Prerequisites
Ubuntu Server 20.04 (will also run on Centos/Red Hat), 8GB RAM, 100GB HDD PG 10+ (14 recommended ), JDK 1.8 ( 291+ ), OpenSSL, Resin 4.0.66
PostgreSQL
Installation Instructions: https://www.postgresql.org/download/linux/ubuntu/ Tune postgresql: https://www.pgconfig.org/ File to edit when tuning PG:
| sudo nano /etc/postgresql/14/main/postgresql.conf |
Starting (or stopping) postgres: ( stop | start | restart )
| sudo pg_ctlcluster 14 main start |
Set password for user "postgres"
| sudo -u postgres psql postgres \password postgres ( enter desired password when prompted ) \q (to exit the posgreSQL command interface ) |
Edit pg_hba.conf to force password confirmation for postgres commands Look for --- "Database administrative login by Unix domain socket", replace "peer" with "md5"
| sudo nano /etc/postgresql/14/main/pg_hba.conf |
Restart PG for changes to take effect:
| sudo pg_ctlcluster 14 main restart |
Create empty registry database:
| sudo -u postgres psql postgres CREATE database registry; \q |
Download and extraxct the CoCCA database template with default db structure:
| wget --inet4-only https://updates.coccaregistry.org/pg/cocca.tar.gz --no-check-certificate |
Import CoCCA database template extracted from cocca.tar.gz:
| psql -U postgres -d registry -f cocca.sql |
OpenSSL
Install Complier Tools
|
sudo apt update sudo apt install build-essential checkinstall zlib1g-dev -y |
Install Open SSL
| cd /usr/local/src/ sudo wget --inet4-only https://www.openssl.org/source/openssl-1.1.1m.tar.gz --no-check-certificate sudo tar -xf openssl-1.1.1m.tar.gz cd openssl-1.1.1m sudo ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib sudo make sudo make test sudo make install cd /etc/ld.so.conf.d/ sudo nano openssl-1.1.1m.conf |
Insert the following line in openssl-1.1.1m.conf /usr/local/ssl/lib Save and Exit, run the following commands
| sudo ldconfig -v sudo mv /usr/bin/c_rehash /usr/bin/c_rehash.backup sudo mv /usr/bin/openssl /usr/bin/openssl.backup |
Set Envronment
| sudo nano /etc/environment |
Append the following: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/ssl/bin" Save, and Exit
Load environment
| source /etc/environment echo $PATH |
Check and verify
| openssl version -a |
Java
Install Java JDK 1.8 (Java Licence may be required for production use, CoCCA is still testing Open JDK versions 1.8+)
| sudo mkdir /usr/lib/jvm cd /usr/lib/jvm wget --inet4-only https://updates.coccaregistry.org/jdk-8u311-linux-x64.tar.gz --no-check-certificate https://www.oracle.com/java/technologies/downloads/ sudo tar -xvzf jdk-8u311-linux-x64.tar.gz |
Append the following command to open the environment variables file.
|
sudo nano /etc/environment
JAVA_HOME="/usr/lib/jvm/jdk1.8.0_311" |
Run from command line.
|
sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_311/bin/java" 0 sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_311/bin/javac" 0 sudo update-alternatives --set java /usr/lib/jvm/jdk1.8.0_311/bin/java sudo update-alternatives --set javac /usr/lib/jvm/jdk1.8.0_311/bin/javac |
Check Version
| java -version |
Resin
The http server used with CoCCA https://caucho.com
Before installing resin, install OpenSSL and the JDK
Recomended : Create a host name for your instance with an A record to match the server IP
| cd /opt sudo wget --inet4-only http://caucho.com/download/resin-4.0.66.tar.gz --no-check-certificate tar -vzxf resin-4.0.66.tar.gz cd resin-4.0.66 ./configure --enable-64bit --prefix=/opt/resin/ --with-resin-root=/opt/resin --with-resin-log=/opt/resin/log --with-resin-conf=/opt/resin/conf sudo make sudo make install |
Post Install Configuration: Download the CoCCA lab jks from CoCCA ( needed for EPP and https ).
| cd /opt/resin/conf/keys/ sudo wget --inet4-only https://updates.coccaregistry.org/star_coccaregistry_org.jks --no-check-certificate |
Download the latest CoCCA ROOT.war file
| cd /opt/resin/webapps/ sudo wget --inet4-only https://updates.coccaregistry.org/ROOT.war --no-check-certificate |
Delete default resin.xml and download resin config file for CoCCA:
| cd /opt/resin/conf/ rm -fr resin.xml sudo wget --inet4-only https://updates.coccaregistry.org/resin/resin.xml --no-check-certificate |
Edit resin config file:
- replace default IPs with your server IPs ( line 28 and 42 )
- replace default host registry.example.tld with your host name (line 75 and 83 ). Note: If you have not created an A record yet, you may put the server IP in place of the host name.
- insert postgreql password you created in postgesql section above ( line 92 )
| sudo nano /opt/resin/conf/resin.xml |
Get postgreSQL jdbc driver
| cd /opt/resin/lib/ wget --inet4-only https://jdbc.postgresql.org/download/postgresql-42.2.18.jar --no-check-certificate |
Start ( or restart ) resin and login to portal. If restart does not work, try stop then start.
| /etc/init.d/resin stop | start | restart |
Go to your host name URL- https://registry.example.tld ( or https://ipaddress - will take ±15-20 seconds to load ) Default credentials for lab db - registry_admin / h&6UQjJ3
letsencrypt
Optional The CoCCA lab jks downloaded above will enable https connections but with a browser warning. If you want a free https certificate to match your host name, we suggest https://letsencrypt.org Tool - https://snapcraft.io/docs/installing-snapd
| sudo snap install core; sudo snap refresh core sudo snap install --classic certbot |
Stop resin webserver to release port 80 and 443 temporarily.
| /etc/init.d/resin stop |
Request a new certificate
| sudo certbot certonly --standalone |
Create p12 (one long srting/command)
/usr/local/ssl/bin/openssl pkcs12 -export -name sslcertificate -in /etc/letsencrypt/live/registry.example.tld/fullchain.pem -inkey /etc/letsencrypt/live/registry.example.tld/privkey.pem -out registry.example.tld.p12 |
Create Java keystore and import p12 (one long string/command):
/usr/lib/jvm/jdk1.8.0_311/bin/keytool -importkeystore -destkeystore registry.example.tld.jks -srckeystore registry.example.tld.p12 -srcstoretype pkcs12 -alias sslcertificate |
Move newly created jks to the resin keys folder
| mv registry.example.tld.jks /opt/resin/conf/keys/registry.example.tld.jks |
Edit resin config file to enable new http certificate:
| sudo nano /opt/resin/conf/resin.xml |
Add the path, jks file name and password for the custom jks created above (lines 45 & 46)
Start ( or restart ) resin and login to portal. If restart does not work, try stop then start.
| /etc/init.d/resin stop | start | restart |
Other
Set server time to UTC for RFC compliance:
| sudo timedatectl set-timezone UTC |
Ubunutu firewall basic configuration, handy commands:
- sudo ufw enable | disable
- sudo ufw status numbered ( see rules )
- sudo ufw delete X ( delete a rule by number )
- sudo ufw reload ( after rule changes )
| sudo ufw enable sudo ufw allow from "my trusted IP" to any port 22 sudo ufw allow from "my trusted IP" to any port 53 sudo ufw allow from any to any port 80 sudo ufw allow from any to any port 443 sudo ufw allow from any to any port 43 sudo ufw allow from any to any port 700 |
Secure from brute force/dictionary ssh attacks
| sudo apt install fail2ban |