Required PI Server configuration for PI APS

In order to run PI APS, you must configure the PI Server to allow connections from the PI APS Configuration Utility, PI APS Synchronization Engine, and PI APS Synchronization Trigger service. This section provides the information that you need to configure:

• Authentication methods for the PI APS programs to connect to the PI Server.

• Authorization of the required access permissions to PI Server secure objects by the PI APS programs.

The PI Server provides a default trust that authenticates local clients on the PI Server node as the piadmin user, which can write to all PI Server objects. With default PI SDK authentication options, a copy of PI APS on the PI Server node authenticates through the default trust and, therefore, does not require any security configuration in the PI Server. If the PI SDK authentication options are changed so that local clients cannot authenticate through the default trust, configure authentication and authorization as if PI APS is installed on an Interface Node. As noted earlier, OSIsoft discourages using PI APS on the PI Server node except to synchronize points for PI COM Connectors.

When PI APS is installed on an interface node, PI APS client programs provide some form of identification when they attempt to connect to the PI Server. The PI Server authenticates the identification information to determine if the client program is permitted to connect. If the client is allowed to connect, authorization to access a PI Server secure object is determined by comparing the authenticated identity with access permissions for the object.

Several methods are available for authentication:

• PI mapping (requires PI Server version 3.4.380 or later and PI SDK 1.3.6 or later)

• PI Trust

• Explicit login

The PI APS Synchronization Engine and PI APS Synchronization Trigger service are both Windows services. That is, they are not interactive applications and, therefore, explicit login is not possible. A PI trust or PI mapping must be configured for the PI APS Synchronization Engine and PI APS Synchronization Trigger service. The installation kit creates PI APS services that log on to Windows as the Local System account, which has full access to the local system files and registry but cannot be used in a PI mapping on a remote PI Server. The PI APS services can be changed to log on as other Windows accounts (specifically, domain accounts) that can be used in a PI mapping as long as the accounts satisfy the Windows security requirements, which are discussed later in section Required Windows permissions for PI APS.

Note: During an upgrade, the installation kit removes the PI APS services and then creates new services. If you changed the login account for either the PI APS Sync Engine or PI APS Sync Trigger service in order to use a PI mapping for authentication, the login account is reset to Local System by the upgrade. The PI APS services will not authenticate as intended until you reconfigure the logon account for the new services.

The PI APS Configuration Utility is an interactive application and all authentication methods can be used.

If the PI Server is version 3.4.380 or later, OSIsoft recommends using Windows security through PI Mappings. Windows security provides the strongest authentication and full Windows account traceability in the PI Server log and audit trail records.

Refer to the PI Server documentation for details about creating PI trusts or PI mappings.