Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
tutorial:adm:server_preparation_tmp [2020/03/12 09:31] urbanl [nginx as reverse proxy] |
tutorial:adm:server_preparation_tmp [2020/03/12 14:49] urbanl |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | <note important> | + | <note important> |
Author: Ludek Urban | Author: Ludek Urban | ||
Line 22: | Line 22: | ||
===== Instalation and software configuration ===== | ===== Instalation and software configuration ===== | ||
- | Prerequisities - Basic installation of CentOS | + | Prerequisities - Basic installation of CentOS |
<code bash> | <code bash> | ||
# EPEL installation | # EPEL installation | ||
Line 28: | Line 28: | ||
yum install -y epel-release | yum install -y epel-release | ||
yum update -y | yum update -y | ||
+ | # check installed packages. It's recommanded to have them installed. | ||
+ | yum list installed | ||
# other recommended packages installation | # other recommended packages installation | ||
- | yum install -y net-tools nano wget mc vim-enhanced screen sysstat bzip2 ssmtp bash-completion lsof haveged nmap zip unzip psmisc | + | yum install -y mc haveged nmap screen sysstat |
# enable haveged after OS start | # enable haveged after OS start | ||
systemctl start haveged.service | systemctl start haveged.service | ||
Line 45: | Line 47: | ||
</ | </ | ||
- | -!CHANGED | + | ===== PostgreSQL |
- | When installing to centos8, check and install these packages: | + | |
- | < | + | |
- | # check installed packages. It's recommanded to have them installed. | + | |
- | yum list installed | + | |
- | # other recommended packages installation | + | |
- | yum install -y mc haveged nmap screen sysstat telnet | + | |
- | </ | + | |
- | + | ||
- | When installing on Debian, install these packages: | + | |
- | < | + | |
- | screen dnsutils sysstat lsof haveged nmap tcpdump traceroute tcptraceroute curl iptables-persistent | + | |
- | </ | + | |
- | ===== PostgreSQL | + | |
<note tip>If you are install CzechIdM on Sql server, please follow [[tutorial: | <note tip>If you are install CzechIdM on Sql server, please follow [[tutorial: | ||
CentOS8 default repository version of PostgreSQL is 10 but IdM not support that version. In our tutorial, we will install newer version 12. Moreover, we install database data into /data not /var/lib which is the default option. | CentOS8 default repository version of PostgreSQL is 10 but IdM not support that version. In our tutorial, we will install newer version 12. Moreover, we install database data into /data not /var/lib which is the default option. | ||
Line 155: | Line 144: | ||
</ | </ | ||
- | ==== Database server installation - Debian Stretch ==== | + | |
- | Install the database from OS packages: | + | ==== DB server configuration ==== |
- | < | + | |
- | apt-get install postgresql-9.6 | + | |
- | </ | + | |
- | We will move the database - create directory structure: | + | |
- | < | + | |
- | mkdir -p / | + | |
- | chown -R postgres: | + | |
- | chmod -R 700 / | + | |
- | </ | + | |
- | Create the file .bash\_profile in postgres user's home (default / | + | |
- | < | + | |
- | PGDATA=/ | + | |
- | </ | + | |
- | Stop the database: | + | |
- | < | + | |
- | systemctl stop postgresql | + | |
- | </ | + | |
- | Move database directory (run this as root): | + | |
- | < | + | |
- | mv / | + | |
- | </ | + | |
- | In the PostgreSQL configuration file / | + | |
- | < | + | |
- | data_directory = '/ | + | |
- | </ | + | |
- | Enable and start the database: | + | |
- | < | + | |
- | systemctl start postgresql | + | |
- | systemctl enable postgresql | + | |
- | </ | + | |
- | ==== DB server configuration | + | |
First of all, enable the password authentication. | First of all, enable the password authentication. | ||
Line 233: | Line 191: | ||
< | < | ||
- | ===== Java - CentOS8 | + | ===== Java - CentOS8 ===== |
Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.11) from standard OS repository. | Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.11) from standard OS repository. | ||
Line 247: | Line 205: | ||
</ | </ | ||
- | ===== Java - Debian ===== | ||
- | |||
- | Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository. | ||
- | |||
- | Installation: | ||
- | <code bash> | ||
- | apt-get install openjdk-8-jdk-headless openjdk-8-jre-headless | ||
- | </ | ||
- | |||
- | Then create the file ''/ | ||
- | <file bash java.sh> | ||
- | [ -d / | ||
- | </ | ||
===== Tomcat ===== | ===== Tomcat ===== | ||
Line 433: | Line 378: | ||
It is advised to follow these steps for production usage: | It is advised to follow these steps for production usage: | ||
- | * Remove unnecessary | + | * Remove unnecessary |
<code bash> | <code bash> | ||
Line 485: | Line 430: | ||
<file txt tomcat> | <file txt tomcat> | ||
/ | / | ||
- | rotate | + | rotate |
daily | daily | ||
dateext | dateext | ||
Line 529: | Line 474: | ||
</ | </ | ||
- | On Debian install those packages and allow modules: | + | HTTPd basic configuration: |
- | < | + | |
- | apt-get install apache2 libapache2-mod-security2 modsecurity-crs | + | |
- | a2enmod ssl | + | |
- | a2enmod proxy | + | |
- | a2enmod proxy_ajp | + | |
- | a2enmod proxy_http | + | |
- | a2enmod security2 | + | |
- | a2enmod rewrite | + | |
- | a2enmod headers | + | |
- | </ | + | |
- | + | ||
- | HTTPd basic configuration | + | |
Change MPM to worker (lower system requirements) - in the file ''/ | Change MPM to worker (lower system requirements) - in the file ''/ | ||
Line 587: | Line 520: | ||
ProxyPreserveHost on | ProxyPreserveHost on | ||
ProxyAddHeaders on | ProxyAddHeaders on | ||
- | ProxyPass / ajp:// | + | ProxyPass / ajp:// |
- | ProxyPassReverse / ajp:// | + | ProxyPassReverse / ajp:// |
</ | </ | ||
Line 613: | Line 546: | ||
</ | </ | ||
< | < | ||
- | |||
- | On Debian, create symlinks to sites-enabled: | ||
- | < | ||
- | cd / | ||
- | ln -s ../ | ||
- | ln -s ../ | ||
- | </ | ||
Syntax check before httpd restart: | Syntax check before httpd restart: | ||
Line 631: | Line 557: | ||
</ | </ | ||
+ | Allow in SELINUX to httpd connect to network: | ||
+ | < | ||
+ | / | ||
+ | </ | ||
+ | |||
Enable httpd after OS start: | Enable httpd after OS start: | ||
<code bash> | <code bash> | ||
Line 637: | Line 568: | ||
===== mod_security configuration ===== | ===== mod_security configuration ===== | ||
- | Mod_security files locations (on CentOS7): | + | Mod_security files locations (on CentOS8): |
* Audit log: ''/ | * Audit log: ''/ | ||
Line 694: | Line 625: | ||
</ | </ | ||
- | ==== mod_security configuration - CentOS7 | + | ==== mod_security configuration - CentOS8 |
- | In the file / | + | In the file / |
- | Whole rule after the changes looks like this: | + | Whole rules after the changes looks like this: |
< | < | ||
- | SecAction | + | # Default HTTP policy: allowed_methods (rule 900200) |
- | "id:' | + | SecRule & |
- | phase:1, \ | + | "id:901160,\ |
- | | + | phase:1,\ |
- | setvar:' | + | |
- | setvar:' | + | nolog,\ |
- | setvar:' | + | setvar:' |
- | setvar:' | + | |
- | setvar:' | + | # Default HTTP policy: allowed_request_content_type (rule 900220) |
- | nolog, \ | + | SecRule & |
- | pass" | + | " |
+ | | ||
+ | pass,\ | ||
+ | nolog,\ | ||
+ | | ||
</ | </ | ||
Line 800: | Line 735: | ||
The patch of httpd should come soon so the first option is OK too. | The patch of httpd should come soon so the first option is OK too. | ||
- | ===== SSO ===== | ||
- | |||
- | If you want to enable SSO to CzechIdM, additional configuration must be done with mod\_auth\_kerb. See [[tutorial: | ||
====== INSTALACTNI NAVOD ====== | ====== INSTALACTNI NAVOD ====== | ||
- | ==== 2. JDBC driver installation - CentOS8 ==== | + | <note important> |
- | **CentOS** | + | |
- | Install the package with PostgreSQL JDBC driver: | ||
- | <code bash> | ||
- | yum install -y postgresql-jdbc | ||
- | </ | ||
- | allow Tomcat to use the driver: | + | ==== Application properties ==== |
- | <code bash> | + | * The most important file is **/ |
- | ln -s /usr/share/java/postgresql-jdbc.jar /opt/tomcat/current/lib/ | + | |
- | </code> | + | <file properties application-production.properties> |
+ | # Doc: https://wiki.czechidm.com/devel/dev/ | ||
+ | |||
+ | idm.pub.app.instanceId=idm-primary | ||
+ | idm.pub.app.stage=production | ||
+ | |||
+ | spring.datasource.url=jdbc: | ||
+ | spring.datasource.username=czechidm | ||
+ | spring.datasource.password=********** TODO ********* | ||
+ | spring.datasource.driver-class-name=org.postgresql.Driver | ||
+ | spring.datasource.validationQuery=SELECT 1 | ||
+ | spring.datasource.test-on-borrow=true | ||
+ | spring.jpa.generate-ddl=false | ||
+ | spring.jpa.hibernate.ddl-auto=none | ||
+ | flyway.enabled=true | ||
+ | |||
+ | |||
+ | scheduler.properties.location=quartz-production.properties | ||
+ | |||
+ | logging.config=/opt/czechidm/etc/logback-spring.xml | ||
+ | |||
+ | idm.sec.core.demo.data.enabled=false | ||
+ | |||
+ | # attachments will be stored under this path. | ||
+ | # new directories for attachment will be created in this folder (permissions has to be added) | ||
+ | # System.getProperty(" | ||
+ | idm.sec.core.attachment.storagePath=/ | ||
+ | # configuration property for default backup | ||
+ | idm.sec.core.backups.default.folder.path=/ | ||
+ | |||
+ | |||
+ | idm.pub.security.allowed-origins=http:// | ||
+ | # Generate JWT token security string as "cat / | ||
+ | # We recommend the VALUE to be at least 25. | ||
+ | idm.sec.security.jwt.secret.token=********** TODO ********* | ||
+ | idm.sec.security.jwt.expirationTimeout=36000000 | ||
+ | |||
+ | # Cipher secret key for crypt values in confidential storage | ||
+ | # for crypt values is used secretKey or secretKey defined by file - secretKeyPath | ||
+ | # | ||
+ | cipher.crypt.secret.keyPath=/ | ||
+ | |||
+ | # Defaults for: emailer.* | ||
+ | # test.enabled=true means mail WILL NOT be sent | ||
+ | idm.sec.core.emailer.test.enabled=true | ||
+ | # http:// | ||
+ | idm.sec.core.emailer.protocol=smtp | ||
+ | idm.sec.core.emailer.host=something.tld | ||
+ | idm.sec.core.emailer.port=25 | ||
+ | # idm.sec.core.emailer.username=czechidm@domain.tld | ||
+ | # idm.sec.core.emailer.password=password | ||
+ | idm.sec.core.emailer.from=czechidm@localhost | ||
+ | |||
+ | # Default user role will be added automatically, | ||
+ | # could contains default authorities and authority policies configuration | ||
+ | # for adding autocomplete or all record read permission etc. | ||
+ | idm.sec.core.role.default=userRole | ||
+ | # Admin user role | ||
+ | idm.sec.core.role.admin=superAdminRole | ||
+ | |||
+ | # Max file size of uploaded file. Values can use the suffixed " | ||
+ | spring.servlet.multipart.max-file-size=100MB | ||
+ | spring.servlet.multipart.max-request-size=100MB | ||
+ | </file> | ||
+ | |||
+ | |||
+ | |||
+ |