Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
tutorial:adm:czechidm_installation_win [2020/04/21 11:43]
fiserp [Create DB user and database in PostgreSQL] 		tutorial:adm:czechidm_installation_win [2020/11/18 14:46]
urbanl Guide upgrade to support postgres 12 and java open-jdk 11 - #2503
Line 8: Line 8:
  
 ==== Create DB user and database in PostgreSQL ==== ==== Create DB user and database in PostgreSQL ====
-Open a **PSQL** binary from the Start menu. A windows-cmd-like window should appear with a prompt. Create a db user and a database for CzechIdM.+Open a **PSQL** binary from the Start menu (for the OpenSCG PostgreSQL) or fire-up the cmd terminal and run ''psql.exe -U postgres'' (for the EnterpriseDB PostgreSQL). A windows-cmd-like window should appear with a prompt. Create a db user and a database for CzechIdM.
  
 <code sql> <code sql>
 CREATE USER czechidm PASSWORD '*****'; CREATE USER czechidm PASSWORD '*****';
  
-Choose appropriate collation and create database. +-- Choose appropriate collation and create database. 
-with english collation (we expect the default windows installation with cp1250/cp1252 and "English_United States" collation).+-- with english collation (we expect the default windows installation with cp1250/cp1252 and "English_United States" collation).
 CREATE DATABASE "czechidm" WITH OWNER 'czechidm' ENCODING 'UTF8' template 'template0'; CREATE DATABASE "czechidm" WITH OWNER 'czechidm' ENCODING 'UTF8' template 'template0';
-with czech collation+-- with czech collation
 CREATE DATABASE "czechidm" WITH OWNER 'czechidm' ENCODING 'UTF8' LC_COLLATE = 'czech_czech' LC_CTYPE = 'czech_czech' template 'template0'; CREATE DATABASE "czechidm" WITH OWNER 'czechidm' ENCODING 'UTF8' LC_COLLATE = 'czech_czech' LC_CTYPE = 'czech_czech' template 'template0';
 </code> </code>
Line 22: Line 22:
 Use the pgAdmin or PSQL to test the database connection under the ''czechidm'' user. Use the pgAdmin or PSQL to test the database connection under the ''czechidm'' user.
 ==== JDBC driver installation ==== ==== JDBC driver installation ====
-Download the PostgreSQL JDBC driver from the [[https://jdbc.postgresql.org/download.html|this URL]] and move it to the C:\CzechIdM\lib\ directory (create the directory if it does not exist).+Download the newest PostgreSQL JDBC driver( version 42.2.6 and newer) from the [[https://jdbc.postgresql.org/download.html|this URL]] and move it to the ''C:\Program Files\Apache Software Foundation\Tomcat 8.5\lib\'' directory.
 ==== Configure environment properties. Select application profile ==== ==== Configure environment properties. Select application profile ====
 Run the **Monitor Tomcat** application from the Start menu. Configure following settings: Run the **Monitor Tomcat** application from the Start menu. Configure following settings:
-  * Add ''C:\CzechIdM\etc;C:\CzechIdM\lib;C:\CzechIdM\lib\\*;'' to the **beginning of the** ''CLASSPATH''. If you followed the [[tutorial:adm:server_preparation_win|]] guide, this should already be in place. +  * Add ''C:\CzechIdM\etc;C:\CzechIdM\lib;C:\CzechIdM\lib<nowiki>\*</nowiki>;'' to the **beginning of the** ''CLASSPATH''. If you followed the [[tutorial:adm:server_preparation_win|]] guide, this should already be in place. 
-  * Add ''-Dspring.profiles.active=production'' and ''-Djava.util.Arrays.useLegacyMergeSort=true''to the ''Java options''. +  * Add ''-Dspring.profiles.active=production'' to the ''Java options''.
- +
-=== Change Tomat logging properties === +
- +
-In order to set-up log rotation we need stop logging to stdout and start logging to catalina.log . +
- +
-Make these changes in file "/c/Program\ Files/Apache\ Software\ Foundation/Tomcat\ 8.5/conf/logging.properties" +
-Comment out console handler. We don't want tomcat to log to stdout or stderr. +
-<code> +
-handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.juli.AsyncFileHandler, 3manager.org.apache.juli.AsyncFileHandler, 4host-manager.org.apache.juli.AsyncFileHandler +
-#handlers =  java.util.logging.ConsoleHandler +
- +
-.handlers = 1catalina.org.apache.juli.AsyncFileHandler +
-#.handlers = java.util.logging.ConsoleHandler, +
- +
-#java.util.logging.ConsoleHandler.level = FINE +
-#java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter +
-</code> +
-In 1catalina file handler change log level to "INFO" and prefix from "catalina" to "tomcat". Also set property rotable to "false". Tomcat write to this file only when starting or shutting down. +
-<code> +
-#1catalina.org.apache.juli.AsyncFileHandler.level = FINE +
-#1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina. +
-1catalina.org.apache.juli.AsyncFileHandler.level = INFO +
-1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs +
-1catalina.org.apache.juli.AsyncFileHandler.prefix = tomcat +
-1catalina.org.apache.juli.AsyncFileHandler.rotatable = false +
-1catalina.org.apache.juli.AsyncFileHandler.suffix = .log +
-</code> +
  
 ==== Create CzechIdM configuration folders ==== ==== Create CzechIdM configuration folders ====
Line 74: Line 46:
 ==== Create SSL truststore ==== ==== Create SSL truststore ====
 Open the Git Bash and navigate to the ''/c/czechidm/etc''. Then create fake certificate which will be, for this time, the only certificate in the truststore. Open the Git Bash and navigate to the ''/c/czechidm/etc''. Then create fake certificate which will be, for this time, the only certificate in the truststore.
-<code>+<code bash>
 openssl genrsa -out fakecert.key openssl genrsa -out fakecert.key
-openssl req -new -key fakecert.key -out fakecert.csr -subj "/C=CZ/ST=Czech Republic/L=Prague/O=BCV/CN=CzechIdM placeholder cert"+# if the following command fails, remove the parameter -subj and supply the values interactively 
 +openssl req -new -key fakecert.key -out fakecert.csr -subj "//C=CZ\ST=Czech Republic\L=Prague\O=BCV\CN=CzechIdM placeholder cert"
 openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt
 keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks
Line 130: Line 103:
         <include resource="org/springframework/boot/logging/logback/defaults.xml"/>         <include resource="org/springframework/boot/logging/logback/defaults.xml"/>
         <springProfile name="production">         <springProfile name="production">
-                <logger name="eu.bcvsolutions" level="INFO"/>+         
 +                <springProperty name="spring.datasource.driver-class-name" source="spring.datasource.driver-class-name"/> 
 +                <springProperty name="spring.datasource.url" source="spring.datasource.url"/> 
 +                <springProperty name="spring.datasource.username" source="spring.datasource.username"/> 
 +                <springProperty name="spring.datasource.password" source="spring.datasource.password"/> 
 +  
 +                <appender name="DB" class="ch.qos.logback.classic.db.DBAppender"> 
 +                    <connectionSource class="ch.qos.logback.core.db.DriverManagerConnectionSource"> 
 +                      <driverClass>${spring.datasource.driver-class-name}</driverClass> 
 +                      <url>${spring.datasource.url}</url> 
 +                      <user>${spring.datasource.username}</user> 
 +                      <password>${spring.datasource.password}</password> 
 +                    </connectionSource> 
 +                </appender> 
 +  
 +                <appender name="DB_ASYNC" class="ch.qos.logback.classic.AsyncAppender"> 
 +                <appender-ref ref="DB" /> 
 +                     <includeCallerData>true</includeCallerData> 
 +                </appender> 
 +  
 +                <logger name="eu.bcvsolutions" level="INFO"> 
 +                     <appender-ref ref="DB_ASYNC" /> 
 +                </logger> 
 +        
                 <logger name="org.springframework" level="INFO"/>                 <logger name="org.springframework" level="INFO"/>
                 <logger name="org.springframework.web" level="INFO"/>                 <logger name="org.springframework.web" level="INFO"/>
                 <logger name="org.hibernate.SQL" level="INFO"/>                 <logger name="org.hibernate.SQL" level="INFO"/>
                 <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/>                 <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/>
-                <appender name="idm" class="ch.qos.logback.core.rolling.RollingFileAppender"> +
-                        <encoder> +
-                                <pattern> +
-                                         %d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{36}.%M : %msg%n +
-                                </pattern> +
-                        </encoder> +
-                        <file>logs/catalina.log</file> +
-                        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> +
-                                <fileNamePattern>logs/catalina.%d{yyyy-MM-dd}.log</fileNamePattern> +
-                                <maxHistory>90</maxHistory> +
-                        </rollingPolicy> +
-                </appender>      +
-                <root level="INFO"> +
-                        <appender-ref ref="idm"/> +
-                </root>+
         </springProfile>         </springProfile>
 </configuration> </configuration>
Line 242: Line 224:
  
 There are two properties in application-production.properties that influence the confidential storage: There are two properties in application-production.properties that influence the confidential storage:
-  * You can set the 128bit (16byte) key directly in the property file using **cipher.crypt.secret.key** property or+  * You can set the 128bit (16byte) or 256bit (32byte) key directly in the property file using **cipher.crypt.secret.key** property or
   * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.   * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.
 <note warning>On Windows, you have to use separate file **secret.key**.</note> <note warning>On Windows, you have to use separate file **secret.key**.</note>
Line 248: Line 230:
 <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note> <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note>
  
-Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit key.+Confidential storage uses AES/CBC/PKCS5Padding (more info) algorithm which operates with 128bit or 256bit key. 
  
 === Attachment store === === Attachment store ===
  • by fiserp