Anchor | ||||
---|---|---|---|---|
|
...
To use Tomcat, Java has to be installed. The Java Development Kit has to be installed before installing XperienCentral. The version made available by Oracle is used which is not the same version that comes with some Microsoft products. Use at least Java version 8 (official support for Java 7 ended in April 2015)11.
To install XperienCentral, Apache Maven is required. Apache Maven is used to build XperienCentral based on the system-specific settings in the settings.xml. Download the Maven ZIP file from http://maven.apache.org/. Download the latest release of version 3.6.xx (do not use the 4.x.xx versions of Maven). Unzip the ZIP-file into D:\Program Files\
. After unzipping, Maven will be installed in:
...
Note |
---|
If in the "System Properties" window the value is too long, the complete path is not visible. To see the complete values, the |
...
Anchor | ||||
---|---|---|---|---|
|
...
9.
...
0.
...
50
XperienCentral is written in Java and requires a servlet container to run. Apache Tomcat is such a servlet container in which XperienCentral can operate. XperienCentral has been tested with Apache Tomcat 89.50.3550. Follow the steps in this section to install and configure it.
...
Note |
---|
GX Software strongly recommends that if you are doing a clean install of a Tomcat installation that you use version 89.50.3550. |
Install Tomcat
Download Tomcat 89.50.35 50 from the link available at http://tomcat.apache.org/ (download the Windows Service Installer). Double-click the downloaded file and then follow the wizard to install Tomcat.
...
Start > All Programs > Apache Tomcat 89.50.35 50 > Monitor Tomcat
Navigate to the Start screen and then select “Monitor Tomcat”.
...
- Open the file
D:\Program Files\Tomcat 8.x.x\conf\server.xml
. Remove all content from the
server.xml
and replace it with:Code Block theme Eclipse <?xml version='1.0' encoding='utf-8'?> <Server port="8005" shutdown="SHUTDOWN"> <GlobalNamingResources> <!-- Userdatabase is used to secure admin pages! Make sure path is ok otherwise the admin jsps will not work --> <Resource name="WMUserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="XperienCentral user database" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="D:/Program Files/Tomcat 8.5/conf/admin-users.xml" /> </GlobalNamingResources> <Service name="WebManager"> <Connector port="8009" enableLookups="false" redirectPort="8443" debug="1" protocol="AJP/1.3" URIEncoding="UTF-8" secretRequired="false" connectionTimeout="600000" /> <Engine name="WebManager" defaultHost="localhost"> <Realm className="org.apache.catalina.realm.LockOutRealm" > <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="WMUserDatabase"/> </Realm> <Host name="localhost" unpackWARs="true" autoDeploy="false" deployOnStartup="false" appBase="D:/XperienCentral/deploy"> <Valve className="org.apache.catalina.authenticator.SingleSignOn"/> <Context path="/web" docBase="webmanager-backend-webapp-1.0-SNAPSHOT.war"> <Valve className="org.apache.catalina.authenticator.DigestAuthenticator" cache="true" /> <Resource name="jdbc/WebManagerDb" auth="Container" type="javax.sql.DataSource" username="sa" password="admin" driverClassName="net.sourceforge.jtds.jdbc.Driver" url="jdbc:jtds:sqlserver://localhost:1433/webmanagerdb;useLOBs=false" maxTotal="100" maxIdle="10" maxWaitMillis="10000" testWhileIdle="true" timeBetweenEvictionRunsMillis="900000" removeAbandonedOnBorrow="false" removeAbandonedOnMaintenance="false" removeAbandonedTimeout="30" logAbandoned="true" validationQuery="select 1" /> </Context> </Host> </Engine> </Service> </Server>
...
For debugging purposes, XperienCentral uses the authentication mechanism of Tomcat. The server.xml
contains a reference to the admin-users.xml
file in which one or more users are defined. Create the file D:\Program Files\Tomcat 89.50.3550\conf\admin-users.xml
and add the following lines to it:
...
Create the file D:\Program Files\Tomcat 89.50.3550\conf\context.xml
and add the following lines to it:
...
- Open the
D:\Program Files\Tomcat 89.50.3550\conf\logging.properties
file. - At the end of the file, add these lines:
...
Obtain a copy of the database driver from the /ext
folder of the XperienCentral installation. Copy the driver for your database to the directory D:\Program Files\Tomcat 89.50.3550\lib
. Use the following JAR files for the following databases:
- For MSSQL, copy
jtds-x.jar
toD:\Program Files\Tomcat 89.50.3550\lib
. - For Oracle, copy
oraclejdbcdriver-x.jar
toD:\Program Files\Tomcat 89.50.3550\lib
.
where x in the .jar files above is the version number of the database driver you are using.
In XperienCentral versions 10.19.1 and earlier, the mysql-connector-java driver was available in the SDK in the/ext
and/maven-repository
directories. This library has been removed from the 10.20.0 and later SDKs and must be manually downloaded and installed inD:\Program Files\Tomcat 89.50.3550\lib
.
ISAPI Redirector
After following all the steps in this part, the webserver (IIS) will receive all the requests for the website. If it’s a request for an image, the webserver can handle that request on its own and will return the image. If the request is for a page, IIS will request the page from XperienCentral (running inside Tomcat). The communication between IIS and Tomcat is handled by the ISAPI Redirector. The ISAPI Redirector can be downloaded from the Tomcat website (http://apache.mirror1.spango.com/tomcat/tomcat-connectors/jk/binaries/windows/).
...
- Create the following folder and place the file
isapi_redirect.dll
in it:D:\Program Files\Jakarta Isapi Redirector\bin\
- Create the following file:
D:\Program Files\Jakarta Isapi Redirector\bin\isapi_redirect.properties
Add the following lines to it:
Code Block theme Eclipse extension_uri=/jakarta/isapi_redirect.dll log_file= D:\Program Files\Jakarta Isapi Redirector\logs\isapi_redirect.log # Possible Log levels: debug, info, warn, error or trace log_level=info worker_file=D:/Program Files/Jakarta Isapi Redirector/conf/workers.properties worker_mount_file=D:/Program Files/Jakarta Isapi Redirector/conf/uriworkermap.properties
Create the following folder and file:
D:\Program Files\Jakarta Isapi Redirector\conf\workers.properties
Add the following lines to it:
Code Block theme Eclipse worker.list=ajp13w worker.ajp13w.type=ajp13 worker.ajp13w.host=localhost worker.ajp13w.port=8009 worker.ajp13w.connection_pool_size=250 worker.ajp13w.connection_pool_timeout=600 worker.ajp13w.socket_timeout=600
Create the following file:
D:\Program Files\Jakarta Isapi Redirector\conf\uriworkermap.properties
Add this line to it:
Code Block theme Eclipse /web/*=ajp13w
...
Configure the Apache PDFBox Cache Directory
...
...
Security Enhancements
...
GX Software constantly performs penetration tests using third parties in order to protect you from the latest security threats. The security tips listed below are frequently updated and added to based on our findings. Please review each tip in order to ensure that your XperienCentral environment is protected from the latest security vulnerabilities.
- You should install an active virus scanner in the environment where XperienCentral is running. Because files (images, downloads, etc.) can be uploaded to XperienCentral, it is unwise to rely on the client's virus scanner to detect viruses. The installation of the virus scanner is out of scope for the XperienCentral documentation, therefore only this general recommendation is given.
- To add more enhance security on a DNS level, a DNSSEC (Domain Name Systems Security Extensions) and a CCA CAA (Certification Authority Authorization) should be configured on the domain of a each client's website. This must be configured by the hosting company where with whom the domain is registered. Verify that this is activated for the corresponding website domain.
- The XperienCentral environment (including Tomcat/Apache) should be isolated (from a security and performance perspective) from other software installations if they reside on the same server. This prevents unauthorized access between applications. When using a dedicated (virtual) server for the XperienCentral installation, this requirement is automatically fulfilled. This ensures that no access is given to other applications on the same server as XperienCentral, and if the website goes down because of performance issues, the other application(s) are not affected.
When HTTPS is used in an XperienCentral environment, make sure that the Cipher Suites that the server presents to the browser belonging to the SSL protocol has no weak suites available. Weak suites are a security risk and should not be delivered by the server. You can test the Cipher Suite weaknesses in your environment at ssllabs.com. You can view some examples of an Apache configuration for SSL Cipher Suites at https://ssl-config.mozilla.org/. One such example is:
Code Block theme Eclipse # intermediate configuration - tweak to your own needs SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
- When HTTPS is used,
Expect-CT
should be added to the response header in order to optimize the security of the SSL connection. This header forces the browser to check the SSL certificate for Certificate Transparency. If the SSL certificate is not transparent, the browser refuses the connection (theenforce
option). Add the following header to your Apache configuration in order to enableExpect-CT
headers:Expect-CT: max-age=86400, enforce
To prevent the malicious use of browser API functions, you should add the response header
Feature-Policy
to your Apache configuration. This header sets restrictions on the browser API functions. For example, when the browser on a mobile device receives a header with the optioncamera 'none'
then the camera can't be used on that device. The default setting for this header disables all API functions but can of course be customized. GX Software recommends that you add the following header to your default configuration:Code Block theme Eclipse Feature-Policy: vibrate 'none'; geolocation 'none'; accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; usb 'none'; vibrate 'none'; vr 'none';
The full list of options can be found at OWASP Feature Policy