Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:server_preparation_tmp [2020/07/24 08:35]
fiserp [DB server configuration]
+++ tutorial:adm:server_preparation_tmp [2020/07/24 09:15]
fiserp [Apache Tomcat configuration]
@@ Line 142: / Line 142: @@
-==== DB server configuration ====
+==== Database server configuration and sizing ====
   * Enable the password authentication.
@@ Line 187: / Line 187: @@
 </code>
-Restart DB: ''systemctl restart  postgresql.service''
+  * Restart the database
-<note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note>
+<code>
+systemctl restart  postgresql.service
+</code>
+<note>If you install the database to a different server than the CzechIdM application itself, don't forget to configure PostgreSQL with SSL certificates and to enforce remote SSL connections.</note>
 ===== Java - CentOS8 =====
-Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.11) from standard OS repository.
+Tomcat application server needs Java installed. We recommend to use OpenJDK 11 from standard OS repository. (OpenJDK 1.8 is also supported, check [[devel:documentation:compatibility|compatibility page]]).
 Installation:
-<code bash>
+<code>
-yum install -y java-11-openjdk-headless java-11-openjdk-devel
+dnf install -y java-11-openjdk-headless java-11-openjdk-devel
 </code>
-Then create the file ''/etc/profile.d/java.sh'' with following:
-<file bash java.sh>
-[ -d /usr/lib/jvm/java-openjdk ] && export JAVA_HOME=/usr/lib/jvm/java-openjdk
-</file>
@@ Line 212: / Line 211: @@
 <code>
 groupadd -r tomcat
-useradd -r -s /bin/nologin -g tomcat -d /opt/tomcat tomcat
+useradd -r -s /usr/sbin/nologin -g tomcat -d /opt/tomcat tomcat
 getent passwd tomcat
-#tomcat:x:995:993::/opt/tomcat:/bin/nologin
+#tomcat:x:995:993::/opt/tomcat:/usr/sbin/nologin
 </code>
@@ Line 224: / Line 223: @@
 </code>
-  * Download Apache Tomcat 8.5.x from the website [[https://tomcat.apache.org/download-80.cgi]] to **/opt/tomcat/**
+  * Download Apache Tomcat 8.5.x from the website [[https://tomcat.apache.org/download-80.cgi]] to ''/opt/tomcat/''
-    * In our exapmle the version is 8.5.8.
+    * In our exapmle the version is 8.5.57.
-  * extract files from archive:
+  * extract files from the archive:
 <code bash>
-tar xzf apache-tomcat-8.5.8.tar.gz
+tar xzf apache-tomcat-8.5.57.tar.gz
 </code>
@@ Line 237: / Line 236: @@
 <code bash>
 cd /opt/tomcat
-ln -s apache-tomcat-8.5.8 current
+ln -s apache-tomcat-8.5.57 current
 </code>
@@ Line 247: / Line 246: @@
 chmod 750 /opt/tomcat
 cd /opt/tomcat/current
-chmod o+rX -R ./
+chmod -R o+rX ./
 chgrp -R tomcat conf/ bin/ lib/
-chmod g+rwx conf
+chmod g+rx conf
 chmod g+r conf/*
 chown -R tomcat webapps/ work/ temp/ logs/
@@ Line 269: / Line 268: @@
 [Unit]
 Description=Apache Tomcat Web Application Container
-After=syslog.target network.target
+After=syslog.target network.target postgresql.service
 [Service]
@@ Line 292: / Line 291: @@
 WantedBy=multi-user.target
 </file>
+<note>
+  * Values of ''-Xms'' and ''-Xmx'' se are closely dependent on server sizing. If you have enough memory, we strongly recommend to use ''-Xmx 6128M'' or more.
+  * Tomcat will be started under user ''tomcat:tomcat''.
+</note>
-  * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more.
+  * Reload systemd configuration:
-  * Tomcat will be started under user ''tomcat:tomcat'' a will use java installed in ''/usr/lib/jvm/java-1.8.0-openjdk''.
-  * After every systemd configuration change it is necessary to reload:
 <code>
 systemctl daemon-reload
 </code>
-  * Test start:
+  * Start the Tomcat to ensure it is configured properly. Enable its start on OS start.
 <code>
 systemctl start tomcat
+systemctl enable tomcat
 </code>
   * Check that Tomcat runs with desirable parameters:
 <code bash>
-[root@tomcat1 logs]# ps -u tomcat -fwww
+[root@tomcat1 logs]# ps -ef | grep ^tomcat
-UID        PID  PPID  C STIME TTY          TIME CMD
+tomcat      1623       1  9 11:08 ?        00:00:04 /usr/lib/jvm/java-openjdk/bin/java -Djava.util.logging.config.file=/opt/tomcat/current/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/current/bin/bootstrap.jar:/opt/tomcat/current/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat/current -Dcatalina.home=/opt/tomcat/current -Djava.io.tmpdir=/opt/tomcat/current/temp org.apache.catalina.startup.Bootstrap start
-tomcat    1602     1  1 09:44 ?        00:00:02 /usr/lib/jvm/java-openjdk/bin/java -Djava.util.logging.config.file=/opt/tomcat/current/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Xms512M -Xmx1024M -server -XX:+UseParallelGC -classpath /opt/tomcat/current/bin/bootstrap.jar:/opt/tomcat/current/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat/current -Dcatalina.home=/opt/tomcat/current -Djava.io.tmpdir=/opt/tomcat/current/temp org.apache.catalina.startup.Bootstrap start
 </code>
-  * Stop Apache Tomcat:
+  * Stop the Tomcat.
 <code>
 systemctl stop tomcat
-</code>
-  * Enable tomcat start after OS start:
-<code bash>
-systemctl enable tomcat
 </code>
@@ Line 331: / Line 333: @@
 If you want to use them, it is necessary to do following steps.
-First of all, create a database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP.
+First of all, create a Tomcat's database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP.
-Create user like this:
-Create the a new user in the file  ''/opt/tomcat/current/conf/tomcat-users.xml'' and assign him roles "manager-gui" and "admin-gui".
+  * Create administration user
-The documentation of available roles as well as overall configuration of the application is a part of application installation available at http://localhost:8080/docs/manager-howto.html#Configuring_Manager_Application_Access
+    * Create the a new user in the file  ''/opt/tomcat/current/conf/tomcat-users.xml'' and assign him roles "manager-gui" and "admin-gui".
+    * The documentation of available roles as well as overall configuration of the application is a part of application installation available at http://localhost:8080/docs/manager-howto.html#Configuring_Manager_Application_Access
-The file ''/opt/tomcat/current/conf/tomcat-users.xml'' looks like this:
+The file ''/opt/tomcat/current/conf/tomcat-users.xml'' should now look like this:
 <file xml tomcat-users.xml>
 <?xml version="1.0" encoding="UTF-8"?>
@@ Line 354: / Line 355: @@
 </file>
-If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. If you see ''403 Access Denied'' it might be you did not do this setting.
+  * If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP.
+    * If you see ''403 Access Denied'' when accessing Tomcat's management remotely, it might be because you did not perform this configuration.
-Add your IP address into application configuration files. In files ''/opt/tomcat/current/webapps/manager/META-INF/context.xml'' and ''/opt/tomcat/current/webapps/host-manager/META-INF/context.xml'' add net mask for your IP (both files should have the same content):
+Add your IP address into application configuration files. In files ''/opt/tomcat/current/webapps/manager/META-INF/context.xml'' and ''/opt/tomcat/current/webapps/host-manager/META-INF/context.xml'' add netmask for your IP (both files should have the same content):
-In my case, I want to access to Tomcat management from network 192.168.0.0/24:
+For example, if you want to access Tomcat's management from the network ''192.168.0.0/24'':
 <file xml context.xml>
@@ Line 368: / Line 370: @@
 </file>
-Again, restart the tomcat:
+  * Again, restart the tomcat
 <code bash>
 systemctl restart tomcat
 </code>
-===  Apache Tomcat configuration recommended for production usage ===
+===  Apache Tomcat configuration recommended for production use ===
-It is advised to follow these steps for production usage:
+We advise to follow these steps to configure Tomcat for production deployment.
-  * Remove unnecessary applications that comes with Tomcat:
+  * Remove unnecessary applications that come with Tomcat:
 <code bash>
@@ Line 396: / Line 398: @@
     * In the ''/opt/tomcat/current/conf/server.xml'', locate the configuration for port 8080 and add the ''maxSwallowSize="-1"'' property therein.
-  * In same file configure ajp port(''8009'') to look like this:
+  * In same file configure AJP port (''8009/tcp'') to look like this:
 <code>
@@ Line 408: / Line 410: @@
   * Do not show aplication server version:
-    * In the file ''/opt/tomcat/current/conf/web.xml'' set showServerInfo to false (default is true):
+    * In the file ''/opt/tomcat/current/conf/web.xml'' set ''showServerInfo'' to false (default is true):
 <code xml>