PI connectors security
- Last Updated May 22, 2025
PI connectors use an HTTPS connection to provide a web-based administration interface. Security is managed by designated members of a PI Connector Administrators group.
Passwords
Passwords are used by some PI connectors to access data sources. These passwords are located in the data source configuration files on the PI Connector and PI Data Collection Manager hosts.
Note: The Microsoft Data Protection API (DPAPI) is used to perform encryption for connectors that encrypt confidential information such as passwords.
Cryptographic keys
Connectors create two X.509 certificates at installation time for each connector application (PI Connector, PI Connector Relay, and PI Data Collection Manager). The first X.509 certificate is used to secure an HTTPS connection used for application administration. The second X.509 certificate is used to secure AMQPS communication which is used between different connector applications; for example, between an individual PI Connector and the PI Connector Relay. The private keys for these certificates are stored in the Windows Certificate Store.
Security best practices
To mitigate security vulnerabilities, follow security best practices that tighten security around your PI Connector, PI Connector Relay, and PI Data Collection Manager.
Note: Configure security settings before starting the PI Connector, PI Connector Relay, and PI Data Collection Manager.
AVEVA recommends the following:
- Ensure the service identities for the PI Connector, PI Connector Relay, and PI Data Collection Manager do not have domain or host administrative privileges.
- Confirm that members of the PI Trusted Installers Windows group on the PI Data Collection Manager host do not have domain or host privileges. The purpose of the accounts in this group is to signal the occurrence of an installation of a connector to the PI Data Collection Manager.
- Block access to the connector administration port using a firewall if your usage scenario does not require remote access to the connector administration website. This suggestion does not apply to the PI Connector Relay and PI Data Collection Manager, which require that their administration website ports remain available.
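One way to check the first and third recommendations on a host, as an added example that is not AVEVA's own tooling: the script below reports whether each connector service runs under an identity that is a direct member of the local Administrators group, and can optionally add an inbound block rule for the administration port. The service display-name pattern and the port number are placeholders (assumptions, not values from this page), and nested group membership and domain-level privileges are not evaluated.

```powershell
# Added example: audit connector service identities for host administrative rights.
# ASSUMPTIONS: $ServicePattern and $AdminPort are placeholders, not values from this page.
param(
    [string]$ServicePattern = 'PI Connector*',  # placeholder: match your service display names
    [int]$AdminPort = 0                         # placeholder: administration port; 0 = add no rule
)

# SIDs of the direct members of BUILTIN\Administrators (well-known SID, locale independent).
$adminSids = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value

function Resolve-ServiceSid([string]$StartName) {
    # Win32_Service reports the SYSTEM account as 'LocalSystem', which does not translate.
    if ($StartName -eq 'LocalSystem') { return 'S-1-5-18' }
    # Local accounts are reported as '.\name'; expand the dot to the computer name.
    $name = $StartName -replace '^\.\\', ($env:COMPUTERNAME + '\')
    try {
        $account = [System.Security.Principal.NTAccount]$name
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # unresolved identity: review this service manually
    }
}

$report = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like $ServicePattern } |
    ForEach-Object {
        $sid = Resolve-ServiceSid $_.StartName
        [pscustomobject]@{
            Service   = $_.Name
            RunsAs    = $_.StartName
            # SYSTEM (S-1-5-18) has full control of the host, so it is flagged as well.
            HostAdmin = ($sid -eq 'S-1-5-18') -or ($adminSids -contains $sid)
            Resolved  = [bool]$sid
        }
    }
$report | Format-Table -AutoSize

# Optional: block inbound access to the administration port (requires an elevated session).
# Per the recommendation above, do not apply this on PI Connector Relay or
# PI Data Collection Manager hosts, whose administration ports must remain available.
if ($AdminPort -gt 0) {
    New-NetFirewallRule -DisplayName "Block connector admin port $AdminPort" `
        -Direction Inbound -Protocol TCP -LocalPort $AdminPort -Action Block | Out-Null
}
```

Any row with `HostAdmin` set to `True` or `Resolved` set to `False` needs follow-up before the service is started.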
AVEVA provides a Knowledge Base article on best practices for securing your PI System, which is available through the customer portal. Eight best practices for securing your PI Server provides detailed information about securing Data Archive.