MSI Integration Prerequisites

Before beginning the integration of MSI, it is necessary to check the configuration of certain components in the system. This section will cover these prerequisites.

Access Rights Configuration

The MSI interface of system:inmation is implemented via the Web API and uses the provided access control mechanism as follows:

In order to connect with the MSI interface, an access token is required, which is issued on a 'per user' basis. In this case, a 'user' does not refer to a specific person, but to a user account within the system. This system account sends and reads data from the MessageProcessor object created within the I/O Model.

Communication from MES-to-Shopfloor requires a write operation and for Shopfloor-to-MES, a read operation is needed. Therefore, the user needs write and read access on the Message Processor object. If the connected user doesn’t have sufficient user rights, the http request will return an error 401 with an additional error message.

Access Rights are managed in the Access Model. For detailed information regarding the administration of Access Rights, see the Access Model Hands On.

Access Rights Configuration - IO-Model
Figure 1. Access Rights


The Web API is the system component that is used to transfer messages between the layers, so it is important to check that the Web API is both running and configured correctly. In DataStudio, go to the Server Model, select the Web API object and look at the Object Properties panel.

Web API Properties
Figure 2. Web API Properties
  • The Base Address port number (default 8002) should be noted as it may be needed later for firewall configuration.

  • For security reasons, the Enable Run Script property should not be enabled.

If the Web API is running and appropriately configured, it should display two green lights in the Server Model.

Web API - Good State in Server Model
Figure 3. Web API - Good State in Server Model

Web API Encryption

In the standard configuration, the Web API permits a connection using Basic Authentication with a Profile, using TLS-SRP for encryption. For a production environment, a dedicated Profile/User is recommended.

Please see the documentation on Web API encryption and authentication for more details.

Also, for further information about using Profiles for authentication, see the Working with System Security JumpStart.


Prior to further configuration, a System ID and System Name for the MSI interface in PAS-X need to be defined. The System ID is used by PAS-X to route the messages received from the system internally. The System Name is used within the Master Batch Record (MBR) to address the right system with the Interface BF. The System Name is not used by the system and so, only the chosen System ID needs to be configured as a property in the Message Broker I/O model object.

Object Location

All MSI related objects of the I/O model must be located on a Core component, which the Web API must also communicate with. If the Web API is assigned to a different core, or the MSI objects are placed on a Connector component, then communication between the Web API and Message Broker is not possible.