FbF bioServer + App Server install process

v1.0 (09/12/2024)

1. Install FbF bioServer
2. Install FbF AppServer backend
3. Install FbF AppServer admin-app
4. Accessing the AppServer APIs
Appendix A: Specs
- Minimum specs
- Recommended specs
Appendix B: Configuring a bioServer instance to act as a new cluster node
Appendix C: Manual AppServer DB configration
Appendix D: List of ports
- FbF bioServer
- FbF AppServer

1. Install FbF bioServer

Open a command prompt as administrator.
Change your directory to the directory where you downloaded the bioServer installer (FbFBioServer.Setup.WIX-v3.0.XX.X.msi) using the "cd" command.
Run the installer by typing: FbFBioServer.Setup.WIX-v3.0.XX.X.msi (where the version number varies, for example: FbFBioServer.Setup.WIX-v3.0.94.0.msi, FbFBioServer.Setup.WIX-v3.0.97.2.msi)
When prompted for a License Key, copy/paste your bioServer activation key.
Click on the "Activate" button. Once successfully activated, click on "Continue".
Make sure to input the right DB configuration (host name, database name and credentials).
When prompted for the default taxonomy, you can leave the default values.
When prompted for a service account, select "Local System Account".
When prompted for Matching Server Configuration, keep the default values.
When prompted for Palm Vein configuration:
- If you have purchased a PalmSecure application key, make sure to input it in the application key field.
- otherwise, leave the default value.
Fiinish the bioServer install process by completing the installer.

Once the bioServer install is complete, check that the FBF/rpc IIS application uses an x64 Application Pool in IIS.

2. Install FbF AppServer backend

Launch the file install/install.bat in your install package. The DB configuration assistant will launch first.

The DB configuration assistant will first attempt to connect to a database using the configuration available in the AppServer configuration file (config/config.json). If the connection fails, you will be prompted with a set of questions. Answer those questions until you obtain a successful connection. The following example shows a full session of the DB config assistant:

-------------------------------------------------------
Welcome to the FbF AppServer DB configuration assistant
Loading DB configuration from ../backend/config/config.json
Current configuration:
{
  provider: 'mongodb-dev',
  uri: 'mongodb://127.0.0.1:27017',
  database: 'app-server',
  maxPoolSize: 20,
  socketTimeoutMS: 480000,
  keepAlive: true
}
Testing DB connection...
Connection error: connect ECONNREFUSED 127.0.0.1:27017

DB type [mssql/mongodb] (Default: mongodb): mssql

SQL Server host (Default: localhost):
Using default value localhost

SQL instance name (ex: SQLEXPRESS for localhost\SQLEXPRESS): SQLEXPRESS

Database name (Default: appserver): appserver-dev

Authentication type [sql/windows] (Default: sql):
Using default value sql

SQL username (Default: fulcrumuser):
Using default value fulcrumuser

SQL password: MyDbPassword203$

Enable `trusted connection`? (true for servers using a self-signed certificate, or accessible via IP address) [true/false] (Default: false):
Using default value false

Current configuration:
{
  provider: 'mssql-unencrypted',
  driver: 'mssql',
  server: 'localhost\\SQLEXPRESS',
  database: 'appserver-dev',
  user: 'fulcrumuser',
  password: '********',
  requestTimeout: 10000,
  pool: { min: 0, max: 100, acquireTimeoutMillis: 10000 },
  options: { encrypt: false, useUTC: true, trustedConnection: 'false' }
}
Testing DB connection...
Connection successful!
Do you want to save the DB settingS? [yes/no] (Default: yes):
Using default value yes

Writing to ../backend/config/config.json
Press ENTER to terminate...

Once the assistant has successfully connected to a DB, you will be asked if you want to save the configuration. Accept and finish following the instructions to move on to the file copy.

The installer script will copy the AppServer files to the following locations:

AppServer background process: C:\Program Files\Fulcrum Biometrics\appserver
AppServer administration application: C:\inetpub\wwwroot\admin-app
AppServer dedicated API endpoint: C:\inetpub\wwwroot\appserver

Once the files are successfully copied, the install helper will start and display the following output:

{"level":"info","message":"Initializing db","timestamp":"2024-02-23T18:45:46.527Z"}
{"level":"info","message":"Starting processor install","timestamp":"2024-02-23T18:45:46.817Z"}
------------ FbF App Server install ------------
---------- Step 1: Vault key generation
Input private key (or leave empty to auto-generate) then press ENTER:

If installing App Server on multiple servers with load balancing, reuse the private key generated on the first installed server then press ENTER.
If installing App Server on a single server (or on the first server of a cluster), do not input anything. Press ENTER to generate the key. The install helper will display the following output:

key: [private key] - Close this window ASAP!
Writing to ./config/config.json
Config successfully updated.

The new private key string can then be copied and installed on multiple instances of App Server. Multiple instances of App Server using a single database must use the same private key. We strongly recommend storing this key securely in a credentials manager for example.

Next, the install helper will display the following output:

---------- Step 2: License activation
Activation key? (Press ENTER without any key to skip)

Paste the AppServer activation key provided by Fulcrum. Make sure the activation key does not contain any trailing space, then press ENTER. You can skip this step by pressing ENTER without typing or pasting a key. If you choose to skip this step, refer to ---------- Step 3 further down.

The install helper will then display the following output:

Env? (prod|qa|offline). Default prod.

Skip this question by pressing ENTER. The install helper will then gather the required information and obtain a license from the Fulcrum license server (requires an internet connection using TCP port 443, host dev.fulcrumbiometrics.com).

Gathering computer information...
Host information { bios: '3Z0RGT2' }
POSTing https://dev.fulcrumbiometrics.com/lic/api/license/activation
Activation started...
GETting https://dev.fulcrumbiometrics.com/lic/api/license/activation/XXX
GETting https://dev.fulcrumbiometrics.com/lic/api/license/activation/XXX
License saved! You may now start the App Server

Next, the install helper will ask you define a default password the your AppServer admin account. The following output will be displayed:

---------- Step 3: admin.app password definition
Enter admin.app password:

Type-in the desired password. There is no complexity requirement. The password being typed will not be hidden, so make sure you are not sharing your screen at the time. We recommend you change your password upon logging into admin-app for the first time. After typing the password and pressing ENTER, the install helper will display the following output:

admin.app successfully created.

You will be able to log into admin-app using the username "admin.app" and this password.

Next, the install helper will create the AppServer windows service as displayed in the console:

---------- Step 4: Windows service install

To confirm everything has been configured properly so far, the install helper will launch AppServer manually. First, the following output will be displayed:

---------- Step 5: Manual launch test
Press ENTER to start the launch. After launch, press CTRL+C twice to terminate

Press ENTER and AppServer will start up. App Server should display an output similar to the following snippet:

C:\Program Files\Fulcrum Biometrics\app-server>node ./config/config.json
{"message":"Initializing db","level":"info","timestamp":"2021-01-13T15:02:54.419Z"}
{"message":"Starting processor startApp","level":"info","timestamp":"2021-01-13T15:02:54.649Z"}
{"eventId":"user-created","username":"admin","type":"superAdmin","level":"audit","message":"Created main admin account","timestamp":"2021-01-13T15:02:55.349Z"}
{"message":"Registering post /api/app","level":"info","timestamp":"2021-01-13T15:02:55.415Z"}
{"message":"Registering get /api/apps","level":"info","timestamp":"2021-01-13T15:02:55.415Z"}
...
{"message":"Clearing expired semaphore dedup-queue","level":"info","timestamp":"2021-01-13T15:02:55.447Z"}
{"message":"Successfully acquired semaphore dedup-queue","level":"info","timestamp":"2021-01-13T15:02:55.450Z"}
{"message":"6570232a - No more incoming, sleep","level":"info","timestamp":"2021-01-13T15:02:55.460Z"}

Note: The output is abridged (...) for clarity purposes.

Upon successful launch, the server firewall may warn you about an attempt to open a port. If necessary, update the local App Server port in the configuration. Then allow the port through the firewall.

Once you have confirmed AppServer launched successfully, press CTRL+C twice to end the process. After closing the AppServer launch test, the remaining command prompt windows may indicate errors. As long as the launch test was successful, you can ignore these errors.

You may now use the Windows Services user interface to manage the App Server service. You may change its startup mode and credentials as needed.

3. Install FbF AppServer admin-app

3.1 Install the web application

The previous install script copies admin-app into the default IIS location C:\inetpub\wwwroot\admin-app. If you want to use a different location, follow these steps:

Copy the admin-app folder to the desired target location.
In IIS, select the target web site (usually Server > Sites > "Default website").
Right click on the target web site and select "Add Virtual Directory". If "admin-app" already exists, you can skip these bullet points and move on to the note about file system permissions.
In the "Alias" field, type in admin-app.
In the "Physical path", browse to the location of your admin-app folder.

Note: IIS must have Read and Write file system permissions on the admin-app directory.

3.2 Configure an SSL certificate

Admin-app will not operate if the web server is not configured to use SSL. Please refer to IIS documentation for more information on how to configure SSL in IIS.

3.3 Accessing admin-app

You can now access admin-app. By default, the address should be https://localhost/admin-app

Default login: admin.app
Password: See password defined earlier.

After successfully logging in, we recommend immediately changing the password (top menu > Change password)

3.4 Enabling biometrics

To enable biometrics, define the FbF bioServer endpoint:

Log into admin-app.
In the main menu, go to "Cluster Status" then click on the "Configure" button.
Configure the cluster with a single endpoint: Fill in the bioServer REST endpoint address. It should follow the form "http://localhost/FBF/rpc/api", and must end with /api.

To check the status of bioServer, refresh the "Cluster Status" page.

4. Accessing the AppServer APIs

You can access the AppServer APIs via 2 different endpoints:

via admin-app. In which case, the default API URL is https://localhost/admin-app/api (for example, https://localhost/admin-app/api/ready).
If you do not want to expose admin-app outside of the server, you can use an alternative endpoint created by the install scripts: https://localhost/appserver/api (for example, https://localhost/appserver/api/ready). This endpoint doesn't include the admin-app web application.

Appendix A: Specs

Minimum specs

OS: Windows Server 2019
RAM: 8 GB
CPU: Intel i5 (or Xeon equivalent) with 4 cores
Disk: 512 GB disk

Recommended specs

OS: Windows Server 2022
RAM: 16 GB
CPU: Intel i5 (or Xeon equivalent) with 16 cores
Disk: 512 GB disk

The number of available cores directly impacts matching speed. As the population size increases, the number of cores and available RAM should be increased as well.

Appendix B: Configuring a bioServer instance to act as a new cluster node

After installing bioServer:

Open a text editor as Administrator.
Open the file: C:\Program Files\Fulcrum Biometrics\FbF bioServer\FbFServerEngine\FbFEngineHostManager.exe.config.
Look for the following settings:

    <add key="pv.start" value="0" />
    <add key="pv.end" value="10000" />

Define the start and end values in a way to split your total population evenly across the total number of nodes. For example, splitting a population of 120,000 templates over 3 nodes would be done using configuration such as:

	start	end
node 1	0	40000
node 2	40000	80000
node 3	80000	120000

After changing this configuration:

Restart the impacted VMs.
Log into AppServer's admin-app and configure your nodes in the Settings > bioServer menu.

Appendix C: Manual AppServer DB configration

The AppServer DB configuration can be updated by manually editting the AppServer configuration file (appserver/config/config.json) with a text editor. The following examples can be used as a basis to tweak the configuration.

SQL Server + SQL authentication example

    "db": {
        "provider": "mssql-unencrypted",
        "server": "localhost\\SQLEXPRESS",
        "driver": "mssql",
        "database": "appserver",
        "user": "...",
        "password": "...",
        "requestTimeout": 1000,
        "pool": {
            "min": 0,
            "max": 100,
            "acquireTimeoutMillis": 10000
        },
        "options": {
            "encrypt": false,
            "useUTC": true,
            "trustedConnection": false,
            "instanceName": "SQLEXPRESS"
        }
    },

SQL Server + Windows authentication example

Note: Windows Authentication is not supported on Windows Server 2022.

    "db": {
        "provider": "mssql-unencrypted",
        "server": "localhost\\SQLEXPRESS",
        "driver": "mssql/msnodesqlv8",
        "database": "appserver",
        "requestTimeout": 10000,
        "pool": {
            "min": 0,
            "max": 100,
            "acquireTimeoutMillis": 10000
        },
        "options": {
            "encrypt": false,
            "useUTC": true,
            "trustedConnection": true,
            "instanceName": "SQLEXPRESS"
        }
    },

MongoDB example

    "db": {
        "provider": "mongodb-dev",
        "uri": "mongodb://username:password@127.0.0.1:27017/appserver",
        "database": "appserver",
        "maxPoolSize": 20,
        "socketTimeoutMS": 480000,
        "keepAlive": true
    },

Appendix D: List of ports

FbF bioServer

Inbound
- TCP 443
Outbound
- TCP 443 for host licenses.fulcrumbiometrics.com (Only necessary at install time. Can be disabled once the install is complete.)
Internal ports (these ports must be accessible locally but must absolutely not be reachable externally)
- 8523
- 8524

Notes: bioServer will use IIS default's configuration in terms of ports. By default, the Defaut Website in IIS is accessible over http (TCP 80). Make sure to disable the use of port 80 and enable https (TCP 443). In addition, bioServer must be able to reach the database server.

FbF AppServer

Inbound
- TCP 443
Outbound
- TCP 443 for host dev.fulcrumbiometrics.com (Only necessary at install time. Can be disabled once the install is complete.)
Internal port (this port must be accessible locally but must absolutely not be reachable externally)
- 9999

Notes: AppServer admin-app will use IIS default's configuration in terms of ports. By default, the Defaut Website in IIS is accessible over http (TCP 80). Make sure to disable the use of port 80 and enable https (TCP 443). In addition, AppServer must be able to reach the database server.