This will guide through basic installation of LEARN Federation Registry in Ubuntu 18.04 based on Jagger Documentation
This guide assumes you have pre installed Ubuntu 22.04 server with default configurations and have a public IP connectivity including DNS setup. Requirements:
- User with sudo privilleges
- Add FQDN to your hosts file
vi /etc/hosts
Add as follows
<Public IP address> <FQDN for your server>
All Commands will be run as the root user. You may use sudo su to become root.
apt install apache2
a2enmod rewritea2enmod unique_idservice apache2 restart
apt install mariadb-server
mysql_secure_installation
Securing the MySQL server deployment.
Connecting to MySQL using a blank password.
VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?
Press y|Y for Yes, any other key for No: y
There are three levels of password validation policy:
LOW Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 1
Please set the password for root here.
New password:
Re-enter new password:
Estimated strength of the password: 50
Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : y
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.
Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Success.
Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
Success.
By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
- Dropping test database...
Success.
- Removing privileges on test database...
Success.
Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
Success.
All done!
apt install php libapache2-mod-php
edit php settings as
vim /etc/php/8.1/apache2/php.ini
date.timezone = Asia/Colombo
memory_limit = 256M
max_execution_time = 60vim /etc/php/8.1/cli/php.ini
date.timezone = Asia/Colombo
max_execution_time = 60apt install php-apcuapt install php-mysqlapt install php-xmlapt install php-memcachedapt install php-amqplibapt install php8.1-bcmathapt install php-amqplibservice apache2 restart
follow these steps to install php7.X deprecated php-mcrypt from here
curl -sS https://getcomposer.org/installer | phpcp composer.phar /usr/local/bin/composer
apt-get install memcached
apt-get install gearman-job-serverapt-get install php-gearman
cd /optwget https://github.com/bcit-ci/CodeIgniter/archive/3.1.13.zipapt install unzipunzip 3.1.13.zipmv CodeIgniter-3.1.13 codeigniter
git clone https://github.com/Edugate/Jagger /opt/rr3cd /opt/rr3/applicationcomposer install
Note: Ignore the warning about running composer as root/super user!
cp /opt/codeigniter/index.php /opt/rr3/
Open /opt/rr3/index.php file and find
$system_path = 'system';
and change to
$system_path = '/opt/codeigniter/system';
You may also want to set production environment. To do it find the line
define('ENVIRONMENT', isset($_SERVER['CI_ENV']) ? $_SERVER['CI_ENV'] : 'development');
and change to
define('ENVIRONMENT', isset($_SERVER['CI_ENV']) ? $_SERVER['CI_ENV'] : 'production ');
Disable the default configuration
cd /etc/apache2/sites-available/a2dissite 000-default.confsystemctl reload apache2
Create a new conf file for RR3 as rr3.conf
cp 000-default.conf rr3.conf
Edit rr3.conf with following
vim rr3.conf
<VirtualHost *:80>
ServerName HOSTNAME.YOUR-DOMAIN.ac.lk
ServerAdmin [email protected]
DocumentRoot /opt/rr3/
Alias /rr3 /opt/rr3
<Directory /opt/rr3>
Require all granted
RewriteEngine On
RewriteBase /rr3
RewriteCond $1 !^(Shibboleth\.sso|index\.php|logos|signedmetadata|flags|images|app|schemas|fonts|styles|images|js|robots\.txt|pub|includes)
RewriteRule ^(.*)$ /rr3/index.php?/$1 [L]
</Directory>
<Directory /opt/rr3/application>
Order allow,deny
Deny from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>Enable rr3 site by,
a2ensite rr3
and restart Apache
systemctl reload apache2
Log in to MYSQL as root
mysql -u root -p
CREATE DATABASE rr3 CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL ON rr3.* to rr3user@'localhost' IDENTIFIED BY 'rr3@PasS';
FLUSH PRIVILEGES;cd /opt/rr3
./install.shNext, copy the default configurations as samples
cd application/config
cp config-default.php config.php
cp config_rr-default.php config_rr.php
cp database-default.php database.php
cp email-default.php email.php
cp memcached-default.php memcached.phpGive permission to Apache User www-data as following
chgrp www-data /opt/rr3/application/models/Proxies
chmod 755 /opt/rr3/application/models/Proxies
chgrp www-data /opt/rr3/application/cache
chmod 755 /opt/rr3/application/cachevim config.php
$config['base_url'] = 'https://YOUR-DOMAIN/rr3/';
$config['log_path'] = '/var/log/rr3/';You must also create this directory and make it writable by the Apache user www-data
mkdir /var/log/rr3
chown www-data:www-data /var/log/rr3
chmod 750 /var/log/rr3get a copy of following random output and put it back on config.php
tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
as
$config['encryption_key'] = '8mixahy22evqp4k6wbzce16oglg1zlyr';vim config_rr.php
rr_setup_allowed - it should be always be set to FALSE. TRUE only when setup is initialized
$config['rr_setup_allowed'] = TRUE;Note: This will be changed back to FALSE later in the setup.
site_logo - set filename to be used as main logo in top-left corner. File should be stored in /opt/rr3/images/ folder (Optional)
Note: The default logo is 515 pixels wide and 146 pixels high. Your own site logo should be about the same size.
$config['site_logo'] = 'your_logo.png';syncpass - please generate strong key. It’s used by synchronization - interfederation tool
tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
then assign generated value to attr like:
$config['syncpass'] = 'qp7zwgm6vqzptb87uoe7zzfiq1gx1oa6';support_mailto - set support email. For example this email is displayed as contact mail.
$config['support_mailto'] = '[email protected]';nameids - array of allowed NameID in JAGGER remove it from config
/*
$config['nameids'] = array(
'urn:mace:shibboleth:1.0:nameIdentifier' => 'urn:mace:shibboleth:1.0:nameIdentifier',
'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'=>'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
);
*/Note: The above config has been commented out!
$config['protocol'] = 'smtp';
$config['smtp_host'] = "SMTP_HOST";
$config['smtp_port'] = 25;
$config['smtp_user'] = 'USER';
$config['smtp_pass'] = 'PASS';
$config['smtp_crypto'] = 'tls';$db['default']['hostname'] = '127.0.0.1';
$db['default']['username'] = 'rr3user';
$db['default']['password'] = 'rr3@PasS';
$db['default']['database'] = 'rr3';
$db['default']['dsn'] = 'mysql:host=127.0.0.1;port=3306;dbname=rr3';To populate tables we are going to use doctrine tool.
cd /opt/rr3/application
edit composer.json to add
"doctrine/common": "2.8.1", in to the beginning of the require section
then run,
composer update
./doctrine orm:schema-tool:createIf you going to run application in production mode then you also need to regenerate proxies:
./doctrine orm:generate-proxies
and verify owner of application/models/Proxies/* - apache user should be owner
or
chown -R www-data models/Proxies/
In the future after every update you will need to run
./doctrine orm:schema-tool:update --force
./doctrine orm:generate-proxies
Log in to MYSQL as root
mysql -u root -p
CREATE DATABASE rr3 CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL ON rr3.* to rr3user@'localhost' IDENTIFIED BY 'rr3@PasS';
FLUSH PRIVILEGES;Restore the mysql dump in to the new server database;
After editing composer.json for doctrine
composer updateThen execute,
./doctrine orm:schema-tool:update --force
./doctrine orm:generate-proxies
add-apt-repository ppa:certbot/certbot
apt install python-certbot-apache
certbot --apache -d YOUR-DOMAINPlugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): YOU@YOUR-DOMAIN
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for YOUR_DOMAIN
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/rr3-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/rr3-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/rr3-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/rr3.conf to ssl vhost in /etc/apache2/sites-available/rr3-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://YOUR-DOMAIN
Open page https://YOUR-DOMAIN/rr3/setup and fill the form.
Once the default user is created switch OFF the setup mode on config_rr.php by
$config['rr_setup_allowed'] = FALSE;Next : Metadata signing with pyff