Differences

tutorial:adm:server_preparation_tmp [2020/03/12 09:31]
urbanl [nginx as reverse proxy]
tutorial:adm:server_preparation_tmp [2020/03/12 12:50]
urbanl [HTTPd installation and configuration]
Line 587: Line 587:
   ProxyPreserveHost on   ProxyPreserveHost on
   ProxyAddHeaders on   ProxyAddHeaders on
-  ProxyPass / ajp://127.0.0.1:8009/ +  ProxyPass / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret** 
-  ProxyPassReverse / ajp://127.0.0.1:8009/+  ProxyPassReverse / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
 </code> </code>
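Review bot: `secret=**tomcat_ajp_secret**` is a placeholder, and the `**` bold markup sits inside a `<code>` block, so it renders literally and is likely to be copied verbatim; replace it with a generated random value and say in the text that the reader must do the same. The identical value has to be set on the Tomcat AJP connector (its `secret` attribute) or the proxy requests are refused, so the hunk should point to where that is configured; it is also worth stating the minimum httpd version that accepts the `secret=` ProxyPass option, since older mod_proxy_ajp builds reject it. Trailing whitespace after the new `ProxyPass` line should be stripped.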
  
Line 631: Line 631:
 </code> </code>
  
 +Allow in SELINUX to httpd connect to network:
 +<code>
 +/usr/sbin/setsebool -P httpd_can_network_connect 1
 +</code>
 + 
 Enable httpd after OS start: Enable httpd after OS start:
 <code bash> <code bash>
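Review bot: `httpd_can_network_connect` lets httpd open outbound connections to any port, which is broader than the single local AJP backend on 127.0.0.1:8009 that the preceding hunk proxies to; check whether `httpd_can_network_relay`, which only covers proxy-type ports, is sufficient here, and record which boolean was chosen and why. The sentence "Allow in SELINUX to httpd connect to network" should read "Allow httpd to connect to the network in SELinux", and the command belongs in a `<code bash>` block like the one that follows it.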
Line 694: Line 699:
 </code> </code>
  
-==== mod_security configuration - CentOS7  ====+==== mod_security configuration - CentOS8  ====
  
-In the file /etc/httpd/modsecurity.d/modsecurity\_crs\_10\_config.conf, find the rule with id=900012 and add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, then allow PUT DELETE and PATCH methods on the line with tx.allowed\_methods. +In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf, find the rule 900200 and 900220 then add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, then allow PUT DELETE and PATCH methods on the line with tx.allowed\_methods. 
-Whole rule after the changes looks like this:+Whole rules after the changes looks like this:
  
 <code> <code>
-SecAction +# Default HTTP policy: allowed_methods (rule 900200) 
-  "id:'900012', \ +SecRule &TX:allowed_methods "@eq 0" 
-  phase:1, \ +    "id:901160,\ 
-  t:none, \ +    phase:1,\ 
-  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE',+    pass,
-  setvar:'tx.allowed_request_content_type=application/hal+json|application/json|text/plain|application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', \ +    nolog,\ 
-  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \ +    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'
-  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',+ 
-  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \ +# Default HTTP policy: allowed_request_content_type (rule 900220) 
-  nolog, \ +SecRule &TX:allowed_request_content_type "@eq 0" \ 
-  pass"+    "id:901162,\ 
 +    phase:1,
 +    pass,\ 
 +    nolog,\ 
 +    setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'"
 </code> </code>
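Review bot: the pasted 901160 rule will not load as written: the `SecRule &TX:allowed_methods "@eq 0"` line has no trailing `\`, so the action list on the next lines is not joined to it, the `pass,` line is also missing its `\`, and the final `setvar:'tx.allowed_methods=...'` is never closed with `"`; rule 901162 has the same missing `\` on `phase:1,`. The larger point is that both rules only fire when the variable is still unset (`&TX:... "@eq 0"`), i.e. they are the defaults that the `# Default HTTP policy ... (rule 900200)` and `(rule 900220)` comments refer to; the text tells the reader to "find the rule 900200 and 900220" but then edits those defaults in activated_rules/REQUEST-901-INITIALIZATION.conf, which a rules-package update will overwrite. Suggest uncommenting and editing 900200/900220 in the CRS setup file (crs-setup.conf) instead and leaving the 901 file untouched. Minor: "Whole rules after the changes looks like this" should be "look like this".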
  
Line 806: Line 815:
 ====== INSTALACTNI NAVOD ====== ====== INSTALACTNI NAVOD ======
  
 +<note important>Tato cast se vlozi do instalacniho navodu pro IdM</note>
 ==== 2. JDBC driver installation ​- CentOS8 ​====  ==== 2. JDBC driver installation ​- CentOS8 ​==== 
 **CentOS** **CentOS**
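Review bot: the added `<note important>` is in Czech inside an otherwise English section (it says this part is to be inserted into the IdM installation guide); either translate it or mark it as an editor TODO so it is not published as-is.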
Line 819: Line 829:
 <code bash> <code bash>
 ln -s /usr/share/java/postgresql-jdbc.jar /opt/tomcat/current/lib/ ln -s /usr/share/java/postgresql-jdbc.jar /opt/tomcat/current/lib/
-</code> +</code> 
 + 
 +==== Application properties ​====  
 + 
 +  * The most important file is **/opt/czechidm/etc/application-production.properties** (application-PROFILE.properties, where the PROFILE is the profile you run the IdM under). You can use most of the file as-is, there is a bit of configuration needed though. This is a template file: 
 + 
 +<file properties application-production.properties> 
 +# Doc: https://wiki.czechidm.com/devel/dev/configuration/backend 
 +  
 +idm.pub.app.instanceId=idm-primary 
 +idm.pub.app.stage=production 
 +  
 +spring.datasource.url=jdbc:postgresql://localhost:5432/czechidm 
 +spring.datasource.username=czechidm 
 +spring.datasource.password=********** TODO ********* 
 +spring.datasource.driver-class-name=org.postgresql.Driver 
 +spring.datasource.validationQuery=SELECT 1 
 +spring.datasource.test-on-borrow=true 
 +spring.jpa.generate-ddl=false 
 +spring.jpa.hibernate.ddl-auto=none 
 +flyway.enabled=true 
 +  
 + 
 +scheduler.properties.location=quartz-production.properties 
 + 
 +logging.config=/opt/czechidm/etc/logback-spring.xml 
 + 
 +idm.sec.core.demo.data.enabled=false 
 + 
 +# attachments will be stored under this path. 
 +# new directories for attachment will be created in this folder (permissions has to be added) 
 +# System.getProperty("user.home")/idm_data will be used if no path is given 
 +idm.sec.core.attachment.storagePath=/opt/czechidm/data 
 +# configuration property for default backup  
 +idm.sec.core.backups.default.folder.path=/opt/czechidm/backup 
 + 
 +  
 +idm.pub.security.allowed-origins=http://localhost 
 +# Generate JWT token security string as "cat /dev/urandom | tr -dc 'a-z0-9' | head -c VALUE" where VALUE can be from 1 to 255. 
 +# We recommend the VALUE to be at least 25. 
 +idm.sec.security.jwt.secret.token=********** TODO ********* 
 +idm.sec.security.jwt.expirationTimeout=36000000 
 + 
 +# Cipher secret key for crypt values in confidential storage 
 +# for crypt values is used secretKey or secretKey defined by file - secretKeyPath 
 +#cipher.crypt.secret.key=XXXXXXXXXXXXXXXX 
 +cipher.crypt.secret.keyPath=/opt/czechidm/etc/secret.key 
 + 
 +# Defaults for: emailer.* 
 +# test.enabled=true means mail WILL NOT be sent 
 +idm.sec.core.emailer.test.enabled=true 
 +# http://camel.apache.org/mail.html 
 +idm.sec.core.emailer.protocol=smtp 
 +idm.sec.core.emailer.host=something.tld 
 +idm.sec.core.emailer.port=25 
 +# idm.sec.core.emailer.username=czechidm@domain.tld 
 +# idm.sec.core.emailer.password=password 
 +idm.sec.core.emailer.from=czechidm@localhost 
 +  
 +# Default user role will be added automatically, after an identity is logged in 
 +# could contains default authorities and authority policies configuration 
 +# for adding autocomplete or all record read permission etc. 
 +idm.sec.core.role.default=userRole 
 +# Admin user role 
 +idm.sec.core.role.admin=superAdminRole 
 + 
 +# Max file size of uploaded file. Values can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size. 
 +spring.servlet.multipart.max-file-size=100MB 
 +spring.servlet.multipart.max-request-size=100MB 
 +</file> 
 + 
 + 
 + 
 +
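Review bot: this template carries the database password, the JWT signing secret and (commented-out) mail credentials, yet the hunk says nothing about who may read /opt/czechidm/etc/application-production.properties or /opt/czechidm/etc/secret.key; add an ownership and mode step (owned by the account Tomcat runs as, mode 600) alongside the "permissions has to be added" remark, which currently covers only the attachment directory. `idm.pub.security.allowed-origins=http://localhost` needs a comment that it must list the real frontend origin(s), since it decides which browser origins may call the API. The JWT comment should say explicitly that the generated value replaces the `********** TODO *********` placeholder, and `cat /dev/urandom | tr -dc 'a-z0-9' | head -c VALUE` reads better as `tr -dc 'a-z0-9' < /dev/urandom | head -c VALUE`. Trailing whitespace after nearly every added line should be stripped.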