Windows Server: Installation and Setup Guide

Windows Server Installation and Setup

Overview

 The purpose of this guide is to describe the environmental requirements and steps required to configure the PEM Administrator and associated PEM Agent.

What you will need:

1. A Windows Server to host the PEM Administrator. This server should be joined to an Active Directory domain.

2. A SQL Server or PostgreSQL 9.5 Database where PEM Administrator application data will live. Before installing you should obtain:

   1. Database server instance name

   2. Database name

   3. Database username with access to the above database

   4. Database user password

   5. The port the database server connects to

3. An SSL certificate that matches the hostname you wish to use for the PEM Administrator 

4. (optional) A DNS record for "pkwareops.[domain.ext]" published into your internal/external DNS. The PK Protect application will look for this record by default.

5. (optional) To test local search, install Java 11 (AdoptOpenJDK) and ElasticSearch

What this guide will cover:

1. Scripted installation.
2. SQL database requirements and setup.
3. IIS website / application pool requirements and setup.
4. TLS / SSL configuration and connectivity.
5. Deployment of the PEM Administrator.

Active Directory Authentication Note:

Note

The Windows Server that will host the PEM Administrator site/application needs to have access to authenticate with your Active Directory. This authentication occurs over the standard Active Directory Domain Services protocols. For more information about ports that are needed for the Windows Server to have access to the domain, see:  https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Windows Server Core Installations:

Looking for instructions for installing on Windows Server Core? We've got you covered here: 2022-10-06_05-51-19_Windows Server Core Installation and Setup Guide

Scripted Installation

Since v15.3, you have the option to perform a scripted installation of the PEM Administrator. Contact your PKWARE account representative to obtain the appropriate package for your platform.

Steps performed

The script performs the following steps, in order:

1. Checks numerous system dependencies.
2. Installs and configures appropriate Internet Information Services (IIS) Roles and Features.
3. Allows the Administrator to select a database type for PEM Administrator. Choose from:
   1. A local database instance of PostgreSQL. The script will install and configure the database while prompting the Administrator to set a DB Instance Master password and DB access password.
   2. An external MS-SQL database which the script will later require information for (Hostname, Database Name, DB Username, DB Password).
   3. An external PostgreSQL database which the script will later require information for (Hostname, Database Name, DB Username, DB Password).
4. Configures the PEM Administrator website and an associated Application Pool in IIS.
5. Generates and binds a Self-Signed Certificate to the website.
6. Prompts the administrator to supply a default encryption master password.
7. Prompts the administrator to supply a default system administration account for the PEM Administrator.

Notes for the scripted deployment option:

• The use of the Self-Signed Certificate created during the scripted installation is intended for PK Protect use in lab or non-production environments for a proof of concept or evaluation purposes. To install a trusted, rooted or other certificate, please follow the steps below
  

  • To import a certificate in Windows 2012
    

    1. Open the Certificates snap-in for the local machine's certificate store: Start | Run | certlm.msc
    2. In the console tree, click the Personal store
    3. On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
    4. Type the file name containing the certificate to be imported. (You can also click Browse and navigate to the file.)
    5. This certificate should have a private key (PKCS #12 file)
    6. Type the password used to encrypt the private key.
    7. (Optional) If you want to back up or transport your keys at a later time, select the Mark key as exportable check box.
    8. Select Place all certificates in the following store, click Browse, and choose the Personal store.
• When this process is completed, a Hosts file (Windows/System32/driver/etc/hosts) or DNS entry, pointing directly to one or more IP addresses (an A record), will be required for client machines to connect back to the Manager.

Running the installation script

1. Log in to the Windows Server environment and copy the SEM installation package to the Windows Server. Extract the .ZIP package.
2. Run Microsoft PowerShell as an Administrator.
3. Change to the directory location where you extracted the SEM installer.
4. Execute ./sc_install.ps1.
5. Press R when asked "Do you want to run <install.ps1>?

The system (if network connected) will attempt to download/install all Windows features required to run the SEM, including all prerequisite Microsoft Internet Information Server (IIS) modules and .NET Core Server.

Installing PostgreSQL

PEM Administrator supports Microsoft SQL Server and PostgreSQL 9.5 database management systems. The SEM installation script will prompt you to "install postgres to use later." Press enter to skip installation, or Y to install and configure PostgreSQL locally.

If you choose not to install PostgreSQL, it is assumed a remote database server will be used.

Below is the sample output from a basic installation. The installation script will also prompt for hostname. This is used to generate a self-signed certificate and set up the hostname and SSL bindings for the site that is created

Configuring PEM Administrator

The script continues to create the PEM Administrator database.

You'll be asked to configure S\PEM.

• Existing or New site: Default is New, but if you have already set up SEM on IIS, type E.
• Name the Site: Default is PK Protect
• Physical Site Location: Default is c:\inetpub\wwwroot. Edit as required.
• Application Name: Default is mds.

The script will display the existing Application Pools on IIS.

• New Application Pool: Default is New. Highly recommended.
• Application Pool Name: Default is PK Protect.
• Hostname: Default is the current machine.
• HTTPS Certificate: Default is to create a new self-signed X.509 certificate for the host.

The script will create a new self-signed certificate, and ask you to confirm that you want to use it.

Connecting to the Database

The script then checks for a connection to the database, and allows you to configure the connection.

• Confirm Database Platform: Default is SQL Server. To change to PostgreSQL, type N and enter postgresql.
• Database Server: Identify the location of the database server.
• Confirm Port: Enter the port for the database.
• Database: Name the database.
• User Id: Identify the owner of the SEM database.
• Password: Supply the database server password for the user you just identified.
• Add Extra Parameter: Default is No. If you want to set an additional required string to access the database, define that here.

The script displays the Connection Information you've entered, and tries to connect. If the database connection is valid, you are asked to confirm the configuration.

Configuring PEM Administrator in IIS

Enter the PEM Administrator Account Password to access SEM.

You'll next be asked to configure the local Administrator user. Supply a username (default is Administrator) and password.

The script will set up an Application Pool, Site and Application in IIS on the server.

You are now able to open SEM on https://<hostname>/mds. If you are not able to reach the site, confirm the hostname is routeable via DNS or a hostfile.

Troubleshooting

Mobile and IOS devices cannot connect to the SMDS when it has been configured with this script. This is because these devices cannot use the self-signed certificate created by the setup script. Installing a trusted certificate will allow these types of devices to connect to SMDS.