...
After installing XperienCentral, a directory structure is created. You are free to choose your own structure, but GX Software recommends the following:
...
XperienCentral uses the Java SE Development Kit (JDK), which can be downloaded from http://www.oracle.com/technetwork/java/javase/downloads.
- Use Java version 8, 11 or 13.
- Use the 64-bit version of Java if possible.
- Official support for Java 7 ended in April 2015.
Download and install the JDK for your platform.
CATALINA_HOME=/vol/www/tomcat-mywebsite
# Point JAVA_HOME at the installed JDK (for example /usr/java/jdk1.8 for Java 8)
JAVA_HOME=/usr/java/jdk11
JAVA_OPTS="${JAVA_OPTS} -Dsun.rmi.dgc.server.gcInterval=600000"
JAVA_OPTS="${JAVA_OPTS} -Dsun.rmi.dgc.client.gcInterval=600000"
JAVA_OPTS="${JAVA_OPTS} -Duser.language=en -Duser.country=US"
# -XX:+UseConcMarkSweepGC is deprecated from Java 9 onwards (removed in Java 14) and prints a warning on JDK 11
JAVA_OPTS="${JAVA_OPTS} -XX:+UseConcMarkSweepGC"
JAVA_OPTS="${JAVA_OPTS} -Djava.awt.headless=true"
JAVA_OPTS="${JAVA_OPTS} -Dwebmanager.clustering.readonly=false"
JAVA_OPTS="${JAVA_OPTS} -Dsun.net.inetaddr.ttl=300"
JAVA_OPTS="${JAVA_OPTS} -Djavax.xml.transform.TransformerFactory=com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl"
JAVA_OPTS="${JAVA_OPTS} -Xmx1024M -Xms512M"
JAVA_OPTS="${JAVA_OPTS} -XX:-ReduceInitialCardMarks"
JAVA_OPTS="${JAVA_OPTS} -Dorg.apache.jasper.runtime.JspFactoryImpl.USE_POOL=false"
# The clustering.id option must use a plain ASCII hyphen (-D), not a typographic dash
JAVA_OPTS="${JAVA_OPTS} -Dwebmanager.clustering.id=x"
JAVA_OPTS="${JAVA_OPTS} -Djava.net.preferIPv4Stack=true"
The settings used in the above example are good defaults and need no adjusting. The only parameter that might need adjusting is the Xmx parameter, which determines the maximum amount of RAM allowed for the Java process in which XperienCentral runs. In this example it is set to 1024 MB (1 GB). The higher this value is set, the smoother XperienCentral will run.
Note: The Tomcat settings for Java 10 are different than for Java 8. For JAVA_OPTS:
For Catalina add:
Note: In a clustered environment, substitute the
- Open the /vol/www/tomcat-mywebsite/conf/logging.properties file. Replace the handler definition (the first uncommented line starting with "handlers = ") with the following:
handlers = 1catalina.org.apache.juli.AsyncFileHandler, 5gxsecuritylogging.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
This removes the unused log files localhost.<date>.log, host-manager.<date>.log and manager.<date>.log and adds a special handler for GX security logging.
- Do not adjust the line starting with .handlers =
- At the end of the file, add the following lines:
############################################################
# GX WebManager specific properties.
# Provides for GX WebManager logging.
############################################################
nl.gx.level = WARNING
org.apache.felix.level = WARNING
org.apache.jackrabbit.level = WARNING
org.apache.solr.level = WARNING
org.quartz.level = WARNING
org.springframework.level = WARNING
nl.gx.webmanager.startup.level = INFO
# Upgrade bundle logging
nl.gx.webmanager.services.upgrade.impl.level = INFO
# OpenID
org.verisign.joid.level = WARNING
##
# Logging of sensitive events to a separate log file (audit.<date>.log in ${catalina.base}/logs)
##
5gxsecuritylogging.org.apache.juli.FileHandler.level = INFO
5gxsecuritylogging.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
5gxsecuritylogging.org.apache.juli.FileHandler.prefix = audit.
nl.gx.webmanager.services.securitylogging.level = INFO
nl.gx.webmanager.services.securitylogging.handlers = 5gxsecuritylogging.org.apache.juli.FileHandler
nl.gx.webmanager.services.jaxrs.search.bulkactions.impl.BulkActionJob.level = INFO
JBoss
Download JBoss EAP 7.2.3 (https://developers.redhat.com/products/eap/download) and unpack it in the /vol/www/ directory. Rename the created directory jboss-mywebsite. Add the following lines to /vol/www/jboss-mywebsite/bin/standalone.conf, directly under the first block of commented lines:
JAVA_OPTS="${JAVA_OPTS} -Dsun.rmi.dgc.server.gcInterval=600000"
JAVA_OPTS="${JAVA_OPTS} -Dsun.rmi.dgc.client.gcInterval=600000"
JAVA_OPTS="${JAVA_OPTS} -Duser.language=en -Duser.country=US"
JAVA_OPTS="${JAVA_OPTS} -XX:+UseConcMarkSweepGC"
JAVA_OPTS="${JAVA_OPTS} -Djava.awt.headless=true"
JAVA_OPTS="${JAVA_OPTS} -Dwebmanager.clustering.readonly=false"
JAVA_OPTS="${JAVA_OPTS} -Dsun.net.inetaddr.ttl=300"
JAVA_OPTS="${JAVA_OPTS} -Djavax.xml.transform.TransformerFactory=com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl"
JAVA_OPTS="${JAVA_OPTS} -Xmx1024M -Xms512M"
JAVA_OPTS="${JAVA_OPTS} -XX:-ReduceInitialCardMarks"
JAVA_OPTS="${JAVA_OPTS} -Dorg.apache.jasper.runtime.JspFactoryImpl.USE_POOL=false"
# The clustering.id option must use a plain ASCII hyphen (-D), not a typographic dash
JAVA_OPTS="${JAVA_OPTS} -Dwebmanager.clustering.id=x"
JAVA_OPTS="${JAVA_OPTS} -Djboss.modules.policy-permissions=true"
By default, the settings in the above example need no further adjusting. The only parameter that you might have to change is the Xmx parameter, which determines the maximum amount of RAM allowed for the Java process in which XperienCentral runs. In the above example it is set to 1024 MB (1 GB). The higher this value is set, the better the performance. See JAVA_OPTS Parameters for more details and explanations of the JAVA_OPTS settings.
Note: The above settings are OK for a standalone setup of XperienCentral and for the setup of a read/write node in a clustered environment. For a read-only node one setting has to be adjusted: set the property
Note: Add the following option to the
# Use the default JRE JAX parsers instead of Xerces. Xerces 1.12.0-SP02 is on the classpath of JBoss 7.2 by default
Avoiding Clogged Logfiles
With the default settings, the log file quickly fills with messages (INFO, WARNING and ERROR). To reduce the number of messages that are logged, edit the (JBoss)/JBoss-My Website/standalone/configuration/standalone.xml file and add the following loggers where the other logger tags are located in the jboss.domain.logging subsystem:
<logger category="org.apache.felix">
    <level name="WARN"/>
</logger>
<logger category="org.apache.jackrabbit">
    <level name="WARN"/>
</logger>
<logger category="org.apache.solr">
    <level name="WARN"/>
</logger>
<logger category="org.quartz">
    <level name="WARN"/>
</logger>
<logger category="org.springframework">
    <level name="WARN"/>
</logger>
<logger category="nl.gx.webmanager.startup">
    <level name="INFO"/>
</logger>
<logger category="nl.gx.webmanager.services.upgrade.impl">
    <level name="INFO"/>
</logger>
Apache Web Server
Download the latest version of the Apache web server (http://httpd.apache.org/download.cgi) and install it. How to compile Apache is explained in the examples below. It is also possible to use the Apache included in the package.
Tip: Because new versions are regularly released, it is recommended that you configure Apache according to the package standards, by including configuration files containing your specific configuration parameters instead of modifying
Configuration of httpd.conf
Make sure the following Apache modules are loaded:
mod_proxy.so
mod_proxy_http.so
mod_proxy_ajp.so
mod_headers.so
mod_expires.so
mod_security2.so
The httpd-vhosts.conf file also needs to be read. Locate vhosts in httpd.conf and delete the # at the beginning of the line:
...
The httpd-vhosts.conf file is located in the /vol/www/server/conf/extra directory of Apache. The VirtualHost configurations for the frontend and the backend are located here.
<VirtualHost *:80>
    ServerName www.mywebsite.com
    DocumentRoot "/vol/www/mywebsite/web-docs/"
    ErrorLog logs/www.mywebsite.com_error.log
    CustomLog logs/www.mywebsite.com_custom.log common
    <Directory "/vol/www/mywebsite/web-docs/">
        Options +FollowSymLinks +includesnoexec
        AllowOverride All
        Require all granted
    </Directory>
    # The Tomcat AJP connector behind this proxy should listen on localhost only
    ProxyPass /web/ ajp://localhost:8009/web/ ttl=600
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REQUEST_URI} !^/web/
        # Keep only the rule that matches your XperienCentral version and remove the other:
        # XperienCentral versions R35 and lower
        RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L]
        # XperienCentral versions R36 and higher
        RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    ServerName edit.mywebsite.com
    DocumentRoot "/vol/www/mywebsite/web-docs/"
    ErrorLog logs/edit.mywebsite.com_error.log
    CustomLog logs/edit.mywebsite.com_custom.log common
    <Directory "/vol/www/mywebsite/web-docs/">
        Options +FollowSymLinks +includesnoexec
        AllowOverride All
        Require all granted
    </Directory>
    <Directory "/vol/www/mywebsite/web-docs/wm/b/">
        ExpiresActive ON
        ExpiresDefault "now plus 10 minutes"
        Header set Cache-Control "max-age=600"
    </Directory>
    ProxyPass /web/ ajp://localhost:8009/web/ ttl=600
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REQUEST_URI} !^/web/
        # Keep only the rule that matches your XperienCentral version and remove the other:
        # XperienCentral versions R35 and lower
        RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L]
        # XperienCentral versions R36 and higher
        RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
    </IfModule>
</VirtualHost>
Backend Configuration of httpd-vhosts.conf for a Redirect to HTTPS
<VirtualHost *:80>
    ServerName www.mywebsite.com
    DocumentRoot "/vol/www/mywebsite/web-docs/"
    ErrorLog logs/www.mywebsite.com_error.log
    CustomLog logs/www.mywebsite.com_custom.log common
    <Directory "/vol/www/mywebsite/web-docs/">
        Options +FollowSymLinks +includesnoexec
        AllowOverride All
        Require all granted
    </Directory>
    ProxyPass /web/ ajp://localhost:8009/web/ ttl=600
    <IfModule mod_rewrite.c>
        RewriteEngine On
        LogLevel emerg
        # Rewrite external requests to https. These rules must come before the .htm
        # rules below: a rule with the [L] flag ends the ruleset, so a .htm request
        # matched by those rules first would never be redirected.
        RewriteCond %{HTTPS} off
        # Substitute the #s with the IP address of the backend server
        RewriteCond %{REMOTE_HOST} !###\.###\.###\.###$
        RewriteCond %{REMOTE_HOST} !127\.0\.0\.1$
        RewriteCond %{REMOTE_HOST} !localhost$
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
        RewriteRule ^/wm.* - [L]
        RewriteCond %{REQUEST_URI} !^/web/
        # Keep only the rule that matches your XperienCentral version and remove the other:
        # XperienCentral versions R35 and lower
        RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L]
        # XperienCentral versions R36 and higher
        RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
    </IfModule>
</VirtualHost>
Frontend Configuration of httpd-vhosts.conf for an HTTPS Redirect
<VirtualHost *:80>
    ServerName www.mywebsite.com
    DocumentRoot "/vol/www/mywebsite/web-docs/"
    ErrorLog logs/www.mywebsite.com_error.log
    CustomLog logs/www.mywebsite.com_custom.log common
    <Directory "/vol/www/mywebsite/web-docs/">
        Options +FollowSymLinks +includesnoexec
        AllowOverride All
        Require all granted
    </Directory>
    ProxyPass /web/ ajp://localhost:8009/web/ ttl=600
    <IfModule mod_rewrite.c>
        RewriteEngine On
        LogLevel emerg
        # Rewrite external requests to https. These rules must come before the .htm
        # rules below: a rule with the [L] flag ends the ruleset, so a .htm request
        # matched by those rules first would never be redirected.
        RewriteCond %{HTTPS} off
        # Substitute the #s with the IP address of the frontend server
        RewriteCond %{REMOTE_HOST} !###\.###\.###\.###$
        RewriteCond %{REMOTE_HOST} !127\.0\.0\.1$
        RewriteCond %{REMOTE_HOST} !localhost$
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
        RewriteCond %{REQUEST_URI} !^/web/
        # Keep only the rule that matches your XperienCentral version and remove the other:
        # XperienCentral versions R35 and lower
        RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L]
        # XperienCentral versions R36 and higher
        RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
    </IfModule>
</VirtualHost>
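The redirect logic in the two HTTPS-redirect virtual hosts above is easier to verify when written out. The following Python model is an added example, not configuration or code from GX Software: it evaluates the same RewriteCond chain as the backend block (the frontend block is the same model without the /wm passthrough) on constructed requests. The address 203.0.113.10 is a constructed stand-in for the ### placeholder, and the R36-and-higher .htm rule is assumed.

```python
import re

# Constructed stand-in for the "###.###.###.###" placeholder in the RewriteCond
# above; substitute your own server address when adapting this model.
SERVER_IP = "203.0.113.10"

# The three negated %{REMOTE_HOST} conditions, mirrored as Python regexes. Like the
# Apache patterns they are anchored only at the end ($), so they are suffix matches.
# With HostnameLookups Off (the Apache default) REMOTE_HOST is the client IP address.
EXEMPT_HOST_PATTERNS = [
    re.compile(re.escape(SERVER_IP) + r"$"),  # !###\.###\.###\.###$
    re.compile(r"127\.0\.0\.1$"),             # !127\.0\.0\.1$
    re.compile(r"localhost$"),                # !localhost$
]

# The R36-and-higher variant of the .htm rewrite rule.
HTM_RULE = re.compile(r"^/(.*)\.htm$")


def decide(https: bool, remote_host: str, http_host: str, request_uri: str) -> dict:
    """Evaluate the backend vhost's rewrite block for one request.

    Returns {"action": ...} where action is "redirect" (external redirect to
    https://HTTP_HOST/URI), "passthrough" (the ^/wm.* rule), "rewrite" (the .htm
    rule, with the rewritten URI) or "none". The frontend vhost is the same model
    without the passthrough step.
    """
    # RewriteCond %{HTTPS} off  AND  the three negated host conditions:
    # plain-HTTP requests from any host except the exempted ones are redirected.
    if not https and not any(p.search(remote_host) for p in EXEMPT_HOST_PATTERNS):
        return {"action": "redirect", "location": f"https://{http_host}{request_uri}"}

    # RewriteRule ^/wm.* - [L]: XperienCentral's own /wm resources are left alone.
    if request_uri.startswith("/wm"):
        return {"action": "passthrough", "uri": request_uri}

    # RewriteCond %{REQUEST_URI} !^/web/  followed by
    # RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
    m = HTM_RULE.match(request_uri)
    if m and not request_uri.startswith("/web/"):
        return {"action": "rewrite", "uri": f"/web/seo/{m.group(1)}.htm"}

    return {"action": "none", "uri": request_uri}


if __name__ == "__main__":
    for req in [(False, "198.51.100.7", "www.mywebsite.com", "/news.htm"),
                (False, "127.0.0.1", "www.mywebsite.com", "/news.htm"),
                (True, "198.51.100.7", "www.mywebsite.com", "/wm/b/toolbar/x.js")]:
        print(req, "->", decide(*req))
```

Two things the model makes visible: a request from the server itself or from localhost is never redirected (which is why the backend reaches itself over plain HTTP without loops), and a `.html` path never matches `^/(.*)\.htm$`, so dumped static pages are served straight from DocumentRoot while `.htm` pages are proxied to XperienCentral.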
<VirtualHost *:443>
    ServerName <server name>
    ServerAdmin <admin e-mail address>
    DocumentRoot /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x
    ErrorLog /vol/httpd/logs/errors-edit-ssl
    CustomLog /vol/httpd/logs/access-edit-ssl combined
    #############
    # SSL
    SSLEngine On
    SSLProxyEngine On
    # "+TLSv1" enables only TLS 1.0, which is deprecated; take a current SSLProtocol
    # and SSLCipherSuite setting from the Mozilla generator referenced below.
    SSLProtocol +TLSv1
    ## See https://mozilla.github.io/server-side-tls/ssl-config-generator
    ## for information on other rules you should add here for the version
    ## of Apache you are using.
    SSLCertificateFile /vol/httpd/ssl/nolaa.crt
    SSLCertificateKeyFile /vol/httpd/ssl/nolaa.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    # CustomLog /vol/www/server/logs/ssl/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    <Directory /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x>
        Options +FollowSymLinks +includesnoexec
        AllowOverride All
        Require all granted
    </Directory>
    <Directory /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x/wm/b/toolbar/>
        ExpiresActive ON
        ExpiresDefault "now plus 10 minutes"
        Header set Cache-Control "max-age=600"
    </Directory>
    <Directory /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x/wm/b/domapi/>
        ExpiresActive ON
        ExpiresDefault "now plus 10 minutes"
        Header set Cache-Control "max-age=600"
    </Directory>
    ProxyPass /web/ ajp://localhost:19200/web/ ttl=600
    ProxyPassReverse /web/ ajp://localhost:19200/web/
    <IfModule mod_rewrite.c>
        RewriteEngine On
        # RewriteLogLevel 0  (Apache 2.2 only; removed in 2.4, which uses "LogLevel rewrite:warn" instead)
        RewriteCond %{REQUEST_URI} !^/web/
        # Keep only the rule that matches your XperienCentral version and remove the other:
        # XperienCentral versions R35 and lower
        RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L]
        # XperienCentral versions R36 and higher
        RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
    </IfModule>
    Alias /systemlogs /vol/webmanager/apache-tomcat-8.5.31/logs
    <Location /systemlogs>
        <IfModule mod_deflate.c>
            SetOutputFilter DEFLATE
        </IfModule>
        AuthUserFile /vol/httpd/htpasswd
        AuthName ""
        AuthType Basic
        # Authentication is only enforced when a Require directive asks for a user;
        # without it the Tomcat logs (including audit.<date>.log) are readable by
        # anyone who can reach this host.
        Require valid-user
        Options +Indexes
        IndexOptions FancyIndexing
        Order Deny,Allow
        # "Allow from all" makes the two host-based lines below redundant; remove it
        # to restrict the log listing to localhost and the listed IP address.
        Allow from all
        Allow from localhost
        Allow from <IP address>
    </Location>
    ScriptAlias /cgi-bin "/vol/www/server/cgi-bin"
</VirtualHost>
<VirtualHost *:443>
    ServerName <server name>
    ServerAdmin <admin e-mail address>
    DocumentRoot /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x
    ErrorLog /vol/httpd/logs/errors-frontend-ssl
    CustomLog /vol/httpd/logs/access-frontend-ssl combined
    #################
    # SSL
    SSLEngine On
    SSLProxyEngine On
    # "+TLSv1" enables only TLS 1.0, which is deprecated; take a current SSLProtocol
    # and SSLCipherSuite setting from the Mozilla generator referenced below.
    SSLProtocol +TLSv1
    ## See https://mozilla.github.io/server-side-tls/ssl-config-generator
    ## for information on other rules you should add here for the version
    ## of Apache you are using.
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile /vol/httpd/ssl/<certificate>.crt
    SSLCertificateKeyFile /vol/httpd/ssl/<certificate>.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    ### CustomLog /vol/www/server/logs/ssl/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    # Test: Recognize this VirtualHost
    Alias /systemlogs2 /vol/webmanager/apache-tomcat-8.5.31/logs
    <Location /systemlogs2>
        <IfModule mod_deflate.c>
            SetOutputFilter DEFLATE
        </IfModule>
        AuthUserFile /vol/httpd/htpasswd
        AuthName ""
        AuthType Basic
        # Authentication is only enforced when a Require directive asks for a user.
        Require valid-user
        Options +Indexes
        IndexOptions FancyIndexing
        Order Deny,Allow
        # "Allow from all" makes the two host-based lines below redundant; remove it
        # to restrict the log listing to localhost and the listed IP address.
        Allow from all
        Allow from localhost
        Allow from <IP address>
    </Location>
    <Directory /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x>
        Options +FollowSymLinks +includesnoexec
        AllowOverride All
        Require all granted
    </Directory>
    ProxyPass /web/ ajp://localhost:19200/web/ ttl=600
    ProxyPassReverse /web/ ajp://localhost:19200/web/
    <IfModule mod_rewrite.c>
        RewriteEngine On
        # RewriteLogLevel 0  (Apache 2.2 only; removed in 2.4, which uses "LogLevel rewrite:warn" instead)
        # Give not found on /web/admin/* on the frontend URL.
        RewriteCond %{REQUEST_URI} ^/web/admin
        RewriteRule ^/web/admin - [R=404]
        RewriteCond %{REQUEST_URI} !^/web/
        # Keep only the rule that matches your XperienCentral version and remove the other:
        # XperienCentral versions R35 and lower
        RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L]
        # XperienCentral versions R36 and higher
        RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
    </IfModule>
</VirtualHost>
HTTP/2 Support
Beginning with Apache web server version 2.4.17, the HTTP/2 protocol is supported. Starting with version 10.12.0, XperienCentral is also tested on HTTP/2 over TLS. In principle, earlier 10.x versions of XperienCentral should also work over HTTP/2, but they have not been tested by GX Software.
Note: Apache states on its website that the configuration of HTTP/2 is still an evolving process and that the
In order to support HTTP/2, the Apache module mod_http2 must be loaded. HTTP/2 support is then enabled by the following directive:
# HTTP/2
Protocols h2 http/1.1
For more information on the mod_http2 module, see https://httpd.apache.org/docs/2.4/mod/mod_http2.html.
The .htaccess File
The .htaccess file is needed to also set a CSP policy on static assets, which are typically served from disk by Apache httpd. Configure the .htaccess file if your deployment requires it. See https://httpd.apache.org/docs/2.4/howto/htaccess.html for complete information.
Remove Server Header Configuration
In order to prevent Apache from identifying itself, add the following content to /etc/httpd/conf.d/remove-server-header.conf. This configuration step is optional.
<IfModule security2_module>
SecRuleEngine on
SecServerSignature " "
</IfModule>
X-Frame Options
The following applies to XperienCentral versions 10.16.1 and higher.
Browsers can restrict or deny the loading of a web page inside a frame, iframe or other object by reacting to the HTTP response header X-Frame-Options associated with that page. Setting this property correctly can prevent click-jacking attacks (https://en.wikipedia.org/wiki/Clickjacking).
This property has three options:
- DENY: The page may never be loaded inside another page.
- SAMEORIGIN: The page may only be loaded inside another page if it has the same origin.
- ALLOW-FROM <origin>: The page may only be loaded inside another page if it is from the indicated origin (www.mywebsite.com, for example).
Note: The option
In general you are advised to use this property with the option SAMEORIGIN in order to prevent click-jacking attacks. For the frontend environment you can also choose the DENY option, but be aware that with this option pages can no longer be embedded in frames, iframes or other objects.
Configuring the Apache HTTP server for X-Frame-Options is effective for pages served both by XperienCentral and for external static pages.
Frontend Environment
Add the X-Frame-Options header to the frontend environment (add in your .conf file):
<VirtualHost *:80>
    ServerName www.mywebsite.com
    ...
    Header always set X-Frame-Options SAMEORIGIN
    ...
</VirtualHost>
Instead of SAMEORIGIN you can also specify DENY, which disables all embedding of pages into iframes, frames and other objects.
Backend Environment
Add the X-Frame-Options header to the backend environment (the internal edit environment of XperienCentral) (add in your .conf file):
<VirtualHost *:80>
    ServerName edit.mywebsite.com
    ...
    Header always set X-Frame-Options SAMEORIGIN
    ...
</VirtualHost>
For the backend environment you cannot use DENY, because XperienCentral itself uses frames.
Handling Uploaded Files
The following applies to XperienCentral versions 10.29.3 and higher.
In order to prevent uploaded files from being opened inside the browser, you need to add a rule that specifies which uploaded files should be treated as an attachment. Add the following rule to one of the Apache httpd.conf include files:
<Location ~ "(/upload|/upload_mm)">
    Header set Content-Disposition "attachment"
</Location>
X-Content-Type-Options and X-XSS-Protection
Note: The following applies to XperienCentral versions 10.17 and higher. GX Software strongly recommends that you consult with us before implementing the X-Content-Type-Options and/or X-XSS-Protection configuration(s) described below, in order to ensure that either or both are appropriate for your XperienCentral implementation.
The X-Content-Type-Options response header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers must be followed and must not be changed. The X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
Frontend Environment
Add the headers to the frontend environment (add in your .conf file):
<VirtualHost *:80>
    ServerName www.mywebsite.com
    ...
    Header always set X-Content-Type-Options nosniff
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Strict-Transport-Security "max-age=63072000" env=HTTPS
    Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; connect-src 'self'; frame-src 'self'; worker-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: wss:"
    ...
</VirtualHost>
Backend Environment
Add the headers to the backend environment (the internal edit environment of XperienCentral) (add in your .conf file):
<VirtualHost *:80>
    ServerName edit.mywebsite.com
    ...
    Header always set X-Content-Type-Options nosniff
    Header always set X-XSS-Protection "1; mode=block"
    Header always edit Set-Cookie (.*) "$1; SameSite=strict"
    Header always set Strict-Transport-Security "max-age=63072000" env=HTTPS
    Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; connect-src 'self'; frame-src 'self'; worker-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: wss:"
    ...
</VirtualHost>
Note: In the examples above, the Content-Security-Policy declarations are set to a very strict level and will, among other things, prevent the embedding of external content using, for example, Oembed. If you want to allow the embedding of external content or use less strict security, you need to relax one or more of these rules. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy for more information.
Content-Security-Policy
In order to add extra security to the XperienCentral environment, it is necessary to add the Content-Security-Policy header to the response headers. In the two virtual host listings (backend and frontend) above, the header is already included. The value of the header is not a general value but is site specific. The value shown can be used as a starting point, but it might block content of the client website, so be careful when implementing it. A future add-on for XperienCentral will allow the header's value to be generated and altered within XperienCentral itself.
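The X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, HSTS, SameSite cookie, Content-Security-Policy, Server-header and Content-Disposition rules above are all checked most reliably against the responses the server actually sends, because `Header` directives in the wrong context or a missing module silently do nothing. The following Python audit is an added example, not code from GX Software: it compares a response's headers with the recommendations on this page. The two sample responses are constructed, the HSTS threshold is the page's own max-age value, and the distinction between the backend (where DENY is not allowed) and the frontend is passed in by the caller.

```python
import re
from typing import Dict, List

# Constructed sample responses (not captured from any real system). The first
# follows the page's backend (edit.) recommendations; the second is a frontend
# (www.) response that was never hardened.
HARDENED_BACKEND: Dict[str, str] = {
    "Server": "",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=63072000",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'; connect-src 'self'; "
                               "frame-src 'self'; worker-src 'self'; img-src 'self' data:; "
                               "script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: wss:",
    "Set-Cookie": "JSESSIONID=constructed; Path=/; HttpOnly; SameSite=strict",
}
UNHARDENED_FRONTEND: Dict[str, str] = {
    "Server": "Apache/2.4.41 (Unix)",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Set-Cookie": "JSESSIONID=constructed; Path=/",
}

HSTS_MAX_AGE = 63072000  # the value used in the page's Strict-Transport-Security header


def audit_headers(headers: Dict[str, str], backend: bool, https: bool = True) -> List[str]:
    """Compare one response's headers with the page's recommendations.

    Returns a list of findings; an empty list means every check passed. Header
    names are compared case-insensitively, as HTTP requires. `backend` selects
    the edit environment, where DENY is not allowed because XperienCentral
    itself uses frames; `https` enables the HSTS check (the page sets that
    header only under env=HTTPS).
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    xfo = h.get("x-frame-options", "").strip().upper()
    if not xfo:
        findings.append("X-Frame-Options missing (no clickjacking protection)")
    elif xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers; use SAMEORIGIN")
    elif xfo == "DENY" and backend:
        findings.append("X-Frame-Options DENY breaks the backend, which uses frames itself")
    elif xfo not in ("SAMEORIGIN", "DENY"):
        findings.append(f"X-Frame-Options has an unexpected value: {xfo!r}")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection '1; mode=block' missing")
    if https:
        m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
        if not m or int(m.group(1)) < HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security missing or max-age below {HSTS_MAX_AGE}")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    cookie = h.get("set-cookie", "")
    if cookie and "samesite=strict" not in cookie.lower():
        findings.append("Set-Cookie lacks SameSite=strict")
    if h.get("server", "").strip():
        findings.append(f"Server header reveals {h['server']!r}; see the SecServerSignature rule")
    return findings


def audit_upload_response(headers: Dict[str, str], request_path: str) -> List[str]:
    """Check the Content-Disposition rule for the /upload and /upload_mm paths."""
    h = {name.lower(): value for name, value in headers.items()}
    if re.search(r"(/upload|/upload_mm)", request_path):
        if not h.get("content-disposition", "").strip().lower().startswith("attachment"):
            return ["uploaded file served inline; Content-Disposition: attachment expected"]
    return []


if __name__ == "__main__":
    print("backend:", audit_headers(HARDENED_BACKEND, backend=True) or "OK")
    for finding in audit_headers(UNHARDENED_FRONTEND, backend=False):
        print("frontend:", finding)
    print(audit_upload_response({"Content-Type": "text/html"}, "/upload_mm/report.html"))
```

To run it against a real deployment, feed in the headers of a response fetched from the frontend and the backend separately (for example the output of `curl -sI`), and fetch one file from an upload path as well: an HTML or SVG upload that is served inline rather than as an attachment executes in the site's own origin, which is what the Content-Disposition rule prevents.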
Enable OCSP Stapling on your Server
See https://www.digicert.com/enabling-ocsp-stapling.htm.
Cache-Control and Pragma
Note: If you want to include an additional rule to set the
It is important to set the cache headers for security reasons. The Pragma header is not used by current browsers; it is a fallback for older implementations and has been replaced in the HTTP standard by the Cache-Control header. The Cache-Control header is set for static files such as images, CSS and JavaScript files as well as for dumped XperienCentral pages. To ensure that dumped content also gets a cache header, add the following to the VirtualHost settings:
<LocationMatch "\.html$">
    Header merge Cache-Control "max-age=300"
    Header merge Pragma "no-cache"
</LocationMatch>
This will set the caching for dumped content to five minutes (300 seconds).
The following configuration disables browser and proxy caching for pages in order to avoid the caching of personalized pages:
setenvif Request_URI "^/(.*)\.htm$" object_is_dynamic=true
setenvif Request_URI "^/web/" object_is_dynamic=true
Header merge Cache-Control "no-cache" env=object_is_dynamic
Header merge Cache-Control "no-store" env=object_is_dynamic
Header merge Cache-Control "private" env=object_is_dynamic
Header merge Pragma "no-cache" env=object_is_dynamic
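The two cache rules above interact through `Header merge` and through two regular expressions that look alike but match different things (`\.html$` for dumped pages, `^/(.*)\.htm$` for dynamic ones). The following Python model is an added example, not code from GX Software: it reproduces the merge semantics of mod_headers (append a value unless it is already in the comma-separated list) and returns the Cache-Control and Pragma headers Apache would emit for a given request URI, so the split between cacheable dumped content and non-cacheable personalized pages can be checked before the rules go live. The upstream headers are constructed.

```python
import re
from typing import Dict, Optional

# The page's two rule sets for the frontend vhost:
#   <LocationMatch "\.html$">  -> Header merge Cache-Control "max-age=300", Pragma "no-cache"
#   setenvif Request_URI "^/(.*)\.htm$" / "^/web/" -> object_is_dynamic, then
#   Header merge Cache-Control no-cache / no-store / private and Pragma no-cache
DUMPED_PAGE = re.compile(r"\.html$")
DYNAMIC_PATTERNS = [re.compile(r"^/(.*)\.htm$"), re.compile(r"^/web/")]


def merge(headers: Dict[str, str], name: str, value: str) -> None:
    """Apache 'Header merge': append value unless an identical token is already
    present in the header's comma-delimited list of values."""
    existing = [v.strip() for v in headers.get(name, "").split(",") if v.strip()]
    if value not in existing:
        existing.append(value)
    headers[name] = ", ".join(existing)


def cache_headers(request_uri: str, upstream: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return the Cache-Control/Pragma headers Apache emits for request_uri.

    upstream: headers already set by XperienCentral/Tomcat (constructed here),
    which Header merge keeps and extends rather than overwrites.
    """
    headers = dict(upstream or {})
    if DUMPED_PAGE.search(request_uri):
        merge(headers, "Cache-Control", "max-age=300")
        merge(headers, "Pragma", "no-cache")
    if any(p.search(request_uri) for p in DYNAMIC_PATTERNS):
        for token in ("no-cache", "no-store", "private"):
            merge(headers, "Cache-Control", token)
        merge(headers, "Pragma", "no-cache")
    return headers


def is_cacheable_by_shared_cache(headers: Dict[str, str]) -> bool:
    """True if a proxy or CDN may store the response according to its Cache-Control tokens."""
    tokens = {t.strip().lower() for t in headers.get("Cache-Control", "").split(",")}
    return not tokens & {"no-store", "private", "no-cache"}


if __name__ == "__main__":
    for uri in ["/news/item.html", "/news/item.htm", "/web/seo/news.htm", "/wm/b/app.js"]:
        h = cache_headers(uri)
        print(uri, h, "shared-cacheable" if is_cacheable_by_shared_cache(h) else "not cacheable")
```

The model shows that a dumped `.html` page gets only `max-age=300`, a `.htm` page or anything under `/web/` gets `no-cache, no-store, private`, static assets under `/wm/` are left to the Expires/Cache-Control directives of their Directory blocks, and a `.html` path under `/web/` collects both sets of tokens, in which case the `no-store` and `private` tokens win for every standards-conforming cache.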
Unpacking the XperienCentral Release
Before XperienCentral can be configured, the release has to be unpacked. To unpack the XperienCentral release, proceed as follows:
cd /vol/www/
mkdir webmanager-mywebsite
cd webmanager-mywebsite
unzip /tmp/GX_WebManager_x.x.x_SDK.zip
Modifying settings.xml
The XperienCentral configuration is set in settings.xml. This file is located in the root of the unpacked XperienCentral release (/vol/www/webmanager-mywebsite/). See JAVA_OPTS Parameters for more details and explanations of the JAVA_OPTS settings.
Creating the Database(s)
XperienCentral data is stored in a relational database (MSSQL, MySQL, or Oracle). Create the databases desired for this installation. A complete XperienCentral installation requires only one database. In certain cases (performance/security), it is possible to save specific items in separate databases. A separate database can be created for the following components:
- XperienCentral core (JCR repository storage)
- XperienCentral other (externaldb)
The database for MySQL and MSSQL can be created with one single command and filled with the necessary tables. To create databases and the standard tables for Oracle, you have to use the standard Oracle tools (SQL Plus can be used, for instance). The initial scripts for all databases are: /vol/www/webmanager-mywebsite/webmanager-sqlscripts/
.
Actions for MySQL
cd /vol/www/webmanager-mywebsite
mvn -s settings.xml -P create-mysql-db
# If the content of JCR should be stored in another DB, then run:
# mysqladmin create wm9mywebsite_jcr -u root -p
Actions for MSSQL
cd /vol/www/webmanager-mywebsite
mvn -s settings.xml -P create-mssql-db
# If the content of JCR should be stored in another DB, then
# create the DB using the Enterprise Manager
Actions for Oracle
cd /vol/www/webmanager-mywebsite
mvn -s settings.xml -P create-oracle-db
# If the content of JCR should be stored in another DB, then
# create the DB using the Enterprise Manager
Installing the XperienCentral Release
The basic server setup is now complete. To install the release, proceed as follows:
set X-XSS-Protection "1; mode=block"
Header always edit Set-Cookie (.*) "$1; SameSite=strict"
Header always set Strict-Transport-Security "max-age=63072000" env=HTTPS
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; connect-src 'self'; frame-src 'self'; worker-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: wss:"
...
</VirtualHost> |
Note |
---|
In the example above, the declarations are set to a very strict level and will, among other things, prevent the embedding of external content using, for example, Oembed. If you want to allow the embedding of external content in the backend environment or use less strict security, you need to relax one or more of these rules. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy for more information. |
Note: If you want to include an additional rule to set the
Content-Security-Policy
In order to add extra security to the XperienCentral environment, it is necessary to add the Content-Security-Policy header to the response headers. In the two virtual host configurations (backend and frontend) shown previously, the header is already added. The value of the header is not a general value but is site specific. The value of the Content-Security-Policy header shown above can be used, but it might block content on the client website, so be careful when implementing it. An add-on for XperienCentral is planned in which the header's value can be generated and altered within XperienCentral itself.
Enable OCSP Stapling on your Server
See https://www.digicert.com/enabling-ocsp-stapling.htm.
Cache-Control and Pragma
It is important to set the cache headers for security reasons. The Pragma header is not used by current browsers; it is a fallback for older implementations and has been replaced in the HTTP standard by the Cache-Control header. The Cache-Control header is set for static files such as images, CSS and JavaScript files as well as for dumped XperienCentral pages. To ensure that dumped content also has a cache header, add the following to the virtual host configuration:
<LocationMatch "\.html$">
Header merge Cache-Control "max-age=300"
Header merge Pragma "no-cache"
</LocationMatch>
This will set the caching for dumped content to five minutes (300 seconds).
The following configuration disables browser and proxy caching for pages in order to avoid the caching of personalized pages:
setenvif Request_URI "^/(.*)\.htm$" object_is_dynamic=true
setenvif Request_URI "^/web/" object_is_dynamic=true
Header merge Cache-Control "no-cache" env=object_is_dynamic
Header merge Cache-Control "no-store" env=object_is_dynamic
Header merge Cache-Control "private" env=object_is_dynamic
Header merge Pragma "no-cache" env=object_is_dynamic
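Added example (not part of the XperienCentral documentation): a POSIX shell check that confirms a response actually carries the security headers from the virtual host configuration and the Cache-Control rules above, so a misapplied rule is caught before go-live. It reads raw response headers from stdin (for example from curl -sI); the host names in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the XperienCentral documentation: verify that a
# response carries the headers the Apache virtual host above is meant to add.
# Feed it raw response headers on stdin, e.g. (placeholder hosts):
#   curl -sI https://backend.example.test/web/ | check_headers dynamic
#   curl -sI https://www.example.test/index.html | check_headers dumped
# Prints one MISSING line per gap and returns 1 if anything is missing.

check_headers() {
  kind="$1"            # "dynamic" (personalised page) or "dumped" (static .html)
  hdrs=$(tr -d '\r')   # read stdin, normalise CRLF line endings
  status=0

  # require NAME REGEX: fail unless some "NAME: ..." header line matches REGEX
  require() {
    if ! printf '%s\n' "$hdrs" | grep -qiE "^$1:.*$2"; then
      echo "MISSING: $1 ($2)"
      status=1
    fi
  }

  require 'Strict-Transport-Security' 'max-age=[0-9]+'
  require 'Content-Security-Policy' "default-src 'self'"
  require 'X-XSS-Protection' '1; mode=block'

  # Every Set-Cookie must carry SameSite (the "Header always edit" rule above)
  if printf '%s\n' "$hdrs" | grep -iE '^Set-Cookie:' | grep -viq 'SameSite='; then
    echo "MISSING: SameSite attribute on a Set-Cookie header"
    status=1
  fi

  case "$kind" in
    dynamic)           # personalised pages must never be cached anywhere
      require 'Cache-Control' 'no-store'
      require 'Cache-Control' 'private'
      require 'Pragma' 'no-cache' ;;
    dumped)            # dumped .html pages: short cache lifetime only
      require 'Cache-Control' 'max-age=300' ;;
    *) echo "usage: check_headers dynamic|dumped" >&2; return 2 ;;
  esac
  return "$status"
}
```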
...
Unpacking the XperienCentral Release
Before XperienCentral can be configured, the release has to be unpacked. To unpack the XperienCentral release, proceed as follows:
cd /vol/www/
mkdir webmanager-mywebsite
cd webmanager-mywebsite
unzip /tmp/GX_WebManager_x.x.x_SDK.zip
...
Modifying settings.xml
The XperienCentral configuration is set in settings.xml. This file is located in the root of the unpacked XperienCentral release (/vol/www/webmanager-mywebsite/). See JAVA_OPTS Parameters for more details and explanations on the JAVA_OPTS settings.
...
Creating the Database(s)
XperienCentral data is stored in a relational database (MSSQL, MySQL, or Oracle). Create the databases desired for this installation. A complete XperienCentral installation requires only one database. In certain cases (performance/security), it is possible to save specific items in separate databases. A separate database can be created for the following components:
- XperienCentral core (JCR repository storage)
- XperienCentral other (externaldb)
The database for MySQL and MSSQL can be created and filled with the necessary tables with one single command. To create the databases and the standard tables for Oracle, you have to use the standard Oracle tools (SQL Plus can be used, for instance). The initial scripts for all databases are located in /vol/www/webmanager-mywebsite/webmanager-sqlscripts/.
Actions for MySQL
cd /vol/www/webmanager-mywebsite
mvn -s settings.xml -P create-mysql-db
# If the content of JCR should be stored in another DB, then run:
# mysqladmin create wm9mywebsite_jcr -u root -p
Actions for MSSQL
cd /vol/www/webmanager-mywebsite
mvn -s settings.xml -P create-mssql-db
# If the content of JCR should be stored in another DB, then
# create the DB using the Enterprise Manager
Actions for Oracle
cd /vol/www/webmanager-mywebsite
mvn -s settings.xml -P create-oracle-db
# If the content of JCR should be stored in another DB, then
# create the DB using the Enterprise Manager
...
Installing the XperienCentral Release
The basic server setup is now complete. To install the release, proceed as follows:
cd /vol/www/webmanager-mywebsite
mvn -s settings.xml -P configure-jcr-repository
mvn -s settings.xml -P build-project
cd /vol/www/mywebsite/
mkdir web-docs
cd web-docs
unzip /vol/www/webmanager-mywebsite/webmanager-webapps/\
webmanager-static-webapp/target/\
webmanager-static-webapp-1.0-SNAPSHOT.war
# For JBoss use:
# /vol/users/product/jboss/jboss-mywebsite/standalone/deployments
cd /vol/www/tomcat-mywebsite/deploy
cp /vol/www/webmanager-mywebsite/webmanager-webapps/\
webmanager-backend-webapp/target/\
webmanager-backend-webapp-1.0-SNAPSHOT.war .
cd /vol/www/mywebsite/work/edition-bundles
cp /vol/www/webmanager-mywebsite/edition-bundles/*.jar .
cd /vol/www/mywebsite/system/
cp /vol/www/webmanager-mywebsite/settings.xml .
cp /vol/www/webmanager-mywebsite/webmanager-cleansite/target/\
webmanager-cleansite-1.0-SNAPSHOT.jar .
rm /tmp/GX_WebManager_10.x.x_SDK.zip
...
For Tomcat, two files need to be created. Place these files in the /vol/www/tomcat-mywebsite/conf directory.
...
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <!-- Userdatabase is used to secure admin pages! Make sure the path is ok
         otherwise the admin jsps will not work -->
    <Resource name="WMUserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="XperienCentral user database"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="/vol/www/tomcat-mywebsite/deploy/admin-users.xml" />
  </GlobalNamingResources>
  <Service name="WebManager">
    <Connector port="8009" enableLookups="false" redirectPort="8443" debug="1"
               protocol="AJP/1.3" secretRequired="false" URIEncoding="UTF-8"
               connectionTimeout="600000" />
    <Engine name="WebManager" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="WMUserDatabase"/>
      </Realm>
      <Host name="localhost" unpackWARs="true" autoDeploy="false"
            deployOnStartup="false" appBase="/vol/www/tomcat-mywebsite/deploy">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="true" showServerInfo="false" />
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        <Context path="/web" docBase="webmanager-backend-webapp-1.0-SNAPSHOT.war">
          <Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
                 cache="true" />
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
...
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <!-- Userdatabase is used to secure admin pages! Make sure the path is ok
         otherwise the admin jsps will not work -->
    <Resource name="WMUserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="XperienCentral user database"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="/vol/www/tomcat-mywebsite/deploy/admin-users.xml" />
  </GlobalNamingResources>
  <Service name="WebManager">
    <Connector port="8009" enableLookups="false" debug="1"
               protocol="AJP/1.3" URIEncoding="UTF-8" secretRequired="false"
               connectionTimeout="600000" />
    <Engine name="WebManager" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="WMUserDatabase"/>
      </Realm>
      <Host name="localhost" unpackWARs="true" autoDeploy="false"
            deployOnStartup="false" appBase="/vol/www/tomcat-mywebsite/deploy">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="true" showServerInfo="false" />
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        <Context path="/web" docBase="webmanager-backend-webapp-1.0-SNAPSHOT.war">
          <Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
                 cache="true" />
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
...
<?xml version="1.0" encoding="UTF-8"?>
<Context sessionCookiePath="/">
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
  <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor"
                   sameSiteCookies="strict" />
</Context>
Note: If you use integrated functionality such as SAML for single sign-on or a platform like DigiD, eHerkenning or iDeal that redirects visitors to an external system and then back to XperienCentral, or if Interactive Forms are included on external websites, the
The JDBC Drivers
The JDBC drivers have to be copied to the /vol/www/tomcat-mywebsite/lib directory:
...
Configuring JBoss can be done manually or automatically. To configure JBoss manually, follow the steps below. To configure JBoss automatically, use the Maven command "mvn -Pconfigure-jboss" to configure your installation.
Make the Database Driver Available
Obtain a copy of the database driver from the Maven repository. Copy the driver for your database to the directory jboss-mywebsite/modules/system/layers/base. Use the following JAR files for the following databases:
- For MSSQL, copy mssql-jdbc-7.0.0.jre8.jar to com/microsoft/sqlserver/mssql-jdbc/main.
- For Oracle, copy oraclejdbcdriver-12.1.0.2.jar to oracle/oraclejdbcdriver/main.
For MySQL, you must download the connector JAR yourself; it is not available by default in the Maven repository.
...
MSSQL: jdbc:sqlserver://mydomain:2433;databaseName=webmanager9181;useLOBs=false
MySQL: jdbc:mysql://mydomain:3306/webmanager9181?autoReconnect=true
Oracle: jdbc:oracle:thin:@mydomain:1521:xe
Disable the Default Welcome Root Web Application
In standalone.xml, set enable-welcome-root to false for the virtual-server name:
Disable the Default Welcome Root Web (Undertow) Application
In standalone.xml, delete the following two lines in the jboss:domain:undertow subsystem to disable the default welcome content:
<subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
<server name="default-server">
...
<host name="default-host" alias="${webmanager.backendservername},${webmanager.frontendservername}">
<location name="/" handler="welcome-content"/> !DELETE THIS LINE!
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
...
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/> !DELETE THIS LINE!
</handlers>
</subsystem>
<virtual-server name="default-host" enable-welcome-root="false">
Add Aliases for Hostnames
In standalone.xml, add the aliases for the hostnames you are using:
<server name="default-server">
  <host name="default-host" alias="mydomain.mycompany.com,myalias">
    ...
  </host>
</server>
Enable the AJP Connector
<server name="default-server">
  <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
  <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
  <ajp-listener name="ajp" socket-binding="ajp" scheme="http"/>
</server>
Enable the wmadmin Login
In standalone.xml, add the XperienCentral security domain. This is necessary because the XperienCentral file jboss-web.xml references the XperienCentral security domain.
...
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
  <deployment-scanner path="deployments" relative-to="jboss.server.base.dir"
                      scan-interval="5000" deployment-timeout="1000"
                      runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
</subsystem>
Generate and Store the JBoss 7.2.0 EAP Application Server Hash
cd /vol/www/jboss-cleansite/modules/system/layers/base/org/picketbox/main
/usr/local/java11/bin/java -cp picketbox-5.0.3.Final-redhat-3.jar org.jboss.security.auth.callback.RFC2617Digest wmadmin "XperienCentral" <password>
...