Versions Compared

Old Version 4

changes.mady.by.user Melissa Anez

Saved on

compared with

New Version 5

changes.mady.by.user Melissa Anez

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Fedora, along with Drupal, is one of the core technologies behind Islandora. This chapter will cover the basic steps for installing Fedora - for more information, please see the the FedoraCommons documentation.

Fedora is available under the terms of the the Apache License and has a very active open source community producing additional tools, applications and utilities. Islandora currently uses Fedora version 3.5.

Pre-installation Software Checklist

...

  • Java SE Development Kit (JDK) 6
  • A database: Installed for Drupal. Consult the Fedora installation guide for notes on running other databases.
  • An application server: Fedora includes the Tomcat Application Server. Consult the Fedora installation guide for notes on running other application servers.

Installation Steps

1. Download the latest release of Fedora from from Fedora Commons (3.5 is the latest tested for use with Islandora).

2. Read through the online guide to ensure the pre-installation system pre-requisites are met.

...

4. Before beginning your Fedora installation, create a database for Fedora to use. This is is not the  the same database that you used for your Drupal installation.

5. To start the installer, navigate to the directory where the install file (fcrepo-installer-x3.x5.jar) was downloaded and run the following command:

Code Block
java -jar fcrepo-installer-x3.x5.jar

6. Select the CUSTOM INSTALL.

...

Expand
titleCustom Install details:

(Source: Installation and Configuration Guide - Fedora 3.5 Documentation)

Servlet Container

The installer will automatically configure and deploy to Tomcat 6.0.x and 7.0.x servlet containers. However, if an existing Tomcat installation (as opposed to the Tomcat bundled with the installer) was selected, the installer will not overwrite your existing server.xml, but rather, place a modified copy at FEDORA_HOME/install so that you may review it before before installing it yourself.

Other servlet containers will require manual deployment of the war files located at FEDORA_HOME/install.

Application Server Context

The installer provides the option to enter an application server context name under which Fedora will be deployed. The context name defaults to Fedora (resulting in http[s]://host:port/fedora), however any other valid context name can be supplied. The installer will name the resulting war file according to the supplied context name (defaults to fedora.war). Please ensure that the servlet container configuration reflects the name of the Fedora context name in case it needs to be configured explicitly. For further details see Alternative Webapp Context Configuration.

SSL

Configuring SSL support for Fedora's API-M interface is an optional feature. It strongly recommended for production environments if Fedora is exposed to unsecured application and users. However, if your installation is within a managed data center with firewall services, you may choose to provide SSL using a software or hardware front-end instead. For example, a reverse proxy implemented using the Apache HTTP Server and hiding Fedora generally provides better SSL performance.

If the Tomcat servlet container is selected, the installer will configure server.xml for you. However, as noted above, if an existing Tomcat installation was selected, the installer will not overwrite your existing server.xml.

Please consult your servlet container's documentation for certificate generation and installation. (In particular, the example certificate provided by the installer for Tomcat should not be used in a production environment).

If Fedora is configured to use SSL, the JAVA_OPTS environment variable must include the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties. The value of javax.net.ssl.trustStore should be the location of the truststore file and the value of javax.net.ssl.trustStorePassword is the password for the keystore. The following values may be used with the sample keystore included with the installer:

Code Block
-Djavax.net.ssl.trustStore=$FEDORA_HOME/server/truststore -Djavax.net.ssl.trustStorePassword=tomcat

FeSL

The Fedora Security Layer is an experimental feature introduced from Fedora 3.3. FeSL consists of two separate components, which can be selected independently during the installation: FeSL Authentication and FeSL Authorisation.

FeSL Authentication is now the default authentication mechanism, however Fesl Authorization is still considered experimental. FeSL Authorization is a replacement for the legacy XACML policy enforcement, so you should not enable XACML policy enforcement if you are going to use FeSL Authorization, as this will provide an alternative XACML policy enforcement engine. See FeSL Installation for more information about FeSL requirements that must be satisfied prior to installation.

Resource Index

If the Resource Index is enabled, Fedora will use Mulgara as its underlying triplestore, with full-text indexing disabled.

Messaging
If Messaging is enabled, Fedora will create and send a message via JMS whenever an API-M method is called.

...

Code Block
java -jar fcrepo-installer-x3.x5.jar install.properties

An example of an install.properties file (specific to an OSX environment): 
 

Code Block
Installation type - custom
home directory - /usr/local/fedora
Password - [fedora_password]
server host - localhost [could be a domain name etc depending on your environment]
app server context - default
API-A - default false
ssl avail - true
ssl required for api-a - default false
ssl required for api-m - false
servlet included - default included
tomcat home -default
tomcat http port - 8080 default
tomcat shutdown - 8005 default
tomcat ssl - 8443 default
keystore file - included
databse - mysql
mysql driver - default
database username - [fedora_database_user]
database password - [password]
jdbc url - default
jdbc class- default
Enable FESL authn - true
Enable FESL authz - false
policy enforcement - true
low level storage - default akubra-fs
resource index - true
messaging - true
messaging provider - default
deploy local services - true

...

 a. $FEDORA_HOME/tomcat/logs/catalina.out should contain no errors.
 b. View your Fedora instance through a web browser: http://localhost:8080/fedora/ or  or http://[yourdomain]:8443/fedora

Set XACML Policies

10. Install required polices, remove some restrictive policies.

First stop . Stop your Fedora instance by running:$FEDORA_HOME/tomcat/bin/shutdown.sh

Remove they deny-purge policies.

rm  
mv /usr/local/fedora/data/fedora-xacml-policies/repository-policies/default/deny-purge-* ~/

Create a folder for islandora specific policies.

cd /usr/local/fedora 
 Navigate to $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default and create a file with the following xml -

...

languagehtml/xml

...

mkdir islandora

Then copy all the policies included with islandora into the newly created "islandora" folder located here "/usr/local/fedora/data/fedora-xacml-policies/repository-policies/"

These policies will be located in the policies folder of the islandora moduleThere should be at least these 4 policies:

permit-apim-to-authenticated

...

-user.xml

permit-getDatastream-unrestricted.xml

permit-getDatastreamHistory-unrestricted.xml

permit-upload-to-authenticated-user.xml

 

Save as permit-apim-to-authenticated.xml.

11. Navigate to 11. Navigate to $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/deny-apim-if-not-localhost.xml
 
Go to where you see <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
 
insert additional entries below for IPs that need to access fedora admin example your own machine or other admins. Also might want to add the systems actual IP Example:
 

Code Block
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">192.168.56.1</AttributeValue>

...

14. For information on using Fedora, make use of the the tutorials at  at the Fedora Commons site.

Note

There are two global policies that block/override purge rights. This behaviour is correct as it assumes that items will be set to a status of "deleted" rather than being purged directly. By default it assumes that if an object or Datastream is set to active or inactive, then only the "administrator" role can purge.

To resolve this, you can simply remove these policies in $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/:

  • deny-purge-datastream-if-active-or-inactive.xml 
  • deny-purge-object-if-active-or-inactive.xml