Installing on GlassFish Server

Installation on GlassFish Server has the following tasks:

• Install the GlassFish-software
• Create a data source, and deploy to the target
• Deploy the Resource-directory and java web applications to the GlassFish Server
• NOTE: iKnowBase WebDav must be deployed on contextroot / and it is therefore recommended to use a separate server for iKnowBase WebDav.

Installation and configuration of GlassFish itself.

Run a normal installation of GlassFish.

Configure a domain containing

• a cluster
• one or more instances supporting the cluster
• a standalone instance or an additional cluster supported by a single instance for WebDav
  • WebDav does NOT support clustering and must be deployed to a single server instance or cluster backed by a single server instance.

Configuring a database data source

To run iKnowBase under GlassFish, you need to add the required jdbc driver, a connection pool and a data source:

First, install the Oracle JDBC Driver:

• If you need to, download the driver from http://www.oracle.com/technetwork/indexes/downloads/index.html. Download the latest driver which is supported for your database.
• Install the driver (typically ojdbc6.jar) to the GlassFish server or domain where you want to install iKnowBase, e.g. either ${GLASSFISH_HOME}/glassfish/lib/ or ${GLASSFISH_HOME}/glassfish/domain/domain1/lib/
• Restart your GlassFish instance.

Next, create a connection pool:

• From the GlassFish console, select “Resources, JDBC, Connection Pools” from the tree.
• Click “New” to create a new pool, and configure it as follows:
• Name = jdbc/iknowbaseDSPool
• ResourceType = javax.sql.ConnectionPoolDataSource
• Vendor=oracle
• Datasource Classname=oracle.jdbc.pool.OracleConnectionPoolDataSource
• Ping=Enabled
• Three properties (only)
  • url=jdbc:oracle:thin:@//dbhost.example.com:1521/dbname.domain
  • user=<database user>
  • password=<database password>
• Disable ‘Wrap JDBC Objects’ (you may have to close and reopen the connection pool to find this flag, it is under the tab “Advanced”)

Finally ,create a data source:

• From the GlassFish console, select “Resources, JDBC, JDBC Resources” from the tree.
• Click “New” to create a new data source, and configure it as follows:
  • JNDI Name = jdbc/iknowbaseDS
  • Pool Name = jdbc/iknowbaseDSPool

Configuring cluster single-sign-on-state

The availability service for the cluster and web container must be enabled (enabled by default).

Single-sign-on-state for web container availability should also be enabled to support replicating the authenticated user.

Configuring the HTTP listener for ikbInstant

ikbInstant requires that support for Comet and/or Websockets is enabled on the HTTP listener.

• From the GlassFish console, select “Configurations, <your configuration name>, Network Config, Protocols, <http-listener-1 or your listener name>” from the tree.
• Select the HTTP tab
• Set Comet Support to Enabled
• [GF4+ only]: Set Websockets Support to Enabled:

Deploy the applications

For each of the application archives, deploy using the GlassFish console:

• Select “Applications” in the administration console.
• Select "Deploy"
• Select the relevant web archive.

• Set context root (deployments using the administration console will not pick up the configured context root)
• Target applications:
  • All applications except iKnowBase WebDav should be targeted to the main cluster.
  • iKnowBase WebDav should be targeted to the webdav standalone instance or separate cluster backed by a single instance.
• Availability:
  • All applications except iKnowBase WebDav and iKnowBase resources should have the “Availability” flag set.

Deploy the /ressurs-directory

The easiest mechanims is to deploy the iknowbase-resources-VERSION.war file, which will automatically expose the resources.

If you want to have the /ressurs-directory (or other directories) available from the file system, unzip them to a directory and configure a reverse proxy in front of GlassFish to server this content for requests starting with “/ressurs”. As a standard deployment of ikbViewer and ikbWebdav will use context root /, the GlassFish docroot cannot be used.

Configure security providers (authentication)

iKnowBase is a Java Enterprise Edition web application, and uses the security contracts defined in the JEE specification. In particular, the following must be true:

• The server must authenticate users, before accessing protected URLs
• It must be possible to group users into three roles, IKB_USERS, IKB_DEVELOPERS and IKB_SYSADMINS.

GlassFish supports pluggable security providers, and the configuration of them is outside the scope of the iKnowBase product. However, as long as they support the requirements above, you may use any GlassFish security provider.

GlassFish supports a global setting that makes groups the equivalent of roles. Then, the security provider needs only to provide the groups (IKB_USERS et al), and not worry about mapping groups into roles. This is called “Default principal to role mapping”, and is configured as shown below. Note that this particular feature must be enabled before deploying applications; otherwise, you need to redeploy the applications.

• From the GlassFish console, select “Configuration, Security” from the tree.
• Enable the checkbox “Default principal to role mapping”.

File-based security

Out of the box, GlassFish is configured with a file-based security provider. To use this with iKnowBase, use the following configuration below. Note that this configuration must be set before deploying applications.

• First, enable “default principal to role mapping”.
• Next, create users in GlassFish as required:
• From the GlassFish console, select “Configuration, Security, Realms, file”.
• Click "Manager Users"
• Add users as needed. Specify the group list with commas, using the required role names for group names.

LDAP-based security

It is supposed to be possible to configure LDAP-based security with GlassFish, for integration with directory servers such as Oracle Internet Directory and others. Read the GlassFish documentation for more details. Also, tips may be found on various blogs, such as http://weblogs.java.net/blog/tchangu/archive/2007/01/ldap_security_r.html. Note that this particular blog does in fact perform group-to-role mapping, which is not required if you choose to enable “Default principal to role mapping”.

Single sign-on with Windows Active Directory

It is supposed to be possible to configure GlassFish with single sign-on from active Directory. Use the plugin available at https://spnego.dev.java.net/.

Spnego is an SPNEGO and Kerberos plugin for Glassfish. SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism. SPNEGO is a standard GSSAPI pseudo-mechanism for peers to determine which GSSAPI mechanisms are shared, select one and then establish a security context with it. Kerberos is a computer network authentication protocol, which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner

Configure SSL

We strongly recommend using SSL (https) for all production sites.

Terminating SSL in the application server

The procedures for terminating SSL directy in the application server can be found in the glassfish documentation.

Terminating SSL in an external proxy

If you terminate SSL in an external proxy, that proxy will typically use HTTP (an unsecured connection) to talk to the application server. Then, the application server will not be aware that the browser sees a secure connection, and will by default generate links to an unsecure site. To avoid this, note the following items:

• Configure the load balancer to generate a HTTP header called “X-Forwarded-Proto” with the value “https”, ref http://en.wikipedia.org/wiki/List_of_HTTP_header_fields
• Configure the glassfish http protocol listeners to use a scheme-mapping that understands this header, ref http://java.net/jira/browse/GLASSFISH-18685
• Verify this setup by loading /ikb$console/java/request using from a secure connection; the value “Requested URL” should indicate a https-scheme
• Note that you will need at least glassfish 3.1.2.2 for this setup to work

If using Apache httpd for ssl-termination, the following configuration in httpd.conf should set the required header:

<Virtualhost ...>
...
RequestHeader set X-Forwarded-Proto "https"
...
</Virtualhost>

Use the following example from the glassfish domain.xml:

<network-config>
  <protocols>
    <protocol name="http-listener-1">
      <http default-virtual-server="server" max-connections="250" scheme-mapping="X-Forwarded-Proto">
...

NOTE GlassFish 4: GlassFish 4 (build 89) does not support scheme-mapping=“X-Forwarded-Proto”, as reported in https://java.net/jira/browse/GLASSFISH-20842.

Troubleshooting

Using custom passwords on java keystores

If you have changed the passwords on GlassFish’s java truststore (cacerts.jks) and keystore (keystore.jks) during the setup and plan to deploy the iKnowBase Batch Server, the passwords for accessing the keystores must be set using JVM options
-Djavax.net.ssl.keyStorePassword=<your_new_password>
-Djavax.net.ssl.trustStorePassword=<your_new_password>

The Batch Server will fail to start ( SSLInitializationException: Failure initializing default system SSL context) if the passwords are not set.

GlassFish server.log: AS-NAMING-00006 and RAR8067

The following log statements in server.log is related to activiti enabled applications

• SEVERE: AS-NAMING-00006: Exception in NamingManagerImpl copyMutableObject: java.lang.IllegalStateException: This web container has not yet been started
• WARNING: RAR8067: Unable to determine pool type for pool [ jdbc/iknowbaseDSPool ], using default pool type

The issue can occur while reloading / redeploying one of the activiti enabled applications (viewer, batch or activitiexplorer). The activiti job executor thread is busy looking for asynchronous tasks and might not shut down within the time used for reloading or redeploying the application.

This error results in a non-functioning activiti job executor and asynchronous tasks will not be loaded by this application.

To resolve the issue, restart the application server.

Issue reference: IKBR-1124

iKnowBase does not detect HTTPS (secure) mode on GlassFish 4 behind an SSL terminating reverse proxy

GlassFish 4 (build 89) does not support scheme-mapping=“X-Forwarded-Proto”, as reported in https://java.net/jira/browse/GLASSFISH-20842, and iKnowBase will not operate correctly behind an SSL terminating reverse proxy until this issue is resolved.

Available workarounds are

• Running HTTPS directly on the GlassFish application server
• Correct HTTP response in a reverse proxy (HTTP to HTTPS links) (somewhat costly)

We strongly recommend using SSL and GlassFish 4 (build 89) is not recommended for production unless the issue is resolved or a suitable workaround is applied.

Session replication does not work in GlassFish 4

Session replication and failover does not work properly in GlassFish 4 (build 89). The release notes states:

Note:
The main thrust of the GlassFish Server Open Source Edition 4.0 release is to provide an application server for developers to explore and begin exploiting the new and updated technologies in the Java EE 7 platform. Thus, the follow ing features of GlassFish Server were not a focus of this release:
* Clusters and standalone instances
* High availability features
* Upgrade
* Embedded Server
These features are included in the release, but they may not function properly with some of the new features added in support of the Java EE 7 platform.