# Home Screen Server Configuration

## Introduction

This manual describes the configuration of the server-side components of the application *GBS Home Screen*.

The configuration procedure must be performed only after the installation step. For more information, consult the [GBS Apps Installation Manual](https://docs.griaule.com/gbs/en/web-components/gbsappssetup).

## Configuration

The steps for configuration are:

1. [Configure Tomcat](#configuracao-do-tomcat);
2. [Configure the certificates](#configuracao-de-certificados);
3. [Generate the encrypted password](#criptografia-da-senha-do-banco-de-dados);
4. [Configure other properties in the config.properties file](#arquivo-de-configuracao-da-aplicacao);
5. [Install and configure Nginx](#nginx);
6. [Configure permissions](#permissoes);
7. [Configure the client logo](#logotipo-do-cliente).

All steps are described below. An example of the file `config.properties` can be found in the section [Configuration File Example](#exemplo-do-arquivo-de-configuracao).

{% hint style="danger" %}
All lines must be present in the configuration file. Commenting out or deleting lines may cause unexpected behavior. For additional information, contact the Griaule Support Team.
{% endhint %}

### Tomcat Configuration

Edit Tomcat's configuration file to configure the certificates and the port the application will use.

```sh
vim /var/lib/tomcats/home-screen/conf/server.xml
```

To change the port, search for `Connector port=`. This is the port for backend operations.

The default port for GBS Home Screen is `8128`.

### Certificates Configuration

To enable SSL authentication, search for `Connector port=` in the file `/conf/server.xml`.

There are several entries. Look for the one that defines an *SSL HTTP/1.1 Connector*. If it is commented out, remove the comment delimiters `<!--` and `-->`. Then, adjust the following settings:

```properties
port="8127"
keystoreFile="/home/griaule/keystore"
keystorePass="password"
keyAlias="1"
clientAuth="true"
truststoreFile="/home/griaule/keystore"
truststorePass="password"
```

The parameter `port` must be the desired network port for the application.

Change the path of `keystoreFile` and `truststoreFile` to the correct values. Do the same for `keystorePass` and `truststorePass`.

With `clientAuth="true"`, the server authenticates to the client and the client must also authenticate to the server (mutual TLS). This means the client will need to import the certificate into the browser to be able to access the application.

{% hint style="warning" %}
When `clientAuth` is set to `true`, the system administrator must provide the file `certificate.pfx` to end users.
{% endhint %}

### Database Password Encryption

In the file `config.properties`, the parameter `jdbc.password` is an encrypted password. To generate the encrypted password, follow the steps below:

{% hint style="info" %}
If the directory `/var/lib/tomcats/home-screen/webapps/gbs-home-screen-server/WEB-INF/lib` does not exist, **start** the application (`systemctl start tomcat@home-screen.service`) once so that the directory is created. Then, **stop** the application (`systemctl stop tomcat@home-screen.service`) and continue the configuration procedure.
{% endhint %}

1. Access the following directory:

   ```sh
   cd /var/lib/tomcats/home-screen/webapps/gbs-home-screen-server/WEB-INF/lib
   ```
2. Run the command:

   ```sh
   java -cp gbs-common-db-<version>.jar com.griaule.commons.util.EncryptUtil <desiredPassword>
   ```
3. The encrypted password will appear after the message: *"Encrypted password is:"*

{% hint style="info" %}
Save the encrypted password. It will be used in the next step.
{% endhint %}

### Application Configuration File

Open the configuration file:

```sh
vim /var/lib/tomcats/home-screen/conf/config.properties
```

Important parameters to change in this file include `jdbc.url`, `jdbc.username`, `jdbc.password` and `gbds.url`. Configure them according to your environment.

An example of the complete configuration file is shown in the section [Configuration File Example](#exemplo-do-arquivo-de-configuracao).

{% hint style="info" %}
Remember to set `jdbc.password` in this file to the encrypted password generated in the section [Database Password Encryption](#criptografia-da-senha-do-banco-de-dados).
{% endhint %}

#### Home Screen Settings

Next, configure the IP, port and access protocol for the application. The IP and port must be the same as those configured in the section [Tomcat Configuration](#configuracao-do-tomcat).

```properties
home-screen.ip=<ip>
home-screen.port=<port>
home-screen.protocol=<protocol>
```

{% hint style="warning" %}
Make sure the configuration parameters `home-screen.ip`, `home-screen.port` and `home-screen.protocol` are correctly specified in the file `config.properties`. In many cases, the IP will be the same for several applications. However, each application will have a **different and unique port**.
{% endhint %}
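
A pre-start check for the rule above, as an added example rather than Griaule tooling: it confirms that `home-screen.port` matches an uncommented `Connector` in `server.xml`, lists values still holding a `<placeholder>`, and flags either file if it is world-readable, since both hold passwords. The function names are hypothetical; the paths in the closing comment are the ones this manual uses.

```shell
#!/bin/sh
# Added example, not Griaule tooling. File paths are supplied by the caller.

# prop FILE KEY: value of the last "KEY=value" line (the last duplicate wins
# when Java loads a .properties file).
prop() {
    awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { print v }' "$1"
}

# active_xml FILE: the file on one line with <!-- ... --> comments removed, so
# a commented-out Connector is not mistaken for an active one.
active_xml() {
    awk '{ s = s $0 " " }
         END {
             while ((i = index(s, "<!--")) > 0) {
                 j = index(substr(s, i), "-->")
                 if (j == 0) { s = substr(s, 1, i - 1); break }
                 s = substr(s, 1, i - 1) substr(s, i + j + 2)
             }
             print s
         }' "$1"
}

# check_home_screen CONFIG_PROPERTIES SERVER_XML
# Prints one finding per line and returns the number of findings.
check_home_screen() {
    cfg=$1 xml=$2 findings=0
    note() { echo "$1"; findings=$((findings + 1)); }

    # 1. Values still holding a <placeholder> copied from the manual.
    for key in $(grep -E '^[^#=]+=.*<[A-Za-z_-]+>' "$cfg" | cut -d= -f1); do
        note "placeholder not replaced: $key"
    done

    # 2. home-screen.port must be numeric and match an active Tomcat Connector.
    port=$(prop "$cfg" home-screen.port)
    case $port in
        ''|*[!0-9]*) note "home-screen.port is not a number: '$port'" ;;
        *) active_xml "$xml" |
               grep -Eq "<Connector[^>]*[[:space:]]port=\"$port\"" ||
               note "no active Connector on port $port in $xml" ;;
    esac

    # 3. Both files hold passwords; neither should be readable by "other".
    for f in "$cfg" "$xml"; do
        [ -z "$(find "$f" -prune -perm -004)" ] || note "world-readable: $f"
    done

    return "$findings"
}

# Usage, with the paths from this manual:
#   check_home_screen /var/lib/tomcats/home-screen/conf/config.properties \
#                     /var/lib/tomcats/home-screen/conf/server.xml
```
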

### Nginx

Install and configure Nginx so that GBS Home Screen works with single sign-on (SSO) along with the other applications.

#### Nginx Installation

{% hint style="info" %}
If Nginx is already installed, skip to the section [Nginx Configuration](#configuracao-do-nginx).
{% endhint %}

Install Nginx:

```sh
sudo yum install nginx -y
```

Start Nginx:

```sh
sudo systemctl start nginx
```

#### Nginx Configuration

Enable Nginx to start with the system:

```sh
sudo systemctl enable nginx
```

{% hint style="danger" %}
If Nginx was already installed, check if a configuration file already exists in the directory `/etc/nginx/conf.d/`. If it exists, check the file to see if the *server block* is configured for **port 80** (`listen 80`) and for the **same** `server_name` of the GBS Home Screen host. If so, skip the instructions to create a new configuration file and add the settings below to the existing file.
{% endhint %}

Next, create a configuration file for Nginx:

```sh
sudo vim /etc/nginx/conf.d/web-apps.conf
```

Add the following information to the file. In *server*, replace `<ip_hostname_or_domain>` with the server's IP, hostname or domain:

```nginx
server {
   listen 80;
   server_name <ip_hostname_or_domain>;
   client_max_body_size 50M;
}
```

Next, still in *server*, add a configuration block for each application, mapping it to its IP and port. Replace `<app_name>`, `<protocol>`, `<app_name_ip>` and `<app_name_port>` with the correct values:

{% hint style="success" %}
The `<app_name>` can be: `bcc`, `cardscan`, `etr`, `mir`, `best`, `intelligence`, `smart-sense`, `print`, `control-panel` or `home-screen`.
{% endhint %}

```nginx
location /gbs-<app_name>-server {
   proxy_pass <protocol>://<app_name_ip>:<app_name_port>;
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
}
```

Example of a complete Nginx configuration file, containing routes for all applications, using their default ports. Replace `<ip_hostname_or_domain>`, `<protocol>` and `<app_name_ip>` with the correct values:

```nginx
server {
   listen 80;
   server_name <ip_hostname_or_domain>;
   client_max_body_size 50M;

   # HOME SCREEN:
   location /gbs-home-screen-server {
      proxy_pass <protocol>://<home-screen_ip>:8128;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # BCC
   location /gbs-bcc-server {
      proxy_pass <protocol>://<bcc_ip>:8124;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # CARDSCAN
   location /gbs-cardscan-server {
      proxy_pass <protocol>://<cardscan_ip>:8087;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }


   # ETR
   location /gbs-etr-server {
      proxy_pass <protocol>://<etr_ip>:8089;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # MIR
   location /gbs-mir-server {
      proxy_pass <protocol>://<mir_ip>:8120;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # BEST
   location /gbs-best-server {
      proxy_pass <protocol>://<best_ip>:8123;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # INTELLIGENCE
   location /gbs-intelligence-server {
      proxy_pass <protocol>://<intelligence_ip>:8122;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # SMART SENSE
   location /gbs-smart-sense-server {
      proxy_pass <protocol>://<smart-sense_ip>:8127;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # PRINT
   location /gbs-print-server {
      proxy_pass <protocol>://<print_ip>:8127;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # CONTROL PANEL
   location /gbs-control-panel-server {
      proxy_pass <protocol>://<control-panel_ip>:8121;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }
}
```

Save and close the configuration file.

Finally, reload the Nginx configuration:

```sh
sudo systemctl reload nginx
```
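
A route check that can be run on the file before the reload, as an added example rather than Griaule tooling: it reads the `location /gbs-<app_name>-server` blocks and reports a route with no `proxy_pass`, a `<placeholder>` left in the upstream address, a missing port, and two routes that proxy to the same `ip:port` (each application needs its own). The function name `check_gbs_routes` is hypothetical.

```shell
#!/bin/sh
# Added example, not Griaule tooling.

# check_gbs_routes NGINX_CONF
# Prints one finding per line and returns the number of findings.
check_gbs_routes() {
    awk '
    function report(msg) { print msg; n++ }

    # Opening line of an application route, e.g. "location /gbs-bcc-server {".
    $1 == "location" && $2 ~ "^/gbs-.*-server$" {
        loc = $2; target = ""
        if (loc in routes) { report("duplicate location: " loc) }
        routes[loc] = 1
        next
    }

    # proxy_pass inside the current route.
    loc != "" && $1 == "proxy_pass" {
        target = $2; sub(/;$/, "", target)
        if (target ~ /[<>]/) {
            report(loc ": placeholder left in proxy_pass " target)
        } else if (target !~ ":[0-9]+(/|$)") {
            report(loc ": proxy_pass has no explicit port: " target)
        } else if (target in owner) {
            report(loc " and " owner[target] " both proxy to " target)
        } else {
            owner[target] = loc
        }
    }

    # Closing brace of the current route.
    loc != "" && $1 == "}" {
        if (target == "") { report(loc ": no proxy_pass") }
        loc = ""
    }

    END { exit n + 0 }
    ' "$1"
}

# Usage, with the file name from this manual:
#   check_gbs_routes /etc/nginx/conf.d/web-apps.conf
```

Running `sudo nginx -t` as well catches syntax errors before `systemctl reload nginx` applies the file.
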

### Permissions

For the application icons to appear on the Home Screen, the user must have the necessary permissions. Each permission granted to the user (via LDAP integration) corresponds to an application, as shown in the table below:

| Application   | Permission                 |
| ------------- | -------------------------- |
| BCC           | bccdesktop\_user           |
| CardScan      | cardscan\_user             |
| ETR           | exception\_treatment\_user |
| MIR           | quality\_control\_user     |
| BEST          | forensic\_user             |
| Intelligence  | intelligence\_user         |
| SmartSense    | smartsense\_user           |
| Print         | printservice\_user         |
| Control Panel | controlpanel\_user         |

### Client Logo

In the top right corner of the web apps, it is possible to add the client's logo.

{% hint style="info" %}
This is an environment configuration. Thus, all users who access the application will see the same logo.
{% endhint %}

![](https://3757157672-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7Bx0xNdsdGHpCZ20yxbn%2Fuploads%2Fgit-blob-aa954a4ac2a3ecdf60d9d2f283c667e8968cfcea%2Flogo.png?alt=media)

To do this, in the table `sphinx.settings` in the database, create or change the configuration `organization.logo` (type `APPS`) to the path of the desired logo. The application (user `tomcat`) must have read access to the file in order to load it.

{% hint style="warning" %}
The **dimensions** of the logo should be **320x132** pixels so that the entire area is filled. If the image is larger, smaller or in another ratio, it will be resized and the remaining area will be filled with white color.

The preferred image formats are **PNG** and **JPG**.
{% endhint %}

![](https://3757157672-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7Bx0xNdsdGHpCZ20yxbn%2Fuploads%2Fgit-blob-e7740668dd12f293e233a19295633b6a3d807bf5%2Flogo_config.png?alt=media)

## Accessing the application

GBS Home Screen, like the other applications, must be accessed without using the port, since Nginx will automatically redirect the request to the correct port. Thus, when performing a single login (SSO), the user will have access to all applications they have permission to use.

The access URL format is:

```html
<protocol>://<ip_or_domain>/gbs-<app_name>-server/react/
^^^^^^^^^^   ^^^^^^^^^^^^^^     ^^^^^^^^^^
```

{% hint style="success" %}
The `<app_name>` can be: `bcc`, `cardscan`, `etr`, `mir`, `best`, `intelligence`, `smart-sense`, `print`, `control-panel` or `home-screen`.
{% endhint %}

Examples:

* GBS Home Screen: <http://172.16.0.185/gbs-home-screen-server/react/>
* GBS BCC: <http://172.16.0.185/gbs-bcc-server/react/>
* GBS ETR: <http://172.16.0.185/gbs-etr-server/react/>

***

* GBS Home Screen: <https://my.server.com/gbs-home-screen-server/react/>
* GBS CardScan: <https://my.server.com/gbs-cardscan-server/react/>
* GBS MIR: <https://my.server.com/gbs-mir-server/react/>

{% hint style="danger" %}
If the applications are not accessed by the URL in the format described above (without port), that is, if they are accessed using their ports directly, the **single sign-on** (SSO) **will not work** and login will have to be performed in each application separately.
{% endhint %}

## Finishing the Configurations

After finishing all configuration steps, return to the [GBS Apps Installation Manual - Configuration Section](https://docs.griaule.com/gbs/en/gbsappssetup#configuracoes).

## Configuration File Example

This section shows an example of the file `config.properties`.

{% hint style="warning" %}
The parameters `<rdb_ip>`, `<rdb_username>`, `<rdb_encrypted_password>`, `<gbds_ip>`, `<gbds_username>`, `<gbds_password>`, `<home_screen_ip>`, `<protocol>`, `<keystore_path>`, `<keystore_password>`, `<truststore_path>`, `<truststore_password>`, `<ldap_ip>`, `<ldap_username>`, `<ldap_password>`, `<email_password>` and `<email_address>` must be replaced with appropriate values.
{% endhint %}

```properties
# **********************************************************************************************
#
#      /$$   /$$  /$$$$$$  /$$      /$$ /$$$$$$$$
#     | $$  | $$ /$$__  $$| $$$    /$$$| $$_____/
#     | $$  | $$| $$  \ $$| $$$$  /$$$$| $$
#     | $$$$$$$$| $$  | $$| $$ $$/$$ $$| $$$$$
#     | $$__  $$| $$  | $$| $$  $$$| $$| $$__/
#     | $$  | $$| $$  | $$| $$\  $ | $$| $$
#     | $$  | $$|  $$$$$$/| $$ \/  | $$| $$$$$$$$
#     |__/  |__/ \______/ |__/     |__/|________/
#
#       /$$$$$$   /$$$$$$  /$$$$$$$  /$$$$$$$$ /$$$$$$$$ /$$   /$$
#      /$$__  $$ /$$__  $$| $$__  $$| $$_____/| $$_____/| $$$ | $$
#     | $$  \__/| $$  \__/| $$  \ $$| $$      | $$      | $$$$| $$
#     |  $$$$$$ | $$      | $$$$$$$/| $$$$$   | $$$$$   | $$ $$ $$
#      \____  $$| $$      | $$__  $$| $$__/   | $$__/   | $$  $$$$
#      /$$  \ $$| $$    $$| $$  \ $$| $$      | $$      | $$\  $$$
#     |  $$$$$$/|  $$$$$$/| $$  | $$| $$$$$$$$| $$$$$$$$| $$ \  $$
#      \______/  \______/ |__/  |__/|________/|________/|__/  \__/
#
# **********************************************************************************************
# DATABASE (RDB)
jdbc.driverClassName=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://<rdb_ip>:3306/sphinx?useSSL=false
jdbc.username=<rdb_username>
jdbc.password=<rdb_encrypted_password>
jdbc.dialect=org.hibernate.dialect.MySQLDialect
jdbc.showSql=false

# **********************************************************************************************
# GBDS CONNECTION (& AUTHENTICATION LDAP ONLY)
gbds.url=http://<gbds_ip>:8085
gbds.user=<gbds_username>
gbds.key=<gbds_password>
gbds.logLevel=INFO
gbds.additionalHeaders={}
gbds.flushDebugRequests=false
gbds.timeout=300
gbds.listExceptions.labels=

# **********************************************************************************************
# GUI SETTINGS
home-screen.ip=<home_screen_ip>
home-screen.port=8128
home-screen.protocol=<protocol>
locale=en_us

# **********************************************************************************************
# OTHER SETTINGS
gbds.latent.search.url=null
gbds.proxy.url=null
gbds.proxy.port=0

keystore.path=<keystore_path>
keystore.password=<keystore_password>
truststore.path=<truststore_path>
truststore.password=<truststore_password>

# **********************************************************************************************
# SESSION SETTINGS
same.user.simultaneous.login=true
fingerprint.useSDK=false
image.convert.useJnbis=false
filter.people.pguid=ALL
faceQuality.qtdeMinErrors=2
session.expirationTime.server=8h
session.expirationTime.web=8h
notification.last.timestamp=15

ldap.url=http://<ldap_ip>:8082/
ldap.user=<ldap_username>
ldap.password=<ldap_password>
codeValidTime=10
deviceTime=6

# **********************************************************************************************
# EMAIL
email.host=smtp.gmail.com
email.host.port=587
email.from=<email_address>
email.password=<email_password>
email.python.path=python
email.use.script.python=true

profile.cacheSize=100
profile.cacheTime=5m
locale=pt_br
```
