Installing Community on Fedora 10 (incomplete)

    #
    # Run as root
    su -

    TOMCAT_USER=astrogrid
    TOMCAT_PASS=36r3456fl


    #
    # Install the Open JDK packages.
    yum install java-1.6.0-openjdk-devel

    #
    # Select the OpenJDK Java implementation.
    /usr/sbin/alternatives --config java
    /usr/sbin/alternatives --config javac

    #
    # Install Tomcat and the admin webapps.
    yum install tomcat5
    yum install tomcat5-webapps
    yum install tomcat5-admin-webapps

    #
    # Configure Tomcat to start on boot.
    /sbin/chkconfig tomcat5 on

    #
    # Remove DOS characters (can cause patch to fail).
    dos2unix /etc/tomcat5/tomcat-users.xml

    #
    # Add the astrogrid user account.
    patch /etc/tomcat5/tomcat-users.xml << EOF
    *** /old/tomcat5/tomcat-users.xml
    --- /new/tomcat5/tomcat-users.xml
    ***************
    *** 5,8 ****
    --- 5,9 ----
        <user username="tomcat" password="tomcat" roles="tomcat"/>
        <user username="both" password="tomcat" roles="tomcat,role1"/>
    +   <user username="${TOMCAT_USER}" password="${TOMCAT_PASS}" roles="manager,admin"/>
        <user username="role1" password="tomcat" roles="role1"/>
      </tomcat-users>
    EOF
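
Review bot: the added user line (the + line in the 5,9 hunk) writes ${TOMCAT_PASS} into tomcat-users.xml in clear text with both the manager and admin roles, while the context lines show the stock tomcat, both and role1 accounts left in place with the password "tomcat". Suggest removing or commenting out those stock accounts in the same patch, and prompting for the password instead of assigning it as a literal at the top of the script. Because the here-document is unquoted, a password containing a double quote, & or < would also leave tomcat-users.xml malformed, so the value needs XML-escaping or a restricted character set.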

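    #
    # Generate the SSL certificate.
    # COMMUNITY_HOST is only assigned further down, so set it here for the certificate CN.
    COMMUNITY_HOST=`hostname -f`
    keytool \
        -genkey \
        -alias tomcat \
        -keyalg RSA \
        -validity 365 \
        -keystore keystore.jks \
        -storetype JKS \
        -dname "C=UK,O=Testing,OU=Astronomy,CN=${COMMUNITY_HOST}"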

    #
    # Install the keystore file.
    cp keystore.jks /usr/share/tomcat5/keystore.jks

    #
    # Allow Tomcat to read the keystore.
    chmod a+r /usr/share/tomcat5/keystore.jks

    #
    # Enable the HTTPS connector.
    patch /etc/tomcat5/server.xml << EOF
    *** /old/etc/tomcat5/server.xml
    --- /new/etc/tomcat5/server.xml
    ***************
    *** 107,119 ****
         -->
      
          <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    -     <!--
          <Connector port="8443" maxHttpHeaderSize="8192"
                     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                     enableLookups="false" disableUploadTimeout="true"
                     acceptCount="100" scheme="https" secure="true"
                     clientAuth="false" sslProtocol="TLS" />
    -     -->
      
          <!-- Define an AJP 1.3 Connector on port 8009 -->
          <Connector port="8009" 
    --- 107,118 ----
         -->
      
          <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
          <Connector port="8443" maxHttpHeaderSize="8192"
                     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                     enableLookups="false" disableUploadTimeout="true"
                     acceptCount="100" scheme="https" secure="true"
    +                keystorePass="123456789" keystoreFile="/usr/share/tomcat5/keystore.jks"
                     clientAuth="false" sslProtocol="TLS" />
      
          <!-- Define an AJP 1.3 Connector on port 8009 -->
          <Connector port="8009" 
    EOF
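
Review bot: the + line in the 107,118 hunk hardcodes keystorePass="123456789" in server.xml, but the keytool command above passes no -storepass, so the connector only works if the operator happens to type that same value at the keytool prompt. Suggest holding the password in one variable that is passed to keytool and substituted into this attribute, chosen per install rather than shipped as a literal. The keystore holds the server's private key and server.xml now holds its password, so both should be readable by the Tomcat account only rather than opened with chmod a+r.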

    #
    # (re)start the Tomcat service.
    /sbin/service tomcat5 restart

#
# Create local temp directory
mkdir /tmp/astrogrid


#
# Download the latest war file.
pushd /tmp/astrogrid
    wget http://www.astrogrid.org/maven2/org/astrogrid/astrogrid-community/2008.2.01/astrogrid-community-2008.2.01.war
popd

#
# Set the ASTROGRID base directory.
ASTROGRID_HOME=/var/lib/astrogrid

#
# Set the COMMUNITY variables.
COMMUNITY_HOST=`hostname -f`
COMMUNITY_PORT=8080
COMMUNITY_BASE=${ASTROGRID_HOME}/community

#
# Set the REGISTRY variables.
REGISTRY_HOST=registry.metagrid.co.uk:8080
REGISTRY_AUTH=org.astrogrid.test

#
# Create the directory structure.
mkdir -p ${COMMUNITY_BASE}/
mkdir -p ${COMMUNITY_BASE}/db/
mkdir -p ${COMMUNITY_BASE}/pem/
mkdir -p ${COMMUNITY_BASE}/ca/

#
# Assign ownership to Tomcat.
chown -R tomcat.tomcat ${COMMUNITY_BASE}

#
# Download the templates.
pushd /tmp/astrogrid
    wget http://deployer.astrogrid.org/software/community-2008.2.01/astrogrid-community-database.xml
    wget http://deployer.astrogrid.org/software/community-2008.2.01/astrogrid-community-mapping.xml
    wget http://deployer.astrogrid.org/software/community-2008.2.01/sample-environment.xml
popd

#
# Update the database config.
sed -i '
    s#"jdbc:hsqldb:[^"]*"#"jdbc:hsqldb:'"${COMMUNITY_BASE}"'/db/org.astrogrid.community"#
    ' /tmp/astrogrid/astrogrid-community-database.xml

#
# Install the database config and mapping files.
cp /tmp/astrogrid/astrogrid-community-database.xml ${COMMUNITY_BASE}/db/
cp /tmp/astrogrid/astrogrid-community-mapping.xml  ${COMMUNITY_BASE}/db/

#
# Allow Tomcat to read the files.
chmod a+r ${COMMUNITY_BASE}/db/*.xml

#
# Download the CA generator.
wget http://www.astrogrid.org/maven/org.astrogrid/apps/cagenerator-app-2007.2.jar

#
# Run the CA generator
java -jar cagenerator-app-2007.2.jar

#
# Install the generated CA files.
cp ca-key.pem     ${COMMUNITY_BASE}/ca/
cp ca-cert.pem    ${COMMUNITY_BASE}/ca/
cp ca-serial.txt  ${COMMUNITY_BASE}/ca/

#
# Allow Tomcat to read the files.
chmod a+r ${COMMUNITY_BASE}/ca/*
chown tomcat.tomcat ${COMMUNITY_BASE}/ca/ca-serial.txt

#
# Create context file.
cat > /tmp/astrogrid/community-context.xml << EOF
<?xml version='1.0' encoding='utf-8'?>
<Context displayName="AstroGrid Community">

    <Environment
        override="false"
        name="org.astrogrid.community.ident"
        type="java.lang.String"
        value="${REGISTRY_AUTH}/community-service"
        />

    <Environment
        override="false"
        name="org.astrogrid.vosi.baseurl"
        type="java.lang.String"
        value="http://${COMMUNITY_HOST}:8080/astrogrid-community"
        />

    <Environment
        override="false"
        name="org.astrogrid.vosi.baseurlsecure"
        type="java.lang.String"
        value="https://${COMMUNITY_HOST}:8443/astrogrid-community"
        />
    <Environment
        override="false"
        name="org.astrogrid.community.default.vospace"
        type="java.lang.String"
        value="ivo://${REGISTRY_AUTH}/vospace-service"
        />

    <Environment
        override="false"
        name="org.astrogrid.registry.query.endpoint"
        type="java.lang.String"
        value="http://${REGISTRY_HOST}/astrogrid-registry/services/RegistryQuery"
        />

    <Environment
        override="false"
        name="org.astrogrid.registry.query.alt.endpoint"
        type="java.lang.String"
        value="http://${REGISTRY_HOST}/astrogrid-registry/services/RegistryQuery"
        />

    <Environment
        override="false"
        name="org.astrogrid.community.dbconfigurl"
        type="java.lang.String"
        value="file://${COMMUNITY_BASE}/db/astrogrid-community-database.xml"
        />

    <Environment
        override="false"
        name="org.astrogrid.community.myproxy"
        type="java.lang.String"
        value="${COMMUNITY_BASE}/pem"
        />

    <Environment
        override="false"
        name="org.astrogrid.community.cakey"
        type="java.lang.String"
        value="${COMMUNITY_BASE}/ca/ca-key.pem"
        />

    <Environment
        override="false"
        name="org.astrogrid.community.cacert"
        type="java.lang.String"
        value="${COMMUNITY_BASE}/ca/ca-cert.pem"
        />

    <Environment
        override="false"
        name="org.astrogrid.community.caserial"
        type="java.lang.String"
        value="${COMMUNITY_BASE}/ca/ca-serial.txt"
        />

</Context>
EOF


#
# Deploy the webapp.
# The URL is quoted so the shell does not interpret '?' or '&'.
curl --user "${TOMCAT_USER}:${TOMCAT_PASS}" \
"http://localhost:8080/manager/deploy\
?path=/astrogrid-community\
&config=file:/tmp/astrogrid/community-context.xml\
&war=file:/tmp/astrogrid/astrogrid-community-2008.2.01.war"

#
# Reset the database.
# http://localhost:8080/astrogrid-community/admin/ResetDB.jsp

#
# Registration
# http://localhost:8080/astrogrid-community/admin/RegistrationInstructions.jsp

#
# Enable the CA.
# http://localhost:8080/astrogrid-community/admin/CaEnablementForm.jsp

#
# Create accounts ...
# http://localhost:8080/astrogrid-community/admin/account-list.jsp



#
# Set logging to INFO only
vi /var/lib/tomcat5/webapps/astrogrid-community/WEB-INF/classes/log4j.properties 

-   log4j.rootLogger=DEBUG, CONSOLE
+   log4j.rootLogger=INFO, CONSOLE

-- DaveMorris - 12 Jan 2009

Very good; but here are some comments on the details.

Community is supposed to be installed with the files owned by root. If the files are owned by some other account, then you get two problems:

  • The security of the private-key files is weakened.
  • It won't interoperate with MyProxy (which does have to be owned by root and shares the credential files).

We've established in the field that ports other than 80 and 443 for HTTP and HTTPS cause problems. The standard installation should either include an httpd proxy or put the servlet container on 80/443. The httpd proxy should work well enough with Community.

If you establish an httpd proxy using the ProxyPass and ProxyPassReverse directives, as we have done before, then I don't think you need the AJP connector in Tomcat. AFAIK, we've never used AJP. We don't even know if it works properly with our applications.

If the community be owned by root and run on ports 80 and 443, then it would be worth using the jsvc daemon to launch it. The usual reason for not using this daemon is that it has a platform-specific part that needs to be obtained separately and compiled. In an installation script for a particular platform, this is less of a problem.

Since the script has the power to choose the context path, would it be worth dropping the astrogrid- prefix? I.e. http://foo.bar/community rather than http://foo.bar/astrogrid-community.

You need to make the CA's serial-number file, ca-serial.txt, writeable as well as readable. This is really important.

The CA key and certificate should be write-locked.

The JSPs referred to in the comments above are web pages rather than web services. They're not designed to be scriptable and I don't think it's feasible to script them here. Therefore I suggest that the URLs be dropped from the commentary and replaced with a reference to the operation instructions. The link to the registration instructions is already of this nature.

-- GuyRixon - 13 Jan 2009
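
The file-mode points in the comment above (serial file writable, CA key and certificate write-locked) can be checked mechanically. The following is an added example, not part of the original page or of AstroGrid's own tooling: the function names are hypothetical, the rule that ca-key.pem has no group/other access is an assumption of the example, and the sample directory is constructed. It assumes GNU stat and that the files are owned by the account that runs the service.

```shell
#!/bin/sh
# Added example (not from the original page). Policy checked:
#   ca-key.pem, ca-cert.pem : write-locked (from the comment above)
#   ca-serial.txt           : writable by its owner (from the comment above)
#   ca-key.pem              : no group/other access (assumption of this example)
# Uses GNU stat, as shipped on Fedora.

mode_of() { stat -c '%a' "$1"; }

# Print one line per problem found in the CA directory $1.
check_ca_dir() {
    dir=$1
    m=$(mode_of "$dir/ca-key.pem")
    if [ $(( 0$m & 0077 )) -ne 0 ]; then
        echo "ca-key.pem ($m): accessible to group/other"
    fi
    for f in ca-key.pem ca-cert.pem; do
        m=$(mode_of "$dir/$f")
        if [ $(( 0$m & 0222 )) -ne 0 ]; then
            echo "$f ($m): not write-locked"
        fi
    done
    m=$(mode_of "$dir/ca-serial.txt")
    if [ $(( 0$m & 0200 )) -eq 0 ]; then
        echo "ca-serial.txt ($m): owner cannot write"
    fi
}

# Apply modes that satisfy the policy; ownership is left to the installer.
harden_ca_dir() {
    chmod 400 "$1/ca-key.pem"
    chmod 444 "$1/ca-cert.pem"
    chmod 600 "$1/ca-serial.txt"
}

# Constructed sample: three empty files with mode 644, standing in for
# CA files that were copied into place and then opened with "chmod a+r".
make_sample_ca_dir() {
    d=$(mktemp -d)
    for f in ca-key.pem ca-cert.pem ca-serial.txt; do
        : > "$d/$f"; chmod 644 "$d/$f"
    done
    echo "$d"
}

sample=$(make_sample_ca_dir)
echo "before:"; check_ca_dir "$sample"
harden_ca_dir "$sample"
echo "after: $(check_ca_dir "$sample" | wc -l) finding(s)"
rm -rf "$sample"
```

On a real installation, point check_ca_dir at ${COMMUNITY_BASE}/ca after the copy step.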

Topic revision: r2 - 2009-01-13 - 10:31:26 - GuyRixon
 