
AVEVA™ PI Server Installation and Configuration (PI Server 2018)

Task 2: Identify all PI trusts and corresponding PI identities

  • Last Updated Oct 03, 2024

Before upgrading your PI API to PI API 2018 Patch 2 for Windows Integrated Security, you must first configure PI mappings to replace any existing PI trusts or explicit logins on PI API. The second task of this process is to identify all PI identities currently being used by PI trusts on your PI interfaces running on the Interface node.

Consider the following factors:

  • Which PI identity will you use to grant the interfaces access to the Data Archive?

  • Which PI identities are currently being used, and is each one worth preserving for the upgraded PI API, or is a new PI identity more suitable?

  1. Determine the name of the configured PI trust using the PI SMT Network Statistics plug-in.

    1. Open PI SMT and expand Operation on the left pane.

    2. Select Network Manager Statistics.

    3. Identify the Data Archive in the Server list.

    4. Identify the interface by the service name (interfaces run as services) and PeerAddress. Identify the corresponding name of the trust in the Trust column for that interface. For interfaces that are not running, the trust can be determined by examining the trust table under Mappings & Trusts as described in the following steps.

  2. Open PI SMT and expand Security on the left pane.

  3. Select Mappings & Trusts.

  4. Select the Trust tab.

  5. For interfaces that are not running, identify the trust based on the Application Name, Network Path and/or IP Address. Identify the PI User associated with this trust. Identify the interface(s) on your Interface node under Application Name.

  6. For interfaces that are running, identify the trust based on the service name (interfaces run as services) determined in Step 1 and identify the PI user for that trust.

    Each of these trusts enables an authentication model where the connection credentials of the interface are compared to records in the trust database. Each PI trust is defined against a single PI identity (one type of PI user), PI group (a group of PI users), or PI user (listed under the PI User column). Take note of this PI Identity (Identity1) for later tasks of the upgrade. When an interface successfully authenticates through a trust, it gets the access permissions defined for the associated identity, group, or user.

  7. Evaluate if you want to use the existing PI Identity for the upgraded PI API, or if new identities need to be created.

    1. If the PI identity assigned to an existing trust has least privilege or reasonable privileges for your environment, then use that existing PI Identity. See Knowledge Base article: KB00833 - Seven best practices for securing your PI Server for more information.

    2. If the interface is currently using excessive privilege (for example, a trust with piadmin or piadmins), then consider creating a new PI identity to use for the mapping.
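
The inventory and the step 7 decision can be recorded in one pass once the values from the two PI SMT views are written down. The following is an added example, not AVEVA code: the CSV layout, the column header "Service Name" and all sample rows are constructed assumptions, and only piadmin and piadmins are flagged automatically because they are the examples of excessive privilege the steps give.

```python
import csv
import io

# Constructed sample rows. Headers follow the PI SMT columns named in the steps;
# the CSV layout itself is an assumption (for example, values copied by hand).
NETSTATS_CSV = """Service Name,PeerAddress,Trust
IntfSvcA,10.0.0.21,TrustA
IntfSvcB,10.0.0.22,TrustB
"""
TRUSTS_CSV = """Trust,Application Name,IP Address,PI User
TrustA,IntAE,10.0.0.21,piadmin
TrustB,IntBE,10.0.0.22,InterfaceWriters
TrustC,IntCE,10.0.0.23,piadmins
"""

# The two examples of excessive privilege given in step 7.
EXCESSIVE = {"piadmin", "piadmins"}


def rows(text):
    """Parse CSV text into dicts with whitespace-trimmed values."""
    return [{k: (v or "").strip() for k, v in r.items()}
            for r in csv.DictReader(io.StringIO(text))]


def audit_trusts(netstats_csv, trusts_csv):
    """Pair each trust with its running connections and a step-7 decision."""
    running = {}
    for conn in rows(netstats_csv):
        if conn["Trust"]:  # connections not authenticated by a trust are skipped
            running.setdefault(conn["Trust"].lower(), []).append(
                f'{conn["Service Name"]}@{conn["PeerAddress"]}')
    findings = []
    for t in rows(trusts_csv):
        excessive = t["PI User"].lower() in EXCESSIVE
        findings.append({
            "trust": t["Trust"],
            "application": t["Application Name"],
            "pi_user": t["PI User"],
            "running": running.get(t["Trust"].lower(), []),
            "action": ("create new PI identity" if excessive
                       else "review privileges, reuse if least privilege"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_trusts(NETSTATS_CSV, TRUSTS_CSV):
        state = ", ".join(f["running"]) or "not running"
        print(f'{f["trust"]:8} {f["pi_user"]:18} {state:22} {f["action"]}')
```

Trusts that come back as "not running" are the ones that must be matched to an interface by Application Name, Network Path or IP Address, as in step 5.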
