To install ACP with ApacheWindows sspi auth

Revision as of 05:44, 17 March 2022 by Dpaine
  • This page was written specifically for installing ACP on a new Google Cloud VM, and includes Server creation. If you are installing ACP on an existing server, some of the steps will not apply.

To upgrade ACP to a new release, or to activate a renewed license, go to this page: Upgrade ACP to a new release or activate new license

Configuration files

  • Lumina will send you the configuration files for your Apache server separately. This is in addition to the Analytica license. If you are installing on an existing server and already have the information below, please send it to us so we can get the configuration files to you ASAP. If you are starting up a new server, you need to have completed the server configuration and installation of this software up through the SSL certificates first.
  • Please prepare the following information and send it to Lumina so that we can send you the Apache .conf files ASAP.
    • The path and file name of the SSL certificate chain file, the key file and the cert file, e.g.

C:\Apache24\conf\myservername.com-chain.pem
C:\Apache24\conf\myservername.com-key.pem
C:\Apache24\conf\myservername.com-crt.pem

    • The server name and domain
    • The email address of the server admin (optional).
    • The ip address

Then we will edit the template httpd.conf and httpd-ssl.conf files and send them back to you, and you can just paste them into the Apache folders as described in the "Set up application in Apache configuration" section.

Create a new VM instance

  • Create a Windows 2019 Datacenter server.
  • Allow http traffic and allow https traffic.
  • Point your domain to the server

Add a D: drive

  • Create folder D:\Acp\Accounts

Install software

Apache

C++ redistributables

  • Install the (currently 2015-2022) Visual C++ redistributables first, available here.

Apache binaries

  • Get the 64 bit Apache package.

Apache no longer provides msi packages for Apache - you have to compile it or get it from a 3rd party.

  • Get the latest 64 bit Apache here.
  • Extract the zipped archive that you downloaded from apache.
  • Copy the folder Apache24 to the C drive: C:\Apache24
  • Test that Apache is working - in an elevated command prompt CD to the C:\Apache24\bin folder and enter httpd.exe

(If everything is working there will be no errors and the cursor will sit and blink on the next line).

  • Open a browser to http://localhost - if it's working you should get a web page saying "It works".
  • Exit the command prompt loop with CTRL + C together.
  • Install Apache as a service - in an elevated command prompt enter

cd C:\Apache24\bin
httpd.exe -k install

You should get a message:

"The 'Apache2.4' service is successfully installed".
Testing httpd.conf....
Errors reported here must be corrected before the service can be started.

(Assuming there is no list of errors here your install worked.)

  • For now, double-click the file Apache24\bin\Apachemonitor.exe to continue with setting up and testing the server.

If Windows Defender prevents this program from starting, click the More info link, and click Run anyway.

  • Copy or move Apache24\bin\Apachemonitor.exe to the startup folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp so it starts automatically when the computer starts.

Add the Apache Windows sspi Authentication module

  • Download the module and unzip it to a folder.

https://www.apachehaus.net/modules/mod_authnz_sspi/mod_authnz_sspi-0.1.1a1-2.4.x-x64-vc15.zip

  • Note that this module is not from Apache; it is an add-on done by the community. The most recent version of the module is built with vc15.

The most recent Apache version is vs16, which was not supposed to work correctly with this vc15 module.

  • From the downloaded folder Apache24\modules, copy mod_authnz_sspi.so and save it to the Apache modules directory.

C:\Apache24\modules\mod_authnz_sspi.so

  • From the downloaded folder Apache24\bin, copy sspipkgs.exe and save it in the Apache bin directory.

C:\Apache24\bin\sspipkgs.exe

PHP

  • In c:\php, rename php.ini-development to php.ini.
  • Add the php directory to the path:
  • In the search box type environment and select Edit the system environment variables
  • In system properties select Environment variables
  • Select system variables>Path and press Edit.
  • Select New and add C:\php then press OK. Then exit the system properties dialog.
  • In a command prompt enter php - if you get an error you will probably need to reboot. php should start and you will get a blinking cursor. Press Control + C to get out of the php loop.

Add a new rule to the firewall

  • Open the windows defender firewall, advanced settings.
  • Select Inbound rules
  • Click “New Rule” on the right-hand sidebar.
  • In the rule type pane, Select “Port,” and click Next.
  • In Protocol and Ports, select TCP and select the radio button next to “Specific local ports:”. Enter the following into the input box: 80, 443 and click Next.
    • Note: (LDC) we don't want 8080 included here. We want the firewall to block external traffic from accessing that port.
  • In the Action pane, select the radio button next to “Allow the connection” and click Next.
  • In the Profile pane ("where does this rule apply"), ensure all the boxes are checked, then click Next again.
  • Enter a name for the rule, "Allow incoming Apache traffic", and click Finish.
  • Test if you can access the server from another computer - you should be able to. If you cannot access the server, possibly Apache has turned off. If this happens, in an elevated command prompt enter C:\Apache24\bin>httpd.exe -k restart
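
The same rule created from an elevated PowerShell prompt, followed by a check for enabled inbound allow rules that would expose port 8080. This is an added example, not part of the original page; the helper name Test-PortCovered is hypothetical.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session.
$ruleName = 'Allow incoming Apache traffic'

# Create the inbound rule for TCP 80 and 443 on all profiles, once.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 80, 443 -Action Allow -Profile Any | Out-Null
}

# Hypothetical helper: does a port filter value ('80', '8000-8100', 'Any') cover $Port?
function Test-PortCovered {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
    }
    return $false
}

# Enabled inbound allow rules whose port filter covers 8080. Rules with port 'Any'
# are listed too; the Program column shows which executable each one is limited to.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    if ($port.Protocol -in 'TCP', 'Any' -and (Test-PortCovered $port.LocalPort 8080)) {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            LocalPort = $port.LocalPort -join ','
            Program   = $app.Program
        }
    }
} | Format-Table -AutoSize
```

An empty table means no enabled inbound allow rule covers 8080. On a Google Cloud VM the VPC firewall is a separate layer and is not inspected by this script.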

SQL server Express

The first time I did this with SQL server express 2018 I had to go back and install the MSSMS package - it doesn't come by default with SQL Express.

Here is a page with instructions and screenshots on how to install SQL Server Express.

Wait for the installation files to download...

  • In the Sql Server installation center, click the link to New SQL Server stand-alone installation or add features to an existing installation.
  • Note that you need to install the Microsoft Sql Management studio separately now if you choose a custom installation. You can do this by clicking on the link for this in the SQL server installer. You will probably need to launch the installer again after finishing the install.
  • Accept the license and click [Next].
  • Microsoft Updates pane opens - Check the box to use Microsoft Update to check for updates and click [Next]
  • The Install rules pane should show, and should say everything passed except the firewall - I got a warning. Ignore the warning and click [Next] (here's an explanation).
  • Feature selection pane shows - screenshot shows what I selected

(Screenshot: Suanalphawiki07.png)

  • Next pane is Instance configuration - accept the defaults and click [Next] and [Next]
  • Database configuration pane - select Windows Authentication and add any admins then click [Next], accept the defaults on the other 2 database panes and continue through until finished installation then click [Close]
  • In the Sql Server installation center, I then clicked the link to install sql server management tools in the default location.
  • Now, if necessary restart the SQL Server installation center and install Microsoft SQL Server Management studio. Or you could probably just install it from an installer downloaded from Microsoft here
  • Close the SQL server installation center

SSL certificate

You can ignore this if you are using another SSL certificate source. These instructions are for free Let's Encrypt certificates using win-acme. When I tried this the second time I got an error because I had misspelled the domain. I tried to start over and got an error about the http listener already in use. I rebooted and tried again - this worked.

  • Got the instructions on this page with a couple of minor changes. This page has screenshots also.

Step 1: Log in with RDP into Windows Server 2019
Step 2: Download Let’s Encrypt client. Visit the website of Win-acme to download the latest version. Get the x64 pluggable archive. Extract the downloaded zip to C:\win-acme.
Step 3: Create a batch file with the following command and save it to C:\win-acme\Scripts\RestartApache.bat

net stop "Apache2.4" & sc start "Apache2.4"

Step 4: In an elevated command prompt CD into the C:\win-acme folder and start wacs.exe.
Step 5: Issue certificate

  • Choose Create certificate with full options - enter M in the command prompt and press Enter
  • When prompted for how the domain names will be included, choose manual input - for me it was 2 - and press Enter
  • Enter the domain name you want for the certificate, e.g. suan-alpha.analytica.com, and press Enter
  • When prompted for a friendly name, either enter one or leave it blank, and then press Enter
  • When prompted how you want to verify you are the owner of the domain, enter the number for Save files on local or network path
  • It should then prompt for the root of the site - enter C:\Apache24\htdocs
  • When prompted to Copy default web config? enter N (no)
  • When prompted for type of private key - enter the option for RSA
  • When prompted how you would like to store the certificate enter the option for PEM encoded files (Apache, nginx, etc.)
  • Next at the prompt for where the certificates are stored enter C:\Apache24\conf
  • When prompted to store the certificate in another way too? enter the number for No additional store steps.
  • When prompted for more steps to update your application, enter the number for Start external script or program
  • It will ask for the path to the program, enter C:\win-acme\Scripts\RestartApache.bat
  • Next it prompts you to enter the parameter format string for the script - enter {StoreType} {StorePath} {RenewalId}
  • Next when it asks Add another installation step? enter the number for No.
  • Next the path to the terms of service is shown, do you want to open in the default application? Choose n unless you want to see it
  • Do you agree with the terms? Select yes
  • Next it will ask for an email address for notifications - enter one
  • Do you want to specify the user the task will run as? enter yes
  • Enter the user - I entered my username
  • Then enter the user's password
  • You should be done, Quit.

Step 6: Enable SSL for ACP (SSL is required for ACP)

  • Once you have SSL certificates on the server, send the file name and path of the certificate files to Lumina, so we can configure the Apache .conf files for your server.

So we need the path and file name of the SSL certificate chain file, the key file and the cert file, e.g.

C:\Apache24\conf\myservername.com-chain.pem
C:\Apache24\conf\myservername.com-key.pem
C:\Apache24\conf\myservername.com-crt.pem

  • Once Lumina has this certificate information, we will edit the httpd.conf and httpd-ssl.conf files and send them to you. Save them and continue with the installation steps - you will use them later.

Install the ACP code

  • Along with the Activation Key, you need the files in this Zip Archive: ACP_AW_3_1.zip.

Download this archive and extract it to a folder on your computer.

  • Copy these files (from the archive extracted) to C:\Program Files\Lumina\Analytica 6.1. Overwrite any existing files with the same name.

Analytica.ini
suan.exe
libssl-3.dll
libcrypto-3.dll
SuanFirebaseAuth.dll

The rest of the files from the extracted archive, in the folders assets and build, need to be saved to the ACP\ui folder.

  • Save these folders to D:\ACP\ui\.

D:\ACP\ui\Assets
D:\ACP\ui\Build


Create the Subscription Database

  • Launch Start / Microsoft SQL Server Tools 18 / Microsoft SQL Server Management Studio
    • Connect dialog appears.
      Server type=Database engine
      Server name=Yourserver\SQLEXPRESS
      Authentication=Windows Authentication
  • Right-click on Databases / New Database...
    • Database name=Suan Subscriptions
    • Press OK

Use the Analytica library to create the tables in the database

  • Run: Analytica.exe "d:\Acp\ui\assets\Create Suan DB.ana"
  • Press the "Create the Tables" button
  • Press the "Populate the Tables" button
  • Assuming no errors, exit Desktop Analytica.


Set up application in Apache configuration

  • In the Apache\conf directory, rename the default httpd.conf file to httpd-bk.conf so you have it as a backup, then replace it with the httpd.conf file you received from Lumina.
  • In the Apache\conf\extra directory, rename the default httpd-ssl.conf file to httpd-ssl-bk.conf so you have it as a backup, then replace it with the httpd-ssl.conf file you received from Lumina.
  • Check the apache configuration - in an administrator command prompt

cd C:\Apache24\bin

httpd.exe -t

(Output should be Syntax OK. If not, then there is a problem.)

  • If the response is OK, restart Apache in the command prompt:

cd C:\Apache24\bin
httpd -k restart

  • Test
    • Open a non-admin UI CMD window:
      CD "C:\Program Files\Lumina\Analytica 6.1"
      .\suan.exe /config:d:\Acp\ui\assets\server.config
      Expected: No UI appears. But in Task Manager, you should see a Suan process running.
    • In a browser on the server: Check your url
      Expected: The login page appears. It should prompt for windows username and password. Tests for apache & UI-side code working.
    • Log in - enter a windows user and password and press Sign in.
      Expected: Goes to User Portal, with an empty file listing.
  • On a computer other than the server, in Chrome: Check your url with https
    Expected: Should get to sign in screen
  • On a computer other than the server, in Chrome: Check your url with http
    Expected: It should convert to https and be at the sign in screen

Setup account to serve requests

We create a new account with security restrictions that ACP requests (i.e., models) run under.

  • Run Computer Management / System Tools / Local Users and Groups / Users
  • New User...
    User name = ACPUser
    Description = Account that ACP models run in.
    Password = ***yourpasswordhere***
    User cannot change password + Password never expires
  • Press Create. Then Right-click ACPUser/ Properties / MemberOf. Remove from group "Users".
  • In a CMD prompt:
    CD "C:\Program Files\Lumina\Analytica 6.1"
    RunAs /user:ACPUser .\Analytica
  • When Analytica launches, accept the terms and select the license in Desktop Analytica's Help->Update License dialog
  • Test that it saves this info by exiting and restarting, again as ACPUser, and checking the Help-Update License dialog.
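
The account steps above as an elevated PowerShell script, with an audit of which local groups still contain ACPUser afterwards. This is an added example, not part of the original page; the variable names are illustrative.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session.
$name = 'ACPUser'

# Create the account with the options listed above; the password is prompted for
# so that it never appears in the script or in command history.
if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString -Prompt "Password for $name"
    New-LocalUser -Name $name -Password $password `
        -Description 'Account that ACP models run in.' `
        -UserMayNotChangePassword -PasswordNeverExpires | Out-Null
}

# Remove the account from "Users" if it is a member (the GUI adds it on creation).
if (Get-LocalGroupMember -Name 'Users' -Member $name -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Name 'Users' -Member $name
}

# Audit: list every local group that still contains the account.
$memberships = Get-LocalGroup | Where-Object {
    Get-LocalGroupMember -Name $_.Name -Member $name -ErrorAction SilentlyContinue
}
if ($memberships) {
    Write-Warning "$name is still a member of: $($memberships.Name -join ', ')"
} else {
    Write-Output "$name is not a member of any local group."
}

# Show the resulting account flags; PasswordExpires is empty when it never expires.
Get-LocalUser -Name $name |
    Select-Object Name, Enabled, UserMayChangePassword, PasswordExpires
```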

Test - To launch the server now, from CMD, use:

RunAs /user:ACPUser "\"c:\Program Files\Lumina\Analytica 6.1\Suan\" /config:d:\Acp\ui\assets\server.config"

Ensure Analytica starts with the correct license then close Analytica

Give ACPUser DB access

  • In Microsoft SQL Server management Studio / Databases / Suan subscriptions / Security / Users
  • New User... / Windows user + <yourcomputername>\ACPUser + (leave login name blank) + default schema=dbo
  • Membership / db_datawriter + db_datareader

Configure for auto-launch

Configure Windows to automatically launch the Suan server when the computer boots.

  • Run Task Scheduler
    • Create a new folder under "Task Scheduler Library" named Lumina
    • Right-click on Lumina / Create Task...
    • General tab
      Name: Start ACP server at boot
      Description: Launches the ACP server process when the server starts up (reboots)
      Press "Change User or Group..." and set to ACPUser
      Run whether user is logged on or not
      Configure for: Windows Server 2019 (I don't think this matters)
    • Triggers tab
      New.... Begin the task at Start Up.
      Delay task for 30 seconds (I don't know if this is necessary -- but give everything else a chance to get going first)
    • Actions tab, New...
      Program/script: "c:\Program Files\Lumina\Analytica 6.1\Suan.exe"
      Arguments: /config:d:\Acp\ui\assets\Server.config
    • Settings tab
      Allow task to be run on demand
      Run task as soon as possible after a scheduled start is missed
      Uncheck "Stop if task runs longer than"
      Click OK
  • At Start menu, type: "Local security policy"
    • Drill down to: Local security policy / Security Settings / Local Policies / User Rights Assignment / Log on as a batch job / Add User or Group...
    • Add ACPUser [Apply] [Ok]
  • Test that this works by
    right-clicking on the Task Scheduler task added above / Run.
    Task manager / Details. Verify that Suan.exe is running under the ACPUser account.
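
The Task Scheduler settings above registered from an elevated PowerShell prompt, followed by the check that Suan.exe runs under ACPUser. This is an added example, not part of the original page; it assumes ACPUser already exists and already holds the "Log on as a batch job" right described above.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session.
$taskPath = '\Lumina\'
$taskName = 'Start ACP server at boot'
$cred = Get-Credential -UserName "$env:COMPUTERNAME\ACPUser" -Message 'ACPUser password'

# Actions tab
$action = New-ScheduledTaskAction `
    -Execute 'c:\Program Files\Lumina\Analytica 6.1\Suan.exe' `
    -Argument '/config:d:\Acp\ui\assets\Server.config'

# Triggers tab: at startup, delayed by 30 seconds (ISO 8601 duration)
$trigger = New-ScheduledTaskTrigger -AtStartup
$trigger.Delay = 'PT30S'

# Settings tab: run as soon as possible after a missed start, no execution time limit
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit ([TimeSpan]::Zero)

# Supplying -User and -Password stores the credential, which corresponds to
# "Run whether user is logged on or not".
Register-ScheduledTask -TaskPath $taskPath -TaskName $taskName `
    -Description 'Launches the ACP server process when the server starts up (reboots)' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password | Out-Null

# Run the task on demand, then list each Suan.exe process with its owning account.
Start-ScheduledTask -TaskPath $taskPath -TaskName $taskName
Start-Sleep -Seconds 5
Get-CimInstance Win32_Process -Filter "Name = 'Suan.exe'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [pscustomobject]@{
        ProcessId = $_.ProcessId
        Owner     = "$($owner.Domain)\$($owner.User)"
    }
}
```

Every listed process should show ACPUser as its owner; a Suan.exe owned by an administrator account was started some other way and is not running with the restricted account.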

Create a Group Account

So now you should be able to use ACP. Here we will create a Group account with 1 admin user.

  • Copy

d:\acp\ui\assets\suan account admin.ana
and d:\acp\ui\assets\db driver info.ana
to:
d:\acp\accounts\suan account admin.ana
and d:\acp\accounts\db driver info.ana

  • In a command prompt

cd c:\"Program Files\Lumina\Analytica 6.1"
.\suan.exe /config:d:\acp\ui\assets\singleinstance.config "d:\acp\accounts\suan account admin.ana"

When prompted to create a subscription administrator, click yes.

  • Open the module Create new Group Subscription.
  • In the account type select Group or Premium Group - if you are installing with optimizer select Premium Group
  • Enter an Account/Subscription name

(In the Email address field, because you are using Windows authentication, enter the Windows user name for the Group account admin.)

  • Press the [Create Subscription] Button.

Expected: You should get a message box 'Subscription created'. Clear that by Clicking [OK]

  • Close the module Create new Group subscription and open the module Manage existing Group subscription.
  • In the pulldown menu for Subscription Admin, ensure that the new user is selected as the subscription admin.
  • Close the suan account admin.ana model for now.

Expected: You should have a group account that you can use with ACP in a browser. And the subscription manager is the user who is the Group account admin you entered

  • Go to the ACP sign in page (your domain) in a Chrome Browser. (For now we are recommending that users stick with Chrome until we have done more testing in other browsers).
  • In the User name field enter the Windows user name for the Group account admin
  • Enter the windows password for this user in the password field then press enter

Expected: You are signed in to ACP with the new group Account, in the Subscription admin project. From here you can manage other users.

That's it. If you click the project pulldown menu, you should have a Home project, to which you can upload models and add users, etc. You can also manage subscription admins. See more here.

Managing Users

  • You can add users as described here. With windows authentication the users will be windows users not email addresses.
  • When using Windows authentication the admin will need to ensure that each user is in the local Windows Users. They also need to notify each user, and create and reset passwords when needed, unless the users have the permissions to do that themselves with Windows.