
Info

Files of Indeed Access Manager Server reside in: indeed AM\Indeed Access Manager Server\<Version number>\

  • IndeedAM.Server-x64.msi is the installation package of Indeed AM.
  • The /Misc/Templates folder contains policy templates.
  • /Misc/AM.KeyGen.exe is the utility that generates encryption keys.
  • /Misc/AccessControlInitialConfig/EA.Server.AccessControlInitialConfig.exe is the initial configuration utility.
  • /Misc/AccessControlInitialConfig/EA.Server.AccessControlInitialConfig.exe.config is the settings file of the configuration utility.
  • /Misc/AM.Config.Encryptor/EA.Config.Encryptor.exe is the utility that encrypts the configuration file.
  • /Misc/AM.Config.Encryptor/EA.Config.Encryptor.exe/encryptConfigs.bat is the script that encrypts all sections of the configuration file.
  • /Misc/AM.Config.Encryptor/EA.Config.Encryptor.exe/decryptConfigs.bat is the script that decrypts all sections of the configuration file.

Installation

  1. Install Indeed AM by running the IndeedAM.Server-x64.msi installer.
  2. Add an HTTPS binding in the Default Web Site settings of IIS Manager.

    Info

    Indeed AM is a web application hosted on IIS. "Require SSL" is enabled by default at installation, which in turn requires an active HTTPS binding.

    If you do not plan to use HTTPS, deactivate the SSL requirement in the IIS settings for easerver and in the server configuration file (C:\inetpub\wwwroot\easerver\Web.config). To do so, change the value of the "requireHttps" parameter to "false".

    Example:

    <appSettings>
        <add key="requireHttps" value="false" />
    </appSettings>



    1. Run IIS Manager and expand the Sites item.
    2. Select Default Web Site and click the Bindings item in the Actions section.
    3. Click Add:
      1. Type - https.
      2. Port - 443.
      3. Select the SSL certificate.
    4. Save the binding.

How to use the configuration wizard to customize the settings

Note

The configuration wizard is launched automatically after Indeed AM Server installation, unless disabled by the user. To launch the wizard manually, execute C:\Program Files\Indeed EA\Wizard\EA.Server.Wizard.exe.


Info

The wizard checks the entered data automatically. If the data is correct, the field is highlighted in green and you can proceed to the next step. Incorrect entries are highlighted in red, and you can only proceed to the next step after entering correct data.

  1. At the Before You Start step, click Next.
  2. At the Restore Settings step, click Next.
  3. At the User Directory step, set the following parameters:
    1. Domain name (FQDN) − specify the full domain name, for example, domain.local.
    2. Service user account − specify the service user account with access rights to the user directory.
    3. Click the Edit button and add the relevant user account information.
    4. LDAP path to the directory − specify the path to the user directory. Click the Select button and choose a relevant container or the entire domain.
  4. At the Data Storage step, select Microsoft SQL as your storage vault.
  5. Specify the following parameters for the data vault:
    1. Domain name (FQDN) − specify the full domain name, for example, domain.local.
    2. Service user account − specify a service user account with full access rights to the container that will be used as the Indeed data vault. Click the Edit button and add the relevant user account information.
    3. LDAP path to the directory − specify the path to the user directory. Click the Select button and choose a relevant container or the entire domain.
  6. At the Encryption Key step, select the encryption algorithm, click Generate, and then click Next.

    Note

    We strongly recommend that you create a backup copy of your encryption key and keep it in a secure location.

  7. At the Log Server step, add the following information:

    Note

    To avoid errors during connection testing, make sure you have fully configured your log server settings and its database, or have a pre-installed EventLog component. If your log server is not ready, you can skip this step.

    1. Log server address − URL for server connections in the following format: http(s)://full_dns_server_name/ls/ (for example, http://logserver.demo.local/ls/).
    2. Certificate − select a certificate to set up a two-way TLS connection.
    3. Logged fields for objects in the catalog − specify the format for logging usernames.
    4. Logged computer field − specify the format for logging the Computer field.

      Info

      DNS logging requires additional settings.

  8. At the Session Secret step, create a secret for token signing by clicking Generate. After that, click Next.
  9. At the File Encryption step, you can optionally encrypt the configuration file settings.

    Note

    We recommend encrypting the configuration file to improve security.

  10. At the Confirmation step, make sure that you have entered correct data and click Apply.

    Note

    We recommend making a backup copy of the configuration file. The option Save a backup copy of configuration parameters is enabled by default.

  11. At the Results step, you can check the settings and test the Indeed AM Server connection.

How to customize the system administrator settings 

Note

The user in question has to be within the user directory.

  1. At the System Administrator step, select the Indeed administrator user account. This user account will be assigned primary administrator rights.

    Note

    To customize the administrator settings, you need a pre-installed Indeed AM Windows Password provider, since assigning primary administrator rights to a given user requires authentication on the Indeed AM server.

  2. At the Results step, you can view the status of the configuration file settings and of the system administrator settings.

How to manually customize the system

Modifying a configuration file


Info

Errors that appear during AM server deployment (for example, errors in the configuration file) are logged according to the LogServer settings.

Info

It is recommended to use the AM.KeyGen.exe utility to generate encryption keys, using any of the available algorithms.

  1. Open the server configuration file named Web.config (C:\inetpub\wwwroot\easerver\Web.config).
  2. Add a private key for signing tokens as the "secretKey" parameter of the "logonSettings" tag. The "secretKey" parameter is used to create user tokens in JWT format.

    Example:

    <logonSettings secretKey="67d7e6caec61d61239dc0b05f86063ed899931b581fa1ed8140d7843b320fe02"/>


  3. Define the system user directory. To do so, edit the adUserCatalogProvider tag parameters:
    1. id is the unique identifier of the directory.
    2. serverName is the name of the Active Directory domain where the directory resides.
    3. containerPath is the path to the container as a Distinguished Name, or the domain itself (again as a DN) if the whole domain is used to store users.
    4. userName is the name of the service account used to connect to the user directory.
    5. password is the password of that service account in AD.

      Example:

      <adUserCatalogProviders>
        <adUserCatalogProvider id="UserId" serverName="indeed.local" containerPath="DC=indeed,DC=local" userName="IndeedCatalogUser" password="Q1q2E3e4"/>
      </adUserCatalogProviders>


  4. Specify the root identifier of the provider that works with the directory. To do so, edit the rootUserCatalogProviderId attribute of the userCatalogProviderSettings tag.
    1. rootUserCatalogProviderId - set it to the value of the id attribute of the adUserCatalogProvider tag.

      Example:

      <userCatalogProviderSettings rootUserCatalogProviderId="UserId">


  5. Define the system data storage. For Microsoft SQL Server, edit the dbContextSettings tag and create an mssqlDbContext tag with the id and connectionString parameters.
    1. rootDbContextId is the unique storage identifier.
    2. id - set it to the value of the rootDbContextId attribute.
    3. Add the connectionString parameter with the following built-in parameters:
      1. Data Source defines the server instance. The parameter is mandatory for all connections. Admissible values are the network name or IP address of the server, or local or localhost for local connections.
      2. Initial Catalog defines the database name.
      3. User Id is the user name used to connect to the database.
      4. Password is the password of that user.

        Example:

        <dbContextSettings rootDbContextId="mssql">
          <mssqlDbContexts>
            <mssqlDbContext id="mssql" connectionString="Data Source=EASERVER\EASERVER;Initial Catalog=AM_Server_7;User Id=Admin-DB;Password=Q1q2E3e4;"/>
          </mssqlDbContexts>
        </dbContextSettings>


  6. Define the encryption key for the system data. To do so, edit the encryptionSettings tag parameters.
    1. cryptoAlgName specifies the encryption algorithm used.
    2. cryptoKey contains the key value generated by the utility.
    3. certificateThumbprint - thumbprint of the certificate used to encrypt the key (delete the attribute if it is not used).

      Example:

      <encryptionSettings cryptoAlgName="Aes" cryptoKey="90ce7dbc3ff94a7867abc6672c23cce2c3717d38af42f04293130cb68a34ecc2"/>


  7. Define the system administrator. To do so, edit the userId parameter of the accessControlAdminSettings tag.

    Note

    The user in question has to be within the user directory.

    1. userId is the user identifier in the following format: directory identifier (rootUserCatalogProviderId), underscore, GUID of the system administrator.

      Info

      The GUID can be found with a PowerShell command. For this, the Remote Server Administration Tools component has to be installed.

      Example:

      Get-ADUser YourUserName -Properties * | Select ObjectGUID



  8. Specify the URL used to connect to the log server. To do so, edit the logServer tag.
    1. URL is the address used to connect to the log server, in the following format: http(s)://full_dns_name_of_server/ils/api

      Note

      If several servers are used, specify the load balancer address.

    2. CertificateThumbprint - to be defined if the private key is stored in the registry and the certificate is in the computer certificate store.
    3. CertificateFilePath - to be defined if the key pair is stored in a pfx file.
    4. CertificateFilePassword is the password for the pfx file.

Initial configuration setup

  1. Open the EA.Server.AccessControlInitialConfig.exe.config file for editing.
  2. Edit the isWindowsAuth key: set its value to true if Windows Token is to be used for authentication. If the server is within the domain, you can use one of the following providers instead: windows password, emailOTP, smsOTP. To do so, set the value to false.

    Example:

    <appSettings>
      <add key="eaServerUrl" value="http://192.168.1.2/easerver/"/>
      <add key="isWindowsAuth" value="true"/>
    </appSettings>

  3. Run the EA.Server.AccessControlInitialConfig.exe utility on a domain machine under the user account that is to become the system administrator and that is defined as the administrator in the accessControlAdminSettings tag.


How to configure settings for multiple user directories

Note

If you want to configure settings for multiple directories during an active Indeed system session (after granting primary rights to the system administrator) and need to change the location of the system administrator or the prefix indicated in the accessControlAdminSettings parameter, you will need to revoke all previously granted permissions and restart the primary configuration utility. To revoke permissions, delete all data from the DbAccessGroupMembers table in the Indeed database.


Info

If your containers are located in different domains/forests, you will need to create a new user for reading container data in your domain/forest.

  1. Add a new line for each container connection to the adUserCatalogProviders tag.

    Example:

    <userCatalogProviderSettings rootUserCatalogProviderId="user">
        <userCatalogProviders>
          <sqlUserCatalogProviders></sqlUserCatalogProviders>
          <adUserCatalogProviders>
            <adUserCatalogProvider id="Ad1" serverName="demo.local" containerPath="OU=Indeed_Users,DC=demo,DC=local" userName="demo\ind-user" password="Q1q2E3e4" />
            <adUserCatalogProvider id="Ad2" serverName="demo.local" containerPath="OU=inDomainUsers,DC=demo,DC=local" userName="demo\ind-user" password="Q1q2E3e4" />
            <adUserCatalogProvider id="Ad3" serverName="inforest.demo.local" containerPath="OU=UsersInForest,DC=inforest,DC=demo,DC=local" userName="inforest\cataloguser1" password="Q1q2E3e4" />
            <adUserCatalogProvider id="Ad4" serverName="newforest.local" containerPath="OU=Usersoutforest,DC=newforest,DC=local" userName="newforest\cataloguser2" password="Q1q2E3e4" />
          </adUserCatalogProviders>
        </userCatalogProviders>
    </userCatalogProviderSettings>


  2. Insert an orUserCatalogProvider tag with the id parameter inside the orUserCatalogProviders tag.

    Note

    The id parameter should match the value of the rootUserCatalogProviderId parameter.


  3. Insert a userCatalogProviders tag inside the orUserCatalogProvider tag. Inside the userCatalogProviders tag, insert userCatalogProvider tags with the id parameter set to the user container ID and the ignoreExceptions parameter set to true. This way the system ignores connection errors when it tries to connect to a directory that is unavailable.


    Note

    These tags may be missing from the configuration file if the relevant parameters were not specified during the previous encryption. If the tags are missing, add them manually. The complete file structure is presented below.


    Example:

    <orUserCatalogProviders>
      <orUserCatalogProvider id="user">
        <userCatalogProviders>
          <userCatalogProvider id="Ad1" ignoreExceptions="true" />
          <userCatalogProvider id="Ad2" ignoreExceptions="true" />
          <userCatalogProvider id="Ad3" ignoreExceptions="true" />
          <userCatalogProvider id="Ad4" ignoreExceptions="true" />
        </userCatalogProviders>
      </orUserCatalogProvider>
    </orUserCatalogProviders>

    Example file structure:

    <accessControlAdminSettings userId="UserId_891f2b6c-9a55-4e1a-b69b-b4d6418f4c4c"/>
    <logonSettings secretKey="*****"/>
    <userCatalogProviderSettings rootUserCatalogProviderId="user">
      <userCatalogProviders>
        <sqlUserCatalogProviders>
        </sqlUserCatalogProviders>
        <adUserCatalogProviders>
          <adUserCatalogProvider id="UserId" serverName="new.loc" containerPath="DC=new,DC=loc"
              userName="indeed-users" password="Q1q2E3e4" />
          <adUserCatalogProvider id="UserId1" serverName="test.new.loc" containerPath="DC=test,DC=loc"
              userName="indeed-users" password="Q1q2E3e4" />
        </adUserCatalogProviders>
      </userCatalogProviders>
      <combineRules>
        <orUserCatalogProviders>
          <orUserCatalogProvider id="user">
            <userCatalogProviders>
              <userCatalogProvider id="UserId" ignoreExceptions="true" />
              <userCatalogProvider id="UserId1" ignoreExceptions="true" />
            </userCatalogProviders>
          </orUserCatalogProvider>
        </orUserCatalogProviders>
        <andUserCatalogProviders>
        </andUserCatalogProviders>
      </combineRules>
    </userCatalogProviderSettings>


Encryption / decryption of the configuration file

  1. Run the command line as Administrator.
  2. In the command line, switch to the encryption utility folder.

    Note

    The utility encrypts the following sections: logServer, logonSettings, userCatalogProviderSettings, encryptionSettings, dbContextSettings. It is recommended to encrypt all the sections.

    Encryption / decryption of separate sections

  3. To encrypt a separate section, execute the following command: EA.Config.Encryptor /encrypt "Path to server configuration file" "Section name"

    Example:

    EA.Config.Encryptor /encrypt "C:\inetpub\wwwroot\easerver\Web.config" "logServer"

  4. To decrypt a separate section, execute the following command: EA.Config.Encryptor /decrypt "Path to server configuration file" "Section name"

    Example:

    EA.Config.Encryptor /decrypt "C:\inetpub\wwwroot\easerver\Web.config" "logServer"

    Encryption/decryption of all sections

  1. To encrypt all sections, run encryptConfigs.bat.
  2. To decrypt all sections, run decryptConfigs.bat.
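The manual steps above tie several identifiers together (rootUserCatalogProviderId, the directory ids referenced from combineRules, the prefix of the accessControlAdminSettings userId) and leave secrets readable until the encryptor has been run. The following PowerShell check is an added example, not part of Indeed AM: it parses a Web.config shaped like the examples on this page and reports those inconsistencies, treating any secret attribute that is still readable as a section that was never encrypted. The function name and the constructed sample configuration are assumptions.

```powershell
# Added check, not part of Indeed AM: validates the cross-references described in the
# manual configuration steps for a Web.config shaped like the examples on this page.
function Test-IndeedAmWebConfig {
    param([Parameter(Mandatory)][xml]$Config)
    $root = $Config.DocumentElement
    $f = New-Object System.Collections.Generic.List[string]

    # Installation: "Require SSL" only protects the site if requireHttps is left at "true".
    $https = $root.SelectSingleNode("//appSettings/add[@key='requireHttps']")
    if ($https -and $https.GetAttribute('value') -ne 'true') { $f.Add("requireHttps=$($https.GetAttribute('value')): server also answers plain HTTP") }

    # Steps 3-4 and the multi-directory setup: every referenced id must be defined.
    $rootId = [string]$root.SelectSingleNode('//userCatalogProviderSettings').rootUserCatalogProviderId
    $adIds  = @($root.SelectNodes('//adUserCatalogProvider') | ForEach-Object { $_.id })
    $orIds  = @($root.SelectNodes('//orUserCatalogProvider') | ForEach-Object { $_.id })
    if (($adIds + $orIds) -notcontains $rootId) { $f.Add("rootUserCatalogProviderId '$rootId' is not a defined provider id") }
    foreach ($ref in $root.SelectNodes('//orUserCatalogProvider//userCatalogProvider')) {
        if ($adIds -notcontains $ref.id) { $f.Add("combineRules references undefined directory '$($ref.id)'") }
    }

    # Step 7: userId is "<directory identifier>_<GUID>"; the page's example file uses the
    # adUserCatalogProvider id as the prefix, so any defined provider id is accepted here.
    $adminId = [string]$root.SelectSingleNode('//accessControlAdminSettings').userId
    $prefix, $guid = $adminId -split '_', 2
    $g = [guid]::Empty
    if (($adIds + $orIds + $rootId) -notcontains $prefix) { $f.Add("admin userId prefix '$prefix' names no provider") }
    if (-not [guid]::TryParse([string]$guid, [ref]$g)) { $f.Add("admin userId '$adminId' does not end in a GUID") }

    # Encryption section: a secret that is still readable here was never encrypted.
    if ($root.SelectSingleNode('//logonSettings/@secretKey')) { $f.Add('logonSettings.secretKey is stored in plaintext') }
    if ($root.SelectNodes('//adUserCatalogProvider/@password').Count) { $f.Add('adUserCatalogProvider passwords are in plaintext') }
    if ($root.SelectNodes('//mssqlDbContext/@connectionString').Count) { $f.Add('mssqlDbContext connection string is in plaintext') }
    return $f
}

# Constructed sample mirroring the example file structure above; not a real deployment.
[xml]$sample = @"
<configuration>
  <appSettings><add key="requireHttps" value="false" /></appSettings>
  <accessControlAdminSettings userId="UserId_891f2b6c-9a55-4e1a-b69b-b4d6418f4c4c"/>
  <logonSettings secretKey="*****"/>
  <userCatalogProviderSettings rootUserCatalogProviderId="user">
    <userCatalogProviders><adUserCatalogProviders>
      <adUserCatalogProvider id="UserId" serverName="new.loc" containerPath="DC=new,DC=loc" userName="indeed-users" password="Q1q2E3e4"/>
    </adUserCatalogProviders></userCatalogProviders>
    <combineRules><orUserCatalogProviders><orUserCatalogProvider id="user"><userCatalogProviders>
      <userCatalogProvider id="UserId" ignoreExceptions="true"/>
      <userCatalogProvider id="UserId1" ignoreExceptions="true"/>
    </userCatalogProviders></orUserCatalogProvider></orUserCatalogProviders></combineRules>
  </userCatalogProviderSettings>
</configuration>
"@
Test-IndeedAmWebConfig -Config $sample
# Live server: Test-IndeedAmWebConfig -Config ([xml](Get-Content -Raw 'C:\inetpub\wwwroot\easerver\Web.config'))
```

Run it against the production Web.config after encryptConfigs.bat has been executed; the plaintext findings should then disappear, while the id checks still apply to the unencrypted copy kept as a backup.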
