Software Components

ADUCID supports two database systems: PostgreSQL and Microsoft SQL.

  • If you decide to use the default PostgreSQL database, install it as described in the next section.
  • If you want to use a Microsoft SQL database located on another host, refer to the section MS SQL Database.

PostgreSQL

Software Installation

Configure the repository files so that the correct PostgreSQL packages are installed: add the following line to both the [base] and [updates] sections of /etc/yum.repos.d/CentOS-Base.repo, so that the distribution's own postgresql packages are never pulled in instead of the 9.6 packages from the PostgreSQL repository.

vi /etc/yum.repos.d/CentOS-Base.repo

exclude=postgresql*
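An added example, not from the ADUCID page: a POSIX shell function that puts the exclude line above into the [base] and [updates] sections of a .repo file and can be re-run safely (a section that already excludes the pattern is left alone; an existing exclude= line in the section is extended instead of duplicated). The sample repo file is constructed here; on the real host run it against /etc/yum.repos.d/CentOS-Base.repo as root.

```shell
#!/bin/sh
# Added example, not part of the ADUCID wiki page.
# add_yum_exclude FILE [PATTERN]: put "exclude=PATTERN" (default postgresql*)
# into the [base] and [updates] sections of a yum .repo file. Idempotent:
# a section that already excludes PATTERN is left alone, an existing
# exclude= line in the section gets PATTERN appended.
add_yum_exclude() {
  repo="$1"
  pattern="${2:-postgresql*}"
  tmp="$repo.tmp.$$"
  awk -v pat="$pattern" '
    # leaving a target section: emit the exclude line if none was seen
    function flush() {
      if (target && !seen) print "exclude=" pat
      target = 0; seen = 0
    }
    /^\[/ {
      flush()
      target = ($0 == "[base]" || $0 == "[updates]")
    }
    target && /^exclude=/ {
      if (index($0, pat) == 0) $0 = $0 " " pat
      seen = 1
    }
    { print }
    END { flush() }
  ' "$repo" > "$tmp" && mv "$tmp" "$repo"
}

# count_excludes FILE: number of exclude= lines, used to verify the edit
count_excludes() {
  grep -c '^exclude=' "$1"
}

# make_sample_repo FILE: constructed CentOS-Base.repo look-alike for a dry run
make_sample_repo() {
  cat > "$1" <<'EOF'
[base]
name=CentOS-$releasever - Base
gpgcheck=1

[updates]
name=CentOS-$releasever - Updates
exclude=kernel*

[extras]
name=CentOS-$releasever - Extras
EOF
}

# dry run on a temporary copy; on the real host use:
#   add_yum_exclude /etc/yum.repos.d/CentOS-Base.repo
sample="${TMPDIR:-/tmp}/sample-$$.repo"
make_sample_repo "$sample"
add_yum_exclude "$sample"
grep -n -e '^\[' -e '^exclude=' "$sample"
rm -f "$sample"
```

After the dry run, [base] gains its own exclude line, [updates] keeps its kernel* exclude with postgresql* appended, and [extras] is untouched; a second run changes nothing.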

Next, get the packages and install them:

yum install https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-redhat96-9.6-3.noarch.rpm 
yum install postgresql96 postgresql96-server postgresql96-devel postgresql-jdbc
#
/usr/pgsql-9.6/bin/postgresql96-setup initdb
systemctl enable postgresql-9.6.service
systemctl start postgresql-9.6.service

DB configuration

Roles after installation

Create a PostgreSQL role for root (createuser -s makes it a superuser, -l allows it to log in), then edit pg_hba.conf so that IPv4 connections from localhost use trust authentication, i.e. are accepted for any role without a password:

su - postgres
createuser -l -s root
vi /var/lib/pgsql/9.6/data/pg_hba.conf

# IPv4 local connections:
host    all             all             127.0.0.1/32            trust

logout
systemctl restart postgresql-9.6.service

Java

Software Installation

We use OpenJDK 13. Download it and unpack it in the /opt directory:

cd /opt
wget https://download.java.net/java/GA/jdk13.0.2/d4173c853231432d94f001e99d882ca7/8/GPL/openjdk-13.0.2_linux-x64_bin.tar.gz 
tar -xvf openjdk-13.0.2_linux-x64_bin.tar.gz
ln -s jdk-13.0.2 jdk-13

Software Configuration

We need to add one more file to the JDK distribution:

/opt/jdk-13/lib/fontconfig.properties

version=1
sequence.allfonts=default 

Tomcat

Tomcat 9.0.6 installation bash commands:

# A | installation
cd ~
mkdir development
cd development
wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.6/bin/apache-tomcat-9.0.6.tar.gz 
# install tomcat to the /opt/tomcat directory
mkdir /opt/apache-tomcat-9.0.6
 
tar xvf apache-tomcat-9*tar.gz -C /opt/apache-tomcat-9.0.6 --strip-components=1
 
# symlink /opt/tomcat to /opt/apache-tomcat-9.0.6
ln -s /opt/apache-tomcat-9.0.6 /opt/tomcat
 
# B | create tomcat user :: Tomcat itself must run as an unprivileged user
# 1. create a new tomcat group
groupadd tomcat
 
# 2. create a tomcat user ::
# member of the tomcat group, home directory /opt/tomcat (the install), shell /sbin/nologin (no interactive login), no home directory created (-M)
useradd -M -s /sbin/nologin -g tomcat -d /opt/tomcat tomcat
 
# C | update permissions :: proper access to the tomcat installation
cd /opt/tomcat
 
# tomcat group ownership over the entire installation directory
chgrp -R tomcat /opt/tomcat
 
# tomcat group read access to the conf directory, and execute access to the directory
chmod -R g+r conf
chmod g+x conf
 
# make the tomcat user the owner of the directories
chown -R tomcat webapps/ work/ temp/ logs/
chown -R tomcat /opt/tomcat
chown -R tomcat /opt/apache-tomcat-9.0.6

Next, create the systemd unit file:

vi /usr/lib/systemd/system/tomcat9.service

 
[Unit]
Description=Apache Tomcat 9.0.x Servlet Container
After=syslog.target network.target
 
[Service]
User=tomcat
Group=tomcat
Type=forking
Environment=JAVA_HOME=/opt/jdk-13
Environment=CATALINA_PID=/opt/tomcat/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
ExecStart=/opt/tomcat/bin/tomcat-startup.sh
ExecStop=/opt/tomcat/bin/tomcat-shutdown.sh
 
[Install]
WantedBy=multi-user.target

Prepare the start/stop wrapper scripts and the environment file:

vi /opt/tomcat/bin/tomcat-startup.sh

 
#!/bin/bash -x
# CATALINA_BASE is set by the systemd unit; abort rather than run startup.sh from the wrong directory
cd "$CATALINA_BASE" || exit 1
./bin/startup.sh

vi /opt/tomcat/bin/tomcat-shutdown.sh

 
#!/bin/bash -x
# CATALINA_BASE is set by the systemd unit; abort rather than run shutdown.sh from the wrong directory
cd "$CATALINA_BASE" || exit 1
./bin/shutdown.sh

vi /opt/tomcat/bin/setenv.sh

* IMPORTANT: check that the -Xms/-Xmx heap settings are appropriate for your environment *

 
CATALINA_OPTS="-server 
 -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true 
 -Xms2g -Xmx2g 
 -XX:+UseG1GC 
 -XX:+UseStringDeduplication 
 -XX:MaxGCPauseMillis=100"

Make the scripts executable:

chmod +x /opt/tomcat/bin/*.sh

Add ${catalina.home}/conf to the common.loader value in catalina.properties, and change the jarsToSkip and jarsToScan lines to speed up Tomcat startup somewhat (every jar is skipped by the scanner except those listed in jarsToScan):

vi /opt/tomcat/conf/catalina.properties

 
common.loader="${catalina.base}/lib","${catalina.base}/lib/*.jar","${catalina.home}/lib","${catalina.home}/lib/*.jar","${catalina.home}/conf"
# ... 
tomcat.util.scan.StandardJarScanFilter.jarsToSkip=*.jar
tomcat.util.scan.StandardJarScanFilter.jarsToScan=jstl-*.jar,spring-webmvc-*.jar,web_platform-*.jar

Reload systemd so that it picks up the tomcat9 unit file, and enable the service:

systemctl daemon-reload
systemctl enable tomcat9.service

Start the tomcat9 service. This is only a check that everything goes well:

systemctl start tomcat9.service
systemctl -l status tomcat9.service

Delete all default webapps

systemctl stop tomcat9.service
cd /opt/tomcat/webapps
rm -rf *

Set up the AJP connector for requests forwarded from Apache:

vi /opt/tomcat/conf/server.xml

 
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!-- ADUCID AJP options -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" 
    enableLookups="false" 
    acceptCount="300"  
    keepAliveTimeout="7000" 
    connectionTimeout="10000" 
    URIEncoding="UTF-8" />
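An added example, not from the ADUCID page: the Connector above has no address attribute, so Tomcat binds AJP port 8009 on every interface, although only the Apache on the same host needs to reach it; adding address="127.0.0.1" to the Connector element restricts it to loopback. The shell function below audits a host's listeners from `ss -ltn` output and flags an AJP listener on a wildcard or non-loopback address. Both sample outputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the ADUCID wiki page.
# ajp_listener_ok [PORT]: read `ss -ltn` output on stdin and return 0 only if
# every listener on PORT (default 8009) is bound to a loopback address.
ajp_listener_ok() {
  awk -v want="${1:-8009}" '
    $1 == "LISTEN" {
      # local address is column 4, the port is everything after the last colon
      n = split($4, f, ":"); port = f[n]
      if (port != want) next
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "127.0.0.1" || addr == "[::1]") next
      printf "AJP listener on non-loopback address %s\n", $4
      bad = 1
    }
    END { exit bad ? 1 : 0 }
  '
}

# constructed ss -ltn output for a host where the Connector has no address attribute
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      300    *:8009             *:*
LISTEN 0      128    127.0.0.1:5432     *:*'

# constructed output after adding address="127.0.0.1" to the Connector
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      300    127.0.0.1:8009     *:*
LISTEN 0      100    [::]:8080          [::]:*'

# usage on a live host:  ss -ltn | ajp_listener_ok
printf '%s\n' "$SAMPLE_EXPOSED"  | ajp_listener_ok || echo "exposed: restrict the AJP Connector with address=\"127.0.0.1\""
printf '%s\n' "$SAMPLE_LOOPBACK" | ajp_listener_ok && echo "loopback only: ok"
```

The port argument lets the same check cover the HTTP connector on 8080 (or whatever port the optional step below changes it to) once Apache is the only intended client of Tomcat.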

Make the tomcat user also the owner of the jdk-13 directory:

chown -R tomcat:root /opt/jdk-13/

Optional:

  • change the port of the Tomcat web server in case of conflicts
  • search for <Connector port="8080" … in server.xml

Apache

Software Installation

CodeIT Apache 2.4 and related modules

Download CodeIT Apache 2.4.25 (NOT NEWER) RPMs from https://repo.codeit.guru/packages/centos/7/x86_64/.

If the files are no longer on the above URL, you can download them from here: httpd-2.4.25-codeit.zip

cd ~
mkdir -p apache/CodeIT
cd apache/CodeIT
 
wget https://repo.codeit.guru/packages/archive/centos/7/x86_64/apr-1.5.2-1.el7.codeit.x86_64.rpm
wget https://repo.codeit.guru/packages/archive/centos/7/x86_64/httpd-2.4.25-3.el7.codeit.x86_64.rpm
wget https://repo.codeit.guru/packages/archive/centos/7/x86_64/httpd-filesystem-2.4.25-3.el7.codeit.noarch.rpm
wget https://repo.codeit.guru/packages/archive/centos/7/x86_64/httpd-tools-2.4.25-3.el7.codeit.x86_64.rpm
wget https://repo.codeit.guru/packages/archive/centos/7/x86_64/mod_ssl-2.4.25-3.el7.codeit.x86_64.rpm

Put them into the selected directory (/root/apache/CodeIT) and, from there, run yum localinstall on one package after another, to prevent installation from external repositories.

The exceptions are libnghttp2 and apr-util: they will be pulled in from the epel-release repository.

yum -y localinstall apr-1.5.2-1.el7.codeit.x86_64.rpm
yum -y localinstall httpd-filesystem-2.4.25-3.el7.codeit.noarch.rpm
yum -y localinstall httpd-tools-2.4.25-3.el7.codeit.x86_64.rpm
yum -y localinstall httpd-2.4.25-3.el7.codeit.x86_64.rpm
yum -y localinstall mod_ssl-2.4.25-3.el7.codeit.x86_64.rpm
 
rpm -qa | grep codeit
# you should see this:
httpd-tools-2.4.25-3.el7.codeit.x86_64
apr-1.5.2-1.el7.codeit.x86_64
mod_ssl-2.4.25-3.el7.codeit.x86_64
httpd-filesystem-2.4.25-3.el7.codeit.noarch
httpd-2.4.25-3.el7.codeit.x86_64
 
rpm -qa | grep http2
# you should see this:
libnghttp2-1.31.1-1.el7.x86_64

System variables setting

vi /usr/lib/systemd/system/httpd.service

Modify the file by commenting out the Environment line and adding the EnvironmentFile line after it:

 
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=notify
#Environment=LANG=C
EnvironmentFile=/etc/sysconfig/httpd

ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
# Send SIGWINCH for graceful stop
KillSignal=SIGWINCH
KillMode=mixed
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Modify /etc/sysconfig/httpd:

LANG=C
OPENAAA_PROTOCOL="aaa"
OPENAAA_HANDLER="/usr/local/bin/tlsbinder"
# systemd's EnvironmentFile= does not run command substitution, so `hostname` would be
# passed literally; write the host name of this server here
OPENAAA_AUTHORITY=your.server.dnsname

Config files settings

They are in /etc/httpd.

vi /etc/httpd/conf/httpd.conf

 
### Keep the Include conf.modules.d/*.conf setting in the file,
### but append one line in front of it, so the result will be:
# ...
LoadFile "/usr/lib64/libssl.so.10"
Include conf.modules.d/*.conf
# ...
 
### Fill in your DNS server name
ServerName your.server.dnsname:80
 
### Choose desired log level   
LogLevel info

# Supplemental configuration is commented out
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
#IncludeOptional conf.d/*.conf

# Place these three lines at the end of file
TraceEnable Off
Include /opt/aaa/conf/aducid-aaa.conf
Include /opt/aaa/conf/aducid-aim.conf
Include /opt/aaa/conf/aducid-error-pages.conf

Modules from the directory conf.d are NOT USED.

Module files in the directory conf.modules.d: some are left intact, some are put aside (renamed with a .xxx suffix so that httpd no longer includes them), some are changed.

cd /etc/httpd/conf.modules.d/
mv 00-optional.conf 00-optional.conf.xxx
mv 00-lua.conf 00-lua.conf.xxx
mv 00-dav.conf 00-dav.conf.xxx
cat 00-mpm.conf | grep prefork
# … result should be:
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
vi 00-proxy.conf

 
# This file configures all the proxy modules:
LoadModule proxy_module modules/mod_proxy.so
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so  

vi 00-base.conf

 
#
# This file loads most of the modules included with the Apache HTTP
# Server itself.
#
 
# This module is essential,
# as it communicates with the other, non-Apache ADUCID components
 
LoadModule authnz_ssl_module /usr/lib64/openaaa/modules/mod_authnz_ssl.so
 
# other modules as you like/need
LoadModule access_compat_module modules/mod_access_compat.so
#LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
#LoadModule allowmethods_module modules/mod_allowmethods.so
#LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_core_module modules/mod_authn_core.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
#LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authz_core_module modules/mod_authz_core.so
#LoadModule authz_dbd_module modules/mod_authz_dbd.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cache_module modules/mod_cache.so
#LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule cache_socache_module modules/mod_cache_socache.so
LoadModule data_module modules/mod_data.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
#LoadModule dumpio_module modules/mod_dumpio.so
#LoadModule echo_module modules/mod_echo.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule http2_module modules/mod_http2.so
LoadModule include_module modules/mod_include.so
LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
#LoadModule macro_module modules/mod_macro.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule remoteip_module modules/mod_remoteip.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule request_module modules/mod_request.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
#LoadModule socache_dbm_module modules/mod_socache_dbm.so
LoadModule socache_memcache_module modules/mod_socache_memcache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule status_module modules/mod_status.so
LoadModule substitute_module modules/mod_substitute.so
#LoadModule suexec_module modules/mod_suexec.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule version_module modules/mod_version.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule watchdog_module modules/mod_watchdog.so

Further steps

Prepare SSL certificates

Certificates for SSL communication (like the other SSL/TLS parameters) are set in the file /opt/aaa/conf/aducid-aaa.conf, which is installed during the ADUCID software installation phase. At this point, just make sure that you have these certificates ready.

Example files:

SSLCertificateFile      /opt/aaa/certs/wild.aducid.com.crt
SSLCertificateKeyFile   /opt/aaa/certs/wild.aducid.com.key
SSLCertificateChainFile /opt/aaa/certs/Thawte.CA.Intermediate.SHA256.crt
SSLCACertificateFile    /opt/aaa/certs/Thawte.CA.Primary.Root.G3.crt
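An added example, not from the ADUCID page: shell checks to run on the four files above before they are referenced from aducid-aaa.conf, using the openssl command-line tool. check_cert_key_pair confirms that the certificate and private key belong together, check_chain confirms that the server certificate verifies up to the root through the intermediate (the same relation the SSLCertificateChainFile and SSLCACertificateFile directives express), and cert_valid_for confirms the certificate will still be valid after a given number of seconds. The /opt/aaa/certs paths are the page's; the self-signed pair used in the usage run is generated on the spot and is not a real certificate.

```shell
#!/bin/sh
# Added example, not part of the ADUCID wiki page. Requires the openssl CLI.

# check_cert_key_pair CERT KEY: 0 if KEY is the private key for CERT
# (compares the public key extracted from each), 2 if a file cannot be read
check_cert_key_pair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_chain CERT INTERMEDIATE ROOT: 0 if CERT verifies up to ROOT via INTERMEDIATE
check_chain() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# cert_valid_for CERT SECONDS: 0 if CERT does not expire within SECONDS
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# make_test_pair KEY CERT: constructed self-signed pair, only for trying the checks out
make_test_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=selftest.example" \
    -keyout "$1" -out "$2" >/dev/null 2>&1
}

# usage with the page's file names:
#   check_cert_key_pair /opt/aaa/certs/wild.aducid.com.crt /opt/aaa/certs/wild.aducid.com.key
#   check_chain /opt/aaa/certs/wild.aducid.com.crt \
#       /opt/aaa/certs/Thawte.CA.Intermediate.SHA256.crt /opt/aaa/certs/Thawte.CA.Primary.Root.G3.crt
#   cert_valid_for /opt/aaa/certs/wild.aducid.com.crt 2592000   # 30 days
if command -v openssl >/dev/null 2>&1; then
  d="${TMPDIR:-/tmp}/certcheck-$$"; mkdir -p "$d"
  make_test_pair "$d/a.key" "$d/a.crt"
  check_cert_key_pair "$d/a.crt" "$d/a.key" && echo "key matches certificate"
  cert_valid_for "$d/a.crt" 3600 && echo "valid for at least one more hour"
  rm -rf "$d"
fi
```

A mismatched key or an expired certificate only shows up in Apache's error log at the first TLS handshake, so running these checks before the restart is cheaper than debugging a down site.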

Enable on system startup

systemctl daemon-reload
systemctl enable httpd.service

installation/02-software-components.txt · Last modified: 2020/03/25 21:17 by mpospisek