Setting up Trust Authentication for PI AF in Bentley APM

 

There are multiple ways you can setup PI Trust.  APM supports the following:

• Trust for domain accounts
• Trust for IP address

 

From APM there are two points of connection both of which are read-only

1. Browsing tags from the Smart Client. In this case PI software must be installed for the user to browse tags and map them to an Indicator in APM. Trust authentication could be configured based their domain account.
2. OnPrem Agent pulling readings from PI. Again, can use a domain account to run the Agent Service, or given that it is a fixed machine, the IP address may be a suitable choice for the trust authentication.

 

Setting Up Bentley Plugin:

Requirements on any machine to connect to PI Server:

• Install PI SDK
• Move PI Trust to the top of the protocol order:

 

• In APM, clear the account fields within the Bentley PI data Source:

 

Setting up Trusts on the PI Server:

• Configure required Trust Properties for OnPrem Server Machine IP and for specific users if using trust for domain account for end user browsing tags

Trouble Shooting:

PI SDK Utility will log when connections are successful and when they refused so you can look at that log.

It logs process name and user and IP

 

eg: At 2:19 I connected in order to browse tags.

At 2:22 I tried to connect to pull a reading and you will notice that the message mentions IvaraServer rather than IvaraClient. This failed because the only trust setup on our system was for domain accounts rather and IvaraServer was configured to run as the Local System account.

At 2:31 I successfully pulled a reading as I added the IP address to the trusts.

 

 Other Notes: 

If OnPrem machine is on a DMZ Network, it gets complicated; cannot configure a domain user to run the service.  Recommend using IP authentication