Installing the OctoSAM Web UI
The Web UI module offers a browser-based user interface for OctoSAM Inventory, OctoSAM License and OctoSAM Monitor.
Info
Before you install the Web module, make sure that at least one full housekeeping cycle has been performed by the import service.
IIS Application Pool account
Create a Windows service account that has database read/write access to the central OctoSAM Inventory database. You can use the service account created for the Import Service, but note that the Import Service needs schema modification and bulk import rights, while the IIS Application Pool account needs only read/write rights.
The service account also needs read/write permission for the configured log directories.
Set the .NET CLR Setting of the Application Pool to No Managed Code.
Administrators group
Designate a group in your IDP (either Active Directory or Entra ID) that contains your OctoSAM Web administrator accounts.
Create an IIS application
We recommend that you put the application in a sub-path of your IIS web server; do not place it in the server root.
When using Windows Integrated Authentication and Active Directory, configure the IIS application for Integrated Windows Authentication and do not enable Impersonation.
When using Entra ID as your IDP, allow anonymous access in IIS.
Configure the IIS Application to point to the Server\OctoWeb directory. With a standard configuration that would be D:\OctoSAM\Server\OctoWeb.
Configure RBAC replication in the import service
The OctoSAM Web Module depends on user information replicated by the Import Service. See the appsettings.json sample configuration file for details.
Note that you can currently use only a single Active Directory domain or a single Entra ID tenant for RBAC.
Configuration files
The application uses the appsettings.json configuration file.
Info
In most cases you should not have to modify config files within the OctoWeb folder. If you do, keep in mind that new versions of the software may overwrite this file, and you may have to re-apply your changes.
Bootstrap RBAC authorization
Designate an Active Directory or Entra ID group for your OctoSAM Web administrators and make sure that that group gets replicated to your database by the OctoSAM Import Service.
Setting up RBAC requires that at least one full housekeeping cycle has been performed on the database. Make sure the Import Service is running, or perform manual housekeeping by running:
OctoUtil housekeeping
Edit the global appsettings.json file and, in the "OctoWeb" section, add the current user to the SubstituteUsers section, substituting your user with the user 'built-in'. built-in is a special user for the application itself that has full admin rights.
Example using Windows Authentication and Active Directory:
    "OctoWeb": {
      //
      "SubstituteUsers": {
        "mydomain/myuser": "built-in"
      },
      //
    }
Example using Entra ID as IDP:
    "OctoWeb": {
      //
      "SubstituteUsers": {
        "john.doe@acme.com": "built-in"
      },
      //
    }
Recycle the IIS Application Pool that you configured for the Web Module.
You can now log on to the OctoSAM Web interface with full administrator rights. Notice the substitute user warning in the header region of the application.
Now you can select the Admin / Roles Menu and add the designated Active Directory Group(s) for the Administrator Role.
Add Service Account to Administrators role
It's OK to add the Service Account directly to the Administrators Role in the Windows Integrated Authentication scenario. This is an exception to the rule that roles should always be assigned to groups only.
Remove the SubstituteUsers configuration after you have completed the configuration of the Administrators role.
Recycle the IIS Application Pool.
You should now be able to log in to the application to configure additional Roles.
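An added example (not part of the OctoSAM documentation or product): a Python check that reports any SubstituteUsers entries still present in an appsettings.json after the bootstrap steps above. It assumes the file is JSON with optional `//` comments and trailing commas, and it compares the target to 'built-in' case-insensitively as a conservative choice; the function names and the sample are constructed for illustration.

```python
import json

ADMIN_IDENTITY = "built-in"  # special full-admin user named on this page

def strip_jsonc(text):
    """Drop // comments and trailing commas that sit outside strings."""
    out, i, in_str = [], 0, False
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < len(text):  # copy the escaped character as-is
                i += 1
                out.append(text[i])
            elif ch == '"':
                in_str = False
        elif text.startswith("//", i):
            nl = text.find("\n", i)
            i = len(text) if nl == -1 else nl
            continue
        else:
            if ch in "}]":  # remove a comma left dangling before the bracket
                while out and out[-1].isspace():
                    out.pop()
                if out and out[-1] == ",":
                    out.pop()
            in_str = ch == '"'
            out.append(ch)
        i += 1
    return "".join(out)

def find_substitute_users(config_text):
    """Return (account, target, maps_to_admin) for every SubstituteUsers entry."""
    config = json.loads(strip_jsonc(config_text))
    mapping = (config.get("OctoWeb") or {}).get("SubstituteUsers") or {}
    return [(user, target, str(target).lower() == ADMIN_IDENTITY)
            for user, target in mapping.items()]

# Constructed sample, modelled on the Active Directory fragment on this page.
SAMPLE = """{ "OctoWeb": {
    // bootstrap entry that should have been removed
    "SubstituteUsers": { "mydomain/myuser": "built-in" },
} }"""

if __name__ == "__main__":
    for user, target, is_admin in find_substitute_users(SAMPLE):
        print(f"{'ADMIN' if is_admin else 'note '} {user} -> {target}")
```

Feed it the contents of every appsettings.json in use, including any folder selected through a per-pool OCTOSAM_CONFIGURATION_FOLDER override; an empty result means no substitution is configured.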
Configure the application address
Configure the address under which the Application is visible to clients on the Admin - Settings Page. The URL configured here should match the configured SSL certificate. When the application is behind a reverse proxy or Web Application Firewall (WAF), you need to configure the address as seen by the client browsers.
Configure multiple instances of the web module on the same server
If you want to run multiple instances of the Web Module on the same server (for example, to connect to different databases), you can override the OCTOSAM_CONFIGURATION_FOLDER environment variable within IIS. The recommended way to do this is per Application Pool, which also allows you to run the Web Module under different accounts.
The example will configure the Application Pool "MyPool" to use application settings from D:\OctoSAM\Config\MyConfig\appsettings.json.
appcmd.exe can be found in c:/windows/system32/inetsrv if it's not in the PATH. This example requires IIS 10 (Windows Server 2016 or newer).
appcmd stop apppool /apppool.name:MyPool
appcmd.exe set config -section:system.applicationHost/applicationPools /+"[name='MyPool'].environmentVariables.[name='OCTOSAM_CONFIGURATION_FOLDER',value='D:\OctoSAM\Config\MyConfig']" /commit:apphost
appcmd start apppool /apppool.name:MyPool