Deployment of eshop on IIS k2 gaia

This document deals with the issue of deploying the e-shop on IIS and the installation of its components and testing.

Before the actual installation of Eshop, it is necessary to have prepared and installed:

ISS (Internet Information Services Manager)
Application Servers
K2 web services server
Installation of PHP version 5.6

Installation and setup of individual components will be described in detail in the following chapters.

K2 Application server

Description

This installation package is used to install the K2 IS version 3 application server. The application server is then used to serve web clients that connect to the application server.

Software requirements

The first requirement of the application server installer is that user must have the installation running with administrator privileges. Since this condition must already be met by the K2 installer itself, this ensures that this permission is also transferred to all installations running from the K2 installer. To be sure, this permission is tested by each installation, so if the permission is deficient, the installer would display a message.

The second requirement is the need to have IS K2 installed, namely the version that corresponds to the version of the application server, at least at the level of the release version, i. e. 3.135.3.

If the above conditions are met, then user can start the installation.

Installation

After starting the installation, the first dialogue will be displayed, informing the user that the installer for the K2 Application Server product is running, and in addition it will display the version number that will be installed, see Pict.: Start of AS installation

Picture: Start of AS installation

After pressing the Next button, user will proceed to the second dialogue, which contains the license agreements, which user must accept to continue. User accepts the agreement, by checking the option I agree with the terms of the license agreement, see Fig .: AS license agreement.

Picture: AS.png license agreement

Click Next to get to the third dialogue, where the user is prompted to enter the path to the installed K2, see Pict.: Path to IS K2. With the Change button user can browse the classic directory dialogue on physical disks or on the network.

pim_1126_2021

Picture: Path to IS K2

If IS K2 is not installed in the selected directory, then a warning message is displayed when attempting to continue the installation, which will not allow the installation to continue until a valid path is selected, see Pict .: IS K2 not found

pim_1127

Picture: IS K2 not found

If a valid IS K2 installation is found in the directory, the installation continues to the next dialogue after pressing the Next button, which is used to select the installation path. That is, the path where the application will be installed. With the Change button user can browse the classic directory dialogue on physical disks.

Picture: Installation directory

After selecting the installation directory and pressing the Next button, a dialogue will appear prompting the user to enter the name of the application server, including a description (designed to make it easier to identify the application server) and the client, see Pict.: Name of K2 application server. This value serves as a unique identification of a particular application server among multiple installations of those application servers. Using this identification, web clients will then connect to the correct application servers.

Picture: Name of K2 application server

Fill the field Installation name and Description of application server. In the Client field, enter the client for which the application server should be the default.

Picture: Installation name

The Notifications on option enables notifications on the AS, i. e. the parameter "NSUSERS = K2" is added to the file "K2.INI". Using the Scheduler on option, the scheduler is switched on on the AS and the "SCHEDULESERVICE = 1" parameter is added to the "K2.INI" file.

If the Configure application server also for web services server option is checked, then a dialogue follows, see Pict: Application server settings that prompts user for an anonymous user prefix, number of users, and user password. These users must be created in IS K2 before the installation of AS and should be numbered in ascending order, e.g. AN1, AN2, etc. where AN is the prefix followed by the serial number. All of these users must have same password.

If the Configure for eshop option is checked, the dialogue for Application server for Eshop settings will be displayed as the next installation step, see Pict. Number of the default contact person for EShop. Here user enters the number of the contact person through whom the anonymous e-shop user logs in. This contact person must have a registration assigned. The "AS3ContactPerson" parameter is also included in the "K2.INI" application server.

If the Configure for contact center option is checked, a dialogue will also be displayed within the application server installation, see Pict. K2 user for the contact center. On this screen, enter the name of the user under which the contact center is running in IS K2 and also the password. The values entered here are then added to the "K2.INI" application server as the "CCUSER" and "CCPASWORD" parameters. The parameter "CONTACTCENTERSERVICE = 1" is also added to "K2.INI".

Picture: Application server settings

Picture: Number of the default contact person for EShop

Picture: K2 user for contact centre

Next dialogue in installation is entering the name and password of the user under which the application server service will run. A local system account can be used, see Pict. Local system account - AS or a Windows account of a user who requires a password, see Pict..: Windows user 2 - AS

Picture: Local system account - AS

A domain user can also be used with a password, see Pict.: Windows user 2 - AS

Picture: Windows user 2 - AS

After pressing the Next button, the passwords are checked for compliance. If they are not same, the user is prompted to correct them. Another dialogue in the installation is to enter the K2 user under which the application server will connect to the IS K2. It is possible to use an already created user or create a special user that will only be used to connect to the AS. It is not necessary to have a reserved license for users who will connect to the AS, see Pict.: K2 user - AS

Picture: K2 user - AS

After pressing the Next button, the passwords are checked for compliance. If they are not same, the user is prompted to correct them.

If the passwords are the same, then a dialogue will be displayed informing the user that the installation is ready. Clicking the Install button will then start the installation process itself.

Picture: Installation confirmation

After a successful installation, the user is shown the last dialogue about a successful installation, see Pict.: End of installation

Picture: End of installation

At the end of the installation or reinstallation of the Application Server, a text file with a list of users may be displayed. The reason is the stricter security policy of IS K2 user accounts.

Individual users can be denied access from the web to IS K2 and all users have this access denied after reinstallation. In the text file, at the end of the installation, a list of all users who have a link to the contact person and are also denied access via the web is displayed. These will not be able to use some features, such as approving wkfl from email. For these users, it is necessary to set access from the web in the book Users - password settings.

pim_1362

Picture: Text file with list of users

IIS Installation

K2 EShop must be used on a server operating system in live operation - Microsoft Windows server. Supported versions of this system are available in “System requirements” document according to K2 IS version. Installation on client operation system is possible but only for test or viewing DEMO installation. This document describes the server installation of IIS and all other system components necessary to run K2 Eshop.

Next step is IIS installation (Internet information service administrator. First is necessary to run Server administrator and then Add role and functionoption.

pic_4331

Picture: Server administrator

First step are instructions before the installation itself, after studying them, move to the next step with the Next button.

pic_4332

Picture: Add guide

In next step user chooses the type of installation - Installation based on role or function.

pic_4333

Picture: Type of installation

Selection of server, where the IIS should be installed.

pic_4334

Picture: Server selection

In next step, in addition to the default checked functions, it is necessary to check the “Web server (IIS)”.

pic_4335

Picture: Server roles

Next step is function definition. User sets Net Framework according to installation and option. Here user needs to keep the default settings and add application development (.NET 4.5, ASP.NET 4.5), Administrative Tools (including IIS 6 compatibility) and Do not check"WebDAV publishing".

Add: ASP.NET 4.6 and under HTTP Activation (under WCF Services).

pim_1305

Picture: Function

In next step check CGI (under Application development) - for eshop it is necessary, for API not.

pim_1306

Picture: Role services

In the same step Role services IIS 6 Metabase Compatibility need to be set.

pim_1307

Picture: Role services

In the last step the user confirms previous setting-

pim_1308

Picture: Installation confirmation

K2 installation

Server of web services K2 (API) is a web application which run on the web server Microsoft Internet Information Services (IIS). Through the application server K2, it makes the data of the K2 information system accessible and allows running scripts and reports. Web services are based on the REST technique, i. e. communication is running via HTTP protocol and via standard methods GET (reading data), POST (creating data), PUT (modification of existing data).

Data can be read or sent in XML or JSON format.

After entering the root URL address API into the browser can browse the basic description of the services and resources/operations using dynamic help.

Installation and basic settings

Prerequisites:

At least one API thread (Number of Shared Users) must be available in theK2 license and the corresponding number of anonymous users with a login composed of the same prefix and a supplemented serial number at the end (e.g. "AN1" - "AN5") must be created in the K2. These users must have the same rights and the same password.
The installed and running application server with the checked "Configure application server for web services server" and “Configure application server for Eshop during the installation. If this options were not checked during installation, it is possible to add the following parameters in theK2.INI configuration file for an existing AS installation (example for 5 threads and users named AN1 - AN5):
AS3USER='AN'
AS3PASSWORD='ANPassword'
AS3USERS=5
AS3IO=2000034152
AS3Contactperson=65 (contact number, which serves as a anonymous users access)
The server on which the API will be installed must have the IIS with installed support of ASP.NET and WCF. When installing IIS, the following components must be selected:
Roles: Default + Application Development (.NET 4.5, ASP.NET 4.5), Administrative Tools (including IIS 6 compatibility); Don't check: Publishing WebDAV
Function: Activation Service (Process Model), WCF Services (HTTP Activation), .NET 4.5, ASP.NET 4.5
In case of HTTPS installation correctly set certificate in IIS
In case of publication API for internet access, allowed used HTTP / HTTPS ports (80/443 by default)

Recommended deployment for accessing API from the Internet:

The K2 application server should always be installed on a server accessible only on the internal network. It is recommended to install K2 API and other web applications on a separate server that is accessible from the Internet and has limited access to the internal network allowing only communication with K2 AS.

Installation of K2 API :

This is done using the K2 Installer. The K2 API installation program checks the availability of the basic required components before starting the installation, eventually warns of missing components and the installation is stopped.

You need to enter some information during the installation:

Target directory - any directory can be selected, it does not have to be in the IIS root directory
IIS Server Name - enter the name that will be used to access the API server. For test installations it is also possible to enter "localhost" - under this name API will be available only on the given server.
Web Site (IIS) - user chooses, to which Web Site he/she wants to install API. By default, only "Default Web Site" is available on IIS.
Application name on IIS - part of the URL address to API after the server name. If the name of the server is "mujserver.cz" and user specifies "restservice" as the name of the application, then the basic URL for accessing API will be http://myserver.com/restservice
The name or IP address of the computer where the K2 AS is running
K2 AS instance name - specified when installing K2 AS

The most common problems with API installation and configuration

Wrong name or IP address of the AS server or wrong name of the AS instance - check and possibly edit it manually in the K2 API configuration file - web.config file in the API installation directory. Check that nothing is blocking network communication between the SWS server and the AS server
AS is not configured for API - add configuration, see the Prerequisites section above
Anonymous users are missing or prohibited - see the Prerequisites section above
There is no number of shared users in the K2 licence or this number is exceeded - update the K2 licence
Missing IIS components - check IIS components, see the Prerequisites section above
Missing permission for IIS process (see pict.)

pim_1309

Picture: Missing permission

Permissions must be added to these users.

pim_1310

Picture: Users

In most cases logging API or AS will help. API logging is activated in theweb.config configuration file, using parameters LogPath (log file path), LogLevel (types of messages to be recorded, at least Info is recommended for debugging), LogRequests (allows user to track the processing of individual API requests even multiple requests at once).

PHP Installation

Using “WEB platform Instaler” user installs PHP. For eshop it is necessary PHP version 5.6 and higher. For some OS, may not be able to install PHP Manager. It is not a necessary supplement, but it is suitable and recommended.

If the PHP manager cannot be installed, the link below describes how to install it.

Link how to install PHP manager:

https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings/php-manager-for-iis-on-windows-10/33ef32f0-6a86-4803-abc1-6de81110f9a8?auth=1

Using Web platform instaler user finds PHP 5.6 and starts an installation

pim_1311

Picture: Installation of PHP version 5.6

pim_1312

Picture: Installation of PHP version 5.6

If PHP manager is installed, it is possible to check if the installation was successful using the Checkphpinfo function.

pim_1313

Picture: Installation verification

If the PHP is installed correctly, following page will display.

pim_1314

Picture: Installation verification

K2 E-shop

Description

This installation package is used to install the K2 online store. The K2 E-shop application runs within the Internet information service. The K2 E-shop uses web services to connect to the K2 IS and then the application server. The installation of the K2 E-shop therefore already assumes their existence.

Pictures for Eshop

Pictures are an inseparably part of an online store. The folder from which the online store will load images must be created in the same place as the IO itself. In this folder it is necessary to set in the "Directory browsing" section to Allow its browsing.

pim_1318

Picture: Settings of browsing the picture folder for Eshop

Secure IIS settings for K2 Eshop

In order to ensure the safest possible operation of K2 Eshop, a web page was created where after entering the URL address of the installed IIS environment or directly to Eshop, verifies whether the environment is set according to recommended configuration.

Web page is available at http://demo.k2.cz/iissecuritychecker/. After opening, a web page will be displayed, see the figure "Test settings for K2 Eshop". In the input field, user enters the address of the server which he/she wants to check for secure settings. For example user wants to check settings of demo installation of K2 eshop - https://demo.k2.cz/eshop/.

The picture shows a computer test on which ISS is running and does not have any of recommendations set.

pim_1315

Picture: Test settings for K2 Eshop - incorrect settings

The picture shows the test https://demo.k2.cz , which is set up correctly according to recommendation of safe configuration.

pim_1316

Picture: Test settings for K2 Eshop - correct settings

The test checks the six setting points that are considered appropriate to be set in this way. They increase the secure operation of the e-shop on IIS. The following text of this document deals with individual points, including setting instructions.

IIS settings

For each tested point, its meaning is described here, including a description of why it is appropriate to have it set and what the application is endangered if it is not. The text is also a guide on how to set each of the points correctly.

Note:

IIS server settings are passed from a higher level to a lower one. User can set up the IIS home page, and all others that fbelong under that page will take this setting and use it automatically.

For example, a configuration is defined on the website https://demo.k2.cz, then unless it is specified otherwise, all websites under this, for example https://demo.k2.cz/eshop will have this setting as well. If user runs more e-shops, it is advisable to make the settings at a higher level so that it is used by all installed e-shops on IIS.

Almost all the settings described here relate to the settings of HTTP response headers. User switches to their settings by selecting the website in the tree menu and on the left side of the settings, see the picture. For the selected website, user selects the icon in the right part of the form - "HTTP response headers", see the picture.

pim_1319

Picture: HTTP response header settings

After opening the settings a form will display (see following picture)

pim_1320

Picture: HTTP response header

In this section user adds individual settings. To do this, right-click and select "Add" from the context menu to open the form for creating a new record, see the picture.

pim_1321

Picture: Adding a new record

Setting up individual parts of IIS

X-Frame-Options Header Not Set

Description of vulnerability

In the HTTP request header is missing the "X-Frame-Options" parameter with the appropriate settings to prevent "ClickJacking" attacks.

A page that uses click jacking has harmless content in the background - such as funny pictures and a link next to them that claims to lead to another page of pictures. Further, a frame with a completely different page is inserted into the page and it is displayed over the background content, but with transparency turned on, so the user does not know about it. When a user tries to click on a link to lead to another page, he/she are actually clicking on an invisible page at the top. In this way, he/she can perform virtually any action on the target page without his/her knowledge and consent [source: Wiki].

EShop can be inserted into a frame on any page and be exploited.

IIS settings:

Configuration: HTTP response header
Name: X-Frame-Options
Value: DENY

pim_1322

Picture: IIS settings

Changing a settings requires restarting IIS.

X-Content-Type-Options Header Missing

Description of vulnerability

Option „nosniff“ is missing in request „X-Content-Type-Options“ parameter. This vulnerability allows older versions of IE and Chrome to perform "MIME-sniffing", which allows the data to be interpreted and displayed as a content type other than declared.

Repair action

Set the Internet Information Service to add the value "nosniff" to the "X-Content-Type-Options" parameter of the HTTP header. The settings are as follows.

IIS settings:

Configuration: HTTP response header
Name: X-Content-Type-Options
Value: nosniff

pim_1323

Picture: IIS settings

Changing a settings requires restarting IIS.

Set-Cookie – HTTPOnly a SecureFlag

HTTPONLY

Description of vulnerability

The cookie is set without the "HttpOnly" label, which means that it can be accessed using JavaScript. Unauthorized access to information may occur.

Repair action

Set the Internet Information Service to add the required "HttpOnly" flag to the HTTP "Set-Cookie" header. Configuration for Internet information service is following.

IIS settings:

Configuration: HTTP response header
Name: Set-Cookie
Value: ^(.*)$ $1;HttpOnly

pim_1324

Picture: IIS settings

Changing a settings requires restarting IIS.

SECUREFLAG

Description of SecureFLag vulnerability

Cookies do not have the "Secure" security flag set, which means that they can be accessed over an unencrypted connection.

Repair action

Set the Internet Information Service to add the required "Secure" flag

to the HTTP "Set-Cookie" header.

If the application is accessed using the HTTPS protocol, then everything will work fine. Problems can appear if the certificate expires and the cookie cannot be read from the HTTPS request. If HTTP is used, the cookie value will be empty and EShop will not work in combination with this setting. In general, web applications should run on the HTTPS protocol, which is also a recommendation of K2 atmitec. In the case of debugging and testing on the HTTP protocol, it must be taken into account that "Secure" cannot be set in the Set-Cookie.

IIS settings:

Configuration: HTTP response header
Name: Set-Cookie
Value: ^(.*)$ $1;Secure

pim_1325

Picture: IIS settings

Changing a settings requires restarting IIS.

These settings can be combined.

The resulting setting value is:

Configuration: HTTP response header
Name: Set-Cookie
Value: ^(.*)$ $1;HttpOnly;Secure

XSS Protection

Description of vulnerability

XSS - "Cross-site scripting" protection of the web browser is not set, or it is disabled by incorrect configuration of the "X-XSS-Protection" function in the HTTP response header on the web server.

Repair action

Set the Internet Information Services to add the "X-XSS-Protection" parameter to the HTTP response header. The Internet Information Services settings are as follows.

IIS settings:

Configuration: HTTP response header
Name: X- XSS Protection
Value: 1; mode=block

pim_1326

Picture: IIS settings

Changing a settings requires restarting IIS.

Using or redirecting HTTPS

Checking for redirection from HTTPS to HTTP.

Status 200 OK

Checking if the verified page returned HTTP 200 OK, i. e. the page exists and its content is returned.

Summary of secure settings in IIS

The correct setting of all mentioned points should be confirmed by the mentioned test. The form in the picture shows a summary of all points that relate to the setting of the HTTP response header.

pim_1317

Picture: Parameter settings