PA Provider Deployment Guide
Open-Xchange HE + Parallels Operations Automation - Integration Instructions
This document covers the basic installation and configuration steps needed to integrate an Open-Xchange HE server into a POA environment. It does not cover any OX setup tuning. It is intended for POA and/or OX specialists, since these configuration instructions require very deep knowledge of both products.
Details about the APS package are listed on the APS website.
Details about the APS package deployment/configuration within the POA environment can be found in the current "Application Hosting Deployment Guide" on the parallels.com website.
Basic Installation of OX
Follow the "Hosting Edition deployment tutorials" at Main_Page_HESE#quickinstall to install Open-Xchange Hosting Edition on your favorite Linux distribution, but install the packages below instead of the default OX meta packages named in the manual, because the POA integration needs a different set of software:
mysql-server open-xchange-meta-parallels
Important: Stop before the step "Creating contexts and users". It is not necessary, since all administration of contexts and users will be handled via POA.
Installation and Configuration of OX Business Mobility
If you plan to sell the Open-Xchange Business Mobility function (synchronization with mobile phones) in combination with POA, you should also follow the official installation guide, which can also be found on the OXPedia website:
Business Mobility Installation
Installation and Configuration of SOAP interface
To allow POA to provision contexts and users to Open-Xchange, it is necessary to install the SOAP package on the OX server and configure it:
1. Log in to your Open-Xchange server and install the package open-xchange-admin-soap
2. Restart the Open-Xchange services:
On OX6 with backend versions >= 7.2.0:
$ /etc/init.d/open-xchange restart
On OX6 with backend versions <= 6.20.7:
$ /etc/init.d/open-xchange-admin restart
$ /etc/init.d/open-xchange-groupware restart
Installation of POA specific OX plugins
Please install the following packages on the OX server if this has not already been done by the meta package specified above. These are mandatory for the POA integration:
On OX6 with backend versions >= 7.2.0:
openxchange-parallels openxchange-parallels-gui openxchange-spamhandler-spamassassin openxchange-admin-soap
On OX6 with backend versions <= 6.20.7:
openxchange-custom-parallels openxchange-custom-parallels-gui openxchange-spamhandler-spamassassin openxchange-admin-soap openxchange-easylogin
IMPORTANT:
Make sure that you don't have any other "spamhandler" package installed, like "open-xchange-spamhandler-default". Also make sure that you don't have any other OX authentication package installed, like "open-xchange-authentication-database". Additionally, don't install the following packages, since they are not needed for the POA installation:
open-xchange-admin-plugin-contextrestore, open-xchange-log4j, open-xchange-passwordchange-database, open-xchange-passwordchange-servlet
If already installed, please uninstall them first!
These packages contain POA specific plugins for authentication, branding and advanced antispam capabilities. After you have installed these packages via your favorite package manager, like apt or yum, please restart the open-xchange server. To verify that the plugins are correctly loaded, please execute the command "listbundles", which is located in "/opt/open-xchange/sbin". It should return a list with all "ACTIVE" bundles.
If the bundle "com.openexchange.custom.parallels" is not set to "ACTIVE", please have a look at all OX logfiles located under "/var/log/open-xchange" and watch out for error messages.
Configuration of POA specific OX plugins
Important:
In Open-Xchange versions 6.22.2 and above or in OX App Suite (7.0.2 and above), you need to add this parameter to /opt/open-xchange/etc/login.properties:
com.openexchange.login.formLoginWithoutAuthId=true
You have to change some OX properties, otherwise the plugins you just installed will not work correctly.
a) To enable the OX-POA antispam functionality you must first edit file „/opt/open-xchange/etc/groupware/imap.properties“ and set property „com.openexchange.imap.spamHandler“ to value „SpamAssassin“.
# Define the registration name of the appropriate spam handler to use
com.openexchange.imap.spamHandler=SpamAssassin
Next you have to edit file „/opt/open-xchange/etc/groupware/spamassassin.properties“ and set property „com.openexchange.spamhandler.spamassassin.spamd“ to value „true“.
# Choose if a mail should be send to spamd afterwards
com.openexchange.spamhandler.spamassassin.spamd=true
INFO:
If the POA XML-RPC service runs on a port other than "3100", please edit the file "/opt/open-xchange/etc/groupware/parallels.properties" and set the property "com.openexchange.custom.parallels.antispam.xmlrpc.port" to your custom port.
Make sure that the OX host IPs are added to "/etc/mail/spamassassin/allowed_ips" on the POA antispam/mail server. Otherwise OX cannot connect to the POA SpamAssassin to learn new mails, and you will get "connection reset" errors in the open-xchange logfile.
2a) To configure POA antispam list management via the OX UI through POA-OpenAPI, you have to modify "/opt/open-xchange/etc/groupware/parallels.properties" and adjust the following parameters:
#
## OpenAPI properties for managing Black&White Lists via OX GUI
#
# This property defines the URL to the HTTP OpenAPI interface of POA
com.openexchange.custom.parallels.openapi.interface_url=http://<coreserver>:<port>/
#
# This property defines if OpenAPI calls should be made with http basic auth
com.openexchange.custom.parallels.openapi.auth_enabled=false
#
# This property defines OpenAPI http basic auth credentials auth id
com.openexchange.custom.parallels.openapi.auth_id=openapi_user_id
#
# This property defines OpenAPI http basic auth credentials auth password
com.openexchange.custom.parallels.openapi.auth_password=openapi_password
#
# The property defines the mount point of the OX OpenAPI servlet implementation.
# Typically, no need to change it.
com.openexchange.custom.parallels.openapi_servlet=/ajax/parallels/openapi
b) To enable correct branding for POA resellers and their customers, you have to define a "fallback" FQDN under which the OX installation is reachable with the default skin/theme via http/https.
To achieve this, please edit the file "/opt/open-xchange/etc/groupware/parallels.properties" and set the property "com.openexchange.custom.parallels.branding.fallbackurl" to the appropriate value for your OX installation.
# THIS property below must only contain FQDN to OX GUI
# like webmail.system.com/ox6
com.openexchange.custom.parallels.branding.fallbackurl=ox.aps.sw.ru
c) To enable creation of OX contexts (customers) via POA correctly you have to edit file „/opt/open-xchange/etc/admindaemon/plugin/hosting.properties“ and set property „CHECK_CONTEXT_LOGIN_MAPPING_REGEXP“ to value „[$%:\\.+a-zA-Z0-9@_\\/\\|-]“
# pattern of allowed chars in login mapping names
CHECK_CONTEXT_LOGIN_MAPPING_REGEXP=[$%:\\.+a-zA-Z0-9@_\\/\\|-]
d) To enable correctly generated direct links when the customer/context is branded, you have to edit the file "/opt/open-xchange/etc/groupware/notification.properties" and set the property "object_link" to the value "http://[hostname]/#m=[module]&i=[object]&f=[folder]"
object_link=http://[hostname]/#m=[module]&i=[object]&f=[folder]
e) To support IDN Domains you also have to switch off username validation. To achieve this, please modify file "/opt/open-xchange/etc/admindaemon/User.properties" and update corresponding property:
CHECK_USER_UID_FOR_NOT_ALLOWED_CHARS=false
f) The Open-Xchange SOAP interface is used by POA to provision the OX system. To restrict access to this interface, we recommend that you add the following lines to the apache2 configuration of OX (/etc/apache2/conf.d/ox_soap_access.conf).
The following example configuration will allow SOAP requests only from "localhost" and IP address "172.16.65.1". Make sure you edit this configuration according to your actual POA environment/network. If you don't know the IP address of the POA host which will use the SOAP interface, contact the POA specialist who is responsible for the project. If you need more fine-grained access restrictions, see the "mod_access" documentation at www.apache.org.
<Location /servlet/axis2/services>
    Order Deny,Allow
    Deny from all
    Allow from 172.16.65.1 127.0.0.1
</Location>
After you have edited all these properties, please restart the "open-xchange-groupware", "open-xchange-admin" and apache services via their init scripts. Now you need to write down the "oxadminmaster" username and its password, which you set up during installation of the normal OX system. Then you should give these credentials and the OX IP/hostname to the POA specialist. He will enter this information in the POA environment.
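An added example, not part of the original guide or of any Open-Xchange or Parallels tooling: a shell audit that checks the fixed values from steps a), c), d) and e) and the SOAP access block from step f) against a config tree. File paths and expected values are the ones given above; the function names and the two optional arguments are made up for this example, and the site-specific or version-dependent settings (parallels.properties, login.properties) are left out.

```shell
# Added example, not part of the guide: audit an OX config tree against steps a)-f).
# Paths and expected values come from the guide; the function names are made up here.
# prop_value FILE KEY: print the value of the last uncommented KEY=VALUE line.
prop_value() {
    [ -r "$1" ] || return 1
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key != k) next
            v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); found = 1
        }
        END { if (!found) exit 1; print v }' "$1"
}

# expect FILE KEY WANT: succeed only if KEY is set to the value the guide gives.
expect() {
    got=$(prop_value "$1" "$2") || { printf 'MISSING  %s (%s)\n' "$2" "$1"; return 1; }
    [ "$got" = "$3" ] && return 0
    printf 'MISMATCH %s: got "%s", guide says "%s"\n' "$2" "$got" "$3"; return 1
}

# soap_restricted CONF: succeed only if the axis2 <Location> block (Apache 2.2
# Order/Deny/Allow syntax, as in step f) denies by default and never allows "all".
soap_restricted() {
    block=$(sed -n '/<Location  *\/servlet\/axis2\/services>/,/<\/Location>/p' "$1" \
        2>/dev/null | grep -v '^[[:space:]]*#') || return 1
    printf '%s\n' "$block" | grep -qi 'Deny  *from  *all' || return 1
    ! printf '%s\n' "$block" | grep -qi 'Allow  *from  *all'
}

# audit_ox_poa [ETC_DIR] [SOAP_CONF]: print findings; exit status 0 means clean.
audit_ox_poa() {
    etc=${1:-/opt/open-xchange/etc}
    conf=${2:-/etc/apache2/conf.d/ox_soap_access.conf}
    bad=0
    while read -r file key want; do
        expect "$etc/$file" "$key" "$want" || bad=1
    done <<'EOF'
groupware/imap.properties com.openexchange.imap.spamHandler SpamAssassin
groupware/spamassassin.properties com.openexchange.spamhandler.spamassassin.spamd true
groupware/notification.properties object_link http://[hostname]/#m=[module]&i=[object]&f=[folder]
admindaemon/plugin/hosting.properties CHECK_CONTEXT_LOGIN_MAPPING_REGEXP [$%:\\.+a-zA-Z0-9@_\\/\\|-]
admindaemon/User.properties CHECK_USER_UID_FOR_NOT_ALLOWED_CHARS false
EOF
    soap_restricted "$conf" || { printf 'OPEN     %s is not deny-by-default\n' "$conf"; bad=1; }
    return "$bad"
}
```

Calling audit_ox_poa with no arguments on the OX host checks the live paths. A property that sits behind a leading # (for example, pasted onto the end of its comment line) is reported as MISSING, because the properties parser treats the whole line as a comment.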
APS Package Resource configuration
Starting with APS package version 7.0, there are some important new configuration options that you need to take care of. With versions 7.0 and above, the package supports Open-Xchange 6.20.7 and Open-Xchange backend versions >= 7.2.0.
Configure the appropriate Autologin path
For Open-Xchange Server versions > 6.20.7, Easylogin is not available anymore!
OX App Suite or OX 6
Depending on whether you plan to integrate OX App Suite or OX 6, you have to select the correct identifier.
Running OX App Suite and OX 6 in parallel
In a parallel setup of OX App Suite and OX6, you may want to access both from your POA. This can be achieved by creating two resource types in the POA Provisioning Manager: one for OX App Suite and one for OX 6. In the Product path setting, you can specify either the path to OX App Suite or the path to OX6.
Note: Do not configure an automatic redirect/url rewrite in this case.