installation:aducid-software [2019/08/01 09:09] (current)
tjotov created
====== ADUCID software ======
===== File and directory preparation =====

**Prepare the aducid-aaa.service**
<sxh bash>
# --- The AAA modules need the following directories to exist before installation:

mkdir -p /opt/aaa/install
mkdir -p /opt/aaa/logs
mkdir -p /opt/aaa/conf
mkdir -p /opt/aaa/conf/aducid
mkdir -p /opt/aaa/certs
mkdir -p /opt/aaa/aducid-error-pages
mkdir -p /opt/aaa/bin
mkdir -p /usr/lib64/openaaa/modules

# --- Files for aducid-aaa-modules.
# **Please check your server hostname in these files, as indicated.**
# (`hostname` is expanded when the echo runs, so each file contains the literal host name.)

# --- Export system variables
# /etc/profile.d/openaaa.sh
echo \
"#!/bin/bash
export OPENAAA_PROTOCOL=aaa
export OPENAAA_HANDLER=/usr/local/bin/aducid
export OPENAAA_AUTHORITY=`hostname`
" > /etc/profile.d/openaaa.sh

# --- Define the aducid-aaa.service
# /usr/lib/systemd/system/aducid-aaa.service
echo \
"[Unit]
Description=The ADUCID AAA Module
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
EnvironmentFile=/etc/sysconfig/aducid-aaa
ExecStart=/opt/aaa/bin/aducid-aaa.sh start
ExecReload=/opt/aaa/bin/aducid-aaa.sh restart
ExecStop=/opt/aaa/bin/aducid-aaa.sh stop

[Install]
WantedBy=multi-user.target
" > /usr/lib/systemd/system/aducid-aaa.service

# --- Create the environment file read by the service
# /etc/sysconfig/aducid-aaa
echo \
"OPENAAA_PROTOCOL=aaa
OPENAAA_HANDLER=/usr/local/bin/aducid
OPENAAA_AUTHORITY=`hostname`
" > /etc/sysconfig/aducid-aaa
</sxh>
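The preparation step above asks you to check the host name in the generated files by hand. The following script is an added example, not part of the ADUCID documentation: it verifies that every directory from the list exists and that OPENAAA_AUTHORITY in a sysconfig-style file matches the expected host name. The function names and the demo values (aim.example.test, a temporary directory standing in for the real root) are my own; the directory list and file paths are the page's.

```bash
#!/bin/sh
# Added example, not part of the ADUCID documentation: verify the preparation
# step before running the installer. It checks that every required directory
# exists and that OPENAAA_AUTHORITY in the environment file matches the host
# name, which the page asks you to confirm by hand.

# Directories the AAA modules expect (the same list as in the mkdir commands).
AAA_DIRS="/opt/aaa/install /opt/aaa/logs /opt/aaa/conf /opt/aaa/conf/aducid
/opt/aaa/certs /opt/aaa/aducid-error-pages /opt/aaa/bin /usr/lib64/openaaa/modules"

# check_dirs ROOT: succeed if every directory in AAA_DIRS exists under ROOT.
# ROOT is "" on a real host; the demo below uses a temporary directory.
check_dirs() {
    missing=0
    for d in $AAA_DIRS; do
        if [ ! -d "$1$d" ]; then
            echo "missing directory: $1$d" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# env_value FILE KEY: print the value of KEY=value from a sysconfig-style file,
# skipping comments and accepting an optional "export " prefix and quotes.
env_value() {
    val=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}        # drop leading blanks
        case $line in
            ''|\#*) continue ;;
        esac
        line=${line#export }
        case $line in
            "$2="*)
                val=${line#*=}
                val=${val%"${val##*[![:space:]]}"}   # drop trailing blanks
                val=${val#[\"\']}
                val=${val%[\"\']}
                ;;
        esac
    done < "$1"
    printf '%s\n' "$val"
}

# check_authority FILE HOSTNAME: succeed if OPENAAA_AUTHORITY in FILE is HOSTNAME.
check_authority() {
    have=$(env_value "$1" OPENAAA_AUTHORITY)
    if [ "$have" != "$2" ]; then
        echo "$1: OPENAAA_AUTHORITY is '$have', expected '$2'" >&2
        return 1
    fi
}

# Demonstration on constructed input in a temporary directory, not a real host.
demo_root=$(mktemp -d)
for d in $AAA_DIRS; do mkdir -p "$demo_root$d"; done
mkdir -p "$demo_root/etc/sysconfig"
printf 'OPENAAA_PROTOCOL=aaa\nOPENAAA_HANDLER=/usr/local/bin/aducid\nOPENAAA_AUTHORITY=aim.example.test\n' \
    > "$demo_root/etc/sysconfig/aducid-aaa"
check_dirs "$demo_root" && echo "directories: ok"
check_authority "$demo_root/etc/sysconfig/aducid-aaa" aim.example.test && echo "authority: ok"
rm -rf "$demo_root"
```

On the real host, call `check_dirs ""` and `check_authority /etc/sysconfig/aducid-aaa "$(hostname)"`; the same check works for /etc/profile.d/openaaa.sh, since `env_value` accepts the `export` prefix used there.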
<codedoc>
vi /opt/aaa/bin/aducid-aaa.sh
</codedoc>
<sxh>
#!/bin/bash -x
#
# Start, stop or restart the ADUCID-AAA service
#

# PATH=/sbin:/usr/sbin:$PATH
RETVAL=0
PIDFILE=/var/run/aaad.pid

# Check that networking is up.
[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network

usage ()
{
        echo $"Usage: $0 {start|stop|restart|status}" 1>&2
        RETVAL=2
}

start ()
{
        /usr/bin/aaa -s -vv &
}

stop ()
{
        if [ -f "$PIDFILE" ]; then
                kill -9 "$(cat "$PIDFILE")"
        else
                echo "$PIDFILE not found, is the service running?" 1>&2
                RETVAL=1
        fi
}

status ()
{
        # The daemon writes its PID to $PIDFILE; report whether that process is alive.
        if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
                echo "aaad (pid $(cat "$PIDFILE")) is running"
        else
                echo "aaad is not running"
                RETVAL=3
        fi
}

restart ()
{
        stop
        start
}

case "$1" in
    start) start ;;
    stop) stop ;;
    status) status ;;
    restart|reload|force-reload) restart ;;
    *) usage ;;
esac

exit $RETVAL
</sxh>

**Directory to import mypeig.aducid.com info**
<sxh>
mkdir -p ~/psqltools/myPEIG
</sxh>
Put the following files into the above directory and strip the ".file" extension:
  * {{ :documentation:install:insert_home_aim_mypeig.sql.file |insert_home_aim_mypeig.sql.file}}
  * {{ :documentation:install:mypeig.aducid.com.crt.file |mypeig.aducid.com.crt.file}}
<sxh>
cd ~/psqltools/myPEIG
mv insert_home_aim_mypeig.sql.file insert_home_aim_mypeig.sql
mv mypeig.aducid.com.crt.file mypeig.aducid.com.crt
</sxh>

===== Installation =====

Do one of the following:

  * Connect the ADUCID Server Kit DVD to the virtual machine and mount it at /media/ADUCID
  * Copy the repository directory from the ADUCID Server Kit DVD to /media/ADUCID

Install and run the aducid-installer script:
<sxh>
# the RPM files are located in this directory
cd /media/ADUCID/repository/el7/x86_64
# find the exact filename using the TAB key at the command prompt
yum localinstall aducid-repository-1.0-4.el7.centos.noarch.rpm
# ditto for the installer package
yum localinstall aducid-installer-4.1.0-1.rc1.el7.centos.noarch.rpm
# the install script is now in the path (/usr/local/bin); invoke it
aducid-installer
</sxh>

The aducid-installer script (see /usr/local/bin/aducid-installer.sh) asks for the AIM server parameters:

| hostname | Preferably the whole DNS name |
| service provider ID | Internal identification of the AIM machine. The DNS hostname is a good candidate. |
| icon file | 100x100 .png file that will be shown on client PEIGs. This can be changed at any time; the files are located in /usr/share/pixmaps |
| replication password | In fact, the DB access password for the account created during the install |

===== Post-install checks =====
==== Certificates ====

Certificates for SSL communication (like the other parameters of SSL/TLS communication) need to be set in /opt/aaa/conf/aducid-aaa.conf. The install script may overwrite your previous settings. After correcting these settings, restart the httpd24-httpd service.
<codedoc code:bash>
SSLCertificateFile      /opt/aaa/certs/wild.aducid.com.crt
SSLCertificateKeyFile   /opt/aaa/certs/wild.aducid.com.key
SSLCertificateChainFile /opt/aaa/certs/Thawte.CA.Intermediate.SHA256.crt
SSLCACertificateFile    /opt/aaa/certs/Thawte.CA.Primary.Root.G3.crt
</codedoc>

Other certificates used by the ADUCID server are listed in /opt/tomcat/conf/ADUCID.properties. After you point these parameters at your certificate files, tomcat9.service needs to be restarted.
<sxh bash>
PUBLIC_KEY=/opt/aaa/certs/wild.aducid.com.crt
PRIVATE_KEY=/opt/aaa/certs/wild.aducid.com.key
</sxh>
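Because the install script can overwrite the certificate settings, it pays to validate what aducid-aaa.conf actually points at before restarting httpd. The script below is an added example and not ADUCID's own tooling: it reads the four SSL directives from the config, checks that the private key is not readable by group or others, and, when the openssl command is present, confirms that the key and certificate belong together and that the certificate chains to the CA through the chain file. The function names, the demo subject aim.example.test and the self-signed demo certificate are my own constructions; the directive names are those shown on the page.

```bash
#!/bin/sh
# Added example, not ADUCID's own tooling: sanity-check the TLS material that
# aducid-aaa.conf points at before restarting httpd24-httpd.

# conf_path CONF DIRECTIVE: print the path given for an Apache directive.
conf_path() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# key_perms_ok KEYFILE: succeed if the mode grants nothing to group or others.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in
        *00) return 0 ;;
        *) echo "$1: mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# key_matches_cert KEYFILE CERTFILE: succeed if both carry the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# chain_verifies CERTFILE CHAINFILE CAFILE: succeed if CERT validates against
# CA with the intermediate(s) taken from CHAINFILE.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# check_tls_config CONF: run all checks on the files named in CONF.
check_tls_config() {
    cert=$(conf_path "$1" SSLCertificateFile)
    key=$(conf_path "$1" SSLCertificateKeyFile)
    chain=$(conf_path "$1" SSLCertificateChainFile)
    ca=$(conf_path "$1" SSLCACertificateFile)
    rc=0
    for f in "$cert" "$key" "$chain" "$ca"; do
        [ -n "$f" ] && [ -r "$f" ] || { echo "missing or unreadable: '$f'" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    key_perms_ok "$key" || rc=1
    if command -v openssl >/dev/null 2>&1; then
        key_matches_cert "$key" "$cert" || { echo "key does not match certificate" >&2; rc=1; }
        chain_verifies "$cert" "$chain" "$ca" || { echo "certificate does not chain to the CA" >&2; rc=1; }
    fi
    return $rc
}

# Demonstration on a constructed self-signed certificate in a temporary
# directory (needs openssl); the self-signed certificate doubles as chain and CA.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=aim.example.test \
        -keyout "$demo/aim.key" -out "$demo/aim.crt" 2>/dev/null
    chmod 600 "$demo/aim.key"
    printf 'SSLCertificateFile      %s\nSSLCertificateKeyFile   %s\nSSLCertificateChainFile %s\nSSLCACertificateFile    %s\n' \
        "$demo/aim.crt" "$demo/aim.key" "$demo/aim.crt" "$demo/aim.crt" > "$demo/aducid-aaa.conf"
    check_tls_config "$demo/aducid-aaa.conf" && echo "TLS configuration: ok"
    rm -rf "$demo"
fi
```

On the real host run `check_tls_config /opt/aaa/conf/aducid-aaa.conf` before `systemctl restart httpd24-httpd`; `key_perms_ok` on the PRIVATE_KEY path from ADUCID.properties covers the Tomcat side, where the key must be readable by the account Tomcat runs as and nobody else.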

It is recommended to restart the server after installation.
==== Component checks ====

After the restart, check the status of the main components (post-install checks):
<codedoc code:bash>
orange-d3:~ root$ systemctl -l status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-11-07 23:11:21 CET; 2h 50min ago
 Main PID: 4800 (httpd)
   Status: "Total requests: 38; Idle/Busy workers 100/0;Requests/sec: 0.00373; Bytes served/sec:   7 B/sec"
   CGroup: /system.slice/httpd.service
           ├─4800 /usr/sbin/httpd -DFOREGROUND
           ├─4801 /usr/sbin/httpd -DFOREGROUND
           ├─4802 /usr/sbin/httpd -DFOREGROUND
           ├─4803 /usr/sbin/httpd -DFOREGROUND
           ├─4804 /usr/sbin/httpd -DFOREGROUND
           ├─4806 /usr/sbin/httpd -DFOREGROUND
           └─5528 /usr/sbin/httpd -DFOREGROUND

orange-d3:~ root$ systemctl -l status aducid-aaa.service
● aducid-aaa.service - The ADUCID AAA Module
   Loaded: loaded (/usr/lib/systemd/system/aducid-aaa.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-06-25 22:54:50 CEST; 11min ago
  Process: 890 ExecStart=/opt/aaa/bin/aducid-aaa.sh start (code=exited, status=0/SUCCESS)
 Main PID: 901 (aaa)
   CGroup: /system.slice/aducid-aaa.service
           ├─901 aaad
           ├─905 aaa/1
           ├─906 aaa/2
           ├─907 aaa/3
           └─908 aaa/4

Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: sess.created:1529960583
Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: sess.modified:1529960583
Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: sess.expires:1529967783
Jun 25 23:03:03 orange-d3.aducid.com aaa[906]: 127.0.0.1:36274 sent 168 byte(s)
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: 127.0.0.1:52677 recv 94 byte(s)
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.id:a6ae3724b541fb22127a207882e99ee2d1b0c762922ceff78dd4839872a712ab
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.created:1529960583
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.modified:1529960583
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: sess.expires:1529967783
Jun 25 23:03:03 orange-d3.aducid.com aaa[905]: 127.0.0.1:52677 sent 168 byte(s)

orange-d3:~ root$ systemctl -l status tomcat9.service
● tomcat9.service - Apache Tomcat 9.0.6 Servlet Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat9.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-06-25 22:54:50 CEST; 12min ago
  Process: 887 ExecStart=/opt/tomcat/bin/tomcat-startup.sh (code=exited, status=0/SUCCESS)
 Main PID: 921 (java)
   CGroup: /system.slice/tomcat9.service
           └─921 /usr/java/default/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -server -Dcom.sun.management.jmxremote.port=8086 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Xms2g -Xmx2g -XX:+UseG1GC -XX:+UseStringDeduplication -XX:MaxGCPauseMillis=100 -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start

Jun 25 22:54:50 orange-d3.aducid.com systemd[1]: Starting Apache Tomcat 9.0.6 Servlet Container...
Jun 25 22:54:50 orange-d3.aducid.com tomcat-startup.sh[887]: + cd /opt/tomcat
Jun 25 22:54:50 orange-d3.aducid.com tomcat-startup.sh[887]: + ./bin/startup.sh
Jun 25 22:54:50 orange-d3.aducid.com systemd[1]: Started Apache Tomcat 9.0.6 Servlet Container.
</codedoc>

==== Component log checks ====

The system is fully ready after the Tomcat server has started. This can be checked by looking into Tomcat's catalina.out (tomcat log):

<codedoc code:bash>
orange-d3:~ root$ tail -f /opt/tomcat/logs/catalina.out
Not found in 'org.owasp.esapi.resources' directory or file not readable: /opt/apache-tomcat-9.0.6/validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi/validation.properties
Not found in 'user.home' (/opt/tomcat) directory: /opt/tomcat/esapi/validation.properties
Loading validation.properties via file I/O failed.
Attempting to load validation.properties via the classpath.
SUCCESSFULLY LOADED validation.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
25-Jun-2018 22:57:07.841 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/opt/apache-tomcat-9.0.6/webapps/qrtest.war] has finished in [3,228] ms
25-Jun-2018 22:57:07.861 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
25-Jun-2018 22:57:07.884 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
25-Jun-2018 22:57:07.889 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 133079 ms
</codedoc>
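The readiness signal described above is the "Server startup in N ms" line in catalina.out. The script below is an added example, not from the ADUCID documentation: it waits for that line with a timeout instead of watching `tail -f` by hand, reports the startup time, and counts SEVERE entries logged since that startup so a provisioning script can fail early. The function names and the constructed log fragment (the SEVERE line in particular) are mine; the startup line is copied from the page's output.

```bash
#!/bin/sh
# Added example, not from the ADUCID documentation: wait for Tomcat's
# "Server startup in N ms" line in catalina.out and report on it.

# tomcat_startup_ms LOGFILE: print the startup time in ms from the latest
# "Server startup in ... ms" line; fail silently if Tomcat is not up yet.
# Tomcat 9.0.6 prints "in 133079 ms"; later releases bracket the number and
# write "milliseconds", so both forms are accepted.
tomcat_startup_ms() {
    ms=$(grep 'Catalina.start Server startup in' "$1" 2>/dev/null | tail -n 1 \
         | sed 's/.*Server startup in \[*\([0-9]*\)\]* m.*/\1/')
    case $ms in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$ms"
}

# tomcat_severe_count LOGFILE: number of SEVERE lines after the latest startup line.
tomcat_severe_count() {
    awk '/Catalina.start Server startup in/ { n = 0; next } / SEVERE / { n++ } END { print n + 0 }' "$1"
}

# wait_for_tomcat LOGFILE TIMEOUT: poll once a second until the startup line appears.
wait_for_tomcat() {
    waited=0
    while [ "$waited" -lt "$2" ]; do
        if ms=$(tomcat_startup_ms "$1"); then
            echo "tomcat ready (startup took $ms ms, $(tomcat_severe_count "$1") SEVERE entries since)"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "tomcat not ready after $2 s" >&2
    return 1
}

# Demonstration on a constructed catalina.out fragment modelled on the page's
# output; the SEVERE line is invented to show the counter.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
25-Jun-2018 22:57:07.861 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
25-Jun-2018 22:57:07.884 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
25-Jun-2018 22:57:07.889 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 133079 ms
25-Jun-2018 22:58:01.000 SEVERE [main] org.apache.catalina.core.StandardContext.startInternal Context [/example] startup failed
EOF
wait_for_tomcat "$demo_log" 5
rm -f "$demo_log"
```

On the real host call `wait_for_tomcat /opt/tomcat/logs/catalina.out 300` right after `systemctl start tomcat9.service`. While reviewing the status output above, note that the tomcat9.service command line enables JMX on port 8086 with `jmxremote.authenticate=false` and `jmxremote.ssl=false`; make sure that port is reachable only from the host itself.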

Other log files:
| AIM | /opt/tomcat/log/aim.log |
| tomcat9.service | /opt/tomcat/logs/* |
| aducid-aaa.service | /var/log/messages |
| httpd.service | /var/log/httpd/* |

RPM component summary:
| aducid-configurator.rpm | installation and config script |
| aducid-repository.rpm | yum repository file |
| aducid-aaa-modules.rpm | Apache settings for ADUCID components |
| aim.rpm | AIM and all basic components |
| aducid-proof.rpm | Sample identity proofing apps |

  