Wiki source code of the Linux Installation Guide

Last modified by Aurelie Bertrand on 2024/11/25 11:18

1 (% class="wikigeneratedid" %)
2 This guide provides installation and configuration instructions in a production environment on Ubuntu 20.04 and Ubuntu 22.04.
3
4 ----
5
6 {{ddtoc/}}
7
8 ----
9
10 (% class="box warningmessage" %)
11 (((
12 Java is required to run DigDash. The minimum requirement is Java 11. We recommend using **Java 17**.
13 )))
14
15 This document describes how to install DigDash on Linux.
16
17 To install DigDash on Windows, please refer to the [[Installation Guide for Windows>>doc:Digdash.deployment.installation.install_guide_windows.WebHome]].
18
19 To update an existing installation, please refer to the [[Upgrade Guide>>doc:Digdash.deployment.installation.upgrade_dde.WebHome]].
20
21 = Supported versions =
22
23 The following versions are supported:
24
25 * Tomcat 9: latest patch
26 * OpenDJ (recommended): version 4.6.2 and later
27 * MariaDB: the OS version, or the latest patch of the latest LTS version
28 * Nginx: the system version
29
30 (((
31 = Digdash =
32 )))
33
34 == OpenJDK ==
35
36 (% class="box warningmessage" %)
37 (((
38 It is recommended to install **JDK 17**.
39 JDK 11 is supported.
40 )))
41
42 {{code language="shell"}}
43 # Install the latest version of OpenJDK
44 sudo apt install default-jdk
45
46 # Check the installation
47 java -version
48 {{/code}}
49
50 == Tomcat 9 ==
51
52 === Installation ===
53
54 {{code language="shell"}}
55 sudo apt install tomcat9
56 {{/code}}
57
58 === Creating the file tree ===
59
60 {{code language="shell"}}
61 # Location of webapps
62 sudo mkdir -p /home/digdash/webapps/default/
63 # Working directory
64 sudo mkdir -p /home/digdash/appdata/default/
65 # Location of the .properties file
66 sudo mkdir -p /etc/digdash/
67 # Location of logs
68 sudo mkdir -p /var/log/digdash/
69 {{/code}}
70
71 Change the ownership and permissions of the folders:
72
73 {{code language="shell"}}
74 sudo chown -R tomcat:tomcat /home/digdash
75 sudo chown -R tomcat:tomcat /var/log/digdash
76 sudo chmod a+w /var/log/digdash
77 {{/code}}
78
79 === Configuring server.xml ===
80
81 (% class="wikigeneratedid" %)
82 Location : /etc/tomcat9/server.xml
83
84 ==== Location of webapps ====
85
86 {{code language="shell"}}
87 # Replace the appBase value
88 <Host name="localhost" appBase="webapps"
89
90 # with this one
91 <Host name="localhost" appBase="/home/digdash/webapps/default"
92 {{/code}}
93
94 ==== Connector Valve ====
95
96 {{code language="shell"}}
97 # Complete the Connector element
98 <Connector port="8080" protocol="HTTP/1.1"
99 connectionTimeout="20000"
100 redirectPort="8443" ></Connector>
101
102 # as follows
103 <Connector port="8080" protocol="HTTP/1.1"
104 connectionTimeout="20000"
105 maxConnections="30000"
106 maxParameterCount="100000"
107 maxThreads="10000" maxPostSize="62914560"
108 redirectPort="8443" compression="on" ></Connector>
109 {{/code}}
110
111 ==== Reverse Proxy Valve ====
112
113 {{code language="shell"}}
114 # Add this valve in the Host element near the end of the file
115 <Valve className="org.apache.catalina.valves.RemoteIpValve"
116 internalProxies="127\.0\.[0-1]\.1"
117 remoteIpHeader="X-Forwarded-For"
118 requestAttributesEnabled="true"
119 protocolHeader="X-Forwarded-Proto"
120 protocolHeaderHttpsValue="https"></Valve>
121 {{/code}}
122
123 In the case of an IPv6 server, use:
124
125 {{code language="shell"}}
126 <Valve className="org.apache.catalina.valves.RemoteIpValve"
127 internalProxies="127\.0\.[0-1]\.1|0:0:0:0:0:0:0:1|::1"
128 remoteIpHeader="X-Forwarded-For"
129 requestAttributesEnabled="true"
130 protocolHeader="X-Forwarded-Proto"
131 protocolHeaderHttpsValue="https"></Valve>
132 {{/code}}
133
134 (% class="box warningmessage" %)
135 (((
136 In rare cases the reverse proxy is not installed on the same machine. In that case, replace the value "127\.0\.[0-1]\.1" with the IP address of the reverse proxy.
137 ❗Attention: use ".*" only as a last resort, since it makes Tomcat trust the X-Forwarded-For header from any client.
138 )))
139
140 ==== Log Valve ====
141
142 {{code language="shell"}}
143 # Add this valve in the Host element near the end of the file
144 <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" ></Valve>
145 {{/code}}
146
147 ==== Limiting the localhost_access_log file (optional) ====
148
149 To limit the size of the localhost_access_log file, add the //maxDays// parameter to the Access Log Valve and give it the value of the desired number of days.
150
151 {{code language="shell"}}
152 # For example
153 <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
154                prefix="localhost_access_log" suffix=".txt"
155                pattern="%h %l %u %t &quot;%r&quot; %s %b" maxDays="10" ></Valve>
156 {{/code}}
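Added example, not part of DigDash or Tomcat: a small Python checker that reads a server.xml and reports every deviation from the settings above (appBase, a RemoteIpValve whose internalProxies is not a wildcard, an ErrorReportValve with reports disabled, maxPostSize on the 8080 connector). The sample XML is constructed; run the script against /etc/tomcat9/server.xml after editing it.

```python
"""Audit /etc/tomcat9/server.xml against the settings described in this section.

Added example (not part of DigDash or Tomcat): it parses the file with the
standard library and reports every deviation from the guide, so the check can
be re-run after each edit or as part of a post-install test.
"""
import xml.etree.ElementTree as ET

EXPECTED_APPBASE = "/home/digdash/webapps/default"
REMOTE_IP_VALVE = "org.apache.catalina.valves.RemoteIpValve"
ERROR_REPORT_VALVE = "org.apache.catalina.valves.ErrorReportValve"


def audit_server_xml(xml_text: str) -> list:
    """Return a list of findings; an empty list means the file matches the guide."""
    findings = []
    root = ET.fromstring(xml_text)
    host = next((h for h in root.iter("Host") if h.get("name") == "localhost"), None)
    if host is None:
        return ['no <Host name="localhost"> element found']

    if host.get("appBase") != EXPECTED_APPBASE:
        findings.append(f"appBase is {host.get('appBase')!r}, expected {EXPECTED_APPBASE!r}")

    valves = {v.get("className"): v for v in host.findall("Valve")}

    remote_ip = valves.get(REMOTE_IP_VALVE)
    if remote_ip is None:
        findings.append("RemoteIpValve missing: X-Forwarded-* headers from the proxy are ignored")
    else:
        proxies = remote_ip.get("internalProxies", "").strip()
        # ".*" makes Tomcat accept X-Forwarded-For/-Proto from any client, so the
        # client address seen by the application can be chosen by the requester.
        if proxies in ("", ".*"):
            findings.append(f"RemoteIpValve internalProxies={proxies!r} trusts every upstream address")
        if remote_ip.get("protocolHeader") != "X-Forwarded-Proto":
            findings.append("RemoteIpValve protocolHeader should be X-Forwarded-Proto")

    error_report = valves.get(ERROR_REPORT_VALVE)
    if error_report is None:
        findings.append("ErrorReportValve missing: default error pages expose stack traces and version")
    else:
        for attr in ("showReport", "showServerInfo"):
            if error_report.get(attr, "true").lower() != "false":
                findings.append(f'ErrorReportValve {attr} should be "false"')

    for connector in root.iter("Connector"):
        if connector.get("port") == "8080" and connector.get("maxPostSize") is None:
            findings.append("Connector 8080 has no maxPostSize (the guide sets 62914560)")
    return findings


# Constructed sample that follows the guide (raw string keeps the regex backslashes).
SAMPLE_SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               maxPostSize="62914560" redirectPort="8443" compression="on"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="/home/digdash/webapps/default"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="127\.0\.[0-1]\.1"
               remoteIpHeader="X-Forwarded-For"
               requestAttributesEnabled="true"
               protocolHeader="X-Forwarded-Proto"
               protocolHeaderHttpsValue="https"/>
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def weakened_sample() -> str:
    """Same file with the two mistakes this section warns about (for demonstration)."""
    return (SAMPLE_SERVER_XML
            .replace('appBase="/home/digdash/webapps/default"', 'appBase="webapps"')
            .replace(r'internalProxies="127\.0\.[0-1]\.1"', 'internalProxies=".*"'))


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/tomcat9/server.xml"
    for finding in audit_server_xml(open(path).read()) or ["OK: server.xml matches the guide"]:
        print(finding)
```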
158
159 === Editing the context.xml file ===
160
161 (% class="wikigeneratedid" id="HEmplacement:2Fetc2Ftomcat92Fcontext.xml" %)
162 Location: /etc/tomcat9/context.xml
163
164 {{code language="shell"}}
165 # Add the following line in the <Context> tag
166 <Resources cachingAllowed="true" cacheMaxSize="100000"></Resources>
167 {{/code}}
168
169 [[image:edit_context_file.png]]
170
171 === Changing RAM ===
172
173 {{code language="shell"}}
174 # Edit the following file
175 sudo vi /etc/default/tomcat9
176
177 # Replace the existing JAVA_OPTS by
178 JAVA_OPTS="-Djava.awt.headless=true -XX:+UseShenandoahGC -Xms6G -Xmx6G -Djava.security.egd=file:/dev/urandom -DPROP_MAX_CONCURRENT_TOTAL=5000 -DPROP_MAX_CONCURRENT_CON_PER_HOST=5000"
179
180 # Change the 6G parameter depending on the capacity of the machine, leaving at least 2G for the OS.
181 # In the example above, the machine has 8G of RAM.
182 # It is recommended to use the same value for Xms and Xmx.
183 {{/code}}
184
185 === Activating log write permission for tomcat ===
186
187 {{code language="shell"}}
188 # Create the folder in /etc/systemd/system/
189 sudo mkdir -p /etc/systemd/system/tomcat9.service.d
190
191 # Create the file
192 sudo vi /etc/systemd/system/tomcat9.service.d/logging-allow.conf
193
194 # Add the following lines
195 [Service]
196 ReadWritePaths=/var/log/digdash/
197
198 # Reload the "daemon" configuration
199 sudo systemctl daemon-reload
200
201 sudo systemctl restart tomcat9.service
202 {{/code}}
203
204 === Enabling automatic service start on startup ===
205
206 {{code language="shell"}}
207 sudo systemctl enable tomcat9
208 {{/code}}
209
210 == Deploying Digdash Version 24R1 ==
211
212 {{warning}}
213 Download the DigDash version.
214
215 Unzip the archive you have just downloaded.
216 {{/warning}}
217
218 === Properties files ===
219
220 Place the digdash.properties file (located at the root of the unzipped folder) in the folder ///etc/digdash//.
221
222 Create the following files in the folder /etc/digdash:
223
224 * [[log4j2_api.properties>>attach:log4j2_api.properties]]
225 * [[log4j2_dash.properties>>attach:log4j2_dash.properties]]
226 * [[log4j2_studio.properties>>attach:log4j2_studio.properties]]
227
228 Edit the digdash.properties file previously copied.
229
230 {{code language="shell"}}
231 # Add these lines at the beginning of the file
232
233 # Log files location
234 ddenterpriseapi.ddlog4j.properties.file=/etc/digdash/log4j2_api.properties
235 studio.ddlog4j.properties.file=/etc/digdash/log4j2_studio.properties
236 digdash_dashboard.ddlog4j.properties.file=/etc/digdash/log4j2_dash.properties
237
238 # Appdata location
239 ddenterpriseapi.AppDataPath=/home/digdash/appdata/default
240 digdash_dashboard.AppDataPath=/home/digdash/appdata/default
241 studio.AppDataPath=/home/digdash/appdata/default
242 adswrapper.ads.instance.name=/home/digdash/appdata/default/ldapdigdash
243
244 adminconsole.adminconsole_domain=adminconsole
245 adminconsole.webstudio_domain=studio
246 adminconsole.server_domain_list=ddenterpriseapi
247 adminconsole.dashboard_domain=digdash_dashboard
248
249 studio.DOMAIN=ddenterpriseapi
250 studio.FORCEDOMAIN=true
251 studio.SERVERURL=http://localhost:8080
252 studio.FORCESERVERURL=true
253 studio.adminconsole_domain=adminconsole
254
255 digdash_dashboard.DOMAIN=ddenterpriseapi
256 digdash_dashboard.FORCEDOMAIN=true
257 digdash_dashboard.SERVERURL=http://localhost:8080
258 digdash_dashboard.FORCESERVERURL=true
259 digdash_dashboard.adminconsole_domain=adminconsole
260
261 ########### Scheduled automatic file cleaning
262 ddenterpriseapi.startCleaner=true
263
264 ########### Clean up unused files on server startup
265 ddenterpriseapi.cleanOnStart=false
266
267 ########### Scheduled automatic backup
268 ddenterpriseapi.autoBackup=true
269 ddenterpriseapi.autoBackupKeepDays=7
270 digdash_dashboard.CANCHANGEPASSWORD=true
271 {{/code}}
276
277 === Deploying WebApps ===
278
279 Place the following files (contained in the <DD Install>/apache-tomcat/webapps directory) in the folder ///home/digdash/webapps/default//:
280
281 * adminconsole.war
282 * ddenterpriseapi.war
283 * digdash_dashboard.war
284 * studio.war
285 * ROOT/ folder
286
287 = OpenDJ{{id name="OpenDJ"/}} =
288
289 == Installation ==
290
291 1. Start by getting the latest version of the **opendj_4.x.x_all.deb** file from [[https:~~/~~/github.com/OpenIdentityPlatform/OpenDJ/releases>>url:https://github.com/OpenIdentityPlatform/OpenDJ/releases]]:
292
293 {{code language="shell"}}
294 wget https://github.com/OpenIdentityPlatform/OpenDJ/releases/download/4.x.x/opendj_4.x.x_all.deb
295 {{/code}}
296
297 (% start="2" %)
298 1. Run the installation:
299
300 {{code language="shell"}}
301 sudo dpkg -i opendj_4.x.x_all.deb
302 {{/code}}
303
304 (((
305 == Initial setup ==
306 )))
307
308 To simplify OpenDJ configuration, we create a ‘setupOpenDJ.props’ file containing the answers to the questions asked by the OpenDJ ‘setup’ utility (this avoids the interactive configuration interface).
309 The contents of this file are detailed below:
310
311 (% class="box warningmessage" %)
312 (((
313 ❗Don't forget to replace the parameters with your own. For example, replace the password with the one you want (here ‘adminOpenDJ1’).
314 )))
315
316 {{code language="shell"}}
317 #
318 # Sample properties file to set up OpenDJ directory server
319 # See OpenDJ Setup command man for more options
320 #
321 rootUserDN =cn=Directory Manager
322 rootUserPassword =adminOpenDJ1
323 hostname =localhost.localdomain
324 ldapPort =389
325 adminConnectorPort =4444
326 backendType =je
327 baseDN =dc=digdash,dc=com
328 addBaseEntry =true
329 ldapsPort =636
330 enableStartTLS =false
331 generateSelfSignedCertificate =true
332 start =true
333 #sampleData =2000
334 {{/code}}
335
336 After saving the file, run the following command line:
337
338 {{code language="shell"}}
339 sudo /opt/opendj/setup --cli --propertiesFilePath setupOpenDJ.props --acceptLicense --no-prompt
340 {{/code}}
341
343 == Additional setup ==
344
345 1. Go to the OpenDJ installation directory:
346
347 {{code language="shell"}}
348 cd /opt/opendj/bin/
349 {{/code}}
350
351 (% start="2" %)
352 1. (((
353 LDIF files can be downloaded by clicking on the following link: [[LDIF_OpenDJ>>attach:LDIF_OpenDJ.zip]].
354 )))
355 1. Create the organisation using the ‘neworganisation.ldif’ file below:
356
357 {{code language="shell"}}
358 sudo /opt/opendj/bin/ldapmodify --port 389 --bindDN "cn=Directory Manager" --bindPassword "adminOpenDJ1" neworganisation.ldif
359 {{/code}}
360
361 {{code}}
362 dn: ou=default,dc=digdash,dc=com
363 changetype: add
364 objectClass: organizationalUnit
365 ou: default
366 {{/code}}
368
369 (% start="4" %)
370 1. Set the password checker "Custom Character-set Password Validator":
371
372 {{code language="shell"}}
373 sudo /opt/opendj/bin/dsconfig create-password-validator --bindDN "cn=Directory Manager" --bindPassword "adminOpenDJ1" --validator-name "Custom Character-set Password Validator" --set character-set:1:abcdefghijklmnopqrstuvwxyz --set character-set:1:ABCDEFGHIJKLMNOPQRSTUVWXYZ --set character-set:1:0123456789 --set "character-set:1:\!\"#$%&'()*+,-./:;<=>?@[]^_\`{|}~" --set enabled:true --type character-set --no-prompt --trustAll --set allow-unclassified-characters:true
374 {{/code}}
375
376 (% start="5" %)
377 1. Set the second password checker "Custom length Password Validator":
378
379 {{code language="shell"}}
380 sudo /opt/opendj/bin/dsconfig create-password-validator --bindDN "cn=Directory Manager" --bindPassword "adminOpenDJ1"  --validator-name "Custom length Password Validator" --set min-password-length:12 --set enabled:true --type length-based --no-prompt
381 {{/code}}
382
383 (% start="6" %)
384 1. Apply the two password checkers:
385
386 {{code language="shell"}}
387 sudo /opt/opendj/bin/dsconfig set-password-policy-prop --bindDN "cn=Directory Manager" --bindPassword "adminOpenDJ1" --policy-name "Default Password Policy" --set password-validator:"Custom Character-set Password Validator" --set password-validator:"Custom length Password Validator" --no-prompt
388 {{/code}}
389
390 (% start="7" %)
391 1. Set the password policy for users using the ‘ppolicy.ldif’ file below:
392
393 {{code language="shell"}}
394 sudo /opt/opendj/bin/ldapmodify --port 389 --bindDN "cn=Directory Manager" --bindPassword "adminOpenDJ1" ppolicy.ldif
395 {{/code}}
396
397 {{code}}
398 dn: cn=ppolicy,ou=default,dc=digdash,dc=com
399 changetype: add
400 objectClass: top
401 objectClass: subentry
402 objectClass: pwdPolicy
403 cn: ppolicy
404 pwdAttribute: userPassword
405 pwdAllowUserChange: TRUE
406 pwdCheckQuality: 1
407 pwdExpireWarning: 600
408 pwdFailureCountInterval: 30
409 pwdGraceAuthNLimit: 5
410 pwdInHistory: 5
411 pwdLockout: TRUE
412 pwdLockoutDuration: 900
413 pwdMaxAge: 0
414 pwdMaxFailure: 5
415 pwdMinAge: 0
416 pwdMustChange: FALSE
417 pwdSafeModify: FALSE
418 subtreeSpecification: {base "ou=users", specificationFilter "!(uid=admin)" }
419 {{/code}}
419
420 (% start="8" %)
421 1. Set a second password policy for admin using the ‘ppolicy-admin.ldif’ file below:
422
423 {{code language="shell"}}
424 sudo /opt/opendj/bin/ldapmodify --port 389 --bindDN "cn=Directory Manager" --bindPassword "adminOpenDJ1" ppolicy-admin.ldif
425 {{/code}}
426
427 {{code}}
428 dn: cn=ppolicy-admin,ou=default,dc=digdash,dc=com
429 changetype: add
430 objectClass: top
431 objectClass: subentry
432 objectClass: pwdPolicy
433 cn: ppolicy-admin
434 pwdAttribute: userPassword
435 pwdAllowUserChange: TRUE
436 pwdCheckQuality: 1
437 pwdFailureCountInterval: 30
438 pwdGraceAuthNLimit: 5
439 pwdInHistory: 5
440 pwdLockout: FALSE
441 pwdMaxAge: 0
442 pwdMinAge: 0
443 pwdMustChange: FALSE
444 pwdSafeModify: FALSE
445 subtreeSpecification: {base "ou=users", specificationFilter "(uid=admin)" }
446 {{/code}}
446
447 (% start="9" %)
448 1. Change password policy to allow pre-encoded passwords (useful for restores in Digdash):
449
450 {{code language="shell"}}
451 sudo /opt/opendj/bin/dsconfig set-password-policy-prop --policy-name "Default Password Policy" --set allow-pre-encoded-passwords:true --hostname localhost --trustAll --bindDN "cn=directory manager" --bindPassword "adminOpenDJ1" --no-prompt
452 {{/code}}
453
454 (% start="10" %)
455 1. Create an admin user for Digdash using the “create_user_admin.ldif” file below:
456
457 {{code language="shell"}}
458 sudo /opt/opendj/bin/ldapmodify --port 389 --bindDN "cn=Directory Manager" --bindPassword "adminOpenDJ1" create_user_admin.ldif
459 {{/code}}
460
461 {{code}}
462 dn: uid=admin,ou=default,dc=digdash,dc=com
463 changetype: add
464 objectClass: shadowAccount
465 objectClass: inetOrgPerson
466 cn: Admin Domain Default
467 sn: Default
468 uid: admin_default
469 {{/code}}
469
470 (% start="11" %)
471 1. Assign the admin user the necessary rights using the “add_admin_right.ldif” and “add_admin_right2.ldif” files below:
472
473 {{code language="shell"}}
474 sudo /opt/opendj/bin/ldapmodify --port 389 --bindDN "cn=Directory Manager" --bindPassword "adminOpenDJ1" add_admin_right.ldif
475 {{/code}}
476
477 {{code}}
478 dn: ou=default,dc=digdash,dc=com
479 changetype: modify
480 add: aci
481 aci: (target ="ldap:///ou=default,dc=digdash,dc=com")(targetattr = "userpassword || shadowlastchange")(version 3.0; acl "allow write on userpassword and shadowlastchange for admin"; allow(write) (userdn = "ldap:///uid=admin,ou=default,dc=digdash,dc=com");)
482 aci: (target ="ldap:///ou=default,dc=digdash,dc=com")(targetattr = "userpassword || shadowlastchange")(version 3.0; acl "allow read,write on userpassword and shadowlastchange for auth users"; allow(read) (userdn = "ldap:///all");)
483 aci: (target ="ldap:///ou=default,dc=digdash,dc=com")(targetattr = "userpassword || shadowlastchange")(version 3.0; acl "allow read on userpassword and shadowlastchange for anonymous"; allow(selfwrite) (userdn = "ldap:///anyone");)
484 aci: (target ="ldap:///ou=default,dc=digdash,dc=com")(targetattr = "*")(version 3.0; acl "allow write on * for admin"; allow(all) (userdn = "ldap:///uid=admin,ou=default,dc=digdash,dc=com");)
485 aci: (target ="ldap:///ou=default,dc=digdash,dc=com")(targetattr = "*")(version 3.0; acl "allow read on * for anonymous"; allow(read) (userdn = "ldap:///all");)
486 {{/code}}
487
488 {{code language="shell"}}
489 sudo /opt/opendj/bin/ldapmodify --port 389 --bindDN "cn=Directory Manager" --bindPassword "adminOpenDJ1" add_admin_right2.ldif
490 {{/code}}
491
492 {{code}}
493 dn: uid=admin,ou=default,dc=digdash,dc=com
494 changetype: modify
495 add: ds-privilege-name
496 ds-privilege-name: config-read
497 ds-privilege-name: password-reset
498 ds-privilege-name: unindexed-search
499 {{/code}}
500
501 (% start="12" %)
502 1. Generate an administrator password and remember it for later:
503
504 {{code language="shell"}}
505 sudo /opt/opendj/bin/ldappasswordmodify --port 389 --bindDN "cn=Directory Manager" --bindPassword "adminOpenDJ1" --authzID "u:admin"
506 {{/code}}
507
508 (% class="box infomessage" %)
509 (((
510 💡 If you want to set your own password for the admin user, you need to use a variation of the previous command:
511
512 {{code language="shell"}}
513 sudo /opt/opendj/bin/ldappasswordmodify --port 389 --bindDN "cn=Directory Manager" --bindPassword "adminOpenDJ1" --authzID "u:admin" --newPassword "mdpAdmin"
514 {{/code}}
515 )))
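Added example (not part of OpenDJ or DigDash): a Python linter for the LDIF files used in the steps above, applied to a constructed copy of neworganisation.ldif. It shows how blank lines between an entry's attributes split it into several records, and flags records that carry no changetype.

```python
"""Lint LDIF files before feeding them to ldapmodify.

Added example (not part of OpenDJ or DigDash). A blank line ends an LDIF record,
so an entry with empty lines between its attributes is silently split into
several records, most of which have no dn; and a record with no changetype
leaves the operation (add vs. modify) to the tool's default. Both mistakes
are reported here instead of at ldapmodify time.
"""


def parse_ldif(text: str) -> list:
    """Split LDIF text into records: a list of {attribute: [values]} dicts.

    Handles RFC 2849 line folding (continuation lines start with a space)
    and '#' comment lines; attribute names are lower-cased and base64 (::)
    values are kept as-is.
    """
    records, current, logical = [], {}, []

    def flush_line():
        if not logical:
            return
        line = "".join(logical)
        logical.clear()
        if line.startswith("#"):
            return
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())

    for raw in text.splitlines():
        if raw.startswith(" "):          # folded continuation of the previous line
            logical.append(raw[1:])
            continue
        flush_line()
        if raw.strip() == "":            # blank line: end of the current record
            if current:
                records.append(current)
                current = {}
        else:
            logical.append(raw)
    flush_line()
    if current:
        records.append(current)
    return records


def lint_ldif(text: str) -> list:
    """Return human-readable problems; an empty list means the file looks sound."""
    problems = []
    for number, record in enumerate(parse_ldif(text), start=1):
        if "dn" not in record:
            problems.append(f"record {number} has no dn (attributes: {', '.join(record)}); "
                            "a stray blank line probably split the entry")
            continue
        if "changetype" not in record:
            problems.append(f"record {number} ({record['dn'][0]}) has no changetype; "
                            "state it explicitly with 'changetype: add'")
    return problems


# Constructed inputs: the organisation entry with stray blank lines, and a correct one.
BROKEN_NEWORG = """dn: ou=default,dc=digdash,dc=com

objectClass: organizationalUnit

ou: default
"""

FIXED_NEWORG = """dn: ou=default,dc=digdash,dc=com
changetype: add
objectClass: organizationalUnit
ou: default
"""

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        for problem in lint_ldif(open(path).read()) or ["OK"]:
            print(f"{path}: {problem}")
```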
516
518 == Enabling automatic service start on startup ==
519
520 1. Create the opendj.service file:
521
522 {{code language="shell"}}
523 sudo vi /etc/systemd/system/opendj.service
524 {{/code}}
525
526 (% start="2" %)
527 1. Paste the following lines:
528
529 {{code}}
530 [Unit]
531 Description=OpenDJ Server Daemon
532 Wants=network-online.target
533 After=network-online.target
534 Conflicts=shutdown.target
535
536 [Service]
537 Type=simple
538 Restart=no
539 TimeoutSec=5min
540 IgnoreSIGPIPE=no
541 KillMode=process
542 GuessMainPID=no
543 RemainAfterExit=yes
544 ExecStart=/opt/opendj/bin/start-ds --quiet
545 ExecStop=/opt/opendj/bin/stop-ds --quiet
546
547 [Install]
548 WantedBy=multi-user.target
549 {{/code}}
564
565 (% start="3" %)
566 1. Then type the following commands:
567
568 {{code language="shell"}}
569 sudo systemctl daemon-reload
570
571 sudo systemctl enable --now opendj
572
573 sudo systemctl status opendj
574 {{/code}}
575
576 == Useful option ==
577
578 The operation below is not part of the installation.
579 However, it may be useful to know it for later use.
580
581 === Extending the limit for LDAP searches ===
582
583 It is possible to extend the LDAP search limit to more than 1000 users with the “extend_search_limit.ldif” file below.
584
585 {{code language="shell"}}
586 sudo /opt/opendj/bin/ldapmodify --port 389 --bindDN "cn=Directory Manager" --bindPassword "adminOpenDJ1" extend_search_limit.ldif
587 {{/code}}
588
589 {{code}}
590 dn: uid=admin,ou=default,dc=digdash,dc=com
591 changetype: modify
592 add: ds-rlim-size-limit
593 ds-rlim-size-limit: 10000
594 {{/code}}
595
596
597
598
599 = MariaDB (Recommended){{id name="DB_ubuntu"/}} =
600
601 The MariaDB database will be used to store the following elements: comments, audit data and data entry.
602
603 This database is more durable than an H2 database, that is why we recommend its use. If you already have a database that Digdash can write to and read from then proceed to the configuration step.
604
605 MySQL and PostgreSQL are also compatible.
606
607 == Installation ==
608
609 {{code language="shell"}}
610 sudo apt install mariadb-server
611 {{/code}}
612
613 {{code language="shell"}}
614 # Start MariaDB
615 sudo systemctl start mariadb
616 # Stop MariaDB
617 sudo systemctl stop mariadb
618 # Reload to apply configuration changes
619 sudo systemctl reload mariadb
620 sudo systemctl force-reload mariadb
621 # Display the version
622 mariadb --version
623 {{/code}}
625
626 (% class="wikigeneratedid" %)
627 Run mysql_secure_installation to harden the installation.
628
629 {{code language="shell"}}
630 sudo mysql_secure_installation
631
632 # Enter yes at all steps
633 {{/code}}
634
635 == Enabling automatic service start on startup ==
636
637 {{code language="shell"}}
638 sudo systemctl enable mariadb
639
640 {{/code}}
641
642 == Database configuration ==
643
644 We create one database per domain and per webapp (for example prod_ddaudit, dev_ddaudit, and so on).
645
646 In the example below, we will consider that there is only one 'default' environment.
647
648 {{code language="shell"}}
649 # Open the MariaDB client as root
650 sudo mariadb -u root -p
651
652 # Create the databases, one per domain and module (domain_module)
653 CREATE DATABASE default_ddaudit;
654 CREATE DATABASE default_comment;
655 CREATE DATABASE default_ddentry;
656
657 # Create a user for each database (domain_user_module).
658 # Replace 'mynewpassword' with a new password, preferably a different one for each user.
659 CREATE USER 'default_user_ddaudit'@'localhost' IDENTIFIED BY 'mynewpassword';
660 CREATE USER 'default_user_comment'@'localhost' IDENTIFIED BY 'mynewpassword';
661 CREATE USER 'default_user_ddentry'@'localhost' IDENTIFIED BY 'mynewpassword';
662
663 # Grant each user the rights on its own database
664 GRANT ALL PRIVILEGES ON default_comment.* TO 'default_user_comment'@'localhost';
665 GRANT ALL PRIVILEGES ON default_ddaudit.* TO 'default_user_ddaudit'@'localhost';
666 GRANT ALL PRIVILEGES ON default_ddentry.* TO 'default_user_ddentry'@'localhost';
667 {{/code}}
667
668 = NGINX (Optional) =
669
670 Nginx is used as a reverse proxy.
671
672 == Installation ==
673
674 {{code language="shell"}}
675 sudo apt install nginx
676 {{/code}}
677
678 == Enabling automatic service start on startup ==
679
680 {{code language="shell"}}
681 sudo systemctl enable nginx
682 {{/code}}
683
684 == Configuration ==
685
686 Create the configuration file with the name of your machine or environment. In this example, we use 001-digdash.
687
688 In the /etc/nginx folder:
689
690 {{code language="shell"}}
691 # Create the conf file
692 sudo vi /etc/nginx/sites-available/001-digdash.conf
693 {{/code}}
694
695 {{code language="shell"}}
696 # Add the following content.
697 # Replace *.mondomaine.com in server_name, and the certificate and
698 # private key paths, with your own values.
699 upstream backend_tomcat{
700 least_conn;
701 server localhost:8080 fail_timeout=0;
702 }
703
704
705 server {
706 listen [::]:80;
707 listen 80;
708 server_name *.mondomaine.com;
709
710 # Redirect all non-https requests
711 rewrite ^ https://$host$request_uri? permanent;
712
713 error_log /var/log/nginx/digdash.com.error_log warn;
714 access_log /var/log/nginx/digdash.com.access.log;
715 }
716
717 server {
718 listen [::]:443 ssl http2 default_server;
719 listen 443 ssl http2 default_server;
720 server_name *.mondomaine.com;
721
722 client_max_body_size 4G;
723 proxy_read_timeout 300;
724 proxy_connect_timeout 300;
725 proxy_send_timeout 300;
726
727 error_log /var/log/nginx/digdash.com.error_log warn;
728 access_log /var/log/nginx/digdash.com.access.log;
729
730 # Certificate(s) and private key
731 ssl_certificate_key /emplacement/de/la/clé/macle.key;
732 ssl_certificate /emplacement/du/certificat/moncertif.crt;
733
734 #DigDash Management SSL
735 include digdash_ssl_params;
736
737 location / {
738 include proxy_params;
739 proxy_intercept_errors on;
740 proxy_pass http://backend_tomcat;
741 proxy_cookie_path ~^/(.+)$ "/$1; HTTPOnly; Secure;samesite=none;";
742 }
743 }
744 {{/code}}
745
746 Then create a symbolic link in sites-enabled:
747
748 {{code language="shell"}}
749 sudo ln -s  /etc/nginx/sites-available/001-digdash.conf /etc/nginx/sites-enabled/001-digdash.conf
750 {{/code}}
751
752 Create the digdash_ssl_params file containing the security policy:
753
754 {{code language="shell"}}
755 sudo vi /etc/nginx/digdash_ssl_params
756 {{/code}}
757
758 {{code language="shell"}}
759 # Optionally, generate random DH parameters and enable them:
760 # openssl dhparam -out /etc/ssl/dhparam.pem 4096
761 #ssl_dhparam /etc/ssl/dhparam.pem;
762
763 ssl_protocols TLSv1.3 TLSv1.2;
764
765 ssl_prefer_server_ciphers on;
766 ssl_ecdh_curve secp521r1:secp384r1;
767 ssl_ciphers EECDH+AESGCM:EECDH+AES256;
768
769 ssl_session_cache shared:TLS:2m;
770 ssl_buffer_size 4k;
771
772 # OCSP stapling
773 ssl_stapling on;
774 ssl_stapling_verify on;
775 resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare
776
777 # Set HSTS to 365 days
778 add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
779 {{/code}}
780
781 = Configuring DigDash after installation =
782
783 == Starting Digdash ==
784
785 1. Restart the Tomcat service:
786
787 {{code language="shell"}}
788 sudo service tomcat9 restart
789 {{/code}}
790
791 (% start="2" %)
792 1. Check that the WAR files have been deployed in the installation folder /home/digdash/webapps/default.
793 1. Open the DigDash home page at the following address: [[http:~~/~~/localhost:8080/adminconsole>>url:http://localhost:8080/adminconsole]]
794 The login/password is admin/admin.
795
796 == Connecting Digdash to the installed OpenDJ server ==
797
798 Open [[http:~~/~~/localhost:8080/adminconsole/>>url:http://localhost:8080/adminconsole/]], **Configuration -> Server settings -> Servers -> LDAP Server**.
799
800 * Port: 389
801 * User: uid=admin,ou=default,dc=digdash,dc=com
802 * Password: the OpenDJ admin password generated earlier
803
804 [[image:LDAPserver_ok.png||alt="LDAP server"]]
805
806 Then click the **LDAP Queries** button and enter "**ou=default**" in the **Domain Tree** field for all the fields to be automatically filled as below.
807
808 [[image:LDAPqueries_ok.png||alt="LDAP queries"]]
809
810 == Changing the supervisor password and creating the LDAP account ==
811
812 === Changing the supervisor password ===
813
814 Open **Configuration -> Server settings -> Servers -> Enterprise Server** and enter a new password in the **Supervisor Password** field.
815
816 [[image:EnterpriseServer.png||alt="Supervisor password"]]
817
818 === Creating the LDAP account ===
819
820 1. Open **Configuration -> User management -> Users**.
821 1. Create a new admin user and assign it all roles and authorization groups.
822 1. In the **Password** field, enter the new supervisor password defined above.
823
824 [[image:User_password.png||alt="User password"]]
825
826 == Database configuration ==
827
828 === Audit data database ===
829
830 Open **Configuration -> Server settings -> Databases -> Audit data **and enter the URL, user and password.
831
832 **URL**: //jdbc:mariadb:~/~/localhost:3306/default_ddaudit//
833
834 This solution makes it possible to secure access to the audit database.
835
836 [[image:Audit_data.png||alt="Audit data"]]
837
838 === Comments database ===
839
840 Open **Configuration -> Server settings -> Databases -> Comments** and enter the URL, user and password.
841
842 **URL**: //jdbc:mariadb:~/~/localhost:3306/default_comment//
843
844 This solution makes it possible to secure access to the comment database.
845
846 [[image:Comments.png||alt="Comments"]]
847
849 === Data entry database ===
850
851 Open **Configuration -> Server settings -> Databases -> Data entry **and enter the URL, user and password.
852
853 Select the **Enable data entry** checkbox and select a database in the drop-down list below.
854
856 [[image:Data_entry.png]]
857
859 You must first have created a connection to the database from the Data connection manager in the Studio.
860 Enter default_user_ddentry as the user, with the password defined in the previous step.
861 The name defined in the **Login Name** field is the one that will appear in the database selection drop-down list.
862
863 == DigDash Services ==
864
865 Open the Server status page : [[__http:~~/~~/localhost:8080/ddenterpriseapi/serverstatus?adminDomain=adminconsole&serverDomain=ddenterpriseapi__>>url:http://localhost:8080/ddenterpriseapi/serverstatus?adminDomain=adminconsole&serverDomain=ddenterpriseapi]]
866
867 Check that the DigDash services are activated and that the maximum memory is well adapted to the capacity of the server. You must leave at least 4 GB for the system.
868
869 [[image:Server_status.png||alt="Server status"]]