Versions Compared

Old Version 2

changes.mady.by.user Melissa Anez

Saved on

compared with

New Version Current

changes.mady.by.user Nigel Banks

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

Table of Contents

Fedora, along with Drupal, is one of the core technologies behind Islandora. This chapter will cover the basic steps for installing Fedora - for more information, please see the FedoraCommons documentation.

Fedora is available under the terms of the Apache License and has a very active open source community producing additional tools, applications and utilities. Islandora currently uses Fedora version 3.5.

Pre-installation

...

Software Checklist

Fedora requires the following to be set-up and running prior to beginning your installation:

  • Java SE Development Kit (JDK) 6
  • A database: Installed for Drupal. Consult the Fedora installation guide for notes on running other databases.
  • An application server: Fedora includes the Tomcat Application Server. Consult the Fedora installation guide for notes on running other application servers.

Installation Steps

1. Download the latest release of Fedora from Fedora Commons (3.5 is the latest tested for use with Islandora).

...

Expand
titleCustom Install details. Click here to expand...:

(Source: Installation and Configuration Guide - Fedora 3.5 Documentation)

Servlet Container

The installer will automatically configure and deploy to Tomcat 6.0.x and 7.0.x servlet containers. However, if an existing Tomcat installation (as opposed to the Tomcat bundled with the installer) was selected, the installer will not overwrite your existing server.xml, but rather, place a modified copy at FEDORA_HOME/install so that you may review it before before installing it yourself.

Other servlet containers will require manual deployment of the war files located at FEDORA_HOME/install.

Application Server Context

The installer provides the option to enter an application server context name under which Fedora will be deployed. The context name defaults to Fedora (resulting in http[s]://host:port/fedora), however any other valid context name can be supplied. The installer will name the resulting war file according to the supplied context name (defaults to fedora.war). Please ensure that the servlet container configuration reflects the name of the Fedora context name in case it needs to be configured explicitly. For further details see Alternative Webapp Context Configuration.

SSL

Configuring SSL support for Fedora's API-M interface is an optional feature. It strongly recommended for production environments if Fedora is exposed to unsecured application and users. However, if your installation is within a managed data center with firewall services, you may choose to provide SSL using a software or hardware front-end instead. For example, a reverse proxy implemented using the Apache HTTP Server and hiding Fedora generally provides better SSL performance.

If the Tomcat servlet container is selected, the installer will configure server.xml for you. However, as noted above, if an existing Tomcat installation was selected, the installer will not overwrite your existing server.xml.

Please consult your servlet container's documentation for certificate generation and installation. (In particular, the example certificate provided by the installer for Tomcat should not be used in a production environment).

If Fedora is configured to use SSL, the JAVA_OPTS environment variable must include the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties. The value of javax.net.ssl.trustStore should be the location of the truststore file and the value of javax.net.ssl.trustStorePassword is the password for the keystore. The following values may be used with the sample keystore included with the installer:

Code Block
-Djavax.net.ssl.trustStore=$FEDORA_HOME/server/truststore -Djavax.net.ssl.trustStorePassword=tomcat

FeSL

The Fedora Security Layer is an experimental feature introduced from Fedora 3.3. FeSL consists of two separate components, which can be selected independently during the installation: FeSL Authentication and FeSL Authorisation.

FeSL Authentication is now the default authentication mechanism, however Fesl Authorization is still considered experimental. FeSL Authorization is a replacement for the legacy XACML policy enforcement, so you should not enable XACML policy enforcement if you are going to use FeSL Authorization, as this will provide an alternative XACML policy enforcement engine. See FeSL Installation for more information about FeSL requirements that must be satisfied prior to installation.

Resource Index

If the Resource Index is enabled, Fedora will use Mulgara as its underlying triplestore, with full-text indexing disabled.

Messaging
If Messaging is enabled, Fedora will create and send a message via JMS whenever an API-M method is called.

...

 a. $FEDORA_HOME/tomcat/logs/catalina.out should contain no errors.
 b. View your Fedora instance through a web browser: http://localhost:8080/fedora/ or http://[yourdomain]:8443/fedora

Set XACML Policies

10. Install required polices, remove some restrictive policies.

First stop . Stop your Fedora instance by running:$FEDORA_HOME/tomcat/bin/shutdown.sh

Remove they deny-purge policies.

rm  
mv /usr/local/fedora/data/fedora-xacml-policies/repository-policies/default/deny-purge-* ~/

Create a folder for islandora specific policies.

cd /usr/local/fedora 
 Navigate to $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default and create a file with the following xml -

...

languagehtml/xml

...

mkdir islandora

Then copy all the policies included with islandora into the newly created "islandora" folder located here "/usr/local/fedora/data/fedora-xacml-policies/repository-policies/"

These policies will be located in the policies folder of the islandora module, hereThere should be at least these 4 policies:

permit-apim-to-authenticated

...

-user.xml

permit-getDatastream-unrestricted.xml

permit-getDatastreamHistory-unrestricted.xml

permit-upload-to-authenticated-user.xml

 

 

Save as permit-apim-to-authenticated.xml.

11. Navigate to $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/deny-apim-if-not-localhost.xml
 
Go to where you see <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
 
insert additional entries below for IPs that need to access fedora admin example your own machine or other admins. Also might want to add the systems actual IP Example:
 

Code Block
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">192.168.56.1</AttributeValue>

 

 

12. Restart Fedora by using the startup command from step 8:

 

Code Block
$FEDORA_HOME/tomcat/bin/startup.sh

 

13. Access the Fedora Web Administrator: http://localhost:8080/fedora/admin and ensure you can ingest and purge objects.

 

14. For information on using Fedora, make use of the tutorials at the Fedora Commons site. 

Note

There are two global policies that block/override purge rights. This behaviour is correct as it assumes that items will be set to a status of "deleted" rather than being purged directly. By default it assumes that if an object or Datastream is set to active or inactive, then only the "administrator" role can purge.

To resolve this, you can simply remove these policies in $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/:

  • deny-purge-datastream-if-active-or-inactive.xml 
  • deny-purge-object-if-active-or-inactive.xml

...