Industrial Control Engineering: UNICOS-PVSS evolution 2011-2012
Hervé Milcent, EN/ICE/SCD, 07/10/2011


Outline
- Accessing BE/CO infrastructure
  - Description
  - Consequences on the daily work, deployment, access, etc.
- Current operational release
- Christmas release: Core, CPC
- UNICOS in LabView
- AOB:
  - Future release
  - web

PVSS and BE/CO infrastructure
- PVSS manager except Ui in Linux
- OWS = Ui in Windows and Linux
  - Linux Ui: accelerators operators (LHC, PS, etc.), from CCC
  - Windows Ui: CRYO operator, from CCC, local control room, trusted console from outside TN via terminal server
- OWS: All panels, libs, etc. in Linux Server
  - Avoid having a copy in each OWS for each project
  - access via SAMBA (Windows) and NFS (Linux)
- PVSS constraints:
  - Ui run-time: access in R/W in log and data folder and files
  - Ui editor: access in R/W in log, images, colorDB, panels, scripts, data, pictures
- BE/CO infrastructure: 300 servers - 1/3 PVSS servers and a lot of Linux consoles
  - Installation of PVSS Server automated via transfer.ref
  - Synchronization of user and passwd in all servers via e-group: ACC-all containing all the allowed users.
- NFS:
  - Automount to BE/CO NFS server
  - From each server in TN: access via NFS to all the others
- SAMBA:
  - simple and easy configuration: no difference between Ui run-time and Ui editor
  - A user allowed via SAMBA = allowed to ssh in all the servers
- PVSS project started with a service account: unicryo, qpsop, etc.

Why protect the access
- Refer to atlasecr security issue.
- IT security issue with service account
  - Tracking who logs in
- Once in a server, a user can access all the others via NFS
  - Corrupt the PVSS project.
- Many users may start the OWS Ui run-time, and should not have access to other servers

BE/CO & EN/ICE proposal for Windows OWS: server configuration
- User must have a CERN account and have signed the OC5 rules
- Access to a set of servers via SAMBA and ssh
  - PVSS servers are grouped and assigned an e-group of allowed users, e-group=ACC-UNICOS-xx (admin group to set up the e-group members: ACC-UNICOS-xx-admin), e.g.: ACC-UNICOS-cryolhc, ACC-UNICOS-cryolhc-admins
  - In these e-groups can only be:
    - Personal NICE account, like milcent
    - Operational account not defined as BE/CO op account, like qpsop
  - A user can be in many e-groups
  - A user not in the e-group = no access via SAMBA, no ssh
  - Propagation of e-group content in 15 – 30 min (if no problem in IT)
  - Propagation of re-assignment of PVSS Server and e-group: every working day
  - Detailed info
- No difference between an operator (Ui run-time) and a developer (Ui editor)
- Separate PVSS server for test and production
- 2 users
  - unicryo for EN/ICE production server use only, password known by ACC-UNICOS-admin (only EN/ICE staff: application responsible)
  - unitest for EN/ICE test purpose server
- ACC-UNICOS-admin: sudoers in all PVSS servers

BE/CO & EN/ICE proposal for Windows OWS: starting an OWS
- User must have a CERN account and have signed the OC5 rules
- OWS console on the technical network (or trusted): as before (usually login with service account: e.g. lhcop)
- From GPN (e.g. from the office):
  - PVSS developer, e.g. milcent: it is recommended to use a VPC (Virtual Personal Computer) and log in with NICE personal account
  - Operator: log in to a terminal server provided by BE/CO with NICE personal account or service account
- Outside CERN:
  - Log in to cernts with NICE personal account
  - Then same procedure as from GPN

BE/CO & EN/ICE proposal for Windows OWS: consequences
- A user not in an e-group = no samba access, no ssh in both Server and Linux console
- For accelerator related application, operators (except accelerator operators)
  - service and personal account will be allowed for log in BE/CO Windows terminal servers and Windows console in CCC for the operators, e.g. cryomoni, etc.
  - No access to Linux and Windows console in CCC (or trusted).
- For experiment application, e.g. CRYO experiment, MCS, GCS, etc.
  - use personal account only in BE/CO Windows terminal servers.
  - No access to Linux and Windows console in CCC (or trusted).
- Developers: use VPC (Virtual Personal Computer)

BE/CO & EN/ICE proposal for Windows OWS: CRYO experiment, MCS, VAC
- Same strategy
- ACC-UNICOS-admin added as sudoer in their PVSS server
- VAC: use the same CMF package as for UNICOS for OWS

BE/CO & EN/ICE proposal for Windows OWS: pending issues
- Windows 7 and Windows 2008 access via SAMBA
  - → BE/CO & IT
  - → BE/CO & EN/ICE: configuration of folders and files protections
- Validation of PVSS Ui in Windows 7, SLC 6, Windows 2008
  - → BE/CO: provide SLC 6 and Windows 2008
  - → EN/ICE/SCD: validation of PVSS Ui in all platform.
  - → EN/ICE/SCD: PVSS installation
- Procedure to get a VPC well configured
  - → BE/CO
- Procedure to get access to BE/CO terminal server with personal account
  - → BE/CO
- Cleaning list of users: remove all EN/ICE from ACC-all (except FESA developers, LabVIEW, ACC-UNICOS-admin) and re-assigning them to e-groups
  - → EN/ICE/SCD & BE/CO
- MODBUS port re-allocation:
  - → EN/ICE & BE/CO

GCS:
- Go or not go to Linux server?
  - OWS Ui: log in terminal server with personal account
  - Security issue:
    - Server on TN
    - Access to the LHC Experiment TN
    - → by default nfs automount between TN, experimental network
    - → may need a custom installation
  - Still missing some servers (G1 type)
    - → BE/CO: re-assigning servers ….
- But if we don’t go …. !

BE/CO & EN/ICE proposal for Windows OWS
Question? OK to proceed?

BE/CO servers
- 300 servers
  - 1/3 PVSS Servers
- Many consoles
- Limited resource number in BE/CO
  - Little pre-emptive maintenance
  - Action only when problem
- Let’s try to reduce the list of servers and group project per shutdown time
  - E.g.: CNGS and POPS, CRYO and CIET portal
- Consequence:
  - re-deployment in MOON and in servers
  - RBAC setup.

BE/CO servers
Question? OK to proceed?

Current release: unicos-pvss for PVSS 3.8-SP2
- Content (most important issues)
  - feature to ease the work of the standby service.
    - Remove spurious alarm: to have at the end a systemIntegrity alarm as a real alarm to be looked at
    - Handle the automatic restart of critical failing manager: LHCLogging
  - Request from POPS: EventList
  - Mandatory issue for CPC 6
    - Expert name: expert name in UNICOS used for information only. No filtering, no search on expert name, the expert name is just used like a description
    - Device/unicos configuration: extra storage
    - Children/parent relationship
    - …
  - CPC 6 compatibility: import/export, widget/faceplate, CPC 6 functions
  - Unicos-pvss Core compatible with CPC 5 and other packages
  - Export/import WindowTree/TrendTree in XML
  - Distributed control: same notation as in the installation tool → no need to clean the config file
  - Import functions called from a PVSSctrl → allow an automatic import without the import panel → very useful for icemoon, NA62
  - Easy way to find systemIntegrity alarm value: useful for SBS
    - From SystemStatus, etc. not only from the systemIntegrity alarm panel.
  - Recipe: import, duplicate existing recipe instance, create new recipe instance, modify recipe instance

Christmas release: unicos-pvss-5.2.1
- unCore
  - Clean separation between component
  - Explanation of the systemIntegrity alarm in systemIntegrity view and Front-end diagnostic views
  - More check during the import: existing alias, MODBUS com&data
- unSystemIntegrity
  - Configuration on remote system, stop/start of scripts
  - No kill of valarch during online backup
  - MAIL/SMS at startup configurable
- unLHCServices
  - Bug fix in PVSS00Laser when dealing with alert

Christmas release: issues may be included
- unCore:
  - Stop/start/add driver/simulator from import panel
  - Stop/start unicos scripts remotely
  - eventList/alarmList in faceplate
  - Comment on device
  - Device action: many privilege, list of action per domain/privilege
- unSystemIntegrity
  - Bool to systemIntegrity alarm

Christmas release: CPC

Christmas: reminder
- All remaining PVSS 3.6-SP2 servers → PVSS 3.8-SP2 and new hardware
  - need between ½ to 1 day intervention per server: no need to keep of IP like for CRYO
  - BE/CO: up to 10/day in parallel before Christmas, 6/day after
  - All packages must be ready for PVSS 3.8-SP2
- Re-organizing servers and projects
  - pvss2, pops, cv, others?
- Upgrade of installation tool

News: UNICOS in LabView
- CPC devices except AnalogParameter, DigitalParameter and WordParameter
  - Faceplate, widget, device action: 90% done, only run-time trend
  - Import: nearly 100% done
- Device access control
  - Not yet, not sure if it will be included
- Graphical Frame:
  - Tree device overview → not yet
  - EventList: based on 0.5sec time resolution → not yet
  - AlarmList → not yet
  - Panel design: old implementation
  - TrendTree/WindowTree: old implementation
- Packaging: → not yet
- TSPP S7 and Modbus frame decoding:
  - Linux: connection to Siemens OK
  - Windows: no connection yet to Siemens
  - Decoding: not yet done.

AOB
- Web
  - Similar to JCOP
  - Missing EDMS.
- Future release:
  - 5.3.0: Spring-Summer
    - Comment on devices
    - Device action access control
  - 5.4.0: End of 2012
    - XML import