====== Software Components ====== ADUCID supports two database systems: PostgreSQL and Microsoft SQL. * If you decide to use default PostgerSQL database, install it according to the next section. * If you want to use Microsoft SQL database located on some other host, refer to section [[installation:04-ms-sql|MS SQL Database]]. ===== PostgreSQL ===== ==== Software Installation ==== Configure repository files to make sure correct software is installed: Modify [base] and [updates] sections of /etc/yum.repos.d/CentOS-Base.repo vi /etc/yum.repos.d/CentOS-Base.repo exclude=postgresql* Next, get the packages and install them yum install ~~codedoc:clean:https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-redhat96-9.6-3.noarch.rpm~~ yum install postgresql96 postgresql96-server postgresql96-devel postgresql-jdbc # /usr/pgsql-9.6/bin/postgresql96-setup initdb systemctl enable postgresql-9.6.service systemctl start postgresql-9.6.service ==== DB configuration ==== Roles after installation su - postgres createuser -l -s root vi /var/lib/pgsql/9.6/data/pg_hba.conf # IPv4 local connections: host all all 127.0.0.1/32 trust logout systemctl restart postgresql-9.6.service ===== Java ===== ==== Software Installation ==== We use OpenJDK 13. Get it and save the file in /opt directory cd /opt wget https://download.java.net/java/GA/jdk13.0.2/d4173c853231432d94f001e99d882ca7/8/GPL/openjdk-13.0.2_linux-x64_bin.tar.gz tar -xvf openjdk-13.0.2_linux-x64_bin.tar.gz ln -s jdk-13.0.2 jdk-13 ==== Software Configuration ==== We need to add one more file to JDK distribution /opt/jdk-13/lib/fontconfig.properties version=1 sequence.allfonts=default ===== Tomcat ===== Tomcat 9.0.6 installation bash commands: # A | installation cd ~ mkdir development cd development wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.6/bin/apache-tomcat-9.0.6.tar.gz # install tomcat to the /opt/tomcat directory mkdir /opt/apache-tomcat-9.0.6 tar xvf apache-tomcat-9*tar.gz -C /opt/apache-tomcat-9.0.6 ~~codedoc:clean:--~~strip-components=1 # symlink /opt/tomcat to /opt/apache-tomcat-9.0.6 ln -s /opt/apache-tomcat-9.0.6 /opt/tomcat # B | create tomcat user :: should be run as an unprivileged user # 1. create a new tomcat group groupadd tomcat # 2. create a tomcat user :: # member of the tomcat group, home directory of /opt/tomcat (install), shell of /bin/false (nobody login) useradd -M -s /sbin/nologin -g tomcat -d /opt/tomcat tomcat # C | update permissions :: proper access to the tomcat installation cd /opt/tomcat # tomcat group ownership over the entire installation directory chgrp -R tomcat /opt/tomcat # tomcat group read access to the conf directory, and execute access to the directory chmod -R g+r conf chmod g+x conf # make the tomcat user the owner of the directories chown -R tomcat webapps/ work/ temp/ logs/ chown -R tomcat /opt/tomcat chown -R tomcat /opt/apache-tomcat-9.0.6 Next, create systemd unit file vi /usr/lib/systemd/system/tomcat9.service [Unit] Description=Apache Tomcat 9.0.x Servlet Container After=syslog.target network.target [Service] User=tomcat Group=tomcat Type=forking Environment=JAVA_HOME=/opt/jdk-13 Environment=CATALINA_PID=/opt/tomcat/tomcat.pid Environment=CATALINA_HOME=/opt/tomcat Environment=CATALINA_BASE=/opt/tomcat ExecStart=/opt/tomcat/bin/tomcat-startup.sh ExecStop=/opt/tomcat/bin/tomcat-shutdown.sh [Install] WantedBy=multi-user.target Prepare config files vi /opt/tomcat/bin/tomcat-startup.sh #!/bin/bash -x cd $CATALINA_BASE ./bin/startup.sh vi /opt/tomcat/bin/tomcat-shutdown.sh #!/bin/bash -x cd $CATALINA_BASE ./bin/shutdown.sh vi /opt/tomcat/bin/setenv.sh *** IMPORTANT: Check validity of Xms-Xmx settings according in your environment *** CATALINA_OPTS="-server -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Xms2g -Xmx2g -XX:+UseG1GC -XX:+UseStringDeduplication -XX:MaxGCPauseMillis=100" Make the scripts executable chmod +x /opt/tomcat/bin/*.sh Add ${catalina.home}/conf to the common.loader values in the catalina.properties file and change the lines for jarsToSkip, jarsToScan to somewhat speed Tomcat startup vi /opt/tomcat/conf/catalina.properties common.loader="${catalina.base}/lib","${catalina.base}/lib/*.jar","${catalina.home}/lib","${catalina.home}/lib/*.jar","${catalina.home}/conf" # ... tomcat.util.scan.StandardJarScanFilter.jarsToSkip=*.jar tomcat.util.scan.StandardJarScanFilter.jarsToScan=jstl-*.jar,spring-webmvc-*.jar,web_platform-*.jar reload Systemd to load the tomcat9 unit file systemctl daemon-reload systemctl enable tomcat9.service Start tomcat9 service. This is only to check, if everything goes well systemctl start tomcat9.service systemctl -l status tomcat9.service Delete all default webapps systemctl stop tomcat9.service cd /opt/tomcat/webapps rm -rf * Set up AJP connector for requests from Apache vi /opt/tomcat/conf/server.xml Make tomcat user also owner of the jdk-13 directory chown -R tomcat:root /opt/jdk-13/ Optional: * change the port of tomcat webserver in case of conflicts * search for cd ~ mkdir -p apache/CodeIT cd apache/CodeIT wget ~~codedoc:clean:https:~~//repo.codeit.guru/packages/archive/centos/7/x86_64/apr-1.5.2-1.el7.codeit.x86_64.rpm wget ~~codedoc:clean:https:~~//repo.codeit.guru/packages/archive/centos/7/x86_64/httpd-2.4.25-3.el7.codeit.x86_64.rpm wget ~~codedoc:clean:https:~~//repo.codeit.guru/packages/archive/centos/7/x86_64/httpd-filesystem-2.4.25-3.el7.codeit.noarch.rpm wget ~~codedoc:clean:https:~~//repo.codeit.guru/packages/archive/centos/7/x86_64/httpd-tools-2.4.25-3.el7.codeit.x86_64.rpm wget ~~codedoc:clean:https:~~//repo.codeit.guru/packages/archive/centos/7/x86_64/mod_ssl-2.4.25-3.el7.codeit.x86_64.rpm Put them into selected directory (/root/apache/CodeIT) and from it yum localinstall one module after another, to prevent installation from external repositories. Except for modules libnghttp2 and apr-util. They will be downloaded from the epel-release repository. yum -y localinstall apr-1.5.2-1.el7.codeit.x86_64.rpm yum -y localinstall httpd-filesystem-2.4.25-3.el7.codeit.noarch.rpm yum -y localinstall httpd-tools-2.4.25-3.el7.codeit.x86_64.rpm yum -y localinstall httpd-2.4.25-3.el7.codeit.x86_64.rpm yum -y localinstall mod_ssl-2.4.25-3.el7.codeit.x86_64.rpm rpm -qa | grep codeit # you should see this: httpd-tools-2.4.25-3.el7.codeit.x86_64 apr-1.5.2-1.el7.codeit.x86_64 mod_ssl-2.4.25-3.el7.codeit.x86_64 httpd-filesystem-2.4.25-3.el7.codeit.noarch httpd-2.4.25-3.el7.codeit.x86_64 rpm -qa | grep http2 # you should see this: libnghttp2-1.31.1-1.el7.x86_64 ==== System variables setting ==== vi /usr/lib/systemd/system/httpd.service Modify file commenting out the Environment line and add the next one: [Unit] Description=The Apache HTTP Server After=network.target remote-fs.target nss-lookup.target [Service] Type=notify #Environment=LANG=C EnvironmentFile=/etc/sysconfig/httpd ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND ExecReload=/usr/sbin/httpd $OPTIONS -k graceful # Send SIGWINCH for graceful stop KillSignal=SIGWINCH KillMode=mixed PrivateTmp=true [Install] WantedBy=multi-user.target Modify /etc/sysconfig/httpd LANG=C OPENAAA_PROTOCOL="aaa" OPENAAA_HANDLER="/usr/local/bin/tlsbinder" OPENAAA_AUTHORITY=`hostname` ==== Config files settings ==== They are in /etc/httpd. vi /etc/httpd/conf/httpd.conf ### Keep the Include conf.modules.d/*.conf setting in the file, ### but append one line in front of it, so the result will be: # ... Loadfile "/usr/lib64/libssl.so.10" Include conf.modules.d/*.conf # ... ### Fill in your DNS server name ServerName your.server.dnsname:80 ### Choose desired log level LogLevel info # Supplemental configuration is commented out # # Load config files in the "/etc/httpd/conf.d" directory, if any. #IncludeOptional conf.d/*.conf # Place these three lines at the end of file TraceEnable Off Include /opt/aaa/conf/aducid-aaa.conf Include /opt/aaa/conf/aducid-aim.conf Include /opt/aaa/conf/aducid-error-pages.conf Modules from directory conf.d are **NOT USED**. Modules from directory conf.modules.d: some were left intact, some put away, some changed. cd /etc/httpd/conf.modules.d/ mv 00-optional.conf 00-optional.conf.xxx mv 00-lua.conf 00-lua.conf.xxx mv 00-dav.conf 00-dav.conf.xxx cat 00-mpm.conf | grep prefork # ... result should be: LoadModule mpm_prefork_module modules/mod_mpm_prefork.so vi 00-proxy.conf # This file configures all the proxy modules: LoadModule proxy_module modules/mod_proxy.so #LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so #LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so #LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so #LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so LoadModule proxy_ajp_module modules/mod_proxy_ajp.so #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so #LoadModule proxy_connect_module modules/mod_proxy_connect.so #LoadModule proxy_express_module modules/mod_proxy_express.so #LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so #LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so LoadModule proxy_http_module modules/mod_proxy_http.so #LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so #LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so vi 00-base.conf # # This file loads most of the modules included with the Apache HTTP # Server itself. # # This module is substantional # as it communicates with other ADUCID non-Apache components LoadModule authnz_ssl_module /usr/lib64/openaaa/modules/mod_authnz_ssl.so # other modules as you like/need LoadModule access_compat_module modules/mod_access_compat.so #LoadModule actions_module modules/mod_actions.so LoadModule alias_module modules/mod_alias.so #LoadModule allowmethods_module modules/mod_allowmethods.so #LoadModule auth_basic_module modules/mod_auth_basic.so #LoadModule auth_digest_module modules/mod_auth_digest.so #LoadModule authn_anon_module modules/mod_authn_anon.so LoadModule authn_core_module modules/mod_authn_core.so #LoadModule authn_dbd_module modules/mod_authn_dbd.so #LoadModule authn_dbm_module modules/mod_authn_dbm.so #LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_socache_module modules/mod_authn_socache.so LoadModule authz_core_module modules/mod_authz_core.so #LoadModule authz_dbd_module modules/mod_authz_dbd.so #LoadModule authz_dbm_module modules/mod_authz_dbm.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_host_module modules/mod_authz_host.so #LoadModule authz_owner_module modules/mod_authz_owner.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule cache_module modules/mod_cache.so #LoadModule cache_disk_module modules/mod_cache_disk.so LoadModule cache_socache_module modules/mod_cache_socache.so LoadModule data_module modules/mod_data.so #LoadModule dbd_module modules/mod_dbd.so #LoadModule deflate_module modules/mod_deflate.so LoadModule dir_module modules/mod_dir.so #LoadModule dumpio_module modules/mod_dumpio.so #LoadModule echo_module modules/mod_echo.so LoadModule env_module modules/mod_env.so #LoadModule expires_module modules/mod_expires.so #LoadModule ext_filter_module modules/mod_ext_filter.so LoadModule filter_module modules/mod_filter.so LoadModule headers_module modules/mod_headers.so LoadModule http2_module modules/mod_http2.so LoadModule include_module modules/mod_include.so LoadModule info_module modules/mod_info.so LoadModule log_config_module modules/mod_log_config.so LoadModule logio_module modules/mod_logio.so #LoadModule macro_module modules/mod_macro.so #LoadModule mime_magic_module modules/mod_mime_magic.so LoadModule mime_module modules/mod_mime.so LoadModule negotiation_module modules/mod_negotiation.so #LoadModule remoteip_module modules/mod_remoteip.so LoadModule reqtimeout_module modules/mod_reqtimeout.so LoadModule request_module modules/mod_request.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule setenvif_module modules/mod_setenvif.so #LoadModule slotmem_plain_module modules/mod_slotmem_plain.so #LoadModule slotmem_shm_module modules/mod_slotmem_shm.so #LoadModule socache_dbm_module modules/mod_socache_dbm.so LoadModule socache_memcache_module modules/mod_socache_memcache.so LoadModule socache_shmcb_module modules/mod_socache_shmcb.so LoadModule status_module modules/mod_status.so LoadModule substitute_module modules/mod_substitute.so #LoadModule suexec_module modules/mod_suexec.so #LoadModule unique_id_module modules/mod_unique_id.so LoadModule unixd_module modules/mod_unixd.so #LoadModule userdir_module modules/mod_userdir.so LoadModule version_module modules/mod_version.so #LoadModule vhost_alias_module modules/mod_vhost_alias.so #LoadModule watchdog_module modules/mod_watchdog.so ==== Further steps ==== **Prepare SSL certificates** Certificates for SSL communication (like other parameters of SSL/TLS communication) need to be set in the file /opt/aaa/conf/aducid-aaa.conf, that will be installed during ADUCID software install phase. At this point, just make sure, that you have these certificates ready. Example files: SSLCertificateFile /opt/aaa/certs/wild.aducid.com.crt SSLCertificateKeyFile /opt/aaa/certs/wild.aducid.com.key SSLCertificateChainFile /opt/aaa/certs/Thawte.CA.Intermediate.SHA256.crt SSLCACertificateFile /opt/aaa/certs/Thawte.CA.Primary.Root.G3.crt **Enable on system startup** systemctl daemon-reload systemctl enable httpd.service [<>]