Manual Installation

If you need to manually install Verify Privilege Manager on a system and you already have an existing server installation, refer to the installation instructions described under the High Availability Set-up for Verify Privilege Manager. Otherwise follow the steps below.

IBM Security recommends always using the setup.exe installer to verify that your system meets the prerequisites.

Download Verify Privilege Manager Application Files

Make sure you have the prerequisites (IIS, .NET Framework, and SQL Server) installed before following the steps listed below.

After clicking the download link on the Software Downloads page, you will be able to download a .zip file that contains both Verify Privilege Manager and Verify Privilege Manager files.

Zip File Extraction Tool

You will also need to install a zip application like winzip or 7-zip to extract files for this install. 7-zip is used in the instructions below and can be downloaded for free here.

Manual Installation (no setup.exe)

Clicking the download link above will take you to a portal page where you can choose to download a .zip file that contains the application files. Use this .zip file for the instructions below. Privilege Manager can be installed in a few different ways, as a:

  • virtual directory
  • website

Installing as a Virtual Directory

  1. Extract the contents of the .zip file and select the nugetCache folder. Move the contents of that folder to a temporary location like C:\ProgramData\ (Recommended)

  2. Create a folder called TMS in the location C:\inetpub\wwwroot\

  3. Navigate back to C:\ProgramData\nugetCache\ and using any zip application (e.g., 7-zip, winzip, winrar), open ThycoticTms.xx.x.xxxx.nupkg

    To do this with 7-zip, right click ThycoticTms.xx.x.xxxx.nupkg and navigate to 7-zip | Open Archive.

  4. Open the Content directory and enter Ctrl-A to select all of its contents. Copy these to the location C:\inetpub\wwwroot\TMS\

  5. In C:\inetpub\wwwroot\TMS\, where you have extracted the TMS Site files, create a new file (right click, New | Text Document) called connectionstrings.config

  6. Next, decide what mode you want to use to access your SQL database and follow the corresponding steps:

    • Mixed Mode/"Integrated Security=False" (for easiest configuration): Mixed Mode is required if you intend on using a SQL Server account to authenticate Verify Privilege Manager to your SQL Server instance. If you are doing an evaluation and using the Verify Privilege Manager setup.exe installer, we recommend using Mixed Mode with a SQL authentication account. This option will also require you to set a password for the SQL Server system administrator (sa) account. See the Integrated Security=False section below to use Mixed Mode.
    • Windows Authentication Mode/"Integrated Security=True" (recommended for best security): This will prevent SQL Server account authentication and requires a Windows Service account to run the Verify Privilege Manager website. This will also require additional configuration in IIS once Verify Privilege Manager is installed. Follow the steps under the Integrated Security=True section below to use Windows Authentication.

Integrated Security=False

Open in Notepad the connectionstrings.config file created in step 5 and copy in the following text, replacing the SQL Server Name, Database Name, User Name, and Password (highlighted in bold below) with values for your environment. Save changes.

<connectionStrings>
  <add name="ApplicationServerWorkflowInstanceStoreConnectionString"
       connectionString="Data Source=SQLServerAddress;Initial Catalog=DatabaseName;Integrated Security=False;User ID=myUserName;Password=myPassword;Application Name='Arellia Management Server - WF'" />
  <add name="AmsConnectionString"
       connectionString="Data Source=SQLServerAddress;Initial Catalog=DatabaseName;Integrated Security=False;User ID=myUserName;Password=myPassword;Application Name='Arellia Management Server'" />
</connectionStrings>

Integrated Security=True

If you choose to set Integrated Security to True, you will need to ensure that the application pool service accounts have access to the database server in a later step.

Open in Notepad the connectionstrings.config file created in step 5 and copy in the following text, replacing the SQL Server Name and Database Name (highlighted in bold below) with values for your environment. Save changes.

<connectionStrings>
  <add name="ApplicationServerWorkflowInstanceStoreConnectionString"
       connectionString="Data Source=SQLServerAddress;Initial Catalog=DatabaseName;Integrated Security=True;Application Name='Arellia Management Server - WF'" />
  <add name="AmsConnectionString"
       connectionString="Data Source=SQLServerAddress;Initial Catalog=DatabaseName;Integrated Security=True;Application Name='Arellia Management Server'" />
</connectionStrings>
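
The following PowerShell check is an added example, not part of the vendor's instructions or tooling. It parses a connectionstrings.config in the format shown above and reports SQL logins whose password is stored in the file, missing entries, and template placeholders that were never replaced. The function names and the sample input are constructed for illustration.

```powershell
# Added example (not vendor code): audit connectionstrings.config from step 5.
function Get-CsValue($Builder, [string[]]$Keys) {
    # Return the value of the first keyword present (keywords have synonyms).
    foreach ($k in $Keys) {
        if ($Builder.ContainsKey($k)) { return [string]$Builder[$k] }
    }
}

function Test-TmsConnectionStrings([xml]$Config) {
    $names = 'ApplicationServerWorkflowInstanceStoreConnectionString', 'AmsConnectionString'
    $placeholders = 'SQLServerAddress', 'DatabaseName', 'myUserName', 'myPassword'
    foreach ($name in $names) {
        $entry = $Config.SelectNodes('/connectionStrings/add') |
            Where-Object { $_.GetAttribute('name') -eq $name } | Select-Object -First 1
        if (-not $entry) {
            [pscustomobject]@{ Name = $name; Finding = 'entry missing' }
            continue
        }
        $cs = $entry.GetAttribute('connectionString')
        $b  = New-Object System.Data.Common.DbConnectionStringBuilder
        # The builder is a dictionary, so call the setter explicitly to parse.
        $b.set_ConnectionString($cs)
        $integrated  = Get-CsValue $b 'Integrated Security', 'Trusted_Connection'
        $password    = Get-CsValue $b 'Password', 'Pwd'
        $windowsAuth = $integrated -match '^(true|yes|sspi)$'
        if ($password -and -not $windowsAuth) {
            [pscustomobject]@{ Name = $name; Finding = 'SQL login; password stored in clear text' }
        } elseif ($password) {
            [pscustomobject]@{ Name = $name; Finding = 'password present but unused (Integrated Security=True)' }
        }
        foreach ($p in $placeholders | Where-Object { $cs -match [regex]::Escape($_) }) {
            [pscustomobject]@{ Name = $name; Finding = "template placeholder '$p' not replaced" }
        }
    }
}

# Constructed sample input. For a real check use:
#   Test-TmsConnectionStrings (Get-Content -Raw C:\inetpub\wwwroot\TMS\connectionstrings.config)
$sample = @'
<connectionStrings>
  <add name="AmsConnectionString"
       connectionString="Data Source=sql01;Initial Catalog=DatabaseName;Integrated Security=False;User ID=svc_tms;Password=Example-Only-1;Application Name='Arellia Management Server'" />
</connectionStrings>
'@
Test-TmsConnectionStrings $sample | Format-Table -AutoSize
```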

Continue: Installing as a Virtual Directory

  1. Open Internet Information Services Manager (InetMgr.exe).

  2. Under your local server, right-click Application Pools and select Add Application Pool... Add three new application pools. Name one "TMS," name another "TMSAgent," and name the third "TMSWorker."

  3. If you selected Integrated Security=True in step 6 when creating your connection string, change the Identity for your application pools to a service account that has DBOwner rights on the SQL database, and make sure that the Identity for the three app pools has Modify rights to the folder that you put the Verify Privilege Manager files into. To set up the service account correctly and set folder permissions and the Identities for these app pools, follow all of the steps in Using a Service Account to run the IIS App pool now.

  4. Right click Default Web Site in IIS and select Add Virtual Directory.

  5. Select an alias for your Verify Privilege Manager. The alias is what will be appended to the website. For instance, "TMS" in http://myserver/TMS.

  6. Next, enter the physical directory where you unzipped Verify Privilege Manager (C:\inetpub\wwwroot\TMS\).

  7. Click OK.

  8. In the tree, right click the new virtual directory and select Convert to Application.

  9. Set the Application Pool to the one called TMS. Click OK.

  10. In the virtual directory expand the new TMS site, right click the Agent sub-folder and select Convert to Application.

  11. Set the Application Pool to the one called TMSAgent and click OK.

  12. Next, in the virtual directory navigate to the ServiceBus sub-folder. Right click and select Convert to Application.

  13. Set the Application Pool to the one called TMSWorker. Click OK.

  14. In the virtual directory, select the Services sub-folder, right click the new virtual directory and select Convert to Application. Ensure that the Application Pool is set to the one called TMS. Click OK.

  15. In the virtual directory, select the Setup sub-folder, right click the new virtual directory and select Convert to Application. Ensure that the Application Pool is set to the one called TMS. Click OK.

  16. In the virtual directory, select the Worker sub-folder, right click the new virtual directory and select Convert to Application. Set the Application Pool to the one called TMSWorker. Click OK.

  17. Select your TMS virtual directory, double click Authentication in the features pane and make sure that only Anonymous Authentication is set to Enabled. Everything else should be set to disabled.

  18. Select the Setup directory, double click Authentication in the features pane and make sure that Anonymous Authentication and Windows Authentication are both set to Enabled. Everything else is disabled.

  19. Select the Worker directory, double click Authentication in the features pane and make sure that Anonymous Authentication and Windows Authentication are both set to Enabled. Everything else is disabled.

  20. In Regedit.exe, create a new Registry key: under HKEY_LOCAL_MACHINE, right click Software | New | Key and name the new key "Thycotic." Next, right click Thycotic | New | Key and name the new key "TMS."

    1. Create a new string value in the TMS key: right-click TMS | New | String Value, with a name of webapp and a value of TMS (double click to assign the value).

    2. Create a second new string value with a name of the website and a value of the URL to the root of the site you will be using (i.e., "testlab" for a website of https://testlab/TMS)

    3. Create a new string value with a name of "Webdir" and a value of the path you put your Verify Privilege Manager files in (i.e., C:\inetpub\wwwroot\TMS\)

  21. Ensure that the Verify Privilege Manager folder has the proper permissions by checking that the account running the application pool in IIS has Modify permissions on the folder where Verify Privilege Manager is installed. For example, in C:\inetpub\wwwroot\, right click TMS | Properties | Security tab. If the service account created in Using a Service Account to run the IIS App pool is not listed, click Edit | Add, find the account via Check Names, and click OK. Then click on the account, check Modify, and click Apply.

  22. If your server does not have internet access you will need to ensure that your solutionCenter is configured for the directory that you deposited the nupkg files into.

    1. Go to the directory where you have installed the TMS site (i.e., C:\inetpub\wwwroot\TMS)

    2. Open the web.config file with Notepad and find the line:

      <add key="nuget:source:SolutionCentre" value="http://tmsnuget.thycotic.com" />

    3. Replace the value with the directory from step 1 (usually c:\ProgramData\NugetCache\). Save changes.

      If using a local path, make sure to include the final slash.
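
The following PowerShell audit is an added example, not part of the vendor's instructions or tooling. It compares the live IIS configuration with the application pool assignments and authentication settings given in steps 9 to 19 above, assuming the alias TMS under Default Web Site. It checks only Anonymous and Windows Authentication, so other authentication schemes still need to be reviewed in IIS Manager.

```powershell
# Added example, not vendor code. Assumes the alias TMS under "Default Web Site".
Import-Module WebAdministration

$site = 'Default Web Site'
$expected = @(
    # Windows = expected Windows Authentication state, only where the steps give one.
    @{ App = 'TMS';            Pool = 'TMS';       Windows = $false }
    @{ App = 'TMS/Agent';      Pool = 'TMSAgent' }
    @{ App = 'TMS/ServiceBus'; Pool = 'TMSWorker' }
    @{ App = 'TMS/Services';   Pool = 'TMS' }
    @{ App = 'TMS/Setup';      Pool = 'TMS';       Windows = $true }
    @{ App = 'TMS/Worker';     Pool = 'TMSWorker'; Windows = $true }
)

function Test-AuthEnabled([string]$Location, [string]$Scheme) {
    # Effective setting for one authentication scheme at an IIS location path.
    $filter = "system.webServer/security/authentication/$Scheme"
    $prop = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $Location -Filter $filter -Name enabled
    [bool]$prop.Value
}

$apps = Get-WebApplication -Site $site
$report = foreach ($e in $expected) {
    $problems = @()
    $app = $apps | Where-Object { $_.path -eq "/$($e.App)" }
    if (-not $app) {
        $problems += 'not converted to an application'
    } elseif ($app.applicationPool -ne $e.Pool) {
        $problems += "pool is '$($app.applicationPool)', expected '$($e.Pool)'"
    }
    if ($e.ContainsKey('Windows')) {
        $location = "$site/$($e.App)"
        if (-not (Test-AuthEnabled $location 'anonymousAuthentication')) {
            $problems += 'Anonymous Authentication is disabled'
        }
        if ((Test-AuthEnabled $location 'windowsAuthentication') -ne $e.Windows) {
            $problems += "Windows Authentication should be enabled=$($e.Windows)"
        }
    }
    [pscustomobject]@{ Application = $e.App; Problems = ($problems -join '; ') }
}
$report | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session on the web server; an empty Problems column means the application matches the steps.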

Verify Privilege Manager is now ready to be configured. Continue with Completing Verify Privilege Manager Installation from the website.

Installing as a Website

  1. In IIS, right-click Sites and select Add Website.
  2. Enter a Site name.
  3. Click Select and choose the application pool you created in the Manual Installation section from the drop-down menu. Click OK.
  4. Click the button beside the Physical path field and select the directory containing the unzipped Verify Privilege Manager files (i.e., C:\inetpub\wwwroot\TMS). Click OK.
  5. At the bottom of the Add Website window, click OK to save your settings.

Completing Verify Privilege Manager Installation from Website

Verify Privilege Manager is now ready to complete installation. Open a browser and navigate to where your Verify Privilege Manager Setup is located, for example: https://localhost/TMS/Setup. It will request Windows credentials, which must be the credentials for a local administrator on the web server.

The site will detect that it does not have the proper database configuration and walk you through installing the initial database objects.

After this initial step, you will be presented with a list of Verify Privilege Manager features you can choose to install.

  1. Select Add/Remove Product Features.

  2. Select Application Control and Verify Privilege Manager. This will automatically also select any prerequisites they require.

    Each feature is delivered as a NuGet package. The package will unzip, add files to the Privilege Manager website, and update the database with its required objects. Installing the database and features may take several minutes.

  3. Click Show Install Log to reveal installation progress.

Once all features have been installed, Verify Privilege Manager is ready to use! Refer to the Getting Started section for setup and configuration advice.

IBM Security recommends creating a back-up copy of the Verify Privilege Manager web application folder after installation or upgrades.