Overview of Certificate-based Security
The core Historian services include:
- Data Archiver
- Client Manager
- Configuration Manager
- Diagnostic Manager
When you install Historian, the installer provides the Enable Certificate-based Security check box, which enables certificate-based security and generates a root certificate with a password for the server and the core services. If you select this option, the installer generates the root certificates, machine-specific certificates, and core services certificates in the <Install directory>\Program Files\Proficy\Proficy Historian\MTLS folder, and adds the root certificate to Trusted Root Certification Authorities on the machine.
Certificate | Applicability |
---|---|
ica_key.cer and ica_key.pfx | Root certificates. |
ClientManager.cer and ClientManager.pfx | Historian Core Services specific certificates. |
ConfigManager.cer and ConfigManager.pfx | Historian Core Services specific certificates. |
DataArchiver.cer and DataArchiver.pfx | Historian Core Services specific certificates. |
DiagnosticManager.cer and DiagnosticManager.pfx | Historian Core Services specific certificates. |
<Machine name>.cer and <Machine name>.pfx | Machine specific certificates. |
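The following PowerShell check is an added example, not part of the Historian product or its documentation. Run on the Historian server after installation, it reports which of the files listed above are present in the MTLS folder and whether each certificate chains to a root that this machine trusts. The `-MtlsDir` and `-MachineName` parameters, the use of the Windows computer name for `<Machine name>`, and the decision to skip revocation checks are assumptions.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example, not GE/Proficy code. Run on the Historian server after installation.
param(
    # The MTLS folder under your install directory (path as described above).
    [Parameter(Mandatory)][string]$MtlsDir,
    # ASSUMPTION: "<Machine name>" in the table is the Windows computer name.
    [string]$MachineName = $env:COMPUTERNAME
)

# File base names taken from the certificate table above.
$names = 'ica_key', 'ClientManager', 'ConfigManager', 'DataArchiver',
         'DiagnosticManager', $MachineName

$rootCer = Join-Path $MtlsDir 'ica_key.cer'
if (-not (Test-Path -LiteralPath $rootCer)) { throw "Root certificate not found: $rootCer" }
$root = [X509Certificate2]::new($rootCer)

# Is the root in this machine's Trusted Root Certification Authorities store?
$rootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint })
Write-Host ("Root '{0}' ({1}) in LocalMachine\Root: {2}" -f `
    $root.Subject, $root.Thumbprint, $rootTrusted)

foreach ($n in $names) {
    $cer = Join-Path $MtlsDir "$n.cer"
    $row = [ordered]@{
        Name        = $n
        Cer         = Test-Path -LiteralPath $cer
        Pfx         = Test-Path -LiteralPath (Join-Path $MtlsDir "$n.pfx")
        NotAfter    = $null
        ChainOk     = $false
        ChainStatus = 'no .cer file'
    }
    if ($row.Cer) {
        $cert  = [X509Certificate2]::new($cer)
        $chain = [X509Chain]::new()
        # ASSUMPTION: the installer-generated root publishes no CRL, so skip revocation lookups.
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
        # Build() is true only if the certificate is in date and chains to a trusted root.
        $row.ChainOk     = $chain.Build($cert)
        $row.NotAfter    = $cert.NotAfter
        $row.ChainStatus = ($chain.ChainStatus.Status -join ', ')
    }
    [pscustomobject]$row
}
```

A row with `ChainOk` false and `ChainStatus` of `UntrustedRoot` means the issuing root is not in the machine's trusted root store; an empty `ChainStatus` with `ChainOk` true means the chain validated cleanly.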
To connect a distributed/mirror node to a Historian primary mirror server, or to connect your collectors to a remote Historian server, the client machine needs the server-specific root certificates (ica_key.cer and ica_key.pfx) to establish a successful handshake. Copy the root certificates from the server machine and place them on the machines where the mirror nodes or collectors are installed. For more information, see the table below.
After installation, based on the install type, you must perform the following configuration:
Installation Type | Description | Configurations |
---|---|---|
Historian Single Server | This is for a stand-alone Historian system, which contains only one Historian server. This type of system is suitable for a small-scale Historian setup. | Collectors and server are installed on the same machine: You do not have to perform any additional configurations. To use MTLS for collectors, you must enable the MTLS security for the collector instance as needed. For more information, refer to Enable MTLS Security for Collectors. Collectors and server are installed on different machines (collectors trying to connect to a remote Historian) |
Historian Mirror Primary Server | This is for a horizontally scalable Historian system, which contains multiple Historian servers, all of which are connected to one another. This will be the primary server for the distributed/mirror node(s). | Collectors and Historian primary mirror server are installed on the same machine: You do not have to perform any additional configurations. To use MTLS for collectors, you must enable the MTLS security for the collector instance as needed. For more information, refer to Enable MTLS Security for Collectors. Collectors and Historian primary mirror server are installed on different machines (collectors trying to connect to a remote Historian primary mirror server) |
Historian Distributed/Mirror Node | This is for a horizontally scalable Historian system. Installing this server will allow you to add this node to a primary server. | Configuration on the distributed/mirror node machine(s): Collectors and distributed/mirror node are installed on the same machine: You do not have to perform any additional configurations. To use MTLS for collectors, you must enable the MTLS security for the collector instance as needed. For more information, refer to Enable MTLS Security for Collectors. Collectors and distributed/mirror node are installed on different machines (collectors trying to connect to a remote distributed/mirror node) |