The initial server configuration can be done by editing the config file ERS2.xml. All day-to-day administration can be conducted through the web interface or the Remote Designer.
Table 4.1. Elixir Repertoire Server Configuration details
Name | Element name | Description |
---|---|---|
Server Listener IP | Host |
By default, Elixir Repertoire Server accepts requests on all local IP addresses. If you wish to restrict the listener to a single IP address (e.g. you have multiple network cards), you need to set the desired IP address in dotted-byte format (e.g. 192.168.1.1). Requests will now only be accepted if sent to this specific local IP. |
Server Listener Port | Port |
Elixir Repertoire Server Listener handles all the incoming request from the clients. The default port number is set to 8080. |
Allowed Clients | Accept |
Elixir Repertoire Server can allow or refuse connections based on IP address. The Accept value is a regular expression that will be tested against the dotted-byte IP string of the client. Only those clients with accepted IP addresses will be allowed to connect. By default, this parameter is disabled, so that all clients can connect. Note that this value is a regular expression, so any dots (.) may need to be escaped. For example "192\.168\.1\.1" identifies the client at "192.168.1.1". You can include IP ranges using "192\.168\..*" - the final ".*" means any characters (in this case dots and digits) are allowed. This will allow connection from "192.168.5.20", "192.168.80.1" etc. whatever the value of the last two dotted bytes. You can also enumerate values, for example: "192\.168\.1\.1|192\.168\.1\.5" will allow connections only from the .1 and .5 clients. |
Maximum Concurrent Report Render Count | MaxRenderCount |
This parameter controls the number of report generation requests that can be processed concurrently. The set size will not exceed what is specified in the license. When the requests is exceeded the count, the requests will wait in the queue. The size dependent on the hardware, shared load with other application, operating system and its capacity. Proper sizing of the hardware is required to determine the optimal size. The general thumb rule for every one unit of CPU, the size can be incremented by 2 to 3 unit i.e. a two CPU system can handles 4 to 6 concurrent report generations at any one time. |
Maximum Queue Count | MaxQueueCount |
This parameter controls the number of report generation requests that can be kept in the queue. This set size will not exceed the value specified in the license. When the number of requests exceed the maximum queue size, incoming requests will be rejected. |
Encrypted connection to client | Secure |
When set to true, all data packets sent between the client and server are encrypted. Allowed values: true or false. The default is false. Note that ERSClient must be configured with setSecure(true) if this option is enabled. For more details on configuring secure mode (which requires generation of a server certificate) see the section called “Secure Mode”. |
In order to enable LDAP secondary authentication, the administrator will have to edit ERS2.xml with the necessary LDAP details before starting Elixir Repertoire Server.
During normal logon, the user's user name and password is checked against Elixir user's record. With LDAP secondary authentication, a user with user name or password not found in Elixir user record will be checked using LDAP to verify the user name and password entered. If this user is valid in the LDAP server, Elixir user and group records will be updated according to the values accepted by the LDAP server. If no such user name was found, a new user will be created. New groups may be created dynamically to match those that the user was assigned to in the LDAP server. After a successful secondary authentication, subsequent logons will be as per normal as the records are already stored in Elixir records. If it still fails, the user will be unable to logon.
The web interface for users to change their password is disabled when LDAP secondary authentication is enabled. This will avoid any confusion as any subsequent entry error will result in the resetting of password back to the LDAP password.
If the LDAP password is changed, the user can logon immediately with the new password due to secondary authentication. However, the user can still keep to the old password until a RESET forces the user to use the new password.
An Administrator is required to log in to trigger the Reset function. In order to reset, in the Web interface, go to Administration, Users. Click on the Reset LDAP Users button.
Alternatively, you can reset the LDAP server using the REST action. Simply paste the following URL in the address bar :
http://localhost:8080/tool/admin/users.html?action=ResetLDAPUsers
This action will then apply the changes done to the user's password.
To verify that the LDAP user can no longer log in with the old password, go to Elixir Repertoire Server Web interface log in page and enter the LDAP username and the old password. The log in will fail. When the user tries logging in with the LDAP username and new password, the user will be able to log in successfully.
Before configuring Elixir Repertoire Server to support LDAP Multiuser Subtree, make sure a multiuser subtree exists in LDAP server and LDAP authentication mode is enabled. This feature is supported in Repertoire Server 8.2 and later versions.
Under the Repertoire Server install directory, go into the /config directory, open the ERS2.xml file, and look for the following codes:
<ers:mbean name="ERS2:name=LDAPUserRoleAuthentication" class= "com.elixirtech.ers2.security.ldap.LDAPUserRoleAuthentication">
Change the statement
"com.elixirtech.ers2.security.ldap.LDAPUserRoleAuthentication"
to the following statement:
"com.elixirtech.ers2.security.ldap.LDAPMultiUserRoleAuthentication"
Replace the code
<ers:property name="UsersDN">ou=people,dc=elite</ers:property>
with the following codes:
<ers:properties name="UsersDNList"> <ers:item>ou=users,dc=example,dc=com</ers:item> <ers:item>ou=altusers,dc=example,dc=com</ers:item> </ers:properties>
Save the ERS2.xml file and start the Repertoire Server. After entering the correct user name and password, the user will log in successfully.
Elixir Repertoire Server includes an SMTP server named elixir.aspirin
.
The configuration of this server is in ERS2.xml.
You may add additional external SMTP servers and remove the default one too, if required. External SMTP servers require additional information like this:
<ers:mbean name="ERS2:name=GmailSMTPServer" class="com.elixirtech.ers2.mail.SMTPServer"> <ers:property name="Host">smtp.gmail.com</ers:property> <ers:property name="Port">465</ers:property> <ers:property name="User">[user]@gmail.com</ers:property> <ers:property name="Password">password</ers:property> <ers:property name="ConnectionTimeout">30000</ers:property> <ers:property name="TLSEnabled">false</ers:property> <ers:property name="SSLEnabled">true</ers:property> <ers:property name="Debug">false</ers:property> </ers:mbean>
Note that the mbean name (ERS2:name=GmailSMTPServer
in this case)
must be unique within ERS2.xml. Once the SMTP server is configured, you can reference it by name from a
Mail Target (see Figure 6.4, “Mail Target” below, or
from a Job (see the Elixir Schedule Designer manual).
Log4j is used for Elixir Repertoire Server logging mechanism. If you're not familiar with the log4j package, you can read the full detail about it at the Jakarta web site. (http://jakarta.apache.org/log4j/).
Logging is controlled from a central log configuration file (config/log-config.xml). This file defines a set of appenders, specifying the log files, what categories of messages should go there, the message format and the level of filtering. By default, Elixir Repertoire Server produces a log file called server.log in the log directory).
There are 4 basic log levels used: DEBUG, INFO, WARN and ERROR. The logging threshold is INFO, which means that you will see informational messages, warning messages and error messages but not general debug messages.
The default server log is set to rotate the log every 500KB and the file is overwritten every time the server is restarted, up to five server logs are generated before the same file name is reused.
Elixir Repertoire Server provides an HTTP interface. This uses the http:// URL prefix. If you wish to run a secure protocol, then you will need to switch to https://. The secure protocol is configured by following these steps:
Edit ERS2.xml to uncomment these lines:
<!--ers:property name="Secure">true</ers:property> <ers:property name="Port">8443</ers:property> <ers:property name="Password">secret</ers:property -->
Edit ERS2.xml to comment out the plain mode alternatives immediately below the secure version.
Create a new directory ssl
inside
the config
directory. You now have to
set up a "keystore" that contains a digital certificate.
The server uses this to authenticate itself to the clients.
Open a command prompt in the new ssl directory and enter:
keytool -keystore keystore -alias jetty -genkey -keyalg RSA
You will be prompted first for a password. Enter something memorable. Now you need to answer a number of questions. Most are optional, the only question that you must answer is the first one: "What is your first and last name?". Enter the name by which users will access the server, for example www.example.com. You should not include any prefix, e.g. https. You can ignore the other questions if you like. Finally you will be asked for a key password. Just press enter to use the same password entered at the start.
You now have a file called keystore in config/ssl. Go back to ERS2.xml and enter the password you chose into the password property. Start the server and you should now be able to connect to the server with https://localhost:8443/ as your new URL (substitute your machine name as appropriate).
When you connect for the first time over https to the server, your browser will ask you if you want to accept the server certificate. You should look at the contents and ensure they match the certificate you created. If you accept, the browser will remember the server, so that you can connect directly in future.
The steps that have just been described, show you how to create a self-signed certificate. If you are intending to allow external users to connect to the server, you may wish to purchase an SSL certificate from a trusted Certification Authority (CA). When connecting to a trusted server, you will not need to accept the certificate the first time the browser connects. There are further implications for using https with a self-signed certificate, which are discussed in Chapter 8, Server API.
If you don't want to store the plain text password in the configuration file,
you can encrypt it using the encrypt utility in the server /bin directory.
Open a command prompt at the bin directory and run the encrypt program with
a single parameter - the string you wish to encrypt. The encrypted value will
be returned. If your string contains spaces or special characters, be sure
to quote it "like this"
to ensure the encrypt
routine sees the whole string as one value.
It is essential to ensure your configuration is working first, before you encrypt the password. Once you have the encrypted value, paste it into the configuration file and mark the property encrypted, like this:
<ers:property name="Password" encrypted="true">FrRMRoVI36lj3o3drUGqNA==</ers:property>
(this example is wrapped to fit on the page - you must not insert spaces and newlines in the encrypted string). You can encrypt any mbean property values in ERS2.xml using the same approach.