Security Configuration
Configuring Domains and WorkAreas
After installing hipergate, the default user and password for entering the TEST WorkArea appear on screen.
Besides the TEST domain, hipergate comes with two other pre-created domains named REAL and DEMO.
Finally, hipergate has two reserved domains named SYSTEM and MODEL, with 5 users that must not be deleted, although their default passwords must be changed.
The MODEL domain must not be modified at all, except for changing the passwords of its already existing users.
The SYSTEM domain is the one that provides the functionality of creating other new domains.
Default users and passwords

User | Password | Comments |
---|---|---|
administrator@hipergate-test.com | TEST | |
administrator@hipergate-demo.com | DEMO | |
administrator@hipergate-real.com | REAL | |
administrator@hipergate-system.com | hipergate | hipergate system administrator. This account is basically used for creating new domains. |
administrator@hipergate-model.com | model | It is internally used only when a new domain is created. |
superuser@hipergate-model.com | model | It is internally used only when a new domain is created. |
user@hipergate-model.com | model | It is internally used only when a new domain is created. |
guest@hipergate-model.com | model | It is internally used only when a new domain is created. |
For more information about how to create domains, workareas and users read the User Manual.
Recommendations for deleting or disabling unnecessary users
Connected as administrator@hipergate-system.com, delete all the domains that you are not going to use except MODEL. Never delete MODEL.
Connected as administrator@hipergate-model.com, change the passwords of all the users of the MODEL domain, but do not delete any of them.
Connected as administrator to each remaining domain, delete the users that are not going to be used and change the passwords of the remaining ones.
Restricting access to /admin directory
The subdirectory /admin contains a SQL interface which can be used for accessing the database. It is necessary to restrict access to that interface. Protect /admin with basic web server authentication.
Permissions of Tomcat over /tmp and /storage
The O.S. user that runs Tomcat (if not root) must have read and write permissions over directories /tmp (or C:\Temp in Windows) and over the storage directory set at hipergate.cnf.
Changing the database connection string and other configuration parameters
The file hipergate.cnf which is located at /etc or C:\Windows contains the information about the database connection and the directories where disk files are kept.
(The $CATALINA_HOME variable is not valid in hipergate.cnf; it is used below only for brevity.)
```
# [Database]
# Database connection parameters
driver=org.postgresql.Driver
dburl=jdbc:postgresql://127.0.0.1:5432/test
schema=
dbuser=postgres
dbpassword=postgres

# [Connection pool]
# Parameters that govern the behaviour of the database connection pool
poolsize=32
maxconnections=100
logintimeout=20
connectiontimeout=60000
connectionreaperdelay=30000

# [Files]
# Directory for temporary files
temp=/tmp
# Webapp base URL
webserver=http://hostname:8080
# Image server base URL (optional)
imageserver=http://hostname:8080/images
# File access protocol, username and password
fileprotocol=file://
fileserver=localhost
fileuser=
filepassword=
# Base directory for files that are stored outside the database
storage=/opt/storage
# Directory for temporary deleting scripts
shelldir=/tmp
# Base path for public files
workareasput=$CATALINA_HOME/webapps/hipergate/workareas
# base URL for public files
workareasget=http://hostname:8080/workareas
# Maximum allowed file upload (bytes)
maxfileupload=10485760

# [Misc]
# Whether or not to perform XML schema validations
setXMLValidation=1
# Maximum threads launched by the job scheduler
maxschedulerthreads=1

# [WebMail]
# Set protocol names in lowercase
mail.transport.protocol=smtp
mail.store.protocol=pop3
mail.incoming=pop3.yourserver.com
mail.outgoing=smtp.yourserver.com
mail.user=

# Lucene
# Typically a directory under /storage where Lucene indexes are kept
luceneindex=/opt/storage/luceneindex
analyzer=org.apache.lucene.analysis.WhitespaceAnalyzer

# LDAP
ldapconnect=ldap://127.0.0.1:389/dc=hipergate,dc=org
ldapuser=cn=Manager,dc=hipergate,dc=org
ldappassword=manager
ldapclass=com.knowgate.ldap.LDAPNovell

# SMS
smsprovider=A subclass of com.knowgate.sms.SMSPush (for example, com.knowgate.sms.SMSPushSybase365)
smsaccount=sms_account_name
smspassword=sms_account_password

# Google
googlemapskey=…

# Yahoo!
yahoobosskey=…
```
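The following script is an added example, not part of hipergate. Run as the O.S. user that runs Tomcat, it reports hipergate.cnf passwords that still match the sample values in the listing above and checks that the temp and storage directories are readable and writable, as the Tomcat permissions section requires. The function names, the finding labels and the world-readable check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not hipergate code): audit hipergate.cnf as the Tomcat OS user.

# cnf_get FILE KEY -> value of the last KEY=value line; comment lines are ignored
cnf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

# audit_cnf FILE -> one finding per line on stdout; exit status 1 if any finding
audit_cnf() {
    cnf=$1; bad=0
    # Sample secrets printed in the documentation's hipergate.cnf listing
    for pair in dbpassword=postgres ldappassword=manager \
                smspassword=sms_account_password; do
        key=${pair%%=*}
        if [ "$(cnf_get "$cnf" "$key")" = "${pair#*=}" ]; then
            echo "SAMPLE-SECRET $key"; bad=1
        fi
    done
    # temp and storage must be readable and writable by the user running Tomcat
    for key in temp storage; do
        dir=$(cnf_get "$cnf" "$key")
        if [ -z "$dir" ] || [ ! -d "$dir" ] || [ ! -r "$dir" ] || [ ! -w "$dir" ]; then
            echo "NOT-RW $key=$dir"; bad=1
        fi
    done
    # Added check, not from the page: the file holds passwords, so flag it
    # when it is readable by every local user
    if [ -n "$(find "$cnf" -prune -perm -004 2>/dev/null)" ]; then
        echo "WORLD-READABLE $cnf"; bad=1
    fi
    return "$bad"
}

# Example use: audit.sh /etc/hipergate.cnf
if [ "$#" -eq 1 ]; then audit_cnf "$1"; fi
```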
Below is a brief description of each parameter and its purpose.
- driver
-
JDBC driver class name:
• org.postgresql.Driver (PostgreSQL)
• com.mysql.jdbc.Driver (MySQL)
• oracle.jdbc.driver.OracleDriver (Oracle)
• com.microsoft.sqlserver.jdbc.SQLServerDriver (SQL Server)
- dburl
-
Database connection string:
• jdbc:postgresql://host_name:5432/nombre_bbdd (PostgreSQL)
• jdbc:mysql://host_name/name_bbdd (MySQL)
• jdbc:oracle:thin:@host_name:1521:oracle_sid (Oracle)
• jdbc:sqlserver://host_name:1433;SelectMethod=cursor;DatabaseName=db_name (SQL Server)
If the web server and the database are on the same machine then the host_name is "127.0.0.1" or "localhost".
- schema
-
Database schema. May be the user that owns the tables.
In PostgreSQL leave this parameter empty unless you experience problems accessing the table sql_features, in which case set schema=public. Leave schema blank for MySQL.
Examples:
• dbo (SQL Server)
• HIPERGATE (Oracle)
• public (PostgreSQL)
- dbuser/dbpassword
- User and password for connecting to the database.
- poolsize
-
Number of connections that will be kept open by the connection pool, ready to be reused.
A connection may stay open and waiting for at most five minutes.
After that period of inactivity it is closed by the pool manager, so the number of open connections will eventually go down to zero.
The default value is 32.
If this parameter is set to zero, the pool is disabled and each connection to the database is obtained by directly calling java.sql.DriverManager.getConnection().
- maxconnections
- Absolute maximum number of connections that can be opened simultaneously against the database.
- logintimeout
-
Maximum time (in seconds) to wait for obtaining a connection to the database.
The default value is 20.
- temp
-
Temporary storage. Uploaded files are placed here before being moved to the final storage directory, together with some temporary files.
Examples:
• /tmp (Linux)
• C:\\TEMP (Windows)
- webserver
-
URL to hipergate's JSP root directory. This parameter is utilized to compose relative and absolute URLs in each module.
Examples:
• http://server:port/webapp
• http://myserver:8080/
• http://localhost:7001/hipergateWeb (example with WebLogic)
- imageserver
-
Optional URL to image server. All static images (icons, graphics, etc) can be placed in a separate web server, or left on a directory on the same server.
Examples:
• http://images.mycompany.com/hipergate
• http://myserver:8080/images
• http://localhost:7001/hipergateWeb/images (example with WebLogic)
- fileprotocol
- This value must always be "file://".
- fileserver
- This value must always be "localhost".
- fileuser/filepassword
- Username and password to access remote file storage. Currently only used with FTP.
- storage
-
Base directory of private storage.
Examples:
• /var/lib/hipergate
• C:\\bea\\weblogic\\samples\\workshop\\hipergate\\storage (Windows)
- shelldir
-
Some servlet containers lock files and directories. If you want to delete a newsletter, website or account, you should remove all directories related to that object, but Java prevents this deletion, so you must create a scheduled task to remove them from outside the servlet container. For each object to be removed, a line is added to a file called cleanup.txt with the full path of the directory to be deleted. You can run a wrapper script each time the server is restarted, or add a cron job that tries to remove these files periodically.
Examples:
• /tmp
• $CATALINA_HOME/webapps/shell
• C:\\BEA\\weblogic\\samples\\workshop\\hipergate\\shell (Windows)
- workareasput
-
Base directory for public storage that should be available via HTTP.
Examples:
• $CATALINA_HOME/webapps/hipergate/workareas
• C:\PROGRA~1\Tomcat\webapps\hipergate\workareas (Windows)
- workareasget
-
Absolute web URL to workareasput directory.
Examples:
• /workareas
• /hipergateWeb/workareas
- maxfileupload
- Maximum size (in bytes) of uploaded files.
- setXMLValidation
- Activate XML validations when rendering XSLT templates.
- maxschedulerthreads
- Maximum number of threads for the job scheduler.
- mail.transport.protocol
- JavaMail transport (default=smtp)
- mail.store.protocol
- JavaMail store (default=pop3)
- mail.incoming
- POP3 JavaMail server for mail storage (default=localhost)
- mail.outgoing
- SMTP JavaMail server for mail delivery (default=localhost)
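One way to write the wrapper script described under shelldir, as an added example that is not part of hipergate: because the job deletes whatever paths appear in cleanup.txt, it removes a directory only when the path resolves, after symlinks and "..", strictly inside an allowed base such as storage or workareasput. The function names, the one-absolute-path-per-line format and passing the list file and bases as arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not hipergate code. Assumes cleanup.txt holds one absolute
# directory path per line and that bases (storage, workareasput) are passed in.

# resolve_dir PATH -> physical path with symlinks and ".." resolved; fails if not a dir
resolve_dir() { ( cd -- "$1" 2>/dev/null && pwd -P ); }

# allowed REAL BASE... -> 0 only if REAL lies strictly inside one resolved BASE
allowed() {
    real=$1; shift
    for base in "$@"; do
        rbase=$(resolve_dir "$base") || continue
        case "$real" in "$rbase"/*) return 0 ;; esac
    done
    return 1
}

# process_cleanup LIST BASE... -> prints how many directories were removed
process_cleanup() {
    list=$1; shift
    [ -f "$list" ] || { echo 0; return 0; }
    keep=$(mktemp) || return 1
    removed=0
    while IFS= read -r dir || [ -n "$dir" ]; do
        case "$dir" in /*) ;; *) continue ;; esac        # absolute paths only
        real=$(resolve_dir "$dir") || continue            # already gone or not a dir
        if ! allowed "$real" "$@"; then
            echo "refused, outside allowed bases: $dir" >&2
        elif rm -rf -- "$real"; then
            removed=$((removed + 1))
        else
            printf '%s\n' "$dir" >> "$keep"               # still locked: retry next run
        fi
    done < "$list"
    cat "$keep" > "$list"; rm -f "$keep"
    echo "$removed"
}

# Example cron use: cleanup.sh /tmp/cleanup.txt /opt/storage
if [ "$#" -ge 2 ]; then process_cleanup "$@"; fi
```

Refused entries are logged to stderr and dropped from the list, so a cron mail or log line is the place to notice unexpected paths being queued for deletion.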