3 Replies Latest reply on Jun 8, 2013 9:21 PM by mhamel

    PI Web Service Security outside of .NET

    sbuster

      I'm looking to integrate with a PI system outside of the .NET platform and don't quite understand exactly what security mechanisms are supported by PI Web Services besides Windows auth.  I see lots of code examples around Kerberos/Windows integrated security, but I'd like to know how I pass in credentials simply using something like SOAPUI.  Can I use WS-SecurityToken + UsernameToken profile?  Can I simply use HTTP Basic auth and not use any SOAP details at all? 

       

       

       

      Thanks

        • Re: PI Web Service Security outside of .NET
          xwang

          Hi,

           

          The security of PI Web Services is the same as that of PI Clients.  Actually, you could look at PI Web Services as a PI Client as well.  PI Clients use the PI Trust or PI Mapping security mechanism.  Therefore, each Web Services consumer needs its own PI security settings.  For example, there are 3 computers: one for the PI server and IIS server with PI Web Services, and two for PI Web Services consumers.  The PI Server must have a security setting for each PI Web Services consumer machine individually, PI Trust or PI Mapping.  

           

          Not sure if this is clear; if you have any questions on this, please let me know.  For the explanation of PI Trust and PI Mapping, please see the user menu of PI Server.

           

          Xi Wang

           

          v-Campus engineer

          • Re: PI Web Service Security outside of .NET
            hanyong

            There are various authentications that can be configured with PI Web Services other than Windows authentication. For example having no security or authentication or using basic authentication. I am not sure what you mean by "not use any SOAP details" though.

             

            I've configured my test environment to use basic authentication instead of no authentication; perhaps what I did will be useful for you for reference. But it is probably not the only way of configuration.

             

            1. In IIS Manager, enable the site to use Basic Authentication. 

             

            My original setting has no authentication hence only Anonymous was enabled before I changed the settings.

             

            2. Update the web.config file in the PI Web Services folder.

             

            Again, my original setting had no security implemented. It was using the sample "web_config_basic_no_security.config" file located in the "/help/Samples" folder.

             

            The changes include setting the binding option to use Basic authentication for client credentials, from:

             
            <basicHttpBinding />
            

            to

             
            <basicHttpBinding>
              <binding name="basicBinding">
                <security mode="TransportCredentialOnly">
                  <transport clientCredentialType="Basic" />
                </security>
              </binding>
            </basicHttpBinding>
            

            Next, comment out the endpoint for metadata exchange for the services:

             
            <service behaviorConfiguration="DefaultServiceBehavior"
                     name="PIWebServices.PIDataService.PITimeSeriesSvcImpl">
              <!--<endpoint address="mex" binding="mexHttpBinding" name="mexBasicEndpoint"
                            contract="IMetadataExchange" />-->
              <endpoint binding="basicHttpBinding" bindingConfiguration="basicBinding"
                        name="BasicEndpoint" bindingNamespace="http://xml.osisoft.com/services/PIDataService"
                        contract="PIWebService.PIDataService.IPITimeSeries" />
            </service>
            

            After making these changes, I can connect to my PI Web Services by providing user credentials for authentication. For some of these steps, I referred to this techsupport knowledge base article and simply modified the steps to use basic authentication instead of the Windows authentication referred to in the article.

             

            One flaw in the above configuration (TransportCredentialOnly mode) is that my username and password are not encrypted. It is recommended that you use Transport mode that communicates via https so that the information is encrypted.
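
An added example, not part of the original post or of OSIsoft's code: a Python check that flags WCF bindings sending Basic credentials without transport encryption, plus a decoder showing that a Basic header is only base64-encoded. The sample config is constructed from the binding in the post, the function names are hypothetical, and the header value is the RFC 7617 example; Transport mode assumes the endpoint is served over https.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample modelled on the binding shown in the post above.
WEAK_CONFIG = """
<configuration><system.serviceModel><bindings>
  <basicHttpBinding>
    <binding name="basicBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Basic" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings></system.serviceModel></configuration>
"""
HARDENED_CONFIG = WEAK_CONFIG.replace("TransportCredentialOnly", "Transport")


def audit_bindings(config_xml):
    """Return (binding name, finding) pairs for bindings that expose credentials."""
    findings = []
    for binding in ET.fromstring(config_xml).iter("binding"):
        name = binding.get("name", "(unnamed)")
        security = binding.find("security")
        # basicHttpBinding defaults to security mode None when unspecified.
        mode = security.get("mode", "None") if security is not None else "None"
        transport = security.find("transport") if security is not None else None
        cred = transport.get("clientCredentialType", "None") if transport is not None else "None"
        if mode == "TransportCredentialOnly" and cred == "Basic":
            findings.append((name, "Basic credentials sent over plain HTTP"))
        elif mode == "None":
            findings.append((name, "binding has no transport or message security"))
    return findings


def decode_basic_header(authorization_header):
    """Return (user, password) as readable by anyone who sees the header."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    print(audit_bindings(WEAK_CONFIG))
    print(audit_bindings(HARDENED_CONFIG))
    # Header value is the RFC 7617 example, not a real credential.
    print(decode_basic_header("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
```
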

              • Re: PI Web Service Security outside of .NET
                mhamel

                @Steve: I would like to add more details to Han Yong's post.

                 

                If you are thinking of working on a non-Microsoft platform, there are other alternatives for developing with a near-.NET framework that is cross-platform compatible. You can think of the Mono framework, which is an open-source, cross-platform implementation of C# and the CLR that is binary compatible with Microsoft .NET.

                 

                Mono runs on Linux, Microsoft Windows, Mac OS X, BSD, and Sun Solaris, Nintendo Wii, Sony PlayStation 3, Apple iPhone. It also runs on x86, x86-64, IA64, PowerPC, SPARC (32), ARM, Alpha, s390, s390x (32 and 64 bits) and more.

                 

                In terms of security, Kerberos security can work with other platforms. Last year during the VCL12, we had a demonstration of PI Web Services using WS-Security from a Linux openSUSE machine with the Java language. You can take a look at the Download Center with the category Extras to download the material.

                 

                Also, you could search for the WS-* stack if you use Java with JAX-WS and Java-WS.

                 

                Regarding the use of WS-SecurityToken and UsernameToken profile, I haven't tried it myself, but IMO this should work; I don't see the real interest in using this for testing a WS-* scenario, though. Could you explain more about what you are trying to achieve?