
Core Server

Axidian Core Server (Core Server) is the main server module responsible for:

  • Centralized storage of authenticators, passwords, and user settings.
  • Centralized management and administration.
  • Centralized receiving and processing of requests from other modules of the system.
  • Coordinating the actions of individual modules and the system in general.

Core Server caches user, group and container objects, authorization scenarios and business-logic data. The main catalog requests, retrieving a user, group or container by ID, are served from the cache: the first request for an object by ID loads it from the catalog into the cache, and subsequent requests by ID are answered from the cache. All other requests (by name, phone or email) go to the catalog and only refresh the cached copy with the returned data. An object lives in the cache for 10 minutes. Consequently, a change made in the catalog (for example, a disabled account) can remain invisible to ID-based lookups for up to 10 minutes unless a request by name, phone or email refreshes the entry.

Installation files

Files for the Axidian Access Core Server installation are located in the <version number> folder of the distribution:

  • Axidian.Server-version number.x64.ru-ru.msi: Package for installing Core Server.
  • \Misc\AccessManager.Tools.KeyGen.Console.exe: Utility for generating a key pair for user token signing.
  • \Misc\AccessControlInitialConfig\EA.Server.AccessControlInitialConfig.exe: Initial configuration utility.
  • \Misc\AccessControlInitialConfig\EA.Server.AccessControlInitialConfig.exe.config: Configuration utility settings file.
  • \Misc\EA.Config.Encryptor\EA.Config.Encryptor.exe: Utility for encrypting the configuration file.
  • \Misc\EA.Config.Encryptor\encryptConfigs.bat: Script for encrypting all sections of the configuration file.
  • \Misc\EA.Config.Encryptor\decryptConfigs.bat: Script for decrypting all sections of the configuration file.

Install Core Server

System requirements

To install Core Server, run Axidian.Server-<version number>.x64.en-us.msi.

HTTPS binding in IIS Manager

Core Server is a web application that runs on IIS. During installation, the mandatory SSL requirement is enabled by default in the settings, which in turn requires an enabled HTTPS binding.

  1. Start IIS Manager and expand the Sites item.
  2. Select Default Web Site and in the Actions section, click Bindings.
  3. Click Add:
    • Type: https.
    • Port: 443.
    • Select SSL Certificate.
  4. Save the binding.

If you do not plan to use the HTTPS protocol, disable the SSL requirement in the IIS settings for Core and, in C:\inetpub\wwwroot\am\core\Web.config, change the value of the requireHttps parameter to false. This is not recommended outside an isolated test environment: without HTTPS, the credentials and session tokens that agents and administrators exchange with Core Server travel over the network in clear text.

<appSettings>
<add key="requireHttps" value="false" />
</appSettings>

Configuration wizard

By default, the configuration wizard starts automatically after you install Core Server, unless you cancel it at startup.

To launch the wizard manually, execute C:\Program Files\Axidian\Wizard\EA.Server.Wizard.exe.

info

The wizard includes automatic validation of entered data. If the data is correct, the field becomes green, and you can proceed to the next step. If the data is entered incorrectly, the fields are highlighted in red, and you cannot proceed to the next step until you specify correct data.

The following steps vary depending on the database used.

Microsoft SQL database

  1. On the Before You Begin step, click Next.

  2. On the Restore Settings step, click Next.

  3. On the User Catalog step, click Add and specify the following parameters:

    • Domain name (FQDN): Fully qualified domain name of the Active Directory domain where the catalog is located, such as domain.local.
    • Service account: Service account that has access rights to the user catalog. Click Edit and specify the account credentials.
    • LDAP path to catalog: Path to the catalog with users. Click Select and choose a container or the entire domain.

    Click Configure attribute mapping to set the mapping between Active Directory and Axidian Access attributes.

    Attribute list
    • FirstName: User first name.
    • MiddleName: User middle name.
    • LastName: User last name.
    • Email: User email address.
    • Phone: User phone number.
    • Name: User display name.
    • CanonicalName: User canonical name, such as domain.com/Users/testuser.
    • PrincipalName: User unique name in a specific format, such as testuser@domain.com.
    • SamCompatibleName: User name compatible with the Security Account Manager (SAM) system. For example, domain\testuser.
    • DistinguishedName: Unique name of an object in the Active Directory hierarchy consisting of the full path to the object. For example, CN=testuser,OU=Users,DC=domain,DC=com.
    • Sid: Unique security identifier assigned to each object in Active Directory. Sid is used to manage access to resources and authentication of users and objects.

    Click Configure catalog object filtering to set search criteria for records in user catalogs.

    List of filters
  4. On the Data Storage step, select the Microsoft SQL storage type.

  5. In the Database connection string, click Edit to specify the data for connecting to the database that will be used as the Axidian Access data storage.

    • Server name: Database server name.
    • Select the SQL Server Authentication method and specify the credentials of the service user that has full permissions on the database.
    • In the Select or enter a database name section, select or specify the database that will be used as the Axidian Access storage.
    • After completing the setting, click Test Connection. If the configuration is correct, a window with Test connection succeeded appears.
    • Click Ok in all windows.
  6. On the Encryption Key step, select the encryption algorithm, click Generate, and then click Next.

    Tip

    We recommend that you back up the encryption key and store it in a secure location. Without this key, the data encrypted in the storage cannot be recovered.

  7. On the Log Server step, specify the following data:

    Note

    To avoid errors when testing the connection, a fully configured Log Server with a configured database or installed EventLog component is required. If the log server is not ready for operation, you can skip this step.

    • Log Server address: URL for connecting to the server in the format http(s)://full_dns_server_name/ls/, such as http://logserver.demo.local/ls/.
    • Certificate: Certificate for configuring two-way TLS connection between Core Server and Log Server.
    Important

    This setting is optional. The current version of Axidian Access does not support a two-way TLS connection.

    • Logged catalog object field: Specify the format in which the username will be logged.
    • Logged computer field: Specify the format in which the Computer field will be logged.
    Note

    For logging in DNS format, additional configuration is required.

  8. On the Session Secret step, click Generate to create the key pair used for signing the user token.

    The public key is saved in the SessionPublicKey.pub file. Add this key to all computers with Windows Logon or ESSO Agent installed, using the Session public key settings policy from the ADMX templates in Axidian <version number>\Misc\ADMX Templates. Only the public key file is distributed; the private (secret) key stays in the Core Server configuration.

  9. On the File Encryption step, you can encrypt the settings in the configuration file.

    Tip

    For security purposes, we recommend that you encrypt the configuration file.

  10. On the Confirmation step, verify that the specified data is correct and click Apply.

    Tip

    We recommend that you make a backup of the configuration file; by default, the Save backup of configuration parameters option is enabled.

  11. On the Results step, the settings are verified and the connection to Core Server is tested.

System administrator setting

Note

A user specified as a system administrator must be in the user catalog.

  1. On the System Administrator step, specify the service account of the Axidian Access administrator. The specified account will be granted primary system administrator rights.

    Note

    Before setting the administrator, install the Windows Password provider (Axidian <version number>\Axidian Providers\Windows Password Provider\<version number>), because when the initial rights are granted to the specified user, that user is authenticated on Core Server.

  2. The Results step displays the status of the configuration file setting and the status of the system administrator setting.

Manual configuration

info

We recommend that you edit the configuration file taking the peak server load into account.

To save changes to the configuration file, run the editor as administrator.

Errors that occur during Core Server installation (for example, an error in the configuration file) are logged based on the Log Server settings.

Requirements for characters in the password for service users

If the password of a service user contains any of the characters &, ", ;, <, space or ', specify it as follows. In the examples, the AD form is the password attribute of adUserCatalogProvider and the SQL form is the Password keyword inside the connectionString attribute of mssqlDbContext. Both values sit inside a double-quoted XML attribute, which is why XML entities are required.

  • Ampersand (&): For both AD and SQL users, replace the character with the &amp; combination. Example (AD\SQL): password="Q1q2E3e4&amp;" \ Password='Q1q2E3e4&amp;'
  • Double quote ("): For both AD and SQL users, replace the character with the &quot; combination. For an SQL user, additionally enclose the password in single quotes. Example (AD\SQL): password="Q1q2E3e4&quot;" \ Password='Q1q2E3e4&quot;'
  • Semicolon (;): For an AD user, no additional action is required. For an SQL user, enclose the password in single quotes. Example (AD\SQL): password="Q1q2E3e4;" \ Password='Q1q2E3e4;'
  • Less than (<): For both AD and SQL users, replace the character with the &lt; combination. Example (AD\SQL): password="Q1q2E3e4&lt;" \ Password='Q1q2E3e4&lt;'
  • Space: For an AD user, no additional action is required. For an SQL user, enclose the password in single quotes. Example (AD\SQL): password="Q1q2E3e4 " \ Password='Q1q2E3e4 '
  • Single quote ('): For an AD user, no additional action is required. For an SQL user, enclose the password in double quotes, written as the &quot; combination inside the attribute; the single quote itself is written as is. Example (AD\SQL): password="Q1q2E3e4'" \ Password=&quot;Q1q2E3e4'&quot;
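The escaping rules above are easy to get wrong by hand, and a mistake either breaks XML parsing or silently changes the password (an unquoted trailing space is trimmed by the connection-string parser). The following Python is an added example for this page, not Axidian code: it builds the AD password attribute and the SQL connectionString attribute from a raw password, then parses them back to prove the round trip. The connection-string parser is a minimal reader of the key=value;key='quoted value' form written for this example, not the ADO.NET implementation; the server, database and user names are taken from the page's own sample and the list of passwords is a constructed test input.

```python
"""Build correctly escaped Web.config password values and verify they round-trip."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Passwords from the page's examples plus a plain one (constructed test inputs).
SAMPLE_PASSWORDS = ["Q1q2E3e4&", 'Q1q2E3e4"', "Q1q2E3e4;", "Q1q2E3e4<",
                    "Q1q2E3e4 ", "Q1q2E3e4'", "Q1q2E3e4"]
# Characters that force quoting of a connection-string value per the rules above.
SQL_NEEDS_QUOTES = set(";\" &<'")


def xml_attr(value):
    """Escape text for a double-quoted XML attribute: & < > and " become entities."""
    return escape(value, {'"': "&quot;"})


def ad_password_attr(password):
    """The password="..." attribute of adUserCatalogProvider."""
    return f'password="{xml_attr(password)}"'


def sql_password_value(password):
    """Quote a value for the Password= keyword of a SQL Server connection string."""
    if "'" in password and '"' in password:
        raise ValueError("both quote kinds in one password are not covered by the documented rules")
    if "'" in password:                    # single quote inside -> wrap in double quotes
        return f'"{password}"'
    if SQL_NEEDS_QUOTES & set(password):   # ; " & < or space -> wrap in single quotes
        return f"'{password}'"
    return password


def connection_string(password, server=r"EASERVER\EASERVER",
                      database="AM_Server_7", user="Admin-DB"):
    return (f"Data Source={server};Initial Catalog={database};"
            f"User Id={user};Password={sql_password_value(password)};")


def db_connection_attr(password):
    """The connectionString="..." attribute of mssqlDbContext, XML-escaped as a whole."""
    return f'connectionString="{xml_attr(connection_string(password))}"'


def parse_connection_string(cs):
    """Minimal key=value parser: quoted values keep everything between the quotes,
    unquoted values are trimmed (which is why a trailing space must be quoted)."""
    result, i, n = {}, 0, len(cs)
    while True:
        eq = cs.find("=", i)
        if eq == -1:
            return result
        key = cs[i:eq].strip().lower()
        i = eq + 1
        while i < n and cs[i] == " ":
            i += 1
        if i < n and cs[i] in "'\"":
            close = cs.find(cs[i], i + 1)
            if close == -1:
                raise ValueError("unterminated quote in connection string")
            value, i = cs[i + 1:close], close + 1
        else:
            end = cs.find(";", i)
            end = n if end == -1 else end
            value, i = cs[i:end].strip(), end
        semi = cs.find(";", i)          # skip to the next key=value pair
        i = n if semi == -1 else semi + 1
        result[key] = value


def roundtrip(password):
    """Write both attributes into XML, read them back and compare with the original."""
    ad = ET.fromstring(f'<adUserCatalogProvider id="UserId" {ad_password_attr(password)}/>')
    db = ET.fromstring(f'<mssqlDbContext id="mssql" {db_connection_attr(password)}/>')
    return (ad.get("password") == password and
            parse_connection_string(db.get("connectionString"))["password"] == password)


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        status = "ok" if roundtrip(pw) else "MISMATCH"
        print(f"{ad_password_attr(pw)} \\ {db_connection_attr(pw)}  [{status}]")
```

A password containing both a single and a double quote is rejected rather than guessed at, because the list above gives no rule for that combination.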
To configure Core Server manually:

  1. Open C:\inetpub\wwwroot\am\core\Web.config for editing.

  2. In the sessionEncryptionSettings parameter, specify the public and secret keys for signing the user token. To generate the keys, run the AccessManager.KeyGen.Console.exe tool located in the Misc folder of Axidian Access Manager Server/<version number>.

    In the --name parameter, specify the file name. This parameter is required. Both files are generated with this name; the public key file has the .pub extension.

    In the --output-directory parameter, specify the path to the folder where the key pair files are saved. You can specify a relative or an absolute path. This parameter is optional. If you do not specify a path, the key pair files are saved in the Misc folder.

  3. To specify the system user catalog, edit the following parameters in the adUserCatalogProvider tag:

    • id: Arbitrary unique catalog identifier.
    • serverName: Active Directory domain name in which the catalog is located.
    • containerPath: Path to the container in the Distinguished Name format or the entire domain if the entire domain is used for storing users.
    • userName: Name of the service account for connecting to the user catalog.
    • password: Password of the service account in the Active Directory user catalog.
    <adUserCatalogProviders> 
    <adUserCatalogProvider id="UserId" serverName="axidian.local" containerPath="DC=demo,DC=local" userName="AxidianCatalogUser" password="Q1q2E3e4"/>
    </adUserCatalogProviders>
  4. To specify the root user catalog provider identifier, edit the rootUserCatalogProviderId attribute in the userCatalogProviderSettings tag.

    • rootUserCatalogProviderId : Set the value that has already been set in the tag adUserCatalogProvider in the attribute id.
    <userCatalogProviderSettings rootUserCatalogProviderId="UserId">
  5. Set the system data storage. For data storage in SQL Server, edit the tag dbContextSettings and create the tag mssqlDbContext with parameters id and connectionString.

    • rootDbContextId : Set an arbitrary unique value for the data storage identifier.
    • id: Set the value that is set in the tag rootDbContextId.
  6. Add the connectionString parameter with built-in parameters:

    • Data Source: Specifies the server instance. This property is required for all connections. Valid values include the network name or IP address of the server, local or localhost for local connections.
    • Initial Catalog: Specifies the database name.
    • User Id: User name for connecting to the database.
    • Password: User password for connecting to the database.
    <dbContextSettings rootDbContextId="mssql">
    <mssqlDbContexts>
    <mssqlDbContext id="mssql" connectionString="Data Source=EASERVER\EASERVER;Initial Catalog=AM_Server_7;User Id=Admin-DB;Password=Q1q2E3e4;"/>
    </mssqlDbContexts>
    </dbContextSettings>
  7. Set the system data encryption key. Edit the parameters in the tag encryptionSettings.

    • cryptoAlgName: Encryption algorithm to use. Possible values:
      • DES
      • TripleDES
      • RC2
      • AES
      • Rijndael
      Use AES (Rijndael is its predecessor). DES and RC2 are broken and TripleDES is deprecated; do not select them for a new installation.
    • cryptoKey: Key value generated by the utility.
    • certificateThumbprint: Certificate thumbprint used to encrypt the key (to ignore, remove the attribute).
    <encryptionSettings cryptoAlgName="Aes" cryptoKey="90ce7dbc3ff94a7867abc6672c23cce2c3717d38af42f04293130cb68a34ecc2"/>
  8. Set the system administrator. Edit the userId parameter of the accessControlAdminSettings tag.

    • userId: User identifier in the format <Catalog identifier><underscore><System Administrator GUID>.
    info

    The user must be located in the user catalog.

    When using multiple user containers, the Catalog identifier specifies the container id where the system administrator is located.

    <accessControlAdminSettings userId="UserId_84e9ccd9-73a2-43c7-abc6-604a16902037"/>
    info

    To obtain the GUID, use a PowerShell command from the ActiveDirectory module. You must first install the Remote Server Administration Tools component:

    Get-ADUser YourUserName | Select-Object -ExpandProperty ObjectGUID
  9. Set the url to connect to Log Server. Edit the logServer tag.

    • Url: URL for connecting to Log Server in the format http(s)://server name/ls/api.
    Note

    If you use multiple servers, specify the load balancer address.

    • CertificateThumbprint: Thumbprint of the client certificate, if the private key is in the registry and the certificate is in the computer certificate store.
    • CertificateFilePath: Path to the key pair, if it is stored in a pfx file.
    • CertificateFilePassword: Password for the pfx file.
    The three certificate attributes can be left empty: the current version of Axidian Access does not support a two-way TLS connection to Log Server.
    <logServer Url="http://log.axidian.local/ls/api/" CertificateThumbprint="" CertificateFilePath="" CertificateFilePassword=""/>
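The manual steps above leave several values that must agree with each other (the root provider and context ids, the catalog id prefix of the administrator userId) and several that decide the security of the installation (requireHttps, the encryption algorithm, secrets left in clear text). The following Python is an added example for this page, not Axidian code: it audits a Web.config for those points. The section and attribute names are the ones shown in the steps above; how they nest under the configuration root is not shown on the page and is assumed here, so the checker searches the whole tree rather than fixed paths. The sample configuration is constructed from the page's fragments (the cryptoKey is the page's sample value, not a real key), and the "weak" variant is the same file with each insecure or inconsistent value swapped in. Secret-bearing sections are left in plain text in both samples because the encrypted form produced by EA.Config.Encryptor is not shown on the page; the checker therefore reports them until the encryption step has been run.

```python
"""Consistency and hardening audit of a Core Server Web.config (added example)."""
import re
import xml.etree.ElementTree as ET

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
WEAK_ALGS = {"des", "rc2", "tripledes"}      # DES/RC2 are broken, 3DES is deprecated
SECRET_ATTRS = ("password", "cryptokey")     # attribute names that carry secrets

# Constructed sample; nesting under <configuration> is an assumption.
HARDENED_CONFIG = r"""<configuration>
  <appSettings>
    <add key="requireHttps" value="true" />
  </appSettings>
  <userCatalogProviderSettings rootUserCatalogProviderId="UserId">
    <adUserCatalogProviders>
      <adUserCatalogProvider id="UserId" serverName="axidian.local" containerPath="DC=demo,DC=local"
                             userName="AxidianCatalogUser" password="Q1q2E3e4"/>
    </adUserCatalogProviders>
  </userCatalogProviderSettings>
  <dbContextSettings rootDbContextId="mssql">
    <mssqlDbContexts>
      <mssqlDbContext id="mssql" connectionString="Data Source=EASERVER\EASERVER;Initial Catalog=AM_Server_7;User Id=Admin-DB;Password=Q1q2E3e4;"/>
    </mssqlDbContexts>
  </dbContextSettings>
  <encryptionSettings cryptoAlgName="AES" cryptoKey="90ce7dbc3ff94a7867abc6672c23cce2c3717d38af42f04293130cb68a34ecc2"/>
  <accessControlAdminSettings userId="UserId_84e9ccd9-73a2-43c7-abc6-604a16902037"/>
  <logServer Url="https://log.axidian.local/ls/api/" CertificateThumbprint="" CertificateFilePath="" CertificateFilePassword=""/>
</configuration>
"""

# Same file with HTTPS disabled, DES selected, a mismatched context id, an admin id
# pointing at an undefined catalog, and Log Server reached over plain http.
WEAK_CONFIG = (HARDENED_CONFIG
               .replace('value="true"', 'value="false"')
               .replace('cryptoAlgName="AES"', 'cryptoAlgName="DES"')
               .replace('rootDbContextId="mssql"', 'rootDbContextId="sql"')
               .replace('userId="UserId_', 'userId="Catalog_')
               .replace("https://log", "http://log"))


def audit_core_config(xml_text):
    """Return a list of findings; an empty list means nothing to fix."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Transport: with requireHttps off, credentials and session tokens cross the wire in clear text.
    for add in root.iter("add"):
        if add.get("key") == "requireHttps" and add.get("value", "").lower() != "true":
            findings.append("appSettings: requireHttps is not true")

    # 2. Catalog: rootUserCatalogProviderId must name a defined adUserCatalogProvider.
    providers = {p.get("id") for p in root.iter("adUserCatalogProvider")}
    ucs = root.find(".//userCatalogProviderSettings")
    root_provider = ucs.get("rootUserCatalogProviderId") if ucs is not None else None
    if root_provider not in providers:
        findings.append(f"userCatalogProviderSettings: rootUserCatalogProviderId {root_provider!r} "
                        "matches no adUserCatalogProvider id")

    # 3. Storage: rootDbContextId must name a defined mssqlDbContext.
    dbs = root.find(".//dbContextSettings")
    root_db = dbs.get("rootDbContextId") if dbs is not None else None
    if root_db not in {c.get("id") for c in root.iter("mssqlDbContext")}:
        findings.append(f"dbContextSettings: rootDbContextId {root_db!r} matches no mssqlDbContext id")

    # 4. Data encryption: reject the obsolete algorithms among the possible values.
    enc = root.find(".//encryptionSettings")
    alg = enc.get("cryptoAlgName", "") if enc is not None else ""
    if not alg or alg.lower() in WEAK_ALGS:
        findings.append(f"encryptionSettings: cryptoAlgName {alg!r} is obsolete or missing; use AES")

    # 5. Administrator: userId must be <catalog id>_<GUID> and the catalog id must exist.
    adm = root.find(".//accessControlAdminSettings")
    user_id = adm.get("userId", "") if adm is not None else ""
    catalog_id, sep, guid = user_id.rpartition("_")
    if not sep or not GUID_RE.match(guid):
        findings.append(f"accessControlAdminSettings: userId {user_id!r} is not <catalog id>_<GUID>")
    elif catalog_id not in providers:
        findings.append(f"accessControlAdminSettings: catalog id {catalog_id!r} matches no adUserCatalogProvider id")

    # 6. Log Server transport: audit records should not leave the host over plain http.
    ls = root.find(".//logServer")
    if ls is not None and ls.get("Url", "").lower().startswith("http:"):
        findings.append("logServer: Url uses http, audit records are sent in clear text")

    # 7. Secrets at rest: a section still carrying a plaintext secret has not been encrypted yet.
    for elem in root.iter():
        for attr, val in elem.attrib.items():
            named_secret = any(s in attr.lower() for s in SECRET_ATTRS) and val
            embedded_secret = attr == "connectionString" and re.search(r"(?i)\b(password|pwd)\s*=", val)
            if named_secret or embedded_secret:
                findings.append(f"{elem.tag}: {attr} holds a plaintext secret, encrypt this section")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for finding in audit_core_config(cfg):
            print("  -", finding)
```

Run it against the real file with `audit_core_config(open(r"C:\inetpub\wwwroot\am\core\Web.config", encoding="utf-8").read())` after the manual steps and again after running EA.Config.Encryptor; the second run should report nothing.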

Encrypt/Decrypt the configuration file

  1. Run the command prompt as administrator.
  2. In the command prompt, navigate to the folder with the encryption utility.
Tip

The utility encrypts the logServer, logonSettings, userCatalogProviderSettings, encryptionSettings, dbContextSettings sections. We recommend you to encrypt all sections.

  • Encrypt/Decrypt individual sections. To encrypt an individual section, execute a command of the following form:

    EA.Config.Encryptor /encrypt "<path to server configuration file>" "<section name>"
    Command example
    EA.Config.Encryptor /encrypt "C:\inetpub\wwwroot\am\core\Web.config" "logServer"
  • To decrypt an individual section, execute the following command:

    EA.Config.Encryptor /decrypt "<path to server configuration file>" "<section name>"
    Command example
    EA.Config.Encryptor /decrypt "C:\inetpub\wwwroot\am\core\Web.config" "logServer"
  • Encrypt/Decrypt all sections. To encrypt all sections, run the script encryptConfigs.bat.

  • To decrypt all sections, execute the script decryptConfigs.bat. Decrypt only for as long as you need to edit the file and encrypt it again as soon as you are done: while the sections are decrypted, the service account passwords, the database connection string and the data encryption key are readable by anyone who can open Web.config.