- Created by Vladislav Fomichev, last modified on Aug 21, 2019
Files of Indeed Access Manager Server Server reside in: indeed AM\Indeed Access Manager Server\<Version number>\
- IndeedAM.Server-x64.msi is installation package of Indeed AM.
- /Misc/Templates folder contains policy templates.
- /Misc/AM.KeyGen.exe is the utility to generate encryption keys.
- /Misc/AccessControlInitialConfig/EA.Server.AccessControlInitialConfig.exe is the initial configuration utility.
- /Misc/AccessControlInitialConfig/EA.Server.AccessControlInitialConfig.exe.config is the file to setup the configuration utility.
- /Misc/AM.Config.Encryptor/EA.Config.Encryptor.exe is the utility to encrypt the configuration file.
- /Misc/AM.Config.Encryptor/EA.Config.Encryptor.exe/encryptConfigs.bat is the script to encrypt all the sections of configuration file.
- /Misc/AM.Config.Encryptor/EA.Config.Encryptor.exe/decryptConfigs.bat is the script to decrypt all the sections of configuration file.
Installation
- Install the Indeed AM by running IndeedAM. Server-x64.msi installer.
Add HTTPS binding in Default Web Site settings of IIS Manager.
Indeed AM is a web application on the basis of IIS. “Require SSL” is a default installation setting, which, in turn, requires active HTTPS binding.
If you do not plan to use HTTPS protocol, then deactivate SSL requirement in IIS settings for easerver and in the server configuration file (C:\inetpub\wwwroot\easerver\Web.config). To do so, change the value of "requireHttps" parameter to "false".
Example:
<appSettings>
<add key="requireHttps" value="false" />
</appSettings>
- Run IIS Manager and expand the Sites item.
- Select the Default Web Site site and click Bindings item in the Actions section.
- Click Add:
- Type - https.
- Port - 443.
- Select the SSL Certificate.
- Save the binding.
Modifying a configuration file.
Errors that appear during AM server deployment (for example, errors in configuration file) are logged according to the LogServer settings.
It is recommended to use AM.KeyGen. exe utility to generate encryption keys, using any available algorithm.
- Open the server configuration file named Web.config (C:\inetpub\wwwroot\easerver\Web.config).
Add a private key to sign the token of "secretKey” parameter of "logonSettings” tag. The "secretKey" parameter is used to create a user token in the "jwt” format.
Example<logonSettings secretKey="67d7e6caec61d61239dc0b05f86063ed899931b581fa1ed8140d7843b320fe02"/>
- Define the system user directory. To do so, edit the adUserCatalogProvider tag parameters:
- id is the unique identifier of the directory.
- serverName is the name of Active Directory domain, where the said directory resides.
- containerPath is the path to the container in the form of Distinguished Name or the domain itself (again as DN), if the whole of the domain is used to store users.
- userName is the name of service account used to connect to the user directory.
password is the password of the service account for the user directory in AD.
Example<adUserCatalogProviders> <adUserCatalogProvider id="UserId" serverName="indeed.local" containerPath="DC=,DC=local" userName="IndeedCatalogUser" password="Q1q2E3e4"/> </adUserCatalogProviders>
- Specify the root identifier of the provider to work with the directory. To do so, edit the rootUserCatalogProviderId attribute of userCatalogProviderSettings tag.
rootUserCatalogProviderId - set it to the value of Id attribute of adUserCatalogProvider tag.
Example<userCatalogProviderSettings rootUserCatalogProviderId="UserId">
- Define the system data storage. If Active Directory is used as data storage, edit the rootDbContextId parameter of dbContextSettings tag and adDbContext tag parameters.
- rootDbContextId is the unique value of storage identifier.
- id - set it to the value of rootDbContextId tag.
- path is LDAP path to the data container in Active Directory. It is recommended to specify it in the "serverless binding” format.
- userName is the name of service account used to connect to the storage.
password is the password of the service account for the user directory in AD.
Example<dbContextSettings rootDbContextId="mssql"> <mssqlDbContexts> <mssqlDbContext id="mssql" connectionString="Data Source=EASERVER\EASERVER;Initial Catalog=AM_Server_7;User Id=Admin- DB;Password=Q1q2E3e4;"/> </mssqlDbContexts> </dbContextSettings>
- Define the encryption key for the system data. To do so, edit the encryptionSettings tag parameters.
- cryptoAlgName specifies the encryption algorithm used.
- cryptoKey contains key values generated by the utility.
certificateThumbprint - Thumbprint of the certificate used to encrypt the key (delete the attribute, if it is not to be used).
Exemple<encryptionSettings cryptoAlgName="Aes" cryptoKey="90ce7dbc3ff94a7867abc6672c23cce2c3717d38af42f04293130cb68a34ecc2"/>
Define the system administrator. To do so, edit the userId parameter of accessControlAdminSettings tag.
The user in question has to be within the user directory.
UserId is the user identifier in the following format: “Directory identifier (rootUserCatalogProviderId); underscore; GUID of system administrator”.
GUID can be found with PowerShell command. For this, Remote Server Administration Tools component has to be installed.
ExampleGet-ADUser YouUserName -Properties * | Select ObjectGUID
- Specify the url to connect to log server. To do so, edit the logServer tag.
URL is url to connect to log server in the following format http(s)://full_dns_name_of_server/ils/api.
If several servers are used, then you have to specify the load balancer address.
- CertificateThumbprint - this is to be defined if the private key is stored in the registry, and the certificate is in the PC storage.
- CertificateFilePath - this is to be defined, if the key pair is stored in pfx.
- CertificateFilePassword is the password for pfx.
Encryption / decryption of configuration file.
- Run command line as Administrator.
In command line, switch to encryption utility folder.
The utility encrypts the following sections: logServer, logonSettings, userCatalogProviderSettings, encryptionSettings, dbContextSettings. It is recommended to encrypt all the sections.
Encryption / decryption of separate sections.
To encrypt a separate section, you have to execute the following command: EA. Config.Encryptor /encrypt "Path to server configuration file" "Section name”
ExampleEA.Config.Encryptor /encrypt "C:\inetpub\wwwroot\easerver\Web.config" "logServer"
To decrypt a separate section, you have to execute the following command: EA. Config.Encryptor /decrypt "Path to server configuration file" "Section name”
ExampleEA.Config.Encryptor /decrypt "C:\inetpub\wwwroot\easerver\Web.config" "logServer"
Encryption/decryption of all sections.
- To encrypt all sections, run encryptConfigs.bat.
- To decrypt all sections, run decryptConfigs.bat.
Initial configuration setup
- Open the EA.Server.AccessControlInitialConfig.exe.config file for editing.
Edit the key attribute - value parameter is to be set to true, if Windows Token is planned to be used for authentication. If the server is within the domain, you can use one of the following providers: windows password, emailOTP, smsOTP. To do so, value is to be set to false.
Example<appSettings> <add key="eaServerUrl" value="http://192.168.1.2/easerver/"/> <add key="isWindowsAuth" value="true"/> </appSettings>
- Run the EA.Server.AccessControlInitialConfig.exe utility at the domain machine under the user account, which is to become system administrator and which defined as administrator in the accessControlAdminSettings tag.
- No labels