Rockwell Software's Security Server Network Edition


  • 7/27/2019 Rockwell Software's Security Server Network Edition

    Getting Results with Rockwell Software Security Server (Network Edition)

    August 2000

  • 7/27/2019 Rockwell Software's Security Server Network Edition

    2/74

    Contacting Rockwell Software

    Technical Support Telephone: 1-440-646-7800
    Technical Support Fax: 1-440-646-7801
    World Wide Web: www.software.rockwell.com

    Copyright Notice: © 1999, 2000 Rockwell Software Inc., a Rockwell Automation company. All rights reserved. Printed in the United States of America. Portions copyrighted by Allen-Bradley Company, LLC, a Rockwell Automation company.

    This manual and any accompanying Rockwell Software products are copyrighted by Rockwell Software Inc. Any reproduction and/or distribution without prior written consent from Rockwell Software Inc. is strictly prohibited. Please refer to the license agreement for details.

    Trademark Notices: The Rockwell Software logo, RSAlarm, RSAnimator, RSAssistant, RSBatch, RSBreakerBox, RSButton, RSChart, RSCompare, RSControlRoom, RSData, RSDataPlayer, RSEventMaster, RSGauge, RSJunctionBox, RSLogix Emulate 5, RSLogix Emulate 500, RSGuardian, RSHarmony, RSKeys, RSLadder, RSLadder 5, RSLadder 500, RSLibrary Builder, RSLinx, RSLogix 5, RSLogix 500, RSLogix Frameworks, RSLogix SL5, RSMailman, RSNetworx for ControlNet, RSNetworx for DeviceNet, RSPortal, RSPower, RSPowerCFG, RSPowerRUN, RSPowerTools, RSRules, RSServer32, RSServer, RSServer OPC Toolkit, RSSidewinderX, RSSlider, RSSnapshot, RSSql, RSToolbox, RSToolPak I, RSToolPak II, RSTools, RSTrainer, RSTrend, RSTune, RSVessel, RSView32, RSView, RSVisualLogix, RSWheel, RSWire, RSWorkbench, RSWorkshop, SoftLogix 5, A.I. Series, Advanced Interface (A.I.) Series, AdvanceDDE, AutomationPak, ControlGuardian, ControlPak, ControlView, INTERCHANGE, Library Manager, Logic Wizard, Packed DDE, ProcessPak, View Wizard, WINtelligent, WINtelligent LINX, WINtelligent LOGIC 5, WINtelligent VIEW, WINtelligent RECIPE, WINtelligent VISION, and WINtelligent VISION2 are trademarks of Rockwell Software Inc., a Rockwell Automation company.

    Data Highway Plus, DH+, DHII, DTL, MicroLogix, Network DTL, PLC, PLC-2, PLC-3, PLC-5, PowerText, Pyramid Integrator, PanelBuilder, PanelView, PLC-5/250, PLC-5/20E, PLC-5/40E, PLC-5/80E, SLC, SLC 5/01, SLC 5/02, SLC 5/03, SLC 5/04, SLC 5/05, and SLC 500 are trademarks of the Allen-Bradley Company, LLC, a Rockwell Automation company.

    Microsoft, MS-DOS, Windows, and Visual Basic are registered trademarks, and Windows NT, Windows 98, Microsoft Access, and Visual SourceSafe are trademarks of the Microsoft Corporation.

    ControlNet is a trademark of ControlNet International.

    DeviceNet is a trademark of the Open DeviceNet Vendors Association.

    Ethernet is a registered trademark of Digital Equipment Corporation, Intel, and Xerox Corporation.

    Pentium is a registered trademark of the Intel Corporation.

    Adobe and Acrobat are trademarks of Adobe Systems Incorporated.

    IBM is a registered trademark of International Business Machines Corporation. AIX, PowerPC, Power Series, RISC System/6000 are trademarks of International Business Machines Corporation.

    UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Limited.

    AutoCAD is a registered trademark of Autodesk, Inc.

    Warranty: This Rockwell Software product is warranted in accord with the product license. The product's performance will be affected by system configuration, the application being performed, operator control and other related factors. The product's implementation may vary among users.

    This manual is as up-to-date as possible at the time of printing; however, the accompanying software may have changed since that time. Rockwell Software reserves the right to change any information contained in this manual or the software at any time without prior notice.

    The instructions in this manual do not claim to cover all the details or variations in the equipment, procedure, or process described, nor to provide directions for meeting every possible contingency during installation, operation, or maintenance.

  • 7/27/2019 Rockwell Software's Security Server Network Edition

    3/74

    Preface

    Preface

    Purpose of this book

    This getting results book provides you with information on how to install and use Rockwell Software's Security Server. It also explains how to access and navigate the online help.

    Intended audience

    We assume that you are a network engineer, and that you are familiar with:

    Microsoft Windows NT

    Domain administration for Windows networks

    How does it fit in with other Rockwell Software product documentation?

    The getting results book can be considered the entry point into our documentation set. The documentation set contains pertinent, easily accessible product information and ships with the software product. The documentation set is designed to free you from tedious paper shuffling and reduce information overload. The getting results book and online help make up the RSI documentation set.

    Online help

    The online help includes all overview, procedural, screen, and reference information for the product. The help contains four basic components: overview topics, quick start topics, step-by-step procedures, and screen element descriptions (for example, text boxes, drop-down lists, and option buttons). All of the help is context sensitive with the application and provides the user with immediate access to application tasks and screen element descriptions.

  • 7/27/2019 Rockwell Software's Security Server Network Edition

    4/74

    ii Getting Results with Rockwell Softwares Security Server (Network Edition)

    Document conventions

    The conventions used throughout this document for the user interface comply with those recommended by Microsoft Corporation. If you are not familiar with the Microsoft Windows user interface, we recommend that you read the documentation supplied with the operating system you are using before attempting to use this software.

    Feedback

    Please use the feedback form, which you will find packaged with your software, to report errors and/or let us know what information you would like to see added in future editions of this document.

  • 7/27/2019 Rockwell Software's Security Server Network Edition

    5/74

    Table of Contents

    Contents

    Preface
        Purpose of this book
        Intended audience
        How does it fit in with other Rockwell Software product documentation?
        Document conventions
        Feedback

    Chapter 1  Introducing Rockwell Software's Security Server
        What Rockwell Software's Security Server is
        What is a resource?
        What is an access control list?
        What is an action?
        The Network Edition of the Security Server
        The Standalone Edition of the Security Server

    Chapter 2  Installing the Security Server and clients
        Introduction
        System requirements
        Before installing the server
        Installing the Security Server
        Setting the start up parameters for the Security Server service
        Setting up DCOM for the users of the Security Server
        Installing clients for the Security Server

    Chapter 3  Managing your Security Server configuration
        The Security Server Configuration Explorer
        The Security Server model
        Adding user groups to the system
        Importing actions for Rockwell Software applications
        Adding a single user to a group
        Adding workstation groups to the system
        Creating a resource
        Grouping resources
        Grouping actions
        Assigning access to individuals and groups
        Finding users, workstations, actions, or groups
        Viewing and changing the server properties
        Refreshing access control lists
        Using admin accounts to control access to the Security Server's Configuration Explorer
        Roaming security

    Chapter 4  Backing up and synchronizing Security Servers
        Using directory replication
        Exporting your Security Server database
        Importing your Security Server database
        Restoring a previously saved configuration

    Chapter 5  Upgrading from Standalone Edition to Network Edition

    Appendix A  Setting up A.I. Series software to use Security Server
        Creating the global resource for PLC-5 A.I. Series
        Creating the global resource for PLC-3 A.I. Series
        Creating a resource based on processor name for PLC-5 processors
        Creating a resource based on processor name for PLC-3 processors

    Appendix B  Setting which account domain controller to use
        Background
        Changing the account domain controller

    Appendix C  Consolidating processor resources for RSLogix 5 and RSLogix 500
        Rules for resource consolidation
        Consolidating processor resources
        Unconsolidation

    Glossary

    Index

  • 7/27/2019 Rockwell Software's Security Server Network Edition

    8/74

    vi Getting Results with Rockwell Softwares Security Server (Network Edition)

  • 7/27/2019 Rockwell Software's Security Server Network Edition

    9/74

    Chapter 1  Introducing Rockwell Software's Security Server

    What Rockwell Software's Security Server is

    It's easy to protect a system from unwanted intrusion or unauthorized use. Lock it up and don't let anyone use it at all. Don't connect it to a network, don't leave it where someone could get to it, and most likely, you won't have anything to worry about. The problem with that scenario, of course, is that we don't use computers that way. We can't lock them up and we can't keep them off our networks. We have to allow people to use them, and that is where security problems arise.

    We want to protect our systems from unauthorized use, but we also want authorized users to use the systems efficiently. We also want to make security efficient for ourselves, making changes to the system as simple as possible.

    Rockwell Software's Security Server is a centralized system for restricting access to resources. Centralizing the system makes it easier for you to establish and maintain secure systems.

    There are two forms of the Security Server:

    A Network Edition (the edition this book discusses), which gives you centralized control over security functions for Rockwell Software products over your entire network.

    A Standalone Edition, which gives you local control over security functions on the machine where you install the Security Server.

    These two forms operate in much the same way, except that the Network Edition has some features the Standalone Edition does not have.

    What is a resource?

    A resource is an application, processor, or computer that Security Server can restrict access to. Resources contain actions, functions that can be controlled.

  • 7/27/2019 Rockwell Software's Security Server Network Edition

    10/74

    2 Getting Results with Rockwell Softwares Security Server (Network Edition)

    Resources contain rules for access to actions, called access control lists (ACLs). These rules define who can access the resource's actions, and the circumstances under which a user can access those actions.

    Global and application resources

    Resources are either global, controlling access to actions in an application, or they are application resources, controlling access to a particular aspect of an application's functions.

    For example, in PLC-5 A.I. Series software, there is a global resource called AI5GLOBALRIGHTS. With this global resource, you can control actions in the software globally, without respect to the processors being used.

    However, PLC-5 A.I. Series software also allows you to define application resources for your processors. By using these application resources, you can control the actions in PLC-5 A.I. Series software based on what processors are being used.

    A computer can also be a resource. RSLinx, for example, uses the computer running RSLinx as a resource. To use the Security Server with RSLinx, you create a resource with the name of the computer running RSLinx, then grant or deny RSLinx actions to users for that computer.

    What is an access control list?

    Access control lists are lists of rules regarding access to actions. Simply put, access control lists (ACLs) define who can do what to a resource and from where they can do it.

    Each rule in an ACL requires a user or user group, a workstation or workstation group, and a software function (action). ACL rules are called access control entries (ACEs).

    Who can do what from where

    Access control lists answer the question who can do what from where. Forming and maintaining ACLs is the central activity in the Security Server. Therefore, understanding how ACLs work is critical to using the Security Server effectively and efficiently.

    Access control entries

    An ACL contains entries, each of which contains four parts:

    User, which defines who can or can't access the resource and action

    Workstation, which is the physical location of the user (Network Edition only)

    Action, which is an operation performed on a resource

    Deny/Grant, which defines whether the user can or cannot use the function

    Of course, many facilities will have hundreds of potential users, workstations, and actions available. The Security Server permits you to group users, workstations, and actions to make the process of creating ACLs more efficient. (Workstations are part of ACLs only in the Network Edition of the Security Server.)

    For example, if you have a group of electricians, all of whom can perform certain actions from certain workstations, you can create a group called Electricians and place all of your electricians in that group. You can then create a group of workstations called Electrician Workstations and place all of the workstations the electricians use into that group. You can then create a group of actions called Electrician Actions and place all of the actions electricians can perform in that group. You could then create an ACE that says:

    Electricians at Electrician Workstations are granted Electrician Actions

    [Figure: an access control list and its members. Each ACL member (access control entry) has four fields: User, Workstation, Action, and Deny/Grant.]

  • 7/27/2019 Rockwell Software's Security Server Network Edition

    12/74

    4 Getting Results with Rockwell Softwares Security Server (Network Edition)

    You can create groups based on however your facility is organized: by job function, by area, by whatever means you like. However you do it, you'll want to plan how you are going to organize people, workstations, and actions before you begin using the Security Server.

    What is an action?

    An action is a software function. The Security Server controls access to actions through access control lists (ACLs).

    For example, online programming is a software function that is an action for PLC-5 A.I. Series software. With the Security Server, you can control who can program online and from which workstations a given person can program online.

    Applications provide a list of their actions to the Security Server. See your application's documentation for information about how it sends its list of actions to the Security Server.

    [Figure: how groups form a simple ACL. These electricians (Bob, Hans, Sue, Ray, Hilda, Maria) make up the "Electricians" group; these workstations (Machine 1 through Machine 6) make up the "Electrician Workstations" group; and these PLC-5 A.I. Series actions (Data Table Value Modification, Description Editing, Downloading Program to PLC-5, Forcing Functions, Offline Monitoring, Offline Programming, Online Monitoring, Online Processor Mode Changes, Online Programming, Updating Program from PLC-5) can be grouped into the "Electrician Actions" group and used to form this simple ACL: "Electricians" at "Electrician Workstations" are granted "Electrician Actions".]
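The who-can-do-what-from-where check, as an added example that is not Rockwell Software's code: a small Python model of resources, ACEs and the three kinds of group, loaded with the Electricians example above. Whether an explicit Deny overrides a Grant, what happens for an unknown resource, and which PLC-5 A.I. Series actions go into Electrician Actions are assumptions made here; the manual does not state them.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Ace:
    """One access control entry: the four parts the manual lists."""
    user: str          # user name or user-group name
    workstation: str   # workstation name or workstation-group name
    action: str        # action name or action-group name
    grant: bool        # True for Grant, False for Deny


@dataclass
class Resource:
    """A resource (application, processor or computer) and its ACL."""
    name: str
    acl: list[Ace] = field(default_factory=list)


class SecurityModel:
    """User, workstation and action groups plus the resources they guard."""

    def __init__(self) -> None:
        self.user_groups: dict[str, set[str]] = {}
        self.workstation_groups: dict[str, set[str]] = {}
        self.action_groups: dict[str, set[str]] = {}
        self.resources: dict[str, Resource] = {}

    @staticmethod
    def _matches(groups: dict[str, set[str]], item: str, field_value: str) -> bool:
        # An ACE field matches when it names the item itself or a group holding it.
        return field_value == item or item in groups.get(field_value, set())

    def check(self, resource: str, user: str, workstation: str, action: str) -> bool:
        """Answer: may this user perform this action on this resource from this workstation?"""
        res = self.resources.get(resource)
        if res is None:
            return False  # assumption: an unknown resource grants nothing
        granted = False
        for ace in res.acl:
            if (self._matches(self.user_groups, user, ace.user)
                    and self._matches(self.workstation_groups, workstation, ace.workstation)
                    and self._matches(self.action_groups, action, ace.action)):
                if not ace.grant:
                    return False  # assumption: an explicit Deny overrides any Grant
                granted = True
        return granted


def build_electricians_example() -> SecurityModel:
    """Constructed data mirroring the manual's Electricians example."""
    m = SecurityModel()
    m.user_groups["Electricians"] = {"Bob", "Hans", "Sue", "Ray", "Hilda", "Maria"}
    m.workstation_groups["Electrician Workstations"] = {f"Machine {i}" for i in range(1, 7)}
    # Which PLC-5 A.I. Series actions electricians get is our choice for illustration.
    m.action_groups["Electrician Actions"] = {
        "Online Monitoring", "Forcing Functions", "Data Table Value Modification",
    }
    res = Resource("AI5GLOBALRIGHTS")  # the global resource named in the manual
    res.acl.append(Ace("Electricians", "Electrician Workstations", "Electrician Actions", True))
    # Constructed extra entry: one electrician is denied forcing from one machine.
    res.acl.append(Ace("Bob", "Machine 6", "Forcing Functions", False))
    m.resources[res.name] = res
    return m


if __name__ == "__main__":
    model = build_electricians_example()
    for who, where, what in [("Sue", "Machine 2", "Online Monitoring"),
                             ("Sue", "Machine 2", "Online Programming"),
                             ("Bob", "Machine 6", "Forcing Functions")]:
        verdict = "granted" if model.check("AI5GLOBALRIGHTS", who, where, what) else "denied"
        print(f"{who} at {where}: {what} -> {verdict}")
```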

  • 7/27/2019 Rockwell Software's Security Server Network Edition

    13/74

    Introducing Rockwell Softwares Security Server

    The Network Edition of the Security Server

    In the Network Edition of the Security Server, the software maintains the resources, user groups, and workstation groups and provides access to them from applications. Applications access the Security Server when they are about to perform a secured function (the exact timing of these accesses varies from application to application). The Security Server responds to the application, either granting or denying the user-requested action based on the ACEs.

    The Network Edition of the Security Server provides network level security. Users of this edition are domain users. User groups may be either defined in Security Server or in domain user groups.

    The Standalone Edition of the Security Server

    The Standalone Edition of the Security Server operates in much the same way as the Network Edition, except there is no separate computer running the Security Server.

    Standalone Edition provides workstation level security. For Windows NT or Windows 2000, users may be local users or private users. Private users exist only within the Security Server database. For Windows 95, Windows 98, or Windows Me platforms, users can be only private users.

    Tip: The Security Server does not work if the Rockwell Software applications on a given computer are not aware that a Security Server system exists. Generally, you must configure applications to use the Security Server, and you can override the configurations by reinstalling the software (the details of overriding the Security Server depend on the individual application). To ensure your system is secure, make sure you secure the installation disks for your Rockwell Software applications.

  • 7/27/2019 Rockwell Software's Security Server Network Edition

    14/74

    6 Getting Results with Rockwell Softwares Security Server (Network Edition)

  • 7/27/2019 Rockwell Software's Security Server Network Edition

    15/74

    Chapter 2  Installing the Security Server and clients

    Introduction

    This chapter explains how to install and start the Security Server software. The chapter includes information on the following:

    system requirements

    installation methods

    installation procedures

    updating an existing installation

    starting procedures

    After installing the software, we recommend that you read the release note located in the online help. The release note may contain more up-to-date information than was available when this document was published. To view the release note, click Start > Rockwell Software > Security Server Network Edition > Release Notes.

    System requirements

    The Network Edition of the Security Server installs in two phases:

    A server installation, which takes place on the computer on which you want to run the server.

    A client installation, which takes place on the client workstations. The server installation places the software for installing the client in a directory you can share with the workstations that will install the client for the Security Server. This saves you from having to carry disks to the client workstations and provides a centralized point for updating the client.

    The Security Server requires:

    A computer running one of the following operating systems:

  • 7/27/2019 Rockwell Software's Security Server Network Edition

    16/74

    8 Getting Results with Rockwell Softwares Security Server (Network Edition)

    Microsoft Windows NT Workstation or Windows NT Server, version 4.0 (with service pack 4 or higher). Additional computers are required if you want backup security servers. See "Should you run the Security Server on a Workstation or Server?" on page 9 for information about whether to run the Security Server on Windows NT Workstation or Windows NT Server.

    Microsoft Windows 2000 Workstation or Windows 2000 Server. Additional computers are required if you want backup security servers. See "Should you run the Security Server on a Workstation or Server?" on page 9 for information about whether to run the Security Server on Windows 2000 Workstation or Windows 2000 Server.

    Connection to a network supporting Microsoft Networking with a Windows NT 4.0 Server acting as a primary domain controller. Note that the Security Server will not work in Windows 2000 native (Active Directory) environments. It will work in mixed domain environments (without Active Directory).

    The client for the Security Server requires:

    A computer running one of the following operating systems:

    Microsoft Windows NT Workstation or Windows NT Server, version 4.0 (with service pack 4) or higher

    Microsoft Windows 2000 Workstation or Windows 2000 Server

    Microsoft Windows Me

    Microsoft Windows 98

    Microsoft Windows 95 with the DCOM patch (see Microsoft's Web site for this patch: www.microsoft.com)

    Connection to a network supporting Microsoft Networking with a Windows NT 4.0 Server acting as a primary domain controller. Note that the Security Server will not work in Windows 2000 native (Active Directory) environments. It will work in Windows 2000 forest/domains configured as mixed mode.

  • 7/27/2019 Rockwell Software's Security Server Network Edition

    17/74

    Installing the Security Server and clients

    Should you run the Security Server on a Workstation or Server?

    A significant difference between the Workstation and Server versions of Windows 2000 and Windows NT is that the Workstation versions can support only ten simultaneous network connections. This does not mean that you can have only ten Rockwell Software client applications connected to one Security Server running on a Workstation system. Communication to the Security Server takes place only when it's needed, so it's likely that you could use a Workstation to run the Security Server for much larger facilities. However, if more than ten Rockwell Software client applications try to perform a secured action at the same time, the client workstations will not be able to connect to the Security Server.

    If you already have a Server system, it's probably a good idea to run the Security Server on that system.

    Before installing the server

    Before running the server setup, you must verify the settings for the currently logged on user account. Failure to do so will result in improper installation of the software.

    You must have administrator rights on your Windows NT or Windows 2000 machine to install the Security Server. If you are not an administrator of your machine, an administrator can add your account to the Administrators group or install the Security Server for you.

    The Security Server runs as a service

    The Security Server runs as a service. However, it can't run correctly in the System account (the System account can't access network services, and the Security Server relies on network services). It must run under a user account, which means that the software must log on as a user. You may want to give the Security Server a user account of its own rather than having it run in the account of a human user. (The account you use will be validated with your account domain.)

    Tip: Installing the Security Server requires an account in which the server will run.

    When you install the Security Server, you must log on with an account that has Administrator rights. The installation program will establish the following rights for the user account under which the Security Server will run:

  • 7/27/2019 Rockwell Software's Security Server Network Edition

    18/74

    10 Getting Results with Rockwell Softwares Security Server (Network Edition)

    Act as part of the operating system

    Generate security audits

    Log on as a service

    Manage auditing and security log

    Where you should install the Security Server

    If you intend users in more than one domain to access the same Security Server,you must run the server under an account in a domain that is trusted by theother domains containing users of the Security Server.

    The following illustration shows where you can install the Security Server infour basic networking scenarios. Note this applies only to Windows NT 4.0domains; Windows 2000 native domains (with Active Directory) are notcurrently supported.

    [Figure: four networking scenarios.
    Two domains, one-way trust relationship, Domain A (account domain) and Domain B: install the server on Domain A.
    Two domains, two-way trust relationship, Domain A (account domain) and Domain B: install the server on either domain.
    Three domains, one-way trust relationships, Domain A (account domain), Domain B and Domain C, with no trust relationship between Domain C and Domain A: there is no configuration that would allow one RSSecurity Server to serve users on all three domains.
    Three domains, one-way trust relationships, Domain B, Domain A (account domain) and Domain C: install the server on Domain A.]
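The placement rule above, as an added example that is not part of the manual: a Python check that, given the domains holding Security Server users and the one-way trust relationships between them, lists the domains whose accounts every other user domain trusts directly, and runs it over the four illustrated scenarios. The trust directions for each scenario are assumed from the figure captions, and the non-transitivity of Windows NT 4.0 trusts is taken as given.

```python
from __future__ import annotations


def server_domains(user_domains: set[str], trusts: set[tuple[str, str]]) -> set[str]:
    """Domains in which the Security Server's service account may live.

    user_domains: every domain that contains users of the Security Server.
    trusts: one-way trust relationships as (trusting_domain, trusted_domain)
            pairs; a two-way trust is two pairs. Windows NT 4.0 trusts are not
            transitive, so only a direct pair counts (assumption stated above).
    A domain qualifies when every other user domain trusts it directly, which
    is the placement rule the manual states.
    """
    candidates: set[str] = set()
    for host in user_domains:
        others = user_domains - {host}
        if all((other, host) in trusts for other in others):
            candidates.add(host)
    return candidates


def figure_scenarios() -> dict[str, set[str]]:
    """The four illustrated scenarios, with constructed trust edges."""
    return {
        # B trusts A: the server must go on A.
        "two domains, one-way trust":
            server_domains({"A", "B"}, {("B", "A")}),
        # A and B trust each other: either domain will do.
        "two domains, two-way trust":
            server_domains({"A", "B"}, {("A", "B"), ("B", "A")}),
        # B trusts A and C trusts B, but C does not trust A: no valid placement.
        "three domains, no trust between C and A":
            server_domains({"A", "B", "C"}, {("B", "A"), ("C", "B")}),
        # B and C each trust A: the server goes on A.
        "three domains, B and C trust A":
            server_domains({"A", "B", "C"}, {("B", "A"), ("C", "A")}),
    }


if __name__ == "__main__":
    for name, where in figure_scenarios().items():
        print(f"{name}: install on {sorted(where) or 'no domain (not supported)'}")
```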

  • 7/27/2019 Rockwell Software's Security Server Network Edition

    19/74

    Installing the Security Server and clients 1

    Installing the Security Server

    Tip: Before installing the Security Server, you must log on to the domain in which you intend to run the Security Server. Make sure the user name under which the Security Server will run has an account on the domain. Otherwise the software will install, but it won't configure properly.

    1. On the machine on which you want to install the Security Server, insert the Security Server CD-ROM into the CD-ROM drive.

       If autorun is enabled: The Setup program starts automatically and the Welcome dialog box appears. Proceed to step 2.

       If autorun is disabled: Perform the following steps:
       a. Click Start, then click Run. The Run dialog box appears.
       b. In the Open field, type x:\setup, where x is the letter of the drive containing the Security Server CD-ROM.
       c. Click OK. The Welcome dialog box appears.

    2. Follow the instructions that appear on the screen.

    a. On the Welcome dialog box - Read the Security Server introductory information, and then click Next.

    b. On the Software License Agreement dialog box - Read the entire Software License Agreement. Click Yes to accept and continue installation, or click No to decline and exit the installation.

    c. On the Registration Information dialog box - Type your name, the name of your company, the support ID number of your software, and then click Next.

    Tip: You can find the support ID number on the product box label.

    d. On the Select Folder dialog box - Select a directory location for the Security Server application files.


       A dialog box appears, indicating that a Security Server subdirectory will be created in the specified destination directory. Click Yes to confirm, or No to exit.

       e. On the Select Components dialog box - Select installation options. In the Product (left) pane, select the Security Server product(s) that you want to install. In the Product Options (right) pane, select the component(s) of each product that you want to install. If you want to create a centralized location for the workstation client software, make sure Client Install is checked. Click Next.

       f. On the Specify Start Menu Item dialog box - Accept the default program folder, or type the name of the program folder in which you want the Security Server application icons to appear. Click Next.

       A dialog box appears, indicating the specified location of the Security Server icons in the Start menu. Click Yes to confirm, or No to exit.

       g. On the Security Server Network Edition dialog box - Confirm your previous selections, and then click Next. The Setup dialog box appears while files are being copied to the hard disk drive.

       h. On the Rockwell Software's Security Service Installer dialog box - Set the parameters for running the Security Server. These parameters are described on page 13.

       i. On the Rockwell Software's Security Service Installer dialog box - Read and follow the instructions. You can also refer to the instructions starting on page 14 for information regarding setting up DCOM for the server.

       j. On the Setup Complete dialog box - Select the activation and readme viewing options and click Finish.

       To begin activation, insert the Master disk into the 3.5-inch disk drive.

       k. On the EVMOVE dialog box - Follow the instructions that appear on the screen to activate the Security Server software.

       l. On the Restart Windows dialog box - Specify the restart option for your operating system and click Finish. The installation is complete.

    3. When you are finished installing the software, remove the Security Server CD-ROM from the CD-ROM drive and the Security Server Master disk from the disk drive. Store them in a safe place.

    Tip  If you have a number of computers that will be clients for the Security Server, you can automate the process of selecting servers for the clients. See page 20 for more information.


    Setting the start up parameters for the Security Server service

    After the setup program copies its files to your server's hard drive, it will display the Rockwell Software's Security Service Installer window. The following table describes the installation parameters.

    The Security Server runs as a service whether it starts automatically at machine startup, or manually when a client requests it to start, or through the Services applet. (See your Windows NT or Windows 2000 documentation for information about running the Services applet.)

    If the server starts manually through DCOM (when a client requests it to start), it will stop when the last client disconnects from it.

    This parameter:   Does this:

    Domain            The domain of the user account in which the Security Server will run.

    Account           The user account under which the Security Server will run. By default, this field shows the account you are currently using. If this is not the account you want to run the Security Server, enter the correct account name.

    Password          The password for the account under which the Security Server will run. The field is blank by default. You must enter the password for the account.

    Startup Mode      The Security Server runs as a service. You can have the service start when Windows starts or you can choose to start the service manually.

                      Manual: The Security Server starts when an application requests it. This is the default setting.

                      Automatic: The Security Server starts when the machine boots.

                      Most likely, you'll want the service to start manually. That way, the server does not run until an application requests it, taking the minimum amount of resources. However, for large networks, you probably will want the service to start automatically.


    If the service fails to install properly

    When you click OK, the Security Server validates the user name with the domain controller. If you did not log on to the correct domain, or if the user name you have entered is not a valid user and enabled in the domain you entered, configuration of the Security Server service will fail.

    If you have entered a valid domain and user, but not a valid password for that user, the Security Server service will fail to start due to a logon failure.

    To solve these problems, verify that the user for the Security Server exists in the domain, then log on to that domain. Run the Security Server Service Installer, and correct the problem. (Click Start > Rockwell Software > Security Server Network Edition > Security Service Installer.)

    For the account validation to work properly, you must disable the Guest account. See your Windows NT or Windows 2000 documentation for information about disabling accounts.

    Changing the service installation parameters

    You can change the service installation parameters by running the Security Server Service Installer. Click Start > Rockwell Software > Security Server Network Edition > Security Service Installer.

    The server will be identified for the Security Server clients by the name of the machine running the Security Server. Note the name of the machine running the server.

    If the service is started automatically at machine startup or manually through the Services applet, the service can only be stopped by the Services applet. (See your Windows NT or Windows 2000 documentation for information about running the Services applet.)

    Setting up DCOM for the users of the Security Server

    Applications communicate to the Security Server using Microsoft's Distributed Component Object Model system, otherwise known as DCOM. You must set up DCOM so users of the Security Server can launch and access the Security Server.


    There are two layers to DCOM configuration. There is a default layer, which applies to all DCOM-enabled applications. There is also an application-specific layer, which applies only to the application being accessed (in this case, the Security Server database). Users must have rights to both layers; if they are denied access to the default layer, they cannot access the application-specific layer.

    Create a group of users for the Security Server

    Probably the most efficient way of handling the configuration is to create a group of users. You must be an administrator of the computer on which you are creating the group.

    See your Windows NT or Windows 2000 documentation for information about creating user groups.

    Give the group access to the service

    Give the new user group the Access this computer from network right. The group members will need this right, since they will be using the network to access the server.

    Tip  DCOM connections are cached by the server. If a user attempts a connection and the connection fails because the user does not have rights to make the connection, the server will continue to deny that user access until the server is rebooted. The same thing applies to made connections; once a user can make a connection, that user will be able to make that connection until the computer running the Security Server is rebooted. Therefore, when you make changes to the DCOM configuration, it is a good idea to reboot the computer running Security Server.


    Set up the DCOM configuration so the group has access

    DCOM configuration is done through the DCOMCNFG.EXE application.

    Start DCOMCNFG

    To start DCOMCNFG, click Start > Run. Type DCOMCNFG, then click OK. This opens the Distributed COM Configuration Properties window.

    Set the default properties

    In the Distributed COM Configuration Properties window, click the Default Properties tab. Set the default DCOM properties as shown.

    Tip  The DCOMCNFG application may look somewhat different on your system. The setting location and names should be the same.

    [Figure: Default Properties tab. Set the Default Authentication Level to Connect. Set the Default Impersonation Level to Identify. Make sure this box is checked!]


    Setting the default DCOM permissions

    In the Distributed COM Configuration Properties window, click the Default Security tab.

    Set the default launch permissions

    In the Default Launch Permissions section, click the Edit Default button.

    Add the Security Server users group to the list of who can launch a DCOM application. Make sure Type of Access is set to Allow Launch.

    If the SYSTEM account is not added with Allow Launch access, DCOM cannot start (the System Control Manager, which runs DCOM, runs in the SYSTEM account). Make sure the SYSTEM account is in the default launch permissions list with Allow Launch access. It is also a very good idea to have the INTERACTIVE user in this list as well. Otherwise, someone using the Security Server on the server machine may not be able to start it.

    Set the application-specific DCOM properties

    In the Distributed COM Configuration Properties window, click the Applications tab. Click the Sentinel.Database application, then click Properties. This displays the Sentinel.Database properties window.

    In the Sentinel.Database properties window, click the Security tab.

    [Figure: Sentinel.Database properties window, Security tab. The access permissions section sets who can access the Security Server; the launch permissions section sets who can launch the Security Server.]


    For the access permissions section, click Use custom access permissions. Click Edit and add the Security Server user group. Make sure Type of Access is set to Allow Access.

    For the launch permissions section, click Use custom launch permissions. Click Edit and add the Security Server user group. Make sure Type of Access is set to Allow Launch.

    Reboot the server computer

    To make sure your changes to the DCOM configuration are in place, reboot the computer. Otherwise, old cached connections could prevent proper configuration.
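The two-layer rule above (a user must be allowed in the default DCOM layer and in the Sentinel.Database layer, and the default launch list must contain SYSTEM and INTERACTIVE) is easy to get wrong when the group is added in one place but not the other. The following is an added example, not Rockwell Software's code or anything shipped with DCOMCNFG: it models both layers as sets of trustees holding Allow and reports which layer blocks a given user. The user, group and permission tables are constructed for illustration; only the "SYSTEM" and "INTERACTIVE" names come from the manual.

```python
"""Two-layer DCOM permission check, as the manual describes it.

Added example, not Rockwell Software's code.  It models the machine-wide
Default Launch/Access Permissions (DCOMCNFG, Default Security tab) as one
layer and the Sentinel.Database custom permissions as a second layer: a
user must be allowed in both, and a denial at the default layer hides the
application-specific layer entirely.  The user, group and permission
tables below are constructed for illustration.
"""

# Accounts the manual says the default launch list must contain, with the
# consequence of leaving each one out.
REQUIRED_DEFAULT_LAUNCH = {
    "SYSTEM": "DCOM cannot start servers at all",
    "INTERACTIVE": "users at the server console may be unable to start the server",
}


def missing_default_launch(default_perms):
    """Accounts missing from the default launch list, with the consequence."""
    launch = default_perms.get("launch", set())
    return {acct: why for acct, why in REQUIRED_DEFAULT_LAUNCH.items()
            if acct not in launch}


def trustees_of(user, groups):
    """The user's own name plus every group that lists the user as a member."""
    return {user} | {g for g, members in groups.items() if user in members}


def can_use_server(user, groups, right, default_perms, app_perms):
    """Decide whether `user` holds `right` ('launch' or 'access') on the server.

    default_perms and app_perms map a right to the set of trustees that have
    Allow for it.  Returns (allowed, reason), naming the layer that blocked.
    """
    names = trustees_of(user, groups)
    if not names & default_perms.get(right, set()):
        return False, f"{right} denied at the default DCOM layer"
    if not names & app_perms.get(right, set()):
        return False, f"{right} denied at the Sentinel.Database layer"
    return True, f"{right} allowed by both layers"


# Constructed sample configuration (hypothetical group and user names).
GROUPS = {"SecurityServerUsers": {"alice", "bob"}}

DEFAULT_PERMS = {  # Default Security tab
    "launch": {"SYSTEM", "INTERACTIVE", "SecurityServerUsers"},
    "access": {"SecurityServerUsers"},
}
APP_PERMS = {      # Sentinel.Database > Security tab, custom permissions
    "launch": {"SecurityServerUsers"},
    "access": {"alice"},   # bob was left out here by mistake
}


def report(groups=GROUPS, default_perms=DEFAULT_PERMS, app_perms=APP_PERMS):
    """Evaluate each user for each right; returns {(user, right): (ok, reason)}."""
    users = {"alice", "bob", "carol"}   # carol is not in the group
    return {(u, r): can_use_server(u, groups, r, default_perms, app_perms)
            for u in sorted(users) for r in ("launch", "access")}


if __name__ == "__main__":
    for acct, why in missing_default_launch(DEFAULT_PERMS).items():
        print(f"default launch list lacks {acct}: {why}")
    for (user, right), (ok, why) in report().items():
        print(f"{user:6} {right:6} {'OK' if ok else 'NO'}  {why}")
```

Because the server caches connection results until it is rebooted, running a check like this against the intended configuration before the reboot is cheaper than discovering a missing group through a user who can no longer connect.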

    Installing clients for the Security Server

    To install the client for computers running A.I. Series software (or to place the Configuration Explorer on a client machine):

    1. From the computer running the Security Server, give read access for the ClientSetup directory (by default, C:\Program Files\Rockwell Software\Security Server\ClientSetup) to the client workstations.

    2. From the client workstations, install the client software from the ClientSetup directory on the server. (The client is already installed on the computer running the Security Server.)

    Tip  When you install a Rockwell Software application that uses the Security Server, client software is installed along with the application (except for A.I. Series software).

    When you install a client for the Security Server on a client machine, you can also install the Security Server Configuration Explorer, which allows you to administer security rights from client workstations. This can be very convenient for administration of your security system.

    If you install the Configuration Explorer on a client machine, make sure you create administrator accounts for the Security Server (see page 36). Otherwise, any user on the client machine will be able to change the security configuration.


    Configuring the clients to use servers

    From a computer that has a client for the Security Server installed, click Start > Rockwell Software > Security Server Client > Security Server Definition. This application defines the servers to which you are attaching the client.

    To define a server:

    1. Click Browse to display a Network Neighborhood view of computers on your workstation's domain.

    2. In the list of machines that appears, click the name of the machine that is running the Security Server, then click OK.

    3. To add backup Security Servers into the list, click New, select a server, then click OK.

    [Figure: Security Server Definition window. Click Browse to locate a server. When you select a workstation name, it appears here. Click Add to add the selected server to the list. Click New to define a new server. When you have defined a server, it appears in this list. Click these arrows to change the server priority.]

    Important  If you are configuring a backup Security Server, make sure its server list matches the primary Security Server's list.


    4. You can adjust the priority of machines (the order in which the client will look at servers) by clicking on a server then clicking the arrow buttons next to the server list. Servers toward the top of the list have higher priority.

    5. Click the OK button. You have now configured the client to use Security Servers.

    If the client is unable to connect to the primary Security Server, it will try to connect to backup servers in the order set in step 4.

    Enable remote DCOM (for Windows 98 clients)

    If you are running the Security Server client on a computer running Windows 98, you must enable remote DCOM before you can connect the client to the Security Server computer. To enable remote DCOM:

    1. Start the DCOMCNFG application. This application allows you to configure DCOM settings. To run DCOMCNFG:

       a. Click Start > Run.

       b. Type DCOMCNFG, then click OK. This opens the Distributed COM Configuration Properties window.

    2. Click the Default Security tab.

    3. Check the Enable Remote Connection checkbox.

    Automating client setup

    You can automate the client setup process by changing the SERVER.INI file found in the ClientSetup directory on the Security Server. Changing the SERVER.INI file simplifies and speeds the process of configuring clients by placing the server names into the client configuration by default.

    This is an example of a SERVER.INI file:

    ; This file will contain the machine name where the Security Server

    ; has been installed as the "Primary" server. You can define backup

    ; servers by adding multiple entries to this file.

    ;

    [ServerNames]

    Primary = SECURITY_SERVER

    ;Backup#n =

    ; where n = 1, 2, 3, ...

    (Comment lines start with a semicolon.)


    Note that the primary server is defined for you. When the Security Server is installed, the primary server is defined as being the computer on which the server was installed. In the example shown above, the computer called SECURITY_SERVER is the primary Security Server.

    You can define backup servers as shown in the following example:

    [ServerNames]

    Primary = SECURITY_SERVER

    Backup#1 = MAIL_SERVER

    Backup#2 = ACCOUNT_SERVER

    Backup#3 = BACKUP_SERVER

    Once the SERVER.INI file is changed, you will find those four servers defined without having to run the Security Server Definition application, saving some time in selecting and arranging those servers.
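As an added example (not Rockwell Software's code, and not how the client itself reads the file), the parser below derives the failover order the manual describes from SERVER.INI text: Primary first, then Backup#1, Backup#2, ... by number regardless of the order the lines appear in, with semicolon lines treated as comments. It also implements the check from the Important note above, that a backup server's SERVER.INI must carry the same list as the primary's. The two sample files are constructed after the examples in the manual.

```python
"""Reading SERVER.INI the way the manual describes the client using it.

Added example, not Rockwell Software's code.  It derives the order in
which a client tries Security Servers (Primary, then Backup#1, Backup#2,
... by number) and checks that a backup server's SERVER.INI carries the
same list as the primary's, which the manual requires.  The sample files
below are constructed after the example in the manual.
"""
import configparser
import re

BACKUP_KEY = re.compile(r"^Backup#(\d+)$")


def server_order(ini_text):
    """Return the server try-order from SERVER.INI text.

    Raises ValueError when [ServerNames] or Primary is missing, since a
    client with no primary has nothing to connect to.
    """
    # Comment lines start with a semicolon; "#" inside "Backup#1" is not a comment.
    cp = configparser.ConfigParser(comment_prefixes=(";",), interpolation=None)
    cp.optionxform = str          # keep "Backup#1" as written, do not lower-case it
    cp.read_string(ini_text)
    if not cp.has_section("ServerNames"):
        raise ValueError("SERVER.INI has no [ServerNames] section")
    names = cp["ServerNames"]
    primary = names.get("Primary", "").strip()
    if not primary:
        raise ValueError("SERVER.INI defines no Primary server")
    backups = []
    for key, value in names.items():
        m = BACKUP_KEY.match(key)
        if m and value.strip():
            backups.append((int(m.group(1)), value.strip()))
    order = [primary]
    for _, name in sorted(backups):  # Backup#1 before Backup#2, whatever the file order
        if name not in order:        # a server listed twice is tried once
            order.append(name)
    return order


def lists_match(primary_ini, backup_ini):
    """True when a backup server's SERVER.INI yields the same order as the primary's."""
    return server_order(primary_ini) == server_order(backup_ini)


# Constructed samples modelled on the manual's examples.
DEFAULT_INI = """\
; This file will contain the machine name where the Security Server
; has been installed as the "Primary" server. You can define backup
; servers by adding multiple entries to this file.
;
[ServerNames]
Primary = SECURITY_SERVER
;Backup#n =
; where n = 1, 2, 3, ...
"""

EDITED_INI = """\
[ServerNames]
Primary = SECURITY_SERVER
Backup#3 = BACKUP_SERVER
Backup#1 = MAIL_SERVER
Backup#2 = ACCOUNT_SERVER
"""

if __name__ == "__main__":
    print(server_order(DEFAULT_INI))            # ['SECURITY_SERVER']
    print(server_order(EDITED_INI))             # primary, then backups 1, 2, 3
    print(lists_match(EDITED_INI, DEFAULT_INI)) # False: the backup's list is incomplete
```

Comparing the derived order rather than the raw file text means two files that differ only in comments or in the order of their Backup#n lines still count as matching, which is what the client's behaviour depends on.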


    Chapter 3

    Managing your Security Server configuration

    The Security Server Configuration Explorer

    The Security Server Configuration Explorer is the tool you use to configure Rockwell Software application security. It is used to create resources, to define resource ACLs, to group users, workstations and resources. It is also used to configure the properties of the Security Server, to perform access checks, and to provide troubleshooting help. It also allows you to import and export databases for synchronizing the databases for Security Servers.

    You can use the Security Server Configuration Explorer from a machine on which you have the Security Server. If you have installed the Configuration Explorer on machines running the client, you can also run it from there. However, you must run Configuration Explorer from the domain in which the Security Server is running. Otherwise, you may not be able to access all of the users or machines you need to configure the Security Server system.

    Starting Configuration Explorer

    To run Configuration Explorer, click Start > Rockwell Software > Security Server Network Edition > Security Config Explorer.

    Important  Configuration Explorer can make changes only to the primary Security Server. To make changes to both your primary and backup Security Servers, you must make the changes to the primary Security Server, then copy the database from the primary server to the backup server. See page 39 for more information.

    The Security Server model

    Rockwell Software's Security Server is based on resources. Rules are set up for each resource. Each rule specifies a user or user group, a workstation or workstation group, an action or action group, and whether the access is granted or denied.


    For example, you may want certain users to be able to monitor a specific PLC-5 processor from any workstation. You may want these same users to be able to modify that processor's program while online with that processor, but only from workstations in line-of-sight of that processor. You can create rules (ACLs) to do this with the Security Server.

    About resources

    In the Security Server, there are two types of resources: global or application. Global resources control access to actions (functions) in a software product. Application resources control access to specific applications of a software product.

    For example, in PLC-5 A.I. Series software, there is a global resource called AI5GLOBALRIGHTS. With this global resource, you can control actions in the software globally, without respect to the processors being used.

    However, PLC-5 A.I. Series software also allows you to define application resources for your processors. By using these application resources, you can control the actions in PLC-5 A.I. Series software based on what processors are being used.

    A computer can also be a resource. RSLinx, for example, uses the computer running RSLinx as a resource. To use the Security Server with RSLinx, you create a resource with the name of the computer running RSLinx, then grant or deny RSLinx actions to users for that computer.

    Precisely what an application resource is varies depending on the software you use with the Security Server. For example, for PLC-5 A.I. Series software, an application resource is a processor. When rules of access are applied to functions associated with one of these application resources, software functions are controlled with respect to that processor. For RSLinx software, an application resource is the computer running RSLinx.

    Resource names and IDs

    Resources have a name, an ID, and a description. The description helps let users of the resource understand what the resource is for. The name and ID are used by the client application to identify the resource.

    Tip  You can change whether the server grants or denies actions by default through the Security Server's Configuration Explorer Properties function (see page 32).


    How actions are added to the Security Server database

    Before you can create access control lists for using actions, you must add the actions to the Security Server database. Different applications have different methods of adding actions; consult the documentation for the application for the correct method.

    See Importing actions for Rockwell Software applications on page 26 for information on how to import the actions for several Rockwell Software applications.

    Adding user groups to the system

    For large systems with many users and workstations, it's best to group users into logical groups, such as Managers or Electricians. You can then assign actions to entire groups rather than to individuals.

    If you want to assign actions to groups of users, you need to assign users to a group.

    To add a group of users to the system:

    1. Right-click the Users/Groups folder, then click New Group. The software displays the User Group - New window.

    2. Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), or slash (/).

    3. Click the Group Members tab.

    4. Click the Add button. The software displays a browser window, which allows you to browse through your Windows network to find users.

    5. Once you find the user you want to add, click the user name, and then click OK.

    6. Repeat steps 4 and 5 for all of the users you want to add to the group.

    Tip  As a convenience, once you add a user or workstation to a group in Configuration Explorer, that user or workstation becomes available in the _Security Server domain in Configuration Explorer. You can use the Security Server domain as a shortcut to the users or workstations you have previously added.


    Importing actions for Rockwell Software applications

    Action lists for several Rockwell Software applications are available as Security Server database backup files. You can import these files to add actions for these applications.

    For this application:                                      Import this file:

    RSLogix 5                                                  RSLogix5Security.bak

    RSLogix 500                                                RSLogix500Security.bak

    PLC-3 A.I. Series software                                 AI3Security.bak

    PLC-5 A.I. Series software                                 AI5Security.bak

    RSBatch                                                    RSBatchSecurity.bak

    RSLinx                                                     RslinxSecurity.bak

    RSLogix Frameworks Diagram Developer Offline and Online    FrameworksSecurity3.bak

    To import one of these files, open Configuration Explorer, click File > Import, then select the file you want to import. (Alternately, you can right-click the Actions/Groups folder, then click Import Actions.) The files are located (by default) in the \Rockwell Software\Security Server\System folder.

    Consult the documentation for your specific application for more information about configuring it to use the Security Server.

    Adding a single user to a group

    If you are adding one or two users and you know the logon names of those users, it is probably faster to add them individually. To add a single user:

    1. Open the group to which you want to add the new user.

    2. Click the Group Members tab.

    3. Click the Add User button. The Enter user name dialog appears.

    4. Type the logon name of the user in the User Name field. If the user is in the same domain that you are currently logged onto, type just the user's logon name (you can type the domain name too, but it is not necessary). If the user is in another domain, you need to type the domain and user name.


    5. To validate that the user is a member of the domain (or that you have the correct user), click Display. The Description and Full Name fields will show the user's information from the account domain controller (if the information exists).

    6. To finish, click Add User. This also validates that the user exists on the account domain controller, and adds the user to the group.

    Adding workstation groups to the system

    You can also group workstations and assign actions to those groups. For instance, you may want people in your office to be able to program offline but not online. If you grouped workstations into Office and Plant groups, and assigned rights based on location, you could then restrict online programming from your office.

    If you want to assign actions to groups of workstations, you need to assign workstations to a group.

    To add a group of workstations to the system:

    1. Right-click the Workstations/Groups folder, then click New Group. The software displays the Workstation Group - New window.

    2. Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), slash (/), or backslash (\).

    3. Click the Group Members tab.

    4. Click the Add button. The software displays a browser window, which allows you to browse through your Windows network to find workstations.

    5. Once you find the workstation you want to add, click the workstation name, and then click OK.

    6. Repeat steps 4 and 5 for all of the workstations you want to add to the group.

    Tip  One use of workstation groups is to create line of sight access rules, allowing access to a process only from those workstations where the process can be seen.


    Creating a resource

    To create a resource:

    1. Right-click the Resources/Groups folder, then click New. The software displays the Resource - New window.

    2. If you are creating a resource for an application (a global resource), click the Global Resources (Application Name) drop-down list, and select the application for which you want to create a global resource. The fields fill in with the appropriate information.

       If your application is not shown in the Global Resources (Application Name) drop-down list, consult the documentation for your application for information about the name and resource ID it requires.

    3. If you are creating an application resource, click the Application Resources drop-down list, then click the application for which you want to create a resource. Click the Browse button, then browse for the resource you want to create.

       Currently, there are two types of resource available by browsing. Depending on the application for which you are creating a resource, you can browse for a workstation (through a network browse window) or for a processor (through RSLinx Super Who). The type of browse window you will see depends on the application you select in the Application Resources list.

    Tip  Do not change the name or resource ID of the global resource for an application. Applications use this information when communicating with the Security Server; if it is changed, user access will be denied.

    Tip  If you are creating application resources for RSLogix 5 or RSLogix 500 (which consist of processors and the communication drivers used to communicate with them), you may want to consolidate those resources so they are not dependent on the computers from which they are being accessed. See Consolidating processor resources for RSLogix 5 and RSLogix 500 on page 53 for more information.


    Grouping resources

    You can group resources to efficiently create ACLs for them. For example, if you have a series of PLC-5 processors in one location, and those processors have resources, you can group those resources to make assigning rights easier.

    To create a resource group:

    1. Right-click the Resources/Groups folder, then click New Group. The software displays the Resource Group - New window.

    2. Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), slash (/), or backslash (\).

    3. Click the Group Members tab. You'll see a list of the available resources in the security system. Select the actions you want in the group, then click the right arrow (>>) button. The selected actions move into the Member Items list.

    4. Click the OK button. The resource group is now ready to have users assigned to it.

    Grouping actions

    If your system is particularly complex, you may want to group actions as well. Grouping actions permits you to assign combinations of actions to individuals or groups. For example, you may want your maintenance employees to be able to monitor machines but not modify data values or program them. You could group all of the monitoring actions and assign them to your maintenance employees. (On top of that, you could group your maintenance employees, group the maintenance actions, and then assign the action group to the maintenance employee group.)

    To create an action group:

    1. Right-click the Actions/Groups folder, then click New Group. The software displays the Action Group - New window.

    2. Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), slash (/), or backslash (\).

    3. Click the Group Members tab. You'll see a list of the available actions in the security system. Select the actions you want in the group, then click the right arrow (>>) button. The selected actions move into the Member Items list.


    4. Click the OKbutton. The action group is now ready to have usersassigned to it.

    Assigning access to individuals and groups

    You can assign access to actions to individuals and groups through theresource. For example, if you want to assign the actions for an application, goto that application's resource.

    To assign actions to individuals or groups:

    1. Click the resource containing actions you want to assign.

    2. Click theAccess Control List tab. The access control list, or ACL, is thelist of who has rights to actions for that resource.

    3. In the Users/Groups field, type the name of the user or group of usersyou want to have rights to an action. If you want to browse for the name,click the button next to the Users/Groups field.

    4. If you want to limit the action to a particular workstation or group ofworkstations, type the name of the workstation or workstation group intheWorkstations/Groups field. If you want to browse for the name,click the button next to theWorkstations/Groups field.

5. Select the actions you want to assign, then click the right arrow (>>) button. The selected actions move to the Selected Actions list.

6. If you intend to grant access to these actions, click the Grant button. If you intend to deny access to these actions, click the Deny button.

7. Click OK. The access control list fills with the actions you assigned.

    Editing an access control list entry

To change an access control list entry, click the entry, then click Edit. A window appears, allowing you to change the entry.

Tip: Use user and workstation groups in resource ACLs. You'll probably find it easier to debug your ACLs if you do it that way.


    How access control list entries are applied

An access control list entry (ACE) that comes first in an access control list has precedence over the rules below it. For example, if the first ACE in an access control list grants a group of users every action for a resource, you can't deny those users an action later in the list. However, if you want to deny a group of users a particular action but grant all others, you can place the denial first in the access control list, then place an ACE granting access to all actions under the denial. The denial takes precedence because it came first, but that group of users still has access to the other actions from that resource.

The same thing applies to groups of users. If a user is denied access to an action early in an access control list, but the user is part of a group that is granted access to that same action later in the same list, the user is denied access to that action.

Example: Let's say we have a user named Bob at a workstation called Workstation1. Bob is trying to perform an action for which there are two access control entries (ACEs).

First ACE:   Grant for Bob/Workstation1
Second ACE:  Deny for */Workstation1
Result:      Because Bob was granted the action in the first ACE, the second ACE is ignored.


Moving access control list entries

Because access control list entries that come first take precedence over entries that come later, you can move rules higher or lower in the access control list to try to avoid rule conflicts (or set up conflicts to your advantage).

To move an entry, click the entry, then click the up or down arrow buttons to move the rule into the position you want.

Example: Let's say Bob is still at Workstation1, but we change the ACE order.

First ACE:   Deny for */Workstation1
Second ACE:  Grant for Bob/Workstation1
Result:      Because everyone (*) at Workstation1 was denied the action in the first ACE, the second ACE has no effect. Even though the second ACE would allow Bob to perform the action, it is ignored because the first ACE has priority.

Finding users, workstations, actions, or groups

You can search for users, workstations, actions, or groups in the project tree. To do this, click Edit > Find, and enter a string to find in the Search for field. Do not use wildcards (like ? or *) in your search strings. You can enter a partial string (like down for download).

You can search down in the tree, up in the tree, or in both directions.

Viewing and changing the server properties

Through the Security Server's Configuration Explorer, you can view and modify the current configuration of the Security Server. To view the server's configuration, click File > Properties. The Property Page window appears.


General tab

The General tab shows general system information. This information may be useful for troubleshooting or if you require technical support with the Security Server.

This information:      Means:
Server Machine Name    The name of the computer running the server.
Database Version       The version of the Security Server database (where the security information is stored).
Workstation Groups     The number of workstation groups in your current database.
Workstations           The number of workstations in your current database.
Resource Groups        The number of resource groups in your current database.
Resources              The number of resources in your current database.
Action Groups          The number of action groups in your current database.
Actions                The number of actions in your current database.
User Groups            The number of user groups in your current database.
Users                  The number of users in your current database.

Setup tab

The Setup tab allows you to control some of the behavior of the Security Server.


    Default Security Access

You can set the Security Server to grant or deny access to actions by default. (When you first install the Security Server, it denies access by default. If you have more actions you want to grant than deny, you may want to set up the Security Server to grant access by default, then create denials in the access control lists for your resources.)

    Database Backup Files

By default, the Security Server keeps three backup files of your security database. If the Security Server database becomes corrupt, you may be able to recover your database from one of these backup files. (See page 39 for more information.) You can select from zero to nine backup files.

    Security Audit Events

Windows NT has an Application Log that allows you to see when certain actions take place. If you want to log client and Configuration Explorer events in the Application Log, check the appropriate boxes. (Security Server events, such as startup and shutdown of the server, are always logged.)

You can access and view the Application Log through the Event Viewer application that comes with Windows NT or Windows 2000. See your Windows NT or Windows 2000 documentation for information regarding using Event Viewer.

Log Audit Events to Sentinelx.log

Check this box if you want to log Security Server events to a file rather than to the Windows NT/Windows 2000 Application Log. If you choose to log events to a file, the Security Server writes event log information to a comma-delimited ASCII file that can be imported into other applications (such as Microsoft Excel) for review.

    Maximum Log Files

If you choose to log events to a file, the Maximum Log Files listbox becomes available. Use this box to set how many days of logging you want to retain. The Security Server will create a new Sentinelx.log file for each day on which an entry occurs (new files are created at midnight). The log files are stored in the System\log folder under the folder where the Security Server is installed.

Tip: Resources must always be defined in the Security Server database whether default access is set to grant or deny. If a resource is not defined, access to it will be denied.
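The following is an added example written for this page, not Rockwell Software's code. It models the behaviour described under "How access control list entries are applied" (the first matching ACE wins, and a user denied early in the list is not rescued by a group grant later in it) together with the Default Security Access setting above and the tip that an undefined resource is always denied. The ACE record layout, the resource names, the action names Download and Upload, the user Alice and the Maintenance group are constructed assumptions; the manual does not specify how entries are stored.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

ANY = "*"  # the manual's "*": everyone, any workstation, or every action


@dataclass(frozen=True)
class ACE:
    """One access control entry (assumed layout, not the product's format)."""
    effect: str              # "grant" or "deny"
    principal: str           # user name, user group name, or "*"
    workstation: str         # workstation name, workstation group name, or "*"
    actions: FrozenSet[str]  # action names, or frozenset({"*"}) for every action


def _field_matches(pattern: str, name: str, groups: Set[str]) -> bool:
    """A name field matches on wildcard, exact name, or a group the name belongs to."""
    return pattern == ANY or pattern == name or pattern in groups


def check_access(acls: Dict[str, List[ACE]], resource: str, action: str,
                 user: str, user_groups: Set[str],
                 workstation: str, ws_groups: Set[str],
                 default: str = "deny") -> str:
    """Return "grant" or "deny" for one request.

    The resource's ACL is walked top to bottom and the first matching entry
    decides; later entries are never consulted.  With no match the server's
    Default Security Access applies.  A resource that is not in the database
    is denied regardless of that default (the manual's tip).
    """
    if resource not in acls:
        return "deny"
    for ace in acls[resource]:
        if (_field_matches(ace.principal, user, user_groups)
                and _field_matches(ace.workstation, workstation, ws_groups)
                and (ANY in ace.actions or action in ace.actions)):
            return ace.effect
    return default


# Constructed sample ACLs: the two Bob/Workstation1 figures from the manual,
# plus a list that denies one user an action before granting his group everything.
ALL_ACTIONS = frozenset({ANY})
SAMPLE_ACLS: Dict[str, List[ACE]] = {
    "Line3_Controller": [ACE("grant", "Bob", "Workstation1", ALL_ACTIONS),
                         ACE("deny", ANY, "Workstation1", ALL_ACTIONS)],
    "Line3_Controller_Reordered": [ACE("deny", ANY, "Workstation1", ALL_ACTIONS),
                                   ACE("grant", "Bob", "Workstation1", ALL_ACTIONS)],
    "Line4_Controller": [ACE("deny", "Bob", ANY, frozenset({"Download"})),
                         ACE("grant", "Maintenance", ANY, ALL_ACTIONS)],
}


def demo() -> Dict[str, str]:
    """Evaluate the manual's scenarios; returns case name -> grant/deny."""
    bob = dict(user="Bob", user_groups={"Maintenance"},
               workstation="Workstation1", ws_groups=set())
    alice = dict(user="Alice", user_groups={"Maintenance"},
                 workstation="Workstation2", ws_groups=set())
    return {
        # figure 1: Bob's grant comes first, the wildcard deny below it is ignored
        "grant_first": check_access(SAMPLE_ACLS, "Line3_Controller", "Download", **bob),
        # figure 2: same entries reordered, the wildcard deny now wins
        "deny_first": check_access(SAMPLE_ACLS, "Line3_Controller_Reordered", "Download", **bob),
        # user denied early, his group granted later: still denied
        "user_denied_before_group_grant": check_access(SAMPLE_ACLS, "Line4_Controller", "Download", **bob),
        # ...but the group grant still covers every other action for him
        "other_actions_via_group": check_access(SAMPLE_ACLS, "Line4_Controller", "Upload", **bob),
        # another group member was never named in the denial
        "group_member_not_denied": check_access(SAMPLE_ACLS, "Line4_Controller", "Download", **alice),
        # no entry matches Alice at Workstation2: the default decides
        "no_match_default_deny": check_access(SAMPLE_ACLS, "Line3_Controller", "Download", **alice),
        "no_match_default_grant": check_access(SAMPLE_ACLS, "Line3_Controller", "Download",
                                               default="grant", **alice),
        # a resource missing from the database is denied even with default grant
        "undefined_resource": check_access(SAMPLE_ACLS, "Not_In_Database", "Download",
                                           default="grant", **bob),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32} -> {result}")
```

The evaluator treats workstation groups exactly like user groups, which is why the manual's tip about building ACLs from groups keeps the lists short: one entry per group replaces one entry per member, and the ordering you have to reason about stays small.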


    Server Information tab

The Server Information tab shows information about your networking setup.

    Default Account Domain and Default Account Domain Controller

The Default Account Domain and Default Account Domain Controller settings work in tandem. The Security Server will access the default account domain controller for user and group information if the domain of the user or group matches that of the default account domain. In large and geographically diverse networks, this may greatly speed network access.

    See Appendix B on page 49 for more information.

    Network information refresh rate (minutes)

The refresh rate is the rate at which the Security Server checks its database. For example, when a user is removed from a group, the refresh removes any user groups to which the user belonged and no other user belonged. Another example is when a new user is added to a new domain network group. The Security Server will add this new user group to its database when it performs the check. At each refresh, the Security Server rewrites its database.

    Client Connections to Server

These fields indicate the maximum number of client workstations that can connect to the Security Server at one time, the peak number of client workstations that have connected to the Security Server at one time, and the number currently connected.

The peak number of client workstations indicates the number of licences required for your system. If it is at the maximum number, it is possible that you may need more licences.

If you need to increase the number of client workstations that can connect to the Security Server, please contact your Rockwell Software sales representative.

    Configuration Explorer tab

The Configuration Explorer tab shows information about your networking setup.

    Default Account Domain and Default Account Domain Controller

The Default Account Domain and Default Account Domain Controller settings work in tandem. The Configuration Explorer gathers and presents network information for you to create user groups or resource ACLs. These two settings allow you to select a domain controller for a particular domain. The domain controller is then used for all Configuration Explorer browsing of the domain. Note these settings may be different for each instance of Configuration Explorer on your network.


    See Appendix B on page 49 for more information.

    Display Full Names

When Display Full Names is checked, Configuration Explorer displays full names and descriptions (when available from the server) for members of Security Server groups. When domain groups are displayed, the full names and descriptions of users in those groups are also displayed.

Displaying full names and descriptions can take time. Turning this function off (by clearing the Display Full Names checkbox) will speed up these network operations.

Refreshing access control lists

Your access control lists (ACLs) can contain users who no longer have accounts or whose accounts are disabled. You may wish to remove these users from your ACLs. To do this, click File > Refresh ACLs.

When you choose to refresh ACLs, the Security Server performs that task during the next refresh cycle, and makes a log entry including the domain account and action taken. You can change the time to the next refresh cycle by changing the server preferences. See Network information refresh rate (minutes) on page 35 for more information.

Using admin accounts to control access to the Security Server's Configuration Explorer

If you install the Configuration Explorer on a user's computer, you must define an administrator for the Configuration Explorer. Otherwise, anyone with access to the Configuration Explorer can change the configuration of your entire Security Server system.

    To define an administrator:

1. Click View > Admin Accounts. This displays the Administration Accounts window.

2. Click Add. This displays a browse window, allowing you to select a user to be an administrator for Configuration Explorer.

3. Locate a user to be an administrator, click that user's logon name, and then click OK. If you want to search for a user, type the beginning of the user's logon name in the Search for field, then click Find.

Tip: As a convenience, the _Security Server domain contains all users that are currently in the Security Server's database. To save time, you can choose administrators from this domain.


Roaming security

With the Network Edition of Security Server, it is possible to disconnect from your network and maintain access to secured functions. For example, a maintenance engineer may need to take a laptop with secured software off of his or her network to perform operations in a plant. This is accomplished through a process called roaming.

Roaming operates by caching security information for a set number of days. A Security Server administrator decides whether roaming should be enabled, and for how many days. If roaming is enabled, any user can cache security information to run while disconnected from the network.

While roaming, access is checked for each resource using the logged-in user and workstation. The system creates a roaming database that remains in effect until a timeout occurs (the number of days roaming is permitted expires) or the Configuration Explorer terminates the roaming session.

If a timeout occurs, the user will no longer be able to access secured Rockwell Software applications.

    Enabling or disabling roaming

Roaming is enabled through Configuration Explorer. Only Security Server administrators are able to enable or disable roaming. (If you have not defined administrators for your Security Server, see Using admin accounts to control access to the Security Server's Configuration Explorer on page 36 for information about doing this.)

To enable roaming, click View > Set Roaming Security Timeout.

By default, roaming is enabled. To disable roaming, check the Disable Roaming Security Caching checkbox.

If you wish to enable roaming, set the number of days roaming should be enabled with the Roaming Security Timeout (days) listbox. You can set between 0 and 90 days. If you want to make roaming valid only during the current day, set the timeout to 0 days (the day ends at midnight).

    Using roaming

    To use roaming:

    1. Start Configuration Explorer.

2. Click View > Configure Roaming Security Information.

Important: If you do not define administration accounts, any user can enable or disable roaming.


3. Since there is no network server available to validate users, you must provide a name and password to use with Security Server while roaming. Under the Alias User Information section of the Configure Roaming Security Information dialog, enter your user name in the User Name field. Do not use your network user name for this field.

4. Enter a password to use with Security Server while roaming in the Password and Confirm Password fields.

Roaming remains enabled until either the Configuration Explorer reattaches to the Security Server, or the timeout period elapses. If the roaming timeout period elapses, connect Configuration Explorer to the Security Server to restore operation.

Important: Do not forget your user name and password! If you do, you will not be able to use roaming, and you will not be able to use software that is secured with Security Server.


Chapter 4
Backing up and synchronizing Security Servers

Rockwell Software's Security Servers do not communicate with each other. If you want to keep the same security information on primary and secondary Security Servers, you may handle this process in any of three ways:

- export your Security Server database from your primary Security Server and import the database on your backup Security Servers

- directly copy the database files from the primary Security Server to backup servers

- use Windows NT/2000 directory replication to copy the database files from the primary Security Server computer to backup computers (this is the preferred method since it happens automatically)

Using directory replication

Windows NT and Windows 2000 have a built-in replication service that allows you to copy files from one computer to another automatically. In Windows NT this is called the LAN Manager Replication service; in Windows 2000 this is called the File Replication service. You can configure this service to copy files from the folder containing the Security Server database from the primary Security Server to backup servers.

Note that the Windows 2000 File Replication Service is not available on Windows 2000 Professional. Therefore, if you are using a computer running Windows 2000 Professional as a Security Server, you will not be able to use this method for replicating your database.

For more information about using directory replication, see the documentation for Windows NT or Windows 2000.

Exporting your Security Server database

To export your Security Server database, run the Configuration Explorer, then click File > Export Database.



This function allows you to save a backup file. The backup file contains all of the information necessary to reconstruct your Security Server database either on your primary Security Server or on a backup Security Server.

    Importing your Security Server database

When you import a Security Server database into a Security Server, the imported database will be added to the current configuration of that Security Server.

To import a Security Server database, run the Security Server Configuration Explorer, then click File > Import Database. The software allows you to select a backup database file to import.

If the database import detects conflicts, you can choose to overwrite the current database with the imported information or not. You can do this on a case-by-case basis or for the entire imported database. For example, if a user already exists in the database and the imported database contains the same user, you can choose whether to overwrite the current database with the information about that user from the imported database.

    If there are errors detected during the import

If the database import detects errors, the import notifies you that there are errors and writes descriptions of the errors to a log file. The file is named SentinelImport.log, and it is found in the Security Server system directory (by default, that directory is C:\Program Files\Rockwell Software\Security Server\System). You can open the log file in Windows Notepad and examine it. (A typical error is that a user described in the backup database no longer exists or is no longer enabled in the domain; the import removes such users and notifies you in the log file.)

The error log file describes errors by line numbers. These line numbers refer to the end of a resource or user list, not to the line containing the error. The string (invalid user name, for example) causing the error is listed with the error description. You should search for the string causing the error and not the line number if you wish to correct the backup database.

Restoring a previously saved configuration

Each time you change your Security Server configuration and save those changes, the software writes a backup of your last saved security database as well as your most recent changes. (The database is also saved and backed up during each refresh cycle.) If you make a mistake and need to revert to a previously saved version of your Security Server database, you can do so.


To restore a previous version of your Security Server database, locate the directory containing the Security Server system. By default, the Security Server system is located in C:\Program Files\Rockwell Software\Security Server\System\db. In that directory, you'll find the files that make up a Security Server database. The following table describes these files:

This file:                      Does this:
Sentinel.sdb                    The primary security database. Contains all of the database information necessary for the Security Server to provide security functions.
Sentinel.sb1 ... Sentinel.sbN   The backup security database files. Contains previous versions of the security database. With each save of the security database, the Security Server copies the previously saved version to a backup file. For information about setting the number of security database backups maintained by the Security Server, see page 34.

Delete the Sentinel.sdb file and replace it with one of the backup files. If you just made the change you need to correct, the backup file you need is Sentinel.sb1 (the number on the backup file is incremented with subsequent saves).

Important: Before overwriting a database file, make sure the Security Server is not running.

Tip: If you are restoring a database that was backed up during a resource consolidation or unconsolidation, the backed-up database is located (by default) in C:\Rockwell Software\Security Server\System\SentinelResourcen.bak (where n is a sequence number indicating how many times the consolidation or unconsolidation has been done). For information about resource consolidation, see Consolidating processor resources for RSLogix5 and RSLogix 500 on page 53.
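The following is an added example for this page, not Rockwell Software's code. It simulates the backup rotation described above (Sentinel.sdb, with Sentinel.sb1 holding the most recent previous save and higher numbers holding older ones, capped by the Database Backup Files setting of 0 to 9) and the manual restore step of replacing Sentinel.sdb with one of the backup files. The exact shifting order the product uses is not spelled out in the manual, so the rotation below is an assumption consistent with the text, and the file contents ("config v1" and so on) are constructed sample data.

```python
import os
import shutil
import tempfile
from typing import Dict

DB_FILE = "Sentinel.sdb"  # the primary security database (name from the manual)


def backup_file(n: int) -> str:
    """Name of backup slot n: Sentinel.sb1 is the newest, sbN the oldest."""
    return f"Sentinel.sb{n}"


def save_database(db_dir: str, contents: bytes, max_backups: int) -> None:
    """Write a new Sentinel.sdb after rotating the previous versions.

    Assumed rotation (not stated in the manual): sbN is dropped, each lower
    slot moves up one number, and the outgoing Sentinel.sdb becomes sb1.
    """
    if not 0 <= max_backups <= 9:
        raise ValueError("Database Backup Files must be between 0 and 9")
    # Walk from the oldest slot downward so a slot is freed before the
    # younger backup is moved into it.
    for n in range(max_backups, 0, -1):
        src = os.path.join(db_dir, backup_file(n))
        if not os.path.exists(src):
            continue
        if n == max_backups:
            os.remove(src)  # the copy beyond the configured limit is discarded
        else:
            os.replace(src, os.path.join(db_dir, backup_file(n + 1)))
    current = os.path.join(db_dir, DB_FILE)
    if max_backups and os.path.exists(current):
        shutil.copy2(current, os.path.join(db_dir, backup_file(1)))
    with open(current, "wb") as fh:
        fh.write(contents)


def restore_backup(db_dir: str, slot: int) -> None:
    """The manual's recovery step: replace Sentinel.sdb with Sentinel.sb<slot>.

    The manual requires the Security Server to be stopped before a database
    file is overwritten; this simulation has no server, so nothing checks that.
    """
    src = os.path.join(db_dir, backup_file(slot))
    if not os.path.exists(src):
        raise FileNotFoundError(f"no backup in slot {slot}: {src}")
    dst = os.path.join(db_dir, DB_FILE)
    if os.path.exists(dst):
        os.remove(dst)  # "Delete the Sentinel.sdb file and replace it..."
    shutil.copy2(src, dst)


def _snapshot(db_dir: str) -> Dict[str, bytes]:
    """Read every file in the database directory into a name -> contents map."""
    out: Dict[str, bytes] = {}
    for name in sorted(os.listdir(db_dir)):
        with open(os.path.join(db_dir, name), "rb") as fh:
            out[name] = fh.read()
    return out


def simulate_saves(max_backups: int, saves: int) -> Dict[str, bytes]:
    """Perform `saves` configuration saves in a scratch directory."""
    with tempfile.TemporaryDirectory() as db_dir:
        for v in range(1, saves + 1):
            save_database(db_dir, f"config v{v}".encode(), max_backups)
        return _snapshot(db_dir)


def simulate_restore(max_backups: int, saves: int, slot: int) -> Dict[str, bytes]:
    """Save `saves` times, then roll Sentinel.sdb back to backup slot `slot`."""
    with tempfile.TemporaryDirectory() as db_dir:
        for v in range(1, saves + 1):
            save_database(db_dir, f"config v{v}".encode(), max_backups)
        restore_backup(db_dir, slot)
        return _snapshot(db_dir)


if __name__ == "__main__":
    for name, data in simulate_saves(3, 5).items():
        print(f"{name:14} {data.decode()}")
    print("after restoring sb1:", simulate_restore(3, 5, 1)[DB_FILE].decode())
```

With the default of three backup files and five saves, the directory holds "config v5" in Sentinel.sdb and v4, v3, v2 in sb1 to sb3; v1 has rotated out, which is why the manual's advice to restore from Sentinel.sb1 only holds for the change you just made. Setting Database Backup Files to 0 leaves nothing to restore from at all.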


Chapter 5
Upgrading from Standalone Edition to Network Edition

The databases for Security Server Standalone Edition and Network Edition vary in the following ways:

- Standalone Edition provides security for a single workstation, while Network Edition provides network-wide security.

- Standalone Edition does not contain references to workstations.

- Standalone Edition users can be either users local to a Windows NT machine, or they can be private users, known only to the Security Server. Network Edition uses only domain users, validated by a domain controller.

Because of these differences, access control lists and users created in Standalone Edition are not compatible with Network Edition. This information will be lost during an upgrade to Network Edition.

It is possible to retain the resource/group and action/group definitions from Standalone Edition when upgrading to Network Edition.

    To upgrade a Standalone Edition database to a Network Edition database:

    1. Export the Standalone Edition database.

    2. Install Security Server Network Edition.

3. Import the exported Standalone Edition database file into Network Edition. During the import, there will be warnings concerning importing the Standalone Edition database.

4. Review the SentinelImport.log file for import errors. See Restoring a previously saved configuration on page 40 for more information.



Setting up A.I. Series software to use Security Server

A.I. Series software can use the Security Server to secure resources. To set up A.I. Series software to do this, you need to tell the software to send its actions to the Security Server.

There are two types of resource for A.I. Series software. There is a global resource called AI5GLOBALRIGHTS or AI3GLOBALRIGHTS, which controls access to functions in the software. You can also create resources for each processor being programmed (in case you want to vary the actions granted based on the processor