PortalInstall
How the machine was prepared
Create a VM in the T2B cloud with 12GB of disk size, 1 CPU, 2GB of RAM, and 2 NICs (one in the public and the other in the private network).
For the disk creation in OpenNebula, we chose a persistent datablock.
Deployment of the machine with Quattor :
- machine-type : grid/base (ui would have been a best choice for grid jobs support)
- filesystem : classic_single_root (see config/filesystems)
- operating system : SL6x
Installation of some extra packages required by gUSE done by adding these lines in the machine profile :
'/software/packages/{java-1.7.0-openjdk}' ?= nlist();
'/software/packages/{java-1.7.0-openjdk-devel}' ?= nlist();
'/software/packages/{xorg-x11-xauth}' ?= nlist();
'/software/packages/{mysql-server}' ?= nlist();
Choice of the version of the portal
After some compatibility tests, we chose to install gUSE 3.6.8 with java-1.7.0-openjdk.
Installation process
We followed the procedure described in the PDF "gUSE_Install_Wizard_Manual_v3.6.8" to the letter, thus using the wizard.
Installation of release 3.7.x
It has been tested under SL6.8 with java-1.8.0-openjdk-1.8.0.111-0.b15. We have met the problem described in this thread : https://sourceforge.net/p/guse/discussion/1672628/thread/4aa465ec/
To solve the problem :
- remove apache-tomcat-7.0.55/lib/javaee-api-5.0-1.jar
- copy http://central.maven.org/maven2/javax/transaction/jta/1.1/jta-1.1.jar and http://central.maven.org/maven2/javax/persistence/persistence-api/1.0.2/persistence-api-1.0.2.jar under apache-tomcat-7.0.55/lib/.
And then, follow the installation procedure from the manual.
Securing the portal
Hardening tomcat
As explained in the manual, it is very important to change the default password of the test@liferay.com user right after the first login. But that's not enough ! After you've done with the Service Wizard step (http://<URL_install_backend>:8080/information), shutdown the portal, change the password of the admin user in tomcat-users.xml, and create the file /home/guse/guse/apache-tomcat-7.0.55/conf/Catalina/localhost/manager.xml with the following content :
<Context antiResourceLocking="false" privileged="true" docBase="${catalina.home}/webapps/manager">
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127.0.0.1|192.168.10.*|193.190.247.*|193.58.172.*" denyStatus="404" />
</Context>
(Don't forget to "chown guse:guse" this file !)
After the restart of the portal, access to http://<URL_install_backend>:8080/manager will be restricted to the IPs allowed in manager.xml. If you don't do this, you will undergo brute force attacks (trying to guess the admin password), and this kind of attacks will put some pressure on the server.
Switching to https
First you need to generate a java kestore (JKS format) from the certificate and key :
openssl pkcs12 -export -inkey /etc/grid-security/hostkey.pem -in /etc/grid-security/hostcert.pem -out cert.p12 keytool -importkeystore -srckeystore cert.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks -deststorepass changeit
Tomcat will expect to find a keystore file .keystore in the home directory of the user that is running the application (i.e. "guse"). In clear, you still need to do :
cp keystore.jks /home/guse/.keystore chown guse:guse /home/guse/.keystore
Now you can activate the https connector by uncommenting the following stenza in server.xml :
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
After having restarted the portal, you can access it through an 'https://' URL.