PortalInstall

From T2B Wiki
Latest revision as of 18:29, 21 July 2017

How the machine was prepared

Create a VM in the T2B cloud with 12GB of disk size, 1 CPU, 2GB of RAM, and 2 NICs (one in the public and the other in the private network).

For the disk creation in OpenNebula, we chose a persistent datablock.

Deployment of the machine with Quattor:

  • machine-type : grid/base (ui would have been a better choice for grid job support)
  • filesystem : classic_single_root (see config/filesystems)
  • operating system : SL6x

Some extra packages required by gUSE were installed by adding these lines to the machine profile:

'/software/packages/{java-1.7.0-openjdk}' ?= nlist();
'/software/packages/{java-1.7.0-openjdk-devel}' ?= nlist();
'/software/packages/{xorg-x11-xauth}' ?= nlist();
'/software/packages/{mysql-server}' ?= nlist();

Choice of the version of the portal

After some compatibility tests, we chose to install gUSE 3.6.8 with java-1.7.0-openjdk.


Installation process

We followed the procedure described in the PDF "gUSE_Install_Wizard_Manual_v3.6.8" to the letter, thus using the wizard.

Installation of release 3.7.x

It has been tested under SL6.8 with java-1.8.0-openjdk-1.8.0.111-0.b15. We ran into the problem described in this thread: https://sourceforge.net/p/guse/discussion/1672628/thread/4aa465ec/

To solve the problem:

Then follow the installation procedure from the manual.

Securing the portal

Hardening tomcat

As explained in the manual, it is very important to change the default password of the test@liferay.com user right after the first login. But that is not enough! After you are done with the Service Wizard step (http://<URL_install_backend>:8080/information), shut down the portal, change the password of the admin user in tomcat-users.xml, and create the file /home/guse/guse/apache-tomcat-7.0.55/conf/Catalina/localhost/manager.xml with the following content:

<Context antiResourceLocking="false" privileged="true" docBase="${catalina.home}/webapps/manager">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="127.0.0.1|192.168.10.*|193.190.247.*|193.58.172.*" denyStatus="404" />
</Context>

(Don't forget to "chown guse:guse" this file!)

After the portal has been restarted, access to http://<URL_install_backend>:8080/manager is restricted to the IPs allowed in manager.xml. If you skip this step, the manager application will be subjected to brute-force attacks (guessing the admin password), and this kind of attack puts load on the server.
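To check what an allow= pattern like the one above really admits, here is an added Python example (not from the wiki page or from Tomcat). It models the valve's behaviour: RemoteAddrValve matches the allow regex against the whole remote socket address (a full match, Java Pattern.matches), so an unescaped '.' matches any character and a trailing '.*' accepts anything after the prefix. The sample client addresses and the stricter pattern are constructed for this example.

```python
import re

# allow= value exactly as written in the manager.xml above.
PAGE_ALLOW = r"127.0.0.1|192.168.10.*|193.190.247.*|193.58.172.*"

# The same four ranges with every '.' escaped and the host octet bounded,
# so only the intended addresses match (constructed for this example).
STRICT_ALLOW = (r"127\.0\.0\.1|192\.168\.10\.\d{1,3}"
                r"|193\.190\.247\.\d{1,3}|193\.58\.172\.\d{1,3}")


def valve_status(remote_addr, allow, deny_status=404):
    """Model of Tomcat's RemoteAddrValve with only an allow= attribute:
    the regex must match the entire remote socket address, otherwise the
    request is answered with denyStatus. Headers such as X-Forwarded-For
    are not consulted by this valve."""
    if re.fullmatch(allow, remote_addr):
        return 200
    return deny_status


def compare(addrs):
    """Status each address gets under the page's pattern and the strict one."""
    return {a: (valve_status(a, PAGE_ALLOW), valve_status(a, STRICT_ALLOW))
            for a in addrs}


if __name__ == "__main__":
    # Constructed sample client addresses (not from the wiki page).
    samples = ["127.0.0.1", "192.168.10.42", "193.190.247.250",
               "10.0.0.1", "192.168.100.7"]
    for addr, (page, strict) in compare(samples).items():
        print(f"{addr:16} page={page} strict={strict}")
```

192.168.100.7 is admitted by the page's pattern (192.168.10 followed by anything) but rejected by the escaped one; tighten the allow list if that wider match is not intended.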

Switching to https

First you need to generate a Java keystore (JKS format) from the host certificate and key:

openssl pkcs12 -export -inkey /etc/grid-security/hostkey.pem -in /etc/grid-security/hostcert.pem -out cert.p12
keytool -importkeystore -srckeystore cert.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks -deststorepass changeit

Tomcat expects to find a keystore file named .keystore in the home directory of the user running the application (i.e. "guse"). Concretely, you still need to run:

cp keystore.jks /home/guse/.keystore
chown guse:guse /home/guse/.keystore

Now you can activate the HTTPS connector by uncommenting the following stanza in server.xml:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

After restarting the portal, you can access it through an 'https://' URL.
