To install ACP with ApacheWindows sspi auth

• This page was written specifically for installing ACP on a new Google Cloud VM, and includes Server creation. If you are installing ACP on an existing server, some of the steps will not apply.
• This is for installing ACP with Apache windows sspi authentication. If you want to install ACP with the default firebase authentication , use the instructions on this page.
• This page is for a new install of ACP on a server. If you want to upgrade to a newer release of ACP or to activate a new license, see this page Upgrade ACP to a new release or activate new license .

To upgrade ACP to a new release, or to activate a new subscription license, go to this page

Upgrade ACP to a new release or activate new license

Create a new VM instance

• Create a windows 2019 datacenter server.
• Allow http traffic and allow https traffic.
• Point your domain to the server

Add a D: drive

• Create folder D:\Acp\Accounts

Install software

• Install Chrome (currently recommended as the browser for ACP) https://www.google.com/chrome/
• Installed notepad++ (optional but nice to have)

Apache

C++ redistributables

• You need to install the Visual C++ 2015-2019 redistributables first available here.

Apache binaries

Apache no longer provides msi packages for Apache - you have to compile it or get it from a 3rd party. I got the latest 64 bit Apache binaries installer here.

• Extract the zipped archive and copy the folder Apache24 to the C drive C:/Apache24
• Then follow the instructions in the readme file (within the folder when extracting the initial zip archive - not the readme in the Apache24 folder).
• Test that apache is working - in an elevated command prompt CD to the Apache24/bin folder and enter httpd.exe

(If everything is working there will be no errors and the cursor will sit and blink on the next line).

• Open a browser to http://localhost - if it's working you should get a web page saying "It works".
• Install apache as a service - in an elevated command prompt enter httpd.exe -k install. You should get a message "The 'Apache2.4' service is successfully installed".
• For now double click the file Apache24/bin/Apachemonitor.exe to continue with setting up and testing the server.
• Copy or move ApacheMonitor.exe to the start up menu C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp so it starts automatically when the computer starts.

Add the Apache WIndows sspi Authorization module

• Download the module and unzip it to a folder.

https://www.apachehaus.net/modules/mod_authnz_sspi/mod_authnz_sspi-0.1.1a1-2.4.x-x64-vc15.zip

• Note that this module is not from Apache. This most recent version is vc15 - this is an add on done by the community .

The most recent Apache version is vs16 which was not supposed to work correctly with this module vc15. (From the instructions - But after reinstalling Apache vc15 and getting Apache authentication to work, I tried it with Apache vs16 and it works. So maybe the instructions are outdated or maybe there is some functionality that is broken but which we are not using). I will leave it as Apache vs16. But here is the link to the Apache24 vc15 build I used in the testing: https://home.apache.org/~steffenal/VC15/binaries/httpd-2.4.52-win64-VC15.zip

• From the downloaded folder: Apache24\modules copy mod_authnz_sspi.so and save to the Apache modules directory.

C:\Apache24\modules\mod_authnz_sspi.so

• Copy: Apache24\bin\sspipkgs.exe and save it in the Apache bin directory.

C:\Apacje24\bin\sspipkgs.exe

Add a new rule to the firewall

• Open the windows defender firewall, advanced settings.
• Select Inbound rules
• Click “New Rule” on the right-hand sidebar.
• In the rule type pane, Select “Port,” and click Next.
• In protocol and ports, select TCP and Select the radio button next to “Specific local ports:” Enter the following into the input box: 80, 443 and Click Next.
  • Note: (LDC) we don't want 8080 included here. We want the firewall to block external traffic from access to that port.
• In the Action pane Select the radio button next to “Allow the connection.” and click next.
• In the Profile pane "where does this rule apply", Ensure all the boxes are checked, then click Next again.
• Enter a name for the rule Allow incoming Apache traffic" and click finish.
• Test if you can access the server from another computer - you should be able to. If you cannot access the server, possibly Apache has turned off. So if this happens, in an elevated command prompt enter C:\Apache24\bin>httpd.exe -k restart.)

SQL server Express

The first time I did this with SQL server express 2018 I had to go back and install the MSSMS package - it doesn't come by default with SQL Express.

Here is a page with instructions and screenshots how to install sql server express

• Get the installer from sql server downloads direct download here
• Right click on the sql express installer and select Open.
• Select a custom installation.
• Accept the default install folder

Wait for the installation files to download...

• In the Sql Server installation center, click the link to New SQL Server stand-alone installation or add features to an existing installation.
• Note that you need to install the Microsoft Sql Management studio separately now if you choose a custom installation. You can do this by clicking on the link for this in the SQL server installer. You will probably need to launch the installer again after finishing the install.
• Accept the license and click [Next].
• Microsoft Updates pane opens - Check the box to use Microsoft Update to check for updates and click [Next]
• The Install rules pane should show, and should say everything passed except the firewall - I got a warning. Ignore the warning and click [Next] here's an explanation a link to click. .
• Feature selection pane shows - screenshot shows what I selected

• Next pane is Instance configuration - accept the defaults and click [Next] and [Next]
• Database configuration pane - select Windows Authentication and add any admins then click [Next], accept the defaults on the other 2 database panes and continue through until finished installation then click [Close]
• In the Sql Server installation center, I then clicked the link to install sql server management tools in the default location.
• Now, if necessary restart the SQL Server installation center and install Microsoft SQL Server Management studio. Or you could probably just install it from an installer downloaded from Microsoft here
• Close the SQL server installation center

SSL certificate

You can ignore this if you are using another SSL certificate source. These instructions are for free lets-encrypt certificates using win-acme. When I tried this the second time I got an error because I had miss-spelled the domain. I tired to start over and got an error about the http listener already in use. I rebooted and tried again - this worked.

• Got the instructions on this page with a couple of minor changes. This page has screenshots also.

Step 1: Log in with RDP into Windows Server 2019
Step 2: Download Let’s Encrypt client. Visit the website of Win-acme to download the latest version. Get the x64 pluggable archive. Extract the downloaded zip to C:\win-acme.
Step 3: Create a batch file with the following command and save it to C:\win-acme\Scripts\RestartApache.bat net stop "Apache2.4" & sc start "Apache2.4"
Step 4: In an elevated command prompt CD into the C:\win-acme folder and start wacs.exe.
Step 5: Issue certificate

• Choose Create certificate with full options - Enter M in the command prompt and enter
• When prompted for how the domain names will be included, Choose manual input - for me it was 2 - and enter
• Enter the domain name you want for the certificate suan-alpha.analytica.com and enter
• When prompted for a friendly name either enter one or leave it blank and then enter
• When prompted how you want to verify you are the owner of the domain, enter the number for Save files on local or network path
• It should then prompt for the root of the site - enter C:\Apache24\htdocs
• When prompted to Copy default web config? enter N no
• When prompted for type of private key - enter the option for RSA
• When prompted how you would like to store the certificate enter the option for PEM encoded files (Apache, nginx, etc.)
• Next at the prompt for where the certificates are stored enter C:\Apache24\conf
• When prompted to store the certificate in another way too? enter the number for No additional store steps.
• When prompted for more steps to update your application, enter the number for Start external script or program
• It will ask for the path to the program, enter C:\win-acme\Scripts\RestartApache.bat
• Next it prompt you enter the parameter format string for the script - enter {StoreType} {StorePath} {RenewalId}
• Next when it asks Add another installation step? enter the number for No.
• Next the path to the terms of service is shown, do you want to open in the default application? Choose nunless you want to see it
• Do you agree with the terms? Select yes
• Next it will ask for an email address for notifications - enter one
• Do you want to specify the user the task will run as? enter yes
• Enter the user - I entered my username
  
• Then enter the user's password
• You should be done, Quit.

Step 6: Enable SSL for ACP (SSL is required for ACP)

• Once you have SSL certificates on the server, send the file name and path of the certificate files to lumina, so we can configure the apache .conf files for your server.

So we need the Path to and file name for the SSL certificate chain file, the key file and the cert file eg C:\Apache24\conf\myservername.com-chain.pem C:\Apache24\conf\myservername.com-key.pem C:\Apache24\conf\myservername.com-crt.pem

• Once Lumina has this certificate information, we will edit the httpd.conf and httpd-ssl.conf. files and send them to you. Save them and continue with the installation steps - you will use them later.

Install the Suan code

• Download the latest current Analytica release currently https://downloads.analytica.com/ana/AnaSetup6_0_10.exe
• Install the latest Analytica release build. Install to the default folder. You will need an ACP3 analytica license.
  • Activate an individual license for edition=ACP3 or edition=ACP3 w/optimizer. Use the key sent to you by Lumina. You can refer to this page if needed. https://wiki.analytica.com/index.php?title=Installation_and_licenses

• Along with the Activation Key, you need the files in this Zip Archive: ACP3_0.zip.

Download this archive and extract it to a folder on your computer.

• Copy these files (from the archive extracted) to C:\Program Files\Lumina\Analytica 6.0. Overwrite any existing files with the same name.
  

Analytica.ini
suan.exe
libssl-3.dll
libcrypto-3.dll
SuanFirebaseAuth.dll

The rest of the files from the extracted archive, in folders assets and build, need to saved to the ACP\ui folder.

• Save these folders to D:\ACP\ui\.

D:\ACP\ui\Assets
D:\ACP\ui\Build

Test this part

• In D:\Acp\ui\Assets\Session.config, Server.config, and SingleInstance.config files, set, temporarily set DesktopUI=1. Save the files.
• In a non-admin CMD prompt:

  CD "c:\program files\lumina\Analytica 6.0"

  .\Suan.exe /config:d:\Acp\ui\assets\server.config

  Expected: An Analytica desktop instance should launch with an architecture drawing. It should stick around and not vanish.

• In Chrome: http://localhost:8080

  Expected: Login page should appear

• Once this test succeeds:
• Quit all Desktop Analytica instances
• Edit both Server.config and Session.config and set:

  DesktopUI=0

Create the Subscription Database

• Launch Start / Microsoft SQL Server Tools 18 / Microsoft SQL Server Management Studio
  • Connect dialog appears.

    Server type=Database engine

    Server name=Yourserver\SQLEXPRESS

    Authentication=Windows Authentication

• Right-click on Databases / New Database...
  • Database name=Suan Subscriptions
  • Press OK

Use the Analytica library to create the tables in the database

• Run: Analytica.exe "d:\Acp\ui\assets\Create Suan DB.ana"
• Press the "Create the Tables" button
• Press the "Populate the Tables" button

Set up application in Apache configuration

• In the Apache\conf directory, rename the default httpd.conf file to httpd-bk.conf so you have it as a backup, then replace it with the httpd.conf file you received from Lumina.
• In the Apache\conf\extra directory, rename the default httpd-ssl.conf file to httpd-ssl-bk.conf so you have it as a backup, then replace it with the httpd-ssl.conf file you received from Lumina.

• Check the apache configuration - in an administrator command prompt

cd C:\Apache24\bin

httpd.exe -t

{Output should be syntax OK} If not then there is a problem .

• If the response is OK, restart apache in the command prompt:

cd C:/Apache24/bin
httpd -k restart

• Test
  • Open a non-admin UI CMD window:

    CD "C:\Program Files\Lumina\Analytica 6.0"

    .\suan.exe /config:d:\Acp\ui\assets\server.config

    Expected: No UI appears. But in Task Manager, you should see a Suan process running.

  • In a browser on the server: Check your url

    Expected: The login page appears. Tests for apache & UI-side code working.

• • Log in - enter an email address and password and press Sign up.

    Expected: Goes to User Portal, with an empty file listing.

• On a computer other than the server, in Chrome: Check your url with https

  Expected: Should get to login screen

• On a computer other than the server, in Chrome: Check your url with http

  Expected: It should convert to https and be an the login screen

Setup account to serve requests

We create a new account with security restrictions that ACP requests (i.e., models) run under.

• Run Computer Management / System Tools / Local Users and Groups / Users
• New User...

  User name = ACPUser

  Description = Account that ACP models run in.

  Password = ***yourpasswordhere***

  User cannot change password + Password never expires

• Press Create. Then Right-click ACPUser/ Properties / MemberOf. Remove from group "Users".

• In a CMD prompt:

  CD "C:\Program Files\Lumina\Analytica 6.0"

  RunAs /user:ACPUser .\Analytica

• When Analytica launches, accept the terms and select the license in Desktop Analytica's Help->Update License dialog
• Test that it saves this info by exiting and restarting, again as ACPUser, and checking the Help-Update License dialog.

Note -- To launch the server now, from CMD, use:

RunAs /user:ACPUser "c:\Program Files\Lumina\Analytica 6.0\Suan /config:d:\Acp\ui\assets\server.config"

Give ACPUser DB access

• In Microsoft SQL Server management Studio / Databases / Suan subscriptions / Security / Users
• New User... / Windows user + SUAN-ALPHA\ACPUser + ACPUser + default schema=dbo
• Membership / db_datawriter + db_datareader

Configure for auto-launch

Configure Windows to automatically launch the Suan server when the computer boots.

• Run Task Scheduler
  • Create a new folder under "Task Scheduler Library" named Lumina
  • Right-click on Lumina / Create Task...
  • General tab

    Name: Start ACP server at boot

    Description: Launches the ACP server process when the server starts up (reboots)

    Press "Change User or Group..." and set to ACPUser

    Run whether user is logged on or not

    Configure for: Windows Server 2019 (I don't think this matters)

  • Trigger tab

    New.... Begin the task at Start Up.

    Delay task for 1 minute (I don't know if this is necessary -- but give everything else a chance to get going first)

  • Actions tab, New...

    Program/script: "c:\Program Files\Lumina\Analytica 6.0\Suan.exe"

    Arguments: /config:d:\Acp\ui\assets\Server.config

  • Settings tab

    Allow task to be run on demand

    Run task as soon as possible after a scheduled start is missed

    Uncheck "Stop if task runs longer than"

• At Start menu, type: "Local security policy"
  • Drill down to: Local security policy / Security Settings / Local Policies / User Rights Assignment / Log on as a batch job / Add User or Group...
  • Add ACPUser [Apply] [Ok]

• Test that this works by

  right-clicking on the Task Scheduler task added above / Run.

  Task manager / Details. Verify that Suan.exe is running under the ACPUser account.

Create a Group Account

So now you should be able to use ACP. Here we will create a Group account with 1 admin user. The admin user will need to verify their email address and create a password, so it needs to be someone who will be watching their inbox.

• Copy

d:\acp\ui\assets\suan account admin.ana
and d:\acp\ui\assets\db driver info.ana
to:
d:\acp\accounts\suan account admin.ana
and d:\acp\accounts\db driver info.ana

• In a command prompt

cd c:\"Program Files\Lumina\Analytica 6.0"
.\suan.exe /config:d:\acp\ui\assets\singleinstance.config "d:\acp\accounts\suan account admin.ana"

When prompted to create a subscription administrator, click yes.

• Open the module Create new Group Subscription.
• In the account type select Group or Premium Group - if you are installing with optimizer select Premium Group
• Enter a Account/Subscription name
  

{If you are using the firebase authentication - the default.}

• Enter an email address for the Group account admin (needs to be someone who can open the email inbox)
  

(If you are using Apache authentication with sspi - windows authentication with windows user names. Enter the windows user name for the Group account admin instead).

• Press the [Create Subscription] Button

Expected: You should get a message box 'Subscription created'. Clear that by Clicking [OK]

• Close the module Create new Group subscription and open the module Manage existing Group subscription
• In the pulldown menu for Subscription Admin, ensure that the new user is selected as the subscription admin.
• Close the suan account admin.ana model for now.

Expected: You should have a group account that you can use with ACP in a browser. And the subscription manager is the user whose email address you entered

• Go to the ACP sign in page (your domain) in a Chrome Browser. (For now we are recommending that users stick with Chrome until we have done more testing in other browsers).
• In the email field enter the email address for the Group account admin
• You need to get a password unless you already have one for this firebase account - click the link get a new password. Should get a message that a password reset email has been sent to the email address.
• Now open the email inbox for the Group account admin and click on the password reset link.
• Enter a password and press Save. You should now be able to sign in to the Group account.
• Go back to the ACP sign in page and enter this password in the password field then press sign in or enter

Expected: You are signed in to ACP with the your Account name in the Account pulldown menu and the Home Project.

That's it . You can upload models, add users and projects now. You can also manage subscription admins. See more here.

Note - you can also create individual accounts by going to the sign in page, entering an email address and password, then pressing Sign up. Currently you cannot create an individual account if the user is part of the Group account.