Prefixes, code signing certificates and licensing
If you want to develop your own custom Tachyon instructions, or modify others, then you will need to sign them using your own code signing certificate so that they can be licensed, imported and run in your Tachyon system. You don't need to do this for instructions that are provided with the product or that have been downloaded from the Tachyon Exchange as they've already been code signed and licensed using the Platform and Exchange certificates from 1E.
Ideally all of your Tachyon instruction developers should share a single code signing certificate between them. Each code signing certificate must be registered in your Tachyon license and associated with a particular instruction name prefix. Ideally you would have one prefix to go with one signing certificate that could be used for all your custom instructions. When you have chosen your prefix and have your code signing certificate(s), you then need to send details of these to 1E, who will update your Tachyon license. The updated license will then automatically activate on your Tachyon Server (assuming it has a connection to the Internet).
The following points apply to the importing and running of custom Tachyon instructions:
Tachyon will only allow instructions to be imported if they have been signed and the public key of the code-signing certificate exists in the Tachyon Server's Trusted Publishers certificate store.
Tachyon will only allow instructions to be run if their prefix and the thumbprint of their code-signing certificate have been registered in the Tachyon Server's license file (even if instructions have been successfully imported they will be flagged as unlicensed if the license information is not there).
Registering a prefix and code signing certificate and updating the Tachyon license
The following steps may seem complex on initial viewing, but the process has been designed to verify that your code signing certificate can be used to sign instructions before you ask for it to be registered and added to the Tachyon License. Registration may take several days to complete, so you don't want to wait for it only to find that you want to use a different prefix or that the signing certificate cannot be used. The general outline of the process is as follows:
Decide what prefix you will use
Obtain a code signing certificate, and export as a PFX for use on other computers
Install the certificate on the Tachyon Server in the following stores:
  Local user Personal store - for use by TIMS (optionally add to the Local computer store if multiple user accounts will use TIMS on the Server)
  Local computer Trusted Publishers store - for use by the Server
Install TIMS and confirm it can see the code signing certificate
Create a test instruction, sign and import it
Before you can run the test instruction, you need to register your prefix and certificate thumbprint with 1E
Once registration is complete you can run the test instruction
Finally you should delete the test instruction to avoid any confusion
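As an added example (not part of the 1E documentation or the product), the following PowerShell checks the certificate installation step above before you request registration: it lists code signing certificates in the local user Personal store, confirms each has a private key and is within its validity period, and reports whether the same thumbprint is present in the Local computer Trusted Publishers store. The function name Test-SigningCertReadiness is hypothetical; the store paths are the standard Windows certificate provider paths for the two stores named in the outline, and the script does not query Tachyon or TIMS.

```powershell
# Added example: pre-registration check for a code signing certificate.
# Run on the Tachyon Server as the user who will sign instructions in TIMS.
# Test-SigningCertReadiness is a hypothetical helper name, not a Tachyon cmdlet.

function Test-SigningCertReadiness {
    [CmdletBinding()]
    param(
        # Local user Personal store (the store TIMS uses)
        [string]$SigningStore = 'Cert:\CurrentUser\My',
        # Local computer Trusted Publishers store (the store the Server checks on import)
        [string]$TrustStore   = 'Cert:\LocalMachine\TrustedPublisher'
    )

    # Thumbprints of every certificate currently trusted as a publisher
    $trusted = @(Get-ChildItem -Path $TrustStore |
                 Select-Object -ExpandProperty Thumbprint)
    $now = Get-Date

    # -CodeSigningCert keeps only certificates usable for code signing
    Get-ChildItem -Path $SigningStore -CodeSigningCert | ForEach-Object {
        $valid   = ($_.NotBefore -le $now) -and ($now -le $_.NotAfter)
        $inTrust = $trusted -contains $_.Thumbprint
        [pscustomobject]@{
            Subject             = $_.Subject
            Thumbprint          = $_.Thumbprint     # value to register with the prefix
            HasPrivateKey       = $_.HasPrivateKey  # needed to sign; lost if exported without the key
            InValidityPeriod    = $valid
            InTrustedPublishers = $inTrust          # needed for import to succeed
            Ready               = $_.HasPrivateKey -and $valid -and $inTrust
        }
    }
}

$results = @(Test-SigningCertReadiness)
if ($results.Count -eq 0) {
    Write-Warning 'No code signing certificate found in the local user Personal store.'
}
$results | Format-List
```

A certificate that shows Ready as True satisfies the import conditions listed earlier; running instructions still depends on the prefix and thumbprint being registered in the license.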
Prerequisites
Before you start you will need the following:
Tachyon Server is already installed and licensed in the lab, has been verified and is connected to the Internet
TIMS installer MSI
Assumptions
There are many ways to define the code signing certificate and configure your Tachyon environment. Here we make some basic assumptions about the type of certificate and Tachyon environment to show the end-to-end process simply. If you want more details on other certification options please refer to the online Tachyon SDK documentation.
These steps are recommended for a lab environment with the following:
A Microsoft CA has been installed
A code signing template must be issued on the issuing CA. The default Code Signing template is sufficient
All users will sign Tachyon Instructions on the Tachyon Server
TIMS must be started as local administrator, so all users developing Tachyon Instructions must be AD domain user accounts that are also members of the Administrators local group on the Tachyon Server. This is one of the requirements for the Tachyon Server installation account anyway.