Install and configure the Encryption Service

Jun 05, 2015
Updated: 2014-08-29
Important: Install and configure the Encryption Service before installing any other platform server roles. This ensures the Configuration Tool can access the service's encrypted key when other platform components and services are installed.

Additionally, Citrix strongly recommends using SSL with the Encryption Service. Because the traffic to and from the service contains sensitive data, using SSL ensures this traffic is encrypted appropriately.

When you configure the Encryption Service, the Configuration Tool performs the following actions:
  • Creates a service account in Active Directory. By default, the service account name is csm_core_svc.
  • Creates an application pool and web site in IIS and configures authorization rules to limit access to the Domain Admins group or the CortexWSUsers group.
  • Generates an encryption key and stores it in the Windows Registry.

To install and configure the Encryption Service using the graphical interface

  1. From the installation media, double-click Setup.exe and then click Get Started.
  2. On the Select Deployment Task page, select Install CloudPortal Services Manager.
  3. On the Install CloudPortal Services Manager page, select Configure Encryption Service.
  4. On the License Agreement page, accept the license agreement and click Next.
  5. On the Ready to Install page, click Install. The Deploying Server Roles page indicates the progress of installing prerequisites, the Configuration Tool, and the Encryption Service.
  6. On the Deployment Complete page, click Finish.
  7. On the Configure Application Pool Identity page, enter a password for the Encryption Service's service account. By default, the username is csm_core_svc. Click Next.
  8. On the Configure Site Binding page, select Use SSL and select the SSL certificate you want to use. Click Next.
  9. On the Summary page, click Commit.
  10. After the configuration is completed, click Finish to return to the Install CloudPortal Services Manager page.

To install and configure the Encryption Service using the command line

  1. On the server you prepared to host the Encryption Service, log on as a domain administrator.
  2. Open a command line window and navigate to the CortexSetup directory on the Services Manager installation media.
  3. At the command prompt, enter CortexSetupConsole.exe /install:EncryptionService. The Setup Tool installs the service and returns the command prompt.
  4. At the command prompt, enter install-location\Configuration\CortexConfigConsole.exe and specify the following properties:

    Property                         Description
    /ESUserName:username             The application pool user for the Encryption Service.
    /ESPassword:password             The application pool password.
    /ESPort=port                     The port number to use when creating a site binding for the service. Default = 443
    /AutoCreateESUser:True | False   Optional. Automatically create the application pool user account in Active Directory if the account does not exist already. Default = True
    /ESSslCertificate                The friendly name of the SSL certificate to use in the site binding. Optional if /ESUseSsl is set to False.
    /ESUseSsl:True | False           Whether or not to use SSL. Default = False

    Install-location denotes the web service installation directory on the local computer. The default directory is C:\Program Files (x86)\Citrix\Cortex.
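
The command-line procedure above with the SSL recommendation applied, as an added PowerShell example (not Citrix-supplied code). Because /ESUseSsl defaults to False, the script sets it explicitly, checks the certificate beforehand and confirms the IIS binding afterwards. Assumptions: the certificate friendly name is a placeholder, the certificate is in the LocalMachine\My store, the tool is under the default install directory, and /ESSslCertificate takes its value in the same :value form as the other properties.

```powershell
# Added example, not Citrix code. Run elevated on the Encryption Service host
# after CortexSetupConsole.exe /install:EncryptionService has completed.
$ErrorActionPreference = 'Stop'

# Assumptions: placeholder friendly name; default install directory.
$certFriendlyName = 'REPLACE-WITH-CERT-FRIENDLY-NAME'
$configConsole = 'C:\Program Files (x86)\Citrix\Cortex\Configuration\CortexConfigConsole.exe'

# Pre-flight: exactly one currently valid certificate with a private key must
# carry this friendly name (LocalMachine\My is assumed to be the store used).
$now = Get-Date
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.FriendlyName -eq $certFriendlyName -and $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now
})
if ($certs.Count -ne 1) {
    throw "Expected 1 valid certificate named '$certFriendlyName', found $($certs.Count)."
}

# Prompt for the password instead of storing it in the script.
$secure = Read-Host -Prompt 'Password for csm_core_svc' -AsSecureString
$plain = (New-Object System.Net.NetworkCredential('', $secure)).Password

# /ESUseSsl defaults to False, so it is set explicitly. The ':value' form of
# /ESSslCertificate is an assumption based on the other properties.
$arguments = @(
    '/ESUserName:csm_core_svc'
    "/ESPassword:$plain"
    '/ESUseSsl:True'
    "/ESSslCertificate:$certFriendlyName"
)
& $configConsole @arguments

# Post-check: IIS must have an HTTPS binding on the default port (443) that
# uses the certificate selected above.
Import-Module WebAdministration
$bound = @(Get-WebBinding -Protocol https -Port 443 |
    Where-Object { $_.certificateHash -eq $certs[0].Thumbprint })
if ($bound.Count -eq 0) {
    throw 'No HTTPS binding on port 443 uses the selected certificate.'
}
$bound | Select-Object protocol, bindingInformation, certificateHash
```

The password is still passed to CortexConfigConsole.exe as a command-line argument, so it is visible in process listings and in any command-line audit logging while the tool runs.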