Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:czechidm_installation_tmp [2020/03/12 14:49]
urbanl created
+++ tutorial:adm:czechidm_installation_tmp [2020/07/24 12:52]
fiserp [10. Final Steps]
@@ Line 1: / Line 1: @@
-<note important>IdM installation for CentOS8</note>
+<note important>IdM installation for CentOS8
-====== Installation of CzechIdM - Linux ======
+This tutorial is in development
+Author: Ludek Urban</note>
+====== Installation of CzechIdM - Linux - CentOS8 ======
 {{tag>installation jdbc quickstart encryption}}
-We presume that the server is prepared as described in [[tutorial:adm:server_preparation|]].
+We expect that the server is prepared as described in [[tutorial:adm:server_preparation|]].
-This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (java, postgreSQL, Tomcat, Apache httpd). If you are looking for a demo installation please see [[:getting-started|]].
+This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (Java, PostgreSQL, Tomcat, Apache HTTPd). If you are looking for a demo installation please see [[:getting-started|]].
-<note tip>If you install CzechIdM on Sql server please skip instruction with setup DB and install JDBC driver and [[tutorial:adm:mssql_database_support|follow the tutorial.]]</note>
+<note tip>If you install CzechIdM on with Microsoft SQL Server database backend, please skip PostgreSQL-related sections and [[tutorial:adm:mssql_database_support|swap them for this tutorial]] instead.</note>
 ==== 1. Create DB user and database in PostgreSQL ====
 Switch the user from root to postgres and use **psql** to add the user and database into PostgreSQL:
@@ Line 17: / Line 21: @@
 psql
 CREATE USER czechidm PASSWORD 'XXXXXXXXXXXX';
+# Choose appropriate collation and create database.
+# with english collation
 CREATE DATABASE "czechidm" WITH OWNER 'czechidm' ENCODING 'UTF8' LC_COLLATE = 'en_US.UTF-8' LC_CTYPE = 'en_US.UTF-8' template 'template0';
+# with czech collation
+CREATE DATABASE "czechidm" WITH OWNER 'czechidm' ENCODING 'UTF8' LC_COLLATE = 'cs_CZ.UTF-8' LC_CTYPE = 'cs_CZ.UTF-8' template 'template0';
 </code>
@@ Line 37: / Line 46: @@
 and restart PostgreSQL.
 </note>
-==== 2. JDBC driver installation - CentOS7 ====
+==== 2. JDBC driver installation - CentOS8 ====
 **CentOS**
@@ Line 52: / Line 61: @@
 <note>The **dev** profile is for development and testing environments and as such it has debug logging enabled. For production deployment, use a profile named **production** as is shown in the example. The profile naming convention is mandatory because other CzechIdM configuration depends on it.</note>
-<note important>To prevent application startup fails due to Flyway bug, property ''-Djava.util.Arrays.useLegacyMergeSort=true'' has to be added into environment properties. If property is not set, then application can fail on error:
-<code>Error creating bean with name 'flywayCore' defined in class path resource [eu/bcvsolutions/idm/core/config/flyway/CoreFlywayConfig.class]:
-Initialization of bean failed; nested exception is java.lang.IllegalArgumentException: Comparison method violates its general contract!</code>
-</note>
 Change the following line:
@@ Line 63: / Line 68: @@
 into:
 <code bash>
-Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Dspring.profiles.active=production -Djava.util.Arrays.useLegacyMergeSort=true'
+Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Dspring.profiles.active=production'
 </code>
@@ Line 87: / Line 92: @@
 Now we will create configuration files the CzechIdM will use.
 <note>Code snippets in this chapter can be **mostly** copy-pasted or (but please read through whole chapter to be aware of setting you have to adjust). Configuring the CzechIdM is about altering four or five lines altogether.</note>
-  * The **/opt/czechidm/etc/secret.key** is a file with confidential storage secret key. This key has to have 128 bit (= 16 bytes).<code>
+  * The **/opt/czechidm/etc/secret.key** is a file with confidential storage secret key. This key has to have 128 bit (= 16 bytes) or 256 bit (= 32b bytes). The length of the key determines the AES cipher used (AES-128 od AES-256).<code>
-cat /dev/urandom | tr -dc 'a-z0-9' | head -c 16 > /opt/czechidm/etc/secret.key
+cat /dev/urandom | tr -dc 'a-z0-9' | head -c 32 > /opt/czechidm/etc/secret.key
 </code>
   * The **/opt/czechidm/etc/quartz-production.properties** file stores, the Quartz scheduler configuration. You can use the following snippet as a production-safe configuration file.<file properties quartz-production.properties>
@@ Line 118: / Line 123: @@
     </springProfile>
-    <springProfile name="test">
+    <springProfile name="production">
-        <logger name="eu.bcvsolutions" level="DEBUG"/>
-        <logger name="org.springframework" level="INFO"/>
-        <logger name="org.springframework.web" level="INFO"/>
-        <logger name="org.hibernate.SQL" level="INFO"/>
-        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/>
-    </springProfile>
-    <springProfile name="dev">
         <springProperty name="spring.datasource.driver-class-name" source="spring.datasource.driver-class-name"/>
         <springProperty name="spring.datasource.url" source="spring.datasource.url"/>
@@ Line 146: / Line 143: @@
         </appender>
-        <logger name="eu.bcvsolutions" level="TRACE">
+        <logger name="eu.bcvsolutions" level="INFO">
             <appender-ref ref="DB_ASYNC" />
         </logger>
         <logger name="org.springframework" level="INFO"/>
-        <logger name="org.springframework.web" level="DEBUG"/>
+        <logger name="org.springframework.web" level="INFO"/>
-        <logger name="org.hibernate.SQL" level="DEBUG"/>
+        <logger name="org.hibernate.SQL" level="INFO"/>
-        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="TRACE"/>
+        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/>
-    </springProfile>
-    <springProfile name="dev-mysql">
-        <logger name="eu.bcvsolutions" level="TRACE" />
-        <logger name="org.springframework" level="INFO"/>
-        <logger name="org.springframework.web" level="DEBUG"/>
-        <logger name="org.hibernate.SQL" level="DEBUG"/>
-        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="TRACE"/>
     </springProfile>
 </configuration>
 </file>
@@ Line 253: / Line 244: @@
 There are two properties in application-production.properties that influence the confidential storage:
-  * You can set the 128bit (16byte) key directly in the property file using **cipher.crypt.secret.key** property or
+  * You can set the key directly in the property file using **cipher.crypt.secret.key** property
-  * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.
+  * or (better) you can create separate file ''secret.key'' containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.
 <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note>
-Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit key.
+Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit or 256bit key.
+<note>
+Length of the key determines the cipher which will be used. If you use 128b (16byte) key, CzechIdM will use AES-128. If you use 256b (32byte) key, CzechIdM will use AES-256.
+  * OpenJDK/JDK 1.8u161 and all higher versions support AES-256 by default.
+  * Older versions (below 1.8u161) do not offer it. On those Java distributions, you can use AES-128 or obtain the [[https://www.oracle.com/java/technologies/javase-jce8-downloads.html|Unlimited Strength Jurisdiction Policy Files]] to enable AES-256.
+</note>
 === Attachment store ===
@@ Line 282: / Line 280: @@
 ==== 6. Set correct permissions on CzechIdM files ====
-**CentOS**
 <code>
 chown tomcat:tomcat /opt/czechidm
@@ Line 291: / Line 288: @@
 ==== 7. Adjust Tomcat's classpath ====
-Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the **/opt/czechidm/etc** directory (and others) on the classpath.
+Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the ''/opt/czechidm/etc'' directory (and others) on the classpath.
-Create new file **/opt/tomcat/current/bin/setenv.sh** with following content:
+Create new file ''/opt/tomcat/current/bin/setenv.sh'' with following content:
 <code bash:>
@@ Line 332: / Line 329: @@
 </code>
 ==== 9. Deploy the CzechIdM ====
-Download the latest CzechIdM version. Currently it is idm-app-9.4.0.war.
+Download the latest CzechIdM version. Currently it is idm-app-10.4.1.war.
 Ensure Tomcat is stopped:
@@ Line 338: / Line 335: @@
 systemctl stop tomcat.service
 </code>
-Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**:
+Copy the identity manager WAR into webapps folder in Tomcat and name it ''idm.war'':
 <code>
-cp idm-app-9.4.0.war /opt/tomcat/current/webapps/idm.war
+cp idm-app-10.4.1.war /opt/tomcat/current/webapps/idm.war
-chown tomcat:tomcat /opt/tomcat/current/webapps/idm.war
 </code>
 Start the Tomcat container:<code>
 systemctl start tomcat.service
 </code>
-If everything is set up right, the CzechIdM will deploy. Default log is **/opt/tomcat/current/logs/catalina.out**.
+If everything is set up right, the CzechIdM will deploy. Default log is ''/opt/tomcat/current/logs/catalina.out''.
@@ Line 355: / Line 351: @@
 <code bash>
+firewall-cmd --permanent --add-port=80/tcp
 firewall-cmd --permanent --add-port=443/tcp
 firewall-cmd --reload