Tech Note 901 Configuring Smart Card Authentication for ArchestrA System Platform 2012

8/22/13

Configuring Smart Card Authentication for ArchestrA System Platform 2012

Tech Note 901

All Tech Notes, Tech Alerts and KBCD documents and software are provided "as is" without warranty of any kind. See the Terms of Use for more information.
Topic#: 002708
Created: November 2012

Introduction

A Smart Card is a pocket-sized card with embedded integrated circuits. The card has secure storage for data, including private keys and public key certificates. The card holder is authenticated through a Personal Identification Number (PIN) and can be authorized to access only particular data on the card.

You can configure an InTouch application to support Smart Cards for user authentication. Instead of the application requiring a username, password, and domain to be provided, the Smart Card certificate and associated PIN can be used for authentication. You can also choose to log on with your name, password, and domain instead of the Smart Card. Operations that require user authentication, such as logging on or secured/verified writes, can also take advantage of Smart Card authentication.

Application Versions
• Wonderware InTouch® 10.5 and later
• Wonderware Application Server 3.5 and later

Note: InTouch now supports the standard Microsoft interface for secure user access to Active Directory accounts via Smart Cards.

About Smart Card Reader and Drivers

Wonderware supports the following Cards and Readers:
• Card: C2-40 (Raak Technologies C2-40 Mini Driver Smart Card)
• Reader: Omnikey 3021 Smart Card USB Readers

FIGURE 1: SMART CARD AND READER

Note: As long as the SmartCard is compliant with the Microsoft Cryptographic services API, Wonderware will support the SmartCard.

https://wdnresource.wonderware.com/support/kbcd/html/1/t002708.htm

1/11


Setting Up Smart Card Authentication

You must do the following to set up Smart Card authentication:
• Configure the InTouch application to use either InTouch OS Security or ArchestrA OS security. The ArchestrA OS security can be either OS user-based or OS group-based.
• Join the WindowViewer computer to the correct domain for your network.
• Within WindowMaker, enable Smart Card authentication for the InTouch application.
• Configure the Smart Cards for the domain where you will use them.
• Install card drivers & readers on the WindowViewer computer. Smart Cards and their drivers are hardware-specific. For information on installing and setting up your Smart Card reader, refer to the documentation for your specific reader.
• Connect the Smart Card reader to the appropriate port of the WindowViewer computer.

Note: To use Smart Cards with Terminal Server and RDP clients, a Smart Card reader must be attached to the client systems to enable Smart Card authentication. To connect a Smart Card reader to a Terminal Server using RDP, you need to make sure that the RDP client connection settings have the Smart Card option enabled under Local Devices and Resources.
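A pre-flight check of the prerequisites listed above on the WindowViewer computer, as an added PowerShell example that is not part of this Tech Note; the domain name is a placeholder and the .rdp file path is an optional assumption:

```powershell
# Added example (not from the Tech Note): verify the Smart Card prerequisites on a
# WindowViewer computer with standard Windows tools. Placeholders are marked "assumed".
function Test-SmartCardPrereqs {
    param(
        # Assumed: DNS name of the domain the WindowViewer computer must be joined to.
        [string]$ExpectedDomain = 'juno.example',
        # Assumed/optional: an .rdp file used by Terminal Server clients, to confirm reader redirection.
        [string]$RdpFile
    )
    $r = [ordered]@{}

    # Domain membership (the note: join the WindowViewer computer to the correct domain).
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $r.DomainJoined = [bool]$cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain)

    # Smart Card (SCardSvr) and Certificate Propagation (CertPropSvc) services;
    # the latter copies the inserted card's certificates into the user's store.
    foreach ($name in 'SCardSvr', 'CertPropSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $r["Service_$name"] = ($null -ne $svc -and $svc.Status -eq 'Running')
    }

    # A reader whose driver loaded cleanly (e.g. the Omnikey 3021 named in the note).
    $r.ReaderPresent = [bool](Get-PnpDevice -Class SmartCardReader -Status OK -ErrorAction SilentlyContinue)

    # Card types registered with a CryptoAPI CSP or CNG KSP, i.e. cards that are
    # compliant with the Microsoft cryptographic services API as the note requires.
    $cards = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards' -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-ItemProperty).PSObject.Properties.Name -match 'Crypto Provider|Key Storage Provider' }
    $r.CardMinidriverRegistered = [bool]$cards

    # With a card inserted: at least one unexpired certificate with the Smart Card Logon
    # EKU (OID 1.3.6.1.4.1.311.20.2.2). The issuer is reported so it can be checked
    # against the domain CA by hand.
    $logon = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2'
    }
    $r.SmartCardLogonCert = [bool]$logon
    $r.LogonCertIssuers   = ($logon | ForEach-Object { $_.Issuer }) -join '; '

    # RDP clients must redirect the local reader (Local Devices and Resources > Smart cards).
    if ($RdpFile) {
        $r.RdpSmartCardRedirect = [bool](Select-String -Path $RdpFile -Pattern '^redirectsmartcards:i:1' -Quiet)
    }
    [pscustomobject]$r
}

Test-SmartCardPrereqs | Format-List
```

Run it in the session of the user who will log on, with the card inserted; any field reporting False points at the prerequisite still missing.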

Configure Galaxy Security for a Managed InTouchViewApp

1. On the main menu, click Galaxy > Configure > Security.
2. Select OS User based.
3. Click the Role tab and add 2 roles (Figure 2 below). For this example, the Operator and Supervisor are shown.
4. Give the permissions necessary for each role. In this example, all permissions are given to the Operator & Supervisor.

FIGURE 2: ADD ROLE

5. Click the Users tab and add two users (Figure 3 below). In this example, the users are called JUNO\TechsupAdmin1 & JUNO\TechsupAdmin2.


FIGURE 3: ADD DEFAULTUSER

6. Click the JUNO\TechsupAdmin1 user and click the Operator role.


FIGURE 4: TECHSUPADMIN1 WITH OPERATOR ROLE

7. Click the JUNO\TechsupAdmin2 user and click the Supervisor role.


FIGURE 5: ADD SUPERVISOR ROLE

Configure the Galaxy Object with Security Writes

1. Create a $UserDefined instance called UDData.
2. Click the UDA tab and add three integer type UDAs. In this example, they are I1, I2 & I3.
3. For I1 the security mode is Operate.
4. For I2 the security mode is Secured Write.
5. For I3 the security mode is Verified Write.
6. Deploy all the objects (WinPlatform_001, AppEngine_001, Area_001, UDData).


FIGURE 6: DEPLOY THE OBJECTS

Enabling Smart Card Authentication in WindowMaker

This example shows how to configure Smart Card Authentication in WindowMaker using the OS User based security from the Galaxy.

1. Create a derived InTouchViewApp. For this example it is called ITVATest_SC.
2. Open WindowMaker.
3. On the Special menu, click Security/Select Security Type and then click ArchestrA.
4. On the Special menu, click Smart Card Authentication. By default, this option is not checked.
5. Create an InTouch Window called SmartCard Window or similar.
6. Create six text objects ( ## ) and assign the following animation to each text object:
   • Domain ##: Assign Value Display for Type String and add the $OperatorDomain system tag.
   • Operator ##: Assign Value Display for Type String and add the $Operator system tag.
   • AccessLevel ##: Assign Value Display for Type Analog and add the $AccessLevel system tag.
   • I1 ##: Assign User Input for Type Analog and add Tagname as Galaxy:UDData.I1.
   • I2 ##: Assign User Input for Type Analog and add Tagname as Galaxy:UDData.I2.
   • I3 ##: Assign User Input for Type Analog and add Tagname as Galaxy:UDData.I3.


FIGURE 7: CONFIGURE THE UDAS

7. Create a button and call it PostLogin.
8. In an Action script on the above button, add the script shown in Figure 8 (below). The Condition Type is On Left Click/Key Down.

FIGURE 8: ON KEY DOWN CONDITION SCRIPT

9. Switch to Runtime.


FIGURE 9: RUNTIME SMARTCARD WINDOW

10. Click PostLogin without the Smart Card inserted. The OS User based login dialog box appears.

FIGURE 10: LOGIN WITHOUT SMART CARD

11. Insert the Smart Card (TechsupAdmin1) and click the PostLogin button. Figure 11 (below) shows the dialog box displayed.

FIGURE 11: SMART CARD LOGIN

12. Type the PIN for that Smart Card user. The Runtime Window returns the following:

FIGURE 12: DOMAIN, OPERATOR AND ACCESSLEVEL DISPLAY


13. Type a value for I1 such as 25. Since the security mode configured for Galaxy:UDData.I1 was Operate, no Security dialog box is displayed.

FIGURE 13: VALUE DISPLAY FOR I1

14. Enter a value for I2 such as 50. Since the security mode configured for Galaxy:UDData.I2 was Secured Write, the security dialog box appears. Type the PIN.

FIGURE 14: SECURED WRITE LOGIN

15. Figure 15 (below) shows the display in WindowViewer.


FIGURE 16: VALUE DISPLAY IN RUNTIME

16. Enter a value for I3 such as 75. Since the security mode configured for Galaxy:UDData.I3 is Verified Write, the security dialog box appears. Type the PIN.

FIGURE 17: VERIFIED WRITE LOGIN

Since this is a verified write, both an Operator signature and a Supervisor signature are required. Either mode (Smart Card mode or User mode) can be used for each signature.


FIGURE 17: VALUE DISPLAY IN RUNTIME

Note: Logging on with Your Smart Card

You can use a Smart Card to log on to InTouch WindowViewer. You must have an application with Smart Card authentication enabled to use it to log on to the InTouch application. Your Smart Card must contain at least one certificate that is configured in your domain. A Smart Card reader must be attached to the computer running WindowViewer. You will be required to enter the PIN of the Smart Card you are using.

If a Smart Card is not detected in the reader when you try to log on, you are prompted to authenticate using your user name and password instead. You can use Smart Cards for authentication for secured and verified data writes.

B. Shah

Tech Notes are published occasionally by Wonderware Technical Support. Publisher: Invensys Systems, Inc., 26561 Rancho Parkway South, Lake Forest, CA 92630. There is also technical information on our software products at Wonderware Technical Support. For technical support questions, send an e-mail to [email protected].

©2013 Invensys Systems, Inc. All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, broadcasting, or by any information storage and retrieval system, without permission in writing from Invensys Systems, Inc. Terms of Use.
