Management of plug-in providers

By default, you can run PI AF plug-ins from any provider. For increased security, you can configure PI AF so that only plug-ins from trusted providers are allowed to be loaded and executed in the client application (PI AF server 2.5 and higher). Plug-in providers are encouraged to code-sign their plug-ins using Authenticode technology. You control how plug-in security is enforced by setting the verify level.

Verification level

You can display the verification level used when plug-ins are loaded by issuing the afdiag command with no parameters. The verification level is listed in the Configuration Settings section of the resulting output as PluginVerifyLevel.

/PlugInVerifyLevel parameter

You set the verify level with the afdiag command, and specify the /PlugInVerifyLevel parameter. Valid levels are:

• None: Disable validation; run all plug-ins. This level is only supported in the PI AF Client 2018 SP3 Patch 1 and earlier versions.

• AllowUnsigned: Run unsigned plug-ins and plug-ins with valid signatures. This level is supported only in the PI AF Client 2018 SP3 Patch 1 and earlier versions.

• RequireSigned: Run only plug-ins with valid signatures.

• RequireSignedTrustedProvider: Run only plug-ins with a valid signature from a trusted provider.

Other AFDiag parameters for managing plug-in providers

The following afdiag parameters are available to manage plug-in providers:

• Display a list of trusted providers: /TrustedProviderList

• Add a trusted provider: /TrustedProviderAdd:providername

• Remove a trusted provider: /TrustedProviderRemove:providername

For more information on these parameters, see AFDiag utility parameters. You can locate the provider name by viewing the digital signature for the plug-in DLL, as described in Locate the names of trusted providers.