Tag Archives: Liferay

Liferay, Security, Software Security

Security & Cookie links @ www.Liferay.com – Part 1

Leave a comment

List of Liferay security & cookie related links which includes Cookies, XSS, CSRF, OWASP, CORS, SSO, IAM, Service Action Policies and more:

  1. Known vulnerabilities: Known Vulnerabilities – Liferay
  2. Security statement: Security Statement | Liferay
  3. LXC Cloud security: DXP Cloud Security | Liferay
  4. Securing Liferay page: Securing Liferay – Liferay Learn
  5. Help center DXP 7.0: Liferay DXP Security Overview – Liferay Help Center
  6. Help center DXP 7.1: Introduction to Securing Liferay DXP – Liferay Help Center
  7. Administration security: Security – Liferay Learn
  8. Search security DXP 7.2: Installing Liferay Enterprise Search Security – Liferay Help Center
  9. Search security DXP 7.1: Installing Liferay Enterprise Search Security – Liferay Help Center
  10. Securing ElasticSearch DXP 7.3/7.4: Securing Elasticsearch – Liferay Learn
  11. Reporting security issues: Reporting Security Issues – Liferay
  12. Liferay product cookies: Liferay Product Cookies – Liferay Help Center
  13. Cookie list: Cookies list that could be found in a Liferay Portal and their usage – Liferay Help Center
  14. Login cookies: List of Cookies That Are Affected at Liferay Login – Liferay Help Center
  15. Liferay cloud cookies: Liferay Cloud cookies – Liferay Help Center

Email me: Neil@HarwaniSystems.in

Liferay

What you should not be doing in Liferay – Part 1

Leave a comment

Here is a list of what you should not be doing in Liferay – Part 1 and also what you should be doing written right next to it in place of the wrong things:

  • Write JDBC calls in portlets. Avoid JDBC calls in portlets. Please explore expando, service builder, dynamic queries and such from Liferay.
  • Run elasticsearch & database in embedded mode in production. This is to be avoided always. For production and especially clustering, use remote elasticsearch and separate database.
  • Use simple filestore for large number of documents. Right from the start prefer using advanced filestore.
  • Forget to switch off developer settings in portal-ext.properties and verbose level of tracing in logs. Please switch off developer settings and verbose level tracing in logs.
  • No performance testing and tuning of system before go-live. Please perform performance testing and tuning including GC / JVM / Caching / etc. for Liferay. Install Glowroot right from the start if possible in central pattern.
  • Not configure security for various parts of the system. Configure SSL, xpack security for search. Explore the security page on Liferay Learn for various configurations. Perform VAPT at the start.
  • Not enabling SSO. If SSO will be required in future, please enable it right from the start so that there are no user problems later. Also, it helps to reduce load on Liferay CPU of encryption.
  • Not refer official documentation. Please refer liferay.dev – forums, blogs, learn.liferay.comhelp.liferay.com, help center articles, Liferay Learn YouTube channel and more from the start.
  • Not explore commerce, objects, publications, headless APIs, blueprints, asset library, fragments and such features. Please explore all this right from the start.
  • Not explore benchmarking, performance, compatibility matrix whitepapers. Please explore them before go-live. There are lot of resources under resources section on Liferay.com including case studies, whitepapers and more.
  • Not create go-live, integration, deployment diagram, architecture and such documents at the start. Please create go-live, integration, deployment, architecture, design documents from the start.
  • Check Glowroot only when you face a problem. Instead, check your Glowroot regularly on weekly basis at least.
  • Not size the infrastructure requirements for NAS/SAN for filestore and DR strategy. Please plan your infrastructure requirements in terms of NAS/SAN, servers for Liferay, database, elastic and others like web server before go-live.
  • Not doing regular maintenance. Routinely do maintenance of Liferay, database, Elasticsearch, webserver and more by checking logs, JVM, CPU/memory usage, configurations and more.
  • Not checking your lighthouse score incase of public websites. Regularly optimize your lighthouse score incase of public facing websites.
  • Not have a DevSecOps strategy in place. Please create a CICD pipeline, DevSecOps strategy and implementation with Git style repository to manage things properly.
  • Not have an upgrade plan mapped to quarterly release of Liferay. Please have an upgrade plan mapped to quarterly releases of Liferay.

Email me: Neil@HarwaniSystems.in

Liferay

Performance tuning in Liferay – Part 2

Leave a comment

Following up on the Performance tuning in Liferay – Part 1 post – here are some additional points for performance tuning:

  1. The blue circle in Glowroot slow traces indicates that the transaction is still ongoing whereas yellow indicates it’s completed. Red indicates there is an error.
  2. You can change the JVM gauges as needed to see lot of different types of details of JVM
  3. You can use instrumentation from configuration using type ahead drop down (AJAX style)
  4. You can allocate specific cores to a JVM if need be using an argument on core allotment
  5. You can see thread profiles and take heap dumps from Glowroot itself
  6. Glowroot has sections on errors, queries and service calls
  7. You can get Glowroot to sustain it’s data through restarts using arguments
  8. For frequent garbage collection, check if some queries, etc. are continuously filling up memory and any fine tuning on caching can help
  9. It helps to follow these sections in no particular order and check them regularly: JVM – guages, MBeans (You can search your cache related things here – it’s like seeing things in VisualVM), threads and more, transactions, slow traces (all three areas throughput/etc.), thread profiles (search “blocked” here), queries, service calls, errors, sorting options in transactions, instrumentation, etc.
  10. Latest Glowroot works with Java 11 that is compatible with Liferay for customizations and product usage but not source code compile. This latest Glowroot gives lot many more options especially in transactions.
  11. If you are using Java 8, check if your Glowroot version is compatible with it. Typically 0.13.6 and below are compatible with Java 8 as far as I know.

Email me: Neil@HarwaniSystems.in

Liferay

Performance tuning in Liferay – Part 1

Leave a comment

Expanding on my post here on performance tuning: Post | Feed | LinkedIn

Below are the main points to work on for a performance tuning engagement in Liferay – Part 1.

  • Firstly, we need to find out what is slow: Database, service calls, elastic search, memory is an issue, threads are blocked / waiting, how much memory is a module taking, logs are printing what, etc.
  • Check your configurations as per this post: How to debug Liferay? – Some pointers – Part 1 | LinkedIn
  • Install Glowroot if possible, in central pattern and check following sections in it: slow traces, errors, service calls, threads, heap, instrumentation, configurations and so on for the problem timeframe.
  • You can enable tracing in logs & Glowroot instrumentation on targets. You can also use plugins by Fabian Bouché like for fragment analysis or follow his blogs on www.liferay.dev/blogs for using Glowroot in upgrades.
  • The above will give you hints on what is slow. Especially open the FLAME graphs and threads along with heap dumps to analyze which threads are blocked or waiting, how much memory is allocated to what in slow traces of modules and so on.
  • Then run a load test in simulated environment after checking compatibility matrix to get latest statistics for various scenarios like web content on portlet or in fragment, API calls, integrations, heavy load on Elasticsearch and so on with experimentation on themes.
  • After getting the slow threads and details in flame graphs plus slow traces, if it’s custom code or configuration or DB call or ES which is slow, optimize it like Hikari pool connections or if it’s source code of Liferay, open the GITHUB repo for Liferay portal, check the source code and reach out of Customer Success / Global Services / Support with inferences depending on your engagement in account. Your Customer Success Manager or Sales can guide you on this.
  • GS / CS will work internally in Liferay to get you the best options and / or patches in case they already exist. Many a times this could also have been fixed in a Hot fix or Fix Pack already. Alternatively, configurations could also solve such problems many a times. To check these go to Liferay customer portal and check the changelog for fix packs. You can also refer to Liferay Learn and Help Center for help articles and tutorials.
  • Various areas of performance tuning: Database, HTTP calls, App server, ElasticSearch, Threads, Heap optimization, Caching and more. We will follow up this post with more pointers on performance tuning in Part – 2. A good list of areas is to check in the deployment guide for your version.
  • Thanks to Fabian Bouché David Nebinger and many more at Liferay Global Services / Support / Customer Success and Customer Support / Engineering due to which I am able to compile the above. Above is a compilation of work from many sources internally in Liferay via work with customers & externally which hopefully should help many of Liferay customers and partners. This also serves as a case study on performance tuning.
  • Email me: Neil@HarwaniSystems.in
Liferay

Liferay clustering – Part 1

Leave a comment

Notes on Liferay clustering:

Email me: Neil@HarwaniSystems.in

AIML, Liferay

Liferay & AIML / Generative AI – Part 1

Leave a comment

What all is possible with Liferay & AIML / Generative AI? – Part 1. Liferay being open source we can integrate GAI / AIML with Liferay for:

  • Generating content & images in web content section
  • Generating automated blogs, tags, categories and UIUX flows
  • Assistant which could redirect us to relevant help pages
  • Assistant which could suggest which portlets or features to use from documentation
  • Assistant for suggesting configurations of Liferay
  • Intelligent chatbot which is domain specific
  • Assistant for fault finding & log analysis recommendations
  • Assistant for detecting status of liferay, integrations, file store & database
  • Assistant for analysis of networked components like web server, CDN, hosting / cloud and so on
  • List is endless and this seems to be the just the start of this new area of integrating AIML / GAI into enterprise applications for monitoring, suggestions and assistance

Refer my earlier blog for what kind of disclaimers might be required when working with GAI: What points can be part of fair use disclaimer for Generative AI? – Part 1 | LinkedIn

Email me: Neil@HarwaniSystems.in

Liferay

How to take knowledge transfer in a discussion for Liferay engagement – Part 1

Leave a comment

Here is a list of points which will help in taking a knowledge transfer for a Liferay engagement – Part 1:

1. Check which products of Liferay are in use: DXP, Commerce, Analytics and / or Cloud LXC

2. Take the list of osgi/configs & osgi/modules to get configurations of osgi modules and such

3. Check portal-ext.properties and portal-setup-wizard.properties 

4. Understand the functional flow of usecase fully and draw sequence diagrams for the flows 

5. Check control panel in terms of what is in use like number of private / public pages, server administration, OOTB portlets / apps used, web content, templates, foundation, search, instance / virtual settings, redirects, configurations, LDAP, SSO, system properties  

6. Check theme and style books

7. Get information on file-store, index server, database, clustering and deployment via deployment architecture 

8. Check CI/CD & developer environment details in terms of integration and pipeline

9. Check sizes of file-store and database

10. Get details on type of custom portlets, UI frameworks in use and Lifeary DevStudio usage

11. Check integrations with Liferay and the ecosystem like deployment on in-prem infra and cloud deployment

12. Check CPU / memory usage and errors that frequently come from logs. Get logs for last 7-15 days

13. Check the ecosystem of code quality, monitoring & performance tools if any are present 

14. Get a list of problems from developers, inputs from functional managers, any roadmap, upgrade plans for future usage 

Email me: Neil@HarwaniSystems.in

Liferay

Checklist for DMS Use Case in Liferay

Leave a comment

Find below a checklist for Liferay’s DMS (Document Management System) Use Case:

  • Size your document average size, range of size, number of documents, type, viewers, thumbnail requirements early
  • Decide the workflow templates for start plus growth per quarter & estimated workflow instances per day / week / month in advance which will run on your documents
  • Size your file store and decide on SAN / NAS requirements early based on latency / size of documents / number of folders and so on
  • Switch to advanced file store early if you have large number of documents – this is preferrable right from the start
  • Consider adding multiple repositories in advance if you have multiple file stores and a very large number of documents across repositories
  • Use case of DMS specific software other than Liferay working alongside Liferay mounted via CMIS protocol should be considered early incase of very large number of documents across repositories
  • Full text / partial / multilingual search requirements should be planned early
  • Scanning integration if needed should be considered
  • Anti-virus considerations should be considered depending on use case
  • Response times should be calculated based on network latency for all users
  • Mobile, responsive, desktop, laptop / universal views for documents need to be planned
  • Cloud deployment use case in terms of blob storage / file store considerations should be done early
  • Separate Elasticsearch should be planned
  • Access control, confidentiality, digital rights management related planning and requirements should be done as a prerequisite
  • Liferay file store, Elasticsearch, data folder, filesystem and database should not be directly worked on – We should work via Liferay UI/Control Panel/Groovy/API and so on. Exceptions are there like reindexing problems, performance tuning and so on but they should be more exceptions than norm.
  • Include backup/restore in sync with database. Also in DR.
  • Leverage Ghostscript and Open Office / Libre Office for text extraction and conversion.
  • Include clam-av for portal-based scans when uploads are supported from external sources.

Email me: Neil@HarwaniSystems.in

Liferay, Search

Elasticsearch with Liferay – Notes & Links – Part 1

Leave a comment

Below are the important notes & links for configuring Liferay DXP with Elasticsearch.

Email me: Neil@HarwaniSystems.in

Liferay

How to debug Liferay? – Some pointers – Part 1

Leave a comment

How to debug Liferay? Some pointers. – Part 1. Many a times, we only check at specific places and forget other areas while debugging. This small blog acts as a checklist to check and debug Liferay.

  • Look at installing and using GLOWROOT
  • Check the slow traces / web transactions / errors and the related graphs in GLOWROOT
  • Check the logging levels module wise and overall
  • Check all the Liferay nodes if in a cluster
  • Check the app server logs
  • Check JNDI & JDBC settings
  • Check the things by simulating on default vanilla instance / bundle
  • Use help center articles
  • Check your webserver, load balancer and database configurations plus logs
  • Check your portal & system properties
  • Check configurations in control panel for the related work
  • Check your custom API list
  • Check details via GoGo shell commands
  • Check the code in Liferay DevStudio or your favorite IDE
  • Check marketplace apps that are installed
  • Consider using Groovy scripting for debugging
  • Check virtual instances if in use
  • Check OSGI configurations if added
  • Check your elastic search server status
  • Check your heap size and thread dumps plus configurations in setenv.sh/bat

Blog also gives you an idea on the configurability and extent of Liferay modularity. It makes our work easier when many of the things are configurable.

References: