Differences

This shows you the differences between two versions of the page.


tutorial:adm:server_preparation_win [2021/05/04 08:39]
kopro [HTTPd installation and configuration] update configuration for certificates
tutorial:adm:server_preparation_win [2024/01/10 10:38] (current)
koulaj [Java]
Line 79: Line 79:
 <note>If you install the database onto a server distinct from the one on which the CzechIdM application itself (Tomcat etc.) is deployed, don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note> <note>If you install the database onto a server distinct from the one on which the CzechIdM application itself (Tomcat etc.) is deployed, don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note>
 ===== Java ===== ===== Java =====
-Install the openjdk (preferred version is 11.0.2). You can download it from [[https://jdk.java.net/archive/|here]]. Be sure to download the **JDK**, and not only **JRE**.  
  
 +Install the openjdk (preferred version is 11.0.2, for CzechIdm 13.1.0+ Java 21 is needed). You can download it from [[https://jdk.java.net/archive/|here]]. Be sure to download the **JDK**, and not only **JRE**.
 === OpenJDK Installation === === OpenJDK Installation ===
  
-Crete directory ''C:\Program Files\Java\'' and extract there downloaded zip. +Crete directory ''C:\Program Files\Java\'' and extract there downloaded zip. Then set path and JAVA HOME: 
-Then set path and JAVA HOME: + 
-  * Open the **sysdm.cpl** (Win+r ant type sysdm.cpl) dialogue and navigate to ''> Advanced > Environment Variables'' +   * Open the **sysdm.cpl**  (Win+r ant type sysdm.cpl) dialogue and navigate to ''> Advanced > Environment Variables'' 
-  * Add this line to PATH variable. <code>%JAVA_HOME%\bin</code>  +  * Add this line to PATH variable. 
-  * Add new variable ''JAVA_HOME'' with value ''C:\Program Files\Java\jdk-11.0.2'' +<code> 
-  * Then run ''java -version'' from the windows cmd to check if it is working properly.+ 
 +%JAVA_HOME%\bin 
 + 
 +</code> 
 + 
 +  * Add new variable ''JAVA_HOME''  with value ''C:\Program Files\Java\jdk-11.0.2'' 
 +  * Then run ''java -version''  from the windows cmd to check if it is working properly.
  
  
 ===== Tomcat ===== ===== Tomcat =====
-Download and install the latest 8.branch of Apache Tomcat from [[https://tomcat.apache.org/download-80.cgi|here]]. Use the Windows installer.+ 
 +Download and install the latest 9.branch of Apache Tomcat from [[https://tomcat.apache.org/download-90.cgi|here]]. Use the Windows installer. 
   * Agree with licence agreement   * Agree with licence agreement
-  * Deselect ''Manager'' from components and click ''Next''+  * Deselect ''Manager''  from components and click ''Next''
   * Set shutdown port to "-1" and connector port to "8080" and click ''Next''   * Set shutdown port to "-1" and connector port to "8080" and click ''Next''
-  * Modify the ''JRE path'' to make it point to installed openjde **JDK** and click ''Next''+  * Modify the ''JRE path''  to make it point to installed openjde **JDK**  and click ''Next''
   * Leave the installation path on default and click ''Install''   * Leave the installation path on default and click ''Install''
   * When it's done deselect option "start tomcat" and click ''finish''.   * When it's done deselect option "start tomcat" and click ''finish''.
  
-You can also use Tomcat 8.5.45 and newer, those installers set the service account to ''Local Service'' themselves.</note>+You can also use Tomcat 9.0.45 and newer, those installers set the service account to ''Local Service''  themselves.</note>
  
-After installation, run the **Monitor Tomcat** application from the Start menu (or run ''Tomcat8w.exe'' from the Tomcat bin directory - usually ''C:\Program Files\Apache Software Foundation\Tomcat 8.5\bin''). Configure following settings: +After installation, run the **Monitor Tomcat**  application from the Start menu (or run ''Tomcat9w.exe''  from the Tomcat bin directory - usually ''C:\Program Files\Apache Software Foundation\Tomcat 9.0\bin''). Configure following settings:
-  * ''initial memory pool: 512MB'' (example for about 5GB RAM). +
-  * ''maximum memory pool: 4096MB'' (example for about 5GB RAM). +
-  * Add ''C:\CzechIdM\etc;C:\CzechIdM\lib;C:\CzechIdM\lib\*;'' to the **beginning of the** ''CLASSPATH''.+
  
-Configure addresses the server will listen on. Open the ''C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\server.xml'' configuration file in the Tomcat installation. Make these changes: +  * ''initial memory pool: 512MB''  (example for about 5GB RAM). 
-  * Add ''address="127.0.0.1"'' to the **8080/tcp** and **8009/tcp** connectors. This will make Tomcat listen only on localhost. +  * ''maximum memory pool: 4096MB''  (example for about 5GB RAM). 
-  * Change port number ''8005'' to ''-1'' at the Shutdown Port setting. This will effectively turn off the shutdown port. +  * Add ''C:\CzechIdM\etc;C:\CzechIdM\lib;C:\CzechIdM\lib\*;''  to the **beginning of the**''CLASSPATH''
-  * In the section for ''Connector protocol="HTTP/1.1"'' on port 8080, add the ''maxSwallowSize="-1"'' property. + 
-  * Uncomment the section ''Connector protocol="AJP/1.3"'' for the port 8009 and adjust the address parameter: ''address="127.0.0.1"'',''secretRequired="true"'' and ''secret="password for ajp port" ''. It should look like this:+Configure addresses the server will listen on. Open the ''C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\server.xml''  configuration file in the Tomcat installation. Make these changes: 
 + 
 +  * Add ''address="127.0.0.1"''  to the **8080/tcp**  and **8009/tcp**  connectors. This will make Tomcat listen only on localhost. 
 +  * Change port number ''8005''  to ''-1''  at the Shutdown Port setting. This will effectively turn off the shutdown port. 
 +  * In the section for ''Connector protocol="HTTP/1.1"''  on port 8080, add the ''maxSwallowSize="-1"''  property. 
 +  * Uncomment the section ''Connector protocol="AJP/1.3"''  for the port 8009 and adjust the address parameter: ''address="127.0.0.1"'',''secretRequired="true"''  and ''secret="password for ajp port" ''. It should look like this:
 <code> <code>
 +
     <Connector protocol="AJP/1.3"     <Connector protocol="AJP/1.3"
                address="127.0.0.1"                address="127.0.0.1"
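Review bot: the ''JAVA_HOME'' example on the "Add new variable" line still reads ''C:\Program Files\Java\jdk-11.0.2'' although the Java paragraph in the same hunk now says CzechIdM 13.1.0+ needs Java 21; state that the value must point at the directory of the JDK actually installed (a jdk-21 directory on 13.1.0+), otherwise readers on the newer version set a path that does not exist. Two smaller points: the typos "Crete directory", "ant type" and "openjde" survive on the + side and could be fixed while these lines are being touched, and the sentence "You can also use Tomcat 9.0.45 and newer ... themselves.</note>" still ends with a closing </note> that has no opening <note> in this block, so the note markup is unbalanced on both sides of the diff. Finally, ''secret="password for ajp port"'' is a placeholder; say explicitly that it must be replaced by a long random value and that the same value has to be configured on the reverse-proxy side, because with ''secretRequired="true"'' a mismatch makes the AJP connector reject every request.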
Line 119: Line 130:
                secretRequired="true"                secretRequired="true"
                secret="***password for ajp port***"                secret="***password for ajp port***"
-               />    +               /> 
 </code> </code>
-<note important> 
-The parameter ''secretRequired="false"'' can be used on isolated installations. E.g. apache and tomcat run on the same dedicated host and tomcat listens on localhost only. ''secretRequired'' and ''secret'' were introduced in Tomcat 8.5.51 
-</note> 
  
-Use the **services.msc** dialogue to set the Apache Tomcat ''StartupType'' to ''Automatic (Delayed Start)''. This will make the application container start after the PostgreSQL database. +Use the **services.msc**  dialogue to set the Apache Tomcat ''StartupType''  to ''Automatic (Delayed Start)''. This will make the application container start after the PostgreSQL database. <note important>For production use, we strongly advise to remove all Tomcat's management applications from the container. 
-<note important>For production use, we strongly advise to remove all Tomcat's management applications from the container. + 
-  * Locate the ''webapps'' folder in the Tomcat installation and delete everything that is inside.+  * Locate the ''webapps''  folder in the Tomcat installation and delete everything that is inside. 
 </note> </note>
  
-For roles and advanced management configuration, please see the relevant chapters in the [[tutorial:adm:server_preparation|Server Preparation - Linux]] tutorial.+For roles and advanced management configuration, please see the relevant chapters in the [[.:server_preparation|Server Preparation - Linux]] tutorial. 
 + 
 +==== Change Tomcat logging properties ==== 
 + 
 +In order to set-up log rotation we need stop logging to stdout and start logging to catalina.log . 
 + 
 +After change of these tomcat setting and setting-up **logback-spring.xml** in [[.:czechidm_installation_win#create_czechidm_configuration|create_czechidm_configuration]] IdM will log into catalina.out and after day rotate it into catalina.YYYY-MM-DD.log. Tomcat engine will log into tomcat.log and no totate because there are only log of tomat start. Tomcat will log logs of IdM connectors into tomcat-stdout tomcat9-stdout.YYYY-MM-DD.log - it's well knows bug with workaround to make manual log rotation. 
 + 
 +Make these changes in file ''C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\logging.properties'': Comment out console handler. We don't want tomcat to log to stdout or stderr and other unnesesary logs. 
 +<code> 
 + 
 +handlers = 1catalina.org.apache.juli.AsyncFileHandler 
 +#handlers =  java.util.logging.ConsoleHandler, 2localhost.org.apache.juli.AsyncFileHandler, 3manager.org.apache.juli.AsyncFileHandler, 4host-manager.org.apache.juli.AsyncFileHandler 
 + 
 +.handlers = 1catalina.org.apache.juli.AsyncFileHandler 
 +#.handlers = java.util.logging.ConsoleHandler, 
 + 
 +###2localhost.org.apache.juli.AsyncFileHandler.level = FINE 
 +###2localhost.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs 
 +###2localhost.org.apache.juli.AsyncFileHandler.prefix = localhost. 
 +###2localhost.org.apache.juli.AsyncFileHandler.maxDays = 90 
 +###2localhost.org.apache.juli.AsyncFileHandler.encoding = UTF-8 
 + 
 +###3manager.org.apache.juli.AsyncFileHandler.level = FINE 
 +###3manager.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs 
 +###3manager.org.apache.juli.AsyncFileHandler.prefix = manager. 
 +###3manager.org.apache.juli.AsyncFileHandler.maxDays = 90 
 +###3manager.org.apache.juli.AsyncFileHandler.encoding = UTF-8 
 + 
 +###4host-manager.org.apache.juli.AsyncFileHandler.level = FINE 
 +###4host-manager.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs 
 +###4host-manager.org.apache.juli.AsyncFileHandler.prefix = host-manager. 
 +###4host-manager.org.apache.juli.AsyncFileHandler.maxDays = 90 
 +###4host-manager.org.apache.juli.AsyncFileHandler.encoding = UTF-8 
 + 
 +###java.util.logging.ConsoleHandler.level = FINE 
 +###java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter 
 +###java.util.logging.ConsoleHandler.encoding = UTF-8 
 + 
 +#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO 
 +#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.AsyncFileHandler 
 + 
 +#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO 
 +#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.AsyncFileHandler 
 + 
 +#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO 
 +#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.AsyncFileHandler 
 + 
 +</code> 
 + 
 +In 1catalina file handler change log level to "INFO" and prefix from "catalina" to "tomcat". Also set property rotable to "false". Tomcat write to this file only when starting or shutting down. 
 + 
 +<code> 
 +#1catalina.org.apache.juli.AsyncFileHandler.level = FINE 
 +#1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina. 
 +1catalina.org.apache.juli.AsyncFileHandler.level = INFO 
 +1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs 
 +1catalina.org.apache.juli.AsyncFileHandler.prefix = tomcat 
 +1catalina.org.apache.juli.AsyncFileHandler.rotatable = false 
 +1catalina.org.apache.juli.AsyncFileHandler.suffix = .log 
 + 
 +</code> 
 + 
 +Then in file ''C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\server.xml'' remove creation of access logs. Coment out org.apache.catalina.valves.AccessLogValve.'' '' 
 +<code> 
 +    <!--   <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" 
 +               prefix="localhost_access_log" suffix=".txt" 
 +               pattern="%h %l %u %t "%r" %s %b" /> --> 
 + 
 +</code> 
  
 ====== Apache httpd as a reverse proxy ====== ====== Apache httpd as a reverse proxy ======
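Review bot: the prose and the snippets in the new logging section disagree in several places. "In order to set-up log rotation we need stop logging to stdout and start logging to catalina.log" is followed two paragraphs later by "IdM will log into catalina.out", so the target file is named twice with different values; pick one. "Comment out console handler" describes the change, but the ''handlers'' and ''.handlers'' lines shown also drop the 2localhost, 3manager and 4host-manager AsyncFileHandlers, so the sentence should say that every handler except 1catalina is disabled. Commenting out ''org.apache.catalina.valves.AccessLogValve'' removes the per-request access log from Tomcat; since this page puts Apache httpd in front as a reverse proxy, add one sentence stating that request-level logging is then expected from the httpd access log, so that an incident investigation still has a record of every request. The removed ''<note important>'' about ''secretRequired="false"'' also took the Tomcat 8.5.51 version remark with it, which is reasonable now that the page targets Tomcat 9.0, but the option is then no longer documented anywhere in the visible text. Typos on the + side: "no totate", "tomat", "well knows bug", "unnesesary", "Coment out", and the stray '''' '''' after AccessLogValve.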
Line 141: Line 221:
  
 ===== HTTPd installation and configuration ===== ===== HTTPd installation and configuration =====
 +
 First, install necessary [[https://aka.ms/vs/16/release/vc_redist.x64.exe|VCredist library]]. First, install necessary [[https://aka.ms/vs/16/release/vc_redist.x64.exe|VCredist library]].
  
Line 147: Line 228:
 Fire up an elevated shell and install the Apache HTTPd service: Fire up an elevated shell and install the Apache HTTPd service:
 <code> <code>
 +
 cd C:\apache24\bin cd C:\apache24\bin
 httpd.exe -k install httpd.exe -k install
 +
 </code> </code>
  
 Open the **services.msc** and reconfigure "Apache2.4" service: Open the **services.msc** and reconfigure "Apache2.4" service:
-  * To have ''StartupType=Automatic (Delayed start)''+ 
-  * To execute under ''Local Service'' user. (On the "Log On" card, set user to ''Local Service'', delete contents of password fields and click Apply.)+   * To have ''StartupType=Automatic (Delayed start)''
 +  * To execute under ''Local Service''  user. (On the "Log On" card, set user to ''Local Service'', delete contents of password fields and click Apply.)
  
 Configure the HTTPd in its core config file ''C:\Apache24\conf\httpd.conf''. Configure the HTTPd in its core config file ''C:\Apache24\conf\httpd.conf''.
-<file apache httpd.conf> 
  
 +<file apache httpd.conf>
 #uncomment these modules #uncomment these modules
 LoadModule access_compat_module modules/mod_access_compat.so LoadModule access_compat_module modules/mod_access_compat.so
Line 174: Line 258:
  
 #add modsecurity module: #add modsecurity module:
- LoadModule security2_module modules/mod_security2.so+    LoadModule security2_module modules/mod_security2.so
  
 #change ServerName and Server Admin #change ServerName and Server Admin
Line 186: Line 270:
 # Include modsec configuration if module is loaded # Include modsec configuration if module is loaded
 <IfModule mod_security2.c> <IfModule mod_security2.c>
- Include conf/extra/modsec.conf+    Include conf/extra/modsec.conf
 </IfModule> </IfModule>
 +
  
 </file> </file>
  
-Configure the HTTP->HTTPS redirect in the ''C:\Apache24\conf\extra\httpd-vhosts.conf''. Replace ''demo.czechidm.com'' with the name of your server. Comment other template vhost which you don't need:+Configure the HTTPHTTPS redirect in the ''C:\Apache24\conf\extra\httpd-vhosts.conf''. Replace ''demo.czechidm.com''  with the name of your server. Comment other template vhost which you don't need: 
 <file apache httpd-vhosts.conf> <file apache httpd-vhosts.conf>
 # Virtual Hosts # Virtual Hosts
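Review bot: "Configure the HTTPHTTPS redirect" lost the arrow between HTTP and HTTPS in this hunk (the - side reads "HTTP->HTTPS"); restore it, for example as "HTTP to HTTPS redirect". Also "Comment other template vhost which you don't need" should read "Comment out the other template vhosts you don't need".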
Line 208: Line 294:
 #    Redirect / https://demo.czechidm.com #    Redirect / https://demo.czechidm.com
 </VirtualHost> </VirtualHost>
 +
 </file> </file>
  
-Configure the HTTPS virtual host in the ''C:\Apache24\conf\extra\httpd-ssl.conf'' file. Change ''demo.czechidm.com'' to the name of your server. +Configure the HTTPS virtual host in the ''C:\Apache24\conf\extra\httpd-ssl.conf''  file. Change ''demo.czechidm.com''  to the name of your server. <note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM due to the SSL settings. If this is your case, you may need to slacken the cipher settings a bit.</note> 
-<note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM due to the SSL settings. If this is your case, you may need to slacken the cipher settings a bit.</note>+
 <file apache httpd-ssl.conf> <file apache httpd-ssl.conf>
 Listen 443 Listen 443
Line 217: Line 304:
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4:!3DES+SHA:!IDEA SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4:!3DES+SHA:!IDEA
 SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
-SSLHonorCipherOrder on +SSLHonorCipherOrder on
 SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 SSLProxyProtocol all -SSLv2 -SSLv3 SSLProxyProtocol all -SSLv2 -SSLv3
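Review bot: this hunk only strips trailing whitespace from ''SSLHonorCipherOrder on'', but the surrounding context shows an inconsistency worth fixing in the same edit: ''SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1'' disables TLS 1.0 and 1.1 for clients, while ''SSLProxyProtocol all -SSLv2 -SSLv3'' still allows them towards backends; align the proxy line with the client line unless a backend is known to need the older versions. In ''SSLCipherSuite'' the token ''RC4+RSA'' is made a no-op by the later ''!RC4''; dropping it makes the intended policy (no RC4) easier to read.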
Line 223: Line 310:
 SSLSessionCache        "shmcb:c:/Apache24/logs/ssl_scache(512000)" SSLSessionCache        "shmcb:c:/Apache24/logs/ssl_scache(512000)"
 SSLSessionCacheTimeout  300 SSLSessionCacheTimeout  300
- 
  
 <VirtualHost _default_:443> <VirtualHost _default_:443>
Line 251: Line 337:
 # workaround for bad font handling in IE 11 # workaround for bad font handling in IE 11
 <LocationMatch "/idm/.*(\.ttf|\.woff2|\.eot)$"> <LocationMatch "/idm/.*(\.ttf|\.woff2|\.eot)$">
-        Header set Cache-Control "no-cache, public, must-revalidate, proxy-revalidate" +        Header set Cache-Control "no-cache, public, must-revalidate, proxy-revalidate"
 </LocationMatch> </LocationMatch>
  
-Protocols       h2 https/1.1+Protocols       https/1.1
 ProxyRequests     off ProxyRequests     off
 ProxyPreserveHost on ProxyPreserveHost on
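Review bot: the change from ''Protocols h2 https/1.1'' to ''Protocols https/1.1'' removes HTTP/2 without any mention in the edit summary ("[Java]"); record the reason (client compatibility, a mod_http2 build problem, or similar) in a comment next to the directive. Independently, the identifier Apache documents for HTTP/1.1 in the ''Protocols'' directive is ''http/1.1'', not ''https/1.1''; the token was wrong before this change as well and should be corrected while the line is being edited.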
Line 268: Line 354:
         SecRuleRemoveById 960015         SecRuleRemoveById 960015
         SecRuleRemoveById 950109         SecRuleRemoveById 950109
- +
         # Allow Czech signs         # Allow Czech signs
         SecRuleRemoveById 981318         SecRuleRemoveById 981318
Line 274: Line 360:
         SecRuleRemoveById 960024         SecRuleRemoveById 960024
         SecRuleRemoveById 981245         SecRuleRemoveById 981245
- +
         # Too restrictive for login format         # Too restrictive for login format
         SecRuleRemoveById 960035         SecRuleRemoveById 960035
-  + 
-        # Needed by Websockets +        # Needed by Websockets
         <Location "/idm/api/v1/websocket-info/">         <Location "/idm/api/v1/websocket-info/">
                 SecRuleRemoveById 970901                 SecRuleRemoveById 970901
         </Location>         </Location>
-        +
         # These break Certificate Authority module         # These break Certificate Authority module
         <Location "/idm/api/v1/crt/certificates">         <Location "/idm/api/v1/crt/certificates">
Line 288: Line 374:
                 SecRuleRemoveById 200003                 SecRuleRemoveById 200003
         </Location>         </Location>
-         + 
- # Modsec can throw false positives on some files due to multipart boundary check +    # Modsec can throw false positives on some files due to multipart boundary check 
- <Location "/idm/api/v1/attachments/upload"> +    <Location "/idm/api/v1/attachments/upload"> 
- SecRuleRemoveById 960915 +        SecRuleRemoveById 960915 
- SecRuleRemoveById 200003 +        SecRuleRemoveById 200003 
- </Location> +    </Location> 
- +
         # do not log request/response body         # do not log request/response body
         SecAuditLogParts AFHZ         SecAuditLogParts AFHZ
Line 324: Line 410:
         AddOutputFilterByType DEFLATE application/json         AddOutputFilterByType DEFLATE application/json
         AddOutputFilterByType DEFLATE application/hal+json         AddOutputFilterByType DEFLATE application/hal+json
- +
         # Remove browser bugs (only needed for really old browsers)         # Remove browser bugs (only needed for really old browsers)
         BrowserMatch ^Mozilla/4 gzip-only-text/html         BrowserMatch ^Mozilla/4 gzip-only-text/html
Line 333: Line 419:
  
 </VirtualHost> </VirtualHost>
 +
 </file> </file>
  
-Supply SSL certificate and key in x509 PEM form to ''c:/Apache24/conf/server.key'' and ''c:/Apache24/conf/server.crt'' files. Apache HTTPd will not start without those files. If you need to generate some ad-hoc certificates, use for example [[https://www.akadia.com/services/ssh_test_certificate.html|this guide]]. You can easily invoke the **openssl** tool from the Git Bash prompt.+Supply SSL certificate and key in x509 PEM form to ''c:/Apache24/conf/server.key''  and ''c:/Apache24/conf/server.crt''  files. Apache HTTPd will not start without those files. If you need to generate some ad-hoc certificates, use for example [[https://www.akadia.com/services/ssh_test_certificate.html|this guide]]. You can easily invoke the **openssl**  tool from the Git Bash prompt.
  
 Self-signed cert and key for testing purposes can be created like this: Self-signed cert and key for testing purposes can be created like this:
 <code> <code>
 +
 openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes
 +
 </code> </code>
 +
 +
 ===== mod_security installation ===== ===== mod_security installation =====
 Download the mod\_security module v 2.x from the [[https://www.apachelounge.com/download/VS16/modules/mod_security-2.9.3-win64-VS16.zip|Apache Lounge project]]. Download the mod\_security module v 2.x from the [[https://www.apachelounge.com/download/VS16/modules/mod_security-2.9.3-win64-VS16.zip|Apache Lounge project]].