Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:czechidm_installation [2019/11/26 09:26]
fiserp [3. Configure environment properties. Select application profile]
+++ tutorial:adm:czechidm_installation [2020/07/28 09:10]
urbanl predelani navodu pro centos8
@@ Line 1: / Line 1: @@
-====== Installation of CzechIdM - Linux ======
+====== Installation of CzechIdM - Linux - CentOS8 ======
 {{tag>installation jdbc quickstart encryption}}
-We presume that the server is prepared as described in [[tutorial:adm:server_preparation|]].
+We expect that the server is prepared as described in [[tutorial:adm:server_preparation|]].
-This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (java, postgreSQL, Tomcat, Apache httpd). If you are looking for a demo installation please see [[:getting-started|]].
+This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (Java, PostgreSQL, Tomcat, Apache HTTPd). If you are looking for a demo installation please see [[:getting-started|]].
-<note tip>If you install CzechIdM on Sql server please skip instruction with setup DB and install JDBC driver and [[tutorial:adm:mssql_database_support|follow the tutorial.]]</note>
+<note tip>If you install CzechIdM on with Microsoft SQL Server database backend, please skip PostgreSQL-related sections and [[tutorial:adm:mssql_database_support|swap them for this tutorial]] instead.</note>
 ==== 1. Create DB user and database in PostgreSQL ====
 Switch the user from root to postgres and use **psql** to add the user and database into PostgreSQL:
@@ Line 15: / Line 15: @@
 psql
 CREATE USER czechidm PASSWORD 'XXXXXXXXXXXX';
+# Choose appropriate collation and create database.
+# with english collation
 CREATE DATABASE "czechidm" WITH OWNER 'czechidm' ENCODING 'UTF8' LC_COLLATE = 'en_US.UTF-8' LC_CTYPE = 'en_US.UTF-8' template 'template0';
+# with czech collation
+CREATE DATABASE "czechidm" WITH OWNER 'czechidm' ENCODING 'UTF8' LC_COLLATE = 'cs_CZ.UTF-8' LC_CTYPE = 'cs_CZ.UTF-8' template 'template0';
 </code>
@@ Line 35: / Line 40: @@
 and restart PostgreSQL.
 </note>
-==== 2. JDBC driver installation ====
+==== 2. JDBC driver installation - CentOS8 ====
 **CentOS**
-Install the package with PostgreSQL JDBC driver:
+Download PostgreSQL JDBC driver from [[https://jdbc.postgresql.org/download.html|official page]].
+In this example we download version 42.2.11.
 <code bash>
-yum install -y postgresql-jdbc
+wget https://jdbc.postgresql.org/download/postgresql-42.2.11.jar -P /opt/tomcat/current/lib/
 </code>
-allow Tomcat to use the driver:
-<code bash>
-ln -s /usr/share/java/postgresql-jdbc.jar /usr/share/java/tomcat/
-</code>
-**Debian**
-Install the package with PostgreSQL JDBC driver:
-<code bash>
-apt-get install libpostgresql-jdbc-java
-</code>
-allow Tomcat to use the driver:
-<code bash>
-ln -s /usr/share/java/postgresql.jar /var/lib/tomcat8/lib/postgresql-jdbc4.jar
-</code>
 ==== 3. Configure environment properties. Select application profile ====
-Edit tomcat unit - edit the line with environment variable choosing the appropriate application profile. We use **production** profile in our example, which enables you to configure production-ready instace of the identity manager.
+Edit the configuration file ''/etc/systemd/system/tomcat.service'' - edit the line with environment variable choosing the appropriate application profile. We use **production** profile in our example, which enables you to configure production-ready instace of the identity manager.
 <note>The **dev** profile is for development and testing environments and as such it has debug logging enabled. For production deployment, use a profile named **production** as is shown in the example. The profile naming convention is mandatory because other CzechIdM configuration depends on it.</note>
-<note important>To prevent application startup fails due to Flyway bug, property ''-Djava.util.Arrays.useLegacyMergeSort=true'' has to be added into environment properties. If property is not set, then application can fail on error:
-<code>Error creating bean with name 'flywayCore' defined in class path resource [eu/bcvsolutions/idm/core/config/flyway/CoreFlywayConfig.class]:
-Initialization of bean failed; nested exception is java.lang.IllegalArgumentException: Comparison method violates its general contract!</code>
-</note>
-Use ''systemctl edit tomcat.service'' and change the following line  ( On Debian make changes file ''/etc/default/tomcat8''):
+Change the following line:
 <code bash>
 Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8'
@@ Line 79: / Line 62: @@
 into:
 <code bash>
-Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Dspring.profiles.active=production -Djava.util.Arrays.useLegacyMergeSort=true'
+Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Dspring.profiles.active=production'
 </code>
-On CentOS reload systemd after the changes:
+Reload systemd after the changes:
 <code bash>
 systemctl daemon-reload
@@ Line 92: / Line 75: @@
   * The **backup** directory stored Groovy scripts backups.
   * The **data** directory stores various user-attached files.
-  * The **app** directory stores war files.
   *
 Create the directory structure:
 <code>
-mkdir -p /opt/czechidm/{etc,lib,backup,data,app}
+mkdir -p /opt/czechidm/{etc,lib,backup,data}
 </code>
@@ Line 104: / Line 86: @@
 Now we will create configuration files the CzechIdM will use.
 <note>Code snippets in this chapter can be **mostly** copy-pasted or (but please read through whole chapter to be aware of setting you have to adjust). Configuring the CzechIdM is about altering four or five lines altogether.</note>
-  * The **/opt/czechidm/etc/secret.key** is a file with confidential storage secret key. This key has to have 128 bit (= 16 bytes).<code>
+  * The **/opt/czechidm/etc/secret.key** is a file with confidential storage secret key. This key has to have 128 bit (= 16 bytes) or 256 bit (= 32b bytes). The length of the key determines the AES cipher used (AES-128 od AES-256).<code>
-cat /dev/urandom | tr -dc 'a-z0-9' | head -c 16 > /opt/czechidm/etc/secret.key
+cat /dev/urandom | tr -dc 'a-z0-9' | head -c 32 > /opt/czechidm/etc/secret.key
 </code>
   * The **/opt/czechidm/etc/quartz-production.properties** file stores, the Quartz scheduler configuration. You can use the following snippet as a production-safe configuration file.<file properties quartz-production.properties>
@@ Line 135: / Line 117: @@
     </springProfile>
-    <springProfile name="test">
+    <springProfile name="production">
-        <logger name="eu.bcvsolutions" level="DEBUG"/>
-        <logger name="org.springframework" level="INFO"/>
-        <logger name="org.springframework.web" level="INFO"/>
-        <logger name="org.hibernate.SQL" level="INFO"/>
-        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/>
-    </springProfile>
-    <springProfile name="dev">
         <springProperty name="spring.datasource.driver-class-name" source="spring.datasource.driver-class-name"/>
         <springProperty name="spring.datasource.url" source="spring.datasource.url"/>
@@ Line 163: / Line 137: @@
         </appender>
-        <logger name="eu.bcvsolutions" level="TRACE">
+        <logger name="eu.bcvsolutions" level="INFO">
             <appender-ref ref="DB_ASYNC" />
         </logger>
         <logger name="org.springframework" level="INFO"/>
-        <logger name="org.springframework.web" level="DEBUG"/>
+        <logger name="org.springframework.web" level="INFO"/>
-        <logger name="org.hibernate.SQL" level="DEBUG"/>
+        <logger name="org.hibernate.SQL" level="INFO"/>
-        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="TRACE"/>
+        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/>
     </springProfile>
-    <springProfile name="dev-mysql">
-        <logger name="eu.bcvsolutions" level="TRACE" />
-        <logger name="org.springframework" level="INFO"/>
-        <logger name="org.springframework.web" level="DEBUG"/>
-        <logger name="org.hibernate.SQL" level="DEBUG"/>
-        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="TRACE"/>
-    </springProfile>
 </configuration>
 </file>
@@ Line 197: / Line 165: @@
 flyway.enabled=true
-scheduler.enabled=true
-scheduler.task.queue.process=1000
-scheduler.event.queue.process=1000
 scheduler.properties.location=quartz-production.properties
 logging.config=/opt/czechidm/etc/logback-spring.xml
 idm.sec.core.demo.data.enabled=false
-#spring.cache.ehcache.config=classpath:ehcache.xml
+# attachments will be stored under this path.
+# new directories for attachment will be created in this folder (permissions has to be added)
-spring.activiti.processDefinitionLocationPrefix=classpath*:/eu/bcvsolutions/idm/workflow/
+# System.getProperty("user.home")/idm_data will be used if no path is given
-idm.sec.core.notification.template.folder=classpath*:/eu/bcvsolutions/idm/templates/
+idm.sec.core.attachment.storagePath=/opt/czechidm/data
-idm.sec.core.script.folder=classpath*:/eu/bcvsolutions/idm/scripts/
 # configuration property for default backup
 idm.sec.core.backups.default.folder.path=/opt/czechidm/backup
 idm.pub.security.allowed-origins=http://localhost
@@ Line 219: / Line 186: @@
 idm.sec.security.jwt.expirationTimeout=36000000
-# recaptcha
-# - recaptchaservice endpoint
-#idm.sec.security.recaptcha.url=https://www.google.com/recaptcha/api/siteverify
-# - secret key, can be generated here https://www.google.com/recaptcha/admin
-idm.sec.security.recaptcha.secretKey=xxx
-# Proxy for HTTP requests
-#idm.sec.core.http.proxy=12.34.56.78:1234
 # Cipher secret key for crypt values in confidential storage
 # for crypt values is used secretKey or secretKey defined by file - secretKeyPath
 #cipher.crypt.secret.key=XXXXXXXXXXXXXXXX
 cipher.crypt.secret.keyPath=/opt/czechidm/etc/secret.key
+# Defaults for: emailer.*
+# test.enabled=true means mail WILL NOT be sent
 idm.sec.core.emailer.test.enabled=true
 # http://camel.apache.org/mail.html
@@ Line 241: / Line 201: @@
 # idm.sec.core.emailer.password=password
 idm.sec.core.emailer.from=czechidm@localhost
-## Global property that allow disable or enable sending notification from WF
-idm.sec.core.wf.notification.send=false
-# supports delete identity
-idm.pub.core.identity.delete=true
-#
-# default password change type for custom users, one of values:
-# DISABLED - password change is disable
-# ALL_ONLY - users can change passwords only for all accounts
-# CUSTOM - users can choose for which accounts change password
-idm.pub.core.identity.passwordChange=ALL_ONLY
-#
-# required old password for change password
-idm.pub.core.identity.passwordChange.requireOldPassword=true
-#
-# create default identity's contract, when identity is created
-idm.pub.core.identity.create.defaultContract.enabled=true
 # Default user role will be added automatically, after an identity is logged in
@@ Line 268: / Line 208: @@
 # Admin user role
 idm.sec.core.role.admin=superAdminRole
-# ID system against which to authenticate
-idm.sec.security.auth.systemId=
-# attachments will be stored under this path.
+# Max file size of uploaded file. Values can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size.
-# new directories for attachment will be created in this folder (permissions has to be added)
+spring.servlet.multipart.max-file-size=100MB
-# System.getProperty("user.home")/idm_data will be used if no path is given
+spring.servlet.multipart.max-request-size=100MB
-idm.sec.core.attachment.storagePath=/opt/czechidm/data
 </file>
@@ Line 303: / Line 238: @@
 There are two properties in application-production.properties that influence the confidential storage:
-  * You can set the 128bit (16byte) key directly in the property file using **cipher.crypt.secret.key** property or
+  * You can set the key directly in the property file using **cipher.crypt.secret.key** property
-  * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.
+  * or (better) you can create separate file ''secret.key'' containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.
 <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note>
-Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit key.
+Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit or 256bit key.
+<note>
+Length of the key determines the cipher which will be used. If you use 128b (16byte) key, CzechIdM will use AES-128. If you use 256b (32byte) key, CzechIdM will use AES-256.
+  * OpenJDK/JDK 1.8u161 and all higher versions support AES-256 by default.
+  * Older versions (below 1.8u161) do not offer it. On those Java distributions, you can use AES-128 or obtain the [[https://www.oracle.com/java/technologies/javase-jce8-downloads.html|Unlimited Strength Jurisdiction Policy Files]] to enable AES-256.
+</note>
 === Attachment store ===
@@ Line 332: / Line 274: @@
 ==== 6. Set correct permissions on CzechIdM files ====
-**CentOS**
 <code>
 chown tomcat:tomcat /opt/czechidm
-chown -R tomcat:tomcat /opt/czechidm/{etc,data,backup,app,lib}
+chown -R tomcat:tomcat /opt/czechidm/{etc,data,backup,lib}
-chmod 750 /opt/czechidm/{etc,data,backup,app,lib}
+chmod 750 /opt/czechidm/{etc,data,backup,lib}
-chmod 640 /opt/czechidm/etc/*
-</code>
-**Debian**
-<code>
-chown tomcat8:tomcat8 /opt/czechidm
-chown -R tomcat8:tomcat8 /opt/czechidm/{etc,data,backup,app,lib}
-chmod 750 /opt/czechidm/{etc,data,backup,app,lib}
 chmod 640 /opt/czechidm/etc/*
 </code>
 ==== 7. Adjust Tomcat's classpath ====
-Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the **/opt/czechidm/etc** directory (and others) on the classpath.
+Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the ''/opt/czechidm/etc'' directory (and others) on the classpath.
-Add this line with this comand ''systemctl edit tomcat.service''.
+Create new file ''/opt/tomcat/current/bin/setenv.sh'' with following content:
-<code>
-Environment='CLASSPATH=/opt/czechidm/etc:/opt/czechidm/lib/*'
+<code bash:>
-</code>
-On **Debian** create new file ''/usr/share/tomcat8/bin/setenv.sh'' with this content:
-<code>
 CLASSPATH=/opt/czechidm/etc:/opt/czechidm/lib/*
 </code>
 And change owner of the file to tomcat:
 <code>
-chown root:tomcat /usr/share/tomcat8/bin/setenv.sh
+chown root:tomcat /opt/tomcat/current/bin/setenv.sh
 </code>
 ==== 8. Create dedicated Java truststore ====
 Java truststore is a file which contains SSL certificates which we consider trusted. Usually this means some certificates of end systems or their respective certificate authorities.
@@ Line 383: / Line 317: @@
 </code>
-Edit the Tomcat service file (systemctl edit tomcat.service) and add path to the truststore ''-Djavax.net.ssl.trustStore=/opt/czechidm/etc/truststore.jks'' and truststore password ''-Djavax.net.ssl.trustStorePassword=THE PASSWORD YOU ENTERED WHEN CREATING KEYSTORE'' to the Environment='JAVA_OPTS' options. Finally, reload the systemd and restart Tomcat.
+Edit the Tomcat service file ''/etc/systemd/system/tomcat.service'' and add path to the truststore ''-Djavax.net.ssl.trustStore=/opt/czechidm/etc/truststore.jks'' and truststore password ''-Djavax.net.ssl.trustStorePassword=THE PASSWORD YOU ENTERED WHEN CREATING KEYSTORE'' to the Java options. Finally, reload the systemd and restart Tomcat.
 <code>
 systemctl daemon-reload
@@ Line 389: / Line 323: @@
 </code>
 ==== 9. Deploy the CzechIdM ====
-Download the latest CzechIdM version. Currently it is idm-app-9.4.0.war.
+Download the latest CzechIdM version. Currently it is idm-app-10.4.1.war.
-**CentOS**
 Ensure Tomcat is stopped:
@@ Line 397: / Line 329: @@
 systemctl stop tomcat.service
 </code>
-Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**:
+Copy the identity manager WAR into webapps folder in Tomcat and name it ''idm.war'':
 <code>
-cp idm-app-9.4.0.war /opt/czechidm/app/idm.war
+cp idm-app-10.4.1.war /opt/tomcat/current/webapps/idm.war
-chown tomcat:tomcat /opt/czechidm/app/idm.war
 </code>
 Start the Tomcat container:<code>
 systemctl start tomcat.service
 </code>
-If everything is set up right, the CzechIdM will deploy. Default log is **/var/log/tomcat/catalina.out**.
+If everything is set up right, the CzechIdM will deploy. Default log is ''/opt/tomcat/current/logs/catalina.out''.
-**Debian**
-Ensure Tomcat is stopped:
+==== 10. Final Steps ====
-<code>
-systemctl stop tomcat8.service
-</code>
-Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**:
-<code>
-cp idm-app-9.4.0.war /opt/czechidm/app/idm.war
-chown tomcat8:tomcat8 /opt/czechidm/app/idm.war
-</code>
-Start the Tomcat container:<code>
-systemctl start tomcat8.service
-</code>
-If everything is set up right, the CzechIdM will deploy. Default log is **/var/log/tomcat8/catalina.out**.
-==== 10. Final Steps ====
 === Allow network services ===
 Firewall may restrict the access to all port except ssh (22/tcp). To be able to use CzechIdM, allow port 443/tcp and reload firewalld:
 <code bash>
+firewall-cmd --permanent --add-port=80/tcp
 firewall-cmd --permanent --add-port=443/tcp
 firewall-cmd --reload
@@ Line 439: / Line 357: @@
 Follow some final configuration steps: [[tutorial:adm:czechidm_installation_finalize|]].
-=== On CentOS set permisive mod on Tomcat ===
-SELinux will deny acces to the database for tomcat and won't allow create files by him. The tomcat will write error to the ''/var/log/tomcat/catalina.out''or ''/var/log/messages'' line similar to ''org.postgresql.util.PSQLException: Connection to localhost:5432 refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.''.
-To fix this we need set the permissive mode for tomcat:
-<code>
-semanage permissive -a tomcat_t
-</code>
-<note warning>
-Evaluate impact of SELinux adjustments **before** you implement them. Proper mitigation heavily depends on habits and security policies of your organization.
-There are some possibilities:
-  * Set permissive mode for logrotate as above.
-  * Set permissive mode for whole SELinux. (This will drop the SELinux's protective function.)
-  * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]).
-</note>