Modify the Client/FEP Project Parameters in Automatic Mode
- The project is stopped.
- On the Server, ensure the following. Otherwise, a message displays.
— For the Windows store certificates, the root certificate must be in the TRCA store of the Local machine certificates store in the Windows Certificate store. Additionally, only certificates with RSA signature algorithm are supported. CNG certificates are not supported.
— For File (.pem) based certificates, the root certificate must be available on the disk.
— Before creating/modifying the Client/FEP project, you need to share the Server project folder with the logged-on user of the Client/FEP operating system.
- On a Client/FEP, ensure the following:
— For Windows store certificates, the root certificate of the configured Server project is imported in the TRCA and the host certificate (along with its private key which is exportable) must be imported in the Personal store of the Local machine certificates in the Windows Certificate store and is set as default.
— For file (.pem) based certificates, the root and the host certificates (.pem files) must be available on the disk.
- In the SMC tree, select Projects > [project].
- Project Settings displays.
- Click Edit .
- The Server Information expander gets enabled.
- The Process Monitor (Pmon) user is synched with the System Account user, if it is changed after project creation.
- In the Client Project Information expander, the Shared project path field is enabled.
- In the Communication Security expander, the Root certificate and the Host certificate fields along with Add are enabled. If the selected Server project has Client/Server communication mode as
Secured
, the certificate type is configured to be the same as the Server project and the fields for Root certificate, Host certificate, and Host key (in case of a .pem certificate) and Host certificate users display the certificates set as default on the Client/FEP machine.
- In the Server Information expander, do the following:
a. Edit the server name by typing the full computer name of the Desigo CC Server machine, for example, ABCXX022PC.dom01.company.net, or by clicking Browse and selecting the Server machine using the Workstation Picker dialog box.
b. Edit the default Service port using the spin control buttons to match the Service port number on the selected Server.
c. Click Projects and edit the project from which you want to fetch the information using the Project Information dialog box. Optionally, you can also do this by clicking Browse for Server project in the Client Project Information expander.
- The selected Server project name displays and is also set as the default Client/FEP Project name in the Client Project Information expander. The Shared project path automatically displays the shared server project path, if the selected Server project is shared. The security settings are modified as per the selected server project.
- (Optional and not required when the Server project folder is shared) Type in the Shared project path or click Browse to select the shared project folder using the Browse for Folder dialog box.
NOTE: You must provide the Server name before browsing for the shared project.
- The Server name, service Port, port numbers are changed, language is edited, the Process Monitor user is changed internally and synched with the current System Account user for the selected project. The project shared path is set.
- In the Communication Security expander, proceed as follows:
a. Click Browse to select the root certificate. By default, it displays the default root certificate on the Client/FEP machine. Provide the same root certificate as that configured on the Server project.
b. Click Browse to select the host certificate. By default, it displays the default host certificate set on the Client/FEP machine. Ensure that this host certificate is created using the root certificate and that it has a private key.
c. (Enabled and required only in case of File .pem based certificate type) Click Browse and select the host key certificate.
d. (Enabled only when the selected Server project has Client/Server communication mode as Secured and the Certificate type is Windows store) Click Add to add a host certificate user using the Select User dialog box. For example, you can add a non-admin user so that a non-admin user can launch the Desigo CC client application.
NOTE 1: Only the users and group listed for the selected host certificate can launch the Desigo CC Client successfully on the Client/FEP machine.
NOTE 2: Even if the logged-on user of the Client/FEP operating system is a member of the Administrators group and has rights on the private key of the host certificate, you must still explicitly assign this user rights on the host certificate’s private key by adding the user to the Host Certificate User list.
- The certificates are configured for the selected certificate type.
- Click Save .
- If you modify the shared project path, a message displays, prompting you to re-activate the modified project.
- Click OK.
- Click Activate Project .
- Start .
Special Considerations When Applying Security for Closed Mode Configurations
- To work with closed mode you must explicitly provide permissions to the closed mode user (GMSDefaultUser) on the private key of the host certificate configured for the Client/Server communication. You must do this even if the closed mode user (GMSDefaultUser) is a member of a user group (for example, Administrators group) that has rights on the private key of the Host certificate.
- If you are configuring closed mode on the Client/FEP system, you must provide rights to the local GMSDefaultUser on the Desigo CC Server project folder, in order to have access to it from the Client/FEP machine. The logged-on Windows user on a Client station is a local GMSDefaultUser.