Differences

This shows you the differences between two versions of the page.

tutorial:adm:server_preparation [2020/07/28 09:08]
urbanl
tutorial:adm:server_preparation [2021/05/10 16:09]
urbanl [HTTPd installation and configuration]
Line 21: Line 21:
 dnf clean all dnf clean all
 dnf -y install epel-release dnf -y install epel-release
-dnf update -y+dnf -y update
  
 # other recommended packages installation # other recommended packages installation
Line 326: Line 326:
   * http://localhost:8080/manager   * http://localhost:8080/manager
   * http://localhost:8080/host-manager   * http://localhost:8080/host-manager
 +
 +<note important>These applications are optional but even when you will not install them you need to **set admin password** to increase security of Tomcat.</note>
  
 If you want to use them, it is necessary to do following steps. If you want to use them, it is necessary to do following steps.
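Review bot: The added note says the admin password must be set even when manager and host-manager are not installed, but it does not say where or how, and the sentence right after it ("If you want to use them, it is necessary to do following steps") still makes the steps that follow conditional on using the applications. A reader who skips the applications is likely to skip everything below the note as well. Suggest pointing the note at the exact step that sets the password, or splitting that step out and marking it mandatory. Wording nit: "even if you do not install them, you need to set the admin password".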
Line 367: Line 369:
  
   * Again, restart the tomcat   * Again, restart the tomcat
 +
 <code bash> <code bash>
 systemctl restart tomcat systemctl restart tomcat
Line 539: Line 542:
 RewriteRule "^/$"  "/idm/" [R]  RewriteRule "^/$"  "/idm/" [R] 
 </code> </code>
 +
 +=== Certificate for httpd ===
 +
 +If you have prepared certifikate, key and certificate authority chain just chnge these properties in ''/etc/httpd/conf.d/ssl.conf'' and make sure that only httpd can read the files.
 +<code>
 + SSLCertificateFile PATH_TO_CERTIFICATE_FILE
 + SSLCertificateKeyFile PATH_TO_CERTIFICATE_KEY_FILE
 + SSLCertificateChainFile PATH_TO_CA_CHAIN_FILE
 +</code>
 +Then continue with cheking syntax of httpd.
 +
 +If you not prepared them in the moment. Create temporary certificate and key. 
 +<code>
 +mkdir /etc/httpd/cert
 +cd /etc/httpd/cert
 +openssl genrsa -out http_temp_cert.key
 +openssl req -new -key http_temp_cert.key -out http_temp_cert.csr -subj "/C=CZ/ST=Czech Republic/L=Prague/O=BCV/CN=CzechIdM placeholder cert"
 +openssl x509 -req -in http_temp_cert.csr -signkey http_temp_cert.key -days 1 -sha256 -out http_temp_cert.crt
 +rm http_temp_cert.csr
 +chmod 600 /etc/httpd/cert/*
 +chown -R tomcat:tomcat  /etc/httpd/cert/
 +</code>
 +Then change set path to them in these properties in ''/etc/httpd/conf.d/ssl.conf''.
 +<code>
 + SSLCertificateFile /etc/httpd/cert/http_temp_cert.crt
 + SSLCertificateKeyFile /etc/httpd/cert/http_temp_cert.key
 +</code>
 +
 +=== Checking httpd configuration syntax and configuring selinux ===
  
 Syntax check before httpd restart Syntax check before httpd restart
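Review bot: In the temporary-certificate block, "chown -R tomcat:tomcat /etc/httpd/cert/" together with "chmod 600 /etc/httpd/cert/*" makes the private key readable by the tomcat user, which contradicts the sentence at the top of the section asking that only httpd can read the files. Suggest changing the owner to the account httpd uses to read the key (on a stock install httpd loads certificate files as root at startup, so root:root would match the stated intent), and adding a restrictive mode on the directory itself, since "mkdir /etc/httpd/cert" leaves it with default permissions. Further points in the same hunk: "openssl genrsa -out http_temp_cert.key" gives no key size and so depends on the installed OpenSSL default, an explicit size would make the result predictable; the temporary path sets SSLCertificateFile and SSLCertificateKeyFile but does not say what to do with SSLCertificateChainFile from the first block; "-days 1" means the placeholder expires after one day, which the text should state so nobody is surprised. Typos to fix: "certifikate", "chnge", "cheking", "If you not prepared them in the moment", "Then change set path".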
Line 605: Line 637:
                 SecRuleRemoveById 950100                 SecRuleRemoveById 950100
         </Location>         </Location>
-        +
         # do not log request/response body         # do not log request/response body
-        SecAuditLogParts ABFHZ+        SecAuditLogParts AFHZ
 </IfModule> </IfModule>
 </code> </code>
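Review bot: The comment "do not log request/response body" above SecAuditLogParts does not describe this change. In ModSecurity audit log parts, B is the request headers; the bodies are C (request body) and E (response body), and neither was present in ABFHZ. Going from "SecAuditLogParts ABFHZ" to "SecAuditLogParts AFHZ" therefore removes request headers from the audit log. If the intent is to keep credentials carried in headers out of the log, the comment should say that, for example "do not log request headers or request/response bodies". It is also worth stating the trade-off in the tutorial: without part B, an audit entry for a blocked request no longer shows the request headers, which makes rule tuning and incident review harder.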
  • by koulaj