Learn about security

Configure security settings before starting PI Data Collection Manager, PI Connector Relay, any connectors, and OMF applications.

Successful data collection and the assurance that data is properly secured requires several security configuration steps. The following topics describe the connection types and security used by connectors, OMF applications, PI Connector Relay, and PI Data Collection Manager.

Connector applications (connectors, PI Connector Relay, and PI Data Collection Manager) process information over HTTPS and AMQPS connections. OMF applications process information over HTTPS. Each connection is encrypted and authenticated.

HTTPS connections

The HTTPS connections service web-based user interfaces and listen for registration requests. During installation, you select the HTTPS port. The X.509 certificate associated with the HTTPS port is self-signed and created during installation. Connector and PI Data Collection Manager applications provide a web-based user interface to perform configuration and to access diagnostic information. To access the user interface, a user must be a member of the PI Connector Administrators group on the computer hosting the application. PI Connector Relay and PI Data Collection Manager use the HTTPS connections to process registration requests.

OMF applications use HTTPS connections to send data to PI Connector Relay.

AMQPS connections

AMQPS is a secure version of the AMQP protocol, an open standard application layer protocol. The AMQPS connections process administration messages and forward data from the connector to the relay. The AMQPS connections are secured using self-signed X.509 certificates created when the connector, PI Connector Relay, or PI Data Collection Manager applications are installed. The certificate used by an AMQPS connection is different from the certificate associated with a HTTPS connection.

Administration

A connector or relay must first be registered before it can be administered by the PI Data Collection Manager and participate in data collection. For information on connector registration, see Request registration from a connector to PI Data Collection Manager and for a relay, see Add a PI Connector Relay.

After registration, connectors and relays initiate the connection to PI Data Collection Manager. If the connection is allowed, PI Data Collection Manager uses the connection to remotely administer the connector and relay, for example, by issuing start and stop requests. PI Data Collection Manager cannot initiate a connection to a connector or relay. Administration communication occurs over port 5672 (AMQPS) on the PI Data Collection Manager host. This port number is not configurable.

Data collection

Connectors, OMF applications, and relays must be registered with PI Data Collection Manager and routed in a data flow path to participate in data collection. Instructions for creating data flow routes are described in Understand data collection configuration. Connectors and OMF applications differ in the way they initiate connections to the relay and send data.

• For connectors, the connector establishes a connection to port 5671 (AMQPS). The data flow is uni-directional, but protocol control messages (such as message acknowledgements) are sent by the relay when responding to the connector. Data is sent from a connector to port 5671 (AMQPS) on the PI Connector Relay host. This port number is not configurable.

• For OMF applications, the OMF application establishes a connection to the web administration port (HTTPS protocol) on the relay. Data from the data source is sent in OMF messages to the HTTPS port (port configured at relay installation) on the PI Connector Relay host. This port is also used in the "Relay Ingress URL" field for OMF application routing to the relay.