Internet Realms

A realm in VTScada has two aspects:

  • It is a name given to configuration options that include the connection protocol (HTTP) and port (usually 80). Without a realm there will be no port for Internet communications.
  • It is a group of applications that are logically associated with one another for the purpose of authenticated access from a web browser. Without a group of applications, there will be nothing to connect to on the configured port.

Realms are required and used by:

  • VTScada Thin Client Server operations including VIC and Mobile Internet Client connections.
  • ODBC Interface to VTScada History
  • Web services via the REST interface
  • Realm-Area Filtering

Do not name any realm, "Rest" or "SQLQuery". Doing so will interfere with remote access to VTScada data.

Any number of realms can be created, and any application can be placed into one or more realms. When connecting to an application, the name of the realm is included as part of the connection URL (Uniform Resource Locator, the address of a web page).

These notes and many VTScada dialogs will refer to SSL (secure socket layer) security. SSL is an older technology, but the term "SSL certificate" has become the de facto name for Internet security. Be assured that VTScada uses the more modern Transport Layer Security, implemented using X.509 certificates.

Ports

The default port number is 80, the standard Hypertext Transfer Protocol (HTTP) port. If you are using SSL, you must first obtain an SSL certificate (see SSL Certificates) and install it. In this case, supply the standard SSL port number, 443, and look at the SSL check box. If this check box is disabled, you need to supply the host + domain name for the SSL certificate in VTScada's Setup.ini configuration file (located in the installation directory). Add the following line to the [SYSTEM] section:

SSLCertName = <host+domain>

where <host+domain> is the host and domain name you specified when obtaining an X.509-compliant SSL certificate. (Do not include the angle brackets.) This must exactly match the "CN=" field of your SSL certificate. After modifying the Setup.ini configuration file, you must stop and restart VTScada for your change to take effect.

If connecting from a public network (e.g. the Internet), you will likely have to traverse firewalls and other security mechanisms. Configuring a realm or VTScada Thin Client Server to operate on other than the standard ports (port 80 for plain text HTTP, or port 443 for SSL-secured HTTPS) will likely require special configuration of such interposing security mechanisms. It is therefore advisable to operate on the standard ports whenever possible.

 

Note that there is no requirement that the port(s) used by your realms match those used in the server tab. The port on the realm is used to configure the address to which the client will connect to authenticate. After successful authentication, an XML packet will be passed back to the client, which will include the list of servers as configured on the servers tab. The client will use that list to connect to a server.

Group Sign ins and Realms

If you are using security groups and realm-area filtering, then you must create a realm having the same name as each group. Operators who would normally log on using their group name, account name, and password will instead open a URL having a realm that matches the group name and sign in using just their account name and password. They will not be allowed to connect to any other realm.

Super users, who are not members of any group, will not be able to sign in over the Internet unless the application property RootNamespace is added and its value set to the name of a realm created for the use of these accounts.

 

Configure a Realm

Preparation

Before configuring a realm, the following must be in place:

If you plan to allow programmers and developers to access diagnostic applications such as the Source Debugger or TraceViewer from an Internet connection, then you must secure those applications or else add them to a realm with a standard application.
Script applications will run when accessed by a Thin Client. Do not configure them to start automatically.
If exposing diagnostic applications to the Internet, you are strongly advised to take all possible precautions to prevent their use by unauthorized persons.

Steps:

  1. Open the VTScada Thin Client / Setup dialog, from the VAM (VTScada Application Manager).
  2. Ensure that the Realms tab is selected.
  3. Click Add in the Authorization Realms section of the dialog.

The Add Realm dialog opens.

  4. Enter a meaningful name for the realm in the Realm Name field.

Realm names should not include spaces. Use a hyphen, underscore or mixed case to indicate word boundaries (e.g. "My-Realm", "My_Realm" or "MyRealm").

  5. Enable the HTTP protocol.
  6. Enter the port number that connections to the server should use.
    This may vary from the port number configured in the Server Setup tab, depending on your network configuration.
  7. Select the number of clients.
    Some sites might allow all possible connections to the same realm while others divide their licensed connections between
  8. Click OK.

The new realm is created, and you are returned to the VTScada Thin Client / Server Setup dialog where the new realm appears in the Realm drop-down list.

  9. Click Add in the Applications Available On section of the VTScada Thin Client / Server Setup dialog.

The Add Application dialog opens as shown.

  10. Select the VTScada application you wish to add to this realm from the Application drop-down list.

The first VTScada application added to this realm is the default application for the realm. A connection is automatically attempted to the default application if a partially specified URL is provided to your web browser. For example:
     http://myserver.trihedral.com/myrealm
is a partially specified URL, containing only the protocol (http), host (myserver), domain name (trihedral.com), and realm (myrealm).

  11. Click OK.

You are returned to the VTScada Thin Client / Server Setup dialog where the selected application is added to the realm.

  12. Click the Apply button.
  13. Test using one of the three connection options.
  14. Click OK.

Your application is now available to VTScada thin clients.
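
The naming, port, certificate and group sign-in rules from this page, gathered into a check that can be run over a planned realm layout before it is entered in the dialogs. This is an added example, not VTScada code: the plan dictionary, its keys, the host name, and the realm, group and application names are constructed, and the case-insensitive reserved-name test and exact, case-sensitive matching of group names to realm names are assumptions.

```python
# Added example (not VTScada code): lint a planned realm layout against this page's rules.
# The plan dictionary, its keys and every value in SAMPLE_PLAN are constructed.
RESERVED = {"rest", "sqlquery"}  # compared case-insensitively (assumption)

def lint_realm_plan(plan):
    """Return (subject, finding) tuples for each rule the plan breaks."""
    out = []
    names = {r["name"] for r in plan["realms"]}
    cert_name, cn = plan.get("ssl_cert_name"), plan.get("cert_cn")
    for r in plan["realms"]:
        name = r["name"]
        if name.lower() in RESERVED:
            out.append((name, "reserved name, interferes with remote data access"))
        if any(c.isspace() for c in name):
            out.append((name, "realm names should not include spaces"))
        if r["port"] != (443 if r["ssl"] else 80):
            out.append((name, "non-standard port, firewalls will need special configuration"))
        if not r["ssl"]:
            out.append((name, "plain-text HTTP, sign-in traffic is not encrypted"))
        elif cert_name is not None and cert_name != cn:
            # SSLCertName in Setup.ini must match the certificate CN exactly
            out.append((name, "SSLCertName does not exactly match certificate CN"))
        if not r["applications"]:
            out.append((name, "no applications, nothing to connect to"))
    for group in plan["security_groups"]:
        if group not in names:  # exact, case-sensitive match (assumption)
            out.append((group, "security group has no realm of the same name"))
    if plan["has_super_users"] and plan.get("root_namespace") not in names:
        out.append(("RootNamespace", "must name an existing realm for super users"))
    return out

SAMPLE_PLAN = {  # constructed sample input
    "ssl_cert_name": "<scada.example.com>",  # angle brackets left in by mistake
    "cert_cn": "scada.example.com",
    "security_groups": ["Operations", "Maintenance"],
    "has_super_users": True,
    "root_namespace": "Admin",
    "realms": [
        {"name": "Operations", "ssl": True, "port": 443, "applications": ["PlantHMI"]},
        {"name": "Rest", "ssl": False, "port": 8080, "applications": []},
        {"name": "Plant Floor", "ssl": False, "port": 80, "applications": ["PlantHMI"]},
    ],
}

if __name__ == "__main__":
    for subject, finding in lint_realm_plan(SAMPLE_PLAN):
        print(f"{subject}: {finding}")
```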

Troubleshooting:

  • Unable to connect.

Check that no other service is using the configured port.

If trying to connect using the server computer, ensure that the Local option is selected (done automatically). If not, it is likely that the domain is not being recognized.

If trying to connect remotely, check that the server is visible on the network. Firewall or proxy server configuration may be required.

Check that the VTScada Thin Client Server configuration was completed correctly.

Check that security is enabled in the application, and that your account has the Thin Client Access privilege.