tutorial:adm:czechidm_installation_tmp [2020/07/24 12:23] fiserp [9. Deploy the CzechIdM] |
tutorial:adm:czechidm_installation_tmp [2020/07/24 12:52] fiserp [10. Final Steps] |
Now we will create configuration files the CzechIdM will use. | Now we will create configuration files the CzechIdM will use. |
<note>Code snippets in this chapter can **mostly** be copy-pasted (but please read through the whole chapter to be aware of the settings you have to adjust). Configuring CzechIdM amounts to altering four or five lines altogether.</note> | <note>Code snippets in this chapter can **mostly** be copy-pasted (but please read through the whole chapter to be aware of the settings you have to adjust). Configuring CzechIdM amounts to altering four or five lines altogether.</note> |
* The **/opt/czechidm/etc/secret.key** is a file containing the confidential storage secret key. This key has to be 128 bits (= 16 bytes) long.<code> | * The **/opt/czechidm/etc/secret.key** is a file containing the confidential storage secret key. This key has to be 128 bits (= 16 bytes) or 256 bits (= 32 bytes) long; the length of the key determines the AES cipher used (AES-128 or AES-256). Restrict the file to the user CzechIdM runs as (mode 0600), since anyone who can read it can decrypt the confidential storage.<code> |
cat /dev/urandom | tr -dc 'a-z0-9' | head -c 16 > /opt/czechidm/etc/secret.key | cat /dev/urandom | tr -dc 'a-z0-9' | head -c 32 > /opt/czechidm/etc/secret.key |
</code> | </code> |
* The **/opt/czechidm/etc/quartz-production.properties** file stores the Quartz scheduler configuration. You can use the following snippet as a production-safe configuration file.<file properties quartz-production.properties> | * The **/opt/czechidm/etc/quartz-production.properties** file stores the Quartz scheduler configuration. You can use the following snippet as a production-safe configuration file.<file properties quartz-production.properties> |
</springProfile> | </springProfile> |
| |
<springProfile name="test"> | <springProfile name="production"> |
<logger name="eu.bcvsolutions" level="DEBUG"/> | |
<logger name="org.springframework" level="INFO"/> | |
<logger name="org.springframework.web" level="INFO"/> | |
<logger name="org.hibernate.SQL" level="INFO"/> | |
<logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/> | |
</springProfile> | |
| |
<springProfile name="dev"> | |
<springProperty name="spring.datasource.driver-class-name" source="spring.datasource.driver-class-name"/> | <springProperty name="spring.datasource.driver-class-name" source="spring.datasource.driver-class-name"/> |
<springProperty name="spring.datasource.url" source="spring.datasource.url"/> | <springProperty name="spring.datasource.url" source="spring.datasource.url"/> |
</appender> | </appender> |
| |
<logger name="eu.bcvsolutions" level="TRACE"> | <logger name="eu.bcvsolutions" level="INFO"> |
<appender-ref ref="DB_ASYNC" /> | <appender-ref ref="DB_ASYNC" /> |
</logger> | </logger> |
<logger name="org.springframework" level="INFO"/> | <logger name="org.springframework" level="INFO"/> |
<logger name="org.springframework.web" level="DEBUG"/> | <logger name="org.springframework.web" level="INFO"/> |
<logger name="org.hibernate.SQL" level="DEBUG"/> | <logger name="org.hibernate.SQL" level="INFO"/> |
<logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="TRACE"/> | <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/> |
</springProfile> | |
| |
<springProfile name="dev-mysql"> | |
<logger name="eu.bcvsolutions" level="TRACE" /> | |
<logger name="org.springframework" level="INFO"/> | |
<logger name="org.springframework.web" level="DEBUG"/> | |
<logger name="org.hibernate.SQL" level="DEBUG"/> | |
<logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="TRACE"/> | |
</springProfile> | </springProfile> |
<springProfile name="production"> | |
<springProperty name="spring.datasource.driver-class-name" source="spring.datasource.driver-class-name"/> | |
<springProperty name="spring.datasource.url" source="spring.datasource.url"/> | |
<springProperty name="spring.datasource.username" source="spring.datasource.username"/> | |
<springProperty name="spring.datasource.password" source="spring.datasource.password"/> | |
| |
<appender name="DB" class="ch.qos.logback.classic.db.DBAppender"> | |
<connectionSource class="ch.qos.logback.core.db.DriverManagerConnectionSource"> | |
<driverClass>${spring.datasource.driver-class-name}</driverClass> | |
<url>${spring.datasource.url}</url> | |
<user>${spring.datasource.username}</user> | |
<password>${spring.datasource.password}</password> | |
</connectionSource> | |
</appender> | |
| |
<appender name="DB_ASYNC" class="ch.qos.logback.classic.AsyncAppender"> | |
<appender-ref ref="DB" /> | |
<includeCallerData>true</includeCallerData> | |
</appender> | |
<logger name="eu.bcvsolutions" level="INFO"> | |
<appender-ref ref="DB_ASYNC" /> | |
</logger> | |
<logger name="org.springframework" level="INFO"/> | |
<logger name="org.springframework.web" level="INFO"/> | |
<logger name="org.hibernate.SQL" level="INFO"/> | |
<logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/> | |
| |
</springProfile> | |
| |
</configuration> | </configuration> |
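Review bot: the lowered levels in the profile now named "production" (eu.bcvsolutions INFO, org.hibernate.SQL INFO, org.hibernate.type.descriptor.sql.BasicBinder INFO, replacing TRACE/DEBUG in the earlier revision) deserve a sentence of explanation in the tutorial text, because the reason is a security one and readers will otherwise be tempted to turn them back up: org.hibernate.SQL at DEBUG writes every executed statement and BasicBinder at TRACE writes every bound parameter value, so passwords, tokens and personal data would flow through the DB_ASYNC appender into the log table. Suggest adding next to the file that these loggers must stay at INFO in production and may only be raised for a short troubleshooting window, and that the DB appender takes the datasource credentials from spring.datasource.username/password rather than from literals in logback-spring.xml.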
| |
There are two properties in application-production.properties that influence the confidential storage: | There are two properties in application-production.properties that influence the confidential storage: |
* You can set the 128-bit (16-byte) key directly in the property file using the **cipher.crypt.secret.key** property, or | * You can set the key directly in the property file using the **cipher.crypt.secret.key** property, |
* you can create a separate file (in our case **secret.key**) containing a random string and reference it with the **cipher.crypt.secret.keyPath** property. | * or (better) you can create a separate file ''secret.key'' containing a random string and reference it with the **cipher.crypt.secret.keyPath** property. |
| |
<note warning>CzechIdM doesn't ship with any default key for encrypting the confidential storage. Please define one before you start using the IdM.</note> | <note warning>CzechIdM doesn't ship with any default key for encrypting the confidential storage. Please define one before you start using the IdM.</note> |
| |
Confidential storage uses the AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm, which operates with a 128-bit key. | Confidential storage uses the AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm, which operates with a 128-bit or 256-bit key. |
| <note> |
| The length of the key determines the cipher used: a 128-bit (16-byte) key selects AES-128, a 256-bit (32-byte) key selects AES-256.
| |
| * OpenJDK/JDK 1.8u161 and all higher versions support AES-256 by default.
| * Older versions (below 1.8u161) do not enable it by default. On those Java distributions, you can use AES-128 or obtain the [[https://www.oracle.com/java/technologies/javase-jce8-downloads.html|Unlimited Strength Jurisdiction Policy Files]] to enable AES-256.
| |
| </note> |
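The following script is an added example for the two passages above (generating ''secret.key'' and wiring it into application-production.properties); it is not part of CzechIdM or of this tutorial. The only facts it takes from the tutorial are the key lengths (16 or 32 bytes selecting AES-128 or AES-256) and the property names ''cipher.crypt.secret.key'' and ''cipher.crypt.secret.keyPath''; the function names, the check policy (file must be 16 or 32 bytes and mode 600/400, inline key is rejected) and the demo paths are assumptions. Two points the one-liner in the tutorial does not cover: the key is created under ''umask 077'' so it is never world-readable even briefly, and a key drawn from a printable alphabet has less entropy than its byte length suggests (16 characters from a-z0-9 are about 83 bits, 32 characters from A-Za-z0-9 about 190 bits), which is one more reason to prefer the 32-byte form.

```shell
#!/bin/sh
# Added example for the CzechIdM installation tutorial; not CzechIdM's own code.
# From the tutorial: the key file is 16 or 32 bytes (AES-128 / AES-256) and
# application-production.properties points to it via cipher.crypt.secret.keyPath
# (or carries it inline in cipher.crypt.secret.key). Function names, the check
# policy and the demo paths below are assumptions of this script.

# Write a fresh key of $2 bytes (default 32) to $1.
# - LC_ALL=C keeps tr byte-oriented, so raw /dev/urandom bytes never trip a
#   multibyte-locale error.
# - umask 077 inside the subshell makes the file 0600 from creation; there is
#   no window in which the key is readable by other users.
# - Only 16 or 32 is accepted; any other length is not an AES key size.
gen_secret_key() {
    key_file=$1
    key_bytes=${2:-32}
    case $key_bytes in
        16|32) ;;
        *) echo "gen_secret_key: length must be 16 or 32 bytes, got $key_bytes" >&2; return 1 ;;
    esac
    ( umask 077; LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$key_bytes" > "$key_file" )
}

# Succeed only if $1 exists, is exactly 16 or 32 bytes long and is not
# readable by group/others (mode 600 or 400).
check_secret_key() {
    f=$1
    [ -f "$f" ] || { echo "check_secret_key: $f does not exist" >&2; return 1; }
    n=$(wc -c < "$f" | tr -d ' ')
    case $n in
        16|32) ;;
        *) echo "check_secret_key: $f is $n bytes, expected 16 or 32" >&2; return 1 ;;
    esac
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case $mode in
        600|400) ;;
        *) echo "check_secret_key: $f has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Inspect application-production.properties ($1): reject an inline
# cipher.crypt.secret.key (a secret in a config file that is usually readable
# by more people than the key file and ends up in backups), require
# cipher.crypt.secret.keyPath, and verify the file it points to.
# Leading whitespace and '#' comment lines are handled; if the property is
# assigned more than once the last assignment wins, matching java.util.Properties.
check_props() {
    props=$1
    [ -f "$props" ] || { echo "check_props: $props does not exist" >&2; return 1; }
    if grep -Eq '^[[:space:]]*cipher\.crypt\.secret\.key[[:space:]]*=' "$props"; then
        echo "check_props: inline cipher.crypt.secret.key found in $props; use keyPath instead" >&2
        return 1
    fi
    key_path=$(sed -n 's/^[[:space:]]*cipher\.crypt\.secret\.keyPath[[:space:]]*=[[:space:]]*//p' "$props" | tail -n 1)
    [ -n "$key_path" ] || { echo "check_props: cipher.crypt.secret.keyPath not set in $props" >&2; return 1; }
    check_secret_key "$key_path"
}

# Usage on the IdM host (paths as in the tutorial), run as root or as the user
# CzechIdM runs under, then chown the key to that user:
#   gen_secret_key /opt/czechidm/etc/secret.key 32
#   check_props /opt/czechidm/etc/application-production.properties
```

Run ''check_props'' again after every deployment: it catches the two mistakes that silently weaken the setup, a key that was copied with default 0644 permissions and a key pasted inline into the properties file.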
| |
=== Attachment store === | === Attachment store === |
| |
<code bash> | <code bash> |
| firewall-cmd --permanent --add-port=80/tcp |
firewall-cmd --permanent --add-port=443/tcp | firewall-cmd --permanent --add-port=443/tcp |
firewall-cmd --reload | firewall-cmd --reload |