Apis Hive DCOM Configuration
Apis utilises DCOM technology, and is subject to DCOM security considerations in general. Using DCOM security, you can customise who is allowed to access Apis for configuration and data retrieval.
Default settings
When installing Apis for the first time on a computer, the following DCOM settings are applied:
- The Apis Hive application is registered to run as a Windows NT service, running with the security context of the built-in "System" account.
- The access rights for the Apis Hive application are set to allow everyone access, i.e. very poor access control.
If you're not comfortable with these settings, you should read the rest of this topic to change them.
NOTE: If you're upgrading or re-installing Apis on a computer, the previously used settings are preserved.
Setting the security context for Apis Hive
Apis Hive must run in a security context with Administrator privileges. Depending on whether Apis Hive is configured to run as a service or as a DCOM server, there are several options. Launch the Windows Distributed COM Configuration Properties application, DCOMCNFG.EXE, located in the Windows system directory.
Selecting the user account to use to run Apis Hive
From the applications tab in the DCOMCNFG window, locate and select Apis Hive from the list of applications. Click the "Properties" button, then select the "Identity" tab.
- If Apis Hive is registered to run as a DCOM server, select a user account with administrator privileges on the local machine.
- If Apis Hive is registered to run as a service, the lower checkbox named "The system account" will be enabled as well, and should be selected. Note: In some cases, when Apis Hive or its modules communicate with other applications using network services, Apis Hive may need to run under a dedicated user account instead, due to restrictions on network usage by services.
Important! The user account that Apis Hive is configured to run under must have the user rights "Log on as batch job" and "Log on as service" enabled.
Enabling remote access and configuration of Apis Hive
To enable remote configuration of or access to Apis, select the "Default Properties" tab in the DCOMCNFG window. Make sure that "Enable Distributed COM on this computer" and "Enable COM internet services on this computer" are checked. Also, set "Default Authentication Level" to "Connect" and "Default Impersonation Level" to "Identify".
Granting access and launch permissions
The last step is to grant access and launch permissions to different users of Apis Hive. Select the "Security" tab from Apis Hive's properties. To customise the access and launch permissions of Apis Hive, select "Use custom access permissions" and "Use custom launch permissions", and press the "Edit" buttons to modify them.
You should always grant access and launch rights to the "Administrators" group and the "System" account. If Apis Hive is accessed through Internet Information Server, for instance, you must enable access permission for the user configured in Internet Information Server, particularly when used together with Apis Process Explorer, Apis Jar, or the Apis OLEDB Providers. This user is by default IUSR_ComputerName, where ComputerName is the name of the computer running Internet Information Server. Further, if remote access and configuration are to be allowed, you must also grant the "Network" account access to Apis Hive.
Other Apis executables, such as the Apis historian services, Apis Honeystore and Apis OPCHDA, also need the same security configuration. So, instead of configuring each application individually, you can set each of them to use the default access, launch and configuration permissions, and then configure the default security in the "Distributed COM Configuration Properties" page. Make sure the Apis account and web server account have full access for all three types of permissions.
Note that in systems with other DCOM servers, this might compromise security policies for those servers.
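To review the result of the steps above, including the "everyone" default and any machine-wide defaults shared with other DCOM servers, the following read-only PowerShell audit lists the relevant registry settings. It is an added example, not part of the Apis documentation. It assumes the AppID display name contains "Apis Hive" as shown in DCOMCNFG (the `$NamePattern` variable and the `Get-ComAce` helper are illustrative names).

```powershell
# Added example: read-only audit of the DCOM settings this page configures in DCOMCNFG.
# Assumption: the AppID display name contains "Apis Hive" (adjust $NamePattern if not).
$NamePattern = 'Apis Hive'
$Broad = 'S-1-1-0', 'S-1-5-7'          # Everyone, Anonymous Logon

function Get-ComAce {
    # Decode a binary COM security descriptor into one row per ACE.
    param([string]$Scope, [string]$Kind, [byte[]]$Bytes)
    if (-not $Bytes) {
        return [pscustomobject]@{ Scope = $Scope; Permission = $Kind; Type = 'not set'
                                  Account = '(falls back to default)'; Mask = $null; Broad = $false }
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }    # unresolvable SID, e.g. a deleted account
        [pscustomobject]@{
            Scope = $Scope; Permission = $Kind; Type = $ace.AceType; Account = $name
            Mask  = '0x{0:X}' -f $ace.AccessMask   # COM_RIGHTS_* bits; 0x4 and 0x10 are the remote ones
            Broad = ($ace.AceType -eq 'AccessAllowed' -and $Broad -contains $sid.Value)
        }
    }
}

# Machine-wide values behind the "Default Properties" tab (blank = value not set).
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
[pscustomobject]@{
    EnableDCOM          = $ole.EnableDCOM                 # 'Y' = Distributed COM enabled
    AuthenticationLevel = $ole.LegacyAuthenticationLevel  # 2 = Connect
    ImpersonationLevel  = $ole.LegacyImpersonationLevel   # 2 = Identify
} | Format-List

# Default ACLs apply to every DCOM server on the machine that has no custom permissions.
$rows  = @(Get-ComAce 'Machine default' 'Access' $ole.DefaultAccessPermission)
$rows += @(Get-ComAce 'Machine default' 'Launch' $ole.DefaultLaunchPermission)

# Per-application identity and custom permissions ("Identity" and "Security" tabs).
$apps = Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' |
    Where-Object { $_.PSChildName -like '{*}' -and "$($_.GetValue(''))" -like "*$NamePattern*" }
foreach ($app in $apps) {
    $scope = '{0} {1}' -f $app.GetValue(''), $app.PSChildName
    "{0}: RunAs='{1}' LocalService='{2}'" -f $scope, $app.GetValue('RunAs'), $app.GetValue('LocalService')
    $rows += @(Get-ComAce $scope 'Access' $app.GetValue('AccessPermission'))
    $rows += @(Get-ComAce $scope 'Launch' $app.GetValue('LaunchPermission'))
}
$rows | Format-Table -AutoSize
```

Rows with `Broad` set to True are allow entries for Everyone or Anonymous Logon; a "not set" row on the application means the machine-wide default ACL is what actually governs it.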