Detailed XWiki Install Info For RPM-Based Systems


Detailed XWiki Install Info For RPM-Based Systems

JMorris
Hi Folks,

After LOTS of research, we have decided to seriously explore XWiki; one feature in particular (among many) that stands out is the support for annotation. We like the idea of a "second generation Wiki" (especially after some extensive experience with MediaWiki and Confluence).

Right now the biggest hurdle is getting a successful install. We have read a large number of documents, but have now run out of insights.

TARGET SYSTEM: VPS running 42.1 OpenSUSE Linux (RPM-based). Latest MySQL (actually MariaDB), Java, Apache etc. Currently a CRM system (PHP-based) and an accounting system (PostBooks) running.

CHALLENGE: Tomcat and the WAR file.

SPECIFIC QUESTION: What is the best documentation that would enable us to very systematically install and configure XWiki?

Especially in a non-deb environment. And with details concerning e.g. "ports". Widespread adoption will be encouraged when technically savvy individuals and small teams can try XWiki without having a sysadmin as a permanent team member.

We have voted for a Bitnami XWiki stack package. But we don't want to wait!

Thanks for any pointers!

Re: Detailed XWiki Install Info For RPM-Based Systems

Thomas Mortagne
Administrator
You have Docker images, which make things a bit easier, but it's not really
less technical than Tomcat. See https://hub.docker.com/_/xwiki/.

If you really don't want to deal with system administration at all you
can look at professional hosting, see
https://www.xwiki.org/xwiki/bin/view/Hosted/.

On Thu, Apr 27, 2017 at 7:35 PM, JMorris <[hidden email]> wrote:

> Hi Folks,
>
> After LOTS of research, we have decided to seriously explore XWiki; one
> feature in particular (among many) that stands out is the support for
> *annotation*. We like the idea of a "*second generation Wiki*" (especially
> after some extensive experience with MediaWiki and Confluence).
>
> Right now the biggest *hurdle is getting a successful install*. We have
> read a large number of documents, but have now run out of insights.
>
> *TARGET SYSTEM*: VPS running 42.1 OpenSUSE Linux (RPM-based). Latest MySQL
> (actually MariaDB), Java, Apache etc. Currently a CRM system (PHP-based) and
> an accounting system (PostBooks) running.
>
> *CHALLENGE*: Tomcat and the WAR file.
>
> *SPECIFIC QUESTION: What is the best documentation that would enable us to
> very systematically install and configure XWiki? *
>
> /Especially in a non-deb environment. And with details concerning e.g.
> "ports". Widespread adoption will be encouraged when technically savvy
> individuals and small teams can try XWiki without having a sysadmin as a
> permanent team member.
> /
> We have voted for a *Bitnami *XWiki stack package. But we don't want to
> wait!
>
> Thanks for any pointers!
>
>
>
> --
> View this message in context: http://xwiki.475771.n2.nabble.com/Detailed-XWiki-Install-Info-For-RPM-Based-Systems-tp7603669.html
> Sent from the XWiki- Users mailing list archive at Nabble.com.



--
Thomas Mortagne

Re: Detailed XWiki Install Info For RPM-Based Systems

Douglas Landau
In reply to this post by JMorris
John,

As far as I know it might be my own instructions.  :-)   They will get you a successful install/running MySQL+XWiki-8.4.4(WAR)+Tomcat+NGINX on CentOS-7.   But my own XWiki is still under construction and there are at least a few loose ends left to be addressed before I can announce it.  For example:

- I got LDAP auth working and yesterday I got, at length, XWiki-group-sync-from-AD working.  So now when I log in using my AD credentials, because I'm in the Admins AD group, I am a member of the XWikiAdminGroup group.  I don't know if there is anything special built-in to that group, or if it's just a name chosen as an example.  I see it has full rights to some pages and not others and now don't remember if I granted the ones that exist, or if it came that way.   In any case I made a lot of groups yesterday and now cannot remove some.  Maybe all, not sure.  I can add them but if I remove them and then refresh they come back, and I get this in the logs:

2017-04-28 12:31:41,492 [http://dwswiki10.westmarine.net:8080/xwiki/bin/admin/XWiki/XWikiPreferences?xpage=deleteuorg&docname=XWiki.Application+Development&form_token=whLkhIQlmWnx4c7FHacGdA] WARN  o.x.c.i.DefaultCSRFToken       - CSRFToken: Secret token verification failed, token: "whLkhIQlmWnx4c7FHacGdA", stored token: "mdkkxCCQAFB4fwoqoceMYw"

- I don't have usable startup and shutdown scripts working.  The files are owned by the user xwiki and to run as the same user I've been starting and stopping it with "cd /data/tomcat;  sudo -u xwiki bin/startup.sh" and "sudo -u xwiki bin/shutdown.sh".   The Tomcat docs say to use jsvc but their example doesn't pick up bin/setenv.sh, and blah blah blah.  I guess I need to merge that script into the suggested jsvc usage, and then use the option that switches who it's running as, even tho I don't need to do this stuff to make it run on port 80, I just want it to run as xwiki.  I guess I'll just let NGINX run as root, not sure yet.

- The HTTP -> HTTPS redirection doesn't seem to work as I expected/would like and I'm not sure I'm doing it right.  I have this in my xwiki.cfg:   xwiki.url.protocol=https  ...but I'm not sure that's the right way to go about it.  I see the bit on the XWiki InstallationTomcat page about Let's Encrypt but glanced at that page and it seemed like it was about creating certs and didn't understand how it relates.
Today my NGINX is not working; not sure why.  It -was-.  Last week I stuck this in there:      return 301 https://$host$request_uri;
... but now it's commented out.  Think I got it from https://www.bjornjohansen.no/redirect-to-https-with-nginx  which makes it sound great but I then commented it out and don't remember why.
Seems to me that the best place for the redirection to happen would be at the NGINX layer.

- There is a "server" section for port 80 and another for 443 in conf/nginx.conf.  As per the InstallationTomcat page I added the dir conf.d and inside it tomcat.conf, with similar sections.  I dunno if I should go and comment out the server sections in conf/nginx.conf.


- I get this error in catalina.out, and dunno why or what I'm going to do:
27-Apr-2017 19:00:57.513 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -XX:MaxPermSize=192m
OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=192m; support was removed in 8.0

... if I remember correctly, wherever it was I saw that, that place said it was important!  Oh yeah, it too was on this page:
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationTomcat


- I get this message in the logs and dunno what to do about it:

27-Apr-2017 14:56:48.633 SEVERE [localhost-startStop-2] org.apache.catalina.loader.WebappClassLoaderBase.checkThreadLocalMapForLeaks The web application [xwiki] created a ThreadLocal with key of type [java.lang.ThreadLocal] (value [java.lang.ThreadLocal@38058fb1]) and a value of type [java.util.Stack] (value [[org.xwiki.context.ExecutionContext@c0f4827]]) but failed to remove it when the web application was stopped. Threads are going to be renewed over time to try and avoid a probable memory leak.

I get these in my logs and dunno what to do about it:
27-Apr-2017 22:02:09.501 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.


- I get this in my logs and don't understand it... I dunno what java.library.path is, all I know is this:

27-Apr-2017 14:43:24.720 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib

... I don't understand it, all I know is:

[root@dwswiki10 tomcat]# which java
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/bin/java

Setting JAVA_HOME in this way:
export JAVA_HOME=$(readlink -f /usr/bin/java | sed "s:bin/java::")
...yields this:
[root@dwswiki10 tomcat]# echo $JAVA_HOME
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/


I'm procrastinating dealing with these issues at the moment and starting to try to push the UI into shape.  I think our old wiki was using the spaces extension, or is it a macro, and that's no longer the correct thing to do, now that nested pages have replaced spaces, I guess... Vincent says, on the spaces extension page, to use the Document Tree macro instead,  so I guess I'll install that now and try using it.

Finally, looking at them today, I see a few places where the instructions need minor editing:
- I say something about xwiki.preferences.redirect but am not sure if I should have that in there or not, part of my http->https redirection confusion
- I set the "permanentDirectory" setting in xwiki.properties to get the attachments out of the DB and out of the application tree.  I don't see that mentioned in the instructions.  Before I set it, I did fire up the wiki, so there was stuff that needed to be moved, and when I moved it, and restarted, I had brought some problems down upon myself.  I struggled with it for a short while and then started over by removing the xwiki database, recreating it, and repeating the setup I had done to that point.  Anyway I have to get that into the doc.
- I no longer think that the JAVA_HOME needs to be set in anyone's .bashrc; that is now done in setenv.sh.


With that said, here are my own instructions:
-Doug
--------------------------------------
There are five parts:

Hardware/OS
MySQL
AppServer
XWiki
NGINX

Hardware/OS
Start by deploying a VM from the CentOS-7.2 template on vcenter01
Power on the new clone and log in as anchor
# sudo su -
# yum -y update

Add the following lines to root's .bashrc, to anchor's .bashrc, and to the .bashrc of the xwiki user:
export JAVA_HOME=$(readlink -f /usr/bin/java | sed "s:bin/java::")
export PATH=$JAVA_HOME/bin:$PATH

Prepare the Volume
I am installing everything on a new disk, which is mounted at /data.  The volume will be owned by anchor.  This was necessary for some unknown reason for the MySQL installation to work.  I don't know why.  It doesn't appear to put anything outside of the install dir, /data/mysql.  But I had to nonetheless.

# chown anchor:anchor /data



Install MySQL
See https://dev.mysql.com/doc/refman/5.7/en/source-installation.html

Create the user

# groupadd mysql
# useradd -r -g mysql -s /bin/false mysql

While we are at it we may as well go ahead and make the xwiki user at this time:

# groupadd -r xwiki
# useradd -r -g xwiki -s /bin/false xwiki

Unpack MySQL source

As anchor, cd to $HOME, and unpack the MySQL 5.7 source from /opt:

anchor$ cd
anchor$ tar zxvf /opt/soft/mysql-5.7.17.tar.gz
anchor$ mkdir bld
anchor$ cd bld

Install Boost Library

Before you can configure and build MySQL you must install Boost in /usr/local/boost_1_59_0.

See https://dev.mysql.com/doc/refman/5.7/en/source-installation.html

1. Untar the boost 1.59_0 from /opt/soft:

anchor$ pushd /usr/local
anchor$ tar zxvfp /opt/soft/boost_1_59_0.tar.gz

2. I don't remember how I figured this out, but I had to place the tarball inside the unpacked directory:

anchor$ cp !$ boost_1_59_0

3. I also had to open up the permissions on the files and directories in the boost installation, /usr/local/boost_1_59_0, which were owned by root, but I'm building as anchor, and when unpacked, there were no read or search permissions for group or others on the subdirectories.

$ sudo su -

# cd /usr/local
# chgrp -R anchor boost_1_59_0
# chmod g+w /usr/local/boost_1_59_0
# cd boost_1_59_0
# find . -type d | xargs chmod g+rx
# find . -type f | xargs chmod g+rw
# find . -type d | xargs chmod o+rx

Build MySQL

Now we can get back to configuring and building MySQL:
$ cmake ../mysql-5.7.17  -DWITH_BOOST=/usr/local/boost_1_59_0  -DCMAKE_INSTALL_PREFIX=/data/mysql
$ make
$ make test

Install MySQL

See https://dev.mysql.com/doc/refman/5.7/en/installing-source-distribution.html

As root:

Place these lines in /etc/my.cnf:
basedir=/data/mysql
max_allowed_packet=32M

Give these commands:

# cd /data
# chown anchor:anchor .
# chmod 775 .
# cd /home/anchor/bld
# make install
# cd /data/mysql
# chown -R mysql .

# bin/mysqld --user=mysql --initialize

# bin/mysql_ssl_rsa_setup

# chgrp -R mysql data
# bin/mysqld_safe --user=mysql &
# cp support-files/mysql.server /etc/init.d/mysql
# /etc/init.d/mysql start

Set the password for root in MySQL

# mysql -u root -p

Log in with the password for root that was given to you in the output of the steps above.  You will see the message:

"You must reset your password using the ALTER USER statement before executing this statement."

mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'crappypass';

This completes the MySQL installation.

Create the XWiki Database

See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationMySQL

Finally, create the xwiki database and grant permissions accordingly:

# mysql -u root -p

mysql> create database xwiki default character set utf8 collate utf8_bin;
mysql> grant all privileges on *.* to xwiki@localhost identified by 'badpass';

Should you make a mistake and not want to start completely over, you can drop the XWiki database and recreate it:

# mysql -uroot -p -e "drop database xwiki; CREATE DATABASE xwiki CHARACTER SET utf8 COLLATE utf8_general_ci; GRANT ALL PRIVILEGES ON xwiki.* TO 'xwiki'@'localhost' IDENTIFIED BY 'password';"

Install Tomcat
# cd /data
# tar xvfp /opt/soft/apache-tomcat-9.0.0.M15.tar.gz
# mv apache-tomcat-9.0.0.M15 tomcat
# chown -R xwiki:xwiki tomcat

Configure Tomcat
See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationTomcat

# cd /data/tomcat
# cp -rp conf conf.orig
# cd conf

Edit server.xml and find these lines in the default connector, the only one which is uncommented.  Insert this line at line 71:

URIEncoding="UTF-8"

Install XWiki
See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationTomcat

# cd tomcat
# cd webapps
# mkdir xwiki
# cd xwiki
# jar -xvf /opt/soft/xwiki-enterprise-web-8.4.4.war
# cd ..
# chown -R xwiki:xwiki xwiki
# cd xwiki/WEB-INF/lib
# cp /opt/soft/mysql-connector-java-5.1.40-bin.jar .
# chown xwiki:xwiki mysql-conn*

Configure XWiki Attachment Storage
See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Attachments

# cd /data/tomcat/webapps/xwiki
# cd WEB-INF
# cp -p xwiki.cfg xwiki.cfg.orig

Edit xwiki.cfg and add this line at line 93:
xwiki.store.attachment.hint=file

Add this line at line 100:
xwiki.store.attachment.versioning.hint=file

And at 107:
xwiki.store.attachment.recyclebin.hint=file

Configure XWiki to work with MySQL
See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationMySQL

Modify hibernate.cfg by commenting out the default database settings and uncommenting the MySQL section.  Then modify the settings in that section to match those shown here:

# cp -p hibernate.cfg.xml hibernate.cfg.xml.orig

Edit hibernate.cfg and set the following settings

<property name="connection.url">jdbc:mysql://localhost/xwiki</property>
<property name="connection.username">xwiki</property>
<property name="connection.password">badpass</property>
<property name="connection.driver_class">com.mysql.jdbc.Driver</property>
<property name="dialect">org.hibernate.dialect.MySQL5InnoDBDialect</property>
<property name="connection.useUnicode">true</property>
<property name="connection.characterEncoding">UTF-8</property>

Configure XWiki Policy Configuration
See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationTomcat

The Tomcat Security Manager is enabled by default.  Add these lines to the bottom of /data/tomcat/conf/catalina.policy:

grant codeBase "file:${catalina.base}/webapps/xwiki/WEB-INF/lib/-" {
  // for mySQL connection
  permission java.net.SocketPermission "127.0.0.1:3306", "connect,resolve";

  // XWiki must have access to all properties in read/write
  permission java.util.PropertyPermission "*", "read, write";

  // Generic detected permissions
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.loader";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "getenv.ProgramFiles";
  permission java.lang.RuntimePermission "getenv.APPDATA";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.connector";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.threads";
  permission java.lang.RuntimePermission "reflectionFactoryAccess";
  permission java.lang.RuntimePermission "accessClassInPackage.com.sun.jmx.interceptor";
  permission java.lang.RuntimePermission "accessClassInPackage.com.sun.jmx.mbeanserver";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "getProtectionDomain";

  // JAXB permissions
  permission javax.xml.bind.JAXBPermission "setDatatypeConverter";

  // Serialization related permissions
  permission java.io.SerializablePermission "allowSerializationReflection";
  permission java.io.SerializablePermission "creator";
  permission java.io.SerializablePermission "enableSubclassImplementation";

  // Internal resources access permissions
  permission java.io.FilePermission "synonyms.txt", "read";
  permission java.io.FilePermission "lang/synonyms_en.txt", "read";
  permission java.io.FilePermission "quartz.properties", "read";
  permission java.io.FilePermission "/templates/-", "read";
  permission java.io.FilePermission "/skins/-", "read";
  permission java.io.FilePermission "/resources/-", "read";

  // MBean related permissions
  permission javax.management.MBeanServerPermission "createMBeanServer";
  permission javax.management.MBeanPermission "*", "registerMBean";
  permission javax.management.MBeanPermission "*", "unregisterMBean";
  permission javax.management.MBeanTrustPermission "register";
  permission javax.management.MBeanPermission "-#-[-]", "queryNames";
  permission javax.management.MBeanServerPermission "findMBeanServer";

  // LibreOffice/OpenOffice related permissions
  permission java.io.FilePermission "/opt/openoffice.org3/program/soffice.bin", "read";
  permission java.io.FilePermission "/opt/libreoffice/program/soffice.bin", "read";
  permission java.io.FilePermission "/usr/lib/openoffice/program/soffice.bin", "read";
  permission java.io.FilePermission "/usr/lib/libreoffice/program/soffice.bin", "read";

  // Allow file storage directory reading - for directory and everything underneath
  // This is dependent on the setting of environment.permanentDirectory in xwiki.properties
  permission java.io.FilePermission "${catalina.base}${file.separator}xwikidata${file.separator}", "read,write,delete";
  permission java.io.FilePermission "${catalina.base}${file.separator}xwikidata${file.separator}-", "read,write,delete";

  // Allow file storage directory reading - temporary directory and everything underneath
  // This is dependent on the setting of environment.temporaryDirectory in xwiki.properties.
  permission java.io.FilePermission "${catalina.base}${file.separator}temp${file.separator}", "read,write,delete";
  permission java.io.FilePermission "${catalina.base}${file.separator}temp${file.separator}-", "read,write,delete";
};

Create Tomcat Environment Script
See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationTomcat

Put these lines in /data/tomcat/bin/setenv.sh:

#!/bin/sh

export JAVA_HOME=$(readlink -f /usr/bin/java | sed "s:bin/java::")
export PATH=$JAVA_HOME/bin:$PATH

export JAVA_OPTS="${JAVA_OPTS} -Djava.awt.headless=true"

export CATALINA_HOME=/data/tomcat
CATALINA_OPTS="-Xmx1024m -XX:MaxPermSize=192m"

# Use the Java security manager? (yes/no)
#TOMCAT5_SECURITY=

Make that file owned by xwiki, group xwiki.

# chown xwiki:xwiki /data/tomcat/bin/setenv.sh

Confirm File Ownership
Once again make sure that -all- files under /data/tomcat are owned by xwiki, group xwiki:

# cd /data/tomcat
# chown -R xwiki:xwiki .

Start and Initialize
See http://platform.xwiki.org/xwiki/bin/view/Features/DistributionWizard

At this point, we should be able to start XWiki.  We have no SSL, and no front-end yet, so we will have to hit it on port 8080.  But now is the time to test and initialize it.  The first time we run it, it will run its "Distribution Wizard", adding its default pages to the database, and setting up an admin user.

Start XWiki as the user xwiki:

# cd /data/tomcat
# sudo -u xwiki bin/startup.sh

Then surf to http://pwswiki10.westmarine.net:8080/xwiki.  You will see a grey background and soon a white bar with the words "Initializing" followed by a quickly-changing percentage.  When the percentage hits 100, the Distribution wizard will start.  Enter admin for the admin user's first name, user for the last name, admin for the username, badpass for the password, which must be six letters or we'd just leave it at admin for now.  Change it later.  Enter your email for the email address.  Click Continue.   On the next screen install the default theme and main pages by clicking Install and then Continue to install the default theme/main pages.  When the Distribution Wizard completes, you will be logged in as admin.  Click Next through the guided tour.


Increase Maximum Attachment Size Limit
The maximum size of an attachment is limited by a configuration parameter in the XWikiPreferences document. It is set to about 32MB by default.
To change it follow these steps:

Go to http://<yourwiki>/xwiki/bin/edit/XWiki/XWikiPreferences?editor=object
Click on the line that says XWikiPreferences 0 (right below the line that says Objects of type XWiki.XWikiPreferences (1)) and expand it
Scroll down to the field that says Maximum Upload Size and change the number to whatever size you want (it is expressed in bytes)
Scroll to the bottom and click "Save"

Install PDF and LDAP Authentication Extensions
Click on More applications on the left side of the home page.  Click Install New Applications.

Scroll down until you get to PDF Viewer Macro.  Click Install and then Continue.

When the PDF Viewer install finishes, scroll up a bit to LDAP Authenticator, and click on Install on Farm and then Continue to install it.  When the LDAP Authenticator extension is finished installing, exit XWiki, and shut down tomcat

# sudo -u xwiki bin/shutdown.sh

Configure XWiki for LDAP
Add the following to the bottom of xwiki.cfg:

#------------------------------
# LDAP
#
xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=<server>
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.bind_DN=westmarine\\{0}
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.base_DN=dc=westmarine,dc=net
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=last_name=name=sAMAccountName,last_name=sn,first_name=givenName,fullName=displayName,email=mail,ldap_dn=dn
xwiki.authentication.ldap.update_user=1
xwiki.authentication.ldap.mode_group_sync=always
xwiki.authentication.ldap.trylocal=1

Confirm LDAP operation
Start tomcat and surf to xwiki.  After it completes reloading (re-initializing), try logging in with your LDAP credentials.

# sudo -u xwiki bin/startup.sh

With LDAP now working, what remains is to enable SSL in Tomcat and in XWiki, and to install and configure NGINX as a front-end.
First, log out of XWiki and shut down Tomcat.
# sudo -u xwiki bin/shutdown.sh

Configure Tomcat for SSL
#

#  Note:  This part is commented out / not in use.
#  We are not currently configuring Tomcat for SSL; we have NGINX listen on 80 and 443 and talk to Tomcat on 8080 in both cases.
#
# # cd /data/tomcat
# # cd conf
# Edit server.xml and add these lines immediately below the line you already added which reads URIEncoding="UTF-8" :
# secure="true"
# scheme="https"
#

Configure XWiki for SSL
Add this to the bottom of xwiki.cfg:
# SSL
xwiki.preferences.redirect

At line 236, under the section URLs, add the line:
xwiki.url.protocol=https

Build and Install NGINX
NGINX requires the zlib-1.2.11 and pcre-8.40 sources.  The digital signatures have already been verified on the copies that exist in /opt/soft.  It is not necessary to build the packages.

# su - anchor
anchor$ tar zxvf /opt/soft/zlib-1.2.11.tar.gz
anchor$ tar zxvf /opt/soft/pcre-8.40.tar.gz
anchor$ tar zxvf /opt/soft/nginx-1.10.3.tar.gz
anchor$ cd nginx-1.10.3
anchor$ ./configure --prefix=/data/nginx --user=xwiki --group=xwiki --with-http_ssl_module --with-pcre=/home/anchor/pcre-8.40 --with-pcre-jit --with-zlib=/home/anchor/zlib-1.2.11
anchor$ make
anchor$ exit

# cd /home/anchor/nginx-1.10.3
# make install
# ls -l /data/nginx
# cd /data/nginx

Configure NGINX
See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationTomcat

# cd /data/nginx
# cd conf
# cp nginx.conf nginx.conf.orig

Configure conf/nginx.conf

Edit nginx.conf and add this line before the closing curly brace:

include ../conf.d/*.conf;

Just above that, uncomment the lines of the section titled # HTTPS server.   Inside that section:

Place /data/nginx/keys/dwswiki10.westmarine.net.pem; as the value of ssl_certificate
Place /data/nginx/keys/dwswiki10.westmarine.net.key; as the value of ssl_certificate_key

Place SSL Certificates in NGINX

CD up one level and make the keys/ dir and populate it with your new certificate and key for this host:

# cd ..
# mkdir keys
# cp /tmp/pwswiki10.westmarine.net.pem keys
# cp /tmp/pwswiki10.westmarine.net.key keys

Create the new directory conf.d and populate it with tomcat.conf:

# cd /data/nginx
# mkdir conf.d
# cd conf.d

Create the file tomcat.conf with the following content:

server {
    listen       80;
    server_name  pwswiki10.westmarine.net;
    # Root to the XWiki application
    root /data/tomcat/webapps/xwiki;

    location / {
        #All "root" requests will have /xwiki appended AND redirected to mydomain.com again
        rewrite ^ $scheme://$server_name/xwiki$request_uri? permanent;
    }

    location ^~ /xwiki {
       # If path starts with /xwiki - then redirect to backend: XWiki application in Tomcat
       # Read more about proxy_pass: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
       proxy_pass http://localhost:8080;
       proxy_set_header        X-Real-IP $remote_addr;
       proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header        Host $http_host;
       proxy_set_header        X-Forwarded-Proto $scheme;
    }
}

server {
    listen       443;
    server_name  pwswiki10.westmarine.net;
    # Root to the XWiki application
    root /data/tomcat/webapps/xwiki;

    location / {
        #All "root" requests will have /xwiki appended AND redirected to mydomain.com again
        rewrite ^ $scheme://$server_name/xwiki$request_uri? permanent;
    }
    location ^~ /xwiki {
       # If path starts with /xwiki - then redirect to backend: XWiki application in Tomcat
       # Read more about proxy_pass: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
       proxy_pass http://localhost:8080;
       proxy_set_header        X-Real-IP $remote_addr;
       proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header        Host $http_host;
       proxy_set_header        X-Forwarded-Proto $scheme;
    }
}

Finally, make sure that all the files under /data/nginx are owned by xwiki, group xwiki:

# chown -R xwiki:xwiki /data/nginx

Start and stop NGINX:

# cd /data/nginx; sbin/nginx

# cd /data/nginx; sbin/nginx -s stop

#

Additional Documents
platform.xwiki.org/xwiki/bin/view/AdminGuide/Backup
https://dev.mysql.com/doc/refman/5.7/en/installing-source-distribution.html
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationMySQL



Re: Detailed XWiki Install Info For RPM-Based Systems

Craig Wright
I basically (re)wrote the instructions for SSL+nginx a couple of weeks ago.

See this instruction page: http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationTomcat#Hhttps28secure29

Based on information gleaned from this bug: http://jira.xwiki.org/browse/XWIKI-13963

Looks like you skipped this from your install:

First, you will need to add the following config to tomcat's server.xml (located at /etc/tomcat8/server.xml on Ubuntu 16.04). The first line should already be in the file, I include it to give you something to search for (that line is located on line 108 in the Ubuntu 16.04 tomcat8 package). This will help tomcat find your proxy headers.

<Engine name="Catalina" defaultHost="localhost">
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
    internalProxies="127\.0\.[0-1]\.1"
    remoteIpHeader="x-forwarded-for"
    requestAttributesEnabled="true"
    protocolHeader="x-forwarded-proto"
    protocolHeaderHttpsValue="https"/>
I hope this helps,
Craig
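
How Tomcat decides whether to believe the X-Forwarded-For and X-Forwarded-Proto headers that the tomcat.conf in Douglas's post sets and that the RemoteIpValve in Craig's reply reads, as an added example that is not part of either post and is not Tomcat's code. It is a simplified Python model of the valve's documented behaviour using the attribute values from the snippet above; the function names, the constructed sample requests and the widened pattern in the last case are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Valve attributes exactly as posted in the server.xml snippet above.
INTERNAL_PROXIES = r"127\.0\.[0-1]\.1"
REMOTE_IP_HEADER = "x-forwarded-for"
PROTOCOL_HEADER = "x-forwarded-proto"
PROTOCOL_HEADER_HTTPS_VALUE = "https"

# Java formats the IPv6 loopback (::1) this way in getRemoteAddr().
IPV6_LOOPBACK = "0:0:0:0:0:0:0:1"


@dataclass
class Seen:
    """What the web application (XWiki) sees after the valve has run."""
    remote_addr: str
    scheme: str
    secure: bool
    headers_trusted: bool


def apply_remote_ip_valve(peer_addr, headers, connector_scheme="http",
                          internal_proxies=INTERNAL_PROXIES):
    """Simplified model of RemoteIpValve (illustrative, not Tomcat's code).

    peer_addr is the TCP peer of the Tomcat connector (port 8080 on this
    page); headers maps lower-case header names to their values.
    """
    proxy_re = re.compile(internal_proxies)
    plain = Seen(peer_addr, connector_scheme, connector_scheme == "https", False)

    # The whole address has to match the pattern, not just a substring.
    if not proxy_re.fullmatch(peer_addr):
        # The peer is not a known proxy, so its forwarded headers are ignored.
        return plain

    # Walk X-Forwarded-For right to left, skipping hops that are themselves
    # internal proxies; the first other address becomes the client address.
    remote = peer_addr
    hops = [h.strip() for h in headers.get(REMOTE_IP_HEADER, "").split(",")]
    for hop in reversed([h for h in hops if h]):
        remote = hop
        if not proxy_re.fullmatch(hop):
            break

    scheme, secure = plain.scheme, plain.secure
    proto = headers.get(PROTOCOL_HEADER)
    if proto is not None:
        # Only the configured value means https; anything else means http.
        secure = proto.lower() == PROTOCOL_HEADER_HTTPS_VALUE
        scheme = "https" if secure else "http"
    return Seen(remote, scheme, secure, True)


# Constructed sample requests; client addresses are documentation ranges.
FORWARDED_HTTPS = {"x-forwarded-for": "203.0.113.7", "x-forwarded-proto": "https"}
SAMPLES = {
    # NGINX on the same host, client arrived on 443.
    "via_nginx_https": ("127.0.0.1", FORWARDED_HTTPS),
    # NGINX on the same host, client arrived on 80.
    "via_nginx_http": ("127.0.0.1", {"x-forwarded-for": "203.0.113.7",
                                     "x-forwarded-proto": "http"}),
    # Two local hops in front of Tomcat; both are skipped.
    "two_local_hops": ("127.0.0.1", {"x-forwarded-for": "203.0.113.7, 127.0.1.1",
                                     "x-forwarded-proto": "https"}),
    # A client reaching port 8080 directly while sending the same headers.
    "direct_8080_client_headers": ("198.51.100.9", FORWARDED_HTTPS),
    # NGINX resolving "localhost" to ::1 instead of 127.0.0.1.
    "via_nginx_ipv6_loopback": (IPV6_LOOPBACK, FORWARDED_HTTPS),
}


def run_samples(internal_proxies=INTERNAL_PROXIES):
    """Evaluate every constructed sample against the given proxy pattern."""
    return {name: apply_remote_ip_valve(peer, hdrs, internal_proxies=internal_proxies)
            for name, (peer, hdrs) in SAMPLES.items()}


def widened_pattern():
    """Assumed variant of the posted pattern that also trusts the IPv6 loopback."""
    return INTERNAL_PROXIES + "|" + re.escape(IPV6_LOOPBACK)


if __name__ == "__main__":
    for label, pattern in (("posted", INTERNAL_PROXIES), ("widened", widened_pattern())):
        print(f"internalProxies ({label}): {pattern}")
        for name, seen in run_samples(pattern).items():
            print(f"  {name:28} -> {seen}")
```

With the posted pattern the headers are honoured only when the connection to port 8080 comes from 127.0.0.1 or 127.0.1.1, so a proxy that reaches Tomcat over the IPv6 loopback is treated like any other client and XWiki keeps seeing plain http.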

> On Apr 28, 2017, at 9:09 PM, Douglas Landau <[hidden email]> wrote:
>
> John,
>
> As far as I know it might be my own instructions.  :-)   They will get you a successful install/running MySQL+XWiki-8.4.4(WAR)+Tomcat+NGINX on CentOS-7.   But my own XWiki is still under construction and there are at least a few loose ends left to be addressed before I can announce it.  For example:
>
> - I got LDAP auth working and yesterday I got, at length, XWiki-group-sync-from-AD working.  So now when I log in using my AD credentials, because I'm in the Admins AD group, I am a member of the XWikiAdminGroup group.  I don't know if there is anything special built-in to that group, or if it's just a name chosen as an example.  I see it has full rights to some pages and not others and now don't remember if I granted the ones that exist, or if it came that way.   In any case I made a lot of groups yesterday and now cannot remove some.  Maybe all, not sure.  I can add them but if I remove them and then refresh they come back, and I get this in the logs:
>
> 2017-04-28 12:31:41,492 [http://dwswiki10.westmarine.net:8080/xwiki/bin/admin/XWiki/XWikiPreferences?xpage=deleteuorg&docname=XWiki.Application+Development&form_token=whLkhIQlmWnx4c7FHacGdA] WARN  o.x.c.i.DefaultCSRFToken       - CSRFToken: Secret token verification failed, token: "whLkhIQlmWnx4c7FHacGdA", stored token: "mdkkxCCQAFB4fwoqoceMYw"
>
> - I don't have usable startup and shutdown scripts working.  The files are owned by the user xwiki and to run as the same user I've been starting and stopping it with "cd /data/tomcat;  sudo -u xwiki bin/startup.sh" and "sudo -u xwiki bin/shutdown.sh".   The Tomcat docs say to use jsvc but their example doesn't pick up bin/setenv.sh, and blah blah blah.  I guess I need to merge that script into the suggested jsvc usage, and then use the option that switches who it's running as, even tho I don't need to do this stuff to make it run on port 80, I just want it to run as xwiki.  I guess I'll just let NGINX run as root, not sure yet.
>
> - The HTTP -> HTTPS redirection doesn't seem to work as I expected/would like and I'm not sure I'm doing it right.  I have this in my xwiki.cfg:   xwiki.url.protocol=https  ...but I'm not sure that's the right way to go about it.  I see the bit on the XWiki InstallationTomcat page about Let's Encrypt but glanced at that page and it seemed like it was about creating certs and didn't understand how it relates.
> Today my NGINX is not working; not sure why.  It -was-.  Last week I stuck this in there:      return 301 https://$host$request_uri;
> ... but now it's commented out.  Think I got it from https://www.bjornjohansen.no/redirect-to-https-with-nginx  which makes it sound great but I then commented it out and don't remember why.
> Seems to me that the best place for the redirection to happen would be at the NGINX layer.
>
> - There is a "server" section for port 80 and another for 443 in conf/nginx.conf.  As per the InstallationTomcat page I added the dir conf.d and inside it tomcat.conf, with similar sections.  I dunno if I should go and comment out the server sections in conf/nginx.conf.
>
>
> - I get this error in catalina.out, and dunno why or what I'm going to do:
> 27-Apr-2017 19:00:57.513 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -XX:MaxPermSize=192m
> OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=192m; support was removed in 8.0
>
> ... if I remember correctly, wherever it was I saw that, that place said it was important!  Oh yeah, it too was on this page:
> http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationTomcat
>
>
> - I get this message in the logs and dunno what to do about it:
>
> 27-Apr-2017 14:56:48.633 SEVERE [localhost-startStop-2] org.apache.catalina.loader.WebappClassLoaderBase.checkThreadLocalMapForLeaks The web application [xwiki] created a ThreadLocal with key of type [java.lang.ThreadLocal] (value [java.lang.ThreadLocal@38058fb1]) and a value of type [java.util.Stack] (value [[org.xwiki.context.ExecutionContext@c0f4827]]) but failed to remove it when the web application was stopped. Threads are going to be renewed over time to try and avoid a probable memory leak.
>
> I get these in my logs and dunno what to do about it:
> 27-Apr-2017 22:02:09.501 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
>
>
> - I get this in my logs and don't understand it... I dunno what java.library.path is, all I know is this:
>
> 27-Apr-2017 14:43:24.720 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
>
> ... I don't understand it, all I know is:
>
> [root@dwswiki10 tomcat]# which java
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/bin/java
>
> Setting JAVA_HOME in this way:
> export JAVA_HOME=$(readlink -f /usr/bin/java | sed "s:bin/java::")
> ...yields this:
> [root@dwswiki10 tomcat]# echo $JAVA_HOME
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/
>
>
> I'm procrastinating dealing with these issues at the moment and starting to try to push the UI into shape.  I think our old wiki was using the spaces extension, or is it a macro, and that's no longer the correct thing to do, now that nested pages have replaced spaces, I guess... Vincent says, on the spaces extension page, to use the Document Tree macro instead,  so I guess I'll install that now and try using it.
>
> Finally, looking at them today, I see a few places where the instructions need minor editing:
> - I say something about xwiki.preferences.redirect but am not sure if I should have that in there or not, part of my http->https redirection confusion
> - I set the "permanentDirectory" setting in xwiki.properties to get the attachments out of the DB and out of the application tree.  I don't see that mentioned in the instructions.  Before I set it, I did fire up the wiki, so there was stuff that needed to be moved, and when I moved it, and restarted, I had brought some problems down upon myself.  I struggled with it for a short while and then started over by removing the xwiki database, recreating it, and repeating the setup I had done to that point.  Anyway I have to get that into the doc.
> - I no longer think that the JAVA_HOME needs to be set in anyone's .bashrc; that is now done in setenv.sh.
>
>
> With that said, here are my own instructions:
> -Doug
> --------------------------------------
> There are five parts:
>
> Hardware/OS
> MySQL
> AppServer
> XWiki
> NGINX
>
> Hardware/OS
> Start by deploying a VM from the CentOS-7.2 template on vcenter01
> Power on the new clone and log in as anchor
> # sudo su -
> # yum -y update
>
> Add the following lines to root's .bashrc, to anchor's .bashrc, and to the .bashrc of the xwiki user:
> export JAVA_HOME=$(readlink -f /usr/bin/java | sed "s:bin/java::")
> export PATH=$JAVA_HOME/bin:$PATH
>
> Prepare the Volume
> I am installing everything on a new disk, which is mounted at /data.  The volume will be owned by anchor.  This was necessary for some unknown reason for the MySQL installation to work.  I don't know why.  It doesn't appear to put anything outside of the install dir, /data/mysql.  But I had to nonetheless.
>
> # chown anchor:anchor /data
>
>
>
> Install MySQL
> See https://dev.mysql.com/doc/refman/5.7/en/source-installation.html
>
> Create the user
>
> # groupadd mysql
> # useradd -r -g mysql -s /bin/false mysql
>
> While we are at it we may as well go ahead and make the xwiki user at this time:
>
> # groupadd -r xwiki
> # useradd -r -g xwiki -s /bin/false xwiki
>
> Unpack MySQL source
>
> As anchor, cd to $HOME, and unpack the MySQL 5.7 source from /opt:
>
> anchor$ cd
> anchor$ tar zxvf /opt/soft/mysql-5.7.17.tar.gz
> anchor$ mkdir bld
> anchor$ cd bld
>
> Install Boost Library
>
> Before you can configure and build MySQL you must install Boost in /usr/local/boost_1_59_0.
>
> See https://dev.mysql.com/doc/refman/5.7/en/source-installation.html
>
> 1. Untar the boost 1.59_0 from /opt/soft:
>
> anchor$ pushd /usr/local
> anchor$ tar zxvfp /opt/soft/boost_1_59_0.tar.gz
>
> 2. I don't remember how I figured this out, but I had to place the tarball inside the unpacked directory:
>
> anchor$ cp !$ boost_1_59_0
>
> 3. I also had to open up the permissions on the files and directories in the boost installation, /usr/local/boost_1_59_0, which were owned by root, but I'm building as anchor, and when unpacked, there were no read or search permissions for group or others on the subdirectories.
>
> $ sudo su -
>
> # cd /usr/local
> # chgrp -R anchor boost_1_59_0
> # chmod g+w /usr/local/boost_1_59_0
> # cd boost_1_59_0
> # find . -type d | xargs chmod g+rx
> # find . -type f | xargs chmod g+rw
> # find . -type d | xargs chmod o+rx
>
> Build MySQL
>
> Now we can get back to configuring and building MySQL:
> $ cmake ../mysql-5.7.17  -DWITH_BOOST=/usr/local/boost_1_59_0  -DCMAKE_INSTALL_PREFIX=/data/mysql
> $ make
> $ make test
>
> Install MySQL
>
> See https://dev.mysql.com/doc/refman/5.7/en/installing-source-distribution.html
>
> As root:
>
> Place these lines in /etc/my.cnf:
> basedir=/data/mysql
> max_allowed_packet=32M
>
> Give these commands:
>
> # cd /data
> # chown anchor:anchor .
> # chmod 775 .
> # cd /home/anchor/bld
> # make install
> # cd /data/mysql
> # chown -R mysql .
>
> # bin/mysqld --user=mysql --initialize
>
> # bin/mysql_ssl_rsa_setup
>
> # chgrp -R mysql data
> # bin/mysqld_safe --user=mysql &
> # cp support-files/mysql.server /etc/init.d/mysql
> # /etc/init.d/mysql start
>
> Set the password for root in MySQL
>
> # mysql -u root -p
>
> Log in with the password for root that was given to you in the output of the steps above.  You will see the message:
>
> "You must reset your password using the ALTER USER statement before executing this statement."
>
> mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'crappypass';
>
> This completes the MySQL installation.
>
> Create the XWiki Database
>
> See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationMySQL
>
> Finally, create the xwiki database and grant permissions accordingly:
>
> # mysql -u root -p
>
> mysql> create database xwiki default character set utf8 collate utf8_bin;
> mysql> grant all privileges on *.* to xwiki@localhost identified by 'badpass';
>
> Should you make a mistake and not want to start completely over, you can drop the XWiki database and recreate it:
>
> # mysql -uroot -p -e "drop database xwiki; CREATE DATABASE xwiki CHARACTER SET utf8 COLLATE utf8_general_ci; GRANT ALL PRIVILEGES ON xwiki.* TO 'xwiki'@'localhost' IDENTIFIED BY 'password';"
>
> Install Tomcat
> # cd /data
> # tar xvfp /opt/soft/apache-tomcat-9.0.0.M15.tar.gz
> # mv apache-tomcat-9.0.0.M15 tomcat
> # chown -R xwiki:xwiki tomcat
>
> Configure Tomcat
> See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationTomcat
>
> # cd /data/tomcat
> # cp -rp conf conf.orig
> # cd conf
>
> Edit server.xml and find these lines in the default connector, the only one which is uncommented.  Insert this line at line 71:
>
> URIEncoding="UTF-8"
>
> Install XWiki
> See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationTomcat
>
> # cd tomcat
> # cd webapps
> # mkdir xwiki
> # cd xwiki
> # jar -xvf /opt/soft/xwiki-enterprise-web-8.4.4.war
> # cd ..
> # chown -R xwiki:xwiki xwiki
> # cd xwiki/WEB-INF/lib
> # cp /opt/soft/mysql-connector-java-5.1.40-bin.jar .
> # chown xwiki:xwiki mysql-conn*
>
> Configure XWiki Attachment Storage
> See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Attachments
>
> # cd /data/tomcat/webapps/xwiki
> # cd WEB-INF
> # cp -p xwiki.cfg xwiki.cfg.orig
>
> Edit xwiki.cfg and add this line at line 93:
> xwiki.store.attachment.hint=file
>
> Add this line at line 100:
> xwiki.store.attachment.versioning.hint=file
>
> And at 107:
> xwiki.store.attachment.recyclebin.hint=file
>
> Configure XWiki to work with MySQL
> See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationMySQL
>
> Modify hibernate.cfg by commenting out the default database settings and uncommenting the MySQL section.  Then modify the settings in that section to match those shown here:
>
> # cp -p hibernate.cfg.xml hibernate.cfg.xml.orig
>
> Edit hibernate.cfg and set the following settings
>
> <property name="connection.url">jdbc:mysql://localhost/xwiki</property>
> <property name="connection.username">xwiki</property>
> <property name="connection.password">badpass</property>
> <property name="connection.driver_class">com.mysql.jdbc.Driver</property>
> <property name="dialect">org.hibernate.dialect.MySQL5InnoDBDialect</property>
> <property name="connection.useUnicode">true</property>
> <property name="connection.characterEncoding">UTF-8</property>
>
> Configure XWiki Policy Configuration
> See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationTomcat
>
> The Tomcat Security Manager is enabled by default.  Add these lines to the bottom of /data/tomcat/conf/catalina.policy:
>
> grant codeBase "file:${catalina.base}/webapps/xwiki/WEB-INF/lib/-" {
>  // for mySQL connection
>  permission java.net.SocketPermission "127.0.0.1:3306", "connect,resolve";
>
>  // XWiki must have access to all properties in read/write
>  permission java.util.PropertyPermission "*", "read, write";
>
>  // Generic detected permissions
>  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>  permission java.lang.RuntimePermission "createClassLoader";
>  permission java.lang.RuntimePermission "setContextClassLoader";
>  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.loader";
>  permission java.lang.RuntimePermission "accessDeclaredMembers";
>  permission java.lang.RuntimePermission "getenv.ProgramFiles";
>  permission java.lang.RuntimePermission "getenv.APPDATA";
>  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
>  permission java.lang.RuntimePermission "getClassLoader";
>  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.connector";
>  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.threads";
>  permission java.lang.RuntimePermission "reflectionFactoryAccess";
>  permission java.lang.RuntimePermission "accessClassInPackage.com.sun.jmx.interceptor";
>  permission java.lang.RuntimePermission "accessClassInPackage.com.sun.jmx.mbeanserver";
>  permission java.lang.RuntimePermission "modifyThread";
>  permission java.lang.RuntimePermission "getProtectionDomain";
>
>  // JAXB permissions
>  permission javax.xml.bind.JAXBPermission "setDatatypeConverter";
>
>  // Serialization related permissions
>  permission java.io.SerializablePermission "allowSerializationReflection";
>  permission java.io.SerializablePermission "creator";
>  permission java.io.SerializablePermission "enableSubclassImplementation";
>
>  // Internal resources access permissions
>  permission java.io.FilePermission "synonyms.txt", "read";
>  permission java.io.FilePermission "lang/synonyms_en.txt", "read";
>  permission java.io.FilePermission "quartz.properties", "read";
>  permission java.io.FilePermission "/templates/-", "read";
>  permission java.io.FilePermission "/skins/-", "read";
>  permission java.io.FilePermission "/resources/-", "read";
>
>  // MBean related permissions
>  permission javax.management.MBeanServerPermission "createMBeanServer";
>  permission javax.management.MBeanPermission "*", "registerMBean";
>  permission javax.management.MBeanPermission "*", "unregisterMBean";
>  permission javax.management.MBeanTrustPermission "register";
>  permission javax.management.MBeanPermission "-#-[-]", "queryNames";
>  permission javax.management.MBeanServerPermission "findMBeanServer";
>
>  // LibreOffice/OpenOffice related permissions
>  permission java.io.FilePermission "/opt/openoffice.org3/program/soffice.bin", "read";
>  permission java.io.FilePermission "/opt/libreoffice/program/soffice.bin", "read";
>  permission java.io.FilePermission "/usr/lib/openoffice/program/soffice.bin", "read";
>  permission java.io.FilePermission "/usr/lib/libreoffice/program/soffice.bin", "read";
>
>  // Allow file storage directory reading - for directory and everything underneath
>  // This is dependent on the setting of environment.permanentDirectory in xwiki.properties
>  permission java.io.FilePermission "${catalina.base}${file.separator}xwikidata${file.separator}", "read,write,delete";
>  permission java.io.FilePermission "${catalina.base}${file.separator}xwikidata${file.separator}-", "read,write,delete";
>
>  // Allow file storage directory reading - temporary directory and everything underneath
>  // This is dependent on the setting of environment.temporaryDirectory in xwiki.properties.
>  permission java.io.FilePermission "${catalina.base}${file.separator}temp${file.separator}", "read,write,delete";
>  permission java.io.FilePermission "${catalina.base}${file.separator}temp${file.separator}-", "read,write,delete";
> };
>
> Create Tomcat Environment Script
> See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationTomcat
>
> Put these lines in /data/tomcat/bin/setenv.sh:
>
> #!/bin/sh
>
> export JAVA_HOME=$(readlink -f /usr/bin/java | sed "s:bin/java::")
> export PATH=$JAVA_HOME/bin:$PATH
>
> export JAVA_OPTS="${JAVA_OPTS} -Djava.awt.headless=true"
>
> export CATALINA_HOME=/data/tomcat
> CATALINA_OPTS="-Xmx1024m -XX:MaxPermSize=192m"
>
> # Use the Java security manager? (yes/no)
> #TOMCAT5_SECURITY=
>
> Make that file owned by xwiki, group xwiki.
>
> # chown xwiki:xwiki /data/tomcat/bin/setenv.sh
>
> Confirm File Ownership
> Once again make sure that -all- files under /data/tomcat are owned by xwiki, group xwiki:
>
> # cd /data/tomcat
> # chown -R xwiki:xwiki .
>
> Start and Initialize
> See http://platform.xwiki.org/xwiki/bin/view/Features/DistributionWizard
>
> At this point, we should be able to start XWiki.  We have no SSL, and no front-end yet, so we will have to hit it on port 8080.  But now is the time to test and initialize it.  The first time we run it, it will run its "Distribution Wizard", adding its default pages to the database, and setting up an admin user.
>
> Start XWiki as the user xwiki:
>
> # cd /data/tomcat
> # sudo -u xwiki bin/startup.sh
>
> Then surf to http://pwswiki10.westmarine.net:8080/xwiki.  You will see a grey background and soon a white bar with the words "Initializing" followed by a quickly-changing percentage.  When the percentage hits 100, the Distribution wizard will start.  Enter admin for the admin user's first name, user for the last name, admin for the username, badpass for the password, which must be six letters or we'd just leave it at admin for now.  Change it later.  Enter your email for the email address.  Click Continue.   On the next screen install the default theme and main pages by clicking Install and then Continue to install the default theme/main pages.  When the Distribution Wizard completes, you will be logged in as admin.  Click Next through the guided tour.
>
>
> Increase Maximum Attachment Size Limit
> The maximum size of an attachment is limited by a configuration parameter in the XWikiPreferences document. It is set to about 32MB by default.
> To change it follow these steps:
>
> Go to http://<yourwiki>/xwiki/bin/edit/XWiki/XWikiPreferences?editor=object
> Click on the line that says XWikiPreferences 0 (right below the line that says Objects of type XWiki.XWikiPreferences (1)) and expand it
> Scroll down to the field that says Maximum Upload Size and change the number to whatever size you want (it is expressed in bytes)
> Scroll to the bottom and click "Save"
>
> Install PDF and LDAP Authentication Extensions
> Click on More applications on the left side of the home page.  Click Install New Applications.
>
> Scroll down until you get to PDF Viewer Macro.  Click Install and then Continue.
>
> When the PDF Viewer install finishes, scroll up a bit to LDAP Authenticator, and click on Install on Farm and then Continue to install it.  When the LDAP Authenticator extension is finished installing, exit XWiki, and shut down tomcat
>
> # sudo -u xwiki bin/shutdown.sh
>
> Configure XWiki for LDAP
> Add the following to the bottom of xwiki.cfg:
>
> #------------------------------
> # LDAP
> #
> xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
> xwiki.authentication.ldap=1
> xwiki.authentication.ldap.server=<server>
> xwiki.authentication.ldap.port=389
> xwiki.authentication.ldap.bind_DN=westmarine\\{0}
> xwiki.authentication.ldap.bind_pass={1}
> xwiki.authentication.ldap.base_DN=dc=westmarine,dc=net
> xwiki.authentication.ldap.UID_attr=sAMAccountName
> xwiki.authentication.ldap.fields_mapping=last_name=name=sAMAccountName,last_name=sn,first_name=givenName,fullName=displayName,email=mail,ldap_dn=dn
> xwiki.authentication.ldap.update_user=1
> xwiki.authentication.ldap.mode_group_sync=always
> xwiki.authentication.ldap.trylocal=1
>
> Confirm LDAP operation
> Start tomcat and surf to xwiki.  After it completes reloading (re-initializing), try logging in with your LDAP credentials.
>
> # sudo -u xwiki bin/startup.sh
>
> With LDAP now working, what remains is to enable SSL in Tomcat and in XWiki, and to install and configure NGINX as a front-end.
> First, log out of XWiki and shut down Tomcat.
> # sudo -u xwiki bin/shutdown.sh
>
> Configure Tomcat for SSL
> #
>
> #  Note:  This part is commented out / not in use.
> #  We are not currently configuring Tomcat for SSL; we have NGINX listen on 80 and 443 and talk to Tomcat on 8080 in both cases.
> #
> # # cd /data/tomcat
> # # cd conf
> # Edit server.xml and add these lines immediately below the line you already added which reads URIEncoding="UTF-8" :
> # secure="true"
> # scheme="https"
> #
>
> Configure XWiki for SSL
> Add this to the bottom of xwiki.cfg:
> # SSL
> xwiki.preferences.redirect
>
> At line 236, under the section URLs, add the line:
> xwiki.url.protocol=https
>
> Build and Install NGINX
> NGINX requires the zlib-1.2.11 and pcre-8.40 sources.  The digital signatures have already been verified on the copies that exist in /opt/soft.  It is not necessary to build the packages.
>
> # su - anchor
> anchor$ tar zxvf /opt/soft/zlib-1.2.11.tar.gz
> anchor$ tar zxvf /opt/soft/pcre-8.40.tar.gz
> anchor$ tar zxvf /opt/soft/nginx-1.10.3.tar.gz
> anchor$ cd nginx-1.10.3
> anchor$ ./configure --prefix=/data/nginx --user=xwiki --group=xwiki --with-http_ssl_module --with-pcre=/home/anchor/pcre-8.40 --with-pcre-jit --with-zlib=/home/anchor/zlib-1.2.11
> anchor$ make
> anchor$ exit
>
> # cd /home/anchor/nginx-1.10.3
> # make install
> # ls -l /data/nginx
> # cd /data/nginx
>
> Configure NGINX
> See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationTomcat
>
> # cd /data/nginx
> # cd conf
> # cp nginx.conf nginx.conf.orig
>
> Configure conf/nginx.conf
>
> Edit nginx.conf and add this line before the closing curly brace:
>
> include ../conf.d/*.conf;
>
> Just above that, uncomment the lines of the section titled # HTTPS server.   Inside that section:
>
> Place /data/nginx/keys/dwswiki10.westmarine.net.pem; as the value of ssl_certificate
> Place /data/nginx/keys/dwswiki10.westmarine.net.key; as the value of ssl_certificate_key
>
> Place SSL Certificates in NGINX
>
> CD up one level and make the keys/ dir and populate it with your new certificate and key for this host:
>
> # cd ..
> # mkdir keys
> # cp /tmp/pwswiki10.westmarine.net.pem keys
> # cp /tmp/pwswiki10.westmarine.net.key keys
>
> Create the new directory conf.d and populate it with tomcat.conf:
>
> # cd ..
> # mkdir conf.d
> # cd conf.d
>
> Create the file tomcat.conf with the following content:
>
> server {
>    listen       80;
>    server_name  pwswiki10.westmarine.net;
>    # Root to the XWiki application
>    root /data/tomcat/webapps/xwiki;
>
>    location / {
>        #All "root" requests will have /xwiki appended AND redirected to mydomain.com again
>        rewrite ^ $scheme://$server_name/xwiki$request_uri? permanent;
>    }
>
>    location ^~ /xwiki {
>       # If path starts with /xwiki - then redirect to backend: XWiki application in Tomcat
>       # Read more about proxy_pass: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
>       proxy_pass http://localhost:8080;
>       proxy_set_header        X-Real-IP $remote_addr;
>       proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
>       proxy_set_header        Host $http_host;
>       proxy_set_header        X-Forwarded-Proto $scheme;
>    }
> }
>
> server {
>    listen       443;
>    server_name  pwswiki10.westmarine.net;
>    # Root to the XWiki application
>    root /data/tomcat/webapps/xwiki;
>
>    location / {
>        #All "root" requests will have /xwiki appended AND redirected to mydomain.com again
>        rewrite ^ $scheme://$server_name/xwiki$request_uri? permanent;
>    }
>    location ^~ /xwiki {
>       # If path starts with /xwiki - then redirect to backend: XWiki application in Tomcat
>       # Read more about proxy_pass: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
>       proxy_pass http://localhost:8080;
>       proxy_set_header        X-Real-IP $remote_addr;
>       proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
>       proxy_set_header        Host $http_host;
>       proxy_set_header        X-Forwarded-Proto $scheme;
>    }
> }
>
> Finally, make sure that all the files under /data/nginx are owned by xwiki, group xwiki:
>
> # chown -R xwiki:xwiki conf.d
>
> Start and stop NGINX:
>
> # cd /data/nginx; sbin/nginx
>
> # cd /data/nginx; sbin/nginx -s stop
>
> #
>
> Additional Documents
> platform.xwiki.org/xwiki/bin/view/AdminGuide/Backup
> https://dev.mysql.com/doc/refman/5.7/en/installing-source-distribution.html
> http://platform.xwiki.org/xwiki/bin/view/AdminGuide/InstallationMySQL
>
>