Understand PI API for Windows Integrated Security
- Last Updated: Feb 12, 2025
- PI System
- PI Server 2024 R2
- PI Server
PI API 2016 for Windows Integrated Security introduced support for Windows authentication and improved transport security. Windows security encompasses more than just authenticating identity. Transport security improves message integrity and privacy. The AVEVA™ PI System™ uses the Windows sign-on security context to protect the integrity and privacy of data communications. Activated protections include session keys, confidentiality, and integrity (with replay and sequence detection). Prior to this PI API update, PI trusts were used to configure authentication on the connection between Data Archive and PI interfaces (or other PI API-based applications). With the latest version of PI API for Windows Integrated Security, Windows authentication support is extended to the PI interface node or any other PI API-based application connecting to Data Archive.
PI API for Windows Integrated Security (WIS) introduced significant security enhancements for Data Archive client applications and reduced overall risk to the PI System. These security enhancements consist of the following:
- Windows Integrated Security
Previous versions of PI API relied on PI trusts or explicit logins for authentication. Windows authentication is now the supported authentication model for PI API-based client applications, such as PI interfaces. WIS is a more secure authentication model than PI trusts for authenticating users.
WIS is enforced as the only security model for all applications using PI API functions. Implementation of Windows authentication across the entire PI System deployment offers a familiar administrative experience, in addition to modern defenses provided by the operating system. In addition, PI identities allow you to map Windows groups or users to categories of access permissions. PI mappings are the mechanism for associating Windows users or groups with PI identities.
Data Archive 3.4.380 or later is required for PI API 2016 for WIS and later versions.
Caution: PI API 2016 for WIS and later versions do not support PI trusts or explicit logins. If you require PI trusts for authentication, do not upgrade to PI API 2016 for WIS or later versions, to avoid any potential data loss.
- Transport Security
Transport security improves message integrity and privacy. PI API for WIS internally routes messages to the local PI Network Manager, which manages transport security with the Data Archive server.
Data integrity provides increased security against malicious attacks and intrusions into your data infrastructure. Transport security provides an additional layer of defense essential to protecting against data breaches, injection attacks, unauthorized eavesdropping, etc. Transport security protects not only your deployment, but also the confidentiality of any secondary infrastructure or client connecting to your system.
For the most secure experience, we recommend customers run PI Data Archive 3.4.395 (2015) or later, and the latest version of PI API for WIS. Transport security is supported automatically on all client applications using this version when the connection is to a Data Archive server version 2015 or later. If a buffering node connects to multiple Data Archive servers of different versions, transport security is enabled only on the connections to the Data Archive servers with version 3.4.395 or later and PI API for WIS deployed.
- Software Security
PI API for WIS leverages the greatest number of Microsoft software security defenses provided by the compiler and operating system. PI API for WIS was developed specifically for modern Windows platforms, and enables the server operating system defenses in accordance with Microsoft security development lifecycle (SDL) guidance. Updated software is critical to defending against malicious attacks and unauthorized intrusions in your system.
PI API for WIS is supported on most UniInt PI Interfaces, such as: PI Interface for OPC DA, PI to PI interface, and Random simulator interface.
Note: PI API for WIS is NOT supported on interfaces running on UNIX or Linux platforms.
We recommend upgrading from PI trusts and explicit login to Windows authentication through the use of PI mappings as the authentication model throughout your PI System. Applications using PI API for WIS require a Windows or service account to connect with the Data Archive server. Therefore, before upgrading to the latest version of PI API for WIS, you must configure PI mappings to replace any existing PI trusts used by PI interfaces. PI trusts and explicit logins are disabled on PI API 2016 for WIS.
- When should I upgrade to PI API 2016 for Windows Integrated Security?
You should upgrade if your client node supports Windows authentication, and all PI Servers connected from this node run version 3.4.380 or later, with PI mappings configured for the applications running on the client node.
- When should I not upgrade my PI API?
You should defer the PI API 2016 upgrade if your Windows platform is unable to meet minimum requirements or if you need more time to verify compatibility with a custom PI API application.
- I am not upgrading my PI API. However, I want to upgrade my Data Archive version. Will upgrading my Data Archive server affect my existing PI trusts?
There is no effect on your existing PI trusts, and they authenticate as normal. If, additionally, you upgrade to PI API 2016 for Windows Integrated Security, then your existing PI trusts will not work as expected. This is because PI trusts are not supported once PI API is upgraded to PI API 2016 for Windows Integrated Security.
PI trusts are still available as a method for authenticating PI interfaces. However, the use of PI trusts should be reserved to cases where Windows authentication cannot be used. In such cases, do not install or upgrade to PI API 2016 for Windows Integrated Security, as it does not support PI trusts or explicit logins.
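
The upgrade criteria and the per-connection transport security rule described above can be checked across an inventory of client nodes before any PI API upgrade is scheduled. The following is an added example, not AVEVA code: the inventory structure, node and server names, and build numbers are constructed, and only the 3.4.380 and 3.4.395 thresholds come from this page.

```python
# Added example. Version thresholds are from the page; the inventory is constructed.
MIN_WIS = (3, 4, 380)        # minimum Data Archive version for PI API 2016 for WIS
MIN_TRANSPORT = (3, 4, 395)  # Data Archive 2015: transport security available

def parse_version(text):
    """Turn '3.4.395.64' into a comparable tuple of its first three fields."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Data Archive version: {text!r}")
    return tuple(int(p) for p in parts[:3])

def assess_node(node):
    """Return (blockers, transport) for one client node.

    blockers: reasons to defer the upgrade; an empty list means ready.
    transport: server -> True if that connection gets transport security
               once PI API for WIS is deployed on the node.
    """
    blockers, transport = [], {}
    if not node["windows_auth"]:
        blockers.append("node does not support Windows authentication")
    for server, version in sorted(node["servers"].items()):
        parsed = parse_version(version)
        if parsed < MIN_WIS:
            blockers.append(f"{server} runs {version}, below 3.4.380")
        transport[server] = parsed >= MIN_TRANSPORT
    for app, auth in sorted(node["apps"].items()):
        if auth != "mapping":  # PI trusts and explicit logins stop working
            blockers.append(f"{app} uses {auth}; configure a PI mapping first")
    return blockers, transport

# Constructed inventory: node names, server names and build numbers are made up.
INVENTORY = {
    "opc-node-01": {
        "windows_auth": True,
        "servers": {"da-prod": "3.4.405.1198", "da-legacy": "3.4.390.16"},
        "apps": {"PI Interface for OPC DA": "mapping"},
    },
    "sim-node-02": {
        "windows_auth": True,
        "servers": {"da-old": "3.4.375.80"},
        "apps": {"Random simulator interface": "trust"},
    },
}

if __name__ == "__main__":
    for name, node in INVENTORY.items():
        blockers, transport = assess_node(node)
        print(name, "READY" if not blockers else "DEFER", blockers, transport)
```

A node with an empty blocker list can still have connections without transport security, as `opc-node-01` does for its pre-2015 server; those connections are the ones to prioritize for a Data Archive upgrade.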