ASSA ABLOY - DigitalVA · CLIQ Web Manager Server Installation Instructions

Title: CLIQ Web Manager Server Installation Instructions
Category: CLIQ/Web manager
Author: ASSA ABLOY Shared Tech
Document number: ST-001267
Revision: 7.0
Date: 2017-02-22
Pages: 19
ASSA ABLOY AB (Shared Technologies)

Table of Contents

1 Introduction (page 3)
  1.1 Purpose (page 3)
  1.2 Scope (page 3)
  1.3 Definitions and Abbreviations (page 3)
  1.4 References (page 3)
2 CLIQ Web Manager and CLIQ Remote Overview (page 4)
3 Prerequisites (page 5)
  3.1 Application Ports (page 5)
    3.1.1 Ports for Tomcat and Apache Connection (page 6)
    3.1.2 Port for Proxy for a Certificate Revocation List Access (page 7)
  3.2 Firewall Configuration (page 8)
  3.3 TLS Server Certificate (page 9)
4 CLIQ Web Manager Database (page 9)
  4.1 Install Microsoft SQL Server (page 9)
5 Admin PC (page 11)
  5.1 Install Java SE JRE (page 11)
  5.2 Install CLIQ Web Manager Service Tool and Prepare Database (page 11)
6 CLIQ Web Manager Server (page 11)
  6.1 Preparing to Install (page 11)
    6.1.1 Digital Content Server Integration (page 12)
    6.1.2 Web Server TLS Configuration (page 12)
    6.1.3 Database Configuration (page 12)
    6.1.4 Create Windows Accounts for CLIQ Web Manager Services (page 13)
    6.1.5 SQL Server Windows Authentication (page 14)
    6.1.6 SQL Server Login Permissions (page 14)
  6.2 Run the Installer (page 14)
  6.3 Verify the Installation (page 14)
  6.4 Web Service Throttling (page 15)
  6.5 Configuration of Tomcat Server (page 16)
7 Set Up a Test Environment for Live Data (page 17)
8 Run Multiple CLIQ Locking Systems on One Application Server (page 17)
9 Appendix (page 18)
  9.1 The CLIQ Certificate Bundle (CCB) File (page 18)


1 Introduction

1.1 Purpose

This document describes the installation procedure for the CLIQ Web Manager server environment. For installing CLIQ Remote, please see [2].

1.2 Scope

Third-party software/hardware and infrastructure configuration might be mentioned but will not be fully covered in this guide. Refer to the third-party documentation for details.

The configuration of client PCs is covered in [1].

1.3 Definitions and Abbreviations

Apache: A widely used Open Source web server available at http://httpd.apache.org/

[CLIQ SERVER]: The path to your CLIQ Web Manager installation and configuration, e.g. “C:\Program Files\CLIQ Web Manager”.

CA: Certification Authority, an entity that issues digital certificates. There are many commercial CAs that charge for their services. There are also several providers issuing digital certificates to the public at no cost. Institutions and governments may have their own CAs.

C-key: Programming key

CLIQ Web Manager Service Tool: A Java application used to create the database schema, delete existing key systems, restore the database and import some of the import files (*.mnv, *.kwd).

DCS: Digital Content Server is a server hosted by Assa Abloy that provides digital contents such as certificates issued by CLIQ CAs.

Enrolment Application: Application that handles certificate signing requests to DCS. It is installed together with either CLIQ Web Manager or CLIQ Remote.

.ccb file: The ServerBundle.ccb file contains the certificates and keys for securing communication within the application. The .ccb file is provided by the local CLIQ provider.

CLIQ Connect: CLIQ Connect PC is a PC client used to communicate with the local PD from the CWM web interface, and also mobile phone apps to update keys.

1.4 References

[1] ST-001196, CLIQ Web Manager Client Installation Instructions
[2] ST-001245, CLIQ Remote Server Installation Instructions
[3] ST-001195, CLIQ Web Manager and CLIQ Remote System Requirements
[4] ST-001135, CLIQ Web Manager and CLIQ Remote Operation and Maintenance

2 CLIQ Web Manager and CLIQ Remote Overview

The picture below outlines the main components in a typical setup of CLIQ Web Manager with CLIQ Remote.

Installation of the CLIQ Remote environment is described in [2].

This document covers the installation and configuration of the CLIQ Web Manager environment:

CLIQ Web Manager DB
  - Microsoft SQL Server handling the database

Admin PC
  - CLIQ Web Manager Service Tool

CLIQ Web Manager Server
  - Apache web server handling SSL connections, acting as a proxy for the Tomcat Application Server
  - Tomcat Application Server running the web application
  - CLIQ Web Manager web application configuration
  - Optional CLIQ Remote plugin configuration

3 Prerequisites

Before starting the installation of CLIQ Web Manager, make sure that you have the required hardware and software available; see [3] for more information.

Local administrator privileges are required to complete the installation successfully. The installation procedure assumes that the nodes in the environment have their OS installed and configured and are set up in a network that enables communication between the nodes according to the figure in the CLIQ Web Manager Overview above.

CLIQ Web Manager Server requires several network ports to be available in the operating system. Section 3.1 lists the network ports used by the application.

If CLIQ Remote is to be used, this installation procedure requires that the CLIQ Remote environment is already installed as described in [2].

3.1 Application Ports

The ports occupied by the application, depending on the product selection, are listed in the table below.

Product selection: without CLIQ Remote, without DCS integration
  80 TCP     default web traffic
  443 TCP    CWM web application and web services traffic
  7443 TCP   CLIQ Connect PC
  8009 TCP   Tomcat and Apache connection
  *8019 TCP  Tomcat and Apache connection for web services traffic
  8081 TCP   proxy for certificate revocation list access

Product selection: with CLIQ Remote, without DCS integration
  80 TCP     default web traffic
  443 TCP    CWM web application and web services traffic
  8009 TCP   Tomcat and Apache connection
  *8019 TCP  Tomcat and Apache connection for web services traffic
  8081 TCP   proxy for certificate revocation list access

Product selection: without CLIQ Remote, with DCS integration
  80 TCP     default web traffic
  443 TCP    CWM web application and web services traffic
  7443 TCP   CLIQ Connect PC
  8009 TCP   Tomcat and Apache connection
  *8019 TCP  Tomcat and Apache connection for web services traffic
  8081 TCP   proxy for certificate revocation list access
  8443 TCP   CLIQ Web Manager Enrolment traffic

Product selection: with CLIQ Remote, with DCS integration
  80 TCP     default web traffic
  443 TCP    CWM web application and web services traffic
  8009 TCP   Tomcat and Apache connection
  *8019 TCP  Tomcat and Apache connection for web services traffic
  8081 TCP   proxy for certificate revocation list access

* Port 8019 is used when web service throttling is enabled.

Ports 80, 443, 7443 and 8443 must not be changed. The remaining ports can be changed after the CLIQ installation is completed. After a port configuration update, the CLIQ Web Manager and Apache Windows services must be restarted.

3.1.1 Ports for Tomcat and Apache connection

By default, all traffic between Tomcat and Apache is handled by port 8009. When web service throttling is enabled, the traffic is split over two ports: 8009 and 8019. Port 8009 handles regular CWM web application traffic as well as traffic related to communication with the CLIQ Remote Server, while port 8019 is designated for web services traffic only. Changing port 8009 requires the following configuration update:

In the file <installation_directory>\apache\conf\extra\proxy-ajp.conf find the lines:

    ProxyPass /CLIQWebManager ajp://127.0.0.1:8009/CLIQWebManager retry=2
    ProxyPassReverse /CLIQWebManager ajp://127.0.0.1:8009/CLIQWebManager retry=2
    ProxyPass /CLIQWebManagerEnrolment ajp://127.0.0.1:8009/CLIQWebManagerEnrolment retry=2
    ProxyPassReverse /CLIQWebManagerEnrolment ajp://127.0.0.1:8009/CLIQWebManagerEnrolment retry=2

In the file <installation_directory>\tomcat\conf\server.xml find the following lines:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="org.apache.coyote.ajp.AjpNioProtocol" redirectPort="8443" address="127.0.0.1"/>

In both files change all occurrences of 8009 to the desired port number.

If web service throttling is enabled, changing port 8019 requires the following configuration update:

In the file <installation_directory>\apache\conf\extra\proxy-ajp.conf find the line:

    ProxyPass /CLIQWebManager/ws ajp://127.0.0.1:8019/CLIQWebManager/ws retry=2

In the file <installation_directory>\tomcat\conf\server.xml find the following lines:

    <!-- Define an AJP 1.3 Connector on port 8019 for web services-->
    <Connector port="8019" protocol="org.apache.coyote.ajp.AjpNioProtocol" redirectPort="8443" address="127.0.0.1" maxThreads="5"/>

In both files change all occurrences of 8019 to the desired port number.

When web service throttling is not enabled, port 8019 is not occupied and there is no need to change the configuration related to it.
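
The two files must be edited consistently: if the ajp:// URLs in proxy-ajp.conf and the AJP Connector in server.xml disagree, Apache proxies to a port Tomcat does not listen on, and the address="127.0.0.1" binding on the Connector is what keeps the AJP port reachable only from the local Apache. The following Python script is an added example (not part of this document or the product) that rewrites the port in both files and cross-checks them; the file contents are constructed samples built from the lines quoted above.

```python
import re

# Constructed sample contents for the two files named in section 3.1.1, built
# from the lines this document quotes; not the files shipped with the product.
PROXY_AJP_CONF = """\
ProxyPass /CLIQWebManager ajp://127.0.0.1:8009/CLIQWebManager retry=2
ProxyPassReverse /CLIQWebManager ajp://127.0.0.1:8009/CLIQWebManager retry=2
ProxyPass /CLIQWebManagerEnrolment ajp://127.0.0.1:8009/CLIQWebManagerEnrolment retry=2
ProxyPassReverse /CLIQWebManagerEnrolment ajp://127.0.0.1:8009/CLIQWebManagerEnrolment retry=2
"""

SERVER_XML = """\
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="org.apache.coyote.ajp.AjpNioProtocol" redirectPort="8443"
           address="127.0.0.1"/>
"""

# Ports the document says must not be reassigned.
FIXED_PORTS = {80, 443, 7443, 8443}

AJP_URL_RE = re.compile(r"ajp://127\.0\.0\.1:(\d+)/")
CONNECTOR_RE = re.compile(r"<Connector\b([^>]*)>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def rewrite_ajp_port(proxy_conf, server_xml, old_port, new_port):
    """Return (proxy_conf, server_xml) with old_port replaced by new_port in both.

    Refuses the fixed ports and any port outside the unprivileged range, and
    refuses a one-sided change: if old_port is missing from either file the
    result would leave Apache proxying to a port Tomcat does not listen on.
    """
    if new_port in FIXED_PORTS:
        raise ValueError("port %d is fixed and must not be reassigned" % new_port)
    if not 1024 <= new_port <= 65535:
        raise ValueError("port %d is outside the unprivileged range" % new_port)

    conf_re = re.compile(r"(ajp://127\.0\.0\.1:)%d(/)" % old_port)
    new_conf, n_conf = conf_re.subn(r"\g<1>%d\g<2>" % new_port, proxy_conf)

    xml_re = re.compile(r'(<Connector\b[^>]*?\bport=")%d(")' % old_port)
    new_xml, n_xml = xml_re.subn(r"\g<1>%d\g<2>" % new_port, server_xml)
    # keep the explanatory XML comment in step with the connector
    new_xml = new_xml.replace("on port %d" % old_port, "on port %d" % new_port)

    if n_conf == 0 or n_xml == 0:
        raise ValueError("port %d not found in both files" % old_port)
    return new_conf, new_xml


def check_ajp_wiring(proxy_conf, server_xml):
    """Cross-check the two files; return a list of problems (empty when consistent).

    Every ajp:// port Apache proxies to needs a Tomcat AJP connector on that
    port, and each AJP connector must keep the address="127.0.0.1" binding
    shown in the document so it is reachable only from the local Apache.
    """
    problems = []
    proxied = {int(p) for p in AJP_URL_RE.findall(proxy_conf)}
    connectors = set()
    for m in CONNECTOR_RE.finditer(server_xml):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        if "ajp" not in attrs.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope here
        port = int(attrs["port"])
        connectors.add(port)
        if attrs.get("address") != "127.0.0.1":
            problems.append("AJP connector on port %d is not bound to 127.0.0.1" % port)
    for port in sorted(proxied - connectors):
        problems.append("Apache proxies to port %d but Tomcat has no AJP connector there" % port)
    for port in sorted(connectors - proxied):
        problems.append("Tomcat AJP connector on port %d is not referenced by Apache" % port)
    return problems


if __name__ == "__main__":
    conf, xml = rewrite_ajp_port(PROXY_AJP_CONF, SERVER_XML, 8009, 9009)
    print(conf)
    print(xml)
    print("problems:", check_ajp_wiring(conf, xml) or "none")
```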

3.1.2 Port for proxy for a certificate revocation list access

Port 8081 is used by the proxy for certificate revocation list (CRL) access. Changing that port requires the following configuration updates:

In the file <installation_directory>\apache\conf\extra\httpd-ssl.conf find the lines:

    # URLs to fetch the CRL files from:
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_ABLOY_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_Australia_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_China_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_Hong_Kong_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_India_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_Japan_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_New_Zealand_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_ABLOY_Singapore_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_ASSA_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_IKON_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_Medeco_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_Mul-T-Lock_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_Ruko_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_Shared_Technologies_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_TrioVing_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_Tesa_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_Keso_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_Sargent_CA.txt
    SSLCRL_Url http://localhost:8081/dcs/CLIQ_Corbin_Russwin_CA.txt
    Listen localhost:8081

In the file <installation_directory>\apache\conf\extra\proxy-ajp.conf find the lines:

    <VirtualHost *:8081>
    ProxyPass /dcs http://dcscrl.assaabloy.net/
    </VirtualHost>

In both files change all occurrences of 8081 to the desired port number.

3.2 Firewall Configuration

Ensure that the CLIQ Web Manager Database allows TCP traffic on port 1433 from both the CLIQ Web Manager Server and the Admin PC, to enable the web application and the Service Tool to communicate with the SQL Server using the TDS protocol. The default port for TDS in Microsoft SQL Server is 1433.

Ensure that the CLIQ Web Manager Server allows TCP traffic on port 443 from the Client PCs, to enable the client web browsers to communicate with the web server using the HTTPS protocol.

If integration with DCS is to be used, ensure that TCP/HTTPS traffic on port 443 from the CLIQ Web Manager Server can reach the internet unaltered. Note that it is not required to open incoming traffic from the internet for this purpose, since this communication is always initiated by CLIQ Web Manager. You can also configure proxy server settings for the integration with DCS (traffic from the CLIQ Web Manager Server to DCS is then forwarded through the proxy).

The following applies only if CLIQ Remote is not to be used. The Enrolment application is available on port 8443 by default. If DCS integration is used, ensure that the CLIQ Web Manager Server allows traffic on this port so that clients can enrol in order to log in to CLIQ Web Manager. The CLIQ Connect PC applications connect to port 7443. If CLIQ Connect PC is to be used, ensure that the CLIQ Web Manager Server allows traffic on this port so that the CLIQ Connect PC clients can reach CLIQ Web Manager.

Ports to open for traffic on the CLIQ Web Manager Server, by product selection:

Without CLIQ Remote, without DCS integration
  443 TCP   incoming from Client PCs
  7443 TCP  incoming for CLIQ Connect

With CLIQ Remote, without DCS integration
  443 TCP   incoming from Client PCs
  443 TCP   outgoing to the CLIQ Remote server

Without CLIQ Remote, with DCS integration
  80 TCP    outgoing to the internet (or another port if you use a proxy to connect to the internet)
  443 TCP   incoming from Client PCs
  443 TCP   outgoing to the internet (or another port if you use a proxy to connect to the internet)
  7443 TCP  incoming for CLIQ Connect
  8443 TCP  incoming for user clients to access the enrolment application

With CLIQ Remote, with DCS integration
  80 TCP    outgoing to the internet (or another port if you use a proxy to connect to the internet)
  443 TCP   incoming from Client PCs
  443 TCP   outgoing to the internet (or another port if you use a proxy to connect to the internet)
  443 TCP   outgoing to the CLIQ Remote server

3.3 TLS Server Certificate

The TLS server certificate used by CLIQ Web Manager has to be issued by a certificate authority (CA) that is trusted by the client web browsers; otherwise the web browsers cannot authenticate the server, and users will be shown a security warning that the server cannot be trusted.

For this reason it is highly recommended to have this certificate issued by a CA that is trusted by default by the supported web browsers, to avoid configuration at each client. Examples of such CAs are VeriSign, Comodo and RapidSSL, and the product name for this type of certificate is usually “TLS certificate” or “SSL certificate”.

As the certificate must be issued to the correct server host, e.g. “cliqwebmanager.mycompany.com”, it is only possible to order this certificate from a CA if you are the legitimate owner of the domain used, in this example “mycompany.com”.

Because web browsers will stop supporting SHA-1 certificates, it is highly recommended to use certificates with a SHA-2 signature algorithm.

Contact the CA of your choice for instructions on how to purchase a TLS server certificate. The TLS server certificate is required when installing and configuring the CLIQ Web Manager server.

4 CLIQ Web Manager Database

This chapter describes the steps to install and configure the software for the CLIQ Web Manager database server.

4.1 Install Microsoft SQL Server

1. Install Microsoft SQL Server version 2012 or 2014 according to the instructions provided by Microsoft.

   For security reasons, it is highly recommended to use low-privilege accounts for the SQL services during the installation. The required service permissions for each service can be found in the Microsoft SQL Server documentation.

   It is also recommended for security reasons to use Windows Authentication mode, which enables Windows Authentication and disables SQL Server Authentication, i.e. disables the built-in SQL Server system administrator account (the sa account).

   The collation should be case insensitive.

2. Install the latest Microsoft SQL Server service pack available from Microsoft.

3. Use the SQL Server Configuration Manager to enable the TCP protocol on port 1433 for both the database server instance configuration and the client configuration. Disable other protocols.

4. Connect to the SQL Server instance using SQL Server Management Studio and:

   a. Create a new database for CLIQ Web Manager with a name of your choice. This name will be referred to as [CLIQWebManagerDB] below.

      If SQL Server Windows Authentication will be used to connect to [CLIQWebManagerDB], skip the remaining steps and see chapter 6.1.5, SQL Server Windows Authentication. Windows authentication is the recommended connection method.

   b. Create a login that CLIQ Web Manager will use to log in to the database server. The login can use either Windows Authentication or SQL Server Authentication; Windows Authentication is recommended. The password must not contain any special characters.

   c. To restrict the SQL login permissions, follow the instructions in chapter 6.1.6, SQL Server login permissions.

5 Admin PC

This chapter describes the steps to install and configure the software for the Admin PC.

The Admin PC is used to run the CLIQ Web Manager Service Tool. The Service Tool is used to create the initial database schema. If the integration with DCS is enabled, the import/migration file with the key system is downloaded and processed automatically by CWM. Otherwise, the signed file containing the specified system must be provided manually by the administrator.

The CLIQ Web Manager Service Tool should be run from within a network that is local to the database. The reasons are to minimize the exposure of login credentials and any locking system files used, but also to boost performance, as there will be intense traffic between the Service Tool and the database during the import, which will suffer from long transit times.

The sensitive parts of the locking system data are encrypted in the database using an encryption password. The encryption password is defined by the user at the time the database is first populated with the Service Tool, and must be specified every time the Service Tool connects to import more data later on. Make sure the encryption password is not lost.

5.1 Install Java SE JRE

1. Download and install Java SE JRE from http://www.oracle.com/technetwork/java/javase/downloads/index.html. See the System Requirements document [3] to determine the version to use.

2. Open the Windows System Properties dialog, go to the Advanced tab and open Environment Variables. Define a System variable named JAVA_HOME and assign as its value the path to the folder where the JRE was installed, e.g. “C:\Program Files\Java\jre7”.

5.2 Install CLIQ Web Manager Service Tool and Prepare Database

1. Copy the folder [Delivery Package]\cliq_web_manager\servicetool to a folder of your choice.

2. Follow the procedure “Importing or migrating a CLIQ locking system” described in [4] to create an initial schema in the database.

3. After the first login to the database, the newest database schema is installed automatically. Close the Service Tool.

6 CLIQ Web Manager Server

6.1 Preparing to install

Before you start the installer, please read through the following. This may help in understanding the setup.

6.1.1 Digital Content Server Integration

Digital Content Server (DCS) is hosted by ASSA ABLOY AB and manages and delivers digital content, such as certificates, licenses and extension import files, securely to the installations. You can opt to enable enrolment and other services from the DCS during installation. If DCS integration is enabled, the CLIQ Web Manager Enrolment Application is installed.

6.1.2 Web Server TLS Configuration

The TLS server certificate used by CLIQ Web Manager must be purchased from a commonly trusted CA of your choice. The other certificates used by CLIQ Web Manager are included in the certificate bundle that is provided to you by your CLIQ Provider. The TLS configuration must be completed during installation.

You will need the following certificate files during the installation:

a) The certificate bundle file (ServerBundle.ccb) from your CLIQ provider.

b) The TLS server certificate to be used by CLIQ Web Manager, purchased from a trusted CA.

c) The TLS private key file for CLIQ Web Manager, created as part of applying for the TLS server certificate from a trusted CA.

It is common that the CA issuing the TLS server certificate uses one or more intermediate CAs. All these certificates must form a chain from the server certificate, followed by the issuer of the previous certificate, and so on up to the root CA certificate, e.g. server cert -> intermediate CA2 cert -> intermediate CA1 cert -> root CA cert. The root CA certificates are usually bundled with the end user’s web browser.

If you are using a browser version that is not up to date, it is recommended to make sure TLS 1.2 is enabled (and TLS 1.0 disabled) in the browser and in the Java control panel.

If your TLS server certificate for CLIQ Web Manager was issued by an intermediate CA, append the content of all the intermediate CA certificate files (PEM format) to the end of your TLS certificate chain file. The certificates in the file must be ordered with the server certificate first, followed by the issuer of the previous certificate, and so on until the last intermediate CA in the chain. The root CA does not have to be included, as it is bundled in the end user’s web browser. The content of the resulting file should be similar to:

    -----BEGIN CERTIFICATE-----
    MI…
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MI…
    -----END CERTIFICATE-----

6.1.3 Database Configuration

As part of the database configuration during installation, you can optionally provide additional connection parameters that may be required by your SQL Server installation. The text to be entered in the parameters field consists of one or more key-value pairs. The key and the value are separated by an equals sign (“=”), and if more than one pair is included in the string, the pairs are separated by semicolons (“;”).

Some of the parameters that can be configured are listed in the table below.

encrypt: If SSL connections are accepted by the database server, setting this parameter to true ensures that SSL (TLS) is used to encrypt all communication between CLIQ Web Manager and the database.

trustServerCertificate: When using encrypt=true, the CLIQ Web Manager endpoint will trust the SQL Server certificate without validating it. This is usually required for allowing connections in test environments, such as where the SQL Server instance has only a self-signed certificate.

6.1.3.1 SQL Server instance

If more than one MS SQL Server instance is run on the database server, and the default instance is not to be used, the instance name can be defined according to the following format: <SQL server hostname>[\instanceName], for example:

    localhost\MSSQLSERVER2014
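
The parameters field of section 6.1.3 and the host\instance form of section 6.1.3.1 are easy to get subtly wrong, and encrypt=true combined with trustServerCertificate=true yields an encrypted but unauthenticated connection that the document reserves for test environments. The following Python script is an added example (not part of this document or the installer) that parses both forms and reports which transport case a given parameter string produces; all sample strings are constructed.

```python
import re

# Parameters this document describes for the installer's connection
# parameters field; others may exist, so unknown keys are reported, not rejected.
DOCUMENTED_PARAMS = {"encrypt", "trustServerCertificate"}
BOOL_VALUES = {"true": True, "false": False}

# <SQL server hostname>[\instanceName] as given in section 6.1.3.1
INSTANCE_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)(?:\\(?P<instance>[A-Za-z0-9_$]+))?$")


def parse_connection_params(text):
    """Parse 'key=value;key=value' into a dict.

    Rejects a pair without '=', an empty key and a duplicate key, so a
    mistyped string is caught before it reaches the installer. A trailing
    ';' is tolerated.
    """
    params = {}
    for raw in text.split(";"):
        pair = raw.strip()
        if not pair:
            continue
        if "=" not in pair:
            raise ValueError("parameter without '=': %r" % pair)
        key, value = (part.strip() for part in pair.split("=", 1))
        if not key:
            raise ValueError("empty key in %r" % pair)
        if key in params:
            raise ValueError("duplicate key %r" % key)
        params[key] = value
    return params


def parse_instance(server):
    """Split '<SQL server hostname>[\\instanceName]' into (host, instance or None)."""
    m = INSTANCE_RE.match(server)
    if not m:
        raise ValueError("bad server specification %r" % server)
    return m.group("host"), m.group("instance")


def assess_transport(params):
    """Classify what the encrypt / trustServerCertificate pair actually gives.

    'not-requested': encrypt is absent or false, so this string does not ask
                     for TLS (the driver default, whatever it is, applies)
    'encrypted':     encrypt=true and the SQL Server certificate is validated
    'unvalidated':   encrypt=true with trustServerCertificate=true: traffic is
                     encrypted but any certificate is accepted, which is the
                     test-environment case the document describes
    """
    def flag(name):
        value = params.get(name, "false").strip().lower()
        if value not in BOOL_VALUES:
            raise ValueError("%s must be true or false, got %r" % (name, value))
        return BOOL_VALUES[value]

    if not flag("encrypt"):
        return "not-requested"
    return "unvalidated" if flag("trustServerCertificate") else "encrypted"


def review(text):
    """Parse the field; return (transport class, keys the document does not list)."""
    params = parse_connection_params(text)
    return assess_transport(params), sorted(set(params) - DOCUMENTED_PARAMS)


if __name__ == "__main__":
    for sample in ("encrypt=true", "encrypt=true;trustServerCertificate=true", ""):
        transport, unknown = review(sample)
        print("%-45r -> %s, undocumented keys: %s" % (sample, transport, unknown))
    print(parse_instance("localhost\\MSSQLSERVER2014"))
```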

6.1.4 Create Windows accounts for CLIQ Web Manager services

For security reasons it is highly recommended to run the Windows services for CLIQ Web Manager with low-privilege accounts. During installation of CLIQ Web Manager, the installer application will ask you to specify the accounts to use for both the Apache and Tomcat services. It is possible to select the same account for both services, but for higher security it is recommended to use different accounts.

To create local account(s), follow the steps described below. Alternatively, an existing domain account can be used; in that case, follow the instructions in step 2 for the domain account.

1. Create a local account with the option “User must change password at next login” unchecked. Memorize the account name and its password. Make the account a member of the Users group. The account can be created with the Computer Management tool by selecting the item Local Users and Groups/Users.

2. Grant the newly created account the following privileges:

   - Log on as a service
   - Act as part of the operating system
   - Deny log on locally

   These privileges can be edited via the Local Security Policy tool by selecting the item Local Policies/User Rights Assignment.

Note: if the above Windows account password is changed, the service password has to be updated as well; otherwise the CLIQ Web Manager service(s) will stop working. See the CLIQ Web Manager and CLIQ Remote Operation and Maintenance document [4] for how to configure the service password manually.

Page 14: ASSA ABLOY - DigitalVA · Title CLIQ Web Manager Server Installation Instructions Category Type CLIQ/Web Descriptionmanager Author Document number Revision Date Page (of)

Title CLIQ Web Manager Server Installation Instructions

Category

CLIQ/Web manager Type

Description Author Document number Revision Date Page (of)

ASSA ABLOY Shared Tech ST-001267 7.0 2017-02-22 14 (19)

ASSA ABLOY AB (Shared Technologies)

6.1.5 SQL Server Windows Authentication

When connecting the Tomcat service to the SQL Server database, it is recommended to use Windows authentication. In that case, a SQL Server login associated with the Tomcat service account must be created.

Connect to the SQL Server instance using SQL Server Management Studio and:

1. Ensure that the newly created Tomcat service account can be used as a SQL Server login with Windows authentication in the SQL Server.

2. Create a SQL Server login with Windows Authentication connected to the Tomcat service user.

3. For database permissions, see chapter SQL Server login permissions.

6.1.6 SQL Server login permissions

It is recommended to restrict the SQL Server login to the following minimum permissions:

1. Select the Login Properties/User Mapping option and check the [CLIQWebManagerDB] database.

2. In the Database role membership for the [CLIQWebManagerDB] database, check the roles db_datareader and db_datawriter.

Note: it is not required that the login is the database owner of the [CLIQWebManagerDB] database.
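Sections 6.1.5 and 6.1.6 as one scripted step, added here as an example that is not part of the ASSA ABLOY document: it creates the Windows-authentication login for the Tomcat service account, maps it to CLIQWebManagerDB with db_datareader and db_datawriter only, and then reads back the effective roles so that anything broader (db_owner, sysadmin) is caught. It assumes the SqlServer PowerShell module (for Invoke-Sqlcmd) and a sysadmin session; the instance name and the login name are assumptions.

```powershell
# Added example, not from the ASSA ABLOY document: create the Windows
# authentication login for the Tomcat service account, grant it only
# db_datareader/db_datawriter on CLIQWebManagerDB, and verify least privilege.
# Assumes the SqlServer module and a sysadmin session; names are examples.
param(
    [string]$Instance  = 'localhost',                          # assumed instance
    [string]$LoginName = "$env:COMPUTERNAME\svc-cliq-tomcat",  # assumed; DOMAIN\name for a domain account
    [string]$Database  = 'CLIQWebManagerDB'
)
Import-Module SqlServer

function Set-CliqTomcatLogin {
    param([string]$Instance, [string]$LoginName, [string]$Database)
    # Identifiers cannot be parameterised in T-SQL; reject bracket characters so
    # the operator-supplied names cannot break out of the [...] quoting.
    if (($LoginName + $Database) -match '[\[\]]') { throw 'Names must not contain [ or ]' }
    $tsql = @"
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$LoginName')
    CREATE LOGIN [$LoginName] FROM WINDOWS WITH DEFAULT_DATABASE = [$Database];
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$LoginName')
    CREATE USER [$LoginName] FOR LOGIN [$LoginName];
ALTER ROLE db_datareader ADD MEMBER [$LoginName];
ALTER ROLE db_datawriter ADD MEMBER [$LoginName];
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Query $tsql -ErrorAction Stop
}

function Get-CliqLoginPrivileges {
    param([string]$Instance, [string]$LoginName, [string]$Database)
    $roleQuery = @"
SELECT r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$LoginName' ORDER BY r.name;
"@
    $roles = Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $roleQuery
    $srv   = Invoke-Sqlcmd -ServerInstance $Instance -Query "SELECT ISNULL(IS_SRVROLEMEMBER('sysadmin', N'$LoginName'), 0) AS is_sysadmin;"
    $dbRoles = @($roles | ForEach-Object { $_.role_name })
    $extra   = @($dbRoles | Where-Object { $_ -notin @('db_datareader', 'db_datawriter') })
    [pscustomobject]@{
        Login         = $LoginName
        DatabaseRoles = $dbRoles
        IsSysadmin    = [bool]$srv.is_sysadmin
        # Least privilege as the document defines it: exactly the two roles, no server role.
        LeastPrivilege = (-not [bool]$srv.is_sysadmin) -and ($extra.Count -eq 0) -and
                         ($dbRoles -contains 'db_datareader') -and ($dbRoles -contains 'db_datawriter')
    }
}

Set-CliqTomcatLogin -Instance $Instance -LoginName $LoginName -Database $Database
Get-CliqLoginPrivileges -Instance $Instance -LoginName $LoginName -Database $Database
```

A local machine account only works when SQL Server runs on the same host; with a separate database server use the domain-account variant the document describes. The verification half is worth keeping as a periodic check, since a later "fix" that adds db_owner is exactly the drift the document's note is steering away from.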

6.2 Run the Installer

The CLIQ Web Manager setup is started by running the installer executable. The various installer steps contain detailed explanations of the configuration required for the set-up. Please refer to the integrated help texts in the installer for the configuration details.

If asked about installing the Microsoft Visual C++ 2015 redistributable, agree to do that and continue the CLIQ Web Manager installer afterwards.

Note: during installation of CLIQ Web Manager it is possible that some anti-virus software will report a warning about the presence of the ncat.exe file in the installation package (ncat was added to enable sending of Apache logs to an external Syslog server). If the warning notification appears, please see the CLIQ Web Manager and CLIQ Remote Troubleshooting Guide document.

6.3 Verify the Installation

To verify that the installation was successful, perform the following steps.

1. Start the Apache service, or restart the service if it was already started. If you use the Apache status monitor in the task bar, it should look like below when the service has started (you can also check that the service is started in Windows Administrative Tools -> Services):

2. The application server should be started automatically. An icon for “CLIQ Web Manager” is installed in the task bar. The server can be started and stopped by right-clicking on the icon and selecting Start Service or Stop Service.

3. Verify that the CLIQ Web Manager starts up properly by examining the log file cliqWebManager.log located in [CLIQ SERVER]\tomcat\logs\. Make sure that no errors are logged and that there is a log entry stating “Initializing CLIQ Web Manager version X, build Y”.

4. If CLIQ Remote is used and the CLIQ Remote server is running, you can check that the communication with CLIQ Remote is working properly. When the CLIQ Web Manager has been running for one minute it will begin communicating with the CLIQ Remote server. Open the log file again and look for the log entry “CLIQ Remote server status changed to: ONLINE”.

5. Proceed with installing a Client PC using the document ST-001196-CLIQ Web Manager Client Installation Instructions and then verify that you can log in from a Client PC and start using CLIQ Web Manager.
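The checks in steps 1 to 4 above as a re-runnable PowerShell script, added here as an example that is not part of the ASSA ABLOY document. The Windows service names, the [CLIQ SERVER] path and the "ERROR" level token in the log are assumptions (the document names the services only as "Apache" and "CLIQ Web Manager"); take the real service names from services.msc on the installed host.

```powershell
# Added example, not from the ASSA ABLOY document: the post-install checks of
# section 6.3 as a script. Service names, the [CLIQ SERVER] path and the
# "ERROR" log marker are assumptions; adjust them to the installed host.
param(
    [string]$CliqServer    = 'C:\CLIQ Web Manager',  # assumed [CLIQ SERVER]
    [string]$ApacheService = 'Apache2.4',            # assumed service name
    [string]$TomcatService = 'CLIQWebManager',       # assumed; the Tomcat wrapper is CLIQWebManagerw.exe
    [switch]$ExpectRemote                            # CLIQ Remote is installed and running
)

function Test-CliqInstallation {
    param([string]$CliqServer, [string]$ApacheService, [string]$TomcatService, [switch]$ExpectRemote)
    $r = [ordered]@{}

    # Steps 1 and 2: both services exist and are running.
    foreach ($svc in @($ApacheService, $TomcatService)) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $r["Service $svc running"] = ($null -ne $s) -and ($s.Status -eq 'Running')
    }

    # Step 3: start-up banner present and no error lines.
    $log = Join-Path $CliqServer 'tomcat\logs\cliqWebManager.log'
    $r['Log file present'] = Test-Path $log
    if ($r['Log file present']) {
        $lines  = Get-Content $log
        $banner = @($lines | Select-String -Pattern 'Initializing CLIQ Web Manager version (.+?), build (.+)$' | Select-Object -Last 1)
        $r['Initialized'] = $banner.Count -gt 0
        if ($banner.Count -gt 0) { $r['Version'] = $banner[0].Matches[0].Groups[1].Value }
        # Level token assumed to be "ERROR" (log4j style); adjust to the real log format.
        $r['Error lines'] = @($lines | Select-String -Pattern '\bERROR\b' -CaseSensitive).Count
        # Step 4: only meaningful about a minute after start-up when CLIQ Remote is in use.
        if ($ExpectRemote) {
            $r['CLIQ Remote ONLINE'] = @($lines | Select-String -SimpleMatch 'CLIQ Remote server status changed to: ONLINE').Count -gt 0
        }
    }

    # Overall verdict: every boolean check true and zero error lines.
    $failed = @($r.Values | Where-Object { ($_ -is [bool]) -and (-not $_) })
    $r['Pass'] = ($failed.Count -eq 0) -and ($r['Error lines'] -eq 0)
    [pscustomobject]$r
}

Test-CliqInstallation -CliqServer $CliqServer -ApacheService $ApacheService `
    -TomcatService $TomcatService -ExpectRemote:$ExpectRemote
```

Run it once right after installation and again after the one-minute CLIQ Remote hand-shake window with -ExpectRemote; a Pass of False with a non-zero Error lines count is the cue to open the log and the Troubleshooting Guide the document refers to.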

6.4 Web Service throttling

A high number of Web Service requests can overload the application server, which can result in the GUI becoming non-responsive. To prevent that, Web Service throttling can be turned on. In order to do that, two files have to be modified:

1. Open the file [CLIQ SERVER]\tomcat\conf\server.xml as Administrator in a text editor.

2. Uncomment/add the web service connector:

   <Connector port="8019" protocol="org.apache.coyote.ajp.AjpNioProtocol"
              redirectPort="8443" address="127.0.0.1" maxThreads="5"/>

3. Turn on the throttling setting by changing the attribute “value” from false to true:

   <Environment name="throttlingOn" value="false" type="java.lang.Boolean"
                override="false"/>

4. Open the file [CLIQ SERVER]\apache\conf\extra\proxy-ajp.conf as Administrator in a text editor.

5. Add the line:

   ProxyPass /CLIQWebManager/ws ajp://127.0.0.1:8019/CLIQWebManager/ws retry=2

6. Restart the Apache and Tomcat services.

Throttling has two phases. First it is performed on the connector level, which allows only 5 concurrent requests. The number of concurrent web service requests can be adjusted in server.xml by modifying the “maxThreads” value. If this is not sufficient and the application server would still be overloaded, throttling on the application level is turned on and some queries are discarded until the load has decreased. This prevents the GUI from becoming non-responsive.
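A PowerShell check for the six steps above, added as an example that is not part of the ASSA ABLOY document: it parses server.xml, confirms the 8019 connector is present (a connector still inside an XML comment is invisible to the XPath query, which is the point), bound to 127.0.0.1 and carrying a positive maxThreads, confirms throttlingOn has been switched to true and the ProxyPass line exists, and after the restart confirms that port 8019 is listening on loopback only. The [CLIQ SERVER] path is an assumption.

```powershell
# Added example, not from the ASSA ABLOY document: verify the throttling set-up
# of section 6.4 and that the web service AJP connector is reachable only from
# the local Apache. The [CLIQ SERVER] path is an assumption.
param([string]$CliqServer = 'C:\CLIQ Web Manager')  # assumed [CLIQ SERVER]

function Test-CliqThrottling {
    param([string]$CliqServer)
    $serverXml = Join-Path $CliqServer 'tomcat\conf\server.xml'
    $proxyConf = Join-Path $CliqServer 'apache\conf\extra\proxy-ajp.conf'
    [xml]$cfg = Get-Content -Path $serverXml -Raw

    # Connector level: present (commented-out elements are not matched), AJP,
    # bound to loopback, with a small positive maxThreads (the document uses 5).
    $conn = $cfg.SelectSingleNode("//Connector[@port='8019']")
    $mt = if ($conn) { $conn.GetAttribute('maxThreads') } else { '' }
    $maxThreads = if ($mt -match '^\d+$') { [int]$mt } else { 0 }
    $connectorOk = ($null -ne $conn) -and
        ($conn.GetAttribute('protocol') -eq 'org.apache.coyote.ajp.AjpNioProtocol') -and
        ($conn.GetAttribute('address') -eq '127.0.0.1') -and ($maxThreads -gt 0)

    # Application level: the throttlingOn switch must have been flipped to true.
    $envNode = $cfg.SelectSingleNode("//Environment[@name='throttlingOn']")
    $throttlingOn = ($null -ne $envNode) -and ($envNode.GetAttribute('value') -eq 'true')

    # Apache side: the web service path is forwarded to the throttled connector.
    $proxyPattern = '^\s*ProxyPass\s+/CLIQWebManager/ws\s+ajp://127\.0\.0\.1:8019/CLIQWebManager/ws(\s|$)'
    $proxyOk = (Test-Path $proxyConf) -and
        (@(Get-Content $proxyConf | Select-String -Pattern $proxyPattern).Count -gt 0)

    # Runtime: after the restart, 8019 must be listening on 127.0.0.1 and nowhere else.
    $listen = @(Get-NetTCPConnection -LocalPort 8019 -State Listen -ErrorAction SilentlyContinue)
    $loopbackOnly = ($listen.Count -gt 0) -and
        (@($listen | Where-Object { $_.LocalAddress -ne '127.0.0.1' }).Count -eq 0)

    [pscustomobject]@{
        ConnectorConfigured  = $connectorOk
        MaxThreads           = $maxThreads
        ThrottlingOn         = $throttlingOn
        ProxyPassConfigured  = $proxyOk
        Port8019LoopbackOnly = $loopbackOnly
        Pass = $connectorOk -and $throttlingOn -and $proxyOk -and $loopbackOnly
    }
}

Test-CliqThrottling -CliqServer $CliqServer
```

The address="127.0.0.1" binding matters beyond throttling: AJP carries no authentication of its own, so the connector should only ever be reachable by the local Apache instance, which is why the script treats any other listening address as a failure.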

6.5 Configuration of Tomcat server

If a bigger maximum memory pool is needed, perform the following steps:

1. Go to Tomcat’s bin directory: [CLIQ SERVER]/tomcat/bin/.

2. Run the file CLIQWebManagerw.exe.

3. Go to the Java tab and modify the Maximum memory pool value.


7 Set Up a Test Environment for Live Data

It is often a good idea to set up a replica of the live environment. It can be used to test and practise product and hardware updates, or database operations and maintenance, without affecting or interrupting the live environment.

How to set up a replicated test environment:

1. Depending on your intentions, current environment and needs, decide where to install the replicated environment. It is probably a good idea to install it separated from the live environment.

2. Install the application in the test environment according to this document.

3. Back up the live database and restore it in the test environment. (You will of course need to do this every time you want to test something that is related to the current state of the live database.)

4. Start the application and verify that it works.

8 Run multiple CLIQ Locking Systems on One Application Server

This section contains information about hosting several locking systems in one installation. This means that several customers will share the same CLIQ Web Manager and CLIQ Remote Server. The same secure user authentication as in a single locking system installation will ensure that clients can only access content related to their own locking system when logged in to CLIQ Web Manager.

Pros:

- Several customers can share the same application server as well as database server.
- Several customers will have their version of CLIQ Web Manager updated at the same time.
- It is really quick to start working with CLIQ Web Manager since the server environment already exists. The only thing needed is to set up the Admin and Client PCs.
- It is possible to have locking systems both with and without CLIQ Remote in the same installation.
- It is possible to restore a single locking system from a database backup.
- It is possible to import a new locking system (or extension) without disturbing the other customers on the server.

Cons:

- All customers will run the same version of CLIQ Web Manager. This might be a problem if some customers are not prepared to do an update.
- The URL and server certificate as well as client trust will be the same for all locking systems.
- The mail server will be the same for all locking systems. E-mails from the system will be from the same sender to key holders in all locking systems.
- It is not recommended to run more than 10 - 15 small locking systems on the same application server.

9 Appendix

9.1 The CLIQ Certificate Bundle (ccb) file

The ServerBundle.ccb file is a zip archive with the extension ccb. The archive is not password protected; to get at its contents, simply use your favourite archive software (WinZip, WinRAR or equivalent).

The contents of the ccb file are the following:

ServerBundle.ccb
|- CA
|  |- CliqCA.jks (1)
|  |- CliqCA.pem (2)
|  |- password.txt (3)
|  |- Sha2CliqCA.jks (4)
|  |- Sha2CliqCA.pem (5)
|
|- CliqWebManager
|  |- Client
|     |- cliqCwmClientCertificate.p12 (6)
|     |- password.txt (7)
|
|- RemoteServer (optional)
   |- cert.pem (8)
   |- key.pem (9)
   |- Sha2cert.pem (10)
   |- Sha2key.pem (11)

CliqCA.jks (1) - Key store containing trusted CLIQ CAs (SHA-1 version)
CliqCA.pem (2) - CLIQ CA SHA-1 certificates for trust (PEM encoded)
password.txt (3) - The JKS (1 and 4) password in clear text
Sha2CliqCA.jks (4) - Key store containing trusted CLIQ CAs (SHA-256 version)
Sha2CliqCA.pem (5) - CLIQ CA SHA-256 certificates for trust (PEM encoded)
cliqCwmClientCertificate.p12 (6) - CLIQ Web Manager SHA-256 certificate and private key for client authentication
password.txt (7) - The PKCS #12 (6) password in clear text
cert.pem (8) - CLIQ Remote Server SHA-1 certificate used for server authentication
key.pem (9) - CLIQ Remote Server private key used for server authentication with SHA-1 certificate (8)
Sha2cert.pem (10) - CLIQ Remote Server SHA-256 certificate used for server authentication
Sha2key.pem (11) - CLIQ Remote Server private key used for server authentication with SHA-256 certificate (10)
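An offline inspection of a ServerBundle.ccb, added as an example that is not part of the ASSA ABLOY document: it unpacks the bundle through the .NET zip API (Expand-Archive refuses the .ccb extension), loads every certificate found in the PEM files and the client PKCS #12 using the password from password.txt (7), and reports signature algorithm, subject and expiry together with the location of the clear-text password files. The bundle path is an assumption; the JKS stores (1 and 4) need Java's keytool and are only listed.

```powershell
# Added example, not from the ASSA ABLOY document: inspect a ServerBundle.ccb
# offline and report what it contains. The bundle path is an assumption.
param([string]$BundlePath = '.\ServerBundle.ccb')  # assumed location
Add-Type -AssemblyName System.IO.Compression.FileSystem
$X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]

function Read-PemCertificates {
    param([string]$Path)
    # A PEM file may hold several CA certificates; key.pem files contain no
    # CERTIFICATE block and therefore yield nothing here, which is intended.
    $pem = Get-Content -Path $Path -Raw
    $rx  = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($pem, $rx, 'Singleline')) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        $X509::new($der)
    }
}

function Get-CcbReport {
    param([string]$BundlePath)
    $dest = Join-Path $env:TEMP ('ccb-' + [guid]::NewGuid().ToString('N'))
    [System.IO.Compression.ZipFile]::ExtractToDirectory((Resolve-Path $BundlePath).Path, $dest)
    try {
        $files   = Get-ChildItem -Path $dest -Recurse -File
        $entries = New-Object 'System.Collections.Generic.List[object]'
        foreach ($f in ($files | Where-Object Extension -eq '.pem')) {
            foreach ($c in Read-PemCertificates -Path $f.FullName) {
                $entries.Add([pscustomobject]@{ File = $f.Name; Subject = $c.Subject
                    SigAlg = $c.SignatureAlgorithm.FriendlyName; NotAfter = $c.NotAfter; HasPrivateKey = $false })
            }
        }
        $p12 = $files | Where-Object Name -eq 'cliqCwmClientCertificate.p12' | Select-Object -First 1
        if ($p12) {
            # password.txt (7) sits beside the PKCS #12 and holds its password in clear text.
            $pw = (Get-Content -Path (Join-Path $p12.DirectoryName 'password.txt') -Raw).Trim()
            # Keep the private key out of the user's persistent key store where the runtime allows it.
            $flagsType = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
            $flags = if ([enum]::GetNames($flagsType) -contains 'EphemeralKeySet') { $flagsType::EphemeralKeySet } else { $flagsType::DefaultKeySet }
            $c = $X509::new($p12.FullName, $pw, $flags)
            $entries.Add([pscustomobject]@{ File = $p12.Name; Subject = $c.Subject
                SigAlg = $c.SignatureAlgorithm.FriendlyName; NotAfter = $c.NotAfter; HasPrivateKey = $c.HasPrivateKey })
        }
        $now = Get-Date
        [pscustomobject]@{
            Entries = $entries
            # Clear-text secrets inside the bundle: restrict who can read any extracted copy.
            ClearTextPasswordFiles = @($files | Where-Object Name -eq 'password.txt' | ForEach-Object { $_.FullName.Substring($dest.Length + 1) })
            JavaKeyStores          = @($files | Where-Object Extension -eq '.jks' | ForEach-Object Name)
            Sha1Signed             = @($entries | Where-Object { $_.SigAlg -match 'sha1' } | ForEach-Object File)
            ExpiringWithin90Days   = @($entries | Where-Object { $_.NotAfter -lt $now.AddDays(90) } | ForEach-Object File)
        }
    } finally {
        # The extracted directory contains private keys and passwords: always remove it.
        Remove-Item -Path $dest -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Get-CcbReport -BundlePath $BundlePath
```

Two things the report is meant to surface: the bundle ships private keys and their passwords in clear text, so the .ccb file and any unpacked copy deserve the same access restrictions as a key file; and the SHA-1 material (1, 2, 8, 9) is carried alongside the SHA-256 material, so the Sha1Signed list shows which entries are still in play when planning a move to the SHA-256 set.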