Differences
This shows you the differences between two versions of the page.
tutorial:adm:czechidm_installation_win [2019/10/17 13:26] urbanl Added changes in tomcat properties and logback spring for log rotation. |
tutorial:adm:czechidm_installation_win [2021/12/14 08:53] fiserp [Configure environment properties. Select application profile] |
Line 3: | Line 3: | ||
{{tag> | {{tag> | ||
- | We presume that the server is prepared as described in [[tutorial: | + | We presume that the server is prepared as described in [[.: |
This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (java, postgreSQL, Tomcat, Apache httpd). If you are looking for a demo installation please see [[: | This tutorial shows how to install full production-ready version of CzechIdM on standard software setup (java, postgreSQL, Tomcat, Apache httpd). If you are looking for a demo installation please see [[: | ||
==== Create DB user and database in PostgreSQL ==== | ==== Create DB user and database in PostgreSQL ==== | ||
- | Open a **PSQL** binary from the Start menu. A windows-cmd-like window should appear with a prompt. Create a db user and a database for CzechIdM. | ||
- | < | + | Open a **PSQL** binary from the Start menu (for the OpenSCG PostgreSQL) or fire-up the cmd terminal and run '' |
+ | < | ||
CREATE USER czechidm PASSWORD ' | CREATE USER czechidm PASSWORD ' | ||
+ | |||
+ | -- Choose appropriate collation and create database. | ||
+ | -- with english collation (we expect the default windows installation with cp1250/ | ||
CREATE DATABASE " | CREATE DATABASE " | ||
+ | -- with czech collation | ||
+ | CREATE DATABASE " | ||
+ | |||
</ | </ | ||
Use the pgAdmin or PSQL to test the database connection under the '' | Use the pgAdmin or PSQL to test the database connection under the '' | ||
==== JDBC driver installation ==== | ==== JDBC driver installation ==== | ||
- | Download the PostgreSQL JDBC driver from the [[https:// | + | |
+ | Download the newest | ||
==== Configure environment properties. Select application profile ==== | ==== Configure environment properties. Select application profile ==== | ||
+ | |||
Run the **Monitor Tomcat** application from the Start menu. Configure following settings: | Run the **Monitor Tomcat** application from the Start menu. Configure following settings: | ||
- | * Add '' | ||
- | * Add '' | ||
- | === Change Tomat logging properties === | + | * Add '' |
+ | * Add '' | ||
+ | * Add '' | ||
- | In order to set-up log rotation we need stop logging to stdout and start logging to catalina.log . | ||
- | Make these changes in file "/ | + | ==== Create CzechIdM configuration folders ==== |
- | Comment out console handler. We don't want tomcat to log to stdout or stderr. | + | |
- | < | + | |
- | handlers | + | |
- | # | + | |
- | .handlers = 1catalina.org.apache.juli.AsyncFileHandler | + | In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments. |
- | #.handlers = java.util.logging.ConsoleHandler, | + | |
- | #java.util.logging.ConsoleHandler.level = FINE | + | * The **etc** |
- | #java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter | + | * The **lib** |
- | </ | + | * The **backup** |
- | In 1catalina file handler change log level to " | + | * The **data** |
- | < | + | |
- | # | + | |
- | # | + | |
- | 1catalina.org.apache.juli.AsyncFileHandler.level = INFO | + | |
- | 1catalina.org.apache.juli.AsyncFileHandler.directory | + | |
- | 1catalina.org.apache.juli.AsyncFileHandler.prefix = tomcat | + | |
- | 1catalina.org.apache.juli.AsyncFileHandler.rotatable = false | + | |
- | 1catalina.org.apache.juli.AsyncFileHandler.suffix = .log | + | |
- | </ | + | |
+ | Create the directory structure: | ||
- | ==== Create CzechIdM configuration folders ==== | ||
- | In CzechIdM, you can store all deployment-specific configuration (i.e. database credentials) outside the war file. This is a configure-once approach which greatly simplifies future deployments. | ||
- | * The **etc** directory stores configuration files. | ||
- | * The **lib** directory stores additional jar libraries such as database drivers. | ||
- | * The **backup** directory stored Groovy scripts backups. | ||
- | * The **data** directory stores various user-attached files. | ||
- | |||
- | Create the directory structure: | ||
< | < | ||
C:\CzechIdM | C:\CzechIdM | ||
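Review bot: the whole "Change Tomat logging properties" section (the `handlers` / `1catalina.org.apache.juli.AsyncFileHandler.*` settings with `rotatable = false`) is dropped in this hunk and nothing visible replaces it, yet the 2019 revision summary says it was added precisely for log rotation. Either state in the new text where Tomcat's own catalina log rotation is now handled, or keep the section; the logback-spring.xml added later in this diff configures the application's logging, not Tomcat's. Minor: if the `**backup**` bullet keeps the previous wording "stored Groovy scripts backups", change it to "stores".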
Line 65: | Line 51: | ||
C: | C: | ||
C: | C: | ||
+ | |||
</ | </ | ||
==== Create SSL truststore ==== | ==== Create SSL truststore ==== | ||
+ | |||
Open the Git Bash and navigate to the ''/ | Open the Git Bash and navigate to the ''/ | ||
- | < | + | |
+ | < | ||
openssl genrsa -out fakecert.key | openssl genrsa -out fakecert.key | ||
- | openssl req -new -key fakecert.key -out fakecert.csr -subj "/C=CZ/ST=Czech Republic/L=Prague/O=BCV/CN=CzechIdM placeholder cert" | + | # if the following command fails, remove the parameter -subj and supply the values interactively |
+ | openssl req -new -key fakecert.key -out fakecert.csr -subj "//C=CZ\ST=Czech Republic\L=Prague\O=BCV\CN=CzechIdM placeholder cert" | ||
openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt | openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt | ||
keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks | keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks | ||
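Review bot: the new `-subj "//C=CZ\ST=Czech Republic\L=Prague\O=BCV\CN=..."` form (leading `//`, backslash separators) is the Git Bash / MSYS workaround for its automatic conversion of arguments starting with `/` into Windows paths; the comment above it only says "if the following command fails", so say why the form differs, and that in any other shell the usual `/C=CZ/ST=Czech Republic/L=Prague/O=BCV/CN=...` form from the previous revision is the one to use. Also consider an explicit key size in `openssl genrsa -out fakecert.key` (for example 2048), since without it the size depends on the installed OpenSSL version's default; it is only a placeholder certificate, but the generated command should not depend on the tool version.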
Line 81: | Line 71: | ||
rm fakecert.key fakecert.csr fakecert.crt | rm fakecert.key fakecert.csr fakecert.crt | ||
+ | |||
</ | </ | ||
- | Then adjust Tomcat configuration - the '' | + | Then adjust Tomcat configuration - the '' |
Save the configuration and restart the Tomcat for changes to take effect. | Save the configuration and restart the Tomcat for changes to take effect. | ||
+ | |||
==== Create CzechIdM configuration ==== | ==== Create CzechIdM configuration ==== | ||
- | Now we will create configuration files the CzechIdM will use. | + | |
- | < | + | Now we will create configuration files the CzechIdM will use. < |
- | * The **C: | + | |
+ | * The **C: | ||
+ | |||
+ | < | ||
cd / | cd / | ||
# start the vim editor | # start the vim editor | ||
Line 102: | Line 97: | ||
xxd -p secret.key | xxd -p secret.key | ||
... hex dump here ... text dump here ... | ... hex dump here ... text dump here ... | ||
- | ... 0a ...</ | + | ... 0a ... |
- | * The **C: | + | |
+ | </ | ||
+ | |||
+ | * The **C: | ||
+ | |||
+ | <file properties quartz-production.properties> | ||
org.quartz.scheduler.instanceName=idm-scheduler-instance | org.quartz.scheduler.instanceName=idm-scheduler-instance | ||
org.quartz.scheduler.instanceId=AUTO | org.quartz.scheduler.instanceId=AUTO | ||
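Review bot: the `xxd -p secret.key` output ending in `... 0a ...` shows a trailing newline byte in the key file, and the plain hex dump is presumably there so the reader can check for exactly that; say explicitly whether the file must be saved without the trailing newline (the vim step just above suggests it should), because if the file referenced by `cipher.crypt.secret.keyPath` is read verbatim, the newline becomes part of the key bytes.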
Line 115: | Line 115: | ||
org.quartz.jobStore.misfireThreshold=60000 | org.quartz.jobStore.misfireThreshold=60000 | ||
org.quartz.jobStore.tablePrefix=qrtz_ | org.quartz.jobStore.tablePrefix=qrtz_ | ||
+ | |||
+ | |||
</ | </ | ||
- | | + | |
+ | | ||
+ | |||
+ | logback-spring.xml | ||
+ | |||
+ | < | ||
<?xml version=" | <?xml version=" | ||
<!-- https:// | <!-- https:// | ||
<!-- http:// | <!-- http:// | ||
< | < | ||
+ | <!-- !!!BEWARE!!! The specification of the LOG PATTERNS overrides the default configuration and increases the maximum length of the %logger{< | ||
+ | It is neccessary for correct function of the AUDIT logging feature (redmine ticket #2717). If AUDIT logger key is longer then the set limit it gets shortened | ||
+ | and SIEM software is not able to parse logs properly. --> | ||
+ | < | ||
+ | < | ||
+ | |||
< | < | ||
<include resource=" | <include resource=" | ||
<include resource=" | <include resource=" | ||
< | < | ||
- | | + | |
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | |||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | |||
+ | | ||
+ | < | ||
+ | </ | ||
<logger name=" | <logger name=" | ||
<logger name=" | <logger name=" | ||
<logger name=" | <logger name=" | ||
<logger name=" | <logger name=" | ||
+ | <logger name=" | ||
< | < | ||
< | < | ||
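Review bot: spelling in the new `!!!BEWARE!!!` comment in logback-spring.xml: "neccessary" should be "necessary" and "longer then the set limit" should be "longer than the set limit". The comment itself is worth keeping next to the pattern definitions, because it documents why the `%logger{...}` length is widened: a shortened AUDIT logger key produces lines the SIEM cannot parse (redmine ticket #2717), so anyone later "simplifying" the pattern would silently break audit log ingestion.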
Line 136: | Line 173: | ||
</ | </ | ||
</ | </ | ||
- | < | + | < |
+ | | ||
+ | | ||
< | < | ||
< | < | ||
< | < | ||
</ | </ | ||
- | </ | + | </ |
<root level=" | <root level=" | ||
< | < | ||
Line 147: | Line 186: | ||
</ | </ | ||
</ | </ | ||
+ | |||
+ | |||
</ | </ | ||
- | | + | |
+ | | ||
+ | |||
+ | <file properties application-production.properties> | ||
# Doc: https:// | # Doc: https:// | ||
- | + | ||
idm.pub.app.instanceId=idm-primary | idm.pub.app.instanceId=idm-primary | ||
idm.pub.app.stage=production | idm.pub.app.stage=production | ||
- | + | ||
spring.datasource.url=jdbc: | spring.datasource.url=jdbc: | ||
spring.datasource.username=czechidm | spring.datasource.username=czechidm | ||
Line 163: | Line 207: | ||
spring.jpa.hibernate.ddl-auto=none | spring.jpa.hibernate.ddl-auto=none | ||
flyway.enabled=true | flyway.enabled=true | ||
- | + | ||
- | scheduler.enabled=true | + | |
- | scheduler.task.queue.process=1000 | + | |
- | scheduler.event.queue.process=1000 | + | |
scheduler.properties.location=quartz-production.properties | scheduler.properties.location=quartz-production.properties | ||
+ | |||
logging.config=c:/ | logging.config=c:/ | ||
+ | |||
idm.sec.core.demo.data.enabled=false | idm.sec.core.demo.data.enabled=false | ||
- | + | ||
- | #spring.cache.ehcache.config=classpath: | + | # attachments will be stored under this path. |
- | + | # new directories for attachment will be created in this folder (permissions has to be added) | |
- | spring.activiti.processDefinitionLocationPrefix=classpath*:/ | + | # System.getProperty(" |
- | idm.sec.core.notification.template.folder=classpath*:/eu/ | + | idm.sec.core.attachment.storagePath=c:/czechidm/data |
- | idm.sec.core.script.folder=classpath*:/ | + | # configuration property for default backup |
- | # configuration property for default backup | + | |
idm.sec.core.backups.default.folder.path=c:/ | idm.sec.core.backups.default.folder.path=c:/ | ||
- | + | ||
- | + | ||
idm.pub.security.allowed-origins=http:// | idm.pub.security.allowed-origins=http:// | ||
# Generate JWT token security string as "cat / | # Generate JWT token security string as "cat / | ||
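Review bot: this hunk removes the explicit `scheduler.enabled=true`, `scheduler.task.queue.process=1000` and `scheduler.event.queue.process=1000` while keeping `scheduler.properties.location=quartz-production.properties`; confirm that the application defaults match the removed values (in particular that the scheduler is enabled by default), or say so in the text, since the quartz configuration added earlier in this diff is only used when the scheduler runs. Minor grammar in the moved attachment comment: "permissions has to be added" should be "permissions have to be added".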
Line 186: | Line 227: | ||
idm.sec.security.jwt.expirationTimeout=36000000 | idm.sec.security.jwt.expirationTimeout=36000000 | ||
- | # recaptcha | ||
- | # - recaptchaservice endpoint | ||
- | # | ||
- | # - secret key, can be generated here https:// | ||
- | idm.sec.security.recaptcha.secretKey=xxx | ||
- | # Proxy for HTTP requests | ||
- | # | ||
- | |||
# Cipher secret key for crypt values in confidential storage | # Cipher secret key for crypt values in confidential storage | ||
# for crypt values is used secretKey or secretKey defined by file - secretKeyPath | # for crypt values is used secretKey or secretKey defined by file - secretKeyPath | ||
# | # | ||
cipher.crypt.secret.keyPath=c:/ | cipher.crypt.secret.keyPath=c:/ | ||
- | + | ||
- | + | # Defaults for: emailer.* | |
+ | # test.enabled=true means mail WILL NOT be sent | ||
idm.sec.core.emailer.test.enabled=true | idm.sec.core.emailer.test.enabled=true | ||
# http:// | # http:// | ||
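Review bot: the new comment "test.enabled=true means mail WILL NOT be sent" beside `idm.sec.core.emailer.test.enabled=true` is a good clarification; add the follow-up that this must be set to `false` once the SMTP properties below it are filled in, otherwise notifications (including password-related ones) are silently swallowed in production. Removing the `idm.sec.security.recaptcha.secretKey=xxx` placeholder and the commented proxy lines from the template is an improvement: a literal `xxx` secret left in a production file is worse than the property being absent.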
Line 208: | Line 242: | ||
# idm.sec.core.emailer.password=password | # idm.sec.core.emailer.password=password | ||
idm.sec.core.emailer.from=czechidm@localhost | idm.sec.core.emailer.from=czechidm@localhost | ||
- | + | ||
- | ## Global property that allow disable or enable sending notification from WF | + | |
- | idm.sec.core.wf.notification.send=false | + | |
- | + | ||
- | + | ||
- | # supports delete identity | + | |
- | idm.pub.core.identity.delete=true | + | |
- | # | + | |
- | # default password change type for custom users, one of values: | + | |
- | # DISABLED - password change is disable | + | |
- | # ALL_ONLY - users can change passwords only for all accounts | + | |
- | # CUSTOM - users can choose for which accounts change password | + | |
- | idm.pub.core.identity.passwordChange=ALL_ONLY | + | |
- | # | + | |
- | # required old password for change password | + | |
- | idm.pub.core.identity.passwordChange.requireOldPassword=true | + | |
- | # | + | |
- | # create default identity' | + | |
- | idm.pub.core.identity.create.defaultContract.enabled=true | + | |
- | + | ||
- | + | ||
# Default user role will be added automatically, | # Default user role will be added automatically, | ||
# could contains default authorities and authority policies configuration | # could contains default authorities and authority policies configuration | ||
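Review bot: dropping the explicit `idm.pub.core.identity.passwordChange.requireOldPassword=true`, `idm.pub.core.identity.passwordChange=ALL_ONLY`, `idm.pub.core.identity.delete=true` and `idm.sec.core.wf.notification.send=false` changes the effective configuration unless the application defaults are identical; requiring the old password on a password change is the conservative setting, so either confirm the defaults in the text or keep those lines. The revision summary ("Configure environment properties. Select application profile") does not mention this behavioural change.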
Line 235: | Line 249: | ||
# Admin user role | # Admin user role | ||
idm.sec.core.role.admin=superAdminRole | idm.sec.core.role.admin=superAdminRole | ||
- | |||
- | |||
- | # ID system against which to authenticate | ||
- | idm.sec.security.auth.systemId= | ||
- | # attachments will be stored under this path. | + | # Max file size of uploaded file. Values can use the suffixed " |
- | # new directories for attachment will be created in this folder (permissions has to be added) | + | spring.servlet.multipart.max-file-size=100MB |
- | # System.getProperty(" | + | spring.servlet.multipart.max-request-size=100MB |
- | idm.sec.core.attachment.storagePath=c:/ | + | |
</ | </ | ||
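Review bot: the new `spring.servlet.multipart.max-file-size=100MB` and `spring.servlet.multipart.max-request-size=100MB` set a fairly generous upload limit for the attachment store (now configured earlier in the file as `c:/czechidm/data`); say that the value should be lowered to what the deployment actually needs, and that the Apache httpd in front of Tomcat (named in the introduction) has its own request-body limit (`LimitRequestBody`) which has to agree with this one, otherwise uploads fail at the proxy with no hint in the IdM configuration. Keep `max-request-size` greater than or equal to `max-file-size`, as it is here.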
=== Adjust database configuration === | === Adjust database configuration === | ||
- | If you followed this howto, the only thing you should need to adjust is a **spring.datasource.password** propetry. Set it to the password for czechidm user in PostgreSQL. | + | |
- | If necessary, adjust other database connection properties... <code properties> | + | If you followed this howto, the only thing you should need to adjust is a **spring.datasource.password** |
+ | |||
+ | <code properties> | ||
spring.datasource.url=jdbc: | spring.datasource.url=jdbc: | ||
spring.datasource.username=czechidm | spring.datasource.username=czechidm | ||
Line 255: | Line 268: | ||
spring.datasource.validationQuery=SELECT 1 | spring.datasource.validationQuery=SELECT 1 | ||
spring.datasource.test-on-borrow=true | spring.datasource.test-on-borrow=true | ||
+ | |||
+ | |||
</ | </ | ||
=== Generate JWT token === | === Generate JWT token === | ||
- | Set value of the **idm.sec.security.jwt.secret.token** property as is described in the template file:< | + | |
+ | Set value of the **idm.sec.security.jwt.secret.token** | ||
+ | |||
+ | <code properties> | ||
# Generate JWT token security string as "cat / | # Generate JWT token security string as "cat / | ||
# We recommend the VALUE to be at least 25. | # We recommend the VALUE to be at least 25. | ||
idm.sec.security.jwt.secret.token=********** TODO ********* | idm.sec.security.jwt.secret.token=********** TODO ********* | ||
+ | |||
+ | |||
</ | </ | ||
=== Local confidential storage === | === Local confidential storage === | ||
- | Local confidential storage is encrypted by AES algoritm. [[https:// | + | Local confidential storage is encrypted by AES algoritm. [[https:// |
- | Confidential storage is encrypted by a key found in **secret.key** file you already created. | + | |
There are two properties in application-production.properties that influence the confidential storage: | There are two properties in application-production.properties that influence the confidential storage: | ||
- | | + | |
- | * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property. | + | |
+ | * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** | ||
<note warning> | <note warning> | ||
<note warning> | <note warning> | ||
- | Confidential storage uses AES/ | + | Confidential storage uses AES/ |
=== Attachment store === | === Attachment store === | ||
- | In CzechIdM, users can sometimes add attachments (say, attach *.jpeg photo to their employee card request). Those files are stored in the attachment store. | + | |
- | With the following property, you can configure, where the store is. If you used sample property file, the store is by-default located under '' | + | In CzechIdM, users can sometimes add attachments (say, attach *.jpeg photo to their employee card request). Those files are stored in the attachment store. With the following property, you can configure, where the store is. If you used sample property file, the store is by-default located under '' |
<code properties> | <code properties> | ||
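Review bot: `idm.sec.security.jwt.secret.token=********** TODO *********` is a literal, publicly documented placeholder; add a sentence that CzechIdM must not be started until it is replaced, since a token-signing secret that appears in a tutorial is not a secret. The recommendation "the VALUE to be at least 25" should say what the unit is (characters of the generated string). Typo carried on both sides in the "Local confidential storage" paragraph: "algoritm" should be "algorithm".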
Line 287: | Line 308: | ||
# System.getProperty(" | # System.getProperty(" | ||
idm.sec.core.attachment.storagePath=c:/ | idm.sec.core.attachment.storagePath=c:/ | ||
+ | |||
+ | |||
</ | </ | ||
=== Environment === | === Environment === | ||
- | If you install CzechIdM in multiple environments (typically test and production), | + | If you install CzechIdM in multiple environments (typically test and production), |
<code properties> | <code properties> | ||
# Application stage (development, | # Application stage (development, | ||
idm.pub.app.stage=production | idm.pub.app.stage=production | ||
+ | |||
+ | |||
</ | </ | ||
+ | |||
==== Deploy the CzechIdM ==== | ==== Deploy the CzechIdM ==== | ||
+ | |||
CzechIdM is deployed as a WAR archive. | CzechIdM is deployed as a WAR archive. | ||
+ | |||
* Download the latest CzechIdM WAR archive. | * Download the latest CzechIdM WAR archive. | ||
* Stop the Tomcat service. | * Stop the Tomcat service. | ||
- | * Renamed it to '' | + | * Renamed it to '' |
- | * Start the Tomcat container and it will deploy the CzechIdM application. CzechIdM will load its configuration from the '' | + | * Start the Tomcat container and it will deploy the CzechIdM application. CzechIdM will load its configuration from the '' |
===== Change default admin password ===== | ===== Change default admin password ===== | ||
- | In the fresh CzechIdM installation, | + | |
+ | In the fresh CzechIdM installation, | ||
===== Configure IdM ===== | ===== Configure IdM ===== | ||
- | Follow some final configuration steps: [[tutorial: | + | Follow some final configuration steps: [[.: |
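Review bot: in the deployment list, "Renamed it to ..." should be the imperative "Rename it to ...", matching the other steps ("Download", "Stop", "Start"). The "Change default admin password" step is the right place to stress that it is done before exposing the instance through the httpd front end, since the fresh installation ships with a known default.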