install:idp:konfiguracia_a_instalacia_openjdk_a_jetty [20. 08. 2021 09:03] jnamesny@umb.sk |
— (aktuálne) | ||
---|---|---|---|
Riadok 1: | Riadok 1: | ||
- | ====== Konfigurácia a inštalácia OpenJDK a Jetty ====== | ||
- | |||
- | Budú sa inštalovať nasledovné verzie softvérov: | ||
- | |||
- | Java OpenJDK 11 | ||
- | |||
- | Jetty 9.4 | ||
- | |||
- | > OpenJDK | ||
- | >> https:// | ||
- | |||
- | > Akú verziu Jetty mám použiť? | ||
- | >> https:// | ||
- | |||
- | **Inštalácia OpenJDK** | ||
- | |||
- | < | ||
- | dnf -y install java-11-openjdk | ||
- | </ | ||
- | |||
- | Adresár s nainštalovanou verziou: / | ||
- | Zobrazenie podrobností nainštalovanej verzie: | ||
- | |||
- | < | ||
- | java -version | ||
- | </ | ||
- | |||
- | Nastavíme Java_HOME (premennú používajú aplikácie Java na určenie umiestnenia inštalácie Java): | ||
- | |||
- | < | ||
- | vim / | ||
- | </ | ||
- | |||
- | Do vytvoreného súboru zapíšeme: | ||
- | |||
- | <alert type=" | ||
- | Pod " | ||
- | </ | ||
- | |||
- | |||
- | < | ||
- | JAVA_HOME="/ | ||
- | </ | ||
- | |||
- | Po uložení súboru java.sh uplatníme zmeny: | ||
- | |||
- | < | ||
- | source / | ||
- | </ | ||
- | |||
- | Skontrolujeme nastavenie: | ||
- | |||
- | < | ||
- | echo $JAVA_HOME | ||
- | </ | ||
- | |||
- | Mal by sa zobraziť výsledok: | ||
- | |||
- | < | ||
- | / | ||
- | </ | ||
- | |||
- | **Inštalácia a konfigurácia Jetty** | ||
- | |||
- | Vytvoríme novú skupinu " | ||
- | |||
- | < | ||
- | groupadd idp | ||
- | useradd -m -g idp -s /bin/bash idp | ||
- | </ | ||
- | |||
- | Stiahneme aktuálnu verziu Jetty (v tomto návode je to jetty-distribution-9.4.31...) | ||
- | |||
- | > Eclipse Jetty Downloads - The latest release | ||
- | >> https:// | ||
- | |||
- | < | ||
- | wget URL=odkaz-na-stiahnutie-jetty | ||
- | </ | ||
- | |||
- | <alert type=" | ||
- | V ďalších krokoch návod pokračuje s verziou jetty použitou v príklade. | ||
- | </ | ||
- | |||
- | |||
- | < | ||
- | wget https:// | ||
- | </ | ||
- | |||
- | Rozbalíme, premiestnime a premenujeme: | ||
- | |||
- | < | ||
- | tar -zxvf jetty-distribution-9.4.31.v20200723.tar.gz | ||
- | mv jetty-distribution-9.4.31.v20200723 /opt/ | ||
- | mv / | ||
- | </ | ||
- | |||
- | Zmeníme vlastníka adresára: | ||
- | |||
- | < | ||
- | chown -R idp:idp /opt/jetty | ||
- | </ | ||
- | |||
- | Vytvoríme konfiguračný súbor: | ||
- | |||
- | < | ||
- | vim / | ||
- | </ | ||
- | |||
- | S obsahom: | ||
- | |||
- | < | ||
- | JETTY_HOME=/ | ||
- | JETTY_BASE=/ | ||
- | </ | ||
- | |||
- | <alert type=" | ||
- | Ďalej pracujeme pod používateľom " | ||
- | </ | ||
- | |||
- | |||
- | < | ||
- | su idp | ||
- | cd /opt/jetty | ||
- | </ | ||
- | |||
- | Konfigurácia Jetty: | ||
- | |||
- | < | ||
- | java -jar / | ||
- | java -jar / | ||
- | </ | ||
- | |||
- | Úprava konfiguračného súboru '' | ||
- | |||
- | < | ||
- | vim / | ||
- | </ | ||
- | |||
- | <code xml> | ||
- | # --------------------------------------- | ||
- | # Module: http | ||
- | # Enables an HTTP connector on the server. | ||
- | # By default HTTP/1 is support, but HTTP2C can | ||
- | # be added to the connector with the http2c module. | ||
- | # --------------------------------------- | ||
- | --module=http | ||
- | jetty.http.host=localhost | ||
- | jetty.http.port=80 | ||
- | </ | ||
- | |||
- | <code xml> | ||
- | # --------------------------------------- | ||
- | # Module: ssl | ||
- | # Enables a TLS(SSL) Connector on the server. | ||
- | # This may be used for HTTPS and/or HTTP2 by enabling | ||
- | # the associated support modules. | ||
- | # --------------------------------------- | ||
- | --module=ssl | ||
- | jetty.ssl.port=443 | ||
- | </ | ||
- | |||
- | Úprava konfiguračného súboru " | ||
- | |||
- | < | ||
- | vim / | ||
- | </ | ||
- | |||
- | < | ||
- | # --------------------------------------- | ||
- | # Module: setuid | ||
- | # Enables the unix setUID configuration so that the server | ||
- | # may be started as root to open privileged ports/files before | ||
- | # changing to a restricted user (eg jetty). | ||
- | # --------------------------------------- | ||
- | --module=setuid | ||
- | |||
- | ## SetUID Configuration | ||
- | # jetty.setuid.startServerAsPrivileged=false | ||
- | # jetty.setuid.userName=jetty | ||
- | # jetty.setuid.groupName=jetty | ||
- | # jetty.setuid.umask=002 | ||
- | # jetty.setuid.clearSupplementalGroups=false | ||
- | jetty.setuid.startServerAsPrivileged=false | ||
- | jetty.setuid.userName=idp | ||
- | jetty.setuid.groupName=idp | ||
- | jetty.setuid.umask=002 | ||
- | </ | ||
- | |||
- | Vytvorenie domovskej stránky pre webový server: | ||
- | |||
- | < | ||
- | mkdir -p / | ||
- | vim / | ||
- | </ | ||
- | |||
- | Príklad obsahu '' | ||
- | |||
- | <code html> | ||
- | < | ||
- | < | ||
- | < | ||
- | DemoIdP | ||
- | </ | ||
- | </ | ||
- | < | ||
- | < | ||
- | </ | ||
- | </ | ||
- | </ | ||
- | |||
- | Príprava pre aplikáciu Shibboleth IdP: | ||
- | |||
- | < | ||
- | mkdir / | ||
- | vim / | ||
- | </ | ||
- | |||
- | Konfiguračný súbor '' | ||
- | |||
- | <code xml> | ||
- | < | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | </ | ||
- | </ | ||
- | |||
- | Upravíme konfiguračný súbor '' | ||
- | |||
- | < | ||
- | vim / | ||
- | </ | ||
- | |||
- | < | ||
- | # --------------------------------------- | ||
- | # Module: server | ||
- | # Enables the core Jetty server on the classpath. | ||
- | # --------------------------------------- | ||
- | --module=server | ||
- | jetty.httpConfig.sendServerVersion=false | ||
- | </ | ||
- | |||
- | Konfiguráciu '' | ||
- | |||
- | < | ||
- | vim / | ||
- | </ | ||
- | |||
- | <code xml> | ||
- | <?xml version=" | ||
- | |||
- | < | ||
- | |||
- | <!-- =========================================================== --> | ||
- | <!-- configure rewrite handler | ||
- | <!-- =========================================================== --> | ||
- | <Call name=" | ||
- | <Arg> | ||
- | <New class=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | |||
- | <!-- Set DispatcherTypes | ||
- | <Set name=" | ||
- | <Array type=" | ||
- | < | ||
- | < | ||
- | </ | ||
- | </ | ||
- | |||
- | <Get id=" | ||
- | |||
- | <!-- see rewrite-compactpath.xml for example how to add a rule --> | ||
- | |||
- | <Call name=" | ||
- | <Arg> | ||
- | <New class=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | </ | ||
- | </ | ||
- | </ | ||
- | |||
- | <Call name=" | ||
- | <Arg> | ||
- | <New class=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | </ | ||
- | </ | ||
- | </ | ||
- | |||
- | <Call name=" | ||
- | <Arg> | ||
- | <New class=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | </ | ||
- | </ | ||
- | </ | ||
- | |||
- | <!-- | ||
- | <Call name=" | ||
- | <Arg> | ||
- | <New class=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | </ | ||
- | </ | ||
- | </ | ||
- | --> | ||
- | |||
- | <Call name=" | ||
- | <Arg> | ||
- | <New class=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | </ | ||
- | </ | ||
- | </ | ||
- | |||
- | <Call name=" | ||
- | <Arg> | ||
- | <New class=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | <Set name=" | ||
- | </ | ||
- | </ | ||
- | </ | ||
- | |||
- | </ | ||
- | </ | ||
- | </ | ||
- | </ | ||
- | </ | ||
- | |||
- | ====== Konfigurácia SSL ====== | ||
- | |||
- | |||
- | <alert type=" | ||
- | Pracujeme pod používateľom " | ||
- | </ | ||
- | |||
- | Pre webový server budeme potrebovať verejný certifikát vydaný verejnou certifikačnou autoritou (ďalej CA). | ||
- | |||
- | Vygenerujeme si žiadosť o certifikát (nachádzame sa v domovskom adresári používateľa " | ||
- | |||
- | < | ||
- | mkdir ssl_cert (vytvoríme si adresár, do ktorého budeme ukladať všetko potrebné) | ||
- | cd / | ||
- | openssl req -new -newkey rsa:2048 -nodes -keyout demoidp.key -out demoidp.csr | ||
- | </ | ||
- | |||
- | Proces generovania prebieha nasledovne (možeme si pripraviť informácie, | ||
- | |||
- | < | ||
- | Generating a RSA private key | ||
- | .......+++++ | ||
- | ........+++++ | ||
- | writing new private key to ' | ||
- | ----- | ||
- | You are about to be asked to enter information that will be incorporated | ||
- | into your certificate request. | ||
- | What you are about to enter is what is called a Distinguished Name or a DN. | ||
- | There are quite a few fields but you can leave some blank | ||
- | For some fields there will be a default value, | ||
- | If you enter ' | ||
- | ----- | ||
- | Country Name (2 letter code) [XX]: | ||
- | State or Province Name (full name) []: | ||
- | Locality Name (eg, city) [Default City]: | ||
- | Organization Name (eg, company) [Default Company Ltd]: | ||
- | Organizational Unit Name (eg, section) []: | ||
- | Common Name (eg, your name or your server' | ||
- | Email Address []: | ||
- | |||
- | Please enter the following ' | ||
- | to be sent with your certificate request | ||
- | A challenge password []: | ||
- | An optional company name []: | ||
- | </ | ||
- | |||
- | V adresári "/ | ||
- | |||
- | > demoidp.csr | ||
- | > demoidp.key | ||
- | |||
- | Súbor demoidp.csr je určený pre vygenerovanie SSL certifikátu verejnou CA. | ||
- | |||
- | Certifikát, | ||
- | |||
- | V adresári "/ | ||
- | |||
- | > demoidp.csr | ||
- | > demoidp.key | ||
- | > demoidp.crt (skopírovaný a premenovaný certifikát od verejnej CA) | ||
- | > intermediate.crt (medziľahlý certifikát od verejnej CA doručený spolu s SSL certifikátom - koreňový certifikát verejnej CA nepotrebujeme | ||
- | |||
- | V prípade, že verejná CA používa medziľahlý certifikát potrebujeme ho zlúčiť s SSL certifikátom vygenerovaným pre webový server: | ||
- | |||
- | < | ||
- | cat demoidp.crt intermediate.crt > jetty-cert.txt | ||
- | </ | ||
- | |||
- | Vytvorený súbor '' | ||
- | |||
- | Budeme vyzvaný na zadanie hesla (nezabudneme si ho poznačiť, pre účely tohto návodu ho nazveme Heslo_1) | ||
- | |||
- | < | ||
- | openssl pkcs12 -export -inkey demoidp.key -in jetty-cert.txt -out jetty-cert.pkcs12 | ||
- | </ | ||
- | |||
- | V adresári "/ | ||
- | |||
- | > demoidp.csr | ||
- | > demoidp.key | ||
- | > demoidp.crt | ||
- | > intermediate.crt | ||
- | > jetty-cert.txt | ||
- | > jetty-cert.pkcs12 | ||
- | |||
- | Ďalej importujeme súbor " | ||
- | |||
- | Pri vytváraní keystore budeme vyzvaný na zadanie nového hesla, ktoré si tiež nezabudneme poznačiť (pre účely tohto návodu ho nazveme Heslo_2). | ||
- | |||
- | Následne potom budeme vyzvaný na zadanie hesla - Heslo_1, ktoré sme zadali pri vytváraní'' | ||
- | |||
- | < | ||
- | $JAVA_HOME/ | ||
- | </ | ||
- | |||
- | Proces prebieha nasledovne: | ||
- | |||
- | < | ||
- | Importing keystore jetty-cert.pkcs12 to keystore... | ||
- | Enter destination keystore password: | ||
- | Re-enter new password: -------------> | ||
- | Enter source keystore password: ----------------> | ||
- | Entry for alias 1 successfully imported. | ||
- | Import command completed: | ||
- | </ | ||
- | |||
- | V adresáry "/ | ||
- | Presunieme ho do umiestnenia "/ | ||
- | |||
- | < | ||
- | mv keystore / | ||
- | chown idp:idp / | ||
- | </ | ||
- | |||
- | **Obsfukácia hesla.** | ||
- | |||
- | Účelom je skomplikovať viditeľnosť hesla " | ||
- | |||
- | <alert type=" | ||
- | Uvedený príkaz obsahuje verziu jetty-util súvisiacu s verziou Jetty, ktorá bola nainštalovaná pre účely tohto návodu. | ||
- | </ | ||
- | |||
- | |||
- | < | ||
- | java -cp / | ||
- | </ | ||
- | |||
- | Výstup po úspešnej obsfukácii vyzerá nasledovne (pre príklad sú použité " | ||
- | |||
- | < | ||
- | Heslo_2 | ||
- | OBF: | ||
- | MD5: | ||
- | </ | ||
- | |||
- | <alert type=" | ||
- | Ďalej pracujeme pod používateľom " | ||
- | </ | ||
- | |||
- | |||
- | Do konfigurácie '' | ||
- | |||
- | < | ||
- | vim / | ||
- | </ | ||
- | |||
- | < | ||
- | # --------------------------------------- | ||
- | # Module: ssl | ||
- | # Enables a TLS(SSL) Connector on the server. | ||
- | # This may be used for HTTPS and/or HTTP2 by enabling | ||
- | # the associated support modules. | ||
- | # --------------------------------------- | ||
- | --module=ssl | ||
- | jetty.ssl.port=443 | ||
- | |||
- | ## Keystore password | ||
- | jetty.sslContext.keyStorePassword=OBF: | ||
- | |||
- | ## KeyManager password | ||
- | jetty.sslContext.keyManagerPassword=OBF: | ||
- | |||
- | ## Truststore password | ||
- | jetty.sslContext.trustStorePassword=OBF: | ||
- | </ | ||
- | |||
- | <alert type=" | ||
- | [[https:// | ||
- | </ | ||
- | |||
- | **Zakázanie nedôveryhodných protokolov a slabých šifier** | ||
- | |||
- | Vytvoríme súbor '' | ||
- | |||
- | < | ||
- | vim / | ||
- | </ | ||
- | |||
- | S obsahom: | ||
- | |||
- | <code xml> | ||
- | <?xml version=" | ||
- | < | ||
- | |||
- | < | ||
- | |||
- | <!-- Zakázání starých a nedůvěryhodných šifer --> | ||
- | <Call name=" | ||
- | <Arg> | ||
- | <Array type=" | ||
- | < | ||
- | < | ||
- | < | ||
- | < | ||
- | < | ||
- | < | ||
- | < | ||
- | < | ||
- | < | ||
- | < | ||
- | </ | ||
- | </ | ||
- | </ | ||
- | |||
- | <!-- Zakázání nedůvěryhodných protokolů --> | ||
- | <Call name=" | ||
- | <Arg> | ||
- | < | ||
- | < | ||
- | < | ||
- | < | ||
- | < | ||
- | </ | ||
- | </ | ||
- | </ | ||
- | |||
- | <!-- Povolení Forward Secrecy --> | ||
- | <Set name=" | ||
- | <Array type=" | ||
- | < | ||
- | < | ||
- | </ | ||
- | </ | ||
- | |||
- | </ | ||
- | </ | ||
- | |||
- | Ďalej pridáme obsah súboru do konfigurácie HTTPS: | ||
- | |||
- | < | ||
- | echo / | ||
- | </ | ||
- | |||
- | **Vytvorenie systemd service file pre Jetty** | ||
- | |||
- | <alert type=" | ||
- | Pracujeme pod používateľom " | ||
- | </ | ||
- | |||
- | |||
- | > jetty.service | ||
- | >> https:// | ||
- | |||
- | < | ||
- | vim / | ||
- | </ | ||
- | |||
- | Vytvoríme súbor '' | ||
- | |||
- | < | ||
- | # | ||
- | # A basic systemd configuration for Jetty to start on boot | ||
- | # | ||
- | # Uses the Service scenario of ' | ||
- | # and once the process has run, it is considered successful | ||
- | # regardless of error code (even ' | ||
- | # may take longer to start than jetty.sh observes it's logs | ||
- | # for. | ||
- | # | ||
- | # | ||
- | |||
- | [Unit] | ||
- | Description=Jetty Web Application Server | ||
- | After=network.target | ||
- | |||
- | [Install] | ||
- | WantedBy=multi-user.target | ||
- | Alias=jetty.service | ||
- | |||
- | [Service] | ||
- | Type=oneshot | ||
- | |||
- | # Execute pre and post scripts as root | ||
- | PermissionsStartOnly=true | ||
- | |||
- | # The process will be considered active after it exits | ||
- | RemainAfterExit=yes | ||
- | |||
- | # Note on the Start we do not wait for successful start. | ||
- | # This is to allow the container to run beyond the jetty shell script | ||
- | # in cases where it takes very long to start and results in jetty.sh | ||
- | # reporting FAILED. | ||
- | |||
- | ExecStart=-/ | ||
- | ExecStop=/ | ||
- | ExecReload=/ | ||
- | </ | ||
- | |||
- | Povolíme službu HTTPS vo firewall: | ||
- | |||
- | < | ||
- | firewall-cmd --zone=public --permanent --add-service=https | ||
- | firewall-cmd --reload | ||
- | firewall-cmd --zone=public --list-services | ||
- | </ | ||
- | |||
- | Nastavíme automatické spustenie služby '' | ||
- | |||
- | < | ||
- | systemctl daemon-reload | ||
- | systemctl enable jetty | ||
- | systemctl start jetty | ||
- | systemctl status jetty (môžeme skontrolovať stav) | ||
- | </ | ||
- | |||
- | Stav Jetty môžeme skontrolovať aj spustením skriptu: | ||
- | |||
- | < | ||
- | / | ||
- | </ | ||
- | |||
- | Môžete pokračovať [[install: |