You have to fill in the necessary values in the configuration files of each service at the system deployment stage. Configuration files of all system services reside in the root folder of IIS web applications (default path is %SystemDrive%\inetpub\wwwroot).

Card Monitor service configuration files are located in %ProgramFiles%\Indeed CM\CardMonitor.

Setup of configuration files is carried out using Indeed CM Setup Wizard. The latter runs automatically upon completion of Indeed CM Server Installation Wizard, if the corresponding checkbox is activated.
However, you also can run the Wizard manually at any time (Start - All ProgramsIndeed IdentityIndeed CM).

Figure 9 – Access control selection.

Table 4 features the section of Setup Wizard, along with description of their parameters.

Table 4 – Indeed CM Setup Wizard sections and their description.

SectionDescription
Before starting work

This contains information about the purpose and features of Indeed CM Setup Wizard.

Restore configurationThis allows to load a backup copy of Indeed CM configuration.

System features

  • Common features
  • Microsoft CA
  • AirKey Enterprise
  • Client Agent

Configuration of internal parameters of Indeed CM web applications:

  • Certification Authorities
  • AirKey Enterprise virtual smart card
  • Client agents installed onto user workstations

User catalog

  • Active Directory
Definition of the system user catalog.

Access control

  • Role administrator

Definition of access control parameters for Indeed CM services and account to configure user roles.

Database

  • Active Directory
  • Microsoft SQL
  • Encryption key

Definition of system data storage and encryption algorithm.
Creation of encryption key or backup copy or recovery of key from backup.

Parameters of connection to the storage are defined according to the selected type.

Card Monitor service

The Card Monitor service is intended for control of smart card usage. The service performs:

    • Revocation of removed users’ cards
    • Revocation of expired temporary cards
    • Disabling of cards for the user, whose Active Directory account is disabled
    • Setting/resetting a device content status (about to expire/expired)
    • Update of device contents

If the device was updated through the Agent Indeed CM without automatic approval of certificates by the CA operator.

    • Sending of the following email notifications to the system administrators and users:
      – Expiration of user certificates stored on user card
      – Card issuance approval/rejection
      – Approval or rejection of renewal for certificates on card
      – Card replacement approval/rejection
      – Change of policy applied to user

Confirmation

This contains combined information on settings of all Wizard sections, as well as an opportunity to create a backup copy of Indeed CM configuration.

Results

This displays the Wizard progress in writing the defined values to configuration files of Indeed CM services.

For the Card Monitor service to work correctly, create a service role (say, Card Monitor service) in Roles section (see the Indeed CM Operation Manual), include an account in it, on behalf of which Card Monitor will work with and define the flowing privileges for named role:

  • Updating card
  • Disabling card
  • Revoking card
  • Unassigning card
  • Cleaning card

To perform tasks for the regular launch of the Card Monitor service, the account specified in the setup wizard must have permissions to Log on locally to the Indeed
CM server, or permission to Log on as a batch job.

When installed Indeed CM Server for the first time, set up the required parameters and make a backup copy of those (option Backup current configuration settings in the Confirmation section).

The backup copy of Indeed CM settings contains all the parameters defined for all services during installation, as well as encryption key and algorithm. To use the backup to deploy new Indeed CM servers, specify it in the Restore configuration section of Setup Wizard.

The backup also contains the data of service accounts (the one for user directory and for data storage), encryption key and algorithm. Be sure to store the backup copy file in a safe place.

After the Setup Wizard is complete, the defined values of all parameters are written to the configuration files of all applications and encrypted. Encryption is performed using the Microsoft .NET (NetFramework ConfigurationKey) key. Encryption algorithm is RSA.


  • No labels