Using a Microsoft Azure file share
This section provides instructions for connecting the ABBYY FlexiCapture Application Server to a file share in Microsoft Azure.
Note: It is assumed that a storage account has already been created in Microsoft Azure Files and is available for use by ABBYY FlexiCapture.
- On the Azure portal, go to your storage account (abbyystorage in this example) and click Files in the storage account pane.
- Create a new file share in your storage account by specifying its name (fcstorage in this example) and a space quota as required.
- Open the created file share and click Connect.
- Copy the cmdkey command to the Clipboard.
- Log on to the virtual machine with the FlexiCapture Application Server as a system user with permissions to access the FlexiCapture services (fcuser in this example), open the command line prompt, and paste and execute the cmdkey command from the Clipboard. This will add the file share credentials to the Windows Credential Manager.
- Open Windows Explorer and make sure that the user can access the file share.
- Open the Internet Information Services (IIS) Manager, select the FlexiCapture application pool, and click Advanced Settings.
- Change the pool identity to the FlexiCapture user account with the required permissions, set Load User Profile to True, confirm the changes by clicking OK, and recycle the application pool.
- In the Administration and Monitoring Console, select the Use external file storage option and specify the path to the file share in Microsoft Azure.
Using Azure Key Vault to Connect to Microsoft Azure Files
Azure Key Vault is a cloud service for securely storing secrets, such as API keys, passwords, and certificates. The service enables Azure subscribers to protect the sensitive data used by their cloud applications and services. You can create and manage key vaults through the Azure portal (see the Microsoft documentation for details).
To set up a connection to Azure Files:
- On the Azure portal
- Set up virtual machines for your ABBYY FlexiCapture Application Servers.
Important! Your virtual machines with the Application Server installed must be registered in Azure Active Directory. For detailed instructions on how to create and set up virtual machines, see the Microsoft documentation.
- Create a new key vault.
Under Permission model, select Azure role-based access control.
- To be able to save and view secrets, add the Key Vault Secrets Officer role for your account and the Key Vault Secrets User role for the virtual machine objects. For detailed instructions on how to grant permissions to virtual machines, see the Microsoft documentation.
- Add your secret (i.e. your access key) for your Azure Storage account to the key vault. For detailed instructions on how to add a secret to a key vault, see the Microsoft documentation.
Important! To connect to Azure Files, the name of your secret must be the same as your storage account name.
- On each Application Server
Configure your system account to access Azure Files. To do this:
- Save the following PowerShell script on each virtual machine where the Application Server is installed:
The script accepts the following two parameters as input:
- The path to the root of the network Azure folder, for example: “\\<name of Azure Storage account>.file.core.windows.net\<name of network folder>”.
- The URI of the key vault storing the access key for your Azure Storage account.
You can copy the URI from the Vault URI field on the Overview tab on the Azure portal.
Sample command for running the script: powershell.exe <path to file with script> -share \\<name of Azure Storage account>.file.core.windows.net\<name of network folder> -uri https://<name of Azure key vault>.vault.azure.net/
- To run the script, create a task in Task Scheduler that will be triggered by a system startup event. The task must be run under the System, Network Service, or Local Service user account. The same account must be used to run the IIS application pool.
- Configure the IIS service to be started after the connection script is executed. To do this, open the World Wide Web Publishing Service Properties dialog box, and select Automatic (Delayed Start) from the Startup type drop-down list on the General tab.
- Restart the Application Server.
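The connection script itself is not reproduced on this page. The following is an added example, not ABBYY's script, of what a script with the same two parameters has to do: get a token for the virtual machine's identity, read the secret named after the storage account from the key vault, and store it with cmdkey. It assumes the virtual machine has a managed identity holding the Key Vault Secrets User role; the API versions and the localhost\ user prefix are also assumptions.

```powershell
# Added example, not ABBYY's script. Assumes the VM has a managed identity
# that holds the Key Vault Secrets User role on the vault.
param(
    [Parameter(Mandatory)][string]$share,   # \\<account>.file.core.windows.net\<folder>
    [Parameter(Mandatory)][string]$uri      # https://<vault>.vault.azure.net/
)
$ErrorActionPreference = 'Stop'

# Validate the share path and derive the storage account name from it.
if ($share -match '^\\\\(?<account>[a-z0-9]{3,24})\.file\.core\.windows\.net\\[^\\]+') {
    $account = $Matches['account'].ToLower()
} else {
    throw "Unexpected share path: $share"
}
$shareHost = "$account.file.core.windows.net"

# Only send the identity token to an HTTPS Key Vault endpoint.
$vault = [Uri]$uri
if ($vault.Scheme -ne 'https' -or $vault.Host -notlike '*.vault.azure.net') {
    throw "Unexpected key vault URI: $uri"
}

# Request a Key Vault access token for the VM identity from the local
# Azure Instance Metadata Service (reachable only from inside the VM).
$tokenUrl = 'http://169.254.169.254/metadata/identity/oauth2/token' +
            '?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'
$token = (Invoke-RestMethod -Uri $tokenUrl -Headers @{ Metadata = 'true' }).access_token

# Read the secret; per the page, its name equals the storage account name.
$secretUrl = "https://$($vault.Host)/secrets/$account" + '?api-version=7.4'
$key = (Invoke-RestMethod -Uri $secretUrl -Headers @{ Authorization = "Bearer $token" }).value

# Store the credential for the account this scheduled task runs under.
cmdkey.exe "/add:$shareHost" "/user:localhost\$account" "/pass:$key" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cmdkey failed with exit code $LASTEXITCODE" }

# Confirm the share is reachable; the key itself is never written to output.
if (-not (Test-Path -LiteralPath $share)) { throw "Share not reachable: $share" }
Write-Output "Stored credential for $shareHost"
```

The access key is passed to cmdkey on its command line, so if process-creation auditing with command-line logging is enabled on the virtual machine, the key will appear in those events; restrict access to that log accordingly.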