Commit 97b8bc69 authored by Gerrit Hübbers

Harden sensitive configuration. Provide sample configuration for 1&1 email sending. Closes issue #31.
parent 7727ff41
......@@ -62,15 +62,6 @@ adduser --system --no-create-home --disabled-login --group dda
# sudo -u dda bash
```
Update file `src/main/config/application-prod.yml` to reflect your production environment. In particular, provide correct values for the following keys:
* `spring.datasource.password`: this is the password of MySQL user `dda`.
* `spring.mail.(host, port, username, password`: these are settings for an SMTP mail server. Events such as user registration will send out e-mails using these settings.
* `server.port`: a TCP port that this DDA instance will listen on. Use a port which is not in use yet on your machine (e.g. 8081, if so).
* `ingester.endpoint`: your DSpace installation's REST endpoint, e.g. `https://www.example.com/rest`
* `ingester.email`: the e-mail address of the DSpace DDA user which you created in step [*Creating a Document Deposit Assistant DSpace user*](#creating-a-document-deposit-assistant-dspace-user)
* `ingester.password`: the password of aforementioned DSpace user
* `ingester.targetCollection`: the DSpace collection *ID* (not collection *handle*) of DDA's import collection which you created in step [*Creating a Document Deposit Assistant DSpace collection*](#creating-a-document-deposit-assistant-dspace-collection).
Now build a DDA production release. Run the following command:
```
mvn clean package -Pprod -DskipTests
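Review bot: dropping the "edit src/main/config/application-prod.yml" step is right now that the secrets move out of the tree, but the build command that follows still packages whatever is in that file into the WAR. Anyone who followed the previous instructions has a locally edited copy containing the database, SMTP and DSpace passwords, and `mvn clean package -Pprod -DskipTests` will ship it unchanged. Suggest adding one sentence before the build step telling the operator to make sure `src/main/config/application-prod.yml` is the unmodified version from the repository (e.g. `git status` / `git checkout -- src/main/config/application-prod.yml`) before building.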
......@@ -85,8 +76,18 @@ sudo sh -c "mkdir /srv/dda"
```
Copy
* `target/dda-wizard.war` to `/srv/dda/dda-wizard.war` and
* `etc/conf-files/prod/dda-wizard.conf` to `/srv/dda/dda-wizard.conf`.
* `target/dda-wizard.war` to `/srv/dda/dda-wizard.war`,
* `etc/conf-files/prod/dda-wizard.conf` to `/srv/dda/dda-wizard.conf`, and
* `etc/conf-files/prod/application-prod.yml` to `/srv/dda/application-prod.yml`
Update file `/srv/dda/application-prod.yml` to reflect your production environment - that file has further helpful comments inside. In particular, provide correct values for the following keys:
* `spring.datasource.password`: this is the password of MySQL user `dda`.
* `spring.mail.(host, port, username, password`: these are settings for an SMTP mail server. Events such as user registration will send out e-mails using these settings.
* `server.port`: a TCP port that this DDA instance will listen on. Use a port which is not in use yet on your machine (e.g. 8081, if so).
* `ingester.endpoint`: your DSpace installation's REST endpoint, e.g. `https://www.example.com/rest`
* `ingester.email`: the e-mail address of the DSpace DDA user which you created in step [*Creating a Document Deposit Assistant DSpace user*](#creating-a-document-deposit-assistant-dspace-user)
* `ingester.password`: the password of aforementioned DSpace user
* `ingester.targetCollection`: the DSpace collection *ID* (not collection *handle*) of DDA's import collection which you created in step [*Creating a Document Deposit Assistant DSpace collection*](#creating-a-document-deposit-assistant-dspace-collection).
Set correct directory and file permissions:
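Review bot: the moved key list carries two wording defects from the old text that could be fixed while it is being touched. `spring.mail.(host, port, username, password` is missing its closing parenthesis, and "Use a port which is not in use yet on your machine (e.g. 8081, if so)" does not say what "if so" refers to; something like "e.g. 8081 if that port is free" reads clearly. The `ingester.endpoint` example here is `https://www.example.com/rest` while the sample file in this same commit shows `http://dspace.example.com/rest`; since `ingester.email` and `ingester.password` are sent to that endpoint on every deposit, keep both examples on `https://` so the README does not suggest sending the DSpace credentials in clear text. Finally, the "Set correct directory and file permissions" step that follows should explicitly cover the newly copied `/srv/dda/application-prod.yml`, since it is now the file that holds every secret.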
......@@ -133,7 +134,7 @@ The logs will let you know about the local and external IP addresses and ports o
#### Reverse proxy configuration
TODO Apache configuration, tracked in issue #32.
#### System user passwords
#### DDA user passwords
TODO how to change passwords, tracked in issue #33.
......
# this file is supposed to hold all sensitive DDA configuration data
# copy this file to /srv/dda/application-prod.yml,
# have it owned by your dda unix user, e.g. sudo chown dda:dda /srv/dda/application-prod.yml
# give it minimal file permissions, sudo chmod u=rx,g=,o= /srv/dda/application-prod.yml
# then edit that copy to reflect your environment, especially those values marked `"**change**`
# /srv/dda/application-prod.yml's property values will take precedence over the property values from
# the WAR-bundled application-prod.yml file
# as per https://docs.spring.io/spring-boot/docs/1.3.1.RELEASE/reference/html/boot-features-external-config.html
spring:
datasource:
url: **change** e.g. jdbc:mysql://localhost/dda
name:
username: **change** e.g. dda
password: **change**
mail:
host: **change** e.g. smtp.1und1.de
port: **change** e.g. 587
username: **change**
password: **change**
protocol: **change** e.g. smtp
properties:
mail.debug.auth: **change** e.g. true
mail.debug: **change** e.g. true
mail.smtp.auth: **change** e.g. true
mail.smtp.starttls.enable: **change** e.g. true
mail.smtp.host: **change** e.g. smtp.1und1.de
mail.smtp.port: **change** e.g. 587
server:
port: **change**
jhipster:
mail:
from: **change**
security:
rememberme:
key: **change** e.g. a lowercase 40-characters random hexadecimal string
ingester:
endpoint: **change** e.g. http://dspace.example.com/rest
email: **change**
password: **change**
targetCollection: **change** e.g. 11
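Review bot: `mail.debug.auth: **change** e.g. true` is the wrong example for a production secrets file. That JavaMail property makes the session include the SMTP authentication commands, i.e. the username and password, in its debug output, and `mail.debug: true` turns that output on; together they write the SMTP credentials into the application log. The suggested values for both should be `false`, with a comment that they may be switched on temporarily while diagnosing delivery problems. Three smaller points: the comment `chmod u=rx,g=,o=` grants execute on a YAML file, which nothing needs; `u=r,g=,o=` (0400) is the minimal set that still lets the `dda` user read it. The comment on the "edit that copy" line has a stray backtick before `"**change**`. And the `rememberme.key` hint ("a lowercase 40-characters random hexadecimal string") would be more useful as a command, e.g. `openssl rand -hex 20`, which produces exactly that from the system CSPRNG, so operators do not type something guessable by hand.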
......@@ -2,6 +2,7 @@
# Spring Boot configuration for the "prod" profile.
#
# This configuration overrides the application.yml file.
# for sensitive configuration data, follow the instructions in file etc/conf-files/prod/application-prod.yml
# ===================================================================
# ===================================================================
......@@ -19,17 +20,16 @@ spring:
livereload:
enabled: false
datasource:
driver-class-name: org.h2.jdbcx.JdbcDataSource
url: jdbc:h2:mem:dda;DB_CLOSE_DELAY=-1
driver-class-name: com.mysql.jdbc.jdbc2.optional.MysqlDataSource
url:
name:
username: DDA
username:
password:
h2:
console:
enabled: false
jpa:
database-platform: org.gesis.dda.wizard.domain.util.FixedH2Dialect
database: H2
database-platform: org.hibernate.dialect.MySQL5InnoDBDialect
show_sql: true
properties:
hibernate.cache.use_second_level_cache: true
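Review bot: with the datasource switched from the in-memory H2 database to MySQL, the unchanged `show_sql: true` a few lines below now echoes every statement run against the real user and deposit tables to the application log on a production host. That is a development setting; suggest `show_sql: false` in this profile alongside the driver change, so the log volume and the information it leaks do not grow with the first real deployment. The leftover `h2.console.enabled: false` block is harmless but could go now that H2 is no longer configured here.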
......@@ -37,8 +37,8 @@ spring:
hibernate.generate_statistics: true
hibernate.cache.region.factory_class: org.hibernate.cache.ehcache.SingletonEhCacheRegionFactory
mail:
host: localhost
port: 25
host:
port:
username:
password:
messages:
......@@ -50,7 +50,7 @@ liquibase:
contexts: prod
server:
port: 8085
port:
compression:
enabled: true
mime-types: text/html,text/xml,text/plain,text/css, application/javascript, application/json
......@@ -68,7 +68,7 @@ jhipster:
ehcache:
maxBytesLocalHeap: 256M
mail: # specific JHipster mail property, for standard properties see MailProperties
from: DDA@localhost
from:
metrics: # DropWizard Metrics configuration, used by MetricsConfiguration
jmx.enabled: true
spark:
......@@ -80,3 +80,13 @@ jhipster:
host: localhost
port: 2003
prefix: DDA
# ===================================================================
# Ingesting repository-specific configuration
# ===================================================================
ingester:
endpoint:
email:
password:
targetCollection:
......@@ -25,7 +25,8 @@
<logger name="org.gesis.dda.wizard" level="@logback.loglevel@"/>
<logger name="javax.activation" level="WARN"/>
<logger name="javax.mail" level="WARN"/>
<logger name="javax.mail" level="DEBUG"/>
<logger name="com.sun.mail" level="DEBUG"/>
<logger name="javax.xml.bind" level="WARN"/>
<logger name="ch.qos.logback" level="WARN"/>
<logger name="com.codahale.metrics" level="WARN"/>
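Review bot: raising `javax.mail` and adding `com.sun.mail` at DEBUG in the shipped logback configuration, combined with the `mail.debug` and `mail.debug.auth` example values of `true` in the new sample secrets file, means the full SMTP conversation, AUTH exchange included, lands in the production log. Keep both loggers at WARN here (the line being replaced was already `<logger name="javax.mail" level="WARN"/>`) and document raising them to DEBUG as a temporary troubleshooting step instead, so a default install does not persist the mail password in its log files.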
......