Teamwork Cloud features the new Webapp Platform-based TWCloud Admin Console. As such, it is a standalone application that communicates with Teamwork Cloud using the REST API.
Configuration of its communication with Teamwork Cloud is located in <installation_directory>/WebAppPlatform/shared/conf/webappplatform.properties.
In this section, we will review the various settings which you may have to adjust in order to establish communications between the admin console and Teamwork Cloud. Changes to these settings are only necessary if one is not using a default installation.

    #
    # Authentication server properties
    #
    # Authentication server address
    # http/https depending on setup of Authentication server.
    authentication.server.uri=https://IP_ADDRESS:8555/authentication

Authserver access
If you are accessing via a hostname or FQDN, especially if you are using a signed certificate, use the applicable FQDN or hostname instead of the IP address.
If you have configured authserver to use HTTP or to run on a different port, make sure that the URI reflects the correct values.

    #
    # Teamwork Cloud server properties
    #
    twc.admin.username=Administrator
    twc.admin.password=Administrator
    # Teamwork Cloud server address
    # http/https depending on setup of Authentication server.
    twc.url=https://IP_ADDRESS:8111

TWCloud access
Please make sure these credentials for twc.admin.username and twc.admin.password match those of a user with administrative privileges.
If you are accessing via a hostname or FQDN, especially if you are using a signed certificate, use the applicable FQDN or hostname instead of the IP address.
If you have configured TWCloud to use HTTP or to run on a different port, make sure that the URI reflects the correct values.
If you change any of the configuration parameters, you will need to restart the WebApp service.
By default, and in order to enforce a higher level of security, the admin console is accessed via HTTPS. In order to change the mode of operation to HTTP (not recommended), various configuration changes must be made.
The default port for the admin console is 8443. In this example, we will make the changes necessary to run over HTTP on the default port of 8443.
The WebApp server configuration is located in <installation_directory>/WebAppPlatform/conf/server.xml.
The following section:

    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

needs to be edited to:

    <Connector executor="tomcatThreadPool"
               port="8443" protocol="HTTP/1.1"
               connectionTimeout="20000" />

The changes which we implemented consist of changing the port from 8080 to 8443, and removing a redirect that would route to the handler on port 8443.
Since we have configured this connector to listen on port 8443, we now need to remove the existing connector handler on port 8443.
The following section:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="../configuration/keystore.p12"
                         certificateKeystorePassword="nomagic"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

needs to be commented out as follows:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="../configuration/keystore.p12"
                         certificateKeystorePassword="nomagic"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

By default, for security reasons, we have established a security policy requiring access to be encrypted. To disable this, we need to edit <installation_directory>/WebAppPlatform/conf/web.xml. This section is located at the very bottom of the file.
The following section:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>webapp</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

needs to be edited as follows:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>webapp</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

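A check for the two files edited above, as an added example that is not part of the original documentation: it reports connectors that serve plaintext once transport-guarantee is no longer CONFIDENTIAL, and connectors that still use the keystore password shipped with the build. The function names, the minimal <Server> and <web-app> wrappers and the web.xml namespace are assumptions; the inputs are constructed from this page's fragments.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip an XML namespace so web.xml matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_transport(server_xml, web_xml):
    """Return findings for the server.xml / web.xml settings edited above."""
    findings = []
    guarantees = [el.text.strip() for el in ET.fromstring(web_xml).iter()
                  if local(el.tag) == "transport-guarantee" and el.text]
    confidential = "CONFIDENTIAL" in guarantees
    if not confidential:
        findings.append("web.xml: transport-guarantee is not CONFIDENTIAL")
    # ElementTree drops XML comments, so a commented-out connector is ignored.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port")
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        # With CONFIDENTIAL, Tomcat redirects plain requests to redirectPort.
        if not tls and not confidential:
            findings.append(f"port {port}: serves plaintext HTTP")
        for cert in conn.iter("Certificate"):
            if cert.get("certificateKeystorePassword") == "nomagic":
                findings.append(f"port {port}: shipped keystore password in use")
    return findings

# Constructed inputs: this page's fragments wrapped in minimal root elements.
TLS = ('<Connector port="8443" SSLEnabled="true">'
       '<SSLHostConfig><Certificate certificateKeystorePassword="nomagic" '
       'certificateKeystoreFile="../configuration/keystore.p12" type="RSA" />'
       '</SSLHostConfig></Connector>')
DEFAULT_SERVER = ('<Server><Service><Connector port="8080" protocol="HTTP/1.1" '
                  'redirectPort="8443" />' + TLS + '</Service></Server>')
HTTP_SERVER = ('<Server><Service><Connector port="8443" protocol="HTTP/1.1" />'
               '<!-- ' + TLS + ' --></Service></Server>')
WEB = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><security-constraint>'
       '<user-data-constraint><transport-guarantee>{}</transport-guarantee>'
       '</user-data-constraint></security-constraint></web-app>')

if __name__ == "__main__":
    for name, srv, tg in [("default", DEFAULT_SERVER, "CONFIDENTIAL"),
                          ("HTTP edit", HTTP_SERVER, "NONE")]:
        print(name, audit_transport(srv, WEB.format(tg)))
```
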
In the next example, we will configure the Admin Console to run HTTPS on a different port (8444).
The following code section:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="../configuration/keystore.p12"
                         certificateKeystorePassword="nomagic"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

needs to be edited as follows:

    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="../configuration/keystore.p12"
                         certificateKeystorePassword="nomagic"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

As can be seen, the only change is the definition of the port number, which changed from 8443 to 8444.
If you change either the protocol or the port from the default, you need to edit authentication.redirect.uri.whitelist, located in <installation_directory>/AuthServer/config/authserver.properties, accordingly.
By default, the Admin console uses a self-signed certificate that is provided with the build. This is the same keystore used by TWCloud and Authserver, and is located in <install_directory>/configuration/keystore.p12.
If a signed certificate is being used to replace the self-signed certificate, we need to update configurations in three files: <installation_directory>/configuration/application.conf, <installation_directory>/AuthServer/config/authserver.properties and <installation_directory>/WebAppPlatform/conf/server.xml.
To list the aliases in the keystore, use the command:

    <path_to_java_bin_directory>/keytool -v -list -keystore <keystorefile>

For this example, the location of my keytool executable is /opt/local/java/jdk1.8.0_192/bin/keytool, and the keystore file is the default keystore.p12. The command is being executed from the same directory where keystore.p12 is located. When the command is executed, you will be prompted for the keystore password. For our self-signed certificate (keystore.p12), it is nomagic.

    # /opt/local/java/jdk1.8.0_192/bin/keytool -v -list -keystore keystore.p12
    Enter keystore password:

    Keystore type: PKCS12
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: teamworkcloud
    Creation date: Oct 30, 2018
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=10.254.254.56

You will execute this command on whichever certificate you will be using. In this case, the alias is teamworkcloud and the certificate was generated for an Owner with a common name (CN) of 10.254.254.56, which happens to be a self-signed certificate for a machine with IP 10.254.254.56. Your keystore may contain multiple certificates with different aliases. You will identify the relevant one based on the Owner information. Once we have this information, we can proceed with the configuration.
For this example, we will assume that our new certificate is named server.p12, the keystore password is "mypassword" and the alias is "myserver". First, copy it to the <install_directory>/configuration/ directory.
Now we will proceed to edit application.conf.

    ssl {
        keystorePath = "configuration/server.p12"
        keystoreType = "pkcs12"
        keystorePassword = "mypassword"
        keyPassword = "mypassword"
    }

    https {
        # the file name of the certificate or the key store (should be a full path)
        file = "configuration/server.p12"

        # certificate_mode: "true" if the file is a certificate; "false" if the file is a key store.
        is_certificate_file = false
        # key store password
        password = "mypassword"
    }

Next, we proceed to edit authserver.properties.

    server.ssl.key-store=../configuration/server.p12
    server.ssl.key-store-type=PKCS12
    server.ssl.key-store-password=mypassword
    server.ssl.key-password=mypassword
    server.ssl.key-alias=myserver

Finally, we will edit server.xml.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="../configuration/server.p12"
                         certificateKeystorePassword="mypassword"
                         certificateKeyAlias="myserver"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Please note the addition of "certificateKeyAlias". This is not always necessary, but we do it for good measure. Tomcat will load the first certificate in the keystore. If there are multiple certificates, the alias is necessary in order to load the correct certificate.
After completing the configuration changes, all 3 services (Teamwork Cloud, Authserver, and Webapp) must be restarted.
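A pre-restart check for the three-file procedure above, as an added example that is not part of the original documentation: it confirms that application.conf, authserver.properties and server.xml all point at the same keystore file, password and alias. The function names and the minimal <Server> wrapper are assumptions; the inputs are constructed from the values in this page's example, with one server.xml deliberately left at the defaults.

```python
import os
import re
import xml.etree.ElementTree as ET

def keystore_views(app_conf, auth_props, server_xml):
    """Return {source: (file, password, alias)} as each config states it."""
    conf = dict(re.findall(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', app_conf, re.M))
    props = {k.strip(): v.strip() for k, v in
             (ln.split("=", 1) for ln in auth_props.splitlines()
              if "=" in ln and not ln.lstrip().startswith("#"))}
    cert = ET.fromstring(server_xml).find(".//Certificate").attrib
    return {
        "application.conf ssl": (conf.get("keystorePath"),
                                 conf.get("keystorePassword"), None),
        "application.conf https": (conf.get("file"), conf.get("password"), None),
        "authserver.properties": (props.get("server.ssl.key-store"),
                                  props.get("server.ssl.key-store-password"),
                                  props.get("server.ssl.key-alias")),
        "server.xml": (cert.get("certificateKeystoreFile"),
                       cert.get("certificateKeystorePassword"),
                       cert.get("certificateKeyAlias")),
    }

def check_consistency(app_conf, auth_props, server_xml):
    """List disagreements with authserver.properties; paths compare by file name."""
    views = keystore_views(app_conf, auth_props, server_xml)
    ref_file, ref_pw, ref_alias = views["authserver.properties"]
    problems = []
    for name, (path, pw, alias) in views.items():
        if os.path.basename(path or "") != os.path.basename(ref_file or ""):
            problems.append(f"{name}: keystore file is {path!r}")
        if pw != ref_pw:  # report the mismatch without echoing the secret
            problems.append(f"{name}: keystore password differs")
        if alias is not None and alias != ref_alias:
            problems.append(f"{name}: alias is {alias!r}")
    return problems

# Constructed inputs using the values from this page's example.
APP_CONF = ('ssl {\n keystorePath = "configuration/server.p12"\n'
            ' keystorePassword = "mypassword"\n}\nhttps {\n'
            ' file = "configuration/server.p12"\n password = "mypassword"\n}\n')
AUTH_PROPS = ("server.ssl.key-store=../configuration/server.p12\n"
              "server.ssl.key-store-password=mypassword \n"
              "server.ssl.key-alias=myserver\n")
CERT = ('<Server><Connector port="8443"><SSLHostConfig><Certificate '
        'certificateKeystoreFile="../configuration/{}" '
        'certificateKeystorePassword="{}" {} /></SSLHostConfig></Connector></Server>')
UPDATED = CERT.format("server.p12", "mypassword", 'certificateKeyAlias="myserver"')
STALE = CERT.format("keystore.p12", "nomagic", "")  # server.xml left unedited
```

check_consistency(APP_CONF, AUTH_PROPS, UPDATED) returns an empty list, while passing STALE reports the file and password mismatch in server.xml.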