RS Linx Classic Read Only

FactoryTalk Security - Part 2

So now that you know you are using FactoryTalk Security.

What are your options?

I need to explain the different ways FactoryTalk Security can be set up so you can investigate it yourself and decide which way you want to go.

FactoryTalk Security is a component of FactoryTalk Services Platform (FTSP).

FTSP is made up of:
FactoryTalk Security (FTS) - Manages Security Services
FactoryTalk Administration Console (FTAC) - Configures Security Services
FactoryTalk Diagnostics (FTDS) - Provides Security Services Diagnostics Viewer
FactoryTalk Directory (FTD) - Manages Security Services Directory Locations

FTDS can be installed with FTSP, or FactoryTalk Activation (FTA). The FTDS Viewer is a very useful diagnostics tool for viewing logged FTS and FTA errors and events.

First we need to look at FactoryTalk Directory (FTD).

By default, FTD installs two Directory Locations, a Local Directory, and a Network Directory. Which one is used depends on the required Security setup.

1. FactoryTalk Local Directory

A single computer, usually, but not necessarily, in a stand-alone environment, is to be set up for independent Local Security. RSLinx Classic is installed and FactoryTalk Security is enabled using the Local Directory option. This computer is known as a FactoryTalk Security Server, as it manages and configures its own Security. Other Rockwell Software, required to be secured, are installed with the enable FactoryTalk Security option, and also set to use the Local Directory. The Local Directory stores all the Users/Permissions, Policy Settings and Project information related to Rockwell Software on the Local computer only. The Local Directory is only available to the Local computer, even if the computer resides on a network.

2. FactoryTalk Network Directory

Two, or more computers on a plant network are to be set up for Network Security. One computer is to be assigned as the FactoryTalk Network Server. It will usually have RSLinx Classic OEM, or Gateway installed. FactoryTalk Security is enabled using the Network Directory on the Server. All the other computers on the network are Client computers. RSLinx Classic is installed on the Client computers and FactoryTalk Security is enabled to also use the Network Directory. The Server computer administers Users/Privileges, Policy Settings and Project information for all the Secured Rockwell Software being used on the networked computers. The Client computers must have access to the Network Directory on the FactoryTalk Network Server in order to use the Secured Rockwell Software installed upon them.

Even though both a Local Directory and Network Directory exist on each computer that has FactoryTalk Security enabled, and both can be used interchangeably, the information stored in one Directory is completely separate from the other. If you set up a User in FTAC for a Local Directory, the User does not exist for the Network Directory. You would have to set up the User for both Directories separately.

Now we need to look at Users and User Groups:

Windows v FTS Users

When you login to Windows, you are using a Windows-Linked User Account. You have the option to add your Windows-Linked User Account to FTS in FTAC. Nearly all Rockwell Software requires a User to have Administrator Privileges to carry out most actions. So your Windows-Linked User Account should have Administrator Privileges. This then adds your Windows-Linked User Account to the Windows Administrators User Group, in Windows.

When you open FTAC, you are prompted to Select FactoryTalk Directory. Here you select Network, or Local. Again, you need to know from the above options which FactoryTalk Directory the computer you are working on is using. If you know it's definitely a stand-alone computer, select Local. If it's acting as a FactoryTalk Network Server, or Client, for the Maintenance computer network, then select Network.

If you expand Users and Groups=>User Groups you should see one or all of the following, Authenticated Users, Windows Administrators and Administrators.

Depending on which are there, if you look closely at the icons for Authenticated Users and Windows Administrators you'll see a small link symbol. This indicates that they are Windows-Linked User Groups.
Again, depending on whether or not it's there, if you look at the icon for Administrators you'll see there is no link symbol. That's because it's an FTS Administrator Group.

If the Windows-Linked Windows Administrators Group is there, double-click it to show its Members. Your Windows-Linked User Account, if it has Administrator Privileges, should already be listed here. If Windows Administrators is not there, right-click on User Groups=>New=>Windows-Linked User Group...=>Add... and type Windows Administrators in the text box. The OK button becomes available and when pressed, the previous window should now display Windows Administrators. Click OK again to add it to the User Groups. Then check its Members.

Go back to the FTS Administrators Group and double-click it to view its Members. The Windows-Linked Windows Administrators Group should be listed here. If not, press the Add... button and you get the Select User or Group window. Make sure Filter Users is set to Show groups only. Windows Administrators may already be listed here. If not, press Create New=>Windows-Linked User Group=>Add... and follow the same procedure as above to get the Windows Administrators Group into the FTS Administrators Group.

Once this is done in FTAC for the correct FactoryTalk Directory, your Windows-Linked User Account is now added to the Administrators Group of FactoryTalk Security.

In FTAC, again using the correct Directory, you need to check the Security Access Rights, for your Windows-Linked User Account, are all set to Allow for RSLinx Classic. As your Windows-Linked User Account is added at the Group level, this is done by selecting Administrators from the list.

I hope that makes sense.

G.

User Account.jpg
 
dmargineau said:
...I'd study first...to get an idea of what you are trying to "alter".

dmargineau,

I think it's obvious now that our friend doesn't want to study FTS, or know anything about it. He just wants to add a driver in RSLinx and get on with his job. :rolleyes:

ronman,

You haven't provided me enough answers to the specific questions asked, so I won't waste any more of your time, or mine, trying to get FactoryTalk Security working.

If you are sure that you are authorized to disable FactoryTalk Security on this computer, then proceed as follows:

To disable the FactoryTalk Security Server

User needs Windows Administrator Privileges

Open Regedit:

(Windows XP)
Start=>Run Type: regedit=>OK

Or

(Windows 7)
Start=>Search programs and files=> Type: regedit=>Enter

Navigate to:

(Windows XP or Windows 7 32-bit)
HKEY_LOCAL_MACHINE\SOFTWARE\Rockwell Software\RSLinx

Or

(Windows 7 64-bit)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Rockwell Software\RSLinx

There should be an entry: 68112182

With a value: 0x00000000 (0)

Double click on the 68112182 entry

Change the value to 993fc6 with the Base set to Hexadecimal

Click OK and reboot the computer

The Security menu in RSLinx Classic should now be disabled.

The Registry entry should look like this...

G.

RegistryRSLC.jpg
 
Thanks a lot for the information. The computer is running, so it isn't an emergency, but it presents a hurdle that I will need to jump. I've been busy with other jobs, so my replies haven't been quick.
I hope to read more about FactoryTalk Security and decide what to do next. The information you've provided has been educational for me and hopefully others who get stuck on this road.
 
Geospark,

The computer is running Server 2003 and the FactoryTalk Security is for a local directory rather than a network directory.

You've given me the information to disable the security. Since I'm the only person who uses the computer, is there some upside to keeping it active?
 
ronman,

Apologies if I was reading you wrong. If you do want to learn more about FTS than I've brushed over, then the PDF that dmargineau linked you to is the ideal place to start.

Security is more common where fixed computers are used on the plant floor for programming and/or SCADA, such as your RSView32 station. It prevents operators and the like from inadvertently, or intentionally messing with the SCADA system or shutting things down.

Whether security is required or not for your computer would be very hard for me to gauge sitting where I am. If you think there is no great threat from anyone messing with it where it's situated, and unless you can get it working without too much hassle, you'd probably be better off disabling it.

If it's working ok, it should be seamless and should not really interfere with your work.

If you do want to try get it going, then...

In Windows,
Make sure your Windows account is an Admin account
Make sure it's a member of the Windows Administrators Group

In FTAC,
Make sure the Windows Administrators Group is in the Users and Groups, along with Administrators Group
Make sure Windows Administrators Group is also a member of the Administrators Group.
Then, if needs be, set permissions for the Administrators Group for RSLinx Classic, etc.

G.
 
I downloaded the Rockwell PDF about FactoryTalk Security, but haven't read all of it yet.

I went to the Registry Editor in Server 2003, but couldn't find 68112182 under HKEY_LOCAL_MACHINE\SOFTWARE\Rockwell Software\RSLinx.

Regedit RS Linx.jpg
 
I still haven't solved the problem of getting through FactoryTalk Security, but I was able to add the node that I wanted.

In the Registry Editor, under HKEY_LOCAL_MACHINE\SOFTWARE\Rockwell Software\RSLinx\Drivers\AB_ETH\AB_ETH-1\Node Table, I added the node.
 
Ok, I've never added drivers that way, but handy to know.

While you're being clever, try this...

If that entry doesn't exist in Regedit, create it and set it to the value I mentioned.

To create entry, right-click on RSLinx folder=>New=>DWORD value
Change New Value #1 to 68112182 and assign the 993fc6 value.

Reboot, and check if RSLinx Classic Security menu is grayed out.

G.
 
I created 68112182 as you said. In order to get the correct value, one must enter C6 3F 99 00. This will come out as 0x00993fc6 (10043334).

I rebooted and security was no longer applied to RS Linx!

Thanks for taking the time to suggest all of these ideas, Geospark. It worked.
 
I'm more than happy to assist you. (y)

p.s. If you feel like playing around with it some time in the future, to re-enable it, just change that value back to 0.

G.
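
For anyone auditing workstations afterwards, the following is an added example (not code from any poster in this thread or from Rockwell) that reads a .reg export of the RSLinx key and reports whether the 68112182 value discussed above leaves RSLinx Classic security enabled or disabled, including the little-endian byte form mentioned in the thread. The function names and the sample export are assumptions constructed for illustration; the key paths and values are the ones quoted in the posts.

```python
import re

# Key paths, value name and values exactly as given in the thread.
RSLINX_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Rockwell Software\RSLinx",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Rockwell Software\RSLinx",
)
VALUE_NAME = "68112182"
STATES = {0x00993FC6: "security disabled", 0x00000000: "security enabled"}

def parse_dword(raw):
    """Decode 'dword:00993fc6' or the raw-byte form 'hex(4):c6,3f,99,00'."""
    kind, _, data = raw.strip().partition(":")
    if kind.lower() == "dword":
        return int(data, 16)
    if kind.lower() == "hex(4)":
        # Raw bytes are little-endian: C6 3F 99 00 -> 0x00993fc6 (10043334).
        return int.from_bytes(bytes(int(b, 16) for b in data.split(",")), "little")
    return None  # not a DWORD (string, binary, ...)

def audit_reg_export(text):
    """Return {key_path: state} for each RSLinx key found in a .reg export."""
    watched = {k.casefold(): k for k in RSLINX_KEYS}  # key names are case-insensitive
    found, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            key = watched.get(section.group(1).casefold())
            if key:
                found[key] = "value absent"
            continue
        entry = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if entry and key and entry.group(1) == VALUE_NAME:
            found[key] = STATES.get(parse_dword(entry.group(2)), "unexpected value")
    return found

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Rockwell Software\RSLinx]
"68112182"=hex(4):c6,3f,99,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Rockwell Software\RSLinx]
"68112182"=dword:00000000
'''

if __name__ == "__main__":
    for path, state in audit_reg_export(SAMPLE).items():
        print(f"{state:18} {path}")
```

A key reported as "value absent" matches the Server 2003 case in the thread, where the entry did not exist and security was still being applied.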
 
