Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revision Both sides next revision
tutorial:adm:server_preparation [2020/01/23 12:18]
urbanl [PostgreSQL]
tutorial:adm:server_preparation [2020/07/28 09:08]
urbanl
Line 1: Line 1:
-====== Server preparation - Linux ======+====== Server preparation - Linux - CentOS8 ​======
  
 {{tag>​installation java tomcat quickstart "​apache httpd"​}} {{tag>​installation java tomcat quickstart "​apache httpd"​}}
  
-This tutorial shows how to prepare the server for test or production ​usage of CzechIdM. If you are looking for much quicker way of how to start the CzechIdM, use the demo setup described here [[:​getting-started|]]+This tutorial shows how to prepare the server for test or production ​use of CzechIdM. If you are looking for much quicker way of how to start the CzechIdM, use the demo setup described here [[:​getting-started|]]
  
 ===== Basic system setup ===== ===== Basic system setup =====
-  * 1 server (can be virtualized) for all: backend, frontend and database.  +  * 1 server (can be virtualized) for everything: backend, frontend and database.  
-  * OS Linux with EPEL repository enabled - CENTOS, basic network enabled installation +  * OS Linux with EPEL repository enabled - CentOS, basic network enabled installation 
-    * It is possible to use Debian but you have to adjust ​the installation ​guide a little. We tested CzechIdM installation on Stretch+    * It is possible to use Debian ​(we tested on Stretch) or other distributions, ​but you have to adjust ​steps in this guide accordingly
-  * PostgreSQL - installed from a new repository +  * PostgreSQL ​12.x - installed from OS packages. 
-  * Java - distribution repository (OpenJDK 1.8) +  * Java 11 installed from OS packages
-  * Apache Tomcat - manually ​installed into /​opt/​tomcat +  * Apache Tomcat ​8.5.x - installed ​manually ​into ''​/opt/tomcat''​. 
-  * Services ​start via systemd ​in OS +  * Apache HTTPd 2.4.x - installed from OS packages. Can be replaced by nGinx. 
-  * Services run under dedicated ​user (non-privileged ​one) +  * All services ​start via systemd. 
 +  * Each service runs under dedicated non-privileged ​user.
 ===== Instalation and software configuration ===== ===== Instalation and software configuration =====
-Prerequisities - Basic installation of CentOS ​7+Prerequisities - Basic installation of CentOS ​8
 <code bash> <code bash>
 # EPEL installation # EPEL installation
-yum clean all +dnf clean all 
-yum install ​-y epel-release +dnf -y install ​epel-release 
-yum update -y+dnf update -y 
 # other recommended packages installation # other recommended packages installation
-yum install ​-y net-tools nano wget mc vim-enhanced ​screen sysstat ​bzip2 ssmtp bash-completion lsof haveged nmap zip unzip psmisc ​telnet ​policycoreutils-python+dnf -y install mc haveged nmap screen sysstat telnet ​net-tools nano wget vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils tar 
 # enable haveged after OS start # enable haveged after OS start
 systemctl start haveged.service systemctl start haveged.service
 systemctl enable haveged.service systemctl enable haveged.service
-# remove unnecessary software +
-yum remove -y postfix +
-systemctl stop avahi-daemon.socket avahi-daemon.service +
-systemctl disable avahi-daemon.socket avahi-daemon.service +
-yum remove -y avahi-autoipd avahi+
 # set the hostname # set the hostname
 hostnamectl set-hostname FQDN_server_name hostnamectl set-hostname FQDN_server_name
Line 39: Line 37:
 </​code>​ </​code>​
  
-When installing on Debian, install these packages: +===== PostgreSQL ​ ===== 
-<​code>​ +<note tip>If you are installing ​CzechIdM on Microsoft SQL Server, please follow [[tutorial:​adm:​mssql_database_support|this tutorial]].</​note>​ 
-screen dnsutils sysstat lsof haveged nmap tcpdump traceroute tcptraceroute curl iptables-persistent +We install ​PostgreSQL ​12 database binaries and change ​database data directory from ''​/var/lib''​ to ''/​data''​
-</​code>​ +==== Database server installation - CentOS8 ​==== 
-===== PostgreSQL ===== +  * Software installation ​on CentOS8(versions can vary): 
-<note tip>If you are install ​CzechIdM on Sql server, please follow [[tutorial:​adm:​mssql_database_support|this tutorial]].</​note>​ +
-CentOS7 default repository version of PostgreSQL ​is 9.2 but IdM not support that version. In our tutorial, we will install newer version 9.6. Moreover, we install ​database data into /data not /​var/​lib ​which is the default option+
-==== Database server installation - CentOS7 ​==== +
-  * Software installation (versions can vary):+
 <code bash> <code bash>
-yum install -y https://​download.postgresql.org/​pub/​repos/​yum/​9.6/​redhat/​rhel-7-x86_64/​pgdg-centos96-9.6-3.noarch.rpm +# enable module postgres 12 
-yum install ​-y postgresql96-server ​postgresql96-contrib ​pgstat2_96 pg_top96 ​ postgresql96-libs+dnf module enable postgresql:12 
 +dnf -y install postgresql-server ​postgresql-contrib ​postgresql-libs
 </​code>​ </​code>​
-  ​* create new system ​directory:​ + 
-<​code>​ +  ​* create new directory ​for database data: 
-mkdir -p /​data/​pgsql/​9.6/data/+ 
 +<​code ​bash
 +mkdir -p /​data/​pgsql/​12/data/
 chown -R postgres:​postgres /​data/​pgsql/​ chown -R postgres:​postgres /​data/​pgsql/​
 chmod 700 /data/pgsql chmod 700 /data/pgsql
 </​code>​ </​code>​
-  ​* Copy of the configuration file for systemd, in which we will make change of directory for data:+ 
 +  ​* Copy the PostgreSQL'​s ​systemd ​unit to the /etc: 
 <code bash> <code bash>
-cp /​usr/​lib/​systemd/​system/​postgresql-9.6.service /​etc/​systemd/​system/​+cp /​usr/​lib/​systemd/​system/​postgresql.service /​etc/​systemd/​system/​
 </​code>​ </​code>​
-In the file ''/​etc/​systemd/​system/​postgresql-9.6.service''​ change the directory for data as follows:+ 
 +In the file ''/​etc/​systemd/​system/​postgresql.service''​ change the directory for data as follows:
 <​code>​ <​code>​
 # Location of database directory # Location of database directory
-Environment=PGDATA=/​data/​pgsql/​9.6/data/+Environment=PGDATA=/​data/​pgsql/​12/data/
 </​code>​ </​code>​
  
-  * In the file ''​~postgres/​.bash_profile''​ change the variable PGDATA ​value to:+  * In the file ''​/​var/​lib/​pgsql/​.bash_profile'' ​(bash profile for postgres user) change the variable PGDATA to:
  
 <​code>​ <​code>​
-PGDATA=/​data/​pgsql/​9.6/data+PGDATA=/​data/​pgsql/​12/data
 </​code>​ </​code>​
  
Line 85: Line 86:
  
 <code bash> <code bash>
-/​usr/​pgsql-9.6/​bin/​postgresql96-setup initdb+postgresql-setup ​--initdb ​--unit postgresql
 </​code>​ </​code>​
  
 +Change SELINUX labels: 
 +<​code>​ 
 +chcon -Rt postgresql_db_t /​data/​pgsql/​ 
 +chcon -Rt postgresql_log_t /​data/​pgsql/​12/​data/​log/​ 
 +</​code>​
  
   * Enable and start database:   * Enable and start database:
  
 <code bash> <code bash>
-systemctl start postgresql-9.6.service +systemctl start postgresql.service 
-systemctl enable postgresql-9.6.service+systemctl enable postgresql.service
 </​code>​ </​code>​
  
Line 100: Line 105:
  
 <code bash> <code bash>
-[root@tomcat1 system]# systemctl status postgresql-9.6.service -l +[root@HOSTNAME data]# systemctl status postgresql.service -l 
-● postgresql-9.6.service - PostgreSQL ​9.6 database server +● postgresql.service - PostgreSQL database server 
-   ​Loaded:​ loaded (/​etc/​systemd/​system/​postgresql-9.6.service; enabled; vendor preset: disabled) +   ​Loaded:​ loaded (/​etc/​systemd/​system/​postgresql.service;​ enabled; vendor preset: disabled) 
-   ​Active:​ active (running) since Pá 2016-11-18 23:50:06 CET; 2min 57s ago +   ​Active:​ active (running) since Wed 2020-03-11 10:48:06 CET; 1min 8s ago 
- Main PID: 2626 (postmaster) + Main PID: 25715 (postmaster) 
-   ​CGroup:​ /​system.slice/​postgresql-9.6.service +    Tasks: 8 (limit: 52428) 
-           ​├─2626 /usr/pgsql-9.6/​bin/​postmaster -D /​data/​pgsql/​9.6/data/ +   ​Memory:​ 19.8M 
-           ​├─2628 postgres: logger ​process ​                             ​ +   ​CGroup:​ /​system.slice/​postgresql.service 
-           ​├─2630 postgres: checkpointer ​process ​                       ​ +           ​├─25715 /​usr/​bin/​postmaster -D /​data/​pgsql/​12/data/ 
-           ​├─2631 postgres: writer ​process ​                             ​ +           ​├─25716 postgres: logger ​  ​ 
-           ​├─2632 postgres: ​wal writer process ​                         ​ +           ​├─25718 postgres: checkpointer ​  ​ 
-           ​├─2633 postgres: autovacuum launcher ​process ​                 +           ​├─25719 postgres: ​background ​writer ​  ​ 
-           2634 postgres: stats collector ​process ​                    +           ​├─25720 postgres: ​walwriter ​   
 +           ​├─25721 postgres: autovacuum launcher ​  ​ 
 +           25722 postgres: stats collector ​   
 +           ​└─25723 postgres: logical replication launcher ​  
  
-lis 18 23:50:06 tomcat1.localdomain ​systemd[1]: Starting PostgreSQL ​9.6 database server... +Mar 11 10:48:06 HOSTNAME ​systemd[1]: Starting PostgreSQL database server... 
-lis 18 23:50:06 tomcat1.localdomain ​postmaster[2626]: < 2016-11-18 23:50:06.608 CET LOG:  redirecting log output to logging collector process +Mar 11 10:48:06 HOSTNAME postmaster[25715]:​ 2020-03-11 10:48:06.255 CET [25715] LOG:  starting PostgreSQL 12.1 on x86_64-redhat-linux-gnu,​ compiled by gcc (G> 
-lis 18 23:50:06 tomcat1.localdomain ​postmaster[2626]: < 2016-11-18 23:50:06.608 CET HINT:  Future log output will appear in directory "pg_log". +Mar 11 10:48:06 HOSTNAME ​postmaster[25715]: 2020-03-11 10:​48:​06.256 CET [25715] LOG:  listening on IPv6 address "::​1",​ port 5432 
-lis 18 23:50:06 tomcat1.localdomain ​systemd[1]: Started PostgreSQL ​9.6 database server.+Mar 11 10:48:06 HOSTNAME postmaster[25715]:​ 2020-03-11 10:48:06.256 CET [25715] LOG:  listening on IPv4 address "​127.0.0.1",​ port 5432 
 +Mar 11 10:48:06 HOSTNAME postmaster[25715]:​ 2020-03-11 10:​48:​06.285 CET [25715] LOG:  listening on Unix socket "/​var/​run/​postgresql/​.s.PGSQL.5432"​ 
 +Mar 11 10:48:06 HOSTNAME postmaster[25715]:​ 2020-03-11 10:​48:​06.300 CET [25715] LOG:  listening on Unix socket "/​tmp/​.s.PGSQL.5432"​ 
 +Mar 11 10:48:06 HOSTNAME postmaster[25715]:​ 2020-03-11 10:​48:​06.330 CET [25715] ​LOG:  redirecting log output to logging collector process 
 +Mar 11 10:48:06 HOSTNAME ​postmaster[25715]: 2020-03-11 10:48:06.330 CET [25715] ​HINT:  Future log output will appear in directory "log". 
 +Mar 11 10:48:06 HOSTNAME ​systemd[1]: Started PostgreSQL database server.
 </​code>​ </​code>​
  
-==== Database server installation - Debian Stretch ==== 
-Install the database from OS packages: 
-<​code>​ 
-apt-get install postgresql-9.6 
-</​code>​ 
-We will move the database - create directory structure: 
-<​code>​ 
-mkdir -p /​data/​pgsql/​9.6/​data/​ 
-chown -R postgres:​postgres /​data/​pgsql/​ 
-chmod -R 700 /data/pgsql 
-</​code>​ 
-Create the file .bash\_profile in postgres user's home (default /​var/​lib/​postgresql) with following contents: 
-<​code>​ 
-PGDATA=/​data/​pgsql/​9.6/​data 
-</​code>​ 
-Stop the database: 
-<​code>​ 
-systemctl stop postgresql 
-</​code>​ 
-Move database directory (run this as root): 
-<​code>​ 
-mv /​var/​lib/​postgresql/​9.6/​main/​* /​data/​pgsql/​9.6/​data/​ 
-</​code>​ 
-In the PostgreSQL configuration file /​etc/​postgresql/​9.6/​main/​postgresql.conf set the data\_directory property to: 
-<​code>​ 
-data_directory = '/​data/​pgsql/​9.6/​data'​ 
-</​code>​ 
-Enable and start the database: 
-<​code>​ 
-systemctl start postgresql 
-systemctl enable postgresql 
-</​code>​ 
-==== DB server configuration ==== 
  
-First of all, enable ​the password authentication.+==== Database server configuration and sizing ==== 
 + 
 +  * Enable ​the password authentication.
  
-In the file ''/​data/​pgsql/​9.6/​data/​pg_hba.conf''​ find lines:+In the file ''/​data/​pgsql/​12/​data/​pg_hba.conf''​ find lines:
 <​code>​ <​code>​
 host    all             ​all ​            ​127.0.0.1/​32 ​           ident host    all             ​all ​            ​127.0.0.1/​32 ​           ident
 host    all             ​all ​            ::​1/​128 ​                ident host    all             ​all ​            ::​1/​128 ​                ident
 </​code>​ </​code>​
- +and change the value at the end of each line to ''​md5'' ​like this:
-and change the value at the end of each line into md5 like this:+
 <​code>​ <​code>​
 host    all             ​all ​            ​127.0.0.1/​32 ​           md5 host    all             ​all ​            ​127.0.0.1/​32 ​           md5
Line 168: Line 149:
 </​code>​ </​code>​
  
-Now we can do DB sizing. ​We presume the system has 3GB dedicated for the db. We can also log the queries logging (those over 200ms). **For particular ​sizing, use a [[https://​pgtune.leopard.in.ua/#/​|calculator]]**. +  * Adjust ​DB instance ​sizing. 
-In a file ''/​data/​pgsql/​9.6/​data/​postgresql.conf'' ​edit (add those if not exist) lines:+    * In following snippet, we presume the system has 3GB of memory ​dedicated for the database and about 100 db connections. **For your deployment, adjust the sizing ​accordingly. Use a [[https://​pgtune.leopard.in.ua/#/​|calculator]] ​if in doubt**
 +    * We also log queries running longer than 200ms
 +In a file ''/​data/​pgsql/​12/​data/​postgresql.conf'' ​change ​(or add) following ​lines: 
 <​code>​ <​code>​
-max_connections = 100 (change requires restart)+This is an EXAMPLE. Use the calculator to adjust for your deployment!
  
-shared_buffers = 768MB # min 128kB+# DB Version: 12 
 +# OS Type: linux 
 +# DB Type: web 
 +# Total Memory (RAM): 3 GB 
 +# Connections num: 100 
 +# Data Storage: ssd 
 +max_connections = 100 
 +shared_buffers = 768MB
 effective_cache_size = 2304MB effective_cache_size = 2304MB
-work_mem = 7864kB 
 maintenance_work_mem = 192MB maintenance_work_mem = 192MB
- 
-min_wal_size = 1GB 
-max_wal_size = 2GB 
 checkpoint_completion_target = 0.7 checkpoint_completion_target = 0.7
 wal_buffers = 16MB wal_buffers = 16MB
- 
 default_statistics_target = 100 default_statistics_target = 100
 +random_page_cost = 1.1
 +effective_io_concurrency = 200
 +work_mem = 3932kB
 +min_wal_size = 1GB
 +max_wal_size = 4GB
  
 log_min_duration_statement = 200 log_min_duration_statement = 200
 </​code>​ </​code>​
  
-Restart ​DB: ''​systemctl restart ​ postgresql-9.6.service''​+  * Restart ​the database
  
-For Debian installation,​ edit those configuration files instead: 
 <​code>​ <​code>​
-/etc/postgresql/9.6/​main/​pg_hba.conf +systemctl restart  ​postgresql.service
-/​etc/​postgresql/​9.6/​main/​postgresql.conf+
 </​code>​ </​code>​
  
-<​note>​If you install the database to a different server than the CzechIdM application itself ​(Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</​note>​+<​note>​If you install the database to a different server than the CzechIdM application itself, don't forget to configure PostgreSQL ​with SSL certificates and to enforce ​remote SSL connections.</​note>​
  
-===== Java - CentOS7 ​=====+===== Java - CentOS8 ​=====
  
-Java must be installed ​before Tomcat startIt is recommended ​to use OpenJDK (at least 1.8) from standard OS repository.+Tomcat application server needs Java installed. ​We recommend ​to use OpenJDK ​11 from standard OS repository. ​(OpenJDK ​1.8 is also supported, check [[devel:​documentation:​compatibility|compatibility page]]).
  
 Installation:​ Installation:​
-<​code ​bash+<​code>​ 
-yum install -y java-1.8.0-openjdk-headless java-1.8.0-openjdk-devel+dnf install -y java-11-openjdk-headless java-11-openjdk-devel
 </​code>​ </​code>​
  
-Then create the file ''/​etc/​profile.d/​java.sh''​ with following: 
-<file bash java.sh> 
-[ -d /​usr/​lib/​jvm/​java-openjdk ] && export JAVA_HOME=/​usr/​lib/​jvm/​java-openjdk 
-</​file>​ 
- 
-===== Java - Debian ===== 
- 
-Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository. 
- 
-Installation:​ 
-<code bash> 
-apt-get install openjdk-8-jdk-headless openjdk-8-jre-headless 
-</​code>​ 
- 
-Then create the file ''/​etc/​profile.d/​java.sh''​ with following: 
-<file bash java.sh> 
-[ -d /​usr/​lib/​jvm/​java-1.8.0-openjdk-amd64 ] && export JAVA_HOME=/​usr/​lib/​jvm/​java-1.8.0-openjdk-amd64 
-</​file>​ 
  
 ===== Tomcat ===== ===== Tomcat =====
  
-  * Create a new group and add user for the tomcat to run under (for Debian, use /​usr/​sbin/​nologin in the useradd):+  * Create a new group and add user for the tomcat to run under:
  
 <​code>​ <​code>​
 groupadd -r tomcat groupadd -r tomcat
-useradd -r -s /bin/nologin -g tomcat -d /opt/tomcat tomcat+useradd -r -s /usr/sbin/nologin -g tomcat -d /opt/tomcat tomcat
 getent passwd tomcat getent passwd tomcat
-tomcat:​x:​995:​993::/​opt/​tomcat:/​bin/nologin+#tomcat:​x:​995:​993::/​opt/​tomcat:/​usr/sbin/nologin
 </​code>​ </​code>​
  
Line 244: Line 215:
 </​code>​ </​code>​
  
-  * Download Apache Tomcat 8.5.x from the website [[https://​tomcat.apache.org/​download-80.cgi]] to **/​opt/​tomcat/​** +  * Download Apache Tomcat 8.5.x from the website [[https://​tomcat.apache.org/​download-80.cgi]] to ''​/​opt/​tomcat/​''​ 
-    * In our exapmle the version is 8.5.8.+    * In our exapmle the version is 8.5.57.
  
-  * extract files from archive:+  * extract files from the archive:
  
 <code bash> <code bash>
-tar xzf apache-tomcat-8.5.8.tar.gz+tar xzf apache-tomcat-8.5.57.tar.gz
 </​code>​ </​code>​
  
Line 257: Line 228:
 <code bash> <code bash>
 cd /opt/tomcat cd /opt/tomcat
-ln -s apache-tomcat-8.5.current+ln -s apache-tomcat-8.5.57 current
 </​code>​ </​code>​
  
Line 267: Line 238:
 chmod 750 /opt/tomcat chmod 750 /opt/tomcat
 cd /​opt/​tomcat/​current cd /​opt/​tomcat/​current
-chmod o+rX -R ./+chmod -R o+rX ./
 chgrp -R tomcat conf/ bin/ lib/ chgrp -R tomcat conf/ bin/ lib/
-chmod g+rwx conf+chmod g+rx conf
 chmod g+r conf/* chmod g+r conf/*
 chown -R tomcat webapps/ work/ temp/ logs/ chown -R tomcat webapps/ work/ temp/ logs/
 +
 +mkdir /​opt/​tomcat/​current/​conf/​Catalina
 +chown tomcat:​tomcat /​opt/​tomcat/​current/​conf/​Catalina
 +chmod 750 /​opt/​tomcat/​current/​conf/​Catalina
 </​code>​ </​code>​
  
Line 289: Line 264:
 [Unit] [Unit]
 Description=Apache Tomcat Web Application Container Description=Apache Tomcat Web Application Container
-After=syslog.target network.target+After=syslog.target network.target ​postgresql.service
  
 [Service] [Service]
Line 312: Line 287:
 WantedBy=multi-user.target WantedBy=multi-user.target
 </​file>​ </​file>​
 +<​note>​
 +  * Values of ''​-Xms''​ and ''​-Xmx''​ se are closely dependent on server sizing. If you have enough memory, we strongly recommend to use ''​-Xmx 6128M''​ or more.
 +  * Tomcat will be started under user ''​tomcat:​tomcat''​.
 +</​note>​
  
-  * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more. +  * Reload ​systemd configuration:​
- +
-  * Tomcat will be started under user ''​tomcat:​tomcat''​ a will use java installed in ''/​usr/​lib/​jvm/​java-1.8.0-openjdk''​. +
-  * For Debian, change the JAVA\_HOME to ''​JAVA_HOME=/​usr/​lib/​jvm/​java-1.8.0-openjdk-amd64''​. +
-  * After every systemd configuration ​change it is necessary to reload:+
  
 <​code>​ <​code>​
 systemctl daemon-reload systemctl daemon-reload
 </​code>​ </​code>​
-  ​Test start:+ 
 +  ​Start the Tomcat to ensure it is configured properly. Enable its start on OS start. 
 <​code>​ <​code>​
 systemctl start tomcat systemctl start tomcat
 +systemctl enable tomcat
 </​code>​ </​code>​
 +
   * Check that Tomcat runs with desirable parameters:   * Check that Tomcat runs with desirable parameters:
 +
 <code bash> <code bash>
-[root@tomcat1 logs]# ps -tomcat ​-fwww +[root@tomcat1 logs]# ps -ef | grep ^tomcat 
-UID        PID  PPID  C STIME TTY          TIME CMD +tomcat ​     ​1623 ​      1  ​9 11:08 ?        00:00:04 /​usr/​lib/​jvm/​java-openjdk/​bin/​java -Djava.util.logging.config.file=/​opt/​tomcat/​current/​conf/​logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/​dev/​./​urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources ​-Dorg.apache.catalina.security.SecurityListener.UMASK=0027 ​-Xms512M -Xmx1024M -server -XX:​+UseParallelGC ​-Dignore.endorsed.dirs= ​-classpath /​opt/​tomcat/​current/​bin/​bootstrap.jar:/​opt/​tomcat/​current/​bin/​tomcat-juli.jar -Dcatalina.base=/​opt/​tomcat/​current -Dcatalina.home=/​opt/​tomcat/​current -Djava.io.tmpdir=/​opt/​tomcat/​current/​temp org.apache.catalina.startup.Bootstrap start
-tomcat ​   ​1602 ​    1  ​1 09:44 ?        00:00:02 /​usr/​lib/​jvm/​java-openjdk/​bin/​java -Djava.util.logging.config.file=/​opt/​tomcat/​current/​conf/​logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/​dev/​./​urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Xms512M -Xmx1024M -server -XX:​+UseParallelGC -classpath /​opt/​tomcat/​current/​bin/​bootstrap.jar:/​opt/​tomcat/​current/​bin/​tomcat-juli.jar -Dcatalina.base=/​opt/​tomcat/​current -Dcatalina.home=/​opt/​tomcat/​current -Djava.io.tmpdir=/​opt/​tomcat/​current/​temp org.apache.catalina.startup.Bootstrap start+
 </​code>​ </​code>​
-  ​* Stop Apache ​Tomcat:+ 
 +  ​* Stop the Tomcat
 <​code>​ <​code>​
 systemctl stop tomcat systemctl stop tomcat
-</​code>​ 
-  * Enable tomcat start after OS start: 
-<code bash> 
-systemctl enable tomcat 
 </​code>​ </​code>​
  
Line 352: Line 329:
 If you want to use them, it is necessary to do following steps. If you want to use them, it is necessary to do following steps.
  
-First of all, create a database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. +First of all, create a Tomcat'​s ​database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP.
- +
-Create user like this:+
  
-Create the a new user in the file  ''/​opt/​tomcat/​current/​conf/​tomcat-users.xml''​ and assign him roles "​manager-gui"​ and "​admin-gui"​. +  * Create administration user 
-The documentation of available roles as well as overall configuration of the application is a part of application installation available at http://​localhost:​8080/​docs/​manager-howto.html#​Configuring_Manager_Application_Access+    * Create the a new user in the file  ''/​opt/​tomcat/​current/​conf/​tomcat-users.xml''​ and assign him roles "​manager-gui"​ and "​admin-gui"​. 
 +    ​* ​The documentation of available roles as well as overall configuration of the application is a part of application installation available at http://​localhost:​8080/​docs/​manager-howto.html#​Configuring_Manager_Application_Access
  
-The file ''/​opt/​tomcat/​current/​conf/​tomcat-users.xml'' ​looks like this:+The file ''/​opt/​tomcat/​current/​conf/​tomcat-users.xml'' ​should now look like this:
 <file xml tomcat-users.xml>​ <file xml tomcat-users.xml>​
 <?xml version="​1.0"​ encoding="​UTF-8"?>​ <?xml version="​1.0"​ encoding="​UTF-8"?>​
Line 375: Line 351:
 </​file>​ </​file>​
  
-If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. If you see ''​403 Access Denied''​ it might be you did not do this setting.+  * If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. 
 +    * If you see ''​403 Access Denied'' ​when accessing Tomcat'​s management remotely, ​it might be because ​you did not perform ​this configuration.
  
-Add your IP address into application configuration files. In files ''/​opt/​tomcat/​current/​webapps/​manager/​META-INF/​context.xml''​ and ''/​opt/​tomcat/​current/​webapps/​host-manager/​META-INF/​context.xml''​ add net mask for your IP (both files should have the same content):+Add your IP address into application configuration files. In files ''/​opt/​tomcat/​current/​webapps/​manager/​META-INF/​context.xml''​ and ''/​opt/​tomcat/​current/​webapps/​host-manager/​META-INF/​context.xml''​ add netmask ​for your IP (both files should have the same content):
  
-In my casewant to access ​to Tomcat management from network 192.168.0.0/​24:​+For exampleif you want to access Tomcat'​s ​management from the network ​''​192.168.0.0/​24''​:
  
 <file xml context.xml>​ <file xml context.xml>​
Line 389: Line 366:
 </​file>​ </​file>​
  
-Again, restart the tomcat:+  * Again, restart the tomcat
 <code bash> <code bash>
 systemctl restart tomcat systemctl restart tomcat
 </​code>​ </​code>​
  
-===  Apache Tomcat configuration recommended for production ​usage ===+===  Apache Tomcat configuration recommended for production ​use ===
  
-It is advised ​to follow these steps for production ​usage:+We advise ​to follow these steps to configure Tomcat ​for production ​deployment.
  
-  * Remove unnecessary ​aplications ​that comes with Tomcat:+  * Remove unnecessary ​applications ​that come with Tomcat:
  
 <code bash> <code bash>
Line 410: Line 387:
 <Server port="​-1"​ shutdown="​SHUTDOWN">​ <Server port="​-1"​ shutdown="​SHUTDOWN">​
 </​code>​ </​code>​
 +
   * Make Tomcat listen only on localhost:   * Make Tomcat listen only on localhost:
-    * In the ''/​opt/​tomcat/​current/​conf/​server.xml''​ add the ''​address="​127.0.0.1"''​ property to configuration of ''​8009'' ​and ''​8080'' ​ports.+    * In the ''/​opt/​tomcat/​current/​conf/​server.xml''​ add the ''​address="​127.0.0.1"''​ property to configuration of ''​8080'' ​port. 
 + 
 +  * Set the ''​maxSwallowSize''​ for the HTTP/1.1 connector:​ 
 +    * In the ''/​opt/​tomcat/​current/​conf/​server.xml'',​ locate the configuration for port 8080 and add the ''​maxSwallowSize="​-1"''​ property therein. 
 + 
 +  * In same file configure AJP port (''​8009/​tcp''​) to look like this: 
 + 
 +<​code>​ 
 +<​Connector protocol="​AJP/​1.3"​ 
 +                address="​127.0.0.1"​ 
 +                secretRequired="​true"​ 
 +                secret="​***password for ajp port***"​ 
 +                port="​8009"​ 
 +                redirectPort="​8443"​ /> 
 +</​code>​
  
   * Do not show aplication server version:   * Do not show aplication server version:
-    * In the file ''/​opt/​tomcat/​current/​conf/​web.xml''​ set showServerInfo to false (default is true):+    * In the file ''/​opt/​tomcat/​current/​conf/​web.xml''​ set ''​showServerInfo'' ​to false (default is true):
  
 <code xml> <code xml>
Line 440: Line 432:
 <file txt tomcat> <file txt tomcat>
 /​opt/​tomcat/​current/​logs/​catalina.out { /​opt/​tomcat/​current/​logs/​catalina.out {
- rotate ​COUNT+ rotate ​90
  daily  daily
  dateext  dateext
Line 464: Line 456:
   * Adjust particular SELinux labels. Example ([[https://​access.redhat.com/​solutions/​39006|here]]).   * Adjust particular SELinux labels. Example ([[https://​access.redhat.com/​solutions/​39006|here]]).
 </​note>​ </​note>​
- 
-Please note that on Debian, the log is not rotate during the first day, but after the second day. 
  
  
Line 482: Line 472:
 <code bash> <code bash>
 yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs
-</​code>​ 
- 
-On Debian install those packages and allow modules: 
-<​code>​ 
-apt-get install apache2 libapache2-mod-security2 modsecurity-crs 
-a2enmod ssl 
-a2enmod proxy 
-a2enmod proxy_ajp 
-a2enmod proxy_http 
-a2enmod security2 
-a2enmod rewrite 
-a2enmod headers 
 </​code>​ </​code>​
  
 HTTPd basic configuration:​ HTTPd basic configuration:​
  
-Change MPM to worker ​(lower system requirements) ​- in the file ''/​etc/​httpd/​conf.modules.d/​00-mpm.conf''​ comment ​the lines with mod\_mpm\_prefork.so and uncomment ​mod\_mpm\_worker.so:​+Change MPM to worker - in the file ''/​etc/​httpd/​conf.modules.d/​00-mpm.conf''​ comment-out all lines but mod\_mpm\_worker.so:​
  
 <code bash> <code bash>
Line 528: Line 506:
 </​code>​ </​code>​
  
-Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/​etc/​httpd/​conf.d/​vhost-redirect.conf'' ​(or ''/​etc/​apache2/​sites-available/​vhost-redirect.conf''​ for Debian):+Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'SERVER' to the real servername in the file ''/​etc/​httpd/​conf.d/​vhost-redirect.conf'':​
 <code xml> <code xml>
 <​VirtualHost _default_:​80>​ <​VirtualHost _default_:​80>​
    ​DocumentRoot /​var/​www/​html    ​DocumentRoot /​var/​www/​html
-   ​Redirect permanent / https://server+   ​Redirect permanent / https://SERVER/
 </​VirtualHost>​ </​VirtualHost>​
 </​code>​ </​code>​
  
-Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/​etc/​httpd/​conf.d/​ssl.conf'' ​(or ''/​etc/​apache2/​sites-available/​ssl.conf''​ for Debian) ​add following before ending "​tag"​ VirtualHost:​+Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/​etc/​httpd/​conf.d/​ssl.conf''​ add following before ending "​tag"​ VirtualHost:​
  
 <​code>​ <​code>​
 +  Protocols ​      h2 https/1.1
   ProxyRequests ​    off   ProxyRequests ​    off
   ProxyPreserveHost on   ProxyPreserveHost on
   ProxyAddHeaders on   ProxyAddHeaders on
-  ProxyPass / ajp://​127.0.0.1:​8009/​ +  ProxyPass / ajp://​127.0.0.1:​8009/ ​secret=**tomcat_ajp_secret** 
-  ProxyPassReverse / ajp://​127.0.0.1:​8009/​+  ProxyPassReverse / ajp://​127.0.0.1:​8009/ ​secret=**tomcat_ajp_secret**
 </​code>​ </​code>​
  
Line 561: Line 540:
 </​code>​ </​code>​
  
-We also have to secure the communication. **Edit** corresponding lines in ''​ssl.conf''​ so they look like this. +Syntax check before httpd restart
-<​code>​ +
-SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +
-SSLCipherSuite ALL:​!ADH:​!EXPORT:​!SSLv2:​RC4+RSA:​+HIGH:​+MEDIUM:​!LOW:​!RC4:​!3DES+SHA:​!IDEA +
-SSLHonorCipherOrder on +
-</​code>​ +
-<​note>​In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM. If this is your case, you may need to slacken the cipher settings a bit.</​note>​ +
- +
-On Debian, create symlinks to sites-enabled:​ +
-<​code>​ +
-cd /​etc/​apache2/​sites-enabled +
-ln -s ../​sites-available/​vhost-redirect.conf 01vhost-redirect.conf +
-ln -s ../​sites-available/​ssl.conf 02ssl.conf +
-</​code>​ +
- +
-Syntax check before httpd restart:+
 <​code>​ <​code>​
 httpd -t -D DUMP_VHOST httpd -t -D DUMP_VHOST
 +# or apachectl configtest
 </​code>​ </​code>​
  
Line 586: Line 551:
 </​code>​ </​code>​
  
 +Allow in SELINUX to httpd connect to network:
 +<​code>​
 +/​usr/​sbin/​setsebool -P httpd_can_network_connect 1
 +</​code>​
 + 
 Enable httpd after OS start: Enable httpd after OS start:
 <code bash> <code bash>
Line 592: Line 562:
  
 ===== mod_security configuration ===== ===== mod_security configuration =====
-Mod_security files locations (on CentOS7):+Mod_security files locations (on CentOS8):
  
   * Audit log: ''/​var/​log/​httpd/​modsec\_audit.log''​   * Audit log: ''/​var/​log/​httpd/​modsec\_audit.log''​
   * Directory with activated rules: ''/​etc/​httpd/​modsecurity.d/​activated\_rules/''​   * Directory with activated rules: ''/​etc/​httpd/​modsecurity.d/​activated\_rules/''​
-  * basic configuration file for mod\_security:​ ''/​etc/​httpd/​modsecurity.d/​modsecurity\_crs\_10\_config.conf''​+  * basic configuration file for mod\_security:​ ''​ /​etc/​httpd/​modsecurity.d/​activated_rules/​REQUEST-901-INITIALIZATION.conf''​
   * The file for chosen rules deactivation:​ ''/​etc/​httpd/​conf.d/​ssl.conf''​   * The file for chosen rules deactivation:​ ''/​etc/​httpd/​conf.d/​ssl.conf''​
  
Line 611: Line 581:
 ==== Disabling mod_security rules ==== ==== Disabling mod_security rules ====
  
-In the file ''/​etc/​httpd/​conf.d/​ssl.conf'' ​(or ''/​etc/​apache2/​sites-available/​ssl.conf''​ for Debian) ​deactivate following rules and set their logging:+These rules are disabled for modsec_crs 3.0. 
 + 
 +In the file ''/​etc/​httpd/​conf.d/​ssl.conf''​ deactivate following rules and set their logging: 
 <code xml> <code xml>
 <​IfModule mod_security2.c>​ <​IfModule mod_security2.c>​
-        SecRuleRemoveById ​981173 +        SecRuleRemoveById ​942430 
-        SecRuleRemoveById ​960015 +        SecRuleRemoveById ​942431 
-        SecRuleRemoveById ​950109 +        SecRuleRemoveById ​920300 
 +        ​SecRuleRemoveById 920230 
 +        ​
         # Allow Czech signs         # Allow Czech signs
-        SecRuleRemoveById ​981318 +        SecRuleRemoveById ​942110 
-        SecRuleRemoveById ​981242 +        SecRuleRemoveById ​942330 
-        SecRuleRemoveById ​960024 +        SecRuleRemoveById ​942460 
-        SecRuleRemoveById ​981245+        SecRuleRemoveById ​942260
         ​         ​
         # Too restrictive for login format         # Too restrictive for login format
-        SecRuleRemoveById ​960035 +        SecRuleRemoveById ​920440 
 +        
         # Needed by Websockets ​         # Needed by Websockets ​
         <​Location "/​idm/​api/​v1/​websocket-info/">​         <​Location "/​idm/​api/​v1/​websocket-info/">​
-                SecRuleRemoveById ​970901+                SecRuleRemoveById ​950100
         </​Location>​         </​Location>​
         ​         ​
-        # These break Certificate Authority module 
- <​Location "/​idm/​api/​v1/​crt/​certificates/​action/​validate">​ 
- SecRuleRemoveById 960915 
- SecRuleRemoveById 200003 
- </​Location>​ 
- 
- # Modsec can throw false positives on some files due to multipart boundary check 
- <​Location "/​idm/​api/​v1/​attachments/​upload">​ 
- SecRuleRemoveById 960915 
- SecRuleRemoveById 200003 
- </​Location>​ 
- 
         # do not log request/​response body         # do not log request/​response body
         SecAuditLogParts ABFHZ         SecAuditLogParts ABFHZ
Line 649: Line 611:
 </​code>​ </​code>​
  
-==== mod_security configuration - CentOS7 ​ ====+==== mod_security configuration - CentOS8 ​ ====
  
-In the file /​etc/​httpd/​modsecurity.d/​modsecurity\_crs\_10\_config.conf, find the rule with id=900012 and add support for content\_type=application/​json,​ application/​hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type,​ then allow PUT DELETE and PATCH methods on the line with tx.allowed\_methods. +Edit the file ''​/​etc/​httpd/​modsecurity.d/​activated_rules/​REQUEST-901-INITIALIZATION.conf''​.
-Whole rule after the changes looks like this:+
  
-<​code>​ +  * find the rule ''​900200''​ and add methods ''PUT'', ''​DELETE'' ​and ''​PATCH''​ on the line starting ''tx.allowed\_methods'​'​. ​It should look like this after change:
-SecAction \ +
-  "id:'900012', \ +
-  phase:1, \ +
-  t:none, \ +
-  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS ​PUT PATCH DELETE', ​+
-  setvar:'tx.allowed_request_content_type=application/​hal+json|application/​json|text/​plain|application/​x-www-form-urlencoded|multipart/​form-data|text/​xml|application/​xml|application/​x-amf', \ +
-  setvar:'tx.allowed_http_versions=HTTP/​0.9 HTTP/1.0 HTTP/1.1', \ +
-  setvar:'tx.restricted_extensions=.asa/​ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', ​\ +
-  setvar:'tx.restricted_headers=/​Proxy-Connection/​ /​Lock-Token/​ /​Content-Range/​ /Translate/ /via/ /if/', \ +
-  nolog, \ +
-  pass"​ +
-</​code>​+
  
-==== mod_security configuration - Debian ==== 
-Enable mod\_security configuration:​ 
 <​code>​ <​code>​
-cd /​etc/​modsecurity +# Default HTTP policy: allowed_methods (rule 900200) 
-cp modsecurity.conf-recommended modsecurity.conf+SecRule &​TX:​allowed_methods "@eq 0" \ 
 +    "​id:​901160,​\ 
 +    phase:1,\ 
 +    pass,\ 
 +    nolog,\ 
 +    setvar:'​tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"​
 </​code>​ </​code>​
  
-Uncomment following rules in the ''​/​etc/​modsecurity/​crs/​crs-setup.conf''​ and change them accordingly (add allowed ​content ​types and allowed ​HTTP methods): +  * find the rule ''​900220''​ and add support for content ​type ''​application/​hal+json''​ on the line starting with ''​tx.allowed\_request\_content\_type''​. ​Result should look like this:
-<​code>​ +
-SecAction ​\ +
- "​id:​900200,​\ +
-  phase:1,\ +
-  nolog,\ +
-  pass,\ +
-  t:none,\ +
-  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"​+
  
-SecAction ​+<​code>​ 
- "​id:​900220,\ +# Default HTTP policy: allowed_request_content_type (rule 900220) 
-  phase:1,\ +SecRule &​TX:​allowed_request_content_type "@eq 0" ​
-  ​nolog,​\ +    "id:901162,\ 
-  ​pass,\ +    phase:1,\ 
-  ​t:​none,\ +    pass,\ 
-  setvar:'​tx.allowed_request_content_type=application/​x-www-form-urlencoded|multipart/​form-data|text/​xml|application/​xml|application/​x-amf|application/​json|text/​plain|application/​hal+json'"​+    nolog,\ 
 +    setvar:'​tx.allowed_request_content_type=application/​x-www-form-urlencoded|multipart/​form-data|text/​xml|application/​xml|application/​x-amf|application/​json|text/​plain|application/​hal+json'"​
 </​code>​ </​code>​
  
Line 733: Line 678:
 </​code>​ </​code>​
  
-===== Workaround for slow HTTPD shutdown ===== 
-In some RHEL/CentOS versions Apache HTTPD shutsdown or restarts itself very slowly. It is caused by [[https://​bugzilla.redhat.com/​show_bug.cgi?​id=906321]]. 
-Workaround is to edit '''/​usr/​lib/​systemd/​system/​httpd.service'''​ and add the option: 
-<​code>​ 
-KillMode=none 
-</​code>​ 
-Then reload systemd: 
- 
-<​code>​ 
-systemctl daemon-reload 
-</​code>​ 
- 
-It is absolutely correct to create new versions of unity in /etc, that has the option: 
- 
-<​code>​ 
-cp /​usr/​lib/​systemd/​system/​httpd.service /​etc/​systemd/​system/​httpd.service 
-vim /​etc/​systemd/​system/​httpd.service # add parametr KillMode=none 
-systemctl daemon-reload 
-</​code>​ 
- 
-The patch of httpd should come soon so the first option is OK too. 
- 
-===== SSO ===== 
- 
-If you want to enable SSO to CzechIdM, additional configuration must be done with mod\_auth\_kerb. See [[tutorial:​adm:​sso_ad_domain#​configure_apache_httpd_-_linux|SSO installation guide]] for more details. 
- 
-====== nginx as reverse proxy ====== 
- 
-In case that you want to use nginx instead of Apache httpd, the configuration is as follows. ​ 
- 
-<code ini> 
-server { 
- listen ​  *:443 ssl http2; 
- server_name ​ idm.domain.tld;​ 
- client_max_body_size 1G; 
- ssl on; 
- ssl_certificate ​     /​path/​to/​fullchain.pem;​ 
- ssl_certificate_key ​ /​path/​to/​privkey.pem;​ 
- gzip on; 
- gzip_proxied any; 
- gzip_types 
-        text/css 
-       ​ text/​javascript 
-        text/xml 
-       ​ text/​plain 
-        application/​javascript 
-       ​ application/​x-javascript 
-        application/​json;​ 
- 
- location / { 
- proxy_hide_header X-Frame-Options;​ 
- add_header X-Frame-Options SAMEORIGIN; 
- proxy_pass http://​localhost:​8080/;​ 
- proxy_set_header Host $host; 
- proxy_set_header X-Real-IP $remote_addr;​ 
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;​ 
- proxy_set_header X-Forwarded-Proto "​https";​ 
- proxy_ssl_session_reuse off; 
- proxy_redirect off; 
- 
- # WebSocket support 
- proxy_http_version 1.1; 
-    proxy_set_header Upgrade $http_upgrade;​ 
-    proxy_set_header Connection "​upgrade";​ 
- } 
-} 
-</​code>​