Readme

Contents

• Web Servers
  • Application Pool Identity
  • Database Login
  • iManager
  • Seating Assistant
  • iCMS Web API
• Communications Server
  • Service Login
  • Database Login
• Integration Server
  • Service Login
  • Database Login
  • Digital Certificate
  • Custom Ports
• Maintenance Server
  • Service Login
  • Database Login
• Scheduler Server
  • Service Login
  • Database Login
• User Account Control
• Diagnostics

Web Servers

Application Pool Identity

It is recommended that the identity used by the iCMS application pools (iManagerAppPool, SeatingAssistantAppPool, iCMSAPIAppPool) is only configured by the iCMS software installation program. If, however, the administrator wishes to change the account post-install then that account must be:

1. Given read/write permissions to <INSTALLDIR>\Web\iManager\Downloads. Applies to iManagerAppPool identity only.
2. Given read/write permissions to <INSTALLDIR>\LogFiles.
3. Given full control permissions to all existing iManager.log files in the <INSTALLDIR>\LogFiles folder. Applies to iManagerAppPool identity only.
4. Given full control permissions to all existing WebApi.log files in the <INSTALLDIR>\LogFiles folder. Applies to iCMSAPIAppPool identity only.
5. Given full control permissions to all existing WebApi-Serilog.log files in the <INSTALLDIR>\LogFiles folder. Applies to iCMSAPIAppPool identity only.
6. Given full control permissions to all existing SeatingAssistant.log files in the <INSTALLDIR>\LogFiles folder. Applies to SeatingAssistantAppPool identity only.

Database Login

It is recommended that the account used by the iCMS application pools (iManagerAppPool, SeatingAssistantAppPool, iCMSAPIAppPool) to connect to the database is only configured by the iCMS software installation program. If, however, the administrator wishes to change the account post-install then that account must be:

1. Configured (along with the password) in the 'sbcmsConnectionString' of the <INSTALLDIR>\Web\iManager\Web.config. *Password is only need for SQL Server authentication.
2. Configured (along with the password) in the 'sbcmsConnectionString' of the <INSTALLDIR>\Web\Api\appsettings.json. *Password is only need for SQL Server authentication.
3. Configured (along with the password) in the 'sbcmsConnectionString' of the <INSTALLDIR>\Web\SeatingAssistant\appsettings.json. *Password is only need for SQL Server authentication.
4. Added as a login within SQL Server and added to the cms_ServiceAccess role in the iCMS database. *For Windows authentication the account is the same as the service login account.

iManager

iManager is available at URL https://<hostname>/icms/imanager.
In order to use iManager correctly, JavaScript must be enabled on the client web browser.

Seating Assistant

The Seating Assistant is available at URL https://<hostname>/icms/seatingassistant.
In order to use the Seating Assistant correctly, JavaScript must be enabled on the client web browser. It is highly recommended that the WebSockets protocol is installed and enabled on the hosting IIS server.

iCMS Web API

The iCMS web API is available at URL https://<hostname>/icms/api.
Documentation for the iCMS web API is available at URL https://<hostname>/icms/api/api-docs.

ARIA Platform / AYRE Microsoft Authentication

To use Microsoft Azure Entra (Azure AD) authentication within the ARIA Platform or AYRE, application registrations (for the iCMS web API and the ARIA/AYRE web applications) need to be configured in Microsoft Azure by an appropriate administrator. Configuration within Azure is not covered by this readme.

If configured within Azure before installation then the iCMS web API registration configuration can be entered during iCMS installation/upgrade. If configured within Azure after installation of the iCMS, then configuration parameters from Azure need to be configured manually for the iCMS web API:

1. Open the <INSTALLDIR>\Web\Api\appsettings.json config file in a text editor, e.g. notepad.
2. Find the ValidOidcAudience property and set the value to the application (client) id from the iCMS web API app registration in Azure, e.g.
   "ValidOidcAudience": "abcdef12-1234-abcd-5678-fedbca654321"
3. Find the ValidOidcIssuer property and set the value to the issuer, where the GUID is the tenant id from Azure, e.g.
   "ValidOidcIssuer": "https://login.microsoftonline.com/aabbcc11-1122-aabb-5566-ffeeddcc2211/v2.0"
4. Find the OidcStsDiscoveryEndpoint property and set the value to the secure token service discovery endpoint, e.g.
   "OidcStsDiscoveryEndpoint": "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration"
5. Find the OidcDeviceCodeEndpoint property and set the value to the secure device code endpoint, where the GUID is the tenant id from Azure, e.g.
   "OidcDeviceCodeEndpoint": "https://login.microsoftonline.com/aabbcc11-1122-aabb-5566-ffeeddcc2211/oauth2/v2.0/devicecode"
6. Find the OidcTokenEndpoint property and set the value to the secure token endpoint, where the GUID is the tenant id from Azure, e.g.
   "OidcTokenEndpointt": "https://login.microsoftonline.com/aabbcc11-1122-aabb-5566-ffeeddcc2211/oauth2/v2.0/token"

Communications Server

Service Login

It is recommended that the account used by the communications service is only configured by the iCMS software installation program. If, however, the administrator wishes to change the account post-install then that account must be:

1. Granted the SeServiceLogonRight privilege in the local security policy.
2. Given read/write permissions to <INSTALLDIR>\LogFiles.
3. Given full control permissions to all existing Comms.log files in the <INSTALLDIR>\LogFiles folder.
4. Given full permissions to <INSTALLDIR>\Temp.

Database Login

It is recommended that the account used by the communications service to connect to the database is only configured by the iCMS software installation program. If, however, the administrator wishes to change the account post-install then that account must be:

1. Configured (along with the password) in the 'sbcmsConnectionString' of the <INSTALLDIR>\Bin\CMSCommsService.exe.config. *SQL Server authentication only.
2. Added as a login within SQL Server and added to the cms_ServiceAccess role in the iCMS database. *For Windows authentication the account is the same as the service login account.

Integration Server

Service Login

It is recommended that the account used by the integration service is only configured by the iCMS software installation program. If, however, the administrator wishes to change the account post-install then that account must be:

1. Granted the SeServiceLogonRight privilege in the local security policy.
2. Given read/write permissions to <INSTALLDIR>\LogFiles.
3. Given full control permissions to all existing Integration.log files in the <INSTALLDIR>\LogFiles folder.
4. Given full permissions to <INSTALLDIR>\Temp.
5. On the machine running the integration service:
   1. Open a command prompt with administrative level privileges.
   2. Run the following command to delete the existing HTTPS URL reservation, replacing the 8080 port number with a custom port (if used).
      netsh http delete urlacl url=https://*:8080/
   3. Run the following command to delete the existing HTTP URL reservation, replacing the 8081 port number with a custom port (if used).
      netsh http delete urlacl url=http://*:8081/
   4. Run the following command to add a new HTTPS URL reservation, replacing username with the name of the new account, e.g. MYMACHINE\MyUser, and replacing the 8080 port number with a custom port (if used).
      netsh http add urlacl url=https://*:8080/ user=username
   5. Run the following command to add a new HTTP URL reservation, replacing username with the name of the new account, e.g. MYMACHINE\MyUser, and replacing the 8081 port number with a custom port (if used).
      netsh http add urlacl url=http://*:8081/ user=username

To view the details of a URL reservation:

1. On the machine running the integration service, open a command prompt with administrative level privileges.
2. Run the following command to view the HTTPS URL reservation, replacing the 8080 port number with a custom port (if used).
   netsh http show urlacl url=https://*:8080/
3. Run the following command to view the HTTP URL reservation, replacing the 8081 port number with a custom port (if used).
   netsh http show urlacl url=http://*:8081/

Database Login

It is recommended that the account used by the integration service to connect to the database is only configured by the iCMS software installation program. If, however, the administrator wishes to change the account post-install then that account must be:

1. Configured (along with the password) in the 'sbcmsConnectionString' of the <INSTALLDIR>\Bin\CMSIntegrationService.exe.config. *SQL Server authentication only.
2. Added as a login within SQL Server and added to the cms_ServiceAccess role in the iCMS database. *For Windows authentication the account is the same as the service login account.

Digital Certificate

If the administrator wishes to use a signed, digital security certificate for the integration service then the administrator must install a new certificate as follows:

1. Install the new certificate into the Windows Local Machine Trusted Root Certification Authorities store.
2. On the machine running the integration service, open a command prompt with administrative level privileges.
3. Run the following command to delete any existing certificate, replacing the 8080 port number with a custom port (if used).
   netsh http delete sslcert ipport=0.0.0.0:8080
4. Run the following command to add the new certificate, replacing thumbprint with the thumbprint from the certificate being installed (a series of of hex characters - spaces and separators must be removed), and replacing the 8080 port number with a custom port (if used).
   netsh http add sslcert ipport=0.0.0.0:8080 appid={12345678-db90-4b66-8b01-88f7af2e36bf} certhash=thumbprint

To view the details of the application running on the given port:

1. On the machine running the integration service, open a command prompt with administrative level privileges.
2. Run the following command, replacing the 8080 port number with a custom port (if used).
   netsh http show sslcert ipport=0.0.0.0:8080

Custom Ports

The iCMS Integration Server contains a web service that other applications can use to query information in the iCMS database. By default, this is installed using ports 8080 (HTTPS) and 8081 (HTTP). These port numbers are configured in the installation wizard of the iCMS, or to change them manually (post-install) then:

1. Open the <INSTALLDIR>\Bin\CMSIntegrationService.exe.config file in notepad and:
   1. Find <add key="cmsApiHttpsPort" value="8080"/> and change the HTTPS port number.
   2. Find <add key="cmsApiHttpPort" value="8081"/> and change the HTTP port number.
2. On the machine running the integration service, open a command prompt with administrative level privileges.
3. If changing the HTTPS port:
   1. Run the following command to delete the existing certificate binding, where 8080 is the existing HTTPS port.
      netsh http delete sslcert ipport=0.0.0.0:8080
   2. Run the following command to delete the existing HTTPS URL reservation, where 8080 is the existing HTTPS port.
      netsh http delete urlacl url=https://*:8080/
   3. Run the following command to add a URL reservation, replacing port with the custom HTTPS port number, and replacing username with the name of the account the integration service runs as, e.g. MYMACHINE\CMSIntegration.
      netsh http add urlacl url=https://*:port/ user=username
      To confirm the URL reservation has been added, run the following command to show the URL reservation, replacing port with the custom HTTPS port number.
      netsh http show urlacl url=https://*:port/
   4. Run the following command to add a certificate binding, replacing port with the custom HTTPS port number, and replacing thumbprint with the thumbprint from the iCMS certificate (a series of of hex characters - spaces and separators must be removed).
      netsh http add sslcert ipport=0.0.0.0:port appid={12345678-db90-4b66-8b01-88f7af2e36bf} certhash=thumbprint
      To confirm the certificate binding has been added, run the following command to show the certificate binding, replacing port with the custom HTTPS port number.
      netsh http show sslcert ipport=0.0.0.0:port
4. If changing the HTTP port:
   1. Run the following command to delete the existing HTTP URL reservation, where 8081 is the existing HTTP port.
      netsh http delete urlacl url=http://*:8081/
   2. Run the following command to add a URL reservation, replacing port with the custom HTTP port number, and replacing username with the name of the account the integration service runs as, e.g. MYMACHINE\CMSIntegration.
      netsh http add urlacl url=http://*:port/ user=username
      To confirm the URL reservation has been added, run the following command to show the URL reservation, replacing port with the custom HTTP port number.
      netsh http show urlacl url=http://*:port/
5. Open the Services Management Console and restart the Speakerbus iCMS Integration Server service for the port changes to take effect.

NOTE: Applications which connect to the iCMS Integration Server's web service will need to connect using the same port numbers, so they must also be updated if the port numbers are changed, e.g. the Speakerbus iWS.

Maintenance Server

Service Login

It is recommended that the account used by the maintenance service is only configured by the iCMS software installation program. If, however, the administrator wishes to change the account post-install then that account must be:

1. Granted the SeServiceLogonRight privilege in the local security policy.
2. Given read/write permissions to <INSTALLDIR>\LogFiles.
3. Given full control permissions to all existing Maintenance.log files in the <INSTALLDIR>\LogFiles folder.

Database Login

It is recommended that the account used by the maintenance service to connect to the database is only configured by the iCMS software installation program. If, however, the administrator wishes to change the account post-install then that account must be:

1. Configured (along with the password) in the 'sbcmsConnectionString' of the <INSTALLDIR>\Bin\CMSMaintenanceService.exe.config. *SQL Server authentication only.
2. Added as a login within SQL Server and added to the db_owner role in the iCMS database. *For Windows authentication the account is the same as the service login account.

Scheduler Server

Service Login

It is recommended that the account used by the scheduler service is only configured by the iCMS software installation program. If, however, the administrator wishes to change the account post-install then that account must be:

1. Granted the SeServiceLogonRight privilege in the local security policy.
2. Given read/write permissions to <INSTALLDIR>\LogFiles.
3. Given full control permissions to all existing Scheduler.log files in the <INSTALLDIR>\LogFiles folder.

Database Login

It is recommended that the account used by the scheduler service to connect to the database is only configured by the iCMS software installation program. If, however, the administrator wishes to change the account post-install then that account must be:

1. Configured (along with the password) in the 'sbcmsConnectionString' of the <INSTALLDIR>\Services\Scheduler\appsettings.json. *SQL Server authentication only.
2. Added as a login within SQL Server and added to the cms_ServiceAccess role in the iCMS database. *For Windows authentication the account is the same as the service login account.

User Account Control

If the User Account Control feature of Windows is being used the user may be prompted to allow the iCMS installation program to run and make changes on the system. The iCMS installation program must be run using an Administrator account, or using the Run as administrator feature of Windows.

Diagnostics

For the purpose of diagnosing issues with the software or installation log files are written to the LogFiles folder, located underneath the installation target folder:

• Comms.log - Logging information from the iCMS Communications service.
• Install.log - Logging information from the iCMS InstallShield setup.
• Integration.log - Logging information from the iCMS Integration service.
• Maintenance.log - Logging information from the iCMS Maintenance service.
• MaintenanceApplication.log - Logging information from the iCMS Maintenance application.
• Scheduler.log - Logging information from the iCMS Scheduler service.
• iManager.log - Logging information from the iCMS iManager web application.
• WebApi.log - Logging information from the iCMS web API.
• WebApi-Serilog.log - Additional logging information from the iCMS Web API.
• SeatingAssistant.log - Additional logging information from the iCMS Seating Assistant.

When reporting issues back to Speakerbus Technology Ltd, please include these log files. In certain circumstances it may also be necessary to return as additional information, to aid the diagnostic process, the Windows System and Application Event Logs as well as a backup of the SQL Server iCMS database.