
TermSecure and InTouch Security

From ThinManager Knowledge Base

Overview

TermSecure is an additional layer of security provided by ThinManager. It can either hide applications from unauthorized users, called SecureAccess, or it can grant access to a user’s personal applications at any location, called SmartContext. Administrators often want to integrate TermSecure with their HMI platform(s), so that when a user logs into TermSecure, they are automatically logged into the HMI environment as well with the proper credentials. This article describes two methods for this integration with Wonderware's InTouch human machine interface (HMI). Each TermSecure user can be configured to log in to Windows in 1 of 4 ways using the TermSecure User Configuration Wizard (Windows Log In Information page of the wizard):

  1. Manually: User must manually enter Windows credentials when the session is launched.
  2. Automatically - Use Terminal Configuration Login Information: User is automatically logged into the session with the credentials specified for the Terminal Configuration.
  3. Automatically - Use TermSecure Username and Password: User is automatically logged into the session with the TermSecure username and password. This requires that a Windows user with the same credentials be created on the terminal server(s).
  4. Automatically - Specify a Windows Username and Password: User is automatically logged into the session with a separate set of credentials specified in the TermSecure User Configuration Wizard. This is an example of username and password obfuscation, which is an RSA security measure.
TermSecure User Configuration Wizard
TermSecure User Configuration Wizard – Windows Log In Information

Without TermMon ActiveX Control

Each Windows user that is associated with a TermSecure user can be used to log in to InTouch if OS Security is selected in WindowMaker (Security | Select Security Type | OS). The security accounts are linked as follows: TermSecure User -> Windows User <- InTouch. Within WindowMaker, each Windows user account has an associated access level that determines which InTouch functions are accessible. Access levels are assigned to the Windows groups using the InTouch script function AddPermission(). Once the access levels are properly assigned to Windows groups, the $AccessLevel system tag can be used to enable/disable access to the individual elements of the application.


Note: In this scenario, when a new TermSecure user logs in, a new InTouch session is launched. This is not the case when using the TermMon ActiveX Control (see below).


With TermMon ActiveX Control

  • Copy the TermMon.ocx to a location on each of your InTouch terminal servers. The TermMon.ocx is included on the ThinManager install media when you purchase the product. If you are working from a demo license, it can be downloaded from here: http://downloads.thinmanager.com
  • Register the TermMon.ocx ActiveX control on each of your InTouch terminal servers.
    • Open a command prompt as an Administrator.
    • For 32-bit OS, run:
        c:\windows\system32\regsvr32 c:\Path\TermMon.ocx
    • For 64-bit OS, run:
        c:\windows\syswow64\regsvr32 c:\Path\TermMon.ocx
  • Open WindowMaker.
  • Add the TermMon.ocx to a Window that is always visible within the InTouch application (like a Navigation or Status bar).
    • In InTouch 11.0, click the Special menu, followed by the Configure | Wizard/ActiveX Installation menu items.
    • From the Wizard/ActiveX Installation popup window, click the ActiveX Control Installation tab.
    • In the Available ActiveX Controls list box below, scroll to the TermMon Control and select it.
    • Click the Install button. This will move the TermMon control from the lower list to the top list.
    • Click OK.
    • Click the Wizard Hat toolbar icon.
    • From the Wizard Selection popup window, select the ActiveX Controls item on the left hand side.
    • Double click the TermMonCtrl icon from the right hand side.
    • Place the control on the desired InTouch window.
  • Use CTRL-w to open the Window Properties dialog box.
  • Click the Scripts button.
  • Select On Show from the Condition Type drop down list.
  • In the script body, enter the following:
#TermMonCtrl1.Enable();
  • Select On Hide from the Condition Type drop down list.
  • In the script body, enter the following:
#TermMonCtrl1.Disable();
  • Double click the TermMon control.
  • From the TermMonCtrl1 Properties dialog box, select the Events tab.
  • Enter a new script name next to the OnEvent event, then press the Enter key.
  • Click OK to create a new script.
  • The sample code below shows how to detect TermSecure security events and, in turn, log in to and out of InTouch programmatically.
    DIM password AS MESSAGE;
    DIM termSecureUsername AS MESSAGE;
    DIM loginResult AS DISCRETE;
    
    termSecureUsername = #TermMonCtrl1.TermSecureUsername;

    { EventCode 8 => a new user has logged into TermSecure. }
    IF #ThisEvent.OnEventEventCode == 8 THEN
    
        { We will assume the TermSecureUsername is the same as the InTouch username. }
        { If not, you would have to add a second assignment for the correct username }
        { in each branch below. }
        
        { Based on the TermSecure username, assign the correct password. }
        { Note: passwords assigned here are stored in clear text in the script. }
        IF termSecureUsername == "user1" THEN
                
            password = "user1password";
            
        ELSE IF termSecureUsername == "user2" THEN
                
            password = "user2password";
            
        ELSE IF termSecureUsername == "user3" THEN
                
            password = "user3password";

        ENDIF;
        ENDIF;
        ENDIF;

    ENDIF;            
            
    { As long as the TermSecure username is not an empty string (which would imply }
    { a logoff has occurred), log the user into InTouch. }
    IF termSecureUsername <> "" THEN
        
        loginResult = AttemptInvisibleLogon( termSecureUsername, password ) ;
            
    ELSE
        
        loginResult = Logoff();
            
    ENDIF;

With TermMon 7.8+

TermMon 7.8+ supports InTouch directly and can perform the login using the Active Directory credentials of the TermSecure user. Register, add, and enable/disable the TermMon control via script as described above. Then:

  • Double click the TermMon control.
  • From the TermMonCtrl Properties dialog box, select the Events tab.
  • Enter a new script name next to the OnTermSecureUserChanged event, then press the Enter key.
  • Click OK to create a new script.
  • The sample code below shows how to detect TermSecure security events and, in turn, log in to and out of InTouch automatically:


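{ Local variables for the login result and the Logoff() return value. }
DIM ret AS INTEGER;
DIM X AS DISCRETE;

IF #ThisEvent.OnTermSecureUserChangeAction == 1 OR #ThisEvent.OnTermSecureUserChangeAction == 2 THEN
	{ Log in to InTouch with the Windows credentials of the TermSecure user. }
	ret = #TermMonCtrl.InTouchLogin;
	{ Any non-zero return code is a failure: log off of InTouch. }
	IF ret <> 0 THEN
		X = Logoff();
	ENDIF;
ENDIF;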

TermMonCtrl.InTouchLogin Return Codes

TermMonCtrl.InTouchLogin will return one of the following codes from TermMonConst:

  • Success (0): login succeeded, no error from InTouch
  • Fail (1): InTouch returned an error on the login
  • Timeout (4): timeout communicating with ThinManager terminal
  • RequestFailed (7): could not locate the needed scripting DLL, intspt.dll, from the InTouch install directory
  • UserNotFound (10): no TermSecure user logged into the terminal
  • NoWindowsUsername (15): failed to get Windows credentials from terminal
  • NoWindowsPassword (16): failed to get Windows credentials from terminal
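
The return codes above can also be recorded, so that a failed automatic login leaves an audit trail instead of a silent logoff. The following OnTermSecureUserChanged script is an added example, not ThinManager sample code. It assumes the control is named TermMonCtrl as in the script above, and it uses the InTouch QuickScript functions LogMessage() and StringFromIntg() to write to the Wonderware logger; the variable names loggedOff and reason are illustrative.

```quickscript
{ Added example, not ThinManager sample code. }
{ Assumes the control is named TermMonCtrl, as in the script above. }
DIM ret AS INTEGER;
DIM loggedOff AS DISCRETE;
DIM reason AS MESSAGE;

IF #ThisEvent.OnTermSecureUserChangeAction == 1 OR #ThisEvent.OnTermSecureUserChangeAction == 2 THEN

    ret = #TermMonCtrl.InTouchLogin;

    IF ret <> 0 THEN

        { Fail closed first: do not leave a previous InTouch user logged in. }
        loggedOff = Logoff();

        { Translate the TermMonConst code into the text from the list above. }
        reason = "unexpected return code";
        IF ret == 1 THEN reason = "Fail: InTouch returned an error on the login"; ENDIF;
        IF ret == 4 THEN reason = "Timeout: timeout communicating with ThinManager terminal"; ENDIF;
        IF ret == 7 THEN reason = "RequestFailed: could not locate intspt.dll"; ENDIF;
        IF ret == 10 THEN reason = "UserNotFound: no TermSecure user logged into the terminal"; ENDIF;
        IF ret == 15 THEN reason = "NoWindowsUsername: failed to get Windows credentials from terminal"; ENDIF;
        IF ret == 16 THEN reason = "NoWindowsPassword: failed to get Windows credentials from terminal"; ENDIF;

        { Record the failure in the logger; no credentials are written. }
        LogMessage( "TermSecure InTouchLogin failed, code " + StringFromIntg( ret, 10 ) + " - " + reason );

    ENDIF;

ENDIF;
```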