Register certificates on the secondary server
- Last UpdatedJan 13, 2023
- 1 minute read
A PI mapping must exist on the primary server to allow the Windows user to connect to the primary and write to the server table. Starting with Data Archive 2017, Data Archive collectives support certificate-based authentication for each member. With this release, each secondary Data Archive server can have its own unique certificate to use for authentication purposes with the primary server.
To support this authentication mechanism, servers within the collective must register their certificates with each other:
-
The piartool utility has registration functionality through the -registerhacert --updatePublicCertOnPrimary option to register certificates amongst the collective members that cannot run Collective Manager to do this automatically.
-
In addition, the piartool utility has reporting functionality through the -registerhacert --reportInfoOnTarget localhost option to assist with troubleshooting certificate-related issues.
See the PI Data Archive topic piartool command-line options.
-
If you want to use your own certificate on a primary or secondary member, open PI Collective Manager on that computer and use the Import Certificate option.
All imported certificates must meet the following requirements:
-
Have a private key
-
Be configured for both client authentication and server authentication
-
Have the key usage options for digital signature and key encipherment enabled
-
-
On a secondary server, open the command window.
-
From a command prompt, change directory to the \pi\adm directory.
-
Run the command piartool -registerhacert -u:
piartool -registerhacert -u
The following message will appear:
Updating the public certificate on the primary.
-
Repeat Steps 1 through Step 3 for each secondary server in the collective.