Differences

This shows you the differences between two versions of the page.

--- docpublic:systemes:shibboleth:idpv3xc8 [2020/06/04 14:38]
procacci@tem-tsp.eu created
+++ docpublic:systemes:shibboleth:idpv3xc8 [2020/07/04 15:15] (current)
procacci@tem-tsp.eu [proxy et TLS via apache]
@@ Line 81: / Line 81: @@
 </code>
+==== tomcat package tgz ====
+<code>
+[root@idpx ~]# wget https://downloads.apache.org/tomcat/tomcat-9/v9.0.35/bin/apache-tomcat-9.0.35.tar.gz
+[root@idpx ~]# cd /opt
+[root@idpx opt]# tar xvfz /root/apache-tomcat-9.0.35.tar.gz
+[root@idpx opt]# mv apache-tomcat-9.0.35/* ./tomcat/
+</code>
+resultat
+<code>
+[root@idpx opt]# ls -al tomcat/
+total 164
+drwx------ 9 tomcat tomcat  4096 Jun  4 21:56 .
+drwxr-xr-x 5 root   root    4096 Jun  4 21:54 ..
+-rw-r--r-- 1 tomcat tomcat    18 Oct  1  2019 .bash_logout
+-rw-r--r-- 1 tomcat tomcat   141 Oct  1  2019 .bash_profile
+-rw-r--r-- 1 tomcat tomcat   312 Oct  1  2019 .bashrc
+-rw-r----- 1 root   root   18982 May  5 22:40 BUILDING.txt
+-rw-r----- 1 root   root    5409 May  5 22:40 CONTRIBUTING.md
+-rw-r----- 1 root   root   57092 May  5 22:40 LICENSE
+-rw-r----- 1 root   root    2333 May  5 22:40 NOTICE
+-rw-r----- 1 root   root    3255 May  5 22:40 README.md
+-rw-r----- 1 root   root    6898 May  5 22:40 RELEASE-NOTES
+-rw-r----- 1 root   root   16262 May  5 22:40 RUNNING.txt
+drwxr-x--- 2 root   root    4096 Jun  4 21:54 bin
+drwx------ 2 root   root    4096 May  5 22:40 conf
+drwxr-x--- 2 root   root    4096 Jun  4 21:54 lib
+drwxr-x--- 2 root   root    4096 May  5 22:36 logs
+drwxr-x--- 2 root   root    4096 Jun  4 21:54 temp
+drwxr-x--- 7 root   root    4096 May  5 22:37 webapps
+drwxr-x--- 2 root   root    4096 May  5 22:36 work
+</code>
+positionnement des droits d'acces au comte tomcat
+<code>
+[root@idpx opt]# chown -R tomcat:tomcat /opt/tomcat/
+</code>
+==== parametrage tomcat =====
+acces manager
+<code>
+[root@idpx opt]# diff /opt/tomcat/webapps/manager/META-INF/context.xml /opt/tomcat/webapps/manager/META-INF/context.xml.orig
+c20
+<          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|157.19.19.13" />
+---
+>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
+</code>
-==== parametrage compte admin tomcat =====
 compte admin d'acces au l'appli manager/html
 <code>
-[root@idp3 tomcat]# diff -ur tomcat-users.xml.orig tomcat-users.xml
+[root@idpx opt]# diff /opt/tomcat/conf/tomcat-users.xml /opt/tomcat/conf/tomcat-users.xml.orig
---- tomcat-users.xml.orig	2016-05-11 22:26:59.631449352 +0200
+,46d43
-+++ tomcat-users.xml	2016-05-11 22:29:33.294032465 +0200
+<   <role rolename="manager-gui"/>
-@@ -34,13 +34,13 @@
+<   <role rolename="admin-gui"/>
-   <user username="role1" password="tomcat" roles="role1"/>
+<   <user username="dsi" password="secret" roles="manager-gui,admin-gui"/>
- -->
--<!-- <role rolename="admin"/> -->
--<!-- <role rolename="admin-gui"/> -->
--<!-- <role rolename="admin-script"/> -->
--<!-- <role rolename="manager"/> -->
--<!-- <role rolename="manager-gui"/> -->
--<!-- <role rolename="manager-script"/> -->
--<!-- <role rolename="manager-jmx"/> -->
--<!-- <role rolename="manager-status"/> -->
--<!-- <user name="admin" password="adminadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> -->
-+<role rolename="admin"/>
-+<role rolename="admin-gui"/>
-+<role rolename="admin-script"/>
-+<role rolename="manager"/>
-+<role rolename="manager-gui"/>
-+<role rolename="manager-script"/>
-+<role rolename="manager-jmx"/>
-+<role rolename="manager-status"/>
-+<user name="admin" password="secretadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" />
- </tomcat-users>
 </code>
-==== activation au boot ====
+==== activation par systemd ====
 <code>
-[root@idp3 tomcat]# systemctl enable tomcat.service
+[root@idpx opt]# vim /etc/systemd/system/tomcat.service
-Created symlink from /etc/systemd/system/multi-user.target.wants/tomcat.service to /usr/lib/systemd/system/tomcat.service.
+[root@idpx opt]# cat /etc/systemd/system/tomcat.service
+[Unit]
+Description=Tomcat 9
+After=network.target
+[Service]
+Type=forking
+User=tomcat
+Group=tomcat
+Environment="JAVA_HOME=/usr/lib/jvm/jre"
+Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
+Environment="CATALINA_BASE=/opt/tomcat"
+Environment="CATALINA_HOME=/opt/tomcat"
+Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
+Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
+ExecStart=/opt/tomcat/bin/startup.sh
+ExecStop=/opt/tomcat/bin/shutdown.sh
+[Install]
+WantedBy=multi-user.target
-[root@idp3 tomcat]# systemctl start tomcat.service
 </code>
+==== start ====
+<code>
+[root@idpx ~]# systemctl daemon-reload
+[root@idpx ~]# systemctl enable tomcat.service
+[root@idpx ~]# systemctl start tomcat.service
+</code>
+===== firewall =====
+<code>
+[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/24" port port=8080 protocol=tcp log prefix="http8080" accept'
+success
+[root@idpx opt]# firewall-cmd --reload
+success
+[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="http" log prefix="http" accept'
+success
+[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="https" log prefix="https" accept'
+success
+[root@idpx opt]# firewall-cmd --reload
+success
+</code>
+ou plus generalement
+firewall-cmd --zone=public --permanent --add-port=8080/tcp
 ==== acces tomcat ====
-le serveur est maintenant acessible , exemple
+le serveur est maintenant accessible , exemple
-http://idp3.tem-tsp.eu:8080/manager/html (login/pass definit plus haut)
+http://idpx.tem-tsp.eu:8080/manager/html (login/pass definit plus haut)
-==== proxy-ajp et TLS via apache =====
+sauf si l'adresse ip source de consultation n'est pas autorisé par le control d'acces de l'application manager , cf adresse IP dans le parametre allow :
-mise en place d'un proxy ajp pour une gestion de TLS et ports par defaut (80/443) par apache
+<code>
+[root@idpx ~]# vim /opt/tomcat/webapps/manager/META-INF/context.xml
+<Context antiResourceLocking="false" privileged="true" >
+  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
+         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192.168.0.10|10.10.10.11" />
+  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
+</Context>
+</code>
+==== proxy et TLS via apache =====
+https://tomcat.apache.org/tomcat-9.0-doc/proxy-howto.html
+https://tomcat.apache.org/tomcat-9.0-doc/connectors.html
+https://rimuhosting.com/mod_jk2_and_mod_proxy_ajp.jsp (secretRequired="false")
+mise en place d'un proxy pour une gestion de TLS et ports par defaut (80/443) par apache
 il faut installer le mod_ssl d'apache pour disposer d'https
 <code>
-[root@idp34 tomcat]# yum install mod_ssl
+[root@idpx opt]# yum install httpd mod_ssl
-Installé :
-  mod_ssl.x86_64 1:2.4.6-88.el7.centos
+Total download size: 2.0 M
+Is this ok [y/N]: y
 </code>
@@ Line 144: / Line 255: @@
 <code>
-[root@idp34 certs]#grep ^SSL /etc/httpd/conf.d/ssl.conf | tail -3
+[root@idpx certs]#grep ^SSL /etc/httpd/conf.d/ssl.conf | tail -3
 SSLCertificateFile /etc/pki/tls/certs/idp.imtbstsp_eu.pem
 SSLCertificateKeyFile /etc/pki/tls/private/idp.imtbstsp.key
@@ Line 153: / Line 264: @@
 <code>
-[root@idp3' ~]# cat /etc/httpd/conf.d/shibboleth.conf
+[root@idpx ~]# cat /etc/httpd/conf.d/shibboleth.conf
 ProxyPass /idp/ ajp://127.0.0.1:8009/idp/ retry=0
 ProxyPass /manager/ ajp://127.0.0.1:8009/manager/
+</code>
+et l'activer coté tomcat
+<code>
+[root@idpx opt]# vim /opt/tomcat/conf/server.xml
+<!-- Define an AJP 1.3 Connector on port 8009 -->
+ <Connector protocol="AJP/1.3"
+               port="8009"
+               secretRequired="false"
+               address="127.0.0.1"
+               redirectPort="8443" />
+</code>
+sans l'option secretRequired="false" (cf https://rimuhosting.com/mod_jk2_and_mod_proxy_ajp.jsp ) , impossible d'acceder au manager via proxy_ajp, il faudrai mieux controler cet acces en limitant les acces proxy uniquement a 127.0.0.1 entre httpd et tomcat .
+lancement httpd et verification de la presence du module AJP
+<code>
+[root@idpx opt]# systemctl start httpd.service
+[root@idpx opt]# httpd -M | grep ajp
+ proxy_ajp_module (shared)
 </code>
 acces sans le port 8080 :
-http://idp3.tem-tsp.eu/manager/html
+http://idpx.imtbstsp.eu/manager/html
 puis en https via le proxy-ajp sans precision du port 443
-https://idp3.tem-tsp.eu/manager/html
+https://idpx.imtbstsp.eu/manager/html

docpublic/systemes/shibboleth/idpv3xc8.1591281539.txt.gz · Last modified: 2020/06/04 14:38 by procacci@tem-tsp.eu

Show page Old revisions

[unknown link type]Back to top