tutorial:adm:czechidm_installation_tmp [2020/03/24 08:14] urbanl |
tutorial:adm:czechidm_installation_tmp [2020/07/24 12:52] fiserp [10. Final Steps] |
{{tag>installation jdbc quickstart encryption}} | {{tag>installation jdbc quickstart encryption}} |
| |
We presume that the server is prepared as described in [[tutorial:adm:server_preparation|]]. | We expect that the server is prepared as described in [[tutorial:adm:server_preparation|]]. |
| |
This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (java, postgreSQL, Tomcat, Apache httpd). If you are looking for a demo installation please see [[:getting-started|]]. | This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (Java, PostgreSQL, Tomcat, Apache HTTPd). If you are looking for a demo installation please see [[:getting-started|]]. |
| |
<note tip>If you install CzechIdM on Sql server please skip instruction with setup DB and install JDBC driver and [[tutorial:adm:mssql_database_support|follow the tutorial.]]</note> | <note tip>If you install CzechIdM on with Microsoft SQL Server database backend, please skip PostgreSQL-related sections and [[tutorial:adm:mssql_database_support|swap them for this tutorial]] instead.</note> |
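Review bot: the new wording of this tip, "If you install CzechIdM on with Microsoft SQL Server database backend", has a stray "on" and a missing article; suggest "If you install CzechIdM with a Microsoft SQL Server database backend, please skip the PostgreSQL-related sections and follow the linked tutorial instead." The link text "swap them for this tutorial" reads oddly as well, since the reader follows a tutorial rather than swapping sections for one.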
==== 1. Create DB user and database in PostgreSQL ==== | ==== 1. Create DB user and database in PostgreSQL ==== |
Switch the user from root to postgres and use **psql** to add the user and database into PostgreSQL: | Switch the user from root to postgres and use **psql** to add the user and database into PostgreSQL: |
psql | psql |
CREATE USER czechidm PASSWORD 'XXXXXXXXXXXX'; | CREATE USER czechidm PASSWORD 'XXXXXXXXXXXX'; |
| |
| # Choose appropriate collation and create database. |
| # with english collation |
CREATE DATABASE "czechidm" WITH OWNER 'czechidm' ENCODING 'UTF8' LC_COLLATE = 'en_US.UTF-8' LC_CTYPE = 'en_US.UTF-8' template 'template0'; | CREATE DATABASE "czechidm" WITH OWNER 'czechidm' ENCODING 'UTF8' LC_COLLATE = 'en_US.UTF-8' LC_CTYPE = 'en_US.UTF-8' template 'template0'; |
| # with czech collation |
| CREATE DATABASE "czechidm" WITH OWNER 'czechidm' ENCODING 'UTF8' LC_COLLATE = 'cs_CZ.UTF-8' LC_CTYPE = 'cs_CZ.UTF-8' template 'template0'; |
</code> | </code> |
| |
and restart PostgreSQL. | and restart PostgreSQL. |
</note> | </note> |
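Review bot: the comment lines added to the psql snippet (`# Choose appropriate collation and create database.`, `# with english collation`, `# with czech collation`) are not comments in psql; `#` has no comment meaning there, so a reader who pastes the block as shown sends those lines to the server and gets a syntax error. Use SQL comments (`-- with english collation`) instead. The two CREATE DATABASE statements are alternatives that both create a database named "czechidm", so the snippet should say explicitly to run only one of them; as written, running the block top to bottom fails on the second one because the database already exists.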
==== 2. JDBC driver installation - CentOS7 ==== | ==== 2. JDBC driver installation - CentOS8 ==== |
**CentOS** | **CentOS** |
| |
<note>The **dev** profile is for development and testing environments and as such it has debug logging enabled. For production deployment, use a profile named **production** as is shown in the example. The profile naming convention is mandatory because other CzechIdM configuration depends on it.</note> | <note>The **dev** profile is for development and testing environments and as such it has debug logging enabled. For production deployment, use a profile named **production** as is shown in the example. The profile naming convention is mandatory because other CzechIdM configuration depends on it.</note> |
| |
<note important>To prevent application startup fails due to Flyway bug, property ''-Djava.util.Arrays.useLegacyMergeSort=true'' has to be added into environment properties. If property is not set, then application can fail on error: | |
<code>Error creating bean with name 'flywayCore' defined in class path resource [eu/bcvsolutions/idm/core/config/flyway/CoreFlywayConfig.class]: | |
Initialization of bean failed; nested exception is java.lang.IllegalArgumentException: Comparison method violates its general contract!</code> | |
</note> | |
| |
Change the following line: | Change the following line: |
into: | into: |
<code bash> | <code bash> |
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Dspring.profiles.active=production -Djava.util.Arrays.useLegacyMergeSort=true' | Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Dspring.profiles.active=production' |
</code> | </code> |
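Review bot: the Flyway note and the `-Djava.util.Arrays.useLegacyMergeSort=true` flag are dropped from the JAVA_OPTS line in the new revision without any explanation. If the "Comparison method violates its general contract!" startup failure no longer occurs with the CzechIdM version this revision targets (idm-app-10.4.1 further down), say so in a sentence next to the JAVA_OPTS line so that administrators upgrading an existing systemd unit know the flag can be removed; if the failure can still occur, the removal is a regression and the note should stay.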
| |
Now we will create configuration files the CzechIdM will use. | Now we will create configuration files the CzechIdM will use. |
<note>Code snippets in this chapter can be **mostly** copy-pasted or (but please read through whole chapter to be aware of setting you have to adjust). Configuring the CzechIdM is about altering four or five lines altogether.</note> | <note>Code snippets in this chapter can be **mostly** copy-pasted or (but please read through whole chapter to be aware of setting you have to adjust). Configuring the CzechIdM is about altering four or five lines altogether.</note> |
* The **/opt/czechidm/etc/secret.key** is a file with confidential storage secret key. This key has to have 128 bit (= 16 bytes).<code> | * The **/opt/czechidm/etc/secret.key** is a file with confidential storage secret key. This key has to have 128 bit (= 16 bytes) or 256 bit (= 32b bytes). The length of the key determines the AES cipher used (AES-128 od AES-256).<code> |
cat /dev/urandom | tr -dc 'a-z0-9' | head -c 16 > /opt/czechidm/etc/secret.key | cat /dev/urandom | tr -dc 'a-z0-9' | head -c 32 > /opt/czechidm/etc/secret.key |
</code> | </code> |
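Review bot: two typos in the new text of the secret.key bullet: "32b bytes" should read "32 bytes" and "AES-128 od AES-256" should read "AES-128 or AES-256". More importantly, `cat /dev/urandom | tr -dc 'a-z0-9' | head -c 32` produces 32 characters drawn from a 36-symbol alphabet, about 5.17 bits of entropy per character, so the 32-byte file carries roughly 165 bits of entropy and the 16-byte one roughly 83 bits. The file length matches what the cipher expects, but the key has less entropy than the nominal AES-128/AES-256 strength suggests. Either state that in the bullet or widen the alphabet (for example `tr -dc 'A-Za-z0-9'`, about 5.95 bits per character), keeping the output at exactly 16 or 32 bytes since the length selects the cipher.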
* The **/opt/czechidm/etc/quartz-production.properties** file stores, the Quartz scheduler configuration. You can use the following snippet as a production-safe configuration file.<file properties quartz-production.properties> | * The **/opt/czechidm/etc/quartz-production.properties** file stores, the Quartz scheduler configuration. You can use the following snippet as a production-safe configuration file.<file properties quartz-production.properties> |
</springProfile> | </springProfile> |
| |
<springProfile name="test"> | <springProfile name="production"> |
<logger name="eu.bcvsolutions" level="DEBUG"/> | |
<logger name="org.springframework" level="INFO"/> | |
<logger name="org.springframework.web" level="INFO"/> | |
<logger name="org.hibernate.SQL" level="INFO"/> | |
<logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/> | |
</springProfile> | |
| |
<springProfile name="dev"> | |
<springProperty name="spring.datasource.driver-class-name" source="spring.datasource.driver-class-name"/> | <springProperty name="spring.datasource.driver-class-name" source="spring.datasource.driver-class-name"/> |
<springProperty name="spring.datasource.url" source="spring.datasource.url"/> | <springProperty name="spring.datasource.url" source="spring.datasource.url"/> |
</appender> | </appender> |
| |
<logger name="eu.bcvsolutions" level="TRACE"> | <logger name="eu.bcvsolutions" level="INFO"> |
<appender-ref ref="DB_ASYNC" /> | <appender-ref ref="DB_ASYNC" /> |
</logger> | </logger> |
<logger name="org.springframework" level="INFO"/> | <logger name="org.springframework" level="INFO"/> |
<logger name="org.springframework.web" level="DEBUG"/> | <logger name="org.springframework.web" level="INFO"/> |
<logger name="org.hibernate.SQL" level="DEBUG"/> | <logger name="org.hibernate.SQL" level="INFO"/> |
<logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="TRACE"/> | <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/> |
</springProfile> | </springProfile> |
| |
<springProfile name="dev-mysql"> | |
<logger name="eu.bcvsolutions" level="TRACE" /> | |
<logger name="org.springframework" level="INFO"/> | |
<logger name="org.springframework.web" level="DEBUG"/> | |
<logger name="org.hibernate.SQL" level="DEBUG"/> | |
<logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="TRACE"/> | |
</springProfile> | |
</configuration> | </configuration> |
</file> | </file> |
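Review bot: in the logback fragment the `test` profile with its DEBUG loggers and the `dev` profile wrapper are removed, the remaining DB-appender block becomes the `production` profile with every logger at INFO, and the `dev-mysql` profile is dropped entirely. That is consistent for a production-only file, but the note earlier on the page still says the `dev` profile "has debug logging enabled", which nothing in this file now provides; either keep a `dev` profile block with the DEBUG/TRACE loggers or reword that note. A short sentence above the file stating that only the `production` profile is configured here would also help readers who copy the snippet into a development environment.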
| |
There are two properties in application-production.properties that influence the confidential storage: | There are two properties in application-production.properties that influence the confidential storage: |
* You can set the 128bit (16byte) key directly in the property file using **cipher.crypt.secret.key** property or | * You can set the key directly in the property file using **cipher.crypt.secret.key** property |
* you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property. | * or (better) you can create separate file ''secret.key'' containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property. |
| |
<note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note> | <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note> |
| |
Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit key. | Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit or 256bit key. |
| <note> |
| Length of the key determines the cipher which will be used. If you use 128b (16byte) key, CzechIdM will use AES-128. If you use 256b (32byte) key, CzechIdM will use AES-256. |
| |
| * OpenJDK/JDK 1.8u161 and all higher versions support AES-256 by default. |
| * Older versions (below 1.8u161) do not offer it. On those Java distributions, you can use AES-128 or obtain the [[https://www.oracle.com/java/technologies/javase-jce8-downloads.html|Unlimited Strength Jurisdiction Policy Files]] to enable AES-256. |
| |
| </note> |
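Review bot: the note added here repeats the key-length rule that the new revision also added to the secret.key bullet (16 bytes selects AES-128, 32 bytes selects AES-256); state it in one place and refer to it from the other. The 1.8u161 threshold for unlimited-strength crypto policy being enabled by default is correct; it would help to add what happens on an older JDK without the policy files when a 32-byte key is configured (whether CzechIdM refuses to start or the error appears on first use of the confidential storage), since Java does not silently fall back to AES-128 in that case. The "more info" link points at the Java 7 Cipher documentation while the note discusses Java 8 update levels; linking the Java 8 page would be consistent.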
| |
=== Attachment store === | === Attachment store === |
| |
==== 6. Set correct permissions on CzechIdM files ==== | ==== 6. Set correct permissions on CzechIdM files ==== |
**CentOS** | |
<code> | <code> |
chown tomcat:tomcat /opt/czechidm | chown tomcat:tomcat /opt/czechidm |
| |
==== 7. Adjust Tomcat's classpath ==== | ==== 7. Adjust Tomcat's classpath ==== |
Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the **/opt/czechidm/etc** directory (and others) on the classpath. | Apache Tomcat has to know where the new configuration is. Because CzechIdM uses SpringBoot project, we simply add the ''/opt/czechidm/etc'' directory (and others) on the classpath. |
| |
Create new file **/opt/tomcat/current/bin/setenv.sh** with following content: | Create new file ''/opt/tomcat/current/bin/setenv.sh'' with following content: |
| |
<code bash:> | <code bash:> |
</code> | </code> |
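Review bot: the setenv.sh block is fenced as `<code bash:>` in both revisions; the trailing colon is not a valid DokuWiki language tag, so the block renders without bash highlighting. Change it to `<code bash>`. Since this file is sourced by Tomcat at startup, the text should also say that `setenv.sh` stays owned by root and is not writable by the tomcat user; the permissions step in section 6 only covers `/opt/czechidm`.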
==== 9. Deploy the CzechIdM ==== | ==== 9. Deploy the CzechIdM ==== |
Download the latest CzechIdM version. Currently it is idm-app-9.4.0.war. | Download the latest CzechIdM version. Currently it is idm-app-10.4.1.war. |
| |
Ensure Tomcat is stopped: | Ensure Tomcat is stopped: |
systemctl stop tomcat.service | systemctl stop tomcat.service |
</code> | </code> |
Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**: | Copy the identity manager WAR into webapps folder in Tomcat and name it ''idm.war'': |
<code> | <code> |
cp idm-app-9.4.0.war /opt/tomcat/current/webapps/idm.war | cp idm-app-10.4.1.war /opt/tomcat/current/webapps/idm.war |
chown tomcat:tomcat /opt/tomcat/current/webapps/idm.war | |
</code> | </code> |
Start the Tomcat container:<code> | Start the Tomcat container:<code> |
systemctl start tomcat.service | systemctl start tomcat.service |
</code> | </code> |
If everything is set up right, the CzechIdM will deploy. Default log is **/opt/tomcat/current/logs/catalina.out**. | If everything is set up right, the CzechIdM will deploy. Default log is ''/opt/tomcat/current/logs/catalina.out''. |
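Review bot: the line `chown tomcat:tomcat /opt/tomcat/current/webapps/idm.war` is removed from the copy step in the new revision. If the WAR is copied as root, Tomcat only needs read access to deploy it, so the step works with the default umask, but dropping the line removes the one place where ownership of the deployed artefact was made explicit; either keep it or add a sentence saying the WAR may remain root-owned and that Tomcat only needs to read it.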
| |
| |
| |
<code bash> | <code bash> |
| firewall-cmd --permanent --add-port=80/tcp |
firewall-cmd --permanent --add-port=443/tcp | firewall-cmd --permanent --add-port=443/tcp |
firewall-cmd --reload | firewall-cmd --reload |
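Review bot: the new revision opens 80/tcp alongside 443/tcp. That is appropriate only if the Apache httpd in front of Tomcat redirects plain HTTP to HTTPS; otherwise a user who types the hostname without a scheme reaches the IdM login over plaintext. Add a sentence stating what port 80 is for, and if httpd is not configured to redirect, leave port 80 closed.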