...
**Note: This guide assumes**

- A fresh, minimal (e.g. netinst.iso) install of Debian 11 ("Bullseye") with no "tasks" except openssh-server. Ubuntu 18.04 LTS ("xenial") Server works the same as Debian 11 for the purpose of this guide.
- Accessed via SSH or the console (no X11 required nor recommended).
- Correct server time configuration using NTP (e.g. using systemd-timesyncd or ntpd).
- Packet filters or firewall rules in place, e.g.:
  - With outgoing (ports TCP/80 and TCP/443) network access:
    - Port 80 for Debian APT updates, i.e., for downloading signed software packages
    - Ports 80 and 443 for downloading signed eduID.at Metadata
    - Port 443 is also needed for downloads of the Shibboleth IDP software (you can copy that to the server yourself, of course) or additional modules
  - The IDP will also need to connect to your LDAP Directory Servers for authentication and attribute lookup,
    - either on the standard port TCP/389 for LDAP (+STARTTLS),
    - or on port TCP/636 for LDAPS (for which no formal specification exists),
    - or maybe on the "global catalog" port of your Microsoft Active Directory (only if you need to access that).
  - For NTP you also need outgoing connectivity to the configured NTP servers (e.g. ACOnet's).
  - And incoming HTTPS access (on port TCP/443 only. Noone needs to access your IDP manually by entering its URL, so there is no need to even listen on TCP/80 and therefore also no need for a redirect from TCP/80 to TCP/443).
  - Also incoming port TCP/22 for access only from a management network, if the server is managed via SSH.
- All commands in this guide are to be issued by user root (uid=0), so `sudo -s` first as needed.
- The shell to use is /bin/bash (you can get fancy with fish/zsh/etc. after finishing the install/configuration).
- Use of systemd for service management using the amended service unit as described in this documentation.
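The access list above, written out as an nftables ruleset (added here as an example; it is not part of the original guide). The management network, LDAP server and NTP server addresses are constructed placeholders to replace with your own, and DNS egress is included because APT and the metadata downloads need name resolution even though the list above does not spell it out.

```nft
#!/usr/sbin/nft -f
# Example ruleset for the IdP host (constructed example, not from the guide).
# Replace the placeholder addresses below with your own values.
flush ruleset

define mgmt_net = { 192.0.2.0/24 }                      # constructed: admin/SSH network
define ldap_servers = { 198.51.100.10, 198.51.100.11 }  # constructed: directory servers
define ntp_servers = { 203.0.113.1, 203.0.113.2 }       # constructed: configured NTP servers

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # ICMP/ICMPv6 are needed for PMTU discovery and IPv6 neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Only HTTPS is reachable from anywhere; nothing listens on TCP/80
        tcp dport 443 accept
        # SSH only from the management network
        ip saddr $mgmt_net tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        ct state established,related accept
        oif lo accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # DNS, so that the names used by APT and the metadata URLs resolve
        udp dport 53 accept
        tcp dport 53 accept
        # APT updates (80), eduID.at metadata and Shibboleth downloads (80/443)
        tcp dport { 80, 443 } accept
        # LDAP(+STARTTLS) or LDAPS, restricted to the directory servers
        ip daddr $ldap_servers tcp dport { 389, 636 } accept
        # NTP, restricted to the configured time servers
        ip daddr $ntp_servers udp dport 123 accept
    }
}
```

Load it with `nft -f` and, once it works, install it as /etc/nftables.conf so the nftables service applies it at boot; add the Active Directory global catalog ports to the LDAP rule only if you actually use them.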
...
Install required (and used, throughout this documentation) packages, possibly replacing vim with your $EDITOR of choice (e.g. emacs-nox or nano, both of which also support syntax highlighting, which helps when editing XML files), and stop the automatically started tomcat until we've completed more configuration further below:

```bash
apt install --no-install-recommends default-jdk-headless tomcat9 \
  vim less openssl unzip curl expat multitail gnupg net-tools
systemctl stop tomcat9
```
...
**Tip: Renewing an existing TLS certificate?**

In case you're replacing an expiring TLS certificate where the matching private key is still considered to be secure and of sufficient strength (in 2024 CE for RSA keys that means a key size of at least 2048 bits), you may want to keep using the existing private key (and PKCS#12 keystore passphrase) and generate the CSR from that key. To do that, first extract the private key from your keystore (instead of generating a new one):

```bash
# the first lines of the output are PKCS#12 bag attributes, not part of the PEM key
openssl pkcs12 -in /etc/tomcat9/webserver.p12 -nocerts | tail -n +5 > webserver.key
```

When asked to "Enter Import Password" supply the existing keystorePass for the port="443" Connector from your /etc/tomcat9/server.xml configuration file. When asked to "Enter PEM pass phrase" simply enter/paste that same passphrase again, and yet again when asked to "Verifying - Enter PEM pass phrase". Then generate a CSR from the extracted private key, either by supplying the necessary data (at least the subject) on the command line or by entering any data interactively when prompted for it (when not adding -subj to the command):

```bash
openssl req -new -key webserver.key -out webserver.csr -subj "/CN=WEBSERVER-FQDN"
```

When asked to "Enter pass phrase for webserver.key" again provide the passphrase from the previous steps. The content of webserver.csr is what you then provide to your CA, e.g. via `cat webserver.csr` and pasting the result into the CA's web interface.
...
```bash
rm -f /var/log/tomcat9/*
systemctl restart tomcat9
ls -l /var/log/tomcat9/
multitail /var/log/tomcat9/* -l 'journalctl -u tomcat9.service -f' # exit with 'q'
systemctl stop tomcat9
```

If you're certain there's no catalina.log file being generated anymore, you can also disable the default logrotate config snippet for it:

```bash
# comment out every line of the snippet rather than deleting the file
sed -i 's/^/#/' /etc/logrotate.d/tomcat9
```
Systemd service

Debian 10's Tomcat comes with an almost-usable systemd service that needs to be amended in order to

- Avoid the systemd house of horror that's still all too common with Tomcat/Java packaging
- Avoid slow startup times due to use of a blocking /dev/random (cf. Myths about urandom, also linked from the Shib wiki)
- Allow the IDP application to write logs and metadata to the filesystem as needed
- Try avoiding the creation of catalina.out (we already have its content in journald using this configuration)
...