Differences

This shows you the differences between two versions of the page.

tutorial:adm:server_preparation [2019/09/23 12:05]
kolycheva [Optional - Management Interface for Tomcat]
tutorial:adm:server_preparation [2020/01/23 12:18]
urbanl [PostgreSQL]
Line 45: Line 45:
 ===== PostgreSQL ===== ===== PostgreSQL =====
 <note tip>If you are install CzechIdM on Sql server, please follow [[tutorial:adm:mssql_database_support|this tutorial]].</note> <note tip>If you are install CzechIdM on Sql server, please follow [[tutorial:adm:mssql_database_support|this tutorial]].</note>
-CentOS7 default repository version of PostgreSQL is 9.2. In our tutorial, we will install newer version 9.6. Moreover, we install database data into /data not /var/lib which is the default option.+CentOS7 default repository version of PostgreSQL is 9.2 but IdM not support that version. In our tutorial, we will install newer version 9.6. Moreover, we install database data into /data not /var/lib which is the default option.
 ==== Database server installation - CentOS7 ==== ==== Database server installation - CentOS7 ====
   * Software installation (versions can vary):   * Software installation (versions can vary):
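Review bot: the clause added to the PostgreSQL paragraph should read `9.2, but IdM does not support that version`, and since this hunk also carries the tip line, `If you are install CzechIdM on Sql server` should become `If you are installing CzechIdM on SQL Server`. Stating the minimum supported PostgreSQL version explicitly would serve readers better than `newer version 9.6`, because anyone on a later CentOS will see a different distribution default and cannot tell from this sentence whether it is acceptable.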
Line 197: Line 197:
  
 <note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note> <note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note>
 +
 +===== Java - CentOS7 =====
 +
 +Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository.
 +
 +Installation:
 +<code bash>
 +yum install -y java-1.8.0-openjdk-headless java-1.8.0-openjdk-devel
 +</code>
 +
 +Then create the file ''/etc/profile.d/java.sh'' with following:
 +<file bash java.sh>
 +[ -d /usr/lib/jvm/java-openjdk ] && export JAVA_HOME=/usr/lib/jvm/java-openjdk
 +</file>
 +
 +===== Java - Debian =====
 +
 +Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository.
 +
 +Installation:
 +<code bash>
 +apt-get install openjdk-8-jdk-headless openjdk-8-jre-headless
 +</code>
 +
 +Then create the file ''/etc/profile.d/java.sh'' with following:
 +<file bash java.sh>
 +[ -d /usr/lib/jvm/java-1.8.0-openjdk-amd64 ] && export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64
 +</file>
  
 ===== Tomcat ===== ===== Tomcat =====
  
-Installation CentOS7:+  * Create a new group and add user for the tomcat to run under (for Debian, use /usr/sbin/nologin in the useradd): 
 + 
 +<code> 
 +groupadd -r tomcat 
 +useradd -r -s /bin/nologin -g tomcat -d /opt/tomcat tomcat 
 +getent passwd tomcat 
 +tomcat:x:995:993::/opt/tomcat:/bin/nologin 
 +</code> 
 + 
 +  * change working directory into /opt/tomcat 
 <code bash> <code bash>
-yum install -y tomcat+mkdir /opt/tomcat 
 +cd /opt/tomcat
 </code> </code>
  
-Installation Debian:+  * Download Apache Tomcat 8.5.x from the website [[https://tomcat.apache.org/download-80.cgi]] to **/opt/tomcat/** 
 +    * In our exapmle the version is 8.5.8. 
 + 
 +  * extract files from archive: 
 <code bash> <code bash>
-apt install -y tomcat8+tar xzf apache-tomcat-8.5.8.tar.gz
 </code> </code>
  
 +  * create a new symbolic link to current user version (we presume there may be more versions at the server in future due to upgrades/updates)
  
-==== Start Tomcat automatically after system startup CentOS ==== +<code bash> 
-  +cd /opt/tomcat 
 +ln -s apache-tomcat-8.5.8 current 
 +</code>
  
-  * Make some adjustments to systemd unit.+  * Set rights on files for tomcat user (still working under root):
  
 <code bash> <code bash>
-systemctl edit tomcat.service+chown -R root:root /opt/tomcat 
 +chown root:tomcat /opt/tomcat 
 +chmod 750 /opt/tomcat 
 +cd /opt/tomcat/current 
 +chmod o+rX -R .
 +chgrp -R tomcat conf/ bin/ lib/ 
 +chmod g+rwx conf 
 +chmod g+r conf/* 
 +chown -R tomcat webapps/ work/ temp/ logs/
 </code> </code>
-Or if you want use diferent editor than nanovimuse this comands:+ 
 + 
 +==== Start Tomcat automatically after system startup ==== 
 + 
 +  * Create startup script (systemd unit), in which we also set the basic JVM parameters: 
 <code bash> <code bash>
-export SYSTEMD_EDITOR="/bin/vim" +vim /etc/systemd/system/tomcat.service
-sudo -E  systemctl edit tomcat.service+
 </code> </code>
-  * Add these lines and save the file: 
  
-<code>+  * File content of ''/etc/systemd/system/tomcat.service'': 
 + 
 +<file ini tomcat.service> 
 +# Systemd unit file for tomcat 
 +[Unit] 
 +Description=Apache Tomcat Web Application Container 
 +After=syslog.target network.target 
 [Service] [Service]
-SyslogFacility=local3+Type=forking 
 + 
 +PIDFile=/opt/tomcat/current/temp/tomcat.pid 
 + 
 +Environment=JAVA_HOME=/usr/lib/jvm/java-openjdk 
 +Environment=CATALINA_PID=/opt/tomcat/current/temp/tomcat.pid 
 +Environment=CATALINA_HOME=/opt/tomcat/current 
 +Environment=CATALINA_BASE=/opt/tomcat/current
 Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC' Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
 Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8' Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8'
-</code>+ 
 +ExecStart=/opt/tomcat/current/bin/startup.sh 
 +ExecStop=/opt/tomcat/current/bin/shutdown.sh 
 + 
 +User=tomcat 
 +Group=tomcat 
 + 
 +[Install] 
 +WantedBy=multi-user.target 
 +</file>
  
   * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more.   * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more.
-  * Tomcat will be started under user tomcat:tomcat.+ 
 +  * Tomcat will be started under user ''tomcat:tomcat'' a will use java installed in ''/usr/lib/jvm/java-1.8.0-openjdk''
 +  * For Debian, change the JAVA\_HOME to ''JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64''.
   * After every systemd configuration change it is necessary to reload:   * After every systemd configuration change it is necessary to reload:
  
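Review bot: the permission block in the Tomcat section leaves the configuration world-readable. `chmod o+rX -R .` followed by `chmod g+r conf/*` gives every file under `conf/` an `o+r` bit, including `tomcat-users.xml`, which this same revision fills with a plaintext manager password, and `server.xml`, which will carry the keystore password once TLS is configured; add `chmod -R o-rwx conf` after the recursive step, or exclude `conf/` from it. `chmod g+rwx conf` also lets the tomcat user rewrite its own configuration, so keep that only if deployments need Tomcat to write `conf/Catalina/localhost`. The download step takes `apache-tomcat-8.5.8.tar.gz` straight into `tar xzf` with no integrity check: Apache publishes a `.sha512` and a PGP `.asc` for every release, so add a `sha512sum -c` or `gpg --verify` step before extracting, and point readers at the current 8.5.x release rather than pinning 8.5.8, which dates from November 2016 and is years behind the revision date. In the systemd unit, `User=tomcat` is set but `NoNewPrivileges=true` and `PrivateTmp=true` under `[Service]` are cheap additions that cost nothing here, since `java.io.tmpdir` already points at `/opt/tomcat/current/temp`. Minor: `exapmle` should be `example`, `current user version` should be `current version`, `a will use java installed in` should be `and will use the Java installed in`, and `JAVA\_HOME` carries a stray backslash.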
Line 248: Line 330:
 [root@tomcat1 logs]# ps -u tomcat -fwww [root@tomcat1 logs]# ps -u tomcat -fwww
 UID        PID  PPID  C STIME TTY          TIME CMD UID        PID  PPID  C STIME TTY          TIME CMD
-tomcat   14221     1  0 10:17 ?        00:00:03 /usr/lib/jvm/jre/bin/java -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start+tomcat    1602     1  1 09:44 ?        00:00:02 /usr/lib/jvm/java-openjdk/bin/java -Djava.util.logging.config.file=/opt/tomcat/current/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Xms512M -Xmx1024M -server -XX:+UseParallelGC -classpath /opt/tomcat/current/bin/bootstrap.jar:/opt/tomcat/current/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat/current -Dcatalina.home=/opt/tomcat/current -Djava.io.tmpdir=/opt/tomcat/current/temp org.apache.catalina.startup.Bootstrap start
 </code> </code>
   * Stop Apache Tomcat:   * Stop Apache Tomcat:
Line 258: Line 340:
 systemctl enable tomcat systemctl enable tomcat
 </code> </code>
-==== Start Tomcat automatically after system startup - Debian ==== 
  
-  * In file ''/etc/default/tomcat8'' set the basic JVM parameters. If they are there already, change them.+==== Apache Tomcat configuration ====
  
-<file ini tomcat8>+=== Interface Management ===
  
-CATALINA_OPTS="-Xms512M -Xmx1024M -server -XX:+UseParallelGC" +Apache Tomcat offers two applications for tomcat management available at
-JAVA_OPTS="-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8"+ 
 +  * http://localhost:8080/manager 
 +  * http://localhost:8080/host-manager 
 + 
 +If you want to use them, it is necessary to do following steps.
  
 +First of all, create a database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP.
 +
 +Create user like this:
 +
 +Create the a new user in the file  ''/opt/tomcat/current/conf/tomcat-users.xml'' and assign him roles "manager-gui" and "admin-gui".
 +The documentation of available roles as well as overall configuration of the application is a part of application installation available at http://localhost:8080/docs/manager-howto.html#Configuring_Manager_Application_Access
 +
 +The file ''/opt/tomcat/current/conf/tomcat-users.xml'' looks like this:
 +<file xml tomcat-users.xml>
 +<?xml version="1.0" encoding="UTF-8"?>
 +<tomcat-users xmlns="http://tomcat.apache.org/xml"
 +              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 +              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
 +              version="1.0">
 +  <role rolename="manager-script"/>
 +  <role rolename="manager-gui"/>
 +  <role rolename="manager-jmx"/>
 +  <role rolename="manager-status"/>
 +  <role rolename="admin-gui"/>
 +  <user username="admin" password="*****store it somewhere safe*****" roles="manager-gui,manager-status,admin-gui"/>
 +</tomcat-users>
 </file> </file>
  
-  * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more. +If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IPIf you see ''403 Access Denied'' it might be you did not do this setting.
-  * Tomcat will be started under user ''tomcat8:tomcat8''. +
-  * Test start:+
  
-<code>+Add your IP address into application configuration files. In files ''/opt/tomcat/current/webapps/manager/META-INF/context.xml'' and ''/opt/tomcat/current/webapps/host-manager/META-INF/context.xml'' add net mask for your IP (both files should have the same content):
  
-systemctl start tomcat8+In my case, I want to access to Tomcat management from network 192.168.0.0/24:
  
-</code+<file xml context.xml> 
-  * Check that Tomcat runs with desirable parameters:+<?xml version="1.0" encoding="UTF-8"?> 
 +<Context antiResourceLocking="false" privileged="true" 
 +  <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
 +         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.\d+\.\d+" /> 
 +</Context> 
 +</file> 
 + 
 +Again, restart the tomcat:
 <code bash> <code bash>
-[root@tomcat1 logs]# ps -u tomcat8 -fwww +systemctl restart tomcat
-UID        PID  PPID  C STIME TTY          TIME CMD +
-tomcat8    742      0 13:20 ?        00:00:03 /usr/lib/jvm/java-8-openjdk-amd64/bin/java -Djava.util.logging.config.file=/var/lib/tomcat8/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Xms512M -Xmx1024M -server -XX:+UseParallelGC -classpath /usr/share/tomcat8/bin/bootstrap.jar:/usr/share/tomcat8/bin/tomcat-juli.jar -Dcatalina.base=/var/lib/tomcat8 -Dcatalina.home=/usr/share/tomcat8 -Djava.io.tmpdir=/tmp/tomcat8-tomcat8-tmp org.apache.catalina.startup.Bootstrap start+
 </code> </code>
-  * Stop Apache Tomcat: + 
-<code> +===  Apache Tomcat configuration recommended for production usage === 
-systemctl stop tomcat8 + 
-</code> +It is advised to follow these steps for production usage: 
-  * Enable tomcat start after OS start:+ 
 +  * Remove unnecessary aplications that comes with Tomcat: 
 <code bash> <code bash>
-systemctl enable tomcat8+rm -rf /opt/tomcat/current/webapps/{examples,docs,ROOT,host-manager,manager}
 </code> </code>
-====  Apache Tomcat configuration recommended for production usage ==== 
  
-It is advised to follow these steps for production usage: 
-  
-- In file ''/etc/tomcat/server.xml''( ''/etc/tomcat8/server.xml'' on debian) 
   * Turn off the shutdown port:   * Turn off the shutdown port:
-     Set value -1 from 8005 to the Server port tag, thus you deactivate it:+    In the config file ''/opt/tomcat/current/conf/server.xml'' set value -1 from 8005 to the Server port tag, thus you deactivate it:
  
 <code xml> <code xml>
 <Server port="-1" shutdown="SHUTDOWN"> <Server port="-1" shutdown="SHUTDOWN">
 </code> </code>
- 
-- In same file do this: 
   * Make Tomcat listen only on localhost:   * Make Tomcat listen only on localhost:
-       Add the ''address="127.0.0.1"'' property to configuration of ''8009'' and ''8080'' ports. +    In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8009'' and ''8080'' ports.
-       * In Debian you need to uncoment AJP conector on port ''8009''+
-  * Change logging into ''localhost\_access\_log''+
-    * Find these lines and comment them. +
- +
-<code xml> +
-<!-- +
-<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" +
-               prefix="localhost_access_log." suffix=".txt" +
-               pattern="%h %l %u %t &quot;%r&quot; %s %b" /> +
---> +
-</code> +
-And add these lines: +
-<code xml> +
-<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" +
-               prefix="localhost_access_log." suffix="log" +
-               pattern="%h %l %u %t &quot;%r&quot; %s %b" +
-               rotatable="false" /> +
-</code>+
  
--  In the file ''/etc/tomcat/web.xml''( ''/etc/tomcat8/web.xml'' on debian) 
   * Do not show aplication server version:   * Do not show aplication server version:
-    * Set showServerInfo to false (default is true):+    * In the file ''/opt/tomcat/current/conf/web.xml'' set showServerInfo to false (default is true):
  
 <code xml> <code xml>
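Review bot: the new `context.xml` for the manager applications is malformed. The line `<Context antiResourceLocking="false" privileged="true"` lost the closing `>` that the removed version had, so Tomcat will fail to parse the file and the manager app will not deploy; restore `privileged="true" >`. The `RemoteAddrValve` pattern `192\.168\.\d+\.\d+` admits all of 192.168.0.0/16, not the 192.168.0.0/24 the sentence above promises; `192\.168\.0\.\d+` is what the text describes (the valve matches the whole address, so no anchors are needed). More importantly, the production steps below bind the 8080 and 8009 connectors to `127.0.0.1` and the page puts Apache httpd in front of Tomcat, so every request the proxy forwards arrives from 127.0.0.1 and passes the `127\.\d+\.\d+\.\d+` alternative; the address restriction then protects nothing for proxied traffic. Either do not proxy `/manager` and `/host-manager` at all, or add a `RemoteIpValve` with the proxy as a trusted address so the valve sees the client address. `create a database user` is wrong here as well: the account lives in `tomcat-users.xml` and has nothing to do with the database, so say `Tomcat user`. Finally, the production section runs `rm -rf /opt/tomcat/current/webapps/{examples,docs,ROOT,host-manager,manager}`, which deletes the two applications this section has just configured; mark the management-interface section as optional for non-production hosts, or state that production installs skip it.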
Line 348: Line 434:
         <load-on-startup>1</load-on-startup>         <load-on-startup>1</load-on-startup>
     </servlet>     </servlet>
-</code> 
-We need to tell Tomcat where idm.war will be. Create context file ''/etc/tomcat/Catalina/localhost/idm.xml''( ''/etc/tomcat8/Catalina/localhost/idm.xml'' on debian) with these lines: 
-<code xml> 
-<Context 
- docBase="/opt/czechidm/app/idm.war" 
- path="" 
-/> 
-</code> 
-==== Tomcat loging configuration ==== 
-- in file ''/etc/tomcat/logging.properties''( ''/etc/tomcat8/logging.properties'' on debian) 
-  * Change logging properties 
-    * Add/change lines( 1catalina, 2localhost, 3manager, 4host-manager) into this(leave the other lines as they are): 
- 
-<code> 
-1catalina.org.apache.juli.FileHandler.level = ALL 
-1catalina.org.apache.juli.FileHandler.prefix = tomcat. 
-1catalina.org.apache.juli.FileHandler.rotatable = false 
-1catalina.org.apache.juli.FileHandler.suffix = log 
- 
-2localhost.org.apache.juli.FileHandler.rotatable = false 
-2localhost.org.apache.juli.FileHandler.suffix = log 
- 
-3manager.org.apache.juli.FileHandler.rotatable = false 
-3manager.org.apache.juli.FileHandler.suffix = log 
- 
-4host-manager.org.apache.juli.FileHandler.rotatable = false 
-4host-manager.org.apache.juli.FileHandler.suffix = log 
-</code> 
- 
-On Debian make these extra changes: 
-<code> 
-handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.juli.AsyncFileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler 
-#, java.util.logging.ConsoleHandler 
- 
-.handlers = 1catalina.org.apache.juli.FileHandler 
-#, java.util.logging.ConsoleHandler 
- 
-############################################################ 
-# Handler specific properties. 
-############################################################ 
- 
-3manager.org.apache.juli.FileHandler.level = FINE 
-3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 
-3manager.org.apache.juli.FileHandler.prefix = manager. 
- 
-4host-manager.org.apache.juli.FileHandler.level = FINE 
-4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 
-4host-manager.org.apache.juli.FileHandler.prefix = host-manager. 
- 
-#java.util.logging.ConsoleHandler.level = FINE 
-#java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter 
- 
-############################################################ 
-# Facility specific properties. 
-############################################################ 
- 
-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO 
-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler 
- 
-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO 
-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler 
- 
-</code> 
- 
- 
- 
-On CentOS for redirect logging from /var/log/messages. Add this rule into ''/etc/rsyslog.d/tomcat.conf'' file. 
-<code> 
-### tomcat log 
-$template TomcatForm,"%msg%\n" 
-if ($syslogfacility-text == 'local3' and  $syslogtag contains "server") then{ 
-        action(type="omfile" file="/var/log/tomcat/catalina.out" FileCreateMode="0644" fileOwner="tomcat" fileGroup="tomcat" template="TomcatForm" ) 
-        & stop 
-} 
-</code> 
-Then restart rsyslog 
-<code> 
-systemctl restart rsyslog 
 </code> </code>
  
-==== Rotating Tomcat logs ==== +=== Rotating Tomcat logs === 
-Tomcat logger appneds to the logfile at ''/var/log/tomcat/''Tomcat also sets up logrotate at ''/etc/logrotate.d/tomcat''. Change logrotate file into following and adjust log retention (the ''COUNT'') as necessary - for production deployments we recommend at least 90 days.+Default Tomcat logger appneds to the logfile, it is therefore safe to use simple ''logrotate'' configurationSave following as ''/etc/logrotate.d/tomcat''adjust log retention (the ''rotate COUNT'') as necessary.
 <file txt tomcat> <file txt tomcat>
-/var/log/tomcat/tomcat.log +/opt/tomcat/current/logs/catalina.out {
-/var/log/tomcat/manager.log +
-/var/log/tomcat/localhost_access_log.log +
-/var/log/tomcat/localhost.log +
-/var/log/tomcat/host-manager.log{+
  rotate COUNT  rotate COUNT
  daily  daily
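Review bot: the rewritten logrotate paragraph drops the retention guidance the old text carried (`for production deployments we recommend at least 90 days`); `rotate COUNT` is a placeholder the reader must fill, so keep a concrete minimum. The new stanza also covers only `catalina.out`, while the juli handlers in `logging.properties` keep writing `catalina.<date>.log`, `localhost.<date>.log`, `manager.<date>.log` and `host-manager.<date>.log`, and the `AccessLogValve` writes `localhost_access_log.<date>.txt`, each as its own daily file; with the old `rotatable = false` settings removed, nothing compresses or prunes those, so either add a stanza for `/opt/tomcat/current/logs/*.log` and `*.txt` or say explicitly that they are left to grow. Typos: `appneds` should be `appends`, and `configurationSave` needs a full stop and a space.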
Line 443: Line 447:
  notifempty  notifempty
  compress  compress
- create 0644 tomcat tomcat 
-} 
-/var/log/tomcat/catalina.out 
-{ 
-        rotate COUNT 
-        daily 
-        dateext 
-        copytruncate 
-        missingok 
-        notifempty 
-        compress 
-        create 0644 tomcat tomcat 
-        sharedscripts 
-        postrotate 
-        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true 
-         endscript 
-} 
-</file> 
-On **Debian** logs are in ''/var/log/tomcat8/'' and logrotate config is in ''/etc/logrotate.d/tomcat8''. 
-<file txt tomcat8> 
-/var/log/tomcat8/tomcat.log 
-/var/log/tomcat8/manager.log 
-/var/log/tomcat8/localhost_access_log.log 
-/var/log/tomcat8/localhost.log 
-/var/log/tomcat8/host-manager.log 
-/var/log/tomcat8/catalina.out { 
-        rotate COUNT 
-        daily 
-        dateext 
-        copytruncate 
-        missingok 
-        notifempty 
-        compress 
-        create 0644 tomcat8 tomcat8 
 } }
 </file> </file>
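Review bot: both deleted stanzas carried `copytruncate`, and the lines of the new stanza between `daily` and `notifempty` fall outside this hunk, so confirm `copytruncate` survived. `catalina.out` is opened once by `startup.sh` through shell redirection and held open for the life of the JVM; without `copytruncate`, a rename-and-create rotation leaves Tomcat writing into the renamed file, which logrotate then compresses and removes, so everything logged after the rename is lost and the new `catalina.out` stays empty until the next restart. Dropping `create 0644 tomcat tomcat` is consistent with `copytruncate`, since the original inode is kept, but only then.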
Line 494: Line 464:
   * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]).   * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]).
 </note> </note>
-Please note that the log does not rotate during the first day, but after the second day. 
-==== Optional - Management Interface for Tomcat==== 
  
-If you installed two additional applications for tomcat management follow this part to complete tomcat configuration.+Please note that on Debian, the log is not rotate during the first day, but after the second day.
  
-These applications are available at: 
  
-  * http://localhost:8080/manager 
-  * http://localhost:8080/host-manager 
- 
-If you want to use them, it is necessary to do following steps. 
- 
-First of all, create a database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. 
- 
-Create user like this: 
- 
-Create the a new user in the file  ''/etc/tomcat/tomcat-users.xml''( on Debian ''/etc/tomcat8/tomcat-users.xml'') and assign him roles "manager-gui" and "admin-gui". 
-The documentation of available roles as well as overall configuration of the application is a part of application installation available at http://localhost:8080/docs/manager-howto.html#Configuring_Manager_Application_Access 
- 
-The file ''/etc/tomcat/tomcat-users.xml''( on Debian ''/etc/tomcat8/tomcat-users.xml'') looks like this: 
-<file xml tomcat-users.xml> 
-<?xml version="1.0" encoding="UTF-8"?> 
-<tomcat-users xmlns="http://tomcat.apache.org/xml" 
-              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
-              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd" 
-              version="1.0"> 
-  <role rolename="manager-script"/> 
-  <role rolename="manager-gui"/> 
-  <role rolename="manager-jmx"/> 
-  <role rolename="manager-status"/> 
-  <role rolename="admin-gui"/> 
-  <user username="admin" password="*****store it somewhere safe*****" roles="manager-gui,manager-status,admin-gui"/> 
-</tomcat-users> 
-</file> 
- 
-If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. If you see ''403 Access Denied'' it might be you did not do this setting. 
- 
-Add your IP address into application configuration files. In files ''/var/lib/tomcat/webapps/manager/META-INF/context.xml'' and ''/var/lib/tomcat/webapps/host-manager/META-INF/context.xml''( on Debian ''/var/lib/tomcat8/webapps/...'' add net mask for your IP (both files should have the same content): 
- 
-In my case, I want to access to Tomcat management from network 192.168.0.0/24: 
- 
-<file xml context.xml> 
-<?xml version="1.0" encoding="UTF-8"?> 
-<Context antiResourceLocking="false" privileged="true" > 
-  <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
-         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.\d+\.\d+" /> 
-</Context> 
-</file> 
- 
-Again, restart the tomcat: 
-<code bash> 
-service tomcat8 restart 
-</code> 
 ====== Apache httpd as a reverse proxy ====== ====== Apache httpd as a reverse proxy ======
  
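Review bot: `the log is not rotate during the first day` should read `is not rotated`, and the behaviour is not specific to Debian: logrotate records a log it has not seen before in its state file on the first run and only rotates once a full day has passed since that entry, so the sentence holds for CentOS as well. Either drop the `on Debian` qualifier or give the state-file reason so readers do not suspect a broken configuration.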
Line 636: Line 557:
 To do so, add following lines to the virtualhost config file (ssl.conf): To do so, add following lines to the virtualhost config file (ssl.conf):
 <code> <code>
-  RewriteEngine On +RewriteEngine On 
-  RewriteRule "^/$"  "/idm/" [R] +RewriteRule "^/$"  "/idm/" [R] 
 </code> </code>
  
-In the file ssl.conf we also have to disable SSLv3. Edit the line with SSLProtocol directive:+We also have to secure the communication**Edit** corresponding lines in ''ssl.conf'' so they look like this.
 <code> <code>
-SSLProtocol all -SSLv2 -SSLv3+SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 
 +SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4:!3DES+SHA:!IDEA 
 +SSLHonorCipherOrder on
 </code> </code>
 +<note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM. If this is your case, you may need to slacken the cipher settings a bit.</note>
  
 On Debian, create symlinks to sites-enabled: On Debian, create symlinks to sites-enabled:
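Review bot: the `SSLCipherSuite` string contradicts itself and leaves a hole. `RC4+RSA` is cancelled by the later `!RC4` and can go; more importantly, `ALL` includes the anonymous ECDH suites and `!ADH` removes only anonymous DH, so `AECDH-*` suites with no server authentication at all remain enabled. Use `!aNULL`, which covers both, and drop `!SSLv2`, which matches nothing on any OpenSSL still receiving updates. A readable equivalent with the same intent is `HIGH:!aNULL:!MD5:!RC4:!3DES`, kept with `SSLHonorCipherOrder on`. The `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` line is fine; on httpd 2.4.37 or newer it can be written positively as `TLSv1.2 TLSv1.3`. Since the result is TLS 1.2 only, the note about older clients is accurate, but `slacken the cipher settings` is the wrong knob for it: those clients fail on the protocol line, not the cipher list.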
Line 710: Line 634:
         # These break Certificate Authority module         # These break Certificate Authority module
  <Location "/idm/api/v1/crt/certificates/action/validate">  <Location "/idm/api/v1/crt/certificates/action/validate">
 + SecRuleRemoveById 960915
 + SecRuleRemoveById 200003
 + </Location>
 +
 + # Modsec can throw false positives on some files due to multipart boundary check
 + <Location "/idm/api/v1/attachments/upload">
  SecRuleRemoveById 960915  SecRuleRemoveById 960915
  SecRuleRemoveById 200003  SecRuleRemoveById 200003
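Review bot: the new `<Location "/idm/api/v1/attachments/upload">` block switches off both multipart sanity checks (`200003` is the `MULTIPART_STRICT_ERROR` rule from the recommended base configuration, `960915` the CRS unmatched-boundary check) on precisely the endpoint that accepts user-supplied files, where a malformed multipart body is the classic way to slip content past the rest of the rule set. Before accepting the exclusion, read the audit log entry for the failing request: the 200003 message lists which `MULTIPART_*` flag fired (`IQ`, `LF`, `BQ`, and so on), which usually points at a client that can be fixed or at a single condition worth tolerating. If the exclusion has to stay, keep it scoped to this `Location` as done here, check that `SecRequestBodyLimit` and `SecRequestBodyLimitAction` still apply to the endpoint, and replace `can throw false positives on some files` with the concrete flag and the accepted risk so the next reviewer does not have to rediscover it.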
  • by koulaj