Differences
This shows you the differences between two versions of the page.
tutorial:adm:czechidm_installation_win [2018/04/06 14:34] fiserp [Create CzechIdM configuration folders]
tutorial:adm:czechidm_installation_win [2021/12/14 08:53] (current) fiserp [Configure environment properties. Select application profile]
Line 1: | Line 1: | ||
+ | ====== Installation of CzechIdM - Windows ====== | ||
+ | |||
+ | {{tag> | ||
+ | |||
+ | We presume that the server is prepared as described in [[.: | ||
+ | |||
+ | This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (java, postgreSQL, Tomcat, Apache httpd). If you are looking for a demo installation please see [[: | ||
+ | |||
+ | ==== Create DB user and database in PostgreSQL ==== | ||
+ | |||
+ | Open a **PSQL** binary from the Start menu (for the OpenSCG PostgreSQL) or fire-up the cmd terminal and run '' | ||
+ | <code sql> | ||
+ | CREATE USER czechidm PASSWORD ' | ||
+ | |||
+ | -- Choose appropriate collation and create database. | ||
+ | -- with english collation (we expect the default windows installation with cp1250/ | ||
+ | CREATE DATABASE " | ||
+ | -- with czech collation | ||
+ | CREATE DATABASE " | ||
+ | |||
+ | </ | ||
+ | |||
+ | Use the pgAdmin or PSQL to test the database connection under the '' | ||
+ | ==== JDBC driver installation ==== | ||
+ | |||
+ | Download the newest PostgreSQL JDBC driver( version 42.2.6 and newer) from the [[https:// | ||
+ | ==== Configure environment properties. Select application profile ==== | ||
+ | |||
+ | Run the **Monitor Tomcat** application from the Start menu. Configure following settings: | ||
+ | |||
+ | * Add '' | ||
+ | * Add '' | ||
+ | * Add '' | ||
+ | |||
+ | |||
+ | ==== Create CzechIdM configuration folders ==== | ||
+ | |||
+ | In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments. | ||
+ | |||
+ | * The **etc** | ||
+ | * The **lib** | ||
+ | * The **backup** | ||
+ | * The **data** | ||
+ | |||
+ | Create the directory structure: | ||
+ | |||
+ | < | ||
+ | C:\CzechIdM | ||
+ | C: | ||
+ | C: | ||
+ | C: | ||
+ | C: | ||
+ | |||
+ | </ | ||
+ | |||
+ | ==== Create SSL truststore ==== | ||
+ | |||
+ | Open the Git Bash and navigate to the ''/ | ||
+ | |||
+ | <code bash> | ||
+ | openssl genrsa -out fakecert.key | ||
+ | # if the following command fails, remove the parameter -subj and supply the values interactively | ||
+ | openssl req -new -key fakecert.key -out fakecert.csr -subj "// | ||
+ | openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt | ||
+ | keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks | ||
+ | Enter keystore password: | ||
+ | Re-enter new password: | ||
+ | ... | ||
+ | Trust this certificate? | ||
+ | Certificate was added to keystore | ||
+ | |||
+ | rm fakecert.key fakecert.csr fakecert.crt | ||
+ | |||
+ | </ | ||
+ | |||
+ | Then adjust Tomcat configuration - the '' | ||
+ | |||
+ | Save the configuration and restart the Tomcat for changes to take effect. | ||
+ | |||
+ | ==== Create CzechIdM configuration ==== | ||
+ | |||
+ | Now we will create configuration files the CzechIdM will use. < | ||
+ | |||
+ | * The **C: | ||
+ | |||
+ | < | ||
+ | cd / | ||
+ | # start the vim editor | ||
+ | vim secret.key | ||
+ | # press " | ||
+ | # type the 16 characters of the secret key | ||
+ | # press ESC to switch to command mode | ||
+ | # type :wq | ||
+ | # press ENTER | ||
+ | # now you should see that secret.key file has been created, check its contents | ||
+ | # the file should be EXACTLY 17 BYTES LONG, 16 bytes for your key and the last byte " | ||
+ | xxd -p secret.key | ||
+ | ... hex dump here ... text dump here ... | ||
+ | ... 0a ... | ||
+ | |||
+ | </ | ||
+ | |||
+ | * The **C: | ||
+ | |||
+ | <file properties quartz-production.properties> | ||
+ | org.quartz.scheduler.instanceName=idm-scheduler-instance | ||
+ | org.quartz.scheduler.instanceId=AUTO | ||
+ | org.quartz.scheduler.skipUpdateCheck=true | ||
+ | org.quartz.threadPool.class=org.quartz.simpl.SimpleThreadPool | ||
+ | org.quartz.threadPool.threadCount=10 | ||
+ | org.quartz.threadPool.threadPriority=4 | ||
+ | org.quartz.jobStore.class=org.quartz.impl.jdbcjobstore.JobStoreTX | ||
+ | org.quartz.jobStore.driverDelegateClass=org.quartz.impl.jdbcjobstore.PostgreSQLDelegate | ||
+ | org.quartz.jobStore.useProperties=false | ||
+ | org.quartz.jobStore.misfireThreshold=60000 | ||
+ | org.quartz.jobStore.tablePrefix=qrtz_ | ||
+ | |||
+ | |||
+ | </ | ||
+ | |||
+ | * The **C: | ||
+ | |||
+ | logback-spring.xml | ||
+ | |||
+ | <code xml> | ||
+ | <?xml version=" | ||
+ | <!-- https:// | ||
+ | <!-- http:// | ||
+ | < | ||
+ | <!-- !!!BEWARE!!! The specification of the LOG PATTERNS overrides the default configuration and increases the maximum length of the %logger{< | ||
+ | It is neccessary for correct function of the AUDIT logging feature (redmine ticket #2717). If AUDIT logger key is longer then the set limit it gets shortened | ||
+ | and SIEM software is not able to parse logs properly. --> | ||
+ | < | ||
+ | < | ||
+ | |||
+ | < | ||
+ | <include resource=" | ||
+ | <include resource=" | ||
+ | < | ||
+ | |||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | |||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | |||
+ | <logger name=" | ||
+ | < | ||
+ | </ | ||
+ | |||
+ | <logger name=" | ||
+ | <logger name=" | ||
+ | <logger name=" | ||
+ | <logger name=" | ||
+ | <logger name=" | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | | ||
+ | </ | ||
+ | </ | ||
+ | < | ||
+ | logs/ | ||
+ | </ | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | </ | ||
+ | <root level=" | ||
+ | < | ||
+ | </ | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | |||
+ | </ | ||
+ | |||
+ | * The most important file is **C: | ||
+ | |||
+ | <file properties application-production.properties> | ||
+ | # Doc: https:// | ||
+ | |||
+ | idm.pub.app.instanceId=idm-primary | ||
+ | idm.pub.app.stage=production | ||
+ | |||
+ | spring.datasource.url=jdbc: | ||
+ | spring.datasource.username=czechidm | ||
+ | spring.datasource.password=********** TODO ********* | ||
+ | spring.datasource.driver-class-name=org.postgresql.Driver | ||
+ | spring.datasource.validationQuery=SELECT 1 | ||
+ | spring.datasource.test-on-borrow=true | ||
+ | spring.jpa.generate-ddl=false | ||
+ | spring.jpa.hibernate.ddl-auto=none | ||
+ | flyway.enabled=true | ||
+ | |||
+ | scheduler.properties.location=quartz-production.properties | ||
+ | |||
+ | logging.config=c:/ | ||
+ | |||
+ | idm.sec.core.demo.data.enabled=false | ||
+ | |||
+ | # attachments will be stored under this path. | ||
+ | # new directories for attachment will be created in this folder (permissions has to be added) | ||
+ | # System.getProperty(" | ||
+ | idm.sec.core.attachment.storagePath=c:/ | ||
+ | # configuration property for default backup | ||
+ | idm.sec.core.backups.default.folder.path=c:/ | ||
+ | |||
+ | idm.pub.security.allowed-origins=http:// | ||
+ | # Generate JWT token security string as "cat / | ||
+ | # We recommend the VALUE to be at least 25. | ||
+ | idm.sec.security.jwt.secret.token=********** TODO ********* | ||
+ | idm.sec.security.jwt.expirationTimeout=36000000 | ||
+ | |||
+ | # Cipher secret key for crypt values in confidential storage | ||
+ | # for crypt values is used secretKey or secretKey defined by file - secretKeyPath | ||
+ | # | ||
+ | cipher.crypt.secret.keyPath=c:/ | ||
+ | |||
+ | # Defaults for: emailer.* | ||
+ | # test.enabled=true means mail WILL NOT be sent | ||
+ | idm.sec.core.emailer.test.enabled=true | ||
+ | # http:// | ||
+ | idm.sec.core.emailer.protocol=smtp | ||
+ | idm.sec.core.emailer.host=something.tld | ||
+ | idm.sec.core.emailer.port=25 | ||
+ | # idm.sec.core.emailer.username=czechidm@domain.tld | ||
+ | # idm.sec.core.emailer.password=password | ||
+ | idm.sec.core.emailer.from=czechidm@localhost | ||
+ | |||
+ | # Default user role will be added automatically, | ||
+ | # could contains default authorities and authority policies configuration | ||
+ | # for adding autocomplete or all record read permission etc. | ||
+ | idm.sec.core.role.default=userRole | ||
+ | # Admin user role | ||
+ | idm.sec.core.role.admin=superAdminRole | ||
+ | |||
+ | # Max file size of uploaded file. Values can use the suffixed " | ||
+ | spring.servlet.multipart.max-file-size=100MB | ||
+ | spring.servlet.multipart.max-request-size=100MB | ||
+ | |||
+ | |||
+ | </ | ||
+ | |||
+ | === Adjust database configuration === | ||
+ | |||
+ | If you followed this howto, the only thing you should need to adjust is a **spring.datasource.password** | ||
+ | |||
+ | <code properties> | ||
+ | spring.datasource.url=jdbc: | ||
+ | spring.datasource.username=czechidm | ||
+ | spring.datasource.password=********** TODO ********* | ||
+ | spring.datasource.driver-class-name=org.postgresql.Driver | ||
+ | spring.datasource.validationQuery=SELECT 1 | ||
+ | spring.datasource.test-on-borrow=true | ||
+ | |||
+ | |||
+ | </ | ||
+ | |||
+ | === Generate JWT token === | ||
+ | |||
+ | Set value of the **idm.sec.security.jwt.secret.token** | ||
+ | |||
+ | <code properties> | ||
+ | # Generate JWT token security string as "cat / | ||
+ | # We recommend the VALUE to be at least 25. | ||
+ | idm.sec.security.jwt.secret.token=********** TODO ********* | ||
+ | |||
+ | |||
+ | </ | ||
+ | |||
+ | === Local confidential storage === | ||
+ | |||
+ | Local confidential storage is encrypted by AES algoritm. [[https:// | ||
+ | |||
+ | There are two properties in application-production.properties that influence the confidential storage: | ||
+ | |||
+ | * You can set the 128bit (16byte) or 256bit (32byte) key directly in the property file using **cipher.crypt.secret.key** | ||
+ | * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** | ||
+ | |||
+ | <note warning> | ||
+ | |||
+ | <note warning> | ||
+ | |||
+ | Confidential storage uses AES/ | ||
+ | |||
+ | === Attachment store === | ||
+ | |||
+ | In CzechIdM, users can sometimes add attachments (say, attach *.jpeg photo to their employee card request). Those files are stored in the attachment store. With the following property, you can configure, where the store is. If you used sample property file, the store is by-default located under '' | ||
+ | |||
+ | <code properties> | ||
+ | # attachments will be stored under this path. | ||
+ | # new directories for attachment will be created in this folder (permissions has to be added) | ||
+ | # System.getProperty(" | ||
+ | idm.sec.core.attachment.storagePath=c:/ | ||
+ | |||
+ | |||
+ | </ | ||
+ | |||
+ | === Environment === | ||
+ | |||
+ | If you install CzechIdM in multiple environments (typically test and production), | ||
+ | |||
+ | <code properties> | ||
+ | # Application stage (development, | ||
+ | idm.pub.app.stage=production | ||
+ | |||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | ==== Deploy the CzechIdM ==== | ||
+ | |||
+ | CzechIdM is deployed as a WAR archive. | ||
+ | |||
+ | * Download the latest CzechIdM WAR archive. | ||
+ | * Stop the Tomcat service. | ||
+ | * Renamed it to '' | ||
+ | * Start the Tomcat container and it will deploy the CzechIdM application. CzechIdM will load its configuration from the '' | ||
+ | |||
+ | ===== Change default admin password ===== | ||
+ | |||
+ | In the fresh CzechIdM installation, | ||
+ | |||
+ | ===== Configure IdM ===== | ||
+ | |||
+ | Follow some final configuration steps: [[.: | ||
+ | |||