Advanced (Manual) Installation

Procedure

For the highest scalability and reliability, IBM Security recommends using RabbitMQ. MemoryMQ is an easier but less capable alternative. It can be used for trials and proofs of concept but should not be used for production environments. Two exceptions are very small deployments and customers that do not use open-source software for compliance reasons.

Step 1: Downloading the Verify Privilege Vault Application Files

Ensure you have the IIS, .NET Framework, and SQL Server prerequisites installed before following the steps below.

Go to IBM Fix Central to get a .zip file that contains both Verify Privilege Vault and Verify Privilege Manager files in the manual installation section. Use this .zip file for the instructions below.

Step 2: Creating Folders and Extracting Contents

  1. Extract the contents of the .zip file downloaded above (Right-click, Extract All...). The original file is named with the latest version number for Verify Privilege Vault.

  2. Extracting this file reveals a nugetCache folder, as well as another zipped folder named ss_update. For a Verify Privilege Vault-only install, you will not need the contents of the nugetCache folder.

  3. Create a folder called SecretServer in the location C:\inetpub\wwwroot\.

  4. Extract the contents of the ss_update.zip file (Right-click, Extract All...) to C:\inetpub\wwwroot\SecretServer.

Step 3: Configuring IIS

Open Internet Information Services (IIS) Manager and create a new application pool:

Note: Our IIS installation sets the .NET trust level to "Full (internal)", which may affect other applications on the server.

  1. Right-click Application Pools and select Add Application Pool...

  2. Type a name (for example, SecretServerAppPool).

  3. Ensure that the highest .NET CLR version is selected.

  4. Ensure the Managed pipeline mode is set to Integrated.

  5. Click the OK button.

    The Verify Privilege Vault installer sets the application pool to default to the system Network Service account. If you selected Windows Authentication Mode during the SQL Installation process, see Running the IIS Application Pool As a Service Account. To use Windows Authentication you must use an Active Directory service account to run the application pool in IIS. We recommend this as a security best practice.

  6. See Changing IIS to Not Stop Worker Process in IIS 7.0 and Later to set the Idle Timeout and Regular Timeout settings to 0 for the application pool in IIS.

  7. Install Verify Privilege Vault as either a virtual directory (4a) or as a website (4b):

Step 4a: Installing Verify Privilege Vault as a Virtual Directory

  1. Right-click Default Web Site and select Add Virtual Directory...

  2. Select an alias for your Verify Privilege Vault. The alias is appended to the website, and it is best to name it the name of your earlier unzipped folder. For example, SecretServer becomes https://myserver/SecretServer.

  3. Select the physical directory for where you unzipped Verify Privilege Vault, for example, C:\inetpub\wwwroot\SecretServer. Do not replace SecretServer with anything longer than 20 characters.

  4. Click the OK button.

  5. In the tree, right-click the new virtual directory and select Convert to Application.

  6. Set the Application Pool to the same one you created in the Manual Installation section, for instance, SecretServerAppPool. Verify Privilege Vault is now ready for installation. Skip to Step 5.

Step 4b: Installing Verify Privilege Vault as a Website

  1. In IIS, right-click Sites and select Add Website...

  2. Type a site name.

  3. Click Select... and choose the application pool you created in the Manual Installation section.

  4. Click the OK button.

  5. Click the ... button beside the Physical path field and select the directory containing the unzipped Verify Privilege Vault files, for example C:\inetpub\wwwroot\SecretServer.

  6. Click the OK button.

  7. Click the OK button at the bottom of the Add Website window to save your settings. Verify Privilege Vault is now ready for installation.
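
Steps 2, 3 and 4a can also be scripted. The following PowerShell is an added example, not IBM's installer code. The download and staging paths are assumed placeholders, "highest .NET CLR version" is assumed to mean v4.0, and the "Regular Timeout" setting is assumed to correspond to the pool's periodic restart time.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of Steps 2, 3 and 4a (virtual directory option).
Import-Module WebAdministration

$Download = 'C:\Temp\VerifyPrivilegeVault.zip'   # assumed: the .zip from Fix Central
$Staging  = 'C:\Temp\VPV-extract'                # assumed: scratch folder
$SitePath = 'C:\inetpub\wwwroot\SecretServer'    # folder from Step 2
$PoolName = 'SecretServerAppPool'                # example name from Step 3
$Alias    = Split-Path $SitePath -Leaf           # Step 4a: alias matches the folder name

# Step 4a warns against folder names longer than 20 characters.
if ($Alias.Length -gt 20) { throw "Folder name '$Alias' exceeds 20 characters." }

# Step 2: extract the outer archive, then ss_update.zip into the web root.
Expand-Archive -Path $Download -DestinationPath $Staging -Force
$Inner = Get-ChildItem -Path $Staging -Filter 'ss_update.zip' -Recurse |
         Select-Object -First 1
if (-not $Inner) { throw "ss_update.zip not found under $Staging" }
New-Item -ItemType Directory -Path $SitePath -Force | Out-Null
Expand-Archive -Path $Inner.FullName -DestinationPath $SitePath -Force

# Step 3: application pool with Integrated pipeline and no idle or timed recycling.
$Pool = "IIS:\AppPools\$PoolName"
if (-not (Test-Path $Pool)) { New-WebAppPool -Name $PoolName | Out-Null }
Set-ItemProperty $Pool -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty $Pool -Name managedPipelineMode -Value 'Integrated'
Set-ItemProperty $Pool -Name processModel.idleTimeout -Value ([TimeSpan]::Zero)
Set-ItemProperty $Pool -Name recycling.periodicRestart.time -Value ([TimeSpan]::Zero)

# Step 4a: virtual directory under Default Web Site, converted to an application.
New-WebVirtualDirectory -Site 'Default Web Site' -Name $Alias `
    -PhysicalPath $SitePath | Out-Null
ConvertTo-WebApplication -PSPath "IIS:\Sites\Default Web Site\$Alias" `
    -ApplicationPool $PoolName | Out-Null

# Check: Windows Authentication to SQL needs an Active Directory service account,
# which IIS reports as identityType 'SpecificUser'.
$Identity = (Get-ItemProperty $Pool -Name processModel).identityType
if ($Identity -ne 'SpecificUser') {
    Write-Warning ("Pool '$PoolName' runs as $Identity. Assign an AD service " +
        "account before choosing Windows Authentication in Step 5.")
}
Get-ItemProperty $Pool |
    Select-Object name, managedRuntimeVersion, managedPipelineMode
```

The script does not set the pool identity; assign the service account as described in Running the IIS Application Pool As a Service Account.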

Step 5: Completing Verify Privilege Vault Installation from the Website

Your Verify Privilege Vault advanced installation is now ready to complete:

  1. Installing and Configuring SQL Server.

  2. Open a browser and navigate to where your Verify Privilege Vault is located, such as http://localhost/secretserver. You should arrive at a page that says "Verify Privilege Vault (Not Installed or Unable to Access the Database)."

  3. Click the Install Verify Privilege Vault button.

  4. On the SQL Server Location page, specify the server name of your SQL Database Server, <DatabaseMachineName>\InstanceName and then the database name that you created in SQL for Verify Privilege Vault.

  5. If you are using Windows authentication mode to access SQL (recommended), ensure the correct service account is listed.

  6. If you selected mixed mode during the SQL install, select SQL Server Authentication and enter the SQL username and password you created for the SQL account. For information about adding a SQL Server user, see the SQL Server 2016 Standard Edition Installation.

  7. Click the Install Verify Privilege Vault button. Verify Privilege Vault verifies it is able to successfully create the Verify Privilege Vault database. If an error occurs, no database changes will be made.

    Verify Privilege Vault attempts to download and install the latest version from the Internet. If you do not have an active Internet connection on your Web server, Verify Privilege Vault will continue to install the version from your downloaded application files.

  8. The install may take a few minutes to complete. Once successful, click the Return to Home button.

  9. Create a username and password for the administrator account for Verify Privilege Vault and store these credentials in a safe location.

  10. Click the Create User button and log on after entering the username and password.

  11. Once logged on to Verify Privilege Vault, you are prompted with the Getting Started wizard. The wizard guides you through adding your Licenses, setting up an email server, and creating your first group.

    If you skipped the wizard and would like to return, go to HELP > Getting Started from the top menu.

Verify Privilege Vault is now installed. See our Getting Started Tutorial Overview or contact IBM Security Support about training.

Troubleshooting Notes

  • If the database name you provide does not yet exist in the specified instance of SQL Server, Verify Privilege Vault attempts to create the database using the SQL or Windows account you have specified. For that account to create a database, it needs to have the dbcreator server role in SQL Server. Verify Privilege Vault
  • If using Windows authentication mode (recommended), you need to use a service account with appropriate permissions to run SS's application pools. See Running the IIS Application Pool As a Service Account.