Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
tutorial:adm:czechidm_installation [2020/08/26 15:24] apeterova czech collation is default |
tutorial:adm:czechidm_installation [2022/12/20 10:07] kralikf [5. Create CzechIdM configuration] |
||
---|---|---|---|
Line 3: | Line 3: | ||
{{tag> | {{tag> | ||
- | We expect that the server is prepared as described in [[tutorial: | + | We expect that the server is prepared as described in [[.: |
This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (Java, PostgreSQL, Tomcat, Apache HTTPd). If you are looking for a demo installation please see [[: | This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (Java, PostgreSQL, Tomcat, Apache HTTPd). If you are looking for a demo installation please see [[: | ||
- | <note tip>If you install CzechIdM on with Microsoft SQL Server database backend, please skip PostgreSQL-related sections and [[tutorial: | + | <note tip>If you install CzechIdM on with Microsoft SQL Server database backend, please skip PostgreSQL-related sections and [[.: |
+ | |||
==== 1. Create DB user and database in PostgreSQL ==== | ==== 1. Create DB user and database in PostgreSQL ==== | ||
+ | If czech database collation should be used, install the czech language packs. | ||
+ | <code bash> | ||
+ | dnf install langpacks-cs | ||
+ | </ | ||
+ | |||
+ | |||
Switch the user from root to postgres and use **psql** to add the user and database into PostgreSQL: | Switch the user from root to postgres and use **psql** to add the user and database into PostgreSQL: | ||
Line 52: | Line 60: | ||
==== 3. Configure environment properties. Select application profile ==== | ==== 3. Configure environment properties. Select application profile ==== | ||
- | Edit the configuration file ''/ | + | Edit the configuration file ''/ |
- | < | + | |
Change the following line: | Change the following line: | ||
+ | |||
<code bash> | <code bash> | ||
Environment=' | Environment=' | ||
+ | |||
</ | </ | ||
+ | |||
into: | into: | ||
+ | |||
<code bash> | <code bash> | ||
- | Environment=' | + | Environment=' |
</ | </ | ||
Reload systemd after the changes: | Reload systemd after the changes: | ||
+ | |||
<code bash> | <code bash> | ||
systemctl daemon-reload | systemctl daemon-reload | ||
+ | |||
</ | </ | ||
+ | |||
+ | |||
==== 4. Create CzechIdM configuration folders ==== | ==== 4. Create CzechIdM configuration folders ==== | ||
In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments. | In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments. | ||
Line 84: | Line 99: | ||
==== 5. Create CzechIdM configuration ==== | ==== 5. Create CzechIdM configuration ==== | ||
- | Now we will create configuration files the CzechIdM will use. | + | |
- | < | + | Now we will create configuration files the CzechIdM will use. < |
- | * The **/ | + | |
- | cat / | + | * The **/ |
+ | |||
+ | < | ||
+ | cat / | ||
</ | </ | ||
- | | + | |
+ | | ||
+ | |||
+ | <file properties quartz-production.properties> | ||
org.quartz.scheduler.instanceName=idm-scheduler-instance | org.quartz.scheduler.instanceName=idm-scheduler-instance | ||
org.quartz.scheduler.instanceId=AUTO | org.quartz.scheduler.instanceId=AUTO | ||
Line 101: | Line 123: | ||
org.quartz.jobStore.misfireThreshold=60000 | org.quartz.jobStore.misfireThreshold=60000 | ||
org.quartz.jobStore.tablePrefix=qrtz_ | org.quartz.jobStore.tablePrefix=qrtz_ | ||
+ | |||
+ | |||
</ | </ | ||
- | | + | |
+ | | ||
+ | |||
+ | <file xml logback-spring.xml> | ||
<?xml version=" | <?xml version=" | ||
<!-- https:// | <!-- https:// | ||
<!-- http:// | <!-- http:// | ||
< | < | ||
+ | <!-- !!!BEWARE!!! The specification of the LOG PATTERNS overrides the default configuration and increases the maximum length of the %logger{< | ||
+ | It is neccessary for correct function of the AUDIT logging feature (redmine ticket #2717). If AUDIT logger key is longer then the set limit it gets shortened | ||
+ | and SIEM software is not able to parse logs properly. --> | ||
+ | < | ||
+ | < | ||
+ | |||
<include resource=" | <include resource=" | ||
< | < | ||
Line 115: | Line 148: | ||
<logger name=" | <logger name=" | ||
<logger name=" | <logger name=" | ||
+ | <logger name=" | ||
</ | </ | ||
Line 123: | Line 157: | ||
< | < | ||
- | < | + | < |
- | < | + | |
- | < | + | |
- | < | + | |
- | < | + | |
- | < | + | |
- | </ | + | |
</ | </ | ||
Line 144: | Line 173: | ||
<logger name=" | <logger name=" | ||
<logger name=" | <logger name=" | ||
+ | <logger name=" | ||
</ | </ | ||
</ | </ | ||
+ | |||
</ | </ | ||
- | | + | |
+ | | ||
+ | |||
+ | <file properties application-production.properties> | ||
# Doc: https:// | # Doc: https:// | ||
- | + | ||
idm.pub.app.instanceId=idm-primary | idm.pub.app.instanceId=idm-primary | ||
idm.pub.app.stage=production | idm.pub.app.stage=production | ||
- | + | ||
spring.datasource.url=jdbc: | spring.datasource.url=jdbc: | ||
spring.datasource.username=czechidm | spring.datasource.username=czechidm | ||
Line 164: | Line 198: | ||
spring.jpa.hibernate.ddl-auto=none | spring.jpa.hibernate.ddl-auto=none | ||
flyway.enabled=true | flyway.enabled=true | ||
- | |||
scheduler.properties.location=quartz-production.properties | scheduler.properties.location=quartz-production.properties | ||
Line 176: | Line 209: | ||
# System.getProperty(" | # System.getProperty(" | ||
idm.sec.core.attachment.storagePath=/ | idm.sec.core.attachment.storagePath=/ | ||
- | # configuration property for default backup | + | # configuration property for default backup |
idm.sec.core.backups.default.folder.path=/ | idm.sec.core.backups.default.folder.path=/ | ||
- | |||
idm.pub.security.allowed-origins=http:// | idm.pub.security.allowed-origins=http:// | ||
# Generate JWT token security string as "cat / | # Generate JWT token security string as "cat / | ||
Line 201: | Line 233: | ||
# idm.sec.core.emailer.password=password | # idm.sec.core.emailer.password=password | ||
idm.sec.core.emailer.from=czechidm@localhost | idm.sec.core.emailer.from=czechidm@localhost | ||
- | + | ||
# Default user role will be added automatically, | # Default user role will be added automatically, | ||
# could contains default authorities and authority policies configuration | # could contains default authorities and authority policies configuration | ||
Line 212: | Line 244: | ||
spring.servlet.multipart.max-file-size=100MB | spring.servlet.multipart.max-file-size=100MB | ||
spring.servlet.multipart.max-request-size=100MB | spring.servlet.multipart.max-request-size=100MB | ||
+ | |||
+ | |||
</ | </ | ||
=== Adjust database configuration === | === Adjust database configuration === | ||
- | If you followed this howto, the only thing you should need to adjust is a **spring.datasource.password** propetry. Set it to the password for czechidm user in PostgreSQL. | + | |
- | If necessary, adjust other database connection properties... <code properties> | + | If you followed this howto, the only thing you should need to adjust is a **spring.datasource.password** |
+ | |||
+ | <code properties> | ||
spring.datasource.url=jdbc: | spring.datasource.url=jdbc: | ||
spring.datasource.username=czechidm | spring.datasource.username=czechidm | ||
Line 223: | Line 259: | ||
spring.datasource.validationQuery=SELECT 1 | spring.datasource.validationQuery=SELECT 1 | ||
spring.datasource.test-on-borrow=true | spring.datasource.test-on-borrow=true | ||
+ | |||
+ | |||
</ | </ | ||
=== Generate JWT token === | === Generate JWT token === | ||
- | Set value of the **idm.sec.security.jwt.secret.token** property as is described in the template file:< | + | |
+ | Set value of the **idm.sec.security.jwt.secret.token** | ||
+ | |||
+ | <code properties> | ||
# Generate JWT token security string as "cat / | # Generate JWT token security string as "cat / | ||
# We recommend the VALUE to be at least 25. | # We recommend the VALUE to be at least 25. | ||
idm.sec.security.jwt.secret.token=********** TODO ********* | idm.sec.security.jwt.secret.token=********** TODO ********* | ||
+ | |||
+ | |||
</ | </ | ||
=== Local confidential storage === | === Local confidential storage === | ||
- | Local confidential storage is encrypted by AES algoritm. [[https:// | + | Local confidential storage is encrypted by AES algoritm. [[https:// |
- | Confidential storage is encrypted by a key found in **secret.key** file you already created. | + | |
There are two properties in application-production.properties that influence the confidential storage: | There are two properties in application-production.properties that influence the confidential storage: | ||
- | | + | |
- | * or (better) you can create separate file '' | + | |
+ | * or (better) you can create separate file '' | ||
<note warning> | <note warning> | ||
- | Confidential storage uses AES/ | + | Confidential storage uses AES/ |
- | < | + | |
- | Length of the key determines the cipher which will be used. If you use 128b (16byte) key, CzechIdM will use AES-128. If you use 256b (32byte) key, CzechIdM will use AES-256. | + | |
* OpenJDK/JDK 1.8u161 and all higher versions support AES-256 by default. | * OpenJDK/JDK 1.8u161 and all higher versions support AES-256 by default. | ||
Line 253: | Line 294: | ||
=== Attachment store === | === Attachment store === | ||
- | In CzechIdM, users can sometimes add attachments (say, attach *.jpeg photo to their employee card request). Those files are stored in the attachment store. | + | |
- | With the following property, you can configure, where the store is. If you used sample property file, the store is by-default located under / | + | In CzechIdM, users can sometimes add attachments (say, attach *.jpeg photo to their employee card request). Those files are stored in the attachment store. With the following property, you can configure, where the store is. If you used sample property file, the store is by-default located under / |
<code properties> | <code properties> | ||
Line 261: | Line 302: | ||
# System.getProperty(" | # System.getProperty(" | ||
idm.sec.core.attachment.storagePath=/ | idm.sec.core.attachment.storagePath=/ | ||
+ | |||
+ | |||
</ | </ | ||
=== Environment === | === Environment === | ||
- | If you install CzechIdM in multiple environments (typically test and production), | + | If you install CzechIdM in multiple environments (typically test and production), |
<code properties> | <code properties> | ||
# Application stage (development, | # Application stage (development, | ||
idm.pub.app.stage=production | idm.pub.app.stage=production | ||
- | </ | ||
+ | |||
+ | </ | ||