Typical Installation
This section describes how to perform a full installation of ActivID CMS. Please read the Setup Type section before proceeding.
If you want to perform a specific installation of ActivID CMS, that is, selecting the components that you want to install (for instance, if you are installing a peer server), go to Custom Installation.
If you want to install ActivID CMS with a hotfix in one operation, refer to Install ActivID CMS with a Hotfix.
-
Log on to the ActivID CMS server with a Windows account with local administrative rights.
Note: To install ActivID CMS with SQL in Windows authentication mode, you must log on as a User or Administrator of the domain; with a local account, you cannot install ActivID CMS.
-
In the ActivID CMS distribution, run the HID Credential Management System.msi program.
Note: The program name has changed with respect to previous versions ("HID Credential Management System" instead of "ActivID Credential Management System").
Important: If you do not want to grant the ActivID CMS database administrator privileges, you can create and configure ActivID CMS databases manually using the scripts found in the DBScripts folder of the ActivID CMS distribution. Refer to the release-note.txt file in the folder for a description of all the scripts.
The Welcome page appears:
-
Click Next.
The License Agreement page appears:
-
Read the license agreement. If you wish to proceed with the execution of the license agreement, select I accept the terms in the license agreement. Otherwise, click Cancel to quit the setup.
-
Click Next.
The Setup Type page appears:
-
Select Typical, and then click Next.
A typical installation both installs the ActivID CMS binaries and configures the databases for use with ActivID CMS. If you prefer to have your database administrator perform these functions, select Custom, and proceed to Custom Installation.
The Select Java Runtime Environment page appears:
-
Select Use the default Java Runtime Environment, and then click Next.
This option automatically installs the default Java Runtime Environment (JRE) provided with the ActivID CMS set-up. If you prefer to use a JRE that is already installed on the machine, choose Select an existing Java Runtime Environment and indicate the path to the home directory of the JRE to be used.
Important: It is not possible to change the JRE subsequently if the Use the default Java Runtime Environment option is chosen during ActivID CMS installation.
Note: If you choose not to use the default JRE, you must make sure that the JRE selected using the Select an existing Java Runtime Environment option meets the minimum requirements for ActivID CMS.
JRE 11 is the minimum requirement for ActivID CMS 5.3 and higher.
JRE 17 is the most recent version currently supported for ActivID CMS.
You can also customize the JRE after installation using the CMS_JAVA_HOME environment variable, but only if the Select an existing Java Runtime Environment option was used during ActivID CMS installation.
The Database Server Information page appears:
Here you must configure the database server information to specify the database location and the authentication credentials. ActivID CMS uses this information to create databases in your database management system.
Important: ActivID CMS only offers to install a database for which it has found a client on the machine. If it finds only one client, for instance MS SQL, then “Microsoft SQL Server” becomes the only option in the drop-down list.
What If My Server’s Name is Not in the List?
If the name of your server does not appear in the server list, then enter the IP address (and Instance name for Oracle database) in the Database Server field on the Database Server Information page. For SQL servers to be detected, the corresponding SQL Server Browser service must be enabled and started.
What is the Database Administrator Password Used for?
The Database Administrator Password is used by the installation to create six databases (AIMSEE, AIMSAUDIT, AIMSLGI, AIMSCTI, AIMSRQI, and AIMSUSER) during setup. This password is not stored by ActivID CMS after the setup.
What is the Database Owner Password Used for?
The Database Owner Password is used to access each of the six databases. Each of the databases has an owner named after the database name (for example, AIMSEE) with the Database Owner Password that you are defining here.
-
Make sure that the Database Server Type drop-down list is set to the correct database type (Microsoft SQL Server or Oracle).
-
In the Database Server field, enter the database server IP address (for example, "192.168.10.63").
-or-
Next to the Database Server field, click Browse to locate your server on the network. (The Browse function is available only if you installed the Microsoft SQL Server Client or Oracle Client Tools.)
-
If you have a database backup server, enter the database server IP address in the Backup Server field, or click Browse to locate your server on the network.
-
Under Connect using, select SQL Server authentication or Windows authentication. This specifies which connection mode is used by ActivID CMS to connect to the databases. For more information about database authentication modes, see Database Authentication Type.
-
If you select Windows authentication mode, in the User Account and Password fields, enter the login name and password of the Windows user account for the ActivID CMS database owner respectively.
-
If you select SQL Server authentication mode, under Database Administrator Credentials, enter the login name and the password of the database Administrator. Under Database Owner Password, create a Database Owner password and confirm it.
Note: If the SQL Server authentication mode is selected, the SQL Server must be explicitly configured to accept SQL authentication.
-
Click Next.
The Web Server Configuration page appears:
Note:
-
The above example shows the Web Server Configuration page if you selected SQL Server as the database authentication mode.
-
The ActivID CMS user is a standard user configured as indicated in Running ActivID CMS as a Standard User.
-
In the Web Site Name field, enter the same website name that is used to create the ActivID CMS website in IIS. You can leave the default CMS Web Site, or choose another name.
The website name appears in the IIS console under Web Sites. It is not related to the Web server public certificate.
For example:
-
In the HTTP Port field, enter a port number, or leave the default value.
The HTTP port is required by IIS to create the ActivID CMS website. Make sure that the port is not already in use by another application, so that the two do not interfere with each other.
-
In the HTTPS Port field, enter the port number (or leave the default value) that is used by the users to connect to the ActivID CMS Operator Portal and User Portal.
Important: Make sure that your Windows firewall does not interfere with the selected HTTP and HTTPS ports.
-
Under CMS Server user account:
-
If you selected Windows authentication on the Database Server Information page, those credentials are re-used (the Use SQL Server NT Credentials option is selected).
-
If you chose SQL Server authentication on the Database Server Information page, then the Use SQL Server NT Credentials option is unavailable, and you must provide an account for ActivID CMS.
Note: This is the account under which ActivID CMS operates within IIS and CMS Server services. It does NOT have to be a Domain Administrator account. A Local Administrator account is required. There is an exception when using a Microsoft CA; in this case, the account needs to be a Domain User (with Local Administrator privileges on the machine where ActivID CMS is installed). For more details about the required privileges for this account, see Required Account Types and Privileges.
-
Click Next. The Security Key Management page appears:
-
Select the startup mode for the servers. For more information about startup modes, see Attended Startup Mode vs. Unattended Startup Mode.
-
In the Password field, create the ActivID CMS Security Key password.
The Security Key Password must contain at least six characters and not exceed 30 characters. The Security Key password protects a cipher key which encrypts sensitive fields in the six ActivID CMS databases. Without this password, ActivID CMS cannot decrypt the content of the databases, and thus fails to launch.
If you install ActivID CMS in unattended mode, then this password is stored in an ActivID CMS configuration file, obfuscated. If using attended mode, an ActivID CMS administrator has to provide the password at each startup.
-
In the Confirm Password field, re-enter the password. (If peer servers are implemented, you must provide this same password for each instance of ActivID CMS that starts.)
-
Select Yes (Recommended) or No for the Hardware Security Module (HSM) option. For more information, see About HSMs.
If you select Yes (Recommended), then you need to browse for the appropriate HSM Library File. Next, enter the HSM PIN in the Operator PIN field. If you select No, then a warning message appears when you click Next.
The Library File refers to the HSM drivers that must be installed manually. Each HSM comes with its own installation program for installing the HSM drivers. For information about how to install the HSM drivers on the ActivID CMS server machine, refer to your HSM documentation.
Note: ActivID CMS requires 64-bit HSM drivers.
The Operator PIN protects the access to the keys stored in the HSM. You must specify the HSM Operator PIN that was set when you initialized the HSM with the Key Management System (not applicable for network HSMs).
-
Click Next.
The SSL Configuration page appears:
Certificates and RSA key-pairs are used by ActivID CMS to establish an SSL connection between the server, the portal, and the operators’ browsers.
-
In the Host Name field, enter the host name of the server.
For example:
The Host Name must match the Web server certificate’s subject name. For instance, if you have already issued a Web server certificate to the name "cmspool1.corp.com", you must enter the same name here.
If you are using your own certificates for your SSL connection, then the name you specify for the host must be the Web server certificate’s subject name that ActivID CMS creates.
-
If you want to use your own certificates for your SSL connection, leave I have my own certificates selected (default).
-or-
If you want to automatically generate certificates for your SSL connection, select Certificates are generated by the setup, click Next, and then go to step 31. These certificates are stored in %PROGRAMDATA%\HID Global\Credential Management System\Local Files\Certificates.
For more information about the SSL certificates, see Required Certificates.
Important: It is recommended that you use your own certificates, that is, certificates generated by a trusted CA.
If you need to use certificates generated by the setup, make sure to replace them as soon as possible. For more information, see Replace a Certificate Generated by Setup by a Trusted CA-Generated Certificate.
-
Browse for the Server Certificate File.
The server certificate is used by ActivID CMS when communicating between server components, and also in the SSL authentication to any client browser (ActivID CMS operators and users). It is a .pfx file that contains the Web server certificate and its private key. This must be created beforehand.
-
In the Server Certificate Password field, enter the password required for opening the .pfx file.
-
Browse for the CA Certificate File.
The CA certificate is a root certificate of the CA commonly trusted by ActivID CMS server and client browsers. It ensures successful SSL authentication between the server and the clients. It is a .cer file containing the root certificate of your CA that you generated and stored on the ActivID CMS server. It is not protected by a password.
-
Browse for the Client Certificate File.
The client certificate is used by ActivID CMS when communicating between server components, and also by the first ActivID CMS operator (ActivID CMS administrator) to connect to the ActivID CMS Operator Portal. It is a .pfx file issued to the account that becomes the original and first ActivID CMS administrator.
-
In the Client Certificate Password field, enter the password required for opening the .pfx file.
-
Click Next.
The Ready to Install the Program page appears:
-
Click Install.
-
When the User Account Control screen appears, click Yes:
The Installing ActivID Credential Management System page appears:
After the install is complete, the InstallShield Wizard Completed page appears:
-
Click Finish.
The setup restarts the IIS and CMS Server services.
Note: You may be required by the setup to restart.
If you selected:
-
Attended startup mode during setup, you must provide the Security Key password, Database Owner password, and HSM PIN (if using an HSM) in order to start the ActivID CMS server.
When ActivID CMS is configured in attended mode, the value of the Securedata.mode property is set to “securesite”. This property is found in the securedata.properties file in:
%PROGRAMDATA%\HID Global\Credential Management System\Local Files\services\repositories
For more information, see Provide Passwords in Attended Startup Mode.
-
Unattended startup mode during setup, you do not need to provide any passwords, and ActivID CMS retrieves them from an encrypted location on the disk.
Important: The URLs for the Operator Portal and User Portal must both be added as Trusted Sites in the user’s browser.
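The files requested on the SSL Configuration page can be checked before the setup is run. The following PowerShell script is an added example, not part of the HID documentation or product; the file paths are placeholders, and the host name is the sample value used above. It reports whether the server certificate's subject name matches the host name, whether both .pfx files carry a private key, and whether the server certificate chains to the supplied root CA certificate.

```powershell
# Added example (not HID code). File paths are placeholders; adjust before running.
using namespace System.Security.Cryptography.X509Certificates
param(
    [string]$HostName  = 'cmspool1.corp.com',      # value to enter in the Host Name field
    [string]$ServerPfx = 'C:\certs\server.pfx',    # placeholder path
    [string]$ClientPfx = 'C:\certs\client.pfx',    # placeholder path
    [string]$CaCer     = 'C:\certs\rootca.cer'     # placeholder path
)

function Open-Pfx([string]$Path) {
    # Prompt for the .pfx password so that it never appears in the command history.
    $pw = Read-Host -AsSecureString "Password for $Path"
    [X509Certificate2]::new($Path, $pw)
}

function Test-IssuedBy($Cert, $Root) {
    # Build the chain with the supplied CA certificate as an extra anchor and require
    # that the chain ends in exactly that certificate. Revocation is not checked here.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.ChainPolicy.ExtraStore.Add($Root)
    $ok  = $chain.Build($Cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $ok -and ($top.Thumbprint -eq $Root.Thumbprint)
}

$ca     = [X509Certificate2]::new($CaCer)
$server = Open-Pfx $ServerPfx
$client = Open-Pfx $ClientPfx
$cn     = $server.GetNameInfo([X509NameType]::SimpleName, $false)
# Chrome and Edge validate the host name against the subject alternative names (OID 2.5.29.17),
# so the SAN is reported as well. Wildcard entries are not evaluated by this simple match.
$san    = $server.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$hostRx = '(?<![\w.-])' + [regex]::Escape($HostName) + '(?![\w.-])'

[pscustomobject]@{
    ServerSubject       = $cn
    SubjectMatchesHost  = $cn -eq $HostName
    SanListsHost        = [bool]($san -and ($san.Format($false) -match $hostRx))
    ServerHasPrivateKey = $server.HasPrivateKey
    ClientHasPrivateKey = $client.HasPrivateKey
    ServerIssuedByCa    = Test-IssuedBy $server $ca
    CaIsSelfSigned      = $ca.Subject -eq $ca.Issuer
    EarliestExpiry      = @($server, $client, $ca | Sort-Object NotAfter)[0].NotAfter
}
```

A False value in any of the first six checks points to a file that should be reissued or replaced before it is selected in the setup.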
If you selected attended startup mode, then you must provide the Security Key password, Database Owner password, and HSM PIN (if using an HSM) to be able to start ActivID CMS, and every time you want to restart the server. In order to provide the passwords and start ActivID CMS server, follow the procedure below:
-
Launch your browser and enter the following URL:
https://<cms hostname>:<cms port>/aims/enterprise/admin
Note:
-
<cms port> contains the SSL port you defined during the ActivID CMS installation.
-
This page can also be started from the ActivID CMS Start menu by using the shortcut HID Global > Credential Management System > Connect to CMS Admin.
-
This version of ActivID CMS supports Google Chrome™ and Microsoft Edge browsers. Refer to ActivID CMS System Environment for details about the current browser versions that are supported.
The Attended Startup Password Entry page appears:
-
Next to Security Key Password, enter your security password. This is the password that you defined during setup. For more information, see step 19 in Install ActivID CMS and Its Databases.
-
Next to HSM Pin, enter your HSM PIN code (only if you use an HSM).
-
Next to Database Password, enter your database password. This is the password that you defined during setup. For more information, see step 11 in Install ActivID CMS and Its Databases.
Note: This only applies to Oracle and SQL Servers in SQL authentication mode. For SQL Servers in Windows authentication mode, the database password is no longer requested.
-
Click Continue.
The ActivID CMS portal should be started successfully.
Note: When ActivID CMS is started, or if ActivID CMS fails to start, a Health check button is displayed so that you can check the CMS startup status. This is particularly useful when ActivID CMS fails to start (see below).
Important: If you do not provide the correct passwords when prompted, you cannot launch ActivID CMS and the following message appears:
When ActivID CMS fails to start, you can click on the Health check button for a detailed diagnostic on the probable error causes, such as:
Invalid password (Security password, database password, HSM password), or
Invalid HSM configuration files.
For example:
In this case, close your browser window, restart the CMS Server service, log back on to the Attended Startup login page, and re-enter the passwords following the procedure above.
The CMS Server service is started during ActivID CMS startup. Two processes are running simultaneously when ActivID CMS is started – IIS and CMS Server. Both processes communicate through the ajp13 protocol.
To stop/restart the ActivID CMS server, you must first stop/restart the CMS Server service, then stop/restart the IIS service.
You can stop/restart the CMS Server service from Administrative Tools > Services as illustrated above.
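The startup mode and the on-disk locations named on this page can be checked after installation. The following PowerShell script is an added example, not part of the HID documentation or product; it assumes the default %PROGRAMDATA% location given above, and it reports any Securedata.mode value other than "securesite" verbatim, because this page documents only the attended value. It also lists access entries that grant broad groups access to the Local Files tree, which holds securedata.properties and, when the setup generated them, the SSL certificates.

```powershell
# Added example (not HID code). Assumes the default %PROGRAMDATA% location given on this page.
# Run from an elevated prompt so that every ACL in the tree can be read.
$root  = Join-Path $env:PROGRAMDATA 'HID Global\Credential Management System\Local Files'
$props = Join-Path $root 'services\repositories\securedata.properties'

# Java .properties syntax: "key=value" or "key:value". Lines starting with # or ! are
# comments and do not match the pattern. The last assignment wins.
$mode = Get-Content -LiteralPath $props | ForEach-Object {
    if ($_ -match '^\s*Securedata\.mode\s*[=:]\s*(.*?)\s*$') { $Matches[1] }
} | Select-Object -Last 1

$startup = if ($mode -eq 'securesite') { 'attended' }
           elseif ($mode)              { "other value: $mode" }
           else                        { 'property not found' }

# Well-known SIDs are used instead of group names so the check works on any OS language.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$sidType = [System.Security.Principal.SecurityIdentifier]
$items   = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse -Force)

$findings = foreach ($item in $items) {
    $rules = (Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $broad[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

"Securedata.mode = '$mode' -> startup mode: $startup"
"Access entries for broad groups under Local Files: $(@($findings).Count)"
$findings | Sort-Object Path
```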