TAC Vista
TAC Pangaea WorkStation
TAC Software Installation Manual

Copyright © 2006-2010 Schneider Electric Buildings AB. All rights reserved.

This document, as well as the product it refers to, is only intended for licensed users. Schneider Electric Buildings AB owns the copyright of this document and reserves the right to make changes, additions or deletions. Schneider Electric Buildings AB assumes no responsibility for possible mistakes or errors that might appear in this document.

Do not use the product for other purposes than those indicated in this document.

Only licensed users of the product and the document are permitted to use the document or any information therein. Distribution, disclosure, copying, storing or use of the product, the information or the illustrations in the document on the part of non-licensed users, in electronic or mechanical form, as a recording or by other means, including photo copying or information storage and retrieval systems, without the express written permission of Schneider Electric Buildings AB, will be regarded as a violation of copyright laws and is strictly prohibited.

Trademarks and registered trademarks are the property of their respective owners.

Schneider Electric Buildings AB, Feb 2011
04-00001-05-en

Contents

INTRODUCTION

1 About this Manual
  1.1 Structure
  1.2 Typographic Conventions

REFERENCE

2 TAC Vista Server with Workstation Installation
  2.1 Microsoft SQL Server
  2.1.1 Authentication
  2.2 Connecting to a Remote SQL Server
  2.2.1 Starting The SQL Server Browser Service
  2.2.2 Setting SQL Server to Allow Remote Connections
  2.3 SQL Configuration
  2.4 New TAC Vista Server with Workstation Installation
  2.5 TAC Vista Server with Workstation Upgrade
  2.6 If You Install from a CD

3 Windows Security Settings for TAC Vista
  3.1 Vista System with One Vista Server
  3.2 Vista System with Several Vista Servers
  3.2.1 Setting a Windows Firewall Program Exception
  3.3 Vista System with Remote Access on a Domain
  3.3.1 Setting a Windows Firewall Program Exception
  3.3.2 Setting a Windows Firewall Port Exception
  3.3.3 Configuring Access Permissions on My Computer
  3.4 Vista System with Remote Access in a Workgroup or a Non-NT Domain
  3.4.1 Setting a Windows Firewall Program Exception
  3.4.2 Setting a Windows Firewall Port Exception
  3.4.3 Configuring Access Permissions on My Computer
  3.4.4 Configuring Launch and Activation Permissions on My Computer
  3.4.5 Configuring Launch and Activation Permissions on TACOS
  3.4.6 Configuring Access Permissions on TACOS
  3.5 Vista System with Web Access
  3.5.1 Configuring Launch and Activation Permissions on My Computer
  3.6 Restrict User Access to TAC Vista Resources

4 Installing TAC Vista Webstation
  4.1 Activate ASP.NET 4.0
  4.2 Activate ASP.NET 2.0
  4.3 Webstation Themes
  4.4 SSL – Secure Sockets Layer
  4.4.1 Secure Sockets Layer (SSL) with Dynamic TGML Viewer
  4.5 Localization
  4.6 Utilizing HTTP Compression
  4.7 Using Vista Webstation Views in Web Portals or as Stand-Alone Browser Views
  4.8 Disabling Worker Process Recycling and Shutdown
  4.9 Displaying Dynamic TGML Graphics
  4.9.1 Changing TGML Graphics Display Mode

5 SQL Technical Information
  5.1 TAC Vista and SQL Privileges
  5.1.1 Feature Background
  5.1.2 Typical SQL Configuration
  5.1.3 Custom SQL Configuration
  5.1.4 Privilege Comparison Chart
  5.2 SQL Configuration Troubleshooting
  5.2.1 Errors that Require SQL Server Reconfiguration
  5.2.2 Amendable Errors
  5.2.3 Select SQL Admin Login or Generate Scripts
  5.3 Manual Log Database Schema Upgrade
  5.4 Log Data Migration
  5.4.1 Reconfiguring SQL Server Settings for TAC Vista

Index

INTRODUCTION

1 About this Manual

This manual describes a particular process.

For information on certain products, we refer you to the manual or Help for the product in question.
For information on how to install software, we refer you to the instructions delivered with the software.

For information on third party products, we refer you to the instructions delivered with the third party product.

If you discover errors and/or unclear descriptions in this manual, please contact your Schneider Electric representative.

Note
• We are continuously improving and correcting our documentation. This manual may have been updated. Please check our Docnet site at www.tac.com for the latest version.

1.1 Structure

The manual is divided into the following parts:

• Introduction
  The Introduction section contains information on how this manual is structured and how it should be used to find information in the most efficient way.
• Reference
  The Reference section contains more comprehensive information about various parts of the Getting Started section. It also provides you with information on alternative solutions not covered by the Getting Started section.

1.2 Typographic Conventions

Throughout the manual the following specially marked texts may occur.

Warning
• Alerts you that failure to take, or avoid, a specific action might result in physical harm to you or to the hardware.

Caution
• Alerts you to possible data loss, breaches of security, or other more serious problems.

Important
• Alerts you to supplementary information that is essential to the completion of a task.

Note
• Alerts you to supplementary information.

Tip
• Alerts you to supplementary information that is not essential to the completion of the task at hand.

Advanced
• Alerts you that the following information applies to complex tasks or tasks restricted by access.
REFERENCE

2 TAC Vista Server with Workstation Installation
3 Windows Security Settings for TAC Vista
4 Installing TAC Vista Webstation
5 SQL Technical Information

2 TAC Vista Server with Workstation Installation

TAC Vista Server with Workstation can be downloaded from the Schneider Electric extranet or installed from a CD.

For more information on how to install TAC Vista Server with Workstation, see Help accessible from the installation program.

It is recommended that you install Microsoft Excel before installing TAC Vista Server. Excel is required for reports in Vista.

Caution
• If you are going to install TAC Vista Web Applications on the same computer as TAC Vista Server with Workstation:
  • Remove any certificates installed on the Web server before installing Vista.
  • Reinstall the certificates after installation.
  For more information see: http://support.microsoft.com/kb/309398

Tip
• For information on how to order licenses, see the TAC Licenses Installation Manual.
• For more information on how to use licenses, see Help accessible from the TAC Vista Server with Workstation installation program.

2.1 Microsoft SQL Server

Before starting the TAC Vista Server with Workstation installation, you should consider which Microsoft SQL Server you want to use:

• A Microsoft SQL Server 2005 Express Edition installed by the TAC Vista Server with Workstation installation program
• A new SQL Server
• An existing SQL Server

Note
• Microsoft SQL Server 2005 Express Edition is installed with SP3, which is required for computers running Windows 7 (32 bit and 64 bit) or Windows Server 2008 (32 bit and 64 bit) systems.
For more information on the different SQL Server options, see Help accessible from the TAC Vista Server with Workstation installation program.

2.1.1 Authentication

When installing a new Microsoft SQL Server, you should consider which authentication method to use when clients (including TAC Vista) want to access SQL Server. There are two options:

• Mixed mode authentication
• Windows authentication

Mixed mode authentication

With mixed mode, SQL Server can grant access to applications that identify themselves using a Windows account or using a SQL login defined in SQL Server.

If you want SQL Server to allow access to clients, for example, TAC Vista Server, using SQL authentication, you have to set SQL Server in mixed mode.

Windows authentication

With Windows authentication, SQL Server only grants access to applications that identify themselves using a Windows account defined in SQL Server.

Important
• If you choose to use Windows authentication, it is recommended that you run Vista Server as a service.
• If you want to run Vista Server as a service, you need to configure the service to run under a Windows user account set up in SQL Server.
• If you do not want to run TAC Vista as a service, you have to log on to the Vista Server computer with a Windows user account set up for Vista on SQL Server, and start Vista Server interactively. Otherwise the storing and reading of log data will not succeed.
• If you run TAC Vista and SQL Server in a workgroup, it is recommended that you use SQL Server authentication. Connecting to remote SQL Servers using Windows authentication in workgroups is not supported by TAC Vista.

Note
• If you are not going to install SQL Server, check with the customer SQL administrator for information on which authentication mode is being used.
If your system requires maximum security, you have to set SQL Server in Windows authentication mode.

For more information on the different authentication options, see Help accessible from the TAC Vista Server with Workstation installation program.

2.2 Connecting to a Remote SQL Server

In order for TAC Vista to be able to connect to a remote SQL Server you have to make a number of settings:

• The SQL Server Browser service has to be started
• SQL Server 2005 has to allow remote connections

2.2.1 Starting The SQL Server Browser Service

The SQL Server Browser service exposes SQL Servers to computers on the local network.

To start the SQL Server Browser service

1 On the computer running SQL Server, in the Surface Area Configuration window, click Surface Area Configuration for Services and Connections.

Tip
• You can access SQL Server 2005 Surface Area Configuration on the Start menu under Microsoft SQL Server 2005 Configuration Tools.

2 In the tree structure, under SQL Server Browser, click Services.
3 In the Status type list, click Automatic.
4 Click Apply.
5 Click Start.
6 Click OK.

2.2.2 Setting SQL Server to Allow Remote Connections

In order for TAC Vista to be able to connect, SQL Server needs to allow remote connections.

To set SQL Server to allow remote connections

1 On the computer running SQL Server, in the Surface Area Configuration window, click Surface Area Configuration for Services and Connections.

Tip
• You can access SQL Server 2005 Surface Area Configuration on the Start menu under Microsoft SQL Server 2005 Configuration Tools.

2 In the tree structure, under Database Engine, click Remote Connections.
3 Select Local and remote connections.
4 Select Using both TCP/IP and named pipes, and then click OK.
5 Click OK.

Important
• You have to restart the SQL Server service for changes in the settings to take effect.

2.3 SQL Configuration

Before starting the TAC Vista Server with Workstation installation, you have to consider how you want to set up the SQL Server configuration in TAC Vista.

There are two SQL configuration options:

• Typical - the typical SQL configuration settings will be used. The integrated log database backup/restore functions in TAC Vista will be available. SQL Server has to be installed on the same computer as TAC Vista Server with Workstation.
• Custom - the typical SQL configuration settings will be altered. The integrated log database backup/restore functions in TAC Vista will be disabled and log database backup/restore has to be performed in SQL Server.

For more information on the different SQL configuration options, see Help accessible from the TAC Vista Server with Workstation installation program.

2.4 New TAC Vista Server with Workstation Installation

There are numerous installation options depending on which SQL Server you want to use, and how you want it configured.

• Install Microsoft SQL Server 2005 Express Edition - Typical
• Use a new Microsoft SQL Server - Custom
• Use a new Microsoft SQL Server - Typical

For more information on the different installation options, see Help accessible from the TAC Vista Server with Workstation installation program.

2.5 TAC Vista Server with Workstation Upgrade

There are numerous installation options depending on the existing SQL Server and its configuration:

• Use the existing Microsoft SQL Server - Custom or Typical
• Upgrade Microsoft SQL Server 2000 Desktop Engine (MSDE) to SQL Server 2005 Express Edition - Typical

Caution
• Do not uninstall Microsoft SQL Server 2000 Desktop Engine (MSDE).
  The TAC Vista installation requires the existing SQL Server 2000 Desktop Engine to be able to detect the configuration data that will be used to configure SQL Server 2005 Express Edition. It also requires the existing SQL Server to detect the location of the existing log database.

• Replace Microsoft SQL Server 2000 Desktop Engine (MSDE) - Typical
• Upgrade from a TAC Vista version earlier than 4.3.0

The installation program searches for existing SQL Servers, SQL Server configurations, and TAC Vista log databases and suggests settings based upon what it has found.

For more information on the different upgrading options, see Help accessible from the TAC Vista Server with Workstation installation program.

2.6 If You Install from a CD

You can install the software components on the CD individually. You can also install multiple software components by running TAC Vista Batch Installation. The installation automatically runs individual setup programs for each of the included software components.

There are three installation options:

• Typical
• Full
• Custom

The installation CD setup options include the following programs:

Table 2.1: Program / Setup Type Typical Full Custom TAC Vista Server with Workstation and TAC Graphics Editor X X X INet Host Tool TAC XBuilder X X X TAC Vista Web Applications X TAC Vista OPC Server X TAC Vista OPC Server for Danduc X TAC Vista OPC Server for I/NET X X Echelon LNS Server TAC I-talk Collector and Interface X X X

By default, some programs are already selected in the Custom option. You can clear the selection if you do not want to install the selected programs.

Caution
• During the CD installation process, you may be asked to restart the computer after some of the setup programs.
  Please do not restart the computer until all of the setup programs (included in the type of setup you selected) have been installed.
• When you have completed the installation, you have to restart your computer.

3 Windows Security Settings for TAC Vista

This instruction is valid for TAC Vista IV and TAC Vista 5 and describes the necessary settings when TAC Vista runs under Windows XP with Service Pack 2 (SP2). It also describes the necessary settings when TAC Vista with Web access runs under Windows Server 2003 Service Pack 1 (SP1).

In Windows XP SP2 and Windows Server 2003 SP1, Microsoft introduces a set of security technologies that improve the computer security. Some of the changes concern IP and DCOM communication.

Since Vista uses DCOM to communicate, you have to configure COM security settings to enable communication. TAC Vista Servers (Server-to-Server communication) use TCP/IP to communicate.

Windows Firewall SP2 (included with Windows XP) and Windows Firewall SP1 (included with Windows Server 2003), are switched on by default and stop incoming traffic to the computer. Thus, you have to configure Windows Firewall to allow Vista to communicate.

Important
• The instructions assume that you have an unconfigured and preinstalled Windows XP SP2 or Windows Server 2003 SP1.
• Your Windows Firewall might be controlled by policies and be turned off or turned on and may not allow any exceptions. In this case, contact your local IT department.

Note
• In this instruction My Computer is the designation for the local system. My Computer does not refer to the local computer name.
3.1 Vista System with One Vista Server

[Figure: one computer running TAC Vista Server and Workstation]

In a system with a Vista Server and Workstation installed on the local computer, no changes to the COM security settings are required.

Note
• A stand-alone Vista does not communicate over the network. That is, there is no incoming communication. There is no need to make exceptions in Windows Firewall. When you first start Vista server, Windows asks if you want to keep blocking the server program (TACOS Application). As long as Vista Workstation runs stand-alone, you can keep the application blocked.

3.2 Vista System with Several Vista Servers

[Figure: Computer A and Computer B, each running TAC Vista Server and Workstation, connected over TCP/IP]

In a system with Vista Server and Workstation installed on two or more computers (remote communication), no changes to the COM security settings are required. You have to set Windows Firewall to allow incoming communication to Vista Server.

3.2.1 Setting a Windows Firewall Program Exception

In a system with several Vista Servers, you have to make exceptions for the TACOS application in Windows Firewall to allow Vista Server to receive incoming communication.

To set a Windows Firewall exception

1 Start TAC Vista Server.
2 In the Windows Security Alert dialog box, click Unblock.

Important
• Repeat the procedure for all Vista Servers that participate in network communication.

Notes
• The Windows Security Alert dialog box only appears the first time you start Vista Server.
• When you unblock the Vista Server application (TACOS.exe), it is added to the Windows Firewall exceptions list. The IP ports on which Vista communicates are also added to the list.
• If you want to unblock a blocked application at a later time, you have to add it to the Windows Firewall exceptions list.
• To add a program to the Windows Firewall exceptions list, in Windows Firewall, click the Exceptions tab, click Add Program, browse to TACOS.exe, click OK, and then click OK.
• In this case, you also have to manually add the IP ports on which Vista Server communicates to the Windows Firewall exceptions list.
• By default, Vista communicates on TCPPORT 45612.

3.3 Vista System with Remote Access on a Domain

[Figure: two computers, one running TAC Vista Workstation and one running TAC Vista Server, communicating over DCOM]

In a system with Vista Server installed on one computer and Vista Workstation installed on another computer on a domain, you have to set Windows Firewall to allow incoming communication to Vista Server. You also have to change the COM security settings to enable communication over the network.

3.3.1 Setting a Windows Firewall Program Exception

In a system with remote Vista workstations, you have to make exceptions for the TACOS application in Windows Firewall to allow incoming communication on the computer.

For information on how to unblock Vista Server (that is, add it to the Windows Firewall exceptions list), see Section 3.2.1, “Setting a Windows Firewall Program Exception”, on page 22.

3.3.2 Setting a Windows Firewall Port Exception

In a system with remote Vista Workstations, you have to make exceptions for port 135 (DCOM) in Windows Firewall to allow communication on the port.

To set a Windows Firewall port exception

1 On the computer running Vista Server, start Windows Firewall.

Tip
• You can access Windows Firewall in Control Panel.

2 Click the Exceptions tab.
3 Click Add Port.
4 In the Name box, type "DCOM".
5 In the Port Number box, type "135".
6 Click TCP.
7 Click OK.
8 Click OK.

Note
• In this scenario, you only have to make an exception for port 135 (DCOM), not for Vista TCPPORT.

Repeat the procedure on the computer running the remote Vista Workstation.

3.3.3 Configuring Access Permissions on My Computer

You have to configure the COM security settings to enable communication over the network.

There are two types of COM Security permissions:

• Access permissions
• Launch and Activation permissions

Access permissions define the access an account has to a launched application.

You have to set access permissions on both the computer running Vista Server and the computer running Vista Workstation.

In this scenario, you do not need to configure launch and activation permissions.

To configure access permissions on My Computer

1 On the computer running Vista Server, start Component Services.

Tip
• You can access Component Services in Control Panel under Administrative Tools.

2 In the tree structure, right-click Component Services\Computers\My Computer, and then click Properties.
3 Click the COM Security tab.
4 In the Access Permissions area, click Edit Limits.
5 In the Group or user names area, click ANONYMOUS LOGON.
6 In the Allow column, select Remote Access.

Note
• By granting the remote account ANONYMOUS LOGON remote access permissions, you give Vista Workstation the right to access a Vista Server.

7 Click OK.
Important
• You have to restart your computer for global changes in DCOM settings to take effect.

Note
• On the computers running Vista Workstation, you have to grant the remote account ANONYMOUS LOGON remote access permissions, to give Vista Server the right to access Vista Workstation (callback).

3.4 Vista System with Remote Access in a Workgroup or a Non-NT Domain

[Figure: two computers, one running TAC Vista Workstation and one running TAC Vista Server, communicating over DCOM]

In a system with Vista Server installed on one computer and Vista Workstation installed on another computer in a workgroup or on a non-NT domain, you have to set Windows Firewall to allow incoming communication to Vista Server. You also have to change the COM security settings to enable communication over the network.

3.4.1 Setting a Windows Firewall Program Exception

In a system with several Vista Servers, you have to make exceptions for the TACOS application in Windows Firewall to allow incoming communication on the computer.

For information on how to unblock Vista Server (that is, add it to the Windows Firewall exceptions list), see Section 3.2.1, “Setting a Windows Firewall Program Exception”, on page 22.

3.4.2 Setting a Windows Firewall Port Exception

In a system with several Vista Servers, you have to make exceptions for port 135 (DCOM) in Windows Firewall to allow communication on the port. You have to make the exception on all computers running Vista Server.

For information on how to set a Windows Firewall port exception, see Section 3.3.2, “Setting a Windows Firewall Port Exception”, on page 24.

3.4.3 Configuring Access Permissions on My Computer

Access permissions define the access an account has to a launched application.
You have to set access permissions on both the computer running Vista Server and the computer running Vista Workstation.

Note
• The access permissions on My Computer in a Vista system with remote access in a workgroup or a non-NT domain should be identical to the access permissions on My Computer in a Vista system with remote access on a domain.

For information on how to configure DCOM access permissions, see Section 3.3.3, “Configuring Access Permissions on My Computer”, on page 26.

3.4.4 Configuring Launch and Activation Permissions on My Computer

You have to configure the COM security settings to enable communication over the network.

There are two types of COM security permissions:

• Access permissions
• Launch and Activation permissions

Launch and activation permissions define which account can launch a COM-based application, for example, TAC Vista Server, either on the network or locally.

To configure launch and activation permissions on My Computer

1 On the computer running Vista Server, start Component Services.

Tip
• You can access Component Services in Control Panel under Administrative Tools.

2 In the tree structure, right-click Component Services\Computers\My Computer, and then click Properties.
3 Click the COM Security tab.
4 In the Launch and Activation Permissions area, click Edit Limits.
5 In the Group or user names area, click ANONYMOUS LOGON.
6 In the Allow column, select Remote Activation.

Notes
• By granting the account ANONYMOUS LOGON remote activation permissions, you give Vista Workstation the right to access a remote Vista Server.
• On the computers running Vista Workstation, you have to grant the remote account ANONYMOUS LOGON remote activation permissions in order to give Vista Server the right to access Vista Workstation (callback).

7 In the Group or user names area, click Everyone.
8 In the Allow column, select Remote Activation.

Note
• By granting the account Everyone remote activation permissions, you give Vista Workstation the right to activate a remote Vista Server.

9 Click OK.

Repeat the procedures on all computers running Vista Server.

Note
• On the computers running Vista Workstation, you have to grant the remote account Everyone remote activation permissions, to give Vista Server the right to access Vista Workstation (callback).

3.4.5 Configuring Launch and Activation Permissions on TACOS

Launch and activation permissions define which account can launch a COM-based application, for example, TAC Vista Server, either on the network or locally.

To configure launch and activation permissions on TACOS

1 On the computer running Vista Server, start Component Services.

Tip
• You can access Component Services in Control Panel under Administrative Tools.

2 In the tree structure, right-click Component Services\Computers\My Computer\DCOM Config\TACOS, and then click Properties.
3 Click the Security tab.
4 In the Launch and Activation Permissions area, select Customize, and then click Edit.
5 In the Launch Permissions dialog box, in the Group and users area, click ANONYMOUS LOGON.
6 In the Allow column, select Remote Activation.
7 In the Group or users area, click Everyone.
8 In the Allow column, select Remote Activation.
9 Click OK.

Repeat the procedures on all computers running Vista Server.

3.4.6 Configuring Access Permissions on TACOS

Access permissions define the access an account has to a launched application.

To configure access permissions on TACOS

1 On the computer running Vista Server, start Component Services.

Tip
• You can access Component Services in Control Panel under Administrative Tools.

2 In the tree structure, right-click Component Services\Computers\My Computer\DCOM Config\TACOS, and then click Properties.
3 Click the Security tab.
4 In the Access Permissions area, select Customize, and then click Edit.
5 In the Access Permissions dialog box, in the Group and users area, click ANONYMOUS LOGON.
6 In the Allow column, select Remote Access.

Notes
• By granting the account ANONYMOUS LOGON remote access permissions, you give Vista Workstation the right to access a remote Vista Server.
• On the computers running Vista Workstation, you have to grant the remote account ANONYMOUS LOGON remote access permissions, to give Vista Server the right to access Vista Workstation (callback).

7 In the Group or users area, click Everyone.
8 In the Allow column, select Remote Access.

Note
• By granting the account Everyone remote access permissions, you give Vista Workstation the right to access a remote Vista Server.

9 Click OK.
Important
• You have to restart your computer for global changes in DCOM settings to take effect.

Repeat the procedures on all computers running Vista Server.

3.5 Vista System with Web Access

In a system with Vista Server, Vista Webstation (version 4.3.0 and later), and Vista ScreenMate (version 4.3.0 and later) installed on one computer and a Web browser installed on another computer, you have to change the permissions for the NETWORK SERVICE account (or ASPNET if you are running Windows XP SP2) to enable communication between Webstation and Vista Server.

[Figure: Computer A and Computer B; TAC Vista Server, Webstation, and ScreenMate on one computer, a Web browser on the other, connected via the Internet]

Important
• Running TAC Vista Webstation on Windows XP in customer installations is not generally supported.
• This instruction assumes that you are running TAC Vista on Windows Server 2003 Service Pack 1 (SP1).

3.5.1 Configuring Launch and Activation Permissions on My Computer

Launch and activation permissions define which account can launch a COM-based application, for example, TAC Vista Server, either on the network or locally.

To configure launch and activation permissions on My Computer

1 On the computer running Vista Server, start Component Services.

Tip
• You can access Component Services in Control Panel under Administrative Tools.

2 In the tree structure, right-click Component Services\Computers\My Computer, and then click Properties.
3 Click the COM Security tab.
4 In the Launch and Activation Permissions area, click Edit Default.
5 Click Add.
6 In the Select Users and Groups dialog box, click Locations.
7 In the Locations dialog box, click the local computer name, and then click OK.
8 In the Select Users and Groups dialog box, in the Enter the object names to select box, type “NETWORK SERVICE”.

Important
• If you are running Windows XP SP2, type “ASPNET” instead of “NETWORK SERVICE”.
• Running TAC Vista Webstation on Windows XP in customer installations is not generally supported.

Note
• NETWORK SERVICE and ASPNET are computer accounts under which the server service is run. The accounts provide the security context for the service.

9 Click Check Names.
10 Click OK.
11 In the Launch Permission dialog box, select NETWORK SERVICE.

Important
• If you are running Windows XP SP2, select ASPNET instead of NETWORK SERVICE.

12 In the Allow column, select Local Activation.

Note
• By granting the account NETWORK SERVICE or ASPNET local activation permissions, you give the account the right to access Vista Server.

13 Click OK.

Important
• You have to restart your computer for global changes in DCOM settings to take effect.
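Sections 3.4.4 to 3.5.1 grant ANONYMOUS LOGON and Everyone remote COM rights, so it is useful to be able to list exactly where those grants exist on a host. The following PowerShell audit is an added example, not part of the manual or of TAC Vista; the registry values are the standard Windows COM security settings, and matching the TACOS entry on the AppID key's default value is an assumption.

```powershell
# Added example, not vendor code. Run in an elevated session on each host
# configured per Sections 3.4.4 to 3.5.1. Read-only: it changes no settings.

# Accounts the manual grants remote rights to, keyed by well-known SID.
$Watched = @{ 'S-1-5-7' = 'ANONYMOUS LOGON'; 'S-1-1-0' = 'Everyone' }

# DCOM Config entry named in the manual. Finding it by the AppID key's
# default value is an assumption about how the entry is registered.
$AppName = 'TACOS'

function Get-ComRemoteGrant {
    param(
        [string]$Source,
        [ValidateSet('Launch', 'Access')][string]$Kind,
        [byte[]]$Bytes
    )
    # Value not set: COM falls back to the machine-wide defaults.
    if ($null -eq $Bytes -or $Bytes.Length -eq 0) { return }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    if ($null -eq $sd.DiscretionaryAcl) { return }

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceQualifier -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $Watched.ContainsKey($sid)) { continue }

        # COM rights: 0x01 execute, 0x02 local, 0x04 remote,
        # 0x08 local activation, 0x10 remote activation.
        $mask = $ace.AccessMask
        # Legacy ACEs carry only 0x01, which implies every right.
        if (($mask -band 0x1E) -eq 0 -and ($mask -band 0x01)) { $mask = 0x1F }

        $rights = @()
        if ($mask -band 0x04) { $rights += "Remote $Kind" }
        if ($Kind -eq 'Launch' -and ($mask -band 0x10)) { $rights += 'Remote Activation' }

        if ($rights.Count -gt 0) {
            New-Object psobject -Property @{
                Source  = $Source
                Account = $Watched[$sid]
                Rights  = ($rights -join ', ')
            }
        }
    }
}

$findings = @()

# Machine-wide settings from the COM Security tab of My Computer.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
$findings += Get-ComRemoteGrant -Source 'My Computer: launch limits'   -Kind Launch -Bytes $ole.MachineLaunchRestriction
$findings += Get-ComRemoteGrant -Source 'My Computer: access limits'   -Kind Access -Bytes $ole.MachineAccessRestriction
$findings += Get-ComRemoteGrant -Source 'My Computer: launch defaults' -Kind Launch -Bytes $ole.DefaultLaunchPermission
$findings += Get-ComRemoteGrant -Source 'My Computer: access defaults' -Kind Access -Bytes $ole.DefaultAccessPermission

# Per-application settings from the Security tab of the DCOM Config entry.
Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
    Where-Object { $_.GetValue('') -eq $AppName } |
    ForEach-Object {
        $findings += Get-ComRemoteGrant -Source "$AppName launch ($($_.PSChildName))" `
            -Kind Launch -Bytes ($_.GetValue('LaunchPermission'))
        $findings += Get-ComRemoteGrant -Source "$AppName access ($($_.PSChildName))" `
            -Kind Access -Bytes ($_.GetValue('AccessPermission'))
    }

$findings | Select-Object Source, Account, Rights | Format-Table -AutoSize
```

Each row is a place where an unauthenticated or universal principal can reach COM over the network; comparing the output across hosts shows which machines carry grants beyond what the Vista Server and Workstation roles require.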
3.6 Restrict User Access to TAC Vista Resources

To increase security and integrity of information related to TAC Vista, use Windows built-in users and group security functionality to restrict user access to the following TAC Vista resources (Windows folders, files, and registry entries used by TAC Vista):

• TAC Vista Database
  • Windows Vista – C:\ProgramData\TAC\TAC Vista 5.1.0\Db
  • Windows XP – C:\Documents and Settings\All Users\Application Data\TAC\TAC Vista 5.1.0\Db\
• TAC Vista Application Data
  • Windows Vista – C:\ProgramData\TAC\TAC Vista 5.1.0
  • Windows XP – C:\Documents and Settings\All Users\Application Data\TAC\TAC Vista 5.1.0\
• TAC Vista Registry
  • HKEY_LOCAL_MACHINE\Software\TAC AB\

If the restrictions are too rigid, error messages from TAC Vista may appear when TAC Vista tries to access or change information subject to the restriction. To remove the restriction, perform a Grant Access command in TAC Vista Server Setup.

Note
• The Windows user that runs TAC Vista Server needs to have Full Control permissions.

4 Installing TAC Vista Webstation

If you want to run TAC Vista Web Applications on Windows Server 2003 Standard Edition or Windows Server 2008 Standard Edition, both Internet Information Services (IIS) and ASP.NET have to be installed.

Important
• Both Internet Information Services (IIS) and ASP.NET have to be installed before you start installing TAC Webstation.
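To check the restrictions described in Section 3.6, the following PowerShell audit (an added example, not part of the manual) lists write-capable grants to broad groups on the folders and registry key listed there, and reports whether the server account holds a Full Control entry. `$ServerAccount` is a placeholder, and the choice of which groups count as broad is an assumption.

```powershell
# Added example, not vendor code. Read-only audit of the resources in Section 3.6.

# Placeholder: the Windows user that runs TAC Vista Server on this host.
$ServerAccount = 'HOSTNAME\vista-service'

# Paths and registry key as listed in Section 3.6 (only those present are checked).
$Targets = @(
    'C:\ProgramData\TAC\TAC Vista 5.1.0\Db',
    'C:\ProgramData\TAC\TAC Vista 5.1.0',
    'C:\Documents and Settings\All Users\Application Data\TAC\TAC Vista 5.1.0\Db',
    'C:\Documents and Settings\All Users\Application Data\TAC\TAC Vista 5.1.0',
    'HKLM:\Software\TAC AB'
)

# Assumption: principals treated as "too broad" for write access.
$Broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'ANONYMOUS LOGON'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Write-capable bits shared by file and registry masks: write/set value (0x2),
# append/create subkey (0x4), DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL.
$WriteMask = 0x500D0006

function Get-RawRight($rule) {
    if ($rule -is [System.Security.AccessControl.FileSystemAccessRule]) {
        [int]$rule.FileSystemRights
    } else {
        [int]$rule.RegistryRights
    }
}

try {
    $serverSid = (New-Object System.Security.Principal.NTAccount($ServerAccount)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    $serverSid = $null
    Write-Warning "Cannot resolve '$ServerAccount'; Full Control check skipped."
}

foreach ($path in $Targets) {
    if (-not (Test-Path -Path $path)) { continue }

    # Full Control is 0xF003F for registry keys and 0x1F01FF for files and folders.
    $full = if ($path -like 'HKLM:*') { 0xF003F } else { 0x1F01FF }
    $rules = (Get-Acl -Path $path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $serverHasFull = $false

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $raw = Get-RawRight $rule
        $sid = $rule.IdentityReference.Value

        if ($Broad.ContainsKey($sid) -and ($raw -band $WriteMask)) {
            New-Object psobject -Property @{
                Path    = $path
                Finding = "Write-capable grant to $($Broad[$sid])"
                Mask    = ('0x{0:X8}' -f $raw)
            }
        }
        if ($sid -eq $serverSid -and
            ((($raw -band $full) -eq $full) -or ($raw -band 0x10000000))) {
            $serverHasFull = $true
        }
    }

    # Only direct entries are checked; Full Control inherited through a group
    # membership of the server account is not resolved here.
    if ($serverSid -and -not $serverHasFull) {
        New-Object psobject -Property @{
            Path    = $path
            Finding = "No direct Full Control entry for $ServerAccount"
            Mask    = ''
        }
    }
}
```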
4.1 Activate ASP.NET 4.0

If you want to run TAC Vista Web Applications on Windows Server 2008 Standard Edition, both Internet Information Services (IIS) and ASP.NET 4.0 have to be installed and activated (disabled by default).

Important
• You have to be logged in as a local administrator to be able to perform this procedure.

To activate ASP.NET 4.0

1 In Control Panel, click Administrative Tools and then click IIS Server Manager.
2 Right-click Roles and then click Add roles.
3 Select Web Server (IIS) and then click Next.
4 Click Add Required Features.
5 Click Next twice.
6 Select ASP.net.
7 Click Add Required Role Services and then click Next.
8 Click Install to install ASP.net 4.0.
9 Install TAC Vista Server.
10 Install TAC Vista Webstation.
11 On the Start menu, click Run.
12 In the Open box, type “cmd” to open the command prompt.
13 At the command prompt, type: “C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -i enable” to run the ASP.NET IIS Registration Tool (Aspnet_regiis.exe) for ASP.NET version 4.0.

4.2 Activate ASP.NET 2.0

If you want to run TAC Vista Web Applications on Windows Server 2003 Standard Edition, both Internet Information Services (IIS) and ASP.NET 2.0 have to be installed and activated (disabled by default).

Important
• You have to be logged in as a local administrator to be able to perform this procedure.

To activate ASP.NET 2.0

1 In Control Panel, click Administrative Tools and then click Internet Information Services (IIS) Manager.
2 In the Internet Information Services (IIS) Manager dialog box, in the Internet Information Services tree, expand the tree under the server where TAC Vista Web Applications is installed (usually only the local computer is listed here), and then click Web Service Extensions.
3 In the Web Service Extensions pane, click ASP.NET v2.0.
4 Click Allow.
The status for ASP.NET 2.0 changes from Prohibited to Allowed.
5 Close the Internet Information Services (IIS) Manager dialog box.

4.3 Webstation Themes

In addition to the Webstation/ScreenMate themes included, you can add and configure your own themes. The Style folder in the TAC Vista Web Applications install folder contains folders with various themes.

To create a new theme

1 Browse through the theme folders, select the one that is closest to your new theme, and then copy it.
2 Rename the new folder with the theme name you want to see in the themes list in TAC Vista Web Settings and in TAC Vista Webstation.
3 Open the new folder.
All pages use the Webstation.css file for common layout issues. Edit the Webstation.css file for global layout changes. In addition to this file, every Webstation/ScreenMate page uses a specific CSS file; the file’s purpose can be deduced from its name. Edit this file for local changes.
4 You can edit CSS files to suit your style. A thorough knowledge of HTML and CSS is required.
5 Start TAC Vista Web Settings and click Theme - Colors and Fonts. You can now click the Theme list to check that the newly created theme is added to the list. If you select the new theme, the preview image will be wrong. This is corrected later.
6 Click OK to accept the new theme.
7 Exit TAC Vista Web Settings.
8 Start Webstation and check the result.
9 If you are satisfied with the result, make a screen shot of a suitable view and save it as a .gif file in the images sub folder in your newly created theme folder. The file must be named preview.gif. There is probably a preview.gif file already from when you copied the Default theme folder with all its contents. Before you overwrite the existing preview.gif file, check the dimensions of the existing preview.gif file and save your new screen shot with the same dimensions.
10 Start TAC Vista Web Settings and click Theme - Colors and Fonts. You can now click the Theme list to check that the newly created theme has a preview attached.
11 Exit TAC Vista Web Settings.
12 Open the images subfolder in your theme folder and change the images to suit your needs.
13 Turn on Thumbnails mode in Windows to view miniatures of the images. Do not change the dimensions of these images. If you look at the images and Webstation at the same time, you can see where the images are used.

If you would like to preview your theme as you work with it, start TAC Vista Webstation and select the theme you are working with. You can refresh the screen periodically to see the changes.

4.4 SSL – Secure Sockets Layer

To increase security while sending information between a Web browser and a Web server, encrypted communications using HTTPS should be set up using SSL (Secure Sockets Layer).

Before SSL can be used, an SSL certificate must be created and registered with the Web server, in our case, Internet Information Server (IIS). Normally, when SSL is used in applications that can be accessed by the public, a trusted SSL certificate is purchased from an accredited company such as Verisign.

For temporary protection or testing, a self-signed certificate may be used. Technically, this certificate offers the same encryption as a certificate issued by a CA (Certification Authority); however, it may be perceived as less safe because the server ownership has not been verified by the CA. Self-signed certificates may generate warning messages in Web browsers.

One convenient method of creating a self-signed certificate is to use a tool called SelfSSL. SelfSSL has been developed by Microsoft and is supplied with an IIS 6 Resource Kit. The programs can be downloaded from the Microsoft Web site.
To download SelfSSL, visit www.microsoft.com and search for SelfSSL. Download the IIS 6.0 Resource Kit Tools and follow the installation instructions.

When you have completed the installation you should run SelfSSL.exe with the appropriate parameters to install a certificate and register it with IIS. For example, selfssl.exe /V:365 will install a certificate that is valid for 365 days. More help is given by writing selfssl.exe /? on the command line.

Once the program has been installed you can browse using HTTPS and the standard HTTP. If you wish to restrict browsing to HTTPS this must be set up in IIS. For more details, see the Microsoft documentation for IIS.

Note
• The first time you log in to a TAC Webstation that is installed on a server using SelfSSL, you will get a message saying something like Certificate not signed by a trusted authority. Accept the certificate.

4.4.1 Secure Sockets Layer (SSL) with Dynamic TGML Viewer

To be able to use the dynamic TGML viewer in TAC Vista Webstation, you need to:
• Install a certificate and a keystore on the IIS server
• Set up the IIS to use SSL

To install the certificates

1 In Control Panel, click Administrative Tools and then click IIS Server Manager.
2 Click the root machine node in the left-hand tree-view explorer and then click the Server Certificates icon in the feature pane to the right.
3 In the Actions pane, click the certificate creation action you want to perform. For example, a self-signed certificate.
4 Specify a name for the certificate.
5 When the certificate has been created, select it and click View to the left in the Actions pane.
6 On the Details tab, click Copy to File and then click OK.
7 In the Certificate Export Wizard, click Next to create a certificate .CER file.
8 Click No, do not export the private key and then click Next.
9 Click DER encoded binary X.509 (.CER) format and click Next.
10 Specify a name for the CER file and a location for the CER file and click Next.
11 Click Finish to create the .CER file.
12 Browse to the folder where the .CER file has been created.
13 Run the Java keytool program to create a keystore file, by typing the following at the command prompt:
"C:\Program Files\Java\jdk1.6.0_20\bin\keytool.exe" -import -trustcacerts -keystore VistaWebstation_keystore -file VistaWebstationCert.cer

Important
• Do not change the name of the keystore file. It has to be “VistaWebstation_keystore”.

14 Enter a password when prompted and repeat it.
15 Click Yes to confirm that you trust the certificate.
16 Zip the keystore file.

Important
• Do not change the file name VistaWebstation_keystore.zip.
17 Move the .zip file to the subfolder (Components\JavaTgmlViewer) where you have installed TAC Vista Webstation, for example, C:\Inetpub\wwwroot\TACVistaWeb515\Components\JavaTgmlViewer\VistaWebstation_keystore.zip.

To set up the IIS to run SSL

1 In Control Panel, click Administrative Tools and then click IIS Server Manager.
2 Browse to the web site where you have installed TAC Vista Webstation.
3 In the Actions pane, to the left in the pane, click Bindings.
4 Click Add.
5 Select type: https and then select the SSL certificate you created earlier.
6 Click OK.

To only accept SSL requests

This procedure should be performed right after setting up the IIS to run SSL.

1 Browse to the Webstation application.
2 In the feature pane, click SSL Settings.
3 Check Require SSL and then click Apply in the Actions pane.

Important
• This will prevent the users from connecting to Webstation using http.

Note
• When attempting to view a .tgml graphic in TAC Vista Webstation, the user is now going to be asked a few security confirmation questions.
• The first question is asked when the user logs in to Webstation (continue to the web site).
• The second question is asked when the user clicks a .tgml graphic (confirm to load the Java applet, since the Schneider Electric certificate does not match your self-signed certificate) to confirm that you trust the publisher.
• The third question is asked directly after the second, whether or not to block the loading of the zip-file containing the keystore file (needed by the Java applet to be trusted by the web site).
4.5 Localization

Localization is added by installing the corresponding language pack. A language pack defines both the language and the country/region. If a language pack is not yet available for your country/region you can still change the date format and so on. The language cannot be changed without a language pack. Localization installations are based on Microsoft Windows. To change or set the country/region, use Vista WebApplications Settings.

Available localizations are shown in the Localization list on the Localization page. You can add a localization to the list by creating an empty folder with a specified name syntax. The name must follow the RFC 1766 standard in the format "<language code>-<country/region code>", where <language code> is a lowercase two-letter code according to ISO 639-1 and <country/region code> is an uppercase two-letter code according to ISO 3166. For example, U.S. English is "en-US" and Finnish-Swedish is "sv-SF"; this type of format is called a "localization pair". In cases where a two-letter language code is not available, a three-letter code according to ISO 639-2 is used; for example, the three-letter code "div" is used for communities that use the Dhivehi language.

The localization pair must conform with the localization list in Microsoft .NET: http://../webstation/CultureInfoNames.aspx where .. is replaced with the network address to Vista Webstation.

To add a localization

1 Use Windows Explorer to browse to the localization folder for Vista Webstation, usually C:\Inetpub\wwwroot\TACVistaWeb401\Bin
2 Create a new folder where the folder name is in the format: <language code>-<country/region code>
The file name must conform with the localization code given in the file http://../webstation/CultureInfoNames.aspx where .. is replaced with the network address to Vista Webstation.
The new folder can be left empty.
3 Start Vista Web Applications Settings and set the new localization.

4.6 Utilizing HTTP Compression

If your sites use a lot of bandwidth, or if you would like to make more effective use of your bandwidth, you can enable HTTP compression. HTTP compression speeds up transmission time between compression-enabled browsers and IIS. You can compress only static files, or both static files and dynamic application responses. If your network bandwidth is restricted and your processor utilization is already very high, HTTP compression can be beneficial. This is particularly the case for static files.

For more information about HTTP Compression, visit www.microsoft.com and search for "Utilizing HTTP Compression", "IIS 6.0 Compression with Windows Server 2003", and "HOW TO: Specify Additional Document Types for HTTP Compression".

4.7 Using Vista Webstation Views in Web Portals or as Stand-Alone Browser Views

All views that have an "Add to Favorites" icon on the toolbar can be used as stand-alone views or as integrated parts of, for example, a Web portal. The Vista Webstation link needs to be slightly modified before you can use it.

To extract and modify the link

1 Open the view in Vista Webstation.
2 On the view’s toolbar, click Add to Favorites.
3 Use your browser to help you save the link.
4 Use your browser to locate the link among your Favorites and open the link properties. A typical link looks like this:
http://.../webstation/DefaultPage.aspx?frameset=true&page=...
5 In "frameset=true", change true to false, in our example:
http://.../webstation/DefaultPage.aspx?frameset=false&page=...

The favorite can now be used as a stand-alone view. The link can also be used for a Web portal. Consult your local Webmaster for further details.
4.8 Disabling Worker Process Recycling and Shutdown

If Webstation and/or ScreenMate is rarely used, you can experience occasional delays when loading the login page. You can increase the performance by keeping WebStation or ScreenMate applications in the server’s memory by disabling unloading of the applications.

To disable worker process recycling

1 In the IIS Manager, expand the local computer, expand Application Pools, right-click the application pool you want to configure, and then click Properties.
2 On the Recycling tab, click to clear the Recycle worker processes (in minutes) check box.
3 Click OK.

To disable worker process shutdown

1 In the IIS Manager, expand the local computer, expand Application Pools, right-click the application pool you want to configure, and then click Properties.
2 On the Performance tab, under Idle timeout, click to clear the Shutdown worker process after being idle for (time in minutes) check box.
3 Click OK.

Note
• These settings will affect all applications in the changed application pool.

4.9 Displaying Dynamic TGML Graphics

Webstation can display TGML graphics in two different viewer modes, dynamic or static.

In the Dynamic Mode all TGML graphics are displayed in the same way as in TAC Vista. All animations, scalability and user interactivity are displayed in Webstation.

In the Static Mode a static version of the TGML graphic is displayed in Webstation.

To be able to use the Dynamic Mode, Java must be installed on the client computer.

There are three different alternatives in the TAC Vista Web Settings dialog box:

Table 4.1: TGML Viewer Mode
Viewer Mode | Action
Auto-detect (default mode) | The web browser selects if TGML will be displayed dynamically or statically. If Java is not installed Static mode is selected. If Java is installed Dynamic Mode is selected.
Static | Static display of TGML graphics.
Dynamic | Dynamic display of TGML graphics. If dynamic is selected Java has to be installed. When you open a TGML graphic in the web browser you will be prompted to install Java. A link will direct you to the appropriate Java version stored at TAC. When the Java is installed, TGML graphics will be displayed dynamically.

Fig. 4.1: Java download page

You can at any time change from dynamic to static or from static to dynamic display of TGML graphics using the TAC Vista Web Settings dialog.

4.9.1 Changing TGML Graphics Display Mode

The settings for the display modes of TGML graphics can be changed in the TAC Vista Web Settings dialog at any time. The TAC Web Settings is installed on the Server computer together with TAC Webstation.

To change the TGML graphics display mode

1 In All Programs, point to TAC, point to TAC Vista Web Applications, and then click TAC Vista Web setting.
2 In the TAC Vista Web Settings dialog, click TGML Viewer Mode.
3 In the Select viewer mode for TGML box, select the mode you want to use.
4 Click OK.

5 SQL Technical Information

Before setting up TAC Vista, it can be useful to know the basics about SQL privileges and the roles that provide the SQL database user with these privileges.

If you have an existing Microsoft SQL Server 2000 Desktop Engine or SQL Server 2005 Express Edition log database and want to change to a SQL database with more storage capacity, you probably want to migrate the log data from the existing log database to a new one.
5.1 TAC Vista and SQL Privileges

TAC Vista allows two configuration modes for its SQL Server:
• Typical
• Custom

The typical configuration gives TAC Vista full control of the SQL Server installation, and generally uses SQL Server 2005 Express Edition as its storage engine on the local machine.

The custom configuration, however, lets you set up the log database in Microsoft SQL Server 2000 Standard/Enterprise Edition or Microsoft SQL Server 2005 Workgroup/Standard/Enterprise Edition.

Reasons to choose a custom configuration may be:
• The site already has an existing SQL Server that serves a number of different applications.
• The site organization is security-conscious, and wants to lock down its SQL Server attack surface as much as possible.
• The SQL Server Express Edition 4GB limit per database risks becoming a capacity issue.

This section describes what privileges TAC Vista requires in the respective modes, and why.

5.1.1 Feature Background

There are currently two major features with high-privilege requirements:
• Integrated backup/restore
• Automatic schema upgrade

Integrated Backup/Restore

TAC Vista provides a minimal backup agent that can perform SQL backups on the same time schedule as the one that performs Vista database backups. SQL Server has to be located on the same computer as TAC Vista Server for the integrated backup to work.

At restore time, the database needs to be post-processed to be accessible by TAC Vista. A restore function ensures the restored data is prepared for use. To be able to prepare the database, TAC Vista needs to connect to SQL Server with sysadmin privileges. If you select Typical SQL configuration, the installation program automatically sets up a SQL login with the sysadmin server role.

Automatic schema upgrade

The SQL database schema is the logical structure of the log database at a given time.
The database schema may be changed between TAC Vista versions. Whenever the database schema is changed, the changes need to be integrated into running systems when TAC Vista is upgraded to the new version.

At start-up, TAC Vista Server checks the current schema version of its attached log database and if the schema version does not match the expected, the server runs one or more upgrade scripts in order to make the schema compatible. This way, improvements can be made to the log database without disturbing the existing installation. The existing installation will self-adjust to the new schema.

In order for TAC Vista Server to be able to perform the upgrade steps, its SQL database user needs to hold at least the database roles db_ddladmin and db_datawriter.

5.1.2 Typical SQL Configuration

If you choose Typical SQL configuration, the TAC Vista installation program takes care of the settings based on whether or not there have been previous SQL settings.

The TAC Vista setup program installs Microsoft SQL Server 2005 Express Edition on the local computer, and uses fixed names for the server instance and database. The database is configured so that TAC Vista connects with a SQL database user that is a member of the sysadmin server role. This gives TAC Vista the opportunity to enable both the integrated backup/restore and automatic schema upgrade features.

Typical SQL configuration is intended for sites where:
• The organization wants to avoid license costs for a commercial edition of SQL Server.
• You want TAC Vista to manage SQL maintenance tasks.
• The expected log database requirements do not exceed 4GB.

5.1.3 Custom SQL Configuration

For organizations with more specific requirements as to their log storage, Custom SQL configuration gives more options - at the expense of more responsibility.
In this mode, the setup program does not force server names and locations, database names, or connection details. You can install and configure SQL Server at any time and have TAC Vista access it using either SQL or Windows authentication, and with a minimum of privileges.

As a consequence, TAC Vista can no longer do integrated backups, as there is no guarantee that SQL Server is located on the same computer. This means that organizations have to set up a maintenance plan on SQL Server, separate from TAC Vista.

By default, automatic schema upgrade is unavailable. An administrator can enable it by adding the db_ddladmin and db_datawriter roles to the TAC Vista SQL database user. There is a simple trade-off between security and convenience, and the default choice is to favor security.

If automatic schema upgrade fails due to insufficient privileges or other issues, an upgrade script is generated so that you can manually upgrade the schema with any SQL tool.

5.1.4 Privilege Comparison Chart

The table shows the differences in privilege requirements for the typical vs. custom configuration modes.

Table 5.1: Privilege Comparison Chart
Configuration Mode | Role | For What? | Optional
Typical | sysadmin | Integrated backup/restore, automatic schema upgrade | No
Custom | db_ddladmin, db_datawriter | Automatic schema upgrade | Yes

5.2 SQL Configuration Troubleshooting

If you run into problems when configuring SQL Server for TAC Vista, there can be a number of causes.

5.2.1 Errors that Require SQL Server Reconfiguration

Some errors will stop you from continuing the installation, because the final setup will not work, as TAC Vista is configured to communicate with SQL Server in ways that SQL Server was not configured to allow.
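The privilege split in Section 5.1 and Table 5.1 can be verified against a live server. The following PowerShell check is an added example, not part of the manual; the instance, database and login names are placeholders, and the catalog views it queries require SQL Server 2005 or later.

```powershell
# Added example, not vendor code. Read-only: reports which of the roles in
# Table 5.1 the TAC Vista SQL login actually holds.
function Get-VistaSqlPrivilege {
    param(
        [string]$Instance   = '.\SQLEXPRESS',     # placeholder instance name
        [string]$Database   = 'VistaLogDb',       # placeholder log database name
        [string]$VistaLogin = 'vista_log_user'    # placeholder login used by TAC Vista
    )

    # Result set 1: server-level sysadmin membership of the login.
    # Result set 2: database roles held by the user mapped to that login.
    $query = @'
SELECT IS_SRVROLEMEMBER('sysadmin', @login) AS IsSysadmin;
SELECT r.name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.sid = SUSER_SID(@login);
'@

    # Connects as the current Windows user, who needs rights to view this metadata.
    $connStr = "Server=$Instance;Database=$Database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection($connStr)
    $roles = @()
    $isSysadmin = $false
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        [void]$cmd.Parameters.AddWithValue('@login', $VistaLogin)
        $reader = $cmd.ExecuteReader()
        # NULL means the login is unknown or not visible to the caller.
        if ($reader.Read() -and -not $reader.IsDBNull(0)) {
            $isSysadmin = ($reader.GetInt32(0) -eq 1)
        }
        [void]$reader.NextResult()
        while ($reader.Read()) { $roles += $reader.GetString(0) }
        $reader.Close()
    } finally {
        $conn.Dispose()
    }

    # Roles the manual names for automatic schema upgrade in Custom mode.
    $needed  = 'db_ddladmin', 'db_datawriter'
    $missing = @($needed | Where-Object { $roles -notcontains $_ })
    $other   = @($roles  | Where-Object { $needed -notcontains $_ })

    $assessment =
        if ($isSysadmin) { 'sysadmin: Typical-level privileges' }
        elseif ($missing.Count -eq 0) { 'Custom: automatic schema upgrade enabled' }
        else { 'Custom: automatic schema upgrade unavailable' }

    New-Object psobject -Property @{
        Login         = $VistaLogin
        IsSysadmin    = $isSysadmin
        DatabaseRoles = ($roles -join ', ')
        MissingRoles  = ($missing -join ', ')
        OtherRoles    = ($other -join ', ')   # anything beyond the two named roles
        Assessment    = $assessment
    }
}

Get-VistaSqlPrivilege | Format-List
```

On a Custom installation, `IsSysadmin` being true or an unexpected entry in `OtherRoles` (for example db_owner) means the login holds more than the manual says that mode requires.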
SQL Server is Not Configured to Support SQL Server Authentication

This error occurs if you have selected SQL Server authentication and attempted to connect to a SQL Server that is not configured to support SQL Server authentication. To solve the problem, you can either select Windows authentication for your Vista installation or configure SQL Server to allow mixed-mode authentication. For information on authentication, see Section 2.1.1, “Authentication”, on page 14.

SQL Server Cannot be Found

If you are sure that you typed the name of the SQL Server instance correctly in the SQL Server name box, it is possible that SQL Server does not allow remote connections. For information on how to configure SQL Server to allow remote connections, see Section 2.2, “Connecting to a Remote SQL Server”, on page 16.

5.2.2 Amendable Errors

If the problem is neither caused by SQL Server authentication configuration nor by SQL Server not allowing remote connections, the installation program allows you to try to remedy the problem and then continue. These problems could be solved on the SQL Server side, but can also be worked around in the installation. Error messages of this kind are presented in the Select SQL Admin Login or Generate Scripts dialog box. Listed below are the most common types of amendable errors.

Login failures

If the error message mentions login failures, you may want to investigate whether:
• Your SQL login information is correct.
• Your Windows account is added as a login in SQL Server.
• You are using Windows authentication but not using a domain account when attempting to connect to a remote SQL Server. This is not a supported configuration. You must either use SQL Server authentication or a domain account.
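The checks from sections 5.2.1 and 5.2.2, together with the roles in Table 5.1, can be run as read-only T-SQL queries. This is an added example, not part of the manual; vista_log_login is a placeholder for the login TAC Vista connects with, and taclogdata is assumed as the log database name (the Typical name; substitute your own under Custom).

```sql
-- Added example, not from the TAC Vista manual. Read-only checks only.
-- Assumptions: log database named taclogdata; vista_log_login is a placeholder.
-- Run with a login that may view server principals (for example a sysadmin).
USE taclogdata;

DECLARE @login sysname;
SET @login = N'vista_log_login';   -- placeholder login or DOMAIN\account

-- 5.2.1: SQL Server authentication only works when the server is in mixed mode.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
           WHEN 1 THEN 'Windows authentication only'
           ELSE 'Mixed mode'
       END AS authentication_mode;

-- 5.2.2 "Login failures": is the SQL login or Windows account known and enabled?
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = @login;

-- Table 5.1: database roles held by the database user mapped to that login.
SELECT u.name AS database_user, r.name AS database_role
FROM sys.server_principals AS l
JOIN sys.database_principals AS u ON u.sid = l.sid
LEFT JOIN sys.database_role_members AS m ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
WHERE l.name = @login;

-- Summary against Table 5.1. Under Custom configuration a sysadmin result
-- means the login holds more privilege than the manual requires.
SELECT CASE
    WHEN IS_SRVROLEMEMBER('sysadmin', @login) = 1
        THEN 'sysadmin: required for Typical, more than Custom needs'
    WHEN (SELECT COUNT(*)
          FROM sys.server_principals AS l
          JOIN sys.database_principals AS u ON u.sid = l.sid
          JOIN sys.database_role_members AS m ON m.member_principal_id = u.principal_id
          JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
          WHERE l.name = @login
            AND r.name IN ('db_ddladmin', 'db_datawriter')) = 2
        THEN 'db_ddladmin + db_datawriter: automatic schema upgrade enabled'
    ELSE 'minimum privileges: automatic schema upgrade unavailable'
END AS privilege_assessment;
```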
Insufficient privileges to create or reconfigure log database

The selected authentication mode decides whose privileges are used to create or reconfigure the log database on the specified SQL Server.

When you have selected SQL Server authentication, the installation attempts to create or reconfigure the log database using the provided SQL Server login and password. If it turns out that this user does not have enough privileges to perform the installation tasks, the installation falls back and uses the logged-on Windows account to connect to SQL Server.

When you have selected Windows authentication, there is no such fallback. The Windows account used to log on to the computer is always used for creating or reconfiguring, and never the Windows account provided for TAC Vista log database access.

If the error message says that you do not have sufficient privileges to create or reconfigure the selected log database, this means that the login used by the installation is not a sysadmin on SQL Server.

5.2.3 Select SQL Admin Login or Generate Scripts

In the Select SQL Admin Login or Generate Scripts dialog box you can do either of the following:
• Type name and password for a SQL login with sysadmin rights on SQL Server.
• Generate SQL scripts that you can give to a SQL administrator who can run the script on SQL Server and solve the problem.

Use a SQL login with sysadmin rights

Select the Use a SQL admin login option to give the installation a SQL Server login and password it can use to complete its work. TAC Vista is still configured to use the login information you provided earlier, but the installation will be able to create or reconfigure the log database using this sysadmin login.

Note
• This requires that the SQL Server be configured to accept Mixed mode authentication.
For information on authentication, see Section 2.1.1, “Authentication”, on page 14.

Generate SQL scripts

Select this option when you do not have a SQL Server login with sysadmin privileges. SQL Server may be managed by someone else, such as the customer’s IT department. You can generate an installation script that matches your settings and give it to the customer SQL administrator, who can run the script on SQL Server. The TAC Vista installation requires that the log database is created or reconfigured using the appropriate script, before the installation program is run again. Write down the connection details, so you can use the same information next time you run the installation.

5.3 Manual Log Database Schema Upgrade

The SQL database schema is the logical structure of the log database at a given time. The database schema may be changed between TAC Vista versions. Whenever the database schema is changed, the changes need to be integrated into running systems when they are upgraded to the new version. At start-up, TAC Vista Server checks the current schema version of its attached log database and, if the schema version does not match the expected version, the server runs one or more upgrade scripts in order to make the schema compatible. If this process fails, TAC Vista Server generates a single upgrade script, which you can use to upgrade your log database manually.

TAC Vista Server cannot run if the schema version is incorrect, so if the automatic upgrade fails, it will show the following message and immediately shut down:

You can use the generated script to upgrade the log database to the version matching TAC Vista Server. Make sure that you run the script on the SQL Server and in the database configured for the same TAC Vista Server that showed the failure message.
You can find the SQL Server name and log database name in TAC Vista Server Setup. Use a generic SQL tool to run the script, for example, OSQL.EXE or SQL Server Management Studio.

5.4 Log Data Migration

If you want to move your log data from one SQL Server to another, for example, because you need more storage capacity, you have to start by migrating the data from the existing log database to the new log database. Migration means that you move the database from one location to another. You do this in a generic SQL tool by using either backup/restore or detach/attach.

Important
• You have to back up the database to a folder to which SQL Server has write permissions.
• The default Backup folder under the SQL Server installation folder is prepared with the correct permissions by the SQL Server setup.
• Use an account with SYSADMIN privileges to connect.

Note
• Usually, you have to change the file names and paths to match the SQL Server’s data directory and database name.

5.4.1 Reconfiguring SQL Server Settings for TAC Vista

In order for TAC Vista to find the migrated log data, you also have to reconfigure the SQL Server settings for TAC Vista. This is done in TAC Vista Server Setup.

To reconfigure SQL Server Settings for TAC Vista
1 In TAC Vista Server Setup, click the SQL Server tab.
2 In the SQL configuration area, select the SQL Server name box.
Note
• If you are using Typical SQL configuration, the name of the SQL Server instance is TACVISTA.
3 Select the new SQL Server.
4 In the Log database name box, type the name of the backed up log database.
Notes
• If you are using Typical SQL configuration, the name of the log database is taclogdata.
• If you are using Custom SQL configuration, select Authentication, type a SQL login or Windows account and a password.
5 Click OK.
Note
• If TAC Vista Server Setup asks if you want to reconfigure the log database, click Yes.

For more information on how to configure the SQL Server Settings for TAC Vista, see Help in TAC Vista Server Setup.
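The backup/restore route from section 5.4, as an added T-SQL example that is not part of the manual. Every path and the two logical file names in the MOVE clauses are placeholders, and taclogdata is assumed as the log database name (the Typical name).

```sql
-- Added example, not from the TAC Vista manual. Connect as a sysadmin login.
-- Placeholders: every path below, and the two logical file names in MOVE.

-- 1. On the existing SQL Server: back up the log database to a folder the
--    SQL Server service can write to (for example its default Backup folder).
BACKUP DATABASE taclogdata
TO DISK = N'<backup-folder>\taclogdata.bak'
WITH INIT, CHECKSUM;

-- 2. Check that the backup set is complete and readable before copying it.
RESTORE VERIFYONLY
FROM DISK = N'<backup-folder>\taclogdata.bak'
WITH CHECKSUM;

-- 3. On the new SQL Server: list the logical file names stored in the backup.
RESTORE FILELISTONLY
FROM DISK = N'<new-backup-folder>\taclogdata.bak';

-- 4. Restore, pointing each logical file at the new server's data directory.
RESTORE DATABASE taclogdata
FROM DISK = N'<new-backup-folder>\taclogdata.bak'
WITH MOVE N'<logical-data-file>' TO N'<data-directory>\taclogdata.mdf',
     MOVE N'<logical-log-file>'  TO N'<data-directory>\taclogdata_log.ldf',
     CHECKSUM,
     RECOVERY;

-- 5. List database users whose SID matches no login on the new server.
--    A SQL login recreated under the same name gets a new SID, so the
--    restored user stays orphaned and cannot open the database until remapped.
USE taclogdata;
EXEC sp_change_users_login 'Report';
```

Run step 5 before reconfiguring TAC Vista Server Setup, so that a mismatch between the restored database user and the new server's login shows up here rather than as a login failure in TAC Vista.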
Copyright © 2006-2011, Schneider Electric Buildings AB. All brand names, trademarks and registered trademarks are the property of their respective owners. Information contained within this document is subject to change without notice. All rights reserved. 04-00001-05-en

For more information visit www.schneider-electric.com/buildings