European Laboratory for Particle Physics

Laboratoire Européen pour la Physique des Particules

CH-1211 Genève 23 - Suisse

OPC Support
IT-CO recommended DCOM settings
for OPC
Document Version: 4.1
Document Issue: 0
Document Date: 11 July 2008
Document Status: Final
Document Author: Jean-Pierre Puget, Renaud BARILLERE, Mark Beharrell

Abstract
This document presents the DCOM settings recommended by IT-CO for the use of OPC servers at
CERN on the NICE infrastructure.

This recommendation is based on documents [1]& [2] internally published by the OPC foundation. The
procedure described hereafter has been used to install several OPC servers for tests in laboratories and
for production applications at CERN.

1 Pre-requisite

1. Operating Systems

These procedures have been developed for Windows XP SP2.

2. Privileges

In order to be able to set all the required DCOM properties one has to be logged with administrator
privileges.
3. OPC servers installations

The OPC servers have been installed on the PC. Although servers can be installed by any users having
administrator privileges, we recommend to install them being logged as the local administrator.
4. OPCEnum installation

With the OPC DA v2+ specifications, it has been recommended to use the OPCEnum application to let
OPC clients browse the available OPC servers. This application is usually provided with the COTS

Final page 1
OPC Support IT-CO recommended DCOM settings for OPC
2 Disclaimer Version/Issue: 3.1/0

OPC servers, if not, the application is made available by the OPC foundation to all its members (CERN
is one of them).

It is assumed that OPCEnum has been installed. It is not required that it is installed as a service. We will
assume here after it has been installed as a standard application.
5. User groups

If several users shall be granted access rights to a given OPC server, we recommend the creation of a
group of users. As it is, a priori, not possible for local administrators to create group valid in the CERN
domain, we suggest to create local groups. This would obviously imply to duplicate this group creation
on all the PCs where the OPC Server will be installed.

The creation of local groups requires (usually?) administrator privileges.

2 Disclaimer

We have tested these settings with ISEG,Wiener, CAEN, Matricon Simulator and Semantic Net OPC
servers on a varity of PC’s. Whilst we have found the settings to work in the majority of cases, there
have been occasions when this has not been the case.

If you should continue to have any problems with the running of an OPC client or server after following
the steps outlined in this document - please contact ITcontrols.support@cern.ch for further assistance.

page 2 Final
OPC Support IT-CO recommended DCOM settings for OPC
3 The firewall. Version/Issue: 3.1/0

3 The firewall.

When setting up the OPC server/client we recommend that you initially switch the firewall off. After
you have a working configuration you should restart the firewall and add to the exception list (1) the
dcom port (2 & 3) by selecting the add port button (4)

Figure 1

Final page 3
OPC Support IT-CO recommended DCOM settings for OPC
3 The firewall. Version/Issue: 3.1/0

Then by using the Add Program button (5), add to the exception list each client (6) and server (7)
running on the computer.

Figure 2

page 4 Final
OPC Support IT-CO recommended DCOM settings for OPC
4 OPC Server settings Version/Issue: 3.1/0

4 OPC Server settings

OPC security is based on DCOM security, therefore the default security settings selected for the OPC
server’s and client’s machine will affect all the DCOM compents on that machine. This document
recommends settings that minimise changes to default DCOM settings thus reducing the chance of
‘breaking’ some other component when configuring an OPC server. To assist us in this task we use the
DCOM configuration tool: dcomcfng.exe, which is available in XP installations.

4.1 Specific OPC server settings

Here our goal is to have a restricted the number of users that have permission to access a specific OPC
server. The example used in this document is the ISEG OPC server.

a. Firstly we create a local group (i.e. ISEGOPCUSERS) that contains a list of all the users who
are to be able to access the OPC server.
b. Now we start dcomcnfg.exe (1) and select the OPC server we want to configure, from the list
of DCOM entries (2).

Figure 3

Final page 5
OPC Support IT-CO recommended DCOM settings for OPC
4 OPC Server settings Version/Issue: 3.1/0

c. We right click on our selected item (3) and select the properties item from the pull down menu
that appears. In the window that appears select the General tab (4) and make sure the
authernitcation level field (5) is set to Connect.

Figure 4

d. Now we select the identity tab (6) and in the panel enter the user whos id the OPC is to run
under (7) - note that it is essential that this user id has sufficient access writes to access the
resources (i.e. Hardware) used by the OPC server.Apply the settings.

Figure 5

page 6 Final
OPC Support IT-CO recommended DCOM settings for OPC
4 OPC Server settings Version/Issue: 3.1/0

e. Now select the security tab (8), we customise the Launch and Activate permissions by adding
all the opc user group we created eariler, to the list and giving all permissions to that group (9
- 13).

Figure 6

f. We repeat this process with for the Access permissions (14-18)

Figure 7

Final page 7
OPC Support IT-CO recommended DCOM settings for OPC
4 OPC Server settings Version/Issue: 3.1/0

g. Right click on ‘My Computer’ and select ‘Properties’ from the menu that appears (3). Select
the Default properties tab (4) and ensure the fields are filled as shown below (5 & 6).

Figure 8

h. Now selecting the COM security tab (7), edit the default settings for access permissions (8) by
adding Anonymous Logon (9) and giving it all access permissions (10). Repeat steps 9 & 10
for edit limits (11).

Figure 9

page 8 Final
OPC Support IT-CO recommended DCOM settings for OPC
4 OPC Server settings Version/Issue: 3.1/0

i. Now edit the default settings for the launch and activation permissions (12) by adding
Anonymous Logon (13) and giving it all permissions (14). Repeat steps 13 & 14 for edit limits
(15).

Figure 10

At this point we have completed the configuration of the OPC server - you should close the dcomcnfg
program and restart the OPC server so that the new settings can take effect.

Final page 9
OPC Support IT-CO recommended DCOM settings for OPC
4 OPC Server settings Version/Issue: 3.1/0

4.2 OPCEnum settings

OPCEnum is a COM component that allows a remote opc Client to browse the local machine to
identify OPC servers that are installed on it.

Figure 11

We configure this as we would a specific OPC server, by following the steps a) - f) detailed above. The
sole exception to this is insteps g) & f) where we add each local OPC user group (such as
ISEGOPCUSRES in the above example) to the list of autherised users (thus allowing all OPC users to
browse the local host for OPC servers).

page 10 Final
OPC Support IT-CO recommended DCOM settings for OPC
5 Settings for the Client side. Version/Issue: 3.1/0

5 Settings for the Client side.

a. Start the dcomcnfg tool (1) and navigate to ‘My Computer’ (2).

Figure 12

b. Right click on ‘My Computer’ and select ‘Properties’ from the menu that appears (3). Select
the Default properties tab (4) and ensure the fields are filled as shown below (5 & 6).

Figure 13

Final page 11
OPC Support IT-CO recommended DCOM settings for OPC
5 Settings for the Client side. Version/Issue: 3.1/0

c. Now selecting the COM security tab (7), edit the default settings for access permissions (8) by
adding Anonymous Logon (9) and giving it all access permissions (10). Repeat steps 9 & 10
for edit limits (11).

Figure 14

d. Now edit the default settings for the launch and activation permissions (12) by adding
Anonymous Logon (13) and giving it all permissions (14). Repeat steps 13 & 14 for edit limits
(15).

Figure 15

Now stop the dcomcnfg tool and restart and OPC clients that are running.

page 12 Final
OPC Support IT-CO recommended DCOM settings for OPC
6 Reference Version/Issue: 3.1/0

6 Reference

1 Demonstration Guidelines, 4th draft version, by the OPC foundation.

2 http://www.igearonline.com/print/OPCXPSP2.pdf

This document has been prepared using the SDLT Single File Template that have been prepared by the IPT Group
(Information, Process and Technology), IT Division, CERN (The European Laboratory for Particle Physics).
For more information, go to http://framemaker.cern.ch/.

Final page 13
OPC Support IT-CO recommended DCOM settings for OPC
6 Reference Version/Issue: 3.1/0

page 14 Final