<%NOJS_WARNING%>

KISTERS Logo KISTERS logo

Admin Post Installation Guide

Scroll PDF

First Steps

After the installation is completed, you will find the installed VisShare directory in the given path and four running services:

Service Name

Description / Details

Kisters Nginx Service

The Nginx proxy to upgrade to SSL (optional) and to route the traffic to the correct ports for the application

Port 3000 for the backend REST API

Port 80 for the VisShare client

Port 8080 for the WebViewer client (Websocket support needed)

Kisters VisShare Service

The service to provide the VisShare server and frontend

Needs DB access

Needs mail server access

Needs model repository access

Kisters VisShare WebViewer Service

The service to provide the WebViewer server and frontend

Needs model repository access

Kisters VisShare Converter Service

The automated conversion of files uploaded to the VisShare system

Needs model repository access

If any of these services do not run, you can expect an error. To ensure a smooth behavior for the end user, you should set these services to restart on service failure and on server restart (you can do this via the Windows Services properties).

A common approach is to change the model repository from the default path (inside the VisShare installation folder).

To do this, there are a few settings that need to be updated to point to the new location:

File Name

Description / Details

VisShare/server/datasources.json

Change the entry root in the filestorage section to the new location

VisShare/server/config/settings.json

Change the settings DriveName and WVDriveName to the new location

VisShare_WebViewer/CRendererInstance.ini

Change the setting ModelRepository to the new location

Debugging

If you encounter any errors, there are multiple directories to look for log files:

Location

Description / Details

VisShare root

The setup logs into this file, here you can find any errors that occured on the initial installation

VisShare_Webviewer/logs

The WebViewer logs into the subdirectories below this path

/server

Daily log for the WebViewer server

/instance

One log file per instance

VisShare/server/middleware/log

The VisShare server logs into this directory

One log file per service start

VisShare_Nginx

See the official Nginx documentation for further troubleshooting

VisShare_Converter service

/Log

One log file per service start

Security Considerations

This chapter will cover some security considerations you should keep in mind.

Service Account Rights

We recommend to run the services mentioned above with special service accounts. You should restrict access to the model repository and to the VisShare folder only to this service account, so that other users on the systems can't read the model or configuration files (there are clear text access informations in the configuration files).

Model Repository

To emphasize the last recommendation, the model repository should always be secured against access from non-permitted users/services/applications. If the model repository is located outside of the VisShare server system, you may need to implement a new service account on the VisShare machine, that has access to the remote model repository and set this account for the VisShare services.

VisShare User Access

The VisShare user access is layered in multiple access controls. The default installation tries to use the highest security regarding the user access limitation.

Access control can be managed by following layers:

1.Registration

User accounts on the VisShare can be created via registration (email + password). It is possible to define the way, registrations can be done via settings:

Registration Method

Description / Details

LDAPOnly

With this setting active, registrations are disabled and only valid LDAP users can enter the VisShare

InviteOnly

With this setting active, registrations can only be triggered by valid VisShare users via an email invitation to new user accounts

AdminCreationOnly

With this setting active, registrations are disabled and only administrators can create new user accounts

 

2.Access to the VisShare itself

The VisShare is by default only accessible with a valid login (email + password) from a confirmed user mail (a newly registered user must click on a confirmation link send to this email).

New user accounts can be further restricted by following settings:

Restriction Level

Description / Details

AdminVerification

Accounts need to be verified by an admin before they can start working on the VisShare

AllowGuests

Non-verified accounts are allowed to access public and showcase projects

There are two ways to bypass the login, the first (and recommended) is by accessing file links that were created by VisShare users and the other way would be to enable the RemotePublic flag.

This will allow the access to public projects via the link <server-url>/remote-public/<ID-of-the-public-project>. This setting should only be set to true if there really is a need for this kind of access.

 

3.User pools

The next layer of user access (or user separation) are the user pools. Administrators are allowed to create these and map user accounts to them.

User accounts are only allowed to see (e.g. during the mapping of users to a new project) other users that are in one of their user pools and a project must be mapped to a user pool to enforce a separation of users per project.

User pools do not limit the access to the projects or files, this must be done on project level itself, they are solely used to limit the visible users for normal accounts.

 

4.Project access

The project access should be seen as the main feature to limit the access to the important data (the files). These access rules are applied at the project level and will be inherited down to all files and folders inside the project.

Projects can be set to one of the following types:

Type

Description / Details

Public

Every user can see this project and has write access

Showcase

Every user can see this project but write access must be permitted by project administrators

Restricted

Only users with at least read access can see this project and write access must be permitted by project administrators

Additionally, every project has different kinds of user roles for the users that can access the project:

Role

Description / Details

Project admins

Project admins are allowed to add users to the project and give them rights

By default, the project creator is a project admin and the owner of the project

Write access

These users can see, view, upload, paste, copy and delete files and folders

These users can download files and folders

These users can save files from the WebViewer sessions into the project

Read only access

These users can only see and view files and folders

 

5. Account roles

There are three roles a user account can have:

Role

Description / Details

Guest (if enabled)

Has only access to public and showcase projects

Normal user

Has access to public and showcase projects

Can create new projects

Has access to projects that permitted this account to access

Admins

Same access as normal users

Can create and assign user pools

Can change the VisShare theming

Can/must verify new users (if enabled)

Can create, delete and block (=unverify) users

Can confirm emails (if needed)

Note: Cannot access all projects (same rules apply as for normal users)

There are additional settings to limit features (such as the download) on the VisShare, please refer to the Admin Settings Documentation for a complete list.

CSP and Other HTTP Header

It is recommended to set some HTTP header to improve the security.

These headers need to be set either on the Proxy Server or in the index.html (installation folder/www):

The Proxy headers have not much impact on the execution of the VisShare service and are therefore implemented in the default Nginx configuration. If a different proxy is used, it is recommended to enable at least the following headers in the proxy configuration:

Content-Security-Policy: "frame-ancestors 'self';"

Access-Control-Allow-Origin: <VisShare FQN>

The headers set in the client index.html may have some impact on the execution of the VisShare service and are therefore only described here and should be tested further before deploying them to the live installation.

Moreover, a dynamic hash has to be generated for every release version. This header can be taken from the browser development tools after loading the VisShare in the browser (it will be logged as a missing hash in the console tab).

Following header should be written in a meta tag in the index.html:

Content-Security-Policy:

default-src: 'none'

style-src: 'self' 'unsafe-inline'

script-src: <version depending SHA hash>

img-src: 'self' data:

font-src 'self'

script-src-elem: 'self' <version depending SHA hash>

object-src: 'none'

connect-src: 'self'

form-action: 'self'

base-uri: 'self'

worker-src: blob:

block-all-mixed-content

For example like this:

<meta http-equiv="Content-Security-Policy" content="

  default-src 'none';

  style-src 'self' 'unsafe-inline';

  script-src 'sha256-X+U5Sd/3bd4dCP/omuUcZqp4zoblo0iOYTy3KKqhH2I=';

  img-src 'self' data:;

  font-src 'self';

  script-src-elem 'self' 'sha256-RtvwbtYK3Z0+zSLo7typSexHqOElemnq3IuFC/AjvsM=';

  object-src 'none';

  connect-src 'self';

  form-action 'self';

  base-uri 'self';

  worker-src blob:;

  block-all-mixed-content;"

>

English Version German Version Japanese Version Italian Version French Version Spanish Version Chinese Version File Format list-PDF Admin-PDF