AirCard server

Follow these steps to configure the AirCard server:

  1. Install the Axidian AirCard Enterprise server.
  2. Create a signing certificate.
  3. Configure the Axidian AirCard Enterprise settings.
  4. Integrate with Axidian CertiFlow.

Install the Axidian AirCard Enterprise server

Run the Axidian.AirCard.EnterpriseServer.msi file from the Axidian AirCard installation package and follow the configuration wizard instructions. After you install the server, the following access control settings are automatically applied to the Axidian.AirCard.EntServer site:

  • Authentication: Anonymous Authentication
  • SSL Settings: Require SSL and Accept client certificates

Set up a secure connection in IIS (Internet Information Services Manager). To access the AirCard server via HTTPS, bind an SSL/TLS certificate to a port:

  1. Open the IIS Manager, select the Axidian.AirCard.EntServer site and go to Bindings....
  2. Click Add... and select https in the Type list.
  3. Specify a binding Port, for example, 3002.
  4. Select an SSL certificate and click OK.

Caution: Make sure to configure inbound connections for the specified port in Windows Firewall.

The SSL/TLS certificate for the Axidian AirCard server can be an RSA certificate issued by any trusted CA. It must meet the following requirements:

  • Subject must contain the Common name value (FQDN of the AirCard server).
  • Subject Alternative Name must contain the DNS Name value (FQDN of the AirCard server). For example, aircard.demo.local, or *.demo.local for a wildcard certificate.
  • Enhanced Key Usage (EKU) extension must contain the Server Authentication (1.3.6.1.5.5.7.3.1) value.

The server certificate must be issued to the hostname that is used in the web address when connecting to a secure site.
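
The requirements above can be checked before the certificate is selected in the IIS binding. The following PowerShell is an added example, not part of the Axidian documentation or tooling: the function names are hypothetical, and it assumes the certificate is already installed in the LocalMachine\My store.

```powershell
# Added example; function names are hypothetical, not part of the product.
# Uses the DnsNameList and EnhancedKeyUsageList properties that the Windows
# PowerShell certificate provider adds to certificate objects.
function Test-DnsNameMatch([string]$Pattern, [string]$HostName) {
    if ($Pattern -eq $HostName) { return $true }   # -eq ignores case for strings
    if ($Pattern.StartsWith('*.')) {
        # A wildcard stands for exactly one leftmost label.
        $parts = $HostName -split '\.', 2
        return ($parts.Count -eq 2 -and $parts[1] -eq $Pattern.Substring(2))
    }
    return $false
}

function Test-AirCardServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Fqdn
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $findings = @()

    # The page asks for an RSA certificate (rsaEncryption key OID).
    if ($cert.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') {
        $findings += 'Public key is not RSA.'
    }
    # SimpleName returns the Common name when the subject has one.
    $cn = $cert.GetNameInfo('SimpleName', $false)
    if (-not (Test-DnsNameMatch $cn $Fqdn)) {
        $findings += "Subject CN '$cn' does not match $Fqdn."
    }
    # DnsNameList falls back to the subject when there is no SAN extension,
    # so the extension (OID 2.5.29.17) is checked for explicitly.
    if ($null -eq $cert.Extensions['2.5.29.17']) {
        $findings += 'No Subject Alternative Name extension.'
    } elseif (-not ($cert.DnsNameList | Where-Object { Test-DnsNameMatch $_.Unicode $Fqdn })) {
        $findings += "No DNS Name in Subject Alternative Name matches $Fqdn."
    }
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
        $findings += 'EKU lacks Server Authentication (1.3.6.1.5.5.7.3.1).'
    }
    $findings   # empty output means every listed requirement is met
}
```

Call it as `Test-AirCardServerCertificate -Thumbprint <thumbprint> -Fqdn aircard.demo.local`, with the same hostname that clients will use in the HTTPS address.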

Create a signing certificate

A signing certificate is required for issuing certificates to user workstations.

More about the signing certificate

A client certificate is issued automatically when you first connect an AirCard to a workstation. When addressing the AirCard server, the user workstation provides the client certificate. The server verifies that the certificate is valid and allows the AirCard to be connected to the user workstation.

Follow these steps to create a signing certificate.

  1. Run the AirCard.VTServer.CertificateGenerator.exe utility as administrator on the AirCard server (\AxidianACES\Misc\CertificateGenerator). The AirCard Enterprise Server CA certificate appears in the Certificates snap-in of the local computer.
  2. Allow the AirCard server to access and read the private key of the server certificate.
    1. Open the Certificates snap-in window.
    2. Right-click the AirCard Enterprise Server CA certificate and select All tasks > Manage Private Keys.
    3. Click Add and specify the IIS_IUSRS local group if the IIS version is 7.0, or the IIS AppPool\AxidianAKES local account if the IIS version is 7.5 or higher.
    4. Check the Read box in the Permissions for window and click Apply.
    5. Add the AirCard Enterprise Server CA certificate to the list of Trusted Root Certification Authorities on the AirCard server and on the user workstations to which the AirCard virtual smart cards will connect.

Configure the Axidian AirCard Enterprise settings

  1. Open the configuration file appsettings.json. The file is located at C:\inetpub\wwwroot\aircard\server.
  2. Fill in the required parameters.
  3. Save your changes.

Parameter: Description

adminFilter: Optional parameter. Specify the Axidian CertiFlow client certificate information used to authenticate to the Axidian AirCard Enterprise server:
  • Object Identifier (OID) in the Enhanced Key Usage section
    For example, EKUs:1.3.6.1.5.5.7.3.2.
  • Thumbprint
    For example, Thumbprint:05eac3725eaa791f18ef45118ff3fa269c4d706f.
If you have multiple Axidian CertiFlow servers in your environment, specify the OID or Thumbprint of the certificate for each server, separated by a semicolon (;).

isCardsAllowedForAllUsers:
  • true – all AirCard virtual smart cards connected to the workstation are displayed in a user's active session.
  • false – only the connected AirCard virtual smart cards assigned to the current user are displayed in a user's active session, while cards assigned to other users are not displayed.

serverCertThumbprint: Thumbprint of the signing certificate

storage: Data storage: SqlServer or PostgreSql

connectionString: Data storage connection string

cryptoAlgName: Encryption algorithm

cryptoKey: Encryption key

Example configuration file using Microsoft SQL as data storage

{
  "certificateAccessControlSettings": {
    "adminFilter": "EKUs:1.3.6.1.5.5.7.3.1"
  },
  "airCardSettings": {
    "isCardsAllowedForAllUsers": true,
    "serverCertThumbprint": "138c1215787e4cb3460b7af46be77291bd4c7c1a"
  },
  "storage": "SqlServer",
  "sqlPersistenceSettings": {
    "connectionString": "Data Source=DC;Initial Catalog=AirCard;User ID=Admin;Password=P@ssword;TrustServerCertificate=True",
    "cryptoAlgName": "AES",
    "cryptoKey": "9542a73b8208b601b50fc7ef53ab8065254394048e1ca155fac1e954fe965a71"
  },
  "eventLogAuditSettings": {
    "providerGuid": "{79A2642D-FDC4-4B29-88E6-972D2B7CECF7}"
  },
  "logging": {
    "logLevel": {
      "default": "Information",
      "microsoft": "Warning",
      "microsoft.Hosting.Lifetime": "Information"
    }
  },
  "allowedHosts": "*"
}

Example configuration file using PostgreSQL as data storage

{
  "certificateAccessControlSettings": {
    "adminFilter": "EKUs:1.3.6.1.5.5.7.3.1"
  },
  "airCardSettings": {
    "isCardsAllowedForAllUsers": true,
    "serverCertThumbprint": "138c1215787e4cb3460b7af46be77291bd4c7c1a"
  },
  "storage": "PostgreSql",
  "sqlPersistenceSettings": {
    "connectionString": "Host=DC;Database=AirCard;Username=Adm;Password=P@ssword",
    "cryptoAlgName": "AES",
    "cryptoKey": "9542a73b8208b601b50fc7ef53ab8065254394048e1ca155fac1e954fe965a71"
  },
  "eventLogAuditSettings": {
    "providerGuid": "{79A2642D-FDC4-4B29-88E6-972D2B7CECF7}"
  },
  "logging": {
    "logLevel": {
      "default": "Information",
      "microsoft": "Warning",
      "microsoft.Hosting.Lifetime": "Information"
    }
  },
  "allowedHosts": "*"
}
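
Before saving appsettings.json, the values can be checked against the formats described in the parameter list. The following PowerShell is an added example, not an Axidian tool: Test-AirCardSettings is a hypothetical helper, the input is constructed from the SQL Server example above, and it assumes cryptoKey is a hex-encoded AES key as in the page's examples.

```powershell
# Added example; Test-AirCardSettings is a hypothetical helper, not a product tool.
# Sample encryption key published in this page's example files.
$DocCryptoKey = '9542a73b8208b601b50fc7ef53ab8065254394048e1ca155fac1e954fe965a71'

function Test-AirCardSettings([string]$Json) {
    $cfg = $Json | ConvertFrom-Json
    $findings = @()
    # adminFilter is optional; multiple entries are separated by ';'.
    $filter = $cfg.certificateAccessControlSettings.adminFilter
    foreach ($entry in @("$filter" -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        if ($entry -notmatch '^(EKUs:\d+(\.\d+)+|Thumbprint:[0-9a-fA-F]{40})$') {
            $findings += "adminFilter entry '$entry' is not EKUs:<OID> or Thumbprint:<40 hex digits>."
        }
    }
    if ($cfg.airCardSettings.serverCertThumbprint -notmatch '^[0-9a-fA-F]{40}$') {
        $findings += 'serverCertThumbprint is not a 40-digit hex (SHA-1) thumbprint.'
    }
    if ($cfg.storage -notin 'SqlServer', 'PostgreSql') {
        $findings += "storage '$($cfg.storage)' is not SqlServer or PostgreSql."
    }
    $sql = $cfg.sqlPersistenceSettings
    # Assumption: cryptoKey is a hex-encoded AES key, as in the page's examples.
    if ($sql.cryptoKey -notmatch '^([0-9a-fA-F]{32}|[0-9a-fA-F]{48}|[0-9a-fA-F]{64})$') {
        $findings += 'cryptoKey is not a hex-encoded 128-, 192- or 256-bit key.'
    } elseif ($sql.cryptoKey -eq $DocCryptoKey) {
        $findings += 'cryptoKey is the sample value from the documentation.'
    }
    # With TrustServerCertificate=True the SQL client skips certificate validation.
    if ($sql.connectionString -match 'TrustServerCertificate\s*=\s*(true|yes)') {
        $findings += 'connectionString sets TrustServerCertificate=True.'
    }
    $findings
}

# Constructed input: the SQL Server example with a truncated thumbprint and a placeholder password.
$sample = @'
{
  "certificateAccessControlSettings": { "adminFilter": "EKUs:1.3.6.1.5.5.7.3.2;Thumbprint:05eac3725eaa" },
  "airCardSettings": { "serverCertThumbprint": "138c1215787e4cb3460b7af46be77291bd4c7c1a" },
  "storage": "SqlServer",
  "sqlPersistenceSettings": {
    "connectionString": "Data Source=DC;Initial Catalog=AirCard;User ID=Admin;Password=<placeholder>;TrustServerCertificate=True",
    "cryptoAlgName": "AES",
    "cryptoKey": "9542a73b8208b601b50fc7ef53ab8065254394048e1ca155fac1e954fe965a71"
  }
}
'@
Test-AirCardSettings $sample
```

To check the deployed file, pass `Get-Content -Raw` of appsettings.json instead of `$sample`.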

Configure integration with Axidian CertiFlow

To issue AirCard virtual smart cards in Axidian CertiFlow, configure the integration and set up the Axidian AirCard Enterprise server parameters.

  1. Switch to the Axidian CertiFlow server, run the Axidian CertiFlow Configuration Wizard, and open the AirCard Enterprise tab.
  2. Enable the Enable integration with AirCard Enterprise option.
  3. Enter the link and the port to connect to the server in the URL of connection to AirCard Enterprise server field. Make sure that the port is open for inbound connections in the firewall of the AirCard server.
  4. Enter the Thumbprint of the certificate issued to the workstation where the Axidian CertiFlow server resides.
  5. Specify the time before the Card Monitor service removes unregistered AirCard virtual smart cards. Type a timeout value in seconds in the Lifetime of unregistered AirCard Enterprise smart cards in seconds field. The default value is 120 seconds.
  6. Open the Confirmation tab and click Apply to save your settings. It is recommended to save the Axidian CertiFlow and the AirCard Enterprise backup files in the same secure location.

Caution: The Enhanced Key Usage (EKU) extension must contain the Client Authentication value. The IIS_IUSRS local group (IIS 7.0) or the IIS AppPool\AxidianCertiFlow account (IIS 7.5 and higher) must have Read permissions for the private key of the specified client certificate.