Versions Compared

Old Version 1

changes.mady.by.user Melissa Anez

Saved on

compared with

New Version 2

changes.mady.by.user Melissa Anez

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

 

Fedora, along with Drupal, is one of the core technologies behind Islandora. This chapter will cover the basic steps for installing Fedora - for more information, please see the FedoraCommons documentation.

 

Fedora is available under the terms of the Apache License and has a very active open source community producing additional tools, applications and utilities. Islandora currently uses Fedora version 3.5. 

Pre-installation software checklist

 

Fedora requires the following to be set-up and running prior to beginning your installation: 

  • Java SE Development Kit (JDK) 6
  • A database: Installed for Drupal. Consult the Fedora installation guide for notes on running other databases.
  • An application server: Fedora includes the Tomcat Application Server. Consult the Fedora installation guide for notes on running other application servers.

...

Expand
titleCustom Install details. Click here to expand...

(Source: Installation and Configuration Guide - Fedora 3.5 Documentation)

Servlet Container

The installer will automatically configure and deploy to Tomcat 6.0.x and 7.0.x servlet containers. However, if an existing Tomcat installation (as opposed to the Tomcat bundled with the installer) was selected, the installer will not overwrite your existing server.xml, but rather, place a modified copy at FEDORA_HOME/install so that you may review it before before installing it yourself.

Other servlet containers will require manual deployment of the war files located at FEDORA_HOME/install.

Application Server Context

The installer provides the option to enter an application server context name under which Fedora will be deployed. The context name defaults to Fedora (resulting in http[s]://host:port/fedora), however any other valid context name can be supplied. The installer will name the resulting war file according to the supplied context name (defaults to fedora.war). Please ensure that the servlet container configuration reflects the name of the Fedora context name in case it needs to be configured explicitly. For further details see Alternative Webapp Context Configuration.

SSL

Configuring SSL support for Fedora's API-M interface is an optional feature. It strongly recommended for production environments if Fedora is exposed to unsecured application and users. However, if your installation is within a managed data center with firewall services, you may choose to provide SSL using a software or hardware front-end instead. For example, a reverse proxy implemented using the Apache HTTP Server and hiding Fedora generally provides better SSL performance.

If the Tomcat servlet container is selected, the installer will configure server.xml for you. However, as noted above, if an existing Tomcat installation was selected, the installer will not overwrite your existing server.xml.

Please consult your servlet container's documentation for certificate generation and installation. (In particular, the example certificate provided by the installer for Tomcat should not be used in a production environment).

If Fedora is configured to use SSL, the JAVA_OPTS environment variable must include the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties. The value of javax.net.ssl.trustStore should be the location of the truststore file and the value of javax.net.ssl.trustStorePassword is the password for the keystore. The following values may be used with the sample keystore included with the installer:

-Djavax.net.ssl.trustStore=$FEDORA_HOME/server/truststore -Djavax.net.ssl.trustStorePassword=tomcat

FeSL

The Fedora Security Layer is an experimental feature introduced from Fedora 3.3. FeSL consists of two separate components, which can be selected independently during the installation: FeSL Authentication and FeSL Authorisation.

FeSL Authentication is now the default authentication mechanism, however Fesl Authorization is still considered experimental. FeSL Authorization is a replacement for the legacy XACML policy enforcement, so you should not enable XACML policy enforcement if you are going to use FeSL Authorization, as this will provide an alternative XACML policy enforcement engine. See FeSL Installation for more information about FeSL requirements that must be satisfied prior to installation.

Resource Index

If the Resource Index is enabled, Fedora will use Mulgara as its underlying triplestore, with full-text indexing disabled.

Messaging
If Messaging is enabled, Fedora will create and send a message via JMS whenever an API-M method is called.

...

Once the script has collected your answers and configured Fedora on your system, the values are written to the install.properties file located in $FEDORA_HOME/install.

 

An output of a sample install.properties file is included here to guide you through the installation.  To use this file, copy the full contents of the textbox below into a text editor, and where applicable change the database name, database user, database password and database port number, and server host to match your database configuration (these items are noted in square brackets), and save the edited file as install.properties to the same directory where the fcrepo jar is stored.  Fedora can now be installed by entering 

Code Block
java -jar fcrepo-installer-3.5.jar install.properties

...

An example of an install.properties file (specific to an OSX environment): 
 
 Code Block
Installation type - custom
home directory - /usr/local/fedora
Password - [fedora_password]
server host - localhost [could be a domain name etc depending on your environment]
app server context - default
API-A - default false
ssl avail - true
ssl required for api-a - default false
ssl required for api-m - false
servlet included - default included
tomcat home -default
tomcat http port - 8080 default
tomcat shutdown - 8005 default
tomcat ssl - 8443 default
keystore file - included
databse - mysql
mysql driver - default
database username - [fedora_database_user]
database password - [password]
jdbc url - default
jdbc class- default
Enable FESL authn - true
Enable FESL authz - false
policy enforcement - true
low level storage - default akubra-fs
resource index - true
messaging - true
messaging provider - default
deploy local services - true
 
8. Once the installation script has completed and Fedora is installed, you should start your Fedora instance by running: 
 Code Block
$FEDORA_HOME/tomcat/bin/startup.sh
...
9. To verify that Fedora has successfully started:
 
 a. $FEDORA_HOME/tomcat/logs/catalina.out should contain no errors.
  b. View your Fedora instance through a web browser: http://localhost:8080/fedora/ or http://[yourdomain]:8443/fedora
Set 
...
XACML Policies
 10. 
...
 
 
 Stop your Fedora instance by running:$FEDORA_HOME/tomcat/bin/shutdown.sh
 
vi mv /usr/local/fedora/data/fedora-xacml-policies/repository-policies/default/permitdeny-apim-to-authenticated.purge-* ~/ 
 
Navigate to $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default and create a file with the following xml -
 Code Block
languagehtml/xml
<?xml version="1.0" encoding="UTF-8"?>
...

<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
...

        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
...

        PolicyId="permit-apim-to-authenticated"
...

        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
...


  <Description>note that other policies may provide exceptions to 
this broad policy.  This policy assumes api-m users have to be 
authenticated</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
 
    </Resources>    
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
...

          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
...
>urn:fedora:names:fedora:2.1:action:api-
...
m</AttributeValue>
...

          <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
...

            AttributeId="urn:fedora:names:fedora:2.1:action:api"/>
...

        </ActionMatch>
      </Action>
    </Actions>    
  </Target>
 
  <Rule RuleId="1" Effect="Permit"/>
...

</Policy>
    
 mv /usr/local/fedora/data/fedora-xacml-policies/repository-policies/default/deny-purge-* ~/
 
Save as permit-apim-to-authenticated.xml.
11. Navigate to $FEDORA_HOME/vi /usr/local/fedora/data/fedora-xacml-policies/repository-policies/default/deny-apim-if-not-localhost.xml
 
Go to where you see <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
 
insert additional entries below for IPs that need to access fedora admin example your own machine or other admins. Also might want to add the systems actual IP Example:
 
 Code Block
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">192.168.56.1</AttributeValue> 
 
 
12. Restart Fedora by using the startup command from step 8:
 
 Code Block
$FEDORA_HOME/tomcat/bin/startup.sh
 
13. Access the Fedora Web Administrator: http://localhost:8080/fedora/admin and ensure you can ingest and purge objects.
 
14. For information on using Fedora, make use of the tutorials at the Fedora Commons site.
 
 Note
There are two global policies that block/override purge rights. This behaviour is correct as it assumes that items will be set to a status of "deleted" rather than being purged directly. By default it assumes that if an object or Datastream is set to active or inactive, then only the "administrator" role can purge.
To resolve this, you can simply remove these policies in $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/:
  • deny-purge-datastream-if-active-or-inactive.xml 
  • deny-purge-object-if-active-or-inactive.xml
 /etc/init.d/fedora start