
Copyright

Copyright © 2018 Schlumberger. All rights reserved.


This work contains the confidential and proprietary trade secrets of
Schlumberger and may not be copied or stored in an information retrieval
system, transferred, used, distributed, translated or retransmitted in any form
or by any means, electronic or mechanical, in whole or in part, without the
express written permission of the copyright owner.

Trademarks & Service Marks


Schlumberger, the Schlumberger logotype, and other words or symbols used to
identify the products and services described herein are either trademarks, trade
names or service marks of Schlumberger and its licensors, or are the property of
their respective owners. These marks may not be copied, imitated or used, in
whole or in part, without the express prior written permission of Schlumberger.
In addition, covers, page headers, custom graphics, icons, and other design
elements may be service marks, trademarks, and/or trade dress of
Schlumberger, and may not be copied, imitated, or used, in whole or in part,
without the express prior written permission of Schlumberger. Other company,
product, and service names are the properties of their respective owners.
Merak® is a mark of Schlumberger.
An asterisk (*) is used throughout this document to designate other marks of
Schlumberger.

Security Notice
The software described herein is configured to operate with at least the
minimum specifications set out by Schlumberger. You are advised that such
minimum specifications are merely recommendations and not intended to be
limiting to configurations that may be used to operate the software. Similarly,
you are advised that the software should be operated in a secure environment
whether such software is operated across a network, on a single system and/or
on a plurality of systems. It is up to you to configure and maintain your
networks and/or system(s) in a secure manner. If you have further questions as
to recommendations regarding recommended specifications or security, please
feel free to contact your local Schlumberger representative.

Schlumberger Private - Customer Use


Merak Planning, Risk & Reserves

Table of Contents
About Single Sign On
Before you start
Setting up Merak Service Host
    To install Merak Services
    To create a secure SSO account
    To configure a data source
    To configure an Authorized Active Directory Group (optional step)
Running Merak Service Host using Windows Services or IIS
    To run Merak Services from the Windows Services dialog box
    To run Merak Services on an IIS server
Mapping Active Directory Accounts in the MAC
    To map Active Directory group accounts in the MAC
    To map Active Directory user accounts in the MAC
    To bulk synchronize Merak groups with Active Directory groups (optional)
Viewing event reports
    To view Event Reports
Appendix
    Configuring IIS Server
    Enabling SSL in SSO
    Configuring a Firewall Port Exception for the SQL Server instance
How to reach us


About Single Sign On


Administrators install Single Sign On (SSO) so that Merak users’ login credentials are
based on their Active Directory settings. This way, administrators no longer need to
manage a separate batch of logins for the Merak suite. SSO also enables enhanced
security, as new random passwords are automatically generated each time a Merak
user launches a product in the Merak suite.
After completing the steps in this document, if you require additional support, refer to
How to reach us, on p. 16, to request a copy of Troubleshooting Login Errors
for Merak Secure and Single Sign On.

Before you start


Ensure the following is installed on the computer where you are installing Merak
Service Host:
• .NET 4.5
• Administrative privileges. Type (do not Copy/Paste) the following command to enable
  non-administrative users to run the service host:
  netsh http add urlacl url=http://+:10459/SingleSignOn.svc/ user=DIR\XYZ
  where DIR is the domain name, and XYZ is the user account name.
• In order to create ODBC connections for Merak Service Host, Oracle 12.2 client or
  SQL Server Native Client 11 (as applicable) must be installed on the machine.
• For Oracle: Install the 32-bit Oracle Data Access Components (ODAC). At present,
  the desired installer is ODTwithODAC122011.zip.
• For SQL: Install the SQL Server Native Client 11. At present, the desired installer is
  SQL Server Native Client 11.

Setting up Merak Service Host


Install Merak Service Host, set up an SSO account, and then set up the mapping
between the Merak Service Host and a production database.

To install Merak Services


1. Using the DVD on which Merak shipped, navigate to the MerakService\Install folder
and then double-click Merak Service Setup.exe.
2. Click Next through the installation wizard screens accepting the defaults, and then
click Close.


To create a secure SSO account


When SSO launches (either running as a Windows service, or running on an IIS
server), it uses the SSO database account to read, synchronize, update, create, and
verify the Merak user’s credentials.
A database user account is granted SSO permissions based on the database platform.

SQL
The Database Administrator creates a user who has permissions to log in to the
database server:
1. A login is created at the server level: <SQLServer>\Security\Logins. This login is
associated with a database user created at the database level.
2. A database user (associated with the previously created login) is created for
each secure Merak database that will be used with SSO:
<SQLServer>\Databases\<Databasename>\Security\Users.
3. The Database Administrator makes appropriate edits to the SS_SSOUser.sql
script (located in the Merak\Resource\Database Scripts\ folder on the Merak
installation disc) and then runs it to grant SSO permissions to the user account.

Oracle
The Database Administrator creates a schema user who has permissions to log in to
the database server:
1. A schema user is created and granted permissions to start a database session
(an example to create the schema user is provided in the Ora_SSOUser.sql script
in the commented section).
2. The Database Administrator makes appropriate edits to the Ora_SSOUser.sql
script (located in the Merak\Resource\Database Scripts\ folder on the Merak
installation disc) and then runs it to grant SSO permissions to the user account.

To configure a data source


Create a data source on the host machine that is running Merak Service Host. All of the
data sources to expose to Merak users are configured on this machine. The data source
is pushed to client machines.
1. Click Start > All Programs > Schlumberger > Merak Service Host, and then
right-click Merak Service Host, and select Run as administrator from the context
menu.
2. Using the Merak Service Host window, click Edit > ODBC Administrator.
The ODBC Data Source Administrator dialog box appears.


3. Click the System DSN tab and verify that an ODBC connection to a secure data
source is listed (otherwise, create one), and then click OK.
The connection string for the SQL data source on the server must specify a machine
name or IP address instead of the default (localhost)\. This connection string is
copied to client machines when their ODBC connection is created. A connection
string that displays (localhost)\ instead of a specific machine name will not connect
to the Merak Service Host server. Also, the connection string on the server and on
the client must be identical.
4. Using the Merak Service Host window, click Edit > Configuration > Single Sign
On.
The Merak Service Host – SSO Configuration dialog box appears.
5. Using the ODBC Data Sources tab, click in the ODBC DSN cell, and from the drop-
down list select the secure database that also appears in the System DSN tab of the
ODBC Data Source Administrator dialog box above.

TIP: An alias is used for the ODBC data source name (DSN), for example
Production, so that the name of the actual DSN does not appear in the
application. This facilitates administrative work on the database and
enhances security.

6. Type the user account created in the To create a secure SSO account procedure on
p. 2 above. For a SQL Server data source, use the login created (not the database
user). For an Oracle data source use the schema user name.
For Active Directory user accounts that are not mapped to a Merak user account using
the MAC, a new Merak user account is created the first time the user logs into Merak
using SSO. The new Merak user account that is automatically created inherits the
credentials of whatever Merak user account is typed into the Template User field of the
Merak Service Host ODBC Data Sources tab as depicted below:

The Template User name typed above must match a Merak user account created in the
MAC. Ensure that the database credentials assigned to the Template User in the MAC
are those that you want all unmapped Active Directory accounts to inherit.


7. Using the Merak Service Host dialog box, click the Application Data Sources tab,
and in the ODBC Data Source Name column, specify the database alias available to
various login dialog boxes throughout Merak and the associated login type (Boot
User); the Boot User Password can also be changed. Then click Save.
The name of the ODBC connection must be identical on the service host machine
and on the client machines.

To configure an Authorized Active Directory Group (optional step)

Complete this step to add an additional level of security to Merak SSO. In this case,
anyone who is not a member of the specified Active Directory group cannot access
SSO; however, access to Merak applications, such as Peep, is controlled using the
MAC.
1. Launch the Merak Service Host utility as explained in the process above.
2. Go to the main Merak Service Host window and select Edit > Configuration >
Single Sign On to display the Merak Service Host – SSO Configuration dialog
box.
3. Type the name of an Active Directory group that exists in your corporate
environment into the Required Active Directory Group field at the bottom of the
window.

Running Merak Service Host using Windows Services or IIS

Merak Service Host runs either as a Windows Service or in Internet Information
Services (IIS), both of which support secure sockets layer (SSL) communication.
Setting up SSL in your organization should be done by someone knowledgeable about
the unique infrastructure and security requirements in your organization.
Windows Service is configured using the Windows Services dialog box. The service host
can be set to run automatically when the computer where it is installed is running. This
service runs regardless of whether a user is logged into the computer.
Internet Information Services (IIS) runs the service host as a web application in a
clustered environment where any computer in the cluster can run the host service.

To run Merak Services from the Windows Services dialog box

1. Click Start > Control Panel > Administrative Tools > Services and ensure
Merak Service Host appears in the Services pane, that its Startup Type is listed as
Automatic, and that its Status is currently blank, which indicates that it is not
running.


2. Using the Services pane in the Services dialog box, right-click Merak Service Host
and from the context menu, click Start.
The Status in the Services pane displays as Started.
3. On every client machine that will be using Merak SSO, navigate to C:\Program Files
(x86)\Schlumberger\Merak 2017.2\, open the Merak.config file using a text editor,
and then scroll down to the <endpoint> node and for the address="" attribute,
specify address="http://123.123.1.12:10459/SingleSignOn.svc", where
123.123.1.12 is the IP address of the host machine on which the Merak Service
Host is running.
To make sure that the Merak Service Host is running, configure your firewall settings to
enable the Merak Service Host service to pass through, and then launch an application
in the Merak suite. Specify Single Sign On as the Authentication method and select a
secure database as the DataSource, and then attempt to log on.
For instructions on setting up a firewall inbound rule that enables remote client machines
to connect to SQL server, see Configuring a Firewall Port Exception for the SQL Server
instance on p. 16.

To run Merak Services on an IIS server


This process assumes that IIS is already installed in your environment. For an example
of one of the ways you may choose to install IIS in your environment, see Configuring
IIS Server, on p. 10.
1. Click Start > Control Panel > Administrative Tools > Internet Information
Services (IIS) Manager. The Internet Information Services (IIS) Manager dialog
box appears.
2. Using the Connections pane, with the Sites > Default Web Site node selected, in
the Actions pane that appears on the right of the Internet Information Services
(IIS) Manager dialog box, in the Deploy pane near the bottom, click Import
Application.
The Import Application Package dialog box appears.
3. Click Browse and then navigate to the Slb.Merak.ServiceHost.WebApp.zip file
located in C:\Program Files (x86)\Schlumberger\MerakService\Webapp\, and then
click Next.
4. Accept the defaults on the remaining wizard screens by clicking Next.
5. Using the Connections pane in the left of the Internet Information Services (IIS)
Manager dialog box, expand the Default Web Site node, right-click
Slb.Merak.ServiceHost.WebApp, and click Explore from the context menu.
6. Navigate to the Slb.Merak.ServiceHost.WebApp.zip file located in the C:\Program
Files (x86)\Schlumberger\MerakService\Webapp\ folder and copy the contents of
the unzipped Slb.Merak.ServiceHost.WebApp\Content\Default Web
Site\Slb.Merak.SsoService.WebApp folder of that zip file to the IIS webapp folder,
C:\inetpub\Slb.Merak.SsoService.WebApp.


7. Using the Connections pane of the Internet Information Services (IIS) Manager
dialog box, click Application Pools and note that the new Merak application pool
appears in the Application Pools pane.
8. Type the following string into the URL address bar of your browser:
http://localhost/Slb.Merak.ServiceHost.WebApp/SingleSignOn.svc where localhost is
the address of the service host machine.
If an HTTP error message appears because ASP.NET needs to be registered with IIS, run
the following command from a command prompt opened as administrator: aspnet_regiis.exe -i
The aspnet_regiis.exe file is typically located in the
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\ folder.
9. Navigate to C:\Program Files (x86)\Schlumberger\MerakService\Shell\ and open
the file Slb.Merak.ServiceHost.exe.Config in a text editor.
10. Using the text editor, scroll down to and select and copy the entire <SSO> section.
11. Navigate to the location where you copied the web app in step 5 above
(C:\inetpub\Slb.Merak.SsoService.WebApp\), and open the web.config file using a
text editor in administrator mode.

TIP: You can also navigate to the above folder using the Internet Information
Services (IIS) Manager dialog box by right-clicking
Slb.Merak.ServiceHost.Webapp and then clicking Explore from the
context menu.

12. Using the web.config file in the text editor, scroll down to and select the entire
<SSO> section and paste the contents of your Windows Clipboard to overwrite the
<SSO> section in the web.config file. It does not matter whether the <SSO>
section in the Slb.Merak.ServiceHost.exe.Config file is encrypted.

NOTE: If there are multiple nodes in the cluster, the above action must be
completed for the web.config file for every node in the cluster.

13. Still viewing the web.config file in the text editor, copy the service host URL
(http://localhost/Slb.Merak.ServiceHost.WebApp/SingleSignOn.svc, by default) to
the Windows Clipboard.
14. Using the client machine, navigate to C:\Program Files (x86)\Schlumberger\Merak
2017.2\ and open the Merak.config file using a text editor, and then scroll down to
the <endpoint> section and overwrite the URL with the URL copied above.


Mapping Active Directory Accounts in the MAC


Using the MAC, map Merak group accounts or user accounts with Active Directory
group accounts or user accounts. Group accounts enable you to manage users via
Active Directory. Group mapping is ideal for a brand new Merak installation where
specific Merak user accounts are not already associated with Merak artifacts such as
cases. The association between Merak artifacts and a user's Active Directory account
will not exist unless the Active Directory account is mapped specifically to the Merak
account that has access to the specific Merak artifacts.

Procedures for both mapping groups and for mapping users in the MAC appear below.

To map Active Directory group accounts in the MAC


Map a Merak group to an Active Directory group to automatically populate that Merak
group with the Active Directory user accounts in the mapped group. Before you map
the Merak group to the Active Directory group, ensure that you set up a template user
from which the imported Active Directory users inherit their database credentials. For
details, see step 6 of the procedure, To configure a data source, p. 2.
1. Launch the MAC as an administrator.
2. Using the left navigation pane, double-click User Administration.
Users and Groups tabs appear in the content pane.
3. With the Groups tab displayed, select the group to modify in the content pane, and
then click Edit.
The Group Details dialog box appears.
4. Click Browse to the right of the Domain Group box to display the Select Group
dialog box and type the first few characters of the Active Directory group name with
which to associate the Merak group, and then click Check Names.
Active Directory group names that start with the character(s) you typed above, and
that are associated with the Group object type appear.
5. Select the Active Directory group account with which to map the Merak group, and
then click OK.
6. Click Save to close the Group Details dialog box.
The name of the mapped Active Directory group appears in the Domain Group column
in the MAC Groups tab.

To map Active Directory user accounts in the MAC


Map Merak user accounts to their Active Directory account to preserve existing
relationships established between their Merak user account and Merak artifacts, such
as cases.
1. Launch the MAC as an administrator.
2. Using the left navigation pane, double-click User Administration.
Users and Groups tabs appear in the content pane.


3. With the Users tab displayed, in the User display pane select a user account, and
then to the right of the User display pane, click Edit.
The User Details dialog box appears.
4. Click Browse to the right of the Domain User box to display the Select User dialog
box and type the first few characters of the Active Directory user name with which
to associate the Merak user, and then click Check Names.
Active Directory user names that start with the character(s) you typed above, and
that are associated with the User object type appear.
5. Select the Active Directory user account with which to associate the Merak user,
and then click OK.
6. Complete the above steps for every Merak user to link to an Active Directory
account, and then click Save to close the User Details dialog box, and exit the MAC.
The name of the mapped Active Directory user account appears in the Domain User
column in the MAC Users tab.

To bulk synchronize Merak groups with Active Directory groups (optional)

If you are logged in to MAC using SSO, the Sync Groups button that appears on the
Groups tab is enabled. Although you can click this button to bulk synchronize the users
in all Merak groups with the current members in the associated Active Directory
groups, by default when a Merak user logs in using SSO, their group memberships and
privileges are automatically updated. Allowing users' credentials to be established when
they log in to Merak products may be preferable to forcing a bulk synchronization using
the Sync Groups process because, depending on the size of your user base and IT
infrastructure, bulk synchronization may take some time. MAC does not notify you
when the bulk synchronization process is complete.
In order to log into the MAC using SSO, your administrator account must be linked to
your Active Directory account. For details on setting this up, see To map Active
Directory user accounts in the MAC, p. 7.
1. Log into the MAC, and select the User Administration document.
2. Click the Groups tab and to the right of the Groups display pane, click Sync
Groups.
MAC does not notify you when the bulk synchronization process is complete.
3. Press F5 to refresh the display so that the current status of groups and users
appear in the MAC display pane.


Viewing event reports


View event reports to review logged activity for the host service and for logons.

To view Event Reports


1. Using Windows, click the Windows Start button, select Control Panel > System
and Security > Administrative Tools.
2. Double-click Event Viewer, and in the left navigation pane, click Windows Logs >
Application.
3. Using the Actions pane in the top-right of the Event Viewer dialog box, click
Filter Current Log to display the Filter Current Log dialog box.
4. Using the Event Sources drop-down list, scroll to SsoWindowsService, select the
check box to the left of it, and then press TAB.
5. Select the desired time period and event level type, and other details, and then click
OK.
Events that match the criteria specified above appear in the Application pane.
6. Click a desired event in the Application pane and then view details about that event
in the Details tab in the pane that appears at the bottom of the Event Viewer dialog
box.
OR
Double-click an event to display the Event Properties dialog box, where you view
event details.


Appendix
Procedures in this section are not core to the Merak Service Host Installation, but have
been included as suggested examples.

Configuring IIS Server


Run Merak Service Host using either Internet Information Services or Windows
Services, which is detailed in To run Merak Services from the Windows Services dialog
box, p. 4.
In the following procedure, you enable IIS, ASP.net, and Windows authentication and
in particular its feature, Windows .NET Foundation HTTP Activation. If you already
configured an IIS server in your environment, skip this procedure and continue with To
run Merak Services on an IIS server on p. 5.

NOTE: If installing IIS on a Windows 7 computer, instead of selecting Server Manager
below, click Turn Windows features on or off.

1. Click Start > Control Panel > Programs and Features > Server Manager to
display the Server Manager dialog box, and then click Add Roles and Features.
2. Using the Windows Features dialog box that appears, select the following options:
• Internet Information Services > Web Management Tools > IIS Management
  Console
• Internet Information Services > World Wide Web Services > Application
  Development Features > .NET Extensibility; ASP.NET; ISAPI Extensions; ISAPI
  Filters
• Internet Information Services > World Wide Web Services > Security > Request
  Filtering; Windows Authentication
• Microsoft .NET Framework 3.5.1 > Windows Communication Foundation HTTP
  Activation
3. Click OK to apply all of the above changes.
4. Install the Microsoft Web Deployment tool by navigating to the following location in
a browser: http://go.microsoft.com/?linkid=9278654 and clicking Web
Deployment Tool Installation in the bottom of the left navigation pane to display
the page from which to download the Msiexec.exe installer. Depending on your
machine specifications, download either 32 or 64 bit.

NOTE: Only install the Web Deployment Tool after IIS is installed otherwise components of the Web
Deployment Tool that are integrated with IIS will not install correctly.

5. Install the Web Deployment Tool downloaded above by launching the
WebDeploy_2_10_amd*_en-US.msi.
Where * in the file name above is either 32 or 64.


NOTE: On the Choose Setup Type window, select Custom and then select the
Remote Agent Service option along with the IIS Manager UI Module.
The Remote Agent Service option enables you to set up a remote agent on
one of the computers in the cluster so that the Web Deployment Tool can
then connect to and install the services host files without using Remote
Desktop Protocol.

6. Click Start > Control Panel > System and Security > Administrative Tools >
Internet Information Services (IIS) Manager.
The Internet Information Services (IIS) Manager dialog box appears.
7. Using the Connections pane, expand the root node and select Application Pools.
Ensure that at least one application pool is installed.

Enabling SSL in SSO


We recommend that SSO be used in conjunction with some secure transport protocol,
e.g. TLS/SSL. SSL configuration is frequently dictated by organization-wide security
policies specific to that organization. Following is some information about WCF security
that may influence your decision:
https://msdn.microsoft.com/en-us/library/ms735093(v=vs.110).aspx
Below is a sample generic SSL configuration that is suitable for preliminary testing and
as a starting point for creating an organization-specific configuration. Please contact
your security team for guidance on how to modify this example to conform to your
organization’s policies.
In the procedure below, “localhost” is typically replaced by the name or IP address of
the host machine.


Configuring HTTPS for self-hosted WCF SSO service


1. Modify Build\Debug\slb.merak.servicehost.exe.config. The changes are
underlined and highlighted in the sample below.
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="HttpBinding">
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="HttpBehavior">
        <!-- To receive exception details in faults, set to true. This is used to
             display more meaningful error messages in the login dialog, but can be
             turned off for enhanced security. -->
        <serviceMetadata httpsGetEnabled="true"/>
        <serviceDebug includeExceptionDetailInFaults="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Slb.Merak.SsoService.SsoService"
             behaviorConfiguration="HttpBehavior">
      <!-- The host element is not needed when hosting under IIS -->
      <host>
        <baseAddresses>
          <add baseAddress="https://localhost:10459/SingleSignOn.svc"/>
        </baseAddresses>
      </host>
      <endpoint name="HttpEndpoint"
                binding="basicHttpBinding"
                bindingConfiguration="HttpBinding"
                contract="Slb.Merak.SsoService.ISsoService"/>
      <endpoint contract="IMetadataExchange"
                binding="mexHttpsBinding"
                address="mex" />
    </service>
  </services>
</system.serviceModel>
2. Create a self-signed "root trusted authority" certificate (in command line) and
enter a new password when asked.
>makecert -n "CN=RootCertificateName" -r -sv RootCertificateName.pvk RootCertificateName.cer


3. Run mmc and select File > Add/Remove Snap-in >
(select Certificates) Add… > Select Computer Account > Next > Finish
(select Certificates) Add… > Select Current User Account > Next > Finish
> Close > OK.
4. Trusted certificates > Certificates > All tasks (context menu) > Import >
follow instructions to import <user_name>RootCA.
5. Create a certificate signed by the "trusted root authority":
>makecert -n "CN=localhost" -ic RootCertificateName.cer -iv RootCertificateName.pvk -sr localmachine -ss my CertificateStoreName.cer
You can find the certificate in the Personal store.
6. Double-click CertificateStoreName. From the Details tab scroll to and click
Thumbprint, and then copy the hexadecimal characters from the box.
Remove spaces between the hexadecimal numbers.
For example, the thumbprint "a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42
77 a3 2a 7b" would become "a909502dd82ae41433e6f83886b00d4277a32a7b".
7. To bind the SSL certificate to the port, type the following from the command line shell:
>netsh http add sslcert ipport=0.0.0.0:10459 certhash=d40a980a553451b42130b258e714862e0180af67 appid={AB0B9E22-DB8F-42DE-9A02-0BFBB9493886}
The certhash parameter specifies the thumbprint of the certificate.
The ipport parameter specifies the IP address and port; 0.0.0.0 means all IP addresses
with the given port.
The appid parameter is a GUID that can be used to identify the owning application. It is
arbitrary; for example, you can use the GUID of the SSO service assembly, which you
can find in the project properties.
8. Verify that you can connect to the service base address configured in step 1.
9. To remove the certificate binding, run the following in the command line shell:
>netsh http delete sslcert ipport=0.0.0.0:10459
Certificates created in the preceding steps can be deleted from trusted
authorities.
10. Proceed to Modify the Merak.config file on p. 15 to configure the client.
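
The self-hosted HTTPS steps above, checked before anything is bound, as an added Python example (not Schlumberger's code): it reads the step 1 <system.serviceModel> section, flags settings that weaken the transport, normalizes the step 6 thumbprint, and builds the step 7 netsh command with the port taken from the base address. The function names and the trimmed sample configuration are constructed for illustration.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the step 1 <system.serviceModel> section, trimmed to the
# elements the checks below read.
SAMPLE_CONFIG = """\
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="HttpBinding">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="HttpBehavior">
          <serviceMetadata httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="Slb.Merak.SsoService.SsoService"
               behaviorConfiguration="HttpBehavior">
        <host>
          <baseAddresses>
            <add baseAddress="https://localhost:10459/SingleSignOn.svc" />
          </baseAddresses>
        </host>
      </service>
    </services>
  </system.serviceModel>
</configuration>
"""


def audit_service_model(config_xml):
    """Return {'ports': [...], 'findings': [...]} for one service configuration."""
    root = ET.fromstring(config_xml)
    model = next(root.iter("system.serviceModel"), None)
    if model is None:
        raise ValueError("no <system.serviceModel> section found")
    ports, findings = [], []

    # A base address that is not https leaves traffic to the service unencrypted.
    for add in model.iterfind("services/service/host/baseAddresses/add"):
        address = add.get("baseAddress", "")
        url = urlsplit(address)
        if url.scheme != "https":
            findings.append(f"baseAddress {address} is not https")
        ports.append(url.port or (443 if url.scheme == "https" else 80))

    # basicHttpBinding uses security mode "None" when <security> is absent.
    for binding in model.iterfind("bindings/basicHttpBinding/binding"):
        security = binding.find("security")
        mode = security.get("mode", "None") if security is not None else "None"
        if mode not in ("Transport", "TransportWithMessageCredential"):
            findings.append(f"binding {binding.get('name')} uses security mode {mode}")

    # The sample's own comment says this can be turned off for enhanced security.
    for debug in model.iterfind("behaviors/serviceBehaviors/behavior/serviceDebug"):
        if debug.get("includeExceptionDetailInFaults", "false").lower() == "true":
            findings.append("includeExceptionDetailInFaults is true: "
                            "faults return exception details to clients")
    return {"ports": ports, "findings": findings}


def normalize_thumbprint(raw):
    """Step 6: drop spaces and invisible format characters, require 40 hex digits."""
    cleaned = "".join(ch for ch in raw
                      if not ch.isspace() and unicodedata.category(ch) != "Cf")
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", cleaned):
        raise ValueError(f"not a SHA-1 thumbprint: {cleaned!r}")
    return cleaned.lower()


def netsh_bind_command(config_xml, raw_thumbprint, appid):
    """Step 7: bind the certificate to the port the service actually listens on."""
    ports = audit_service_model(config_xml)["ports"]
    if len(ports) != 1:
        raise ValueError(f"expected exactly one base address, found {len(ports)}")
    return (f"netsh http add sslcert ipport=0.0.0.0:{ports[0]} "
            f"certhash={normalize_thumbprint(raw_thumbprint)} appid={appid}")


if __name__ == "__main__":
    for finding in audit_service_model(SAMPLE_CONFIG)["findings"]:
        print("finding:", finding)
    # Thumbprint and GUID are the example values quoted in steps 6 and 7.
    print(netsh_bind_command(
        SAMPLE_CONFIG,
        "a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b",
        "{AB0B9E22-DB8F-42DE-9A02-0BFBB9493886}"))
```

Text copied from the certificate dialog can carry an invisible leading character, which is why the normalizer strips Unicode format characters as well as spaces.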

Configuring HTTPS for WCF SSO service hosted in IIS

1. Create a self-signed certificate in InetMgr.exe (IIS manager) by selecting Server
Certificates in the Internet Information Services (IIS) Manager dialog box, and
then selecting Create Self-Signed Certificate in the Actions pane of the Server
Certificates dialog box that appears.
2. Using the Internet Information Services (IIS) Manager dialog box, click
Bindings in the Actions pane to open the Site Bindings dialog box, where you
click Add to display the Edit Site Binding dialog box. There, specify a Type of
https, a Port of 443, and the certificate created above.

3. Configure SSL for service by selecting Sites > Default Web Site >
Slb.Merak.ServiceHost.WebApp in the Connections pane, and then clicking
SSL Settings in the display pane to the right.
4. Using the SSL Settings pane, specify Require SSL and Ignore Client
Certificates.
5. Edit the Framework\slb.merak.servicehost.webapp\webapp.config file. The
changes are underlined and highlighted in the sample below.

<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="HttpBinding">
        <!-- Transport mode means the endpoint is served over HTTPS -->
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="HttpBehavior">
        <serviceMetadata httpsGetEnabled="true" />
        <!-- Returns server exception detail in faults; a debugging setting -->
        <serviceDebug includeExceptionDetailInFaults="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Slb.Merak.SsoService.SsoService"
             behaviorConfiguration="HttpBehavior">
      <endpoint name="HttpEndpoint"
                binding="basicHttpBinding"
                bindingConfiguration="HttpBinding"
                contract="Slb.Merak.SsoService.ISsoService" />
      <endpoint contract="IMetadataExchange"
                binding="mexHttpsBinding"
                address="mex" />
    </service>
  </services>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true"
                             multipleSiteBindingsEnabled="true" />
</system.serviceModel>
6. Copy the valid SSO section from the
Build\Debug\Slb.Merak.ServiceHost.exe.Config file to the
Framework\Slb.Merak.SsoService.WebApp\Web.config file.

7. IIS7 runs as the "IIS APPPOOL\DefaultAppPool" user, which doesn’t have enough
permission to access Active Directory.
Change it to Network Service in IIS Manager.
Look at the properties of the SSO webapp and find out what application pool it uses
by selecting Sites > Default Web Site > Slb.Merak.ServiceHost.WebApp in
the Connections pane.
8. In the Connections pane, select Application Pools and then click Advanced
Settings in the pane to the right to display the Advanced Settings dialog box
where you specify a Process Model > Identity of NetworkService.
9. Restart the default web site.
10. Modify the Merak.config file on the client machine as follows. The changes are
underlined and highlighted in the sample below:

<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="HttpBinding" sendTimeout="00:01:00">
        <!-- Must match the Transport (HTTPS) security mode set on the server -->
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint name="HttpEndpoint"
              address="https://<IIS Server machine>/Slb.Merak.ServiceHost.WebApp/SingleSignOn.svc"
              binding="basicHttpBinding"
              bindingConfiguration="HttpBinding"
              contract="ISsoService" />
  </client>
</system.serviceModel>
11. Be sure to set up the ODBC data source with the same name as the name in the
SSO service configuration file (the ODBC source should have the same name on the
client machine and the service machine).
12. Try to reach the service in IE. There will be an untrusted certificate issue unless
you import the self-signed server certificate. Importing the certificate using the
browser places it in the Current User store instead of the local machine store, so
you will need to move it to the local machine store after importing it. This can be
done using mmc.exe (described above).
13. Restart IE and ensure that the untrusted certificate error is gone.
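
The server and client samples in steps 5 and 10 depend on a few attributes staying consistent: Transport security on every binding, metadata over HTTPS only, and an https client address. The server sample also sets includeExceptionDetailInFaults="true", which returns internal exception detail to callers and is meant for debugging. The following check is an added example, not part of the original guide; the function name Test-WcfTransportConfig is hypothetical and the embedded XML is a constructed, shortened copy of the step 5 settings.

```powershell
# Added example (not from the Merak guide): audit a <system.serviceModel> section.
function Test-WcfTransportConfig {
    param([Parameter(Mandatory)][xml]$Config)
    $sm = $Config.SelectSingleNode('//system.serviceModel')
    if (-not $sm) { return 'No <system.serviceModel> section found.' }

    # Every basicHttpBinding must use Transport security (HTTPS).
    foreach ($b in $sm.SelectNodes('bindings/basicHttpBinding/binding')) {
        $mode = $b.SelectSingleNode('security/@mode')
        if (-not $mode -or $mode.Value -ne 'Transport') {
            "Binding '$($b.GetAttribute('name'))': security mode is not Transport."
        }
    }
    foreach ($beh in $sm.SelectNodes('behaviors/serviceBehaviors/behavior')) {
        $name = $beh.GetAttribute('name')
        # Exception detail in faults exposes server internals to callers.
        $dbg = $beh.SelectSingleNode('serviceDebug/@includeExceptionDetailInFaults')
        if ($dbg -and $dbg.Value -eq 'true') {
            "Behavior '$name': includeExceptionDetailInFaults is true."
        }
        # Metadata (WSDL) should be served over HTTPS only, as in step 5.
        $md = $beh.SelectSingleNode('serviceMetadata/@httpGetEnabled')
        if ($md -and $md.Value -eq 'true') {
            "Behavior '$name': metadata is published over HTTP."
        }
    }
    # Client endpoints (Merak.config, step 10) must address the service over https.
    foreach ($ep in $sm.SelectNodes('client/endpoint')) {
        if ($ep.GetAttribute('address').Trim() -notmatch '^https://') {
            "Client endpoint '$($ep.GetAttribute('name'))': address is not https."
        }
    }
}

# Constructed sample: the server-side settings from step 5, shortened.
$sample = [xml]@'
<configuration>
  <system.serviceModel>
    <bindings><basicHttpBinding>
      <binding name="HttpBinding"><security mode="Transport" /></binding>
    </basicHttpBinding></bindings>
    <behaviors><serviceBehaviors><behavior name="HttpBehavior">
      <serviceMetadata httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior></serviceBehaviors></behaviors>
  </system.serviceModel>
</configuration>
'@
Test-WcfTransportConfig $sample
```

To audit a real file, pass `[xml](Get-Content -Raw <path to the config file>)` instead of the constructed sample.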

Configuring a Firewall Port Exception for the SQL Server instance
If running the Merak Service Host Windows service instead of the IIS implementation,
the Windows Firewall on the SQL server must be opened to allow communication on a
specific port.
1. Open the Windows Firewall with Advanced Security utility by typing
Windows Firewall with Advanced Security in the Windows Start Menu.
2. In the navigation pane, click Inbound Rules, and then click New Rule... in
the Actions pane.
3. Using the New Inbound Rule Wizard that appears, select Port, then click
Next, and in the Specific local ports box, type the default port 10459. This
port number is defined in the <host> <baseAddresses> node of the
Slb.Merak.ServiceHost.exe.Config file.
4. Click Next (accepting defaults) until you reach the Name page, and then type
a name for the rule, for example, SQL Server Static Port, and then click
Finish to dismiss the Wizard.
5. Close the Windows Firewall with Advanced Security utility.
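
The same rule can be created from PowerShell, taking the port from the <host> <baseAddresses> node rather than typing it, so the rule cannot drift from the configured port. This is an added example, not part of the original guide; it assumes it runs on the machine that holds Slb.Merak.ServiceHost.exe.Config, that the file uses the standard WCF <add baseAddress="..."/> layout, and the $configPath value is a placeholder.

```powershell
# Added example (not from the Merak guide). Run in an elevated PowerShell session.
# Placeholder path: point this at the real service host configuration file.
$configPath = '.\Slb.Merak.ServiceHost.exe.Config'
$ruleName   = 'SQL Server Static Port'    # example rule name from step 4

function Get-BaseAddressPort {
    param([Parameter(Mandatory)][xml]$Config)
    # Standard WCF layout: <host><baseAddresses><add baseAddress="..."/>
    $ports = @(
        foreach ($a in $Config.SelectNodes('//host/baseAddresses/add')) {
            $uri = [uri]$a.GetAttribute('baseAddress')
            if ($uri.Port -gt 0) { $uri.Port }
        }
    ) | Sort-Object -Unique
    if (@($ports).Count -ne 1) {
        throw "Expected one base-address port, found: $(@($ports) -join ', ')"
    }
    [int]@($ports)[0]
}

$port = Get-BaseAddressPort ([xml](Get-Content -Raw -LiteralPath $configPath))

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    # Same choices as the wizard defaults: inbound, TCP, allow, all profiles.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort $port -Action Allow | Out-Null
}

# Show what the rule actually opens so it can be compared with the config.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```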

How to reach us
The Schlumberger Information Solutions (SIS) Support Portal
(support.software.slb.com) provides a single, online location for all your support needs.
Search a vast knowledge base for the answers you need, participate with your peers in
discussion forums, and receive the latest news about SIS products and services.

All support requests are entered into the SIS Customer Care Center incident tracking
system, where they are resolved by local support staff. For those times when you need
to speak with a support specialist, obtain assistance from local experts by calling one of
the numbers listed below.

United States
Houston Tel.: 1-866-829-0234
Canada
Calgary Tel.: 1-888-986-4357 (toll-free)

International Offices
United Kingdom
Tel.: 0800 328 9055 (toll-free)
Russia and Caspian
Russia Tel.: 8 800 7000 282 (toll-free from Russia)
Kazakhstan Tel.: 8 800 080 7638 (toll-free from
Kazakhstan)
Turkmenistan, Azerbaijan, Uzbekistan via Russian and
Kazakhstan offices:
+7 495 935 8200/+7 3452 520 060 – Russia,
+7 7172 7075 86/87 – Kazakhstan
South America
Mexico Tel.: 001 866 326 0174
Argentina Tel.: 0 800 444 0919
Brazil Tel.: 000811 005 9068
Colombia Tel.: 980912 3029
Venezuela Tel.: 0800 1 00 3588
Middle East and Asia Pacific
Egypt Tel.: +20 2 768 4881
United Arab Emirates Tel.: +971 2 632 2065
Kuwait Tel.: +965 9 720 3573
Malaysia Tel.: +60-3-21694266
Indonesia Tel.: +62-21-5229343
Australia Tel.: +61-1800001112
Thailand Tel.: +66-2-9371300
China Tel.: +86-10-64746699 Ext. 2816
