Exaquantum Engineering Guide Vol 2
IM 36J04A15-02E
© Yokogawa March 5 2012
12th Edition Issue 1
Exaquantum Engineering Guide – Volume 2 Network Configuration
All rights are reserved in this document, which is the property of Yokogawa Electric
Corporation. Information contained herein is the property of Yokogawa Electric
Corporation.
Unless agreed in writing by Yokogawa Electric Corporation, the licensee shall not remove,
release, disclose, reveal, copy, extract all or part of the documentation.
Trademark Acknowledgements
Microsoft, Windows, Windows Vista, Windows Server 2008, Windows Server 2008 R2,
Windows 7 Professional, Microsoft Word, Microsoft Excel, Microsoft Office 2007,
Microsoft Office 2010, Visual Basic, Visual C++, SQL Server, MDAC, Microsoft .NET and
ActiveX are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Exaquantum uses Microsoft SQL Server as part of an Integrated Value Added Solution.
Adobe and Acrobat are registered trademarks of Adobe Systems Incorporated, and registered
within particular jurisdictions.
Basic Scripting Engine provided by Cypress Software Inc., Copyright 1993 – 2000, all rights
reserved.
All other company and product names mentioned in this manual are trademarks or registered
trademarks of their respective companies.
Highlights
The Highlights section gives details of the changes made since the previous issue of this
document.
Summary of Changes
Detail of Changes
Chapter/Section/Page | Change
Section 2.3 | Added firewall configurations for RBNS connections
 | Added NetworkTest.exe to the Firewall exclusions
Section 6 | Various updates to security measures
Appendix A.13.5 | Functions added to manual settings for Standard Security
Appendix A.14 | Minor updates
Various | Removed references to unsupported Operating Systems
Section 5 | Updated for R2.70
Pages A1, A9, A10, A12 | Updated port upper limit
Pages A8, A13 | Deleted reference to Windows 2003
Appendix A.15 | New description
Chapter 1 Introduction
The introduction of Windows 2008 allows a high degree of administrator control and
flexibility. The result of this is a more complex operating system and domain structure.
Because of this it is not possible to give detailed step-by-step guides to administrative
matters within this document. It is assumed that network administration will be performed
by a qualified engineer.
The Exaquantum Engineering Guide contains tasks that need to be completed by users
within your organization who have administrative privileges. The user(s) of this document
must also be familiar with the following topics:
DCOM Settings
This documentation therefore assumes that the person carrying out the procedures has
knowledge and experience in the areas mentioned above. It also assumes that you have
already completed the relevant Exaquantum course(s).
1.3 General
This document is designed to give users guidelines for implementing Exaquantum in a new
or their existing network infrastructure. The configurations of Exaquantum and the networks
to which they belong can vary greatly.
This Engineering Guide has been divided into Volumes and Chapters that detail various
procedures and methods. Certain chapters may not be relevant to your Exaquantum system.
Volume 1: Administration
0: Introduction
Chapter 6: IT Security
Volume 5: PI Connection
1.4 Terms
The following terms are used in this manual and are defined according to their use within
Exaquantum.
Business Network
CENTUM system
Connections
There are two main types of connection required, and the settings for these are dependent on
the network configuration of the computers involved:
The first connection is from the OPC Server to the Exaquantum server. This is required so
that requests for data can be passed from Exaquantum to the OPC servers and the actual data
passed from the OPC Servers to Exaquantum.
The second connection is between the Exaquantum server and its clients. This allows clients
to access data held on the Exaquantum server.
Critical data
Information assets in the CENTUM system, such as the project database, formulas and the
operation log, that need to be protected.
DCOM
DCOM (Distributed Component Object Model) is the architecture that allows applications to
run on remote computers. The Exaquantum installation program uses DCOM settings to
enable this. The settings are made initially using QDCOMConfig.exe, shipped with
Exaquantum and run automatically during installation.
QDCOMConfig can be re-run at any time to change Exaquantum DCOM settings. For more
information on QDCOMConfig, see the Exaquantum Engineering Guide Volume 1 –
Administration (IM 36J04A15-01E).
Domain
A collection of computers that are able to share resources using common users and user
groups, administered by a central Domain Controller (DC). A Windows domain can be
running in Mixed or Native mode.
Privileges assigned to a user account that allow domain-wide administration tasks to be
performed. These tasks include the creation and maintenance of Global and Domain Local
User Groups and the creation of Global User Accounts. They also include the creation and
maintenance of Trust Relationships.
A Windows Security User Group that is only available in a Windows domain running in
Native mode. This group type allows central administration on a domain controller and can
have members from anywhere in the Windows Forest.
Domain Controller
dcomcnfg
The Microsoft Windows program that allows modification of DCOM settings for
applications. This works on two levels. Firstly a set of default settings exist which will be
applied to all applications. These can be overwritten by setting specific DCOM properties
for any or all applications. New applications acquire the default settings unless specific
properties are applied.
Note 1: Any changes made to DCOM settings will only take effect when the computer is
restarted.
EXA System
Exaquantum System
An Exaquantum System is typically distributed across three types of computer. These are an
Exaquantum client, which obtains data from an Exaquantum server, which in turn receives
data from an OPC server. These computers will each belong to a domain or a workgroup,
though not necessarily the same one as the other computers.
Forest
A collection of Windows domains that are linked by virtue of a common schema. Transitive
trust relationships are normally added by default for all domains in the Forest.
Global Account
A user account that is created on a domain and so is available to all computers within that
domain or within other domains that have the correct Trust Relationships.
Global Group
A user group that is created on a domain and so is available to all computers within that
domain. Global Groups can only contain members (security principals) from within the
domain they are created in.
IT environment
IT security
Security measures for the IT environment to defend and counter current and future security
threats such as cyber terrorism. A security profile defined by Yokogawa for their range of
EXA products providing a consistent configuration to defend these systems.
Kerberos Authentication
One of the cryptographic authentication methods. It is used to confirm the identities of the
server and client over networks, including the Internet, where the communication path is not
secure. This is the default authentication method for Windows domains.
Local Account
A user account that is created locally on a computer and so is available only for use on that
particular computer.
Local Group
A user group that is created locally on a computer (the Exaquantum Server in the case of
Exaquantum). Local Groups within a workgroup can only contain members (security
principals) from the same computer. Local Groups within a domain can contain members
from that domain and any others that have valid Trust Relationships.
Multi-server
The ability to have more than one Exaquantum Server in your system. Each Server must
contain identical user group information.
NIC
Abbreviation of Network Interface Card. This is an interface card that is used to network
terminals.
OPC
Abbreviation of OLE for Process Control. This is a standard interface that supports the
development of the measurement control system using Microsoft COM/DCOM.
PCN
Abbreviation of Process Control Network. Network built for ICS (Industrial Control System)
such as the CENTUM system.
Program account
Windows account with a special privilege that enables Exaquantum-related programs to run.
QDCOMConfig
The Exaquantum tool that sets the specific DCOM settings required for Exaquantum. This
application runs silently during installation and can be re-run manually at any stage. For
more information on QDCOMConfig, see “Accessing The Domain Quantumuser Account”
in the Exaquantum Installation Guide (IM 36J04A13-01E).
Security Principal
Transitive Trust
Trust Relationships that allow pass-through authentication. This allows security principals
to be authenticated from remote domains. Transitive trust relationships are created by
default when Windows domains are added to a Windows Forest.
Trust Relationship
A method of communicating between two domains whereby a trusting domain allows access
to users of a trusted domain. These are set up using User Manager for Domains. A single
trust relationship requires configuration work on both domains.
User Account
User Group
As above, but this allows users to be grouped, which makes attributing privileges easier to
manage. Exaquantum generally attributes privileges by user groups, which are checked by
the Exaquantum Server during normal operation.
User Manager
The Windows program that allows local computer users and user groups to be created and
modified.
This window is similar to the User Manager window but also allows:
Windows service
Workgroup
A collection of computers that are able to share resources by using matching user accounts
added to each unit.
This chapter defines the scope of supply for the customer and the System Integrator. The
customer needs to define his configuration requirements in simple tables, applying a physical
process type breakdown strategy that the customer will understand. The System Integrator
will expand the customer’s (design specification) tables into the required Exaquantum system
configuration, applying a best-practice interpretation that the System Integrator will
understand best.
From R2.60 Yokogawa provides the option of installing Exaquantum in the ‘Standard IT
security model’ defined for other Yokogawa EXA products to provide a unified security
configuration. If this option is taken (described in Chapter 6 IT Security) then most
installation decisions are defined by the model. If the Legacy option is followed then many
more options are open to integrate the Exaquantum system with existing customer networks
and systems.
This chapter describes how the process of configuring Exaquantum can range from easy to
complex, depending on the degree of customization the customer wishes to apply. The
primary advantages of customization are to maximize useful history availability for a given
disk space size, and also to ensure the work performed by Exaquantum is restricted to that
which is genuinely useful, and has genuine business value.
ISA99.00.01 defines a security zone as a logical or physical grouping of assets that share
common security requirements and the same security level.
By creating multiple zones, each satisfying different security requirements, a
defense-in-depth strategy can be realized.
Direct communication between Level 4 and Level 3 of the ISA 99.00.01 Reference Model is
not recommended in the Exaquantum system.
Note:
The domain configuration offers centralized security and administration of users and data,
which can be easier to maintain than the workgroup configuration described later. However,
whenever the system is reconfigured, administrator level access to the domain controller is
required to implement the changes. Where control of IT is centralized this can be a severe problem.
Exaquantum fits into the last category of these servers, ‘stand-alone servers’.
By default, Exaquantum Legacy model and Standard Workgroup model installations use
local groups that will function in a Windows workgroup environment.
The advantage of the Windows workgroup is that a separate domain controller is not
required. However, in a workgroup all the user accounts and passwords must be created on
each client and server and kept in step; this is also true for Groups in a Standard
Workgroup model installation.
Note 1: When using Exaquantum with a workgroup, we recommend that the Password Age
is set to Never Expire.
The following network items (known as security principals) are required by an Exaquantum
System:
User Groups
Windows Security groups that are used to control access to Exaquantum databases.
Exaquantum in the Legacy model has four User Groups (5 in the Standard and
Strengthened models) as standard and can use more if Role-based Namespace is used.
User Accounts
Windows Log-in accounts used by users to access computers and therefore access
Exaquantum. These accounts are made members of the relevant user groups to control
access.
Exaquantum Service account (defaults to Quantumuser for the Legacy model and
QTM_PROCESS for Standard and Strengthened models)
A special user account under which the Exaquantum processes run. This user account
must be available to all Exaquantum computers and OPC servers.
If the end user does not use any common Windows name resolution method such as WINS
or DNS, it will be necessary to add an entry for the Exaquantum server to the ‘hosts’ and
‘lmhosts’ files on each client, located in:
%Windir%\system32\drivers\etc
If they have not already been used, the files will have a .sam extension. Remove this
extension before using the file.
To allow the addition of clients or change the IP Address of the Exaquantum server, the
‘hosts’ and ‘lmhosts’ files will need to be kept up to date. Failure to do so will make
connection to the Exaquantum server impossible.
Recommendations
If the end user has a Windows server on his network using WINS and DNS, allow the
Exaquantum server to use them. This will reduce administration work later.
If the end user requires a few Exaquantum clients, adding the hostname and IP Address of
the Exaquantum server in the local host files will be sufficient, provided they have static IP
addresses and do not use DHCP.
If the end user does not use WINS and DNS, do not add these services to the network for the
purpose of installing the Exaquantum server, use local host files instead.
Exaquantum is a network intensive application and works best on a 1000 Mbps or
100 Mbps network running at full duplex to the server. The choice of network speed
will largely depend on the existing end user topology.
To make the maximum bandwidth available it is recommended that the Exaquantum server
is connected to an Ethernet switch (the only way to obtain full duplex) rather than a hub.
This will provide the best performance for client workstations.
Some organizations choose to add their Exaquantum server to the same network segment as
their Exaopc or HIS workstation, which typically run on a segment. This is sufficient,
however, care should be taken not to break the segment or exceed the length and/or the
number of stations on that segment.
This requires two Network Interface Cards in the Exaquantum server. The
Exaopc/HIS/EWS will typically be running in a workgroup configuration.
Typically a user will not want to link their HIS/Exaopc/EWS LAN to their main site
Ethernet. To support communication with the Exaquantum server a second Network
Interface Card is required on the Exaquantum server.
Two Network interface cards can be fitted to an Exaquantum Server, to allow the separation
of the OPC network, and the business layer network. When this is the case, in most
instances, it is recommended that the binding order of the cards is OPC network first.
Networking Protocols
Routers are an integral part of many of today’s networks and Exaquantum has been tested
and used in organizations where such configurations exist.
Through the use of RAS it is possible to access Exaquantum data over a conventional phone line.
For speed and performance we recommend that the Exaquantum server and its clients are in
the same subnet. If the Exaquantum clients reside in a different subnet, keep the
number of ‘hops’ to a minimum to maintain performance.
2.2.6 Firewalls
Firewalls are a common device to restrict traffic between networks. If there are any firewalls
between the Exaquantum server and its clients, the following should be noted:
Some Firewalls offer Network Address Translation (NAT) facilities. Exaquantum clients
will not be able to contact an Exaquantum server through the firewall if address translation is
used.
For more details about firewalls and DCOM see section 2.3 Firewall Configuration.
The Exaquantum data server requires that the operating system be configured correctly.
There are some simple steps that can be taken to ensure that Exaquantum performance is
optimised. This configuration is recommended for a standard Exaquantum installation,
although there may be reasons why particular services need to run on a specific installation.
The following guide details some of these steps:
Services such as DHCP server, WINS Server and DNS Server should not be running on the
Exaquantum server.
NETBEUI Protocol
This is not required by Exaquantum and should ideally be removed. If it has to be installed,
then it must have a lower priority than the TCP/IP protocol that is used by Exaquantum.
Network Monitor
Disable the network monitor from the network cards unless specifically monitoring network
traffic, as this can impede performance.
IP Address
We recommend that the Exaquantum server is issued with a static IP address rather than
having one assigned from the DHCP server.
Virus Checkers
If virus checkers are used on the Exaquantum server, then the checking of the database files
should be disabled, as this will affect performance.
Other Software
The Exaquantum Server should only be used to run Exaquantum. Other software can affect
the performance.
This section contains information on how to configure a firewall. The communications links
between components of an Exaquantum based system are shown. Any or all of these may
pass through firewalls.
DCOM traffic cannot traverse Network Address Translation (NAT) firewalls except via a
VPN tunnel; hence neither NAT nor Static NAT should be configured on any of links 1-3, 5 or 8.
Some, more sophisticated, firewalls perform deep packet inspection of DCOM traffic and
may restrict access by Program ID/GUIDs; most are limited to restricting traffic at a Port and
IP Address level.
TCP port numbers and the start and end points of the required communications.
From this information the required Firewall configurations may be derived for standard
configurations. Project specific communication requirements resulting from bespoke code or
additional applications are not covered in this document. A series of sample configurations
follow with worked Firewall configurations.
Assumptions
The DCOM port range used by a Windows system may be restricted from the default
1024-65535. It should be noted that this restriction applies to ALL DCOM use on that system,
not just Exaquantum but any other DCOM applications as well. For this reason it is not
recommended to limit the DCOM port range on Client PCs, only on Server systems. To
facilitate decisions on this, each link’s detail section includes the number of concurrent
DCOM processes required to support the link at each end.
NB. Two DCOM ports are used by Windows processes, so the counts below must be summed
and 2 added to find the minimum size of port range to use on each system.
This link is split into two components that may be installed together or separately.
Quantum.exe
ExaQuantumExecutive.exe
QRBNSServerBrowse.exe
QNameSpaceBrowser.exe
QHistorian.exe
Total DCOM Ports on the Exaquantum Server = 3 in addition to the Exaquantum Explorer
client:
QBuilder.exe
QAnalyse.exe
QBFRetriever.exe
The restrictions of DCOM port ranges may be applied on both the Exaquantum Server and
the OPC server(s); there is no need for these ranges to be the same size.
QOPCDAMgr.exe
QOPCAEPump.exe
QOPCPropertyAccess.exe
QFBRetriever.exe
QZOPCAECatchup.exe
Total DCOM Ports on the Exaquantum Server = 5 (none in addition to the Exaquantum
Explorer client).
Quantum.exe
ExaQuantumExecutive.exe
QRBNSServerBrowse.exe
QNameSpaceBrowser.exe
QHistorian.exe
Quantum.exe
W3pw.exe
NB. If the web site is set up to respond on a port other than 80 then amend Table 2-5 IP
address and TCP port filters Link 4.
No DCOM on this link. However, if the full Exaquantum Explorer thick client is installed
and can reach the Exaquantum server, then the ports defined for link 1 are required between
the Client and the Exaquantum Server, because Quantum.exe connects to the Exaquantum
Server, not to the Exaquantum Web Server web service, for data.
NB. If the Terminal Server is set up to respond on a port other than 3389 then amend the
above.
Exaquantum may act as an OPC DA & HDA Server to transfer data to a higher level PI
historian via an intermediate Interface server. The PI OPC DA and HDA Interface processes
run on the PI Interface server together with some Yokogawa software.
The restrictions of DCOM port ranges may be applied on both the Exaquantum Server and
the PI Interface Server; there is no need for these ranges to be the same size.
ZOPDA.exe
QOPCHDAServer.exe
QOPCHAEServer.exe
Source | Source port | Destination | Destination port | Service
Exaquantum Server | */TCP & UDP | DNS | 53/TCP & UDP | Domain Name Service (DNS)
DNS | 53/TCP & UDP | Exaquantum Server | */TCP & UDP | Domain Name Service (DNS)
Exaquantum may act as an OPC DA & HDA Server; the ProgIDs/GUIDs at the client end
will depend on the client.
The restrictions of DCOM port ranges may be applied on both the Exaquantum Server and
the OPC clients(s); there is no need for these ranges to be the same size.
ZOPDA.exe
QOPCHDAServer.exe
QOPCHAEServer.exe
The PI OPC Interface PC must transfer the data collected to the PI server.
Note: Port number 5040 on the PI Server is the default value. If the PI system setting has
been changed from the default, the configured port number must be used instead.
QRBNSServerBrowse.exe
QNamespaceBrowser.exe
Quantum.exe
ExaQuantumExecutive.exe
QRBNSServerBrowse.exe
QHistorian.exe
If this function is being used, the ports identified in Table 2-14 IP address and TCP port
filters MSMQ are used. NB: this does not use DCOM but does use RPC and port 135 to
allow a client to identify the port(s) that mqsvc.exe is listening on. The machine to machine
links that require access on these ports will depend on the MSMQ configuration and may be
all within a single Exaquantum server or separated over multiple Windows servers and
administrative clients. See http://support.microsoft.com/?id=178517 for details.
Sections Exaquantum in DMZ (De-Militarized Zone) and Exaquantum, WTS server and
Web server in DMZ illustrate the use of the information in previous sections to define actual
firewall configurations for two typical network topologies.
The DMZ is illustrated as having two, separate, firewalls though it could be configured with
a single device with three network connections.
[Figure: Exaquantum in DMZ. Components shown: Domain Controller, Exaquantum Explorer
& Admin Client, OPC Client, Firewall A, Exaquantum Server, Firewall B, OPC Server
(workgroup). Links shown: 1, 7 and 8 across Firewall A; 2 towards the OPC Server.]
Firewall A
Links of Type 1, 7 and 8 leading to the following port mapping (initially assuming no
restriction on the DCOM port mapping).
Firewall B
If HIS are to be used as Exaquantum clients, the configuration of Firewall B will need to be
extended to include link type 1 ports, and it may be considered worthwhile to restrict the
DCOM port range on the HIS to 9 plus any others required for non-Exaquantum links in
use.
To reduce the scope of the ‘holes’ in the firewalls, the DCOM ranges on the Exaquantum
and OPC servers may be restricted.
Exaquantum Server
2 Windows Processes
Total 17
OPC Server
Dependent on the OPC server – 3 for Exaopc CS3000 cassette with HDA.
[Figure: Exaquantum, WTS server and Web server in DMZ. Components shown: Domain
Controller, WTS Client, Web Client, Firewall A, Exaquantum Web Server, WTS Server,
Exaquantum Server (in the DMZ), Firewall B, OPC Server. Links shown: 4, 6 and 7 across
Firewall A; 5 within the DMZ; 2 towards the OPC Server.]
Firewall A
Links of type 4, 6 & 7 leading to the following port mapping (initially assuming no
restriction on the DCOM port mapping).
Table 2-18 IP address and TCP port filters Exaquantum and web in DMZ A
Firewall B
Table 2-19 IP address and TCP port filters Exaquantum and web in DMZ B
To reduce the scope of the ‘holes’ in the firewalls the DCOM ranges on the Exaquantum and
OPC servers may be restricted.
Exaquantum Server
2 Windows Processes
Total 15
NB Links 3 and 5 count even though they do not go through a firewall, as they come out of
the DCOM port pool.
OPC server
Dependent on the OPC server – 3 for Exaopc CS3000 cassette with HDA.
This section provides the technical information on how to configure firewalls capable of
deep packet inspection for DCOM traffic by GUID. Examples of such firewalls include:
Section 2.3.1 Firewall Configuration must be read in conjunction with this section
to cover the simple IP packet level filtering that is also required.
The communications links between components of an Exaquantum based system are shown.
Any or all of these may pass through firewalls. Those that contain DCOM traffic are shown
in Figure 2-4.
The links are numbered and will be described in detail in the following sections.
From this information the required Firewall configurations may be derived for standard
configurations. Project specific communication requirements resulting from bespoke code or
additional applications are not covered in this document.
This link is split into two components that may be installed together or separately.
NOTE that where the location in Table 2-18 IP address and TCP port filters Exaquantum and
web in DMZ A specifies “Exaquantum Client”, it is not possible to define a GUID or Prog
ID in these cases, as they are dynamic DCOM callbacks, and it is possible to run more than
one instance of the associated DCOM Process.
There will be differences depending on the OPC server(s) being used though these will be in
the ProgIDs used on the OPC server. The list below assumes the OPC server supports all of
the options available:
DA including Browsing
HDA
A&E
Properties
Table 2-23 GUIDs and ProgIDs Link 2
DCOM Process | ProgID & GUID | Location
QOPCDAMgr.exe | YokogawaMarex.QOPCDAMgr.1 {65FF4FB1-7D85-11D4-8A8A-00C04F95AC2C} | Exaquantum Server
QOPCDAPump.exe | QOPCAEPump.Pump.1 {97CB6026-7E0B-11D2-9462-00C04FA2F82A} | Exaquantum Server
QOPCPropertyAccess.exe | YokogawaMarex.QOPCProp.1 {77C5C20C-3DF6-11D4-B2DB-004095460E25} | Exaquantum Server
QFBRetriever.exe (OPC equalize) | QFBRetriever.cCandidates {BAB8A4FB-42D4-11D4-A0D8-00C04F7949E9}; QFBRetriever.cReadFile {BAB8A4F9-42D4-11D4-A0D8-00C04F7949E9} | Exaquantum Server
Dependent on the OPC server software: one for AE, one for DA, possibly one for HDA | | OPC Server
QZOPCAECatchup.exe | YokogawaMarex.QZOPCAECatchup.1 {87320759-08BA-11D5-8AFD-00C04F95AC2C} | Exaquantum Server
Exaquantum may act as an OPC DA & HDA Server; the ProgIDs/GUIDs at the client end
will depend on the client.
Table 2-25 GUIDs and ProgIDs Link 8
DCOM Process | ProgID & GUID | Location
ZOPDA.exe | Yokogawa.ExaopcDAEXQ.1 {7C55C23F-4A01-43AD-B517-B7DA3B25EECB} | Exaquantum Server
QOPCHDAServer.exe | QOPCHDAServer.HDAServer.1 {E42A32A3-BDD8-40A5-9388-2ADE4CC9AAA3}; QOPCHDAServer.HDAServerEx.1 {2A2165B5-7291-4F60-BD5B-DB6EB554E777} | Exaquantum Server
QOPCHAEServer.exe | QOPCHAEServer.HDAServer_PIAE.1 {A297E742-2EA3-463E-BD63-46C6555391AE} |
Dependent on the OPC client software: one for DA, possibly one for HDA | | OPC Server
With Windows Vista, Windows 7 and 2008 Server, Microsoft provides a software firewall.
Its control is to restrict inbound connections and, additionally, outbound connections. The
Firewall may be used to secure clients in an Exaquantum system.
This section deals with the setting up of incoming connections only. For Exaquantum clients
running on Windows Vista, Windows 7 or 2008 Server, it is recommended to use the default
settings for outbound connections. If it is necessary to modify the outbound settings (for
example where sites have a Domain Security Policy), then this should be undertaken only by
an Administrator with appropriate knowledge.
To permit the client to connect to the server the following port needs to be added to the
exceptions list of the firewall.
Port | Protocol | Service | Purpose
135 | TCP | RPC (DCOM) listener | To allow the call back to connect to DCOM and establish the call.
The following applications need to be added to the exceptions list of the firewall to allow the
call back transfer of historical data (see How to setup the Windows Firewall – Vista,
Windows 7, Server 2008 and Server 2008 R2 for instructions on how to do this):
C:\Program Files\Microsoft Office\OFFICE12
C:\Program Files\Microsoft Office\OFFICE14
Note1: Anything that uses the OLE/DB provider to retrieve historical data needs to be
added to the above list e.g. Crystal Reports.
Note2: Any user defined API that requests historical data should also be added to the list.
With Windows 2008 Server and Server 2008 R2, Microsoft provides a software firewall to
restrict inbound connections and outbound connections.
The Firewall may be used on Exaquantum Server systems. Note that client tools may be run
on a server and may require connections to other servers in a multi-server configuration.
This section deals with the setting up of incoming connections only. For Exaquantum
Servers running on Windows 2008 Server, it is recommended to use the default settings for
outbound connections (no restriction). If it is necessary to modify the outbound settings (for
example where sites have a Domain Security Policy), then this should be undertaken only by
an Administrator with appropriate knowledge based on the details provided in Section 2.3
Firewall Configuration.
To permit clients to connect to the server the port in Table 2-28 Windows Firewall
configuration – Ports needs to be added to the exceptions list of the firewall.
Port | Protocol | Service | Purpose
135 | TCP | RPC (DCOM) listener | To allow the client to connect to DCOM and establish the call.
1433 | TCP | SQL Server | Allow client access to the SQL server
The applications in Table 2-29 Windows firewall configuration Programs need to be added
to the exceptions list of the firewall to allow the call back transfer of historical data (See
How to setup the Windows Firewall – Vista, Windows 7, Server 2008 and Server 2008 R2
for instructions on how to do this):
Program | Path | Purpose
Exaquantum System Events Viewer | <Installation Folder>\Developer Tools\SysEventsViewer.exe | Needed for call back when requesting tag value.
 | C:\Program Files\Microsoft Office\OFFICE12 |
 | C:\Program Files\Microsoft Office\OFFICE14 |
Note1: Anything that uses the OLE/DB provider to retrieve historical data from another
server needs to be added to the above list e.g. Crystal Reports.
Note2: Any user application that utilizes the Exaquantum API to request historical data
from another server should also be added to the list.
How to setup the Windows Firewall – Vista, Windows 7, Server 2008 and Server 2008 R2
Once the snap-in is open it will look like Figure 2-5 WFAS Snap-in.
Then to add a rule open in bound rules and then select ‘add a new rule’ to invoke the wizard
as shown in Figure 2-6 Add a Rule.
To add a program rule allowing DCOM connection to a particular program follow the steps
shown in Figure 2-7 Add a Program Rule to Figure 2-11 Name the Rule:
To add a Port Rule choose the port option and follow the steps from Figure 2-12 Port Rule
Option to Figure 2-13 Specify the Port:
To amend an existing rule, select it and double-click, then edit in the properties box as shown
in Figure 2-14 Edit a Port Exception. From here additional definitions for the rule may be
added, for example specifying which source computers the inbound rule applies to.
This procedure should be carried out on the Exaquantum/PIMS server. Port ranges do not
have to be restricted on the client machine. By restricting the ports on the Exaquantum server,
the firewall can be configured to accept incoming traffic on these ports only when it is addressed
to the dedicated IP address of the Exaquantum server. All outgoing ports 1024-65535 should be
open.
If other applications are using DCOM, the port requirements of each application should be
taken into consideration.
1 To start Component Services, from the Start menu, point to Programs, point to
Administrative Tools, and then click Component Services.
4 In the Properties for COM Internet Services dialog box, click Add.
5 In the Port range text box, add a port range (for example, type 5000-5010), and then
click OK.
6 Leave the Port range assignment and the Default dynamic port allocation options set
to Internet range.
7 Click OK three times, and then restart the Exaquantum/PIMS server computer.
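The following is an added example, not from the Yokogawa guide, that scripts the DCOM port range from the Component Services steps above together with the firewall exceptions of Tables 2-28 and 2-29, scoped to the server's dedicated address and the client subnet. The server address, client subnet, installation folder and rule names are assumptions for the example; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the Yokogawa guide. All values below are assumptions.
$serverIp      = '172.10.20.31'       # dedicated address of the Exaquantum/PIMS server
$clientSubnet  = '172.10.20.0/24'     # addresses the Exaquantum clients connect from
$dcomPorts     = '5000-5010'          # the range typed into Component Services in step 5
$installFolder = 'C:\Program Files\Yokogawa\Exaquantum'   # hypothetical <Installation Folder>
$isServer      = $true                # $true on the Exaquantum server, $false on a client PC

function Add-ExaFirewallRule([string]$RuleArgs) {
    # netsh receives one verbatim argument string, so a quoted program path with spaces survives.
    $p = Start-Process -FilePath 'netsh.exe' -Wait -NoNewWindow -PassThru `
                       -ArgumentList "advfirewall firewall add rule $RuleArgs"
    if ($p.ExitCode -ne 0) { throw "netsh failed for: $RuleArgs" }
}

if ($isServer) {
    # 1. DCOM dynamic port range: these are the registry values the Component Services
    #    dialog writes. The two 'Y' values are the "Internet range" options of step 6.
    $rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $rpc)) { New-Item -Path $rpc -Force | Out-Null }
    New-ItemProperty -Path $rpc -Name Ports -PropertyType MultiString -Value @($dcomPorts) -Force | Out-Null
    New-ItemProperty -Path $rpc -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $rpc -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null

    # 2. Inbound port exceptions of Table 2-28 plus the DCOM range. Scoping them to the
    #    server's own address and the client subnet keeps them closed to every other source.
    $scope = "protocol=TCP localip=$serverIp remoteip=$clientSubnet"
    Add-ExaFirewallRule "name=Exaquantum-RPC-DCOM-135 dir=in action=allow localport=135 $scope"
    Add-ExaFirewallRule "name=Exaquantum-DCOM-Dynamic dir=in action=allow localport=$dcomPorts $scope"
    Add-ExaFirewallRule "name=Exaquantum-SQL-Server-1433 dir=in action=allow localport=1433 $scope"

    # 3. Read back the RPC settings; they only take effect after the restart of step 7.
    Get-ItemProperty -Path $rpc | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
} else {
    # Program exception of Table 2-29 on a client PC, so that the server's call back for
    # historical data can reach the System Events Viewer. Only the server may open it.
    $exe = Join-Path $installFolder 'Developer Tools\SysEventsViewer.exe'
    Add-ExaFirewallRule "name=Exaquantum-SysEventsViewer dir=in action=allow program=`"$exe`" remoteip=$serverIp"
}

# Show the rules just created so they can be checked against the tables.
netsh advfirewall firewall show rule name=all | Select-String -Pattern '^Rule Name:\s+Exaquantum-' -Context 0,10
```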
A Virtual Private Network (VPN) connection allows users at a remote location away from
the site to connect securely to a private LAN or WAN via a public network such as the
Internet. This type of connection masks the communications by providing encryption of the
contents and wrapping it in a different address while in transit over the public network. Extra
configuration will probably be required at each end of the VPN connection in order that the
two computers can still locate each other through the masking process. This chapter
explains:
In a system that provides a full Domain Name Service (DNS), and in which any intervening
Firewalls have been configured correctly, an Exaquantum system should work normally over
a VPN without any extra configuration.
The following procedure summarizes how a normal VPN connection works:
The client attempts to establish a secure connection to the remote VPN server.
If the authentication is satisfactory, the VPN server will issue the client with an IP address
within the same sub-net as the Exaquantum server. This address is only valid within the
local network; it is not the ‘real’ IP address of the client (as seen on the Internet).
The Exaquantum server will be able to communicate with the remote client using this
address, while the VPN server facilitates the routing to the real address of the client.
In the opposite direction, the client will communicate with the Exaquantum server via the
VPN server which will perform the necessary routing. The client will use the VPN to access
the name resolution service (DNS) facilities provided on the destination network to locate
the server.
However, if there is no DNS available, the system will have to be configured differently,
which is discussed in the next section.
There are two methods that can be used that approach the problem from different angles:
Using IP address - This method uses IP addresses instead of computer names, which
requires that a change be made to both the Exaquantum settings in the client PC, and to
the Windows Registry on each Exaquantum server.
Using computer names - This method continues to use names as usual. The only change
required is that the ‘hosts’ file on the client is modified to map the IP address of each
Exaquantum server to the correct name.
There are two or three stages to enabling this system, depending on whether there is more than
one Exaquantum server:
Client configuration
2 Open the Server Manager Tool by selecting Start -> Programs -> Exaquantum -> Server
Manager.
3 In the Primary Server box, replace the server’s name with the server’s IP address.
4 If your system uses a secondary server, in the Secondary Server box, replace the server’s
name with the server’s IP address.
5 To check that the connection can be established, click on the Test button for each server
configured and confirm the status is ‘Running’.
Server Configuration
In a normally configured system, the Exaquantum server passes its host name to the clients.
Without a DNS to resolve this name, the client will be unable to locate the server. To
overcome this problem, the server must be configured to pass the IP address instead.
This change requires editing the Windows registry. Before making any changes to the
registry it is recommended that you have a full working backup of your system. If you are
not confident with making such changes, you should contact your Yokogawa support
representative.
2 For each of the registry keys noted above, in the key’s data, replace the server name with
the equivalent IP address.
4 The changes will not take effect until the Exaquantum Server is stopped and restarted.
Ensure there are no clients connected, and then use the Exaquantum Server Manager
Tool, available from Start -> Programs -> Exaquantum -> Exaquantum Server Manager.
5 Click on the Stop button to stop the service. After a short pause the service status will
change to ‘Stopped’.
6 When it becomes available, click on the Start button to restart the service. The status will
change to ‘Running’.
In addition to the above, in a multi-server environment the other servers will also have to be
identified by the Primary server using their IP addresses. This is achieved using the Servers
tool on the Primary Server.
1 Log on to the server using an account with QAdministrator privileges, such as the
QuantumUser account.
2 Open the Administration Tools by selecting Start -> Programs -> Exaquantum ->
Administration Tools.
3 Navigate the tree on the left to locate Console Root -> Yokogawa Exaquantum ->
System Configuration -> Servers.
4 For each of the servers listed, change the Computer name to the equivalent IP address.
6 The changes will not take effect until the Exaquantum Server is stopped and restarted.
Ensure there are no clients connected, and then use the Exaquantum Server Manager
Tool, available from Start -> Programs -> Exaquantum -> Exaquantum Server Manager.
In this situation, the only configuration necessary is to provide the client with some means of
resolving the NetBIOS host names provided by the server. This is achieved by adding the
appropriate entries to the ‘hosts’ file on the client PC. In a standard installation using the
default locations, the ‘hosts’ file can be found at:
%Windir%\system32\drivers\etc
In order to complete this configuration you will need to know the host names and IP
addresses of all the Exaquantum servers to be accessed.
2 To the existing entries in the ‘hosts’ file, add a line for each Exaquantum server on the
system, in the form: <IP address> <name>
3 Save the changed hosts file and close the text editor. The changes take immediate effect.
Test the changes by using the ping command against the servers in the form:
ping <name>
for example:
ping MyServer1
Troubleshooting VPN
Failure to connect
There are two main reasons why a VPN connection fails to work, which are listed below. To
help diagnose what is causing the problem in any particular case, work through the sections
later in this chapter.
No DNS
In systems where DNS is not available, this system will not work as the client will be unable
to resolve the server name. No error messages will be given, but the usual symptom is that
the client cannot access any of the product client tools, and in most cases, only the splash
screen will be displayed.
Firewall
Another possible cause of failure is a Firewall, situated between the two computers that is
restricting some of the communications ports required by Exaquantum.
Verifying network connectivity – Check that there is a suitable network path between
the two computers.
Verifying DNS functionality – Check that the DNS is available to the client PC.
The purpose of this test is to determine if there is a suitable network path between the client
PC and Exaquantum server machines.
First, establish a VPN connection between the client PC and the VPN server. When
connected, open a console window on the client PC and type:
There should be a series of responses from the server addressed. The whole event will be
something like:
C:\>ping 172.10.20.31
Pinging Exaq1 [172.10.20.31] with 32 bytes of data
Reply from 172.10.20.31: bytes=32 time<1ms TTL=128
Reply from 172.10.20.31: bytes=32 time<1ms TTL=128
If there was no response, the problem could be that a Firewall is blocking the ICMP protocol
used to perform the ‘ping’ function; check this with the network administrator.
The purpose of this test is to establish that the client PC can access the DNS on the
destination network. It is assumed that the VPN connection between the client and VPN
server is working, and that the network connectivity test has been carried out and passed.
First, establish a VPN connection between the client PC and the VPN server. When
connected, open a console window on the client PC and type:
The DNS should respond with the IP address of the Exaquantum server. The whole event
will be something like:
C:\>nslookup Exaq1
Server: pluto.corp.yokogawa-marex.com
Address: 172.10.20.100
Name: Exaq1.corp.yokogawa-marex.com
Address: 172.10.20.31
In the example above, the IP address in question is the second one, 172.10.20.31.
If no address is returned for the server, one of the following applies:
If you know there is a functioning DNS available on the remote network, then there may
be a fault in the configuration.
There is no DNS available, and you will have to reconfigure the Exaquantum system for
working on such a system as described earlier in this chapter.
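The two checks of this section, followed by the ‘hosts’ file fallback described earlier in this chapter for systems without DNS, as an added example script run on the client PC once the VPN is up. It is not part of the guide; the server name and address are assumptions taken from the ping and nslookup output shown above, and the hosts file location is the standard one.

```powershell
# Added example, not from the Yokogawa guide. Run on the client PC after the VPN is connected.
param(
    [string]$ServerName = 'Exaq1',          # assumption: name from the nslookup example above
    [string]$ServerIp   = '172.10.20.31',   # assumption: address from the ping example above
    [switch]$FixHosts                       # add the hosts entry when DNS fails (needs elevation)
)
$hostsFile = Join-Path $env:windir 'System32\drivers\etc\hosts'

function Test-NetworkPath([string]$Ip) {
    # Same check as 'ping <ip>' above; no reply means no path or ICMP blocked by a firewall.
    Test-Connection -ComputerName $Ip -Count 2 -Quiet
}

function Get-DnsAddress([string]$Name) {
    # Same check as 'nslookup <name>': the DNS server is asked directly, so an entry in the
    # hosts file cannot hide a DNS fault. Returns the first answer address, or $null.
    $out = & nslookup.exe $Name 2>&1 | Out-String
    # nslookup prints the DNS server block first, then 'Name:' and the answer 'Address:' line.
    if ($out -notmatch '(?s)Name:.*?Address(?:es)?:\s*([0-9a-fA-F:.]+)') { return $null }
    return $Matches[1]
}

function Add-HostsEntry([string]$Ip, [string]$Name) {
    # Idempotent edit in the '<IP address> <name>' form the guide specifies: an identical line
    # is kept, a line mapping the name to another address is replaced, otherwise a line is appended.
    $new = @(); $done = $false
    foreach ($line in @(Get-Content $hostsFile)) {
        if ($line -notmatch '^\s*#' -and $line -match "^\s*(\S+)\s+$([regex]::Escape($Name))(\s|$)") {
            $new += "$Ip $Name"; $done = $true      # replaces, or rewrites unchanged
        } else {
            $new += $line
        }
    }
    if (-not $done) { $new += "$Ip $Name" }
    Set-Content -Path $hostsFile -Value $new -Encoding Ascii
}

# Step 1: network path (the 'Firewall' cause in Troubleshooting VPN).
if (-not (Test-NetworkPath $ServerIp)) {
    Write-Warning "No reply from $ServerIp. Check the VPN, and whether a firewall blocks ICMP; ask the network administrator."
    return
}

# Step 2: DNS (the 'No DNS' cause).
$dns = Get-DnsAddress $ServerName
if ($dns -eq $ServerIp) {
    Write-Host "DNS resolves $ServerName to $dns. No extra configuration is needed."
} elseif ($dns) {
    Write-Warning "DNS resolves $ServerName to $dns, not $ServerIp. A functioning DNS exists, so check its configuration."
} else {
    Write-Warning "DNS cannot resolve $ServerName. Reconfigure as described for systems without DNS."
    if ($FixHosts) {
        Add-HostsEntry -Ip $ServerIp -Name $ServerName
        Write-Host "Added '$ServerIp $ServerName' to $hostsFile. Verify with: ping $ServerName"
    }
}
```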
It is possible to allow access to certain tags based on a user’s role. Administrators may be
able to view tags from all over the plant, but an Operator in Area 1, for example, would only
view tags in Area 1. This is controlled by an extension of the security model called Role-
Based Namespace and requires additional user groups to control access. Refer to the
Exaquantum/PIMS User’s Manual (IM 36J04A11-01E) for more information.
The user groups will contain the user accounts that will be allowed the abilities particular to
the group. Therefore all accounts to be added must be available to these groups so that they
can be added. Alternatively, local copies of the user accounts can be created in the same
location as the user groups. These copies must have the same password as the originals.
The Exaquantum Service account must be available to all Exaquantum computers. This can
be achieved by making it a domain account accessible by all Domain computers, or by
creating local copies of the account on each Exaquantum computer. All copies of the
Exaquantum Service account must have the same password.
Exaquantum is a network-based product and involves managing databases to store and allow
retrieval of process data. Access to the databases must be controlled to allow only
authenticated users access. The security model used for Exaquantum is comprehensive,
allowing a flexible and solid degree of both general and role-based security. At the
cornerstone of this security model are Windows Security Groups.
The Exaquantum Security Model applies to both the Exaquantum Data Server and the
Exaquantum Web Server. Both servers use the same installation mechanism to comply with
the security model.
Note: Membership of other groups is needed to perform special operations but this is
omitted from this example for clarity.
The Exaquantum Service account is the account as which the server side processes run.
When a client connects to the server, a DCOM response is made from the server side
processes; DCOM on the client must recognise the Exaquantum Service account to allow
them to connect.
The second aspect of connection is the membership of User Groups. To allow basic
access to Exaquantum, all users must be members of the QUserGroup.
Example: a login takes place on an Exaquantum client computer by a user with a login
account of John_Smith. DCOM on the server first checks the QUserGroup for a member
called John_Smith. If a match is found a return DCOM connection running as the
Exaquantum Service account is made to the client where DCOM will check that it
recognizes the Exaquantum Service account. For more details see Chapter 4 DCOM and
Network Security in Exaquantum.
Note: The examples below give a basic understanding of security concepts. The methods
described do not reflect the way that the software works in detail.
In a domain all user accounts can be created globally. As such they are available to all
computers in the domain. To add a user account to the user group, the user group is accessed
on the Domain controller and the account added using the appropriate tool. All accounts are
controlled centrally, which offers an administrative saving. The Exaquantum Service
account is also created globally in the domain, and so is available to all computers in the
domain. This ensures that Exaquantum processes will run correctly.
The User Groups are created locally on the Exaquantum Server(s) but should contain Global
groups as members allowing control of access to be managed from the Domain Controllers.
Workgroup Authentication works through matching local users/passwords on the client and
server; where these match the client user is treated as if it were the matching server user.
Workgroup authentication works whether the client and server are in a domain or
workgroup. In the case where the client is a domain member with a domain user logged on
and the server is in a workgroup configuration the domain user is treated as if it was a local
user on the client and compared for name and password with any local users on the server.
Therefore all user accounts used for Exaquantum access are duplicated on the Exaquantum
server, where the user groups are created. These duplicated user accounts are then added to
the local user groups. It should be noted, however, that there is considerably more
administration to perform, as each account needs to be added to each computer that requires
it. Additionally, password changes must be performed on each instance of the user account.
It is possible to control the tags that each operator can view. This is done by creating
additional groups that further control access to the Exaquantum databases.
Each RBNS view is based on membership of one Windows security group. This group
should normally be created in the same place as your four standard Exaquantum User
Groups but can be created in a different location. Exaquantum supports groups in different
locations including a combination of locations. Therefore you can have RBNS views based
on groups created locally on the Exaquantum server as well as views based on groups
created on the local or external domains.
For more information, refer to "User account and Groups" in the Exaquantum Installation
Guide (IM 36J04A13-01E).
The RBNS configuration tool (located within Administration Tools of Exaquantum) allows
selection of Windows security groups from any location available on the network. However,
you will need some knowledge of the group type and restrictions, as these are not detailed by
the configuration tool. The following table should help you plan your RBNS group set-up:
This may require the assistance of your network administrator. RBNS group creation is
covered in more detail in the Exaquantum/PIMS User’s Manual (IM 36J04A11-01E).
It may be necessary, due to site security policy, to change the EXA Account. This is done
using the tool:
The tool must be run as a user who has local administration rights. Additionally, on
Windows 2008, the tool must be run with elevated rights: right-click
ExaAccountSetting.exe and select Run as Administrator from the pop-up menu.
Note: If the EXA user account is changed, the previous user account will not be deleted
automatically. Delete the previous EXA account manually, ensuring that this
name is not still used by other applications or packages.
For further information please refer to Installation Guide (EXA Account Setting).
If your Exaquantum System is configured to use global security principles and the OPC
server has access to these, no action needs to be taken. This is the case if the OPC server is
in the same domain as the Exaquantum Server and a global Exaquantum Service account has
been configured. For all other cases you will have to create a local copy of the Exaquantum
Service account.
If you do not know if the account exists you can try to log on to the OPC server using the
Exaquantum Service account and password, specifying the correct domain. If you cannot
log on then you will have to create the account locally.
If the OPC server does not have access to a global Exaquantum Service account, you must
create a local account. This must have the same password as the Exaquantum Service
account used by the Exaquantum Server.
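An added example, not from the guide, of the "try to log on" check described above, run on the OPC server without an interactive logon: it looks for the Exaquantum Service account first in the domain (global account) and then in the local SAM (local copy), and reports a missing account separately from a password that does not match the copy on the Exaquantum Server. The same check applies to the duplicated accounts of workgroup authentication. The domain name is an assumption; the password is entered at the prompt.

```powershell
# Added example, not from the Yokogawa guide. Uses the .NET AccountManagement API.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctxType = [System.DirectoryServices.AccountManagement.ContextType]

function Test-ExaServiceAccount {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,   # Exaquantum Service account and password
        [string]$Domain                                    # domain to try first; omit in a workgroup
    )
    $nc   = $Credential.GetNetworkCredential()
    $user = $nc.UserName                                   # strips any DOMAIN\ prefix
    $pass = $nc.Password

    # Stores to search, in the order the guide describes: global (domain) account, then local copy.
    $contexts = @()
    if ($Domain) {
        try {
            $contexts += New-Object System.DirectoryServices.AccountManagement.PrincipalContext `
                                    -ArgumentList $ctxType::Domain, $Domain
        } catch { Write-Warning "Domain '$Domain' not reachable from this OPC server: $_" }
    }
    $contexts += New-Object System.DirectoryServices.AccountManagement.PrincipalContext `
                            -ArgumentList $ctxType::Machine

    foreach ($ctx in $contexts) {
        $account = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $user)
        if (-not $account) { continue }                    # not defined in this store; try the next one
        if ($ctx.ValidateCredentials($user, $pass)) {
            return [pscustomobject]@{ Store = $ctx.ContextType; Result = 'OK: account exists and password matches' }
        }
        return [pscustomobject]@{ Store = $ctx.ContextType; Result = 'Password does not match the Exaquantum Server account' }
    }
    [pscustomobject]@{ Store = 'none'; Result = 'Account not found: create a local copy with the same password' }
}

# Usage (domain name is an assumption for the example):
Test-ExaServiceAccount -Credential (Get-Credential -Message 'Exaquantum Service account') -Domain 'corp.example'
```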
Figure 4-1 Communication Links in a Typical Exaquantum System shows the components and how
they communicate in a typical system comprising an OPC Server, the Exaquantum Server
(Quantum.exe and SQL Server), OPC Clients and an Exaquantum Client.
[Figure 4-1 Communication Links in a Typical Exaquantum System. Legend: physical computer
boundary; external communications.]
The internal communications are shown for completeness but are not of significance to the
DCOM communications discussion.
Each physical computer has DCOM settings for the entire computer as follows:
Each individual Process has some specific DCOM settings to aid communications as follows:
Table 4-3 DCOM Settings shows how the Exaquantum installation adjusts the DCOM
settings to allow each of the external communication routes:
For Exaquantum Clients and Web Servers, a network test facility is available from the Server
Manager. NOTE: The Network Diagnostic Tool supports IPv4 addresses only; IPv6 is not
supported.
The Server should be entered; the IP address and FQDN fields are optional; if these are
blank when running the test, they will be filled in automatically.
The Test button will run the network tests, and the results will be shown in the output field.
The OK button will save the log file settings and close the application.
The Cancel button will close the application, without saving any changes.
The results of the test can be saved to a text file by checking Output to Log file and using
the Log File Path browse button to specify the output folder and file.
Exaquantum Client
The Server Manager (Figure 5-2) is available from the Exaquantum menu, under Start ->
Programs on the taskbar.
The Test button runs a basic connection test to either the Primary or Secondary server.
The Network Test button starts the Exaquantum Network Test dialog (Figure 5-3); this runs
detailed connection tests to either the Primary or Secondary server.
After starting up the NetworkTest dialog, the server name will be filled in – it will contain
the name of the primary or secondary server. The IP Address and FQDN fields are optional;
if these are blank when running the test, they will be filled in automatically.
The Test button will run the network tests, and the results will be shown in the output field.
The OK button will save the log file settings and return to the Server manager dialog.
The Cancel button will return to the Server Manager dialog, without saving any changes.
The results of the test can be saved to a text file by checking Output to Log file and using
the Log File Path browse button to specify the output folder and file.
1. Ping test
2. Report of what IP address DNS reports for the specified server name
This test has two functions, which verify connectivity from Client to Server, and then back
from Server to the Client.
1. Tests that a connection can be made to the Quantum Session running on the
specified server
2. Following a successful test, the Quantum Session on the specified remote server
will execute a callback test to the client (where the Network Test Dialog is
running).
Chapter 6 IT Security
6.1 Overview
This chapter is a guide for introducing IT (Information Technology) security to the EXA
system in order to defend against and counter current and future security threats.
Two security models are offered to minimize, wherever possible, the effects of IT security
introduction on the configuration and operation of the current system.
These models are based on the general configuration of all Yokogawa’s EXA products. The
application of these models requires the examination of the current system, engineering
activities and operations.
This chapter targets engineers who install the Exaquantum system and examine its operation.
The security provided is capable of defending against attacks on the Exaquantum system by
a third party who does not have specialized knowledge in IT and uses only generally
available devices or tools.
• Introduction to IT Security
Security Threats
There are a number of possible security threats which IT Security is designed to
handle. These are classified as follows:
Threat of a negative impact on the system brought about by an unauthorized person from
Business Network/DMZ/PCN via a network, which causes the leakage of critical data.
Threat that arises when a terminal or critical data is stolen and the data is analyzed.
The unit of the network shown in the block of the above-mentioned chart is called a security
zone. The security zone is a logical or a physical group, with a common security requirement
and the same security level. The defense is improved using a Hierarchy of zones with
different security settings.
Item                           Policy
Wireless network               The use of the wireless network for terminal access is not considered.
Anti-virus software            Only the anti-virus software that is approved by the Yokogawa Electric
                               Corporation is to be used. Moreover, it is necessary to verify each update
                               on a test terminal before use, to check for unanticipated effects of a new
                               scan engine and pattern file update.
Windows security patch         Only the security patches whose necessity is confirmed by Yokogawa are
(service packs included)       to be applied.
Windows Auto Update function   The Auto Update function of Windows cannot be used.
Unverified software            The installation and use of programs that are not verified by the
                               Yokogawa Electric Corporation is prohibited.
• Legacy
• Standard
• Strengthened
• Access control
When installing Exaquantum R2.60 or later, you can choose to configure the Legacy or
Standard model by using the IT Security Setting Tool.
Feature
  Legacy Model: Model that gives priority to consolidation of previous version and
  products not supporting ‘IT security’ models.
  Standard Model: The Model has features to counter "Attack over the network" and
  "Direct attack from terminal operation"; consideration must be given to Exaquantum
  operation with another System (Exaopc and CENTUM, etc.). "Theft of critical data"
  will not be opposed by the Standard Model, due to the low threat considering the
  Exaquantum feature.
Adjustment means
  Legacy Model: On installation of Exaquantum R2.60.00 or later, ‘IT Security’ can be
  selected as the Legacy or Standard model.
  Standard Model: On installation of Exaquantum R2.60.00 or later, ‘IT Security’ can be
  selected as the Legacy or Standard model.
The security restrictions corresponding to each security model are shown in the following
table.
×: Not implemented
♦ After installing another EXA package that supports IT Security such as Exapilot,
ExaOPC, Exaplog
• Exaquantum Client.
The following steps provide information for the general use of the tool. Section 6.2.4
Changing the Security Model provides the detail for specific scenarios.
1 The user for executing the IT security setting tool differs depending on the current
security model and user management. Log on as the appropriate user, as detailed in
Section 6.2.4 Changing the Security Model, before running the IT Security setting
tool.
IMPORTANT
When this tool is started by a user with no administrative privilege, or by one who does not belong
to the EXA_MAINTENANCE group, an error dialog is displayed.
IMPORTANT
Terminate all client windows before executing the IT security tool. Currently executing
Exaquantum and EXA services, such as Exa Boss and PM Logd, will be stopped.
3 Select "IT security setting" menu from the Windows start menu.
Note: Don’t use Security Setting Change Tool for Exaopc. From Windows Start Menu –
[YOKOGAWA EXA] – [Security].
4 A dialog box to select the package(s) to which to apply Security settings is displayed.
Checks are done on the Security settings of all packages that support ‘IT Security’.
Because the Security settings are necessary for all packages when the security model is
changed, the check cannot be removed.
TIP: A check mark is shown for all currently installed packages that support the IT
security setting.
5 "Selection of the security model" dialog box is displayed. Select the appropriate type of
IT security, and click "Next" button.
IMPORTANT
♦ Only models that the user has privilege to change can be selected.
TIP: The Security Settings window allows the user to select security items to be configured
in the computer. As long as there is no particular reason, select the check boxes of all
security items. If a model which is different from the currently-set Security Model is
selected, all security items need to be configured. Leave all security items as they are
selected.
♦ When "Legacy Model" or "Standard model (stand-alone)" are selected, the Security
settings window is displayed. It is recommended that all items be checked
♦ When "Standard model (domain)" is selected, the Security settings window displays the
current domain name
IMPORTANT
When selecting standard (Domain) and a required user group is not created on the domain
server, an error message is displayed.
Click the OK button, create the required user group on the domain server, and then repeat from
step 3.
8 When the Security setting is started, the progress bar is displayed at the lower left of the
Security settings item dialog box.
NOTE: When the settings end abnormally, the dialog box is displayed. Click OK to end
the IT Security Tool.
Collect the information necessary for the analysis with the EXA package information
gathering tool, and submit the query to Yokogawa.
IMPORTANT
Any manual changes performed since the last run of the IT security setting tool or
installation may be lost following the running of this tool. These will need to be made again.
If the current Security Model is changed, the user needs to have both execution authorities,
before change and after change.
To give the user the appropriate permission, refer to “Section 2.23 User Group Generation
before Installation” in IM 36J04A13-01E Exaquantum Installation Guide.
Conditions
o Local Administrators
o Local EXA_MAINTENANCE
Steps
3. Delete the local accounts quantumuser and EXA (if running on a server)
4. Reboot the PC
Conditions
• The set of groups, detailed in Section 2.9 “User Account and Group” of the
Installation Guide, must have been created on the Domain.
o Local Administrators
o Domain EXA_MAINTENANCE
Steps
3. Delete the local accounts quantumuser and EXA (if running on a server)
4. Reboot the PC
o Local Administrators
o Local EXA_MAINTENANCE
• Change password policy, detailed in Section 10.22 “Password Policy Setting (Legacy
Model)” of the Installation Guide.
Steps
3. Reboot the PC
o Local EXA_MAINTENANCE_LCL
• Change password policy, detailed in Section 10.22 “Password Policy Setting (Legacy
Model)” of the Installation Guide.
Steps
3. Reboot the PC
5. Remove the groups from the Domain, listed in Section 2.9 “User Account and Group” of
the Installation Guide.
Conditions
• The set of groups, detailed in Section 2.9 “User Account and Group” of the
Installation Guide, must have been created on the Domain.
o Local Administrators
o Domain EXA_MAINTENANCE
o Local EXA_MAINTENANCE
Steps
3. Reboot the PC
4. Remove the local groups, listed in Section 2.9 (User Account and Group of the
Installation guide).
o Local Administrators
o Local EXA_MAINTENANCE
Steps
3. Reboot the PC
5. Remove the groups from the Domain, listed in Section 2.9 (User Account and Group of
the Installation guide).
This section describes the procedures required for linking Exaquantum R2.70 with the
other YOKOGAWA solution-based software packages as of the R2.70 release.
All descriptions are for the Exaquantum server only; no settings are required for an Exaquantum
client.
Refer to the coexistence and connection instructions in the manuals for the other packages in
parallel with this document.
Two configurations are considered for each package.
Coexistence Operating environment where Exaquantum server and other packages operate on the
same PC.
Connection Operating environment where Exaquantum server and other packages operate via a
network with another PC.
Note: Exaquantum does not support the new Combination management Model in IT security.
• Security Model
If Exaquantum coexists with another product, set the same security model on each product.
When Exaquantum R2.70 coexists with Exaopc R3.70 or later, Exapilot R3.90 or later, Exaplog R3.40 or
later, Exasmoc R4.03 or later, or Exarqe R4.03 or later, set the “Legacy Model”. This is because the IT
Security Setting tool is different between Exaquantum and the other products.
If Exaquantum coexists with other products which do not support IT Security, the Security model should be
set to Legacy on Exaquantum.
• User Management
If Exaquantum coexists or connects with another product, set the same User Management. If the
Security Model or User Management differs from that of the other product, Exaquantum will not run correctly.
Products other than Exaquantum support Combination Management; Exaquantum does not support this
mode. For a description of Combination Management, please refer to the documentation of these other
products.
Exaquantum in legacy mode is supported in a domain environment. However other products do not support
this arrangement. If it is required for other products to connect with Exaquantum running in this way, please
use the Standalone procedure (documented in the following tables) for the other products.
<DVD>:TOOLS\CreateQTMProcess.exe
• Integration Code:
The integration code described on and after this page is a code assigned to each combination of
Yokogawa system products.
If Exaquantum is combined with another product, confirm the assigned integration code
described in both manuals. The last two digits of an integration code are the revision number of the
combination information, meaning that a larger number indicates a newer revision of a
product. If the latest versions of Exaquantum and the other product are combined, perform setup
according to the procedure with the larger number.
0103-0201-03-01
6.2.5.1 Exaopc
For the Standard Model, matching Exaquantum and Exaopc service accounts are required on both
systems, and the accounts must be members of the particular group.
The "Process execution account making tool" from the Exaopc product CD is used to create the
OPC_PROCESS user.
<DVD->: EXA\TOOLS\CreateOPCProcess.exe
NOTE: Exaquantum and Exaopc R3.70.00 can only coexist in Legacy mode. This is because the two
products have different versions of the IT Security Setting tool.
Coexistence

No.  Products and models            Standalone Management               Domain Management
1    Exaquantum Legacy / Exaopc     No special settings are necessary   Not Applicable
2    Exaquantum Standard / Exaopc   Not supported                       Not supported
Connection

1. Exaquantum Standard
   Standalone Management: Create the User Account "OPC_PROCESS", and place it in the user group "QTM_OPC".
   Domain Management: Create the User Account "OPC_PROCESS", and place it in the user group "QTM_OPC_LCL".
   Exaopc Standard
   Standalone Management: Create the User Account "QTM_PROCESS", and place it in the user group "OPC_USER".
   Domain Management: Create the User Account "QTM_PROCESS", and place it in the user group "OPC_USER_LCL".

2. Exaquantum Standard
   Standalone Management: Create the Exaopc Process account (default EXA). It must have a matching password
   with the Exaopc Server; place it in the user group "QTM_OPC".
   Domain Management: Create the Exaopc Process account (default EXA). It must have a matching password
   with the Exaopc Server; place it in the user group "QTM_OPC_LCL".
   Exaopc Legacy
   Standalone Management: Create the User Account "QTM_PROCESS".
   Domain Management: Not Applicable.

3. Exaquantum Legacy
   Standalone Management: Create the User Account "OPC_PROCESS".
   Domain Management: Create the local User Account "OPC_PROCESS".
   Exaopc Standard
   Standalone Management: Create the User Account "quantumuser". It must have a matching password with the
   Exaquantum Server; place it in the user group "OPC_USER".
   Domain Management: Create the User Account "quantumuser". It must have a matching password with the
   Exaquantum Server; place it in the user group "OPC_USER_LCL".

4. Exaquantum Legacy
   Standalone Management: Create the Exaopc process account (default EXA). It must have a matching password
   with the Exaopc server. If the Exaopc process execution account is EXA, there is no need to create it.
   Domain Management: Create the Exaopc process local account (default EXA). It must have a matching password
   with the Exaopc server. If the Exaopc process execution account is EXA, there is no need to create it.
   Exaopc Legacy
   Standalone Management: Create the User Account "quantumuser" with a password matching the Exaquantum Server.
   Domain Management: Not Applicable.
Exaopc R3.60.00
NOTE. Exaquantum and Exaopc R3.60.00 cannot coexist on the same PC. This is because the two products
have different versions of the IT Security Setting tool.
Connection.
1. Exaquantum Standard
   Standalone Management: Create the User Account "OPC_PROCESS", and place it in the user group "QTM_OPC".
   Domain Management: Create the User Account "OPC_PROCESS", and place it in the user group "QTM_OPC_LCL".
   Exaopc Standard
   Standalone Management: Create the User Account "QTM_PROCESS", and place it in the user group "OPC_USER".
   Domain Management: Create the User Account "QTM_PROCESS", and place it in the user group "OPC_USER_LCL".
2. Exaquantum Standard
   Standalone Management: Create the Exaopc Process account (default EXA). It must have a matching password with the Exaopc Server; place it in the user group "QTM_OPC".
   Domain Management: Create the Exaopc Process account (default EXA). It must have a matching password with the Exaopc Server; place it in the user group "QTM_OPC_LCL".
   Exaopc Legacy
   Standalone Management: Create the User Account "QTM_PROCESS".
   Domain Management: Not applicable.
3. Exaquantum Legacy
   Standalone Management: Create the User Account "OPC_PROCESS".
   Domain Management: Create the User Account "OPC_PROCESS".
   Exaopc Standard
   Standalone Management: Create the User Account "quantumuser". It must have a matching password with the Exaquantum Server; place it in the user group "OPC_USER".
   Domain Management: Create the User Account "quantumuser". It must have a matching password with the Exaquantum Server; place it in the user group "OPC_USER_LCL".
4. Exaquantum Legacy
   Standalone Management: Create the Exaopc process account (default EXA). It must have a matching password with the Exaopc server. If the Exaopc process execution account is EXA, there is no need to create it.
   Domain Management: Create the Exaopc process local account (default EXA). It must have a matching password with the Exaopc server. If the Exaopc process execution account is EXA, there is no need to create it.
   Exaopc Legacy
   Standalone Management: Create the User Account "quantumuser" with a password matching the Exaquantum Server.
   Domain Management: Not Applicable.
Connection.
1. Exaquantum Standard
   Standalone Management: Create the Exaopc Process account (default EXA). It must have a matching password with the Exaopc Server; place it in the user group "QTM_OPC".
   Domain Management: Create the Exaopc Process account (default EXA). It must have a matching password with the Exaopc Server; place it in the user group "QTM_OPC_LCL".
   Exaopc Legacy
   Standalone Management: Create the User Account "QTM_PROCESS".
   Domain Management: Not applicable.
2. Exaquantum Legacy
   Standalone Management: Create the Exaopc process account (default EXA). It must have a matching password with the Exaopc server. If the Exaopc process execution account is EXA, there is no need to create it.
   Domain Management: Create the Exaopc process local account (default EXA). It must have a matching password with the Exaopc server. If the Exaopc process execution account is EXA, there is no need to create it.
   Exaopc Legacy
   Standalone Management: Create the User Account "quantumuser" with a password matching the Exaquantum Server.
   Domain Management: Not Applicable.
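The tables above boil down to one check on the Exaquantum side: does the partner product's process account sit in the right Exaquantum group (QTM_OPC in a workgroup, QTM_OPC_LCL in a domain)? The following PowerShell script is an added example, not part of the Yokogawa guide or its tools; it verifies that membership with the ADSI WinNT provider (available on the Windows versions the guide covers) and assumes the domain name "EXAMPLE" for the domain model.

```powershell
# Added example (not from the Exaquantum guide): verify that the Exaopc process
# account required by the "Connection" table (row 1, Exaquantum Standard) is a
# member of the expected Exaquantum group on this Exaquantum server.
param(
    [ValidateSet('Standalone', 'Domain')]
    [string]$Model = 'Standalone',
    [string]$Domain = 'EXAMPLE'   # assumed domain name; used only for the Domain model
)

# Exaquantum-side requirements taken from the table: the account OPC_PROCESS must
# be in QTM_OPC (standalone management) or QTM_OPC_LCL (domain management).
$expected = @{
    Standalone = @{ Account = 'OPC_PROCESS'; Group = 'QTM_OPC' }
    Domain     = @{ Account = 'OPC_PROCESS'; Group = 'QTM_OPC_LCL' }
}

function Test-LocalGroupContains {
    param([string]$Group, [string]$Account, [string]$Domain)
    $computer = $env:COMPUTERNAME
    try {
        $adsiGroup = [ADSI]"WinNT://$computer/$Group,group"
        # Each member is a COM object; read its ADsPath, which looks like
        # WinNT://COMPUTER/Name for local accounts or WinNT://DOMAIN/Name for domain accounts.
        $members = @($adsiGroup.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
    } catch {
        return @{ Ok = $false; Reason = "group $Group does not exist on $computer" }
    }
    # In the domain model the process account is assumed to be a domain account;
    # in the standalone model it is a local account with a matching password.
    $want = if ($Domain) { "WinNT://$Domain/$Account" } else { "WinNT://$computer/$Account" }
    if ($members | Where-Object { $_ -ieq $want }) {
        return @{ Ok = $true; Reason = "$want is a member of $Group" }
    }
    return @{ Ok = $false; Reason = "$want is not a member of $Group (members: $($members -join ', '))" }
}

$req = $expected[$Model]
$domainArg = if ($Model -eq 'Domain') { $Domain } else { $null }
$result = Test-LocalGroupContains -Group $req.Group -Account $req.Account -Domain $domainArg
if ($result.Ok) { Write-Host "OK: $($result.Reason)" }
else { Write-Warning "MISSING: $($result.Reason)" }
```

Swap the Account/Group pairs for the other rows (for example "QTM_PROCESS" in "OPC_USER" when run on the Exaopc server) to check the partner side; the script cannot verify that the passwords match, which the tables also require.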
6.2.5.2 Exapilot
In the case of the standard (strengthened) model, the service accounts need to be replicated between
the systems and placed into the correct user groups.
For the creation of the Exapilot execution account "PLT_PROCESS", a tool is provided on the
Exapilot CD. It can be executed directly from the Exapilot CD:
<CD>:EXA\TOOLS\CreatePLTProcess.exe
NOTE. Exaquantum and Exapilot R3.90.00 can only coexist in Legacy mode. This is because the two
products have different versions of the IT Security Setting tool.
Coexistence.
1. Exaquantum Legacy / Exapilot Legacy
   Standalone Management: Create the Exapilot process account (default EXA). It must have a matching password with the Exapilot Server; place it in the user groups "QUserGroup" and "QDataWriteGroup".
   Domain Management: Not Applicable.
2. Exaquantum Standard / Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
Connection.
1. Exaquantum Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
   Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
2. Exaquantum Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
   Exapilot Legacy
   Standalone Management: Not Supported.
   Domain Management: Not Applicable.
3. Exaquantum Legacy
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
   Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
4. Exaquantum Legacy
   Standalone Management: Create the Exapilot process account (default EXA) with a password matching that of Exapilot. Add this user to the user groups "QUserGroup" and "QDataWriteGroup".
   Domain Management: Create the Exapilot process account (default EXA) with a password matching that of Exapilot. Add this user to the user groups "QUserGroup" and "QDataWriteGroup".
   Exapilot Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.
Coexistence.
1. Exaquantum Legacy / Exapilot Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.
2. Exaquantum Standard / Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
Connection.
1. Exaquantum Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
   Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
2. Exaquantum Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
   Exapilot Legacy
   Standalone Management: Not Supported.
   Domain Management: Not Applicable.
3. Exaquantum Legacy
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
   Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
4. Exaquantum Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: No special settings are necessary.
   Exapilot Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.
Coexistence.
1. Exaquantum Legacy / Exapilot Legacy
   Standalone Management: Create the Exapilot process account (default EXA). It must have a matching password with the Exapilot Server; place it in the user groups "QUserGroup" and "QDataWriteGroup".
   Domain Management: Not Applicable.
2. Exaquantum Standard / Exapilot Standard
   Standalone Management: Place the User Account "PLT_PROCESS" in the user group "QTM_DATA_READ". Place the User Account "PLT_PROCESS" in the user group "QTM_DATA_WRITE". Place the User Account "QTM_PROCESS" in the user group "PLT_OPC".
   Domain Management: Place the User Account "PLT_PROCESS" in the user group "QTM_MAINTENANCE_LCL". Place the User Account "QTM_PROCESS" in the user group "PLT_OPC_LCL".
Connection.
1. Exaquantum Standard
   Standalone Management: Create the User Account "PLT_PROCESS". Place the User Account "PLT_PROCESS" in the user group "QTM_DATA_READ". Place the User Account "PLT_PROCESS" in the user group "QTM_DATA_WRITE".
   Domain Management: Create the User Account "PLT_PROCESS". Place the User Account "PLT_PROCESS" in the user group "QTM_MAINTENANCE_LCL".
   Exapilot Standard
   Standalone Management: Place the User Account "QTM_PROCESS" in the user group "PLT_OPC".
   Domain Management: Place the User Account "QTM_PROCESS" in the user group "PLT_OPC_LCL".
2. Exaquantum Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
   Exapilot Legacy
   Standalone Management: Not Supported.
   Domain Management: Not Applicable.
3. Exaquantum Legacy
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
   Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
4. Exaquantum Legacy
   Standalone Management: Create the Exapilot process account (default EXA) with a password matching that of Exapilot. Add this user to the user groups "QUserGroup" and "QDataWriteGroup".
   Domain Management: Create the Exapilot process account (default EXA) with a password matching that of Exapilot. Add this user to the user groups "QUserGroup" and "QDataWriteGroup".
   Exapilot Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.
Coexistence.
1. Exaquantum Legacy / Exapilot Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.
2. Exaquantum Standard / Exapilot Standard
   Standalone Management: Place the user which executes Exaquantum Explorer in the user group "PLT_OPERATOR".
   Domain Management: Place the user which executes Exaquantum Explorer in the user group "PLT_OPERATOR".
Connection.
1. Exaquantum Standard
   Standalone Management: No special settings are necessary.
   Domain Management: No special settings are necessary.
   Exapilot Standard
   Standalone Management: Place the user which executes Exaquantum Explorer in the user group "PLT_OPERATOR".
   Domain Management: Place the user which executes Exaquantum Explorer in the domain group "PLT_OPERATOR".
2. Exaquantum Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
   Exapilot Legacy
   Standalone Management: Not Supported.
   Domain Management: Not Applicable.
3. Exaquantum Legacy
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
   Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
4. Exaquantum Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: No special settings are necessary.
   Exapilot Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.
Coexistence.
1. Exaquantum Legacy / Exapilot Legacy
   Standalone Management: Create the Exapilot process account (default EXA). It must have a matching password with the Exapilot Server; place it in the user groups "QUserGroup" and "QDataWriteGroup".
   Domain Management: Not Applicable.
2. Exaquantum Standard / Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
Connection.
1. Exaquantum Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
   Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
2. Exaquantum Legacy
   Standalone Management: Create the Exapilot process account (default EXA) with a password matching that of Exapilot. Add this user to the user groups "QUserGroup" and "QDataWriteGroup".
   Domain Management: Create the Exapilot process account (default EXA) with a password matching that of Exapilot. Add this user to the user groups "QUserGroup" and "QDataWriteGroup".
   Exapilot Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.
Coexistence.
1. Exaquantum Legacy / Exapilot Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.
2. Exaquantum Standard / Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
Connection.
1. Exaquantum Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
   Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Applicable.
6.2.5.3 Exaplog
Exaquantum and Exaplog can both coexist on the same PC or connect from separate PCs.
However, it is not possible for the Exaquantum Client to be installed on the same PC as Exaplog,
due to different versions of the IT Security Setting Tool.
NOTE. Exaquantum and Exaplog R3.40.00 can only coexist in Legacy mode. This is because the two
products have different versions of the IT Security Setting tool.
Coexistence.
1. Exaquantum Legacy / Exaplog Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.
2. Exaquantum Standard / Exaplog Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
Connection.
1. Exaquantum Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
   Exaplog Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
2. Exaquantum Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
   Exaplog Legacy
   Standalone Management: Not Supported.
   Domain Management: Not Applicable.
3. Exaquantum Legacy
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
   Exaplog Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
4. Exaquantum Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: No special settings are necessary.
   Exaplog Legacy
   Standalone Management: Create the User Account "Quantumuser". It must have a matching password with the Exaquantum Server. Grant it the privilege "Log on as batch job".
   Domain Management: Not Applicable.
Exaplog R3.30.00
Coexistence.
1. Exaquantum Legacy / Exaplog Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.
2. Exaquantum Standard / Exaplog Standard
   Standalone Management: Create the User Account "Quantumuser". It must have a matching password with the Exaplog Server. Grant it the privilege "Log on as batch job".
   Domain Management: Create the local group "PLG_CONVERTER_LCL". Create the local User Account "Quantumuser". It must have a matching password with the Exaplog Server. Grant it the privilege "Log on as batch job".
Coexistence.
1. Exaquantum Legacy / Exaplog Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.
2. Exaquantum Standard / Exaplog Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.
Connection.
1. Exaquantum Standard
   Standalone Management: Create the User Account "Quantumuser". It must have a matching password with the Exaplog Server. Place it in the user group "QTM_DATA_READ".
   Domain Management: Not Supported.
   Exaplog Legacy
   Standalone Management: Create the User Account "Quantumuser". It must have a matching password with the Exaquantum Server. Grant it the privilege "Log on as batch job".
   Domain Management: Not Applicable.
6.2.5.4 Exasmoc/Exarqe
It is possible for Exaquantum and the Exarqe / Exasmoc client to coexist on the same PC.
Coexistence is possible for the Legacy Security model; no special settings are necessary.
The CENTUM process execution account is created with one of the following tools from the CENTUM DVD:
<DVD>:CENTUM\SECURITY\Yokogawa.IS.iPCS.Platform.Serurity.CreateCentumProcess.exe
<DVD>:CENTUM\SECURITY\CreateCentumProcess.exe
Connection.
1. Exaquantum Standard
   Standalone Management: Create the User Account "CTM_PROCESS", and place it in the user group "QTM_OPC".
   Domain Management: Create the User Account "CTM_PROCESS", and place it in the user group "QTM_OPC_LCL".
   CENTUM VP Standard
   Standalone Management: Create the User Account "QTM_PROCESS", and place it in the user group "CTM_OPC".
   Domain Management: Create the User Account "QTM_PROCESS", and place it in the user group "CTM_OPC_LCL".
2. Exaquantum Standard
   Standalone Management: Create the User Account "CENTUM", and place it in the user group "QTM_OPC".
   Domain Management: Create the User Account "CENTUM", and place it in the user group "QTM_OPC_LCL".
   CENTUM VP Legacy
   Standalone Management: Create the User Account "QTM_PROCESS".
   Domain Management: Not Applicable.
3. Exaquantum Legacy
   Standalone Management: Create the User Account "CTM_PROCESS".
   Domain Management: Create the local User Account "CTM_PROCESS".
   CENTUM VP Standard
   Standalone Management: Create the User Account "quantumuser". It must have a matching password with the Exaquantum Server; place it in the user group "CTM_OPC".
   Domain Management: Create the local User Account "quantumuser". It must have a matching password with the Exaquantum Server; place it in the user group "CTM_OPC_LCL".
4. Exaquantum Legacy
   Standalone Management: Create the User Account "CENTUM". It must have a matching password with CENTUM VP.
   Domain Management: Create the local User Account "CENTUM". It must have a matching password with CENTUM VP.
   CENTUM VP Legacy
   Standalone Management: Create the User Account "quantumuser".
   Domain Management: Not Applicable.
Connection.
1. Exaquantum Standard
   Standalone Management: Create the User Account "CENTUM". It must have a matching password with CS3000. Place it in the user group "QTM_OPC".
   Domain Management: Create the User Account "CENTUM". It must have a matching password with CS3000. Place it in the user group "QTM_OPC_LCL".
   CS3000
   Standalone Management: Create the User Account "QTM_PROCESS".
   Domain Management: Not Applicable.
2. Exaquantum Legacy
   Standalone Management: Create the User Account "CENTUM". It must have a matching password with CS3000.
   Domain Management: Create the local User Account "CENTUM". It must have a matching password with CS3000.
   CS3000
   Standalone Management: Create the User Account "quantumuser" with a password matching the Exaquantum Server.
   Domain Management: Not Applicable.
6.2.5.7 Other companies OPC server
For the standard (Strengthened) model, the process execution accounts have to be replicated and placed
into the correct user groups.
Table 6-4 Legacy Model
Setting contents
connection:
   Exaquantum: No special settings are necessary.
   Other companies' OPC server: Follow the setting procedure of the other company's OPC server.
Table 6-5 Standard (Strengthened) Standalone Model
Setting contents
connection:
   Exaquantum: Create the other company's OPC execution account, and place it in the user group "QTM_OPC".
   Other companies' OPC server: Follow the setting procedure of the other company's OPC server.
Table 6-6 Standard (Strengthened) Domain Model
Setting contents
connection:
   Exaquantum: Create the other company's OPC execution account, and place it in the user group "QTM_OPC_LCL".
   Other companies' OPC server: Follow the setting procedure of the other company's OPC server.
Setting contents
cohabitation:
   Exaquantum: Place the process execution account of the client into "QUserGroup" and optionally "QDataWriteGroup".
   Client *1
connection:
   Exaquantum: Create an account to match the client process execution account and place it into "QUserGroup" and optionally "QDataWriteGroup".
   Client *1: Follow the client manual.
Setting contents
cohabitation:
   Exaquantum: Place the client process execution account into "QTM_DATA_READ" and optionally "QTM_DATA_WRITE".
   Client *1
connection:
   Exaquantum: Create an account to match the client process execution account and place it into "QTM_DATA_READ" and optionally "QTM_DATA_WRITE".
   Client *1: Follow the client manual.
Table 6-9 Standard (Strengthened) Domain Model
Setting contents
cohabitation:
   Exaquantum: Place the client process execution account into "QTM_DATA_READ" and optionally "QTM_DATA_WRITE".
   Client *1
connection:
   Exaquantum: Create an account to match the client process execution account and place it into "QTM_DATA_READ" and optionally "QTM_DATA_WRITE".
   Client *1: Follow the client manual.
*1 For the client, follow its manual.
6.3 Operations
This chapter describes Windows account management and the related programs whose
operation requires attention when the 'IT Security' settings summarized in Appendix
A.13 IT Security Detail Information are introduced.
Two types of account management are provided: common account management and individual
account management.
Individual account management: A Windows account is allocated to each user.
   Security: high. Convenience: low.
   Disadvantage: more complex than the conventional operation because Windows logoff/logon is required when the user is changed.
   Advantage: favorable because access can be controlled on a user basis.
Common account management provides high operational convenience. From the
viewpoint of security, however, it is not ideal because anonymity is high. It is recommended
that user training is conducted and that the system is configured to use individual account
management.
For account
If a common account is used, it is recommended that the group of staff with access is tightly
controlled to provide traceability in the event of an accident or similar event.
It is recommended that users' passwords are changed periodically to reduce the risk of
password cracking attacks. Passwords used by groups of users should be changed at least
when staff leave, to prevent access by ex-employees.
When the automatic logon function is used, it is recommended that no access level higher than
OPC_DATA_READ is given to the autologon account. This prevents engineering or other
functions from being accessed by non-privileged users who have access to the system.
For anonymity
The use of a common account on a permanently logged-on terminal provides little tracking
of activity. Hence it is recommended that access to the terminal be tightly controlled and
staff be strictly trained in security procedures.
Individual account management allows tight control of the privileges allocated to each
user and allows identification of the user responsible for particular activities on the system.
The downside of this is that it requires users to log on and then off whenever they change
terminal.
The account privileges should be promptly changed when the privileges of a user are
changed. (*1)
By properly maintaining the accounts, unauthorized access from invalid users or an unexpected
attack can be prevented.
*1: For example, deletion of the account of a user who resigned, change of group
when a maintenance person becomes an operator, etc.
Passwords should be set to require changing periodically to reduce the threat of cracking
attacks being successful.
When users alternate at a terminal, time is required for Windows log off/log on,
compared with common account management. Avoid having all users alternate at a single terminal,
so that emergency response is not delayed. The provision of job-specific terminals mitigates this
issue.
With individual account management, personal account management and responsibility for the
security of the account become the user's responsibility, and this needs to be stressed with
the users.
System Monitoring
Periodic monitoring of the security event log on the system is recommended. By doing this,
abnormalities in the system can be detected at an early stage, which contributes to the early
detection of an attack or the signs of one. If you find any logon failures, consult your internal network
administrator or a specialist and take prompt action.
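As an added example of the periodic check recommended above (not part of the Yokogawa guide), the following PowerShell script summarises failed logons (Security event ID 4625) on the local terminal over the last 24 hours, grouped by target account and source address, so that repeated failures stand out for review. The review threshold of five failures is an assumed value.

```powershell
# Added example (not from the Exaquantum guide): summarise failed logons recorded in
# the Security event log. Event ID 4625 ("An account failed to log on") is written on
# Windows Vista / Server 2008 and later, the versions this guide covers.
param(
    [int]$Hours = 24,
    [int]$Threshold = 5   # assumed: this many failures from one source is worth a look
)

$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

if (-not $events) { Write-Host "No failed logons since $since"; return }

# Pull the named fields out of each event's XML body rather than parsing the message text.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        TargetAccount = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Workstation   = $d.WorkstationName
        SourceAddress = $d.IpAddress
        LogonType     = $d.LogonType      # 2 interactive, 3 network, 10 remote interactive
        Status        = $d.Status         # NTSTATUS, e.g. 0xC000006D = bad user name or password
    }
}

# Count failures per (account, source) pair; the noisiest pairs are listed first.
$rows | Group-Object TargetAccount, SourceAddress | Sort-Object Count -Descending |
    ForEach-Object {
        $flag = if ($_.Count -ge $Threshold) { 'REVIEW' } else { '' }
        '{0,5}  {1,-40} {2,-18} {3}' -f $_.Count, $_.Group[0].TargetAccount, $_.Group[0].SourceAddress, $flag
    }
```

Reading the Security log requires an account with the right to do so (administrators by default); the same query can be scheduled on each terminal of a workgroup installation, where no central log exists.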
When accounts are managed as a workgroup, identical user accounts need to be created
both on the user's terminal and on the engineering terminal that holds the project database, and
the passwords of the registered accounts must be identical. If the password is changed, the
password on all terminals on which the identical accounts are registered needs to be
changed to the new common password.
When there is a large difference (more than 5 minutes at default value) between the time of
the domain controller and that of Exaquantum, the authentication function in the domain
environment does not work properly. It is therefore required to pay careful attention to the
time synchronization between the domain controller and terminals.
For details, refer to Appendix A.8 Maximum Tolerance for Computer Clock
Synchronization.
On Windows Vista, the following limitations come into effect when a user belonging to the
groups 'QTM_MAINTENANCE', 'QTM_MAINTENANCE_LCL', 'EXA_MAINTENANCE' or
'EXA_MAINTENANCE_LCL', which are associated with Administrator privilege, operates Exaquantum.
When using each tool, a confirmation dialog may be shown. When it is, click the [Continue] or [Allow]
button.
The verified security patches approved by Yokogawa should immediately be applied to the
Exaquantum system. Prompt application is required because the period between the
detection (announcement) of security vulnerability (security hole) in the OS and the attack
exploiting the vulnerability has become shorter.
When security patches and service packs are applied to the Exaquantum system, the existing
security settings (Firewall settings and local security settings) may be changed. Therefore,
after applying security patches and service packs, verify that the former security settings are
retained.
Antivirus Software
The update of the search engine or pattern files of the antivirus software can impact function
of these terminals. It is recommended that the behavior is tested with a test terminal in
advance of the update being applied.
Unverified Programs
Windows shared folders may be used to deliver Exaquantum Explorer files (PXD files) to the
clients. However, file shares provide a weak point for the spread of virus infections if not
managed carefully.
The security risk may be minimized by sharing with the minimum required access (typically
read only).
- If the Time Synchronization master uses a firewall, open UDP port 123 on the Time Synchronization
master.
1. Open Control Panel from the Start Menu and select "Date and Time".
2. Select the [Internet Time] tab in Date and Time Properties and click the [Change settings] button.
3. Check "Automatically synchronize with an Internet time server" and click the "Update Now"
button.
The Exaquantum server acquires data from various sources including the OPC gateways.
During this acquisition the data is saved and managed chronologically with the time serving
as the designated key. Exaquantum clients and those PCs using the API interface retrieve
data from the Exaquantum server with time being one of the key parameters.
Time synchronization is therefore very important for the entire Exaquantum system. Of
particular importance is the time synchronization between the Exaquantum server and the
OPC gateways as this affects the data being saved and read.
In the following sections the Exaquantum system is said to include the Exaquantum server,
Exaquantum client, OPC gateways, and PCs using the Exaquantum API.
The “Active Directory domain” is a domain established using the Active Directory database
of Windows Server 2003 or Windows Server 2008.
The “Existing network environment” indicates a network that has already been established at
the time the Exaquantum system is installed.
The “New work group environment” indicates a network in a work group environment
established with the installation of the Exaquantum system.
If the Exaquantum server is in an Active Directory domain, the first domain controller which
takes the PDC Emulator Role usually functions as the time master (time server). Because
PCs in the same domain are automatically time-synchronized, specific setup for time
synchronization is not necessary.
The time synchronization between the systems on the PCS LAN and the Exaquantum server
is critical. It is recommended therefore that the PCS and the Site Windows Domain have a
common external time source, such as GPS clock(s).
Time synchronization must be set up using the “Time synchronization in the existing
network” method if the following hold true:
If no Active Directory domain exists then time synchronization must be set up using the
“New work group environment” method.
If the Exaquantum server exists in a network with the following properties then time
synchronization must be set up according to the directives of the network administrator:
The time server is not the DC (domain controller) in the Active Directory domain.
The OPC gateways should be configured to ensure they are time synchronized at the same
time of the day. The domain administrator should ensure the time synchronization period is
correctly set.
If time synchronization is not implemented even when the above networks have been established,
set up time synchronization referring to “Time synchronization in a new work group environment”.
If the Exaquantum system is to be installed into a network with the following configuration,
the network administrator should be consulted regarding time synchronization in the
network:
The OPC gateways should be configured to ensure they are time synchronized at the same
time of the day. The domain administrator should ensure the time synchronization period is
correctly set.
Time synchronization is very important and the Exaquantum server can be used to perform
the time correction for the time server while also acting as a time server for the OPC
gateways.
If there are many OPC gateways and it is difficult to set up time synchronization between the systems,
the Exaquantum time can be used as the data collection time for data from the OPC gateways.
Note: In a domain environment it is unnecessary to use this tool, because time
synchronization is done automatically.
To install the time synchronization functionality on the OPC gateway PC perform the
following steps from either of the Time synchronization tools storage directories as listed
above:
2 When the selection of the Computer to Set Up is running, click the [Next] button to go to
the Type of Time Synchronization Setup process.
3 When the setup tool is running, select “Set Time Synchronization on the master server”
and click the [Next] button to go to the Setup of the Time Synchronization Server setup
process.
4 When the setup tool is running, click the [Set] button to initialize the time
synchronization process. On completion the time server function will be enabled on this
PC.
To install the time synchronization functionality on the Exaquantum server perform the
following steps from either of the Time synchronization tools storage directories as listed
above:
2 When the selection of the Computer to Set Up is running, click the [Next] button to go to
the Type of Time Synchronization Setup process.
3 When the setup tool is running, select “Set Time Synchronization client on the
Exaquantum Server” and click the [Next] button to go to the Setup of the Time
Synchronization Client setup process.
4 When the setup tool is running, click the [Set] button to initialize the Time
synchronization process. On completion the time client function will be enabled on this
PC.
Note: Please add port 123/UDP to "Exceptions" of the Windows Firewall of the Domain
Controller when the Windows Firewall is enabled.
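The Yokogawa setup tool above performs the master/client configuration for a work group; the following PowerShell script is an added example (not the guide's tool) that does the equivalent with the Windows Time service (w32tm), opens UDP 123 inbound on the master as the notes require, and then measures the clock offset against a reference host so that it can be compared with the 5-minute Kerberos tolerance from the Operations section. The host names TIMEMASTER and DC01 are assumptions.

```powershell
# Added example (not from the Exaquantum guide): configure Windows Time for an
# Exaquantum work-group installation and check the resulting clock offset.
param(
    [string]$TimeMaster = 'TIMEMASTER',   # assumed: the Time Synchronization master
    [string]$Reference  = 'DC01',         # assumed: host whose clock to compare against
    [switch]$IsMaster,                    # use -IsMaster when run on the time master itself
    [int]$MaxSkewSeconds = 300            # Kerberos "Maximum tolerance" default: 5 minutes
)

if ($IsMaster) {
    # The master must accept NTP requests from the Exaquantum server and OPC gateways:
    # open UDP 123 inbound in Windows Firewall (Vista / Server 2008 and later syntax).
    netsh advfirewall firewall add rule name="NTP server (UDP 123 in)" `
        dir=in action=allow protocol=UDP localport=123 | Out-Null
} else {
    # On a client (Exaquantum server or OPC gateway): take time only from the master,
    # then trigger an immediate resync instead of waiting for the next poll.
    w32tm /config /manualpeerlist:"$TimeMaster" /syncfromflags:manual /update | Out-Null
    w32tm /resync /nowait | Out-Null
}

function Get-ClockOffsetSeconds {
    param([string]$Target, [int]$Samples = 3)
    # "w32tm /stripchart /dataonly" prints one "hh:mm:ss, +00.0123456s" line per sample;
    # the signed number is this PC's offset from the target in seconds.
    $lines = w32tm /stripchart /computer:$Target /samples:$Samples /dataonly 2>$null
    $offsets = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }   # target unreachable or UDP 123 blocked
    return ($offsets | Measure-Object -Average).Average
}

$offset = Get-ClockOffsetSeconds -Target $Reference
if ($null -eq $offset) {
    Write-Warning "Could not measure the offset against $Reference (is UDP 123 open on it?)"
} elseif ([math]::Abs($offset) -gt $MaxSkewSeconds) {
    Write-Warning ("Clock differs from {0} by {1:N1}s; domain authentication fails beyond {2}s" `
        -f $Reference, $offset, $MaxSkewSeconds)
} else {
    Write-Host ("Clock offset against {0}: {1:N3}s (within the {2}s tolerance)" `
        -f $Reference, $offset, $MaxSkewSeconds)
}
```

In a domain, skip the configuration half (domain members follow the PDC Emulator automatically, as the guide notes) and run only the offset check against the domain controller.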
Time Service
Net Time
Therefore, if the Exaquantum system is using either the Time Service or the Net Time
synchronization method, then on upgrading Exaquantum to R2.20 the time synchronization
method needs to be changed to Windows Time. To change the time synchronization
method, the current method needs to be disabled and the new one installed.
Time Service:
To install the time synchronization functionality on the Exaquantum server perform the
following steps from either of the Time synchronization tools storage directories as listed above:
2 When the selection of the Computer to Set Up is running, click the [Next] button to go to
the Type of Time Synchronization Setup process.
3 When the setup tool is running, select “Set Time Synchronization client on the
Exaquantum Server” and click the [Next] button to go to the Setup of the Time
Synchronization Client setup process.
4 When the setup tool is running, complete the following setup steps on the dialog screen:
Enter the same OPC gateway computer name as the one used in the “Time Server Name”
field set during the Exaquantum installation.
Net Time:
To change to the new time synchronization system, delete the batch file containing the
following command from the “Start-up” folder. If the batch file contains any command other than the
following, first delete the other command and then delete the following command.
In the standard installation procedure this batch file is created with the name “Timesync.cmd”.
Set up time synchronization using the method described in 7.1.3 Time synchronization
in a new work group environment which is a subsection of 7.1 Setting time synchronization.
Appendix A. IT Security
Appendix A.1 External process of Exaquantum and working module list of Communication
Table A-1 External process of Exaquantum and working module list of Communication
No | Service/Runtime file name | Port Number (protocol) | Others
Exaquantum server
1 | File and printer sharing (*1) | TCP:139, UDP:137, UDP:138, TCP:445 |
2 | QOPCAEPump.exe | TCP:135 (*2), TCP:20500 to 20600 |
3 | Quantum.exe | TCP:135 (*2), TCP:20500 to 20600 |
4 | QEventHandler.exe | TCP:135 (*2), TCP:20500 to 20600 |
5 | ExaQuantumExecutive.exe | TCP:135 (*2), TCP:20500 to 20600 |
6 | QHistorian.exe | TCP:135 (*2), TCP:20500 to 20600 |
7 | QArchive.exe | TCP:135 (*2), TCP:20500 to 20600 |
8 | QOPCHDAServer.exe | TCP:135 (*2), TCP:20500 to 20600 |
9 | QOPCHAEServer.exe | TCP:135 (*2), TCP:20500 to 20600 |
Exaquantum Client
1 | Quantum.exe | TCP:135 (*2), TCP:20500 to 20600 |
*1: When file sharing uses TCP:445 only, the setting “disabling of NetBIOS over
TCP/IP” is required.
*2: In addition, the setting of DCOM dynamic port restriction is required; see Figure
Group Policy Management Editor.
Exaquantum Web Server | Exaquantum Web Server Service | Local System | Manual operation
Windows Defender is the free spyware removal tool (built-in on Windows Vista and
Windows 7) supplied by Microsoft. The Yokogawa system products do not support the
software because it has not been tested with the Yokogawa system products. Do not activate
Windows Defender.
The EFS (Encrypting File System) function is a Windows standard file cryptography function.
Do not apply the EFS function to Yokogawa system products because the management of the
encryption key on multiple terminals and the slowdown in the throughput caused by the
encryption has not been verified.
The BitLocker function introduced in Window Vista (standard functions provided with
Ultimate and Enterprise editions) to ensure HDD data tamper resistance encrypts the HDD at
the volume level. This function has not been tested with the Yokogawa system products.
While the DCOM function, the basis of OPC, used in the Yokogawa system products is a very
useful function that realizes various kinds of processing between processes through a network,
it is said to include many vulnerabilities. Security is ensured in the Yokogawa system
products by limiting the accessible users. However, please be careful about the control of the
accounts of the OPC users.
In the standard security model of Exaquantum, the scope of Windows Firewall configured
during installation has been set to [Any computer (including those on the Internet)] in order to
minimize the effect of system configuration to the operation. It is recommended to limit the
range of communication by considering the system configuration and to limit the scope at port
(program) level. Narrowing the scope will prevent access from unauthorized terminals.
2 In the [Exceptions] tab, select arbitrary setting items, and click [Edit] button.
3 In the [Edit a Program] (or [Edit a Port]) dialog, click [Change scope] button.
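Two of the settings this appendix asks for can be applied and verified without the dialogs: the DCOM dynamic port restriction that note *2 of Table A-1 requires (the range TCP 20500 to 20600 the table lists) and the narrowing of the firewall scope recommended above. The following PowerShell script is an added example, not Yokogawa's procedure; it writes the registry values under HKLM\SOFTWARE\Microsoft\Rpc\Internet that the DCOMCNFG "Default Protocols" page maintains, then adds inbound firewall rules for TCP 135 and the dynamic range limited to an assumed Exaquantum LAN of 192.168.10.0/24. The rule names are assumptions.

```powershell
# Added example (not from the Exaquantum guide): restrict RPC/DCOM dynamic ports to the
# range Table A-1 lists and allow them through Windows Firewall only from the plant LAN.
param(
    [int]$RangeStart = 20500,
    [int]$RangeEnd   = 20600,
    [string]$AllowedRemote = '192.168.10.0/24'   # assumed: Exaquantum client / gateway subnet
)

$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcDynamicPortRange {
    param([int]$Start, [int]$End)
    # The guide states Exaquantum needs 100 ports; coexisting EXA products need their
    # own ports on top of that, so refuse a range that is too narrow.
    if (($End - $Start + 1) -lt 100) {
        throw "Range $Start-$End is narrower than the 100 ports Exaquantum needs"
    }
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
    # Ports is REG_MULTI_SZ (one entry per range); the two flags make RPC hand out
    # ports from this range for incoming DCOM calls. A reboot is needed to take effect.
    New-ItemProperty -Path $rpcKey -Name Ports -PropertyType MultiString `
        -Value @("$Start-$End") -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name PortsInternetAvailable -PropertyType String `
        -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name UseInternetPorts -PropertyType String `
        -Value 'Y' -Force | Out-Null
}

function Get-RpcDynamicPortRange {
    # Returns the configured range(s), or $null when RPC still uses the OS default range.
    if (-not (Test-Path $rpcKey)) { return $null }
    (Get-ItemProperty -Path $rpcKey -Name Ports -ErrorAction SilentlyContinue).Ports
}

function Add-ScopedFirewallRule {
    param([string]$Name, [string]$Ports, [string]$RemoteIp)
    # remoteip= limits the rule to the given addresses, the same effect as [Change scope]
    # in the Windows Firewall dialog, instead of "Any computer (including the Internet)".
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        protocol=TCP localport=$Ports remoteip=$RemoteIp | Out-Null
}

Set-RpcDynamicPortRange -Start $RangeStart -End $RangeEnd
Add-ScopedFirewallRule -Name 'Exaquantum RPC endpoint mapper' -Ports '135' -RemoteIp $AllowedRemote
Add-ScopedFirewallRule -Name 'Exaquantum DCOM dynamic ports' -Ports "$RangeStart-$RangeEnd" -RemoteIp $AllowedRemote

"RPC dynamic port range now: $(Get-RpcDynamicPortRange)"
```

Run it elevated on each Exaquantum server and client; when a domain Group Policy also sets the DCOM range, the policy value wins after the next policy refresh, so keep the two consistent.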
When the workgroup configuration is adopted and the system is composed of two or more
terminals, the accounts must be managed at each terminal. When the system cooperates
with related products and security is set, an account with the same ID (and the same
password) must be prepared on every terminal where it will be used.
When domain management is adopted, a domain controller can perform unified account
management for the terminals and the accounts used in the system, because all terminals
included in the system configuration belong to the domain.
Moreover, once logon to a terminal has succeeded, the logon information that flows on the
network is suppressed as much as possible compared with workgroup management,
because the logon information is managed by the Windows domain network function.
Figure: SMB/CIFS protocol stack. File Sharing, Printer Sharing and Other Application
Programs run over SMB/CIFS, which is carried either by Direct Hosting (Windows 2000 or
later, TCP:445) or by NetBIOS, down to the NIC.
Various kinds of information about a machine on which NetBIOS is running are accessible
using NetBIOS features, which are said to provide a low level of security.
<Acquirable information>
Domain information
Account information
In order to prevent replay attacks, the time stamp is used as part of the protocol
definition in Kerberos V5. For smooth operation of the time stamp process, the clocks of
each client and the domain controller should be synchronized as often as possible.
Also, this setting is not permanent, because it returns to the default value (5 minutes) when
the domain controller is rebooted.
1 On the domain server, launch [Group Policy Management] from [Administrative Tools].
2 In the console tree, right-click [Default Domain Policy] under the current domain node
and select [Edit].
3 From the console tree in the [Group Policy Management Editor] window, select
[Computer Configuration] - [Policies] - [Windows Settings] - [Security Settings] -
[Account Policies] - [Kerberos Policy].
RPC TCP:135
When coexisting with other EXA products, the total number of ports that the other EXA
products need must also be registered. The number of ports that Exaquantum needs is 100.
DCOM uses Remote Procedure Call (RPC) dynamic port allocation. This setting controls
which ports RPC dynamically allocates for incoming communication.
1 From the Start menu, launch [Run...] and enter “dcomcnfg” to start DCOMCNFG.EXE.
5 Click the [Add] button, assign the port range “20500-20600” as the standard dynamic
port range, and select [Internet range] according to the environment of usage.
Command
<Command>
netsh firewall add portopening [protocol=]protocol [port=]port [name=]name [ [mode=]mode
[scope=]scope [addresses=]address [profile=]profile [interface=]interface ]
<Function>
Add the configuration of firewall ports.
<Detail of Parameter>
protocol - Port protocol
TCP - Transmission Control Protocol (TCP)
UDP - User Datagram Protocol (UDP)
ALL - All protocols
port - Port number
name - Port name
mode - Port mode (Omissible)
ENABLE - Allow communication via firewall (Default)
DISABLE - Do not allow communication via firewall
scope - Port scope (Omissible)
ALL - Allow all traffic through the firewall (Default)
SUBNET - Allow traffic from the local network (subnet) only
CUSTOM - Allow traffic from the specified addresses only
addresses - Custom scope address (Omissible)
profile - Configuration profile (Omissible)
CURRENT - Current profile (Default)
DOMAIN - Domain profile
STANDARD - Standard profile
ALL - All profiles
interface - Name of interface (Omissible)
pause
rem DCOM
netsh firewall add portopening tcp 135 DCOM ENABLE CUSTOM LocalSubnet
(Omitted hereinafter)
Command
<Command>
sc [Servername] Command Servicename [Optionname= Optionvalue...]
<Function>
Adds, starts, and stops Windows services.
<Detail of Parameter>
Servername
Omissible. When executing a command on a remote computer, specify the server name. In that case, two
backslashes (\\) must precede the server name (e.g. \\myserver). When executing “sc.exe” on the local
computer, do not use this parameter.
Command
Specifies the sc command. Administrator privilege on the specified computer is required for most sc commands.
The following commands are supported by Sc.exe.
Config - Changes the service configuration (the change is permanent).
Continue - Sends “Continue control request” to the service.
Control - Sends “Control” to the service.
Create - Creates the service (and add the created service to registry).
Delete - Deletes the service (from registry).
EnumDepend - Enumerates Dependence of the service.
GetDisplayName - Acquires the display name (DisplayName) of the service.
GetKeyName - Acquires the key name of the service (ServiceKeyName).
Interrogate - Sends “Interrogate control request” to the service.
Pause - Sends “Pause control request” to the service.
Qc - Inquires for the service configuration. Refer to Help of SC QC for further details.
Query - Inquires for the status of service or enumerates the status of service type. Refer to Help of SC QUERY
for further details.
Start - Starts the service.
Stop - Sends “Stop request” to the service.
Servicename
Specifies the name that was specified by the Service key of the registry. Note that this name is different from
the DisplayName. The DisplayName is the name that is shown by the “net start” command and by the [Services]
tool of the Control Panel. The ServiceKeyName is used as the main identifier of the service in Sc.exe.
Optionname
The name and value of an option command parameter are specified using the Optionname parameter and the
Optionvalue parameter. Note that there must be no blank space between the Optionname and the equal sign.
Zero or more Name/Value combinations can be specified as the parameters of an option.
Optionvalue
Specifies the Parameter value that was specified in Optionname. The range of valid value may differ depending on
the Command. Refer to Help of each Command for the list of Available Value.
rem Stop each listed service and set its startup type to Disabled (sc.exe, see the reference above)
rem Computer Browser
set s_name=Browser
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled
rem DHCP Client
set s_name=Dhcp
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled
rem DNS Client
set s_name=Dnscache
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled
rem Error Reporting Service
set s_name=ERSvc
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled
rem Help and Support
set s_name=helpsvc
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled
rem Network DDE
set s_name=NetDDE
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled
rem Network DDE DSDM
set s_name=NetDDEdsdm
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled
rem Remote Registry
set s_name=RemoteRegistry
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled
rem Secondary Logon
set s_name=seclogon
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled
rem Shell Hardware Detection
set s_name=ShellHWDetection
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled
rem Themes
set s_name=Themes
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled
rem UPnP Device Host
set s_name=upnphost
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled
rem WebClient
set s_name=WebClient
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled
rem Wireless Zero Configuration
set s_name=WZCSVC
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled
echo finish.
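The following audit script is an added example and is not part of this guide or of the Yokogawa tools; it only reads the state of the local terminal and changes nothing. It checks that the services disabled by the batch file above are stopped and set to Disabled, and that enabled inbound allow rules covering the ports this guide lists (RPC/EPMAP 135, SQL Server 1433, DCOM dynamic range 20500-20600) no longer use the [Any computer] scope that the firewall section above recommends narrowing. It assumes Windows Vista/Server 2008 or later (HNetCfg.FwPolicy2 COM interface) and PowerShell 2.0; the function names are my own.

```powershell
# Added audit example, not from the Yokogawa guide. Read-only.
# Service names and port numbers are taken from the guide; everything else is an assumption.

$ServicesToBeDisabled = @('Browser','Dhcp','Dnscache','ERSvc','helpsvc','NetDDE',
    'NetDDEdsdm','RemoteRegistry','seclogon','ShellHWDetection','Themes','upnphost',
    'WebClient','WZCSVC')
# RPC/EPMAP 135, SQL Server 1433, DCOM dynamic port range 20500-20600
$PortsOfInterest = @(135, 1433) + (20500..20600)

function Test-ServiceHardening {
    # Returns one object per listed service that is still running or not set to Disabled.
    param([string[]]$Names)
    $findings = @()
    foreach ($name in $Names) {
        # Win32_Service carries both the run state and the start mode (Auto/Manual/Disabled)
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) { continue }   # service does not exist on this Windows version
        if ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled') {
            $findings += New-Object PSObject -Property @{
                Service = $name; State = $svc.State; StartMode = $svc.StartMode }
        }
    }
    return ,$findings
}

function Test-PortOverlap {
    # True when a rule's LocalPorts string ("135", "20500-20600", "135,1433" or "*")
    # covers at least one port of interest. Keywords such as "RPC" are ignored.
    param([string]$LocalPorts, [int[]]$Ports)
    if ($LocalPorts -eq '*') { return $true }
    foreach ($part in ($LocalPorts -split ',')) {
        if ($part -match '^\s*(\d+)(?:\s*-\s*(\d+))?\s*$') {
            $lo = [int]$matches[1]
            $hi = if ($matches[2]) { [int]$matches[2] } else { $lo }
            foreach ($p in $Ports) { if ($p -ge $lo -and $p -le $hi) { return $true } }
        }
    }
    return $false
}

function Test-FirewallScope {
    # Returns enabled inbound allow rules that cover a port of interest and still accept
    # traffic from any remote address (RemoteAddresses '*' is the "Any computer" scope).
    param([int[]]$Ports)
    $findings = @()
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($rule in $policy.Rules) {
        # INetFwRule: Direction 1 = inbound, Action 1 = allow
        if (-not $rule.Enabled -or $rule.Direction -ne 1 -or $rule.Action -ne 1) { continue }
        if ($rule.RemoteAddresses -ne '*') { continue }      # scope already narrowed
        if (Test-PortOverlap -LocalPorts ([string]$rule.LocalPorts) -Ports $Ports) {
            $findings += New-Object PSObject -Property @{
                Rule = $rule.Name; Ports = $rule.LocalPorts; Program = $rule.ApplicationName }
        }
    }
    return ,$findings
}

$svcFindings = Test-ServiceHardening -Names $ServicesToBeDisabled
$fwFindings  = Test-FirewallScope -Ports $PortsOfInterest
"Services not stopped and disabled: $($svcFindings.Count)"
$svcFindings | Format-Table Service, State, StartMode -AutoSize
"Inbound allow rules on listed ports still scoped to Any computer: $($fwFindings.Count)"
$fwFindings | Format-Table Rule, Ports, Program -AutoSize
```

Run it from an elevated PowerShell prompt on each Exaquantum terminal; an empty result for both checks means the terminal matches the two hardening points above.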
1 From the Start menu, choose [Run...] and enter “mmc” to start the MMC console.
4 From the [Available Standalone snap-ins:] list, select [Security Templates], and then click
[Add] button, [Close] button, and finally click [OK] button.
User account access control can be managed through account membership of Groups named
in Access Control Lists granting access to the data or program in question.
The following table shows the group created for standard, strengthened, and legacy models
and their roles.
Table: access user groups for each security model. Columns: User Group Name or User
Object; Standard/Strengthened; Legacy (*2); Location where Group is Created; Privilege;
Description.
TypeA - For Domain User Management this is a Domain Group. For Workgroup
Management, this is a Local Group.
TypeC - This is always a Local Group but is only created when implementing Domain User
Management.
*2: The user groups or users applicable in the legacy model are shown for reference.
Caution
To enable collaboration between Exaquantum and the other coexisting packages, full access
control right is given to access control groups and accounts as follows.
[1]: QTM_DATA_READ
[2]: QTM_DATA_WRITE
[3]: QTM_EXPLORER_DESIGN
[4]: QTM_MAINTENANCE
[5]: QTM_OPC
[6]: EXA_MAINTENANCE
For each access user group, the following Local Security privileges are assigned besides
Windows standard privileges.
Log on as a service - Y Y Y
[2]: QTM_DATA_WRITE
[3]: QTM_EXPLORER_DESIGN
[4]: QTM_MAINTENANCE
[5]: QTM_OPC
[6]: EXA_MAINTENANCE
2 In Local Security Settings window, select [Local Policies] - [User Rights Assignment].
Among various local security policies displayed here, the above three access privileges are the
minimum necessary requirements for operating the Exaquantum system.
The following two user/group control methods that make use of access control on an access
user group basis are available.
Workgroup control: The system consists of Exaquantum terminals only. Register the
accounts of the users in all the terminals.
Domain control: Requires a domain server to be established besides the Exaquantum
terminals. Register the accounts of the users on the domain server. Consolidating the
users reduces human errors, which can be an advantage with respect to security.
3 For more information on access user group management, refer to Appendix A.6
Workgroup Management and Domain Management.
To cope with attacks from unknown sources, network access to a terminal is minimized.
Caution
When installing Exaquantum R2.60 or later, you can configure Windows Firewall to
comply with the Standard model by using the Security Setting Tool. If using a Personal
Firewall made by a third-party, it is the user’s responsibility to setup and operate it.
TIP: Most of the third-party Personal Firewall products have initial settings, so some of them
may conflict with the settings in the following description.
Before setting up, make sure you remove the initial settings, and ensure that unexpected
services are not started after setting up.
In the case of the Standard model, Exaquantum-related DCOM processes are set up as
exceptions so that Exaquantum functions can run without any changes in the settings. These
settings are common to all terminals. There is no restriction to the communication target.
Port exceptions:
EPMAP 135/TCP
MSSQL 1433/TCP
Table A-13 Program exceptions
Application: mmc.exe, Path: WINDOWS\system32\mmc.exe
The SQL Server service, which runs under the local System account by default, is changed to
run under a SQL Server account.
An account for the SQL Server service is created on the Exaquantum server for the standard
model. All of the above-mentioned SQL Server services are changed to the SQL Server account
on the Exaquantum server.
Caution
Manually set SQL Server services other than the target services (SQL Server, SQL Server
agent) not to start.
For further Setting details, please contact your local Yokogawa representative.
This section provides an introduction to the Windows security functions that run in the IT
environment and are applicable to the Exaquantum. When implementing these security
functions, consider their suitability for use with Exaquantum.
Table A-16 Relationship between IT Environment Setting items and Security models
Setting items: Standard model / Strengthened model
Restriction on AutoRun: Y / Y
This operation prevents an illegal program from being launched automatically from a medium
such as a CD-ROM inserted into a drive. This is an effective measure especially for countering
virus infections (USB worms) of a computer by means of USB flash memory.
Restriction
Standard Model: Disable autorun on specified drives (removable drive, network drive, unknown
type drive)
Strengthened Model
Setting method
2 Install Microsoft .NET Framework 3.5 Service Pack 1. (If already installed, go to step 3).
To install, double click the following file on the Exaquantum DVD :
<Exaquantum DVD>\Misc\dotnetfx35.exe
If you want to enable the autorun, double click the following file.
<Exaquantum installation folder>\Exaopc\PKGCOM\tool\PMCEnableAutoRun.reg
Notes
Even if the Exaquantum installation DVD is inserted, the installation menu will not start
if autorun is disabled for CD-ROM drives (in the case of the Strengthened Model).
In a domain environment, the autorun setting may be overwritten by the domain controller
policy. If it is overwritten, change the domain controller setting manually.
Writing to USB storage devices may be disabled globally by using the StorageDevicePolicies
setting in Windows, thus stopping a user from copying off Exaquantum data. It is possible to
restore the write privilege temporarily by using the StorageDeviceCTL tool.
This setting disables USB disk usage. For system maintenance, an engineer who needs to
enable a USB device temporarily can use the StorageDeviceCTL tool, which is provided for
this purpose.
Note 2. For Windows 7, Windows Server 2008 and Windows Server 2008 R2, after executing
StorageDeviceCTL, the “Portable Device Enumerator Service” service needs to be restarted.
This is to enable the new settings to take effect.
Note 4. For Windows Server 2008 R2, as the Portable Device Enumerator Service may not be
active, an OS restart may be required for the settings to take effect.
Caution
If you use a USB removable HDD as an Auto Archiving destination folder, and change the
removable media to read only using StorageDevicePolicies, the next archive operation will
fail. You need to change your configuration, for example set the archive folder to an internal
HDD.
Setting StorageDevicePolicies
<Exaquantum Installation
folder>\Exaopc\PKGCOM\tool\PMCEnableStorageDevicePolicies.reg
3. Restart Windows.
<Exaquantum Installation
folder>\Exaopc\PKGCOM\tool\PMCDisableStorageDevicePolicies.reg
After executing this tool, writing to USB memory connected to the PC is possible.
If this tool is executed on a PC where Storage Device Policies have not been set, it sets the
Storage Device Policies automatically and the storage device becomes read-only.
C:\Program Files\YOKOGAWA\IA\iPCS\Products\SECURITY\PROGRAM\
Yokogawa.IA.iPCS.Platform.Security.StorageDeviceCTL.exe
Note: To remove USB memory, right-click the "Safely Remove Hardware and Eject
Media" icon and select "Safely Remove Hardware and Eject Media".
Setting method
Modify the Local Security Policy setting as follows:
1. Open Local Security Policy from control panel - Administrative Tools.
2. Select [Security Settings] - [Local Policies] - [Security Options] in the left hand panel.
3. Double click [Interactive logon: Do not display last user name Properties]
4. Select [Enable] and click [Apply] button
Note
You must enter a user name on every logon attempt if you apply this security measure.
Setting method
1. Log on as a user with Administrator privilege.
2. Install Microsoft .NET Framework 3.5 Service Pack 1. (If already installed, go to step 3). To
install, double click the following file on the Exaquantum DVD :
<Exaquantum DVD>\Misc\dotnetfx35.exe
3. Double click on the following file:
(Standard Model or Strengthened Model)
<Exaquantum installation folder>\Exaopc\PKGCOM\tool\PMCDisablingUSBStorageDevice.exe.
4. Reboot the PC.
If you want to enable the USB Storage Devices, double click the following file.
<Exaquantum installation folder>\Exaopc\PKGCOM\tool\PMCEnablingUSBStorageDevice.exe.
Note
If this function is applied to Windows Server 2008 R2, you cannot use StorageDeviceCTL to temporarily
cancel the effect of disabling USB storage devices. To cancel, you need to double click the
"PMCEnablingUSBStorageDevice.reg". (Refer to the Setting method)
Note that, to prevent data from being taken out on removable storage media without using this function, you
need to take security measures such as putting covers on the USB ports.
The Web server might be installed in Exaquantum. It is necessary to pay close attention to
security when connecting the Web server to the Internet or Intranet.
Do not enable components such as FTP, NNTP, and SMTP or any other unused service.
For further installation details, refer to Chapter 8 Installing IIS in the Exaquantum Installation
Guide (IM36J04A13-01E).
1 Choose “Roles” from [Administrative Tools] – [Service Manager] in the [Start] menu.
Roles
Roles Services
Web Server
Static Content
Default Document
Directory Browsing
HTTP Errors
HTTP Redirection
Application Development
ASP .NET
.NET Extensibility
ASP
ISAPI Extensions
ISAPI Filters
HTTP Logging
Logging Tools
Request Monitor
Tracing
Security
Basic Authentication
Windows Authentication
Digest Authentication
URL Authorization
Request Filtering
Performance
Management Tools
The dynamic content function and extension with an IIS server are achieved by using Web
service extensions.
The IIS 6.0 extended security function enables or disables individual Web service extensions
separately. An IIS server after being newly installed transmits only static contents. To enable
the dynamic content function, the user can use the Web Service Extensions node of IIS
Manager. These extensions include ASP.NET, SSI, WebDAV, FrontPage Server, and others.
Disable unnecessary Web service extensions to reduce the risk of attack to the IIS server.
1 Choose the [Internet Information Service (IIS) Manager] menu from [Administrative
Tools] in the [Start] menu.
Web Service Extensions: Extension / Allowed or Prohibited / Required Condition
A log can be created for each Web site and application separately. An IIS log includes
information about who accessed a site, what was referenced, when the information was most
recently referenced, and so on. The IIS log allows the administrator to evaluate the frequency
of content access and to identify bottlenecks. The log can also be used as a resource to
investigate attacks on the site.
If using the [IIS Manager] MMC snap-in, the user can configure a log file format, log
schedule, and information to be recorded in the log. To restrict the size of a log, it is necessary
to carefully set up which fields to be recorded in the log. To configure an IIS log, select the
Web site properties from the “Internet Information Service (IIS) Manager” window.
■ Preparation
When you set [Auto logon setting] including HIS type SSO, follow the procedures below.
(2) Log on with the same account that was used for the CENTUM VP security setting.
If the account that was used for the security setting is used for the HIS reboot, reset the
HIS start setting and restart the PC.
Execute Section 2.1 [IT Security Setting preparation] from an administrator account belonging to the
[CTM_MAINTENANCE] group.
♦ Execute Section 2.23 User Group Generation before Installation from an administrator
account belonging to the [CTM_MAINTENANCE] group.
● Legacy model:
Exaquantum R2.70 client installation is not supported on CENTUM CS 3000. When installing the Exaquantum
client on CENTUM CS 3000, please install the Exaquantum R2.60 client.
For details about the Exaquantum R2.60 client installation procedure, please refer to the
following file on the Exaquantum DVD.
<DVD>\Client\Support\ReadmeEn.txt
Execute the Web client installation in the same way as Section 4.5 Exaquantum/PIMS Server Installation or
4.7 Exaquantum Client Installation from the account for IT Security Setting.
In the case of HIS type SSO, from a security point of view, do not grant OFFUSER the
authorization to access Exaquantum.
Consequently, the Exaquantum applications cannot be called from the start menu in the auto
logon environment. To call Exaquantum applications, the following preparation is necessary.
For user accounts defined when Exaquantum is installed, execute the following setting. Refer to CENTUM
VP Instruction manual.
Assign each APC tool to the function key from [Run] in the preset menu, if necessary.
The acquiring method of the tool path name registered in the start menu is as follows.
(2) Right-click the Exaquantum tool name which exists in the start menu, and select property.
The correspondence between the APC tools in the start menu and their path names is as follows.
Menu / Path
Note 1) When the Windows system drive is not C drive, modify the drive name.
From the function key assign of CENTUM builder, select the function, following to the
From HIS setting window, select [Preset Settings], following to the procedures in
2. Insert the Exaquantum DVD media into the Domain Controller PC.
"!Please Reboot!"
The following domain groups are also added by the batch file:
• QTM_DATA_READ
• QTM_DATA_WRITE
• QTM_EXPLORER_DESIGN
• QTM_MAINTENANCE
• EXA_MAINTENANCE
• QTM_OPC