epics channel access gateway and access security
play

EPICS Channel Access Gateway and Access Security Florian Feldbauer - PowerPoint PPT Presentation

Jul 03, 2023 •221 likes •413 views

EPICS Channel Access Gateway and Access Security Florian Feldbauer Helmholtz-Institut Mainz Johannes Gutenberg-Universit at Mainz LV. Collaboration Meeting November 30, 2015 Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 1/15

  1. EPICS Channel Access Gateway and Access Security Florian Feldbauer Helmholtz-Institut Mainz Johannes Gutenberg-Universit¨ at Mainz LV. Collaboration Meeting November 30, 2015 Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 1/15

  2. PANDA DCS Overview Each sub-detector has it’s own partition Separated from each other via CA-Gateways Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 2/15

  3. PANDA DCS Partition DCS partition for one sub-detector FL CL Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 3/15

  4. PANDA LMD DCS Partition E30 LAN Client WAN Client GbE, CA (global PANDA net) E20 CA Gateway Databases GbE, CA (LMD subnet) E10 ECH44A PC CANbus Ethernet (TCP/IP) EHS F205p-F Raspberry Pi Assembly area CANbus Ethernet (SNMP) RS485 RS232 TMCM142 Unistat 425W Raspberry Pi SoC @detector PWM SPI CANbus PL506 HiPace300 Stepper motor THMP nXDS15i MuPix Distance Florian Feldbauer (HIM/JGU) sensor LV. CM, 11/30/2015 CA Gateway 4/15

  5. EPICS Channel Access SL CL FL Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 5/15

  6. EPICS Channel Access SL CL FL Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 5/15

  7. EPICS Channel Access Gateway Parts of CA Gateway: CA Access Security 1 PV list 2 Network configuration 3 Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 6/15

  8. CA Access Security ”No attempt has been made to protect against the sophisticated saboteur. Network and physical security methods must be used to limit access to the subnet on which the iocs reside.” 1 1 Application Developer’s Guide, c. 8, ”Access Security”, s. 8.3.2, ”Limitations” Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 7/15

  9. CA Access Security - Features Access security protects IOC databases from unauthorized CA clients, based on Who? userid of the ca client Where? Hostid where user is logged on, No attempt to see if user is local or remotely logged on What? Individual fields of records are protected When? Access rules can contain input links/calculations Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 8/15

  10. CA Access Security - Definition ASL Access Security Level 0 or 1 By default all fields are level 1 except VAL, CMD and RES Level 1 implies 0 ASG Access Security Group Group defining access rights for users/hosts UAG User Access Group List of user names User names may appear in more than one UAG HAG Host Access Group List of host names Host names may appear in more than one HAG Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 9/15

  11. CA Access Security - Simple Example PandaLmd.access 1 UAG(uag) {user1,user2} HAG(hag) {host1,host2} ASG(DEFAULT) { RULE(1,READ) RULE(1,WRITE) { 6 UAG(uag) HAG(hag) } } Provide read access to anyone located anywhere write access to user1 and user2 if located at host1 or host2 Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 10/15

  12. PV List List of PV names available through gateway Combines PVs with access rules PV names can be given as pattern Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 11/15

  13. PV List - Simple Example PandaLmd.pvlist ## DENY overwrite ALLOW EVALUATION ORDER ALLOW, DENY 4 ## Allow access by ASG DEFAULT to PVs which ## begin with "PANDA:LMD:" PANDA:LMD:.* ALLOW ## Deny access by ASG DEFAULT to PVs which 9 ## begin with "PANDA:LMD:" and end with "__" PANDA:LMD:.*__ DENY ## Allow access by ASG GatewayAdmin to gateway ## internal PVs 14 gateway:.*Flag ALLOW GatewayAdmin Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 12/15

  14. Network Configuration For CA Gateway PC with two network interfaces is needed eth2 connected to local (sub-detector) subnet Running local DHCP/DNS server on eth2 (dnsmasq) eth1 connected to network of the institue If using firewall, ports 5064(udp/tcp), 5065(udp) must be open Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 13/15

  15. Network Configuration Need to know IP address of eth1, broadcast address of eth2 ~ > /sbin/ifconfig [...] eth1 Link encap:Ethernet HWaddr 74:d4:35:ec:0c:47 inet addr:10.32.90.101 Bcast:10.32.90.255 Mask:255.255.255.0 5 [...] eth2 Link encap:Ethernet HWaddr 74:d4:35:ec:0c:45 inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0 [...] Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 14/15

  16. Using the CA Gateway Starting the CA Gateway ~ > cd /opt/epics/gateway2_0_6_0 2 ~ > bin/linux-x86_64/gateway \ -log /home/panda/cagateway.log \ # Logfile -cip 192.168.1.255 \ # Client IP address -sip 10.32.90.101 \ # Server IP address -uid 1000 -gid 1000 \ # User id and group -server -no_cache \ # run as daemon 7 -home /opt/epics/gateway2_0_6_0 \ # Dir to search for config -pvlist PandaLmd.pvlist \ # File with PV list -access PandaLmd.access # Access Security definition Stopping the daemon ~ > cd /opt/epics/gateway2_0_6_0 ~ > ./gateway.killer Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 15/15

  17. BACKUP Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 16/15

  18. Installing the CA Gateway Dependencies: Epics base 3.14.12 (or newer) ~ > wget -q -O - https://launchpad.net/epics-gateway/trunk/2.0.6.0/+ download/gateway2_0_6_0.tar.gz | tar xzf - -C /opt/epics ~ > cd /opt/epics/gateway2_0_6_0 3 ~ > echo "EPICS_BASE = /opt/epics/base" > configure/RELEASE.local ~ > make -j4 Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 17/15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Python Channel Access Bindings Review of a conversation on EPICS tech-talk 4 different

Python Channel Access Bindings Review of a conversation on EPICS tech-talk 4 different

Python Channel Access Bindings Review of a conversation on EPICS tech-talk 4 different interfaces CaPython (FNAL) http://www-d0online.fnal.gov/www/groups/ctl/epics/epics_python.html A faithful reproduction of the low level channel access API.

466 views • 8 slides
1 Ideal Multiple Access Protocol Random Access Protocols Broadcast channel of rate R bps When

1 Ideal Multiple Access Protocol Random Access Protocols Broadcast channel of rate R bps When

Multiple Access Multiple Access Multiple hosts sharing the same medium What are the new problems? Readings: Kurose & Ross, 5.3, 5.5 Multiple Access protocols Shared Media Single shared broadcast channel Ethernet bus Two

527 views • 7 slides
Random Access Networks Random Access networks are characterised by the absence of a channel-

Random Access Networks Random Access networks are characterised by the absence of a channel-

Chapter 3 Random Access Networks Random Access networks are characterised by the absence of a channel- controlled access mechanism. To some extent, a station is free to broadcast its packets on the network at a time determined by the station

309 views • 15 slides
Implementation of RDB Channel Archiver Richard Ma DePauw University RDB Channel Archiver An

Implementation of RDB Channel Archiver Richard Ma DePauw University RDB Channel Archiver An

Implementation of RDB Channel Archiver Richard Ma DePauw University RDB Channel Archiver An EPICS extension toolset for data archiving - EPICS (Experimental Physics and Industrial Control System) is a set of open source software tools to

420 views • 5 slides
Please Sign In 1 Lisbon Channel Access Project Non-Mandatory Pre-Bid Conference February 21,

Please Sign In 1 Lisbon Channel Access Project Non-Mandatory Pre-Bid Conference February 21,

Lisbon Channel Access Project Non-Mandatory Pre-Bid Please Sign In 1 Lisbon Channel Access Project Non-Mandatory Pre-Bid Conference February 21, 2018 NMDOT CN A301870 2 Lisbon Channel Access Project Introductions: SSCAFCA Staff

268 views • 12 slides
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control Fundamentals Objectives Define Access Controls List the four Access Control Models Describe logical Access Control Methods Explain the

128 views • 8 slides
Arrival Notification and Presentation using the web channel Sea Traffic How to access the web

Arrival Notification and Presentation using the web channel Sea Traffic How to access the web

Arrival Notification and Presentation using the web channel Sea Traffic How to access the web channel? The link to the web declaration service can be found on the Customs website (www.tulli.fi). The start page for all the declarations can be

523 views • 13 slides
CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva OS security. Access control.

CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva OS security. Access control.

Access control Access control determines access to files and processes in OS Old area of security, but not well understood CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva OS security. Access control. 1 2 System

889 views • 5 slides
OS Security CS 161: Computer Security Prof. Anthony D. Joseph January 29, 2014 Access Control

OS Security CS 161: Computer Security Prof. Anthony D. Joseph January 29, 2014 Access Control

Access Control and OS Security CS 161: Computer Security Prof. Anthony D. Joseph January 29, 2014 Access Control Some resources (files, web pages, ) are sensitive. How do we limit who can access them? This is called the access

629 views • 27 slides
A Single Window Gateway for e-Content Access, Delivery and Analysis www.remotexs.xyz

A Single Window Gateway for e-Content Access, Delivery and Analysis www.remotexs.xyz

A Single Window Gateway for e-Content Access, Delivery and Analysis www.remotexs.xyz Confidential RemoteXs Key Features ! Serve & Access e-content from a single portal Zero IT infrastructure cost (IP address allocation) Inbuilt

356 views • 11 slides
Mul$-protocol gateway and interface for transparent data access

Mul$-protocol gateway and interface for transparent data access

Mul$-protocol gateway and interface for transparent data access for AAL applica$ons By: Ye-Qiong Song and Mou$e Chehaider LORIA and Universit de

373 views • 14 slides
& PRESENT SECURITY ACCESS POINT SAFETY GATE TO PREVENT THE INFECTION SPREAD SECURITY

& PRESENT SECURITY ACCESS POINT SAFETY GATE TO PREVENT THE INFECTION SPREAD SECURITY

& PRESENT SECURITY ACCESS POINT SAFETY GATE TO PREVENT THE INFECTION SPREAD SECURITY ACCESS POINT SECURITY WAS BORN THANKS TO THE COOPERETION BETWEEN ETS AND BICARJET , TWO ITALIAN LEADERS IN THE AUTOMATION ACCESS INDUSTRY. POINT

151 views • 13 slides
A Single Window Gateway for e-Content Access, Delivery and Analysis www.remotexs.xyz Confiden'al

A Single Window Gateway for e-Content Access, Delivery and Analysis www.remotexs.xyz Confiden'al

A Single Window Gateway for e-Content Access, Delivery and Analysis www.remotexs.xyz Confiden'al RemoteXs Key Features ! Serve & Access e-content from a single portal Zero IT infrastructure cost (IP address alloca'on) Inbuilt

537 views • 11 slides
Multiple Access Readings: Kurose & Ross, 5.3, 5.5 Multiple Access Multiple hosts sharing

Multiple Access Readings: Kurose & Ross, 5.3, 5.5 Multiple Access Multiple hosts sharing

Multiple Access Readings: Kurose & Ross, 5.3, 5.5 Multiple Access Multiple hosts sharing the same medium What are the new problems? Shared Media Ethernet bus Radio channel Token ring network Multiple Access

888 views • 61 slides
About Loxal Security Ltd Specialist access control and vacant property security company Unique

About Loxal Security Ltd Specialist access control and vacant property security company Unique

About Loxal Security Ltd Specialist access control and vacant property security company Unique range of access control technology & temporary physical security products : - Keysafes Locking Bar Void security doors & screens

368 views • 21 slides
Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction

Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction

Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction to Computer Security Announcements intermission OS security: access control Unix-style access control Stephen McCamant Multilevel and mandatory

656 views • 9 slides
Gas SO Incentives Initial Consultation Workshop Elexon 13 July 2011 Welcome..

Gas SO Incentives Initial Consultation Workshop Elexon 13 July 2011 Welcome..

Gas SO Incentives Initial Consultation Workshop Elexon 13 July 2011 Welcome.. Housekeeping Objective of Workshop To enable customers to understand and respond to the Initial Consultation document Golden Rules Keep session

786 views • 66 slides
Adjectives that describe the people you want in your organization: 1. _______________ 2.

Adjectives that describe the people you want in your organization: 1. _______________ 2.

on ORK with Eric Chester at HOW TO IGNITE PASSION IN YOUR PEOPLE IGNITE PASSION WITHOUT BURNING THEM OUT Adjectives that describe the people you want in your organization: 1. _______________ 2. _______________ 3. _______________ 4.

949 views • 18 slides
Fixedmobile convergence FuncRonal convergence The Universal Access Gateway concept Dirk

Fixedmobile convergence FuncRonal convergence The Universal Access Gateway concept Dirk

Fixedmobile convergence FuncRonal convergence The Universal Access Gateway concept Dirk Breuer Deutsche Telekom Laboratories, Germany Tibor Cinkler Budapest University of Technology and Economics, Hungary Stphane Gosselin Orange

244 views • 5 slides
P

P

P P rss

279 views • 4 slides
7/17/2019 The 5 L Language guages of Appreci ciatio ation The Secret to Em ployee Engagem ent

7/17/2019 The 5 L Language guages of Appreci ciatio ation The Secret to Em ployee Engagem ent

7/17/2019 The 5 L Language guages of Appreci ciatio ation The Secret to Em ployee Engagem ent Diana Rogers Jaeger, APR, M.Ed. www.LOVETOAPPRECIATE.com LOVE TO APPRECIATE CONSULTING LOVE TO APPRECIATE CONSULTING 1 7/17/2019 Learning

499 views • 12 slides
Primary 1 All slides will be uploaded. No hardcopy will be provided. All feedback will

Primary 1 All slides will be uploaded. No hardcopy will be provided. All feedback will

CHANGKAT Form Teacher her 1: For orm Teac acher her 2: Primary 1 All slides will be uploaded. No hardcopy will be provided. All feedback will be done online through the QR Codes / tinyurl. Parents without mobile access can

1.08k views • 49 slides
Low Cost Microwave Radiometer WP 2600 Design of a Low Cost Radiometer Thomas Rose Radiometer

Low Cost Microwave Radiometer WP 2600 Design of a Low Cost Radiometer Thomas Rose Radiometer

Low Cost Microwave Radiometer WP 2600 Design of a Low Cost Radiometer Thomas Rose Radiometer Physics GmbH (RPG) Susanne Crewell Meteorological Institute Bonn Madr id, 16 Dezember 2002 1 I ntroduction Ground-based microwave radiometer are

266 views • 14 slides
Characterizing transcriptomes using ngs data T. Kllman BILS/Scilife Lab/Uppsala University May

Characterizing transcriptomes using ngs data T. Kllman BILS/Scilife Lab/Uppsala University May

Characterizing transcriptomes using ngs data T. Kllman BILS/Scilife Lab/Uppsala University May 2015 20150521 1/38 Outline The transcriptome 1 RNA sequence technologies 2 RNA-seq analysis 3 Mapping based approach Tools for working

624 views • 38 slides

More recommend