Differences

This shows you the differences between two versions of the page.

tutorial:adm:czechidm_installation_win [2020/06/10 17:01]
apeterova fake certificate
tutorial:adm:czechidm_installation_win [2021/10/07 13:11]
fiserp [Create CzechIdM configuration]
Line 22: Line 22:
 Use the pgAdmin or PSQL to test the database connection under the ''czechidm'' user. Use the pgAdmin or PSQL to test the database connection under the ''czechidm'' user.
 ==== JDBC driver installation ==== ==== JDBC driver installation ====
-Download the PostgreSQL JDBC driver from the [[https://jdbc.postgresql.org/download.html|this URL]] and move it to the ''C:\Program Files\Apache Software Foundation\Tomcat 8.5\lib\'' directory.+Download the newest PostgreSQL JDBC driver( version 42.2.6 and newer) from the [[https://jdbc.postgresql.org/download.html|this URL]] and move it to the ''C:\Program Files\Apache Software Foundation\Tomcat 9.0\lib\'' directory.
 ==== Configure environment properties. Select application profile ==== ==== Configure environment properties. Select application profile ====
 Run the **Monitor Tomcat** application from the Start menu. Configure following settings: Run the **Monitor Tomcat** application from the Start menu. Configure following settings:
-  * Add ''C:\CzechIdM\etc;C:\CzechIdM\lib;C:\CzechIdM\lib\\*;'' to the **beginning of the** ''CLASSPATH''. If you followed the [[tutorial:adm:server_preparation_win|]] guide, this should already be in place.+  * Add ''C:\CzechIdM\etc;C:\CzechIdM\lib;C:\CzechIdM\lib<nowiki>\*</nowiki>;'' to the **beginning of the** ''CLASSPATH''. If you followed the [[tutorial:adm:server_preparation_win|]] guide, this should already be in place.
   * Add ''-Dspring.profiles.active=production'' to the ''Java options''.   * Add ''-Dspring.profiles.active=production'' to the ''Java options''.
- +  * Add ''-Djava.security.egd=file:/dev/urandom'' to the ''Java options''.
-=== Change Tomat logging properties === +
- +
-In order to set-up log rotation we need stop logging to stdout and start logging to catalina.log . +
- +
-Make these changes in file ''C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\logging.properties''+
-Comment out console handler. We don't want tomcat to log to stdout or stderr. +
-<code> +
-handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.juli.AsyncFileHandler, 3manager.org.apache.juli.AsyncFileHandler, 4host-manager.org.apache.juli.AsyncFileHandler +
-#handlers =  java.util.logging.ConsoleHandler +
- +
-.handlers = 1catalina.org.apache.juli.AsyncFileHandler +
-#.handlers = java.util.logging.ConsoleHandler, +
- +
-#java.util.logging.ConsoleHandler.level = FINE +
-#java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter +
-</code> +
-In 1catalina file handler change log level to "INFO" and prefix from "catalina" to "tomcat". Also set property rotable to "false". Tomcat write to this file only when starting or shutting down. +
-<code> +
-#1catalina.org.apache.juli.AsyncFileHandler.level = FINE +
-#1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina. +
-1catalina.org.apache.juli.AsyncFileHandler.level = INFO +
-1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs +
-1catalina.org.apache.juli.AsyncFileHandler.prefix = tomcat +
-1catalina.org.apache.juli.AsyncFileHandler.rotatable = false +
-1catalina.org.apache.juli.AsyncFileHandler.suffix = .log +
-</code> +
  
 ==== Create CzechIdM configuration folders ==== ==== Create CzechIdM configuration folders ====
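
Review bot: The added Java option -Djava.security.egd=file:/dev/urandom names a Unix device path, while every other path in this guide is a Windows one (C:\CzechIdM\..., C:\Program Files\...). Say what effect the option is expected to have on Windows, or drop it from this page. The same hunk deletes the whole "Change Tomat logging properties" section, including the commented-out ConsoleHandler and its stated purpose (log rotation), without a replacement. If rotation is now handled elsewhere, add a sentence or link saying where, so that installs following this revision do not end up with unrotated stdout logs. Minor: the new JDBC sentence reads "driver( version 42.2.6 and newer)"; move the space, and consider telling readers to verify the downloaded jar before copying it into Tomcat's lib directory.
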
Line 77: Line 50:
 openssl genrsa -out fakecert.key openssl genrsa -out fakecert.key
 # if the following command fails, remove the parameter -subj and supply the values interactively # if the following command fails, remove the parameter -subj and supply the values interactively
-openssl req -new -key fakecert.key -out fakecert.csr -subj "/C=CZ/ST=Czech Republic/L=Prague/O=BCV/CN=CzechIdM placeholder cert"+openssl req -new -key fakecert.key -out fakecert.csr -subj "//C=CZ\ST=Czech Republic\L=Prague\O=BCV\CN=CzechIdM placeholder cert"
 openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt
 keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks
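
Review bot: The new -subj value on the openssl req line ("//C=CZ\ST=...") is written in the form that MSYS-based shells such as Git Bash need to stop them rewriting the argument as a path, but the page never says which shell these commands are meant for. Passed from cmd.exe or PowerShell, the string reaches openssl unchanged and will not parse as the intended subject. Name the expected shell above the block, or show both variants. The existing comment about removing -subj is only a fallback and does not explain why the command would fail.
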
Line 122: Line 95:
 org.quartz.jobStore.tablePrefix=qrtz_ org.quartz.jobStore.tablePrefix=qrtz_
 </file> </file>
-  * The **C:\CzechIdM\etc\logback-spring.xml** specifies logging configuration. This is the default logging configuration that you can use out of the box.<code xml logback-spring.xml>+  * The **C:\CzechIdM\etc\logback-spring.xml** specifies logging configuration. This is the default logging configuration that you can use out of the box. 
 + 
 +<code xml logback-spring.xml>
 <?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
 <!-- https://springframework.guru/using-logback-spring-boot/ --> <!-- https://springframework.guru/using-logback-spring-boot/ -->
 <!-- http://logback.qos.ch/manual/appenders.html --> <!-- http://logback.qos.ch/manual/appenders.html -->
 <configuration> <configuration>
 +        <!-- !!!BEWARE!!! The specification of the LOG PATTERNS overrides the default configuration and increases the maximum length of the %logger{<size>} attribute. 
 +        It is neccessary for correct function of the AUDIT logging feature (redmine ticket #2717). If AUDIT logger key is longer then the set limit it gets shortened 
 +        and SIEM software is not able to parse logs properly. -->
 +        <property name="CONSOLE_LOG_PATTERN" value="%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n"/>
 +        <property name="FILE_LOG_PATTERN" value="%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n"/>
 +        
         <springProperty name="spring.profiles.active" source="spring.profiles.active"/>         <springProperty name="spring.profiles.active" source="spring.profiles.active"/>
         <include resource="org/springframework/boot/logging/logback/file-appender.xml"/>         <include resource="org/springframework/boot/logging/logback/file-appender.xml"/>
         <include resource="org/springframework/boot/logging/logback/defaults.xml"/>         <include resource="org/springframework/boot/logging/logback/defaults.xml"/>
         <springProfile name="production">         <springProfile name="production">
-                <logger name="eu.bcvsolutions" level="INFO"/>+         
 +                <springProperty name="spring.datasource.driver-class-name" source="spring.datasource.driver-class-name"/> 
 +                <springProperty name="spring.datasource.url" source="spring.datasource.url"/> 
 +                <springProperty name="spring.datasource.username" source="spring.datasource.username"/> 
 +                <springProperty name="spring.datasource.password" source="spring.datasource.password"/> 
 +  
 +                <appender name="DB" class="eu.bcvsolutions.idm.core.exception.IdmDbAppender"> 
 +                    <connectionSource class="ch.qos.logback.core.db.DriverManagerConnectionSource"> 
 +                      <driverClass>${spring.datasource.driver-class-name}</driverClass> 
 +                      <url>${spring.datasource.url}</url> 
 +                      <user>${spring.datasource.username}</user> 
 +                      <password>${spring.datasource.password}</password> 
 +                    </connectionSource> 
 +                </appender> 
 +  
 +                <appender name="DB_ASYNC" class="ch.qos.logback.classic.AsyncAppender"> 
 +                <appender-ref ref="DB" /> 
 +                     <includeCallerData>true</includeCallerData> 
 +                </appender> 
 +  
 +                <logger name="eu.bcvsolutions" level="INFO"> 
 +                     <appender-ref ref="DB_ASYNC" /> 
 +                </logger> 
 +        
                 <logger name="org.springframework" level="INFO"/>                 <logger name="org.springframework" level="INFO"/>
                 <logger name="org.springframework.web" level="INFO"/>                 <logger name="org.springframework.web" level="INFO"/>
                 <logger name="org.hibernate.SQL" level="INFO"/>                 <logger name="org.hibernate.SQL" level="INFO"/>
                 <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/>                 <logger name="org.hibernate.type.descriptor.sql.BasicBinder" level="INFO"/>
-                <appender name="idmclass="ch.qos.logback.core.rolling.RollingFileAppender"> +                <logger name="AUDIT" level="INFO"/> 
-                        <encoder> +
-                                <pattern> +
-                                         %d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{36}.%M : %msg%n +
-                                </pattern> +
-                        </encoder> +
-                        <file>logs/catalina.log</file> +
-                        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> +
-                                <fileNamePattern>logs/catalina.%d{yyyy-MM-dd}.log</fileNamePattern> +
-                                <maxHistory>90</maxHistory> +
-                        </rollingPolicy> +
-                </appender>      +
-                <root level="INFO"> +
-                        <appender-ref ref="idm"/> +
-                </root>+
         </springProfile>         </springProfile>
 </configuration> </configuration>
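
Review bot: On the new side the production profile has no root element with an appender-ref, and the added AUDIT logger has none either. Only the eu.bcvsolutions logger is attached, and only to DB_ASYNC. AUDIT is not a child of eu.bcvsolutions, so audit events have no visible destination in this file, which contradicts the new header comment about SIEM software parsing them. Either keep a root with a file appender or give AUDIT its own appender-ref. Two further points on the DB path: AsyncAppender with default settings discards INFO-and-below events once its queue is nearly full, which matters for a logger set to INFO, so consider <discardingThreshold>0</discardingThreshold>; and the removed RollingFileAppender carried the only retention setting (maxHistory 90), so the page should say how log retention is handled now.
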
Line 243: Line 234:
  
 There are two properties in application-production.properties that influence the confidential storage: There are two properties in application-production.properties that influence the confidential storage:
-  * You can set the 128bit (16byte) key directly in the property file using **cipher.crypt.secret.key** property or+  * You can set the 128bit (16byte) or 256bit (32byte) key directly in the property file using **cipher.crypt.secret.key** property or
   * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.   * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.
 <note warning>On Windows, you have to use separate file **secret.key**.</note> <note warning>On Windows, you have to use separate file **secret.key**.</note>
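
Review bot: The changed bullet now allows a 128bit or a 256bit key, but the unchanged second bullet still describes the key file only as "containing a random string", and the Windows note makes that file the only option here. State the exact length and encoding the file must have for each key size and how to generate it from a cryptographic random source. Also add a line on restricting the file's NTFS permissions to the account running Tomcat.
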
Line 249: Line 240:
 <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note> <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note>
  
-Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit key.+Confidential storage uses AES/CBC/PKCS5Padding (more info) algorithm which operates with 128bit or 256bit key. 
  
 === Attachment store === === Attachment store ===
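
Review bot: The new sentence keeps the words "(more info)" but drops the link they pointed to, leaving a dangling parenthetical. Restore the link or remove the parenthetical. Since the sentence now advertises two key sizes, it should also say whether an existing installation can move from a 128bit to a 256bit key and what happens to values already stored under the old key.
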
  • by fiserp