IPSec Tunnel Subscription (ITS) Getting Started

Introduction

IPSec Tunnel Subscription (ITS) is an application that runs on the MindSphere platform. It enables secure, aggregated data transmission from several assets at a customer site into the MindSphere Time Series store and Data Lake via a shared IPsec tunnel. Key ITS activities, such as configuration changes in user or asset management, are logged in an audit trail to support compliance with regulatory requirements.


Using and Configuring the System

This section gives an overview on how to use and configure IPSec Tunnel Subscription. Furthermore, all relevant terms and definitions are introduced.


In Asset System Management the general term Customer Asset (or Asset) is used for any kind of equipment located at the customer side that provides data to other MindSphere applications via IPSec Tunnel Subscription. A Customer Asset might for instance be a machine in a manufacturing line or a part of a power plant.

Customer Assets are managed by means of a tree-shaped Organization Structure. Such a tree allows for grouping assets according to Regions (geographical or logical) and, on the lowest hierarchy level, according to customer-specific Sites. This in turn enables convenient handling of all equipment at a selected location.

To simplify working with different types of assets at a given site, assets are associated with a customer-defined logical Product type, which allows for instance for distinguishing manufacturing machinery from energy-generating machinery or machinery used for transporting goods on the factory floor.


Note: Customer-site routers and gateways are also handled as assets.


Each MindSphere user working with IPSec Tunnel Subscription must also be registered as a User in the ITS User Management, and every user may have one or more User Roles, which grant the user certain access rights depending on the responsibilities and duties that person must fulfill at a given point in time. Some of these grants apply only to a certain scope and are marked as "partly", while others cannot be configured but only "used", as outlined in the table below.


Note: Certain network specifics at the customer or Service Provider side might require involving the respective IT departments for the initial connectivity setup.


Registered Users may have the following roles:

IPsec Tunnel Subscription (ITS) related roles

  • Tenant Administrator

A person that is authorized to administer ITS objects (add, modify, or delete customer assets, user accounts, and so on) or to grant other users the authorization to use ITS functions. An administrator is assigned to one tenant and may administer only that tenant's objects and grants. Within that scope the Tenant Administrator may also operate and control connectivity to customer assets.

  • Remote User

This is a basic role that can connect only to the assets which are configured by the Tenant Administrator. A Remote User may work within an assigned Organizational Tree of Assets.


 

Create Product Structure for Classifying Assets

Responsible Roles: Tenant Administrator

To create a new product, follow these steps:

  1. Click Structure Management under the Dashboard tab of the Home page.

  2. Click Product Structure on the Structure Management page.

  3. Select the Product in the product structure tree under which you want to create a new product.
  4. Click Add New.

  5. Complete the fields by entering the Product Name (example: Wind Turbine) and the Annotation.

  6. Click Add to tree.

Product (Wind Turbine) has been added to the Product Structure and is displayed in the Product structure tree.

 

Create Organization Structure for Managing Assets

Create Region

Responsible Roles: Tenant Administrator

Let us create a Region (for example, a country or a company). To create a new region, follow these steps:

  1. Click Structure Management under the Dashboard tab of the Home page.

  2. Click Organization Structure on the Structure Management page.

  3. Select the region in the organization structure tree under which you want to create a new region.
  4. Click Add New.

  5. Complete the fields by entering the Organization Name (example: India) and an Annotation outlining the purpose of your input.

Region (India) has been added to the Organization Structure and is displayed in the System tree.


 

Create Sites

Responsible Roles: Tenant Administrator

Let us create a Site "Wind power station". To create a new site, follow these steps:

  1. Click System Management under the Dashboard tab of the Home page.

  2. Click the Region tab on the System Management page.

  3. Select the region (example: India) in the Organization tree under which you want to create a new site.

  4. Click Add Site in the upper-right corner.

  5. Enter information describing the site into the fields and click Save.

A new site 'Wind power station' has been created and is displayed on the System Management page.

 

Create Assets

Responsible Roles: Tenant Administrator

Let us create an Asset 'Vortex Generator' under the sample site 'Wind power station'. To create an asset, follow these steps:

  1. Click System Management under the Dashboard tab of the Home page.
  2. Click the Region tab on the System Management page and select the sample Region India.
  3. Click the remote site 'Wind power station'.
  4. Click New Device in the upper-right corner of the device table.

  5. Enter the Asset and Location information in the fields.

  6. Click Add Products in the upper-right corner of the Product field, select the product Wind Turbine, and click Select.

  7. Click Save.

A new asset 'Vortex Generator' has been created under the site Wind power station.

 

Managing Users for IPSec Tunnel Subscription

Responsible Roles: Tenant Administrator

In order to make use of ITS, we need Users with grants. Let us create a new user, John S. To create a new user, follow these steps:

  1. Click User Management under the Dashboard tab of the Home page.

  2. Click the Users tab on the User Management page and click Add User Account.

  3. Enter the User information and necessary additional details in the fields and click Save.

User 'John S' has been created.

 

Assign Roles to Users

Responsible Roles: Tenant Administrator

When a user is created, the new user is assigned the default role 'Remote User'. User 'John S' has been created in the previous step. Now the roles he requires for his service tasks are to be assigned to him.
To assign a role to a user, follow these steps:

  1. Click the Associate Roles tab on the Edit user 'John S' page.

  2. Assign the roles as required and click Save.

 

Assign Users with Grants for Scopes of Assets

Responsible Roles: Tenant Administrator

John has been assigned the Remote User and Tenant Administrator roles. In order to access subsets of the Organization and Product structures, John must now be assigned asset-specific grants.
To assign asset-specific grants to a user, follow these steps:

  1. Click the Attribute based Grants tab.

  2. Click Add Organizational Structure in the upper-right corner of the Organizational Structure field.

  3. Select the required site, for example, Wind power station and click Select.

  4. Click Add Products in the upper-right corner of the Products field.

  5. Select the required product, for example, Wind Turbine and click Select.

  6. Click Add Roles in the upper-right corner of the Roles field.

  7. Select the required roles that you want to assign and click Select.

  8. Click Add to Grants and Save.
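The grant assembled in the steps above is a triple of an organizational node, a set of products and a set of roles, and it only takes effect for assets that fall inside all three. The following added example (it is not ITS code, and nothing on this page describes how ITS evaluates grants internally) models that check over the Organization Structure and Product Structure introduced earlier, using the walkthrough's own names (India, Wind power station, Wind Turbine, Vortex Generator, John S). Everything else is an assumption made for the illustration: that a tenant boundary is checked before anything else, that a role must be both associated with the user and present in a covering grant, that a grant on a region covers every site below it, that the action-to-role mapping is as shown, and that grant changes are written to an in-memory audit trail.

```python
"""Toy model of scoped, attribute-based grants (added illustration, not ITS code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Asset:
    name: str
    tenant: str
    site: str       # lowest node of the Organization Structure
    product: str    # entry of the Product Structure


@dataclass(frozen=True)
class Grant:
    node: str                  # region or site the grant is scoped to
    products: FrozenSet[str]   # products covered inside that scope
    roles: FrozenSet[str]      # roles usable inside that scope


@dataclass
class User:
    name: str
    tenant: str
    roles: Set[str] = field(default_factory=lambda: {"Remote User"})  # default role
    grants: List[Grant] = field(default_factory=list)


# Constructed Organization Structure: node -> parent (regions have no parent).
ORG_TREE: Dict[str, Optional[str]] = {
    "India": None,
    "Wind power station": "India",
    "Solar park": "India",
    "Germany": None,
    "Test bench": "Germany",
}

# Assumed mapping of actions to the role they require.
ROLE_FOR_ACTION = {"connect": "Remote User", "modify_asset": "Tenant Administrator"}

AUDIT_TRAIL: List[dict] = []   # assumed audit trail of grant changes


def scope_of(site: str) -> Set[str]:
    """The site itself plus every region above it in the tree."""
    nodes, node = set(), site
    while node is not None:
        nodes.add(node)
        node = ORG_TREE[node]
    return nodes


def is_allowed(user: User, asset: Asset, action: str) -> bool:
    """True iff some grant of the user covers the asset for this action."""
    if user.tenant != asset.tenant:
        return False                      # tenant isolation is checked first
    role = ROLE_FOR_ACTION[action]
    if role not in user.roles:
        return False                      # role not associated with the user
    covering = scope_of(asset.site)
    return any(
        g.node in covering and asset.product in g.products and role in g.roles
        for g in user.grants
    )


def add_grant(admin: User, target: User, grant: Grant) -> bool:
    """Tenant Administrator adds a grant to a user of its own tenant; every attempt is audited."""
    ok = "Tenant Administrator" in admin.roles and admin.tenant == target.tenant
    AUDIT_TRAIL.append({"actor": admin.name, "target": target.name, "grant": grant, "allowed": ok})
    if ok:
        target.grants.append(grant)
    return ok


# Constructed sample data mirroring the page's walkthrough.
vortex = Asset("Vortex Generator", "tenant-a", "Wind power station", "Wind Turbine")
inverter = Asset("Inverter 3", "tenant-a", "Wind power station", "Inverter")
tracker = Asset("Tracker 7", "tenant-a", "Solar park", "Wind Turbine")
foreign = Asset("Vortex Generator", "tenant-b", "Wind power station", "Wind Turbine")
admin = User("Admin", "tenant-a", roles={"Remote User", "Tenant Administrator"})
john = User("John S", "tenant-a", roles={"Remote User", "Tenant Administrator"})
site_grant = Grant("Wind power station", frozenset({"Wind Turbine"}), frozenset({"Remote User"}))
region_grant = Grant("India", frozenset({"Wind Turbine"}),
                     frozenset({"Remote User", "Tenant Administrator"}))


def demo() -> Dict[str, bool]:
    """Apply the site grant, then the region grant, and record each decision."""
    add_grant(admin, john, site_grant)
    results = {
        "john_connect_vortex": is_allowed(john, vortex, "connect"),
        "john_modify_vortex": is_allowed(john, vortex, "modify_asset"),   # role outside grant
        "john_connect_inverter": is_allowed(john, inverter, "connect"),   # product outside grant
        "john_connect_tracker": is_allowed(john, tracker, "connect"),     # site outside grant
        "john_connect_foreign": is_allowed(john, foreign, "connect"),     # other tenant
    }
    add_grant(admin, john, region_grant)   # a region grant covers every site below it
    results["john_connect_tracker_after"] = is_allowed(john, tracker, "connect")
    results["john_modify_vortex_after"] = is_allowed(john, vortex, "modify_asset")
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point of the model is that holding the Tenant Administrator role tenant-wide is not enough to modify the Vortex Generator: the role must also appear in a grant whose node and product cover that asset, and nothing crosses the tenant boundary regardless of roles. Widening the scope to the region is what lets John reach the Solar park assets, so region-level grants deserve the same review as role assignments.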