tutorial:adm:server_preparation [2019/06/10 13:13]
urbanl [Instalation and software configuration]
tutorial:adm:server_preparation [2019/11/28 13:26]
fiserp [Disabling mod_security rules]
Line 199: Line 199:
  
 ===== Tomcat ===== ===== Tomcat =====
 +
 +<note warning>This version of Tomcat install guide is suspected not to work properly with newer versions of IdM (we are currently investigating the issue). Please use [[https://wiki.czechidm.com/tutorial/adm/server_preparation?rev=1550580216|this revision]] of the guide to install and configure Tomcat.</note>
  
 Installation - CentOS7: Installation - CentOS7:
 <code bash> <code bash>
-yum install -y tomcat+yum install -y tomcat java-1.8.0-openjdk-headless java-1.8.0-openjdk-devel
 </code> </code>
  
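Review bot: the new warning note says the guide is "suspected not to work properly with newer versions of IdM" but names no version, so a reader cannot tell whether it applies to their install; state the IdM versions (or range) known to be affected and the symptom that was observed, and say whether the linked older revision is the supported procedure or only a temporary workaround. On the changed `yum` line, `java-1.8.0-openjdk-devel` pulls in the full JDK on top of the headless runtime that was already sufficient to run Tomcat; one sentence on why the development package is needed here would let readers keep the smaller headless-only install if it is not.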
Line 307: Line 309:
   * Make Tomcat listen only on localhost:   * Make Tomcat listen only on localhost:
        * Add the ''address="127.0.0.1"'' property to configuration of ''8009'' and ''8080'' ports.        * Add the ''address="127.0.0.1"'' property to configuration of ''8009'' and ''8080'' ports.
 +       * On tomcat 7 add ''URIEncoding="UTF-8""'' property to configuration of ''8009'' and ''8080'' ports.
        * In Debian you need to uncoment AJP conector on port ''8009''.        * In Debian you need to uncoment AJP conector on port ''8009''.
   * Change logging into ''localhost\_access\_log''.   * Change logging into ''localhost\_access\_log''.
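Review bot: the added line has a stray quote, `URIEncoding="UTF-8""` should read `URIEncoding="UTF-8"`; as written it is not well-formed XML and Tomcat will refuse to parse `server.xml`. Since `URIEncoding` (like `address`) is a Connector attribute, say "connectors on ports 8009 and 8080" rather than "ports" so it is clear the edit goes on the `<Connector>` elements. The unchanged context lines still carry the typos "uncoment" and "conector", which could be fixed in the same revision.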
Line 545: Line 548:
 Again, restart the tomcat: Again, restart the tomcat:
 <code bash> <code bash>
-systemctl restart tomcat+service tomcat8 restart
 </code> </code>
 ====== Apache httpd as a reverse proxy ====== ====== Apache httpd as a reverse proxy ======
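Review bot: replacing `systemctl restart tomcat` with `service tomcat8 restart` breaks the CentOS 7 path of this guide: the package installed earlier on CentOS is `tomcat` (unit name `tomcat`), while `tomcat8` is the Debian package and service name. Show both commands labelled by distribution, for example `systemctl restart tomcat` for CentOS 7 and `systemctl restart tomcat8` for Debian, rather than swapping one for the other.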
Line 636: Line 639:
 To do so, add following lines to the virtualhost config file (ssl.conf): To do so, add following lines to the virtualhost config file (ssl.conf):
 <code> <code>
-  RewriteEngine On +RewriteEngine On 
-  RewriteRule "^/$"  "/idm/" [R] +RewriteRule "^/$"  "/idm/" [R] 
 </code> </code>
  
-In the file ssl.conf we also have to disable SSLv3. Edit the line with SSLProtocol directive:+We also have to secure the communication**Edit** corresponding lines in ''ssl.conf'' so they look like this.
 <code> <code>
-SSLProtocol all -SSLv2 -SSLv3+SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 
 +SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4:!3DES+SHA:!IDEA 
 +SSLHonorCipherOrder on
 </code> </code>
 +<note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM. If this is your case, you may need to slacken the cipher settings a bit.</note>
  
 On Debian, create symlinks to sites-enabled: On Debian, create symlinks to sites-enabled:
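Review bot: the new `SSLCipherSuite` string is internally contradictory, `RC4+RSA` is included and then `!RC4` removes every RC4 suite, so `RC4+RSA` should be dropped; while here, `!ADH` only excludes anonymous DH, so `!aNULL` (which also covers anonymous ECDH) is the safer kill term. Because `SSLHonorCipherOrder on` makes the server prefer suites in the order of this string, stating the preferred families explicitly (for example starting from `HIGH:MEDIUM:!aNULL:!EXPORT:!LOW:!RC4:!3DES:!IDEA`) is clearer than `ALL` followed by `+HIGH:+MEDIUM`, which relies on the `+` reordering semantics. The rewritten prose line lost its punctuation ("secure the communication**Edit** corresponding lines"); it should read "secure the communication. **Edit** the corresponding lines in ''ssl.conf'' so they look like this:". The protocol change to `-TLSv1 -TLSv1.1` leaves TLS 1.2 only, which is fine and is what the added note about older clients should mention alongside the ciphers.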
Line 710: Line 716:
         # These break Certificate Authority module         # These break Certificate Authority module
  <Location "/idm/api/v1/crt/certificates/action/validate">  <Location "/idm/api/v1/crt/certificates/action/validate">
 + SecRuleRemoveById 960915
 + SecRuleRemoveById 200003
 + </Location>
 +
 + # Modsec can throw false positives on some files due to multipart boundary check
 + <Location "/idm/api/v1/attachments/upload">
  SecRuleRemoveById 960915  SecRuleRemoveById 960915
  SecRuleRemoveById 200003  SecRuleRemoveById 200003
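Review bot: the closing `</Location>` for the new `/idm/api/v1/attachments/upload` block lies outside the shown context (the diff ends at its second `SecRuleRemoveById`), so it should be confirmed to be present, since an unclosed `<Location>` makes httpd fail its config check. The comment explains why the exception exists but not what ids 960915 and 200003 are; record the rule names next to the ids so the exception can be re-evaluated when the ruleset is upgraded and ids change. Scoping the removal to this single upload path instead of disabling the rules globally is the right approach.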
  • by koulaj