Configure the License Server
Overview
You configure the License Server using a file named spring-context.xml, located in the conf folder.
The License Server cannot start if there is no configuration file, or if the file does not define security properties.
Configure SSL/TLS
The License Server communicates with Semarchy xDI clients over HTTP. Configure SSL/TLS first, either in the server itself as described below or on a proxy in front of it, because xDI Designer refuses insecure connections.
Enable SSL/TLS
To enable SSL/TLS, define security properties in a bean node with the com.semarchy.xdi.license.server.plugin.ssl.impl.DesignerSslPlugin class, as shown:
<beans ...>
<...>
<bean class="com.semarchy.xdi.license.server.plugin.ssl.impl.DesignerSslPlugin">
<property name="enableSsl" value="true"></property>
<property name="keyStoreType" value="JKS"></property>
<property name="keyStore" value="path_to_keystore/keystore.jks"></property>
<property name="keyStorePassword" value="keystore_password"></property>
<property name="keyAlias" value="key_alias"></property>
<property name="keyPassword" value="key_password"></property>
</bean>
<...>
</beans>
Parameter | Description |
---|---|
enableSsl | Mandatory. Enables (true) or disables (false) SSL/TLS. |
disableSNIHostCheck | Enables or disables strict hostname checks. Set it to true only when the certificate cannot pass the check, such as a self-signed certificate. |
keyStoreType | Java keystore type, such as JKS. |
keyStore | The relative or absolute path to the Java keystore containing the certificate used to secure the endpoints. |
keyStorePassword | Password of the keystore file. |
keyAlias | Alias of the key in the keystore. |
keyPassword | Password of the key. |
The keystore and key passwords are stored in clear text in spring-context.xml, so restrict read access to that file to the account that runs the License Server.
You can define additional SSL/TLS settings in the com.semarchy.xdi.license.server.plugin.tls.impl.DesignerTlsPlugin bean node: includeProtocols lists the protocol versions the server accepts and excludeProtocols the versions it refuses. The template below keeps every value commented out; uncomment TLSv1.2 under includeProtocols and TLSv1 and TLSv1.1 under excludeProtocols to refuse the deprecated versions.
<beans ...>
<...>
<bean class="com.semarchy.xdi.license.server.plugin.tls.impl.DesignerTlsPlugin">
<property name="includeProtocols">
<array value-type="java.lang.String">
<!--<value>TLSv1.2</value>-->
</array>
</property>
<!-- excludeProtocols: list of TLS protocols to refuse to use -->
<property name="excludeProtocols">
<array value-type="java.lang.String">
<!--<value>TLSv1</value>-->
<!--<value>TLSv1.1</value>-->
<!--<value>TLSv1.2</value>-->
</array>
</property>
</bean>
<...>
</beans>
Self-signed certificates
If you enable SSL/TLS and want to use a self-signed certificate, you must configure both the License Server and xDI Designer. The general steps are as follows:
- In the License Server configuration file, set the disableSNIHostCheck property to true.
- Add the self-signed certificate to Designer.
- Disable hostname verification in Designer.
For information about configuring these settings in Designer, see the section about the License Server certificate in Designer.
Your version of xDI Designer needs to be later than 20.4.0 to work with custom certificates.
Disable SSL/TLS
You can disable SSL/TLS in the License Server by setting the enableSsl property to false in the com.semarchy.xdi.license.server.plugin.ssl.impl.DesignerSslPlugin bean node.
If you disable SSL/TLS in the License Server, you must terminate TLS in front of it, for example on a reverse proxy or load balancer. This is required for xDI Designer, which refuses insecure connections.
<beans ...>
<...>
<bean class="com.semarchy.xdi.license.server.plugin.ssl.impl.DesignerSslPlugin">
<property name="enableSsl" value="false"></property>
</bean>
<...>
</beans>
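The following is an added example written for this page, not code from the Semarchy documentation or product: a Python check that reads the DesignerSslPlugin and DesignerTlsPlugin beans and reports the settings this page calls out as weak, namely enableSsl set to false without an upstream TLS terminator, disableSNIHostCheck set to true, missing keystore properties, and legacy protocol versions left in includeProtocols. The bean class and property names are the ones on this page; the three sample configurations, the wording of the findings and the decision to flag an empty protocol list are assumptions of the example.

```python
"""Lint the SSL/TLS beans of a License Server spring-context.xml.

Added example, not part of the Semarchy documentation or product. It reads
only the bean/property structure shown on this page; the sample
configurations and finding texts below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

SSL_PLUGIN = "com.semarchy.xdi.license.server.plugin.ssl.impl.DesignerSslPlugin"
TLS_PLUGIN = "com.semarchy.xdi.license.server.plugin.tls.impl.DesignerTlsPlugin"
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
KEY_PROPERTIES = ("keyStore", "keyStorePassword", "keyAlias", "keyPassword")

# Constructed sample: self-signed shortcut, missing key password, TLSv1 still allowed.
WEAK_CONFIG = f"""<beans>
  <bean class="{SSL_PLUGIN}">
    <property name="enableSsl" value="true"/>
    <property name="disableSNIHostCheck" value="true"/>
    <property name="keyStoreType" value="JKS"/>
    <property name="keyStore" value="conf/keystore.jks"/>
    <property name="keyStorePassword" value="keystore_password"/>
    <property name="keyAlias" value="licenseserver"/>
  </bean>
  <bean class="{TLS_PLUGIN}">
    <property name="includeProtocols"><array value-type="java.lang.String">
      <value>TLSv1</value><value>TLSv1.2</value></array></property>
  </bean>
</beans>"""

# Constructed sample: the same beans with the page's template values uncommented.
HARDENED_CONFIG = f"""<beans>
  <bean class="{SSL_PLUGIN}">
    <property name="enableSsl" value="true"/>
    <property name="keyStoreType" value="JKS"/>
    <property name="keyStore" value="conf/keystore.jks"/>
    <property name="keyStorePassword" value="keystore_password"/>
    <property name="keyAlias" value="licenseserver"/>
    <property name="keyPassword" value="key_password"/>
  </bean>
  <bean class="{TLS_PLUGIN}">
    <property name="includeProtocols"><array value-type="java.lang.String">
      <value>TLSv1.2</value></array></property>
    <property name="excludeProtocols"><array value-type="java.lang.String">
      <value>TLSv1</value><value>TLSv1.1</value></array></property>
  </bean>
</beans>"""

# Constructed sample: TLS switched off, acceptable only behind a TLS-terminating proxy.
PLAIN_CONFIG = f"""<beans>
  <bean class="{SSL_PLUGIN}"><property name="enableSsl" value="false"/></bean>
</beans>"""


def _bean(root, cls):
    """First <bean class=cls> element, or None."""
    return next((b for b in root.iter("bean") if b.get("class") == cls), None)


def _prop(bean, name):
    """The <property name=...> element of a bean, or None."""
    if bean is None:
        return None
    return next((p for p in bean.findall("property") if p.get("name") == name), None)


def _values(prop):
    """Texts of the <value> children of a property (empty if the property is absent)."""
    return [] if prop is None else [v.text.strip() for v in prop.iter("value") if v.text]


def lint_tls(xml_text):
    """Return a list of findings; an empty list means nothing to report."""
    root = ET.fromstring(xml_text)
    findings = []
    ssl = _bean(root, SSL_PLUGIN)
    if ssl is None:
        return ["no DesignerSslPlugin bean: the server will not start"]
    enable = _prop(ssl, "enableSsl")
    if enable is None:
        findings.append("enableSsl is mandatory but missing")
    elif enable.get("value", "").lower() != "true":
        # Nothing else matters when the server itself does not speak TLS.
        return ["enableSsl=false: terminate TLS on a proxy or load balancer in front of the server"]
    findings += [f"{name} is not set" for name in KEY_PROPERTIES if _prop(ssl, name) is None]
    sni = _prop(ssl, "disableSNIHostCheck")
    if sni is not None and sni.get("value", "").lower() == "true":
        findings.append("disableSNIHostCheck=true: hostname checks are off, acceptable only for a self-signed certificate")
    tls = _bean(root, TLS_PLUGIN)
    included = set(_values(_prop(tls, "includeProtocols")))
    excluded = set(_values(_prop(tls, "excludeProtocols")))
    if not included and not excluded:
        findings.append("DesignerTlsPlugin restricts no protocol versions; the JVM default applies")
    findings += [f"includeProtocols lists legacy {p}" for p in sorted(LEGACY_PROTOCOLS & included)]
    if included and not included & {"TLSv1.2", "TLSv1.3"}:
        findings.append("includeProtocols allows neither TLSv1.2 nor TLSv1.3")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("plain", PLAIN_CONFIG)):
        print(label, lint_tls(cfg) or ["ok"])
```

Run it against your own conf/spring-context.xml by passing the file contents to lint_tls; the hardened sample returns no findings, the weak sample returns three, and the plain sample returns the single reminder that something else must terminate TLS.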
Configure user filters
You can configure user filters to limit access to users defined in a configuration file or in an LDAP directory. User filters are enabled by adding two kinds of elements to the spring-context.xml file:
- One or more bean elements that each contain a filter definition, with a unique id.
- A bean element that acts as a filter manager, mapping each license group to the id of a filter definition.
All examples in this section can be found in the conf/samples/ directory. Use them as a starting point for your own configuration.
Configure static filtering
Use static filters to limit access to users defined in a configuration file.
To enable static filtering, the spring-context.xml file needs a bean with the class="com.semarchy.xdi.license.server.plugin.impl.DesignerFilterSimplePlugin" attribute, a list of allowed user accounts, and a logging property. The user list must contain operating system account names.
Use the following example as a starting point.
<!-- Filter management -->
<bean class="com.semarchy.xdi.license.server.plugin.impl.DesignerFilterManager">
<property name="plugins">
<map>
<!-- associate a license.xml xDI License Server group (in the key attribute) to a filter (in the value-ref attribute) -->
<entry key="default" value-ref="simpleFilter"></entry>
</map>
</property>
</bean>
<!-- Simple filter -->
<bean id="simpleFilter"
class="com.semarchy.xdi.license.server.plugin.impl.DesignerFilterSimplePlugin">
<!-- userNames: List of allowed username -->
<property name="userNames">
<list>
<value>tsmith</value>
<value>ejones</value>
<value>dwheldon</value>
</list>
</property>
<!-- logUserListAtStartup: log the allowed user list when the server starts -->
<property name="logUserListAtStartup" value="true"></property>
</bean>
Configure LDAP filters
Use LDAP filters to limit access to users defined in an LDAP directory.
To enable LDAP filtering, the spring-context.xml file needs three beans: one to define an LDAP source, one to bridge the source and the filter rules, and one for the rules themselves.
- Define the LDAP source in a bean with the class org.springframework.ldap.core.support.LdapContextSource.
- Define filtering in a bean with the class com.semarchy.xdi.license.server.plugin.impl.DesignerFilterLdapPlugin.
- Define a bean with the class org.springframework.ldap.core.LdapTemplate to act as a bridge between the other two.
Each Semarchy xDI user you want to allow must have an LDAP attribute that holds the operating system account name, and the name of that attribute must be set as the value of the userNameAttribute property. Prefer an ldaps:// URL for the LDAP source: a simple bind over plain ldap:// sends the password of the userDn account in clear text.
Use the following example as a starting point.
<!-- Filter management -->
<bean class="com.semarchy.xdi.license.server.plugin.impl.DesignerFilterManager">
<property name="plugins">
<map>
<!-- associate a license.xml group (in the key attribute) to a filter (in the value-ref attribute) -->
<entry key="default" value-ref="ldapFilter"></entry>
</map>
</property>
</bean>
<!-- LDAP configuration -->
<bean id="contextSource"
class="org.springframework.ldap.core.support.LdapContextSource">
<!-- url: The LDAP URL. format: ldap://<IP_ADDRESS>:<PORT> -->
<property name="url" value="ldap://xx.xx.xx.xx:yyy" />
<!-- userDn: The LDAP user to use -->
<property name="userDn" value="cn=admin,dc=myorganization,dc=org" />
<!-- password: The LDAP user password -->
<property name="password" value="LDAP_PASSWORD" />
</bean>
<bean id="ldapTemplate"
class="org.springframework.ldap.core.LdapTemplate">
<constructor-arg ref="contextSource" />
</bean>
<!-- LDAP filter -->
<bean id="ldapFilter"
class="com.semarchy.xdi.license.server.plugin.impl.DesignerFilterLdapPlugin">
<constructor-arg ref="ldapTemplate" />
<!-- base: The search base defines the starting point for the search in the directory tree -->
<property name="base" value="ou=people,dc=myorganization,dc=org"/>
<!-- filter: The filter to use in the search.
Note: the value is an XML attribute, so write the LDAP AND operator (&) as &amp;
-->
<property name="filter" value="objectClass=person"/>
<!-- userNameAttribute: LDAP attribute containing the allowed username -->
<property name="userNameAttribute" value="userName"/>
<!-- searchScope: Specifies the portion of the target subtree that should be considered. Supported search scope values are:
0: baseObject (also known as "base"): only the entry specified as the search base should be considered.
1: singleLevel (also known as "one"): only the immediate children of the entry specified as the search base should be considered.
2: wholeSubtree (also known as "sub"): indicates that the entry specified as the search base, and all of its subordinates to any depth, should be considered.
-->
<property name="searchScope" value="2"/>
<!-- logUserListAtStartup: Enable logging user "userNameAttribute" attribute when starting the server -->
<property name="logUserListAtStartup" value="true"/>
<!-- refreshInterval: Filter refresh interval (in seconds). Default value is 30 seconds -->
<property name="refreshInterval" value="600"/>
</bean>
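The search the ldapFilter bean describes, simulated on a constructed in-memory directory. This is an added example written for this page, not code from Semarchy xDI: the bean properties and class name are the page's, while the directory entries, the accountStatus attribute, the simplified filter grammar and the DN-suffix scope rule are assumptions of the example. It shows what changes when searchScope moves between 0, 1 and 2, how the & operator must be escaped as &amp; inside the attribute value, and that the names it returns are the same operating system account names the static filter lists explicitly.

```python
"""Simulate the search the ldapFilter bean describes, on an in-memory directory.

Added example, not part of Semarchy xDI. It applies base, filter, searchScope
and userNameAttribute the way the bean comments describe them to a constructed
set of entries, without contacting an LDAP server. The filter grammar is a
subset of RFC 4515: equality plus the &, | and ! operators.
"""
import xml.etree.ElementTree as ET

# Constructed bean, written as it must appear in spring-context.xml: the
# AND operator inside the attribute value is escaped as &amp;.
LDAP_FILTER_BEAN = """<beans>
  <bean id="ldapFilter"
        class="com.semarchy.xdi.license.server.plugin.impl.DesignerFilterLdapPlugin">
    <property name="base" value="ou=people,dc=myorganization,dc=org"/>
    <property name="filter" value="(&amp;(objectClass=person)(!(accountStatus=disabled)))"/>
    <property name="userNameAttribute" value="userName"/>
    <property name="searchScope" value="1"/>
  </bean>
</beans>"""

# Constructed directory as (dn, attributes); the entries and attribute names are assumptions.
DIRECTORY = [
    ("ou=people,dc=myorganization,dc=org", {"objectClass": "organizationalUnit"}),
    ("uid=tsmith,ou=people,dc=myorganization,dc=org", {"objectClass": "person", "userName": "tsmith"}),
    ("uid=ejones,ou=people,dc=myorganization,dc=org",
     {"objectClass": "person", "userName": "ejones", "accountStatus": "disabled"}),
    ("uid=dwheldon,ou=contractors,ou=people,dc=myorganization,dc=org",
     {"objectClass": "person", "userName": "dwheldon"}),
    ("uid=svc-build,ou=service,dc=myorganization,dc=org", {"objectClass": "person", "userName": "svc-build"}),
]


def read_ldap_filter_bean(xml_text):
    """Properties of the ldapFilter bean as a dict; ElementTree turns &amp; back into &."""
    root = ET.fromstring(xml_text)
    bean = next(b for b in root.iter("bean") if b.get("id") == "ldapFilter")
    return {p.get("name"): p.get("value") for p in bean.findall("property")}


def _components(body):
    """Split '(a=b)(c=d)...' into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def parse_filter(text):
    """Parse a filter into ('=', attr, value) or (op, [children]) with op in & | !."""
    text = text.strip()
    if not text.startswith("("):  # tolerate the bare 'objectClass=person' form used on the page
        text = f"({text})"
    body = text[1:-1]
    if body[0] in "&|!":
        return (body[0], [parse_filter(c) for c in _components(body[1:])])
    attr, _, value = body.partition("=")
    return ("=", attr.strip().lower(), value.strip())


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (lower-cased keys)."""
    op = node[0]
    if op == "=":
        return str(attrs.get(node[1], "")).lower() == node[2].lower()
    results = [matches(child, attrs) for child in node[1]]
    return all(results) if op == "&" else any(results) if op == "|" else not results[0]


def in_scope(dn, base, scope):
    """searchScope 0 = base entry only, 1 = its direct children, 2 = whole subtree."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in (0, 2)
    if not dn.endswith("," + base):
        return False
    levels_below = dn[:-len(base) - 1].count(",") + 1  # RDNs between the entry and the base
    return scope == 2 or (scope == 1 and levels_below == 1)


def allowed_users(settings, directory):
    """Account names the filter admits: userNameAttribute of every in-scope entry that matches."""
    tree = parse_filter(settings["filter"])
    scope = int(settings.get("searchScope", 2))
    attr = settings["userNameAttribute"].lower()
    allowed = []
    for dn, raw in directory:
        attrs = {k.lower(): v for k, v in raw.items()}
        if in_scope(dn, settings["base"], scope) and matches(tree, attrs) and attr in attrs:
            allowed.append(attrs[attr])
    return allowed
```

With the bean as written (searchScope 1) only tsmith is admitted: ejones is excluded by the filter, dwheldon sits one level deeper than the base, and svc-build is outside it. Changing searchScope to 2 adds dwheldon, and searchScope 0 admits nobody because the base entry itself is not a person; the page's bare objectClass=person filter with scope 2 admits the disabled account as well, which is the reason to put the disabled-account condition into the filter rather than rely on the directory layout.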