2017 R1

Configuration of Fabasoft Folio Web ServicesPermanent link for this heading

KerberosPermanent link for this heading

After the installation of the RPM packages the Fabasoft Folio Service user (fscsrv) is available. The ownership and permissions of the file /etc/fabasoft/krb5.keytab, that has been created during preparation of Linux (see document “Fabasoft on Red Hat Linux – Preparation Guide”), need to be adjusted. Therefore perform the following steps:

  1. Set the ownership of the file /etc/fabasoft/krb5.keytab to fscsrv by executing the following command:
    # chown fscsrv:fsc /etc/fabasoft/krb5.keytab
  2. Set the permission for the file /etc/fabasoft/krb5.keytab as only the user fscsrv can read and write it by executing the following command:
    # chmod 0600 /etc/fabasoft/krb5.keytab

The ownership and permissions for the file /etc/fabasoft/krb5.keytab have been changed.

Starting with Fabasoft Folio

Kerberos authentication requires a specific login name to be present in a user object.

For a user “test” in a domain “testdomain.at” the corresponding login name is test@testdomain.at, which is the so called user principal name (UPN) associated with the domain user.

In previous releases the required login name was “testdomain\test” (first component of full-qualified domain name followed by username). For upgraded web services the login name does not have to be changed to the new format. For new web services the new format has to be used.

If the old format should be used in this case, an environment variable must be configured on a per web service basis.

Execute the following command:

echo –n “YES” > /var/opt/fabasoft/instances/WebService_<id>/env/FSCVEXT_KRB5SAMUSERLOGNAME

After a restart of the web service, the old format is in use.

Grant Login to the Fabasoft Folio DomainPermanent link for this heading

The user fscsrv, local to the Fabasoft Folio Web Server, must be granted permission to log on to the Fabasoft Folio Domain. Therefore an additional login name is appended to the System Administrator user object. When using Kerberos, perform the following steps on the Fabasoft Folio Backend Server:

  1. Logon as user fscsrv.
    # sufscsrv
  2. Get a Kerberos ticket for the administrative user.
    > kinit <administrative user>
  3. Add the login name of the administrative user to Fabasoft Folio by executing the following command:
    > HOST=<fully qualified domain name of the Fabasoft Folio Backend Server> \
    > PORT=<port of the primary Fabasoft Folio COO Service> \

    > /opt/
    fabasoft/sbin/loader –userlogname “:<fully qualified domain name of the Fabasoft Folio Web Server>:\fscsrv

The administrative user has been added to Fabasoft Folio so it is possible to log on to the Fabasoft Folio Domain with this user.

Note: To grant the fscsrv user permission to the Fabasoft Folio Domain without using Kerberos, skip the line kinit<administrative user>.

Basic Authentication With htpasswdPermanent link for this heading

The login name of the user running the Fabasoft Folio Web Service has to be added to the htpasswd file.

To add a user login name to the htpasswd file, use the following command:

  • Red Hat Linux
    # htpasswd –b /etc/fabasoft/web/htpasswd <username> <password>

Configure all the apache configuration files for the desired product components in the path /etc/httpd/conf.d/ by enabling the basic authentication method. Here is an example:

# Basic Authentication
AuthType Basic
AuhtName “<product name>”
AuthUserFile /etc/fabasoft/web/htpasswd
Require valid-user

Configuring SSL CommunicationPermanent link for this heading

Make sure that the Fabasoft Folio Web Server is converted to SSL communication (suggestive in combination with basic authentication). The configuration file is located in /etc/httpd/conf.d/ssl.conf.

Example: Extract of the web server configuration for SSL

<VirtualHost _default_:443>
  Listen 0.0.0.0:443

  
SSLEngine on
  
SSLProtocol all
  
SSLCipherSuite HIGH:MEDIUM
  
SSLCertificateFile /opt/fabalabs/etc/<Certificate.cer>
  
SSLCertificateKeyFile /opt/fabalabs/etc/<CertifikateKey.key>
</
VirtualHost>

This way SSL is activated for the server. Additionally it can be configured for which pages SSL shall be used. For that purpose define the directories that should be used in a virtual host.

Configuring SSL Communication for Outgoing RequestsPermanent link for this heading

Outgoing HTTPS requests require CA certificates of the destination servers to be configured. The default list of trusted certificates is stored in /etc/pki/tls/certs/ca-bundle.crt.

openssl must be used to add additional CA certificates to the file.

Execute the following command:

openssl x509 –in <path-to-new-ca-file> -text >> /etc/pki/tls/certs/ca-bundle.crt

Configuring Electronic Signature AuthenticationPermanent link for this heading

Depending on your Web Service configuration, users might be required to authenticate themselves as part of a use case involving an electronic signature.

If the Web Service is configured to authenticate users via Kerberos, authentication in the context of an electronic signature is also based on Kerberos, no further configuration is required.

If Kerberos is not configured, authentication is based on LDAP via Pluggable Authentication Modules for Linux (PAM). To enable PAM authentication, PAM must be configured according to your LDAP infrastructure (pam_ldap.conf). The PAM configuration for each service can be found in /etc/pam.d. The directory contains a single file per service, which is typically a familiar name corresponding to an application. For each service, the file /etc/pam.d/<service> contains its configuration. In case of the Fabasoft Folio Web Service, the service name is "fscweb". Consequently, the file /etc/pam.d/fscweb must be created or modified to complete the authentication configuration for LDAP.