During the system deployment stage, you must set up the configuration files of each service. The configuration files of all system services are located in the root directory of the IIS web applications (the default path is %SystemDrive%\inetpub\wwwroot).

Card Monitor service configuration files are located in %ProgramFiles%\Axidian CertiFlow\CardMonitor.

Configuration files are set up via the Axidian CertiFlow Configuration Wizard, a component that is installed separately.

The system requirements for the Axidian CertiFlow Configuration Wizard are the same as for the Axidian CertiFlow server.

Installing Axidian CertiFlow Configuration Wizard

Run the AxidianCertiFlow.Wizard-<version number>.x64.en-us.msi from Axidian CertiFlow installation package and follow the wizard instructions to complete the installation.  

For security reasons, we recommend that you disable the Axidian CertiFlow Configuration Wizard after you complete the system configuration:

  1. Open the Internet Information Services Manager (IIS).
  2. Select Application Pools in the IIS server component tree.
  3. Select Axidian CertiFlow Configuration Wizard in Application Pools list.
  4. Go to Actions menu on the right side of the window and select Stop.
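As an added example (not part of the Axidian documentation), the same shutdown can be scripted and verified from an elevated PowerShell session on the CertiFlow server. It assumes the WebAdministration module that ships with the IIS management scripts, that the pool is named "Axidian CertiFlow Configuration Wizard" as shown in IIS Manager (adjust $PoolName otherwise), and that you replace the placeholder wizard URL with your own.

```powershell
# Added example, not part of the Axidian documentation.
# Stops the Configuration Wizard application pool, keeps it stopped across IIS
# restarts, and confirms the wizard endpoint no longer answers.
# Assumptions: WebAdministration module present (IIS management scripts),
# pool name as shown in IIS Manager, and the placeholder URL replaced by yours.
Import-Module WebAdministration

$PoolName  = 'Axidian CertiFlow Configuration Wizard'      # assumed pool name
$WizardUrl = 'https://<FQDN name of the server>/cm/wizard'  # placeholder

if (-not (Test-Path "IIS:\AppPools\$PoolName")) {
    throw "Application pool '$PoolName' not found; check the name in IIS Manager."
}

# Stop the pool only if it is not already stopped.
if ((Get-WebAppPoolState -Name $PoolName).Value -ne 'Stopped') {
    Stop-WebAppPool -Name $PoolName
    Start-Sleep -Seconds 3   # let IIS finish shutting down worker processes
}

$state = (Get-WebAppPoolState -Name $PoolName).Value
if ($state -ne 'Stopped') {
    throw "Pool '$PoolName' is in state '$state', expected 'Stopped'."
}

# autoStart=false keeps the pool stopped after iisreset or a reboot until an
# administrator starts it again on purpose.
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name autoStart -Value $false
Write-Host "Pool '$PoolName' is stopped and will not auto-start."

# A request to the wizard should now fail with HTTP 503 (pool stopped).
try {
    $resp = Invoke-WebRequest -Uri $WizardUrl -UseBasicParsing -TimeoutSec 10
    Write-Warning "Wizard still answered HTTP $($resp.StatusCode); verify the site-to-pool mapping."
} catch {
    $response = $_.Exception.Response
    if ($null -ne $response -and [int]$response.StatusCode -eq 503) {
        Write-Host 'Wizard endpoint returns 503 Service Unavailable, as expected.'
    } else {
        Write-Warning "Wizard request failed for another reason: $($_.Exception.Message)"
    }
}
```

When the wizard is needed again, start the pool from IIS Manager or with Start-WebAppPool and a fresh authentication code is written to the logs folder as described in the next section.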

Authentication in Axidian CertiFlow Configuration Wizard

Use a temporary authentication code to access the Axidian CertiFlow Configuration Wizard. The authentication code is generated when the IIS Axidian CertiFlow Wizard application pool starts. The code is saved in the wizard_authentication_code.txt file in the logs subfolder (C:\inetpub\wwwroot\cm\wizard\logs).

  1. Open wizard_authentication_code.txt and copy the authentication code.

    Example:
    2023-09-20 09:40:06.1557|AuthenticationCode: "YoQZdL2mJC4pYmKJmC7YT8mXDv3FPj2v"
  2. Open https://<FQDN name of the server>/cm/wizard page in your browser. Enter the authentication code and log in.

Configuring the system

Here are the Axidian CertiFlow Configuration Wizard parameters:

Section / Description

Before starting work

Purpose and features of the Axidian CertiFlow Setup Wizard.

Restore configuration

Uploading a backup copy of the Axidian CertiFlow configuration.

System features

  • Common features
  • Event Log
  • Microsoft CA
  • AirCard Enterprise
  • Client Agent

Common features: Configuring internal settings for the Axidian CertiFlow web applications:

  • Management Console
  • Self-Service

Event Log:

Microsoft CA: Configure settings for working with Microsoft Certification Authority.

AirCard Enterprise: Configure integration with the Axidian AirCard Enterprise virtual smart card server.

Agent: Configure Axidian CertiFlow Agent.

Users catalog

  • Active Directory
  • Tracked attributes

Information about the users catalog and user attributes.

The list of tracked user attributes in the Microsoft CA certificate template settings includes the following attributes by default:

  • Common name
  • E-mail
  • User principal name

You can track changes in user attributes only in the Subject and Subject Alternative Name fields of the certificate.

Access control

  • Role administrator

Defining access settings for system services.

Specify an account to configure user privileges in Roles of Axidian CertiFlow Management Console. 

The specified account must have a User Principal Name (UPN) and belong to the specified users directory.

Database

  • Microsoft SQL
  • PostgreSQL
  • Encryption key

Information about the system's data storage and encryption algorithm.
Creating an encryption key, backing it up, or recovering the key from a backup. Storage connection settings depend on the selected storage type.

Card Monitor service

Card Monitor service controls smart card usage. Operations:

    • Revoking expired temporary cards
    • Deactivating cards and revoking certificates for users with disabled Active Directory accounts (optional)
    • Deleting disabled Active Directory accounts from Axidian CertiFlow users catalog (optional)
    • Revoking and withdrawing cards for deleted users (optional)
    • Setting/resetting a card content status (about to expire/expired)
    • Updating card contents (available if a card is updated through Axidian CertiFlow Agent and the CA operator does not approve certificates automatically)
    • Registering the "There is no connection from the agent for a long time" event in the system log
    • Removing inactive agents (you can set the time when an agent is considered inactive)
    • Sending email notifications to system administrators and users about the following events:
      • Expiring user certificates
      • Approve/reject to issue a card
      • Approve/reject to renew a certificate
      • Approve/reject to replace a card
      • Modifying a system policy applied to a user
      • Changing user attributes in users catalog 

For the Card Monitor service to run on schedule, the account specified in the Configuration Wizard must be a member of the Administrators group on the CertiFlow server and have the Log on as a batch job permission.
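The two requirements above can be checked before the first scheduled run. The following is an added example, not part of the Axidian documentation: it verifies local Administrators membership and the SeBatchLogonRight ("Log on as a batch job") grant by exporting the local security policy with secedit. It assumes an elevated PowerShell session on the CertiFlow server; the account name at the bottom is a placeholder for the one you entered in the Configuration Wizard.

```powershell
# Added example, not part of the Axidian documentation.
# Pre-flight check for the Card Monitor service account: local Administrators
# membership and the "Log on as a batch job" right (SeBatchLogonRight).
# Run in an elevated PowerShell on the CertiFlow server. The account name at the
# bottom is a placeholder; use the one you entered in the Configuration Wizard.
function Test-CardMonitorAccount {
    param([Parameter(Mandatory)][string]$Account)

    $result = [ordered]@{ Account = $Account; IsLocalAdmin = $false; HasBatchLogon = $false }

    # Requirement 1: direct member of the local Administrators group
    # (nested group membership is not expanded here).
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    $result.IsLocalAdmin = [bool]($members | Where-Object { $_.Name -ieq $Account })

    # Requirement 2: SeBatchLogonRight. secedit exports the local policy as an INI
    # file where the right lists SIDs (prefixed with *) and/or account names.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $adminsSid = 'S-1-5-32-544'   # built-in Administrators, which holds the right by default
    $cfg = Join-Path $env:TEMP 'cardmonitor-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Select-String -Path $cfg -Pattern '^SeBatchLogonRight\s*=' | Select-Object -First 1
        if ($line) {
            $entries = ($line.Line -split '=', 2)[1] -split ',' |
                       ForEach-Object { $_.Trim().TrimStart('*') }
            $direct    = ($entries -contains $sid) -or ($entries -icontains $Account)
            $viaAdmins = $result.IsLocalAdmin -and ($entries -contains $adminsSid)
            $result.HasBatchLogon = $direct -or $viaAdmins
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue   # do not leave the policy export behind
    }
    [pscustomobject]$result
}

# Placeholder: a local account, as the documentation recommends for Card Monitor.
$check = Test-CardMonitorAccount -Account "$env:COMPUTERNAME\svc-cardmonitor"
$check | Format-List
if (-not ($check.IsLocalAdmin -and $check.HasBatchLogon)) {
    Write-Warning 'Card Monitor will not run on schedule until both requirements are met.'
}
```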

For the Card Monitor service to work properly, create a service role with the Card Monitor account in the Roles section and grant the role the following privileges:

  • Disabling a card
  • Updating a card
  • Canceling a card update
  • Revoking a card
  • Cleaning a card
  • Unassigning a card
  • Removing a card
  • Removing AirCard
  • Removing an agent
  • Removing a record from custom log

    Set privileges to work with virtual smart cards if AirCard integration is configured.

Confirmation

Summary of all Configuration Wizard settings.

After you click Apply, the specified values for all settings will be saved in configuration files for all applications and stored in the C:\inetpub\wwwroot\cm\wizard\configs folder.

Results

Information about saving the specified values to the service configuration files.

You can upload the configuration files to an archive (Save configuration files option) to transfer and apply the settings to the system server.

When installing Axidian CertiFlow for the first time, save a copy of your configuration settings (Backup current configuration settings option).

To deploy new system servers, upload the backup file in Restore configuration section of the wizard. 

Configuration backup file includes all settings, as well as the database encryption algorithm and encryption key, and all service accounts data. Keep the backup file in a secure place.

Applying configuration files to the CertiFlow server

Apply the configuration files to the CertiFlow server:

  1. Run PowerShell as administrator and go to C:\inetpub\wwwroot\cm\wizard\configs.
  2. Run the PowerShell script deploy_configuration.ps1:

     .\deploy_configuration.ps1

  3. Specify the password of the account that is used to launch the Card Monitor service.

We recommend that you specify a local account that is used to launch the rest of the CertiFlow web applications.
