2 Replies Latest reply on May 8, 2012 2:01 PM by mhamel

    Cross Domain PI Web Services

    DavidMFairchild

      Has anyone been able to use PI Web Services between two domains?  For example, to provide your PI data to a customer or supplier from a different company?

       

      After a week of reading and experimenting with help from Mattieu Hamel for a great post, I have been able to fairly reliably retrieve data within the Domain.  But, as of this writing, I have not been able to transfer data between domains, or should I say between Forests.  I also haven't been able to find any documentation anywhere on how to do it.  Although I have found plenty of documentation indicating that it can be done.

       

      I am looking for secure communication and only from an allowed user.

       

      Any help would be appreciated.

        • Re: Cross Domain PI Web Services
          mhamel

          Hi David,

           

          I have been involved in various things today that kept me busy the whole day, but I will answer you back tomorrow.

            • Re: Cross Domain PI Web Services
              mhamel

              @David: If you want to allow communication from forest XYZ.com to a PI Web Services Endpoint hosted on a Web Server (IIS) located on the Operations.ABC.int domain (within the ABC.com forest), there are many ways to do this.

               

               

              Figure 1

               

               

              Figure 2

              1. You can request the creation of a 2-way forest trust between ABC.com and XYZ.com, but this is not practical as you give everyone the right to go anywhere. (See Figure 1)
              2. You can request the creation of a 1-way forest trust between ABC.com and XYZ.com allowing XYZ.com to use resources located on the ABC.com forest, but this is not practical as you give everyone the right to go anywhere within the ABC.com forest. (See Figure 1)
              3. You can request the creation of a 2-way external trust between the Operations.ABC.int and Control.XYZ.int domains, but this means all resources within both domains can be accessed without restrictions. (See Figure 1)
              4. You can request the creation of a 1-way external trust between the Operations.ABC.int and Control.XYZ.int domains to use resources located on the Operations.ABC.com domain, but this is not practical as you give everyone the right to go anywhere within the Operations.ABC.int domain. (See Figure 1)
              5. You can request the creation of Client Certificate Mapping Authentication or an IIS Client Certificate Mapping Authentication on the Web Server within the Operations.ABC.int domain. You will map a certificate to a specific Active Directory user of the Operations.ABC.int domain. Machines from the XYZ.com forest with these certificates will be granted access to call the PI Web Services Endpoint from ABC.com. The certificate is stored with the computer. (See Figure 2)
              6. A project at OSIsoft has started with the aim of offering a similar mechanism to exchange information between different legal entities or companies that could leverage the power of the cloud to do it. If you are interested, the product manager can join the conversation. He would be interested in your particular use case(s).

              If you want to learn more about the authentication mechanisms offered by the Microsoft Web Server (IIS), I invite you to read this link.

               

              Let me know if that helped you.
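
Option 5 in the reply above (IIS Client Certificate Mapping Authentication with a one-to-one mapping), as an added configuration example; it is not part of the original posts and is not OSIsoft's own configuration. The site path, the account name, the password and the certificate value are placeholders chosen for illustration.

```xml
<!-- applicationHost.config fragment (added example).
     "Default Web Site/PIWebServices" is an assumed path for the endpoint. -->
<location path="Default Web Site/PIWebServices">
  <system.webServer>
    <security>
      <!-- Require TLS and reject any request that does not present a
           client certificate. -->
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      <authentication>
        <!-- No unauthenticated access to the endpoint. -->
        <anonymousAuthentication enabled="false" />
        <!-- One-to-one only: each accepted certificate is listed explicitly,
             so a certificate that merely chains to a trusted CA is not enough. -->
        <iisClientCertificateMappingAuthentication
            enabled="true"
            oneToOneCertificateMappingsEnabled="true"
            manyToOneCertificateMappingsEnabled="false">
          <oneToOneMappings>
            <!-- userName: a dedicated, low-privilege account in the
                 Operations.ABC.int domain (placeholder name), granted only
                 the PI data the partner is allowed to read.
                 certificate: the partner machine's public certificate as
                 base64 on a single line, without the BEGIN/END lines.
                 password: set it through IIS Manager or appcmd so that it
                 is stored encrypted rather than typed into this file. -->
            <add enabled="true"
                 userName="OPERATIONS\svc-xyz-piws"
                 password="PLACEHOLDER_SET_VIA_IIS_TOOLING"
                 certificate="PLACEHOLDER_BASE64_CLIENT_CERTIFICATE" />
          </oneToOneMappings>
        </iisClientCertificateMappingAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
```

Removing or disabling the `<add>` entry revokes that partner machine's access without touching any trust relationship between the forests.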