Installing the Back-End
The enaio® coLab back-end API has been programmed as a Spring Boot application.
Installation
Copy all resources from the service portal to a local directory (<colab-localfolder>) before you set up the backend.
Next, use SAM tools to install enaio® coLab.
-
In the command prompt window, navigate to the <enaio_install>\service-manager\tools\sam directory.
-
Run the following command: sam install <colab_localfolder>\colab-app\enaio-colab-app.jar.
A message appears indicating that the configuration has been saved and enaio® coLab installed.
-
Copy the <colab-localfolder>\colab-app\colab-prod.yml file to the <enaio_installation>\service-manager\config directory.
Configuration
Customize the application properties in the configuration file:
<enaio_installation>\service-manager\config\colab-prod.yml.
A configuration file with all parameters is available for download.
This section describes how you can extend and change various sections in the configuration file.
Validate the .yml file using a tool of your choice after you have completed the configuration. The app cannot be started if the .yml file is invalid.
Sensitive data in the configuration file can be encrypted.
global: service: baseUrl: http://<gateway_IP>/colab
global.service.baseUrl should reference the backend URL. If you are using HTTPs, you will need to change the log accordingly.
epr: smtp: host: 127.0.0.1 port: 26 from: name: "enaio(c) coLab" address: enaio-colab@colab.dev auth: enable: true username: username password: pass
Set the SMTP properties in accordance with the settings of the system on which enaio® coLab was installed. If your e-mail server does not require authentication, you will not need an auth parameter.
The store parameter in the file-repository area should be set to fs.
file-system-dir: Parameter that defines the path where temporary files will be stored. The specified directory must be available in the file system (e.g., C:\data).
bucket: The bucket directory must be available in the file system within the file-system-dir path (e.g., C:\data\bucketdir).
In the Postgres area, uri is the URL of the Postgres server. The user name and password are valid for the enaio® coLab user you created when you installed Postgres. If your database and enaio® coLab are located on the same server, use localhost as the URL.
If Postgres and enaio® coLab are located on different servers, add the Postgres URL by following the steps below:
-
Open the C:\Program Files\PostgreSQL\10\data\pg_hba.conf configuration file and search for the host all all 127.0.0.1/32 md5 entry.
-
Copy and paste the line.
-
Replace the IP 127.0.0.1 with your server IP address and save the file.
-
To reload the Postgres configuration, open 'pgAdmin 4' as a Postgres user.
-
Run the following query:
select pg_reload_conf();
The following entry in colab-prod.yml is also necessary for new installations:
liquibase:
contexts: legacy
Change to the <enaio_installation>\services\os_gateway\apps\os_gateway\config\ directory, open the application-prod.yml file and enter the following:
proxy: services: endpoints: - endpoint: name: colab url: 'http://<colab-IP>:8066'
Update the settings for external user login:
Replace:
handleRedirectsFromService: 'OSWebClient,osweb'
with:
handleRedirectsFromService: 'OSWebClient,osweb,epr,colab'
If the entry does not exist, create it now:
proxy: services: handleRedirectsFromService: 'OSWebClient,osweb,epr,colab'
When you are done, restart enaio® gateway.
Make the settings for enaio® server in the following configuration file:
<enaio_installation>\service-manager\config\application_blue.yml.
enaio.dms.username: <enaio_user> enaio.dms.password: <enaio_pw> server: enaiodms1.example.com:4000:50#enaiodms2.example.com:4000:50
All enaio® servers must be listed here.
The following settings for the NTLM login of enaio®users are required in enaio® enterprise-manager:
-
SSP login: Windows
-
Security support provider: NTLM
-
Login order: A or AI
-
User names for LoginPipe exceptions: all technical users of all services that are integrated in enaio®.
-
IP addresses for LoginPipe exceptions: all addresses of all services that are integrated in enaio®.
-
Alternative LoginPipe: UI
COLAB_USER
All enaio® users have access to enaio® coLab by default.
You can restrict access to all enaio® users in a group. The group does not need any other properties.
Add the following entry to the colab-prod.yml file located in the <enaio_installation>\service-manager\config\ directory, specifying the group name:
enaio:
colab-user-group: groupname
COLAB_ADMIN
Set up the 'COLAB_ADMIN' group in the user administration of enaio®. The group does not need any other properties.
Members of this group will be shown all existing project rooms after they have logged in. Detailed information about each project room can be called up. Project rooms, including those of project room owners, can also be managed and deleted.
You can give another group this function via an entry in the application-blue.yml file located in the <enaio_installation>\service-manager\config\ directory:
enaio.admin-user-group: NEW-GROUP_NAME
Login for External Users
You can configure the login settings for external users in enaio® coLab in the colab-prod.yml file. Users can log in using their Google, LinkedIn, or Microsoft accounts, or using Keycloak as the authentication instance.
To allow users to log in using their Microsoft accounts, follow these steps:
-
Sign in to https://console.developers.google.com.
-
Create a new project and go to the Credentials area.
-
Click Create credentials and choose OAuth client ID.
-
Select Web application as the application type.
-
Retrieve the client ID and client secret and enter this information in the appropriate area in the colab-prod.yml configuration file.
-
Click Authorized JavaScript origins and enter your domain with the protocol where enaio® gateway is installed.
For example: http://<gateway-IP>:colab
-
Under Authorized redirect URIs enter your domain name, followed by /epr/login/google/.
For example: http://<gateway-IP>/colab/epr/login/google
- Modify the <enaio_installation>\service-manager\config\colab-prod.yml file:
spring:
security:
oauth2:
client:
registration:
google:
clientId: client_id
clientSecret: client_secret
redirect-uri: ${global.service.baseUrl}/epr/login/google
scope: openid, email, profile
To allow users to log in with their LinkedIn accounts, follow these steps:
-
Log in to https://developer.linkedin.com/docs/oauth2 and perform step 1 only. After you have received the authentication keys (client ID and client secret), enter them in the corresponding section of the colab-prod.yml configuration file.
-
Once the application has been created, enter your domain name under Authorized redirect URLs (along with the protocol and port), followed by /epr/login/linkedin.
- Modify the <enaio_installation>\service-manager\config\colab-prod.yml file:
spring:
security:
oauth2:
client:
registration:
linkedin:
clientId: client_id
clientSecret: client_secret
redirect-uri: ${global.service.baseUrl}/epr/login/linkedin
scope: r_emailaddress, r_liteprofile
client-authentication-method: post
authorization-grant-type: authorization_code
provider:
linkedin:
authorization-uri: https://www.linkedin.com/oauth/v2/authorization
token-uri: https://www.linkedin.com/oauth/v2/accessToken
user-info-uri: https://api.linkedin.com/v2/me
user-name-attribute: id
To allow users to log in using their Microsoft accounts, follow these steps:
-
Log in to https://portal.azure.com and use the search field to search for App registration.
- Click 'New registration', enter the relevant information in each of the fields, and click 'Register'.
The application ID/client ID and object ID are displayed.
- Click 'Certificates & secrets', followed by 'New client secret'.
- Copy the value of 'Client secret'.
Microsoft displays the client secret only once
-
Navigate to 'Authentication', click Add a platform, select Web on the configuration platform, then go to 'RedirectURL' and enter your domain name and protocol, followed by /epr/login/microsoft.
For example: http://<gatewayIP>/colab/epr/login/microsoft
When you are finished, enter the client secret along with the app key in the corresponding section of the colab-prod.yml configuration file.
- Modify the <enaio_installation>\service-manager\config\colab-prod.yml file:
spring:
security:
oauth2:
client:
registration:
microsoft:
client-id: client_id
client-secret: client_secret
provider: microsoft
redirect-uri: ${global.service.baseUrl}/epr/login/microsoft
scope: openid, profile, email, https://graph.microsoft.com/.default
client-authentication-method: basic
authorization-grant-type: authorization_code
provider:
microsoft:
authorization-uri: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token-uri: https://login.microsoftonline.com/common/oauth2/v2.0/token
user-info-uri: https://graph.microsoft.com/v1.0/me
jwk-set-uri: https://login.microsoftonline.com/common/discovery/v2.0/keys
user-name-attribute: id
It is possible to use Keycloak as the authentication instance in enaio® coLab. For security and maintenance reasons, Keycloak must be installed on a separate server.
You first need to install and configure Keycloak using the installation files and following the instructions available at https://keycloak.org. User accounts are managed using your Keycloak instance.
To use Keycloak as the authentication instance in enaio® coLab, add the following configuration to the colab-prod.yml file:
spring:
security:
oauth2:
client:
registration:
keycloak:
client-id: client_id
client-secret: client_secret
provider: keycloak
redirect-uri: ${global.service.baseUrl}/epr/login/keycloak
scope: openid, profile, email
authorization-grant-type: authorization_code
title: Keycloak server
provider:
keycloak:
authorization-uri: http://<server_ip>:<port>/auth/realms/colab-test/protocol/openid-connect/auth
token-uri: http://<server_ip>:<port>/auth/realms/colab-test/protocol/openid-connect/token
user-info-uri: http://<server_ip>:<port>/auth/realms/colab-test/protocol/openid-connect/userinfo
jwk-set-uri: http://<server_ip>:<port>/auth/realms/colab-test/protocol/openid-connect/certs
user-name-attribute: sub
To check that the changes were applied after updating enaio® coLab, go to http://127.0.0.1:7273 > coLab app. Click 'Details' and then 'Environment.' Search for the Keycloak properties and check that they are included in the list.
Integrating an Antivirus Scanner
In enaio® coLab, a virus scanner can be integrated via webhook, which checks documents that users want to add. If applicable, users will be notified correspondingly.
The update pages contain a description on its integration.
Update information can be found on the release pages.
Encryption of Configuration Values
The configuration values of the colab-prod.yml file in the \config\ directory of enaio® service-manager can be encrypted:
-
Open the command prompt as the administrator and change to the \service-manager\tools\encryption\ directory.
-
Run the following command: encode.bat "value" -W.
The encrypted value is displayed in round brackets with 'ENC' before it: ENC(encryptedvalue).
-
Copy the encrypted value with the leading 'ENC' and with the round brackets and enter it into the configuration file.
-
Save the configuration and restart the service, if necessary.
If the value to be encrypted contains quotation marks or ends with a backslash, these characters must be preceded by the backslash.
Example: encode.bat "passwordwith\"quotation\"marks" -W