| Anchor | ||||
|---|---|---|---|---|
|
...
To use Tomcat, Java has to be installed. The Java Development Kit has to be installed before installing XperienCentral. The version made available by Oracle is used which is not the same version that comes with some Microsoft products. Use at least Java version 8 (official support for Java 7 ended in April 2015)11.
To install XperienCentral, Apache Maven is required. Apache Maven is used to build XperienCentral based on the system-specific settings in the settings.xml. Download the Maven ZIP file from http://maven.apache.org/. Download the latest release of version 3.6.xx (do not use the 4.x.xx versions of Maven). Unzip the ZIP-file into D:\Program Files\. After unzipping, Maven will be installed in:
...
| Note |
|---|
If in the "System Properties" window the value is too long, the complete path is not visible. To see the complete values, the |
...
| Anchor | ||||
|---|---|---|---|---|
|
...
9.
...
0.
...
50
XperienCentral is written in Java and requires a servlet container to run. Apache Tomcat is such a servlet container in which XperienCentral can operate. XperienCentral has been tested with Apache Tomcat 89.50.3550. Follow the steps in this section to install and configure it.
...
| Note |
|---|
GX Software strongly recommends that if you are doing a clean install of a Tomcat installation that you use version 89.50.3550. |
Install Tomcat
Download Tomcat 89.50.35 50 from the link available at http://tomcat.apache.org/ (download the Windows Service Installer). Double-click the downloaded file and then follow the wizard to install Tomcat.
...
Start > All Programs > Apache Tomcat 89.50.35 50 > Monitor Tomcat
Navigate to the Start screen and then select “Monitor Tomcat”.
...
For debugging purposes, XperienCentral uses the authentication mechanism of Tomcat. The server.xml contains a reference to the admin-users.xml file in which one or more users are defined. Create the file D:\Program Files\Tomcat 89.50.3550\conf\admin-users.xml and add the following lines to it:
...
Create the file D:\Program Files\Tomcat 89.50.3550\conf\context.xml and add the following lines to it:
...
- Open the
D:\Program Files\Tomcat 89.50.3550\conf\logging.propertiesfile. - At the end of the file, add these lines:
...
Obtain a copy of the database driver from the /ext folder of the XperienCentral installation. Copy the driver for your database to the directory D:\Program Files\Tomcat 89.50.3550\lib. Use the following JAR files for the following databases:
- For MSSQL, copy
jtds-x.jartoD:\Program Files\Tomcat 89.50.3550\lib. - For Oracle, copy
oraclejdbcdriver-x.jartoD:\Program Files\Tomcat 89.50.3550\lib.
where x in the .jar files above is the version number of the database driver you are using.
In XperienCentral versions 10.19.1 and earlier, the mysql-connector-java driver was available in the SDK in the/extand/maven-repositorydirectories. This library has been removed from the 10.20.0 and later SDKs and must be manually downloaded and installed inD:\Program Files\Tomcat 89.50.3550\lib.
ISAPI Redirector
After following all the steps in this part, the webserver (IIS) will receive all the requests for the website. If it’s a request for an image, the webserver can handle that request on its own and will return the image. If the request is for a page, IIS will request the page from XperienCentral (running inside Tomcat). The communication between IIS and Tomcat is handled by the ISAPI Redirector. The ISAPI Redirector can be downloaded from the Tomcat website (http://apache.mirror1.spango.com/tomcat/tomcat-connectors/jk/binaries/windows/).
...
- Create the following folder and place the file
isapi_redirect.dllin it:D:\Program Files\Jakarta Isapi Redirector\bin\ - Create the following file:
D:\Program Files\Jakarta Isapi Redirector\bin\isapi_redirect.properties Add the following lines to it:
Code Block theme Eclipse extension_uri=/jakarta/isapi_redirect.dll log_file= D:\Program Files\Jakarta Isapi Redirector\logs\isapi_redirect.log # Possible Log levels: debug, info, warn, error or trace log_level=info worker_file=D:/Program Files/Jakarta Isapi Redirector/conf/workers.properties worker_mount_file=D:/Program Files/Jakarta Isapi Redirector/conf/uriworkermap.properties
Create the following folder and file:
D:\Program Files\Jakarta Isapi Redirector\conf\workers.propertiesAdd the following lines to it:
Code Block theme Eclipse worker.list=ajp13w worker.ajp13w.type=ajp13 worker.ajp13w.host=localhost worker.ajp13w.port=8009 worker.ajp13w.connection_pool_size=250 worker.ajp13w.connection_pool_timeout=600 worker.ajp13w.socket_timeout=600
Create the following file:
D:\Program Files\Jakarta Isapi Redirector\conf\uriworkermap.propertiesAdd this line to it:
Code Block theme Eclipse /web/*=ajp13w
...
Configure the Apache PDFBox Cache Directory
...
- You should install an active virus scanner in the environment where XperienCentral is running. Because files (images, downloads, etc.) can be uploaded to XperienCentral, it is unwise to rely on the client's virus scanner to detect viruses. The installation of the virus scanner is out of scope for the XperienCentral documentation, therefore only this general recommendation is given.
- To enhance security on a DNS level, a DNSSEC (Domain Name Systems Security Extensions) and a CAA (Certification Authority Authorization) should be configured on the domain of each client's website. This must be configured by the hosting company with whom the domain is registered. Verify that this is activated for the corresponding website domain.
- The XperienCentral environment (including Tomcat/Apache) should be isolated (from a security and performance perspective) from other software installations if they reside on the same server. This prevents unauthorized access between applications. When using a dedicated (virtual) server for the XperienCentral installation, this requirement is automatically fulfilled. This ensures that no access is given to other applications on the same server as XperienCentral, and if the website goes down because of performance issues, the other application(s) are not affected.
When HTTPS is used in an XperienCentral environment, make sure that the Cipher Suites that the server presents to the browser belonging to the SSL protocol has no weak suites available. Weak suites are a security risk and should not be delivered by the server. You can test the Cipher Suite weaknesses in your environment at ssllabs.com. You can view some examples of an Apache configuration for SSL Cipher Suites at https://ssl-config.mozilla.org/. One such example is:
Code Block theme Eclipse # intermediate configuration - tweak to your own needs SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
- When HTTPS is used,
Expect-CTshould be added to the response header in order to optimize the security of the SSL connection. This header forces the browser to check the SSL certificate for Certificate Transparency. If the SSL certificate is not transparent, the browser refuses the connection (theenforceoption). Add the following header to your Apache configuration in order to enableExpect-CTheaders:Expect-CT: max-age=86400, enforce To prevent the malicious use of browser API functions, you should add the response header
Feature-Policyto your Apache configuration. This header sets restrictions on the browser API functions. For example, when the browser on a mobile device receives a header with the optioncamera 'none'then the camera can't be used on that device. The default setting for this header disables all API functions but can of course be customized. GX Software recommends that you add the following header to your default configuration:Code Block theme Eclipse Feature-Policy: vibrate 'none'; geolocation 'none'; accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; usb 'none'; vibrate 'none'; vr 'none';
The full list of options can be found at OWASP Feature Policy
...