ASSA ABLOY - DigitalVA


Title: CLIQ Web Manager Server Installation Instructions
Category/Type: CLIQ/Web manager
Author: ASSA ABLOY Shared Tech
Document number: ST-001267
Revision: 7.0
Date: 2017-02-22
Page (of): 1 (19)

ASSA ABLOY AB (Shared Technologies)

Table of Contents

1 Introduction
  1.1 Purpose
  1.2 Scope
  1.3 Definitions and Abbreviations
  1.4 References
2 CLIQ Web Manager and CLIQ Remote Overview
3 Prerequisites
  3.1 Application Ports
    3.1.1 Ports for Tomcat and Apache connection
    3.1.2 Port for proxy for a certificate revocation list access
  3.2 Firewall Configuration
  3.3 TLS Server Certificate
4 CLIQ Web Manager Database
  4.1 Install Microsoft SQL Server
5 Admin PC
  5.1 Install Java SE JRE
  5.2 Install CLIQ Web Manager Service Tool and Prepare Database
6 CLIQ Web Manager Server
  6.1 Preparing to install
    6.1.1 Digital Content Server Integration
    6.1.2 Web Server TLS Configuration
    6.1.3 Database Configuration
    6.1.4 Create Windows accounts for CLIQ Web Manager services
    6.1.5 SQL Server Windows Authentication
    6.1.6 SQL Server login permissions
  6.2 Run the Installer
  6.3 Verify the Installation
  6.4 Web Service Throttling
  6.5 Configuration of Tomcat Server
7 Set up a test environment for live data
8 Run multiple CLIQ locking systems on one application server
9 Appendix
  9.1 The CLIQ Certificate Bundle (CCB) file

1 Introduction

1.1 Purpose

This document describes the installation procedure for the CLIQ Web Manager server environment. For installing CLIQ Remote please see [2].

1.2 Scope

Third-party software/hardware and infrastructure configuration might be mentioned but will not be fully covered in this guide. Refer to the third-party documentation for details. The configuration of client PCs is covered in [1].

1.3 Definitions and Abbreviations

Expression: Description

Apache: A widely used Open Source web server available at http://httpd.apache.org/
[CLIQ SERVER]: The path to your CLIQ Web Manager installation and configuration, e.g. “C:\Program Files\CLIQ Web Manager”.
CA: Certification Authority is an entity that issues digital certificates. There are many commercial CAs that charge for their services. There are also several providers issuing digital certificates to the public at no cost. Institutions and governments may have their own CAs.
C-key: Programming key
CLIQ Web Manager Service Tool: A Java application used to create the database schema, delete existing key systems, restore the database and import some of the import files (*.mnv, *.kwd).
DCS: Digital Content Server is a server hosted by Assa Abloy that provides digital contents such as certificates issued by CLIQ CAs.
Enrolment Application: Application that handles certificate signing requests to DCS. It is installed together with either CLIQ Web Manager or CLIQ Remote.
ccb file: The ServerBundle.ccb file is a file containing certificates and keys for securing communication within the application. The .ccb file is provided by the local CLIQ provider.
CLIQ Connect: CLIQ Connect PC is a PC Client used to communicate with the local PD from the CWM web interface and also mobile phone apps to update keys.

1.4 References

[1] ST-001196 - CLIQ Web Manager Client Installation Instructions
[2] ST-001245 - CLIQ Remote Server Installation Instructions
[3] ST-001195 - CLIQ Web Manager and CLIQ Remote System Requirements
[4] ST-001135 - CLIQ Web Manager and CLIQ Remote Operation and Maintenance

2 CLIQ Web Manager and CLIQ Remote Overview

The picture below outlines the main components in a typical setup of CLIQ Web Manager with CLIQ Remote.

Installation of the CLIQ Remote environment is described in [2].

This document covers the installation and configuration of the CLIQ Web Manager environment:

- CLIQ Web Manager DB
  - Microsoft SQL Server handling the database
- Admin PC
  - CLIQ Web Manager Service Tool
- CLIQ Web Manager Server
  - Apache web server handling SSL connections acting as a proxy for Tomcat Application Server
  - Tomcat Application Server running the web application
  - CLIQ Web Manager web application configuration
  - Optional CLIQ Remote plugin configuration

3 Prerequisites

Before starting the installation of CLIQ Web Manager, make sure that you have the required hardware and software available, see [3] for more information.

Local administrator privileges are required to complete the installation successfully. The installation procedure assumes that the nodes in the environment have their OS installed and configured and are set up in a network that enables communication between the nodes according to the figure in the CLIQ Web Manager Overview above.

CLIQ Web Manager Server requires several network ports to be available in the operating system. Section 3.1 lists the network ports used by the application.

If CLIQ Remote is to be used, this installation procedure requires that the CLIQ Remote environment is already installed as described in [2].

3.1 Application Ports

The ports occupied by the application, depending on product selection, are listed in the table below.

Product Selection (CLIQ Remote, DCS Integration) | Occupied ports and purpose

    80 TCP default web traffic
    443 TCP CWM web application and web services traffic
    7443 TCP CLIQ Connect PC
    8009 TCP Tomcat and Apache connection
    *8019 TCP Tomcat and Apache connection for web services traffic
    8081 TCP proxy for a certificate revocation list access

    80 TCP default web traffic
    443 TCP CWM web application and web services traffic
    8009 TCP Tomcat and Apache connection
    *8019 TCP Tomcat and Apache connection for web services traffic
    8081 TCP proxy for a certificate revocation list access

    80 TCP default web traffic
    443 TCP CWM web application and web services traffic
    7443 TCP CLIQ Connect PC
    8009 TCP Tomcat and Apache connection
    *8019 TCP Tomcat and Apache connection for web services traffic
    8081 TCP proxy for a certificate revocation list access
    8443 TCP CLIQ Web Manager Enrolment traffic

    80 TCP default web traffic
    443 TCP CWM web application and web services traffic
    8009 TCP Tomcat and Apache connection
    *8019 TCP Tomcat and Apache connection for web services traffic
    8081 TCP proxy for a certificate revocation list access

* Port 8019 is used when web service throttling is enabled.

Ports 80, 443, 7443 and 8443 must not be changed. The remaining ports can be changed after the CLIQ installation is completed. After a port configuration update, a restart of the CLIQ Web Manager and Apache Windows services is required.

3.1.1 Ports for Tomcat and Apache connection

By default, all traffic between Tomcat and Apache is handled by port 8009. When web services throttling is enabled the traffic is split across two ports: 8009 and 8019. Port 8009 handles regular CWM web application traffic as well as traffic related to communication with the CLIQ Remote Server, while port 8019 is designated for web services traffic only.

Changing port 8009 requires the following configuration update:

In the file <installation directory>\apache\conf\extra\proxy-ajp.conf find the lines:

    ProxyPass /CLIQWebManager ajp://127.0.0.1:8009/CLIQWebManager retry=2
    ProxyPassReverse /CLIQWebManager ajp://127.0.0.1:8009/CLIQWebManager retry=2
    ProxyPass /CLIQWebManagerEnrolment ajp://127.0.0.1:8009/CLIQWebManagerEnrolment retry=2
    ProxyPassReverse /CLIQWebManagerEnrolment ajp://127.0.0.1:8009/CLIQWebManagerEnrolment retry=2

In the file <installation directory>\tomcat\conf\server.xml find the following lines:

    <!-- Define an AJP 1.3 Connector on port 8009 -->

    <Connector port="8009" protocol="org.apache.coyote.ajp.AjpNioProtocol" redirectPort="8443" address="127.0.0.1"/>

In both files change all occurrences of 8009 to the desired port number.

If web service throttling is enabled, changing port 8019 requires the following configuration update:

In the file <installation directory>\apache\conf\extra\proxy-ajp.conf find the line:

    ProxyPass /CLIQWebManager/ws ajp://127.0.0.1:8019/CLIQWebManager/ws retry=2

In the file <installation directory>\tomcat\conf\server.xml find the following lines:

    <!-- Define an AJP 1.3 Connector on port 8019 for web services -->
    <Connector port="8019" protocol="org.apache.coyote.ajp.AjpNioProtocol" redirectPort="8443" address="127.0.0.1" maxThreads="5"/>

In both files change all occurrences of 8019 to the desired port number.

When web service throttling is not enabled, port 8019 is not occupied and there is no need to change the configuration related to it.

3.1.2 Port for proxy for a certificate revocation list access

Port 8081 is used by the proxy for certificate revocation list access. Changing that port requires the following configuration updates:

In the file <installation directory>\apache\conf\extra\httpd-ssl.conf find the lines:

    # URLs to fetch the CRL files from:
    SSLCRL Url http://localhost:8081/dcs/CLIQ ABLOY CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ ASSA ABLOY Australia CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ ASSA ABLOY China CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ ASSA ABLOY Hong Kong CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ ASSA ABLOY India CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ ASSA ABLOY Japan CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ ASSA ABLOY New Zealand CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ ASSA ABLOY Singapore CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ ASSA CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ IKON CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ Medeco CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ Mul-T-Lock CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ Ruko CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ Shared Technologies CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ TrioVing CA.txt

    SSLCRL Url http://localhost:8081/dcs/CLIQ Tesa CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ Keso CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ Sargent CA.txt
    SSLCRL Url http://localhost:8081/dcs/CLIQ Corbin Russwin CA.txt
    Listen localhost:8081

In the file <installation directory>\apache\conf\extra\proxy-ajp.conf find the lines:

    <VirtualHost *:8081>
    ProxyPass /dcs http://dcscrl.assaabloy.net/
    </VirtualHost>

In both files change all occurrences of 8081 to the desired port number.

3.2 Firewall Configuration

Ensure that the CLIQ Web Manager Database allows TCP traffic on port 1433 from both the CLIQ Web Manager Server and the Admin PC, to enable the web application and the Service Tool to communicate using the TDS protocol with the SQL Server. The default port for TDS in the Microsoft SQL Server is 1433.

Ensure that the CLIQ Web Manager Server allows TCP traffic on port 443 from the Client PCs, to enable the client web browsers to communicate using the HTTPS protocol with the web server.

If integration with DCS is to be used, ensure that TCP/HTTPS traffic on port 443 from the CLIQ Web Manager Server can reach the internet unaltered. Note that it is not required to open incoming traffic from the internet for this purpose since this communication will always be initiated from CLIQ Web Manager. You can also configure proxy server settings for integration with DCS (traffic from the CLIQ Web Manager Server to DCS will then be forwarded through the proxy).

The following applies only if CLIQ Remote is not to be used. The Enrolment application will be available on port 8443 by default. Ensure that the CLIQ Web Manager Server allows traffic on this port for the clients to enrol to log in to CLIQ Web Manager, if DCS integration is used. The CLIQ Connect PC applications will connect to port 7443. Ensure that the CLIQ Web Manager Server allows traffic on this port for the CLIQ Connect PC clients to reach the CLIQ Web Manager, if CLIQ Connect PC is to be used.

Product Selection (CLIQ Remote, DCS Integration) | Port to open for traffic on CLIQ Web Manager

    443 TCP incoming from Client PCs
    7443 TCP incoming for CLIQ Connect

    443 TCP incoming from Client PCs
    443 TCP outgoing to the CLIQ Remote server

    80 TCP outgoing to the internet (or another port if you use a proxy to connect to the internet)
    443 TCP incoming from Client PCs
    443 TCP outgoing to the internet (or another port if you use a proxy to connect to the internet)
    7443 TCP incoming for CLIQ Connect
    8443 TCP incoming for user clients to access the enrolment application

    80 TCP outgoing to the internet (or another port if you use a proxy to connect to the internet)
    443 TCP incoming from Client PCs
    443 TCP outgoing to the internet (or another port if you use a proxy to connect to the internet)
    443 TCP outgoing to the CLIQ Remote server

3.3 TLS Server Certificate

The TLS server certificate used by CLIQ Web Manager has to be issued by a certificate authority (CA) that is trusted by the client web browsers; otherwise the web browsers cannot authenticate the server. The users will be informed by a security warning that the server cannot be trusted.

For this reason it is highly recommended to get this certificate issued by a CA that is trusted by default by the supported web browsers, to avoid configuration at each client. Examples of such CAs are VeriSign, Comodo and RapidSSL, and the product name for this type of certificate is usually “TLS certificate” or “SSL certificate”.

As the certificate must be issued to the correct server host, e.g. “cliqwebmanager.mycompany.com”, it is only possible to order this certificate from a CA if you are the legitimate owner of the domain used, in this example “mycompany.com”.

Because web browsers will stop supporting SHA-1 certificates, it is highly recommended to use certificates with a SHA-2 signature algorithm.

Contact the CA of your choice for instructions on how to purchase a TLS server certificate. The TLS server certificate is required when installing and configuring the CLIQ Web Manager server.

4 CLIQ Web Manager Database

This chapter describes the steps to install and configure the software for the CLIQ Web Manager database server.

4.1 Install Microsoft SQL Server

1. Install Microsoft SQL Server version 2012 or 2014 according to the instructions provided by Microsoft.

   For security reasons, it is highly recommended to use low privilege accounts for SQL services during the installation. Required service permissions for each service can be found in the Microsoft SQL Server documentation.

   It is also recommended for security reasons to use Windows Authentication mode to enable Windows Authentication and disable SQL Server Authentication, i.e. disable the built-in SQL Server system administrator account (sa account).

   The collation should be case insensitive.

2. Install the latest Microsoft SQL Server service pack available at Microsoft.

3. Use the SQL Server Configuration Manager to enable the TCP protocol at port 1433 for both the database server instance configuration and the client configuration. Disable other protocols.

4. Connect to the SQL Server instance using SQL Server Management Studio and:

   a. Create a new database for CLIQ Web Manager with a name of your choice. This name will be referred to as [CLIQWebManagerDB] below.
      If SQL Server Windows Authentication will be used to connect to [CLIQWebManagerDB], skip the remaining steps and see further in chapter: SQL Server Windows Authentication. Windows authentication is the recommended connection method.

   b. Create a login that CLIQ Web Manager will use to log in to the database server. The login could be either Windows Authentication or SQL Server authentication; Windows authentication is recommended. The password must not contain any special characters.

   c. To restrict the SQL login permissions follow the instructions in chapter: SQL Server login permissions.
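Section 3.1.1 requires a changed AJP port to be updated in both proxy-ajp.conf and server.xml. The following Python check is an added example, not part of the original instructions or of the CLIQ product: it compares the AJP targets in the Apache file with the AJP connectors in the Tomcat file and confirms that both stay on the loopback address. The file contents are constructed samples and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the web services line was moved to port 8020 in
# proxy-ajp.conf, but server.xml still defines the connector on 8019.
PROXY_AJP_CONF = """\
ProxyPass /CLIQWebManager ajp://127.0.0.1:8009/CLIQWebManager retry=2
ProxyPassReverse /CLIQWebManager ajp://127.0.0.1:8009/CLIQWebManager retry=2
ProxyPass /CLIQWebManager/ws ajp://127.0.0.1:8020/CLIQWebManager/ws retry=2
"""

# Constructed sample of the AJP connectors in server.xml.
SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="org.apache.coyote.ajp.AjpNioProtocol"
               redirectPort="8443" address="127.0.0.1"/>
    <!-- Define an AJP 1.3 Connector on port 8019 for web services -->
    <Connector port="8019" protocol="org.apache.coyote.ajp.AjpNioProtocol"
               redirectPort="8443" address="127.0.0.1" maxThreads="5"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "localhost"}

# Uncommented ProxyPass / ProxyPassReverse lines whose target is an ajp:// URL.
AJP_TARGET = re.compile(
    r"^[ \t]*ProxyPass(?:Reverse)?[ \t]+\S+[ \t]+ajp://([^:/\s]+):(\d+)",
    re.IGNORECASE | re.MULTILINE,
)


def apache_ajp_targets(conf_text):
    """Return the set of (host, port) AJP targets used in proxy-ajp.conf."""
    return {(host.lower(), int(port)) for host, port in AJP_TARGET.findall(conf_text)}


def tomcat_ajp_connectors(server_xml):
    """Return {port: address} for each AJP <Connector>; address is None if not set."""
    connectors = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port")
        if port and "ajp" in conn.get("protocol", "").lower():
            connectors[int(port)] = conn.get("address")
    return connectors


def check_ajp_consistency(conf_text, server_xml):
    """Report ports present in only one file and AJP endpoints off loopback."""
    findings = []
    targets = apache_ajp_targets(conf_text)
    connectors = tomcat_ajp_connectors(server_xml)
    for host, port in sorted(targets):
        if host not in LOOPBACK:
            findings.append(f"apache: AJP target {host}:{port} is not loopback")
        if port not in connectors:
            findings.append(f"apache: port {port} has no AJP connector in server.xml")
    proxied_ports = {port for _, port in targets}
    for port, address in sorted(connectors.items()):
        if address not in LOOPBACK:
            findings.append(
                f"tomcat: connector {port} is not bound to loopback (address={address})")
        if port not in proxied_ports:
            findings.append(f"tomcat: connector {port} is not referenced in proxy-ajp.conf")
    return findings


if __name__ == "__main__":
    for finding in check_ajp_consistency(PROXY_AJP_CONF, SERVER_XML):
        print(finding)
```
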

5 Admin PC

This chapter describes the steps to install and configure the software for the Admin PC.

The Admin PC is used to run the CLIQ Web Manager Service Tool. The Service Tool is used to create the initial database schema. If the integration with DCS is enabled, the import/migration file with the key system will be automatically downloaded and processed by CWM. Otherwise the signed file containing the specified system must be manually provided by the administrator.

The CLIQ Web Manager Service Tool should be run from within a network that is local to the database. The reasons are to minimize exposure of login credentials and any locking system files used, but also to boost performance, as there will be intense traffic between the Service Tool and the database during the import that will suffer from long transition times.

The sensitive parts of the locking system data are encrypted in the database using an encryption password. The encryption password is defined by the user at the time the database is first populated with the Service Tool and must be specified every time the Service Tool connects to import more data later on. Make sure the encryption password is not lost.

5.1 Install Java SE JRE

1. Download and install Java SE JRE /downloads/index.html
   See the System Requirements document to determine the version to use.

2. Open the Windows System Properties dialog, go to the Advanced tab and open Environment Variables. Define a System variable named JAVA_HOME and assign the path to the folder where the JRE was installed as its value, e.g. “C:\Program Files\Java\jre7”.

5.2 Install CLIQ Web Manager Service Tool and Prepare Database

1. Copy the folder [Delivery Package]\cliq web manager\servicetool to a folder of your choice.

2. Follow the procedure Importing or migrating a CLIQ locking system described in [4] to create an initial schema in the database.

3. After the first login to the database the newest database schema will be automatically installed. Close the Service Tool.

6 CLIQ Web Manager Server

6.1 Preparing to install

Before you start the installer please read through the following. This may help in understanding the setup.

6.1.1 Digital Content Server Integration

Digital Content Server (DCS) is hosted by ASSA ABLOY AB and it manages and delivers digital content, such as certificates, licenses and extension import files, to the installations securely. You can opt for enabling enrolment and other services from the DCS during installation. If DCS integration is enabled the CLIQ Web Manager Enrolment Application is installed.

6.1.2 Web Server TLS Configuration

The TLS server certificate used by CLIQ Web Manager must be purchased from a commonly trusted CA of your choice. The other certificates used by CLIQ Web Manager are included in the certificate bundle that is provided to you by your CLIQ Provider. The TLS configuration must be set up during installation.

You will need the following certificate files during the installation:

a) The certificate bundle file (ServerBundle.ccb) from your CLIQ provider.
b) The TLS server certificate to be used by CLIQ Web Manager that is purchased from a trusted CA.
c) The TLS private key file for CLIQ Web Manager created as part of applying for the TLS server certificate from a trusted CA.

It is common that the CA issuing the TLS server certificate is using one or more intermediate CAs. All these certificates must form a chain from the server certificate followed by the issuer of the previous certificate and so on up to the root CA certificate, e.g. server cert -> intermediate CA2 cert -> intermediate CA1 cert -> root CA cert. The root CA certificates are usually bundled with the end user’s web browser.

If you are using a browser version that is not up to date, it is recommended to make sure TLS 1.2 is enabled (and TLS 1.0 disabled) in the browser and the Java control panel.

If your TLS server certificate for CLIQ Web Manager was issued by an intermediate CA, append the content of all the intermediate CA certificate files (PEM format) to the end of your TLS certificate trust store chain file. The certificates in the file must be ordered so that the server certificate is first in the file, followed by the issuer of the previous certificate and so on until the last intermediate CA in the chain. The root CA does not have to be included as it is bundled in the end user’s web browser. The content of the resulting file should be similar to:

    -----BEGIN CERTIFICATE-----
    MI...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MI...
    -----END CERTIFICATE-----

6.1.3 Database Configuration

As part of the database configuration during installation, you can optionally provide additional connection parameters that may be required by your SQL Server installation. The text to be entered in the parameters field consists of one or more key-value pairs. The key and the value are separated by an equals sign (“=”), and if more than one pair is included in the string, the pairs are separated by semicolons (“;”).
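The ordering rule for the chain file in section 6.1.2 can be checked before the file is handed to the installer. The following Python check is an added example, not part of the original instructions or of the CLIQ product: it reads the issuer and subject names from each PEM certificate and reports any certificate that is not followed by its issuer. It compares names byte for byte and verifies no signatures; the certificates are constructed, unsigned skeletons and all function names are hypothetical.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(tag, content):
    """DER-encode one element (used only to build the constructed samples)."""
    n = len(content)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content

def skeleton_cert(subject_cn, issuer_cn):
    """Constructed, unsigned certificate skeleton in PEM; only the names are filled in."""
    def name(cn):
        attr = tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, cn.encode()))
        return tlv(0x30, tlv(0x31, attr))
    empty = tlv(0x30, b"")                  # stands in for algorithm, validity, key
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + empty
              + name(issuer_cn) + empty + name(subject_cn) + empty)
    der = tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def split_pem(text):
    """Return the DER bytes of every certificate in the file, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(text)]

def read_tlv(buf, pos):
    """Decode the DER element at pos; return (tag, content_start, end)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[start:start + count], "big")
        start += count
    return tag, start, start + length

def issuer_and_subject(der):
    """Return the raw DER of the issuer and subject Name fields of one certificate."""
    _, pos, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)          # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                         # optional explicit [0] version
        pos = end
    fields = []
    for _ in range(5):                      # serial, signature alg, issuer, validity, subject
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_chain_order(pem_text):
    """List the positions where a certificate is not followed by its issuer."""
    names = [issuer_and_subject(der) for der in split_pem(pem_text)]
    if not names:
        return ["no certificates found"]
    findings = []
    for i in range(len(names) - 1):
        issuer, next_subject = names[i][0], names[i + 1][1]
        if issuer != next_subject:
            findings.append(f"certificate #{i + 1} is not followed by its issuer")
    return findings

# Constructed chain matching the example in the text (root CA left out of the file).
SERVER = skeleton_cert("cliqwebmanager.mycompany.com", "Constructed Intermediate CA2")
CA2 = skeleton_cert("Constructed Intermediate CA2", "Constructed Intermediate CA1")
CA1 = skeleton_cert("Constructed Intermediate CA1", "Constructed Root CA")

if __name__ == "__main__":
    print(check_chain_order(SERVER + CA2 + CA1))   # correct order
    print(check_chain_order(SERVER + CA1 + CA2))   # intermediates swapped
```
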

Some parameters that can be configured are listed in the table below.

encrypt: If SSL connections are accepted by the database server, setting this parameter to true will ensure that SSL (TLS) is used to encrypt all communication between CLIQ Web Manager and the database.

trustServerCertificate: When using encrypt=true the CLIQ Web Manager end-point will trust the SQL Server certificate without validating the certificate. This is usually required for allowing connections in test environments, such as where the SQL Server instance has only a self-signed certificate.

6.1.3.1 SQL Server instance

If more than one MS SQL Server instance is run on the database server, and if the default instance is not to be used, the instance name can be defined according to the following format: SQL server hostname [\instanceName], example: localhost\MSSQLSERVER2014

6.1.4 Create Windows accounts for CLIQ Web Manager services

For security reasons it is highly recommended to run the Windows services for CLIQ Web Manager with low privilege accounts. During installation of CLIQ Web Manager the installer application will ask you to specify the accounts to use for both the Apache and Tomcat services. It is possible to select the same account for both services, but for higher security it is recommended to use different accounts.

To create local account(s) follow the steps described below. Alternatively an existing domain account can be used; in that case follow the instruction in step 2 for the domain account.

1. Create a local account with the option “User must change password at next login” unchecked. Memorize the account name and its password. Make the account a member of the Users group. The account can be created with the Computer Management tool by selecting item Local Users and Groups/Users.

2. Grant the newly created account the privileges:
   - Log on as a service
   - Act as part of the operating system
   - Deny log on locally
   These privileges can be edited via the Local Security Policy tool by selecting item Local Policies/User Rights Assignment.

Note, if the above Windows account password is changed then the service password has to be updated as well, otherwise the CLIQ Web Manager service(s) will stop working. See the CLIQ Web Manager and CLIQ Remote Operation and Maintenance for how to configure the service password manually.

6.1.5 SQL Server Windows Authentication

When connecting the Tomcat service to the SQL Server database it is recommended to use Windows authentication. In that case a SQL Server login that is associated with the Tomcat service account must be created.

Connect to the SQL Server instance using SQL Server Management Studio and:

1. Ensure that the newly created Tomcat service account can be used as a SQL Server login with Windows authentication in the SQL Server.

2. Create a SQL Server login with Windows Authentication connected to the Tomcat service user.

3. For database permissions see chapter SQL Server login permissions.

6.1.6 SQL Server login permissions

It is recommended to restrict the SQL Server login to the following minimum permissions.

1. Select the Login Properties/User Mapping option and check the [CLIQWebManagerDB] database.

2. In the Database role membership for the [CLIQWebManagerDB] database, check the roles: db_datareader and db_datawriter.

Note, it is not required that the login is database owner of the [CLIQWebManagerDB] database.

6.2 Run the Installer

The CLIQ Web Manager setup is started by running the installer executable. The installer steps contain detailed explanations of the configuration required for the setup. Please refer to the integrated help texts in the installer for the configurations.

If asked about installing the Microsoft Visual C++ 2015 redistributable, agree to do that and continue the CLIQ Web Manager installer afterwards.

Note, during installation of CLIQ Web Manager it is possible that some anti-virus software will report a warning message about the presence of the ncat.exe file in the installation package (ncat was added to enable sending of Apache logs to an external Syslog server). If the warning notification appears, please see the CLIQ Web Manager and CLIQ Remote Troubleshooting Guide document.

6.3 Verify the Installation

To verify that the installation was successful, perform the following steps.

1. Start the Apache service or restart the service if it was already started. If you use the Apache status monitor in the task bar, it should look like below when the service has started (you can also check that the service is started in Windows Administrative Tools - Services):

2. The application server should be automatically started. An icon for “
