6.3 Running the installation program

Important: The MyID uninstallation process requires a folder of PowerShell scripts that is located next to the MyID server installation program. If you move or delete this folder, you will be unable to uninstall MyID using the Windows Control Panel Programs and Features option; when it is unable to locate the scripts, the uninstallation process displays an error. You are strongly recommended to retain the MyID installation folder in the location from which you originally ran the installation program; this may influence your choice of folder from which to install MyID.

If you are installing MyID on a system with multiple servers, see section 6.2, Split deployment for details of the order in which you must install each component.

You must install MyID with a user account that has sufficient permissions. See section 4.1.1, Installation account for details of the permissions required.

Important: These scripts are signed. If your system is configured to allow only signed PowerShell scripts to be run, you must trust Intercede as a publisher before you run the installation program. If you do not follow these instructions, the installer will freeze and stop responding.

To trust Intercede as a publisher:

  1. In the InstallationScripts folder that is provided alongside the installation program in the Installer folder, right-click the following script:

    InstallerCheck.ps1

  2. In the Properties dialog, click the Digital Signatures tab.

  3. Select the Intercede signature in the signing list, and click Details.

  4. Click View Certificate.

  5. Click Install Certificate.

  6. Select Local Machine, and click Next.

  7. Select Place all certificates in the following store, click Browse, select the Trusted Publishers store, and click OK.

  8. Click Next, then click Finish.

    The certificate is now installed to the Trusted Publishers store.

    Note: This certificate depends on Thawte certificates.

    You must obtain the thawte SHA256 Code Signing CA and thawte Primary Root CA certificates from Thawte if your PC does not already have them.
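
The same trust decision can be checked and scripted in PowerShell. This is an added example, not part of the MyID documentation or of Intercede's scripts; the folder path and the subject match on "Intercede" are assumptions, and the import step needs an elevated session.

```powershell
# Added example. The path is hypothetical; point it at your own copy of the release.
$script = 'D:\MyID\Installer\InstallationScripts\InstallerCheck.ps1'

# AllSigned at any scope means a script runs only if its publisher is trusted.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy

# Validate the Authenticode signature before trusting whoever signed the file.
$sig = Get-AuthenticodeSignature -FilePath $script
if ($sig.Status -ne 'Valid') {
    # A missing intermediate or root CA certificate also ends up here.
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
$signer = $sig.SignerCertificate

# Assumption: the publisher name appears in the certificate subject.
if ($signer.Subject -notmatch 'Intercede') {
    throw "Unexpected signer: $($signer.Subject)"
}

# List the chain so the issuing CA and root certificates can be confirmed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null = $chain.Build($signer)
$chain.ChainElements | ForEach-Object { $_.Certificate } |
    Format-Table Subject, NotAfter, Thumbprint

# Is the signer already in the Local Machine Trusted Publishers store?
$store = 'Cert:\LocalMachine\TrustedPublisher'
$present = Get-ChildItem $store | Where-Object Thumbprint -eq $signer.Thumbprint
if ($present) {
    'Signer certificate is already a trusted publisher.'
} else {
    # Scripted equivalent of the Install Certificate wizard in steps 4 to 8.
    $cer = Join-Path $env:TEMP 'myid-signer.cer'
    Export-Certificate -Cert $signer -FilePath $cer | Out-Null
    Import-Certificate -FilePath $cer -CertStoreLocation $store
    Remove-Item $cer
}
```

Record the thumbprint that was imported so that the Trusted Publishers store can be audited later.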

To install MyID:

  1. Log on to the MyID server using the installation account.
  2. Close all application windows.

    Note: Once you have started the installation process, do not leave the installer program idle. Windows UAC may cancel the installation if you leave the program idle for too long, depending on your Windows environmental settings.

  3. From the Installer folder in the MyID release, right-click the installation program – for example, MyIDServer-12.0.0.exe – then from the pop-up menu select Run as administrator.

    Installation start screen

  4. Click Next.

    Installation license agreement screen

  5. Read the license agreement, accept the terms, and click Next.

    Installation select install folder screen

    By default, MyID installs to C:\Program Files\Intercede\MyID.

    Click Browse to select a different installation folder.

  6. Click Next.

    Installation select MyID roles and features screen

  7. Select the roles and features you want to install:

    The roles and features you select determine which screens appear in the installation program. For example, the database screens appear only if you are installing the Database Server or Archive Database Server.

    Click Next.

    Installation select web site location screen

    Note: You must have at least one web site configured in IIS.

  8. Select the web site to use for the MyID virtual directory and web services, then click Next.

  9. Type the MyID Server URL.

    Specify the URL of the server, but not the full MyID Operator Client URL; that is, use a URL similar to:

    https://myserver.example.com

    and not:

    https://myserver.example.com/MyID/OperatorClient/

    This option is case sensitive, and must be consistent with the casing of the DNS Name in the web server's TLS certificate.

    Note: The web services used by the MyID Operator Client (rest.core and web.oauth2) require SSL/TLS; if you do not connect through HTTPS, you cannot use the MyID Operator Client. See section 4.10, Setting up SSL/TLS for details.

    If you experience any problems with this URL setting after installation, refer to the MyID Operator Client advanced configuration section in the MyID Operator Client guide for information on troubleshooting connection problems and manually configuring the URL.

    Click Next.

    Installation provide MyID COM+ user details screen

  10. Type the User Name and Password for the MyID COM+ user, then click Next.

    See section 4.1.2, MyID COM+ account for details of the requirements of this user.

    Installation provide IIS user details screen

  11. Type the User Name and Password for the MyID IIS user, then click Next.

    See section 4.1.3, IIS user account for details of the requirements of this user.

    Installation provide IIS user details screen

  12. Type the User Name and Password for the MyID Web Service user, then click Next.

    See section 4.1.4, Web service user account for details of the requirements of this user.

  13. Type the User Name and Password for the MyID Auth Web Service user, then click Next.

    See section 4.1.5, MyID Authentication account for details of the requirements of this user.

    Installation select database screen

  14. Type the database server name.

    If you are installing the database directly on the database server, you can select (local) from the drop-down list. Otherwise, you must type the name of the database server.

    If your database server uses a named instance, type the name as server\instance – for example, MYSERVER\myinstance.

    If your database server uses a port other than the default TCP 1433, type the name as server,port – for example, MYSERVER,1499.

  15. Select the authentication type:

    • Windows authentication – the user account being used to run the installation program is used to access the SQL Server database.
    • SQL Server authentication – you must specify the Login ID and Password for the user you want to use to authenticate to the SQL Server database.

      Note: SQL Server authentication is supported only for Microsoft Azure databases. You must create your databases before running the installation program. See the Prerequisites section in the Microsoft Azure Integration Guide for details.

  16. Type the Database Name for the MyID database you want to create on the database server.

    The default is MyID.

    Alternatively, you can click Browse to select an existing database.

    Click Next.

    Installation select archive database screen

  17. Type the database server name for the archive database.

    If you are installing the database directly on the database server, you can select (local) from the drop-down list. Otherwise, you must type the name of the database server.

  18. Select the authentication type.

    The authentication options are the same as for the primary MyID database.

  19. Type the Database Name for the MyID archive database you want to create on the database server.

    The default is MyID_Archive.

    Alternatively, you can click Browse to select an existing database.

    Click Next.

  20. Type the database server name for the authentication database.

    The authentication database contains information on audited authentication attempts. You can use this database for reporting; see the Reporting on the authentication database section in the MyID Authentication Guide for details.

    If you are installing the database directly on the database server, you can select (local) from the drop-down list. Otherwise, you must type the name of the database server.

  21. Select the authentication type.

    The authentication options are the same as for the primary MyID database.

  22. Type the Database Name for the MyID authentication database you want to create on the database server.

    The default is MyIDAuth.

    Alternatively, you can click Browse to select an existing database.

    Note: You can use the same database as the main MyID database; however, you are strongly recommended to use a separate database for your production system. If you are using the web.oauth2.ext standalone authentication web service, security is enhanced by giving the authentication user under which the service runs read-write access to the authentication database, and read-only access to the main MyID database.

    Click Next.

    Installation upgrade database screen

  23. If you are upgrading an existing installation, select the Upgrade the MyID databases selected on the previous stages option, then click Next.

    Note: If you select this option, the installation program does not run the GenMaster program at the end of the installation – you do not need to run GenMaster if you are upgrading a system.

    Installation summary screen

  24. Review the options you have selected, then click Install to start the installation process.

    Note: If an error appears that says that a service has failed to start, you may not have configured one or more of your service accounts to have Log on as a service. See section 4.1, Setting up user accounts for details.

    The GenMaster application starts. GenMaster allows you to secure your MyID installation with a master key, and to set up a startup user that you can use to access the system for the first time.

    See section 6.5, Using GenMaster for details.

    Once you have completed the GenMaster setup, close the Card Manager Startup dialog:

    Card Manager Startup screen

  25. Finally, click Finish.

    Installation final screen
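
The MyID Server URL rules from step 9 (HTTPS, no path, casing that matches the DNS Name in the TLS certificate) can be checked before you type the value into the installer. This is an added example, not part of the MyID documentation; the function name Test-MyIDServerUrl and the sample certificate names are constructed for illustration, and wildcard certificate names are not handled.

```powershell
# Added example: Test-MyIDServerUrl is a hypothetical helper, not a MyID cmdlet.
function Test-MyIDServerUrl {
    param(
        [Parameter(Mandatory)][string]$Url,
        # DNS names from the web server's TLS certificate, for example read from
        # the DnsNameList property that the Cert: provider adds to certificates.
        [Parameter(Mandatory)][string[]]$CertDnsNames
    )
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        return ,@("'$Url' is not an absolute URL")
    }
    $problems = @()
    if ($uri.Scheme -ne 'https') {
        $problems += 'Scheme must be https: the Operator Client web services require SSL/TLS'
    }
    if ($uri.AbsolutePath -ne '/') {
        $problems += "Remove the path '$($uri.AbsolutePath)': give the server URL only"
    }
    # System.Uri lowercases the host, so take it from the raw string to keep
    # the casing exactly as it would be typed into the installer.
    $typedHost = ($Url -replace '^[a-zA-Z]+://', '') -replace '[:/].*$', ''
    # -cnotcontains is the case-sensitive form; exact names only, no wildcards.
    if ($CertDnsNames -cnotcontains $typedHost) {
        $problems += "Host '$typedHost' does not match a certificate DNS name with the same casing"
    }
    return $problems
}

# Constructed sample input: one certificate DNS name and four candidate URLs.
$names = @('myserver.example.com')
$candidates = @(
    'https://myserver.example.com',
    'https://MyServer.example.com',
    'https://myserver.example.com/MyID/OperatorClient/',
    'http://myserver.example.com'
)
foreach ($u in $candidates) {
    $result = @(Test-MyIDServerUrl -Url $u -CertDnsNames $names)
    if ($result.Count -eq 0) { "OK    $u" }
    else { "CHECK $u"; $result | ForEach-Object { "        $_" } }
}
```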

6.3.1 Updates

Intercede may have provided you with an update to your system that you must install after running the main MyID installation program. See section 7, Updating MyID for details.

6.3.2 Windows Event Viewer messages

You may notice event log messages after the installation. For example:

During installation of this component into a COM+ application a registry value was changed from its original value. If you are experiencing activation problems with this component then please check the registry values.

This can happen for the edeficeBOL_PKI.dll.

You may also see an error in the event log relating to MsiExec.exe, which is related to a message in the MSI installer log with a corresponding timestamp and the following text:

EEUI - Install failure: Calling shutdown on EEUI DLL

These messages are expected and do not affect the installation.