Platform Deployment Guide

This guide describes how to deploy Datamine's MineTrust Platform using the on-premise bootstrapper wizard. It explains each stage of the installation process, details every configuration parameter, and outlines post-installation tasks.

Introduction

The MineTrust Platform bootstrapper provides a guided installation experience for deploying the platform on Windows servers. It automates installation of prerequisites, database setup, service configuration, TLS enablement, and integration with your chosen identity platform.

The wizard runs as a four-page flow:

  1. Start: Accept license, repair/uninstall existing installations.
  2. Authentication: Select the authentication mode (Microsoft Identity or JWT Bearer / ADFS).
  3. Planning: Configure database, services, TLS, and identity parameters.
  4. Installation: Perform the deployment, confirm success and complete post-installation checks.

System Specifications

This section details the specifications of the components involved in an on-premise deployment of MineTrust Platform.

Prerequisites

Before starting installation, ensure the following:

  • Operating System: Windows Server 2019 or later (x64).
  • Privileges: Administrator rights are required.
  • Disk space: At least 10 GB free on the installation drive (not including MineTrust file storage which should be provisioned separately).
  • Network: Connectivity to the identity provider – either a Microsoft Entra ID / Entra External ID (B2C) tenant or an ADFS server.
  • Certificates (if TLS enabled): Valid .pfx files with passwords.

    Important: The certificates supplied to the bootstrapper must be provisioned in advance and trusted for TLS at machine level. If TLS is enabled for the MineTrust REST API and the certificate used for the TLS binding is not trusted, the deployment will likely fail.

  • MineTrust file storage (where applicable): Suitable locally-available storage in which MineTrust is able to store files.

    Important: If the MineTrust file storage has been provisioned as a network share then it will generally be necessary to provision a domain service account with read/write access to the share folder. In this scenario, the MineTrust Server Windows Service must be configured to log on with this account as a post-installation task. There is no built-in wizard support for handling this configuration.

Installed Components

The following components will be installed by the bootstrapper:

  • .NET Hosting Runtime: All components of the MineTrust Platform target .NET 10.0.
  • Database (optional – see below): One of the following:
    • PostgreSQL 17
    • Microsoft SQL Express 2019
  • MineTrust Platform: Consists of the following components (each installed as a Windows Service):
    • MineTrust Server
    • MineTrust Provisioner (Microsoft Identity mode only – omitted in JWT Bearer / ADFS deployments)
    • MineTrust Online

Targeting an Existing DB Installation (optional)

You may optionally target an existing deployment of either database technology. In this case, the database must be accessible from the MineTrust server and meet the following minimum requirements:

  • PostgreSQL: Version 17 or later.
  • MSSQL: Microsoft SQL Server / SQL Express 2019 or later.

It is generally recommended to configure a dedicated service account on either database platform with which MineTrust may access its own database – these may be entered in the database configuration dialog during the installation.

Note in particular that, depending on the privileges granted to the service account, the following considerations should be made:

  • Privileged access: The bootstrapper will attempt to automatically create and initialise the MineTrust database.
  • Non-privileged access: In the case where the service account does not have access to create a database, this should be provisioned in advance and entered in the database configuration dialog. Ensure also that the 'Initialise Database' box is checked in this same dialog (in this instance the warning may be safely disregarded).

Identity Platform Configuration and User Enrolment

The bootstrapper supports two authentication modes:

  • Microsoft Identity (Entra ID / Entra External ID): Standard OpenID Connect integration. All platform components are deployed, including MineTrust Provisioner.
  • JWT Bearer (ADFS): JwtBearer authentication for environments using Active Directory Federation Services or compatible IdentityServer implementations. MineTrust Provisioner is not included in this mode.

For detailed guidance on configuring application registrations and identity bindings, see the Identity Configuration & Setup Guide.

For end-users to complete single sign-on journeys and access the services in the finished deployment, the corresponding authentication configuration must be in place on the identity platform:

  • Microsoft Identity: Application registrations must be created for MineTrust Server, MineTrust Online, MineTrust Provisioner, and (optionally) MineTrust Connector in your Entra ID / Entra External ID tenant.
  • ADFS: An Application Group containing a Server Application (MineTrust Online) and a Web API (MineTrust Server API) must be configured in the ADFS Management console.

In either case, please liaise with your local Datamine representative to ensure that this configuration is in place.

User enrolment onto the MineTrust Platform is handled by one of the following:

  • For deployments which use Datamine's Customer Portal as an identity platform, MineTrust enrolment for individual users is administered directly within the Customer Portal.
  • For deployments using any other identity platform, users must be manually enrolled onto MineTrust. This will typically involve bespoke configuration and tooling – please contact your local Datamine representative.

Installer Workflow

The bootstrapper enforces a linear workflow:

  1. Start page: select action.
  2. Authentication page: select authentication mode.
  3. Planning page: supply configuration.
  4. Installation page: perform deployment and verify upon completion.

The following sections describe each page in detail.

Start Page

Initialisation

When the wizard first opens, it may display:

"The setup engine is initialising…"

In this state, the wizard checks for prerequisites and existing installations.

New Installation

If no installation is detected:

  • A welcome message is displayed.
  • You must review the license text.
  • Select I have read and accept the terms and conditions to proceed.

Existing Installation

If an installation is detected, the following options are offered:

  • Repair: Re-apply the installation.
  • Uninstall: Remove MineTrust Platform.

Installation in Progress

If an installation is already running, the page displays:

  • The current status message.
  • A progress bar.

Interaction is disabled until the task completes.

Completion Status

Once installation ends:

  • Success: Displays "Installation complete."
  • Failure: Displays error code and provides a link to the log file.

Authentication Page

The Authentication page allows you to select the identity platform mode for the deployment. This choice determines which identity parameters are required on the Planning page and whether MineTrust Provisioner is included.

Microsoft Identity Platform (Entra ID / B2C)

Select this option for deployments using Microsoft Entra ID or Entra External ID (B2C). All platform components are installed, including MineTrust Provisioner. The Planning page will present the full set of Entra-specific identity fields.

JWT Bearer (ADFS)

Select this option for environments using Active Directory Federation Services or a compatible IdentityServer implementation. MineTrust Provisioner is omitted from the deployment and platform initialisation is disabled. The Planning page will present ADFS-specific identity fields (authority, audience, and issuer).

Planning Page

The Planning page is the most detailed section of the wizard. Configuration is grouped into categories. All errors are reported inline, and you cannot proceed until validation succeeds.

The content displayed on this page adapts based on the authentication mode selected on the previous page.

Database Configuration

  • Database Type: Displays the selected backend (PostgreSQL or MSSQL).
    • Use Configure to open the Database Connection dialog.

Database Connection Dialog

  • Technology Selection: Choose PostgreSQL or MSSQL.
  • Server / Port:
    • PostgreSQL default: localhost:5432.
    • MSSQL default: .\SQLEXPRESS.
  • Database Name: Default minetrust (PostgreSQL) or MineTrust (MSSQL).
  • Username / Password: Service account credentials.
  • Install New Database Engine: Install PostgreSQL or SQL Express locally with new admin password.
  • Initialise Database: Create schema and tables (warning if existing DB found).
  • Test Connection: Mandatory unless installing a new database instance.

Validation rules:

  • Password required when installing PostgreSQL/SQL Express.
  • Connection must be tested.
  • If an existing DB is detected, a warning will be displayed if the option to Initialise Database is enabled.

MineTrust Data Root

  • Description: Disk location for storing MineTrust files.
  • Validation: Must be accessible or creatable. Supports environment variables.
  • Permissions: If the MineTrust Data Root is provisioned as a network share then suitable permissions must be configured in order for MineTrust Server to access this location. This will typically involve post-installation configuration of the Windows Service (to log on as a specific service account).

TLS Configuration (High-level)

  • Enable TLS for MineTrust REST API
  • Enable TLS for MineTrust Online

Enabling either option requires certificates (see TLS Options below).

Windows Service Options

Names for the Windows services installed:

  • MineTrust Server: Datamine.MineTrustServer (default)
  • MineTrust Provisioner: Datamine.MineTrustProvisioner (default) – only visible in Microsoft Identity mode.
  • MineTrust Online: Datamine.MineTrustOnline (default)

Each service name must be unique on the system.

  • Base logs location: The root directory under which platform log directories and files will be created. Defaults to the system's local TEMP directory if omitted.

Identity Platform

The fields displayed in this section depend on the authentication mode selected on the Authentication page.

Microsoft Identity mode

The following fields are required for Entra ID / Entra External ID integration:

  • Entra ID instance URL.
  • Entra ID tenant.
  • Default sign-in policy.
  • Client IDs for MineTrust Server and MineTrust Provisioner.
  • Client secret for MineTrust Provisioner.
  • Server application URI ID.
  • Extensions application ID (Entra External ID).

JWT Bearer (ADFS) mode

The following fields are required for ADFS integration:

  • ADFS authority endpoint (e.g. https://adfs.yourdomain.local/adfs).
  • ADFS audience identifier (e.g. https://minetrust/api).
  • ADFS issuer URI (e.g. http://adfs.yourdomain.local/adfs/services/trust).
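
The three ADFS values can be checked against the federation metadata from the MineTrust server before they are entered. The script below is an added example, not Datamine tooling; it assumes an AD FS 2016 or later farm that publishes OpenID Connect metadata with an `access_token_issuer` field, and the URLs are the placeholder values from this guide.

```powershell
# Added example: pre-check of the JWT Bearer (ADFS) fields. Not part of the installer.
# Placeholder values taken from this guide; replace with your own.
$authority = 'https://adfs.yourdomain.local/adfs'
$issuer    = 'http://adfs.yourdomain.local/adfs/services/trust'

# Fetching the metadata from this server also proves the network prerequisite
# (connectivity to the identity provider) and that the ADFS TLS certificate is trusted here.
$base = $authority.TrimEnd('/')
$meta = Invoke-RestMethod -Uri "$base/.well-known/openid-configuration"
$jwks = Invoke-RestMethod -Uri $meta.jwks_uri

$checks = @(
    [pscustomobject]@{
        Check  = 'Authority uses https'
        Passed = ([uri]$authority).Scheme -eq 'https'
        Detail = $authority
    }
    [pscustomobject]@{
        # Compared case-sensitively: a differing scheme, case or trailing slash
        # is a different issuer string.
        Check  = 'Issuer matches access_token_issuer'
        Passed = $issuer -ceq $meta.access_token_issuer
        Detail = "metadata: $($meta.access_token_issuer)"
    }
    [pscustomobject]@{
        Check  = 'Signing keys published'
        Passed = @($jwks.keys).Count -gt 0
        Detail = "$(@($jwks.keys).Count) key(s) at $($meta.jwks_uri)"
    }
)
$checks | Format-Table -AutoSize -Wrap
if ($checks.Passed -contains $false) { exit 1 }
```

The audience identifier is not published in the metadata; it has to be compared with the identifier configured on the Web API in the ADFS Application Group.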

Shared fields (both modes)

  • MineTrust Online client ID.
  • MineTrust Online client secret.

All fields relevant to the selected mode are required and validated.

TLS Options

If TLS is enabled:

  • REST API PFX path + password.
  • Online PFX path + password.

Certificates must exist and be valid for TLS encryption (trusted at machine level).

Advanced Options

  • Service UID: Unique string, generated if omitted.
  • Service Friendly Name: Human-readable identifier to be associated with the platform.
  • MineTrust Server Application URLs: ASP.NET base URLs for MineTrust Server (required). Each URL must include an explicit port number.
  • MineTrust Online Application URLs: ASP.NET base URLs for MineTrust Online (required). Each URL must include an explicit port number.
  • MineTrust Server Local Endpoint: Local connection string used internally by the MineTrust components (required).

    Important: For TLS-enabled deployments of the MineTrust Platform, it is essential that the Certificate(s) used to secure the deployment are bound to this endpoint. Typically, this will mean that the host part of the MineTrust Server Local Endpoint should match the Subject Name of the TLS certificate used (the wizard will automatically populate this if it is found).

  • MineTrust Online Public Endpoint: Public connection string identifying the endpoint to which end-users will navigate in their browser (required).

    Important: For TLS-enabled deployments of the MineTrust Platform, it is essential that the MineTrust Online public endpoint be set to the base URL which will publicly expose the web application. This value propagates down to the CORS configuration of MineTrust Server and will likely cause the web application to malfunction if set incorrectly.

  • Initialise Platform: Whether to deploy default roles and permissions. Only visible in Microsoft Identity mode (disabled automatically in JWT Bearer / ADFS mode).
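
The certificate requirements stated under Prerequisites, TLS Options and the MineTrust Server Local Endpoint note above can be checked before the wizard is run. The script below is an added example, not part of the MineTrust installer; `$PfxPath` and `$EndpointHost` are placeholder parameters, and revocation checking is skipped as an assumption so that it also works on servers without outbound access.

```powershell
# Added example: pre-flight check of a .pfx before supplying it to the bootstrapper.
# Run elevated on the target server.
param(
    [Parameter(Mandatory)] [string] $PfxPath,       # value intended for a ...PFXPath field
    [Parameter(Mandatory)] [string] $EndpointHost   # host part of the matching endpoint URL
)
$ns = 'System.Security.Cryptography.X509Certificates'
$password = Read-Host -AsSecureString -Prompt "Password for $PfxPath"

# Throws if the file cannot be read or the password is wrong.
$fullPath = (Resolve-Path -LiteralPath $PfxPath).Path
$cert = New-Object "$ns.X509Certificate2" -ArgumentList $fullPath, $password

# Enhanced Key Usage: absent means unrestricted, otherwise Server Authentication is needed.
$eku = $cert.Extensions | Where-Object { $_ -is ("$ns.X509EnhancedKeyUsageExtension" -as [type]) }
$ekuOk = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')

# Primary DNS name only (first SAN entry, or the subject CN if there is no SAN).
# A certificate with several SAN entries needs each one compared.
$primaryName = $cert.GetNameInfo('DnsName', $false)

# Build the chain in machine context, which is what a Windows service will see.
# Intermediates that exist only inside the .pfx are not used, so a partial chain
# here means they still have to be installed in the LocalMachine stores.
$chain = New-Object "$ns.X509Chain" -ArgumentList $true
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: no CRL/OCSP lookup
$trusted = $chain.Build($cert)
$chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

$now = Get-Date
$checks = @(
    [pscustomobject]@{ Check = 'Private key present'; Passed = $cert.HasPrivateKey
                       Detail = $cert.Thumbprint }
    [pscustomobject]@{ Check = 'Within validity period'
                       Passed = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
                       Detail = "expires $($cert.NotAfter)" }
    [pscustomobject]@{ Check = 'Usable for server authentication'; Passed = $ekuOk
                       Detail = '' }
    [pscustomobject]@{ Check = 'Name matches endpoint host'
                       Passed = ($EndpointHost -like $primaryName)   # -like covers wildcards
                       Detail = "certificate name: $primaryName" }
    [pscustomobject]@{ Check = 'Trusted at machine level'; Passed = $trusted
                       Detail = $chainErrors }
)
$checks | Format-Table -AutoSize -Wrap
if ($checks.Passed -contains $false) { exit 1 }
```

Run it once per certificate: with the REST API .pfx and the host of the MineTrust Server Local Endpoint, then with the Online .pfx and the host of the MineTrust Online Public Endpoint.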

Reset Defaults

Clicking Reset defaults restores all parameters to installer defaults.

Installation Page

Ready to Install

When configuration is valid:

"Ready to install MineTrust Platform. Click 'Install' to proceed."

Clicking Install locks configuration and begins deployment.

Installation Progress

  • A status label shows the current operation.
  • A progress bar reflects progress.

Completion

  • Success: Displays "Installation complete."
  • Failure: Displays error with result code and a link to the log file.

Logging

Installer logs are written to the configured log path. Retain logs for support.

Finished State and Post-Installation Tasks

Verifying Success

  • Confirm success message.
  • Review logs for warnings or errors.

Post-Installation Checklist

  • Windows Services: Ensure MineTrust Server and MineTrust Online are running. In Microsoft Identity mode, also verify that MineTrust Provisioner is running. Perform any post-deployment steps such as service account configuration for MineTrust Server.
  • Data Root: Verify that the directory exists and is accessible.
  • Database: Confirm schema creation and connectivity.
  • Certificates: If TLS is enabled, check that the certificates are bound to the TLS endpoints.
  • Network Endpoints: Test configured URLs.
  • Identity Platform: Validate sign-in flow.
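
Several of the checklist items can be scripted. The script below is an added example, not Datamine tooling; the service names, data root and endpoints are the installer defaults listed in this guide for a deployment without TLS, and must be replaced with the values entered on the Planning page.

```powershell
# Added example: post-installation checks. Run elevated on the MineTrust server.
# Installer defaults from this guide; TLS deployments default to
# https://localhost:9001 and https://localhost instead.
$services  = 'Datamine.MineTrustServer', 'Datamine.MineTrustOnline',
             'Datamine.MineTrustProvisioner'
$dataRoot  = 'C:\ProgramData\Datamine\MineTrust'
$endpoints = 'http://localhost:9000', 'http://localhost:8080'

# 1. Windows services: state and the account each one logs on as.
foreach ($name in $services) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        Write-Warning "$name is not installed (expected for Provisioner in JWT Bearer / ADFS mode)"
        continue
    }
    '{0,-32} {1,-8} logs on as {2}' -f $svc.Name, $svc.State, $svc.StartName
}

# 2. Data root. This runs as the current administrator; for a network share,
#    repeat the access test as the account shown for MineTrust Server above.
if (Test-Path -LiteralPath $dataRoot -PathType Container) { "Data root present: $dataRoot" }
else { Write-Warning "Data root missing or not reachable: $dataRoot" }

# 3. Endpoints: is the port listening and, for https, which certificate is bound.
foreach ($url in $endpoints) {
    $uri = [uri]$url
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($uri.Host, $uri.Port)
        if ($uri.Scheme -ne 'https') { "$url is listening (no TLS)"; continue }

        # AuthenticateAsClient throws if the served certificate is not trusted
        # on this machine or does not match the host name in the URL.
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false
        $ssl.AuthenticateAsClient($uri.Host)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                             -ArgumentList $ssl.RemoteCertificate
        "$url TLS OK, subject=$($served.Subject), expires=$($served.NotAfter)"
    }
    catch { Write-Warning "$url failed: $($_.Exception.Message)" }
    finally { $tcp.Dispose() }
}
```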

Next Steps

  • Perform initial login at configured URL.
  • Provision roles/permissions if not initialised automatically.
  • Enrol users onto the Platform via the Datamine Customer Portal (Microsoft Identity mode) or your organisation's user management process (ADFS mode).
  • From a client endpoint, download and install MineTrust Connector and connect to the initialised platform.

Troubleshooting

  • Check Event Viewer Logs if services fail to start.
  • Check C:\Windows\TEMP for installer logs.
  • Validate database access and creation using either pgAdmin or MSSQL SSMS.
  • Validate certificates for TLS errors.
  • Validate MineTrust Data Root access using the service account configured for MineTrust Server.

Appendix: Parameters Reference

The following table lists all parameters available in the MineTrust Platform installer, grouped by category.

| Category | Parameter | Description | Required | Default |
|---|---|---|---|---|
| Database | Database Technology | The backing database technology (PostgreSQL or MSSQL). | Yes | None |
| Database | Server | Server name, IP address, or connection string where the database instance is accessible. | Yes | localhost (PostgreSQL), .\SQLEXPRESS (MSSQL) |
| Database | Port | Port on which PostgreSQL is exposed. | Yes (PostgreSQL only) | 5432 |
| Database | Database | Name of the MineTrust database within the instance. | Yes | minetrust (PostgreSQL), MineTrust (MSSQL) |
| Database | Username | Service account user ID for database access. | Yes | postgres (PostgreSQL), sa (MSSQL) |
| Database | Password | Password for the service account used to connect to the database. | Yes | Empty |
| Database | InstallPostgres | Whether to install and configure a new PostgreSQL instance on the local server. | No | False |
| Database | InstallSQLExpress | Whether to install and configure a new SQL Express instance on the local server. | No | False |
| Database | InitialiseDatabase | Whether to initialise the target database schema. | No | True if installing a new database instance, otherwise False |
| Database | DatabaseConnectionString | Complete connection string used to connect to the database. | Yes | Built from other parameters |
| Data Root | MineTrustDataRoot | File system directory where MineTrust stores files. | Yes | C:\ProgramData\Datamine\MineTrust |
| Windows Services | MineTrustServerServiceName | Windows service name for MineTrust Server. | Yes | Datamine.MineTrustServer |
| Windows Services | MineTrustProvisionerServiceName | Windows service name for MineTrust Provisioner. | Yes (MI mode only) | Datamine.MineTrustProvisioner |
| Windows Services | MineTrustOnlineServiceName | Windows service name for MineTrust Online. | Yes | Datamine.MineTrustOnline |
| Windows Services | LogsBaseDirectory | Base location under which platform log files are located. | No | C:\WINDOWS\Temp |
| Authentication | AuthenticationMode | The authentication mode for the deployment (MicrosoftIdentity or JwtBearer). | Yes | MicrosoftIdentity |
| Identity (MI) | AzureInstance | Microsoft Entra ID instance URL. | Yes (MI mode only) | None |
| Identity (MI) | AzureTenantId | Microsoft Entra ID tenant. | Yes (MI mode only) | None |
| Identity (MI) | AzureDefaultPolicy | Default sign-in user flow or policy. | Yes (MI mode only) | None |
| Identity (MI) | MineTrustServerClientId | Client ID for the MineTrust Server app registration in Entra ID. | Yes (MI mode only) | None |
| Identity (MI) | MineTrustProvisionerClientId | Client ID for the MineTrust Provisioner app registration in Entra ID. | Yes (MI mode only) | None |
| Identity (MI) | MineTrustProvisionerClientSecret | Client secret for the MineTrust Provisioner app registration in Entra ID. | Yes (MI mode only) | None |
| Identity (MI) | MineTrustServerAppUriId | Public application URI ID for the MineTrust Server endpoint. | Yes (MI mode only) | None |
| Identity (MI) | AzureExtensionAppId | ID of the extensions app registration in Entra External ID. | Yes (MI mode only) | None |
| Identity (ADFS) | AdfsAuthority | ADFS authority endpoint (e.g. https://adfs.yourdomain.local/adfs). | Yes (ADFS mode only) | None |
| Identity (ADFS) | AdfsAudience | Audience identifier registered on the ADFS Web API (e.g. https://minetrust/api). | Yes (ADFS mode only) | https://minetrust/api |
| Identity (ADFS) | AdfsIssuer | Valid token issuer URI from ADFS metadata (e.g. http://adfs.yourdomain.local/adfs/services/trust). | Yes (ADFS mode only) | None |
| Identity (shared) | MineTrustOnlineClientId | Client ID of the MineTrust Online app registration. | Yes | None |
| Identity (shared) | MineTrustOnlineClientSecret | Client secret for MineTrust Online. | Yes | None |
| TLS Configuration | EnableTLSMineTrustRestApi | Enable TLS on the MineTrust REST API endpoint. | No | False |
| TLS Configuration | EnableTLSMineTrustOnline | Enable TLS on the MineTrust Online endpoint. | No | False |
| TLS Configuration | MineTrustRestApiPFXPath | Path to the .pfx certificate file securing the REST API endpoint. | Yes if TLS enabled | None |
| TLS Configuration | MineTrustRestApiPFXPassword | Password for the REST API .pfx file. | Yes if TLS enabled | None |
| TLS Configuration | MineTrustOnlinePFXPath | Path to the .pfx certificate file securing the Online endpoint. | Yes if TLS enabled | None |
| TLS Configuration | MineTrustOnlinePFXPassword | Password for the Online .pfx file. | Yes if TLS enabled | None |
| Advanced | MineTrustServiceUID | Unique identifier string for this MineTrust instance (generated if omitted). | No | Generated |
| Advanced | MineTrustServiceFriendlyName | Friendly name used to identify the instance (generated if omitted). | No | Generated |
| Advanced | MineTrustServerAppURLs | ASP.NET application URLs for the MineTrust Server service. | Yes | http://+:9000 (no TLS) or https://+:9001 (TLS enabled) |
| Advanced | MineTrustOnlineAppURLs | ASP.NET application URLs for the MineTrust Online service. | Yes | http://+:8080 (no TLS) or https://+:443 (TLS enabled) |
| Advanced | MineTrustServerLocalEndpoint | Local connection string for the MineTrust Server. | Yes | http://localhost:9000 (no TLS) or https://localhost:9001 (TLS enabled) |
| Advanced | MineTrustOnlinePublicEndpoint | The public endpoint which will be exposed to users for accessing MineTrust Online. | Yes | http://localhost:8080 (no TLS) or https://localhost (TLS enabled) |
| Advanced | DeployProvisionerData | Initialise platform with standard roles and permissions (MI mode only). | No | True (MI mode), False (ADFS mode) |