You will need to obtain a valid license file from 1E. For more details please refer to the License file heading on the Requirements page.
Whitelisting for license activation and validation
Code Signing Certificates
An IIS Web Server should be provisioned. SQL Server can be installed on the same server or the databases can be hosted on remote SQL Server instance(s).
Please refer to Requirements regarding hardware and software specifications for on-premises and cloud servers.
In addition, the Tachyon Server has the following requirements, which need more thought and preparation and are described below.
Administration traffic for a Tachyon Master Stack does not have any additional network requirements.
Number and speed of server network interfaces
Cloud implementations have special configuration requirements for SQL Server and network interfaces described in Requirements: Server sizing for AWS and Azure.
Configuring a persistent route for SQL traffic
Where possible the Tachyon Server DNS Name should be a CNAME Alias which references the (A) Host records for each of the Switch network interfaces registered in DNS.
Ensure network interfaces used for anything other than Switches, for example the SQL interface, are not registered in DNS. If they are registered, ensure the DNS Name used by Switches only has Switch IP Addresses assigned.
For multiple Switches to share the same DNS Name, the load balancing options include:
- DNS round-robin. Create a CNAME record which references the (A) Host records for each of the Switch network interfaces registered in DNS.
- Network Load Balance (NLB) and register the Tachyon Server's DNS Name as the NLB Name, and configure the NLB to forward to each of the Switch IP Addresses.
DNS round-robin provides reasonable load balancing, so that devices should be evenly spread across all Switches. Each device will cache the IP Address given to it by DNS and keep using it, even if the Switch using that IP Address is not available, until the TTL expires or the DNS cache is flushed. A Network Load Balancer (NLB) allows all the Switches to share the same DNS Name, which actually resolves to the IP Address of the NLB Cluster; the NLB can then intelligently route the connection to a Switch interface.
Service Principal Names
If an SPN is not created then you will see "401 Not authenticated" errors in the browser and/or log files.
Service Principal Names (SPN) are attributes of AD accounts. A domain administrator will need to create an HTTP class SPN for the Tachyon web server service account, by using one of the following methods:
Use each command as follows:
The above example assumes:
To determine which type of record a DNS Name is, run the following command:
More complex scenarios can be configured, but they require in-depth knowledge of IIS, SPN and DNS configuration and are beyond the scope of this documentation.
Web Server Certificate
What do I need to begin?
You will need to have requested a Web Server certificate from your Certificate Authority, using the specification below.
To get the certificate in your organization you will have either:
- Submitted a CSR and received a password protected .pfx file
- Used the Certificate Enrollment wizard to request a suitable Web Server certificate
In previous versions of Tachyon the private key had to be exportable to create certificate files for Tachyon Switches, but this is no longer required for Tachyon 5.0 onwards.
Import the Web Server certificate
Once the Web Server certificate has been provided it must be imported into the Tachyon Server's local computer Personal Certificates store.
After importing, you should give the certificate a Friendly Name, so that you can easily identify it for the post-installation task Confirming the Tachyon website HTTPS binding.
- On the Tachyon Server, start certlm.msc (or start mmc and add the certificates snap-in for the local machine)
- Navigate to the Personal Certificates store
- Locate the Web Server certificate you have just imported
- Right-click on the certificate and select Properties
- In the General tab enter a Friendly name, for example Tachyon
- Click OK to save
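A scripted equivalent of the steps above, as an added example that is not part of 1E's documentation: it selects the imported certificate from the local computer Personal store and sets its Friendly name. The DNS name is a placeholder, and the selection criteria (private key present, currently valid, Server Authentication EKU, matching DNS name) are assumptions, not the page's certificate specification.

```powershell
# Added example (not 1E code). Run in an elevated PowerShell session on the Tachyon Server.
$DnsName      = 'tachyon.example.com'   # hypothetical Tachyon Server DNS Name
$FriendlyName = 'Tachyon'               # the example Friendly name from the steps above
$ServerAuth   = '1.3.6.1.5.5.7.3.1'     # OID of the Server Authentication EKU

# Candidate Web Server certificates in the local computer Personal store.
# Assumed criteria; a wildcard certificate would need a different name match.
$now = Get-Date
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuth) -and
    ($_.DnsNameList.Unicode -contains $DnsName)
})

# Refuse to guess when zero or several certificates match
if ($candidates.Count -ne 1) {
    throw "Expected exactly one matching certificate, found $($candidates.Count)"
}

# Setting the property on a store-backed certificate persists the Friendly name
$cert = $candidates[0]
$cert.FriendlyName = $FriendlyName
$cert | Format-List Subject, Thumbprint, NotAfter, FriendlyName
```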
Web Server certificate specification
Switch certificate files
Tachyon Switches use certificates in the Windows Certificate Store. From version 5.0 onwards they no longer use Switch Certificate files.
Windows Server roles and features
Tachyon Setup will create a website named Tachyon with the necessary bindings, therefore please do not pre-create a website of the same name.
If you intend to install Tachyon by running Tachyon Setup, then you may choose to let the Setup program perform this operation for you instead of downloading and running the script manually. Just click on the "Install missing prerequisites" button after you have run the checks in the "Check prerequisites" page.
If TLS1.0 is disabled
SQL Server 2012 Native Client
The Export all feature is described in Exporting data from Tachyon Explorer. To enable Tachyon users with the appropriate permissions to use the Export all feature you must ensure that Microsoft Bulk Copy Program (BCP) is installed on each Tachyon Response Stack server, specifically where the Core component is hosted.
You can confirm BCP is installed by starting a command prompt and typing bcp; if it is installed, usage information is displayed. The command bcp -v displays the version.
Install the following components to get BCP working:
To verify the components have been installed you can use AppWiz.cpl and check for the Product Name.
Services and NTFS Security
Tachyon and SLA Platform services, including web application pools, use built-in accounts Local System (SYSTEM) and Network Service (NETWORK SERVICE) by default, and 1E recommends this configuration.
You must ensure these built-in accounts have the necessary NTFS security permissions on the Tachyon and SLA Platform installation and log folders.
If you are using default installation settings for Tachyon server on a default configuration of Windows Server, then Local System has the necessary permissions by default, but Network Service requires some additional steps. The simplest method is to add Network Service to the Administrators localgroup, which allows the default installation and logs folders to be created during installation.
However, adding Network Service to the Administrators localgroup is not considered best practice, therefore alternative methods are described below.
The table below lists the Tachyon services and their default service accounts.
|Tachyon service||Service account name||Description||SID|
|1E Tachyon Switch Host service||NT AUTHORITY\SYSTEM||Local System||S-1-5-18|
|1E Tachyon Coordinator service; 1E SLA Platform services (3); Web application pools||NT AUTHORITY\NETWORK SERVICE||Network Service||S-1-5-20|
|1E Catalog Update Service and web application pool||<domain account>|
The table below lists the default folder locations which must have NTFS security permissions configured for all service accounts.
The Tachyon installation process does not modify permissions, except for the %ProgramData%\1E\Licensing\ folder which does receive full permissions for Network Service.
|Folder||Default location||Service account||NTFS security|
|<domain account>||Minimum of read & execute permission (folder, subfolders and files).|
|Logs folders||%ProgramData%\1E\Catalog\||<domain account>||Minimum of Full Control permission (folder, subfolders and files).|
For a default installation of Tachyon on a default configuration of Windows Server, Local System has the necessary permissions by default, but Network Service requires some additional steps.
You have a choice of how to configure NTFS security for Network Service, using one of the following options, according to your organization's policies.
You can pre-create the Tachyon installation and logs folders prior to installation and apply NTFS permissions on these instead of their parent folders.
Add NETWORK SERVICE to the Administrators localgroup (this is the simplest method but not best practice).
Add NETWORK SERVICE to the Users localgroup, and grant this group permissions on the folders.
As above, but grant NETWORK SERVICE direct rights on the folders
The Server Installation Account should be a member of the Administrators localgroup, so that it has full rights on the server.
If you are installing in a non-default installation folder, or the default installation folder has non-standard NTFS security, then before installation, you must ensure the installation folder is pre-created with suitable NTFS security applied. If this is not done, some services will fail to start, or users will not be able to access the website.
In addition, the Users or Authenticated Users localgroup must have a minimum of read & execute permission on each of the Web application folders (folder, subfolders and files). This is simplest to achieve by granting permission on the INSTALLDIR folder.
The example screenshot shows
- A non-default installation INSTALLDIR=D:\Program Files\1E\Tachyon\
- RX permissions for the Users group are applied to the 1E folder
- Other permissions are inherited from the root of the D: drive
- INSTALLDIR permissions are inherited from the 1E folder
- NETWORK SERVICE is a member of the Users localgroup
The NTFS permissions on the SSL folder can be locked down after installation in order to protect the certificate files. The SSL folder exists in the Switch installation folder and inherits its NTFS permissions, which are inherited from the Tachyon installation folder.
If permissions are modified the minimum requirement is for the SYSTEM account to have read & execute permission on the SSL folder and files, assuming that the 1E Tachyon Switch Host service uses the Local System account, which is the default.
The example screenshot shows the same non-default installation described above and the SSL folder has had inheritance removed and the Users local group has been removed.
The accounts used by Tachyon services and application pools must have a minimum of Full Control permission on the logs folder (folder, subfolders and files).
The example screenshot shows a default installation. For a default installation the only permissions necessary are SYSTEM and Administrators, both Full Control.
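The NTFS requirements above, checked with PowerShell as an added example that is not 1E's own script. The SSL and logs folder paths are assumptions to be replaced with your own, and the script only reads ACLs and group membership without changing them.

```powershell
# Added example (not 1E code). Folder paths are assumptions; edit for your server.
$InstallDir = 'D:\Program Files\1E\Tachyon'            # INSTALLDIR from the page's example
$SslDir     = Join-Path $InstallDir 'Switch\SSL'       # assumed path of the Switch SSL folder
$LogsDir    = Join-Path $env:ProgramData '1E\Tachyon'  # assumed logs folder

$RX   = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$Full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-GrantedRights {
    # Rights the given SIDs hold on the folder itself: Allow ACEs (explicit and
    # inherited) minus Deny ACEs. Generic-rights ACEs are not expanded.
    param([string]$Path, [string[]]$Sids)
    $allow = 0; $deny = 0
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        if ($Sids -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else { $deny = $deny -bor [int]$ace.FileSystemRights }
    }
    $allow -band (-bnot $deny)
}

# SIDs that satisfy a NETWORK SERVICE check depend on the option chosen: the
# account itself (S-1-5-20) or the Users localgroup (S-1-5-32-545) it was added to.
$netSvc = 'S-1-5-20', 'S-1-5-32-545'
$checks = @(
    @{ Path = $InstallDir; Who = 'Users';           Sids = @('S-1-5-32-545'); Need = $RX }
    @{ Path = $SslDir;     Who = 'SYSTEM';          Sids = @('S-1-5-18');     Need = $RX }
    @{ Path = $LogsDir;    Who = 'SYSTEM';          Sids = @('S-1-5-18');     Need = $Full }
    @{ Path = $LogsDir;    Who = 'NETWORK SERVICE'; Sids = $netSvc;           Need = $Full }
)
$report = foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path)) { $state = 'folder missing' }
    else {
        $granted = Get-GrantedRights -Path $c.Path -Sids $c.Sids
        $state = if (($granted -band $c.Need) -eq $c.Need) { 'ok' } else { 'insufficient' }
    }
    [pscustomobject]@{ Folder = $c.Path; Account = $c.Who; Result = $state }
}
$report | Format-Table -AutoSize

# Flag the simplest option, which the page calls not best practice
if ((Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value -contains 'S-1-5-20') {
    Write-Warning 'NETWORK SERVICE is a member of the Administrators localgroup'
}
```

The check covers the ACL on each folder itself; subfolders or files with broken inheritance need their own pass.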
For a new installation, and for upgrades, the Server Installation Account requires a SQL Login with appropriate permissions.
If additional components such as 1E Catalog are selected for installation, then they will deploy their own databases, which are described in each product's specific documentation.
Default configuration of databases
If the Installer is used to create the databases, this will be the Server Installation Account.
Best practice is to change owner to 'sa' as described below.
|Path||Default SQL location|
|Initial Size MDF||128MB|
|Autogrowth MDF||By 128MB|
|Initial Size LDF||128MB|
If the model system database has been changed to have a larger size than the values specified in the table above, then the Tachyon Server installer may report an error executing 'Bootstrap.sql' on MasterDatabase. Rebooting the SQL Server may cure the error.
Creating your own databases
You may be required to create the Tachyon databases by hand before installation. This is also known as pre-creating databases. Below are some of the reasons why your SQL administrator may require you to do this:
- the Server Installation Account is only allowed rights on existing databases and not allowed rights to create them
- the locations of the database files need to be different to the defaults used on the SQL Server instance(s)
- the initial size of the database files needs to be set to their estimated full size given in Server Sizing.
SQL Login for the server installation account
Example SQL scripts for creating a SQL Login and granting roles
The following examples assume ACME\TCNinstaller01 is the Server Installation Account.
When the account is not permitted to have the sysadmin SQL Server role, then a sysadmin can use the following script to create a SQL Login and grant it rights.
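    -- Create a Windows login for the Server Installation Account
    USE [master]
    GO
    CREATE LOGIN [ACME\TCNinstaller01] FROM WINDOWS
    GO
    -- Allow it to manage logins without granting sysadmin
    GRANT ALTER ANY LOGIN TO [ACME\TCNinstaller01]
    GO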
If the Server Installation Account is permitted to create the databases, then a sysadmin can use the following script to add the SQL Login to the dbcreator role.
    -- Allow the Server Installation Account to create databases
    USE [master]
    GO
    ALTER SERVER ROLE [dbcreator] ADD MEMBER [ACME\TCNinstaller01]
    GO
If the databases have been pre-created, then a sysadmin can use the following script to add the SQL Login to the db_owner role on each pre-created database.
After the databases have been created, best practice is to change the owner of each database to sa, to avoid issues if the owner's Windows account is deleted in future.
The following script can be used to change the owner of each Tachyon database to sa. This will work even if the sa login has been disabled, which is also best practice.
SQL Login for the Tachyon service account
Keeping databases during re-installation and upgrade
If re-installing or upgrading Tachyon you need to decide if you will keep the existing databases or create new ones.
The Tachyon Master database contains all the configuration data of the Tachyon system. If new settings are used during re-installation these will be updated in the database.
The Tachyon Responses database contains transient responses and can be kept or a new database created without loss of system integrity.
MSDTC for ActiveEfficiency
Make sure that the SSAS instance is enabled, reachable, configured in Multidimensional mode, and the Server Installation Account has sufficient permissions. The Setup program is not able to perform a full validation of the SSAS server, so you need to ensure a proper configuration during the preparation phase.
Business Intelligence is a component required by Patch Success, and requires a BI SSAS user.
Tachyon users and approvers require AD accounts with email addresses to support approval workflow and notifications.
For details about mail server requirements, please refer to Requirements: SMTP Server.
Tachyon Server must be installed on a domain-joined server. Tachyon clients do not have to be installed on domain-joined devices, but must have a certificate.
Tachyon Server Installation Account
Tachyon client Windows Installation Account
Tachyon client Non-Windows Installation Account
Tachyon Users Accounts
Tachyon uses Network Service or Local System for its services, except for the 1E Catalog Update Service, which requires a domain account.
Anti-Virus and Malware
1E log files should be excluded from scans in order to prevent potential file locking.
See Log files for details of Tachyon Server and 1E Client logs.
Tachyon client devices preparation
Please ensure devices that will be used to validate and test the Tachyon installation have the following.
- Be a supported device platform, capable of having the 1E Client installed
- Have appropriate scripting support - please refer to Design Considerations: Tachyon client scripting requirements
- Have a computer certificate suitable for use by the Tachyon client features of 1E Client
Tachyon integration with Nomad on Windows devices
Tachyon client certificate requirements
In organizations that have an established PKI, the Tachyon client devices will probably have a suitable certificate already, along with relevant Trusted Root CA certificates.
For non-Windows devices, the certificate files must be included in the 1E Client installation folder structure, as described below in Configuring the Non-Windows Tachyon certificate using OpenSSL.
Certificate Authority (CA) public keys
Tachyon clients need to authenticate Switches and Switches need to authenticate Tachyon clients. In each case, one end of a secure connection requires the public key for each CA in the other end's certificate certification path (trust chain).
The Tachyon client needs the public key of each CA in the Switch's certification path. These public keys are stored differently on the Tachyon client device depending on the type of OS.
The following points should be noted for Windows devices:
The 1E Client for macOS non-Windows devices supports the approach described above in Configuring the Non-Windows Tachyon certificate using OpenSSL. Alternatively the 1E Client for macOS also supports certificates stored within the macOS Key Store.
Tachyon Setup will install 1E Catalog on the Tachyon server and ensure the server meets the requirements for installation. If 1E Catalog needs to be on a remote server then you must install that before installing Tachyon, by following guidance in 1E Catalog 2.0 - Implementing 1E Catalog.
Install SQL Server 2012 Native Client on the Tachyon server if it is remote from the ActiveEfficiency database.
To install ActiveEfficiency using Tachyon Setup you will also need to review the ActiveEfficiency Server 1.10 - Preparation page.