KnowGate Open Source CRM

Security Configuration

Configuring Domains and WorkAreas

After installing hipergate, the default user and password for entering the TEST WorkArea appear on screen.

Besides the TEST domain, hipergate comes with another two pre-created domains named REAL and DEMO.

Last, hipergate has two reserved domains named SYSTEM and MODEL with 5 users that must not be deleted, although their default passwords must be changed.
The MODEL domain must not be modified at all, except for changing the passwords of its already existing users. The SYSTEM domain is the one that provides the functionality of creating other new domains.

Default users and passwords
| User | Password | Comments |
|------|----------|----------|
| administrator@hipergate-test.com | TEST | |
| administrator@hipergate-demo.com | DEMO | |
| administrator@hipergate-real.com | REAL | |
| administrator@hipergate-system.com | hipergate | hipergate system administrator. This account is basically used for creating new domains. |
| administrator@hipergate-model.com | model | It is internally used only when a new domain is created. |
| superuser@hipergate-model.com | model | It is internally used only when a new domain is created. |
| user@hipergate-model.com | model | It is internally used only when a new domain is created. |
| guest@hipergate-model.com | model | It is internally used only when a new domain is created. |

For more information about how to create domains, workareas and users read the User Manual.

Recommendations for deleting or disabling unnecessary users

Connected as administrator@hipergate-system.com, delete all the domains that you are not going to use except MODEL. Never delete MODEL.

Connected as administrator@hipergate-model.com, change the passwords of all the users of the MODEL domain, but do not delete any of them.

Connected as administrator to each domain, delete the users that are not going to be used. Change the password of the remaining ones.

Restricting access to /admin directory

The subdirectory /admin contains a SQL interface which can be used for accessing the database. It is necessary to restrict access to that interface. Protect /admin with basic web server authentication.

Permissions of Tomcat over /tmp and /storage

The O.S. user that runs Tomcat (if not root) must have read and write permissions over directories /tmp (or C:\Temp in Windows) and over the storage directory set at hipergate.cnf.

Changing the database connection string and other configuration parameters

The file hipergate.cnf, located at /etc or C:\Windows, contains the information about the database connection and the directories where disk files are kept.
(The $CATALINA_HOME variable is not valid in hipergate.cnf; it is used below only for brevity.)

        # [Database]
        # Database connection parameters
        driver=org.postgresql.Driver
        dburl=jdbc:postgresql://127.0.0.1:5432/test
        schema=
        dbuser=postgres
        dbpassword=postgres

        # [Connection pool] 
        # Parameters that govern the behaviour of the database connection pool
        poolsize=32
        maxconnections=100
        logintimeout=20
        connectiontimeout=60000
        connectionreaperdelay=30000

        # [Files]
        # Directory for temporary files
        temp=/tmp

        # Webapp base URL
        webserver=http://hostname:8080
        # Image server base URL (optional)
        imageserver=http://hostname:8080/images

        # File access protocol, username and password
        fileprotocol=file://
        fileserver=localhost
        fileuser=
        filepassword=

        # Base directory for files that are stored outside the database
        storage=/opt/storage

        # Directory for temporary deleting scripts
        shelldir=/tmp
        
        # Base path for public files
        workareasput=$CATALINA_HOME/webapps/hipergate/workareas
        # base URL for public files
        workareasget=http://hostname:8080/workareas
        
        # Maximum allowed file upload (bytes)
        maxfileupload=10485760
        
        # [Misc]
        # Whether or not to perform XML schema validations
        setXMLValidation=1
        
        # Maximum threads launched by the job scheduler
        maxschedulerthreads=1
        
        # [WebMail]
        # Set protocol names in lowercase
        mail.transport.protocol=smtp
        mail.store.protocol=pop3
        mail.incoming=pop3.yourserver.com
        mail.outgoing=smtp.yourserver.com
        mail.user=
        
        # Lucene
        # Typically a directory under /storage where Lucene indexes are kept
        luceneindex=/opt/storage/luceneindex
        analyzer=org.apache.lucene.analysis.WhitespaceAnalyzer
        
        # LDAP
        ldapconnect=ldap://127.0.0.1:389/dc=hipergate,dc=org
        ldapuser=cn=Manager,dc=hipergate,dc=org
        ldappassword=manager
        ldapclass=com.knowgate.ldap.LDAPNovell
        
        # SMS
        smsprovider=A subclass of com.knowgate.sms.SMSPush (for example, com.knowgate.sms.SMSPushSybase365)
        smsaccount=sms_account_name
        smspassword=sms_account_password
        
        # Google
        googlemapskey=…
        
        # Yahoo!
        yahoobosskey=…
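
The following check is an added example, not part of hipergate. Run as the OS user that runs Tomcat, it reads hipergate.cnf, verifies that the temp and storage directories are readable and writable by that user, and reports password keys that still hold the values from the sample file above. The function names cnf_get and audit_cnf are hypothetical.

```shell
#!/bin/sh
# Added example, not part of hipergate. Run it as the OS user that runs Tomcat.
# Assumption: the sample passwords printed in the documentation should not
# survive into a deployed hipergate.cnf.

# cnf_get FILE KEY -> prints the value of KEY (last definition wins).
cnf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '\r'
}

# audit_cnf FILE -> prints one finding per line; prints nothing if clean.
audit_cnf() {
    cnf=$1
    # Directories the Tomcat user must be able to read and write.
    for key in temp storage; do
        dir=$(cnf_get "$cnf" "$key")
        if [ -z "$dir" ]; then
            echo "$key: not set"
        elif [ ! -d "$dir" ]; then
            echo "$key: $dir is not a directory"
        elif [ ! -r "$dir" ] || [ ! -w "$dir" ]; then
            echo "$key: $dir is not readable and writable by $(id -un)"
        fi
    done
    # Password keys still holding the value shown in the sample file.
    for pair in dbpassword=postgres ldappassword=manager \
                smspassword=sms_account_password; do
        key=${pair%%=*}
        if [ "$(cnf_get "$cnf" "$key")" = "${pair#*=}" ]; then
            echo "$key: still set to the documentation sample value"
        fi
    done
}

# Usage: sh audit_cnf.sh /etc/hipergate.cnf
if [ "$#" -eq 1 ]; then audit_cnf "$1"; fi
```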
        

A brief description of each parameter and its purpose follows.


driver
JDBC driver class name:
• org.postgresql.Driver (PostgreSQL)
• com.mysql.jdbc.Driver (MySQL)
• oracle.jdbc.driver.OracleDriver (Oracle)
• com.microsoft.sqlserver.jdbc.SQLServerDriver (SQL Server)

dburl
Database connection string:
• jdbc:postgresql://host_name:5432/nombre_bbdd (PostgreSQL)
• jdbc:mysql://host_name/name_bbdd (MySQL)
• jdbc:oracle:thin:@host_name:1521:oracle_sid (Oracle)
• jdbc:sqlserver://host_name:1433;SelectMethod=cursor;DatabaseName=db_name (SQL Server)

If the web server and the database are on the same machine then the host_name is "127.0.0.1" or "localhost".

schema
Database schema. May be the user owner of the tables.
In PostgreSQL, leave this parameter empty unless you experience problems accessing the table sql_features, in which case set schema=public. Leave schema blank for MySQL.
Examples:
• dbo (SQL Server)
• HIPERGATE (Oracle)
• public (PostgreSQL)

dbuser/dbpassword
User and password for connecting to the database.

poolsize
Number of connections that will be kept open by the connection pool ready to be reused.
A connection may only be open and waiting for a maximum of five minutes.
After that period of inactivity it will be closed by the pool manager, and the number of open connections will eventually go down to zero.
The default value is 32.
If this parameter is set to zero, then the pool is disabled and each connection to the database is obtained by directly calling java.sql.DriverManager.getConnection().

maxconnections
Absolute maximum number of connections that can be opened simultaneously against the database.

logintimeout
Maximum time (in seconds) to wait for obtaining a connection to the database.
The default value is 20.

temp
Temporary storage. Uploaded files are placed here before being moved to the final storage directory, along with some temporary files.
Examples:
• /tmp (Linux)
• C:\\TEMP (Windows)

webserver
URL to hipergate's JSP root directory. This parameter is utilized to compose relative and absolute URLs in each module.
Examples:
• http://server:port/webapp
• http://myserver:8080/
• http://localhost:7001/hipergateWeb (example with WebLogic)

imageserver
Optional URL to image server. All static images (icons, graphics, etc) can be placed in a separate web server, or left on a directory on the same server.
Examples:
• http://images.mycompany.com/hipergate
• http://myserver:8080/images
• http://localhost:7001/hipergateWeb/images (example with WebLogic)

fileprotocol
This value must always be "file://".

fileserver
This value must always be "localhost".

fileuser/filepassword
Username and password to access remote file storage. Currently only used with FTP.

storage
Base directory of private storage.
Examples:
• /var/lib/hipergate
• C:\\bea\\weblogic\\samples\\workshop\\hipergate\\storage (Windows)

shelldir
Some servlet containers lock files and directories. If you want to delete a newsletter, website or account, you should remove all directories related to that object, but Java prevents this deletion, so you must create a scheduled task to remove them from outside the servlet container. For each object to be removed, a line with the full path of the directory to be deleted is added to a file called cleanup.txt. You can run a wrapper script each time the server is restarted, or add a cron job that tries to remove these files periodically.
Examples:
• /tmp
• $CATALINA_HOME/webapps/shell
• C:\\BEA\\weblogic\\samples\\workshop\\hipergate\\shell (Windows)
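
One way to write the wrapper script described under shelldir, as an added example that is not hipergate's own code. It assumes cleanup.txt lists one absolute directory path per line, and it adds a restriction of its own: only directories strictly below the base directories passed as arguments (for instance the storage and workareasput values) are deleted. The name cleanup_pending is hypothetical.

```shell
#!/bin/sh
# Added example, not hipergate code. Assumes cleanup.txt holds one absolute
# directory path per line and that only directories below the given base
# directories (e.g. the storage and workareasput values) may be deleted.

# Usage: cleanup_pending SHELLDIR ALLOWED_BASE [ALLOWED_BASE...]
cleanup_pending() {
    shelldir=$1; shift
    list="$shelldir/cleanup.txt"
    [ -f "$list" ] || return 0
    keep=$(mktemp) || return 1
    while IFS= read -r dir || [ -n "$dir" ]; do
        case "$dir" in
            /*) ;;   # absolute path: continue with the checks below
            *)  [ -z "$dir" ] || echo "rejected (not absolute): $dir"; continue ;;
        esac
        # Resolve symlinks and ".." before comparing against the bases.
        real=$(cd -- "$dir" 2>/dev/null && pwd -P) ||
            { echo "skipped (not a directory): $dir"; continue; }
        ok=0
        for base in "$@"; do
            rbase=$(cd -- "$base" 2>/dev/null && pwd -P) || continue
            case "$real" in "$rbase"/*) ok=1 ;; esac   # strictly below the base
        done
        if [ "$ok" -ne 1 ]; then
            echo "rejected (outside allowed bases): $dir"
        elif rm -rf -- "$real" 2>/dev/null; then
            echo "removed: $real"
        else
            echo "$dir" >> "$keep"   # still locked: try again on the next run
            echo "retry later: $dir"
        fi
    done < "$list"
    cat "$keep" > "$list"
    rm -f "$keep"
}

# Run only when called with arguments, e.g. from cron or a restart wrapper:
#   sh cleanup.sh /tmp /opt/storage
if [ "$#" -ge 2 ]; then cleanup_pending "$@"; fi
```

Entries that resolve outside the allowed bases, including symlinks and paths containing "..", are reported and dropped from cleanup.txt; entries that could not be removed stay in the file for the next run.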

workareasput
Base directory for public storage that should be available via HTTP.
Examples:
• $CATALINA_HOME/webapps/hipergate/workareas
• C:\PROGRA~1\Tomcat\webapps\hipergate\workareas (Windows)

workareasget
Absolute web URL to workareasput directory.
Examples:
• /workareas
• /hipergateWeb/workareas

maxfileupload
Maximum size (in bytes) of uploaded files.

setXMLValidation
Activate XML validations when rendering XSLT templates.

maxschedulerthreads
Maximum number of threads for the job scheduler.

mail.transport.protocol
JavaMail transport (default=smtp)

mail.store.protocol
JavaMail store (default=pop3)

mail.incoming
POP3 JavaMail server for mail storage (default=localhost)

mail.outgoing
SMTP JavaMail server for mail delivery (default=localhost)

hipergate © 2003-2013 KnowGate. Some rights reserved