Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:server_preparation_tmp [2020/03/10 11:46]
urbanl [Instalation and software configuration]
+++ tutorial:adm:server_preparation_tmp [2020/03/12 14:49]
urbanl
@@ Line 1: / Line 1: @@
-<note important>temp pro centos 8
+<note important>Instalation pro centos 8
 Author: Ludek Urban
@@ Line 22: / Line 22: @@
 ===== Instalation and software configuration =====
-Prerequisities - Basic installation of CentOS 7
+Prerequisities - Basic installation of CentOS 8
 <code bash>
 # EPEL installation
@@ Line 28: / Line 28: @@
 yum install -y epel-release
 yum update -y
+# check installed packages. It's recommanded to have them installed.
+yum list installed  net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils
 # other recommended packages installation
-yum install -y net-tools nano wget mc vim-enhanced screen sysstat bzip2 ssmtp bash-completion lsof haveged nmap zip unzip psmisc telnet policycoreutils-python
+yum install -y mc haveged nmap screen sysstat telnet
 # enable haveged after OS start
 systemctl start haveged.service
@@ Line 45: / Line 47: @@
 </code>
--!CHANGED
+===== PostgreSQL  =====
-When installing to centos8, check and install these packages:
+<note tip>If you are install CzechIdM on Sql server, please follow [[tutorial:adm:mssql_database_support|this tutorial]].</note>
-<code>
+CentOS8 default repository version of PostgreSQL is 10 but IdM not support that version. In our tutorial, we will install newer version 12. Moreover, we install database data into /data not /var/lib which is the default option.
-# check installed packages. It's recommanded to have them installed.
+==== Database server installation - CentOS8 -!CHANGED ====
-yum list installed  net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils
+  * Software installation on CentOS8(versions can vary):
-# other recommended packages installation
-yum install -y mc haveged nmap screen sysstat telnet
-</code>
-When installing on Debian, install these packages:
-<code>
-screen dnsutils sysstat lsof haveged nmap tcpdump traceroute tcptraceroute curl iptables-persistent
-</code>
-===== PostgreSQL =====
-<note tip>If you are install CzechIdM on Sql server, please follow [[tutorial:adm:mssql_database_support|this tutorial]].</note>
-CentOS7 default repository version of PostgreSQL is 9.2 but IdM not support that version. In our tutorial, we will install newer version 9.6. Moreover, we install database data into /data not /var/lib which is the default option.
-==== Database server installation - CentOS7 and CentOS8 -!CHANGED ====
-  * Software installation on CentOS7(versions can vary):
 <code bash>
-yum install -y https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-centos96-9.6-3.noarch.rpm
+# enable module postgres 12
-yum install -y postgresql96-server postgresql96-contrib pgstat2_96 pg_top96  postgresql96-libs
+yum module enable postgresql:12
-</code>
+yum install -y postgresql-server postgresql-contrib postgresql-libs
-#TODO
-  * Software installation on CentOS7(versions can vary):
-<code bash>
-# add repository
-yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
-# disable centos8 build-in module
-yum module disable postgresql
-# install postgresql components
-yum install -y postgresql11-server postgresql11-contrib pgstat2_11 pg_top11  postgresql11-libs
 </code>
   * create new system directory:
-<code>
-mkdir -p /data/pgsql/11/data/
+<code bash>
+mkdir -p /data/pgsql/12/data/
+mkdir -p /data/pgsql/12/data/
 chown -R postgres:postgres /data/pgsql/
 chmod 700 /data/pgsql
 </code>
   * Copy of the configuration file for systemd, in which we will make change of directory for data:
 <code bash>
-cp /usr/lib/systemd/system/postgresql-11.service /etc/systemd/system/
+cp /usr/lib/systemd/system/postgresql.service /etc/systemd/system/
 </code>
-In the file ''/etc/systemd/system/postgresql-11.service'' change the directory for data as follows:
+In the file ''/etc/systemd/system/postgresql.service'' change the directory for data as follows:
 <code>
 # Location of database directory
-Environment=PGDATA=/data/pgsql/9.6/data/
+Environment=PGDATA=/data/pgsql/12/data/
 </code>
@@ Line 97: / Line 83: @@
 <code>
-PGDATA=/data/pgsql/11/data
+PGDATA=/data/pgsql/12/data
 </code>
@@ Line 111: / Line 97: @@
 <code bash>
-/usr/pgsql-11/bin/postgresql96-setup initdb
+/usr/bin/postgresql-setup --initdb --unit postgresql
 </code>
+Change SELINUX labels:
+<code>
+chcon -Rt postgresql_db_t pgsql/
+chcon -Rt postgresql_log_t /data/pgsql/12/data/log/
+</code>
   * Enable and start database:
 <code bash>
-systemctl start postgresql-11.service
+systemctl start postgresql.service
-systemctl enable postgresql-11.service
+systemctl enable postgresql.service
 </code>
@@ Line 126: / Line 116: @@
 <code bash>
-[root@tomcat1 system]# systemctl status postgresql-9.6.service -l
+[root@HOSTNAME data]# systemctl status postgresql.service -l
-● postgresql-9.6.service - PostgreSQL 9.6 database server
+● postgresql.service - PostgreSQL database server
-   Loaded: loaded (/etc/systemd/system/postgresql-9.6.service; enabled; vendor preset: disabled)
+   Loaded: loaded (/etc/systemd/system/postgresql.service; enabled; vendor preset: disabled)
-   Active: active (running) since Pá 2016-11-18 23:50:06 CET; 2min 57s ago
+   Active: active (running) since Wed 2020-03-11 10:48:06 CET; 1min 8s ago
- Main PID: 2626 (postmaster)
+ Main PID: 25715 (postmaster)
-   CGroup: /system.slice/postgresql-9.6.service
+    Tasks: 8 (limit: 52428)
-           ├─2626 /usr/pgsql-9.6/bin/postmaster -D /data/pgsql/9.6/data/
+   Memory: 19.8M
-           ├─2628 postgres: logger process
+   CGroup: /system.slice/postgresql.service
-           ├─2630 postgres: checkpointer process
+           ├─25715 /usr/bin/postmaster -D /data/pgsql/12/data/
-           ├─2631 postgres: writer process
+           ├─25716 postgres: logger
-           ├─2632 postgres: wal writer process
+           ├─25718 postgres: checkpointer
-           ├─2633 postgres: autovacuum launcher process
+           ├─25719 postgres: background writer
-           └─2634 postgres: stats collector process
+           ├─25720 postgres: walwriter
+           ├─25721 postgres: autovacuum launcher
+           ├─25722 postgres: stats collector
+           └─25723 postgres: logical replication launcher
-lis 18 23:50:06 tomcat1.localdomain systemd[1]: Starting PostgreSQL 9.6 database server...
+Mar 11 10:48:06 HOSTNAME systemd[1]: Starting PostgreSQL database server...
-lis 18 23:50:06 tomcat1.localdomain postmaster[2626]: < 2016-11-18 23:50:06.608 CET > LOG:  redirecting log output to logging collector process
+Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.255 CET [25715] LOG:  starting PostgreSQL 12.1 on x86_64-redhat-linux-gnu, compiled by gcc (G>
-lis 18 23:50:06 tomcat1.localdomain postmaster[2626]: < 2016-11-18 23:50:06.608 CET > HINT:  Future log output will appear in directory "pg_log".
+Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.256 CET [25715] LOG:  listening on IPv6 address "::1", port 5432
-lis 18 23:50:06 tomcat1.localdomain systemd[1]: Started PostgreSQL 9.6 database server.
+Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.256 CET [25715] LOG:  listening on IPv4 address "127.0.0.1", port 5432
+Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.285 CET [25715] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
+Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.300 CET [25715] LOG:  listening on Unix socket "/tmp/.s.PGSQL.5432"
+Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.330 CET [25715] LOG:  redirecting log output to logging collector process
+Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.330 CET [25715] HINT:  Future log output will appear in directory "log".
+Mar 11 10:48:06 HOSTNAME systemd[1]: Started PostgreSQL database server.
 </code>
-==== Database server installation - Debian Stretch ====
-Install the database from OS packages:
-<code>
-apt-get install postgresql-9.6
-</code>
-We will move the database - create directory structure:
-<code>
-mkdir -p /data/pgsql/9.6/data/
-chown -R postgres:postgres /data/pgsql/
-chmod -R 700 /data/pgsql
-</code>
-Create the file .bash\_profile in postgres user's home (default /var/lib/postgresql) with following contents:
-<code>
-PGDATA=/data/pgsql/9.6/data
-</code>
-Stop the database:
-<code>
-systemctl stop postgresql
-</code>
-Move database directory (run this as root):
-<code>
-mv /var/lib/postgresql/9.6/main/* /data/pgsql/9.6/data/
-</code>
-In the PostgreSQL configuration file /etc/postgresql/9.6/main/postgresql.conf set the data\_directory property to:
-<code>
-data_directory = '/data/pgsql/9.6/data'
-</code>
-Enable and start the database:
-<code>
-systemctl start postgresql
-systemctl enable postgresql
-</code>
 ==== DB server configuration ====
 First of all, enable the password authentication.
-In the file ''/data/pgsql/9.6/data/pg_hba.conf'' find lines:
+In the file ''/data/pgsql/12/data/pg_hba.conf'' find lines:
 <code>
 host    all             all             127.0.0.1/32            ident
@@ Line 195: / Line 162: @@
 Now we can do DB sizing. We presume the system has 3GB dedicated for the db. We can also log the queries logging (those over 200ms). **For particular sizing, use a [[https://pgtune.leopard.in.ua/#/|calculator]]**.
-In a file ''/data/pgsql/9.6/data/postgresql.conf'' edit (add those if not exist) lines:
+In a file ''/data/pgsql/12/data/postgresql.conf'' edit (add those if not exist) lines:
 <code>
 max_connections = 100			# (change requires restart)
@@ Line 214: / Line 181: @@
 </code>
-Restart DB: ''systemctl restart  postgresql-9.6.service''
+Restart DB: ''systemctl restart  postgresql.service''
 For Debian installation, edit those configuration files instead:
 <code>
-/etc/postgresql/9.6/main/pg_hba.conf
+/etc/postgresql/12/main/pg_hba.conf
-/etc/postgresql/9.6/main/postgresql.conf
+/etc/postgresql/12/main/postgresql.conf
 </code>
 <note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note>
-===== Java - CentOS7 =====
+===== Java - CentOS8 =====
-Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository.
+Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.11) from standard OS repository.
 Installation:
 <code bash>
-yum install -y java-1.8.0-openjdk-headless java-1.8.0-openjdk-devel
+yum install -y java-11-openjdk-headless java-11-openjdk-devel
 </code>
@@ Line 238: / Line 205: @@
 </file>
-===== Java - Debian =====
-Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository.
-Installation:
-<code bash>
-apt-get install openjdk-8-jdk-headless openjdk-8-jre-headless
-</code>
-Then create the file ''/etc/profile.d/java.sh'' with following:
-<file bash java.sh>
-[ -d /usr/lib/jvm/java-1.8.0-openjdk-amd64 ] && export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64
-</file>
 ===== Tomcat =====
@@ Line 424: / Line 378: @@
 It is advised to follow these steps for production usage:
-  * Remove unnecessary aplications that comes with Tomcat:
+  * Remove unnecessary applications that comes with Tomcat:
 <code bash>
@@ Line 436: / Line 390: @@
 <Server port="-1" shutdown="SHUTDOWN">
 </code>
+-! CHANGED
   * Make Tomcat listen only on localhost:
-    * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8009'' and ''8080'' ports.
+    * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8080'' port.
+    * In same file configure ajp port(''8009'') to look like this:
+    <Connector protocol="AJP/1.3"
+                address="127.0.0.1"
+                secretRequired="true"
+                secret="***password for ajp port***"
+                port="8009"
+                redirectPort="8443" />
   * Do not show aplication server version:
@@ Line 466: / Line 430: @@
 <file txt tomcat>
 /opt/tomcat/current/logs/catalina.out {
-	rotate COUNT
+	rotate 90
 	daily
 	dateext
@@ Line 508: / Line 472: @@
 <code bash>
 yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs
-</code>
-On Debian install those packages and allow modules:
-<code>
-apt-get install apache2 libapache2-mod-security2 modsecurity-crs
-a2enmod ssl
-a2enmod proxy
-a2enmod proxy_ajp
-a2enmod proxy_http
-a2enmod security2
-a2enmod rewrite
-a2enmod headers
 </code>
 HTTPd basic configuration:
-Change MPM to worker (lower system requirements) - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment the lines with mod\_mpm\_prefork.so and uncomment mod\_mpm\_worker.so:
+Change MPM to worker (lower system requirements) - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment all lines but mod\_mpm\_worker.so:
 <code bash>
@@ Line 568: / Line 520: @@
   ProxyPreserveHost on
   ProxyAddHeaders on
-  ProxyPass / ajp://127.0.0.1:8009/
+  ProxyPass / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
-  ProxyPassReverse / ajp://127.0.0.1:8009/
+  ProxyPassReverse / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
 </code>
@@ Line 594: / Line 546: @@
 </code>
 <note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM. If this is your case, you may need to slacken the cipher settings a bit.</note>
-On Debian, create symlinks to sites-enabled:
-<code>
-cd /etc/apache2/sites-enabled
-ln -s ../sites-available/vhost-redirect.conf 01vhost-redirect.conf
-ln -s ../sites-available/ssl.conf 02ssl.conf
-</code>
 Syntax check before httpd restart:
@@ Line 612: / Line 557: @@
 </code>
+Allow in SELINUX to httpd connect to network:
+<code>
+/usr/sbin/setsebool -P httpd_can_network_connect 1
+</code>
 Enable httpd after OS start:
 <code bash>
@@ Line 618: / Line 568: @@
 ===== mod_security configuration =====
-Mod_security files locations (on CentOS7):
+Mod_security files locations (on CentOS8):
   * Audit log: ''/var/log/httpd/modsec\_audit.log''
@@ Line 675: / Line 625: @@
 </code>
-==== mod_security configuration - CentOS7  ====
+==== mod_security configuration - CentOS8  ====
-In the file /etc/httpd/modsecurity.d/modsecurity\_crs\_10\_config.conf, find the rule with id=900012 and add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, then allow PUT DELETE and PATCH methods on the line with tx.allowed\_methods.
+In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf, find the rule 900200 and 900220 then add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, then allow PUT DELETE and PATCH methods on the line with tx.allowed\_methods.
-Whole rule after the changes looks like this:
+Whole rules after the changes looks like this:
 <code>
-SecAction \
+# Default HTTP policy: allowed_methods (rule 900200)
-  "id:'900012', \
+SecRule &TX:allowed_methods "@eq 0" \
-  phase:1, \
+    "id:901160,\
-  t:none, \
+    phase:1,\
-  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE', \
+    pass,\
-  setvar:'tx.allowed_request_content_type=application/hal+json|application/json|text/plain|application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', \
+    nolog,\
-  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
+    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
-  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
-  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
+# Default HTTP policy: allowed_request_content_type (rule 900220)
-  nolog, \
+SecRule &TX:allowed_request_content_type "@eq 0" \
-  pass"
+    "id:901162,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'"
 </code>
@@ Line 781: / Line 735: @@
 The patch of httpd should come soon so the first option is OK too.
-===== SSO =====
-If you want to enable SSO to CzechIdM, additional configuration must be done with mod\_auth\_kerb. See [[tutorial:adm:sso_ad_domain#configure_apache_httpd_-_linux|SSO installation guide]] for more details.
+====== INSTALACTNI NAVOD ======
-====== nginx as reverse proxy ======
+<note important>Tato cast se vlozi do instalacniho navodu pro IdM</note>
-In case that you want to use nginx instead of Apache httpd, the configuration is as follows.
-<code ini>
-server {
-	listen   *:443 ssl http2;
-	server_name  idm.domain.tld;
-	client_max_body_size 1G;
-	ssl on;
-	ssl_certificate      /path/to/fullchain.pem;
-	ssl_certificate_key  /path/to/privkey.pem;
-	gzip on;
-	gzip_proxied any;
-	gzip_types
-        	text/css
-       		text/javascript
-        	text/xml
-       		text/plain
-        	application/javascript
-       		application/x-javascript
-        	application/json;
-	location / {
+==== Application properties ====
-		proxy_hide_header X-Frame-Options;
-		add_header X-Frame-Options SAMEORIGIN;
+  * The most important file is **/opt/czechidm/etc/application-production.properties** (application-PROFILE.properties, where the PROFILE is the profile you run the IdM under). You can use most of the file as-is, there is a bit of configuration needed though. This is a template file:
-		proxy_pass http://localhost:8080/;
-		proxy_set_header Host $host;
+<file properties application-production.properties>
-		proxy_set_header X-Real-IP $remote_addr;
+# Doc: https://wiki.czechidm.com/devel/dev/configuration/backend
-		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-		proxy_set_header X-Forwarded-Proto "https";
+idm.pub.app.instanceId=idm-primary
-		proxy_ssl_session_reuse off;
+idm.pub.app.stage=production
-		proxy_redirect off;
+spring.datasource.url=jdbc:postgresql://localhost:5432/czechidm
+spring.datasource.username=czechidm
+spring.datasource.password=********** TODO *********
+spring.datasource.driver-class-name=org.postgresql.Driver
+spring.datasource.validationQuery=SELECT 1
+spring.datasource.test-on-borrow=true
+spring.jpa.generate-ddl=false
+spring.jpa.hibernate.ddl-auto=none
+flyway.enabled=true
+scheduler.properties.location=quartz-production.properties
+logging.config=/opt/czechidm/etc/logback-spring.xml
+idm.sec.core.demo.data.enabled=false
+# attachments will be stored under this path.
+# new directories for attachment will be created in this folder (permissions has to be added)
+# System.getProperty("user.home")/idm_data will be used if no path is given
+idm.sec.core.attachment.storagePath=/opt/czechidm/data
+# configuration property for default backup
+idm.sec.core.backups.default.folder.path=/opt/czechidm/backup
+idm.pub.security.allowed-origins=http://localhost
+# Generate JWT token security string as "cat /dev/urandom | tr -dc 'a-z0-9' | head -c VALUE" where VALUE can be from 1 to 255.
+# We recommend the VALUE to be at least 25.
+idm.sec.security.jwt.secret.token=********** TODO *********
+idm.sec.security.jwt.expirationTimeout=36000000
+# Cipher secret key for crypt values in confidential storage
+# for crypt values is used secretKey or secretKey defined by file - secretKeyPath
+#cipher.crypt.secret.key=XXXXXXXXXXXXXXXX
+cipher.crypt.secret.keyPath=/opt/czechidm/etc/secret.key
+# Defaults for: emailer.*
+# test.enabled=true means mail WILL NOT be sent
+idm.sec.core.emailer.test.enabled=true
+# http://camel.apache.org/mail.html
+idm.sec.core.emailer.protocol=smtp
+idm.sec.core.emailer.host=something.tld
+idm.sec.core.emailer.port=25
+# idm.sec.core.emailer.username=czechidm@domain.tld
+# idm.sec.core.emailer.password=password
+idm.sec.core.emailer.from=czechidm@localhost
+# Default user role will be added automatically, after an identity is logged in
+# could contains default authorities and authority policies configuration
+# for adding autocomplete or all record read permission etc.
+idm.sec.core.role.default=userRole
+# Admin user role
+idm.sec.core.role.admin=superAdminRole
+# Max file size of uploaded file. Values can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size.
+spring.servlet.multipart.max-file-size=100MB
+spring.servlet.multipart.max-request-size=100MB
+</file>
-		# WebSocket support
-		proxy_http_version 1.1;
-    		proxy_set_header Upgrade $http_upgrade;
-    		proxy_set_header Connection "upgrade";
-	}
-}
-</code>