Install and Configure ControlSuiteConfiguring ControlSuite

Configuring ControlSuite

The Configuration Assistant walks you through the setup of databases, services, security and authentication, and licensing the ControlSuite solution. The configuration assistant must be completed in order, and as you complete the steps, the navigation menu items becomes "active", and you can click on any completed section to review or make changes as needed.
  1. After installing ControlSuite, launch the Configuration Assistant. The Configuration Assistant can either be auto-launched as part of the Install Assistant finishing process, or by running the Configuration Assistant application found in C:\Program Files\Kofax\Configuration Assistant.
  2. Click Get Started on the Welcome page.
  3. A Databases page opens displaying the installed components, database instances and database names.

    The green checkmark beside the component indicates that the database is configured correctly. The red warning means that a particular configuration setting is not valid, and the database information must be updated before the configuration can continue. When the databases are validated, click Next to continue.

    To modify a database, click the Edit icon beside its name to open the Configure Component window, and select a Database Type - SQL Server or SQL Server Azure.

    The available database types depends on the installed ControlSuite component's supported databases.

    If selecting SQL Server, modify the following:

    • Authentication Type - SQL Server or Windows.
      • SQL Server: Enter the user credentials in the Login and Password fields, (this can be another Windows user or a SQL Server user).
      • Windows (default selection): Select this option when the user running the Windows Service account connects to the database server.
    • Instance - Use the default, or select another instance from the drop-down list, or click Find to search for one not in the list.
    • Database Name - Enter the name of the database or select another database from the drop-down list.
    • Click the Test button to verify the database and server and functioning. A green check-mark displays when validated.
    To create an SQL database for Output Manager using the Configuration Assistant, you need to have a Server Role of dbcreator. To use this database, the user or account running the DBM must have at least a db_owner Database Role Membership for the database.

    If selecting SQL Server Azure, modify the following:

    • Authentication Type - SQL Server or Azure Active Directory.
      • SQL Server: Enter the user credentials in the Login and Password fields. (this can be another Windows user or a SQL Server user).
      • Azure Active Directory: Enter the user Azure AD credentials in the Login and Password fields.
    • Instance - Use the default, or enter the name of another instance.
    • Database Name - Use the default, or enter the name of another database.
    • Select Encrypted Connection to ensure a secure connection to the SQL Server database.
    • Select Validate Server Certificate to ensure secure access to the SQL Server.
    • Protocol - Use the default, or enter another protocol type.
    • Port - Use the default, or enter another port number.
    • Click the Test button to verify the database and server and functioning. A green check-mark displays when validated.

    It is recommended that a new database is created when installing Equitrac 6.4 on a server with an existing Equitrac database. Although direct upgrades to Equitrac 6.4 from an earlier 5.x version is not supported, Configuration Assistant may use the existing database and automatically upgrade it as required.

    A Running Database Scripts window opens to locate and connect to the selected databases. When successful, there is a green check-mark beside each item. Close the window when done. A red 'x' indicates that a the database was not setup properly.

  4. A Certificate Management page opens displaying the list of certificates associated with each component.
    1. Select the check box next to the component and select Generate Self-Signed or Import Certificate from the Select Action drop-down menu. Alternatively, click the + icon to generate a self-signed certificate, or click the Open file icon to import a certificate.
      • Generate Self-Signed - A window opens where you can provide Friendly name and Expire date for the certificate. If you select the Save to file check box, enter a Password and File path to where to save the certificate, and click OK to continue.

        A Generate Certificate window opens to create the selected certificates. When successful, there is a green check-mark beside each item. Close the window when done.

      • Import Certificate - A window opens where you can select a certificate Filename and Password, and click OK. Alternatively, click the Browse button to open the location of stored certificates and select the desired file. Click OK to continue.
      Existing custom certificates with Equitrac services for HTTPS can be used when upgrading from Equitrac 6.x to 6.4.
    2. Click Next. A Binding Ports window opens updating the IIS certificates. When successful, there is a green check-mark beside each item. Close the window when done.
    3. Click Next to continue.
  5. A Core Services page opens with a list of the installed core services, along with their service credentials, startup type and current status.
    • Click the Actions icon beside the database service and select Configure if you want to edit its default settings. You can edit the ports used and the data folder and log file locations. Click OK to save the changes or Cancel to leave the defaults. By default this service is not started and it cannot be manually started. The database service will start automatically once the security framework is configured.
    • Click the Actions icon beside the Licensing Service and select Configure if you want to change the Licensing Service Port used. By default Port 44370 is used by the ControlSuite licensing service. Select Start to start the licensing service if it not already running.
    • Click Next.
  6. An Authentication & Security page opens where you provide your Security Framework credentials and connections.

    When Security Framework Service (SFS) is installed, you can create security admin user credentials for the admin to have access to configure ControlSuite security registrations, or you can connect to an existing server where the Security Framework Services are running. The security admin credentials are created when you first install a security framework node, and will be required later.

    Security framework provides a secure infrastructure for ControlSuite shared components. ControlSuite services can register themselves with the Secure Service Discovery Service (SSDS) in order to locate other service locations in distributed deployments. The Authentication and Authorization (AA) service secures component to component communications and also restricts each component to only a specific set of authorized actions based on its component type.

    Select whether to configure a new security framework or to connect to an existing one. All SFS nodes connect to a single SQL database, regarless of the number of SFS nodes in your deployment.

    If you select This is my first deployment of security framework, a new SQL database connection must be configured and initialized.

    1. To connect to the SQL database, click the Edit icon beside its name to open the Configure Component window, and select a Database Type - SQL Server, SQL Express (for single SFS node deployment) or SQL Server Azure.
      If selecting SQL Server, or SQL Express, modify the following:
      • Authentication Type - SQL Server or Windows.
        • SQL Server: Enter the user credentials in the Login and Password fields, (this can be another Windows user or a SQL Server user).
        • Windows Account: Enter Windows user credentials in the Login and Password fields to connect to SFS under IIS.
      • Instance - Select the node with the SQL database from the drop-down list, or click Find to search for one not in the list.
      • Database Name - Enter the name of the database or select another database from the drop-down list.
      • Click the Test button to verify the database and server and functioning. A green check-mark displays when validated.
      To create an SQL database for Output Manager using the Configuration Assistant, you need to have a Server Role of dbcreator. To use this database, the user or account running the DBM must have at least a db_owner Database Role Membership for the database.
      If selecting SQL Server Azure, modify the following:
      • Authentication Type - SQL Server or Azure Active Directory.
        • SQL Server: Enter the user credentials in the Login and Password fields. (this can be another Windows user or a SQL Server user).
        • Azure Active Directory: Enter the user Azure AD credentials in the Login and Password fields.
      • Instance - Use the default, or enter the name of another instance.
      • Database Name - Use the default, or enter the name of another database.
      • Select Encrypted Connection to ensure a secure connection to the SQL Server database.
      • Select Validate Server Certificate to ensure secure access to the SQL Server.
      • Protocol - Use the default, or enter another protocol type.
      • Port - Use the default, or enter another port number.
      • Click the Test button to verify the database and server and functioning. A green check-mark displays when validated.
    2. Security framework admin and Password - Create the security framework admin credentials if they do not exist. The security framework admin is a unique username used to manage the security framework. The username and password are used to add nodes or datacenters to an existing security framework. This username is not associated with your directory services and is not case sensitive.
      When upgrading from Equitrac 6.x to 6.4, all existing Equitrac clients and services will be automatically enrolled after logging in with the Security Admin credentials.
    3. Host name - This is name of the system where Security Framework is installed on.
    4. Datacenter name - The datacenter is where one or more Security Framework Services (SFS) are running.
      The datacenter name is created on the machine where the first instance of the SFS is installed. This datacenter is used to connect any additional SFS machines in your deployment. See Understanding Security Framework Datacenters for more details.
    5. Click Apply.
    If you select I'm adding a new node to an existing security framework, enter the following:
    1. Remote security framework server - This is the hostname of a system running security framework. Typically, this is a primary ControlSuite server.
    2. Port - 8181 is the default Security Framework port.
    3. Security framework admin and Password - The security framework admin is a user that was already created when the first instance of Security Framework was installed and configured.
    4. Click Login.
    5. Host name is pre-populated with the name created in the previous screen.
    6. Datacenter name - The datacenter is where one or more Security Framework Services are running. The drop-down list is populated with all available datacenters.
    7. Click Apply.
    If you select This is a single node security framework deployment, enter the following:
    If you try to add a second SFS node to this deployment, the task will fail with an appropriate error message. This option allows you to use SQLite for the ‘cssfs’ database. However, if you want to add another SFS node in the future, a new cluster would need to be created with an SQL server database as an upgrade from SQLite to a SQL server is not supported.
    1. Security framework admin and Password - The security framework admin is a user that was already created when the first instance of Security Framework was installed and configured.
    2. Host name is pre-populated with the name created in the previous screen.
    3. Datacenter name - The datacenter is where the Security Framework Service is running. The drop-down list is populated with all available datacenters.
    4. Click Apply.
    After selecting the security framework deployment, an Initializing Security Framework window opens to update the configuration and register the database. When successful, there is a green check-mark beside each item. Close the window when done.

    An Authentication & Security summary page opens with the Server Location information and Security Admin Credentials. If all the information is correct, there is a green check-mark beside the Login button. Click Next to continue.

  7. A Security Framework Status page opens displaying all deployed datacenters and security framework nodes along with their status. A security framework node can be removed from a datacenter at any time, however it must be Online in order to remove it.
    • If the status displays Offline, click the Refresh icon to try syncing the node with its database. This can take a few minutes.
    • Click the Actions icon next to the Host and then click Force cache update to initate an update. A Force cache update window shows the status of the update. Close the window when done.
    • Click the Actions icon next to the Host and then click Details to open a Security Framework Node Report which provides information of the node status. Close the report window and proceed with the configuration.
    • Click the Actions icon next to the Online node and then click Remove if you want to remove a live security framework node. Follow the prompts on the pop-up windows to remove the node. See Remove a live Security Framework Service node for details.
    An Enrolling window shows the enrollment status. Close the window when done, and click Next.
  8. A CS Enrollment page opens where you enroll services into the Security Framework.
    • Select all the services that need to be enrolled. By default all servers need to be enrolled. Choose Enroll from the Choose drop-down list. Alternatively, you can select Enroll from the Action option to enroll one or more services at a time. You can also Unenroll and Validate the services from the Action option.
    An Enrolling window shows the enrolling status. Close the window when done, and click Next.
  9. A Universal Print Integration page opens.
    1. Select one of the two registration options:
      • Register Azure Universal Print application at a later time. The Universal Print option will not be available until the Universal Print application is registered. Click Next to continue configuring ControlSuite without Universal Print. See Register the Universal Print application manually in Azure AD.
      • Register Azure Universal Print application now. You need a valid Azure subscription to register this option.
    2. If you select to register Azure Universal Print now, choose one of the following options and enter the required information:
      • I have already registered the Universal Print application on Azure portal and will be retrieving required information from the Azure portal.
        • Tenant Id - This is the GUID that refers to a single instance of Azure AD.
        • Client Secret - This is the string that the application uses to prove its identity when requesting a token.
        • Application Id - This is the GUID that uniquely identifies the application in the Microsoft identity platform. Click the Test button to ensure the ID is valid.
      • I will be registering the Universal Print application here using tenant and subscription IDs.
    3. If you select to register the Universal Print application here, click Open Azure portal to continue, sign in with your Azure AD credentials, and do the following:
      • Select Azure Active Directory and copy the Tenant ID.
      • Select Home > Subscriptions, and then select the active subscription for Universal Print to copy the Subscription Id.
    4. Return to Configuration Assistant. The Tenant Id and Subscription Id fields should be pre-populated. Enter the Client Secret and click the Register button to register this in Azure AD.
      • Tenant Id - This is the GUID that refers to a single instance of Azure AD.
      • Subscription Id - This is the GUID that links to your Azure account.
      • Client Secret - This is the string that the application uses to prove its identity when requesting a token.
      • Application Name - This is the user-facing display name of the application. For example, ControlSuite.
      • Application Id - This is the GUID that uniquely identifies the application in the Microsoft identity platform. Click the Test button to ensure the ID is valid.
    An Azure Universal Print Application Registration window shows the configuration status. Close the window when done, and click Next.
  10. A Services page opens with a list of the installed services, along with their service credentials, start-up type and current status.
    Any service shown in red indicates that it cannot run as LocalSystem, and requires different service credentials.
    1. Select Credentials under the Actions icon for that service, and supply a valid service Account and Password, and then click Test credentials and OK to continue.
      The Username must be in the form of domain\username and this account should have Administrator privileges on all machines on the network running Equitrac services.
    2. Once all the credentials have been provided, Start all the services, and click Next.
      The DBM Service requires ownership of the OM database. When the service is started, the Configuration Assistant tries to determine if the credentials used for the DBM Service has access to the DBM database and is a database owner. You may see a warning message if the DBM does not have database ownership rights or if the Configuration Assistant user does not have rights to verify the database credentials for the DBM. The DBM Service will start, but you may need to verify that permission has been granted within the SQL Server for this account.
  11. A Licensing page opens displaying the License Server location and Server ID.
    See Licensing ControlSuite for licensing details.
    1. If you want to change the License Server location, click the Edit icon beside the Server location field to open the Change License Server Location window.
      • Confirm the License Server location is correct. Optionally, you can change the default License Server location.
      • Click the Preview button to auto-create the License server ID. The License Server ID is used to manage your licenses on the Customer Portal. Any licensed features will populate the list.
        TLS 1.2 must be enabled on the License server to ensure a secure connection. If TLS 1.2 is disabled, a licensing error may display.
      • Click Apply.
      An Apply licenses window opens to initialize and update the product licenses. When successful, there is a green check-mark beside each item. Close the window when done.
    2. Click the Copy icon on the right of the Server ID to copy this ID to the clipboard. The License Server ID is used to register the server and manage your licenses on the Customer Portal.
    3. Click the Open Kofax Customer Portal link to go to the Customer Portal. Alternatively, open a web browser and enter https://register.kofax.com/serialregistration to access the Customer Portal. See Licensing ControlSuite for licensing details.
    4. Once the licenses have been assigned to this License Server, click Refresh Licenses to update the license.
      • Select Update license online and click Apply to communicate with the License Server to synchronize the changes or updates to the licenses on Customer portal.
      • Select This License Server has no access to Internet to update the license file from the binary downloaded from the Customer Portal, then click Download License Request. Open the License File and click Apply.
    5. Click Next to continue.
  12. An Identity Provider page opens to set the Azure Active Directory (AD) connection parameters.
    A Load Identity Provider Configuration window opens to load and display the current identity provider configuration. When successful, there is a green check-mark beside each item. Close the window when done.
    1. Select the Configure Azure AD for ControlSuite checkbox and enter the required information.
      • Discovery endpoint URL: The discovery endpoint can be used to retrieve metadata about your Identity Server. For example, "https://login.microsoftonline.com/(tenant)/v2.0".
      • Application ID: The application ID is created when ControlSuite is registered in Azure AD. This GUID uniquely identifies the application in the Microsoft identity platform.
      • Client secret: This is the string that the application uses to prove its identity when requesting a token.
      • Domain name: The domain name is populated after validating the registration.
      • Administrative role: This is the name of the Azure AD application role needed for administrative permissions in ControlSuite. The acquired Azure AD token can contain this value. It is set to 'ControlSuite.Admin', and it cannot be updated.
    2. Click the Validate registration button to try to connect to the configured Azure AD tenant and check the required permissions. A Validate Azure AD Configuration window shows the progress. Close the window when done.
    3. Click the Update registration button to re-validate the connection parameters.
    4. Click Apply.

    If the connection parameters are validated, press the Apply/Next button to save the parameters. A Save Identity Provider Configuration window shows the progress. Close the window when done.

  13. A System Administrators page opens displaying the configured administrators. Click Next to continue. You can click the Edit icon beside administrator if you want to modify its settings.
  14. A Launch Applications page opens where you can launch any of the installed ControlSuite applications directly from the Configuration Assistant. Alternatively, you can use the Start menu to navigate to the appropriate ControlSuite product.
  15. Click Close to exit the Configuration Assistant.