Versions Compared

Old Version 15

changes.mady.by.user Unknown User (r.de.haard)

Saved on

compared with

New Version Current

changes.mady.by.user Tijmen Daatselaar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Table of Contents

Subpages

Children Display

This chapter describes how to configure Blueriq Studio before getting started.

License

Before you can start Blueriq you have to copy a valid license file into the license directory. The license file is called “license.aql”. You can find the directory here: [Blueriq installation directory]\Studio\Configuration\License.

Security and User Management

During the installation of Blueriq Studio you have chosen a security mode. This paragraph will explain how to configure each security mode.

Blueriq supports three types of security modes:

  • NTLM authentication and authorization:

The authorization and authentication is done against active directory. Active directory groups can be mapped to a Blueriq Studio role.

  • NTLM authentication and custom authorization:

The authorization and authentication is done against active directory. Each active directory user can be mapped to a Blueriq Studio role.

  • Custom Authentication:

The authorization and authentication is managed in Blueriq Studio. Users can be created in Blueriq Studio and mapped to a Blueriq Studio role.

...

titleNTLM authentication and authorization

NTLM authentication and authorization

The Studio Server authenticates using OpenID Connect (with Keycloak), so that users login using credentials that are managed externally.

Authorization can be achieved by mapping roles/groups provided by the external provider to Encore/Studio roles (see Group access).

Note

OpenID Connect for the Studio is currently only supported in combination with the provided Keycloak server, and only for a subset of the full OIDC specification and Keycloak features. While OIDC is an open standard, in practice there can be differences in the various implementations. This does not automatically exclude compatibility with other implementation, but we can not guarantee it.

Studio Server

...

To configure the Studio Server's connection to Keycloak, go to

[Blueriq Installation directory]\

...

Studio\

...

Services\

...

StudioService.dll.config and search for <security>. It contains an <oidc> element:

html/
Code Block
language
xml
<?xml
<oidc
version
authority="
1.0"?> <RoleMappings> --> <RoleMapping> <Group>LDAP1</Group> <Group>LDAP2</group> <UserRole>Administrator</UserRole> </RoleMapping> <-- </RoleMappings>

The text between the arrows shows a role mapping. The LDAP groups LDAP1 and LDAP2 are mapped to the Administrator role in Blueriq Studio. You can change the LDAP groups to your specific groups that must have full access to Blueriq Studio.

After the installation of Blueriq Studio only the user role Administrator exists. In Blueriq Studio you can create new roles with other permissions.

To map an active directory group to a user role, copy the text between the arrows from above and paste this after the </RoleMapping>-tag. Change the group name to the active directory group that you want to map to a user role. Change the User Role name to the user role you want to map to the active directory group. You can add more groups to the same user role.

For example: In Blueriq Studio you have created a new role with the name Test1. You want to map the active directory group Blueriq2 to this role. You must have the following text in the RoleMappings.xml file:

Code Block
languagehtml/xml
<?xml version="1.0"?>
  <RoleMappings>
    <RoleMapping>
      <Group>Blueriq</Group>
      <UserRole>Administrator</UserRole>
    </RoleMapping>
    <RoleMapping>
      <Group>Blueriq2</Group>
      <UserRole>Test1</UserRole>
    </RoleMapping>
  </RoleMappings>
UI Expand
titleNTLM Authentication and custom Authorization

NTLM Authentication and custom Authorization

For this security mode you have to map active directory users to Blueriq roles. To do this, go to the directory [Blueriq Installation directory]\Studio\Configuration\Security\UserAccess\. In this directory you will find a file named UserAccess.xml.

Code Block
languagehtml/xml
<?xml version="1.0"?>
  <Users>
--> <User Name="Admin">
    <Role>Administrator</Role>
  </User> <--
</Users>

The file contains a user Admin. This user is not an active directory user. In this security mode you can only use active directory users. You have to change the name in an active directory username with the syntax <domainname>\<username>.

For example: The domain name is Blueriq and the username of the user that needs full access to Blueriq Studio is Test, you have to change Admin into Blueriq\Test. You can insert more users with the same role.

This example results in the follow text:

Code Block
languagehtml/xml
<?xml version="1.0"?> <Users> <User Name="Blueriq\Test"> <Role>Administrator</Role> </User> </Users>
UI Expand
expandedtrue
titleCustom Authentication

Custom Authentication

This security mode is fully controlled in Blueriq Studio. You can login with the default credentials:

  • Username: admin

  • Password: welcome

Note

To activate changes restart the Studio server.

Logging

If any problem occurs with authorization or authentication you can use the  audit.log to trace and find the cause.

Secure the administration page

By default the administration page is not secured, which means that any user that can access the environment on which Studio or the Runtime is located can also access the administration page. A user can download/upload the repository through the administration page, so you might want to allow only specific users to access this page.

To achieve this you have two possibilities:

  1. You can secure the administration page through Studio.
  2. You can restrict the administration page to all Studio users.

IIS

First open the Internet Information Services (IIS) Manager from the Start menu on the machine where Blueriq is installed.

Image Removed

Browse to the administration site by expanding the tree on the left as shown below and double click Authentication.

Image Removed

By default IIS allows Anonymous access to the site.

Image Removed

Disable Anonymous Authentication and enable Basic Authentication by right clicking the appropriate authentication and choosing enable/disable.

Image Removed

Now when you browse to the administration page, a popup will be shown asking for credentials. But first we must specify which users and/or groups can access the administration page.

To do this, first return to the administration site and select authorization rules.

Please note: if you do not see authorization rules as shown below, you must first enable this feature in IIS.

Image Removed

By default all users have access.

Image Removed

Remove the entry allowing all users access by right-clicking on it and choosing remove. Then you can add a new Allow rule by right-clicking. Here you can specify users or groups from both the local machine or the active directory if the machine is part of a domain.

Image Removed

Please note that this is not related to the authentication you have chosen for the Studio. So for example you can configure the Studio with one of the NTLM modes to authenticate against active directory, while you can secure the administration page with a local user on the machine.

Studio users

Another way to restrict the administration page, is by restricting it to all Studio users. This relies on the authorization mechanism that Studio uses. To configure this, you have to change the configuration of the administration page. This can be found in the [Blueriq installation directory]\Studio\wwwroot\Administration\Web.config file.

The administration page uses a connection to the management service. This connection requires a username and password, which by default is set during the installation of Blueriq:

Code Block
languagexml
<managementservice>
<connection url="http://localhost:8095/Services/ManagementService" user="administrationpage" password="administrationpage"/>
</managementservice>

If the user and password in this configuration is cleared, the administration page will prompt for authorization when accessed. When the username and password of a Studio user is entered, the administration page will be shown.

UI Text Box
typenote

Please note that the user and password tag have to exist in the configuration, so clear their values instead of removing them. Example:

Code Block
languagexml
<managementservice>
<connection url="http://localhost:8095/Services/ManagementService" user="" password=""/>
</managementservice>
http://localhost:15098/Keycloak/realms/BlueriqStudio15" clientid="studio-server" clientsecret="" rolespath="realm_access.roles">
  <rolemappingdao class="Aquima.Studio.Server.UserAccess.Xml.XmlRoleMappingDao, UserAccess">
    <parameters>
      <parameter value="../Configuration/Security/RoleMappings" />
    </parameters>
  </rolemappingdao>
</oidc>

The authority and client-secret have been configured during installation. To check the validity of the authority url, open [authorityUrl]/.well-known/openid-configuration in your browser, the result should be a JSON response.

To map the roles of an OIDC user to Blueriq roles, see Group access.

User Management

Studio connects to a Keycloak server provided with the Blueriq installation. Users may be managed via the admin console of the Keycloak server. This Keycloak server can also be configured to connect to an Active Directory with NTLM or Kerberos.

See the User management for more information about adding, editing, and deleting users in Keycloak.

See the Keycloak configuration for more information about the default configuration and user federation in Keycloak.

Management Service

Requests to the management service should use Basic authentication.

Logging

If any problem occurs with authorization or authentication you can use the audit.log to trace and find the cause.

Data storage
Anchor
Data storage
Data storage

Model data within the Blueriq Studio server is stored in one of two locations: work that is being done in a branch is stored in a relational database (PostgreSQL) until it is committed, at which point it is archived for long-term storage in a version control system separate from Blueriq Studio.

Both storage components are included and managed by the Blueriq Installer, no configuration is required.

Creating backups

To create a backup of all Studio datarepositories on a server, two options exist: the Blueriq Repository Backup tool, which can be scheduled, or a manual download from the administration pageBlueriq Encore.

Option 1: Blueriq Backup Tool

To backup all relevant content that is stored by Blueriq StudioEncore, the Management Service has a SOAP operation to duplicate its data storage to a single file on disk. For typical automated backup strategies it is cumbersome to interact with a SOAP service, therefore Blueriq provides a tool that can be run from a batch/bash script to perform this operation.

The backup tool is included in the installation zip, and can be downloaded from the customer-area of my.blueriq. The tool can be run using the following parameters:

Code Block
languagexml
titleBasic authenticationbash
java -jar blueriq-studio-backup-tool.jar backup --studioUrl=http://studio.server:90160/Studio/Server/Services/ManagementService --username=user --password=password --path=backup/path/repository.zip

...

Info
titleSystem Requirements

The backup tool requires Java 11.

Note
titleKeep multiple days of backup

It is recommended that the file that is created by running the tool is not considered as primary backup, but replicated on a different machine and that backups from multiple days are retained! As such, we strongly advise to copy the resulting file somewhere safe and to avoid overwriting the backup of the prior

...

seven days.

UI Expand
titleBackup has timed out

When experiencing timeouts during the creation of a backup using either the backup tool, you can adjust the timeout settings using the following guidelines:

Using the  --timeout parameter you can set the timeout period in seconds, when setting it to zero the timeout period will be removed completly.

Code Block
languagebash
java -jar blueriq-studio-backup-tool.jar backup --timeout=0

Option 2: Download from

...

Blueriq Encore (max 2 GB)

  • Log in to Blueriq Encore as admin

  • Click on the cog icon in the bottom left corner
  • Go to the "Backup and restore" tab

...

    Open the administration page from the welcome page and open the “Repository” tab.

  • Click on “Create

    • Backup”

  • backup” and save the file to a backup location.

Restoring backups

Only backups created from the same or older versions of Blueriq Studio can be restored. If a backup of an older version is restored the repository is automatically upgraded by Blueriq Studio.

Option 1: Blueriq Backup Tool

The backup tool as mentioned above can also be used to restore a backup using the following parameters:

Code Block
languagebash
java -jar blueriq-studio-backup-tool.jar restore --studioUrl=http://studio.server:90160/Studio/Server/Services/ManagementService --username=user --password=password --path=backup/path/repository.zip

As is the case with creating a backup, the path in the above command is in terms of the machine the machine where the Studio server is installed on, not on the machine the tool is run from.

Option 2: Upload in

...

Blueriq Encore (max 2 GB)

  • Log in to Blueriq Encore as admin

  • Click on the cog icon in the bottom left corner
  • Go to the "Backup and restore"

...

  • Open the administration page from the Welcome page and open the “Repository” tab
  • Click on
    • the “Browse” button near the “Upload Backup” button, browse to the backup file and click “Upload Backup”.
  • “Upload backup” and select the backup file
  • Click on "Restore backup" to resotre the backup

When the upload has completed all users are logged out and the system automatically refreshes. There is no need to restart the server.

...

Info
titleDownload Tool

The Blueriq Studio Backup Tool can be found on the Customers page under the button Studio Data Backup Tool

Commit hook

The commit hook is a feature that sends an HTTP request to a configured endpoint whenever a commit is performed from within studioEncore. This allows you to create buildpipelines that get triggered from Blueriq.

To enable this feature, add the configuration below to the studio section of the config file for Blueriq Studio Server (StudioService.exedll.config).

Code Block
languagexml
<configuration>
  <studio>
    ...
	<commithook url="http://localhost:3210" />
    ...
  </studio>
</configuration>

Once you've configured the endpoint, each commit in Blueriq Studio Encore will cause an HTTP POST request to be sent to the endpoint containing the information below.

...