Connecting Remotely to DeltaV v7.2 and Later Through OPC

Article ID: AP-0500-0023
Publish Date: 28 May 2013
Article Status: Approved
Article Type: General Product Technical Information
Required Action: Information Only
User Discipline: Configuration/Installation

Recent Article Revision History:

Revision/Publish    Description of Revision
28 May 2013         Added procedures regarding creation of Local Account for Item 2.3 and reiterated that there is no need to add any other user to the properties of the FRSOPCDV DCOM object.

(See end of article for a complete revision history listing.)

Affected Products:

Product Line    Category                Device                        Version
DeltaV          Workstation Software    VE2223 OPC Remote Services    v10.x
DeltaV          Workstation Software    VE2223 OPC Remote Services    v11.3.x
DeltaV          Workstation Software    VE2223 OPC Remote Services    v12.3
DeltaV          Workstation Software    VE2223 OPC Remote Services    v7.x
DeltaV          Workstation Software    VE2223 OPC Remote Services    v8.x
DeltaV          Workstation Software    VE2223 OPC Remote Services    v9.x

This Knowledge Base Article, AP-0500-0023, provides information to customers who want to connect remotely to OPC in DeltaV v7.2 and later.

To communicate with a DeltaV v7.2 or later system using OPC from a non-DeltaV machine running a Windows NT or later operating system, the client machine must have an application called OPCRemote installed. Furthermore, you must add user accounts to the DeltaV system and to the remote machine where you will run the OPC client. The user may need to verify the DCOM settings against those presented in this KBA.

1 Installing the OPCRemote Software on the Remote Client Machine

To ensure that the remote client has the correct OPCRemote file version required to communicate with the DeltaV OPC server, insert the appropriate disk for your DeltaV version and perform the following steps:

1. To start the installation procedure, click Start | Run then type Explorer. Browse to the DV_EXTRAS\OPCREMOTE folder on the CD and double-click OPCRemote.exe.

Note: The disk location of this folder varies depending on the DeltaV version. For DeltaV v7.3 and v7.4, it is found in DeltaV CD 2. Users will find two instances of OPCRemote in the DV_EXTRAS folder. OPCRemote is intended for Windows XP and higher operating systems while the OPCRemoteForWinNT is for Windows NT and Windows 2000. For DeltaV v7.4.1, v7.4.2, v8.4, v8.4.1, v8.4.2, it is found in DeltaV CD 4. For DeltaV v9.3 and later, it is in DeltaV DVD 1.

Page 1 of 14 Customer KB AP-0500-0023: Connecting Remotely to DeltaV v7.2 and Later Throug... 13/3/2014 http://sms.na.emersonprocess.com/xml/IR_Report.asp?cmd=get&doctype=kba_custom...

2. During the installation, the user will see the following message:

   If you are going to connect to a DeltaV OPC Server, enter the name of the DeltaV workstation. Otherwise, enter the name of the computer on which you are installing this software:

3. Enter the node name of the computer that will be the OPC server machine (e.g., a DeltaV Application Station or ProfessionalPLUS Station).

Note: If you encounter the error messages shown below when you install OPCRemote, simply ignore the messages and continue with the installation. The error messages will occur because the DeltaV and DVBHisAdmin groups do not exist on the non-DeltaV node.

The password for the DeltaVAdmin account on the client machine must match the password on the server machine for unsolicited callbacks to work properly. This is because the DeltaV OPC server is running as DeltaVAdmin on the server machine and the DeltaVAdmin account is automatically created by the DeltaV OPCRemote installation. The DeltaV Server Password Utility is automatically run when OPCRemote is installed on the remote machine to synchronize the password of the DeltaVAdmin account on the server machine and client machine. If the DeltaVAdmin account password is changed in the server machine, it must also be changed on the client machine.

On the client machine, go to the c:\Program Files\FRS\OPCRemote folder and run ServPwd.exe (DeltaV Server Password Utility) to re-synchronize the DeltaVAdmin account password to the server machine.

- DeltaV v7.2 DeltaV Server Password Utility
- DeltaV v7.3 (and later) DeltaV Server Password Utility: the Set Password to Default button is available for the reset of the DeltaVAdmin password to the original password

Note: If you are upgrading a DeltaV system, it is necessary to remove OPCRemote from the OPCRemote machine and then reinstall OPCRemote on the remote client machine from the disk that comes with the newer version of DeltaV.

2 Configuring User Accounts for the DeltaV OPC Server Machine and the Remote OPC Client

OPC uses Microsoft DCOM technology to allow a client to connect to a server running across a network that uses TCP/IP. Any two machines configured for DCOM communications can be set up to run as a DeltaV OPC client and server.

Remote OPC Client Machine User Setup

The OPC client application runs using a valid Windows account and DeltaV account on the server machine. The server is set up differently depending on whether the computers are in a workgroup or domain. The following sections describe the various setup options. The term opcuser is used as an example user account name.

2.1 Both OPC Client machine and DeltaV OPC Server Machine are in a Workgroup

The opcuser account runs as a local user if both the OPC client machine and DeltaV OPC server machine are in a workgroup. To set up the opcuser on the DeltaV OPC server machine:

1. Use the DeltaV User Manager on the DeltaV OPC server machine to create a user account (opcuser account) and assign it the same password as that of the OPC client machine.
2. Make opcuser both an Operating System Account and a DeltaV Database Account.
3. Grant proper DeltaV groups (at least OPERATE group) and DeltaV locks (at least Control key) to opcuser.
4. Download the DeltaV machine.

2.2 The OPC Client Machine is in a Domain and the DeltaV OPC Server Machine is in a workgroup

The opcuser account runs as a Domain User in Domain A and the DeltaV OPC Server machine is in a Workgroup. To set up the user on the DeltaV OPC server machine:

1. Use the DeltaV User Manager on the DeltaV OPC server machine to create a user account (for example, opcuser) and assign it the same password as that of the domain user account used on the OPC client machine.
2. Make opcuser both an Operating System Account and a DeltaV Database Account.
3. Grant proper DeltaV groups (at least OPERATE group) and DeltaV locks (at least Control key) to opcuser.
4. Download the DeltaV machine.

2.3 The OPC client machine is in a workgroup and the DeltaV OPC server machine is in a domain.

The opcuser account runs as Local User (in a workgroup) and the DeltaV OPC server machine is in a Domain (Domain A). To set up the user on the DeltaV OPC Server Machine:

1. Open DeltaV User Manager to create a user account with the same name and password as the local user account (opcuser account) of the OPC client machine.
2. Make opcuser both an Operating System Account and a DeltaV Database Account.

Note: Starting in DeltaV v10.3, the computer/domain selection must be set to <unspecified> for the opcuser account so that OPC communication will work.

3. Grant proper DeltaV groups (at least OPERATE Group) and DeltaV locks (at least Control key) to this user.
4. Create a local user on the DeltaV Application Station that has exactly the same user name and password as the elected opcuser via Local Users and Computers on Windows Operating System.

Note: This is applicable to a member server, i.e. not a domain controller.

5. Download the DeltaV machine.

Alternatively, use Windows User Manager application to perform the following tasks on the DeltaV OPC Server Machine:

1. Create a local user account (opcuser account).
2. Assign it the same password as that of the OPC client machine.
3. Add it to the local DeltaV group.
4. Open DeltaV User Manager and create a DeltaV Database account with the same name as the local user account (opcuser account).
5. Grant proper DeltaV groups (at least OPERATE Group) and DeltaV locks (at least Control key) to this user.
6. Download the DeltaV machine.

2.4 The OPC Client Machine is in Domain A and the DeltaV OPC Server Machine is in Domain B - Domain A has a Trust Relationship With Domain B

Scenario 1: The opcuser account runs as Domain A User and the DeltaV OPC Server is in Domain B, and Domain B trusts Domain A.

Since a two-way trust exists between the two domains, use either Windows User Manager in the DeltaV OPC Server machine to create a local user account or Active Directory Users and Computers to add the OPC client's opcuser account (Domain A) to the DeltaV OPC Server (Domain B) machine. In addition, be sure to do the following:

1. Use Active Directory Users and Computers to add Domain A\opcuser to the DeltaV group of the DeltaV domain; or use Windows User Manager to add the local user account to the local DeltaV group.
2. Use the DeltaV User Manager to create opcuser as a DeltaV Database account.
3. Grant proper DeltaV groups (at least OPERATE Group) and DeltaV locks (at least Control key) to this user.
4. Download the DeltaV machine.

Another way to set up the opcuser account on the DeltaV OPC Server domain would be to do the following:

1. Open DeltaV User Manager on the DeltaV OPC Server machine to create a user account with the same name and password as the domain user account (opcuser account) of the OPC client machine.
2. Make opcuser both an Operating System Account and a DeltaV Database Account.

Note: Starting in DeltaV v10.3, the computer/domain selection must be set to <unspecified> for the opcuser account so that OPC communication will work.

3. Grant proper DeltaV groups (at least OPERATE Group) and DeltaV locks (at least Control key) to opcuser.
4. Download the DeltaV machine.

Scenario 2: The Client Runs as Domain A User and the Server is in Domain B, and Domain B does not trust Domain A.

To set up the user on the DeltaV OPC Server Machine set up as a domain member, use Windows User Manager to do the following:

1. Create a local user account (opcuser account).
2. Assign it the same password as the OPC client machine.
3. Make the opcuser account a member of a DeltaV group.
4. Create a DeltaV Database account with the same name as the local user account (opcuser account).
5. Grant proper DeltaV groups (at least OPERATE Group) and DeltaV locks (at least Control key) to the opcuser account.
6. Download the DeltaV machine.

Another way to set up the opcuser account on the DeltaV OPC Server machine set up as either a domain member or domain controller would be to do the following:

1. Open DeltaV User Manager on the DeltaV OPC Server machine to create a user account with the same name and password as the domain user account (opcuser account) of the OPC client machine.
2. Make opcuser both an Operating System Account and a DeltaV Database Account.

Note: Starting in DeltaV v10.3, the computer/domain selection must be set to <unspecified> for the opcuser account so that OPC communication will work.

3. Grant proper DeltaV groups (at least OPERATE Group) and DeltaV locks (at least Control key) to opcuser.
4. Download the DeltaV machine.

Note: The one-way trust configuration will not work if the OPC client machine is also a domain controller and the OPC Server machine is not a domain controller. In this case, it is required that a two-way trust be established for OPC communication to work.

3 DCOM Setup

Distributed Component Object Model (DCOM) is an application level protocol for object-oriented remote procedure calls. This is useful for distributed, component-based systems of all types. Furthermore, it is useful to OPC in that it allows a client to connect to a server running across a network that uses TCP/IP. To use DCOM, do the following steps:

1. Connect two machines on a network with TCP/IP network protocol.
2. Enable DCOM on both machines (normally DCOM is enabled automatically during the operating system installation).
3. Set the DCOM security to allow the client to connect to the server application.

Windows provides a utility called dcomcnfg.exe. This utility provides a user interface where the necessary DCOM registry settings can be configured.

3.1 Enabling DCOM on the PC

If DCOM is not enabled, you can enable it by doing the following steps on both the server and client machines:

1. Go to Start | Run. Type in dcomcnfg.exe and then press ENTER.
2. When the Component Services window appears, right-click on the My Computer icon and then select the Default Properties tab.
3. Select the checkbox Enable Distributed COM on this computer.
4. Changing this value requires a reboot. The EnableDCOM registry key is set to Y when this box is checked.

If DCOM is not enabled, then all cross-machine calls are rejected (the caller, typically, gets an RPC_S_SERVER_UNAVAILABLE return code).

3.2 Setting the Location of the OPC Data Server

On the server machine, the DeltaV OPC Data Server application must be set to run on the local machine.

1. Go to Start | Run. Type in dcomcnfg.exe and then press ENTER.
2. Select the entry FrsOpcDv from the applications list and select the Properties button.
3. Select the Location tab.
4. Select the Run application on this computer checkbox.

On the client machine, the DeltaV OPC Data Server application must be set to run on the server machine. This is set up automatically when DeltaV OPC Remote is installed. This can be verified by following these steps:

1. Go to Start | Run. Type in dcomcnfg.exe and then press ENTER.
2. Select the entry DeltaV OPC Server from the applications list and select the Properties button.
3. Select the Location tab.
4. Select the checkbox Run application on the following computer.
5. Type in the name of the server machine.

3.3 Setting DCOM Properties

On both the server and client machines, the DeltaV OPC Data Server application must have the correct properties.

1. Go to Start | Run. Type in dcomcnfg.exe and then press ENTER.
2. When the Component Services window appears, right-click on the My Computer icon and then select the Default Properties tab to view the default DCOM Communication Properties.
3. The Default Authentication Level should be set to Connect.
4. The Default Impersonation Level should be set to Identify.

Once access is permitted, COM will check security for each call. There are two categories, AuthenticationLevel and ImpersonationLevel.

The Authentication Level dictates how secure the communication is between the client and the server. The negotiated authentication level is the higher of the client and server levels. It cannot be RPC_C_AUTHN_LEVEL_NONE if the server wants to know who the caller is.

The Impersonation Level indicates the degree of authority that is granted to the calling application or server for it to use the identity of the client.

3.4 Setting DCOM Security

On the client machine, COM security needs to be modified to make callbacks work.

Note: Clients that call the CoInitializeSecurity() function to determine the security settings to be used by the application DO NOT require this change.

1. Go to Start | Run. Type in dcomcnfg.exe and then press ENTER.
2. When the Component Services window appears, right-click on the My Computer icon and then select the Default COM Security tab to view the default COM Security.
3. Edit the Default Access Permissions by selecting the Edit Default button.
4. Add the DeltaVAdmin user in the list of users with local and remote access permissions.

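The registry values behind the dcomcnfg.exe settings in sections 3.1 to 3.4 can be read back to confirm that a machine matches this article. The following PowerShell script is an added example, not Emerson code; it only reads the registry, and it assumes that the dcomcnfg entry names (FrsOpcDv, DeltaV OPC Server) are stored as the default values of the AppID keys.

```powershell
# Added example: read-only audit of the DCOM values this article sets through dcomcnfg.exe.
# Assumption: the dcomcnfg entry names are the default values of the AppID registry keys.
param([string[]]$AppNames = @('FrsOpcDv', 'DeltaV OPC Server'))

# Display names for the RPC_C_AUTHN_LEVEL_* and RPC_C_IMP_LEVEL_* numbers stored in the registry.
$AuthnNames = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$ImpNames   = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

function Get-RegValue {
    # Returns the named registry value, or $Default when the value does not exist.
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $Default }
}

# Sections 3.1 and 3.3: machine-wide defaults. The fallbacks are the Windows
# defaults that apply when the value is absent (DCOM enabled, Connect, Identify).
$ole    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$enable = Get-RegValue $ole 'EnableDCOM' 'Y'
$authn  = [int](Get-RegValue $ole 'LegacyAuthenticationLevel' 2)
$imp    = [int](Get-RegValue $ole 'LegacyImpersonationLevel' 2)
@(
    [pscustomobject]@{ Section = '3.1'; Setting = 'Enable Distributed COM'; Actual = $enable; Expected = 'Y'; Match = ($enable -eq 'Y') }
    [pscustomobject]@{ Section = '3.3'; Setting = 'Default Authentication Level'; Actual = $AuthnNames[$authn]; Expected = 'Connect'; Match = ($authn -eq 2) }
    [pscustomobject]@{ Section = '3.3'; Setting = 'Default Impersonation Level'; Actual = $ImpNames[$imp]; Expected = 'Identify'; Match = ($imp -eq 2) }
) | Format-Table -AutoSize

# Section 3.4: decode the Default Access Permissions security descriptor and list
# who holds local (0x2) and remote (0x4) access. A mask of exactly 0x1 is the
# legacy form that grants both.
$sdBytes = Get-RegValue $ole 'DefaultAccessPermission' $null
if ($null -eq $sdBytes) {
    'Default Access Permissions: no DefaultAccessPermission value is set on this machine.'
} else {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sdBytes, 0
    $aces = foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SID, e.g. a deleted account
        $legacy = ($ace.AccessMask -eq 1)
        [pscustomobject]@{
            Account = $who
            Type    = $ace.AceType
            Local   = ($legacy -or (($ace.AccessMask -band 2) -ne 0))
            Remote  = ($legacy -or (($ace.AccessMask -band 4) -ne 0))
        }
    }
    $aces | Format-Table -AutoSize
    if (-not ($aces | Where-Object { $_.Account -like '*\DeltaVAdmin' -and $_.Type -eq 'AccessAllowed' -and $_.Local -and $_.Remote })) {
        'DeltaVAdmin does not have local and remote access in the Default Access Permissions.'
    }
}

# Section 3.2 and the Identity tab: per-application values of the DeltaV OPC entries.
Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
    Where-Object { $AppNames -contains $_.GetValue('') } |
    ForEach-Object {
        [pscustomobject]@{
            Entry            = $_.GetValue('')
            AppID            = $_.PSChildName
            RemoteServerName = $_.GetValue('RemoteServerName')   # set when the application runs on another computer
            RunAs            = $_.GetValue('RunAs')              # account configured on the Identity tab
        }
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on both the server and the client. The RunAs column corresponds to the Identity tab described in section 3.5.
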
3.5 Access and Launch Permissions

In order for DeltaV OPC Server service to run, the DCOM access and launch permissions must have been set on the server machine. This is set up automatically when DeltaV software is installed. This can be verified by following these steps:

1. Go to Start | Run, type in dcomcnfg.exe and then press ENTER.
2. Select the entry FrsOpcDv from the applications list and select the Properties button.
3. Select the Security tab.
4. The Access permissions should include the accounts that need to connect to the DeltaV OPC Server. The SYSTEM account is the only account with Launch permission. The System account will also have Access permission.

The accounts that need to connect are the ones that will actually be running the client application. If these are not Domain accounts then the user name and password must match on both the server and client machines for Windows to recognize the users as the same account. The user name must also be a DeltaV System user on the server machine (defined by running DeltaV User Manager).

Note: Once the server is running, launch permission setting is not used. The only user that launches the server is SYSTEM. Any other client accessing the server bypasses launch permissions and requires Access permission only. The elected common OPCUSER does not need to be added to the DCOM object properties. Running workstation configuration should revert all DeltaV-related DCOM object properties to the recommended settings.

Additionally, the Identity tab, which tells COM how to launch the server, should be properly set up. There are three options in this tab:

- Interactive User: Server is launched as user who is currently logged on the machine. If nobody is logged on, launch fails.
- Launching User: Server is launched with account running the client application on the other machine.
- This User: DCOM logs on the specific user in the background and starts server using caller's token. This is the setting needed for the DeltaV OPC Data Server. This option should be selected and DeltaVAdmin should be the user name.

4 Checking the User Accounts

1. Log into both machines to verify the above account name and password using the new account.
2. On the DeltaV machine (ProfessionalPLUS or Application workstation), log into the system and log into DeltaV as well. Start | DeltaV | Engineering | Flexlock | Select the new account and login.
3. Use OPCWatchit on the DeltaV machine and verify that you can browse to a diagnostic parameter and read the value: Start | Run | OPCWatchit | click BrowsePath | browse to Diagnostics/AppStationNodeName/FREMEM.CV (where the AppStationNodeName is replaced by the name of the relevant DeltaV computername)

If you get a value returned in the value box and a Get item succeeded: 0 in the status box, then your OPC server is working. If the browse does not work, try clicking on the TypePath button and enter the following:

AppStationNodeName/FREMEM.CV

1. Log on to XP on the remote OPC client machine using the new account created.
2. Attempt to browse to and read a parameter from the DeltaV application.

Note: It may take a minute or so for the OPCWatchit to make the initial connection.

3. Click Start | Programs | FRS OPCRemote | OPCWatchit | Click BrowsePath
4. Browse to Diagnostics/AppStationNodeName/FREMEM.CV

If value is returned in the value box and a Get item succeeded: 0 is displayed in the status box, then your OPCWatchit has succeeded in connecting to the remote DeltaV OPC server.

If the browse button does not work, try clicking on the TypePath button, then type in the following:

AppStationNodeName/FREMEM.CV

Complete Article Revision History:

Revision/Publish    Description of Revision
28 May 2013         Added procedures regarding creation of Local Account for Item 2.3 and reiterated that there is no need to add any other user to the properties of the FRSOPCDV DCOM object.
05 May 2010         Included information about DCOM changes needed for clients not using CoInitializeSecurity and about setting up users starting with DeltaV v10.3
26 Aug 2005         Original release of article

Emerson Process Management 2012. All rights reserved. All other marks are properties of their respective owners. The contents of this publication are presented for informational purposes only, and while every effort has been made to ensure their accuracy, they are not to be construed as warrantees or guarantees, express or implied, regarding the products or services described herein or their use or applicability. All sales are governed by our terms and conditions, which are available on request. We reserve the right to modify or improve the design or specification of such products at any time without notice.