...

There are two basic types of D2000 users: administrators and standard users. Administrators can edit D2000 objects using the D2000 CNF/D2000 GrEditor tools. Selected administrators can also create and edit other users. This is how to obtain the list of users in the D2000 CNF tool:

...

Note 2: External systems sometimes read/write data from/to these databases; in these cases, network connectivity from those systems is required. Best practice is to use a dedicated (if possible, read-only) database user for these reports, with access rights strictly limited to the specific database tables needed.



Please describe how the communication of D2000 clients with the D2000 Server is secured

Client processes (both user processes such as D2000 HI, D2000 CNF and D2000 GrEditor, and system processes such as D2000 Kom, D2000 Calc and D2000 DbManager) communicate with the D2000 Server over TCP, by default connecting to TCP port 3119 (a reverse connection, from the D2000 Server to processes located, e.g., in a low-level DMZ, can also be configured). On Windows, local D2000 processes (running on the same computer as the D2000 Server) use shared memory, which is faster than TCP.

Scenario 1 - Default configuration

By default, proprietary compression and encryption are used in the communication channel.


Scenario 2 - TLS configuration

A standard TLS connection (version 1.3 in D2000 version 25) is used. Clients verify the validity of the D2000 Server's certificate, so the server certificate must be regenerated and redistributed before it expires. More information on configuration and certificate generation can be found in the documentation.




Please describe what system accounts and elevated privileges are used for the D2000 system

Scenario 1 - D2000 on Linux

On Linux, D2000 runs under a user specified during installation (the default user is D2000). The D2000 application is started as a systemd service. Most D2000 processes run with basic privileges; the exceptions, described in the documentation, are:

  • D2000 Server process requires special capabilities to create multicast sockets: 
    setcap cap_net_raw=pe kernel
  • D2000 Kom process may require special capabilities to work with raw sockets, to bind to privileged ports, and to work with GPIO and serial ports:
    setcap cap_dac_override,cap_sys_rawio,cap_net_bind_service+ep kom
  • D2000 Wssc process requires access to privileged port (port<1024):
    setcap cap_net_bind_service+ep wssc
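A check that follows from the capability list above, added here as an example (it is not from the D2000 documentation or from Ipesoft): it reads getcap output for the D2000 binaries, compares each binary against the documented set, and reports any extra or missing capability. The binary names kernel, kom and wssc are the page's; the install path /opt/d2000/bin and the sample getcap lines are constructed.

```shell
#!/bin/sh
# Added example (not from the D2000 documentation): audit file capabilities on the
# D2000 Linux binaries against the minimal sets documented above and report drift.
# Binary names kernel/kom/wssc are from the page; path and sample lines are constructed.

# Expected capability sets, exactly as passed to setcap in the documentation.
expected_caps() {
    case "$1" in
        kernel) echo "cap_net_raw=pe" ;;
        kom)    echo "cap_dac_override,cap_sys_rawio,cap_net_bind_service+ep" ;;
        wssc)   echo "cap_net_bind_service+ep" ;;
        *)      echo "" ;;
    esac
}

# Normalise a capability string so that getcap output (old "name+ep" or new
# "name=ep" syntax, names ordered by capability number) compares equal to the
# setcap argument form: sorted names, sorted flag letters, '=' separator.
norm_caps() {
    spec=$(printf '%s' "$1" | tr '+' '=')
    names=$(printf '%s' "${spec%%=*}" | tr ',' '\n' | sort | tr '\n' ',' | sed 's/,$//')
    flags=$(printf '%s' "${spec#*=}" | fold -w1 | sort | tr -d '\n')
    printf '%s=%s' "$names" "$flags"
}

# Read getcap lines ("/path/bin = caps+ep" or "/path/bin caps=ep") from stdin.
# Returns 0 when every listed binary carries exactly its documented set, 1 otherwise.
audit_caps() {
    rc=0
    while read -r line; do
        [ -z "$line" ] && continue
        path=${line%% *}
        actual=${line##* }                     # last field holds the capability text
        bin=$(basename "$path")
        want=$(expected_caps "$bin")
        if [ -z "$want" ]; then
            echo "UNEXPECTED: $bin carries capabilities but none are documented: $actual"
            rc=1
        elif [ "$(norm_caps "$actual")" != "$(norm_caps "$want")" ]; then
            echo "DRIFT: $bin has '$actual', documented set is '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: kom has been given cap_sys_admin beyond the documented set.
SAMPLE='/opt/d2000/bin/kernel = cap_net_raw+ep
/opt/d2000/bin/kom cap_dac_override,cap_net_bind_service,cap_sys_rawio,cap_sys_admin=ep
/opt/d2000/bin/wssc = cap_net_bind_service+ep'
# On a real host: getcap -r /opt/d2000/bin | audit_caps
if printf '%s\n' "$SAMPLE" | audit_caps; then echo "OK"; else echo "drift detected"; fi
```

Run it periodically (or from a configuration-management check) so that an operator who adds a capability "temporarily" to kom or wssc is noticed.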


Scenario 2 - D2000 on Windows

On Windows, D2000 runs as a service under the LOCAL SYSTEM account. Individual processes may, however, run under specific users for several reasons:

  • D2000 Event Handler: if the Sysprof module is deployed, to access other computers running D2000 (to monitor disk/CPU usage, free memory, etc.). Also, if the process accesses remote file shares (e.g., to read/create TXT, XML, or CSV files), a dedicated user is needed, as network services are not available under the LOCAL SYSTEM account.
  • D2000 Kom: if the OPC DA protocol is used to connect to a remote server, the same user with an identical password has to be configured on both computers.
  • D2000 DbManager: if Kerberos authentication is used for some ODBC connections, this process may have to run under a specific user.

In the configuration of individual processes, when Autostart is enabled, a specific Windows user (together with the password) can be configured. In this case, the D2000 Server process creates a Windows service under this user and starts it. The specified user must have the "Log on as a service" right.