
During system deployment you have to set up the configuration files of each service. The configuration files of all system services are located in the root directory of the IIS web applications (default path: %SystemDrive%\inetpub\wwwroot).

Info

Card Monitor service configuration files are located in %ProgramFiles%\Axidian CertiFlow\CardMonitor.

Setup of configuration files is carried out using the Indeed CM Setup Wizard. The latter runs automatically upon completion of the Indeed CM Server Installation Wizard, if the corresponding checkbox is activated.
However, you can also run the Wizard manually at any time (Start - All Programs - Indeed Identity - Indeed CM).

Figure 13 – Indeed CM Setup Wizard.


Table 4 lists the sections of the Setup Wizard, along with a description of their parameters.

Table 4 – Indeed CM Setup Wizard sections and their description.

Configuration files are set up via the Axidian CertiFlow Configuration Wizard, a component which is installed separately.

Tip

System requirements for the Axidian CertiFlow Configuration Wizard are the same as for the Axidian CertiFlow server.

Installing Axidian CertiFlow Configuration Wizard

Run AxidianCertiFlow.Wizard-<version number>.x64.en-us.msi from the Axidian CertiFlow installation package and follow the wizard instructions to complete the installation.

Note

For security reasons, we recommend that you disable the Axidian CertiFlow Configuration Wizard after you complete the system configuration:

  1. Open the Internet Information Services Manager (IIS).
  2. Select Application Pools in the IIS server component tree.
  3. Select Axidian CertiFlow Configuration Wizard in Application Pools list.
  4. Go to Actions menu on the right side of the window and select Stop.
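The same four steps can be done from an elevated PowerShell session, which is convenient when you configure several servers. The following is an added example, not part of the Axidian documentation; it assumes the WebAdministration module is present on the server and that the application pool is named exactly as it appears in IIS Manager (adjust $poolName if your installation differs). It also goes one step beyond the procedure above by clearing the pool's autoStart flag, so an IIS restart does not bring the wizard back by itself.

```powershell
# Added example (not from the Axidian documentation): stop the Configuration Wizard
# application pool from PowerShell and confirm that it is stopped.
Import-Module WebAdministration

# Assumed pool name; verify it under Application Pools in IIS Manager.
$poolName = 'Axidian CertiFlow Configuration Wizard'

function Disable-ConfigurationWizardPool {
    param([Parameter(Mandatory)][string]$Name)

    if (-not (Test-Path "IIS:\AppPools\$Name")) {
        throw "Application pool '$Name' not found; list pools with: Get-ChildItem IIS:\AppPools"
    }

    $state = (Get-WebAppPoolState -Name $Name).Value
    if ($state -ne 'Stopped') {
        Stop-WebAppPool -Name $Name
        # Stop-WebAppPool returns immediately; poll until IIS reports the pool as stopped.
        $deadline = (Get-Date).AddSeconds(30)
        do {
            Start-Sleep -Seconds 1
            $state = (Get-WebAppPoolState -Name $Name).Value
        } while ($state -ne 'Stopped' -and (Get-Date) -lt $deadline)
    }

    # Beyond the documented procedure: keep the pool from starting again when IIS restarts.
    Set-ItemProperty "IIS:\AppPools\$Name" -Name autoStart -Value $false

    [pscustomobject]@{
        Pool      = $Name
        State     = $state
        AutoStart = (Get-Item "IIS:\AppPools\$Name").autoStart
    }
}

Disable-ConfigurationWizardPool -Name $poolName
```

When you need the wizard again, start the pool (Start-WebAppPool) and set autoStart back to $true; as described in the next section, a new authentication code is written to the log at that start.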

Authentication in Axidian CertiFlow Configuration Wizard

Use a temporary authentication code to access the Axidian CertiFlow Configuration Wizard. The authentication code is generated when you start the IIS Axidian CertiFlow Wizard application pool. The code is saved in the wizard_authentication_code.txt file in the logs subfolder (C:\inetpub\wwwroot\cm\wizard\logs).

  1. Open wizard_authentication_code.txt and copy the authentication code.

    Example:
    2023-09-20 09:40:06.1557|AuthenticationCode: "YoQZdL2mJC4pYmKJmC7YT8mXDv3FPj2v"


  2. Open the https://<FQDN name of the server>/cm/wizard page in your browser. Enter the authentication code and log in.
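Because the pool may have been started more than once, the file can contain several entries, and only the most recent one matters. The function below, an added example rather than Axidian's own tooling, parses every line in the format shown above, picks the latest entry, reports when it was issued and copies the code to the clipboard without echoing it to the console (so it does not end up in transcripts or history). It assumes every entry has the form <timestamp>|AuthenticationCode: "<code>"; the demo runs on a constructed file so it can be tried without a CertiFlow server.

```powershell
# Added example (not from the Axidian documentation): read the latest authentication
# code from wizard_authentication_code.txt.
# Assumption: every entry looks like
#   2023-09-20 09:40:06.1557|AuthenticationCode: "<code>"
function Get-WizardAuthenticationCode {
    param([string]$Path = 'C:\inetpub\wwwroot\cm\wizard\logs\wizard_authentication_code.txt')

    $pattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\|AuthenticationCode: "(?<code>[^"]+)"'
    $entries = foreach ($line in Get-Content -Path $Path) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Issued = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss.ffff',
                                                [cultureinfo]::InvariantCulture)
                Code   = $Matches.code
            }
        }
    }
    if (-not $entries) { throw "No AuthenticationCode entry found in $Path" }

    # Assumption: the code written at the latest pool start is the one currently valid.
    $latest = $entries | Sort-Object Issued | Select-Object -Last 1
    $latest | Add-Member -NotePropertyName AgeMinutes `
        -NotePropertyValue ([int]((Get-Date) - $latest.Issued).TotalMinutes) -PassThru
}

# Demo on a constructed file (both lines are made-up sample data).
$sample = Join-Path $env:TEMP 'wizard_authentication_code.txt'
@(
    '2023-09-20 09:40:06.1557|AuthenticationCode: "YoQZdL2mJC4pYmKJmC7YT8mXDv3FPj2v"',
    '2023-09-21 11:02:13.0041|AuthenticationCode: "constructedSecondCodeAfterRestart"'
) | Set-Content -Path $sample

$entry = Get-WizardAuthenticationCode -Path $sample
"Latest code issued {0} ({1} min ago); copied to clipboard." -f $entry.Issued, $entry.AgeMinutes
$entry.Code | Set-Clipboard   # paste into the wizard login page, then clear the clipboard
Remove-Item $sample
```

On a real server, call the function with no arguments to read the default path; treat the file itself as a credential and keep its NTFS permissions limited to administrators.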


Configuring the system

Here are the Axidian CertiFlow Configuration Wizard parameters (Table 4), one entry per section of the wizard:

Before starting work

    Information about the purpose and features of the Axidian CertiFlow Configuration Wizard.

Restore configuration

    Uploading a backup copy of Axidian CertiFlow configuration.

System features

  • Common features
  • Event Log
  • Microsoft CA
  • AirCard Enterprise
  • Client Agent

    Configuring internal settings for Axidian CertiFlow web applications:

    Management Console:

    • Viewing device content in self-service mode
    • Viewing device SO PIN
    • Own organizational structure

    Self-Service:

    • Enable Custom logs

    Event Log: configuration of the connection to the unified event log for several Axidian CertiFlow servers.

    AirCard Enterprise: configure integration with the Axidian AirCard Enterprise virtual smart card server.

    Client Agent: configure Axidian CertiFlow Agent.

Users catalog

  • Active Directory
  • Tracked attributes

    Information about the users catalog and user attributes.

    The list of tracked user attributes in Microsoft CA certificate template settings includes the following attributes by default:

    • Common name
    • E-mail
    • User principal name

    Warning

    You can track changes in user attributes only in the Subject and Subject Alternative Name fields of the certificate.

Access control

  • Role administrator

    Defining access settings to system services. Specify an account to configure user privileges in Roles of the Axidian CertiFlow Management Console.

    Warning

    The specified account must have a User Principal Name (UPN) and belong to the specified users directory.

Database

  • Microsoft SQL
  • PostgreSQL

    Information about the system's data storage and encryption algorithm. Creating an encryption key, a backup copy of the key, or recovering the key from a backup. Storage connection settings depend on the selected storage type.

Card Monitor service

    The Card Monitor service controls smart card usage. Operations:

    • Revoking expired temporary cards
    • Deactivating cards and revoking certificates for users with disabled Active Directory accounts (optional)
    • Deleting disabled Active Directory accounts from the Axidian CertiFlow users catalog (optional)
    • Revoking and withdrawing cards for deleted users (optional)
    • Setting/resetting a card content status (about to expire/expired)
    • Updating card contents (available if a card is updated through Axidian CertiFlow Agent and the CA operator does not approve certificates automatically)
    • Registering the "There is no connection from the agent for a long time" event in the system log
    • Removing inactive agents (you can set the time after which an agent is considered inactive)
    • Sending email notifications to system administrators and users about the following events:
      • Expiring user certificates
      • Approve/reject to issue a card
      • Approve/reject to renew a certificate
      • Approve/reject to replace a card
      • Modifying a system policy applied to a user
      • Changing user attributes in the users catalog

    Warning

    For the Card Monitor service to run regularly, the account specified in the Configuration Wizard must be a member of the Administrators group on the CertiFlow server and have the Log on as a batch job permission.

    For the Card Monitor service to work properly, create a service role (say, with an account for the Card Monitor service) in the Roles section, include in it the account on behalf of which Card Monitor will work, and define the following privileges for the role:

    • Disabling a card
    • Updating a card
    • Canceling a card update
    • Revoking a card
    • Cleaning a card
    • Unassigning a card
    • Removing a card
    • Removing AirCard
    • Removing an agent
    • Removing a record from custom log

    Note

    Set privileges to work with virtual smart cards, if AirCard integration is configured.

Confirmation

    Summary of all Configuration Wizard settings.

    After you click Apply, the specified values for all settings are saved in the configuration files of all applications and stored in the C:\inetpub\wwwroot\cm\wizard\configs folder. The values in the configuration files are encrypted with the Microsoft .NET key (NetFramework ConfigurationKey); the encryption algorithm is RSA.

Results

    Information about saving the specified values to the service configuration files.

    You can download the configuration files as an archive (Save configuration files option) to transfer and apply the settings to the system server.

    When installing Axidian CertiFlow for the first time, save a copy of your configuration settings (Backup current configuration settings option).

    To deploy new system servers, upload the backup file in the Restore configuration section of the wizard.

    Warning

    The configuration backup file includes all settings, as well as the database encryption algorithm and encryption key, and the data of all service accounts (the ones for the user directory and for the data storage). Keep the backup file in a secure place.
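A quick way to confirm that the values written to the configuration files really ended up encrypted, and to spot a section that was left in clear text, is to inspect the config XML for protected sections. The function below is an added example, not Axidian's code; it assumes the encryption described above is the standard .NET protected-configuration mechanism (RsaProtectedConfigurationProvider, default key container NetFrameworkConfigurationKey), in which an encrypted section carries a configProtectionProvider attribute and an EncryptedData child instead of its plain values. The sample file it builds is constructed for the demo.

```powershell
# Added example (not from the Axidian documentation): report which top-level sections
# of a .NET config file are protected and which are still in clear text.
# Assumption: protected sections follow the standard ASP.NET protected-configuration
# layout (configProtectionProvider attribute + <EncryptedData> child).
function Get-ConfigSectionProtection {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$doc = Get-Content -Path $Path -Raw
    foreach ($node in $doc.configuration.ChildNodes) {
        if ($node.NodeType -ne 'Element') { continue }   # skip comments and whitespace
        $provider = $node.GetAttribute('configProtectionProvider')
        [pscustomobject]@{
            Section   = $node.Name
            Encrypted = [bool]$provider
            Provider  = if ($provider) { $provider } else { '(plain text)' }
        }
    }
}

# Constructed sample: one protected section and one left in clear text.
$sample = Join-Path $env:TEMP 'sample.web.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>Y29uc3RydWN0ZWQtc2FtcGxl</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="ServiceAccount" value="CONSTRUCTED\svc-cardmonitor" />
  </appSettings>
</configuration>
'@ | Set-Content -Path $sample -Encoding UTF8

Get-ConfigSectionProtection -Path $sample | Format-Table -AutoSize
Remove-Item $sample

# On a server, run it over every application's web.config under the IIS web root:
# Get-ChildItem C:\inetpub\wwwroot\cm -Recurse -Filter web.config |
#     ForEach-Object { Get-ConfigSectionProtection -Path $_.FullName }
```

For the sample above the report shows connectionStrings as encrypted with RsaProtectedConfigurationProvider and appSettings as plain text; on a real server, any section that should hold secrets but reports as plain text is worth a second look before the wizard pool is stopped.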

Applying configuration files to the CertiFlow server

Apply the configuration files to the CertiFlow server:

  1. Run PowerShell as administrator and go to C:\inetpub\wwwroot\cm\wizard\configs.
  2. Run the PowerShell script deploy_configuration.ps1:

    .\deploy_configuration.ps1

  3. Specify the password of the account that is used to launch the Card Monitor service.

Tip

We recommend that you specify a local account that is used to launch the rest of the CertiFlow web applications.
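The script writes the prepared settings into the service configuration files; for change records, and to know which files to inspect or restore if a service fails to start afterwards, it helps to record what it actually changed. The wrapper below is an added example, not part of the Axidian package: it checks that the session is elevated, takes a SHA-256 snapshot of the configuration files under the locations this page names (the IIS web root and the Card Monitor folder), runs the documented script exactly as in step 2, and prints the files that were added, removed or modified. It assumes the script is interactive (it prompts for the Card Monitor account password, as step 3 states) and that the files it writes have a .config extension.

```powershell
# Added example (not from the Axidian documentation): run deploy_configuration.ps1 and
# report which configuration files it changed.
# Assumptions: the script prompts for the Card Monitor password itself; the files it
# writes are *.config files under the two locations named in the documentation.
$configsDir = 'C:\inetpub\wwwroot\cm\wizard\configs'
$watched    = @('C:\inetpub\wwwroot', "$env:ProgramFiles\Axidian CertiFlow\CardMonitor")

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Map of full path -> SHA-256 for every *.config file under the watched roots.
function Get-ConfigSnapshot {
    param([string[]]$Roots)
    $map = @{}
    foreach ($root in ($Roots | Where-Object { Test-Path $_ })) {
        Get-ChildItem -Path $root -Recurse -Filter '*.config' -File -ErrorAction SilentlyContinue |
            ForEach-Object { $map[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
    }
    $map
}

function Compare-ConfigSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($path in (@($Before.Keys) + @($After.Keys) | Sort-Object -Unique)) {
        if ($Before.ContainsKey($path) -and $After.ContainsKey($path) -and
            $Before[$path] -eq $After[$path]) { continue }          # unchanged
        $status = if (-not $Before.ContainsKey($path)) { 'Added' }
                  elseif (-not $After.ContainsKey($path)) { 'Removed' }
                  else { 'Modified' }
        [pscustomobject]@{ Status = $status; Path = $path }
    }
}

if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated PowerShell session.' }

$before = Get-ConfigSnapshot -Roots $watched
Push-Location $configsDir
try {
    .\deploy_configuration.ps1      # step 2; prompts for the Card Monitor account password
} finally {
    Pop-Location
}
$after = Get-ConfigSnapshot -Roots $watched

$changes = Compare-ConfigSnapshot -Before $before -After $after
if ($changes) { $changes | Format-Table -AutoSize } else { 'No configuration files changed.' }
```

The snapshot records only hashes, not file contents, so the report can be kept with the deployment ticket without copying the (encrypted) configuration values anywhere else.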
