WinCC OA OS Auth

[stephen.jones]

Hello,

My question concerns the OS authentication (OS Auth) feature of WinCC OA.

I am designing a new SCADA system with WinCC OA. We want a central system to store and manage all user accounts and against which all applications can authenticate. Everything is to be Linux/Unix based, so Active Directory is not an option.

I have a test system with WinCC OA 3.16 on CentOS 7.5. Separate CentOS servers are running 389 Directory Server as the LDAP directory (with SSL enabled). All hosts (including those with WinCC OA) have the OS configured through PAM, NSS and OpenLDAP client to authenticate against 389-DS (for login, SSH, etc.).

I create a new test project in WinCC OA, open the User Administration tool from Gedi and change the mode to 'OS Auth'. I open Group Administration and select 'Add' and the Group Selection window appears. When I attempt to load groups the entire User Administration and Gedi windows close/crash (gedi flashing red/yellow in the console). What is happening here? The only error message I can find at the time is in the system log:

kernel: WCCOAui[2612]: segfault at 18 ip 00007f0a01ff5407 sp 00007f09f7c6bc20 error 4 in libLLVM-5.0-rhel.so[7f0a01a85000+2168000]

Not sure if/how this relates to the OS Auth issue.

The help documentation is rather Windows-centric and talks mostly about Active Directory, which doesn't really offer much help or fill me with optimism, but I note that the feature is called 'OS Auth' not 'AD Auth'.

If WinCC OA can retrieve users/groups from AD it is performing a LDAP lookup against the directory, and this function *should* work for any LDAP directory. It just needs the hostname of the directory server and the root DN. The User Administration UI does not present any settings to configure this function. What is WinCC OA looking for and how? Is there a config file I can edit or create to set the necessary environment parameters?

I created the file /etc/pam.d/wincc_oa with reference to password-auth which should would if WinCC OA passes authentication requests off to PAM. I just need to know how to import the users/groups into WinCC OA. Any guidance to this end is appreciated.

Regards,
Steve Jones

[leoknipp]

I have switched to OS Auth in a Linux project running WinCC OA 3.16 and patch P016.
The segfault error you have described did not occur and the UI was not stopped.

Which patch level is installed at your system?

Best Regards
Leopold Knipp
Senior Support Specialist

[stephen.jones]

The system is 3.16 patch P016. All RPM files are *-rhel-0-16.x86_64.rpm.
The system is a clean install of WinCC OA, not upgrade on top of a earlier version.
The OS is CentOS 7.5.1804 as the system requirements list RHEL/CentOS 7.5.
I can provide detailed steps of how the system was built if that would be helpful.

Regards,
Stephen Jones

[stephen.jones]

Here are the steps I followed to produce the test system installation.
All Linux VMs are built from this basic template:

1. Create new VM and perform minimal install from CentOS 7.5 ISO image.
2. Disable NetworkManager
3. Edit grub config to disable IPv6 and restore proper NIC naming scheme.
4. Configure network, hostname, etc. and enable network service.
5. Set SELinux to permissive mode.
6. Configure YUM to use local repo mirror of CentOS 7.5.1804 with base and updates enabled.
7. Run yum update.
8. Install vmware tools.
9. Disable firewalld and replace with iptables.
10. Disable chrony and replace with ntp.
11. Install nss-pam-ldapd and openldap-clients and configure PAM, NSS and LDAP to authenticate to directory servers.

For a VM with WinCC OA installed these steps follow the above:

1. Run group install of X Window System.
2. Install Gnome desktop by installing only these packages:
   • gnome-classic-session
   • control-center
   • gnome-terminal
   • nautilus-open-terminal
   • liberation-mono-fonts
   • dejavu-sans-mono-fonts
   This gives a clean minimal DE without the 1000 packages of junk that RH assume we "need" on the desktop.
3. Install vmware desktop tools and set default runlevel 5.
4. Install tigervnc-server and xinetd for remote desktop.
5. Install WinCC OA 3.16 packages.

Installation of WinCC OA is successful, but there is a problem. No WinCC OA application (project admin, console or help) can be launched from the application menu. Nothing happens. Attempting to open a WinCC OA application results in this message in WCCOAui0.log:

WCCOAui: symbol lookup error: /opt/WinCC_OA/3.16/bin/libQt5XcbQpa.so.5: undefined symbol: FT_Get_Font_Format

Searching the web I find others with this FT_Get_Font_Format error with Qt on RHEL/CentOS 7.4 and 7.5, apparently due to an incompatibility with the freetype library. I found this summary of the issue:

The problem is that the freetype library renamed FT_Get_X11_Font_Format to FT_Get_Font_Format somewhere in 2015. The old symbol FT_Get_X11_Font_Format is still defined in the new version of the library for backward compatibility, but the new symbol is of course not defined in the old library. A newer QtCreator will attempt to call the new symbol (through PyQt5) but will not find it.

The solution appears to be either roll back Qt to earlier version or update freetype to a newer version, typically by upgrade to EL 7.6. CentOS 7.5 includes freetype-2.4.11-15, while CentOS 7.6 updates to freetype-2.8-12. I enabled the CentOS 7.5 CR repo and updated freetype to version 2.8-12. The update installed successfully with no dependency updates.

After updating freetype the WinCC OA applications can be started and *appear to* function properly. The FT_Get_Font_Format errors are gone. I am very surprised if ETM and WinCC OA users have not found this already, but there is nothing in the release notes or from searching the forum. I can post this as a separate bug report if that would be 'correct' procedure.

However, this does not account for the segfault error from libLLVM-5.0-rhel.so when trying to import OS user/group. Out of curiosity I checked for updated llvm-private package (which installs the library with X Windows) in the CR repo, but it's a major version update. It will install, updating a couple of mesa-xxx packages in the process (also major version update), but it makes the Gnome UI dysfunctional.

I also repeated the test after doing a 'yum groupinstall GNOME' to install the 'standard' desktop over the top of my minimal desktop to see if that makes a difference, but the issues described above still remain.

Leopold, if you have WinCC OA 3.16 P016 working on RHEL/CentOS 7.5 please advise the build release of the OS and how did you avoid the Qt/freetype problem?

Regards,
Steve Jones

[leoknipp]

According to the WinCC OA Documentation the support operating system for WinCC OA 3.16 P016 is
Linux RedHat Enterprise Linux 7.7 (64bit)
CentOS 7.7 (64bit)

Please do your tests with the supported operating system.

If you still have problems and you need further assistance please get in contact with your common WinCC OA support.

Best Regards
Leopold Knipp
Senior Support Specialist

[stephen.jones]

Well, that would explain things. May I ask which documentation details this?
The WinCC OA software package, passed to me by my colleague (who receives them from ETM), includes release notes in ReadmeLinux_EN.txt and ReadmeP016.txt which I studied. The ReadmeLinux_EN.txt file heading is:

SIMATIC WinCC Open Architecture 3.16 P009 Linux 05-2019

but the file date is 17/12/2019. It states:

II. System Requirements:

RedHat Enterprise Linux 7.5 (64bit)
CentOS 7.5 (64bit)
openSUSE Leap 42.3 (64bit)
SUSE Linux Enterprise Server 12.3 (64bit)

The ReadmeP016.txt file heading is:

Patch P016 "DECEMBER-2019" for WinCC OA Version 3.16 December 2019

but has no mention of the OS requirements. Hence I assumed RHEL/CentOS 7.5 still applied.

Thanks for your assistance. I will update the OS to version 7.7 as suggested. Can you please confirm:

.) Supported Oracle Versions

Following Oracle versions are supported by WinCC OA:

- Oracle Client 12.2.0.1 / 12.2.0.2
- Oracle Server: 12.2.0.2

as stated in ReadmeLinux_EN.txt for 3.16 still applies, or has that also changed?

Regards,
Steve Jones

[leoknipp]

If you want to get the information for the supported software please have a look at the WinCC OA Documentation.
The documentation is updated if the list of supported software changes.

Best Regards
Leopold Knipp
Senior Support Specialist

[stephen.jones]

Sorry, but referring me to the documentation does not help when the documentation is missing, inadequate or wrong.
The only document I find on this site is the technical product description for V3.16, and that states RHEL/CentOS 7.4 - obviously out of date for P016.
The release notes packaged with software are also wrong since that stipulates RHEL/CentOS 7.5, as I have shown above.
I see this is as a real issue and it has caused me to waste much time and effort. I don't want to waste any more. The question still stands.

Regards,
Stephen Jones

[dvribeira]

Hi Stephen,

I know finding proper information might be at times frustrating. Not sure if the OS requirement update was included in the relevant patch release notes, but in the documentation bundled with WinCC OA 3.16 P016 under Software Requiremetns you can find that the supported edition is CentOS 7.7 64bit. This is the WinCC OA Help availabe after installing WinCC OA.

Concerning your actual question for this topic, I am afraid I can't help since I have not played with that. I hope someone in the forums might.

Cheers,
Daniel

[stephen.jones]

Thanks Daniel, I located the version information in the online help where you said it is. Of course, the problem here is you need to install an OS to install WinCC OA to open the help to determine if the OS you already installed is the right one. A little crazy??? And because the help files are in unconventional 'qch' format (not html or pdf) and can only be opened from WinCC OA you can't examine them beforehand. Now IF the help files could be downloaded from this site as html..... Still, the release notes with the software need to be correct!

Regards,
Steve Jones