You have to fill in the necessary values in the configuration files of each service at the system deployment stage. Configuration files of all system services reside in the root folder of IIS web applications (default path is %SystemDrive%\inetpub\wwwroot).

Info

Card Monitor service configuration files are located in %ProgramFiles%\Indeed CM\CardMonitor.

Configuration files are set up with the Indeed CM Setup Wizard. The Wizard starts automatically when the Indeed CM Server Installation Wizard completes, if the corresponding checkbox is selected.
You can also run the Wizard manually at any time (Start - All Programs - Indeed Identity - Indeed CM).

Figure 13 – Indeed CM Setup Wizard.

Table 4 lists the sections of the Setup Wizard along with a description of their parameters.

Table 4 – Indeed CM Setup Wizard sections and their description.

Section | Description
Before starting work

This contains information about the purpose and features of Indeed CM Setup Wizard.

Restore configuration

This allows you to load a backup copy of the Indeed CM configuration.

System features

  • Common features
  • Event Log
  • Microsoft CA
  • AirKey Enterprise
  • Client Agent

Configuration of internal parameters of Indeed CM web applications:

Management Console

Self-Service


Event Log:

  • Certification Authorities

  • Microsoft CA: Configure settings for working with Microsoft Certification Authority.

    AirKey Enterprise: Configuring integration with Indeed AirKey Enterprise virtual smart card server.

    Client agents installed onto user workstations

    Client Agent: Configuring Indeed CM Client Agent.

    User catalog

    • Active Directory
    • Tracked attributes

    Definition of the system user catalog

    Definition of the user attributes whose change requires a certificate update.

    The list of tracked user attributes in the settings of Microsoft CA certificate templates includes the following attributes by default:

    • Common name
    • E-mail
    • User principal name
    Warning
    Tracking changes in user attributes is available for attributes from the Subject and Subject Alternative Name fields of the certificate.


    Access control

    • Role administrator

    Definition of access control parameters for Indeed CM services and of an account to initially configure user privileges in the Roles section of Indeed CM Management Console.

    Warning

    The specified account must have a User Principal Name (UPN) and be included in the specified user catalog of the system.


    Database

    • Active Directory
    • Microsoft SQL
    • Encryption key

    Definition of system data storage and encryption algorithm.
    Creation of encryption key or backup copy or recovery of key from backup.

    Parameters of connection to the storage are defined according to the selected type.

    Card Monitor service

    The Card Monitor service is intended for control of smart card usage. The service performs:

      • Revocation of removed users’ cards
      • Revocation of expired temporary cards
      • Disabling of cards for the user, whose Active Directory account is disabled
      • Deactivation (optional) of devices and revocation of certificates for the users whose Active Directory accounts have been disabled
      • Removing accounts (optional) from the Indeed CM user catalog whose Active Directory accounts have been disabled
      • Revocation and withdrawal (optional) of devices of users whose accounts have been removed from the Indeed CM user catalog
      • Setting/resetting a device card content status (about to expire/expired)
      • Update of device card contents
    Info

    If the device card was updated through the Agent Indeed CM without automatic approval of certificates by the CA operator.

      • Registration of the event "There is no connection from the agent for a long time" in the system log
      • Sending of the following email notifications to the system administrators and users:
        – Expiration of user certificates stored on user card
        – Card issuance approval/rejection
        – Approval or rejection of renewal for certificates on card
        – Approval or rejection of card replacement
        – Change of Indeed CM policy applying to user
        – Changing user attributes in the user directory

        Warning

        To perform tasks for the regular launch of the Card Monitor service, the account specified in the setup wizard must be in the Administrators group on the Indeed CM server and have permission to Log on as a batch job.


    For the Card Monitor service to work correctly, create a service role (say, Card Monitor service) in the Roles section (see the Indeed CM Operation Manual), include in it the account on behalf of which Card Monitor will work, and define the following privileges for that role:

    • Disabling card
    • Updating card
    • Revoking card
    • Clearing card
    • Unassigning card
    • Removing card
    • Removing AirKey

    Note

      If integration with AirKey Enterprise is configured, then set privileges for working with these virtual smart cards.


    Confirmation

    This contains combined information on settings of all Wizard sections, as well as an opportunity to create a backup copy of Indeed CM configuration.

    Results

    This displays the Wizard progress in writing the defined values to configuration files of Indeed CM services

    To perform tasks for the regular launch of the Card Monitor service, the account specified in the setup wizard must have permissions to Log on locally to the Indeed CM server, or permission to Log on as a batch job.

    When installing Indeed CM Server for the first time, set up the required parameters and make a backup copy of them (option Backup current configuration settings in the Confirmation section).

    The backup copy of Indeed CM settings contains all the parameters defined for all services during installation, as well as encryption key and algorithm. To use the backup to deploy new Indeed CM servers, specify it in the Restore configuration section of Setup Wizard.

    Warning

    The backup also contains the data of the service accounts (those for the user directory and for the data storage), the encryption key and the algorithm. Be sure to store the backup copy file in a safe place.

    After the Setup Wizard completes, the defined values of all parameters are written to the configuration files of all applications and encrypted. Encryption is performed using the Microsoft .NET key (NetFrameworkConfigurationKey). The encryption algorithm is RSA.
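
The result of this last step can be checked on the server. The PowerShell below is an added example, not Indeed CM code: it reports which configuration sections are protected, assuming the standard .NET protected-configuration layout (a configProtectionProvider attribute with an EncryptedData child element). The page does not say which sections the Wizard encrypts, and the sample XML is constructed.

```powershell
# Added example, not Indeed CM code: report the protection state of each
# top-level section in a .NET configuration file.
function Get-SectionProtection {
    param([Parameter(Mandatory)][xml]$Document, [string]$Source = '(inline sample)')
    $encData = "*[local-name()='EncryptedData']"
    foreach ($node in $Document.DocumentElement.ChildNodes) {
        if ($node.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
        if ($node.LocalName -eq 'configSections') { continue }   # declarations, never encrypted
        # Protected sections can sit inside a section group, so include descendants.
        $hits = @($node.SelectNodes('descendant-or-self::*[@configProtectionProvider]') |
            Where-Object { $null -ne $_.SelectSingleNode($encData) })
        $selfProtected = $node.HasAttribute('configProtectionProvider') -and
            ($null -ne $node.SelectSingleNode($encData))
        $state = 'plaintext'
        if ($selfProtected) { $state = 'encrypted' }
        elseif ($hits.Count -gt 0) { $state = 'partly encrypted' }
        $providers = $hits | ForEach-Object { $_.GetAttribute('configProtectionProvider') } |
            Sort-Object -Unique
        [pscustomobject]@{
            File = $Source; Section = $node.LocalName; State = $state
            Provider = ($providers -join ',')
        }
    }
}

# Constructed sample (not a real Indeed CM file): one protected, one plaintext section.
$sample = [xml]@'
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>CONSTRUCTED</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings><add key="constructedKey" value="constructed-value" /></appSettings>
</configuration>
'@
Get-SectionProtection -Document $sample | Format-Table -AutoSize

# Folders named on this page; review every section not reported as 'encrypted'.
$roots = "$env:SystemDrive\inetpub\wwwroot", "$env:ProgramFiles\Indeed CM\CardMonitor"
Get-ChildItem -Path $roots -Recurse -File -Filter *.config -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        try {
            $doc = New-Object System.Xml.XmlDocument
            $doc.Load($file)
            Get-SectionProtection -Document $doc -Source $file
        } catch { Write-Warning "Cannot parse ${file}: $($_.Exception.Message)" }
    } | Where-Object { $_.State -ne 'encrypted' } | Format-Table -AutoSize -Wrap
```

Sections such as appSettings may legitimately stay in plaintext; the point of the report is to confirm that no section holding account data or connection parameters appears in it.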