Differences

This shows you the differences between two versions of the page.
tutorial:adm:czechidm_installation [2019/06/10 13:17]
urbanl [10. Final Steps]
tutorial:adm:czechidm_installation [2020/01/13 14:12]
urbanl Adjustment of the guide for manual installation of Tomcat 8
Line 35: Line 35:
 and restart PostgreSQL. and restart PostgreSQL.
 </note> </note>
-==== 2. JDBC driver installation ====+==== 2. JDBC driver installation ​- CentOS7 ​==== 
 **CentOS** **CentOS**
  
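Review bot: the bold **CentOS** label kept on the line right after the renamed heading now duplicates the heading "2. JDBC driver installation - CentOS7"; drop the label (or the suffix in the heading) so this section and the new numbered Debian section below are structured the same way.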
Line 47: Line 47:
  
 <code bash> <code bash>
-ln -s /usr/share/java/postgresql-jdbc.jar /usr/share/java/tomcat/+ln -s /usr/share/java/postgresql-jdbc.jar /opt/tomcat/current/lib/
 </code>  </code> 
  
-**Debian**+==== 3. JDBC driver installation - Debian ​==== 
  
 Install the package with PostgreSQL JDBC driver: Install the package with PostgreSQL JDBC driver:
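Review bot: the new symlink target `/opt/tomcat/current/lib/` assumes the manually installed Tomcat from the earlier steps, whereas the removed target `/usr/share/java/tomcat/` was the packaged Tomcat's lib directory; the section should state which layout it expects, otherwise a reader on the packaged Tomcat creates a link into a directory that does not exist and the driver is never found. Since the target is a directory, `ln -s` creates `/opt/tomcat/current/lib/postgresql-jdbc.jar`, but re-running the step (for example after a driver package upgrade) fails with "File exists"; `ln -sf` would make it idempotent.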
Line 63: Line 63:
 ln -s /usr/share/java/postgresql.jar /var/lib/tomcat8/lib/postgresql-jdbc4.jar ln -s /usr/share/java/postgresql.jar /var/lib/tomcat8/lib/postgresql-jdbc4.jar
 </code>  </code> 
-==== 3. Configure environment properties. Select application profile ====+==== 4. Configure environment properties. Select application profile ====
  
-Edit tomcat unit - edit the line with environment variable choosing the appropriate application profile. We use **production** profile in our example, which enables you to configure production-ready instace of the identity manager.+Edit the configuration file ''/etc/systemd/system/tomcat.service'' - edit the line with environment variable choosing the appropriate application profile. We use **production** profile in our example, which enables you to configure production-ready instace of the identity manager.
 <note>The **dev** profile is for development and testing environments and as such it has debug logging enabled. For production deployment, use a profile named **production** as is shown in the example. The profile naming convention is mandatory because other CzechIdM configuration depends on it.</note> <note>The **dev** profile is for development and testing environments and as such it has debug logging enabled. For production deployment, use a profile named **production** as is shown in the example. The profile naming convention is mandatory because other CzechIdM configuration depends on it.</note>
  
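Review bot: the unchanged Debian line in this hunk still links the driver into `/var/lib/tomcat8/lib/` (the packaged tomcat8 layout), while the CentOS line and every later path in this revision (`/opt/tomcat/current/...`) assume a manual Tomcat install; either point the Debian step at `/opt/tomcat/current/lib/` as well, or say plainly that the `/opt/tomcat` steps are CentOS-only. The rewritten sentence also tells the reader to edit `/etc/systemd/system/tomcat.service` directly, which is fine for the hand-written unit of a manual install but should be named as such, because a packaged Tomcat's unit lives under `/usr/lib/systemd/system` and edits there are overwritten on upgrade.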
Line 73: Line 73:
 </note> </note>
  
-Use ''systemctl edit tomcat.service'' and change the following line  ( On Debian make changes file ''/etc/default/tomcat8''):+Change ​the following line:
 <code bash> <code bash>
 Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8' Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8'
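Review bot: the rewritten sentence drops the Debian variant ("On Debian make changes file /etc/default/tomcat8"), so a Debian reader who followed section 3 no longer learns where `JAVA_OPTS` lives for the packaged tomcat8; either keep that parenthesis or state that Debian is now expected to use the same manual `/opt/tomcat` unit. Independently of this change, `-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true` in the shown `JAVA_OPTS` makes Tomcat accept `%2F` in request paths, which it rejects by default; one sentence on why CzechIdM needs it would help operators who later review these options for hardening.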
Line 79: Line 79:
 into: into:
 <code bash> <code bash>
-Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dspring.profiles.active=production -Djava.util.Arrays.useLegacyMergeSort=true -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8' +Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Dspring.profiles.active=production -Djava.util.Arrays.useLegacyMergeSort=true
 </code> </code>
  
-On CentOS reload systemd after the changes:+Reload ​systemd after the changes:
 <code bash> <code bash>
 systemctl daemon-reload systemctl daemon-reload
 </code> </code>
-==== 4. Create CzechIdM configuration folders ====+==== 5. Create CzechIdM configuration folders ====
 In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments. In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments.
   * The **etc** directory stores configuration files.   * The **etc** directory stores configuration files.
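Review bot: the new `Environment='JAVA_OPTS=...'` line is missing its closing single quote after `-Djava.util.Arrays.useLegacyMergeSort=true` (the removed line ended with `'`); systemd's unit parser does not accept an unbalanced quote, so the whole `Environment=` assignment is dropped with a warning in the journal and Tomcat starts without the `production` profile. Restore the trailing `'`. The two appended options are otherwise fine, and the `systemctl daemon-reload` shown further down is indeed required for the edited unit to be picked up.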
Line 96: Line 96:
 Create the directory structure: Create the directory structure:
 <code> <code>
-mkdir -p /opt/czechidm/{etc,lib,backup,data,app}+mkdir -p /opt/czechidm/{etc,lib,backup,data}
 </code> </code>
  
  
  
-==== 5. Create CzechIdM configuration ====+==== 6. Create CzechIdM configuration ====
 Now we will create configuration files the CzechIdM will use. Now we will create configuration files the CzechIdM will use.
 <note>Code snippets in this chapter can be **mostly** copy-pasted or (but please read through whole chapter to be aware of setting you have to adjust). Configuring the CzechIdM is about altering four or five lines altogether.</note> <note>Code snippets in this chapter can be **mostly** copy-pasted or (but please read through whole chapter to be aware of setting you have to adjust). Configuring the CzechIdM is about altering four or five lines altogether.</note>
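Review bot: dropping `app` from `mkdir -p /opt/czechidm/{...}` is consistent with the WAR now being copied into `/opt/tomcat/current/webapps` later in this revision, but anyone upgrading from the previous version of the guide still has `/opt/czechidm/app/idm.war` from the old step 9; a one-line remark to remove or ignore the old `app` directory would avoid a stale copy of the application lying around. The unchanged note text in this hunk also reads "can be mostly copy-pasted or (but please read ...)", which looks like a leftover from an earlier edit.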
Line 331: Line 331:
  
  
-==== 6. Set correct permissions on CzechIdM files ====+==== 7. Set correct permissions on CzechIdM files ====
 **CentOS** **CentOS**
 <code> <code>
 chown tomcat:tomcat /opt/czechidm chown tomcat:tomcat /opt/czechidm
-chown -R tomcat:tomcat /opt/czechidm/{etc,data,backup,app,lib} +chown -R tomcat:tomcat /opt/czechidm/{etc,data,backup,lib} 
-chmod 750 /opt/czechidm/{etc,data,backup,app,lib}+chmod 750 /opt/czechidm/{etc,data,backup,lib}
 chmod 640 /opt/czechidm/etc/* chmod 640 /opt/czechidm/etc/*
 </code> </code>
-**Debian** + 
-<code> +==== 8. Adjust Tomcat's classpath ====
-chown tomcat8:tomcat8 /opt/czechidm +
-chown -R tomcat8:tomcat8 /opt/czechidm/{etc,data,backup,app,lib} +
-chmod 750 /opt/czechidm/{etc,data,backup,app,lib} +
-chmod 640 /opt/czechidm/etc/+
-</code> +
-==== 7. Adjust Tomcat's classpath ====+
 Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the **/opt/czechidm/etc** directory (and others) on the classpath. Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the **/opt/czechidm/etc** directory (and others) on the classpath.
  
-Add this line with this comand ''systemctl edit tomcat.service''+Create new file **/opt/tomcat/current/bin/setenv.sh** with following ​content: 
-<code> +<code ​bash>
-Environment='CLASSPATH=/opt/czechidm/etc:/opt/czechidm/lib/*+
-</code> +
-On **Debian** create new file ''/usr/share/tomcat8/bin/setenv.sh'' with this content: +
-<code>+
 CLASSPATH=/opt/czechidm/etc:/opt/czechidm/lib/* CLASSPATH=/opt/czechidm/etc:/opt/czechidm/lib/*
 </code> </code>
 +
 And change owner of the file to tomcat: And change owner of the file to tomcat:
 <code> <code>
-chown root:tomcat /usr/share/tomcat8/bin/setenv.sh+chown root:tomcat /opt/tomcat/current/bin/setenv.sh
 </code> </code>
-==== 8. Create dedicated Java truststore ====+ 
 +==== 9. Create dedicated Java truststore ====
 Java truststore is a file which contains SSL certificates which we consider trusted. Usually this means some certificates of end systems or their respective certificate authorities. Java truststore is a file which contains SSL certificates which we consider trusted. Usually this means some certificates of end systems or their respective certificate authorities.
 When we need CzechIdM to communicate with some new system with SSL-encrypted way, we need to import particular certificate here and restart the Tomcat container. When we need CzechIdM to communicate with some new system with SSL-encrypted way, we need to import particular certificate here and restart the Tomcat container.
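Review bot: `chown root:tomcat /opt/tomcat/current/bin/setenv.sh` sets the owner but the hunk never sets the mode; since `catalina.sh` sources `setenv.sh` on every start, state `chmod 640` (or 644) explicitly so the file cannot end up group- or world-writable and let the service account rewrite its own startup environment. Two smaller points in the same hunk: the bold **CentOS** label under heading 7 is now orphaned because the Debian permissions block was removed, and the shown `setenv.sh` contains only `CLASSPATH=...`; a sentence that `catalina.sh` resets `CLASSPATH` and then sources this file would tell readers that no `export` or shebang is needed and that the value is prepended to Tomcat's own bootstrap classpath.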
Line 388: Line 380:
 systemctl restart tomcat.service systemctl restart tomcat.service
 </code> </code>
-==== 9. Deploy the CzechIdM ====+==== 10. Deploy the CzechIdM ====
 Download the latest CzechIdM version. Currently it is idm-app-9.4.0.war. Download the latest CzechIdM version. Currently it is idm-app-9.4.0.war.
- 
-**CentOS** 
  
 Ensure Tomcat is stopped: Ensure Tomcat is stopped:
Line 399: Line 389:
 Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**: Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**:
 <code> <code>
-cp idm-app-9.4.0.war /opt/czechidm/app/idm.war +cp idm-app-9.4.0.war /opt/tomcat/current/​webapps/idm.war 
-chown tomcat:tomcat /opt/czechidm/app/idm.war+chown tomcat:tomcat /opt/tomcat/current/​webapps/idm.war
 </code> </code>
 Start the Tomcat container:<code> Start the Tomcat container:<code>
 systemctl start tomcat.service systemctl start tomcat.service
 </code> </code>
-If everything is set up right, the CzechIdM will deploy. Default log is **/var/log/tomcat/catalina.out**.+If everything is set up right, the CzechIdM will deploy. Default log is **/opt/tomcat/​current/logs/catalina.out**. 
  
-**Debian** 
  
-Ensure Tomcat is stopped: +==== 11Final Steps ==== 
-<code> +
-systemctl stop tomcat8.service +
-</code> +
-Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**: +
-<code> +
-cp idm-app-9.4.0.war /opt/czechidm/app/idm.war +
-chown tomcat8:tomcat8 /opt/czechidm/app/idm.war +
-</code> +
-Start the Tomcat container:<code> +
-systemctl start tomcat8.service +
-</code> +
-If everything is set up right, the CzechIdM will deploy. Default log is **/var/log/tomcat8/catalina.out**.+
  
-==== 10. Final Steps ====  
 === Allow network services === === Allow network services ===
 Firewall may restrict the access to all port except ssh (22/tcp). To be able to use CzechIdM, allow port 443/tcp and reload firewalld: Firewall may restrict the access to all port except ssh (22/tcp). To be able to use CzechIdM, allow port 443/tcp and reload firewalld:
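Review bot: the renumbered heading at the end of the hunk reads `==== 11Final Steps ====`; the period and space after the number were lost (compare `10. Final Steps` on the removed line). On the deploy commands, `chown tomcat:tomcat /opt/tomcat/current/webapps/idm.war` makes the application archive writable by the account that runs it; `root:tomcat` with mode 640 is enough for Tomcat to read and unpack the WAR, which is the same least-privilege split this revision already applies to `setenv.sh`. What has to be writable by `tomcat` is the `webapps/` directory it unpacks into, not the WAR itself.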
Line 439: Line 415:
 Follow some final configuration steps: [[tutorial:adm:czechidm_installation_finalize|]]. Follow some final configuration steps: [[tutorial:adm:czechidm_installation_finalize|]].
  
-=== On CentOS set permisive mod on Tomcat === 
-SELinux will deny acces to the database for tomcat and won't allow create files by him. The tomcat will write error to the ''/var/log/tomcat/catalina.out''or ''/var/log/messages'' line similar to ''org.postgresql.util.PSQLException: Connection to localhost:5432 refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.''. 
- 
-To fix this we need set the permissive mode for tomcat: 
-<code> 
-semanage permissive -a tomcat_t 
-</code> 
- 
-<note warning> 
-Evaluate impact of SELinux adjustments **before** you implement them. Proper mitigation heavily depends on habits and security policies of your organization. 
- 
-There are some possibilities: 
-  * Set permissive mode for logrotate as above. 
-  * Set permissive mode for whole SELinux. (This will drop the SELinux's protective function.) 
-  * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]). 
-</note> 
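Review bot: the whole "On CentOS set permissive mode on Tomcat" section is removed without a replacement, so CentOS 7 readers get no SELinux guidance at all. If the reason is that the manual `/opt/tomcat` install no longer runs in the `tomcat_t` domain (in which case `semanage permissive -a tomcat_t` would indeed have no effect), the revision should say so explicitly; otherwise the removed warning block, which rightly steers away from global permissive mode and toward adjusting labels, deserved to stay. The removed text also said "Set permissive mode for logrotate as above" where `tomcat` was meant, so restoring the section is a chance to fix that as well.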
  • by kralikf