Prerequisites

• You must already have your SSL certificate on your server (chain.pem and privkey.pem / .crt and .rsa files). You can buy an SSL certificate from a reputable source for your Pyramid site or create a self-signed one (not recommended).
  If you have only pfx file, please refer to the following article on how to extract the private key and chains from the pfx file.
• Port 443 must be open inwards on both the server (that you Nginx is installed on), firewall and any external firewalls.

1) Install Nginx as follows (we assume the install is being done on Ubuntu but any Linux version that Nginx supports can be used.)

sudo apt-get update
sudo apt-get install nginx

2) Create the folder called "certs" and then copy across your two certificate files to this folder.

cd /etc/nginx/
sudo mkdir certs

3) Configure Nginx by running the following commands:

sudo unlink /etc/nginx/sites-enabled/default
cd /etc/nginx/sites-available/
sudo nano reverse-proxy.conf

The last command will open a text file, and the below should be pasted into it.
(Edit the names of the "chain.pem" and "privkey.pem" to the names of your certificate files.)
If the Pyramid web server is not running on the same server, then change localhost to the name of the server on which the Pyramid web service is running.
Update the "yourServername.mycompany.com" to the DNS site name that will be used to browse Pyramid

upstream backend{
      server <pyramid_server_1>:8181;
      server <pyramid_server_2>:8181;
   }

   # This server accepts all traffic to port 80 and passes it to the upstream.
   # Notice that the upstream name and the proxy_pass need to match.

   server {
  listen 443 ssl;
    ssl_certificate /home/master/fullchain.crt;
    ssl_certificate_key /home/master/privkey.key;
    server_name yourServername.mycompany.com;
    access_log /var/log/nginx/nginx.vhost.access.log;
    error_log /var/log/nginx/nginx.vhost.error.log;

      location / {
          proxy_pass https://backend;
      }
   }

4) Enable the site 

sudo ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf

5) Test to make sure there are no errors and restart Nginx 

sudo nginx -t
sudo service nginx restart

6) Test to see if you can browse to your site using SSL and if relevant that any Pyramid Pulse servers can connect to your Pyramid instance. 

Please refer to the following commands to extract the key and chain from the certificate:

Create an encrypted key file:

openssl pkcs12 -in certificate.pfx -nocerts -out privkey.key

Extract the server certificate:
 

openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out cert.crt

Extract the CA chain:
 

openssl pkcs12 -in certificate.pfx -cacerts -nokeys -out chain.crt

Create a full chain file:
 

cat cert.crt chain.crt > fullchain.crt

Prerequisites

• You must already have your SSL certificate on your server (chain.pem and privkey.pem / .crt and .rsa files). You can buy an SSL certificate from a reputable source for your Pyramid site or create a self-signed one (not recommended).
  If you have only pfx file, please refer to the following article on how to extract the private key and chains from the pfx file.
• Port 443 must be open inwards on both the server (that you Nginx is installed on), firewall and any external firewalls.
• You have purchased a public DNS record which is pointing to your Public IP address which in turn is pointing to the server that will have Nginx install on.

1) Install Nginx as follows (we assume the install is being done on Ubuntu but any Linux version that Nginx supports can be used.)

sudo apt-get update
sudo apt-get install nginx

2) Create the folder called "certs" and then copy across your two certificate files to this folder.

cd /etc/nginx/
sudo mkdir certs

3) Configure Nginx by running the following commands:

sudo unlink /etc/nginx/sites-enabled/default
cd /etc/nginx/sites-available/
sudo nano reverse-proxy.conf

The last command will open a text file, and the below should be pasted into it.
(Edit the names of the "chain.pem" and "privkey.pem" to the names of your certificate files.)
If the Pyramid web server is not running on the same server, then change localhost to the name of the server on which the Pyramid web service is running.
Update the "yourServername.mycompany.com" to the DNS site name that will be used to browse Pyramid

server {
  listen 443 ssl;
    ssl_certificate /etc/nginx/certs/chain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    server_name yourServername.mycompany.com;
    access_log /var/log/nginx/nginx.vhost.access.log;
    error_log /var/log/nginx/nginx.vhost.error.log;
    client_max_body_size 300M;
    location / {
proxy_pass http://localhost:8181;
    }
location /events {
proxy_pass http://localhost:8181/events;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
        }
}

4) Enable the site 

sudo ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf

5) Test to make sure there are no errors and restart Nginx 

service nginx configtest
sudo service nginx restart

6) Test to see if you can browse to your site using SSL and if relevant that any Pyramid Pulse servers can connect to your Pyramid instance. 

The following explains how we have mitigated the problems based on the latest component versions from the relevant vendors.

Pyramid

2020.20 / 2020.21

In 2020.22, Pyramid has replaced the old Log4J with version 2.17.0 - the most up-to-date, and issue free version available. The 5 affected JDBC drivers with Log4J problems are mitigated as follows:

• Apache Hive: takes the Log4J library used in the main application (so its 2.17.0)
• Apache Drill: takes the Log4J library used in the main application (so its 2.17.0)
• Neo4J: takes the Log4J library used in the main application (so its 2.17.0)
• Apache/Cloudera Impala: Pyramid has removed the offending code from the JDBC JAR file. This is included in the upgrade installation.
• Apache Spark: Pyramid has removed the offending code from the JDBC JAR file. This is included in the upgrade installation.

Bottom Line: Upgrade 2020.20 and 2020.21 to 2020.22.

2020.18

For those customers that are still operating 2020.18, the Log4J is an older version (1.x) that does not have the critical vulnerability. The 3 affected JDBC drivers with Log4J problems are mitigated as follows:

• Apache Hive: takes the Log4J library used in the main application (so its 1.x)
• Apache Drill: takes the Log4J library used in the main application (so its 1.x)
• Apache/Cloudera Impala: Pyramid has removed the offending code from the JDBC JAR file. Admins need to manually switch out the problematic JDBC JAR files. Instructions are provided below.

Log4J 1.x has other issues (although not graded critical). The latest Log4J version addresses these older problems. 

Bottom Line: Change the Impala JDBC drivers in 2020.18. Alternatively, upgrade the entire version to 2020.22.

Replacing The Impala JDBC JAR files

• Log into to each machine hosting Pyramid.
• Stop all services
  • For Windows: use the Services Manager
  • For Linux: in a terminal run:

    • sudo systemctl stop {service name}

    • Service names to shut down (in this order) are: pyramidAgent, pyramidFs, pyramidRTE, pyramidTE, pyramidAI, pyramidWeb, pyramidRTR
• Go to the installation folder, find the "LIB" sub directory and replace the Impala JAR file with the version found here. (Unzip it first).
• Restart all services
  • For Linux:

  • sudo systemctl start {service name}

2020.17 or older

For those customers that are still operating 2020.17 or older, the Log4J is an older version (1.x) that does not have the critical vulnerability. The 3 affected JDBC drivers (in 2020.17) with Log4J problems are mitigated as follows:

• Apache Hive: takes the Log4J library used in the main application  (so its 1.x)
• Apache Drill: takes the Log4J library used in the main application  (so its 1.x)
• Apache/Cloudera Impala: the included Log4J library is old and does not have the vulnerability.

Log4J 1.x has other issues (although not graded critical). The latest Log4J version addresses these older problems. 

Bottom Line: Do nothing or upgrade the entire version to 2020.22.

Kubernetes

Due to the complexity of manually tweaking Kubernetes containers, the right remedy for Kubernetes deployments is to upgrade the deployment to version 2020.22.

Pulse

Pulse, like the main Pyramid application, contains the same issues as described above. The remedies are identical:

• 2020.20/21 - upgrade to 2020.22, to get the latest Log4J and JDBC driver fixes
• 2020.18 - the main Log4J does not have the vulnerability. So manually switch out the Impala driver (link provided above). Alternatively upgrade.
• 2020.17 and earlier versions - do nothing or upgrade.

If you  would like any other guidance, please contact support.

The versions of the Log4J library that are affected by this critical issue are found in "Log4J2" for versions 2.0 through 2.14.1 (as documented in CVE-2021-44228 and described here and elsewhere on the internet). 

Pyramid, however, uses Log4J 1.2.17 which does NOT contain this problem and is therefore not exposed to this vulnerability.

In the next release (2020.22) we will upgrade this component to a new version and correct any issues found in older versions of the Log4J component (which are not considered critical). 

DEC-23-2021 :SEE THE UPDATED POSTING PROVIDING UPDATED REMEDIES FOR THE LOG4J VULNERABILITY

"Failed to read file list: SSLException: No PSK available. Unable to resume"

RESOLUTION: 

This can be resolved by making the following change in the file below:

In Windows:

"c:\Program Files\Pyramid\java\conf\security\java.security"

In Linux:

"/opt/Pyramid/java/conf/security/java.security"

Add TLSv1.3  into the line shown below:

 jdk.tls.disabledAlgorithms=TLSv1.3, SSLv3, RC4, DES, MD5withRSA, DH keySize

**Before editing the file please create a copy of the file first**

Once the above change has been made, restart all Pyramid services and then try to run the ETL again.

The above change should be done on all Pyramid task engine servers in your deployment. 

Some organizations security policy require a change of passwords periodically,
in which case the Pyramid repository credentials may need to be updated in the Pyramid config.ini.
Since the password is encrypted, you'll require the attached utility. 

UPDATE:

If you are using  Pyramid 2020.20 and above, then there is a maintenance tool name "run" that can change the password and the path to it is- C:\Program Files\Pyramid\core\maintenance

For more info, please see our help article here

Steps to resolve:

1. Download the utility tool called "updateCredentials .zip" here

2. Extract the contents and then open a command prompt from that location

3. Run the following command (before doing so, take a backup of the config.ini file found in the Pyramid install directory)

"C:\Program Files\Pyramid\java\bin\java" -classpath "lib/*;classes/*;conf/*" com.pa.tools.maintenance.Maintenance"

Once entering the command the tool will start to run as shown below.

Notes

• you may need to adjust the location of your Pyramid installation to match your local install.
• if you are using Pyramid 2018 you must download and install this version of Java in order to be able to run the tool.
  https://www.oracle.com/java/technologies/javase/jdk11-archive-downloads.html#license-lightbox
  Once downloaded and installed, point to this Java and not the one in the Pyramid install folder.

4. You will then be asked a number of questions to point it to the Pyramid install
such as the install location, the new SQL credentials, database name and for a Pyramid admin credentials. (You may see some warning messages, these can be ignored)

5. Once finished, the tool will update the Pyramid config.ini with the new details provided in the above steps. You should get a message as below the the "credentials updated successfully"

6. Restart all Pyramid services and check that they stay started and that you can log in to Pyramid.
If the services do not stay started, It may indicate a problem with the new given credentials, so these should be checked to make sure they are correct and work.

On a multi-server deployment, the above steps should be repeated for all the Pyramid servers in the deployment.
Or, you can just update the other config.ini files manually with the new encrypted password taken from the first config.ini file and the username if this has been changed too.

Update the username, password and contentID(to get the ID, right click on the item to embed >Metadata) to those relevant to your Pyramid setup. If using a filter then update with the filter hierarchy, level and filter item you want to filter by. If no filter is required then just comment it out as below
//var filters = Filter.create();

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Simple Embed Example</title>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
    <script src="https://cdn.jsdelivr.net/npm/js-cookie@2/src/js.cookie.min.js"></script>
    <script src="https://MyPyramidSite.com/no-shell/pyramid-embed-js.min.js"></script>
    <meta charset="UTF-8">
</head>

<body>
    <h1>My Report</h1>
    <div id="myContainer" style="width:1000px;height:400px;"></div>

<script>
        function embedDemo() {
            var client = new PyramidEmbedClient('https://MyPyramidSite.com', 'username', 'password!');

var filters = Filter.create();
            filters.add("dates", "year", "2015");

client.embed(document.getElementById('myContainer'), {
                contentId: '7ce217a0-edb4-4c2a-a590-3199c3b5afbc',
                filters: filters,
            });
        }

$(document).ready(function(){
            embedDemo();
        });
    </script>
</body>
</html>

For futher reading please see our extensive help site embed section. For a general over view click here and for futher reading click here

These logs can provide information about the client-side script that runs the application.

First - open the DevTools window of Chrome by pressing F12 or:

To get the console logs:
If it’s a client-side error then it's important to see the console errors as shown.
Click on the Console and you will see the errors. Click on "Save as" for each row and save it + send a screenshot showing the console.

To get the HAR file:

Click on the Network tab and get Pyramid ready to reproduce the issue. Before you reproduce it - click on the clear button (red arrow) + tick the box Preserver logs and disable cache,  then reproduce the issue. Then right-click on any of the rows and choose “save all as HAR content”

This means that the Database/SAML authentication is selected but the Pyramid user has no proxy user defined for it.
This is needed to be able to connect to a cube or tabular data source when the connection is set to use effective user as shown below:

 If the data source is set to use EffectiveUserName then the Proxy Account as shown below must have an AD user setup.
Either domain\Username or username@domain

If cube security is not required then the Window Domain Access can be set to "Don't use cube security" and it is therefore not needed to set up a proxy user for each Pyramid user.

Overview 

The password for the internal  system account used with Pyramid installations on Linux servers is not being set correctly to a random value during installation.

If Linux servers are exposed outside network security barriers (both internal or external), this can compromise the security of the host servers. If servers are well protected, urgency around this issue is reduced.

Note: This does not affect the application client exposed via browsers and mobile devices.

Affected Versions

All Linux (Ubuntu, Centos, Debian, Oracle, RedHat) installations of Pyramid, versions 2020.00 - 2020.05.

Remedies

Immediate Remedy

Admins are advised to immediately change the password of the "pyramid" user account on all Linux systems using the following example command. The user changing the password needs to have root privileges.

sudo passwd pyramid

This should be immediately applied to all existing installations of Pyramid on Linux OS servers.

Long Term Remedy

The flaw has been corrected and is fixed for all new installations using version 2020.10 on wards. 

The fix will upgrade all installations as well.

Any SSL certificates must be uploaded through the Pyramid Application and not directly into the Java store (in less login to Pyramid is not possible, then it can be done manually as explained later on in this article). See the help link below on how to do this:

https://help.pyramidanalytics.com/Content/Root/AdminClient/security/Certificate_Manager.htm?tocpath=Admin%20Help%7CSecurity%7CCertificate%20Manager%7C_____0

In order to configure LDAPS or set up migration environments on environments that are running with SSL, you must start by exporting the certificate and load it into the java cacerts keystore.

It must be done where the Runtime Engine, Task Engine, and the Web Server has been installed.

The certificated must be the same as you have configured on the LDAPS server.

In newer versions of Pyramid, the certificate can be uploaded in Pyramid by navigating to the Admin Console, expanding the Security section, and selecting Certificate Manager. For more information, please refer to the link below.

https://help.pyramidanalytics.com/2023/Content/Root/AdminClient/security/Certificate_Manager.htm?cshid=1641

If your version of Pyramid does not have the Certificate Manager then the SSL certificate will need to be uploaded to the keystore manually.

For instructions on how to do this see below:

1.     Open the Run dialog, select the Windows and R keys.

2.     Open the Microsoft Management Console (MMC) by entering mmc in the Run dialog, then select OK.

3.     On the User Account Control prompt, click Yes to launch MMC as administrator.

4.     From the File menu, click Add/Remove Snap-in...

5.     In the Certificates snap-in wizard, choose Computer account, then select Next.

6.     On the Select Computer page, choose Local computer: (the computer this console is running on), then select Finish.

7.     In the Add or Remove Snap-ins dialog, click OK to add the certificates snap-in to MMC.

8.     In the MMC window, expand Console Root. Select Certificates (Local Computer), then expand the Personal node, followed by the Certificates node.

9. Choose the certificate in the step as shown, such as yourdomain.com. Right-select this certificate, then choose  All Tasks > Export...

1.     Do not export the private key.
2.     Select either the first or second option (ending in .CER).
3.     Select relevant path and file name

10.   Open 'Command Prompt' and use 'keytool' to import the certificate to Java.

1. Enter the path to the keytool and enter the command in the example below. Note that the keytool is located within the bin folder in the Java directory (like C:\Program Files\Pyramid\java\bin)
2. For Linux /opt/pyramid/java/bin 

Example:

For Pyramid 2020 onwards:

Windows

keytool -keystore "C:\Program Files\Pyramid\java\lib\security\cacerts" -import -alias certificate -file “[saved-path]\[certificate-name].cer”

Linux:

sudo keytool -keystore "/opt/pyramid/java/lib/security/cacerts" -import -alias certificate -file "[saved-path]/[certificate-name].cer”

If the keytool is not found, you will get prompted with the command to run to install it. Install it using the command relevant to your Linux version. 

The location could be in another place depending on Pyramid version.

IMPORTANT

Be aware of the difference between the two examples above, and use the appropriate option. Depending on which option is relevant to you, there may or may not be a space in "Pyramid"

NOTE:

Saved-path – the location where the Certificate.pfx was saved.

Certificate-name - this is the name that the certificate was saved as.

1. Next, click Enter and enter the password (the default password is 'changeit') and click Enter.
2. Next, under Trust this computer, enter 'y' and press Enter.
    

11.   Open task manager, go to services, restart the Runtime Engine, Task Engine, and Web service.

In order to delete the uploaded certificated please use the following command:

keytool -delete -alias certificate -keystore "C:\Program Files\Pyramid\java\lib\security\cacerts" -storepass changeit

12. After you have imported the certificate and restart the services go to:

1. Pyramid Admin console 

2. Security> Authentication and update the following settings:

LDAP Address change to your LDAPS address

Change the port to 636 or 3269 if the first one does not work. 

Click the Apply button.

Resources:

How to import a certificate into Java: Here

How to export the certificated from the PC: Here

The reason might be that your LDAP address sometimes returns Domain Controllers (DC) that do not work. To check what domain controller is being returned by the LDAP address at the time of the login issue, ping the LDAP address from the Pyramid server(s) to see what IP address is returned. With the IP it is then possible to know which domain controller it is that might not be working correctly.

To resolve the problem, use ONE of the following three suggested solutions.

1. The preferred option is to get your LDAP DNS fixed so that it only returns good working domain controllers.
    
2. The next best option is to add an entry to the local Host file of the Pyramid server(s) that points your LDAP address to one good known domain controller* that works.
   The host entry would look like the example below:
   
   If my LDAP address is LDAP://DC=TEST,DC=EXAMPLE,DC=COM
   And one of the Domain Controllers IP = 172.29.3.211
   
   Then you would add the following to the host file:
   172.29.3.211 TEST.EXAMPLE.COM
   
   the host file can be found at:
   C:\Windows\System32\drivers\etc

* to get a list of domain controllers the below command can be run from the command prompt.

nslookup -type=all _ldap._tcp

3. The third but unrecommended option is to log in to the Admin console and point Pyramid directly to one of your Domain Controllers without the need to edit the local host file on each Pyramid machine.
The disadvantage to this is that if this one domain controller fails there will be no way to login to the Pyramid application in order to update it to another one. Please see below on how you would point to one domain controller:

Under Admin>Access>domain settings - the bold text is where the domain controller would be specified followed by the LDAP address.
LDAP://TESTDC1.TEST.EXAMPLE.COM/DC=TEST,DC=EXAMPLE,DC=COM

Note that support for configuring a DC in the LDAP path was only introduced in version 2018.05.163. 

• Pyramid File Server - 12150**
• Pyramid Agent - 12190**
• Pyramid Task Engine  - 12110
• Pyramid Runtime Engine - 12100,12101
• Pyramid Router Server - 12120
• Pyramid Windows Connector (Windows Cx) -12140,12141 
• Pyramid Web Server - 8181 *
• Pyramid Web Server (internal communication) - 8282
• Pyramid In-memory Database - 12170
• Internal PostgreSQL Database Repository - 12130
• Augmented Analytics server ("AI") (DS/ML) - 12200
• Pyramid NLP (Natural Language Query) - 12300

All Pyramid services must be able to communicate with each other directly so all the ports must be open between all the servers in the Pyramid install.

NOTE:
If the designated port is in use when the service starts up, it will try to use the next available port.
This is why you should allow a range of ports and not specific ones.
You should allow a range between 12100–12310, PLUS the web server ports.
The ports that are being used can be confirmed by looking at the diagnostic page found at http://MyPyramidSite.com/Diagnostic

For disabling the port incrementation behavior to prevent a situation when an incremented port is not available, add into the table [dbo].[admin_tbl_settings] in the Pyramid repository a row called "autoAdvancePort" and set its value to false. This option is available only from version 2020.23.120.

* The web servers are accessible through port 8181. In production, reverse proxies are usually setup to communicate with the web servers on this port only. Then, the proxies typically expose ports 80 (HTTP) or 443 (HTTPS) to users. So, port 8181 need only be accessible inside the firewall.

**The agent and file server are installed on each Pyramid server where one of the other services have been installed.

Below is a simple example of a web page that displays Pyramid content and authenticates to the Pyramid Embed API in order to create a cookie for authentication. You must have the embed add on included in your licence for the embed feature to work.

1) Replace the div tag with one of your report div tags as shown in the screenshot below:

Click on the Action panel on the content you want to embed>Click on the "embed" icon">choose copy without the script (see attached screenshots)

  
2) Add a username and password from your pyramid system that has access to the content. If you need to add your AD domain name it should be included with the username so domain\\UserName
3) Update the 2 lines in bold to your Pyramid 2018 URL

Its important to note that the file you create should be saved as a html file and run from a web server.

<html>
 <head>
 <meta charset="UTF-8">
 </head>
 <body>
  <!-- add the jquery & js-cookie scripts -->
  <script src="https://code.jquery.com/jquery-2.2.4.min.js"></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/js-cookie/2.2.0/js.cookie.min.js"></script>

<div data-id="cee1d574-1a9c-48d1-8825-2bae245c4f12" data-type="discovery" class="pyramid-embed pyramid-auto" style="width:1000px;height:400px;" data-host="http://PyramidURL.com"></div>

<script>
  function GetAuthentication(userName, password) {
    var credentials = {data: {userName: userName, password: password,domain: document.domain}};

$.ajax({ 
    type: "POST",
    url: "http:// PyramidURL.com /API2/auth/authenticateUserEmbed",
    data: JSON.stringify(credentials),
    }).done(function(token){
    Cookies.set('PyramidEmbeddedAuth', token);
    pyramidInit();
    });
  };

if (Cookies.get('PyramidEmbeddedAuth') == null) {
    GetAuthentication("USERNAME", "PASSWORD");
  }
  </script>

<script src="http://PyramidURL.com/no-shell/embed.js"></script>

</body>
</html>

For further reading on how to use the embed feature please see our online help section here

Note that this cannot be used to change to port 80. To do you need to use an external webserver /load balancer. Once such possibility is IIS. To configure IIS please see this article:

https://community.pyramidanalytics.com/t/635fyg/how-to-create-a-pyramid-2018-website-in-iis-after-an-install

First, you need to install the following IIS modules :

To install "IIS URL Rewrite Module 2" and "Microsoft Application Request Routing 3.0" please download and install them using the links below:
Note, that before installing them, you'll need to close IIS first.

• Microsoft Application Request Routing 3.0: 
  https://www.iis.net/downloads/microsoft/application-request-routing
• IIS URL Rewrite Module 2: https://www.iis.net/downloads/microsoft/url-rewrite
  NOTE: The Application Request Routing should include the IIS URL Rewrite Module, but if it's not, here is the URL to install it.

Once the above two IIS add-on's have been downloaded, run the installer and follow the on-screen prompts.

Once the above two models have been installed, activate the proxy as shown below:
Open IIS >Double click on the server name(1)>Double Click on "Application Request Routing Cache"(2)
 
Click on "Server Proxy Settings..."(3)

Then Tick the box "Enable proxy"(4)>Click on Apply(5)

Secondly, create a new website and point it to the following location:

C:\program files\pyramid 2018\repository\iis

For the site name call it "pyramid2018", for the Physical path point it to C:\program files\pyramid 2018\repository\iis, for the hostname it can be anything but please note that you must add this to your DNS or local host file.

Then double click on the newly created site >URL Rewite. Double click on the first rule and make sure the Rewrite URL is: http://localhost:8181/{R:1}

Once the above steps have been done, please do an IISRESET and then try to access Pyramid 2018 again using the newly created IIS website.

NOTE: Ensure that the relevant ports are open on the firewall: 80 for HTTP and 443 for HTTPS.

1. Add your Pyramid's Web site to the list of TRUSTED SITES or Local intranet in the browser through Tools > internet options > Security > Trusted sites > Sites

2. Configure IE for automatic logon with current credentials by enabling "Automatic Logon with current username and password" in Tools > Internet Options > Security >Trusted sites(or Local intranet) > Custom level.

 3. Make sure Internet Explorer is configured for Integrated Windows Authentication through: Tools > Internet options > Advanced > Scroll all the way down and make sure that "Enable integrated Windows authentication" option is checked.

4) If users are still getting a login prompt please make sure that you have a valid HTTP spn for the site name. To set this SPN you must be a domain admin. Open a command prompt and use the following command

setspn -s HTTP/MyPyramidSite.com.FQDN ServerName$

setspn -s HTTP/ MyPyramidSite.com  ServerName$

*replace "MyPyramidSite.com" with your pyramid website address

*replace "FQDN" with your fully qualified domain name.

*replace "ServerName" with the machine name of the Pyramid web server. In most cases the machine name is used. If you are using IIS and running the application pools under a AD user, then user domain\ADUser instead of the machine name.

To setup google chrome or firefox for windows authentication please see the link below:

Please note there is only a need to do the below setup, if the users are getting a login prompt after windows authentication has been turned in the Pyramid 2018 admin and you have confirmed that you have a valid HTTP spn for the Pyramid site as explained above in number 4.

https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication

In case you are still having issues logging into Pyramid using Windows Authentication, please contact support.

If either or both "IIS URL Rewrite Module 2" and "Microsoft Application Request Routing 3.0" have not been installed, please download and install them using the links below:
Note, that before installing them, you'll need to close IIS first.

• Microsoft Application Request Routing 3.0https://www.iis.net/downloads/microsoft/application-request-routing
• IIS URL Rewrite Module 2
  https://www.iis.net/downloads/microsoft/url-rewrite

Once the above two IIS add-on's have been downloaded, run the installer and follow the on-screen prompts.

Once Pyramid 2018 installed, activate the proxy that will be installed as shown below:
Open IIS >Double click on the server name(1)>Double Click on "Application Request Routing Cache"(2)
 

Tick the box "Enable proxy"(3)>Click on Apply(4)
 
Once the above steps have been done, please do an IISRESET and then try to access Pyramid 2018 again.

1. Right Click on the "Pyramid" site and choose edit bindings(1)>Click on Add(2)>Choose "https"(3)>set the required 
   host name(4) > Choose your SSL certificate(5)
    
2. Edit the web.config of the site, which by default is: C:\program files\pyramid\repository\iis\web.config
   
   Add the following lines (in Bold text):
   By adding these lines in the web.config, all HTTP requests will be redirected to HTTPS.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP/S to HTTPS Redirect" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAny">
            <add input="{SERVER_PORT_SECURE}" pattern="^0$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
        </rule>
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:8181/{R:1}" />
        </rule>
      </rules>
    </rewrite>
    <defaultDocument>
      <files>
        <clear />
        <add value="readme.html" />
      </files>
    </defaultDocument>
  </system.webServer>
 </configuration>