You will need to obtain a valid license file from 1E. For more details please refer to the License file heading on the Requirements page.
An IIS Web Server should be provisioned. SQL Server can be installed on the same server or the databases can be hosted on remote SQL Server instance(s).
Please refer to Requirements regarding hardware and software specifications for on-premises and cloud servers.
In addition, the Tachyon Server requires the following, each of which needs more thought and preparation, as described below.
A server that hosts Response Stack components requires additional network interfaces depending on the number of client devices it needs to support:
Administration traffic for a Tachyon Master Stack does not have any additional network requirements.
Cloud implementations have special configuration requirements for SQL Server and network interfaces described in Requirements: Server sizing for AWS and Azure.
The following example steps can be used to configure IPv4 network routing so that a specific network interface is used for all traffic going to the specified SQL Server. The example is for a Response Stack and SQL Server on different subnets but also works if both servers are on the same subnet.
Where possible the Tachyon Server DNS Name should be a CNAME Alias which references the (A) Host records for each of the Switch network interfaces registered in DNS.
Ensure network interfaces used for anything other than Switches, for example the SQL interface, are not registered in DNS. If they are registered, ensure the DNS Name used by Switches only has Switch IP Addresses assigned.
For multiple Switches to share the same DNS Name, the load balancing options include:
DNS round-robin provides reasonable load balancing, so that devices should be evenly spread across all Switches. Each device caches the IP Address given to it by DNS and keeps using it, even if the Switch using that IP Address is not available, until the TTL expires or the DNS cache is flushed. A Network Load Balancer (NLB) allows all the Switches to share the same DNS Name, which actually resolves to the IP Address of the NLB Cluster; the NLB can then intelligently route the connection to a Switch interface.
If an SPN is not created then you will see "401 Not authenticated" errors in the browser and/or log files.
Service Principal Names (SPN) are attributes of AD accounts. A domain administrator will need to create an HTTP class SPN for the Tachyon web server service account, by using one of the following methods:
Use each command as follows:
The above example assumes:
To determine which type of record a DNS Name is, run the following command:
More complex scenarios can be configured, but these require in-depth knowledge of IIS, SPN and DNS configuration and are beyond the scope of this documentation.
You will need to have requested a Web Server certificate from your Certificate Authority, using the specification below.
To get the certificate in your organization you will have either:
In previous versions of Tachyon the private key had to be exportable to create certificate files for Tachyon Switches, but this is no longer required for Tachyon 5.0 onwards.
Once the Web Server certificate has been provided it must be imported into the Tachyon Server's local computer Personal Certificates store.
After importing, you should give the certificate a Friendly Name, so that you can easily identify it for the post-installation task Confirming the Tachyon website HTTPS binding.
Tachyon Switches use certificates in the Windows Certificate Store. From version 5.0 onwards they no longer use Switch Certificate files.
Tachyon Setup will create a website named Tachyon with the necessary bindings, therefore please do not pre-create a website of the same name.
The following PowerShell commands can be used to install relevant IIS roles and features, and record the server configuration in a file.
If you intend to install Tachyon by running Tachyon Setup, then you may choose to let the Setup program perform this operation for you instead of downloading and running the script manually. Just click on the "Install missing prerequisites" button after you have run the checks in the "Check prerequisites" page.
The Export all feature is described in Exporting data from Tachyon Explorer. To enable Tachyon users with the appropriate permissions to use the Export all feature you must ensure that Microsoft Bulk Copy Program (BCP) is installed on each Tachyon Response Stack server, specifically where the Core component is hosted.
You can confirm BCP is installed by starting a command prompt and typing bcp; if it is installed, usage information is displayed. The command bcp -v displays the version.
Install the following components to get BCP working:
To verify the components have been installed you can use AppWiz.cpl and check for the Product Name.
Tachyon and SLA Platform services, including web application pools, use built-in accounts Local System (SYSTEM) and Network Service (NETWORK SERVICE) by default, and 1E recommends this configuration.
You must ensure these built-in accounts have the necessary NTFS security permissions on the Tachyon and SLA Platform installation and log folders.
If you are using default installation settings for Tachyon server on a default configuration of Windows Server, then Local System has the necessary permissions by default, but Network Service requires some additional steps. The simplest method is to add Network Service to the Administrators localgroup, which allows the default installation and logs folders to be created during installation.
However, adding Network Service to the Administrators localgroup is not considered best practice, therefore alternative methods are described below.
The table below lists the Tachyon services and their default service accounts.
|Tachyon service||Service account name||Description||SID|
|1E Tachyon Switch Host service||NT AUTHORITY\SYSTEM||Local System||S-1-5-18|
|1E Tachyon Coordinator service, 1E SLA Platform services (3), Web application pools||NT AUTHORITY\NETWORK SERVICE||Network Service||S-1-5-20|
|1E Catalog Update Service and web application pool||<domain account>|
The table below lists the default folder locations which must have NTFS security permissions configured for all service accounts.
The Tachyon installation process does not modify permissions, except for the %ProgramData%\1E\Licensing\ folder which does receive full permissions for Network Service.
|Folder||Default location||Service account||NTFS security|
|<domain account>||Minimum of read & execute permission (folder, subfolders and files).|
|Logs folders||%ProgramData%\1E\Catalog\||<domain account>||Minimum of Full Control permission (folder, subfolders and files).|
For a default installation of Tachyon on a default configuration of Windows Server, Local System has the necessary permissions by default, but Network Service requires some additional steps.
You have a choice of how to configure NTFS security for Network Service, using one of the following options, according to your organization's policies.
You can pre-create the Tachyon installation and logs folders prior to installation and apply NTFS permissions on these instead of their parent folders.
Add NETWORK SERVICE to the Administrators localgroup (this is the simplest method but not best practice).
Add NETWORK SERVICE to the Users localgroup, and grant this group permissions on the folders.
As above, but grant NETWORK SERVICE direct rights on the folders.
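One way to combine pre-created folders with the direct-rights option, as an added example that is not 1E's own script: it grants NETWORK SERVICE (S-1-5-20) rights by SID, then reports whether the grants are present and whether the account is a member of Administrators. The folder paths are placeholders, and read & execute on the installation folder is an assumption taken from the minimum this page gives for the domain account; Full Control on the logs folder is the page's stated minimum.

```powershell
# Added example: folder paths are placeholders, SIDs are the ones listed on this page.
$NetworkService = 'S-1-5-20'                   # NT AUTHORITY\NETWORK SERVICE
$InstallDir     = 'D:\Placeholder\INSTALLDIR'  # placeholder installation folder
$LogsDir        = 'D:\Placeholder\Logs'        # placeholder logs folder

function Grant-FolderRight {
    param([string]$Path, [string]$Sid,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    # Pre-create the folder so the ACL exists before Tachyon Setup runs.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path -Force | Out-Null
    }
    $identity = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
    # Inheritable Allow ACE: applies to the folder, subfolders and files.
    $ruleArgs = $identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-FolderRight {
    param([string]$Path, [string]$Sid,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    # Looks only at ACEs naming this SID directly (explicit or inherited),
    # not at rights obtained through group membership.
    $aces = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $aces) {
        if ($ace.IdentityReference.Value -eq $Sid -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $Rights) -eq $Rights) { return $true }
    }
    return $false
}

Grant-FolderRight -Path $InstallDir -Sid $NetworkService -Rights ReadAndExecute
Grant-FolderRight -Path $LogsDir    -Sid $NetworkService -Rights FullControl

# Confirm the direct grants and that the Administrators shortcut was not used.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'   # BUILTIN\Administrators
[pscustomobject]@{
    InstallDirReadExecute = Test-FolderRight $InstallDir $NetworkService ReadAndExecute
    LogsDirFullControl    = Test-FolderRight $LogsDir $NetworkService FullControl
    InAdministrators      = @($admins.SID.Value) -contains $NetworkService
}
```

Run it from an elevated PowerShell session before starting Tachyon Setup; the expected report is two True values for the folder checks and False for InAdministrators.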
The Server Installation Account should be a member of the Administrators localgroup, so that it has full rights on the server.
If you are installing in a non-default installation folder, or the default installation folder has non-standard NTFS security, then before installation, you must ensure the installation folder is pre-created with suitable NTFS security applied. If this is not done, some services will fail to start, or users will not be able to access the website.
In addition, the Users or Authenticated Users localgroup must have a minimum of read & execute permission on each of the Web application folders (folder, subfolders and files). This is simplest to achieve by granting permission on the INSTALLDIR folder.
The example screenshot shows
The NTFS permissions on the SSL folder can be locked down after installation in order to protect the certificate files. The SSL folder exists in the Switch installation folder and inherits its NTFS permissions, which are inherited from the Tachyon installation folder.
If permissions are modified the minimum requirement is for the SYSTEM account to have read & execute permission on the SSL folder and files, assuming that the 1E Tachyon Switch Host service uses the Local System account, which is the default.
The example screenshot shows the same non-default installation described above and the SSL folder has had inheritance removed and the Users local group has been removed.
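The lock-down described above, scripted as an added example (not 1E's own tooling): it removes inheritance from the SSL folder, removes the Users local group, and keeps read & execute for SYSTEM. The folder path is a placeholder, and the SIDs are the well-known Windows SIDs for Local System and BUILTIN\Users.

```powershell
# Added example: the path is a placeholder; SIDs are well-known Windows SIDs.
$SslDir = 'D:\Placeholder\INSTALLDIR\Switch\SSL'   # placeholder path
$System = 'S-1-5-18'       # Local System, default Switch Host service account
$Users  = 'S-1-5-32-545'   # BUILTIN\Users

function Protect-SslFolder {
    param([string]$Path, [string]$ServiceSid, [string]$RemoveSid)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $service = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $ServiceSid
    $remove  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $RemoveSid

    # 1. Stop inheriting from the installation folder, keeping the inherited
    #    ACEs as explicit copies so nothing loses access part-way through.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # 2. Re-read the ACL (the explicit copies exist only once it has been
    #    written), then drop every ACE for the group being removed.
    $acl = Get-Acl -LiteralPath $Path
    $acl.PurgeAccessRules($remove)

    # 3. Guarantee the stated minimum: read & execute for the service
    #    account on the folder and the files in it.
    $ruleArgs = $service, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Return the resulting ACEs, by SID, for review.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Select-Object @{ Name = 'Sid'; Expression = { $_.IdentityReference.Value } },
                      FileSystemRights, AccessControlType, IsInherited
}

Protect-SslFolder -Path $SslDir -ServiceSid $System -RemoveSid $Users
```

In the returned list, no entry should carry the Users SID or show IsInherited as True, and S-1-5-18 should hold at least ReadAndExecute.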
The accounts used by Tachyon services and application pools must have a minimum of Full Control permission on the logs folder (folder, subfolders and files).
The example screenshot shows a default installation. For a default installation the only permissions necessary are SYSTEM and Administrators, both Full Control.
For a basic Tachyon installation with no additional components selected, there are two databases with default names TachyonMaster and TachyonResponses, which can be on the same or separate SQL Server instances. A SQL Server instance can be on the Tachyon Server (local) or on a remote SQL Server. If you want to select the location and sizes of the Tachyon Master and Responses databases these can be created before installation with appropriate permissions, or you can allow the Tachyon Server installer to create the databases.
For a new installation, and for upgrades, the Server Installation Account requires a SQL Login with appropriate permissions.
If additional components such as 1E Catalog are selected for installation, then they will deploy their own databases, which are described in each product's specific documentation.
If you allow the installer to create new databases they each have the following default settings. Databases will grow automatically to the sizes estimated in Server Sizing.
If the Installer is used to create the databases, this will be the Server Installation Account.
Best practice is to change owner to 'sa' as described below.
|Path||Default SQL location|
|Initial Size MDF||128MB|
|Autogrowth MDF||By 128MB|
|Initial Size LDF||128MB|
If the model system database has been changed to have a larger size than the values specified in the table above, then the Tachyon Server installer may report an error executing 'Bootstrap.sql' on MasterDatabase. Rebooting the SQL Server may cure the error.
You may be required to create the Tachyon databases by hand before installation. This is also known as pre-creating databases. Below are some of the reasons why your SQL administrator may require you to do this:
The following examples assume ACME\TCNinstaller01 is the Server Installation Account.
When the account is not permitted to have the sysadmin SQL Server role, then a sysadmin can use the following script to create a SQL Login and grant it rights.
USE [master]
GO
CREATE LOGIN [ACME\TCNinstaller01] FROM WINDOWS
GO
GRANT ALTER ANY LOGIN TO [ACME\TCNinstaller01]
GO
If the Server Installation Account is permitted to create the databases, then a sysadmin can use the following script to add the SQL Login to the dbcreator role.
USE [master]
GO
ALTER SERVER ROLE [dbcreator] ADD MEMBER [ACME\TCNinstaller01]
GO
If the databases have been pre-created, then a sysadmin can use the following script to add the SQL Login to the db_owner role on each pre-created database.
After the databases have been created, best practice is to change the owner of each database to sa, to avoid issues if the owner's Windows account is deleted in future.
The following script can be used to change the owner of each Tachyon database to sa. This will work even if the sa login has been disabled, which is also best practice.
If re-installing or upgrading Tachyon you need to decide if you will keep the existing databases or create new ones.
The Tachyon Master database contains all the configuration data of the Tachyon system. If new settings are used during re-installation these will be updated in the database.
The Tachyon Responses database contains transient responses and can be kept or a new database created without loss of system integrity.
If Experience or Business Intelligence is selected for installation, then you will need to provide an instance of SQL Server Analysis Services (SSAS) configured in Multidimensional (not Tabular) mode.
Make sure that the SSAS instance is enabled, reachable, configured in Multidimensional mode, and the Server Installation Account has sufficient permissions. The Setup program is not able to perform a full validation of the SSAS server, so you need to ensure a proper configuration during the preparation phase.
Business Intelligence is a component required by Patch Success, and requires a BI SSAS user.
Tachyon users and approvers require AD accounts with email addresses to support approval workflow and notifications.
For details about mail server requirements, please refer to Requirements: SMTP Server.
Tachyon Server must be installed on a domain-joined server. Tachyon clients do not have to be installed on domain-joined devices, but must have a certificate.
Tachyon uses Network Service or Local System for its services, except for the 1E Catalog Update Service, which requires a domain account.
1E log files should be excluded from scans in order to prevent potential file locking.
See Log files for details of Tachyon Server and 1E Client logs.
Please ensure devices that will be used to validate and test the Tachyon installation have the following.
Tachyon integration with Nomad on Windows devices
Tachyon client certificate requirements
In organizations that have an established PKI, the Tachyon client devices will probably have a suitable certificate already, along with relevant Trusted Root CA certificates.
For non-Windows devices, the certificate files must be included in the 1E Client installation folder structure, as described below in Configuring the Non-Windows Tachyon certificate using OpenSSL.
Certificate Authority (CA) public keys
Tachyon clients need to authenticate Switches and Switches need to authenticate Tachyon clients. In each case, one end of a secure connection requires the public key for each CA in the other end's certificate certification path (trust chain).
The Tachyon client needs the public key of each CA in the Switch's certification path. These public keys are stored differently on the Tachyon client device depending on the type of OS.
The following points should be noted for Windows devices:
Configuring the Non-Windows Tachyon certificate using OpenSSL
Configuring the Tachyon certificate for macOS
The 1E Client for macOS supports the approach described above in Configuring the Non-Windows Tachyon certificate using OpenSSL. Alternatively, the 1E Client for macOS also supports certificates stored within the macOS Key Store.
Tachyon Setup will install 1E Catalog on the Tachyon server and ensure the server meets the requirements for installation. If 1E Catalog needs to be on a remote server then you must install that before installing Tachyon, by following guidance in 1E Catalog 2.0 - Implementing 1E Catalog.