Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
tutorial:adm:installation_script_-_centos [2018/08/17 19:53]
apeterova typos
tutorial:adm:installation_script_-_centos [2019/04/12 10:39]
fiserp [Step 5: mod_deflate configuration]
Line 1: Line 1:
 +====== Installation script for CzechIdM ======
  
 +LINK to the script       //#TODO soon//
 +
 +===== About script =====
 +
 +The script was developed to make it easier for developers to prepare server and install CzechIdM. This script replaces tutorials Server preparation and Install CzechIdM.
 +
 +Make sure that your server is running on CentOS. Otherwise, you need to use a different tutorial.
 +
 +===== How to use this script =====
 +
 +==== Step 1: Change tomcat mirror in script ====
 +
 +In the script find the line, where tomcat is downloaded (only **wget** used there) and change it according to this [[https://tomcat.apache.org/download-80.cgi|link]].
 +
 +==== Step 2: Copy script to the server ====
 +
 +Connect to your server and then copy your script there.
 +<code>
 +scp czechidm-install.sh <destination>
 +</code>
 +
 +==== Step 3: Right to execute ====
 +
 +We will need to execute this script, so we need our script to be executable:
 +
 +<code>
 +chmod +x czechidm-install.sh
 +</code>
 +
 +==== Step 4: Configure YUM repository ====
 +
 +Before we start actual script it is advised to change the file CentOS-Base.repo.
 +
 +As root, edit your /etc/yum.repos.d/CentOS-Base.repo file,
 +to the sections [base] and [updates] append a line:
 +
 +<code>
 +exclude=postgresql*
 +</code>
 +
 +The script will ask to do so in right after it starts. You can just skip it.
 +
 +==== Step 5: Start the script ====
 +
 +The only thing left is to start the actual script and follow the steps.
 +
 +===== Settings after script =====
 +
 +==== Step 1: Apache Tomcat configuration ====
 +
 +  * Do not show application server version:
 +    * In the file ''/opt/tomcat/current/conf/web.xml'' set showServerInfo to false (default is true):
 +
 +<code xml>
 +    <servlet>
 +        <servlet-name>default</servlet-name>
 +        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
 +        <init-param>
 +            <param-name>debug</param-name>
 +            <param-value>0</param-value>
 +        </init-param>
 +        <init-param>
 +            <param-name>listings</param-name>
 +            <param-value>false</param-value>
 +        </init-param>
 +        <init-param>
 +            <param-name>showServerInfo</param-name>
 +            <param-value>false</param-value>
 +        </init-param>
 +        <load-on-startup>1</load-on-startup>
 +    </servlet>
 +</code>
 +
 +==== Step 2: mod_security configuration ====
 +
 +Mod_security files locations (on CentOS7):
 +
 +  * Audit log: ''/var/log/httpd/modsec\_audit.log''
 +  * Directory with activated rules: ''/etc/httpd/modsecurity.d/activated\_rules/''
 +  * basic configuration file for mod\_security: ''/etc/httpd/modsecurity.d/modsecurity\_crs\_10\_config.conf''
 +  * The file for chosen rules deactivation: ''/etc/httpd/conf.d/ssl.conf''
 +
 +The default set of rules is relatively strict. CzechIdM cannot run with the default configuration of mod_security.
 +
 +Each rule is identified by a unique ID. If you want to deactivate the whole rule, it is advised to write the rule ID into ssl.conf like this:
 +
 +<code xml>
 +  <IfModule mod_security2.c>
 +    SecRuleRemoveById RULE_ID
 +  </IfModule>
 +</code>
 +
 +==== Sep 3: mod_security configuration  ====
 +
 +In the file /etc/httpd/modsecurity.d/modsecurity\_crs\_10\_config.conf, find the rule with id=900012 and add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, then allow PUT DELETE and PATCH methods on the line with tx.allowed\_methods.
 +Whole rule after the changes looks like this:
 +
 +<code>
 +SecAction \
 +  "id:'900012', \
 +  phase:1, \
 +  t:none, \
 +  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE', \
 +  setvar:'tx.allowed_request_content_type=application/hal+json|application/json|text/plain|application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', \
 +  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
 +  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
 +  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
 +  nolog, \
 +  pass"
 +</code>
 +
 +==== Step 4: Disabling mod_security rules ====
 +
 +In the file ''/etc/httpd/conf.d/ssl.conf'' deactivate following rules and set their logging:
 +<code xml>
 +<IfModule mod_security2.c>
 +        SecRuleRemoveById 981173
 +        SecRuleRemoveById 960015
 +        SecRuleRemoveById 950109
 +
 +        # Allow Czech signs
 +        SecRuleRemoveById 981318
 +        SecRuleRemoveById 981242
 +        SecRuleRemoveById 960024
 +        SecRuleRemoveById 981245
 +        
 +        # Too restrictive for login format
 +        SecRuleRemoveById 960035
 +
 +        # Needed by Websockets 
 +        <Location "/idm/api/v1/websocket-info/">
 +                SecRuleRemoveById 970901
 +        </Location>
 +        
 +        # These break Certificate Authority module
 + <Location "/idm/api/v1/crt/certificates/action/validate">
 + SecRuleRemoveById 960915
 + SecRuleRemoveById 200003
 + </Location>
 +
 +        # do not log request/response body
 +        SecAuditLogParts ABFHZ
 +</IfModule>
 +</code>
 +
 +==== Step 5: mod_deflate configuration ====
 +It is advised to set up gzip so the users get minimum of data from the frontend server.
 +In the file ''/etc/httpd/conf.d/ssl.conf'' we add following configuration and restart the server:
 +<code xml>
 +<IfModule mod_deflate.c>
 +        # Compress HTML, CSS, JavaScript, Text, XML and fonts
 +        AddOutputFilterByType DEFLATE application/javascript
 +        AddOutputFilterByType DEFLATE application/rss+xml
 +        AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
 +        AddOutputFilterByType DEFLATE application/x-font
 +        AddOutputFilterByType DEFLATE application/x-font-opentype
 +        AddOutputFilterByType DEFLATE application/x-font-otf
 +        AddOutputFilterByType DEFLATE application/x-font-truetype
 +        AddOutputFilterByType DEFLATE application/x-font-ttf
 +        AddOutputFilterByType DEFLATE application/x-javascript
 +        AddOutputFilterByType DEFLATE application/xhtml+xml
 +        AddOutputFilterByType DEFLATE application/xml
 +        AddOutputFilterByType DEFLATE font/opentype
 +        AddOutputFilterByType DEFLATE font/otf
 +        AddOutputFilterByType DEFLATE font/ttf
 +        AddOutputFilterByType DEFLATE image/svg+xml
 +        AddOutputFilterByType DEFLATE image/x-icon
 +        AddOutputFilterByType DEFLATE text/css
 +        AddOutputFilterByType DEFLATE text/html
 +        AddOutputFilterByType DEFLATE text/javascript
 +        AddOutputFilterByType DEFLATE text/plain
 +        AddOutputFilterByType DEFLATE text/xml
 +        AddOutputFilterByType DEFLATE application/json
 +        AddOutputFilterByType DEFLATE application/hal+json
 +
 +        # Remove browser bugs (only needed for really old browsers)
 +        BrowserMatch ^Mozilla/4 gzip-only-text/html
 +        BrowserMatch ^Mozilla/4\.0[678] no-gzip
 +        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
 +        Header append Vary User-Agent
 +</IfModule>
 +</code>
 +
 +==== Step 6: Application properties ====
 +
 +* The most important file is **/opt/czechidm/etc/application-production.properties** (application-PROFILE.properties, where the PROFILE is the profile you run the IdM under). You can use most of the file as-is, there is a bit of configuration needed though. This is a template file:
 +
 +<file properties application-production.properties>
 +# Doc: https://wiki.czechidm.com/devel/dev/configuration/backend
 + 
 +idm.pub.app.instanceId=idm-primary
 +idm.pub.app.stage=production
 + 
 +spring.datasource.url=jdbc:postgresql://localhost:5432/czechidm
 +spring.datasource.username=czechidm
 +spring.datasource.password=********** TODO *********
 +spring.datasource.driver-class-name=org.postgresql.Driver
 +spring.datasource.tomcat.validationQuery=SELECT 1
 +spring.datasource.tomcat.test-on-borrow=true
 +spring.jpa.generate-ddl=false
 +spring.jpa.hibernate.ddl-auto=none
 +flyway.enabled=true
 + 
 +scheduler.enabled=true
 +scheduler.task.queue.process=1000
 +scheduler.properties.location=quartz-production.properties
 +logging.config=/opt/czechidm/etc/logback-spring.xml
 +idm.sec.core.demo.data.enabled=false
 + 
 +#spring.cache.ehcache.config=classpath:ehcache.xml
 + 
 +spring.activiti.processDefinitionLocationPrefix=classpath*:/eu/bcvsolutions/idm/workflow/
 +idm.sec.core.notification.template.folder=classpath*:/eu/bcvsolutions/idm/templates/
 +idm.sec.core.script.folder=classpath*:/eu/bcvsolutions/idm/scripts/
 +# configuration property for default backup 
 +idm.sec.core.backups.default.folder.path=/opt/czechidm/backup
 + 
 + 
 +idm.pub.security.allowed-origins=http://localhost
 +# Generate JWT token security string as "cat /dev/urandom | tr -dc 'a-z0-9' | head -c VALUE" where VALUE can be from 1 to 255.
 +# We recommend the VALUE to be at least 25.
 +idm.sec.security.jwt.secret.token=********** TODO *********
 +idm.sec.security.jwt.expirationTimeout=36000000
 +
 +# recaptcha
 +# - recaptchaservice endpoint 
 +#idm.sec.security.recaptcha.url=https://www.google.com/recaptcha/api/siteverify
 +# - secret key, can be generated here https://www.google.com/recaptcha/admin
 +idm.sec.security.recaptcha.secretKey=xxx
 +# Proxy for HTTP requests
 +#idm.sec.core.http.proxy=12.34.56.78:1234
 + 
 +# Cipher secret key for crypt values in confidential storage
 +# for crypt values is used secretKey or secretKey defined by file - secretKeyPath
 +#cipher.crypt.secret.key=XXXXXXXXXXXXXXXX
 +cipher.crypt.secret.keyPath=/opt/czechidm/etc/secret.key
 + 
 + 
 +idm.sec.core.emailer.test.enabled=true
 +# http://camel.apache.org/mail.html
 +idm.sec.core.emailer.protocol=smtp
 +idm.sec.core.emailer.host=something.tld
 +idm.sec.core.emailer.port=25
 +# idm.sec.core.emailer.username=czechidm@domain.tld
 +# idm.sec.core.emailer.password=password
 +idm.sec.core.emailer.from=czechidm@localhost
 + 
 +## Global property that allow disable or enable sending notification from WF
 +idm.sec.core.wf.notification.send=false
 + 
 + 
 +# supports delete identity
 +idm.pub.core.identity.delete=true
 +#
 +# default password change type for custom users, one of values: 
 +# DISABLED - password change is disable
 +# ALL_ONLY - users can change passwords only for all accounts
 +# CUSTOM - users can choose for which accounts change password
 +idm.pub.core.identity.passwordChange=ALL_ONLY
 +#
 +# required old password for change password
 +idm.pub.core.identity.passwordChange.requireOldPassword=true
 +#
 +# create default identity's contract, when identity is created
 +idm.pub.core.identity.create.defaultContract.enabled=true
 + 
 + 
 +# Default user role will be added automatically, after an identity is logged in
 +# could contains default authorities and authority policies configuration
 +# for adding autocomplete or all record read permission etc.
 +idm.sec.core.role.default=userRole
 +# Admin user role
 +idm.sec.core.role.admin=superAdminRole
 + 
 + 
 +# ID system against which to authenticate
 +idm.sec.security.auth.systemId=
 +
 +# attachments will be stored under this path.
 +# new directories for attachment will be created in this folder (permissions has to be added)
 +# System.getProperty("user.home")/idm_data will be used if no path is given
 +idm.sec.core.attachment.storagePath=/opt/czechidm/data
 +</file>
 +
 +=== Adjust database configuration ===
 +If you followed this howto, the only thing you should need to adjust is a **spring.datasource.password** propetry. Set it to the password for czechidm user in PostgreSQL.
 +If necessary, adjust other database connection properties... 
 +
 +<code properties>
 +spring.datasource.url=jdbc:postgresql://localhost:5432/czechidm
 +spring.datasource.username=czechidm
 +spring.datasource.password=********** TODO *********
 +spring.datasource.driver-class-name=org.postgresql.Driver
 +spring.datasource.tomcat.validationQuery=SELECT 1
 +spring.datasource.tomcat.test-on-borrow=true
 +</code>
 +
 +=== Generate JWT token ===
 +Set value of the **idm.sec.security.jwt.secret.token** property as is described in the template file:
 +
 +<code properties>
 +# Generate JWT token security string as "cat /dev/urandom | tr -dc 'a-z0-9' | head -c VALUE" where VALUE can be from 1 to 255.
 +# We recommend the VALUE to be at least 25.
 +idm.sec.security.jwt.secret.token=********** TODO *********
 +</code>
 +
 +=== Local confidential storage ===
 +
 +Local confidential storage is encrypted by AES algoritm. [[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|Read more]]. 
 +Confidential storage is encrypted by a key found in **secret.key** file you already created.
 +
 +There are two properties in application-production.properties that influence the confidential storage:
 +  * You can set the 128bit (16byte) key directly in the property file using **cipher.crypt.secret.key** property or
 +  * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.
 +
 +<note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note>
 +
 +Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit key.
 +
 +=== Attachment store ===
 +In CzechIdM, users can sometimes add attachments (say, attach *.jpeg photo to their employee card request). Those files are stored in the attachment store.
 +With the following property, you can configure, where the store is. If you used sample property file, the store is by-default located under /opt/czechidm/data .
 +
 +<code properties>
 +# attachments will be stored under this path.
 +# new directories for attachment will be created in this folder (permissions has to be added)
 +# System.getProperty("user.home")/idm_data will be used if no path is given
 +idm.sec.core.attachment.storagePath=/opt/czechidm/data
 +</code>
 +
 +==== Step 7: Allow network services ====
 +Firewall may restrict the access to all port except ssh (22/tcp). To be able to use CzechIdM, allow port 443/tcp and reload firewalld:
 +
 +<code bash>
 +firewall-cmd --permanent --add-port=443/tcp
 +firewall-cmd --reload
 +</code>
  • by fiserp