Protecting and deploying a project

When you create a new project, the files and folders structure is created. Such a project is known to be unprotected, and it does not contain any sensitive data yet. Some files are already encrypted with a default cryptographic key. The next step is to protect the project before you add any piece of sensitive data in its configuration and then deploy. First on the engineering host, and after configuration, test, and validation, on the host computers that are the system in production.

This topic guides you through the steps to protect a project and deploy it.

The service SV Core Security service must be running to perform cryptographic operations.
Make sure the service is started or such operations will fail to execute.

The fact that the SV Core Security service is running must be monitored at all times on all PcVue hosts.

How to protect a project

Protecting a project consists in customizing the secure key used for cryptographic protection of the project. If it is a new project, the custom key you set will replace the default key. If it is an existing project that does not need migration, it may already be protected if the operations described here were already performed in the past.

A project which cryptographic protection is based on the default key is said to be unprotected because any encrypted configuration file from such a project can be copied and loaded as part of any other project, on any computer, by anyone with access to the project files. The reality is that it is very handy in many situations when you want to share or transmit a piece of configuration, but it exposes to risks if the project contains sensitive data, the user directory configuration or certificate private keys for example. The secure key is like a password, and you do not want to protect your project with a default password everyone has access to.

If you are migrating a project designed with a version earlier than version 17, a prerequisite to protecting the project is to migrate it. See Project and library migration for more information.

To protect a project, you can use the Host Deployment Console, on an engineering or a test host:

  1. Open the Host Deployment Console as a user with Administrative privileges, a shortcut is available on the desktop and in the Programs menu.
  2. In the left pane, click on Key management. The Key generation view opens.
  3. Select or enter manually the path to the folder where you want to store the key file.
  4. Enter a name for the key file.
  5. Enter a passphrase of your own, it will be used to protect the key file. Confirm the passphrase.
  6. Select the key length you want (default 32 bytes).
  7. Click the Generate button. After a few seconds, the key file is available in the output folder you have selected.
    The key file contains the value of a randomly generated secure key and is protected by the passphrase.
  8. In the left pane, click on Add protection. The Add protection view opens.
  9. Select the Project folder or enter the Project name manually.
  10. Select the Key file generated at step 7, and enter the Passphrase used to protect it.
  11. Because the project is not yet protected, make sure the toggle Apply protection to the project immediately is enabled and click Add.
    This operation imports the key value stored in the specified key file so it can be used by PcVue to cipher and decipher data for the project. Because the toggle was enabled, the operation also deciphers the project based on the current default key, rotates the keys, and ciphers the project with the new custom key. The project is now protected and can be run on the host where this operation was performed.
  12. Backup the key file and the associated passphrase.

Alternatively, you can use the svcmd CLI:

  1. Open a terminal as a user with Administrative privileges and go to the program files folder where PcVue is installed. By default, C:\Program Files\ARC Informatique\PcVue 17\Bin\
  2. Run the following command to generate a new custom secure key file. Replace the .key file path and the passphrase with your own.
    Copy
    svcmd key generate X:\keys\my-project.key --pass MyPa$$phrase
    This command generates the .key file that contains the value of a randomly generated secure key. The key file is protected by the passphrase.
  3. Run the following command to retrieve the id of the project. Replace MyProject with your own project folder.
    Copy
    svcmd project get-id MyProject
  4. Run the following command to add the project protection metadata. Replace <PROJECT-ID> by the id retrieved in step 3. Replace the .key file path and the passphrase with your own.
    Copy
    svcmd project-protection add <PROJECT-ID> X:\keys\my-project.key --pass MyPa$$phrase
    This command imports the key value stored in the key file passed as argument so it can be used by PcVue to cipher and decipher data for the project referenced by its identifier. The project itself, and its configuration files are not affected by this command.
  5. Run the following command to apply the secure key to the project. Replace <PROJECT-ID> by the id retrieved in step 3. Replace the .key file path, the passphrase, and the project folder with your own.
    Copy
    svcmd project-protection apply <PROJECT-ID> X:\keys\my-project.key C:\Projects\usr\MyProject --pass MyPa$$phrase
    This command deciphers the project based on the current default key, rotates the keys, and ciphers the project with the new custom key. The project is now protected and can be run on the host where these commands were run.
  6. Backup the key file and the associated passphrase.

Your project is now protected, cryptographic protection is based on a custom secure key only known from you and your organization. If an encrypted file is extracted from the project, it cannot be loaded as part of another project without knowledge of the key file and associated passphrase.

If you are using central project management, it is time to create a new version of your project so it can be tested, validated, and deployed on other hosts.

If you want to ensure that only this project can be run on the engineering station, it is also time to specify some application-wide setting that will restrict the host to only running this specific project. See below for more information.

If not done yet, it is time to set up central project management. See How to manage project and library versions for more information.

Your protected project is as secure as the secret key and passphrase used to protect it.

The key file and associated passphrase must be backed up and kept safe for later use.
You will need them to deploy the project on other hosts, you will need them if a host must be restored, and they are necessary for key renewal operations.
If they are compromised, your sensitive data are at risk.
If they are lost, you will end up losing access to your configuration data once the last host knowing the key will fail or will be decommissioned.

If you manage several projects, we recommend you use a different secure key and passphrase for each project.

Not all files of a project are subject to cryptographic protection.
Even with a protected project, files that are not encrypted can still be copied and pasted from one project to another one.

See Host Deployment Console or svcmd CLI reference for details, including more information about the other operations related to project protection:

  • Renewal of a secure key
  • Preparation of an unprotected copy of a project
  • Protection removal

How to deploy a protected project on more hosts

For each PcVue host where you want to deploy the project, you are going to perform the following operations:

  • Add the protection metadata to the host
  • Set up central project management if need be
  • Specify application-wide settings and restrict the host so it can only run the specified project

From a cryptographic protection point of view, deploying a protected project on a host only requires adding the protection metadata to the host. You can use the Host Deployment Console:

  1. Open the Host Deployment Console as a user with Administrative privileges, a shortcut is available on the desktop and in the Programs menu.
  2. In the left pane, click on Add protection. The Add protection view opens.
  3. Select the Project folder or enter the Project name manually.
  4. Select the Key file used to protect the project and enter the Passphrase.
  5. Because the project is already protected, make sure the toggle Apply protection to the project immediately is disabled and click Add.
    This operation imports the key value stored in the specified key file so it can be used by PcVue to cipher and decipher data for the project. Your project can now be run on the host where this operation was performed.

Alternatively, you can use the svcmd CLI:

  1. Open a terminal as a user with Administrative privileges and go to the program files folder where PcVue is installed. By default, C:\Program Files\ARC Informatique\PcVue 17\Bin\
  2. Run the following command to retrieve the id of the project if you do not have it at hand. Replace MyProject with your project folder.
    Copy
    svcmd project get-id MyProject
  3. Run the following command to add the project protection metadata. Replace <PROJECT-ID> by the id retrieved in step 3. Replace the .key file path and the passphrase with your own.
    Copy
    svcmd project-protection add <PROJECT-ID> X:\keys\my-project.key --pass MyPa$$phrase
    This command imports the key value stored in the key file passed as argument so it can be used by PcVue to cipher and decipher data for the project referenced by its identifier. Your project is ready to be started on the new host.

If not done yet, it is time to set up central project management. See How to manage project and library versions for more information.

If a host must be decommissioned, in addition to removing any sensitive file, it is important to remove the protection metadata. To do so, use Host Deployment Console Remove protection view, or the svcmd project-protection remove command.

In addition, it is time to specify some application-wide settings. And you can increase the system security by restricting the host to only running a specific project. If you do so, a user without Administrative privilege cannot trick the host into running another potentially modified project.

You can use the Host Deployment Console:

  1. Open the Host Deployment Console as a user with Administrative privileges, a shortcut is available on the desktop and in the Programs menu.
  2. In the left pane, click on Host configuration. The Host configuration view opens.
  3. Click the Enable protection check-box.
  4. Select the Project folder or enter the Project name manually.
  5. Enter the desired value for the fallback station number.
  6. Click the Save button to save changes.

Alternatively, you can use the svcmd CLI:

  1. Open a terminal as a user with Administrative privileges and go to the program files folder where PcVue is installed. By default, C:\Program Files\ARC Informatique\PcVue 17\Bin\
  2. Run the following command to restrict the host so it can only run the specified project. Replace MyProject with your project folder.
    Copy
    svcmd host protect --project MyProject
  3. Run the following command to set the fallback station number. Replace [STATION-NUMBER] by the actual fallback station number you want to use on the host.
    Copy
    svcmd host station-number [STATION-NUMBER]

The steps described here must be performed on all hosts where the project must be executed, including client stations, server stations, web backend servers, engineering, and test hosts.

Completing project deployment on a host

The steps described above are dealing with cryptographic protection of the project. It is a set of steps common to all PcVue stations. In addition, completing the deployment requires dealing with station-specific steps.

Operator workstations

There are 2 options for installation and deployment of the operator workstations running PcVue in order to access the runtime HMI:

  •  PcVue may be installed on each PC. It is the default setup after installation.
  •  PcVue may be installed on a Remote Desktop Server host and run remotely from lightweight terminals used as operator workstations. See Overview of deploying PcVue on an RDS host for more information about deployment.

In both cases, PcVue will be running as a Desktop application in an interactive user session.

Server station hosts

For server stations, including data acquisition servers, historical data servers, gateway servers, and web backend servers, PcVue will be running as a Windows service. See Overview of running PcVue as a Windows Service for more information.

Final word

Finally, if not done yet, it is time to review and tune the following Windows services that are part of the PcVue product:

Tool Help book or topic Description
SV Core Daemon Deploying PcVue as a Windows Service The service in charge of hosting the sv32.exe process when running as a Windows service.
SV Core Session Host Deploying PcVue on an RDS host The service in charge of monitoring sessions on a host.
SV Core Security

svcmd CLI reference

Host Deployment Console

The service in charge of cryptographic operations.
SV Core Data Isolation How to manage project and library versions The service in charge of handling delegated data access. Used by Central project management to handle file operations.
SV DbConnect Data Connections overview The service in charge of handling Sql connections and Sql queries.