Differences

This shows you the differences between two versions of the page.

tutorial:adm:czechidm_installation [2019/11/26 09:26]
fiserp [3. Configure environment properties. Select application profile]
tutorial:adm:czechidm_installation [2020/04/21 11:40] (current)
fiserp [1. Create DB user and database in PostgreSQL]
Line 15: Line 15:
 psql  psql 
 CREATE USER czechidm PASSWORD '​XXXXXXXXXXXX';​ CREATE USER czechidm PASSWORD '​XXXXXXXXXXXX';​
 +
 +# Choose appropriate collation and create database.
 +# with english collation
 CREATE DATABASE "​czechidm"​ WITH OWNER '​czechidm'​ ENCODING '​UTF8'​ LC_COLLATE = '​en_US.UTF-8'​ LC_CTYPE = '​en_US.UTF-8'​ template '​template0';​ CREATE DATABASE "​czechidm"​ WITH OWNER '​czechidm'​ ENCODING '​UTF8'​ LC_COLLATE = '​en_US.UTF-8'​ LC_CTYPE = '​en_US.UTF-8'​ template '​template0';​
 +# with czech collation
 +CREATE DATABASE "​czechidm"​ WITH OWNER '​czechidm'​ ENCODING '​UTF8'​ LC_COLLATE = '​cs_CZ.UTF-8'​ LC_CTYPE = '​cs_CZ.UTF-8'​ template '​template0';​
 </​code>​ </​code>​
  
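Review bot: The added comment lines use ''#'', which is not a comment marker in SQL, so pasting this block into psql as written accumulates "# Choose appropriate collation ... # with english collation" into the query buffer and the first CREATE DATABASE fails with a syntax error at "#"; use ''--'' for comments here. Both CREATE DATABASE statements are also left active and create the same database name "czechidm", so even with valid comments the second one fails with "database already exists"; since the comment says to choose one collation, comment out the alternative (for example ''-- CREATE DATABASE "czechidm" ... LC_COLLATE = 'cs_CZ.UTF-8' ...'') so only the selected line runs.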
Line 35: Line 40:
 and restart PostgreSQL. and restart PostgreSQL.
 </​note>​ </​note>​
-==== 2. JDBC driver installation ====+==== 2. JDBC driver installation ​​- CentOS7 ​==== 
 **CentOS** **CentOS**
  
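Review bot: The renamed heading "2. JDBC driver installation - CentOS7" now duplicates the bold **CentOS** label on the line below it; drop the label, since the Debian variant receives its own numbered heading later in this revision. Because the permission and deployment sections for Debian are deleted further down while this Debian JDBC step is kept, the page should also state near this heading which distributions it still fully covers.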
Line 47: Line 52:
  
 <code bash> <code bash>
-ln -s /​usr/​share/​java/​postgresql-jdbc.jar /usr/share/java/tomcat/+ln -s /​usr/​share/​java/​postgresql-jdbc.jar /opt/tomcat/current/lib/
 </​code> ​ </​code> ​
  
-**Debian**+==== 3. JDBC driver installation - Debian ​​==== ​
  
 Install the package with PostgreSQL JDBC driver: Install the package with PostgreSQL JDBC driver:
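Review bot: The symlink target moves from the packaged Tomcat's ''/usr/share/java/tomcat/'' to ''/opt/tomcat/current/lib/'' without saying that the guide now assumes a Tomcat installed by hand under ''/opt/tomcat'' with ''current'' pointing at the active version; add that prerequisite, and a quick check such as ''ls -lL /opt/tomcat/current/lib/postgresql-jdbc.jar'' so the reader can confirm the link resolves before starting Tomcat.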
Line 63: Line 68:
 ln -s /​usr/​share/​java/​postgresql.jar /​var/​lib/​tomcat8/​lib/​postgresql-jdbc4.jar ln -s /​usr/​share/​java/​postgresql.jar /​var/​lib/​tomcat8/​lib/​postgresql-jdbc4.jar
 </​code> ​ </​code> ​
-==== 3. Configure environment properties. Select application profile ====+==== 4. Configure environment properties. Select application profile ====
  
-Edit tomcat ​unit - edit the line with environment variable choosing the appropriate application profile. We use **production** profile in our example, which enables you to configure production-ready instace of the identity manager.+Edit the configuration file ''/​etc/​systemd/​system/​tomcat.service'' ​- edit the line with environment variable choosing the appropriate application profile. We use **production** profile in our example, which enables you to configure production-ready instace of the identity manager.
 <​note>​The **dev** profile is for development and testing environments and as such it has debug logging enabled. For production deployment, use a profile named **production** as is shown in the example. The profile naming convention is mandatory because other CzechIdM configuration depends on it.</​note>​ <​note>​The **dev** profile is for development and testing environments and as such it has debug logging enabled. For production deployment, use a profile named **production** as is shown in the example. The profile naming convention is mandatory because other CzechIdM configuration depends on it.</​note>​
  
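Review bot: The Debian symlink at the top of this hunk still targets the packaged layout ''/var/lib/tomcat8/lib/'' while the CentOS step was changed to ''/opt/tomcat/current/lib/''; either both distributions use the ''/opt/tomcat'' layout or the page should say that Debian keeps the package layout. The rewritten sentence also switches from a ''systemctl edit'' drop-in to editing ''/etc/systemd/system/tomcat.service'' in place, which is fine for a hand-written unit but should be stated, and "instace" should read "instance" in both revisions.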
Line 73: Line 78:
 </​note>​ </​note>​
  
-Use ''​systemctl edit tomcat.service''​ and change ​the following line  ( On Debian make changes file ''/​etc/​default/​tomcat8''​):+Change ​the following line:
 <code bash> <code bash>
 Environment='​JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/​dev/​./​urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8'​ Environment='​JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/​dev/​./​urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8'​
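Review bot: Dropping the parenthetical about ''/etc/default/tomcat8'' leaves Debian readers, whose JDBC step survives in this revision, with no place to set these options; either restore that pointer or state that the Debian package layout is no longer covered. Separately, the JAVA_OPTS line enables ''-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true'', which relaxes Tomcat's URL decoding; a one-line comment on why CzechIdM needs it would help operators who review these settings.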
Line 82: Line 87:
 </​code>​ </​code>​
  
-On CentOS reload ​systemd after the changes:+Reload ​systemd after the changes:
 <code bash> <code bash>
 systemctl daemon-reload systemctl daemon-reload
 </​code>​ </​code>​
-==== 4. Create CzechIdM configuration folders ====+==== 5. Create CzechIdM configuration folders ====
 In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments. In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments.
   * The **etc** directory stores configuration files.   * The **etc** directory stores configuration files.
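Review bot: Minor wording in the unchanged context lines: "The **backup** directory stored Groovy scripts backups" should read "stores", and "i.e. database credentials" in the introductory sentence should be "e.g.", since credentials are one example of deployment-specific configuration rather than its definition.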
Line 92: Line 97:
   * The **backup** directory stored Groovy scripts backups.   * The **backup** directory stored Groovy scripts backups.
   * The **data** directory stores various user-attached files.   * The **data** directory stores various user-attached files.
-  * The **app** directory stores war files. 
   *    * 
 Create the directory structure: Create the directory structure:
 <​code>​ <​code>​
-mkdir -p /​opt/​czechidm/​{etc,​lib,​backup,​data,app}+mkdir -p /​opt/​czechidm/​{etc,​lib,​backup,​data}
 </​code>​ </​code>​
  
  
  
-==== 5. Create CzechIdM configuration ====+==== 6. Create CzechIdM configuration ====
 Now we will create configuration files the CzechIdM will use. Now we will create configuration files the CzechIdM will use.
 <​note>​Code snippets in this chapter can be **mostly** copy-pasted or (but please read through whole chapter to be aware of setting you have to adjust). Configuring the CzechIdM is about altering four or five lines altogether.</​note>​ <​note>​Code snippets in this chapter can be **mostly** copy-pasted or (but please read through whole chapter to be aware of setting you have to adjust). Configuring the CzechIdM is about altering four or five lines altogether.</​note>​
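Review bot: Removing the **app** bullet and dropping ''app'' from the ''mkdir'' line leaves the stray empty bullet (''  * '') right above "Create the directory structure:" in both revisions; delete it. The removal itself is consistent with the WAR being copied into Tomcat's own ''webapps'' directory later in this revision, but a sentence here saying that ''/opt/czechidm/app'' is no longer used would help readers upgrading an older deployment.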
Line 197: Line 201:
 flyway.enabled=true flyway.enabled=true
    
-scheduler.enabled=true + 
-scheduler.task.queue.process=1000 +
-scheduler.event.queue.process=1000+
 scheduler.properties.location=quartz-production.properties scheduler.properties.location=quartz-production.properties
 + 
 logging.config=/​opt/​czechidm/​etc/​logback-spring.xml logging.config=/​opt/​czechidm/​etc/​logback-spring.xml
-idm.sec.core.demo.data.enabled=false 
    
-#spring.cache.ehcache.config=classpath:​ehcache.xml+idm.sec.core.demo.data.enabled=false
    
-spring.activiti.processDefinitionLocationPrefix=classpath*:/​eu/​bcvsolutions/​idm/​workflow/​ +# attachments will be stored under this path
-idm.sec.core.notification.template.folder=classpath*:/​eu/​bcvsolutions/​idm/​templates+# new directories for attachment will be created in this folder (permissions has to be added) 
-idm.sec.core.script.folder=classpath*:/eu/​bcvsolutions/​idm/scripts/+# System.getProperty("​user.home")/idm_data will be used if no path is given 
 +idm.sec.core.attachment.storagePath=/opt/czechidm/data
 # configuration property for default backup ​ # configuration property for default backup ​
 idm.sec.core.backups.default.folder.path=/​opt/​czechidm/​backup idm.sec.core.backups.default.folder.path=/​opt/​czechidm/​backup
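Review bot: ''scheduler.enabled=true'' and the two ''scheduler.*.queue.process'' settings are removed without explanation and three empty ''+'' lines are left in their place; if the intent is to rely on the application defaults, say so in a comment (the template otherwise reads as if the scheduler were unconfigured), otherwise keep the explicit values. The new ''idm.sec.core.attachment.storagePath'' comment says new directories are created under that path and that "permissions has to be added"; reword to "the Tomcat user needs write permission on this directory", which the later ''chown tomcat:tomcat'' plus ''chmod 750'' on ''/opt/czechidm/data'' satisfies through the owner bits.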
Line 218: Line 221:
 idm.sec.security.jwt.secret.token=********** TODO ********* idm.sec.security.jwt.secret.token=********** TODO *********
 idm.sec.security.jwt.expirationTimeout=36000000 idm.sec.security.jwt.expirationTimeout=36000000
- 
-# recaptcha 
-# - recaptchaservice endpoint ​ 
-#​idm.sec.security.recaptcha.url=https://​www.google.com/​recaptcha/​api/​siteverify 
-# - secret key, can be generated here https://​www.google.com/​recaptcha/​admin 
-idm.sec.security.recaptcha.secretKey=xxx 
-# Proxy for HTTP requests 
-#​idm.sec.core.http.proxy=12.34.56.78:​1234 
    
 # Cipher secret key for crypt values in confidential storage # Cipher secret key for crypt values in confidential storage
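Review bot: Good call removing the placeholder ''idm.sec.security.recaptcha.secretKey=xxx'' and the commented proxy lines from the template; the same treatment is needed for the ''idm.sec.security.jwt.secret.token=********** TODO *********'' context line just above, which this hunk leaves as a literal value. Add a ''#'' comment saying it must be replaced with a long random string before the first start, because every deployment that keeps the placeholder ends up sharing one token-signing secret.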
Line 232: Line 227:
 cipher.crypt.secret.keyPath=/​opt/​czechidm/​etc/​secret.key cipher.crypt.secret.keyPath=/​opt/​czechidm/​etc/​secret.key
    
- +# Defaults for: emailer.* 
 +# test.enabled=true means mail WILL NOT be sent
 idm.sec.core.emailer.test.enabled=true idm.sec.core.emailer.test.enabled=true
 # http://​camel.apache.org/​mail.html # http://​camel.apache.org/​mail.html
Line 241: Line 237:
 # idm.sec.core.emailer.password=password # idm.sec.core.emailer.password=password
 idm.sec.core.emailer.from=czechidm@localhost idm.sec.core.emailer.from=czechidm@localhost
-  
-## Global property that allow disable or enable sending notification from WF 
-idm.sec.core.wf.notification.send=false 
-  
-  
-# supports delete identity 
-idm.pub.core.identity.delete=true 
-# 
-# default password change type for custom users, one of values: ​ 
-# DISABLED - password change is disable 
-# ALL_ONLY - users can change passwords only for all accounts 
-# CUSTOM - users can choose for which accounts change password 
-idm.pub.core.identity.passwordChange=ALL_ONLY 
-# 
-# required old password for change password 
-idm.pub.core.identity.passwordChange.requireOldPassword=true 
-# 
-# create default identity'​s contract, when identity is created 
-idm.pub.core.identity.create.defaultContract.enabled=true 
-  
    
 # Default user role will be added automatically,​ after an identity is logged in # Default user role will be added automatically,​ after an identity is logged in
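Review bot: The added comment "test.enabled=true means mail WILL NOT be sent" is helpful, but with it the template still ships ''idm.sec.core.emailer.test.enabled=true'' under a **production** profile; list this among the "four or five lines" the chapter intro says must be adjusted. The removal of ''idm.pub.core.identity.passwordChange=ALL_ONLY'' and ''idm.pub.core.identity.passwordChange.requireOldPassword=true'' drops two explicit password-change policy settings; if the application defaults are equivalent, note that in a comment, otherwise administrators copying this file silently lose the "require old password" check.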
Line 269: Line 245:
 idm.sec.core.role.admin=superAdminRole idm.sec.core.role.admin=superAdminRole
    
-  +Max file size of uploaded file. Values can use the suffixed "​MB"​ or "​KB" ​to indicate a Megabyte or Kilobyte size. 
-ID system against which to authenticate +spring.servlet.multipart.max-file-size=100MB 
-idm.sec.security.auth.systemId+spring.servlet.multipart.max-request-size=100MB
- +
-# attachments will be stored under this path. +
-# new directories for attachment will be created in this folder (permissions has to be added) +
-# System.getProperty("​user.home"​)/​idm_data will be used if no path is given +
-idm.sec.core.attachment.storagePath=/​opt/​czechidm/​data+
 </​file>​ </​file>​
  
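Review bot: The new line "Max file size of uploaded file. Values can use the suffixed ..." is inserted into the ''.properties'' file without a leading ''#'', so it is read as a property named ''Max'' rather than as a comment; prefix it with ''#''. The removal of the bare "ID system against which to authenticate" line and the valueless ''idm.sec.security.auth.systemId'' key fixes the same kind of problem in the old version, so this hunk is otherwise an improvement.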
Line 331: Line 302:
  
  
-==== 6. Set correct permissions on CzechIdM files ====+==== 7. Set correct permissions on CzechIdM files ====
 **CentOS** **CentOS**
 <​code>​ <​code>​
 chown tomcat:​tomcat /​opt/​czechidm chown tomcat:​tomcat /​opt/​czechidm
-chown -R tomcat:​tomcat /​opt/​czechidm/​{etc,​data,​backup,app,lib} +chown -R tomcat:​tomcat /​opt/​czechidm/​{etc,​data,​backup,​lib} 
-chmod 750 /​opt/​czechidm/​{etc,​data,​backup,app,lib}+chmod 750 /​opt/​czechidm/​{etc,​data,​backup,​lib}
 chmod 640 /​opt/​czechidm/​etc/​* chmod 640 /​opt/​czechidm/​etc/​*
 </​code>​ </​code>​
-**Debian** + 
-<​code>​ +==== 8. Adjust Tomcat'​s classpath ====
-chown tomcat8:​tomcat8 /​opt/​czechidm +
-chown -R tomcat8:​tomcat8 /​opt/​czechidm/​{etc,​data,​backup,​app,​lib} +
-chmod 750 /​opt/​czechidm/​{etc,​data,​backup,​app,​lib} +
-chmod 640 /​opt/​czechidm/​etc/​* +
-</​code>​ +
-==== 7. Adjust Tomcat'​s classpath ====+
 Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the **/​opt/​czechidm/​etc** directory (and others) on the classpath. Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the **/​opt/​czechidm/​etc** directory (and others) on the classpath.
  
-Add this line with this comand ''​systemctl edit tomcat.service''​. +Create new file **/opt/tomcat/current/​bin/​setenv.sh** with following ​content: 
-<​code>​ + 
-Environment='​CLASSPATH=/​opt/​czechidm/​etc:/​opt/​czechidm/​lib/​*+<​code ​bash:>
-</​code>​ +
-On **Debian** create new file ''​/usr/share/tomcat8/​bin/​setenv.sh'' ​with this content: +
-<​code>​+
 CLASSPATH=/​opt/​czechidm/​etc:/​opt/​czechidm/​lib/​* CLASSPATH=/​opt/​czechidm/​etc:/​opt/​czechidm/​lib/​*
 </​code>​ </​code>​
 +
 And change owner of the file to tomcat: And change owner of the file to tomcat:
 <​code>​ <​code>​
-chown root:tomcat /usr/share/tomcat8/​bin/​setenv.sh+chown root:tomcat /opt/tomcat/current/​bin/​setenv.sh
 </​code>​ </​code>​
-==== 8. Create dedicated Java truststore ====+ 
 +==== 9. Create dedicated Java truststore ====
 Java truststore is a file which contains SSL certificates which we consider trusted. Usually this means some certificates of end systems or their respective certificate authorities. Java truststore is a file which contains SSL certificates which we consider trusted. Usually this means some certificates of end systems or their respective certificate authorities.
 When we need CzechIdM to communicate with some new system with SSL-encrypted way, we need to import particular certificate here and restart the Tomcat container. When we need CzechIdM to communicate with some new system with SSL-encrypted way, we need to import particular certificate here and restart the Tomcat container.
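Review bot: ''setenv.sh'' is sourced by Tomcat at every start, so after ''chown root:tomcat'' the hunk should also set its mode (for example ''chmod 640 /opt/tomcat/current/bin/setenv.sh'') so that the file is not writable by the ''tomcat'' group or by others; otherwise anyone who can write as the service account can change the JVM options of the next start. Two smaller points: the tag ''<code bash:>'' has a stray colon that will break DokuWiki highlighting, and with the Debian permissions block deleted the remaining **CentOS** label is now the only variant and can go.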
Line 383: Line 347:
 </​code>​ </​code>​
  
-Edit the Tomcat service file (systemctl edit tomcat.serviceand add path to the truststore ''​-Djavax.net.ssl.trustStore=/​opt/​czechidm/​etc/​truststore.jks''​ and truststore password ''​-Djavax.net.ssl.trustStorePassword=THE PASSWORD YOU ENTERED WHEN CREATING KEYSTORE''​ to the Environment='​JAVA_OPTS' ​options. Finally, reload the systemd and restart Tomcat.+Edit the Tomcat service file ''/​etc/​systemd/​system/​tomcat.service'' ​and add path to the truststore ''​-Djavax.net.ssl.trustStore=/​opt/​czechidm/​etc/​truststore.jks''​ and truststore password ''​-Djavax.net.ssl.trustStorePassword=THE PASSWORD YOU ENTERED WHEN CREATING KEYSTORE''​ to the Java options. Finally, reload the systemd and restart Tomcat.
 <​code>​ <​code>​
 systemctl daemon-reload systemctl daemon-reload
 systemctl restart tomcat.service systemctl restart tomcat.service
 </​code>​ </​code>​
-==== 9. Deploy the CzechIdM ====+==== 10. Deploy the CzechIdM ====
 Download the latest CzechIdM version. Currently it is idm-app-9.4.0.war. Download the latest CzechIdM version. Currently it is idm-app-9.4.0.war.
- 
-**CentOS** 
  
 Ensure Tomcat is stopped: Ensure Tomcat is stopped:
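Review bot: Putting ''-Djavax.net.ssl.trustStorePassword=...'' into the unit file's Java options exposes the password to anyone who can read ''/etc/systemd/system/tomcat.service'' or list the process command line; say that the unit file must stay readable by root only, or move the options into an ''EnvironmentFile='' with restricted permissions, and state which. Also "reload the systemd" should read "reload systemd".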
Line 399: Line 361:
 Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**:​ Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**:​
 <​code>​ <​code>​
-cp idm-app-9.4.0.war /opt/czechidm/app/idm.war +cp idm-app-9.4.0.war /opt/tomcat/current/​webapps/idm.war 
-chown tomcat:​tomcat /opt/czechidm/app/idm.war+chown tomcat:​tomcat /opt/tomcat/​current/webapps/idm.war
 </​code>​ </​code>​
 Start the Tomcat container:<​code>​ Start the Tomcat container:<​code>​
 systemctl start tomcat.service systemctl start tomcat.service
 </​code>​ </​code>​
-If everything is set up right, the CzechIdM will deploy. Default log is **/var/log/​tomcat/​catalina.out**.+If everything is set up right, the CzechIdM will deploy. Default log is **/opt/tomcat/​current/​logs/​​catalina.out**. ​
  
-**Debian** 
  
-Ensure Tomcat is stopped: +==== 11Final Steps ==== 
-<​code>​ +
-systemctl stop tomcat8.service +
-</​code>​ +
-Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**:​ +
-<​code>​ +
-cp idm-app-9.4.0.war /​opt/​czechidm/​app/​idm.war +
-chown tomcat8:​tomcat8 /​opt/​czechidm/​app/​idm.war +
-</​code>​ +
-Start the Tomcat container:<​code>​ +
-systemctl start tomcat8.service +
-</​code>​ +
-If everything is set up right, the CzechIdM will deploy. Default log is **/​var/​log/​tomcat8/​catalina.out**.+
  
-==== 10. Final Steps ====  
 === Allow network services === === Allow network services ===
 Firewall may restrict the access to all port except ssh (22/tcp). To be able to use CzechIdM, allow port 443/tcp and reload firewalld: Firewall may restrict the access to all port except ssh (22/tcp). To be able to use CzechIdM, allow port 443/tcp and reload firewalld:
Line 439: Line 387:
 Follow some final configuration steps: [[tutorial:​adm:​czechidm_installation_finalize|]]. Follow some final configuration steps: [[tutorial:​adm:​czechidm_installation_finalize|]].
  
-=== On CentOS set permisive mod on Tomcat === 
-SELinux will deny acces to the database for tomcat and won't allow create files by him. The tomcat will write error to the ''/​var/​log/​tomcat/​catalina.out''​or ''/​var/​log/​messages''​ line similar to ''​org.postgresql.util.PSQLException:​ Connection to localhost:​5432 refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.''​. 
- 
-To fix this we need set the permissive mode for tomcat: 
-<​code>​ 
-semanage permissive -a tomcat_t 
-</​code>​ 
- 
-<note warning> 
-Evaluate impact of SELinux adjustments **before** you implement them. Proper mitigation heavily depends on habits and security policies of your organization. 
- 
-There are some possibilities:​ 
-  * Set permissive mode for logrotate as above. 
-  * Set permissive mode for whole SELinux. (This will drop the SELinux'​s protective function.) 
-  * Adjust particular SELinux labels. Example ([[https://​access.redhat.com/​solutions/​39006|here]]). 
-</​note>​
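Review bot: Deleting the whole SELinux section removes the only guidance for the ''Connection to localhost:5432 refused'' symptom on CentOS 7, which this revision still targets in the JDBC heading; if the removal is because a Tomcat under ''/opt/tomcat'' does not run in the ''tomcat_t'' domain, say so in a sentence, otherwise keep a pointer and prefer the label-adjustment option from the removed warning over a permissive domain. The heading "==== 11Final Steps ====" also lost the period and space after "11", and the deleted Debian deploy block leaves ''systemctl stop tomcat.service'' as the only variant, consistent with the earlier hunks.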