Prepare Encrypted Credentials for Upgrade

This task is optional: if you do not wish to encrypt credentials used in the answer file during upgrade, you may enter them in plain text in the answer file itself (see Prepare Answer File).

For encrypted credentials, you may use either of two approaches:

You may use your own RSA or ECDH certificate. The RSA certificates used with this module must allow Key Encipherment in their Key Usage extension. ECDH certificates must allow the Key Agreement Key Usage extension. If you want to use your own certificate, follow the first steps in the process below to validate that the certificate is usable for both encryption and decryption before attempting any installation.
You can use the process here, along with a supplied PowerShell module, to create both a certificate and a store, along with all the identities required. Provided that you use the same identities on each of your core application servers, you can simply copy the certificate and store to each server as appropriate, where they can be accessed using your configured answer file.

Once credentials are saved in your store, you configure the answer file with store references that allow use of the credentials, without needing to include any password values in the answer file.

Important: The account that prepares these encryption details in this process must be the same account that subsequently runs the unattended installation script.

To prepare encrypted credentials for the upgrade process:

On the first of your target servers, with mapped share or local access to the downloaded and unzipped installation archive, log in using the account that will complete the installation (suggested: fnms-admin).
Launch an elevated PowerShell window (that is, in the Windows start menu, right-click PowerShell and select Run as administrator).
In the PowerShell window, import the supplied Encryption.psm1 module to this PowerShell session:
```
cd path-to-resources\FlexNet Manager Suite\Support
Import-Module Modules\Encryption.psm1
```
If you are using your own RSA or ECDH certificate, verify that your certificate is usable for encryption and decryption:
For example, the following command works for the certificate we will create in this process, and for your own certificate the command should be similar.
```
Get-KeyEncryptionCertificate -RequirePrivateKey
```
To check on parameters for your own certificate, enter the following at your PowerShell prompt:
```
help Get-KeyEncryptionCertificate -full
```
If you are not using a certificate prepared earlier, create one now that can be used to encrypt and later decrypt the credentials. Use the following command (indented lines append to the first command, all on one line), which shows recommended values:
```
$thumbprint = New-CredentialCertificate 
    -Subject 'CN=FNMS Installation, OU=FNMS, O=Flexera' 
    -FriendlyName 'FNMS_Silent_Install'
$thumbprint
```
The first command saves the certificate thumbprint in a PowerShell variable called $thumbprint. The last line displays the value of the variable. The newly-created certificate can now be used to generate a certificate store.
Use the newly-created certificate to create a new credential store for encrypted identities.
The command line is:
```
New-CredentialStore -Certificate $thumbprint
```
where -Certificate identifies your new certificate by way of its thumbprint saved in the PowerShell variable.
Tip: It is possible to specify an optional -PathToStore parameter (for example C:\Credential\fnms.password.store.xml), but this is not recommended. The default behavior is to save a file named fnms.password.store.xml in the secure profile directory of the logged-in user (running the PowerShell session). If you vary either of these, you must continue to specify your custom path/file name in all subsequent commands.
Create the credentials needed in the credential store.
For each identity in turn, use the following command (all on one line):
```
New-StoredCredential 
    -Name 'friendly-name' 
    -Username 'username' 
    -Password 'password'
```
Each use of this command echoes the Username and Name values, along with a StoreReference of the form flexera://friendly-name. Copy the value of each StoreReference, and save them for use in the answer file (as described in Prepare Answer File). You might choose to create separate credentials for each of the following identities; but more common practice is to create one identity for the service account you have created (suggested: svc-flexnet, for which see Authorize the Service Account), and then reference that same identity in each of the following set:
- SuiteAppPoolUser
- ExternalAPIAppPoolUser
- BeaconAppPoolUser
- BusinessReportingAuthUser
- ReconciliationScheduledTaskUser
- RLAppPoolUser
- DLAppPoolUser
- InventoryScheduledTaskUser.
If you are preparing a multi-server implementation, and you wish to use the same encrypted credentials on each of your servers:
1. Export your certificate with the following command that references its thumbprint:
```
Export-CredentialCertificate $thumbprint -Path c:\path-on-disk\SilentInstall.pfx
```
  where the -Path parameter is optional to identify the file path and file name for saving the certificate. If omitted, the path defaults to the working directory of the current PowerShell session.
2. Copy both the exported certificate (suggested: SilentInstall.pfx) and credential store (default: fnms.password.store.xml) together to a temporary location on the other target servers.
3. On each server in turn, install the certificate into the Windows certificate store by providing the path to the local copy:
```
Install-CredentialCertificate -Path C:\temporary-path-on-disk\SilentInstall.pfx
```
4. Validate that you are able to retrieve credentials from the store using the following command:
```
Get-StoredCredential -PathToStore C:\temporary-path-on-disk\fnms.password.store.xml
```
  This command lists all the credentials in the store. The Username field is only populated if the certificate is safely located on the same server.
5. Relocate the store in the correct working directory (the local application data store under the profile directory for the installing account).
  In PowerShell, the shorthand way to do this is:
```
mv C:\temporary-path-on-disk\fnms.password.store.xml $env:LOCALAPPDATA
```

When the credential store and certificate are correctly installed, and identifying all credentials required on each of your servers, you are ready to customize your answer file.