Can OpenHistorian Read data from another OpenHistorian Instance?

Hi,

We have the below environment.

  1. A is a PMU
  2. B is a PDC (openHistorian)
  3. C is a PDC (OpenHistorian)

Here A and B both are connected and B is reading the data from PMU.
C needs to be configured to read the data from B instead of A.
Is it possible? please help.

OpenHistorian, we have Manage Nodes under system menu, could you please explain about this and if you have any help file, it would be great.

E.g. Each Substations needs to be connected with one OpenHistorian.

Thanks & Regards
Logu

I’d say the simplest way to do this is probably to set up an internal GEP or STTP subscription on C. This requires that the communications channel is trusted and C is allowed to initiate connections to B.

Here’s a guide for creating internal subscriptions, although it looks to be very old so I’m not 100% sure how accurate it is.
https://github.com/GridProtectionAlliance/SIEGate/blob/master/Source/Documentation/wiki/Creating_Internal_Gateway_Connections.md

Thanks Stephen,

I will check and get back to you.

Regards
Logu

Hi Stephen,

I’m trying to set up the sub subscription using “Subscription Based input-> Create Authorization Request” from the OpenHistorian Manager tool, but you recommend using the “SIEGate” tool.

Which one is correct?
Can I perform subscription between OpenHistorians using “OpenHistorian manager” itself or
do I need to use “SIEGate” tool?

The instructions use SIEGate, but the same screens exist in openHistorian. The menu item in openHistorian corresponding to the instructions in the documentation would be Inputs > Subscription Based Inputs > Create Internal Subscription. The configuration for the Create Authorization Request screen is more involved, and would be my recommendation if the communications channel is not trusted.

Hi Stephen,

Thanks for your information. Still I’m working on this.
However, I’m working on setting up the debug environment; for that,
I installed the OpenHistorian Setup kit - it’s working fine (i.e. able to add a device and see the information using OpenHistorian manager and the Web tool).

To set up the debug, I created a debug dll and exe for OpenHistorian and copied them with the .pdb files, but the service is not starting and is throwing the error message

[1/24/2020 4:48:02 PM] [TLS!DATAPUBLISHER] Data publisher encountered an exception while connecting client to the command channel: Unable to authenticate connection to client [::ffff:10.10.150.204]: No matching certificate found in the list of trusted certificates. - at statuslog.txt

Connection Error log is reporting

Application Domain: openHistorian.exe
Assembly Codebase: C:/Program Files/openHistorian/openHistorian.exe
Assembly Full Name: openHistorian, Version=2.5.183.0, Culture=neutral, PublicKeyToken=null
Assembly Version: 2.5.183.0
Assembly Build Date: 1/24/2020 2:51:51 PM
.Net Runtime Version: 4.0.30319.42000

Exception Source: System
Exception Type: System.Security.Authentication.AuthenticationException
Exception Message: The remote certificate is invalid according to the validation procedure.
Exception Target Site: InternalEndProcessAuthentication

---- Stack Trace ----
System.Net.Security.SslState.InternalEndProcessAuthentication(lazyResult As LazyAsyncResult)
openHistorian.exe: N 8024338
System.Net.Security.SslState.EndProcessAuthentication(result As IAsyncResult)
openHistorian.exe: N 00078
GSF.Communication.TlsServer.ProcessTlsAuthentication(asyncResult As IAsyncResult)
TlsServer.cs: Ln 1188, Col 17, IL 0071

(Outer Exception)
Date and Time: 1/24/2020 4:11:23 PM
Machine Name: NOJA-180
Machine IP: fe80::7970:c144:d14d:84c7%16
Machine OS: Microsoft Windows NT 6.2.9200.0

Application Domain: openHistorian.exe
Assembly Codebase: C:/Program Files/openHistorian/openHistorian.exe
Assembly Full Name: openHistorian, Version=2.5.183.0, Culture=neutral, PublicKeyToken=null
Assembly Version: 2.5.183.0
Assembly Build Date: 1/24/2020 2:51:51 PM
.Net Runtime Version: 4.0.30319.42000

Exception Source:
Exception Type: System.Exception
Exception Message: Unable to authenticate connection to client [::ffff:10.10.150.204]: No matching certificate found in the list of trusted certificates.

Could you please help me to solve this?
Also, when creating debug dlls, it’s pointing to the hardcoded path where I built the dll.

A debug build of openHistorian.exe will not run as a service unless you add the -RunAsService flag. It’s designed to run as an application by default to simplify debugging with Visual Studio.

Hi Stephen,

thanks for your information.

I’m getting below error in status log and not able to see page in OpenHistorian Web Manager.

[1/28/2020 1:23:24 PM] Failed to pre-compile razor template “GSF.Web.Security.Views.Login.cshtml”: Errors while compiling a Template.
Please try the following to solve the situation:

Error 1:

Application Domain: openHistorian.exe
Assembly Codebase: C:/Program Files/openHistorian/openHistorian.exe
Assembly Full Name: openHistorian, Version=2.5.183.0, Culture=neutral, PublicKeyToken=null
Assembly Version: 2.5.183.0
Assembly Build Date: 1/28/2020 11:40:41 AM
.Net Runtime Version: 4.0.30319.42000

Exception Source: RazorEngine
Exception Type: RazorEngine.Templating.TemplateCompilationException
Exception Message: Errors while compiling a Template.

  • If the problem is about missing/invalid references or multiple defines either try to load
    the missing references manually (in the compiling appdomain!) or
    Specify your references manually by providing your own IReferenceResolver implementation.
    See https://antaris.github.io/RazorEngine/ReferenceResolver.html for details.
    Currently all references have to be available as files!
  • If you get ‘class’ does not contain a definition for ‘member’:
    try another modelType (for example ‘null’ to make the model dynamic).
    NOTE: You CANNOT use typeof(dynamic) to make the model dynamic!
    Or try to use static instead of anonymous/dynamic types.
    More details about the error:
  • error: (22, 21) The type or namespace name ‘Ajax’ does not exist in the namespace ‘Microsoft’ (are you missing an assembly reference?)
    Temporary files of the compilation can be found in (please delete the folder): C:\Users\LoganathanM\AppData\Local\Temp\RazorEngine_ojoqed35.m04
    The template we tried to compile is:

Error2:
[1/28/2020 3:43:50 PM] [TLS!DATAPUBLISHER] Data publisher encountered an exception while connecting client to the command channel: Unable to authenticate connection to client [::ffff:10.10.151.141]: No matching certificate found in the list of trusted certificates.

I’m getting below error, while launching web page.

This localhost page can’t be found
No web page was found for the web address: http://localhost:8180/@GSF/Web/Security/Views/Login.cshtml?redir=Lw%3D%3D

Could you please explain the cause for the both errors
If there any settings or am I missing anything?

If there are errors compiling the Login.cshtml template, then you certainly would not be able to get to the web interface. There should be more details about Error 1 in the error log that would help to determine what the cause is.

Error 2 is indicating that you created a subscription to the TLS data publisher, but the data publisher has not been properly configured to allow access for that subscriber. If you are using an internal subscription, you need to change the port either to 6175 for GEP or 7175 for STTP. If you actually are creating a TLS subscription, you will need to import the subscription request (.SRQ file) on the publisher system via the Actions > Data Publisher Configuration > Authorize Subscribers screen.

Hi Stephen,

I keep getting the below error, even though I placed the subscriber and publisher certificates in the certs\remotes folder on each machine.

“Data subscriber encountered an exception while attempting command channel publisher connection: Unable to authenticate connection to server: No matching certificate found in the list of trusted certificates.”

Could you please explain cause for this error?

I followed below steps

  1. Subscriber machine (S), I created subscriber request (.srq) file.
  2. Publisher machine (P), I imported (.srq) file and authorized subscriber and saved subscriber details as per procedure.
  3. Publisher machine, certificate was created while authorizing subscriber and stored under /certs/remotes folder.
  4. Subscriber machine no certificate was created in publisher name, so I copied the certificate from publisher machine and put it under /certs/remotes folder of subscriber machine.
  5. Imported certificates in both machines to trusted root authority using mmc.

Result:
Publisher machine, no error is logged but status log is saying subscriber connection is closed.
subscriber machine ,“Data subscriber encountered an exception while attempting command channel publisher connection: Unable to authenticate connection to server: No matching certificate found in the list of trusted certificates.”

I’m not sure, where to put the certificate?
Do I need to create any self-signed certificate using make-cert or IIS tools?

Whatever documents we have and you provided, did not describe about certificate part clearly.

Please help.

thanks & Regards
Logu

Hi Logu,

First of all, let me clarify that my recommendation was to use an internal subscription if the communications channel was trusted. An internal subscription does not require a certificate exchange, so the material I provided would not have explained what to do. The process for setting up a secure connection using TLS can be significantly more complicated. The basic procedure for a unidirectional data flow is as follows.

  1. Locate openHistorian.cer in the openHistorian installation folder on the publisher system.
  2. Transfer openHistorian.cer to the subscriber system.
  3. Use the Create Authorization Request page to configure the subscriber. When you create the request, make sure to click the Advanced... button and use the Import CER... button to import the publisher’s certificate into the trusted certificate store on the subscriber system. Also make sure to check the Self-signed? checkbox.
  4. After generating the subscription request (the .SRQ file), transfer that file to the publisher system and then use the Authorize Subscribers page to configure the publisher. The first thing you do should be to import the SRQ. You can edit the information from there. Make sure to check the Self-signed? checkbox.
  5. Go back to the subscriber and enable the device that represents the subscription.

For more detailed information, you can refer to the following discussion.
https://discussions.gridprotectionalliance.org/t/subscriptions-using-tls/445

Thanks,
Stephen

Hi Stephen,

Thanks for your help. I’m able to subscribe with publisher after importing certificate.

Please clarify below with respective of TLS publisher/subscription.

Query 1: Measurement details are not appearing in subscriber machine under option “input/Subscription based inputs/Measurement Subscriptions”

We have below environment,

  1. We have 3 machines (A, B and C).
  2. Machine A connected with Synchro phaser & PDC.
  3. Machine B & C is running with PDC (OpenHistorian) only.
  4. I enabled TLSPublisher between A & B, A & C.
  5. A is successfully connected with B and C; stream statistics are good.
  6. A is configured subscriber measurement access under Action/publisher menu.
  7. In B, I’m able to see all measurements, which measurements are enabled access from A.
  8. In C, I’m not able to see all measurements, which measurements are enabled access from A.
  9. Between A & B, A & C, streaming statistics is fine and showing green, but measurement is not
    appearing between A & C.

Could you please explain, if I need to do anything?

Query 2:

To perform TLSPublishing between PDCs, we are using default certificate “OpenHistorian.cer”, which is arrived with setup.

In future, we need to use our own certificate, which is received from certificate authority.
What is the procedure for this? Could you please explain.

Thanks & Regards
Logu

Query 1: Please ensure that you have configured measurement access for subscriber C on publisher A by selecting the appropriate option in the combo box on the Measurement Access screen.

Query 2: The procedure is pretty simple. Install the certificate into the certificate store, adjust permissions to give openHistorian access to the private key, use Windows tools to export the .cer file, then override the appropriate setting in openHistorian configuration to tell the system to use that .cer file to identify the local certificate. Note that GEP/STTP uses mutual authentication, so every system should have its own certificate whether subscriber or publisher. Please refer to the link in my previous post for information about the configuration settings that need to be overridden in order to use your own certificates. Here is the link again.

https://discussions.gridprotectionalliance.org/t/subscriptions-using-tls/445

Hi Stephen,

please clarify below

I’m using TLS publishing and trying in below environment.

3 systems running with OpenHistorian (such as A, B and C)

  1. ‘A’ is connected with PMU and running with OpenHistorian.
  2. ‘B’ and ‘C’ both are running with OpenHistorian only.
  3. Here ‘B’ is subscribed with ‘A’.
  4. ‘C’ is subscribed with ‘B’.

Result:

“A” is publishing all measurement details to “B” using PPA and through Gateway Exchange Protocol (GEP) by default.
But B is not publishing any information to C, but it’s connected successfully. Expectation is we need to see A’s measurement details in ‘C’ through ‘B’.

I observed, B is publishing A’s details to ‘C’ through Gateway Protocol by default.
Also, by default its exposing all measurements through STAT, not through PPA.

Could you please clarify where I’m missing and why I’m not able to see A’s measurements in ‘C’ through ‘B’?

If you need any other information, please let me know.

Thanks & Regards
Logu

Ah, if C is connected to B then it makes more sense. Your issue has to do with internal and external data flows. The short answer is that you need to tweak the connection string on B’s subscriber to make sure internal=true is applied. For details, please refer to the following post.

Dear Stephen,

Thanks for your great information. It is working fine.

I have few more queries, please kindly clarify.
According to this current scenario, all devices (A, B, C) are in the same network (within the corporate network).

C is a subscriber for B and C is located at other network (public or Cloud).
B is located within corporate network.

We need to forward the message to C through B.
Now, we are using internal forwarding or internal subscription, when all are in same network.
How will you configure when in other network?

thanks & Regards
Logu

For data coming from another network, you should probably be using receiveInternalMetadata=true; receiveExternalMetadata=false; internal=false. This will bring in the remote network’s internal data, but your subscriber will consider it to be external data within your network.

In general, you should do what seems appropriate to maintain the necessary data flows. Internal/external is really just a tool to help simplify the configuration of data flows for a typical synchrophasor architecture. If it makes sense to mark another network’s data as internal because you’re defining a unidirectional data flow in order to forward that data along to other networks, then it’s perfectly reasonable to do so. If you have very complicated data flows that can’t be managed with just internal/external, then you have other options such as marking everything as internal and using subscriber measurement access in the TLS data publisher configuration to filter things down. The important thing is to know how the concept of internal and external works in order to get your data flows right.

Thanks,
Stephen

Hi Stephen,

I’m performing TLSSubscription between Azure VM running with OpenHistorian and PC running with OpenHistorian at my office network.

I configured all required settings between Azure VM and my PC.
Here my PC is a publisher, Azure VM is a subscriber.

I’m not able to find any error message in publisher log file and showing green color in subscriber status.
Whereas on the Azure VM (Subscriber), stream statistics is in gray color and logging below details in statuslog.txt file.

Could you please explain why it’s happening?

[2/13/2020 3:55:12 PM] [ABC] Attempting connection to tcp://ABC IPAddress:6177…

[2/13/2020 3:55:12 PM] [ABC] Attempting command channel connection to publisher…

[2/13/2020 3:55:12 PM] [ABC] Connection established.

[2/13/2020 3:55:12 PM] [ABC] Data subscriber command channel connection to publisher was established.

[2/13/2020 3:55:12 PM] [ABC] Failure code received in response to server command “Unsubscribe”: Subscriber not authenticated - Unsubscribe request denied.

[2/13/2020 3:55:12 PM] [ABC] Failure code received in response to server command “MetaDataRefresh”: Subscriber not authenticated - MetaDataRefresh request denied.

Thanks & Regards
Logu

When the subscriber connects, what information does the publisher’s status log provide?

Hello Stephen,

Good Morning

I’m trying to perform TLS subscription between two machines (Cloud and Non-cloud machines), I’m able to perform subscription successfully, However I have a query, please clarify.

• Machine-A Cloud
• Machine-B Non-cloud running within corporate network.

Machine details

Machine A:
o Running with OpenHistorian 2.6.x version
o Not connected with PMU
o Locating at Azure cloud environment
o It’s a subscriber to machine B
o Firewall is configured to allow all relevant ports.
Machine A’s subscriber configuration
interface=0.0.0.0; compression=true; autoConnect=true; securityMode=TLS; server=Public IP of Corporatenetwork:6177; remoteCertificate=C:\Program Files\openHistorian\Certs\Remotes\ABC.cer; validPolicyErrors=RemoteCertificateChainErrors, RemoteCertificateNameMismatch; validChainFlags=UntrustedRoot; checkCertificateRevocation=False;receiveInternalMetadata=True; receiveExternalMetadata=True

Machine B:
o Running with OpenHistorian 2.6.x version
o Connected with PMU
o It’s a publisher to cloud machine.
o Running within corporate network.
o Subscriber configuration is enabled with “Self-signed” and “Enable PG connection”.
o Relevant certificate is placed at C:\Program Files\openHistorian\Certs\Remotes\SubscriberName.cer

My Queries:

  1. Subscriber machine’s, server configuration parameter, we have mentioned Public IP of Corporatenetwork:6177, whereas local network, we are giving exact publisher IP address.

Here, if I have 2 publishers and will be subscribed by one cloud machine, in this case, how can I mention each publisher details? because, we have specified public IP of corporate network.

This may be infra related question, but if you have any suggestion for this use case, please clarify.
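
An added example, not part of the original posts and not openHistorian code: a small Python audit of a subscriber connection string like the one quoted in the post above, which also catches the internal/TLS port mix-up behind the earlier [TLS!DATAPUBLISHER] error. The host publisher.example, the finding codes, treating 6177 as the TLS publisher port, and reading validPolicyErrors/validChainFlags as lists of tolerated validation errors are assumptions of this example.

```python
# Added example: audit a GEP/STTP subscriber connection string.
# Key names are the ones shown in the thread; finding codes are this example's own.
INTERNAL_PORTS = {"6175": "GEP", "7175": "STTP"}  # internal ports named in the thread
TLS_PORT = "6177"  # assumption: TLS publisher port, as used in the thread's setup

# Constructed samples; publisher.example is a placeholder host.
TLS_SAMPLE = (
    r"interface=0.0.0.0; securityMode=TLS; server=publisher.example:6177; "
    r"remoteCertificate=C:\Program Files\openHistorian\Certs\Remotes\ABC.cer; "
    r"validPolicyErrors=RemoteCertificateChainErrors, RemoteCertificateNameMismatch; "
    r"validChainFlags=UntrustedRoot; checkCertificateRevocation=False"
)
INTERNAL_SAMPLE = "interface=0.0.0.0; server=publisher.example:6177; internal=true"


def parse_connection_string(text):
    """Split 'key=value; key=value' into a dict with lower-cased keys."""
    settings = {}
    for pair in text.split(";"):
        key, sep, value = pair.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def split_flags(value):
    """'A, B' -> ['A', 'B']; an empty value or 'None' yields []."""
    flags = [f.strip() for f in value.split(",")]
    return [f for f in flags if f and f.lower() != "none"]


def audit(text):
    """Return (code, detail) findings for one subscriber connection string."""
    s = parse_connection_string(text)
    tls = s.get("securitymode", "").lower() == "tls"
    port = s.get("server", "").rpartition(":")[2]
    findings = []
    if tls and port in INTERNAL_PORTS:
        findings.append(("port-mismatch", f"TLS subscriber aimed at internal {INTERNAL_PORTS[port]} port {port}"))
    if not tls and port == TLS_PORT:
        findings.append(("port-mismatch", f"non-TLS subscriber aimed at TLS port {port}"))
    if not tls:
        findings.append(("no-tls", "no certificate exchange; channel must already be trusted"))
    if tls and not s.get("remotecertificate"):
        findings.append(("no-remote-cert", "no remoteCertificate file named for the publisher"))
    for flag in split_flags(s.get("validpolicyerrors", "")):
        findings.append(("tolerated-policy-error", flag))
    for flag in split_flags(s.get("validchainflags", "")):
        findings.append(("tolerated-chain-flag", flag))
    if tls and s.get("checkcertificaterevocation", "").lower() == "false":
        findings.append(("revocation-off", "certificate revocation is not checked"))
    return findings


if __name__ == "__main__":
    for name, sample in (("TLS", TLS_SAMPLE), ("internal", INTERNAL_SAMPLE)):
        print(name)
        for code, detail in audit(sample):
            print(f"  {code}: {detail}")
```

The tolerated-error findings are expected for the self-signed setup described in the thread; they are worth reviewing again once CA-issued certificates replace the default openHistorian.cer.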