Redundancy On The Cheap: How to use two servers, FactoryPMI, FactorySQL, and MySQL to make a mission critical HMI/SCADA application.

SACRAMENTO, CA -

Introduction
FactoryPMI and FactorySQL have long supported clustering and redundancy, respectively. But their database-centric architecture always left the question: What about the database? A true clustered database solution, like Microsoft SQL Server Clustering or Oracle 11g RAC works great, but can take 4+ extra servers and tens of thousands of dollars worth of software. This whitepaper describes how to set up redundancy on the cheap, using 2 servers and MySQL.

First disclaimer: The solution provided here works well, but you do give up some of the reliability that you'd get with a true clustering solution. If you can afford it, go with a true clustered database. They are great and are built for exactly what you're doing. That said; we understand that budgets aren't infinite, and sometimes you have to do more with less. In that case, read on.

Second disclaimer: The solution here isn't rocket science, but it does demand that the user has a solid grasp on our products, databases, and networking. After all, rocket science probably isn't that difficult if you're a rocket scientist. If you start thinking this might be beyond your technical capability, skip to the bottom where we provide a much simpler solution that very well might be "good enough" for many users.

The Basics
This guide is going to be using some advanced features of FactorySQL, FactoryPMI, and MySQL that you may not be familiar with. Let's go over some of these features first.

FactorySQL Redundancy. FactorySQL Redundancy is a feature that lets two or more FactorySQL services running on different physical machines cooperate, so that if the primary instance goes down due to a machine crash or software fault, one of the secondary instances will take over. FactorySQL uses a common database connection to share project configuration data, as well as monitor who is the currently running master instance.

FactoryPMI Clustering. FactoryPMI Clustering is a feature that lets two or more FactoryPMI Gateway instances running on different physical machines share configuration data and split client load evenly across all running instances, with dynamic client failover. FactoryPMI Clustering uses UDP communication over the local subnet for all clustering communication.

Aggregate Connections / Failover Connections. In FactorySQL, you can create an aggregate connection to a database. This special connection type uses two other database connections to create a single one. If the primary connection goes down, the secondary connection will be used instead. In FactoryPMI, you can specify a failover connection for any datasource connection. In a similar fashion, if that datasource connection fails, the failover connection will be used instead. These two features are very important to the technique presented in this guide, because they let FactorySQL and FactoryPMI use two separate databases as one, which is how we simulate a clustered database.

MySQL Replication. MySQL Replication is a feature of MySQL that lets you specify one database as a master and one as a slave. All changes that are made to the master will be replicated over the network to the slave. Setting up MySQL replication is out of the scope of this guide, but was covered in an earlier article, available here.

The Architecture
The basic idea is to set up MySQL replication for realtime data (status and control), and FactorySQL datacaching for historical data. When both servers are up, history will be logged to the master database, and realtime status and control will go through the master database. In the event that the master server goes down, history will be cached by the secondary server's FactorySQL, and realtime status and control will be routed through the secondary database. When the master server is brought back up, the secondary FactorySQL will put all cached history into the master database. So, during the failure, history will be unavailable, but status and control will work.

Figure 1: Redundant Architecture Overview (click to zoom)

Figure 1 is a diagram of the architecture this guide is describing. You'll see a "master" and "slave" server. Each server has the full "stack" of software on it, that is: an OPC Server, FactorySQL, a database (MySQL), and FactoryPMI. Don't let the picture frighten you, it's not as bad as it looks. Notice that there is a lot of symmetry here: Both instances of FactorySQL actually have the exact same connections, and the same goes for both of the FactoryPMI Gateways. Let's go over the configuration for each piece of the software stack.

First, we have the OPC server. Both OPC servers will be connected to your devices (PLCs, RTUs, etc). They don't need to be specifically set up for "redundancy", but they do need to be configured in the same manner, so that they have access to the same tags, etc.

Before we go over FactorySQL, let's look at the database. Notice that there are two separate schemas: one for historical data, and one for realtime data. Separating the data into two schemas lets us use different connections for each schema. The master database has both schemas, but the slave server only has the realtime schema. You need to set up MySQL replication to replicate the realtime schema from the master to the slave. Again, see this article for detailed instructions on setting up MySQL replication .

The FactorySQL configuration will be identical on both the master and the slave. The crux of the configuration here is in the Data Connection Settings. You'll need the following connections:

• HistoryConnection: Connection to the master's historical schema. Native or DSN connection. Ensure that Data Caching is enabled in the Service Settings.


• MasterRealtime: Connection to the master's realtime schema. Native or DSN connection.


• SlaveRealtime: Connection to the slave's realtime schema. Native or DSN connection.


• RealtimeConnection: Aggregate connection with MasterRealtime as the primary connection, and SlaveRealtime
  as the secondary connection. Failover mode should be set to "Use secondary until primary is available"

Ensure that SQLTags is enabled and using the RealtimeConnection (unless you aren't using SQLTags). Enable redundancy, and set it to use the RealtimeConnection. Note that FactorySQL redundancy makes your project configuration shared implicitly across your master and slave, but the settings themselves need to be configured individually.

FactoryPMI configuration is fairly simple. You'll want to configure your master, and when it is all configured, you'll join your slave into the master's cluster. The configuration, again, mostly has to do with the datasource connections. You'll need the following connections:

• HistoryConnection: A connection to the master's historical schema.


• SlaveRealtime: A connection to the slave's realtime schema.


• MasterRealtime: A connection to the master's realtime schema, with the SlaveRealtime set as the "Failover Datasource".

In your project, make sure to use the HistoryConnection for all historical queries (e.g. charts, tables, reports etc. Use the MasterRealtime for all realtime information (e.g. SQLTags). To cluster your two FactoryPMI Gateways together, first set the Cluster Name of the master server to something intelligible, such as "FPMICluster". Then set the slave's Cluster Name to the same name. Ensure that you don't have any software firewalls such as Windows Firewall enabled, and that multicast UDP traffic on a single port can pass between the two Gateways.

How It Works
Now that you have your master and slave configured, let's take a look at how it will work in the event of a failure. First, look at Figure 2, which shows the path data takes when both servers are running. Notice that realtime and historical data go through the master database, and the FactoryPMI Gateways share the client load. Data flow is shown in the thick green lines. All other connections are not being used.

Figure 2: Normal Data Flow (click to zoom)

Now let's look at the data flow in the event that the master server has crashed in Figure 3. Again, the active data paths are shown in thick green. Notice that the realtime data is going through the slave's realtime schema, FactorySQL is caching the historical data, and the FactoryPMI clients have all switched to the FactoryPMI Gateway instance running on the slave.

Figure 3: Master Crashed Data Flow (click to zoom)

Conclusion and a Simpler Alternative
There you have it, with some clever partitioning of connections and some MySQL replication, you can create a mission critical HMI/SCADA system that logs seamless history, and never loses control of your application. Of course, there are details to work out, such as backup schemes for your history in case the master server crash cannot be recovered from, but such things can be put in place fairly easily. If you are going to put a system like this in place, we recommend two additional things: purchase the commercial version of MySQL (it is fairly inexpensive) so that you can receive support from them, and practice. Disaster recovery plans and redundant software can be quite complex. If you're serious about a highly available SCADA system, make sure that you regularly practice simulated outages to ensure that everything goes smoothly.

Last but not least, we have promised a simpler alternative, in case this all seems too complex. The alternative is: Have a cold-standby server ready and waiting. Purchase a USB licensing dongle from us (so that you can simply swap the FactoryPMI and FactorySQL license in a physical form), and in the event of a failure, turn on the secondary server and give it the IP address that your master server used to have. Yes, you'll probably be down for 5 to 10 minutes, and you will lose the history during that period, but you'll be able to explain how it works in one sentence. The only tricky part to this is to make sure that your secondary server's project files stay up to date. This can be achieved reliably through well-known procedural guidelines, or through automatic ghosting.

As always, if you'd like to speak to one of our engineers to discuss any of these architectures, or have some new ideas that we haven't thought of, please give us a call at 1-800-266-7798.

Inductive Automation
Inductive Automation pioneered the first full-featured web-launched HMI/SCADA system in the world. Its standards based, database-centric architecture receives accolades from plant managers, IT managers, and system integrators worldwide. With a commitment to software quality and technical support second to none, Inductive Automation is at the forefront of industrial software.

How To: Use Active Directory® Authentication with FactoryPMI™

SACRAMENTO, CA AUGUST 14, 2007 - Microsoft’s Active Directory authentication technology is secure and in widespread use throughout the industrial landscape. By using Active Directory authentication in FactoryPMI, you ensure that access to your HMI/SCADA application is governed by a well-maintained, secure authentication source. In addition, compliance with the FDA’s 21CFR part 11 mandates that you use Active Directory! FactoryPMI has long supported Active Directory authentication. With FactoryPMI version 2.2.0, this support just got easier to configure and more flexible. In this article, we’ll demonstrate how to set up FactoryPMI’s Active Directory authentication feature.

Authentication Profiles
FactoryPMI can concurrently support many different types of authentication through use of authentication profiles. Each profile defines a different way to authenticate users. Each project can then choose which profile to use. To get started, we need to add a new authentication profile of type “Active Directory”. First, log into the configuration section of your FactoryPMI Gateway. Next, choose “Profiles” under “Authentication” in the menu. Then press the “Add Profile” button. You’ll see a screen that looks like this. Hit “Next”.


Settings
The settings for the Active Directory profile are simple. Basically all you need are your domain name, the address of your domain controller(s), and a username/password pair so that the FactoryPMI designer can log in to retrieve the list of all possible roles.



Testing and Tuning
That’s it - your Active Directory authentication profile is complete. To test it out, edit your project and make it’s Authentication Profile be your new profile. Now try to log in. Use the username and password that you log into Windows with. If you have any problems, give us a call or ask a question at our user forum at http://www.inductiveautomation.com/forum. If you’re finding that the role listing function in the Designer is going too slow, you may need to tune your Active Directory profile. Suppose all of your roles are stored below some sub folder in your Active Directory tree, such as MyCompany.com/Users/Roles. Then edit your Active Directory authentication profile and modify the Role Search Base property to something like:
"OU=Users,DC=Mycompany,DC=com". This will make the role search faster by searching less of the Active Directory tree.

Now sit back and enjoy the security and convenience of centralized user management!

About Inductive Automation
Inductive Automation pioneered the first full featured web-launched HMI/SCADA system in the world. Its standards based, database-centric architecture receives accolades from plant managers, IT managers, and system integrators worldwide. With a commitment to software quality and technical support second to none, Inductive Automation is the rising star in the industrial software landscape.

Contact
Jim Meisler
(800) 266-7798 x27
jmeisler@inductiveautomation.com

How To: Use FactoryPMI Gateway On 2 Closed Networks

SACRAMENTO, CA JUNE 5, 2007 - This article explains how to set up a FactoryPMI Gateway that needs to be accessible from 2 separate private networks on different adapters.

Many industrial controls systems have been set up as 2 separate networks; the corporate subnet has local server and Internet access, while the controls subnet houses the PLCs and HMI systems. SCADA applications, especially as you get into reporting, MES, and ERP, often need to access both sides. These setups typically have computers with 2 network cards, one attached to each network. This is called a multihomed host. This article describes how to configure FactoryPMI on a multihomed computer.

We don't recommend this type of setup, especially since they were often configured without care. In critical production facilities it's not uncommon to see IP addresses like 1.2.3.4 (random routable addresses) or subnet masks that show that the engineer had no idea what they do. That was fine when industrial sites were isolated. Now that Internet access is becoming universal, this kind of practice borders somewhere between sloppy and unprofessional. Additionally, SCADA security is a hot and important area of Homeland Security.

Background

---

The FactoryPMI Gateway needs to be able to tell runtime clients its single address to communicate over. This is important for clustering and reconnection, even if there is only one Gateway. The address is set as the HTTP Address in the Network section of the Gateway Configuration page. If set to autodetect, the Gateway will choose one IP address, and runtime clients will only work if they can contact the Gateway via that address - in most cases one network will work and the other will not! If autodetect is unchecked it can be set to an IP address (for example 192.168.0.55), a hostname or NetBIOS name (sn25p), or a fully registered domain name (fpmi.inductiveautomation.com).




Determining the Gateway address and problem

---

On a working FactoryPMI client menu go to help->About FactoryPMI. This is most simply done on the FactoryPMI Gateway machine. You will see the FPMI Gateway location. This is the address that the FactoryPMI Gateway gives clients for communication. If a client can not connect to the Gateway over this address it won't be able to run a project.



You should always be able to pull up the Gateway Configuration web page - the Gateway (web server) listens over all IP addresses and interfaces. The common problem that you may see is that launching the client on one network works and the other fails. On the failed network it will load as if everything were fine, but then give you an error message right before logging in. Possible errors that you may see are Error Loading Plugins or Error downloading project data.


Getting FactoryPMI working on both networks

---

Getting both networks running is as simple as telling both networks a name or address that they each recognize. The easiest way to accomplish this is to simply use a the computers hostname or NetBIOS name. Name resolution can work in a number of ways. The easiest way to determine if it will work is by opening a DOS prompt and the client and pinging the Gateway by that address. If you get a response, you're good on that network. Repeat for both networks.



In most cases this will resolve seemingly magically by broadcast. If client and Gateway use the same WINS server, this should always work. If you have control of your own DNS servers you can add an "A" record, but Dynamic DNS might resolve it automatically. In the worst case you can always add manual hostname to IP address mappings in the HOSTS or LMHOSTS file of the local client.


Success! You should now be able to run your FactoryPMI clients from either network!

Naive 2 network setup usually = bad idea

---

The "separate networks" concept for security is a good idea. You should consider putting a computer on both networks to be the same (or worse) than putting a router in between the networks as far as security is concerned. It can be done securely or insecurely, but should not be plugged in carelessly. This type of setup isn't the best solution, but it's cheap and easy, and therefore common. Here are a few reasons that this type of setup should eventually become a relic of times passed:

• A properly configured router (can be a PC) can isolate both subnets, routing traffic for certain designated nodes, identified by MAC address. This provides a single, configurable, secure, point. Each node needs only one Ethernet adapter and IP address. A layer 3 switch is ideal for this application.


• Even home Ethernet switches provide enough bandwidth so that one side will not bog down the other. QOS (quality of service) and other performance options exist. If the PLC side truly needs realtime or deterministic performance, or the corporate network is huge, you'll probably be using other equipment and have a knowledgeable IT staff.


• It's now standard to use non-routable IP addresses and NAT behind a firewall for the corporate network. Companies no longer provide real (Internet accessible) addresses for each computer. In most cases this a sufficient starting point with respect to security, for the controls network. If it's not, you should be using an IT department instead of a tacky workaround. Your efforts are better spent password protecting the PLCs and securing the firewall.

The point to take away is that a closed (controls) network is about as secure as you can get. It no longer remains closed when you bridge it to another network. Don't kid yourself into thinking that the networks are still isolated when you have that one computer with 2 ethernet cards plugged into each. As you add computers to both networks or make your SCADA system more distributed, which is the trend for corporate access, the security of this 2 networks concept disappears. If you need security, standard IT technology has this problem figured out. There is nothing inherently "bad" about a multihomed system - it's something that you should strive to learn more about if you wish to implement one. Industrial software users and systems integrators alike should become proficient with IT basics.

Summary

---

We learned that FactoryPMI can be easily set up to work in a multihomed setup. We considered that networking technologies exist to properly segment and secure our traffic.

Here's how we setup a FactoryPMI Gateway to work with multiple networks:

• Verified that name resolution works on both networks


• In the Network section of the Gateway Configuration page, set a hostname as the http address

How To: Expose a FactoryPMI Gateway Behind a Private Network

SACRAMENTO, CA MAY 1, 2007 - This month's article covers some basic networking principals and settings to expose a local FactoryPMI gateway to a wider network.

Background

---

We're going to learn about TCP/IP and networking with FactoryPMI by example. Our setup uses the address range 192.168.0.1-254. This is an example of a non-routable Class C IP network. Class C means that we have 255 addresses to deal with and a 24 bit subnet mask (255.255.255.0). Non-routable means that we're using addresses have been reserved for private (non-Internet) use. This means that Internet routers will ignore requests that use these addresses. Make sure that you use non-routable addresses when setting up private control networks! We have a router set up that has a single legal IP address and provides Internet access to our network with Network Address Translation (NAT). This article is relevant to any setup where you use NAT, port forwarding, or a DMZ (Demilitarized zone, a subnetwork that sits between the internal and external network).

• The FactoryPMI gateway uses the static (non-DHCP) address 192.168.0.2 and currently runs over port 8080


• The router uses the LAN address 192.168.0.1


• The router uses the WAN (Internet) address 69.19.188.26


• Clients' addresses are assigned via DHCP in the range 192.168.0.100-150. They need to access the FactoryPMI project


• We want to be able to access our application over the Internet

Getting Started

---

Our first step to allow access to the FactoryPMI gateway is by setting up a port forward rule in the router. It should specify that TCP traffic directed to 69.19.188.26 over port 8080 be forwarded to 192.168.0.2. You may also need to add an incoming firewall rule to support this with the same settings.

To test, open http://69.19.188.26:8080 in a web browser. If you see the default FactoryPMI Gateway web site it worked! If not, try loosening up your firewall policy and using 192.168.0.2 as the DMZ host. Keep in mind that a home router DMZ host is not a true DMZ in terms of network segmenting - it is a feature that will pass all traffic to our Gateway, with the exception of certain attacks. This is much more wide open than a single port forward - more geared toward Internet games that require numerous ports to be open. Incrementally tighten back security as you determine what works.

Next make sure that your firewall doesn't block outbound TCP traffic from your local network over port 8080. In most cases it shouldn't, but our network is very secure so we'll set up an outbound firewall rule to allow TCP traffic from 192.168.0.x to 69.19.188.26 over port 8080. Without this rule, Internet users won't have a problem, but your local clients won't be able to access the system. Your clients should address 69.19.188.26 instead of 192.168.0.2 when using the FactoryPMI runtime. I would then restrict gateway configuration access to either 127.0.0.1 (localhost) or 192.168.0.*.

Launching Projects

---

Now launch one of your applications via Java Web Start by clicking on a project link. The application will seem to download properly, but fail to launch. What gives? The FactoryPMI Gateway web server can listen over all IP addresses, but the client application needs to know the address of its Gateway - this setting is true for each Gateway in the Cluster. Normally this is automatically detected properly, but our Network Address Translation fools the client. Another error that you may see will say Error Loading Plugins, indicating the same problem.



We need to statically tell clients that their gateway address will be the valid Internet IP address. Go to the Gateway Configuration Page -> Network and uncheck Autodetect HTTP Address. We then type 69.19.188.26 under HTTP Address.

I'm also going to uncheck Autodetect Bind Interface since I have multiple network adapters. I'll then specify 192.168.0.2 as the address for Bind Interface. This wasn't necessary, but is good to disambiguate our IP addresses.



Summary

---

Here's how we setup a FactoryPMI Gateway to work with NAT

• Set up a port forward rule in our router


• Under the Network tab of the FactoryPMI Gateway Configuration page, uncheck Autodetect HTTP address and specify



• Ensure that outbound TCP client traffic is allowed from our network to the WAN address of our router over the FactoryPMI port


• Clients now reference the FactoryPMI project from the WAN address. So do computers over the Internet.