TermSecure and iFIX Security

From ThinManager Knowledge Base

Overview

TermSecure is an additional layer of security provided by ThinManager. It can either hide applications from unauthorized users (SecureAccess) or grant a user access to their personal applications at any location (SmartContext). Administrators often want to integrate TermSecure with their HMI platform(s), so that a user who logs into TermSecure is automatically logged into the HMI environment as well, with the proper credentials. This article describes two methods for this integration with GE's Proficy iFIX human machine interface (HMI).

Each TermSecure user can be configured to log in to Windows in 1 of 4 ways using the TermSecure User Configuration Wizard (Windows Log In Information page of the wizard):

  1. Manually: User must manually enter Windows credentials when the session is launched.
  2. Automatically - Use Terminal Configuration Login Information: User is automatically logged into the session with the credentials specified for the Terminal Configuration.
  3. Automatically - Use TermSecure Username and Password: User is automatically logged into the session with the TermSecure username and password. This requires that a Windows user with the same credentials be created on the terminal server(s).
  4. Automatically - Specify a Windows Username and Password: User is automatically logged into the session with a separate set of credentials specified in the TermSecure User Configuration Wizard. This is an example of username and password obfuscation, which is an RSA security measure.

[Figure: TermSecure User Configuration Wizard – Windows Log In Information]

Without TermMon ActiveX Control

Each Windows user that is associated with a TermSecure user must then be connected to an iFIX user account. This is accomplished using the iFIX Security Configuration application. In the User Profile dialog box for each iFIX user account, select Use Windows Security, and enter the Windows user name. If the account is local, leave the domain field blank; otherwise, enter the name of the domain controller. The security accounts are linked as follows: TermSecure User -> Windows User <- iFIX User


Note: In this scenario, when a new TermSecure user logs in, a new iFIX session is launched. This is not the case when using the TermMon ActiveX Control (see below).


With TermMon ActiveX Control

  • Copy the TermMon.ocx to a location on each of your iFIX terminal servers. The TermMon.ocx is included on the ThinManager install media when you purchase the product. If you are working from a demo license, it can be downloaded from here: http://downloads.thinmanager.com
  • Register the TermMon.ocx ActiveX control on each of your iFIX terminal servers.
    • Open a command prompt as an Administrator.
    • For 32-bit OS, run:
      c:\windows\system32\regsvr32 c:\Path\TermMon.ocx
    • For 64-bit OS, run:
      c:\windows\syswow64\regsvr32 c:\Path\TermMon.ocx
  • Open iFIX Workspace.
  • Add the TermMon.ocx to a Window that is always visible within the iFIX application (like a Navigation or Status bar).
    • In iFIX 5.5, select the Insert ribbon bar, then the Objects/Links toolbar icon, then the Ole Object button.
    • Click the Create Control radio button.
    • Scroll down to find the TermMon control.
    • Click OK.
  • Right click an empty part of the iFIX screen where you are placing the ActiveX control, and select Edit Script. This will open the iFIX VBA Editor.
  • Select CFixPicture from the drop down list at the top, and the Initialize event from the adjacent drop down list. This will create the CFixPicture_Initialize event.
  • Inside this event, enter the following: TermMon1.Enable (assumes the name of your control is TermMon1).
  • Select the Close event from the adjacent drop down list. This will create the CFixPicture_Close event.
  • Inside this event, enter the following: TermMon1.Disable (assumes the name of your control is TermMon1).
  • Select TermMon1 from the drop down list at the top and the OnEvent event from the adjacent drop down list. This will create the TermMon1_OnEvent event. The sample code below shows how to detect TermSecure security events and, in turn, log in to or log out of iFIX security programmatically.

Private Sub CFixPicture_Initialize()

    ' Enable the ActiveX Control.
    TermMon1.Enable
    
End Sub

Private Sub CFixPicture_Close()

    ' Disable the ActiveX Control.
    TermMon1.Disable
    
End Sub

' This event is fired automatically by the ActiveX control.
Private Sub TermMon1_OnEvent(ByVal EventCode As Integer)

    Dim password As String
    
    ' EventCode 8 => a new user has logged into TermSecure.
    If EventCode = 8 Then
    
        ' We will assume the TermSecureUsername is the same as the iFIX username.
        ' If not, you would have to add a second assignment for the correct username
        ' in each Case statement below.
        
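        ' Based on the TermSecure username, assign the correct password.
        ' The passwords below are placeholders; whatever is entered here can be
        ' read by anyone who can open this picture's script.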
        Select Case TermMon1.TermSecureUsername
        
            Case "user1"
                
                password = "user1password"
            
            Case "user2"
        
                password = "user2password"
            
            Case "user3"
        
                password = "user3password"
                            
        End Select
            
        ' As long as the TermSecure username is not an empty string (which would imply
        ' a logoff has occurred), log the user into the iFIX security system.
        If TermMon1.TermSecureUsername <> "" Then
        
            System.FixLogin TermMon1.TermSecureUsername, password
            
        Else
        
            System.FixLogout
            
        End If
                
    End If

End Sub

With TermMon 7.6+

TermMon 7.6+ supports iFIX directly and can perform the login using the Active Directory credentials of the TermSecure user.

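Private Sub CFixPicture_Initialize()
    ' Enable the ActiveX control.
    TermMon1.Enable
End Sub

Private Sub TermMon1_OnTermSecureUserChange(ByVal Action As Integer, ByVal UserName As String, ByVal previous_username As String)
    ' Holds the iFixLogin return code (see the return codes listed below).
    Dim result As Long

    If Action = 1 Or Action = 2 Then
        ' Log in to iFIX with the TermSecure user's credentials.
        result = TermMon1.iFixLogin
    ElseIf Action = 3 Then
        ' Log out of iFIX.
        System.FixLogout
    End If
End Sub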

TermMon.iFixLogin Return Codes

TermMon1.iFixLogin will return one of the following codes from TermMonConst:

  • Success (0): login succeeded, no error from iFIX
  • Fail (1): iFIX returned an error on the login
  • Timeout (4): timeout communicating with ThinManager terminal
  • RequestFailed (7): could not locate the iFIX install, specifically fixtools.dll
  • UserNotFound (10): no TermSecure user logged into the terminal
  • NoWindowsUsername (15): failed to get Windows credentials from terminal
  • NoWindowsPassword (16): failed to get Windows credentials from terminal
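
An added example, not part of the original article or ThinManager's own code: the TermMon 7.6+ handler extended to check the iFixLogin return code and fail closed, so that a failed login does not leave the previous user's iFIX session active. It assumes the control is named TermMon1; the constant and helper names are hypothetical, the numeric codes are copied from the return codes listed above, and Debug.Print stands in for whatever logging the site uses.

```vba
' Added example (not ThinManager's code). Assumes the control is named TermMon1.
' Return-code values are copied from the TermMon.iFixLogin return codes on this page.
Private Const IFIX_LOGIN_SUCCESS As Long = 0

' Hypothetical helper: turn an iFixLogin return code into readable text.
Private Function DescribeIFixLoginResult(ByVal code As Long) As String
    Select Case code
        Case 0:  DescribeIFixLoginResult = "Success"
        Case 1:  DescribeIFixLoginResult = "Fail: iFIX returned an error on the login"
        Case 4:  DescribeIFixLoginResult = "Timeout communicating with ThinManager terminal"
        Case 7:  DescribeIFixLoginResult = "RequestFailed: could not locate fixtools.dll"
        Case 10: DescribeIFixLoginResult = "UserNotFound: no TermSecure user on the terminal"
        Case 15: DescribeIFixLoginResult = "NoWindowsUsername: no Windows credentials from terminal"
        Case 16: DescribeIFixLoginResult = "NoWindowsPassword: no Windows credentials from terminal"
        Case Else: DescribeIFixLoginResult = "Unlisted code " & CStr(code)
    End Select
End Function

Private Sub TermMon1_OnTermSecureUserChange(ByVal Action As Integer, ByVal UserName As String, ByVal previous_username As String)
    Dim result As Long

    If Action = 1 Or Action = 2 Then
        result = TermMon1.iFixLogin

        If result <> IFIX_LOGIN_SUCCESS Then
            ' Fail closed: without this, whoever was logged into iFIX before
            ' the TermSecure user changed would stay logged in.
            System.FixLogout

            ' Record which user change failed and why (no password is logged).
            Debug.Print Now & " iFixLogin failed for TermSecure user '" & _
                        UserName & "' (previous: '" & previous_username & "'): " & _
                        DescribeIFixLoginResult(result)
        End If
    ElseIf Action = 3 Then
        System.FixLogout
    End If
End Sub
```

This replaces the TermMon1_OnTermSecureUserChange handler shown earlier; CFixPicture_Initialize still needs to call TermMon1.Enable.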