Home Screen Server Config

Introduction

This manual describes the configuration of the server-side components of the GBS Home Screen application.

The configuration procedure should only be carried out after the installation step. For more information, refer to the GBS Apps Installation Manual.

Configuration

The configuration steps are:

All the steps are described below. An example of the config.properties file can be found in the Configuration File Example section.

All lines must be present in the configuration file. Commenting out or deleting lines may cause unexpected behavior. For additional information, contact the Griaule Support Team.

Tomcat Configuration

Edit the Tomcat configuration file to set up the certificates and the port that the application will use.

vim /var/lib/tomcats/home-screen/conf/server.xml

To change the port, look for Connector port=. This is the port for backend operations.

The default port for GBS Home Screen is 8128.

Certificates Configuration

To enable SSL authentication, look for Connector port= in the /conf/server.xml file.

There are several entries. Look for the one that defines an SSL HTTP/1.1 Connector. If necessary, remove the comment delimiters . Then, adjust the following settings:

port="58194"
keystoreFile="/home/griaule/keystore"
keystorePass="password"
keyAlias="1"
clientAuth="true"
truststoreFile="/home/griaule/keystore"
truststorePass="password"

The port parameter should be the desired network port for the application.

Change the path for keystoreFile and truststoreFile to the correct values. Do the same for keystorePass and truststorePass.

The clientAuth="true" parameter will require authentication from the server-side to the client-side and from the client-side to the server-side. This means that the client will need to import the certificate into the browser to access the application.

When clientAuth is set to true, the system administrator must provide the certificate.pfx file to the end users.

Database Password Encryption

In the config.properties file, the jdbc.password parameter is an encrypted password. To generate the encrypted password, follow the steps below:

If the directory /var/lib/tomcats/home-screen/webapps/gbs-home-screen-server/WEB-INF/lib does not exist, start the application (systemctl start [email protected]) once so that the directory is created. Then, stop the application (systemctl stop [email protected]) and continue with the configuration procedure.

Access the following directory:

cd /var/lib/tomcats/home-screen/webapps/gbs-home-screen-server/WEB-INF/lib

Run the command:

java -cp gbs-common-db-<version>.jar com.griaule.commons.util.EncryptUtil <desiredPassword>

The encrypted password will appear after the message: “Encrypted password is:”

Save the encrypted password. It will be used in the next step.

Application Properties File

Open the configuration file:

vim /var/lib/tomcats/home-screen/conf/config.properties

Some important changes in this file are the jdbc.url, jdbc.username, jdbc.password, and gbds.url parameters. Configure them according to your environment.

An example of the complete configuration file is shown in the Configuration File Example section.

Remember to replace the encrypted password generated in the Database Password Encryption section in this file.

Home Screen Settings

Next, configure the IP, port, and protocol for accessing the application. The IP and port should be the same as those configured in the Tomcat Configuration section.

home-screen.ip=<ip>
home-screen.port=<port>
home-screen.protocol=<protocol>

Make sure the home-screen.ip, home-screen.port, and home-screen.protocol configuration parameters are correctly specified in the config.properties file. In many cases, the IP will be the same for multiple applications. However, each application will have a different and unique port.

Nginx

Install and configure Nginx so that GBS Home Screen works with Single Sign On (SSO) along with other applications.

Installing Nginx

If Nginx is already installed, skip to the Configuring Nginx section.

Install Nginx:

sudo yum install nginx -y

Start Nginx:

sudo systemctl start nginx

Configuring Nginx

Enable Nginx to start with the system:

sudo systemctl enable nginx

If Nginx was already installed, check if a configuration file already exists in the /etc/nginx/conf.d/ directory. If it does, check the file to see if the server block is configured for port 80 (listen 80) and for the same server_name as the GBS Home Screen host. If so, skip the instructions for creating a new configuration file and add the settings below to the existing file.

Next, create a configuration file for Nginx:

sudo vim /etc/nginx/conf.d/web-apps.conf

Add the following information to the file. In server, replace <ip_hostname_or_domain> with the IP, hostname, or domain of the server:

server {
	listen 80;
	server_name <ip_hostname_or_domain>;
	client_max_body_size 50M;
}

Next, still in server, add a configuration block for each application, mapping it to its IP and port. Replace <app_name>, <protocol>, <app_name_ip> and <app_name_port> with the correct values:

The <app_name> can be: bcc, cardscan, etr, mir, best, intelligence, smart-sense, print, control-panel, or home-screen.

location /gbs-<app_name>-server {
	proxy_pass <protocol>://<app_name_ip>:<app_name_port>;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
}

Example of a complete Nginx configuration file, containing routes for all applications, using their default ports. Replace <ip_hostname_or_domain>, <protocol>, and <app_name_ip> with the correct values:

server {
	listen 80;
	server_name <ip_hostname_or_domain>;
	client_max_body_size 50M;

	# HOME SCREEN:
	location /gbs-home-screen-server {
		proxy_pass <protocol>://<home-screen_ip>:8128;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

	# BCC
	location /gbs-bcc-server {
		proxy_pass <protocol>://<bcc_ip>:8124;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

	# CARDSCAN
	location /gbs-cardscan-server {
		proxy_pass <protocol>://<cardscan_ip>:8087;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

	# ETR
	location /gbs-etr-server {
		proxy_pass <protocol>://<etr_ip>:8089;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

	# MIR
	location /gbs-mir-server {
		proxy_pass <protocol>://<mir_ip>:8120;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

	# BEST
	location /gbs-best-server {
		proxy_pass <protocol>://<best_ip>:8123;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

	# INTELLIGENCE
	location /gbs-intelligence-server {
		proxy_pass <protocol>://<intelligence_ip>:8122;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

	# SMART SENSE
	location /gbs-smart-sense-server {
		proxy_pass <protocol>://<smart-sense_ip>:8127;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

	# PRINT
	location /gbs-print-server {
		proxy_pass <protocol>://<print_ip>:8127;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

	# CONTROL PANEL
	location /gbs-control-panel-server {
		proxy_pass <protocol>://<control-panel_ip>:8121;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}
}

Save and close the configuration file.

Finally, reload the Nginx configurations:

sudo systemctl reload nginx

Permissions

For the application icons to appear on the Home Screen, the user must have the necessary permissions. Each permission granted to the user (via LDAP integration) corresponds to an application, as shown in the table below:

Application

Permission

BCC

bccdesktop_user

CardScan

cardscan_user

ETR

exception_treatment_user

MIR

quality_control_user

BEST

forensic_user

Intelligence

intelligence_user

SmartSense

smartsense_user

printservice_user

Control Panel

controlpanel_user

Organization Logo

In the upper right corner of the web apps, it is possible to add the organization's logo.

This is an environment configuration. Thus, all users accessing the application will see the same logo.

To do this, in the sphinx.settings table of the database, create or modify the organization.logo configuration (type APPS) to point to the desired logo path. The application (user tomcat) must have read access to the file to load it.

The dimensions of the logo must be 320x132 pixels to fill the entire area. If the image is larger, smaller, or in another proportion, it will be resized, and the remaining area will be filled with white.

The image format should preferably be PNG or JPG.

Accessing the Application

GBS Home Screen, like other applications, should be accessed without using the port, as Nginx will automatically redirect the request to the correct port. Thus, by performing a single sign on (SSO), the user will have access to all applications they have permission to use.

The access URL format is:

<protocol>://<ip_or_domain>/gbs-<app_name>-server/react/
^^^^^^^^^^   ^^^^^^^^^^^^^^     ^^^^^^^^^^

The <app_name> can be: bcc, cardscan, etr, mir, best, intelligence, smart-sense, print, control-panel, or home-screen.

Examples:

GBS Home Screen: http://172.16.0.185/gbs-home-screen-server/react/
GBS BCC: http://172.16.0.185/gbs-bcc-server/react/
GBS ETR: http://172.16.0.185/gbs-etr-server/react/

GBS Home Screen: https://my.server.com/gbs-home-screen-server/react/
GBS CardScan: https://my.server.com/gbs-cardscan-server/react/
GBS MIR: https://my.server.com/gbs-mir-server/react/

If the applications are not accessed through the URL in the format described above (without the port), i.e., if they are accessed using their ports directly, the single sign-on (SSO) will not work, and login will have to be done separately for each application.

Finalizing the Configurations

After completing all the configuration steps, return to the GBS Apps Installation Manual - Configuration Section.

Configuration File Example

This section shows an example of the config.properties file.

The parameters <rdb_ip>, <rdb_username>, <rdb_encrypted_password>, <gbds_ip>, <gbds_username>, <gbds_password>, <home_screen_ip>, <protocol>, <keystore_path>, <keystore_password>, <truststore_path>, <truststore_password>, <ldap_ip>, <ldap_username>, <ldap_password>, <email_password> and <email_address> must be replaced with the appropriate values.

# **********************************************************************************************
#
#      /$$   /$$  /$$$$$$  /$$      /$$ /$$$$$$$$
#     | $$  | $$ /$$__  $$| $$$    /$$$| $$_____/
#     | $$  | $$| $$  \ $$| $$$$  /$$$$| $$
#     | $$$$$$$$| $$  | $$| $$ $$/$$ $$| $$$$$
#     | $$__  $$| $$  | $$| $$  $$$| $$| $$__/
#     | $$  | $$| $$  | $$| $$\  $ | $$| $$
#     | $$  | $$|  $$$$$$/| $$ \/  | $$| $$$$$$$$
#     |__/  |__/ \______/ |__/     |__/|________/
#
#       /$$$$$$   /$$$$$$  /$$$$$$$  /$$$$$$$$ /$$$$$$$$ /$$   /$$
#      /$$__  $$ /$$__  $$| $$__  $$| $$_____/| $$_____/| $$$ | $$
#     | $$  \__/| $$  \__/| $$  \ $$| $$      | $$      | $$$$| $$
#     |  $$$$$$ | $$      | $$$$$$$/| $$$$$   | $$$$$   | $$ $$ $$
#      \____  $$| $$      | $$__  $$| $$__/   | $$__/   | $$  $$$$
#      /$$  \ $$| $$    $$| $$  \ $$| $$      | $$      | $$\  $$$
#     |  $$$$$$/|  $$$$$$/| $$  | $$| $$$$$$$$| $$$$$$$$| $$ \  $$
#      \______/  \______/ |__/  |__/|________/|________/|__/  \__/
#
# **********************************************************************************************
# DATABASE (RDB)
jdbc.driverClassName=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://<rdb_ip>:3306/sphinx?useSSL=false
jdbc.username=<rdb_username>
jdbc.password=<rdb_encrypted_password>
jdbc.dialect=org.hibernate.dialect.MySQLDialect
jdbc.showSql=false

# **********************************************************************************************
# GBDS CONNECTION (& AUTHENTICATION LDAP ONLY)
gbds.url=http://<gbds_ip>:8085
gbds.user=<gbds_username>
gbds.key=<gbds_password>
gbds.logLevel=INFO
gbds.additionalHeaders={}
gbds.flushDebugRequests=false
gbds.timeout=300
gbds.listExceptions.labels=

# **********************************************************************************************
# GUI SETTINGS
home-screen.ip=<home_screen_ip>
home-screen.port=8128
home-screen.protocol=<protocol>
locale=en_us

# **********************************************************************************************
# OTHER SETTINGS
gbds.latent.search.url=null
gbds.proxy.url=null
gbds.proxy.port=0

keystore.path=<keystore_path>
keystore.password=<keystore_password>
truststore.path=<truststore_path>
truststore.password=<truststore_password>

# **********************************************************************************************
# SESSION SETTINGS
same.user.simultaneous.login=true
fingerprint.useSDK=false
image.convert.useJnbis=false
filter.people.pguid=ALL
faceQuality.qtdeMinErrors=2
session.expirationTime.server=8h
session.expirationTime.web=8h
notification.last.timestamp=15

ldap.url=http://<ldap_ip>:8082/
ldap.user=<ldap_username>
ldap.password=<ldap_password>
codeValidTime=10
deviceTime=6

# **********************************************************************************************
# EMAIL
email.host=smtp.gmail.com
email.host.port=587
email.from=<email_address>
email.password=<email_password>
email.python.path=python
email.use.script.python=true

profile.cacheSize=100
profile.cacheTime=5m
locale=pt_br

Last updated 29 days ago