Title CLIQ Remote Server Installation Instructions
Category
CLIQ/Web manager Type
Description Author Document number Revision Date Page (of)
ASSA ABLOY Shared Tech ST-001245 7.0 2017-02-22 1 (20)
ASSA ABLOY AB (Shared Technologies)
ASSA ABLOY
CLIQ Remote Server Installation Instructions
Table of Contents
1 Introduction
  1.1 Purpose
  1.2 Scope
  1.3 Definitions and Abbreviations
  1.4 References
2 CLIQ Web Manager and CLIQ Remote Overview
3 Prerequisites
  3.1 Application Ports
    3.1.1 Ports for Tomcat and Apache connection
    3.1.2 Port for proxy for a certificate revocation list access
  3.2 Firewall Configuration
  3.3 TLS Server Certificate
4 CLIQ Remote Database
  4.1 Install Microsoft SQL Server
5 Admin PC
6 CLIQ Remote Server
  6.1 Preparing to Install
    6.1.1 Digital Content Server Integration
    6.1.2 Web Server TLS Configuration
    6.1.3 Database Configuration
    6.1.4 Multiple DNS names for the CLIQ Web Manager Enrolment
    6.1.5 Create Windows accounts for CLIQ Web Manager services
    6.1.6 SQL Server Windows Authentication
    6.1.7 Database permissions
  6.2 Run the CLIQ Remote installer
  6.3 Verify the Installation
7 Time Synchronization of the servers
Appendix A Mail server configuration using SMTPS
1 Introduction
1.1 Purpose
This document describes the installation procedure for the CLIQ Remote environment.
1.2 Scope
This document provides instructions for setting up a new installation of the CLIQ Remote
environment. The instructions should not be used to upgrade an existing CLIQ Remote
installation.
Third-party software/hardware and infrastructure configuration might be mentioned but
will not be fully covered in this guide. Refer to the third-party documentation for details.
Installation of the CLIQ Web Manager environment is described in the document [1] CLIQ
Web Manager Server Installation Instructions and is out of scope for this document.
1.3 Definitions and Abbreviations
Expression Description
Apache HTTP Server A widely used Open Source web server.
[CLIQ Server] The path to your CLIQ Remote installation and configuration,
e.g. “C:\Program Files\CLIQ Web Manager”.
[DELIVERY_PACKAGE] The path to the unzipped delivery package, e.g.
“C:\installation-7.0”.
CA Certification Authority, an entity which issues digital
certificates for use by other parties. There are many
commercial CAs that charge for their services. There are also
several providers issuing digital certificates to the public at no
cost. Institutions and governments may have their own CAs.
C-key Programming key
Master C-key Master programming key
Local PD Programming device connected to computers which access
CLIQ Web Manager. Used for login and programming keys.
Wall PD A programming device that is used to program keys. Wall PDs
are mounted on walls and connected to the remote server via
a wired network. The Wall PD enables programming of keys at
a location remote from the administrators who are issuing key
authorisations using CLIQ Web Manager.
Mobile PD Similar to the Wall PD with the difference that it can connect
to the remote server via a mobile network.
NTP Network Time Protocol
Remote PD A generic term for Wall PDs and Mobile PDs.
.war file An archive file holding a web application. The CLIQ Web
Manager and CLIQ Remote web applications are delivered as
.war files.
Microsoft SQL Server Management Studio
Microsoft SQL Server Management Studio is an SQL tool for
administering the Microsoft SQL Server database.
DCS Digital Content Server. Server hosted by ASSA ABLOY
managing digital content and issuing certificates.
Enrolment Application Application handling certificate signing requests. Installed on
the Remote Server. If Remote Service is not used, installed on
Manager Server.
CLIQ Connect CLIQ Connect is a PC Client used to communicate with the
local PD from the CWM web interface and also mobile phone
apps to update keys.
1.4 References
Reference Document
[1] ST-001267-CLIQ Web Manager Server Installation Instructions
[2] ST-001195-CLIQ Web Manager and CLIQ Remote System
Requirements
[3] ST-001861-DCS integrated with CLIQ
[4] ST-001228-CLIQ Web Manager and CLIQ Remote
Troubleshooting Guide
2 CLIQ Web Manager and CLIQ Remote Overview
The picture below outlines the main components in a typical setup of CLIQ Web Manager
with CLIQ Remote.
Installation of the CLIQ Web Manager environment is described in the document [1] CLIQ
Web Manager Server Installation Instructions.
This document covers the installation and/or configuration of the following:
CLIQ Remote Database
o Microsoft SQL Server handling the database
Admin PC
o SQL Server Management Studio populating the database
CLIQ Remote Server
o Apache HTTP Server handling TLS connections acting as a proxy for
Tomcat Application Server
o Tomcat Server running the web application
o CLIQ Web Manager web application configuration
o DCS integration and Enrolment application
3 Prerequisites
Before starting the installation of CLIQ Remote, make sure that you have the required
hardware and software available, see the [2] CLIQ Web Manager and CLIQ Remote
System Requirements document for more information.
Local administration privileges are required to complete the installation successfully.
The installation procedure assumes that the nodes in the environment have their OS
installed and configured and are set up in a network that enables communication between
the nodes according to the figure in the CLIQ Web Manager and CLIQ Remote overview
above.
CLIQ Remote requires several network ports to be available in the operating system. The
section Application Ports lists the network ports used by the application.
3.1 Application Ports
The ports occupied by the application, depending on product selection, are listed in
the table below.
DCS integration   Occupied ports and purpose
Not enabled       80 TCP    default web traffic
                  443 TCP   CLIQ Web Manager Server and CLIQ Connect PC traffic
                  8009 TCP  Tomcat and Apache connection
                  8081 TCP  proxy for a certificate revocation list access
Enabled           80 TCP    default web traffic
                  443 TCP   CLIQ Web Manager Server and CLIQ Connect PC traffic
                  8009 TCP  Tomcat and Apache connection
                  8010 TCP  Tomcat and Apache connection
                  8081 TCP  proxy for a certificate revocation list access
                  8443 TCP  CLIQ Web Manager Enrolment traffic
Ports 80, 443 and 8443 cannot be changed. The remaining ports can be changed after
the CLIQ Remote installation is completed. After the port configuration is updated, the
CLIQ Remote and Apache Windows services must be restarted.
3.1.1 Ports for Tomcat and Apache connection
When CLIQ Remote is installed without DCS integration, all traffic between Tomcat and
Apache is handled by port 8009. Changing port 8009 requires the following configuration
update:
In the file <installation_directory>\apache\conf\extra\proxy-ajp.conf find the lines:
ProxyPass /CLIQRemote ajp://127.0.0.1:8009/CLIQRemote retry=2
ProxyPassReverse /CLIQRemote ajp://127.0.0.1:8009/CLIQRemote retry=2
In the file <installation_directory>\tomcat\conf\server.xml find the following lines:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="org.apache.coyote.ajp.AjpNioProtocol" redirectPort="8443"
address="127.0.0.1"/>
In both files change all occurrences of 8009 to the desired port number.
When CLIQ Remote is installed with DCS integration, part of the traffic between Tomcat and
Apache is handled by port 8010 as well. Changing port 8010 requires the following
configuration update:
In the file <installation_directory>\apache\conf\extra\proxy-ajp.conf find the lines:
ProxyPass /CLIQWebManagerEnrolment ajp://127.0.0.1:8010/CLIQWebManagerEnrolment retry=2
ProxyPassReverse /CLIQWebManagerEnrolment ajp://127.0.0.1:8010/CLIQWebManagerEnrolment retry=2
In the file <installation_directory>\tomcat\conf\server.xml find the following line:
<Connector port="8010" protocol="org.apache.coyote.ajp.AjpNioProtocol" redirectPort="8443"
address="127.0.0.1" />
In both files change all occurrences of 8010 to a desired port number.
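The cross-check below is an added example, not part of the vendor document: it parses the content of proxy-ajp.conf and server.xml and reports AJP ports that no longer match after a port change, as well as AJP connectors that are not bound to loopback. The function names and the embedded sample files are constructed for illustration from the lines quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, modelled on the lines quoted in section 3.1.1.
PROXY_AJP_CONF = """\
ProxyPass /CLIQRemote ajp://127.0.0.1:8009/CLIQRemote retry=2
ProxyPassReverse /CLIQRemote ajp://127.0.0.1:8009/CLIQRemote retry=2
ProxyPass /CLIQWebManagerEnrolment ajp://127.0.0.1:8010/CLIQWebManagerEnrolment retry=2
ProxyPassReverse /CLIQWebManagerEnrolment ajp://127.0.0.1:8010/CLIQWebManagerEnrolment retry=2
"""

SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="org.apache.coyote.ajp.AjpNioProtocol"
               redirectPort="8443" address="127.0.0.1"/>
    <Connector port="8010" protocol="org.apache.coyote.ajp.AjpNioProtocol"
               redirectPort="8443" address="127.0.0.1" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Matches IPv4 or hostname targets only; commented-out lines ('#') do not match.
AJP_LINE = re.compile(
    r"^\s*(ProxyPass(?:Reverse)?)\s+(\S+)\s+ajp://([^:/\s]+):(\d+)", re.IGNORECASE)


def apache_ajp_targets(conf_text):
    """Map each proxied path to {directive: (host, port)} for ajp:// targets."""
    targets = {}
    for line in conf_text.splitlines():
        match = AJP_LINE.match(line)
        if match:
            directive, path, host, port = match.groups()
            targets.setdefault(path, {})[directive.lower()] = (host, int(port))
    return targets


def tomcat_ajp_connectors(server_xml_text):
    """Map each AJP <Connector> port to its bind address (None if not set)."""
    connectors = {}
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if "ajp" in conn.get("protocol", "").lower():
            connectors[int(conn.get("port"))] = conn.get("address")
    return connectors


def check_ajp_consistency(conf_text, server_xml_text):
    """Return a list of findings; an empty list means both files agree."""
    findings = []
    targets = apache_ajp_targets(conf_text)
    connectors = tomcat_ajp_connectors(server_xml_text)
    used_ports = set()
    for path, directives in sorted(targets.items()):
        fwd = directives.get("proxypass")
        rev = directives.get("proxypassreverse")
        if fwd and rev and fwd != rev:
            findings.append(f"{path}: ProxyPass and ProxyPassReverse point to "
                            f"different targets ({fwd} vs {rev})")
        for host, port in sorted({t for t in (fwd, rev) if t}):
            used_ports.add(port)
            if port not in connectors:
                findings.append(f"{path}: Apache targets AJP port {port} but "
                                f"server.xml has no AJP Connector on that port")
            if host not in LOOPBACK:
                findings.append(f"{path}: AJP target host {host} is not loopback")
    for port, address in sorted(connectors.items()):
        # A missing address attribute is reported as well: the listener is then
        # not pinned to loopback by this file.
        if address not in LOOPBACK:
            findings.append(f"Connector {port}: address is {address!r}, "
                            f"not restricted to loopback")
        if port not in used_ports:
            findings.append(f"Connector {port}: no ProxyPass line targets this port")
    return findings


if __name__ == "__main__":
    # Simulate a port change applied to proxy-ajp.conf only.
    half_edited = PROXY_AJP_CONF.replace(":8009/", ":9009/")
    for finding in check_ajp_consistency(half_edited, SERVER_XML):
        print(finding)
```

Run it against the real files by reading their content into the two arguments of check_ajp_consistency before restarting the services.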
3.1.2 Port for proxy for a certificate revocation list access
Port 8081 is used by the proxy for certificate revocation list access. Changing that port
requires the following configuration update:
In the file <installation_directory>\apache\conf\extra\httpd-ssl.conf find the lines:
# URLs to fetch the CRL files from:
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ABLOY_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_Australia_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_China_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_Hong_Kong_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_India_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_Japan_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_New_Zealand_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_Singapore_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_IKON_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Medeco_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Mul-T-Lock_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Ruko_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Shared_Technologies_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_TrioVing_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Tesa_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Keso_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Sargent_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Corbin_Russwin_CA.txt
Listen localhost:8081
In the file <installation_directory>\apache\conf\extra\proxy-ajp.conf find the lines:
<VirtualHost *:8081>
ProxyPass /dcs http://dcscrl.assaabloy.net/
</VirtualHost>
In both files change all occurrences of 8081 to a desired port number.
3.2 Firewall Configuration
The default port for database connection in Microsoft SQL Server is 1433 and the default
port for HTTPS in the web server is 443. Below we assume that you are using these
ports.
Ensure that firewall configuration allows TCP traffic on port 1433, between the Microsoft
SQL Server database and the CLIQ Remote server, and also between Microsoft SQL
Server database and Microsoft SQL Server Management Studio. This is essential for CLIQ
Remote to connect to the Microsoft SQL Server database and to administrate the
database using Microsoft SQL Server Management Studio.
Ensure that firewall configuration allows TCP traffic on port 443 from Remote PDs and the
CLIQ Web Manager server to the CLIQ Remote server. This allows Remote PDs and CLIQ
Web Manager to communicate with CLIQ Remote using the HTTPS protocol.
The Enrolment application will be available for user clients on port 8443. Ensure that this
port can be reached for the clients that will generate their certificate if DCS integration is
enabled.
DCS
Integration
Port to open for traffic on the CLIQ Remote server
443 TCP incoming from CWM
443 TCP incoming from remote PDs and CLIQ Connect
80 TCP outgoing to the internet (or another port if you use a proxy to connect to the internet)
443 TCP incoming from CWM
443 TCP incoming from remote PDs and CLIQ Connect
443 TCP incoming from remote PDs to access the enrolment application when performing
certificate enrolment (assuming that the Plug&Play feature is enabled for the particular device)
8443 TCP incoming for user clients to access the enrolment application
3.3 TLS Server Certificate
The TLS server certificate used by CLIQ Web Manager Enrolment application has to be
issued by a certificate authority (CA) that is trusted by the client web browsers;
otherwise the web browsers cannot authenticate the server. The users will then be
informed by a security warning that the server cannot be trusted.
For this reason it is highly recommended to get this certificate issued by a CA that is
trusted by default by the supported web browsers to avoid configuration at each client.
Examples of such CAs are VeriSign, Comodo and RapidSSL and the product name for this
type of certificate is usually “TLS certificate” or “SSL certificate”.
As the certificate must be issued to the correct server host, e.g.
“cwmenrolment.mycompany.com”, it is only possible to order this certificate from a CA if
you are the legitimate owner of the domain used, in this example “mycompany.com”.
Because web browsers will stop supporting SHA-1 certificates, it is highly recommended
to use certificates with a SHA-2 signature algorithm.
Contact the CA of your choice for instructions on how to purchase a TLS server
certificate. The TLS server certificate is required when installing and configuring the CLIQ
Remote server if using DCS integration.
4 CLIQ Remote Database
This chapter describes the steps to install and configure the software for the CLIQ
Remote Database server.
4.1 Install Microsoft SQL Server
1. Install Microsoft SQL Server according to the instructions provided by
Microsoft.
For security reasons, it is highly recommended to select low privilege
accounts for SQL services during the installation. Required service
permissions for each service can be found in Microsoft SQL Server
documentation.
For security reasons it is also recommended to select Windows Authentication
mode, which enables Windows Authentication and disables SQL Server
Authentication, i.e. disables the built-in SQL Server system administrator
account (sa account).
The collation should be case insensitive.
2. Install the latest Microsoft SQL Server service pack available from Microsoft.
3. Use the SQL Server Configuration Manager to enable the TCP protocol at
port 1433 for both the database server instance configuration and the client
configuration. Disable other protocols.
4. Connect to the SQL Server instance using SQL Server Management Studio
and:
a. Create a new database for CLIQ Remote with a name of your choice.
This name will be referred to as [CLIQRemoteDB] below.
If SQL Server Windows Authentication will be used to connect to
[CLIQRemoteDB], skip the remaining steps and continue with the chapter
SQL Server Windows Authentication. Windows authentication is the
recommended connection method.
b. Create a login that the CLIQ Remote web application will use to log in to
the database server. The login can use either Windows
Authentication or SQL Server authentication; Windows authentication
is recommended. The password must not contain any special
characters.
c. To restrict the SQL login permissions, follow the instructions in
the chapter Database permissions.
5 Admin PC
This chapter describes the steps to install and configure the software for the Admin PC.
The Admin PC is used to run SQL scripts to create and edit the CLIQ Remote database.
1. Install the SQL Server Management Studio that is provided with the Microsoft SQL
Server installation media.
2. Run SQL Server Management Studio and open a connection to the CLIQ Remote
database. The SQL Server login used must have at least the db_owner role in the
CLIQ Remote database.
3. Open and execute each of the SQL scripts located in the folder
[Delivery Package]\cliq_remote\update_scripts\ in the order specified below:
a. Create_database_version-1.6.sql *
b. Prepare_database-1.6.sql *
c. Upgrade_from_1.6_to_2.0.sql
d. Upgrade_from_2.0_to_2.2.sql
e. Upgrade_from_2.2_to_2.5.sql
f. Upgrade_from_2.5_to_2.6.sql
g. Upgrade_from_2.6_to_2.9.sql
h. Upgrade_from_2.9_to_2.10.sql
i. Upgrade_from_2.10_to_2.11.sql
j. Upgrade_from_2.11_to_4.0.sql
k. Upgrade_from_4.0_to_5.0.sql
* Some manual editing of this file is required! Follow the instructions in the file. Also note
that the script will NOT work if you have more than one connection to the database when
you execute it. For example, each query window in the “Microsoft SQL Server
Management Studio” has its own connection to the database, so make sure you only
have one query window open. If you still cannot run the script (the script “hangs”), and
think that you might still have multiple connections to your database, you can try to
close any extra connections before executing the script, by executing the statement:
USE master;
GO
ALTER DATABASE <db-name> SET SINGLE_USER WITH ROLLBACK IMMEDIATE
GO
If you do that, you must also revert the operation by executing the following statement
after the scripts are executed:
USE master;
GO
ALTER DATABASE <db-name> SET MULTI_USER
GO
6 CLIQ Remote Server
This chapter describes the steps to install and configure the software for the CLIQ
Remote server.
6.1 Preparing to Install
Before you start the installer, please go through the following. This may help in
understanding the setup.
6.1.1 Digital Content Server Integration
Digital Content Server (DCS) is hosted by ASSA ABLOY AB and it manages and delivers
digital content (certificates, etc.) to the customers securely. You can opt for enabling
enrolment of C-key certificates and other services from the DCS during installation. DCS
is integrated by installing the CLIQ Web Manager Enrolment Application.
6.1.2 Web Server TLS Configuration
The TLS server certificate used by the CLIQ Web Manager Enrolment application must be
purchased from a commonly trusted Certificate Authority of your choice. The other
certificates used by CLIQ Remote are included in the certificate bundle that is provided to you
by your CLIQ provider.
You will need the following certificate files during the installation. Please note that (b)
and (c) are required only if DCS Integration is enabled:
a) The certificate bundle file (ServerBundle.ccb) from your CLIQ provider.
b) The TLS server certificate file to be used by the Enrolment application that you
have purchased from a trusted Certificate Authority.
c) The TLS private key file for your Enrolment application server created as part of
applying for the TLS server certificate from a trusted Certificate Authority.
It is common that the CA issuing the TLS server certificate is using one or more
intermediate CAs. All these certificates should form a chain from the server certificate
followed by the issuer of the previous certificate and so on up to the root CA certificate,
e.g. Server cert → Intermediate CA2 cert → Intermediate CA1 cert → Root CA cert. The
root CA certificates are usually bundled with the end user’s web browser.
If your TLS server certificate for CLIQ Web Manager Enrolment was issued by an
intermediate CA, append the content of all the intermediate CA certificate files (PEM
format) to the end of your TLS server certificate file. The certificates in the file must be
ordered where the server certificate is first in the file followed by the issuer of the
previous certificate and so on until the last intermediate CA in the chain. The root CA
does not have to be included as it is bundled in the end user’s web browser. The content
of the resulting file should be similar to:
-----BEGIN CERTIFICATE-----
MI…
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MI…
-----END CERTIFICATE-----
The resulting file should be supplied to the installer application during the installation
process.
6.1.3 Database Configuration
While providing database configuration parameters during installation, you can also
provide some additional connection parameters that may be required by your SQL Server
installation.
The text to be entered in the parameters field consists of one or more key-value pairs.
The key and the value are separated by an equals sign (“=”), and if more than one pair
are included in the string, the pairs are separated by semicolons (“;”).
Some parameters that can be configured are listed in the table below.
encrypt If SSL connections are accepted by the database server,
setting this parameter to true will ensure that SSL(TLS) is
used to encrypt all communication between CLIQ Remote
and the database.
trustServerCertificate When using encrypt=true the CLIQ Remote end-point will
trust the SQL Server certificate without validating the
certificate. This is usually required for allowing connections
in test environments, such as where the SQL Server
instance has only a self-signed certificate.
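The following added example (not part of the vendor document) parses a parameter string in the key=value;key=value format described above and flags the TLS-relevant weaknesses of the two listed parameters. The function names are hypothetical, the sample strings are constructed, and matching keys case-insensitively is an assumption.

```python
def parse_connection_parameters(text):
    """Parse 'key=value;key=value' into a dict keyed by lower-cased name.

    Raises ValueError for a pair without '=', an empty key or value,
    or a key that appears twice (assumption: keys are case-insensitive).
    """
    params = {}
    for pair in text.split(";"):
        pair = pair.strip()
        if not pair:
            continue  # tolerate a trailing or doubled semicolon
        key, sep, value = pair.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or not key or not value:
            raise ValueError(f"malformed pair: {pair!r}")
        if key in params:
            raise ValueError(f"duplicate parameter: {key!r}")
        params[key] = value
    return params


def review_tls_settings(text):
    """Return findings for the encrypt / trustServerCertificate combination."""
    params = parse_connection_parameters(text)
    encrypt = params.get("encrypt", "").lower() == "true"
    trust = params.get("trustservercertificate", "").lower() == "true"
    findings = []
    if not encrypt:
        findings.append("encrypt is not set to true: TLS between CLIQ Remote "
                        "and the database is not enforced by these parameters")
    elif trust:
        findings.append("trustServerCertificate=true: traffic is encrypted but "
                        "the SQL Server certificate is not validated, so the "
                        "server's identity is unverified; use only in test setups")
    return findings


if __name__ == "__main__":
    # Constructed sample values: test-environment setting beside the hardened one.
    for sample in ("encrypt=true;trustServerCertificate=true",
                   "encrypt=true;trustServerCertificate=false"):
        print(sample, "->", review_tls_settings(sample) or "no findings")
```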
6.1.3.1 SQL Server instance
If more than one MS SQL Server instance is running on the database server, and the
default instance is not to be used, the instance name can be defined in the
following format: <SQL server hostname>[\instanceName], for example:
localhost\MSSQLSERVER2014
6.1.4 Multiple DNS names for the CLIQ Web Manager Enrolment
If DCS integration is enabled and several DNS names are used to access the CLIQ Web
Manager Enrolment, they all need to be manually configured in
[CLIQ SERVER]\apache\conf\extra\httpd-ssl-enrolment.conf. If they are not added, the applet
will not load and cannot be used.
In that file, below <VirtualHost _default_:8443> there is a line with the server name,
similar to “ServerName myserver.com:8443”. To support several DNS names, add all
extra server names as server aliases, see example below.
Example: CLIQ Web Manager Enrolment is accessed on server1.mycompany.com,
server2.mycompany.com and server3.mycompany.com.
The ServerName might look like this:
ServerName server1.mycompany.com:8443
Then the ServerAlias should be added on the line below like this:
ServerAlias server2.mycompany.com server3.mycompany.com
or
ServerAlias *.mycompany.com
6.1.5 Create Windows accounts for CLIQ Web Manager services
For security reasons it is highly recommended to run the Windows services for CLIQ Web
Manager with low privilege accounts. During installation of CLIQ Web Manager the
installer application will ask you to specify the accounts to use for both Apache and
Tomcat services. It is possible to select the same account for both services but for higher
security it is recommended to use different accounts.
To create local account(s), follow the steps described below. Alternatively, an existing
domain account can be used; in that case, follow the instructions in step 2 for the domain
account.
1. Create a local account with the option “User must change password at next login”
unchecked. Memorize account name and its password. Make the account member
of the Users group. The account can be created with the Computer
Management tool by selecting item Local Users and Groups/Users.
2. Grant the newly created account the following privileges:
o Log on as a service
o Act as part of the operating system
o Deny log on locally
These privileges can be edited via the Local Security Policy tool by selecting
item Local Policies/User Rights Assignment.
Note: if the password of the above Windows account is changed, the service password has
to be updated as well, otherwise the CLIQ Web Manager service(s) will stop working. See
the CLIQ Web Manager and CLIQ Remote Operation and Maintenance for how to configure
the service password manually.
6.1.6 SQL Server Windows Authentication
When connecting the Tomcat service to the SQL Server database, it is recommended to
use Windows authentication. In that case, a SQL Server login that is associated with the
Tomcat service account must be created.
Connect to the SQL Server instance using SQL Server Management Studio and:
1. Ensure that the newly created Tomcat service account can be used as a SQL
Server login with Windows authentication in the SQL Server.
2. Create a SQL Server login with Windows Authentication connected to the Tomcat
service user.
3. For database permissions see chapter Database permissions.
6.1.7 Database permissions
It is recommended to restrict the SQL Server login to the following minimum permissions.
1. Select the Login Properties/User Mapping option and check the
[CLIQRemoteDB] database.
2. In the Database role membership for the [CLIQRemoteDB] database, check the
roles db_datareader and db_datawriter.
Note: it is not required that the login is the database owner of the [CLIQRemoteDB]
database.
6.2 Run the CLIQ Remote installer
The CLIQ Remote setup is started by running the installer executable. The installer
steps contain detailed explanations of the configuration required for
the setup. Please refer to the respective help texts for the input fields. If asked about installing
the Microsoft Visual C++ 2015 redistributable, agree to do that and continue the CLIQ Web
Manager installer afterwards.
Note: during installation of CLIQ Remote it is possible that some anti-virus software
will report a warning message about the presence of the ncat.exe file in the installation package
(ncat was added to enable sending of Apache logs to an external Syslog server). If the
warning notification appears, please see [4] CLIQ Web Manager and CLIQ Remote
Troubleshooting Guide.
6.3 Verify the Installation
To verify that the installation was successful, perform the following steps.
1. Start the Apache service or restart the service if it was already started. If you
use the Apache HTTP Server status monitor in the task bar, it should look like
this when the service has started (you can also check that the service is
started in Windows Administrative Tools -> Services):
2. The application server should be started automatically. An icon for “CLIQ Web
Manager” is installed in the task bar. If you need to stop or start the server,
right-click the icon and select Stop Service or Start Service respectively.
3. Verify that the Application Server can deploy the web application successfully
by examining the log file cliqRemote.log located in the folder
[CLIQ SERVER]\tomcat\logs. Make sure there are no errors logged and that there is
a log entry stating “FrameworkServlet 'remotingHttpInvoker': initialization
completed”.
7 Time Synchronization of the servers
It is very important that CLIQ Web Manager server and CLIQ Remote server
have the same system time, therefore the servers shall be synchronized to an
NTP server.
Appendix A Mail server configuration using SMTPS
Mail server configuration is available in the server.xml file in the tomcat directory
([CLIQ_WEB_MANAGER]/tomcat/conf) on the CLIQ Web Manager server.
To enable SMTPS, replace the current mail/Session Resource with the example below.
Gmail is used in the given example. Please update the host, port, user and password
values.
<Resource name="mail/Session" auth="Container"
type="javax.mail.Session"
mail.transport.protocol="smtp"
mail.smtp.host="smtp.gmail.com"
mail.smtp.port="465"
mail.smtp.auth="true"
mail.smtp.user="username@gmail.com"
password="pass"
mail.smtp.starttls.enable="true"
mail.smtp.socketFactory.class="javax.net.ssl.SSLSocketFactory"/>
Recommended