Differences

tutorial:adm:server_preparation_win [2019/11/28 13:27]
fiserp [HTTPd installation and configuration]
tutorial:adm:server_preparation_win [2020/06/09 11:21] (current)
fiserp [mod_security installation]
Line 8: Line 8:
   * 1 server (can be virtualized) for everything: backend, frontend and database. ​   * 1 server (can be virtualized) for everything: backend, frontend and database. ​
   * OS Windows, ideally W2012 and newer   * OS Windows, ideally W2012 and newer
-  * PostgreSQL - installed from OpenSCG+  * PostgreSQL - installed from EnterpriseDB
   * Java - installed from Oracle JDK   * Java - installed from Oracle JDK
   * Apache Tomcat - installed by Tomcat .exe installer   * Apache Tomcat - installed by Tomcat .exe installer
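Review bot: the PostgreSQL item changes the installer source from OpenSCG to EnterpriseDB but, like the Oracle JDK and Tomcat items beside it, says nothing about verifying the download; since all three are fetched from the internet and executed with administrative rights, one sentence on checking the vendor's published checksum or the installer's Authenticode signature before running it would close that gap.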
Line 23: Line 23:
   * Disable Microsoft IIS if installed.   * Disable Microsoft IIS if installed.
 ===== PostgreSQL ===== ===== PostgreSQL =====
-On Windows, we use [[https://​www.openscg.com/bigsql/​postgresql/​installers/​|OpenSCG]] PostgreSQL ​distribution,​ version at least 9.6. +On Windows, we use [[https://​www.enterprisedb.com/downloads/postgres-postgresql-downloads|EnterpriseDB]] PostgreSQL distribution. Recommended version is 12.x. 
-  * Leave locations ​at default+  * For installation,​ basically follow [[https://​www.enterprisedb.com/​edb-docs/​d/​postgresql/​installation-getting-started/​installation-guide-installers/12/​invoking_the_graphical_installer.html|the official guide]]
-  * Make sure you check the option to install ​the windows ​service.+  * Set location for binaries to ''​C:​\PostgreSQL\9.6''​. 
 +  * Set location for database to ''​C:​\PostgreSQL\9.6\data''​. 
 +  * Install all components (pgAdmin, StackBuilder,​ etc.)
 +  * Leave the locale ​at ''​[Default locale]'',​ we will set locale explicitly when creating a database
 +  * After installation, ​check the Windows services - the ''​postgresql-x86_64'' ​service ​should be there, configured with autostart. 
 +    * To enter services menu, get to the Start->​Run and invoke ''​services.msc''​.
  
-Open the elevated shell (right-click on cmd and select "run as admin"​) and install the pgAdmin: +Edit the PostgreSQL configuration file ''​C:​\PostgreSQL\9.6\data\postgresql.conf''​ to make it listen on 127.0.0.1 only. Adjust the database sizing as necessary. The following example is for 6GB RAM. Do not hasten to overwrite your PgSQL configuration out of hand! When in doubt, use a [[https://​pgtune.leopard.in.ua/​|calculator]].
-<​code>​ +
-cd c:/​postgresql +
-pgc install pgadmin3 +
-</​code>​ +
-If your server does not have Internet access, you can download and install pgAdmin from [[https://​www.pgadmin.org/​|here]]. +
- +
-Edit the PostgreSQL configuration file ''​C:​\PostgreSQL\data\pg96\postgresql.conf''​ to make it listen on 127.0.0.1 only. Adjust the database sizing as necessary. The following example is for 6GB RAM. Do not hasten to overwrite your PgSQL configuration out of hand! When in doubt, use a [[https://​pgtune.leopard.in.ua/​|calculator]].+
 <​code>​ <​code>​
 listen_addresses = '​127.0.0.1'​ #​ what IP address(es) to listen on; listen_addresses = '​127.0.0.1'​ #​ what IP address(es) to listen on;
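Review bot: the new text recommends PostgreSQL 12.x, yet every path in the hunk still carries the old major version: "C:\PostgreSQL\9.6", "C:\PostgreSQL\9.6\data" and "C:\PostgreSQL\9.6\data\postgresql.conf". Either name the directory for the version actually installed (for example "C:\PostgreSQL\12") or state that the 9.6 name is kept on purpose; as written, a reader who follows the 12.x recommendation ends up with a misleading layout, and the pg_hba.conf path later in this change inherits the same inconsistency. The service check says "postgresql-x86_64" should appear in services.msc; the EnterpriseDB installer typically names the service per major version (for example "postgresql-x64-12"), so that string should be confirmed against an actual 12.x installation before it is published.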
Line 75: Line 73:
 </​code>​ </​code>​
  
-Configure the authentication in the ''​C:​\PostgreSQL\data\pg96\pg_hba.conf''​ to accept passwords. The basic configuration file should then look like this:+Configure the authentication in the ''​C:​\PostgreSQL\9.6\data\pg_hba.conf''​ to accept passwords. The basic configuration file should then look like this:
 <​code>​ <​code>​
 # TYPE  DATABASE ​       USER            CIDR-ADDRESS ​           METHOD # TYPE  DATABASE ​       USER            CIDR-ADDRESS ​           METHOD
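Review bot: "accept passwords" leaves the METHOD column of pg_hba.conf unspecified in the visible lines; with the 12.x recommendation made earlier in this change, the documented entries should use "scram-sha-256" rather than "md5", together with "password_encryption = scram-sha-256" in postgresql.conf set before the application role is created, since md5 authentication is the weaker, replay-prone scheme and 12.x supports SCRAM out of the box.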
Line 86: Line 84:
 </​code>​ </​code>​
  
-Open Windows services'​ dialogue (Win+r and type **services.msc** therein). Look for the "​PostgreSQL 9.6 Server"​ service and set its ''​StartupType''​ to ''​Automatic''​. Then start the service. +<​note>​If you install the database onto a server distinct from the one on which the CzechIdM application itself (Tomcat etc.) is deployed, don't forget to configure PostgreSQL to allow remote SSL connection from that server.</​note>​
- +
-<​note>​If you install the database onto a server distinct from the one on which the CzechIdM application itself (Tomcat etc.) is mounted, don't forget to configure PostgreSQL to allow remote SSL connection from that server.</​note>​+
 ===== Java ===== ===== Java =====
 Install the Oracle JDK (minimal version is 1.8). You can download it from [[http://​www.oracle.com/​technetwork/​java/​javase/​downloads/​jdk8-downloads-2133151.html|here]]. Be sure to download the **JDK**, and not only **JRE**. Install the Oracle JDK (minimal version is 1.8). You can download it from [[http://​www.oracle.com/​technetwork/​java/​javase/​downloads/​jdk8-downloads-2133151.html|here]]. Be sure to download the **JDK**, and not only **JRE**.
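Review bot: the retained note tells the reader to "configure PostgreSQL to allow remote SSL connection" when the database lives on a separate host, but the configuration shown just above binds "listen_addresses = '127.0.0.1'", so the note should name what actually has to change: "listen_addresses" set to the server's own address rather than "*", "ssl = on" with certificate and key paths in postgresql.conf, and a "hostssl" line in pg_hba.conf restricted to the application server's address and to the application database and role. It would also help to say that the removed step (set the service to Automatic and start it) is now covered by the installer check earlier in this change, so the reader does not assume a start step went missing.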
Line 102: Line 98:
   * Let the setup create a Tomcat windows service.   * Let the setup create a Tomcat windows service.
  
-After installation,​ run the **Monitor Tomcat** application from the Start menu. Configure following settings:+<note important>​Installers for Tomcat 8.5.43 and older configure the service to run as ''​Local System''​ which is an account with elevated privileges. Reconfigure this to ''​Local Service''​ on the service configuration "​LogOn"​ tab. 
 + 
 +You can also use Tomcat 8.5.45 and newer, those installers set the service account to ''​Local Service''​ themselves.</​note>​ 
 + 
 +After installation,​ run the **Monitor Tomcat** application from the Start menu (or run ''​Tomcat8w.exe''​ from the Tomcat bin directory - usually ''​C:​\Program Files\Apache Software Foundation\Tomcat 8.5\bin''​). Configure following settings:
   * ''​initial memory pool: 512MB''​ (example for about 5GB RAM).   * ''​initial memory pool: 512MB''​ (example for about 5GB RAM).
   * ''​maximum memory pool: 4096MB''​ (example for about 5GB RAM).   * ''​maximum memory pool: 4096MB''​ (example for about 5GB RAM).
-  * Add ''​C:​\CzechIdM\etc;​C:​\CzechIdM\lib;​C:​\CzechIdM\lib\\*;''​ to the **beginning of the** ''​CLASSPATH''​.+  * Add ''​C:​\CzechIdM\etc;​C:​\CzechIdM\lib;​C:​\CzechIdM\lib\*;''​ to the **beginning of the** ''​CLASSPATH''​.
  
 Configure addresses the server will listen on. Open the ''​server.xml''​ configuration file in the Tomcat installation. Make these changes: Configure addresses the server will listen on. Open the ''​server.xml''​ configuration file in the Tomcat installation. Make these changes:
   * Add ''​address="​127.0.0.1"''​ to the **8080/​tcp** and **8009/​tcp** connectors. This will make Tomcat listen only on localhost.   * Add ''​address="​127.0.0.1"''​ to the **8080/​tcp** and **8009/​tcp** connectors. This will make Tomcat listen only on localhost.
   * Change port number ''​8005''​ to ''​-1''​ at the Shutdown Port setting. This will effectively turn off the shutdown port.   * Change port number ''​8005''​ to ''​-1''​ at the Shutdown Port setting. This will effectively turn off the shutdown port.
 +  * In the section for ''​Connector protocol="​HTTP/​1.1"''​ on port 8080, add the ''​maxSwallowSize="​-1"''​ property.
 +  * Uncomment the section ''​Connector protocol="​AJP/​1.3"''​ for the port 8009 and adjust the address parameter: ''​address="​127.0.0.1"''​ and add ''​secretRequired="​false"''​. It should look like this:
 +<​code>​
 +    <​Connector protocol="​AJP/​1.3"​
 +               ​address="​127.0.0.1"​
 +               ​port="​8009"​
 +               ​redirectPort="​8443"​
 +               ​secretRequired="​false"​
 +               /> ​   ​
 +</​code>​
 +<note important>​
 +The parameter ''​secretRequired="​false"''​ can be used on isolated installations. E.g. apache and tomcat run on the same dedicated host and tomcat listens on localhost only. ''​secretRequired''​ and ''​secret''​ were introduced in Tomcat 8.5.51
 +</​note>​
  
 Use the **services.msc** dialogue to set the Apache Tomcat ''​StartupType''​ to ''​Automatic (Delayed Start)''​. This will make the application container start after the PostgreSQL database. Use the **services.msc** dialogue to set the Apache Tomcat ''​StartupType''​ to ''​Automatic (Delayed Start)''​. This will make the application container start after the PostgreSQL database.
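Review bot: the added note moves the Tomcat service from "Local System" to "Local Service" but gives no step for file-system permissions; an account demoted from Local System needs write access to Tomcat's "logs", "temp" and "work" directories (and to any CzechIdM directories the application writes to), otherwise the service fails at start, which is exactly the failure this change later documents for Apache's "logs/" directory. Two smaller points in the server.xml list: "maxSwallowSize="-1"" removes the cap on request-body bytes Tomcat will swallow for an aborted request, so the reason for it (presumably large uploads through the proxy) should be stated; and the "secretRequired="false"" note covers only the isolated case, so it should also give the non-isolated form, "secretRequired="true"" with a "secret="..."" attribute matching the proxy's configuration.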
Line 137: Line 150:
 </​code>​ </​code>​
  
-Open the **services.msc** and reconfigure "​Apache2.4"​ service ​to have ''​StartupType=Automatic (Delayed start)''​.+Open the **services.msc** and reconfigure "​Apache2.4"​ service
 +  * To have ''​StartupType=Automatic (Delayed start)''​. 
 +  * To execute under ''​Local Service''​ user. (On the "Log On" card, set user to ''​Local Service'',​ delete contents of password fields and click Apply.)
  
 Configure the HTTPd in its core config file ''​C:​\Apache24\conf\httpd.conf''​. You can use the following file, just replace values for ''​ServerAdmin''​ and ''​ServerName''​. Configure the HTTPd in its core config file ''​C:​\Apache24\conf\httpd.conf''​. You can use the following file, just replace values for ''​ServerAdmin''​ and ''​ServerName''​.
 <file apache httpd.conf>​ <file apache httpd.conf>​
-ServerRoot ​"​c:/​Apache24"​+Define SRVROOT ​"​c:/​Apache24
 +ServerRoot "​${SRVROOT}"
  
 Listen 80 Listen 80
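Review bot: the added line "Define SRVROOT "c:/Apache24" is shown without a closing quote, while the removed "ServerRoot "c:/Apache24"" had one; check the actual httpd.conf, because an unterminated string here breaks configuration parsing and the service will not start. The switch to "Local Service" is the right move and pairs with the "logs/" permission note added at the end of this change; it would be worth stating here that "conf/" (including "server.key") must stay read-only for that account, so that the directory permissions are not loosened wholesale when the logs problem appears.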
Line 427: Line 443:
  
 Supply SSL certificate and key in x509 PEM form to ''​c:/​Apache24/​conf/​server.key''​ and ''​c:/​Apache24/​conf/​server.crt''​ files. Apache HTTPd will not start without those files. If you need to generate some ad-hoc certificates,​ use for example [[https://​www.akadia.com/​services/​ssh_test_certificate.html|this guide]]. You can easily invoke the **openssl** tool from the Git Bash prompt. Supply SSL certificate and key in x509 PEM form to ''​c:/​Apache24/​conf/​server.key''​ and ''​c:/​Apache24/​conf/​server.crt''​ files. Apache HTTPd will not start without those files. If you need to generate some ad-hoc certificates,​ use for example [[https://​www.akadia.com/​services/​ssh_test_certificate.html|this guide]]. You can easily invoke the **openssl** tool from the Git Bash prompt.
 +
 +Self-signed cert and key for testing purposes can be created like this:
 +<​code>​
 +openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes
 +</​code>​
 ===== mod_security installation ===== ===== mod_security installation =====
-Download the mod\_security module from the [[https://​www.apachelounge.com/​download/​VC15/​modules/​mod_security-2.9.2-win64-VC15.zip|Apache Lounge project]].+Download the mod\_security module from the [[https://​www.apachelounge.com/​download/​VS16/​modules/​mod_security-2.9.3-win64-VS16.zip|Apache Lounge project]].
 Unpack the zip and perform following actions: Unpack the zip and perform following actions:
   * Copy the ''​mod\_security2.so''​ int ''​C:​\Apache24\modules''​ directory.   * Copy the ''​mod\_security2.so''​ int ''​C:​\Apache24\modules''​ directory.
-  * Copy ''​libcurl.dll''​ and ''​yajl.dll''​ into ''​C:​\Apache24\bin''​ directory.+  * Copy ''​yajl.dll''​ into ''​C:​\Apache24\bin''​ directory.
  
 Create general mod\_security configuration file ''​C:​\Apache24\conf\extra\modsec.conf'':​ Create general mod\_security configuration file ''​C:​\Apache24\conf\extra\modsec.conf'':​
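Review bot: the self-signed command "openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes" prompts interactively for the subject and emits no subjectAltName, and current browsers ignore the CN and reject a certificate without a SAN; for a non-interactive certificate that test clients accept, add "-subj "/CN=idm.example.com"" and, with OpenSSL 1.1.1 or newer (recent Git for Windows builds qualify), "-addext "subjectAltName=DNS:idm.example.com"" (the hostname is a placeholder). "-nodes" is appropriate because the Apache service must read the key unattended, which makes the file ACL on "conf/server.key" the only protection of the private key; the text should say so. In the mod_security list, "libcurl.dll" is dropped from the files to copy without a reason; noting why (presumably the 2.9.3 VS16 zip no longer needs it) would spare readers of the older text from hunting for a file that is not there.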
Line 497: Line 518:
  
 Now you can start the Apache HTTPd using its service. If it fails to start, check the Windows EventLog for errors. Now you can start the Apache HTTPd using its service. If it fails to start, check the Windows EventLog for errors.
 +<note important>​It is possible the Apache HTTPd fails to create its logfiles. In that case, there is probably a privilege problem on the ''​logs/''​ directory (you can confirm this by looking into EventLog). If this is the case, grant the ''​Local Service''​ user a write access to the ''​logs/''​.</​note>​