Building and Installing
=======================
Building
--------
IoTa uses Apache Maven for build automation (http://maven.apache.org).
A convenience building script is provided: make-all.sh.
Compilation of each module is achieved with this command:

    mvn compile

Maven will download all the necessary jar files and install them in a local
repository (usually ~/.m2/repository).
Installation of IoTa libraries in the local repository for further use (as
needed for several IoTa modules) is achieved with this command:

    mvn install

Note that this command also compiles the module if necessary.
Some of the modules provide unit tests, and some of these tests need an
application to be running (e.g. the tests for the IoTa-DiscoveryWS-Client
library need an up-and-running Discovery Web Service). To skip those tests,
use this command to compile or install:

    mvn -DskipTests install

You can manually install already downloaded jar files with this command:

    mvn install:install-file \
        -Dfile=sunxacml-2.0-SNAPSHOT.jar \
        -DgroupId=net.sf.sunxacml \
        -DartifactId=sunxacml \
        -Dversion=2.0-SNAPSHOT \
        -Dpackaging=jar

Note that this is necessary for the sunxacml library, as it is not published on
any widely known Maven repository. The jar file can be downloaded from the
SourceForge page for the project: http://sunxacml.sf.net
Here is a direct link: http://sourceforge.net/projects/sunxacml/files/maven/snapshots/net/sf/sunxacml/sunxacml/2.0-SNAPSHOT/sunxacml-2.0-SNAPSHOT.jar/download
Installing
----------
(All bracketed values `<name>` are placeholders.)
**The IoTa-Installer can help you to install and configure all the servers and
databases.**
All the applications and web applications have a `log4j.properties` file to
configure the logging output (file output, log format, log level, and so on).
### Applications
Get and extract the `<application>-<version>-bin-with-dependency.tar.gz`
tarball for the application.
Modify or create the configuration files (see the application `README` file
for a list and each file for comments).
A file in the current directory overrides the default version which is
embedded in the jar file.
You can extract the default commented version of the files from the jar file:

    jar xf <application>-<version>.jar application.properties

or

    unzip <application>-<version>.jar application.properties

Use the provided script to start the application.
### Servlet Container and SSL/TLS
A servlet container needs to be installed.
For now, the IoTa-Installer knows only about Apache Tomcat (versions 6 or 7).
The IoTa-Installer can help you install and configure one.
In order to use SSL/TLS as a mutual authentication means for the IoTa web
applications and their clients, an SSL/TLS connector must be configured.
For Apache Tomcat 7, if you don’t use the IoTa-Installer, you need to add a
connector element similar to the following snippet in the file
`${CATALINA_HOME}/conf/server.xml`:
    <Connector protocol="HTTP/1.1"
               port="8443"
               maxThreads="200"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               keystoreFile="${catalina.home}/conf/ssl/keystore.jks"
               keystorePass="changeit"
               keyAlias="if_more_than_one_key_in_keystore"
               keyPass="changeit"
               truststoreFile="${catalina.home}/conf/ssl/truststore.jks"
               truststorePass="changeit"
               crlFile="${catalina.home}/conf/ssl/revocations_list.pem"
               clientAuth="true"
               sslProtocol="TLS"/>

Or, if the Apache Portable Runtime library (APR) is installed and used on the
target system:
    <Connector protocol="HTTP/1.1"
               port="8443"
               maxThreads="200"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               SSLCertificateFile="${catalina.home}/conf/ssl/server.crt"
               SSLCertificateKeyFile="${catalina.home}/conf/ssl/server.pem"
               SSLCACertificatePath="${catalina.home}/conf/ssl/clients/"
               SSLCARevocationPath="${catalina.home}/conf/ssl/revocations/"
               SSLVerifyClient="require"
               SSLProtocol="TLSv1"/>

Add the clients' certificates to Tomcat's truststore, with a command like:

    keytool -importcert -storetype "jks" -keystore "truststore.jks" -alias "key" -file "client.cert"

The ETa, OMeGa and EpcisPHi applications need roles in `$CATALINA_HOME/conf/tomcat-users.xml`
to manage identity with TLS:
* for ETa: `<role rolename="eta_user"/>`
* for OMeGa: `<role rolename="omega_user"/>`
* for EpcisPHi: `<role rolename="ephi_user"/>`

The names can be different depending on the configuration of
`<webapp-dir>/WEB-INF/web.xml`.
Each user who wants to request the services of ETa, OMeGa or the web interface
of EpcisPHi must be identified in `$CATALINA_HOME/conf/tomcat-users.xml`
and one or more roles must be attributed.
Each application using these services must be known.
The user (or application) is recognized by the Distinguished Name (DN) of
the certificate used to connect to the service.
The user roles (ETa and/or OMeGa and/or EpcisPHi) are determined by the
"roles" attribute and correspond to the "rolename" values above.
To add the ETa, OMeGa and EpcisPHi services to the user whose certificate DN is
"CN=foo", add to the `$CATALINA_HOME/conf/tomcat-users.xml` file:

    <user username="CN=foo" password="" roles="eta_user,omega_user"/>

To log in to the web interface of Epcis-PHi as "superadmin", who manages the user
accounts, you must use a certificate (generated by IoTa-Installer or keytool).
The DN of this certificate ("UID=superadmin" by default) needs to be consistent
with the LDAP directory.
This user must be added to the same file:

    <user username="UID=superadmin" password="" roles="ephi_user"/>

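As an added example (not part of the IoTa project), the following Python code audits the two files configured above: it checks that every SSL-enabled connector in `server.xml` keeps certificate-based client authentication, a truststore and a CRL and no longer carries the placeholder password, and that every `tomcat-users.xml` entry is a certificate DN whose roles are all declared. The sample XML is constructed from the snippets above, plus one deliberately wrong user entry (`bob`).

```python
import re
import xml.etree.ElementTree as ET
# Constructed fragments mirroring the JSSE connector and tomcat-users.xml entries above.
SERVER_XML = """<Server><Service name="Catalina">
<Connector protocol="HTTP/1.1" port="8443" scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="${catalina.home}/conf/ssl/keystore.jks" keystorePass="changeit"
  truststoreFile="${catalina.home}/conf/ssl/truststore.jks" truststorePass="changeit"
  crlFile="${catalina.home}/conf/ssl/revocations_list.pem" clientAuth="true" sslProtocol="TLS"/>
</Service></Server>"""
TOMCAT_USERS_XML = """<tomcat-users>
<role rolename="eta_user"/><role rolename="omega_user"/><role rolename="ephi_user"/>
<user username="CN=foo" password="" roles="eta_user,omega_user"/>
<user username="UID=superadmin" password="" roles="ephi_user"/>
<user username="bob" password="secret" roles="eta_user,admin"/>
</tomcat-users>"""
PLACEHOLDER_PASS = "changeit"   # the placeholder password used in the connector snippet above
# A username is usable for TLS identity only if it looks like an X.500 DN (RDN[,RDN...]).
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=[^,]+(,\s*[A-Za-z][A-Za-z0-9.-]*=[^,]+)*$")

def audit_connector(server_xml):
    """Findings for every SSL-enabled Connector that weakens certificate client auth."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled") != "true":
            continue
        port = c.get("port")
        if c.get("clientAuth") != "true":
            findings.append(f"port {port}: clientAuth is not 'true', clients are not authenticated")
        if not c.get("truststoreFile"):
            findings.append(f"port {port}: no truststoreFile, client certificates cannot be verified")
        if not c.get("crlFile"):
            findings.append(f"port {port}: no crlFile, revoked client certificates are still accepted")
        for attr in ("keystorePass", "truststorePass", "keyPass"):
            if c.get(attr) == PLACEHOLDER_PASS:
                findings.append(f"port {port}: {attr} still holds the placeholder '{PLACEHOLDER_PASS}'")
    return findings

def audit_users(users_xml):
    """Findings for tomcat-users.xml: usernames must be certificate DNs, roles must be declared."""
    root = ET.fromstring(users_xml)
    declared = {r.get("rolename") for r in root.iter("role")}
    findings = []
    for u in root.iter("user"):
        name = u.get("username", "")
        if not DN_RE.match(name):
            findings.append(f"user {name!r}: username is not a DN, no TLS client will ever match it")
        for role in filter(None, (r.strip() for r in u.get("roles", "").split(","))):
            if role not in declared:
                findings.append(f"user {name!r}: role {role!r} is not declared by a <role> element")
    return findings
```

Run both functions against the real `${CATALINA_HOME}/conf/server.xml` and `tomcat-users.xml` after installation; an empty list from each means the mutual-TLS setup described above is complete.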
### Web Applications
Get the `<application>-<version>.war` war file for the web application.
Deploy it in your servlet container (see the container documentation for
information). For Apache Tomcat, this can be done in several ways:
1. manually extract the war file in `$CATALINA_HOME/webapps`
2. copy the war file in `$CATALINA_HOME/webapps` and let Tomcat deploy it
(either at its next restart or while running if its autodeploy option is
on)
3. use the manager web application (http://localhost:8080/manager)
4. use the deploy-tools
5. use the Maven Tomcat plugin
Edit the configuration files in `<webapp-dir>/WEB-INF/classes/` (see the web
application `README` for a list and each file for comments).
Reload the web application or restart the servlet container.
### Web Applications with databases
1. The database

Create the database for the application:

    CREATE DATABASE <app_db>;

Create a specific user and grant them access rights:

    GRANT SELECT, INSERT, UPDATE, DELETE ON <app_db>.*
        TO <app_db_user>@localhost IDENTIFIED BY '<app_db_password>';

Create the tables:

    use <app_db>;
    source <app>_schema.sql;

The file `<app>_schema.sql` for each application can be found in
`IoTa-Installer/resources` and in `<app>/src/main/resources/sql`.
2. Install the web application as explained earlier.
At this point, the web application will probably fail to properly start.
3. The context file
Modify the file `$CATALINA_HOME/webapps/<webapp>/META-INF/context.xml` to
reflect the values for your database (name, login and password).
Sometimes a copy of this file is also needed as
`$CATALINA_HOME/conf/localhost/<webapp>.xml`.
Reload the web application or restart the servlet container.
Do not forget to install the JDBC connector jar file. (For Apache Tomcat and
MySQL, copy `mysql-connector-java.jar` in `$CATALINA_HOME/lib`.)
### ONS
Some applications need an Object Naming Service. NAPTR records are used to find
the URL of the Discovery Service for a given EPC code.
Here is a typical zone file for the product `urn:epc:id:sgtin:1234567.89012`:

    ;;
    $TTL 1d
    ;; zone, the vendor Id
    $ORIGIN 7.6.5.4.3.2.1.sgtin.id.ons-peer.com.
    @ IN SOA localhost info.example.com ( ; info@example.com
            2012010101 ; serial version number
            3h         ; refresh
            1h         ; retry
            1d         ; expire
            1          ; negative cache TTL
            )
    ;; this server's name
      IN NS ons.example.com.
    ; NAPTRs for products
    ; example product
    ;                  order pref flags service         regex
    2.1.0.9.8 IN NAPTR 0 0 "u" "epc+html" "!^.*$!http://www.example.com/!" .
              IN NAPTR 1 0 "u" "epc+epcis" "!^.*$!http://epcis.example.com/epcis/!" .
              IN NAPTR 2 0 "u" "epc+ided_epcis" "!^.*$!http://epcis.example.com/eta/!" .
              IN NAPTR 3 0 "u" "epc+ds" "!^.*$!http://ds.example.com/ds/services/ESDS_Service!" .
              IN NAPTR 4 0 "u" "epc+ds" "!^.*$!http://ds.example.com/dseta/ds/!" .
              IN NAPTR 5 0 "u" "epc+ided_ds" "!^.*$!http://ds.example.com/dseta/ided_ds/!" .
    ; first, the HTML web page for product information
    ; then, the EPCIS-repository web service associated to this EPC
    ; then, the identified EPCIS-repository (ETa) web service associated to this EPC
    ; then, the Discovery web service associated to this EPC (WINGS version)
    ; then, the Discovery web service associated to this EPC
    ; finally, the identified Discovery web service associated to this EPC
    ; the order is free

On Debian and Debian-derived systems, you just need to install the `bind9`
package, create one or more zone files like the example above, and activate
those zones by adding a statement of this kind to `named.conf.local`:

    zone "7.6.5.4.3.2.1.sgtin.id.ons-peer.com" {
        type master;
        file "/etc/bind/db.ons.peer.com";
    };

Remember that, to avoid running an open recursive resolver, you need to add
these options (in the `options` statement of `named.conf.options`):

    allow-transfer { none; };
    allow-recursion { none; };
    recursion no;

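As an added example (not part of the IoTa project), the following Python code shows how a resolver turns the EPC above into the ONS query name this zone answers (item reference, then company prefix, each digit-reversed, under `sgtin.id.ons-peer.com`, as laid out in the zone file) and how the NAPTR `regex` field of the lowest order/preference record for a service yields the service URL. The zone text is a constructed excerpt of the zone file above.

```python
import re
# Constructed excerpt of the zone file above (owner-less lines inherit the previous owner).
ZONE = """\
$ORIGIN 7.6.5.4.3.2.1.sgtin.id.ons-peer.com.
2.1.0.9.8 IN NAPTR 0 0 "u" "epc+html" "!^.*$!http://www.example.com/!" .
IN NAPTR 1 0 "u" "epc+epcis" "!^.*$!http://epcis.example.com/epcis/!" .
IN NAPTR 3 0 "u" "epc+ds" "!^.*$!http://ds.example.com/ds/services/ESDS_Service!" .
IN NAPTR 4 0 "u" "epc+ds" "!^.*$!http://ds.example.com/dseta/ds/!" .
"""
ONS_ROOT = "ons-peer.com."   # ONS root used by the zone above
NAPTR_RE = re.compile(r'^(?:(\S+)\s+)?IN\s+NAPTR\s+(\d+)\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"')

def epc_to_ons_name(epc):
    """ONS query name for an SGTIN pure-identity EPC, following the zone above:
    urn:epc:id:sgtin:1234567.89012 -> 2.1.0.9.8.7.6.5.4.3.2.1.sgtin.id.ons-peer.com."""
    parts = epc.split(":")
    if len(parts) != 5 or parts[:3] != ["urn", "epc", "id"]:
        raise ValueError("not an EPC pure identity URI: " + epc)
    scheme, fields = parts[3], parts[4].split(".")   # sgtin: <company prefix>.<item ref>[.<serial>]
    if len(fields) < 2 or not (fields[0].isdigit() and fields[1].isdigit()):
        raise ValueError("non-numeric company prefix or item reference: " + epc)
    labels = list(fields[1][::-1]) + list(fields[0][::-1])   # item reference first, then company prefix
    return ".".join(labels) + "." + scheme + ".id." + ONS_ROOT

def parse_naptrs(zone_text):
    """Yield (owner_fqdn, order, pref, service, regexp) for each NAPTR record."""
    origin, owner = "", ""
    for line in zone_text.splitlines():
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        elif (m := NAPTR_RE.match(line.strip())):
            owner = m.group(1) or owner                    # blank owner: same as the previous record
            fqdn = owner if owner.endswith(".") else owner + "." + origin
            yield fqdn, int(m.group(2)), int(m.group(3)), m.group(5), m.group(6)

def apply_naptr_regexp(rule, subject):
    """Apply a NAPTR regexp field ('!pattern!replacement!') to the EPC, as a resolver does."""
    pattern, replacement, _flags = rule[1:].split(rule[0])
    return re.sub(pattern, replacement, subject, count=1)

def resolve(epc, service, zone_text=ZONE):
    """URL from the lowest (order, preference) NAPTR of `service` at the EPC's ONS name, or None."""
    name = epc_to_ons_name(epc)
    matches = sorted((o, p, rx) for fqdn, o, p, svc, rx in parse_naptrs(zone_text)
                     if fqdn == name and svc == service)
    return apply_naptr_regexp(matches[0][2], epc) if matches else None
```

Feeding a deployed zone file to `resolve` is a quick way to confirm that the NAPTR owner names actually match the EPCs the applications will look up.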
### LDAP
Some applications (YPSilon) need an LDAP server.
Starting from a functional LDAP server, the script `YPSilon/ldap.sh` or the LDAP
module of the IoTa-Installer adds a schema, a group and the two users superadmin
and anonymous.
On Debian and Debian-derived systems, you just need to install the packages
`slapd` and `ldap-utils`. You have to execute `dpkg-reconfigure slapd` in
order to complete the configuration.
To add an index on an attribute (such as the attribute holding the DN of the user
certificate when that DN is incompatible with the LDAP tree, "aliasdn" by
default), you can use the ldapmodify command with this LDIF:

    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    add: olcDbIndex
    olcDbIndex: aliasdn eq

where "olcDatabase={1}hdb" is the database in use.
### ActiveMQ
Some applications (ETa-Callback*) need an ActiveMQ JMS broker.
On Debian and Debian-derived systems, you just need to install the package
`activemq`.
### Memory Issues
Due to extensive introspection (e.g. by Hibernate or CXF), and if you want to
install all the web applications on the same server, the JVM “PermGen” memory
needs to be increased. For Apache Tomcat, it can be done with the environment
variable JAVA_OPTS. In POSIX shells, that can be done by a command like the
following one:

    export JAVA_OPTS='-Xms2048m -Xmx4096m -XX:MaxPermSize=512m'

This environment variable needs to be set before starting Apache Tomcat, hence
before starting the IoTa-Installer (as the IoTa-Installer starts Apache
Tomcat).
This is only necessary if you install all (or most of) the web applications in
the same servlet container.