Configuring WebOffice FTS-Index

This chapter describes the options for configuring the WebOffice FTS-Index.

Configuring permitted hosts (IP Filter)

 


After a default installation of WebOffice FTS-Index an IP filter is activated on localhost.

 

For security reasons, WebOffice FTS-Index is preconfigured to block all requests that do not originate from localhost. This applies both to access to the Web-Admin interface via a browser and to third-party applications, such as WebOffice 10.9 SP1, that want to use WebOffice FTS-Index. This restriction is intended to prevent the indexed data from being accessed or modified by unauthorized persons.

 

This default setting is correct for a Solr Standalone installation, where WebOffice and WebOffice FTS-Index are typically on the same machine. In a load-balancing scenario it has to be specified which additional hosts should also have access. This concerns the machine on which the LoadBalancer is installed.

 

The authorised IP addresses can be listed and added to the SOLR_IP_ALLOWLIST in the file "C:\Program Files (x86)\VertiGIS\WebOffice FTS-Index\bin\solr.in.cmd".

 

Access filtering via IP address


 

Troubleshooting: HTTP ERROR 403

If an HTTP Error 403 occurs in the browser while connecting to WebOffice FTS-Index, it is likely that the computer on which the browser was started is not listed in the SOLR_IP_ALLOWLIST (Path: "C:\Programme (x86)\VertiGIS\WebOffice FTS-Index\bin\solr.in.cmd"). Access was therefore denied.

 

Connection from this host is not allowed due to the IP filter


 

WebOffice FTS-Index via a secured connection (SSL/TLS)

 


SSL/TLS is not enabled after a default installation of WebOffice FTS-Index. This means that the URL cannot be called using https.

 

SSL can be activated by placing the following block in the file ..\WebOffice FTS-Index\bin\solr.in.cmd:

 

Configuring the SSL connection in the file solr.in.cmd


 

The following points must be considered:

SOLR_SSL_KEY_STORE and SOLR_SSL_TRUST_STORE must be specified in quotation marks if the path contains a space.

In SOLR_SSL_KEY_STORE and SOLR_SSL_TRUST_STORE, all special characters such as opening and closing parentheses must be escaped with five (!) '^' characters (circumflex). If no quotation marks are used, only three '^' are needed.

SOLR_SSL_TRUST_STORE typically points to the default TrustStore of Java (cacerts). The default password of this TrustStore is 'changeit'.

SOLR_SSL_KEY_STORE is a PKCS12 container, which can be created with the tool 'KeyStore Explorer' (http://keystore-explorer.org/). The private certificate (of type PEM, with password) which has to be used for the server must be imported into this password-protected container.

Do not set the attribute SOLR_SSL_NEED_CLIENT_AUTH to true, because the Solr server would not start in this case.

 

Additionally, it is possible to integrate a certificate directly using the SOLR_SSL_KEY_STORE parameter. For this, an encrypted certificate (*.pfx) has to be used. To encrypt the password accordingly, the secret key has to be defined in the SOLR_SSL_KEY_STORE_PASSWORD parameter. The following configuration shows the use of such a keystore:

 

SSL configuration of a pfx certificate within the file solr.in.cmd

 

It is important that the value PKCS12 is set in the SOLR_SSL_KEY_STORE_TYPE parameter for this type of certificate.

 

Furthermore, if a certificate is in use, the name the certificate was issued to (e.g. the server name) should be configured in the SOLR_HOST parameter in solr.in.cmd, and that section should be activated in the configuration. The following section shows an example of the configuration parameter:

Configuration of the host name in solr.in.cmd

 


As usual, WebOffice must trust the certificate presented by the server to access a secured connection via SSL. To do this, the corresponding certificate must be imported into the cacerts truststore, for example with the installCert.bat tool.

In this context, check which host name (e.g. internal ws-server vs. external ws-server.domain.intern) is configured for the FTS-Index in WebOffice, and make sure that the configured name matches the host name of the SSL certificate.

 

For more information, see Import of SSL/TLS-Certificates.

 

Wildcard certificates are currently not supported. See the following error message from the WebOffice 10.9 SP1 log file:

 

Error message: The host name does not match the certificate precisely


 


This manual is only applicable if Solr Standalone is used.

A SolrCloud installation with LoadBalancing is much more complex, because there are additional connection paths (e.g. between the individual Zookeeper instances) which should also be encrypted.

 

Once the WebOffice FTS-Index has been started with a working SSL configuration, the Solr Admin UI can no longer be accessed via HTTP. The attempt merely displays an error message or a cryptic character string.

Access via HTTPS is of course possible, but the complete URL (including protocol at the beginning) must be entered in the browser: https://localhost:8983/solr

Connection via HTTP is no longer possible (top: Microsoft Internet Explorer, middle: Mozilla Firefox, bottom: Google Chrome)

 

Password-protecting access to FTS-Index (Basic Authentication)

 

Basic Authentication is enabled after a default installation of WebOffice FTS-Index.

User: weboffice                Password: weboffice4ever

 

The file ..\WebOffice\FTS-Index\server\solr\security.json contains the configuration that defines the authentication for access to the WebOffice FTS-Index. If necessary, the password protection can be removed by deleting this file (and restarting the Windows service WebOffice FTS Index).

The content of the file security.json can be viewed at http://localhost:8983/solr/admin/authentication.

 

In the Security section of the Solr Admin UI (available at http://localhost:8983/solr/#/~security) the user name and password for access to WebOffice FTS-Index can be changed.

 

Set the password for access to FTS-Index


 

 

The changed access information must also be saved in the file ..\WebOffice FTS Index\bin\solr.in.cmd:

 

Configuration of the Basic Authentication access data for starting the Windows service
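The IP filter, SSL and Basic Authentication settings described so far all live in solr.in.cmd, so they can be checked together. The following audit script is an added example and not part of the original manual; the sample file content is constructed, and the use of SOLR_SSL_ENABLED and of SOLR_AUTHENTICATION_OPTS with -Dbasicauth=user:password is an assumption based on standard Solr start scripts.

```python
import re

# Constructed sample of a solr.in.cmd file (not taken from a real installation).
SAMPLE = r'''
REM set SOLR_IP_ALLOWLIST=127.0.0.1
set SOLR_IP_ALLOWLIST=127.0.0.1, 10.0.0.15
set SOLR_SSL_ENABLED=true
set SOLR_SSL_KEY_STORE=C:\certs\fts-index.pfx
set SOLR_SSL_KEY_STORE_TYPE=JKS
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_AUTH_TYPE=basic
set SOLR_AUTHENTICATION_OPTS=-Dbasicauth=weboffice:weboffice4ever
'''

SET_LINE = re.compile(r'^\s*set\s+"?(\w+)=(.*)$', re.IGNORECASE)

def parse_settings(text):
    """Return the active `set NAME=value` assignments; REM lines never match."""
    settings = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m:
            settings[m.group(1).upper()] = m.group(2).strip().strip('"')
    return settings

def audit(text):
    """Check a solr.in.cmd against the points made in this chapter."""
    s = parse_settings(text)
    findings = []
    if not s.get("SOLR_IP_ALLOWLIST"):
        findings.append("SOLR_IP_ALLOWLIST is not set: no IP filter configured")
    ssl_on = s.get("SOLR_SSL_ENABLED", "").lower() == "true"
    if not ssl_on:
        findings.append("SOLR_SSL_ENABLED is not true: HTTPS is not available")
    if s.get("SOLR_SSL_NEED_CLIENT_AUTH", "").lower() == "true":
        findings.append("SOLR_SSL_NEED_CLIENT_AUTH=true: the server would not start")
    store = s.get("SOLR_SSL_KEY_STORE", "").lower()
    if store.endswith(".pfx") and s.get("SOLR_SSL_KEY_STORE_TYPE", "").upper() != "PKCS12":
        findings.append("pfx key store needs SOLR_SSL_KEY_STORE_TYPE=PKCS12")
    if ssl_on and not s.get("SOLR_HOST"):
        findings.append("SOLR_HOST is not set to the certificate's host name")
    if "weboffice4ever" in s.get("SOLR_AUTHENTICATION_OPTS", ""):
        findings.append("default password is still used in SOLR_AUTHENTICATION_OPTS")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a real installation, pass the content of the solr.in.cmd file to audit() instead of SAMPLE.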


 

 

Change admin-user in security.json

If the default user has been changed or a new user has been added, this user must be configured as administrator. This setting must also be made in the file ..\WebOffice\FTS-Index\server\solr\security.json.

In the item user-role the weboffice-user is preconfigured as admin-user. Here you can insert the new user instead of the weboffice-user. In the following screenshot the user fts was assigned the admin-role.

 

Configuration of a new admin-user
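A check of security.json for the two points above, namely whether any account still carries the default password and whether every configured user is mapped to the admin role in user-role. This is an added example and not part of the original manual; it assumes the credential format of Solr's BasicAuthPlugin ("<base64 hash> <base64 salt>", where the hash is a double SHA-256 over salt and password), and the sample file content is constructed.

```python
import base64
import hashlib
import json

def solr_hash(password, salt_b64):
    """base64(sha256(sha256(salt + password))): assumed BasicAuthPlugin format."""
    inner = hashlib.sha256(base64.b64decode(salt_b64) + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")

def audit_security_json(text, default_password="weboffice4ever"):
    cfg = json.loads(text)
    creds = cfg.get("authentication", {}).get("credentials", {})
    roles = cfg.get("authorization", {}).get("user-role", {})
    findings = []
    for user, stored in creds.items():
        digest, salt = stored.split()            # "<hash> <salt>", both base64
        if solr_hash(default_password, salt) == digest:
            findings.append(f"user '{user}' still has the default password")
        held = roles.get(user, [])
        if "admin" not in ([held] if isinstance(held, str) else held):
            findings.append(f"user '{user}' does not hold the admin role")
    for user in roles:                           # stale entries left in user-role
        if user not in creds:
            findings.append(f"user-role entry '{user}' has no credentials")
    return findings

# Constructed sample: a new user "fts" was added, but user-role was not updated.
SALT = base64.b64encode(b"constructed-salt").decode("ascii")
SAMPLE = json.dumps({
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "weboffice": f"{solr_hash('weboffice4ever', SALT)} {SALT}",
            "fts": f"{solr_hash('constructed-pass', SALT)} {SALT}",
        },
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": {"weboffice": "admin"},
    },
})

if __name__ == "__main__":
    print("\n".join(audit_security_json(SAMPLE)))
```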
