Configure the Client Connection Configuration

When you configure the Client Connection, it fetches the SSL certificate from AVEVA Recipe Management Server and AVEVA Identity Manager Server and adds the information to local machine trusted store. It also registers the AVEVA Recipe Management clients with AVEVA Identity Manager.

NOTE: The installation and configuration of the Client Connection is required only when the client node requires AVEVA System Platform, or any application that uses REST API or the new Client API to run under non-admin privileges. After configuration of the Client Connection, you can run these applications successfully.

To configure the Client Connection

1. Open the Configurator utility.

2. Expand the left pane, click AVEVA Recipe Management, and then click Client Connection Configuration. The Configurator option appears in the right pane.

   

3. In the Recipe Management Server area, do the following:

   1. Specify the site host name in the Site Hostname box. If the SSL Certificate used by AVEVA Identity Manager host is issued to Fully Qualified Domain Name (FQDN), then the AVEVA Identity Manager host name will have to be provided as the same FQDN. For example, myserver.mydomain.com.

   2. Specify the AIM Registrar username in the AIM Registrar User box. Make sure that the AIM Registrar User that you enter has Administrator privileges; otherwise, client registration will not succeed.

   3. Specify the password in the Password box.

Whitelisting of Users/Groups

AVEVA Recipe Management Client Connection configuration option allows you to white-list additional users or groups that are allowed to work with AVEVA Recipe Management applications to read the client secrets from AVEVA Data Store. You must include all users accessing the AVEVA Recipe Management model from AVEVA System Platform and applications which use the AVEVA Recipe Management Client API and Rest API in InTouch scripts or custom applications.

Consider, for example, the user uses AVEVA Recipe Management Client API or Rest API based custom applications from different Nodes. You need to whitelist that user on all the Nodes where they use these applications. Otherwise, they will not have permission to run the custom applications.

As a best practice, you should whitelist the group instead of a user. So, if one whitelisted user forgets the credentials or gets locked out from the system, another user in the whitelisted group can access the resources.

NOTE:
- Users accessing AVEVA Recipe Management through web client need not be whitelisted. Also, if the Configurator user and ArchestrA Network user exist, they are automatically whitelisted.
- User accounts created for off-node communications using the “Change Network Account” utility must be whitelisted or added to the Whitelisted Group to access and work with AVEVA Recipe Management applications.
- If the whitelisted user gets locked out from the system, even the administrator cannot recover the system. Hence, it is recommended to whitelist Groups.
- You need not whitelist Users/Groups on the AVEVA Recipe Management server.

To whitelist Users/Groups

4. Open the Configurator utility.

5. Expand the left pane, click AVEVA Recipe Management, and then click Client Connection Configuration. The Configurator option appears in the right pane.

6. In the Whitelisting Users/Groups area, do the following.

   

   1. Click Add. The Add User/Group dialog box appears.

      

   2. In the User/Group Name box, specify the user/group that you want to whitelist.

   3. Click OK and then reconfigure the Client Connection Configuration.

   NOTE: Administrators who are already whitelisted on a specific system can whitelist other users/groups by running the RMP Client Connection Configuration feature. If client has been registered automatically, then only a whitelisted administrator user has the privilege to whitelist other users/groups.