# BEST Web Server Configuration

## Introduction

This manual describes the configuration of the server-side components of the *GBS BEST Server*.

The configuration procedure should be done only after the installation step. For more information, consult the [GBS Apps Installation Manual](/gbs/en/web-components/gbsappssetup.md).

## Configuration

The configuration steps are:

1. Configure Tomcat;
2. Configure the Certificates;
3. Generate the encrypted password;
4. Finalize the configurations in the config.properties file.

All steps are described below. An example of the file `config.properties` can be seen in the section [Configuration File Example](#exemplo-do-arquivo-de-configuracao).

{% hint style="danger" %}
All lines must be present in the configuration file. Commenting out or deleting lines may cause unexpected behavior. For additional information, contact the Griaule Support Team.
{% endhint %}

### Tomcat Configuration

Edit Tomcat's configuration file to configure the certificates and the port the application will use.

```sh
vi /var/lib/tomcats/best/conf/server.xml
```

To change the port, search for `connector port=`. This is the port for backend operations.

### Certificates Configuration

To enable SSL authentication, search for `connector port=` in the file `/conf/server.xml`.

There are two entries. The commented one is the configuration for SSL. Remove the comment delimiters `<!--` and `-->`, then adjust the following parameters:

```properties
port="58194"
keystoreFile="/home/griaule/keystore"
keystorePass="password"
keyAlias="1"
clientAuth="true"
truststoreFile="/home/griaule/keystore"
truststorePass="password"
```

The parameter `port` must be the desired network port for the application.

Change the path of the `keystoreFile` and the `truststoreFile` to the appropriate values. Do the same for the `keystorePass` and the `truststorePass`.

The parameter `clientAuth="true"` enables mutual authentication: the server authenticates itself to the client, and the client must authenticate itself to the server. This means the client will need to import the certificate into the browser to be able to access the application.

{% hint style="warning" %}
When **clientAuth** is set to *true*, the system administrator must provide the file **certificate.pfx** to end users.
{% endhint %}
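
The following check is an added example, not part of the Griaule manual or its tooling. It parses a `server.xml` and reports whether the SSL connector is still commented out, still carries the `password` placeholder from the snippet above, or uses one file as both keystore and truststore. The sample XML and the function name `audit_connectors` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the SSL connector after removing the comment delimiters,
# still carrying the values from the manual's snippet.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8123" protocol="HTTP/1.1" />
    <!-- <Connector port="8443" keystoreFile="/tmp/unused" /> -->
    <Connector port="58194" keystoreFile="/home/griaule/keystore"
               keystorePass="password" keyAlias="1" clientAuth="true"
               truststoreFile="/home/griaule/keystore" truststorePass="password" />
  </Service>
</Server>"""

def audit_connectors(xml_text):
    """Return (port, finding) tuples for the active Connector elements."""
    findings = []
    root = ET.fromstring(xml_text)  # the parser drops XML comments
    tls = [c for c in root.iter("Connector") if c.get("keystoreFile")]
    if not tls:
        findings.append((None, "no active connector sets keystoreFile: "
                               "the SSL entry is still commented out"))
    for c in tls:
        port = c.get("port")
        for attr in ("keystorePass", "truststorePass"):
            if c.get(attr) == "password":
                findings.append((port, f"{attr} is still the placeholder value"))
        if c.get("clientAuth") != "true":
            findings.append((port, 'clientAuth is not "true": '
                                   "client certificates are not required"))
        elif not c.get("truststoreFile"):
            findings.append((port, "clientAuth is true but truststoreFile is not set"))
        if c.get("truststoreFile") and c.get("truststoreFile") == c.get("keystoreFile"):
            findings.append((port, "truststoreFile and keystoreFile are the same file"))
    return findings

if __name__ == "__main__":
    for port, msg in audit_connectors(SAMPLE_SERVER_XML):
        print(f"[port {port}] {msg}")
```

To check a deployed instance, pass the contents of `/var/lib/tomcats/best/conf/server.xml` to `audit_connectors`.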

### Database Password Encryption

In the file `config.properties`, the parameter `jdbc.password` is an encrypted password. To generate the encrypted password, follow these steps:

1. Go to the following directory:

   ```sh
   cd /var/lib/tomcats/best/webapps/gbs-best-server/WEB-INF/lib
   ```
2. Run the command:

   ```sh
   java -cp gbs-common-db-<version>.jar com.griaule.commons.util.EncryptUtil <desiredPassword>
   ```
3. The encrypted password will appear after the message: *"Encrypted password is:"*

{% hint style="info" %}
Save the encrypted password. It will be used in later configurations.
{% endhint %}

### Label Search Filter

Some BEST configurations can be made through the databases, such as the labels for the search filter. This configuration is a list of labels that the user can select in the fragment search configuration to restrict the candidate list.

To configure the desired labels, add them to the `search.labels` row of the table `sphinx.settings`. Note that labels must be separated by commas.

These labels will be visible to all BEST users.

### Application Configuration File

To configure the file, open it with:

```sh
vi /var/lib/tomcats/best/conf/config.properties
```

The most important changes in this file are the parameters `jdbc.url`, `jdbc.username`, `jdbc.password` and `gbds.url`. Configure them according to your environment.

The complete configuration file is shown in the section [Configuration File Example](#exemplo-do-arquivo-de-configuracao).

{% hint style="info" %}
Remember to set `jdbc.password` in this file to the encrypted password generated in the section [Database Password Encryption](#criptografia-da-senha-do-banco-de-dados).
{% endhint %}

#### Case Segregation Label

It is possible to segregate the cases that a user sees in the software. To do this, you need to add a permission in the LDAP settings.

Inside a user group in LDAP, add the label in the format `best_org_{label}`, e.g. `best_org__MG`. New cases created by users in this group will have this label and the case will be visible only to users with the correct permissions to view cases with this label.

{% hint style="info" %}
Cases created before the addition of the labels will not be modified.
{% endhint %}

#### Use of multiple nodes

BEST can be used on more than one server node. To allow this, the master server must have the setting `poolingUL.active` set to `true`, and the other nodes must have it set to `false`.

{% hint style="warning" %}
Remember to set up load balancing between the nodes if you are using this method.
{% endhint %}

#### BEST Settings

The last step is to configure the IP and port of the application that the end user will access. It must be the same IP and port configured in the section [Tomcat Configuration](#configuracao-do-tomcat).

```properties
best.ip=<ip>
best.port=<port>
best.protocol=<protocol>
```

{% hint style="warning" %}
Make sure the configuration parameters `best.ip`, `best.port` and `best.protocol` are correctly specified in the file `config.properties`. In many cases, the IP will be the same for several applications. However, each application will have a **different and unique port**.
{% endhint %}

## Finishing the Configurations

After completing all configuration steps, return to the [GBS Apps Installation Manual - Configuration Section](/gbs/en/web-components/gbsappssetup.md#configuracoes).

## Configuration File Example

This section shows an example of the file `config.properties`.

```properties
# GBS BEST Server

jdbc.driverClassName=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://192.168.0.200:3306/forensic?useSSL=false
jdbc.username=root
jdbc.password=CDrt8vbewA2YAubPNOLZkw==
jdbc.dialect=org.hibernate.dialect.MySQLDialect
jdbc.showSql=false

# GBDS connection
gbds.url=http://192.168.0.200:8085
gbds.user=admin
gbds.key=griaule123
gbds.logLevel=DEBUG

session.expirationTime=8h
same.user.simultaneous.login=true

locale=en_us

fingerprint.useSDK=true
useLatentExtrator.fingerprint=true
useLatentExtrator.palmprint=false

image.convert.useJnbis=false

poolingSearch.active=true
poolingSearch.time=5

poolingUL.active=true
poolingUL.time=300

extratorServer.firstPort=8100
extratorServer.processNumber=4

faceQuality.qtdeMinErrors=2

session.expirationTime=8h

server.standalone.port=8085

best.ip=127.0.0.1
best.port=8123
best.protocol=http

# Path to save the videos (the face detection and extraction service needs to access this path)
fileDir=/var/lib/apache-tomcat-best/videos

# Endpoint for face detection/extraction service
detect.group.url=http://172.16.0.70:8127/v1/detection/

# Number of best faces desired for each identify (at least 1)
detect.numberBestFaces=5

# Number of threads (BEST server will import and search the faces in parallel)
identity.threadSize=4

# Frame detection step. If 3, only 1 out of 3 frames will be considered
detect.framesStep=3

# Faces must appear in at least this number of frames to be considered valid
detect.framesAppearingFilter=30

# Facelib match threshold
detect.matchThreshold=65
```
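
The following audit is an added example, not part of the Griaule manual or its tooling. It reads a `config.properties` text and reports the settings from the example above that deserve review before deployment: duplicated keys (the example defines `session.expirationTime` twice), secrets copied from this page, `useSSL=false`, the `root` database account, plain `http` endpoints and `DEBUG` logging. The function names and the choice of findings are assumptions, and the parser handles only simple `key=value` lines.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: lines copied from the example file on this page.
SAMPLE = """\
jdbc.url=jdbc:mysql://192.168.0.200:3306/forensic?useSSL=false
jdbc.username=root
jdbc.password=CDrt8vbewA2YAubPNOLZkw==
gbds.url=http://192.168.0.200:8085
gbds.key=griaule123
gbds.logLevel=DEBUG
session.expirationTime=8h
session.expirationTime=8h
best.protocol=http
detect.group.url=http://172.16.0.70:8127/v1/detection/
"""
# Values printed in the public example; a deployed file should not reuse them.
DOC_VALUES = {"jdbc.password": "CDrt8vbewA2YAubPNOLZkw==", "gbds.key": "griaule123"}

def parse_properties(text):
    """Return (key, value) pairs in file order, skipping blanks and # comments."""
    pairs = []
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs

def audit(text):
    """Return a list of findings for one config.properties text."""
    pairs = parse_properties(text)
    cfg = dict(pairs)  # last duplicate wins, as in java.util.Properties
    out = [f"{k}: defined {n} times" for k, n in Counter(k for k, _ in pairs).items() if n > 1]
    out += [f"{k}: still the value from the documentation example"
            for k, v in DOC_VALUES.items() if cfg.get(k) == v]
    if "usessl=false" in cfg.get("jdbc.url", "").lower():
        out.append("jdbc.url: useSSL=false, database traffic is not encrypted")
    if cfg.get("jdbc.username") == "root":
        out.append("jdbc.username: application connects as root")
    for k in ("gbds.url", "detect.group.url"):
        if urlsplit(cfg.get(k, "")).scheme == "http":
            out.append(f"{k}: plain http")
    if cfg.get("best.protocol") == "http":
        out.append("best.protocol: plain http")
    if cfg.get("gbds.logLevel") == "DEBUG":
        out.append("gbds.logLevel: DEBUG")
    return out
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```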

