Setting up

Setting up web services for 1C:Enterprise

General information

This chapter describes the functionality settings of the web servers for operation with the web client and web services, and the OpenID authentication support settings. After publishing, access to the published components is as follows:

Access to the web client. To start the web client, use the address generated according to the following rules: <Web server host name>/<Virtual directory name>. If the name of the virtual directory is DemoCfg, type the following URL to start the web client (to get access from a local computer): http://localhost/DemoCfg.
Access to web service. To access the Web service use the address that generates as follows: <Web server host name>/<Virtual directory name>/ws/<Web service name> or <Web server host name>/<Virtual directory name>/ws/<Web service address>.
For example, if the virtual directory has the name DemoWS, the name of web service in Designer is shown as OperationDemoWS and the address is DemoWorkWS, the access to the web service can be performed via either address (to get access from a local computer): http://localhost/DemoWS/ws/OperationDemoWS or http://localhost/DemoWS/ws/DemoWorkWS.
Access to HTTP service. To get access to HTTP service, use the address generated as follows: <Web server host name>/<Virtual directory name>/hs/<path to resource>.
OpenID authentication performed automatically.

Web servers of Internet Information Services (hereinafter referred to as IIS) family are delivered with an operating system. To make it easier for understanding which server you are using, refer to the lookup table of OS and web server versions:

IIS version	OS version
IIS 5.1	Windows XP Professional
IIS 6.0	Windows Server 2003 or Windows XP Professional x64 Edition
IIS 7.0	Windows Vista or Windows Server 2008
IIS 7.5	Windows 7 or Windows Server 2008 R2
IIS 8.0	Windows 8 or Windows Server 2012
IIS 8.5	Windows 8.1 or Windows Server 2012 R2
IIS 10.0	Windows 10 or Windows Server 2016

The distribution package of Apache webserver (for Windows or Linux) can be downloaded from the project website: http://httpd.apache.org/download.

General requirements

On a computer where the publication is done, a supported web server must be installed and configured. To install the Internet Information Services web server, you may need a distribution package of the operating system used. When installing the webserver you must install support for ISAPI extensions. To install the webserver you need the administrative privileges on the computer.

The publication can be performed in two ways:

Using the publication dialog box on the webserver if Designer of required bitness can be started on the computer with the webserver.
Using webinst utility.

To perform a publication on the webserver you need the administrative rights on the computer:

For Windows Vista OS or later, in order to perform the publication, you need to start Designer using Run as Administrator context menu command. If the publication is performed with the webinst utility, the administrator starts either the utility itself or the Windows command line interpreter.
For Linux, to perform the publication, you need the superuser rights (root) using the su command or start the application that performs the publication using the sudo command.

When you try to perform the publication, the software checks for the necessary privileges to perform the operation. If the privileges of the current user are not sufficient to perform the publication:

When publishing from Designer, the user is prompted to continue publishing. The dialog box displays the reason of the prompt and recommendations on how to obtain the necessary privileges.
When publishing using the webinst utility, the user gets a diagnostic message but the publication continues.

The publication is possible only if 1C:Enterprise is located on a computer with a web server. To work with the configuration via the webserver, the configuration needs to be blank.

Operation through a web server is characterized by certain features of both the actual work and settings of the web servers:

When working with the file version of the infobase through a web server, the actual work with the database file is executed by the web server extension. If several client applications work with the publication, then requests from these client applications are executed sequentially, in the order of request arrival to the web server extension. Each web server working process provides an operation of the web server extension single instance.
Due to the features of getting the results of the background jobs in the file version of work, it is recommended to configure the web server so that each publication of the 1C:Enterprise infobase serves no more than one web server working process.
When using the IIS web server:
- For IIS 7.x and later web servers, publishing is not supported if the Directory property (dir parameter of webinst utility) points to the directory %SYSTEMDRIVE%\Inetpub\wwwroot.
- Publishing is always done for the default web site (Default Web Site) and the default application pool (DefaultAppPool).
- For the application pool used for 1C:Enterprise, the .NET environment support must be disabled. To do this, set the application pool property Versions of the .NET Framework to Non-managed code.
When using Apache server:
- When working under Linux OS, it is recommended to use the worker multiprocessing module. Other available modules are not recommended.

Publication types

General publication procedure

The general publication procedure is as follows:

The request processing module (webserver extension module) corresponding to the webserver is registered.
A virtual application is registered on the webserver.
The virtual application directory is created and the default.vrd file is placed in it and configured.
Users are granted permission to access the directory with the database file (for file mode only).

To publish the web client, use the 1C:Enterprise version that is used with the Infobase to be accessed using the web client. If two versions are installed on the computer (for example, 8.3.3.100 and 8.3.3.150) and the 1C:Enterprise server of version 8.3.3.150 is running, use Designer or webinst utility of exactly the same version for publishing.

When publishing, remember that the bitness of the registered web server extension must match the bitness of the webserver. To determine the publishing method, use the following table:

	32-bit webserver	64-bit webserver
32-bit 1C:Enterprise	Fully	Partially
64-bit 1C:Enterprise	Not supported.	Fully

The publication is fully ‑ supported both using the configurator and the webinst utility.

Partially‑, it is possible to publish a 32-bit 1C:Enterprise application for use with a 64-bit IIS web server. The webinst utility is called from the bin directory of the 32-bit version of 1C:Enterprise. Under Linux, this publication is not supported.

To publish from the Designer, you should use the publish dialog (Administration ‑ Publishing on webserver ...).

Fig. 91. Publishing on webserver

Then follow these steps:

Enter the name of the virtual directory in the Name field. The name of the virtual directory only contains Latin letters.
In the Web server field, specify the type of web server for which you are publishing.
In the Directory field, specify the physical location of the directory in which the files describing the virtual directory will be located. For the Apache webserver, the directory name contains only Latin letters.
Depending on whether to Publish access for client applications and Publish Web-services checkboxes are checked, or not.
For the IIS web server, you can specify OS authentication on the webserver.
If necessary, select the Web services to be published. The Address column can be edited. This column defines a Web service synonym. Accessing the Web service is possible both by name and by synonym.
If necessary, ‑customize the rest of the publishing parameters.
Clicking the Publish button starts the publishing process. Clicking Disable deletes the publication from the selected web server.

After the publication has been completed, you will be prompted to restart the web server in the following cases:

1C:Enterprise version has changed
Path to the web server extension module has changed
A new publication has been made for the Apache webserver
Publication was disabled

When using anonymous authentication and file Infobase, when publishing is performed, the user is checked for access rights to the Infobase directory on whose behalf anonymous access is performed. If the user does not have the necessary rights, a warning is displayed that this Infobase cannot be accessed via a web server. It is recommended to either grant access rights for the directory with the Infobase, or select the Use OS authentication on a web server checkbox.

The publishing dialog box and the command line parameters of the webinst utility will be described in other subsections of this section.

Publishing dialog box

The publication dialog box is used to create a publication or to prepare a template file for publication using the webinst utility (using the -descriptor command line parameter).

All parameters that can be edited when creating a publication are located in two tabs. For more details, see below.

Dialog buttons

The Publish button submits a publication to the webserver. When publishing, a directory is created on the hard drive and the webserver is configured to operate with 1C:Enterprise. Please note that publishing to the IIS web server is always performed for the default web site (Default Web Site) and for the default application pool (DefaultAppPool).

Under Linux, the following actions are performed:

For the directory in which the default.vrd file is located, the group of the user on whose behalf the webserver was started is set as the owner group.
The default.vrd file is set to read access for the group that includes the user on whose behalf the webserver was started.

In the case of publishing a file Infobase, for a directory with an Infobase file the user group is set as the owner group on behalf of which the webserver is running, and the owner group inheritance is configured to operate with the Infobase.

Fig. 92. Publishing on webserver

The Disable button removes the application from the web server and from the publication directory, if necessary.

The Save button saves the parameters specified in the publishing dialog on the webserver to a file. When saving, you are prompted for the name and location of the file to be saved. Saving will be performed in the default.vrd file format. Using this command, you can create template files that will be used as the -descriptor parameter of the webinst utility. The parameters of the source Infobase are written to the values of the ib and base attributes of the point element.

The Download button opens file default.vrd for editing. At loading, the ib andbase attributes of the point element of the loaded file are ignored.

The Close button closes the dialog box.

The Help button opens a window with reference information about the publication dialog.

Main tab

General parameters

In this tab, you can set the general parameters of the publication.

Fig. 93. Publishing on the webserver. Main tab.

Name. Specifies the publication name. When published using the webinst utility, it is described by the -wsdir parameter. In the default.vrd file, it corresponds to the base attribute of the point element.

Web server. Specifies web server used for publishing. Apache web servers are added to the list if they are found on the computer. When publishing using the webinst utility, the webserver used is indicated by one of the iis, apache2, apache22 or apache24 parameters. When operating in Linux, publishing is only possible for the Apache webserver.

If the version of the Apache webserver installed on the computer (2.2 or 2.4) cannot be determined, both versions of the web server will be listed. Please consider that for the Apache webserver version 2.2 and 2.4 there are differences between the changes made in the configuration file of the webserver. Therefore, the incorrectly specified version of the webserver will result in the unavailability of the publication.

Directory. Specifies the physical directory on the hard drive in which the default.vrd file will be located and where the virtual directory of the webserver will be displayed. The directory must already exist. When published using the webinst utility, it is described by the -dir parameter.

Publish access for client applications. Responsible for accessing the published Infobase using a thin, mobile, and a web client. If the checkbox is selected, the published Infobase can be accessed using a thin, mobile or a web client. In the default.vrd file, corresponds to the enable attribute of the point element.

Publish standard OData interface. Responsible for accessing the standard OData interface of the application. In the default.vrd file, corresponds to the enableStandardOData attribute of the point element.

Publish a thin client distribution package. Determines whether the client application (thin client) can be obtained and installed if the versions of the client application and the server do not match. A zip archive is used as a distribution package, the full name of which is indicated as one of the values of the Location of the published distribution package property.

Windows x86 ‑ distribution package of the 32-bit client application for Windows OS.
Windows x86_64 ‑ distribution package of the 64-bit client application for Windows OS.
MacOS x86_64 ‑ distribution package of the 64-bit client application for macOS OS.

In the default.vrd file, these properties correspond to the pubdstwin32, pubdstwin64, pubdsmac64 attributes of the point element. The archive must contain the distribution package of the client application. The installation will use the parameters specified in the 1cestart.cfg file (similar to the regular installation of the client application).

Use OS authentication. Allows OS authentication on the IIS web server.

The address of the transition at the end of the web client allows specifying the transition URL to open after the web client is closed. In the default.vrd file, corresponds to the exitURL element.

Web services tab

Publish Web services. Selecting this checkbox will result in the publication of Web services created in the configuration and listed in the table below the checkbox. In the default.vrd file, it corresponds to the enable attribute of the wselement. If the checkbox is cleared, this is equivalent to the absence of the ws element in the default.vrd file or the presence of the ws element with the enable attribute set to true value.

Fig. 94. Publishing web services

Publish Web services by default. Responsible for using Web services that are published without explicit permission to use. In the default.vrd file, it corresponds to the pointEnableCommon attribute of the ws element.

The table below the Publish web services check box contains a list of published Web services and allows managing publication of each Web service. The first column controls publication of each Web service. If the check box is cleared, the Web service will be disabled (it cannot be called). In the default.vrd file, corresponds to the enable attribute of the point element.

The second column (Name) contains the name of the Web service as defined when it was created. In the default.vrd file, it corresponds to the name attribute of the point element.

The last column of the table (Address) contains the alias of the name of the published Web service. The Web service can be accessed both by name and by alias. You can edit the Web service alias in the publish window. In the default.vrd file, it corresponds to the aliasattribute of the point element.

Web services that are located in the connected extensions are not displayed in this table and can be published only by editing the default.vrd file manually.

Publish extensions Web services by default. Responsible for using Web services supplied in configuration extensions. In the default.vrd file, it corresponds to the publishExtensionsByDefault attribute of the ws element.

HTTP services tab

The HTTP services tab is designed to control the application access over HTTP services.

Fig. 95. Publishing HTTP services

Publish HTTP services by default. Selecting this check box will result in the publication of HTTP services created in the configuration and listed in the table below the check box. In the default.vrd file, it corresponds to the publishByDefault attribute of the httpServices element. If the check box is cleared, this is equivalent to the absence of the httpServices element in the default.vrd file or the presence of the httpServices element with the publishByDefault attribute set to false value.

The table below the Publish HTTP services by default check box contains a list of published HTTP services and allows to manage the publication of each HTTP service. The first column controls publication of each HTTP service. If the check box is cleared, the HTTP service will be disabled (it cannot be called). In the default.vrd file, it corresponds to the enable attribute of the service element.

The second column (Name) contains the name of the HTTP service as defined when it was created. In the default.vrd file, it corresponds to the name attribute of the service element.

HTTP services that are located in the connected extensions are not displayed in this table and can be published only by editing the default.vrd file manually.

Publish extensions HTTP services by default. Responsible for using HTTP services supplied in configuration extensions. In the default.vrd file, it corresponds to the publishExtensionsByDefault attribute of the httpServices element.

OpenID tab

On this tab, you can configure the OpenID authentication settings for the publication to be performed.

Fig. 96. OpenID authentication settings

The Use OpenID authentication check box enables OpenID authentication for this infobase. In this case, the OpenID Provider Address property contains the address of the infobase that acts as OpenID provider. Access to this infobase is performed only over HTTPS protocol.

If the published infobase acts as an OpenID provider, it is necessary to select the Use as an OpenID provider check box.

In fact, this tab is used to configure the openid element of the default.vrd file.

Additional tab

In this tab, you can set the auxiliary parameters of the publication.

Fig. 97. Auxiliary parameters of the publication on the web server

Temporary files directory. Specifies a temporary files directory for the web server extension or the infobase file mode. In the default.vrd file, it corresponds to the tempattribute of the point element.

Connection pool group. Describes the pool element of the default.vrd file. Also, the parameters of this group control the operation of the connection interruption tracking system.

Debugging tab. Describes the debug element of the default.vrd file.

Data separation. Describes the zones element of the default.vrd file. More detail on the structure of the separators table is provided below.

The table contains all independent separators that exist in a configuration or in a downloaded file. The first column (without a name) determined whether a zone element needs to be created for the selected separator. Remember that the element is mapped not by the name of the separator, but by its ordinal position in the list. If the first separator is disabled, it makes sense to disable all others, since the parameters of the zones element will be applied automatically to other separators.

The Name column contains the name of the separator as defined in the properties of the general attribute. The check box in the next column determines whether the separator value will be specified in the zone element. If the check box is selected, the value from the Value column will be used as the Value attribute.

The check boxes in the Safe and Specify columns are responsible for the safe and specify attributes of the zone element of the default.vrd file.

The parameter Background jobs in the file mode determines whether background jobs can be used in the file mode of the infobase (attribute allowexecutescheduledjobs of the root point element).

Webinst utility

General description

The utility is designed to configure web servers to support the web client operation. The utility works in Windows or Linux environment, and is part of the 1C:Enterprise distribution package.

webinst [-publish] | -delete <web server>
   -wsdir <virtual directory>
   -dir <physical directory>
   -connstr <connection string>
   -confpath <path to httpd.conf>
   -descriptor <path to default.vrd>
   [-osauth]

IMPORTANT! The name and value of the parameter must be separated by a space character. If the parameter contains spaces, it must be enclosed in quotation marks ("). If inside the parameter there is a quotation mark, then the internal quotation marks must be doubled.

IMPORTANT! When running the utility, only one of these parameters can be specified: iis, apache2, apache22 or apache24.

IMPORTANT! To perform the publication, the utility must be run as an administrator. When running on Windows, a request for elevation of privileges will appear.

-publish by default

The web client is published to the web server.

-delete

Execution of deletion from the specified directory.

NOTE. When deleting a publication, it is sufficient to specify only the -wsdir parameter. The remaining parameters can be specified to control the operation.

<web server>

Specifies for which web server the action will be performed (publish or delete publication):

-iis ‑is a web server of Microsoft Internet Information Services versions 5.1, 6.0, 7.x, 8.x, 10.0 (only when used with Windows OS).
-apache2 ‑ is Apache 2.0 web server.
-apache22 ‑ is Apache 2.2 web server.
-apache24 ‑ is Apache 2.4 web server.

When using the Apache 2.4 web server, you can omit the path to the configuration file using the -confpath parameter.

It should be considered that for the Apache web server version 2.2 and 2.4 there are differences between the changes made in the configuration file of the web server. Therefore, the incorrectly specified version of the web server will result in the unavailability of the publication.

-wsdir

Name of the virtual directory.

-dir

Name of the physical directory to which the virtual directory of the web server will be mapped. The directory must already exist.

For IIS 7.x and later web servers, publishing is not supported if the value of this parameter points to the %SYSTEMDRIVE%\Inetpub\wwwroot directory.

NOTE. A directory name must not end with a "\" symbol if it is enclosed in quotes. Correct: "c:\my path", incorrect: "c:\my path\".

-connstr

Infobase connection string.

-confpath only for Apache

The full path to the configuration file (httpd.conf) of the Apache web server. This parameter is applicable only when using Apache web servers.

-descriptor

Allows to publish according to the template specified by the existing file, which is specified in this parameter (including the file path). The name of the template file does not have to be default.vrd. When publishing, the existing default.vrd file is completely replaced with the template file. If the -wsdir or -connstr parameters are specified simultaneously with this parameter, then the values of these parameters replace the values of the base and ib (respectively) attributes of the point element.

If the -descriptor parameter is specified simultaneously with the -delete parameter, then the virtual directory name (the base attribute of the point element) and the infobase connection string (the ib attribute of the point element) are used from the template file. The publication will be deleted only if both values of the deleted publication and the template file match.

-osauth only for IIS

When publishing, it configures the use of OS authentication on a web server. This parameter is applicable only when using IIS web servers.

Publication examples

Example of publish command for IIS 7.0 and later:

webinst -publish -iis -wsdir demo -dir "c:\inetpub\demo" -connstr "Srvr=server:1741;Ref=demo;"

In this example, a web client with the following parameters is published:

Virtual directory: demo (-wsdir demo parameter)
The physical directory to which the virtual directory is mapped: C:\inetpub\demo (-dir "c:\inetpub\demo" parameter)
Infobase connection string: Srvr=server:1741;Ref=demo; (-connstr "Srvr=server:1741;Ref=demo;" parameter, client/server mode of the infobase)

Example of publish command for Apache 2.2:

webinst -publish -apache22 -wsdir DemoWS -dir "c:\apache.www\demows" -connstr "File=""c:\my db\demows"";" -confpath "C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf"

In this example, a web client with the following parameters is published:

Virtual directory: DemoWS (-wsdir demoWS parameter)
The physical directory to which the virtual directory is mapped: C:\apache.www\demows (-dir "c:\apache.www\demows" parameter)
Infobase connection string: File="c:\my db\demows"; (-connstr "File=""c:\my db\demows"";" parameter, file mode of the infobase)
Apache web server configuration file: C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf (-confpath "C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf" parameter).

Example of publishing using a template file:

webinst -publish -iis -wsdir demoMA -dir "c:\inetpub\wwwroot\demoMA" -connstr "Srvr=server:1741;Ref=demo;" -descriptor template.vrd

In this example:

Publication to IIS web server (-publish -iis parameters) is performed.
Virtual directory: demoMA (-wsdir demoMA parameter)
The physical directory to which the virtual directory is mapped: c:\inetpub\wwwroot\demoMA (-dir "c:\inetpub\wwwroot\demoMA" parameter)
Infobase connection string Srvr=server:1741;Ref=demo; (-connstr "Srvr=server:1741;Ref=demo;")
The remaining publication parameters will be obtained from the template.vrd template file (-descriptor template.vrd parameter).

Example of a command for deleting a publication for IIS:

webinst -delete -iis -wsdir DemoWS

Example of deletion of a publication made in the virtual directory:

Virtual directory: DemoWS (–wsdir DemoWS parameter). The remaining parameters are automatically determined from this name.

Web client support settings

General information

This section contains instructions for setting up various web servers to operate using the web client. It describes both the actions necessary for publishing from the Designer, and the actions necessary for publishing using the webinst utility.

When describing a publication, the values that are key to the publishing will be described. The remaining parameters must be configured if necessary.

On Windows

General information

This section describes how to configure the Windows-based web servers for the web client operation.

To publish a web client, select the Publish thin client and web client check box.

Internet Information Services

General description

Besides specifying the parameters of the publication (described below), you must additionally make the following settings:

Grant read rights for the user on whose behalf the requests are executed (IUSR_ <PC_NAME> user for IIS versions 5.1 and 6.0 or IIS_IUSRS group for IIS versions 7.x and later) to the bin directory of files of a specific 1C:Enterprise version
Grant edit rights to the user on whose behalf the queries are executed (IUSR_ <PC_NAME> user for IIS versions 5.1 and 6.0 or IIS_IUSRS group for IIS versions 7.x and later) on the infobase directory (only in the case of the file mode).

NOTE. Substring <PC_NAME> in the username IUSR_ <PC_NAME> indicates the name of the computer on which the IIS is installed. So, for a computer with the name IIS-COMP, the username will look like this: IUSR_IIS-COMP.

Publishing dialog box

In the Web server field, specify Internet Information Services. If you need the operating system authentication on a web server, select the corresponding check box (Use operating system authentication on a web server).

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

To configure the IIS web server using the webinst utility, run the following command (the parameters are given for example, they should be replaced with the real values).

Example:

webinst -publish -iis -wsdir demo -dir "c:\inetpub\demo" -connstr "Srvr=server:1741;Ref=demo;" -osauth

Apache 2.0

General description

Besides specifying the parameters of the publication (described below), you must additionally make the following settings:

Grant read rights for the user on whose behalf the web server operates to the bin directory of files of a specific version of the 1C:Enterprise application;
Grant edit rights for the user on whose behalf the web server operates to the infobase directory (only when in file mode).

Publishing dialog box

In the Web server field, specify Apache 2.0.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

To configure the Apache 2.0 web server using the webinst utility, run the following command (the parameters are for reference only, they should be replaced with actual values before using).

Example:

webinst -publish -apache2 -wsdir demo -connstr "Srvr=server:1741;Ref=demo;" -dir "c:\apache.www\demows" -confpath "C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf"

Apache 2.2

General description

Besides specifying the parameters of the publication (described below), you must additionally make the following settings:

Grant read rights for the user on whose behalf the web server operates to the bin directory of files of a specific version of the 1C:Enterprise application;
Grant edit rights for the user on whose behalf the web server operates to the infobase directory (only when in file mode).

Publishing dialog box

In the Web server field, specify Apache 2.2.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

To configure the Apache 2.2 web server using the webinst utility, run the following command (the parameters are for reference only, they should be replaced with actual values before using).

Example:

webinst -publish -apache22 -wsdir demo -connstr "Srvr=server:1741;Ref=demo;" -dir "c:\apache.www\demows" -confpath "C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf"

Apache 2.4

General description

Besides specifying the parameters of the publication (described below), you must additionally make the following settings:

Grant read rights for the user on whose behalf the web server operates to the bin directory of files of a specific version of the 1C:Enterprise application;
Grant edit rights for the user on whose behalf the web server operates to the infobase directory (only when in file mode).

Publishing dialog box

In the Web server field, specify Apache 2.4.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

To configure the Apache 2.4 web server using the webinst utility, run the following command (the parameters are for reference only, they should be replaced with actual values before using).

Example:

webinst -publish -apache24 -wsdir demo -connstr "Srvr=server:1741;Ref=demo;" -dir "c:\apache.www\demows"

On Linux

General information

This section describes how to configure the Linux-based web servers for the web client operation. After the publication is performed, you must provide the user, on behalf of which Apache operates, the rights to the executable files directory (/opt/1C/v8.3/i386/ for the 32-bit version or /opt/1C/v8.3/x86_64/ for 64- bit version) of a specific version of the 1C:Enterprise application (read and execute). In the case of the file mode of the infobase, you must give the rights to modify the infobase catalog to the user, on whose behalf the web server was started.

Apache 2.0

Publishing dialog box

In the Web server field, specify Apache 2.0.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

To configure the Apache 2.0 web server using the webinst utility, run the following command (the parameters are for reference only, they should be replaced with actual values before using).

Example:

webinst -apache2 -wsdir DemoWS -dir /var/www/DemoWS -connstr "Srvr=server:1741;Ref=demo;" -confpath /etc/apache2/httd.conf

Apache 2.2

Publishing dialog box

In the Web server field, specify Apache 2.2.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

To configure the Apache 2.2 web server using the webinst utility, run the following command (the parameters are for reference only, they should be replaced with actual values before using).

Example:

webinst -apache22 -wsdir DemoWS -dir /var/www/DemoWS -connstr "Srvr=server:1741;Ref=demo;" -confpath /etc/apache2/apache.conf

Apache 2.4

Publishing dialog box

In the Web server field, specify Apache 2.4.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

To configure the Apache 2.4 web server using the webinst utility, run the following command (the parameters are for reference only, they should be replaced with actual values before using).

Example:

webinst -apache24 -wsdir DemoWS -dir /var/www/DemoWS -connstr "Srvr=server:1741;Ref=demo;"

Web service support settings

General information

Setting support for Web services is to configure your web server for operation with Web services and to set the access rights to the directories of executable files and the database (for the file mode of operation).

To publish Web services, select the Publish Web services check box on the Web services tab, and select the services to be published in the table below the check box.

On Windows

General information

This section describes the publication of Web services for Windows-based web servers. It is assumed that the web server is already installed.

NOTE. To install the IIS web server, you may need a distribution package of the operating system used.

Internet Information Services

General description

Besides specifying the parameters of the publication (described below), you must additionally make the following settings:

Grant read rights for the user on whose behalf the requests are executed (IUSR_<PC_NAME> user for IIS versions 5.1 or 6.0 or IIS_IUSRS group for IIS versions 7.x and later) to the bin directory of files of a specific 1C:Enterprise version
Grant edit rights to the user on whose behalf the queries are executed (IUSR_<PC_NAME> user for IIS versions 5.1 or 6.0 or IIS_IUSRS group for IIS versions 7.x and later) on the infobase directory (only in the case of the file mode)

Publishing dialog box

In the Web server field, enter Internet Information Services.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file:

In the Web server field, enter Internet Information Services.
Select the Publish Web Services check box.
Select the parameters of web services to publish.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as iis-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -iis -wsdir demo-ws -dir "c:\inetpub\demo-ws" -connstr "Srvr=server:1741;Ref=demo;" -descriptor iis-template.vrd

Apache 2.0

General description

It is necessary to give rights to the user on whose behalf Apache runs for the bin directory of files of a specific version of the 1C:Enterprise application (read and execute) and for the directory of the infobase (read and write, in the case of the file mode).

Publishing dialog box

In the Web server field, specify Apache 2.0.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file:

In the Web server field, specify Apache 2.2.
Select the Publish Web Services check box.
Select the parameters of web services to publish.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache2 -wsdir demo-ws -dir "c:\inetpub\demo-ws" -connstr "Srvr=server:1741;Ref=demo;" -descriptor apache-template.vrd

Apache 2.2

General description

Publishing dialog box

In the Web server field, specify Apache 2.2.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file:

In the Web server field, specify Apache 2.2.
Select the Publish Web Services check box.
Select the parameters of web services to publish.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache22 -wsdir demo-ws -dir "c:\inetpub\demo-ws" -connstr "Srvr=server:1741;Ref=demo;" -descriptor apache-template.vrd

Apache 2.4

General description

Publishing dialog box

In the Web server field, specify Apache 2.4.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file:

In the Web server field, specify Apache 2.4.
Select the Publish Web Services check box.
Select the parameters of web services to publish.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache24 -wsdir demo-ws -dir "c:\inetpub\demo-ws" -connstr "Srvr=server:1741;Ref=demo;" -descriptor apache-template.vrd

On Linux

General information

This section describes the publication of Web services for Linux-based web servers. It is assumed that the web server is already installed.

To publish Web services, select the Publish Web services check box on the Web services tab, and select the services to be published in the table below the check box.

After the publication is performed, you must provide the user, on behalf of which Apache operates, the rights to the executable files directory (/opt/1C/v8.3/i386/ for the 32-bit version or /opt/1C/v8.3/x86_64/ for 64- bit version) of a specific version of the 1C:Enterprise application (read and execute). In the case of the file mode of the infobase, you must give the rights to modify the infobase catalog to the user, on whose behalf the web server was started.

Apache 2.0

Publishing dialog box

In the Web server field, specify Apache 2.0.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file (in Designer):

In the Web server field, specify Apache 2.2.
Select the Publish Web Services check box.
Select the parameters of web services to publish.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache2 -wsdir demo-ws -dir /var/www/demo-ws -connstr "Srvr=server:1741;Ref=demo;" -confpath /etc/apache2/httd.conf -descriptor apache-template.vrd

Apache 2.2

Publishing dialog box

In the Web server field, specify Apache 2.2.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file (in Designer):

In the Web server field, specify Apache 2.2.
Select the Publish Web Services check box.
Select the parameters of web services to publish.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache22 -wsdir demo-ws -dir /var/www/demo-ws -connstr "Srvr=server:1741;Ref=demo;" -confpath /etc/apache2/httd.conf -descriptor apache-template.vrd

Apache 2.4

Publishing dialog box

In the Web server field, specify Apache 2.4.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file (in Designer):

In the Web server field, specify Apache 2.4.
Select the Publish Web Services check box.
Select the parameters of web services to publish.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache24 -wsdir demo-ws -dir /var/www/demo-ws -connstr "Srvr=server:1741;Ref=demo;" -descriptor apache-template.vrd

Standard OData interface support

General information

Setting support for Standard OData Interface is to configure your web server used and to set the access rights to the directories of executable files and the database (for the file mode of operation).

To publish a standard OData interface, select the Publish standard OData interface check box on the Main tab.

On Windows

General information

This section describes the publication of standard OData Interface for Windows-based web servers. It is assumed that the web server is already installed.

NOTE. To install the IIS web server you may need a distribution package of the operating system used.

Internet Information Services

General description

Besides specifying the parameters of the publication (described below), you must additionally make the following settings:

Grant read rights for the user on whose behalf the requests are executed (IUSR_<PC_NAME> user for IIS versions 5.1 or 6.0 or IIS_IUSRS group for IIS versions 7.x and later) to the bin directory of files of a specific 1C:Enterprise version
Grant edit rights to the user on whose behalf the queries are executed (IUSR_<PC_NAME> user for IIS versions 5.1 or 6.0 or IIS_IUSRS group for IIS versions 7.x and later) on the infobase directory (only in the case of the file mode)

Publishing dialog box

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file:

In the Web server field, enter Internet Information Services.
Select check box Publish standard OData interface.
If necessary, specify the option to Use operating system authentication on a web server;
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as iis-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -iis -wsdir demo-ws -dir "c:\inetpub\demo-ws" -connstr "Srvr=server:1741;Ref=demo;" -descriptor iis-template.vrd

Apache 2.0

General description

Besides specifying the parameters of the publication (described below), you must additionally make the following settings:

Grant read rights for the user on whose behalf the web server operates to the bin directory of files of a specific version of the 1C:Enterprise application;
Grant edit rights for the user on whose behalf the web server operates to the infobase directory (only when in file mode).

Publishing dialog box

In the Web server field, specify Apache 2.0.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file:

In the Web server field, specify Apache 2.2.
Select check box Publish standard OData interface.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache2 -wsdir demo-ws -dir "c:\inetpub\demo-ws" -connstr "Srvr=server:1741;Ref=demo;" -descriptor apache-template.vrd

Apache 2.2

General description

Besides specifying the parameters of the publication (described below), you must additionally make the following settings:

Grant read rights for the user on whose behalf the web server operates to the bin directory of files of a specific version of the 1C:Enterprise application;
Grant edit rights for the user on whose behalf the web server operates to the infobase directory (only when in file mode).

Publishing dialog box

In the Web server field, specify Apache 2.2.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file:

In the Web server field, specify Apache 2.2.
Select check box Publish standard OData interface.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache22 -wsdir demo-ws -dir "c:\inetpub\demo-ws" -connstr "Srvr=server:1741;Ref=demo;" -descriptor apache-template.vrd

Apache 2.4

General description

Besides specifying the parameters of the publication (described below), you must additionally make the following settings:

Grant read rights for the user on whose behalf the web server operates to the bin directory of files of a specific version of the 1C:Enterprise application;
Grant edit rights for the user on whose behalf the web server operates to the infobase directory (only when in file mode).

Publishing dialog box

In the Web server field, specify Apache 2.4.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file:

In the Web server field, specify Apache 2.4.
Select check box Publish standard OData interface.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache24 -wsdir demo-ws -dir "c:\inetpub\demo-ws" -connstr "Srvr=server:1741;Ref=demo;" -descriptor apache-template.vrd

On Linux

General information

This section describes the publication of Standard OData Interface for Linux-based web servers. It is assumed that the web server is already installed.

Apache 2.0

Publishing dialog box

In the Web server field, specify Apache 2.0.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file:

In the Web server field, specify Apache 2.2.
Select check box Publish standard OData interface.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache2 -wsdir demo-ws -dir /var/www/demo-ws -connstr "Srvr=server:1741;Ref=demo;" -confpath /etc/apache2/httd.conf -descriptor apache-template.vrd

Apache 2.2

Publishing dialog box

In the Web server field, specify Apache 2.2.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file:

In the Web server field, specify Apache 2.2.
Select check box Publish standard OData interface.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache22 -wsdir demo-ws -dir /var/www/demo-ws -connstr "Srvr=server:1741;Ref=demo;" -confpath /etc/apache2/httd.conf -descriptor apache-template.vrd

Apache 2.4

Publishing dialog box

In the Web server field, specify Apache 2.4.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file:

In the Web server field, specify Apache 2.4.
Select check box Publish standard OData interface.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache24 -wsdir demo-ws -dir /var/www/demo-ws -connstr "Srvr=server:1741;Ref=demo;" -descriptor apache-template.vrd

HTTP services support settings

General information

Setting support for HTTP services is to configure your web server for operation with HTTP services and to set the access rights to the directories of executable files and the database (for the file mode of operation).

To publish HTTP services, select the Publish HTTP services by default check box on the HTTP services tab, and select the services to be published in the table below the check box.

On Windows

General information

This section describes the publication of HTTP services for Windows-based web servers. It is assumed that the web server is already installed.

NOTE. To install the IIS web server, you may need a distribution package of the operating system used.

Internet Information Services

General description

Besides specifying the parameters of the publication (described below), you must additionally make the following settings:

Grant read rights for the user on whose behalf the requests are executed (IUSR_<PC_NAME> user for IIS versions 5.1 or 6.0 or IIS_IUSRS group for IIS versions 7.x and later) to the bin directory of files of a specific 1C:Enterprise version
Grant edit rights to the user on whose behalf the queries are executed (IUSR_<PC_NAME> user for IIS versions 5.1 or 6.0 or IIS_IUSRS group for IIS versions 7.x and later) on the infobase directory (only in the case of the file mode)

Publishing dialog box

In the Web server field, enter Internet Information Services.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file:

In the Web server field, enter Internet Information Services.
Select check box Publish HTTP services.
Select parameters of HTTP services to be published.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as iis-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -iis -wsdir demo-hs -dir "c:\inetpub\demo-ws" -connstr "Srvr=server:1741;Ref=demo;" -descriptor iis-template.vrd

Apache 2.0

General description

Publishing dialog box

In the Web server field, specify Apache 2.0.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file:

In the Web server field, specify Apache 2.2.
Select check box Publish HTTP services.
Select parameters of HTTP services to be published.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache2 -wsdir demo-ws -dir "c:\inetpub\demo-ws" -connstr "Srvr=server:1741;Ref=demo;" -descriptor apache-template.vrd

Apache 2.2

General description

Publishing dialog box

In the Web server field, specify Apache 2.2.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file:

In the Web server field, specify Apache 2.2.
Select check box Publish HTTP services.
Select parameters of HTTP services to be published.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache22 -wsdir demo-ws -dir "c:\inetpub\demo-ws" -connstr "Srvr=server:1741;Ref=demo;" -descriptor apache-template.vrd

Apache 2.4

General description

Publishing dialog box

In the Web server field, specify Apache 2.4.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file:

In the Web server field, specify Apache 2.4.
Select check box Publish HTTP services.
Select parameters of HTTP services to be published.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache24 -wsdir demo-ws -dir "c:\inetpub\demo-ws" -connstr "Srvr=server:1741;Ref=demo;" -descriptor apache-template.vrd

On Linux

General information

This section describes the publication of Web services for Linux-based web servers. It is assumed that the web server is already installed.

To publish HTTP services, select the Publish HTTP services by default check box on the HTTP services tab, and select the services to be published in the table below the check box.

Apache 2.0

Publishing dialog box

In the Web server field, specify Apache 2.0.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file (in Designer):

In the Web server field, specify Apache 2.2.
Select check box Publish HTTP services.
Select parameters of HTTP services to be published.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache2 -wsdir demo-ws -dir /var/www/demo-ws -connstr "Srvr=server:1741;Ref=demo;" -confpath /etc/apache2/httd.conf -descriptor apache-template.vrd

Apache 2.2

Publishing dialog box

In the Web server field, specify Apache 2.2.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file (in Designer):

In the Web server field, specify Apache 2.2.
Select check box Publish HTTP services.
Select parameters of HTTP services to be published.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache22 -wsdir demo-ws -dir /var/www/demo-ws -connstr "Srvr=server:1741;Ref=demo;" -confpath /etc/apache2/httd.conf -descriptor apache-template.vrd

Apache 2.4

Publishing dialog box

In the Web server field, specify Apache 2.4.

If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.

Webinst utility

Before publishing, you need to create a template file (in Designer):

In the Web server field, specify Apache 2.4.
Select check box Publish HTTP services.
Select parameters of HTTP services to be published.
If necessary, specify the remaining publishing parameters on the Additional tab of the publishing dialog box on the web server.
To save the template file, click Save. Enter the name of template file as apache-template.vrd.

Perform publication using the template file.

Example:

webinst -publish -apache24 -wsdir demo-ws -dir /var/www/demo-ws -connstr "Srvr=server:1741;Ref=demo;" -descriptor apache-template.vrd

OpenID authentication support settings

Settings for OpenID

If the infobase uses OpenID authentication, you must specify the address of the OpenID provider used for authentication in the default.vrd file (with which the infobase was published on the web server). The <openid> and <rely> elements are intended for this.

Example:

<?xml version="1.0" encoding="UTF-8"?>
<point xmlns=http://v8.1c.ru/8.2/virtual-resource-system xmlns:xs=http://www.w3.org/2001/XMLSchema xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 base="/demo"
 ib="Srvr=&quot;tcp://Server&quot;;Ref=&quot;demo&quot;;"
 enable="false">
 <openid>
   <rely url="https://myserver.org/users-ib/e1cib/oid2op"/>
 </openid>
</point>

These elements describe the URL to the OpenID provider that authenticates the user to the infobase with OpenID authentication. In this example, the 1C:Enterprise infobase, published at https://myserver.org/users-ib, acts as the OpenID provider.

This parameter can be configured using the publication dialog on the web server (OpenID tab).

Configuring an infobase to act as an OpenID provider

If the infobase acts as an OpenID provider, you must specify this in the default.vrd file (with which the infobase was published on the web server). The <openid> and <provider> elements are intended for this.

Example:

<?xml version="1.0" encoding="UTF-8"?>
<point xmlns=http://v8.1c.ru/8.2/virtual-resource-system xmlns:xs=http://www.w3.org/2001/XMLSchema xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   base="/users-ib"
   ib="Srvr=&quot;tcp://Server&quot;;Ref=&quot;oidusers&quot;;"
   enable="false">
 <openid>
   <provider>
    <lifetime>432000</lifetime>
   </provider>
 </openid>
</point>

These elements indicate that:

Infobase acts as an OpenID provider
Lifetime of the authentication data is 432 000 seconds (or 5 days)
The URL to be specified in the <rely> element of the default.vrd file (the address of the OpenID provider) may look like this: https://myserver.org/users-ib/e1cib/oid2op. The URL will look like this if the name of the host on which the infobase is published is myserver.org.

This parameter can be configured using the publication dialog on the web server (OpenID tab).

Additional interface for use by external resources

The OpenID provider implemented by 1C:Enterprise can be accessed using the standard OpenID 2.0 protocol considering some features:

In requests for interactive and non-interactive authentication (the openid.mode parameter is equal to checkid_immediate or checkid_setup), the openid.claimed_id and openid.identity parameters must be set to http://specs.openid.net/auth/2.0/identifier_select value. Setting this value means that the user ID is determined by the provider.
Requests for non-interactive authentication with other values of theopenid.claimed_id and openid.identity parameters result in a request for interactive authentication, during which the provider determines the values of openid.claimed_id and openid.identity.

The OpenID provider implements a form for entering a username and password for interactive authentication.

The application also provides a number of commands that simplify the use of an OpenID provider by third-party systems, which are described below. When describing commands, the following abbreviations are used:

ProviderIB ‑infobase of an OpenID provider;
RPID ‑ infobase of OpenID dependent party

Request parameters are transmitted in UTF-8 encoding.

Request for OpenID Provider XRDS Document

Description:

Gets an XRDS document describing the properties of an OpenID provider.

Syntax:

https://hostname/ProviderIB/e1cib/oid2op

Returns:

XRDS document describing the properties of an OpenID provider.

Request for OpenID dependent party XRDS Document

Description:

Gets an XRDS document describing the properties of an OpenID dependent party.

Syntax:

https://hostname/RPIB/e1cib/oid2rp

Returns:

XRDS document describing the properties of an OpenID dependent party.

Authentication request

Description:

Performs authentication request.

Syntax:

https://hostname/ProviderIB/e1cib/oid2op?cmd=auth

Parameters:

openid.auth.user mandatory

Username as specified in the OpenID provider's database.

openid.auth.pwd mandatory

User password.

openid.auth.2FCode optional

Second authentication factor code

opeind.auth.short optional

If the parameters is set to true, the authentication is performed within the session of the web browser, but not more than the lifetime parameter value of the default.vrd file, which describes the publication of the infobase of the OpenID provider.

openid.auth.check optional

Response to this request must be checked (the parameter is set to true). It makes sense only if the openid.return_to parameter is specified.

openid.return_to optional

Contains the target URL that is opened after processing the request.

Returns:

If the openid.return_to parameter is not specified, then an empty document with the HTTP status code is returned:

200 ‑ authentication successful
400 ‑ authentication failure
402 ‑ login and password authentication is completed successfully. The second factor code is required. The response should have a header named 2FAType, which can contain one of the following values:
- secretCode ‑ for authentication, enter the secret code;
- external ‑ the second factor is executed at the provider side.
  At the time of receipt of such a response code, a request to execute the second authentication factor has already been sent by the OpenID- provider to the provider of the second authentication factor.
  It is understood that the OpenID provider will check the username and the password, but will not create a user session when it detects the need to execute the second authentication factor. The session will be created at the next access, checking the login, the password and the second factor again.
  After receiving a response 402, do the following:
- In case of authentication using a code (secretCode), ‑ add the secret code with additional parameter to the request.
- In case of authentication on the provider side (external), ‑ add nothing. The server will send for check the authentication request and will check the second factor.

If the openid.return_to parameter is specified, then it is redirected to the address specified in the parameter. If authentication is successful, the following parameters are added to the URL:

openid.auth.user with username as value
openid.auth.uid with a one-time identifier as a value to validate this response This parameter is specified if the openid.auth.check parameter is specified in the authentication request.

In case of unsuccessful authentication, go to the specified URL without adding any parameters.

Request of the OpenID- provider for authentication check

Description:

Executes authentication request.

Syntax:

https://hostname/ProviderIB/e1cib/oid2op/2FACheck?user=xxx

Parameters:

user mandatory

The username (xxx) whose authentication should be checked.

Returns:

An empty document with an HTTP status code is returned:

200 ‑ authentication is successful, the user is authenticated using the second factor;
400 ‑ Authentication failed for one of the following reasons:
- The user parameter is not specified;
- There was no regular authentication request before this request;
- Authentication failure;
- Authentication timed out.

OpenID provider request to verify the active authentication

Description:

Authentication check is performed.

Syntax:

https://hostname/ProviderIB/e1cib/oid2op?cmd=lookup

Parameters:

openid.return_to mandatory

Contains the target URL that is opened after processing the request.

openid.auth.check optional

Response to this request must be checked (the parameter is set to true). It makes sense only if the openid.return_to parameter is specified.

Returns:

Redirecting to the URL specified in the openid.return_to parameter. If authentication is successful, the following parameters are added to the URL:

openid.auth.user with username as value
openid.auth.uid with a one-time identifier as a value to validate this response This parameter is specified if the openid.auth.check parameter is specified in the authentication request.

In case of unsuccessful authentication, go to the specified URL without adding any parameters.

Check an OpenID provider response

Description:

Checks an OpenID Provider response for cmd=auth and cmd=lookup requests if the openid.auth.check parameter is set to true in the request.

Syntax:

https://hostname/ProviderIB/e1cib/oid2op?cmd=check

Parameters:

openid.auth.user mandatory

The username that is obtained from the query parameter of the same name.

openid.auth.uid mandatory

The value of the one-time response identifier of the OpenID provider, obtained from the query parameter of the same name.

Returns:

A document of text/plain type with the following contents is returned:

is_valid:true ‑ the response is indeed generated by the OpenID provider used. In this case, the HTTP status code is 200.
is_valid:false ‑ The used OpenID provider did not generate a valid response. In this case, the HTTP status code will be equal to 400.

Request to cancel authentication for a dependent party

Description:

Performs the cancellation of authentication if the OpenID provider URL is unknown. Finishes the current session, cancels authentication on the OpenID provider, restarts the web client. The web client will issue a cancellation request for the OpenID provider.

Syntax:

https://hostname/RPIB/e1cib/oid2op?cmd=logout

Request to cancel authentication for an OpenID provider

Description:

Performs the cancellation of authentication on the indicated OpenID provider.

Syntax:

https://hostname/ProviderIB/e1cib/oid2op?cmd=logout

Parameters:

openid.return_to optional

Contains the target URL that is opened after processing the request.

Returns:

If the openid.return_to parameter is specified, the user is redirected to the specified URL, otherwise an empty response is returned with the HTTP status code equal to 200.

Requirements for external OpenID providers

If it is necessary to use external (in relation to the 1C:Enterprise application) OpenID providers that are supposed to be used to authenticate users of the 1C:Enterprise infobases, the following should be considered:

The OpenID provider must support the OpenID Authentication 2.0 protocol specifications and the extension of this protocol implemented in the 1C:Enterprise platform.
To be able to use the 1C:Enterprise with thin client, the OpenID provider must use a cookie named vrs_oid2op_auth.
When receiving a request with an Accept HTTP header that prohibits the use of HTML content in the response, the OpenID provider should not use redirection with HTML forms (section 5.2.2 of the OpenID Authentication 2.0 protocol specification).
When returning the openid.claimed_id and openid.identity parameters to the 1C:Enterprise infobases, the OpenID provider should set the values of these parameters in the format <address of the OpenID provider>?lid = <user login>, for example https://myserver.org/users-ib/e1cib/oid2op?lid=user1.

It may also be helpful to consider the following:

In the case when the 1C:Enterprise infobase calls the OpenID provider, the openid.claimed_id and openid.identity request parameters always pass the value http://specs.openid.net/auth/2.0/identifier_select.
1C:Enterprise infobase does not use a shared secret key (Diffie-Hellman’s algorithm) to authenticate the provider's messages. Authentication is performed using a direct request to the OpenID provider, in accordance with the requirements of section 11.4.2 of the OpenID Authentication 2.0 protocol specification.

Safety while using Internet services

Authentication

In general, the procedure of client accessing an Internet service is as follows:

Fig. 98. Internet service connections

There are three different types of authentication:

On a proxy server‑, this authentication is not directly related to the use of a web server, but you should remember about it if you need to use an Internet service from a network behind a proxy server.
In this case, the following types of authentication can be used on the web server‑:
- Anonymous authentication ‑ in this case, all requests coming from the web server are performed under a special user, which impersonates the "anonymous" connection.
  In this case, the authentication in 1C:Enterprise is performed using the username and password passed in the HTTP request.
- Basic authentication ‑ in this case, the client of the Internet service passes for authentication to the web server the username and password in an HTTP request that is generated when accessing the web server.
  In order to successfully perform this type of authentication, the username and password used to access 1C:Enterprise must also be used to access the web server. If a user, whose parameters are passed in an HTTP request, cannot access the web server, it means that he/she will not be able to use the Internet service.
- OS authentication ‑ in this case, the web server determines on which behalf of the OS user the Internet service performs the access to 1C:Enterprise and further this particular data is used.
  In this case, the web server determines the OS user who is trying to access the web server, and then transfers to 1C:Enterprise both the parameters of the OS user and the data passed in the HTTP request to the Internet service. If the HTTP request contains the username and password, then it is they who are used for authentication, and the OS user data are not used. If the username and password in the HTTP request are not specified ‑, the data of a specific OS user is used.
  For a thin client connecting to the infobase via HTTP protocol (via a web server), and for a web client, the OS authentication operation is based on the possibility of impersonalizing a web browser user or a thin client user in a web server thread that executes HTTP requests. The impersonation of users by a web server depends on the type and setting of the web browser used, the type and setting of the web server, the settings of individual user rights, domain security policies, etc. Impersonation is not always possible.
  The corresponding settings are the subject of the administration of the network environment and are beyond the scope of the 1C:Enterprise documentation.
1C:Enterprise authentication. To perform this authentication, the web server extension uses the username and password that are transmitted by the web server (when using Basic authentication or OS authentication on the web server). If you use anonymous authentication on a web server, 1C:Enterprise will request Basic authentication from the caller. 1C:Enterprise expects that the username and password of the user will be passed in UTF-8 encoding.
If the Internet service is accessed from the Microsoft Internet Explorer web browser, it is not recommended to use non-Latin characters in the username and password.

When interacting with a web server, it is possible to organize operation via a secure channel.

When using the file mode of the infobase, the users on whose behalf access is performed must have access to the execution of the files of the required version of 1C:Enterprise and the rights to read and modify data in the infobase directory.

Operations over a secure channel

When a client interacts with an Internet services server, data can be exchanged over a secure channel. Secure communication channels prevent unauthorized viewing and alteration of data. The secure channel is TLS-based (version 1.2). TLS connections support cryptographic algorithms that comply with GOST R 34.10-94, R 34.10-2001, R 34.10-2012, R 34.11-94, R 34.11-2012, and 28147-89. The obsolete SSL 3.0 protocol can be enabled using the command line to start a client connection.

The TLS (Transport Layer Security) ‑ protocol is used to provide secure communication between a client and a server. TLS is based on:

Mutual authentication of the client and the server, so that both the client and the server are certain of each other's identities
Digital signatures to ensure data integrity (protecting data from unauthorized alteration)
Encryption to ensure the confidentiality of data (protecting data from unauthorized viewing)

TLS protocol supports various encryption options, digital signatures, certificates, etc., in order to provide a secure channel with the required robustness.

TLS protocol uses a TLS session to establish a secure connection between the a and a server. Session is established by exchanging a sequence of messages between a client and a server. When establishing a session, the following actions can be performed:

Determining cryptography algorithms that will be used to encrypt and digitally sign the transmitted data
Setting the session key
Performing server authentication on the client side
Performing client authentication on the server side

To authenticate client on the server side and server on the client side, TLS uses certificates. A certificate is a document that describes a set of parameters of the party being authenticated. For example, the certificate may contain the username or the name of the server web site. The certificate also contains a digital signature, which is used to verify its validity. Chains of certificates are used to prevent the possibility of uncontrolled issuance of certificates. The beginning of the chain of certificates is the Certificate Authority‑ an organization issuing certificates. If a particular user needs a certificate, he/she sends a request to the Certificate Authority to issue a certificate. Certificate Authority issues a certificate that is signed with its own private key. The user to whom the certificate is issued may, in turn, act as a Certificate Authority for other users. Thus, a chain of certificates is formed, the root of which is the Root Certificate Authority, which is, as a rule, a well-known organization. For a client to accept this certificate, it must be on the list of the certificates that this client trusts. The list can include both this certificate and any other certificates from the certificate chain of this certificate. As a rule, this is a certificate from the Root Certificate Authority. Please remember that 1C:Enterprise operates correctly with certificates only if the certificate fields contain data in US ASCII or characters encoded with Punycode. Certificate fields must not contain data in Unicode.

One of the most common uses of the TLS protocol is its use for sending HTTP requests (the HTTPS protocol). In this case, the URL is the addressing scheme for such ‑HTTPS resources, and the default port is ‑443.

The client part of the Web services engine automatically, using the URL scheme (HTTPS) of the location of the Web service, determines that the interaction with the Web service should be performed over a secure communication channel. The client also requires that a valid certificate be linked to the server issued by a Certificate Authority known to the client.

A server certificate is valid if its digital signature matches the content of the certificate, its validity date is not expired, and the website, for which the certificate was issued, corresponds to the server website. If the certificate is not valid, for example, the certificate website does not match the server website, then the client will not be able to communicate via TLS with the Web services of this website.

In order to enable the operation via TLS protocol, you need to:

Obtain a server certificate for the website, for which you plan to use TLS. The certificate is issued by a Certificate Authority and is linked to this website.
TLS support must be enabled for the web server.
In order for an application using a Web service to use a secure connection, you must explicitly specify this when connecting to the Web service. To do this, when creating WS Determinations and WS Proxy objects, you must specify the SecureConnection parameter. When using a secure connection, you must specify the SecureConnectionOpenSSL object as the value of this parameter.

Configuring a web server

Internet Information Services

32-bit web server extension version on a IIS 64-bit version

If you are using the 32-bit version of a web server extension on a 64-bit version of the operating system, you must indicate to the web server that it can run 32-bit applications. To do this, you must perform the following operations:

For IIS 5.1, IIS 6.0 ‑, you must start the command interpreter and start the following command in it:

cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1

For IIS 7.0 and older ‑, open the application pool's main settings dialog: IIS configuration manager ‑ <Specific server> ‑ Application pools ‑ <Desired application pool> ‑ Advanced parameters. Set parameter Allow 32-bit applications to True .

Application pool settings

When configuring IIS, remember that within one application pool, more than one web server extension module cannot be executed which differ only in the third and fourth digits of the version. To organize such operation, you should number if the application pools equal to the number of different versions of expansion modules, and manually tie each virtual application of the web client to the desired application pool.

If the publication serves a file version of the infobase, it is not recommended that you allow the web server to create several working processes in the same application pool. If in the infobase file mode background jobs are used, for correct operation purposes the number of working processes in the pool you use must be equal to 1. Working process numbers is managed by the parameter IIS configuration manager ‑ <Specific server> ‑ Application pools ‑ <Desired application pool> ‑ Advanced parameters ‑ Working processes maximum number (in the parameter group Process model).

Error presentation setup

In cases where the "1C: Enterprise" errors (when working with the IIS web server of version 7.x and later) are displayed with text of the type 500‑, an internal server error. Problem with requested resource; the resource cannot be displayed, you must change the parameter that controls the presentation of errors. To do this, open the dialog to configure the parameters of the error pages: IIS configuration manager ‑ <Specific Server> ‑ Web sites ‑ <Default Web Site> ‑ <Virtual application name> ‑ Error pages ‑ Change parameters… In the opened dialog box, set the If the server detects an error, return to the value Detailed error messages parameter. Then, click OK button.

Setup of the URL permissible length

When accessing the standard OData interface, the URL can be of significant length. By default, IIS restricts URL length to 260 characters. To change this restriction, it is necessary (with administrator rights) in the system registry, in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters section, create a UrlSegmentMaxLength parameter of DWORD type. Set this parameter to a required value or to 0 for unlimited URL length. Then, restart the computer on which the IIS is installed.

HTTPS-connection setup

In some cases, when downloading large amounts of data over an HTTPS connection (when using the IIS web server) errors may occur. In these cases, try to use TLS 1.2 or TLS 1.1 protocol. For IIS 7.5 and later (Windows Server 2008 R2, Windows 7 and later), it is possible to enable the use of TLS 1.1 and later protocols. To do this, follow these steps:

in the system registry, in the section HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server create DisableByDefault parameter of DWORD type and set its value to 0.
in the system registry, in the section HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server create DisableByDefault parameter of DWORD type and set its value to 0.
These actions should be performed on behalf of a user with the administrative rights.

Then, restart the computer on which the IIS is installed.

Embedding Web Client

If you need to embed a web client in a web site, it is recommended to use the following settings for X-Frame-Origin response header in a web client application:

If an external web site and web client are published on a single web server, the header accepts sameorigin.
If an external web site and web client are published on different web servers, the header accepts allow-from %WebSite%. In this expression %WebSite% refers to URL (protocol, domain and port) of an external web site, where an embedded web client is expected to be used.
If a web client cannot be integrated with an external web site, the header accepts deny.

If there is no need to fine-tune the response header, make sure that in the web client application settings no X-Frame-Origin response header is available which accepts deny.

Apache

General features

In the case of publishing a file mode of the infobase to the Apache 2.2 web server (running under Windows), it is recommended to add the following fragment to the Apache web server configuration file (httpd.conf):

<IfModule mpm_winnt_module>
 ThreadStackSize 8388608
</IfModule>

If problems occur during the operation of the infobase associated with the exhaustion of the stack on the web server side, it is recommended to increase the value of the ThreadStackSize parameter. A detailed description of the ThreadStackSize parameter: http://httpd.apache.org/docs/2.2/mod/mpm_common.html#ThreadStackSize.

When using the Apache web server version 2.2 and later, running the Linux operating system, please use the multi-process worker module. A detailed description of this module is available at: http://httpd.apache.org/docs/2.2/mod/worker.html or http://httpd.apache.org/docs/2.4/mod/worker.html. If the publication serves a file version of the infobase, it is not recommended that you allow the web server to create several working processes that serve one publication. If in the infobase file mode background jobs are used, for correct operation purposes the number of working processes in the pool you use must be equal to 1. To manage the number of working processes, set ServerLimit 1 parameter in the worker module setup section (<IfModule worker.c> </IfModule> section) of the web server configuration file. If a multiprocess processing module is different from the recommended one, for settings of the number of working processes see documentation for the module you use.

Search algorithm for an installed web server

Apache 2.0

On Windows

Service detection:
- An attempt is made to read registry parameter value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apache2\ImagePath.
- In the resulting value, the Apache2.exe fragment is replaced with conf\\httpd.conf.
- If there is a file in the path received, then the Apache web server version 2.0 is considered to be detected.
Detecting the installation directory in the registry:
- An attempt is made to access the registry key HKEY_LOCAL_MACHINE\Software\Apache Software Foundation\Apache.
- If the attempt fails, then an attempt is made to gain access to the registry key HKEY_CURRENT_USER\Software\Apache Software Foundation\Apache.
- The open section reads the value of the 2.0\ServerRoot parameter.
- The parameter conf\httpd.conf is added to the parameter value.
- If there is a file in the path received, then the Apache web server version 2.0 is considered to be detected.
Detection by default installation directory:
- The configuration file (httpd.conf) in the default installation directory is being searched for: C:\Program Files\Apache Software Foundation\Apache2\conf.
- If the file is found, then the Apache web server version 2.0 is considered to be detected.

On Linux

The configuration file (httpd.conf) is searched for in the directory: /etc/httpd/conf/.

Apache 2.2

On Windows

Service detection:
- An attempt is made to read registry parameter value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apache2.2\ImagePath.
- In the resulting value, the Apache2.exe fragment is replaced with conf\\httpd.conf.
- If there is a file in the path received, then the Apache web server version 2.2 is considered to be detected.
Detecting the installation directory in the registry:
- An attempt is made to access the registry key HKEY_LOCAL_MACHINE\Software\Apache Software Foundation\Apache.
- If the attempt fails, then an attempt is made to gain access to the registry key HKEY_CURRENT_USER\Software\Apache Software Foundation\Apache.
- The open section reads the value of the 2.2\ServerRoot parameter.
- The parameter conf\httpd.conf is added to the parameter value.
- If there is a file in the path received, then the Apache web server version 2.2 is considered to be detected.
Detection by default installation directory:
- The configuration file (httpd.conf) in the default installation directory is being searched for: C:\Program Files\Apache Software Foundation\Apache2.2\conf.
- If the file is found, the Apache web server version 2.2 is considered to be detected.

On Linux

The configuration file (apache2.conf) is searched for in the following directory: /etc/apache2/.

Apache 2.4

On Windows

Service detection:
- An attempt is made to read registry parameter value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apache2.4\ImagePath.
- In the resulting value, the Apache2.exe fragment is replaced with conf\\httpd.conf.
- If there is a file in the path received, then the Apache web server version 2.4 is considered to be detected.
Detecting the installation directory in the registry:
- An attempt is made to access the registry key HKEY_LOCAL_MACHINE\Software\Apache Software Foundation\Apache.
- If the attempt fails, then an attempt is made to gain access to the registry key HKEY_CURRENT_USER\Software\Apache Software Foundation\Apache.
- The open section reads the value of the 2.4\ServerRoot parameter.
- The parameter conf\httpd.conf is added to the parameter value.
- If there is a file in the path received, then the Apache web server version 2.4 is considered to be detected.
Detection by default installation directory:
- The configuration file (httpd.conf) in the default installation directory is being searched for: C:\Program Files\Apache Software Foundation\Apache2.4\conf.
- If the file is found, the Apache web server version 2.4 is considered to be detected.

On Linux

The configuration file (apache2.conf) is searched for in the following directory: /etc/apache2/.

Embedding Web Client

If you need to embed a web client in a web site, it is recommended to use the following settings for X-Frame-Origin response header in the required publication section of a web server configuration file (httpd.conf):

If an external web site and web client are published on a single web server, make sure that a configuration file has the following strings:

LoadModule headers_module modules/mod_headers.so
Header set X-Frame-Options "sameorigin"

If an external web site and web client are published on different web servers, make sure that a configuration file has the following strings:

LoadModule headers_module modules/mod_headers.so
Header set X-Frame-Options "allow-from %WebSite%"

In this expression %WebSite% refers to URL (protocol, domain and port) of an external web site, where an embedded web client is expected to be used.

If a web client cannot be integrated with an external web site, make sure that a configuration file has the following strings:

LoadModule headers_module modules/mod_headers.so
Header set X-Frame-Options "deny"

If there is not need to fine-tune the response header, make sure that none of the following exist in the configuration file:

LoadModule headers_module modules/mod_headers.so
Header set X-Frame-Options "deny"

Reverse Proxy

Reverse proxy (reverse proxy server) ‑ is a proxy server that relays client requests from an external network to one or more servers located on the internal network. Can be used for load balancing and increased safety.

If the access to the web servers on which the 1C:Enterprise infobases are published is carried out via reverse proxy, then if the reverse proxy is not properly configured, this may lead to the inoperability of some components. This may be due to the fact that the request received by the 1C:Enterprise web server does not come from an external client, but from the computer, on which the reverse proxy is installed.

To avoid these problems, you should configure reverse proxy so that when you redirect an HTTP request, the X-Forwarded-Port, X-Forwarded-Host and X-Forwarded-Proto request headers are appropriately configured. In this case, 1C:Enterprise will be able to correctly recover the external HTTP request.

A detailed description of the reverse proxy settings should be found in the documentation for the web server used for this purpose.