TermSecure and iFIX Security
TermSecure is an additional layer of security provided by ThinManager. It can either hide applications from unauthorized users, called SecureAccess, or it can grant access to a user’s personal applications at any location, called SmartContext.

Administrators often want to integrate TermSecure with their HMI platform(s), so that a user who logs into TermSecure is automatically logged into the HMI environment with the proper credentials. This article describes two methods for this integration with GE's Proficy iFIX human machine interface (HMI).

Each TermSecure user can be configured to log in to Windows in one of four ways using the TermSecure User Configuration Wizard (Windows Log In Information page of the wizard):
- Manually: User must manually enter Windows credentials when the session is launched.
- Automatically - Use Terminal Configuration Login Information: User is automatically logged into the session with the credentials specified for the Terminal Configuration.
- Automatically - Use TermSecure Username and Password: User is automatically logged into the session with the TermSecure username and password. This requires that a Windows user with the same credentials be created on the terminal server(s).
- Automatically - Specify a Windows Username and Password: User is automatically logged into the session with a separate set of credentials specified in the TermSecure User Configuration Wizard. This is an example of username and password obfuscation, which is an RSA security measure.
TermSecure User Configuration Wizard – Windows Log In Information
Without TermMon ActiveX Control
Each Windows user that is associated with a TermSecure user must then be connected to an iFIX user account. This is accomplished using the iFIX Security Configuration application. In the User Profile dialog box for each iFIX user account, select Use Windows Security, and enter the Windows user name. If the account is local, leave the domain field blank; otherwise, enter the name of the domain controller. The security accounts are linked as follows: TermSecure User -> Windows User <- iFIX User
Note: In this scenario, when a new TermSecure user logs in, a new iFIX session is launched. This is not the case when using the TermMon ActiveX Control (see below).
With TermMon ActiveX Control
- Copy the TermMon.ocx to a location on each of your iFIX terminal servers. The TermMon.ocx is included on the ThinManager install media when you purchase the product. If you are working from a demo license, it can be downloaded from here: http://downloads.thinmanager.com
- Register the TermMon.ocx ActiveX control on each of your iFIX terminal servers.
- Open a command prompt as an Administrator.
- For 32-bit OS, run:
- For 64-bit OS, run:
- Open iFIX Workspace.
- Add the TermMon.ocx to a Window that is always visible within the iFIX application (like a Navigation or Status bar).
- In iFIX 5.5, select the Insert ribbon bar, then the Objects/Links toolbar icon, then the Ole Object button.
- Click the Create Control radio button.
- Scroll down to find the TermMon control.
- Click OK.
- Right click an empty part of the iFIX screen where you are placing the ActiveX control, and select Edit Script. This will open the iFIX VBA Editor.
- Select CFixPicture from the drop down list at the top, and the Initialize event from the adjacent drop down list. This will create the CFixPicture_Initialize event.
- Inside this event, enter the following: TermMon1.Enable (assumes the name of your control is TermMon1).
- Select the Close event from the adjacent drop down list. This will create the CFixPicture_Close event.
- Inside this event, enter the following: TermMon1.Disable (assumes the name of your control is TermMon1).
- Select TermMon1 from the drop down list at the top and the OnEvent event from the adjacent drop down list. This will create the TermMon1_OnEvent event. The sample code below shows how to detect TermSecure security events and, in turn, log in to and out of iFIX security programmatically.
```vb
Private Sub CFixPicture_Initialize()
    ' Enable the ActiveX Control.
    TermMon1.Enable
End Sub

Private Sub CFixPicture_Close()
    ' Disable the ActiveX Control.
    TermMon1.Disable
End Sub

' This event will fire automatically by the ActiveX control.
Private Sub TermMon1_OnEvent(ByVal EventCode As Integer)
    Dim password As String

    ' EventCode 8 => a new user has logged into TermSecure.
    If EventCode = 8 Then
        ' We will assume the TermSecureUsername is the same as the iFIX username.
        ' If not, you would have to add a second assignment for the correct username
        ' in each Case statement below.
        ' Based on the TermSecure username, assign the correct password.
        ' Note: these passwords are stored in clear text in the picture's VBA script.
        Select Case TermMon1.TermSecureUsername
            Case "user1"
                password = "user1password"
            Case "user2"
                password = "user2password"
            Case "user3"
                password = "user3password"
        End Select

        ' As long as the TermSecure username is not an empty string (which would imply
        ' a logoff has occurred), log the user into the iFIX security system.
        If TermMon1.TermSecureUsername <> "" Then
            System.FixLogin TermMon1.TermSecureUsername, password
        Else
            System.FixLogout
        End If
    End If
End Sub
```
With TermMon 7.6+
TermMon 7.6+ supports iFix directly and can perform the login using the Active Directory credentials of the TermSecure user.
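```vb
Private Sub CFixPicture_Initialize()
    ' Enable the ActiveX Control.
    TermMon1.Enable
End Sub

Private Sub TermMon1_OnTermSecureUserChange(ByVal Action As Integer, ByVal UserName As String, ByVal previous_username As String)
    ' Holds the iFixLogin return code (see the return codes below).
    Dim result As Long

    If Action = 1 Or Action = 2 Then
        ' Log in to iFIX with the TermSecure user's Windows credentials.
        result = TermMon1.iFixLogin
    ElseIf Action = 3 Then
        System.FixLogout
    End If
End Sub
```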
TermMon.iFixLogin Return Codes
TermMon1.iFixLogin will return one of the codes from TermMonConst:

| Return code | Meaning |
|---|---|
| Success (0) | login succeeded, no error from iFix |
| Fail (1) | iFix returned an error on the login |
| Timeout (4) | timeout communicating with ThinManager terminal |
| RequestFailed (7) | could not locate the iFix install, specifically fixtools.dll |
| UserNotFound (10) | no TermSecure user logged into the terminal |
| NoWindowsUsername (15) | failed to get windows credentials from terminal |
| NoWindowsPassword (16) | failed to get windows credentials from terminal |
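
The TermMon 7.6+ sample above stores the iFixLogin return code but never checks it. The following variant is an added example, not ThinManager's or GE's code: because the iFIX session is shared across TermSecure users in this setup, it logs out of iFIX whenever iFixLogin does not return Success, and reports the reason. It assumes the control is named TermMon1; the constant IFIX_LOGIN_SUCCESS and the helper DescribeLoginResult are names introduced here, and MsgBox is used only as a simple way to notify the operator.

```vb
' Added example; assumes the control is named TermMon1 as in the samples above.
' The value 0 is the Success code from the return-code table; the constant
' name is local to this example.
Private Const IFIX_LOGIN_SUCCESS As Long = 0

Private Sub CFixPicture_Initialize()
    TermMon1.Enable
End Sub

Private Sub CFixPicture_Close()
    TermMon1.Disable
End Sub

Private Sub TermMon1_OnTermSecureUserChange(ByVal Action As Integer, _
        ByVal UserName As String, ByVal previous_username As String)
    Dim result As Long

    If Action = 1 Or Action = 2 Then
        result = TermMon1.iFixLogin
        If result <> IFIX_LOGIN_SUCCESS Then
            ' Fail closed: the iFIX session is not restarted per user, so make
            ' sure no earlier iFIX login stays active after a failed login.
            System.FixLogout
            MsgBox "iFIX login failed for '" & UserName & "': " & _
                   DescribeLoginResult(result), vbExclamation, "iFIX login"
        End If
    ElseIf Action = 3 Then
        System.FixLogout
    End If
End Sub

' Maps the iFixLogin return codes listed in the table to readable text
' (hypothetical helper for this example).
Private Function DescribeLoginResult(ByVal code As Long) As String
    Select Case code
        Case 1:  DescribeLoginResult = "iFIX returned an error on the login"
        Case 4:  DescribeLoginResult = "timeout communicating with the terminal"
        Case 7:  DescribeLoginResult = "could not locate the iFIX install (fixtools.dll)"
        Case 10: DescribeLoginResult = "no TermSecure user logged into the terminal"
        Case 15: DescribeLoginResult = "could not get the Windows username from the terminal"
        Case 16: DescribeLoginResult = "could not get the Windows password from the terminal"
        Case Else: DescribeLoginResult = "unexpected return code " & CStr(code)
    End Select
End Function
```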