Security Notice
The software described herein is configured to operate with at least the
minimum specifications set out by Schlumberger. You are advised that such
minimum specifications are merely recommendations and not intended to be
limiting to configurations that may be used to operate the software. Similarly,
you are advised that the software should be operated in a secure environment
whether such software is operated across a network, on a single system and/or
on a plurality of systems. It is up to you to configure and maintain your
networks and/or system(s) in a secure manner. If you have further questions as
to recommendations regarding recommended specifications or security, please
feel free to contact your local Schlumberger representative.
Table of Contents
About Single Sign On
Before you start
Setting up Merak Service Host
To install Merak Services
To create a secure SSO account
To configure a data source
To configure an Authorized Active Directory Group (optional step)
Running Merak Service Host using Windows Services or IIS
To run Merak Services from the Windows Services dialog box
To run Merak Services on an IIS server
Mapping Active Directory Accounts in the MAC
To map Active Directory group accounts in the MAC
To map Active Directory user accounts in the MAC
To bulk synchronize Merak groups with Active Directory groups (optional)
Viewing event reports
To view Event Reports
Appendix
Configuring IIS Server
Enabling SSL in SSO
Configuring a Firewall Port Exception for the SQL Server instance
How to reach us
Schlumberger Private - Customer Use
Merak Planning, Risk & Reserves
SQL
The Database Administrator creates a user who has permissions to log in to the
database server:
1. A login is created at the server level: <SQLServer>\Security\Logins. This login is
associated with a database user created at the database level.
2. A database user (associated with the previously created login) is created for
each secure Merak database that will be used with SSO:
<SQLServer>\Databases\<Databasename>\Security\Users.
3. The Database Administrator makes appropriate edits to the SS_SSOUser.sql
script (located in the Merak\Resource\Database Scripts\ folder on the Merak
installation disc) and then runs it to grant SSO permissions to the user account.
Oracle
The Database Administrator creates a schema user who has permissions to log in to
the database server:
1. A schema user is created and granted permissions to start a database session
(an example to create the schema user is provided in the Ora_SSOUser.sql script
in the commented section).
2. The Database Administrator makes appropriate edits to the Ora_SSOUser.sql
script (located in the Merak\Resource\Database Scripts\ folder on the Merak
installation disc) and then runs it to grant SSO permissions to the user account.
3. Click the System DSN tab and verify that an ODBC connection to a secure data
source is listed (otherwise, create one), and then click OK.
The connection string for the SQL data source on the server must specify a machine
name or IP address instead of the default (localhost)\. This connection string is
copied to client machines when their ODBC connection is created. A connection
string that displays (localhost)\ instead of a specific machine name will not connect
to the Merak Service Host server. Also, the connection string on the server and on
the client must be identical.
4. Using the Merak Service Host window, click Edit > Configuration > Single Sign
On.
The Merak Service Host – SSO Configuration dialog box appears.
5. Using the ODBC Data Sources tab, click in the ODBC DSN cell, and from the drop-
down list select the secure database that also appears in the System DSN tab of the
ODBC Data Source Administrator dialog box above.
TIP: An alias is used for the ODBC data source name (DSN), for example
Production, so that the name of the actual DSN does not appear in the
application. This facilitates administrative work on the database and
enhances security.
6. Type the user account created in the To create a secure SSO account procedure on
p. 2 above. For a SQL Server data source, use the login created (not the database
user). For an Oracle data source use the schema user name.
For Active Directory user accounts that are not mapped to a Merak user account using
the MAC, a new Merak user account is created the first time the user logs into Merak
using SSO. The new Merak user account that is automatically created inherits the
credentials of whatever Merak user account is typed into the Template User field of the
Merak Service Host ODBC Data Sources tab as depicted below:
The Template User name typed above must match a Merak user account created in the
MAC. Ensure that the database credentials assigned to the Template User in the MAC
are those that you want all unmapped Active Directory accounts to inherit.
7. Using the Merak Service Host dialog box, click the Application Data Sources tab,
and in the ODBC Data Source Name column, specify the database alias available to
various login dialog boxes throughout Merak and the associated login type (Boot
User). The Boot User Password can also be changed. Then click Save.
The name of the ODBC connection must be identical on the service host machine
and on the client machines.
2. Using the Services pane in the Services dialog box, right-click Merak Service Host
and from the context menu, click Start.
The Status in the Services pane displays as Started.
3. On every client machine that will be using Merak SSO, navigate to C:\Program Files
(x86)\Schlumberger\Merak 2017.2\, open the Merak.config file using a text editor,
and then scroll down to the <endpoint> node and for the address="" attribute,
specify address="http://123.123.1.12:10459/SingleSignOn.svc", where
123.123.1.12 is the IP address of the host machine on which the Merak Service
Host is running.
To verify that the Merak Service Host is running, configure your firewall settings to
allow the Merak Service Host service through, and then launch an application
in the Merak suite. Specify Single Sign On as the Authentication method and select a
secure database as the DataSource, and then attempt to log on.
For instructions on setting up a firewall inbound rule that enables remote client machines
to connect to SQL Server, see Configuring a Firewall Port Exception for the SQL Server
instance on p. 16.
7. Using the Connections pane of the Internet Information Services (IIS) Manager
dialog box, click Application Pools and note that the new Merak application pool
appears in the Application Pools pane.
8. Type the following string into the URL address bar of your browser
http://localhost/Slb.Merak.ServiceHost.WebApp/SingleSignOn.svc where localhost is
the address of the service host machine.
If an HTTP error message appears because ASP.NET needs to be registered with IIS, run
the following command from a command prompt as administrator: aspnet_regiis.exe -i.
The aspnet_regiis.exe file is typically located in the
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\ folder.
9. Navigate to C:\Program Files (x86)\Schlumberger\MerakService\Shell\ and open
the file Slb.Merak.ServiceHost.exe.Config in a text editor.
10. Using the text editor, scroll down to and select and copy the entire <SSO> section.
11. Navigate to the location where you copied the web app in step 5 above
(C:\inetpub\Slb.Merak.SsoService.WebApp\), and open the web.config file using a
text editor in administrator mode.
TIP: You can also navigate to the above folder using the Internet Information
Services (IIS) Manager dialog box by right-clicking
Slb.Merak.ServiceHost.Webapp and then clicking Explore from the
context menu.
12. Using the web.config file in the text editor, scroll down to and select the entire
<SSO> section and paste the contents of your Windows Clipboard to overwrite the
<SSO> section in the web.config file. It does not matter whether the <SSO>
section in the Slb.Merak.ServiceHost.exe.Config file is encrypted.
NOTE: If there are multiple nodes in the cluster, the above action must be
completed for the web.config file for every node in the cluster.
13. Still viewing the web.config file in the text editor, copy the service host URL
(http://localhost/Slb.Merak.ServiceHost.WebApp/SingleSignOn.svc, by default) to
the Windows Clipboard.
14. Using the client machine, navigate to C:\Program Files (x86)\Schlumberger\Merak
2017.2\ and open the Merak.config file using a text editor, and then scroll down to
the <endpoint> section and overwrite the URL with the URL copied above.
Procedures for both mapping groups and for mapping users in the MAC appear below.
3. With the Users tab displayed, in the User display pane select a user account, and
then to the right of the User display pane, click Edit.
The User Details dialog box appears.
4. Click Browse to the right of the Domain User box to display the Select User dialog
box and type the first few characters of the Active Directory user name with which
to associate the Merak user, and then click Check Names.
Active Directory user names that start with the character(s) you typed above, and
that are associated with the User object type appear.
5. Select the Active Directory user account with which to associate the Merak user,
and then click OK.
6. Complete the above steps for every Merak user to link to an Active Directory
account, and then click Save to close the User Details dialog box, and exit the MAC.
The name of the mapped Active Directory user account appears in the Domain User
column in the MAC Users tab.
Appendix
Procedures in this section are not core to the Merak Service Host Installation, but have
been included as suggested examples.
1. Click Start > Control Panel > Programs and Features > Server Manager to
display the Server Manager dialog box, and then click Add Roles and Features.
2. Using the Windows Features dialog box that appears, select the following options:
Internet Information Services > Web Management Tools > IIS Management
Console
Internet Information Services > World Wide Web Services > Application
Development Features > .NET Extensibility; ASP.NET; ISAPI Extensions; ISAPI
Filters
Internet Information Services > World Wide Web Services > Security > Request
Filtering; Windows Authentication
Microsoft .NET Framework 3.5.1 > Windows Communication Foundation HTTP
Activation
3. Click OK to apply all of the above changes.
4. Install the Microsoft Web Deployment tool by navigating to the following location in
a browser: http://go.microsoft.com/?linkid=9278654 and clicking Web
Deployment Tool Installation in the bottom of the left navigation pane to display
the page from which to download the Msiexec.exe installer. Depending on your
machine specifications, download either 32 or 64 bit.
NOTE: Only install the Web Deployment Tool after IIS is installed; otherwise, components of the Web
Deployment Tool that are integrated with IIS will not install correctly.
NOTE: On the Choose Setup Type window, select Custom and then select the
Remote Agent Service option along with the IIS Manager UI Module.
The Remote Agent Service option enables you to set up a remote agent on
one of the computers in the cluster so that the Web Deployment Tool can
then connect to and install the services host files without using Remote
Desktop Protocol.
6. Click Start > Control Panel > System and Security > Administrative Tools >
Internet Information Services (IIS) Manager.
The Internet Information Services (IIS) Manager dialog box appears.
7. Using the Connections pane, expand the root node and select Application Pools.
Ensure that at least one application pool is installed.
3. Configure SSL for service by selecting Sites > Default Web Site >
Slb.Merak.ServiceHost.WebApp in the Connections pane, and then clicking
SSL Settings in the display pane to the right.
4. Using the SSL Settings pane, specify Require SSL and Ignore Client
Certificates.
5. Edit the Framework\slb.verak.servicehost.webapp\webapp.config file. The
changes are underlined and highlighted in the sample below.
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="HttpBinding">
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="HttpBehavior">
        <serviceMetadata httpsGetEnabled="true" />
        <!-- Returns exception details to callers; set to "false" once the service is verified. -->
        <serviceDebug includeExceptionDetailInFaults="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Slb.Merak.SsoService.SsoService"
             behaviorConfiguration="HttpBehavior">
      <endpoint name="HttpEndpoint"
                binding="basicHttpBinding"
                bindingConfiguration="HttpBinding"
                contract="Slb.Merak.SsoService.ISsoService" />
      <endpoint contract="IMetadataExchange"
                binding="mexHttpsBinding"
                address="mex" />
    </service>
  </services>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true"
                             multipleSiteBindingsEnabled="true" />
</system.serviceModel>
6. Copy the valid SSO section from the
Build\Debug\Slb.Merak.ServiceHost.exe.Config file to the
Framework\Slb.Merak.SsoService.WebApp\Web.config file.
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="HttpBinding" sendTimeout="00:01:00">
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint name="HttpEndpoint"
              address="https://<IIS Server machine>/Slb.Merak.ServiceHost.WebApp/SingleSignOn.svc"
              binding="basicHttpBinding"
              bindingConfiguration="HttpBinding"
              contract="ISsoService" />
  </client>
</system.serviceModel>
11. Be sure to set up the ODBC data source with the same name as the name in the
SSO service configuration file (the ODBC source should have the same name on the
client machine and the service machine).
12. Try to reach the service in IE. There will be an untrusted certificate issue unless
you import the self-signed server certificate. Importing the certificate using the
browser places it in the Current User store instead of the local machine store, so
you will need to move it there after importing it. This can be done using
mmc.exe (described above).
13. Restart IE and ensure that the untrusted certificate error is gone.
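The following PowerShell check is an added example, not part of the Schlumberger guide or product. It parses a <system.serviceModel> section and reports settings that differ from the SSL configuration shown above, on both the service and the client side. Test-SsoServiceModel is a hypothetical helper, and both XML samples are constructed for the demonstration.

```powershell
# Test-SsoServiceModel is a hypothetical helper written for this example.
function Test-SsoServiceModel {
    param([Parameter(Mandatory)][xml]$Config)
    $findings = [System.Collections.Generic.List[string]]::new()
    # Bindings: SSL needs <security mode="Transport">; a missing element means None.
    foreach ($b in $Config.SelectNodes('//basicHttpBinding/binding')) {
        $sec  = $b.SelectSingleNode('security')
        $mode = if ($null -ne $sec) { $sec.GetAttribute('mode') } else { 'None' }
        if ($mode -ne 'Transport') {
            $findings.Add("binding '$($b.GetAttribute('name'))': security mode is '$mode'")
        }
    }
    # Service side: exception detail in faults, or metadata published over plain HTTP.
    # The XPath match is case-sensitive and assumes lowercase "true".
    $risky = '//serviceDebug[@includeExceptionDetailInFaults="true"] | //serviceMetadata[@httpGetEnabled="true"]'
    foreach ($n in $Config.SelectNodes($risky)) {
        $findings.Add("$($n.Name) enables a debug or plain-HTTP option: $($n.OuterXml)")
    }
    # Client side: the endpoint must be https and must name the service host.
    foreach ($e in $Config.SelectNodes('//client/endpoint')) {
        $addr = $e.GetAttribute('address').Trim()
        $uri  = $null
        if (-not [System.Uri]::TryCreate($addr, [System.UriKind]::Absolute, [ref]$uri)) {
            $findings.Add("client endpoint '$addr' is not an absolute URL")
        } elseif ($uri.Scheme -ne 'https') {
            $findings.Add("client endpoint '$addr' does not use https")
        } elseif ($uri.IsLoopback) {
            $findings.Add("client endpoint '$addr' points at the local machine")
        }
    }
    $findings
}

# Constructed sample inputs (not the product's shipped files).
$service = @'
<configuration><system.serviceModel>
  <bindings><basicHttpBinding>
    <binding name="HttpBinding"><security mode="Transport" /></binding>
  </basicHttpBinding></bindings>
  <behaviors><serviceBehaviors><behavior name="HttpBehavior">
    <serviceMetadata httpsGetEnabled="true" />
    <serviceDebug includeExceptionDetailInFaults="true" />
  </behavior></serviceBehaviors></behaviors>
</system.serviceModel></configuration>
'@
$client = @'
<configuration><system.serviceModel><client>
  <endpoint name="HttpEndpoint" binding="basicHttpBinding" contract="ISsoService"
            address="http://123.123.1.12:10459/SingleSignOn.svc" />
</client></system.serviceModel></configuration>
'@
Test-SsoServiceModel -Config $service
Test-SsoServiceModel -Config $client
```

To check a deployed file, pass its text instead of a sample, for example Test-SsoServiceModel -Config (Get-Content -Raw <path to web.config>).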
How to reach us
The Schlumberger Information Solutions (SIS) Support Portal
(support.software.slb.com) provides a single, online location for all your support needs.
Search a vast knowledge base for the answers you need, participate with your peers in
discussion forums, and receive the latest news about SIS products and services.
All support requests are entered into the SIS Customer Care Center incident tracking
system, where they are resolved by local support staff. For those times when you need
to speak with a support specialist, obtain assistance from local experts by calling one of
the numbers listed below.
United States
Houston Tel.: 1-866-829-0234
Canada
Calgary Tel.: 1-888-986-4357 (toll-free)