Versions Compared


...

XperienCentral uses the Java SE Development Kit (JDK) which can be downloaded from: http://www.oracle.com/technetwork/java/javase/downloads.

  • Use Java version 8, 10, 11 or 13.
  • Use the 64-bit version of Java if possible.
  • Official support for Java 7 ended in April 2015.

Download and install the JDK for your platform.

...

Code Block
CATALINA_HOME=/vol/www/tomcat-mywebsite
# Point JAVA_HOME at the JDK you installed (for a Java 8 installation, e.g. /usr/java/jdk1.8)
JAVA_HOME=/usr/java/jdk11
JAVA_OPTS="${JAVA_OPTS} -Dsun.rmi.dgc.server.gcInterval=600000"
JAVA_OPTS="${JAVA_OPTS} -Dsun.rmi.dgc.client.gcInterval=600000"
JAVA_OPTS="${JAVA_OPTS} -Duser.language=en -Duser.country=US"
JAVA_OPTS="${JAVA_OPTS} -XX:+UseConcMarkSweepGC"
JAVA_OPTS="${JAVA_OPTS} -Djava.awt.headless=true"
JAVA_OPTS="${JAVA_OPTS} -Dwebmanager.clustering.readonly=false"
JAVA_OPTS="${JAVA_OPTS} -Dsun.net.inetaddr.ttl=300"
JAVA_OPTS="${JAVA_OPTS} -Djavax.xml.transform.TransformerFactory=com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl"
JAVA_OPTS="${JAVA_OPTS} -Xmx1024M -Xms512M"
JAVA_OPTS="${JAVA_OPTS} -XX:-ReduceInitialCardMarks"
JAVA_OPTS="${JAVA_OPTS} -Dorg.apache.jasper.runtime.JspFactoryImpl.USE_POOL=false"
# Note: this must be an ASCII hyphen ("-D"); a typographic dash is not recognized by the JVM
JAVA_OPTS="${JAVA_OPTS} -Dwebmanager.clustering.id=x"
JAVA_OPTS="${JAVA_OPTS} -Djava.net.preferIPv4Stack=true"

...

The settings used in the above example are good defaults and need no adjusting. The only parameter that might need adjusting is the Xmx parameter. The number in the Xmx parameter determines the maximum RAM allowed for the Java process in which XperienCentral runs. In this example, the RAM is set at 1024 MB (1 GB). The higher this number is set, the smoother XperienCentral will run.


Note

The Tomcat settings for Java 10 differ from those for Java 8. The setenv.sh file has some extra options for Java 10, and these options cannot be used for Java 8 installations. When using Java 10 for XperienCentral, add the following options to the setenv.sh file of Tomcat:

For JAVA_OPTS:

-Djava.locale.providers=COMPAT,CLDR

For Catalina add:

--illegal-access=warn --add-opens java.base/java.net=ALL-UNNAMED

...

  1. Open the /vol/www/tomcat-mywebsite/conf/logging.properties file.
  2. Replace the handler definition (the first uncommented line starting with "handlers = ") with the following:

    Code Block
    handlers = 1catalina.org.apache.juli.AsyncFileHandler, 5gxsecuritylogging.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler

    This removes unused logfiles localhost.<date>.log, host-manager.<date>.log and manager.<date>.log and adds a special handler for GX security logging.

  3. Do not adjust the line starting with .handlers =.
  4. At the end of the file, add the following lines:


    Code Block
    ############################################################
    # GX WebManager specific properties.
    # Provides for GX WebManager logging.
    ############################################################
    nl.gx.level = WARNING
    org.apache.felix.level = WARNING
    org.apache.jackrabbit.level = WARNING
    org.apache.solr.level = WARNING
    org.quartz.level = WARNING
    org.springframework.level = WARNING
    
    nl.gx.webmanager.startup.level = INFO
    # Upgrade bundle logging
    nl.gx.webmanager.services.upgrade.impl.level = INFO
    
    #OpenID
    org.verisign.joid.level = WARNING
    
    ##
    # Logging of sensitive events to separate log file
    ##
    5gxsecuritylogging.org.apache.juli.FileHandler.level = INFO
    5gxsecuritylogging.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
    5gxsecuritylogging.org.apache.juli.FileHandler.prefix = audit.
    
    nl.gx.webmanager.services.securitylogging.level=INFO
    nl.gx.webmanager.services.securitylogging.handlers=5gxsecuritylogging.org.apache.juli.FileHandler
    
    nl.gx.webmanager.services.jaxrs.search.bulkactions.impl.BulkActionJob.level = INFO



JBoss

Download JBoss EAP 7.2.0 (https://developers.redhat.com/products/eap/download) and unpack it in the /vol/www/ directory. Rename the created directory jboss-mywebsite. Add the following lines to /vol/www/jboss-mywebsite/bin/standalone.conf, directly under the first block of commented lines:

...

Code Block
JAVA_OPTS="${JAVA_OPTS} -Dsun.rmi.dgc.server.gcInterval=600000"
JAVA_OPTS="${JAVA_OPTS} -Dsun.rmi.dgc.client.gcInterval=600000"
JAVA_OPTS="${JAVA_OPTS} -Duser.language=en -Duser.country=US"
JAVA_OPTS="${JAVA_OPTS} -XX:+UseConcMarkSweepGC"
JAVA_OPTS="${JAVA_OPTS} -Djava.awt.headless=true"
JAVA_OPTS="${JAVA_OPTS} -Dwebmanager.clustering.readonly=false"
JAVA_OPTS="${JAVA_OPTS} -Dsun.net.inetaddr.ttl=300"
JAVA_OPTS="${JAVA_OPTS} -Djavax.xml.transform.TransformerFactory=com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl"
JAVA_OPTS="${JAVA_OPTS} -Xmx1024M -Xms512M"
JAVA_OPTS="${JAVA_OPTS} -XX:-ReduceInitialCardMarks"
JAVA_OPTS="${JAVA_OPTS} -Dorg.apache.jasper.runtime.JspFactoryImpl.USE_POOL=false"
# Note: this must be an ASCII hyphen ("-D"); a typographic dash is not recognized by the JVM
JAVA_OPTS="${JAVA_OPTS} -Dwebmanager.clustering.id=x"
JAVA_OPTS="${JAVA_OPTS} -Djboss.modules.policy-permissions=true"


By default, the settings in the above example need no further adjusting. The only parameter that you might have to change is the Xmx parameter. The value of the Xmx parameter determines the maximum amount of RAM allowed for the Java process in which XperienCentral runs. In the above example, the maximum amount of RAM is set to 1024 MB (1 GB). The higher this number is set, the better the performance you will have.



Note

Add the following option to the standalone.conf file of your JBoss installation when using Java 11 for XperienCentral:


# Use the default JRE JAX parsers instead of Xerces. Xerces 1.12.0-SP02 is on the classpath of JBoss 7.2 by default
JAVA_OPTS="${JAVA_OPTS} -Djavax.xml.transform.TransformerFactory=com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl -Djavax.xml.parsers.DocumentBuilderFactory=com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl -Djavax.xml.parsers.SAXParserFactory=com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl"
# Set the locale providers for Java >= 9
JAVA_OPTS="${JAVA_OPTS} -Djava.locale.providers=COMPAT,CLDR"


See JAVA_OPTS Parameters for more details and explanations on the JAVA_OPTS settings.


Note

The above settings are OK for a standalone setup of XperienCentral and the setup of a read/write node in a clustered environment. For a read-only node one setting has to be adjusted: set the property webmanager.clustering.readonly to true.


Avoiding Clogged Logfiles

With the default settings, the log file will quickly fill with messages (INFO, WARNING and ERROR). To reduce the number of messages that are logged, adjust the (JBoss)/JBoss-My Website/standalone/configuration/standalone.xml file and add the following loggers where the other logger tags are located in the jboss.domain.logging subsystem:


Code Block
<logger category="org.apache.felix">
   <level name="WARN"/>
</logger>
<logger category="org.apache.jackrabbit">
   <level name="WARN"/>
</logger>
<logger category="org.apache.solr">
   <level name="WARN"/>
</logger>
<logger category="org.quartz">
   <level name="WARN"/>
</logger>
<logger category="org.springframework">
   <level name="WARN"/>
</logger>
<logger category="nl.gx.webmanager.startup">
   <level name="INFO"/>
</logger>
<logger category="nl.gx.webmanager.services.upgrade.impl">
   <level name="INFO"/>
</logger>


...

Apache Web Server

Download the latest version of the Apache web server (http://httpd.apache.org/download.cgi) and install it. How to compile Apache is explained in the examples below. It is also possible to use the Apache included in the package.


Tip

Because new Apache versions are released regularly, it is recommended that you configure Apache according to the package standards by including configuration files that contain your specific configuration parameters instead of modifying httpd.conf itself. Doing so ensures that you do not lose custom configuration settings during an update.

...

  • mod_proxy.so
  • mod_proxy_http.so
  • mod_proxy_ajp.so
  • mod_headers.so
  • mod_expires.so
  • mod_security2.so

The httpd-vhosts.conf file also needs to be read. Locate vhosts in httpd.conf and delete the # at the beginning of the line:

...

Code Block
<VirtualHost *:80>
   ServerName www.mywebsite.com
   DocumentRoot "/vol/www/mywebsite/web-docs/"
   ErrorLog logs/www.mywebsite.com_error.log
   CustomLog logs/www.mywebsite.com_custom.log common
   <Directory "/vol/www/mywebsite/web-docs/">
      Options +FollowSymLinks +includesnoexec
      AllowOverride All
      Require all granted
   </Directory>
   ProxyPass /web/ ajp://localhost:8009/web/ ttl=600
   <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{REQUEST_URI} !^/web/
      # XperienCentral versions R36 and higher; for R35 and lower use instead:
      #   RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L]
      RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
   </IfModule>
</VirtualHost>

...

Code Block
<VirtualHost *:80>
   ServerName edit.mywebsite.com
   DocumentRoot "/vol/www/mywebsite/web-docs/"
   ErrorLog logs/edit.mywebsite.com_error.log
   CustomLog logs/edit.mywebsite.com_custom.log common
   <Directory "/vol/www/mywebsite/web-docs/">
      Options +FollowSymLinks +includesnoexec
      AllowOverride All
      Require all granted
   </Directory>
   <Directory "/vol/www/mywebsite/web-docs/wm/b/">
      ExpiresActive ON
      ExpiresDefault "now plus 10 minutes"
      Header set Cache-Control "max-age=600"
   </Directory>
   ProxyPass /web/ ajp://localhost:8009/web/ ttl=600
   <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{REQUEST_URI} !^/web/
      # XperienCentral versions R36 and higher; for R35 and lower use instead:
      #   RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L]
      RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
   </IfModule>
</VirtualHost>

...

Code Block
<VirtualHost *:80>
   ServerName www.mywebsite.com
   DocumentRoot "/vol/www/mywebsite/web-docs/"
   ErrorLog logs/www.mywebsite.com_error.log
   CustomLog logs/www.mywebsite.com_custom.log common
   <Directory "/vol/www/mywebsite/web-docs/">
      Options +FollowSymLinks +includesnoexec
      AllowOverride All
      Require all granted
   </Directory>
   ProxyPass /web/ ajp://localhost:8009/web/ ttl=600
   <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{REQUEST_URI} !^/web/
      # XperienCentral versions R36 and higher; for R35 and lower use instead:
      #   RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L]
      RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
   </IfModule>
   # Rewrite external requests to https
   <IfModule mod_rewrite.c>
      RewriteEngine On
      LogLevel emerg
      RewriteCond %{HTTPS} off
      # Substitute the #s with the IP address of the backend server
      RewriteCond %{REMOTE_HOST} !###\.###\.###\.###$
      RewriteCond %{REMOTE_HOST} !127\.0\.0\.1$
      RewriteCond %{REMOTE_HOST} !localhost$
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
      RewriteRule ^/wm.* - [L]
      RewriteCond %{REQUEST_URI} !^/web/
      # XperienCentral versions R36 and higher; for R35 and lower use instead:
      #   RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L]
      RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
   </IfModule>
</VirtualHost>

...

Code Block
<VirtualHost *:80>
   ServerName www.mywebsite.com
   DocumentRoot "/vol/www/mywebsite/web-docs/"
   ErrorLog logs/www.mywebsite.com_error.log
   CustomLog logs/www.mywebsite.com_custom.log common
   <Directory "/vol/www/mywebsite/web-docs/">
      Options +FollowSymLinks +includesnoexec
      AllowOverride All
      Require all granted
   </Directory>
   ProxyPass /web/ ajp://localhost:8009/web/ ttl=600
   <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{REQUEST_URI} !^/web/
      # XperienCentral versions R36 and higher; for R35 and lower use instead:
      #   RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L]
      RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
   </IfModule>
   # Rewrite external requests to https
   <IfModule mod_rewrite.c>
      RewriteEngine On
      LogLevel emerg
      RewriteCond %{HTTPS} off
      # Substitute the #s with the IP address of the frontend server
      RewriteCond %{REMOTE_HOST} !###\.###\.###\.###$
      RewriteCond %{REMOTE_HOST} !127\.0\.0\.1$
      RewriteCond %{REMOTE_HOST} !localhost$
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
      RewriteCond %{REQUEST_URI} !^/web/
      # XperienCentral versions R36 and higher; for R35 and lower use instead:
      #   RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L]
      RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
   </IfModule>
</VirtualHost>

...

Code Block
<VirtualHost *:443>
   ServerName   <server name>
   ServerAdmin  <admin e-mail address>
   DocumentRoot  /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x
   ErrorLog      /vol/httpd/logs/errors-edit-ssl
   CustomLog     /vol/httpd/logs/access-edit-ssl combined

   #############
   # SSL
   SSLEngine On
   SSLProxyEngine On
   # "+TLSv1" enables only TLS 1.0, which is obsolete; replace this line with the
   # SSLProtocol (and SSLCipherSuite) values from the generator referenced below.
   SSLProtocol +TLSv1
   ## See https://mozilla.github.io/server-side-tls/ssl-config-generator
   ## for information on other rules you should add here for the version
   ## of Apache you are using.

   SSLCertificateFile /vol/httpd/ssl/nolaa.crt
   SSLCertificateKeyFile /vol/httpd/ssl/nolaa.key

   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
   # CustomLog /vol/www/server/logs/ssl/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

   <Directory /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x>
      Options +FollowSymLinks +includesnoexec
      AllowOverride All
      Require all granted
   </Directory>

   <Directory /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x/wm/b/toolbar/>
      ExpiresActive ON
      ExpiresDefault "now plus 10 minutes"
      Header set Cache-Control "max-age=600"
   </Directory>
   <Directory /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x/wm/b/domapi/>
      ExpiresActive ON
      ExpiresDefault "now plus 10 minutes"
      Header set Cache-Control "max-age=600"
   </Directory>

   ProxyPass         /web/ ajp://localhost:19200/web/ ttl=600
   ProxyPassReverse  /web/ ajp://localhost:19200/web/

   <IfModule mod_rewrite.c>
      RewriteEngine On
      # RewriteLogLevel 0  (Apache 2.2 only; removed in 2.4, where rewrite logging is set with "LogLevel rewrite:<level>")
      RewriteCond %{REQUEST_URI} !^/web/
      # XperienCentral versions R36 and higher; for R35 and lower use instead:
      #   RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L]
      RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
   </IfModule>

   Alias /systemlogs /vol/webmanager/apache-tomcat-8.5.31/logs
   <Location /systemlogs>
      <IfModule mod_deflate.c>
         SetOutputFilter DEFLATE
      </IfModule>
      AuthUserFile /vol/httpd/htpasswd
      AuthName ""
      AuthType Basic
      # Without a Require directive the AuthType/AuthUserFile lines enforce nothing, and the
      # former "Order Deny,Allow / Allow from all" would have exposed the Tomcat logs to every
      # client. Require a valid login from a trusted address instead (Apache 2.4 syntax).
      <RequireAll>
         Require valid-user
         Require ip 127.0.0.1 ::1 <IP address>
      </RequireAll>

      Options +Indexes
      IndexOptions FancyIndexing
   </Location>

   ScriptAlias /cgi-bin "/vol/www/server/cgi-bin"
</VirtualHost>

</IfDefine>

...

Code Block
<VirtualHost *:443>
   ServerName        <server name>
   ServerAdmin       <admin e-mail address>
   DocumentRoot      /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x
   ErrorLog          /vol/httpd/logs/errors-frontend-ssl
   CustomLog         /vol/httpd/logs/access-frontend-ssl combined

   #################
   # SSL

   SSLEngine On
   SSLProxyEngine On
   # "+TLSv1" enables only TLS 1.0, which is obsolete; replace this line with the
   # SSLProtocol value from the generator referenced below.
   SSLProtocol +TLSv1
   ## See https://mozilla.github.io/server-side-tls/ssl-config-generator
   ## for information on other rules you should add here for the version
   ## of Apache you are using.

   # HIGH:MEDIUM still admits weak cipher suites; take SSLCipherSuite from the generator as well.
   SSLCipherSuite HIGH:MEDIUM

   SSLCertificateFile /vol/httpd/ssl/<certificate>.crt
   SSLCertificateKeyFile /vol/httpd/ssl/<certificate>.key

   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

   ### CustomLog /vol/www/server/logs/ssl/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

   #  Test: Recognize this VirtualHost
   Alias /systemlogs2 /vol/webmanager/apache-tomcat-8.5.31/logs
   <Location /systemlogs2>
      <IfModule mod_deflate.c>
         SetOutputFilter DEFLATE
      </IfModule>
      AuthUserFile /vol/httpd/htpasswd
      AuthName ""
      AuthType Basic
      # Without a Require directive the AuthType/AuthUserFile lines enforce nothing, and the
      # former "Order Deny,Allow / Allow from all" would have exposed the Tomcat logs to every
      # client. Require a valid login from a trusted address instead (Apache 2.4 syntax).
      <RequireAll>
         Require valid-user
         Require ip 127.0.0.1 ::1 <IP address>
      </RequireAll>

      Options +Indexes
      IndexOptions FancyIndexing
   </Location>

   <Directory /vol/webmanager/webmanager-webapps/webmanager-static-webapp/target/webmanager-static-webapp-10.x.x>
      Options +FollowSymLinks +includesnoexec
      AllowOverride All
      Require all granted
   </Directory>

   ProxyPass         /web/ ajp://localhost:19200/web/ ttl=600
   ProxyPassReverse  /web/ ajp://localhost:19200/web/

   <IfModule mod_rewrite.c>
      RewriteEngine On
      # RewriteLogLevel 0  (Apache 2.2 only; removed in 2.4, where rewrite logging is set with "LogLevel rewrite:<level>")

      # Give not found on /web/admin/* on frontend url.
      RewriteCond %{REQUEST_URI} ^/web/admin
      RewriteRule ^/web/admin - [R=404]

      RewriteCond %{REQUEST_URI} !^/web/
      # XperienCentral versions R36 and higher; for R35 and lower use instead:
      #   RewriteRule ^/(.*)\.htm$ /web/$1.htm [PT,L]
      RewriteRule ^/(.*)\.htm$ /web/seo/$1.htm [PT,L]
   </IfModule>
</VirtualHost>


The .htaccess File

The .htaccess file is needed to also set a CSP policy on static assets that are typically served from disk by Apache httpd. Configure the .htaccess file (if your deployment requires it). See https://httpd.apache.org/docs/2.4/howto/htaccess.html for complete information.

Remove Server Header Configuration

In order to prevent Apache from identifying itself, add the following content to /etc/httpd/conf.d/remove-server-header.conf. This configuration step is optional.

<IfModule security2_module>
   SecRuleEngine on
   SecServerSignature " "
</IfModule>

Handling Uploaded Files

The following applies to XperienCentral versions 10.29.3 and higher.

In order to prevent uploaded files from being opened inside the browser, you need to add a rule that specifies which uploaded files should be treated as an attachment. Add the following rule to one of the Apache httpd.conf include files:

<Location ~ "(/upload|/upload_mm)">
   Header set Content-Disposition "attachment"
</Location>

...

Note

In the example above, the Content-Security-Policy declarations are set to a very strict level and will, among other things, prevent the embedding of external content using, for example, Oembed. If you want to allow the embedding of external content in the frontend environment or use less strict security, you need to relax one or more of these rules. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy for more information.

Note

If you want to include an additional rule to set the HttpOnly flag on cookies, make sure to exclude the X-CSRF-Token cookie from that rule, because the anti-CSRF protection in XperienCentral relies on the fact that a browser does not allow JavaScript code to read cookies from another domain, and setting the HttpOnly flag disables access to the cookie from all JavaScript code. For example:

# Set HttpOnly and Secure flag on all cookies except for X-CSRF-Token cookie (required for submitting any sort of form in R33 and higher).
Header edit Set-Cookie ^((?!X-CSRF-Token=).*)$ $1;HttpOnly;Secure env=object_is_secure
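To see exactly which cookies the rule above touches, here is an added Python simulation of that Header edit line (it is not part of the original page). It assumes that object_is_secure is set by a SetEnvIf on HTTPS requests, which this page does not show, and runs over constructed Set-Cookie values.

```python
import re

# Regex and replacement of the Apache rule on this page:
#   Header edit Set-Cookie ^((?!X-CSRF-Token=).*)$ $1;HttpOnly;Secure env=object_is_secure
# Apache writes the back-reference as $1; Python's re uses \1 for the same group.
COOKIE_RULE = re.compile(r"^((?!X-CSRF-Token=).*)$")
REPLACEMENT = r"\1;HttpOnly;Secure"


def apply_cookie_rule(set_cookie: str, object_is_secure: bool) -> str:
    """Simulate the 'Header edit' line on a single Set-Cookie header value.

    The env=object_is_secure condition means the edit only runs when that
    environment variable is set for the request. How it is set is not shown on
    this page; the assumption here is a SetEnvIf on HTTPS requests, so on a
    plain-HTTP request the cookie passes through unchanged.
    """
    if not object_is_secure:
        return set_cookie
    # 'Header edit' (without the trailing *) replaces only the first match.
    return COOKIE_RULE.sub(REPLACEMENT, set_cookie, count=1)


def apply_to_response(set_cookies: list, object_is_secure: bool = True) -> list:
    """mod_headers applies the edit to each Set-Cookie header of the response in turn."""
    return [apply_cookie_rule(value, object_is_secure) for value in set_cookies]


def cookie_flags(set_cookie: str) -> set:
    """Attribute names (lower-cased) carried by a Set-Cookie value, e.g. {'path', 'httponly'}."""
    attributes = [part.strip() for part in set_cookie.split(";")[1:]]
    return {attr.split("=", 1)[0].lower() for attr in attributes if attr}


def missing_flags(set_cookie: str) -> set:
    """Which of the two protective attributes a Set-Cookie value still lacks (empty set: both present)."""
    return {"httponly", "secure"} - cookie_flags(set_cookie)


# Constructed sample response: a session cookie, the anti-CSRF cookie that the
# rule must leave readable for JavaScript, and a cookie that already has HttpOnly.
SAMPLE_RESPONSE = [
    "JSESSIONID=3F2A9C1D; Path=/web",
    "X-CSRF-Token=7b1d2e9f; Path=/",
    "lang=en; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for before, after in zip(SAMPLE_RESPONSE, apply_to_response(SAMPLE_RESPONSE)):
        print(f"{before:40} -> {after}")
        print(f"{'':40}    still missing: {sorted(missing_flags(after)) or 'nothing'}")
```

The third sample shows that the edit appends HttpOnly a second time when a cookie already carries it; browsers ignore the duplicate, but it is a sign the rule is applied without checking the existing attributes.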


Backend Environment


Add the headers to the backend environment (the internal edit environment of XperienCentral) in your .conf file:

...

Note

In the example above, the declarations are set to a very strict level and will, among other things, prevent the embedding of external content using, for example, Oembed. If you want to allow the embedding of external content in the backend environment or use less strict security, you need to relax one or more of these rules. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy for more information.

 

Content-Security-Policy

In order to add extra security to the XperienCentral environment, it is necessary to add the Content-Security-Policy to the response headers. In the two virtual host configurations (backend and frontend) shown previously, the header is already added. The value of the header is not a general value; it is site specific. The value of the Content-Security-Policy header shown can be used, but it might block content on the client website, so be careful when implementing it. There will be an add-on for XperienCentral in the future with which the header's value can be generated and altered within XperienCentral itself.

Enable OCSP Stapling on your Server

See https://www.digicert.com/enabling-ocsp-stapling.htm.

Cache-Control and Pragma

It is important to set the cache headers for security reasons. The Pragma header is not used by current browsers; it is a fallback for older implementations and has been replaced in the HTTP standard by the Cache-Control header. The Cache-Control header is set for static files such as images, CSS and JavaScript files, as well as for dumped XperienCentral pages. To ensure that dumped content also has a cache header, add the following to the virtual host settings:

Code Block
  <LocationMatch "\.html$">
    Header merge Cache-Control "max-age=300"
    Header merge Pragma "no-cache"
  </LocationMatch>

This will set the caching for dumped content to five minutes (300 seconds).



The following configuration disables browser and proxy caching for pages in order to avoid the caching of personalized pages:


Code Block
SetEnvIf Request_URI "^/(.*)\.htm$" object_is_dynamic=true
SetEnvIf Request_URI "^/web/" object_is_dynamic=true
Header merge Cache-Control "no-cache" env=object_is_dynamic
Header merge Cache-Control "no-store" env=object_is_dynamic
Header merge Cache-Control "private" env=object_is_dynamic
Header merge Pragma "no-cache" env=object_is_dynamic
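Added example (not from the original page): a Python simulation of how the two caching fragments on this page, the LocationMatch block for dumped .html pages and the SetEnvIf rules for dynamic content, combine for a given request URI, including a URI that matches both. The merge order follows mod_headers, which applies server-level Header directives before those inside a Location container; the sample URIs are constructed.

```python
import re

# SetEnvIf Request_URI "^/(.*)\.htm$" object_is_dynamic=true
# SetEnvIf Request_URI "^/web/"        object_is_dynamic=true
DYNAMIC_PATTERNS = [re.compile(r"^/(.*)\.htm$"), re.compile(r"^/web/")]

# Header merge ... env=object_is_dynamic  (server level)
DYNAMIC_HEADERS = [
    ("Cache-Control", "no-cache"),
    ("Cache-Control", "no-store"),
    ("Cache-Control", "private"),
    ("Pragma", "no-cache"),
]

# <LocationMatch "\.html$"> ... </LocationMatch>  (dumped pages)
DUMPED_PATTERN = re.compile(r"\.html$")
DUMPED_HEADERS = [
    ("Cache-Control", "max-age=300"),
    ("Pragma", "no-cache"),
]


def header_merge(headers: dict, name: str, value: str) -> None:
    """Emulate 'Header merge': append value to the header's comma-separated list
    unless that exact token is already present; create the header if absent."""
    current = headers.get(name)
    if current is None:
        headers[name] = value
    elif value not in [token.strip() for token in current.split(",")]:
        headers[name] = f"{current}, {value}"


def is_dynamic(request_uri: str) -> bool:
    """Would one of the SetEnvIf rules set object_is_dynamic for this URI?"""
    return any(pattern.search(request_uri) for pattern in DYNAMIC_PATTERNS)


def cache_headers(request_uri: str) -> dict:
    """Cache headers Apache adds for request_uri under this page's two fragments.

    mod_headers runs server-level Header directives before those inside a
    Location container, so the env-conditioned merges are applied first.
    """
    headers = {}
    if is_dynamic(request_uri):
        for name, value in DYNAMIC_HEADERS:
            header_merge(headers, name, value)
    if DUMPED_PATTERN.search(request_uri):
        for name, value in DUMPED_HEADERS:
            header_merge(headers, name, value)
    return headers


def conflicting_cache_control(headers: dict) -> bool:
    """True when Cache-Control both forbids storing and grants a positive max-age."""
    tokens = [t.strip() for t in headers.get("Cache-Control", "").split(",")]
    positive_age = any(t.startswith("max-age=") and t != "max-age=0" for t in tokens)
    return "no-store" in tokens and positive_age


# Constructed request URIs: a dynamic page, a dumped page, a static asset and a
# URI under /web/ that ends in .html and therefore matches both fragments.
SAMPLE_URIS = [
    "/news/article.htm",
    "/news/article.html",
    "/wm/b/toolbar/main.js",
    "/web/admin/dashboard.html",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        hdrs = cache_headers(uri)
        flag = "  <-- conflicting directives" if conflicting_cache_control(hdrs) else ""
        print(f"{uri:28} {hdrs}{flag}")
```

The last URI shows the two fragments stacking into a Cache-Control value that both forbids storing and grants a 300-second lifetime; if .html content can be served under /web/, one of the two rules needs to exclude the other's paths.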

...

cd /vol/www/webmanager-mywebsite
mvn -s settings.xml -P configure-jcr-repository
mvn -s settings.xml -P build-project
cd /vol/www/mywebsite/
mkdir web-docs
cd web-docs
unzip /vol/www/webmanager-mywebsite/webmanager-webapps/\
webmanager-static-webapp/target/\
webmanager-static-webapp-1.0-SNAPSHOT.war
# For JBoss use:
#  /vol/users/product/jboss/jboss-mywebsite/standalone/deployments
cd /vol/www/tomcat-mywebsite/deploy
cp /vol/www/webmanager-mywebsite/webmanager-webapps/\
webmanager-backend-webapp/target/\
webmanager-backend-webapp-1.0-SNAPSHOT.war .
cd /vol/www/mywebsite/work/edition-bundles
cp /vol/www/webmanager-mywebsite/edition-bundles/*.jar .
cd /vol/www/mywebsite/system/
cp /vol/www/webmanager-mywebsite/settings.xml .
cp /vol/www/webmanager-mywebsite/webmanager-cleansite/target/\
webmanager-cleansite-1.0-SNAPSHOT.jar .
rm /tmp/GX_WebManager_10.x.x_SDK.zip





...

Configuring Tomcat

For Tomcat, two files need to be created. Place these files in the /vol/www/tomcat-mywebsite/conf directory.

...


...

Code Block
<Server port="8005" shutdown="SHUTDOWN">
   <GlobalNamingResources>
      <!-- Userdatabase is used to secure admin pages! Make sure the path is ok otherwise the admin jsps will not work -->
      <Resource name="WMUserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="XperienCentral user database" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="/vol/www/tomcat-mywebsite/deploy/admin-users.xml" />
   </GlobalNamingResources>
   <Service name="WebManager">
      <!-- secretRequired="false" disables the AJP shared secret, so this connector must only be reachable
           by the local Apache: bind it to the loopback interface (address="127.0.0.1") or firewall port 8009. -->
      <Connector port="8009" enableLookups="false" debug="1" protocol="AJP/1.3" URIEncoding="UTF-8" secretRequired="false" connectionTimeout="600000" />
      <Engine name="WebManager" defaultHost="localhost">
         <Realm className="org.apache.catalina.realm.LockOutRealm" >
            <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="WMUserDatabase"/>
         </Realm>
         <Host name="localhost" unpackWARs="true" autoDeploy="false" deployOnStartup="false" appBase="/vol/www/tomcat-mywebsite/deploy">
            <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="true" showServerInfo="false" />
            <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
            <Context path="/web" docBase="webmanager-backend-webapp-1.0-SNAPSHOT.war">
               <Valve className="org.apache.catalina.authenticator.DigestAuthenticator" cache="true" />
            </Context>
         </Host>
      </Engine>
   </Service>
</Server>

...

Important

If you use integrated functionality such as SAML for single sign-on or a platform like DigiD, eHerkenning or iDeal that redirects visitors to an external system and then back to XperienCentral, or if Interactive Forms are included on external websites, the sameSiteCookies property in the context.xml as shown above should be set to "none":

sameSiteCookies="none"

...

Configuring JBoss can be done manually or automatically. To configure JBoss manually, follow the steps below. To configure JBoss automatically, use the Maven command "mvn -Pconfigure-jboss".

Make the Database Driver Available

Obtain a copy of the database driver from the Maven repository. Copy the driver for your database to the directory jboss-mywebsite/modules/system/layers/base. Use the following JAR files for the following databases:

  • For MSSQL, copy mssql-jdbc-7.0.0.jre8.jar to com/microsoft/sqlserver/mssql-jdbc/main.
  • For Oracle, copy oraclejdbcdriver-12.1.0.2.jar to oracle/oraclejdbcdriver/main.

For MySQL, you must download the connector JAR yourself; it is not available by default in the Maven repository.

...

Oracle: jdbc:oracle:thin:@mydomain:1521:xe


Disable the Default Welcome Root Web (Undertow) Application

In standalone.xml, delete the following two lines from the jboss:domain:undertow subsystem to disable the default welcome content:


Code Block
<subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
	<server name="default-server">
		...
		<host name="default-host" alias="${webmanager.backendservername},${webmanager.frontendservername}">
			<location name="/" handler="welcome-content"/>  <!-- DELETE THIS LINE -->
			<http-invoker security-realm="ApplicationRealm"/>
		</host>
	</server>
	...
	<handlers>
		<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>  <!-- DELETE THIS LINE -->
	</handlers>
</subsystem>


Add Aliases for Hostnames

In standalone.xml, add the aliases for the hostnames you are using:


Code Block
<server name="default-server">
	<host name="default-host" alias="mydomain.mycompany.com,alias">
		...
	</host>
</server>
  


Enable the AJP Connector


Code Block
<server name="default-server">
	<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
	<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
	<ajp-listener name="ajp" socket-binding="ajp"/>
</server>


Enable the wmadmin Login

In standalone.xml, add the XperienCentral security domain. This is necessary because the XperienCentral file jboss-web.xml references the XperienCentral security domain.

...

Code Block
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
   <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" deployment-timeout="1000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
</subsystem>


Generate and Store the JBoss 7.2.0 EAP Application Server Hash

cd /vol/www/jboss-cleansite/modules/system/layers/base/org/picketbox/main
/usr/local/java11/bin/java -cp picketbox-5.0.3.Final-redhat-3.jar org.jboss.security.auth.callback.RFC2617Digest wmadmin "XperienCentral" <password>

...