Installation Guide - : IIS Server Hosting Guideline (EPM)
Revision History

Date        Version  Description                  Author
2010-12-23  0.1      Initial version              Pter Kovcs
2011-01-10  0.2      Minor improvements           Pter Kovcs
2011-01-11  0.3      Minor improvements           Pter Kovcs
2011-01-18  0.4      Detailed install steps added Gbor Prtr, Pter Kovcs
Table of Contents

1. Objectives
2. Requirements
2.1. Software Requirements
2.2. Windows Features
3. Administrative tasks
3.1. SSL Configuration
3.2. Administrative tasks before install
3.3. Administrative tasks after installation
3.4. Security administration
1. Objectives
This document describes the system administration tasks required for installing and operating Evogenius Production System Server (EPM server). It is intended for system administrators and assumes that the reader has in-depth knowledge of Windows Server 2008 administration.
2. Requirements

2.1. Software Requirements

The EPM server has the following software requirements:
- Windows Server 2008 or later (for test purposes Windows Vista or 7 can also be used)
- Internet Information Services 7.5 or later
- .NET Framework 4.0 or later (the installer package will install this if it is not present)

2.2. Windows Features
The EPM server requires the following Windows Features to be switched on:
- Windows Communication Foundation HTTP Activation
- Windows Communication Foundation non-HTTP Activation

Both features can be found under the Microsoft .NET Framework 3.5.1 node.
Note: If these two features are switched on after .NET Framework 4.0 has been installed, the following command needs to be executed:

    aspnet_regiis.exe -iru

The reason for this is that turning on these features will reinstall ASP.NET 3.5 under IIS, and this command will install ASP.NET 4.0, which is also required by the EPM server. The tool can be found in the .NET 4.0 framework directory (usually c:\Windows\Microsoft.NET\Framework64\v4.0.30319\, or c:\Windows\Microsoft.NET\Framework\v4.0.30319\ on 32-bit systems).
3. Administrative tasks

3.1. SSL Configuration

3.1.1. Obtaining an SSL Certificate

A server-side certificate is required for a production EPM installation. A valid certificate must be purchased from a trusted Certificate Authority (e.g. VeriSign); otherwise client machines won't trust the server, and a connection cannot be established.

Note: A certificate is tied to a specific domain, which cannot be changed after creation.

For testing purposes it is possible to generate a self-signed certificate using one of these options:
1. Generate a certificate using the IIS certificate management tool.
2. Use the makecert command line tool, which is part of the Windows SDK.

Note: A self-signed certificate needs extra configuration when the EPM client and server components are not running on the same machine, because another machine won't accept it as it is not signed by a trusted certification authority (CA).

3.1.2. Generate a self-signed certificate using the IIS Certificate Management Tool

First select the machine node in the Internet Information Services Manager, and double-click on Server Certificates.
Right-click on the Server Certificates-grid, and select Create Self-Signed Certificate in the context menu.
Note: This creates a certification authority, puts that authority into the trusted authorities store on the current machine, and then creates a certificate signed by this CA.

Next, a name should be selected for the certificate. Once OK is pressed, the certificate is created.
Important note: When accessing this machine with SSL (https), the client must use the domain name that is displayed in the Issued To column. Using an alternative address (such as localhost) or the IP address will cause the connection to fail. The reason for this strictness is that a certificate validates an exact domain or machine. This means that when installing the client, the "<WebServiceRoot>" entry in EvogeniusConfig.xml must contain the exact domain name! Otherwise the client will not be able to authenticate against the server. Note that the domain name is NOT case sensitive!

For the client machine to accept the certificate, the self-created CA that signed our self-signed certificate must be installed as a trusted authority on the client. One way to do this is to export the self-signed certificate to a file and transfer it to the client machine.

Remark: The following steps must also be done when the EPM client is installed on the same machine as the EPM server!

To do this, right-click on the certificate in the Server Certificates-grid and select Export in the context menu.
Note: this will export both the self-signed certificate and the self-created CA. IIS Manager Tool will then ask for a destination file path, and a password for the certificate file. Click OK to finish the export process.
This file should be transferred to the client machine. _____________________________________________________________________________ GfK Media Software Solutions March 2011 Page 10/22
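A check for the name-matching rule in the important note above, to be run on the client once the certificate is in its store (section 3.1.3). This is an added example, not part of the EPM product; the config file path, the function name Test-EpmServerName, and the assumption that <WebServiceRoot> holds an absolute URL are hypothetical.

```powershell
# Added example. Assumptions: the config path below is hypothetical, and the
# certificate was imported into LocalMachine\TrustedPeople (on Windows XP use
# Cert:\LocalMachine\Root instead, as section 3.1.3 describes).
$configPath = 'C:\EPM\EvogeniusConfig.xml'
$storePath  = 'Cert:\LocalMachine\TrustedPeople'

function Test-EpmServerName {
    param([string]$ConfigPath, [string]$StorePath)

    # Find the <WebServiceRoot> entry wherever it sits, ignoring XML namespaces.
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath
    $node = $cfg.SelectSingleNode("//*[local-name()='WebServiceRoot']")
    if (-not $node) { throw "No <WebServiceRoot> entry in $ConfigPath" }

    $uri = [uri]$node.InnerText.Trim()
    if (-not $uri.IsAbsoluteUri) { throw "<WebServiceRoot> is not an absolute URL" }

    $dnsName = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # SAN DNS name if the certificate has one, otherwise the subject CN.
        $certName = $cert.GetNameInfo($dnsName, $false)
        # -ieq: the comparison is case-insensitive, as the guide notes.
        if ($certName -ieq $uri.Host) {
            New-Object PSObject -Property @{
                Host       = $uri.Host
                Thumbprint = $cert.Thumbprint
                Expired    = ($cert.NotAfter -lt (Get-Date))
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
            }
        }
    }
}

$match = @(Test-EpmServerName -ConfigPath $configPath -StorePath $storePath)
if ($match.Count -eq 0) {
    Write-Warning 'No imported certificate is issued to the host named in <WebServiceRoot>.'
} else {
    $match | Format-List
}
```

A warning here means the client is configured with localhost, an IP address or another alias, which is the connection failure the important note describes.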
3.1.3. Install the certificate and the Certificate Authority to the client machine

On the client machine the certificate and the CA have to be imported: Start mmc.exe, then select File -> Add/Remove Snap-in.
In the next page Local computer will be selected by default. This is what is needed, so click Finish .
The certificate should be imported into the Trusted People store so that a connection can be established. Right-click on the Trusted People node and select All Tasks -> Import.

Please note: if the client operating system is Windows XP, this certificate file needs to be imported into the Trusted Root Certificate Authorities node. This step is done automatically by newer Windows versions (Vista, 7, Server 2008).
An Import Wizard will come up. Click Next in the Welcome page. In the File import page select the certificate file which was transferred from the server, and then click Next.
In the next page give the password for the certificate, and click Next.
The next page is the Certificate Store page. Trusted People is selected, so simply click Next.
Click Finish on the last page, and both the certificate and CA will be imported in the client machine.

Remark: You can leave the MMC without saving the changes - the new certificate will remain on your PC.

3.1.4. Using the Windows SDK with the makecert command line tool

For a tutorial on how to create self-signed certificates for test purposes see this page: http://msdn.microsoft.com/en-us/library/ff648498.aspx.

3.2. Administrative tasks before install
The web site which will host the EPM Server web application has to support the following bindings:

- https
- net.tcp
  When adding a net.tcp binding to a web site, the binding information should be the following: <port>:<hostname or ip>. Usually <port>:* is sufficient. Be sure to use port 8733 - for IIS hosting a different port is used compared to self hosting.
- net.pipe
  When adding a net.pipe binding to a web site, the binding information should be: *
The binding for the net.pipe protocol is mandatory, since the authentication service uses it internally. Bindings for https and net.tcp are optional; however, at least one of them is necessary, otherwise clients won't be able to use any of the services.

Important note: In rare cases using the https binding in conjunction with http can be problematic, so in case of issues try deleting the http binding while retaining the https binding. If there is a conflict because both https and http are present in the list of Site Bindings, you will receive an "Unknown error occurred" message during login, accompanied by the hint that the service "net.tcp://<machine_name_or_IP>:8733/Evogenius/ProductionSystem/UtilityService/UtilityService.svc" could not be activated. Removing the http binding from the list of Site Bindings solves this problem.

3.3. Administrative tasks after installation
The installer application will create a web application; however, before it can be used, the net.tcp and net.pipe protocols must be enabled:

1. Navigate to the EPM Server web application node in IIS Manager (default is /Evogenius/ProductionSystem).
2. Click Advanced settings in the Actions list to the right.
3. Enter http,net.tcp,net.pipe in the Enabled Protocols field.

If either the https or the net.tcp protocol is not an available binding in the hosting web site, it can be left out of the enabled protocols.
Also be sure that the application pool of the web application uses .NET Framework version v4.0. To do that, press the button at Application Pool in the Advanced Settings dialog.
At Select Application Pool please make sure the ASP.NET v4.0 is selected from the combo-box.
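The binding and protocol requirements of sections 3.2 and 3.3, checked in one pass with the WebAdministration module. This is an added example, not part of the EPM installer; the site name 'Default Web Site' and the function name Test-EpmHosting are assumptions, while the application path is the default the guide gives.

```powershell
# Added example. Assumption: the hosting site is 'Default Web Site'.
# Run elevated on the server.
Import-Module WebAdministration

$site    = 'Default Web Site'
$appPath = "IIS:\Sites\$site\Evogenius\ProductionSystem"   # default path from the guide

function Test-EpmHosting {
    param([string]$Site, [string]$AppPath)
    $issues = @()

    $bindings  = @(Get-WebBinding -Name $Site)
    $protocols = @($bindings | ForEach-Object { $_.protocol })
    $tcp       = @($bindings | Where-Object { $_.protocol -eq 'net.tcp' })

    if ($protocols -notcontains 'net.pipe') { $issues += 'net.pipe binding missing (mandatory)' }
    if (($protocols -notcontains 'https') -and ($tcp.Count -eq 0)) {
        $issues += 'neither https nor net.tcp is bound; clients cannot use any service'
    }
    foreach ($b in $tcp) {
        if ($b.bindingInformation -notmatch '^8733:') {
            $issues += "net.tcp bound as '$($b.bindingInformation)', expected port 8733"
        }
    }
    if (($protocols -contains 'http') -and ($protocols -contains 'https')) {
        $issues += 'http and https are both bound; remove http if login reports activation errors'
    }

    # Every non-HTTP protocol bound on the site must also be enabled on the application.
    $app     = Get-Item -Path $AppPath
    $enabled = @($app.enabledProtocols -split ',' | ForEach-Object { $_.Trim() })
    foreach ($p in 'net.pipe', 'net.tcp') {
        if (($protocols -contains $p) -and ($enabled -notcontains $p)) {
            $issues += "$p is bound on the site but missing from Enabled Protocols"
        }
    }

    $pool = Get-Item -Path "IIS:\AppPools\$($app.applicationPool)"
    if ($pool.managedRuntimeVersion -ne 'v4.0') {
        $issues += "pool '$($app.applicationPool)' runs $($pool.managedRuntimeVersion), expected v4.0"
    }
    return $issues
}

$result = @(Test-EpmHosting -Site $site -AppPath $appPath)
if ($result.Count) { $result | ForEach-Object { Write-Warning $_ } } else { 'EPM hosting checks passed' }
```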
3.4. Security administration
3.4.1. net.tcp

By default EPM server uses the default security configuration of the net.tcp protocol, which uses transport security and Windows authentication. This protocol is used by .NET Framework internally, so no extra configuration is required in IIS, only in the web.config file. Windows authentication makes this protocol usable only in an intranet; using different authentication requires configuration changes both for client and server.

3.4.2. https

By default EPM server uses transport security configuration for the http protocol, meaning it can be served as a standard https service, so configuration of the https binding is required.

Note: For a tutorial on how to create self-signed certificates for test purposes see this page: http://msdn.microsoft.com/en-us/library/ff648498.aspx.