Web Configuration

Activate Product 360 - Web Permissions & Interface Visibility

Product 360 - Web contributes some action rights and interface visibility elements which allow customization of the Web User Interface. To change these permissions, open the Product 360 - Desktop Organization perspective. A couple of web-specific action rights are shown in the group "Web permissions" in the Action Rights View.

Even more configuration options are available on the Interface Visibility Tab. Please note that all web specific elements are only shown after the Web application was loaded at least once in the Browser.

The shown elements are dynamic and depend on the concrete configuration of the system. Hence new list definition contributions can be assigned to different user groups on the fly.

For some visibilities it is not enough to just activate them in the Interface Visibility tab. The appropriate action right for general access also needs to be activated.

For example, to see the Quality status tab for items in the web UI, it is not enough to activate "Tab visibility: Item, Quality Status"; the action right "Quality status, general access" needs to be activated as well.

Product 360 - Web Specific Configuration

All configuration for Product 360 - Web is done in <PIM_SERVER_INSTALLATION_ROOT>/server/configuration/HPM/webfrontend.properties. This is a complete list of all configuration parameters:

General settings

web.client.default.language

Deprecated with 8.0.5

Default language. Affects the login page only; everything else is shown in the
language selected on the login page or as configured on the form.

  • German     = deu
  • English    = eng
  • Spanish    = esl
  • Finnish    = fin
  • French     = fra
  • Italian    = ita
  • Dutch      = dut
  • Swedish    = swe
  • Portuguese = por

Default:

eng

web.client.default.locale

Since 8.0.03.01

Default locale. Affects the login page only; everything else is shown in the
language selected on the login page or as configured on the form.

  • German                  = de_DE
  • English (American)      = en_US
  • Spanish                 = es_ES
  • Finnish                 = fi_FI
  • French                  = fr_FR
  • Italian                 = it_IT
  • Dutch                   = nl_NL
  • Swedish                 = sv_SE
  • Portuguese (Brazilian)  = pt_BR
  • English (British)       = en_GB

Default:

en_US

web.client.available.locales

Since 8.0.03.01

List of all available locales for the login form. Must be a subset of the language
enum values in HPM. Separated by commas.

The default value for this setting is a list of all languages for which an official i18n package is available.

Default:

de_DE,en_US,fr_FR,ru_RU,nl_NL,sv_SE,fi_FI,
es_ES,no_NO,pt_BR,ja_JP,zh_CN,ko_KR,it_IT

web.client.theme

Theme affects the application appearance.

Default:

symphony

web.client.httpSession.timeout

Session time-out in seconds.

Default (28800 seconds equals 8 hours):

28800

web.client.xframeoptions

Since 8.0.03.02

If set, an X-Frame-Options response header is added to the HTTP response of the main page
to prevent the application from being embedded in other sites, for security reasons.
Please note that this will break the catalog editor functionality in Supplier Portal and Supplier 360.
Details: https://tools.ietf.org/html/rfc7034
Supported values: DENY, SAMEORIGIN, ALLOW-FROM
Default: <empty>

web.client.headers.response

Since 10.1.0.01

HTTP response headers can be added to each HTTP response sent to the client. This applies to all HTTP resources below the /pim context.
Use the prefix web.client.headers.response. to add an arbitrary number of HTTP response headers.
The following sample adds the header Strict-Transport-Security with the value max-age=31536000; includeSubDomains to each response.

web.client.headers.response.Strict-Transport-Security = max-age=31536000; includeSubDomains

Default: not specified

web.client.headers.response.Content-Security-Policy

Since 10.1.0.02

This property applies the appropriate Content-Security-Policy header to the HTTP responses sent to the client.

The default value is * because the appropriate policy varies from one environment to another; change it to a value that fits your environment.

For details on how to choose the value, please refer to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy.

Default:

*

web.client.detailform.inputs.limit

Maximum number of inputs displayed by default on the detail form. If the input count limit is reached,
the user will see a "More (x)" button.

Default:

30

web.client.filter.minimum.length

Minimum length for text field used for filtering list views. Value has to be >= 0.
Note that empty input (length=0) is always allowed as this is used to reset the filter to show all entries.
Therefore setting minimum length to 1 does not have any impact.

Default:

1

web.client.text.filter.timeout

Timeout for text filters. It sets the delay between an entered letter and the search results.
Recommended value between 200-1000 ms.

Default:

200

web.client.clone.referencetype.Article
web.client.clone.referencetype.Variant
web.client.clone.referencetype.Product2G

Reference type between the cloned element and the original. The value is based on the repository Enum.ArticleReferenceType keys.
WARN: Check your repository for valid keys! Example values from the standard repository:
sparepart=1,similar=2,followup=3,mandatory=4,select=5,accessories=6,others=7,diff_orderunit=8,consists_of=9,cross_selling=10,up-selling=11
If the value is empty or does not exist in the enum, the reference will not be created.
For new custom entities, just add a new property: prefix 'web.client.clone.referencetype.' + entity identifier.

Default:

""

web.definition.dir

Relative path to the web definitions XML files, starting from the configuration directory. By default it points to configuration/server/webdefinitions.
It can also be configured with an absolute path. If the path doesn't start with /, it is considered as absolute.

Default:

/webdefinitions

web.client.default.fetch.size

Since 8.0.03.01

Default number of rows that are fetched in master list views. Smaller numbers result in slightly faster loading times,
however, multiple db queries might be necessary. Value should be a bit larger than the number of rows that are visible on the screen.

Default:

200

Media Asset Configuration

web.client.mediaasset.servlet.path

Media asset bridge servlet (root path).

Default:

/pim/mediaasset

web.client.mediaasset.prefered.quality

Preferred quality for thumbnails in the media asset viewer.
HLR available values: web, lowres, highres [,doc,htm,printxml,pdf, ...]
Product 360 - Media Manager available values: 1, originalimage.
Please clarify the available quality values with the Product 360 - Media Manager system administrator.

Default:

web

web.client.mediaasset.thumbnail.detail.panel.type

Detail form top image type from available mediaasset.
Available values: normal, thumbnail, data_sheet, logo, others, unknown [, ...]

Default:

normal

web.client.mediaasset.list.thumb.small

Documents list view thumbnails quality mapping for small images.

Default:

small

web.client.mediaasset.list.thumb.normal

Documents list view thumbnails quality mapping for standard images.

Default:

normal

web.client.mediaasset.list.thumb.big

Documents list view thumbnails quality mapping for large images.

Default:

big

web.client.mediaasset.list.page.size

Number of multimedia documents that are displayed on a single page.

Default:

25

Product 360 - Supplier Portal Integration

web.client.hsx.supplier.login

Login name of Product Manager user that is used for supplier editor.
Only needed for Product 360 - Supplier Portal integration.

Default:

supplier

web.client.hsx.supplier.password

Login password of Product Manager user that is used for supplier editor.
Only needed for Product 360 - Supplier Portal integration.

Default:

supplier

If you want to encrypt the password please refer to chapter Encryption of secure information in the Server Installation manual.

web.client.hsx.readonly.supplier.login

Login name of Product Manager user that is used for supplier read-only view.
Only needed for Product 360 - Supplier Portal integration.

Default:

readonlysupplier

web.client.hsx.readonly.supplier.password

Login password of Product Manager user that is used for supplier read-only view.
Only needed for Product 360 - Supplier Portal integration.

Default:

readonlysupplier

If you want to encrypt the password please refer to chapter Encryption of secure information in the Server Installation manual.

Product 360 - Web Search Integration

web.client.hps.max.display.facet

Maximum number of displayed search facets.

Default:

5

Export Configuration

web.client.export.max.selection

Maximum number of records that can be exported from the Web UI.
Export will be disabled when selection count exceeds this number.
Use -1 to disable this limitation.

Default:

200

Various UI settings

web.client.ui.search.and.replace.dialog.default.action

The default action in the Search and Replace dialog.

Available values: SEARCH_AND_REPLACE, SET

Default:

SEARCH_AND_REPLACE

web.client.ui.classification.dialog.default.type

The default classification type in the Classification dialog.

Available values: MOVE, COPY

Default:

MOVE

web.client.ui.show.transition.fields.content

Show content of transition fields in the Field Selection dialog or not.

Available values: TRUE, FALSE

Default:

TRUE

web.client.autoload.catalog

Autoselect Master catalog or catalog stored in cookies after login.

Possible values: true, false

The default is: true

web.client.menu.initial.structure

Specifies external identifier for structure which will be initially selected in context.

If not specified - value from com.heiler.ppm.structure.server/primaryStructureIdentifier will be used.

First available value will be used if none of the properties mentioned above specify explicit value.

web.client.popup.initial.structure

Specifies external identifier for structure which will be initially selected in classification popup.

If not specified - first available value will be used.

web.client.enum.sort.locale-sensitive

Since 8.1.0.02

Specifies whether to use locale-sensitive ("true") or locale-insensitive ("false") string comparison in enum list and lookup value sorting.

Possible values: true, false

The default is: false

web.client.enum.sort.case-sensitive

Since 8.1.0.02

Specifies whether to use case-sensitive ("true") or case-insensitive ("false") string comparison in enum list and lookup value sorting.

Possible values: true, false

If web.client.enum.sort.locale-sensitive is "true", this property will be ignored.

The default is: false

Vaadin Internal Configuration Parameters

web.vaadin.productionMode

Controls whether the application runs in Vaadin development mode or production mode. Must be true in production.

Default:

true

web.vaadin.disable-xsrf-protection

Controls the Vaadin XSRF protection; setting this property to true disables the protection. Set to true when running automated web tests.
Should be false in production.

Default:

false

web.vaadin.widgetset

Vaadin Widgetset which is used in application.

Default:

com.heiler.ppm.web.widgetset.Widgetset

web.vaadin.heartbeatInterval

UI Heartbeat interval to track open sessions.
https://vaadin.com/book/vaadin7/-/page/application.environment.html#aui_3_2_0_1292

Default value is 300 seconds (5 minutes).

web.vaadin.closeIdleSessions

Close http session after user inactivity.
https://vaadin.com/book/vaadin7/-/page/application.environment.html#aui_3_2_0_1309

Default:

true

web.vaadin.pushMode

Mode for server side push. Possible values: AUTOMATIC, MANUAL, DISABLED
When disabled, some application features might not work correctly. Must be disabled for JMeter load tests.

Default:

AUTOMATIC

web.vaadin.pushTransport

Transport mode for server side push. Possible values: WEBSOCKET, STREAMING, LONG_POLLING.

Default:

STREAMING
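
As an added example (not part of the product or its documentation), the following Python script reads the content of a webfrontend.properties file and reports the security-relevant settings from the list above that are still at a risky value: production mode, XSRF protection, X-Frame-Options, Content-Security-Policy, Strict-Transport-Security and the Supplier Portal passwords. It assumes that a missing key means the documented default applies; the function names and the sample file content are constructed for illustration.

```python
import re

CSP = "web.client.headers.response.Content-Security-Policy"
HSTS = "web.client.headers.response.Strict-Transport-Security"
# Defaults as documented on this page; assumption: a missing key means the default applies.
DEFAULTS = {
    "web.vaadin.productionMode": "true",
    "web.vaadin.disable-xsrf-protection": "false",
    "web.client.xframeoptions": "",
    CSP: "*",
    "web.client.hsx.supplier.password": "supplier",
    "web.client.hsx.readonly.supplier.password": "readonlysupplier",
}


def parse_properties(text):
    """Minimal .properties parser; line continuations and escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(text):
    """Return (key, message) findings for the security-relevant settings."""
    given = parse_properties(text)
    cfg = {**DEFAULTS, **given}
    findings = []
    if cfg["web.vaadin.productionMode"].lower() != "true":
        findings.append(("web.vaadin.productionMode", "must be true in production"))
    if cfg["web.vaadin.disable-xsrf-protection"].lower() == "true":
        findings.append(("web.vaadin.disable-xsrf-protection", "XSRF protection is off"))
    if not cfg["web.client.xframeoptions"]:
        findings.append(("web.client.xframeoptions", "no X-Frame-Options header is sent"))
    if cfg[CSP] == "*":
        findings.append((CSP, "policy is still the default '*'"))
    if not given.get(HSTS):
        findings.append((HSTS, "no Strict-Transport-Security header configured"))
    for key in (k for k in DEFAULTS if k.endswith(".password")):
        if cfg[key] == DEFAULTS[key]:
            findings.append((key, "default password in use"))
    return findings


# Constructed sample, not taken from a real installation.
SAMPLE = """\
web.vaadin.productionMode = true
web.vaadin.disable-xsrf-protection = true
web.client.xframeoptions = SAMEORIGIN
web.client.headers.response.Strict-Transport-Security = max-age=31536000; includeSubDomains
web.client.hsx.supplier.password = supplier
"""

if __name__ == "__main__":
    for key, message in audit(SAMPLE):
        print(f"{key}: {message}")
```

An empty X-Frame-Options finding needs a judgement call where Supplier Portal or Supplier 360 is in use, because setting the header breaks the catalog editor there.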

Setup HTTPS/SSL Security

When configuring Product 360 Web for production usage, setting up HTTPS security is mandatory. Otherwise all user credentials will be sent as plain text over the internet. There are two scenarios for ensuring security:

  • Setup a Reverse Proxy that transparently forwards all requests to the Product 360 Application Server. SSL certificates are installed on the Reverse Proxy.

  • Install SSL certificates directly on Product 360 Application Server.

A combination of both is possible, too.

[Figure: PIM Web SSL scenarios]

Running Product 360 - Web behind a Reverse Proxy

For SSL support and security reasons, customers typically run web applications behind a dedicated web server (called a reverse proxy) which transparently handles all incoming requests from clients and forwards them to the Product 360 - Web application server.

Please expose only the dedicated P360 interface you want to use externally.

If the P360 web application should be used, expose only http://<hpmserver>:<hpmport>/pim to the public.

Never expose all endpoints running at http://<hpmserver>:<hpmport>.

Product 360 - Web supports this scenario and has been tested with Apache 2.2. If you have installed and configured the Apache, the following lines in httpd.conf are necessary for request forwarding:

# Load the needed mod_proxy modules
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
 
 
#Reverse Proxy
ProxyPass /pim http://<hpmserver>:<hpmport>/pim
ProxyPassReverse /pim http://<hpmserver>:<hpmport>/pim

For setup of SSL, please refer to the corresponding Apache manuals. For a guide how to export a certificate or private key from the Java keystore into an Apache Webserver compatible format, please check this page at http://security.stackexchange.com/questions/3779/how-can-i-export-my-private-key-from-a-java-keytool-keystore .

An example configuration for setting up a Reverse Proxy together with a Virtual Host for https looks like this:

# LoadModule is only allowed in the main server configuration, not inside <VirtualHost>
LoadModule headers_module modules/mod_headers.so

<VirtualHost _default_:443>
    ProxyPass "/pim" "http://localhost:1512/pim"
    ProxyPassReverse "/pim" "http://localhost:1512/pim"
    # Apache sets X-Forwarded-Host and X-Forwarded-For headers by default, but not X-Forwarded-Proto which is required by Jetty
    RequestHeader set X-Forwarded-Proto "https"
    SSLEngine on
    ServerName localhost:443
    SSLCertificateFile "${SRVROOT}/conf/ssl/server.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server.key"
</VirtualHost>

Install SSL certificates on Product 360 Application Server directly

It is possible to setup SSL security on the Product 360 Application server, too. This is useful, if the connection between the Reverse Proxy and the Product 360 Server should be encrypted and secured, too.

To enable https, open the file <P360_SERVER>\configuration\HPM\NetworkConfig.xml.

<node identifier="pim-server1" host="localhost" >
    <web useHttps="true">
        <http port="1512"/>
        <https port="8443" keyPassword="password" keystore="C:/Users/sroeck/.keystore" password="password"/>
    </web>
    <data-grid port="1801"/>
    <internal defaultRequestTimeout="300000">
        <hlr-tcp port="1701" />
    </internal>
    <default-role>CLIENTS_SERVER</default-role>
    <default-role>JOB_SERVER</default-role>
</node>

Please consult the Product 360 Configuration guide for a full list of all supported parameters.

Add the following lines to the Product 360 Server launch configuration (wrapper.conf) as JVM arguments to let Jetty know where the SSL certificate can be found:

-Djavax.net.ssl.keyStore=C:/Users/sroeck/.keystore
-Djavax.net.ssl.keyStorePassword=password

Setup Load Balancing

Please expose only the dedicated P360 interface you want to use externally.

If the P360 web application should be used, expose only http://<hpmserver>:<hpmport>/pim to the public.

Never expose all endpoints running at http://<hpmserver>:<hpmport>.

Apache Web Server

If there is a cluster of Product 360 servers then the SSL/TLS-enabled Reverse Proxy described above can be configured as a load balancer with sticky sessions:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
# Apache 2.4 (httpd does not allow a comment at the end of a directive line)
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
# mod_headers is needed for the Header directive below
LoadModule headers_module modules/mod_headers.so

Header add Set-Cookie "ROUTEID_HPMW=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
<Proxy balancer://hpmwcluster>
    BalancerMember http://<hpmserver01>:<hpmwport01> route=1
    BalancerMember http://<hpmserver02>:<hpmwport02> route=2
    BalancerMember http://<hpmserver03>:<hpmwport03> route=3
    BalancerMember http://<hpmserver04>:<hpmwport04> route=4
    ProxySet stickysession=ROUTEID_HPMW
</Proxy>
ProxyPass /pim balancer://hpmwcluster/pim
ProxyPassReverse /pim balancer://hpmwcluster/pim

Host and HTTP port for the nodes are defined in the corresponding elements of the NetworkConfig.xml. Please note that available scheduling algorithms and required modules differ between Apache httpd 2.4 and 2.2. The balancer manager provides some statistics and enables dynamic update of balancer members; please refer to the corresponding paragraph of the httpd documentation for details.
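
The rule stated in both the reverse proxy and the load balancing sections, expose only /pim and never the whole server, can be checked mechanically. The following Python script is an added example, not part of the product or of Apache: it scans an httpd configuration for ProxyPass rules whose public path or backend path reaches beyond /pim. The function names, host names and sample configuration are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Two-argument form: ProxyPass <public path> <backend URL>, optionally quoted.
PROXYPASS = re.compile(r'ProxyPass\s+"?([^\s"]+)"?\s+"?([^\s"]+)"?', re.I)


def under_pim(path):
    """True if path is /pim itself or something below it."""
    return path == "/pim" or path.startswith("/pim/")


def lint_proxypass(conf_text):
    """Return (line_no, message) for ProxyPass rules reaching beyond /pim.

    Only the two-argument server/virtual-host form is handled; ProxyPass inside
    <Location>, ProxyPassMatch and RewriteRule [P] are out of scope here.
    """
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), start=1):
        m = PROXYPASS.match(raw.strip())
        if not m:
            continue  # comments, ProxyPassReverse and other directives
        public, backend = m.groups()
        if backend == "!":  # "ProxyPass /path !" excludes a path from proxying
            continue
        if not under_pim(public):
            findings.append((no, f"public path {public!r} is outside /pim"))
        backend_path = urlsplit(backend).path or "/"
        if not under_pim(backend_path):
            findings.append((no, f"backend path {backend_path!r} is outside /pim"))
    return findings


# Constructed httpd.conf excerpt; host names are placeholders.
SAMPLE_CONF = """\
# reverse proxy rules
ProxyPass /pim http://app01.example.internal:1512/pim
ProxyPassReverse /pim http://app01.example.internal:1512/pim
ProxyPass / http://app01.example.internal:1512/
ProxyPass "/pim" "http://app01.example.internal:1512/"
ProxyPass /pim balancer://hpmwcluster/pim
"""

if __name__ == "__main__":
    for line_no, message in lint_proxypass(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```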

AWS ELB

Follow the instructions on the official AWS ELB documentation pages at http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/setting-up-elb.html

If you want to configure health check, make sure the ping is sent to the login page at http://server:1501/pim/login.

Make sure to configure Sticky Sessions and preferably use Application-Controlled Session Stickiness as described on http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-sticky-sessions.html.

The application cookie name is JSESSIONID, so the configuration might look like this:

"AppCookieStickinessPolicies": [
    {
        "PolicyName": "my-app-cookie-policy",
        "CookieName": "JSESSIONID"
    }
]

Troubleshooting Reverse Proxy / LB Setup and Product 360 Push issues

Product 360 uses Server-side push functionality implemented by the Vaadin framework. The supported modes can be configured in webfrontend.properties:

# Transport mode for server side push. Possible values: WEBSOCKET, STREAMING, LONG_POLLING. Default is STREAMING.
web.vaadin.pushTransport=STREAMING

Please note that WEBSOCKET is not supported.

In case you're experiencing issues after login, e.g. spinning loading indicator, time-outs, unresponsiveness or session time-outs, try one of the following things:

  • Switch pushTransport mode to STREAMING or LONG_POLLING. A server restart is required for the change to take effect. LONG_POLLING seems to be more stable behind proxies than STREAMING.

  • Check if the issue can be reproduced in the local network, when calling the app on the server directly.

  • Make sure that a proxy doesn't buffer requests.

    • In Apache, add "KeepAlive Off" in the virtual host section.

    • In IIS, set "Response buffer threshold" to 0.

  • Turn http compression off, if enabled.

Some general hints regarding Push issues with Vaadin can be found on https://vaadin.com/wiki/-/wiki/Main/Working+around+push+issues