Thin Web Client Security
Data security in the CygNet Thin Web Client is ensured using encrypted communication, user authentication, and access control via the CygNet Access Control Service (ACS).
Encrypted Communication
The main Thin Web Client web service and the Thin Web Client publishing service have "public" facing ports that use secure data transfer via encrypted communication. The ports are:
- Main web service (TWC.Service.Server), which uses port 5001
- Publishing service (TWC.PublishingService.Server), which uses port 7301
The placement of these servers within your network depends on your requirements for external access and your company’s security policy. These services will respond to any IP address configured on the host. If the host has multiple IP addresses, requests to these ports on any of those IP addresses will be honored.
Both the main web service and the publishing service communicate with the CygNet host server. The TWC services are CygNet clients and use the same communication APIs. Therefore, they require access to the CygNet services on the configured service ports. All firewall and network configurations, such as Network Address Translation, firewall pinholes, etc., must be configured to allow traffic to the appropriate IP addresses and ports.
All traffic between the client web browser and the Thin Web Client web services is encrypted using https. If a user attempts to access the unsecured http port (5000), they will be automatically directed to the secure https port (5001).
A website certificate from a Certificate Authority is required to access the main web service; otherwise, the web browser will attempt to block access. See Preparing your System for CygNet Thin Web Client for instructions on obtaining and installing an SSL certificate.
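The two properties this section describes (plain-HTTP requests on port 5000 are redirected to HTTPS on port 5001, and port 5001 presents a certificate a browser will trust) can be verified from an administrator's workstation. The script below is an added example, not part of the CygNet documentation or product: it uses only the Python standard library, assumes the redirect is returned as an absolute Location header, and takes the TWC host name as a command-line argument.

```python
"""Verify a TWC host's HTTP-to-HTTPS redirect and its TLS certificate.

Added example (not CygNet code). Assumes the main web service answers on
ports 5000 (http) and 5001 (https) as documented, and that the redirect
carries an absolute Location URL.
"""
import http.client
import socket
import ssl
import sys
from urllib.parse import urlsplit

HTTP_PORT = 5000   # unsecured port; should only redirect
HTTPS_PORT = 5001  # main web service, TLS


def redirect_is_secure(status, location, expected_host):
    """True only if the response is a redirect to https://<host>:5001/...

    Pure function so it can be tested without a network: a 200 on port
    5000, a redirect to plain http, or a redirect to another host all fail.
    """
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlsplit(location)
    return (
        target.scheme == "https"
        and target.hostname == expected_host.lower()
        and target.port == HTTPS_PORT
    )


def check_http_redirect(host, timeout=5):
    """Request / on port 5000 and evaluate the redirect it returns."""
    conn = http.client.HTTPConnection(host, HTTP_PORT, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return redirect_is_secure(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


def check_certificate(host, timeout=5):
    """Open a TLS session to port 5001 with full chain and host-name checks.

    Returns (True, notAfter) when the certificate validates the way a
    browser would, or (False, reason) when it would be blocked.
    """
    ctx = ssl.create_default_context()  # verifies chain against system CAs
    try:
        with socket.create_connection((host, HTTPS_PORT), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, cert.get("notAfter")
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


def check_host(host):
    """Run both checks and return a small report dictionary."""
    cert_ok, cert_info = check_certificate(host)
    return {
        "host": host,
        "http_redirects_to_https": check_http_redirect(host),
        "certificate_trusted": cert_ok,
        "certificate_detail": cert_info,
    }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: twc_check.py <twc-host>")
    for key, value in check_host(sys.argv[1]).items():
        print(f"{key}: {value}")
```

A redirect that lands on https but on a different host, or a certificate that fails chain or host-name validation, is reported as a failure rather than silently accepted, which is the same decision the browser makes before it blocks access.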
User Authentication
Like other CygNet clients, user authentication is managed by the operating system. The main web service (TWC.Service.Server) runs on a Windows-based operating system, so users authenticate either locally to that computer or via the Active Directory (AD) service associated with the main TWC service. When a user navigates to the Thin Web Client in a web browser and has not previously authenticated with the web service, they are prompted to enter valid logon credentials (a username and password). The credentials are authenticated against the Active Directory (AD) service configured for the main TWC service; if they are valid, the user can proceed, and a secure web token is generated internally and used by the browser for all subsequent communication with the service. Embedded in this secure web token is the authenticated username, which the service uses to authorize access to each of the application's pages, as well as to any referenced CygNet data entities such as facilities, points, alarms, and real-time values.
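The token flow above (credentials checked once, then a signed token that carries the username and is presented on every later request) is shown below as an added example. It is not CygNet's implementation: the token format (HMAC-SHA256 over a JSON payload), the expiry, the per-process key and the in-memory stand-in for the directory lookup are all assumptions made for illustration.

```python
"""Issue and verify a signed session token that embeds the username.

Added example, not CygNet code. Token layout, key handling and the
credential check are assumptions; the DIRECTORY dict stands in for the
operating-system / Active Directory check the page describes.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

SERVICE_KEY = secrets.token_bytes(32)  # assumption: per-process signing key
TOKEN_TTL = 8 * 3600                   # assumption: 8-hour session

# Constructed stand-in for the directory: username -> salted password hash.
_SALT = b"example-salt"
DIRECTORY = {
    "jsmith": hashlib.sha256(_SALT + b"correct horse battery staple").hexdigest(),
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def credentials_valid(username, password, directory=DIRECTORY):
    """Constant-time comparison against the stored hash (stand-in for AD)."""
    stored = directory.get(username)
    if stored is None:
        return False
    offered = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(stored, offered)


def issue_token(username, key=SERVICE_KEY, now=None, ttl=TOKEN_TTL):
    """Sign {"sub": username, "exp": ...}; only the service holds the key."""
    exp = int((now if now is not None else time.time()) + ttl)
    payload = json.dumps({"sub": username, "exp": exp}, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token, key=SERVICE_KEY, now=None):
    """Return the embedded username, or None if forged, expired or malformed.

    The signature is checked before the payload is trusted, so a client that
    edits the username inside the token is rejected.
    """
    try:
        enc_payload, enc_tag = token.split(".")
        payload, tag = _unb64(enc_payload), _unb64(enc_tag)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current:
        return None
    return claims.get("sub")


def login(username, password):
    """First request: check credentials, hand back a token or None."""
    if not credentials_valid(username, password):
        return None
    return issue_token(username)


def username_for_request(token):
    """Every later request: recover the username from the token alone."""
    return verify_token(token)


if __name__ == "__main__":
    tok = login("jsmith", "correct horse battery staple")
    print("login ok:", tok is not None)
    print("request as:", username_for_request(tok))
```

The username used for page and data-entity authorization comes from the verified token, never from anything else the client sends, which is why the signature check precedes every other use of the payload.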
Access Control
Like other CygNet clients, access control to the system and to individual Canvas screens is handled by the CygNet Access Control Service (ACS).
Additional Resources
For more information about using and configuring security events to control access in CygNet, see Security > Implementing Security.
User Access
Users must have the appropriate access permissions to the TWC server they are trying to access. Each authenticated username will be verified as authorized to access the application by checking the access level set for the username for the appropriate security application and event stored in the ACS specified in the web application’s configuration file. After authorization to the TWC server has been verified, standard CygNet system checks apply when accessing specific CygNet data entities based on the logged-in username.
User access is handled via a dedicated TWC application for the ACCESS event in the CygNet ACS. Users without proper permission for the TWC application will see a message indicating that they are not authorized to view the desired application or page. Web client users must be granted Level 1 (read) for the TWC ACCESS event in order to access the Thin Web Client server, the application menu, and all pages.
[Figure: TWC Application and ACCESS Event in the ACS]
The TWC security application and event stored in the ACS is specified in the TWC configuration file, Configuration.json:
"SystemAccessEvent":"TWC+ACCESS",
Additional Resources
For more information about using and configuring TWC security events, see Security > CygNet Thin Web Client Security.
Page Access
Users must also have the appropriate access permissions to the page(s) they are trying to access. Page security is activated for Canvas screen files published and viewed in the CygNet TWC web view.
Access to specific application pages is determined using the same ACS security settings that control a user’s access to the originating Canvas screen files stored in the BSS. Web client users must be granted Level 1 (read) for the BSS application and the ACCESS event in the CygNet ACS in order to view Canvas files stored in their BSS. If Blob File Level Security or Blob Folder Level Security is configured for the Canvas (.can) file(s), it must be at least Level 1 (read). Users without proper permission for the BSS (or the file or folder) will see a message indicating that they are not authorized to view the desired page.
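The two-stage decision described in User Access and Page Access (server access via the application and event named by "SystemAccessEvent" in Configuration.json, then page access via BSS ACCESS plus any Blob file- or folder-level security) is worked through below as an added example. It is not CygNet code: the ACS is modelled as an in-memory table keyed by username, application and event, the Blob file/folder levels as a path-keyed table, and the "no entry means denied" rule for a restricted file is an assumption of the model.

```python
"""Model of the TWC authorization checks: server access, then page access.

Added example, not CygNet code. ACS and Blob security data are constructed;
the real lookups go through the CygNet ACS, which is not shown here.
"""
import json

READ = 1  # Level 1 (read) is the minimum the page requires

# The documented key from Configuration.json, parsed as JSON.
CONFIG = json.loads('{"SystemAccessEvent":"TWC+ACCESS"}')

# Constructed ACS: (username, application, event) -> access level.
ACS = {
    ("jsmith", "TWC", "ACCESS"): 1,
    ("jsmith", "BSS", "ACCESS"): 1,
    ("ops", "TWC", "ACCESS"): 1,    # reaches the server, but no BSS access
    ("guest", "BSS", "ACCESS"): 1,  # BSS access but no TWC access
}

# Constructed Blob file-/folder-level security: path -> {username: level}.
# A trailing "/" marks a folder entry.
BLOB_SECURITY = {
    "screens/restricted/": {"jsmith": 0},            # folder-level, denied
    "screens/restricted/wells.can": {"jsmith": 1},   # file-level override
}

SERVER_DENIED = "not authorized to access the TWC server"
PAGE_DENIED = "not authorized to view the desired page"


def acs_level(user, app_event, acs=ACS):
    """Look up the level for an 'APPLICATION+EVENT' string; unset means 0."""
    app, event = app_event.split("+", 1)
    return acs.get((user, app, event), 0)


def can_access_server(user, config=CONFIG, acs=ACS):
    """Stage 1: Level 1 (read) on the configured system access event."""
    return acs_level(user, config["SystemAccessEvent"], acs) >= READ


def blob_level(user, path, blob=BLOB_SECURITY):
    """Most specific entry wins: file first, then enclosing folders.

    Returns None when nothing along the path is configured (no restriction);
    a configured entry with no row for this user is treated as level 0.
    """
    candidates = [path]
    parts = path.split("/")
    for i in range(len(parts) - 1, 0, -1):
        candidates.append("/".join(parts[:i]) + "/")
    for candidate in candidates:
        if candidate in blob:
            return blob[candidate].get(user, 0)
    return None


def can_view_page(user, can_path, config=CONFIG, acs=ACS, blob=BLOB_SECURITY):
    """Stage 2: BSS+ACCESS read, plus any file/folder-level restriction."""
    if not can_access_server(user, config, acs):
        return False, SERVER_DENIED
    if acs_level(user, "BSS+ACCESS", acs) < READ:
        return False, PAGE_DENIED
    level = blob_level(user, can_path, blob)
    if level is not None and level < READ:
        return False, PAGE_DENIED
    return True, "ok"


if __name__ == "__main__":
    for user, path in [("jsmith", "screens/overview.can"),
                       ("jsmith", "screens/restricted/compressor.can"),
                       ("jsmith", "screens/restricted/wells.can"),
                       ("ops", "screens/overview.can"),
                       ("guest", "screens/overview.can")]:
        print(user, path, can_view_page(user, path))
```

Note that a user who is denied at stage 1 never reaches the BSS or file-level check, and that a file-level entry overrides the folder it sits in, so auditing who can see a page means reading the ACS and the Blob security settings together.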
[Figure: BSS ACCESS Event in the ACS]
ACS Changes and Login Issues
The TWC server (and sometimes Canvas) doesn't always respond immediately to a change in the ACS. If you can't access your application menu or other pages in the CygNet TWC web view after configuring ACS security events and attempting to log in, try forcing a browser refresh to clear the browser cache and/or browser history, and reload the page.
Force Refresh — Note that different operating systems and browsers use different commands or shortcuts to force a browser refresh. In Chrome or Edge on Windows, the keyboard shortcut Ctrl+F5 (or Ctrl+Reload) forces a refresh. On a Mac, press Cmd-Shift-R or Shift-Reload. Most browsers also have a refresh button next to the URL. For Safari on a Mac, right-click "Safari" at the top left of the page and select "Empty Cache". Confirm your choice, then reload the page. On Windows, press the "Alt" key to reveal the menu bar, select "Edit" > "Empty Cache", then confirm the selection.
