Differences
tutorial:adm:czechidm_installation [2019/06/10 13:17] urbanl [10. Final Steps] |
tutorial:adm:czechidm_installation [2020/03/12 09:30] urbanl [2. JDBC driver installation - CentOS7 ] |
Line 35: | Line 35: | ||
and restart PostgreSQL. | and restart PostgreSQL. | ||
</ | </ | ||
- | ==== 2. JDBC driver installation ==== | + | ==== 2. JDBC driver installation |
**CentOS** | **CentOS** | ||
- | Install the package with PostgreSQL JDBC driver: | + | Download |
+ | In this example we download version 42.2.11. | ||
<code bash> | <code bash> | ||
- | yum install -y postgresql-jdbc | + | wget https:// |
</ | </ | ||
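Review bot: replacing `yum install -y postgresql-jdbc` with a `wget` of one specific driver JAR (lines 13-16) trades the distro package's signature verification and its update path for a manual download; the page should tell the reader to verify the downloaded JAR against the checksum or signature published with the release before placing it on Tomcat's classpath, and should note that the driver now has to be updated by hand rather than by `yum update`.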
Line 47: | Line 48: | ||
<code bash> | <code bash> | ||
- | ln -s / | + | ln -s / |
</ | </ | ||
- | **Debian** | + | ==== 3. JDBC driver installation - Debian |
Install the package with PostgreSQL JDBC driver: | Install the package with PostgreSQL JDBC driver: | ||
Line 63: | Line 64: | ||
ln -s / | ln -s / | ||
</ | </ | ||
- | ==== 3. Configure environment properties. Select application profile ==== | + | ==== 4. Configure environment properties. Select application profile ==== |
- | Edit tomcat | + | Edit the configuration file ''/ |
< | < | ||
Line 73: | Line 74: | ||
</ | </ | ||
- | Use '' | + | Change the following line: |
<code bash> | <code bash> | ||
Environment=' | Environment=' | ||
Line 79: | Line 80: | ||
into: | into: | ||
<code bash> | <code bash> | ||
- | Environment=' | + | Environment=' |
</ | </ | ||
- | On CentOS reload | + | Reload systemd after the changes: |
<code bash> | <code bash> | ||
systemctl daemon-reload | systemctl daemon-reload | ||
</ | </ | ||
- | ==== 4. Create CzechIdM configuration folders ==== | + | ==== 5. Create CzechIdM configuration folders ==== |
In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments. | In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments. | ||
* The **etc** directory stores configuration files. | * The **etc** directory stores configuration files. | ||
Line 92: | Line 93: | ||
* The **backup** directory stored Groovy scripts backups. | * The **backup** directory stored Groovy scripts backups. | ||
* The **data** directory stores various user-attached files. | * The **data** directory stores various user-attached files. | ||
- | * The **app** directory stores war files. | ||
* | * | ||
Create the directory structure: | Create the directory structure: | ||
< | < | ||
- | mkdir -p / | + | mkdir -p / |
</ | </ | ||
- | ==== 5. Create CzechIdM configuration ==== | + | ==== 6. Create CzechIdM configuration ==== |
Now we will create configuration files the CzechIdM will use. | Now we will create configuration files the CzechIdM will use. | ||
< | < | ||
Line 277: | Line 277: | ||
# System.getProperty(" | # System.getProperty(" | ||
idm.sec.core.attachment.storagePath=/ | idm.sec.core.attachment.storagePath=/ | ||
+ | |||
+ | # Max file size of uploaded file. Values can use the suffixed " | ||
+ | spring.servlet.multipart.max-file-size=100MB | ||
+ | spring.servlet.multipart.max-request-size=100MB | ||
</ | </ | ||
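Review bot: the new `spring.servlet.multipart.max-file-size=100MB` and `spring.servlet.multipart.max-request-size=100MB` lines (64-65) raise the upload limit well above Spring Boot's defaults (1MB per file, 10MB per request) without saying why; add one sentence on what the limit is for and note that, because uploads land under `idm.sec.core.attachment.storagePath` (line 61), the volume behind that path must have room for 100MB per request, otherwise any user with upload rights can fill the disk. Keeping `max-request-size` at least as large as `max-file-size`, as done here, is correct.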
Line 331: | Line 335: | ||
- | ==== 6. Set correct permissions on CzechIdM files ==== | + | ==== 7. Set correct permissions on CzechIdM files ==== |
**CentOS** | **CentOS** | ||
< | < | ||
chown tomcat: | chown tomcat: | ||
- | chown -R tomcat: | + | chown -R tomcat: |
- | chmod 750 / | + | chmod 750 / |
chmod 640 / | chmod 640 / | ||
</ | </ | ||
- | **Debian** | + | |
- | < | + | ==== 8. Adjust Tomcat' |
- | chown tomcat8: | + | |
- | chown -R tomcat8: | + | |
- | chmod 750 / | + | |
- | chmod 640 / | + | |
- | </ | + | |
- | ==== 7. Adjust Tomcat' | + | |
Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the **/ | Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the **/ | ||
- | Add this line with this comand '' | + | Create new file **/opt/tomcat/current/ |
- | < | + | |
- | Environment=' | + | < |
- | </ | + | |
- | On **Debian** create new file '' | + | |
- | < | + | |
CLASSPATH=/ | CLASSPATH=/ | ||
</ | </ | ||
+ | |||
And change owner of the file to tomcat: | And change owner of the file to tomcat: | ||
< | < | ||
- | chown root:tomcat /usr/share/tomcat8/ | + | chown root:tomcat /opt/tomcat/current/ |
</ | </ | ||
- | ==== 8. Create dedicated Java truststore ==== | + | |
+ | ==== 9. Create dedicated Java truststore ==== | ||
Java truststore is a file which contains SSL certificates which we consider trusted. Usually this means some certificates of end systems or their respective certificate authorities. | Java truststore is a file which contains SSL certificates which we consider trusted. Usually this means some certificates of end systems or their respective certificate authorities. | ||
When we need CzechIdM to communicate with some new system with SSL-encrypted way, we need to import particular certificate here and restart the Tomcat container. | When we need CzechIdM to communicate with some new system with SSL-encrypted way, we need to import particular certificate here and restart the Tomcat container. | ||
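Review bot: the Debian variants of the permissions block (lines 76-82) and of the setenv instructions (lines 89-90) are removed while the same revision adds a "JDBC driver installation - Debian" heading at line 22, so the page now half-supports Debian; either drop the Debian JDBC section too or state that the remaining steps assume the layout under /opt/tomcat/current. Line 96 also sets the owner of the new setenv file to root:tomcat but no mode; apply the same 640 used for the configuration files at line 74 so only root and the tomcat group can read it.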
Line 388: | Line 385: | ||
systemctl restart tomcat.service | systemctl restart tomcat.service | ||
</ | </ | ||
- | ==== 9. Deploy the CzechIdM ==== | + | ==== 10. Deploy the CzechIdM ==== |
Download the latest CzechIdM version. Currently it is idm-app-9.4.0.war. | Download the latest CzechIdM version. Currently it is idm-app-9.4.0.war. | ||
- | |||
- | **CentOS** | ||
Ensure Tomcat is stopped: | Ensure Tomcat is stopped: | ||
Line 399: | Line 394: | ||
Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**: | Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**: | ||
< | < | ||
- | cp idm-app-9.4.0.war /opt/czechidm/app/idm.war | + | cp idm-app-9.4.0.war /opt/tomcat/current/ |
- | chown tomcat: | + | chown tomcat: |
</ | </ | ||
Start the Tomcat container:< | Start the Tomcat container:< | ||
systemctl start tomcat.service | systemctl start tomcat.service | ||
</ | </ | ||
- | If everything is set up right, the CzechIdM will deploy. Default log is **/var/log/ | + | If everything is set up right, the CzechIdM will deploy. Default log is **/opt/tomcat/current/ |
- | **Debian** | ||
- | Ensure Tomcat is stopped: | + | ==== 11. Final Steps ==== |
- | < | + | |
- | systemctl stop tomcat8.service | + | |
- | </ | + | |
- | Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**: | + | |
- | < | + | |
- | cp idm-app-9.4.0.war / | + | |
- | chown tomcat8: | + | |
- | </ | + | |
- | Start the Tomcat container:< | + | |
- | systemctl start tomcat8.service | + | |
- | </ | + | |
- | If everything is set up right, the CzechIdM will deploy. Default log is **/ | + | |
- | ==== 10. Final Steps ==== | ||
=== Allow network services === | === Allow network services === | ||
Firewall may restrict the access to all port except ssh (22/tcp). To be able to use CzechIdM, allow port 443/tcp and reload firewalld: | Firewall may restrict the access to all port except ssh (22/tcp). To be able to use CzechIdM, allow port 443/tcp and reload firewalld: | ||
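Review bot: the default log location moves from /var/log/ to a path under /opt/tomcat/current/ (line 119); anything that reads Tomcat logs from the old location (log rotation, a log shipper, monitoring rules) will silently stop seeing CzechIdM output, so mention the move where the log path is introduced and update the rotation configuration with it. Copying the WAR straight into Tomcat's webapps tree (line 113) is consistent with dropping the **app** directory at line 50.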
Line 439: | Line 420: | ||
Follow some final configuration steps: [[tutorial: | Follow some final configuration steps: [[tutorial: | ||
- | === On CentOS set permisive mod on Tomcat === | ||
- | SELinux will deny acces to the database for tomcat and won't allow create files by him. The tomcat will write error to the ''/ | ||
- | |||
- | To fix this we need set the permissive mode for tomcat: | ||
- | < | ||
- | semanage permissive -a tomcat_t | ||
- | </ | ||
- | |||
- | <note warning> | ||
- | Evaluate impact of SELinux adjustments **before** you implement them. Proper mitigation heavily depends on habits and security policies of your organization. | ||
- | |||
- | There are some possibilities: | ||
- | * Set permissive mode for logrotate as above. | ||
- | * Set permissive mode for whole SELinux. (This will drop the SELinux' | ||
- | * Adjust particular SELinux labels. Example ([[https:// | ||
- | </ |
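Review bot: removing the SELinux section (lines 139-154) leaves a CentOS install with SELinux enforcing undocumented: the removed text says tomcat is denied database and file access, and the revision does not say whether that still happens now that Tomcat lives under /opt/tomcat/current. If the problem is gone, keep one sentence saying so; if it is not, keep the section but prefer its third option (adjusting the labels on the paths Tomcat needs) over `semanage permissive -a tomcat_t`, which removes confinement from the whole Tomcat process. The removed list item "Set permissive mode for logrotate" also reads like a copy error for tomcat and should say tomcat if the text is restored.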