documentation:server-install-aducid

documentation:server-install-aducid [2018/11/08 01:03]
mpospisek [Compoment log checks]
— (current)
Line 1: Line 1:
-====== ADUCID software ====== 
-===== File and directory preparation ===== 
- 
-Directories for aducid-aaa-modules 
- 
-AAA modules need the following directories are created before installation: 
-<codedoc code:bash> 
-mkdir /opt/aaa/install 
-mkdir /opt/aaa/logs 
-mkdir /opt/aaa/conf 
-mkdir /opt/aaa/conf/aducid 
-mkdir /opt/aaa/certs 
-mkdir /opt/aaa/aducid-error-pages 
-mkdir /opt/aaa/bin 
-mkdir -p /usr/lib64/openaaa/modules 
-</codedoc> 
- 
-Files for aducid-aaa-modules. **Please adjust your server hostname in these files, as indicated.** 
- 
-<codedoc code:bash> 
-vi /etc/profile.d/openaaa.sh 
-</codedoc> 
-<sxh bash> 
-#!/bin/bash 
-export OPENAAA_PROTOCOL=aaa 
-export OPENAAA_HANDLER=/usr/local/bin/aducid 
-export OPENAAA_AUTHORITY=`hostname` 
-</sxh> 
- 
- 
-  
-<codedoc code:bash> 
-vi /usr/lib/systemd/system/aducid-aaa.service 
-</codedoc> 
-<sxh bash> 
-[Unit] 
-Description=The ADUCID AAA Module 
-After=network.target remote-fs.target nss-lookup.target 
-  
-[Service] 
-Type=forking 
-EnvironmentFile=/etc/sysconfig/aducid-aaa 
-ExecStart=/opt/aaa/bin/aducid-aaa.sh start 
-ExecReload=/opt/aaa/bin/aducid-aaa.sh restart 
-ExecStop=/opt/aaa/bin/aducid-aaa.sh stop 
-  
-[Install] 
-WantedBy=multi-user.target 
-</sxh>  
-  
-<codedoc code:bash> 
-vi /etc/sysconfig/aducid-aaa 
-</codedoc> 
-<sxh bash; highlight: [25]> 
-# 
-# This file can be used to set additional environment variables for 
-# the httpd process, or pass additional options to the httpd 
-# executable. 
-# 
-# Note: With previous versions of httpd, the MPM could be changed by 
-# editing an "HTTPD" variable here.  With the current version, that 
-# variable is now ignored.  The MPM is a loadable module, and the 
-# choice of MPM can be changed by editing the configuration file 
-# /etc/httpd/conf.modules.d/00-mpm.conf. 
-# 
-# 
-# To pass additional options (for instance, -D definitions) to the 
-# httpd binary at startup, set OPTIONS here. 
-# 
-#OPTIONS= 
-# 
-# This setting ensures the httpd process is started in the "C" locale 
-# by default.  (Some modules will not behave correctly if 
-# case-sensitive string comparisons are performed in a different 
-# locale.) 
-# 
-OPENAAA_PROTOCOL=aaa 
-OPENAAA_HANDLER=/usr/local/bin/aducid 
-OPENAAA_AUTHORITY=your.server.dnsname 
-</sxh> 
-  
-<codedoc code:bash> 
-vi /opt/aaa/bin/aducid-aaa.sh 
-</codedoc> 
-<sxh bash> 
-#!/bin/bash -x 
-# 
-# Start stop or restart the ADUCID-AAA service 
-# 
-  
-# PATH=/sbin:/usr/sbin:$PATH 
-RETVAL=0 
-  
-# Check that networking is up. 
-. /etc/sysconfig/network 
-  
-  
-usage () 
-{ 
-        echo $"Usage: $0 {start|stop|restart}" 1>&2 
-        RETVAL=2 
-} 
-  
-  
-start () 
-{ 
-/usr/bin/aaa -s -vv & 
-} 
-  
-stop () 
-{ 
-kill -9 `cat /var/run/aaad.pid` 
-} 
-  
-  
-restart () 
-{ 
-        stop 
-        start 
-} 
-  
-  
-case "$1" in 
-    stop) stop ;; 
-    status) status ;; 
-    start|restart|reload|force-reload) restart ;; 
-    *) usage ;; 
-esac 
-  
-exit $RETVAL 
-</sxh> 
- 
- 
-===== Installation ===== 
- 
- 
-Do one of the following: 
- 
-  * Connect the ADUCID Server Kit DVD to virtual machine and mount it to /media/ADUCID 
-  * Copy the repository directory from the ADUCID Server Kit DVD to  /media/ADUCID 
- 
-Install and run the aducid-installer script 
-<codedoc code:bash> 
-# in this directory, rpm files are located 
-cd /media/ADUCID/repository/el7/x86_64 
-# find the exact filename using the TAB key in the command prompt 
-yum localinstall aducid-repository- 
-# dtto as above 
-yum localinstall aducid-installer-    
-# now, the install script will be in the path (/usr/local/bin), invoke it 
-aducid-installer 
-</codedoc> 
- 
-The aducid-installer script (see /usr/local/bin/aducid-installer.sh) asks about AIM server parameters: 
- 
-| hostname | Preferably whole DNS name | 
-| service provider ID | AIM machine inner identification. DNS hostname is a good candidate. | 
-| icon file | 100x100 .png file that will be seen on client PEIGs. This can be changed anytime, files are located in /usr/share/pixmaps | 
-| replication password | In fact, DB access password for account created during install | 
- 
-===== Post-install checks ===== 
-==== Certificates ==== 
- 
-Certificates for SSL comunication (like other parameters of SSL/TLS comunication) need to be set in /opt/aaa/conf/aducid-aaa.conf. It may happen that the install script rewrites your previous settings. Having corrected this settings, please restart the httpd24-httpd service. 
-<codedoc code:bash> 
-SSLCertificateFile      /opt/aaa/certs/wild.aducid.com.crt 
-SSLCertificateKeyFile   /opt/aaa/certs/wild.aducid.com.key 
-SSLCertificateChainFile /opt/aaa/certs/Thawte.CA.Intermediate.SHA256.crt 
-SSLCACertificateFile    /opt/aaa/certs/Thawte.CA.Primary.Root.G3.crt 
-</codedoc> 
- 
-Other certificates used by ADUCID server are listed in /opt/tomcat/conf/ADUCID.properties. After you set this parameters to your certificate files, restart of the tomcat9.service is needed. 
-<sxh bash> 
-PUBLIC_KEY=/opt/aaa/certs/wild.aducid.com.crt 
-PRIVATE_KEY=/opt/aaa/certs/wild.aducid.com.key 
-</sxh> 
- 
-It is recommended to restart the server after installation. 
-==== Component checks ==== 
- 
- 
-After restart, check main status of main components. 
-postinstall checks 
-<codedoc code:bash> 
-orange-d3:~ root$ systemctl -l status httpd24-httpd.service 
-● httpd24-httpd.service - The Apache HTTP Server 
-   Loaded: loaded (/usr/lib/systemd/system/httpd24-httpd.service; enabled; vendor preset: disabled) 
-   Active: active (running) since Mon 2018-06-25 22:54:51 CEST; 9min ago 
- Main PID: 913 (httpd) 
-   Status: "Total requests: 11; Idle/Busy workers 100/0;Requests/sec: 0.0187; Bytes served/sec:  37 B/sec" 
-   CGroup: /system.slice/httpd24-httpd.service 
-           ├─ 913 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND 
-           ├─1129 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND 
-           ├─1130 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND 
-           ├─1131 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND 
-           ├─1132 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND 
-           ├─1133 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND 
-           └─1697 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND 
-  
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:accept:SSLv3 read certificate verify A 
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:accept:SSLv3 read finished A 
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:accept:SSLv3 write change cipher spec A 
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:accept:SSLv3 write finished A 
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:accept:SSLv3 flush data 
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:negotiate:SSL negotiation finished successfully 
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: id=a6ae3724b541fb22127a207882e99ee2d1b0c762922ceff78dd4839872a712ab hash=8112 index=0 
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: 127.0.0.1:8888 sent 94 byte(s) 
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: 127.0.0.1:8888 recv 168 byte(s) 
-Jun 25 23:03:03 orange-d3.aducid.com [1697]: msg:alert write:warning:close notify 
-  
-# do not be confused with the following message: "The ADUCID Apache HTTP Server" 
-orange-d3:~ root$ systemctl -l status aducid-aaa.service 
-● aducid-aaa.service - The ADUCID Apache HTTP Server 
-   Loaded: loaded (/usr/lib/systemd/system/aducid-aaa.service; enabled; vendor preset: disabled) 
-   Active: active (running) since Mon 2018-06-25 22:54:50 CEST; 11min ago 
-  Process: 890 ExecStart=/opt/aaa/bin/aducid-aaa.sh start (code=exited, status=0/SUCCESS) 
- Main PID: 901 (aaa) 
-   CGroup: /system.slice/aducid-aaa.service 
-           ├─901 aaad 
-           ├─905 aaa/1 
-           ├─906 aaa/2 
-           ├─907 aaa/3 
-           └─908 aaa/4 
-  
-Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: sess.created:1529960583 
-Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: sess.modified:1529960583 
-Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: sess.expires:1529967783 
-Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: 127.0.0.1:36274 sent 168 byte(s) 
-Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: 127.0.0.1:52677 recv 94 byte(s) 
-Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.id:a6ae3724b541fb22127a207882e99ee2d1b0c762922ceff78dd4839872a712ab 
-Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.created:1529960583 
-Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.modified:1529960583 
-Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.expires:1529967783 
-Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: 127.0.0.1:52677 sent 168 byte(s) 
-  
-orange-d3:~ root$ systemctl -l status tomcat9.service 
-● tomcat9.service - Apache Tomcat 9.0.6 Servlet Container 
-   Loaded: loaded (/usr/lib/systemd/system/tomcat9.service; enabled; vendor preset: disabled) 
-   Active: active (running) since Mon 2018-06-25 22:54:50 CEST; 12min ago 
-  Process: 887 ExecStart=/opt/tomcat/bin/tomcat-startup.sh (code=exited, status=0/SUCCESS) 
- Main PID: 921 (java) 
-   CGroup: /system.slice/tomcat9.service 
-           └─921 /usr/java/default/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -server -Dcom.sun.management.jmxremote.port=8086 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Xms2g -Xmx2g -XX:+UseG1GC -XX:+UseStringDeduplication -XX:MaxGCPauseMillis=100 -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start 
-  
-Jun 25 22:54:50 orange-d3.aducid.com systemd[1]: Starting Apache Tomcat 9.0.6 Servlet Container... 
-Jun 25 22:54:50 orange-d3.aducid.com tomcat-startup.sh[887]: + cd /opt/tomcat 
-Jun 25 22:54:50 orange-d3.aducid.com tomcat-startup.sh[887]: + ./bin/startup.sh 
-Jun 25 22:54:50 orange-d3.aducid.com systemd[1]: Started Apache Tomcat 9.0.6 Servlet Container. 
-</codedoc> 
- 
-==== Compoment log checks ==== 
- 
- 
-The system is fully ready after tomcat server start. This can be checked by looking into tomcat's catalina.out. 
-tomcat log 
- 
-<codedoc code:bash> 
-orange-d3:~ root$ tail -f /opt/tomcat/logs/catalina.out 
-Not found in 'org.owasp.esapi.resources' directory or file not readable: /opt/apache-tomcat-9.0.6/validation.properties 
-Not found in SystemResource Directory/resourceDirectory: .esapi/validation.properties 
-Not found in 'user.home' (/opt/tomcat) directory: /opt/tomcat/esapi/validation.properties 
-Loading validation.properties via file I/O failed. 
-Attempting to load validation.properties via the classpath. 
-SUCCESSFULLY LOADED validation.properties via the CLASSPATH from '/ (root)' using current thread context class loader! 
-25-Jun-2018 22:57:07.841 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/opt/apache-tomcat-9.0.6/webapps/qrtest.war] has finished in [3,228] ms 
-25-Jun-2018 22:57:07.861 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"] 
-25-Jun-2018 22:57:07.884 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"] 
-25-Jun-2018 22:57:07.889 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 133079 ms 
-</codedoc> 
- 
-Other log files: 
-| AIM | /opt/tomcat/log/aim.log | 
-| tomcat9.service | /opt/tomcat/logs/* | 
-| aducid-aaa.service | /var/log/messages | 
-| httpd.service | /var/log/httpd/* | 
- 
- 
-RPM Component summary 
-| aducid-configurator.rpm | installation and config script | 
-| aducid-repository.rpm | yum repository file | 
-| aducid-aaa-modules.rpm | Apache settings for ADUCID components | 
-| aim.rpm | AIM and all basic components | 
-| aducid-proof.rpm | Sample identity proofing apps | 
- 
- 
- 
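Review bot: the current revision is left empty with no successor link or redirect, and the edit summary `[Compoment log checks]` does not say why the entire installation guide (from `====== ADUCID software ======` through the RPM component summary) is dropped; before the removal is accepted, the summary should state where the content now lives, or the page should carry a redirect to it. If the text is restored or re-homed, a few items in the removed lines deserve fixes rather than a verbatim copy. In the `/opt/aaa/bin/aducid-aaa.sh` block, `case "$1"` routes `start` to `restart`, so a fresh start first runs `stop`, which does a `kill -9` on the pid read from `/var/run/aaad.pid` even when that file does not exist yet; `status) status ;;` calls a function the script never defines; and `RETVAL` is only ever set by `usage`, so `exit $RETVAL` reports success even when `start` or `stop` fails. In the `/etc/sysconfig/aducid-aaa` listing, the highlighted line `OPENAAA_AUTHORITY=your.server.dnsname` is the placeholder the reader must replace, but the rest of the block is the stock httpd sysconfig comment text about `OPTIONS=` and the MPM, so a trimmed version containing only the three `OPENAAA_*` settings would be clearer. In the `systemctl -l status tomcat9.service` output, the JVM command line shows `-Dcom.sun.management.jmxremote.port=8086 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false`; a successor page should tell the reader to disable remote JMX or bind it to localhost behind a firewall rule, because as printed it documents an unauthenticated, unencrypted management port. Finally, the `Other log files` table lists `/opt/tomcat/log/aim.log` while the `tomcat9.service` row and the `tail -f /opt/tomcat/logs/catalina.out` example use `/opt/tomcat/logs/`, and the table names `httpd.service` while the checks above use `httpd24-httpd.service`; both pairs should be made consistent.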
  
documentation/server-install-aducid.1541639001.txt.gz · Last modified: 2018/11/08 01:03 by mpospisek