ADUCID supports two database systems: PostgreSQL and Microsoft SQL. If you decide to use the default PostgreSQL database, install it according to the next section. If you want to use a Microsoft SQL database located on another host, refer to the section MS SQL Support.
Configure the repository files to make sure the correct software is installed: modify the [base] and [updates] sections of /etc/yum.repos.d/CentOS-Base.repo
vi /etc/yum.repos.d/CentOS-Base.repo
exclude=postgresql*
Next, get the packages and install them
yum install https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-redhat96-9.6-3.noarch.rpm
yum install postgresql96 postgresql96-server postgresql96-devel postgresql-jdbc
/usr/pgsql-9.6/bin/postgresql96-setup initdb
systemctl enable postgresql-9.6.service
systemctl start postgresql-9.6.service
Roles after installation
su - postgres
createuser -l -s root
vi /var/lib/pgsql/9.6/data/pg_hba.conf
# IPv4 local connections:
host    all    all    127.0.0.1/32    trust
logout
systemctl restart postgresql-9.6.service
We use OpenJDK 13. Get it and save the file in the /opt directory
cd /opt
wget https://download.java.net/java/GA/jdk13.0.2/d4173c853231432d94f001e99d882ca7/8/GPL/openjdk-13.0.2_linux-x64_bin.tar.gz
tar -xvf openjdk-13.0.2_linux-x64_bin.tar.gz
ln -s jdk-13.0.2 jdk-13
We need to add one more file to the JDK distribution
/opt/jdk-13/lib/fontconfig.properties
version=1
sequence.allfonts=default
Tomcat 9.0.6 installation bash commands:
# A | installation
cd ~
mkdir development
cd development
wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.6/bin/apache-tomcat-9.0.6.tar.gz
# install tomcat to the /opt/tomcat directory
mkdir /opt/apache-tomcat-9.0.6
tar xvf apache-tomcat-9*tar.gz -C /opt/apache-tomcat-9.0.6 --strip-components=1
# symlink /opt/tomcat to /opt/apache-tomcat-9.0.6
ln -s /opt/apache-tomcat-9.0.6 /opt/tomcat
# B | create tomcat user :: tomcat should run as an unprivileged user
# 1. create a new tomcat group
groupadd tomcat
# 2. create a tomcat user ::
# member of the tomcat group, home directory of /opt/tomcat (install), shell of /sbin/nologin (no login)
useradd -M -s /sbin/nologin -g tomcat -d /opt/tomcat tomcat
# C | update permissions :: proper access to the tomcat installation
cd /opt/tomcat
# tomcat group ownership over the entire installation directory
chgrp -R tomcat /opt/tomcat
# tomcat group read access to the conf directory, and execute access to the directory
chmod -R g+r conf
chmod g+x conf
# make the tomcat user the owner of the directories
chown -R tomcat webapps/ work/ temp/ logs/
chown -R tomcat /opt/tomcat
chown -R tomcat /opt/apache-tomcat-9.0.6
Next, create the systemd unit file
vi /usr/lib/systemd/system/tomcat9.service
[Unit]
Description=Apache Tomcat 9.0.x Servlet Container
After=syslog.target network.target

[Service]
User=tomcat
Group=tomcat
Type=forking
Environment=JAVA_HOME=/opt/jdk-13
Environment=CATALINA_PID=/opt/tomcat/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
ExecStart=/opt/tomcat/bin/tomcat-startup.sh
ExecStop=/opt/tomcat/bin/tomcat-shutdown.sh

[Install]
WantedBy=multi-user.target
Prepare the config files
vi /opt/tomcat/bin/tomcat-startup.sh
#!/bin/bash -x
cd $CATALINA_BASE
./bin/startup.sh
vi /opt/tomcat/bin/tomcat-shutdown.sh
#!/bin/bash -x
cd $CATALINA_BASE
./bin/shutdown.sh
vi /opt/tomcat/bin/setenv.sh
* IMPORTANT: check that the Xms/Xmx settings are appropriate for your environment *
CATALINA_OPTS="-server -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Xms2g -Xmx2g -XX:+UseG1GC -XX:+UseStringDeduplication -XX:MaxGCPauseMillis=100"
Make the scripts executable
chmod +x /opt/tomcat/bin/*.sh
Add ${catalina.home}/conf to the common.loader value in catalina.properties, and change the jarsToSkip and jarsToScan lines to speed up Tomcat startup somewhat
vi /opt/tomcat/conf/catalina.properties
common.loader="${catalina.base}/lib","${catalina.base}/lib/*.jar","${catalina.home}/lib","${catalina.home}/lib/*.jar","${catalina.home}/conf"
# ...
tomcat.util.scan.StandardJarScanFilter.jarsToSkip=*.jar
tomcat.util.scan.StandardJarScanFilter.jarsToScan=jstl-*.jar,spring-webmvc-*.jar,web_platform-*.jar
Reload systemd so that it picks up the tomcat9 unit file
systemctl daemon-reload
systemctl enable tomcat9.service
Start the tomcat9 service. This is only to check that everything works
systemctl start tomcat9.service
systemctl -l status tomcat9.service
Delete all default webapps
systemctl stop tomcat9.service
cd /opt/tomcat/webapps
rm -rf *
Set up the AJP connector for requests from Apache
vi /opt/tomcat/conf/server.xml
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!-- ADUCID AJP options -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           enableLookups="false" acceptCount="300"
           keepAliveTimeout="7000" connectionTimeout="10000"
           URIEncoding="UTF-8" />
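Only the local Apache proxy needs to reach port 8009, and a Connector with no address attribute listens on every interface. The following is an added check (not part of the ADUCID documentation) that reads ss -ltn output and reports any AJP socket not bound to loopback; the ss samples are constructed, and the fix it points at is adding address="127.0.0.1" to the Connector above.

```shell
#!/bin/sh
# Added example (not from the ADUCID docs): confirm that Tomcat's AJP connector
# (port 8009 in server.xml) is reachable only from loopback. Apache proxies to
# it locally, so nothing else on the network needs that port.
# ajp_exposed_listeners reads "ss -ltn" output on stdin and prints each 8009
# socket that is not bound to 127.0.0.1 or [::1]; no output means the port is
# private to the host.
AJP_PORT=8009

ajp_exposed_listeners() {
    # ss -ltn columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
    awk -v port="$AJP_PORT" 'NR > 1 {
        n = split($4, f, ":")
        p = f[n]
        addr = substr($4, 1, length($4) - length(p) - 1)
        if (p == port && addr != "127.0.0.1" && addr != "[::1]") print $4
    }'
}

# count_exposed SS_OUTPUT -> number of non-loopback AJP listeners in the text
count_exposed() {
    printf '%s\n' "$1" | ajp_exposed_listeners | wc -l | tr -d ' '
}

# Constructed samples: the Connector as shown in server.xml (bound on all
# interfaces) versus the same Connector with address="127.0.0.1" added.
SS_DEFAULT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    *:8009             *:*
LISTEN 0      128    127.0.0.1:5432     *:*
LISTEN 0      128    [::]:443           [::]:*'

SS_BOUND='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    127.0.0.1:8009     *:*
LISTEN 0      128    [::]:443           [::]:*'

echo "exposed AJP listeners, default connector: $(count_exposed "$SS_DEFAULT")"   # 1
echo "exposed AJP listeners, address=127.0.0.1: $(count_exposed "$SS_BOUND")"     # 0
```

On the real host run ss -ltn | ajp_exposed_listeners after starting tomcat9.service; it should print nothing.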
Make the tomcat user the owner of the jdk-13 directory as well
chown -R tomcat:root /opt/jdk-13/
Optional:
CodeIT Apache 2.4 and related modules
Download CodeIT Apache 2.4.25 (NOT NEWER) RPMs from https://repo.codeit.guru/packages/centos/7/x86_64/.
If the files are no longer on the above URL, you can download them from here: httpd-2.4.25-codeit.zip
cd ~
mkdir -p apache/CodeIT
cd apache/CodeIT
wget https://repo.codeit.guru/packages/archive/centos/7/x86_64/apr-1.5.2-1.el7.codeit.x86_64.rpm
wget https://repo.codeit.guru/packages/archive/centos/7/x86_64/httpd-2.4.25-3.el7.codeit.x86_64.rpm
wget https://repo.codeit.guru/packages/archive/centos/7/x86_64/httpd-filesystem-2.4.25-3.el7.codeit.noarch.rpm
wget https://repo.codeit.guru/packages/archive/centos/7/x86_64/httpd-tools-2.4.25-3.el7.codeit.x86_64.rpm
wget https://repo.codeit.guru/packages/archive/centos/7/x86_64/mod_ssl-2.4.25-3.el7.codeit.x86_64.rpm
Put them into the chosen directory (/root/apache/CodeIT) and, from there, yum localinstall the packages one after another so that nothing is pulled in from external repositories.
The exceptions are libnghttp2 and apr-util, which are downloaded from the epel-release repository.
yum -y localinstall apr-1.5.2-1.el7.codeit.x86_64.rpm
yum -y localinstall httpd-filesystem-2.4.25-3.el7.codeit.noarch.rpm
yum -y localinstall httpd-tools-2.4.25-3.el7.codeit.x86_64.rpm
yum -y localinstall httpd-2.4.25-3.el7.codeit.x86_64.rpm
yum -y localinstall mod_ssl-2.4.25-3.el7.codeit.x86_64.rpm
rpm -qa | grep codeit
# you should see this:
httpd-tools-2.4.25-3.el7.codeit.x86_64
apr-1.5.2-1.el7.codeit.x86_64
mod_ssl-2.4.25-3.el7.codeit.x86_64
httpd-filesystem-2.4.25-3.el7.codeit.noarch
httpd-2.4.25-3.el7.codeit.x86_64
rpm -qa | grep http2
# you should see this:
libnghttp2-1.31.1-1.el7.x86_64
vi /usr/lib/systemd/system/httpd.service
Modify the file: comment out the Environment line and add the EnvironmentFile line after it, so that the unit reads:
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=notify
#Environment=LANG=C
EnvironmentFile=/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
# Send SIGWINCH for graceful stop
KillSignal=SIGWINCH
KillMode=mixed
PrivateTmp=true

[Install]
WantedBy=multi-user.target
Modify /etc/sysconfig/httpd
LANG=C
OPENAAA_PROTOCOL="aaa"
OPENAAA_HANDLER="/usr/local/bin/tlsbinder"
OPENAAA_AUTHORITY=`hostname`
The Apache configuration files are in /etc/httpd.
vi /etc/httpd/conf/httpd.conf
### Keep the Include conf.modules.d/*.conf setting in the file,
### but append one line in front of it, so the result will be:
# ...
LoadFile "/usr/lib64/libssl.so.10"
Include conf.modules.d/*.conf
# ...
### Fill in your DNS server name
ServerName your.server.dnsname:80
### Choose desired log level
LogLevel info
# Supplemental configuration is commented out
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
#IncludeOptional conf.d/*.conf
# Place these lines at the end of the file
TraceEnable Off
Include /opt/aaa/conf/aducid-aaa.conf
Include /opt/aaa/conf/aducid-aim.conf
Include /opt/aaa/conf/aducid-error-pages.conf
Modules from the directory conf.d are NOT USED.
Of the module files in the directory conf.modules.d, some are left intact, some are moved aside, and some are changed.
cd /etc/httpd/conf.modules.d/
mv 00-optional.conf 00-optional.conf.xxx
mv 00-lua.conf 00-lua.conf.xxx
mv 00-dav.conf 00-dav.conf.xxx
cat 00-mpm.conf | grep prefork
# ... result should be:
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
vi 00-proxy.conf
# This file configures all the proxy modules:
LoadModule proxy_module modules/mod_proxy.so
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
vi 00-base.conf
#
# This file loads most of the modules included with the Apache HTTP
# Server itself.
#
# This module is essential,
# as it communicates with the other, non-Apache ADUCID components
LoadModule authnz_ssl_module /usr/lib64/openaaa/modules/mod_authnz_ssl.so
# other modules as you like/need
LoadModule access_compat_module modules/mod_access_compat.so
#LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
#LoadModule allowmethods_module modules/mod_allowmethods.so
#LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_core_module modules/mod_authn_core.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
#LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authz_core_module modules/mod_authz_core.so
#LoadModule authz_dbd_module modules/mod_authz_dbd.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cache_module modules/mod_cache.so
#LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule cache_socache_module modules/mod_cache_socache.so
LoadModule data_module modules/mod_data.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
#LoadModule dumpio_module modules/mod_dumpio.so
#LoadModule echo_module modules/mod_echo.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule http2_module modules/mod_http2.so
LoadModule include_module modules/mod_include.so
LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
#LoadModule macro_module modules/mod_macro.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule remoteip_module modules/mod_remoteip.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule request_module modules/mod_request.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
#LoadModule socache_dbm_module modules/mod_socache_dbm.so
LoadModule socache_memcache_module modules/mod_socache_memcache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule status_module modules/mod_status.so
LoadModule substitute_module modules/mod_substitute.so
#LoadModule suexec_module modules/mod_suexec.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule version_module modules/mod_version.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule watchdog_module modules/mod_watchdog.so
Prepare SSL certificates
The certificates for SSL communication (like the other SSL/TLS parameters) are set in the file /opt/aaa/conf/aducid-aaa.conf, which is installed during the ADUCID software installation phase. At this point, just make sure that you have these certificates ready.
Example files:
SSLCertificateFile /opt/aaa/certs/wild.aducid.com.crt
SSLCertificateKeyFile /opt/aaa/certs/wild.aducid.com.key
SSLCertificateChainFile /opt/aaa/certs/Thawte.CA.Intermediate.SHA256.crt
SSLCACertificateFile /opt/aaa/certs/Thawte.CA.Primary.Root.G3.crt
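A mismatched key or a broken chain only shows up once httpd starts with the ADUCID configuration, so it pays to verify the four files beforehand. The following is an added check (not part of the ADUCID documentation) for the files that SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile and SSLCACertificateFile point at; the PKI it builds for the demo is constructed throw-away material, and on a real host you point check_tls_files at the files under /opt/aaa/certs instead.

```shell
#!/bin/sh
# Added example (not from the ADUCID docs): sanity-check the certificate, key,
# intermediate chain and CA files before they go into aducid-aaa.conf.
# make_test_pki builds constructed throw-away material only for the demo.

# check_tls_files CERT KEY CHAIN CA -> 0 when the set is consistent, 1 otherwise
check_tls_files() {
    cert=$1 key=$2 chain=$3 ca=$4
    # 1. the private key must belong to the certificate (compare public keys)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key $key does not match $cert"; return 1; }
    # 2. the certificate must chain through the intermediate up to the CA file
    openssl verify -CAfile "$ca" -untrusted "$chain" "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not verify against $chain and $ca"; return 1; }
    # 3. the certificate must still be valid now
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "$cert has expired"; return 1; }
}

# make_test_pki: root CA -> intermediate CA -> server certificate, all in $WORK
make_test_pki() {
    WORK=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test Root" -days 2 \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -days 2 -out "$WORK/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=wild.example.test" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -out "$WORK/srv.crt" 2>/dev/null
}

# Stand-alone demo on the constructed PKI: the matching set passes, a wrong key fails.
make_test_pki
check_tls_files "$WORK/srv.crt" "$WORK/srv.key" "$WORK/int.crt" "$WORK/root.crt" \
    && echo "OK: certificate, key, chain and CA are consistent"
check_tls_files "$WORK/srv.crt" "$WORK/int.key" "$WORK/int.crt" "$WORK/root.crt" \
    || echo "OK: mismatched key was rejected"
rm -rf "$WORK"
```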
Enable on system startup
systemctl daemon-reload
systemctl enable httpd.service