ADUCID software

Prepare the aducid-aaa.service

# --- The AAA modules need the following directories to exist before installation:

mkdir -p /opt/aaa/{install,logs,conf/aducid,certs,aducid-error-pages,bin}
mkdir -p /usr/lib64/openaaa/modules

# --- Files for the aducid-aaa modules.
# **Please check your server hostname in these files, as indicated.**
# `hostname` may return only the short name; the AIM installer below expects
# the whole DNS name, so verify the OPENAAA_AUTHORITY value that gets written.

# --- Export system variables
# /etc/profile.d/openaaa.sh
cat > /etc/profile.d/openaaa.sh <<EOF
#!/bin/bash
export OPENAAA_PROTOCOL=aaa
export OPENAAA_HANDLER=/usr/local/bin/aducid
export OPENAAA_AUTHORITY=$(hostname)
EOF

# --- Define the aducid-aaa.service
# /usr/lib/systemd/system/aducid-aaa.service
cat > /usr/lib/systemd/system/aducid-aaa.service <<'EOF'
[Unit]
Description=The ADUCID AAA Module
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
# the daemon writes its PID here; the stop action of aducid-aaa.sh reads the same file
PIDFile=/var/run/aaad.pid
EnvironmentFile=/etc/sysconfig/aducid-aaa
ExecStart=/opt/aaa/bin/aducid-aaa.sh start
ExecReload=/opt/aaa/bin/aducid-aaa.sh restart
ExecStop=/opt/aaa/bin/aducid-aaa.sh stop

[Install]
WantedBy=multi-user.target
EOF

# --- Create the service environment file
# /etc/sysconfig/aducid-aaa
cat > /etc/sysconfig/aducid-aaa <<EOF
OPENAAA_PROTOCOL=aaa
OPENAAA_HANDLER=/usr/local/bin/aducid
OPENAAA_AUTHORITY=$(hostname)
EOF

vi /opt/aaa/bin/aducid-aaa.sh

#!/bin/bash
#
# Start, stop, restart or report the status of the ADUCID-AAA service.
# The daemon writes its PID to /var/run/aaad.pid; stop and status read it.
#

PIDFILE=/var/run/aaad.pid
RETVAL=0

# Check that networking is up.
. /etc/sysconfig/network

usage ()
{
        echo $"Usage: $0 {start|stop|restart|status}" 1>&2
        RETVAL=2
}

# Print the PID from the pid file if that process is alive; fail otherwise.
running_pid ()
{
        local pid
        [ -r "$PIDFILE" ] || return 1
        pid=$(cat "$PIDFILE")
        [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null && echo "$pid"
}

start ()
{
        if running_pid >/dev/null; then
                echo "aducid-aaa is already running (pid $(cat "$PIDFILE"))"
                return 0
        fi
        /usr/bin/aaa -s -vv &
}

stop ()
{
        local pid i
        pid=$(running_pid) || { echo "aducid-aaa is not running"; return 0; }
        # SIGTERM lets the daemon shut down cleanly; SIGKILL only if it ignores it.
        kill "$pid"
        for i in 1 2 3 4 5; do
                kill -0 "$pid" 2>/dev/null || return 0
                sleep 1
        done
        kill -9 "$pid" 2>/dev/null
}

status ()
{
        local pid
        if pid=$(running_pid); then
                echo "aducid-aaa is running (pid $pid)"
        else
                echo "aducid-aaa is stopped"
                RETVAL=3
        fi
}

restart ()
{
        stop
        start
}

case "$1" in
    start) start ;;
    stop) stop ;;
    status) status ;;
    restart|reload|force-reload) restart ;;
    *) usage ;;
esac

exit $RETVAL

# --- vi leaves the new file non-executable; systemd needs it executable to run ExecStart
chmod 755 /opt/aaa/bin/aducid-aaa.sh
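A preflight check for the files created above, added here as an example and not part of the ADUCID kit: it reads OPENAAA_AUTHORITY back out of /etc/profile.d/openaaa.sh and /etc/sysconfig/aducid-aaa, insists that both agree with the fully qualified hostname the AIM installer expects, and confirms that the ExecStart target of the unit file is actually executable, which saving it from vi alone does not guarantee. The paths are the ones from this page; the function names and the sample files in the usage comment are mine.

```shell
#!/bin/bash
# Added example (not ADUCID code): preflight for the aducid-aaa service files
# written above. Run as root after creating them and before `systemctl start`.

# authority_in <file>: print OPENAAA_AUTHORITY from a profile.d script
# (export VAR=value) or a sysconfig file (VAR=value). Trailing blanks and
# double quotes are dropped; the last assignment in the file wins.
authority_in() {
    awk -F= -v q='"' '
        { sub(/^[ \t]*export[ \t]+/, "") }
        $1 == "OPENAAA_AUTHORITY" { v = $2; sub(/[ \t\r]+$/, "", v); gsub(q, "", v) }
        END { print v }' "$1"
}

# is_fqdn <name>: 0 if the name contains a dot and only hostname characters.
is_fqdn() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_authority <expected> <file>...: 0 when <expected> is fully qualified
# and every file carries OPENAAA_AUTHORITY=<expected>; differences are reported.
check_authority() {
    local expected=$1 f v rc=0
    shift
    if ! is_fqdn "$expected"; then
        echo "'$expected' is not a fully qualified name; use \$(hostname -f)" >&2
        return 1
    fi
    for f in "$@"; do
        v=$(authority_in "$f")
        if [ "$v" != "$expected" ]; then
            echo "$f: OPENAAA_AUTHORITY is '$v', expected '$expected'" >&2
            rc=1
        fi
    done
    return $rc
}

# exec_start_of <unit-file>: print the executable named by ExecStart=
# (first word, systemd's -/@/+/!/: prefixes removed).
exec_start_of() {
    sed -n 's/^ExecStart=[-@+!:]*//p' "$1" | awk 'NR == 1 { print $1 }'
}

# unit_exec_ok <unit-file>: 0 if the ExecStart target exists and is executable.
unit_exec_ok() {
    local exe
    exe=$(exec_start_of "$1")
    [ -n "$exe" ] && [ -x "$exe" ]
}

# On the AIM server:
#   check_authority "$(hostname -f)" /etc/profile.d/openaaa.sh /etc/sysconfig/aducid-aaa
#   unit_exec_ok /usr/lib/systemd/system/aducid-aaa.service || chmod 755 /opt/aaa/bin/aducid-aaa.sh
if [ "${1:-}" = "--run" ]; then
    check_authority "$(hostname -f)" /etc/profile.d/openaaa.sh /etc/sysconfig/aducid-aaa \
        && unit_exec_ok /usr/lib/systemd/system/aducid-aaa.service \
        && echo "aducid-aaa preflight OK"
fi
```

Run it with `--run` on the server; without arguments it only defines the functions so they can be sourced into another script.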

Directory for the mypeig.aducid.com import data

mkdir -p ~/psqltools/myPEIG

Put the following files into that directory and strip the “.file” extension:

cd ~/psqltools/myPEIG
mv insert_home_aim_mypeig.sql.file insert_home_aim_mypeig.sql
mv mypeig.aducid.com.crt.file mypeig.aducid.com.crt

Do one of the following:

  • Connect the ADUCID Server Kit DVD to virtual machine and mount it to /media/ADUCID
  • Copy the repository directory from the ADUCID Server Kit DVD to /media/ADUCID

Install and run the aducid-installer script

# the rpm files are located in this directory
cd /media/ADUCID/repository/el7/x86_64
# find the exact filename with the TAB key at the command prompt
# (check the package signatures first, e.g. rpm -K aducid-*.rpm)
yum localinstall aducid-repository-1.0-4.el7.centos.noarch.rpm
# ditto for the installer package
yum localinstall aducid-installer-4.1.0-1.rc1.el7.centos.noarch.rpm
# the install script is now in the PATH (/usr/local/bin); invoke it
aducid-installer

The aducid-installer script (see /usr/local/bin/aducid-installer.sh) asks for the AIM server parameters:

  • hostname: preferably the whole DNS name
  • service provider ID: inner identification of the AIM machine; the DNS hostname is a good candidate
  • icon file: a 100×100 .png file that will be shown on the client PEIGs; it can be changed at any time, the files are located in /usr/share/pixmaps
  • replication password: in fact the DB access password for the account created during the install

Post-install checks

Certificates

Certificates for SSL communication (like the other parameters of SSL/TLS communication) need to be set in /opt/aaa/conf/aducid-aaa.conf. The install script may overwrite your previous settings, so check them after every run. The private key file must stay readable by root only (mode 0600). Having corrected these settings, restart the httpd24-httpd service.

SSLCertificateFile      /opt/aaa/certs/wild.aducid.com.crt
SSLCertificateKeyFile   /opt/aaa/certs/wild.aducid.com.key
SSLCertificateChainFile /opt/aaa/certs/Thawte.CA.Intermediate.SHA256.crt
SSLCACertificateFile    /opt/aaa/certs/Thawte.CA.Primary.Root.G3.crt

Other certificates used by the ADUCID server are listed in /opt/tomcat/conf/ADUCID.properties. After you point these parameters at your certificate files, the tomcat9.service has to be restarted.

PUBLIC_KEY=/opt/aaa/certs/wild.aducid.com.crt
PRIVATE_KEY=/opt/aaa/certs/wild.aducid.com.key
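The checks worth running before restarting httpd24-httpd and tomcat9 after pointing these directives at new files, added here as an example and not part of the ADUCID kit: the script reads the certificate and key paths out of either file format (Apache `Directive value` lines as in aducid-aaa.conf, or `KEY=value` lines as in ADUCID.properties), confirms that the private key belongs to the certificate, that the key is not group- or world-readable, and warns when the certificate expires within 30 days. The file paths in the usage comment are the ones from this page; the function names are mine, and openssl must be installed.

```shell
#!/bin/bash
# Added example (not ADUCID code): sanity-check the certificate/key pairs
# referenced by /opt/aaa/conf/aducid-aaa.conf and /opt/tomcat/conf/ADUCID.properties
# before restarting the services. Needs openssl and stat.

# conf_value <file> <name>: print the value of an Apache directive
# ("SSLCertificateFile /path") or a properties key ("PRIVATE_KEY=/path").
# Comments are stripped and, as in Apache, the last occurrence wins.
conf_value() {
    awk -v d="$2" '
        { l = $0; sub(/#.*/, "", l); sub(/^[ \t]+/, "", l) }
        l ~ ("^" d "[ \t=]") { sub("^" d "[ \t=]+", "", l); sub(/[ \t\r]+$/, "", l); v = l }
        END { print v }' "$1"
}

# cert_matches_key <cert.pem> <key.pem>: 0 if the certificate carries the
# public key derived from the private key (identical SubjectPublicKeyInfo PEM).
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# key_mode_ok <key.pem>: 0 if the file mode grants nothing to group or other.
key_mode_ok() {
    local mode
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# cert_valid_for <cert.pem> <seconds>: 0 if the certificate is still valid
# <seconds> from now (openssl -checkend exits 1 once it would have expired).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# check_tls_pair <conf> <cert-name> <key-name>: run all checks on one pair.
# Returns 0 when certificate and key are readable, match, and the key is
# private; imminent expiry is reported but does not fail the check.
check_tls_pair() {
    local conf=$1 cert key rc=0
    cert=$(conf_value "$conf" "$2")
    key=$(conf_value "$conf" "$3")
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "$conf: $2/$3 do not point at readable files ('$cert', '$key')" >&2
        return 1
    fi
    cert_matches_key "$cert" "$key" || { echo "$conf: $key does not belong to $cert" >&2; rc=1; }
    key_mode_ok "$key" || { echo "$conf: $key is readable by group/other; chmod 600 it" >&2; rc=1; }
    cert_valid_for "$cert" $((30 * 24 * 3600)) || echo "$conf: $cert expires within 30 days" >&2
    return $rc
}

# On the AIM server (paths from this page):
#   check_tls_pair /opt/aaa/conf/aducid-aaa.conf SSLCertificateFile SSLCertificateKeyFile
#   check_tls_pair /opt/tomcat/conf/ADUCID.properties PUBLIC_KEY PRIVATE_KEY
if [ "$#" -eq 3 ]; then
    check_tls_pair "$1" "$2" "$3" && echo "$1: certificate and key are consistent"
fi
```

Comparing the SubjectPublicKeyInfo from both files is what makes the match test work for RSA and EC keys alike; comparing RSA moduli, the older idiom, would not cover an EC key.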

It is recommended to restart the server after installation.

Component checks

After the restart, check the status of the main components:

orange-d3:~ root$ systemctl -l status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-11-07 23:11:21 CET; 2h 50min ago
 Main PID: 4800 (httpd)
   Status: "Total requests: 38; Idle/Busy workers 100/0;Requests/sec: 0.00373; Bytes served/sec:   7 B/sec"
   CGroup: /system.slice/httpd.service
           ├─4800 /usr/sbin/httpd -DFOREGROUND
           ├─4801 /usr/sbin/httpd -DFOREGROUND
           ├─4802 /usr/sbin/httpd -DFOREGROUND
           ├─4803 /usr/sbin/httpd -DFOREGROUND
           ├─4804 /usr/sbin/httpd -DFOREGROUND
           ├─4806 /usr/sbin/httpd -DFOREGROUND
           └─5528 /usr/sbin/httpd -DFOREGROUND
 
orange-d3:~ root$ systemctl -l status aducid-aaa.service
● aducid-aaa.service - The ADUCID AAA Module
   Loaded: loaded (/usr/lib/systemd/system/aducid-aaa.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-06-25 22:54:50 CEST; 11min ago
  Process: 890 ExecStart=/opt/aaa/bin/aducid-aaa.sh start (code=exited, status=0/SUCCESS)
 Main PID: 901 (aaa)
   CGroup: /system.slice/aducid-aaa.service
           ├─901 aaad
           ├─905 aaa/1
           ├─906 aaa/2
           ├─907 aaa/3
           └─908 aaa/4
 
Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: sess.created:1529960583
Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: sess.modified:1529960583
Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: sess.expires:1529967783
Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: 127.0.0.1:36274 sent 168 byte(s)
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: 127.0.0.1:52677 recv 94 byte(s)
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.id:a6ae3724b541fb22127a207882e99ee2d1b0c762922ceff78dd4839872a712ab
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.created:1529960583
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.modified:1529960583
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.expires:1529967783
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: 127.0.0.1:52677 sent 168 byte(s)
 
orange-d3:~ root$ systemctl -l status tomcat9.service
● tomcat9.service - Apache Tomcat 9.0.6 Servlet Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat9.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-06-25 22:54:50 CEST; 12min ago
  Process: 887 ExecStart=/opt/tomcat/bin/tomcat-startup.sh (code=exited, status=0/SUCCESS)
 Main PID: 921 (java)
   CGroup: /system.slice/tomcat9.service
           └─921 /usr/java/default/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -server -Dcom.sun.management.jmxremote.port=8086 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Xms2g -Xmx2g -XX:+UseG1GC -XX:+UseStringDeduplication -XX:MaxGCPauseMillis=100 -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
 
Jun 25 22:54:50 orange-d3.aducid.com systemd[1]: Starting Apache Tomcat 9.0.6 Servlet Container…
Jun 25 22:54:50 orange-d3.aducid.com tomcat-startup.sh[887]: + cd /opt/tomcat
Jun 25 22:54:50 orange-d3.aducid.com tomcat-startup.sh[887]: + ./bin/startup.sh
Jun 25 22:54:50 orange-d3.aducid.com systemd[1]: Started Apache Tomcat 9.0.6 Servlet Container.

Note the JMX flags in the java command line above: -Dcom.sun.management.jmxremote.port=8086 together with jmxremote.ssl=false and jmxremote.authenticate=false opens a remote JMX listener with neither TLS nor authentication, so anyone who can reach TCP/8086 can read and invoke MBeans on the AIM's JVM. Keep that port firewalled to the host (or to a management network only), or set both properties to true, before the server goes into service.
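A check for that exposure, added here as an example and not part of the ADUCID kit: it scans a JVM command line for a remote JMX port combined with authentication or SSL switched off, using the JDK defaults (authenticate=true, ssl=true when the property is absent). The sample command line is the tomcat9 one from the status output above, trimmed to the relevant flags and labelled as constructed; the function names and the `ps -o args= -C java` scan of live processes (procps syntax) are mine.

```shell
#!/bin/bash
# Added example (not ADUCID code): detect remote JMX enabled without
# authentication or TLS on a JVM command line, as seen in the tomcat9 status.

# jvm_flag <cmdline> <property>: print the value of -D<property>=... (exact
# property name, last occurrence wins), or nothing if the flag is absent.
jvm_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | awk -v k="-D$2=" 'index($0, k) == 1 { v = substr($0, length(k) + 1) } END { print v }'
}

# jmx_exposure <cmdline>: if remote JMX is enabled (jmxremote.port set) and
# authentication or SSL is off, print "<port> auth=<x> ssl=<y>" and return 0;
# return 1 when there is no remote port or both protections are on.
# JDK defaults when a property is absent: authenticate=true, ssl=true.
jmx_exposure() {
    local port auth ssl
    port=$(jvm_flag "$1" com.sun.management.jmxremote.port)
    [ -n "$port" ] || return 1
    auth=$(jvm_flag "$1" com.sun.management.jmxremote.authenticate)
    ssl=$(jvm_flag "$1" com.sun.management.jmxremote.ssl)
    auth=${auth:-true}
    ssl=${ssl:-true}
    if [ "$auth" = "false" ] || [ "$ssl" = "false" ]; then
        printf '%s auth=%s ssl=%s\n' "$port" "$auth" "$ssl"
        return 0
    fi
    return 1
}

# Constructed sample: the tomcat9 command line from the status output above,
# trimmed to the flags that matter here.
TOMCAT_CMDLINE='/usr/java/default/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -server -Dcom.sun.management.jmxremote.port=8086 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.awt.headless=true -Xms2g -Xmx2g -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start'

# check_running_jvms: scan every java process on this host (procps ps).
# Returns 0 if none is exposed, 1 otherwise; findings go to stderr.
check_running_jvms() {
    local rc=0 line found
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if found=$(jmx_exposure "$line"); then
            echo "exposed JMX: $found :: ${line%% *}" >&2
            rc=1
        fi
    done <<EOF
$(ps -o args= -C java 2>/dev/null)
EOF
    return $rc
}

if [ "${1:-}" = "--scan" ]; then
    check_running_jvms && echo "no exposed JMX listeners"
else
    # Demonstrate on the sample: prints "8086 auth=false ssl=false".
    jmx_exposure "$TOMCAT_CMDLINE" || :
fi
```

Run with `--scan` on the AIM host after tomcat9 is up; a non-zero exit means at least one JVM must be firewalled or reconfigured before the system is exposed.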

Component log checks

The system is fully ready once the tomcat server has started. This can be verified in tomcat's catalina.out:

orange-d3:~ root$ tail -f /opt/tomcat/logs/catalina.out
Not found in 'org.owasp.esapi.resources' directory or file not readable: /opt/apache-tomcat-9.0.6/validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi/validation.properties
Not found in 'user.home' (/opt/tomcat) directory: /opt/tomcat/esapi/validation.properties
Loading validation.properties via file I/O failed.
Attempting to load validation.properties via the classpath.
SUCCESSFULLY LOADED validation.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
25-Jun-2018 22:57:07.841 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/opt/apache-tomcat-9.0.6/webapps/qrtest.war] has finished in [3,228] ms
25-Jun-2018 22:57:07.861 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
25-Jun-2018 22:57:07.884 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
25-Jun-2018 22:57:07.889 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 133079 ms

Other log files:

  • AIM: /opt/tomcat/log/aim.log
  • tomcat9.service: /opt/tomcat/logs/*
  • aducid-aaa.service: /var/log/messages
  • httpd.service: /var/log/httpd/*

RPM Component summary

  • aducid-configurator.rpm: installation and config script
  • aducid-repository.rpm: yum repository file
  • aducid-aaa-modules.rpm: Apache settings for ADUCID components
  • aim.rpm: AIM and all basic components
  • aducid-proof.rpm: sample identity proofing apps
installation/aducid-software.txt · Last modified: 2019/08/01 09:09 by tjotov