Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Anchor
top
top
This topic describes how to set up an XperienCentral installation in a Windows 2012 and 2016 production environment. The result is that all requests for static content (images, style sheets, and so forth) are handled through the web server and requests for dynamic content (XperienCentral’s HTML) are forwarded by the web server to XperienCentral which processes the requests. In this topic, an environment will be created with two host names:

...

To use Tomcat, Java has to be installed. The Java Development Kit has to be installed before installing XperienCentral. The version made available by Oracle is used which is not the same version that comes with some Microsoft products. Use at least Java version 8 (official support for Java 7 ended in April 2015)11.

To install XperienCentral, Apache Maven is required. Apache Maven is used to build XperienCentral based on the system-specific settings in the settings.xml. Download the Maven ZIP file from http://maven.apache.org/.  Download the latest release of version 3.6.xx (do not use the 4.x.xx versions of Maven). Unzip the ZIP-file into D:\Program Files\. After unzipping, Maven will be installed in:

...

Note

If in the "System Properties" window the value is too long, the complete path is not visible. To see the complete values, the path and/or set command can be executed in a Command prompt.



Back to top


...

Anchor
install_tomcat_8
install_tomcat_8
Install and Configure Apache Tomcat

...

9.

...

0.

...

50

XperienCentral is written in Java and requires a servlet container to run. Apache Tomcat is such a servlet container in which XperienCentral can operate. XperienCentral has been tested with Apache Tomcat 89.50.3550. Follow the steps in this section to install and configure it.

...

Note

GX Software strongly recommends that if you are doing a clean install of a Tomcat installation that you use version 89.50.3550.


Install Tomcat

Download Tomcat 89.50.35 50 from the link available at http://tomcat.apache.org/ (download the Windows Service Installer). Double-click the downloaded file and then follow the wizard to install Tomcat.

...

                Start > All Programs > Apache Tomcat 89.50.35 50 > Monitor Tomcat

Navigate to the Start screen and then select “Monitor Tomcat”.

...

  1. Open the file D:\Program Files\Tomcat 8.x.x\conf\server.xml.
  2. Remove all content from the server.xml and replace it with:

    Code Block
    themeEclipse
    <?xml version='1.0' encoding='utf-8'?>
    <Server port="8005" shutdown="SHUTDOWN">
       <GlobalNamingResources>
          <!-- Userdatabase is used to secure admin pages! Make sure path is ok otherwise the admin jsps will not work -->
          <Resource name="WMUserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="XperienCentral user database" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="D:/Program Files/Tomcat 8.5/conf/admin-users.xml" />
       </GlobalNamingResources>
       <Service name="WebManager">
          <Connector port="8009" enableLookups="false" redirectPort="8443" debug="1" protocol="AJP/1.3" URIEncoding="UTF-8" secretRequired="false" connectionTimeout="600000" />
          <Engine name="WebManager" defaultHost="localhost">
             <Realm className="org.apache.catalina.realm.LockOutRealm" >
                <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="WMUserDatabase"/>
             </Realm>
             <Host name="localhost" unpackWARs="true" autoDeploy="false" deployOnStartup="false" appBase="D:/XperienCentral/deploy">
                <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
                <Context path="/web" docBase="webmanager-backend-webapp-1.0-SNAPSHOT.war">
                <Valve className="org.apache.catalina.authenticator.DigestAuthenticator" cache="true" />
                <Resource name="jdbc/WebManagerDb" auth="Container" type="javax.sql.DataSource" username="sa" password="admin" driverClassName="net.sourceforge.jtds.jdbc.Driver" url="jdbc:jtds:sqlserver://localhost:1433/webmanagerdb;useLOBs=false" maxTotal="100" maxIdle="10" maxWaitMillis="10000" testWhileIdle="true" timeBetweenEvictionRunsMillis="900000" removeAbandonedOnBorrow="false" removeAbandonedOnMaintenance="false" removeAbandonedTimeout="30" logAbandoned="true" validationQuery="select 1" />
                </Context> 
             </Host> 
          </Engine>
       </Service> 
    </Server>  
    


...

For debugging purposes, XperienCentral uses the authentication mechanism of Tomcat. The server.xml contains a reference to the admin-users.xml file in which one or more users are defined. Create the file D:\Program Files\Tomcat 89.50.3550\conf\admin-users.xml and add the following lines to it:

...

Create the file D:\Program Files\Tomcat 89.50.3550\conf\context.xml and add the following lines to it:

...

  1. Open the D:\Program Files\Tomcat 89.50.3550\conf\logging.properties file.
  2. At the end of the file, add these lines:

...

Obtain a copy of the database driver from the /ext folder of the XperienCentral installation. Copy the driver for your database to the directory D:\Program Files\Tomcat 89.50.3550\lib. Use the following JAR files for the following databases:

  • For MSSQL, copy jtds-x.jar to D:\Program Files\Tomcat 89.50.3550\lib.
  • For Oracle, copy oraclejdbcdriver-x.jar to D:\Program Files\Tomcat 89.50.3550\lib.

    where x in the .jar files above is the version number of the database driver you are using.

    In XperienCentral versions 10.19.1 and earlier, the mysql-connector-java driver was available in the SDK in the /ext and /maven-repository directories. This library has been removed from the 10.20.0 and later SDKs and must be manually downloaded and installed in D:\Program Files\Tomcat 89.50.3550\lib.

ISAPI Redirector

After following all the steps in this part, the webserver (IIS) will receive all the requests for the website. If it’s a request for an image, the webserver can handle that request on its own and will return the image. If the request is for a page, IIS will request the page from XperienCentral (running inside Tomcat). The communication between IIS and Tomcat is handled by the ISAPI Redirector. The ISAPI Redirector can be downloaded from the Tomcat website (http://apache.mirror1.spango.com/tomcat/tomcat-connectors/jk/binaries/windows/).

...

  1. Create the following folder and place the file isapi_redirect.dll in it:

    D:\Program Files\Jakarta Isapi Redirector\bin\

  2. Create the following file:

    D:\Program Files\Jakarta Isapi Redirector\bin\isapi_redirect.properties

  3. Add the following lines to it:


    Code Block
    themeEclipse
    extension_uri=/jakarta/isapi_redirect.dll
    log_file= D:\Program Files\Jakarta Isapi Redirector\logs\isapi_redirect.log
    # Possible Log levels: debug, info, warn, error or trace log_level=info
    worker_file=D:/Program Files/Jakarta Isapi Redirector/conf/workers.properties
    worker_mount_file=D:/Program Files/Jakarta Isapi Redirector/conf/uriworkermap.properties
    



  4. Create the following folder and file:

    D:\Program Files\Jakarta Isapi Redirector\conf\workers.properties

  5. Add the following lines to it:

    Code Block
    themeEclipse
    worker.list=ajp13w
    worker.ajp13w.type=ajp13
    worker.ajp13w.host=localhost
    worker.ajp13w.port=8009
    worker.ajp13w.connection_pool_size=250
    worker.ajp13w.connection_pool_timeout=600
    worker.ajp13w.socket_timeout=600
    


  6. Create the following file:

    D:\Program Files\Jakarta Isapi Redirector\conf\uriworkermap.properties

  7. Add this line to it:

    Code Block
    themeEclipse
    /web/*=ajp13w
    




Back to top


...

Configure the Apache PDFBox Cache Directory

...

Back to top


...

Security Enhancements

...

GX Software constantly performs penetration tests using third parties in order to protect you from the latest security threats. The security tips listed below are frequently updated and added to based on our findings. Please review each tip in order to ensure that your XperienCentral environment is protected from the latest security vulnerabilities.

  • You should install an active virus scanner in the environment where XperienCentral is running. Because files (images, downloads, etc.) can be uploaded to XperienCentral, it is unwise to rely on the client's virus scanner to detect viruses. The installation of the virus scanner is out of scope for the XperienCentral documentation, therefore only this general recommendation is given.

  • To add more enhance security on a DNS level, a DNSSEC (Domain Name Systems Security Extensions) and a CCA CAA (Certification Authority Authorization) should be configured on the domain of a each client's website. This must be configured by the hosting company where with whom the domain is registered. Verify that this is activated for the corresponding website domain.

  • The XperienCentral environment (including Tomcat/Apache) should be isolated (from a security and performance perspective) from other software installations if they reside on the same server. This prevents unauthorized access between applications. When using a dedicated (virtual) server for the XperienCentral installation, this requirement is automatically fulfilled. This ensures that no access is given to other applications on the same server as XperienCentral, and if the website goes down because of performance issues, the other application(s) are not affected.

  • When HTTPS is used in an XperienCentral environment, make sure that the Cipher Suites that the server presents to the browser belonging to the SSL protocol has no weak suites available. Weak suites are a security risk and should not be delivered by the server. You can test the Cipher Suite weaknesses in your environment at ssllabs.com. You can view some examples of an Apache configuration for SSL Cipher Suites at https://ssl-config.mozilla.org/. One such example is:
     


    Code Block
    themeEclipse
    # intermediate configuration - tweak to your own needs
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384


     

     
  • When HTTPS is used, Expect-CT should be added to the response header in order to optimize the security of the SSL connection. This header forces the browser to check the SSL certificate for Certificate Transparency. If the SSL certificate is not transparent, the browser refuses the connection (the enforce option). Add the following header to your Apache configuration in order to enable Expect-CT headers: 

    Expect-CT: max-age=86400, enforce

  • To prevent the malicious use of browser API functions, you should add the response header Feature-Policy to your Apache configuration. This header sets restrictions on the browser API functions. For example, when the browser on a mobile device receives a header with the option camera 'none' then the camera can't be used on that device. The default setting for this header disables all API functions but can of course be customized. GX Software recommends that you add the following header to your default configuration:


    Code Block
    themeEclipse
    Feature-Policy: vibrate 'none'; geolocation 'none'; accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; usb 'none'; vibrate 'none'; vr 'none';



    The full list of options can be found at OWASP Feature Policy



Back to top