
Seclore FileSecure Policy Server

Installation Guide


Version 2.4.11.0

Seclore Technology Pvt. Ltd.


Table of Contents
1. Introduction
2. Preparing for Installation
2.1. System Configuration
2.2. Dependencies
2.3. Prerequisites
2.3.1. Java Installation
2.3.2. Tomcat Installation
2.3.3. SSL certificate
2.3.4. Policy Server License
2.3.5. Policy Server Consent
2.4. Create Database schema for Policy Server
2.5. Configure Java for Policy Server
2.5.1. Java Cryptography Extension(JCE)
2.5.2. Enabling SSL 3.0
2.6. Configure Tomcat for Policy Server
2.6.1. Update Java Options for Tomcat
2.6.2. Tomcat error handling customization
2.6.3. Allow/Restrict Tomcat Manager application
2.6.3.1. Allow Tomcat Manager application
2.6.3.2. Restrict Tomcat Manager application
2.6.4. Copy the Common Libraries in Tomcat lib folder
2.6.5. Configure server.xml in Apache Tomcat
3. Setting up and Configuring Policy Server
3.1. Configuring the PolicyServerConfig.xml in Policy Server
3.1.1. Policy Server Context Name
3.1.2. URL used by Desktop Client for connecting to Policy Server
3.1.3. Email Notifications
3.1.4. Organization name
3.1.5. Database settings
3.1.6. Watermark Configuration
3.2. Configuring the FSMailConfig.xml in Policy Server
3.3. Adding deployment specific buffer files
3.4. License File
3.5. Consent File
3.6. Run Tomcat service
4. Configure BYOK (Bring Your Own Key) in Policy Server
5. Adoption Stats
6. Post Install Configurations
7. Configuring other components to work with Policy Server
7.1. Lite Server
8. Placing customized FileSecure client installers in PolicyServer
8.1. FileSecure Desktop Client
8.2. FileSecureLite Windows
8.3. FileSecureLite Mac
9. Frequently asked questions
9.1. How do I acquire the Policy Server License?
9.2. How to disable SSL 3.0 ?
9.3. How to setup logger ?
9.4. How to generate self signed SSL certificate?
9.5. How to get CA signed SSL certificate?
9.6. How to configure Windows Integrated Authentication for MSSQL ?
9.7. What is JNDI Connection Pooling?
9.8. How to disable Request Access Rights feature in Policy Server?
9.9. How to configure Adoption Stats feature in Policy Server?
10. Other Documentations

1. Introduction
The Policy Server Installation and Configuration Guide provides information about the basic installation and setup of
Policy Server components.

Note: If any Policy Server customizations are required please follow customization specific deployment
documents after Policy Server deployment.

2. Preparing for Installation


The system configuration, prerequisites and dependencies for the installation and configuration of Policy Server are
summarized below:

2.1. System Configuration


Policy Server deployment requires the following server system configuration:

System Configuration    Details
RAM                     2GB or above is preferred
Hard Disk space         40GB or above
Operating System        Windows Server 2008/2012

Note:
1. It is recommended to keep all FileSecure components and other related installations (e.g. Java, Tomcat,
Policy Server, FIM, Lite Server, etc.) in a folder named Seclore. Also this folder should be placed in non-
OS drive. E.g. D:/Seclore
2. "<POLICYSERVER_HOME>\config\reporting" folder will require extra disk space for storing reporting
index files. For every 1 million file activities, approximately 500MB additional disk space will be required.

2.2. Dependencies
The dependencies for the deployment of Policy Server are summarized in the table below:

Dependency: Database
Details: Ensure that MS SQL or Oracle database is properly installed. The supported databases are as follows:
MS SQL 2005, MS SQL 2008, MS SQL 2012, MS SQL 2014.
Oracle 9i, Oracle 10g, Oracle 11g, Oracle 12c.
Note : For Multilingual Support with Oracle database
Policy Server supports internationalization and localization of data. So, for multilingual support ensure that the database character-set AL32UTF8 is correctly selected during installation of Oracle Database.

Dependency: Java
Details: Ensure that JDK 1.8.0_66 is installed properly. If not, refer References/Java 8 Installation Guide.pdf file for Java 8 installation guidelines.

Dependency: Web Application Server
Details: Ensure that Apache Tomcat 8.0.32 is installed properly. If not, refer References/Tomcat 8 Installation Guide.pdf file for Tomcat 8 installation guidelines.

2.3. Prerequisites
Please ensure that below prerequisites are met before we begin with Policy Server deployment.

2.3.1. Java Installation


Java installation is successful.

2.3.2. Tomcat Installation


Tomcat installation is successful.

2.3.3. SSL certificate


For Production deployment valid SSL certificate is required. Refer How to get CA signed SSL certificate?
For POC/Demo/UAT deployment a self signed SSL certificate is sufficient. Refer How to generate self
signed SSL certificate?.
2.3.4. Policy Server License
Ensure that valid Policy Server License is available. Refer How do I acquire the Policy Server License?.
2.3.5. Policy Server Consent
For Production deployment a valid Policy Server Consent file is required. This file can be generated after an
authorized person from the Customer end accepts the license terms and conditions.
For more details, refer 'Supplements/Seclore License Portal - User Manual.pdf'.
For POC/Demo/UAT deployment consent file is not required.

2.4. Create Database schema for Policy Server


Refer Policy Server [Version]/Installation Docs/References/Creating Database Schema.pdf file for creating Database
schema for Policy Server.

Note: Screenshots are for representational purposes only. Java and Tomcat versions must match those
mentioned in the steps.
2.5. Configure Java for Policy Server
2.5.1. Java Cryptography Extension(JCE)
Steps to configure the java to use the JCE
1. Locate the JDK folder which is used by the Apache Tomcat server
a Run Tomcat8w.exe from <TOMCAT_HOME>/bin folder
b Click on the Java tab and locate the JDK path from Java Virtual Machine field.

2. Locate the jre/lib/security inside the JDK folder e.g. D:\Seclore\Java\jdk1.8.0_66\jre\lib\security.


a Backup the following files from the JDK folder
i. local_policy.jar
ii. US_export_policy.jar
b Replace the following files from Policy Server [Version]/Tools/Java/Java Lib/JCE in the JDK folder which
is currently used by Apache Tomcat Server.
i. local_policy.jar
ii. US_export_policy.jar

2.5.2. Enabling SSL 3.0


By default SSL 3.0 is disabled in Java 8. SSL 3.0 is required to run Policy Server with IE6 (with default settings) and
Desktop Client (Version 2.40.0.0 and older). To enable SSL 3.0 perform the following steps:
1. Go to "< JAVA INSTALLATION FOLDER >/jdk1.8.0_66/jre/lib/security"
2. Open java.security in text editor
3. Add a ' # '(Hash tag) before jdk.tls.disabledAlgorithms=SSLv3 to comment it.

Note : Refer How to disable SSL 3.0 ? to disable SSL 3.0.

2.6. Configure Tomcat for Policy Server


Note : Memory usage of Tomcat Server is based on the concurrent requests for viewing files processed
by the Policy Server. It is recommended to assign higher JVM memory to Tomcat for better performance
of Policy Server. Please refer "Supplements/Tweaking Tomcat JVM Memory.txt" for detailed steps.

2.6.1. Update Java Options for Tomcat


Java Option: -Duser.timezone="Asia/Calcutta"
Description: To update the time zone information in the Tomcat. For different timezones to be configured for different countries, refer References/FileSecure Supported Timezones.pdf

Java Option: -Dcom.sun.jndi.ldap.connect.pool.timeout=600000
Description: Required only if you are planning to configure Simple AD Repository in Policy Server to connect to Active Directory. Otherwise, this can be skipped. Refer What is JNDI Connection Pooling? for further details.

Steps :
1. Run <TOMCAT HOME>/bin/Tomcat8w.exe
2. Go to Java tab.
3. Configure the above configurations in 'Java Options' field.

2.6.2. Tomcat error handling customization


1. Copy the following file from 'Policy Server [Version]/Tools/Tomcat/Configure Custom Error Pages' directory
to '<TOMCAT_INSTALL_FOLDER>/lib ' directory :
SecloreCustomErrorReportValve.jar
2. Open 'server.xml' file from '<TOMCAT_INSTALL_FOLDER>/conf '
Add the 'errorReportValveClass' attribute inside '<Host ...>' tag to customize error handling for Tomcat Server.

<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
errorReportValveClass="com.seclore.fs.custom.error.valve.SecloreCustomErrorReportValve">

2.6.3. Allow/Restrict Tomcat Manager application


This chapter summarizes the Configuration steps to allow or restrict the Tomcat manager application.
2.6.3.1. Allow Tomcat Manager application
To allow Tomcat manager application you are not required to take any action. By default the manager application is
enabled.
Note: If the Tomcat manager application is enabled, any user can access the application. One can reload
any web application from Tomcat manager. It is highly recommended to restrict the Tomcat manager
application in production environment.
2.6.3.2. Restrict Tomcat Manager application

Note: To restart any web application, the Tomcat server is to be restarted.

To restrict Tomcat manager application you are required to do following actions.


1 Take backup of the following files :
From <TOMCAT_HOME>/webapps/ROOT folder
i. index.jsp
ii. favicon.ico
From the <TOMCAT_HOME>/webapps folder
i. docs
ii. examples
iii. host-manager
iv. manager
2 Overwrite the following files from Policy Server [Version]/Tools/Tomcat/Block Manager Application
folder
index.jsp
favicon.ico
3 Update the index.jsp page to enable any of the following option
Display blank page with security message
i. Open index.jsp file.
ii. Uncomment the Block1.
iii. Please provide the customized message.
Display blank page with security message and Policy Server redirect URL
i. Open index.jsp file.
ii. Uncomment the Block2.
iii. Please provide the customized message.
iv. Please provide the application name in anchor tag.
Redirect to Policy Server
i. Open index.jsp file.
ii. Uncomment the Block3.
iii. Please provide the application name.
4 Remove the following applications from the <TOMCAT_HOME>/webapps folder
docs
examples
host-manager
manager

2.6.4. Copy the Common Libraries in Tomcat lib folder


Copy common library files from Policy Server [Version]/Tools/Common Libs to <TOMCAT HOME>/lib .

2.6.5. Configure server.xml in Apache Tomcat


This chapter summarizes the Configuration steps of server.xml. This file can be found at location
<TOMCAT_HOME>/conf/
Comment out the <Connector> tags with port attribute 8080 and 8009 by enclosing each of them in <!-- --> if
these ports are not used by any other application.
<!-- <Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" /> -->
<!-- <Connector port="8009"
protocol="AJP/1.3" redirectPort="8443" /> -->
Add the configuration for the <Connector> tag to server.xml inside the <Service name="Catalina"> tag.

Note:
The keyAlias value will be the name of the alias you entered while creating keystore entry.
The disableUploadTimeout is 'false' for uploading larger files through Lite Server application.
Check whether the port specified in the connector tag specified below is not used by any other
application.

<Connector port="443"
protocol = "org.apache.coyote.http11.Http11NioProtocol"
keystoreFile="ABSOLUTE PATH OF THE KEY STORE FILE"
keyAlias = "NAME_OF_KEYSTORE_ALIAS"
keystorePass="PASSWORD"
redirectPort="-1"
disableUploadTimeout="false" connectionUploadTimeout="3600000"
acceptCount="100"
acceptorThreadCount="2"
scheme="https" secure="true"
SSLEnabled="true" clientAuth="false"
sslEnabledProtocols="SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2"
URIEncoding="UTF-8" server="FileSecure Server"
ciphers = " TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA">
</Connector>

Add the configuration for Policy Server inside the <Host > tag.
Note : docBase attribute should point to the Policy Server home folder e.g. D:/Seclore/Policy Server.

For MSSQL Database Server

<Context path="/policyserver"
docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER" >
<Valve className="org.apache.catalina.valves.RemoteIpValve"/>
<Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
disableProxyCaching="true" securePagesWithPragma="false" />
<Resource name="jdbc/filesecure"
auth="Container"
type="javax.sql.DataSource"
driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
url="jdbc:sqlserver://DBSERVERNAME:PORT;databaseName=DATABASENAME"
username="USERNAME"
password="PASSWORD"
maxWaitMillis="5000"
maxTotal="100"
removeAbandonedOnBorrow="true"
removeAbandonedTimeout="300"
logAbandoned="true"
testOnBorrow="true"
validationQuery="select GETDATE()"/>
<Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
<Store className="org.apache.catalina.session.FileStore"/>
</Manager>
</Context>

Note : Refer How to configure Windows Integrated Authentication for MSSQL? to enable Windows
Integrated Authentication for MSSQL Database Server.
For ORACLE Database Server

<Context path="/policyserver"
docBase="ABSOLUTE PATH OF POLICYSERVER HOME FOLDER" >
<Valve className="org.apache.catalina.valves.RemoteIpValve"/>
<Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
disableProxyCaching="true" securePagesWithPragma="false" />
<Resource name="jdbc/filesecure"
auth="Container"
type="javax.sql.DataSource"
driverClassName="oracle.jdbc.driver.OracleDriver"
url="jdbc:oracle:thin:@DBSERVERNAME:PORT:HOSTSTRING"
username="USERNAME"
password="PASSWORD"
maxWaitMillis="5000"
maxTotal="100"
removeAbandonedOnBorrow="true"
removeAbandonedTimeout="300"
logAbandoned="true"
testOnBorrow="true"
validationQuery="select * from dual"/>
<Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
<Store className="org.apache.catalina.session.FileStore"/>
</Manager>
</Context>

Note : Refer "Policy Server [Version]\Tools\Tomcat\Database Credentials Encryption\Database
Credentials Encryption Guide.txt" to configure encrypted username and password for the database.

Add the configuration for RemoteIpValve inside the <Context> tag.

Note : Refer "Policy Server [Version]\Installation Docs\Supplements\Tomcat Valve configuration for
resolving client IP addresses.pdf" for configuring RemoteIpValve in different server setups.

3. Setting up and Configuring Policy Server


The Policy Server installation shipped in the PolicyServer.zip requires some configuration settings.
Extract the PolicyServer.zip located at Policy Server [Version]/Web App/ to a folder; we will refer to this folder as
<POLICYSERVER_HOME>. e.g. D:/Seclore/Policy Server
The following steps need to be performed to configure the Policy Server:

3.1. Configuring the PolicyServerConfig.xml in Policy Server


Open the file PolicyServerConfig.xml from the below location

<POLICYSERVER_HOME>/config/PolicyServerConfig.xml

3.1.1. Policy Server Context Name


Modify the <appname> in the PolicyServerConfig.xml file to configure the application name. This should be same
as the published policy server name.

<ps-config>
<server>
<appname>/policyserver</appname>

3.1.2. URL used by Desktop Client for connecting to Policy Server


Modify the information under the tags <urls> in the PolicyServerConfig.xml file to add the list of URL to be used
by the Desktop Client to connect to Policy Server.

<urls>
<url>https://irm.acmegroup.com:443</url> <!--Primary Policy Server URL-->
<url>https://foirm.acmegroup.com:443</url> <!--The fail over server URL-->
<url>https://drirm.acmegroup.com:443</url> <!--The disaster recovery server URL-->
</urls>

There is no limitation on number of URLs. Desktop Client will try to connect to Policy Server in the order the URLs are
specified.

3.1.3. Email Notifications


Modify the information under the tags <notification-config> in the PolicyServerConfig.xml file. This configuration
is mandatory and must be configured properly for working of Policy Server.
test-email-config
The email-id specified in <test-email-config> tag will be used to test SMTP details of your Policy Server
installation. On each server startup a notification will be sent to this email id. It is recommended to put email
id of Policy Server administrator.
contacts
<contacts> tag will be used by Policy Server to send notifications of various events to stake holders. The stake
holders receive email notifications when those events occur. Currently, this tag is being used for alerts
regarding usage of protection licenses beyond the purchased licenses and license expiry. The <email-id> tag
must have a valid email id. It is recommended to create a group email id (in the email server) and put all the
stake holders in that group email id.
<notification-config>
<!-- Test Email Configuration: This configuration is used to validate SMTP Configuration
details. Notification will be sent to this email-id each time Policy Server is started.
-->
<test-email-config>
<email-id>acmeuser@acmegroup.com</email-id>
</test-email-config>
<!-- List of contacts -->
<contacts>
<!-- Contact information. Multiple such tags may be present. -->
<contact>
<!-- Email id of notification receiver -->
<email-id>acmeuser@acmegroup.com</email-id>
</contact>
</contacts>
</notification-config>

3.1.4. Organization name


Modify the information under the tag <organization> in the PolicyServerConfig.xml file to add organization name
to be used by Policy Server.
<organization>
<name>Acme Group Pvt Ltd.</name>
</organization>

3.1.5. Database settings


Modify the information under the tag <database> in the PolicyServerConfig.xml file to add database <type> to
be used.
<database>
<type>MSSQL</type>
<context-name>java:comp/env</context-name>
<data-source-name>jdbc/filesecure</data-source-name>

</database>

Following are the possible values for the same :


MSSQL
ORACLE
3.1.6. Watermark Configuration
Modify the information under <watermark-config> to customize the watermark in Policy Server. Information
specified in <watermark-config> tag is displayed as watermark on files opened in FileSecure Lite.
<watermark-config>
<!-- Template-Id. Default value is 2. This is the only template supported. -->
<template-id>2</template-id>
<!-- Optional, based on template. Do not change this value. -->
<image-name>seclore-logo.gif</image-name>
<!-- Font used to generate the watermark text. -->
<font-face>Arial Black</font-face>
<!-- configure the watermark lines -->
<lines>
<!-- By default value is $USERNAME$ -->
<line1>$USERNAME$</line1>
<!-- By default value is $FILEID$ : $VIEWTIME$ -->
<line2>$FILEID$ : $VIEWTIME$</line2>
</lines>
<!-- Indicates whether the watermark should be bold or not. By default value is false.
true : watermark should be displayed in bold.
false : watermark should not be displayed in bold.
-->
<font-bold>false</font-bold>
<!-- Indicates whether the watermark should be italic or not. By default value is false.
true : watermark should be displayed in italic.
false : watermark should not be displayed in italic.
-->
<font-italic>false</font-italic>
<!-- Watermark color represented in 6 digit hex-code. By default the value is black i.e 000000.
Lite Online displays colors with some opacity due to which the color becomes lighter if the color is
absolute Black, Red or Green.
If the color is lighter shade of any color then Lite Online adjust the color and displays the provided color.
All other clients displays the provided color as it is.
-->
<color>c8c8c8</color>
</watermark-config>
Only the first ten tags configured in the <lines> tag are considered by Policy Server. All subsequent tags are ignored.
Following are the variables that can be configured in <line1>, <line2> ... tags. The variables are replaced with actual
values when displayed to the user.
$USERNAME$ Name of the user who has requested to view protected file.
$VIEWTIME$ Date and time of view (DD-MMM-YYYY 24HH:MI).
$USEREMAIL$ Email id of the requesting user.
$FILEID$ Unique identifier of the protected file in Policy Server.
$FILECLASS$ Classification of protected file.
$LICENSECLIENT$ Client to whom license is issued.

3.2. Configuring the FSMailConfig.xml in Policy Server


NOTE :
This configuration is mandatory.
Following are some cases in which it is used:
Request Access Rights feature
- By default Request Access Rights feature is enabled, to disable Request Access Rights refer How to
disable Request Access Rights feature in Policy Server?
Onboarding new users in FIM repositories
At least one FIM repository needs to be configured.
Sending notifications of certain events to stake holders

Open FSMailConfig.xml from the below location


'<POLICYSERVER_HOME>/config/FSMailConfig.xml '.

SMTP server details can be configured in FSMailConfig.xml.


List of parameters to be configured are as follows :
mail.smtp.host
mail.smtp.port
com.seclore.filesecure.mail.config.username
com.seclore.filesecure.mail.config.password
com.seclore.filesecure.mail.config.sender.emailid
For detailed information on the above configuration parameters, please refer to the 'FSMailConfig.xml' file.

3.3. Adding deployment specific buffer files


Deployment specific 'PDF' buffer files are required if Seclore Lite Online is installed.
Copy customer specific 'PDF' buffer files to the folder <POLICYSERVER_HOME>/custom/bufferfiles
If the deployment is for demo or POC purposes and the default buffer file is to be used, the buffer files can be copied
from Policy Server [Version]/Installation Docs
3.4. License File
Place the Policy Server License file (PolicyServer.lic ) at <POLICYSERVER_HOME>/config.

3.5. Consent File


Place the Policy Server Consent file (PolicyServer.consent) at <POLICYSERVER_HOME>/config.

3.6. Run Tomcat service


Run the Apache Tomcat 8.0 service to start the Policy Server.

4. Configure BYOK (Bring Your Own Key) in Policy Server


Policy Server supports following key management systems:

Thales Hardware Security Module (Thales HSM) : To configure Thales HSM in Policy Server refer Policy
Server [Version]/Installation Docs/Supplements/Thales HSM Configuration Guide.txt

5. Adoption Stats
Policy Server will send monthly and midmonth adoption statistics to product.metrics@seclore.com on
1st and 16th of every month.

This feature will be enabled by default. To disable Adoption Stats refer How to configure Adoption Stats
feature in Policy Server?

Note :
This feature requires a valid consent file to be present.
For Production deployment, Adoption stats will not be sent if valid consent file is not present.
For POC/Demo/UAT deployment Adoption stats will not be sent, irrespective of the consent.

6. Post Install Configurations


Policy Server homepage can be accessed using : https://[DOMAIN]:[PORT]/
[POLICY_SERVER_APPLICATION_NAME] . e.g. https://irm.acmegroup.com/policyserver
System Administrator login can be accessed using : https://[DOMAIN]:[PORT]/
[POLICY_SERVER_APPLICATION_NAME]/sysadmin.
e.g. https://irm.acmegroup.com/policyserver/sysadmin
A System Administrator can configure Repositories, create Organisation Unit Admin (OU admin), Manage
Enterprise Application etc.

7. Configuring other components to work with Policy Server

7.1. Lite Server


Refer the installation guide located at Policy Server [Version]/Installation Docs/Supplements/Lite Server Installation
Guide.txt for the Lite Server Application deployment.
8. Placing customized FileSecure client installers in PolicyServer
Use information given below to place customized FileSecure client installers in Policy Server deployment.

8.1. FileSecure Desktop Client


Details for FileSecure Desktop Client installer
Folder Path: <POLICYSERVER_HOME>/portal/pages/download/dc
File Name: FileSecure_DC_Setup.zip

8.2. FileSecureLite Windows


Details for Installer Type 1
Folder Path: <POLICYSERVER_HOME>/portal/pages/download/filesecurelite
File Name: FileSecureLite.exe
Details for Installer Type 2
Folder Path: <POLICYSERVER_HOME>/portal/pages/download/filesecurelite/v2
File Name: FileSecureLite.exe

8.3. FileSecureLite Mac


Details for Installer Type 1
Folder Path: <POLICYSERVER_HOME>/portal/pages/download/filesecurelitemac
File Name: FileSecureLite.dmg
Details for Installer Type 2
Folder Path: <POLICYSERVER_HOME>/portal/pages/download/filesecurelitemac/v2
File Name: FileSecureLite.dmg

9. Frequently asked questions

9.1. How do I acquire the Policy Server License?


The steps for getting the license are explained below.
Please copy the file UserInfo.exe from Policy Server [Version]/License Utility/UserInfo.exe to a folder in your
hard disk, say D:/Seclore/License Utility .
Run the UserInfo.exe executable file on the machine in which the policy server needs to be installed.
The above step will generate an XML file, which can be found in the location D:/Seclore/License Utility.
Send this file to the support@seclore.com to get the license file.

9.2. How to disable SSL 3.0 ?


To disable SSL 3.0 for Java, perform the following steps:
Go to "< JAVA INSTALLATION FOLDER >/jdk1.8.0_66/jre/lib/security".
Open java.security in a text editor.
Uncomment jdk.tls.disabledAlgorithms=SSLv3 by removing the '#' (hash) in front of it.
Open <TOMCAT HOME>/conf/server.xml.
Remove SSLv3 from sslEnabledProtocols inside the <Connector> tag.
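
A check for the two edits described above, as an added example that is not part of the Seclore guide: it reads the text of java.security and server.xml and reports whether SSLv3 is still permitted. The function names and the sample file contents are constructed for illustration; jdk.tls.disabledAlgorithms and sslEnabledProtocols are the settings named in the steps.

```python
import xml.etree.ElementTree as ET

# Constructed samples: java.security before and after the edit, server.xml before it.
JAVA_SECURITY_BEFORE = "# jdk.tls.disabledAlgorithms=SSLv3\n"
JAVA_SECURITY_AFTER = "jdk.tls.disabledAlgorithms=SSLv3\n"
SERVER_XML_BEFORE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>
</Service></Server>"""

def java_disables_sslv3(text):
    """True if the active jdk.tls.disabledAlgorithms property lists SSLv3."""
    disabled, pending = False, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and line.startswith(("#", "!")):
            continue                       # a commented-out property has no effect
        line = pending + line
        if line.endswith("\\"):            # properties-file line continuation
            pending = line[:-1]
            continue
        pending = ""
        key, sep, value = line.partition("=")
        if sep and key.strip() == "jdk.tls.disabledAlgorithms":
            # entries are names ("SSLv3") or constraints ("DH keySize < 768")
            names = [item.split()[0] for item in value.split(",") if item.strip()]
            disabled = "SSLv3" in names    # a later definition overrides an earlier one
    return disabled

def connectors_allowing_sslv3(server_xml):
    """Ports of SSL-enabled connectors whose sslEnabledProtocols names SSLv3."""
    flagged = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        protocols = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",")]
        if "SSLv3" in protocols:
            flagged.append(conn.get("port"))
    return flagged

if __name__ == "__main__":
    print("Java disables SSLv3:", java_disables_sslv3(JAVA_SECURITY_BEFORE))
    print("Connectors still offering SSLv3:", connectors_allowing_sslv3(SERVER_XML_BEFORE))
```

Run it against the real files by passing their contents to the two functions; an empty list from connectors_allowing_sslv3 together with True from java_disables_sslv3 means both edits took effect.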

9.3. How to setup logger ?


This chapter summarizes the steps to configure the logging for Policy Server.
Logging for the Policy Server can be set to one of 4 modes:
off : Logs nothing
Error : Logs only errors
Info : Logs errors and major milestones such as the connection to the database or to AD
Debug : Logs each processing step of the server in detail
To change the logger setting, open the <POLICYSERVER_HOME>/config/log4j.properties file.
REQUEST : Logs all the requests sent by different clients to Policy Server.
<POLICYSERVER_HOME>/logs/Request.log

DEBUG : Logs all the processing steps for any request to be served.
<POLICYSERVER_HOME>/logs/PolicyServer.log

SYNC : Logs the steps while synchronizing different repositories.
<POLICYSERVER_HOME>/logs/Sync.log

Modify the following properties to set the logging mode of each logger.

log4j.category.REQUEST=debug, REQUEST
log4j.category.DEBUG=debug, DEBUG
log4j.category.SYNC=debug, SYNC

9.4. How to generate self signed SSL certificate?


To create the certificate file, perform the following steps:
Open a command prompt.

Change the current directory to the Seclore folder created earlier, e.g. D:/Seclore.

Enter the following command.

Note : tomcat and acmegroup.keystore are placeholders. Replace them with appropriate values before
executing the command.

keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 -sigalg SHA1WithRSA -keystore acmegroup.keystore

Enter details as shown below

NOTE :
Note down the alias name and password. These details (alias name and password) will be required
while configuring the SSL key in the server.xml file.
For First and last name, enter the Fully Qualified Domain Name of the Policy Server domain
(example: www.yourdomain.com). For a Wildcard Certificate this must begin with the * character
(example: *.yourdomain.com).

The keystore password and the key password for the alias must be the same for smooth
functioning of the Policy Server application.

At the end of this activity an acmegroup.keystore file will be created. The keystore file is created in the
command prompt's current directory at the time the keytool command is run. For example, in the sample screens
above, the keystore file is generated at D:/Seclore.

Note : This keystore file is referred to later in the Tomcat server.xml configuration.

9.5. How to get CA signed SSL certificate?


To generate a CSR (Certificate Signing Request) and to import the certificates, perform the following steps.
Note : The words root, inter, tomcat and acmegroup.keystore are placeholders. Replace them
with appropriate values before executing the commands.

1. Generate keystore file.


Refer to How to generate self signed SSL certificate? to get the keystore file.

2. To generate the CSR from the keystore file, perform the following steps


i. Use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following
command in the command prompt:
keytool -certreq -alias tomcat -file csr.txt -keystore acmegroup.keystore
ii. Type the keystore password that you chose earlier and hit Enter.
iii. A CSR file named csr.txt is now created in the current user directory. Send the CSR to the vendor from whom
you plan to purchase the SSL certificate.
Note : Save the keystore file (e.g. acmegroup.keystore), as your certificates will be installed into it later.

3. After receiving the certificates from the vendor, import them into the keystore
for Root Certificate
keytool -import -trustcacerts -alias root -file root.crt -keystore acmegroup.keystore
for Intermediate Certificate
keytool -import -trustcacerts -alias inter -file inter.crt -keystore acmegroup.keystore
for Domain Certificate
keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore acmegroup.keystore
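
A post-import check for sections 9.4 and 9.5, as an added example that is not part of the Seclore guide: it parses the text printed by `keytool -list -v -keystore acmegroup.keystore` and reports whether the tomcat alias still holds the private key, whether the CA chain was attached, and whether any certificate carries a SHA-1 signature (which the -sigalg SHA1WithRSA option in 9.4 produces and which is deprecated for certificates). The function names and the abbreviated sample listing are constructed for illustration.

```python
import re

# Constructed, abbreviated `keytool -list -v` output for the keystore from 9.4
SELF_SIGNED_LISTING = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Signature algorithm name: SHA1withRSA
"""

FIELD = re.compile(r"^(Alias name|Entry type|Certificate chain length|"
                   r"Signature algorithm name):\s*(.+)$")

def parse_listing(text):
    """Map alias -> entry type, chain length and per-certificate signature algorithms."""
    entries, cur = {}, None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name == "Alias name":
            cur = entries.setdefault(value, {"type": None, "chain": 0, "sigalgs": []})
        elif cur is None:
            continue
        elif name == "Entry type":
            cur["type"] = value
        elif name == "Certificate chain length":
            cur["chain"] = int(value)
        else:
            cur["sigalgs"].append(value)
    return entries

def check_alias(text, alias="tomcat"):
    """Findings for the key entry that server.xml will reference."""
    e = parse_listing(text).get(alias)
    if e is None:
        return ["alias not found: " + alias]
    out = []
    if e["type"] != "PrivateKeyEntry":
        out.append("no private key under alias (entry type %s)" % e["type"])
    if e["chain"] < 2:
        out.append("no CA chain attached (self-signed, or CA reply not imported)")
    # The self-signature on the root that ends a CA chain is not relied upon.
    relevant = e["sigalgs"][:-1] if e["chain"] > 1 else e["sigalgs"]
    return out + ["weak signature algorithm: " + a for a in relevant
                  if a.upper().startswith(("SHA1", "MD5"))]
```

A domain certificate imported under an alias other than the one used for -genkey shows up as a trustedCertEntry, which is the first finding this check reports.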

9.6. How to configure Windows Integrated Authentication for MSSQL ?


To configure Windows integrated authentication for MSSQL with the JDBC driver, perform the steps provided in the file
Policy Server[Version]/Installation Docs/Supplements/Windows Authentication for database/Windows Integrated Authentication for MSSQL.pdf.

9.7. What is JNDI Connection Pooling?


Policy Server uses a JNDI connection pool to connect to the Active Directory Domain controller. Several
parameters of the connection pool can be configured.
Visit the following URL for details about the connection pool parameters:
http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
The default connection timeout at the Active Directory Domain controller end is 15 minutes. FileSecure recommends
providing the following parameter in the Tomcat startup arguments.
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000
This parameter tells the pool to release a connection that has been in the pool for more than 10 minutes
(600000 milliseconds). You can also configure other parameters according to the requirements of the deployment.
These are the steps to configure the startup parameter in the Tomcat server:
The syntax to configure the parameter is: -Dparam_name=param_value
Start Tomcat8w.exe from the <TOMCAT_HOME>/bin directory.
Go to the Java tab and, in the Java Options field, append the parameter name-value pair. For example,
-Dcom.sun.jndi.ldap.connect.pool.timeout=600000

9.8. How to disable Request Access Rights feature in Policy Server?


To disable the Request Access Rights feature, set the value under the <request-access-right-config> tag in
PolicyServerConfig.xml to 0. The Policy Server needs to be restarted after altering this value.

<request-access-right-config>
    <!-- Global flag to support Request Access Right feature for this Policy Server
         1 - Yes
         0 - No -->
    <is-supported>0</is-supported>
</request-access-right-config>

9.9. How to configure Adoption Stats feature in Policy Server?


To disable or enable the Adoption Stats feature, execute the respective script in the database.
For Disabling Adoption stats:
MSSQL Database
Policy Server[Version]/DB Scripts/Policy Server/MS-SQL/MS-SQL disable adoption stats.sql
Oracle Database
Policy Server[Version]/DB Scripts/Policy Server/Oracle/Oracle disable adoption stats.sql
For Enabling Adoption stats:
MSSQL Database
Policy Server[Version]/DB Scripts/Policy Server/MS-SQL/MS-SQL enable adoption stats.sql
Oracle Database
Policy Server[Version]/DB Scripts/Policy Server/Oracle/Oracle enable adoption stats.sql

10. Other Documentation
Below is a list of the documents shipped, along with a brief description of their contents.
Location : Policy Server [Version]/Installation Docs/

Document Name | Description
Lite Server Installation Guide.txt | Describes steps for Lite Server installation.

Location : Policy Server [Version]/Installation Docs/Supplements/

Document Name | Description
Configuring SSO using WebSEAL Junction.txt | Guidelines on configuring SSO in Policy Server using the IBM Tivoli Access Manager WebSEAL SSO server.
Connecting to AD over SSL.txt | Explains how to import SSL Certificate in JVM for connection to Active Directory (over SSL).
FIM Repository Configuration.pdf | Describes how to configure FIM Repository in Policy Server.
Import self signed certificate in Java.txt | Explains how to import self signed certificate in Java Certificate Trust Store.
Tweaking Tomcat JVM Memory.txt | Explains how to configure JVM memory of the Tomcat.
Tomcat Valve configuration for resolving client IP addresses.pdf | Explains how to configure RemoteIPValve in different server environment setups.
Thales HSM Configuration Guide.txt | Explains how to configure Thales HSM in Policy Server.
Google Authentication Configuration Guide.pdf | Explains how to configure Google Authentication in Policy Server
Seclore License Portal User Manual.pdf | Explains how to generate a valid PolicyServer.consent file.

Location : Policy Server [Version]/Installation Docs/Supplements/Windows Authentication for Database/

Document Name | Description
Windows Integrated Auth MSSQL.pdf | Explains how to configure Windows integrated authentication for MSSQL.

Location : Policy Server [Version]/Installation Docs/Supplements/Outlook on the web Add-in Configuration/

Document Name | Description
Outlook on the web Add-in Configuration Guide.pdf | Explains how to install and configure Outlook on the web Add-in in Policy Server.

Location : Policy Server [Version]/Installation Docs/References/

Document Name | Description
Creating Database Schema.pdf | Explains how to configure Database and execute Database script for Policy Server.
Java 8 Installation Guide.pdf | Explains Java 8 installation steps for Policy Server.
Tomcat 8 Installation Guide.pdf | Explains Apache Tomcat 8 installation steps for Policy Server.
FileSecure Supported Timezones.pdf | Contains list of timezones which can be configured in Tomcat Java options.
