Differences
This shows you the differences between two versions of the page.
tutorial:adm:czechidm_installation [2019/11/26 09:26] fiserp [3. Configure environment properties. Select application profile] |
tutorial:adm:czechidm_installation [2020/12/21 10:11] kasalr |
Line 1: | Line 1: | ||
- | ====== Installation of CzechIdM - Linux ====== | + | ====== Installation of CzechIdM - Linux - CentOS8 |
{{tag> | {{tag> | ||
- | We presume | + | We expect |
- | This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (java, postgreSQL, Tomcat, Apache | + | This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (Java, PostgreSQL, Tomcat, Apache |
- | <note tip>If you install CzechIdM on Sql server | + | <note tip>If you install CzechIdM on with Microsoft SQL Server database backend, |
==== 1. Create DB user and database in PostgreSQL ==== | ==== 1. Create DB user and database in PostgreSQL ==== | ||
Switch the user from root to postgres and use **psql** to add the user and database into PostgreSQL: | Switch the user from root to postgres and use **psql** to add the user and database into PostgreSQL: | ||
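Review bot: the reworded tip on the right-hand side reads "If you install CzechIdM on with Microsoft SQL Server database backend"; drop the stray "on" so it reads "If you install CzechIdM with Microsoft SQL Server as the database backend". Since the title now narrows the page to "Linux - CentOS8", the intro sentence that still promises a generic "standard software setup (Java, PostgreSQL, Tomcat, Apache" should say that the commands below are CentOS 8 specific.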
Line 15: | Line 15: | ||
psql | psql | ||
CREATE USER czechidm PASSWORD ' | CREATE USER czechidm PASSWORD ' | ||
- | CREATE DATABASE " | + | |
+ | # Choose appropriate collation and create database. | ||
+ | # with czech collation (- typical) | ||
+ | CREATE DATABASE " | ||
+ | # or with english collation | ||
+ | # CREATE DATABASE " | ||
</ | </ | ||
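Review bot: the new comment lines `# Choose appropriate collation and create database.`, `# with czech collation (- typical)` and `# or with english collation` sit inside the psql session opened by `psql` above, and `#` is not a comment marker in SQL, so psql reports a syntax error if the block is pasted as shown; use `--` comments instead, and the commented-out alternative `# CREATE DATABASE "` should likewise become `-- CREATE DATABASE "`.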
Line 35: | Line 40: | ||
and restart PostgreSQL. | and restart PostgreSQL. | ||
</ | </ | ||
- | ==== 2. JDBC driver installation ==== | + | ==== 2. JDBC driver installation |
**CentOS** | **CentOS** | ||
- | Install the package with PostgreSQL JDBC driver: | + | Download |
+ | In this example we download version 42.2.11. | ||
<code bash> | <code bash> | ||
- | yum install -y postgresql-jdbc | + | wget https:// |
</ | </ | ||
- | allow Tomcat to use the driver: | ||
- | |||
- | <code bash> | ||
- | ln -s / | ||
- | </ | ||
- | |||
- | **Debian** | ||
- | |||
- | Install the package with PostgreSQL JDBC driver: | ||
- | |||
- | <code bash> | ||
- | apt-get install libpostgresql-jdbc-java | ||
- | </ | ||
- | |||
- | allow Tomcat to use the driver: | ||
- | |||
- | <code bash> | ||
- | ln -s / | ||
- | </ | ||
==== 3. Configure environment properties. Select application profile ==== | ==== 3. Configure environment properties. Select application profile ==== | ||
- | Edit tomcat | + | Edit the configuration file ''/ |
< | < | ||
- | <note important> | ||
- | < | ||
- | Initialization of bean failed; nested exception is java.lang.IllegalArgumentException: | ||
- | </ | ||
- | Use '' | + | Change the following line: |
<code bash> | <code bash> | ||
Environment=' | Environment=' | ||
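Review bot: in the JDBC part of this hunk, `yum install -y postgresql-jdbc` and the `ln -s /` step that exposed the driver to Tomcat are replaced by a bare `wget https://` of a pinned 42.2.11 jar, but no step now shows where the downloaded jar is placed so that Tomcat loads it, and nothing verifies the download; add the placement step (the removed `ln -s` line served that purpose) with ownership matching section 6, and a checksum or signature check, because the repository signing that came with the distro package is lost with this change. The Debian instructions are dropped silently here and in sections 6, 7 and 9; that matches the new CentOS8 title but deserves one sentence in the intro.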
Line 79: | Line 62: | ||
into: | into: | ||
<code bash> | <code bash> | ||
- | Environment=' | + | Environment=' |
</ | </ | ||
- | On CentOS reload | + | Reload systemd after the changes: |
<code bash> | <code bash> | ||
systemctl daemon-reload | systemctl daemon-reload | ||
Line 92: | Line 75: | ||
* The **backup** directory stored Groovy scripts backups. | * The **backup** directory stored Groovy scripts backups. | ||
* The **data** directory stores various user-attached files. | * The **data** directory stores various user-attached files. | ||
- | * The **app** directory stores war files. | ||
* | * | ||
Create the directory structure: | Create the directory structure: | ||
< | < | ||
- | mkdir -p / | + | mkdir -p / |
</ | </ | ||
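Review bot: the unchanged bullet `* The **backup** directory stored Groovy scripts backups.` mixes tenses with the next bullet ("stores"); change it to "stores Groovy script backups". With the `**app** directory stores war files` bullet removed, the truncated `mkdir -p /` line on the right should be checked against the WAR copy path used in section 9 so the directory list and the commands still agree.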
Line 104: | Line 86: | ||
Now we will create configuration files the CzechIdM will use. | Now we will create configuration files the CzechIdM will use. | ||
< | < | ||
- | * The **/ | + | * The **/ |
- | cat / | + | cat / |
</ | </ | ||
* The **/ | * The **/ | ||
Line 135: | Line 117: | ||
</ | </ | ||
- | < | + | < |
- | <logger name=" | + | |
- | <logger name=" | + | |
- | <logger name=" | + | |
- | <logger name=" | + | |
- | <logger name=" | + | |
- | </ | + | |
- | + | ||
- | < | + | |
< | < | ||
< | < | ||
Line 163: | Line 137: | ||
</ | </ | ||
- | <logger name=" | + | <logger name=" |
< | < | ||
</ | </ | ||
<logger name=" | <logger name=" | ||
- | <logger name=" | + | <logger name=" |
- | <logger name=" | + | <logger name=" |
- | <logger name=" | + | <logger name=" |
</ | </ | ||
- | < | ||
- | <logger name=" | ||
- | <logger name=" | ||
- | <logger name=" | ||
- | <logger name=" | ||
- | <logger name=" | ||
- | </ | ||
</ | </ | ||
</ | </ | ||
Line 197: | Line 165: | ||
flyway.enabled=true | flyway.enabled=true | ||
- | scheduler.enabled=true | + | |
- | scheduler.task.queue.process=1000 | + | |
- | scheduler.event.queue.process=1000 | + | |
scheduler.properties.location=quartz-production.properties | scheduler.properties.location=quartz-production.properties | ||
+ | |||
logging.config=/ | logging.config=/ | ||
+ | |||
idm.sec.core.demo.data.enabled=false | idm.sec.core.demo.data.enabled=false | ||
- | + | ||
- | #spring.cache.ehcache.config=classpath: | + | # attachments will be stored under this path. |
- | + | # new directories for attachment will be created in this folder (permissions has to be added) | |
- | spring.activiti.processDefinitionLocationPrefix=classpath*:/ | + | # System.getProperty(" |
- | idm.sec.core.notification.template.folder=classpath*:/eu/ | + | idm.sec.core.attachment.storagePath=/opt/czechidm/data |
- | idm.sec.core.script.folder=classpath*:/ | + | |
# configuration property for default backup | # configuration property for default backup | ||
idm.sec.core.backups.default.folder.path=/ | idm.sec.core.backups.default.folder.path=/ | ||
- | + | ||
idm.pub.security.allowed-origins=http:// | idm.pub.security.allowed-origins=http:// | ||
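Review bot: the comment moved in above `idm.sec.core.attachment.storagePath=/opt/czechidm/data` says "(permissions has to be added)"; reword it to "(the Tomcat user needs write permission on this directory; see the chown/chmod in section 6)" so the agreement is fixed and the reader knows where the permission is granted. Removing `scheduler.enabled=true` and the two `scheduler.*.queue.process=1000` lines leaves `scheduler.properties.location=quartz-production.properties` without an explicit enable flag; a comment stating that the scheduler is enabled by default would stop readers from adding the line back.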
Line 219: | Line 186: | ||
idm.sec.security.jwt.expirationTimeout=36000000 | idm.sec.security.jwt.expirationTimeout=36000000 | ||
- | # recaptcha | ||
- | # - recaptchaservice endpoint | ||
- | # | ||
- | # - secret key, can be generated here https:// | ||
- | idm.sec.security.recaptcha.secretKey=xxx | ||
- | # Proxy for HTTP requests | ||
- | # | ||
- | |||
# Cipher secret key for crypt values in confidential storage | # Cipher secret key for crypt values in confidential storage | ||
# for crypt values is used secretKey or secretKey defined by file - secretKeyPath | # for crypt values is used secretKey or secretKey defined by file - secretKeyPath | ||
# | # | ||
cipher.crypt.secret.keyPath=/ | cipher.crypt.secret.keyPath=/ | ||
- | + | ||
- | + | # Defaults for: emailer.* | |
+ | # test.enabled=true means mail WILL NOT be sent | ||
idm.sec.core.emailer.test.enabled=true | idm.sec.core.emailer.test.enabled=true | ||
# http:// | # http:// | ||
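Review bot: `cipher.crypt.secret.keyPath=/` is now the only key source shown, but the comment above it ("for crypt values is used secretKey or secretKey defined by file - secretKeyPath") names the property inconsistently with the actual `cipher.crypt.secret.keyPath`; align the comment with the property name and add that the key file must be readable only by the Tomcat user (section 6 applies `chmod 640`), since anyone who can read it can decrypt the confidential storage. Dropping the `idm.sec.security.recaptcha.secretKey=xxx` placeholder and the proxy lines is fine, and the added "test.enabled=true means mail WILL NOT be sent" comment is a useful clarification.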
Line 241: | Line 201: | ||
# idm.sec.core.emailer.password=password | # idm.sec.core.emailer.password=password | ||
idm.sec.core.emailer.from=czechidm@localhost | idm.sec.core.emailer.from=czechidm@localhost | ||
- | |||
- | ## Global property that allow disable or enable sending notification from WF | ||
- | idm.sec.core.wf.notification.send=false | ||
- | |||
- | |||
- | # supports delete identity | ||
- | idm.pub.core.identity.delete=true | ||
- | # | ||
- | # default password change type for custom users, one of values: | ||
- | # DISABLED - password change is disable | ||
- | # ALL_ONLY - users can change passwords only for all accounts | ||
- | # CUSTOM - users can choose for which accounts change password | ||
- | idm.pub.core.identity.passwordChange=ALL_ONLY | ||
- | # | ||
- | # required old password for change password | ||
- | idm.pub.core.identity.passwordChange.requireOldPassword=true | ||
- | # | ||
- | # create default identity' | ||
- | idm.pub.core.identity.create.defaultContract.enabled=true | ||
- | |||
# Default user role will be added automatically, | # Default user role will be added automatically, | ||
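Review bot: this hunk drops `idm.pub.core.identity.passwordChange.requireOldPassword=true`, `idm.pub.core.identity.passwordChange=ALL_ONLY` and `idm.pub.core.identity.delete=true` from the example without saying whether the application defaults match; the first two are security-relevant (requiring the old password on change and restricting which accounts a user may change passwords for), so either state that the defaults are equivalent or keep those two lines with their explanatory comments.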
Line 268: | Line 208: | ||
# Admin user role | # Admin user role | ||
idm.sec.core.role.admin=superAdminRole | idm.sec.core.role.admin=superAdminRole | ||
- | |||
- | |||
- | # ID system against which to authenticate | ||
- | idm.sec.security.auth.systemId= | ||
- | # attachments will be stored under this path. | + | # Max file size of uploaded file. Values can use the suffixed " |
- | # new directories for attachment will be created in this folder (permissions has to be added) | + | spring.servlet.multipart.max-file-size=100MB |
- | # System.getProperty(" | + | spring.servlet.multipart.max-request-size=100MB |
- | idm.sec.core.attachment.storagePath=/ | + | |
</ | </ | ||
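Review bot: `spring.servlet.multipart.max-file-size=100MB` and `spring.servlet.multipart.max-request-size=100MB` are added with only a comment on the value syntax; add a sentence on what the limit protects (uploads land under the attachment `storagePath` on local disk, so this bounds per-request disk use by an authenticated user) so operators size it deliberately rather than copying 100MB. Removing the empty `idm.sec.security.auth.systemId=` placeholder is fine.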
Line 303: | Line 238: | ||
There are two properties in application-production.properties that influence the confidential storage: | There are two properties in application-production.properties that influence the confidential storage: | ||
- | * You can set the 128bit (16byte) | + | * You can set the key directly in the property file using **cipher.crypt.secret.key** property |
- | * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property. | + | * or (better) |
<note warning> | <note warning> | ||
- | Confidential storage uses AES/ | + | Confidential storage uses AES/ |
+ | < | ||
+ | Length of the key determines the cipher which will be used. If you use 128b (16byte) key, CzechIdM will use AES-128. If you use 256b (32byte) key, CzechIdM will use AES-256. | ||
+ | |||
+ | * OpenJDK/JDK 1.8u161 and all higher versions support AES-256 by default. | ||
+ | * Older versions (below 1.8u161) do not offer it. On those Java distributions, | ||
+ | |||
+ | </ | ||
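Review bot: the new note writes key sizes as "128b (16byte)" and "256b (32byte)" while the bullet it replaces used "128bit (16byte)"; use "128-bit (16-byte)" and "256-bit (32-byte)" consistently. The bullet "Older versions (below 1.8u161) do not offer it" should say what the operator has to do on those versions rather than implying the cipher is absent; the sentence beginning "On those Java distributions," is the place to spell that out. The note would also be clearer if it stated which key length the tutorial recommends, because the cipher is chosen silently by the length of the file created in the "or (better)" step.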
=== Attachment store === | === Attachment store === | ||
Line 332: | Line 274: | ||
==== 6. Set correct permissions on CzechIdM files ==== | ==== 6. Set correct permissions on CzechIdM files ==== | ||
- | **CentOS** | ||
< | < | ||
chown tomcat: | chown tomcat: | ||
- | chown -R tomcat: | + | chown -R tomcat: |
- | chmod 750 / | + | chmod 750 / |
- | chmod 640 / | + | |
- | </ | + | |
- | **Debian** | + | |
- | < | + | |
- | chown tomcat8: | + | |
- | chown -R tomcat8: | + | |
- | chmod 750 / | + | |
chmod 640 / | chmod 640 / | ||
</ | </ | ||
+ | |||
==== 7. Adjust Tomcat' | ==== 7. Adjust Tomcat' | ||
- | Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the **/ | + | Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the '' |
- | Add this line with this comand '' | + | Create |
- | < | + | |
- | Environment=' | + | < |
- | </ | + | |
- | On **Debian** create | + | |
- | < | + | |
CLASSPATH=/ | CLASSPATH=/ | ||
</ | </ | ||
+ | |||
And change owner of the file to tomcat: | And change owner of the file to tomcat: | ||
< | < | ||
- | chown root:tomcat /usr/share/tomcat8/ | + | chown root:tomcat /opt/tomcat/current/ |
</ | </ | ||
+ | |||
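Review bot: `chown root:tomcat /opt/tomcat/current/` sets ownership of the new `CLASSPATH=/` file but no mode is shown; state the intended mode (readable by group `tomcat`, not writable by it), because a group-writable classpath file would let the Tomcat service account change what the JVM loads. The sentence "Because CzechIdM uses SpringBoot project" should read "Because CzechIdM is a Spring Boot project".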
==== 8. Create dedicated Java truststore ==== | ==== 8. Create dedicated Java truststore ==== | ||
Java truststore is a file which contains SSL certificates which we consider trusted. Usually this means some certificates of end systems or their respective certificate authorities. | Java truststore is a file which contains SSL certificates which we consider trusted. Usually this means some certificates of end systems or their respective certificate authorities. | ||
Line 383: | Line 317: | ||
</ | </ | ||
- | Edit the Tomcat service file (systemctl edit tomcat.service) and add path to the truststore '' | + | Edit the Tomcat service file ''/ |
< | < | ||
systemctl daemon-reload | systemctl daemon-reload | ||
Line 389: | Line 323: | ||
</ | </ | ||
==== 9. Deploy the CzechIdM ==== | ==== 9. Deploy the CzechIdM ==== | ||
- | Download the latest CzechIdM version. Currently it is idm-app-9.4.0.war. | + | Download the latest CzechIdM version. Currently it is idm-app-10.4.1.war. |
- | + | ||
- | **CentOS** | + | |
Ensure Tomcat is stopped: | Ensure Tomcat is stopped: | ||
Line 397: | Line 329: | ||
systemctl stop tomcat.service | systemctl stop tomcat.service | ||
</ | </ | ||
- | Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**: | + | Copy the identity manager WAR into webapps folder in Tomcat and name it '' |
< | < | ||
- | cp idm-app-9.4.0.war /opt/czechidm/ | + | cp idm-app-10.4.1.war / |
- | chown tomcat:tomcat /opt/czechidm/app/idm.war | + | |
</ | </ | ||
- | Start the Tomcat container:< | + | Check that the idm.war file is owned by Tomcat: |
- | systemctl start tomcat.service | + | |
- | </ | + | |
- | If everything | + | |
- | + | ||
- | **Debian** | + | |
- | + | ||
- | Ensure | + | |
< | < | ||
- | systemctl stop tomcat8.service | + | ls -l / |
</ | </ | ||
- | Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**: | + | If not, change its owner: |
< | < | ||
- | cp idm-app-9.4.0.war / | + | chown tomcat:tomcat |
- | chown tomcat8:tomcat8 | + | |
</ | </ | ||
Start the Tomcat container:< | Start the Tomcat container:< | ||
- | systemctl start tomcat8.service | + | systemctl start tomcat.service |
</ | </ | ||
- | If everything is set up right, the CzechIdM will deploy. Default log is **/var/log/tomcat8/ | + | If everything is set up right, the CzechIdM will deploy. Default log is '' |
==== 10. Final Steps ==== | ==== 10. Final Steps ==== | ||
+ | |||
=== Allow network services === | === Allow network services === | ||
Firewall may restrict the access to all port except ssh (22/tcp). To be able to use CzechIdM, allow port 443/tcp and reload firewalld: | Firewall may restrict the access to all port except ssh (22/tcp). To be able to use CzechIdM, allow port 443/tcp and reload firewalld: | ||
<code bash> | <code bash> | ||
+ | firewall-cmd --permanent --add-port=80/ | ||
firewall-cmd --permanent --add-port=443/ | firewall-cmd --permanent --add-port=443/ | ||
firewall-cmd --reload | firewall-cmd --reload | ||
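Review bot: the added line `firewall-cmd --permanent --add-port=80/` contradicts the sentence just above it, which says to "allow port 443/tcp" only; either update the sentence to explain why 80/tcp is opened (typically only for an HTTP-to-HTTPS redirect on the Apache front end) or drop the line if plain HTTP is not meant to be reachable. In the deploy part, the new "Check that the idm.war file is owned by Tomcat" with `ls -l /` followed by "If not, change its owner" reads better than the unconditional chown it replaces.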
Line 439: | Line 365: | ||
Follow some final configuration steps: [[tutorial: | Follow some final configuration steps: [[tutorial: | ||
- | === On CentOS set permisive mod on Tomcat === | ||
- | SELinux will deny acces to the database for tomcat and won't allow create files by him. The tomcat will write error to the ''/ | ||
- | |||
- | To fix this we need set the permissive mode for tomcat: | ||
- | < | ||
- | semanage permissive -a tomcat_t | ||
- | </ | ||
- | |||
- | <note warning> | ||
- | Evaluate impact of SELinux adjustments **before** you implement them. Proper mitigation heavily depends on habits and security policies of your organization. | ||
- | |||
- | There are some possibilities: | ||
- | * Set permissive mode for logrotate as above. | ||
- | * Set permissive mode for whole SELinux. (This will drop the SELinux' | ||
- | * Adjust particular SELinux labels. Example ([[https:// | ||
- | </ |
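Review bot: the whole "On CentOS set permisive mod on Tomcat" section, including `semanage permissive -a tomcat_t` and the warning about evaluating SELinux adjustments before applying them, is deleted with no replacement, yet the page is now titled for CentOS8 where SELinux is enforcing by default; if the new `/opt/tomcat` and `/opt/czechidm` layout has been verified not to produce the database and file-creation denials the removed text describes, say so in the final steps, otherwise keep the section and prefer its "Adjust particular SELinux labels" option over a permissive domain.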