Some of the technical content on this site is only available in English.

Checking Space configuration

Overview

After you've installed the Space software, you must check its configuration settings. It has to be done from the tabs available in the ProAccess Space Configurator:

  • Service properties
  • Service ports
  • Database
  • Advanced

Checking configuration

To check the configuration settings for Space, do the following:

  1. Ensure that the appropriate database has been set up in Space.

  2. Double-click the ProAccess Space Configurator icon on your desktop. The ProAccess Space Configurator launches.

  3. Select the Database tab.

'Database' tab'Database' tab

  1. Ensure the server name in the Server name field is correct. You can verify the data in Microsoft SQL Server Management Studio (SSMS), if installed.

  2. Ensure the database name in the Database field is correct. You can verify the data in Microsoft SQL Server Management Studio (SSMS), if installed.

  3. Ensure the Windows authentication option is selected if you are working in a Windows domain. If you are not working in a Windows domain, select the SQL Server authentication option. You must enter the appropriate SQL Server username and password.

  4. Click Save. Note that the Space service must be stopped to save any change on the ProAccess Space Configurator and then restarted. Remember that Space will not work unless you restart the Space service.

  5. Click the Service properties tab.

'Service properties' tab'Service properties' tab

  1. Ensure that Automatic is selected as the Startup type option. This value is selected so that when the PC reboots, the Space service starts automatically.

  2. Under Start as, you can select:

  • Virtual Service Account (NT SERVICE\ProAccessSpaceService), which uses a system‑managed account with limited privileges.
  • Or a User account, where you specify a Windows user and password, recommended when the service requires elevated permissions, such as for automatic certificate renewal.

The required permissions of the account specified are not automatically verified when saving the configuration. It is the responsibility of the person configuring the software to ensure that the account has sufficient privileges.

See next steps for more information on Automatic refresh certificate mode.

  1. Click Save.

  2. Click the Service ports tab.

'Service ports' tab'Service ports' tab

  1. Select the Enable TCP/IP ports for web application checkbox. The default ports can be changed in accordance with your requirements. In the case of UDP ports, Space selects a random free port in a given range by default but ports can be also limited to one rather than a range. See also the dedicated section on connectivity considerations. To use the secure version of HTTP (namely HTTPS), you will first need to specify a valid certificate (use the ProAccess Space Configurator to select one among the registered certificates within the server machine).

For security reasons, we highly recommend that you use HTTPS instead of HTTP.

See Appendix B: Provision of certification for HTTPS.

When using HTTPS, you must select one of the available modes:

  • Static certificate mode, where the selected certificate needs to be updated manually. Note that the selected certificate must also be valid in the client machines in order to:

    • Avoid the "untrusted connection" warning message shown by the browser
    • Allow browsers to receive real-time notifications (such as door openings) from the server.

  • Automatic refresh certificate mode, where the certificate is updated automatically. Note that when using this non-license-dependent mode:

    • The Space service must be configured to run under an administrator account (in the Service Properties tab in the ProAccess Space Configurator)
    • The Space service does not need to be stopped to rotate the certificate, since the service will handle the rotation automatically
    • The certificate must exist in the specified store (within the local machine where Space is installed)
    • The certificate must be signed by a trusted Certificate Authority installed in the client machines in order to avoid any error messages
    • The certificate must not be expired

To configure the Automatic refresh certificate mode:

  1. Enter the Certificate store name (LocalMachine) (for example, My, Root, CA). Use the system store name, not the friendly name shown in the Windows Certificate Manager (MMC). Example: enter My(shown as Personal in the UI).
  2. Select the required Identification method (Subject CN (Subject Common Name), Subject Full DN (Subject Full Distinguished Name), Issuer).
  3. Enter the Match value, which must be the exact certificate attribute value to match. The comparison is strict (exact equality), so the value must match the certificate content precisely, including attribute order, casing, spacing, and special characters. The value can be:
  • The CN attribute (such as, www.google.com).
  • The full Distinguished Named (DN) as a comma-and-space separated list of key=value pairs (for example, CN=www.google.com, O=Google Trust Services, C=US).
  • The Issuer.

The expected format is a comma-and-space separated list of key=value pairs. Any deviation (including different spacing or attribute order) will cause the match to fail. To ensure accuracy, retrieve the value directly from Windows using PowerShell and copy it as returned:

$cert = Get-ChildItem Cert:\LocalMachine\{certStore}\{Thumbprint}

Distinguished Name

$cert.Subject

Issuer

$cert.Issuer

  1. Choose the Selection strategy (if multiple) in case more than one certificate meeting the filters are available. Select Newest NotBefore date to use the certificate whose "NotBefore" date (date from which the certificate is valid) is most recent, that is, the certificate that started being valid latest. Choose Latest NotAfter date to use the certificate which "NotAfter" date (date from which the certificate is considered expired) is latest, that is, the one that expires latest in the future.

Before saving, check that the required criteria are met to avoid any error messages.

The Space service may start and remain accessible even without administrator privileges, but certificate rotation will fail. If rotation is not working as expected, check the logs for:

Error binding certificate to port: Access is denied (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Ensure the service account has administrator privileges.

During startup, if any errors occur when loading the certificate or initializing the web server, the Space service will continue the startup to keep the rest of the functionalities operational. However, the periodic certificate rotation task will not be responsible for starting the web server if it fails to do so correctly during startup. This issue can be diagnosed from the setup tool ProAccess Space Configurator, where the icon below will be displayed.

For more information, please contact your Salto technical support team.

Icon indicating that errors occurred during startupError icon shown in the 'ProAccess Space Configurator' tool

Space supports the TLS 1.2 protocol. Note: this protocol can be defined at PC server level and not in the Space service. See more info on security protocols.

  1. Click Save. The link to open Space that displays on this tab should now become active.

See Logging in for information about how to log in to Space and set up bookmarks in your browser for easy access.

Log files tracing level

The Tracing level panel in the ProAccess Space configurator Advanced tab deals with the registration level of software logs. From this tab you can manage the tracing level, which can be set to Low, Medium, or High.

The default tracing level is Low.

Leave the tracing level at Low unless your Salto technical support contact recommends that you change it.

The tracing should only be set to High during troubleshooting, for example, and reset to Low afterwards. If the tracing level is set to High, this creates a more detailed report but the log file increases in size, which could cause the service to slow down.

Tracing level in the 'Advanced' tabTracing level in the 'Advanced' tab

Salto Systems, S. L. uses third-party data storage and retrieval devices in order to allow secure browsing and gain a better understanding of how users interact with the website in order to improve our services. You can accept all cookies by clicking the "Accept cookies" button or reject their use by clicking the "Reject cookies" button. For more information, visit our Cookies Policy