Introduction
As is typical for a major update, some fundamental services have been removed while new services have been added. The configuration for certain aspects has been moved within the Canary Admin client, mainly those concerning security, which is now handled by the new Identity service. In this video, Ken looks at these features in more detail, discusses upgrade considerations, and explores the future roadmap and feature requests.
Transcript
00:10
Ken
Okay, I think I’m on here. There we go. We try to make it a fast transition here. So just a few topics that I wanted to dive a little deeper into on Canary version 24. So we talked about Identity and that being a brand new service. Quickly show you the ins and outs of that. We’ll talk a little bit about Axiom and then just very quickly touch on Store and Forward and some work that we did in calculations. So we’ll start with Identity and around the architecture of that. So, as I said, we’re getting into larger deployments where we have more and more servers sitting at a particular network layer. Before, you had to go to every server, you had to go to every service and you had to do your access control lists or your ACLs.
00:57
Ken
So now, ideally, if we can get a single Identity service per network layer, then the configuration’s gonna be a lot faster. And that configuration applies to every server and every service that you have installed at that network layer. We’re currently working on it: we know right now, if you do an architecture like this, Identity is a single failure point. So we’re actively working on getting Identity working behind a load balancer as well so that you can have always-on connectivity. Now, if you happen to have Canary residing in multiple network layers, typically your OT and your IT are gonna have different domains, and so you’re not gonna be able to share an Identity service. You may not be able to get the right ports opened and allow traffic through anyway. So in that case, you would be running an Identity service
01:49
Ken
at level three, your OT layer, and then potentially another Identity service at level four to handle all your corporate, enterprise or cloud needs. So before, anyone who’s used Canary, you know, when you go to sign in to the administrator, there wasn’t a sign-in to the administrator. Basically, if you had access to it, you’re in. We do have one configuration where you could turn that off and enforce a username/password prompt. Very few people use that. Only a certain industry that had requested that did that. Now you’ll be able to see multiple options. You know, you can sign in anonymously, you can have SAML set up, you can obviously sign in with Active Directory, you can enable Kerberos. And my top option here was actually an IDP that I just called Azure.
02:47
Ken
Because at Canary we actually run two different domains, because we have so much cloud-hosted infrastructure as well as on-site infrastructure. So our Active Directory is our local one and then our Azure is actually our hosted provider. As I had pointed out this morning, our ACLs, our access control lists, have moved into Identity, of course, and we are starting to add some more granularity. So before Axiom, you were basically a user or you were an admin, and that opened up, you know, specific permissions or specific functions that you could do. Now we’re starting to kind of flesh out more function-based activities. Axiom is the first one that we’ve done that on.
03:34
Ken
I’m sure that we’re going to continue to add to this list to get more granularity around security and roles, based on what users are permitted or potentially not permitted to do. At Canary, we never maintained our own user subsystem, you know, because we depended on Windows AD. Everything was outside of Canary. Now that we are introducing IDPs and things like that, we’ve actually now introduced Canary users and Canary groups. But we’re not, you know, again, we’re not going to store passwords. We’re basically mapping users that sign into the system to a Canary user. Those Canary users can be assigned to groups, and those groups are then used in the access control list. And finally, in my PowerPoint here, I don’t wanna do a lot of PowerPoint. So, identity tokens and tag security. Again, Views is the gatekeeper for all data requests.
04:31
Ken
And so tag security resided in the Views service; that’s now moved to Identity. So Identity is the only place that you’re doing configuration for security, and that includes your tag security. As I mentioned earlier, also ideally, you’re gonna use APIs for all access. So Views previously had the concept of tokens that you could use for reading. These tokens now apply to writing data as well. So now you can actually have a single token that you can hand off to a vendor or third-party partner, and they can write data as well as read data through that same token. Now, okay, enough PowerPoint; wait for things to resize. I did want to point out we already have a fair amount of documentation on the Identity service. You know, some of it, we have some videos that are going to be coming out soon as well.
05:32
Ken
But we do have a series of articles under our knowledge base, version 24, system admin duties, Identity. Those will go into much more detail than what I’m going to cover here today. So version 24 out of the box still works with Windows AD. So going from 23 to 24, you actually don’t have to do anything. It will still work with AD. But if you do have other identity providers that give you multi-factor authentication, things like that, we do have a series of articles already to walk you through that. So let me jump to my VM that I have. There we go. Okay, so I have my admin pinned at the taskbar. If I launch my administrator now on my VM, I have multiple authentication methods. I’m just gonna go ahead and sign in with my Kerberos.
06:22
Ken
So it’s using my Windows, and you can see that we have a new Identity tile. You can also see my new Store and Forward tiles here. But you can also see Sender/Receiver still present. We didn’t get rid of those. So if I go into Identity, I’m just going to give you a quick walkthrough of what we’ve done in here. So if I choose it, the first screen it comes to is a list of the providers. So you can see I’ve enabled anonymous access, I’ve enabled Kerberos. Of course, with Kerberos, if you want to use that in your browser for Axiom, there might be additional work that you have to do for your browser. And I have Active Directory. So those were the three options.
07:01
Ken
If I had another IDP that I wanted to add into the system, I would simply click Add, populate all the relevant fields and all the claim IDs and all the fun stuff that goes along with configuring an IDP. So if I hit Cancel, the next thing I want to just kind of walk through. So this is kind of a repeat of the PowerPoint, but kind of showing you in the app; sometimes it’s a little hard to see up here, the PowerPoint was a little easier maybe to recognise. So here’s my access control list. If I go to Security at the bottom, immediately it takes me into these. If I was to expand them, you’re gonna get the same permissions that you had out of the box before. So we have a new permission level called Data Entry Control. By default, only administrators.
07:49
Ken
And if I expand these, I can see that most of these were things that were secured only for administrators. Some of them, of course, everyone had access to, like Logon. I do have a new field here called Scripting, which, if you’ve used Axiom before, only administrators were able to use. But I’ve actually created another group inside here. So if I jump to my users and groups, I can see I’ve actually created an Axiom Scripting group. And so very easily now, instead of only administrators having access to that, I could come in here and I could say, this is gonna be a group, and I’m going to choose my Axiom Scripting, and I’m gonna, of course, grant permission to that. So very easily, by defining other groups inside our administrator here, you can then use those very easily over there. Same with users.
08:52
Ken
So I said that every user that comes into the system has a Canary user generated and mapped to it. So on my VM here I’ve logged in anonymously, I have a local account, and I’ve logged in as my Kerberos user. And I can see that these have all generated Canary IDs. I can use these Canary IDs to then do assignments inside groups. And so now we kind of have a middle layer of security that we’ve never had before, or that we’ve never had to maintain. Just real briefly, here’s our tokens. We do have some tokens that we generate out of the box just for inter-process communication. But of course you can always come in and, oops, come in and choose to add additional tokens. You’d be attaching it to a username, of course, and what the expiration policy is.
09:45
Ken
And all we’re doing is generating a GUID that you would then hand off to whoever needs to use that token. And just the last thing in Identity, here you’ll see tag security. Tag security is identical to what it was in 23. It’s just residing in a different tile. And I can actually do configuration of multiple Views services from here. By default, it’s connecting to the local one. I can target another machine sitting at the same network layer and do the configuration all from a single Identity tile. Okay, enough about Identity. Gonna jump over to Axiom here quick. So, same thing. Signing into Axiom is gonna look just slightly different, and I have multiple options set up.
10:34
Ken
One thing I should point out with Identity: perhaps how your users are gonna authenticate in Axiom maybe is a little different than how you as an administrator might be authenticating in the administrator. We do have some settings kind of behind the scenes where you can control which providers are used on which applications. We don’t have UI around that right now, but we have that coming, where you can really get granular on which providers are going to be applicable to various processes. For now, I’m going to go ahead and sign in with Kerberos. Oh, how nice. I messed with my Identity service. Let’s try this again. Oh, there we go. Okay, that probably sat there too long. Okay, so I touched on just briefly: we have a new workflow.
11:33
Ken
So one of the most confusing things about Axiom previously was we always had this little menu hanging up in the right corner that no one ever saw, that said Application or Chart; that’s actually gone. So now you’re just going to be determining if you’re going to be opening an existing asset, such as a chart or an application, or choosing a new one. And if I choose New now, it’s going to ask which type are you creating? So now, if I say Chart, now I’m into Trend Graph as I always was before. One thing I wanted to touch on was some of the new drawing styles that we’ve added in Trend Graph. So if I come in here and choose Add, and I don’t want those tags, I want to go to, I want my integer tags. So here I have three integer tags.
12:27
Ken
I’m going to drag these onto my... I have no space to work my mouse. So the way Canary has always drawn, if you’ve ever used Axiom, is we use the step style of drawing, you know, so our assumption is that if I have a value, that value holds, and that value is good until I have a value change. And so we always draw in a stepped pattern. Not everyone likes that. It’s one of the things that we get complained about the most. And so we finally added support for additional drawing styles. So I’m going to take the trend that I have on the top and I’m actually going to duplicate that a couple of times. I’m going to add it again and I’m going to add it a third time.
13:11
Ken
So now I have my grey and my orange; they match the red at the top. So now, if I go in and adjust a couple of properties, if I choose my grey tag, I want to choose my interpretive aggregate now. And so if I choose this, you can see behind the scenes I no longer have a step style. I have the Excel-like or the nicely smooth interpretive drawing, and hopefully that makes people happy and they stop complaining about our step drawing. So we get that a lot from people coming from other systems. It’s just how they’re used to seeing the data. They’re assuming that it’s constantly in change. And so we’re finally coming around, adapting, and getting with the times here. Now I have the same trend added a third time. We’ve added a new drawing style called State.
14:06
Ken
So for something that is potentially like an enum, that indicates the type of process, and those different stages or integer values represent something, you can actually come in here and choose State. And now I can start defining what those states are. So I’ll put in a value of zero, going to keep the colour white, and I’m going to say that’s an off state. I could then choose state number one. We’ll give that a little light blue, and just very easily we’ll call that stage one, and see how quickly I can type here. We’ll give that a little bit of a green, potentially. Stage two, three, we’re going to be over here in some oranges, and I assume you can see what’s happening behind the screens here. So this will be a little pale red.
15:15
Ken
Stage four, finally, if I reach stage five, we’re going to say that’s actually bad and we’re overheating or something. So now, instead of drawing visually with a pen or a trend line, we now have state drawing. I can hover very easily. I can see the description of these right now. This maintenance only resides inside Axiom. We have future plans to be able to do this inside modelling, to basically have table lookups, something along that concept, where you can define what those enum values represent, and then Axiom will be able to inherit or incorporate those as well. Okay, moving on to the feature that everyone asked about forever, and we finally did. I’m going to open up an application I have here. So people wanted the ability to copy controls way easier than what we had previously. So I have an example application here.
16:21
Ken
I have some oil wells, and I have an expression here that says how I want to sort these. Maybe I wanted to duplicate this display and put a different expression in so I can, you know, have different criteria on which wells I’m trying to identify. So if I go into my design mode and I come over to this little handy button now that says Duplicate Current Screen. Very quickly, we’re going to take that, and the screen gets copied completely as is. If I jump back to the original one, it’s going to still be there. And I’m running on a really weak VM, and I think I just hung my Axiom already. But the idea is we will copy the screen as is. You can then make additional edits to present the data however you need to on the clone of the screen.
17:13
Ken
Backend didn’t save my changes. So that was the duplicating of a screen. Maybe I just need to copy controls from one screen to another instead of duplicating the entire thing. So I have another pretty basic screen over here. Thank you for the error. I didn’t mean to drag my mouse. Okay, so there we go again. If I go into edit mode and I highlight this control and I do a Control C, I could maybe start a brand new application and click in my well and do a Control V. And there we go. In case you wondered, because I did, I can also paste it over here. And here’s the garbly goop that it looks like behind the scenes. So that’s the ability to copy controls, you know, from one screen to another or one application to another.
18:18
Ken
That’s the way we put it into the clipboard. One more thing that I wanted to point out while I’m in here is, if I get out of design mode, we’re always enhancing what we can do with our automated reports. So automated reports are basically, you know, generating a report on a schedule. So rather than knowingly going to Axiom, say at 8:00 Monday morning, you can actually have a report delivered to your inbox. So I have a sample that I set up here if I choose Edit. So what we added here was actually the ability to have multiple applications combined into a single PDF to be sent to your inbox. So you can see I’ve defined two pages. One is an application called Canary Oil, and I told it which screen I wanted, which was the summary screen, of course.
19:11
Ken
Then I have a second application called Drawing Styles that I’ve also included in this report. So now, instead of having to set up multiple triggers, I can actually do this all in one workflow and have a single report sent out to me on whatever schedule I desire. Okay, going to jump back to the administrator. Just a couple more quick things that I want to cover. So I want to talk about Store and Forward. So obviously, this is a brand new service. It functions the same as what Sender/Receiver did. But we did add some additional functionality in here that we needed. Some of our collectors, you go in and you define a static list: I want to log these hundred tags.
19:53
Ken
A lot of our collectors are very dynamic, such as our module for Ignition, some other collectors that we target, other SCADA systems. It’s kind of a black hole. Like, we turn the collector on, it goes and discovers some tags and starts sending those across. But it was really hard to even see what tags were in those sessions. And we would get calls in support saying, hey, this tag’s not logging, and so you have to start troubleshooting. And actually, you could look at some files behind the scenes, but it wasn’t really easy for the user to actually identify what tags were in those sessions. So just some easy things that we’ve done. If I choose a session in here and I hit the Compare button, I can actually get a list of all the tags that are being actively logged within this session.
20:37
Ken
So just some little troubleshooting things. As I mentioned earlier, we can also pause a stream. So maybe I’m doing some maintenance on the dataset that this session is being routed to for some reason. And so rather than shutting the whole service down, which stops all data logging, to do some maintenance on the historian side, now I can pause one particular stream, and if I come out to my home screen, this data doesn’t log very fast, so I’m not even buffering anything yet. But you would be able to see now something came in, so you’d be able to see the impact of pausing a single stream. Obviously, my buffer count did start to climb here.
21:22
Ken
And then when my maintenance is done, or for whatever reason I had it off, I can come in, simply hit Unpause, and the buffer will flush, obviously as quickly as possible. And finally, the last thing I touched on: my Calcs and Events and the ability to backfill a little better. So if I come into here, initially, when I did set up this calculation, it was just the other day, so my data only went back to 10/21. But if I made any adjustment to the calculation down here, maybe I didn’t want to backfill all the data. Maybe I had an outage. And this was a periodic calculation that just kept firing every hour. And I know that when this fired overnight, data log data wasn’t coming in. So all these calculations are not going to be accurate.
22:16
Ken
We could come over here before, and we could say remove all data, and it would remove everything and recreate that entire stream back to the beginning of time. Now we have some more granularity. Maybe I don’t want to go all the way back to the 21st. I would only have to do, you know, overnight from yesterday. And so now, instead of rewriting and using a lot of compute power to rewrite potentially years’ worth of data, I have much more granular control over how much data I need to backfill based on whatever incident occurred. So that’s all I wanted to cover. And thank you for your attention.