Run the IndeedCM.Server.msi file from the Indeed Certificate Manager installation package and follow the wizard instructions to complete the installation. During the installation process, you shall be prompted to select a method of access control for all the system applications (see Figure 12).
Figure 12 – Access control selection.
The Indeed CM system consists of a number of services:
- Management console (icm web application)
- Self-service (icmservice web application)
- Remote self-service (icmremote web application)
- Smart card unlock service (credprovapi web application)
- API service (icmapi web application)
- Smart card status monitoring (no web application provided)
Each service has its own configuration files and access settings.
When Windows authentication is selected, the following access control parameters are set:
- Authentication: Windows (other methods are disabled) for icm, icmservice, icmapi applications
- Authentication: Anonymous (other methods are disabled) for credprovapi application.
- Authentication: Anonymous and using Forms for icmremote application. Other methods are disabled.
- Require SSL for all applications.
- Client certificate: Ignore for all applications.
When Authentication by user’s personal certificates is selected, the following access control parameters are set:
- Authentication: Anonymous for icm, icmservice, icmapi applications. Other methods are disabled.
- Authentication: Anonymous and using Forms for icmremote application. Other methods are disabled.
- Require SSL – for all applications.
- Client certificate: Required – for icm, icmservice, icmapi applications.
- Client certificate: Ignore – for credprovapi and icmremote applications.
If the user directory is in Active Directory, then the certificates used for authentication should contain User Principal Name. The certificates without UPN cannot be used for logging into web applications.
After the system is installed, you can set SSL settings for each application separately, using the IIS Management Console.