AVEVA™ System Platform

Domain-level security

  • Last updated: Aug 12, 2024

The System Platform network account must be configured on the domain controller and used by all local and remote component installations.

In order to maintain a central point of security administration, the following configurations are recommended:

  • For Application Server, configure OS Group-based security.

  • For InTouch HMI, configure ArchestrA security from WindowMaker.

These settings facilitate a centrally-administered security model within the distributed Microsoft domain.

Distributed SCADA systems will likely use more than one domain controller. Such distributed topologies join computer nodes at different sites to different domain controllers; the operators, engineers and technicians log into those domains.

For systems with remote sites that are prone to long disconnected periods (from the central network), it is important to distribute additional DNS servers and backup domain controllers at strategic points in the network.

A single System Platform network account is accessible from any domain. A galaxy can span multiple domains, but a single network account must be used for all nodes. This account can be a local account on each node, each account having the identical name and password.

Domain control and authenticated token cache expiration time are features of Microsoft security. Before changing domain parameters, refer to Microsoft documentation.

It is critical to properly configure the DNS settings for the NIC adapter to ensure that multiple domains are visible to the computer. This configuration is performed when installing the bootstrap on each node. Microsoft security with Active Directory and DNS supports invoking such "cross-domain" accounts at installation time.

Tune expiration times relating to domain control and security. For example, in a scenario where Application Server security is enabled as OS User or OS Group for the galaxy and the node is temporarily disconnected from a domain controller, logins to Operations Control Management Console, Object Viewer, and OMI/InTouch ViewApps still succeed, but for a limited time.

If a domain is out of communication for a period of time, tokens are cached locally until the configured timeout expires. If the operating system's default expiration time is too short for your operation, modify or extend the expiration timeout setting for cached security tokens.

Application Server

Galaxy security (run-time) is configured via the Security dialog of the IDE. Users and groups are assigned, states are created and mapped to galaxy privileges, and individual Application Objects are allocated to security groups. As long as their membership is then authenticated against galaxy-authorized groups, users will have access to the capabilities of the system.

All Application Server installations must use a common domain, user name and password for authentication, even when there are multiple domain controllers in the system. The same-named domain account must exist as a member of the local Administrators group on each node; that is, it must be one domain, one user name and its associated password. This ensures a contiguous galaxy.
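A per-node audit of the prerequisites above (domain membership, the network account in the local Administrators group, DNS configuration, and a live secure channel to the domain controller), as an added example that is not part of AVEVA's documentation or product. The account name `CORP\sp_network_svc` is a placeholder assumption; substitute your own System Platform network account.

```powershell
# Added example (not AVEVA's code): audit the domain-level prerequisites on a
# System Platform node. Run in an elevated PowerShell session on each node.
$ExpectedAccount = 'CORP\sp_network_svc'   # placeholder: your System Platform network account

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$findings = @()

# 1. The node must be domain-joined; a workgroup node cannot use OS Group-based security.
if (-not $cs.PartOfDomain) {
    $findings += "Node $($cs.Name) is not joined to a domain (workgroup: $($cs.Workgroup))."
}

# 2. The same-named network account must be a member of the local Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -notcontains $ExpectedAccount) {
    $findings += "$ExpectedAccount is not a member of the local Administrators group."
}

# 3. DNS must be able to resolve every domain the galaxy spans: check that at
#    least one adapter has DNS servers and that a suffix search list is set.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
if (-not $dnsServers) {
    $findings += 'No IPv4 DNS servers are configured on any adapter.'
}
$suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
if (-not $suffixes) {
    $findings += 'DNS suffix search list is empty; other domains may not resolve by short name.'
}

# 4. Confirm the domain controller is reachable now; once it is not, logins
#    succeed only while the locally cached tokens remain valid.
if (-not (Test-ComputerSecureChannel -ErrorAction SilentlyContinue)) {
    $findings += "Secure channel to domain $($cs.Domain) is not healthy; logins will rely on cached tokens."
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'All domain-level checks passed on this node.'
}
```

Run the script on every Application Server and Historian node and compare results; any node reporting a different account or an unhealthy secure channel breaks the single-account requirement for a contiguous galaxy.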

Ensure the Login Time is at its default value of 1000 ms and not 0, which disables the login.

This setting limits the role-validation part of the login to 1 second and improves login time on an application in a SCADA system using "OS Group based security." Role-validation on a large system might otherwise take many seconds.

To change the default login time

  1. Launch the IDE on the GR node.

  2. Select Galaxy > Configure > Security.

  3. Select OS Group based and set the login time.

InTouch HMI

Use the ArchestrA security model selection within InTouch WindowMaker.

Historian Server

When historizing data, the System Platform network account used in Application Server must also exist on the Historian Server node.
