Directories for aducid-aaa-modules
The AAA modules need the following directories to exist before installation (/opt/aaa itself must already be present; mkdir -p creates any missing parents):

mkdir /opt/aaa/install
mkdir /opt/aaa/logs
mkdir /opt/aaa/conf
mkdir /opt/aaa/conf/aducid
mkdir /opt/aaa/certs
mkdir /opt/aaa/aducid-error-pages
mkdir /opt/aaa/bin

/opt/aaa/certs will hold the server's private TLS key (see the SSLCertificateKeyFile setting below); httpd reads it as root at startup, so keep the directory owner-only, e.g. chmod 700 /opt/aaa/certs.
Files for aducid-aaa-modules
Please adjust your server hostname in these files, as indicated.
A. File /usr/lib/systemd/system/aducid-aaa.service

# cat /usr/lib/systemd/system/aducid-aaa.service
[Unit]
Description=The ADUCID Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target

[Service]
#Type=notify
Type=forking
EnvironmentFile=/etc/sysconfig/aducid-aaa
ExecStart=/opt/aaa/bin/aducid-aaa.sh start
ExecReload=/opt/aaa/bin/aducid-aaa.sh restart
ExecStop=/opt/aaa/bin/aducid-aaa.sh stop
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
# httpd time to finish.
#KillSignal=SIGCONT
#PrivateTmp=true

[Install]
WantedBy=multi-user.target

B. File /etc/sysconfig/aducid-aaa

This is the EnvironmentFile the unit above loads. Set OPENAAA_AUTHORITY to this server's DNS name (the value your.server.dnsname is a placeholder).

# cat /etc/sysconfig/aducid-aaa
#
# This file can be used to set additional environment variables for
# the httpd process, or pass additional options to the httpd
# executable.
#
# Note: With previous versions of httpd, the MPM could be changed by
# editing an "HTTPD" variable here. With the current version, that
# variable is now ignored. The MPM is a loadable module, and the
# choice of MPM can be changed by editing the configuration file
# /etc/httpd/conf.modules.d/00-mpm.conf.
#
#
# To pass additional options (for instance, -D definitions) to the
# httpd binary at startup, set OPTIONS here.
#
#OPTIONS=
#
# This setting ensures the httpd process is started in the "C" locale
# by default. (Some modules will not behave correctly if
# case-sensitive string comparisons are performed in a different
# locale.)
#
OPENAAA_PROTOCOL=aaa
OPENAAA_HANDLER=/usr/local/bin/aducid
OPENAAA_AUTHORITY=your.server.dnsname

C. File /opt/aaa/bin/aducid-aaa.sh

Nothing to edit here; just check that the contents of the file are as follows.

# cat /opt/aaa/bin/aducid-aaa.sh
#!/bin/bash -x
#
# Start stop or restart the ADUCID-AAA service
#
#
PATH=/sbin:/usr/sbin:$PATH
RETVAL=0

# Check that networking is up.
. /etc/sysconfig/network

usage () {
    echo $"Usage: $0 {start|stop|restart}" 1>&2
    RETVAL=2
}

start () {
    /usr/bin/aaa -s -vv &
    /opt/aaa/bin/httpd -k start
}

stop () {
    /opt/aaa/bin/httpd -k stop
    kill -9 `cat /var/run/aaad.pid`
}

restart () {
    stop
    start
}

case "$1" in
    stop)
        stop
        ;;
    status)
        status
        ;;
    start|restart|reload|force-reload)
        restart
        ;;
    *)
        usage
        ;;
esac
exit $RETVAL

Three things are worth knowing when reading this script: "status" is dispatched to but never defined, so "aducid-aaa.sh status" fails with "command not found" (use systemctl status aducid-aaa.service instead); "start" is routed through "restart", so even a cold start first runs "stop", which includes a kill -9 on whatever PID is in /var/run/aaad.pid; and the "-x" in the shebang traces every command into the journal.

D. File /etc/profile.d/openaaa.sh

# cat /etc/profile.d/openaaa.sh
#!/bin/bash
export OPENAAA_PROTOCOL=aaa
export OPENAAA_HANDLER=/usr/local/bin/aducid
export OPENAAA_AUTHORITY=`hostname`

This file only affects interactive shells; the service itself takes its values from /etc/sysconfig/aducid-aaa. Note that `hostname` returns the configured host name, which may be a short name rather than the full DNS name, so check that both files end up with the same OPENAAA_AUTHORITY.
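The OPENAAA_* variables above are easy to leave half-edited (the placeholder your.server.dnsname left in /etc/sysconfig/aducid-aaa, or a short name from `hostname`). The following script is an added example and is not part of the aducid-aaa-modules package: it reads the EnvironmentFile that aducid-aaa.service uses, rejects the placeholder and non-qualified names, verifies that the handler is an existing executable, and optionally compares the authority with the host's FQDN. The placeholder string, the "contains a dot" rule for a fully qualified name and the file path are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of aducid-aaa-modules: validate the OPENAAA_* settings
# in the EnvironmentFile that aducid-aaa.service reads (/etc/sysconfig/aducid-aaa).
# Assumptions: the shipped placeholder is "your.server.dnsname", an authority must
# contain at least one dot to count as fully qualified, and OPENAAA_HANDLER must be
# an existing executable.

# env_value FILE KEY: value of KEY from a KEY=value file. The last assignment
# wins, as it does for systemd's EnvironmentFile; surrounding quotes are dropped.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_openaaa_env FILE [EXPECTED_FQDN]
# Prints every problem found; returns 1 if there was any, 0 otherwise.
check_openaaa_env() {
    file=$1
    expected_fqdn=${2:-}
    rc=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }

    proto=$(env_value "$file" OPENAAA_PROTOCOL)
    handler=$(env_value "$file" OPENAAA_HANDLER)
    authority=$(env_value "$file" OPENAAA_AUTHORITY)

    [ "$proto" = "aaa" ] || { echo "OPENAAA_PROTOCOL is '$proto', expected 'aaa'"; rc=1; }

    # The handler is executed by the aaa daemon: it must be an absolute path to a file we can run.
    case $handler in
        /*) [ -x "$handler" ] || { echo "OPENAAA_HANDLER '$handler' is not an executable file"; rc=1; } ;;
        *)  echo "OPENAAA_HANDLER must be an absolute path (got '$handler')"; rc=1 ;;
    esac

    # The authority is the name clients will see; a placeholder or a short name is a misconfiguration.
    case $authority in
        ""|your.server.dnsname)
            echo "OPENAAA_AUTHORITY still holds the placeholder; set it to this server's DNS name"; rc=1 ;;
        *.*) ;;
        *)  echo "OPENAAA_AUTHORITY '$authority' is not a fully qualified name"; rc=1 ;;
    esac
    if [ -n "$expected_fqdn" ] && [ "$authority" != "$expected_fqdn" ]; then
        echo "OPENAAA_AUTHORITY '$authority' differs from this host's FQDN '$expected_fqdn'"; rc=1
    fi
    return $rc
}

# Run as root after editing the file:  sh check-openaaa-env.sh run
if [ "${1:-}" = "run" ]; then
    check_openaaa_env /etc/sysconfig/aducid-aaa "$(hostname -f)"
fi
```

A non-zero exit means the file should be fixed before "systemctl start aducid-aaa"; the comparison with hostname -f is optional because the authority may legitimately be a service alias rather than the machine's own name.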
Do one of the following:
Install and run the aducid-installer script
# the rpm files are located in this directory
cd /media/ADUCID/repository/el7/x86_64
# find the exact filename using the TAB key at the command prompt
yum localinstall aducid-repository-
# ditto for the installer package
yum localinstall aducid-installer-
# now the install script is in the path (/usr/local/bin); invoke it
aducid-installer
The aducid-installer script (see /usr/local/bin/aducid-installer.sh) asks for the following AIM server parameters:

| Parameter | Meaning |
| hostname | Preferably the whole DNS name |
| service provider ID | Internal identification of the AIM machine. The DNS hostname is a good candidate. |
| icon file | 100×100 .png file that will be shown on client PEIGs. This can be changed at any time; the files are located in /usr/share/pixmaps |
| replication password | In fact the DB access password for the account created during install |
Certificates for SSL/TLS communication (like the other parameters of the SSL/TLS configuration) need to be set in /opt/aaa/conf/aducid-aaa.conf. The install script may overwrite your previous settings, so check the file after running it. Having corrected these settings, restart the httpd24-httpd service.

SSLCertificateFile /opt/aaa/certs/wild.aducid.com.crt
SSLCertificateKeyFile /opt/aaa/certs/wild.aducid.com.key
SSLCertificateChainFile /opt/aaa/certs/Thawte.CA.Intermediate.SHA256.crt
SSLCACertificateFile /opt/aaa/certs/Thawte.CA.Primary.Root.G3.crt

The file names above are the vendor's own wildcard certificate and its issuer chain; replace them with your server's certificate, private key and chain. The private key file should be owned by root and readable by nobody else (chmod 600).
Other certificates used by the ADUCID server are listed in /opt/tomcat/conf/ADUCID.properties. After you point these parameters at your certificate files, a restart of tomcat9.service is needed.

PUBLIC_KEY=/opt/aaa/certs/wild.aducid.com.crt
PRIVATE_KEY=/opt/aaa/certs/wild.aducid.com.key

The Tomcat process reads this key too, so if Tomcat runs under its own account the key must be readable by that account as well as by root; keep it unreadable for everyone else.
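Because the installer can rewrite aducid-aaa.conf, it pays to check the TLS material it points at before restarting httpd. The following script is an added example and not ADUCID's own tooling: it pulls the mod_ssl directives out of the config, verifies that every referenced file exists, that the private key is not group- or world-readable, and (when openssl is installed) that the certificate actually carries the public half of that key. The owner-only permission policy and the default config path are this example's choices.

```shell
#!/bin/sh
# Added example, not part of the ADUCID packages: check the TLS material that
# /opt/aaa/conf/aducid-aaa.conf points at before restarting httpd. Directive
# names are mod_ssl's; the "private key readable by owner only" policy and the
# default conf path are this example's choices.

# ssl_directive CONF NAME: value of the last occurrence of a directive (empty if absent).
ssl_directive() {
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# go_perms FILE: group-and-other permission bits as ls prints them ("------" = owner only).
go_perms() {
    ls -ld "$1" | cut -c5-10
}

# check_tls_material CONF: prints each problem found; returns 1 if any, else 0.
check_tls_material() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    cert=$(ssl_directive "$conf" SSLCertificateFile)
    key=$(ssl_directive "$conf" SSLCertificateKeyFile)
    chain=$(ssl_directive "$conf" SSLCertificateChainFile)
    ca=$(ssl_directive "$conf" SSLCACertificateFile)

    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "SSLCertificateFile and SSLCertificateKeyFile must both be set in $conf"
        return 1
    fi
    # Every referenced file must exist; chain and CA file are optional directives.
    for f in "$cert" "$key" "$chain" "$ca"; do
        if [ -n "$f" ] && [ ! -r "$f" ]; then
            echo "missing or unreadable: $f"; rc=1
        fi
    done
    # httpd reads the key as root at startup; no other account needs it.
    if [ -r "$key" ] && [ "$(go_perms "$key")" != "------" ]; then
        echo "private key $key is group/world accessible ($(go_perms "$key")); run: chmod 600 $key"; rc=1
    fi
    # The certificate must contain the public key matching this private key.
    # Compared as PEM SubjectPublicKeyInfo; skipped when openssl is not installed.
    if command -v openssl >/dev/null 2>&1 && [ -r "$cert" ] && [ -r "$key" ]; then
        cpub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null || true)
        kpub=$(openssl pkey -pubout -in "$key" 2>/dev/null || true)
        if [ -z "$cpub" ] || [ "$cpub" != "$kpub" ]; then
            echo "$cert does not match $key (or one of them is not valid PEM)"; rc=1
        fi
    fi
    return $rc
}

# Run as root:  sh check-tls-material.sh run   (then: systemctl restart httpd24-httpd)
if [ "${1:-}" = "run" ]; then
    check_tls_material /opt/aaa/conf/aducid-aaa.conf
fi
```

The same check can be pointed at the PUBLIC_KEY/PRIVATE_KEY pair from ADUCID.properties by writing the two paths into a throwaway file as SSLCertificateFile and SSLCertificateKeyFile lines.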
It is recommended to restart the server after installation.
After the restart, check the status of the main components (post-install checks):
orange-d3:~ root$ systemctl -l status httpd24-httpd.service
● httpd24-httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd24-httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-06-25 22:54:51 CEST; 9min ago
 Main PID: 913 (httpd)
   Status: "Total requests: 11; Idle/Busy workers 100/0;Requests/sec: 0.0187; Bytes served/sec: 37 B/sec"
   CGroup: /system.slice/httpd24-httpd.service
           ├─ 913 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
           ├─1129 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
           ├─1130 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
           ├─1131 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
           ├─1132 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
           ├─1133 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
           └─1697 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND

Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:accept:SSLv3 read certificate verify A
Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:accept:SSLv3 read finished A
Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:accept:SSLv3 write change cipher spec A
Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:accept:SSLv3 write finished A
Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:accept:SSLv3 flush data
Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:negotiate:SSL negotiation finished successfully
Jun 25 23:03:03 orange-d3.aducid.com [1697]: id=a6ae3724b541fb22127a207882e99ee2d1b0c762922ceff78dd4839872a712ab hash=8112 index=0
Jun 25 23:03:03 orange-d3.aducid.com [1697]: 127.0.0.1:8888 sent 94 byte(s)
Jun 25 23:03:03 orange-d3.aducid.com [1697]: 127.0.0.1:8888 recv 168 byte(s)
Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:alert write:warning:close notify

The "SSLv3 read ... / write ..." lines are OpenSSL's handshake state names, which older OpenSSL versions print with an SSLv3 prefix for every protocol version; they do not mean SSLv3 was negotiated. The protocol and cipher actually in use are governed by the SSLProtocol and SSLCipherSuite settings in aducid-aaa.conf.

Do not be confused by the description of the next unit, "The ADUCID Apache HTTP Server": aducid-aaa.service is the unit that runs the aaa daemon and its workers.

orange-d3:~ root$ systemctl -l status aducid-aaa.service
● aducid-aaa.service - The ADUCID Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/aducid-aaa.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-06-25 22:54:50 CEST; 11min ago
  Process: 890 ExecStart=/opt/aaa/bin/aducid-aaa.sh start (code=exited, status=0/SUCCESS)
 Main PID: 901 (aaa)
   CGroup: /system.slice/aducid-aaa.service
           ├─901 aaad
           ├─905 aaa/1
           ├─906 aaa/2
           ├─907 aaa/3
           └─908 aaa/4

Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: sess.created:1529960583
Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: sess.modified:1529960583
Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: sess.expires:1529967783
Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: 127.0.0.1:36274 sent 168 byte(s)
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: 127.0.0.1:52677 recv 94 byte(s)
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.id:a6ae3724b541fb22127a207882e99ee2d1b0c762922ceff78dd4839872a712ab
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.created:1529960583
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.modified:1529960583
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.expires:1529967783
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: 127.0.0.1:52677 sent 168 byte(s)

orange-d3:~ root$ systemctl -l status tomcat9.service
● tomcat9.service - Apache Tomcat 9.0.6 Servlet Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat9.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-06-25 22:54:50 CEST; 12min ago
  Process: 887 ExecStart=/opt/tomcat/bin/tomcat-startup.sh (code=exited, status=0/SUCCESS)
 Main PID: 921 (java)
   CGroup: /system.slice/tomcat9.service
           └─921 /usr/java/default/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -server -Dcom.sun.management.jmxremote.port=8086 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Xms2g -Xmx2g -XX:+UseG1GC -XX:+UseStringDeduplication -XX:MaxGCPauseMillis=100 -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start

Jun 25 22:54:50 orange-d3.aducid.com systemd[1]: Starting Apache Tomcat 9.0.6 Servlet Container...
Jun 25 22:54:50 orange-d3.aducid.com tomcat-startup.sh[887]: + cd /opt/tomcat
Jun 25 22:54:50 orange-d3.aducid.com tomcat-startup.sh[887]: + ./bin/startup.sh
Jun 25 22:54:50 orange-d3.aducid.com systemd[1]: Started Apache Tomcat 9.0.6 Servlet Container.

Note the JMX flags on the Tomcat command line: -Dcom.sun.management.jmxremote.port=8086 together with jmxremote.ssl=false and jmxremote.authenticate=false exposes the JVM's MBeans to anyone who can reach TCP port 8086, with no credentials and no encryption. Either firewall that port so only your monitoring host can reach it, or switch on authentication (jmxremote.authenticate=true with jmxremote.password.file and jmxremote.access.file) and TLS before the server is reachable from outside the management network.
The system is fully ready only after the Tomcat server has started, which takes a while (about two minutes in the log below). This can be checked by looking into Tomcat's catalina.out:

orange-d3:~ root$ tail -f /opt/tomcat/logs/catalina.out
Not found in 'org.owasp.esapi.resources' directory or file not readable: /opt/apache-tomcat-9.0.6/validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi/validation.properties
Not found in 'user.home' (/opt/tomcat) directory: /opt/tomcat/esapi/validation.properties
Loading validation.properties via file I/O failed.
Attempting to load validation.properties via the classpath.
SUCCESSFULLY LOADED validation.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
25-Jun-2018 22:57:07.841 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/opt/apache-tomcat-9.0.6/webapps/qrtest.war] has finished in [3,228] ms
25-Jun-2018 22:57:07.861 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
25-Jun-2018 22:57:07.884 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
25-Jun-2018 22:57:07.889 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 133079 ms

The ESAPI "Not found" lines are informational: the search ends with the properties being loaded from the classpath. The line to wait for is "Server startup in ... ms". Two listeners are started, HTTP on 8080 and AJP on 8009; AJP carries no authentication of its own, so like the JMX port it should be reachable only from the hosts that need it (normally just the local httpd).
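The manual checks above (is Tomcat finished starting, is JMX exposed, where are the management ports bound) are easy to turn into a script that can run after every restart. The following is an added example, not ADUCID tooling: the log patterns are Tomcat's own as shown in the output above; the default log path, the port numbers and the use of ss for the socket listing are this example's assumptions. It goes slightly beyond the page by also classifying how a port is bound (loopback, all interfaces, or a specific address) from `ss -ltn` output.

```shell
#!/bin/sh
# Added example, not ADUCID tooling: scriptable version of the post-install look
# at catalina.out and the Tomcat command line. Log patterns are Tomcat's (as
# shown on this page); the default paths and port numbers are assumptions.

# tomcat_ready LOG: 0 once Tomcat reports startup complete and both connectors
# (HTTP and AJP) have started; 1 while the log is still incomplete.
tomcat_ready() {
    grep -q 'Starting ProtocolHandler \["http-nio-' "$1" \
    && grep -q 'Starting ProtocolHandler \["ajp-nio-' "$1" \
    && grep -q 'org.apache.catalina.startup.Catalina.start Server startup in' "$1"
}

# jmx_unprotected CMDLINE: 0 if the JVM exposes JMX remote without
# authentication or without TLS (as the tomcat9 unit on this page does), else 1.
jmx_unprotected() {
    case $1 in
        *-Dcom.sun.management.jmxremote.port=*)
            case $1 in
                *jmxremote.authenticate=false*|*jmxremote.ssl=false*) return 0 ;;
            esac ;;
    esac
    return 1
}

# listen_scope PORT: reads `ss -ltn` output on stdin and prints "loopback",
# "all", "none" or the specific address the TCP port is bound to. A wildcard
# binding wins over any other listener on the same port.
listen_scope() {
    awk -v p=":$1" '
        $1 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p {
            addr = substr($4, 1, length($4) - length(p))
            if (addr == "*" || addr == "0.0.0.0" || addr == "[::]") { s = "all"; exit }
            if (addr == "127.0.0.1" || addr == "[::1]") s = "loopback"; else s = addr
        }
        END { print (s == "" ? "none" : s) }'
}

# On the AIM host:  sh postinstall-check.sh run
if [ "${1:-}" = "run" ]; then
    if tomcat_ready /opt/tomcat/logs/catalina.out; then
        echo "tomcat: ready"
    else
        echo "tomcat: not ready yet"
    fi
    javacmd=$(ps -o args= -C java 2>/dev/null || true)
    if jmx_unprotected "$javacmd"; then
        echo "JMX remote enabled without auth/TLS; port 8086 is bound to: $(ss -ltn | listen_scope 8086)"
    fi
    echo "AJP 8009 is bound to: $(ss -ltn | listen_scope 8009)"
fi
```

Anything reported as "all" for 8086 or 8009 should be restricted by firewall rules or by the connector/JMX configuration before the machine is exposed beyond the management network.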
Other log files:
| RPM | Component summary |
| aducid-configurator.rpm | installation and config script |
| aducid-repository.rpm | yum repository file |
| aducid-aaa-modules.rpm | Apache settings for ADUCID components |
| aim.rpm | AIM and all basic components |
| aducid-proof.rpm | Identity proofing apps |
| aducid-demo.rpm | Demo apps |