
Note: This guide assumes
  • A fresh, minimal (e.g. netinst.iso) install of Debian 10 ("Buster") with no "tasks" except openssh-server
    • Ubuntu 18.04 LTS ("xenial") Server works the same as Debian 10 for the purpose of this guide
  • Accessed via SSH or the console (no X11 required nor recommended),
  • Correct server time configuration using NTP (e.g. using systemd-timesyncd or ntpd)
  • Packet filters or firewall rules in place, e.g.:
    • With outgoing (ports TCP/80 and TCP/443) network access:
      • Port 80 for Debian APT updates, i.e., for downloading signed software packages
      • Port 80 and 443 for downloading signed eduID.at Metadata
      • Port 443 is also needed for downloads of the Shibboleth IDP software (you can copy that to the server yourself, of course)
      • The IDP will also need to connect to your LDAP Directory Servers for authentication and attribute lookup,
        • either on the standard port TCP/389 for LDAP(+STARTTLS),
      • or on port TCP/636 for LDAPS (for which no formal specification exists),
        • or maybe on the "global catalog" port of your Microsoft Active Directory (only if you need to access that).
      • For NTP you also need outgoing connectivity to the configured NTP servers (e.g. ACOnet's)
    • And incoming HTTPS access (port TCP/443 only, no port 80 necessary nor recommended),
      • also incoming port 22 for access only from a management network, if the server is managed via SSH,
  • All commands in this guide are to be issued by user root (uid=0), and will make use of setuidgid as needed to change to other accounts.
  • The shell to use is /bin/bash (you can get fancy with fish/zsh/etc. after finishing the install/configuration)
  • Use of systemd for service management using the amended service unit as described in this documentation
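The packet-filter assumptions above describe a policy but not a ruleset. The following script is an added example, not part of the original guide: it prints an nftables ruleset that implements exactly that policy (inbound only TCP/443 from anywhere and TCP/22 from a management network; outbound only TCP/80 and TCP/443, LDAP/LDAPS to your directory servers, NTP to your time servers, plus DNS, which the guide does not list but which resolving any of those names requires). The management network and the LDAP and NTP addresses are placeholders; the chain layout otherwise follows standard nftables practice and is not taken from the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): generate an nftables ruleset
# for a Shibboleth IdP host following the guide's packet-filter assumptions.
# Review the output, then load it with "nft -f idp-filter.nft" and persist it
# in /etc/nftables.conf. All addresses below are placeholders.
set -eu

MGMT_NET="192.0.2.0/24"                       # placeholder: where SSH admins come from
LDAP_SERVERS="198.51.100.10, 198.51.100.11"   # placeholder: your LDAP directory servers
NTP_SERVERS="203.0.113.5, 203.0.113.6"        # placeholder: your configured NTP servers

# idp_ruleset MGMT_NET LDAP_SERVERS NTP_SERVERS
#   Writes the ruleset to stdout. Both directions default to "drop", so only
#   the listed flows (and replies to them) pass. IPv4 addresses are assumed;
#   for IPv6 servers use "ip6 saddr"/"ip6 daddr" instead of "ip saddr"/"ip daddr".
idp_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport 443 accept                      # HTTPS to the IdP (no port 80)
        ip saddr $1 tcp dport 22 accept           # SSH from the management network only
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        meta l4proto { icmp, ipv6-icmp } accept
        udp dport 53 accept                       # DNS (needed to resolve the hosts below)
        tcp dport 53 accept
        tcp dport { 80, 443 } accept              # APT, eduID.at metadata, IdP software downloads
        ip daddr { $2 } tcp dport { 389, 636 } accept   # LDAP(+STARTTLS) / LDAPS to the directory servers
        ip daddr { $3 } udp dport 123 accept      # NTP to the configured time servers
    }
}
EOF
}

# Print the ruleset for the placeholder values when run directly.
idp_ruleset "$MGMT_NET" "$LDAP_SERVERS" "$NTP_SERVERS"
```

If you also need the Active Directory "global catalog" port mentioned in the guide, add it to the LDAP line's port set; everything not listed stays blocked, which is the point of the policy.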

...

apt install --no-install-recommends default-jdk-headless tomcat9 libservlet3.1-java \
  vim less openssl unzip curl expat multitail gnupg net-tools

systemctl stop tomcat9

...

rm /var/lib/tomcat9/webapps/ROOT/index.html
echo '<% response.sendRedirect("https://www.example.edu"); %>' > /var/lib/tomcat9/webapps/ROOT/index.jsp
echo -e "User-agent: *\nDisallow: /" > /var/lib/tomcat9/webapps/ROOT/robots.txt
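The three commands above hard-code the webroot and the redirect target. The script below is an added example, not part of the original guide: it does the same replacement of the Tomcat ROOT webapp through a function that takes the webroot and target URL as parameters, refuses anything but a plain https:// URL (so the IdP never redirects browsers to plaintext, and no quote or angle-bracket characters can break out of the JSP string literal), and includes an optional check against the running server. The path and URL at the bottom are the guide's; the function names and the `--apply` switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): replace the Tomcat ROOT webapp
# with a redirect JSP and a deny-all robots.txt, with input validation.
set -eu

# write_root_redirect WEBROOT TARGET_URL
#   Removes WEBROOT/index.html, writes WEBROOT/index.jsp (redirect to
#   TARGET_URL) and WEBROOT/robots.txt (disallow everything).
#   Returns 1 without touching anything unless TARGET_URL is an https:// URL
#   built from a conservative character set (no quotes, spaces, <, > or ;).
write_root_redirect() {
    webroot="$1"
    target="$2"
    if ! printf '%s\n' "$target" | grep -Eq '^https://[A-Za-z0-9.-]+(:[0-9]+)?(/[A-Za-z0-9._~/%-]*)?$'; then
        printf 'refusing redirect target "%s": must be a plain https:// URL\n' "$target" >&2
        return 1
    fi
    [ -d "$webroot" ] || { printf 'no such directory: %s\n' "$webroot" >&2; return 1; }
    rm -f "$webroot/index.html"
    # %% is a literal % in printf, so this yields: <% response.sendRedirect("..."); %>
    printf '<%% response.sendRedirect("%s"); %%>\n' "$target" > "$webroot/index.jsp"
    printf 'User-agent: *\nDisallow: /\n' > "$webroot/robots.txt"
}

# verify_root_redirect IDP_URL EXPECTED_TARGET
#   Against a running Tomcat: succeeds only if GET IDP_URL answers with a
#   302 whose Location is EXPECTED_TARGET (uses curl's redirect_url write-out).
verify_root_redirect() {
    got="$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "$1")"
    [ "$got" = "302 $2" ]
}

# Usage (assumed invocation): sh harden-root.sh --apply
if [ "${1:-}" = "--apply" ]; then
    write_root_redirect /var/lib/tomcat9/webapps/ROOT https://www.example.edu
    # After "systemctl start tomcat9", check it from the outside, e.g.:
    # verify_root_redirect https://idp.example.edu/ https://www.example.edu
fi
```

Running it without `--apply` only defines the functions, so it can be sourced from other setup scripts; the validation regex is deliberately strict, and a target with a query string or unusual characters should be added to the JSP by hand rather than by loosening it.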

...