Differences

This shows you the differences between two versions of the page.

tutorial:adm:server_preparation_tmp [2020/07/24 09:07]
fiserp [Java - CentOS8]
tutorial:adm:server_preparation_tmp [2020/07/24 11:35]
fiserp [mod_security configuration - CentOS8]
Line 312: Line 312:
  
 <code bash> <code bash>
-[root@tomcat1 logs]# ps -tomcat -fwww +[root@tomcat1 logs]# ps -ef | grep ^tomcat 
-UID        PID  PPID  C STIME TTY          TIME CMD +tomcat      1623       1  9 11:08 ?        00:00:04 /usr/lib/jvm/java-openjdk/bin/java -Djava.util.logging.config.file=/opt/tomcat/current/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/current/bin/bootstrap.jar:/opt/tomcat/current/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat/current -Dcatalina.home=/opt/tomcat/current -Djava.io.tmpdir=/opt/tomcat/current/temp org.apache.catalina.startup.Bootstrap start
-tomcat    1602     1  1 09:44 ?        00:00:02 /usr/lib/jvm/java-openjdk/bin/java -Djava.util.logging.config.file=/opt/tomcat/current/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Xms512M -Xmx1024M -server -XX:+UseParallelGC -classpath /opt/tomcat/current/bin/bootstrap.jar:/opt/tomcat/current/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat/current -Dcatalina.home=/opt/tomcat/current -Djava.io.tmpdir=/opt/tomcat/current/temp org.apache.catalina.startup.Bootstrap start+
 </code> </code>
  
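Review bot: `ps -ef | grep ^tomcat` matches every account whose name starts with `tomcat` and relies on the column layout; `ps -u tomcat -f` (which the old `ps -tomcat -fwww` was presumably meant to be) filters on the exact user without a grep. The new output is the more useful one, because it shows `-Dorg.apache.catalina.security.SecurityListener.UMASK=0027` among the JVM arguments, which is the evidence that the umask hardening for files Tomcat creates is in effect; the text should tell the reader that this is the property to look for.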
Line 334: Line 333:
 If you want to use them, it is necessary to do following steps. If you want to use them, it is necessary to do following steps.
  
-First of all, create a database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP.+First of all, create a Tomcat'database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP.
  
-Create user like this:+  * Create administration user 
 +    * Create the a new user in the file  ''/opt/tomcat/current/conf/tomcat-users.xml'' and assign him roles "manager-gui" and "admin-gui"
 +    * The documentation of available roles as well as overall configuration of the application is a part of application installation available at http://localhost:8080/docs/manager-howto.html#Configuring_Manager_Application_Access
  
-Create the a new user in the file  ''/opt/tomcat/current/conf/tomcat-users.xml'' and assign him roles "manager-gui" and "admin-gui"+The file ''/opt/tomcat/current/conf/tomcat-users.xml'' should now look like this:
-The documentation of available roles as well as overall configuration of the application is a part of application installation available at http://localhost:8080/docs/manager-howto.html#Configuring_Manager_Application_Access +
- +
-The file ''/opt/tomcat/current/conf/tomcat-users.xml'' looks like this:+
 <file xml tomcat-users.xml> <file xml tomcat-users.xml>
 <?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
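Review bot: the manager documentation link points at http://localhost:8080/docs/manager-howto.html, which only works while the bundled `docs` webapp is still installed; the production section further down removes the unneeded bundled applications, so either link the copy on tomcat.apache.org or say that the local link stops working after that cleanup. Worth one more sentence next to the `tomcat-users.xml` example: the password is stored in clear text, so the file must stay readable only by the `tomcat` user, and while `manager-gui` plus `admin-gui` on one account is fine, the Tomcat manager HOWTO warns against adding `manager-script` or `manager-jmx` to a user that also has `manager-gui` because of CSRF.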
Line 357: Line 355:
 </file> </file>
  
-If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. If you see ''403 Access Denied'' it might be you did not do this setting.+  * If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. 
 +    * If you see ''403 Access Denied'' when accessing Tomcat's management remotely, it might be because you did not perform this configuration.
  
-Add your IP address into application configuration files. In files ''/opt/tomcat/current/webapps/manager/META-INF/context.xml'' and ''/opt/tomcat/current/webapps/host-manager/META-INF/context.xml'' add net mask for your IP (both files should have the same content):+Add your IP address into application configuration files. In files ''/opt/tomcat/current/webapps/manager/META-INF/context.xml'' and ''/opt/tomcat/current/webapps/host-manager/META-INF/context.xml'' add netmask for your IP (both files should have the same content):
  
-In my casewant to access to Tomcat management from network 192.168.0.0/24:+For exampleif you want to access Tomcat'management from the network ''192.168.0.0/24'':
  
 <file xml context.xml> <file xml context.xml>
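Review bot: "add netmask for your IP" together with the `192.168.0.0/24` example does not match what the default `META-INF/context.xml` contains: it uses `RemoteAddrValve`, whose `allow=` attribute is a regular expression (`127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1`), so a CIDR string there never matches and the 403 persists. Either show the regex form (`192\.168\.0\.\d+`) or change the valve to `org.apache.catalina.valves.RemoteCIDRValve`, which does accept `192.168.0.0/24`; the elided lines after `<file xml context.xml>` should make clear which one is used. Also add that a 403 with a correct allow list means the user in `tomcat-users.xml` lacks the `manager-gui` role.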
Line 371: Line 370:
 </file> </file>
  
-Again, restart the tomcat:+  * Again, restart the tomcat
 <code bash> <code bash>
 systemctl restart tomcat systemctl restart tomcat
 </code> </code>
  
-===  Apache Tomcat configuration recommended for production usage ===+===  Apache Tomcat configuration recommended for production use ===
  
-It is advised to follow these steps for production usage:+We advise to follow these steps to configure Tomcat for production deployment.
  
-  * Remove unnecessary applications that comes with Tomcat:+  * Remove unnecessary applications that come with Tomcat:
  
 <code bash> <code bash>
Line 399: Line 398:
     * In the ''/opt/tomcat/current/conf/server.xml'', locate the configuration for port 8080 and add the ''maxSwallowSize="-1"'' property therein.     * In the ''/opt/tomcat/current/conf/server.xml'', locate the configuration for port 8080 and add the ''maxSwallowSize="-1"'' property therein.
  
-  * In same file configure ajp port(''8009'') to look like this:+  * In same file configure AJP port (''8009/tcp'') to look like this:
  
 <code> <code>
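Review bot: `maxSwallowSize="-1"` on the 8080 connector removes the cap (default 2 MB) on how many request-body bytes Tomcat reads and discards after rejecting a request; that cap exists so a client cannot tie up a thread by uploading data that will be thrown away, so the text should state why IdM needs it unlimited or set a concrete limit instead. For the AJP connector on `8009/tcp` the snippet itself is elided here; the instruction should require `address="127.0.0.1"` (or the proxy's address) and a `secret="..."` that matches the httpd side, since from Tomcat 9.0.31 the AJP connector refuses to start without a secret unless `secretRequired="false"` is set explicitly, and 8009 must never be reachable from outside the host.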
Line 411: Line 410:
  
   * Do not show aplication server version:   * Do not show aplication server version:
-    * In the file ''/opt/tomcat/current/conf/web.xml'' set showServerInfo to false (default is true):+    * In the file ''/opt/tomcat/current/conf/web.xml'' set ''showServerInfo'' to false (default is true):
  
 <code xml> <code xml>
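Review bot: `showServerInfo` in `conf/web.xml` is an init-param of the DefaultServlet and only affects directory listings; the version string scanners pick up comes from Tomcat's error pages, produced by the ErrorReportValve. Add `<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>` inside the `<Host>` element of `server.xml` (which also hides stack traces from clients), and optionally set `server="..."` on the Connector to control the `Server` response header.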
Line 481: Line 480:
 HTTPd basic configuration: HTTPd basic configuration:
  
-Change MPM to worker (lower system requirements) - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment all lines but mod\_mpm\_worker.so:+Change MPM to worker - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment-out all lines but mod\_mpm\_worker.so:
  
 <code bash> <code bash>
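Review bot: the rationale "(lower system requirements)" was removed but the instruction to switch to the worker MPM stays; on CentOS 8 httpd 2.4 ships with the event MPM enabled in `00-mpm.conf`, so a reader needs one sentence on why worker is preferred here (mod_security works with either threaded MPM). If memory was the only reason, keep that sentence rather than deleting it.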
Line 511: Line 510:
 </code> </code>
  
-Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'':+Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'SERVER' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'':
 <code xml> <code xml>
 <VirtualHost _default_:80> <VirtualHost _default_:80>
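Review bot: replacing 'server' with 'SERVER' makes the placeholder easier to spot, but the body of the `<VirtualHost _default_:80>` block is elided in this diff, so it is not visible whether the redirect is a permanent one (`Redirect permanent / https://SERVER/` or `RewriteRule ... [R=301,L]`) or a plain 302; the former is what clients cache. The 443 vhost that receives the traffic should also send `Strict-Transport-Security`, otherwise the redirect is the only thing keeping browsers off port 80.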
Line 545: Line 544:
 </code> </code>
  
-We also have to secure the communication. **Edit** corresponding lines in ''ssl.conf'' so they look like this. +Syntax check before httpd restart
-<code> +
-SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +
-SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4:!3DES+SHA:!IDEA +
-SSLHonorCipherOrder on +
-</code> +
-<note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM. If this is your case, you may need to slacken the cipher settings a bit.</note> +
- +
-Syntax check before httpd restart:+
 <code> <code>
 httpd -t -D DUMP_VHOST httpd -t -D DUMP_VHOST
 +# or apachectl configtest
 </code> </code>
  
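Review bot: this hunk deletes the TLS hardening (`SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`, the `SSLCipherSuite` line, `SSLHonorCipherOrder on`) and the legacy-client caveat without a replacement, so httpd now runs with whatever the packaged `ssl.conf` says. If the intent is to rely on the CentOS 8 system-wide crypto policy (the stock `ssl.conf` has `SSLCipherSuite PROFILE=SYSTEM`), say so and add `update-crypto-policies --show` as the check, because the active policy, not this page, then decides whether TLS 1.0 and 1.1 stay enabled; otherwise keep an explicit `SSLProtocol` line. Separately, the define in `httpd -t -D DUMP_VHOST` is misspelled: Apache recognizes `DUMP_VHOSTS` (the shorthand is `httpd -S`), so as written the command only performs the syntax check and silently prints no virtual host listing; the added `apachectl configtest` does the same syntax check.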
Line 625: Line 617:
 ==== mod_security configuration - CentOS8  ==== ==== mod_security configuration - CentOS8  ====
  
-In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf+Edit the file ''/etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf''.
  
-  * find the rule 900200 and add methods PUT DELETE and PATCH on the line with tx.allowed\_methods. It look like this after change:+  * find the rule ''900200'' and add methods ''PUT'', ''DELETE'' and ''PATCH'' on the line starting ''tx.allowed\_methods''. It should look like this after change:
  
 <code> <code>
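Review bot: editing `REQUEST-901-INITIALIZATION.conf` in place changes a file owned by the `mod_security_crs` package, so the next update overwrites it; in upstream CRS 3.x rule `900200` is the operator override meant to live in `crs-setup.conf` (the 901 file only carries the fallback default under rule 901160), so the instruction should point at `crs-setup.conf`, normally `/etc/httpd/modsecurity.d/crs-setup.conf` on CentOS, and have the reader uncomment and edit 900200 there. Also state the scope of the widening: allowing `PUT`, `DELETE` and `PATCH` applies to every vhost this httpd protects with the CRS, not only the IdM REST API.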
Line 639: Line 631:
 </code> </code>
  
-  * find the rule 900220 and add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, after change:+  * find the rule ''900220'' and add support for content type ''application/hal+json'' on the line starting with ''tx.allowed\_request\_content\_type''. Result should look like this:
  
 <code> <code>
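Review bot: dropping `application/json` and `text/plain` from the instruction is correct only because the CRS 3.x default `tx.allowed_request_content_type` already lists them; say which CRS version this was checked against, and show the full resulting line, since `application/hal+json` must be inserted with the same separator the existing entries use or the variable stops matching and every JSON request is blocked by rule 920420. Same remark as for 900200: the override belongs in `crs-setup.conf`, not in the package-owned 901 file.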