Page 1: Liquid Machines Document Control Administration Guide ...downloads.checkpoint.com/fileserver/SOURCE/direct/ID/10997/FILE/lmdc_7_1...Liquid Machines Document Control Administration

Liquid Machines Document Control Administration Guide

Version 7.1

Liquid Machines, Inc.

100 Fifth Avenue, 5th Floor

Waltham, MA 02451

1.877.88LIQUID (1.877.885.4784)

www.liquidmachines.com


Copyright/Disclaimer

Copyright © 2003 - 2008 Liquid Machines, Inc. All rights reserved. Confidential and proprietary information of Liquid Machines, Inc.

The material in this document may not in whole or in part be copied, photocopied, reproduced, translated, or converted to any electronic or machine-readable form without the prior written consent of Liquid Machines. The information in this document is for informational use only, is subject to change without notice, and should not be construed as a commitment by Liquid Machines. Liquid Machines assumes no responsibility or liability for any errors or inaccuracies that may appear in this document.

This document and the software described in this document are furnished under a license accompanying the software and may be used only in accordance with the terms of such license. By using this document, you agree to the terms and conditions of that license.

>> For other copyright and trademark information, see the Liquid Machines Copyright, included in this document package.

How to Contact Liquid Machines, Inc.

Liquid Machines, Inc.

100 Fifth Avenue, 5th Floor

Waltham, MA 02451

Phone: 877.88LIQUID (1.877.885.4784)

Fax: 781.693.3699

Email: [email protected]

www.liquidmachines.com


Table of Contents

Copyright/Disclaimer ....................................................................................................................... ii

Preface ......................................................................................................................................... vii

Book Conventions ...................................................................................................................... vii

Intended Audience ..................................................................................................................... vii

Using this Manual ...................................................................................................................... viii

Chapter 1: Supported Equipment .............................................................................................. 1-1

Introduction .............................................................................................................................. 1-2

Requirements ........................................................................................................................... 1-2

Server Requirements ............................................................................................................ 1-2

Client Requirements ............................................................................................................. 1-3

Viewer Requirements ............................................................................................................ 1-4

Typical Deployment Configuration ............................................................................................ 1-5

Basic Installations ................................................................................................................. 1-5

Enterprise Installations and Fault Tolerance ......................................................................... 1-5

Liquid Machines Document Control Services ........................................................................ 1-6

Advanced Architectures ........................................................................................................ 1-7

Microsoft RMS ...................................................................................................................... 1-7

Chapter 2: Installing the Liquid Machines Document Control Server ......................................... 2-1

Prerequisites ............................................................................................................................ 2-2

Building the Server Platform.................................................................................................. 2-2

DNS Aliases for Scalability and Recovery ............................................................................. 2-2

SSL Certificate ...................................................................................................................... 2-3

Master Encryption Key .......................................................................................................... 2-3

Service Accounts and Logins ................................................................................................ 2-3

Directory Services ................................................................................................................. 2-4

Installing a New Liquid Machines Document Control 6.x Server ............................................... 2-4

Overview ............................................................................................................................... 2-4

Installing the Software ........................................................................................................... 2-5

Running the Post-Install Configuration on the First Server .................................................... 2-6

Configuring Security Services ............................................................................................. 2-14


Load Balancing and Configuring Additional Servers ............................................................... 2-22

Aliasing the Service ............................................................................................................ 2-22

Copying Master Keys.......................................................................................................... 2-22

Installing Additional Servers................................................................................................ 2-23

Running the Post-Install Configuration on Additional Servers ............................................. 2-23

Unattended Server Installation ............................................................................................ 2-24

Parameters Required by the Unattended Install.................................................................. 2-25

Reimporting Master Keys ................................................................................................... 2-26

Removing a Server ................................................................................................................ 2-26

Removing Additional Files and Web Site Settings .............................................................. 2-26

Chapter 3: Upgrading the Server .............................................................................................. 3-1

Unattended Server Upgrade .................................................................................................... 3-3

Chapter 4: Installing the Liquid Machines Document Control Client .......................................... 4-1

Prerequisites ............................................................................................................................ 4-2

Microsoft RMS: Adjusting Internet Explorer Security Settings .................................................. 4-2

Specifying a Control Service .................................................................................................... 4-3

Installing the Client Software .................................................................................................... 4-3

Chapter 5: Upgrading the Client ................................................................................................ 5-1

Upgrading the Client ................................................................................................................ 5-2

Chapter 6: Using Default Policies .............................................................................................. 6-1

Configuring Default Policies ..................................................................................................... 6-2

Setting Up Default Policies ................................................................................................... 6-3

Chapter 7: Installing Application Security Module Updates ....................................................... 7-1

Loading the Application Security Modules ................................................................................ 7-2

Chapter 8: Liquid Machines Document Control Client Troubleshooting ..................................... 8-1

Changing the Client State ........................................................................................................ 8-2

Enabled ................................................................................................................................ 8-3

Standby ................................................................................................................................ 8-4

Disabled ............................................................................................................................... 8-4

Windows Event Log and Logging Options ................................................................................ 8-5

Configuring Liquid Machines Document Control Client Logs................................................. 8-5

Viewing Liquid Machines Document Control Client Events ................................................... 8-6

Liquid Machines Document Control Client Events ................................................................ 8-8

Gathering Diagnostics .............................................................................................................. 8-9

Tips on Gathering Diagnostics ............................................................................................ 8-13

Enabling the Diagnostics Gathering Function ..................................................................... 8-14


Chapter 9: Disaster Recovery ................................................................................................... 9-1

Preparing for Disaster Recovery ............................................................................................... 9-2

Backing Up the SQL Database ............................................................................................. 9-2

Backing Up the Master Key File for Server Recovery ............................................................ 9-2

Exporting the Server Keys for Document Recovery .............................................................. 9-2

Testing Disaster Recovery ........................................................................................................ 9-4

Testing the Infrastructure Restore Procedure ........................................................................ 9-4

Testing the Document-Only Restore Procedure .................................................................... 9-4

Disaster Recovery .................................................................................................................... 9-5

Server Recovery with Database and Master Key Backups .................................................... 9-5

Document-Only Restore ........................................................................................................ 9-6


Preface

Welcome to the Liquid Machines Document Control Administration Guide from Liquid Machines, Inc.

Book Conventions

CAUTION: Warns of actions that may result in operational issues or data loss.

NOTE: Identifies important points, helpful hints, special circumstances, or alternative methods.

This guide also uses the following typographical conventions:

>> Blue indicates a cross-reference. A cross-reference provides the location of additional information related to the topic. For example: >> For more information, see Intended Audience on page vii.

Bold indicates a menu selection or a button name. For example: From the File menu, select Exit.

Screenshots All screenshots included in this guide were taken on a system running Windows Vista with default settings. The screens you see on your system may vary depending on the operating system you are running and the display settings you have selected.

Intended Audience

This guide is intended for system administrators responsible for installing, upgrading, and maintaining the Liquid Machines Document Control server and client.


Using this Manual

This guide contains the following chapters:

Chapter 1: Supported Equipment

Chapter 2: Installing the Liquid Machines Document Control Server

Chapter 3: Upgrading the Server

Chapter 4: Installing the Liquid Machines Document Control Client

Chapter 5: Upgrading the Client

Chapter 6: Using Default Policies

Chapter 7: Installing Application Security Module Updates

Chapter 8: Liquid Machines Document Control Client Troubleshooting

Chapter 9: Disaster Recovery


Chapter 1: Supported Equipment

This chapter introduces the requirements and typical deployment configuration for Liquid Machines Document Control servers and clients.

Topics included in this chapter:

Requirements

Typical Deployment Configuration


Introduction

Liquid Machines Document Control servers must have access to a Microsoft SQL Server 2000 SP4 or SQL Server 2005 database server instance. The Microsoft SQL Server instance can:

Be installed on a Liquid Machines server.

Be installed on a separate server machine.

Come from an existing SQL Server infrastructure.

For high availability, Liquid Machines recommends that you either cluster SQL Server, or that you use log shipping to store data on a warm spare SQL Server instance.

If you want users to automatically and transparently use their Active Directory login credentials when logged into Windows, you must join the Liquid Machines servers to the Active Directory forest or trust realm where the user accounts reside.

For a Microsoft Windows Rights Management Services (RMS) security service, Liquid Machines Document Control uses the primary email address of a user as the identifier in protected documents. This means that, when integrating with Active Directory, only mail-enabled users, mail-enabled groups, and distribution lists can be used as parameters in defining roles in policies for protecting documents. For your convenience, when using Liquid Machines Document Control with an RMS security service, Liquid Machines filters out users who do not have email addresses.

Finally, if you will enable Microsoft RMS as a security service that supports the Liquid Machines installation, you must have already deployed and configured a fully working Microsoft RMS installation in the production environment where you will install the Liquid Machines Document Control server.

Requirements

Liquid Machines supports U.S. English versions of the operating systems and applications listed below.

Server Requirements

Hardware

500 MHz Pentium IV

1 GB RAM

20 GB disk space

Software

Windows Server 2003, all service packs

Internet Information Server (IIS) 6.0, enabled with an SSL certificate

Microsoft .NET Framework 2.0

Internet Explorer 6.0 or 7.0, or Mozilla Firefox 1.x or 2.x, all service packs

You must install the Application Server role and enable ASP.NET. You must then install the .NET Framework 2.0 and reconfigure IIS to use the 2.0 Framework. Step-by-step instructions are in Building the Server Platform in Chapter 2.


Client Requirements

Hardware

Pentium IV

512 MB RAM

1 GB disk space

Software

One of the following:

Windows 2000 Workstation SP4

Windows XP Professional SP2 or greater (x86 or x64 editions)

Windows Vista Business, Enterprise, or Ultimate (x86 or x64 editions), all service packs

Windows Server 2003 SP1 or later (x86 or x64 editions), for Citrix or terminal services installations

To use Microsoft RMS as a security service, you must also install the Microsoft RMS Client SP1 or SP2 or Active Directory Rights Management Services (ADRMS).

Applications

The Liquid Machines Client supports the following applications:

Adobe

Adobe Acrobat, version 6 and 7

Adobe Reader, version 7, 8, and 9

Microsoft

Microsoft Visio 2002 or 2003

Microsoft Word, Excel, and PowerPoint 2000, 2002, 2003, and 2007

From the following suites of Office Applications

Microsoft Office 2007

Standard Edition

Basic Edition

Small Business Edition

Professional Edition

Professional Plus Edition

Enterprise Edition

Ultimate Edition


Microsoft Office 2003

Standard Edition

Small Business Edition

Professional Edition

Microsoft Office XP

Standard Edition

Professional Edition

Professional Special Edition

Professional with FrontPage Edition

Developer Edition

Premium Edition

Microsoft Office 2000

Standard Edition

Small Business Edition

Professional Edition

Premium Edition

Developer Edition

Note: Use of Word as the editor in Outlook is supported; however, the Liquid Machines functionality is not available to Word when it is acting as an Outlook editor.

Viewer Requirements

Hardware

Pentium IV

256 MB RAM

1 GB disk space

Software

One of the following:

Windows 2000 Workstation SP4

Windows XP Professional SP2 or greater (x86 or x64 editions)

Windows Vista Business, Enterprise, or Ultimate (x86 or x64 editions), all service packs

Windows Server 2003 SP1 or later (x86 or x64 editions), for Citrix or terminal services installations

To use Microsoft RMS as a security service, you must also install the Microsoft RMS Client SP1 or SP2 or Active Directory Rights Management Services (ADRMS).


Typical Deployment Configuration

Basic Installations

The most common and recommended configuration for smaller installations is one server dedicated to Microsoft SQL Server 2000 or 2005 and one server dedicated to the Liquid Machines Document Control server.

Enterprise Installations and Fault Tolerance

For enterprise installations, Liquid Machines Document Control servers can share a single common database and act as a single application or server farm. A third-party load-balancing solution, such as Windows Load Balancing Services, must be used to provide a single point of access to the servers.

For enterprise installations, Liquid Machines also recommends a highly available or fault tolerant configuration for the Microsoft SQL Server. One supported approach is to cluster SQL Server. The other supported approach is to use log shipping to duplicate the database onto a warm spare SQL Server. In the event the primary SQL Server fails, you can quickly configure the Liquid Machines servers to access the warm spare.

If users outside your organization or network perimeter will access the Liquid Machines servers, you can place servers in a DMZ and have them access the same SQL database. DMZ servers must be able to reach the SQL Server and LDAP port 389 on any domain controllers for the Active Directory domains where user accounts reside. Limit the firewall rules from the DMZ to exactly those hosts and ports (SQL Server listens on TCP 1433 by default; a named instance may use a different port) rather than opening the DMZ segment to the internal network generally.

For details on how to implement any of these configurations, contact Liquid Machines Product Support.


Liquid Machines Document Control Services

The Liquid Machines server infrastructure provides three different kinds of services to the client:

A control service

A policy service

A security service, sometimes called a key service

Control Service

As a control service, the Liquid Machines Document Control server is responsible for managing the client. It supplies the client with communications information, specifies policy server configuration, and delivers client software updates and information about supported applications. This information is delivered to the client at workstation startup, during periodic client polling (based on the configurable polling period), or after an explicit user request through the Client Console.

Users can specify only one control service during a custom client installation; however, one is not required. If a server is specified as a control service, a policy service is automatically created with the same name. Such a policy service and control service are said to be co-resident; the co-resident policy service cannot be removed through the common user interface. Through its co-resident policy service, the control service pushes the list of global policy services to every user whose client identifies that server as its control service. If a control service is not specified, clients do not automatically receive client software updates.

Policy Service

As a policy service, the Liquid Machines Document Control server distributes policies and keys that are specific to an authenticated user. The policy service also receives audit information from authenticated users.

At least one policy service must be identified on the client computer for the user to be able to protect documents or access protected documents. The policy service may be the co-resident policy service (created with the control service), or there may be policy services that have been identified separately. In either case, the user must be a member of a role in a policy on that policy service and have the appropriate rights to access protected documents.

Users can manage their policy services list manually by adding and removing policy services and setting the stored credentials for each policy service. Policy services can also be added automatically when a user attempts to open a document that is protected by a policy in a new policy service. A policy service that is co-resident with a control service cannot be removed through the common user interface.

The client checks the server for updated policy information during any of these events:

System login and shutdown

Reconnect to the server

Scheduled updates

Explicit updates requested by the user through the Client Console

When access to a protected document is denied, to determine if the user’s rights have expanded to allow access


Security Service

Liquid Machines Document Control persistently protects documents through a transparent encryption process. The Liquid Machines Document Control server does not store the documents. When users protect their documents with a policy, the Liquid Machines Document Control client uses a random key to encrypt the document.

When the system protects documents, users can safely distribute them however they choose. When a user attempts to open a protected document, the client verifies the rights defined for the user.

When authorized Liquid Machines Document Control users need to access protected documents offline, they can do so as they would any document. If the user is allowed access, the client decrypts the content through the policy keys. The keys remain on the client machine until the end of the offline period defined in the role. If users need to work offline beyond that time, they must connect to the network to renew their keys.

If a user changes the policy that protects a document, and the current policy allows the change, the system re-encrypts the document and associates it with the keys of the new policy.

If users remove protection from documents (decrypting the files), and the current policy allows it, the client no longer checks user access when they open the documents, because the files no longer need keys to encrypt and decrypt their content.

The keys being used, and the authorizations being made in all these transactions, are based on a security service, an underlying infrastructure that provides for key generation, authorization, and so on.

One such security service is Microsoft RMS. If you have installed and configured Microsoft RMS at your company, you can configure the Liquid Machines Document Control server to make use of it.

Liquid Machines also offers its own security service, the Liquid Machines Security Service. You can configure the server to make use of this service, which requires no additional infrastructure and is hosted by the Liquid Machines server itself.

During the installation process, you configure the server to use the RMS Security Service, the Liquid Machines Security Service, or both. You can configure both services to operate simultaneously and choose which policies will make use of which services.
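
The lifecycle described above (a random per-document key, policy keys that the client may use offline only until the role's offline period lapses, re-encryption when the policy changes, and decryption when protection is removed) as an added example. This is illustrative code written for this page, not Liquid Machines code: the policy, role and user names are invented, the "lease" is an assumed model of the offline period, and the stream cipher is a toy HMAC-based construction used only so the example runs on Python's standard library.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) so the example needs no
    third-party library. It is NOT the product's cipher; real code should use
    AES-GCM from a vetted library. XOR makes encrypt and decrypt the same call."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


@dataclass
class Role:
    offline_period: timedelta        # how long a fetched policy key may be used offline
    can_change_policy: bool = False
    can_remove_protection: bool = False


@dataclass
class Policy:
    name: str
    roles: dict                      # user -> Role
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))  # held by the security service


@dataclass
class ProtectedDoc:
    policy: str
    nonce: bytes
    wrapped_dek: bytes               # the document's random key, wrapped under the policy key
    ciphertext: bytes


class Client:
    def __init__(self, user: str):
        self.user = user
        self.cache = {}              # policy name -> (policy key, lease expiry)

    def fetch_policy_key(self, policy: Policy, now: datetime) -> None:
        """Online step: the policy service releases the key with a lease equal
        to the offline period of the user's role (assumed model)."""
        role = policy.roles.get(self.user)
        if role is None:
            raise PermissionError(f"{self.user} holds no role in policy {policy.name}")
        self.cache[policy.name] = (policy.key, now + role.offline_period)

    def _policy_key(self, policy_name: str, now: datetime) -> bytes:
        entry = self.cache.get(policy_name)
        if entry is None or now >= entry[1]:
            raise PermissionError("offline period exceeded; reconnect to renew keys")
        return entry[0]

    def protect(self, policy: Policy, plaintext: bytes, now: datetime) -> ProtectedDoc:
        dek = secrets.token_bytes(32)   # fresh random key for this document
        nonce = secrets.token_bytes(16)
        pkey = self._policy_key(policy.name, now)
        return ProtectedDoc(policy.name, nonce,
                            keystream_xor(pkey, b"wrap" + nonce, dek),
                            keystream_xor(dek, nonce, plaintext))

    def open(self, doc: ProtectedDoc, now: datetime) -> bytes:
        pkey = self._policy_key(doc.policy, now)
        dek = keystream_xor(pkey, b"wrap" + doc.nonce, doc.wrapped_dek)
        return keystream_xor(dek, doc.nonce, doc.ciphertext)

    def change_policy(self, doc: ProtectedDoc, old: Policy, new: Policy, now: datetime) -> ProtectedDoc:
        """Re-encrypts under a new random key wrapped by the new policy; the
        current policy must grant the right."""
        role = old.roles.get(self.user)
        if role is None or not role.can_change_policy:
            raise PermissionError("current policy does not allow changing the policy")
        return self.protect(new, self.open(doc, now), now)

    def remove_protection(self, doc: ProtectedDoc, policy: Policy, now: datetime) -> bytes:
        role = policy.roles.get(self.user)
        if role is None or not role.can_remove_protection:
            raise PermissionError("current policy does not allow removing protection")
        return self.open(doc, now)


def demo() -> dict:
    """Walks the lifecycle with invented policies; returns what each step observed."""
    t0 = datetime(2008, 1, 1, 9, 0)
    finance = Policy("Finance", {"alice": Role(timedelta(days=7), can_change_policy=True)})
    legal = Policy("Legal", {"alice": Role(timedelta(hours=8), can_remove_protection=True)})
    alice = Client("alice")
    alice.fetch_policy_key(finance, t0)
    alice.fetch_policy_key(legal, t0)
    doc = alice.protect(finance, b"Q3 forecast", t0)
    seen = {"ciphertext differs": doc.ciphertext != b"Q3 forecast",
            "opens within offline period": alice.open(doc, t0 + timedelta(days=3)) == b"Q3 forecast"}
    try:
        alice.open(doc, t0 + timedelta(days=8))     # day 8: the 7-day lease has lapsed
        seen["denied after offline period"] = False
    except PermissionError:
        seen["denied after offline period"] = True
    alice.fetch_policy_key(finance, t0 + timedelta(days=8))   # reconnecting renews the lease
    seen["opens after renewal"] = alice.open(doc, t0 + timedelta(days=8)) == b"Q3 forecast"
    moved = alice.change_policy(doc, finance, legal, t0)
    seen["re-encrypted under new policy"] = moved.policy == "Legal" and moved.wrapped_dek != doc.wrapped_dek
    seen["protection removed"] = alice.remove_protection(moved, legal, t0) == b"Q3 forecast"
    return seen
```

The point to take from the model is the two-layer key structure: the server holds policy keys but not documents, and offline revocation is only as strong as the shortest offline period you grant, because a key already cached on a client stays usable until its lease runs out.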

Advanced Architectures

You can design an infrastructure in which one set of Liquid Machines servers acts as a control service for all clients in your organization, and other sets of servers act as different policy services for departmental or divisional needs. To determine whether such an infrastructure might be appropriate for your organization, contact Liquid Machines Professional Services.

It is always true that a policy on a particular server or server farm makes use of the security services configured on that server or farm. It is not possible to have one set of servers for configuring and/or hosting the security service and another for hosting policies.

Microsoft RMS

If you will enable Microsoft RMS as a security service supporting the installation, the Liquid Machines Document Control server requires a working Microsoft RMS installation. If you will serve users outside the organization or network perimeter, RMS must also be configured to support them. For more information, see the Microsoft RMS documentation.


Chapter 2: Installing the Liquid Machines Document Control Server

This chapter describes how to install the Liquid Machines Document Control Server.

Topics included in this chapter are:

Prerequisites

Installing a New Liquid Machines Document Control 6.x Server

Load Balancing and Configuring Additional Servers

Removing a Server


Prerequisites

Building the Server Platform

We recommend that you build each Liquid Machines server platform according to the following procedure:

1. Install Windows Server 2003.

2. From Start Menu > All Programs > Administrative Tools, select Manage Your Server. Use Manage Your Server to add the Application Server role. In the Add Role wizard for an Application Server, be sure to select the Enable ASP.NET check box.

3. If your Windows 2003 installation media was not already updated to Service Pack 1, install Service Pack 1 now.

4. Install any additional Windows updates you might choose or that are approved or required by your company.

5. Install Microsoft .NET 2.0 Framework Runtime. The framework is available for download from the Microsoft Web site at: http://www.microsoft.com/downloads/details.aspx?familyid=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en

6. Open a command window. Change directory (cd) to c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 and run the following command: aspnet_regiis -i

Warning: This remaps all existing ASP.NET applications on the machine to .NET 2.0. For this reason, we strongly recommend that the machine be dedicated to the Liquid Machines product. To see which IIS paths are currently mapped to which framework version before you run it, use aspnet_regiis -lk.

It is possible to host both Microsoft RMS and Liquid Machines Document Control Services on the same server; this configuration is supported by Liquid Machines.

If you intend for users to automatically and transparently make use of their Windows credentials when accessing the Liquid Machines server, then the RMS server must be joined to the same Active Directory forest where those user accounts reside.

DNS Aliases for Scalability and Recovery We strongly suggest that you create a DNS alias that Liquid Machines Document Control clients can use to access the Liquid Machines server or server farm. Using such a DNS alias allows you to easily configure a load-balancing or failover mechanism for Liquid Machines Document Control servers now or later. For example, create a DNS alias securedoc.acme.com and configure it to point to the canonical host name of the first Liquid Machines server you will install.

We strongly suggest that you create a DNS alias that Liquid Machines servers can use to access the SQL Server instance. Using such a DNS alias allows you to easily switch over to a new SQL Server instance should the primary one fail or need to be repurposed. For example, create a DNS alias lmsql.acme.com and configure it to point to the canonical host name of the SQL Server instance.


SSL Certificate You must configure IIS for HTTPS (HTTP over SSL/TLS). To do so, you must acquire and install an SSL certificate in IIS on each Liquid Machines Document Control server.

The common name of the certificate must exactly match the DNS alias you created for the Liquid Machines server. Clients validate the certificate against the name they connect to, so a certificate issued to the server's own host name produces a name-mismatch error once clients use the alias.

You may issue the certificate from an internal certificate authority if you so choose. If persons outside your company will access a given Liquid Machines server, it may make sense to acquire the certificate from a widely trusted authority, such as Verisign. A certificate from your internal authority is untrusted outside your network, which can cause problems for external users' Web proxies, for their RMS client installation if they use one, or for other network infrastructure.

It is possible to install a single certificate, issued to a single common name, on multiple servers; you would do this, for example, to support load-balanced servers in a farm. Export the certificate, including the private key, from the first server and import it into the other servers. The exported file contains the private key, so copy it only over a protected channel, restrict access to it, and delete it once every server has imported it. A public authority such as Verisign may require an additional licensing fee for the legal right to use one certificate on several servers.

If you need help acquiring, installing, importing, or exporting an SSL certificate, contact Liquid Machines Product Support.
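The following PowerShell is an added example, not code from the Liquid Machines guide or its product. It finds the certificate in the local machine store whose subject common name equals the client-facing alias, checks that it is within its validity period, chains to a root this machine trusts and has an exportable private key, and then exports it to a PFX file that the other farm members import. The alias securedoc.acme.com, the file path and the password prompt are assumptions; the key-storage flags used on import are spelled out because leaving them off is the usual reason an imported certificate stops working in IIS.

```powershell
# Added example, not code from the Liquid Machines guide.
# Alias, export path and password below are assumptions for illustration.

function Find-AliasCertificate {
    param([string]$Alias)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $found = @()
        foreach ($cert in $store.Certificates) {
            # SimpleName is the subject CN, which the guide requires to equal the alias exactly.
            $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
            if ($cn -eq $Alias -and $cert.HasPrivateKey) { $found += $cert }
        }
        return $found
    } finally { $store.Close() }
}

function Test-AliasCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        throw "Certificate $($Cert.Thumbprint) is outside its validity period"
    }
    # Chain building fails for an internal-CA certificate whose issuer this machine
    # does not trust, the same failure external users would see.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
        throw "Certificate chain does not validate: $status"
    }
    # A CAPI key can only be exported if it was marked exportable when requested.
    if (-not $Cert.PrivateKey.CspKeyContainerInfo.Exportable) {
        throw "Private key is not exportable; request the certificate again with an exportable key"
    }
}

function Export-AliasCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Path, [string]$Password)
    $pfx = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($Path, $pfx)
}

function Import-FarmCertificate {
    param([string]$Path, [string]$Password)
    # MachineKeySet: the key goes to the machine store so the IIS worker process can use it.
    # PersistKeySet: otherwise the key is deleted when the certificate object is collected.
    # Exportable is left out on farm members so the key cannot be pulled back out of them.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet, PersistKeySet"
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

# On the first server (assumed alias and path):
$certs = @(Find-AliasCertificate -Alias "securedoc.acme.com")
if ($certs.Count -ne 1) { throw "Expected exactly one certificate for the alias, found $($certs.Count)" }
Test-AliasCertificate -Cert $certs[0]
Export-AliasCertificate -Cert $certs[0] -Path "C:\secure\securedoc.pfx" -Password (Read-Host "PFX password")
# On each additional server, after copying the file:
# Import-FarmCertificate -Path "C:\secure\securedoc.pfx" -Password (Read-Host "PFX password")
```

After every farm member has imported the file, delete it: the PFX is the private key, and the SSL certificate is only as private as the least protected copy of that file. IIS still has to be told to use the imported certificate on the secure binding of the default Web site on each server.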

Master Encryption Key You must obtain a PFX (PKCS#12) file that contains an X.509 certificate with its private key. The requirements this file must meet are listed under Master Key File Requirements in Enabling the Liquid Machines Security Service.

Service Accounts and Logins

Web Application Service Account

The Liquid Machines server is a .NET Web application. You will need to create an Active Directory account under which this application runs. The same identity is used by all servers in an installation.

The identity must have both the Log on as a batch job and the Allow Logon Locally privileges on the server machine. While these privileges will be granted by the automated configuration procedure below, you must ensure that no Active Directory Group Policy will override and remove the privilege.

The service account used to access a given Active Directory domain must be a member of the Pre-Windows 2000 Compatible Access group in the Builtin container at the root of that domain. If it is not, a user who is a member of a role through group membership cannot download that policy to the client.

SQL Security Login

You must create a SQL Server security login for use by the Liquid Machines Document Control server.

You may create a blank database on your SQL Server for use with Liquid Machines. If you choose to do so, the SQL login must have Database Owner (db_owner) privileges on this database during the initial configuration.

Alternatively, you can allow the configuration to create the database for you. In that case, the login must have at least Database Creator (the dbcreator server role) privileges during the initial configuration.


After the initial configuration, you can lower the login's privileges to reader/writer (db_datareader and db_datawriter) on the configured database. Note that a login that created the database is its owner and maps to dbo regardless of role membership; transfer ownership of the database to another login before lowering the privileges.

You can create a login that uses SQL database authentication. You specify these credentials during part of the initial configuration phase documented below.

Alternatively, you can create a login that uses Windows domain-based authentication. If you use Windows authentication, the login must be the same Windows account under which the Liquid Machines Web application runs, that is, the service account you created previously.
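The following PowerShell is an added example, not the guide's own tooling. It scripts the privilege lifecycle this section describes with sqlcmd (SQL Server 2005 and later tools), run as a sysadmin over Windows authentication against the SQL alias lmsql.acme.com from the Prerequisites. The database name LMDC and the login name lmdc_svc are assumptions. Before the post-install configuration it grants dbcreator (or db_owner, for the existing-database case); afterwards it moves the login to db_datareader/db_datawriter, first transferring ownership of the database, because a login that created the database is dbo no matter which roles are removed.

```powershell
# Added example, not code from the Liquid Machines guide. The database and login
# names are assumptions; lmsql.acme.com is the SQL alias from the Prerequisites.
# sqlcmd runs as a SQL Server sysadmin over Windows authentication (-E).
$SqlServer = "lmsql.acme.com"
$Database  = "LMDC"        # name entered on the Database Connection Details page (assumed)
$Login     = "lmdc_svc"    # SQL login used by the Liquid Machines server (assumed)

function Invoke-Tsql {
    param([string]$Query)
    # -b: exit with a non-zero code on a T-SQL error so the script can stop there.
    & sqlcmd -S $SqlServer -E -b -Q $Query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed: $Query" }
}

# Before the post-install configuration.
function New-ConfigurationLogin {
    param([string]$Password, [switch]$ExistingDatabase)
    # For Windows authentication use instead: CREATE LOGIN [ACME\lmdcsvc] FROM WINDOWS;
    # with the Web application's service account, as the guide requires.
    Invoke-Tsql "CREATE LOGIN [$Login] WITH PASSWORD = N'$Password', CHECK_POLICY = ON;"
    if ($ExistingDatabase) {
        # "Use this existing database": db_owner on the pre-created, empty database.
        Invoke-Tsql "USE [$Database]; CREATE USER [$Login] FOR LOGIN [$Login]; EXEC sp_addrolemember N'db_owner', N'$Login';"
    } else {
        # "Create a new database with this name": dbcreator at server level.
        Invoke-Tsql "EXEC sp_addsrvrolemember N'$Login', N'dbcreator';"
    }
}

# After the configuration has created and initialized the database.
function Set-RuntimePrivileges {
    # A login that created the database owns it and maps to dbo regardless of role
    # membership, so ownership moves to sa before the login is reduced.
    Invoke-Tsql "ALTER AUTHORIZATION ON DATABASE::[$Database] TO [sa];"
    Invoke-Tsql "USE [$Database]; IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Login') CREATE USER [$Login] FOR LOGIN [$Login];"
    Invoke-Tsql "USE [$Database]; IF EXISTS (SELECT 1 FROM sys.database_role_members rm JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id WHERE r.name = N'db_owner' AND m.name = N'$Login') EXEC sp_droprolemember N'db_owner', N'$Login';"
    Invoke-Tsql "USE [$Database]; EXEC sp_addrolemember N'db_datareader', N'$Login'; EXEC sp_addrolemember N'db_datawriter', N'$Login';"
    Invoke-Tsql "IF IS_SRVROLEMEMBER(N'dbcreator', N'$Login') = 1 EXEC sp_dropsrvrolemember N'$Login', N'dbcreator';"
}

# Usage: run the first before the post-install configuration, the second after it.
# New-ConfigurationLogin -Password (Read-Host "Password for $Login")
# Set-RuntimePrivileges
```

The SQL password is passed on the sqlcmd command line, where other local administrators can see it in the process list; a password containing a single quote would also break the T-SQL string. Both are reasons to prefer the Windows-authentication variant the guide offers, where no password is handled at all.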

Directory Services Both Active Directory and Sun ONE LDAP directories are supported; one is configured as the default during installation. For each directory you connect to the Liquid Machines installation, every Liquid Machines server must be able to query the directory, find any user, group, or distribution list object in it, and read the relevant properties of that object. You will need to create a user account in the directory that has sufficient privileges to execute such queries.

Communication between the Liquid Machines Document Control server and the supported directory services is done through .NET Directory Services. Active Directory connections always use LDAP port 389 with a combination of the following authentication types; together they authenticate with Windows credentials and give the session integrity and confidentiality without LDAP over SSL:

AuthenticationTypes.Secure: Uses Windows Security Support Provider Interface (SSPI), similar to a Negotiate protocol.

AuthenticationTypes.Signing: Uses the signing capabilities of SSPI to provide tamper-proof messaging.

AuthenticationTypes.Sealing: Uses the encryption capabilities of SSPI to provide secure messaging.

Connections to a Sun ONE LDAP server can be made over any configured port and can use SSL (recommended) or non-SSL. If an SSL port is specified, the AuthenticationTypes.SecureSocketsLayer authentication type is used. This requires that an SSL certificate be loaded on the LDAP server and trusted by the Liquid Machines Document Control server.
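The following PowerShell is an added example, not part of the guide or its product. It opens the kind of .NET Directory Services connection described above (LDAP port 389 with Secure, Signing and Sealing), looks up an account, reads its complete group list through tokenGroups, and checks the Pre-Windows 2000 Compatible Access requirement from Service Accounts and Logins. acme.com and lmadmin are the guide's own placeholders; everything else named here is an assumption.

```powershell
# Added example, not code from the Liquid Machines guide. acme.com and lmadmin
# are the guide's placeholders; other names are assumptions.
Add-Type -AssemblyName System.DirectoryServices

function Connect-Directory {
    param([string]$Domain, [string]$User, [string]$Password)
    # Secure: SSPI (Kerberos/NTLM) bind, so no clear-text password travels over port 389.
    # Signing: integrity of every LDAP message. Sealing: encryption of every LDAP message.
    $auth = [System.DirectoryServices.AuthenticationTypes]"Secure, Signing, Sealing"
    $upn = "$User@$Domain"
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Domain}:389/RootDSE", $upn, $Password, $auth)
    $nc = $rootDse.Properties["defaultNamingContext"].Value
    return New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Domain}:389/$nc", $upn, $Password, $auth)
}

function Find-Account {
    param([System.DirectoryServices.DirectoryEntry]$Root, [string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Account $SamAccountName not found under $($Root.Path)" }
    return $result.GetDirectoryEntry()   # keeps the credentials and flags of $Root
}

function Get-AccountGroups {
    param([System.DirectoryServices.DirectoryEntry]$Account)
    # tokenGroups is the flattened list (nested groups and the primary group); memberOf
    # holds direct memberships only, so a role granted through a nested group is missed there.
    $Account.RefreshCache([string[]]@("tokenGroups"))
    $names = @()
    foreach ($sidBytes in $Account.Properties["tokenGroups"]) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { $names += $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $names += $sid.Value }   # keep the raw SID if it cannot be resolved
    }
    return $names
}

function Test-PreWin2000Access {
    param([System.DirectoryServices.DirectoryEntry]$Root, [System.DirectoryServices.DirectoryEntry]$Account)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Root)
    $searcher.Filter = "(&(objectClass=group)(cn=Pre-Windows 2000 Compatible Access))"
    [void]$searcher.PropertiesToLoad.Add("member")
    $group = $searcher.FindOne()
    if ($group -eq $null) { throw "Pre-Windows 2000 Compatible Access group not found" }
    $accountDn = $Account.Properties["distinguishedName"].Value
    foreach ($memberDn in $group.Properties["member"]) {
        # Direct membership, or membership through Authenticated Users (S-1-5-11), which
        # AD stores as a foreign security principal. Nested groups are not followed here.
        if ($memberDn -eq $accountDn -or $memberDn -like "CN=S-1-5-11,*") { return $true }
    }
    return $false
}

# Usage with the guide's placeholder names; the prompt keeps the password out of the script.
$root = Connect-Directory -Domain "acme.com" -User "lmadmin" -Password (Read-Host "Password for lmadmin")
$svc  = Find-Account -Root $root -SamAccountName "lmadmin"
Get-AccountGroups -Account $svc
if (-not (Test-PreWin2000Access -Root $root -Account $svc)) {
    Write-Warning "lmadmin is not in Pre-Windows 2000 Compatible Access; users who are role members via a group cannot download that policy"
}
```

Run it from a Liquid Machines server as the directory service account: a failure in Connect-Directory or Find-Account reproduces, outside the product, the query the server will later fail too, and a Write-Warning at the end is the group-membership symptom the Service Accounts section describes.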

Installing a New Liquid Machines Document Control 6.x Server

Overview In a load-balanced scenario, you must install the software on the first server machine. You must then initialize the database and create the initial configuration for that server machine. After that, you can install the software on additional servers and copy the master key file to all subsequent installations that will point to the same database.

For additional servers, do not attempt to access the application on a server in any way—not via the Server Administration Console, nor by configuring a client to access it—until you have properly configured all Liquid Machines Document Control servers to point to the shared database.


Installing the Software The installation does not need any configuration parameters. The installation copies code files into the Web root of the default Web site and configures them for use with IIS and .NET. You do not need to reboot the machine or restart IIS. The software must be installed by a logged in user with local administrator privileges.

1. Copy the server files from the delivery media to the hard disk of the server machine.

2. From the Server folder, run setup.exe.

3. To move past the welcome screen, click Next.

4. Read the license agreement, select I Agree if you choose to accept the license, and click Next.

5. To confirm the installation, click Next.

6. As the installation completes, you are prompted to enter the credentials of the service account you created previously (see Figure 2-1). These credentials will be used to configure the application pool under which the Liquid Machines .NET Web application runs.

Figure 2-1: Enter Credentials of Service Account Page

a. Enter the Active Directory Domain where the service account resides, for example, acme.com.

b. Enter the service account Username.

c. Enter the service account’s Password.

d. When you are finished, click OK.

7. To exit the Installation wizard, click Close.

8. If you are performing a server upgrade from one 6.x version to another 6.x version according to the instructions in Chapter 3: Upgrading the Server on page 3-1, do not perform the steps described in the Running the Post-Install Configuration on the First Server section that follows. Instead, return to Chapter 3: Upgrading the Server on page 3-1 and continue with Step 5 on page 3-2.


Running the Post-Install Configuration on the First Server You must now initialize the database for use with all servers. As part of this process, you will also automatically and transparently configure the first server.

Important: If you are performing a server upgrade from one 6.x version to another 6.x version according to the instructions in Chapter 3: Upgrading the Server on page 3-1, do not perform these steps. Instead, return to Chapter 3: Upgrading the Server on page 3-1 and continue with Step 5 on page 3-2.

If FIPS 140-2 compliance is required on the server, TLS 1.0 must be enabled in the browser that connects to it; with the Windows FIPS security policy in effect, Schannel no longer negotiates SSL 2.0 or SSL 3.0.

1. Log in to the Liquid Machines server as a user with local administrator privileges.

2. From Start Menu > All Programs > Liquid Machines Document Control, click Login.

3. A Web browser is launched. If an SSL certificate warning message appears, click Continue. The warning is expected only when the address the browser uses (for example, the local host name) differs from the certificate's common name, or when the issuer is not trusted on this machine; it should not appear for clients connecting through the DNS alias, and if it does, correct the certificate rather than ignore the warning.

4. If a message indicates that Microsoft Internet Explorer’s enhanced security configuration is enabled, you can select In the future, do not show this message. To close the dialog box, click OK. The Database Connection Details page appears (see Figure 2-2).

Database Connection Details

On this page, you must configure the database connection. This step is required.

Figure 2-2: Database Connection Details Page


1. DATABASE SERVER NAME: Enter the DNS alias you created for the SQL database, the one that Liquid Machines servers will use to access the SQL Server instance. Note: Liquid Machines does not support SQL instances other than the default, unnamed instance on a given SQL server.

2. Select one of the following:

Use this existing database: (must already exist, all data in db will be lost). Note: This only reuses the database container and files. All existing data and schema will be removed from the database. This means the SQL login you use must have at least Database Owner rights on the existing database. This feature is meant to permit reuse of the container, not to preserve existing data.

Create a new database with this name:. Note: If the database already exists, it will be dropped and all data will be lost.

Use a prepopulated, existing database, maintaining the data. Note: This choice requires that the database has already been set up, generally because this is an upgrade, or is an install as part of a cluster.

3. DATABASE NAME: Enter the name that the configuration program will use when it creates the SQL database. The name must conform to SQL Server requirements and conventions.

4. Select one of the following:

Use Integrated Windows Authentication: If you will use Windows authentication to access the database. The credentials used will be the same ones you used in the Service Account Credentials dialog box, described on page 2-5.

Use the following SQL Server credentials: If you will use SQL authentication to access the database.

USERID: Enter the login name of the SQL login you created, the one that has at least Database Creator privileges.

PASSWORD: Enter the password for this SQL login.

CONFIRM PASSWORD: Enter the password again.

5. When you are finished, click Next. The Directory Service Settings page appears.

Directory Services

On this page, you must configure a connection to either a Microsoft Active Directory Server or a Sun ONE LDAP Server. This will become the default directory service.

1. Select a directory type.

Microsoft Active Directory Server (see page 2-8)

Sun ONE LDAP Server (see page 2-9)


Microsoft Active Directory Server

Figure 2-3: Directory Service Settings Page for Microsoft Active Directory Server

1. For directory type Microsoft Active Directory Server (see Figure 2-3), complete the following fields.

DOMAIN NAME: Enter the Active Directory fully qualified domain name of the domain you will access, for example acme.com.

DESCRIPTION: Enter the Active Directory description.

DIRECTORY SERVICE CREDENTIALS: Select one of the following:

Use the credentials of the service account.

Use the following credentials:

USER ACCOUNT: Enter the plain user account login, for example, lmadmin.

PASSWORD: Enter the user’s password.

CONFIRM PASSWORD: Enter the user’s password again.

2. When you are finished, click Next. The Add Administrator for this Server page appears (see Figure 2-4).

3. Go to Add Administrator for this Server on page 2-11.


Sun ONE LDAP Server

Figure 2-4: Directory Service Settings Page for Sun ONE LDAP Server

1. For directory type Sun ONE LDAP Server (see Figure 2-4), complete the following fields.

SERVICE NAME: How the directory will be referenced. When logging into the Liquid Machines server as a Sun ONE LDAP user, the form of the name is userID@ServiceName. For example, if the Login Attribute is the user's unique ID and the service name is Acme.com, the login takes the form userID@Acme.com. The Service Name must be unique. Note: The Service Name provides a level of indirection for referencing the server, so that an Active Directory domain server and a Sun ONE LDAP server could potentially share the same name space.

SERVER HOST NAME: The actual DNS name of the Sun ONE server.


PORT: The port of the Sun ONE Directory Server. A non-SSL port should only be used in secure testing environments or when the security of directory information is considered unimportant. Passwords and other sensitive information are passed in the clear and are subject to discovery by network sniffers.

USE SSL: Select this check box to use the secure SSL port of the Sun ONE Directory Server. The Directory Server must be configured with a certificate used for identification and encryption. The signer of the certificate must be trusted by the Liquid Machines Server (that is, added to the Trusted CA certificates list).

DESCRIPTION: A descriptive name for the directory service. This name appears in the Select Users and Select Administrators dialog boxes.

LOGIN ATTRIBUTE: In LDAP, objects are authoritatively identified by their distinguished name (dn; for example, uid=fsmith,ou=People,dc=Acme,dc=com). Every directory object has a number of attributes that describe it. For the Login Attribute, the login sequence first searches the directory for a person whose value of the defined attribute equals the login name. The dn of that person is taken from the object found, and the actual login to the server then proceeds using the dn and the password. For Sun ONE LDAP, the default login attribute is uid. Only the first user found with a matching login attribute value is used, so specify an attribute whose value is unique in your directory; with a duplicate value, a different entry than the intended one can be selected. If this parameter is omitted, the default login attribute is used. Note: A user can always log in with their full distinguished name and service name.

USER SEARCH ROOT: In LDAP, it is common to set up a hierarchical structure based on organizational units (ou). This segregation helps searches to be more efficient. The User Search Root allows you to define where your directory tree users are defined. This can be the root of the tree or any child branch. Users are only searched at the level of the User Search Root and below. If this parameter is omitted, the root directory of the service will be used.

GROUP SEARCH ROOT: This is similar to the User Search Root. When determining a user’s group membership, only groups at this level and below will be found. If this parameter is omitted, the root directory of the service will be used.

DIRECTORY SERVICE CREDENTIALS:

USER ACCOUNT: This must be a distinguished name (for example, uid=fsmith,ou=People,dc=Acme,dc=com). No other formats will be accepted.

PASSWORD: Enter the password for this directory account.

CONFIRM PASSWORD: Enter the password again, to verify it.

2. When you are finished, click Next. The Add Administrator for this Server page appears (see Figure 2-5).

3. Go to Add Administrator for this Server on page 2-11.
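The following PowerShell is an added example (not code from the guide or from Sun ONE) that carries out the login sequence the Login Attribute field describes, using System.DirectoryServices.Protocols: bind as the directory service credentials, search the User Search Root for the Login Attribute, then bind again as the distinguished name found, with the user's password. Unlike the server, it refuses an ambiguous match instead of taking the first hit, and it refuses an empty password, because an LDAP simple bind with a DN and an empty password is treated as anonymous and would appear to succeed. The host ldap.acme.com, port 636, the service DN and the ou=People search root are assumptions; fsmith and dc=Acme,dc=com follow the guide's examples.

```powershell
# Added example, not code from the Liquid Machines guide or Sun ONE.
# Host, port, DNs and attribute names are assumptions; fsmith and
# dc=Acme,dc=com follow the guide's own examples.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-Ldap {
    param([string]$HostName, [int]$Port, [bool]$UseSsl, [string]$BindDn, [string]$Password)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, $Port)
    $cred = New-Object System.Net.NetworkCredential($BindDn, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3
    # Basic is an LDAP simple bind: without SSL the DN and password cross the wire in
    # the clear, which is the guide's warning about non-SSL ports. With SSL the server
    # certificate must chain to a CA this machine trusts.
    $conn.SessionOptions.SecureSocketLayer = $UseSsl
    $conn.Bind()
    return $conn
}

function Resolve-LoginDn {
    param($Conn, [string]$UserSearchRoot, [string]$LoginAttribute, [string]$LoginName)
    # Escape the RFC 4515 filter metacharacters so a login name cannot change the filter.
    $escaped = $LoginName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest($UserSearchRoot, "($LoginAttribute=$escaped)",
        [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]@("1.1"))   # 1.1 = return DNs only
    $resp = $Conn.SendRequest($req)
    $n = $resp.Entries.Count
    if ($n -eq 0) { throw "No entry has $LoginAttribute=$LoginName under $UserSearchRoot" }
    if ($n -gt 1) { throw "$n entries match $LoginAttribute=$LoginName; pick an attribute that is unique" }
    return $resp.Entries[0].DistinguishedName
}

function Test-UserLogin {
    param([string]$HostName, [int]$Port, [bool]$UseSsl, [string]$ServiceDn, [string]$ServicePassword,
          [string]$UserSearchRoot, [string]$LoginAttribute, [string]$LoginName, [string]$UserPassword)
    # An LDAP simple bind with a DN and an empty password is an anonymous bind (RFC 4513
    # section 5.1.2): it succeeds without proving anything, so it is refused up front.
    if ([string]::IsNullOrEmpty($UserPassword)) { throw "Empty password refused" }
    $svc = Connect-Ldap $HostName $Port $UseSsl $ServiceDn $ServicePassword
    try { $dn = Resolve-LoginDn $svc $UserSearchRoot $LoginAttribute $LoginName } finally { $svc.Dispose() }
    $user = Connect-Ldap $HostName $Port $UseSsl $dn $UserPassword   # throws LdapException on a bad password
    $user.Dispose()
    return $dn
}

# Usage (assumed host, port and DNs). The user types fsmith@Acme.com in the client;
# the part before @ is looked up in the uid attribute, as the Login Attribute field explains.
$dn = Test-UserLogin -HostName "ldap.acme.com" -Port 636 -UseSsl $true `
    -ServiceDn "uid=lmsvc,ou=People,dc=Acme,dc=com" -ServicePassword (Read-Host "Service account password") `
    -UserSearchRoot "ou=People,dc=Acme,dc=com" -LoginAttribute "uid" -LoginName "fsmith" -UserPassword (Read-Host "Password for fsmith")
"Login accepted for $dn"
```

The two failure modes worth trying on purpose are a login name shared by two entries (the script stops where the server would silently pick the first) and a user with an empty password (the script refuses where a naive simple bind would succeed).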


Add Administrator for this Server

On this page, you must configure the first administrator account. This step is required.

Figure 2-5: Add Administrator for this Server Page

1. USER NAME: Enter the user name of a user account in the Directory Service you just configured. Use the simple login name with no domain qualifier. This user account will have Full Administrator privileges on the Liquid Machines installation, and you will use it to log in to the Server Administration Console and further manipulate the installation. With the Server Administration Console, you can add other accounts as administrators or remove this one later.

2. When you are finished, click Next. The Server Information page appears (see Figure 2-6).


Server Information

On this page, you must enter some additional information that will affect how clients connect to the server.

Figure 2-6: Server Information Page

1. Client-facing Hostname: Enter the DNS alias you created as part of the prerequisites, the one that clients will use to connect to the Liquid Machines server. When you install clients, you will configure them to point to this DNS alias.

2. Server Friendly Name: Enter a name that will clearly identify this server installation to your client users, for example, ACME Document Protection Server. This name will be visible to users in the client interface when they make choices that protect documents.

3. When you are finished, click Next. The Configuration Progress page appears (see Figure 2-7).


Configuration Progress

The Configuration Progress page shows the steps it will take after you finish.

Figure 2-7: Configuration Progress Page

1. When you are finished, click Finish to complete the configuration process. The configuration program now creates the SQL database on the SQL Server instance or uses the specified database and initializes it with configuration data. The program also automatically configures this server to use the database. It immediately presents you with a login page to the administrative interface for the installation (see Figure 2-8).


Log In

Figure 2-8: Log In Page

You can now log in, using the account you chose as an administrator during the configuration process, and further configure the installation. For more information, see the online Server Administration Help.

Configuring Security Services Before clients can use the Liquid Machines server to protect documents, it must be configured with at least one security service. Log in to the Server Administration Console and configure the security service now. You can choose the Liquid Machines Security Service, the Microsoft RMS Security Service, or both.

1. If you have not already logged in, log in to the Liquid Machines Server Administrator Console as the administrator you defined in the configuration. The first time you log in to the first server, after you have completed the post-install configuration, the Security Services page opens (see Figure 2-9), where you can define security services.


Security Services

Figure 2-9: Security Services Page

2. Enable the Liquid Machines Security Service (see page 2-16), the Microsoft RMS Security Service (see page 2-20), or both.


Enabling the Liquid Machines Security Service

1. To enable the Liquid Machines Security Service, on the Security Services page, next to Liquid Machines Security Service, click Edit. The LMKS Master Key Configuration page appears (see Figure 2-10).

LMKS Master Key Configuration

On this page, you will be required to upload an X.509 certificate with private key.

Figure 2-10: LMKS Master Key Configuration Page

The Master Key File Name (Master.pfx) appears; you cannot change it.

2. Master Key Location: Enter the fully qualified path where the master key store is to be created. The path must be a directory on the server's fixed hard drive; UNC paths, mapped network drives, and removable drives are not supported.

Create directory if it does not already exist: To create the directory for the master key, select this check box. If you do not select this check box, the directory for the master key must already exist. Notes:

The Master Key Location must be the same across all servers in a cluster.

The Master Key Location directory must be manually configured on subsequent Liquid Machines Document Control server installations in a clustered environment. The directory must be identical to the first installation.

If you selected the option to use a prepopulated database during post-install configuration, this option is not available.

3. Master Key Password: Enter a password to protect the master key.


4. Confirm Password: Enter the Master Key Password again, for confirmation. Note: Make sure you write down the password and store it in a safe location. The password for the master key cannot be recovered by any means.

5. Fully Qualified Domain: Enter the fully qualified domain name of the service account.

6. User Account: Enter the login name for the service account.

7. Account Password: Enter the password for the service account.

8. When you are finished, click Save. The Liquid Machines Security Service page appears (see Figure 2-11).

Liquid Machines Security Service

Figure 2-11: Liquid Machines Security Service Page


9. Select the check box to Enable the Liquid Machines Security Service. The other fields become activated (see Figure 2-12).

Figure 2-12: Additional Fields Enabled on the Liquid Machines Security Service Page

10. Content Key: Select the encryption algorithm and bit strength for the keys that will protect each individual document.

11. Policy Key: Select the encryption algorithm and bit strength for the keys that will protect a given set of content keys associated with a policy.

12. Issue new key every: Select the number of days for which a key will be considered valid. This value is used in conjunction with a policy’s configured offline time to determine the number of keys issued to a user.

13. For the following situations, select the check box to Upload a new master key:

When you are enabling the Liquid Machines Security Service for the first time.

When the current master key is about to expire. The expiration date for the current master key is displayed on the About this Application page, which is available from Settings.

When you select this check box, you must also browse to select the Master Key File and enter the Password for the master key.


Master Key File Requirements:

When FIPS 140-2 compliance is not required: You will need a Master Key file whose key is RSA 1024, RSA 2048, or RSA 4096 and whose certificate is valid at the time of the upload. The uploaded file must be in Personal Information Exchange format (commonly called PFX or PKCS#12).

For a FIPS 140-2 compliant X.509 certificate and private key:

The certificate must be valid with respect to its start and end dates.

The certificate and keys must use FIPS 140-2 approved algorithms.

Keys must be RSA (for example, RSA 2048). DSA and ECDSA are not supported.

Digital signatures must be DES or 3DES with SHA-1.

The enhanced key usage must include Server Authentication (1.3.6.1.5.5.7.3.1).

The certificate should be valid for both signing and key/data encipherment.

The X.509 certificate and private key must be exported to a PKCS#12 file before it can be uploaded to the Liquid Machines Document Control server:

The PKCS#12 file must contain one and only one X.509 certificate.

The PKCS#12 file must contain the private key associated with the public key of the X.509 certificate.

The PKCS#12 file may use non-FIPS algorithms to encrypt or sign its contents, as permitted by the PKCS#12 specification; the FIPS requirements apply to the certificate and key inside the file, not to the container. We recommend using a certificate and private key exported to a PKCS#12 file from the Microsoft Windows Certificates snap-in. A PKCS#12 file generated in this manner has the following characteristics (the 40-bit RC2 protection covers only the public certificate, while the private key is protected by 3DES under the file password, so choose a strong password and protect the file at rest):

Certificate encrypted using pbeWithSHA1And40BitRC2-CBC

Private key encrypted using pbeWithSHA1And3-KeyTripleDES-CBC

14. FIPS 140-2 compliance: To enable compliance with Federal Information Processing Standard (FIPS) Publication 140-2, select this check box and follow the Master Key File Requirements for a FIPS 140-2 compliant X.509 certificate and private key, above.

15. To activate your changes, click Save.

16. Restart the IIS service.

17. Immediately back up the master key store and server database. Store the backups in a secure location, protected against unauthorized use. These backups will be required if disaster recovery is needed in the future. For details, see Preparing for Disaster Recovery on page 9-2.
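The following PowerShell is an added example, not the guide's own tooling, for checking a candidate PKCS#12 file against the Master Key File Requirements above before it is uploaded: exactly one certificate, a private key, an RSA key of 1024, 2048 or 4096 bits, current validity dates, the Server Authentication enhanced key usage, and digitalSignature plus key or data encipherment in the key usage extension. The file path and the password prompt are assumptions. The certificate's signature algorithm is reported rather than judged, so it can be compared by hand with the FIPS 140-2 list.

```powershell
# Added example, not code from the Liquid Machines guide. The file path and
# password in the usage line are assumptions.
function Test-MasterKeyFile {
    [CmdletBinding()]
    param([string]$Path, [string]$Password)
    $problems = @()
    $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    # DefaultKeySet without PersistKeySet: the private key is not left behind in a key container.
    $coll.Import($Path, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    if ($coll.Count -ne 1) { return @("PKCS#12 file must contain exactly one certificate, found $($coll.Count)") }
    $cert = $coll[0]
    if (-not $cert.HasPrivateKey) { $problems += "No private key for the certificate in the file" }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "Certificate is not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))"
    }
    # RSA 1024/2048/4096 only; DSA and ECDSA keys are not supported.
    $rsa = $cert.PublicKey.Key -as [System.Security.Cryptography.RSA]
    if ($rsa -eq $null) { $problems += "Key algorithm is $($cert.PublicKey.Oid.FriendlyName), not RSA" }
    elseif (@(1024, 2048, 4096) -notcontains $rsa.KeySize) { $problems += "RSA key size $($rsa.KeySize) is not 1024, 2048 or 4096" }
    # Enhanced key usage must include Server Authentication.
    $serverAuth = $false
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -ne $null) { foreach ($oid in $eku.EnhancedKeyUsages) { if ($oid.Value -eq "1.3.6.1.5.5.7.3.1") { $serverAuth = $true } } }
    if (-not $serverAuth) { $problems += "Enhanced Key Usage does not include Server Authentication (1.3.6.1.5.5.7.3.1)" }
    # Key usage: signing and key/data encipherment. No key usage extension means unrestricted.
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku -ne $null) {
        $KUF = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        if (($ku.KeyUsages -band $KUF::DigitalSignature) -eq 0) { $problems += "Key usage lacks digitalSignature" }
        if (($ku.KeyUsages -band ($KUF::KeyEncipherment -bor $KUF::DataEncipherment)) -eq 0) { $problems += "Key usage lacks key or data encipherment" }
    }
    # Reported, not judged: compare with the FIPS 140-2 list in the requirements above.
    Write-Verbose "Signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"
    return $problems
}

$issues = @(Test-MasterKeyFile -Path "C:\secure\master-candidate.pfx" -Password (Read-Host "PFX password") -Verbose)
if ($issues.Count -eq 0) { "Master key file meets the requirements" } else { $issues | ForEach-Object { "PROBLEM: $_" } }
```

A wrong password surfaces as a CryptographicException from the Import call rather than as a listed problem. Run the check on a copy of the file in a location only administrators can read, and treat that copy like the master key store itself: the upload is the last time the private key should exist anywhere other than the key store and its backup.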


Enabling the Microsoft RMS Security Service

1. To enable the Microsoft RMS Security Service, on the Security Services page (see page 2-15), next to Microsoft RMS Security Service, click Edit. The Microsoft RMS Security Service page appears (see Figure 2-13). Note: When using RMS as a security service, only Active Directory users and groups can be used as members of a policy; Microsoft RMS does not support Sun ONE LDAP.

Microsoft RMS Security Service

Figure 2-13: Microsoft RMS Security Service Page

2. Select the check box to Enable the Microsoft RMS Security Service.

3. CERTIFICATION SERVICE URL: Enter the certification URL for your RMS installation. It is typically found on the home page of the RMS Web Administration Console.

4. LICENSING SERVICE URL: Enter the licensing URL for your RMS installation. It is typically found on the home page of the RMS Web Administration Console.

5. RMS TEMPLATE DIRECTORY: Enter the directory where you store RMS templates, the one where RMS clients look to find them. If you do not use RMS templates, you can skip this step.

6. To activate your changes, click Save. The Security Services page appears (see Figure 2-14).


Selecting a Default Security Service

When you enable a security service, you allow client applications to use that service as the infrastructure when protecting documents. On the Security Services page, when more than one security service is configured, you can select one as the default. The default security service appears as the first, or most accessible, option in the client application.

Security Services

Figure 2-14: Security Services Page

Below the service you want as the default, select Set as Default.

Aliasing the Service

If you followed our recommendation and created a DNS alias for the Liquid Machines Document Control installation, we assume you entered it as the Client-facing Hostname (see Step 1 of the Server Information on page 2-12).

If you did not, follow the steps described in Aliasing the Service on page 2-22 to configure the server with the DNS alias.


Load Balancing and Configuring Additional Servers

Aliasing the Service

To load balance several servers against the same configuration, you must first alias the service name by which clients will address these servers. We assume you already did this as part of Running the Post-Install Configuration on the First Server on page 2-6. If you did not, we strongly recommend that you take this step now, even if you do not plan to load balance. Taking this step will give you broader options in the future for scalability and help streamline disaster recovery.

First, choose a DNS name by which clients will address the load-balanced servers, or service. Choose a name that makes sense given your company’s DNS infrastructure and the scope of installation. For example, if this is a company-wide installation and you will support users outside the company, choose a name at the root of your DNS domains, and one that is published to the Internet, for example, lmdc.acme.com.

For now, create a DNS alias with this name and make its target be the canonical host name or IP address of your first Liquid Machines server. Later, when you have configured your load balancer and prepared additional Liquid Machines servers for use with it, you can set this DNS alias to have the load balancer’s IP address as its target.

Now you must reset the Client-facing Hostname of the Liquid Machines configuration. (To ensure client connectivity, these steps must be completed before copying to additional machines).

1. Log in to the Liquid Machines Server Administrator Console as the administrator you defined in the configuration.

2. Click in the upper-right corner.

3. Click in the navigation bar at the left.

4. In the Client-facing Hostname field, enter the fully qualified DNS alias you defined above, for example lmdc.acme.com.

5. To save your changes, click Save.

Copying Master Keys

To configure additional servers to make use of the installation, you must copy the master key from a working server. It isn't absolutely necessary to stop IIS, but client polls will fail until the redundant server's master keys have been updated.

If you enabled the Liquid Machines Security Service on the working server, you must copy the Master.pfx file from the master key location on the working server to the same location on the new server. The Master.pfx file will be in the directory you specified on the LMKS Master Key Configuration page (see page 2-16). You must also grant the Web Application Service Account full rights to this location on the new server.


Installing Additional Servers

Install the software on the new server, according to the instructions in Installing the Software on page 2-5. Do not continue with the steps in Running the Post-Install Configuration on the First Server on page 2-6. Instead, follow the steps in Running the Post-Install Configuration on Additional Servers on page 2-23.

Alternatively, you can perform an unattended installation to install multiple application nodes in a load-balanced environment. Before you can do so, an operational Liquid Machines Document Control server database must be running, and that database must correlate to the version of the application being installed (see Unattended Server Upgrade on page 3-3).

Running the Post-Install Configuration on Additional Servers

Note: This step is not required with an unattended server installation.

1. Log in to the Liquid Machines server as a user with local administrative privileges.

2. From Start Menu > All Programs > Liquid Machines Document Control, click Login.

3. A Web browser is launched. If an SSL certificate warning message appears, click Continue to close it.

4. If a message indicates that Microsoft Internet Explorer’s enhanced security configuration is enabled, you can select In the future, do not show this message. To close the dialog box, click OK.

5. The Database Connection Details page appears. On this page, you must configure the database connection. This step is required.

6. DATABASE SERVER NAME: Enter the same database server name as on the first server and select Use a prepopulated, existing database, maintaining the data.

7. DATABASE NAME: Use the same method and credentials as on the first server.

8. When you are finished, click Next. The Login page appears, and the machine is ready for use.

You can now configure clients to access this server, or your load-balancing or failover configuration to consider this server as available.

You can also log in to this server’s Server Administration Console and further configure the installation. Changes you make to the installation on any server will be written to the shared database and automatically affect all servers. Refer to the online server help for more information.


Unattended Server Installation

Before you can install additional application nodes in unattended mode, you must perform one attended installation and complete the post-installation configuration process. The first installation will generate a database connection string and a service account, which are required command-line input to the unattended installation. You can install additional application nodes by running an attended or unattended installation on the target machine.

Generating the Unattended Install Script

The unattended installation must be executed with several parameters to be able to run to completion without further user input. These parameters are:

The database connection string

The service account username

The service account password

The GenUnattendedUpgradeScript tool collects these parameters from an existing installation node and outputs a script (a Windows .cmd file) that automates the steps to upgrade the server. GenUnattendedUpgradeScript takes a single parameter that designates the name of the script file to generate (for example, GenUnattendedUpgradeScript upgrade.cmd).

Run GenUnattendedUpgradeScript on an existing Liquid Machines Document Control application node (either a server to be upgraded or an already upgraded server) to collect the information it needs. You can then run the resulting script on any application node that needs to be upgraded or on any new server on which the prerequisites for the Liquid Machines Document Control server have been installed.

Running the Unattended Install Script

To run the generated install script, follow these steps. These steps use the example script file name upgrade.cmd; use the name designated for your script file.

1. Copy LiquidMachines-DocumentControl.msi from the installation folder to the target server machine.

2. Copy upgrade.cmd to the same folder on the target server machine.

3. Execute upgrade.cmd on the target server machine.

This process has been designed to allow using the Windows Rexec utility or Sysinternals PsExec to remotely execute upgrade.cmd from a central server, to enable an automated push of upgrades to a server farm.


Parameters Required by the Unattended Install

Running the installer in unattended mode requires that three MSI parameters be passed to the installer on the command line (see Table 2-1).

Table 2-1: MSI Parameters for Unattended Mode

LMAPPPOOLACCOUNT
    Description: The name of the user account under which the Liquid Machines Document Control server Web applications will run.
    Sample value: SOMEDOMAIN\SomeUser -or- [email protected]

LMAPPPOOLPASSWORD
    Description: The LMAPPPOOLACCOUNT user's password.
    Sample value: Myp@assword!

LMDBSTR
    Description: The database connection string. This database must have already been created and populated by an attended installation.
    Sample value: "Data Source=SQLSVR1;Initial Catalog=LMDCServer;Integrated Security=True"

To run an unattended installation directly (as opposed to generating and using the upgrade script), you must first uninstall the previous version of the Liquid Machines Document Control server (if any). To uninstall the existing software in unattended mode, execute the following command from a command prompt:

cmd /c msiexec /q /x {A5D605ED-47E2-4ED4-A12D-D3E23C79D0A1}

After this command completes, execute the new version's installer directly from the command line, with the following options:

LiquidMachines-DocumentControl.msi /qb- LMAPPPOOLACCOUNT=SOMEDOMAIN\SomeUser LMAPPPOOLPASSWORD=Myp@assword! LMDBSTR="Data Source=SQLSVR1;Initial Catalog=LMDCServer;Integrated Security=True"

The /qb- switch instructs the Windows Installer to display a progress bar but not to display any UI that requires a user response.

/q or /qn causes a completely silent install.
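The uninstall-then-install sequence above, wrapped so that Windows Installer exit codes are checked rather than ignored. This is an added example written for this guide, not a script shipped by Liquid Machines: the product code GUID and the three MSI property names are the ones given above, while the MSI path, log folder, account name and connection string are placeholders to replace with your own values.

```powershell
# Added example, not from the Liquid Machines guide: run the silent uninstall and
# the unattended install described above, with Windows Installer exit-code checks.
# The product code GUID and the three MSI property names come from the guide; the
# MSI path, log folder, account name and connection string are placeholders.
param(
    [string]$MsiPath = 'C:\Install\LiquidMachines-DocumentControl.msi',   # placeholder
    [string]$AppPoolAccount = 'SOMEDOMAIN\SomeUser',                      # placeholder (LMAPPPOOLACCOUNT)
    [string]$DbConnectionString = 'Data Source=SQLSVR1;Initial Catalog=LMDCServer;Integrated Security=True',
    [string]$LogFolder = 'C:\Install\Logs'                                # placeholder
)
$ErrorActionPreference = 'Stop'
$previousProductCode = '{A5D605ED-47E2-4ED4-A12D-D3E23C79D0A1}'   # product code given in the guide

# Windows Installer exit codes this script distinguishes
$msiOk = 0; $msiRebootRequired = 3010; $msiUnknownProduct = 1605

function Invoke-Msiexec([string[]]$Arguments) {
    # Runs msiexec synchronously and returns its exit code
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

if (-not (Test-Path $MsiPath)) { throw "MSI not found: $MsiPath" }
New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null

# Prompt for the LMAPPPOOLPASSWORD value so it is not stored in the script itself.
$secure = Read-Host -AsSecureString -Prompt "Password for $AppPoolAccount"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plainPwd = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# 1. Silent uninstall of the previous version. 1605 means no such product is
#    installed, which is acceptable on a freshly prepared server.
$rc = Invoke-Msiexec @('/q', '/x', $previousProductCode, '/l*v', "`"$LogFolder\lmdc-uninstall.log`"")
if (@($msiOk, $msiRebootRequired, $msiUnknownProduct) -notcontains $rc) {
    throw "Uninstall failed: msiexec exit code $rc"
}

# 2. Unattended install. /qb- shows only a progress bar; use /qn for a fully
#    silent run. Property values that contain spaces must be double-quoted.
$rc = Invoke-Msiexec @(
    '/i', "`"$MsiPath`"", '/qb-', '/l*v', "`"$LogFolder\lmdc-install.log`"",
    "LMAPPPOOLACCOUNT=$AppPoolAccount",
    "LMAPPPOOLPASSWORD=`"$plainPwd`"",
    "LMDBSTR=`"$DbConnectionString`""
)
$plainPwd = $null

switch ($rc) {
    $msiOk             { Write-Host 'Install completed.' }
    $msiRebootRequired { Write-Warning 'Install completed; a reboot is required.' }
    default            { throw "Install failed: msiexec exit code $rc (see $LogFolder\lmdc-install.log)" }
}
```

Two points a practitioner should weigh before using this on a server farm: the password is passed to msiexec on the command line, where it is visible to local process enumeration for the duration of the install, and a verbose install log can record property values unless the package marks them as hidden, so restrict the log folder ACL or drop the /l*v switches. The upgrade.cmd file that GenUnattendedUpgradeScript produces embeds the same credentials and deserves the same handling when it is pushed out with Rexec or PsExec.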


Reimporting Master Keys

Master keys can be changed on the Liquid Machines Security Service page, as described on page 2-18. Whenever the master keys on any server are modified, you must copy the updated Master.pfx from the server where you modified the keys to each of the other servers. Because all the servers are sharing a database that maintains information about the current key, redundant servers should be temporarily stopped before copying the modified Master.pfx to a redundant server. A failure to stop a redundant server will not result in a fatal error, but it will result in failed client polls until the master keys are updated on the redundant server.

1. Make a copy of the Master.pfx on the updated server.

2. Make a backup copy of the Master.pfx on each redundant server.

3. Replace the Master.pfx on each redundant server with the updated copy you made in Step 1.

4. Restart the redundant servers.

Note: While there is no notion of a primary or master server, Liquid Machines recommends that you select a specific server from which you will maintain your master keys. Before uploading a new X.509 certificate, you should always make a backup copy of the existing Master.pfx.
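Both Copying Master Keys (page 2-22) and the reimport steps above amount to the same operation on a redundant server: back up the existing Master.pfx, replace it with the copy from the server where keys are maintained, grant the Web Application Service Account full rights to the key folder, and restart. The script below is an added example for this guide, not a Liquid Machines tool; the share path, local key folder and account name are placeholders, the real key folder being the one you set on the LMKS Master Key Configuration page, and the hash check assumes a PowerShell version that provides Get-FileHash.

```powershell
# Added example, not from the Liquid Machines guide: copy an updated Master.pfx
# from the server where keys are maintained to a redundant server, keeping a
# dated backup and granting the Web Application Service Account full control.
# The share path, local key folder and account name are placeholders; the key
# folder is the one set on the LMKS Master Key Configuration page.
param(
    [string]$SourcePfx      = '\\LMDC-KEYSRV\MasterKey$\Master.pfx',  # placeholder: key-maintenance server
    [string]$LocalKeyFolder = 'C:\LiquidMachines\MasterKey',          # placeholder: LMKS master key directory
    [string]$ServiceAccount = 'SOMEDOMAIN\LmWebAppSvc',               # placeholder: Web Application Service Account
    [switch]$StopIis                                                  # stop IIS for the swap (recommended on reimport)
)
$ErrorActionPreference = 'Stop'
$localPfx = Join-Path $LocalKeyFolder 'Master.pfx'

if (-not (Test-Path $SourcePfx)) { throw "Source key not found: $SourcePfx" }
if (-not (Test-Path $LocalKeyFolder)) { New-Item -ItemType Directory -Path $LocalKeyFolder | Out-Null }

if ($StopIis) { & iisreset /stop | Out-Null }

try {
    # Reimport step 2: back up the existing key before replacing it.
    if (Test-Path $localPfx) {
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backup = Join-Path $LocalKeyFolder "Master.pfx.$stamp.bak"
        Copy-Item -Path $localPfx -Destination $backup
        Write-Host "Backed up existing key to $backup"
    }

    # Reimport step 3: replace with the updated copy, then verify the bytes match.
    Copy-Item -Path $SourcePfx -Destination $localPfx -Force
    $src = (Get-FileHash -Path $SourcePfx -Algorithm SHA256).Hash   # assumes PowerShell 4.0 or later
    $dst = (Get-FileHash -Path $localPfx  -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw 'Master.pfx copy verification failed (hash mismatch)' }

    # Copying Master Keys: grant the service account full rights to the key
    # location. (OI)(CI) propagate the grant to files created later; /T applies
    # it to the files already there, including Master.pfx.
    & icacls $LocalKeyFolder /grant "${ServiceAccount}:(OI)(CI)F" /T | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    Write-Host "Master.pfx updated and full control granted to $ServiceAccount"
}
finally {
    # Reimport step 4: bring the redundant server back whatever the outcome.
    if ($StopIis) { & iisreset /start | Out-Null }
}
```

The backup copies this script leaves behind are as sensitive as the live key, since each one can still unlock documents protected under the old key; keep them inside the protected folder or move them to offline storage together with their passwords, and remove them from a server you later decommission (see Removing Additional Files and Web Site Settings below).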

Removing a Server

You can remove any server from the installation at any time. There is no notion of a primary or master server. All servers are equal peers; the SQL database holds the master configuration.

1. Make sure you mark the server as unavailable in your load-balanced or failover configuration, or otherwise remove client access to it.

2. Uninstall the software using the Windows Control Panel Add/Remove Programs.

Removing Additional Files and Web Site Settings

You might need to take additional manual action to fully uninstall the server software:

1. In IIS Manager, delete the LiquidMachines-DocumentControl and Services folders from the default Web site.

2. Also in IIS Manager, delete the LiquidMachines application pool that was created during the installation.

3. On the file system, delete the LiquidMachines-DocumentControl and Services folders from the root folder of the default Web site, typically c:\inetpub\wwwroot.

4. If you enabled the Liquid Machines Security Service, after making sure you backed up the master key and its password, delete the master key and the folder that was created to house it.


Chapter 3: Upgrading the Server

This chapter describes upgrading a server from one version of 6.X to another.


This section covers upgrading a server from one version of 6.X to another. Do not use these instructions to upgrade a server from version 5.x to version 6.x. If you want to upgrade your version 5.x server, contact Liquid Machines Product Support.

Important! Upgrading your Liquid Machines server installation might require running migration tasks to convert some or all of the data used by the server into a new format. This data could involve the SQL database and/or the Master Key file (Master.pfx). Before you begin any upgrade, you must contact Liquid Machines Product Support to determine whether such a conversion is required. If you need to convert the database, Liquid Machines Product Support will instruct you in the use of a tool called LmServerMigration. How this tool is used depends both on the version you have installed now and the version to which you will upgrade. If the data to be migrated includes the Master.pfx file, the LmServerMigration tool must be run on the machine hosting the Liquid Machines server.

The procedure for performing an attended server upgrade follows. Alternatively, you can perform an unattended upgrade (see Unattended Server Upgrade on page 3-3).

1. To stop IIS on all Liquid Machines servers, use the following command:

iisreset /stop

Back up the SQL database that houses the Liquid Machines data. Also make a backup of the Master.pfx file.

Warning: Do not skip this step or perform it out of order. If you do, and the conversion process later fails, you could permanently corrupt your database.

2. Uninstall the Liquid Machines server software from all servers according to the instructions in Removing a Server on page 2-26.

3. Install the new version on the first server, according to the instructions in Installing the Software on page 2-5. Do not continue with the steps in Running the Post-Install Configuration on the First Server on page 2-6.

4. If Liquid Machines Product Support has instructed you to perform a database schema migration, execute that procedure, with their oversight, now.

5. When installation and any migration are complete, start IIS on the first server, using the following command:

iisreset /start

6. Log in to the Server Administration Console. The Database Connection Details page displays (see Figure 2-2 on page 2-6).

7. Complete the fields on the Database Connection Details page. Specify the DNS alias for the SQL server that contains the Liquid Machines database in the Database Server Name field and select the third bullet below the Database Server Name field:

Use a prepopulated, existing database, maintaining the data*

Specify the name of the Liquid Machines database in the Database Name field and complete the remaining fields on this page as described on page 2-7. When you are finished, click Next. The Policies page displays.


8. Examine the server administration console to verify that your policy group and policy data are correct and that audit reports and configuration settings are intact. From a client computer, verify that legacy data is still accessible and users can successfully obtain policy service and control service updates. Verify that the Policy Droplet control and the Client Console retain the Liquid Machines policies in which the users are role members.

>> Refer to the Liquid Machines Document Control Server online help for details on the Policies page.

9. When you are satisfied that the server is operating correctly, install additional servers, according to the instructions in Load Balancing and Configuring Additional Servers on page 2-22.

Unattended Server Upgrade

To perform an unattended server upgrade, an operational Liquid Machines Document Control server database must be running the upgraded version, and the database must correlate to the version of the application being installed.

Before you can upgrade a server in unattended mode, you must perform the database migration, using the command line utility, as described above. After the database has been migrated, you can continue by generating and running an Unattended Install Script. See Unattended Server Installation on page 2-24. For an unattended server upgrade to work, the .msi file must be present on and run from the local machine; otherwise, a security warning appears.

To upgrade application nodes, run either attended or unattended installations on the target machine(s). Note that you must provide the credentials of the user account under which the application runs to the installation process as well.


Chapter 4: Installing the Liquid Machines Document Control Client

This chapter describes how to install the Liquid Machines Document Control Client.

Topics included in this chapter are:

Prerequisites

Microsoft RMS: Adjusting Internet Explorer Security Settings

Specifying a Control Service

Installing the Client Software


Prerequisites

>> For a listing of client desktop operating system and application version requirements, please see Client Requirements on page 1-3.

Microsoft RMS: Adjusting Internet Explorer Security Settings

If you will use Microsoft RMS as a security service, it is a best practice to adjust Internet Explorer security settings to accommodate the RMS system. The Microsoft RMS Client uses Internet Explorer to communicate with RMS servers. Faulty Internet Explorer security settings can disrupt this communication.

1. In Internet Explorer, on the Tools menu, click Internet Options.

2. In the Internet Options dialog box, click the Security tab.

3. Click Local Intranet and then click Sites.

4. Click Advanced.

5. Under Add this website to the zone, enter the host names in your RMS Licensing and Certification URL, for example, rms.acme.com. Then click Add.

6. To return to the Security tab, click OK twice.

7. Click Custom Level.

8. In the Security Settings dialog box, scroll to the bottom of the Settings list. Under User Authentication, Logon, make sure that Automatic Logon Only in Intranet Zone is selected.

9. To close the dialog boxes, click OK twice.

You can use Active Directory Group Policy or the Internet Explorer Administration Kit to distribute these settings automatically to all workstations. For more information, search the Microsoft KnowledgeBase.
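Steps 1 to 9 above can be reproduced for the current user by writing the registry values that the Internet Options dialog writes, which is useful for scripting the change or for checking that a Group Policy push landed. The script below is an added example for this guide, not something Liquid Machines or Microsoft ship: it assumes Internet Explorer's standard zone registry layout (ZoneMap\Domains for site-to-zone assignments and the 1A00 value under Zones\1 for the Local intranet logon setting), and the two URLs are placeholders standing in for your RMS Certification Service URL and Licensing Service URL.

```powershell
# Added example, not from the Liquid Machines guide: apply steps 1-9 above for the
# current user by writing the registry values behind the Internet Options dialog.
# Assumptions: the ZoneMap\Domains layout and the Zones\1 value 1A00 (logon
# setting) are Internet Explorer's standard zone registry values; the URLs are
# placeholders for your RMS Certification and Licensing Service URLs.
param(
    [string[]]$RmsUrls = @('https://rms.acme.com/certification',   # placeholder
                           'https://rms.acme.com/licensing')       # placeholder
)
$ErrorActionPreference = 'Stop'
$inetBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$localIntranetZone     = 1        # IE zone numbers: 1 = Local intranet
$autoLogonIntranetOnly = 0x20000  # 1A00 value for "Automatic logon only in Intranet zone"

function Get-ZoneMapKey([string]$HostName) {
    # IE stores rms.acme.com as ZoneMap\Domains\acme.com\rms: the registrable
    # domain is the key and any leading labels become a subkey.
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -lt 3) { return "$inetBase\ZoneMap\Domains\$HostName" }
    $domain = $labels[-2..-1] -join '.'
    $sub    = $labels[0..($labels.Count - 3)] -join '.'
    return "$inetBase\ZoneMap\Domains\$domain\$sub"
}

# Steps 3-6: add each RMS host name to the Local intranet zone for its scheme.
foreach ($url in $RmsUrls) {
    $uri = [Uri]$url
    $key = Get-ZoneMapKey $uri.Host
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $uri.Scheme -Value $localIntranetZone -PropertyType DWord -Force | Out-Null
    Write-Host "Mapped $($uri.Scheme)://$($uri.Host) to the Local intranet zone ($key)"
}

# Steps 7-9: Custom Level > User Authentication > Logon for the Local intranet zone.
$zoneKey = "$inetBase\Zones\$localIntranetZone"
New-ItemProperty -Path $zoneKey -Name '1A00' -Value $autoLogonIntranetOnly -PropertyType DWord -Force | Out-Null

# Read the logon setting back so the result can be checked rather than assumed.
$actual = (Get-ItemProperty -Path $zoneKey -Name '1A00').'1A00'
if ($actual -ne $autoLogonIntranetOnly) { throw "Unexpected 1A00 value: $actual" }
Write-Host 'Automatic logon only in Intranet zone is set for the Local intranet zone.'
```

Keep the zone assignment as narrow as the RMS host names require: every host placed in the Local intranet zone receives automatic Windows logon, so adding a whole domain rather than the specific RMS servers widens where the user's credentials are sent. Where the Internet Explorer "Site to Zone Assignment List" policy is in force, the machine-wide policy takes precedence over these per-user values, which is the Group Policy route the paragraph above refers to.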


Specifying a Control Service

As part of the client installation, you can specify a control service. For more information on control services, see Typical Deployment Configuration on page 1-5.

Installing the Client Software

1. To start the Client Installation wizard, double-click the appropriate file in the Client folder:

Liquid Machines lmdc-client-x64.msi (any x64 edition OS)

Liquid Machines lmdc-client-x86.msi (any OS other than x64)

The Preparing to Install window appears.

2. Follow the Installation wizard through the process. The list below describes the pages displayed during the installation and the action required.

Customer Information: Enter a User Name and your Company Name and then click Next.

Setup Type: Select the type of installation:

Standard: If no Liquid Machines Document Control service will be used or if you’re not sure which option to choose.

Custom: If a Liquid Machines Document Control service will be used. Enter the Liquid Machines Document Control 6.x control service as servername.domainname.com.

Liquid Machines Control Service: Enter the name of the Liquid Machines Control Service if one is being used (see Figure 4-1) and then click Next to continue.

Figure 4-1: Liquid Machines Control Service Page

To continue, click Next.


Custom Setup: Select the program features you want to install (see Figure 4-2) and then click Next to continue.

Figure 4-2: Custom Setup Page

Ready to Install the Program: To continue, click Install. A series of progress bars appear while the Liquid Machines Document Control Client software is installed.

InstallShield Wizard Complete: The appearance of this window indicates that the installation process is completed. To continue, click Finish.

3. When the software installation process is completed, you are prompted to restart the computer.

To begin using the Liquid Machines Document Control Client immediately, click Yes to restart your computer.

To restart at a later time, click No.


Chapter 5: Upgrading the Client

This chapter describes upgrading the Client.

Topics included in this chapter are:

Upgrading the Client


Upgrading the Client

To install a Liquid Machines client software update, you can use the appropriate file supplied with the product CD or download:

Liquid Machines lmdc-client-x64.msi (any x64 edition OS)

Liquid Machines lmdc-client-x86.msi (any OS other than x64)

1. On the client computer, open a command window and change directories to the Client folder on the Liquid Machines product CD or download.

2. To install the upgrade, double-click the appropriate .msi file. The .msi file recognizes the previously installed version of the client software and installs the update over it, retaining the settings from the previous installation.

3. When the update is completed, you are prompted to reboot the client computer. Reboot the computer.


Chapter 6: Using Default Policies

This chapter describes configuring default policies.

Topics included in this chapter are:

Configuring Default Policies


Configuring Default Policies

The Liquid Machines Document Control Client allows you to apply a default policy to new documents when the documents are initially created in an application. You can set up the default policy so that a single policy applies to new documents created in all applications, or you can set up this feature so that application-specific policies are applied to each document created using specific applications.

For example, if you use application-specific policies, any document created in Excel would receive the Excel-specific policy, while any document created in PowerPoint would receive the PowerPoint-specific policy.

Documents that are created before the default policies are enabled will not be affected by the default policies.

Note that although the default policy greatly increases the likelihood that a document will be protected, it is not a guarantee of protection. There are instances where a default policy is not applied, for example when the new document is initiated outside the application (the document was created by right-clicking on the Desktop, selecting New from the drop-down menu, and then selecting an application).

If you want to configure multiple Client computers with default policies from a single server, you can use a Group Policy Object (GPO) Push to configure the default policies. This may be useful if you want all employees or members of a group to have the same default policies. Refer to the Microsoft documentation for details on using a GPO Push.


Setting Up Default Policies

To set up a default policy to be applied to ALL new documents that are created:

1. Create or locate the policy to be used as the default policy.

>> For more information on creating policies, refer to the Liquid Machines Document Control Server documentation.

2. Create the following Registry key using regedit:

For 32-bit machines, create the following key:

HKEY_CURRENT_USER\Software\Policies\Liquid Machines\DefaultPolicy

For 64-bit machines, create the following key:

HKEY_CURRENT_USER\Software\Wow6432Node\Policies\Liquid Machines\DefaultPolicy

3. To apply a single policy to all new documents, regardless of the application used to create them, double-click the Default value for the Registry key on the right side of the Registry Editor screen and then enter the name of the policy in the Value data field in the following format:

<name of policy server>|\\<group name>\<policy name>

If there is no group name, then enter the name of the policy in the following format:

<name of policy server>|<policy name>

For example, if your policy name was Corporate Default, the group name was General, and the policy server was lmpolicyserver.mycompany.com, you would enter the following in the Value data field (see Figure 6-1):

lmpolicyserver.mycompany.com|\\General\Corporate Default

Figure 6-1: Configure One Default Policy in the Registry

If this is the only default policy, it will be applied to every new document that is created, and it will appear in the Policy Droplet control in those new documents.


4. To apply default policies for specific applications, use regedit to create additional string values under the DefaultPolicy key for each application. Table 6-1 lists the name of the application and the Value Name and Value Data to assign for each application.

Table 6-1: Value Names for Default Policies (by Application)

Application Name       Value Name            Value Data (Policy Name for the Application)
Adobe Acrobat          adobe-acrobat-pro     <name of policy server>|\\<Group name>\<Name of policy for new Adobe Acrobat documents>
Adobe Reader           adobe-acrobat-reader  <name of policy server>|\\<Group name>\<Name of policy for new Adobe Reader documents>
Microsoft Excel        ms-office-excel       <name of policy server>|\\<Group name>\<Name of policy for new Microsoft Excel documents>
Microsoft PowerPoint   ms-office-ppt         <name of policy server>|\\<Group name>\<Name of policy for new Microsoft PowerPoint documents>
Microsoft Visio        ms-office-visio       <name of policy server>|\\<Group name>\<Name of policy for new Microsoft Visio documents>
Microsoft Word         ms-office-winword     <name of policy server>|\\<Group name>\<Name of policy for new Microsoft Word documents>

NOTE: If you set a default policy for a selected application, that default policy will override any default policy that was set for all new documents. New documents created with the selected application will receive the application-specific policy, while all other documents will receive the main default policy (if one has been created).


For example, you may want to create application policies for new Microsoft Excel and PowerPoint documents as follows:

Excel

Policy Name: Finance

Policy Group: Department Only

Policy Server: lmpolicyserver.mycompany.com

PowerPoint

Policy Name: Marketing

Policy Group: Department Only

Policy Server: lmpolicyserver.mycompany.com

To do this, create two new string values in the registry (with Value Names of ms-office-excel and ms-office-ppt) and Value data as shown in Figure 6-2.

Figure 6-2: Configure Application-Specific Default Policies

5. Once you have set up the default policies, any new Excel or PowerPoint documents that you create will be automatically protected with the appropriate application-specific default policy or policies. All other new documents will be protected by the default policy that is not application-specific.
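Steps 2 to 5 above written as a script for the current user, so the same DefaultPolicy configuration can be reproduced on several workstations or verified after a GPO push. This is an added example for this guide, not a Liquid Machines tool. The registry key paths, the Value Names from Table 6-1 and the <server>|\\<group>\<policy> format are the ones documented above; the policy names, group names and server name are the guide's own sample values, the 32/64-bit choice relies on .NET's Is64BitOperatingSystem property, and the check that rejects names containing "|" or "\" is this example's own guard, since such names could not be expressed unambiguously in that format.

```powershell
# Added example, not from the Liquid Machines guide: write the DefaultPolicy
# registry settings from chapter 6 for the current user. Key paths, Value Names
# and the policy-string format come from the guide; the policy, group and server
# names are the guide's sample values. Requires .NET 4.0 or later for
# [Environment]::Is64BitOperatingSystem.
param(
    [string]$PolicyServer = 'lmpolicyserver.mycompany.com'   # sample value from the guide
)
$ErrorActionPreference = 'Stop'

# The guide gives different key paths for 32-bit and 64-bit machines.
$keyPath = if ([Environment]::Is64BitOperatingSystem) {
    'HKCU:\Software\Wow6432Node\Policies\Liquid Machines\DefaultPolicy'
} else {
    'HKCU:\Software\Policies\Liquid Machines\DefaultPolicy'
}

function New-PolicyValue([string]$Server, [string]$Policy, [string]$Group) {
    # Format from the guide: <server>|\\<group>\<policy>, or <server>|<policy>
    # when the policy has no group. Names containing the delimiters are rejected
    # (this example's own guard) because the format could not represent them.
    foreach ($s in $Server, $Policy, $Group) {
        if ($s -match '[|\\]') { throw "Value '$s' contains a delimiter character" }
    }
    if ([string]::IsNullOrEmpty($Group)) { return "$Server|$Policy" }
    return "$Server|\\$Group\$Policy"
}

# Step 3: the default for every application (guide's example: Corporate Default in group General)
$globalDefault = New-PolicyValue $PolicyServer 'Corporate Default' 'General'

# Step 4: application-specific overrides, keyed by the Value Names from Table 6-1
$appDefaults = @{
    'ms-office-excel' = New-PolicyValue $PolicyServer 'Finance'   'Department Only'
    'ms-office-ppt'   = New-PolicyValue $PolicyServer 'Marketing' 'Department Only'
}

# Step 2: create the key if it does not exist, then write the values.
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
Set-ItemProperty -Path $keyPath -Name '(default)' -Value $globalDefault
foreach ($name in $appDefaults.Keys) {
    New-ItemProperty -Path $keyPath -Name $name -Value $appDefaults[$name] -PropertyType String -Force | Out-Null
}

# Show what was written so it can be compared against Figures 6-1 and 6-2.
Get-ItemProperty -Path $keyPath | Format-List
```

Because these values live under HKEY_CURRENT_USER, they are writable by the user whose profile they belong to; when they are delivered by Group Policy the policy refresh restores them, which is one more reason to prefer the GPO push the chapter recommends over configuring workstations by hand. As the chapter notes, a default policy raises the likelihood that new documents are protected but does not guarantee it, so audit reports on the server remain the place to confirm that documents actually carry a policy.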


Chapter 7: Installing Application Security Module Updates

This chapter describes how to use your Liquid Machines server to distribute client software upgrades to your Liquid Machines Document Control clients via Application Security Modules.

Topics included in this chapter are:

Loading the Application Security Modules

You can use your Liquid Machines server to distribute client software upgrades to the Liquid Machines Document Control clients via Application Security Modules.

Loading the Application Security Modules

The server control service automatically distributes code updates to all clients that specified that server as their control service during client installation. These updates are distributed much as virus definitions are in a centrally managed installation. They do not require any invasive measures on client workstations: no reboots, no application restarts, and no user dialogs or intervention.

NOTE: You can use control service updates to update between secondary point releases (for example, from 7.0.1 to 7.0.2). However, you cannot use control service updates to move between a secondary point release and a major point release (for example, you cannot use them to upgrade from 7.0.1 to 7.1).

In Liquid Machines Document Control 6.x, code updates are called Application Security Modules. They can be installed on the server by a server administrator with System Configuration privileges.

To load Application Security Modules:

1. Log in to a Liquid Machines Server Administration Console.

2. In the upper-right corner, click .

3. In the navigation bar at left, click .

4. To find and select the Application Security Modules package file, click Browse. Application Security Module package files are distributed with the Liquid Machines client software and are located in the Server\App Config subfolder as a file named lmdc-app-config.lmdc-pkg.

5. To install the new Application Security Modules, click .

6. By default, all applications in the list are disabled.

To enable all applications, select the Select All checkbox in the column heading bar and then click Enable.

Alternatively, enable only the applications you choose.

Application Security Modules are written to the Liquid Machines Document Control databases and then distributed by all servers to all clients at the next client polling cycle.

Chapter 8: Liquid Machines Document Control Client Troubleshooting

This chapter provides troubleshooting information for the Liquid Machines Document Control Client.

Topics included in this chapter are:

Changing the Client State

Windows Event Log and Logging Options

Gathering Diagnostics

Changing the Client State

The Liquid Machines Document Control client can be installed in any of three states and changed to the other states as needed. The current state appears at the top of the Client State tab of the Liquid Machines Client Console (see Figure 8-1).

Figure 8-1: Client State Tab on the Liquid Machines Client Console

Using the buttons that appear below the Current State, you can change the state of the client to one of the following:

Enabled

Standby

Disabled

>> For detailed instructions on how to change from one state to another, refer to the instructions provided in the online Help available on the Client Console.

Enabled

When the state of the Liquid Machines Document Control client is Enabled, the Liquid Machines Policy Droplet appears in the title bar of secured applications (see Figure 8-2), and you can create and protect documents and work with protected documents according to your rights.

Figure 8-2: Policy Droplet Control Appears When Client State is Enabled

The Client State Tab of the Liquid Machines Client displays the Current State Enabled (see Figure 8-3).

Figure 8-3: Client State is Enabled

When you transition from Enabled to Standby, the state change takes place immediately. When you transition from Enabled to Disabled, you must reboot for the change to take effect; the system is in Standby until the reboot is complete.

Standby

When the Liquid Machines Document Control client is on Standby, the Liquid Machines Policy Droplet does not appear in the title bar of secured applications, and you cannot protect documents or work with protected documents. But Liquid Machines Document Control is still running in the background, so it can check for new or changed policies, and you can view policies and manage policy services. The Client State tab of the Liquid Machines Client Console displays the Current State Standby (see Figure 8-4).

Figure 8-4: Client State is Standby

When you transition from Standby to Enabled, the state change takes place immediately, but any applications that are running must be restarted before the Policy Droplet control becomes available. When you transition from Standby to Disabled, you must reboot for the change to take effect. The system remains in Standby until the reboot is complete.

Disabled

When the state of the Liquid Machines Document Control client is Disabled, the Liquid Machines Policy Droplet control does not appear in the title bar of secured applications, and you cannot protect documents or work with protected documents. Liquid Machines Document Control is not running in the background, so it cannot check for new or changed policies, and you cannot view policies or manage policy services. The Client State tab of the Liquid Machines Client Console displays the Current State Disabled (see Figure 8-5).

Figure 8-5: Client State is Disabled

When you transition from Disabled to Enabled or Standby, you must perform a reboot for the change to take effect. The system remains in the Disabled state until the reboot is complete.

Windows Event Log and Logging Options

The Liquid Machines Document Control Client logs events to the Windows Event Log. All of the events logged by the Client can be viewed from the Event Viewer in a log called Liquid Machines.

Event logging is enabled by default. This section describes how to specify the types of events to be logged. It also describes how to view the Liquid Machines Document Control Client logs and provides a list of events that may appear in the Liquid Machines log.

Configuring Liquid Machines Document Control Client Logs

By default, event logging is enabled and all types of events (Info, Warning, Error, and Fatal) are logged. These events are listed from the least severe (Info) to the most severe (Fatal).

To change the types of events that are logged, modify the following Registry key:

For a 32-bit machine, modify:

HKEY_LOCAL_MACHINE\Software\Liquid Machines\Client\Event Logging

For a 64-bit machine, modify:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Liquid Machines\Client\Event Logging

To disable logging of Liquid Machines client events:

Change the string value of severity to None.

To change the types of events that are logged:

Change the value of severity to the name of the least severe event type you want to log. All events of that type or more severe will be logged. The following lists the event types from least severe to most severe:

Info

Warning

Error

Fatal

For example, if you only wanted to log Error and Fatal events, you would set severity to Error. If you want to log all events, you would set severity to Info. (The severity values are not case sensitive.)

You can also set the severity value to:

All – to log all events

None – to log no events

Unlike the other severity values, the values All and None will never appear in the event log, but they can be used to configure the events to be logged.

NOTE: Fatal events appear as Error events in the Event Log, but are separated for configuration purposes. Fatal events are errors that cause the process to terminate.
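The severity setting described above, as an added PowerShell example that is not part of the Liquid Machines guide: it resolves the 32-bit or Wow6432Node key for the machine it runs on, rejects values outside the documented set, and writes the severity string. It assumes the key lives under HKEY_LOCAL_MACHINE and that the value is the REG_SZ named severity; the function names are the example's own.

```powershell
# Added example (not from the Liquid Machines guide): set or read the client
# event-logging severity. Assumes HKEY_LOCAL_MACHINE and a REG_SZ value named
# "severity" under ...\Liquid Machines\Client\Event Logging. Run elevated.

$ValidSeverities = 'All', 'Info', 'Warning', 'Error', 'Fatal', 'None'

function Get-LmClientKeyPath {
    param([Parameter(Mandatory)][string]$SubKey)   # e.g. 'Event Logging'
    # The client is a 32-bit component: on 64-bit Windows its settings live under
    # Wow6432Node. A 32-bit process is redirected there automatically, but a
    # 64-bit PowerShell host writes to the native view unless the path is explicit.
    if ([Environment]::Is64BitOperatingSystem) {
        return "HKLM:\SOFTWARE\Wow6432Node\Liquid Machines\Client\$SubKey"
    }
    return "HKLM:\SOFTWARE\Liquid Machines\Client\$SubKey"
}

function Get-LmEventSeverity {
    $path = Get-LmClientKeyPath -SubKey 'Event Logging'
    $item = Get-ItemProperty -Path $path -Name severity -ErrorAction SilentlyContinue
    # An absent value leaves the client at its default, which logs every event type.
    if ($null -eq $item) { return 'Info' }
    return $item.severity
}

function Set-LmEventSeverity {
    param([Parameter(Mandatory)][string]$Severity)
    # Reject anything outside the documented set before touching the registry.
    # The client compares case-insensitively; writing the canonical spelling
    # keeps later audits of the key readable.
    $canonical = $ValidSeverities | Where-Object { $_ -ieq $Severity } | Select-Object -First 1
    if (-not $canonical) {
        throw "Unsupported severity '$Severity'. Use one of: $($ValidSeverities -join ', ')"
    }
    $path = Get-LmClientKeyPath -SubKey 'Event Logging'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    try {
        Set-ItemProperty -Path $path -Name severity -Value $canonical -Type String -ErrorAction Stop
    } catch {
        throw "No write access to $path ($($_.Exception.Message)); rerun from an elevated session."
    }
    return $canonical
}

# Usage: log only Error and Fatal events, then confirm what the client will read.
Set-LmEventSeverity -Severity 'error'
"severity is now: $(Get-LmEventSeverity)"
```

A 64-bit PowerShell host is not subject to WOW64 registry redirection, so a script that writes HKLM:\SOFTWARE\Liquid Machines on a 64-bit machine creates a key the 32-bit client never reads and the setting silently has no effect; that is why the path is chosen explicitly from the OS bitness rather than left to the provider.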

Viewing Liquid Machines Document Control Client Events

To view Liquid Machines Document Control Client events:

1. Select Start and then select Control Panel. Select Administrative Tools.

2. Select Event Viewer.

3. For Windows Vista, expand Applications and Services Logs to display the Liquid Machines log, or for versions of Windows prior to Vista, select Liquid Machines.

The Event Log displays differently, depending on the Windows operating system.

For Windows Vista, all Liquid Machines Client events that have been logged are displayed in the center part of the Event Viewer screen (see Figure 8-6).

Figure 8-6: Liquid Machines Event Viewer (with Windows Vista)

When you select any of the events in the top center part of the screen, details for the selected event display in the lower part of the screen. In the example above, the Error event is selected and the details are displayed in the lower part of the screen.

For versions of Windows prior to Vista, all Liquid Machines Client events that have been logged are displayed on the Event Viewer screen (see Figure 8-7).

Figure 8-7: Liquid Machines Event Viewer (with Windows XP)

When you select any of the events from this screen, details for the selected event display in an Event Properties dialog box (see Figure 8-8).

Figure 8-8: Liquid Machines Event Properties Dialog Box (with Windows XP)

In the example above, the Error event is selected in the Event Viewer screen and the details for that event display in the Event Properties dialog box.

Liquid Machines Document Control Client Events

Table 8-1 lists the Liquid Machines Document Control Client events that may appear in the Event Viewer. These events have Liquid Machines Client in the Source field of the Event Viewer. When you view details for any of these events, the information provided in the table below is displayed (see Figure 8-6 or Figure 8-8 for examples of Liquid Machines Client events). Any data that appears in angle brackets (for example, <timestamp>) in the table below is a generic field that will contain information specific to the event (such as the actual date and time when the event occurred).

Table 8-1: Liquid Machines Document Control Client Events

Columns: Event ID | Event Type | User Identity | Event Text

Event ID: 100
Event Type: Error (see note 1)
User Identity: <Any user>
Event Text:
  A fatal error has occurred.
  Time: <timestamp>
  Module: <exe or dll which failed>
  Module Version: <4-part version> (Build ID: <build id>)
  Process ID: <process id (pid)>
  <diagnostic information>

Event ID: 101
Event Type: Error
User Identity: <Any user>
Event Text:
  A serious error has occurred.
  Time: <timestamp>
  Module: <exe or dll which failed>
  Module Version: <4-part version> (Build ID: <build id>)
  Process ID: <process id (pid)>
  <diagnostic information>

Event ID: 2100
Event Type: Info
User Identity: <Logged on User>
Event Text:
  Successfully updated data for a Liquid Machines Policy Server. Download and upload succeeded for server <locator> (ID = <GUID>) using credentials for <server-side username or "logged on user">.

Event ID: 2101
Event Type: Warning
User Identity: <Logged on User>
Event Text:
  Failed to updated data for a Liquid Machines Policy Server. Download and upload failed for server <locator> (ID = <GUID>) using credentials for <server-side username or "logged on user">.
  <failure description>
  <diagnostics information>

Event ID: 2200
Event Type: Info
User Identity: LMQI_DCI_AUTHORITY
Event Text:
  Successfully updated data for a Liquid Machines Control Server. Download and upload succeeded for server <locator>.

Event ID: 2201
Event Type: Warning
User Identity: LMQI_DCI_AUTHORITY
Event Text:
  Failed to updated data for a Liquid Machines Control Server. Download and upload failed for server <locator>.
  <failure description>

Note 1: Although event 100 appears as an Error in the log, it is treated as a Fatal event for purposes of the severity configuration.
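The events in Table 8-1 are what a monitoring job on the endpoint would key on. As an added PowerShell example that is not part of the Liquid Machines guide, the following parses the event text into fields, keeps the failure events (100, 101, 2101, 2201), and extracts which Policy or Control Server a sync failed against. The event IDs, the provider name (Liquid Machines Client) and the log name (Liquid Machines) come from the guide; the sample messages, hostnames, GUID, module name and diagnostic text are constructed here so the script runs on a machine without the client.

```powershell
# Added example (not from the Liquid Machines guide): parse and triage the
# client events of Table 8-1. Sample data below is constructed for this example.

function ConvertFrom-LmClientEvent {
    param(
        [Parameter(Mandatory)][int]$Id,
        [Parameter(Mandatory)][string]$Message
    )
    $r = [ordered]@{ Id = $Id; Severity = $null; Kind = $null; Server = $null
                     ServerId = $null; Module = $null; ProcessId = $null }
    switch ($Id) {
        100  { $r.Severity = 'Fatal';   $r.Kind = 'ClientFatalError' }   # logged as Error, Fatal for severity config
        101  { $r.Severity = 'Error';   $r.Kind = 'ClientError' }
        2100 { $r.Severity = 'Info';    $r.Kind = 'PolicyServerSyncOk' }
        2101 { $r.Severity = 'Warning'; $r.Kind = 'PolicyServerSyncFailed' }
        2200 { $r.Severity = 'Info';    $r.Kind = 'ControlServerSyncOk' }
        2201 { $r.Severity = 'Warning'; $r.Kind = 'ControlServerSyncFailed' }
        default { $r.Severity = 'Unknown'; $r.Kind = 'Unknown' }
    }
    # Sync events (2100-2201) name the server locator; Policy Server events also carry its GUID.
    if ($Message -match 'for server (?<locator>[^\s(]+)') { $r.Server = $Matches.locator.TrimEnd('.') }
    if ($Message -match '\(ID = (?<guid>[^)]+)\)')        { $r.ServerId = $Matches.guid }
    # Error events (100, 101) carry the failing module and process id on their own lines.
    if ($Message -match '(?m)^Module: (?<module>.+?)\s*$') { $r.Module = $Matches.module }
    if ($Message -match 'Process ID: (?<pid>\d+)')        { $r.ProcessId = [int]$Matches.pid }
    [pscustomobject]$r
}

function Get-LmClientFailures {
    # Accepts anything with Id and Message properties: live EventLogRecord objects or the samples below.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $p = ConvertFrom-LmClientEvent -Id $e.Id -Message $e.Message
        if ($p.Severity -in 'Warning', 'Error', 'Fatal') { $p }
    }
}

# Constructed sample events following the Table 8-1 templates (hostnames, GUID,
# module name and diagnostic text are made up for this example).
$sample = @(
    [pscustomobject]@{ Id = 2100; Message = 'Successfully updated data for a Liquid Machines Policy Server. Download and upload succeeded for server lmpolicyserver.mycompany.com (ID = 5f2c6a1e-0000-4000-8000-0000000000aa) using credentials for logged on user.' }
    [pscustomobject]@{ Id = 2101; Message = "Failed to updated data for a Liquid Machines Policy Server. Download and upload failed for server lmpolicyserver.mycompany.com (ID = 5f2c6a1e-0000-4000-8000-0000000000aa) using credentials for logged on user.`r`nThe remote name could not be resolved." }
    [pscustomobject]@{ Id = 2201; Message = "Failed to updated data for a Liquid Machines Control Server. Download and upload failed for server lmcontrol.mycompany.com.`r`nConnection timed out." }
    [pscustomobject]@{ Id = 100;  Message = "A fatal error has occurred.`r`nTime: 2008-05-01 09:12:33`r`nModule: lmclient.dll`r`nModule Version: 7.1.0.0 (Build ID: 1234)`r`nProcess ID: 4120`r`nUnhandled exception in policy cache" }
)
Get-LmClientFailures -Events $sample | Format-Table Id, Severity, Kind, Server, Module, ProcessId -AutoSize

# Live query on a machine with the client installed (quiet no-op elsewhere).
if (Get-WinEvent -ListLog 'Liquid Machines' -ErrorAction SilentlyContinue) {
    $live = Get-WinEvent -FilterHashtable @{ LogName = 'Liquid Machines'; ProviderName = 'Liquid Machines Client'; Id = 100, 101, 2101, 2201 } -MaxEvents 200 -ErrorAction SilentlyContinue
    if ($live) { Get-LmClientFailures -Events $live | Format-Table Id, Severity, Kind, Server, Module, ProcessId -AutoSize }
}
```

The locator regex stops at whitespace or an opening parenthesis, so it handles both the Policy Server form (locator followed by the GUID) and the Control Server form (locator followed by a period). A run of 2101 or 2201 events for the same locator across many endpoints is the signal that the server or its DNS alias is unreachable rather than that one client has a credential problem.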

Gathering Diagnostics

This section describes how to collect diagnostic information so that a Liquid Machines Product Support representative can identify and correct problems you are having with the Liquid Machines Document Control Client. You can collect information on problems that are reproducible: if this function is enabled, you start data collection, perform the activities that cause the erroneous behavior, and then stop the data collection. The information gathered is saved in a .ZIP archive that can be sent to Liquid Machines Product Support for analysis.

IMPORTANT: The process required to collect diagnostic information may affect the performance of the Liquid Machines Document Control Client and the applications it manages. DO NOT start this feature unless you have been instructed to do so for troubleshooting purposes. ALWAYS stop the diagnostics gathering function as soon as you are finished demonstrating the problem to ensure optimal Liquid Machines Document Control Client performance.

To gather diagnostics:

1. Enable the diagnostics gathering function if it has not been enabled. You will know the function has been enabled if the Diagnostics tab displays on the Client Console (see Figure 8-9).

Figure 8-9: Diagnostics Tab on Client Console

>> For detailed instructions on enabling the Diagnostics Gathering Function, see Enabling the Diagnostics Gathering Function on page 8-14.

2. Start the diagnostics gathering function by selecting the Diagnostics tab on the Client Console and selecting the Start button (see Figure 8-9).

NOTE: Diagnostic logging may have a negative impact on application performance. You should only start diagnostic logging when instructed to do so for troubleshooting purposes.

The contents of the tab change to indicate that diagnostic collection is in progress (see Figure 8-10).

Figure 8-10: Diagnostics Collection is in Progress

3. Perform the activities that caused the erroneous behavior. By performing these activities with the diagnostics gathering function turned on, you can log extensive diagnostic information about the system’s behavior that can be analyzed by Liquid Machines Product Support.

4. When you are ready, stop the diagnostics gathering function by pressing the Stop button. When you stop gathering data, a Save As dialog displays, prompting you to save the data (see Figure 8-11). Once you specify the location where data will be saved, the system will remember where you saved data and will open in that location the next time you perform this task.

Figure 8-11: Save As Dialog Box

The Liquid Machines Document Control Client provides a unique default name for the ZIP archive, or you can enter a name in the File name field.

5. If you press Cancel, no ZIP archive is created. (If you select Cancel, you can still collect the log files later by selecting the Start button, followed immediately by the Stop button.)

If you select Save, a dialog displays the progress of the save (see Figure 8-12). This may take several minutes to complete. The data is archived to a ZIP file.

Figure 8-12: Progress of Save

6. During the process of archiving the diagnostic output, the Client runs a utility called WinAudit to collect general information about the user environment. A dialog displays indicating the progress of WinAudit (see Figure 8-13).

Figure 8-13: Progress of WinAudit Utility

7. When the archiving is complete, the Cancel button below the progress dialog is replaced with an Ok button (see Figure 8-14).

Figure 8-14: Archiving of Diagnostic Output Files is Complete

8. Select Ok. The message on the Diagnostics tab updates to Press Start to begin collection of diagnostic output.

9. Send the ZIP archive file to Liquid Machines Product Support for analysis.

Tips on Gathering Diagnostics

If you see the message Failed to apply one or more registry settings when selecting Start or Stop on the Diagnostics tab, you do not have the rights needed to modify the registry settings required for the logging functionality.

If this occurs when you select Start, the initiation cleans up any partial settings. If this occurs when you select Stop, registry permissions changed after you started logging and you no longer have permission to turn it off.

In this case logging will continue until an administrator can modify the registry permission settings to enable you to stop logging. This situation will cause adverse performance impact and should be remedied as soon as possible.

Enabling the Diagnostics Gathering Function

You enable the diagnostics gathering function by editing the following Registry key:

For a 32-bit machine, modify:

HKEY_LOCAL_MACHINE\Software\Liquid Machines\Client\ClientState

For a 64-bit machine, modify:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Liquid Machines\Client\ClientState

The value name to edit is

DiagnosticsUI

If it contains a DWORD (numeric) non-zero value, the diagnostics gathering function is enabled. Otherwise, the function is disabled.

By default the diagnostics gathering function is enabled (the Diagnostic tab displays on the Client Console).

To enable and disable the Diagnostics Gathering function:

1. From the Start button, select Run and type regedit in the Open field of the Run dialog (see Figure 8-15).

Figure 8-15: Use regedit to Enable or Disable Diagnostics Gathering

2. In the Registry Editor, navigate to the appropriate ClientState Registry key (depending on whether you are using a 32-bit or 64-bit machine). Figure 8-16 shows an example on a 32-bit machine:

Figure 8-16: Registry Key Used to Enable or Disable Diagnostics Gathering (For a 32-bit Machine)

3. Double-click the DiagnosticsUI value in the right pane to display the Edit DWORD dialog (see Figure 8-17).

Figure 8-17: Edit DWORD Dialog Box to Enable or Disable Diagnostics Gathering

4. To enable or disable the diagnostics gathering function:

To enable the diagnostics gathering function, enter 1 in the Value data field.

To disable the diagnostics gathering function, enter 0 in the Value data field.

5. Select Ok.

If the diagnostics gathering function is enabled, the Diagnostics tab on the Client Console displays.

If the diagnostics gathering function is disabled, the Diagnostics tab on the Client Console does not display.
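Two things from this section and from Tips on Gathering Diagnostics above are worth scripting: checking, before pressing Start, that the account can actually write the client's registry settings (so a capture cannot be started that the same account is then unable to stop), and toggling the DiagnosticsUI value that shows or hides the tab. The following is an added PowerShell example, not part of the Liquid Machines guide. It assumes the hive is HKEY_LOCAL_MACHINE and treats the ClientState key as representative of the settings the logging function writes (the guide does not enumerate them); the function names are the example's own.

```powershell
# Added example (not from the Liquid Machines guide): verify write access to
# the client's registry settings and toggle the DiagnosticsUI DWORD.
# Assumes HKEY_LOCAL_MACHINE; ClientState stands in for the logging settings.

function Get-LmClientKeyPath {
    param([Parameter(Mandatory)][string]$SubKey)
    # 32-bit client settings sit under Wow6432Node on 64-bit Windows.
    $base = if ([Environment]::Is64BitOperatingSystem) { 'SOFTWARE\Wow6432Node\Liquid Machines\Client' }
            else { 'SOFTWARE\Liquid Machines\Client' }
    return "$base\$SubKey"        # relative to HKLM
}

function Test-LmRegistryWriteAccess {
    param([Parameter(Mandatory)][string]$SubKey)
    $rel = Get-LmClientKeyPath -SubKey $SubKey
    try {
        # Opening the key for write is the same access the client needs when it applies its settings.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($rel, $true)
        if ($null -eq $key) {
            Write-Warning "HKLM\$rel does not exist (client not installed, or wrong bitness path)"
            return $false
        }
        $key.Close()
        return $true
    } catch [System.Security.SecurityException] {
        return $false
    }
}

function Set-LmDiagnosticsUI {
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-LmRegistryWriteAccess -SubKey 'ClientState')) {
        throw 'No write access to the ClientState key; an administrator must adjust its permissions first.'
    }
    $path = 'HKLM:\' + (Get-LmClientKeyPath -SubKey 'ClientState')
    Set-ItemProperty -Path $path -Name DiagnosticsUI -Value ([int]$Enabled) -Type DWord
    # Any non-zero DWORD shows the Diagnostics tab on the Client Console.
    return ((Get-ItemProperty -Path $path -Name DiagnosticsUI).DiagnosticsUI -ne 0)
}

# Usage: decide whether it is safe to press Start, then hide the tab once
# support no longer needs it.
if (Test-LmRegistryWriteAccess -SubKey 'ClientState') {
    'Safe to press Start: this account can write the client settings.'
} else {
    'Do not press Start: a capture begun now could not be stopped by this account.'
}
Set-LmDiagnosticsUI -Enabled $false
```

The write-access probe is deliberately done by opening the key with write intent rather than by reading its ACL, because that is the check that fails in practice when a group policy or a hardening script re-ACLs the key between Start and Stop. Hiding the tab on machines where no one should be running captures removes the performance hazard the guide warns about; the value is a plain DWORD, so a GPO registry preference can set it fleet-wide.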

Chapter 9: Disaster Recovery

This chapter describes disaster recovery procedures.

Topics included in this chapter are:

Preparing for Disaster Recovery

Testing Disaster Recovery

Disaster Recovery

Preparing for Disaster Recovery

To prepare for disaster recovery:

You must back up the SQL database that was created as part of configuration.

If you enable the Liquid Machines Security Service, you must also back up the Liquid Machines server master key file for server recovery and export the server keys for document recovery, as described in the sections that follow.

Note: All references to master keys apply only when the Liquid Machines Security Service is enabled. The master key is not used by the RMS Security Service.

Backing Up the SQL Database

The database is critical to recovery and houses all necessary recovery information.

1. Back up the Liquid Machines database in its entirety. We suggest you back up the database, whether as a checkpoint, incrementally, or fully, at least once a day.

2. Copy the backup file to an external location, not on the machine that hosts the SQL server.

Backing Up the Master Key File for Server Recovery

The Liquid Machines server master key is stored in a password-protected PKCS#12 file named Master.pfx. The file is located in the install directory, which is by default C:\Program Files\Liquid Machines. To back up the Liquid Machines server master key file, copy Master.pfx to a reliable external location. This copy is protected with the password assigned during installation to protect the original master key file (see page 2-16), and it is used to recover the server in the event of failure.

Exporting the Server Keys for Document Recovery

To support document recovery, you must export the master key using the export tool, LmExportKeys. The LmExportKeys tool is distributed with the server software, in the Tools subfolder. It creates a ZIP file that contains multiple files, depending on the number of keys in the system: a manifest.xml file and a .pfx file for each key that is exported. This ZIP file is needed for LmUnsecure, the tool that removes protection from documents to provide access in the event of a disaster involving the Liquid Machines server.

Because the ZIP file contains password-protected PKCS#12 files, you must know the password that was assigned to the files during installation. In addition, the LmExportKeys tool requires that you specify a password for access to the ZIP file it creates. Make sure you write down the password for the ZIP file and store it in a safe location. The passwords for the master key and the ZIP file cannot be recovered by any means.

IMPORTANT: If you use the Server Administration Console to change the parameters of the key, for example, its bit strength or encryption algorithm, you must make a new backup both before and after saving your changes.

Using LmExportKeys to Export Keys

To export the Liquid Machines server master key for document recovery purposes:

1. Run LmExportKeys with the following options:

   LmExportKeys key-store=<location of Master.pfx> key-output=<location and name of resulting ZIP file> fips-enabled=<true or false>

   Example:

   LmExportKeys key-store="C:\Program Files\Liquid Machines\master.pfx" key-output="C:\Program Files\Liquid Machines\masterbkup.zip" fips-enabled=false

Note: To print out detailed usage information on LmExportKeys, at the command prompt, type one of the following commands:

LmExportKeys ?

LmExportKeys --help

2. When you run LmExportKeys, you are prompted to specify and then confirm a password to protect the resulting ZIP file. The password must be at least 8 characters long and contain at least one of each of the following:

Uppercase character

Lowercase character

Digit

Special character (@#$%^&+=)

3. After you specify and confirm the export key password, you are asked to provide the master key password that was assigned during server installation.

4. A message indicates a successful export and the location of the resulting ZIP file (the location you specified in the key-output option).

5. Copy the ZIP file to a secure external location.

Be sure to follow Testing Disaster Recovery on page 9-4 to test that the exported key is valid.
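The password rules LmExportKeys enforces in step 2, together with the warning that neither this password nor the master key password can be recovered, make it worth generating the ZIP password deliberately rather than typing one at the prompt. The following is an added PowerShell example, not part of the guide or of the LmExportKeys tool: it checks a candidate against exactly the rules listed above and generates a compliant password from the operating system CSPRNG, ready to be stored in a password vault alongside the archive. Function names and the default length are the example's own.

```powershell
# Added example (not from the Liquid Machines guide or LmExportKeys): validate
# and generate passwords that meet the LmExportKeys ZIP password rules:
# at least 8 characters, with an uppercase letter, a lowercase letter, a digit
# and one of the special characters @#$%^&+= .

$Upper   = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
$Lower   = [char[]]'abcdefghijklmnopqrstuvwxyz'
$Digit   = [char[]]'0123456789'
$Special = [char[]]'@#$%^&+='          # exactly the set the guide lists

function Test-LmExportPassword {
    param([Parameter(Mandatory)][string]$Password)
    # One clause per rule; -cmatch keeps the letter classes case-sensitive
    # (plain -match would let a lowercase letter satisfy the uppercase rule).
    ($Password.Length -ge 8) -and
    ($Password -cmatch '[A-Z]') -and
    ($Password -cmatch '[a-z]') -and
    ($Password -match '[0-9]') -and
    ($Password -match '[@#$%^&+=]')
}

function New-LmExportPassword {
    param([int]$Length = 20)
    if ($Length -lt 8) { throw 'LmExportKeys requires at least 8 characters.' }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    # Uniform integer in [0, $Max) by rejection sampling on 32-bit CSPRNG output,
    # so no character is favoured by a modulo bias.
    $randIndex = {
        param([int]$Max)
        $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
        do { $rng.GetBytes($buf); $n = [BitConverter]::ToUInt32($buf, 0) } while ($n -ge $limit)
        [int]($n % $Max)
    }
    $classes = @($Upper, $Lower, $Digit, $Special)
    $all     = $Upper + $Lower + $Digit + $Special
    # One character from each required class first, then fill from the full alphabet...
    $chars = @(foreach ($set in $classes) { $set[(& $randIndex $set.Length)] })
    while ($chars.Count -lt $Length) { $chars += $all[(& $randIndex $all.Length)] }
    # ...then a Fisher-Yates shuffle with CSPRNG indices so the required
    # characters do not sit at predictable positions.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $randIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $rng.Dispose()
    $password = -join $chars
    if (-not (Test-LmExportPassword -Password $password)) { throw 'Generated password failed its own policy check.' }
    return $password
}

# Usage: generate a 24-character password for the export ZIP and check a weak candidate.
$zipPassword = New-LmExportPassword -Length 24
Test-LmExportPassword -Password $zipPassword
Test-LmExportPassword -Password 'password1'
```

The generator draws from the documented special-character set only, because a character outside it would not help satisfy the rule and could be rejected at the prompt. Record the generated password together with the master key password assigned at installation; the ZIP is useless to LmUnsecure without both.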

Testing Disaster Recovery

Testing the Infrastructure Restore Procedure

To simulate a disaster recovery scenario, create an isolated infrastructure that includes at least DNS, Active Directory, workstations built using production images, and the SQL and IIS servers necessary to house the Liquid Machines installation.

The test infrastructure should mirror as closely as possible your production infrastructure:

You must be able to resolve in DNS the same server identifier that is used in production.

User accounts used for the test must match the corresponding user accounts in production: the canonical name (CN) must be the same.

Before you begin the test, create protected content in the production installation, and then save this content to an area you can access from the test installation. Create several documents with different kinds of protections.

Use the procedures documented above to restore your installation to the test infrastructure.

When you have completed the restore, attempt to access the protected content you created, with the same users and in the same ways as you would in production, but using the test installation. There should be no loss of functionality in accessing content.

Testing the Document-Only Restore Procedure

To restore files to their unprotected state, use the LmUnsecure utility. It is distributed with the client software, in the Tools subfolder.

Before you begin the test, create protected content in the production installation, and then save this content to an area you can access from the test installation. Create several documents with different kinds of protections.

1. Locate the exported keys ZIP file created by LmExportKeys.exe.

2. Load this file onto the same machine where you have protected documents you need to recover.

3. For each test file:

a. Using the LmUnsecure command-line utility, in combination with the exported keys ZIP file, remove the protections from one of the test files. For detailed usage information, see the documentation provided with the LmUnsecure tool.

b. Open the test file and verify that it is not protected and that the original data is fully intact.

Disaster Recovery

Server Recovery with Database and Master Key Backups

Disaster recovery procedures assume the following conditions:

All infrastructure, including the SQL server and all Liquid Machines servers, is lost.

The goal is to restore the server-side infrastructure to an operational state, one that allows client applications to access existing protected content, as well as generate new protected content.

You have followed the LmExportKeys procedure (see Using LmExportKeys to Export Keys on page 9-3) to create a ZIP file containing the master keys associated with the server installation, you have recorded the passwords that protect the keys and the ZIP file, and you have access to a known-good backup of these keys and passwords.

You have backed up the MS SQL databases for the Liquid Machines installation and have access to a known-good copy of these databases.

The high-level outline of the disaster recovery procedure is as follows:

1. Per company procedures, install Microsoft SQL Server into your infrastructure and make it ready to support the Liquid Machines databases.

2. Restore the backup copy of the Liquid Machines databases to the server.

3. Create a SQL security login that has read/write access to the Liquid Machines databases.

4. Create a DNS alias, for example lmsql.acme.net, that has as its target the SQL server you have prepared. This alias may already exist in your infrastructure from the prior installation, and so you may need to update its target.

5. Per company procedures, prepare a Windows Server 2000 or 2003 machine that will house the Liquid Machines primary server, as per Liquid Machines installation requirements.

6. Install the Liquid Machines server software, according to the installation instructions for a new server, as described in Installing a New Liquid Machines Document Control 6.x Server on page 2-4.

7. Log in to the Admin UI of the server for post-install. Select Use a prepopulated, existing database, maintaining the data, and enter the information for the restored database.

8. Copy the backed-up Master.pfx file obtained from the procedure described in Backing Up the Master Key File for Server Recovery on page 9-2 to its original location. By default, the Master.pfx file is created in C:\Program Files\Liquid Machines. However, if you chose an install location other than the default, place the Master.pfx file in the location specified during installation.

9. Start IIS.

10. Create a DNS alias so that the new server has the alias of the old server.

You can now add additional Liquid Machines secondary servers the same as you would under normal circumstances. For further instructions, see Load Balancing and Configuring Additional Servers on page 2-22.

11. Go to the client machine and verify that:

The protected files can be opened.

New protected files can be created.

All other operations are normal.

Document-Only Restore

To restore files, use the LmUnsecure utility. It is distributed with the client software, in the Tools subfolder.

1. Locate the exported keys ZIP file created by LmExportKeys.exe (as described in Using LmExportKeys to Export Keys on page 9-3).

2. Load the export ZIP file onto the same machine where you have protected documents you need to recover.

3. Use the LmUnsecure command-line utility, in combination with the exported keys ZIP file, to remove protections from files.