Settings in the PCo Management Console
PCo provides services for the integration with the SAP Digital Manufacturing Cloud. These cloud services are hosted by the PCo main service. They can be called by applications from the SAP Digital Manufacturing Cloud and can ultimately be used to access the service providers at machine level.
Access to these cloud services is controlled by business-oriented roles that are defined specifically for each service call. PCo only grants access to a particular service if either the user that is configured locally in PCo, or the user groups maintained centrally in the SAP Digital Manufacturing Cloud, contain the required role. The user and user group information is part of the JSON Web Token (JWT) that is sent with the service request. The settings of the default user group apply if the request is a background call and does not contain a JWT.
- Ensure that the cloud services are activated in the PCo Management Console. In the menu, choose . The Active checkbox must be selected in the Cloud Services screen area. Maintain a port.
- To make the settings for cloud integration, choose from the menu in the PCo Management Console.
- To enable the distribution of user groups from the Digital Manufacturing Cloud, you must maintain at least one local user with the Administrator role in each PCo installation. This user runs the cloud services that are used to create and change the user groups. No further users should be maintained in PCo.
- Select the roles that you want to be assigned to the user. For more information, please see the documentation for the User Configuration Tab in the application help.
- Go to the Server Security Settings tab and maintain the following data:
Server Security Settings

Field: JSON Web Tokens and Principal Propagation
Description: Select the JSON Web Tokens and Principal Propagation checkbox.

Field: Certificate
Description: Select the Certificate checkbox.

Field: Server Certificate
Description: Select the server certificate that you created for the server where PCo is installed. This certificate is of the type X.509-v3. It enables secure communication between PCo and the Cloud Connector. It should be issued for the host name of the computer on which PCo is running and can be self-signed or be embedded in a hierarchy of certificates.
For more information about the server certificate settings, see Key Usage for Server Certificate.
When a PCo system is created, the SAP Digital Manufacturing Cloud requests the public key of the server certificate specified here. PCo forwards the public key to the DMC. The DMC needs this public key so that it can transfer the passwords, which you have specified for specific configuration elements in the Machine Model, in encrypted form to PCo. Only the PCo system that has the appropriate private key can decrypt the passwords.
The public key of the certificate is automatically put into the trusted folder of the host of the cloud services. This is needed so that the agent instances can communicate with the host of the cloud services via a Websocket connection.
The trusted folder can be found under: C:\ProgramData\SAP\PCo\CertificateStores\CloudServicesHost\Trusted\certs

Field: Client Certificate section
Description: In the screen section for client certificates, you specify how the certificates, which are exchanged during communication between PCo as a server and the Cloud Connector as a client, or between PCo as a WebSocket server and the service providers as clients, are processed.

Field: Store Type
Description: File System is predefined as store type.
The certificates used when the connection to the client is set up are stored in fixed storage folders in the file system. You can find these folders as subfolders under %ProgramData%\SAP\PCo\CertificateStores\CloudServicesHost.

Field: Revocation Check
Description: Select No Check on Revoked Certificates.

Field: Revocation Check Scope
Description: Select Check End Certificate Only.
For more information, see Settings for Cloud Integration in the PCo application help.
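
A read-only check of the trusted folder described above, as an added example that is not part of the SAP documentation: it lists each certificate file in that folder and flags entries that are unreadable, not X.509 v3, outside their validity period, or not issued for the local host name. The function name Get-PCoTrustedCertReport and the host-name comparison are assumptions made for this example.

```powershell
# Added example (not SAP code). Get-PCoTrustedCertReport is a hypothetical name.
function Get-PCoTrustedCertReport {
    param(
        # Trusted folder as given on this page.
        [string]$TrustedDir = 'C:\ProgramData\SAP\PCo\CertificateStores\CloudServicesHost\Trusted\certs',
        # Assumption: the server certificate was issued for this machine's host name.
        [string]$ExpectedHost = [System.Net.Dns]::GetHostName()
    )
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $now = Get-Date
    foreach ($file in Get-ChildItem -LiteralPath $TrustedDir -File -ErrorAction Stop) {
        $findings = @()
        $cert = $null
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
        } catch {
            # Report files that do not parse instead of silently skipping them.
            $findings += 'not a readable certificate file'
        }
        $dnsName = $null
        if ($cert) {
            # GetNameInfo returns the first DNS name (SAN entry, else the subject CN).
            $dnsName = $cert.GetNameInfo($dnsType, $false)
            # Accept the short host name or a fully qualified name that starts with it.
            $hostOk = ($dnsName -eq $ExpectedHost) -or ($dnsName -like "$ExpectedHost.*")
            if ($cert.Version -ne 3)      { $findings += 'not X.509 v3' }
            if ($cert.NotBefore -gt $now) { $findings += 'not yet valid' }
            if ($cert.NotAfter -lt $now)  { $findings += 'expired' }
            if (-not $hostOk)             { $findings += "not issued for $ExpectedHost" }
        }
        [pscustomobject]@{
            File       = $file.Name
            DnsName    = $dnsName
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            SelfSigned = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null }
            Findings   = $findings -join '; '
        }
    }
}

Get-PCoTrustedCertReport | Format-Table -AutoSize
```

Compare the thumbprint of the entry that matches the host against the server certificate selected on the Server Security Settings tab, and review any entry you do not recognize.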

