Differences

This shows you the differences between two versions of the page.

tutorial:adm:server_preparation_tmp [2020/03/12 14:49]
urbanl
tutorial:adm:server_preparation_tmp [2020/03/12 14:55]
urbanl [Apache Tomcat configuration]
Line 50: Line 50:
 <note tip>If you are install CzechIdM on Sql server, please follow [[tutorial:adm:mssql_database_support|this tutorial]].</note> <note tip>If you are install CzechIdM on Sql server, please follow [[tutorial:adm:mssql_database_support|this tutorial]].</note>
 CentOS8 default repository version of PostgreSQL is 10 but IdM not support that version. In our tutorial, we will install newer version 12. Moreover, we install database data into /data not /var/lib which is the default option. CentOS8 default repository version of PostgreSQL is 10 but IdM not support that version. In our tutorial, we will install newer version 12. Moreover, we install database data into /data not /var/lib which is the default option.
-==== Database server installation - CentOS8 -!CHANGED ====+==== Database server installation - CentOS8 ====
   * Software installation on CentOS8(versions can vary):   * Software installation on CentOS8(versions can vary):
  
Line 182: Line 182:
  
 Restart DB: ''systemctl restart  postgresql.service'' Restart DB: ''systemctl restart  postgresql.service''
- 
-For Debian installation, edit those configuration files instead: 
-<code> 
-/etc/postgresql/12/main/pg_hba.conf 
-/etc/postgresql/12/main/postgresql.conf 
-</code> 
  
 <note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note> <note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note>
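Review bot: The two Debian paths removed just above the remote-SSL note (''/etc/postgresql/12/main/pg_hba.conf'' and ''postgresql.conf'') were the only pointer Debian installs had to the files where remote access is configured. If the Debian instructions are moving to a separate page, link it from here; otherwise keep the paths.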
Line 208: Line 202:
 ===== Tomcat ===== ===== Tomcat =====
  
-  * Create a new group and add user for the tomcat to run under (for Debian, use /usr/sbin/nologin in the useradd):+  * Create a new group and add user for the tomcat to run under:
  
 <code> <code>
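Review bot: The parenthetical removed from the first bullet was the only visible instruction to give the tomcat service account a non-login shell on Debian (''/usr/sbin/nologin''). Confirm that the useradd command in the code block that follows still assigns a nologin shell on every supported distribution, or keep the hint.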
Line 296: Line 290:
  
   * Tomcat will be started under user ''tomcat:tomcat'' a will use java installed in ''/usr/lib/jvm/java-1.8.0-openjdk''.   * Tomcat will be started under user ''tomcat:tomcat'' a will use java installed in ''/usr/lib/jvm/java-1.8.0-openjdk''.
-  * For Debian, change the JAVA\_HOME to ''JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64''. 
   * After every systemd configuration change it is necessary to reload:   * After every systemd configuration change it is necessary to reload:
  
Line 390: Line 383:
 <Server port="-1" shutdown="SHUTDOWN"> <Server port="-1" shutdown="SHUTDOWN">
 </code> </code>
--! CHANGED+
   * Make Tomcat listen only on localhost:   * Make Tomcat listen only on localhost:
     * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8080'' port.     * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8080'' port.
Line 454: Line 447:
   * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]).   * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]).
 </note> </note>
- 
-Please note that on Debian, the log is not rotate during the first day, but after the second day. 
  
  
Line 506: Line 497:
 </code> </code>
  
-Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'' (or ''/etc/apache2/sites-available/vhost-redirect.conf'' for Debian):+Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'':
 <code xml> <code xml>
 <VirtualHost _default_:80> <VirtualHost _default_:80>
Line 514: Line 505:
 </code> </code>
  
-Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' (or ''/etc/apache2/sites-available/ssl.conf'' for Debian) add following before ending "tag" VirtualHost:+Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' add following before ending "tag" VirtualHost:
  
 <code> <code>
Line 587: Line 578:
 ==== Disabling mod_security rules ==== ==== Disabling mod_security rules ====
  
-In the file ''/etc/httpd/conf.d/ssl.conf'' (or ''/etc/apache2/sites-available/ssl.conf'' for Debian) deactivate following rules and set their logging:+In the file ''/etc/httpd/conf.d/ssl.conf'' deactivate following rules and set their logging:
 <code xml> <code xml>
 <IfModule mod_security2.c> <IfModule mod_security2.c>
Line 646: Line 637:
     nolog,\     nolog,\
     setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'"     setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'"
-</code> 
- 
-==== mod_security configuration - Debian ==== 
-Enable mod\_security configuration: 
-<code> 
-cd /etc/modsecurity 
-cp modsecurity.conf-recommended modsecurity.conf 
-</code> 
- 
-Uncomment following rules in the ''/etc/modsecurity/crs/crs-setup.conf'' and change them accordingly (add allowed content types and allowed HTTP methods): 
-<code> 
-SecAction \ 
- "id:900200,\ 
-  phase:1,\ 
-  nolog,\ 
-  pass,\ 
-  t:none,\ 
-  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'" 
- 
-SecAction \ 
- "id:900220,\ 
-  phase:1,\ 
-  nolog,\ 
-  pass,\ 
-  t:none,\ 
-  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'" 
 </code> </code>
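Review bot: The deleted Debian section is the only place in this hunk that sets ''tx.allowed_methods'' (rule id:900200, with PUT, PATCH and DELETE added); the retained lines show only ''tx.allowed_request_content_type''. Check that the remaining CentOS section still sets the allowed methods, and if Debian stays a supported target, move these steps to its own page rather than dropping them, including the ''cp modsecurity.conf-recommended modsecurity.conf'' step.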
  
Line 736: Line 701:
  
  
-====== INSTALACTNI NAVOD ====== 
  
-<note important>Tato cast se vlozi do instalacniho navodu pro IdM</note> 
  
  
  
-==== Application properties ​====  
- 
-  * The most important file is **/opt/czechidm/etc/application-production.properties** (application-PROFILE.properties, where the PROFILE is the profile you run the IdM under). You can use most of the file as-is, there is a bit of configuration needed though. This is a template file: 
- 
-<file properties application-production.properties> 
-# Doc: https://wiki.czechidm.com/devel/dev/configuration/backend 
-  
-idm.pub.app.instanceId=idm-primary 
-idm.pub.app.stage=production 
-  
-spring.datasource.url=jdbc:postgresql://localhost:5432/czechidm 
-spring.datasource.username=czechidm 
-spring.datasource.password=********** TODO ********* 
-spring.datasource.driver-class-name=org.postgresql.Driver 
-spring.datasource.validationQuery=SELECT 1 
-spring.datasource.test-on-borrow=true 
-spring.jpa.generate-ddl=false 
-spring.jpa.hibernate.ddl-auto=none 
-flyway.enabled=true 
-  
- 
-scheduler.properties.location=quartz-production.properties 
- 
-logging.config=/opt/czechidm/etc/logback-spring.xml 
- 
-idm.sec.core.demo.data.enabled=false 
- 
-# attachments will be stored under this path. 
-# new directories for attachment will be created in this folder (permissions has to be added) 
-# System.getProperty("user.home")/idm_data will be used if no path is given 
-idm.sec.core.attachment.storagePath=/opt/czechidm/data 
-# configuration property for default backup  
-idm.sec.core.backups.default.folder.path=/opt/czechidm/backup 
- 
-  
-idm.pub.security.allowed-origins=http://localhost 
-# Generate JWT token security string as "cat /dev/urandom | tr -dc 'a-z0-9' | head -c VALUE" where VALUE can be from 1 to 255. 
-# We recommend the VALUE to be at least 25. 
-idm.sec.security.jwt.secret.token=********** TODO ********* 
-idm.sec.security.jwt.expirationTimeout=36000000 
- 
-# Cipher secret key for crypt values in confidential storage 
-# for crypt values is used secretKey or secretKey defined by file - secretKeyPath 
-#cipher.crypt.secret.key=XXXXXXXXXXXXXXXX 
-cipher.crypt.secret.keyPath=/opt/czechidm/etc/secret.key 
- 
-# Defaults for: emailer.* 
-# test.enabled=true means mail WILL NOT be sent 
-idm.sec.core.emailer.test.enabled=true 
-# http://camel.apache.org/mail.html 
-idm.sec.core.emailer.protocol=smtp 
-idm.sec.core.emailer.host=something.tld 
-idm.sec.core.emailer.port=25 
-# idm.sec.core.emailer.username=czechidm@domain.tld 
-# idm.sec.core.emailer.password=password 
-idm.sec.core.emailer.from=czechidm@localhost 
-  
-# Default user role will be added automatically, after an identity is logged in 
-# could contains default authorities and authority policies configuration 
-# for adding autocomplete or all record read permission etc. 
-idm.sec.core.role.default=userRole 
-# Admin user role 
-idm.sec.core.role.admin=superAdminRole 
- 
-# Max file size of uploaded file. Values can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size. 
-spring.servlet.multipart.max-file-size=100MB 
-spring.servlet.multipart.max-request-size=100MB 
-</file> 
- 
- 
- 
-
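Review bot: Confirm that the ''application-production.properties'' template removed at the end of the page already exists in the IdM installation guide before this revision is accepted; the removed note ("Tato cast se vlozi do instalacniho navodu pro IdM") only says it is to be inserted there. The template carries the guidance on generating ''idm.sec.security.jwt.secret.token'' and on ''cipher.crypt.secret.keyPath'', which should not be lost in the move.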