PLEASE NOTE: Despite our best efforts to maintain up to three active release branches, support for older branches can decrease because our project volunteers may be focused on other issues. We recommend using releases from the most recent branch wherever possible.
We strongly encourage OFBiz users to report security problems affecting OFBiz to the private security mailing lists (either secu...@ofbiz.apache.org or secu...@apache.org) before disclosing them in a public forum. Please don't pack several vulnerabilities into the same report; send them one by one, thanks in advance.
Note that we no longer create CVEs for post-auth attacks done using demo credentials, notably the admin user. Instead, create bug reports in our issue tracker (Jira) for those. Please don't create Jira issues for unauthenticated (aka pre-auth) reports, thanks in advance.
One of the reasons we no longer create CVEs for post-auth attacks done using demo credentials is that we strongly advise OFBiz users not to use the demo credentials in production, and we expect them to follow that advice. We also warn our users on the "Keeping OFBiz secure" wiki page. Finally, we mostly reject post-auth vulnerabilities because we have a solid CSRF defense.
Copyright 2024 The Apache Software Foundation. Licensed under the Apache License, Version 2.0.
Apache OFBiz, OFBiz, the project logo and the Apache feather logo are trademarks of The Apache Software Foundation.
Expert Recommendation: If you only intend to install a release version of OFBiz you will not need the SVN client. But normally you would want to have the SVN client in order to be able to upgrade easily.
2) Build using "[./]gradlew" (add "./" on *nix systems) to use the embedded Gradle, which comes with its wrapper, hence gradlew and not gradle in the command. Do this from the OFBiz home directory (i.e. the directory where you installed OFBiz). Note: you can get more information about Gradle tasks using "gradlew tasks".
By default OFBiz includes and is configured for an embedded Java database called Derby. This database used to be called Cloudscape but was purchased by IBM, changed to be DB2 specification compliant, and then released as open source. This is a great database for demonstration, testing, development, and even small-scale production environments.
Expert Recommendation: We generally do not recommend the Derby database for production because it is not as easy to administer and optimize, and will generally not perform as well as more substantial or native databases. This is mainly because Derby is a lightweight Java database.
Expert Recommendation: There are many databases that OFBiz can use, both commercial and open source. While there are significant production instances of OFBiz running using Oracle, MS SQLServer, and so on, we generally recommend using an open source database such as Postgres or MySQL. Which database to use is an important decision and may have future impacts on your implementation. If you do not have a preferred database choice then we strongly recommend discussing options with an experienced consultant before making a final decision.
Expert Recommendation: if you are using an external application server or want to set up more advanced Entity Engine configurations, see the Entity Engine Configuration Guide or other online documentation. The training videos from Undersun Consulting are highly recommended if you get into more advanced usage of OFBiz.
To load the initial data just use the OFBiz install routine through gradlew or directly with Java and the build/libs/ofbiz.jar executable JAR file. By default the install routine will load the "seed" and "demo" sets of data files, as defined in the entityengine.xml file and in the ofbiz-component.xml file in each component.
Definition: Seed Data is data that an application requires in order to run. It is created and maintained along with the code and should be loaded into the database when the code is updated. It should not be changed or removed in the application database without first having done so in the Seed Data XML files. In OFBiz these are the source of the Seed Data and they are maintained in the code repository along with the code. Add-in components should do the same for this sort of data.
Definition: Seed Initial Data is data that is only required the first time the system is loaded, like the password of the admin user. Later, if you want to update the seed data, you would normally not want the admin password to be set back to 'ofbiz'.
For larger installations we recommend creating data files with your own settings, copied from the demo data, or simply creating all data from scratch. These can be added to the "ext" set of install data files, which is done by referencing those files in an ofbiz-component.xml file entity-resource tag with the attribute reader-name="ext".
Expert Recommendation: While the "admin" party is the most critical user whose password you need to make sure is changed, there are other parties you should also check, changing the password for all User Login accounts associated with them. This includes "ltdadmin" and "externaluser". If the demo data is loaded (done by default) then also change the passwords for the users "DemoBuyer", "DemoRepAll", and "DemoRepStore".
Fresh from SVN, this file is configured to be development friendly and reloads resources frequently. For production use, the expire times for the caches in the last section of the file should all be commented out by putting a hash sign "#" at the beginning of each line. The properties in question start with "minilang.", "script.", "webapp.", "widget." and "template.".
Disabling the "info" and "timing" level properties can save some resources on the server, but we recommend leaving all of the others enabled. To do this just change the values of the "print.info" and "print.timing" properties to anything except "true".
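A quick audit for the accounts listed above, as an added example that is not part of the OFBiz documentation: it reports which of those User Login accounts still carry the demo password 'ofbiz'. It assumes the UserLogin rows are available as entity-engine XML with one element per line (an OFBiz data file or a Web Tools export) and that currentPassword uses the legacy "{SHA}<hex sha1>" format; the sample data it scans is constructed inline.

```shell
#!/bin/sh
# Added example (not OFBiz project code): find demo accounts still using the default password.
# Assumptions: one <UserLogin .../> element per line; legacy "{SHA}<hex sha1>" password format.

# Hex SHA-1 of stdin, using whichever tool the host provides.
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum -a 1; fi | cut -d' ' -f1
}

# Legacy OFBiz hash string for a clear-text password (assumed format), computed, not hard-coded.
legacy_hash() {
    printf '{SHA}%s' "$(printf '%s' "$1" | sha1_hex)"
}

# Print one line per listed account whose currentPassword is still the hash of "ofbiz".
find_default_logins() {
    file="$1"
    default="$(legacy_hash ofbiz)"
    for user in admin ltdadmin externaluser DemoBuyer DemoRepAll DemoRepStore; do
        if grep -F "userLoginId=\"$user\"" "$file" | grep -qF "currentPassword=\"$default\""; then
            echo "$user"
        fi
    done
}

# Constructed sample export: admin and DemoBuyer unchanged, ltdadmin already rotated.
write_sample() {
    cat > "$1" <<EOF
<entity-engine-xml>
    <UserLogin userLoginId="admin" currentPassword="$(legacy_hash ofbiz)" requirePasswordChange="Y"/>
    <UserLogin userLoginId="ltdadmin" currentPassword="$(legacy_hash 'rotated-example-secret')"/>
    <UserLogin userLoginId="DemoBuyer" currentPassword="$(legacy_hash ofbiz)"/>
</entity-engine-xml>
EOF
}

SAMPLE="${TMPDIR:-/tmp}/userlogin-sample.xml"
write_sample "$SAMPLE"
find_default_logins "$SAMPLE"   # prints: admin, DemoBuyer
```

Run it against a real export before going to production; any account it prints still needs a new password.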
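The two production adjustments above, applied to copies of cache.properties and debug.properties, as an added example that is not part of the OFBiz documentation. It assumes both files are plain key=value lines and that the cache expire-time keys start with the prefixes named above; the sample keys it edits are constructed stand-ins, not the real property names.

```shell
#!/bin/sh
# Added example (not OFBiz project code): production settings for cache.properties and
# debug.properties. Assumes plain key=value lines; sample keys below are constructed.

# Comment out every property whose key starts with one of the cache prefixes,
# leaving lines that are already comments untouched.
disable_cache_expire_times() {
    sed -E 's/^((minilang|script|webapp|widget|template)\.)/#\1/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Set print.info and print.timing to false (any value other than "true" disables them).
disable_info_and_timing() {
    sed -E 's/^(print\.(info|timing))[[:space:]]*=.*/\1=false/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Count active (uncommented) cache-prefix lines that remain; 0 means the file is ready.
count_active_cache_expire_times() {
    grep -cE '^(minilang|script|webapp|widget|template)\.' "$1" || true
}

CACHE="${TMPDIR:-/tmp}/cache-sample.properties"
DEBUG="${TMPDIR:-/tmp}/debug-sample.properties"

# Constructed samples: one unrelated key, two active expire times, one already commented.
write_samples() {
    printf '%s\n' 'cache.file.store=true' \
        'widget.screen.expireTime=0' \
        'script.groovy.expireTime=0' \
        '# template.ftl.expireTime=0' > "$CACHE"
    printf '%s\n' 'print.error=true' 'print.info=true' 'print.timing = true' > "$DEBUG"
}

write_samples
disable_cache_expire_times "$CACHE"
disable_info_and_timing "$DEBUG"
count_active_cache_expire_times "$CACHE"   # prints: 0
```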
If your LDAP installation is simple (all of your users are in a single organization unit) then these are all the changes needed. If your users are in more than one organizational unit, then you will need to set up each user's distinguished name using the Party Manager View Profile -> Update UserLogin Security Settings screen.
By default, OFBiz will authenticate the user to LDAP first, and if successful it will synchronize the user's OFBiz password to the user's LDAP password, and then proceed to authenticate the user to OFBiz (using OFBiz's internal permissions logic). If LDAP authentication is unsuccessful, the user is still authenticated to OFBiz. This is the behavior appropriate for most installations.
If you want the entire authentication process to fail if LDAP authentication fails, then set the security.ldap.fail.login property in $ofbiz install dir/framework/security/config/security.properties to true. Only users who are in the LDAP directory will be able to use OFBiz. This would be appropriate for installations that use only the back office (manager) applications.
The following configuration files contain port configurations that may be configured for custom OFBiz installations.
You may also use the global portoffset Java property. Use "gradlew 'ofbiz ?'" or "java -jar build/libs/ofbiz.jar -h" to learn more about this option.
4. Download your certificate from the signing authority. Please remember to download the certificate in PKCS#7 format. If you get a certificate in PEM format, don't convert it to PKCS#7/P7B format but to DER format.
If you are having trouble getting OFBiz to connect to your mail server, try disabling your anti-virus software (temporarily) as it may block attempts to send emails from unknown applications because it thinks they are being sent by a virus.
Another possible issue is the presence in the database of SystemProperty data that could override the general.properties configuration. Be sure to check that there are no mail properties in the SystemProperty table.
It is often desirable to have one of the webapps mounted on the root. This is often either the ecommerce webapp or your own web site; a site created as a webapp in an OFBiz component would be set up the same way.
For production use you will want to set up a start script that contains special settings for things like memory heap size, and so on. There are example start and stop scripts in the root ofbiz directory in the startofbiz.sh and stopofbiz.sh files.
Expert Recommendation: Instead of running the startup and shutdown scripts manually it might be better to set them up as services on the system, or to use something like daemontools to make sure the process is restarted automatically if it goes down for some unexpected reason.
Each component running in OFBiz can have its own set of tests. These are usually defined in the "testdef" directory in each component, and the test set XML files are specified in the ofbiz-component.xml file for each component.
Expert Recommendation: While some steps can be taken at this point in the configuration process, the real performance testing and tuning should be done after you have set up your catalog, categories and products, and after you have customized any templates you plan to.
You can get a lot of good information on database and configuration file (XML, properties, etc) performance by looking at the statistics in the cache management page in Web Tools. They are all listed there with statistics about hits and misses, and about why cache misses happened.
If you are running into problems with Soft References (as seen on the cache management page in WebTools), the case is generally that your heap memory settings are less than ideal. Every time Java does a memory allocation and finds it needs to grow the heap size it first does a garbage collection and clears out soft references. The Entity Engine caches all use Soft References to avoid overrunning memory with cached database data.