...
Note: This guide assumes

- A fresh, minimal (e.g. netinst.iso) install of Debian 10/11 ("Buster"/"Bullseye") with no "tasks" except openssh-server. Ubuntu 18.04 LTS ("xenial") Server works the same as Debian 10/11 for the purpose of this guide.
- Accessed via SSH or the console (no X11 required nor recommended).
- Correct server time configuration using NTP (e.g. using systemd-timesyncd or ntpd).
- Packet filters or firewall rules in place, e.g.:
  - With outgoing (ports TCP/80 and TCP/443) network access:
    - Port 80 for Debian APT updates, i.e., for downloading signed software packages
    - Ports 80 and 443 for downloading signed eduID.at Metadata
    - Port 443 is also needed for downloads of the Shibboleth IDP software (you can copy that to the server yourself, of course) or additional modules
  - The IDP will also need to connect to your LDAP Directory Servers for authentication and attribute lookup,
    - either on the standard port TCP/389 for LDAP (+STARTTLS),
    - or on port TCP/636 for LDAPS (for which no formal specification exists),
    - or maybe on the "global catalog" port of your Microsoft Active Directory (only if you need to access that).
  - For NTP you also need outgoing connectivity to the configured NTP servers (e.g. ACOnet's)
  - And incoming HTTPS access (on port TCP/443 only. No one needs to access your IDP manually by entering its URL, so there is no need to even listen on TCP/80, and therefore also no need for a redirect from TCP/80 to TCP/443, either).
  - Also incoming port TCP/22 for access only from a management network, if the server is managed via SSH
- All commands in this guide are to be issued by user root (uid=0), so sudo -s first as needed.
- The shell to use is /bin/bash (you can get fancy with fish/zsh/etc. after finishing the install/configuration).
- Use of systemd for service management using the amended service unit as described in this documentation.
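As an added example (not part of this guide or of the eduID.at project's own material), the firewall policy listed above written out as an nftables ruleset for Debian's nftables package, with a default drop policy in both directions and one accept rule per bullet, plus a small audit function that reports listening TCP ports outside an allowed list, which is the check for "nothing listens on TCP/80". The MGMT_NET, LDAP_SERVERS and NTP_SERVERS variables, the RFC 5737 addresses in them, and the sample ss output are all constructed assumptions; the DNS rules and the audit function are additions not mentioned in the guide.

```shell
#!/bin/sh
# Added example, not part of the eduID.at guide. Renders an nftables ruleset
# for the policy described in the guide and audits listening TCP ports.
# All addresses below are constructed placeholders (RFC 5737 documentation
# ranges); replace them with your management network, LDAP and NTP servers.
set -eu

MGMT_NET="${MGMT_NET:-192.0.2.0/24}"                        # placeholder: network allowed to SSH in
LDAP_SERVERS="${LDAP_SERVERS:-198.51.100.10, 198.51.100.11}" # placeholder: LDAP directory servers
NTP_SERVERS="${NTP_SERVERS:-203.0.113.5, 203.0.113.6}"       # placeholder: NTP servers used by timesyncd/ntpd

# Print the complete ruleset in `nft -f` syntax. Anything not explicitly
# accepted is dropped. IPv6 LDAP/NTP servers would need matching ip6 rules.
render_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # Users and SPs reach the IdP over HTTPS only; nothing listens on TCP/80.
        tcp dport 443 accept
        # SSH only from the management network.
        ip saddr { $MGMT_NET } tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oifname "lo" accept
        # APT updates (80), eduID.at metadata and IdP software downloads (80/443).
        tcp dport { 80, 443 } accept
        # LDAP (+STARTTLS) and LDAPS to the directory servers.
        ip daddr { $LDAP_SERVERS } tcp dport { 389, 636 } accept
        # NTP to the configured time servers.
        ip daddr { $NTP_SERVERS } udp dport 123 accept
        # Name resolution is not listed in the guide, but apt, curl and the
        # LDAP client need it; restrict to your resolvers if they are fixed.
        udp dport 53 accept
        tcp dport 53 accept
    }
}
EOF
}

# Report listening TCP ports that are not in the allowed list.
# $1: space-separated allowed ports, $2: output of `ss -tlnH`.
# Loopback-only listeners are skipped because they are not exposed.
audit_listeners() {
    local allowed=" $1 " state recvq sendq local_addr rest port
    printf '%s\n' "$2" | while read -r state recvq sendq local_addr rest; do
        [ "$state" = "LISTEN" ] || continue
        case "$local_addr" in
            127.*|\[::1\]:*) continue ;;
        esac
        port="${local_addr##*:}"
        case "$allowed" in
            *" $port "*) ;;
            *) printf 'unexpected listener on TCP/%s (%s)\n' "$port" "$local_addr" ;;
        esac
    done
}

# Constructed sample of `ss -tlnH` output: HTTPS and SSH are expected, the
# loopback-bound Tomcat port is harmless, the TCP/80 listener is the finding.
SAMPLE_SS_OUTPUT='LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("java",pid=1234,fd=45))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:443 [::]:*
LISTEN 0 100 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*'

if [ "${1:-}" = "--install" ]; then
    # Write and load the ruleset, then make it persistent via the nftables unit.
    render_ruleset > /etc/nftables.conf
    nft -f /etc/nftables.conf
    systemctl enable nftables
else
    render_ruleset
    # Audit the live host when ss is available, otherwise the constructed sample.
    audit_listeners "443 22" "$(ss -tlnH 2>/dev/null || printf '%s\n' "$SAMPLE_SS_OUTPUT")"
fi
```

Run without arguments to print the ruleset and the audit result for review; `--install` writes it to /etc/nftables.conf and loads it. Loading a default-drop ruleset over an SSH session is safe only if your session's source address is inside MGMT_NET, so check that value first.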
...
Install the required packages (all of which are used throughout this documentation), possibly replacing vim with your $EDITOR of choice (e.g. emacs-nox or nano, both of which also support syntax highlighting, which helps when editing XML files), and stop the automatically started Tomcat until the configuration described further below has been completed:

```shell
apt install --no-install-recommends default-jdk-headless tomcat9 \
    vim less openssl unzip curl expat multitail gnupg net-tools
systemctl stop tomcat9
```
...
```shell
sed -i 's/^/#/' /etc/logrotate.d/tomcat9
```
Systemd service
Debian 10's Tomcat comes with an almost-usable systemd service that needs to be amended in order to
...