Installing the Back-End

enaio® coLab 11.0 »

The enaio® coLab back-end API has been programmed as a Spring Boot application.

Installation

Copy all resources from the service portal to a local directory (<colab-localfolder>) before you set up the backend.

Next, use SAM tools to install enaio® coLab.

  1. In the command prompt window, navigate to the <enaio_install>\service-manager\tools\sam directory.

  2. Run the following command: sam install <colab_localfolder>\colab-app\enaio-colab-app.jar.

    A message appears indicating that the configuration has been saved and enaio® coLab installed.

  3. Copy the <colab-localfolder>\colab-app\colab-prod.yml file to the <enaio_installation>\service-manager\config directory.

Configuration

Customize the application properties in the configuration file:

<enaio_installation>\service-manager\config\colab-prod.yml.

The following describes how to modify different sections of the configuration file.

Validate the .yml file using a tool of your choice after you have completed the configuration. The app cannot be started if the .yml file is invalid.
Sensitive data in the configuration file can be encrypted.

global:
  service:
    baseUrl: http://<gateway_IP>/colab

global.service.baseUrl should reference the backend URL. If you are using HTTPs, you will need to change the log accordingly.

epr:
  smtp:
    host: 127.0.0.1
    port: 26
    from:
      name: "enaio(c) coLab"
      address: enaio-colab@colab.dev
   auth:
     enable: true
     username: username
     password: pass

Set the SMTP properties in accordance with the settings of the system on which enaio® coLab was installed. If your e-mail server does not require authentication, you will not need an auth parameter.

The store parameter in the file-repository area should be set to fs.

file-system-dir: Parameter that defines the path where temporary files will be stored. The specified directory must be available in the file system (e.g., C:\data).

bucket: The bucket directory must be available in the file system within the file-system-dir path (e.g., C:\data\bucketdir).

In the Postgres area, uri is the URL of the Postgres server. The user name and password are valid for the enaio® coLab user you created when you installed Postgres. If your database and enaio® coLab are located on the same server, use localhost as the URL.

If Postgres and enaio® coLab are located on different servers, add the Postgres URL by following the steps below:

  1. Open the C:\Program Files\PostgreSQL\10\data\pg_hba.conf configuration file and search for the host all all 127.0.0.1/32 md5 entry.

  2. Copy and paste the line.

  3. Replace the IP 127.0.0.1 with your server IP address and save the file.

  4. To reload the Postgres configuration, open 'pgAdmin 4' as a Postgres user.

  5. Run the following query:

    select pg_reload_conf();

The following entry in colab-prod.yml is also necessary for new installations:

liquibase:
  contexts: legacy

Change to the <enaio_installation>\services\os_gateway\apps\os_gateway\config\ directory, open the application-prod.yml file and enter the following:

proxy:
  services:
   endpoints:
	- endpoint:				
		name: colab		
		url: 'http://<colab-IP>:8066'

Update the settings for external user login:

Replace:

handleRedirectsFromService: 'OSWebClient,osweb'

with:

handleRedirectsFromService: 'OSWebClient,osweb,epr,colab'

If the entry does not exist, create it now:

proxy:
  services:
    handleRedirectsFromService: 'OSWebClient,osweb,epr,colab'

When you are done, restart enaio® gateway.

Make the settings for enaio® server in the following configuration file:

<enaio_installation>\service-manager\config\application_blue.yml.

enaio.dms.username: <enaio_user>
  enaio.dms.password: <enaio_pw>
  server: enaiodms1.example.com:4000:50#enaiodms2.example.com:4000:50

All enaio® servers must be listed here.

The following settings for the NTLM login of enaio®users are required in enaio® enterprise-manager:

  • SSP login: Windows

  • Security support provider: NTLM

  • Login order: A or AI

  • User names for LoginPipe exceptions: all technical users of all services that are integrated in enaio®.

  • IP addresses for LoginPipe exceptions: all addresses of all services that are integrated in enaio®.

  • Alternative LoginPipe: UI

COLAB_USER

All enaio® users have access to enaio® coLab by default.

You can restrict access to all enaio® users in a group. The group does not need any other properties.

Add the following entry to the colab-prod.yml file located in the <enaio_installation>\service-manager\config\ directory, specifying the group name:
enaio:
colab-user-group: groupname

COLAB_ADMIN

Set up the 'COLAB_ADMIN' group in the user administration of enaio®. The group does not need any other properties.

Members of this group will be shown all existing project rooms after they have logged in. Detailed information about each project room can be called up. Project rooms, including those of project room owners, can also be managed and deleted.

You can give another group this function via an entry in the application-blue.yml file located in the <enaio_installation>\service-manager\config\ directory:

enaio.admin-user-group: NEW-GROUP_NAME

Login for External Users

You can configure the login settings for external users in enaio® coLab in the colab-prod.yml file. Users can log in using their Google, LinkedIn, or Microsoft accounts, or using Keycloak as the authentication instance.

To allow users to log in using their Microsoft accounts, follow these steps:

  1. Sign in to https://console.developers.google.com.

  2. Create a new project and go to the Credentials area.

  3. Click Create credentials and choose OAuth client ID.

  4. Select Web application as the application type.

  5. Retrieve the client ID and client secret and enter this information in the appropriate area in the colab-prod.yml configuration file.

  6. Click Authorized JavaScript origins and enter your domain with the protocol where enaio® gateway is installed.

    For example: http://<gateway-IP>:colab

  7. Under Authorized redirect URIs enter your domain name, followed by /epr/login/google/.

    Example: http://<gateway-IP>/colab/epr/login/google

  8. Modify the <enaio_installation>\service-manager\config\colab-prod.yml file:

    9. spring:
      security:
        oauth2:
          client:
            registration:
              google:
                clientId: client_id
                clientSecret: client_secret
                redirect-uri: ${global.service.baseUrl}/epr/login/google
                scope: openid, email, profile

To allow users to log in with their LinkedIn accounts, follow these steps:

  1. Log in to https://developer.linkedin.com/docs/oauth2 and perform step 1 only. After you have received the authentication keys (client ID and client secret), enter them in the corresponding section of the colab-prod.yml configuration file.

  2. Once the application has been created, enter your domain name under Authorized redirect URLs (along with the protocol and port), followed by /epr/login/linkedin.

  3. Modify the <enaio_installation>\service-manager\config\colab-prod.yml file:

    4. spring:
      security:
        oauth2:
          client:
            registration:
              linkedin:
                clientId: client_id
                clientSecret: client_secret
                redirect-uri: ${global.service.baseUrl}/epr/login/linkedin
                scope: r_emailaddress, r_liteprofile
                client-authentication-method: post
                authorization-grant-type: authorization_code
            provider:
              linkedin:
                authorization-uri: https://www.linkedin.com/oauth/v2/authorization
                token-uri: https://www.linkedin.com/oauth/v2/accessToken
                user-info-uri: https://api.linkedin.com/v2/me
                user-name-attribute: id

To allow users to log in using their Microsoft accounts, follow these steps:

  1. Log in to https://portal.azure.com and use the search field to search for App registration.

  2. Click 'New registration', enter the relevant information in each of the fields, and click 'Register'.

    The application ID/client ID and object ID are displayed.

  3. Click 'Certificates & secrets', followed by 'New client secret'.
  4. Copy the value of 'Client secret'.

    Microsoft displays the client secret only once

  5. Navigate to 'Authentication', click Add a platform, select Web on the configuration platform, then go to 'RedirectURL' and enter your domain name and protocol, followed by /epr/login/microsoft.

    Example: http://<gatewayIP>/colab/epr/login/microsoft

    When you are finished, enter the client secret along with the app key in the corresponding section of the colab-prod.yml configuration file.

  6. Modify the <enaio_installation>\service-manager\config\colab-prod.yml file:

    7. spring:
      security:
        oauth2:
          client:
            registration:
              microsoft:
                client-id: client_id
                client-secret: client_secret
                provider: microsoft
                redirect-uri: ${global.service.baseUrl}/epr/login/microsoft
                scope: openid, profile, email, https://graph.microsoft.com/.default
                client-authentication-method: basic
                authorization-grant-type: authorization_code
            provider:
              microsoft:
                authorization-uri: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
                token-uri: https://login.microsoftonline.com/common/oauth2/v2.0/token
                user-info-uri: https://graph.microsoft.com/v1.0/me
                jwk-set-uri: https://login.microsoftonline.com/common/discovery/v2.0/keys
                user-name-attribute: id

It is possible to use Keycloak as the authentication instance in enaio® coLab. For security and maintenance reasons, Keycloak must be installed on a separate server.

You first need to install and configure Keycloak using the installation files and following the instructions available at https://keycloak.org. User accounts are managed using your Keycloak instance.

To use Keycloak as the authentication instance in enaio® coLab, add the following configuration to the colab-prod.yml file:

spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: client_id
            client-secret: client_secret
            provider: keycloak
            redirect-uri: ${global.service.baseUrl}/epr/login/keycloak
            scope: openid, profile, email
            authorization-grant-type: authorization_code
            title: Keycloak server
        provider:
          keycloak:
            authorization-uri: http://<server_ip>:<port>/auth/realms/colab-test/protocol/openid-connect/auth
            token-uri: http://<server_ip>:<port>/auth/realms/colab-test/protocol/openid-connect/token
            user-info-uri: http://<server_ip>:<port>/auth/realms/colab-test/protocol/openid-connect/userinfo
            jwk-set-uri: http://<server_ip>:<port>/auth/realms/colab-test/protocol/openid-connect/certs
            user-name-attribute: sub

To check that the changes were applied after updating enaio® coLab, go to http://127.0.0.1:7273 > coLab app. Click 'Details' and then ‘Environment.' Search for the Keycloak properties and check that they are included in the list.

Integrating an Antivirus Scanner

In enaio® coLab, an antivirus scanner that checks documents that users want to insert can be integrated via webhook. If applicable, users will be notified correspondingly.

The update pages contain a description on its integration.

Update information can be found on the release pages.

Encryption of Configuration Values

The configuration values of the colab-prod.yml file in the \config\ directory of enaio® service-manager can be encrypted:

  • Open the command prompt as the administrator and change to the \service-manager\tools\encryption\ directory.

  • Run the following command: encode.bat "value" -W.

    The encrypted value is displayed in round brackets with 'ENC' before it: ENC(encryptedvalue).

  • Copy the encrypted value with the leading 'ENC' and with the round brackets and enter it into the configuration file.

  • Save the configuration and restart the service, if necessary.

If the value to be encrypted contains quotation marks or ends with a backslash, these characters must be preceded by the backslash.
Example: encode.bat "passwordwith\"quotation\"marks" -W