Skip navigation
All Places > All Things PI - Ask, Discuss, Connect > Blog > Author: aduhig

Preamble

Both PI Web API and PI Vision require an SSL certificate upon installation. The default installation will create a self-signed certificate, but users will see an ugly certificate error when navigating to it. Users can click through these errors, but configuring it in this way is bad practice. If your website is configured correctly, then these errors indicate a potential man-in-the-middle attack. You want your users to alert you if they see these errors, not click through them on a daily basis.

Chrome.pngIE.png

The simplest way to get a secure certificate that provides the best user experience within your corporate network is to use your Enterprise Certificate Authority to generate it. Users will see a nice, green padlock:

good.png

In this post, I'll walk you through setting this up. I'll assume you have obtained the following:

  • A Server with PI Vision or PI Web API installed, or to be installed. This server will be referred to from now on as the PI Web Server
  • A Domain account that is a Local Administrator on the PI Web Server
  • A Domain Administrator on standby, in case changes need to be made (see later steps for details)
  • Permission from your IT department for using Active Directory Certificate Services automatic enrolment in order to obtain certificates for your PI System production environment.

Steps

  1. On the PI Web Server, log in using a domain account that is a member of the Local Administrators group.
  2. Click Start.
  3. In the Search programs and files box, type mmc.exe, and press ENTER.
  4. On the File menu, click Add/Remove Snap-in.
  5. In the list of available snap-ins, click Certificates, and then click Add.
  6. Click Computer account, and click Next.
  7. Click Local computer, and click Finish.
  8. Click OK.
  9. In the console tree, double-click Certificates (Local Computer), and then double-click Personal.
  10. Right-click Personal, point to All Tasks, and then click Request New Certificate to start the Certificate Enrollment wizard.
  11. Click Next.
  12. Click Next.
  13. Try to find the Web Server template. If you do not see it like in the below screenshot, click cancel, go down to the Appendix 1 part of this article and follow the directions there, then come back and follow on again from step 9.
    cn.png
  14. Select the Web Server template. Click the warning icon below More information is required to enroll for this certificate. Click here to configure these settings.
  15. In the Subject name area under Type, click Common Name.
  16. In the Subject name area under Value, enter the fully qualified domain name of the server, and then click Add.
  17. In the Alternative name area under Type, click DNS.
  18. In the Alternative name area under Value, enter the fully qualified domain name of the PI Web Server, and then click Add.
  19. In the Alternative name area under Value, enter the machine name of the PI Web Server, and then click Add.
  20. Repeat the previous step for any other alternative name you would like users to use when navigating to the web application. Appropriate DNS entries will also need to be created, but this is beyond the scope of this article.
  21. Click OK.
  22. Click Enroll.
  23. Click Finish.
  24. Click Certificates then double click on your new certificate. On the Details tab, under Subject Alternative Name the names you entered above should be present.
  25. Install your software on your PI Web Server, be it PI Web API or PI Vision. If you've already installed the software, click Start, navigate to the PI Web API Admin Utility and follow the wizard to change your current self-signed certificate to your newly created certificate.

Appendix 1: If the Web Server Template is unavailable

  1. On the Certificate Authority Server (which is usually the domain controller), log in as a Domain Administrator or CA Administrator.
  2. On the CA computer, click Start, type certtmpl.msc, and then press ENTER.
  3. In the contents pane, right-click the Web Server template, and then click Properties.
  4. Click the Security tab.
  5. We need to add the computer account for the PI Vision server to this template, and give it Enroll permission. For detailed directions, follow the screenshot below and the directions underneath.
    template security.png
  6. Click Add...
  7. Click Object Types...
  8. Ensure Computers is checked.
  9. Click OK.
  10. Type the name of your PI Web Server into the object names box. In the example in the screenshot, the machine name for the server is MASTERWEB.
  11. Click Check Names and ensure that you find the account (the name should underline)
  12. Click OK
  13. Check the Enroll box under Allow with your PI Vision Server computer account selected
  14. Click OK

After following the above steps, go back to your PI Vision Server and continue the original steps.

Conclusion

Comments or corrections welcome. If you've got any questions, feel free to post them and we'll discuss!

This article was written using a Virtual Learning Lab (VLE) virtual machine. If you have your own PI System, great! You're welcome to follow along with what you've got, but if you'd like to access the machine used to build this article, you must have a subscription to the VLE. You can purchase a subscription for 1 month or 1 year here. If you've already got a subscription, visit the My Subscription page and start the machine titled "UC 2017 Hands-on Lab: Tips and Tricks with PI Builder and PI System Explorer". Once provisioned, connect with the credentials: user: pischool\student01 password: student. You can work from the full manual for the lab by downloading it here.

 

Software Versions Used in this Article

Product
Version
PI System Explorer2017 - 2.9.X
PI Asset Framework2017 - 2.9.X

 

Introduction

When building an Element template, it can be hard to figure out how to configure PI Point attributes. If you have a consistent tag naming convention, substitution parameters can be used directly, but what do you do if you don’t have a consistent naming pattern? You could bind the attribute to its appropriate tag by hand, but this might give you headaches down the line when you try to improve the template and don't see your improvements echo to all of the elements based on the template. This article works through the best method of configuring these data references when you're in this situation. We're going to demonstrate this by adding a new Attribute named Discharge Pressure to the Compressor Template, change the Units of Measure to psig, and make it Data Reference PI Point.  Then add a child-Attribute to this Attribute called Tag Name. If you find yourself in this situation while building an Asset Framework database in the future, follow this article to ensure you use best practises when doing so. In a nutshell:

The Bad Way - Hard-coded PI Point Data References

On the Element TemplateOn a Specific Element
badTemplate.pngbadElement.png

 

The Good Way - Soft-coded PI Point Data References

On the Element TemplateOn a Specific Element
goodTemplate.pnggoodElement.png

 

Prepare a "PI Servers" Element to Hold PI Data Archive Configuration

It's useful for any PI AF Database to have the PI Data Archive names held inside attribute values. This makes it a whole lot easier if you ever have to move to another PI Data Archive with a different name. You'll just need to change a single attribute value to migrate your entire database! You'll only need to do this step once for your database, then you'll be able to reuse it for all configuration int he future.

  1. Open PI System Explorer
  2. Press the Ctrl+1 key combination to go to the Elements view.
  3. Create an Element PI Servers based on the PI Server Template, and name it PI Servers. Hint: If you're doing this on your own system, you'll have to also create the PI Server template. Head to the Library, and create an Element Template called "PI Servers" and give it a single attribute of string type called "Server1".
    1.png
  4. Click on the PI Servers element, then click on the Attribute tab in the Attribute Viewing pane.  Enter the server name into the Server1 Attribute.
    2.png

 

Add a New Attribute on Your Element Template

  1. Press the Ctrl+3 key combination to navigate to the Library view.
  2. Select the Compressor Template under Element Templates.
  3. Click on the Attribute tab in the Attribute Viewing pane.
  4. Right click anywhere on the white space in the Viewing Pane and select New Attribute Template.
  5. Select the Attribute, press the F2 key, and type Discharge Pressure.
  6. For the Data Reference select PI Point.  Click inside the combo box for Default UOM and type in psig.
    3.jpg
  7. Select the Discharge Pressure Attribute and set the Data Reference to PI Point.  Click the Settings button, then in the PI Point Data Reference dialog type %@\PI Servers|Server1% in the field next to the Data Server (this grabs the value of Server1 that we ended up with in the above steps), and then type %@.|Tag Name% in the field next to the Tag Name. If this syntax doesn't make much sense now, don't worry. We're going to create a sub-attribute later called "Tag Name" that this substitution syntax will grab.
  8. One last thing, it is a best practice to never to use <default> units for a measurement.  So click on the Source Units combo-box and select psig from the available units of measure.
    7.png
  9. Click the OK Button. Note: The "quick" way to do the above steps is (once you become familiar with the syntax), is to delete the text under the Settings button and type \\%@\PI Servers|Server1%\%@.|Tag Name%;UOM=psig directly.
  10. Select the Discharge Pressure Attribute.  Right click and select New Child Attribute Template.  Press the F2 key and type Tag Name.  Change the Value Type to String. Under Properties select Hidden. Normally you would mark Attributes as Hidden if they are not important for end users to see. In our case end users don’t need to see the Tag Name as long as the Discharge Pressure attribute is displaying correctly. However, it's sometimes useful to leave this "Tag Name" attribute as visible - some users like being able to see which point this attribute is bound to.
    4.png
  11. Press the Ctrl+S key combination to Check In your changes.

 

Configure the Tag Name Attribute for a Specific Element

  1. Press the Ctrl+1 key combination to go to the Elements view.
  2. Select the first compressor element (name starts with K) in the Browser pane (Facility1>Area1>Rotating Equipment) then click on the Attribute tab in the Attribute Viewing pane.
    9.jpg
  3. Select the child-Attribute Tag Name, press the F2 key, and type cdt158 for the value.  Press the F5 key to refresh.  The Discharge Pressure Attribute is now receiving data.

 

Conclusion

Once this is configured, you would use PI Builder to manually bind the tag names to your desired tags. Following the above procedure greatly enhances the ease of management of your AF Database, and is considered best practise at the time of the publishing of this article. If you run into any issues when working through this or have any questions, you're welcome to post a comment!

 

Further Resources

  • If you're interested in learning PI AF, check out the online course
  • For a great article on tips and tricks with PI AF, check out this post
  • The full manual used to resource this post can be downloaded here

 

This article was written and adapted from materials originally developed by Ales Soudek and Nick Pabo.

Filter Blog

By date: By tag: