Client/FEP Projects Configuration Procedures
This section provides additional procedures related to the configuration of Client/FEP projects.
In Version 4.0, only project upgrade is supported for the project backup of Version 3.0. When you upgrade the software for the setup type Client or FEP from Version 3.0 to Version 4.0, the already existing Version 3.0 projects display the Project status as Outdated (in red) in SMC.
Note that project restore using the toolbar icon is not supported in SMC for Client/FEP!
- You have upgraded the software for Setup Type: Client/FEP from Version 3.0 to Version 4.0.
- You have launched SMC on Client/FEP stations.
- In the SMC tree, select Projects > [project] that you want to upgrade.
- In the Client Project Information expander of the Project Settings tab, the Project status displays as Outdated (in red) and the toolbar icon Upgrade is enabled for those projects whose project data version is earlier than the current Desigo CC setup data version.
- Click Upgrade.
- A confirmation message displays.
- Click OK.
- If the Pmon port number (default 4999) of the Client/FEP project you are about to upgrade is already in use, a message displays.
- Click OK.
- Click Edit to enable the Pmon port field.
- Edit the Pmon port number according to the given range, ensuring that it is not the same as that of another started Client/FEP project.
- Click Upgrade again.
- The selected project is upgraded to the current data version. The Project status on upgrade displays as Stopped.
NOTE: If you have changed the Server project parameters, you must realign the Client/FEP project with the linked Server project. Otherwise, the Client/FEP - Server project communication does not work.
Next, you can activate and then start the Client/FEP project.
To start a project, at least one active project must be available under Projects in the SMC tree.
- The project is active and stopped and has unique port numbers.
- (Only applicable for Projects on FEP) You have copied and imported the same Windows key file as that on the Server computer onto the disk of the FEP computer.
- (Only applicable for Projects on FEP) You have re-aligned the Client/FEP Project with the updated project on the Server.
- Click Start.
- The Pmon service in the Windows services starts, which in turn starts the project.
You can now log on to the local Installed Client and work with the Server project.
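The upgrade procedure stops when the Pmon port is already in use, and a project can only be started with unique port numbers. The following PowerShell sketch checks both conditions before you click Upgrade or Start. It is an added example, not part of the product or its documentation: the function name `Test-ProjectPorts` is hypothetical, every port number except the Pmon default 4999 is a constructed sample value, and it assumes the project ports are TCP listeners.

```powershell
# Added example, not vendor code. Field names follow the SMC port labels.
# Only 4999 (Pmon default) comes from the documentation; the other numbers
# are constructed sample values. Replace them with the values shown in the
# Client Project Information expander.
$projectPorts = [ordered]@{
    'Pmon'              = 4999
    'Server Data'       = 5001   # constructed sample value
    'Server Event'      = 5002   # constructed sample value
    'Server HDB Reader' = 5003   # constructed sample value
    'Query Cache'       = 5003   # constructed duplicate, to show the finding
}

function Test-ProjectPorts {
    param(
        [Parameter(Mandatory)]
        [System.Collections.IDictionary]$Ports
    )

    # Port numbers that occur more than once inside this project's own settings.
    $duplicates = @(
        $Ports.Values | Group-Object |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object { [int]$_.Name }
    )

    foreach ($name in $Ports.Keys) {
        $port = [int]$Ports[$name]

        # Assumption: the project ports are TCP. A listener on the port means
        # another started project or an unrelated process already owns it.
        $listener = Get-NetTCPConnection -LocalPort $port -State Listen `
                        -ErrorAction SilentlyContinue | Select-Object -First 1
        $owner = $null
        if ($listener) {
            $owner = (Get-Process -Id $listener.OwningProcess `
                          -ErrorAction SilentlyContinue).ProcessName
        }

        [pscustomobject]@{
            Field              = $name
            Port               = $port
            DuplicateInProject = $duplicates -contains $port
            InUse              = [bool]$listener
            OwningProcess      = $owner
        }
    }
}

Test-ProjectPorts -Ports $projectPorts | Format-Table -AutoSize
```

Run it while the project under test is stopped; otherwise its own processes are reported as the owners of its ports.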
For each upgraded project, you must change the password for the root user using the Users application when you launch the Client. When you restore a project that you created from the template, you must change all the passwords, including the passwords for the root and defaultadmin users, using the Users application. (In Additional User Administration Procedures, see Changing a Password.)
It is recommended to check the Client/FEP project’s consistency using the following procedure before launching the Installed Client. This is used for running diagnostics on the Client/FEP project.
- You have closed SMC, if running.
- In the StartSmc.bat file under [installation drive:]\[installation folder]\GMSMainProject\bin you have added the /support switch for the project for which you want to perform the consistency check.
- In the SMC tree, select Projects > [project].
- Click Check Consistency.
- The system internally checks the validity of the project by verifying the project configuration, such as ports, languages, and certificates, against the Server.
It also checks the system configuration information and displays a message asking if you want to open the log file now.
- Click Yes to open the log and check for any errors.
- A log file opens in the default editor. The log file is also saved on the disk at the path [installation drive:]\[installation folder]\GMSMainProject\log in the format [Project name]_[DD MM YYYY]_[HHMMSS].
- The project is stopped.
- On the Server, ensure the following. Otherwise, a message displays.
— For the Windows store certificates, the root certificate must be in the Trusted Root Certification Authorities (TRCA) store of the Local machine certificates store in the Windows Certificate store. Additionally, a CNG certificate with ECDSA signature algorithm is not supported.
— For File (.pem) based certificates, the root certificate must be available on the disk.
— Before creating/modifying the Client/FEP project, you need to share the Server project folder with the logged-on user of the Client/FEP operating system.
- On a Client/FEP, ensure the following:
— For Windows store certificates, the root certificate of the configured Server project must be imported in the TRCA store, and the host certificate (along with its private key, which is exportable) must be imported in the Personal store of the Local machine certificates in the Windows Certificate store and set as default.
— For file (.pem) based certificates, the root and the host certificates (.pem files) must be available on the disk.
- In the SMC tree, select Projects > [project].
- Project Settings displays.
- Click Edit.
- The Server Information expander gets enabled.
- The Process Monitor (Pmon) user is synched with the System Account user, if it is changed after project creation.
- In the Client Project Information expander, the Shared project path field is enabled.
- In the Communication Security expander, the Root certificate and the Host certificate fields along with Add are enabled. If the selected Server project has Client/Server communication mode as Secured, the certificate type is configured to be the same as the Server project and the fields for Root certificate, Host certificate, and Host key (in case of a .pem certificate) and Host certificate users display the certificates set as default on the Client/FEP machine.
- In the Server Information expander, do the following:
a. Edit the server name by typing the full computer name of the Desigo CC Server machine, for example, ABCXX022PC.dom01.company.net, or by clicking Browse and selecting the Server machine using the Workstation Picker dialog box.
b. Edit the default Service port using the spin control buttons to match the Service port number on the selected Server.
c. Click Projects and edit the project from which you want to fetch the information using the Project Information dialog box. Optionally, you can also do this by clicking Browse for Server project in the Client Project Information expander.
- The selected Server project name displays and is also set as the default Client/FEP Project name in the Client Project Information expander. The Shared project path automatically displays the shared server project path, if the selected Server project is shared. The security settings are modified as per the selected server project.
- (Optional and not required when the Server project folder is shared) Type in the Shared project path or click Browse to select the shared project folder using the Browse for Folder dialog box.
NOTE: You must provide the Server name before browsing for the shared project.
- The Server name, service port, and port numbers are changed, the language is edited, and the Process Monitor user is changed internally and synched with the current System Account user for the selected project. The project shared path is set.
- In the Communication Security expander, proceed as follows:
a. Click Browse to select the root certificate. By default, it displays the default root certificate on the Client/FEP machine. Provide the same root certificate as that configured on the Server project.
b. Click Browse to select the host certificate. By default, it displays the default host certificate set on the Client/FEP machine. Ensure that this host certificate is created using the root certificate and that it has a private key.
c. (Enabled and required only in case of File .pem based certificate type) Click Browse and select the host key certificate.
d. (Enabled only when the selected Server project has Client/Server communication mode as Secured and the Certificate type is Windows store) Click Add to add a host certificate user using the Select User dialog box. For example, you can add a non-admin user so that a non-admin user can launch the Desigo CC client application.
NOTE 1: Only the users and groups listed for the selected host certificate can launch the Desigo CC Client successfully on the Client/FEP machine.
NOTE 2: Even if the logged-on user of the Client/FEP operating system is a member of the Administrators group and has rights on the private key of the host certificate, you must still explicitly assign this user rights on the host certificate’s private key by adding the user to the Host Certificate User list.
- The certificates are configured for the selected certificate type.
- Click Save.
- If you modify the shared project path, a message displays, prompting you to re-activate the modified project.
- Click OK.
- Click Activate Project.
- Click Start.
Special Considerations When Applying Security for Closed Mode Configurations
- To work with closed mode you must explicitly provide permissions to the closed mode user (GMSDefaultUser) on the private key of the host certificate configured for the Client/Server communication. You must do this even if the closed mode user (GMSDefaultUser) is a member of a user group (for example, Administrators group) that has rights on the private key of the Host certificate.
- If you are configuring closed mode on the Client/FEP system, you must provide rights to the local GMSDefaultUser on the Desigo CC Server project folder, in order to have access to it from the Client/FEP machine. The logged-on Windows user on a Client station is a local GMSDefaultUser.
The Manual configuration mode allows you to freely configure the project parameters. However, note that the Desigo CC client application on the Client/FEP station will not launch if there is any mismatch between the security configurations of the Server and Client project.
- You have all the required server project details including the Server name, the ports (except Pmon), the shared project path, and the security details.
- Before creating/modifying the Client/FEP project, you need to share the Server project folder with the logged-on user of the Client/FEP operating system.
- On the Client/FEP computer, ensure the following:
— If Windows store certificates are used for securing the Client/Server communication, the root and host certificates are imported in the appropriate certificate store and are set as default. A CNG certificate with ECDSA signature algorithm is not supported.
— If File (.pem) based certificates are used for securing the Client/Server communication, the root, host, and host key certificates must be available at a known path on the disk.
- The project is stopped.
- In the SMC tree, select Projects > [project].
- Click the Project Settings tab.
- Click Edit.
- The Server Information expander is enabled.
- The process monitor user is synched with the System Account user, if it is changed.
- In the Client Project Information expander, select the Manual configuration check box to edit the project in manual mode.
- In the Server Information expander, Projects and Service port are disabled.
- The Client Project Information and the Communication Security expanders are enabled.
- In the Server Information expander, edit the Server name by typing the full computer name of the Desigo CC Server machine, for example, ABCXX022PC.dom01.company.net, or by clicking Browse and selecting the Server machine using the Workstation Picker dialog box.
- In the Client Project Information expander, proceed as follows and edit the information as required:
- Port numbers
- Languages
- Enter a value into the Shared project path field or browse for the Server project that you want to connect to on the selected Server.
NOTE 1: When you save the project changes, the project path is not validated. Hence you must provide the correct shared project path.
NOTE 2: You must enter the server name before browsing for the shared project.
NOTE 3: You can create a project on the Client/FEP without providing the shared project path. However, in this case, the very first project that you create on the Client/FEP will no longer be activated automatically. For project activation providing the shared project path is mandatory.
- Clear the Query Cache check box, which disables the Query Cache port field.
- The server name, service port, and port numbers are changed, the languages are edited, and the process monitor user is changed internally and synched with the current system account user for the selected project. The Shared project path is configured.
- In the Communication Security expander, proceed as follows:
- From the Client/Server communication drop-down list, select the communication mode to match that of the selected Server project. Otherwise, you cannot connect to the Server project.
- (Enabled only when the Client/Server communication mode is Secured) Edit the proxy port, if required.
- (Enabled only when the Client/Server communication mode is Secured) Modify the certificate type, Windows store or File (.pem) based depending on the selected Server project.
- (Enabled only when the Client/Server communication mode is Secured) Click Browse to select the root certificate. By default, it displays the default root certificate set on the Client/FEP. The root certificate must be the same as that of the Server project.
- (Enabled only when the Client/Server communication mode is Secured) Click Browse to select the host certificate. By default, it displays the default host certificate set on the Client/FEP machine. The host certificate must be created using the root certificate selected and must have a private key.
- (Enabled only when the Client/Server communication mode is Secured and the selected Certificate type is File (.pem) based) Click Browse and select the host key certificate.
- (Enabled only when the selected server project has Client/Server communication mode as Secured and the Certificate type is Windows store) Click Add to add a host certificate user using the Select User dialog box. For example, you can add a non-admin user so that a non-admin user can launch the Desigo CC client application.
NOTE 1: Only users and groups listed for the selected host certificate can launch the Desigo CC client application on the Client/FEP computer.
NOTE 2: Even if the logged-on user of the Client/FEP operating system is a member of the Administrators group, and that Administrator group has rights to the private key of the selected host certificate, you still have to assign rights to the logged-on user of the Client/FEP operating system on the host certificate’s private key by adding the user to the Host certificate users list.
- The certificates are configured for the selected certificate type.
- Click Save Project.
- A message displays prompting you to re-activate the modified project.
- Click OK.
- Click Activate Project.
- Click Start.
- You can now work with the Desigo CC client application on the Client/FEP station. Desigo CC will run in the context of the active project on the Client/FEP.
Special Considerations when Applying Security for Closed Mode Configuration
- You must provide permissions to the Closed mode user (GMSDefaultUser) on the private key of the host certificate configured for the client/server communication. This must be done even if the Closed mode user (GMSDefaultUser) is a member of the Administrators group and that Administrator group has rights on the private key of the host certificate.
- If you are configuring Closed mode on the client/FEP, then you must also provide file-system access rights to the GMSDefaultUser of the client/FEP on the project folder on the server.
For a Server project that is linked to a Client/FEP project, you have changed the security settings (proxy port, Client/Server communication mode, Certificate type), removed an extension from the project, and so on. Use the following procedure to align the Client/FEP project with the changed settings of the selected Server project.
- The Client/FEP project that you want to re-align with the modified Server project is Stopped.
- In the SMC tree, select Projects > [project].
- Click Edit.
- Click Realign Server Configuration.
- Click Save Project.
- The project on Client/FEP is re-aligned with the modified Server project.
Automatic configuration mode is the default project creation mode on the Client/FEP. In this mode, the Manual configuration check box in the Client Project Information expander is cleared.
While creating a project in automatic configuration mode, the Client/Server communication mode and the Certificate type are automatically set to match those of the selected Server project.
You can establish a secured communication between the Server project and the Client/FEP project. For this you either use file (.pem file) based or Windows store based certificates. The following procedure describes the Client/FEP project creation using Windows store based certificates.
On the Server, ensure the following:
- For Windows store certificate:
— The root certificate must be imported in the TRCA store of the Local machine certificates store in the Windows Certificate store.
— You cannot use a CNG certificate with ECDSA signature algorithm as a root or host certificate.
- For .pem file certificates, the root certificate must be available on the disk of Server as well as Client/FEP machine.
- Share the Server project folder that you want to connect to with the logged-on user of the client/FEP operating system before creating the project.
On the Client/FEP, for the Windows store certificates, you must ensure the following:
- The same valid root certificate as on the Server project that you are about to configure in the Client/FEP project must be imported in the Trusted Root Certification Authorities store of the Local machine certificate store.
- The host certificate (along with a key) that you are going to provide for Secured Client/Server communication must be created using the root certificate on the Server project. The host certificate must be imported in the Personal store of the Windows Certificate store.
- In the SMC tree, select Projects.
- Click Create Project.
- In the Server Information expander, do the following:
a. In the Server name field, type the Full computer name of the server or click Browse to locate and select the server using the Workstation Picker dialog box.
NOTE: If you get a message stating that the server is not available, see the troubleshooting steps.
c. Click Projects to browse for Server projects using the Project Information dialog box. In the Project Information dialog box, proceed as follows:
d. Select a Server project that you want to connect to.
NOTE: It is recommended to enable the secure communication between server and Client/FEP. To do this, you must select a server project configured for secured Client/Server communication. Note that the Stand-alone and Unsecured options are also available. If you choose a Stand-alone server project, no communication is possible between Server project and Client/FEP project. For an unsecured server project, the communication is unsecured (without certificates) and hence not recommended.
e. Click OK.
- The details of the selected server project, including the name of the project on the Client/FEP, Project path, port numbers, language, and the Shared project path, if the project is shared, and the Query Cache if enabled along with Query Cache port number, are added in the Client Project Information expander.
- The default security details are modified and are set to match the security configuration details of the selected server project.
- In the Client Project Information expander, do the following:
- (Optional) Edit the Project name, if a project with the same name already exists in the SMC tree.
- (Optional) Edit the Project path.
- (Optional, and not required when the Server project folder is shared) Displays the shared project path of the selected Server project, if the Server project folder is shared. However, you can edit this by typing in a new path or browsing for the shared project folder.
NOTE 1: When you save the project, the project path is not validated. Therefore, you must provide the correct shared project path.
NOTE 2: You must enter the server name before browsing for the shared project. Otherwise, a message displays.
NOTE 3: You can create a client/FEP project without providing the shared project path. However, in this case, the very first project that you create on the client/FEP will no longer be activated automatically. The shared project path is mandatory for activating the project.
- In the Communication Security expander, do the following:
a. Browse for a root certificate from the Windows store using the Select Certificate dialog box, or from the disk using the Open dialog box, depending on the certificate type. By default, the default root certificate on the Client/FEP displays in the Root certificate field. Make sure that you select the same root certificate that was used for secured Client/Server communication on the Server project.
b. Browse for a host certificate from the Windows store using the Select Certificate dialog box, or from the disk using the Open dialog box, depending on the certificate type. The host certificate and the host key (only for File .pem based certificates) must be generated from the root certificate you provided. If you select the host certificate from the User store, the Add button is disabled. Since the User store is local to a user account on the computer, you cannot add users to the Host Certificate User list.
c. (Required only in case of File (.pem) based certificates) Browse the host key from the disk.
d. (Available only for the Secured client/server communication type and Certificate type Windows store) Add Host certificate user to the list of users, if required.
NOTE 1: Only users and groups listed for the selected host certificate can launch the Desigo CC Client on the Client/FEP.
NOTE 2: Even if the logged-on user of the Client/FEP operating system is a member of the Administrators group and has rights on the private key of the host certificate provided, you must still explicitly assign this user rights on the host certificate’s private key by adding the user to the Host Certificate User list.
- Click Save.
- A warning message displays if the root certificates provided on the Client and Server projects do not match. You must ensure that the root certificate is the same as that of the Server project. Otherwise, the Desigo CC client does not launch, and you must do the following:
- Click Cancel.
- In the Root Certificate field of the Communication Security expander, browse for and select the same root certificate as on the server.
- Click Save.
- The data entered while creating the project is validated and saved.
- The new project node is created as a child under the Projects node in the SMC tree. Although it is in the Stopped state, you can edit, activate, delete, or start it.
- A project folder structure is created with subfolders and files at the specified path.
- The project config file is updated with info such as ports, languages and so on.
- In case of file (.pem) based certificates, the root and host certificates and the host certificate key file used for secure communication are copied to the path ..\[ProjectName]\Config and the config file is updated. In case of Windows store certificates, only the config file is updated.
Special Considerations when Applying Security for Closed Mode Configuration
- You must provide permissions to the closed mode user (GMSDefaultUser) on the private key of the host certificate configured for the client/server communication. This must be done even if the closed mode user (GMSDefaultUser) is a member of the Administrators group and that Administrator group has rights on the private key of the host certificate.
- If you are configuring closed mode on the client/FEP, then you must also provide file-system access rights to the GMSDefaultUser of the client/FEP on the project folder on the server.
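The Windows store prerequisites on the Client/FEP and the closed mode rule on the private key can be verified from an elevated PowerShell session before the project is created or edited. The following is an added example, not part of the product or its documentation: the function names and the thumbprint placeholders are hypothetical, it assumes an RSA host key held in the machine key store, and it assumes that a Host certificate user appears as an allow entry for that account on the key file.

```powershell
# Added example, not vendor code. Run elevated on the Client/FEP.
function New-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

function Get-MachineKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Resolve the on-disk file of an RSA machine key; $null if not found.
    $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    $rsa = $ext::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        return $null    # no RSA key (for example an ECDSA certificate)
    }
    foreach ($dir in "$env:ProgramData\Microsoft\Crypto\Keys",
                     "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys") {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) { return $path }
    }
    return $null
}

function Test-ClientFepCertificates {
    param(
        [Parameter(Mandatory)][string]$RootThumbprint,
        [Parameter(Mandatory)][string]$HostThumbprint,
        [string[]]$HostCertificateUsers = @('GMSDefaultUser')
    )
    $rootTp = ($RootThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $hostTp = ($HostThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    # Root in Local machine TRCA store, host certificate in Local machine Personal store.
    $root = Get-Item -LiteralPath "Cert:\LocalMachine\Root\$rootTp" -ErrorAction SilentlyContinue
    $hostCert = Get-Item -LiteralPath "Cert:\LocalMachine\My\$hostTp" -ErrorAction SilentlyContinue
    New-Check 'Root certificate in Local machine TRCA store' ($null -ne $root) $rootTp
    New-Check 'Host certificate in Local machine Personal store' ($null -ne $hostCert) $hostTp
    if ($null -eq $root -or $null -eq $hostCert) { return }

    # ECDSA signature algorithms are not supported; their OIDs share this arc.
    foreach ($c in $root, $hostCert) {
        $ecdsa = $c.SignatureAlgorithm.Value -like '1.2.840.10045.4*'
        New-Check "No ECDSA signature: $($c.Subject)" (-not $ecdsa) $c.SignatureAlgorithm.FriendlyName
    }

    # The host certificate must have been created using the selected root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($hostCert)
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    New-Check 'Host certificate chains to the selected root' `
        ($built -and $anchor.Thumbprint -eq $root.Thumbprint) $anchor.Subject

    New-Check 'Host certificate has a private key' $hostCert.HasPrivateKey ''
    if (-not $hostCert.HasPrivateKey) { return }
    $keyFile = Get-MachineKeyFile $hostCert
    if ($null -eq $keyFile) {
        New-Check 'Private key file located' $false 'no RSA machine key file found'
        return
    }

    # Group membership is not sufficient: each account needs its own allow entry.
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $rules = (Get-Acl -LiteralPath $keyFile).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($user in $HostCertificateUsers) {
        try {
            $sid = (New-Object System.Security.Principal.NTAccount($user)).Translate(
                [System.Security.Principal.SecurityIdentifier])
        } catch {
            New-Check "Explicit private key access for $user" $false 'account not found'
            continue
        }
        $direct = $rules | Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $read) -eq $read)
        }
        New-Check "Explicit private key access for $user" ([bool]$direct) $keyFile
    }
}

# Placeholders: substitute the thumbprints shown in the Select Certificate dialog box.
# Test-ClientFepCertificates -RootThumbprint '<ROOT-THUMBPRINT>' `
#     -HostThumbprint '<HOST-THUMBPRINT>' | Format-Table -AutoSize
```

Any row with Passed set to False corresponds to a prerequisite or closed mode consideration listed above that is not yet met on this machine.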
When you create a project in manual configuration mode, you must manually enter the client/FEP project details into the relevant fields.
Before you start, make sure that you have all the necessary server project details, including the server name, the ports (except Pmon), the shared project path, and the security details. Although manual configuration mode lets you freely enter the Client/FEP project details (for example, Client/Server communication mode and certificate type), you must still ensure these match those of the selected Server project. Otherwise, Installed Client on Client/FEP does not launch.
You can establish a secured communication between the Server project and the Client/FEP project. For this you either use file (.pem file) based or Windows store based certificates. The following procedure describes the Client/FEP project creation using Windows store based certificates.
On the Server, ensure the following:
- For Windows store certificate:
— The root certificate must be imported in the TRCA store of the Local machine certificates store in the Windows Certificate store.
— A CNG certificate with ECDSA signature algorithm is not supported.
- For file (.pem) based certificates, the root certificate must be available on the disk of Server as well as Client/FEP machine.
- Share the Server project that you want to connect to with the logged-on user of the client/FEP operating system before creating the project on the client/FEP.
On the client/FEP machine, you must ensure the following for the Windows store certificates.
- The same valid root certificate as on the Server project that you are about to configure in the Client/FEP project must be imported in the Trusted Root Certification Authorities store of the Local machine certificate store and be set as default.
- The host certificate, along with a key you are going to provide for Secured Client/Server communication, must be created using the root certificate on the Server project. The host certificate must be imported in the Personal store of the Windows Certificate store and be set as default.
- In the SMC tree, select Projects.
- Click Create Project.
- In the Server Information expander, do the following:
a. Select the Manual configuration check box.
b. In the Server name field, type the full computer name of the server or click Browse to locate and select the server using the Workstation Picker dialog box.
- The service port is disabled, and the Client Project Information and the Communication Security expanders become available.
- In the Client Project Information expander, do the following:
a. Enter a value into the Project name field.
b. Edit the Project path to change the default.
c. Edit the Languages to match the languages on the server project.
d. Enter a value into the Shared project path or browse for the server project.
NOTE: The shared project path is mandatory for activating the project.
e. Edit the port numbers for the Pmon, Server Data, Server Event, Server HDB Reader and Query Cache port fields.
f. Select the Query Cache port check box that enables the Query Cache port field. Set a unique port number.
- In the Communication Security expander, do the following:
a. In the Client/Server Communication drop-down list, change the default setting Secured to Unsecured only when you want to enable the Client/Server communication in Unsecured mode or to Stand-alone only when you want to disable the communication between the server project and the client/FEP station.
b. Type or set the Proxy port field so that it matches that of the selected server project.
c. Select the certificate type to match that of the selected server project. The default selection is Certificate type - Windows store.
d. Click Browse to change and select the root and host certificates, and the host key (only in case of .pem file certificate). Ensure that the root certificate is the same as that of the Server project. Otherwise, the Desigo CC client application will not launch. The host certificate and the host key must be generated from the root certificate provided on the Server project.
e. (Available only when the Client/Server communication type is Secured and the Certificate type is Windows store) Add Host certificate user to the list of users.
NOTE 1: Only users and groups listed for the selected host certificate can launch the Desigo CC client application on the client/FEP station.
NOTE 2: Even if the logged-on user of the client/FEP operating system is a member of the Administrators group and has rights on the private key of the host certificate provided, you still have to explicitly assign this user rights on the host certificate’s private key by adding the user to the Host Certificate User list.
- Click Save.
NOTE: Make sure that the root certificate is the same as that of the Server project. Otherwise, the Desigo CC client application cannot launch, and you must do the following:
a. Click Cancel.
b. In the Root Certificate field of the Communication Security expander, browse for and select the same root certificate as on the server.
c. Click Save.
d. The data entered while creating the project is validated and saved.
- On successful project creation, the new project node is created as a child under the Projects node in the SMC tree. It is in the Stopped state; you can edit, activate, or delete it. You can also start/stop the project.
A project folder structure is created with subfolders and files at the specified path.
For .pem file certificates, the root and host certificates and the host certificate key file used for secure communication are copied to the path ..\[ProjectName]\Config and the config file is updated.
In case of (.pfx/.cer) certificates, only the config file is updated.
Special Considerations When Applying Security for Closed Mode Configurations
- You must explicitly provide permissions to the closed mode user (GMSDefaultUser) on the private key of the host certificate configured for Client/Server communication, even if the closed mode user (GMSDefaultUser) is a member of the Administrators group and that Administrator group has rights on the private key of the host certificate.
- If you are configuring closed mode on the Client/FEP system, you must provide rights to the GMSDefaultUser of the Client/FEP machine on the project folder on the server.
Tips
- Once a project is created, you must start and activate it. The Installed Client on a Client/FEP station runs pointing to that active project on the Client/FEP computer.
- For a Windows store certificate type, when you click Browse, you must select the Store Location - Local machine Certificates and then select the root certificate from the Trusted Root Certification Authorities tab. You need to select the host certificate from the Personal tab. The root and host certificates must be imported into the Windows store using the SMC.
- The project on the Client/FEP runs in the context of the configured Server project.
- The Server project to which the active Client/FEP project is pointing must not be active.
- To start the Client/FEP project, you must first start the Server project that is connected to the Client/FEP project you are about to start.
- Projects created on any other setup type (for example, Client/FEP) than the installed setup type (for example, Server) are listed under the Projects node in the SMC tree. However, when selected, you cannot work with them; you can only delete them.