Support General
Overview: Dongle, Windows installation, Windows security, Driver under Windows 7, Driver under Windows 10, Driver under Windows XP, Rockwell controllers, S7-1500, BACnet station search, Rockwell PLC station search, certificate know how, installation in docker, tcpdump short usage, ssl library considerations.
Answer:
Please first check in the license overview, in the dongle list, whether the dongle is recognized by the PC.
The dongle must be plugged in when the software starts up. In most cases the software starts when the system is powered on.
It needs to be started before a user has logged in.
You can restart the Windows service "ConfigServer" or the Linux daemon "ConfigServer". You can also restart the PC.
Answer:
Older Windows versions such as Windows 7 before 2014, Windows Server 2012 with updates before 2014, and Windows Server 2008
with updates before 2014 need service packs which Microsoft has offered since October 2014.
This example shows the steps for Windows Server 2012:
- Install update KB2919355 (download via Windows Update).
- Install update KB2999226 (Windows 10 Universal C Runtime; the badly formatted name of this update is Windows8.1-KB2999226-x64.msu).
Other Windows versions need other updates. The updates also depend on the language your Windows is using. Ask Microsoft for details.
The standard libraries Tani ships with its products are handled by Microsoft Windows Update.
Answer:
Instructions to add Tani OPC Server and PlcEngine as exceptions to the Virus detection
Viruses and threat protection
Viruses & threat protection - Manage settings
Exclusions at the bottom - Add or remove exclusions
Add exclusions
Folders
c:\Program Files\Tani
c:\Windows\System32\Tani
After these settings are made, it is sometimes necessary to install the Tani software again.
Firewall
The firewall entries shown are added by the installation if you selected this option.
Instructions to start Tani OPC Server and PlcEngine services delayed
However, especially with virtual machines, it also happens that the network is not yet up when the Tani services start. For this reason, the Tani software should be started with a delay.
Tani configserver service - Automatic (delayed start)
Tani Logger Service - Manual Start
PLC Engine Service - Manual Start
Answer:
Install update KB3033929.
Microsoft and all certificate suppliers have stopped using the unsafe
SHA1. Older Windows versions support SHA1 only, so an older Windows
does not recognize the certificate and prevents the driver from starting.
Windows from version 7 onward requires valid certificates for drivers.
Windows XP is not affected because it does not check certificates for
drivers. There are no updates for XP from Microsoft, but the latest XP service packs need to be installed.
On some Windows XP versions, mostly from Compaq or IBM, the driver will not be installed properly.
The solution is to install it by hand via the network settings in the system control panel.
Answer:
Switch off secure boot in your BIOS.
In secure boot mode Microsoft only accepts certificates for drivers which are signed by the Windows test and signing center.
This is made for mass-producing companies; it cannot be used outside.
Answer:
This may happen if the latest XP fixes are not installed.
Install the latest fixes and reinstall the driver.
Alternatively, install the driver by hand: open the system control panel, then open the network settings. Choose any network adapter.
Choose "settings" and add a protocol (install, protocol, disc, search).
The driver is located in the folder where the Tani product was installed (Tani, H1 Driver, H1). Select the .inf file.
Press "open" and then "Ok" multiple times.
Answer:
The whole array can be handled easily by accessing it via browsing. If the array is very big (some kilobytes), it is recommended to access not the whole array but parts of it. Start and length are given with the item syntax. If the variable is named "MyBigArray" and has 10k elements, you can access 100 elements starting from element 1000 as follows: "MyBigArray[1000,100]". Arrays in structures are handled in the same manner. A single element of the array is addressed with "MyBigArray[1000]".
Answer:
The OPC Server checks every ten seconds for changes in the controller. If a change is detected, it reorganizes everything necessary internally. However, it is preferable not to write into the controller if the controller data elements are changed frequently. Reading data is always safe.
Answer:
Two variants exist:
- The modern version with support for the "Optimized Data Blocks".
  During the configuration of the connection, choose the entry with function "S7 1200/1500" in the TSAP window.
  If you do not have a controller at configuration time, use the TSAP
  Own TSAP 0601 (binary)
  Destination TSAP SIMATIC-ROOT-ES (ASCII).
- The old S7 protocol. The optimized data blocks cannot be accessed with this. Select a TSAP pair from the list.
With the new protocol all variables such as inputs, outputs, data block variables and flags are browsed online. With the old protocol and an S7 300/400, please use the item syntax or import the symbols from the Step7 or TIA project.
Answer:
In your firewall, enable receiving UDP broadcasts on port 47808. A Linux firewall will show the rule as follows:
iptables -I INPUT 1 -p udp -m pkttype --pkt-type broadcast -m udp --dport 47808 -j ACCEPT
All standard firewall frontends support this. It is mostly found under "Broadcast" "External Zone".
The BACnet station search request is answered via broadcast, so the station search only works within a subnet.
For searching in other networks, please use BBMD.
Without the station search, the device id needs to be entered manually.
Answer:
In your firewall, enable receiving UDP answers after a broadcast has been sent to port 44818. A Linux firewall will show the rules as follows:
ipset -exist create udprec hash:ip,port timeout 3
iptables -A INPUT -p udp -m set --match-set udprec dst,dst -j ACCEPT
iptables -A OUTPUT -d 255.255.255.255/32 -p udp -m udp --dport 44818 -j SET --add-set udprec src,src --exist
This rule set defines a set named udprec.
For three seconds after a broadcast search request, all UDP answers to the address and port the request was sent from are not filtered out.
These are the answers from the Rockwell controllers.
All standard firewall frontends support this. It is mostly found under "Broadcast" "External Zone".
The station search naturally works in one subnet only. Routers do not forward broadcast requests.
Answer:
There are many file names and file formats for certificate files.
The Tani products use the .pem format.
More information on the formats, and on converting one format into another, can be found under
certificate details
Answer:
All Tani products work fine in Docker, Kubernetes and other lightweight virtualization environments.
This example installs PLC Engine in a Docker container with Ubuntu running inside. It is tested on
hosts running Suse Leap 15.2 and the Linux subsystem on Windows 10.
The configuration files are shared into the container. The needed ports are shared as well.
Download the example: Dockerfile
Answer:
tcpdump is a Linux command line tool for recording traffic on a network.
In general, doing a network recording is an administrative task. It requires root rights.
Sometimes the tool needs to be installed first; all distributions offer tcpdump.
First the correct network adapter needs to be chosen. The command
tcpdump --list-interfaces
or tcpdump -D
lists the adapters.
Then the recording can be started.
tcpdump --interface eth0
or tcpdump -i eth0
starts the recording on eth0. Use one of the adapters from the adapter list.
You can record on all adapters with
tcpdump --interface any
but doing so is not recommended.
Recording filters reduce the load and increase security.
Filters for an IP address (host) or for a port are
tcpdump -i eth0 host 192.168.2.2
or
tcpdump -i eth0 port 102
Multiple adapters and hosts and ports can be given.
Saving the recording to a file
tcpdump -i eth0 -w recording.pcapng
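Ideally adapters, host and port addresses and a file name are given; combine the filter parts with "and", "or" and parentheses, and quote the filter so the shell does not interpret the parentheses. Example
tcpdump -i eth0 -w recording.pcapng '(host 192.168.2.2 or host 192.168.2.3) and (port 102 or port 4840)'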
More options are available in the Linux manpages.
The files can be shown easily with Wireshark, so copy them to another machine with a graphical screen and handle them there.
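The steps above combined into one script, as an added example that is not part of the original Tani page: it validates hosts and ports before building the filter, because the resulting string ends up on a command line that runs as root. The function names are made up for this example; the addresses, ports and file name are the samples used above.

```shell
#!/bin/sh
# Added example: assemble a tcpdump command with a validated capture filter.
# Function names are hypothetical; addresses and ports are the page's samples.

valid_ipv4() {                       # dotted quad, each octet 0..255
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_port() {                       # decimal 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# join_terms KEYWORD VALIDATOR CSV -> "(KEYWORD a or KEYWORD b)", empty for empty CSV
join_terms() {
    keyword=$1; check=$2; out=
    case "$3" in *[!0-9.,]*) echo "rejected $keyword list: $3" >&2; return 1 ;; esac
    old_ifs=$IFS; IFS=,; set -- $3; IFS=$old_ifs
    for item in "$@"; do
        "$check" "$item" || { echo "rejected $keyword: $item" >&2; return 1; }
        out="${out:+$out or }$keyword $item"
    done
    [ -z "$out" ] || printf '(%s)' "$out"
}

# build_filter HOSTS_CSV PORTS_CSV -> pcap filter; fails on bad or empty input
build_filter() {
    hosts=$(join_terms host valid_ipv4 "$1") || return 1
    ports=$(join_terms port valid_port "$2") || return 1
    [ -n "$hosts$ports" ] || return 1
    if [ -n "$hosts" ] && [ -n "$ports" ]; then
        printf '%s and %s\n' "$hosts" "$ports"   # explicit "and" joins the groups
    else
        printf '%s\n' "$hosts$ports"
    fi
}

# capture_command IFACE HOSTS PORTS FILE -> prints the command line, does not run it
capture_command() {
    for name in "$1" "$4"; do
        case "$name" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    done
    filter=$(build_filter "$2" "$3") || return 1
    # -n: no name lookups; options go before the single-quoted filter
    printf "tcpdump -n -i %s -w %s '%s'\n" "$1" "$4" "$filter"
}

capture_command eth0 192.168.2.2,192.168.2.3 102,4840 recording.pcapng
```

The script only prints the command; run the printed line as root to start the recording.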
Answer:
The SSL libraries are used for everything related to encryption. Many software components are based on them, such as
OPC UA, the Siemens S7 1500 protocols, MQTT, HTTPS and the connection between the graphical
configuration software and the core software.
Because of their security function, things sometimes change. This can break compatibility.
Protocols which have been found to be insecure are dropped, and automatic selection of weaker
encryption methods is stopped. Mostly this is driven by insurers and governments.
In July 2023 the Tani software switched to SSL 3.1. The previous SSL version was 1.1.1.
There may be some inconveniences, but security takes precedence over compatibility. SSL 1.x is no longer supported
by the SSL maintainer; all users need to change to 3.x as the minimum.
Beware that some more modern security software such as firewalls may stop older software using
SSL 1.x from running. This is not in the hands of Tani. The only solution is to use current software.