The purpose of this guide is to describe the environmental requirements and steps required to configure the Smartcrypt Manager and associated Smartcrypt Application (Agent).
What you will need:
- A Windows Server to host the Smartcrypt Manager. This server should be joined to an Active Directory domain.
- A SQL Server database where Smartcrypt Manager application data will live. Before installing you should obtain:
  - Database server instance name
  - Database username with access to the above database
  - Database user password
- An SSL certificate that matches the hostname you wish to use for the Smartcrypt Manager.
- (Optional) A DNS record for "pkwareops.[domain.ext]" published into your internal/external DNS. The Smartcrypt application will look for this record by default.
What this guide will cover:
- Scripted installation.
- SQL database requirements and setup.
- IIS website / application pool requirements and setup.
- TLS / SSL configuration and connectivity.
- Deployment of the Smartcrypt Manager.
Active Directory Authentication Note:
The Windows Server that will host the Smartcrypt Manager site/application must be able to authenticate against your Active Directory. This authentication occurs over the standard Active Directory Domain Services protocols. For more information about the ports the Windows Server needs in order to reach the domain, see: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
Windows Server Core Installations:
New in 15.3 is the option to perform a scripted installation of the Smartcrypt Manager. Contact your PKWARE account representative to obtain the appropriate package for your platform.
The script performs the following steps, in order:
- Checks numerous system dependencies.
- Allows the Administrator to select a database type for Smartcrypt Manager. Choose from:
  - A local database instance of PostgreSQL. The script will install and configure the database while prompting the Administrator to set a DB Instance Master password and DB access password.
  - An external MS-SQL database, for which the script will later require information (Hostname, Database Name, DB Username, DB Password).
  - An external PostgreSQL database, for which the script will later require information (Hostname, Database Name, DB Username, DB Password).
- Installs and configures appropriate Internet Information Services (IIS) Roles and Features.
- Configures the Smartcrypt Manager website and an associated Application Pool in IIS.
- Generates and binds a Self-Signed Certificate to the website.
- Prompts the administrator to supply a default encryption master password.
- Prompts the administrator to supply a default system administration account for the Smartcrypt Manager.
Notes for the scripted deployment option:
- The Self-Signed Certificate created during the scripted installation is intended for Smartcrypt use in lab or non-production environments, for proof of concept or evaluation purposes. To install a trusted, rooted or other certificate, please see Importing an SSL Certificate in Windows Server.
- When this process is completed, a Hosts file (Windows/System32/drivers/etc/hosts) or DNS entry will be required for client machines to connect back to the Manager.
Running the installation script
- Extract the mds-installer.zip file and browse to the extracted location via PowerShell.
- Execute the script and follow the prompts.
- Confirm your selections.
Mobile and iOS devices cannot connect to the SMDS when it has been configured with this script, because these devices cannot use the self-signed certificate created by the setup script. Installing a trusted certificate will allow these types of devices to connect to SMDS.
SQL Server database requirements and setup:
The Smartcrypt Manager requires an empty database, appropriate authentication credentials and permissions. Please perform the following actions, consulting the documentation for your version of SQL Server, if necessary.
- Log in to your SQL Server and create an empty database.
- Give the database a name and note the name down for later (e.g. "Smartcrypt").
- Set the database collation to: Latin1_General_CI_AS
- Create a database user which the Smartcrypt Manager will use to authenticate to this instance (e.g. smartcrypt-user).
- Set a database user password and be sure to uncheck the option "Must change password at next logon".
- Give the database user the "db_owner" right to the Smartcrypt database you created above.
For more information about how to authenticate to Microsoft SQL Server, see:
- Using Windows Authentication with SQL Server and Smartcrypt, or
- Using SQL Authentication with SQL Server and Smartcrypt
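The database steps above, scripted with the SqlServer PowerShell module. This is an added example, not a PKWARE script: it assumes the SqlServer module is installed (Install-Module SqlServer, or the older SQLPS module) and that you run it as a SQL Server administrator; the instance, database and user names are placeholders.

```powershell
# Added example: create the empty Smartcrypt database with the required collation,
# a SQL login that is not forced to change its password, and a database user with db_owner.
Import-Module SqlServer

$Instance = 'SQL01\SMARTCRYPT'      # placeholder: database server instance name
$Database = 'Smartcrypt'            # placeholder: note this name down for the connection string
$DbUser   = 'smartcrypt-user'       # placeholder: login the Smartcrypt Manager will use
$Secure   = Read-Host -Prompt "Password for $DbUser" -AsSecureString
$Plain    = (New-Object System.Net.NetworkCredential('', $Secure)).Password
$Escaped  = $Plain.Replace("'", "''")   # escape for a T-SQL string literal

# CREATE LOGIN without MUST_CHANGE is the scripted equivalent of unchecking
# "Must change password at next logon". ALTER ROLE ... ADD MEMBER needs SQL Server 2012+;
# on older versions use: EXEC sp_addrolemember 'db_owner', '<user>'
$Tsql = @"
IF DB_ID(N'$Database') IS NULL
    CREATE DATABASE [$Database] COLLATE Latin1_General_CI_AS;
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$DbUser')
    CREATE LOGIN [$DbUser] WITH PASSWORD = N'$Escaped', CHECK_EXPIRATION = OFF, CHECK_POLICY = ON;
GO
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$DbUser')
    CREATE USER [$DbUser] FOR LOGIN [$DbUser];
ALTER ROLE db_owner ADD MEMBER [$DbUser];
GO
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $Tsql

# Verify the collation that the Smartcrypt Manager requires
Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT name, collation_name FROM sys.databases WHERE name = N'$Database';
"@
```

The password is read as a SecureString and only converted at the moment the T-SQL batch is built, so it does not sit in the PowerShell history; the GO separators keep CREATE DATABASE, CREATE LOGIN and the database-level statements in separate batches.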
IIS website / application pool requirements and setup:
Perform the following steps on the Windows Server running IIS:
Install the Visual C++ 2012 Runtime
Smartcrypt is developed with Microsoft® Visual Studio® 2012, so the 2012 version of the Microsoft Visual C++ redistributable is required: it provides runtime components that Smartcrypt depends on.
- Download and install the 64-bit version of the redistributable found here: https://www.microsoft.com/en-us/download/details.aspx?id=30679
Configure Internet Information Server for Smartcrypt
Prior to installing the Smartcrypt Manager website, you must have two features installed and configured on IIS. There are important, if slight, differences in the setups depending on which version of Windows Server you are running.
If you already have these features installed and configured, no changes are required. Skip to "Installing the Smartcrypt Manager."
Setting up IIS in Windows Server 2012 R2
- Launch the Server Manager and select IIS.
Setting up IIS in Windows Server 2008 R2
- Launch the Server Manager and select Web Server (IIS).
Enabling .NET Framework 4 Support in IIS (Windows Server 2008)
After installing the ASP.NET features in the Server Manager, you must still enable the .NET Framework in Windows Server 2008. This is done from an Administrator command prompt.
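The same role and feature installation from an elevated PowerShell prompt, as an added example (not from the PKWARE guide). It assumes the features needed are ASP.NET and Windows Authentication, as the sections above and below indicate, and that on Windows Server 2008 R2 the .NET Framework 4 has already been installed; the aspnet_regiis.exe path is the standard .NET 4 location.

```powershell
# Added example: install the IIS role and the ASP.NET / Windows Authentication features,
# then on Windows Server 2008 R2 register ASP.NET 4 with IIS (the "Administrator command
# prompt" step above). Run from an elevated PowerShell.
$Features = @(
    'Web-Server',          # Web Server (IIS) role
    'Web-Asp-Net45',       # ASP.NET 4.5 on 2012 R2 (replaced by Web-Asp-Net on 2008 R2 below)
    'Web-Windows-Auth',    # Windows Authentication, configured in the next section
    'Web-Mgmt-Console'     # IIS Manager
)

$Os = [Environment]::OSVersion.Version
if ($Os -ge [Version]'6.2') {
    # Windows Server 2012 / 2012 R2
    Install-WindowsFeature -Name $Features
} else {
    # Windows Server 2008 R2: Add-WindowsFeature from the ServerManager module
    Import-Module ServerManager
    $Features[1] = 'Web-Asp-Net'
    Add-WindowsFeature -Name $Features

    # Enabling .NET Framework 4 support in IIS on 2008 R2
    $RegIis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
    & $RegIis -i
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis.exe failed with exit code $LASTEXITCODE" }
}

# Verify: every feature should report InstallState = Installed
Get-WindowsFeature -Name $Features | Select-Object Name, InstallState
```

Use the Server Manager feature names exactly as shown; Get-WindowsFeature without arguments lists every available name if your edition differs.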
Install Web Deploy with Microsoft Web Platform Installer
Install Web Deploy through the Microsoft Web Platform Installer (WPI), a free Microsoft tool to install a variety of products into IIS. Download WPI from http://www.iis.net/downloads/microsoft/web-deploy
After you download wpilauncher.exe, run it to open the Web Platform Installer. Click the Search box in the upper right corner and type "Web Deploy." Several options may appear, depending on which applications are supported. For your initial installation, we recommend the most recent version of Web Deploy with bundled SQL support. At the time this was written, 3.5 was the latest version, so you would click Add on "Web Deploy 3.5 with bundled SQL support." WPI will install everything you need.
Configure Windows Authentication
After adding Windows Authentication to the Windows Server configuration, you must further configure the IIS Manager to permit this. The steps to allow single sign on are the same for both Windows Server 2008 and 2012:
- Open the IIS Manager (Control Panel > Administrative Tools > Internet Information Services Manager).
- In the Management section, select Feature Delegation.
- Change the Authentication - Windows setting to Read/Write.
- From the main window, click Authentication.
- Right click on Windows Authentication and select Enable (if not already enabled).
Adding an Application Pool
- Open the IIS Manager (Control Panel > Administrative Tools > Internet Information Services Manager).
- Click View Application Pools to display existing pools.
- Click Add Application Pool.
- Give the Application Pool a name (for example "MDS"). It is appropriate to accept the remaining default options.
Adding a website
- Download the latest package ZIP file from PKWARE to your server. Note: Do not extract the contents of the ZIP archive.
- In IIS Manager, go to Sites.
- Click Add Website. The Add Website dialog will open.
- Choose a Site name (for example, Smartcrypt Manager). This can be the same as the Application Pool.
- Use the Select button to make sure you select the application pool you created in the previous section.
- Define the physical path to the content directory.
- (Optional) Select a host name for the site. If you give the website a host name, make sure your domain has proper routing for the host defined in DNS.
If you are accessing Smartcrypt Manager from outside your internal network domain, you also need to create a public DNS entry.
- Click OK to complete this step and add the website.
Configuring the website for SSL
The Smartcrypt Manager requires an SSL connection to protect data being posted to the server. We need to add a binding to enable SSL for this website.
- Highlight the website you created in the earlier section. Select Bindings from the Edit Site options on the right.
- The Add Site Binding screen appears. Select https from the Type: dropdown menu.
- Use the Select button to choose the SSL Certificate to use for this site.
Verify SSL is working properly!
Verify the site is working properly by pointing your browser to https://<server>/ – you should see the IIS Welcome Page.
Verify the certificate is trusted on your other devices!
If you are using a self-signed certificate, this will require additional steps. Learn how to trust any certificate here.
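The Windows Authentication, Application Pool, website and SSL binding steps from the sections above, done with the WebAdministration module instead of the IIS Manager. This is an added example, not the guide's own procedure: the pool, site, path and host names are placeholders, the certificate is assumed to already be in the machine's Personal store with a subject matching the host name, and the final check needs PowerShell 3 or later for Invoke-WebRequest.

```powershell
# Added example: configure Windows Authentication, an application pool, the website
# and its https binding, then verify the certificate is trusted. Elevated PowerShell.
Import-Module WebAdministration

$PoolName   = 'MDS'                           # placeholder application pool name
$SiteName   = 'Smartcrypt Manager'            # placeholder site name
$SitePath   = 'C:\inetpub\SmartcryptManager'  # placeholder physical path
$HostName   = 'pkwareops.example.com'         # placeholder; must resolve in DNS
$AuthFilter = '/system.webServer/security/authentication/windowsAuthentication'

# Feature Delegation "Authentication - Windows" = Read/Write (section unlocked), then enable it
Set-WebConfiguration -Filter $AuthFilter -PSPath 'IIS:\' -Metadata overrideMode -Value Allow
Set-WebConfigurationProperty -Filter $AuthFilter -PSPath 'IIS:\' -Name enabled -Value $true

# Application pool with the default options
if (-not (Test-Path "IIS:\AppPools\$PoolName")) { New-WebAppPool -Name $PoolName | Out-Null }

# Website in that pool; the http binding is created here, https is added below
New-Item -ItemType Directory -Path $SitePath -Force | Out-Null
if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-Website -Name $SiteName -PhysicalPath $SitePath -ApplicationPool $PoolName `
        -HostHeader $HostName -Port 80 | Out-Null
}

# SSL binding: pick the newest certificate whose subject matches the host name and bind it.
# If your certificate's CN differs (e.g. a SAN certificate), select it by thumbprint instead.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$HostName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate for $HostName in Cert:\LocalMachine\My" }
New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
$Binding = Get-WebBinding -Name $SiteName -Protocol https
$Binding.AddSslCertificate($Cert.Thumbprint, 'My')

# Verify: Invoke-WebRequest refuses an untrusted (e.g. self-signed) certificate, which is
# exactly the "is the certificate trusted?" check the guide asks for.
try {
    $r = Invoke-WebRequest -Uri "https://$HostName/" -UseBasicParsing
    "HTTPS OK, status $($r.StatusCode); the certificate chain is trusted on this machine"
} catch {
    "HTTPS check failed: $($_.Exception.Message)"
}
```

Run the same Invoke-WebRequest from a client machine, not only from the server, because the server trusts its own self-signed certificate while clients do not until it has been imported into their trusted root store.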
Installing the Smartcrypt Manager
Now that the prerequisites are fulfilled, we are ready to install the Smartcrypt Manager.
Note: The next section assumes you have a .ZIP file containing the Smartcrypt Manager deployment package.
Importing the .ZIP file containing the Smartcrypt Manager web application with Web Deploy
- Highlight the website created above
- In the Action menu on the right side of the screen, select Import Application from the Deploy section
- Web Deploy will launch and ask you to select the Smartcrypt Manager .ZIP file. Browse to the directory where the Smartcrypt package is located, select the ZIP, and click Next
- Web Deploy will scan the ZIP package contents and display them. Review the contents of the package, and click Next to confirm
- Web Deploy will prompt for some application configuration options on the Enter Application Package Information page:
  - Set the Application Path to "mds" without the quotes. This is the name of the web application, and it will appear in the URL you use to access the Manager.
  - Set the Smartcrypt Manager Server Password. This password is used to encrypt your encryption keys. It should be securely backed up and not shared with PKWARE.
  - Define a root administrator account for the Smartcrypt Manager. This can be a domain account or a local account.
    - Domain Account: set a username (AD SysAdmin) only and leave the next two fields blank.
    - Local Account: set a username (Local SysAdmin) and a password (Local SysAdmin Password) and leave the AD SysAdmin field blank.
  - Set the parameters of the connection string with the information from your database administrator. This value connects Smartcrypt Manager to the database you initially set up:
    - datasource: The database server name or IP
    - initial catalog: The name of the database to be used by the Smartcrypt Manager
    - dbuser: The database server username
    - dbpassword: The database user password
- Click Next to install Smartcrypt Manager via Web Deploy.
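Before entering the four connection string values into Web Deploy, it is worth proving from the IIS server that they work and that the user really has db_owner. The following is an added example (not part of the PKWARE package or guide); it assumes PowerShell 3 or later and that the SQL Server is reachable from the application server, and the values are placeholders.

```powershell
# Added example: build a connection string from the same four values Web Deploy asks for,
# open it with the Smartcrypt database user, and confirm database, collation and db_owner.
Add-Type -AssemblyName System.Data

$DataSource     = 'SQL01\SMARTCRYPT'   # placeholder "datasource"
$InitialCatalog = 'Smartcrypt'         # placeholder "initial catalog"
$DbUser         = 'smartcrypt-user'    # placeholder "dbuser"
$DbPassword     = Read-Host -Prompt "Password for $DbUser" -AsSecureString

$b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$b['Data Source']     = $DataSource
$b['Initial Catalog'] = $InitialCatalog
$b['User ID']         = $DbUser
$b['Password']        = (New-Object System.Net.NetworkCredential('', $DbPassword)).Password
# Encrypt the SQL connection; if the SQL Server presents a self-signed certificate this
# open() will fail until that certificate is trusted by the application server.
$b['Encrypt']         = $true

$conn = New-Object System.Data.SqlClient.SqlConnection $b.ConnectionString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # IS_ROLEMEMBER with one argument checks the current (connected) user
    $cmd.CommandText = "SELECT DB_NAME() AS Db, " +
        "CONVERT(nvarchar(128), DATABASEPROPERTYEX(DB_NAME(), 'Collation')) AS Collation, " +
        "IS_ROLEMEMBER('db_owner') AS IsDbOwner"
    $rd = $cmd.ExecuteReader()
    [void]$rd.Read()
    [pscustomobject]@{
        Database  = $rd['Db']
        Collation = $rd['Collation']
        IsDbOwner = ([int]$rd['IsDbOwner'] -eq 1)
    }
    $rd.Close()
} finally {
    $conn.Dispose()
}
```

Expect Collation to read Latin1_General_CI_AS and IsDbOwner to be True; any login or permission error here is the same one the Smartcrypt Manager would hit after deployment, and it is cheaper to fix now.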
Creating the Smartcrypt database schema
Now that the web application is set up and deployed with SSL configured, the last item we need to complete is populating the Smartcrypt database with the initial schema. Smartcrypt comes with a tool to complete this task for you called SmartcryptDB.exe. From the application server running IIS:
- Open a command window (cmd).
- Change directory to the location you installed the website to (above) and look for the bin directory.
- Now execute SmartcryptDB.exe.
- The tool should run and set up the required schema for the version of the Smartcrypt Manager you have.
Make sure your Application Pool is started and your website is started in IIS. Next, point your browser to https://<server>/<ApplicationPath>/SuperUser to log in with the System Administrator credentials (Active Directory or Local) and start using Smartcrypt.
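The schema step and the final start-up checks, scripted as an added example (not from the PKWARE guide). It assumes the site, pool and host names match what you created earlier, that the application path is the "mds" value set during the Web Deploy import, and PowerShell 3 or later for Invoke-WebRequest.

```powershell
# Added example: run SmartcryptDB.exe from the deployed application's bin directory,
# make sure the pool and site are started, and request the SuperUser login page.
Import-Module WebAdministration

$SiteName = 'Smartcrypt Manager'      # placeholder, as created earlier
$PoolName = 'MDS'                     # placeholder, as created earlier
$HostName = 'pkwareops.example.com'   # placeholder host name of the site
$AppPath  = 'mds'                     # Application Path entered in Web Deploy

# Locate the bin directory of the web application that Web Deploy created
$AppRoot = (Get-WebApplication -Site $SiteName -Name $AppPath).PhysicalPath
$AppRoot = [Environment]::ExpandEnvironmentVariables($AppRoot)
$Tool    = Join-Path $AppRoot 'bin\SmartcryptDB.exe'
if (-not (Test-Path $Tool)) { throw "SmartcryptDB.exe not found at $Tool" }

# Run the schema tool from its own directory and stop on a non-zero exit code
Push-Location (Split-Path $Tool)
try {
    & $Tool
    if ($LASTEXITCODE -ne 0) { throw "SmartcryptDB.exe exited with code $LASTEXITCODE" }
} finally {
    Pop-Location
}

# Both the application pool and the website must be started
if ((Get-WebAppPoolState -Name $PoolName).Value -ne 'Started') { Start-WebAppPool -Name $PoolName }
if ((Get-WebsiteState -Name $SiteName).Value -ne 'Started')    { Start-Website -Name $SiteName }

# The SuperUser page should answer over https; any HTTP error or certificate failure is reported
$Url = "https://$HostName/$AppPath/SuperUser"
try {
    $r = Invoke-WebRequest -Uri $Url -UseBasicParsing
    "$Url -> HTTP $($r.StatusCode)"
} catch {
    "$Url -> $($_.Exception.Message)"
}
```

A certificate error at this last step means the client does not trust the site's certificate, which is the self-signed-certificate limitation noted in the scripted installation section; a 500 usually points back at the connection string or the schema step.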