Deployment of eshop on IIS K2

This document deals with the issue of deploying the e-shop on IIS and the installation of its components and testing.

Before the actual installation of Eshop, it is necessary to have prepared and installed:

  1. ISS (Internet Information Services Manager)
  2. Application Servers
  3. K2 web services server
  4. Installation of PHP version 5.6

Installation and setup of individual components will be described in detail in the following chapters.

Book Contents

Book Index

K2 Application server

Book Contents

Book Index

Description

This installation package is used to install the K2 IS version 3 application server. The application server is then used to serve web clients that connect to the application server.

Book Contents

Book Index

Software requirements

The first requirement of the application server installer is that user must have the installation running with administrator privileges. Since this condition must already be met by the K2 installer itself, this ensures that this permission is also transferred to all installations running from the K2 installer. To be sure, this permission is tested by each installation, so if the permission is deficient, the installer would display a message.

The second requirement is the need to have IS K2 installed, namely the version that corresponds to the version of the application server, at least at the level of the release version, i. e. 3.135.3.

If the above conditions are met, then user can start the installation.

Book Contents

Book Index

Installation

After starting the installation, the first dialogue will be displayed, informing the user that the installer for the K2 Application Server product is running, and in addition it will display the version number that will be installed, see Pict.: Start of AS installation

pim_1124_2021.png

Picture: Start of AS installation

After pressing the Next button, user will proceed to the second dialogue, which contains the license agreements, which user must accept to continue. User accepts the agreement, by checking the option I agree with the terms of the license agreement, see Fig .: AS license agreement.

pim_1125_2021.png

Picture: AS.png license agreement

Click Next to get to the third dialogue, where the user is prompted to enter the path to the installed K2, see Pict.: Path to IS K2. With the Change button user can browse the classic directory dialogue on physical disks or on the network.

pim_1126_2021

Picture: Path to IS K2

If IS K2 is not installed in the selected directory, then a warning message is displayed when attempting to continue the installation, which will not allow the installation to continue until a valid path is selected, see Pict .: IS K2 not found

pim_1127

Picture: IS K2 not found

If a valid IS K2 installation is found in the directory, the installation continues to the next dialogue after pressing the Next button, which is used to select the installation path. That is, the path where the application will be installed. With the Change button user can browse the classic directory dialogue on physical disks.

pim_1128_2021.png

Picture: Installation directory

After selecting the installation directory and pressing the Next button, a dialogue will appear prompting the user to enter the name of the application server, including a description (designed to make it easier to identify the application server) and the client, see Pict.: Name of K2 application server. This value serves as a unique identification of a particular application server among multiple installations of those application servers. Using this identification, web clients will then connect to the correct application servers.

pim_1353_2021.png

Picture: Name of K2 application server

Fill the field Installation name and Description of application server. In the Client field, enter the client for which the application server should be the default.

pim_1354_2021.png

Picture: Installation name

The Notifications on option enables notifications on the AS, i. e. the parameter "NSUSERS = K2" is added to the file "K2.INI". Using the Scheduler on option, the scheduler is switched on on the AS and the "SCHEDULESERVICE = 1" parameter is added to the "K2.INI" file.

If the Configure application server also for web services server option is checked, then a dialogue follows, see Pict: Application server settings that prompts user for an anonymous user prefix, number of users, and user password. These users must be created in IS K2 before the installation of AS and should be numbered in ascending order, e.g. AN1, AN2, etc. where AN is the prefix followed by the serial number. All of these users must have same password.

If the Configure for eshop option is checked, the dialogue for Application server for Eshop settings will be displayed as the next installation step, see Pict. Number of the default contact person for EShop. Here user enters the number of the contact person through whom the anonymous e-shop user logs in. This contact person must have a registration assigned. The "AS3ContactPerson" parameter is also included in the "K2.INI" application server.

If the Configure for contact center option is checked, a dialogue will also be displayed within the application server installation, see Pict. K2 user for the contact center. On this screen, enter the name of the user under which the contact center is running in IS K2 and also the password. The values entered here are then added to the "K2.INI" application server as the "CCUSER" and "CCPASWORD" parameters. The parameter "CONTACTCENTERSERVICE = 1" is also added to "K2.INI".

pim_1197_2021.png

Picture: Application server settings

pim_1298_2021.png

Picture: Number of the default contact person for EShop

pim_1299_2021.png

Picture: K2 user for contact centre

Next dialogue in installation is entering the name and password of the user under which the application server service will run. A local system account can be used, see Pict. Local system account - AS or a Windows account of a user who requires a password, see Pict..: Windows user 2 - AS

pim_1130_2021.png

Picture: Local system account - AS

A domain user can also be used with a password, see Pict.: Windows user 2 - AS

pim_1131_2021.png

Picture: Windows user 2 - AS

After pressing the Next button, the passwords are checked for compliance. If they are not same, the user is prompted to correct them. Another dialogue in the installation is to enter the K2 user under which the application server will connect to the IS K2. It is possible to use an already created user or create a special user that will only be used to connect to the AS. It is not necessary to have a reserved license for users who will connect to the AS, see Pict.: K2 user - AS

pim_1132_2021.png

Picture: K2 user - AS

After pressing the Next button, the passwords are checked for compliance. If they are not same, the user is prompted to correct them.

If the passwords are the same, then a dialogue will be displayed informing the user that the installation is ready. Clicking the Install button will then start the installation process itself.

pim_1133_2021.png

Picture: Installation confirmation

After a successful installation, the user is shown the last dialogue about a successful installation, see Pict.: End of installation

pim_1134_2021.png

Picture: End of installation

At the end of the installation or reinstallation of the Application Server, a text file with a list of users may be displayed. The reason is the stricter security policy of IS K2 user accounts.

Individual users can be denied access from the web to IS K2 and all users have this access denied after reinstallation. In the text file, at the end of the installation, a list of all users who have a link to the contact person and are also denied access via the web is displayed. These will not be able to use some features, such as approving wkfl from email. For these users, it is necessary to set access from the web in the book Users - password settings.

pim_1362

Picture: Text file with list of users

Book Contents

Book Index

IIS Installation

K2 EShop must be used on a server operating system in live operation - Microsoft Windows server. Supported versions of this system are available in “System requirements” document according to K2 IS version. Installation on client operation system is possible but only for test or viewing DEMO installation. This document describes the server installation of IIS and all other system components necessary to run K2 Eshop.

Next step is IIS installation (Internet information service administrator. First is necessary to run Server administrator and then Add role and functionoption.

pic_4331

Picture: Server administrator

First step are instructions before the installation itself, after studying them, move to the next step with the Next button.

pic_4332

Picture: Add guide

In next step user chooses the type of installation - Installation based on role or function.

pic_4333

Picture: Type of installation

Selection of server, where the IIS should be installed.

pic_4334

Picture: Server selection

In next step, in addition to the default checked functions, it is necessary to check the “Web server (IIS)”.

pic_4335

Picture: Server roles

Next step is function definition. User sets Net Framework according to installation and option. Here user needs to keep the default settings and add application development (.NET 4.5, ASP.NET 4.5), Administrative Tools (including IIS 6 compatibility) and Do not check"WebDAV publishing".

Add: ASP.NET 4.6 and under HTTP Activation (under WCF Services).

pim_1305

Picture: Function

In next step check CGI (under Application development) - for eshop it is necessary, for API not.

pim_1306

Picture: Role services

In the same step Role services IIS 6 Metabase Compatibility need to be set.

pim_1307

Picture: Role services

In the last step the user confirms previous setting-

pim_1308

Picture: Installation confirmation

Book Contents

Book Index

K2 installation

Server of web services K2 (API) is a web application which run on the web server Microsoft Internet Information Services (IIS). Through the application server K2, it makes the data of the K2 information system accessible and allows running scripts and reports. Web services are based on the REST technique, i. e. communication is running via HTTP protocol and via standard methods GET (reading data), POST (creating data), PUT (modification of existing data).

Data can be read or sent in XML or JSON format.

After entering the root URL address API into the browser can browse the basic description of the services and resources/operations using dynamic help.

Installation and basic settings

Prerequisites:

Recommended deployment for accessing API from the Internet:

The K2 application server should always be installed on a server accessible only on the internal network. It is recommended to install K2 API and other web applications on a separate server that is accessible from the Internet and has limited access to the internal network allowing only communication with K2 AS.

Installation of K2 API :

This is done using the K2 Installer. The K2 API installation program checks the availability of the basic required components before starting the installation, eventually warns of missing components and the installation is stopped.

You need to enter some information during the installation:

The most common problems with API installation and configuration

pim_1309

Picture: Missing permission

Permissions must be added to these users.

pim_1310

Picture: Users

In most cases logging API or AS will help. API logging is activated in theweb.config configuration file, using parameters LogPath (log file path), LogLevel (types of messages to be recorded, at least Info is recommended for debugging), LogRequests (allows user to track the processing of individual API requests even multiple requests at once).

Book Contents

Book Index

PHP Installation

Using “WEB platform Instaler” user installs PHP. For eshop it is necessary PHP version 5.6 and higher. For some OS, may not be able to install PHP Manager. It is not a necessary supplement, but it is suitable and recommended.

If the PHP manager cannot be installed, the link below describes how to install it.

Link how to install PHP manager:

https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings/php-manager-for-iis-on-windows-10/33ef32f0-6a86-4803-abc1-6de81110f9a8?auth=1

Using Web platform instaler user finds PHP 5.6 and starts an installation

pim_1311

Picture: Installation of PHP version 5.6

pim_1312

Picture: Installation of PHP version 5.6

If PHP manager is installed, it is possible to check if the installation was successful using the Checkphpinfo function.

pim_1313

Picture: Installation verification

If the PHP is installed correctly, following page will display.

pim_1314

Picture: Installation verification

Book Contents

Book Index

K2 E-shop

Book Contents

Book Index

Description

This installation package is used to install the K2 online store. The K2 E-shop application runs within the Internet information service. The K2 E-shop uses web services to connect to the K2 IS and then the application server. The installation of the K2 E-shop therefore already assumes their existence.

Book Contents

Book Index

Software requirements

The first condition for the installation of the K2 E-shop is the installation of Internet Information Services, further only IIS, version 6.0 and higher. If IIS is not installed, a warning message is displayed at the beginning of the installation. Within IIS, user must have the Common Gateway Interface (CGI) option checked in the Web Services - Application Development Function. This option is required for PHP functionality within IIS.

The second requirement for the functionality of the K2 E-shop is the extension of IIS with URL Rewrite. Installing this extension translates URL addresses into a readable form. If this extension is not installed, the installer will display a message with a download link. Rewrite URL installation is also included on the Other installations tab, from where it can be downloaded and installed.

Picture: Installer message (missing Rewrite URL)

The last requirement is to install PHP version 5.6 support on IIS. If this support is not installed, the installer informs you with the displayed message. PHP support installation is available on the Other installations tab. However, there is no installer for PHP version 5.6. It is necessary to first install version 5.3 (available in the installer on the Other installations tab), then download PHP 5.6 and upgrade to this version. The download link for PHP 5.6 is http://windows.php.net/.

Picture: Installer message (missing PHP support)

Book Contents

Book Index

Installation

After starting the installation and meeting the above software requirements, the first dialogue will be displayed, informing the user that the installer for the K2 E-shop product is running, see Pict .: Start K2 installation.

Picture: Start installation K2 E-shop

After pressing the Next button, user will proceed to the second dialogue, which contains the license agreement.

The Next button takes user to the third dialogue, which is used to select the installation path for the K2 E-shop, see Pict.: Target directory. With the Change button user can browse the classic directory dialogue on physical disks or on the network. We usually install the K2 E-shop in the IIS home directory (the default IIS directory is C: \ inetpub \ wwwroot). The directory name then determines the final form of the e-shop URL, which consists of the IIS address and the directory name with the K2 E-shop product installation.

Picture: Target directory

After selecting the installation path, a dialogue follows, in which user specifies web services for the E-shop. Using these web services, the K2 E-shop connects to the K2 IS. In this dialogue, select the Protocol type (Http or Https), the IIS server name (usually the name of the computer where the web services are installed) and the IIS application name (the name of the web services for K2 E-shop). These three values create the complete URL address for connecting to the web services server.

Picture: Web services for E-shop

To display the next dialogue box, press the Next button again. Here it is then necessary to set login details for anonymous access to the eshop. These are the login details set on the contact person.

Picture: Login for an unregistered user

The last installation dialogue is E-shop settings. Here it is necessary to enter the RID of the internet shop from IS K2 in the E-shop number from K2 field for its unique identification. There is also a field for specifying the URLaddress for accessing the images.

Picture: E-shop settings

After filling in all the data, user continues with the Next button. A dialogue will appear informing the user that the installation is ready. Then use the Install button to start the actual installation of the product.

Picture: Installation ready K2 E-shop

After successful installation, the last dialogue with the result information will be displayed.

Picture: Completing the installation

Book Contents

Book Index

Pictures for Eshop

Pictures are an inseparably part of an online store. The folder from which the online store will load images must be created in the same place as the IO itself. In this folder it is necessary to set in the "Directory browsing" section to Allow its browsing.

pim_1318

Picture: Settings of browsing the picture folder for Eshop

Book Contents

Book Index

Secure IIS settings for K2 Eshop

In order to ensure the safest possible operation of K2 Eshop, a web page was created where after entering the URL address of the installed IIS environment or directly to Eshop, verifies whether the environment is set according to recommended configuration.

Web page is available at http://demo.k2.cz/iissecuritychecker/. After opening, a web page will be displayed, see the figure "Test settings for K2 Eshop". In the input field, user enters the address of the server which he/she wants to check for secure settings. For example user wants to check settings of demo installation of K2 eshop - https://demo.k2.cz/eshop/.

The picture shows a computer test on which ISS is running and does not have any of recommendations set.

pim_1315

Picture: Test settings for K2 Eshop - incorrect settings

The picture shows the test https://demo.k2.cz , which is set up correctly according to recommendation of safe configuration.

pim_1316

Picture: Test settings for K2 Eshop - correct settings

The test checks the six setting points that are considered appropriate to be set in this way. They increase the secure operation of the e-shop on IIS. The following text of this document deals with individual points, including setting instructions.

Book Contents

Book Index

IIS settings

For each tested point, its meaning is described here, including a description of why it is appropriate to have it set and what the application is endangered if it is not. The text is also a guide on how to set each of the points correctly.

Note:

IIS server settings are passed from a higher level to a lower one. User can set up the IIS home page, and all others that fbelong under that page will take this setting and use it automatically.

For example, a configuration is defined on the website https://demo.k2.cz, then unless it is specified otherwise, all websites under this, for example https://demo.k2.cz/eshop will have this setting as well. If user runs more e-shops, it is advisable to make the settings at a higher level so that it is used by all installed e-shops on IIS.

Almost all the settings described here relate to the settings of HTTP response headers. User switches to their settings by selecting the website in the tree menu and on the left side of the settings, see the picture. For the selected website, user selects the icon in the right part of the form - "HTTP response headers", see the picture.

pim_1319

Picture: HTTP response header settings

After opening the settings a form will display (see following picture)

pim_1320

Picture: HTTP response header

In this section user adds individual settings. To do this, right-click and select "Add" from the context menu to open the form for creating a new record, see the picture.

pim_1321

Picture: Adding a new record

Book Contents

Book Index

Setting up individual parts of IIS

Book Contents

Book Index

X-Frame-Options Header Not Set

Description of vulnerability

In the HTTP request header is missing the "X-Frame-Options" parameter with the appropriate settings to prevent "ClickJacking" attacks.

A page that uses click jacking has harmless content in the background - such as funny pictures and a link next to them that claims to lead to another page of pictures. Further, a frame with a completely different page is inserted into the page and it is displayed over the background content, but with transparency turned on, so the user does not know about it. When a user tries to click on a link to lead to another page, he/she are actually clicking on an invisible page at the top. In this way, he/she can perform virtually any action on the target page without his/her knowledge and consent [source: Wiki].

EShop can be inserted into a frame on any page and be exploited.

IIS settings:

pim_1322

Picture: IIS settings

Changing a settings requires restarting IIS.

Book Contents

Book Index

X-Content-Type-Options Header Missing

Description of vulnerability

Option „nosniff“ is missing in request „X-Content-Type-Options“ parameter. This vulnerability allows older versions of IE and Chrome to perform "MIME-sniffing", which allows the data to be interpreted and displayed as a content type other than declared.

Repair action

Set the Internet Information Service to add the value "nosniff" to the "X-Content-Type-Options" parameter of the HTTP header. The settings are as follows.

IIS settings:

pim_1323

Picture: IIS settings

Changing a settings requires restarting IIS.

Book Contents

Book Index

Set-Cookie – HTTPOnly a SecureFlag

Book Contents

Book Index

HTTPONLY

Description of vulnerability

The cookie is set without the "HttpOnly" label, which means that it can be accessed using JavaScript. Unauthorized access to information may occur.

Repair action

Set the Internet Information Service to add the required "HttpOnly" flag to the HTTP "Set-Cookie" header. Configuration for Internet information service is following.

IIS settings:

pim_1324

Picture: IIS settings

Changing a settings requires restarting IIS.

Book Contents

Book Index

SECUREFLAG

Description of SecureFLag vulnerability

Cookies do not have the "Secure" security flag set, which means that they can be accessed over an unencrypted connection.

Repair action

Set the Internet Information Service to add the required "Secure" flag

to the HTTP "Set-Cookie" header.

If the application is accessed using the HTTPS protocol, then everything will work fine. Problems can appear if the certificate expires and the cookie cannot be read from the HTTPS request. If HTTP is used, the cookie value will be empty and EShop will not work in combination with this setting. In general, web applications should run on the HTTPS protocol, which is also a recommendation of K2 atmitec. In the case of debugging and testing on the HTTP protocol, it must be taken into account that "Secure" cannot be set in the Set-Cookie.

IIS settings:

pim_1325

Picture: IIS settings

Changing a settings requires restarting IIS.

These settings can be combined.

The resulting setting value is:

Book Contents

Book Index

XSS Protection

Description of vulnerability

XSS - "Cross-site scripting" protection of the web browser is not set, or it is disabled by incorrect configuration of the "X-XSS-Protection" function in the HTTP response header on the web server.

Repair action

Set the Internet Information Services to add the "X-XSS-Protection" parameter to the HTTP response header. The Internet Information Services settings are as follows.

IIS settings:

pim_1326

Picture: IIS settings

Changing a settings requires restarting IIS.

Book Contents

Book Index

Using or redirecting HTTPS

Checking for redirection from HTTPS to HTTP.

Book Contents

Book Index

Status 200 OK

Checking if the verified page returned HTTP 200 OK, i. e. the page exists and its content is returned.

Book Contents

Book Index

Summary of secure settings in IIS

The correct setting of all mentioned points should be confirmed by the mentioned test. The form in the picture shows a summary of all points that relate to the setting of the HTTP response header.

pim_1317

Picture: Parameter settings