1 of 1

Step 2: Installation of HWF (HORIZONT Web Framework)

ProcMan requires PHP and a Webserver, which we deliver in the so-called HORIZONT Web Framework (HWF). This document only describes how to install HWF for ProcMan.

1. Download HWF

Download the latest HWF installation package from the HORIZONT customer portal (e.g. HWF V6.0.6) and extract it somewhere on the target system.

2. Optional: Install/update the Microsoft Visual Studio C++ runtime

Install/update the Microsoft Visual Studio C++ runtime (MSVC) manually. Navigate to ../hwf/contrib/ and search for all the vcredist_x64-YYYY.exe files. Run them all as administrator.

3. Run the setup.cmd

Now run the setup.cmd in the downloaded HWF package as administrator and follow the installation steps.

Important things to consider:

In step 1 set the correct installation directory of the existing HWF installation.
In step 4 choose "no" if you decided to install/update the MSVC manually.
There is no need to set the TNS_ADMIN and DB2INSTANCE options in the HWF installation dialog for ProcMan, as they are ignored. They can be left empty (which is the default).
Do not install HDB (HORIZONT Database Module) after the HWF installation, which is asked in the HWF installation dialog after HWF installation finished.

4. Enable full version of DB2 client

There is a light version of the DB2 Client installed with HWF. After the installation of HWF the PATH system variable contains the path to this light version of the DB2 client in the beginning, which disables the full version of the DB2 client required by ProcMan.

To correct this, after HWF installation, remove from the content of the PATH variable the following part:

%HWF_ROOT%\LIB\DB2\BIN;

After changing the content of the PATH variable you have to restart the Web Server (e.g. in Windows’s Services dialog restart the HORIZONT HTTP Server service) before the change takes effect.

5. Verify HWF installation

6. Recommended: Configuring the HWF service to run with a special user

For security reasons it is strongly recommended to change the user under which the by HWF installed service HORIZONT HTTP Server runs.

Windows

By default, the HORIZONT HTTP Server service runs under the Local System account, which is highly privileged—more so than a standard administrator account in certain areas. For better security and manageability, it is strongly recommended to run the service under a dedicated local or domain user account with limited privileges.

This guide walks you through:

Creating or assigning a restricted user
Granting required filesystem and DB2 access
Running the service under the new user
Configuring permissions to allow restarting the service from ProcMan

Step 1: Create or Select a Service User

Create a local user in Windows or use an existing local/domain user.
Ensure the user has a non-expiring password.
Grant this user modify permissions on the HORIZONT installation directory (by default C:\HORIZONT) and all its subdirectories.

Step 2: Assign DB2 Access (if applicable)

If the DB2 Client was installed with Windows Authentication, it creates two local user groups:

DB2ADMNS
DB2USERS

Add the service user to the DB2USERS group to allow DB2 access while maintaining minimal privilege.

Step 3: Configure the Service to Run Under the User

Open the Services management console:
Control Panel → System and Security → Administrative Tools → Services
Locate the HORIZONT HTTP Server service.
Double-click to open its properties and go to the Log On tab.
Select "This account", enter the user credentials created/selected in Step 1, and confirm.
Click OK and restart the service.

Step 4: Allow the User to Restart the Service via ProcMan

By default, only administrators and system accounts can start/stop services. To allow the non-admin service user to restart the web server (e.g. via ProcMan), follow these steps using the Microsoft Management Console (MMC):

A. Prepare a Custom Security Template

Open MMC as administrator:
- Press Win + R, type mmc, and press Enter.
From the menu: File → Add/Remove Snap-in…
Add the following snap-ins:
- Security Templates
- Click OK
In the Security Templates tree, select a directory (e.g., C:\Windows\Security\Templates) and then:
- Action → New Template
Enter a name and (optional) description for the template and click OK.

B. Define Service Permissions in the Template

Under your new template, go to: System Services → HORIZONT HTTP Server
Right-click and select: Action → Properties
In the dialog:
- Check: "Define this policy setting in the template"
- Set Startup mode to Automatic
- Click Edit Security
In the security dialog:
- Add the dedicated service user
- Grant the permission: Start, stop, and pause
Click OK to close all dialogs and save the template.

C. Apply the Security Template

Again, open: File → Add/Remove Snap-in…
Add: Security Configuration and Analysis Click OK
In the snap-in:
- Action → Open Database
- Choose a name for the database file (e.g. horizont_service_config)
When prompted, select the template you created earlier.
Then run: Action → Configure Computer Now
After applying, restart the HORIZONT HTTP Server service once manually as an administrator to ensure new permissions take effect.

Important Notes

These permission changes are persistent and survive system restarts.
The MMC interface may vary slightly between Windows versions.
Always verify service functionality after changing its user context or security settings.

Linux

The web server switches automatically after it is started to run under a lower privileged user. So there is nothing to be done explicitly.

If it should be later possible to restart the web server by an administrator from the ProcMan dialog, the user under which the web server is running, has to be authorized to restart the web server. For this the user has to be authorized to start the httpd program as a super user using the sudo command without a tty session and without entering a password. To allow this open the file /etc/sudoers for editing. If there is a line like this

Defaults requiretty

comment it out with a hash (#) in the beginning of the line. Further add a line like this

<httpd_user>     ALL=    NOPASSWD: <http_path>/httpd

in the file /etc/sudoers. Replace <httpd_user> by the proper user name. Replace <httpd_path> by the proper path to the httpd program. For example:

procman     ALL=     NOPASSWD: /usr/sbin/httpd

Step 2: Installation of HWF (HORIZONT Web Framework)

ProcMan requires PHP and a Webserver, which we deliver in the so-called HORIZONT Web Framework (HWF). This document only describes how to install HWF for ProcMan.

1. Download HWF

Download the latest HWF installation package from the HORIZONT customer portal (e.g. HWF V6.0.6) and extract it somewhere on the target system.

2. Optional: Install/update the Microsoft Visual Studio C++ runtime

Install/update the Microsoft Visual Studio C++ runtime (MSVC) manually. Navigate to ../hwf/contrib/ and search for all the vcredist_x64-YYYY.exe files. Run them all as administrator.

3. Run the setup.cmd

Now run the setup.cmd in the downloaded HWF package as administrator and follow the installation steps.

Important things to consider:

In step 1 set the correct installation directory of the existing HWF installation.
In step 4 choose "no" if you decided to install/update the MSVC manually.
There is no need to set the TNS_ADMIN and DB2INSTANCE options in the HWF installation dialog for ProcMan, as they are ignored. They can be left empty (which is the default).
Do not install HDB (HORIZONT Database Module) after the HWF installation, which is asked in the HWF installation dialog after HWF installation finished.

4. Enable full version of DB2 client

To correct this, after HWF installation, remove from the content of the PATH variable the following part:

%HWF_ROOT%\LIB\DB2\BIN;

After changing the content of the PATH variable you have to restart the Web Server (e.g. in Windows’s Services dialog restart the HORIZONT HTTP Server service) before the change takes effect.

5. Verify HWF installation

To check if the HWF installation was successful, open . As user type admin with an empty password. You should now see the HWF System Info.

6. Recommended: Configuring the HWF service to run with a special user

For security reasons it is strongly recommended to change the user under which the by HWF installed service HORIZONT HTTP Server runs.

Windows

This guide walks you through:

Creating or assigning a restricted user
Granting required filesystem and DB2 access
Running the service under the new user
Configuring permissions to allow restarting the service from ProcMan

Step 1: Create or Select a Service User

Create a local user in Windows or use an existing local/domain user.
Ensure the user has a non-expiring password.
Grant this user modify permissions on the HORIZONT installation directory (by default C:\HORIZONT) and all its subdirectories.

Step 2: Assign DB2 Access (if applicable)

If the DB2 Client was installed with Windows Authentication, it creates two local user groups:

DB2ADMNS
DB2USERS

Add the service user to the DB2USERS group to allow DB2 access while maintaining minimal privilege.

Step 3: Configure the Service to Run Under the User

Open the Services management console:
Control Panel → System and Security → Administrative Tools → Services
Locate the HORIZONT HTTP Server service.
Double-click to open its properties and go to the Log On tab.
Select "This account", enter the user credentials created/selected in Step 1, and confirm.
Click OK and restart the service.

Step 4: Allow the User to Restart the Service via ProcMan

A. Prepare a Custom Security Template

Open MMC as administrator:
- Press Win + R, type mmc, and press Enter.
From the menu: File → Add/Remove Snap-in…
Add the following snap-ins:
- Security Templates
- Click OK
In the Security Templates tree, select a directory (e.g., C:\Windows\Security\Templates) and then:
- Action → New Template
Enter a name and (optional) description for the template and click OK.

B. Define Service Permissions in the Template

Under your new template, go to: System Services → HORIZONT HTTP Server
Right-click and select: Action → Properties
In the dialog:
- Check: "Define this policy setting in the template"
- Set Startup mode to Automatic
- Click Edit Security
In the security dialog:
- Add the dedicated service user
- Grant the permission: Start, stop, and pause
Click OK to close all dialogs and save the template.

C. Apply the Security Template

Again, open: File → Add/Remove Snap-in…
Add: Security Configuration and Analysis Click OK
In the snap-in:
- Action → Open Database
- Choose a name for the database file (e.g. horizont_service_config)
When prompted, select the template you created earlier.
Then run: Action → Configure Computer Now
After applying, restart the HORIZONT HTTP Server service once manually as an administrator to ensure new permissions take effect.

Important Notes

These permission changes are persistent and survive system restarts.
The MMC interface may vary slightly between Windows versions.
Always verify service functionality after changing its user context or security settings.

Linux

The web server switches automatically after it is started to run under a lower privileged user. So there is nothing to be done explicitly.

Defaults requiretty

comment it out with a hash (#) in the beginning of the line. Further add a line like this

<httpd_user>     ALL=    NOPASSWD: <http_path>/httpd

in the file /etc/sudoers. Replace <httpd_user> by the proper user name. Replace <httpd_path> by the proper path to the httpd program. For example:

procman     ALL=     NOPASSWD: /usr/sbin/httpd