RavenDB Certificates
Use the Ingeniux CMS Site Instance Wizard to generate server and client X.509 security certificates or provide your own for the Ingeniux CMS 10.5 instance and the Raven Database (RavenDB) 4.x instance.
The RavenDB service uses the server certificate to perform behind-the-scenes operations (e.g., data encryption on disk, SSL resolution).
The CMS application and DSS Preview clients connect to RavenDB. The RavenDB client uses the client certificate to validate the identities of users. In RavenDB 4.x, all authentication is accomplished through certificates; therefore, in CMS 10.5, only users who attempt to access RavenDB from clients with authorized client certificates gain access to the database. How this RavenDB authentication certificate is applied depends on whether you intend to install RavenDB on the same server as the CMS instance or remotely. Administrators set up a certificate to access RavenDB at one of two junctures within the Ingeniux CMS 10.5 Site Instance Wizard.
- To install RavenDB on the same server as the CMS, select the Local Install option in the wizard. In the following views, the wizard prompts you to indicate the server certificate type to use for the RavenDB server and then prompts you to configure how you would like the client certificate for the RavenDB client to be generated.
- Alternatively, to install RavenDB on a server other than where your CMS will reside, select the External URI option. The wizard prompts you to indicate the client certificate to use for the RavenDB client.
Server and Client Certificates for Local RavenDB Servers
To configure a server certificate for a local RavenDB server:
- If you choose the Local Install option for RavenDB, click Next.
The RavenDB Server Configuration view displays, where you can select the type of certificate to use for the RavenDB server.
- Choose one of the following options:
- Select Self-Signed Certificate to generate the certificate via the CMS instance installer process, then complete the associated fields.
Additional Info:
A self-signed certificate is a security certificate that is not signed by a certificate authority (CA); rather, it is signed by the same entity that it certifies. This option creates and registers the certificate on the system during the CMS instance installer process. The certificate authenticates the RavenDB instance and CMS instance. A self-signed certificate may be particularly useful for temporary or staging server scenarios. After you provide the RavenDB host name and port number on the RavenDB server, the Ingeniux CMS installation creates the self-signed certificate for you.
Fields:
- Server Certificate Password: Enter a server certificate password. If you choose a password, password validation becomes required to access the server certificate.
- RavenDB Host: Enter the appropriate RavenDB host (e.g., raven.server.com or 127.0.0.1). The CMS instance name displays as the default.
Note: We recommend maintaining the CMS instance name. If you have multiple RavenDB services, maintaining the name helps you to clarify which RavenDB host associates with each CMS instance.
- Raven Server Port Number: Enter the appropriate RavenDB instance port number. A wildcard character (*) will notify the system to check for and select an available port number.
The system starts checking at 8080. If unavailable, the system runs a loop, incrementing the port number up by one until the system finds an available port number. This port check is performed on this screen and an available port is displayed.
- RavenDB Service Account drop-down list (Version Notes: CMS 10.5.114): Based on your CMS implementation, select one of the following drop-down list options:
  - LocalService. This option is selected by default. In general, we recommend selecting this option.
  - LocalSystem. If you use a Windows 2012/2012 R2 environment, then the installer requires you to select this option. Running the database service as LocalService will not provide adequate permissions to the certificate store required for RavenDB authentication. Select LocalSystem to bypass these conflicts when working with Windows 2012/2012 R2.
Caution: In CMS 10.5.94, the RavenDB Service Account drop-down list is unavailable. If you use a Windows 2012/2012 R2 environment with CMS 10.5.94, then Ingeniux CMS requires you to install CMS 10.5.114.
- Select Manual Certificate to provide your own certificate, then complete the associated fields.
Additional Info:
Rather than having the installation wizard create a self-signed certificate, you can manually provide a server certificate for your local RavenDB server. This may be particularly useful if you require the certificate to be signed by a certification authority.
Fields:
- Certificate File Path: Enter the filepath to the appropriate certificate (.pfx file).
- Server Certificate File Password (optional): This field is optional. Enter the password for the indicated server certificate file.
- RavenDB Host: Enter the appropriate RavenDB host URI (e.g., raven.server.com or 127.0.0.1). The CMS instance name displays as the default.
Note: We recommend maintaining the CMS instance name. If you have multiple RavenDB services, maintaining the name helps you to clarify which RavenDB host associates with each CMS instance.
- Raven Server Port Number: Enter the appropriate RavenDB instance port number. A wildcard character (*) will notify the system to check for and select an available port number.
The system starts checking at 8080. If in use, the installation wizard increments upwards to find the next available port. The wizard will automatically perform this check on this step and display an available port.
- RavenDB Service Account drop-down list (Version Notes: CMS 10.5.114): Based on your CMS implementation, select one of the following drop-down list options:
  - LocalService. This option is selected by default. In general, we recommend selecting this option.
  - LocalSystem. If you use a Windows 2012/2012 R2 environment, then the installer requires you to select this option. Running the database service as LocalService will not provide adequate permissions to the certificate store required for RavenDB authentication. Select LocalSystem to bypass these conflicts when working with Windows 2012/2012 R2.
Caution: In CMS 10.5.94, the RavenDB Service Account drop-down list is unavailable. If you use a Windows 2012/2012 R2 environment with CMS 10.5.94, then Ingeniux CMS requires you to install CMS 10.5.114.
- Click Next. The RavenDB Client Configuration view displays. Use this view to configure the client certificate settings.
- Choose one of the following options:
- Select Default to use a client certificate generated by the RavenDB server. The certificate file will be placed on disk and the CMS will reference this file for client authentication.
- Optional: If you choose a client certificate password, password validation becomes required to access the client certificate.
- Select Thumbprint to use a client certificate already installed on your machine. The machine references the certificate from the Local Machine Store via thumbprint ID. Each certificate contains a thumbprint ID. The client certificate will not exist on disk if this option is used.
- Click Next.
Client Certificates for Remote RavenDB Servers
Choose this option if the RavenDB instance will reside on a server other than the one where the CMS instance resides. This option requires the site administrator to set up the RavenDB instance beforehand. If RavenDB will be installed on a server other than the CMS server (External URI option), you must provide the URI to the server where RavenDB will be located and the path to the .pfx file.
To configure a security certificate for a remote RavenDB server:
- If you choose the External URI installation option for RavenDB, complete the associated fields.
Fields:
  - RavenDB URI: Enter the appropriate external RavenDB instance URI.
  - Client Certificate File Path: Enter the filepath to the appropriate client certificate (*.pfx file).
- Click Next.
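A pre-flight check for the client certificate before you enter its thumbprint (Thumbprint option) or its .pfx path (External URI option) in the wizard, as an added example that is not part of the Ingeniux or RavenDB documentation. The function names, the sample thumbprint, the C:\certs\client.pfx path and the use of the Personal (My) store are assumptions.

```powershell
# Added example, not Ingeniux or RavenDB code. Run from an elevated session.
function Get-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Values copied from the Windows certificate dialog often carry spaces or an
    # invisible left-to-right mark, so keep only the hex digits.
    ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-ClientCertificate {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    $now = Get-Date
    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        HasPrivateKey = $Certificate.HasPrivateKey
        InValidity    = (($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter))
        NotAfter      = $Certificate.NotAfter
        # True only when the EKU extension explicitly lists client authentication.
        ClientAuthEku = ($ekuOids -contains $clientAuthOid)
        SelfSigned    = ($Certificate.Subject -eq $Certificate.Issuer)
    }
}

# Thumbprint option. The thumbprint is a constructed sample; the Personal ("My")
# store is an assumption, so adjust the path if the certificate lives elsewhere.
$thumb = Get-NormalizedThumbprint '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33'
$cert = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
if ($cert) { Test-ClientCertificate $cert } else {
    Write-Warning "No certificate with thumbprint $thumb in LocalMachine\My"
}

# Certificate file option (placeholder path): load the .pfx and run the same checks.
$pfxPath = 'C:\certs\client.pfx'
if (Test-Path $pfxPath) {
    $pfxPassword = Read-Host -AsSecureString 'PFX password (press Enter if none)'
    $pfxCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPassword)
    Test-ClientCertificate $pfxCert
}
```

HasPrivateKey shows that a key is associated with the certificate, not that the RavenDB service account can read it.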
Next Steps:
After configuring RavenDB 4.x and its security certificate, return to the appropriate set of wizard instructions to complete the process.
- To complete the wizard for the Ingeniux CMS 10.5 installation, return to Creating CMS 10.5 Site Instances.
- To complete the wizard for the upgrade of an existing site to Ingeniux CMS 10.5, return to Upgrading to CMS 10.5.
- To complete the wizard for the replacement of an instance of an earlier CMS to Ingeniux CMS 10.5, return to Replacing Site Instances with CMS 10.5.
- To complete the wizard for the migration of Ingeniux CMS 8.x to CMS 10.5, return to Migrating from CMS 8.x to 10.5.