OSIsoft: Create PI Coresight SQL Database/Configure PI Coresight through the Admin Page [v3.0.0.4]

OSIsoft: Create PI Coresight SQL Database/Configure PI Coresight through the Admin Page  [v3.0.0.4]

In the previous video we installed PI Coresight 2016 and in this video we’ll create the PI Coresight SQL Database and configure PI Coresight through the admin page. So the last thing we did in addition to checking the permissions of our PI Coresight service account was to change the application pools for PI Coresight to run under that service account. So back here in IIS Manager, you can see that our PI Coresight app pools are running under pischoolsvc-pi-coresight; We also confirmed under services that the PI Web API and PI Web API crawler are both also running under that same domain service account, svc-pi-coresight and they are both running currently. At this point before we jump to the PI Coresight admin page, there are a couple of things that we want to check first. The first thing is to make sure that we have the PI Data Archive and AF Servers that we want to connect to listed in our default table. To do this, I’m going to open up PI System Explorer And under file, connections, I’m going to confirm that I have the correct Data Archive that I’m going to be connected to listed here as well as the correct AF Server. And I can confirm that here. And I can make sure that we can connect. So I’m able to connect to both of these and I’ll also want to make sure to check the SQL permissions before I attempt to create the SQL Database automatically. To check this, I’m going to need to use SQL Server Management Studio and I’m actually going to navigate to the machine where the SQL Server is. OK, so this is the SQL Server. And the SQL Server’s name is here. So make sure to note down what your SQL Server’s name is. And you might have something that ends with SQL Express and it’s the full name here. I’m going to connect to the SQL Server instance and one thing I need to do is make sure that on this SQL Server that ensure allow triggers to fire others in set to true. To check this I’m going to go to the instance, right click and go to properties. And here under advanced and I can confirm that allow triggers to fire others is set to true. So that looks good. Additionally for the user that I’m going to open the PI Coresight admin page as to be able to use that to create the PI Coresight SQL database. That user must have specific permissions on the SQL Server. So I’m going to do that with my account. So I’m going to check the SQL permission for my account right now. So this is my account and under right click properties and then server roles. I want to confirm that I have the DB creator server role. I will also need alter any login permission which I do have if I have the security admin server role already which I do. So those two are the minimum requirements and I can see that I meet those minimum requirements. And so I’ve checked out everything that I need to do on the SQL Server. So I’m ready to navigate back to the machine where I installed PI Coresight. OK, so I’m back here on the PI Coresight Server. And there are a couple of user groups that got created when we installed PI Coresight. And these control who has access to the PI Coresight administration page. And I’ll need to make sure that I’m going to have access for that. So I’m going to look at the local users and groups here OK, I can see that the PI Coresight admins, PI Coresight user and PI Web API admins groups were all created when I installed PI Coresight. For me to be able to access the PI Coresight admin page, I’ll need to be in the PI Coresight admins group. And for me to configure the Data Archive and AF Servers on the admin page, I’ll also need to be a part of the PI Web API admins groups. And then any users that need to be able to use PI Coresight to create displays and see data, will need to be part of the PI Coresight users group. So let’s take a look at what’s in those groups by default. So I ran the PI Coresight installation kit under this user, My User, cmetzinger. You can see this is automatically added to the PI Coresight admins and PI Web API admins. If you want, you can modify this. For example maybe I want to add our PI Administrator’s domain group so that all of our PI Administrators will also be Coresight Administrators. So I can do that for PI Coresight admins and PI Web API admins if I want. And if I’m already a member of that group, I can clean that up. And again this is just an example. Customize these groups in a way that matches your organization’s structure. And for PI Coresight users, you can see that authenticated users are here by default. I can also modify this if we went. For example I’m going to add and change this to be the all employees domain group instead. Again the key here is anybody who is accessing the PI Coresight admins page is going to be needing to be in the admins groups. So now that I know that my user account is in these admin’s groups and has the appropriate permissions on the SQL Server, I’m ready to go ahead and navigate to the PI Coresight admin page making sure that I do so on the machine where I’ve installed PI Coresight. If you need some help remembering the URL for the PI Coresight admin page, a really easy way is to go back to IIS Manager and we can drill down here to the Coresight admin and just browse here. And you can see that we are essentially going to the server, Coresight and admin. Now depending on your browser, you may also want to run Internet Explorer or your appropriate web browser as administrator for this task. And right before I create the Coresight database in SQL, there is one check that I just want to point out in the PI Coresight Live Library installation and administration guide. I am at this step, the PI Coresight database creation and you’ll see that there is an option to automatically create the PI Coresight database which I’m doing and there are some requirements. And I meet this one, I’m running my browser locally on the same computer as the PI Coresight application server. If you are not able to meet the requirements to automatically create the PI Coresight database, you can check out the section on manually creating the PI Coresight database. But I’m going to use this using the steps in the automatically create the PI Coresight database. So let’s go back to the admin page. And here I’m going to manage configuration. So the SQL Server that we just checked, I’m going to need to write that name of the SQL Server here. And then once we connect to the SQL Server, it will show the databases. For example we can see that our AF Database is on the SQL Server. But I want to create the Coresight database. So I’m going to give it a name Coresight. And I’ll click save to create the PI Coresight database in the SQL Server. And before I do that again you can confirm here that I am logged in to the admin page as cmetzinger and we’ve confirmed that cmetzinger has the SQL permissions to be able to create this database. OK, and the database was created successfully. We also want to add our Data Archive and AF Servers that we want to be exposed in PI Coresight. So I’m going to actually navigate to the Data Server tab first. And you can see the PI Data Archive that is picked up from our connections earlier. And I can test connection to make sure that I can connect. And I can go ahead and allow. And save. And then I’m also going to want to add the AF Server. And we can see the AF Server that we checked before and in this case you can test connection. And if you have more than one AF Database, you might go with the all option or pick very specific databases. In this case I just have the one database, the company database. That’s the only one that’s going to be added when I select all. And I’ll click save. OK. Now I’m ready to return to the overview page. Let me go ahead and refresh the page here. OK, great. So now we want to start looking for the green checks making sure that our SQL Database has a green check, our data server has a green check which again is our PI Data Archive. And looking down here that our AF Server and index search server status also has green checks. So that all looks good. Initially we’ll see that it’s not necessarily the case that we finish indexing the AF Server or our PI Points on our Data Archive. But if we check back in a bit we should see that these also will have green checks. So everything looks good from that perspective. And there is one other setting that we might want to go ahead and do right away and that’s on import folder management. So I’m going to go ahead and jump to that. Starting with PI Coresight 2014, we are able to import PI ProcessBook displays and view them over the web with PI Coresight. To do this we’ll setup specific folders and the PI ProcessBook displays that get added to that folder will get picked up and displayed in PI Coresight. To do this, I’ll want to go ahead and add a folder. But in this case let me actually browse to the folder that I’m going to add so I can remember the name. OK, so this is the import folder that we are going to be using. We haven’t added any PI ProcessBook displays but when we do we are going to add them here. So I’ll copy this path and then you also can add the friendly name. So this will be how the folder name will show up in PI Coresight for our users. So I’m going to give it a friendly name. And it is important that the PI Coresight service account must have read permissions to this folder. So make sure to double check that if you haven’t already. And then I’ll go ahead and add. And then hitting show status. It looks like there are no errors. So the next thing I want to do is actually go to the PI Coresight URL and test and make sure that we can connect to PI Coresight starting first locally on the PI Coresight Server. So I’m going to navigate to the PI Coresight URL and it’s basically just going to be this first part minus the admin. So I’m going to copy that. And then I can go ahead and create a new display. You can see that here is the way that the folder that we just added would show up. I’m going to go ahead and create a new display to do some tests. So I can see my AF Database. I can see my PI Data Archive. So I’m just going to search and make sure that I can add some things. So it looks like I was able to add this PI Point to my display. And let me also take a look at my AF structure. And make sure that I’m seeing my assets show up. OK, so my attributes are showing up as well. Now this all looks good. So I can access PI Coresight locally but we want all of our users to be able to access PI Coresight from their individual machines through the web browser. It’s also important for us to remember that we want to be able to use Windows Integrated Security when these users connect to the PI Server. And for this, we want to use Kerberos delegation. So let’s jump back to the PI Coresight installation and administration guide to review those requirements. So we can see the final step here, phase 5, setting up Kerberos delegation. And again this is recommended because it allows your users to authenticate on the PI Data Archive and AF Server with their Windows Integrated Security. Now in order to do this you want to make sure to work with your IT team to setup Kerberos delegation to the PI Data Archive and AF Server. And you can follow all the steps in this phase for those details. Now I’ve already worked with my IT team to do this. Essentially they configured the service account for delegation on the domain controller, the SVC PI Coresight account. And they also set SPN’s for my PI Coresight machine. And that service account. So let me just point out the commands that they were in. So they ran these commands to set these two SPNs and I can confirm that the SPNs were set. If I actually navigate to a command prompt and do a list SPN. So let me double check to make sure that the SPNs were set. And right click run as administrator. And if you want to list the SPNs, you can do setspn -l and then the account. So again domain and then the name of the account that you are running the PI Coresight services under. I can confirm that these two here indicate that the SPNs were set. So FQDN and the name. And again that got done by running these two commands. So the SPNs have been set and the final step that I want to make sure to do related to this is to turn off kernel mode. So if you are using Kerberos delegation and you have the recommended configuration where all the Windows services and application pools are running under the same domain account the way that I have, then we want to turn off kernel mode. And we can do this in IIS Manager. So back in IIS Manager, if we select Coresight and then authentication here and then on Windows authentication we are going to right click and do advanced settings. And it’s this one right here. So I’m going to deselect this to turn off kernel mode. And then hit OK. Now to make sure everything got picked up, because of the fact that I only have PI Coresight running on this web server, I’m going to go ahead and do an IIS reset in my administrative command prompt. OK, and now that I’ve successfully done that and I made sure that we turned off kernel mode authentication, now I want to go to a remote machine and test that I can access PI Coresight remotely as well. OK, so I’m now on this machine and as you can see, this is a different machine and I’m also going to now do the same test connecting to PI Coresight. And then new display. OK, great I can see that I’m getting the same behavior even though I am connecting to the PI Coresight Server remotely. One thing that you might notice however is that the URL was a little bit different. In this case I used HTTP instead of HTTPS. That’s because when I installed PI Coresight, I used a self signed certificate that the installation created. I did not have a certificate that was from a certification authority. If you didn’t use a self signed certificate during the installation, you’ll be able to use HTTPS here. And I’ll show you that if I go to HTTPS what I’ll get is the warning about the fact that the certificate is not trusted in my individual case. And again it’s because the certificate didn’t come from a certificate authority. And so while I can navigate to it, I would get the certificate error in this case. Now that I’ve confirmed that I can successfully access PI Coresight remotely, what do I need to keep in mind for my other users? Well remember for them to access PI Coresight, they will need to be in the PI Coresight user group that we saw earlier. And because of the fact that we are using Windows Integrated Security to authenticate to our PI Server, we’ll need to make sure that they have the appropriate permissions on our PI Data Archive and AF Server to be able to see the things that they need. One important point about this is when you are doing a search like I did here for your PI Points on your PI Data Archive, for this to be successful in PI Coresight you must be able to authenticate with a Mapping. A Trust will not work. And also Mappings for local groups will also not work. So just something to keep in mind. Again they would still be able to see data on existing displays but to be able to do the search you must have a Mapping that is not based on a local group for that. And for more details on this, check out our documentation. With that we have a successful PI Coresight installation and configuration using the admin page. And our users are now able to access data from our PI Server remotely over the web. If you have any problems or receive any different behavior, the place that you’ll need to check is on the PI Coresight machine here, you want to make sure to navigate to the Event Viewer logs. And check out these specific logs related to PI Coresight for any errors and then with that you can send these errors to our tech support team. Thanks for watching and hope you are enjoying your PI Coresight installation.

Danny Hutson

2 thoughts on “OSIsoft: Create PI Coresight SQL Database/Configure PI Coresight through the Admin Page [v3.0.0.4]

  1. My client cant access PI Vision,when I input website address of my PI Vision,That's redirected to a another website. Can you help me???

Leave a Reply

Your email address will not be published. Required fields are marked *