
The annual RSA Conference in San Francisco is a huge event with many great topics. Hope these highlights are useful to you.

 

Monday 20th:

 

OSIsoft partner AlertEnterprise! wins 1st place at the RSA innovation sandbox.  If you missed seeing AlertEnterprise! at the UC check them out online, very cool integration with PI Notifications. http://www.alertenterprise.com/

 

OSIsoft was invited to participate in the CERT/CC Vendor Forum.  Most of the mainstream IT suppliers and security technology companies were represented and the meeting was very interactive.  The most lively topic involved responsibilities for responding to bugs found in shared libraries (openssl, netsnmp, libpng, etc.; Microsoft used the term 'giblets' for libraries acquired over the years).  There is an opportunity to keep track of product dependencies and first responders. Sometimes dependencies are nested, and this affects timeliness of patches.

 

I applaud CERT/CC for bringing the group together.  It's pretty clear the security tool vendors can offer some remediation, even if just a stopgap, until a patch is available or deployed.  With the unfortunate demise of the PCSF vendor forum, CERT/CC remains an appropriate resource to coordinate security bug response between vendors.  The need for this role is likely to increase as AMI/SmartGrid technologies force even more interoperability across industrial technologies.

 

Carnegie Mellon also presented on various initiatives at the Software Engineering Institute, including the secure coding wiki at www.securecoding.cert.org (most content is for unmanaged code) and the recent release of the DRANZER ActiveX fuzz tool (OSIsoft is working with this for the next release of ActiveView).

 

 Tuesday 21st.

 

The 2009 RSA conference may be dedicated to Edgar Allan Poe because of his fondness for cryptography, but the value theme has been about collaboration.  From IT vendors to NSA, open teamwork is a key discussion focus.  Time will tell if actions follow words.

 

I liked this metaphor...cyber fraud is like pollution, we need to promote a healthy eco system and vendors need to take the lead.

 

Many of the technical presentations are about enabling collaboration – such as data leakage protection, cloud computing and federated access solutions.

 

Dependencies are forcing the issue. No power, no internet; no internet, no power.  How can this symbiotic relationship represent strength rather than an obvious vulnerability?   Keynote speakers suggest optimism that economic gains are enough to provide balance with safety, privacy and security concerns; we should consider a “good enough” approach to security.  The minority view added a security threshold with enough diligence to prevent a “black swan” catastrophic event.

 

A sub theme is that point security solutions raise complexity.  Collaboration is more than people.  Point solutions need to function as part of the security infrastructure.  From a PI System perspective, embracing Active Directory is consistent with this aspect of collaboration.  Benefits not only include management of users and groups, but the user productivity of multi-tier single sign on (Kerberos) and simplified application of security policy.

 

 Wednesday 22nd

 

The weather has been unseasonably warm. Could the hot air be coming from Washington DC attendees?  Melissa Hathaway's keynote address regarding US cyber policy recommendations amounted to little more.  We'll just have to wait until the 60 day report for the president is made public; she expects a very political discussion will follow.

 

The Rockefeller-Snow bill is already in play. Section 7 proposes licensing and certification of cyber security professionals with scope that includes critical infrastructure service providers.  Some are lobbying for similar security certification for software engineers. A Farewell Dossier scenario comes to mind. Regardless the government is expected to use its power of procurement to force more security assurance into the software supply chain.

 

Legal worked its way into many other discussions as well. Alan Paller of SANS noted the stage is set for a huge increase in cyber litigation; suppliers are easy targets if application developers have not been trained in secure code.  Microsoft's SDL includes training requirements and is now moving toward CBT style delivery, per Steve Lipner.

 

IOActive's Dan Kaminsky offered optimism about secure DNS.  He views the international collaboration on DNS as a huge success.  Indeed the coming provisions for root certificates and keys could be the most practical mechanism to enable end to end IPSEC, encryption for email, and other crypto reliant services.  The panel participants widely trashed X509 and SSL/TLS as too complex or otherwise compromised.

 

Another panel of cryptography experts framed the key management problem in a different light.  Let's consider the case of encrypted archive files. Loss of the key represents a singular way to delete all your data, ouch!

 

Thursday 23rd

 

More tracks on software professionals.  Many can talk security but are unable to recognize a security bug. Microsoft's Lipner says new apps are appearing every day with no security. Vulnerability stats show applications are the target. See the CWE top 25 programming errors at Safecode.org or SANS.  [In a later talk, it was suggested attacks are moving further up the stack and specifically targeting human interface components - seen as a combination of cyber and social attack; humans are the weakest link.]

 

The critical infrastructure presentations echo the collaboration and holistic approach themes.  Examples cited include convergence of physical and cyber defenses.  Likewise jurisdictional problems (internal, public-private, state-federal, international) are hampering implementation of standards.  At the same time convergence of technology and services is giving rise to new threats.

 

We all know log files are a mess. In the talk "IT Tower of Babel" Microsoft, Mitre and Oracle are collaborating on a common event enumeration (CEE.mitre.org) standard.  It boggles my mind that OPC AE / UA would be left out of this effort.  

 

Keynote from IBM's Brian Truskowski was excellent.  I found many parallels to OSIsoft's vision about survival, approach to security and how information is strategic to accelerate the pace of business.  In one metaphor, Brian compared today's business environment to the Titanic...just not designed for maneuverability.  CEOs see the iceberg but can't change course.

 

He goes on to emphasize complexity is the enemy.  Security needs to break out of the product mentality.  Needs to be built-in and designed to enable activity; security as an afterthought add-on hinders action...results in drowning in cost and complexity.  He notes that security is growing and nearing the ~10% of IT spending; this trend cannot continue.  We need smarter security.

 

 

 

Friday 24th

 

RSA saved one of the best for last.  Fortify's Brian Chess and Cigital's Gary McGraw were awesome presenting "Building Security in Maturity Model".  Ok, perhaps the title and BSIMM acronym need work.  But they take this topic to heart.  In summary, they said it's time for security professionals to quit making up advice.  We want science not Alchemy.  I think this rule should apply to anything named a best practice.

 

There is no magic crypto fairy dust and no silver bullets for security. We have to agree that security is an emergent property.  To that end, the enlightened work to build security into the software lifecycle. But guess what...everyone has an SDL; what really makes a security initiative successful?

 

I won't spoil it here, the printed report may not be as entertaining as Brian and Gary's delivery but I highly recommend a read if you want to know the secret sauce.  http://www.bsi-mm.com

As you might have gathered from the change to the name of this blog, the next release of our product will be called "PI WebParts" instead of "RtWebParts." We'll be gradually moving from the old name to the new over the next few months, in the various places where you see our products discussed, such as our web sites, and marketing literature. It's the same product, and of course you will be able to upgrade from RtWebParts v2.2 to PI WebParts v3.0 when it becomes available.

Sam Pride

vCampus - Australian Style!

Posted by Sam Pride Apr 17, 2009

The first 5 months of the vCampus have been very promising. We’ve already had plenty of great contributions from our user-base, from every corner of the globe. As such, the vCampus team have been looking for a team member from the AsiaPacific region. And they found me….

For those of you who have not met me, I’m based in the OSIsoft Australia office (In sunny Perth, Western Australia). I have been with the company for 3 years now, in a Field Service/Tech Support/Training role and really enjoy working with our customers and the challenges they face.

Before joining OSIsoft, I was a Software Engineer, both contracting out to various clients and as a .Net developer at a local communications company. During my time as a developer, I became quite involved with the local community and have always seen the benefits that user groups and networking provides. The lack of a developer/user community at OSIsoft was one of the first things I noticed when joining the team; I’m glad that vCampus has been established and even happier that I can be a part of it!

Keep a look out for me trolling the forums, responding when I can. I also have a few great ideas (at least I think so) in the pipeline, so “watch this space”. Feel free to email myself or the vCampus team any questions or comments and we’ll do our best to answer them in a prompt manner.

Manual entry data is an important aspect of many customers' PI servers, as is the need for Highly-Available and reliable systems. Unfortunately, using the PI-SDK to store manual entry data is not that straightforward in a PI-HA environment.

In the current release of the PI-SDK and the PI-Server, there is no out-of-the-box mechanism in place to replicate SDK writes to all members of the collective. Whilst there are features planned for future releases that will overcome these issues, we need to be able to ensure our manual entry data mechanisms work well with the existing PI version. The good news is, implementing a robust solution for Manual Entry Data (or any PI-SDK writes) in a HA environment is not overly complicated.  This blog post will hopefully outline the considerations and technical details for achieving this (and hopefully not confuse you too much!)

As mentioned previously, the PI-SDK will only write to one collective member at a time. This is further complicated by the fact that, when connecting to a named server, the SDK actually connects to the collective itself and there is no guarantee you will actually connect (or stay connected) to your desired server. To overcome this limitation, the PI-SDK provides a new Interface, IPICollective, which allows us to gather information on the Collective and target an individual server.

The IPICollective interface is a secondary interface supported by the PISDK.Server object that provides extra functionality for dealing with PI Collectives. The IPICollective allows us to access the Collective-specific information (such as the Collective Name, the members in the Collective etc) and also provides some handy methods for establishing and managing connections to various members of the collective.  We will investigate the interesting/important members of IPICollective through a quick example.

Example

The following snippet of code contains a function called OpenMember. This function will try to connect to a collective member if the server name is a member of a collective, else it will connect directly to the PI Server. As this method returns a connected (hopefully) PISDK.Server object, you can use it in place of your regular Server.Open() calls.

 

 

 


 
    'Requires a project reference to the PI-SDK and "Imports PISDK" at the top of the file.
    Protected Function OpenMember(ByVal _serverName As String, ByVal _connectionString As String) As PISDK.Server

        Dim srv As Server
        Dim sdk As PISDK.PISDK
        Dim col As IPICollective
        Dim colList As CollectiveList
        Dim colMember As CollectiveMember

        'Get a handle on the SDK
        sdk = New PISDK.PISDK()

        'set the server to point to our desired server
        srv = sdk.Servers(_serverName)

        'Check to see if it is a collective
        '(IPICollective is a secondary interface on the Server object)
        col = CType(srv, IPICollective)
        If col.IsCollectiveMember() Then
            'If so, locate the correct Collective Member
            colList = col.ListMembers()
            colMember = colList(_serverName)

            'Open the member (not the collective)
            srv = col.MemberOpen(colMember, _connectionString)
        Else
            'It is a normal server, open it as you normally would.
            'The connection string is passed through so both branches log in the same way.
            srv.Open(_connectionString)
        End If

        Return srv

    End Function



The IsCollectiveMember property of IPICollective will return true if the underlying server object is a collective member (or a collective in its own right). You should always check this property before trying to use the Collective-specific functionality of the IPICollective interface, as any unsupported request (such as determining the Collective name) will throw an error.

Once we have determined that the PI Server is a member of a collective, all we need to do is pass the appropriate CollectiveMember object (which we obtained through the ListMembers() function) to the MemberOpen() method. This behaves like the standard Server.Open() method you most likely have called in the past, meaning you can still supply a connection string. The PISDK.Server object that was returned can be used exactly as you would before.

You may be tempted to use the IPICollective.SwitchMember() method to connect to another PI Server. Whilst this method will allow you to connect to another member, you have no real control over which member you connect to. The SwitchMember() method uses the CollectiveMember's priority when failing over the connection; it will attempt to connect to the highest priority server other than itself. Calling this method multiple times would result in the connection failing over back and forth between the Primary and the first secondary, starving any additional secondaries. The only workaround to this is to programmatically update the priority for each member of the collective before switching, which is not ideal.

The final thing you will need to do before you can use this connection to send data to your Collective members is to ensure that the Replication_EnableSDKWriteValues PI Tuning parameter is set to 1. This is disabled by default and will cause any PI-SDK writes to fail. The parameter does not appear in the SMT Tuning Parameters plug-in by default; you will need to right-click on an existing entry and choose "new".

There are, however, some drawbacks to connecting and disconnecting to the various members using MemberOpen. Steve Pilon eloquently outlines some of these drawbacks in his post on the discussion forums: http://vcampus.osisoft.com/forums/p/97/302.aspx#302. Instead of duplicating Steve's comment I suggest you have a quick read and possibly join in the discussion if you have further questions in this regard. Nevertheless, these drawbacks may be outweighed by the benefits obtained through replication of data and there are also some things you can do to mitigate their effect.

Next Steps

Unfortunately, getting a connection to an individual collective member is only one part of the puzzle. Your application will need to be modified to write to all the SDK members. Furthermore, you will need to account for buffering data to SDK servers that are unavailable. There is a lot to consider when implementing replication of Data, even more so if you wish to pass the ACID test (http://en.wikipedia.org/wiki/ACID). There are many options when choosing how to implement a local cache, such as Database, Flat-Files, far too many to list here. I will address these concerns and the various options in another post (blog or discussion forum).
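
The fan-out and buffering described above can be sketched as follows. This is an added example, not code from the original post or from OSIsoft: ManualWrite, MemberWriter and ReplicatedWriter are hypothetical names, the actual write to a member is left to a delegate that a real application would implement with OpenMember and a PI-SDK write, and the backlog is held in memory only, so it would need one of the durable stores mentioned above to survive a restart.

```vbnet
Imports System
Imports System.Collections.Generic

' One manual-entry value destined for every member of the collective.
Public Structure ManualWrite
    Public ReadOnly Tag As String
    Public ReadOnly Value As Double
    Public ReadOnly Timestamp As DateTime
    Public Sub New(tag As String, value As Double, timestamp As DateTime)
        Me.Tag = tag : Me.Value = value : Me.Timestamp = timestamp
    End Sub
End Structure

' Hypothetical hook: performs the write against one named member and
' throws if that member cannot be reached or rejects the value.
Public Delegate Sub MemberWriter(memberName As String, w As ManualWrite)

Public Class ReplicatedWriter
    Private ReadOnly _writeToMember As MemberWriter
    Private ReadOnly _backlog As New Dictionary(Of String, Queue(Of ManualWrite))(StringComparer.OrdinalIgnoreCase)

    Public Sub New(memberNames As IEnumerable(Of String), writeToMember As MemberWriter)
        _writeToMember = writeToMember
        For Each name As String In memberNames
            _backlog(name) = New Queue(Of ManualWrite)()
        Next
    End Sub

    ' Queue the value for every member first, then try to deliver.
    ' Returns the names of members that still hold undelivered values.
    Public Function Send(w As ManualWrite) As List(Of String)
        For Each q As Queue(Of ManualWrite) In _backlog.Values
            q.Enqueue(w)
        Next
        Return Flush()
    End Function

    ' Drain each member's backlog oldest-first; call again later to retry.
    Public Function Flush() As List(Of String)
        Dim behind As New List(Of String)()
        For Each entry As KeyValuePair(Of String, Queue(Of ManualWrite)) In _backlog
            Try
                While entry.Value.Count > 0
                    _writeToMember(entry.Key, entry.Value.Peek())
                    entry.Value.Dequeue()   ' remove only after a successful write
                End While
            Catch ex As Exception
                ' Stop at the first failure so this member receives values in order.
                behind.Add(entry.Key)
            End Try
        Next
        Return behind
    End Function
End Class

Module Demo
    Private ReadOnly Down As New HashSet(Of String)()

    ' Constructed stand-in for the real write; simulates an unreachable member.
    Private Sub FakeWrite(memberName As String, w As ManualWrite)
        If Down.Contains(memberName) Then Throw New TimeoutException(memberName & " unreachable")
        Console.WriteLine("{0} <- {1}={2} @ {3:o}", memberName, w.Tag, w.Value, w.Timestamp)
    End Sub

    Sub Main()
        ' PISRV1, PISRV2 and LAB.PH are constructed sample names.
        Dim writer As New ReplicatedWriter(New String() {"PISRV1", "PISRV2"}, AddressOf FakeWrite)
        Down.Add("PISRV2")   ' constructed outage of one secondary
        writer.Send(New ManualWrite("LAB.PH", 7.1, DateTime.UtcNow))
        Dim behind As List(Of String) = writer.Send(New ManualWrite("LAB.PH", 7.3, DateTime.UtcNow))
        Console.WriteLine("Members behind: {0}", String.Join(",", behind.ToArray()))
        Down.Clear()         ' the member is reachable again
        Console.WriteLine("Members behind after flush: {0}", writer.Flush().Count)
    End Sub
End Module
```

Because every exception is treated as "member unavailable", a real implementation should log the exception and separate permanent failures (for example a rejected login or a missing tag) from outages, otherwise a value that can never be written blocks that member's queue indefinitely.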

ACE

Another viable alternative when implementing manual entry data for a HA environment is to use ACE. ACE uses the API to send data to PI which means data updates pass through the buffer. This will allow you to replicate data to multiple PI Servers, yet retrieve data using the PI-SDK (giving you data-access failover). It's important to remember that only updates using the PIACEPoint are sent using the API; any direct PI-SDK calls still behave as they would in your own custom app.

Unfortunately, using the IPICollective methods discussed earlier will not quite work in PI-ACE. The PI-SDK only allows one open connection per application. When you call IPICollective.MemberOpen(), you will most likely receive an error message "The server is already open under a different connection string", as the one PIACEClassLibraryHost process may be shared by multiple contexts (threads). You should not attempt to close the existing connection, as this is used by PI-ACE to retrieve data and configuration information and any premature interruption may cause crashes and unexpected behaviour. The bottom line is, when using PI-ACE to write data to PI, use the inbuilt PIACEPoint functionality.

 

 

Final Thoughts


Thanks for sticking through such a long post. I hope it has been useful to somebody! This is not the final word on this subject, there are plenty of slight details I have glossed over (which I hope to cover in a later post) and there are some great products/features in the engineering plan that will greatly improve this problem.

As always, if you have any questions or comments, please feel free to post them here or respond to me personally or the rest of the vCampus team if you would prefer to remain private.  If anybody has any alternate solutions, please, post them up; I'm sure they will be well received.


P.S. All this talk about Collectives has made me think of the Borg - looking forward to the new StarTrek movie (Geek and proud!)

The 2009 Users Conference
Lots announced - especially for 'data access'

 

That's it. It's over and it was, in my humble opinion, a frank success! Indeed, the 20th OSIsoft Users Conference was held last week in San Francisco and was rich in announcements and presentations of all kinds - especially in the 'Data Access' space.

 

vCampus was mentioned a number of times in the opening/closing keynotes, Cristobal (Escamilla) took care of the vCampus booth at the Product Expo and for my part, I gave a talk in the 'Data Access' track of the Product Theaters. Plus, anybody involved with vCampus - whether customer, partner or employee - had one of those cool vCampus "pins" on his/her name tag holder (let me tell you this drove curiosity and excitement for non-subscribers!).

 

It was really great to meet some of you in person and it was exciting to see how everybody else (i.e. non-members) was excited about the vCampus program! Registrations already started to feel this hype so this is good news for all of us: more content, more discussions, more everything!

 

For Those Who Could Not Attend the UC:
Next Webinar... Discoveries from UC2009 (April 30th)

 

Good news for those who could not attend the last Users Conference: we will hold a webinar to summarize what was announced during the event. Several pieces of exciting news were communicated, a number of which pertain to the data access products (new products, new releases of existing products, etc.)   We feel it is important for PI developers to know about these and understand where we are going to make well-informed decisions. Ray Verhoeff, who is leading the 'Data Access' roadmap on the Engineering Leadership Team at OSIsoft, will do us the honor of joining as a guest speaker.

 

The webinar is part of the vCampus-exclusive "Builders' Café Webinar Series" and is titled "Discoveries from UC2009". It is scheduled for April 30th at 9am Pacific Time and registration is already open, as you can see in the top-right corner of the vCampus Auditorium. Register Now!

 

vCampus Live!
(formerly known as the OSIsoft Developers Conference, or DevCon)

 

Another very exciting announcement made last week was the "vCampus Live!" event, which can be thought of as a revamped, redesigned Developers Conference (a.k.a. DevCon). This is a huge topic by itself so I don't want to talk too much about that here - stay tuned for future blog posts and announcements on this!

cescamilla

Live, from the UC 2009!

Posted by cescamilla Apr 1, 2009

You can feel the eagerness in the air of this fresh morning tainted by the smell of Transpara's coffee machine; distant noises make us aware of the day that is about to begin. This is a dawn for a new year, OSIsoft's new year; it will be marked with new developments, fresh ideas, new content, and more news than ever before. In a constantly evolving world and with Microsoft telling us that they do not have a plan for the next 6 months as there is no visibility into what the future will bring, we realize that one full year has passed and now it is time for a wake up call.

 


 

It is OSIsoft's 20th User Conference, a place where OSIsoft's employees and Customers discuss all things alike, from games' scores to new jokes, technical questions, use cases, family updates, and the good old-fashioned catch-up game that societies and families like to play. And that is exactly what we are, a big family.

 

And it all begins with the founder and CEO of OSIsoft giving an interesting and insightful speech about technology, stupid grids and everything; it was amazing for the customers that didn't have the chance to attend a previous Users Conference and refreshing for the lucky ones that have had the chance to attend before.

 


 

 

 

I hope to see the community members at the vCampus Live!
