After the installation of the RPM packages the Fabasoft Folio Service user (fscsrv) is available. The ownership and permissions of the file /etc/fabasoft/krb5.keytab, that has been created during preparation of Linux (see document “Fabasoft on Red Hat Linux – Preparation Guide”), need to be adjusted. Therefore perform the following steps:
The ownership and permissions for the file /etc/fabasoft/krb5.keytab have been changed.
Kerberos authentication requires a specific login name to be present in a user object.
For a user “test” in a domain “testdomain.at” the corresponding login name is email@example.com, which is the so called user principal name (UPN) associated with the domain user.
In previous releases the required login name was “testdomain\test” (first component of full-qualified domain name followed by username). For upgraded web services the login name does not have to be changed to the new format. For new web services the new format has to be used.
If the old format should be used in this case, an environment variable must be configured on a per web service basis.
Execute the following command:
echo –n “YES” > /var/opt/fabasoft/instances/WebService_<id>/env/FSCVEXT_KRB5SAMUSERLOGNAME
After a restart of the web service, the old format is in use.
The user fscsrv, local to the Fabasoft Folio Web Server, must be granted permission to log on to the Fabasoft Folio Domain. Therefore an additional login name is appended to the System Administrator user object. When using Kerberos, perform the following steps on the Fabasoft Folio Backend Server:
The administrative user has been added to Fabasoft Folio so it is possible to log on to the Fabasoft Folio Domain with this user.
Note: To grant the fscsrv user permission to the Fabasoft Folio Domain without using Kerberos, skip the line kinit<administrative user>.
The login name of the user running the Fabasoft Folio Web Service has to be added to the htpasswd file.
To add a user login name to the htpasswd file, use the following command:
Configure all the apache configuration files for the desired product components in the path /etc/httpd/conf.d/ by enabling the basic authentication method. Here is an example:
# Basic Authentication
AuhtName “<product name>”
Make sure that the Fabasoft Folio Web Server is converted to SSL communication (suggestive in combination with basic authentication). The configuration file is located in /etc/httpd/conf.d/ssl.conf.
Example: Extract of the web server configuration for SSL
This way SSL is activated for the server. Additionally it can be configured for which pages SSL shall be used. For that purpose define the directories that should be used in a virtual host.
Outgoing HTTPS requests require CA certificates of the destination servers to be configured. The default list of trusted certificates is stored in /etc/pki/tls/certs/ca-bundle.crt.
openssl must be used to add additional CA certificates to the file.
Execute the following command:
openssl x509 –in <path-to-new-ca-file> -text >> /etc/pki/tls/certs/ca-bundle.crt
Depending on your Web Service configuration, users might be required to authenticate themselves as part of a use case involving an electronic signature.
If the Web Service is configured to authenticate users via Kerberos, authentication in the context of an electronic signature is also based on Kerberos, no further configuration is required.
If Kerberos is not configured, authentication is based on LDAP via Pluggable Authentication Modules for Linux (PAM). To enable PAM authentication, PAM must be configured according to your LDAP infrastructure (pam_ldap.conf). The PAM configuration for each service can be found in /etc/pam.d. The directory contains a single file per service, which is typically a familiar name corresponding to an application. For each service, the file /etc/pam.d/<service> contains its configuration. In case of the Fabasoft Folio Web Service, the service name is "fscweb". Consequently, the file /etc/pam.d/fscweb must be created or modified to complete the authentication configuration for LDAP.