Encrypted SuiteLink Connection Cannot be Established
SUMMARY
Cross-node encrypted SuiteLink requires both nodes to be joined to the same System Management Server (SMS) server. In some cases, even if SMS is properly configured, a system may encounter the following error and the encrypted SuiteLink connection will fail, even though a Troubleshooting Scan within the AVEVA Common Service Portal may return without errors:
[Multi-Line Message] - Encrypted SuiteLink connection cannot be established.
Problem: SuiteLink connection request was received from un-authorized node <CLIENTNODENAME>.
Possible Reason: Security configuration on node <CLIENTNODENAME> is incorrect.
Possible Solution(s):
1. Ensure the node designated to be the 'System Management Server' is available.
2. ***[IMPORTANT]*** Ensure your applications are using the same 'System Management Server'.
3. For each node, launch the Configurator Utility -> Select the Management Server -> Press Configure -> Verify that the workflow configured successfully (Green configured Icon)
4. For additional details, refer to the 'Security Configuration' section in the product documentation.
CAUSE
This issue can be caused by the suggested problems in the error itself; however, in this case, if the computer name contains lowercase characters, the above error and symptoms may be encountered.
In Platform Common Services (PCS) 7.0.1, the current implementation assumes the following:
- Letters in the Windows hostname (or Computer Name, or NetBIOS name) must be all capital letters (numbers are permitted)
- The hostname part of the FQDN (Fully Qualified Domain Name) must be the same as the short hostname
APPLIES TO
- Platform Common Services (PCS) v7.0.1
- Communication Drivers Pack (CDP) 2023
- Application Server 2023
- InTouch 2023
- Historian 2023
RESOLUTION
Rename the computer hostname with all capital letters (A-Z) and numbers (0-9), using a total of 15 or less characters and avoiding Unicode characters.
- All numeric is not a valid name.
- Hyphens and longer names are permitted, but this is not recommended, as not all software and systems support this.
This is considered a best practice, as computer names in certificates are case sensitive, but DNS names are not case sensitive. A hostname query against a computer with a lower-cased name can return an all-caps result, which will not be an exact match when compared to the name in that computer’s certificate due to the difference in casing.
All Industrial Software Solutions Tech Notes are provided "as is" without warranty of any kind.