Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:server_preparation [2019/02/19 12:43]
urbanl Upraven tomcat.service - přidáno umístění PID file
+++ tutorial:adm:server_preparation [2020/02/03 12:15]
fiserp [HTTPd installation and configuration]
@@ Line 23: / Line 23: @@
 yum update -y
 # other recommended packages installation
-yum install -y net-tools nano wget mc vim-enhanced screen sysstat bzip2 ssmtp bash-completion lsof haveged nmap zip unzip psmisc telnet
+yum install -y net-tools nano wget mc vim-enhanced screen sysstat bzip2 ssmtp bash-completion lsof haveged nmap zip unzip psmisc telnet policycoreutils-python
 # enable haveged after OS start
 systemctl start haveged.service
@@ Line 45: / Line 45: @@
 ===== PostgreSQL =====
 <note tip>If you are install CzechIdM on Sql server, please follow [[tutorial:adm:mssql_database_support|this tutorial]].</note>
-CentOS7 default repository version of PostgreSQL is 9.2. In our tutorial, we will install newer version 9.6. Moreover, we install database data into /data not /var/lib which is the default option.
+CentOS7 default repository version of PostgreSQL is 9.2 but IdM not support that version. In our tutorial, we will install newer version 9.6. Moreover, we install database data into /data not /var/lib which is the default option.
 ==== Database server installation - CentOS7 ====
   * Software installation (versions can vary):
@@ Line 197: / Line 197: @@
 <note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note>
 ===== Java - CentOS7 =====
@@ Line 439: / Line 440: @@
 <file txt tomcat>
 /opt/tomcat/current/logs/catalina.out {
-	rotate 7
+	rotate COUNT
 	daily
 	dateext
@@ Line 465: / Line 466: @@
 Please note that on Debian, the log is not rotate during the first day, but after the second day.
 ====== Apache httpd as a reverse proxy ======
@@ Line 530: / Line 532: @@
 <VirtualHost _default_:80>
    DocumentRoot /var/www/html
-   Redirect permanent / https://server
+   Redirect permanent / https://SERVER/
 </VirtualHost>
 </code>
@@ Line 555: / Line 557: @@
 To do so, add following lines to the virtualhost config file (ssl.conf):
 <code>
-  RewriteEngine On
+RewriteEngine On
-  RewriteRule "^/$"  "/idm/" [R]
+RewriteRule "^/$"  "/idm/" [R]
 </code>
-In the file ssl.conf we also have to disable SSLv3. Edit the line with SSLProtocol directive:
+We also have to secure the communication. **Edit** corresponding lines in ''ssl.conf'' so they look like this.
 <code>
-SSLProtocol all -SSLv2 -SSLv3
+SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4:!3DES+SHA:!IDEA
+SSLHonorCipherOrder on
 </code>
+<note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM. If this is your case, you may need to slacken the cipher settings a bit.</note>
 On Debian, create symlinks to sites-enabled:
@@ Line 629: / Line 634: @@
         # These break Certificate Authority module
 	<Location "/idm/api/v1/crt/certificates/action/validate">
+		SecRuleRemoveById 960915
+		SecRuleRemoveById 200003
+	</Location>
+	# Modsec can throw false positives on some files due to multipart boundary check
+	<Location "/idm/api/v1/attachments/upload">
 		SecRuleRemoveById 960915
 		SecRuleRemoveById 200003
@@ Line 711: / Line 722: @@
         AddOutputFilterByType DEFLATE text/plain
         AddOutputFilterByType DEFLATE text/xml
+        AddOutputFilterByType DEFLATE application/json
+        AddOutputFilterByType DEFLATE application/hal+json
         # Remove browser bugs (only needed for really old browsers)
@@ Line 787: / Line 800: @@
 }
 </code>