1C:Enterprise 8.3. Administrator Guide. Contents
WEB SERVERS' SETUP FOR 1C:ENTERPRISE
This chapter describes how to set up web servers for the web client, web services, and OpenID authentication. After publishing, the published components are accessed as follows:
Web client access. To launch the web client you need to use the address generated as follows: <Web server host name>/<Virtual directory name>. If the virtual directory is named DemoCfg, you will need to enter the following URL to launch the web client (to access the client from a local machine): http://localhost/DemoCfg.
Web service access. To access a web service, you will need to use its address generated as follows: <Web server host name>/<Virtual directory name>/ws/<Web service name> or <Web server host name>/<Virtual directory name>/ws/<Web service address>.
So if a virtual directory is named DemoWS, the web service is named DemoOperationWS in the Designer while the address is DemoWorkWS, this web service can be accessed using two addresses simultaneously (from a local machine): http://localhost/DemoWS/ws/DemoOperationWS or http://localhost/DemoWS/ws/DemoWorkWS.
The OpenID-authentication is performed automatically by the system.
The IIS web servers are supplied in the operating system. The table below demonstrates the web server versions matching the operating systems and is intended to help you understand which web server you use:
IIS Version | Operating System Version
IIS 5.1 | Windows XP Professional
IIS 6.0 | Windows Server 2003 or Windows XP Professional x64 Edition
IIS 7.0 | Windows Vista or Windows Server 2008
IIS 7.5 | Windows 7 or Windows Server 2008 R2
IIS 8.0 | Windows 8 or Windows Server 2012
NOTE
Apache web server distribution kit (both for Windows and for Linux) is available for download from the project website: http://httpd.apache.org/download.
7.1. GENERAL REQUIREMENTS
The computer where the publication is executed should have a supported web server installed and configured. To install the Internet Information Services web server, you may need a distribution set for the operating system being used. When installing a web server, you must install the ISAPI extension support.
To install and configure servers, the user should have administrator rights for the computer where the publication is executed.
To execute publication in Windows Vista and higher OS versions, Designer should be started by the Run as administrator item of the application or launcher context menu. If the publication is being executed via the webinst utility, either this utility or the Windows command line should also be started by the administrator.
To execute publication in Linux, you should obtain superuser rights (the root user) via the su command, or run the application that performs publication via the sudo command.
Publication is possible only if 1C:Enterprise is located on a computer with a web server.
Publication is not supported for the IIS 7.x web server if the Directory property (or the dir parameter of the webinst utility) is set to the %SYSTEMDRIVE%\Inetpub\wwwroot directory.
NOTE
Working with the configuration through the web server is possible only if the configuration is not empty.
Two publication methods can be applied:
via the Publication dialogue on the web server, if the computer with a web server allows running Designer of the required bit set.
via the webinst utility.
7.2. GENERIC PUBLISHING PROCEDURE
The generic publishing procedure is as follows:
Query processing module (web server extension module) matching this web server is registered.
A virtual application is registered on the web server.
Virtual application directory is created and default.vrd is located in this directory (see page 253).
Rights for the database directory are assigned to users (file mode only).
A web server restart is required if:
○ the 1C:Enterprise version in which the publication is executed has been changed as compared to the version in which the previous publication was executed;
○ the 1C:Enterprise installation directory path has changed;
○ a new publication has been created for the Apache web server.
The actions above can be executed either manually or with a dedicated Designer tool accessed via the Administration – Publishing on web-server menu option. The tool is only used for publishing under Windows on a computer where both web server and 1C:Enterprise are installed.
To publish the web client, use the same 1C:Enterprise version that is used to work with the infobase you want to access through the web client. If two versions (e.g., 8.3.3.657 and 8.3.3.713) are installed on the computer and 1C:Enterprise Server 8.3.3.713 is running, use Designer or the webinst utility of that same version.
When publishing, remember that the bit set of the web server extension being recorded should match the bit set of the web server itself. To determine the publishing method in any particular situation, refer to the table below.
 | 32-bit Web Server | 64-bit Web Server
32-bit 1C:Enterprise | Designer or webinst | Partially
64-bit 1C:Enterprise | Not supported | Designer or webinst
Designer – publishing via Designer is available only for Linux.
Partially – you can publish a 32-bit 1C:Enterprise application to be used with a 64-bit IIS web server. For details on configuring IIS, see page 170. The webinst utility should be called from the bin directory of the 32-bit 1C:Enterprise version. Linux does not support such publication.
When publishing on the IIS web server, you should remember that publishing is always performed for the default website (Default Web Site) and application pool (DefaultAppPool).
To publish from Designer, use the Publication dialogue (Administration – Publishing on web-server).
Fig. 64. Web Service Publishing
After this is accomplished, follow the steps below:
Enter the name for the virtual directory in the Name field. The name can only contain Latin characters.
In the Web server field specify the web server type the publishing is executed for.
The Directory field is intended to specify physical location of the directory that will host the files describing the virtual directory. When Apache web server is used, the directory name can only contain Latin letters.
Check Publish thin client and web client or Publish web services as required.
For an IIS web server you can specify if operating system tools should be used for web server authentication.
If necessary, select the web services to publish. The Address column can be modified. This column specifies a web service synonym. A web service can be accessed via both its name and its synonym.
Clicking Publish will initiate publishing. Clicking Disconnect button will remove the publishing from the selected web server.
In the following cases you will be prompted to restart the web server after publishing:
○ 1C:Enterprise version has changed;
○ Web server extension module path has changed;
○ New publishing has been executed for an Apache web server.
When anonymous authentication and file infobase are used, access rights to the infobase directory are checked in the publishing process for the user executing the anonymous access. If the user does not possess the required rights, a warning will be displayed informing the user that it is impossible to work with the infobase via a web server. In this case we recommend either granting the rights to the infobase directory or checking Use operating system authentication.
If publishing from Designer is not available (for example, if 64-bit Windows is used), you can use the webinst utility, whose 32-bit and 64-bit versions are available for Windows and Linux. The next section provides a detailed description of the Publication dialogue and the webinst utility command line options.
7.2.1. Publication Dialog
The Publication dialog is intended to create a publication or to prepare a template file for publishing via the webinst utility (by using the -descriptor command line parameter).
All parameters that you can edit when creating a publication are located on two tabs. Let’s have a closer look at them.
7.2.1.1. Dialog Buttons
The Publish button enables publishing to the web server. During the publication process, a directory is created on the disk and the specified web server is configured to work with 1C:Enterprise. Note that publishing to the IIS web server is always for the default web site (Default web site) and for the default application pool (DefaultAppPool).
Actions executed in Linux are as follows:
the owner-group for the directory where the default.vrd file is located is a group belonging to the user in whose account the web server is run;
For the default.vrd file, the read access is assigned to a group that includes the user in whose account the web server is run.
For a file-mode infobase publication, the owner-group for the directory with the infobase file is the group of the user in whose account the web server is run; moreover, the owner-group inheritance is set up to guarantee interaction with the infobase (for details see page 44).
The Disconnect button is used to delete applications from the web server and the publication directory, where necessary.
The Save button saves the parameters specified in the Publication dialog on the web server to the file. To save them, the system asks for the name and location of the file to which you are going to save. Parameters will be saved in the default.vrd file format. This command allows you to create file templates to be used as the -descriptor parameter of the webinst utility. Parameters of the infobase from which files are being saved will become values of the ib and base attributes of the point item.
The Restore button allows you to load an arbitrary file (default.vrd) for editing. The ib and base attributes of the point item are ignored.
The Close button closes the dialog.
The Help button opens the window with reference information about the Publication dialog.
7.2.1.2. Main
This tab allows you to set the main publication parameters.
Fig. 65. Publishing to a web server: Main settings
Name. Indicates the publication name. Defined by the -wsdir parameter when publication is executed via the webinst utility. Corresponds to the base attribute of the point item in the default.vrd file.
Web server. Specifies the web server for which the publication is being made. Defined by any of iis, apache2 or apache22 parameters when publication is executed via the webinst utility. When in Linux, publication is only supported for the Apache web server.
Directory. Specifies a physical directory on the disk where the default.vrd file will be placed and where the virtual directory of the web server will be displayed. The directory must exist. Defined by the -dir parameter when publication is executed via the webinst utility.
Publish thin client and web client. Ensures the work with the published infobase via the thin and thick clients. If selected, the work with the published infobase via the thin and thick clients is available. Corresponds to the enable attribute of the point item in the default.vrd file.
Publish web services. If selected, the system will publish web services created in the configuration and listed in the table that is located below the check box. Corresponds to the enable attribute of the ws item in the default.vrd file. Deselecting this check box is equivalent to scenarios where the default.vrd file does not include the ws item, or includes the ws item with the enable attribute set to true.
The table below the Publish web services check box provides a list of web services being published and allows you to control each web service publication. The first column manages the publication of a specific web service. If the check box is deselected, that web service is not available for use (i.e., it cannot be called). Corresponds to the enable attribute of the point item in the default.vrd file.
The last column of the table (Address) contains an alias for the web service being published. The web service can be called either by its real name or by its alias. The web service alias can be edited in the publication window. Corresponds to the alias attribute of the point item in the default.vrd file.
Publish distribution kit. Defines whether the client application can be received and installed if the client application and server versions mismatch. The distribution set is a zip archive whose full name is specified as a value of Location of distribution set published. Corresponds to the pubdst attribute of the point item in the default.vrd file. The archive should include a distribution set for the client application (without directories). The installation parameters specified in the 1CEStart.cfg file will be used for the installation (similar to standard installation of a client application).
Use operating system authentication. Allows the system to enable OS authentication on the IIS web server.
7.2.1.3. Other
This tab allows you to set additional publication parameters.
Fig. 66. Publishing to a Web Server. Other settings
Temporary file directory. Allows you to specify the directory of temporary files to enable the work of the web server extension or the infobase in file mode. Corresponds to the temp attribute of the point item in the default.vrd file.
Connection pool group. Describes the pool item of the default.vrd file. For details, see page 258.
Debugging group. Describes the debug item of the default.vrd file. For details, see page 259.
OpenID group. Describes the openid item of the default.vrd file. For details, see page 262.
Data split. Describes the zones item of the default.vrd file. For details, see page 259. Let’s have a closer look at the structure of the table with separators.
The table includes all independent separators existing in the configuration or in the loaded file. The first column (unnamed) defines whether the zone item should be created for the separator selected. Remember that the item is mapped by the separator order number in the list rather than by its name. If the first separator is disabled, it makes sense to disable all the others, as the system will apply zones item parameters to other separators.
The Name column includes the separator name as set in the common attribute property. The check box in the next column defines whether the value of the separator in the zone item will be set. If selected, the value attribute will be set to a value from the Value table.
The check boxes in Specification and Secure define the specify and safe attributes (respectively) of the zone item in the default.vrd file.
7.2.2. Webinst Utility
This utility helps you to configure web servers to support web client operation. The utility runs in both Windows and Linux environments and is included in the distribution kit.
webinst [-publish] | -delete <web server> -wsdir <virtual directory> -dir <physical directory> -connstr <connection string> -confpath <path to httpd.conf file> -descriptor <path to default.vrd file> [-osauth]
IMPORTANT!
The option name and value should be separated by a space. If the parameter contains any spaces, it should be enclosed in quotation marks ("). If the parameter contains any quotation marks itself, double quotation marks should be used to enclose the parameter.
IMPORTANT!
Only one of the following options can be specified when the utility is launched: iis, apache2 or apache22.
IMPORTANT!
To complete publication, the utility should be launched under the administrator account. A prompt to elevate privileges will appear in Windows OS.
-publish by Default
The web client is published on the web server.
-delete
The publication is deleted from the directory specified (the physical directory containing the publication is deleted as well).
NOTE
When deleting the publication, you may specify the -wsdir parameter only. Other parameters may be specified to control operation.
<web server>
Specifies the web server for which the action will be performed (publication or deleting the publication):
-iis – a web server of the Microsoft Internet Information Services 5.1, 6.0, 7.x family (only if used with Windows OS)
-apache2 – an Apache 2.0 web server
-apache22 – an Apache 2.2 web server
-wsdir
Virtual directory name.
-dir
Name of the physical directory where the web server virtual directory will be displayed. A physical directory should exist.
Publishing is not supported for the web server IIS 7.x and later if this parameter references the %SYSTEMDRIVE%\Inetpub\wwwroot directory.
NOTE
The directory name must not end with the backslash ("\") symbol if it is quoted. Correct: c:\my path, incorrect: c:\my path\.
-connstr
Infobase connection string. For details, see the description of the connection string in the Designer built-in help.
-confpath for Apache only
Full path to the configuration file (httpd.conf) of the Apache web server. This parameter is only used with Apache web servers.
-descriptor
Publishes according to a template: an existing file whose name (including the path) is given by this parameter. The template file name does not need to be default.vrd. During the publication process, the existing default.vrd file is replaced by the template file. If, in addition to this parameter, the -wsdir or -connstr parameter is specified, their values replace the value of the base and ib attributes (respectively) of the point item.
If the -descriptor parameter is specified together with the -delete parameter, then the virtual directory name (the base attribute of the point item) and the infobase connection string (the ib attribute of the point item) from the template file are used. The publication will be deleted only if both values of the publication to be deleted and of the template file match.
-osauth for IIS only
Sets up use of OS authentication on the web server when publishing. This parameter is only used with IIS web servers.
Example of the publish command for IIS 7.0 and later:
webinst -publish -iis -wsdir demo -dir "c:\inetpub\demo" -connstr "Srvr=server:1741;Ref=demo;"
In this example, the web client is published with the following parameters:
virtual directory: demo (the -wsdir demo parameter)
a physical directory where a virtual directory is displayed: c:\inetpub\demo (the -dir c:\inetpub\demo parameter)
infobase connection string: Srvr=server:1741;Ref=demo; (the -connstr Srvr=server:1741;Ref=demo; parameter, a client/server mode of the infobase)
Example of the publish command for Apache 2.2:
webinst -publish -apache22 -wsdir DemoWS -dir "c:\apache.www\demows" -connstr "File=""c:\my db\demows"";" -confpath "C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf"
In this example, the web client is published with the following parameters:
virtual directory: DemoWS (the -wsdir DemoWS parameter)
a physical directory where a virtual directory is displayed: c:\apache.www\demows (the -dir "c:\apache.www\demows" parameter)
infobase connection string: File="c:\my db\demows"; (the -connstr "File=""c:\my db\demows"";" parameter, a file infobase)
Apache web server configuration file: C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf (the -confpath "C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf" parameter)
Example of the delete command for IIS:
webinst -delete -iis -wsdir DemoWS
In this example, the publication created in the virtual directory is deleted:
Virtual directory: DemoWS (the -wsdir DemoWS parameter). Other parameters are defined automatically on the basis of this name.
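The quoting and option rules of this section can be checked before webinst is run with administrator rights. The following Python sketch is an added example, not part of the 1C documentation: the function names are hypothetical, "Latin characters" is assumed to mean ASCII, and the wwwroot check is applied to any drive because the system drive is not known in advance.

```python
import ntpath

WEB_SERVERS = ("iis", "apache2", "apache22")  # server options named on this page


def quote_arg(value, always=False):
    """Quote one parameter value for the Windows command line."""
    if '"' in value:
        # Embedded quotation marks are doubled and the value is enclosed.
        return '"' + value.replace('"', '""') + '"'
    if always or " " in value:
        # Values containing spaces must be enclosed in quotation marks.
        return '"' + value + '"'
    return value


def is_iis_wwwroot(directory):
    """True for <drive or %SYSTEMDRIVE%>\\Inetpub\\wwwroot, case-insensitively."""
    path = ntpath.normpath(directory).lower().replace("%systemdrive%", "c:")
    return ntpath.splitdrive(path)[1] == "\\inetpub\\wwwroot"


def check_publish(server, wsdir, directory, connstr, confpath=None, osauth=False):
    """Return the list of rule violations; an empty list means the call is acceptable."""
    problems = []
    if server not in WEB_SERVERS:
        problems.append("exactly one of -iis, -apache2, -apache22 is required")
    if not wsdir or not wsdir.isascii():
        problems.append("-wsdir may contain Latin characters only")
    if server != "iis" and not directory.isascii():
        problems.append("-dir may contain Latin letters only for Apache")
    if server == "iis" and is_iis_wwwroot(directory):
        problems.append("-dir must not be %SYSTEMDRIVE%\\Inetpub\\wwwroot on IIS 7.x")
    if directory.endswith("\\") and quote_arg(directory) != directory:
        problems.append("a quoted -dir must not end with a backslash")
    if not connstr:
        problems.append("-connstr is empty")
    if confpath is not None and server == "iis":
        problems.append("-confpath is used with Apache only")
    if osauth and server != "iis":
        problems.append("-osauth is used with IIS only")
    return problems


def build_publish_command(server, wsdir, directory, connstr, confpath=None, osauth=False):
    """Build the webinst -publish command line, or raise ValueError on a violation."""
    problems = check_publish(server, wsdir, directory, connstr, confpath, osauth)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["webinst", "-publish", "-" + server,
             "-wsdir", quote_arg(wsdir),
             "-dir", quote_arg(directory),
             # The page's examples always quote the connection string.
             "-connstr", quote_arg(connstr, always=True)]
    if confpath is not None:
        parts += ["-confpath", quote_arg(confpath)]
    if osauth:
        parts.append("-osauth")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed input modelled on the Apache 2.2 example above.
    print(build_publish_command(
        "apache22", "DemoWS", "c:\\apache.www\\demows",
        'File="c:\\my db\\demows";',
        confpath="C:\\Program Files\\Apache Software Foundation\\Apache2.2\\conf\\httpd.conf"))
```
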
7.3. WEB CLIENT SUPPORT SETUP
This section provides setup instructions for various web servers for working with a web client. Here we describe the operations that ensure publishing from Designer as well as those necessary for publishing via the webinst utility.
The section covers the values that are critical for publishing. Other parameters should be set when required.
7.3.1. Windows
This section covers setup of Windows-based web servers for web client operation.
To publish a web client, select the Publish thin client and web client checkbox.
7.3.1.1. Internet Information Services
In addition to specifying the publication parameters (described below), you should perform the following settings:
Grant the account under which queries are processed (user IUSR_<PC_NAME> for IIS 5.1 and 6.0 or group IIS_IUSRS for IIS 7.0 and 7.5) read rights to the bin directory with the files of the appropriate 1C:Enterprise version.
Grant the account under which queries are processed (user IUSR_<PC_NAME> for IIS 5.1 and 6.0 or group IIS_IUSRS for IIS 7.0 and 7.5) edit rights to the infobase directory (file mode only).
NOTE
The <PC_NAME> text in the IUSR_<PC_NAME> username is the name of the computer on which IIS is installed. For instance, on the computer named IISCOMP the username will appear as follows: IUSR_IIS-COMP.
For details on IIS setup, see page 170.
Publication dialogue
Specify Internet Information Services in the Web Server field. If the web server requires operating system authentication, select the relevant check box (Use operating system authentication).
Where required, set other publication parameters on the Other tab of the Publication dialogue on the web server (see page 154).
The webinst utility
To set up the IIS web server by using the webinst utility (see page 155), execute the following command (parameters provided for this example should be replaced with actual ones).
Example:
webinst -publish -iis -wsdir demo -dir "c:\inetpub\demo" -connstr "Srvr=server:1741;Ref=demo;" -osauth
7.3.1.2. Apache Version 2.0
In addition to specifying the publication parameters (described below), you should perform the following settings:
Grant read rights for the bin directory of the specific 1C:Enterprise version files to the user account the web server operates under;
Grant modification rights for the infobase directory to the user account the web server operates under (only for the file mode).
Publication dialogue
Specify Apache 2.0 in the Web server field.
Where required, set other publication parameters on the Other tab of the Publication dialogue on the web server (see page 154).
The webinst utility
To set up the Apache 2.0 web server by using the webinst utility (see page 155), execute the following command (the parameters provided for this example should be replaced with actual ones).
Example:
webinst -publish -apache2 -wsdir demo -connstr "Srvr=server:1741;Ref=demo;" -dir "c:\apache.www\demows" -confpath "C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf"
7.3.1.3. Apache 2.2
In addition to specifying the publication parameters (described below), you should perform the following settings:
Assign read rights for the bin file directory of a specific version of 1C:Enterprise to the account under which the web server is run.
Assign modification rights for an infobase directory (in file mode only) to the account under which the web server is run.
Publication dialogue
Specify Apache 2.2 in the Web server field.
Where required, set other publication parameters on the Other tab of the Publication dialogue on the web server (see page 154).
The webinst utility
To set up the Apache 2.2 web server by using the webinst utility (see page 155), execute the following command (the parameters provided for this example should be replaced with actual ones).
Example:
webinst -publish -apache22 -wsdir demo -connstr "Srvr=server:1741;Ref=demo;" -dir "c:\apache.www\demows" -confpath "C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf"
7.3.1.4. Automatic Authentication Setup for Apache Web Server
For detailed description of the setup process, see page 43.
7.3.2. For Linux OS
This section covers setup of Linux-based web servers for web client operation. After the publication is completed, the user in whose account Apache is being run must be granted rights (read and execute) to the executable files directory (/opt/1C/v8.3/i386/ for a 32-bit version or /opt/1C/v8.3/x86_64/ for a 64-bit version) of the specific 1C:Enterprise version. For the file-mode infobase, the user in whose account the web server is run should be granted rights to modify the infobase directory.
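The group ownership and access rights that publication sets up on Linux (section 7.2.1.1) and the rights required here can be verified after publishing. The following Python check is an added example, not part of the 1C documentation: the function names are hypothetical, "owner-group inheritance" is assumed to mean the setgid bit on the infobase directory, and the test for access by other users is an extra hardening check made because default.vrd holds the infobase connection string.

```python
import grp
import os
import pwd
import stat
import sys


def user_gids(username):
    """Primary and supplementary group ids of a local account (e.g. the Apache user)."""
    primary = pwd.getpwnam(username).pw_gid
    return {primary} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}


def check_publication(pub_dir, web_gids, infobase_dir=None):
    """Return findings for a publication directory and, optionally, a file-mode infobase."""
    findings = []

    # The directory holding default.vrd must belong to a group of the web server user.
    if os.stat(pub_dir).st_gid not in web_gids:
        findings.append(f"{pub_dir}: owner-group is not a group of the web server user")

    # default.vrd must be readable by a group that includes the web server user.
    vrd = os.path.join(pub_dir, "default.vrd")
    st = os.stat(vrd)
    if st.st_gid not in web_gids:
        findings.append(f"{vrd}: owner-group is not a group of the web server user")
    if not st.st_mode & stat.S_IRGRP:
        findings.append(f"{vrd}: group has no read access")
    # Added hardening check (not a rule from the page): the ib attribute stores
    # the connection string, so the file should not be open to other users.
    if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"{vrd}: accessible to other users")

    if infobase_dir is not None:
        st = os.stat(infobase_dir)
        if st.st_gid not in web_gids:
            findings.append(f"{infobase_dir}: owner-group is not a group of the web server user")
        # Assumption: owner-group inheritance is implemented with the setgid bit.
        if not st.st_mode & stat.S_ISGID:
            findings.append(f"{infobase_dir}: owner-group inheritance (setgid) is not set")
        # Modifying a file-mode infobase needs read, write and search rights.
        if st.st_mode & stat.S_IRWXG != stat.S_IRWXG:
            findings.append(f"{infobase_dir}: group cannot modify the directory")
    return findings


if __name__ == "__main__" and len(sys.argv) >= 3:
    # Usage: script.py <publication dir> <web server user> [<infobase dir>]
    ib = sys.argv[3] if len(sys.argv) > 3 else None
    for line in check_publication(sys.argv[1], user_gids(sys.argv[2]), ib):
        print(line)
```
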
7.3.2.1. Apache Version 2.0
Publication dialog
Apache 2.0 is to be specified in the Web server field.
Where required, other publication parameters are specified in the Other tab of the publication dialogue on the server (see page 154).
Webinst utility
To configure Apache v.2.0 using the webinst utility (see page 155), execute the command described below (parameters are provided as an example only and should be replaced with actual values).
Example:
webinst -apache2 -wsdir DemoWS -dir /var/www/DemoWS -connstr "Srvr=server:1741;Ref=demo;" -confpath /etc/apache2/httpd.conf
7.3.2.2. Apache Version 2.2
Publication dialog
Apache 2.2 is to be specified in the Web server field.
Where required, other publication parameters are specified in the Other tab of the publication dialogue on the server (see page 154).
Webinst utility
To configure Apache v.2.2 using the webinst utility (see page 155), execute the command described below (parameters are provided as an example only and should be replaced with actual values).
Example:
webinst -apache22 -wsdir DemoWS -dir /var/www/DemoWS -connstr "Srvr=server:1741;Ref=demo;" -confpath /etc/apache2/apache.conf
7.3.2.3. Automatic Authentication Setup for Apache Web Server
For details on the setup process, see page 44.
7.4. WEB SERVICES SUPPORT SETUP
Setting up the web server support means configuring the web server being used so that it can interact with web services, and setting the rights of access to executable file directories and databases (for file-mode operation).
To publish web services, check the Publish web services box and select the services to be published in the table under the checkbox.
7.4.1. Windows
This section describes web services publishing process for the Windows-based web servers. We assume that the web server has already been installed.
NOTE
The distribution kit of the operating system used may be needed to install the IIS web server.
7.4.1.1. Internet Information Services
In addition to specifying the publication parameters (described below), you should perform the following settings:
Grant the account under which queries are processed (user IUSR_<PC_NAME> for IIS 5.1 and 6.0 or group IIS_IUSRS for IIS 7.0 and 7.5) read rights to the bin directory with the files of the appropriate 1C:Enterprise version.
Grant the account under which queries are processed (user IUSR_<PC_NAME> for IIS 5.1 and 6.0 or group IIS_IUSRS for IIS 7.0 and 7.5) edit rights to the infobase directory (file mode only).
NOTE
The <PC_NAME> text in the IUSR_<PC_NAME> username is the name of the computer on which IIS is installed. For instance, on the computer named IISCOMP the username will appear as follows: IUSR_IIS-COMP.
For details on IIS setup, see page 170.
Publication dialog
Specify Internet Information Services in the Web server field.
Where required, set other publication parameters on the Other tab of the Publication dialogue on the web server (see page 154).
The webinst utility
Create a template file before publication:
Specify Internet Information Services in the Web server field.
Select the Publish web services check box.
Select the parameters of the web services to be published.
Where required, set other publication parameters on the Other tab of the Publication dialogue on the web server (see page 154).
Save the template file by clicking the Save button. Specify iis-template.vrd as the template file name.
Publish by using the template file.
Example:
webinst -publish -iis -wsdir demo-ws -dir "c:\inetpub\demo-ws" -connstr "Srvr=server:1741;Ref=demo;" -descriptor iis-template.vrd
7.4.1.2. Apache Version 2.0
Infobase directory (read rights and write rights in the case of the file mode) to the account under which Apache is being run.
Publication dialog
Specify Apache 2.0 in the Web server field.
Where required, set other publication parameters on the Other tab of the Publication dialogue on the web server (see page 154).
The webinst utility
Create a template file before publication:
Specify Apache 2.0 in the Web server field.
Select the Publish web services check box.
Select the parameters of the web services to be published.
Where required, set other publication parameters on the Other tab of the Publication dialogue on the web server (see page 154).
Save the template file by clicking the Save button. Specify apache-template.vrd as the template file name.
Publish by using the template file.
Example:
webinst -publish -apache2 -wsdir demo-ws -dir "c:\inetpub\demo-ws" -connstr "Srvr=server:1741;Ref=demo;" -descriptor apache-template.vrd
7.4.1.3. Apache 2.2
Assign rights for the bin file directory of the specific version of 1C:Enterprise (read and execute rights) and for the infobase directory (read rights and write rights in the case of the file mode) to the account under which the Apache is run.
Publication dialog
Specify Apache 2.2 in the Web Server field.
Where required, set other publication parameters on the Other tab of the Publication dialogue on the web server (see page 154).
The webinst utility
Create a template file before publication:
Specify Apache 2.2 in the Web Server field.
Select the Publish web services check box.
Select the parameters of the web services to be published.
Where required, set other publication parameters on the Other tab of the publication dialogue on the web server (see page 154).
Save the template file by clicking the Save button. Specify apache-template.vrd as the template file name.
Publish by using the template file.
Example:
webinst -publish -apache22 -wsdir demo-ws -dir "c:\inetpub\demo-ws" -connstr "Srvr=server:1741;Ref=demo;" -descriptor apache-template.vrd
7.4.2. Linux
This section describes the web service publication process for web servers run in Linux. It is assumed that the web server has already been installed.
To publish the service manager, check the Publish web services box and select the services to be published in the table under the checkbox.
After publication has been completed, the user in whose account Apache is being run should be granted rights (read and execute) to the executable files directory (/opt/1C/v8.3/i386/ for a 32-bit version or /opt/1C/v8.3/x86_64/ for a 64-bit version) of the specific 1C:Enterprise version. For the file-mode infobase, the user in whose account the web server is run must be granted rights to modify the infobase directory.
7.4.2.1. Apache Version 2.0
Publication dialog
Apache 2.0 is to be specified in the Web server field.
Where required, other publication parameters are specified in the Other tab of the publication dialogue on the server (see page 154).
Webinst utility
Create a template file (from Designer) before publication:
Specify Apache 2.0 in the Web server field.
Select the Publish web services check box.
Select the parameters of the web services to be published.
Where required, set other publication parameters on the Other tab of the Publication dialogue on the web server (see page 154).
Save the template file by clicking the Save button. Specify apache20-template.vrd as the template file name.
Publish by using the template file.
Example:
webinst -publish -apache2 -wsdir demo-ws -dir /var/www/demo-ws -connstr "Srvr=server:1741;Ref=demo;" -confpath /etc/apache2/httpd.conf -descriptor apache20-template.vrd
7.4.2.2. Apache Version 2.2
Publication dialog
Apache 2.2 is to be specified in the Web server field.
Where required, other publication parameters are specified in the Other tab of the publication dialogue on the server (see page 154).
Webinst utility
Create a template file (from Designer) before publication:
Specify Apache 2.2 in the Web server field.
Select the Publish web services check box.
Select the parameters of the web services to be published.
Where required, set other publication parameters on the Other tab of the Publication dialogue on the web server (see page 154).
Save the template file by clicking the Save button. Specify apache22-template.vrd as the template file name.
Publish by using the template file.
Example:
webinst -publish -apache22 -wsdir demo-ws -dir /var/www/demo-ws -connstr "Srvr=server:1741;Ref=demo;" -confpath /etc/apache2/httpd.conf -descriptor apache22-template.vrd
7.4.3. Web Services Security
7.4.3.1. Authentication
Generally, a client's call to a web service follows this scheme:
Fig. 67. Web service connections
Three types of authentication can be distinguished:
On a proxy server – This authentication is not directly related to the web server use, but it should be considered when you have to use a web service from a network located behind the proxy server.
On the web server – In this case the following authentication types can be applied:
○ Anonymous authentication – All queries from the web server are executed under a special account representing the "anonymous connection".
In this case the authentication in 1C:Enterprise is performed with the user name and password passed in the HTTP query.
○ Basic Authentication – The web service client passes, for the purpose of authentication, the user name and password to the web server via the HTTP query that is generated during the call to the web server.
In order for this authentication to be successful, the user name and the password used to access 1C:Enterprise should also be used to access the web server. The user whose parameters are passed in the HTTP query cannot use the web service if he/she cannot access the web server.
○ OS Authentication – The web server defines the OS account under which the web service will call 1C:Enterprise, and this data will be used from then on.
In this case the web server defines the user attempting to access the web server and then passes 1C:Enterprise both the OS user’s characteristics and the data passed in the HTTP query to the web service. If the user name and password are specified in the HTTP query, they will be used in authentication instead of the OS user’s data. The specific OS user’s data will be used if the HTTP query does not include the user name and password.
1C:Enterprise Authentication. To perform this authentication, the web server extension uses the user’s name and password as passed on by the web server (if the Basic authentication or OS authentication is used on the web server). When an anonymous authentication is used on the web server, 1C:Enterprise requests the calling party to perform the Basic authentication. 1C:Enterprise expects the user’s login and the password to be transferred in UTF-8 encoding.
If needed, you can establish a secure channel between you and the web server (see page 166).
When using an infobase in file mode, accounts under which the system is accessed should be eligible to execute files of the required version of 1C:Enterprise and have rights to read and change data in the infobase directory.
7.4.3.2. Using a Secure Channel
A secure channel can be used for data exchange in client/server interaction of web services. The secure channel uses the SSL 3.0/TLS 1.0 communication protocol. To enable the SSL protocol:
Obtain a server certificate for the website intended for SSL use. The certificate is issued by the Certification Center and is linked to this website.
The root certificate issued by the Certification Center should be added to cacert.pem in the 1C:Enterprise installation directory on all the clients that require secure channel access. The format of the certificate must be PEM (Privacy Enhanced Mail).
Another option is to use the client certificate for the web service consumer. In this case specify that the client certificate (and any required root certificates) should be used to develop the application using the web service. This will ensure that an encrypted channel between the client and the web server is established (based on the client and server certificates). If the application using the web service is developed in 1C:Enterprise, the reference to certificates should be specified for the WSDefinitions and WSProxy objects.
The web server should have the SSL support enabled.
7.5. CONFIGURING OPENID AUTHENTICATION SUPPORT
7.5.1. OpenID Settings
If an infobase uses OpenID authentication, you need to specify the OpenID provider (the one participating in authentication) address in the default.vrd file that publishes the infobase on a web server. Use the <openid> and <rely> elements to do this.
Example:
<?xml version="1.0" encoding="UTF-8"?>
<point xmlns="http://v8.1c.ru/8.3/virtual-resource-system"
       xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       base="/demo"
       ib="Srvr=&quot;tcp://Server&quot;;Ref=&quot;demo&quot;;"
       enable="false">
  <openid>
    <rely url="http://myserver.org/users-ib/e1cib/oida"/>
  </openid>
</point>
These elements describe a URL path to the OpenID provider that authenticates the user of an infobase that uses OpenID authentication. In this example, an infobase published at https://myserver.org/users-ib functions as an OpenID provider.
See page 253 for a detailed description of the default.vrd file.
This parameter can be set via the Publication dialogue on the web server (tab: Other, group: OpenID), see page 154.
7.5.2. OpenID Provider Settings
If an infobase functions as an OpenID provider, you need to specify this in the default.vrd file that publishes the infobase on a web server. Use the <openid> and <provider> elements to do this.
Example:
<?xml version="1.0" encoding="UTF-8"?>
<point xmlns="http://v8.1c.ru/8.3/virtual-resource-system"
       xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       base="/users-ib"
       ib="Srvr=&quot;tcp://Server&quot;; Ref=&quot;oidusers&quot;;"
       enable="false">
  <openid>
    <provider>
      <lifetime>1209600</lifetime>
    </provider>
  </openid>
</point>
These elements specify the following:
That an infobase functions as an OpenID provider.
That the lifetime of a successful authentication attribute is 432,000 seconds (or 5 days).
The URL address that should be specified in the <rely> element of the default.vrd file (OpenID provider address) can look as follows: https://myserver.org/users-ib/e1cib/oida. This would be the case if the host where an infobase is published is named myserver.org.
See page 253 for a detailed description of the default.vrd file.
This parameter can be set via the Publication dialogue on the web server (tab: Other, group: OpenID), see page 154.
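A check that can be run over a published default.vrd to review the <rely> and <provider> settings described in 7.5.1 and 7.5.2. This is an added example, not part of the original guide or of 1C:Enterprise; the sample documents are constructed from the two examples above, and the MAX_LIFETIME_S ceiling is an assumed local policy value.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"v": "http://v8.1c.ru/8.3/virtual-resource-system"}
MAX_LIFETIME_S = 432_000  # assumed local policy ceiling (5 days), not a 1C default

# Constructed samples modelled on the two default.vrd examples above.
SAMPLE_RELY = b"""<?xml version="1.0" encoding="UTF-8"?>
<point xmlns="http://v8.1c.ru/8.3/virtual-resource-system" base="/demo"
       ib="Srvr=&quot;tcp://Server&quot;;Ref=&quot;demo&quot;;">
  <openid><rely url="http://myserver.org/users-ib/e1cib/oida"/></openid>
</point>"""
SAMPLE_PROVIDER = b"""<?xml version="1.0" encoding="UTF-8"?>
<point xmlns="http://v8.1c.ru/8.3/virtual-resource-system" base="/users-ib"
       ib="Srvr=&quot;tcp://Server&quot;;Ref=&quot;oidusers&quot;;">
  <openid><provider><lifetime>1209600</lifetime></provider></openid>
</point>"""


def audit_openid(vrd_xml: bytes) -> dict:
    """Summarise the <openid> settings of a default.vrd and list findings."""
    root = ET.fromstring(vrd_xml)
    report = {"base": root.get("base"), "rely_url": None,
              "lifetime_days": None, "findings": []}
    rely = root.find("v:openid/v:rely", NS)
    if rely is not None:  # infobase delegates authentication to a provider
        url = rely.get("url", "")
        report["rely_url"] = url
        parts = urlsplit(url)
        if parts.scheme != "https":
            report["findings"].append("rely url is not https")
        if not parts.path.endswith("/e1cib/oida"):
            report["findings"].append("rely url does not end in /e1cib/oida")
    provider = root.find("v:openid/v:provider", NS)
    if provider is not None:  # infobase acts as the OpenID provider
        text = provider.findtext("v:lifetime", default="", namespaces=NS).strip()
        if not text.isdigit():
            report["findings"].append("provider <lifetime> missing or not numeric")
        else:
            report["lifetime_days"] = int(text) / 86400
            if int(text) > MAX_LIFETIME_S:
                report["findings"].append("lifetime exceeds policy ceiling")
    return report


if __name__ == "__main__":
    for sample in (SAMPLE_RELY, SAMPLE_PROVIDER):
        print(audit_openid(sample))
```
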
7.5.3. Additional Interface for Using External Resources
The OpenID provider in 1C:Enterprise performs authentication only in the checkid_immediate mode and does not provide a screen for entering a username and a password. However, the system does provide a number of commands that simplify the use of the OpenID provider by third-party systems.
Authentication Procedure
Description:
Performs authentication. HTTP method: POST.
The body of a query transfers two strings: a username and a password.
Syntax:
/e1cib/oida?cmd=login
Options:
redirect optional
The destination address to be transferred to in case of successful authentication.
Returned value:
200 – user authenticated (if no redirect parameter is set).
402 – user not authenticated.
Authentication verification
Description:
Performs authentication verification. HTTP method: GET.
Syntax:
/e1cib/oida?cmd=isloggedin
Returned value:
200 – user authenticated.
402 – user not authenticated.
Exiting the system
Description:
Exits the system and resets a successful authentication attribute. HTTP method: GET.
Syntax:
/e1cib/oida?cmd=logout
Options:
redirect optional
The destination address to be transferred to in case of successful exit from the system.
7.6. WEB SERVER CUSTOMIZATION FEATURES
7.6.1. Internet Information Services
If a 32-bit version of the web server extension is used in a 64-bit version of the operating system, you should specify to the web server that it can execute 32-bit applications. The following actions will then need to be performed:
In IIS 5.1, IIS 6.0, launch the command interpreter and perform the following command:
cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1
In IIS 7.0 and later, open the application pool main settings dialog: Control Panel – Administration – IIS Service Manager – <Name of server> – Application Pools – <Name of application pool> – Advanced settings. Set the 32-bit applications allowed parameter to True.
During IIS customization, please remember that no more than one web server extension module differing in the third and fourth digits of the version number may be executed in a single application pool. In this case, use the same number of application pools as the number of different versions of the extension modules you plan to use, and bind each virtual application of the web client to the appropriate application pool.
If 1C:Enterprise errors are displayed as "500 – internal server error. There is a problem with the resource you are looking for, and it cannot be displayed." when you are working with IIS web server 7.0 or 7.5, change the parameter controlling the error display. To do this, open the error page parameters customization dialog:
Control Panel – Administrative tools – IIS Services Manager – <Name of server> – Sites – <Default Web Site> – <Name of virtual application> – Error pages – Edit parameters. In the dialog that opens, set the If the server finds an error, return the following parameter to Detailed error messages. Then click OK.
7.6.2. Reverse Proxy
The reverse proxy is a proxy server that retransmits clients’ queries from the external network to one or more servers in the internal network. It can be used to balance the load and increase security.
If web servers where 1C:Enterprise infobases are published are accessed through the reverse proxy, then improper configuration of the reverse proxy can interfere with the operability of certain mechanisms. This can be caused by the fact that a query received by the 1C:Enterprise web server was sent not from an external client but from the computer where the reverse proxy is installed.
To avoid these issues, set up the reverse proxy so that it generates proper X-Forwarded-Port, X-Forwarded-Host and X-Forwarded-Proto headers when the HTTP query is forwarded. 1C:Enterprise will then be able to restore the external HTTP query correctly.
For a detailed description on how to set up the reverse proxy, see the documentation on the web server used for this purpose.
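How a backend can restore the external address from the three X-Forwarded-* headers, and what it sees when the proxy omits them. This is an added sketch, not 1C:Enterprise's own logic; the proxy address, the internal host 10.0.0.5 and the function name are assumptions, and the proxy is assumed to overwrite any client-supplied X-Forwarded-* values rather than append to them.

```python
from ipaddress import ip_address, ip_network

# Assumption: the reverse proxy's internal address (constructed value).
TRUSTED_PROXIES = (ip_network("10.0.0.10/32"),)
DEFAULT_PORT = {"http": 80, "https": 443}


def external_url(peer_ip, headers, path, scheme="http", port=80):
    """Rebuild the URL the external client requested.

    scheme and port describe the socket the backend itself listens on.
    X-Forwarded-* values replace them only when the TCP peer is a trusted
    proxy; from any other peer the headers are ignored.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    host = h.get("host", "localhost").split(":")[0]  # IPv6 literals not handled
    if any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        proto = h.get("x-forwarded-proto", scheme).lower()
        if proto not in DEFAULT_PORT:
            raise ValueError(f"unexpected X-Forwarded-Proto: {proto!r}")
        # Without X-Forwarded-Port, fall back to the forwarded scheme's default.
        fallback = DEFAULT_PORT[proto] if "x-forwarded-proto" in h else port
        fwd_port = h.get("x-forwarded-port", str(fallback))
        if not fwd_port.isdigit() or not 0 < int(fwd_port) < 65536:
            raise ValueError(f"unexpected X-Forwarded-Port: {fwd_port!r}")
        scheme, port = proto, int(fwd_port)
        host = h.get("x-forwarded-host", host).split(":")[0]
    netloc = host if port == DEFAULT_PORT[scheme] else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


if __name__ == "__main__":
    fwd = {"Host": "10.0.0.5", "X-Forwarded-Proto": "https",
           "X-Forwarded-Host": "myserver.org", "X-Forwarded-Port": "443"}
    print(external_url("10.0.0.10", fwd, "/DemoCfg"))                   # proxy set up properly
    print(external_url("10.0.0.10", {"Host": "10.0.0.5"}, "/DemoCfg"))  # headers missing
```
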