Summary

What you will need to prepare in advance of implementing a Tachyon Server in your network. Typically these are tasks that may take some time to organize, depending on how your organization works. A more complete checklist of tasks is provided in Requirements.

Implementation Overview

Please review all tasks to decide how you wish to proceed, and record all configuration details.

Implementation of Tachyon can be extremely quick if all necessary preparations have taken place, and is typically performed in this order:

  1. Obtain the Tachyon License file - ensure it includes entries for the consumer applications you have purchased
  2. Provision the Tachyon Web and SQL server hardware
  3. Optionally pre-create the Tachyon databases (you can allow the Tachyon Server installer to create the databases using default settings)
  4. Prepare the Mail Server
  5. Identify and create AD Accounts and Groups
  6. Review Requirements
  7. Run Tachyon Setup
  8. Manually install Tachyon clients on a few test devices
  9. Use the Tachyon Verification Product Pack to verify the installation
  10. Install other Instruction Definitions - from the Tachyon Platform zip, and from Tachyon Exchange (https://tachyonexchange.1e.com) 
  11. Add the Instruction Definitions to Instruction Sets to determine their permissions
  12. Install Tachyon Consumers (documentation not provided here)
  13. Package the Tachyon client as required by your software deployment tool (see note)
  14. Deploy the Tachyon client to more pilot devices
  15. Pilot testing
  16. Start rollout of Tachyon clients
  17. Use the SDK to begin developing your own instructions and testing your use-cases

If your organization requires the Tachyon client to be packaged, then you can do this once you know the DNS Name(s). Then you can prepare for deploying the Tachyon client in parallel to preparing and installing the Server.

Details required when using Tachyon Setup to install a Tachyon Server

The table below lists details required on each of the Tachyon Setup screens. You can review screens in the Tachyon Setup page. Items marked * can wait until after installation.

Tachyon SetupDocumentation ReferenceAll components installed on a single serverMaster StackResponse StackDMZ Server
License file

License file

Code Signing Certificates *

The Tachyon license file is required to complete Setup, and confirm internet access to the 1E licensing service.The Tachyon license file is required to complete Setup, and confirm internet access to the 1E licensing service.The Tachyon license file is required to complete Setup, and to cross-check number of devices supported by this server.The Tachyon license file is required to complete Setup, and to cross-check number of devices supported by this server.
Check prerequisites

Web Server Certificate

IIS Configuration

SQL Server 2012 Native Client

SQL BCP *

All prerequisites must be checked.All prerequisites must be checked.All prerequisites must be checked.

All prerequisites must be checked.

The list does not include BCP.

Server certificateWeb Server Certificate (server)

A web server certificate is required for:

  • Website (including Explorer, Consumer API, Core and Background Channel)
  • Switch(es)

A web server certificate is required for:

  • Website (including Explorer and Consumer API)

A web server certificate is required for:

  • Website (Core and Background Channel)
  • Switch(es)

A web server certificate is required for:

  • Website (Background Channel)
  • Switch(es)
Client certificatesWeb Server Certificate (clients) *

Decide whether you will require certificates to be presented by the clients.

Import the certificates of any trust authorities used by devices and remote servers that do not match the trust authority used by the Server certificate.

Decide whether you will require certificates to be presented by the clients.

Import the certificates of any trust authorities used by devices and remote servers that do not match the trust authority used by the Server certificate.

Import the certificates of any trust authorities used by devices and remote servers that do not match the trust authority used by the Server certificate.Import the certificates of any trust authorities used by devices and remote servers that do not match the trust authority used by the Server certificate.
Database servers

SQL Databases

Name of the SQL Server instance that will host the new TachyonMaster database.

Name of the SQL Server instance that will host the new TachyonResponses database.

Names of the SQL Server instances that will host the additional databases used by any bundled components that are selected for installation.

Keep old DB or not (n/a for new installation).

If using a remote SQL Server, please refer to Network interfaces.

Name of the SQL Server instance that will host the new TachyonMaster database.

Names of the SQL Server instances that will host the additional databases used by any bundled components that are selected for installation.

Keep old DB or not (n/a for new installation).

Name of the SQL Server instance that hosts the existing TachyonMaster database.

Name of the SQL Server instance that will host the new TachyonResponses database.

Keep old DB or not (n/a for new installation).

If using a remote SQL Server, please refer to Network interfaces.

This page is greyed out.

The DMZ Server does not have direct access to SQL Servers. Access to databases is via the Core API on the internal Response Stack. Manual steps are required to configure access to the Core API, as described in Implementing a Tachyon DMZ Server.

SSAS servers


BI SSAS Database

(Only if the BI component is selected for installation)

Name of the SQL Server SSAS instance that will host the multidimensional data for the BI component.

Account credentials that will be used for the BI services.

Name of the SQL Server SSAS instance that will host the multidimensional data for the BI component.

Account credentials that will be used for the BI services.

n/an/a
Number of devices

Design Considerations - Architecture page

Specify the number of devices supported by this server in order to calculate number of Switches required, as well as the number of Workers and Slots used by the Switches.The number is only used to cross-check against the number in the license file.Specify the number of devices supported by this server in order to calculate number of Switches required.Specify the number of devices supported by this server in order to calculate number of Switches required.
Switch configurationNetwork interfaces

Select an IP Address for each Switch. All Switch IP Addresses will typically use the same DNS Name.

Confirm that when the TachyonResponses database is remote from the server, and the number of devices is more than 500, SQL traffic uses a different IP address to the Switch(es).

This page is greyed out.

The Master Stack does not require Switch configuration.

Select an IP Address for each Switch. All Switch IP Addresses will typically use the same DNS Name.

Confirm that when the TachyonResponses database is remote from the server, and the number of devices is more than 500, SQL traffic uses a different IP address to the Switch(es).

Select an IP Address for each Switch. All Switch IP Addresses will typically use the same DNS Name.

Website configurationIIS ConfigurationRequired for website.Required for websiteRequired for website.

Required for website.

Specify names for the internal facing network interface.

The HTTPS binding for the external facing network interlace is created manually after installation.

Active Directory and email

Requirements - Email Requirements

Requirements - Two-factor Authentication Requirements

Required for Master Stack components.Required for Master Stack components.

n/a

(Uncheck Enable SMTP)

n/a

(Uncheck Enable SMTP)

SLA and 1E CatalogConfiguration for 1E CatalogAccount credentials that will be used for the Catalog Update service.Account credentials that will be used for the Catalog Update service.n/an/a
Nomad synchronization

Nomad synchronization settings

(Only if installing ActiveEfficiency)

If Nomad Sync is to be enabled:

  • Name of the SQL Server used by Configuration Manager.
  • The name of the site database.
  • The synchronization interval in minutes.

If Nomad Sync is to be enabled:

  • Name of the SQL Server used by Configuration Manager.
  • The name of the site database.
  • The synchronization interval in minutes.
n/an/a

Other requirements

Post-installation requirements



License file

You will need to obtain a valid license file from 1E. For more details please refer to the License file heading on the Requirements page.

Whitelisting for license activation and validation

Code Signing Certificates

Server Provisioning

An IIS Web Server should be provisioned. SQL Server can be installed on the same server or the databases can be hosted on remote SQL Server instance(s).

Please refer to Requirements regarding hardware and software specifications for on-premises and cloud servers.

In addition, the Tachyon Server requires the following, which require more thought and preparation, described below.

Network interfaces

A server that hosts Response Stack components requires additional network interfaces depending on the number of client devices it needs to support:

  • Each Switch requires its own network interface for incoming Response traffic. These interfaces can be shared with a Background Channel. Each interface can have its own DNS Name or share the same DNS Name as explained in DNS Names below.
  • If the Tachyon Responses database is not local, and the server supports more than 500 devices, then for performance reasons you should have an additional network interface for outgoing SQL traffic to keep it apart from incoming Switch traffic.
  • If the server hosting the Tachyon Master Stack is also required to host a non-Tachyon client-facing service such as ActiveEfficiency Server for Nomad, or Application Migration, and the number of clients is more than 5,000 then for performance reasons you should do one of the following:
    • install the Tachyon Response Stack on a dedicated server, which should have an additional network interface for connection with the Master Stack, but this is not mandatory. If an additional network interface is used then it requires its own DNS Name and a website binding manually added after installation. The additional DNS Name should be included in the server's web certificate, or a separate web certificate can be used.
    • install the Tachyon Response Stack on the same server as the Master Stack and use an additional network interface for non-Tachyon client traffic and give it its own DNS Name and a website binding manually added after installation. If an HTTPS binding is required, then this additional DNS Name should be included in the server's web certificate, or a separate web certificate can be used.

Administration traffic for a Tachyon Master Stack does not have any additional network requirements.

Number and speed of server network interfaces

Cloud implementations have special configuration requirements for SQL Server and network interfaces described in Requirements: Server sizing for AWS and Azure.

Configuring a persistent route for SQL traffic

The following example steps can be used to configure IPv4 network routing so that a specific network interface is used for all traffic going to the specified SQL Server. The example is for a Response Stack and SQL Server on different subnets but also works if both servers are on the same subnet.

If you add a new interface for SQL traffic after installing Tachyon, then ensure the interface is not registered in DNS using the same DNS Name that devices use to connect to Switches or Background Channel. If you intend using the new interface to support inbound HTTP traffic from remote Response Stacks then you will also need to configure the Tachyon website to include the IP Address of the new interface as described in Implementation issues: IP address and domain restrictions. In our example below we would add 10.0.10.31. Installation and upgrades will automatically configure IP Address and Domain restrictions.

  1. On the Tachyon Server (single-server or Response Stack) open a PowerShell command prompt

  2. The following command should resolve the name and IP Address of the SQL Server, and show the existing network route. In our example the 10.0.20.20.

    pathping ACME-SQL02


  3. If not already installed on the server, add a new interface. Configure its properties as follows:

    • Disable IPv6
    • Configure IPv4 properties and assign a static IP Address and subnet mask. In our example these are 10.0.10.31 and 255.255.255.0.
    • You do not need to configure a default gateway. You can if required, but you will receive a warning later about multiple default gateways and redundancy. However, you do need to know the default gateway for the route to the SQL Server, in our example this is 10.0.10.1.
    • Click Advanced... and click on the DNS tab. Uncheck Register this connection's addresses in DNS so that the interface IP Address is NOT registered in DNS.
    • Click OK twice to save, and then Close
    • You can give the interface a name to help distinguish it from Switch interfaces. In our example this is Interface used for SQL

    This interface must not be registered in DNS if the DNS Name of the server is a CNAME Alias for (A) Host records registered by Switch interfaces, because Tachyon clients need to use the DNS Name to connect to Switches. If you need this interface to be registered in DNS then do this with a (A) Host record.


  4.  Enter the following PowerShell command, which provides all the details you need to confirm interfaces have been configured correctly.

    Get-NetIPConfiguration              


  5. This provides output similar to the following, and tells us the interface index for the new interface. In our example this is 7.

    InterfaceAlias       : Interface used for SQL
    InterfaceIndex       : 7
    InterfaceDescription : Microsoft Hyper-V Network Adapter #4
    NetProfile.Name      : ACME.local
    IPv4Address          : 10.0.10.31
    IPv4DefaultGateway   : 10.0.10.1
    DNSServer            : 10.0.1.2
                           10.0.1.3
    
    InterfaceAlias       : Interface used for Switch 1
    InterfaceIndex       : 5
    InterfaceDescription : Microsoft Hyper-V Network Adapter #3
    NetProfile.Name      : ACME.local
    IPv4Address          : 10.0.10.32
    IPv4DefaultGateway   : 10.0.10.1
    DNSServer            : 10.0.1.2
                           10.0.1.3


  6. Use the route command to add a persistent route. The mask must be 255.255.255.255 and NOT the same as the interface mask configured earlier, because the persistent route to the SQL Server is for its IP Address and not its subnet.

    route -p add <SQL Server IP Address> mask 255.255.255.255 <Interface used for SQL IPv4DefaultGateway> metric 1 if <Interface used for SQL InterfaceIndex>
    

    In our example:

    route -p add 10.0.20.20 mask 255.255.255.255 10.0.10.1 metric 1 if 7


    For networks with no routing, such as a lab, the default gateway is 0.0.0.0. Therefore, <Interface used for SQL IPv4DefaultGateway> must be specified as 0.0.0.0. In our example:

    route -p add 10.0.20.20 mask 255.255.255.255 0.0.0.0 metric 1 if 7

    If your lab has no routing then you should ensure other means for your Tachyon Server to connect to the 1E license service via the Internet.


  7. Enter the following command to confirm that the <SQL Server IP Address> has a persistent route with the details specified. In our example this is 10.0.20.20.

    route print


  8. Enter the following command to verify the route works and uses the correct interface.

    pathping ACME-SQL02

    The first line (hop 0) must show the name of the Tachyon Server and the IP Address of the interface. This IP Address will then be selected as used for SQL in the Switch configuration screen of Tachyon Setup. In our example this would be:

    0  ACME-TCN01.ACME.local [10.0.10.31]



Computername

DNS Names

Where possible the Tachyon Server DNS Name should be a CNAME Alias which references the (A) Host records for each of the Switch network interfaces registered in DNS.

Ensure network interfaces used for anything other than Switches, for example the SQL interface, are not registered in DNS. If they are registered ensure the DNS Name used by Switches only have Switch IP Addresses assigned.

For multiple Switches to share the same DNS Name, the load balancing options include:

  • DNS round-robin. Create a CNAME record which references the (A) Host records for each of the Switch network interfaces registered in DNS.
  • Network Load Balance (NLB) and register the Tachyon Server's DNS Name as the NLB Name, and configure the NLB to forward to each of the Switch IP Addresses.

DNS round-robin provides reasonable load balancing, so that devices should be evenly spread across all Switches. Each device will cache the IP Address given it by DNS and keep using that, even if the Switch using that IP Address is not available, until the TTL expires or the DNS cache is flushed. A Network Load Balancer (NLB) allows all the Switches to share the same DNS Name which is actually the IP Address of the NLB Cluster, which can then intelligently route the connection to a Switch interface.


Service Principal Names

If an SPN is not created the you will see "401 Not authenticated" errors in the browser and/or log files.

Service Principal Names (SPN) are attributes of AD accounts. A domain administrator will need to create an HTTP class SPN for the Tachyon web server service account, by using one of the following methods:

  • by editing the ServicePrincipalName attribute of the web server's computer account
  • using the following SETSPN commands, substituting your DNS Name, server and service account:
setspn -l ACME\ACME-TCN01$
setspn -s http/acme-tcn01.acme.local ACME\ACME-TCN01$
setspn -s http/tachyon.acme.local ACME\ACME-TCN01$

Use each command as follows:

  1. List existing SPNs for the service account. Run this to record details before you request for any new SPN(s) to be created. Re-run this after creation, ensuring you wait sufficient time for AD replication to occur.
  2. Use this if tachyon.acme.local is a CNAME record and its (A) Host record is acme-tcn01.acme.local
  3. Use this if tachyon.acme.local is a (A) Host record.

The above example assumes:

  • The service account for all Tachyon web application pools is Network Service
  • The Tachyon server name is ACME-TCN01 with a computer account in the ACME domain, which means the service account is ACME\ACME-TCN01$
  • The DNS Name for the server is tachyon.acme.local
If in doubt, it does no harm to create an SPN for each DNS Name used to access the Tachyon Server, including its CNAMEs and (A) Host records using: setspn -s http/<DNS Name> ACME\ACME-TCN01$

To determine which type of record a DNS Name is, run the following command:

nslookup tachyon.acme.local
  • If the command returns Name:  acme-tcn01.acme.local and alias tachyon.acme.local then tachyon.acme.local is a CNAME record.
  • If the command returns Name: tachyon.acme.local and no aliases then tachyon.acme.local is a (A) Host record.

More complex scenarios can be configured which requires in-depth knowledge of IIS, SPN and DNS configuration and are beyond the scope of this documentation.


Web Server Certificate

What do I need to begin?

You will need to have requested a Web Server certificate from your Certificate Authority, using the specification below.

To get the certificate in your organization you will have either:

  • Submitted a CSR and received a password protected .pfx file
  • Used the Certificate Enrollment wizard to request a suitable Web Server certificate

In previous version of Tachyon the private key had to be exportable to create certificate files for Tachyon Switches, but this is no longer required for Tachyon 5.0 onwards.

Import the Web Server certificate

Once the Web Server certificate has been provided it must be imported into the Tachyon Server's local computer Personal Certificates store.

After importing, you should give the certificate a Friendly Name, so that you can easily identify it for the post-installation task Confirming the Tachyon website HTTPS binding.

  1. On the Tachyon Server, start certlm.msc (or start mmc and add the certificates snap-in for the local machine) 
  2. Navigate to the Personal Certificates store
  3. Locate the Web Server certificate you have just imported
  4. Right-click on the certificate and select Properties
  5. In the General tab enter a Friendly name, for example Tachyon
  6. Click OK to save

Web Server certificate specification

Switch certificate files

Tachyon Switches use certificates in the Windows Certificate Store. From version 5.0 onwards they no longer use Switch Certificate files.

Windows Server roles and features

Tachyon Setup will create a website named Tachyon with the necessary bindings, therefore please do not pre-create a website of the same name.

The following PowerShell commands can be used to install relevant IIS roles and features, and record the server configuration in a file.

If you intend to install Tachyon by running Tachyon Setup, then you may choose to let the Setup program perform this operation for you instead of downloading and running the script manually. Just click on the "Install missing prerequisites" button after you have run the checks in the "Check prerequisites" page.





Download RolesInstall.ps1...

Import-Module ServerManager

Get-WindowsFeature | Out-file $PSScriptRoot\ServerManager-1.txt -Append
Install-WindowsFeature Web-Server,
Web-Dyn-Compression,
# Web-Basic-Auth,
Web-IP-Security,
Web-Windows-Auth,
Web-Asp-Net45,
Web-Mgmt-Console,
Net-Framework-45-Core,
Net-Framework-45-ASPNET,
MSMQ

Uninstall-WindowsFeature Web-DAV-Publishing
   
Get-WindowsFeature | Out-file $PSScriptRoot\ServerManager-2.txt -Append


You can remove MSMQ if not installing ActiveEfficiency server.


When running the above command, if you receive an error that contains The source files could not be downloaded you will need to supply the source path to your Windows Server OS installation media \Sources\sxs folder.

Append -source X:\Sources\sxs or -source \\Server\Path\Source\sxs to the command line, adjusted for your drive letter or UNC path.


PowerShell always uses 45 in the names of .NET Framework features irrespective of the actual version of .NET Framework 4.X installed on the server. That is 4.6.2 in Windows Server 2016 and 4.7.2 in Windows Server 2019. You can install later versions manually either before or after enabling features.

For details of .NET Framework versions, please refer to https://docs.microsoft.com/en-us/dotnet/framework/get-started/system-requirements#supported-server-operating-systems.



If you prefer to use the Add Roles and Features Wizard to manually enable features then you can use the Display Names listed in the table Requirements: Windows Server roles and features.


You must include Web-Basic-Auth if you will be installing 1E ITSM Connect.







If TLS1.0 is disabled



Web server registry settings

If TLS 1.0 is disabled on the Web server, you must add the following two registry entries, in order for the 1E Catalog Update Service to successfully connect to the 1E Cloud Catalog.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001







SQL Server 2012 Native Client




Tachyon Setup requires SQL Server 2012 Native Client to be installed in order for some of its installers to connect to and validate SQL Server instances. If SQL Server is local then it is probably already installed, but if SQL Server is remote, then you will need to install the SQL Server 2012 Native Client on the web server.

Installer file nameProduct NameWhere to get it from
sqlncli.msiSQL Server 2012 Native Client https://www.microsoft.com/en-us/download/details.aspx?id=50402

The requirement is only for installing Tachyon because the installers require OLE DB drivers provided by SQL Server 2012 Native Client when TLS 1.0 is disabled, and Tachyon Setup assumes TLS 1.0 is disabled. The requirement is not necessary for running because all Tachyon components use .NET Framework which contains the necessary drivers.

You can confirm SQL Server 2012 Native Client is installed by using the ODBC Data Sources utility and looking for SQL Server Native Client 11.0 or by looking in Programs and Features for SQL Server 2012 Native Client.

If SQL Server 2012 Native Client is not installed then installers will fail with Error 27502. Could not connect to Microsoft SQL Server ... SSL Security error.





SQL BCP

The Export all feature is described in Exporting data from Tachyon Explorer. To enable Tachyon users with the appropriate permissions to use the Export all feature you must ensure that Microsoft Bulk Copy Program (BCP) is installed on each Tachyon Response Stack server, specifically where the Core component is hosted.

  • If Microsoft SQL Server is installed on the same server as the Tachyon Response Stack then BCP will normally be present.
  • If the TachyonResponses database is remote to the Tachyon Response Stack and there is no local copy of Microsoft SQL Server then you will need to install BCP.

You can confirm BCP is installed by starting a command prompt and typing bcp and usage information is displayed. The command bcp -v displays the version.

The information here applies regardless of which version of SQL Server is being used. This does not imply that Tachyon itself is supported under every possible version of SQL Server that falls within those ranges. See Requirements for the supported versions and required Service Packs.

Install the following components to get BCP working:

Installer file nameProduct NameWhere to get it from
vc_redist.x64.exeVisual C++ 2017 Redistributablehttps://support.microsoft.com/en-gb/help/2977003/the-latest-supported-visual-c-downloads
msodbcsql.msi Microsoft® ODBC Driver 13.1 for SQL Server®

https://www.microsoft.com/en-us/download/details.aspx?id=53339

This needs to be installed because of a known issue in the Microsoft Command Line Utilities 15 for SQL Server.

msodbcsql.msi Microsoft® ODBC Driver 17 for SQL Server®https://www.microsoft.com/en-us/download/details.aspx?id=56567

MsSqlCmdLnUtils.msi

Microsoft Command Line Utilities 15 for SQL Serverhttps://docs.microsoft.com/en-us/sql/tools/bcp-utility

To verify the components have been installed you can use AppWiz.cpl and check for the Product Name.


Services and NTFS Security

Tachyon and SLA Platform services, including web application pools, use built-in accounts Local System (SYSTEM) and Network Service (NETWORK SERVICE) by default, and 1E recommends this configuration.

You must ensure these built-in accounts have the necessary NTFS security permissions on the Tachyon and SLA Platform installation and log folders.

If you are using default installation settings for Tachyon server on a default configuration of Windows Server, then Local System has the necessary permissions by default, but Network Service requires some additional steps. The simplest method is to add Network Service to the Administrators localgroup, which allows the default installation and logs folders to be created during installation.

However, adding Network Service to the Administrators localgroup is not considered best practice, therefore alternative methods are described below.

The table below lists the Tachyon services and their default service accounts.

Tachyon serviceService account nameDescriptionSID
1E Tachyon Switch Host serviceNT AUTHORITY\SYSTEMLocal SystemS-1-5-18

1E ActiveEfficiency

1E Tachyon Coordinator service

1E SLA Platform services (3)

Web application pools:

  • ActiveEfficiency (1)
  • Catalog (1)
  • SLAPlatform (3)
  • Tachyon (5)
NT AUTHORITY\NETWORK SERVICENetwork ServiceS-1-5-20
1E Catalog Update Service and web application pool<domain account>

The table below lists the default folder locations which must have NTFS security permissions configured for all service accounts.

The Tachyon installation process does not modify permissions, except for the %ProgramData%\1E\Licensing\ folder which does receive full permissions for Network Service.

FolderDefault locationService accountNTFS security
Installation folders

%ProgramFiles%\1E\Catalog\

<domain account>Minimum of read & execute permission (folder, subfolders and files).

%ProgramFiles%\1E\Tachyon\

%ProgramFiles%\1E\SLA Platform\

Network Service
Logs folders%ProgramData%\1E\Catalog\<domain account>Minimum of Full Control permission (folder, subfolders and files).

%ProgramData%\1E\Licensing\

%ProgramData%\1E\Platform Consumer\

%ProgramData%\1E\SLA Platform\

%ProgramData%\1E\Tachyon\

Network Service

For a default installation of Tachyon on a default configuration of Windows Server, Local System has the necessary permissions by default, but Network Service requires some additional steps.

You have a choice of how to configure NTFS security for Network Service, using one of the following options, according to your organization's policies.

You can pre-create the Tachyon installation and logs folders prior to installation and apply NTFS permissions on these instead of their parent folders.

ChoiceMethod
Administrators localgroup

Add NETWORK SERVICE to the Administrators localgroup (this is the simplest method but not best practice).

Users localgroup

Add NETWORK SERVICE to the Users localgroup, and grant this group permissions on the folders.

  • Default INSTALLDIR does not need to be modified because Users localgroup has inherited read & execute permission
  • Default LOGPATH requires the inherited Users  localgroup to be modified to give Full Control  permission
Direct permissions

As above, but grant NETWORK SERVICE direct rights on the folders


The Server Installation Account should be a member of the Administrators localgroup, so that it has full rights on the server.


Using a non-default location for the Installation Folder

If you are installing in a non-default installation folder, or the default installation folder has non-standard NTFS security, then before installation, you must ensure the installation folder is pre-created with suitable NTFS security applied. If this is not done, some services will fail to start, or users will not be able to access the website.

The NTFS security for the service accounts described above, must be explicitly applied.

In addition, the Users or Authenticated Users localgroup must have a minimum of read & execute permission on each of the Web application folders (folder, subfolders and files).  This is simplest to achieve by granting permission on the INSTALLDIR folder.

The example screenshot shows

  • A non-default installation INSTALLDIR=D:\Program Files\1E\Tachyon\
  • RX permissions for the Users group is applied to the 1E folder
  • Other permissions are inherited from the root of the D: drive
  • INSTALLDIR permissions are inherited from the 1E folder
  • NETWORK SERVICE is a member of the Users localgroup

Using non-default permissions for the Switch SSL folder

The NTFS permissions on the SSL folder can be locked down after installation in order to protect the certificate files. The SSL folder exists in the Switch installation folder and inherits its NTFS permissions, which are inherited from the Tachyon installation folder.

If permissions are modified the minimum requirement is for the SYSTEM account to have read & execute permission on the SSL folder and files, assuming that the 1E Tachyon Switch Host service uses the Local System account, which is the default.

The example screenshot shows the same non-default installation described above and the SSL folder has had inheritance removed and the Users local group has been removed.

Using a non-default location for the Logs Folder

The accounts used by Tachyon services and application pools must have a minimum of Full Control permission on the logs folder (folder, subfolders and files.

The example screenshot shows a default installation. For a default installation the only permissions necessary are SYSTEM and Administrators, both Full Control.

SQL Databases

For a basic Tachyon installation with no additional components selected, there are two databases with default names TachyonMaster and TachyonResponses, which can be on the same or separate SQL Server instances.  A SQL Server instance can be on the Tachyon Server (local) or on a remote SQL Server. If you want to select the location and sizes of the Tachyon Master and Responses databases these can be created before installation with appropriate permissions, or you can allow the Tachyon Server installer to create the databases.

For a new installation, and for upgrades, the Server Installation Account requires a SQL Login with appropriate permissions.

If additional components such as 1E Catalog are selected for installation, then they will deploy their own databases, which are described in each product's specific documentation.

Default configuration of databases

If you allow the installer to create new databases they each have the following default settings. Databases will grow automatically to the sizes estimated in Server Sizing.

PropertyValue
Owner

If the Installer is used to create the databases, this will be the Server Installation Account .

Best practice is to change owner to 'sa' as described below.

CollationSQL_Latin1_General_CP1_CI_AS
PathDefault SQL location
Initial Size MDF128MB
Autogrowth MDFBy 128MB
Initial Size LDF128MB
Autogrowth LDF10%
Recovery ModelSimple


If the model system database has been changed to have a larger size than the values specified in the table above, then the Tachyon Server installer may report an error executing 'Bootstrap.sql' on MasterDatabase. Rebooting the SQL Server may cure the error.

Creating your own databases

You may be required to create the Tachyon databases by hand before installation. This is also known as pre-creating databases. Below are some of the reasons why your SQL administrator may require you to do this:

  • the Server Installation Account is only allowed rights on existing databases and not allowed rights to create them
  • the locations of the database files need to be different to the defaults used on the SQL Server instance(s)
  • the initial size of the database files need to be set to their estimated full size given in Server Sizing.

SQL Login for the server installation account

Example SQL scripts for creating a SQL Login and granting roles

The following examples assume ACME\TCNinstaller01 is the Server Installation Account.

When the account is not permitted to have the sysadmin SQL Server role, then a sysadmin can use the following script to create a SQL Login and grant it rights.

USE [master]
GO
CREATE LOGIN [ACME\TCNinstaller01] FROM WINDOWS
GO
GRANT ALTER ANY LOGIN TO [ACME\TCNinstaller01]
GO

If the Server Installation Account is permitted to create the databases, then a sysadmin can use the following script to add the SQL Login to the dbcreator role.

USE [master]
GO
ALTER SERVER ROLE [dbcreator] ADD MEMBER [ACME\TCNinstaller01]
GO

If the databases have been pre-created, then a sysadmin can use the following script to add the SQL Login to the db_owner role on each pre-created database.


USE [TachyonMaster]
GO
CREATE USER [ACME\TCNinstaller01] FOR LOGIN [ACME\TCNinstaller01];
ALTER ROLE [db_owner] ADD member [ACME\TCNinstaller01];
GO
USE [TachyonResponses]
GO
CREATE USER [ACME\TCNinstaller01] FOR LOGIN [ACME\TCNinstaller01];
ALTER ROLE [db_owner] ADD member [ACME\TCNinstaller01];
GO



After the databases have been created, best practice is to change the owner of each database to sa, to avoid issues if the owner's Windows account is deleted in future.

The following script can be used to change the owner of each Tachyon database to sa. This will work even if the sa login has been disabled, which is also best practice.

ALTER AUTHORIZATION ON DATABASE::TachyonMaster To "sa"
GO
ALTER AUTHORIZATION ON DATABASE::TachyonResponses To "sa"
GO


Ensure the Server Installation Account retains the db_owner role on the database to support re-configuration and upgrades. If the account is removed from being owner, then it will also be removed from the db_owner role and will need to be re-assigned, for example by using the Grant db_owner SQL script.

The owner user and db_owner role are both mapped to the database dbo user. It is preferable for the account to be a member of the db_owner role, instead of being the owner user.



SQL Login for the Tachyon service account

Keeping databases during re-installation and upgrade

If re-installing or upgrading Tachyon you need to decide if you will keep the existing databases or create new ones.

The Tachyon Master database contains all the configuration data of the Tachyon system.  If new settings are used during re-installation these will be updated in the database.

The Tachyon Responses database contains transient responses and can be kept or a new database created without loss of system integrity.

MSDTC for ActiveEfficiency

SSAS Databases

If Experience or Business Intelligence is selected for installation, then you will need to provide an instance of SQL Server Analysis Services (SSAS) configured in Multidimensional (not Tabular) mode.

Make sure that the SSAS instance is enabled, reachable, configured in Multidimensional mode, and the Server Installation Account has sufficient permissions. The Setup program is not able to perform a full validation of the SSAS server, so you need to ensure a proper configuration during the preparation phase.

Business Intelligence is a component required by Patch Success, and requires a BI SSAS user.

Email

Tachyon users and approvers require AD accounts with email addresses to support approval workflow and notifications.

Mail Server

For details about mail server requirements, please refer to Requirements: SMTP Server.

Active Directory

Tachyon Server must be installed on a domain-joined server. Tachyon clients do not have to be installed on domain-joined devices, but must have a certificate.

Installation Accounts

Tachyon Server Installation Account

In addition, the server installation account requires SQL rights as described in SQL Databases and SSAS Databases above.

Tachyon client Windows Installation Account

Tachyon client Non-Windows Installation Account

Tachyon Users Accounts

Service accounts

Tachyon uses Network Service or Local system for its services, except for the 1E Catalog Update Service, which requires a domain account.


Anti-Virus and Malware

1E log files should be excluded from scans in order to prevent potential file locking.

See Log files for details of Tachyon Server and 1E Client logs. 


Tachyon client devices preparation

Please ensure devices that will be used to validate and test the Tachyon installation have the following.

Tachyon integration with Nomad on Windows devices

Tachyon client certificate requirements

In organizations that have an established PKI, the Tachyon client devices will probably have a suitable certificate already, along with relevant Trusted Root CA certificates.

For non-Windows devices, the certificate files must be included in the 1E Client installation folder structure, as described below in Configuring the Non-Windows Tachyon certificate using OpenSSL.

Certificate Authority (CA) public keys

Tachyon clients need to authenticate Switches and Switches need to authenticate Tachyon clients.  In each case, one end of a secure connection requires the public key for each CA in the other end's certificate certification path (trust chain).

The Tachyon client needs the public key of each CA in the Switch's certification path. These public keys are stored differently on the Tachyon client device depending on the type of OS.

  • For Windows devices, CA public keys are normally stored in the Windows Trusted Root Certification Authorities store. 
  • For non-Windows devices, CA public keys are stored in a cacert.pem located in the 1E Client installation folder.
  • For macOS devices, you have a choice of storing CA public keys in the macOS KeyStore or using the cacert.pem file approach required by other non-Windows devices.

The following points should be noted for Windows devices:

  • If each Tachyon client device has an identical certification path as the Switch then its CA certificates (public keys) will probably already exist in the Windows Trusted Root Certification Authorities store. This is a typical situation in a small scale lab with a simple PKI.
  • If any Tachyon client device has a different certification path then the certificates (public keys) of the different CAs will need to be added to the corresponding certificate store on Windows devices, either Trusted Root Certification Authorities or Intermediate Certification Authorities.
  • In each of the above cases, the CA certificates (public keys) may have been deployed by Group Policy.

If any of these CAs has its certificate renewed or re-issued then

  • The appropriate Certification Authorities store will need to be updated on the Tachyon Server and Windows devices. Most organizations have automated processes for this task.
  • An updated cacert.pem file must be distributed to non-Windows devices. This should include old and new keys to aid with the transition.

Configuring the Non-Windows Tachyon certificate using OpenSSL

Each non-Windows devices requires its own certificate. Below is a guide for using a Microsoft CA to issue a certificate (which is the same for Windows computers), then exporting it and using OpenSSL to prepare it before installing it on the non-Windows device.

First, you will need to have created a new Certificate template on your Certificate Authority by making a duplicate of either the Computer or Workstation template and configuring it with at least the following properties:

  • General - use a suitable name such as Tachyon Devices and validity period
  • Request Handling - Allow private keys to be exported
  • Subject Name - Allow information to be supplied in the certificate request, rather than being built from Active Directory information
  • Extensions - Application Policies should contain only Client Authentication
  • Security - ensure relevant users and computers will be able to request certificates.

Once the new template is created on the CA, issue it.

Using the issued template, request a certificate for a target device, and export it in .pfx form and remember the password. 

The target device requires a copy of the basic cacert.pem and the .pfx file with its password removed. You can do this using the following steps. Use the relevant OpenSSL version for the OS. OpenSSL is normally available by default on Linux and Mac devices. If you want to follow these steps on Windows you will need to download the open source version appropriate to your OS.

  1. First, extract the certificate:

    openssl pkcs12 -clcerts -nokeys -in <YourPKCSFile>.pfx -out certificate.crt


  2. Second, the CA key: 

    openssl pkcs12 -cacerts -nokeys -in <YourPKCSFile>.pfx -out ca-cert.ca


  3. Now, the private key: 

    openssl pkcs12 -nocerts -in <YourPKCSFile>.pfx -out private.key -passout pass:TemporaryPassword


  4. Remove the passphrase: 

    openssl rsa -in private.key -out new.key -passin pass:TemporaryPassword


  5. Put things together for the new PKCS-File (on Windows, type can be used instead of cat): 

    cat new.key > PEM.pem
    cat certificate.crt >> PEM.pem
    cat ca-cert.ca >> PEM.pem


  6. And create the new .pfx file, when prompted for a password ensure that you enter an empty password (that is press enter when prompted for the password and confirmation without entering any text): 

    openssl pkcs12 -export -nodes -CAfile ca-cert.ca -in PEM.pem -out Tachyon.pfx


Now you have a new PKCS12 key file without passphrase on the private key part. This Tachyon.pfx file and the cacert.pem file, must be placed in one of the following locations - depending on the OS. These are hidden folders.


On Linux and Solaris:

/etc/1E/Client/.sslcerts

On Mac:

/Library/Application Support/1E/Client/.sslcerts

Configuring the Tachyon certificate for macOS

The 1E Client for macOS on-Windows devices supports the Configuring the Non-Windows Tachyon certificate using OpenSSL. approach described above. Alternatively the 1E Client for macOS also supports certificates stored within the macOS Key Store.


1E Catalog

Tachyon Setup will install 1E Catalog on the Tachyon server and ensure the server meets the requirements for installation. If 1E Catalog needs to be on a remote server then you must install that before installing Tachyon, by following guidance in 1E Catalog 2.0 - Implementing 1E Catalog.

ActiveEfficiency

Install SQL Server 2012 Native Client on the Tachyon server if it is remote from the ActiveEfficiency database.

For more ActiveEfficiency using Tachyon Setup you will also need to review the ActiveEfficiency Server 1.10 - Preparation page.