Differences
tutorial:adm:czechidm_installation_win [2018/04/06 14:33] fiserp [JDBC driver installation - CentOS7]
tutorial:adm:czechidm_installation_win [2021/03/08 10:38] svandav
Line 1: | Line 1: | ||
+ | ====== Installation of CzechIdM - Windows ====== | ||
+ | {{tag> | ||
+ | |||
+ | We presume that the server is prepared as described in [[tutorial: | ||
+ | |||
+ | This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (java, postgreSQL, Tomcat, Apache httpd). If you are looking for a demo installation please see [[: | ||
+ | |||
+ | ==== Create DB user and database in PostgreSQL ==== | ||
+ | Open a **PSQL** binary from the Start menu (for the OpenSCG PostgreSQL) or fire-up the cmd terminal and run '' | ||
+ | |||
+ | <code sql> | ||
+ | CREATE USER czechidm PASSWORD ' | ||
+ | |||
+ | -- Choose appropriate collation and create database. | ||
+ | -- with english collation (we expect the default windows installation with cp1250/ | ||
+ | CREATE DATABASE " | ||
+ | -- with czech collation | ||
+ | CREATE DATABASE " | ||
+ | </ | ||
+ | |||
+ | Use the pgAdmin or PSQL to test the database connection under the '' | ||
+ | ==== JDBC driver installation ==== | ||
+ | Download the newest PostgreSQL JDBC driver( version 42.2.6 and newer) from the [[https:// | ||
+ | ==== Configure environment properties. Select application profile ==== | ||
+ | Run the **Monitor Tomcat** application from the Start menu. Configure following settings: | ||
+ | * Add '' | ||
+ | * Add '' | ||
+ | * Add '' | ||
+ | |||
+ | ==== Create CzechIdM configuration folders ==== | ||
+ | In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments. | ||
+ | * The **etc** directory stores configuration files. | ||
+ | * The **lib** directory stores additional jar libraries such as database drivers. | ||
+ | * The **backup** directory stored Groovy scripts backups. | ||
+ | * The **data** directory stores various user-attached files. | ||
+ | |||
+ | Create the directory structure: | ||
+ | < | ||
+ | C:\CzechIdM | ||
+ | C: | ||
+ | C: | ||
+ | C: | ||
+ | C: | ||
+ | </ | ||
+ | |||
+ | ==== Create SSL truststore ==== | ||
+ | Open the Git Bash and navigate to the ''/ | ||
+ | <code bash> | ||
+ | openssl genrsa -out fakecert.key | ||
+ | # if the following command fails, remove the parameter -subj and supply the values interactively | ||
+ | openssl req -new -key fakecert.key -out fakecert.csr -subj "// | ||
+ | openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt | ||
+ | keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks | ||
+ | Enter keystore password: | ||
+ | Re-enter new password: | ||
+ | ... | ||
+ | Trust this certificate? | ||
+ | Certificate was added to keystore | ||
+ | |||
+ | rm fakecert.key fakecert.csr fakecert.crt | ||
+ | </ | ||
+ | |||
+ | Then adjust Tomcat configuration - the '' | ||
+ | |||
+ | Save the configuration and restart the Tomcat for changes to take effect. | ||
+ | ==== Create CzechIdM configuration ==== | ||
+ | Now we will create configuration files the CzechIdM will use. | ||
+ | < | ||
+ | * The **C: | ||
+ | cd / | ||
+ | # start the vim editor | ||
+ | vim secret.key | ||
+ | # press " | ||
+ | # type the 16 characters of the secret key | ||
+ | # press ESC to switch to command mode | ||
+ | # type :wq | ||
+ | # press ENTER | ||
+ | # now you should see that secret.key file has been created, check its contents | ||
+ | # the file should be EXACTLY 17 BYTES LONG, 16 bytes for your key and the last byte " | ||
+ | xxd -p secret.key | ||
+ | ... hex dump here ... text dump here ... | ||
+ | ... 0a ...</ | ||
+ | * The **C: | ||
+ | org.quartz.scheduler.instanceName=idm-scheduler-instance | ||
+ | org.quartz.scheduler.instanceId=AUTO | ||
+ | org.quartz.scheduler.skipUpdateCheck=true | ||
+ | org.quartz.threadPool.class=org.quartz.simpl.SimpleThreadPool | ||
+ | org.quartz.threadPool.threadCount=10 | ||
+ | org.quartz.threadPool.threadPriority=4 | ||
+ | org.quartz.jobStore.class=org.quartz.impl.jdbcjobstore.JobStoreTX | ||
+ | org.quartz.jobStore.driverDelegateClass=org.quartz.impl.jdbcjobstore.PostgreSQLDelegate | ||
+ | org.quartz.jobStore.useProperties=false | ||
+ | org.quartz.jobStore.misfireThreshold=60000 | ||
+ | org.quartz.jobStore.tablePrefix=qrtz_ | ||
+ | </ | ||
+ | * The **C: | ||
+ | <note important> | ||
+ | <code xml logback-spring.xml> | ||
+ | <?xml version=" | ||
+ | <!-- https:// | ||
+ | <!-- http:// | ||
+ | < | ||
+ | < | ||
+ | <include resource=" | ||
+ | <include resource=" | ||
+ | < | ||
+ | | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | |||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | |||
+ | <logger name=" | ||
+ | < | ||
+ | </ | ||
+ | | ||
+ | <logger name=" | ||
+ | <logger name=" | ||
+ | <logger name=" | ||
+ | <logger name=" | ||
+ | |||
+ | </ | ||
+ | </ | ||
+ | </ | ||
+ | * The most important file is **C: | ||
+ | # Doc: https:// | ||
+ | |||
+ | idm.pub.app.instanceId=idm-primary | ||
+ | idm.pub.app.stage=production | ||
+ | |||
+ | spring.datasource.url=jdbc: | ||
+ | spring.datasource.username=czechidm | ||
+ | spring.datasource.password=********** TODO ********* | ||
+ | spring.datasource.driver-class-name=org.postgresql.Driver | ||
+ | spring.datasource.validationQuery=SELECT 1 | ||
+ | spring.datasource.test-on-borrow=true | ||
+ | spring.jpa.generate-ddl=false | ||
+ | spring.jpa.hibernate.ddl-auto=none | ||
+ | flyway.enabled=true | ||
+ | |||
+ | |||
+ | scheduler.properties.location=quartz-production.properties | ||
+ | |||
+ | logging.config=c:/ | ||
+ | |||
+ | idm.sec.core.demo.data.enabled=false | ||
+ | |||
+ | # attachments will be stored under this path. | ||
+ | # new directories for attachment will be created in this folder (permissions has to be added) | ||
+ | # System.getProperty(" | ||
+ | idm.sec.core.attachment.storagePath=c:/ | ||
+ | # configuration property for default backup | ||
+ | idm.sec.core.backups.default.folder.path=c:/ | ||
+ | |||
+ | |||
+ | idm.pub.security.allowed-origins=http:// | ||
+ | # Generate JWT token security string as "cat / | ||
+ | # We recommend the VALUE to be at least 25. | ||
+ | idm.sec.security.jwt.secret.token=********** TODO ********* | ||
+ | idm.sec.security.jwt.expirationTimeout=36000000 | ||
+ | |||
+ | # Cipher secret key for crypt values in confidential storage | ||
+ | # for crypt values is used secretKey or secretKey defined by file - secretKeyPath | ||
+ | # | ||
+ | cipher.crypt.secret.keyPath=c:/ | ||
+ | |||
+ | # Defaults for: emailer.* | ||
+ | # test.enabled=true means mail WILL NOT be sent | ||
+ | idm.sec.core.emailer.test.enabled=true | ||
+ | # http:// | ||
+ | idm.sec.core.emailer.protocol=smtp | ||
+ | idm.sec.core.emailer.host=something.tld | ||
+ | idm.sec.core.emailer.port=25 | ||
+ | # idm.sec.core.emailer.username=czechidm@domain.tld | ||
+ | # idm.sec.core.emailer.password=password | ||
+ | idm.sec.core.emailer.from=czechidm@localhost | ||
+ | |||
+ | # Default user role will be added automatically, | ||
+ | # could contains default authorities and authority policies configuration | ||
+ | # for adding autocomplete or all record read permission etc. | ||
+ | idm.sec.core.role.default=userRole | ||
+ | # Admin user role | ||
+ | idm.sec.core.role.admin=superAdminRole | ||
+ | |||
+ | # Max file size of uploaded file. Values can use the suffixed " | ||
+ | spring.servlet.multipart.max-file-size=100MB | ||
+ | spring.servlet.multipart.max-request-size=100MB | ||
+ | </ | ||
+ | |||
+ | === Adjust database configuration === | ||
+ | If you followed this howto, the only thing you should need to adjust is a **spring.datasource.password** propetry. Set it to the password for czechidm user in PostgreSQL. | ||
+ | If necessary, adjust other database connection properties... <code properties> | ||
+ | spring.datasource.url=jdbc: | ||
+ | spring.datasource.username=czechidm | ||
+ | spring.datasource.password=********** TODO ********* | ||
+ | spring.datasource.driver-class-name=org.postgresql.Driver | ||
+ | spring.datasource.validationQuery=SELECT 1 | ||
+ | spring.datasource.test-on-borrow=true | ||
+ | </ | ||
+ | |||
+ | === Generate JWT token === | ||
+ | Set value of the **idm.sec.security.jwt.secret.token** property as is described in the template file:< | ||
+ | # Generate JWT token security string as "cat / | ||
+ | # We recommend the VALUE to be at least 25. | ||
+ | idm.sec.security.jwt.secret.token=********** TODO ********* | ||
+ | </ | ||
+ | |||
+ | === Local confidential storage === | ||
+ | |||
+ | Local confidential storage is encrypted by AES algoritm. [[https:// | ||
+ | Confidential storage is encrypted by a key found in **secret.key** file you already created. | ||
+ | |||
+ | There are two properties in application-production.properties that influence the confidential storage: | ||
+ | * You can set the 128bit (16byte) or 256bit (32byte) key directly in the property file using **cipher.crypt.secret.key** property or | ||
+ | * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property. | ||
+ | <note warning> | ||
+ | |||
+ | <note warning> | ||
+ | |||
+ | Confidential storage uses AES/ | ||
+ | |||
+ | |||
+ | === Attachment store === | ||
+ | In CzechIdM, users can sometimes add attachments (say, attach *.jpeg photo to their employee card request). Those files are stored in the attachment store. | ||
+ | With the following property, you can configure, where the store is. If you used sample property file, the store is by-default located under '' | ||
+ | |||
+ | <code properties> | ||
+ | # attachments will be stored under this path. | ||
+ | # new directories for attachment will be created in this folder (permissions has to be added) | ||
+ | # System.getProperty(" | ||
+ | idm.sec.core.attachment.storagePath=c:/ | ||
+ | </ | ||
+ | |||
+ | === Environment === | ||
+ | |||
+ | If you install CzechIdM in multiple environments (typically test and production), | ||
+ | <code properties> | ||
+ | # Application stage (development, | ||
+ | idm.pub.app.stage=production | ||
+ | </ | ||
+ | |||
+ | ==== Deploy the CzechIdM ==== | ||
+ | CzechIdM is deployed as a WAR archive. | ||
+ | * Download the latest CzechIdM WAR archive. | ||
+ | * Stop the Tomcat service. | ||
+ | * Renamed it to '' | ||
+ | * Start the Tomcat container and it will deploy the CzechIdM application. CzechIdM will load its configuration from the '' | ||
+ | ===== Change default admin password ===== | ||
+ | In the fresh CzechIdM installation, | ||
+ | |||
+ | ===== Configure IdM ===== | ||
+ | |||
+ | Follow some final configuration steps: [[tutorial: |
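Review bot: the secret.key instructions in the "Create CzechIdM configuration" part are internally inconsistent and should state exactly which bytes the application treats as the key. The vim steps say "type the 16 characters of the secret key" and then "the file should be EXACTLY 17 BYTES LONG, 16 bytes for your key and the last byte" (a trailing newline), while the "Local confidential storage" section says the key must be "128bit (16byte) or 256bit (32byte)"; say whether CzechIdM strips the trailing newline or whether it must be omitted, and point the reader to a random source for the 16 or 32 key bytes rather than typing characters by hand. Because application-production.properties carries the database password (spring.datasource.password), the JWT secret (idm.sec.security.jwt.secret.token) and the path to secret.key (cipher.crypt.secret.keyPath), the text should also tell the reader to restrict filesystem permissions on the etc directory to the account running Tomcat. Smaller points: `openssl genrsa -out fakecert.key` passes no key size, so the result depends on the installed OpenSSL default; the production template ships with `idm.sec.core.emailer.test.enabled=true`, which the comment says means mail will not be sent, and the "Deploy the CzechIdM" steps should remind the reader to flip it when going live; typos "stored Groovy scripts backups" (stores), "propetry", "algoritm", and "Renamed it to" (Rename).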