This selection from the main Platform Administration view lets you change that platform’s authentication. This affects the login used to access the host’s platform daemon. Depending on the type of platform currently opened (QNX-based or Windows-based), update authentication provides different dialogs, as follows:
QNX-based platforms: Digest platform authentication
Win32-based platforms, either:
Digest platform authentication is the only method for a QNX-based host or Linux-based Supervisor, and is an alternative for a Windows-based host. The associated Authentication dialog lets you change the single platform account credentials (user name and password), as shown in Figure 46.
Credentials are case-sensitive. For example, PlatUser and Platuser are not the same.
When commissioning a new JACE, always change platform credentials from the defaults! Note that the Commissioning Wizard includes a step for this (“Platform daemon authentication”). Do not omit this step. A JACE installed with default platform credentials is extremely susceptible to unauthorized intrusion! Further, in AX-3.8 there are related “warnings”. See Improvements to AX-3.8 digest authentication.
The following sections provide more details:
In digest authentication, platform user name can be as follows:
If QNX-based host, a maximum of 14 alphanumeric characters (a - z, A - Z, 0 - 9), where the first character must be alphabetic, and following characters either alphanumeric or underscore ( _ ).
If Windows-based host, any number of alphanumeric characters, including hyphens and underscores.
In digest authentication, platform password for both QNX-based and Win32-based hosts can be any combination of alphanumeric characters, including common punctuation (! @ # $ %). This permits a strong password.
A “strong password” is highly recommended. Some basic guidelines on strong passwords:
Use both upper and lower case.
Include numeric digits.
Include special characters.
Don’t use dictionary words.
Don’t use company name.
Don’t make the same as the user name.
Don’t use common numbers like telephone, address, birthday, and so on.
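The user-name rules and password guidelines above can be checked before credentials are entered during commissioning. The following is an added example, not code from the Niagara documentation or product. The host labels, the sample dictionary, the company name and the placeholder default pair are assumptions made for illustration, and the guideline about telephone numbers, addresses and birthdays is not checked because it needs site knowledge.

```python
import re
import string

# User-name rules as stated above. The dictionary sample and the default
# pair passed in by the caller are constructed for illustration.
QNX_USER = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,13}")   # max 14, first alphabetic
WIN_USER = re.compile(r"[A-Za-z0-9_-]+")               # any length
SAMPLE_DICTIONARY = {"password", "welcome", "station", "control"}


def user_name_ok(name, host):
    """host is 'qnx' or 'win32' (hypothetical labels for the two host types)."""
    pattern = QNX_USER if host == "qnx" else WIN_USER
    return pattern.fullmatch(name) is not None


def password_problems(password, user_name, company="", known_defaults=()):
    """Return the guideline violations found; an empty list means none."""
    low = password.lower()
    problems = []
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("use both upper and lower case")
    if not any(c.isdigit() for c in password):
        problems.append("include numeric digits")
    if not any(c in string.punctuation for c in password):
        problems.append("include special characters")
    if any(word in low for word in SAMPLE_DICTIONARY):
        problems.append("contains a dictionary word")
    if company and company.lower() in low:
        problems.append("contains the company name")
    # Logins are case-sensitive, but a password differing from the user name
    # only by case is still treated as "the same" here.
    if low == user_name.lower():
        problems.append("same as the user name")
    if (user_name, password) in known_defaults:
        problems.append("factory default credentials")
    return problems


if __name__ == "__main__":
    defaults = [("<default-user>", "<default-password>")]  # placeholder pair
    for user, pw in [("PlatUser_01", "Tr7!kq#Zm2"), ("PlatUser", "platuser")]:
        print(user, user_name_ok(user, "qnx"), password_problems(pw, user, "Acme", defaults))
```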
In digest authentication, when changing credentials (user name or password, or both), your new credentials become immediately effective when you click . If you previously had “Remember these credentials,” selected in the Authentication login dialog, the cached credentials are automatically updated. For related details, see the “Credentials manager” section in the User Guide.
In AX-3.8, improvements were made in platform digest authentication and JACE security, as follows:
Platform digest credentials now use a strong, two-way AES-256 encryption technique, utilizing the unique keyring and key material file of the host (JACE).
Platform digest credentials were relocated to a more secure location in the registry of the host platform (e.g. JACE).
Any AX-3.8 JACE controller operating with factory default platform credentials issues warnings seen with an AX-3.8 Workbench platform connection to it, in these areas:
In the Platform Administration view, a yellow box WARNING remains in the bottom right area of this view: Factory default platform credentials detected

This warning remains until you change the credentials to non-defaults, using from this same Platform Administration view.
In the Application Director view, upon station startup a text warning is seen in station output before any other messaging.

As shown above, this warning precedes all other station output, and it repeats upon each station start until you change the platform credentials to non-defaults.
Note that, related to this change in AX-3.8 digest platform credentials, station backups no longer store platform credentials, which can affect backup restoration behavior. For related details, see AX-3.8 changes to backup dist usage.
A Win32-based platform can use either digest or basic (native Windows OS user based) authentication for Niagara platform access.
Digest platform authentication provides good protection against password eavesdropping. However, there is only one level of platform login access, using a single platform user account.
Basic platform authentication provides integration with existing Windows installations, and provides two levels of platform access. However, it does not protect against password eavesdropping.
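The eavesdropping difference between the two methods, as an added example that is not code from the Niagara documentation or product. It assumes the platform's basic and digest methods follow the standard HTTP schemes of the same names (the digest form shown is the RFC 2617 response without qop), which this page does not state; the realm, URI, nonces and credentials are constructed sample values.

```python
import base64
import hashlib


def basic_header(user, password):
    """Authorization value for HTTP Basic: base64 of 'user:password'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def read_basic_header(header):
    """Base64 is an encoding, so anyone who sees the header reads the password."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, nonce, method, uri):
    """HTTP Digest response (RFC 2617 form without qop): only a hash is sent."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


if __name__ == "__main__":
    # Constructed sample values; realm, URI and nonces are hypothetical.
    user, password = "PlatUser", "Tr7!kq#Zm2"
    hdr = basic_header(user, password)
    print("basic on the wire :", hdr)
    print("observer recovers :", read_basic_header(hdr))
    for nonce in ("nonce-A", "nonce-B"):
        print("digest on the wire:", digest_response(user, "platform", password, nonce, "GET", "/"))
```

Because the digest response is derived from the password, the protection it gives depends on the password being hard to guess, which is the point of the strong-password guidelines.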
For any Win32-based host, including a JACE-NXS, when you update platform authentication, a dialog asks you to select one of the two methods, as shown in Figure 47.
If you select digest authentication, upon you go to the authentication dialog to set the single platform login account (Figure 46). There is no linkage between Windows OS user accounts and the platform administrator.
If you select basic authentication, you go to a different dialog where you can assign one existing Windows user group to each of the two possible levels of platform access.
If the host platform is currently configured for digest authentication, and you change to basic authentication, you first see a login dialog, as shown in Figure 48. If already configured for basic authentication, you go directly to the basic authentication dialog (Figure 49).
This basic authentication dialog lets you select one Windows group for each of the two levels of platform access. In addition, the “Stations” checkbox determines whether certain platform writes from a station are allowed.
For more details, see the next sections station access and levels of platform access.
A “Stations” checkbox in the basic authentication dialog (Figure 49) allows you to disable any station user from changing TCP/IP settings, system time, or rebooting the host by accessing the station’s PlatformServices.
In general, for a Windows-based JACE, you should leave the Stations checkbox enabled, as shown. However, for a Supervisor (PC) platform, you may wish to clear the Stations checkbox, particularly if the local IT department has host access concerns.
Basic platform authentication provides two levels of platform access, which are determined by a user’s group membership(s). The levels of platform access are:
User
Platform access at this level allows full use of most Workbench platform views. This includes the ability to change platform daemon HTTP port, install or delete licenses and stations (including the one running), also to install, re-install, or upgrade the platform dist file and/or modules, and to start, re-start, or stop a station.
Admin
Full access. This includes all user-level platform operations, plus the ability to configure host TCP/IP settings and dialup configuration, change platform authentication, change host date/time settings, use the File Transfer Client, and reboot the host.
When platform-connected at the user level (vs. admin), some platform views are read only. This includes views for TCP/IP Configuration and User Manager. In addition, some Platform Administration view buttons are unavailable, as shown in Figure 50.
Platform access to a remote Windows-based host (JACE-NXT, JACE-NXS) also provides a User Manager view in which you can manage Windows users and groups local to that host.
For platform admin level access, you can select from a list of user groups known to Windows on that host, as shown in Figure 51.
Groups include Windows “built-in” user groups (which include a “BUILTIN” or “NT AUTHORITY” prefix), as well as any locally-defined user groups. If the remote host has been added to a Windows domain, groups defined in that domain are also listed and available.
Domain groups are limited to only those in which the login user is a member.
If a user has membership in both assigned Windows user groups, upon successful platform login they have admin-level platform access.
Default group selections for a Niagara Win32 installation (either Workbench/Supervisor installation or a factory-shipped JACE-NXS) are as follows:
User Group — BUILTIN/Users
Admin Group — BUILTIN/Administrators
Copyright © 2000-2014 Tridium Inc. All rights reserved.