Installing the Axiom certificate

In order to install the Axiom Application Server on your on-premise server, a signed Axiom certificate must be present on the server. This is a one-time step that must be performed before the initial installation.

The certificate causes various installation and configuration options to become available within the Axiom Software Manager, including the ability to install the Axiom Application Server. If a signed certificate is not present on the server, these options are hidden.

The certificate is only required to be present on the server(s) where you want to install the Axiom Application Server. The certificate is not required to install the Axiom Scheduler Service.

The general steps for this process are:

  1. Create/install a certificate on the server.
  2. Send the certificate file to Axiom Support so that an encrypted key file can be generated for you.
  3. Place the encrypted key file on the server.

Generally speaking, new releases of Axiom do not require new certificates or key files. Once this process is complete, the certificate and key file can be used indefinitely. If a future architecture change or policy change requires clients to obtain a new certificate or key file, this will be communicated in the release notes for the affected version.

Creating a certificate on the server

On the server where you want to install Axiom Application Server, create a certificate with a private key. One way to create an appropriate certificate is to use the following PowerShell script.

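# Create the certificate in the Personal (My) store; New-SelfSignedCertificate only accepts a \My store path
$cert = New-SelfSignedCertificate -DnsName 'Axiom Software Manager Encryption' -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage KeyEncipherment,DataEncipherment,KeyAgreement -Type DocumentEncryptionCert -NotAfter (Get-Date).AddYears(100) -KeySpec KeyExchange

# Export the public certificate (no private key)
Export-Certificate -Cert $cert -FilePath \temp\certificate.cer

# Password protecting the exported private key ($pwd is a PowerShell automatic variable, so a different name is used)
$pfxPassword = ConvertTo-SecureString -String "your-strong-password-here" -Force -AsPlainText

# Export the certificate together with its private key
Export-PfxCertificate -Cert $cert -FilePath \temp\certificate.pfx -Password $pfxPassword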

This script should be updated as follows:

  • Replace "your-strong-password-here" with a password that meets your organization's security requirements.
  • You can change the export file location for the certificate and key files if desired.
  • The certificate store location can be either LocalMachine (default) or CurrentUser.
    • If LocalMachine, then the certificate will be available to any user that is able to log on to the server.
    • If CurrentUser, then the certificate must be installed (possibly through group policy) for each user account that needs to use the Axiom Software Manager on the application server.
  • By default, the name of the certificate is assumed to be 'Axiom Software Manager Encryption'. If you use this name, then no registry configuration is required for the certificate. However, if you use a different name, then the following registry key must be configured for the change: HKEY_CURRENT_USER\Software\Axiom EPM\Axiom Software Manager\EncryptionCertificateName

NOTES:  

  • The same certificate should be used for all of your on-premise Axiom Application Servers (for example, production and test). The exported certificate.pfx file and password can be used to install the certificate on additional servers.

  • The exported certificate.pfx file is a backup of your private key. It should be stored, along with the password, in a safe and secure location.

  • None of the exported files or your password are required at run time by the Axiom Software Manager or the Axiom Application Server.

Obtaining the encrypted key file from Axiom Support

Once you have generated the certificate, send the exported certificate.cer file to Axiom Support. If you are not already in contact with Axiom Support about the installation, you can create a new case using the Syntellis Central client portal.

Axiom Support will use this certificate file to generate a symmetrickeys.enc file. They will deliver this generated file back to you, so that you can place it on the application server for use with the Axiom Software Manager.

Placing the encrypted key file on the server

Once you have obtained the symmetrickeys.enc file from Axiom Support, copy it to a local folder on the server where you want to install Axiom Application Server. By default, the assumed location for this key file is:

C:\Program Files\Axiom EPM\symmetrickeys.enc

If you use the default location for the key file, then no registry configuration is required. However, if you change this location, then the following registry key must be configured for the change: HKEY_CURRENT_USER\Software\Axiom EPM\Axiom Software Manager\SymmetricKeyFilePath
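
The following pre-flight check is an added example, not part of the Axiom documentation or product; it verifies that the certificate and key file described above are in place before the Axiom Software Manager is started. It assumes that the two registry entries named on this page are string values under the HKEY_CURRENT_USER key shown, that the certificate name corresponds to the certificate's subject CN, and that the export folder is \temp as in the script above; the function name Test-AxiomCertificateSetup is hypothetical.

```powershell
# Added example: checks that the certificate and key file described on this page are in place.
# Run as the account that will start the Axiom Software Manager (the overrides live in HKCU).
function Test-AxiomCertificateSetup {           # hypothetical name, not an Axiom cmdlet
    param([string]$ExportDir = '\temp')         # export folder used by the page's script

    # Assumption: the registry entries named on the page are string values under this key.
    $reg = Get-ItemProperty -Path 'HKCU:\Software\Axiom EPM\Axiom Software Manager' -ErrorAction SilentlyContinue

    # Use the page's defaults when no override is configured.
    $certName = $reg.EncryptionCertificateName
    if (-not $certName) { $certName = 'Axiom Software Manager Encryption' }
    $keyPath = $reg.SymmetricKeyFilePath
    if (-not $keyPath) { $keyPath = 'C:\Program Files\Axiom EPM\symmetrickeys.enc' }

    $problems = @()

    # Assumption: the certificate name is matched against the subject CN, which is
    # what New-SelfSignedCertificate -DnsName produces.
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq "CN=$certName" })
    if ($certs.Count -eq 0) {
        $problems += "No certificate with subject 'CN=$certName' in LocalMachine\My or CurrentUser\My."
    }
    foreach ($c in $certs) {
        if (-not $c.HasPrivateKey) { $problems += "$($c.Thumbprint): no private key (was only the .cer imported?)." }
        if ($c.NotAfter -lt (Get-Date)) { $problems += "$($c.Thumbprint): expired on $($c.NotAfter)." }
    }

    if (-not (Test-Path -LiteralPath $keyPath -PathType Leaf)) {
        $problems += "Key file not found at '$keyPath'."
    }

    # The exported .pfx holds the private key and is not needed at run time, so a copy
    # left in the export folder should be moved to secure storage.
    foreach ($f in @(Get-ChildItem -Path $ExportDir -Filter *.pfx -ErrorAction SilentlyContinue)) {
        $problems += "Exported private key still on disk: $($f.FullName)."
    }
    return $problems
}

$found = @(Test-AxiomCertificateSetup)
if ($found.Count -gt 0) {
    $found | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'Certificate and key file checks passed.'
}
```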

You should now be able to start the Axiom Software Manager on this machine and install the Axiom Application Server. For more information, see: