System Settings Procedures

Select any of the following procedures for working with the different expanders that display when you select System in the SMC tree.

Prerequisites:

  • You have launched the System Management Console (SMC) and System is selected in the SMC tree.

Configure the System Account

Use this procedure to change the default value for the System Account user. The System Account user is a user that internally runs the Pmon service of the project and is the HDB user. It is recommended to configure the System Account user before creating a project and an HDB. Once created it is set for all the projects available in SMC.

  • The Windows (domain/local) user to be configured as System Account user has Log On as Service right set.
  1. In the Settings expander, select System Account.
  1. Select Specific account.
  1. Click Browse.
  1. You can either select an existing user from the Current Station tab or click the Other Domains tab, and then do the following:
    a. (Optional) Select a Domain to change the default.
    b. Enter a user name or user account.
    c. Click Check Name to locate all matching or similar object names.
    d. Select the user name that displays in the list.
    e. Click OK.
  1. Enter a password.
  1. Click Save.
    NOTE: If you cannot configure the domain user as Pmon user on the domain controller machine, see Cannot Configure Domain User as a System Account User.
  • The user accounts are configured.

 

Configure the HDB Service Account

Use this procedure to change the default value for the HDB Service Account user. The HDB Service Account user is a user that internally runs the Siemens GMS HDB Service and is the HDB service user. It is recommended to configure the HDB Service Account user before creating the HDB. Once created it is set for all the HDBs available in SMC.

  • The Windows (domain/local) user to be configured as HDB Service Account user has Log On as Service right set.
  1. In the Settings expander, select HDB Service Account.
  1. Select Specific account.
  1. Click Browse.
  1. You can either select an existing user from the Current Station tab or click the Other Domains tab, and then do the following:
    a. (Optional) Select a Domain to change the default.
    b. Enter a user name or user account.
    c. Click Check Name to locate all matching or similar object names.
    d. Select the user name that displays in the list.
    e. Click OK.
  1. Enter a password.
  1. Click Save.
    NOTE: If you cannot configure the domain user as HDB Service Account user on the domain controller machine, see Cannot Configure Domain User as a System Account User.
  • The user accounts are configured.

 

Create a Default Management Platform User Account

Creating a default Desigo CC user account is a one-time procedure required the first time you start the closed mode. This procedure creates a default Desigo CC user account, which also creates a corresponding Windows user account in the Windows User Group. This account is required to run a Windows service that runs the Desigo CC closed mode.

  • In the Settings expander, the closed mode user displays in red, indicating that the closed mode user (GmsDefaultUser) does not exist and you must create it.
  1. Click Create to create a new closed mode user (GmsDefaultUser) that displays in red.
  1. Type a password and confirm it.
  1. Click Save.
  • The password is validated and the default Desigo CC user account is created and saved successfully.

NOTE:
If you have upgraded a project from a previous version other than Version 3.0 and want to work with it in the closed mode, then after logging in with the GMSDefaultAdmin, you must update the password for the GmsDefaultUser with the newly created GmsDefaultUser password.

 

Configure Closed Mode User Settings

Use this procedure to update the Closed mode user password when it does not match the current Windows password of the Closed mode user (GmsDefaultUser). The mismatch is indicated by the Password field name displaying in red.

  1. In the Password field of the Closed Mode section of the Settings expander, type the most recent password for the Closed mode user (GmsDefaultUser) that is set in Windows.
  1. Click Apply.
  1. In the toolbar, click Save.
  • The newly updated Closed mode user password is saved successfully.

 

Change the Password of the Closed Mode User (GmsDefaultUser)

The following procedure is required only for systems that run in closed mode.

  • You are logged on to the management platform in closed mode.
  1. To disable closed mode from a station, see Removing Closed Mode from a Station.
  • Closed mode is disabled for the selected station. The Windows default user is logged off and the Windows logon screen displays. The operator using that station can log on to the Windows operating system and then launch the Desigo CC Client with appropriate access to system resources.
  1. To reset the password for a closed mode user, do the following:
    a. Select Start > Computer, right-click to open a menu and select Manage.
    b. In the Computer Management Console tree, select Users.
    c. Right-click the GmsDefaultUser user account for which you want to re-set the password.
    d. Click Set Password.
    e. Click Proceed.
    f. Enter a new password and confirm.
    g. Click OK.
    h. Close the Computer Management window.
  1. To change the closed mode user password in the SMC, do the following:
    a. Launch the SMC.
    b. In the Settings expander, configure the Closed mode user password.
    c. Launch the Desigo CC Client.
    d. Set the System Manager to Engineering mode.
    e. Set the System Browser to Management View.
    f. Select Project > System Settings > Users.
    g. Select GmsDefaultUser.
    h. Select the Change Password expander and enter a new password.
    i. Confirm the new password.
    j. Click Apply.
  1. To enable the closed mode on the server, from System Browser, select Main Server.
  1. To enable closed mode on the FEP or client, do the following:
    a. Select Project > Management System > FEP/Client.
    b. Create a new FEP or client node.
    c. On the newly-created FEP or client node, configure Hostname with Current Station.
  • System Manager displays.
  1. In System Browser, select the Main Server, FEP or Client node.
  1. From the closed mode drop-down list, select Yes, thus enabling the closed mode. For more information, see Setting Up a Closed Mode Station.
  1. Click Save.
  • You can run the Desigo CC Client in closed mode.

Special Considerations when Applying Security for Closed Mode Configuration

  • You must provide permissions to the Closed mode user (GMSDefaultUser) on the private key of the host certificate configured for the client/server communication. This must be done even if the Closed mode user (GMSDefaultUser) is a member of the Administrators group and that Administrator group has rights on the private key of the host certificate.
  • If you are configuring Closed mode on the client/FEP, then you must also provide file-system access rights to the GMSDefaultUser of the client/FEP on the project folder on the server.

 

Configure the Service Port

You can perform this procedure only on the Desigo CC Server system.

When the Service port is already in use, you cannot start the GMS SMC Project Data Service that runs on the Service port. In this case you need to change the default value of the Service port (8888) in the Settings expander.

The Service port is used by the Client/FEP to obtain the project information from the server. This communication happens using GMS SMC ProjectData Service, which runs on the Service port. This service provides server project information (such as name, language and configured ports) to the clients.

  • You have stopped the GMS SMC Project Data Service from the Services expander.
  1. In the Settings expander, to change the Service port number, do one of the following:
  • Type the port number.
  • Increase or decrease the port number using the spin control buttons.
  1. Click Save.
    NOTE: If you start the GMS SMC Project Data Service without saving the changed port number, the service will start; however, it will not run on the new configured port. To ensure that the service runs on the new port, you must first save the changed port number and then start the GMS SMC Project Data Service.
  • The port number is configured.
  1. From the Services expander, select the GMS SMC Project Data Service and click Start.

 

Export the Key File on the Server

You have an FEP connected to the server computer. To secure the data of drivers and devices, you must import the same key file on the FEP as on the server.

  • On the server, the system key is available in the Windows store.
  • The system account is configured.
  1. In the Security expander, select Export key.
  1. Type in the key file name, for example, Server1Key.
  1. Click Browse.
  1. In the Open dialog box, do the following:
    a. Locate and select the target directory path where the key file will be stored on the disk.
    b. Click Open.
  1. Type in the password and confirm. The password must match the Windows local password policy.
  1. Click Save System Settings.
  • A confirmation message displays.
  1. Click OK.
  • The system key is exported from the Windows store to the configured location on the disk.

 

Import the Key File

You have an FEP connected to the server and you want to import the same Windows key as on the server.

  • The same Windows key file as that on the server is available on the disk of the FEP or server.
  • The system account is configured.
  1. In the Security expander, select Import key.
  1. Click Browse.
  1. In the Open dialog box, do the following:
    a. Locate and select the source directory path where the key file is located on the disk.
    b. Click Open.
  1. Type in the password of the key.
    NOTE: You must enter the same password that was entered while exporting the key file on the server. By providing the correct password, the key file is decrypted and imported into the Windows key store.
  1. Click Save System Settings.
  • A confirmation message displays.
  1. Click OK.
  • The key file is imported in the Windows store on the computer.
    On the server, the Windows key file that was automatically created in the Windows key store on SMC startup is overwritten by the newly imported Windows key file.

 

Configure the Service Account

Do the following procedure to change the existing values for the Service account user.

  • The Windows (domain/local) user to be configured as Service account user has Log On as Service right set.
  1. In the Services expander, from the list of services, select a service for which you want to change the Service account user.
    NOTE: You cannot change the Service account user for the project's Pmon service, GMS_WCCILpmon_[Project Name].
  1. To configure a service account other than the default Local system account, select Specific Account.
  1. Click Browse to select and configure a new Service account user for the selected service.
  1. You can either select an existing user from the Current Station tab or click the Other Domains tab; then from the available list of domains do the following:
    a. Select a Domain.
    b. Type a Username or User account.
    c. Click Check Name to locate all matching or similar object names listed in the Enter username or user account in the selected domain.
    d. Select the user name that displays in the list.
  1. Click OK.
  1. In the Service Account expander, enter the password.
  1. Click Apply.
  1. The selected user is set as the Service account user for the selected service. Note that all the unsaved services whose current Service account user is changed are indicated in red.
  1. If necessary, repeat steps 2 to 9 to configure the Service account user for any other listed service.
  1. Click Save.
  1. The Service account user is set.

 

Enable and Configure the Service Administrator Account

You can perform the following procedure only in the Server SMC.

When you restore a project backup on a machine other than the actual server, you cannot access the project directly because the Windows users configured in that project do not exist on that machine. Therefore, before logging on to the Installed Client, you need to perform the following procedure. Once the procedure has been carried out, you can log in with the newly-defined Service Administrator.

  • You want to change the default values for the Service Admin. You have added a /support switch in the StartSmc.bat file located at [installation drive:]\[installation folder]\GMSMainProject\bin and saved it.
  • You have re-launched the SMC after saving this StartSmc.bat file and the Service Admin expander is available.
  • System is selected in the SMC tree.
  1. Open the Service Admin expander.
  • The Service Admin expander opens with Disable Service Admin selected by default.
  1. Select Enable Service Admin.
  • A field for setting Service Admin displays. By default, the currently logged-in Windows user is set as a Service Admin user.
  1. Click Browse to change the default Service Admin to local Windows user or domain user.
  1. Do one of the following:
  • Select an existing user from the Current Station tab.
  • Click the Other Domains tab. On the list of available domains do the following:
    a. (Optional) From the list of available domains, select a domain to change the default. By default, the current domain is selected.
    b. Enter a user name or user account.
    c. Click Check Name to locate all matching or similar object names in the selected domain.
    d. Select the user name that displays in the list.
  1. Click OK.
  1. Click Save.
  • A message displays notifying you that the changed Service Admin is set only after you re-start the project.
  1. Click OK.
  • The Service Admin user is configured.
  1. Re-start the active project.
  • You can now log on to the Desigo CC Client using the credentials of the configured service admin user. Once you log on, observe that the service admin user that you configured in the SMC is available in Engineering mode of Security > User and has the linked user group as DefaultAdmin.

NOTE:
The service admin becomes enabled or disabled only when you re-start the projects.

 

Set Log on as a Service Right

To set Log on as a service right for a Windows local/domain user, do the following:

  1. From the Start menu, navigate to Control panel > Administrative tools > Local Security Policy.
  1. In the Local Security Policy window, expand the Local Policies node and select User Rights Assignment.
  1. In User Rights Assignment, navigate to the Log on as a service policy.
  1. Double-click Log on as a service.
  • The Log on as a service Properties window opens.
  1. Click Add User or Group.
  1. In the Select Users, Computers, Service Accounts, or Groups dialog box, type [Machine name\User name] and click Check Names and confirm.
  1. Click OK.
  • The Log on as a service right is set for the selected Windows local/domain user.
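
The Log on as a service prerequisite named in the account procedures on this page can be checked from an elevated PowerShell prompt, as in the following added example (not part of the product documentation). It assumes the services of interest have GMS in their name or display name, and it detects only rights granted directly to the account, not rights inherited through a group.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumption: relevant services have "GMS" in Name or DisplayName.

function ConvertTo-Sid([string]$Account) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    try { ([System.Security.Principal.NTAccount]$Account).Translate($sidType).Value }
    catch { $null }   # name cannot be resolved (deleted or unreachable account)
}

function Get-ServiceLogonRightSids {
    # Export only the user-rights area of the security policy to a temporary file.
    $cfg = Join-Path $env:TEMP ('userrights_{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' }
        if (-not $line) { return }   # the right is assigned to nobody
        # Comma-separated entries: "*S-1-5-..." is a SID, anything else a name.
        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) { $entry.Substring(1) } else { ConvertTo-Sid $entry }
        }
    }
    finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
}

$granted = @(Get-ServiceLogonRightSids)

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like '*GMS*' -or $_.DisplayName -like '*GMS*' } |
    ForEach-Object {
        $account = $_.StartName
        $status = if ($account -eq 'LocalSystem') {
            'LocalSystem (no specific account configured)'
        } else {
            # Win32_Service reports local accounts as ".\name"; expand the dot.
            $sid = ConvertTo-Sid ($account -replace '^\.\\', "$env:COMPUTERNAME\")
            if (-not $sid) { 'account could not be resolved' }
            elseif ($granted -contains $sid) { 'right granted directly' }
            else { 'right NOT granted directly (check group membership)' }
        }
        [pscustomobject]@{ Service = $_.Name; Account = $account; LogOnAsService = $status }
    } | Format-Table -AutoSize
```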

 

Return User Account Control Settings to Default or Always Notify

Perform these steps to return the User Account Control settings to their default. Before you installed the Desigo CC software, you changed the Windows User Account Control settings to Never notify to avoid problems during the installation process.

  1. Click the Windows Start button.
  1. In the Search field, enter Change User Account Control Settings, and then press ENTER.
  • The User Account Control Settings dialog box displays.
  1. Move the slider to Always notify.
  1. Click OK.

 

Synchronize System Use Notification Files

Perform this procedure when you want to sync the modified system use notification files available at [Installation Drive]:\[Installation Folder]\GMSMainProject\Data\SMC with the server project.

  • The required system use notification files are available at the location
    [Installation Drive]:\[Installation Folder]\GMSMainProject\Data\SMC.
  • In the SMC tree, the System tab is selected.
  • Click Sync System Use Notification on the toolbar.
  • The system use notification files are copied to the GMSMainProject\Bin folder.
  • All the existing web applications (for example, Flex Client web application) become outdated. You must upgrade such web applications by clicking Upgrade. (See Upgrade a Web Application.)

 

Configure and Apply Password Policies for a Project

You can configure and apply password policies for projects by changing the default Windows policies. For information on the password and account policies, see Security Expander in SMC System Settings.

  1. Navigate to the Security expander.
  • The details of password and account policies with their default values display in the Security Policy section.
  1. Modify the values for password and account policies and click Save.
  • The configuration type changes to Manual indicating that the values of these policies were changed manually.
    You can set the Windows policies again by clicking Get Windows Policy.