Differences

This shows you the differences between two versions of the page.

--- documentation:server-install-aducid [2018/06/26 00:13]
mpospisek created
+++ — (current)
@@ Line 1: / Line 1: @@
-====== ADUCID software ======
-===== File and directory preparation =====
-Directories for aducid-aaa-modules
-AAA modules need the following directories are created before installation:
-<codedoc code:bash>
-mkdir /opt/aaa/install
-mkdir /opt/aaa/logs
-mkdir /opt/aaa/conf
-mkdir /opt/aaa/conf/aducid
-mkdir /opt/aaa/certs
-mkdir /opt/aaa/aducid-error-pages
-mkdir /opt/aaa/bin
-</codedoc>
-Files for aducid-aaa-modules
-Please adjust your server hostname in these files, as indicated.
-<codedoc code:bash>
-# A. File /usr/lib/systemd/system/aducid-aaa.service
-# --------------------------------------------------
-# cat /etc/sysconfig/aducid-aaa
-#
-# This file can be used to set additional environment variables for
-# the httpd process, or pass additional options to the httpd
-# executable.
-#
-# Note: With previous versions of httpd, the MPM could be changed by
-# editing an "HTTPD" variable here.  With the current version, that
-# variable is now ignored.  The MPM is a loadable module, and the
-# choice of MPM can be changed by editing the configuration file
-# /etc/httpd/conf.modules.d/00-mpm.conf.
-#
-#
-# To pass additional options (for instance, -D definitions) to the
-# httpd binary at startup, set OPTIONS here.
-#
-#OPTIONS=
-#
-# This setting ensures the httpd process is started in the "C" locale
-# by default.  (Some modules will not behave correctly if
-# case-sensitive string comparisons are performed in a different
-# locale.)
-#
-OPENAAA_PROTOCOL=aaa
-OPENAAA_HANDLER=/usr/local/bin/aducid
-OPENAAA_AUTHORITY=your.server.dnsname
-# cat /usr/lib/systemd/system/aducid-aaa.service
-[Unit]
-Description=The ADUCID Apache HTTP Server
-After=network.target remote-fs.target nss-lookup.target
-[Service]
-#Type=notify
-Type=forking
-EnvironmentFile=/etc/sysconfig/aducid-aaa
-ExecStart=/opt/aaa/bin/aducid-aaa.sh start
-ExecReload=/opt/aaa/bin/aducid-aaa.sh restart
-ExecStop=/opt/aaa/bin/aducid-aaa.sh stop
-# We want systemd to give httpd some time to finish gracefully, but still want
-# it to kill httpd after TimeoutStopSec if something went wrong during the
-# graceful stop. Normally, Systemd sends SIGTERM signal right after the
-# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
-# httpd time to finish.
-#KillSignal=SIGCONT
-#PrivateTmp=true
-[Install]
-WantedBy=multi-user.target
-# B. File /etc/sysconfig/aducid-aaa
-# ---------------------------------
-# cat /etc/sysconfig/aducid-aaa
-#
-# This file can be used to set additional environment variables for
-# the httpd process, or pass additional options to the httpd
-# executable.
-#
-# Note: With previous versions of httpd, the MPM could be changed by
-# editing an "HTTPD" variable here.  With the current version, that
-# variable is now ignored.  The MPM is a loadable module, and the
-# choice of MPM can be changed by editing the configuration file
-# /etc/httpd/conf.modules.d/00-mpm.conf.
-#
-#
-# To pass additional options (for instance, -D definitions) to the
-# httpd binary at startup, set OPTIONS here.
-#
-#OPTIONS=
-#
-# This setting ensures the httpd process is started in the "C" locale
-# by default.  (Some modules will not behave correctly if
-# case-sensitive string comparisons are performed in a different
-# locale.)
-#
-OPENAAA_PROTOCOL=aaa
-OPENAAA_HANDLER=/usr/local/bin/aducid
-OPENAAA_AUTHORITY=your.server.dnsname
-# C. File /opt/aaa/bin/aducid-aaa.sh
-# ----------------------------------
-# cat /usr/lib/systemd/system/aducid-aaa.service
-[Unit]
-Description=The ADUCID Apache HTTP Server
-After=network.target remote-fs.target nss-lookup.target
-[Service]
-#Type=notify
-Type=forking
-EnvironmentFile=/etc/sysconfig/aducid-aaa
-ExecStart=/opt/aaa/bin/aducid-aaa.sh start
-ExecReload=/opt/aaa/bin/aducid-aaa.sh restart
-ExecStop=/opt/aaa/bin/aducid-aaa.sh stop
-# We want systemd to give httpd some time to finish gracefully, but still want
-# it to kill httpd after TimeoutStopSec if something went wrong during the
-# graceful stop. Normally, Systemd sends SIGTERM signal right after the
-# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
-# httpd time to finish.
-#KillSignal=SIGCONT
-#PrivateTmp=true
-[Install]
-WantedBy=multi-user.target
-# D. File /etc/profile.d/openaaa.sh
-# ---------------------------------
-# cat /etc/profile.d/openaaa.sh
-#!/bin/bash
-export OPENAAA_PROTOCOL=aaa
-export OPENAAA_HANDLER=/usr/local/bin/aducid
-export OPENAAA_AUTHORITY=`hostname`
-# E. Just check contents of the file /opt/aaa/bin/aducid-aaa.sh
-# -------------------------------------------------------------
-# cat /opt/aaa/bin/aducid-aaa.sh
-#!/bin/bash -x
-#
-# Start stop or restart the ADUCID-AAA service
-#
-# PATH=/sbin:/usr/sbin:$PATH
-RETVAL=0
-# Check that networking is up.
-. /etc/sysconfig/network
-usage ()
-{
-        echo $"Usage: $0 {start|stop|restart}" 1>&2
-        RETVAL=2
-}
-start ()
-{
-/usr/bin/aaa -s -vv &
-/opt/aaa/bin/httpd -k start
-}
-stop ()
-{
-/opt/aaa/bin/httpd -k stop
-kill -9 `cat /var/run/aaad.pid`
-}
-restart ()
-{
-        stop
-        start
-}
-case "$1" in
-    stop) stop ;;
-    status) status ;;
-    start|restart|reload|force-reload) restart ;;
-    *) usage ;;
-esac
-exit $RETVAL
-</codedoc>
-===== Installation =====
-Do one of the following:
-  * Connect the ADUCID Server Kit DVD to virtual machine and mount it to /media/ADUCID
-  * Copy the repository directory from the ADUCID Server Kit DVD to  /media/ADUCID
-Install and run the aducid-installer script
-<codedoc code:bash>
-cd /media/ADUCID/repository/el7/x86_64
-yum localinstall aducid-repository
-yum localinstall aducid-installer
-aducid-installer
-</codedoc>
-The aducid-installer script (see /usr/local/bin/aducid-installer.sh) asks about AIM server parameters:
-    hostname. Preferably whole DNS name.
-    service provider ID, AIM machine inner identification. DNS hostname is a good candidate.
-    icon file. 40x40 .png Will be seen on client PEIGs. This can be changed anytime, files are located in /usr/share/pixmaps
-    replication password. In fact, DB access password for account created during install
-===== Post-install checks =====
-==== Certificates ====
-Certificates for SSL comunication (like other parameters of SSL/TLS comunication) need to be set in /opt/aaa/conf/aducid-aaa.conf. It may happen that the install script rewrites your previous settings. Having corrected this settings, please restart the httpd24-httpd service.
-<codedoc code:bash>
-SSLCertificateFile      /opt/aaa/certs/wild.aducid.com.crt
-SSLCertificateKeyFile   /opt/aaa/certs/wild.aducid.com.key
-SSLCertificateChainFile /opt/aaa/certs/Thawte.CA.Intermediate.SHA256.crt
-SSLCACertificateFile    /opt/aaa/certs/Thawte.CA.Primary.Root.G3.crt
-</codedoc>
-Other certificates used by ADUCID server are listed in /opt/tomcat/conf/ADUCID.properties. After you set this parameters to your certificate files, restart of the tomcat9.service is needed.
-<codedoc code:bash>
-PUBLIC_KEY=/opt/aaa/certs/wild.aducid.com.crt
-PRIVATE_KEY=/opt/aaa/certs/wild.aducid.com.key
-</codedoc>
-It is recommended to restart the server after installation.
-==== Component checks ====
-After restart, check main status of main components.
-postinstall checks
-<codedoc code:bash>
-orange-d3:~ root$ systemctl -l status httpd24-httpd.service
-● httpd24-httpd.service - The Apache HTTP Server
-   Loaded: loaded (/usr/lib/systemd/system/httpd24-httpd.service; enabled; vendor preset: disabled)
-   Active: active (running) since Mon 2018-06-25 22:54:51 CEST; 9min ago
- Main PID: 913 (httpd)
-   Status: "Total requests: 11; Idle/Busy workers 100/0;Requests/sec: 0.0187; Bytes served/sec:  37 B/sec"
-   CGroup: /system.slice/httpd24-httpd.service
-           ├─ 913 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
-           ├─1129 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
-           ├─1130 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
-           ├─1131 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
-           ├─1132 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
-           ├─1133 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
-           └─1697 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:accept:SSLv3 read certificate verify A
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:accept:SSLv3 read finished A
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:accept:SSLv3 write change cipher spec A
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:accept:SSLv3 write finished A
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:accept:SSLv3 flush data
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:negotiate:SSL negotiation finished successfully
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: id=a6ae3724b541fb22127a207882e99ee2d1b0c762922ceff78dd4839872a712ab hash=8112 index=0
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: 127.0.0.1:8888 sent 94 byte(s)
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: 127.0.0.1:8888 recv 168 byte(s)
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:alert write:warning:close notify
-# do not be confused with the following message: "The ADUCID Apache HTTP Server"
-orange-d3:~ root$ systemctl -l status aducid-aaa.service
-● aducid-aaa.service - The ADUCID Apache HTTP Server
-   Loaded: loaded (/usr/lib/systemd/system/aducid-aaa.service; enabled; vendor preset: disabled)
-   Active: active (running) since Mon 2018-06-25 22:54:50 CEST; 11min ago
-  Process: 890 ExecStart=/opt/aaa/bin/aducid-aaa.sh start (code=exited, status=0/SUCCESS)
- Main PID: 901 (aaa)
-   CGroup: /system.slice/aducid-aaa.service
-           ├─901 aaad
-           ├─905 aaa/1
-           ├─906 aaa/2
-           ├─907 aaa/3
-           └─908 aaa/4
-Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: sess.created:1529960583
-Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: sess.modified:1529960583
-Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: sess.expires:1529967783
-Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: 127.0.0.1:36274 sent 168 byte(s)
-Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: 127.0.0.1:52677 recv 94 byte(s)
-Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.id:a6ae3724b541fb22127a207882e99ee2d1b0c762922ceff78dd4839872a712ab
-Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.created:1529960583
-Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.modified:1529960583
-Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.expires:1529967783
-Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: 127.0.0.1:52677 sent 168 byte(s)
-orange-d3:~ root$ systemctl -l status tomcat9.service
-● tomcat9.service - Apache Tomcat 9.0.6 Servlet Container
-   Loaded: loaded (/usr/lib/systemd/system/tomcat9.service; enabled; vendor preset: disabled)
-   Active: active (running) since Mon 2018-06-25 22:54:50 CEST; 12min ago
-  Process: 887 ExecStart=/opt/tomcat/bin/tomcat-startup.sh (code=exited, status=0/SUCCESS)
- Main PID: 921 (java)
-   CGroup: /system.slice/tomcat9.service
-           └─921 /usr/java/default/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -server -Dcom.sun.management.jmxremote.port=8086 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Xms2g -Xmx2g -XX:+UseG1GC -XX:+UseStringDeduplication -XX:MaxGCPauseMillis=100 -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
-Jun 25 22:54:50 orange-d3.aducid.com systemd[1]: Starting Apache Tomcat 9.0.6 Servlet Container...
-Jun 25 22:54:50 orange-d3.aducid.com tomcat-startup.sh[887]: + cd /opt/tomcat
-Jun 25 22:54:50 orange-d3.aducid.com tomcat-startup.sh[887]: + ./bin/startup.sh
-Jun 25 22:54:50 orange-d3.aducid.com systemd[1]: Started Apache Tomcat 9.0.6 Servlet Container.
-</codedoc>
-==== Compoment log checks ====
-The system is fully ready after tomcat server start. This can be checked by looking into tomcat's catalina.out.
-tomcat log
-<codedoc code:bash>
-orange-d3:~ root$ tail -f /opt/tomcat/logs/catalina.out
-Not found in 'org.owasp.esapi.resources' directory or file not readable: /opt/apache-tomcat-9.0.6/validation.properties
-Not found in SystemResource Directory/resourceDirectory: .esapi/validation.properties
-Not found in 'user.home' (/opt/tomcat) directory: /opt/tomcat/esapi/validation.properties
-Loading validation.properties via file I/O failed.
-Attempting to load validation.properties via the classpath.
-SUCCESSFULLY LOADED validation.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
--Jun-2018 22:57:07.841 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/opt/apache-tomcat-9.0.6/webapps/qrtest.war] has finished in [3,228] ms
--Jun-2018 22:57:07.861 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
--Jun-2018 22:57:07.884 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
--Jun-2018 22:57:07.889 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 133079 ms
-</codedoc>
-Other log files:
-  * AIM: /opt/tomcat/log/aim.log
-  * tomcat9.service:	/opt/tomcat/logs/*
-  * aducid-aaa.service	/var/log/messages
-  * httpd24-httpd.service	/var/log/httpd24/*
-RPM Component summary
-aducid-configurator.rpm	installation and config script
-aducid-repository.rpm	yum repository file
-aducid-aaa-modules.rpm	Apache settings for ADUCID components
-aim.rpm	AIM and all basic components
-aducid-proof.rpm	Identity proofing apps
-aducid-demo.rpm	Demo apps

ADUCID 4.x

User Tools

Site Tools

Differences

Page Tools