Differences

This shows you the differences between two versions of the page.

tutorial:adm:czechidm_installation [2019/08/22 13:29]
doischert [8. Create dedicated Java truststore]
tutorial:adm:czechidm_installation [2022/12/20 10:11] (current)
kralikf [9. Deploy the CzechIdM]
Line 1: Line 1:
-====== Installation of CzechIdM - Linux ======+====== Installation of CzechIdM - Linux - CentOS8 ======
  
 {{tag>installation jdbc quickstart encryption}} {{tag>installation jdbc quickstart encryption}}
  
-We presume that the server is prepared as described in [[tutorial:adm:server_preparation|]].+We expect that the server is prepared as described in [[.:server_preparation|]]. 
 + 
 +This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (Java, PostgreSQL, Tomcat, Apache HTTPd). If you are looking for a demo installation please see [[:getting-started|]]. 
 + 
 +<note tip>If you install CzechIdM on with Microsoft SQL Server database backend, please skip PostgreSQL-related sections and [[.:mssql_database_support|swap them for this tutorial]] instead.</note>
  
-This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (java, postgreSQL, Tomcat, Apache httpd). If you are looking for a demo installation please see [[:getting-started|]]. 
  
-<note tip>If you install CzechIdM on Sql server please skip instruction with setup DB and install JDBC driver and [[tutorial:adm:mssql_database_support|follow the tutorial.]]</note> 
 ==== 1. Create DB user and database in PostgreSQL ==== ==== 1. Create DB user and database in PostgreSQL ====
 +If czech database collation should be used, install the czech language packs.
 +<code bash>
 +dnf install langpacks-cs
 +</code>
 +
 +
 Switch the user from root to postgres and use **psql** to add the user and database into PostgreSQL: Switch the user from root to postgres and use **psql** to add the user and database into PostgreSQL:
  
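Review bot: typo in the new tip note: "If you install CzechIdM on with Microsoft SQL Server database backend" should drop "on". The added `dnf install langpacks-cs` step is the prerequisite for the `cs_CZ.UTF-8` collation used in the CREATE DATABASE statement below; say explicitly that the locale must exist before the database is created, because a database's LC_COLLATE is fixed at creation time and cannot be changed afterwards.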
Line 15: Line 23:
 psql  psql 
 CREATE USER czechidm PASSWORD 'XXXXXXXXXXXX'; CREATE USER czechidm PASSWORD 'XXXXXXXXXXXX';
-CREATE DATABASE "czechidm" WITH OWNER 'czechidm' ENCODING 'UTF8' LC_COLLATE = 'en_US.UTF-8' LC_CTYPE = 'en_US.UTF-8' template 'template0';+ 
 +# Choose appropriate collation and create database. 
 +# with czech collation (- typical) 
 +CREATE DATABASE "czechidm" WITH OWNER 'czechidm' ENCODING 'UTF8' LC_COLLATE = 'cs_CZ.UTF-8' LC_CTYPE = 'cs_CZ.UTF-8' template 'template0'; 
 +# or with english collation 
 +CREATE DATABASE "czechidm" WITH OWNER 'czechidm' ENCODING 'UTF8' LC_COLLATE = 'en_US.UTF-8' LC_CTYPE = 'en_US.UTF-8' template 'template0';
 </code> </code>
  
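Review bot: the two `#` comment lines added inside the psql block are not SQL comments; psql buffers them into the next statement, so a copy-paste of the block fails with a syntax error at `#` before CREATE DATABASE runs. Use `--` comments instead. Separately, the password on the CREATE USER line is recorded in the postgres user's ~/.psql_history; creating the role first and then setting the password with `\password czechidm` keeps it out of the history file.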
Line 35: Line 48:
 and restart PostgreSQL. and restart PostgreSQL.
 </note> </note>
-==== 2. JDBC driver installation ====+==== 2. JDBC driver installation ​- CentOS8 ​==== 
 **CentOS** **CentOS**
  
-Install the package with PostgreSQL JDBC driver:+Download PostgreSQL JDBC driver from [[https://jdbc.postgresql.org/download.html|official page]]. 
 +In this example we download version 42.2.11.
  
 <code bash> <code bash>
-yum install -y postgresql-jdbc+wget https://jdbc.postgresql.org/download/postgresql-42.2.11.jar -P /opt/tomcat/current/lib/
 </code> </code>
  
-allow Tomcat to use the driver: +==== 3Configure environment properties. Select application profile ====
- +
-<code bash> +
-ln -s /usr/share/java/postgresql-jdbc.jar /usr/share/java/tomcat/ +
-</code> +
  
-**Debian**+Edit the configuration file ''/etc/systemd/system/tomcat.service'' - edit the line with environment variable choosing the appropriate application profile. We use **production** profile in our example, which enables you to configure production-ready instace of the identity manager. <note>The **dev** profile is for development and testing environments and as such it has debug logging enabled. For production deployment, use a profile named **production** as is shown in the example. The profile naming convention is mandatory because other CzechIdM configuration depends on it.</note>
  
-Install the package with PostgreSQL JDBC driver:+Change ​the following line:
  
 <code bash> <code bash>
-apt-get install libpostgresql-jdbc-java+Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8' 
 </code> </code>
  
-allow Tomcat to use the driver:+into:
  
 <code bash> <code bash>
-ln -/usr/share/java/postgresql.jar /var/lib/tomcat8/lib/postgresql-jdbc4.jar +Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true -Dspring.profiles.active=production'
-</code>  +
-==== 3Configure environment propertiesSelect application profile ====+
  
-Edit tomcat unit - edit the line with environment variable choosing the appropriate application profile. We use **production** profile in our example, which enables you to configure production-ready instace of the identity manager. +</code>
-<note>The **dev** profile is for development and testing environments and as such it has debug logging enabled. For production deployment, use a profile named **production** as is shown in the example. The profile naming convention is mandatory because other CzechIdM configuration depends on it.</note>+
  
-<note important>To prevent application startup fails due to Flyway bug, property ''-Djava.util.Arrays.useLegacyMergeSort=true'' has to be added into environment properties. If property is not set, then application can fail on error: +Reload ​systemd after the changes:
-<code>Error creating bean with name 'flywayCore' defined in class path resource [eu/bcvsolutions/idm/core/config/flyway/CoreFlywayConfig.class]:  +
-Initialization of bean failed; nested exception is java.lang.IllegalArgumentException: Comparison method violates its general contract!</code> +
-</note>+
  
-Use ''systemctl edit tomcat.service'' and change the following line  ( On Debian make changes file ''/etc/default/tomcat8''): 
-<code bash> 
-Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8' 
-</code> 
-into: 
-<code bash> 
-Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dspring.profiles.active=production -Djava.util.Arrays.useLegacyMergeSort=true -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8'  
-</code> 
- 
-On CentOS reload systemd after the changes: 
 <code bash> <code bash>
 systemctl daemon-reload systemctl daemon-reload
 +
 </code> </code>
 +
 +
 ==== 4. Create CzechIdM configuration folders ==== ==== 4. Create CzechIdM configuration folders ====
 In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments. In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments.
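Review bot: the new `wget ... -P /opt/tomcat/current/lib/` line places a third-party jar straight onto Tomcat's library path with no integrity check; add a checksum or signature verification against the value the driver project publishes before moving the file into lib, and set its ownership and mode explicitly, as step 7 does for setenv.sh. The JAVA_OPTS change also adds `-Dlog4j2.formatMsgNoLookups=true` while the prose only talks about the profile; one sentence on why the flag is there and which logging version it applies to would stop a later editor from removing it. The Flyway `useLegacyMergeSort` note and flag disappear together; if the workaround is no longer needed for the version this revision targets, say so.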
Line 92: Line 90:
   * The **backup** directory stored Groovy scripts backups.   * The **backup** directory stored Groovy scripts backups.
   * The **data** directory stores various user-attached files.   * The **data** directory stores various user-attached files.
-  * The **app** directory stores war files. 
   *    * 
 Create the directory structure: Create the directory structure:
 <code> <code>
-mkdir -p /opt/czechidm/{etc,lib,backup,data,app}+mkdir -p /opt/czechidm/{etc,lib,backup,data}
 </code> </code>
  
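Review bot: the bullet list still carries an empty `*` item after the app directory entry was removed, and the backup line should read "stores" rather than "stored". With the app directory gone, check that no later step still references /opt/czechidm/app (the deploy step in this revision copies into Tomcat's webapps instead).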
Line 102: Line 99:
  
 ==== 5. Create CzechIdM configuration ==== ==== 5. Create CzechIdM configuration ====
-Now we will create configuration files the CzechIdM will use. + 
-<note>Code snippets in this chapter can be **mostly** copy-pasted or (but please read through whole chapter to be aware of setting you have to adjust). Configuring the CzechIdM is about altering four or five lines altogether.</note> +Now we will create configuration files the CzechIdM will use. <note>Code snippets in this chapter can be **mostly** copy-pasted or (but please read through whole chapter to be aware of setting you have to adjust). Configuring the CzechIdM is about altering four or five lines altogether.</note> 
-  * The **/opt/czechidm/etc/secret.key** is a file with confidential storage secret key. This key has to have 128 bit (= 16 bytes).<code> + 
-cat /dev/urandom | tr -dc 'a-z0-9' | head -c 16 > /opt/czechidm/etc/secret.key+   * The **/opt/czechidm/etc/secret.key**  is a file with confidential storage secret key. This key has to have 128 bit (= 16 bytes) or 256 bit (= 32b bytes). The length of the key determines the AES cipher used (AES-128 od AES-256). 
 + 
 +<code> 
 +cat /dev/urandom | tr -dc 'a-z0-9' | head -c 32> /opt/czechidm/etc/secret.key 
 </code> </code>
-  * The **/opt/czechidm/etc/quartz-production.properties** file stores, the Quartz scheduler configuration. You can use the following snippet as a production-safe configuration file.<file properties quartz-production.properties>+ 
 +  * The **/opt/czechidm/etc/quartz-production.properties**  file stores, the Quartz scheduler configuration. You can use the following snippet as a production-safe configuration file. 
 + 
 +<file properties quartz-production.properties>
 org.quartz.scheduler.instanceName=idm-scheduler-instance org.quartz.scheduler.instanceName=idm-scheduler-instance
 org.quartz.scheduler.instanceId=AUTO org.quartz.scheduler.instanceId=AUTO
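Review bot: the new key-generation command `head -c 32> /opt/czechidm/etc/secret.key` is broken: without a space the shell parses `32>` as a redirection of file descriptor 32, so head gets `-c` with no argument, exits with an error, and the key file is created empty. It should read `head -c 32 > /opt/czechidm/etc/secret.key`. Wording in the same paragraph: "32b bytes" and "AES-128 od AES-256". One caveat worth stating: `tr -dc 'a-z0-9'` draws each character from 36 symbols, so 32 characters carry roughly 165 bits of entropy; that is adequate in practice but it is not a full 256-bit key, and the text should not imply otherwise.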
Line 119: Line 123:
 org.quartz.jobStore.misfireThreshold=60000 org.quartz.jobStore.misfireThreshold=60000
 org.quartz.jobStore.tablePrefix=qrtz_ org.quartz.jobStore.tablePrefix=qrtz_
 +
 +
 </file> </file>
-  * The **/opt/czechidm/etc/logback-spring.xml** specifies logging configuration. This is the default logging configuration that you can use out of the box.<file xml logback-spring.xml>+ 
 +  * The **/opt/czechidm/etc/logback-spring.xml**  specifies logging configuration. This is the default logging configuration that you can use out of the box. 
 + 
 +<file xml logback-spring.xml>
 <?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
 <!-- https://springframework.guru/using-logback-spring-boot/ --> <!-- https://springframework.guru/using-logback-spring-boot/ -->
 <!-- http://logback.qos.ch/manual/appenders.html --> <!-- http://logback.qos.ch/manual/appenders.html -->
 <configuration> <configuration>
 +    <!-- !!!BEWARE!!! The specification of the LOG PATTERNS overrides the default configuration and increases the maximum length of the %logger{<size>} attribute.
 +    It is neccessary for correct function of the AUDIT logging feature (redmine ticket #2717). If AUDIT logger key is longer then the set limit it gets shortened
 +    and SIEM software is not able to parse logs properly. -->
 +    <property name="CONSOLE_LOG_PATTERN" value="%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n"/>
 +    <property name="FILE_LOG_PATTERN" value="%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n"/>
 +
     <include resource="org/springframework/boot/logging/logback/base.xml"/>     <include resource="org/springframework/boot/logging/logback/base.xml"/>
     <springProperty name="spring.profiles.active" source="spring.profiles.active"/>     <springProperty name="spring.profiles.active" source="spring.profiles.active"/>
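Review bot: two typos in the new pattern comment: "neccessary" and "longer then the set limit". Also, `%M` in both patterns resolves the calling method name from the stack on every log call, which logback documents as expensive; keep it if the SIEM parsing depends on it, but the cost is worth a mention next to the pattern.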
Line 133: Line 148:
         <logger name="org.hibernate.SQL" level="INFO"/>         <logger name="org.hibernate.SQL" level="INFO"/>
         <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/>         <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/>
 +        <logger name="AUDIT" level="INFO"/>
     </springProfile>     </springProfile>
  
-    <springProfile name="test"> +    <springProfile name="production">
-        <logger name="eu.bcvsolutions" level="DEBUG"/> +
-        <logger name="org.springframework" level="INFO"/> +
-        <logger name="org.springframework.web" level="INFO"/> +
-        <logger name="org.hibernate.SQL" level="INFO"/> +
-        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/> +
-    </springProfile> +
- +
-    <springProfile name="dev">  +
         <springProperty name="spring.datasource.driver-class-name" source="spring.datasource.driver-class-name"/>         <springProperty name="spring.datasource.driver-class-name" source="spring.datasource.driver-class-name"/>
         <springProperty name="spring.datasource.url" source="spring.datasource.url"/>         <springProperty name="spring.datasource.url" source="spring.datasource.url"/>
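Review bot: the `dev` and `test` profiles are replaced by a single `production` profile, but this profile only becomes active when `-Dspring.profiles.active=production` from step 3 is set; with any other profile name none of these loggers or the DB appender apply and logging silently falls back to the included base.xml defaults. A sentence tying the profile name here to the Java option in step 3 would make that dependency explicit.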
Line 149: Line 157:
         <springProperty name="spring.datasource.password" source="spring.datasource.password"/>         <springProperty name="spring.datasource.password" source="spring.datasource.password"/>
  
-        <appender name="DB" class="ch.qos.logback.classic.db.DBAppender"> +        <appender name="DB" class="eu.bcvsolutions.idm.core.exception.IdmDbAppender"> 
-            <connectionSource class="ch.qos.logback.core.db.DriverManagerConnectionSource"> +
-                <driverClass>${spring.datasource.driver-class-name}</driverClass> +
-                <url>${spring.datasource.url}</url> +
-                <user>${spring.datasource.username}</user> +
-                <password>${spring.datasource.password}</password> +
-            </connectionSource>+
         </appender>         </appender>
  
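Review bot: the appender switches to `eu.bcvsolutions.idm.core.exception.IdmDbAppender` and the `connectionSource` block with driver, URL, user and password is removed, yet the four `springProperty` declarations for spring.datasource.* just above it remain. If IdmDbAppender obtains the datasource from the application context they are dead configuration and should go (one fewer place that references the database password); if the appender reads them, the text should say so.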
Line 163: Line 166:
         </appender>         </appender>
  
-        <logger name="eu.bcvsolutions" level="TRACE">+        <logger name="eu.bcvsolutions" level="INFO">
             <appender-ref ref="DB_ASYNC" />             <appender-ref ref="DB_ASYNC" />
         </logger>         </logger>
         <logger name="org.springframework" level="INFO"/>         <logger name="org.springframework" level="INFO"/>
-        <logger name="org.springframework.web" level="DEBUG"/> +        <logger name="org.springframework.web" level="INFO"/> 
-        <logger name="org.hibernate.SQL" level="DEBUG"/> +        <logger name="org.hibernate.SQL" level="INFO"/> 
-        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="TRACE"/> +        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/> 
-    </springProfile>+        <logger name="AUDIT" level="INFO"/>
  
-    <springProfile name="dev-mysql">     
-        <logger name="eu.bcvsolutions" level="TRACE" /> 
-        <logger name="org.springframework" level="INFO"/> 
-        <logger name="org.springframework.web" level="DEBUG"/> 
-        <logger name="org.hibernate.SQL" level="DEBUG"/> 
-        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="TRACE"/>         
     </springProfile>     </springProfile>
 +
 </configuration> </configuration>
 +
 +
 </file> </file>
-  * The most important file is **/opt/czechidm/etc/application-production.properties** (application-PROFILE.properties, where the PROFILE is the profile you run the IdM under). You can use most of the file as-is, there is a bit of configuration needed though. This is a template file:<file properties application-production.properties>+ 
 +  * The most important file is **/opt/czechidm/etc/application-production.properties**  (application-PROFILE.properties, where the PROFILE is the profile you run the IdM under). You can use most of the file as-is, there is a bit of configuration needed though. This is a template file: 
 + 
 +<file properties application-production.properties>
 # Doc: https://wiki.czechidm.com/devel/dev/configuration/backend # Doc: https://wiki.czechidm.com/devel/dev/configuration/backend
- +
 idm.pub.app.instanceId=idm-primary idm.pub.app.instanceId=idm-primary
 idm.pub.app.stage=production idm.pub.app.stage=production
-  + 
-spring.datasource.url=jdbc:postgresql://localhost:5432/czechidm+spring.datasource.jdbcUrl=jdbc:postgresql://localhost:5432/czechidm
 spring.datasource.username=czechidm spring.datasource.username=czechidm
 spring.datasource.password=********** TODO ********* spring.datasource.password=********** TODO *********
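Review bot: the datasource key in the template changes from `spring.datasource.url` to `spring.datasource.jdbcUrl` with no mention in the prose, and the lowered logger levels (INFO instead of TRACE/DEBUG) are likewise unexplained. Both are sensible production defaults; state the rename explicitly so readers migrating an older application-production.properties do not keep a key that is no longer read, and keep the `********** TODO *********` placeholders flagged as values that must be replaced before start, since the chapter invites copy-pasting the file as-is.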
Line 196: Line 199:
 spring.jpa.hibernate.ddl-auto=none spring.jpa.hibernate.ddl-auto=none
 flyway.enabled=true flyway.enabled=true
-  +
-scheduler.enabled=true +
-scheduler.task.queue.process=1000 +
-scheduler.event.queue.process=1000+
 scheduler.properties.location=quartz-production.properties scheduler.properties.location=quartz-production.properties
 +
 logging.config=/opt/czechidm/etc/logback-spring.xml logging.config=/opt/czechidm/etc/logback-spring.xml
 +
 idm.sec.core.demo.data.enabled=false idm.sec.core.demo.data.enabled=false
-  + 
-#spring.cache.ehcache.config=classpath:ehcache.xml +attachments will be stored under this path
-  +# new directories for attachment will be created in this folder (permissions has to be added) 
-spring.activiti.processDefinitionLocationPrefix=classpath*:/eu/bcvsolutions/idm/workflow+# System.getProperty("user.home")/idm_data will be used if no path is given 
-idm.sec.core.notification.template.folder=classpath*:/eu/bcvsolutions/idm/templates/ +idm.sec.core.attachment.storagePath=/opt/czechidm/data 
-idm.sec.core.script.folder=classpath*:/eu/bcvsolutions/idm/scripts+# configuration property for default backup
-# configuration property for default backup +
 idm.sec.core.backups.default.folder.path=/opt/czechidm/backup idm.sec.core.backups.default.folder.path=/opt/czechidm/backup
-  +
- +
 idm.pub.security.allowed-origins=http://localhost idm.pub.security.allowed-origins=http://localhost
 # Generate JWT token security string as "cat /dev/urandom | tr -dc 'a-z0-9' | head -c VALUE" where VALUE can be from 1 to 255. # Generate JWT token security string as "cat /dev/urandom | tr -dc 'a-z0-9' | head -c VALUE" where VALUE can be from 1 to 255.
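Review bot: the moved line `attachments will be stored under this path` has no leading `#`, so in a Java properties file it is parsed as a key named `attachments` with the rest of the line as its value rather than as a comment; prefix it with `#` like the lines that follow. In the next comment, "permissions has to be added" should be "have to be added", and it would help to say which permissions are meant (the chown/chmod for /opt/czechidm/data in step 6).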
Line 219: Line 219:
 idm.sec.security.jwt.expirationTimeout=36000000 idm.sec.security.jwt.expirationTimeout=36000000
  
-# recaptcha 
-# - recaptchaservice endpoint  
-#idm.sec.security.recaptcha.url=https://www.google.com/recaptcha/api/siteverify 
-# - secret key, can be generated here https://www.google.com/recaptcha/admin 
-idm.sec.security.recaptcha.secretKey=xxx 
-# Proxy for HTTP requests 
-#idm.sec.core.http.proxy=12.34.56.78:1234 
-  
 # Cipher secret key for crypt values in confidential storage # Cipher secret key for crypt values in confidential storage
 # for crypt values is used secretKey or secretKey defined by file - secretKeyPath # for crypt values is used secretKey or secretKey defined by file - secretKeyPath
 #cipher.crypt.secret.key=XXXXXXXXXXXXXXXX #cipher.crypt.secret.key=XXXXXXXXXXXXXXXX
 cipher.crypt.secret.keyPath=/opt/czechidm/etc/secret.key cipher.crypt.secret.keyPath=/opt/czechidm/etc/secret.key
-  + 
- +# Defaults for: emailer.* 
 +# test.enabled=true means mail WILL NOT be sent
 idm.sec.core.emailer.test.enabled=true idm.sec.core.emailer.test.enabled=true
 # http://camel.apache.org/mail.html # http://camel.apache.org/mail.html
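Review bot: removing the recaptcha and proxy settings is fine, but `idm.sec.core.emailer.test.enabled=true` stays in the production template and the new comment correctly says mail WILL NOT be sent in that mode. The text should tell the reader to switch it to false (together with the host and credentials below it) when the instance goes live, otherwise notifications silently stop at the template default.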
Line 241: Line 234:
 # idm.sec.core.emailer.password=password # idm.sec.core.emailer.password=password
 idm.sec.core.emailer.from=czechidm@localhost idm.sec.core.emailer.from=czechidm@localhost
-  +
-## Global property that allow disable or enable sending notification from WF +
-idm.sec.core.wf.notification.send=false +
-  +
-  +
-# supports delete identity +
-idm.pub.core.identity.delete=true +
-+
-# default password change type for custom users, one of values:  +
-# DISABLED - password change is disable +
-# ALL_ONLY - users can change passwords only for all accounts +
-# CUSTOM - users can choose for which accounts change password +
-idm.pub.core.identity.passwordChange=ALL_ONLY +
-+
-# required old password for change password +
-idm.pub.core.identity.passwordChange.requireOldPassword=true +
-+
-# create default identity's contract, when identity is created +
-idm.pub.core.identity.create.defaultContract.enabled=true +
-  +
- +
 # Default user role will be added automatically, after an identity is logged in # Default user role will be added automatically, after an identity is logged in
 # could contains default authorities and authority policies configuration # could contains default authorities and authority policies configuration
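Review bot: this hunk drops explicit identity policy settings from the template, among them `idm.pub.core.identity.passwordChange.requireOldPassword=true` and `idm.pub.core.identity.passwordChange=ALL_ONLY`. Removing a security-relevant setting from a "production-safe" template only preserves behaviour if the application default is the same; the prose should state that the defaults are equivalent, or point to where these are configured now, so an operator upgrading an existing installation can compare.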
Line 268: Line 241:
 # Admin user role # Admin user role
 idm.sec.core.role.admin=superAdminRole idm.sec.core.role.admin=superAdminRole
-  
-  
-# ID system against which to authenticate 
-idm.sec.security.auth.systemId= 
  
-attachments will be stored under this path. +Max file size of uploaded fileValues can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size. 
-# new directories for attachment will be created in this folder (permissions has to be added) +spring.servlet.multipart.max-file-size=100MB 
-# System.getProperty("user.home")/idm_data will be used if no path is given +spring.servlet.multipart.max-request-size=100MB 
-idm.sec.core.attachment.storagePath=/opt/czechidm/data+ 
 </file> </file>
  
 === Adjust database configuration === === Adjust database configuration ===
-If you followed this howto, the only thing you should need to adjust is a **spring.datasource.password** propetry. Set it to the password for czechidm user in PostgreSQL. + 
-If necessary, adjust other database connection properties... <code properties>+If you followed this howto, the only thing you should need to adjust is a **spring.datasource.password**  propetry. Set it to the password for czechidm user in PostgreSQL. If necessary, adjust other database connection properties… 
 + 
 +<code properties>
 spring.datasource.url=jdbc:postgresql://localhost:5432/czechidm spring.datasource.url=jdbc:postgresql://localhost:5432/czechidm
 spring.datasource.username=czechidm spring.datasource.username=czechidm
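Review bot: the new line `Max file size of uploaded fileValues can use the suffixed "MB" or "KB"...` is missing the leading `#` (and a break between "file" and "Values"), so it becomes a property named `Max` instead of a comment. In the same hunk the "Adjust database configuration" snippet still lists `spring.datasource.url`, while the template above now uses `spring.datasource.jdbcUrl`; align the two so readers do not adjust a key the application no longer reads. Also "propetry" should be "property".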
Line 288: Line 260:
 spring.datasource.validationQuery=SELECT 1 spring.datasource.validationQuery=SELECT 1
 spring.datasource.test-on-borrow=true spring.datasource.test-on-borrow=true
 +
 +
 </code> </code>
  
 === Generate JWT token === === Generate JWT token ===
-Set value of the **idm.sec.security.jwt.secret.token** property as is described in the template file:<code properties>+ 
 +Set value of the **idm.sec.security.jwt.secret.token**  property as is described in the template file: 
 + 
 +<code properties>
 # Generate JWT token security string as "cat /dev/urandom | tr -dc 'a-z0-9' | head -c VALUE" where VALUE can be from 1 to 255. # Generate JWT token security string as "cat /dev/urandom | tr -dc 'a-z0-9' | head -c VALUE" where VALUE can be from 1 to 255.
 # We recommend the VALUE to be at least 25. # We recommend the VALUE to be at least 25.
 idm.sec.security.jwt.secret.token=********** TODO ********* idm.sec.security.jwt.secret.token=********** TODO *********
 +
 +
 </code> </code>
  
 === Local confidential storage === === Local confidential storage ===
  
-Local confidential storage is encrypted by AES algoritm. [[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|Read more]].  +Local confidential storage is encrypted by AES algoritm. [[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|Read more]]. Confidential storage is encrypted by a key found in **secret.key**  file you already created.
-Confidential storage is encrypted by a key found in **secret.key** file you already created.+
  
 There are two properties in application-production.properties that influence the confidential storage: There are two properties in application-production.properties that influence the confidential storage:
-  * You can set the 128bit (16byte) key directly in the property file using **cipher.crypt.secret.key** property or + 
-  * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.+  * You can set the key directly in the property file using **cipher.crypt.secret.key**  property 
 +  * or (better) you can create separate file ''secret.key''  containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath**  property.
  
 <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note> <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note>
  
-Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit key.+Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit or 256bit key. <note> Length of the key determines the cipher which will be used. If you use 128b (16byte) key, CzechIdM will use AES-128. If you use 256b (32byte) key, CzechIdM will use AES-256. 
 + 
 +  * OpenJDK/JDK 1.8u161 and all higher versions support AES-256 by default. 
 +  * Older versions (below 1.8u161) do not offer it. On those Java distributions, you can use AES-128 or obtain the [[https://www.oracle.com/java/technologies/javase-jce8-downloads.html|Unlimited Strength Jurisdiction Policy Files]] to enable AES-256. 
 + 
 +</note>
  
 === Attachment store === === Attachment store ===
-In CzechIdM, users can sometimes add attachments (say, attach *.jpeg photo to their employee card request). Those files are stored in the attachment store. + 
-With the following property, you can configure, where the store is. If you used sample property file, the store is by-default located under /opt/czechidm/data .+In CzechIdM, users can sometimes add attachments (say, attach *.jpeg photo to their employee card request). Those files are stored in the attachment store. With the following property, you can configure, where the store is. If you used sample property file, the store is by-default located under /opt/czechidm/data .
  
 <code properties> <code properties>
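Review bot: the JWT comment still says VALUE "can be from 1 to 255" and only recommends 25; a one-character signing secret is worthless, so the text should state the minimum as a requirement rather than a recommendation (25 characters from `tr -dc 'a-z0-9'` is about 129 bits, which is adequate). Typo: "algoritm". The key-length note is useful; it is worth adding that secret.key is covered by the `chmod 640 /opt/czechidm/etc/*` in step 6, since that is what keeps the key readable by the tomcat account only.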
Line 319: Line 303:
 # System.getProperty("user.home")/idm_data will be used if no path is given # System.getProperty("user.home")/idm_data will be used if no path is given
 idm.sec.core.attachment.storagePath=/opt/czechidm/data idm.sec.core.attachment.storagePath=/opt/czechidm/data
 +
 +
 </code> </code>
  
 === Environment === === Environment ===
  
-If you install CzechIdM in multiple environments (typically test and production), you can display a label in the navigation bar which will tell the users in which environment they work. The default value "production" doesn't display any label. Set the value to ''test'' to display the label marking the Test environment.+If you install CzechIdM in multiple environments (typically test and production), you can display a label in the navigation bar which will tell the users in which environment they work. The default value "production" doesn't display any label. Set the value to ''test''  to display the label marking the Test environment. 
 <code properties> <code properties>
 # Application stage (development, test, production (default)) # Application stage (development, test, production (default))
 idm.pub.app.stage=production idm.pub.app.stage=production
-</code> 
  
 +
 +</code>
  
  
 ==== 6. Set correct permissions on CzechIdM files ==== ==== 6. Set correct permissions on CzechIdM files ====
-**CentOS** 
 <code> <code>
 chown tomcat:tomcat /opt/czechidm chown tomcat:tomcat /opt/czechidm
-chown -R tomcat:tomcat /opt/czechidm/{etc,data,backup,app,lib} +chown -R tomcat:tomcat /opt/czechidm/{etc,data,backup,lib} 
-chmod 750 /opt/czechidm/{etc,data,backup,app,lib} +chmod 750 /opt/czechidm/{etc,data,backup,lib}
-chmod 640 /opt/czechidm/etc/+
-</code> +
-**Debian** +
-<code> +
-chown tomcat8:tomcat8 /opt/czechidm +
-chown -R tomcat8:tomcat8 /opt/czechidm/{etc,data,backup,app,lib} +
-chmod 750 /opt/czechidm/{etc,data,backup,app,lib}+
 chmod 640 /opt/czechidm/etc/* chmod 640 /opt/czechidm/etc/*
 </code> </code>
 +
 ==== 7. Adjust Tomcat's classpath ==== ==== 7. Adjust Tomcat's classpath ====
-Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the **/opt/czechidm/etc** directory (and others) on the classpath.+Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the ''/opt/czechidm/etc'' directory (and others) on the classpath.
  
-Add this line with this comand ''systemctl edit tomcat.service''+Create new file ''/opt/tomcat/current/bin/setenv.sh'' with following ​content: 
-<code> + 
-Environment='CLASSPATH=/opt/czechidm/etc:/opt/czechidm/lib/*' +<code bash:>
-</code> +
-On **Debian** create new file ''/usr/share/tomcat8/bin/setenv.sh'' with this content: +
-<code>+
 CLASSPATH=/opt/czechidm/etc:/opt/czechidm/lib/* CLASSPATH=/opt/czechidm/etc:/opt/czechidm/lib/*
 </code> </code>
 +
 And change owner of the file to tomcat: And change owner of the file to tomcat:
 <code> <code>
-chown root:tomcat /usr/share/tomcat8/bin/setenv.sh+chown root:tomcat /opt/tomcat/current/bin/setenv.sh
 </code> </code>
 +
 ==== 8. Create dedicated Java truststore ==== ==== 8. Create dedicated Java truststore ====
 Java truststore is a file which contains SSL certificates which we consider trusted. Usually this means some certificates of end systems or their respective certificate authorities. Java truststore is a file which contains SSL certificates which we consider trusted. Usually this means some certificates of end systems or their respective certificate authorities.
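Review bot: step 6 keeps `chown -R tomcat:tomcat /opt/czechidm/{etc,data,backup,lib}` with mode 750, which makes the tomcat service account the owner of its own configuration: it can rewrite application-production.properties, secret.key and the jars in /opt/czechidm/lib that step 7 puts on the classpath. Only data and backup need to be writable at runtime; consider root:tomcat ownership with 750 directories and 640 files for etc and lib so the runtime account can read but not modify them. Minor: `<code bash:>` has a stray colon that breaks the wiki's syntax highlighting, and the `</code>` for the stage snippet now sits after two blank lines.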
Line 383: Line 363:
 </code> </code>
  
-Edit the Tomcat service file (systemctl edit tomcat.serviceand add path to the truststore ''-Djavax.net.ssl.trustStore=/opt/czechidm/etc/truststore.jks'' and truststore password ''-Djavax.net.ssl.trustStorePassword=THE PASSWORD YOU ENTERED WHEN CREATING KEYSTORE'' to the Environment='JAVA_OPTS' options. Finally, reload the systemd and restart Tomcat.+Edit the Tomcat service file ''/etc/systemd/system/tomcat.service'' and add path to the truststore ''-Djavax.net.ssl.trustStore=/opt/czechidm/etc/truststore.jks'' and truststore password ''-Djavax.net.ssl.trustStorePassword=THE PASSWORD YOU ENTERED WHEN CREATING KEYSTORE'' to the Java options. Finally, reload the systemd and restart Tomcat.
 <code> <code>
 systemctl daemon-reload systemctl daemon-reload
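Review bot: putting `-Djavax.net.ssl.trustStorePassword=...` into the Tomcat unit's Java options exposes the password in the process command line (`ps`, /proc/<pid>/cmdline) and in /etc/systemd/system/tomcat.service, both readable by any local user by default. A truststore password protects the store's integrity rather than any confidential content, so the exposure is limited, but if it matters in your environment move the option into an `EnvironmentFile=` with restricted permissions; either way the text should say which it is.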
Line 389: Line 369:
 </code> </code>
 ==== 9. Deploy the CzechIdM ==== ==== 9. Deploy the CzechIdM ====
-Download the latest CzechIdM version. Currently it is idm-app-9.4.0.war. 
  
-**CentOS**+Download the latest CzechIdM version. Currently it is idm-app-12.2.3.war.
  
 Ensure Tomcat is stopped: Ensure Tomcat is stopped:
 +
 <code> <code>
 systemctl stop tomcat.service systemctl stop tomcat.service
 +
 </code> </code>
-Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**:+ 
 +Copy the identity manager WAR into webapps folder in Tomcat and name it ''idm.war'':
 <code> <code>
-cp idm-app-9.4.0.war /opt/czechidm/app/idm.war +cp idm-app-10.4.1.war /opt/tomcat/current/webapps/idm.war 
-chown tomcat:tomcat /opt/czechidm/app/idm.war +
-</code> +
-Start the Tomcat container:<code> +
-systemctl start tomcat.service+
 </code> </code>
-If everything is set up right, the CzechIdM will deploy. Default log is **/var/log/tomcat/catalina.out**. 
  
-**Debian**+Start the Tomcat container:
  
-Ensure Tomcat is stopped: 
 <code> <code>
-systemctl stop tomcat8.service+systemctl start tomcat.service 
 </code> </code>
-Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**: + 
-<code> +If everything is set up right, the CzechIdM will deploy. Default log is ''/opt/tomcat/​current/logs/​catalina.out''. 
-cp idm-app-9.4.0.war /opt/czechidm/app/idm.war +
-chown tomcat8:tomcat8 /opt/czechidm/app/idm.war +
-</code> +
-Start the Tomcat container:<code> +
-systemctl start tomcat8.service +
-</code> +
-If everything is set up right, the CzechIdM will deploy. Default log is **/var/log/tomcat8/catalina.out**.+
  
 ==== 10. Final Steps ====  ==== 10. Final Steps ==== 
 +
 === Allow network services === === Allow network services ===
 Firewall may restrict the access to all port except ssh (22/tcp). To be able to use CzechIdM, allow port 443/tcp and reload firewalld: Firewall may restrict the access to all port except ssh (22/tcp). To be able to use CzechIdM, allow port 443/tcp and reload firewalld:
  
 <code bash> <code bash>
 +firewall-cmd --permanent --add-port=80/tcp
 firewall-cmd --permanent --add-port=443/tcp firewall-cmd --permanent --add-port=443/tcp
 firewall-cmd --reload firewall-cmd --reload
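Review bot: the prose now says the current version is idm-app-12.2.3.war, but the copy command still uses idm-app-10.4.1.war; make them consistent. The `chown tomcat:tomcat` of the WAR is dropped in this revision, so the deployed file stays owned by whoever ran `cp`; that is acceptable for Tomcat to read and explode it, but say so, and mention an integrity check of the downloaded WAR before it is deployed. In the firewall block `--add-port=80/tcp` is added while the sentence above still says to allow only 443/tcp; update the sentence or drop the port. The log path in the last paragraph contains invisible zero-width characters that will break copy-paste.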
Line 439: Line 413:
 Follow some final configuration steps: [[tutorial:adm:czechidm_installation_finalize|]]. Follow some final configuration steps: [[tutorial:adm:czechidm_installation_finalize|]].
  
-=== On CentOS set permisive mod on Tomcat === 
-SELinux will deny acces to the database for tomcat and won't allow create files by him. The tomcat will write error to the ''/var/log/tomcat/catalina.out''or ''/var/log/messages'' line similar to ''org.postgresql.util.PSQLException: Connection to localhost:5432 refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.''. 
- 
-To fix this we need set the permissive mode for tomcat: 
-<code> 
-semanage permissive -a tomcat_t 
-</code> 
- 
-<note warning> 
-Evaluate impact of SELinux adjustments **before** you implement them. Proper mitigation heavily depends on habits and security policies of your organization. 
- 
-There are some possibilities: 
-  * Set permissive mode for logrotate as above. 
-  * Set permissive mode for whole SELinux. (This will drop the SELinux's protective function.) 
-  * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]). 
-</note> 
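Review bot: the whole SELinux section is removed, including the warning to evaluate `semanage permissive -a tomcat_t` before applying it. If it no longer applies because Tomcat now lives under /opt/tomcat/current rather than the distribution package, the revision should say so explicitly; if SELinux denials can still occur on CentOS 8, the guidance should stay, preferably pointing at the label-based fix the removed note linked to rather than permissive mode. The removed text also said "logrotate" where "tomcat" was meant in the first bullet, which is worth fixing rather than deleting.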
  • by doischert