DCOM hardening caused ODC DA connections to break


 Product(s): APM Implementation and Performance Management
 Version(s): 7
 Environment: N/A
 Area: N/A
 Subarea: N/A

Problem Description

An APM user reported that the ODC DA service had stopped returning data. They were migrating their OPC compliant data source to a new location and found that they could no longer establish a connection with the APM ODC service. The user had continued using the same DNS name and the existing installed APM ODC service. Upon investigation, we found that the likely reason is that Windows has recently made hardened DCOM authentication mandatory (https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c).

Originally we used basic authentication for our OPC DA plugin, but this is no longer usable: the hardened DCOM authentication requirement means OPC services must use an authentication level of at least "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY" in order to communicate with external OPC compliant data sources via DCOM.
Here's a sample of the errors returned in the APM Logs:
2022-10-25 09:00:53.2625Z Error NL01W9AS042 SISAD\SA_APM2 Ivara.ServiceProvider.ODC.OPCDAPlugin.OPCDAPlugin [82] OPC Server read error : Code: -1073479672-E_INVALID_ITEM_NAME for Tag: VIR-1902SZF
2022-10-25 09:00:57.1054Z Error NL01W9AS042 SISAD\SA_APM2 Ivara.ServiceProvider.ODC.OPCDAPlugin.OPCDAPlugin [82] ODCPluginOPCDA - failed to get status from agent plugin. Exception: EXCEPTION OCCURRED:NullReferenceException Object reference not set to an instance of an object. at OPCDA.NET.OpcServer.GetStatus(SrvStatus2& serverStatus) at Ivara.ServiceProvider.ODC.OPCDAPlugin.OpcDaAgent.get_DataSourceInfo() at Ivara.ServiceProvider.ODC.OPCDAPlugin.OPCDAPlugin.GetPluginStatus()

Solution

The following instructions are used to enable APM ODC connections with OPC compliant data sources in an environment where the DCOM authentication level has been raised to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY per Microsoft's DCOM server security requirements update:

https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

These settings need to match between the data source server(s) and all APM service servers that communicate with them, such as the APM ODC service(s) and APM Smart-Client (application) services. This will be required for all APM users using the OPC DA and OPC HDA plugins.

  1. Ensure that DCOM security is set up properly on the OPC server and on the APM server (the 'client' that is talking to the OPC server). Machines running an APM Thick Client to browse OPC will also need these security and registry settings. Note - this isn't directly related to the current DCOM hardening issue but is a prerequisite to having OPC communications work properly.

               From Windows, run dcomcnfg.exe

               Select My Computer, right-click and select Properties

               Examine the 'Default Properties' page:

               Make sure "Enable Distributed COM on this computer" is enabled

               Default Authentication Level is "Connect"

               Default Impersonation Level is "Identify"

                Examine the 'COM Security' page

                Edit Limits for 'Access' and for 'Launch and Activation'

                Ensure that the appropriate users or groups have remote access, launch, and activation permissions.

Note - the account that runs the IvaraServer services, as well as the interactive users that browse OPC tags, need to have these permissions. For this you need to know how the APM ODC service and the APM Smart-Client services are installed: Local Service, Local System, Network (a network user name) or Network Service, and use the appropriate credentials if a network user is used.


2. Registry settings to control DCOM hardening and launch authentication

On both the OPC server and the APM Server (and Thick Client OPC browsing machines), ensure the following values are set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

"RequireIntegrityActivationAuthenticationLevel"=dword:00000001

"RaiseActivationAuthenticationLevel"=dword:00000002

 (or see screenshot below for reference)


 All servers must be rebooted after these changes.

If there are any issues connecting to OPC from APM, check the Event Viewer (Windows Logs - System) on OPC server and APM server.
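As an added example (not part of this article or the APM product), the following PowerShell audits the two AppCompat values above on the machine it runs on, applies them when asked, and pulls the DCOM authentication-level events from the System log that the Event Viewer check refers to. It assumes an elevated session on each OPC server, APM server and thick-client machine, and that the relevant events are IDs 10036-10038 from the Microsoft-Windows-DistributedCOM provider as documented in KB5004442.

```powershell
# Added example, not from the original article: audit/apply the KB5004442
# DCOM hardening values listed above and surface mismatch events.
# Assumes: elevated PowerShell; event IDs 10036-10038 and the provider name
# are those documented by Microsoft in KB5004442.

$AppCompatKey = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$Required = @{
    # Server side: refuse activations below Packet Integrity
    RequireIntegrityActivationAuthenticationLevel = 1
    # Client side: raise activation calls to Packet Integrity for all apps
    RaiseActivationAuthenticationLevel            = 2
}

function Test-DcomHardening {
    [CmdletBinding()]
    param([switch]$Apply)   # without -Apply the function only reports

    if (-not (Test-Path $AppCompatKey)) {
        if ($Apply) { New-Item -Path $AppCompatKey -Force | Out-Null }
        else        { Write-Warning "$AppCompatKey does not exist" }
    }
    foreach ($name in $Required.Keys) {
        $current = (Get-ItemProperty -Path $AppCompatKey -Name $name `
                    -ErrorAction SilentlyContinue).$name
        $ok = ($current -eq $Required[$name])
        if (-not $ok -and $Apply) {
            Set-ItemProperty -Path $AppCompatKey -Name $name `
                -Value $Required[$name] -Type DWord
            $current = $Required[$name]; $ok = $true
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Value = $name
            Current  = $current; Expected = $Required[$name]; Compliant = $ok
        }
    }
}

function Get-DcomAuthLevelEvents {
    param([int]$Hours = 24)
    # 10036: server rejected an activation below its policy level
    # 10037/10038: client-side notices for explicit/default auth levels
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Test-DcomHardening       | Format-Table -AutoSize
Get-DcomAuthLevelEvents  | Format-Table -AutoSize -Wrap
```

Compare the Compliant column across the OPC server and every APM machine; a 10036 event on the OPC server naming the APM service account is the typical sign that the client side has not yet been raised (or rebooted).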

See also

SR 7001492237