Installing Jagger


This guide extends the installation guide provided as part of the Jagger documentation. It provides specific information for an install onto a CentOS 7 server using the current versions of software available from the various repositories. This guide follows the same format as the Jagger installation documentation, and each heading links back to the Jagger documentation.

Info: This installation will be on a CentOS 7 server.

Info: The name of the server I am deploying to is rr.example.com which will be referred to throughout the guide. Please select an appropriate server name for your deployment.

Ensure your operating system is patched and up to date before beginning. Operating system patching should be performed regularly.

yum update

Requirements

Note: This requires php to be installed first! These steps will be run after php is installed below.

  • mysql > 5.1 (it should work with postgres etc but not tested)

Note: We will install MariaDB instead of MySQL. MariaDB is available on CentOS 7 from one of the default repos. The database instance will have some basic security applied and will be configured to start automatically on system restart.

Install the mariadb software

yum install mariadb-server

Start the database engine

systemctl start mariadb

Secure the database before use by following the prompts.

The default database root password is the empty string, i.e. press return when prompted “Enter current password for root”. Answer “Y” to all other questions.

mysql_secure_installation

Ensure the database engine starts after reboot.

systemctl enable mariadb
  • PHP >= 5.5.x with modules: php-apc, php5-cli, php5-curl, php5-mysql, php5-mcrypt, php5-memcached

Note: php-apc has been replaced with opcache.

Note: php-curl is part of php70w-common

Note: The version of PHP that is available on CentOS 7 is 5.4.16. I will be using the version available from webtatic, which is 7.0.30. Some dependencies require PHP 7 or greater.

rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Note: This may already be installed!

yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm

yum install yum-utils

yum-config-manager --enable remi-php70

Install PHP

yum install php php-opcache

Note: This also installs Apache, php70w-cli, php70w-common and other dependencies.

Install required PHP extensions

yum install -y php-mysql php-mcrypt php-pecl-memcached php-xml

It is now possible to install Composer!

curl -sS https://getcomposer.org/installer | php

cp composer.phar /usr/bin/composer

Note: Changed destination to /usr/bin as this is in $PATH

Additional PHP configuration

For some additional PHP configuration, modify the following settings in the file /etc/php.ini.

date.timezone = Australia/Brisbane
memory_limit = 256M
max_execution_time = 60

Replace Australia/Brisbane with your local timezone – see http://php.net/date.timezone for your own time zone. The default memory_limit is 128M and the default max_execution_time is 30 seconds.
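The same three settings applied with a small shell function instead of by hand, as an added example that is not part of the original guide. It assumes the stock CentOS /etc/php.ini layout, where date.timezone ships commented out as ";date.timezone =", and handles the general case: the first matching line (commented or not) is rewritten, and a key that is absent is appended. The demo runs on a constructed php.ini fragment in a temp file, so it can be tried without touching the real file.

```shell
#!/bin/sh
# Added example (not from the original guide): set a php.ini directive in place.
# Handles the stock CentOS php.ini, where some keys ship commented out
# (";date.timezone =") and must be uncommented rather than duplicated.
# The first matching line (commented or not) is rewritten; a missing key is appended.
# Usage: set_php_ini /etc/php.ini date.timezone Australia/Brisbane
set_php_ini() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            stripped = $0
            sub(/^[ \t]*;*[ \t]*/, "", stripped)      # drop leading ";" and blanks
            if (!done && (index(stripped, key " ") == 1 || index(stripped, key "=") == 1)) {
                print key " = " value
                done = 1
            } else {
                print
            }
        }
        END { if (!done) print key " = " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Read the effective (uncommented) value of a directive; prints nothing if unset.
get_php_ini() {
    awk -v key="$2" -F'=' '
        $0 !~ /^[ \t]*;/ {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# Demo on a constructed php.ini fragment (temp file); prints the file path.
demo_php_ini() {
    f=$(mktemp)
    printf '%s\n' \
        '[Date]' \
        '; Defines the default timezone used by the date functions' \
        '; http://php.net/date.timezone' \
        ';date.timezone =' \
        'memory_limit = 128M' \
        'max_execution_time = 30' > "$f"
    set_php_ini "$f" date.timezone Australia/Brisbane
    set_php_ini "$f" memory_limit 256M
    set_php_ini "$f" max_execution_time 60
    echo "$f"
}
```

Because the first match wins, a directive that is only mentioned in an explanatory comment earlier in the file would be rewritten there instead; the get_php_ini check after the edit catches that case, since it only reports uncommented assignments.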
  • Apache >= 2.2 with enabled modules: rewrite, unique_id

Note: CentOS 7 installs Apache 2.4.6, and it will already be installed as a result of installing PHP above. Some changes are required to the Apache configuration due to the change in version from 2.2 to 2.4.

Install mod_ssl so the site can be served over HTTPS.

yum install mod_ssl

Ensure Apache starts on system restart.

systemctl enable httpd
  • Shibboleth-SP >= 2.4 – optional, needed for federated access

Add the Shibboleth repos to the server.

wget http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/security:shibboleth.repo -P /etc/yum.repos.d

Install the Shibboleth Service Provider software. The current version is 2.6.1.

yum install shibboleth -y

Note: The Shibboleth SP will need to be configured later in the install process.

  • Codeigniter framework 3.1.5 (Installed later in the guide)
  • Doctrine >= 2.4.x http://www.doctrine-project.org (Installed later in the guide)
  • Zend-ACL Framework (Installed later in the guide)
  • Memcached server on the same host

Install memcached

yum install memcached -y

Ensure memcached starts on system restart.

systemctl enable memcached
  • gearman-php, gearman-job-server – allow additional features to be enabled in JAGGER

Install gearman

yum install php-pecl-gearman -y

yum install -y gearmand

Ensure gearmand starts on system restart.

systemctl enable gearmand
  • Install additional tools used by the install process
yum install -y unzip git

Download JAGGER and Codeigniter

Note: We will be using Codeigniter 3.1.8 available from https://github.com/bcit-ci/CodeIgniter/archive/3.1.8.zip.

Download CodeIgniter, unpack it into /opt and rename the directory to “codeigniter”.

cd /opt

wget https://github.com/bcit-ci/CodeIgniter/archive/3.1.8.zip

unzip 3.1.8.zip

mv CodeIgniter-3.1.8 codeigniter

rm 3.1.8.zip

JAGGER (ResourceRegistry3) is published on GitHub at https://github.com/Edugate/Jagger under the MIT License.

git clone https://github.com/Edugate/Jagger /opt/rr3

cd /opt/rr3

Install the required third-party libraries with the composer tool. Go to the application folder and run composer.

Note: Composer will complain about several missing libraries. The following software needs to be installed first.

yum install -y php-amqplib

Now run composer

cd /opt/rr3/application

composer install

Note: Ignore the warning about running composer as root/super user!

Set up the index.php file

cp /opt/codeigniter/index.php /opt/rr3/

and modify it. You need to change the default path to the system folder. Open /opt/rr3/index.php and find

$system_path = 'system';

and change it to

$system_path = '/opt/codeigniter/system';

Set up as a production environment (optional). The line $_SERVER['CI_ENV'] = 'production'; needs to be added before the following line:

define('ENVIRONMENT', isset($_SERVER['CI_ENV']) ? $_SERVER['CI_ENV'] : 'development');

Resulting in:

$_SERVER['CI_ENV'] = 'production';
define('ENVIRONMENT', isset($_SERVER['CI_ENV']) ? $_SERVER['CI_ENV'] : 'development');
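The two index.php edits above, applied with sed and then verified, as an added example that is not part of the original guide or of CodeIgniter. It assumes GNU sed (as on CentOS) and the stock line shapes shown above; the demo works on a constructed fragment of index.php in a temp file. A second run changes nothing, so the function is safe to re-run after copying a fresh index.php from a newer CodeIgniter release.

```shell
#!/bin/sh
# Added example (not from the original guide or from CodeIgniter): apply the
# two index.php edits with GNU sed and verify them. Re-running is a no-op.
# Usage: prepare_index_php /opt/rr3/index.php /opt/codeigniter/system

prepare_index_php() {
    file=$1; system_path=$2
    # 1. point $system_path at the shared CodeIgniter install
    sed -i "s|^[\$]system_path = '[^']*';|\$system_path = '$system_path';|" "$file"
    # 2. force the production environment: insert the assignment once, directly
    #    before the define('ENVIRONMENT', ...) line
    if ! grep -q "^[\$]_SERVER\['CI_ENV'\] = 'production';" "$file"; then
        sed -i "/^define('ENVIRONMENT'/i \$_SERVER['CI_ENV'] = 'production';" "$file"
    fi
}

# check_index_php FILE SYSTEM_PATH -> 0 when both edits are present and in the right order
check_index_php() {
    file=$1; system_path=$2
    grep -q "^[\$]system_path = '$system_path';" "$file" || return 1
    [ "$(grep -c "^[\$]_SERVER\['CI_ENV'\] = 'production';" "$file")" -eq 1 ] || return 1
    env_line=$(grep -n "^[\$]_SERVER\['CI_ENV'\]" "$file" | cut -d: -f1)
    def_line=$(grep -n "^define('ENVIRONMENT'" "$file" | cut -d: -f1)
    [ "$env_line" -lt "$def_line" ]
}

# Demo on a constructed fragment of the stock CodeIgniter 3 index.php; prints the temp file path
demo_index_php() {
    f=$(mktemp)
    printf '%s\n' \
        '<?php' \
        "define('ENVIRONMENT', isset(\$_SERVER['CI_ENV']) ? \$_SERVER['CI_ENV'] : 'development');" \
        "\$system_path = 'system';" \
        "\$application_folder = 'application';" > "$f"
    prepare_index_php "$f" /opt/codeigniter/system
    prepare_index_php "$f" /opt/codeigniter/system    # second run must change nothing
    echo "$f"
}
```

check_index_php is worth keeping in a deployment script: if a later CodeIgniter upgrade changes the shape of the define line, the insert silently does nothing and the registry would run in development mode, which this check reports.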

Apache/PHP configuration

This section provides the configuration for the Apache 2.4.6 server that was installed earlier. It includes the https:// configuration as well as the configuration for the resource registry, and caters for the changes that occurred between versions 2.2 and 2.4 of Apache.

Pick a DNS name for your Jagger Resource Registry and create a DNS A record or CNAME for it. Some options for a name include:

rr.example.com – Resource Registry
fr.example.com – Federation Registry
manager.example.com – Federation Manager tool

Replace example.com with your domain name.

rr configuration file

Create the file /etc/httpd/conf.d/rr3.conf. This file holds the Apache configuration that passes requests to the Resource Registry.

Change rr.example.com to your selected host name.

# Redirect all http requests to https
<VirtualHost *:80>
    ServerName rr.example.com:80
    RedirectMatch 301 (.*) https://rr.example.com$1
</VirtualHost>

<VirtualHost *:443>
    ServerName rr.example.com:443
    ServerAlias rr.example.com
    CustomLog logs/ssl_access_log common
    CustomLog logs/ssl_request_log ssl
    ErrorLog logs/ssl_error_log
    LogLevel warn

    SSLEngine on
    SSLProtocol             all -SSLv2 -SSLv3
    SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLHonorCipherOrder     on
    SSLCompression          off
    SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
    #SSLCertificateChainFile /opt/keypairs/intermediate.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key

    Alias /rr3 /opt/rr3
    <Directory /opt/rr3>
        Require all granted
        RewriteEngine On
        RewriteBase /rr3
        RewriteCond $1 !^(Shibboleth\.sso|index\.php|logos|signedmetadata|flags|images|app|schemas|fonts|styles|images|js|robots\.txt|pub|includes)
        RewriteRule  ^(.*)$ /rr3/index.php?/$1 [L]
    </Directory>
    <Directory /opt/rr3/application>
        Require all granted
    </Directory>
</VirtualHost>

Remove the VirtualHost from the file /etc/httpd/conf.d/ssl.conf.

With the VirtualHost block removed, the file /etc/httpd/conf.d/ssl.conf should have the following content:

#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443 https

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

Ensure Apache starts at system startup

systemctl enable httpd

Start Apache

systemctl start httpd

Testing Apache

Ensure your Apache web server is working by navigating to the address you have selected. You should end up on the secure server after clicking through the browser warnings about the default self-signed certificate.

Apply a signed certificate to your server

This is left for you to complete as each certificate authority is different. If you want to use a free certificate you can use Let’s Encrypt. The site provides instructions on generating and managing the certificate.

Replace the default Apache home page

You should replace the default Testing 123.. home page with something more appropriate.

MySQL

You need to create a database and set permissions, for instance:

Note: MariaDB uses exactly the same commands as MySQL.

DBUSER = 'rr3user'
DBPASS = 'rr3pass'
DATABASENAME = 'rr3'

Note: Change the password to something different!

Log in to mysql as the superuser and run:

mysql> create database rr3 CHARACTER SET utf8 COLLATE utf8_general_ci;
mysql> grant all on rr3.* to rr3user@'localhost' identified by 'rr3pass';
mysql> flush privileges;

install.sh script

Now it's time to run the install.sh script. Go to /opt/rr3/

cd /opt/rr3

./install.sh

It downloads Doctrine, Zend-ACL, GeSHi and xmlseclibs and extracts them. Then you need to set up the required config files – you can copy the templates and customize them. Stay in /opt/rr3/

cd application/config

cp config-default.php config.php
cp config_rr-default.php config_rr.php
cp database-default.php database.php
cp email-default.php email.php
cp memcached-default.php memcached.php

cd ../..

Please follow the Configuration files section.

Note: The configuration file changes are described below in this document.

Set permissions so that the following folders (relative to /opt/rr3) are writable by the Apache user:

  • application/cache
  • application/models/Proxies
chgrp apache /opt/rr3/application/models/Proxies

chmod 775 /opt/rr3/application/models/Proxies

chgrp  apache /opt/rr3/application/cache

chmod 775 /opt/rr3/application/cache

Configuration files

There are a few config files used by JAGGER and they’re stored in /opt/rr3/application/config/ folder.

Only the configuration options that were changed, or that need additional work, are listed below. For all documented options see the Configuration files section of the Jagger documentation.

config.php

  • base_url
$config['base_url']     = 'https://rr.example.com/rr3/';
  • log_path – set the location, for example:
$config['log_path'] = '/var/log/rr3/';

Note: You must also create this directory and make it writable by the Apache user (apache on CentOS 7).

mkdir /var/log/rr3

chown apache:apache /var/log/rr3

chmod 750 /var/log/rr3

  • encryption_key – you need to set an encryption key. You can generate one with:
tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
$config['encryption_key'] = '8mixahy22evqp4k6wbzce16oglg1zlyr';

config_rr.php

Use config_rr-default.php as the template.

  • pageTitlePref – if set, it is included in every page's title as a prefix.
Warning: deprecated, now managed via the web interface; you should remove it from the config_rr.php file.

Note: Config has been removed from file.

  • rr_setup_allowed – it should always be set to FALSE; TRUE only while setup is being initialized.
$config['rr_setup_allowed'] = TRUE;

Note: This will be changed back to FALSE later in the setup.

  • site_logo – set filename to be used as main logo in top-left corner. File should be stored in /opt/rr3/images/ folder (Optional)

Note: The default logo is 515 pixels wide and 146 pixels high. Your own site logo should be about the same size.

$config['site_logo'] = 'your_logo.png';
cp ~/backfire.png /opt/rr3/images/
  • syncpass – please generate a strong key. It is used by the synchronization (interfederation) tool:
tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo

then assign the generated value to the attribute like:

$config['syncpass'] = 'qp7zwgm6vqzptb87uoe7zzfiq1gx1oa6';
  • support_mailto – set the support email. This email is displayed as the contact address, for example:
$config['support_mailto'] = 'support@example.com';
  • autoregister_federated – if federated access to JAGGER is enabled you can decide whether a user who used federated access but does not exist in JAGGER should be auto-provisioned or not. It is strongly recommended not to allow it. If it is set to FALSE then a new (not registered) user will get an error page with the support contact email address.
$config['autoregister_federated'] = true;

Note: Have gone against the recommended config. Will review this decision later!

  • nameids – array of allowed NameIDs in JAGGER
Warning: deprecated – you can remove it from the config
$config['nameids'] = array(
'urn:mace:shibboleth:1.0:nameIdentifier' => 'urn:mace:shibboleth:1.0:nameIdentifier',
'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
);

Note: The above config has been commented out!

email.php

  1. connection details
$config['protocol'] = 'smtp';
$config['smtp_host'] = "SMTP_HOST";
$config['smtp_port'] = 25;
$config['charset'] = 'utf-8';
$config['crlf'] = "\r\n";
$config['newline'] = "\r\n";
$config['wordwrap'] = TRUE;
$config['useragent'] = 'ResourceRegistr3';
$config['smtp_user'] = 'USER';
$config['smtp_pass'] = 'PASS';
$config['smtp_crypto'] = 'tls';

database.php

$active_group = 'default';
$active_record = TRUE;

$db['default']['hostname'] = '127.0.0.1';
$db['default']['username'] = 'rr3user';
$db['default']['password'] = 'CHANGEME';
$db['default']['database'] = 'rr3';
$db['default']['dsn']      = 'mysql:host=127.0.0.1;port=3306;dbname=rr3';
$db['default']['dbdriver'] = 'pdo';
$db['default']['dbprefix'] = '';
$db['default']['pconnect'] = TRUE;
$db['default']['db_debug'] = TRUE;
$db['default']['cache_on'] = FALSE;
$db['default']['cachedir'] = '';
$db['default']['char_set'] = 'utf8';
$db['default']['dbcollat'] = 'utf8_general_ci';
$db['default']['swap_pre'] = '';
$db['default']['autoinit'] = TRUE;
$db['default']['stricton'] = FALSE;

Note: With db_debug set to TRUE, CodeIgniter displays database errors (including query text) to the browser. Consider setting it to FALSE once the installation has been verified.

Database – populate tables

To populate tables we are going to use doctrine tool.

Go to the application folder and you should see the doctrine file. It should be executable.

cd /opt/rr3/application

./doctrine

It lists many available options; be careful. To populate the tables, run the command below. It will parse all entities in application/models.

./doctrine orm:schema-tool:create

If you are going to run the application in production mode then you also need to regenerate the proxies:

./doctrine orm:generate-proxies

and verify owner of application/models/Proxies/* – apache user should be owner

In the future after every update you will need to run

./doctrine orm:schema-tool:update --force
./doctrine orm:generate-proxies

Selinux

If you have SELinux set to enforcing mode you MUST add settings to allow the Apache server to communicate with the MariaDB database. The following commands are a start on getting Jagger to work with SELinux in enforcing mode; they are not, however, complete. More testing is required.

setsebool -P httpd_can_network_connect 1

setsebool -P httpd_can_network_connect_db 1

chcon -t httpd_sys_rw_content_t /opt/rr3/application/models/Proxies

chcon -t httpd_sys_rw_content_t /opt/rr3/application/cache

Set selinux to permissive mode. Modify  /etc/sysconfig/selinux and set SELINUX=permissive.

SELINUX=permissive

Ensure your system is running in permissive mode.

setenforce permissive

Final setup step

This is the last step in Installation process. To be able to run it you need to set in config_rr.php file:

$config['rr_setup_allowed'] = TRUE;

Open page https://rr.example.com/rr3/setup and fill the form.

 

Turn off the Install option in the config_rr.php file.

$config['rr_setup_allowed'] = FALSE;
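A post-setup sanity check for the settings this guide changed, added here as an example and not something from the Jagger project. It reads the values out of config.php, config_rr.php and database.php with sed (assuming the one-assignment-per-line layout shown above), fails if rr_setup_allowed is still TRUE, if encryption_key or syncpass is shorter than the 32 characters the generator command above produces, or if the database password is still a placeholder, and warns if autoregister_federated is enabled. check_app_dir catches a world-writable application/cache, Proxies or log directory. The demo functions build throwaway config files and directories so the checks can be exercised without touching /opt/rr3.

```shell
#!/bin/sh
# Added example (not from the Jagger project): verify the settings this guide
# changed before opening the registry to users.
# Assumes one assignment per line, as in the config files above, e.g.
#   $config['encryption_key'] = '8mix...';   or   $config['rr_setup_allowed'] = FALSE;

# php_value FILE LHS -> prints the value assigned to LHS (quotes stripped), or nothing
php_value() {
    lhs=$(printf '%s' "$2" | sed 's/[][$]/\\&/g')      # escape [ ] $ for the sed BRE
    sed -n "s/^$lhs[[:space:]]*=[[:space:]]*'\{0,1\}\([^';]*\)'\{0,1\};.*/\1/p" "$1" | head -n 1
}

# check_jagger_config CONFIG_DIR -> 0 when every check passes; findings go to stdout
check_jagger_config() {
    dir=$1; rc=0
    key=$(php_value "$dir/config.php" "\$config['encryption_key']")
    if [ "${#key}" -lt 32 ]; then
        echo "FAIL: encryption_key unset or shorter than 32 characters"; rc=1
    fi
    case "$(php_value "$dir/config_rr.php" "\$config['rr_setup_allowed']")" in
        [Ff][Aa][Ll][Ss][Ee]) ;;
        *) echo "FAIL: rr_setup_allowed must be FALSE once the setup page has been used"; rc=1 ;;
    esac
    sync=$(php_value "$dir/config_rr.php" "\$config['syncpass']")
    if [ "${#sync}" -lt 32 ]; then
        echo "FAIL: syncpass unset or shorter than 32 characters"; rc=1
    fi
    case "$(php_value "$dir/database.php" "\$db['default']['password']")" in
        ""|CHANGEME|rr3pass) echo "FAIL: database password is empty or still a placeholder"; rc=1 ;;
    esac
    case "$(php_value "$dir/config_rr.php" "\$config['autoregister_federated']")" in
        [Tt][Rr][Uu][Ee]) echo "WARN: autoregister_federated is enabled; the Jagger docs recommend FALSE" ;;
    esac
    return $rc
}

# check_app_dir DIR -> 0 when DIR exists and is not world-writable (775 with group apache is fine)
check_app_dir() {
    [ -d "$1" ] || { echo "FAIL: $1 does not exist"; return 1; }
    mode=$(stat -c %a "$1")
    case "$mode" in
        *[2367]) echo "FAIL: $1 is world-writable (mode $mode)"; return 1 ;;
    esac
    return 0
}

# Demo helpers: build constructed config files in a temp dir and report "pass"/"fail".
# demo_config_check ENCRYPTION_KEY RR_SETUP_ALLOWED DB_PASSWORD
demo_config_check() {
    d=$(mktemp -d)
    printf '%s\n' "<?php" \
        "\$config['base_url']     = 'https://rr.example.com/rr3/';" \
        "\$config['encryption_key'] = '$1';" > "$d/config.php"
    printf '%s\n' "<?php" \
        "\$config['rr_setup_allowed'] = $2;" \
        "\$config['syncpass'] = 'qp7zwgm6vqzptb87uoe7zzfiq1gx1oa6';" \
        "\$config['autoregister_federated'] = true;" > "$d/config_rr.php"
    printf '%s\n' "<?php" "\$db['default']['password'] = '$3';" > "$d/database.php"
    if check_jagger_config "$d" >/dev/null; then echo pass; else echo fail; fi
    rm -rf "$d"
}

# demo_dir_check MODE -> "ok" or "bad" for a temp directory with that mode
demo_dir_check() {
    d=$(mktemp -d); chmod "$1" "$d"
    if check_app_dir "$d" >/dev/null; then echo ok; else echo bad; fi
    rmdir "$d"
}
```

On a real install the call is check_jagger_config /opt/rr3/application/config followed by check_app_dir on /opt/rr3/application/cache, /opt/rr3/application/models/Proxies and /var/log/rr3; a non-zero exit means the registry is not yet ready to be exposed.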

Ready to login

Go to https://rr.example.com/rr3/ and you will be presented with the login page. At the moment the only login that will work is the one you created using the setup page.

After successfully logging in you will see the dashboard.

You have successfully installed Jagger, a federation registry tool for managing your federation entities. There is still some more configuration work required, which will be discussed in a follow-up guide.

 
