Auto-logon to remote ClearSCADA Server WebX/VVX

du5tin · ‎2020-10-23

Hi,

We have several clients that are using a distributed ClearSCADA architecture. Larger remote facilities have local ClearSCADA HMIs and then they have a large central ClearSCADA system for small remote wells and little sites that have remote monitoring. Everything is provided to users via WebX (and in the future VVX). Operators and users of the system start at the large central ClearSCADA system and logon. From here the user can navigate to the remote ClearSCADA systems using a vbscript that opens an Internet Explorer window (only way we could 'open a new tab') and then they have to log in again.

Is there a way to pass that user's credentials over to the remote ClearSCADA system from the Central one so when they navigate the user is not prompted to log in again?

Thanks,

-D

BevanWeiss · ‎2020-10-23

Not in a secure manner, no. (and hence it's unlikely any such way would be supported).

The recommendation here would be to use VVX, or ViewX itself, and configure the appropriate connections.

Then when the user logs in for the first time, they would log into all the systems (securely).

Another way is horribly hacky, and from a cyber security perspective you should ABSOLUTELY NOT CONSIDER THIS.

Which is to use a landing page, which is accessible to Everyone. That page would prompt for user credential via a VBscript form, and would cache them somewhere... you would then call the ViewX Logon method and supply the username/password that you just cached. The cached passwords would be stored IN THE CLEAR and in no way encrypted or otherwise protected, they would be trivially accessible to anyone with any technical knowledge and the likelihood of them being inadvertently released externally is astronomical.

Lead Control Systems Engineer for Alliance Automation (VIC).
All opinions are my own and do not represent the opinions or policies of my employer, or of my cat..

du5tin · ‎2020-10-26

Thanks Bevan. This makes sense. VVX with multiple connections would be okay... but one customer has 40+ remote HMIs (GeoSCADA) over higher latency cell connections and not all operators in all areas should have access to all remote HMI systems. Running it all through one or more central VVX server(s) would be cumbersome. Needs more research.

One thought I had was using mimic_load on the remote system to "auto-logon" the operator. Those systems often use generic passwords instead. The user would go to the Central host first, logon with the username/domain password to be fully authenticated there. If they are logged on (username <> guest) then on navigate to the remote system we can send them to read-only, non-browsable mimic with a mimic_load subroutine that logs them into the remote system with generic credentials (operator/operator). This still is not a great solution though, probably worse than what you have described.

If there was a way we could store and pass the username and some hash of the password of the remote system centraller and have the remote WebX system pick it up on navigation, accept the user name and decoded hashed password that maybe has potential too? At least then the password is not stored or sent clear text. But... most hashes we can perform in the scripting wouldn't be hard to backwards engineer and now it starts sounding too complicated to manage easily.

Maybe @sbeadle will see this thread and guide me to the right path.

AdamWoodland · ‎2020-10-26

> Running it all through one or more central VVX server(s) would be cumbersome

Also remember that ViewX runs on the VVx server so connecting from the central server over the high latency links might not be as performance happy as you might want.