Quick Start Guide - Microsoft Azure

Prerequisites:  
  • You have the ActivID Appliance delivery package, which contains two VHD files:

    • ActivID_Appliance_8.7.0.503-disk1.vhd

    • ActivID_Appliance_8.7.0.503-disk2.vhd

  • You have a Microsoft Azure account with the rights to create resources for a new virtual machine

  • You need a minimum of 200 GB free disk space on your host

Create the Virtual Appliance

  1. On your Microsoft Windows host, extract the two VHD files from the ActivID Appliance delivery package.

    Important: You need a minimum of 200 GB free disk space on your host.
  2. Using the Microsoft Azure portal, import the virtual disks:

    1. Create a Resource group - see Use the Azure portal and Azure Resource Manager to Manage Resource Groups - Azure Resource Manager | Microsoft Learn

    2. Create a storage account - see Create an Azure storage account - Azure Storage | Microsoft Learn

      At minimum, set the following values for the storage account:

      • Resource group - select the resource group you just created

      • Primary service - select Azure Blob Storage or Azure Data Lake Storage Gen 2

      Important: Make sure the Enable hierarchical namespace option is NOT enabled.
    3. Once the storage account is created, expand Data storage in the left menu and select Containers.

    4. Create a new container for the ActivID Appliance VHD disks you will upload in the next step.

  3. On your Microsoft Windows host:

    1. Install the Microsoft Azure Storage Explorer - see Get started with Storage Explorer | Microsoft Learn

    2. Using the Azure Storage Explorer, upload the two ActivID Appliance disks to the new container in the Storage account you created above - see Manage Azure Blob Storage resources with Storage Explorer | Microsoft Learn

  4. Using the Microsoft Azure portal, create a Managed Disk:

    1. Select All Services in the left menu and, under Storage, select the Disks service (or use the filter field).

      Alternatively, go to the Microsoft Azure Marketplace and search for Managed Disks.

    2. Click Create.

    3. Create a managed disk with the following values:

      Parameters        Values
      Resource group    Select the resource group you created above
      Source type       Storage Blob
      Source Blob       1. Click Browse and navigate to the storage account container where you uploaded the ActivID Appliance disks.
                        2. Select your first VHD file (ActivID_Appliance_8.7.0.503-disk1.vhd).
      OS type           Linux
      VM generation     Generation 2
      VM architecture   x64
    4. In the Size section, click Change size.
    5. Set the Custom disk size to 100 GiB and click OK.

    6. Set the values of the other parameters according to your requirements.

    Important: Do NOT repeat this procedure for the second VHD file as you will add it to this managed disk in the next section.
  5. Using the Microsoft Azure portal, create a new Virtual Machine:

    1. Refresh your resources and select the managed disk you just created and click Create VM.

    2. Configure the VM Basics parameters:

      Section              Parameters             Values
      Instance details     Image                  Select the Managed disk name you created above
                           VM architecture        x64
                           Size                   Click See all sizes and select at least D4s_v3 (in the D-Series v3 category)
      Inbound port rules   Public inbound ports   Allow selected ports
                           Select inbound ports   HTTPS (443)
      Licensing            License type           Other
    3. Configure the VM Disks parameters - go to the Data disks for <your virtual machine name> section, click Create and attach a new disk, and set the parameter values as follows:

      Parameters     Values
      Source type    Storage blob
      Storage blob   1. Click Browse and navigate to the storage account container where you uploaded the ActivID Appliance disks.
                     2. Select your second VHD file (ActivID_Appliance_8.7.0.503-disk2.vhd).
      Size           1. Click Change size.
                     2. Set the Custom disk size to 100 GiB and click OK.

    4. Configure the VM Networking settings:

      Parameters                   Values
      Virtual network              Click Create new to create a new virtual network for your first ActivID Appliance VM
                                   Note: You will be able to re-use this new virtual network for the second node of your high availability (HA) deployment.
      Public IP                    None
      NIC network security group   Basic
      Public inbound ports         Allow selected ports
      Select inbound ports         HTTPS (443)
    5. Optionally, configure the VM Monitoring settings:

      1. Under Alerts, select the Enable recommended alert rules option.

      2. Click Configure, select the required alert rules and then click Save.

    6. Click Review + create.

    7. Verify the configuration is correct and then click Create.

    Note: As a best practice, it is strongly recommended that you enable VM disk encryption using one of the Microsoft Azure encryption options that meets your requirements. For further information, see Overview of managed disk encryption options | Microsoft Learn
  6. Configure the inbound security rules:

    1. Expand Networking in the left menu for your ActivID Appliance VM and select Network settings.

    2. In the Rules section, click on the link for the Network security group of your ActivID Appliance VM.

    3. Expand Settings in the left menu and select Inbound security rules.

    4. Click Add and apply the following port configuration on the network firewall(s) in front of your ActivID Appliance VM:

      Source   Source port ranges   Destination   Service   Port   Protocol   For                                           Reference
      Any      *                    Any           Custom    40     TCP        Application - sshd service                    Used for emergency SSH access for administrators
      Any      *                    Any           Custom    161    UDP        Application - SNMP Monitoring                 Used for SNMP-based notification messaging (opened only if SNMP has been enabled)
      Any      *                    Any           Custom    1004   TCP        Application - OpenWire (AMQ)                  Used for ActiveMQ Broker (JMS messaging)
      Any      *                    Any           Custom    1005   TCP        Application - HTTPS                           Used for the ActivID Console
      Any      *                    Any           Custom    1812   UDP        Application - RADIUS authentication           Used for VPN, routers, network and remote access devices
      Any      *                    Any           Custom    8443   TCP        Application - HTTPS (mutual authentication)   Used for the ActivID Management Console, Authentication Portal, Self Service Portal, Web Services

      Note: Adapt the configuration to meet the requirements of your security policy.

      Important: In High Availability mode, ActivID Appliance requires reliable inter-node communication to replicate the data between the two nodes.
      • Make sure that the bandwidth and latency on the route between the two appliances are sufficient for replication.
      • If you have a VLAN between the two nodes, you have to be particularly careful with the resources dedicated to this VLAN.
      • ActivID Appliance uses IPSec to encrypt the communications over the channel.
      • If the appliances are not on the same subnet, then you have to open IP Protocol ID 50 (required for Encapsulating Security Payload (ESP) traffic to be forwarded) and the following ports for IPSec communication:

        Port   Type   Application     Description
        500    UDP    IKE             IPSec Channel
        4500   UDP    NAT-Traversal   NAT
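The port table above is entered rule by rule in the portal. The following added example (not HID's or Microsoft's code) expresses the same table as an ARM-style `securityRules` array and runs a simple exposure check over it, so the Any source that the guide uses for every row can be reviewed against your own policy before the rules go in. The rule names and priorities, the `ADMIN_CIDR` placeholder, the choice of which services are flagged as admin-only, and the optional HA rules for nodes on different subnets are all assumptions made for this example.

```python
"""Inbound NSG rules for the appliance port table, with an exposure check.

Added example, not HID's or Microsoft's code. Rules are emitted in the shape
of the ARM 'securityRules' array (name, priority, direction, access,
protocol, source/destination prefixes and port ranges). Rule names,
priorities, ADMIN_CIDR, the admin_only flags and the exposure policy are
assumptions for illustration.
"""
import ipaddress
import json
from typing import List, Optional

ADMIN_CIDR = "10.10.0.0/24"  # constructed placeholder: your administrators' address range

# (port, ARM protocol value, purpose, admin_only). admin_only marks services we
# assume should not be reachable from any source; the guide leaves that to your
# security policy.
APPLIANCE_PORTS = [
    (40,   "Tcp", "sshd - emergency SSH access for administrators", True),
    (161,  "Udp", "SNMP monitoring (only if SNMP is enabled)",      True),
    (1004, "Tcp", "OpenWire - ActiveMQ broker (JMS messaging)",     False),
    (1005, "Tcp", "HTTPS - ActivID Console",                        True),
    (1812, "Udp", "RADIUS authentication",                          False),
    (8443, "Tcp", "HTTPS mutual auth - Management Console, portals, web services", False),
]
# HA nodes on different subnets: IKE, NAT traversal and ESP (IP protocol 50).
HA_IPSEC_RULES = [
    (500,  "Udp", "IKE - IPSec channel"),
    (4500, "Udp", "NAT traversal"),
    ("*",  "Esp", "Encapsulating Security Payload, IP protocol 50"),
]
ADMIN_PORTS = {str(p) for p, _, _, admin in APPLIANCE_PORTS if admin}
OPEN_SOURCES = {"*", "Any", "Internet"}


def _rule(name, priority, protocol, source, dest_port, description):
    """One ARM security rule; inbound allow to the VM on the given port."""
    return {
        "name": name,
        "properties": {
            "priority": priority,
            "direction": "Inbound",
            "access": "Allow",
            "protocol": protocol,
            "sourceAddressPrefix": source,
            "sourcePortRange": "*",
            "destinationAddressPrefix": "*",
            "destinationPortRange": dest_port,
            "description": description,
        },
    }


def build_rules(admin_cidr: str, ha_peer_cidr: Optional[str] = None) -> List[dict]:
    """Rules for the port table; HA IPSec rules are added only when a peer range is given."""
    if admin_cidr not in OPEN_SOURCES:
        ipaddress.ip_network(admin_cidr, strict=False)  # raises ValueError on bad input
    rules, priority = [], 100
    for port, proto, purpose, admin_only in APPLIANCE_PORTS:
        source = admin_cidr if admin_only else "*"
        rules.append(_rule(f"allow-{proto.lower()}-{port}", priority, proto, source, str(port), purpose))
        priority += 10
    if ha_peer_cidr:
        ipaddress.ip_network(ha_peer_cidr, strict=False)
        for port, proto, purpose in HA_IPSEC_RULES:
            name = f"allow-ha-{proto.lower()}-{port}".replace("*", "any")
            rules.append(_rule(name, priority, proto, ha_peer_cidr, str(port), purpose))
            priority += 10
    return rules


def check_exposure(rules: List[dict]) -> List[str]:
    """Names of rules that allow an admin-only port from any source."""
    return [r["name"] for r in rules
            if r["properties"]["destinationPortRange"] in ADMIN_PORTS
            and r["properties"]["sourceAddressPrefix"] in OPEN_SOURCES]


if __name__ == "__main__":
    rules = build_rules(ADMIN_CIDR, ha_peer_cidr="10.0.1.0/24")  # peer range is constructed
    print(json.dumps({"securityRules": rules}, indent=2))
    print("admin ports open to any source in the table as printed:", check_exposure(build_rules("*")))
```

Running the script prints the JSON fragment and then lists the three admin-facing rules (SSH, SNMP and the ActivID Console) that remain open to any source when the table is applied literally; passing your real administrator range instead of `"*"` clears the list while leaving the service ports (RADIUS, OpenWire, 8443) reachable as the guide intends.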

Configure Network Access to the ActivID Appliance

In its current state, the ActivID Appliance is not accessible from outside its Virtual Network even though the SSH and HTTP ports are open.

There are several ways to configure the access to the ActivID Appliance from outside its Virtual Network and obtain the hostname required to access the ActivID Appliance portals.

For example, depending on your requirements, you can place the appliance behind a Microsoft Azure Load Balancer or an Azure Application Gateway, the options referenced by the hostname prompt in Set the Initial Network Configuration.

Note: In test environments, you can assign a public IP address to the ActivID Appliance. However, this is NOT recommended in production environments for security reasons.
Important: Once you have configured access to the ActivID Appliance, make a note of the VM's fully qualified hostname.

Before you configure and initialize the appliance, it is recommended that you create a snapshot of its Initial State.

Set the Initial Network Configuration

You must configure initial network settings before you can initialize the appliance.

For details and illustrations, see Configure the Initial Settings for a Microsoft Azure VM.

Prerequisites: Before configuring the appliance, you must have the following available:
  • You know the ActivID Appliance VM's fully qualified hostname (defined during Configure Network Access to the ActivID Appliance)

  • If you have exposed the ActivID Appliance outside its virtual private network using a public IP address (not recommended), make sure a DNS record for the appliance hostname exists on the DNS server used to register it

    Recording the appliance name and IP address in your DNS server lets the name resolve when you enter the ActivID Console and ActivID Management Console URLs in a browser, either on the appliance or remotely from another machine, for administration purposes.

  • An SFTP server is accessible from the ActivID Appliance

  1. In the Microsoft Azure portal, refresh your resources and select the ActivID Appliance virtual machine.

  2. Expand Help in the left menu and select Serial console to launch the ActivID UNIX Terminal.

  3. Log on as the ActivID Appliance administrator (appadmin) using the default credentials:

    • Username – appadmin

    • Password – password01

    You are prompted to change the default password.

  4. Enter the current (default) password.

  5. Enter and confirm a new password.

    Important:
    • Make sure you keep a record of the password

    • The password must contain a minimum of 6 characters

  6. Run the configure_network.sh script to configure the ActivID Appliance network using the following command:

    ./configure_network.sh
  7. When prompted for the fully qualified hostname:

    • If the ActivID Appliance is behind a Microsoft Azure Load Balancer or uses an Azure Application Gateway, enter the required value

      You do not need the DNS record as the IP belongs to the virtual private network and is inaccessible from outside.

    • If you have exposed the ActivID Appliance outside its virtual private network using a public IP address (not recommended), enter the DNS record for the IP address

    Important:
    • Make sure that this name does not contain the _ character as it is not supported by DNS

    • The maximum length of the hostname is 46 characters

  8. Accept default values for all the other prompts.

    In particular, enter the following answers:

    The default gateway 10.0.0.1 is unreachable.

    Do you still want to configure this value [y|n] (n) ? y

    Current DNS servers [ …].

    Do you want to configure DNS servers [y|n] (n) ? n

  9. Review the configuration.

  10. When prompted, enter y to confirm the configuration is correct, and then press Enter.

    The configuration process might take several minutes.

  11. Run the configure_route.sh script to add the network route using the following command:

    ./configure_route.sh
  12. To update the terminal display with the expected keyboard layout, run the configure_keyboard_layout.sh script using the following command:

    ./configure_keyboard_layout.sh
  13. Enter your keyboard layout and press Enter.

    Note:  
    • By default, the appliance is configured with English (us) keyboard layout

    • The Microsoft Azure Serial Console automatically adapts to the language of the host keyboard (for example, French)

      However, the ActivID UNIX Terminal still uses the English (us) keyboard layout. Running configure_keyboard_layout.sh sets the expected value in the system, which can be useful when using another type of terminal.

Initialize the ActivID Appliance (Full)

  1. Log on to the ActivID Console and under Appliance in the left-side menu, select Dashboard.

    The ActivID Appliance License Agreement is displayed.

  2. Accept the agreement and click Next.

  3. In the Initialization section of the Dashboard, select Full installation to install all the ActivID applications.

    The deployment of the Authentication Services and the database is enforced.

    To install only the ActivID Front Ends (ActivID Management Console, Self-Service Portal and RADIUS Front End), follow the instructions in Initialize the ActivID Appliance (Front End).

    Important: Once an installation type is applied, the only way to change it is to revert the appliance to the initial state.
  4. Click Initialize.

    The configuration process might take several minutes.

    When the installation is complete, the appliance Dashboard is displayed.

  5. Under Configuration in the left-side menu, select Security Domains (or click Go to Security Domains in the Dashboard).

  6. To add a security domain, click Add.

    Note: Adding a domain causes an interruption of service and the process might take several minutes.

    When you create a new security domain, it adds a new set of data to your deployment.

    This data is specific to your domain and is defined by the dataset you chose when creating the domain (for example, the default users and permissions included in the dataset).

  7. Enter the Domain Name, select the Dataset from the drop-down list and, optionally, enter a Description.

    Important: You must apply the following rules when creating the domain name:
    • Must contain alphanumeric characters
    • Must not contain any of the special ! # % & ( ) + " ' < > ? * - _ characters
    • Must not start with a numerical character
    • Must be a maximum of 20 characters
    • Must not be a variation of an existing security domain name using a different case for one or more characters (for example, do not use Onlinebank when ONLINEBANK already exists)
    • Oracle reserved keywords are not allowed (for example, “SELECT” or “ONLINE”)
  8. Enter and confirm the password for the ActivID Initialization User (ftinit).

    Important:  
    • This user is the pre-defined administrator account for the security domain.

      Make sure you keep a record of the password

    • The password must:

      • Contain at least one alphabetic and one numeric character

      • Contain at least 3 different characters

      • Be a maximum of 20 characters

      • Be a minimum of 10 characters

      • Be different from any previous password

      • Not contain blacklisted or user-related words

      • Not be a sequence of letters or numbers

      • Not be password01

  9. Then click Add.

  10. Repeat the previous step to create additional domains.

  11. Then click Save.

  12. Click Ok when the creation process is complete.

  13. Under Appliance in the left menu, select Dashboard and then review the appliance status.

When you have completed all the previous steps, go to Your First Steps.
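The appliance rejects a domain name or ftinit password that breaks the rules in steps 7 and 8 only after you submit the form, and the hostname limits from Set the Initial Network Configuration (no `_`, at most 46 characters) are checked by the `configure_network.sh` prompt. The following added example (not part of the ActivID Appliance) lets you check planned values beforehand from the rules as the guide states them. The reserved-word list and the word blacklist are constructed subsets, since the guide gives only examples, and treating a "sequence of letters or numbers" as a run such as abcdefghij or 0123456789 is this example's interpretation.

```python
"""Pre-flight validators for the hostname, security domain name and ftinit
password rules in this guide.

Added example, not part of the ActivID Appliance. ORACLE_RESERVED and
BLACKLIST are constructed subsets; _is_sequence encodes one interpretation
of "sequence of letters or numbers".
"""
import string
from typing import Iterable, List

# Constructed: the guide only gives SELECT and ONLINE as examples of reserved words.
ORACLE_RESERVED = {"SELECT", "ONLINE", "TABLE", "USER", "ORDER", "GROUP", "DATE"}
# Constructed: the guide says "blacklisted or user-related words" without listing them.
BLACKLIST = {"password", "activid", "appliance", "admin"}
# Special characters the guide forbids in a security domain name.
DOMAIN_FORBIDDEN = set('!#%&()+"\'<>?*-_')
SEQ_ALPHABETS = (string.ascii_lowercase, string.digits)


def check_hostname(name: str) -> List[str]:
    """Rules from the fully qualified hostname prompt: no '_' and at most 46 characters."""
    errors = []
    if "_" in name:
        errors.append("hostname contains '_', which DNS does not support")
    if len(name) > 46:
        errors.append("hostname exceeds 46 characters")
    return errors


def check_domain_name(name: str, existing: Iterable[str] = ()) -> List[str]:
    """Security domain name rules; 'existing' lists domains already created."""
    errors = []
    if not name or not any(c.isalnum() for c in name):
        errors.append("must contain alphanumeric characters")
    bad = sorted(DOMAIN_FORBIDDEN & set(name))
    if bad:
        errors.append("contains forbidden characters: " + " ".join(bad))
    if name[:1].isdigit():
        errors.append("must not start with a numerical character")
    if len(name) > 20:
        errors.append("must be at most 20 characters")
    if name.upper() in {e.upper() for e in existing}:
        errors.append("duplicates an existing domain name, possibly in a different case")
    if name.upper() in ORACLE_RESERVED:
        errors.append("is an Oracle reserved keyword")
    return errors


def _is_sequence(pw: str) -> bool:
    """Assumption: a sequence is a run like abcdefghij or 0123456789, in either direction."""
    if len(pw) < 2:
        return False
    low = pw.lower()
    return any(low in alphabet or low in alphabet[::-1] for alphabet in SEQ_ALPHABETS)


def check_ftinit_password(pw: str, previous: Iterable[str] = (), username: str = "ftinit") -> List[str]:
    """Password rules for the ActivID Initialization User; 'previous' holds earlier passwords."""
    errors = []
    if not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
        errors.append("must contain at least one alphabetic and one numeric character")
    if len(set(pw)) < 3:
        errors.append("must contain at least 3 different characters")
    if not 10 <= len(pw) <= 20:
        errors.append("must be between 10 and 20 characters")
    if pw in set(previous):
        errors.append("must differ from any previous password")
    low = pw.lower()
    hits = sorted(w for w in BLACKLIST | {username.lower()} if w in low)
    if hits:
        errors.append("contains blacklisted or user-related words: " + ", ".join(hits))
    if _is_sequence(pw):
        errors.append("must not be a sequence of letters or numbers")
    if pw == "password01":
        errors.append("must not be the default password01")
    return errors


if __name__ == "__main__":
    # Constructed sample values, including the guide's own Onlinebank/ONLINEBANK case.
    print(check_hostname("app_1.example.com"))
    print(check_domain_name("Onlinebank", existing=["ONLINEBANK"]))
    print(check_domain_name("Retail1"))
    print(check_ftinit_password("password01"))
    print(check_ftinit_password("Quartz7Lemon"))
```

Each function returns the list of rules a value breaks (an empty list means the value passes), so the same checks can be run over a whole planning sheet before anyone opens the ActivID Console.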

Optional Steps

Configure an External HSM

If you want to integrate a network Entrust® nShield® Connect HSM (all versions) as an external HSM with the ActivID Appliance, you can install and configure the HSM as described in Integrating External Hardware Security Modules.

Enable Security Domains for RADIUS Front End

If you want to use the ActivID RADIUS Front End, you can activate the service on all or a subset of the security domains as described in Enable the RADIUS Front End (Optional).

You can also configure the ActivID RADIUS Front End for the push-based solution.

Configure the ActivID Application Ports

If you want to customize the URLs for the ActivID applications and services by defining the access ports, you can use the ActivID Console to configure the port settings.

Initialize the ActivID Appliance (Front End)

Prerequisites:  
  • The ActivID Authentication Services have already been initialized on the back-end appliance(s) using the Full installation option.

  • You know the passwords for the ftinit accounts associated with the security domain(s) that the front-end installation will join.

  • Download the Appliance Root CA certificate for the back-end appliance (or the CA certificate if you customized the back-end TLS server certificate) and make sure that it is accessible from the system where you will install the front-end appliance.

  • You have configured the appliance network using the ActivID UNIX Terminal.

  1. Log on to the ActivID Console and under Appliance in the left-side menu, select Dashboard.

    The ActivID Appliance License Agreement is displayed.

  2. Accept the agreement and click Next.

  3. In the Initialization section of the dashboard, select Front-End installation.

    Important: Once an installation type is applied, the only way to change it is to revert the appliance to the initial state.
  4. For the back-end appliance where you installed the ActivID Authentication Services:

    • Enter the hostname

    • Enter the https port

    • Upload the SSL Server Root CA Certificate (the Appliance Root CA Certificate or the customized CA certificate that you downloaded before starting the installation).

  5. Click Initialize.

  6. Under Configuration in the left-side menu, select Key Stores.

  7. Download the Appliance Root CA Certificate for the front-end appliance that you will need to upload to the back-end appliance.

  8. Log on to the ActivID Console for the back-end appliance and, under Configuration in the left-side menu, select Key Stores.

  9. Browse to the Appliance Root CA Certificate for the front-end appliance and click Import.

  10. Under Configuration in the left-side menu, click Applications, and then click Restart all Applications to establish the trusted connection to the front-end appliance.

  11. Return to the ActivID Console for the front-end appliance and, under Configuration in the left-side menu, click Security Domains.

  12. Click Join.

  13. Enter the name(s) of the Security Domains and the Password(s) for the corresponding ftinit users that the front-end installation should join.

    You can join all or only a subset of the security domains.

    Important: The names of the security domains must be exactly as defined in the back-end appliance (including upper or lower case).
  14. If you want to deploy the ActivID RADIUS Front End on one or more security domains, under Configuration in the left-side menu, select RADIUS Front End.

  15. Select the checkbox(es) of the domain(s) that you want to activate for RADIUS Front End and click Activate on domain(s), and then click OK.

  16. Under Appliance in the left-side menu, select Dashboard and then review the appliance status.

When you have completed all the previous steps, go to Your First Steps.