Difference between revisions of "SUNScholar/Prepare Ubuntu/S05/Ubuntu-14.04"

Latest revision as of 20:27, 22 June 2016


Step 5.1: Install Tomcat

Type the following:

sudo apt-get install tomcat7

Step 5.2: Allow Tomcat to listen on ports "80" and "443"

Step 5.2.1: Setup "authbind" for Tomcat

To enable Tomcat to listen on a privileged port (below 1024), we need to enable "authbind". Edit the /etc/default/tomcat7 file as follows:

sudo nano /etc/default/tomcat7

Remove the hash sign from in front of the AUTHBIND parameter and change its value to yes, as follows:

# If you run Tomcat on port numbers that are all higher than 1023, then you
# do not need authbind.  It is used for binding Tomcat to lower port numbers.
# NOTE: authbind works only with IPv4.  Do not enable it when using IPv6.
# (yes/no, default: no)
AUTHBIND=yes

Save and exit the file.

Now we need to tell "authbind" that Tomcat is allowed to use lower port numbers. Type the following commands:

sudo touch /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
sudo chmod 0755 /etc/authbind/byport/80
sudo chmod 0755 /etc/authbind/byport/443
sudo chown tomcat7.tomcat7 /etc/authbind/byport/80
sudo chown tomcat7.tomcat7 /etc/authbind/byport/443
cd /etc/authbind/byport
ls -l

Now Tomcat has permission to use ports 80 and 443. See below for an example listing of the files in the /etc/authbind/byport folder.

dspace@dspace:/etc/authbind/byport# ls -l
total 0
-rwxr-xr-x 1 tomcat7 tomcat7 0 2011-06-10 18:33 443
-rwxr-xr-x 1 tomcat7 tomcat7 0 2011-06-10 18:33 80

Step 5.2.2: Setup Tomcat to listen on insecure port 80

Now we tell the Tomcat server to listen on the "authbind" ports. Edit the following file:

sudo nano /etc/tomcat7/server.xml

Find the connector for port 8080 and change it to port 80.

See example below.

    <Connector port="80" protocol="HTTP/1.1" 
               enableLookups="false"
               maxConnections="-1"
               maxThreads="450"
               maxHttpHeaderSize="16384"
               connectionTimeout="20000" 
               URIEncoding="UTF-8"
               redirectPort="443" />

If enabled, comment out the AJP 1.3 connector. It is not needed.

Save and exit the file.

Step 5.2.3: Setup Tomcat to listen on secure port 443

Please go to: http://wiki.lib.sun.ac.za/index.php/SUNScholar/Secure_Internet_Connections later, after installation, to set up the secure port 443.

For now and for testing, it is fine to use only port 80 for Tomcat connections.

Step 5.3: Setup Tomcat admin users

Type as follows:

sudo nano /etc/tomcat7/tomcat-users.xml

Delete all the contents of the file and add the following admin and manager roles with a password. Replace XXXX with your password!

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-jmx"/>
  <user username="dspace" password="XXXX" roles="manager-gui,manager-jmx"/>
</tomcat-users>

Save and exit the file.

Step 5.4 Java environment settings for Tomcat webapp server

To set up the environment variables for Tomcat Java web applications, type the following:

sudo nano /etc/default/tomcat7

After determining how much RAM is installed on your server, it is best practice to use about 50% of the RAM for Java.

Check the following for comparison:

# You may pass JVM startup parameters to Java here. If unset, the default
# options (-Djava.awt.headless=true -Xmx128m) will be used.
#JAVA_OPTS="-Djava.awt.headless=true -Xmx128m"
JAVA_OPTS="-Djava.awt.headless=true -Xmx2048m -Xms1024m -XX:MaxPermSize=1024m"

See: http://stackoverflow.com/questions/5241743/what-is-the-use-of-java-opts-environment-variable

Save and exit the file.

Java settings used on SUNScholar currently

Your settings will depend on how much RAM you have available to assign to the Tomcat server. See graph below as well.

JAVA_OPTS="-Djava.awt.headless=true -Xmx65536m -XX:+UseConcMarkSweepGC"

Graph of RAM memory usage on SUNScholar.

[Image: Memory-year.png]

Step 5.5 Setup Tomcat server permissions

Please see: http://stackoverflow.com/questions/2645298/how-to-sanely-configure-security-policy-in-tomcat-6 and https://www.mulesoft.com/tcat/tomcat-security

Type the following:

sudo nano /etc/default/tomcat7

Change "TOMCAT7_SECURITY" to yes.

# Use the Java security manager? (yes/no, default: no)
TOMCAT7_SECURITY=yes

Save and exit the file.


Create the DSpace security policy:

sudo nano /etc/tomcat7/policy.d/05dspace.policy

Copy and paste the following:

grant codeBase "file:/home/dspace/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:/tmp/-" {
  permission java.security.AllPermission;
};

Save and exit the file.


Update the file permissions for the policy:

sudo chown root.tomcat7 /etc/tomcat7/policy.d/05dspace.policy

Step 5.6: Setup user permissions

cd
sudo adduser tomcat7 dspace
sudo adduser dspace tomcat7

Step 5.7: Restart the Tomcat server

Now restart the Tomcat server as follows:

sudo service tomcat7 restart

Step 5.8: Post Tomcat installation checks

Now let's check whether all went well:

sudo netstat -tapn | grep java

Tomcat should be listening on port 80 now:

dspace@dspace:~# sudo netstat -tapn | grep java
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      11093/java      
tcp6       0      0 :::80                   :::*                    LISTEN      11093/java      

That's it, now you have a working Java webapp server.
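As an added post-installation check (my own example, not part of the original wiki page), the script below audits the settings from Steps 5.2, 5.4 and 5.5 against constructed copies of /etc/default/tomcat7 and 05dspace.policy: it confirms AUTHBIND and TOMCAT7_SECURITY are set to yes, applies the 50%-of-RAM guideline to -Xmx, and lists every codeBase the policy grants java.security.AllPermission to, since such a grant leaves the security manager with nothing to enforce for that code. The sample file contents and the ram_mb value are assumptions.

```python
import re
# Constructed samples of the files edited in Steps 5.4 and 5.5 (assumed content).
SAMPLE_DEFAULTS = """\
AUTHBIND=yes
#JAVA_OPTS="-Djava.awt.headless=true -Xmx128m"
JAVA_OPTS="-Djava.awt.headless=true -Xmx2048m -Xms1024m -XX:MaxPermSize=1024m"
TOMCAT7_SECURITY=yes
"""
SAMPLE_POLICY = """\
grant codeBase "file:/home/dspace/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:/tmp/-" {
  permission java.security.AllPermission;
};
"""
def parse_defaults(text):
    """Active (uncommented) KEY=value pairs from a /etc/default file, quotes stripped."""
    pairs = re.findall(r'^\s*([A-Z0-9_]+)=(.*)$', text, re.M)
    return {k: v.strip().strip('"') for k, v in pairs}

def heap_max_mb(java_opts):
    """Value of -Xmx in MB, or None when JAVA_OPTS does not set it."""
    m = re.search(r'-Xmx(\d+)([mMgG])', java_opts)
    if not m:
        return None
    return int(m.group(1)) * (1024 if m.group(2).lower() == 'g' else 1)

def parse_policy(text):
    """Map each codeBase in a Java policy file to the permissions its grant block lists."""
    grants = {}
    for base, body in re.findall(r'grant\s+codeBase\s+"([^"]+)"\s*\{([^}]*)\}', text):
        grants[base] = re.findall(r'permission\s+([\w.]+)', body)
    return grants

def audit(defaults_text, policy_text, ram_mb):  # findings; [] means every step matches
    d = parse_defaults(defaults_text)
    findings = []
    if d.get('AUTHBIND') != 'yes':
        findings.append('AUTHBIND is not yes: Tomcat cannot bind ports 80/443')
    if d.get('TOMCAT7_SECURITY') != 'yes':
        findings.append('TOMCAT7_SECURITY is not yes: Java security manager is off')
    xmx = heap_max_mb(d.get('JAVA_OPTS', ''))
    if xmx is None or xmx > ram_mb // 2:
        findings.append(f'-Xmx missing or above 50% of RAM ({ram_mb // 2} MB)')
    for base, perms in parse_policy(policy_text).items():
        if 'java.security.AllPermission' in perms:
            findings.append(f'AllPermission granted to codeBase {base}')
    return findings
```

Run it against the real files with open('/etc/default/tomcat7').read(), open('/etc/tomcat7/policy.d/05dspace.policy').read() and the server's RAM in MB; the page's own policy produces two AllPermission findings by design.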

Step 5.9: Troubleshooting

  • Check the optimisations done for Tomcat in the link below:
    http://wiki.lib.sun.ac.za/index.php/SUNScholar/Optimisations/Tomcat
  • Please remember that only ONE server at a time may listen on any given TCP/UDP port on your server.
  • A reboot of the server may be needed to get Tomcat working on ports 80 and 443 correctly.
  • Later on, during the actual DSpace installation, you will have to select a "root" webapp so that you have a clean URL. See the link below:
    http://wiki.lib.sun.ac.za/index.php/SUNScholar/Install_DSpace/S08
