AirCard server

Follow these steps to configure the AirCard server:

  1. Install the AirCard server.
  2. Create a signature certificate.
  3. Configure the Axidian AirCard Enterprise settings.
  4. Set up integration with Axidian CertiFlow.

Install the AirCard server

Run the Axidian.AirCard.EnterpriseServer.msi file from the Axidian AirCard installation package and follow the configuration wizard instructions. After you install the server, the following access control settings are automatically applied to the Axidian.AirCard.EntServer site:

  • Authentication: Anonymous Authentication
  • SSL Settings: Require SSL and Accept client certificates

Set up a secure connection in IIS (Internet Information Services Manager). To access the AirCard server via HTTPS, bind an SSL/TLS certificate to a port:

  1. Open the IIS Manager.
  2. Select the Axidian.AirCard.EntServer site and go to Bindings....
  3. Click Add....
  4. Select https in the Type drop-down list.
  5. Specify a binding Port:, e.g. 3002.
  6. Specify an SSL certificate and click OK.

CAUTION: Make sure to configure inbound connections for the specified port in Windows Firewall.

The SSL/TLS certificate for the Axidian AirCard server can be an RSA certificate issued by any trusted CA. It must meet the following requirements:

  • Subject must contain the Common name value (FQDN of the system server).
  • Subject Alternative Name must contain the DNS Name value (FQDN of the system server), e.g. aircard.demo.local, or *.demo.local for a wildcard certificate.
  • Enhanced Key Usage (EKU) extension must contain the Server Authentication (1.3.6.1.5.5.7.3.1) value.

The server certificate must be issued to the hostname that is used in the web address when connecting to a secure site.
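
An added example, not part of the Axidian documentation: a PowerShell check of a certificate in the local computer's Personal store against the requirements listed above. The function names and the thumbprint placeholder in the usage comment are assumptions; the FQDN is the one from the example above.

```powershell
# Added example, not Axidian code. Run in Windows PowerShell on the AirCard server.
function Test-DnsNameMatch([string] $Pattern, [string] $HostName) {
    if ($Pattern.StartsWith('*.')) {
        # A wildcard such as *.demo.local covers exactly one left-most label.
        $dot = $HostName.IndexOf('.')
        return ($dot -gt 0) -and ($HostName.Substring($dot) -ieq $Pattern.Substring(1))
    }
    return $Pattern -ieq $HostName
}

function Test-AirCardTlsCertificate {
    param(
        [Parameter(Mandatory)][string] $Thumbprint,  # certificate selected in the IIS binding
        [Parameter(Mandatory)][string] $Fqdn         # hostname used in the web address
    )
    $cert = Get-Item -LiteralPath "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # Common name from the Subject field (SimpleName prefers the CN).
    $cn = $cert.GetNameInfo('SimpleName', $false)

    # DnsNameList falls back to the Subject when there is no SAN, so require
    # the SAN extension (2.5.29.17) itself before trusting the list.
    $hasSan = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' })
    $sanDns = @(if ($hasSan) { $cert.DnsNameList | ForEach-Object { $_.Unicode } })

    # OIDs listed in the Enhanced Key Usage extension.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    [pscustomobject]@{
        Subject        = $cert.Subject
        RsaKey         = $cert.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1'
        CnMatchesFqdn  = Test-DnsNameMatch $cn $Fqdn
        SanMatchesFqdn = [bool]($sanDns | Where-Object { Test-DnsNameMatch $_ $Fqdn })
        ServerAuthEku  = $ekus -contains '1.3.6.1.5.5.7.3.1'
    }
}

# Usage (placeholder thumbprint):
# Test-AirCardTlsCertificate -Thumbprint '<THUMBPRINT>' -Fqdn 'aircard.demo.local'
```

Every property except Subject should be True before the certificate is selected in the binding.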

Create a signature certificate

Create a signature certificate so that AirCard virtual smart cards connect to user workstations via client certificates. A client certificate is issued automatically when you first connect an AirCard to a workstation. When addressing the AirCard server, the user workstation provides the client certificate. The server verifies that the certificate is valid and allows the AirCard to connect to the user workstation.

Follow these steps to create a signature certificate:

  1. Run the Axidian.AKES.CertificateGenerator.exe utility as administrator on the AirCard server. The AirCard Enterprise Server CA certificate appears in the Certificates snap-in of the local computer.
  2. Allow the AirCard server to access and read the private key of the server certificate. Follow these steps:
    1. Open the Certificates snap-in window.
    2. Right-click the AirCard Enterprise Server CA certificate and select All tasks→Manage Private Keys.
    3. Click Add and specify the IIS_IUSRS local group if the IIS version is 7.0, or the IIS AppPool\AxidianAKES local account if the IIS version is 7.5 or higher.
    4. Check the Read box in the Permissions for window and click Apply.
    5. Add the AirCard Enterprise Server CA certificate to the list of Trusted Root Certification Authorities on the AirCard server and on the user workstations to which the AirCards will connect.

Configure the system settings

Configure the settings via the Axidian AirCard Enterprise Configuration Wizard. The wizard starts automatically if you check the Run Axidian AirCard Enterprise Configuration Wizard option in the Axidian AirCard Server Installation Wizard. Alternatively, run the configuration wizard manually: Start→All Programs→Axidian AirCard.

Here are the options you can set up in the configuration wizard:

Tab | Settings
Before starting work | Learn about purposes and features of the configuration wizard.
Restore configuration | Upload a backup copy of the AirCard Enterprise configuration.
Client certificate | Configure the certificate-based access control to the AirCard server.

The certificate that the Axidian CertiFlow server presents when it connects to the AirCard server must match the specified Certificate Filter. The certificate must be issued to the CertiFlow server hostname that is used in the connection address.

Possible values:
- Extended Key Usage OID value of the certificate,
- Thumbprint.
Example:
- EKUs:1.3.6.1.5.5.7.3.2
- Thumbprint:05eac3725eaa791f18ef45118ff3fa269c4d706f

CAUTION: The Enhanced Key Usage (EKU) extension must contain the Client Authentication value.

If you use several Axidian CertiFlow servers in your infrastructure, separate the certificate OID or Thumbprint values of each server with a semicolon:
- EKUs:OID1;EKUs:OID2
- Thumbprint:1;Thumbprint:2
AirCard Smart Card options
Database:
- Active Directory or Microsoft SQL
- Encryption key
Determine the data storage of the system and the data encryption algorithm. Create a backup copy of the encryption key and restore the key from the backup copy.
Confirmation | Check the wizard settings and back up the Axidian AirCard Enterprise configuration.

You can save a copy of the necessary settings when installing Axidian AirCard Enterprise. Select the Backup current configuration settings option.
You can restore the settings when you deploy a new Axidian AirCard Enterprise server. Upload your backup file in the Restore configuration tab of the configuration wizard.

CAUTION: In addition to all parameters specified during Axidian AirCard installation, the backup copy includes the encryption key and data encryption algorithm. Save the backup file in a secure location.
Results | After the configuration wizard closes, all settings are saved in the configuration file of the application and encrypted with the Microsoft .NET encryption machine key (.NetFrameworkConfigurationKey). The encryption algorithm is RSA.

Configure integration with Axidian CertiFlow

To issue AirCards via Axidian CertiFlow, configure the integration and set up the AirCard server parameters. Follow these steps:

  1. Switch to the Axidian CertiFlow server, run the Axidian CertiFlow Configuration Wizard, and open the AirCard Enterprise tab.
  2. Check the Enable integration with AirCard Enterprise option.
  3. Enter the link and the port to connect to the server in the URL of connection to AirCard Enterprise server field. Make sure that the port is open for inbound connections in the firewall of the AirCard server.
  4. Enter the Thumbprint of the certificate issued to the workstation where Axidian CertiFlow server resides.
  5. Specify the time before the Card Monitor service removes unregistered AirCards. Type a timeout value in seconds in the Lifetime of unregistered AirCard Enterprise smart cards in seconds field. The default value is 120 seconds.
  6. Open the Confirmation tab and click Apply to save your settings. It is recommended to save the Axidian CertiFlow and the AirCard Enterprise backup files in the same secure location.

CAUTION: The Enhanced Key Usage (EKU) extension must contain the Client Authentication value. The IIS_IUSRS local group (IIS 7.0) or the IIS AppPool\AxidianCertiFlow account (IIS 7.5 or higher) must have Read permissions for the private key of the specified client certificate.
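
An added example, not Axidian code: a PowerShell pre-check of the CertiFlow certificate against a Certificate Filter string in the format shown on the Client certificate tab, which also covers the Thumbprint entered in step 4 above. It assumes that a certificate satisfies the filter when it matches at least one semicolon-separated entry; the function names and the second thumbprint in the sample are constructed.

```powershell
# Added example, not Axidian code. Assumption: a certificate satisfies the
# filter when it matches at least one ';'-separated entry.
function ConvertTo-NormalizedThumbprint([string] $Value) {
    # Thumbprints copied from the certificate dialog may contain spaces or an
    # invisible leading character, so keep the hex digits only.
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-CertificateFilter {
    param(
        [Parameter(Mandatory)][string] $Filter,      # e.g. 'Thumbprint:1;Thumbprint:2'
        [Parameter(Mandatory)][string] $Thumbprint,  # thumbprint of the CertiFlow certificate
        [string[]] $EkuOids = @()                    # OIDs from its EKU extension
    )
    $want    = ConvertTo-NormalizedThumbprint $Thumbprint
    $entries = @(($Filter -split ';').Trim() | Where-Object { $_ })
    $matched = foreach ($entry in $entries) {
        $kind, $value = $entry -split ':', 2
        switch ($kind.Trim()) {
            'EKUs'       { if ($EkuOids -contains "$value".Trim()) { $entry } }
            'Thumbprint' { if ((ConvertTo-NormalizedThumbprint $value) -eq $want) { $entry } }
            default      { Write-Warning "Unrecognized filter entry: $entry" }
        }
    }
    [pscustomobject]@{
        MatchesFilter    = [bool]$matched
        MatchedEntries   = @($matched)
        # The page requires the Client Authentication EKU in either case.
        HasClientAuthEku = $EkuOids -contains '1.3.6.1.5.5.7.3.2'
    }
}

# Constructed sample: the first thumbprint is the page's example value, the
# second is made up; the certificate thumbprint is written with spaces the
# way it is often pasted.
$filter = 'Thumbprint:05eac3725eaa791f18ef45118ff3fa269c4d706f;' +
          'Thumbprint:0000000000000000000000000000000000000001'
Test-CertificateFilter -Filter $filter -EkuOids '1.3.6.1.5.5.7.3.2' `
    -Thumbprint '05 ea c3 72 5e aa 79 1f 18 ef 45 11 8f f3 fa 26 9c 4d 70 6f'

# Against a certificate in the store (placeholder thumbprint):
# $c = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>'
# Test-CertificateFilter -Filter $filter -Thumbprint $c.Thumbprint -EkuOids $c.EnhancedKeyUsageList.ObjectId
```

Under the stated assumption, an EKUs entry is satisfied by the OID alone, while a Thumbprint entry is satisfied by one specific certificate.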