Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:server_preparation_tmp [2020/03/10 11:46]
urbanl [Instalation and software configuration]
+++ tutorial:adm:server_preparation_tmp [2020/03/12 12:29]
urbanl [HTTPd installation and configuration]
@@ Line 58: / Line 58: @@
 screen dnsutils sysstat lsof haveged nmap tcpdump traceroute tcptraceroute curl iptables-persistent
 </code>
-===== PostgreSQL =====
+===== PostgreSQL -!CHANGED =====
 <note tip>If you are install CzechIdM on Sql server, please follow [[tutorial:adm:mssql_database_support|this tutorial]].</note>
-CentOS7 default repository version of PostgreSQL is 9.2 but IdM not support that version. In our tutorial, we will install newer version 9.6. Moreover, we install database data into /data not /var/lib which is the default option.
+CentOS8 default repository version of PostgreSQL is 10 but IdM not support that version. In our tutorial, we will install newer version 12. Moreover, we install database data into /data not /var/lib which is the default option.
-==== Database server installation - CentOS7 and CentOS8 -!CHANGED ====
+==== Database server installation - CentOS8 -!CHANGED ====
-  * Software installation on CentOS7(versions can vary):
+  * Software installation on CentOS8(versions can vary):
-<code bash>
-yum install -y https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-centos96-9.6-3.noarch.rpm
-yum install -y postgresql96-server postgresql96-contrib pgstat2_96 pg_top96  postgresql96-libs
-</code>
-#TODO
-  * Software installation on CentOS7(versions can vary):
 <code bash>
-# add repository
+# enable module postgres 12
-yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
+yum module enable postgresql:12
-# disable centos8 build-in module
+yum install -y postgresql-server postgresql-contrib postgresql-libs
-yum module disable postgresql
-# install postgresql components
-yum install -y postgresql11-server postgresql11-contrib pgstat2_11 pg_top11  postgresql11-libs
 </code>
   * create new system directory:
-<code>
-mkdir -p /data/pgsql/11/data/
+<code bash>
+mkdir -p /data/pgsql/12/data/
+mkdir -p /data/pgsql/12/data/
 chown -R postgres:postgres /data/pgsql/
 chmod 700 /data/pgsql
 </code>
   * Copy of the configuration file for systemd, in which we will make change of directory for data:
 <code bash>
-cp /usr/lib/systemd/system/postgresql-11.service /etc/systemd/system/
+cp /usr/lib/systemd/system/postgresql.service /etc/systemd/system/
 </code>
-In the file ''/etc/systemd/system/postgresql-11.service'' change the directory for data as follows:
+In the file ''/etc/systemd/system/postgresql.service'' change the directory for data as follows:
 <code>
 # Location of database directory
-Environment=PGDATA=/data/pgsql/9.6/data/
+Environment=PGDATA=/data/pgsql/12/data/
 </code>
@@ Line 97: / Line 94: @@
 <code>
-PGDATA=/data/pgsql/11/data
+PGDATA=/data/pgsql/12/data
 </code>
@@ Line 111: / Line 108: @@
 <code bash>
-/usr/pgsql-11/bin/postgresql96-setup initdb
+/usr/bin/postgresql-setup --initdb --unit postgresql
 </code>
+Change SELINUX labels:
+<code>
+chcon -Rt postgresql_db_t pgsql/
+chcon -Rt postgresql_log_t /data/pgsql/12/data/log/
+</code>
   * Enable and start database:
 <code bash>
-systemctl start postgresql-11.service
+systemctl start postgresql.service
-systemctl enable postgresql-11.service
+systemctl enable postgresql.service
 </code>
@@ Line 126: / Line 127: @@
 <code bash>
-[root@tomcat1 system]# systemctl status postgresql-9.6.service -l
+[root@HOSTNAME data]# systemctl status postgresql.service -l
-● postgresql-9.6.service - PostgreSQL 9.6 database server
+● postgresql.service - PostgreSQL database server
-   Loaded: loaded (/etc/systemd/system/postgresql-9.6.service; enabled; vendor preset: disabled)
+   Loaded: loaded (/etc/systemd/system/postgresql.service; enabled; vendor preset: disabled)
-   Active: active (running) since Pá 2016-11-18 23:50:06 CET; 2min 57s ago
+   Active: active (running) since Wed 2020-03-11 10:48:06 CET; 1min 8s ago
- Main PID: 2626 (postmaster)
+ Main PID: 25715 (postmaster)
-   CGroup: /system.slice/postgresql-9.6.service
+    Tasks: 8 (limit: 52428)
-           ├─2626 /usr/pgsql-9.6/bin/postmaster -D /data/pgsql/9.6/data/
+   Memory: 19.8M
-           ├─2628 postgres: logger process
+   CGroup: /system.slice/postgresql.service
-           ├─2630 postgres: checkpointer process
+           ├─25715 /usr/bin/postmaster -D /data/pgsql/12/data/
-           ├─2631 postgres: writer process
+           ├─25716 postgres: logger
-           ├─2632 postgres: wal writer process
+           ├─25718 postgres: checkpointer
-           ├─2633 postgres: autovacuum launcher process
+           ├─25719 postgres: background writer
-           └─2634 postgres: stats collector process
+           ├─25720 postgres: walwriter
+           ├─25721 postgres: autovacuum launcher
+           ├─25722 postgres: stats collector
+           └─25723 postgres: logical replication launcher
-lis 18 23:50:06 tomcat1.localdomain systemd[1]: Starting PostgreSQL 9.6 database server...
+Mar 11 10:48:06 HOSTNAME systemd[1]: Starting PostgreSQL database server...
-lis 18 23:50:06 tomcat1.localdomain postmaster[2626]: < 2016-11-18 23:50:06.608 CET > LOG:  redirecting log output to logging collector process
+Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.255 CET [25715] LOG:  starting PostgreSQL 12.1 on x86_64-redhat-linux-gnu, compiled by gcc (G>
-lis 18 23:50:06 tomcat1.localdomain postmaster[2626]: < 2016-11-18 23:50:06.608 CET > HINT:  Future log output will appear in directory "pg_log".
+Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.256 CET [25715] LOG:  listening on IPv6 address "::1", port 5432
-lis 18 23:50:06 tomcat1.localdomain systemd[1]: Started PostgreSQL 9.6 database server.
+Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.256 CET [25715] LOG:  listening on IPv4 address "127.0.0.1", port 5432
+Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.285 CET [25715] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
+Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.300 CET [25715] LOG:  listening on Unix socket "/tmp/.s.PGSQL.5432"
+Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.330 CET [25715] LOG:  redirecting log output to logging collector process
+Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.330 CET [25715] HINT:  Future log output will appear in directory "log".
+Mar 11 10:48:06 HOSTNAME systemd[1]: Started PostgreSQL database server.
 </code>
@@ Line 178: / Line 187: @@
 systemctl enable postgresql
 </code>
-==== DB server configuration ====
+==== DB server configuration -!CHANGED ====
 First of all, enable the password authentication.
-In the file ''/data/pgsql/9.6/data/pg_hba.conf'' find lines:
+In the file ''/data/pgsql/12/data/pg_hba.conf'' find lines:
 <code>
 host    all             all             127.0.0.1/32            ident
@@ Line 195: / Line 204: @@
 Now we can do DB sizing. We presume the system has 3GB dedicated for the db. We can also log the queries logging (those over 200ms). **For particular sizing, use a [[https://pgtune.leopard.in.ua/#/|calculator]]**.
-In a file ''/data/pgsql/9.6/data/postgresql.conf'' edit (add those if not exist) lines:
+In a file ''/data/pgsql/12/data/postgresql.conf'' edit (add those if not exist) lines:
 <code>
 max_connections = 100			# (change requires restart)
@@ Line 214: / Line 223: @@
 </code>
-Restart DB: ''systemctl restart  postgresql-9.6.service''
+Restart DB: ''systemctl restart  postgresql.service''
 For Debian installation, edit those configuration files instead:
 <code>
-/etc/postgresql/9.6/main/pg_hba.conf
+/etc/postgresql/12/main/pg_hba.conf
-/etc/postgresql/9.6/main/postgresql.conf
+/etc/postgresql/12/main/postgresql.conf
 </code>
 <note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note>
-===== Java - CentOS7 =====
+===== Java - CentOS8 -! CHANGED =====
-Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository.
+Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.11) from standard OS repository.
 Installation:
 <code bash>
-yum install -y java-1.8.0-openjdk-headless java-1.8.0-openjdk-devel
+yum install -y java-11-openjdk-headless java-11-openjdk-devel
 </code>
@@ Line 436: / Line 445: @@
 <Server port="-1" shutdown="SHUTDOWN">
 </code>
+-! CHANGED
   * Make Tomcat listen only on localhost:
-    * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8009'' and ''8080'' ports.
+    * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8080'' port.
+    * In same file configure ajp port(''8009'') to look like this:
+    <Connector protocol="AJP/1.3"
+                address="127.0.0.1"
+                secretRequired="true"
+                secret="***password for ajp port***"
+                port="8009"
+                redirectPort="8443" />
   * Do not show aplication server version:
@@ Line 522: / Line 541: @@
 </code>
-HTTPd basic configuration:
+HTTPd basic configuration -!CHANGED:
-Change MPM to worker (lower system requirements) - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment the lines with mod\_mpm\_prefork.so and uncomment mod\_mpm\_worker.so:
+Change MPM to worker (lower system requirements) - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment all lines but mod\_mpm\_worker.so:
 <code bash>
@@ Line 568: / Line 587: @@
   ProxyPreserveHost on
   ProxyAddHeaders on
-  ProxyPass / ajp://127.0.0.1:8009/
+  ProxyPass / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
-  ProxyPassReverse / ajp://127.0.0.1:8009/
+  ProxyPassReverse / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
 </code>
@@ Line 785: / Line 804: @@
 If you want to enable SSO to CzechIdM, additional configuration must be done with mod\_auth\_kerb. See [[tutorial:adm:sso_ad_domain#configure_apache_httpd_-_linux|SSO installation guide]] for more details.
-====== nginx as reverse proxy ======
+====== INSTALACTNI NAVOD ======
-In case that you want to use nginx instead of Apache httpd, the configuration is as follows.
+<note important>Tato cast se vlozi do instalacniho navodu pro IdM</note>
+==== 2. JDBC driver installation - CentOS8 ====
+**CentOS**
-<code ini>
+Install the package with PostgreSQL JDBC driver:
-server {
-	listen   *:443 ssl http2;
-	server_name  idm.domain.tld;
-	client_max_body_size 1G;
-	ssl on;
-	ssl_certificate      /path/to/fullchain.pem;
-	ssl_certificate_key  /path/to/privkey.pem;
-	gzip on;
-	gzip_proxied any;
-	gzip_types
-        	text/css
-       		text/javascript
-        	text/xml
-       		text/plain
-        	application/javascript
-       		application/x-javascript
-        	application/json;
-	location / {
+<code bash>
-		proxy_hide_header X-Frame-Options;
+yum install -y postgresql-jdbc
-		add_header X-Frame-Options SAMEORIGIN;
+</code>
-		proxy_pass http://localhost:8080/;
-		proxy_set_header Host $host;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-		proxy_set_header X-Forwarded-Proto "https";
-		proxy_ssl_session_reuse off;
-		proxy_redirect off;
-		# WebSocket support
+allow Tomcat to use the driver:
-		proxy_http_version 1.1;
-    		proxy_set_header Upgrade $http_upgrade;
+<code bash>
-    		proxy_set_header Connection "upgrade";
+ln -s /usr/share/java/postgresql-jdbc.jar /opt/tomcat/current/lib/
-	}
-}
 </code>
+==== Application properties ====
+  * The most important file is **/opt/czechidm/etc/application-production.properties** (application-PROFILE.properties, where the PROFILE is the profile you run the IdM under). You can use most of the file as-is, there is a bit of configuration needed though. This is a template file:
+<file properties application-production.properties>
+# Doc: https://wiki.czechidm.com/devel/dev/configuration/backend
+idm.pub.app.instanceId=idm-primary
+idm.pub.app.stage=production
+spring.datasource.url=jdbc:postgresql://localhost:5432/czechidm
+spring.datasource.username=czechidm
+spring.datasource.password=********** TODO *********
+spring.datasource.driver-class-name=org.postgresql.Driver
+spring.datasource.validationQuery=SELECT 1
+spring.datasource.test-on-borrow=true
+spring.jpa.generate-ddl=false
+spring.jpa.hibernate.ddl-auto=none
+flyway.enabled=true
+scheduler.properties.location=quartz-production.properties
+logging.config=/opt/czechidm/etc/logback-spring.xml
+idm.sec.core.demo.data.enabled=false
+# attachments will be stored under this path.
+# new directories for attachment will be created in this folder (permissions has to be added)
+# System.getProperty("user.home")/idm_data will be used if no path is given
+idm.sec.core.attachment.storagePath=/opt/czechidm/data
+# configuration property for default backup
+idm.sec.core.backups.default.folder.path=/opt/czechidm/backup
+idm.pub.security.allowed-origins=http://localhost
+# Generate JWT token security string as "cat /dev/urandom | tr -dc 'a-z0-9' | head -c VALUE" where VALUE can be from 1 to 255.
+# We recommend the VALUE to be at least 25.
+idm.sec.security.jwt.secret.token=********** TODO *********
+idm.sec.security.jwt.expirationTimeout=36000000
+# Cipher secret key for crypt values in confidential storage
+# for crypt values is used secretKey or secretKey defined by file - secretKeyPath
+#cipher.crypt.secret.key=XXXXXXXXXXXXXXXX
+cipher.crypt.secret.keyPath=/opt/czechidm/etc/secret.key
+# Defaults for: emailer.*
+# test.enabled=true means mail WILL NOT be sent
+idm.sec.core.emailer.test.enabled=true
+# http://camel.apache.org/mail.html
+idm.sec.core.emailer.protocol=smtp
+idm.sec.core.emailer.host=something.tld
+idm.sec.core.emailer.port=25
+# idm.sec.core.emailer.username=czechidm@domain.tld
+# idm.sec.core.emailer.password=password
+idm.sec.core.emailer.from=czechidm@localhost
+# Default user role will be added automatically, after an identity is logged in
+# could contains default authorities and authority policies configuration
+# for adding autocomplete or all record read permission etc.
+idm.sec.core.role.default=userRole
+# Admin user role
+idm.sec.core.role.admin=superAdminRole
+# Max file size of uploaded file. Values can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size.
+spring.servlet.multipart.max-file-size=100MB
+spring.servlet.multipart.max-request-size=100MB
+</file>