Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
tutorial:adm:server_preparation_tmp [2020/03/12 12:50]
urbanl [HTTPd installation and configuration] 		tutorial:adm:server_preparation_tmp [2020/03/12 14:52]
urbanl [mod_security configuration - Debian]
Line 1: Line 1:
-<note important>temp pro centos 8+<note important>Instalation pro centos 8
  
 Author: Ludek Urban Author: Ludek Urban
Line 22: Line 22:
  
 ===== Instalation and software configuration ===== ===== Instalation and software configuration =====
-Prerequisities - Basic installation of CentOS 7+Prerequisities - Basic installation of CentOS 8
 <code bash> <code bash>
 # EPEL installation # EPEL installation
Line 28: Line 28:
 yum install -y epel-release yum install -y epel-release
 yum update -y yum update -y
 +# check installed packages. It's recommanded to have them installed.
 +yum list installed  net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils
 # other recommended packages installation # other recommended packages installation
-yum install -y net-tools nano wget mc vim-enhanced screen sysstat bzip2 ssmtp bash-completion lsof haveged nmap zip unzip psmisc telnet policycoreutils-python+yum install -y mc haveged nmap screen sysstat telnet
 # enable haveged after OS start # enable haveged after OS start
 systemctl start haveged.service systemctl start haveged.service
Line 45: Line 47:
 </code> </code>
  
--!CHANGED +===== PostgreSQL  =====
-When installing to centos8, check and install these packages: +
-<code> +
-# check installed packages. It's recommanded to have them installed. +
-yum list installed  net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils +
-# other recommended packages installation +
-yum install -y mc haveged nmap screen sysstat telnet +
-</code> +
- +
-When installing on Debian, install these packages: +
-<code> +
-screen dnsutils sysstat lsof haveged nmap tcpdump traceroute tcptraceroute curl iptables-persistent +
-</code> +
-===== PostgreSQL -!CHANGED =====+
 <note tip>If you are install CzechIdM on Sql server, please follow [[tutorial:adm:mssql_database_support|this tutorial]].</note> <note tip>If you are install CzechIdM on Sql server, please follow [[tutorial:adm:mssql_database_support|this tutorial]].</note>
 CentOS8 default repository version of PostgreSQL is 10 but IdM not support that version. In our tutorial, we will install newer version 12. Moreover, we install database data into /data not /var/lib which is the default option. CentOS8 default repository version of PostgreSQL is 10 but IdM not support that version. In our tutorial, we will install newer version 12. Moreover, we install database data into /data not /var/lib which is the default option.
-==== Database server installation - CentOS8 -!CHANGED ====+==== Database server installation - CentOS8 ====
   * Software installation on CentOS8(versions can vary):   * Software installation on CentOS8(versions can vary):
  
Line 155: Line 144:
 </code> </code>
  
-==== Database server installation - Debian Stretch ==== + 
-Install the database from OS packages: +==== DB server configuration ====
-<code> +
-apt-get install postgresql-9.6 +
-</code> +
-We will move the database - create directory structure: +
-<code> +
-mkdir -p /data/pgsql/9.6/data/ +
-chown -R postgres:postgres /data/pgsql/ +
-chmod -R 700 /data/pgsql +
-</code> +
-Create the file .bash\_profile in postgres user's home (default /var/lib/postgresql) with following contents: +
-<code> +
-PGDATA=/data/pgsql/9.6/data +
-</code> +
-Stop the database: +
-<code> +
-systemctl stop postgresql +
-</code> +
-Move database directory (run this as root): +
-<code> +
-mv /var/lib/postgresql/9.6/main/* /data/pgsql/9.6/data/ +
-</code> +
-In the PostgreSQL configuration file /etc/postgresql/9.6/main/postgresql.conf set the data\_directory property to: +
-<code> +
-data_directory = '/data/pgsql/9.6/data' +
-</code> +
-Enable and start the database: +
-<code> +
-systemctl start postgresql +
-systemctl enable postgresql +
-</code> +
-==== DB server configuration -!CHANGED ====+
  
 First of all, enable the password authentication. First of all, enable the password authentication.
Line 233: Line 191:
 <note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note> <note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note>
  
-===== Java - CentOS8 -! CHANGED =====+===== Java - CentOS8 =====
  
 Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.11) from standard OS repository. Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.11) from standard OS repository.
Line 247: Line 205:
 </file> </file>
  
-===== Java - Debian ===== 
- 
-Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository. 
- 
-Installation: 
-<code bash> 
-apt-get install openjdk-8-jdk-headless openjdk-8-jre-headless 
-</code> 
- 
-Then create the file ''/etc/profile.d/java.sh'' with following: 
-<file bash java.sh> 
-[ -d /usr/lib/jvm/java-1.8.0-openjdk-amd64 ] && export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64 
-</file> 
  
 ===== Tomcat ===== ===== Tomcat =====
Line 433: Line 378:
 It is advised to follow these steps for production usage: It is advised to follow these steps for production usage:
  
-  * Remove unnecessary aplications that comes with Tomcat:+  * Remove unnecessary applications that comes with Tomcat:
  
 <code bash> <code bash>
Line 485: Line 430:
 <file txt tomcat> <file txt tomcat>
 /opt/tomcat/current/logs/catalina.out { /opt/tomcat/current/logs/catalina.out {
- rotate COUNT+ rotate 90
  daily  daily
  dateext  dateext
Line 529: Line 474:
 </code> </code>
  
-On Debian install those packages and allow modules: +HTTPd basic configuration:
-<code> +
-apt-get install apache2 libapache2-mod-security2 modsecurity-crs +
-a2enmod ssl +
-a2enmod proxy +
-a2enmod proxy_ajp +
-a2enmod proxy_http +
-a2enmod security2 +
-a2enmod rewrite +
-a2enmod headers +
-</code> +
- +
-HTTPd basic configuration -!CHANGED:+
  
 Change MPM to worker (lower system requirements) - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment all lines but mod\_mpm\_worker.so: Change MPM to worker (lower system requirements) - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment all lines but mod\_mpm\_worker.so:
Line 613: Line 546:
 </code> </code>
 <note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM. If this is your case, you may need to slacken the cipher settings a bit.</note> <note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM. If this is your case, you may need to slacken the cipher settings a bit.</note>
- 
-On Debian, create symlinks to sites-enabled: 
-<code> 
-cd /etc/apache2/sites-enabled 
-ln -s ../sites-available/vhost-redirect.conf 01vhost-redirect.conf 
-ln -s ../sites-available/ssl.conf 02ssl.conf 
-</code> 
  
 Syntax check before httpd restart: Syntax check before httpd restart:
Line 642: Line 568:
  
 ===== mod_security configuration ===== ===== mod_security configuration =====
-Mod_security files locations (on CentOS7):+Mod_security files locations (on CentOS8):
  
   * Audit log: ''/var/log/httpd/modsec\_audit.log''   * Audit log: ''/var/log/httpd/modsec\_audit.log''
Line 720: Line 646:
     nolog,\     nolog,\
     setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'"     setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'"
-</code> 
- 
-==== mod_security configuration - Debian ==== 
-Enable mod\_security configuration: 
-<code> 
-cd /etc/modsecurity 
-cp modsecurity.conf-recommended modsecurity.conf 
-</code> 
- 
-Uncomment following rules in the ''/etc/modsecurity/crs/crs-setup.conf'' and change them accordingly (add allowed content types and allowed HTTP methods): 
-<code> 
-SecAction \ 
- "id:900200,\ 
-  phase:1,\ 
-  nolog,\ 
-  pass,\ 
-  t:none,\ 
-  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'" 
- 
-SecAction \ 
- "id:900220,\ 
-  phase:1,\ 
-  nolog,\ 
-  pass,\ 
-  t:none,\ 
-  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'" 
 </code> </code>
  
Line 809: Line 709:
 The patch of httpd should come soon so the first option is OK too. The patch of httpd should come soon so the first option is OK too.
  
-===== SSO ===== 
  
-If you want to enable SSO to CzechIdM, additional configuration must be done with mod\_auth\_kerb. See [[tutorial:adm:sso_ad_domain#configure_apache_httpd_-_linux|SSO installation guide]] for more details. 
  
-====== INSTALACTNI NAVOD ====== 
  
-<note important>Tato cast se vlozi do instalacniho navodu pro IdM</note> 
-==== 2. JDBC driver installation ​- CentOS8 ​====  
-**CentOS** 
  
-Install the package with PostgreSQL JDBC driver: 
  
-<code bash> 
-yum install -y postgresql-jdbc 
-</code> 
- 
-allow Tomcat to use the driver: 
- 
-<code bash> 
-ln -s /usr/share/java/postgresql-jdbc.jar /opt/tomcat/current/lib/ 
-</code> 
- 
-==== Application properties ​====  
- 
-  * The most important file is **/opt/czechidm/etc/application-production.properties** (application-PROFILE.properties, where the PROFILE is the profile you run the IdM under). You can use most of the file as-is, there is a bit of configuration needed though. This is a template file: 
- 
-<file properties application-production.properties> 
-# Doc: https://wiki.czechidm.com/devel/dev/configuration/backend 
-  
-idm.pub.app.instanceId=idm-primary 
-idm.pub.app.stage=production 
-  
-spring.datasource.url=jdbc:postgresql://localhost:5432/czechidm 
-spring.datasource.username=czechidm 
-spring.datasource.password=********** TODO ********* 
-spring.datasource.driver-class-name=org.postgresql.Driver 
-spring.datasource.validationQuery=SELECT 1 
-spring.datasource.test-on-borrow=true 
-spring.jpa.generate-ddl=false 
-spring.jpa.hibernate.ddl-auto=none 
-flyway.enabled=true 
-  
- 
-scheduler.properties.location=quartz-production.properties 
- 
-logging.config=/opt/czechidm/etc/logback-spring.xml 
- 
-idm.sec.core.demo.data.enabled=false 
- 
-# attachments will be stored under this path. 
-# new directories for attachment will be created in this folder (permissions has to be added) 
-# System.getProperty("user.home")/idm_data will be used if no path is given 
-idm.sec.core.attachment.storagePath=/opt/czechidm/data 
-# configuration property for default backup  
-idm.sec.core.backups.default.folder.path=/opt/czechidm/backup 
- 
-  
-idm.pub.security.allowed-origins=http://localhost 
-# Generate JWT token security string as "cat /dev/urandom | tr -dc 'a-z0-9' | head -c VALUE" where VALUE can be from 1 to 255. 
-# We recommend the VALUE to be at least 25. 
-idm.sec.security.jwt.secret.token=********** TODO ********* 
-idm.sec.security.jwt.expirationTimeout=36000000 
- 
-# Cipher secret key for crypt values in confidential storage 
-# for crypt values is used secretKey or secretKey defined by file - secretKeyPath 
-#cipher.crypt.secret.key=XXXXXXXXXXXXXXXX 
-cipher.crypt.secret.keyPath=/opt/czechidm/etc/secret.key 
- 
-# Defaults for: emailer.* 
-# test.enabled=true means mail WILL NOT be sent 
-idm.sec.core.emailer.test.enabled=true 
-# http://camel.apache.org/mail.html 
-idm.sec.core.emailer.protocol=smtp 
-idm.sec.core.emailer.host=something.tld 
-idm.sec.core.emailer.port=25 
-# idm.sec.core.emailer.username=czechidm@domain.tld 
-# idm.sec.core.emailer.password=password 
-idm.sec.core.emailer.from=czechidm@localhost 
-  
-# Default user role will be added automatically, after an identity is logged in 
-# could contains default authorities and authority policies configuration 
-# for adding autocomplete or all record read permission etc. 
-idm.sec.core.role.default=userRole 
-# Admin user role 
-idm.sec.core.role.admin=superAdminRole 
- 
-# Max file size of uploaded file. Values can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size. 
-spring.servlet.multipart.max-file-size=100MB 
-spring.servlet.multipart.max-request-size=100MB 
-</file> 
- 
- 
- 
-