EPM Server IIS Hosting Guidelines


GfK Media Software Solutions
IIS Server Hosting Guideline

Installation Guide - IIS Server Hosting Guideline (EPM)

_____________________________________________________________________________

© 2011 GfK Media Software Solutions


Revision History

Date        Version  Description                  Author
2010-12-23  0.1      Initial version              Péter Kovács
2011-01-10  0.2      Minor improvements           Péter Kovács
2011-01-11  0.3      Minor improvements           Péter Kovács
2011-01-18  0.4      Detailed install steps added Gábor Prótár, Péter Kovács

_____________________________________________________________________________

© GfK Media Software Solutions, March 2011


Table of Contents

1. Objectives
2. Requirements
    2.1. Software Requirements
    2.2. Windows Features
3. Administrative tasks
    3.1. SSL Configuration
        3.1.1. Obtaining an SSL Certificate
        3.1.2. Generate a self-signed certificate using the IIS Certificate Management Tool
        3.1.3. Install the certificate and the Certificate Authority to the client machine
        3.1.4. Using the Windows SDK with the makecert command line tool
    3.2. Administrative tasks before install
    3.3. Administrative tasks after installation
    3.4. Security administration
        3.4.1. net.tcp
        3.4.2. https


1. Objectives

This document describes the system administrative tasks required for installing and operating Evogenius Production System Server (EPM server). It is intended for system administrators, and assumes that the reader has an in-depth knowledge of Windows Server 2008 administration.


2. Requirements

2.1. Software Requirements

The EPM server has the following software requirements:

- Windows Server 2008 or later (for test purposes Windows Vista or 7 can also be used)
- Internet Information Services 7.5 or later
- .NET Framework 4.0 or later (the installer package will install this, if not present)

2.2. Windows Features

The EPM server requires the following Windows Features to be switched on:

- Windows Communication Foundation HTTP Activation
- Windows Communication Foundation non-HTTP Activation

Both features can be found under the "Microsoft .NET Framework 3.5.1" node.

Note: If these two features are switched on after .NET Framework 4.0 has been installed, the following command needs to be executed:

    aspnet_regiis.exe -iru

The reason for this is that turning on these features will reinstall ASP.NET 3.5 under IIS, and this command will install ASP.NET 4.0, which is also required by the EPM server. The tool can be found in the .NET 4.0 framework directory (usually c:\Windows\Microsoft.NET\Framework64\v4.0.30319\, or c:\Windows\Microsoft.NET\Framework\v4.0.30319\ on 32-bit systems).


3. Administrative tasks

3.1. SSL Configuration

3.1.1. Obtaining an SSL Certificate

A server-side certificate is required for a production EPM installation. A valid certificate must be purchased from a trusted Certificate Authority (e.g. VeriSign), otherwise client machines won't trust the server and the connection cannot be established.

Note: a certificate is tied to a specific domain, which cannot be changed after creation.

For testing purposes it is possible to generate a self-signed certificate using one of these options:

1. generate a certificate using the IIS certificate management tool
2. use the makecert command line tool, which is part of the Windows SDK

Note: A self-signed certificate needs extra configuration when the EPM client and server components are not running on the same machine, because another machine won't accept it, as it is not signed by a trusted certification authority (CA).

3.1.2. Generate a self-signed certificate using the IIS Certificate Management Tool

First select the machine node in the Internet Information Services Manager, and double-click on Server Certificates.


Right-click on the Server Certificates-grid, and select Create Self-Signed Certificate in the context menu.


Note: This creates a certification authority, puts that authority into the trusted authorities store on the current machine, and then creates a certificate signed by this CA.

Next a name should be selected for the certificate. Once OK is pressed, the certificate is created.

The generated certificate is then displayed in the Server Certificates-grid.


Important note: When accessing this machine with SSL (https) the client must use the domain name that is displayed in the Issued To column. Using an alternative address (such as localhost) or an IP address will make the connection fail. The reason for this strictness is that a certificate validates an exact domain or machine. That means that when installing the client, the "<WebServiceRoot>" entry in EvogeniusConfig.xml must contain the exact domain name! Otherwise the client will not be able to authenticate against the server. Note that the domain name is NOT case sensitive!

For the client machine to accept the certificate, the self-created CA that signed our self-signed certificate must be installed as a trusted authority on the client. One way to do this is to export the self-signed certificate to a file and transfer it to the client machine.

Remark: The following steps must also be done when the EPM client is installed on the same machine as the EPM server!

To do this, right-click on the certificate in the Server Certificates-grid and select Export in the context menu.


Note: this will export both the self-signed certificate and the self-created CA.

IIS Manager Tool will then ask for a destination file path, and a password for the certificate file. Click OK to finish the export process.

This file should be transferred to the client machine.


3.1.3. Install the certificate and the Certificate Authority to the client machine

On the client machine the certificate and the CA have to be imported:

Start mmc.exe, then select File -> Add/Remove Snap-in.


Select Certificates under Available snap-ins, and click Add.

In the dialog window select Computer Account, and click Next.


On the next page Local computer will be selected by default. This is what is needed, so click Finish.


The certificate should be imported to the Trusted People store so that a connection can be established. Right-click on the Trusted People node and select All Tasks -> Import.

Please note: if the client operating system is Windows XP, this certificate file needs to be imported to the Trusted Root Certificate Authorities node. This step is done automatically by newer Windows versions (Vista, 7, Server 2008).

An Import Wizard will come up. Click Next on the Welcome page. On the File import page select the certificate file which was transferred from the server, and then click Next.


On the next page enter the password for the certificate, and click Next.


The next page is the Certificate Store page. Trusted People is selected, so simply click Next.

Click Finish on the last page, and both the certificate and the CA will be imported on the client machine.

Remark: You can leave the MMC without saving the changes - the new certificate will remain on your PC.
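One way to confirm on the client that the name in "<WebServiceRoot>" matches a certificate imported in the steps above (an added example, not part of the original guide or vendor code). It assumes the path to EvogeniusConfig.xml is passed in and that the entry holds either a URL or a bare host name.

```powershell
# Added example, not vendor code. Run on the client machine.
# Assumptions: $ConfigPath is the client's EvogeniusConfig.xml and its
# <WebServiceRoot> element holds either a URL or a bare host name.
param(
    [Parameter(Mandatory = $true)][string]$ConfigPath,
    [string]$StoreName = 'TrustedPeople'   # 'Root' on Windows XP, per the note in 3.1.3
)

[xml]$config = Get-Content -LiteralPath $ConfigPath
$node = $config.SelectSingleNode("//*[local-name()='WebServiceRoot']")
if ($null -eq $node) { throw "No <WebServiceRoot> element in $ConfigPath" }
$value = $node.InnerText.Trim()

# Reduce the entry to the host part that the certificate has to match.
$uri = $null
if ([System.Uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$uri) -and $uri.Host) {
    $serverName = $uri.Host
} else {
    $serverName = $value
}

# The guide states that localhost or an IP address makes the connection fail.
$ip = $null
if ($serverName -eq 'localhost' -or [System.Net.IPAddress]::TryParse($serverName, [ref]$ip)) {
    Write-Warning "<WebServiceRoot> uses '$serverName'; use the name from the Issued To column."
}

$certs = @(Get-ChildItem "Cert:\LocalMachine\$StoreName")
$match = @($certs | Where-Object {
    # Subject simple name (normally the CN); compared case-insensitively.
    $_.GetNameInfo('SimpleName', $false) -ieq $serverName
})

if ($match.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\$StoreName is issued to '$serverName'."
    # List the names that are present, to make a typo easy to spot.
    $certs | ForEach-Object { $_.GetNameInfo('SimpleName', $false) } | Sort-Object -Unique
    return
}
foreach ($cert in $match) {
    New-Object PSObject -Property @{
        IssuedTo   = $serverName
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt (Get-Date))
    }
}
```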

3.1.4. Using the Windows SDK with the makecert command line tool

For a tutorial on how to create self-signed certificates for test purposes see this page: http://msdn.microsoft.com/en-us/library/ff648498.aspx.

3.2. Administrative tasks before install

The web site which will host the EPM Server web application has to support the following bindings:

- https
- net.tcp
  When adding a net.tcp binding to a web site the binding information should be the following: <port>:<hostname or ip>. Usually <port>:* is sufficient. Be sure to use port 8733 - for IIS hosting a different port is used compared to self hosting.
- net.pipe
  When adding a net.pipe binding to a web site the binding information should be: *

The binding for the net.pipe protocol is mandatory, since the authentication service uses it internally. Bindings for https and net.tcp are optional; however, at least one of them is necessary, otherwise clients won't be able to use any of the services.

Important note: In rare cases using an https binding in conjunction with http can be problematic, so in case of issues try deleting the http binding while retaining the https binding. If there is a conflict because both https and http are present in the list of Site Bindings, you will receive an "Unknown error occurred" message during login, accompanied by the hint that the service "net.tcp://<machine_name_or_IP>:8733/Evogenius/ProductionSystem/UtilityService/UtilityService.svc" could not be activated. Removing the http binding from the list of Site Bindings solves this problem.

3.3. Administrative tasks after installation

The installer application will create a web application; however, before it can be used, the net.tcp and net.pipe protocols must be enabled. Navigate to the EPM Server web application node in IIS Manager (default is /Evogenius/ProductionSystem). Click Advanced Settings in the "Actions" list on the right. Enter http,net.tcp,net.pipe into the Enabled Protocols field. If either https or net.tcp is not an available binding in the hosting web site, it can be left out of the enabled protocols.


Also be sure that the application pool of the web application uses the v4.0 .NET Framework version. To do that, press the … button at Application Pool in the "Advanced Settings" dialog of the Evogenius IIS site.

At Select Application Pool please make sure the ASP.NET v4.0 is selected from the combo-box.
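The settings from sections 3.2 and 3.3 can be checked in one pass with the WebAdministration module that ships with IIS 7.5. This is an added example, not part of the original guide or vendor code; the site name is an assumption and the application path is the default named in 3.3.

```powershell
# Added example, not vendor code. Run in an elevated session on the IIS server.
param(
    [string]$SiteName = 'Default Web Site',            # assumption: the hosting web site
    [string]$AppPath  = 'Evogenius\ProductionSystem'   # default application path from 3.3
)
Import-Module WebAdministration

$findings = @()
$byProto  = @{}   # protocol -> list of binding information strings
foreach ($b in @(Get-WebBinding -Name $SiteName)) {
    $byProto[$b.protocol] += @($b.bindingInformation)
}

if (-not $byProto.ContainsKey('net.pipe')) {
    $findings += 'net.pipe binding missing: mandatory, the authentication service uses it'
} elseif ($byProto['net.pipe'] -notcontains '*') {
    $findings += "net.pipe binding information should be '*'"
}
if (-not ($byProto.ContainsKey('https') -or $byProto.ContainsKey('net.tcp'))) {
    $findings += 'neither https nor net.tcp is bound: clients cannot use any service'
}
if ($byProto.ContainsKey('net.tcp') -and -not ($byProto['net.tcp'] -like '8733:*')) {
    $findings += 'net.tcp binding does not use port 8733'
}
if ($byProto.ContainsKey('http') -and $byProto.ContainsKey('https')) {
    $findings += 'http and https are both bound: remove http if login shows "Unknown error occurred"'
}

# Enabled Protocols of the web application (Advanced Settings dialog).
$app     = Get-Item "IIS:\Sites\$SiteName\$AppPath"
$enabled = @($app.enabledProtocols -split ',' | ForEach-Object { $_.Trim() })
foreach ($proto in 'net.pipe', 'net.tcp') {
    if ($byProto.ContainsKey($proto) -and $enabled -notcontains $proto) {
        $findings += "$proto is bound on the site but missing from Enabled Protocols"
    }
}

# The application pool must run .NET Framework v4.0.
$pool = Get-Item "IIS:\AppPools\$($app.applicationPool)"
if ($pool.managedRuntimeVersion -ne 'v4.0') {
    $findings += "application pool '$($pool.Name)' runs '$($pool.managedRuntimeVersion)', expected v4.0"
}

if ($findings.Count -eq 0) { 'EPM hosting configuration matches the guideline.' } else { $findings }
```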


3.4. Security administration

3.4.1. net.tcp

By default the EPM server uses the default security configuration of the net.tcp protocol, which uses transport security and Windows authentication. This protocol is used by .NET Framework internally, so no extra configuration is required in IIS, only in the web.config file. Windows authentication makes this protocol usable only in an intranet; using a different authentication method requires configuration changes on both client and server.

3.4.2. https

By default the EPM server uses the transport security configuration for the http protocol, meaning it can be served as a standard https service, so configuration of an https binding is required.

Note: For a tutorial on how to create self-signed certificates for test purposes see this page: http://msdn.microsoft.com/en-us/library/ff648498.aspx.