Configuring IIS 7 and IIS 8

For a three-tier configuration using IIS 7 or IIS 8, there are no configuration changes required on the ActivID CMS application server. To install the IIS redirector on an IIS 7 server or IIS 8.0 server (tier 1), complete the following steps.

Note: The procedure illustrates options for IIS 7.

  1. Go to the ISAPI folder and copy ISAPI folder <CMS install path>\ISAPI\ from the installed ActivID CMS server to the IIS 7 server that is acting as the redirector server.    

  2. To add a new ActivID CMS website to the IIS redirector server, go to the Connections panel in the Internet Information Services (IIS) Manager main window.

  3. Right-click on Sites, and then click Add Web Site. The Add Web Site dialog is displayed.

  4. Enter the Site name of the ActivID CMS website (in this example, the name is CMS website).

  5. Verify that the Physical path contains a valid path (in this example, it is C:\ISAPI\bin).

  6. Select https as the Binding Type.

    The Binding enables you to configure the binding to https (Hypertext Transfer Protocol Secure).

  7. Select the SSL certificate that was generated previously for this server (in this example, the SSL certificate is W2K8-RedirIIS7). 

  8. Optionally, select the option Start Web site immediately.

  9. Click OK. This creates the ActivID CMS website.

  10. From the IIS Manager main window, select the IIS Server in the Connections panel. The IIS Server Home page appears.

  11. Scroll down to locate the IIS panel of the Home page.

    (Make sure that you have selected the IIS server in the Connections panel.)

  12. Click ISAPI and CGI. The ISAPI and CGI Restrictions page appears.

    From this page, you can add ISAPI and CGI restrictions at the IIS server level.

  13. On the ISAPI and CGI Restrictions page, right-click to display the shortcuts menu, and then click Add ISAPI and CGI Restrictions.

  14. In the Add ISAPI or CGI Restriction dialog, click Browse to locate the ISAPI or CGI path for the server file.

  15. Enter a meaningful Description (for example “Admin”).

  16. Select the option Allow extension path to execute.

  17. Click OK. The ISAPI and CGI Restrictions page appears with the new values you just configured (see the red arrow in the next illustration).

        

  18. From the Home page, click ISAPI and CGI again. The ISAPI and CGI Restrictions page reappears.

  19. Click Browse to locate the ISAPI or CGI path for the server ID file.

  20. Enter a meaningful Description (for example, “MyID”).

  21. Select the option Allow extension path to execute.

  22. Click OK to configure these restrictions settings. The ISAPI and CGI Restrictions page appears with the new values you just configured.

  23. Return to the Connections panel, and then expand the Sites folder, if needed.

  24. In the Connections panel, click CMS Website. The CMS Website Home page appears (where you will configure two ISAPI filters).

  25. Click ISAPI Filters. The ISAPI Filters page appears.

    From the ISAPI Filters page, you can add ISAPI filters at the IIS server level.

  26. Right-click to display the shortcuts menu, and then click Add ISAPI Filter.

  27. Enter a Filter name for the first of two filters (for example, “MyID”).

  28. Click the browse button to locate and enter the full path to the Executable .dll file.

  29. Click OK to configure the ISAPI filter settings for the first filter.

  30. Repeat step 27 to 29 for the second filter.

  31. Return to the Connections panel.

  32. In the Connections panel, under CMS Website, click Administration. The Administration Home page appears.

  33. In the IIS panel in the Admin Home page, click SSL Settings. The SSL Settings page appears.

  34. To configure SSL settings in the Admin virtual directory (and SSL Settings window), select the Require SSL option.

  35. Under Client certificates, select the Require option.

  36. In the Actions panel, click on Apply to save the changes.

  37. In the Connections panel under CMS Website, click MyDigitalID. The MyDigitalID Home page appears.

  38. In the IIS panel, click SSL Settings. The SSL Settings window reappears.

  39. To configure SSL settings in the MyDigitalID virtual directory (and SSL Settings window), select the Require SSL option.

  40. Under Client certificates, select the Ignore option.

  41. In the Actions panel, click on Apply to save the changes.

The next step is to Configure Handler Mappings.

Configure Handler Mappings

  1. In the Connections panel, under CMS Website, click Administration.    

  2. On the Administration Home page, click Handler Mappings. The Handler Mappings page appears.

  3. On the Handler Mappings page, right-click to display the shortcuts menu, and then click Edit Feature Permissions. The Edit Feature Permissions dialog appears.

  4. To configure Handler Mappings in the Admin virtual directory, select the Script option and the Execute option.

  5. Click OK to save your configuration choices.

  6. To configure the Edit Feature Permissions for the MyID virtual directory, in the Connections panel, select the CMS Website.

  7. Click MyDigitalID.

  8. In the Handler Mappings page, right-click to display the shortcuts menu, and then click Edit Feature Permissions. The Edit Feature Permissions dialog appears.

  9. To configure Handler Mappings in the MyDigitalID virtual directory, select the Script option and the Execute option.

  10. Click OK to save your configuration choices.

The next step is to Enable Anonymous Authentication for Anonymous Users .

Enable Anonymous Authentication for Anonymous Users

To enable anonymous authentication for ActivID CMS anonymous users, perform the following steps.

  1. In the Connections panel, select the CMS Website.

  2. Click Authentication. The Authentication page appears. 

  3. In the Authentication page, right-click to display the shortcuts menu, and then click Edit Anonymous Authentication Credentials. The Edit Anonymous Authentication Credentials dialog appears.

  4. Select the Specific user option. The default username appears automatically.

  5. Optionally, click Set.

    The Set Authentication Credentials dialog appears. You can enter a specific username, and enter and confirm a password to authenticate the credentials for a specific user.

  6. Click OK to save your configuration settings.

The next step is to Update the ISAPI Configuration Properties File .

Update the ISAPI Configuration Properties File

To update the ISAPI configuration properties file with the host name of the ActivID CMS server, perform the following steps.

  1. Go to the directory where the properties files reside (in this example, it is “C:\ISAPI\conf”).

  2. Double-click the configuration properties file, it launches the file in a common text editor, such as Notepad.

    In this example, it is the workers.properties file. The workers.properties file contains the host= line that defines the host name of the ActivID CMS server. In this example, it is worker.ajp13.host=.

  3. Edit the existing host= line to define the name of the ActivID CMS server. In this example, it is W2K8-VM5.

  4. Add a line starting with the parameter worker.ajp13.secret, where the value is the required secret from the above standalone.xml entry (named secret-checker) from the Tier 2 ActivID CMS server as described in section Configuring the Tier 2 ActivID CMS Server (screenshot below).

    In this example, it is:

    Copy 
    worker.ajp13.secret=27CE7144C6455F228511668EE95DFE
    Warning!
    In cases where modifications are made that alter the ActivID CMS application on the ActivID CMS server itself, make sure that you perform the above two steps. This is required because during a repair procedure, the standalone.xml file is reconfigured and a new secret is generated.

  5. To save your configuration changes, select the File menu, and then click Save.

  6. To update the install path in the isapi_redirect.properties file for the UserPortal folder, go to the directory where this properties file resides. In this example, it is C:\ISAPI\bin\MyDigitalID.

  7. Double-click the properties file that you want to update, it launches the file in a common text editor, such as Notepad.

    In this example, it is the isapi_redirect.properties file. This properties file contains the path location in the log_file= line that defines the path name of the ISAPI Redirector log file. In this example, the path to the Redirector log file is:

    C:\Program Files\HID Global\Credential Management System\ISAPI\logs\isapi_redirect-myID.log

  8. Change the path to C:\ISAPI\logs\isapi_redirect-myID.log.

  9. Change the work_file= and work_mount_file= paths accordingly.

  10. From the File menu, click Save to save the changes made to the isapi_redirect.properties file.

  11. To update the install path in the isapi_redirect.properties file for the Administration folder, go to the directory where the ISAPI properties files reside (in this example, it is C:\ISAPI\bin\Administration).

  12. Double-click the ISAPI Redirector properties file you want to update, it launches the file in a common text editor, such as Notepad.

    In this example, it is the isapi_redirect.properties file. The selected properties file contains the path location in the log_file= line that defines the path name of the ISAPI Redirector log file. In this example, the path to the Redirector log file is: 

    C:\Program Files\HID Global\Credential Management System\ISAPI\logs\isapi_redirector.log isapi_redirect-admin.log

  13. Change the path to C:\ISAPI\logs\isapi_redirect-admin.log.

  14. Change the work_file= and work_mount_file= paths accordingly.

  15. From the File menu, click Save to save the changes made to the isapi_redirect.properties file.

  16. Go to the directory where your security certificates are stored (in the following example, it is the Security Certificate folder in the root directory).

  17. Double-click the directory where the security certificates reside. The Certificate Import Wizard dialog appears.

  18. In the Certificate Import Wizard dialog, select the Place all certificates in the following store option.

  19. Browse to locate and enter the path to the Certificate store. This location is the certificate store where you can place all certificates if the root certificate authority (CA) is not trusted.

  20. Click Next at the bottom of the dialog (not illustrated).

  21. Click Finish.