Axidian CertiFlow server

Axidian CertiFlow includes the following services:

• Management Console – the mc web application
• Self-Service – the ss web application
• Remote Self-Service – the rss web application
• Smart card unlock service – the credprovapi web application
• API – the api web application
• OpenID Connect server – the oidc web application
• Smart card monitoring service – the Card Monitor service
• Agent registration service – the agentregistrationapi web application
• Agent service for remote tasks – the agentserviceapi web application

info

Each service has its configuration files and access settings.

Install the server

Follow the instructions for the operating system of the workstation where you plan to install the Axidian CertiFlow server.

Windows

1. Run the AxidianCertiFlow.Server-<version number>.x64.en-us.msi file from the AxidianCertiFlow.WindowsServer catalog of the installation package.

2. Select the access control method: Windows Authentication, OpenID Connect Authenticatio, or Certificate Authentication.

   Windows

   c Windows Authentication, the following access control settings are configured automatically:

   • Authentication:
     • Windows Authentication is enabled for the mc, ss and api applications. Other methods are disabled.
     • Anonymous Authentication is enabled for the credprovapi, agentregistrationapi and agentserviceapi applications.
     • Anonymous Authentication and Forms Authentication are enabled for the rss application.
     • SSL Settings:
     • Require SSL is enabled for all web applications.
     • Client certificates:
       • Ignore for the mc, ss, rss, credprovapi, api and agentregistrationapi applications.
       • Require for the agentserviceapi application.

   OpenID Connect

   When you select OpenID Connect authentication, the following access control settings are configured automatically:

   • Authentication:
     • Anonymous Authentication is enabled for all web applications. Other methods are disabled.
     • Anonymous Authentication and Forms Authentication are enabled for the rss application.
   • SSL Settings:
     • Require SSL is enabled for all web applications.
     • Client certificates:
       • Ignore for the mc, ss, rss, credprovapi, api and agentregistrationapi applications.
       • Require for the agentserviceapi application.

   Certificate

   caution

   If the user catalog is confogured in Active Directory, the certificates used for authentication must contain a User Principal Name (UPN) attribute. Access to web applications is denied if the certificate does not contain a UPN attribute.

   When you select user personal certificate authentication, the following access control settings are configured automatically:

   • Authentication:
     • Anonymous Authentication is enabled for all web applications. Other methods are disabled.
     • Anonymous Authentication and Forms Authentication are enabled for the rss application.
   • SSL Settings:
     • Require SSL is enabled for all web applications.
     • Client certificates:
       • Ignore for the rss, credprovapi and agentregistrationapi applications.
       • Require for the mc, ss, api and agentserviceapi applications.

   After you install the Axidian CertiFlow server, you can edit the SSL Settings for each application in the Internet Information Services (IIS) Manager.

   caution

   Select the same authentication method when you configure access control for the Axidian CertiFlow web applications in the Configuration Wizard.

3. Issue an SSL/TLS certificate.

   SSL/TLS certificate requirements for IIS

   The certificate's Subject must contain the Common Name (CN) attribute (the FQDN of the Axidian CertiFlow server).

   The certificate's Subject Alternative Name (SAN) must contain the DNS Name attribute (the FQDN of the Axidian CertiFlow server). For example: server.domain.loc or a corresponding wildcard entry: *.domain.loc (Wildcard certificate).

   The certificate's Enhanced Key Usage (EKU) must contain the Server Authentication value.

4. Add the SSL/TLS certificate to the Default Web Site:

   1. Launch the Internet Information Services (IIS) Manager.
   2. Select the Default Web Site and navigate to Bindings....
   3. Click Add..., select Type: https and Port: 443.
   4. Select the SSL certificate: and click OK.

Linux

1. Install the server using the package manager from the Axidian CertiFlow installation package. Root privileges are required to use the package manager.

   Debian

   sudo dpkg -i certiflow.-<version number>_amd64.deb
   RHEL

   sudo rpm -i certiflow.-<version number>.x86_64.rpm

2. Install Windows TrueType fonts for the proper operation of the Remote Self-Service.

   Debian

   wget http://ftp.ru.debian.org/debian/pool/contrib/m/msttcorefonts/ttf-mscorefonts-installer_3.8.1_all.deb
   sudo dpkg -i ttf-mscorefonts-installer_3.8.1_all.deb
   fc-cache -f -v
   RHEL

   sudo yum install -y msttcore-fonts-installer
   fc-cache -f -v

3. Configure application management.

   During server installation, systemd service files are created for managing the applications. Systemd allows applications to be launch automatically when the Axidian CertiFlow server starts and keeps them running without user interaction.

   By default, systemd launches Axidian CertiFlow applications under the www-data user account.

   info

   In RHEL-based operating systems, the www-data user account does not exist by default. You can add the www-data account using the useradd tool, or replace the active user account in the certiflow-<service_name>.service files located in the /etc/systemd/system catalog.

   Example command to create a www-data user

   useradd -d /var/www -m www-data -s /sbin/nologin
   Example of a Management Console service file running under the non-standard user account

   [Unit]
   Description=Axidian CertiFlow Management Console Application
   
   [Service]
   WorkingDirectory=/opt/axidian/certiflow/mc/
   ExecStart=/opt/axidian/certiflow/mc/AxidianCertiFlow.Web.ManagementConsole
   Restart=always
   RestartSec=10
   KillSignal=SIGINT
   SyslogIdentifier=certiflow-mc
   User=certiflow_adm
   Environment=ASPNETCORE_URLS="http://localhost:5001"
   Environment=ASPNETCORE_ENVIRONMENT=Production
   Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false
   
   [Install]
   WantedBy=multi-user.target

   To enable automatic launch of the applications, execute the start-certiflow-services.sh script file from the Axidian CertiFlow installation package:

   chmod +x start-certiflow-services.sh
   sudo ./start-certiflow-services.sh
   caution

   To execute a script file, that file must have execute permissions. Root privileges are required to run the script.

4. For the applications to function correctly, configure the Axidian CertiFlow settings using the Configuration Wizard (recommended) or manually.

5. To securely access the server from other workstations, configure the web server. The instructions cover binding SSL/TLS certificates and configuring HTTPS connection.