CLIQ Web Manager Server Installation Instructions
Category: CLIQ/Web manager
Author: ASSA ABLOY Shared Tech
Document number: ST-001267
Revision: 7.0
Date: 2017-02-22
Pages: 19
ASSA ABLOY AB (Shared Technologies)
Table of Contents
1 INTRODUCTION ... 3
1.1 PURPOSE ... 3
1.2 SCOPE ... 3
1.3 DEFINITIONS AND ABBREVIATIONS ... 3
1.4 REFERENCES ... 3
2 CLIQ WEB MANAGER AND CLIQ REMOTE OVERVIEW ... 4
3 PREREQUISITES ... 5
3.1 APPLICATION PORTS ... 5
3.1.1 PORTS FOR TOMCAT AND APACHE CONNECTION ... 6
3.1.2 PORT FOR PROXY FOR A CERTIFICATE REVOCATION LIST ACCESS ... 7
3.2 FIREWALL CONFIGURATION ... 8
3.3 TLS SERVER CERTIFICATE ... 9
4 CLIQ WEB MANAGER DATABASE ... 9
4.1 INSTALL MICROSOFT SQL SERVER ... 9
5 ADMIN PC ... 11
5.1 INSTALL JAVA SE JRE ... 11
5.2 INSTALL CLIQ WEB MANAGER SERVICE TOOL AND PREPARE DATABASE ... 11
6 CLIQ WEB MANAGER SERVER ... 11
6.1 PREPARING TO INSTALL ... 11
6.1.1 DIGITAL CONTENT SERVER INTEGRATION ... 12
6.1.2 WEB SERVER TLS CONFIGURATION ... 12
6.1.3 DATABASE CONFIGURATION ... 12
6.1.4 CREATE WINDOWS ACCOUNTS FOR CLIQ WEB MANAGER SERVICES ... 13
6.1.5 SQL SERVER WINDOWS AUTHENTICATION ... 14
6.1.6 SQL SERVER LOGIN PERMISSIONS ... 14
6.2 RUN THE INSTALLER ... 14
6.3 VERIFY THE INSTALLATION ... 14
6.4 WEB SERVICE THROTTLING ... 15
6.5 CONFIGURATION OF TOMCAT SERVER ... 16
7 SET UP A TEST ENVIRONMENT FOR LIVE DATA ... 17
8 RUN MULTIPLE CLIQ LOCKING SYSTEMS ON ONE APPLICATION SERVER ... 17
9 APPENDIX ... 18
9.1 THE CLIQ CERTIFICATE BUNDLE (CCB) FILE ... 18
1 Introduction
1.1 Purpose
This document describes the installation procedure for the CLIQ Web Manager server
environment. For installing CLIQ Remote please see [2].
1.2 Scope
Third-party software/hardware and infrastructure configuration might be mentioned but
will not be fully covered in this guide. Refer to the third-party documentation for details.
The configuration of client PCs is covered in [1].
1.3 Definitions and Abbreviations
Expression: Description
Apache: A widely used open source web server, available at http://httpd.apache.org/
[CLIQ SERVER]: The path to your CLIQ Web Manager installation and configuration, e.g. “C:\Program Files\CLIQ Web Manager”.
CA: Certification Authority, an entity that issues digital certificates. There are many commercial CAs that charge for their services. There are also several providers issuing digital certificates to the public at no cost. Institutions and governments may have their own CAs.
C-key: Programming key
CLIQ Web Manager Service Tool: A Java application used to create the database schema, delete existing key systems, restore the database and import some of the import files (*.mnv, *.kwd).
DCS: Digital Content Server, a server hosted by Assa Abloy that provides digital content such as certificates issued by CLIQ CAs.
Enrolment Application: Application that handles certificate signing requests to DCS. It is installed together with either CLIQ Web Manager or CLIQ Remote.
.ccb file: The ServerBundle.ccb file contains the certificates and keys for securing communication within the application. The .ccb file is provided by the local CLIQ provider.
CLIQ Connect: CLIQ Connect PC is a PC client used to communicate with the local PD from the CWM web interface; mobile phone apps are also used to update keys.
1.4 References
[1] ST-001196 CLIQ Web Manager Client Installation Instructions
[2] ST-001245 CLIQ Remote Server Installation Instructions
[3] ST-001195 CLIQ Web Manager and CLIQ Remote System Requirements
[4] ST-001135 CLIQ Web Manager and CLIQ Remote Operation and Maintenance
2 CLIQ Web Manager and CLIQ Remote Overview
The picture below outlines the main components in a typical setup of CLIQ Web Manager
with CLIQ Remote.
Installation of the CLIQ Remote environment is described in [2].
This document covers the installation and configuration of the CLIQ Web Manager
environment:
CLIQ Web Manager DB
o Microsoft SQL Server handling the database
Admin PC
o CLIQ Web Manager Service Tool
CLIQ Web Manager Server
o Apache web server handling SSL connections, acting as a proxy for the Tomcat Application Server
o Tomcat Application Server running the web application
o CLIQ Web Manager web application configuration
o Optional CLIQ Remote plugin configuration
3 Prerequisites
Before starting the installation of CLIQ Web Manager, make sure that you have the
required hardware and software available, see [3] for more information.
Local administrator privileges are required to complete the installation successfully. The
installation procedure assumes that the nodes in the environment have their OS installed
and configured and are set up in a network that enables communication between the nodes
according to the figure in the CLIQ Web Manager Overview above.
CLIQ Web Manager Server requires several network ports to be available in the operating
system. Section 3.1 lists the network ports used by the application.
If CLIQ Remote is to be used, this installation procedure requires that the CLIQ Remote
environment is already installed as described in [2].
3.1 Application Ports
List of ports occupied by the application depending on product selection is presented in
the table below.
Product selection: occupied ports and purpose (* port 8019 is used only when web service throttling is enabled)

Without CLIQ Remote, without DCS integration:
80 TCP     default web traffic
443 TCP    CWM web application and web services traffic
7443 TCP   CLIQ Connect PC
8009 TCP   Tomcat and Apache connection
*8019 TCP  Tomcat and Apache connection for web services traffic
8081 TCP   proxy for certificate revocation list access

With CLIQ Remote, without DCS integration:
80 TCP     default web traffic
443 TCP    CWM web application and web services traffic
8009 TCP   Tomcat and Apache connection
*8019 TCP  Tomcat and Apache connection for web services traffic
8081 TCP   proxy for certificate revocation list access

Without CLIQ Remote, with DCS integration:
80 TCP     default web traffic
443 TCP    CWM web application and web services traffic
7443 TCP   CLIQ Connect PC
8009 TCP   Tomcat and Apache connection
*8019 TCP  Tomcat and Apache connection for web services traffic
8081 TCP   proxy for certificate revocation list access
8443 TCP   CLIQ Web Manager Enrolment traffic

With CLIQ Remote, with DCS integration:
80 TCP     default web traffic
443 TCP    CWM web application and web services traffic
8009 TCP   Tomcat and Apache connection
*8019 TCP  Tomcat and Apache connection for web services traffic
8081 TCP   proxy for certificate revocation list access
Ports 80, 443, 7443 and 8443 must not be changed. The remaining ports can be changed
after the CLIQ installation is completed. After a port configuration update, the CLIQ
Web Manager and Apache Windows services must be restarted.
3.1.1 Ports for Tomcat and Apache connection
By default, all traffic between Tomcat and Apache is handled by port 8009. When web
service throttling is enabled the traffic is split across two ports, 8009 and 8019. Port 8009
handles regular CWM web application traffic as well as the communication with the
CLIQ Remote Server, while port 8019 is designated for web services traffic only.
Changing port 8009 requires the following configuration update:
In the file <installation_directory>\apache\conf\extra\proxy-ajp.conf find lines:
ProxyPass /CLIQWebManager ajp://127.0.0.1:8009/CLIQWebManager retry=2
ProxyPassReverse /CLIQWebManager ajp://127.0.0.1:8009/CLIQWebManager retry=2
ProxyPass /CLIQWebManagerEnrolment ajp://127.0.0.1:8009/CLIQWebManagerEnrolment retry=2
ProxyPassReverse /CLIQWebManagerEnrolment ajp://127.0.0.1:8009/CLIQWebManagerEnrolment retry=2
In the file <installation_directory>\tomcat\conf\server.xml find the following lines:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="org.apache.coyote.ajp.AjpNioProtocol" redirectPort="8443" address="127.0.0.1"/>
In both files change all occurrences of 8009 to the desired port number.
If web service throttling is enabled, changing port 8019 requires the following configuration
update:
In the file <installation_directory>\apache\conf\extra\proxy-ajp.conf find line:
ProxyPass /CLIQWebManager/ws ajp://127.0.0.1:8019/CLIQWebManager/ws retry=2
In the file <installation_directory>\tomcat\conf\server.xml find the following lines:
<!-- Define an AJP 1.3 Connector on port 8019 for web services-->
<Connector port="8019" protocol="org.apache.coyote.ajp.AjpNioProtocol" redirectPort="8443"
address="127.0.0.1" maxThreads="5"/>
In both files change all occurrences of 8019 to a desired port number.
When web service throttling is not enabled, port 8019 is not occupied and its configuration
does not need to be changed.
3.1.2 Port for proxy for a certificate revocation list access
Port 8081 is used by the proxy for certificate revocation list access. Changing that port
requires the following configuration updates:
In the file <installation_directory>\apache\conf\extra\httpd-ssl.conf find lines:
# URLs to fetch the CRL files from:
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ABLOY_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_Australia_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_China_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_Hong_Kong_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_India_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_Japan_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_New_Zealand_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_Singapore_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_IKON_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Medeco_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Mul-T-Lock_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Ruko_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Shared_Technologies_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_TrioVing_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Tesa_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Keso_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Sargent_CA.txt
SSLCRL_Url http://localhost:8081/dcs/CLIQ_Corbin_Russwin_CA.txt
Listen localhost:8081
In the file <installation_directory>\apache\conf\extra\proxy-ajp.conf find the lines:
<VirtualHost *:8081>
ProxyPass /dcs http://dcscrl.assaabloy.net/
</VirtualHost>
In both files change all occurrences of 8081 to a desired port number.
3.2 Firewall Configuration
Ensure that the CLIQ Web Manager Database allows TCP traffic on port 1433 from both
the CLIQ Web Manager Server and the Admin PC, to enable the web application and the
Service Tool to communicate using the TDS protocol with the SQL Server. The default
port for TDS in the Microsoft SQL Server is 1433.
Ensure that the CLIQ Web Manager Server allows TCP traffic on port 443 from the Client
PCs, to enable the client web browsers to communicate using the HTTPS protocol with
the web server.
If integration with DCS is to be used, ensure that TCP/HTTPS traffic on port 443 from the
CLIQ Web Manager Server can reach the internet unaltered. Note that it is not required
to open incoming traffic from the internet for this purpose since this communication will
always be initiated from CLIQ Web Manager. You can also configure proxy server settings
for integration with DCS (then traffic from CLIQ Web Manager Server to DCS will be
forwarded through proxy).
The following applies only if CLIQ Remote is not to be used. The Enrolment application
will be available on port 8443 as default. Ensure that the CLIQ Web Manager Server
allows traffic on this port for the clients to enrol to log in to CLIQ Web Manager, if DCS
integration is used. The CLIQ Connect PC applications will connect to port 7443. Ensure
that the CLIQ Web Manager Server allows traffic on this port for the CLIQ Connect PC
clients to reach the CLIQ Web Manager, if CLIQ Connect PC is to be used.
Product selection: ports to open for traffic on the CLIQ Web Manager Server

Without CLIQ Remote, without DCS integration:
443 TCP    incoming from Client PCs
7443 TCP   incoming for CLIQ Connect

With CLIQ Remote, without DCS integration:
443 TCP    incoming from Client PCs
443 TCP    outgoing to the CLIQ Remote server

Without CLIQ Remote, with DCS integration:
80 TCP     outgoing to the internet (or the proxy port, if a proxy is used to reach the internet)
443 TCP    incoming from Client PCs
443 TCP    outgoing to the internet (or the proxy port, if a proxy is used to reach the internet)
7443 TCP   incoming for CLIQ Connect
8443 TCP   incoming for user clients to access the enrolment application

With CLIQ Remote, with DCS integration:
80 TCP     outgoing to the internet (or the proxy port, if a proxy is used to reach the internet)
443 TCP    incoming from Client PCs
443 TCP    outgoing to the internet (or the proxy port, if a proxy is used to reach the internet)
443 TCP    outgoing to the CLIQ Remote server
3.3 TLS Server Certificate
The TLS server certificate used by CLIQ Web Manager has to be issued by a certificate
authority (CA) that is trusted by the client web browsers; otherwise the web browsers
cannot authenticate the server. The users will be informed by a security warning that the
server cannot be trusted.
For this reason it is highly recommended to get this certificate issued by a CA that is
trusted by default by the supported web browsers to avoid configuration at each client.
Examples of such CAs are VeriSign, Comodo and RapidSSL and the product name for this
type of certificate is usually “TLS certificate” or “SSL certificate”.
As the certificate must be issued to the correct server host, e.g.
“cliqwebmanager.mycompany.com”, it is only possible to order this certificate from a CA
if you are the legitimate owner of the domain used, in this example “mycompany.com”.
Because web browsers will stop supporting SHA-1 certificates it is highly recommended
to use certificates with SHA-2 signature algorithm.
Address the CA of your choice for instructions on how to purchase a TLS server
certificate. The TLS server certificate is required when installing and configuring the CLIQ
Web Manager server.
4 CLIQ Web Manager Database
This chapter describes the steps to install and configure the software for the CLIQ Web
Manager database server.
4.1 Install Microsoft SQL Server
1. Install Microsoft SQL Server version 2012 or 2014 according to the
instructions provided by Microsoft.
For security reasons, it is highly recommended to use low privilege accounts
for SQL services during the installation. Required service permissions for
each service can be found in Microsoft SQL Server documentation.
For security reasons it is also recommended to use Windows Authentication
mode, i.e. enable Windows Authentication and disable SQL Server
Authentication, which means the built-in SQL Server system administrator
account (sa account) is disabled.
The collation should be case insensitive.
2. Install the latest Microsoft SQL Server service pack available at Microsoft.
3. Use the SQL Server Configuration Manager to enable the TCP protocol at
port 1433 for both the database server instance configuration and the client
configuration. Disable other protocols.
4. Connect to the SQL Server instance using SQL Server Management Studio
and:
a. Create a new database for CLIQ Web Manager with a name of your
choice. This name will be referred to as [CLIQWebManagerDB]
below.
If SQL Server Windows Authentication will be used to connect to
[CLIQWebManagerDB], skip the remaining steps and continue with the
chapter SQL Server Windows Authentication. Windows authentication is
the recommended connection method.
b. Create a login that CLIQ Web Manager will use to log in to the
database server. The login can use either Windows Authentication or
SQL Server authentication; Windows authentication is recommended.
The password must not contain any special characters.
c. To restrict the SQL login permissions follow the instructions in
chapter: SQL Server login permissions.
5 Admin PC
This chapter describes the steps to install and configure the software for the Admin PC.
The Admin PC is used to run the CLIQ Web Manager Service Tool. The Service Tool is
used to create the initial database schema. If the integration with DCS is enabled, the
import/migration file with the key system will be downloaded and processed automatically
by CWM. Otherwise the signed file containing the specified system must be provided
manually by the administrator.
The CLIQ Web Manager Service Tool should be run from within a network that is local to
the database. The reasons are to minimize exposure of login credentials and any locking
system files used, but also to boost performance, as there will be intense traffic between
the Service Tool and the database during the import, which would suffer from long
transmission times.
The sensitive parts of the locking system data are encrypted in the database using an
encryption password. The encryption password is defined by the user at the time the
database is first populated with the Service Tool and must be specified every time the
Service Tool connects to import more data later on. Make sure the encryption password
is not lost.
5.1 Install Java SE JRE
1. Download and install Java SE JRE from:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
See the System Requirements document to determine the version to use.
2. Open the Windows System Properties dialog, go to the Advanced tab and
open Environment Variables. Define a System variable named JAVA_HOME
and assign the path to the folder where the JRE was installed as its value,
e.g. “C:\Program Files\Java\jre7”.
5.2 Install CLIQ Web Manager Service Tool and Prepare Database
1. Copy the folder [Delivery Package]\cliq_web_manager\servicetool to a folder
of your choice.
2. Follow the procedure Importing or migrating a CLIQ locking system
described in [4] to create an initial schema in the database.
3. After the first login to the database the newest database schema will be
installed automatically. Close the Service Tool.
6 CLIQ Web Manager Server
6.1 Preparing to install
Before you start the installer please read through the following. This may help in
understanding the setup.
6.1.1 Digital Content Server Integration
Digital Content Server (DCS) is hosted by ASSA ABLOY AB and it manages and delivers
digital content, such as certificates, licenses and extension import files, to the
installations securely. You can opt for enabling enrolment and other services from the
DCS during installation. If DCS integration is enabled the CLIQ Web Manager Enrolment
Application is installed.
6.1.2 Web Server TLS Configuration
The TLS server certificate used by CLIQ Web Manager must be purchased from a commonly
trusted CA of your choice. The other certificates used by CLIQ Web Manager are included
in the certificate bundle provided to you by your CLIQ Provider. The TLS configuration
must be completed during installation.
You will need the following certificate files during the installation:
a) The certificate bundle file (ServerBundle.ccb) from your CLIQ provider.
b) The TLS server certificate to be used by CLIQ Web Manager that is purchased
from a trusted CA.
c) The TLS private key file for CLIQ Web Manager created as part of applying for the
TLS server certificate from a trusted CA.
It is common that the CA issuing the TLS server certificate is using one or more
intermediate CAs. All these certificates must form a chain from the server certificate
followed by the issuer of the previous certificate and so on up to the root CA certificate,
e.g. server cert -> intermediate CA2 cert -> intermediate CA1 cert -> root CA cert. The
root CA certificates are usually bundled with the end user’s web browser.
If you are using a browser version that is not up to date, make sure TLS 1.2 is enabled
(and TLS 1.0 disabled) in the browser and in the Java control panel.
If your TLS server certificate for CLIQ Web Manager was issued by an intermediate CA,
append the content of all the intermediate CA certificate files (PEM format) to the end of
your TLS certificate trust store chain file. The certificates in the file must be ordered
where the server certificate is first in the file followed by the issuer of the previous
certificate and so on until the last intermediate CA in the chain. The root CA does not
have to be included as it is bundled in the end user’s web browser. The content of the
resulting file should be similar to:
-----BEGIN CERTIFICATE-----
MI…
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MI…
-----END CERTIFICATE-----
6.1.3 Database Configuration
As part of the database configuration during installation, you can optionally provide
additional connection parameters that may be required by your SQL Server installation.
The text to be entered in the parameters field consists of one or more key-value pairs.
The key and the value are separated by an equals sign (“=”), and if more than one pair
are included in the string, the pairs are separated by semicolons (“;”).
Some parameters that can be configured are listed below.
encrypt: If SSL connections are accepted by the database server, setting this parameter to true ensures that SSL (TLS) is used to encrypt all communication between CLIQ Web Manager and the database.
trustServerCertificate: When using encrypt=true, the CLIQ Web Manager endpoint will trust the SQL Server certificate without validating it. This is usually required to allow connections in test environments, for example where the SQL Server instance has only a self-signed certificate.
6.1.3.1 SQL Server instance
If more than one MS SQL Server instance runs on the database server, and the
default instance is not to be used, the instance name can be given in the
following format: <SQL server hostname>[\instanceName], for example:
localhost\MSSQLSERVER2014
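The parameter string and the instance syntax above are simple, but the two parameters listed carry the whole transport-security posture of the database link. The following is an added example, not part of the ASSA ABLOY document, that parses the "key=value;key=value" string and the host[\instance] address, then reviews the result: it flags a string that leaves encrypt unset and one that carries trustServerCertificate=true into a production setting. The parameter names are the ones on the page; the review policy and function names are this example's own.

```python
import re

# Instance syntax from the page: <SQL server hostname>[\instanceName]
SERVER_RE = re.compile(r"^(?P<host>[A-Za-z0-9][A-Za-z0-9.\-]*)(?:\\(?P<instance>[A-Za-z0-9_$]+))?$")

def parse_connection_params(text):
    """Parse 'key=value;key=value' into a dict; a pair without '=' is rejected."""
    params = {}
    for pair in (p.strip() for p in text.split(";")):
        if not pair:
            continue                                   # tolerate a trailing semicolon
        if "=" not in pair:
            raise ValueError(f"malformed parameter {pair!r}: expected key=value")
        key, value = (s.strip() for s in pair.split("=", 1))
        params[key] = value
    return params

def parse_server(server):
    """Split 'host' or 'host\\instance' into (host, instance) with instance None when absent."""
    m = SERVER_RE.match(server)
    if not m:
        raise ValueError(f"unrecognised SQL Server address {server!r}")
    return m.group("host"), m.group("instance")

def review_params(params, production=True):
    """Flag parameter combinations that leave the CLIQ Web Manager -> SQL Server link unprotected."""
    warnings = []
    encrypt = params.get("encrypt", "").lower() == "true"
    trust = params.get("trustServerCertificate", "").lower() == "true"
    if not encrypt:
        warnings.append("encrypt is not true: TLS towards the database is not ensured")
    if trust and production:
        warnings.append("trustServerCertificate=true skips certificate validation; "
                        "acceptable for test environments only")
    return warnings

# Constructed parameter strings: the test-environment setting beside the production one.
TEST_PARAMS = "encrypt=true;trustServerCertificate=true"
PROD_PARAMS = "encrypt=true"

if __name__ == "__main__":
    for label, text in (("test", TEST_PARAMS), ("production", PROD_PARAMS)):
        print(label, review_params(parse_connection_params(text)) or ["ok"])
```

For a production server, the corrected string is the one with encrypt=true and trustServerCertificate absent (or false), which means the SQL Server certificate must chain to a CA the Tomcat service trusts; the self-signed shortcut belongs only in the test environment described in the table.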
6.1.4 Create Windows accounts for CLIQ Web Manager services
For security reasons it is highly recommended to run the Windows services for CLIQ Web
Manager with low privilege accounts. During installation of CLIQ Web Manager the
installer application will ask you to specify the accounts to use for both Apache and
Tomcat services. It is possible to select the same account for both services but for higher
security it is recommended to use different accounts.
To create local account(s), follow the steps described below. Alternatively an existing
domain account can be used; in that case follow the instructions in step 2 for the domain
account.
1. Create a local account with the option “User must change password at next login”
unchecked. Memorize account name and its password. Make the account member
of the Users group. The account can be created with the Computer
Management tool by selecting item Local Users and Groups/Users.
2. Grant the newly created account the following privileges:
Log on as a service
Act as part of the operating system
Deny log on locally
These privileges can be edited via the Local Security Policy tool by selecting the
item Local Policies/User Rights Assignment.
Note: if the above Windows account password is changed, the service password has
to be updated as well, otherwise the CLIQ Web Manager service(s) will stop working. See
CLIQ Web Manager and CLIQ Remote Operation and Maintenance [4] for how to configure
the service password manually.
6.1.5 SQL Server Windows Authentication
When connecting the Tomcat service to the SQL Server database it is recommended to
use Windows authentication. In such case a SQL Server login that is associated to the
Tomcat service account must be created.
Connect to the SQL Server instance using SQL Server Management Studio and:
1. Ensure that the newly created Tomcat service account can be used as a SQL
Server login with Windows authentication in the SQL Server.
2. Create a SQL Server login with Windows Authentication connected to the Tomcat
service user.
3. For database permissions see chapter SQL Server login permissions.
6.1.6 SQL Server login permissions
It is recommended to restrict the SQL Server login to the following minimum permissions.
1. Select the Login Properties/User Mapping option and check the
[CLIQWebManagerDB] database.
2. In the Database role membership for the [CLIQWebManagerDB] database, check
the roles db_datareader and db_datawriter.
Note, it is not required that the login is database owner of the [CLIQWebManagerDB]
database.
6.2 Run the Installer
The CLIQ Web Manager setup is started by running the installer executable. The
installer steps contain detailed explanations of the configuration required for the
setup. Please refer to the integrated help texts in the installer for the configuration.
If asked about installing Microsoft Visual C++ 2015 redistributable, agree to do that and
continue the CLIQ Web Manager installer afterwards.
Note: during installation of CLIQ Web Manager some anti-virus software may report a
warning about the presence of the ncat.exe file in the installation package (ncat was
added to enable sending Apache logs to an external Syslog server). If the warning
appears, please see the CLIQ Web Manager and CLIQ Remote Troubleshooting Guide
document.
6.3 Verify the Installation
To verify that the installation was successful, perform the following steps.
1. Start the Apache service or restart the service if it was already started. If
you use the Apache status monitor in the task bar, it should look like below
when the service has started (you can also check that the service is started
in Windows Administrative Tools -> Services):
2. The application server should be automatically started. An icon for “CLIQ
Web Manager” is installed in the task bar. The server can be started and
stopped by right-clicking on the icon and selecting Start Service or Stop
Service.
3. Verify that the CLIQ Web Manager starts up properly by examining the log
file cliqWebManager.log located in [CLIQ SERVER]\tomcat\logs\. Make sure
that no errors are logged and that there is a log entry stating “Initializing
CLIQ Web Manager version X, build Y”.
4. If CLIQ Remote is used and the CLIQ Remote server is running, you can
check that the communication with CLIQ Remote is working properly. When
the CLIQ Web Manager has been running for one minute it will begin
communicating with the CLIQ Remote server. Open the log file again and
look for the log entry “CLIQ Remote server status changed to: ONLINE”.
5. Proceed with installing a Client PC using the document ST-001196-CLIQ Web
Manager Client Installation Instructions and then verify that you can log in
from a Client PC and start using CLIQ Web Manager.
6.4 Web Service throttling
A high number of Web Service requests can overload the application server, which can
make the GUI unresponsive. To prevent that, Web Service throttling can be turned on. To
do so, two files have to be modified:
1. Open the file [CLIQ SERVER]\tomcat\conf\server.xml as Administrator in a text
editor.
2. Uncomment/add the web service connector:
<Connector port="8019" protocol="org.apache.coyote.ajp.AjpNioProtocol" redirectPort="8443" address="127.0.0.1" maxThreads="5"/>
3. Turn on the throttling setting by changing the attribute “value” from false to true:
<Environment name="throttlingOn" value="false" type="java.lang.Boolean" override="false"/>
4. Open the file [CLIQ SERVER]\apache\conf\extra\proxy-ajp.conf as Administrator
in a text editor.
5. Add the line:
ProxyPass /CLIQWebManager/ws ajp://127.0.0.1:8019/CLIQWebManager/ws retry=2
6. Restart the Apache and Tomcat services.
Throttling has two phases. First it is performed at connector level, which allows only 5
concurrent requests. The number of concurrent web service requests can be adjusted in
server.xml by modifying the “maxThreads” value. If this is not sufficient and the application
server would still be overloaded, throttling at application level is turned on and some
queries are discarded until the load has decreased. This keeps the GUI responsive.
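Because the throttling depends on four separate edits in two files, it is worth checking them together after the restart. The script below is an added example and is not part of the ASSA ABLOY document or product. The two configuration snippets are constructed: they hold only the elements 6.4 mentions plus an assumed base AJP connector on port 8009 and an assumed base ProxyPass rule for /CLIQWebManager (the real files contain more). The document does not state where in server.xml the Environment element sits, so the check looks for it anywhere in the tree.

```python
"""Verify the throttling settings from 6.4 in server.xml and proxy-ajp.conf.

Added example, not from the ASSA ABLOY document. Both snippets below are
constructed; the base connector on 8009 and the base ProxyPass rule are
assumptions, not values taken from the document.
"""
import xml.etree.ElementTree as ET

WS_PORT = "8019"
WS_PATH = "/CLIQWebManager/ws"
WS_TARGET = "ajp://127.0.0.1:8019/CLIQWebManager/ws"

# Constructed server.xml after steps 2 and 3 of 6.4 (value already "true").
SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1"/>
    <Connector port="8019" protocol="org.apache.coyote.ajp.AjpNioProtocol"
               redirectPort="8443" address="127.0.0.1" maxThreads="5"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/CLIQWebManager" docBase="CLIQWebManager">
          <Environment name="throttlingOn" value="true" type="java.lang.Boolean"
                       override="false"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""

# Constructed proxy-ajp.conf after step 5. The /ws rule is listed first on
# purpose: Apache checks ProxyPass rules in configuration order and the
# first match wins, so a shorter prefix listed earlier would swallow /ws.
PROXY_AJP_CONF = """\
ProxyPass /CLIQWebManager/ws ajp://127.0.0.1:8019/CLIQWebManager/ws retry=2
ProxyPass /CLIQWebManager ajp://127.0.0.1:8009/CLIQWebManager
"""


def parse_proxypass(conf: str) -> list:
    """Return (path, target, options) for each ProxyPass line, in file order."""
    rules = []
    for raw in conf.splitlines():
        tokens = raw.split()
        if len(tokens) >= 3 and tokens[0] == "ProxyPass":
            rules.append((tokens[1], tokens[2], tokens[3:]))
    return rules


def check_throttling(server_xml: str, proxy_conf: str) -> dict:
    """Check the settings 6.4 asks for; 'ok' is True only if all of them hold."""
    root = ET.fromstring(server_xml)
    ws = [c for c in root.iter("Connector") if c.get("port") == WS_PORT]
    env = [e for e in root.iter("Environment") if e.get("name") == "throttlingOn"]
    rules = parse_proxypass(proxy_conf)
    ws_idx = next((i for i, r in enumerate(rules)
                   if r[0] == WS_PATH and r[1] == WS_TARGET), None)
    # Any earlier rule whose path is a proper prefix of /ws would match first
    # and send web service calls to the unthrottled connector.
    order_ok = ws_idx is not None and not any(
        WS_PATH.startswith(r[0]) and r[0] != WS_PATH for r in rules[:ws_idx])
    result = {
        "connector_present": bool(ws),
        # Binding to 127.0.0.1, as the document's connector does, keeps the
        # AJP port unreachable from the network; only Apache on the same host uses it.
        "connector_loopback": bool(ws) and ws[0].get("address") == "127.0.0.1",
        "max_threads": int(ws[0].get("maxThreads")) if ws and ws[0].get("maxThreads") else None,
        "throttling_on": bool(env) and env[0].get("value", "").lower() == "true",
        "proxypass_present": ws_idx is not None,
        "proxypass_retry": ws_idx is not None and "retry=2" in rules[ws_idx][2],
        "proxypass_order_ok": order_ok,
    }
    result["ok"] = (all(v for k, v in result.items() if k != "max_threads")
                    and result["max_threads"] is not None)
    return result


if __name__ == "__main__":
    print(check_throttling(SERVER_XML, PROXY_AJP_CONF))
```

On a real server, read the two files from [CLIQ SERVER]\tomcat\conf\server.xml and [CLIQ SERVER]\apache\conf\extra\proxy-ajp.conf and pass their contents to check_throttling; a value of "false" for throttlingOn, the state step 3 starts from, is reported as throttling_on False.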
6.5 Configuration of Tomcat server
If a larger maximum memory pool is needed, perform the following steps:
1. Go to Tomcat’s bin directory: [CLIQ SERVER]/tomcat/bin/.
2. Run the file CLIQWebManagerw.exe.
3. Go to the Java tab and modify the Maximum memory pool value.
7 Set Up a Test Environment for Live Data
It is often a good idea to set up a replica of the live environment. It can be used to test
and practise product and hardware updates, or database operations and maintenance
without affecting or interrupting the live environment.
How to set up a replicated test environment:
1. Depending on your intentions, current environment and needs, decide on
where to install the replicated environment. It is probably a good idea to
install it separated from the live environment.
2. Install the application in the test environment according to this document.
3. Back up the live database and restore it in the test environment. (You will of
course need to do this every time you want to test something that is related
to the current state of the live database.)
4. Start the application and verify that it works.
8 Run multiple CLIQ Locking Systems on One Application Server
This section contains information about hosting several locking systems in one
installation. This means that several customers will share the same CLIQ Web Manager
and CLIQ Remote Server. The same secure user authentication as in a single locking
system installation will ensure that the clients can only access content related to their
own locking system when logged in to CLIQ Web Manager.
Pros:
- Several customers can share the same application server as well as database server.
- Several customers will have their version of CLIQ Web Manager updated at the same time.
- It is really quick to start working with CLIQ Web Manager since the server environment already exists. The only thing needed is to set up the Admin and Client PCs.
- It is possible to have locking systems both with and without CLIQ Remote in the same installation.
- It is possible to restore a single locking system from a database backup.
- It is possible to import a new locking system (or extension) without disturbing the other customers on the server.
Cons:
- All customers will run the same version of CLIQ Web Manager. This might be a problem if some customers are not prepared to do an update.
- The URL and server certificate as well as client trust will be the same for all locking systems.
- The mail server will be the same for all locking systems. E-mails from the system will be from the same sender to key holders in all locking systems.
It is not recommended to run more than 10 - 15 small locking systems on the same application server.
9 Appendix
9.1 The CLIQ Certificate Bundle (ccb) file
The ServerBundle.ccb file is a zip archive with the extension ccb. The archive is not
password protected; to get at its contents, simply use your preferred archive software
(WinZip, WinRAR or equivalent).
The contents of the ccb file are the following:
ServerBundle.ccb
|- CA
|  |- CliqCA.jks (1)
|  |- CliqCA.pem (2)
|  |- password.txt (3)
|  |- Sha2CliqCA.jks (4)
|  |- Sha2CliqCA.pem (5)
|
|- CliqWebManager
|  |- Client
|     |- cliqCwmClientCertificate.p12 (6)
|     |- password.txt (7)
|
|- RemoteServer (optional)
   |- cert.pem (8)
   |- key.pem (9)
   |- Sha2cert.pem (10)
   |- Sha2key.pem (11)
CliqCA.jks (1) - Key store containing trusted CLIQ CAs (SHA-1 version)
CliqCA.pem (2) - CLIQ CA SHA-1 certificates for trust (PEM encoded)
password.txt (3) - The JKS (1 and 4) password in clear text
Sha2CliqCA.jks (4) - Key store containing trusted CLIQ CAs (SHA-256 version)
Sha2CliqCA.pem (5) - CLIQ CA SHA-256 certificates for trust (PEM encoded)
cliqCwmClientCertificate.p12 (6) - CLIQ Web Manager SHA-256 certificate and private key for client authentication
password.txt (7) - The PKCS #12 (6) password in clear text
cert.pem (8) - CLIQ Remote Server SHA-1 certificate used for server authentication
key.pem (9) - CLIQ Remote Server private key used for server authentication with SHA-1 certificate (8)
Sha2cert.pem (10) - CLIQ Remote Server SHA-256 certificate used for server authentication
Sha2key.pem (11) - CLIQ Remote Server private key used for server authentication with SHA-256 certificate (10)
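Since the bundle is an ordinary zip archive, its layout can be checked programmatically before it is handed to an installation, and the entries that carry private keys or clear-text passwords can be listed so that they are handled accordingly. The script below is an added example and is not part of the ASSA ABLOY document or product. The sample bundle it builds in memory is constructed with placeholder contents (no real keys, certificates or passwords); only the file names and directory layout follow the listing above.

```python
"""Inventory a CLIQ Certificate Bundle (.ccb) following the layout in 9.1.

Added example, not part of the ASSA ABLOY document. The bundle is a plain
zip archive, so the standard zipfile module can read it. build_sample_bundle
creates a constructed stand-in with placeholder contents for offline use.
"""
import io
import zipfile

# Entries listed in 9.1; the RemoteServer directory is optional.
REQUIRED = {
    "CA/CliqCA.jks", "CA/CliqCA.pem", "CA/password.txt",
    "CA/Sha2CliqCA.jks", "CA/Sha2CliqCA.pem",
    "CliqWebManager/Client/cliqCwmClientCertificate.p12",
    "CliqWebManager/Client/password.txt",
}
OPTIONAL_REMOTE = {
    "RemoteServer/cert.pem", "RemoteServer/key.pem",
    "RemoteServer/Sha2cert.pem", "RemoteServer/Sha2key.pem",
}
# Entries holding private keys or clear-text passwords (items 3, 6, 7, 9, 11).
# Because the archive itself is not password protected, the whole .ccb file
# must be stored and transferred with the same care as these entries.
SENSITIVE = {
    "CA/password.txt", "CliqWebManager/Client/password.txt",
    "CliqWebManager/Client/cliqCwmClientCertificate.p12",
    "RemoteServer/key.pem", "RemoteServer/Sha2key.pem",
}


def build_sample_bundle(with_remote: bool = True) -> bytes:
    """Constructed stand-in for ServerBundle.ccb; every payload is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        names = REQUIRED | (OPTIONAL_REMOTE if with_remote else set())
        for name in sorted(names):
            if name.endswith(".pem"):
                kind = "PRIVATE KEY" if "key" in name.lower() else "CERTIFICATE"
                z.writestr(name, f"-----BEGIN {kind}-----\nPLACEHOLDER\n-----END {kind}-----\n")
            elif name.endswith("password.txt"):
                z.writestr(name, "placeholder-password\n")
            else:
                z.writestr(name, b"\x00binary placeholder")
    return buf.getvalue()


def inspect_bundle(data: bytes) -> dict:
    """Compare the archive against the 9.1 layout and classify PEM entries."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = {n for n in z.namelist() if not n.endswith("/")}
        pem_kinds = {}
        for name in names:
            if name.endswith(".pem"):
                text = z.read(name).decode("ascii", errors="replace")
                pem_kinds[name] = "key" if "PRIVATE KEY" in text else "cert"
    missing = sorted(REQUIRED - names)
    remote_present = bool(names & OPTIONAL_REMOTE)
    # If any RemoteServer entry exists, all four listed entries are expected.
    remote_missing = sorted(OPTIONAL_REMOTE - names) if remote_present else []
    unexpected = sorted(names - REQUIRED - OPTIONAL_REMOTE)
    return {
        "missing": missing,
        "remote_present": remote_present,
        "remote_missing": remote_missing,
        "unexpected": unexpected,
        "sensitive": sorted(names & SENSITIVE),
        "pem_kinds": pem_kinds,
        "ok": not missing and not remote_missing and not unexpected,
    }


if __name__ == "__main__":
    print(inspect_bundle(build_sample_bundle()))
```

To inspect a real bundle, pass the bytes of the ServerBundle.ccb file to inspect_bundle. The "unexpected" list flags any entry outside the documented layout, and "sensitive" lists the entries that must not end up on shared drives or in ticket attachments.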
Recommended