Plant Optimizer server security and network configuration - Johnson Controls - LIT-12013045 - Software Application - OBEM Central Utility Plant Optimization - v2024.Q2

OpenBlue Plant Optimizer Security and IT Guide

Product name
OBEM Central Utility Plant Optimization
Document type
Security and IT Guide
Document number
LIT-12013045
Version
v2024.Q2
Revision date
2024-07-12

DevOps remote access

If it does not violate the customer's IT security policy, you can give DevOps users remote access to VMs to install software. Remote DevOps users do not need elevated server rights. Open port 10933 on the VPN to facilitate remote software deployment to the VMs.

Updates and patch management

Updates to the virtualization system, hosts, or guests including operating system, anti-virus' and other base image software are the responsibility of the customer as defined by their security and service standards. Johnson Controls is responsible for security patches and updates to the Plant Optimizer software.

Plant Optimizer server requirements

You can run Plant Optimizer on non-dedicated server hardware. The minimum VM allocation requirements depend on the following variables:
  • The number of plants included in the instance
  • The size and complexity of the plants
  • Whether a physical or virtual CPO-NAE is used to integrate the plant automation system.
Plant Optimizer requires up to three VMs:
  • A web application server
  • A database server
  • A CPO-NAE server
After Plant Optimizer is stable and operational, Johnson Controls works with the customer’s IT team to measure resource utilization and adjust the VMs to match the requirements of the site in the most cost-effective way.
Table 1. Hardware and software requirements
Type of Deployment VM use VM OS No. of VMs Cores CPU (GHz) RAM (GB) C: Drive (GB) D: Drive (GB)
All on-premises sites Plant Optimizer Web Application VM (UI + Web Service APIs)  Windows Server® 2019 or later 1 8 >2.5 32 100 100
SQL database VM

SQL Server 2016,

SQL Server 2017,

SQL Server 2019

Enterprise (preferred) or Standard

1 4 >2.5 64 100 1000
Virtual CPO-NAE (NAE85) only CUPO-OAS or CUPO-NAE85 VM  Windows Server 2019 or later 1 4 >2.5 16 100 100
Metasys ADX Metasys ADX

Windows Server 2019 or later

MS SQL Server 2016 Standard or MS SQL Server 2016 Enterprise

1 4 >2.5 32 100 1000
Note:
  • For the Plant Optimizer Web Application VM, the number of cores and RAM size may vary based on number and size of plants.
  • For SQL database VM and Metasys ADX, D: Drive size may vary based on the number and size of plants.
  • ADX virtual server requirements only apply for new construction or brand new Metasys installation.
Table 2. Windows server features and role requirements
Windows server features Windows server roles
.NET Framework 3.5 features
  • NET Framework 3.5 (includes .NET 2.0 and 3.0)
  • HTTP activation
File and storage services
  • Storage services
.NET Framework 4.6 features
  • NET Framework 4.6
  • ASP.NET 4.6
  • WCF services
Web server (IIS)
  • Common HTTP features
    • Default document
    • Directory browsing
    • HTTP errors
    • Static content
Message queuing
  • Message Queuing Server
Health and diagnostics
  • HTTP logging
  • Request monitoring
  • SMTP Server Tools
  • SNMP Tools
Performance
  • Static content compression
SMB 1.0/CIFS File Sharing Support Security
  • Request filtering
  • Windows authentication
SNMP service
  • SNMP WMI provider
Application development
  • .NET Extensibility 3.5
  • .NET Extensibility 4.6
  • ASP.NET 3.5
  • ASP.NET 4.6
  • ISAPI extensions
  • ISAPI filters
Windows Defender features
  • Windows Defender
  • GUI for Windows Defender
Management tools
  • IIS Management Console
  • IIS 6 Management Compatibility
    • IIS 6 Metabase Compatibility
    • IIS 6 Management Console
    • IIS 6 Scripting tools
    • IIS 6 WMI compatibility
  • IIS management scripts and tools
Windows Powershell
  • Windows Powershell 5.1
  • Windows Powershell 2.0 Engine
  • Windows Powershell ISE
 
Windows Process Activation Service
  • Process model
  • .NET Environment 3.5
  • Configuration APIs
WoW64 support
Table 3. Additional Windows component requirements
Additional Windows component requirements
.Net 6.0.19 or later is recommended
Table 4. SQL Server requirements
SQL Server requirement Additional detail
Ensure the most current SQL Server pack is installed. Requires the latest service pack to be installed.
Ensure SQL Server Always-On is applied. Select the Availability Groups (AG) database option. Ensure the instance is named.
Give database owner (DBO) rights to Johnson Controls engineers. Johnson Controls engineers require DBO rights in application databases to configure the application schema.
Set SQL Server collation to sql_latin1_general_cp1_ci_as. sql_latin1_general_cp1_ci_as is the default American install setting for SQL Server collation. This enables the deployment of the database.
Turn on Filestream enabled and broker enabled settings. These settings are not turned on by default.
Enable the Transactional File Stream setting. Enable this setting to ensure that the SQL server functions correctly.
Configure the SQL Server to require mixed-mode authentication. Mixed-mode authentication is a security requirement.
Apply elevated SQL rights to DevOps administrators during installation. You can remove or reduce elevated rights after installation.
SQL Server uses default port 1433. Contact technical support (BTS-CPO-TechSupport@jci.com) if a different port is required.
Note: You can implement SQL data encryption but it is not required.
Note: Plant Optimizer can use either a dedicated SQL server, VM, or a shared server instance such as an existing SQL farm. The network must be configured to allow access from Plant Optimizer Web Application VM to the SQL Server instance. Johnson Controls requires elevated rights on the SQL Server instance during the installation process.