Enabling Secure Historian Access for Explorer Utilizing Pulse

Enable the Explorer for secure access to your Historical data.

Ensure Pulse is Configured for HTTPS

Create a Client in Pulse

Configure Explorer to Utilise an Identity Provider

Keep Your Secret Safe Using Environmental Variables

Ensure Explorer is configured for https

To use authorized access, Explorer must be configured to communicate over https and be bound to a certificate.

See the sample settings.config file below for enabling https on Explorer.

The default location for the settings.config file on Windows environments is:

C:\ProgramData\Flow Software\Timebase\Explorer\Settings

Make sure that your configured URL endpoints do not use the same port. By default, the http endpoint binds to port 4531 and the https endpoint to port 4532.

"Kestrel": {
  "Endpoints": {
    "Http": {
      "Url": "http://<YourIPAdressHere>:4511"
    },
    "Https": {
      "Url": "https://<YourIPAdressHere>:4512",
      "Certificate": {
        "Subject": "localhost",
        "Store": "Root",
        "Location": "CurrentUser",
        "AllowInvalid": "true"
      }
    }
  }
}

The possible values for the certificate properties are:

Location is either CurrentUser or LocalMachine

Store is one of AddressBook, AuthRoot, CertificateAuthority, Disallowed, My, Root, TrustedPeople, or TrustedPublisher

Subject refers to the value of the "Subject" field in your certificate

AllowInvalid is set to true if the validity check for the certificate should be bypassed/ignored. Set it to false if only valid certificates are permitted.

Create a Client in Pulse

By default, Pulse will have created clients to use for all Timebase modules. The Client Ids and Client Secrets of these clients can be used to configure the IdP settings of the different modules.

It is assumed by this point that Pulse is installed, active, configured to use https and bound to your certificate.

Create a Client via the Pulse UI by navigating to the https address of your Pulse service.


The client should have at least the following configuration:

Client Id - Unique Client Identifier

Redirect URL - redirect to the Log in dialog after successful authorization. For the Historian this value will be: https://<YourExplorerIpAdress>:4532/callback

Allowed Audiences - Explorer must be allowed to "connect" to all historians providing data. Make sure to add your Historian Client Ids

Grant Types - Client Credentials

Scopes - Open ID

Once you are done configuring the client, select save. Select your newly created client to gain access to your Client Id and Client Secret. You need both of these for the next step.

You can copy and paste your Client Id and Client Secret from the client details page to configure your Explorer's identity provider settings.

Configure Explorer to Utilise an Identity Provider

For Explorer to authenticate against Pulse using the new Client you configured, you need to edit the Explorer sources file to include your new authentication settings. See the example below.

The default location for the sources.config file on Windows environments is:

C:\ProgramData\Flow Software\Timebase\Explorer\Config

{
  "Historians": {
    "Local": {
      "Name": "Local",
      "Host": "localhost",
      "Port": 4512,
      "UseTls": true,
      "Auth": {
        "Enabled": false,
        "IdP": {
          "Host": "localhost",
          "Port": 4542,
          "UseTls": true
        },
        "ClientId": "<YourClientHere>",
        "ClientSecret": "<YourClientSecretHere>"
      }
    }
  }
}

 

Use the Client Id and Client Secret you copied to configure your historian IdP settings.

Keep your secret safe using Environmental variables

Storing your secret in plain text can be a security violation; best practice is to store it in an environment variable instead.

Environmental variables can be referenced in your settings file:

"Auth": {
  "Enabled": true,
  "IdP": {
    "Host": "<yourPulseIPAdressHere>",
    "Port": 4542,
    "UseTls": true
  },
  "ClientId": "<yourClientIDHere>",
  "ClientSecret": "%MyClientSecrectEnv%"
}

 

On Windows-based systems, an environmental variable placeholder is denoted by %%, while on Linux / Mac it is denoted by ${}, e.g. %MyClientSecrectEnv% on Windows and ${MyClientSecrectEnv} on Linux / Mac.
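
A pre-deployment check for the two files described on this page, added here as an example (it is not Flow Software code). It assumes the files parse as JSON with the key names shown in the samples above. The function names, finding texts and sample values are illustrative, and reporting Auth.Enabled false as a finding is an assumption about the intended secure setup.

```python
import os
import re
from urllib.parse import urlsplit

# %NAME% (Windows) or ${NAME} (Linux / Mac): the two placeholder forms named above.
PLACEHOLDER = re.compile(r"^(?:%(\w+)%|\$\{(\w+)\})$")

def audit_kestrel(settings):
    """Check the "Kestrel" section of a parsed settings.config."""
    findings = []
    eps = settings.get("Kestrel", {}).get("Endpoints", {})
    ports = [p for k in ("Http", "Https")
             if (p := urlsplit(eps.get(k, {}).get("Url", "")).port)]
    if len(ports) == 2 and ports[0] == ports[1]:
        findings.append("http and https endpoints share a port")
    cert = eps.get("Https", {}).get("Certificate", {})
    if str(cert.get("AllowInvalid", "false")).lower() == "true":
        findings.append("AllowInvalid is true: certificate validity is not checked")
    return findings

def audit_sources(sources, env=os.environ):
    """Check every historian entry of a parsed sources.config."""
    findings = []
    for name, hist in sources.get("Historians", {}).items():
        auth = hist.get("Auth", {})
        if not (hist.get("UseTls") and auth.get("IdP", {}).get("UseTls")):
            findings.append(f"{name}: UseTls is not true for both historian and IdP")
        if not auth.get("Enabled"):
            findings.append(f"{name}: Auth.Enabled is not true")
        match = PLACEHOLDER.match(str(auth.get("ClientSecret", "")))
        if not match:
            findings.append(f"{name}: ClientSecret is a literal, not an environment placeholder")
        elif not env.get(match.group(1) or match.group(2)):
            findings.append(f"{name}: ClientSecret variable is not set in the environment")
    return findings

# Constructed sample input modelled on the snippets above (not a real deployment).
SAMPLE_SETTINGS = {"Kestrel": {"Endpoints": {
    "Http": {"Url": "http://192.0.2.10:4531"},
    "Https": {"Url": "https://192.0.2.10:4532", "Certificate": {
        "Subject": "localhost", "Store": "Root",
        "Location": "CurrentUser", "AllowInvalid": "true"}}}}}
SAMPLE_SOURCES = {"Historians": {"Local": {
    "Name": "Local", "Host": "localhost", "Port": 4512, "UseTls": True,
    "Auth": {"Enabled": True, "ClientId": "constructed-client-id",
             "ClientSecret": "constructed-plain-secret",
             "IdP": {"Host": "localhost", "Port": 4542, "UseTls": True}}}}}

if __name__ == "__main__":
    print("\n".join(audit_kestrel(SAMPLE_SETTINGS) + audit_sources(SAMPLE_SOURCES)))
```

Run it under the same account that runs the Explorer service, so the environment lookup sees the variables the service will see.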