iKnowBase web server

NOTE: This chapter assumes the iKnowBase database repository has been created, as outlined in Quick Installation and upgrade overview .

iKnowBase comes with an embedded web server based on the Eclipse Jetty server. This is a fast and capable server which requires little resources and is very easy to manager. This is the recommended web server for most installations.

Spring Boot

Both the iKnowBase application and the embedded web server are developed using Spring Boot and configuration handling and options in Spring Boot for Jetty are applicable for iKnowBase.

We’ve also extended Jetty with settings that are not available in Spring boot. These are prefixed com.iknowbase.server.jetty.

Preparations

Verify / review the recommended installation structure outlined in Quick Installation and upgrade overview .

Configure the iKnowBase instance

If you’ve not already done so, set up the iKnowBase instance configuration file described in outlined in Quick Installation and upgrade overview .

For the examples further down we assume you’ve used the default configuration file name application.properties for a configuration named “production”.

Run and test the iKnowBase instance

With this configuration, you should be able to easily run and test the applications:

cd /opt/iknowbase/production
./iknowbase.sh webServer

Start a web-browser, and navigate to http://YOUR_SERVER_NAME:8080/ressurs/iknowbase (to see documentation) or http://YOUR_SERVER_NAME:8080/ikb$console (for the Management Console). The first should open immediately, while the second one will require login, which requires configuration as shown below.

Configure modules

The iKnowBase application itself is distributed as a Spring Boot executable jar file. Review configuration sections for the available modules and configure them as needed.

Configure Web Application Security

The recommended sequence for configuration is to first set up iKnowBase using the internal user directory, and verify sure that you have access to the iKnowBase web applications. After that, you can change to any supported authentication setting you want, but with the knowledge that iKnowBase does indeed work properly with a simple login service.

See iKnowBase Installation Guide > Web Application Security for additional explanations.

Configure SSL

We strongly recommend using SSL (https) for all production sites.

Terminating SSL in an external proxy

If you terminate SSL in an external proxy, that proxy will typically use HTTP (an unsecured connection) to talk to the application server. Then, the application server will not be aware that the browser sees a secure connection, and will by default generate links to an unsecure site. To avoid this, note the following items:

• Configure the load balancer to generate a HTTP header called “X-Forwarded-Proto” with the value “https”, ref http://en.wikipedia.org/wiki/List_of_HTTP_header_fields
• Configure the iKnowBase server to use a scheme-mapping that understands this header, as shown below
• Verify this setup by loading /ikb$console/java/request using from a secure connection; the value “Requested URL” should indicate a https-scheme

If using Apache httpd for ssl-termination, the following configuration in httpd.conf should set the required header:

<Virtualhost ...>
...
RequestHeader set X-Forwarded-Proto "https"
...
</Virtualhost>

To configure the iKnowBase web server, set the property server.use-forward-headers=true in the property file:

...
server.use-forward-headers=true
...

Configuring SSL listener in iKnowBase web server

The iKnowBase web server can be configured to listen for HTTPS traffic with the following options:

...
server.port=8443
server.ssl.key-store=iknowbase.keystore
server.ssl.key-store-password=<KEYSTORE_PASSWORD>
server.ssl.key-password=<KEY_PASSWORD>
...

If you require both HTTP and HTTPS listeners at the same time, do:

...
server.port=8443
server.ssl.key-store=iknowbase.keystore
server.ssl.key-store-password=<KEYSTORE_PASSWORD>
server.ssl.key-password=<KEY_PASSWORD>
com.iknowbase.server.jetty.httpListener.port=8080
...

The iknowbase.keystore is a standard java keystore in JKS format generated by Java keytool.

The following example demonstrates generating the iknowbase.keystore using preexisting private key, a server certificate and a CA chain file.

$ sudo openssl pkcs12 -inkey ./www_example_com.key -in ./www_example_com.crt -certfile ./ca_chain_file.crt -export -out ./www_example_com.pkcs12 -passout pass:<KEYSTORE_PASSWORD>
$ $JAVA_HOME/bin/keytool -keystore ./iknowbase.keystore -storepass <KEYSTORE_PASSWORD> -importkeystore -srckeystore ./www_example_com.pkcs12 -srcstoretype PKCS12 -srcstorepass <KEYSTORE_PASSWORD>

Multiple certificates (SNI)

Support for multiple certificates is as simple as repeating the previous step for the next certificate and importing into the same keystore.

Advanced topics

Specify temp directory

During normal execution, the iKnowBase web server needs access to a temporary directory. This defaults to value of the system property java.io.tmpdir. If for some reason you need to use a different temporary directory, change this system property.

Note that iKnowBase before version 7.2 unpacked the web application into a work directory and if that temporary directory was deleted it would fail to serve the unpacked content. From iKnowBase 7.2 this is no longer the case and you may use the normal temp directory.

Configure logging

iKnowBase logs only to console by default. If you want to write the logs to file, set logging.path to absolute or relative path to the log directory you want. We also recommend that you enable the iKnowBase specific log configuration using logging.config=classpath:log4j-default.properties.

# logging.path=
logging.path=./work/logs
# logging.config=
logging.config=classpath:log4j-default.properties

The iKnowBase Setup program writes logs to ./work/logs by default, however you may override this by setting:

# com.iknowbase.setup.log.logDirectory=./work/logs
com.iknowbase.setup.log.logDirectory=<A LOG DIRECTORY>

Access logging are by default enabled using daily rolling of the access log file. See application.properties.SAMPLE for details.

Setting max form size

Max form size that can be submitted to the iKnowBase web server is by default set to 200 000 bytes and 1000 keys. This is intended to help in denial of service attack scenarios where malicious clients send huge amount of data.

Please note that this limitation does NOT affect file uploads using multipart/form-data. See multipart.* configuration options in the Java Applications section.

If you need to POST forms larger than 200 000 bytes and/or 1000 keys override the max value in the iknowbase property file:

...
# com.iknowbase.server.jetty.maxFormContentSize=200000
# com.iknowbase.server.jetty.maxFormKeys=1000
...

Shutdown capability and faster restarts

If you enable the shutdown capabilities by setting com.iknowbase.server.jetty.shutdown.token to a string token like com.iknowbase.server.jetty.shutdown.token=YouShallNotPass!!!, any additional start of the application will send a shutdown signal to the currently running application.

Compared to the normal restart (stop + start) procedure, this will accomplish a restart with minimal downtime since the new container will be close to ready when the shutdown signal is sent.

You may also invoke the command “stopWebServer” to just stop the existing one without activating a new server.

NOTE: Shutdown call is only accepted from localhost. This means that the shutdown handler cannot be invoked from a remote location even if the token is known.

Troubleshooting

Database connections through firewall or on an unreliable network

When accessing a database through a firewall or on an unreliable network, use the Oracle Net connection descriptor syntax with ENABLE=BROKEN instead of the standard JDBC URL syntax as the database connection string.

Default JDBC URL:

jdbc:oracle:thin:@//localhost:1521/ORCL

Using Oracle Net connection descriptor syntax:

jdbc:oracle:thin:@(DESCRIPTION = (ENABLE = BROKEN)(ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = ORCL)(FAILOVER_MODE =(TYPE = SESSION)(METHOD = BASIC))))

Unexpected error occurred: java.lang.IllegalStateException: Form too large

See Setting max form size.

WARN: bad HTTP parsed: 400 HTTP/0.9 not supported for HttpChannelOverHttp

iKnowBase 7.0 upgraded the embedded web server Jetty from 9.2 to 9.3, which uses updated HTTP specifications.

SEE: Header parse error after upgrade to Jetty 9.3 for details.
bc..
"Jetty 9.2 followed RFC2616 (Now Obsoleted by: RFC7230, RFC7231, RFC7232, RFC7233, RFC7234, RFC7235 and Updated by: RFC2817, RFC5785, RFC6266, RFC6585)

Jetty 9.3 follows the updates to the venerable (from 1999!) RFC2616 spec. Many things that were valid in the past are no longer valid. We also dropped support for HTTP/0.9 in Jetty 9.3"

This update should not affect end user clients, but it might affect systems requesting information from iKnowBase over HTTP. The systems need to adjust to follow updated HTTP specs.