Last Update: 20-FEB-2014
SecDocs V2.1A04 Installation Guide

Index
Software Requirements
Delivered Software
Configuring the SecDocs Runtime Environment
    Language Environment
    SELinux
    File system Configuration
    Database Configuration
        Oracle Database Configuration
        MySQL Database Configuration
    Mount Point Creation for Fujitsu ETERNUS CS High End or the NetApp Filer (User: root)
    Upgrade Installation Hints
    OpenLimit Middleware Version 3 Server (User: root)
        OpenLimit Middleware Version 3 Server Installation
        Starting of the Middleware Version 3 Server (User: root)
        Check whether the Middleware Version 3 Server Is Running (User: root)
        Stopping the Middleware Version 3 Server (User: root)
    SecDocs Installation
        SecDocs Installation (User: root)
SecDocs Configuration
SecDocs Multi Node Configuration
SecDocs Logging
SecDocs Application Start/Stop
SecDocs: Further Configuration Steps
SecDocs Database Migration
SecDocs Recovery Tool (recoverFromStorage)
SecDocs Diagnostic Scripts (User: root/secdocs)
Source: manuals.ts.fujitsu.com/file/11357/SecDocs-Installation... (2014-02-25)
Adding the JBoss AS Admin Applications
SecDocs: English PDF Verification Protocols
Usage of SecDocs With Another Database Software
    MySQL
Software Requirements

SecDocs Software
SecDocs is a Java EE 5 application, written in Java 6, and runs on a JBoss AS 5.1.0 application server. The Java SE 6 SDK and the JBoss AS 5.1.0 software are delivered with the SecDocs software. Both platforms are long out of vendor support, so an installation on them receives no platform security updates and has to be shielded accordingly (network position, host hardening).

OpenLimit Software
OpenLimit Middleware Version 3 Server (required to run the SecDocs software)
Configuring the SecDocs Runtime Environment

Language Environment
The SecDocs software is based on the UTF-8 encoding. To guarantee proper input/output behavior make sure that a UTF-8 locale is set in the environment of the user running SecDocs, e.g.:
LANG=en_US.UTF-8
or
LANG=de_DE.UTF-8
SELinux
SELinux is enabled by default on RHEL systems. To assure a proper runtime environment for the SecDocs application (a Java based application) the guide requires SELinux to be disabled. Be aware that this removes the mandatory access control layer for the whole host, not only for SecDocs; compensate with host hardening and a restricted network position for the archive server, and record the decision. Check the current state with getenforce; the persistent setting is SELINUX=disabled in /etc/selinux/config and takes effect after a reboot.
File system Configuration
Approximately 12 inodes are needed in the file system to store one SDO. The number of inodes a file system can hold is limited. Whether it can be raised later depends on the file system type: on ext3/ext4 the inode count is fixed when the file system is created (mkfs options -N or -i), so the archive file system has to be sized for the expected number of SDOs up front; XFS allocates inodes dynamically.
Implication: check the inode capacity of your archive file system (df -i) before starting to archive data with SecDocs.
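The inode check described above, as an added example that is not part of the Fujitsu guide. It uses the guide's figure of about 12 inodes per SDO; the archive path and the df output in the usage are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the SecDocs guide): inode capacity planning for
# the archive file system. 12 inodes per SDO is the figure from the guide;
# the mount point and df output used below are constructed.

INODES_PER_SDO=12

# sdo_capacity FREE_INODES
# How many more SDOs fit before the file system runs out of inodes.
sdo_capacity() { echo $(( $1 / INODES_PER_SDO )); }

# free_inodes_for MOUNTPOINT "<output of df -iP>"
# Picks the IFree column of the line for MOUNTPOINT from `df -iP` output
# (columns: Filesystem Inodes IUsed IFree IUse% Mounted-on). Fails if the
# mount point is not listed, so a typo in the path is not read as zero.
free_inodes_for() {
  printf '%s\n' "$2" |
    awk -v m="$1" '$NF == m { print $4; found = 1 } END { if (!found) exit 1 }'
}

# inodes_for_mkfs EXPECTED_SDOS
# Inode count to pass to mkfs.ext4 -N so the file system holds EXPECTED_SDOS
# plus 25% headroom; ext3/ext4 cannot grow this number afterwards.
inodes_for_mkfs() { echo $(( $1 * INODES_PER_SDO * 5 / 4 )); }

# Live use on the archive server (path is an assumption):
#   free=$(free_inodes_for /home/secdocs/archive "$(df -iP /home/secdocs/archive)")
#   echo "room for $(sdo_capacity "$free") more SDOs"
```

Run the live commands as user secdocs against the directory configured as archiveRoot; if the capacity is below the planned archive volume, the file system has to be recreated with a larger inode count, because deleting files is not an option for an archive.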
Database Configuration
Keep the following configuration requirements in mind for all supported database systems:
- Use UTF-8 as the default character set.
- The SecDocs database user needs the following permissions: ALTER TABLE, CREATE TABLE, CREATE TEMPORARY TABLES, DROP TABLE, CREATE INDEX, SELECT, INSERT, UPDATE, DELETE.
- Additional permission for a MySQL database: LOCK TABLES.
Grant these on the SecDocs schema or database only; the user needs no administrative rights on the instance.
Oracle Database Configuration
Attention: by default XA support is not configured for an Oracle database instance, but it is mandatory for the SecDocs application. The Oracle database administrator can activate XA support by running the xaview script as SYS:
$ cd $ORACLE_HOME/rdbms/admin
$ sqlplus /nolog
connect sys/<password> as sysdba
@xaview
exit
An Oracle database user (dbUser) is needed to run the SecDocs application:
CREATE USER "dbUser" IDENTIFIED BY "dbPassword"
PROFILE "DEFAULT" DEFAULT TABLESPACE "USERS"
ACCOUNT UNLOCK;
This database user needs the following permissions (the four SELECT grants and EXECUTE ON sys.dbms_system are needed by the JBoss XA recovery to inspect in-doubt transactions):
GRANT SELECT ON sys.v$xatrans$ TO dbUser;
GRANT SELECT ON sys.dba_pending_transactions TO dbUser;
GRANT SELECT ON sys.pending_trans$ TO dbUser;
GRANT SELECT ON sys.dba_2pc_pending TO dbUser;
GRANT EXECUTE ON sys.dbms_system TO dbUser;
GRANT CONNECT TO dbUser;
GRANT RESOURCE TO dbUser;
Caveat: RESOURCE is a role and wider than the permission list under "Database Configuration"; on Oracle releases before 12c a directly granted RESOURCE role also carries UNLIMITED TABLESPACE. Where site policy demands least privilege, grant the individual privileges plus a tablespace quota instead and test the application against that user.
For the SecDocs TripleStore functionality you have to run the following SQL statements as Oracle administrator. The two global temporary tables are created once; the DDL trigger turns any later CREATE or DROP of these two objects into a no-op, so the precreated tables cannot be dropped or recreated by the application at runtime:
-- temporary table for node quads; rows live only until COMMIT
CREATE GLOBAL TEMPORARY TABLE "dbUser".NNodeQuads(
n0 NUMBER(20) ,
n1 NCLOB ,
n2 NVARCHAR2(10) ,
n3 NVARCHAR2(200) ,
n4 INT
) ON COMMIT DELETE ROWS;
--
-- temporary table for quads (four node ids)
CREATE GLOBAL TEMPORARY TABLE "dbUser".NQuads(
t0 NUMBER(20) ,
t1 NUMBER(20) ,
t2 NUMBER(20) ,
t3 NUMBER(20)
) ON COMMIT DELETE ROWS;
-- swallow CREATE/DROP of the two tables issued by the application
CREATE OR REPLACE TRIGGER secDocsJenaTempTables
INSTEAD OF CREATE OR DROP ON "dbUser".schema
WHEN (upper(ora_dict_obj_name) LIKE 'NQUADS' OR
upper(ora_dict_obj_name) LIKE 'NNODEQUADS')
BEGIN
null;
END;
/
The following data provided by your Oracle database administrator are needed for the SecDocs application configuration:
dbHost
Name of the machine running the listener of the Oracle database instance.
dbPort
Port number used by the listener of the Oracle database instance.
(Default: 1521)
dbService
Name of the Oracle database service.
dbUser
Name of the Oracle database user.
dbPassword
Password of the Oracle database user.
MySQL Database Configuration
For the SecDocs operation you must add the following parameters to the [mysqld] section of your MySQL configuration file (my.cnf):
transaction-isolation = READ-COMMITTED
innodb_locks_unsafe_for_binlog = 1
Caveats: with binary logging enabled, MySQL rejects READ-COMMITTED transactions in statement-based logging mode, so binlog_format must be ROW or MIXED on such servers. innodb_locks_unsafe_for_binlog is deprecated since MySQL 5.6 and removed in 8.0, where an unknown option in my.cnf prevents the server from starting; the guide targets the MySQL versions current in 2014.
The following data provided by your MySQL database administrator are needed for the SecDocs application configuration:
dbHost
Name of the machine running the MySQL database server.
dbPort
Port number used by MySQL database server.
(Default: 3306)
dbName
Name of the MySQL database.
dbUser
Name of the MySQL database user.
dbPassword
Password of the MySQL database user.
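The database user and the my.cnf fragment from the two sections above, as an added example that is not part of the Fujitsu guide. It maps the permission list from "Database Configuration" onto the MySQL privilege names and adds a check for over-privileged users; database name, user name, application host and password in the usage are placeholders.

```shell
#!/bin/sh
# Added example (not from the SecDocs guide): emit the MySQL statements that
# create the SecDocs database and a least-privilege user with exactly the
# rights listed under "Database Configuration", print the required [mysqld]
# settings, and check an existing user's SHOW GRANTS line for rights
# SecDocs never needs. All names used in the usage are placeholders.

# Privileges from the guide, spelled as MySQL knows them:
# ALTER TABLE -> ALTER, CREATE TABLE -> CREATE, DROP TABLE -> DROP,
# CREATE INDEX -> INDEX, plus CREATE TEMPORARY TABLES, SELECT, INSERT,
# UPDATE, DELETE and the MySQL-only LOCK TABLES.
SECDOCS_PRIVS='ALTER, CREATE, CREATE TEMPORARY TABLES, DROP, INDEX, SELECT, INSERT, UPDATE, DELETE, LOCK TABLES'

# secdocs_mysql_ddl DBNAME DBUSER APPHOST PASSWORD
# Prints DDL for `mysql -u root -p`. The user is confined to the SecDocs
# database and to the host the application connects from, not to '%'.
# MySQL's "utf8" is the 3-byte variant; on 5.5.3+ utf8mb4 is full UTF-8.
secdocs_mysql_ddl() {
  printf "CREATE DATABASE IF NOT EXISTS \`%s\` CHARACTER SET utf8;\n" "$1"
  printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$2" "$3" "$4"
  printf "GRANT %s ON \`%s\`.* TO '%s'@'%s';\n" "$SECDOCS_PRIVS" "$1" "$2" "$3"
  printf "FLUSH PRIVILEGES;\n"
}

# grants_are_minimal "<one line of SHOW GRANTS output>"
# 0 when the grant is confined to one database and carries none of the
# global or administrative rights SecDocs does not need, 1 otherwise.
grants_are_minimal() {
  line=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
  case "$line" in
    *"ALL PRIVILEGES"*|*" SUPER"*|*" FILE"*|*" PROCESS"*|*"GRANT OPTION"*|*"ON *.*"*)
      return 1 ;;
  esac
  return 0
}

# secdocs_mysqld_cnf
# The [mysqld] settings the guide requires. With binary logging enabled the
# server additionally needs binlog_format = ROW or MIXED for READ-COMMITTED.
secdocs_mysqld_cnf() {
  cat <<'EOF'
[mysqld]
character-set-server = utf8
transaction-isolation = READ-COMMITTED
innodb_locks_unsafe_for_binlog = 1
EOF
}

# Usage (placeholders):
#   secdocs_mysql_ddl secdocs secdocs_user 10.0.0.5 'S3cret' | mysql -u root -p
#   mysql -u root -p -N -e "SHOW GRANTS FOR 'secdocs_user'@'10.0.0.5'" | while read -r g; do
#     grants_are_minimal "$g" || echo "too wide: $g"; done
```

The grant is deliberately scoped to `dbName`.* and to one client host; a user created with ALL PRIVILEGES ON *.* works just as well for SecDocs, which is why the check exists.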
Mount Point Creation for Fujitsu ETERNUS CS High End or the NetApp Filer (User: root)
Add an NFSv3 mount to the file /etc/fstab as operating system administrator (user root),
Note: NFSv3 with AUTH_SYS authenticates nothing beyond the client address and the UID the client presents, so restrict the export on the filer to the SecDocs host(s) and mount it with the nosuid,nodev options.
After the installation you will have the following directories in the home directory:
admin
    Administration tools directory.
    admin/recovery contains the script recoverFromStorage (SecDocs Recovery Tool).
bin
    SecDocs start/stop script and diagnostic scripts.
docs/licenses
    Licenses of the open source software used in SecDocs.
    The file ThirdPartyLicenseReadme.txt contains a list of all used components.
install
    Data used by the SecDocs RPM installation and optional data for the SecDocs JBoss AS instance.
    install/migration contains the script startMigration, which migrates the SecDocs database.
java
    Java SE 6 64-bit SDK Update 45.
jaxws
    wsimport-generated web service client stub classes.
    In the directory bin you will find the script genArchivingSRWsClientStubs. This script shows how to create the Archiving web service client stub classes from the file schemas/2.1/ArchivingSR.wsdl.
    jaxws/javadoc
        JavaDoc of the generated stub classes.
    jaxws/lib
        JAR files with the stub classes and sources.
jboss
    JBoss 5.1.0 based SecDocs application.
schemas
    SecDocs Web Services and related data types.
    schemas/2.1
        AdminData.xsd
            SecDocs Administrator specific data types
        AdminUpdateData.xsd
            SecDocs Administrator specific data types
        ArchiveAdmin.wsdl
            Archive Administrator WSDL
        ArchivingSR.wsdl
            Archiving WSDL sample for the customer specific submit and retrieve operations
        Archiving.wsdl
            Archiving WSDL
        ArchivingData.xsd
            Archiving specific data types
        filter.xsd
            SDO filter schema file
        MandantAdmin.wsdl
            Mandant Administrator WSDL
        result2.xjb
            JAXB mapping file for the wsimport tool
        secdocs.xsd
            SecDocs specific data types
        sparql-protocol-types.xjb
            JAXB mapping file for the wsimport tool
        VerificationInfo.xsd
            Data types of the element SignatureVerificationInfo of the requestForEvidence response (Archiving operation)
    schemas/2.1/query
        SPARQL related schema files: rdf.xsd, result.xsd, sparql-protocol-types.xsd, xml.xsd
    schemas/2.1/samples
        MultiDocument.xsd
            Schema for the sample MyDocument SDO
        MultiDocumentFilter.xml
            Sample filter
SecDocs: Further Configuration Steps
Further configuration steps are described in the SecDocs manual "Administration and Operation". You will find an overview of the needed steps in the chapter "Step-by-step guides".
SecDocs Database Migration
After upgrading an existing SecDocs 2.0 installation the SecDocs database tables must be migrated to the new SecDocs version. Without this step the new version of the SecDocs application will not start.
This migration step is performed by the script startMigration. You will find this script in the directory install/migration of the SecDocs installation. Take a backup of the database before running it, since the script changes the schema in place:
$ cd install/migration
$ ./startMigration
Attention (Oracle database): if an Oracle database is in use, the Oracle database administrator must run the following SQL statements for the SecDocs database user before starting the SecDocs application (see "Oracle Database Configuration"):
CREATE GLOBAL TEMPORARY TABLE "dbUser".NNodeQuads ...
CREATE GLOBAL TEMPORARY TABLE "dbUser".NQuads ...
CREATE OR REPLACE TRIGGER secDocsJenaTempTables ...
Attention (new feature: Short Subject): if $Subject is used in a filter, SecDocs 2.1 also stores up to 200 characters of the given subject in a Short Subject database field. The migration software adds this new field to the database but does not fill it for already submitted documents. To fill the Short Subject field for already submitted documents you have to run the SecDocs Recovery Tool with the option update.
SecDocs Recovery Tool (recoverFromStorage)
You will find the storage recovery tool in the directory admin/recovery in the JAR file StorageRecovery.jar. You can start this tool easily with the help of the script recoverFromStorage:
recoverFromStorage <options>
The storage recovery tool needs a properties file to run. The file recover.properties is available in the directory admin/recovery. You must adapt the following entry in this file:
asPath=/home/secdocs/jboss
JBoss AS home directory.
A detailed description of the storage recovery tool can be found in the SecDocs manual (chapter: Recovery (Script: recoverFromStorage)).
SecDocs Diagnostic Scripts (User: root/secdocs)
The diagnostic scripts are located in the directory bin of the account secdocs and can be used by the system administrator (user root) and the user secdocs.
genArchivingSRWsClientStubs
    Shows how to create the web service client stub classes from the file schemas/2.1/ArchivingSR.wsdl with the Java SDK wsimport tool. Running this script creates the files wsStubsArchivingSR-2.1.jar and wsStubsArchivingSourcesSR-2.1.jar in the directory jaxws/lib.
getDiagnosticData
    A tool to collect diagnostic information.
getMultiNodeStatus
    Shows the running SecDocs multi node instances in this multi node configuration.
getSecDocsConfigData
    Shows important diagnostic information of a running SecDocs application. If the SecDocs application is not running you will not get any data.
getStatus
    Shows whether the SecDocs web services are available or not:
    SecDocs web services available
    SecDocs web services NOT available
    If the SecDocs application is not running you will not get any data.
getVersion
    Shows the version of the running SecDocs application. If the SecDocs application is not running you will not get any data.
heapdump
    Creates a JVM heap dump of the running SecDocs instance. A heap dump contains whatever was in memory, including database passwords and key material; keep it with restrictive permissions and delete it after analysis.
jhatRunner
    Starts the Java SDK tool jhat. jhat serves the heap dump over an HTTP port (7000 by default) without authentication, so run it only on a trusted network.
jstatdRunner / jstatdRunner.policy
    Script and configuration file for starting the Java SDK tool jstatd. jstatd has no authentication of its own (the policy file only grants it permissions), so start it for the diagnosis and stop it afterwards.
jtop
    Diagnostic tool: starts the Java SE 6 console with the JTop plugin.
olscStatus
    Shows whether the OpenLimit Middleware Version 3 Server is running or not (works only if the server is running on the same machine).
removeLogs
    Removes the SecDocs JBoss logging files.
secdocs
    Same functionality as the RHEL service secdocs.
setSecDocsEnv.sh
    The SecDocs related environment variables are set in this script. All SecDocs scripts call this script.
sysinfo
    Collects important diagnostic information about the machine configuration.
Adding the JBoss AS Admin Applications
For security reasons the standard JBoss AS administration applications are not available in the SecDocs JBoss AS instance. If these applications are needed for any reason, you can copy them from the directory /home/secdocs/install/jboss/adminApps into the /home/secdocs/jboss/server/secdocs/deploy directory. After restarting the SecDocs application the JBoss AS administration applications are available.
Attention: by default anybody can use the JBoss AS administration applications! Make sure that you secure these applications (e.g. by user/password) before they are reachable, and remove them from the deploy directory again when the task is done. The JMX console in particular exposes every MBean of the server, including deployment, so an unauthenticated copy amounts to full control of the archive server.
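A check that the copied administration application actually demands a login, as an added example that is not part of the Fujitsu guide. In the stock JBoss AS 5.1 distribution the security-constraint in WEB-INF/web.xml and the security-domain in WEB-INF/jboss-web.xml of the consoles ship commented out, and the matching user accounts live in conf/props/*-users.properties; the deploy path and the sample files in the usage are assumptions.

```shell
#!/bin/sh
# Added example (not from the SecDocs guide): verify that a JBoss AS 5.1
# admin application copied into the deploy directory has its access control
# switched on. A plain copy of jmx-console.war deploys with the
# <security-constraint> (web.xml) and <security-domain> (jboss-web.xml)
# still commented out, i.e. without any login. Paths are assumptions.

# strip_xml_comments FILE
# Prints FILE with every <!-- ... --> block removed, across line breaks too.
strip_xml_comments() {
  awk '
    { line = $0; out = ""
      while (length(line) > 0) {
        if (incomment) {
          i = index(line, "-->")
          if (i == 0) { line = ""; break }
          line = substr(line, i + 3); incomment = 0
        } else {
          i = index(line, "<!--")
          if (i == 0) { out = out line; line = ""; break }
          out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1
        }
      }
      print out }' "$1"
}

# has_active_element FILE TAG
# 0 when <TAG appears outside comments in FILE, 1 otherwise.
has_active_element() {
  strip_xml_comments "$1" | grep -q "<$2[ >]"
}

# admin_app_secured WAR_DIR
# 0 only if both the servlet security constraint and the JBoss security
# domain are active, so the container will ask for credentials.
admin_app_secured() {
  has_active_element "$1/WEB-INF/web.xml" security-constraint &&
  has_active_element "$1/WEB-INF/jboss-web.xml" security-domain
}

# Live use (path is an assumption):
#   admin_app_secured /home/secdocs/jboss/server/secdocs/deploy/jmx-console.war \
#     || echo "jmx-console is deployed WITHOUT authentication"
```

A passing check only proves that a login is demanded; also confirm that the properties file behind the security domain holds no default or shared credentials before exposing the console.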
SecDocs: English PDF Verification Protocols
The verification protocols generated by the OpenLimit Middleware Version 3 Server can optionally be delivered as a human readable PDF report. These reports are in German by default. The reports can also be generated in English. To do so you have to exchange the PDFCreator.jar file with the following commands:
# service secdocs stop
SecDocs Tuning
In this chapter we describe some parameters that can be adapted to your needs.

SecDocs JBoss AS Memory Shortage
The memory heap size of the SecDocs JBoss AS application is limited by the following lines in the script file /home/secdocs/bin/secdocs:
# SecDocs JBoss AS maximum Java heap size
JAVA_MEM_MX=-Xmx4096m
This default value of 4 GB may be too small in a production environment. If enough RAM is available on your server machine you can raise this value; leave room for the operating system and the OpenLimit middleware, otherwise the host starts swapping. Examples of possible memory shortages in the standard configuration:
- Parallel store of big/many SDOs.
- Parallel store of SDOs with many signatures.
Transaction Timeout
You will find the following line in the file jboss/server/secdocs/deploy/transaction-jboss-beans.xml:
This property limits the maximum time for a transaction to 1800 seconds. This value may be too small for big data (= big SDOs and/or many signatures in an SDO) and can be raised if necessary.
Database Connection Pool
The database connections are managed in a connection pool by the JBoss application server. In the file jboss/server/secdocs/deploy/secdocs-ds.xml you will find the following line twice (there are two data sources):
<max-pool-size>500</max-pool-size>
I.e. each data source can use at most 500 connections to the database, 1000 all together. Depending on your environment you can lower or raise this value. In a multi node configuration every node has its own pools, so the database has to be sized for the sum over all nodes.
Oracle
Attention: each database connection uses an Oracle database process. The default value may be too small for your SecDocs configuration. The database administrator can get the configured number of Oracle database processes with the following command:
show parameter processes;
Beside other configuration parameters of the database instance you will see a line of the following form:
NAME        TYPE      VALUE
processes   integer   150
The database administrator can change this value with the following commands (in this example we change the value to 1100; the parameter is stored in the spfile and takes effect only after the instance is restarted):
shut immediate;
startup mount;
alter system set processes=1100 scope=spfile;
alter database open;
shutdown immediate;
startup;
show parameter processes;
MySQL
In a standard MySQL configuration the maximum number of allowed connections (max_connections) is too small for the SecDocs connection pools. The database administrator can get the configured value with the following command:
show variables like 'max_connections';
The database administrator can change the value with the following command (in this example we set the value to 1100):
set global max_connections=1100;
SET GLOBAL is not persistent: add max_connections = 1100 to the [mysqld] section of my.cnf as well, otherwise the old limit returns with the next restart of the server.
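Sizing the database-side limit for both Oracle (processes) and MySQL (max_connections) from the actual pool configuration, as an added example that is not part of the Fujitsu guide. It reads the <max-pool-size> values out of secdocs-ds.xml instead of assuming 2 x 500, and accounts for the number of SecDocs nodes; node count, headroom and the file path in the usage are assumptions you supply.

```shell
#!/bin/sh
# Added example (not from the SecDocs guide): derive the database-side
# connection limit from the JBoss datasource file. Each SecDocs node runs
# its own secdocs-ds.xml, so the database must accept
#   (sum of all <max-pool-size> values) x (number of nodes) + headroom,
# the headroom covering DBA sessions and, on Oracle, the instance's own
# background processes. Node count and headroom are assumptions.

# pool_total FILE
# Sums every <max-pool-size>N</max-pool-size> found in a -ds.xml file.
pool_total() {
  sed -n 's/.*<max-pool-size>[[:space:]]*\([0-9][0-9]*\)[[:space:]]*<\/max-pool-size>.*/\1/p' "$1" |
    awk '{ s += $1 } END { print s + 0 }'
}

# required_db_limit FILE NODES HEADROOM
# Connections the database must allow for NODES SecDocs nodes using FILE.
required_db_limit() {
  total=$(pool_total "$1")
  echo $(( total * $2 + $3 ))
}

# db_limit_sql DBTYPE LIMIT
# Prints the statement the DBA runs for the computed limit. Oracle needs an
# instance restart because the value lands in the spfile; MySQL's SET GLOBAL
# is lost on restart, so the same value belongs in my.cnf as well.
db_limit_sql() {
  case "$1" in
    oracle) printf 'alter system set processes=%s scope=spfile;\n' "$2" ;;
    mysql)  printf 'set global max_connections=%s;\n' "$2" ;;
    *)      return 1 ;;
  esac
}

# Live use on a node (2 nodes, 100 spare connections; path is an assumption):
#   n=$(required_db_limit /home/secdocs/jboss/server/secdocs/deploy/secdocs-ds.xml 2 100)
#   db_limit_sql oracle "$n"
```

With the guide's default of two pools of 500 and one node the function reproduces the 1100 used in the examples above; lowering max-pool-size on the nodes is the cheaper fix when the database cannot be raised that far.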
Maximal Number of Open Files
Each mandant uses a permanently open audit log file. Beside this, a lot of files are used frequently by most of the web service operations (e.g. submit a document, retrieve a document, or seal a document). It may happen that the number of open files exceeds the value configured in the RHEL5 Linux kernel. The system administrator (user root) can change the value of the kernel parameter:
1. Get the current value of the fs.file-max kernel parameter:
# sysctl -e fs.file-max
2. Change the value of the kernel parameter: open the file /etc/sysctl.conf and add a line of the following format with the desired value to this file:
fs.file-max = <number of max open files>
Example: fs.file-max = 6815744
3. Either reboot the machine or activate the new value immediately. To activate the new value without reboot use the following command:
# sysctl -p
4. Check that the new kernel parameter value is active:
# sysctl -e fs.file-max
fs.file-max is the system-wide limit. The per-process limit of the secdocs user (ulimit -n, configured in /etc/security/limits.conf) must also be high enough, because the JBoss process is the one holding the audit logs and SDO files open; check it with ulimit -n as user secdocs.
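Step 2 above says "add a line", which leaves two conflicting entries if the key is already present and the last one silently wins. The following is an added example, not part of the Fujitsu guide, that replaces an existing entry instead of appending a second one and reads the configured value back; the file path is a parameter so the functions can be exercised on a copy.

```shell
#!/bin/sh
# Added example (not from the SecDocs guide): set a kernel parameter in
# /etc/sysctl.conf idempotently and read it back. Only the file given as
# argument is touched; loading it into the kernel is still `sysctl -p`.

# set_sysctl_conf FILE KEY VALUE
# Replaces an existing "KEY = ..." line (any spacing) or appends one.
# Lines whose name part differs, including commented ones, are kept as is.
set_sysctl_conf() {
  file=$1 key=$2 val=$3
  tmp=$(mktemp) || return 1
  if awk -v k="$key" -v v="$val" '
      { line = $0; sub(/^[[:space:]]+/, "", line)
        eq = index(line, "=")
        name = (eq > 0) ? substr(line, 1, eq - 1) : ""
        sub(/[[:space:]]+$/, "", name)
        if (name == k) { if (!done) { print k " = " v; done = 1 }; next }
        print }
      END { if (!done) print k " = " v }' "$file" > "$tmp"
  then
    cat "$tmp" > "$file"; rc=0   # cat keeps owner and mode of the real file
  else
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# get_sysctl_conf FILE KEY
# Prints the value configured for KEY; when a key appears more than once the
# last line wins, which is also what `sysctl -p` applies. Fails if absent.
get_sysctl_conf() {
  awk -v k="$2" '
    { line = $0; sub(/^[[:space:]]+/, "", line)
      eq = index(line, "=")
      if (eq == 0) next
      name = substr(line, 1, eq - 1); sub(/[[:space:]]+$/, "", name)
      if (name == k) {
        v = substr(line, eq + 1); sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
        last = v
      } }
    END { if (last == "") exit 1; print last }' "$1"
}

# Live use as root:
#   set_sysctl_conf /etc/sysctl.conf fs.file-max 6815744 && sysctl -p
#   sysctl -n fs.file-max      # must print the value from the file
```
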
Reset of the SecDocs Environment
In a test environment you may want to delete the archive data without reinstalling the software.
The following data must be deleted:
Database
    All tables of the SecDocs database user. Either use "DROP TABLE tablename;" for all tables or delete the database user and create it again.
File system
    All directories/files in the directory given in the property archiveRoot (file secdocs.properties).
    Attention: if mandant specific mount points are in use you can remove the related directories (mount points) only if they are no longer needed. The data