The purpose of this guide is to describe the environmental requirements and steps required to configure the Smartcrypt Manager and associated Smartcrypt Application (Agent).
What you will need:
- A Windows Server joined to an AD domain with IIS installed.
- An SQL Server Database (database server instance name, username, password, database name).
- An SSL certificate for the Smartcrypt Manager that matches the hostname you wish to use.
- A DNS record for "pkwareops.[domain.ext]" (optional).
What this guide will cover:
- SQL database requirements and setup.
- IIS website setup and configuration.
- Configuration of TLS/SSL connectivity.
The Windows Server that will host the Smartcrypt Manager site/application needs to have access to authenticate with your Active Directory. This authentication occurs over the standard Active Directory Domain Services protocols. For more information about ports that are needed for the Windows Server to have access to the domain, see: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
Looking for instructions for installing on Windows Server Core? We've got you covered here: Windows Server Core Installation and Setup Guide
SQL database requirements / setup:
Before installing Smartcrypt Manager, you must create an empty database. The database should use the Latin1_General_CI_AS collation. The database user must be a member of the db_owner role on the Smartcrypt database. Please consult the documentation for your version of SQL Server, if necessary.
For More Information about SQL Server Setup, see:
IIS website setup and configuration
On the Windows Server running IIS:
- Install the Visual C++ 2012 Runtime
- Install Web Deploy with Microsoft Web Platform Installer
- Configure Internet Information Server (IIS) for Smartcrypt
- Configure Windows Authentication for the Application
- Install Smartcrypt Manager Web Application
Install the Visual C++ 2012 Runtime
Smartcrypt is developed with Microsoft® Visual Studio® 2012. The Microsoft Visual C++ redistributable enables some required features for Smartcrypt.
- Go to https://www.microsoft.com/en-us/download/details.aspx?id=30679. This site hosts the current version of this runtime application.
- Click Download.
- Select the vcredist_x86 file. This is the 32-bit version of the runtime.
- Click Next to begin the download.
- Run the file to install.
Configure Internet Information Server for Smartcrypt
Prior to installing the Smartcrypt Manager website, you must have two features installed and configured on IIS. There are important, if slight, differences in the setups depending on which version of Windows Server you are running.
If you already have these features installed and configured, no changes are required. Skip to “Install Smartcrypt Manager.”
Setting up IIS in Windows Server 2012 R2
- From Server Manager, go to IIS.
- Click Add Roles and Features.
- Skip the Before you begin page. Click Next.
- On the Installation Type page, select Role-based or feature-based installation. Click Next.
- On the Select destination server page, choose the server you will install Smartcrypt on. Click Next.
- On the Server Roles page, select Web Server (IIS).
- On the Features page, check ASP.NET 4.5. Click Next.
- Under Web Server Role (IIS), go to Role Services.
- On the Role Services page, check Windows Authentication (under Security) and ASP.NET 4.5 (under Application Development). Click Next.
- Click Add Features when the Wizard asks you to Add:
  - .NET Extensibility 4.5
  - ISAPI Extensions
  - ISAPI Filters
- Confirm your installation selections and click Install.
These features are now active.
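The same role services can be installed and verified from an elevated PowerShell prompt on Windows Server 2012 R2. This is an added example, not part of PKWARE's guide; the feature names are the Windows identifiers for the items selected in the wizard steps above.

```powershell
# Added example (not PKWARE code): role services selected in the wizard steps above.
$required = @(
    'Web-Server',               # Server Roles > Web Server (IIS)
    'NET-Framework-45-ASPNET',  # Features > ASP.NET 4.5
    'Web-Windows-Auth',         # Role Services > Security > Windows Authentication
    'Web-Asp-Net45',            # Role Services > Application Development > ASP.NET 4.5
    'Web-Net-Ext45',            # .NET Extensibility 4.5
    'Web-ISAPI-Ext',            # ISAPI Extensions
    'Web-ISAPI-Filter'          # ISAPI Filters
)

# Install only what is missing, so an already configured server is left unchanged.
$missing = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }
if ($missing) {
    $names  = $missing | ForEach-Object { $_.Name }
    $result = Install-WindowsFeature -Name $names -IncludeManagementTools
    if (-not $result.Success) {
        throw "Feature installation failed: $($result.ExitCode)"
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'A restart is required to finish the installation.'
    }
}

# Confirm the end state instead of relying on the installer result alone.
Get-WindowsFeature -Name $required |
    Format-Table Name, DisplayName, InstallState -AutoSize
```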
Install Web Deploy with Microsoft Web Platform Installer
Next, include the Web Deploy tool from Microsoft. Get Web Deploy through the Microsoft Web Platform Installer (WPI), a free Microsoft tool to install a variety of products into IIS. Download WPI from http://www.iis.net/downloads/microsoft/web-deploy
After you download wpilauncher.exe, run this file to see the Web Platform Installer screen. Click the Search box in the upper right corner and type Web Deploy. Several options may appear, depending on what applications are supported. For your initial installation, we recommend you select the most recent version of Web Deploy with bundled SQL support. Click Add on Web Deploy 3.5 with bundled SQL support. WPI will install everything you need.
Setting up IIS in Windows Server 2008 R2
- From the Server Manager, go to Web Server (IIS).
- If ASP.NET and/or Windows Authentication appear as Not Installed in the Role Services list, click Add Role Services.
- Under Application Development, check ASP.NET.
- Click Add Required Role Services when the Wizard asks you to Add:
  - .NET Extensibility
  - ISAPI Extensions
  - ISAPI Filters
- To enable Windows Authentication, open Security.
- Check the Windows Authentication box.
- Click Install to add these features.
Enabling .NET Framework 4 Support in IIS (Windows Server 2008)
After installing the ASP.NET features in the Server Manager, you must still enable the .NET Framework in Windows Server 2008. This is done from an Administrator command prompt.
- Open the Command Prompt.
- Go to C:\Windows\Microsoft.NET\Framework64\v4.0.XXXXX.
- Run aspnet_regiis.exe -i.
- ASP.NET RegIIS will install ASP.NET.
Configure Windows Authentication for the Application
After adding Windows Authentication to the Windows Server configuration, you must further configure the IIS Manager to permit this. The steps to allow single sign on are the same for both Windows Server 2008 and 2012:
- Open the IIS Manager (Control Panel > Administrative Tools > Internet Information Services Manager)
- In the Management section, select Feature Delegation
- Change the Authentication - Windows setting to Read/Write
- From the main window, click Authentication.
- Right-click Windows Authentication and select Enable (if not already enabled).
Install Smartcrypt Manager
Now that the prerequisites are fulfilled, we are ready to install the Smartcrypt Manager.
Adding an Application Pool
- Open the IIS Manager (Control Panel > Administrative Tools > Internet Information Services Manager).
- Click View Application Pools to display existing pools.
- Click Add Application Pool.
- Give the Application Pool a name (possibly something like "MDS"). It is appropriate to accept the remaining default options.
Now configure the Application Pool to allow 32-bit applications.
- Under Edit Application Pool, click Advanced Settings for your new pool.
- Set Enable 32-Bit Applications to True using the dropdown menu. This allows 32-bit applications (like Smartcrypt) to run on 64-bit Windows.
Adding a website
- Download the latest package ZIP file from PKWARE to your server. Note: Do not extract the contents of the ZIP archive.
- In IIS Manager, go to Sites.
- Click Add Website. Name it Smartcrypt Manager. The Add Website dialog will open.
- Choose a Site name. This can be the same as the Application Pool.
- Use the Select button to make sure you select the application pool you created in the previous section.
- Define the physical path to the content directory
- (Optional) Select a host name for the site. If you give the website a host name, make sure your domain has proper routing for the host defined in DNS.
If you are accessing Smartcrypt Manager from outside your internal network domain, you also need to create a public DNS entry.
- Click OK to complete this step and add the website.
Importing the web application with Web Deploy
- Highlight the website created above.
- In the Action menu on the right side of the screen, select Import Application from the Deploy section.
- Web Deploy will launch and ask you to select the Smartcrypt Manager .ZIP file. Browse to the directory where the Smartcrypt package is located, select the ZIP, and click Next.
- Web Deploy will scan the ZIP package contents and display them. Review the contents of the package, and click Next to confirm.
- Web Deploy will prompt for some application configuration options on the Enter Application Package Information page:
- Application Path: This is the name of the web application. This name will appear in the URL you will use to access the Manager.
- Smartcrypt Manager Server Password: This is the password that secures your Satellite account with PKWARE. It is used for encryption of all your keys. It should be securely backed up.
If this password is lost, no users will be able to use any existing Smartkey in Smartcrypt. It’s important the password is secure.
You need to define the first system administrator who can log in to the Smartcrypt Manager. You can do this through Active Directory, or a local username and password.
- AD SysAdmin: Select the preferred Active Directory account here. Leave empty to use a local account instead.
- Local SysAdmin: Enter the username to select a locally defined user. Leave empty if you are using an Active Directory account.
- Local SysAdmin Password: If you selected a locally defined username, enter that user’s password here. Leave empty if you are using an Active Directory account.
- Connection String: Connects Smartcrypt Manager to the database you set up at the start. Edit this line with the data source (database server), initial catalog (the name of the database to be used by Smartcrypt), and the login credentials of the database admin (dbuser and dbpassword).
When you have finished filling out this page, click Next to install Smartcrypt Manager. Web Deploy will process and complete the setup.
Enabling SSL for the Website
The Smartcrypt Manager requires an SSL connection to protect data being posted to the server. We need to add a binding to enable SSL for this website.
- Highlight the website you created in the earlier section. Select Bindings from the Edit Site options on the right.
- The Add Site Binding screen appears. Select https from the Type: dropdown menu.
- Use the Select button to choose the SSL Certificate to use for this site.
Remember a certificate needs to be trusted on your devices. If you are using a self-signed certificate, this will require additional steps. Learn how to trust any certificate here.
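An added check, not part of PKWARE's guide, that audits the settings from the preceding sections: the 32-bit application pool, Windows Authentication, and the certificate on the https binding. The site name, pool name and hostname below are assumed values; replace them with your own.

```powershell
# Added example (not PKWARE code): audit the IIS settings configured in this guide.
# Requires PowerShell 4.0 or later (DnsNameList) and the WebAdministration module.
Import-Module WebAdministration

$SiteName = 'Smartcrypt Manager'      # assumed: site name from "Adding a website"
$PoolName = 'MDS'                     # assumed: pool name suggested in the guide
$HostName = 'pkwareops.example.com'   # assumed placeholder for the Manager hostname
$findings = @()

# 1. The application pool must allow 32-bit applications.
$bitness = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name enable32BitAppOnWin64
if (-not $bitness.Value) { $findings += "Pool '$PoolName': Enable 32-Bit Applications is not True" }

# 2. Windows Authentication must be enabled (effective setting at the site level).
$winAuth = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled
if (-not $winAuth.Value) { $findings += "Site '$SiteName': Windows Authentication is disabled" }

# 3. The site needs an https binding with a valid certificate for $HostName.
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) {
    $findings += "Site '$SiteName': no https binding"
} else {
    $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
    $cert  = Get-ChildItem "Cert:\LocalMachine\$store" |
             Where-Object { $_.Thumbprint -eq $binding.certificateHash }
    if (-not $cert) {
        $findings += "https binding has no certificate in LocalMachine\$store"
    } else {
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $findings += "Certificate $($cert.Thumbprint) is outside its validity period"
        }
        # Exact match, or a wildcard that covers exactly one leftmost label.
        $dot    = $HostName.IndexOf('.')
        $parent = if ($dot -gt 0) { $HostName.Substring($dot) } else { '' }
        $nameOk = $cert.DnsNameList.Unicode | Where-Object {
            $_ -eq $HostName -or ($parent -and $_ -eq "*$parent")
        }
        if (-not $nameOk) { $findings += "Certificate does not cover '$HostName'" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'All checks passed.' }
```

This only inspects the server's own configuration; whether client devices trust the issuing certificate still has to be verified on those devices.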
Creating the Smartcrypt database schema
Now that the web application is set up and deployed with SSL configured, the last item we need to complete is populating the Smartcrypt database with the initial schema. Smartcrypt comes with a tool to complete this task for you called SmartcryptDB.exe.
- Open a command window (cmd).
- Change directory to the location you installed the website to (above) and look for the bin directory.
- Now execute SmartcryptDB.exe.
- The tool should run and set up the required schema for the version of the Smartcrypt Manager you have.
Make sure your Application Pool is started and your website is started in IIS. Next, point your browser to https://<server>/<ApplicationPath>/SuperUser to log in with the System Administrator credentials (Active Directory or Local) and start using Smartcrypt.