Understand TLS certificates
- Last Updated: Dec 02, 2025
Transport layer security (TLS) certificate encryption must be configured at or after an AVEVA PI Server 2024 R2 installation to implement claims-based authentication using OpenID Connect (OIDC). TLS encryption is required to use claims-based authentication. TLS encryption may also be used in environments that aren't using the AVEVA Identity Manager.
In addition, trust must be established between the AVEVA Identity Manager (AIM) and all of the PI Server 2024 R2 components using AIM's configured certificate.
AVEVA Identity Manager
When a TLS connection is established, the AVEVA Identity Manager provides a certificate that the client validates before trusting the server's identity. The client represents the application that wants to access data or perform actions on behalf of the resource owner (the owner of the identity and resources). The PI Server uses information from the identity service (AVEVA Identity Manager) to verify if the claims the client (the end user) obtained are valid. The PI Server uses those claims to determine access permissions.
During a PI Server 2024 R2 installation, you must select the "Configure certificate for TLS Encryption" option to select an existing certificate to use for the trust connection. A client ID and secret must be issued so that the Data Archive can connect to the AVEVA Identity Manager and validate incoming access tokens.
Data Archive
The Data Archive server needs to establish a trusted connection with the AIM server. To enable this trust, the Data Archive server needs to have either the public certificate of the certificate authority (CA) that issued the AIM server's certificate, or the public version of the AIM server's self-signed certificate, installed in the system's trusted root store. The Data Archive proves its identity to the AIM server using information established through a registration mechanism carried out during installation.
For a client to use OIDC (claims) authentication against a Data Archive server, it must be able to trust both the Data Archive server and its associated AVEVA Identity Manager server. The Data Archive server must present a valid certificate for a secure connection to be established from the client's perspective. In addition, that certificate must have a chain of trust that is verifiable on the client. The same applies to the AVEVA Identity Manager server.
Certificates must be installed on PI Server and PI client components:
PI Server components
- The following PI Server components require a certificate with a private key installed on the server to identify itself to clients:
  - Data Archive
  - Asset Framework
  - PI Analysis Service
  - PI Notifications
- Services can use the same certificate if they are located on the same node.
PI Clients
- Each AF client and Data Archive client needs to have a public copy of the certificate authority (CA) certificate that signed the Data Archive server's certificate. If the server's certificate is self-signed, this means a public copy of that certificate itself.
- AF clients must trust the AF service certificate on the client machine. The AFCertificate mode setting only affects what verification the client does on the service certificate, and does not affect which certificate the service uses.
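The chain-of-trust requirement above (the server presents a certificate, and the client must be able to verify its chain to a root it trusts) can be checked from a client machine before claims authentication is attempted. The script below is an added example, not AVEVA's code; the host name and port are placeholders that you replace with the Data Archive, AF, or AIM endpoint being validated.

```powershell
# Added example (not part of the PI Server documentation or product).
# From a PI client machine, fetch the TLS certificate a server component presents
# and check whether it chains to a root in this machine's trusted store.
param(
    [string]$ServerHost = 'piserver.example.com',  # placeholder: Data Archive, AF or AIM host
    [int]$Port = 443                               # placeholder: the port the component listens on
)

$tcp = New-Object System.Net.Sockets.TcpClient($ServerHost, $Port)
try {
    # Accept whatever the server sends in the handshake callback; the real trust
    # decision is made explicitly with X509Chain below so the reason is visible.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($ServerHost)   # host name is used for SNI
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# Build the chain using the client's own trusted root store, exactly as the
# PI client libraries must be able to do.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # use 'Online' if CRL/OCSP endpoints are reachable
$trusted = $chain.Build($cert)

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
"Chain   : " + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')
"Trusted : $trusted"

if (-not $trusted) {
    # Typical causes: the CA (or self-signed) certificate is missing from the
    # client's Trusted Root store, or the server certificate has expired.
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
}
```

X509Chain.Build checks the signing chain and validity period only; a mismatch between the host name you connect to and the certificate's subject or SAN entries is a separate failure that the client libraries will also reject, so compare the Subject line printed above with the name clients use.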
Contact your organization's IT department for their guidelines on installing and obtaining certificates.
Note: For more information on certificate storage and SSL certificate requirements, review this Knowledge Base article: Certificate Requirements for AVEVA Identity Manager.