Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:server_preparation_tmp [2020/06/24 12:00]
kolarikj [mod_security configuration - CentOS8]
+++ tutorial:adm:server_preparation_tmp [2020/07/24 12:35]
fiserp [Tomcat]
@@ Line 11: / Line 11: @@
 {{tag>installation java tomcat quickstart "apache httpd"}}
-This tutorial shows how to prepare the server for test or production usage of CzechIdM. If you are looking for much quicker way of how to start the CzechIdM, use the demo setup described here [[:getting-started|]]
+This tutorial shows how to prepare the server for test or production use of CzechIdM. If you are looking for much quicker way of how to start the CzechIdM, use the demo setup described here [[:getting-started|]]
 ===== Basic system setup =====
-  * 1 server (can be virtualized) for all: backend, frontend and database.
+  * 1 server (can be virtualized) for everything: backend, frontend and database.
-  * OS Linux with EPEL repository enabled - CENTOS, basic network enabled installation
+  * OS Linux with EPEL repository enabled - CentOS, basic network enabled installation
-    * It is possible to use Debian but you have to adjust the installation guide a little. We tested CzechIdM installation on Stretch.
+    * It is possible to use Debian (we tested on Stretch) or other distributions, but you have to adjust steps in this guide accordingly.
-  * PostgreSQL - installed from a new repository
+  * PostgreSQL 12.x - installed from OS packages.
-  * Java - distribution repository (OpenJDK 1.8)
+  * Java 11 - installed from OS packages.
-  * Apache Tomcat - manually installed into /opt/tomcat
+  * Apache Tomcat 8.5.x - installed manually into ''/opt/tomcat''.
-  * Services start via systemd in OS
+  * Apache HTTPd 2.4.x - installed from OS packages. Can be replaced by nGinx.
-  * Services run under dedicated user (non-privileged one)
+  * All services start via systemd.
+  * Each service runs under dedicated non-privileged user.
 ===== Instalation and software configuration =====
 Prerequisities - Basic installation of CentOS 8
 <code bash>
 # EPEL installation
-yum clean all
+dnf clean all
-yum install -y epel-release
+dnf -y install epel-release
-yum update -y
+dnf update -y
 # other recommended packages installation
-yum install -y mc haveged nmap screen sysstat telnet net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils
+dnf -y install mc haveged nmap screen sysstat telnet net-tools nano wget vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils tar
 # enable haveged after OS start
 systemctl start haveged.service
 systemctl enable haveged.service
-# remove unnecessary software
-yum remove -y postfix
-systemctl stop avahi-daemon.socket avahi-daemon.service
-systemctl disable avahi-daemon.socket avahi-daemon.service
-yum remove -y avahi-autoipd avahi
 # set the hostname
 hostnamectl set-hostname FQDN_server_name
@@ Line 48: / Line 46: @@
 ===== PostgreSQL  =====
-<note tip>If you are install CzechIdM on Sql server, please follow [[tutorial:adm:mssql_database_support|this tutorial]].</note>
+<note tip>If you are installing CzechIdM on Microsoft SQL Server, please follow [[tutorial:adm:mssql_database_support|this tutorial]].</note>
-CentOS8 default repository version of PostgreSQL is 10 but IdM not support that version. In our tutorial, we will install newer version 12. Moreover, we install database data into /data not /var/lib which is the default option.
+We install PostgreSQL 12 database binaries and change database data directory from ''/var/lib'' to ''/data''.
 ==== Database server installation - CentOS8 ====
   * Software installation on CentOS8(versions can vary):
@@ Line 55: / Line 53: @@
 <code bash>
 # enable module postgres 12
-yum module enable postgresql:12
+dnf module enable postgresql:12
-yum install -y postgresql-server postgresql-contrib postgresql-libs
+dnf -y install postgresql-server postgresql-contrib postgresql-libs
 </code>
-  * create new system directory:
+  * create new directory for database data:
 <code bash>
-mkdir -p /data/pgsql/12/data/
 mkdir -p /data/pgsql/12/data/
 chown -R postgres:postgres /data/pgsql/
@@ Line 68: / Line 65: @@
 </code>
-  * Copy of the configuration file for systemd, in which we will make change of directory for data:
+  * Copy the PostgreSQL's systemd unit to the /etc:
 <code bash>
@@ Line 80: / Line 77: @@
 </code>
-  * In the file ''~postgres/.bash_profile'' change the variable PGDATA value to:
+  * In the file ''/var/lib/pgsql/.bash_profile'' (bash profile for postgres user) change the variable PGDATA to:
 <code>
@@ Line 97: / Line 94: @@
 <code bash>
-/usr/bin/postgresql-setup --initdb --unit postgresql
+postgresql-setup --initdb --unit postgresql
 </code>
@@ Line 145: / Line 142: @@
-==== DB server configuration ====
+==== Database server configuration and sizing ====
-First of all, enable the password authentication.
+  * Enable the password authentication.
 In the file ''/data/pgsql/12/data/pg_hba.conf'' find lines:
@@ Line 154: / Line 151: @@
 host    all             all             ::1/128                 ident
 </code>
+and change the value at the end of each line to ''md5'' like this:
-and change the value at the end of each line into md5 like this:
 <code>
 host    all             all             127.0.0.1/32            md5
@@ Line 161: / Line 157: @@
 </code>
-Now we can do DB sizing. We presume the system has 3GB dedicated for the db. We can also log the queries logging (those over 200ms). **For particular sizing, use a [[https://pgtune.leopard.in.ua/#/|calculator]]**.
+  * Adjust DB instance sizing.
-In a file ''/data/pgsql/12/data/postgresql.conf'' edit (add those if not exist) lines:
+    * In following snippet, we presume the system has 3GB of memory dedicated for the database and about 100 db connections. **For your deployment, adjust the sizing accordingly. Use a [[https://pgtune.leopard.in.ua/#/|calculator]] if in doubt**.
+    * We also log queries running longer than 200ms.
+In a file ''/data/pgsql/12/data/postgresql.conf'' change (or add) following lines:
 <code>
-max_connections = 100			# (change requires restart)
+# This is an EXAMPLE. Use the calculator to adjust for your deployment!
-shared_buffers = 768MB			# min 128kB
+# DB Version: 12
+# OS Type: linux
+# DB Type: web
+# Total Memory (RAM): 3 GB
+# Connections num: 100
+# Data Storage: ssd
+max_connections = 100
+shared_buffers = 768MB
 effective_cache_size = 2304MB
-work_mem = 7864kB
 maintenance_work_mem = 192MB
-min_wal_size = 1GB
-max_wal_size = 2GB
 checkpoint_completion_target = 0.7
 wal_buffers = 16MB
 default_statistics_target = 100
+random_page_cost = 1.1
+effective_io_concurrency = 200
+work_mem = 3932kB
+min_wal_size = 1GB
+max_wal_size = 4GB
 log_min_duration_statement = 200
 </code>
-Restart DB: ''systemctl restart  postgresql.service''
+  * Restart the database
-<note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note>
+<code>
+systemctl restart  postgresql.service
+</code>
+<note>If you install the database to a different server than the CzechIdM application itself, don't forget to configure PostgreSQL with SSL certificates and to enforce remote SSL connections.</note>
 ===== Java - CentOS8 =====
-Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.11) from standard OS repository.
+Tomcat application server needs Java installed. We recommend to use OpenJDK 11 from standard OS repository. (OpenJDK 1.8 is also supported, check [[devel:documentation:compatibility|compatibility page]]).
 Installation:
-<code bash>
+<code>
-yum install -y java-11-openjdk-headless java-11-openjdk-devel
+dnf install -y java-11-openjdk-headless java-11-openjdk-devel
 </code>
-Then create the file ''/etc/profile.d/java.sh'' with following:
-<file bash java.sh>
-[ -d /usr/lib/jvm/java-openjdk ] && export JAVA_HOME=/usr/lib/jvm/java-openjdk
-</file>
@@ Line 206: / Line 211: @@
 <code>
 groupadd -r tomcat
-useradd -r -s /bin/nologin -g tomcat -d /opt/tomcat tomcat
+useradd -r -s /usr/sbin/nologin -g tomcat -d /opt/tomcat tomcat
 getent passwd tomcat
-#tomcat:x:995:993::/opt/tomcat:/bin/nologin
+#tomcat:x:995:993::/opt/tomcat:/usr/sbin/nologin
 </code>
@@ Line 218: / Line 223: @@
 </code>
-  * Download Apache Tomcat 8.5.x from the website [[https://tomcat.apache.org/download-80.cgi]] to **/opt/tomcat/**
+  * Download Apache Tomcat 8.5.x from the website [[https://tomcat.apache.org/download-80.cgi]] to ''/opt/tomcat/''
-    * In our exapmle the version is 8.5.8.
+    * In our exapmle the version is 8.5.57.
-  * extract files from archive:
+  * extract files from the archive:
 <code bash>
-tar xzf apache-tomcat-8.5.8.tar.gz
+tar xzf apache-tomcat-8.5.57.tar.gz
 </code>
@@ Line 231: / Line 236: @@
 <code bash>
 cd /opt/tomcat
-ln -s apache-tomcat-8.5.8 current
+ln -s apache-tomcat-8.5.57 current
 </code>
@@ Line 241: / Line 246: @@
 chmod 750 /opt/tomcat
 cd /opt/tomcat/current
-chmod o+rX -R ./
+chmod -R o+rX ./
 chgrp -R tomcat conf/ bin/ lib/
-chmod g+rwx conf
+chmod g+rx conf
 chmod g+r conf/*
 chown -R tomcat webapps/ work/ temp/ logs/
+mkdir /opt/tomcat/current/conf/Catalina
+chown tomcat:tomcat /opt/tomcat/current/conf/Catalina
+chmod 750 /opt/tomcat/current/conf/Catalina
 </code>
@@ Line 263: / Line 272: @@
 [Unit]
 Description=Apache Tomcat Web Application Container
-After=syslog.target network.target
+After=syslog.target network.target postgresql.service
 [Service]
@@ Line 286: / Line 295: @@
 WantedBy=multi-user.target
 </file>
+<note>
+  * Values of ''-Xms'' and ''-Xmx'' se are closely dependent on server sizing. If you have enough memory, we strongly recommend to use ''-Xmx 6128M'' or more.
+  * Tomcat will be started under user ''tomcat:tomcat''.
+</note>
-  * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more.
+  * Reload systemd configuration:
-  * Tomcat will be started under user ''tomcat:tomcat'' a will use java installed in ''/usr/lib/jvm/java-1.8.0-openjdk''.
-  * After every systemd configuration change it is necessary to reload:
 <code>
 systemctl daemon-reload
 </code>
-  * Test start:
+  * Start the Tomcat to ensure it is configured properly. Enable its start on OS start.
 <code>
 systemctl start tomcat
+systemctl enable tomcat
 </code>
   * Check that Tomcat runs with desirable parameters:
 <code bash>
-[root@tomcat1 logs]# ps -u tomcat -fwww
+[root@tomcat1 logs]# ps -ef | grep ^tomcat
-UID        PID  PPID  C STIME TTY          TIME CMD
+tomcat      1623       1  9 11:08 ?        00:00:04 /usr/lib/jvm/java-openjdk/bin/java -Djava.util.logging.config.file=/opt/tomcat/current/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/current/bin/bootstrap.jar:/opt/tomcat/current/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat/current -Dcatalina.home=/opt/tomcat/current -Djava.io.tmpdir=/opt/tomcat/current/temp org.apache.catalina.startup.Bootstrap start
-tomcat    1602     1  1 09:44 ?        00:00:02 /usr/lib/jvm/java-openjdk/bin/java -Djava.util.logging.config.file=/opt/tomcat/current/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Xms512M -Xmx1024M -server -XX:+UseParallelGC -classpath /opt/tomcat/current/bin/bootstrap.jar:/opt/tomcat/current/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat/current -Dcatalina.home=/opt/tomcat/current -Djava.io.tmpdir=/opt/tomcat/current/temp org.apache.catalina.startup.Bootstrap start
 </code>
-  * Stop Apache Tomcat:
+  * Stop the Tomcat.
 <code>
 systemctl stop tomcat
-</code>
-  * Enable tomcat start after OS start:
-<code bash>
-systemctl enable tomcat
 </code>
@@ Line 325: / Line 337: @@
 If you want to use them, it is necessary to do following steps.
-First of all, create a database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP.
+First of all, create a Tomcat's database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP.
-Create user like this:
-Create the a new user in the file  ''/opt/tomcat/current/conf/tomcat-users.xml'' and assign him roles "manager-gui" and "admin-gui".
+  * Create administration user
-The documentation of available roles as well as overall configuration of the application is a part of application installation available at http://localhost:8080/docs/manager-howto.html#Configuring_Manager_Application_Access
+    * Create the a new user in the file  ''/opt/tomcat/current/conf/tomcat-users.xml'' and assign him roles "manager-gui" and "admin-gui".
+    * The documentation of available roles as well as overall configuration of the application is a part of application installation available at http://localhost:8080/docs/manager-howto.html#Configuring_Manager_Application_Access
-The file ''/opt/tomcat/current/conf/tomcat-users.xml'' looks like this:
+The file ''/opt/tomcat/current/conf/tomcat-users.xml'' should now look like this:
 <file xml tomcat-users.xml>
 <?xml version="1.0" encoding="UTF-8"?>
@@ Line 348: / Line 359: @@
 </file>
-If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. If you see ''403 Access Denied'' it might be you did not do this setting.
+  * If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP.
+    * If you see ''403 Access Denied'' when accessing Tomcat's management remotely, it might be because you did not perform this configuration.
-Add your IP address into application configuration files. In files ''/opt/tomcat/current/webapps/manager/META-INF/context.xml'' and ''/opt/tomcat/current/webapps/host-manager/META-INF/context.xml'' add net mask for your IP (both files should have the same content):
+Add your IP address into application configuration files. In files ''/opt/tomcat/current/webapps/manager/META-INF/context.xml'' and ''/opt/tomcat/current/webapps/host-manager/META-INF/context.xml'' add netmask for your IP (both files should have the same content):
-In my case, I want to access to Tomcat management from network 192.168.0.0/24:
+For example, if you want to access Tomcat's management from the network ''192.168.0.0/24'':
 <file xml context.xml>
@@ Line 362: / Line 374: @@
 </file>
-Again, restart the tomcat:
+  * Again, restart the tomcat
 <code bash>
 systemctl restart tomcat
 </code>
-===  Apache Tomcat configuration recommended for production usage ===
+===  Apache Tomcat configuration recommended for production use ===
-It is advised to follow these steps for production usage:
+We advise to follow these steps to configure Tomcat for production deployment.
-  * Remove unnecessary applications that comes with Tomcat:
+  * Remove unnecessary applications that come with Tomcat:
 <code bash>
@@ Line 390: / Line 402: @@
     * In the ''/opt/tomcat/current/conf/server.xml'', locate the configuration for port 8080 and add the ''maxSwallowSize="-1"'' property therein.
-  * In same file configure ajp port(''8009'') to look like this:
+  * In same file configure AJP port (''8009/tcp'') to look like this:
 <code>
@@ Line 402: / Line 414: @@
   * Do not show aplication server version:
-    * In the file ''/opt/tomcat/current/conf/web.xml'' set showServerInfo to false (default is true):
+    * In the file ''/opt/tomcat/current/conf/web.xml'' set ''showServerInfo'' to false (default is true):
 <code xml>
@@ Line 472: / Line 484: @@
 HTTPd basic configuration:
-Change MPM to worker (lower system requirements) - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment all lines but mod\_mpm\_worker.so:
+Change MPM to worker - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment-out all lines but mod\_mpm\_worker.so:
 <code bash>
@@ Line 502: / Line 514: @@
 </code>
-Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'':
+Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'SERVER' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'':
 <code xml>
 <VirtualHost _default_:80>
@@ Line 536: / Line 548: @@
 </code>
-We also have to secure the communication. **Edit** corresponding lines in ''ssl.conf'' so they look like this.
+Syntax check before httpd restart
-<code>
-SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
-SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4:!3DES+SHA:!IDEA
-SSLHonorCipherOrder on
-</code>
-<note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM. If this is your case, you may need to slacken the cipher settings a bit.</note>
-Syntax check before httpd restart:
 <code>
 httpd -t -D DUMP_VHOST
+# or apachectl configtest
 </code>
@@ Line 616: / Line 621: @@
 ==== mod_security configuration - CentOS8  ====
-In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf
+Edit the file ''/etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf''.
-  * find the rule 900200 and add methods PUT DELETE and PATCH on the line with tx.allowed\_methods. It look like this after change:
+  * find the rule ''900200'' and add methods ''PUT'', ''DELETE'' and ''PATCH'' on the line starting ''tx.allowed\_methods''. It should look like this after change:
 <code>
@@ Line 630: / Line 635: @@
 </code>
-  * find the rule 900220 and add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, after change:
+  * find the rule ''900220'' and add support for content type ''application/hal+json'' on the line starting with ''tx.allowed\_request\_content\_type''. Result should look like this:
 <code>