The first time Triplesec is started after an install it does not start up fully. Instead, the server starts a web application on port 8383 of localhost and waits for the administrator to configure the server. After the configuration wizard is completed, the server reconfigures itself with the new settings provided and starts up fully. The rest of this HOWTO describes the configuration settings for each page of the wizard.

Realm Configuration

Here users configure the primary realm for the Triplesec server as well as some parameters controlling SSO settings. This setting affects both the LDAP directory setup and the Kerberos server within Triplesec. Here's a screenshot of this screen:

Primary Realm Name

This is the default realm used by the server. If you are setting up the server to manage AAA for a specific domain you'll want to use that domain name here.

This setting affects both the LDAP and Kerberos configuration of the server. For example, using the realm example.com results in the creation of the dc=example,dc=com LDAP partition in the server. All users, applications and groups will be created in this partition. The Kerberos realm will be EXAMPLE.COM, and the principal for a user such as mcurie will be mcurie@EXAMPLE.COM.

The selection of the primary realm therefore affects how you configure Kerberos clients and LDAP clients. For Kerberos clients and OS configurations the krb5.ini or krb5.conf file will need to set the default realm accordingly.
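As an added example (not part of Triplesec), the following Python derives the LDAP partition and Kerberos realm that the text says a primary realm produces, for any number of domain labels, and renders the client-side krb5.conf sections that must agree with that choice; the KDC host name and port 88 (the standard Kerberos port) are assumptions, not values from this page.

```python
"""Derive what Triplesec creates from a primary realm name and render the
client-side krb5.conf that has to agree with it.
Added example, not part of Triplesec. KDC host and port 88 are assumptions."""


def realm_settings(primary_realm: str) -> dict:
    """Map a realm such as 'example.com' to the dc=example,dc=com partition
    and the upper-cased Kerberos realm EXAMPLE.COM, for any number of labels."""
    labels = [label for label in primary_realm.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("primary realm must be a non-empty DNS name")
    return {
        "base_dn": ",".join(f"dc={label}" for label in labels),
        "kerberos_realm": ".".join(labels).upper(),
    }


def principal(user: str, primary_realm: str) -> str:
    """Kerberos principal a Triplesec user receives, e.g. mcurie@EXAMPLE.COM."""
    return f"{user}@{realm_settings(primary_realm)['kerberos_realm']}"


def krb5_conf(primary_realm: str, kdc_host: str, kdc_port: int = 88) -> str:
    """Render the krb5.conf/krb5.ini sections a Kerberos client needs.
    Port 88 is the standard Kerberos port, assumed here rather than taken from
    the Triplesec wizard."""
    settings = realm_settings(primary_realm)
    realm, domain = settings["kerberos_realm"], primary_realm.strip().lower()
    lines = [
        "[libdefaults]",
        f"    default_realm = {realm}",
        "",
        "[realms]",
        f"    {realm} = {{",
        f"        kdc = {kdc_host}:{kdc_port}",
        "    }",
        "",
        "[domain_realm]",
        f"    .{domain} = {realm}",
        f"    {domain} = {realm}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(realm_settings("example.com"), principal("mcurie", "example.com"))
    print(krb5_conf("example.com", "kdc.example.com"))
```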

The rest of the settings on the Realm Configuration screen affect the tickets issued by the server and their lifetimes. We recommend using the default settings.

LDAP Configuration

Here the port for the LDAP service is configured, along with whether or not anonymous access is allowed. For dev and test environments we recommend enabling LDAP. Enabling anonymous access is at your discretion; however, we highly recommend disabling anonymous access for production environments.
On the next screen users can configure the LDAPS service, which we highly recommend for production environments where LDAP access occurs across the open Internet. Note that you can provide the path to your own existing SSL certificate file here. If the file does not exist, Triplesec will create one for you, using your realm configuration information for the certificate settings.
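To confirm on your own server that anonymous access really is off once you have disabled it in the wizard, here is an added Python check (not Triplesec code) that sends a single anonymous LDAP simple bind and reports whether the server accepted it; the host and port are placeholders and the sample responses are constructed for testing the parser.

```python
"""Check whether a Triplesec LDAP listener accepts anonymous binds.
Added example, not Triplesec code: it sends one anonymous LDAP simple bind
(RFC 4511 BER framing, no client library needed) and reads the resultCode."""
import socket

# Constructed LDAPMessage: messageID 1, BindRequest v3, empty DN, empty simple password.
ANON_BIND = bytes.fromhex("300c020101600702010304008000")
# Constructed BindResponse samples: resultCode 0 (success) and 48 (inappropriateAuthentication).
SAMPLE_ACCEPTED = bytes.fromhex("300c02010161070a010004000400")
SAMPLE_REFUSED = bytes.fromhex("300c02010161070a013004000400")


def _tlv(data: bytes, i: int) -> tuple[int, int, int]:
    """Decode the BER tag and length at offset i; return (tag, value_start, value_end)."""
    tag, length, i = data[i], data[i + 1], i + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, i = int.from_bytes(data[i:i + n], "big"), i + n
    if i + length > len(data):
        raise ValueError("truncated BER element")
    return tag, i, i + length


def parse_bind_result(data: bytes) -> int:
    """Return the resultCode of a BindResponse (0 means the bind was accepted)."""
    tag, i, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, _, i = _tlv(data, i)  # messageID INTEGER, skipped
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, i, _ = _tlv(data, i)  # [APPLICATION 1] BindResponse
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, start, end = _tlv(data, i)  # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(data[start:end], "big")


def anonymous_bind_allowed(host: str, port: int, timeout: float = 5.0) -> bool:
    """Send the anonymous bind over plain LDAP and report whether it was accepted.
    A bind response is a few dozen bytes, so a single recv is assumed to hold it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(ANON_BIND)
        return parse_bind_result(sock.recv(4096)) == 0


if __name__ == "__main__":  # placeholders: substitute your Triplesec host and LDAP port
    print("anonymous bind accepted:", anonymous_bind_allowed("ldap.example.com", 389))
```

A result of True on a production server means the wizard setting should be revisited; a non-zero resultCode (the server refused the empty bind) is what you want to see.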

SMS and Email Setup

Triplesec can use either Email or SMS to provision custom-built Hauskeys applications. If Email is used, users are sent a link for downloading the J2ME application and have to install the application on their cell phones using a PC link. This is not very convenient for mass provisioning. We therefore highly recommend using the SMS feature. However, to use this feature an SMS service provider is needed.

Below is the SMS configuration screen:

If you don't have an SMS service provider, just use a bogus password and URL for now. The server's SMS features simply will not work, and Email-based provisioning can be used instead. If you would like to register for a supported service provider, please contact NMSI for their special Triplesec (Safehaus) user promotions here. NMSI is currently the only supported provider. In the future Safehaus (courtesy of NMSI) will offer free SMS testing accounts for Triplesec users. Point your RSS reader to the following page for more information to come on free test accounts: Free SMS Test Accounts.

The next screen below is used to configure Email server settings:
Enter the hostname of the SMTP server that delivers email for your domain. The subject field is the subject used when sending email to users. The from field is the From and Reply-To address that will be used when sending the email.
If your SMTP server requires authentication, you can optionally configure that using a username and password. Check with your system administrator to determine what to use for these settings.

Web Server Settings

Triplesec comes packaged with optional web applications which are included in the installer and embedded into Triplesec. Triplesec runs these applications on port 8383 by default, but this port can be configured on yet another configuration wizard screen. One application is for registering users in the system and the other is for account activation and Hauskeys provisioning. Both apps can be used for self service to create and provision Hauskeys applications for new users. Don't worry: when using these applications, users get access to no application in the system except the demo application, for testing purposes.

The following screen affects the configuration of these applications:

Presentation Base Url

When provisioning the Hauskeys application, the registration application sends an SMS or Email containing the URL to go to in order to download Hauskeys, either to a PC or to the user's cell phone. The link presented to the user is controlled by the presentation base URL parameter on this screen.

When deploying Triplesec, users will put it behind a firewall and often set up a vhost to forward requests from port 80 to port 8383 (or whatever HTTP server port is configured) on the server. For example.com the admin may configure www.example.com:80 to forward to www.example.com:8383 or to another server altogether. When notifications are sent out, the base address delivered should point to http://www.example.com and not to http://www.example.com:8383. The presentation base URL is used for this purpose.

Redirect URL

The registration application can redirect users to another application after creating a new account. This can be configured on this screen along with a presentation base URL.

Web Server Port Configuration

On the following screen you can disable the web server completely, in which case these applications will not run. Sometimes this is desired if you have custom activation and registration applications, or have deployed these applications standalone, separate from Triplesec. The following screen allows you to turn off the embedded web server and set the port it runs on.
Also note that you can set the administrator's password for the entire server on this screen. It seems a bit odd to have it with the HTTP settings, so we may move it to its own screen down the road.

Enabling Demo Accounts

There are a number of demo accounts; on this screen you can enable or disable them, along with the demo application.

And that's it!