ICCS ICT Platform Deployment
General
This document describes the process of deploying the CIRC4Life ICT Platform as a VMware Virtual Machine or a x86_64 architecture hardware based standalone server.
ICT Platform Core Node Operating System
ICT Platform Core Node is based on the Debian GNU/Linux distribution version 9.
This operating system provides a lightweight and fully featured stable Linux OS with the basic software requirements pre-packaged with Apt package manager and sane default configuration for performance and security. Below there is a detailed description on how to install and configure a Debian Linux 9 system for the purpose of hosting the ICT Platform software.
CAUTION: On July 6th 2019 the new version Debian 10 (codenamed “Buster”) was released. This is a new system with significant differences from the Debian 9 release. Download Debian 9 to avoid any problems in the rest of the installation, as it is the version used and deployed up till now. Migration to Debian 10 is not planned during the CIRC4Life project lifetime.
Official network installation ISO method
-
Download the Network Installer ISO for amd64 architecture from an official Debian mirror: 9.12.0 page. The ISO file is named as follows:
debian-<VERSION>-amd64-netinst.iso
-
Verify the authenticity of the download with these instructions
-
Boot the target installation machine with the ISO. See official installation guide on how to do this.
-
Follow the installation guide
-
Use a hostname and domain name the reflects the real domain name of the system you are deploying. In the ICCS deployed server with DNS circ4life.iccs.gr the installation was performed with Hostname circ4life and Domain name iccs.gr.
-
Once the installation is finished and the system correctly boots into the newly created system, login as an administrator and setup the Network Time Protocol which is essential for servers date and time accuracy:
sudo apt-get install ntp ntpq -p
-
Setup the network firewall of your choice with the following rules:
- Block all incoming and outgoing traffic by DEFAULT
- Allow incoming traffic on TCP ports 80 and 443 for the HTTP/HTTPS protocol services
- Allow outgoing traffic to UDP/TCP port 53 for DNS resolution
- Allow outgoing traffic to UDP port 123 for Network Time Protocol
- Allow outgoing traffic to TCP ports 80 and 443 for the HTTP/HTTPS protocol services
The above steps are essential and required for the ICT Platform Core Node software to operate properly. You can customize the server further for other needs (e.g. SSH access for remote management) but be very careful to not make any change that may disrupt the configuration above.
3rd party software
Java 8 Runtime Environment
The Java 8 Runtime Environment is the base upon which the ICT Platform Access Control Manager and RESTful API Web Services are executed. This runtime environment is the Java Platform, Standard Edition (Java SE) computing platform and the specific implementation used is the OpenJDK version 8 package provide by the Debian package manager.
Install the Java Runtime Environment 8 with this command:
sudo apt-get install default-jre
By default in Debian 9, OpenJDK is version 8.
Access Control Manager: User Authentication and Access Management
Keycloak is the 3rd party software deployed in the CIRC4LIFE ICT Platform core node that implements the Access Control Manager component. It handles user authentication and authorization for all applications and services.
Go to the Keycloak downloads page and download the Standalone server distribution archive. The version deployed in the ICT Platform is 4.8.3.Final and a migration to later version is not planned during the CIRC4Life project lifetime.
For a detailed installation guide see the online official documentation.
For a detailed guide on configuration see the online official documentation.
Extract the downloaded archive in the installation folder of your choice, e.g. /opt/keycloak. Then start the ACMserver with command:
/opt/keycloak/bin/standalone.sh -c standalone.xml -b 127.0.0.1
Once the server is up and running, we can visit the administration interface in the address http://127.0.0.1:8080 and setup the password of the administrator of the Master Realm that is also the main administrator account of the server. Once you have logged in with the Master Realm administrator, create the CIRC4LIFE Realm and add these Client IDs and accounts for REST Services API access.
Database Server: Data Persistence Layer
MongoDB is the 3rd party software deployed in the CIRC4LIFE ICT Platform core node that implements the database component.
The ICT Platform uses the MongoDB Community Edition 4.2 for Debian 9. For a detailed guide see the online official documentation.
Once the installation is ready, test that you can connect via the MongoDB shell:
mongo --host 127.0.0.1:27017
If the service is not started yet, start it with the command:
sudo systemctl start mongod.service
By default the mongod listens on loopback address 127.0.0.1 and TCP port 27017.
Application Server: ICCS ICT Platform RESTful API Services
Glassfish is the 3rd party software deployed in the CIRC4LIFE ICT Platform core node that implements the RESTful API Web Services component. It implements the main service back-end of the core node.
The ICT Platform uses the Glassfish 5.0 - Full Platform for Debian 9. For a detailed guide see the online official documentation.
The Glassfish server is setup with the CIRC4LIFE domain services to run from the base port 9000. Thus, after the initial extraction of the package files to the installation directory of your choice, you should run the following commands in order to prepare the domain to execute from a specific user glassfish_server (assuming you install the package under /opt/glassfish5):
sudo adduser --system --shell /bin/false glassfish_server sudo chown -R glassfish_server /opt/glassfish5/glassfish/domains/ sudo su - glassfish_server -s /bin/bash -c '/opt/glassfish5/glassfish/bin/asadmin create-domain --portbase 9000 CIRC4LIFE'
The asadmin program will ask for a domain administrator username and password. The --portbase is the TCP port base number used by this domain. All domain services are listening to port offsets with this number as their base. In this case the 9000 will create this domain port configuration:
Using port 9048 for Admin. Using port 9080 for HTTP Instance. Using port 9076 for JMS. Using port 9037 for IIOP. Using port 9081 for HTTP_SSL. Using port 9038 for IIOP_SSL. Using port 9039 for IIOP_MUTUALAUTH. Using port 9086 for JMX_ADMIN. Using port 9066 for OSGI_SHELL. Using port 9009 for JAVA_DEBUGGER.
Then start the application server with command:
sudo su - glassfish_server -s /bin/bash -c '/opt/glassfish5/glassfish/bin/asadmin start-domain CIRC4LIFE'
Now see the CIRC4Life ICT Systems Source Code instructions on how to build the RESTful API Services Web Archive (WAR) packages from source code. To deploy the WAR packages on this application server we use the following configuration:
| WAR file | Deployed Context Root | Type | Status | Implicit CDI |
|---|---|---|---|---|
| EcoCreditCalculatorWS-VERSION.war | /EcoCreditCalculator | Web Application | Enabled | Checked |
| EndUserModuleWS-VERSION.war | /EndUserModule | Web Application | Enabled | Checked |
| RecycleModuleWS-VERSION.war | /RecycleModule | Web Application | Enabled | Checked |
| RetailerModuleWS-VERSION.war | /RetailerModule | Web Application | Enabled | Checked |
Reverse Proxy Server: Front-end HTTP(S) Traffic Handling
NGINX is the 3rd Party software deployed in the CIRC4LIFE ICT Platform core node that implements the HTTP/HTTPs Web server front-end/reverse proxy to the rest of the Web Services running on the system. The single entry point proxy allows for a single Domain Name and TLS/SSL encrypted end-point. All other services are passed via the proxy via local host network interfaces. All traffic is TLS/SSL enabled and a single hostname and port pair is used.
The ICT Platform uses the NGINX 1.14.1 for Debian 9. For a detailed guide see the online official documentation. The default version of Debian 9 package manager is 1.10.3, but the ICT Platform use the 1.14.1 from the backports repositories, due to required functionality in the newer version.
Make sure you have issued a proper SSL certificate for the domain name the ICT Platform system uses. Then setup NGINX to use the certificate on the server directive of the configuration file. For details see the NGINX SSL Termination.
The SSL/TLS support, since we do not want to keep unencrypted HTTP access enabled, is setup only on the public facing NGINX reverse proxy. All HTTP traffic is redirected to HTTPS and all services are not directly accessed by incoming client requests, thus all external systems can only communicate via HTTPS protocol. All services behind the proxy are setup to listen only in local host loopback IP address 127.0.0.1 and on top their respective ports are blocked by the system firewall. Maintenance and administration URL paths are also blocked by the reverse proxy to avoid public exposure of administrative login forms.
Here is a more detailed view:
| Web Service | Proxied | URL | Bind Network Address | Network Port | Redirects to |
|---|---|---|---|---|---|
| HTTP portal | No | http://circ4life.iccs.gr | IP of circ4life.iccs.gr | 80 | https://circ4life.iccs.gr |
| HTTPS portal | No | https://circ4life.iccs.gr | IP of circ4life.iccs.gr | 443 | - |
| Development portal | No | https://circ4life.iccs.gr/AppsICTPlatform/ | IP of circ4life.iccs.gr | 443 | - |
| Access Control Manager | Yes | https://circ4life.iccs.gr/auth | 127.0.0.1 | 8080 | - |
| Application Server | Yes | https://circ4life.iccs.gr/* | 127.0.0.1 | 9080 | - |