Setup Overview
In a default ActivID CMS configuration, the web server and the ActivID CMS application server both reside on the same system.
In a three-tier or multi-platform configuration, the presentation, the application processing, and the data management are all logically separate processes. For ActivID CMS, this means:
- Tier 1 is where the Microsoft® Windows® Internet Information Services (IIS) server and ISAPI redirector reside.
- Tier 2 is where the ActivID CMS server resides.
- Tier 3 is where the ActivID CMS database resides.
One Microsoft Windows Server system hosts the web server and the IIS redirector server. Another Windows Server system acts as the ActivID CMS application server (where the ActivID CMS software resides).
IIS servers provide a set of Internet-based tools and services for creating, managing, and securing websites. IIS servers can function as web-based application servers for use with Microsoft Windows-based networks.
It is strongly recommended that communication between Tier 1 and Tier 2 be secured with a firewall and a security mechanism such as IPsec (Internet Protocol Security). This protocol suite secures IP communications by authenticating and encrypting the IP packets in a data stream.
You must configure the IIS redirector server using the Internet Server Application Programming Interface (ISAPI), an API for the IIS web server services. Please refer to the following figure, which illustrates the concept of the three-tier or multi-platform client-server architecture for ActivID CMS.
Three-Tier Architecture

This release of ActivID CMS supports the following environments for the three-tier configuration.
The following steps describe Windows Server 2008, but the same steps apply to later versions as well.
For an IIS 7.0 three-tier configuration: a Windows Server 2008 server for the web server and IIS redirector, and a Windows Server 2008 server for the ActivID CMS application server. If IIS 7.0 is installed on a Windows Server 2008 server, then the roles of ISAPI Extensions, ISAPI Filters, and Management Tools are enough. (For details, please see the following two illustrations.)
For three-tier configuration, you must meet the following prerequisites:
- A Secure Sockets Layer (SSL) certificate has been generated for the IIS redirector server. An SSL certificate establishes a private communication channel that enables the encryption of any data that is transmitted. Encryption creates an envelope that encapsulates and keeps the transmitted data secure and private.
  Note: This private communication channel is between Tier 1 and the end-point client. This channel does not protect the communication between Tier 1 and Tier 2 servers.
- You must secure communication between Tier 1 and Tier 2 servers using a mechanism such as IPsec. This is similar to using a load balancer to perform SSL termination. If the link between a Tier 1 and Tier 2 server is not secured, there is a risk of information disclosure as well as elevation of access privileges. The IPsec configuration should be set to allow a Tier 2 server to receive packets only from a Tier 1 server and NO other systems.

This section explains how to set up and configure a Tier 2 ActivID CMS server so that it accepts requests only from a Tier 1 server. On Tier 2 ActivID CMS server systems, the Apache Tomcat configuration needs to be updated to allow access from the Tier 1 IIS server:
- Edit the server.xml file located in the following conf directory:
  C:\Program Files\HID Global\Credential Management System\tomcat\conf
- Locate the line for the ajp13 connector, for example:
  <Connector address="127.0.0.1" port="8009" protocol="AJP/1.3" redirectPort="8443" requiredSecret="DD86CAD283C9ABB7AA1A229122535B"></Connector>
- Remove the address="127.0.0.1" parameter, which results in the following example:
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" requiredSecret="DD86CAD283C9ABB7AA1A229122535B"></Connector>
- After you have made these changes, save the server.xml file.
- Restart the ActivID CMS server.
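One way to review the edited server.xml after the steps above, as an added example that is not part of the ActivID CMS documentation or product. The function name audit_ajp_connectors, the sample XML and its placeholder secret are constructed for illustration; the check also accepts the secret attribute, which newer Tomcat releases use in place of requiredSecret.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample, not a real ActivID CMS server.xml; the secret is a placeholder.
SAMPLE = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               requiredSecret="PLACEHOLDER-SECRET"/>
    <Connector address="127.0.0.1" port="8010" protocol="AJP/1.3"
               redirectPort="8443"/>
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml_text):
    """Return one finding dict per AJP connector found in a Tomcat server.xml."""
    findings = []
    root = ET.fromstring(server_xml_text)
    for conn in root.iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP/HTTPS connectors are out of scope for this check
        address = conn.get("address")  # absent means: listen on all interfaces
        # The page uses requiredSecret; newer Tomcat names the attribute secret.
        secret = conn.get("requiredSecret") or conn.get("secret") or ""
        notes = []
        if address is None:
            notes.append("listens on all interfaces: limit the port to "
                         "Tier 1 with IPsec/firewall")
        elif address in LOOPBACK:
            notes.append("loopback only: a remote Tier 1 redirector "
                         "cannot connect")
        if not secret:
            notes.append("no shared secret: any host that reaches the port "
                         "can send AJP requests")
        findings.append({
            "port": conn.get("port"),
            "address": address or "*",
            "has_secret": bool(secret),
            "notes": notes,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE):
        print(finding)
```
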