Plantweb Insight Technical Notes and Tips Tuesday, November 17,2020 9:30PM Rescuing a VM ‘There are two mechanisms in general available for backing up and restoring Virtual Machine to a previous state: 1. Snapshot 2. Cloning Both the operations can be performed within minutes without shutting down the system ~ but requires admin privileges on the ESXi or Vmware Snapshots ae convenient as short term backups, very useful during test and development. \VMwate supports upto 32 restore points Its generally not recommended to keep as 2 long term backup as the disk size bloats with time and the number of restore points Cloning is just 2 copy of a VM and isthe best option if someone wants to keep a historical restore point for longer period. ‘Atypical use case when performing upgrades: 1. Create a snapshot or clone ofthe current state, 2. Attempt to perform the upgrade. 3._ Ifthe upgrade falls for any reason one can restore the previous state created in step #2. LDAP Configuration ‘Users should connect over port 636 which is standard secure port. This also means their AD server should allow fora secure connection *+Itis recommended to use an IP address rather than a FODN for LOAP Syncing the Time Source Between GW and PWI ‘The main one to checks the gateway. Ideally its connected to an NTP server as shown below. Here is where itis (On Plantweb Insight, you need to ensure that the VM has the Time synchronization enabled to the YM. Itis diferent for VMware and Hyper-V but they are both capable of being configured for the LVM. There is no place in Plantweb Insight that tells you itis time sync’d though. That may be something that we need to add for clarity Hyper-V Installation on Windows ServerBy default there are no DHCP servers on Hyper-V virtual switches on Windows Server. More recent versions of Windows 10 do have a "Default" virtual switch which is configured for NAT and therefore provides a DHCP server to the VM. 50, depending on the person installing the system and their ability to modify the Hyper-V server configuration it can be fairly straightforward or much more difficult. The easiest way to configure the Hyper-V Server system isto create an “internal” Virtual Switch, That “internal” virtua switch must be connected to the "Secondary" network interface on the Plantweb insight VM. If they don’t have it, you should send them the 2.1.0 Hyper-V VM. On th: the network interfaces on Plantweb insight are setup very specifically to “Primary” and “Secondary” interfaces soit will be obvious With that switch, the Hyper-V host and the VM will be ‘on the same network and you have a chance to configure the VM IP's etc. Once the “Internal” Switch is setup, they need to configure the Virtual Network Interface that is assocrated with that Switch to be on the 192.168.254x subnet. | would suggest an IP lke 192.168.254.9 since the \VM's default is 192.168.254,20. Once the Network interface is configured, they can then launch the Web browser at hitps://192.168.254.10/ and they should be connected to Plantwed Insight. Then they can configure the primary port etc. to be what they want, PWI Deployment on ESXi managed by Vsphere (One of two ways we can go: 1. Assuming this person is familiar with VSphere and ESXI, we could suggest the following. steps: 2. PWIsystem has secondary ethernet set to a known static ln: 192.168.254.10/24. . The main idea is to connect a browser from another virtual machine running on the same ESXi host to pus secondary ethernet port. Todo this one has to create a new virtual switch within the ESXi hast and connect, W's secondary port and the virtual machine running the browser to this virtual switeh, The VM running the browser must be configured to be In the same network as secondary ethemet port. Eg: 192.168,.254.15/24 a, Then they can log into the pwi server via the secondary IP and setup primary ethernet IP as desired, 2. The ather way i to install the VM frst on a VMware workstation ~ setup the static IP addresses as required and then export it from Workstation and import it into ESXi We can help here if you could get their static IP configuration, Not very convenient - but doable. 1e Pwi's Backup from v1.6 to v2.0 / v2.1 Before restoring backup + Make sure that data sources are all reachable in the network © Example- PWI 1.6 (backup using data gateway A)if this is going to be restored in 2.0 oF 2.1, gateway A should be available on the network. Otherwise they will need to wait 12 hours. Devices will show the last status of the assets before backup was taken. BMA will take 12 hours to update statuses if gateway gets connected after backup (other apps will take about § minutes) Device Configuration for PW! ‘The configuration mentioned inthe manual sto provide Plantweb Insight and all the possible applications with the best information possible for success. It allows the gateway to best manage the device and efiientiy publish the data to Pantweb insight. ‘The "Emerson Optimized burst configuration” is defined for most of the Emerson devices. It basically packs most of the important information into one command or if it is a more complex device into the frst burst message. This saves power. ‘The other two cases are for devices that don't support “Emerson Optimized burst configuration” or ifthe device is connected via an Adapter (775), Command 3 and 48 case is only used for wired devices that are not HART 6 or 7 devices. All wireless devices are HART 7 and therefore must support command 9 and 48 So depending on what device or scenario someone is asking about, the answer may be slighty different TLS Compatibility ‘The PWI system is configured to support TLS 1.2 and above — which includes TLS 1.3,Example screen shot for 2 Chrome browser connection shows TLS 1.3 under ‘Connection’. Ignore ‘the certificate warning as | haven't setup the certificate property Security overview a This page ie not secure (broken HTTPS). A Confinte mizang nies emicong avald, turtes conticate (et -CERT AUTHORITY JNVALID) View certificate Connection = secure connection stings iis enenpted and authenticated uscg TLS 13, ail serves soeurely Al eexpurees on tis page ae served securely PWI Code Languages WI uses ciferent programming such nodefs, react, angular), golang and python Install Files For demos on VMware you should grab the app_srv0-1.6.18....0va. That is the one for 25, gateways. The one with the _xis for 100 gateways. Modbus Mapping “Modbus Support — Here's the lst of the Application and Modbus Support *Please do note that the Modbus will not generate a mapping file when those Apps that supports ‘toes not eontain any configuration Application Name |Support | 1D NMA No Support ‘MA No Support | wee No Support | Pump Supported |1 He Supported 3 ACHE ‘Supported 4 PV Supported |§ o Supported 6 STA Supported | 99 Installing a VM on a VM ‘Need a machine that ean run nested VMs Delta-V Installs For the DeltaV question, Insight should be installed on the same layer as the ProPlus and any App Stations. Essentially, on the DeltaV network and not on the plant network| think the machine it resides on should be an official DeltaV approved server with 2 nies on the primary and secondary highway. Those ip addresses | assume would come from the deltaV commissioner. Greg Wentzel [My understanding is thatthe IP address for Plantweb insight has to be allocated from the Delta ACN address space soit can communicate with the WIOC{s) and/or gateways that are ‘commissioned on the network, am not familiar with how the “allocation” works but l understand that there con be some addresses set aside for other address assignment outside ofthe Delta ‘commissioning process. That address becomes a static IP address in Plantweb Insight network configuration. -ric Rotvold (On Windows 10 {at least) the Primary NIC should be connected to the Default VSwitch and the Secondary NIC should be “Not Connected”. A user can connect the Secondary NIC toa VSwitch as needed, For a Hyper-V setup we should enable / provide instructions to setup the NICs a follows: a. Attach the primary NIC to Default Switch. As you mentioned It appears Default Switch has some sort of dhep function b. Secondary NIC must be present but left unconnected. This interface must be bridged out necessary for rescue purposes. Set HART UDP Port from 5094 to 20004: Gateway can be seen in Delta Explorer Network Interface Controllers PW v2.0 has 3 NICS The third network connection is not shown inthe UI so the user does not have any knowledge of, Also for clarity the third i a virtual NIC which means it shares the NIC for eth0 or NIC #1 Server Plantweb insight is provided as a Virtual Machine (VM) that runs the Wed Server. So once the VM 'srunning, the web browser simply connects to the IP address of the VM/Web Server and they have access to the platform. It can't be installed on just any server. t needs to be installed on a VMware ESXi server or VMware Workstation or Windows Hyper-V server (Windows Server 2016, 2019, Windows 10, ... Plantweb insight server dawn to Gateway is one port (port S094), OPC UA There are different versions ofthe OPC UA specifications. In general that means that overtime they have added new features and specification clarifications over the years. In general most OPC UA clients and server interact with each other no matter the specification version. There are tests that can be run against the servers and clients to verify compatiblity with various features of the specification. The server and client in Plantweb Insight both originate from tested/verified ibraries With OPC DA (the old OPC standard) there were version differences that were structural such that the client had to be aware of which type of server it was connecting to. Security ‘+The VM is running Ubuntu 16.04 as the 05 ‘© We don't put any antivirus on the VM, and we don't expect that we need them — we have rot seen the need for it. We have set up a strict frewall that protects the VM ‘that only allows access to certain ports (web interface and communication to gateways) ‘+ We have done penetration testing on the VM both internally and externally and have had good feedback from a security standpoint so far Data Storage and Gateway Disconnection There is currentiy no store-and-forward mechanism in Plantweb Insight. Plantweb Insight uses 9 publish-subscribe interface with the gateway. Ifthe connection is broken, Plantweb Insight wl try 10 re-establish the connection periodically. During that time-period data from the gateway and its devices is lost. This part will nt be fixed. The gateway does not have a store-and-forward feature 0 any time the connection to a gateway is lost, Plantweb Insight wil also lose that dataPRD App Latency Plantweb insight is receiving the published data from the device(s) at whatever rate they are publishing. It then uses that data as Marcio mentions and fiters atleast 4 of those data points to determine a state. The computations are not running continuously but are run every minute, When they run, they cycle throueh all the data collected over that period and determine state transitions that happen during that time, The problem 3 customer will hve with say Modbus or OPCs that they won't necessarily see all ‘the state transitions because there could be more than one over the calculation period. Those servers will ony see the final state. ‘The better way to interact with PRV is through the Alert REST API's where they can get all the state transitions. si PI (051 Pl supports many interfaces: Modbus, OPC DA, OPC UA and their own interfaces. We have had discussions an building an OS! Pi native output for the Connectivity Solution but its ina future release (maybe on the runway). We could move it up for implementation by this fall There are multiple customers that have asked for a native interface. PW would use OME (OSI Message Format) interface via the Pl Web API OME endpoint.