If you’re reading this post, you’ve almost certainly at least heard of DCOM. And you may well be one of the many who have struggled over the years to configure remote OPC Classic connections between machines, where DCOM inevitably added time and difficulty to what should be a relatively painless task.
DCOM hardening with no option to disable it is coming up fast: March 14, 2023. If you haven't already made a plan either to migrate away from DCOM communications entirely or to keep the process systems that will still rely on remote OPC Classic over DCOM working reliably, time is running out. Downtime is costly, and a system that uses OPC Classic and hasn't been evaluated for the effects of DCOM hardening could be vulnerable to communication breaks.
This blog post discusses 6 types of options to relieve DCOM hardening pain. These include alternatives to DCOM that cover a range of use cases, depending on what software you already have installed and your existing system architecture. We also have a comprehensive guide, available on request, that addresses what DCOM changes will be needed if you're not currently in a position to migrate. Our technical support team is also willing to discuss your specific requirements with you, so you're not on your own out there!
Software Toolbox Products DCOM Readiness and Action FAQs
Like many of you, I've certainly had my share of interactions with troublesome DCOM issues over the many years that I’ve worked with OPC Classic clients and servers on different machines (local connections where the OPC Classic client and server are on the same machine are fortunately not affected). While DCOM is an integral part of many Microsoft components and remote OPC Classic clients and servers rely on it for remote connectivity and security, there have been several alternatives for years that many have already taken advantage of to ease the burden of dealing with DCOM.
With the June 14, 2022 Microsoft updates, DCOM hardening became a reality that everyone still using OPC Classic clients and servers on different machines has to deal with. Yes, it’s still technically possible to “turn off” this DCOM hardening with a Microsoft-sanctioned registry entry, but that is merely a stop-gap until Microsoft permanently hardens DCOM on March 14, 2023 (with no off button at that time).
So all users that still have OPC Classic software have to choose how they will address DCOM hardening. Let’s discuss the options available to you (both with DCOM and those eliminating DCOM) so you can make an informed decision that best meets the needs of your system.
Until the March 14, 2023 deadline, Microsoft (in KB5004442) has provided a registry change that disables DCOM hardening, giving users a little more time to make their decisions. However, it is highly recommended to make plans to update your systems sooner rather than later.
AFTER MARCH 14, 2023, temporary disabling of DCOM hardening will no longer be an option
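As an added example (not from the original post or from Software Toolbox), the PowerShell below audits one machine for the two things the passage above turns on: whether the KB5004442 registry override is set, and whether Windows has logged DCOM hardening events for connections that would break. The registry value name and event IDs 10036 to 10038 come from Microsoft's KB5004442, not from this page, and the 30-day look-back window is an assumption.

```powershell
# Added example (not from the original post): DCOM hardening audit for one machine.
# Run from an elevated PowerShell prompt on each OPC Classic client and server.

# Registry override described in Microsoft KB5004442 (0 = disabled, 1 = enabled).
$key   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$name  = 'RequireIntegrityActivationAuthenticationLevel'
$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

if ($null -eq $value) {
    $state = 'no override set; the installed Windows updates decide the behaviour'
} elseif ($value -eq 0) {
    $state = 'hardening DISABLED by the KB5004442 override'
} else {
    $state = 'hardening ENABLED by registry'
}
Write-Output "$($env:COMPUTERNAME): $state"

# DistributedCOM events KB5004442 lists for spotting affected applications:
# 10036 is logged on the server side, 10037 and 10038 on the client side.
$days   = 30   # assumption: look-back window, adjust to your log retention
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036, 10037, 10038
    StartTime    = (Get-Date).AddDays(-$days)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No DCOM hardening events in the last $days days."
} else {
    # Collapse repeats so each distinct event message appears once with a count.
    $events | Group-Object -Property Id, Message |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count    = $_.Count
                Id       = $_.Group[0].Id
                LastSeen = ($_.Group | Measure-Object -Property TimeCreated -Maximum).Maximum
                Message  = $_.Group[0].Message
            }
        } | Format-List
}
```

Run it on both ends of each remote OPC Classic connection, since the server-side and client-side events are logged on different machines.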
Since Microsoft's DCOM hardening is, technically, targeted at making your systems more secure, you may decide to update your DCOM Configuration settings on your client and server machines. Fair enough, but remember that DCOM is still DCOM – quirks between different operating systems, the difference between workgroups and domains and even the differences between implementations of different OPC Classic vendors contribute to DCOM configuration headaches.
Recognizing that DCOM is still a reality for many, our DCOM Hardening general FAQ provides answers to any questions this post doesn’t cover, including links to Software Toolbox solution specific FAQs and our DCOM tutorial. You should also request your free copy of our detailed Remote OPC DA Classic (DCOM) Configuration Guide.
Our recommendation, though, as it has been for many years, is to consider how much time, effort and stress your DCOM connections are causing. Many times, the alternatives to DCOM can pay for themselves by eliminating that time, effort, and stress from your day-to-day activities, freeing you up to focus on other important tasks.
If your system architecture is such that it’s possible to move either the OPC Classic client to the server machine or vice versa, this can greatly simplify things for you going forward. Even when DCOM hardening is permanent in March 2023, if your connections are local, they won’t be affected since local connections don’t rely on DCOM.
We understand this may not be possible for reasons outside of your control (maybe your OPC Classic server is on a specific machine because it requires network connectivity that isn’t available from the machine where the OPC Classic client is located, and it isn’t possible to move the OPC Classic client). For such situations, keep reading for alternatives that can still help you eliminate DCOM while maintaining secure and reliable remote connectivity between your OPC clients and servers.
Software Toolbox adopted OPC UA from its infancy and has a wide variety of OPC UA capable solutions including TOP Server for AVEVA, OmniServer, OPC Data Logger, SLIK-DA with UA, OPC Data Client and more (Click for a list of all Software Toolbox solutions supporting OPC UA). If you’re still not overly familiar with OPC UA, I always recommend having a look at our Exploring OPC UA blog series for a deep dive on OPC UA. You can also request your free copy of our Exploring OPC UA Security Concepts E-Book for OPC UA and cybersecurity topics relevant for any industrial control system.
If your OPC Classic clients and OPC Classic servers both support OPC UA (if you’re using an OPC solution from Software Toolbox, there is a really good chance that it either already supports OPC UA or is easily convertible to OPC UA, and in most cases OPC UA will already come available with your existing Software Toolbox license), some configuration changes may be all you need to switch to OPC UA natively between your clients and servers.
And, if you cannot change both your OPC Classic client and server applications to directly use OPC UA (maybe only one supports OPC UA or neither does), you can still enable further future-proofing that eliminates the need for DCOM, using one of several solutions, depending on one of the following use cases:
And each of these alternative solutions offers a fully functional free trial and getting started videos, so you can pilot test implementations on your system and confirm the desired functionality in advance.
Of course, if neither your OPC clients nor your OPC servers support OPC UA, there’s always secure tunneling: tunneling software is placed on both the OPC Classic client and server machines, the OPC Classic connections are local, and the two tunneling nodes pass communications between the machines via a secure tunnel. And secure tunneling is even more efficient from a bandwidth perspective than remote DCOM connections.
And, again, DataHub is available as a fully functional free trial to test things out and get started.
And last, but certainly not least, you may want to consider a migration to MQTT for sharing data remotely. While still a relatively new technology, MQTT adoption is certainly growing. MQTT is a good way to move data from a variety of remote locations to a central location (which can be either cloud-based or premise-hosted) for access by other systems that support acting as an MQTT client. And MQTT doesn’t rely on DCOM, either.
While MQTT is a significant architectural shift from traditional OPC client/server systems, if your goal is gathering data from one or more OPC (and/or other) systems and sharing that data remotely, especially if remote is off-site, MQTT could be a good option. To that end, the Cogent DataHub Smart MQTT SparkplugB Client and MQTT SparkplugB Broker solutions provide secure and automatic conversion from OPC to MQTT, streamlining the process and making the complexities of MQTT transparent to you, the user. And with DataHub’s many other interfaces, you’re not limited to only sharing OPC data via MQTT.