|
Navigation: Admin Post Installation Guide |
Scroll
 |
|
First Steps
After the installation is completed, you will find the installed VisShare directory in the given path and four running services:
Service Name |
Description / Details |
|---|---|
Kisters Nginx Service |
The Nginx proxy to upgrade to SSL (optional) and to route the traffic to the correct ports for the application ▪Port 3000 for the backend REST API ▪Port 80 for the VisShare client ▪Port 8080 for the WebViewer client (Websocket support needed) |
Kisters VisShare Service |
The service to provide the VisShare server and frontend ▪Needs DB access ▪Needs mail server access ▪Needs model repository access |
Kisters VisShare WebViewer Service |
The service to provide the WebViewer server and frontend ▪Needs model repository access |
Kisters VisShare Converter Service |
The automated conversion of files uploaded to the VisShare system ▪Needs model repository access |
If any of these services do not run, you can expect an error. To ensure a smooth behavior for the end user, you should set these services to restart on service failure and on server restart (you can do this via the Windows Services properties).
A common approach is to change the model repository from the default path (inside the VisShare installation folder).
To do this, there are a few settings that need to be updated to point to the new location:
File Name |
Description / Details |
|---|---|
VisShare/server/datasources.json |
Change the entry root in the filestorage section to the new location |
VisShare/server/config/settings.json |
Change the settings DriveName and WVDriveName to the new location |
VisShare_WebViewer/CRendererInstance.ini |
Change the setting ModelRepository to the new location |
Debugging
If you encounter any errors, there are multiple directories to look for log files:
Location |
Description / Details |
|---|---|
VisShare root |
The setup logs into this file, here you can find any errors that occured on the initial installation |
VisShare_Webviewer/logs |
The WebViewer logs into the subdirectories below this path ▪/server ▪Daily log for the WebViewer server ▪/instance ▪One log file per instance |
VisShare/server/middleware/log |
▪The VisShare server logs into this directory ▪One log file per service start |
VisShare_Nginx |
See the official Nginx documentation for further troubleshooting |
VisShare_Converter service |
▪/Log ▪One log file per service start |
Security Considerations
This chapter will cover some security considerations you should keep in mind.
Service Account Rights
We recommend to run the services mentioned above with special service accounts. You should restrict access to the model repository and to the VisShare folder only to this service account, so that other users on the systems can't read the model or configuration files (there are clear text access informations in the configuration files).
Model Repository
To emphasize the last recommendation, the model repository should always be secured against access from non-permitted users/services/applications. If the model repository is located outside of the VisShare server system, you may need to implement a new service account on the VisShare machine, that has access to the remote model repository and set this account for the VisShare services.
VisShare User Access
The VisShare user access is layered in multiple access controls. The default installation tries to use the highest security regarding the user access limitation.
Access control can be managed by following layers:
1.Registration
User accounts on the VisShare can be created via registration (email + password). It is possible to define the way, registrations can be done via settings:
Registration Method |
Description / Details |
|---|---|
LDAPOnly |
With this setting active, registrations are disabled and only valid LDAP users can enter the VisShare |
InviteOnly |
With this setting active, registrations can only be triggered by valid VisShare users via an email invitation to new user accounts |
AdminCreationOnly |
With this setting active, registrations are disabled and only administrators can create new user accounts |
2.Access to the VisShare itself
The VisShare is by default only accessible with a valid login (email + password) from a confirmed user mail (a newly registered user must click on a confirmation link send to this email).
New user accounts can be further restricted by following settings:
Restriction Level |
Description / Details |
|---|---|
AdminVerification |
Accounts need to be verified by an admin before they can start working on the VisShare |
AllowGuests |
Non-verified accounts are allowed to access public and showcase projects |
There are two ways to bypass the login, the first (and recommended) is by accessing file links that were created by VisShare users and the other way would be to enable the RemotePublic flag.
This will allow the access to public projects via the link <server-url>/remote-public/<ID-of-the-public-project>. This setting should only be set to true if there really is a need for this kind of access.
3.User pools
The next layer of user access (or user separation) are the user pools. Administrators are allowed to create these and map user accounts to them.
User accounts are only allowed to see (e.g. during the mapping of users to a new project) other users that are in one of their user pools and a project must be mapped to a user pool to enforce a separation of users per project.
User pools do not limit the access to the projects or files, this must be done on project level itself, they are solely used to limit the visible users for normal accounts.
4.Project access
The project access should be seen as the main feature to limit the access to the important data (the files). These access rules are applied at the project level and will be inherited down to all files and folders inside the project.
Projects can be set to one of the following types:
Type |
Description / Details |
|---|---|
Public |
Every user can see this project and has write access |
Showcase |
Every user can see this project but write access must be permitted by project administrators |
Restricted |
Only users with at least read access can see this project and write access must be permitted by project administrators |
Additionally, every project has different kinds of user roles for the users that can access the project:
Role |
Description / Details |
|---|---|
Project admins |
▪Project admins are allowed to add users to the project and give them rights ▪By default, the project creator is a project admin and the owner of the project |
Write access |
▪These users can see, view, upload, paste, copy and delete files and folders ▪These users can download files and folders ▪These users can save files from the WebViewer sessions into the project |
Read only access |
These users can only see and view files and folders |
5. Account roles
There are three roles a user account can have:
Role |
Description / Details |
|---|---|
Guest (if enabled) |
Has only access to public and showcase projects |
Normal user |
▪Has access to public and showcase projects ▪Can create new projects ▪Has access to projects that permitted this account to access |
Admins |
▪Same access as normal users ▪Can create and assign user pools ▪Can change the VisShare theming ▪Can/must verify new users (if enabled) ▪Can create, delete and block (=unverify) users ▪Can confirm emails (if needed) Note: Cannot access all projects (same rules apply as for normal users) |
There are additional settings to limit features (such as the download) on the VisShare, please refer to the Admin Settings Documentation for a complete list.
CSP and Other HTTP Header
It is recommended to set some HTTP header to improve the security.
These headers need to be set either on the Proxy Server or in the index.html (installation folder/www):
The Proxy headers have not much impact on the execution of the VisShare service and are therefore implemented in the default Nginx configuration. If a different proxy is used, it is recommended to enable at least the following headers in the proxy configuration:
▪Content-Security-Policy: "frame-ancestors 'self';"
▪Access-Control-Allow-Origin: <VisShare FQN>
The headers set in the client index.html may have some impact on the execution of the VisShare service and are therefore only described here and should be tested further before deploying them to the live installation.
Moreover, a dynamic hash has to be generated for every release version. This header can be taken from the browser development tools after loading the VisShare in the browser (it will be logged as a missing hash in the console tab).
Following header should be written in a meta tag in the index.html:
▪Content-Security-Policy:
▪default-src: 'none'
▪style-src: 'self' 'unsafe-inline'
▪script-src: <version depending SHA hash>
▪img-src: 'self' data:
▪font-src 'self'
▪script-src-elem: 'self' <version depending SHA hash>
▪object-src: 'none'
▪connect-src: 'self'
▪form-action: 'self'
▪base-uri: 'self'
▪worker-src: blob:
▪block-all-mixed-content
For example like this:
<meta http-equiv="Content-Security-Policy" content=" default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'sha256-X+U5Sd/3bd4dCP/omuUcZqp4zoblo0iOYTy3KKqhH2I='; img-src 'self' data:; font-src 'self'; script-src-elem 'self' 'sha256-RtvwbtYK3Z0+zSLo7typSexHqOElemnq3IuFC/AjvsM='; object-src 'none'; connect-src 'self'; form-action 'self'; base-uri 'self'; worker-src blob:; block-all-mixed-content;" > |
