Installation Instructions
Database installation
- Create three empty databases. You can name them as you like, but the names must follow this pattern:
  - Net iD Portal (main database)
  - Net iD Portal_log (log database)
  - Net iD Portal_logClient (client log database)

  As long as you name the two log databases <main>_log and <main>_logClient, where <main> is the name of your main database, the installation will work. In this example we have chosen to name the main database NiPInstallationGuide.
- Unzip files.zip to the server.
- Open the Commander folder.
- Run SecMaker.NiP.Commander.exe with administrator privileges.
- Select [1] - Server Manager.

```
=============================================================================
Available commands:
[0] - Quit with no action
[1] - Server Manager
[2] - Utilities
Select: _
```

- Select [6] - Install/Upgrade Net iD Portal database.

```
=============================================================================
Available commands:
[0] - Quit with no action
[1] - Back to main
[2] - Install all server components
[3] - Install Internet Information Services only
[4] - Install Application Server only
[5] - Install Certificate Authority only
[6] - Install/upgrade Net iD Portal database
Select: _
```
- Enter the information about the database:
  - database connection info
  - username
  - password
  - database name

```
=============================================================================
Available commands:
[0] - Quit with no action
[1] - Back to main
[2] - Install all server components
[3] - Install Internet Information Services only
[4] - Install Application Server only
[5] - Install Certificate Authority only
[6] - Install/upgrade Net iD Portal database
Select: 6
Output:
- Install&upgrade Net iD Portal database on the computer.
SetServerName ((SERVER)\(INSTANCE)): .\SQLEXPRESS
SetServerPort:
SetCredentialUserName: sa
SetCredentialPassword: *******************************
SetCredentialDomainName:
SetDatabaseName: NiPInstallationGuide
ConnectionString: Data Source=.\SQLEXPRESS;Initial Catalog=NiPInstallationGuide;User Id=sa;Password=*******************************;MultipleActiveResultSets=True;
- Is this connection string correct? [Y] or [NO]
```

- If everything is correct, type 'Y' to start the installation/creation of the databases.
- If the installation has been successful, the message 'Database successfully installed/upgraded' will appear.

```
ConnectionString: Data Source=.\SQLEXPRESS;Initial Catalog=NiPInstallationGuide;User Id=sa;Password=*******************************;MultipleActiveResultSets=True;
- Is this connection string correct? [Y] or [NO]
- Connecting to database...
- Connecting with database established successfully.
- Initializing install...
- This process can take several minutes.
- Intalling, please wait...
- Database successfully installed/upgraded.
- Press any key to continue.
```
Internet Information Services
The Internet Information Server should be installed with the following components.
Core installation
Unzip the latest "files.zip" (Net iD Portal installation files) to the server. The zip file contains the following directories:

Directory | Description
---|---
GenericService | A Windows service that acts as Trace Server and Log Server for the main application.
TimerService | A Windows service that handles the sending of orders to the card manufacturer (Gemalto).
WebServiceApplication | Contains the Net iD Portal APIs.
WebServiceExternal | Contains the external, customer-specific API.
Core installation on Server
- Create a folder structure on the server where you want to install the application, for example C:\Program Files\Net iD Portal\, and copy the folders from the zip file. The folder structure should look like this:
- Modify the following files with the SQL server connection strings given below:
  - X:\Program Files\Net iD Portal\GenericService\SecMaker.NiP.GS.exe.config
  - X:\Program Files\Net iD Portal\TimerService\SecMaker.NiP.TS.exe.config
  - X:\Program Files\Net iD Portal\WebServiceApplication\Web.config
  - X:\Program Files\Net iD Portal\WebServiceExternal\Web.config

SQL server connection strings (with NiP as the main database, so the log databases are NiP_log and NiP_logClient as required by the naming rule above):

```xml
<add name="nip" connectionString="Data Source=SQL.domain.local\InstanceName;Initial Catalog=NiP;Integrated Security=SSPI;MultipleActiveResultSets=False;" />
<add name="nip_log" connectionString="Data Source=SQL.domain.local\InstanceName;Initial Catalog=NiP_log;Integrated Security=SSPI;MultipleActiveResultSets=False;" />
<add name="nip_logClient" connectionString="Data Source=SQL.domain.local\InstanceName;Initial Catalog=NiP_logClient;Integrated Security=SSPI;MultipleActiveResultSets=False;" />
```
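As an added check that is not part of the Net iD Portal package: a PowerShell script that reads the connectionStrings section of each of the four config files above and reports entries that break the <main>_log / <main>_logClient naming rule or that embed a SQL password instead of using Integrated Security=SSPI. The installation root C:\Program Files\Net iD Portal and the function name are assumptions.

```powershell
# Added example, not part of the Net iD Portal package: check that the three
# connection strings in each .config file follow the <main>, <main>_log and
# <main>_logClient naming rule and use Integrated Security=SSPI instead of an
# embedded SQL password. $installRoot is an assumption; adjust to your server.
$installRoot = 'C:\Program Files\Net iD Portal'
$configFiles = @(
    "$installRoot\GenericService\SecMaker.NiP.GS.exe.config",
    "$installRoot\TimerService\SecMaker.NiP.TS.exe.config",
    "$installRoot\WebServiceApplication\Web.config",
    "$installRoot\WebServiceExternal\Web.config"
)

function Test-NiPConnectionStrings {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$config = Get-Content -LiteralPath $Path -Raw
    $entries = @{}
    foreach ($add in @($config.SelectNodes('/configuration/connectionStrings/add'))) {
        # Turn "Key=Value;Key=Value;" into a hashtable keyed by the keyword
        $kv = @{}
        foreach ($part in ($add.GetAttribute('connectionString') -split ';')) {
            if ($part -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $kv[$Matches[1]] = $Matches[2] }
        }
        $entries[$add.GetAttribute('name')] = $kv
    }
    $problems = @()
    foreach ($name in 'nip', 'nip_log', 'nip_logClient') {
        if (-not $entries.ContainsKey($name)) { $problems += "missing connection string '$name'" }
    }
    if ($problems.Count -eq 0) {
        $main = $entries['nip']['Initial Catalog']
        # The two log databases must be named after the main database
        if ($entries['nip_log']['Initial Catalog'] -ne "${main}_log") {
            $problems += "nip_log: Initial Catalog should be '${main}_log'"
        }
        if ($entries['nip_logClient']['Initial Catalog'] -ne "${main}_logClient") {
            $problems += "nip_logClient: Initial Catalog should be '${main}_logClient'"
        }
        foreach ($name in @($entries.Keys)) {
            # Windows authentication keeps the SQL password out of the config file
            if ($entries[$name]['Integrated Security'] -ne 'SSPI' -or $entries[$name].ContainsKey('Password')) {
                $problems += "${name}: use Integrated Security=SSPI and no Password keyword"
            }
        }
    }
    [pscustomobject]@{ File = $Path; Problems = $problems }
}

$configFiles | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { Test-NiPConnectionStrings -Path $_ }
```

An empty Problems list for all four files means the connection strings are consistent with the rule in the previous section.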
- Create a service account in Active Directory, for example nipapi.
- Give the service account write permissions to the following folders:
  - X:\Program Files\Net iD Portal\GenericService\texts
  - X:\Program Files\Net iD Portal\TimerService\texts
  - X:\Program Files\Net iD Portal\WebServiceApplication\texts
  - X:\Program Files\Net iD Portal\WebServiceExternal\texts
- Create an SSL certificate to use with the API.
- Give the service account read permissions to the private key of the SSL certificate (MMC snap-in > Local Certificates > right-click the SSL certificate and click Manage private keys).
- Start IIS Manager and click Application Pools.
- Add a new Application Pool.
- Enter the information as shown in the picture and then click OK.
- Right-click the newly created application pool and click Advanced Settings.
- In the Identity box, change ApplicationPoolIdentity to your service account.
- Change Load User Profile from False to True.
- Add a website. The "Default Web Site" node can be used as well; the process is the same. Make sure you choose the right Application Pool and bind both http:// and https:// to this website.
- Right-click the newly created website, and then click Add Virtual Directory....
- In the Alias box, enter an appropriate name, for example api.
- In the Physical path box, browse to the WebServiceApplication folder and select it.
- Click OK.
- Right-click the newly created Virtual Directory, click Convert to Application, and then click OK.
Install Generic Service
- Edit the included PowerShell script so that $exePath matches your installation path.

```powershell
$serviceName = "Net iD Portal Generic Service"
$exePath = "C:\Program Files\Net iD Portal\GenericService\SecMaker.NiP.GS.exe"
"Installing SecMaker NiP Generic Service"
New-Service -BinaryPathName $exePath -Name $serviceName -StartupType Automatic
```

- Run the PowerShell script.
- Run services.msc to make sure that the service was installed correctly.

Install Timer Service
- Edit the included PowerShell script so that $exePath matches your installation path.

```powershell
$serviceName = "Net iD Portal Timer Service"
$exePath = "C:\Program Files\Net iD Portal\TimerService\SecMaker.NiP.TS.exe"
"Installing SecMaker NiP Timer Service"
New-Service -BinaryPathName $exePath -Name $serviceName -StartupType Automatic
```

- Run the PowerShell script.
- Run services.msc to make sure that the service was installed correctly.
Service account permissions
To be able to run Net iD Portal with a service account whose permissions are limited to 'Domain User', do the following (the alternative is to run it as a local administrator):
- On the web server where Net iD Portal is installed, grant the service account the right to log on locally. Open gpedit.msc and go to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on locally
- The service account must be allowed to communicate directly with the Windows services, so the DACL of the Windows services has to be modified. To do so, locate the SID of the service account, either through Net iD Portal Trace or by using PsTools.

Modifying the DACL for the Windows service "Net iD Portal Generic Service":
- To enable Trace in Net iD Portal, open the file web.config and change <log4net threshold="OFF"> to <log4net threshold="ON">.
- Make a connection from a client computer to Net iD Portal.
- Open the file Trace.txt located in the Net iD Portal core folder.
- Locate the string "Impersonated Windows identity reference" and copy its value. Example: S-1-5-21-298909477-21806885-2252563535-1119
- Start the command prompt with administrator privileges.
- At the command prompt, type sc sdshow "Net iD Portal Generic Service" to display the current DACL of the service.
- Copy and paste the output to Notepad.

```
C:\>sc sdshow "Net iD Portal Generic Service"
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRSDRCWDWO;;;SO)S:(AU;FA;CCDCLCSWEPWDTLOCRSDRCWDWO;;;WD)
```

- Add an ACE for the Net iD Portal service account to the DACL, i.e. insert the following before the S: (SACL) part:
  (A;;CCLCRPWPFAFXFWLOCR;;;SID-OF-SERVICEACCOUNT)
  Example: (A;;CCLCRPWPFAFXFWLOCR;;;S-1-5-21-298909477-21806885-2252563535-1119)
- To set the new DACL on the service, enter the following command:
  sc sdset "Net iD Portal Generic Service" "SD in SDDL format"
  Example:

```
C:\>sc sdset "Net iD Portal Generic Service" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCRPWPFAFXFWLOCR;;;S-1-5-21-298909477-21806885-2252563535-1119)S:(AU;FA;CCDCLCSWEPWDTLOCRSDRCWDWO;;;WD)
[SC] SetServiceObjectSecurity SUCCESS
```

- To view the new value, enter the command sc sdshow "Net iD Portal Generic Service" again:

```
C:\>sc sdshow "Net iD Portal Generic Service"
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCRPWPFAFXFWLOCR;;;S-1-5-21-298909477-21806885-2252563535-1119)S:(AU;FA;CCDCLCSWEPWDTLOCRSDRCWDWO;;;WD)
```

- Restart the service.
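The same DACL change done by script, as an added example that is not part of the Net iD Portal package: the first function builds the (A;;CCLCRPWPFAFXFWLOCR;;;SID) ACE and inserts it before the S: part of the descriptor returned by sc sdshow, the second applies it with sc sdset and restarts the service. The service name and SID are the guide's example values; the function names are mine.

```powershell
# Added example, not part of the Net iD Portal package: apply the DACL change
# of this section by script. The service name and SID are the guide's example
# values; replace the SID with the one you copied from Trace.txt.
# Note: inside PowerShell 'sc' is an alias of Set-Content, hence sc.exe below.
$serviceName = 'Net iD Portal Generic Service'
$serviceSid  = 'S-1-5-21-298909477-21806885-2252563535-1119'

function Add-ServiceAccountAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,    # descriptor as printed by: sc sdshow <service>
        [Parameter(Mandatory)][string]$Sid,
        [string]$Rights = 'CCLCRPWPFAFXFWLOCR'   # the rights used in this guide
    )
    if ($Sid -notmatch '^S-1-5-21(-\d+){4}$') { throw "Not an account SID: $Sid" }
    if ($Sddl -notmatch '^D:')                  { throw "Unexpected security descriptor: $Sddl" }
    $ace = "(A;;$Rights;;;$Sid)"
    # Idempotent: never append the same ACE twice
    if ($Sddl.Contains($ace)) { return $Sddl }
    # The DACL ends where the SACL ('S:') begins, so the new ACE goes right before it
    $saclStart = $Sddl.IndexOf('S:')
    if ($saclStart -lt 0) { return $Sddl + $ace }
    return $Sddl.Insert($saclStart, $ace)
}

function Grant-NiPServiceAccess {
    param([Parameter(Mandatory)][string]$ServiceName, [Parameter(Mandatory)][string]$Sid)
    $current = & sc.exe sdshow $ServiceName | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
    if (-not $current) { throw "Could not read the security descriptor of '$ServiceName'" }
    $updated = Add-ServiceAccountAce -Sddl $current.Trim() -Sid $Sid
    if ($updated -eq $current.Trim()) { Write-Host "ACE for $Sid is already present"; return }
    & sc.exe sdset $ServiceName $updated
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
    Restart-Service -Name $ServiceName
    & sc.exe sdshow $ServiceName    # show the result for verification, as the guide does
}

Grant-NiPServiceAccess -ServiceName $serviceName -Sid $serviceSid
```

Run it from an elevated PowerShell prompt; the ACE only grants the listed service rights to that one SID, so the existing entries for SY, BA, IU, SU and SO are left as they were.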
Service Settings
- Right-click each of the newly created Windows services (GenericService and TimerService).
- On the Log On tab, make the following settings:
  - Click This account and specify the service account created earlier. See section 3.4.1 Core installation on Server.
  - Do this for both services.
- On the Recovery tab, make the following settings:
  - In the First failure box, select Restart the Service.
  - In the Second failure box, select Restart the Service.
  - In the Subsequent failures box, select Restart the Service.
  Make these settings for both Windows services.
- Start the services.
- If the services do not start, you might need to register the service URL manually. To do so, open an elevated command prompt and type the following:

```
Netsh http add urlacl url=http://+:61234/TimerService/ user=DOMAIN\SERVICEACCOUNT
```

- Start the services.
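The Log On and Recovery settings above, plus the URL reservation fallback, applied from an elevated PowerShell prompt as an added example that is not part of the Net iD Portal package. DOMAIN\nipapi as the service account and the sc.exe failure parameters (restart 60 s after each failure, counter reset after one day) are assumptions; the service names and the Timer Service URL are the guide's.

```powershell
# Added example, not part of the Net iD Portal package: set the Log On account,
# the Recovery actions and, if a service still does not start, the URL
# reservation from this section. DOMAIN\nipapi and the 60 s / 1 day recovery
# parameters are assumptions; the service names and URL come from the guide.
$services       = 'Net iD Portal Generic Service', 'Net iD Portal Timer Service'
$serviceAccount = 'DOMAIN\nipapi'
$timerUrl       = 'http://+:61234/TimerService/'

# Ask for the password at run time rather than storing it in the script
$cred  = Get-Credential -UserName $serviceAccount -Message 'Password of the Net iD Portal service account'
$plain = $cred.GetNetworkCredential().Password

foreach ($name in $services) {
    # Log On tab: "This account" = the service account created earlier
    & sc.exe config $name obj= $serviceAccount password= $plain
    if ($LASTEXITCODE -ne 0) { throw "sc config failed for '$name' (exit code $LASTEXITCODE)" }

    # Recovery tab: Restart the Service on first, second and subsequent failures
    # (restart 60 000 ms after each failure; failure counter reset after 86 400 s)
    & sc.exe failure $name reset= 86400 actions= restart/60000/restart/60000/restart/60000
    if ($LASTEXITCODE -ne 0) { throw "sc failure failed for '$name' (exit code $LASTEXITCODE)" }
}

foreach ($name in $services) {
    try {
        Start-Service -Name $name -ErrorAction Stop
    } catch {
        # The guide's fallback: reserve the Timer Service URL for the account, then retry
        & netsh.exe http add urlacl url=$timerUrl user=$serviceAccount
        Start-Service -Name $name -ErrorAction Stop
    }
}

# Final state of both services, for the same check the guide does in services.msc
Get-Service -Name $services | Select-Object Name, Status, StartType
```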
Information about user and group objects
Net iD Portal uses common LDAP lookups when accessing objects in Active Directory and uses the distinguishedName attribute as a unique identifier of the current user or group.
GUI Installation
- Unzip the latest "NiP_vX.X.XX.zip" (Net iD Portal GUI files) to the server. The zip file contains the following files and directories:

Directory/file | Description
---|---
Gui.Version.Number | GUI assemblies
Index.html | Main GUI file

GUI Installation on Server
- Copy the extracted files to your Net iD Portal installation directory. In the previous step we chose C:\Program Files\Net iD Portal\ as our installation directory. The folder structure should now look like this:
- Open the file config.js located in the folder <Gui.Version.Number>. In this example the file has the path C:\Program Files\Net iD Portal\1.5.18\config.js
- Edit config.js and change the following so that it matches the URL of your installation:
  "backendUrl": "http://devtest.secmaker.com/dev/"
  In this example backendUrl has been changed to:
  "backendUrl": "https://nip.company.com/api/"
  https://nip.company.com/api/ is the URL of the Net iD Portal API that was created earlier.
- Save the file.