Presentation is loading. Please wait.

Presentation is loading. Please wait.

Channel Access Security 2006 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 2 Channel Access Security  The IOC Application.

Published byJulianna Morgan Modified over 8 years ago

Similar presentations

Presentation on theme: "Channel Access Security 2006 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 2 Channel Access Security  The IOC Application."— Presentation transcript:

1 Channel Access Security 2006 kasemirk@ornl.gov

2 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 2 Channel Access Security  The IOC Application Developer's Guide has a full chapter about AS, about 20 pages for the R3.14.8 release.  The CA server decides what type of access is permitted. For the IOC, this is implemented as follows:  Each record is assigned to an Access Security Group by setting its ASG field  "DEFAULT", "VAC_ENGINEER", …  Each ASG is defined via Rules. Read and write permissions depend on the  Name of the user who runs the CA client  Name of the computer on which the CA client runs  Type of record field (two, fixed categories)  Optionally a CALC-record type computation

3 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 3 Pros and Cons  CA Security is very flexible  Prohibit "write" access to a list of PVs, unless accessed by  Specific user  At specific computer  Under specific circumstances (machine mode, …)  Limitations  Designed for high performance in "friendly" environment.  Won't affect access via IOC shell.  User and computer names are sent by client, without authentication, in clear text.  Meant to aid operations, avoid mistakes, not to prevent malicious attacks.

4 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 4 Default Setup  Doing nothing is equivalent to this:  Create file "as.cfg": ASG(DEFAULT) { RULE(1, READ) RULE(1, WRITE) }  Add this line to your st.cmd: asSetFilename("path_to_the_file/as.cfg")  Result:  Every record uses the "DEFAULT" ASG.  … which allows full read/write.  The 'asprules' and 'asdbdump' commands now show something (on vxWorks, use 'asDump')  Caveat:  If the AS config file does not exist or contains an error, all access is prohibited!  Use 'ascheck' on the host before loading a file into the IOC.

5 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 5 Read-Only Example  Group that allows read, but no write: ASG(READONLY) { RULE(1, READ) }  To have an effect, set the ASG field of at least one record to READONLY.  One can change ASG fields at runtime.  Via Channel Access, unless AS prohibits it…  'caput' will show that the old and new values stay the same  EDM will change cursor when over read-only field.

6 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 6 Restricted Example  Limit write access to  members of a user access group UAG,  while on a computer in the host access group HAG: UAG(x_users) { ubuntu } HAG(x_hosts) { ubuntu } ASG(X_TEAM) { RULE(1, READ) RULE(1, WRITE) { UAG(x_users) HAG(x_hosts) } }  Caveats:  The CA client library sends the user and host names to the server. Especially the host name can be tricky:  It's not the client's IP address!  It's the result of the 'hostname' command,  … which might differ from the DNS name  The 'casr' command on the IOC can sometimes help to show who and from where is connecting via CA, and the 'asdbdump' command shows who they pretend to be.

7 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 7 Mode-Based Example  Limit write access to times where some variable meets some criteria  ASG(MODE) { INPA(tx:setpoint) RULE(1, READ) RULE(1, WRITE) { CALC(A < 50) } }  This is based on the same code as the 'CALC' record  One can assign inputs 'A' to 'L'.  The computation should result in 0 or 1, the latter allowing access.

8 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 8 RULE(, )  is 0 or 1.  The dbd file assigns each field to an access security level. Fields that are typically changed during operation are on level 0.  Example: For the AI record, VAL is level 0, the rest is level 1.  Rules for level 1 also grant access to level 0.  Example: Everybody can write 'VAL' (level 0), but restrict other fields: ASG(WRITE_SOME) { RULE(1, READ) RULE(0, WRITE) RULE(1, WRITE) { UAG(x_users) HAG(x_hosts) } }  is NONE, READ, or WRITE  Plus an optional TRAPWRITE, which will cause invocation of a 'trap write listener', i.e. custom C code that might be added to the IOC. This can be used to log write access by user and host, it doesn't otherwise affect access security.

9 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 9 And that's all I have to say about that!

10 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 10 Acknowledgements  Material and ideas have been copied from the IOC Application Developer's Guide  Marty Kraimer, Janet Anderson, Andrew Johnson (APS) and others

Download ppt "Channel Access Security 2006 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 2 Channel Access Security  The IOC Application."

Similar presentations

Make This work with EPICS! 2006

Make This work with EPICS! 2006
CLS Process Variable Database By: Diony Medrano. CLS PV Database - Topics Background Design Constraints Design and Implementation Benefits and Future.

CLS Process Variable Database By: Diony Medrano. CLS PV Database - Topics Background Design Constraints Design and Implementation Benefits and Future.
1 1999/Ph 514: Working With an IOC EPICS Working with an IOC Marty Kraimer APS.

1 1999/Ph 514: Working With an IOC EPICS Working with an IOC Marty Kraimer APS.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
EPICS Base R3.14.11 and beyond Andrew Johnson Computer Scientist, AES Controls Group.

EPICS Base R and beyond Andrew Johnson Computer Scientist, AES Controls Group.
EPICS Channel Access Overview 2006

EPICS Channel Access Overview 2006
1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.
Channel Access Protocol Andrew Johnson Computer Scientist, AES Controls Group.

Channel Access Protocol Andrew Johnson Computer Scientist, AES Controls Group.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
14.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

14.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.

Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
Cambodia-India Entrepreneurship Development Centre - : :.... :-:-

Cambodia-India Entrepreneurship Development Centre - : :.... :-:-
The Soft-IOC Based Alarm Handler – an Operations View Pam Gurd October 31, 2007.

The Soft-IOC Based Alarm Handler – an Operations View Pam Gurd October 31, 2007.
Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.

Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.
Using the Windows Event Viewer and Task Scheduler Chapter 5.

Using the Windows Event Viewer and Task Scheduler Chapter 5.

Similar presentations

Ads by Google