Configuring WebOffice FTS-Index
This chapter describes the options for configuring the WebOffice FTS-Index.
Configuring permitted hosts (IP Filter)
After a default installation of WebOffice FTS-Index, an IP filter is activated on localhost.
For security reasons, WebOffice FTS-Index is preconfigured to block all requests that do not originate from localhost. This applies both to access to the Web-Admin interface via a browser and to third-party applications such as WebOffice 10.9 R4 that want to use WebOffice FTS-Index. This restriction is intended to prevent the indexed data from being accessed or modified by unauthorized persons.
This default setting is correct for a Solr Standalone installation, where WebOffice and WebOffice FTS-Index are typically on the same machine. In a load-balancing scenario it has to be specified which additional hosts should also have access. This concerns the machine on which the LoadBalancer is installed.
The authorised IP addresses can be listed and added to the SOLR_IP_ALLOWLIST in the file "C:\Program Files (x86)\VertiGIS\WebOffice FTS-Index\bin\solr.in.cmd".
Access filtering via IP address
Troubleshooting: HTTP ERROR 403
If an HTTP Error 403 occurs in the browser while connecting to WebOffice FTS-Index it is likely that the computer on which the browser was started is not listed in the SOLR_IP_ALLOWLIST (Path: "C:\Programme (x86)\VertiGIS\WebOffice FTS-Index\bin\solr.in.cmd"). Therefore the access was denied.
Connection from this host is not allowed due to the IP filter
WebOffice FTS-Index via a secured connection (SSL/TLS)
SSL/TLS is not enabled after a default installation of WebOffice FTS-Index. This means that the URL cannot be called using https.
SSL can be activated by placing the following block in the file ..\WebOffice FTS-Index\bin\solr.in.cmd:
Configuring the SSL connection in the file solr.in.cmd
The following points must be considered:
• SOLR_SSL_KEY_STORE and SOLR_SSL_TRUST_STORE must be specified in quotation marks if the path contains a space.
• In SOLR_SSL_KEY_STORE and SOLR_SSL_TRUST_STORE all special characters such as opening and closing parentheses must be masked with five (!) '^' ('circumflex') characters. If no quotation marks are used, only three '^' are required.
• SOLR_SSL_TRUST_STORE typically points to the default TrustStore of Java (cacerts). The default password of this TrustStore is 'changeit'.
• SOLR_SSL_KEY_STORE is a PKCS12 container, which can be created with the tool 'KeyStore Explorer' (http://keystore-explorer.org/). The private certificate (of type PEM, with password) which has to be used for the server must be imported into this password-protected container.
• Do not set the attribute SOLR_SSL_NEED_CLIENT_AUTH to true, because the Solr server would not start in this case.
Additionally, a certificate can be integrated directly via the SOLR_SSL_KEY_STORE parameter. This requires an encrypted certificate (*.pfx). To encrypt the password accordingly, the secret key has to be defined in the SOLR_SSL_KEY_STORE_PASSWORD parameter. The following configuration shows the use of such a keystore:
SSL configuration of a pfx certificate in the file solr.in.cmd
It is important that the value PKCS12 is set in the SOLR_SSL_KEY_STORE_TYPE parameter for this type of certificate.
Furthermore, if a certificate is in use, the name the certificate was issued for (e.g. the server name) should be configured in the SOLR_HOST parameter in solr.in.cmd, and that section of the configuration should be activated. The following section shows an example of the configuration parameter:
Configuration of the host name in solr.in.cmd
• As usual, WebOffice must trust the certificate presented by the server to access a secured connection via SSL. To do this, the corresponding certificate must be imported into the cacerts truststore, for example with the installCert.bat tool.
• In this context, please check which host name (e.g. internal ws-server vs. external ws-server.domain.intern) the FTS-Index is configured with in WebOffice, and make sure that the configured name matches the host name of the SSL certificate.
For more information, see Import of SSL/TLS-Certificates.
Wildcard certificates are currently not supported. See the following error message from the WebOffice 10.9 R4 log file:
Error message: The host name does not match the certificate precisely
• This manual is only applicable if Solr Standalone is used.
• A SolrCloud installation with LoadBalancing is much more complex, because there are additional connection paths (e.g. between the individual Zookeeper instances) which should also be encrypted.
Once the WebOffice FTS-Index has been started with a working SSL configuration, the Solr Admin UI can no longer be accessed via HTTP. The attempt merely displays an error message or a cryptic character string.
Access via HTTPS is of course possible, but the complete URL (including protocol at the beginning) must be entered in the browser: https://localhost:8983/solr
Connection via HTTP is no longer possible (top: Microsoft Internet Explorer, middle: Mozilla Firefox, bottom: Google Chrome)
Password-protecting access to FTS-Index (Basic Authentication)
Basic Authentication is enabled after a default installation of WebOffice FTS-Index. User: weboffice, Password: weboffice4ever
The file ..\WebOffice\FTS-Index\server\solr\security.json contains the configuration that defines the authentication for access to the WebOffice FTS-Index. If necessary, the password protection can be removed by deleting this file (and restarting the Windows service WebOffice FTS Index).
The content of the file security.json can be viewed at http://localhost:8983/solr/admin/authentication.
In the Security section of the Solr Admin UI (available at http://localhost:8983/solr/#/~security) the user name and password for access to WebOffice FTS-Index can be changed.
Set the password for access to FTS-Index
The changed access information must also be saved in the file ..\WebOffice FTS Index\bin\solr.in.cmd:
Configuration of the Basic Authentication access data for starting the Windows service
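The solr.in.cmd settings discussed on this page (IP filter, SSL/TLS, Basic Authentication) can be checked mechanically before the service is restarted. The following Python script is an added example, not part of the WebOffice documentation or product; it assumes the file uses Solr's standard SOLR_SSL_ENABLED and SOLR_AUTHENTICATION_OPTS (-Dbasicauth=user:password) settings, which this page does not show, and the sample file content is constructed.

```python
import ipaddress
import re

# Constructed sample of a solr.in.cmd (illustrative values, not a real installation).
SAMPLE = r'''
REM set SOLR_HOST=ws-server.domain.intern
set SOLR_IP_ALLOWLIST=127.0.0.1, 0.0.0.0/0
set SOLR_SSL_ENABLED=true
set SOLR_SSL_KEY_STORE_TYPE=JKS
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_AUTHENTICATION_OPTS=-Dbasicauth=weboffice:weboffice4ever
'''

def parse_settings(text):
    """Collect active `set NAME=value` lines; lines starting with REM are comments."""
    pairs = re.findall(r'(?im)^\s*set\s+"?(\w+)=(.*)$', text)
    return {name.upper(): value.strip().strip('"') for name, value in pairs}

def admits_everyone(entry):
    # True for entries with prefix length 0, such as 0.0.0.0/0 or [::]/0.
    try:
        net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0

def audit(text):
    s, findings = parse_settings(text), []
    flag = lambda name: s.get(name, "false").lower() == "true"
    allow = [a.strip() for a in s.get("SOLR_IP_ALLOWLIST", "").split(",") if a.strip()]
    if not allow:
        findings.append("SOLR_IP_ALLOWLIST is not set")
    elif any(admits_everyone(a) for a in allow):
        findings.append("SOLR_IP_ALLOWLIST admits every host")
    if not flag("SOLR_SSL_ENABLED"):
        findings.append("SSL/TLS is not enabled")
    else:
        if flag("SOLR_SSL_NEED_CLIENT_AUTH"):
            findings.append("SOLR_SSL_NEED_CLIENT_AUTH=true prevents Solr from starting")
        if s.get("SOLR_SSL_KEY_STORE_TYPE", "").upper() != "PKCS12":
            findings.append("SOLR_SSL_KEY_STORE_TYPE is not set to PKCS12")
        if "SOLR_HOST" not in s:
            findings.append("SOLR_HOST is not set to the certificate name")
    if "basicauth=weboffice:weboffice4ever" in s.get("SOLR_AUTHENTICATION_OPTS", ""):
        findings.append("default Basic Authentication credentials still in use")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```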
Change admin-user in security.json
If the default user has been changed or a new user has been added, this user must be configured as administrator. This setting must also be made in the file ..\WebOffice\FTS-Index\server\solr\security.json.
In the item user-role the weboffice-user is preconfigured as admin-user. Here you can insert the new user instead of the weboffice-user. In the following screenshot the user fts was assigned the admin-role.
Configuration of a new admin-user
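The dependency described above, that the user saved in solr.in.cmd for starting the Windows service must exist in security.json and hold the admin role, can be verified before the service is restarted. This is an added example, not WebOffice's own code: the security.json below is constructed in the layout of Solr's BasicAuthPlugin and RuleBasedAuthorizationPlugin with placeholder credentials, and check_service_user is a hypothetical helper name.

```python
import json

# Constructed security.json; credential strings are placeholders, not real hashes.
SECURITY_JSON = '''
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {"weboffice": "<hash> <salt>", "fts": "<hash> <salt>"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "all", "role": "admin"}],
    "user-role": {"weboffice": "admin"}
  }
}
'''

def roles_of(user_role, user):
    """A user-role value may be a single role name or a list of role names."""
    value = user_role.get(user, [])
    return [value] if isinstance(value, str) else list(value)

def check_service_user(security_json, auth_opts):
    """auth_opts is the SOLR_AUTHENTICATION_OPTS value, e.g. -Dbasicauth=user:password."""
    cfg = json.loads(security_json)
    creds = cfg.get("authentication", {}).get("credentials", {})
    user_role = cfg.get("authorization", {}).get("user-role", {})
    user = auth_opts.split("basicauth=", 1)[-1].split(":", 1)[0]
    problems = []
    if user not in creds:
        problems.append(f"user '{user}' has no credentials entry")
    if "admin" not in roles_of(user_role, user):
        problems.append(f"user '{user}' is not assigned the admin role")
    # Role assignments for users without credentials are leftovers of a rename.
    for name in user_role:
        if name not in creds:
            problems.append(f"user-role names unknown user '{name}'")
    return problems

if __name__ == "__main__":
    # New user fts was added, but user-role still lists only weboffice.
    print(check_service_user(SECURITY_JSON, "-Dbasicauth=fts:example-password"))
```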