General requirements

License

You need a valid license to use Communications Manager. When you purchase Communications Manager, you receive either a SAL activation code or a license XML file. The SAL activation code can be used to obtain the API key for the license server access.

When you install Communications Manager, you must provide either the address of the license server in combination with the obtained API key or the license XML file.

The license XML file can restrict the number of allowed document processors. The installers never create more document processors than the maximum allowed.

If after installation more document processors are added, then those additional document processors cannot be started.

if NumberOfDocumentProcessors is 0 in the license XML file, then there is no license maximum on the number of document processors.

<?xml version="1.0" encoding="utf-8"?>
<ccm:Licence Version="1" xmlns:ccm="http://www.aia-itp.com/licence">
    <ccm:Product Name="ITP Server">
        <ccm:SubLicence Type="Base">
            <ccm:CompanyName></ccm:CompanyName>
            <ccm:NumberOfDocumentProcessors></ccm:NumberOfDocumentProcessors>
            <ccm:ExpirationDate></ccm:ExpirationDate>
            <ccm:Certificate></ccm:Certificate>
            <ccm:Environment></ccm:Environment>
            <ccm:LicenceCode></ccm:LicenceCode>
        </ccm:SubLicence>
        <ccm:SubLicence Type="OnLine">
            <ccm:ExpirationDate></ccm:ExpirationDate>
            <ccm:Certificate></ccm:Certificate>
            <ccm:NumberOfUsers></ccm:NumberOfUsers>
            <ccm:LicenceCode></ccm:LicenceCode>
        </ccm:SubLicence>
    </ccm:Product>
    <ccm:Product Name="ITP MDK Repository">
        <ccm:SubLicence Type="Base">
            <ccm:CompanyName></ccm:CompanyName>
            <ccm:ExpirationDate></ccm:ExpirationDate>
            <ccm:Certificate></ccm:Certificate>
            <ccm:Environment></ccm:Environment>
            <ccm:LicenceCode></ccm:LicenceCode>
            <ccm:NumberOfUsers></ccm:NumberOfUsers>
        </ccm:SubLicence>
        <ccm:SubLicence Type="Model Developer">
            <ccm:CompanyName></ccm:CompanyName>
            <ccm:ExpirationDate></ccm:ExpirationDate>
            <ccm:Certificate></ccm:Certificate>
            <ccm:Environment></ccm:Environment>
            <ccm:LicenceCode></ccm:LicenceCode>
            <ccm:NumberOfUsers></ccm:NumberOfUsers>
        </ccm:SubLicence>
        <ccm:SubLicence Type="Textblock Editor">
            <ccm:CompanyName></ccm:CompanyName>
            <ccm:ExpirationDate></ccm:ExpirationDate>
            <ccm:Certificate></ccm:Certificate>
            <ccm:Environment></ccm:Environment>
            <ccm:LicenceCode></ccm:LicenceCode>
            <ccm:NumberOfUsers></ccm:NumberOfUsers>
        </ccm:SubLicence>
    </ccm:Product>
</ccm:Licence>

Additional information

For MDK Repository Base license, the value for NumberOfUsers must be set to 1.

For development or test purposes, the value for ITP/Server Base license should be "Development and Test". For all other environment elements, the value should be "Development or Test".

Microsoft Word

Communications Manager Core uses Microsoft Word for a number of operations such as printing and conversion of documents. To enable these operations, Microsoft Word must be installed locally on the servers that run Communications Manager Core Document Processors.

You do not need Microsoft Word for conversion to PDF if the conversion is done with the Rendition technology. For more information on this technology, see the section DocToPDF in the Tungsten Communications Manager Core Scripting Language Developer's Guide.

You should disable grammar and spelling tools in Microsoft Word. For more information, see the Adjust settings in Microsoft Word section below.

Also, Microsoft Word requires the presence of a Desktop directory. The location of this directory depends on the versions of Microsoft Word and Microsoft Windows. For 64-bit versions of Microsoft Word, create the following directory: %WINDIR%\System32\config\systemprofile\Desktop.

Communications Manager Core attempts to create this directory if it does not exist yet. If it fails, Communications Manager Core is unable to open Microsoft Word documents.

Microsoft Word must be started interactively at least once under the user account used for Communications Manager Core Document Processors. This initializes Microsoft Word for that account so that it can be used by the Document Processors. If this is omitted, certain Core Script calls, such as DocToPDF, may fail.

Adjust settings in Microsoft Word

Open Microsoft Word and check if the following settings are adjusted correctly:

Navigate to File > Options > Display > Printing Options and select Update fields before printing. Click OK.
Navigate to File > Options > Advanced > Save and clear Allow background saves. Click OK.
Navigate to File > Options > Proofing > AutoCorrect Options and clear everything on all tabs. Click OK.

Ports

This section describes the requirements for ports that must be satisfied for successful Communications Manager installation.

When deployed, by defaultTungsten Communications Manager uses the following ports. You can configure the installation tool parameters to setup other ports if necessary.

Port	Open/Closed	Used by
443	This port is used for external access and should be opened in the firewall.	The main access port for Contract Manager
444	This port is used for external access and should be opened in the firewall.	The Communications Manager Control Center port
10500 and further	These ports should be opened in the internal network of Communications Manager components, but closed for external access. If all Communications Manager components are installed on the same server, these ports should be closed.	These ports are used for communication between Contract Manager and Communications Manager instances. They are assigned incrementally by Communications Manager, starting from a given fixed point. The registration port of the Contract Manager. This port is used by all instances for automatic (un)registration. The port for the web applications of a instance. Each instance uses a separate port, but all web applications of the instance (i.e. Designer, ComposerUI for HTML5, LogServer) use that same port. These web applications are always connected through the Contract Manager. The service port for Communications Manager Core. Each instance runs on its own port. This is not a web application.
10600 and further	These ports are internal for Communications Manager. They must be closed for all networks. The only exception is the repository port. It is used by Designer for Windows to connect to the instance. It must be opened when Designer for Windows is installed.	These ports are assigned incrementally by Communications Manager, starting from a given fixed point. The load balancer port of Communications Manager/Core. Each instance runs on its own port. This is not a web application. The port for Communications Manager Repository Server. Each instance runs on its own port. This is not a web application. The trusted port for Communications Manager Repository Server Each instance runs on its own port. This is not a web application. The port for Content Management API . Each instance runs on its own port. This is a Rest API web application. Six ports for Batch & Output Management.

The order in which ports are assigned by Communications Manager is not fixed. Use the InfoPorts tool after installation to see which ports were assigned to which (web) application.
To prevent a Slow HTTP Denial of Service attack, you should set up your firewall to limit the amount of connections per host for the main access port 443. For example, you can limit the amount to 50 connections per host.

Security

This section describes some decisions you'll have to make during installation regarding the security of communication with Communications Manager server and the artifacts that you have to prepare beforehand.

SSL certificates

All communication with the Communications Manager installation uses HTTPS protocol. Communications Manager Contract Manager and Communications Manager Control Center require a public certificate that must have the external host name of the server in the allowed DNS of its Subject Alternative Name.

Furthermore, most communication within the Communications Manager installation also uses HTTPS protocol. The Communications Manager Server requires an internal certificate that must have the internal (for example, located in the Communications Manager network) host name of the server in the allowed DNS of its Subject Alternative Name.

For both kinds of certificates you must provide a certificate file in a format that is supported by Tomcat (for example, JKS or PKCS12). Additionally, you must ensure that the internal certificates are trusted on their own Communications Manager server, as well on the Communications Manager servers that connect to it (internal connections between the Contract Manager or Communications Manager Control Center and the Communications Manager instances that are registered on it). You can establish the trust by importing the certificate with its trust chain into both the Windows certificate store (with private key on the Communications Manager server, without private key on Communications Manager servers that connect to it) and the Java cacerts trust store (without private key). For the Windows certificate store, use the Personal store of the Local Computer account.

LDAP authentication file

You can set up user authentication at Communication Manager Designer using LDAP.

To set up LDAP authentication, you must provide the LDAP configuration file. See the LDAP properties file topic of this guide for details.

Additional authentication for SOAP calls

You can also set up additional authentication for integrating applications to execute SOAP calls to the Contract Manager. This is possible only after enabling secure connection over SSL.

For more information, see the Applications topic.

(D)DOS attack protection

If it is required to shield the server on which Communications Manager is installed from (D)DOS attacks, you should consider enabling a request rate limiting policy.

Communications Manager does not provide a mechanism for such a policy, so this should be handled by setting up a firewall or proxy server that supports request rate limiting between the Communications Manager installation and the outside network.

Generate self-signed internal certificates

If you find that self-signed certificates are secure enough for internal communication in Communications Manager, then you can have Communications Manager generate the internal certificates.

You must always provide the public certificate yourself.

To generate a self-signed certificate, use the CreateSelfSignedCertificate.exe and ImportSelfSignedCertificate.exe tools, that are located on the top level of the extracted Communications Manager package. You must run these tools before installing Communications Manager.

CreateSelfSignedCertificate.exe

This tool generates a self-signed certificate that can be used as internal certificate on the Communications Manager server where it is generated. It only creates the certificate, but does not yet import it in any certificate store.

This tool has the following parameters:

Parameter	Required/Optional	Description
Internal!HostName	Optional	The internal host name of the Communications Manager server. It is set in the Subject Alternative Name of the self-signed certificate. If omitted, Communications Manager uses the COMPUTERNAME environment variable.
InternalCertificate!KeystoreFile	Required	Location of the generated certificate file. The file may not exist yet.
InternalCertificate!KeystorePassword	Required	Password of the certificate file. The password should match the requirements of the keytool which might depend on the Java version that you use.
Java!KeytoolExe	Optional. May be omitted when the JAVA_HOME environment variable has been set and points to a valid Java installation.	Location of the keytool.exe file of Java.

ImportSelfSignedCertificate.exe

This tool imports a generated self-signed certificate into both the Java cacerts trust store and the Windows certificate store. You can use it both on the Communications Manager server where the certificate was generated and on a different Communications Manager server where the certificate needs to be trusted.

This tool has the following parameters:

Parameter	Required/Optional	Description
InternalCertificate!KeystoreFile	Required	Location of the certificate file.
InternalCertificate!KeystorePassword	Required	Password of the certificate file.
InternalCertificate!Alias	Required	Alias of the certificate in the certificate file. The alias is generated (and reported on the console) by the CreateSelfSignedCertificate.exe tool.
Java!KeytoolExe	Optional. May be omitted when the JAVA_HOME environment variable has been set and points to a valid Java installation.	Location of the keytool.exe file of Java.
Java!TruststoreFile	Optional. May be omitted when the JAVA_HOME environment variable has been set and points to a valid Java installation.	The location of the Java certificate authorities (cacerts) trust store.
Java!TrustStorePassword	Required	The password of the Java certificate authorities (cacerts) trust store.

Database

This section describes the requirements for databases that must be satisfied for successful Communications Manager installation.

Communications Manager uses databases to store production data.

If you plan to deploy Communications Manager only (without Batch & Output Management), you will need a Communications Manager Repository database.

In some cases, you can share the same repository database between multiple Communications Manager installations. For more information, refer to the following topic: Adding a Communications Manager Instance.
If you also plan to deploy Batch & Output Management, you will need a B&OM Repository database and B&OM Runtime database.

You can find the list of supported databases in the Tungsten Communications Manager Technical Specifications document.

The deployment does not require a dedicated database server. You can use the database server that is already operating in your environment.

Create all required databases manually.
Before starting the installation, make sure these databases are empty.
Back up all databases on a regular basis and follow the best practices recommended by your database provider.
Unless following specific instructions from Tungsten Technical Support, do not make database modifications, because they may cause irreversible damage and loss of data.

Communications Manager performs a check on the database access, using the provided database connection string and database user and password. It checks the database access settings before starting the actual execution of various tools. This check is limited and might erroneously show messages about missing permissions.

To override this check, use the Instance!ContinueInstallationOnFailedDatabaseAccessCheck=true or OutputManagement!ContinueInstallationOnFailedDatabaseAccessCheck=trueparameter to indicate that execution should continue even when the check returns a negative result. This does not override the check on an empty database.

Adding trusted ServiceAccounts to KCMTools.ini

The Communications Manager installation and upgrade tools verify that the provided user accounts have the Logon as Service right. This pre-flight check succeeds only if the Logon as Service right is set to the user account directly. When a user account has the Logon as Service as a right via a Group or in any other way, you can disable this check. To do this, use the following steps:

Find the KCMTools.ini file. Before installation or upgrade, this file is located in the Software/KCMTools folder of the extracted Communications Manager 2025.3 package.
Add a section with name ServiceAccounts.
Add a setting with name Trusted and fill it with a comma-separated list of user accounts that should have the Logon as Service pre-flight check disabled. Each user account must appear exactly the same as in the command line.

Cookie rule for Tungsten TotalAgility

The strict cookie path of the session cookie that is returned by the Contract Manager may require proxies between the clients and the Contract Manager to rewrite the cookie. In particular, this applies to the proxy rules in the Tungsten TotalAgility web.config file. For Tungsten TotalAgility versions before 2025.2, the following rule should be added to the configuration/system.webServer/rewrite/outboundRules node:

<rule name="UpdateCCMCookiePath">
    <match serverVariable="RESPONSE_Set_Cookie" pattern="(.*); Path=.+?;(.*)"/>
    <conditions>
        <add input="{CACHE_URL}" pattern="https?://[^/]+(/[^/]*)?/CCM/Proxy/.*"/>
    </conditions>
    <action type="Rewrite" value="{R:1}; Path={C:1}/CCM/Proxy;{R:2}"/>
</rule>