Previous revision: tutorial:adm:installation_script_-_centos [2018/08/17 19:53] apeterova (typos)
Current revision: tutorial:adm:installation_script_-_centos [2019/04/12 10:39] fiserp (Step 5: mod_deflate configuration)
====== Installation script for CzechIdM ======
LINK to the script

===== About script =====

The script was developed to make it easier for developers to prepare a server and install CzechIdM. It replaces the tutorials Server preparation and Install CzechIdM.

Make sure that your server is running CentOS. Otherwise, you need to use a different tutorial.

===== How to use this script =====

==== Step 1: Change tomcat mirror in script ====

In the script, find the line where Tomcat is downloaded (the only place **wget** is used) and change it according to this [[https://

==== Step 2: Copy script to the server ====

Connect to your server and then copy the script there (replace the placeholders with your login and server address):
<code>
scp czechidm-install.sh <user>@<server>:~/
</code>

==== Step 3: Right to execute ====

We will need to execute this script, so make it executable:

<code>
chmod +x czechidm-install.sh
</code>

==== Step 4: Configure YUM repository ====

Before you start the actual script, it is advised to change the file CentOS-Base.repo.

As root, edit your /
and append the following line to the sections [base] and [updates]:

<code>
exclude=postgresql*
</code>

The script also asks you to do this right after it starts; if you have already edited the file, just skip that step.
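The edit above is easy to get wrong by hand (wrong section, or the line added twice on a re-run). The following added example, which is not part of the tutorial or the CzechIdM script, inserts the exclude line into exactly the [base] and [updates] sections and is safe to run repeatedly; the default repo path /etc/yum.repos.d/CentOS-Base.repo is an assumption.

```shell
#!/bin/sh
# Added example (not part of the CzechIdM tutorial): put "exclude=postgresql*"
# into the [base] and [updates] sections of a yum repo file, without adding
# it twice on a re-run. The default path is the stock CentOS 7 location
# (an assumption; pass another path if your file lives elsewhere).

EXCLUDE_LINE='exclude=postgresql*'

# has_exclude FILE SECTION: exit 0 if SECTION already contains the exclude line.
has_exclude() {
    awk -v sec="$2" -v add="$EXCLUDE_LINE" '
        /^\[/              { insec = ($0 == ("[" sec "]")) }   # track current section
        insec && $0 == add { found = 1 }
        END                { exit (found ? 0 : 1) }
    ' "$1"
}

# add_exclude FILE SECTION: insert the exclude line right below the section
# header unless it is already there. The result is written back with cat so
# the repo file keeps its owner, mode and SELinux label.
add_exclude() {
    has_exclude "$1" "$2" && return 0
    tmp="$(mktemp)"
    awk -v sec="$2" -v add="$EXCLUDE_LINE" '
        { print }
        $0 == ("[" sec "]") { print add }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# configure_repo [FILE]: apply the tutorial's Step 4 change to both sections.
configure_repo() {
    file="${1:-/etc/yum.repos.d/CentOS-Base.repo}"
    for section in base updates; do
        add_exclude "$file" "$section"
    done
}

# Usage (as root, on the real repo file): configure_repo
```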

==== Step 5: Start the script ====

The only thing left is to start the actual script and follow the steps.

===== Settings after script =====

==== Step 1: Apache Tomcat configuration ====

  * Do not show the application server version:
  * In the file ''/

<code xml>
<
<
<
<
<
<
</
<
<
<
</
<
<
<
</
<
</
</code>

==== Step 2: mod_security configuration ====

Mod_security file locations (on CentOS 7):

  * Audit log: ''/
  * Directory with activated rules: ''/
  * Basic configuration file for mod_security:
  * The file for deactivating chosen rules:

The default set of rules is relatively strict. CzechIdM cannot run with the default configuration of mod_security.

Each rule is identified by a unique ID. If you want to deactivate a whole rule, it is advised to write the rule ID into ssl.conf like this:

<code xml>
<
SecRuleRemoveById RULE_ID
</
</code>

==== Step 3: mod_security configuration ====

In the file /
The whole rule after the changes looks like this:

<code>
SecAction \
  "
  phase:1, \
  t:none, \
  setvar:'
  setvar:'
  setvar:'
  setvar:'
  setvar:'
  nolog, \
  pass"
</code>

==== Step 4: Disabling mod_security rules ====

In the file ''/
<code xml>
<
SecRuleRemoveById 981173
SecRuleRemoveById 960015
SecRuleRemoveById 950109

# Allow Czech characters
SecRuleRemoveById 981318
SecRuleRemoveById 981242
SecRuleRemoveById 960024
SecRuleRemoveById 981245

# Too restrictive for login format
SecRuleRemoveById 960035

# Needed by Websockets
<
SecRuleRemoveById 970901
</

# These break Certificate Authority module
<
SecRuleRemoveById 960915
SecRuleRemoveById 200003
</

# do not log request/
SecAuditLogParts ABFHZ
</
</code>
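Steps 2 to 4 disable rules by ID. Before extending that list, it pays to check which rules actually fire for CzechIdM traffic and whether they are already covered. The following added example (not the tutorial's own code) tallies the rule IDs found in a mod_security audit log and reports the ones the configuration does not yet disable; the log lines and the config snippet are constructed samples, and the audit log is assumed to be in the serial format where each hit carries an [id "..."] tag.

```shell
#!/bin/sh
# Added example (not part of the CzechIdM tutorial): find out which mod_security
# rules actually fire for CzechIdM traffic before disabling anything.
# Input: an audit log in the serial format (lines carrying [id "NNNNNN"] tags)
# and the httpd config file that holds the SecRuleRemoveById directives.

# audit_rule_counts LOG: print "<hits> <rule id>", most frequent rule first.
audit_rule_counts() {
    grep -o '\[id "[0-9][0-9]*"\]' "$1" | tr -dc '0-9\n' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# removed_ids CONF: rule IDs already disabled by SecRuleRemoveById (comments ignored).
removed_ids() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -o 'SecRuleRemoveById[[:space:]][[:space:]]*[0-9][0-9]*' \
        | awk '{print $2}' | sort -u
}

# unlisted_rules LOG CONF: IDs seen in LOG that CONF does not disable yet.
# Review each one (its msg and the matched request) before adding it to the
# SecRuleRemoveById list; often the request, not the rule, is what needs fixing.
unlisted_rules() {
    tmp="$(mktemp)"
    removed_ids "$2" > "$tmp"
    audit_rule_counts "$1" | awk '{print $2}' | sort -u | grep -vxF -f "$tmp" || true
    rm -f "$tmp"
}

# Constructed sample data (not a real log) so the functions can run offline.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
--a1b2c3d4-H--
Message: Warning. Pattern match "x" at ARGS:username. [file "sample.conf"] [line "10"] [id "981173"] [msg "constructed"]
Message: Warning. Pattern match "x" at REQUEST_HEADERS:Accept. [file "sample.conf"] [line "20"] [id "960015"] [msg "constructed"]
--e5f6a7b8-H--
Message: Warning. Pattern match "x" at ARGS:username. [file "sample.conf"] [line "10"] [id "981173"] [msg "constructed"]
Message: Warning. Pattern match "x" at ARGS:firstName. [file "sample.conf"] [line "30"] [id "981318"] [msg "constructed"]
EOF
}
write_sample_conf() {
    cat > "$1" <<'EOF'
SecRuleRemoveById 981173
SecRuleRemoveById 960015
# SecRuleRemoveById 981318   (not disabled yet)
EOF
}
```

On a real server, point audit_rule_counts at the audit log listed in Step 2 and unlisted_rules at ssl.conf.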

==== Step 5: mod_deflate configuration ====
It is advised to set up gzip compression so that users receive the minimum amount of data from the frontend server.
In the file ''/
<code xml>
<
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/
AddOutputFilterByType DEFLATE application/
AddOutputFilterByType DEFLATE application/
AddOutputFilterByType DEFLATE application/
AddOutputFilterByType DEFLATE application/
AddOutputFilterByType DEFLATE application/
AddOutputFilterByType DEFLATE application/
AddOutputFilterByType DEFLATE application/
AddOutputFilterByType DEFLATE application/
AddOutputFilterByType DEFLATE application/
AddOutputFilterByType DEFLATE application/
AddOutputFilterByType DEFLATE font/
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/
AddOutputFilterByType DEFLATE image/
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/
AddOutputFilterByType DEFLATE application/

# Work around browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/
BrowserMatch ^Mozilla/
BrowserMatch \bMSIE !no-gzip !gzip-only-text/
Header append Vary User-Agent
</
</code>

==== Step 6: Application properties ====

  * The most important file is **/

<file properties application-production.properties>
# Doc: https://

idm.pub.app.instanceId=idm-primary
idm.pub.app.stage=production

spring.datasource.url=jdbc:
spring.datasource.username=czechidm
spring.datasource.password=********** TODO *********
spring.datasource.driver-class-name=org.postgresql.Driver
spring.datasource.tomcat.validationQuery=SELECT 1
spring.datasource.tomcat.test-on-borrow=true
spring.jpa.generate-ddl=false
spring.jpa.hibernate.ddl-auto=none
flyway.enabled=true

scheduler.enabled=true
scheduler.task.queue.process=1000
scheduler.properties.location=quartz-production.properties
logging.config=/
idm.sec.core.demo.data.enabled=false

#

spring.activiti.processDefinitionLocationPrefix=classpath*:/
idm.sec.core.notification.template.folder=classpath*:/
idm.sec.core.script.folder=classpath*:/
# configuration property for default backup
idm.sec.core.backups.default.folder.path=/


idm.pub.security.allowed-origins=http://
# Generate JWT token security string as "cat /
# We recommend the VALUE to be at least 25.
idm.sec.security.jwt.secret.token=********** TODO *********
idm.sec.security.jwt.expirationTimeout=36000000

# recaptcha
# - recaptchaservice endpoint
#
# - secret key, can be generated here https://
idm.sec.security.recaptcha.secretKey=xxx
# Proxy for HTTP requests
#

# Cipher secret key used to encrypt values in the confidential storage
# values are encrypted either with secretKey, or with the key read from the file given by secretKeyPath
#
cipher.crypt.secret.keyPath=/


idm.sec.core.emailer.test.enabled=true
# http://
idm.sec.core.emailer.protocol=smtp
idm.sec.core.emailer.host=something.tld
idm.sec.core.emailer.port=25
# idm.sec.core.emailer.username=czechidm@domain.tld
# idm.sec.core.emailer.password=password
idm.sec.core.emailer.from=czechidm@localhost

## Global property that enables or disables sending notifications from WF
idm.sec.core.wf.notification.send=false


# supports identity deletion
idm.pub.core.identity.delete=true
#
# default password change type for custom users, one of the values:
# DISABLED - password change is disabled
# ALL_ONLY - users can change passwords only for all accounts at once
# CUSTOM - users can choose for which accounts to change the password
idm.pub.core.identity.passwordChange=ALL_ONLY
#
# the old password is required to change the password
idm.pub.core.identity.passwordChange.requireOldPassword=true
#
# create default identity'
idm.pub.core.identity.create.defaultContract.enabled=true


# Default user role will be added automatically,
# it can contain default authorities and authority policies configuration
# for adding autocomplete or all-record read permission etc.
idm.sec.core.role.default=userRole
# Admin user role
idm.sec.core.role.admin=superAdminRole


# ID of the system against which to authenticate
idm.sec.security.auth.systemId=

# attachments will be stored under this path.
# new directories for attachments will be created in this folder (permissions have to be added)
# System.getProperty("
idm.sec.core.attachment.storagePath=/
</file>

=== Adjust database configuration ===
If you followed this howto, the only thing you should need to adjust is the **spring.datasource.password** property. Set it to the password of the czechidm user in PostgreSQL.
If necessary, adjust the other database connection properties:

<code properties>
spring.datasource.url=jdbc:
spring.datasource.username=czechidm
spring.datasource.password=********** TODO *********
spring.datasource.driver-class-name=org.postgresql.Driver
spring.datasource.tomcat.validationQuery=SELECT 1
spring.datasource.tomcat.test-on-borrow=true
</code>

=== Generate JWT token ===
Set the value of the **idm.sec.security.jwt.secret.token** property as described in the template file:

<code properties>
# Generate JWT token security string as "cat /
# We recommend the VALUE to be at least 25.
idm.sec.security.jwt.secret.token=********** TODO *********
</code>

=== Local confidential storage ===

Local confidential storage is encrypted with the AES algorithm. [[https://
Confidential storage is encrypted with the key found in the **secret.key** file you already created.

There are two properties in application-production.properties that influence the confidential storage:
  * You can set the 128-bit (16-byte) key directly in the property file using the **cipher.crypt.secret.key** property, or
  * you can create a separate file (in our case **secret.key**) containing a random string and reference it with the **cipher.crypt.secret.keyPath** property.

<note warning>

Confidential storage uses AES/

=== Attachment store ===
In CzechIdM, users can sometimes add attachments (say, attach a *.jpeg photo to their employee card request). Those files are stored in the attachment store.
With the following property you can configure where the store is. If you used the sample property file, the store is by default located under /

<code properties>
# attachments will be stored under this path.
# new directories for attachments will be created in this folder (permissions have to be added)
# System.getProperty("
idm.sec.core.attachment.storagePath=/
</code>
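The subsections above leave three things for the administrator to get right: no "TODO" placeholder may remain in the properties file, the JWT secret should be at least 25 characters, and the confidential-storage key in secret.key must be a 128-bit (16-byte) value that other users cannot read. The following added example (not CzechIdM's own tooling) generates a secret the way the template comment suggests and checks those three points; the property file it is run on is a constructed sample, and the placeholder text is assumed to be the one used in the template.

```shell
#!/bin/sh
# Added example (not part of the CzechIdM tutorial): sanity checks for
# application-production.properties before the first start.
# Assumptions: the placeholder used in the template is "********** TODO *********",
# the JWT secret should be at least 25 characters (template comment),
# and the confidential-storage key file holds a 128-bit (16-byte) key.

# gen_secret LEN: random alphanumeric string of LEN characters from /dev/urandom,
# the same idea as the "cat /dev/urandom | tr ..." hint in the template.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# unresolved_todos FILE: property names whose value is still the TODO placeholder.
unresolved_todos() {
    grep -v '^[[:space:]]*#' "$1" | grep -F 'TODO' | cut -d= -f1
}

# prop_value FILE KEY: value of KEY (first occurrence, empty if unset).
prop_value() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# jwt_secret_ok FILE: secret is set, is not the placeholder, and has >= 25 characters.
jwt_secret_ok() {
    v="$(prop_value "$1" idm.sec.security.jwt.secret.token)"
    case "$v" in *TODO*|'') return 1 ;; esac
    [ "${#v}" -ge 25 ]
}

# secret_key_file_ok PATH: exactly 16 bytes (AES-128) and not readable by others,
# since anyone who can read the key can decrypt the whole confidential storage.
secret_key_file_ok() {
    [ -f "$1" ] || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 16 ] || return 1
    case "$(ls -ld "$1")" in ???????r*) return 1 ;; esac   # 8th char = others-read bit
    return 0
}

# Typical use on the real files (paths are the ones you chose in Step 6):
#   unresolved_todos application-production.properties
#   jwt_secret_ok application-production.properties && echo "JWT secret ok"
#   secret_key_file_ok secret.key && echo "secret.key ok"
```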

==== Step 7: Allow network services ====
The firewall may restrict access to all ports except ssh (22/tcp). To be able to use CzechIdM, allow port 443/tcp and reload firewalld:

<code bash>
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload
</code>