Version: Axidian CertiFlow 7.2

Configuration Wizard

The Configuration Wizard automatically generates the configuration files for all Axidian CertiFlow services.

Install the Configuration Wizard and authenticate

The Configuration Wizard is a standalone component and is installed separately. Follow the instructions based on the operating system of the workstation where your Axidian CertiFlow server is installed.

  1. Run the AxidianCertiFlow.Wizard-<version number>.x64.en-us.msi file from the AxidianCertiFlow.WindowsServer folder of the Axidian CertiFlow installation package. The Configuration Wizard is installed to the C:\inetpub\wwwroot\certiflow\wizard folder.
  2. Obtain the authentication code: start the AxidianCertiFlow Wizard IIS application pool. The code is written to the wizard_authentication_code.txt file in the C:\inetpub\wwwroot\certiflow\wizard\logs folder. Anyone who can read this file can log in to the wizard, so keep access to the logs folder restricted to administrators.
  3. Open the wizard_authentication_code.txt file and copy the authentication code.
  4. Open a web browser and navigate to https://<Server FQDN>/certiflow/wizard.
  5. Enter the code in the Authentication code field and click Login.
info

If the authentication code is not generated, restart the IIS service.
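The steps above, scripted in PowerShell as an added example (this is not part of the Axidian documentation or product): it starts the wizard application pool, waits for the one-time code instead of assuming it is already there, and shows who can read the code file. It assumes the default pool name and paths given above and the IIS WebAdministration module.

```powershell
# Added example (not from the Axidian documentation): start the wizard pool and
# wait for the one-time authentication code. Default paths and pool name from this page.
Import-Module WebAdministration

$poolName = 'AxidianCertiFlow Wizard'
$codeFile = 'C:\inetpub\wwwroot\certiflow\wizard\logs\wizard_authentication_code.txt'

if ((Get-WebAppPoolState -Name $poolName).Value -ne 'Started') {
    Start-WebAppPool -Name $poolName
}

# The code is written after the pool comes up; poll with a timeout rather than assume.
$deadline = (Get-Date).AddSeconds(60)
while (-not (Test-Path -Path $codeFile) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 2
}

if (-not (Test-Path -Path $codeFile)) {
    # Same failure mode as the info note above: no code means IIS needs a restart.
    Write-Warning "No authentication code after 60 s; restart IIS (iisreset) and run this again."
    return
}

$code = (Get-Content -Path $codeFile -Raw).Trim()

# Anyone who can read this file can log in to the wizard: show the effective ACL.
(Get-Acl -Path $codeFile).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

"Authentication code: $code"
```

Paste the printed code into the Authentication code field at https://<Server FQDN>/certiflow/wizard; if the ACL shows more than administrators and SYSTEM, tighten it before leaving the wizard running.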

System features

In the Common features section, configure the settings for the Management Console and the Self-Service.

Event Log

Configure Event Log operation.

  1. Specify the attribute used to search for users in the event log. The default value is CN (Common Name).
  2. Select:
    • Use Windows Event Log to write events from one or more servers to Windows Event Log.
    • Use Log Server to write events from multiple Axidian CertiFlow servers to Windows Event Log, Syslog, or a Microsoft SQL or PostgreSQL database.
Use Windows Event Log

Events are recorded in Windows Event Log.

If multiple Axidian CertiFlow servers are deployed in your infrastructure, use the Axidian CertiFlow Event Log Proxy component to have all servers write events in Windows Event Log:

  1. Install and configure the Axidian CertiFlow Event Log Proxy.
    How to install the Axidian CertiFlow Event Log Proxy
  2. Activate the Enable Event Log Proxy option.
  3. Specify the connection URL for the Event Log Proxy (for example, https://server.domain.loc/certiflow/eventlogproxy).
  4. For Windows-based Axidian CertiFlow servers: Enter the credentials of an account with access rights to the unified event log (taken from the authorization section of the Event Log Proxy application's Web.config file).
    For Linux-based Axidian CertiFlow servers: In the Certificate Thumbprint field, specify the thumbprint of the client certificate presented by the Axidian CertiFlow server to connect to the Event Log Proxy (from the allowedCertificateThumbprints parameter in the Event Log Proxy application's appsettings.json file).
Use Log Server

If multiple Axidian CertiFlow servers are deployed in your infrastructure, use the Axidian Log Server application to have all servers write events to Windows Event Log, SysLog, Microsoft SQL, or PostgreSQL database.

  1. Install and configure the Axidian Log Server application.
    How to install the Axidian Log Server

  2. Specify the connection URL for the Axidian Log Server. For example:

    • https://server.domain.loc/ls/api for Windows servers
    • https://server.domain.loc/api for Linux servers

Certificate authorities

Configure integration with the Microsoft Enterprise Certificate Authority (CA).

AirCard Enterprise

Configure the integration with Axidian AirCard Enterprise:

  1. Activate the Enable integration with Axidian AirCard Enterprise option.
  2. Enter the connection URL for the AirCard Enterprise server (for example, https://aircard.domain.loc:3002). Make sure the specified port is open for incoming connections on the AirCard server.
  3. Specify the thumbprint of the client certificate that the Axidian CertiFlow server presents to the AirCard Enterprise server, so that the connection between the two servers is mutually authenticated.
  4. Set the lifetime (in seconds) for unregistered AirCard smart cards. After this period expires, the Card Monitor service automatically deletes unregistered AirCard smart cards. The default value is 120 seconds.

For more information, see the Axidian AirCard Enterprise documentation.

Client agent

Configure how the client agents operate.

  1. Install and configure the Axidian CertiFlow Agent.
    How to install the Axidian CertiFlow Agent

  2. Activate the Enable client agent option.

  3. Select how an agent is identified, on domain-joined and on non-domain workstations alike, when it registers in Axidian CertiFlow:

    • Not set. Default value.
    • Machine GUID. Use the workstation's MachineGuid value, read from the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography] registry key.
    • Generate new GUID. Select this option if multiple workstations share the same MachineGuid value (for example, machines deployed from one image).
    • Computer domain SID. Use the SID of the computer account in the domain.
    • Computer SID. Use the SID of the local computer. Select this option if the agent is installed on a non-domain workstation.
    Change the Agent ID generation strategy

    To change the agent ID generation strategy after the initial Axidian CertiFlow configuration:

    1. Stop the agentregistrationapi and agentserviceapi services on the Axidian CertiFlow server.
    2. Delete all client agents in the Agents section of the Management Console, or execute a database query against the Axidian CertiFlow database to remove registered agents and their sessions.
    3. Apply the changes in the Configuration Wizard and deploy the updated agentregistrationapi service configuration file to the Axidian CertiFlow server.
    4. Start the agentregistrationapi and agentserviceapi services.
  4. To enable agent registration without administrator approval, activate the Automatic agent registration option. After you install and configure the agent on a workstation, it appears in the Agents section of the Axidian CertiFlow Management Console with the Registered status.

  5. Upload the agent certificate: the root CA certificate for the agent services, together with its private key, in JSON format (agent_root_ca.json). Because the file contains a private key, handle it like any other CA key material and do not leave copies in shared locations.

  6. From the Level of agent's event log list, select which agent events are recorded in the event log: all events, only errors, or only warnings and errors.

  7. Fill in the Frequency of receiving data from server (sec) and Interval of repeated performance of task canceled by user (sec) fields.

  8. The HTTP request certificate header name is set by default. If Axidian CertiFlow is used with a load balancer, enable the Pass only certificate's Subject value in the HTTP request headers option to reduce traffic.

User catalog

Configure the connection to the Axidian CertiFlow user catalog. You can connect several user catalogs.

How to configure a user catalog

Click Add and select the user catalog type: Active Directory, Samba AD DC, or FreeIPA.

  1. Specify the credentials of an account with access rights to the user catalog: the name in the DOMAIN\UserName or UserName@DNSDomainName format and the password.
  2. Specify the domain's NetBIOS name.
  3. Specify the DNS name of the domain or the domain controller.
  4. Specify the path to the user container in Distinguished Name format. To work with all users, select the domain root.
  5. If you are using the LDAPS protocol to access the catalog, enable the Use LDAPS option.
  6. To display the user's photo in the Axidian CertiFlow interface or print it on a smart card, select the attribute that contains the user's photo.
  7. Click Save.
How to find the DNS name and NetBIOS name of a domain

Run the following commands in a Command Prompt (cmd.exe) on a domain-joined workstation:

  • set USERDNSDOMAIN to find the DNS domain name.
  • set USERDOMAIN to find the NetBIOS domain name.

You can configure a mapping between the Certificate Authority's attributes and the user attributes in the catalog.

If attribute mapping is configured, a new user can be registered in the Certificate Authority when issuing a card for that user in Axidian CertiFlow.

Tracked attributes

You can define a list of Active Directory user attributes whose value changes trigger an update of the certificates on the user's card.

You can only track changes for attributes from the Subject and Subject Alternative Name (SAN) certificate fields.

info

By default, Microsoft CA certificate template parameters track the Common Name, Email, and User Principal Name (UPN) attributes.

To track an attribute:

  1. Click Add.
  2. Specify the attribute name in the user catalog.
  3. Specify the display name for the attribute.
  4. Specify the X.500 name or OID of the attribute as it appears in the certificate (for example, CN or its OID 2.5.4.3 for the Common Name in the Subject). This value is used to locate the attribute within the certificate.
  5. Click Save.

Access control

Select the access control method for Axidian CertiFlow services:

  • Windows Authentication
    This method allows authentication using the user's Windows OS credentials and is used for Axidian CertiFlow installations on a domain workstation running Windows OS.

  • OpenID Connect Authentication
    This method allows authentication using the OpenID Connect server and is used for Axidian CertiFlow installations on either domain or non-domain workstations running Windows or Linux OS.
    Navigate to the OpenID Connect section and specify the connection parameters for the OpenID Connect server.

caution

Make sure you select the same authentication method during the Axidian CertiFlow server installation on Windows OS.

Role administrator

Specify the role administrator UPN.

The role administrator is the account that is granted permission to manage roles in Axidian CertiFlow. When you launch Axidian CertiFlow for the first time, you must log in to the Management Console with this account.

The designated account must have a User Principal Name (UPN) attribute and must exist in one of the connected user catalogs.
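An added pre-flight check in PowerShell for the User catalog and Role administrator sections above (example code, not Axidian's): it binds to the directory as the service account, using the same container DN and LDAPS choice you intend to enter in the wizard, and then verifies that the role administrator exists under that container and carries a UPN. The host dc01.domain.loc, the container DN, the service account DOMAIN\svc-certiflow and the UPN certiflow-admin@domain.loc are placeholders.

```powershell
# Added example (not from the Axidian documentation): verify the user catalog
# connection values and the role administrator account before entering them in the wizard.
# dc01.domain.loc, the container DN, the service account and the UPN are placeholders.
Add-Type -AssemblyName System.DirectoryServices

$dcFqdn       = 'dc01.domain.loc'
$containerDn  = 'OU=Users,DC=domain,DC=loc'
$serviceUser  = 'DOMAIN\svc-certiflow'
$roleAdminUpn = 'certiflow-admin@domain.loc'
$useLdaps     = $true

# Same values the cmd.exe 'set' commands on this page show.
"NetBIOS domain: $env:USERDOMAIN   DNS domain: $env:USERDNSDOMAIN"

# 1. Reachability of the directory port: 636 for LDAPS, 389 for plain LDAP.
$port = if ($useLdaps) { 636 } else { 389 }
if (-not (Test-NetConnection -ComputerName $dcFqdn -Port $port -InformationLevel Quiet)) {
    throw "Port $port on $dcFqdn is not reachable"
}

# 2. Bind as the service account to the exact container the wizard will use.
$password = Read-Host -AsSecureString -Prompt "Password for $serviceUser"
$plain    = [System.Net.NetworkCredential]::new('', $password).Password
$pathFmt  = if ($useLdaps) { 'LDAP://{0}:636/{1}' } else { 'LDAP://{0}/{1}' }
$authType = [System.DirectoryServices.AuthenticationTypes]::Secure
if ($useLdaps) {
    $authType = $authType -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
}
$root = [System.DirectoryServices.DirectoryEntry]::new(($pathFmt -f $dcFqdn, $containerDn), $serviceUser, $plain, $authType)
$root.RefreshCache()   # forces the bind; throws on bad credentials, bad DN or TLS failure
"Bound to $($root.distinguishedName)"

# 3. The role administrator must live under that container and have a UPN.
$filter   = "(&(objectClass=user)(userPrincipalName=$roleAdminUpn))"
$searcher = [System.DirectoryServices.DirectorySearcher]::new($root, $filter)
$searcher.PropertiesToLoad.AddRange([string[]]@('userPrincipalName', 'distinguishedName', 'userAccountControl'))
$hit = $searcher.FindOne()
if (-not $hit) { throw "No user with UPN $roleAdminUpn found under $containerDn" }

$uac = [int]$hit.Properties['useraccountcontrol'][0]
if ($uac -band 0x2) { Write-Warning "$roleAdminUpn is disabled (userAccountControl ACCOUNTDISABLE)" }
"Role administrator: $($hit.Properties['distinguishedname'][0])"
```

AuthenticationTypes.Secure uses Negotiate (Kerberos or NTLM) rather than a simple bind, so the service account password is not sent in the clear even on port 389; LDAPS additionally protects the directory data and lets you catch certificate problems here rather than in the wizard.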

Database

Configure the connection to the data storage.

How to create a data storage

  1. Select the data storage type based on the environment where Axidian CertiFlow is deployed:
    • Microsoft SQL
    • PostgreSQL
  2. Configure the connection to the database. Enter the server name, instance name (for Microsoft SQL), port number, and database name.
  3. Select the authentication method for connecting to the database server:
    • Microsoft SQL: Windows Authentication or SQL Server Authentication. For SQL Server Authentication, enter the username and password.
    • PostgreSQL: Enter the username and password.
  4. (Optional) Configure additional parameters:
    • Minimum pool size
    • Maximum pool size
    • Connection timeout
    • Connection lifetime
    • Number of connection retries
    • Connection retry interval

Encryption Key

Axidian CertiFlow data is stored and transmitted in encrypted form. From the dropdown list, select an encryption algorithm and click Generate. Save a backup copy of the encryption key.

Card Monitor service

Configure the Card Monitor service settings to monitor card usage.

More about the Card Monitor service

The Card Monitor service is automatically installed with the Axidian CertiFlow server and performs the following operations:

  • Revokes and withdraws cards that belong to users whose accounts have been deleted from the user catalog
  • Revokes temporary cards whose validity period has expired
  • Disables cards that belong to users whose accounts have been disabled
  • Treats disabled user accounts that match the configured filter as removed from the user catalog
  • Sets or resets the card content status
  • Logs the Agent connection lost event in the event log
  • Deletes inactive agents
  • Sends email notifications to administrators and users
  1. Specify the account for the Card Monitor service in the DOMAIN\UserName or UserName@DNSDomainName format. This account must meet the following requirements:
    • Be a member of the Axidian CertiFlow user catalog.
    • Belong to the Administrators group on the Axidian CertiFlow server.
    • Have the Log on as a batch job user right on the Axidian CertiFlow server (assigned through the local security policy or Group Policy).
  2. Configure the Card Monitor service startup time.
  3. In the Manage users section, you can configure the following settings:
    • Disable cards assigned to users with disabled accounts. Card Monitor disables cards that belong to users whose accounts have been disabled in the user catalog. If the Revoke certificate when card is revoked or disabled option is enabled in the Microsoft CA certificate template parameters, the validity of certificates stored on the devices is suspended and the certificates are revoked in the CA.
    • Set filter to treat disabled users as removed. Disabled user accounts that meet the filter condition are considered deleted from the user catalog. Cards that belong to deleted users are revoked.
      Specify the user attribute and its value, for example the DistinguishedName attribute with the value OU=Fired users,DC=domain,DC=loc.
    • Withdraw cards from removed users. Cards that belong to deleted users are withdrawn.
  4. In the Agent Operations section, you can configure the following settings:
    • Log an event if agent is inactive for (min). If an agent loses communication with the server, Card Monitor logs this event in the system log after the specified time has elapsed.
    • Remove agent if inactive for (days). If an agent loses communication with the server, Card Monitor deletes the agent from the database after the specified time has elapsed.
info

Create a separate service role for the Card Monitor service.
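Added example (not from the Axidian documentation): a PowerShell pre-flight check, run as an administrator on the Axidian CertiFlow server, that verifies the three account requirements from step 1 before the deploy script asks for this account's password, and warns if the account is over-privileged. DOMAIN\svc-cardmonitor is a placeholder; the script needs Windows PowerShell 5.1 for Get-LocalGroupMember.

```powershell
# Added example (not from the Axidian documentation): check the Card Monitor
# service account against the requirements listed above. DOMAIN\svc-cardmonitor is a placeholder.
$account = 'DOMAIN\svc-cardmonitor'

# Requirement 1: the account resolves in the directory (throws if it does not exist).
$sid = ([System.Security.Principal.NTAccount]$account).Translate([System.Security.Principal.SecurityIdentifier]).Value
"SID: $sid"

# Requirement 2: membership of the local Administrators group on this server.
$admins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
$isAdmin = [bool]($admins | Where-Object { $_.SID.Value -eq $sid })
"Member of local Administrators: $isAdmin"

# Requirement 3: the 'Log on as a batch job' right (SeBatchLogonRight), either granted
# directly or inherited through BUILTIN\Administrators (S-1-5-32-544). secedit exports the
# effective local policy, including anything pushed by Group Policy.
$cfg = Join-Path $env:TEMP 'certiflow-secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeBatchLogonRight' }
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
$grantees = @()
if ($line) {
    $grantees = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}
$hasBatch = ($grantees -contains $sid) -or ($isAdmin -and ($grantees -contains 'S-1-5-32-544'))
"Log on as a batch job: $hasBatch"

# Least privilege: a service account that is also a Domain Admin is a needless risk.
try {
    $memberOf = ([ADSI]"LDAP://<SID=$sid>").memberOf -join ';'
    if ($memberOf -match 'CN=Domain Admins,') {
        Write-Warning "$account is a member of Domain Admins; use a dedicated service account instead"
    }
} catch {
    Write-Warning "Could not read group membership for ${account}: $($_.Exception.Message)"
}

if (-not ($isAdmin -and $hasBatch)) {
    throw "$account does not meet the Card Monitor service account requirements"
}
"OK: $account meets the requirements"
```

The memberOf check only sees direct group membership; nested membership of Domain Admins would need a recursive lookup, which is deliberately left out here to keep the check self-contained.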

Confirmation

  1. Review the settings in all sections of the Configuration Wizard.
  2. Click Apply.

All configured parameters are written to the application configuration files and saved to the following folders:

  • C:\inetpub\wwwroot\certiflow\wizard\configs for Windows OS
  • /opt/axidian/certiflow/wizard/configs/ for Linux OS

Apply the configuration files to the Axidian CertiFlow server.

Results

Click Download configuration files to export the files.

If you are installing Axidian CertiFlow for the first time, save a copy of the configured parameters: click the Backup current configuration settings option and set a password for the file.

The backup copy contains all parameters defined during installation for all services, as well as the database encryption algorithm and key. Store the backup file in a secure location.

Restore configuration

You can restore Axidian CertiFlow configuration settings from a backup in the following scenarios:

  • Upgrading the Axidian CertiFlow server.
  • Migrating the server to a new workstation.
  • Installing additional servers.

To restore the configuration from a file:

  1. Go to the Restore configuration section of the Configuration Wizard.
  2. Click Restore configuration settings from backup.
  3. Upload the backup file.
  4. If the backup file was encrypted, enter the password.

Apply the configuration files on the Axidian CertiFlow server

Apply the configuration files generated by the Configuration Wizard to the Axidian CertiFlow server.

  1. Open PowerShell as an administrator.

  2. Change to the C:\inetpub\wwwroot\certiflow\wizard\configs folder.

  3. Run the deploy_configuration.ps1 script.

    .\deploy_configuration.ps1
  4. When the script prompts for it, enter the password of the account that runs the Card Monitor service.

tip

It is recommended to specify the same local account for all Axidian CertiFlow web applications.

The configuration files for all Axidian CertiFlow services are located in the IIS web applications root folder at %SystemDrive%\inetpub\wwwroot\certiflow. The configuration files for the Card Monitor service are located in the %ProgramFiles%\Axidian CertiFlow\CardMonitor folder.

Encrypt/decrypt the configuration files

It is recommended to encrypt the Axidian CertiFlow configuration files with the Certiflow.Config.DataProtector tool. The tool uses AES with an effective key length of 256 bits. The encryption key is stored on the Axidian CertiFlow server.

The encryption key is located at:

  • Windows OS: C:\ProgramData\Axidian\certiflow\keys
  • Linux OS: /etc/axidian/certiflow/keys
caution

Create a backup copy of the encryption key to restore access to encrypted data in case the primary key is lost or corrupted. You can store the key copy alongside the Axidian CertiFlow configuration backup file.

Encryption

  1. Open the Misc\dataprotector folder in the Axidian CertiFlow installation package.
  2. Launch PowerShell as an administrator.
  3. Execute one of the following commands:
  • To encrypt all configuration files located in the standard folders (C:\inetpub\wwwroot\<component name>\appsettings.json):

    .\Certiflow.Config.DataProtector.exe protect
  • To encrypt the configuration file of one component:

    .\Certiflow.Config.DataProtector.exe protect --app <component name>
    Example
    .\Certiflow.Config.DataProtector.exe protect --app ManagementConsole
  • To encrypt a configuration file located outside the standard folders:

    .\Certiflow.Config.DataProtector.exe protect --app <component name> --file "<path to appsettings.json>"
    Example
    .\Certiflow.Config.DataProtector.exe protect --app CardMonitor --file "C:\Program Files\Axidian CertiFlow\CardMonitor\appsettings.json"

Decryption

  1. Open the Misc\dataprotector folder in the Axidian CertiFlow installation package.
  2. Launch PowerShell as an administrator.
  3. Execute one of the following commands:
  • To decrypt all configuration files located in the standard folders (C:\inetpub\wwwroot\<component name>\appsettings.json):

    .\Certiflow.Config.DataProtector.exe unprotect
  • To decrypt the configuration file of one component:

    .\Certiflow.Config.DataProtector.exe unprotect --app <component name>
    Example
    .\Certiflow.Config.DataProtector.exe unprotect --app ManagementConsole
  • To decrypt a configuration file located outside the standard folders:

    .\Certiflow.Config.DataProtector.exe unprotect --app <component name> --file "<path to appsettings.json>"
    Example
    .\Certiflow.Config.DataProtector.exe unprotect --app CardMonitor --file "C:\Program Files\Axidian CertiFlow\CardMonitor\appsettings.json"
```
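The encryption procedure above, wrapped in a PowerShell script as an added example (not part of the Axidian documentation or tooling) that covers the two things the bare commands do not: it proves that each appsettings.json was actually rewritten by the tool, and it backs up the data-protection key as the caution above asks. It assumes the default paths on this page; the package folder D:\Install\AxidianCertiFlow and the backup folder D:\CertiFlowBackup are placeholders.

```powershell
# Added example (not from the Axidian documentation): encrypt the deployed configuration
# files with Certiflow.Config.DataProtector, verify each target changed, back up the key.
# Default paths from this page; the package folder and D:\CertiFlowBackup are placeholders.
$toolDir     = 'D:\Install\AxidianCertiFlow\Misc\dataprotector'
$cardMonitor = Join-Path $env:ProgramFiles 'Axidian CertiFlow\CardMonitor\appsettings.json'
$keysDir     = 'C:\ProgramData\Axidian\certiflow\keys'
$backupDir   = 'D:\CertiFlowBackup'

# Every appsettings.json under the IIS root except the wizard's own, plus the Card Monitor file.
$targets = @(Get-ChildItem -Path 'C:\inetpub\wwwroot' -Recurse -Filter appsettings.json |
    Where-Object { $_.FullName -notlike '*\wizard\*' } |
    Select-Object -ExpandProperty FullName)
if (Test-Path -Path $cardMonitor) { $targets += $cardMonitor }

# SHA-256 before encryption: an unchanged hash afterwards means the tool did not touch the file.
$before = @{}
foreach ($f in $targets) { $before[$f] = (Get-FileHash -Path $f -Algorithm SHA256).Hash }

Push-Location -Path $toolDir
try {
    # Standard folders in one pass.
    & .\Certiflow.Config.DataProtector.exe protect
    if ($LASTEXITCODE -ne 0) { throw "protect failed with exit code $LASTEXITCODE" }

    # Card Monitor lives outside the standard folders and needs --app and --file.
    if (Test-Path -Path $cardMonitor) {
        & .\Certiflow.Config.DataProtector.exe protect --app CardMonitor --file $cardMonitor
        if ($LASTEXITCODE -ne 0) { throw "protect --app CardMonitor failed with exit code $LASTEXITCODE" }
    }
}
finally { Pop-Location }

foreach ($f in $targets) {
    $after = (Get-FileHash -Path $f -Algorithm SHA256).Hash
    if ($after -eq $before[$f]) {
        Write-Warning "Unchanged, so probably still plaintext: $f (encrypt it with --app <component> --file)"
    } else {
        "Encrypted: $f"
    }
}

# Back up the key: without it the encrypted files cannot be read on a rebuilt server.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$archive = Join-Path $backupDir ('certiflow-keys-{0:yyyyMMdd-HHmmss}.zip' -f (Get-Date))
Compress-Archive -Path (Join-Path $keysDir '*') -DestinationPath $archive

# Compress-Archive cannot password-protect the archive, so limit it to Administrators and SYSTEM.
$acl = Get-Acl -Path $archive
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($id, 'FullControl', 'Allow'))
}
Set-Acl -Path $archive -AclObject $acl
"Key backup: $archive"
```

Move the key archive off the server together with the password-protected wizard backup; keeping the only copy of the key on the same disk as the encrypted files defeats the purpose of the backup.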

Deactivate the Configuration Wizard

For security reasons, it is recommended to disable the Axidian CertiFlow Configuration Wizard web application after you complete the configuration process.

  1. Open the Internet Information Services (IIS) Manager.
  2. In the Connections pane, select Application Pools.
  3. From the Application Pools list, choose AxidianCertiFlow Wizard.
  4. In the Actions menu, select Stop.
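The same deactivation from PowerShell, as an added example (not part of the Axidian documentation): besides stopping the pool it clears the pool's autoStart flag so the wizard does not come back after an IIS or server restart, and it deals with the wizard's working files, which still hold the login code and the generated configuration files (including the database encryption key) after the pool is stopped. Paths and the pool name are the defaults on this page; that a fresh code is written when the pool is next started is an assumption drawn from the install steps.

```powershell
# Added example (not from the Axidian documentation): stop the wizard pool, prevent
# it from auto-starting, and clean up what the wizard leaves on disk. Default paths from this page.
Import-Module WebAdministration

$poolName   = 'AxidianCertiFlow Wizard'
$wizardRoot = 'C:\inetpub\wwwroot\certiflow\wizard'

# Stop the pool and keep it from starting again when IIS or the server restarts.
if ((Get-WebAppPoolState -Name $poolName).Value -ne 'Stopped') {
    Stop-WebAppPool -Name $poolName
}
Set-ItemProperty -Path "IIS:\AppPools\$poolName" -Name autoStart -Value $false
$pool = Get-Item -Path "IIS:\AppPools\$poolName"
"State: $((Get-WebAppPoolState -Name $poolName).Value); autoStart: $($pool.autoStart)"

# The wizard's working files outlive the pool: the login code and the generated
# configuration files, which include the database encryption key (see Results above).
$codeFile   = Join-Path $wizardRoot 'logs\wizard_authentication_code.txt'
$configsDir = Join-Path $wizardRoot 'configs'

if (Test-Path -Path $codeFile) {
    # Assumption: the wizard writes a new code when the pool is next started, as the
    # install steps describe, so the old one is only a liability.
    Remove-Item -Path $codeFile -Force
    "Removed $codeFile"
}

if (Test-Path -Path $configsDir) {
    "Generated configuration files still on disk (deployed and backed up already?):"
    Get-ChildItem -Path $configsDir -Recurse -File | Select-Object FullName, LastWriteTime
    "Who can read them:"
    (Get-Acl -Path $configsDir).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}
```

Once the files listed under configs have been applied with deploy_configuration.ps1 and captured in the password-protected backup, there is no reason to keep plaintext copies in the web root; remove them or restrict the folder to administrators.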