Architecture and Best Practices - Recommendations for PI ... - OSIsoft
Regional Seminar Series
Architecture and Best Practices:
Recommendations for PI Systems
Glenn Moffett
Product Management
OSIsoft, LLC
Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Areas of discussion & Topics Outline
Visualization
Notifications
Asset Framework
Advanced Computing Engine
PI Server
Interfaces

Hardware and Virtualization

Hardware Virtualization
Overview
[Diagram: repeated APP / OS stacks]

Operating System Virtualization
• Why are OSIsoft customers using Virtualization?
  • Server consolidation
  • Improved availability and provisioning
• OSIsoft supports virtualization
  • OSIsoft Knowledge Base article 3062OSI8
• Consider shared resources implications

Virtualized PI
[Diagram: VM Host Farm. Virtual Host A: PI Server (Secondary), ACE Server. Virtual Host B: PI Server (Primary), AF Server. Virtual Host C: Virtual Desktops (Clients), Interfaces.]

Operating System Virtualization*
Best practices
• Treat virtual machines as if they were physical machines
• Invest in Enterprise-level hardware and software
• Do not mix virtual and physical on the same host
• Use qualified Virtualization support personnel
• Test on the target platform
* OSIsoft Center of Excellence

Application Virtualization
Overview
• Applications centrally installed and managed
• Users are remote
• OSIsoft customers are successfully using Microsoft and Citrix virtualization products

64-bit Operating Systems
Overview
• Why 64-bit?
  • Access to larger memory footprint
  • Reduce limitation to applications
  • PI ACE contexts were limited due to 32-bit

PI System 64-bit operating system support
• Several products support native 64-bit operation
  • Examples: PI Server, PI WebParts, Asset Framework
• Windows compatibility layer enables 32-bit programs to run on 64-bit
  • Example: Interfaces, PI ACE
• Future product releases will support native 64-bit
  • PI ACE, PI Notifications

64-bit Application Support - Exceptions
• Certain components work only with 32-bit versions of applications
• PI System Add-ins for Microsoft Excel
• DataLink for Excel
• RDBMS interface and 64-bit drivers
• PI ActiveView & PI Graphic (SVG) require 32-bit Internet Explorer

PI System 64-bit operating system support
Best practices
• Verify support
  • Release Notes
  • Technical support
• Scenarios to watch out for
  • Applications that are plug-ins or run by another application
    • Microsoft Internet Information Server
    • Office 2010
  • Where 3rd party libraries (dlls) need to run with another application
    • RDBMS interface

PI Interface Buffering and Failover

Interface Buffering
Overview
• Ability of interface node(s) to store data in the event of disconnection from PI Server(s)
• Goal: Minimize data loss
• Two flavors
  • PI Buffer Subsystem
  • PI Bufserv
[Diagram labels: PI Server; PI Buffer Subsystem; PI interface(s); Interface Node]

Interface Failover
Overview
• Support failure of data collection
• Goal: Minimize data loss
• Synchronization is with the data source
or
• Synchronization is between the interfaces
[Diagram labels: two PI interfaces, each with a PI Buffer Subsystem; Failover mechanism]

Interface Failover
• Interfaces “watch” each other’s Heartbeat and Status
• Failover Types
  • Hot = No data loss
  • Warm = Maybe data loss
  • Cold = Some data lost
(Hint: minimize data loss by using disconnected startup)

Interface failover - Hot
[Diagram: timeline over intervals 1 to 7 (with a mark at 3.5) for the Primary Interface and the Backup Interface, each with Heartbeat and Device Status rows, plus a File and the Data Source. Labels: Failure in the communication layer; Data Collection; Send data to PI; Device Status values 95 and 0.]
• Send data to PI from the last 2 intervals (4 & 5) and this one (6)
• Possible overlap of data during intervals 4 and 5

OPC Server Failover and Interface Failover
[Diagram labels: PLC / instrument systems; primary data source (e.g. OPC server); backup data source (e.g. OPC server); primary interface; backup interface; each interface shown with PI SDK, PI API and Interface Buffer]

PI Interfaces
Best practices
• Configure Buffering
  • PI Buffer Subsystem
• Consider implementing failover support
• Disconnected start-up
• Create interface health points
• Do not authenticate to PI using piadmin

PI Server High Availability (PI HA)
Overview
• Redundancy with multiple PI Servers as one collective
• Goal: Maximize data access for clients

PI Server – High Availability Architecture
[Diagram labels: PI server collective; Primary PI server; Secondary PI server(s); Identical time series data; PI interfaces, each with a PI Buffer Subsystem; Failover mechanism; System Management Tools; Configuration changes; PI-SDK; Thin clients: PI WebParts; Smart clients: ProcessBook, DataLink, Custom applications]

PI HA and security architecture
[Diagram labels: NERC CIP-002 Critical Cyber Assets; PI Interface Node; Protected User Domain; PI Server (HA); Electronic Security Perimeter; Data Only Conduit; DMZ; PI Server (HA); Business User Domain; Desktops and Data Access Servers. Legend: Configuration Data, Time Series Data, Application Data]

PI deployment across security zones
[Diagram labels: CIP-002 Critical Cyber Assets; PI Interface Node or OEM with PI-to-PI; Data Only Conduit; Electronic Security Perimeter; DMZ; PI Server; Business User Domain; Desktops and Data Access Servers. Legend: Originator, Time Series Data, Application Data]

Replication of PI Server data
[Diagram labels: CIP-002 Critical Cyber Assets; PI – SCADA Interface; Protected User Domain; PI Server; Electronic Security Perimeter; DMZ; PI-to-PI; Business User Domain; PI Server. Legend: Originator, Time Series Data]

PI Server High Availability
Benefits
• Maintain availability during scheduled maintenance
• Redundancy of data
• Locate PI Server member close to consumers of the data
Best practices
• Implement PI Server High Availability

New PI Server Security Concepts

PI Server Security
Overview
• PI Server 3.4.380.36 (2009) introduced support for Windows Integrated Security
• Microsoft Active Directory (AD) integration
• Map AD users to PI Identities
• PI Identities are roles on the PI Server
  • PIOperators, PIEngineers, PISupervisor

Comparing PI Users and PI Identities
[Figure labels: Nancy, Bob, Jim]

Mapping Windows users to PI Identities

Authorization: Object Level Security Model

Automatic Backward Compatibility
Tag dataaccess datagroup dataowner
sinusoid o:rw g:rw w:r pi_users bob
Tag datasecurity
sinusoid pi_users:A(r,w) | bob:A(r,w) | PIWorld:A(r)
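
The conversion shown on this slide, as an added Python example (not OSIsoft code and not part of the original deck): it rebuilds the datasecurity string from the three legacy attributes and reports what PIWorld ends up with, which is the entry to review once the automatic conversion has carried old permissions forward. The mapping rules are inferred from the slide's single row; the empty form `A()`, the merging of a shared owner/group name, all function names and the two non-sinusoid sample rows are assumptions.

```python
import re

# Added example, not OSIsoft code. Rules inferred from the slide's one row:
# o = dataowner, g = datagroup, w = everyone else (PIWorld).
LEGACY_TOKEN = re.compile(r"^([ogw]):(r?w?)$")
ACL_ENTRY = re.compile(r"^\s*([^:|]+?)\s*:\s*A\(([rw,\s]*)\)\s*$")

def parse_legacy(access):
    """'o:rw g:rw w:r' -> {'o': {'r','w'}, 'g': {'r','w'}, 'w': {'r'}}."""
    rights = {}
    for token in access.split():
        m = LEGACY_TOKEN.match(token)
        if not m or m.group(1) in rights:
            raise ValueError(f"bad or repeated access token: {token!r}")
        rights[m.group(1)] = set(m.group(2))
    return {cls: rights.get(cls, set()) for cls in "ogw"}

def format_acl(entries):
    """{'bob': {'r','w'}, 'PIWorld': set()} -> 'bob:A(r,w) | PIWorld:A()'."""
    return " | ".join(
        "{}:A({})".format(name, ",".join(c for c in "rw" if c in rights))
        for name, rights in entries.items())

def to_datasecurity(access, group, owner):
    """Build the ACL in the slide's order: datagroup | dataowner | PIWorld."""
    legacy = parse_legacy(access)
    pairs = ((group, legacy["g"]), (owner, legacy["o"]), ("PIWorld", legacy["w"]))
    entries = {}
    # Assumption: when owner and group are the same name, their rights merge.
    for name, rights in pairs:
        entries[name] = entries.get(name, set()) | rights
    return format_acl(entries)

def parse_acl(acl):
    """'pi_users:A(r,w) | PIWorld:A(r)' -> {'pi_users': {'r','w'}, 'PIWorld': {'r'}}."""
    entries = {}
    for part in acl.split("|"):
        m = ACL_ENTRY.match(part)
        if not m:
            raise ValueError(f"bad ACL entry: {part!r}")
        entries[m.group(1)] = {c for c in m.group(2) if c in "rw"}
    return entries

def world_exposure(acl):
    """What the PIWorld entry grants: 'write', 'read' or 'none'."""
    rights = parse_acl(acl).get("PIWorld", set())
    return "write" if "w" in rights else "read" if "r" in rights else "none"

# Constructed rows (tag, dataaccess, datagroup, dataowner); only the first is the slide's.
SAMPLE = [
    ("sinusoid", "o:rw g:rw w:r", "pi_users", "bob"),
    ("demo_setpoint", "o:rw g:rw w:rw", "pi_users", "bob"),
    ("demo_private", "o:rw g:r w:", "piadmin", "piadmin"),
]

def review(rows):
    """Per tag: (tag, converted ACL, what PIWorld may do)."""
    acls = [(tag, to_datasecurity(a, g, o)) for tag, a, g, o in rows]
    return [(tag, acl, world_exposure(acl)) for tag, acl in acls]
```

Calling `review(SAMPLE)` returns one tuple per tag; any row reported as `write` is a tag that every PIWorld member can modify.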

Active Directory Integration
• PI Server must be a member of a domain to leverage Kerberos authentication
• Multiple AD domains must have trusts established or users and groups from other domain cannot be used
  • One-way trusts are supported: the server domain must trust the client domain
• For non-domain accounts, you can use Windows Local Groups from the PI Server machine
  • Passwords have to match for NTLM authentication

PI Identity Planning
Best practices
• Develop a PI Identity Scheme for your Organization
• Protect your data
• Ease of maintenance
• Organizational separation
• Standardize
• Consider Kerberos
• Map AD principals directly
• Map AD principals to local groups

How to Tighten Security
Best practices
1. Use the new Security Tool to help secure your PI Server
2. Disable or protect the PIADMIN account
3. Disable PI password authentication (Explicit Logins)
4. Secure piconfig by forcing login
5. Retire PI SDK-based Trusts
6. Use Windows Integrated Security

PI Server
Best practices
• Security
• Monitoring!
• MCN Health Monitor
• Archives
• Backups

PI Advanced Computing Engine

PI Advanced Computing Engine
Overview
• Develop calculations in Microsoft Visual Studio
• Wizards assist configuration
• High availability
Best practices
• Configure buffering
• Error handling
• Performance Counters
[Diagram labels: ACE; Data Buffering Services; PI-SDK; PI Server]

Module database and Asset Framework
ACE uses the Module Database (MDB) for configuration and calculation metadata
[Diagram labels: PI ACE; MDB; PI Server Collective; AF Link Subsystem; AF Server]

PI Asset Framework and PI Notifications

PI Asset Framework
Overview
• Organize PI Server data and metadata by asset
[Diagram labels: Clients: PI ProcessBook, PI WebParts 2010, PI Notifications; AF SDK; Data References; RDB OLE-DB; PI Server; PI SDK; TCP 5450; Asset Framework Service; TCP 5457; TCP 1433; MS SQL Express/Server]

PI Asset Framework – Components
• Two key components
  • AF Server
  • SQL Server database
• SQL Server
  • Express, Standard
  • Cluster or Mirror
• AF Server
  • Behind a load balancer
  • AFSDK Collective

PI Asset Framework – High Availability

PI AF – AFSDK High Availability

PI Asset Framework
Best practices
• Backups!
• Monitor SQL Server with MCN Health Monitor
• Do not run the SQL Server database engine as LOCALSYSTEM, admin, or domain admin.
• DO NOT RUN the AF Server with SysAdmin privilege (don’t use SA account, LOCALSYSTEM, or admin)
• Minor: for AF Table, disable AF2.0 compatibility, enable impersonation

PI Notifications
Overview
• Let the right people know when a critical event occurs
[Diagram labels: Clients: PI Notifications; Clients: Web Browser; Notification Scheduler & Analytic Processors; Data Buffering Services; Acknowledgement Web Page; PI Server; Asset Framework (AF) Server; MS SQL Express/Server; PI SDK on TCP 5450; AF SDK on TCP 5457; AN SDK on TCP 5458; TCP 1433; TCP 80/443]

PI Notifications
Best practices
• Configure buffering
• Performance Counters
• Configure redundant scheduler

More Information
• Whitepapers and Tech Support bulletins on OSIsoft web site
• User Manuals
  • PI Server 2010 Configuring Security
  • Asset Framework 2010 User's Guide
• OSIsoft vCampus – Online community
  • Forums, Whitepapers, Webinars

Thank you
© Copyright 2010 OSIsoft, LLC.
777 Davis St., Suite 250 San Leandro, CA 94577