This section presents general guidelines for "tightening" DCOM security settings for GagePort Mitutoyo OPC Server / OPC client interactions. Apply these procedures only after troubleshooting GagePort Mitutoyo OPC Server Connections, so that a working connection is not confused with a permissions problem. This list of guidelines is not exhaustive. It is assumed the reader is familiar with Windows security issues and DCOM security in particular. The issue of security in an automation environment is currently being addressed by an OPC Foundation working committee.
Note: Whenever possible, use DCOMCNFG settings that are custom to the GagePort Mitutoyo OPC Server rather than the machine-wide defaults. This has two benefits: first, setting up the OPC server for initial use does not change the behavior of other COM objects installed on the same computer node; second, future changes to the DCOM security settings of other COM objects (or to the machine-wide defaults) do not affect the behavior of a correctly operating GagePort Mitutoyo OPC Server.
Enable authentication security by setting the DCOMCNFG Default Authentication Level to at least Connect. If you are running the DCOMCNFG supplied with SP4, also ensure that the OPC server's custom Authentication Level setting is at least Connect. Once authentication is enabled, DCOM security attempts to verify the user identities of both the OPC server and the OPC client, so user accounts must be set up correctly when the OPC server runs on one computer node and the client on another. See the guideline below on domain authentication setup. In a peer-to-peer (workgroup) network, the user account under which the OPC server runs must also exist, with the same name and password, on the OPC client machine, and vice versa. Note that Connect authenticates the client only when the connection is first established; the higher levels (Call, Packet, Packet Integrity, Packet Privacy) re-authenticate each call or packet, and Packet Integrity and Packet Privacy additionally protect the transferred data against tampering and disclosure respectively. Connect is the minimum; choose a higher level if OPC traffic crosses a network you do not trust.
Enable GagePort Mitutoyo OPC Server activation security by specifying known users and/or groups in the DCOMCNFG Use custom launch permissions option for the OPC Server. As a rule, the activation (launch) permissions should always be at least as restrictive as the authorization (access) permissions: every user or group granted launch permission should also be granted access permission. This prevents the situation where an OPC client can activate the GagePort Mitutoyo OPC Server but cannot use the OPC Server objects.
To restrict access of OPC clients to a GagePort Mitutoyo OPC Server that is already running (authorization security), modify the access control list (ACL) of the OPC server by editing the Use custom access permissions option of DCOMCNFG.
A domain authentication architecture provides the lowest cost solution (from a maintenance perspective) for DCOM security. If you are using a domain, then follow these general setup guidelines:
Create a new domain group. Users who are members of this group will be allowed to launch the GagePort Mitutoyo OPC Server and access its objects.
Add the new group to the launch permissions and access permissions ACLs for the GagePort Mitutoyo OPC Server, using DCOMCNFG.
Make all user accounts that run an OPC client application members of this new group.
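The settings described above (a per-application authentication level of at least Connect, custom launch and access permissions, the launch ACL being no wider than the access ACL, and the domain group present in both) can be checked in one pass on the node hosting the OPC server. The following PowerShell script is an added example; it is not part of the original page or of the GagePort Mitutoyo product. It reads the same values DCOMCNFG edits, through the Win32_DCOMApplication and Win32_DCOMApplicationSetting WMI classes and the per-application AppID registry key. The display name 'GagePort Mitutoyo OPC Server' and the group 'CORP\OPC Users' are placeholders (assumptions) to adjust for your installation.

```powershell
<#
Added example (not from the original page or the product's own documentation): audit the
per-application DCOM settings this page asks for, on the node hosting the OPC server.
Assumptions: the server is registered in DCOM under the display name in -AppName, and
-RequiredGroup is the domain group created for OPC users (both names are placeholders).
Run from an elevated PowerShell session; reads configuration only unless -Enforce is given.
#>
[CmdletBinding()]
param(
    [string]$AppName       = 'GagePort Mitutoyo OPC Server',  # display name shown in DCOMCNFG (assumed)
    [string]$RequiredGroup = 'CORP\OPC Users',                # hypothetical domain group
    [switch]$Enforce                                          # pin per-app AuthenticationLevel to >= Connect
)

# RPC_C_AUTHN_LEVEL_* values as stored in the registry and reported by WMI.
$AuthLevelNames   = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$MinimumAuthLevel = 2   # the page's floor: Connect

function Get-AllowedTrustees {
    # Return "DOMAIN\Name" for every allow ACE in a Win32_SecurityDescriptor's DACL.
    param($Descriptor)
    if ($null -eq $Descriptor -or $null -eq $Descriptor.DACL) { return @() }
    foreach ($ace in $Descriptor.DACL) {
        if ($ace.AceType -ne 0) { continue }                    # 0 = ACCESS_ALLOWED_ACE_TYPE
        if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
    }
}

$findings = [System.Collections.Generic.List[string]]::new()

$app = Get-CimInstance -ClassName Win32_DCOMApplication -Filter "Name='$AppName'"
if (-not $app) { throw "No DCOM application named '$AppName' is registered on this node." }
$setting  = Get-CimInstance -ClassName Win32_DCOMApplicationSetting -Filter "AppID='$($app.AppID)'"
$appIdKey = "HKLM:\SOFTWARE\Classes\AppID\$($app.AppID)"

# --- 1. Authentication level: prefer the per-app custom value over the machine-wide default ---
$authLevel  = $setting.AuthenticationLevel
$authSource = 'custom (per-app)'
if ($null -eq $authLevel) {
    $authSource = 'machine default'
    $authLevel  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -Name LegacyAuthenticationLevel `
                      -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
    if ($null -eq $authLevel) { $authLevel = 2 }               # DCOM's built-in default when the value is absent
    $findings.Add('No per-app Authentication Level; the machine default applies (the page recommends a custom setting).')
}
if ($authLevel -lt $MinimumAuthLevel) {
    $findings.Add("Authentication Level is '$($AuthLevelNames[[int]$authLevel])'; raise it to at least Connect.")
}
if ($Enforce -and ($null -eq $setting.AuthenticationLevel -or $authLevel -lt $MinimumAuthLevel)) {
    $newLevel = [Math]::Max([int]$authLevel, $MinimumAuthLevel)
    Set-ItemProperty -Path $appIdKey -Name AuthenticationLevel -Value $newLevel -Type DWord
    $findings.Add("Set per-app AuthenticationLevel to $($AuthLevelNames[$newLevel]) ($newLevel) in $appIdKey.")
}

# --- 2. Launch (activation) and access (authorization) ACLs ---
$launch = (Invoke-CimMethod -InputObject $setting -MethodName GetLaunchSecurityDescriptor).Descriptor
$access = (Invoke-CimMethod -InputObject $setting -MethodName GetAccessSecurityDescriptor).Descriptor
$launchTrustees = @(Get-AllowedTrustees $launch)
$accessTrustees = @(Get-AllowedTrustees $access)

if ($launchTrustees.Count -eq 0) { $findings.Add('No custom launch permissions; activation falls back to the machine default ACL.') }
if ($accessTrustees.Count -eq 0) { $findings.Add('No custom access permissions; authorization falls back to the machine default ACL.') }

# The page's rule: launch must be at least as restricted as access, so everyone who can
# activate the server can also call it. A trustee in launch but not in access breaks that.
foreach ($t in $launchTrustees) {
    if ($accessTrustees -notcontains $t) { $findings.Add("'$t' may launch the server but has no access permission.") }
}
if ($launchTrustees -notcontains $RequiredGroup) { $findings.Add("'$RequiredGroup' is missing from launch permissions.") }
if ($accessTrustees -notcontains $RequiredGroup) { $findings.Add("'$RequiredGroup' is missing from access permissions.") }

[pscustomobject]@{
    Application         = $app.Name
    AppID               = $app.AppID
    AuthenticationLevel = "$($AuthLevelNames[[int]$authLevel]) ($authSource)"
    LaunchTrustees      = $launchTrustees
    AccessTrustees      = $accessTrustees
    Findings            = $findings
}
```

Run it as `.\Test-OpcDcomSecurity.ps1 -RequiredGroup 'YOURDOMAIN\OPC Users'` from an elevated prompt on the OPC server node; an empty Findings list means the settings match the guidelines above. `-Enforce` writes only the AuthenticationLevel value under the application's AppID key; the launch and access ACLs are deliberately left to DCOMCNFG (or the SetLaunchSecurityDescriptor / SetAccessSecurityDescriptor WMI methods) so that ACL changes are reviewed rather than applied blindly.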
Related topics: About DCOM Security; Getting Started with GagePort Mitutoyo OPC Server.