Table of Contents

Software Components

ADUCID supports two database systems: PostgreSQL and Microsoft SQL.

PostgreSQL

Software Installation

Configure repository files to make sure correct software is installed: Modify [base] and [updates] sections of /etc/yum.repos.d/CentOS-Base.repo

vi /etc/yum.repos.d/CentOS-Base.repo

exclude=postgresql*
Next, get the packages and install them

yum install https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-redhat96-9.6-3.noarch.rpm 
yum install postgresql96 postgresql96-server postgresql96-devel postgresql-jdbc
#
/usr/pgsql-9.6/bin/postgresql96-setup initdb
systemctl enable postgresql-9.6.service
systemctl start postgresql-9.6.service

DB configuration

Roles after installation

su - postgres
createuser -l -s root
vi /var/lib/pgsql/9.6/data/pg_hba.conf

# IPv4 local connections:
host    all             all             127.0.0.1/32            trust

logout
systemctl restart postgresql-9.6.service

Java

Software Installation

We use OpenJDK 13. Get it and save the file in /opt directory

cd /opt
wget https://download.java.net/java/GA/jdk13.0.2/d4173c853231432d94f001e99d882ca7/8/GPL/openjdk-13.0.2_linux-x64_bin.tar.gz 
tar -xvf openjdk-13.0.2_linux-x64_bin.tar.gz
ln -s jdk-13.0.2 jdk-13

Software Configuration

We need to add one more file to JDK distribution

/opt/jdk-13/lib/fontconfig.properties

version=1
sequence.allfonts=default 

Tomcat

Tomcat 9.0.6 installation bash commands:

# A | installation
cd ~
mkdir development
cd development
wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.6/bin/apache-tomcat-9.0.6.tar.gz 
# install tomcat to the /opt/tomcat directory
mkdir /opt/apache-tomcat-9.0.6
 
tar xvf apache-tomcat-9*tar.gz -C /opt/apache-tomcat-9.0.6 --strip-components=1
 
# symlink /opt/tomcat to /opt/apache-tomcat-9.0.6
ln -s /opt/apache-tomcat-9.0.6 /opt/tomcat
 
# B | create tomcat user :: should be run as an unprivileged user
# 1. create a new tomcat group
groupadd tomcat
 
# 2. create a tomcat user ::
# member of the tomcat group, home directory of /opt/tomcat (install), shell of /bin/false (nobody login)
useradd -M -s /sbin/nologin -g tomcat -d /opt/tomcat tomcat
 
# C | update permissions :: proper access to the tomcat installation
cd /opt/tomcat
 
# tomcat group ownership over the entire installation directory
chgrp -R tomcat /opt/tomcat
 
# tomcat group read access to the conf directory, and execute access to the directory
chmod -R g+r conf
chmod g+x conf
 
# make the tomcat user the owner of the directories
chown -R tomcat webapps/ work/ temp/ logs/
chown -R tomcat /opt/tomcat
chown -R tomcat /opt/apache-tomcat-9.0.6

Next, create systemd unit file

vi /usr/lib/systemd/system/tomcat9.service

 
[Unit]
Description=Apache Tomcat 9.0.x Servlet Container
After=syslog.target network.target
 
[Service]
User=tomcat
Group=tomcat
Type=forking
Environment=JAVA_HOME=/opt/jdk-13
Environment=CATALINA_PID=/opt/tomcat/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
ExecStart=/opt/tomcat/bin/tomcat-startup.sh
ExecStop=/opt/tomcat/bin/tomcat-shutdown.sh
 
[Install]
WantedBy=multi-user.target

Prepare config files

vi /opt/tomcat/bin/tomcat-startup.sh

 
#!/bin/bash -x
cd $CATALINA_BASE
./bin/startup.sh

vi /opt/tomcat/bin/tomcat-shutdown.sh

 
#!/bin/bash -x
cd $CATALINA_BASE
./bin/shutdown.sh

vi /opt/tomcat/bin/setenv.sh

* IMPORTANT: Check validity of Xms-Xmx settings according in your environment *

 
CATALINA_OPTS="-server 
 -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true 
 -Xms2g -Xmx2g 
 -XX:+UseG1GC 
 -XX:+UseStringDeduplication 
 -XX:MaxGCPauseMillis=100"

Make the scripts executable

chmod +x /opt/tomcat/bin/*.sh

Add ${catalina.home}/conf to the common.loader values in the catalina.properties file and change the lines for jarsToSkip, jarsToScan to somewhat speed Tomcat startup

vi /opt/tomcat/conf/catalina.properties

 
common.loader="${catalina.base}/lib","${catalina.base}/lib/*.jar","${catalina.home}/lib","${catalina.home}/lib/*.jar","${catalina.home}/conf"
# ... 
tomcat.util.scan.StandardJarScanFilter.jarsToSkip=*.jar
tomcat.util.scan.StandardJarScanFilter.jarsToScan=jstl-*.jar,spring-webmvc-*.jar,web_platform-*.jar

reload Systemd to load the tomcat9 unit file

systemctl daemon-reload
systemctl enable tomcat9.service

Start tomcat9 service. This is only to check, if everything goes well

systemctl start tomcat9.service
systemctl -l status tomcat9.service

Delete all default webapps

systemctl stop tomcat9.service
cd /opt/tomcat/webapps
rm -rf *

Set up AJP connector for requests from Apache

vi /opt/tomcat/conf/server.xml

 
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!-- ADUCID AJP options -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" 
    enableLookups="false" 
    acceptCount="300"  
    keepAliveTimeout="7000" 
    connectionTimeout="10000" 
    URIEncoding="UTF-8" />

Make tomcat user also owner of the jdk-13 directory

chown -R tomcat:root /opt/jdk-13/

Optional:

Apache

Software Installation

CodeIT Apache 2.4 and related modules

Download CodeIT Apache 2.4.25 (NOT NEWER) RPMs from https://repo.codeit.guru/packages/centos/7/x86_64/.

If the files are no longer on the above URL, you can download them from here: httpd-2.4.25-codeit.zip

cd ~
mkdir -p apache/CodeIT
cd apache/CodeIT
 
wget https://repo.codeit.guru/packages/archive/centos/7/x86_64/apr-1.5.2-1.el7.codeit.x86_64.rpm
wget https://repo.codeit.guru/packages/archive/centos/7/x86_64/httpd-2.4.25-3.el7.codeit.x86_64.rpm
wget https://repo.codeit.guru/packages/archive/centos/7/x86_64/httpd-filesystem-2.4.25-3.el7.codeit.noarch.rpm
wget https://repo.codeit.guru/packages/archive/centos/7/x86_64/httpd-tools-2.4.25-3.el7.codeit.x86_64.rpm
wget https://repo.codeit.guru/packages/archive/centos/7/x86_64/mod_ssl-2.4.25-3.el7.codeit.x86_64.rpm

Put them into selected directory (/root/apache/CodeIT) and from it yum localinstall one module after another, to prevent installation from external repositories.

Except for modules libnghttp2 and apr-util. They will be downloaded from the epel-release repository.

yum -y localinstall apr-1.5.2-1.el7.codeit.x86_64.rpm
yum -y localinstall httpd-filesystem-2.4.25-3.el7.codeit.noarch.rpm
yum -y localinstall httpd-tools-2.4.25-3.el7.codeit.x86_64.rpm
yum -y localinstall httpd-2.4.25-3.el7.codeit.x86_64.rpm
yum -y localinstall mod_ssl-2.4.25-3.el7.codeit.x86_64.rpm
 
rpm -qa | grep codeit
# you should see this:
httpd-tools-2.4.25-3.el7.codeit.x86_64
apr-1.5.2-1.el7.codeit.x86_64
mod_ssl-2.4.25-3.el7.codeit.x86_64
httpd-filesystem-2.4.25-3.el7.codeit.noarch
httpd-2.4.25-3.el7.codeit.x86_64
 
rpm -qa | grep http2
# you should see this:
libnghttp2-1.31.1-1.el7.x86_64

System variables setting

vi /usr/lib/systemd/system/httpd.service

Modify file commenting out the Environment line and add the next one:

 
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=notify
#Environment=LANG=C
EnvironmentFile=/etc/sysconfig/httpd

ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
# Send SIGWINCH for graceful stop
KillSignal=SIGWINCH
KillMode=mixed
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Modify /etc/sysconfig/httpd

LANG=C
OPENAAA_PROTOCOL="aaa"
OPENAAA_HANDLER="/usr/local/bin/tlsbinder"
OPENAAA_AUTHORITY=`hostname` 

Config files settings

They are in /etc/httpd.

vi /etc/httpd/conf/httpd.conf

 
### Keep the Include conf.modules.d/*.conf setting in the file,
### but append one line in front of it, so the result will be:
# ...
Loadfile "/usr/lib64/libssl.so.10"
Include conf.modules.d/*.conf
# ...
 
### Fill in your DNS server name
ServerName your.server.dnsname:80
 
### Choose desired log level   
LogLevel info

# Supplemental configuration is commented out
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
#IncludeOptional conf.d/*.conf

# Place these three lines at the end of file
TraceEnable Off
Include /opt/aaa/conf/aducid-aaa.conf
Include /opt/aaa/conf/aducid-aim.conf
Include /opt/aaa/conf/aducid-error-pages.conf
Modules from directory conf.d are NOT USED.

Modules from directory conf.modules.d: some were left intact, some put away, some changed.

cd /etc/httpd/conf.modules.d/
mv 00-optional.conf 00-optional.conf.xxx
mv 00-lua.conf 00-lua.conf.xxx
mv 00-dav.conf 00-dav.conf.xxx
cat 00-mpm.conf | grep prefork
# … result should be:
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
vi 00-proxy.conf

 
# This file configures all the proxy modules:
LoadModule proxy_module modules/mod_proxy.so
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so  

vi 00-base.conf

 
#
# This file loads most of the modules included with the Apache HTTP
# Server itself.
#
 
# This module is substantional
# as it communicates with other ADUCID non-Apache components
 
LoadModule authnz_ssl_module /usr/lib64/openaaa/modules/mod_authnz_ssl.so
 
# other modules as you like/need
LoadModule access_compat_module modules/mod_access_compat.so
#LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
#LoadModule allowmethods_module modules/mod_allowmethods.so
#LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_core_module modules/mod_authn_core.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
#LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authz_core_module modules/mod_authz_core.so
#LoadModule authz_dbd_module modules/mod_authz_dbd.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cache_module modules/mod_cache.so
#LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule cache_socache_module modules/mod_cache_socache.so
LoadModule data_module modules/mod_data.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
#LoadModule dumpio_module modules/mod_dumpio.so
#LoadModule echo_module modules/mod_echo.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule http2_module modules/mod_http2.so
LoadModule include_module modules/mod_include.so
LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
#LoadModule macro_module modules/mod_macro.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule remoteip_module modules/mod_remoteip.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule request_module modules/mod_request.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
#LoadModule socache_dbm_module modules/mod_socache_dbm.so
LoadModule socache_memcache_module modules/mod_socache_memcache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule status_module modules/mod_status.so
LoadModule substitute_module modules/mod_substitute.so
#LoadModule suexec_module modules/mod_suexec.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule version_module modules/mod_version.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule watchdog_module modules/mod_watchdog.so

Further steps

Prepare SSL certificates

Certificates for SSL communication (like other parameters of SSL/TLS communication) need to be set in the file /opt/aaa/conf/aducid-aaa.conf, that will be installed during ADUCID software install phase. At this point, just make sure, that you have these certificates ready.

Example files:

SSLCertificateFile      /opt/aaa/certs/wild.aducid.com.crt
SSLCertificateKeyFile   /opt/aaa/certs/wild.aducid.com.key
SSLCertificateChainFile /opt/aaa/certs/Thawte.CA.Intermediate.SHA256.crt
SSLCACertificateFile    /opt/aaa/certs/Thawte.CA.Primary.Root.G3.crt

Enable on system startup

systemctl daemon-reload
systemctl enable httpd.service