Configuring the Configuration Server

You must run the following steps on the server after installing Config Server:

Edit web.config file

You must ensure that the AssertionDecoderPlugin and the CachePlugin entries in the web.config file, located in the <wwwrootDir>\Microsoft.CCF.ConfigurationSystem.Server.ConfigurationService folder, are set appropriately as shown below:

<Microsoft.Ccf.ConfigurationSystem.ServerSection CertificateIssuer="CN=CONFIG_SERVER_TEST_1" CertificateSerialNumber="f0 08 1e 67 a7 06 2a a4 49 f7 e2 a7 c2 7b 53 a9" ReaderWriterLock="10000">
   <Plugins>
      <add name="AssertionDecoderPlugin" type="Microsoft.Ccf.Plugins.DefaultDecoder, Microsoft.Ccf.AssertionDecoderPlugin" />
      <add name="CachePlugin" type="Microsoft.Ccf.Plugins.CacheContainer, Microsoft.Ccf.CacheProviderPlugin" />
   </Plugins>
</Microsoft.Ccf.ConfigurationSystem.ServerSection>

The Cache plug-in provides request/response caching. The default cache plug-in implements basic request/response caching using a Dictionary and a Hashtable. You can provide your own request/response caching by implementing the ICachePlugin<ConfigurationRequest, ConfigurationResponse> interface.

The Assertion Decoder plug-in takes in a set of assertions (passed with the request and present in the WCF security tokens) and returns an ordered dictionary of category/claim value pairs. The Assertion Decoder plug-in must implement the IAssertionDecoderPlugin interface. The default decoder accepts assertions in the form of name/value pairs (for example, "Department=IT", "Role=Developer") and returns a Dictionary with the category as the key.

To use the default plug-in provided with the code, you must pass assertions to the APIs in the form of name-value pairs. For example, to call an API such as InitializeConfiguration, define the assertions as:

ConfigurationUpdater updater = ConfigurationUpdater.Instance;
// Each assertion is a category=value pair understood by the default decoder.
string[] assertions = new string[] { "Organization=MGSI", "Status=FTE", "Role=Developer" };
Configuration config = updater.InitializeConfigurationStorage(<applicationName>, <shouldSign>, assertions);

The interfaces are defined in the Microsoft.Ccf.ConfigurationSystem.Server.ConfigurationService assembly. You must implement a custom plug-in if you need category/claim values to be derived from custom criteria. Both plug-ins are mandatory and must be implemented and placed in the bin folder of the virtual directory.
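The following is an added example, not code from the CCF product, of a decoder that parses name/value assertions the way the text describes for the default plug-in: it turns strings such as "Role=Developer" into an ordered dictionary keyed by category. Because the exact IAssertionDecoderPlugin signature is not shown on this page, the class below does not claim to implement that interface; the class and method names are assumptions, and it rejects malformed or duplicated assertions instead of silently dropping them, since these values arrive in the caller's security token and select the configuration the server returns.

```csharp
using System;
using System.Collections;
using System.Collections.Specialized;

// Added example (not CCF's own code). Wire it behind the real
// IAssertionDecoderPlugin interface from the ConfigurationService assembly.
public static class NameValueAssertionDecoder
{
    // Decodes assertions strictly: every entry must be one "category=value"
    // pair with non-empty sides, and a category may appear only once.
    public static OrderedDictionary Decode(string[] assertions)
    {
        if (assertions == null) throw new ArgumentNullException("assertions");

        // Category lookup is case-insensitive so "role=" and "Role=" collide
        // instead of producing two different claims.
        var claims = new OrderedDictionary(StringComparer.OrdinalIgnoreCase);
        for (int i = 0; i < assertions.Length; i++)
        {
            string assertion = assertions[i];
            if (string.IsNullOrEmpty(assertion))
                throw new FormatException("Assertion " + i + " is empty.");

            // Split on the first '=' only; a value may itself contain '='.
            int eq = assertion.IndexOf('=');
            if (eq <= 0 || eq == assertion.Length - 1)
                throw new FormatException("Assertion '" + assertion + "' is not of the form category=value.");

            string category = assertion.Substring(0, eq).Trim();
            string value = assertion.Substring(eq + 1).Trim();
            if (category.Length == 0 || value.Length == 0)
                throw new FormatException("Assertion '" + assertion + "' has an empty category or value.");

            // A repeated category is ambiguous (which Role applies?), so refuse it.
            if (claims.Contains(category))
                throw new FormatException("Category '" + category + "' is asserted more than once.");

            claims.Add(category, value);
        }
        return claims;
    }

    public static void Main()
    {
        // Constructed sample input mirroring the page's InitializeConfigurationStorage call.
        string[] assertions = { "Organization=MGSI", "Status=FTE", "Role=Developer" };
        OrderedDictionary claims = Decode(assertions);
        foreach (DictionaryEntry entry in claims)
            Console.WriteLine(entry.Key + " -> " + entry.Value);

        // A malformed assertion is rejected rather than mapped to a partial claim set.
        try { Decode(new[] { "Role" }); }
        catch (FormatException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```

Run it under the service's own identity when testing a custom decoder, because the assertions it sees in production are whatever the WCF token carries, not the tidy strings a client sample builds by hand.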

Install Certificate using the makecert command

Install the certificate that will be used for signing documents on the server, using the makecert command (located in C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin). Below is an example of the command:

makecert -r -pe -n "CN=CONFIG_SERVER" -b startdate -e enddate -sky signature -ss mycertstore -sr certlocation certname.cer
  • -r: creates a self-signed certificate.
  • -pe: marks the private key as exportable so it is included with the certificate.
  • -n "CN=CONFIG_SERVER": is the certificate's subject name.
  • -b and -e: define the start and end dates of the certificate's validity period.
  • -sky signature: defines the key type as a signature key.
  • -ss mycertstore: defines the name of the store that receives the output certificate.
  • -sr certlocation certname.cer: -sr defines the store location (CurrentUser or LocalMachine); the final argument, certname.cer, is the file the certificate is written to.

Give permissions in IIS to read certificate

Run the following command to grant IIS permission to read the certificate from the certificate store on the server.

C:\Program Files\Microsoft WSE\v3.0\Samples>winhttpcertcfg -g -c mycertstore -s "CONFIG_SERVER" -a "NETWORK SERVICE"
  • -g: grants the specified account access to the private key of the specified certificate.
  • -c: indicates the certificate store.
  • -s: indicates the certificate's subject name.
  • -a: indicates the user account under which the service runs.

Note

You must install Samples during WSE installation to get the above-mentioned command.

Update web.config file

Update the web.config file, located in the <wwwrootDir>\Microsoft.CCF.ConfigurationSystem.Server.ConfigurationService folder, with the name of the certificate issuer (CertificateIssuer) and its serial number (CertificateSerialNumber) as shown below:

<Microsoft.Ccf.ConfigurationSystem.ServerSection CertificateIssuer="CN=CONFIG_SERVER_TEST_1" CertificateSerialNumber="f0 08 1e 67 a7 06 2a a4 49 f7 e2 a7 c2 7b 53 a9" ReaderWriterLock="10000">
   <Plugins>
      <add name="AssertionDecoderPlugin" type="Microsoft.CCF.ConfigurationSystem.Server.DefaultDecoder, Microsoft.CCF.ConfigurationSystem.Server.AssertionDecoder" />
      <add name="CachePlugin" type="Microsoft.CCF.ConfigurationSystem.Server.CacheContainer, Microsoft.CCF.ConfigurationSystem.Server.CacheProvider" />
   </Plugins>
</Microsoft.Ccf.ConfigurationSystem.ServerSection>

Here, ReaderWriterLock is the ReaderWriter lock timeout period; the default is 10000.
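The three steps above (create the certificate, grant the service account access to its private key, point web.config at it by issuer and serial number) fail silently at configuration time and only surface when the service tries to sign. The following added check, which is not part of the CCF product, opens the store, looks for the certificate whose serial number matches the web.config value, confirms the issuer, and then tries to open the private key; run it under the account the application pool uses (NETWORK SERVICE on this page) to confirm the winhttpcertcfg step took effect. The store name "mycertstore" and StoreLocation.LocalMachine are assumptions taken from the page's placeholders, and the issuer and serial values are the ones from the web.config example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not part of CCF): verifies that the certificate named in
// web.config exists and that its private key is readable by this account.
public static class SigningCertificateCheck
{
    // web.config writes the serial as space-separated hex ("f0 08 1e ..."),
    // while X509Certificate2.SerialNumber is contiguous upper-case hex, so
    // normalise both sides before comparing.
    public static string NormalizeSerial(string serial)
    {
        return serial.Replace(" ", "").Replace(":", "").ToUpperInvariant();
    }

    public static X509Certificate2 FindSigningCertificate(
        string storeName, StoreLocation location, string expectedIssuer, string expectedSerial)
    {
        string wanted = NormalizeSerial(expectedSerial);
        var store = new X509Store(storeName, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
            {
                if (NormalizeSerial(cert.SerialNumber) != wanted) continue;
                // makecert -r produces a self-signed certificate, so the issuer
                // is the same CN as the subject and must match web.config.
                if (!string.Equals(cert.Issuer, expectedIssuer, StringComparison.OrdinalIgnoreCase))
                    throw new InvalidOperationException(
                        "Serial matches but issuer is '" + cert.Issuer + "', expected '" + expectedIssuer + "'.");
                return cert;
            }
        }
        finally { store.Close(); }
        return null;
    }

    public static bool PrivateKeyIsAccessible(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return false;
        try
        {
            // On .NET Framework this getter throws CryptographicException when
            // the current account lacks read access to the key container,
            // which is exactly what winhttpcertcfg -g is meant to grant.
            return cert.PrivateKey != null;
        }
        catch (CryptographicException) { return false; }
    }

    public static void Main()
    {
        // Values copied from the page's web.config example.
        const string issuer = "CN=CONFIG_SERVER_TEST_1";
        const string serial = "f0 08 1e 67 a7 06 2a a4 49 f7 e2 a7 c2 7b 53 a9";

        X509Certificate2 cert = FindSigningCertificate("mycertstore", StoreLocation.LocalMachine, issuer, serial);
        if (cert == null)
        {
            Console.WriteLine("No certificate with serial " + serial + " in the store; re-check the makecert step and the web.config serial.");
            return;
        }

        Console.WriteLine("Found " + cert.Subject + ", valid " + cert.NotBefore + " to " + cert.NotAfter);
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            Console.WriteLine("Warning: the certificate is outside its validity period (-b/-e).");

        Console.WriteLine(PrivateKeyIsAccessible(cert)
            ? "Private key is readable by " + Environment.UserName
            : "Private key is NOT readable by " + Environment.UserName + "; re-run winhttpcertcfg -g for the service account.");
    }
}
```

A certificate that is found but whose private key is not readable is the usual outcome of skipping the winhttpcertcfg step; a certificate that is not found at all usually means the serial in web.config was copied from a different certificate than the one makecert wrote.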

Update Machine.config

Modify the Machine.config file, located in the <Microsoft .Net Framework Runtime Install path>\Config directory, on all client machines and add the following sections.

<section name="Microsoft.Ccf.ConfigurationSystem.ClientSection" type="Microsoft.Ccf.ConfigurationSystem.Common.ConfigClientSection, Microsoft.Ccf.ConfigurationSystem.Common"/>
<Microsoft.Ccf.ConfigurationSystem.ClientSection CertificateIssuer="CN=CONFIG_SERVER_TEST_1" CertificateSerialNumber="f0 08 1e 67 a7 06 2a a4 49 f7 e2 a7 c2 7b 53 a9" ReaderWriterLock="10000"/>
  • CertificateIssuer is the certificate issuer name.
  • CertificateSerialNumber is the certificate serial number.
  • ReaderWriterLock is the ReaderWriter lock timeout period. The default is 10000.

Modify the app.config file

Modify the app.config file on the AgentDesktop machine to add the endpoint element shown below. The endpoint refers to the WCF endpoint (hosted by a Windows service) used to access the physical storage where the file is stored.

<system.serviceModel>
   <bindings>
      <basicHttpBinding>
         <binding name="FileUpdater" />
      </basicHttpBinding>
   </bindings>

   <client>
      <endpoint address="https://localhost/ConfigurationUpdaterService/FileUpdaterService" binding="basicHttpBinding" bindingConfiguration="FileUpdater" contract="FileUpdaterService.IFileUpdaterService" name="FileUpdater1">
      </endpoint>
   </client>
</system.serviceModel>