Versions Compared

Old Version 70

changes.mady.by.user Unknown User (ivan.lobanov)

Saved on

compared with

New Version Current

changes.mady.by.user Daliya Agletdinova

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

You have to fill in the necessary values in the During system deployment stage it is necessary to set up configuration files of each service at the system deployment stage. Configuration files of all system services reside are located in the root folder directory of IIS web applications (default path is %SystemDrive%\inetpub\wwwroot). 

Info

Card Monitor service configuration files are located in %ProgramFiles%\Indeed CMAxidian CertiFlow\CardMonitor.

Setup of configuration files is carried out using Indeed CM Setup Wizard. The latter runs automatically upon completion of Indeed CM Server Installation Wizard, if the corresponding checkbox is activated.
However, you also can run the Wizard manually at any time (Start - All ProgramsIndeed Identity).

Image Removed

Scroll Pagebreak

Table 4 features the section of Setup Wizard, along with description of their parameters.

Configuration files are set up viaAxidian CertiFlow Configuration Wizard, a component which is installed separately.

Tip

System requirements for Axidian CertiFlow Configuration Wizard are the same as for Axidian CertiFlow server

Installing Axidian CertiFlow Configuration Wizard

Run the AxidianCertiFlow.Wizard-<version number>.x64.en-us.msi from Axidian CertiFlow installation package and follow the wizard instructions to complete the installation.  

Note

For security reasonswe recommend that you disable the Axidian CertiFlow Configuration Wizard after you complete the system configuration:

  1. Open the Internet Information Services Manager (IIS).
  2. Select Application Pools in the IIS server component tree.
  3. Select Axidian CertiFlow Configuration Wizard in Application Pools list.
  4. Go to Actions menu on the right side of the window and select Stop.

Authentication in Axidian CertiFlow Configuration Wizard

Use a temporary authentication code to access Axidian CertiFlow Configuration Wizard. The authentication code is generated when you start the IIS Axidian CertiFlow Wizard application pool. The code is saved in the wizard_authentication_code.txt file in logs subfolder (C:\inetpub\wwwroot\cm\wizard\logs).

  1. Open wizard_authentication_code.txt and copy the authentication code.

    Code Block
    titleExample:
    2023-09-20 09:40:06.1557|AuthenticationCode: "YoQZdL2mJC4pYmKJmC7YT8mXDv3FPj2v"


  2. Open https://<FQDN name of the server>/cm/wizard page in your browser.Enter the authentication code and log in.

Scroll Pagebreak

Configuring the system

Here are the Axidian CertiFlow Configuration Wizard parameters:

Table 4 – Indeed CM Setup Wizard sections and their description.

To perform tasks for the regular launch of the Card Monitor service
      • Approve/reject to issue a card
      • Approve/reject to renew a certificate
      • Approve/reject to replace a card
      • Modifying a system policy applied to a user
      • Changing user attributes in users catalog 
    • SectionDescription
    Before starting work

    This contains information about the Axidian CertiFlow Setup Wizard purpose and features of Indeed CM Setup Wizard.

    Restore configurationThis allows to load Uploading a backup copy of Indeed CM Axidian CertiFlow configuration.

    System features

    • Common features
    • Event Log
    • Microsoft CA
    • AirKey AirCard Enterprise
    • Client Agent

    Configuration of internal parameters of Indeed CM Configuring internal settings for Axidian CertiFlow web applications:

    Management Console

    Self-Service

    Event Log:

    Microsoft CA: Configure settings for working with Microsoft Certification Authority.

    AirKey AirCard Enterprise: Configuring Configure integration with Indeed AirKey Axidian AirCard Enterprise virtual smart card server.

    Client Agent: Configuring Indeed CM Client Configure Axidian CertiFlow Agent.

    User Users catalog

    • Active Directory
    • Tracked attributes

    Definition of the system user catalog. 

    Definition user attributes when changing which requires a certificate update.Information about users catalog and user attributes . 

    The list of tracked user attributes in the settings of Microsoft CA certificate templates settings includes the following attributes by default:

    • Common name
    • E-mail
    • User principal name
    Warning
    Tracking You can track changes in user attributes is available for attributes from the only in Subject and Subject Alternative Name fields of the certificate.


    Access control

    • Role administrator

    Defining access settings to system services.

    Specify Definition an account to initially configure user privileges in the Roles section of Indeed CM Axidian CertiFlow Management Console. 

    Warning

    The specified account must have a User Principal Name (UPN) and be included in belong to the specified user catalog of the systemusers directory.


    Database

    Active Directory

    • Microsoft SQL
    • PostgreSQL
    • Encryption key

    Definition of system Information about the system's data storage and encryption algorithm.
    Creation of Creating an encryption key or , a backup copy or a key recovery of key from backup. Parameters of connection to the storage are defined according to the selected Storage connection settings depend on selected storage type.

    Card Monitor service

    The Card Monitor service is intended for control of controls smart card usage. The service performsOperations:

    • Revocation of removed user's cards
      • Revocation of
      • Revoking expired temporary cards
      • Disabling cards 
      • Deactivating cards and revoking certificates for users with disabled Active Directory accounts (optional)
      • for the user whose
      • Deleting disabled Active Directory accounts
      • have been disabledRemoving accounts (optional) from the Indeed CM user catalog whose Active Directory accounts have been disabled
      • from Axidian CertiFlow users catalog (optional)
      • Revoking and withdrawing cards for deleted users (optional)
      • Setting/resetting a card content status (about to expire/expired)
      • Update of
      • Updating card contents
    Info

    If the card was updated through the Agent Indeed CM without automatic approval of certificates by the CA operator.

      Event registration
      • (available if a card is updated through Axidian CertiFlow Agent and the CA operator does not approve certificates automatically)
      • Registering
      • There is no connection from the agent for a long timeevent in the system log
      • Sending of the following
      • Removing inactive agents (you can set the time when an agent is considered inactive)
      • Sending email notifications to
      • the
      • system administrators and users about the following events:
          • – Expiration of
            • Expiring user certificates
          • stored on user card
          – Card issuance approval/rejection
          – Approval or rejection of renewal for certificates on card
          – Card replacement approval/rejection
          – Change of policy applied to user  
      Warning
      Warning

      For the Card Monitor service to run regularly, the account specified in

      the setup wizard

      Configuration Wizard must be

      in the

      part of Administrators group on the

      Indeed CM

      CertiFlow server and have permission to Log on as a batch job.

      For the Card Monitor service to work correctlyproperly, create a service role (say, with an account for Card Monitor service) in Roles section , include an account in it, on behalf of which Card Monitor will work with and define the flowing following privileges for named the role:

      • Disabling a card
      • Updating a card
      • Canceling a card update
      • Revoking a card
      • Clearing Cleaning a card
      • Unassigning a card
      • Removing a card

      • Removing AirCard

      • Removing an agent

      • Removing AirKeya record from custom log

        Note

        If integration with AirKey Enterprise is configured, then set privileges for working with these Set privileges to work with virtual smart cards, if AirCard integration is configured.


      ConfirmationThis contains combined information on settings

      Summary of all

      Wizard sections, as well as an opportunity to create a backup copy of Indeed CM configuration.Results

      This displays the Wizard progress in writing the defined values to configuration files of Indeed CM services.

      When installed Indeed CM Server for the first time, set up the required parameters and make a backup copy of those (option Backup current configuration settings in the Confirmation section).

      The backup copy of Indeed CM settings contains all the parameters defined for all services during installation, as well as encryption key and algorithm. To use the backup to deploy new Indeed CM servers, specify it in the Restore configuration section of Setup Wizard.

      Warning

      The backup also contains the data of service accounts (the one for user directory and for data storage), encryption key and algorithm. Be sure to store the backup copy file in a safe place.

      After the Setup Wizard is complete, the defined values of all parameters are written to the configuration files of all applications and encrypted. Encryption is performed using the Microsoft .NET (NetFramework ConfigurationKey) key. Encryption algorithm is RSA.

      Configuration Wizard settings.

      After you click Apply, the specified values for all settings will be saved in configuration files for all applications and stored in the C:\inetpub\wwwroot\cm\wizard\configs folder.

      Results

      Information about saving the specified values to the service configuration files.

      You can upload the configuration files to an archive (Save configuration files option) to transfer and apply the settings to the system server.

      When installing Axidian CertiFlow for the first time, save a copy of your configuration settings (Backup current configuration settings option).

      To deploy new system servers, upload the backup file in Restore configuration section of the wizard. 

      Warning

      Configuration backup file includes all settings, as well as the database encryption algorithm and encryption key, and all service accounts data. Keep the backup file in a secure place.


      Applying configuration files to the CertiFlow server

      Apply the configuration files to the CertiFlow server:

      1. Run PowerShell as administrator and go to C:\inetpub\wwwroot\cm\wizard\configs.

      2. Run the PowerShell script deploy_configuration.ps1

        .\deploy_configuration.ps1


      3. Specify the password of the account that is used to launch the Card Monitor service.
      Tip

      We recommend that you specify a local account that is used to launch the rest of the CertiFlow web applications.



      Divbox

      Table of Contents