1. Introduction

This manual describes the configuration of the server-side components of the GBS Home Screen application.

The configuration procedure should only be carried out after the installation step. For more information, refer to the GBS Apps Installation Manual.

2. Configuration

The configuration steps are:

  1. Configure Tomcat;
  2. Configure certificates;
  3. Generate the encrypted password;
  4. Configure other properties in the config.properties file;
  5. Install and configure Nginx;
  6. Configure permissions;
  7. Configure the organization logo;

All the steps are described below. An example of the config.properties file can be found in the Configuration File Example section.

Danger

All lines must be present in the configuration file. Commenting out or deleting lines may cause unexpected behavior. For additional information, contact the Griaule Support Team.

2.1. Tomcat Configuration

Edit the Tomcat configuration file to set up the certificates and the port that the application will use.

vim /var/lib/tomcats/home-screen/conf/server.xml

To change the port, look for Connector port=. This is the port for backend operations.

The default port for GBS Home Screen is 8128.

2.2. Certificates Configuration

To enable SSL authentication, look for Connector port= in the same server.xml file (/var/lib/tomcats/home-screen/conf/server.xml).

There are several entries. Look for the one that defines an SSL HTTP/1.1 Connector. If necessary, remove the comment delimiters <!-- and -->. Then, adjust the following settings:

port="58194"
keystoreFile="/home/griaule/keystore"
keystorePass="password"
keyAlias="1"
clientAuth="true"
truststoreFile="/home/griaule/keystore"
truststorePass="password"

The port parameter should be the desired network port for the application.

Change the path for keystoreFile and truststoreFile to the correct values, and set keystorePass and truststorePass to the actual store passwords rather than the sample value shown above.

The clientAuth="true" parameter enables mutual (two-way) TLS authentication: the server presents its certificate to the client, and the client must present its own certificate to the server. This means that the client will need to import the certificate into the browser to access the application.

Warning

When clientAuth is set to true, the system administrator must provide the certificate.pfx file to the end users.

2.3. Database Password Encryption

In the config.properties file, the jdbc.password parameter is an encrypted password. To generate the encrypted password, follow the steps below:

Note

If the directory /var/lib/tomcats/home-screen/webapps/gbs-home-screen-server/WEB-INF/lib does not exist, start the application (systemctl start tomcat@home-screen.service) once so that the directory is created. Then, stop the application (systemctl stop tomcat@home-screen.service) and continue with the configuration procedure.

  1. Access the following directory:

    cd /var/lib/tomcats/home-screen/webapps/gbs-home-screen-server/WEB-INF/lib
    
  2. Run the command:

    java -cp gbs-common-db-<version>.jar com.griaule.commons.util.EncryptUtil <desiredPassword>
    
  3. The encrypted password will appear after the message: “Encrypted password is:”

Note

Save the encrypted password. It will be used in the next step.

2.4. Application Properties File

Open the configuration file:

vim /var/lib/tomcats/home-screen/conf/config.properties

Some important changes in this file are the jdbc.url, jdbc.username, jdbc.password, and gbds.url parameters. Configure them according to your environment.

An example of the complete configuration file is shown in the Configuration File Example section.

Note

Remember to set jdbc.password in this file to the encrypted password generated in the Database Password Encryption section.

2.4.1. Home Screen Settings

Next, configure the IP, port, and protocol for accessing the application. The IP and port should be the same as those configured in the Tomcat Configuration section.

home-screen.ip=<ip>
home-screen.port=<port>
home-screen.protocol=<protocol>

Important

Make sure the home-screen.ip, home-screen.port, and home-screen.protocol configuration parameters are correctly specified in the config.properties file. In many cases, the IP will be the same for multiple applications. However, each application will have a different and unique port.
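The check below is an added example for the Tomcat Configuration and Home Screen Settings steps; it is not part of the Griaule manual. It parses config.properties and the Tomcat server.xml, reports <placeholder> values that were never replaced, verifies that home-screen.port matches the port of the Tomcat SSL connector, and flags a keystore or truststore password left at the sample value shown in the Certificates Configuration section. The file contents embedded in the script are constructed samples; the required-key list and file paths are taken from the manual, and the rule that a TLS connector implies home-screen.protocol=https is this example's assumption.

```python
"""Cross-check config.properties against the Tomcat SSL connector.

Added example for the Tomcat and Home Screen Settings steps; not part of
the Griaule manual. The sample file contents below are constructed.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Paths from the manual.
SERVER_XML_PATH = "/var/lib/tomcats/home-screen/conf/server.xml"
PROPERTIES_PATH = "/var/lib/tomcats/home-screen/conf/config.properties"

# Keys the manual calls out as environment-specific.
REQUIRED_KEYS = (
    "jdbc.url", "jdbc.username", "jdbc.password", "gbds.url",
    "home-screen.ip", "home-screen.port", "home-screen.protocol",
)

PLACEHOLDER = re.compile(r"<[^<>]+>")  # e.g. <rdb_ip>, <protocol>
SAMPLE_STORE_PASSWORD = "password"     # the value shown in the certificates step


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments;
    a repeated key keeps its last value, as java.util.Properties does."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def tomcat_ssl_connector(server_xml):
    """Return the attributes of the TLS connector (the one carrying
    clientAuth or SSLEnabled="true"), or None if there is none."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if "clientAuth" in conn.attrib or conn.get("SSLEnabled") == "true":
            return dict(conn.attrib)
    return None


def check_config(props_text, server_xml):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    props = parse_properties(props_text)
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append(f"missing key: {key}")
        elif PLACEHOLDER.search(props[key]):
            findings.append(f"placeholder not replaced: {key}={props[key]}")

    conn = tomcat_ssl_connector(server_xml)
    if conn is None:
        findings.append("no SSL connector found in server.xml")
        return findings
    if conn.get("port") != props.get("home-screen.port"):
        findings.append(f"home-screen.port={props.get('home-screen.port')} "
                        f"but the Tomcat connector listens on {conn.get('port')}")
    # Assumption of this example: a TLS connector is reached over https.
    if props.get("home-screen.protocol") not in (None, "https"):
        findings.append(f"home-screen.protocol={props['home-screen.protocol']} "
                        "but the connector is TLS")
    for attr in ("keystorePass", "truststorePass"):
        if conn.get(attr) == SAMPLE_STORE_PASSWORD:
            findings.append(f"{attr} is still the manual's sample value")
    return findings


# Constructed samples: a connector on the default port 8128, and a properties
# file that still carries one placeholder and points at a different port.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8128" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/home/griaule/keystore" keystorePass="password"
               keyAlias="1" clientAuth="true"
               truststoreFile="/home/griaule/keystore" truststorePass="S3cret!" />
  </Service>
</Server>
"""

SAMPLE_PROPERTIES = """# constructed sample, not a real deployment
jdbc.url=jdbc:mysql://10.0.0.5:3306/sphinx?useSSL=false
jdbc.username=sphinx
jdbc.password=<rdb_encrypted_password>
gbds.url=http://10.0.0.6:8085
home-screen.ip=10.0.0.7
home-screen.port=58194
home-screen.protocol=https
"""

if __name__ == "__main__":
    # Usage: python check_config.py [config.properties server.xml]
    if len(sys.argv) == 3:
        props_text = open(sys.argv[1], encoding="utf-8").read()
        server_xml = open(sys.argv[2], encoding="utf-8").read()
    else:
        props_text, server_xml = SAMPLE_PROPERTIES, SAMPLE_SERVER_XML
    for finding in check_config(props_text, server_xml) or ["OK: files agree"]:
        print(finding)
```

Run against the real files with the two paths from the manual as arguments; with no arguments it runs on the embedded samples and reports the unreplaced jdbc.password placeholder, the port mismatch and the sample keystore password.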

2.5. Nginx

Install and configure Nginx so that GBS Home Screen works with Single Sign On (SSO) along with other applications.

2.5.1. Installing Nginx

Note

If Nginx is already installed, skip to the Configuring Nginx section.

Install Nginx:

sudo yum install nginx -y

Start Nginx:

sudo systemctl start nginx

2.5.2. Configuring Nginx

Enable Nginx to start with the system:

sudo systemctl enable nginx

Danger

If Nginx was already installed, check if a configuration file already exists in the /etc/nginx/conf.d/ directory. If it does, check the file to see if the server block is configured for port 80 (listen 80) and for the same server_name as the GBS Home Screen host. If so, skip the instructions for creating a new configuration file and add the settings below to the existing file.

Next, create a configuration file for Nginx:

sudo vim /etc/nginx/conf.d/web-apps.conf

Add the following information to the file. In server, replace <ip_hostname_or_domain> with the IP, hostname, or domain of the server:

server {
   listen 80;
   server_name <ip_hostname_or_domain>;
   client_max_body_size 50M;
}

Next, inside the same server block, add a location block for each application, mapping it to the application's IP and port. Replace <app_name>, <protocol>, <app_name_ip> and <app_name_port> with the correct values:

Tip

The <app_name> can be: bcc, cardscan, etr, mir, best, intelligence, smart-sense, print, control-panel, or home-screen.

location /gbs-<app_name>-server {
   proxy_pass <protocol>://<app_name_ip>:<app_name_port>;
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
}

The following is an example of a complete Nginx configuration file containing routes for all applications, using their default ports. Replace <ip_hostname_or_domain>, <protocol>, and each application's IP placeholder (<home-screen_ip>, <bcc_ip>, and so on) with the correct values:

server {
   listen 80;
   server_name <ip_hostname_or_domain>;
   client_max_body_size 50M;

   # HOME SCREEN:
   location /gbs-home-screen-server {
      proxy_pass <protocol>://<home-screen_ip>:8128;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # BCC
   location /gbs-bcc-server {
      proxy_pass <protocol>://<bcc_ip>:8124;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # CARDSCAN
   location /gbs-cardscan-server {
      proxy_pass <protocol>://<cardscan_ip>:8087;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }


   # ETR
   location /gbs-etr-server {
      proxy_pass <protocol>://<etr_ip>:8089;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # MIR
   location /gbs-mir-server {
      proxy_pass <protocol>://<mir_ip>:8120;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # BEST
   location /gbs-best-server {
      proxy_pass <protocol>://<best_ip>:8123;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # INTELLIGENCE
   location /gbs-intelligence-server {
      proxy_pass <protocol>://<intelligence_ip>:8122;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # SMART SENSE
   location /gbs-smart-sense-server {
      proxy_pass <protocol>://<smart-sense_ip>:8127;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # PRINT
   location /gbs-print-server {
      proxy_pass <protocol>://<print_ip>:8127;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

   # CONTROL PANEL
   location /gbs-control-panel-server {
      proxy_pass <protocol>://<control-panel_ip>:8121;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }
}

Save and close the configuration file.

Finally, reload the Nginx configurations:

sudo systemctl reload nginx
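As an added example (not part of the Griaule manual and not an Nginx tool), the script below generates the server block described above from a list of (app, ip, port) upstreams, one location per application on the /gbs-<app_name>-server path the manual uses, and refuses to emit output that still contains an unreplaced <placeholder> or an application name outside the manual's list. The upstream list and server name at the bottom are constructed samples.

```python
"""Build the Nginx reverse-proxy configuration described in the Nginx step.

Added example; not part of the Griaule manual or of Nginx. The sample
upstreams below are constructed.
"""
import re

# Application names accepted by the manual's Tip.
KNOWN_APPS = frozenset({"bcc", "cardscan", "etr", "mir", "best", "intelligence",
                        "smart-sense", "print", "control-panel", "home-screen"})

PLACEHOLDER = re.compile(r"<[^<>]+>")  # e.g. <bcc_ip>, <ip_hostname_or_domain>

# One location block, in the layout the manual shows.
LOCATION_TEMPLATE = """\
   # {label}
   location /gbs-{app}-server {{
      proxy_pass {protocol}://{ip}:{port};
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }}
"""


def upstream_problems(app, protocol, ip, port):
    """Validate one upstream before rendering; returns a list of problems."""
    problems = []
    if app not in KNOWN_APPS:
        problems.append(f"unknown app: {app}")
    if protocol not in ("http", "https"):
        problems.append(f"unsupported protocol: {protocol}")
    if PLACEHOLDER.search(str(ip)):
        problems.append(f"placeholder left in ip: {ip}")
    if not (isinstance(port, int) and 1 <= port <= 65535):
        problems.append(f"invalid port: {port!r}")
    return problems


def location_block(app, protocol, ip, port):
    """Render one validated location block."""
    problems = upstream_problems(app, protocol, ip, port)
    if problems:
        raise ValueError("; ".join(problems))
    return LOCATION_TEMPLATE.format(label=app.upper().replace("-", " "),
                                    app=app, protocol=protocol, ip=ip, port=port)


def server_block(server_name, upstreams, protocol="https", max_body="50M"):
    """upstreams: iterable of (app, ip, port). Returns the full server { } block."""
    if PLACEHOLDER.search(server_name):
        raise ValueError(f"placeholder left in server_name: {server_name}")
    header = "\n".join(["server {",
                        "   listen 80;",
                        f"   server_name {server_name};",
                        f"   client_max_body_size {max_body};"])
    blocks, seen = [], set()
    for app, ip, port in upstreams:
        if app in seen:  # two locations with the same prefix would be an Nginx error
            raise ValueError(f"duplicate location for app: {app}")
        seen.add(app)
        blocks.append(location_block(app, protocol, ip, port).rstrip())
    return header + "\n\n" + "\n\n".join(blocks) + "\n}\n"


def proxied_path(app):
    """Path prefix Nginx maps for an app; it is also the prefix of the
    port-less access URL (<protocol>://<ip_or_domain>/gbs-<app_name>-server/react/)."""
    return f"/gbs-{app}-server"


# Constructed sample: three applications on their manual default ports.
SAMPLE_UPSTREAMS = [
    ("home-screen", "10.0.0.7", 8128),
    ("bcc", "10.0.0.8", 8124),
    ("control-panel", "10.0.0.9", 8121),
]

if __name__ == "__main__":
    print(server_block("apps.example.internal", SAMPLE_UPSTREAMS))
```

Write the printed output to /etc/nginx/conf.d/web-apps.conf, then run `sudo nginx -t` to syntax-check the file before `sudo systemctl reload nginx`, so a typo does not take the proxy down.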

2.6. Permissions

For the application icons to appear on the Home Screen, the user must have the necessary permissions. Each permission granted to the user (via LDAP integration) corresponds to an application, as shown in the table below:

Application    Permission
BCC            bccdesktop_user
CardScan       cardscan_user
ETR            exception_treatment_user
MIR            quality_control_user
BEST           forensic_user
Intelligence   intelligence_user
SmartSense     smartsense_user
Print          printservice_user
Control Panel  controlpanel_user

3. Accessing the Application

GBS Home Screen, like the other applications, should be accessed without specifying the port: Nginx forwards the request to the correct backend port. In this way, after a single sign-on (SSO), the user has access to all applications they have permission to use.

The access URL format is:

<protocol>://<ip_or_domain>/gbs-<app_name>-server/react/

Tip

The <app_name> can be: bcc, cardscan, etr, mir, best, intelligence, smart-sense, print, control-panel, or home-screen.

Examples:


Error

If the applications are not accessed through the URL in the format described above (without the port), i.e., if they are accessed using their ports directly, the single sign-on (SSO) will not work, and login will have to be done separately for each application.

4. Finalizing the Configurations

After completing all the configuration steps, return to the GBS Apps Installation Manual - Configuration Section.

5. Configuration File Example

This section shows an example of the config.properties file.

Warning

The parameters <rdb_ip>, <rdb_username>, <rdb_encrypted_password>, <gbds_ip>, <gbds_username>, <gbds_password>, <home_screen_ip>, <protocol>, <keystore_path>, <keystore_password>, <truststore_path>, <truststore_password>, <ldap_ip>, <ldap_username>, <ldap_password>, <email_password> and <email_address> must be replaced with the appropriate values.

# **********************************************************************************************
#
#      /$$   /$$  /$$$$$$  /$$      /$$ /$$$$$$$$
#     | $$  | $$ /$$__  $$| $$$    /$$$| $$_____/
#     | $$  | $$| $$  \ $$| $$$$  /$$$$| $$
#     | $$$$$$$$| $$  | $$| $$ $$/$$ $$| $$$$$
#     | $$__  $$| $$  | $$| $$  $$$| $$| $$__/
#     | $$  | $$| $$  | $$| $$\  $ | $$| $$
#     | $$  | $$|  $$$$$$/| $$ \/  | $$| $$$$$$$$
#     |__/  |__/ \______/ |__/     |__/|________/
#
#       /$$$$$$   /$$$$$$  /$$$$$$$  /$$$$$$$$ /$$$$$$$$ /$$   /$$
#      /$$__  $$ /$$__  $$| $$__  $$| $$_____/| $$_____/| $$$ | $$
#     | $$  \__/| $$  \__/| $$  \ $$| $$      | $$      | $$$$| $$
#     |  $$$$$$ | $$      | $$$$$$$/| $$$$$   | $$$$$   | $$ $$ $$
#      \____  $$| $$      | $$__  $$| $$__/   | $$__/   | $$  $$$$
#      /$$  \ $$| $$    $$| $$  \ $$| $$      | $$      | $$\  $$$
#     |  $$$$$$/|  $$$$$$/| $$  | $$| $$$$$$$$| $$$$$$$$| $$ \  $$
#      \______/  \______/ |__/  |__/|________/|________/|__/  \__/
#
# **********************************************************************************************
# DATABASE (RDB)
jdbc.driverClassName=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://<rdb_ip>:3306/sphinx?useSSL=false
jdbc.username=<rdb_username>
jdbc.password=<rdb_encrypted_password>
jdbc.dialect=org.hibernate.dialect.MySQLDialect
jdbc.showSql=false

# **********************************************************************************************
# GBDS CONNECTION (& AUTHENTICATION LDAP ONLY)
gbds.url=http://<gbds_ip>:8085
gbds.user=<gbds_username>
gbds.key=<gbds_password>
gbds.logLevel=INFO
gbds.additionalHeaders={}
gbds.flushDebugRequests=false
gbds.timeout=300
gbds.listExceptions.labels=

# **********************************************************************************************
# GUI SETTINGS
home-screen.ip=<home_screen_ip>
home-screen.port=8128
home-screen.protocol=<protocol>
locale=en_us

# **********************************************************************************************
# OTHER SETTINGS
gbds.latent.search.url=null
gbds.proxy.url=null
gbds.proxy.port=0

keystore.path=<keystore_path>
keystore.password=<keystore_password>
truststore.path=<truststore_path>
truststore.password=<truststore_password>

# **********************************************************************************************
# SESSION SETTINGS
same.user.simultaneous.login=true
fingerprint.useSDK=false
image.convert.useJnbis=false
filter.people.pguid=ALL
faceQuality.qtdeMinErrors=2
session.expirationTime.server=8h
session.expirationTime.web=8h
notification.last.timestamp=15

ldap.url=http://<ldap_ip>:8082/
ldap.user=<ldap_username>
ldap.password=<ldap_password>
codeValidTime=10
deviceTime=6

# **********************************************************************************************
# EMAIL
email.host=smtp.gmail.com
email.host.port=587
email.from=<email_address>
email.password=<email_password>
email.python.path=python
email.use.script.python=true

profile.cacheSize=100
profile.cacheTime=5m
locale=pt_br