Differences
This shows you the differences between two versions of the page.
tutorial:adm:czechidm_installation [2019/06/10 13:13] urbanl old revision restored (2019/03/18 14:46) |
tutorial:adm:czechidm_installation [2021/12/14 08:52] fiserp [3. Configure environment properties. Select application profile] |
Line 1: | Line 1: | ||
- | ====== Installation of CzechIdM - Linux ====== | + | ====== Installation of CzechIdM - Linux - CentOS8 |
{{tag> | {{tag> | ||
- | We presume | + | We expect |
- | This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (java, postgreSQL, Tomcat, Apache | + | This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (Java, PostgreSQL, Tomcat, Apache |
- | <note tip>If you install CzechIdM on Sql server | + | <note tip>If you install CzechIdM on with Microsoft SQL Server database backend, |
==== 1. Create DB user and database in PostgreSQL ==== | ==== 1. Create DB user and database in PostgreSQL ==== | ||
Switch the user from root to postgres and use **psql** to add the user and database into PostgreSQL: | Switch the user from root to postgres and use **psql** to add the user and database into PostgreSQL: | ||
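Review bot: the new `<note tip>` line reads "If you install CzechIdM on with Microsoft SQL Server database backend"; drop the stray "on" so it reads "If you install CzechIdM with a Microsoft SQL Server database backend". Also "We presume" was changed to "We expect", which is a weaker fit for stating prerequisites; "We assume" is the usual wording for that sentence.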
Line 15: | Line 15: | ||
psql | psql | ||
CREATE USER czechidm PASSWORD ' | CREATE USER czechidm PASSWORD ' | ||
- | CREATE DATABASE " | + | |
+ | # Choose appropriate collation and create database. | ||
+ | # with czech collation (- typical) | ||
+ | CREATE DATABASE " | ||
+ | # or with english collation | ||
+ | # CREATE DATABASE " | ||
</ | </ | ||
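Review bot: `CREATE USER czechidm PASSWORD '...'` typed into an interactive psql session is written to the postgres user's `~/.psql_history`, and to the server log if statement logging is enabled, so the database credential ends up on disk in clear text; suggest a sentence telling the reader to set the password out of band instead (`\password czechidm` prompts without echoing, or run the statement from a file that is removed afterwards). The added collation comment "# with czech collation (- typical)" is also awkward; "# Czech collation (the usual choice)" reads better, and the commented-out "# or with english collation" line should say when to pick it instead.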
Line 35: | Line 40: | ||
and restart PostgreSQL. | and restart PostgreSQL. | ||
</ | </ | ||
- | ==== 2. JDBC driver installation ==== | + | ==== 2. JDBC driver installation |
**CentOS** | **CentOS** | ||
- | Install the package with PostgreSQL JDBC driver: | + | Download |
+ | In this example we download version 42.2.11. | ||
<code bash> | <code bash> | ||
- | yum install -y postgresql-jdbc | + | wget https:// |
</ | </ | ||
- | allow Tomcat to use the driver: | + | ==== 3. Configure environment properties. Select application profile ==== |
- | <code bash> | + | Edit the configuration file '' |
- | ln -s /usr/share/java/postgresql-jdbc.jar / | + | |
- | </code> | + | |
- | **Debian** | + | Change the following line: |
- | + | ||
- | Install | + | |
<code bash> | <code bash> | ||
- | apt-get install libpostgresql-jdbc-java | + | Environment=' |
</ | </ | ||
- | allow Tomcat to use the driver: | + | into: |
<code bash> | <code bash> | ||
- | ln -s /usr/share/ | + | Environment=' |
- | </ | + | |
- | ==== 3. Configure environment properties. Select application profile ==== | + | |
- | Edit tomcat unit - edit the line with environment variable choosing the appropriate application profile. We use **production** profile in our example, which enables you to configure production-ready instace of the identity manager. | + | </code> |
- | < | + | |
- | <note important> | + | Reload systemd after the changes: |
- | < | + | |
- | Initialization of bean failed; nested exception is java.lang.IllegalArgumentException: | + | |
- | </ | + | |
- | Use '' | ||
- | <code bash> | ||
- | Environment=' | ||
- | </ | ||
- | into: | ||
- | <code bash> | ||
- | Environment=' | ||
- | </ | ||
- | |||
- | On CentOS reload systemd after the changes: | ||
<code bash> | <code bash> | ||
systemctl daemon-reload | systemctl daemon-reload | ||
+ | |||
</ | </ | ||
+ | |||
+ | |||
==== 4. Create CzechIdM configuration folders ==== | ==== 4. Create CzechIdM configuration folders ==== | ||
In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments. | In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments. | ||
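Review bot: replacing `yum install -y postgresql-jdbc` with a `wget https://` of a hand-picked jar (version 42.2.11 per the text) takes the driver out of package management, so the page should tell the reader to verify the download against the checksum or PGP signature published alongside the release, and the pinned 42.2.11 will age. The hunk also drops the left side's "allow Tomcat to use the driver" `ln -s ... postgresql-jdbc.jar` step without showing where the downloaded jar goes; add the copy or symlink into Tomcat's lib directory (root-owned, readable by tomcat) directly after the `wget`. Finally, the removed `<note important>` quoting "Initialization of bean failed; nested exception is java.lang.IllegalArgumentException" was the only troubleshooting hint for a wrong profile name; consider keeping it under the new section 3, which still edits the same `Environment='...'` line.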
Line 92: | Line 82: | ||
* The **backup** directory stored Groovy scripts backups. | * The **backup** directory stored Groovy scripts backups. | ||
* The **data** directory stores various user-attached files. | * The **data** directory stores various user-attached files. | ||
- | * The **app** directory stores war files. | ||
* | * | ||
Create the directory structure: | Create the directory structure: | ||
< | < | ||
- | mkdir -p / | + | mkdir -p / |
</ | </ | ||
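Review bot: dropping the "**app** directory stores war files" bullet and the matching path from `mkdir -p` is consistent with the later change that copies the WAR into Tomcat's webapps, but the empty "*" bullet just before "Create the directory structure:" survives on both sides and renders as a blank list item; remove it.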
Line 102: | Line 91: | ||
==== 5. Create CzechIdM configuration ==== | ==== 5. Create CzechIdM configuration ==== | ||
- | Now we will create configuration files the CzechIdM will use. | + | |
- | < | + | Now we will create configuration files the CzechIdM will use. < |
- | * The **/ | + | |
- | cat / | + | * The **/ |
+ | |||
+ | < | ||
+ | cat / | ||
</ | </ | ||
- | | + | |
+ | | ||
+ | |||
+ | <file properties quartz-production.properties> | ||
org.quartz.scheduler.instanceName=idm-scheduler-instance | org.quartz.scheduler.instanceName=idm-scheduler-instance | ||
org.quartz.scheduler.instanceId=AUTO | org.quartz.scheduler.instanceId=AUTO | ||
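Review bot: on the right side the intro sentence "Now we will create configuration files the CzechIdM will use." is run together with the start of the following list on the same line; keep the line break so the list renders, and "the CzechIdM" should be "CzechIdM". Wrapping the Quartz settings in `<file properties quartz-production.properties>` is an improvement because the reader now sees the target file name next to its content.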
Line 119: | Line 115: | ||
org.quartz.jobStore.misfireThreshold=60000 | org.quartz.jobStore.misfireThreshold=60000 | ||
org.quartz.jobStore.tablePrefix=qrtz_ | org.quartz.jobStore.tablePrefix=qrtz_ | ||
+ | |||
+ | |||
</ | </ | ||
- | | + | |
+ | | ||
+ | |||
+ | <file xml logback-spring.xml> | ||
<?xml version=" | <?xml version=" | ||
<!-- https:// | <!-- https:// | ||
<!-- http:// | <!-- http:// | ||
< | < | ||
+ | <!-- !!!BEWARE!!! The specification of the LOG PATTERNS overrides the default configuration and increases the maximum length of the %logger{< | ||
+ | It is neccessary for correct function of the AUDIT logging feature (redmine ticket #2717). If AUDIT logger key is longer then the set limit it gets shortened | ||
+ | and SIEM software is not able to parse logs properly. --> | ||
+ | < | ||
+ | < | ||
+ | |||
<include resource=" | <include resource=" | ||
< | < | ||
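Review bot: the new `<!-- !!!BEWARE!!! ... -->` comment in logback-spring.xml is worth keeping (a truncated logger name in the AUDIT line breaks SIEM parsing), but fix "neccessary" to "necessary" and "longer then" to "longer than", and state the new length limit in the comment next to the `%logger{...}` conversion word so a reader who later edits the pattern knows which number must not be lowered.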
Line 133: | Line 140: | ||
<logger name=" | <logger name=" | ||
<logger name=" | <logger name=" | ||
+ | <logger name=" | ||
</ | </ | ||
- | < | + | < |
- | <logger name=" | + | |
- | <logger name=" | + | |
- | <logger name=" | + | |
- | <logger name=" | + | |
- | <logger name=" | + | |
- | </ | + | |
- | + | ||
- | < | + | |
< | < | ||
< | < | ||
Line 149: | Line 149: | ||
< | < | ||
- | < | + | < |
< | < | ||
< | < | ||
Line 163: | Line 163: | ||
</ | </ | ||
- | <logger name=" | + | <logger name=" |
< | < | ||
</ | </ | ||
<logger name=" | <logger name=" | ||
- | <logger name=" | + | <logger name=" |
- | <logger name=" | + | <logger name=" |
- | <logger name=" | + | <logger name=" |
- | </springProfile> | + | <logger name=" |
- | < | ||
- | <logger name=" | ||
- | <logger name=" | ||
- | <logger name=" | ||
- | <logger name=" | ||
- | <logger name=" | ||
</ | </ | ||
+ | |||
</ | </ | ||
+ | |||
+ | |||
</ | </ | ||
- | | + | |
+ | | ||
+ | |||
+ | <file properties application-production.properties> | ||
# Doc: https:// | # Doc: https:// | ||
- | + | ||
idm.pub.app.instanceId=idm-primary | idm.pub.app.instanceId=idm-primary | ||
idm.pub.app.stage=production | idm.pub.app.stage=production | ||
- | + | ||
spring.datasource.url=jdbc: | spring.datasource.url=jdbc: | ||
spring.datasource.username=czechidm | spring.datasource.username=czechidm | ||
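Review bot: at the `</springProfile>` line on the left, the right side substitutes a `<logger name=...>` entry and the second `<springProfile>` block with its five loggers is removed entirely; the remaining `</` closers at the end of the hunk need a check that every `<springProfile>` still opened is closed exactly once, since an unbalanced element breaks the Logback configuration and with it the AUDIT pattern introduced above. The new `<file properties application-production.properties>` block keeps `flyway.enabled=true` together with `spring.jpa.hibernate.ddl-auto=none`, which is the right pairing for production (schema changes only through migrations).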
Line 196: | Line 196: | ||
spring.jpa.hibernate.ddl-auto=none | spring.jpa.hibernate.ddl-auto=none | ||
flyway.enabled=true | flyway.enabled=true | ||
- | + | ||
- | scheduler.enabled=true | + | |
- | scheduler.task.queue.process=1000 | + | |
- | scheduler.event.queue.process=1000 | + | |
scheduler.properties.location=quartz-production.properties | scheduler.properties.location=quartz-production.properties | ||
+ | |||
logging.config=/ | logging.config=/ | ||
+ | |||
idm.sec.core.demo.data.enabled=false | idm.sec.core.demo.data.enabled=false | ||
- | + | ||
- | #spring.cache.ehcache.config=classpath: | + | # attachments will be stored under this path. |
- | + | # new directories for attachment will be created in this folder (permissions has to be added) | |
- | spring.activiti.processDefinitionLocationPrefix=classpath*:/ | + | # System.getProperty(" |
- | idm.sec.core.notification.template.folder=classpath*:/eu/ | + | idm.sec.core.attachment.storagePath=/opt/czechidm/data |
- | idm.sec.core.script.folder=classpath*:/ | + | # configuration property for default backup |
- | # configuration property for default backup | + | |
idm.sec.core.backups.default.folder.path=/ | idm.sec.core.backups.default.folder.path=/ | ||
- | + | ||
- | + | ||
idm.pub.security.allowed-origins=http:// | idm.pub.security.allowed-origins=http:// | ||
# Generate JWT token security string as "cat / | # Generate JWT token security string as "cat / | ||
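Review bot: the moved attachment block's comment "new directories for attachment will be created in this folder (permissions has to be added)" should read "permissions have to be added" and point at step 6, where `chown -R tomcat:` and `chmod 750` grant them. The hunk also drops `scheduler.enabled=true` and the two `scheduler.*.queue.process=1000` settings while keeping `scheduler.properties.location`; if the intent is to rely on application defaults, say so in a comment, otherwise a reader comparing the old template with a running instance will wonder where they went.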
Line 219: | Line 216: | ||
idm.sec.security.jwt.expirationTimeout=36000000 | idm.sec.security.jwt.expirationTimeout=36000000 | ||
- | # recaptcha | ||
- | # - recaptchaservice endpoint | ||
- | # | ||
- | # - secret key, can be generated here https:// | ||
- | idm.sec.security.recaptcha.secretKey=xxx | ||
- | # Proxy for HTTP requests | ||
- | # | ||
- | |||
# Cipher secret key for crypt values in confidential storage | # Cipher secret key for crypt values in confidential storage | ||
# for crypt values is used secretKey or secretKey defined by file - secretKeyPath | # for crypt values is used secretKey or secretKey defined by file - secretKeyPath | ||
# | # | ||
cipher.crypt.secret.keyPath=/ | cipher.crypt.secret.keyPath=/ | ||
- | + | ||
- | + | # Defaults for: emailer.* | |
+ | # test.enabled=true means mail WILL NOT be sent | ||
idm.sec.core.emailer.test.enabled=true | idm.sec.core.emailer.test.enabled=true | ||
# http:// | # http:// | ||
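Review bot: `idm.sec.security.jwt.expirationTimeout=36000000` carries no unit in its comment; if it is milliseconds that is 10 hours of token validity, which is worth stating so operators can judge it against their session policy. The added line "# test.enabled=true means mail WILL NOT be sent" above `idm.sec.core.emailer.test.enabled=true` is good; pair it with a one-liner that this must be switched to false (and SMTP credentials filled in) before go-live, since the property name alone suggests the opposite. Removing the `idm.sec.security.recaptcha.secretKey=xxx` placeholder and the commented proxy lines is fine.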
Line 241: | Line 231: | ||
# idm.sec.core.emailer.password=password | # idm.sec.core.emailer.password=password | ||
idm.sec.core.emailer.from=czechidm@localhost | idm.sec.core.emailer.from=czechidm@localhost | ||
- | + | ||
- | ## Global property that allow disable or enable sending notification from WF | + | |
- | idm.sec.core.wf.notification.send=false | + | |
- | + | ||
- | + | ||
- | # supports delete identity | + | |
- | idm.pub.core.identity.delete=true | + | |
- | # | + | |
- | # default password change type for custom users, one of values: | + | |
- | # DISABLED - password change is disable | + | |
- | # ALL_ONLY - users can change passwords only for all accounts | + | |
- | # CUSTOM - users can choose for which accounts change password | + | |
- | idm.pub.core.identity.passwordChange=ALL_ONLY | + | |
- | # | + | |
- | # required old password for change password | + | |
- | idm.pub.core.identity.passwordChange.requireOldPassword=true | + | |
- | # | + | |
- | # create default identity' | + | |
- | idm.pub.core.identity.create.defaultContract.enabled=true | + | |
- | + | ||
- | + | ||
# Default user role will be added automatically, | # Default user role will be added automatically, | ||
# could contains default authorities and authority policies configuration | # could contains default authorities and authority policies configuration | ||
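Review bot: deleting `idm.pub.core.identity.passwordChange.requireOldPassword=true` (together with `idm.pub.core.identity.passwordChange=ALL_ONLY`, `idm.pub.core.identity.delete=true` and `idm.sec.core.wf.notification.send=false`) only preserves behaviour if the application defaults match the removed values; requiring the old password on change is a security control, so either keep that line in the template or add a sentence confirming it is the default, and do the same for the workflow notification switch, whose removal could re-enable outgoing mail from workflows.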
Line 268: | Line 238: | ||
# Admin user role | # Admin user role | ||
idm.sec.core.role.admin=superAdminRole | idm.sec.core.role.admin=superAdminRole | ||
- | |||
- | |||
- | # ID system against which to authenticate | ||
- | idm.sec.security.auth.systemId= | ||
- | # attachments will be stored under this path. | + | # Max file size of uploaded file. Values can use the suffixed " |
- | # new directories for attachment will be created in this folder (permissions has to be added) | + | spring.servlet.multipart.max-file-size=100MB |
- | # System.getProperty(" | + | spring.servlet.multipart.max-request-size=100MB |
- | idm.sec.core.attachment.storagePath=/ | + | |
</ | </ | ||
=== Adjust database configuration === | === Adjust database configuration === | ||
- | If you followed this howto, the only thing you should need to adjust is a **spring.datasource.password** propetry. Set it to the password for czechidm user in PostgreSQL. | + | |
- | If necessary, adjust other database connection properties... <code properties> | + | If you followed this howto, the only thing you should need to adjust is a **spring.datasource.password** |
+ | |||
+ | <code properties> | ||
spring.datasource.url=jdbc: | spring.datasource.url=jdbc: | ||
spring.datasource.username=czechidm | spring.datasource.username=czechidm | ||
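Review bot: the new `spring.servlet.multipart.max-file-size=100MB` / `max-request-size=100MB` pair bounds upload size per request, which is a sensible denial-of-service limit, but the comment "Max file size of uploaded file. Values can use the suffixed ..." should also say that the reverse proxy (Apache per the intro) must allow at least the same body size or uploads fail there first. The removed `idm.sec.security.auth.systemId=` had an empty value, so its removal is a no-op, and the attachment comment block moved earlier in the file, so no setting was lost. In "Adjust database configuration", make sure the spelling fix for "propetry" carried over into the rewritten sentence.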
Line 288: | Line 257: | ||
spring.datasource.validationQuery=SELECT 1 | spring.datasource.validationQuery=SELECT 1 | ||
spring.datasource.test-on-borrow=true | spring.datasource.test-on-borrow=true | ||
+ | |||
+ | |||
</ | </ | ||
=== Generate JWT token === | === Generate JWT token === | ||
- | Set value of the **idm.sec.security.jwt.secret.token** property as is described in the template file:< | + | |
+ | Set value of the **idm.sec.security.jwt.secret.token** | ||
+ | |||
+ | <code properties> | ||
# Generate JWT token security string as "cat / | # Generate JWT token security string as "cat / | ||
# We recommend the VALUE to be at least 25. | # We recommend the VALUE to be at least 25. | ||
idm.sec.security.jwt.secret.token=********** TODO ********* | idm.sec.security.jwt.secret.token=********** TODO ********* | ||
+ | |||
+ | |||
</ | </ | ||
=== Local confidential storage === | === Local confidential storage === | ||
- | Local confidential storage is encrypted by AES algoritm. [[https:// | + | Local confidential storage is encrypted by AES algoritm. [[https:// |
- | Confidential storage is encrypted by a key found in **secret.key** file you already created. | + | |
There are two properties in application-production.properties that influence the confidential storage: | There are two properties in application-production.properties that influence the confidential storage: | ||
- | | + | |
- | * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property. | + | |
+ | * or (better) | ||
<note warning> | <note warning> | ||
- | Confidential storage uses AES/ | + | Confidential storage uses AES/ |
+ | |||
+ | * OpenJDK/JDK 1.8u161 and all higher versions support AES-256 by default. | ||
+ | * Older versions (below 1.8u161) do not offer it. On those Java distributions, | ||
+ | |||
+ | </ | ||
=== Attachment store === | === Attachment store === | ||
- | In CzechIdM, users can sometimes add attachments (say, attach *.jpeg photo to their employee card request). Those files are stored in the attachment store. | + | |
- | With the following property, you can configure, where the store is. If you used sample property file, the store is by-default located under / | + | In CzechIdM, users can sometimes add attachments (say, attach *.jpeg photo to their employee card request). Those files are stored in the attachment store. With the following property, you can configure, where the store is. If you used sample property file, the store is by-default located under / |
<code properties> | <code properties> | ||
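Review bot: "Local confidential storage is encrypted by AES algoritm" survives on both sides; fix to "algorithm". In the JWT block, "# We recommend the VALUE to be at least 25." is ambiguous (25 characters of which alphabet?); state that the secret should be built from at least 32 random bytes read from `/dev/urandom` and encoded for the properties file, because a short or low-entropy JWT secret lets anyone who guesses it mint valid tokens. The new bullet "OpenJDK/JDK 1.8u161 and all higher versions support AES-256 by default" is correct (the unlimited crypto policy became the default in 8u161), and removing the sentence about a `secret.key` "you already created" is right because nothing earlier on the page creates it; the page should then say explicitly where and how the key file is generated before step 6 sets `chmod 640` on it.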
Line 319: | Line 300: | ||
# System.getProperty(" | # System.getProperty(" | ||
idm.sec.core.attachment.storagePath=/ | idm.sec.core.attachment.storagePath=/ | ||
+ | |||
+ | |||
</ | </ | ||
=== Environment === | === Environment === | ||
- | If you install CzechIdM in multiple environments (typically test and production), | + | If you install CzechIdM in multiple environments (typically test and production), |
<code properties> | <code properties> | ||
# Application stage (development, | # Application stage (development, | ||
idm.pub.app.stage=production | idm.pub.app.stage=production | ||
- | </ | ||
+ | |||
+ | </ | ||
==== 6. Set correct permissions on CzechIdM files ==== | ==== 6. Set correct permissions on CzechIdM files ==== | ||
- | **CentOS** | ||
< | < | ||
chown tomcat: | chown tomcat: | ||
- | chown -R tomcat: | + | chown -R tomcat: |
- | chmod 750 / | + | chmod 750 / |
- | chmod 640 / | + | |
- | </ | + | |
- | **Debian** | + | |
- | < | + | |
- | chown tomcat8: | + | |
- | chown -R tomcat8: | + | |
- | chmod 750 / | + | |
chmod 640 / | chmod 640 / | ||
</ | </ | ||
+ | |||
==== 7. Adjust Tomcat' | ==== 7. Adjust Tomcat' | ||
- | Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the **/ | + | Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the '' |
- | Add this line with this comand '' | + | Create |
- | < | + | |
- | Environment=' | + | < |
- | </ | + | |
- | On **Debian** create | + | |
- | < | + | |
CLASSPATH=/ | CLASSPATH=/ | ||
</ | </ | ||
+ | |||
And change owner of the file to tomcat: | And change owner of the file to tomcat: | ||
< | < | ||
- | chown root:tomcat /usr/share/tomcat8/ | + | chown root:tomcat /opt/tomcat/current/ |
</ | </ | ||
+ | |||
==== 8. Create dedicated Java truststore ==== | ==== 8. Create dedicated Java truststore ==== | ||
Java truststore is a file which contains SSL certificates which we consider trusted. Usually this means some certificates of end systems or their respective certificate authorities. | Java truststore is a file which contains SSL certificates which we consider trusted. Usually this means some certificates of end systems or their respective certificate authorities. | ||
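Review bot: step 7 now creates a CLASSPATH file under `/opt/tomcat/current/` instead of an `Environment=` line in the unit, and `chown root:tomcat` is shown but no `chmod`; add `chmod 640` so the tomcat user can read but not modify a file that controls what the JVM loads, the same rule step 6 applies to the CzechIdM configuration files. Removing the Debian variants from steps 6 and 7 matches the retitled CentOS8 page.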
Line 389: | Line 366: | ||
</ | </ | ||
==== 9. Deploy the CzechIdM ==== | ==== 9. Deploy the CzechIdM ==== | ||
- | Download the latest CzechIdM version. Currently it is idm-app-9.4.0.war. | + | Download the latest CzechIdM version. Currently it is idm-app-10.4.1.war. |
- | + | ||
- | **CentOS** | + | |
Ensure Tomcat is stopped: | Ensure Tomcat is stopped: | ||
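Review bot: "Download the latest CzechIdM version. Currently it is idm-app-10.4.1.war." pins a version in prose that will age the same way 9.4.0 did; say where the WAR is downloaded from and that its published checksum or signature should be verified before deploying, since this artifact runs with the database credentials and the confidential-storage key.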
Line 397: | Line 372: | ||
systemctl stop tomcat.service | systemctl stop tomcat.service | ||
</ | </ | ||
- | Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**: | + | Copy the identity manager WAR into webapps folder in Tomcat and name it '' |
< | < | ||
- | cp idm-app-9.4.0.war /opt/czechidm/ | + | cp idm-app-10.4.1.war / |
- | chown tomcat:tomcat /opt/czechidm/app/idm.war | + | |
</ | </ | ||
Start the Tomcat container:< | Start the Tomcat container:< | ||
systemctl start tomcat.service | systemctl start tomcat.service | ||
</ | </ | ||
- | If everything is set up right, the CzechIdM will deploy. Default log is **/var/log/ | + | If everything is set up right, the CzechIdM will deploy. Default log is '' |
- | **Debian** | ||
- | Ensure Tomcat is stopped: | + | ==== 10. Final Steps ==== |
- | < | + | |
- | systemctl stop tomcat8.service | + | |
- | </ | + | |
- | Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**: | + | |
- | < | + | |
- | cp idm-app-9.4.0.war / | + | |
- | chown tomcat8: | + | |
- | </ | + | |
- | Start the Tomcat container:< | + | |
- | systemctl start tomcat8.service | + | |
- | </ | + | |
- | If everything is set up right, the CzechIdM will deploy. Default log is **/ | + | |
- | ==== 10. Final Steps ==== | ||
=== Allow network services === | === Allow network services === | ||
Firewall may restrict the access to all port except ssh (22/tcp). To be able to use CzechIdM, allow port 443/tcp and reload firewalld: | Firewall may restrict the access to all port except ssh (22/tcp). To be able to use CzechIdM, allow port 443/tcp and reload firewalld: | ||
<code bash> | <code bash> | ||
+ | firewall-cmd --permanent --add-port=80/ | ||
firewall-cmd --permanent --add-port=443/ | firewall-cmd --permanent --add-port=443/ | ||
firewall-cmd --reload | firewall-cmd --reload | ||
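Review bot: the `chown tomcat:tomcat /opt/czechidm/app/idm.war` line is removed and the new `cp idm-app-10.4.1.war /...` has no ownership or mode step after it; the WAR copied into Tomcat's webapps must be readable by the tomcat user, and ideally root-owned and not writable by it, so add the matching `chown` and `chmod`. On the firewall change, opening 80/tcp alongside 443/tcp is fine only if Apache on port 80 does nothing but redirect to HTTPS; say so, otherwise credentials and tokens can travel in clear text.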
Line 439: | Line 400: | ||
Follow some final configuration steps: [[tutorial: | Follow some final configuration steps: [[tutorial: | ||
- | === Known Isues === | ||
- | It is possible that, on some distros, SELinux will deny acces to the database for tomcat. The tomcat will error to the ''/ | ||
- | |||
- | If this happens, set the permissive mode for tomcat: | ||
- | < | ||
- | semanage permissive -a tomcat_t | ||
- | </ | ||
- | |||
- | <note warning> | ||
- | Evaluate impact of SELinux adjustments **before** you implement them. Proper mitigation heavily depends on habits and security policies of your organization. | ||
- | |||
- | There are some possibilities: | ||
- | * Set permissive mode for logrotate as above. | ||
- | * Set permissive mode for whole SELinux. (This will drop the SELinux' | ||
- | * Adjust particular SELinux labels. Example ([[https:// | ||
- | </ |
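Review bot: deleting the whole "Known Isues" SELinux section also deletes the one warning that mattered ("Evaluate impact of SELinux adjustments before you implement them"); CentOS 8 ships with SELinux enforcing, so a reader who hits the denied database connection from tomcat now gets no pointer. Keep a short version: the symptom, advice to prefer a targeted boolean or a generated policy module over `semanage permissive -a tomcat_t`, and the warning. The old text also said "Set permissive mode for logrotate as above" where the command above was for tomcat_t, so the restored text should name the right domain.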