Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:server_preparation [2020/08/10 07:39]
urbanl [Apache Tomcat configuration] optional tomcat manager
+++ tutorial:adm:server_preparation [2024/01/10 10:35] (current)
koulaj [Java - CentOS8]
@@ Line 6: / Line 6: @@
 ===== Basic system setup =====
-  * 1 server (can be virtualized) for everything: backend, frontend and database.
+  * 1 server (can be virtualized) for everything: backend, frontend and database.
   * OS Linux with EPEL repository enabled - CentOS, basic network enabled installation
-    * It is possible to use Debian (we tested on Stretch) or other distributions, but you have to adjust steps in this guide accordingly.
+      * It is possible to use Debian (we tested on Stretch) or other distributions, but you have to adjust steps in this guide accordingly.
   * PostgreSQL 12.x - installed from OS packages.
-  * Java 11 - installed from OS packages.
+  * Java 11 (Java 21 for CzechIdM 13.1.0+) - installed from OS packages.
-  * Apache Tomcat 8.5.x - installed manually into ''/opt/tomcat''.
+  * Apache Tomcat 9.0.x - installed manually into ''/opt/tomcat''.
   * Apache HTTPd 2.4.x - installed from OS packages. Can be replaced by nGinx.
   * All services start via systemd.
   * Each service runs under dedicated non-privileged user.
 ===== Instalation and software configuration =====
 Prerequisities - Basic installation of CentOS 8
 <code bash>
 # EPEL installation
 dnf clean all
 dnf -y install epel-release
-dnf update -y
+dnf -y update
 # other recommended packages installation
@@ Line 35: / Line 40: @@
 # check the network configuration, be sure it is static (/etc/sysconfig/network-scripts/)
 # reboot the server
 </code>
-===== PostgreSQL  =====
+===== PostgreSQL =====
-<note tip>If you are installing CzechIdM on Microsoft SQL Server, please follow [[tutorial:adm:mssql_database_support|this tutorial]].</note>
-We install PostgreSQL 12 database binaries and change database data directory from ''/var/lib'' to ''/data''.
+<note tip>If you are installing CzechIdM on Microsoft SQL Server, please follow [[.:mssql_database_support|this tutorial]].</note> We install PostgreSQL 12 database binaries and change database data directory from ''/var/lib''  to ''/data''.
 ==== Database server installation - CentOS8 ====
   * Software installation on CentOS8(versions can vary):
@@ Line 47: / Line 55: @@
 dnf module enable postgresql:12
 dnf -y install postgresql-server postgresql-contrib postgresql-libs
 </code>
@@ Line 55: / Line 64: @@
 chown -R postgres:postgres /data/pgsql/
 chmod 700 /data/pgsql
 </code>
@@ Line 61: / Line 71: @@
 <code bash>
 cp /usr/lib/systemd/system/postgresql.service /etc/systemd/system/
 </code>
-In the file ''/etc/systemd/system/postgresql.service'' change the directory for data as follows:
+In the file ''/etc/systemd/system/postgresql.service''  change the directory for data as follows:
 <code>
 # Location of database directory
 Environment=PGDATA=/data/pgsql/12/data/
 </code>
-  * In the file ''/var/lib/pgsql/.bash_profile'' (bash profile for postgres user) change the variable PGDATA to:
+  * In the file ''/var/lib/pgsql/.bash_profile''  (bash profile for postgres user) change the variable PGDATA to:
 <code>
 PGDATA=/data/pgsql/12/data
 </code>
@@ Line 78: / Line 92: @@
 <code bash>
 systemctl daemon-reload
 </code>
@@ Line 87: / Line 101: @@
 <code bash>
 postgresql-setup --initdb --unit postgresql
 </code>
 Change SELINUX labels:
 <code>
 chcon -Rt postgresql_db_t /data/pgsql/
 chcon -Rt postgresql_log_t /data/pgsql/12/data/log/
 </code>
@@ Line 100: / Line 117: @@
 systemctl start postgresql.service
 systemctl enable postgresql.service
 </code>
@@ Line 114: / Line 132: @@
    CGroup: /system.slice/postgresql.service
            ├─25715 /usr/bin/postmaster -D /data/pgsql/12/data/
            ├─25716 postgres: logger
            ├─25718 postgres: checkpointer
            ├─25719 postgres: background writer
            ├─25720 postgres: walwriter
            ├─25721 postgres: autovacuum launcher
            ├─25722 postgres: stats collector
            └─25723 postgres: logical replication launcher
 Mar 11 10:48:06 HOSTNAME systemd[1]: Starting PostgreSQL database server...
@@ Line 131: / Line 149: @@
 Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.330 CET [25715] HINT:  Future log output will appear in directory "log".
 Mar 11 10:48:06 HOSTNAME systemd[1]: Started PostgreSQL database server.
 </code>
 ==== Database server configuration and sizing ====
@@ Line 138: / Line 156: @@
   * Enable the password authentication.
-In the file ''/data/pgsql/12/data/pg_hba.conf'' find lines:
+In the file ''/data/pgsql/12/data/pg_hba.conf''  find lines:
 <code>
 host    all             all             127.0.0.1/32            ident
 host    all             all             ::1/128                 ident
 </code>
-and change the value at the end of each line to ''md5'' like this:
+and change the value at the end of each line to ''md5''  like this:
 <code>
 host    all             all             127.0.0.1/32            md5
 host    all             all             ::1/128                 md5
 </code>
   * Adjust DB instance sizing.
-    * In following snippet, we presume the system has 3GB of memory dedicated for the database and about 100 db connections. **For your deployment, adjust the sizing accordingly. Use a [[https://pgtune.leopard.in.ua/#/|calculator]] if in doubt**.
+      * In following snippet, we presume the system has 3GB of memory dedicated for the database and about 100 db connections. **For your deployment, adjust the sizing accordingly. Use a [[https://pgtune.leopard.in.ua/#/|calculator]] if in doubt**.
-    * We also log queries running longer than 200ms.
+      * We also log queries running longer than 200ms.
-In a file ''/data/pgsql/12/data/postgresql.conf'' change (or add) following lines:
+In a file ''/data/pgsql/12/data/postgresql.conf''  change (or add) following lines:
 <code>
 # This is an EXAMPLE. Use the calculator to adjust for your deployment!
@@ Line 177: / Line 201: @@
 log_min_duration_statement = 200
 </code>
@@ Line 183: / Line 208: @@
 <code>
 systemctl restart  postgresql.service
 </code>
@@ Line 189: / Line 215: @@
 ===== Java - CentOS8 =====
-Tomcat application server needs Java installed. We recommend to use OpenJDK 11 from standard OS repository. (OpenJDK 1.8 is also supported, check [[devel:documentation:compatibility|compatibility page]]).
+Tomcat application server needs Java installed. We recommend to use OpenJDK 11 from standard OS repository. (OpenJDK 1.8 is also supported, check [[:devel:documentation:compatibility|compatibility page]]).
 Installation:
 <code>
 dnf install -y java-11-openjdk-headless java-11-openjdk-devel
+</code>
+For CzechIdM 13.1.0+:
+<code>
+dnf install -y java-21-openjdk-headless java-21-openjdk-devel
 </code>
@@ Line 206: / Line 241: @@
 getent passwd tomcat
 #tomcat:x:995:993::/opt/tomcat:/usr/sbin/nologin
 </code>
@@ Line 213: / Line 249: @@
 mkdir /opt/tomcat
 cd /opt/tomcat
 </code>
-  * Download Apache Tomcat 8.5.x from the website [[https://tomcat.apache.org/download-80.cgi]] to ''/opt/tomcat/''
+  * Download Apache Tomcat 9.0.x from the website [[https://tomcat.apache.org/download-90.cgi|https://tomcat.apache.org/download-90.cgi]] to ''/opt/tomcat/''
-    * In our exapmle the version is 8.5.57.
+      * In our exapmle the version is 9.0.45.
   * extract files from the archive:
 <code bash>
-tar xzf apache-tomcat-8.5.57.tar.gz
+tar xzf apache-tomcat-9.0.45.tar.gz
 </code>
@@ Line 228: / Line 268: @@
 <code bash>
 cd /opt/tomcat
-ln -s apache-tomcat-8.5.57 current
+ln -s apache-tomcat-9.0.45 current
 </code>
@@ Line 247: / Line 289: @@
 chown tomcat:tomcat /opt/tomcat/current/conf/Catalina
 chmod 750 /opt/tomcat/current/conf/Catalina
 </code>
@@ Line 256: / Line 300: @@
 <code bash>
 vim /etc/systemd/system/tomcat.service
 </code>
@@ Line 286: / Line 331: @@
 [Install]
 WantedBy=multi-user.target
 </file>
 <note>
-  * Values of ''-Xms'' and ''-Xmx'' se are closely dependent on server sizing. If you have enough memory, we strongly recommend to use ''-Xmx 6128M'' or more.
+  * Values of ''-Xms''  and ''-Xmx''  se are closely dependent on server sizing. If you have enough memory, we strongly recommend to use ''-Xmx 6128M''  or more.
   * Tomcat will be started under user ''tomcat:tomcat''.
 </note>
   * Reload systemd configuration:
 <code>
 systemctl daemon-reload
 </code>
@@ Line 303: / Line 353: @@
 systemctl start tomcat
 systemctl enable tomcat
 </code>
@@ Line 310: / Line 361: @@
 [root@tomcat1 logs]# ps -ef | grep ^tomcat
 tomcat      1623       1  9 11:08 ?        00:00:04 /usr/lib/jvm/java-openjdk/bin/java -Djava.util.logging.config.file=/opt/tomcat/current/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/current/bin/bootstrap.jar:/opt/tomcat/current/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat/current -Dcatalina.home=/opt/tomcat/current -Djava.io.tmpdir=/opt/tomcat/current/temp org.apache.catalina.startup.Bootstrap start
 </code>
   * Stop the Tomcat.
 <code>
 systemctl stop tomcat
 </code>
@@ Line 324: / Line 377: @@
 Apache Tomcat offers two applications for tomcat management available at:
-  * http://localhost:8080/manager
+  * [[http://localhost:8080/manager|http://localhost:8080/manager]]
-  * http://localhost:8080/host-manager
+  * [[http://localhost:8080/host-manager|http://localhost:8080/host-manager]]
-<note important>These applications are optional but even when you will not install them you need to **set admin password** to increase security of Tomcat.</note>
+<note important>These applications are optional but even when you will not install them you need to **set admin password**  to increase security of Tomcat.</note>
 If you want to use them, it is necessary to do following steps.
@@ Line 334: / Line 387: @@
   * Create administration user
-    * Create the a new user in the file  ''/opt/tomcat/current/conf/tomcat-users.xml'' and assign him roles "manager-gui" and "admin-gui".
+      * Create the a new user in the file ''/opt/tomcat/current/conf/tomcat-users.xml''  and assign him roles "manager-gui" and "admin-gui".
-    * The documentation of available roles as well as overall configuration of the application is a part of application installation available at http://localhost:8080/docs/manager-howto.html#Configuring_Manager_Application_Access
+      * The documentation of available roles as well as overall configuration of the application is a part of application installation available at [[http://localhost:8080/docs/manager-howto.html#Configuring_Manager_Application_Access|http://localhost:8080/docs/manager-howto.html#Configuring_Manager_Application_Access]]
+The file ''/opt/tomcat/current/conf/tomcat-users.xml''  should now look like this:
-The file ''/opt/tomcat/current/conf/tomcat-users.xml'' should now look like this:
 <file xml tomcat-users.xml>
 <?xml version="1.0" encoding="UTF-8"?>
@@ Line 351: / Line 405: @@
   <user username="admin" password="*****store it somewhere safe*****" roles="manager-gui,manager-status,admin-gui"/>
 </tomcat-users>
 </file>
   * If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP.
-    * If you see ''403 Access Denied'' when accessing Tomcat's management remotely, it might be because you did not perform this configuration.
+      * If you see ''403 Access Denied''  when accessing Tomcat's management remotely, it might be because you did not perform this configuration.
-Add your IP address into application configuration files. In files ''/opt/tomcat/current/webapps/manager/META-INF/context.xml'' and ''/opt/tomcat/current/webapps/host-manager/META-INF/context.xml'' add netmask for your IP (both files should have the same content):
+Add your IP address into application configuration files. In files ''/opt/tomcat/current/webapps/manager/META-INF/context.xml''  and ''/opt/tomcat/current/webapps/host-manager/META-INF/context.xml''  add netmask for your IP (both files should have the same content):
 For example, if you want to access Tomcat's management from the network ''192.168.0.0/24'':
@@ Line 362: / Line 418: @@
 <file xml context.xml>
 <?xml version="1.0" encoding="UTF-8"?>
-<Context antiResourceLocking="false" privileged="true" >
+<Context antiResourceLocking="false" privileged="true">
   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
-         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.\d+\.\d+" />
+         allow="127.d+.d+.d+|::1|0:0:0:0:0:0:0:1|192\.168.d+.d+" />
 </Context>
 </file>
   * Again, restart the tomcat
 <code bash>
 systemctl restart tomcat
 </code>
-===  Apache Tomcat configuration recommended for production use ===
+=== Apache Tomcat configuration recommended for production use ===
 We advise to follow these steps to configure Tomcat for production deployment.
@@ Line 381: / Line 442: @@
 <code bash>
 rm -rf /opt/tomcat/current/webapps/{examples,docs,ROOT,host-manager,manager}
 </code>
   * Turn off the shutdown port:
-    * In the config file ''/opt/tomcat/current/conf/server.xml'' set value -1 from 8005 to the Server port tag, thus you deactivate it:
+      * In the config file ''/opt/tomcat/current/conf/server.xml''  set value -1 from 8005 to the Server port tag, thus you deactivate it:
 <code xml>
 <Server port="-1" shutdown="SHUTDOWN">
 </code>
   * Make Tomcat listen only on localhost:
-    * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8080'' port.
+      * In the ''/opt/tomcat/current/conf/server.xml''  add the ''address="127.0.0.1"''  property to configuration of ''8080''  port.
-  * Set the ''maxSwallowSize'' for the HTTP/1.1 connector:
+  * Set the ''maxSwallowSize''  for the HTTP/1.1 connector:
-    * In the ''/opt/tomcat/current/conf/server.xml'', locate the configuration for port 8080 and add the ''maxSwallowSize="-1"'' property therein.
+      * In the ''/opt/tomcat/current/conf/server.xml'', locate the configuration for port 8080 and add the ''maxSwallowSize="-1"''  property therein.
   * In same file configure AJP port (''8009/tcp'') to look like this:
 <code>
 <Connector protocol="AJP/1.3"
                 address="127.0.0.1"
@@ Line 405: / Line 470: @@
                 port="8009"
                 redirectPort="8443" />
 </code>
   * Do not show aplication server version:
-    * In the file ''/opt/tomcat/current/conf/web.xml'' set ''showServerInfo'' to false (default is true):
+      * In the file ''/opt/tomcat/current/conf/web.xml''  set ''showServerInfo''  to false (default is true):
 <code xml>
@@ Line 428: / Line 494: @@
         <load-on-startup>1</load-on-startup>
     </servlet>
 </code>
 === Rotating Tomcat logs ===
-Default Tomcat logger appneds to the logfile, it is therefore safe to use simple ''logrotate'' configuration. Save following as ''/etc/logrotate.d/tomcat'', adjust log retention (the ''rotate COUNT'') as necessary.
+Default Tomcat logger appends to the logfile, it is therefore safe to use simple ''logrotate''  configuration. Save following as ''/etc/logrotate.d/tomcat'', adjust log retention (the ''rotate COUNT'') as necessary.
 <file txt tomcat>
 /opt/tomcat/current/logs/catalina.out {
-	rotate 90
+    rotate 90
-	daily
+    daily
-	dateext
+    dateext
-	copytruncate
+    copytruncate
-	missingok
+    missingok
-	notifempty
+    notifempty
-	compress
+    compress
 }
 </file>
-It is possible that, on some distros, SELinux will deny acces to the logfile for logrotate because ''logrotate_t'' is only allowed in the ''/var/log'' and subfolders. The logrotate will error to the ''/var/log/messages'' line similar to ''Sep  3 03:48:01 server.tld logrotate: ALERT exited abnormally with [1]''.
+It is possible that, on some distros, SELinux will deny acces to the logfile for logrotate because ''logrotate_t''  is only allowed in the ''/var/log''  and subfolders. The logrotate will error to the ''/var/log/messages''  line similar to ''Sep 3 03:48:01 server.tld logrotate: ALERT exited abnormally with [1]''.
 If this happens, set the permissive mode for logrotate:
 <code>
 semanage permissive -a logrotate_t
 </code>
-<note warning>
+<note warning> Evaluate impact of SELinux adjustments **before**  you implement them. Proper mitigation heavily depends on habits and security policies of your organization.
-Evaluate impact of SELinux adjustments **before** you implement them. Proper mitigation heavily depends on habits and security policies of your organization.
 There are some possibilities:
   * Set permissive mode for logrotate as above.
   * Set permissive mode for whole SELinux. (This will drop the SELinux's protective function.)
   * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]).
 </note>
@@ Line 462: / Line 538: @@
 ====== Apache httpd as a reverse proxy ======
-It is possible to open Apache Tomcat to the network directly, but little inconvenient. You want the users to access the CzechIdM on user-friendly ports 80/tcp or 443/tcp, which is not easy to setup in Tomcat itself running under nonprivileged user. So we use Apache httpd as a reverse proxy.
+It is possible to open Apache Tomcat to the network directly, but little inconvenient. You want the users to access the CzechIdM on user-friendly ports 80/tcp or 443/tcp, which is not easy to setup in Tomcat itself running under nonprivileged user. So we use Apache httpd as a reverse proxy. Apache httpd will allow access to data via https on port 443/tcp and http on port 80/tcp. Communication via http protocol will be enabled, but we will redirect all communication to https. Communication between Apache httpd and Tomcat will take place on local machine via AJP protocol. In httpd, there will be mod_security installed (optional but recommended), which serves as an application firewall.
-Apache httpd will allow access to data via https on port 443/tcp and http on port 80/tcp. Communication via http protocol will be enabled, but we will redirect all communication to https.
-Communication between Apache httpd and Tomcat will take place on local machine via AJP protocol. In httpd, there will be mod_security installed (optional but recommended), which serves as an application firewall.
 The configuration example is written for the server which allows access to its services under the name "demo.czechidm.com".
@@ Line 474: / Line 548: @@
 <code bash>
 yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs
 </code>
 HTTPd basic configuration:
-Change MPM to worker - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment-out all lines but mod\_mpm\_worker.so:
+Change MPM to worker - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf''  comment-out all lines but mod\_mpm\_worker.so:
 <code bash>
@@ Line 499: / Line 575: @@
 #
 #LoadModule mpm_event_module modules/mod_mpm_event.so
 </code>
 Disable "welcome" page:
 <code bash>
 cd /etc/httpd/conf.d
 mv welcome.conf welcome.conf-DISABLED
 touch welcome.conf
 </code>
 Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'SERVER' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'':
 <code xml>
 <VirtualHost _default_:80>
@@ Line 514: / Line 596: @@
    Redirect permanent / https://SERVER/
 </VirtualHost>
-</code>
-Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' add following before ending "tag" VirtualHost:
+</code>
+Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf''  add following before ending "tag" VirtualHost:
 <code>
-  Protocols       h2 https/1.1
+  Protocols       https/1.1
   ProxyRequests     off
   ProxyPreserveHost on
@@ Line 525: / Line 609: @@
   ProxyPass / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
   ProxyPassReverse / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
 </code>
-In IE 11, CzechIdM  has problems with missing icons. Icons are created by special fonts and those fonts are handled badly in the IE. It is necessary to set ''Cache-Control'' HTTP header. We need to set it only for font files:
+In IE 11, CzechIdM has problems with missing icons. Icons are created by special fonts and those fonts are handled badly in the IE. It is necessary to set ''Cache-Control''  HTTP header. We need to set it only for font files:
 <code>
 # workaround for bad font handling in IE 11
 <LocationMatch "/idm/.*(\.ttf|\.woff2|\.eot)$">
         Header set Cache-Control "no-cache, public, must-revalidate, proxy-revalidate"
 </LocationMatch>
 </code>
-Identity manager CzechIdM will be available on address https://server/idm/ It is possible to forward from / to /idm/, so that the user does not need to type the whole URL.
+Identity manager CzechIdM will be available on address [[https://server/idm/|https://server/idm/]] It is possible to forward from / to /idm/, so that the user does not need to type the whole URL. To do so, add following lines to the virtualhost config file (ssl.conf):
-To do so, add following lines to the virtualhost config file (ssl.conf):
 <code>
 RewriteEngine On
 RewriteRule "^/$"  "/idm/" [R]
 </code>
+=== Certificate for httpd ===
+If you have prepared certifikate, key and certificate authority chain just chnge these properties in ''/etc/httpd/conf.d/ssl.conf''  and make sure that only httpd can read the files.
+<code>
+    SSLCertificateFile PATH_TO_CERTIFICATE_FILE
+    SSLCertificateKeyFile PATH_TO_CERTIFICATE_KEY_FILE
+    SSLCertificateChainFile PATH_TO_CA_CHAIN_FILE
+</code>
+Then continue with cheking syntax of httpd.
+If you not prepared them in the moment. Create temporary certificate and key.
+<code>
+mkdir /etc/httpd/cert
+cd /etc/httpd/cert
+openssl genrsa -out http_temp_cert.key
+openssl req -new -key http_temp_cert.key -out http_temp_cert.csr -subj "/C=CZ/ST=Czech Republic/L=Prague/O=BCV/CN=CzechIdM placeholder cert"
+openssl x509 -req -in http_temp_cert.csr -signkey http_temp_cert.key -days 1 -sha256 -out http_temp_cert.crt
+rm http_temp_cert.csr
+chmod 600 /etc/httpd/cert/*
+chown -R apache:apache  /etc/httpd/cert/
+</code>
+Then change set path to them in these properties in ''/etc/httpd/conf.d/ssl.conf''.
+<code>
+    SSLCertificateFile /etc/httpd/cert/http_temp_cert.crt
+    SSLCertificateKeyFile /etc/httpd/cert/http_temp_cert.key
+</code>
+=== Checking httpd configuration syntax and configuring selinux ===
 Syntax check before httpd restart
 <code>
 httpd -t -D DUMP_VHOST
 # or apachectl configtest
 </code>
 httpd restart and reload configuration changes:
 <code>
 systemctl restart httpd
 </code>
 Allow in SELINUX to httpd connect to network:
 <code>
 /usr/sbin/setsebool -P httpd_can_network_connect 1
 </code>
 Enable httpd after OS start:
 <code bash>
 systemctl enable httpd.service
 </code>
 ===== mod_security configuration =====
 Mod_security files locations (on CentOS8):
@@ Line 579: / Line 714: @@
     SecRuleRemoveById RULE_ID
   </IfModule>
 </code>
@@ Line 585: / Line 721: @@
 These rules are disabled for modsec_crs 3.0.
-In the file ''/etc/httpd/conf.d/ssl.conf'' deactivate following rules and set their logging:
+In the file ''/etc/httpd/conf.d/ssl.conf''  deactivate following rules and set their logging:
 <code xml>
@@ Line 593: / Line 729: @@
         SecRuleRemoveById 920300
         SecRuleRemoveById 920230
         # Allow Czech signs
         SecRuleRemoveById 942110
@@ Line 599: / Line 735: @@
         SecRuleRemoveById 942460
         SecRuleRemoveById 942260
         # Too restrictive for login format
         SecRuleRemoveById 920440
         # Needed by Websockets
         <Location "/idm/api/v1/websocket-info/">
                 SecRuleRemoveById 950100
         </Location>
         # do not log request/response body
-        SecAuditLogParts ABFHZ
+        SecAuditLogParts AFHZ
 </IfModule>
 </code>
-==== mod_security configuration - CentOS8  ====
+==== mod_security configuration - CentOS8 ====
 Edit the file ''/etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf''.
-  * find the rule ''900200'' and add methods ''PUT'', ''DELETE'' and ''PATCH'' on the line starting ''tx.allowed\_methods''. It should look like this after change:
+  * find the rule ''900200''  and add methods ''PUT'', ''DELETE''  and ''PATCH''  on the line starting ''tx.allowed\_methods''. It should look like this after change:
 <code>
@@ Line 627: / Line 764: @@
     nolog,\
     setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
 </code>
-  * find the rule ''900220'' and add support for content type ''application/hal+json'' on the line starting with ''tx.allowed\_request\_content\_type''. Result should look like this:
+  * find the rule ''900220''  and add support for content type ''application/hal+json''  on the line starting with ''tx.allowed\_request\_content\_type''. Result should look like this:
 <code>
@@ Line 639: / Line 777: @@
     nolog,\
     setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'"
 </code>
 ===== mod_deflate configuration =====
-It is advised to set up gzip so the users get minimum of data from the frontend server.
-In the file ''/etc/httpd/conf.d/ssl.conf'' we add following configuration and restart the server:
+It is advised to set up gzip so the users get minimum of data from the frontend server. In the file ''/etc/httpd/conf.d/ssl.conf''  we add following configuration and restart the server:
 <code xml>
 <IfModule mod_deflate.c>
@@ Line 678: / Line 817: @@
         Header append Vary User-Agent
 </IfModule>
 </code>