Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:czechidm_installation_tmp [2020/07/24 12:17]
fiserp [7. Adjust Tomcat's classpath]
+++ tutorial:adm:czechidm_installation_tmp [2020/07/24 12:52]
fiserp [10. Final Steps]
@@ Line 92: / Line 92: @@
 Now we will create configuration files the CzechIdM will use.
 <note>Code snippets in this chapter can be **mostly** copy-pasted or (but please read through whole chapter to be aware of setting you have to adjust). Configuring the CzechIdM is about altering four or five lines altogether.</note>
-  * The **/opt/czechidm/etc/secret.key** is a file with confidential storage secret key. This key has to have 128 bit (= 16 bytes).<code>
+  * The **/opt/czechidm/etc/secret.key** is a file with confidential storage secret key. This key has to have 128 bit (= 16 bytes) or 256 bit (= 32b bytes). The length of the key determines the AES cipher used (AES-128 od AES-256).<code>
-cat /dev/urandom | tr -dc 'a-z0-9' | head -c 16 > /opt/czechidm/etc/secret.key
+cat /dev/urandom | tr -dc 'a-z0-9' | head -c 32 > /opt/czechidm/etc/secret.key
 </code>
   * The **/opt/czechidm/etc/quartz-production.properties** file stores, the Quartz scheduler configuration. You can use the following snippet as a production-safe configuration file.<file properties quartz-production.properties>
@@ Line 123: / Line 123: @@
     </springProfile>
-    <springProfile name="test">
+    <springProfile name="production">
-        <logger name="eu.bcvsolutions" level="DEBUG"/>
-        <logger name="org.springframework" level="INFO"/>
-        <logger name="org.springframework.web" level="INFO"/>
-        <logger name="org.hibernate.SQL" level="INFO"/>
-        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/>
-    </springProfile>
-    <springProfile name="dev">
         <springProperty name="spring.datasource.driver-class-name" source="spring.datasource.driver-class-name"/>
         <springProperty name="spring.datasource.url" source="spring.datasource.url"/>
@@ Line 151: / Line 143: @@
         </appender>
-        <logger name="eu.bcvsolutions" level="TRACE">
+        <logger name="eu.bcvsolutions" level="INFO">
             <appender-ref ref="DB_ASYNC" />
         </logger>
         <logger name="org.springframework" level="INFO"/>
-        <logger name="org.springframework.web" level="DEBUG"/>
+        <logger name="org.springframework.web" level="INFO"/>
-        <logger name="org.hibernate.SQL" level="DEBUG"/>
+        <logger name="org.hibernate.SQL" level="INFO"/>
-        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="TRACE"/>
+        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/>
-    </springProfile>
-    <springProfile name="dev-mysql">
-        <logger name="eu.bcvsolutions" level="TRACE" />
-        <logger name="org.springframework" level="INFO"/>
-        <logger name="org.springframework.web" level="DEBUG"/>
-        <logger name="org.hibernate.SQL" level="DEBUG"/>
-        <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="TRACE"/>
     </springProfile>
-            <springProfile name="production">
-                <springProperty name="spring.datasource.driver-class-name" source="spring.datasource.driver-class-name"/>
-                <springProperty name="spring.datasource.url" source="spring.datasource.url"/>
-                <springProperty name="spring.datasource.username" source="spring.datasource.username"/>
-                <springProperty name="spring.datasource.password" source="spring.datasource.password"/>
-                <appender name="DB" class="ch.qos.logback.classic.db.DBAppender">
-                        <connectionSource class="ch.qos.logback.core.db.DriverManagerConnectionSource">
-                                <driverClass>${spring.datasource.driver-class-name}</driverClass>
-                                <url>${spring.datasource.url}</url>
-                                <user>${spring.datasource.username}</user>
-                                <password>${spring.datasource.password}</password>
-                        </connectionSource>
-                </appender>
-                <appender name="DB_ASYNC" class="ch.qos.logback.classic.AsyncAppender">
-                        <appender-ref ref="DB" />
-                        <includeCallerData>true</includeCallerData>
-                </appender>
-                <logger name="eu.bcvsolutions" level="INFO">
-                        <appender-ref ref="DB_ASYNC" />
-                </logger>
-                <logger name="org.springframework" level="INFO"/>
-                <logger name="org.springframework.web" level="INFO"/>
-                <logger name="org.hibernate.SQL" level="INFO"/>
-                <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/>
-        </springProfile>
 </configuration>
@@ Line 287: / Line 244: @@
 There are two properties in application-production.properties that influence the confidential storage:
-  * You can set the 128bit (16byte) key directly in the property file using **cipher.crypt.secret.key** property or
+  * You can set the key directly in the property file using **cipher.crypt.secret.key** property
-  * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.
+  * or (better) you can create separate file ''secret.key'' containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.
 <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note>
-Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit key.
+Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit or 256bit key.
+<note>
+Length of the key determines the cipher which will be used. If you use 128b (16byte) key, CzechIdM will use AES-128. If you use 256b (32byte) key, CzechIdM will use AES-256.
+  * OpenJDK/JDK 1.8u161 and all higher versions support AES-256 by default.
+  * Older versions (below 1.8u161) do not offer it. On those Java distributions, you can use AES-128 or obtain the [[https://www.oracle.com/java/technologies/javase-jce8-downloads.html|Unlimited Strength Jurisdiction Policy Files]] to enable AES-256.
+</note>
 === Attachment store ===
@@ Line 365: / Line 329: @@
 </code>
 ==== 9. Deploy the CzechIdM ====
-Download the latest CzechIdM version. Currently it is idm-app-9.4.0.war.
+Download the latest CzechIdM version. Currently it is idm-app-10.4.1.war.
 Ensure Tomcat is stopped:
@@ Line 371: / Line 335: @@
 systemctl stop tomcat.service
 </code>
-Copy the identity manager WAR into webapps folder in Tomcat and name it **idm.war**:
+Copy the identity manager WAR into webapps folder in Tomcat and name it ''idm.war'':
 <code>
-cp idm-app-9.4.0.war /opt/tomcat/current/webapps/idm.war
+cp idm-app-10.4.1.war /opt/tomcat/current/webapps/idm.war
-chown tomcat:tomcat /opt/tomcat/current/webapps/idm.war
 </code>
 Start the Tomcat container:<code>
 systemctl start tomcat.service
 </code>
-If everything is set up right, the CzechIdM will deploy. Default log is **/opt/tomcat/current/logs/catalina.out**.
+If everything is set up right, the CzechIdM will deploy. Default log is ''/opt/tomcat/current/logs/catalina.out''.
@@ Line 388: / Line 351: @@
 <code bash>
+firewall-cmd --permanent --add-port=80/tcp
 firewall-cmd --permanent --add-port=443/tcp
 firewall-cmd --reload