Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
tutorial:adm:czechidm_installation_win [2020/04/21 11:51]
fiserp [Create DB user and database in PostgreSQL] 		tutorial:adm:czechidm_installation_win [2021/03/10 11:12]
tomiskar
Line 22: Line 22:
 Use the pgAdmin or PSQL to test the database connection under the ''czechidm'' user. Use the pgAdmin or PSQL to test the database connection under the ''czechidm'' user.
 ==== JDBC driver installation ==== ==== JDBC driver installation ====
-Download the PostgreSQL JDBC driver from the [[https://jdbc.postgresql.org/download.html|this URL]] and move it to the C:\CzechIdM\lib\ directory (create the directory if it does not exist).+Download the newest PostgreSQL JDBC driver( version 42.2.6 and newer) from the [[https://jdbc.postgresql.org/download.html|this URL]] and move it to the ''C:\Program Files\Apache Software Foundation\Tomcat 8.5\lib\'' directory.
 ==== Configure environment properties. Select application profile ==== ==== Configure environment properties. Select application profile ====
 Run the **Monitor Tomcat** application from the Start menu. Configure following settings: Run the **Monitor Tomcat** application from the Start menu. Configure following settings:
-  * Add ''C:\CzechIdM\etc;C:\CzechIdM\lib;C:\CzechIdM\lib\\*;'' to the **beginning of the** ''CLASSPATH''. If you followed the [[tutorial:adm:server_preparation_win|]] guide, this should already be in place. +  * Add ''C:\CzechIdM\etc;C:\CzechIdM\lib;C:\CzechIdM\lib<nowiki>\*</nowiki>;'' to the **beginning of the** ''CLASSPATH''. If you followed the [[tutorial:adm:server_preparation_win|]] guide, this should already be in place. 
-  * Add ''-Dspring.profiles.active=production'' and ''-Djava.util.Arrays.useLegacyMergeSort=true''to the ''Java options''+  * Add ''-Dspring.profiles.active=production'' to the ''Java options''
- +  * Add ''-Djava.security.egd=file:/dev/urandom'' to the ''Java options''.
-=== Change Tomat logging properties === +
- +
-In order to set-up log rotation we need stop logging to stdout and start logging to catalina.log . +
- +
-Make these changes in file "/c/Program\ Files/Apache\ Software\ Foundation/Tomcat\ 8.5/conf/logging.properties" +
-Comment out console handler. We don't want tomcat to log to stdout or stderr. +
-<code> +
-handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.juli.AsyncFileHandler, 3manager.org.apache.juli.AsyncFileHandler, 4host-manager.org.apache.juli.AsyncFileHandler +
-#handlers =  java.util.logging.ConsoleHandler +
- +
-.handlers = 1catalina.org.apache.juli.AsyncFileHandler +
-#.handlers = java.util.logging.ConsoleHandler, +
- +
-#java.util.logging.ConsoleHandler.level = FINE +
-#java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter +
-</code> +
-In 1catalina file handler change log level to "INFO" and prefix from "catalina" to "tomcat". Also set property rotable to "false". Tomcat write to this file only when starting or shutting down. +
-<code> +
-#1catalina.org.apache.juli.AsyncFileHandler.level = FINE +
-#1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina. +
-1catalina.org.apache.juli.AsyncFileHandler.level = INFO +
-1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs +
-1catalina.org.apache.juli.AsyncFileHandler.prefix = tomcat +
-1catalina.org.apache.juli.AsyncFileHandler.rotatable = false +
-1catalina.org.apache.juli.AsyncFileHandler.suffix = .log +
-</code> +
  
 ==== Create CzechIdM configuration folders ==== ==== Create CzechIdM configuration folders ====
Line 74: Line 47:
 ==== Create SSL truststore ==== ==== Create SSL truststore ====
 Open the Git Bash and navigate to the ''/c/czechidm/etc''. Then create fake certificate which will be, for this time, the only certificate in the truststore. Open the Git Bash and navigate to the ''/c/czechidm/etc''. Then create fake certificate which will be, for this time, the only certificate in the truststore.
-<code>+<code bash>
 openssl genrsa -out fakecert.key openssl genrsa -out fakecert.key
-openssl req -new -key fakecert.key -out fakecert.csr -subj "/C=CZ/ST=Czech Republic/L=Prague/O=BCV/CN=CzechIdM placeholder cert"+# if the following command fails, remove the parameter -subj and supply the values interactively 
 +openssl req -new -key fakecert.key -out fakecert.csr -subj "//C=CZ\ST=Czech Republic\L=Prague\O=BCV\CN=CzechIdM placeholder cert"
 openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt
 keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks
Line 121: Line 95:
 org.quartz.jobStore.tablePrefix=qrtz_ org.quartz.jobStore.tablePrefix=qrtz_
 </file> </file>
-  * The **C:\CzechIdM\etc\logback-spring.xml** specifies logging configuration. This is the default logging configuration that you can use out of the box.<code xml logback-spring.xml>+  * The **C:\CzechIdM\etc\logback-spring.xml** specifies logging configuration. This is the default logging configuration that you can use out of the box. 
 +<note important>Since IdM version **11.0.0** use DB appender `eu.bcvsolutions.idm.core.exception.IdmDbAppender` instead `ch.qos.logback.classic.db.DBAppender`!</note> 
 +<code xml logback-spring.xml>
 <?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
 <!-- https://springframework.guru/using-logback-spring-boot/ --> <!-- https://springframework.guru/using-logback-spring-boot/ -->
Line 130: Line 106:
         <include resource="org/springframework/boot/logging/logback/defaults.xml"/>         <include resource="org/springframework/boot/logging/logback/defaults.xml"/>
         <springProfile name="production">         <springProfile name="production">
-                <logger name="eu.bcvsolutions" level="INFO"/>+         
 +                <springProperty name="spring.datasource.driver-class-name" source="spring.datasource.driver-class-name"/> 
 +                <springProperty name="spring.datasource.url" source="spring.datasource.url"/> 
 +                <springProperty name="spring.datasource.username" source="spring.datasource.username"/> 
 +                <springProperty name="spring.datasource.password" source="spring.datasource.password"/> 
 +  
 +                <appender name="DB" class="ch.qos.logback.classic.db.DBAppender"> 
 +                    <connectionSource class="ch.qos.logback.core.db.DriverManagerConnectionSource"> 
 +                      <driverClass>${spring.datasource.driver-class-name}</driverClass> 
 +                      <url>${spring.datasource.url}</url> 
 +                      <user>${spring.datasource.username}</user> 
 +                      <password>${spring.datasource.password}</password> 
 +                    </connectionSource> 
 +                </appender> 
 +  
 +                <appender name="DB_ASYNC" class="ch.qos.logback.classic.AsyncAppender"> 
 +                <appender-ref ref="DB" /> 
 +                     <includeCallerData>true</includeCallerData> 
 +                </appender> 
 +  
 +                <logger name="eu.bcvsolutions" level="INFO"> 
 +                     <appender-ref ref="DB_ASYNC" /> 
 +                </logger> 
 +        
                 <logger name="org.springframework" level="INFO"/>                 <logger name="org.springframework" level="INFO"/>
                 <logger name="org.springframework.web" level="INFO"/>                 <logger name="org.springframework.web" level="INFO"/>
                 <logger name="org.hibernate.SQL" level="INFO"/>                 <logger name="org.hibernate.SQL" level="INFO"/>
                 <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/>                 <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/>
-                <appender name="idm" class="ch.qos.logback.core.rolling.RollingFileAppender"> +
-                        <encoder> +
-                                <pattern> +
-                                         %d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{36}.%M : %msg%n +
-                                </pattern> +
-                        </encoder> +
-                        <file>logs/catalina.log</file> +
-                        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> +
-                                <fileNamePattern>logs/catalina.%d{yyyy-MM-dd}.log</fileNamePattern> +
-                                <maxHistory>90</maxHistory> +
-                        </rollingPolicy> +
-                </appender>      +
-                <root level="INFO"> +
-                        <appender-ref ref="idm"/> +
-                </root>+
         </springProfile>         </springProfile>
 </configuration> </configuration>
Line 242: Line 227:
  
 There are two properties in application-production.properties that influence the confidential storage: There are two properties in application-production.properties that influence the confidential storage:
-  * You can set the 128bit (16byte) key directly in the property file using **cipher.crypt.secret.key** property or+  * You can set the 128bit (16byte) or 256bit (32byte) key directly in the property file using **cipher.crypt.secret.key** property or
   * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.   * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.
 <note warning>On Windows, you have to use separate file **secret.key**.</note> <note warning>On Windows, you have to use separate file **secret.key**.</note>
Line 248: Line 233:
 <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note> <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note>
  
-Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit key.+Confidential storage uses AES/CBC/PKCS5Padding (more info) algorithm which operates with 128bit or 256bit key. 
  
 === Attachment store === === Attachment store ===
  • by fiserp