Upload
dophuc
View
224
Download
2
Embed Size (px)
Citation preview
Pre-Installation Checklist for Multi-Server Installation
of the Apprenda Platform
Last updated for Apprenda 5.5.5/5.0.6
Prior to beginning your Apprenda Platform installation, make sure that you have fulfilled these
requirements and filled in the information relevant to your Platform configuration. This checklist is
intended to give you an at-a-glance assessment of installation prerequisites; additional information for
fulfilling these requirements has been provided in the Preparing for the Apprenda Platform section below.
Windows Checklist Complete this checklist before installation of your Apprenda environment.
Infrastructure Requirements
.NET 4.5 installed on every Windows machine
Windows Firewall disabled for all profiles (it can be enabled after install if required)
Confirm that all servers can resolve each other by host name (not just FQDN)
Confirm WMI access for every server that will be running Apprenda services
o WMI access can be confirmed by running the following command: get-wmiobject
win32_operatingsystem -comp <computername>
If a DMZ is to be set for the Load Managers, the machines should be inside the network for
Apprenda installation and then moved out
Configure the Platform Repository Network Share and requisite folders
Configure the IIS Configuration Share (if installing multiple Load Managers)
Confirm that File Sharing is allowed across Firewall zones (if applicable)
If using a hardware Load Balancer, confirm that incoming traffic is allowed on ports 80 and 443;
traffic incoming on port 80 may be redirected to 443
Software Requirements
Server Roles are properly installed and configured from Server Administration snap-in
o Web Server role for machines that will be hosting websites
Configure MSDTC for every SQL Server Nodes
Anti-Virus software is disabled/configured not to interfere with Apprenda
UAC is disabled (For Apprenda installations earlier than version 5.0.5)
All servers are time-synced
Any HTTP proxies have been removed or disabled from all servers and the machine from which
the Installer will be run. This includes any proxies for the user under which the Installer will be run,
as well as any accounts under which Apprenda services may run (including the Apprenda Admin
account, Apprenda System account, IIS Shared Configuration account, Local Service, and Local
System); confirm that no Group Policies are in place that will recreate or re-enable such proxies.
2
Active Directory and Network Requirements
User account under which the Apprenda Installer will be run (this may be the Apprenda Admin or
System user account) created in Active Directory and granted the following:
o Username: __________________________________
o Password: __________________________________
o Local admin rights on all Windows machines where Apprenda services will run
o Read/write access to the Apprenda Repository Shares
o Read/write access to the IIS Configuration Share (if installing on multiple Load Managers)
Apprenda Admin user account created in Active Directory
o Username: __________________________________
o Password: __________________________________
o Read/write access to the Apprenda Repository Shares
Apprenda System user account created in Active Directory
o Username: __________________________________
o Password: __________________________________
Admin and System accounts have “Log on as a service” and “Allow log on locally” rights
System account has “Impersonate a client after authentication” rights
IIS Shared Configuration user account created in Active Directory for accessing the IIS
Configuration Share (if using multiple Load Managers) and granted the following:
o Username: __________________________________
o Password: __________________________________
o Local admin on all Load Manager nodes
o “Log on as a service” rights on all Load Manager nodes (if using multiple Load Managers)
o Read/write access to the IIS Configuration Share (if using multiple Load Managers)
o In Windows Server 2012 and later, if UAC is enabled this user may need explicit
permissions to access the C:\Windows\System32\inetsrv directory
Apprenda SQL Server account created in SQL Server and given sysadmin and serveradmin roles
o Username: __________________________________
o Password: __________________________________
o The password should be set to not expire (if possible)
o The account must permit remote access to the SQL Server instance(s)
URL for your Apprenda environment (provide one entry per cloud if installing on multiple clouds)
o cloudURL: ___________________________________
Path-based URL host (subdomain) for your Apprenda environment, which is configurable in the
Installer (the default value is “apps”)
o Path-based URL host: ___________________________________
A DNS entry for the cloudURL value(s) noted above
DNS entries (for the cloud URL value(s) provided above) for one of the following:
o Wildcard subdomain (*.cloudURL)
OR
3
o The path-based URL host followed by the cloudURL (subdomain.cloudURL) AND “www”
followed by the cloudURL (www.cloudURL)
Email Account that will be used for the Apprenda Platform (you can use Apprenda’s free email
provider if you prefer)
o Address: ________________________
o Password: ________________________
o Server: ________________________
o Port: _________________________
SSL and Signing Certificates
SSL certificate(s) generated by the Apprenda Installer will be used OR an SSL certificate with one
of the following certificate subjects has been provided for each cloud:
o Wildcard subdomain (*.cloudurl)
OR
o The path-based URL host followed by the cloudURL (subdomain.cloudURL)
Signing certificate generated by the Apprenda Installer will be used OR a certificate has been
provided that can be used for signing claims.
If WS-Federation will be used for an External User Store or enabled on a per-Organization account basis:
A server or web farm with Active Directory Federation Services (AD FS) that Apprenda can
manage as a relying party security token service with the appropriate DNS entry in place. Please
see the Setup Procedures for AD FS Node section below for additional requirements.
o Apprenda managed AD FS Host: ____________________________________________________________
o Apprenda managed AD FS federation endpoint: ____________________________________________
Linux Checklist Complete this checklist if your Apprenda environment will include at least one Linux node for Java Web
Application hosting.
‘Root’ Account Access Requirements (Platform version 5.0.x)
‘Root’ account has identical password on each node
o Password: __________________________________
‘Root’ account has the ability to create local accounts; alternately, a local account named
‘apprenda’ can be created on each node.
Install User Account Access Requirements (Platform version 5.5.x)
Account that you plan to use for installing Apprenda on Linux nodes is created identically on each
node
o Name: _____________________________________
o Password: __________________________________
o (If not using the ‘Root’ account) Elevation method (SU or SUDO): ______________
4
If you plan to allow Apprenda to auto-create a default workload account for Java workloads,
ensure that the ‘Root’ account has the ability to create local accounts; if not, the local account you
plan to use as a default workload account must be created identically on all Linux nodes
o Account: ____________________________________
Infrastructure Requirements
Iptables is disabled (and set not to restart on reboot) or configured to not block Apprenda’s ARR
service.
All servers are time-synced
Apprenda Platform Repository mount directories are created
o “System” mount point: ____________________________________________________________________
o “Application” mount point: ________________________________________________________________
Software Requirements
‘Libcgroup’ library is installed.
‘Cgconfig’ service is started and set to restart on reboot.
Any HTTP proxies have been removed or disabled from all servers
If you intend to use JBoss for Apprenda’s Java container (the Platform defaults to Tomcat), JBoss 6
is installed to the same install path on each Linux server
o Install path: _________________________________________________________________________________
Oracle Checklist Complete this checklist if your Apprenda environment will include at least one Oracle RDBMS Installation.
Administrator Account Requirements
Database Administrator account is created on all Oracle nodes and has been granted the
appropriate permissions.
o Username: __________________________________
o Password: ___________________________________
Software Requirements
DATA_PUMP_DIR directory object is mapped to an OS path with adequate storage to
accommodate schema patching
5
Preparing for the Apprenda Platform This document provides instructions on how to set up an environment for the Apprenda Platform.
Minimum Hardware Requirements (Windows and Linux) Apprenda relies on distributing application jobs throughout a grid of networked computers. This creates a
scenario where there are no onerous requirements on any specific server, so long as the network as a
whole can satisfy demand.
For a given Windows host, Apprenda requires:
2 Cores
2 GB RAM required, 4GB recommended
40 GB Hard Drive
Network Interface
For a given Linux host, Apprenda requires:
2 Cores
2 GB RAM required, plus 0.5 GB RAM for every individual Java Web Application workload the
node will host
40 GB Hard Drive
Network Interface
Apprenda may not behave correctly on computers that do not meet these minimum requirements. Note
that this is a minimum configuration and is not intended for production environments.
In order for the Platform to function correctly, Apprenda requires that all machines be able to resolve each
other by host name (and not just by FQDN).
Additionally, certain software should be turned off or must be configured in a manner to not interfere
with Apprenda:
Power management
Automatic update services
Any potential time skews among nodes should be eradicated by insuring that all nodes are time
synced (NTP is recommended for this)
Password expiration (for the Apprenda accounts)
Only for Apprenda installations earlier than version 5.0.5: for Windows servers, user account
security (UAC) should be off for every machine. For Windows Server 2012/R2, this will also require
changing the EnableLUA value (typically located at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) in the
registry to “0”. Make sure to restart the server after disabling UAC\updating the registry value.
Firewall software (e.g. Windows Firewall, iptables)
Anti-virus software (e.g., Symantec Anti-Virus, for which live monitoring of the file system
interferes with key Platform functions). If disabling Anti-Virus software is not a viable option for
security reasons, it must be configured (in some cases via Group Policy) to have an exception for
the root Apprenda folder (the location of this folder is configurable in the Installer; the default
location is C:\ApprendaPlatform) on each node.
6
Primary Domain Controller Setup (Windows) As noted in the Active Directory and Network Requirements section of the checklist above, Apprenda
requires a number of network-level security accounts as determined by the specific configuration of your
installation (all configurations require what are called the “Apprenda System” and “Apprenda
Administrator” accounts). The specific permissions that each account requires are listed in the checklist.
Notably, the user under which the Apprenda Installer is run must be part of the Administrators group (i.e.,
have local admin rights) on all Windows servers that are provisioned for use by Apprenda, as various
portions of Apprenda operations require the ability to modify the system registry, copy & delete files, and
run Windows Services. Using Active Directory to establish an authentication mechanism for these
accounts ensures that effective permissions are consistent across all Apprenda nodes. Please refer to
Microsoft documentation for configuring Active Directory and DNS servers. Note: the Apprenda Platform
cannot be installed on a Domain Controller.
Setup Procedures for Cache Nodes and Platform Coordination Nodes
Software Prerequisites
Microsoft Windows Server 2008/R2 or 2012/R2, Microsoft Windows 7 or 8 Home Premium,
Professional or Enterprise (64-bit required in each case)
.NET Framework 4.5
Cache Nodes only: MS Visual C++ Redistributable Packages for Visual Studio 2013 (if not found
on designated cache nodes, the Installer will offer a repair option that will attempt to install this)
Account Setup
For all machines, the Apprenda System account and Apprenda Administrator account should be granted
“Log on as a service” and “Allow log on locally” rights.
Setup Procedures for Windows Web Servers and/or Load Managers
Software Prerequisites
Microsoft Windows Server 2008/R2 or 2012/R2, Microsoft Windows 7 or 8 Home Premium,
Professional or Enterprise (64-bit required in each case)
.NET Framework 4.5
IIS 7 or above; IIS request filtering must allow DELETE, GET, POST, and PUT requests
iisnode (available in your installation package at Installer\IISModules\iisnode-full-v0.2.11-x64.msi
or at https://github.com/tjanczuk/iisnode)
ARR (Load Managers only)
Roles Setup
Web Server role needs to be installed with the following services turned on: ASP.NET and ASP.
7
Account Setup
For all machines, the Apprenda System account and Apprenda Administrator account should be granted
“Log on as a service” and “Allow log on locally” rights. The Apprenda System account must also have
“Impersonate a client after authentication” rights. Additional account setup (as described below) are
required if installing using a shared IIS configuration.
Shared IIS Configuration Share Setup
Installing multiple Load Manager nodes requires the use of a shared IIS configuration housed in a network
share. This share is a folder that must be set up manually prior to running the Installer, and to which a
designated network account is granted full control. The Apprenda Installer will create the actual shared
configuration automatically, so only the share itself should be created prior to installation. Any existing
shared configuration should be disabled in IIS prior to running the Apprenda Installer (as it will cause the
IIS Configuration step to fail). For IIS 8 and later, the Web Server Role may require the Web
Server>Security>Centralized SSL Certificate Support option in order for to successfully set up Shared
Configuration.
Because the Load Manager service will run as the IIS Shared Configuration account, the IIS Shared
Configuration account must be part of the Administrators group (i.e., have local admin rights) and have
“Log on as a service” rights on all Load Manager nodes (local admin rights are necessary to update URL
rewrite rules). This account must also have read/write access to the IIS Configuration Share (and may also
require explicit permissions to access the C:\Windows\System32\inetsrv directory on Load Manager
nodes) when UAC is enabled. The user under which the Apprenda Installer is run must also have
read/write access to the IIS Configuration Share.
Application Request Routing (ARR) Installation
Load Managers require ARR and its dependencies. For Load Managers running Windows Server 2008/R2,
the Apprenda Installer will install and configure the appropriate version of ARR and its dependencies. For
Windows Server 2012/R2, ARR version 2.5 or higher (and its dependencies) must be installed manually.
The optimal method of installing ARR is through the MS Web Platform Installer, which will install and
configure your selected version of ARR and its dependencies in the appropriate order and with the
requisite IIS service restart. If this is not a viable install solution, alternate installation instructions can be
found at http://blogs.iis.net/erez/archive/2013/11/27/installing-arr-manually-without-webpi.aspx
Setup Procedures for Windows Application Servers
Software Prerequisites
Microsoft Windows Server 2008/R2 or 2012/R2, Microsoft Windows 7 or 8 Home Premium,
Professional or Enterprise (64-bit required in each case)
.NET Framework 4.5
SMO 2012 on Application servers designated as Storage Controlling Services hosts
8
Account Setup
For all machines, the Apprenda System account and Apprenda Administrator account should be granted
“Log on as a service” and “Allow log on locally” rights. The Apprenda System account must also have
“Impersonate a client after authentication” rights.
SMO Setup for Storage Controlling Services Hosts
It is necessary that at least one Windows Application Server per cloud host Apprenda’s Storage
Controlling Services, which interfaces with SQL Server and Oracle to configure guest application storage.
These servers are required to have SQL Server Management Objects (SMO) 2012 installed. At installation,
the Platform will mark any Windows Application Servers with SMO installed as capable of hosting the
Storage Controlling Services and will deploy this component to those servers. If no suitable host is found,
it will install the required SMO version on a single Application Server. In order to control which
Application Servers are designated as Storage Controlling Services Hosts on multi-node Platform
configurations, we recommend installing a supported version of SMO (version 11.0 or higher) on
Application servers that you would like to designate as Storage Controlling Services hosts prior to running
the Apprenda Installer. As needed, after installation additional Application servers can be configured as
Storage Controlling Services hosts by installing SMO on the servers and then designating them as such in
the System Operation Center (SOC).
Setup Procedures for Windows AD FS Nodes Note: AD FS nodes will also act as Windows Application Servers, as they host the Apprenda Federation
WCF service. As needed they may also be configured to act as Storage Controlling Service hosts per the
instructions above.
Software Prerequisites
Microsoft Windows Server 2008/R2 or 2012 Professional or Enterprise (64-bit required in each
case) Please note: Windows Server 2012 R2 cannot be used, as it supports only AD FS 3.0 (which
is not supported for this version of the Apprenda Platform)
.NET Framework 4.5
Supported version of AD FS
o AD FS 2.0 (available at http://www.microsoft.com/en-us/download/details.aspx?id=10909)
o AD FS 2.1 (available as a role in Windows Server 2012)
IIS 7 or above
Account Setup
For all machines, the Apprenda System account and Apprenda Administrator account should be granted
“Log on as a service” and “Allow log on locally” rights. The Apprenda System account must also have
“Impersonate a client after authentication” rights.
AD FS Setup
Please contact your Client Services representative for additional setup instructions. Additional accounts
and setup will be required if using an AD FS web farm.
9
Setup Procedures for Linux Servers
Software Prerequisites
CentOS 6, Red Hat Enterprise Linux 6.
‘Root’ Account Access (Platform version 5.0.x)
So that the Apprenda Platform can access each Linux node with one given set of credentials, ensure that
the ‘Root’ account for each node has an identical password. The ‘Root’ account will also need permission
to create users, as an account named ‘apprenda’ will be created as the run-as account for java workloads.
Alternately, the ‘apprenda’ local account can be created manually on all nodes. After installation a
different account can be specified via the Hosting.Linux.DefaultLinuxContainerWorkloadUserAccount
setting in the Configuration>Platform Registry page in the System Operation Center.
Install User Account Access (Platform version 5.5.x)
So that the Apprenda Platform can access each Linux node with one given set of credentials, ensure that
the account you plan to use as the Install User account is created on each node and has an identical
password and elevation method (SU or SUDO). If you plan to use the ‘Root’ account, simply ensure that
the account has an identical password on all nodes. Also, during installation you will need to choose a
local account to be used as the Default Workload Account for running Java Web App workloads; if you
plan on setting Automatic Workload Account Creation to “Enabed” during installation, then Apprenda will
auto-create the account for you on all nodes at install time. In that case, you need to ensure that the
‘Root’ account has the ability to create local accounts. If you plan to set Automatic Workload Account
Creation to “Disabled,” however, you will need to manually create a local account identically on all Linux
nodes that will be used as the Default Workload Account.
Platform Repository Mounts
Use method of choice for mounting the Apprenda Platform Repository (cifs-utils is a tested method):
Create two different directories on each Linux node to use as mount points for Platform
Repository share folders; the names and locations of the directories must be identical across all
Linux nodes that will be part of your environment. You will need to enter the directory paths you
have set for the “System” and “Application” directories during Platform installation.
Mount these Platform Repository shares, respectively, to the “System” and “Application” mount
points that were created in the previous step (assuming that the Platform Repository has been
automatically configured by the Apprenda Installer):
o //{platformRepoHost}/apprenda
o //{platformRepoHost}/applications
Ensure that the shares will be re-mounted in case of server restart/reboot; one method is
described here:
o http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s2-nfs-config-autofs.html
10
Libcgroup Library Installation
Install the ‘libcgroup’ library. For installation of necessary libraries on a CentOS node, CentOS’s ‘yum’
package management system is recommended. Example terminal command:
yum install libcgroup
Firewall Management
Any operating firewalls, such as ‘iptables,’ will likely interfere with the Platform’s Application Request
Routing service when contacting the node. Either configure these firewalls to allow access to the ARR
service (contact Apprenda Client Services for specific details), or ensure that the firewalls are disabled. For
example, run these terminal commands to prevent ‘iptables’ from starting on reboot, and then to turn it
off:
chkconfig iptables off
service iptables stop
Cgconfig Service Management
Start the ‘cgconfig’ service and set it to start on reboot:
service cgconfig start
chkconfig cgconfig on
JBoss Installation (optional)
By default, Apprenda installs and uses Tomcat as the Java container host for deployed Java Web
Applications on Linux servers. If you intend to use JBoss instead, ensure that JBoss 6 is installed to an
identical install path on each Linux server. Some post-installation configuration of the Apprenda Platform
is necessary to enable JBoss deployment of Java Web Application workloads.
Setup Procedures for SQL Server Nodes (Windows) SQL Server should be installed using the planned instance name, and be configured to permit direct
database logins (mixed-mode authentication is acceptable).
Software Prerequisites
Microsoft Windows Server 2008/R2 or 2012/R2, Microsoft Windows 7 or 8 Home Premium,
Professional or Enterprise
One of these (with the SQL Server Browser Service enabled):
o SQL Server 2005 Standard edition or higher
o SQL Server 2008 Express edition or higher
o SQL Server 2008 R2 Express edition or higher
o SQL Server 2012 Express edition or higher
MSDTC Configuration
MSDTC must be configured manually for any machines hosting SQL Server instances that do not also host
Apprenda services. MSDTC can be configured as follows (steps should be repeated for each machine
hosting a SQL instance):
11
1. Run "dcomcnfg" from a command prompt; this will open a Component Services configuration
window
2. Expand “Component Services” > “Computers” > “My Computer” > “Distributed Transaction
Coordinator” > “Local DTC”.
3. Right click on "Local DTC" and select “Properties”.
4. Click on the “Security” tab.
5. Check the following options, then click "OK:
a. Network DTC Access
b. Allow Remote Clients
c. Allow Inbound
d. Allow Outbound
e. No Authentication Required
f. Enable XA Transactions
g. Enable SNA LU 6.2 Transactions (if available)
Database Server Connectivity
This section leads you through configuration of SQL Server for usage by Apprenda.
Configuring Server Logins
Create the account that is intended for use by Apprenda. This account should have these roles:
sysadmin
serveradmin
Allowing Remote Server Connections
Configure the database server to allow remote server connections. In SQL Server Management Studio,
follow these steps:
1. Right-click on the database server in Object Explorer after connecting and choose Properties.
2. Choose the Connections page.
3. Check Allow remote connections to this server.
It may be necessary to adjust the network configuration to permit TCP/IP connections. Using SQL Server
Configuration Manager:
1. Locate SQL Server 2005 (2008/2012) Network Configuration -> Protocols (for your database
instance).
2. Ensure TCP/IP is set to Enabled.
3. Restart the SQL Server Service if this setting was changed.
12
Setup Procedures for Oracle RDBMS (Windows and Linux)
Software Prerequisites
No specific OS is required for an Oracle RDBMS installation; Red Hat Enterprise Linux 6 and
Windows 7 have been tested successfully.
Oracle Database 11g
o Oracle RAC is not supported in Apprenda 5.0
o The Oracle directory object ‘DATA_PUMP_DIR’ must be mapped to an OS path with
sufficient space to accommodate backups of any hosted guest application schemas that
may undergo patching at any one time. DATA_PUMP_DIR is created by default when
Oracle 11g is installed on Windows or Unix; if the directory object does not exist, it must
be created manually.
Administrator Account Setup (Platform Version 5.0.5 and higher)
1. Locate the admin.sql script in the Binaries>Oracle folder of your installation package (if running
the Express Installer, this folder will appear in a temp>Apprenda folder on your primary drive
once the Apprenda.Express executable has been launched).
2. Copy the script locally and make the following alterations as needed:
a. Replace all instances of the placeholder “&APPRENDA_ADMIN_USER” with the user name
you wish to use.
b. If the user needs to be created, replace the placeholder “password” with the password
you wish to use, and uncomment the first line by removing the “--“.
3. Run the updated script against each Oracle node to create the user (if needed) and configure
administrator permissions.
Administrator Account Setup (Platform Version 5.0.4 and earlier)
As the admin.sql script describe above will not be available in the installation package for versions 5.0.4
and earlier, the following steps must be performed:
1. Run the following script on each Oracle node to create the database administrator account,
replacing “APPRENDAADMIN” with the name you wish to use and “PASSWORD” with the
password you wish to use:
CREATE USER APPRENDAADMIN IDENTIFIED BY PASSWORD ACCOUNT UNLOCK ;
/
GRANT DBA TO APPRENDAADMIN; / ALTER USER APPRENDAADMIN DEFAULT ROLE DBA; /
2. Run the Apprenda Installer and be sure to specify the account created in step 1 as the
administrator account for all Oracle nodes. Validation will fail because the Oracle administrator
account does not have the appropriate permissions. The Installer will prompt you to configure
permissions with a script displayed in the Installer. 3. Copy the displayed script locally and modify it to apply to the administrator account you created
in step 1. 4. Run the updated script against each Oracle node to configure administrator permissions.
13
Setup Procedures for the Platform Repository Network Share The Apprenda Platform requires a network share location which will serve as the repository for all Platform
and guest application binaries. It can be located on one of the Windows Application servers on the
Platform, which can be configure by the Apprenda Installer, or on a network share (ideally located on a
SAN or NAS), which must be configured manually.
Account Setup
The Apprenda Administrator Account and the account under which the Installer will be run have read/
write access.
Automatic Configuration (using the Apprenda Installer)
If one of the Windows Application servers specified in the Installer is chosen for the Platform Repository,
during validation the Installer will attempt to create the necessary folder and shares on the specified
server. The Installer will create a folder called “Partitions” on the drive specified for Platform content, and
will create three separate shares within this folder:
Applications
Apprenda
SAC
If for some reason the user account under which the Apprenda Installer will be running does not have
enough permissions to create the folder and shares, follow the Manual Configuration Steps.
Manual Configuration
If you need to manually configure the share location, create the following three folders and make sure
that the Apprenda Administrator Account and the account under which the Installer will be run have
read/write access:
Applications
Apprenda
SAC
The folders may be created as three folders within a single share or as three separate shares accessible
through the same base path. Due to character path limits in Windows, the base path to these folders must
contain no more than 50 characters.
Additional Configuration for Extensibility Services
Once installation is complete, the Extensibility Services application—which is necessary for both Add-On
and Bootstrap Policy functionality—runs by default under the Apprenda System Account (which, as
indicated above, requires read and write access to all the Platform shares). For security reasons, it is
possible to configure services to run under more limited user accounts. In most cases, these accounts do
not require access to the Platform shares; however, in order for Platform Add-On creation to function
properly, the user account under which the Extensibility Services runs must have read access to the
AddOns folder created during installation within the Apprenda share. If the Apprenda Extensibility
Service is configured to run under a user account that does not have full access to the Platform shares,
read-only share and security access to the folder for the account under which this service will run should
be configured after Platform installation is complete. In addition, the user account must be granted
“Impersonate a client after authentication” rights in order for Bootstrap Policy functionality to work.