Manually enable Security Portal
During the Critical Manufacturing MES installation it is possible to install the Security Portal as disabled. In this scenario, the Security Portal is still installed in the environment but it is not enabled. In order to enable it, you need to follow the steps that are defined in this document.
In order to enable the Security Portal some of the Web.config files that exist in the environment need to be updated.
Note
The file paths given in the following steps are relative to the disk folder where Critical Manufacturing MES was installed. For example, if Critical Manufacturing MES was installed in the folder C:\Program Files\CriticalManufacturingSystem and this document asks to change the file UI\api\Web.config, then the file to be changed is the one located at C:\Program Files\CriticalManufacturingSystem\UI\api\Web.config.
UI Configuration files
UI\api\Web.config
Please open the file UI\api\Web.config. Inside of that file there should be a rule named api with the following server variable:
<serverVariables>
  <!--<set name="CMF_ALLOW_UNAUTHENTICATED" value="True" />-->
</serverVariables>
Please remove the comment markers around that server variable. The file should now have the following server variable definition:
<serverVariables>
  <set name="CMF_ALLOW_UNAUTHENTICATED" value="True" />
</serverVariables>
Save and close the file.
UI\discoveryservice\Web.config
The file UI\discoveryservice\Web.config needs to be updated in the same way as the previous UI\api\Web.config file. That is, the server variable of the rule api needs to be changed from:
<serverVariables>
  <!--<set name="CMF_ALLOW_UNAUTHENTICATED" value="True" />-->
</serverVariables>
to
<serverVariables>
  <set name="CMF_ALLOW_UNAUTHENTICATED" value="True" />
</serverVariables>
Save and close the file.
UI\messagebus\Web.config
The file UI\messagebus\Web.config needs to be updated in the same way as the previous UI\api\Web.config file. That is, the server variable of the rule api needs to be changed from:
<serverVariables>
  <!--<set name="CMF_ALLOW_UNAUTHENTICATED" value="True" />-->
</serverVariables>
to
<serverVariables>
  <set name="CMF_ALLOW_UNAUTHENTICATED" value="True" />
</serverVariables>
Save and close the file.
UI\reportingservices\Web.config
Please open the file UI\reportingservices\Web.config. Inside of that file there should be a rule named ReportServer_MainInbound with the following server variable:
<serverVariables>
  <!--<set name="CMF_IS_REPORTSERVER" value="True" />-->
</serverVariables>
Please remove the comment markers around that server variable. The file should now have the following server variable definition:
<serverVariables>
  <set name="CMF_IS_REPORTSERVER" value="True" />
</serverVariables>
Save and close the file.
UI\Web.config
Multiple parts of the file UI\Web.config need to be changed in order to correctly enable the Security Portal. Please open the file UI\Web.config. In that file you should see the following appSettings:
<appSettings>
  <!--<add key="CmfAuth_ClientId" value="..."/>-->
  <!--<add key="CmfAuth_ClientSecret" value="..."/>-->
  <!--<add key="CmfAuth_UserEndpoint" value="..."/>-->
  <!--<add key="CmfAuth_ApiEndpoint" value="..."/>-->
  <!--<add key="CmfAuthReports_ReportServerBaseUrl" value="..." />-->
  <!--<add key="CmfAuthReports_HostEndpoint" value="..."/>-->
</appSettings>
The value of those appSettings depends on the values that were passed during the Critical Manufacturing MES installation.
Please remove the comments from each of those appSettings. The file should now have the following appSettings:
<appSettings>
  <add key="CmfAuth_ClientId" value="..."/>
  <add key="CmfAuth_ClientSecret" value="..."/>
  <add key="CmfAuth_UserEndpoint" value="..."/>
  <add key="CmfAuth_ApiEndpoint" value="..."/>
  <add key="CmfAuthReports_ReportServerBaseUrl" value="..." />
  <add key="CmfAuthReports_HostEndpoint" value="..."/>
</appSettings>
The list of IIS modules that are loaded by the site also needs to be updated. In the file you should see the modules CmfAuth and CmfAuthReports:
<modules>
  <!-- <add name="CmfAuth" type="Cmf.Auth.IIS.Module.AuthenticationModule, Cmf.Auth.IIS.Module"/> -->
  <!-- <add name="CmfAuthReports" type="Cmf.Auth.IIS.Module.ReportServer.ReportServerModule, Cmf.Auth.IIS.Module"/> -->
</modules>
Please remove the comments for those modules. The file should now have the following modules:
<modules>
  <add name="CmfAuth" type="Cmf.Auth.IIS.Module.AuthenticationModule, Cmf.Auth.IIS.Module"/>
  <add name="CmfAuthReports" type="Cmf.Auth.IIS.Module.ReportServer.ReportServerModule, Cmf.Auth.IIS.Module"/>
</modules>
Additionally a URL rewrite rule also needs to be updated. In the file you should see a rule named Public Files:
<rules>
  <!--<rule name="Public Files" patternSyntax="ECMAScript" stopProcessing="true">
    <match url="manifest.json|clientaccesspolicy.xml|crossdomain.xml" />
    <serverVariables>
      <set name="CMF_ALLOW_UNAUTHENTICATED" value="True" />
    </serverVariables>
  </rule>-->
</rules>
Please remove the comment from the URL rewrite rule Public Files. The file should now have the following rule:
<rules>
  <rule name="Public Files" patternSyntax="ECMAScript" stopProcessing="true">
    <match url="manifest.json|clientaccesspolicy.xml|crossdomain.xml" />
    <serverVariables>
      <set name="CMF_ALLOW_UNAUTHENTICATED" value="True" />
    </serverVariables>
  </rule>
</rules>
Save and close the file.
Configure Report Server settings
In order to authenticate requests that are sent to the Report Server, those requests need to be sent through a particular IIS site that was created during the Critical Manufacturing MES installation. The URL for that IIS site follows the pattern $PROTOCOL://$IIS_SITE_URL:$PORT/$REPORT_INSTANCE/pages/ReportViewer.aspx where:
$PROTOCOL is either http or https, depending on whether or not the environment is running in HTTPS;
$IIS_SITE_URL is the URL to the IIS instance where the Critical Manufacturing MES was installed;
$PORT is the IIS binding port where the Critical Manufacturing MES was installed;
$REPORT_INSTANCE is the name of the SQL Server Report Instance that contains the reports for the Critical Manufacturing MES installation. For example, if the URL used to access the SQL Server Report webpage is http://vm-db3/ReportServer_ONLINE, then the $REPORT_INSTANCE is ReportServer_ONLINE.
As an example, if $PROTOCOL is http, $IIS_SITE_URL is vm-qa-env, $PORT is 82 and $REPORT_INSTANCE is ReportServer_ONLINE then the URL that should be used to authenticate the requests that are made to the Report Server is http://vm-qa-env:82/ReportServer_ONLINE/pages/ReportViewer.aspx.
The URL for that IIS site needs to be added to the GUI config /Cmf/System/Configuration/Reporting/Report Server/. To change this config, open the GUI and in the Administration section open the Configuration page. Use the Configuration page to set the value of the config /Cmf/System/Configuration/Reporting/Report Server/.
After that, open the file UI\Web.config and ensure that the appSetting CmfAuthReports_ReportServerBaseUrl is pointing to the real URL of the SQL Report Server. For example, if the original URL for a report was http://vm-db3/ReportServer_ONLINE/CriticalManufacturingSystem/_History/Report_ABC then the value of the appSetting CmfAuthReports_ReportServerBaseUrl should be http://vm-db3/ReportServer_ONLINE. Similarly, the appSetting CmfAuthReports_HostEndpoint should also contain the URL for the IIS site used to connect to the business tier. The format of that URL is $PROTOCOL://$IIS_SITE_URL:$PORT/api/ where:
$PROTOCOL is either http or https, depending on whether or not the environment is running in HTTPS;
$IIS_SITE_URL is the URL to the IIS instance where the Critical Manufacturing MES was installed;
$PORT is the IIS binding port where the Critical Manufacturing MES was installed.
For example, if $PROTOCOL is http, $IIS_SITE_URL is vm-qa-env and $PORT is 82, then the appSetting CmfAuthReports_HostEndpoint should be http://vm-qa-env:82/api/.
See also the instructions in Reports for the prerequisites that must be met in order for the Security Portal to access the reports.
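A PowerShell check that every setting named in the steps above is active rather than still commented out, and that the two report URLs have the expected shape. This is an added example, not part of the Critical Manufacturing MES documentation or product; the default install folder is the example path used on this page, and the script assumes the Web.config files declare no default XML namespace.

```powershell
# Added verification example; not shipped with Critical Manufacturing MES.
param([string]$InstallRoot = 'C:\Program Files\CriticalManufacturingSystem')  # assumed install folder

$unauth  = "serverVariables/set[@name='CMF_ALLOW_UNAUTHENTICATED' and @value='True']"
$apiRule = "//rule[@name='api']/$unauth"
# Relative file path -> XPath expressions that must each match an active element.
$checks = [ordered]@{
    'UI\api\Web.config'               = @($apiRule)
    'UI\discoveryservice\Web.config'  = @($apiRule)
    'UI\messagebus\Web.config'        = @($apiRule)
    'UI\reportingservices\Web.config' = @("//rule[@name='ReportServer_MainInbound']/serverVariables/set[@name='CMF_IS_REPORTSERVER' and @value='True']")
    'UI\Web.config'                   = @(
        "//appSettings/add[@key='CmfAuth_ClientId']",
        "//appSettings/add[@key='CmfAuth_ClientSecret']",
        "//appSettings/add[@key='CmfAuth_UserEndpoint']",
        "//appSettings/add[@key='CmfAuth_ApiEndpoint']",
        "//appSettings/add[@key='CmfAuthReports_ReportServerBaseUrl']",
        "//appSettings/add[@key='CmfAuthReports_HostEndpoint']",
        "//modules/add[@name='CmfAuth']",
        "//modules/add[@name='CmfAuthReports']",
        "//rule[@name='Public Files']/$unauth"
    )
}

$problems = @()
foreach ($rel in $checks.Keys) {
    $path = Join-Path $InstallRoot $rel
    if (-not (Test-Path -LiteralPath $path)) { $problems += "$rel : file not found"; continue }
    $xml = New-Object System.Xml.XmlDocument
    try { $xml.Load((Resolve-Path -LiteralPath $path).Path) }   # fails if an edit left the XML malformed
    catch { $problems += "$rel : not well-formed XML"; continue }
    # XPath selects elements only, so entries still inside <!-- --> count as missing.
    foreach ($xpath in $checks[$rel]) {
        if ($null -eq $xml.SelectSingleNode($xpath)) { $problems += "$rel : no active match for $xpath" }
    }
    if ($rel -eq 'UI\Web.config') {
        # Both report settings must be absolute http(s) URLs; HostEndpoint ends in /api/.
        foreach ($key in 'CmfAuthReports_ReportServerBaseUrl', 'CmfAuthReports_HostEndpoint') {
            $node = $xml.SelectSingleNode("//appSettings/add[@key='$key']")
            if ($null -eq $node) { continue }
            $value = $node.GetAttribute('value')
            if ($value -notmatch '^https?://[^/\s]+') { $problems += "$key : not an absolute http(s) URL" }
            elseif ($key -like '*HostEndpoint' -and -not $value.EndsWith('/api/')) { $problems += "$key : should end with /api/" }
        }
    }
}
if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'All Security Portal settings from this procedure are active.'
```

The script only tests for the presence of CmfAuth_ClientSecret and never prints its value, so its output can be attached to a change record.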