Please ensure Javascript is enabled for purposes of website accessibility
Powered by Zoomin Software. For more details please contactZoomin

AVEVA™ PI Server Installation and Configuration (PI Server 2018)

TABLE OF CONTENTS

PI API 2016 for Windows Integrated Security

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
  • Last UpdatedJan 13, 2023
  • 4 minute read

Starting with the release of PI API 2016 for Windows Integrated Security, PI API-based client applications support Windows authentication and improved transport security. Windows security encompasses more than just authenticating identity. Transport security improves message integrity and privacy. The AVEVA™ PI System™ uses the Windows logon security context to protect integrity and privacy of data communications. Activated protections include session keys, confidentiality, and integrity (with replay and sequence detection). Prior to this PI API update, PI trusts were used to configure authentication on the connection between Data Archive and PI interfaces (or other PI API-based application). With this update to PI API, Windows authentication support is extended on the PI interface node or any other PI API-based application connecting to Data Archive.

PI API 2016 for Windows Integrated Security brings significant security enhancements for Data Archive client applications, as well as reducing overall risk to the PI System in general. The security enhancements consist of the following:

  • Windows Integrated Security

    Previous versions of PI API rely upon PI trusts or explicit logins for authentication. With PI API 2016 for Windows Integrated Security, Windows authentication becomes the supported authentication model for PI API-based client applications, such as PI interfaces. Windows Integrated Security is a more secure authentication model than PI trusts for authenticating users.

    With PI API 2016 for Windows Integrated Security, Windows Integrated Security is enforced as the only security model to all applications using PI API functions. Implementation of Windows authentication across the entire PI System deployment offers a familiar administrative experience, in addition to modern defenses provided by the operating system. In addition, PI identities allow you to map Windows groups or users to categories of access permissions. PI mappings are the mechanism for associating Windows users or groups with PI identities.

    Windows Integrated Security is supported on PI Server 3.4.380 or later. As such, PI API 2016 for Windows Integrated Security requires PI Server 3.4.380 or later.

    Caution: PI API 2016 for Windows Integrated Security does not support PI trusts or explicit logins. If you require PI trusts for authentication, do not upgrade to PI API for Windows Integrated Security to avoid any potential data loss

  • Transport Security

    Transport security improves message integrity and privacy. PI API 2016 for Windows Integrated Security internally routes messages to the local PI Network Manager, which manages transport security with the Data Archive server.

    Data integrity provides increased security against malicious attacks and intrusions into your data infrastructure. Transport security provides an additional layer of defense essential to protecting against data breaches, injection attacks, unauthorized eavesdropping, etc. Transport security not only protects your deployment, but the confidentiality of any secondary infrastructure or client connecting to your system.

    For the most secure experience, we recommend customers run PI Data Archive 3.4.395 (2015) or later, and PI API 2016 for Windows Integrated Security. Transport security is supported on all client applications using PI API 2016 for Windows Integrated Security automatically when connection is to a Data Archive server version 2015 or later. If a buffering node connects to multiple Data Archive servers of different versions, transport security is enabled only on the connections to the Data Archive servers with version 3.4.395 or later and PI API 2016 for Windows Integrated Security deployed.

  • Software Security

    PI API 2016 for Windows Integrated Security is the most secure version of PI API released. Additionally, PI API 2016 for Windows Integrated Security leverages the greatest number of Microsoft software security defenses provided by the compiler and operating system. PI API 2016 for Windows Integrated Security was developed specifically for modern Windows platforms, and enables the server operating system defenses in accordance with Microsoft security development lifecycle (SDL) guidance. Updated software is critical to defending against malicious attacks and unauthorized intrusions in your system.

PI API 2016 for Windows Integrated Security is supported on most UniInt PI Interfaces, such as: PI Interface for OPC DA, PI to PI interface, and Random simulator interface.

Note: PI API 2016 for Windows Integrated Security is NOT supported on interfaces running on UNIX or Linux platforms.

We recommend upgrading from PI trusts and explicit login to Windows authentication through the use of PI mappings as the authentication model throughout your PI System. Applications using PI API 2016 for Windows Integrated Security require a Windows logon or service accounts to connect with the Data Archive server. Therefore, before upgrading to PI API 2016 for Windows Integrated Security, you must configure PI mappings to replace any existing PI trusts used by PI interfaces. PI trusts and explicit logins are disabled on PI API 2016 for Windows Integrated Security.

  • When should I upgrade to PI API 2016 for Windows Integrated Security?

    You should upgrade if your client node supports Windows authentication, and all PI Servers connected from this node run version 3.4.380 or later, with PI mappings configured for the applications running on the client node.

  • When should I not upgrade my PI API?

    You should defer PI API 2016 upgrade if your Windows platform is unable to meet minimum requirements or if you need more time to verify compatibility with a custom PI API application.

  • I am not upgrading my PI API. However, I want to upgrade my Data Archive version. Will upgrading my Data Archive server affect my existing PI trusts?

    There is no effect on your existing PI trusts, and they authenticate as normal. If, additionally, you upgrade to PI API 2016 for Windows Integrated Security, then your existing PI trusts will not work as expected. This is because PI trusts are not supported once PI API is upgraded to PI API 2016 for Windows Integrated Security.

PI trusts are still available as a method for authenticating PI interfaces. However, the use of PI trusts should be reserved to cases where Windows authentication cannot be used. In such cases, do not install or upgrade to PI API 2016 for Windows Integrated Security, as it does not support PI trusts or explicit logins.

TitleResults for “How to create a CRG?”Also Available in