Differences
This shows you the differences between two versions of the page.
tutorial:adm:czechidm_installation_win [2020/03/11 12:02] fiserp [Create CzechIdM configuration] |
tutorial:adm:czechidm_installation_win [2021/01/21 11:46] kasalr [Configure environment properties. Select application profile] |
Line 8: | Line 8: | ||
==== Create DB user and database in PostgreSQL ==== | ==== Create DB user and database in PostgreSQL ==== | ||
- | Open a **PSQL** binary from the Start menu. A windows-cmd-like window should appear with a prompt. Create a db user and a database for CzechIdM. | + | Open a **PSQL** binary from the Start menu (for the OpenSCG PostgreSQL) or fire-up the cmd terminal and run '' |
- | < | + | < |
CREATE USER czechidm PASSWORD ' | CREATE USER czechidm PASSWORD ' | ||
+ | |||
+ | -- Choose appropriate collation and create database. | ||
+ | -- with english collation (we expect the default windows installation with cp1250/ | ||
CREATE DATABASE " | CREATE DATABASE " | ||
+ | -- with czech collation | ||
+ | CREATE DATABASE " | ||
</ | </ | ||
Use the pgAdmin or PSQL to test the database connection under the '' | Use the pgAdmin or PSQL to test the database connection under the '' | ||
==== JDBC driver installation ==== | ==== JDBC driver installation ==== | ||
- | Download the PostgreSQL JDBC driver from the [[https:// | + | Download the newest |
==== Configure environment properties. Select application profile ==== | ==== Configure environment properties. Select application profile ==== | ||
Run the **Monitor Tomcat** application from the Start menu. Configure following settings: | Run the **Monitor Tomcat** application from the Start menu. Configure following settings: | ||
- | * Add '' | + | * Add '' |
- | * Add '' | + | * Add '' |
- | + | * Add '' | |
- | === Change Tomat logging properties === | + | |
- | + | ||
- | In order to set-up log rotation we need stop logging to stdout and start logging to catalina.log . | + | |
- | + | ||
- | Make these changes in file "/c/Program\ Files/ | + | |
- | Comment out console handler. We don't want tomcat | + | |
- | < | + | |
- | handlers = 1catalina.org.apache.juli.AsyncFileHandler, | + | |
- | #handlers = java.util.logging.ConsoleHandler | + | |
- | + | ||
- | .handlers = 1catalina.org.apache.juli.AsyncFileHandler | + | |
- | #.handlers = java.util.logging.ConsoleHandler, | + | |
- | + | ||
- | # | + | |
- | # | + | |
- | </ | + | |
- | In 1catalina file handler change log level to " | + | |
- | < | + | |
- | # | + | |
- | # | + | |
- | 1catalina.org.apache.juli.AsyncFileHandler.level = INFO | + | |
- | 1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/ | + | |
- | 1catalina.org.apache.juli.AsyncFileHandler.prefix = tomcat | + | |
- | 1catalina.org.apache.juli.AsyncFileHandler.rotatable = false | + | |
- | 1catalina.org.apache.juli.AsyncFileHandler.suffix = .log | + | |
- | </ | + | |
==== Create CzechIdM configuration folders ==== | ==== Create CzechIdM configuration folders ==== | ||
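Review bot: the right-hand side drops the whole "Change Tomat logging properties" subsection (commenting out the ConsoleHandler and routing Tomcat output to 1catalina.org.apache.juli.AsyncFileHandler at level INFO), and nothing in this hunk says where that guidance went; if it moved to another page, link it here, otherwise Tomcat keeps logging to stdout and the stated goal of the removed text ("In order to set-up log rotation we need stop logging to stdout and start logging to catalina.log") is silently lost. A smaller point in the same hunk: the SQL block now carries two `CREATE DATABASE` statements (english and czech collation) under the comment "Choose appropriate collation and create database", and pasting the block as-is would execute both; keep the unused variant commented out or present them as explicit alternatives.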
Line 69: | Line 47: | ||
==== Create SSL truststore ==== | ==== Create SSL truststore ==== | ||
Open the Git Bash and navigate to the ''/ | Open the Git Bash and navigate to the ''/ | ||
- | < | + | < |
openssl genrsa -out fakecert.key | openssl genrsa -out fakecert.key | ||
- | openssl req -new -key fakecert.key -out fakecert.csr -subj "/C=CZ/ST=Czech Republic/L=Prague/O=BCV/CN=CzechIdM placeholder cert" | + | # if the following command fails, remove the parameter -subj and supply the values interactively |
+ | openssl req -new -key fakecert.key -out fakecert.csr -subj "//C=CZ\ST=Czech Republic\L=Prague\O=BCV\CN=CzechIdM placeholder cert" | ||
openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt | openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt | ||
keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks | keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks | ||
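Review bot: the new -subj value `"//C=CZ\ST=Czech Republic\L=Prague\O=BCV\CN=CzechIdM placeholder cert"` is the MSYS path-conversion workaround for Git Bash (the leading double slash stops the shell from rewriting `/C=CZ/...` as a Windows path), but the added comment only says "if the following command fails, remove the parameter -subj and supply the values interactively"; explain why the odd form is there, and mention that running the command with `MSYS_NO_PATHCONV=1` set is the alternative that lets the plain `/C=CZ/ST=...` syntax work. The certificate itself is a reasonable truststore filler since it is self-signed with -days 1; the text could state explicitly that it exists only so that truststore.jks gets created and that the placeholder-cert entry carries no trust decision.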
Line 125: | Line 104: | ||
<include resource=" | <include resource=" | ||
< | < | ||
- | | + | |
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | |||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | |||
+ | | ||
+ | < | ||
+ | </ | ||
+ | | ||
<logger name=" | <logger name=" | ||
<logger name=" | <logger name=" | ||
<logger name=" | <logger name=" | ||
<logger name=" | <logger name=" | ||
- | < | + | |
- | < | + | |
- | < | + | |
- | | + | |
- | </ | + | |
- | </ | + | |
- | < | + | |
- | < | + | |
- | < | + | |
- | < | + | |
- | </ | + | |
- | </ | + | |
- | <root level=" | + | |
- | < | + | |
- | </ | + | |
</ | </ | ||
</ | </ | ||
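Review bot: the old `<root level="` element with its appender reference is removed near the end of this hunk, and no `<root` element is visible among the added lines at the top; confirm that the new logback configuration still declares a root logger with an appender attached, because a logback.xml without `<root>` leaves the root logger with no appenders and the application then logs nothing, which would remove the log trail rather than relocate it.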
Line 164: | Line 152: | ||
flyway.enabled=true | flyway.enabled=true | ||
- | scheduler.enabled=true | + | |
- | scheduler.task.queue.process=1000 | + | |
- | scheduler.event.queue.process=1000 | + | |
scheduler.properties.location=quartz-production.properties | scheduler.properties.location=quartz-production.properties | ||
+ | |||
logging.config=c:/ | logging.config=c:/ | ||
+ | |||
idm.sec.core.demo.data.enabled=false | idm.sec.core.demo.data.enabled=false | ||
- | #spring.cache.ehcache.config=classpath: | + | # attachments will be stored under this path. |
- | + | # new directories for attachment will be created in this folder (permissions has to be added) | |
- | spring.activiti.processDefinitionLocationPrefix=classpath*:/ | + | # System.getProperty(" |
- | idm.sec.core.notification.template.folder=classpath*:/eu/ | + | idm.sec.core.attachment.storagePath=c:/czechidm/data |
- | idm.sec.core.script.folder=classpath*:/ | + | |
# configuration property for default backup | # configuration property for default backup | ||
idm.sec.core.backups.default.folder.path=c:/ | idm.sec.core.backups.default.folder.path=c:/ | ||
- | + | ||
- | + | ||
idm.pub.security.allowed-origins=http:// | idm.pub.security.allowed-origins=http:// | ||
# Generate JWT token security string as "cat / | # Generate JWT token security string as "cat / | ||
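Review bot: the new comment "new directories for attachment will be created in this folder (permissions has to be added)" above `idm.sec.core.attachment.storagePath=c:/czechidm/data` should say which account needs the permission and how much: the account the Tomcat service runs as needs modify rights on c:/czechidm/data and nothing else should have them, since uploaded attachments land there; also fix the grammar to "permissions have to be set". Removing `scheduler.enabled=true` and the two `scheduler.*.queue.process=1000` lines from the template is only safe if the application defaults match; state the defaults or keep the lines.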
Line 185: | Line 172: | ||
idm.sec.security.jwt.secret.token=********** TODO ********* | idm.sec.security.jwt.secret.token=********** TODO ********* | ||
idm.sec.security.jwt.expirationTimeout=36000000 | idm.sec.security.jwt.expirationTimeout=36000000 | ||
- | |||
- | # recaptcha | ||
- | # - recaptchaservice endpoint | ||
- | # | ||
- | # - secret key, can be generated here https:// | ||
- | idm.sec.security.recaptcha.secretKey=xxx | ||
- | # Proxy for HTTP requests | ||
- | # | ||
# Cipher secret key for crypt values in confidential storage | # Cipher secret key for crypt values in confidential storage | ||
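Review bot: `idm.sec.security.jwt.secret.token=********** TODO *********` survives unchanged on both sides while the generation hint in the comment above it is the only instruction; add an explicit sentence that this value must be replaced with a long random string before the first start, because a server started with the literal placeholder signs every session token with a value printed in a public tutorial. Dropping the recaptcha and HTTP proxy lines is fine for a minimal profile, but a one-line pointer to where they are documented keeps the template discoverable.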
Line 199: | Line 178: | ||
cipher.crypt.secret.keyPath=c:/ | cipher.crypt.secret.keyPath=c:/ | ||
- | + | # Defaults for: emailer.* | |
+ | # test.enabled=true means mail WILL NOT be sent | ||
idm.sec.core.emailer.test.enabled=true | idm.sec.core.emailer.test.enabled=true | ||
# http:// | # http:// | ||
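Review bot: the added comment "# Defaults for: emailer.*" should use the full key prefix `idm.sec.core.emailer.*` as in the line below it, so readers searching the file find it; the second added comment ("test.enabled=true means mail WILL NOT be sent") is a useful clarification and worth keeping.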
Line 208: | Line 188: | ||
# idm.sec.core.emailer.password=password | # idm.sec.core.emailer.password=password | ||
idm.sec.core.emailer.from=czechidm@localhost | idm.sec.core.emailer.from=czechidm@localhost | ||
- | |||
- | ## Global property that allow disable or enable sending notification from WF | ||
- | idm.sec.core.wf.notification.send=false | ||
- | |||
- | |||
- | # supports delete identity | ||
- | idm.pub.core.identity.delete=true | ||
- | # | ||
- | # default password change type for custom users, one of values: | ||
- | # DISABLED - password change is disable | ||
- | # ALL_ONLY - users can change passwords only for all accounts | ||
- | # CUSTOM - users can choose for which accounts change password | ||
- | idm.pub.core.identity.passwordChange=ALL_ONLY | ||
- | # | ||
- | # required old password for change password | ||
- | idm.pub.core.identity.passwordChange.requireOldPassword=true | ||
- | # | ||
- | # create default identity' | ||
- | idm.pub.core.identity.create.defaultContract.enabled=true | ||
- | |||
# Default user role will be added automatically, | # Default user role will be added automatically, | ||
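Review bot: this hunk deletes the documented identity settings `idm.pub.core.identity.passwordChange=ALL_ONLY`, `idm.pub.core.identity.passwordChange.requireOldPassword=true` and `idm.pub.core.identity.delete=true` together with `idm.sec.core.wf.notification.send=false`, so an installation built from this page now runs on application defaults that the page never states; either keep the security-relevant ones (old-password requirement, password change mode) explicitly in the template, or add a sentence giving their default values so an operator knows the effective policy after following the tutorial.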
Line 236: | Line 196: | ||
idm.sec.core.role.admin=superAdminRole | idm.sec.core.role.admin=superAdminRole | ||
- | |||
- | # ID system against which to authenticate | ||
- | idm.sec.security.auth.systemId= | ||
- | |||
- | # attachments will be stored under this path. | ||
- | # new directories for attachment will be created in this folder (permissions has to be added) | ||
- | # System.getProperty(" | ||
- | idm.sec.core.attachment.storagePath=c:/ | ||
- | |||
# Max file size of uploaded file. Values can use the suffixed " | # Max file size of uploaded file. Values can use the suffixed " | ||
spring.servlet.multipart.max-file-size=100MB | spring.servlet.multipart.max-file-size=100MB | ||
Line 274: | Line 225: | ||
There are two properties in application-production.properties that influence the confidential storage: | There are two properties in application-production.properties that influence the confidential storage: | ||
- | * You can set the 128bit (16byte) key directly in the property file using **cipher.crypt.secret.key** property or | + | * You can set the 128bit (16byte) or 256bit (32byte) key directly in the property file using **cipher.crypt.secret.key** property or |
* you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property. | * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property. | ||
<note warning> | <note warning> | ||
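Review bot: now that the bullet allows a 128bit (16byte) or 256bit (32byte) key, say that the value (whether set in cipher.crypt.secret.key or placed in the secret.key file referenced by cipher.crypt.secret.keyPath) must be exactly 16 or 32 bytes long and should come from a random generator rather than a typed phrase, and that the key file should be readable only by the service account, since it unlocks everything held in the confidential storage.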
Line 280: | Line 231: | ||
<note warning> | <note warning> | ||
- | Confidential storage uses AES/ | + | Confidential storage uses AES/ |
=== Attachment store === | === Attachment store === |