This section presents general
guidelines for "tightening" the DCOM security settings that govern GagePort
Mitutoyo OPC Server / OPC client interactions. Carry out these procedures
only after troubleshooting GagePort Mitutoyo OPC Server connections: get the
connection working first, then restrict it, so that a connection problem is
not mistaken for a security problem. This list of guidelines is not
exhaustive. It is assumed the reader is familiar with Windows security issues
and DCOM security in particular. The issue of security in an automation
environment is currently being addressed by an OPC Foundation working
committee.
Note: Whenever possible, use DCOMCNFG settings that are specific to the
GagePort Mitutoyo OPC Server (the per-application settings) rather than the
computer-wide defaults. This has two benefits: first, while the OPC server is
being set up for initial use, the behavior of other COM objects installed on
the same computer node is not affected; second, future changes to the DCOM
security settings of other COM objects, or to the computer-wide defaults, do
not affect the behavior of a correctly operating GagePort Mitutoyo OPC Server.
Enable authentication security by setting the DCOMCNFG
Default Authentication Level to at least Connect. If you are running the
DCOMCNFG supplied with SP4, also ensure that the OPC server's custom
Authentication Level setting is at least Connect (the custom setting
overrides the default for that application). Once authentication is enabled,
DCOM security attempts to verify the user identities of both the OPC server
and the OPC client. User accounts must therefore be set up correctly when the
OPC server runs on one computer node and the client on another; see the
guideline below on domain authentication setup. In a peer-to-peer (workgroup)
network, the user account under which the OPC server runs must also exist on
the OPC client machine, with the same name and password, and vice versa.
Enable GagePort Mitutoyo OPC Server activation (launch) security by
specifying known users and/or groups in the DCOMCNFG
Use custom launch permissions option
for the OPC server. As a rule, activation security should always be at least
as restrictive as authorization (access) security: every account allowed to
launch the server should also be allowed to access it. This prevents the
situation where an OPC client can activate the GagePort Mitutoyo OPC Server
but cannot use the OPC server objects.
To restrict access by OPC clients to a GagePort Mitutoyo OPC Server that is
already running (authorization security), modify the access control list
(ACL) of the OPC server by editing the Use custom access permissions option
of DCOMCNFG.
A domain authentication architecture provides the lowest-cost solution (from
a maintenance perspective) for DCOM security, because accounts and passwords
are maintained once on the domain rather than mirrored on every node. If you
are using a domain, then follow these general setup guidelines:
Create a new domain group. Members of this group will be allowed to launch the GagePort Mitutoyo OPC Server and access its objects.
Add the new group to the launch permissions and access permissions ACLs for the GagePort Mitutoyo OPC Server. Do this using DCOMCNFG.
Make all user accounts that run an OPC client application members of this new group.
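The authentication-level, custom launch permission, custom access permission and domain-group guidelines above can be applied and verified from PowerShell instead of clicking through DCOMCNFG. The following script is an added example, not part of the GagePort Mitutoyo documentation or software. It writes the same per-application registry values that DCOMCNFG writes (AuthenticationLevel, LaunchPermission and AccessPermission under the server's AppID key) and leaves the computer-wide defaults alone. The DCOM application name 'GagePort Mitutoyo OPC Server' and the group 'MYDOMAIN\OPC Clients' are assumed placeholders; the rights masks 0x1F (launch) and 0x07 (access) are the values DCOMCNFG stores on current Windows versions. Run it as an administrator on the OPC server node.

```powershell
# Added example (not the GagePort Mitutoyo project's own code): apply and
# verify per-application DCOM security for an OPC server.
# ASSUMPTIONS: $ServerName must match the Name shown by Win32_DCOMApplication
# for the installed server; $GroupName is the domain group for OPC clients.
$ServerName = 'GagePort Mitutoyo OPC Server'   # assumed DCOM application name
$GroupName  = 'MYDOMAIN\OPC Clients'           # assumed domain group

# RPC_C_AUTHN_LEVEL_* values as stored by DCOMCNFG; Connect is the minimum.
$AuthnLevel = @{ Default = 0; None = 1; Connect = 2; Call = 3; Pkt = 4; PktIntegrity = 5; PktPrivacy = 6 }

# COM_RIGHTS_* masks written as SDDL generic-right letters:
#   CCDCLCSWRP = 0x1F: Execute, local/remote launch, local/remote activation
#   CCDCLC     = 0x07: Execute, local access, remote access
$LaunchRights = 'CCDCLCSWRP'
$AccessRights = 'CCDCLC'

function Get-AppIdKey([string]$Name) {
    $app = Get-CimInstance Win32_DCOMApplication | Where-Object Name -eq $Name
    if (-not $app) { throw "DCOM application '$Name' is not registered on this node" }
    "HKLM:\SOFTWARE\Classes\AppID\$($app.AppID)"
}

function Resolve-Sid([string]$Account) {
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Self-relative binary security descriptor: the format DCOMCNFG stores in
# the LaunchPermission and AccessPermission REG_BINARY values.
function New-DcomSdBytes([string]$Sddl) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    $bytes
}

function Set-OpcServerDcomSecurity([string]$Name, [string]$Group) {
    $key = Get-AppIdKey $Name
    $groupSid = Resolve-Sid $Group
    # Owner/group Administrators; allow SYSTEM, Administrators and the OPC group only.
    $launchSddl = "O:BAG:BAD:(A;;$LaunchRights;;;SY)(A;;$LaunchRights;;;BA)(A;;$LaunchRights;;;$groupSid)"
    $accessSddl = "O:BAG:BAD:(A;;$AccessRights;;;SY)(A;;$AccessRights;;;BA)(A;;$AccessRights;;;$groupSid)"
    # Per-application values only; HKLM\SOFTWARE\Microsoft\Ole (the defaults) is untouched.
    Set-ItemProperty -Path $key -Name AuthenticationLevel -Type DWord  -Value $AuthnLevel.Connect
    Set-ItemProperty -Path $key -Name LaunchPermission    -Type Binary -Value (New-DcomSdBytes $launchSddl)
    Set-ItemProperty -Path $key -Name AccessPermission    -Type Binary -Value (New-DcomSdBytes $accessSddl)
}

# Read a stored descriptor back as SDDL so the result can be inspected.
function Get-DcomSddl([string]$Key, [string]$ValueName) {
    $bytes = (Get-ItemProperty -Path $Key -Name $ValueName).$ValueName
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Check the rule from the text: every principal allowed to launch the server
# must also be allowed to access it, and authentication must be >= Connect.
function Test-OpcServerDcomSecurity([string]$Name) {
    $key = Get-AppIdKey $Name
    $level = (Get-ItemProperty -Path $key -Name AuthenticationLevel -ErrorAction SilentlyContinue).AuthenticationLevel
    if ($null -eq $level -or $level -lt $AuthnLevel.Connect) {
        Write-Warning "AuthenticationLevel is '$level'; at least Connect (2) is required"
    }
    $allowed = @{}
    foreach ($v in 'LaunchPermission', 'AccessPermission') {
        $raw = (Get-ItemProperty -Path $key -Name $v -ErrorAction SilentlyContinue).$v
        if (-not $raw) { Write-Warning "$v is not set; the computer-wide default applies"; $allowed[$v] = @(); continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($raw, 0)
        $allowed[$v] = @($sd.DiscretionaryAcl |
            Where-Object { $_.AceType -eq 'AccessAllowed' } |
            ForEach-Object { $_.SecurityIdentifier.Value })
    }
    $orphans = @($allowed['LaunchPermission'] | Where-Object { $allowed['AccessPermission'] -notcontains $_ })
    foreach ($sid in $orphans) {
        Write-Warning "$sid may launch the server but has no access permission"
    }
    ($orphans.Count -eq 0) -and ($level -ge $AuthnLevel.Connect)
}

Set-OpcServerDcomSecurity -Name $ServerName -Group $GroupName
Get-DcomSddl (Get-AppIdKey $ServerName) 'LaunchPermission'
Test-OpcServerDcomSecurity -Name $ServerName   # $true when the guidelines hold
```

Test-OpcServerDcomSecurity is also useful on its own before any change: run against a freshly installed server it reports whether the machine-wide defaults are still in force, and after a change it flags any account that the launch ACL admits but the access ACL does not, which is exactly the "can activate but cannot use" situation the text warns about.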