Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:server_preparation_tmp [2020/03/12 14:51]
urbanl [Database server installation - CentOS8 -!CHANGED]
+++ tutorial:adm:server_preparation_tmp [2020/04/15 14:17]
fiserp
@@ Line 1: / Line 1: @@
-<note important>Instalation pro centos 8
+<note important>Instalation pro CentOS8
+**This tutorial is under development, DO NOT USE.**
 Author: Ludek Urban
@@ Line 5: / Line 7: @@
-====== Server preparation - Linux ======
+====== Server preparation - Linux - CentOS8 ======
 {{tag>installation java tomcat quickstart "apache httpd"}}
@@ Line 28: / Line 30: @@
 yum install -y epel-release
 yum update -y
-# check installed packages. It's recommanded to have them installed.
-yum list installed  net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils
 # other recommended packages installation
-yum install -y mc haveged nmap screen sysstat telnet
+yum install -y mc haveged nmap screen sysstat telnet net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils
 # enable haveged after OS start
 systemctl start haveged.service
@@ Line 102: / Line 102: @@
 Change SELINUX labels:
 <code>
-chcon -Rt postgresql_db_t pgsql/
+chcon -Rt postgresql_db_t /data/pgsql/
 chcon -Rt postgresql_log_t /data/pgsql/12/data/log/
 </code>
@@ Line 182: / Line 182: @@
 Restart DB: ''systemctl restart  postgresql.service''
-For Debian installation, edit those configuration files instead:
-<code>
-/etc/postgresql/12/main/pg_hba.conf
-/etc/postgresql/12/main/postgresql.conf
-</code>
 <note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note>
@@ Line 208: / Line 202: @@
 ===== Tomcat =====
-  * Create a new group and add user for the tomcat to run under (for Debian, use /usr/sbin/nologin in the useradd):
+  * Create a new group and add user for the tomcat to run under:
 <code>
@@ Line 214: / Line 208: @@
 useradd -r -s /bin/nologin -g tomcat -d /opt/tomcat tomcat
 getent passwd tomcat
-tomcat:x:995:993::/opt/tomcat:/bin/nologin
+#tomcat:x:995:993::/opt/tomcat:/bin/nologin
 </code>
@@ Line 296: / Line 290: @@
   * Tomcat will be started under user ''tomcat:tomcat'' a will use java installed in ''/usr/lib/jvm/java-1.8.0-openjdk''.
-  * For Debian, change the JAVA\_HOME to ''JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64''.
   * After every systemd configuration change it is necessary to reload:
@@ Line 390: / Line 383: @@
 <Server port="-1" shutdown="SHUTDOWN">
 </code>
--! CHANGED
   * Make Tomcat listen only on localhost:
     * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8080'' port.
     * In same file configure ajp port(''8009'') to look like this:
-    <Connector protocol="AJP/1.3"
+<code>
+<Connector protocol="AJP/1.3"
                 address="127.0.0.1"
                 secretRequired="true"
@@ Line 401: / Line 395: @@
                 port="8009"
                 redirectPort="8443" />
+</code>
   * Do not show aplication server version:
@@ Line 454: / Line 448: @@
   * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]).
 </note>
-Please note that on Debian, the log is not rotate during the first day, but after the second day.
@@ Line 506: / Line 498: @@
 </code>
-Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'' (or ''/etc/apache2/sites-available/vhost-redirect.conf'' for Debian):
+Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'':
 <code xml>
 <VirtualHost _default_:80>
@@ Line 514: / Line 506: @@
 </code>
-Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' (or ''/etc/apache2/sites-available/ssl.conf'' for Debian) add following before ending "tag" VirtualHost:
+Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' add following before ending "tag" VirtualHost:
 <code>
+  Protocols       h2 https/1.1
   ProxyRequests     off
   ProxyPreserveHost on
@@ Line 587: / Line 580: @@
 ==== Disabling mod_security rules ====
-In the file ''/etc/httpd/conf.d/ssl.conf'' (or ''/etc/apache2/sites-available/ssl.conf'' for Debian) deactivate following rules and set their logging:
+In the file ''/etc/httpd/conf.d/ssl.conf'' deactivate following rules and set their logging:
 <code xml>
 <IfModule mod_security2.c>
@@ Line 646: / Line 639: @@
     nolog,\
     setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'"
-</code>
-==== mod_security configuration - Debian ====
-Enable mod\_security configuration:
-<code>
-cd /etc/modsecurity
-cp modsecurity.conf-recommended modsecurity.conf
-</code>
-Uncomment following rules in the ''/etc/modsecurity/crs/crs-setup.conf'' and change them accordingly (add allowed content types and allowed HTTP methods):
-<code>
-SecAction \
- "id:900200,\
-  phase:1,\
-  nolog,\
-  pass,\
-  t:none,\
-  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
-SecAction \
- "id:900220,\
-  phase:1,\
-  nolog,\
-  pass,\
-  t:none,\
-  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'"
 </code>
@@ Line 713: / Line 680: @@
 </code>
-===== Workaround for slow HTTPD shutdown =====
-In some RHEL/CentOS versions Apache HTTPD shutsdown or restarts itself very slowly. It is caused by [[https://bugzilla.redhat.com/show_bug.cgi?id=906321]].
-Workaround is to edit '''/usr/lib/systemd/system/httpd.service''' and add the option:
-<code>
-KillMode=none
-</code>
-Then reload systemd:
-<code>
-systemctl daemon-reload
-</code>
-It is absolutely correct to create new versions of unity in /etc, that has the option:
-<code>
-cp /usr/lib/systemd/system/httpd.service /etc/systemd/system/httpd.service
-vim /etc/systemd/system/httpd.service # add parametr KillMode=none
-systemctl daemon-reload
-</code>
-The patch of httpd should come soon so the first option is OK too.
-====== INSTALACTNI NAVOD ======
-<note important>Tato cast se vlozi do instalacniho navodu pro IdM</note>
-==== Application properties ====
-  * The most important file is **/opt/czechidm/etc/application-production.properties** (application-PROFILE.properties, where the PROFILE is the profile you run the IdM under). You can use most of the file as-is, there is a bit of configuration needed though. This is a template file:
-<file properties application-production.properties>
-# Doc: https://wiki.czechidm.com/devel/dev/configuration/backend
-idm.pub.app.instanceId=idm-primary
-idm.pub.app.stage=production
-spring.datasource.url=jdbc:postgresql://localhost:5432/czechidm
-spring.datasource.username=czechidm
-spring.datasource.password=********** TODO *********
-spring.datasource.driver-class-name=org.postgresql.Driver
-spring.datasource.validationQuery=SELECT 1
-spring.datasource.test-on-borrow=true
-spring.jpa.generate-ddl=false
-spring.jpa.hibernate.ddl-auto=none
-flyway.enabled=true
-scheduler.properties.location=quartz-production.properties
-logging.config=/opt/czechidm/etc/logback-spring.xml
-idm.sec.core.demo.data.enabled=false
-# attachments will be stored under this path.
-# new directories for attachment will be created in this folder (permissions has to be added)
-# System.getProperty("user.home")/idm_data will be used if no path is given
-idm.sec.core.attachment.storagePath=/opt/czechidm/data
-# configuration property for default backup
-idm.sec.core.backups.default.folder.path=/opt/czechidm/backup
-idm.pub.security.allowed-origins=http://localhost
-# Generate JWT token security string as "cat /dev/urandom | tr -dc 'a-z0-9' | head -c VALUE" where VALUE can be from 1 to 255.
-# We recommend the VALUE to be at least 25.
-idm.sec.security.jwt.secret.token=********** TODO *********
-idm.sec.security.jwt.expirationTimeout=36000000
-# Cipher secret key for crypt values in confidential storage
-# for crypt values is used secretKey or secretKey defined by file - secretKeyPath
-#cipher.crypt.secret.key=XXXXXXXXXXXXXXXX
-cipher.crypt.secret.keyPath=/opt/czechidm/etc/secret.key
-# Defaults for: emailer.*
-# test.enabled=true means mail WILL NOT be sent
-idm.sec.core.emailer.test.enabled=true
-# http://camel.apache.org/mail.html
-idm.sec.core.emailer.protocol=smtp
-idm.sec.core.emailer.host=something.tld
-idm.sec.core.emailer.port=25
-# idm.sec.core.emailer.username=czechidm@domain.tld
-# idm.sec.core.emailer.password=password
-idm.sec.core.emailer.from=czechidm@localhost
-# Default user role will be added automatically, after an identity is logged in
-# could contains default authorities and authority policies configuration
-# for adding autocomplete or all record read permission etc.
-idm.sec.core.role.default=userRole
-# Admin user role
-idm.sec.core.role.admin=superAdminRole
-# Max file size of uploaded file. Values can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size.
-spring.servlet.multipart.max-file-size=100MB
-spring.servlet.multipart.max-request-size=100MB
-</file>