On This page
On Related Pages
Set Up AWS EC2 Instance
- Log into console.aws.amazon.com, using the Platform account's credentials.
- Ensure that the "crowd" security group exists. Under "Security Groups" click the "crowd" group's check box. Under "Inbound" you should see:
- Port Range=8443 and source=140.107.0.0/16 to allow HTTPS to Crowd from FHCRC
- Port Range=8443 and source=sg-xxxxxxxx the Elastic Beanstalk security group
- “SSH” with Fred Hutch CIDR 140.107.0.0/16 to allow remote log-in from FHCRC
- “Custom TCP rule” with Port Range=0-65535 and net mask=127.0.0.1/32 to allow localhost to connect to itself on any port, such as when Tomcat shutdown sends a message to a particular port
- Now launch an EC2 instance:
- Basic 32-bit Amazon Linux AMI 2011.02.1 Beta
- Availability Zone: No preference
- Instance Type: m1.small
- Accepted default choices except where specified.
- Description: Production Crowd Server
- “PlatformKeyPairEast”
- Choose "crowd" security group.
- Result: new Server is created, with an external DNS name, something like:
ec2-50-16-164-35.compute-1.amazonaws.com
- Create the new Elastic IP address (something like“50.17.212.74”) and associate with the new EC2 instance.
- EC2 Dashboard > Elastic IPs > Allocate new address (if the address to be used does not already exist. Note it's most expensive to have UNallocated addresses, so don't make extra ones.)
- Under EC2 Dashboard > Elastic IPs, click Associate address
- Note: It seems that you have to do the Elastic IP association BEFORE you first SSH-in, otherwise you can never access the server!
- Now point an owned host name to this elastic IP address. Log in to GoDaddy.com.
- Under My Account > Domain Manager, chose “sagebase.org”. Then under “DNS Manager” click “launch”.
- Under “A(Host)” clicked “Quick Add”, to map the hostname “crowd” to the Elastic IP address above, e.g. 50.17.212.74.
Set Up Database Schema
The reference for this section is:
http://confluence.atlassian.com/display/CROWD/MySQL
Using the MySQL workbench, create a new user: ‘crowd’ having ‘DBManager’ privileges. The password for the account is on our Unix system in
/work/platform/PasswordsAndCredentials/passwords.txt.
Create a new schema ‘crowd’ having “Collation” “utf8-default collation”
Go to “schema privileges” view and give the “crowd” user all privileges under the “crowd” schema.
Skip Steps 1.4-5.
Add the EC2 security group to the DB Security group for the AWS MySQL instance.
Make a note of the database host name. This should be a CNAME in GoDaddy, not direct connection to RDS e.g. syndb-prod.sagebase.org
Download mysql-connector-java-5.1.16.tar.gz and copy it to /usr/local
The installation of the driver comes after the installation of Crowd, below.
Download and Install Crowd
Download the file atlassian-crowd-2.2.7.tar.gz from Atlassian’s web site.
Upload to the EC-2 instance.
Note: I use Win SCP to transfer from my desktop to the EC-2 instance, with the following settings:
host name: 50.17.212.74 (i.e. the elastic IP address)
Port: 22
User name: ec2-user
Private key file: (file: ) PlatformKeyPairEast.ppk
File Protocol: SCP
See also
http://sagebionetworks.jira.com/wiki/display/PLFM/AWS+Info#AWSInfo-HowtoSSHtoanEC2Host
From /usr, “sudo chmod 777 local”
Copy the zip file to /usr/local on the EC-2 instance
The reference for the subsequent steps is here:
http://confluence.atlassian.com/display/CROWD/Installing+Crowd+and+CrowdID
gunzip atlassian-crowd-2.2.7.tar.gz
sudo tar -xvf atlassian-crowd-2.2.7.tar
sudo chmod -R 777 atlassian-crowd-2.2.7
edit /usr/local/atlassian-crowd-2.2.7/crowd-webapp/WEB-INF/classes/crowd-init.properties
Just uncomment the default:
crowd.home=/var/crowd-home
sudo mkdir /var/crowd-home
sudo chmod -R 777 /var/crowd-home
Now complete the installation of the MySQL Connector:
In /usr/local:
gunzip mysql-connector-java-5.1.16.tar.gz
tar -xvf mysql-connector-java-5.1.16.tar
Copy
/usr/local/mysql-connector-java-5.1.16/mysql-connector-java-5.1.16-bin.jar
to
/usr/local/atlassian-crowd-2.2.7/apache-tomcat/lib/
Configure Crowd to work with SSL
The reference for these steps is here:http://confluence.atlassian.com/display/CROWD/Configuring+Crowd+to+Work+with+SSL
Edit the Connector element in the apache-tomcat/conf/server.xml file, adding this Connector tag (inside the “Service” tag):
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
SSLEnabled="true"
keystoreFile="/usr/local/tomcat.keystore" keystorePass="changeit"
connectionTimeout="20000" useBodyEncodingForURI="true"/>
Obtain Certificate
Either copy the file found at
/work/platform/PasswordsAndCredentials/crowdServerCertificate/tomcat.keystore
to
/usr/local/
or follow the instructions here for creating a new private key and set of certificates.
Edit apache-tomcat/bin/setenv.sh to:
JAVA_OPTS="-Xms128m -Xmx512m -XX:MaxPermSize=256m -Dfile.encoding=UTF-8 $JAVA_OPTS -Djavax.net.ssl.keyStore=/usr/local/tomcat.keystore -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=/usr/local/tomcat.keystore -Djavax.net.ssl.trustStorePassword=changeit"
export JAVA_OPTS
Complete Set-Up
In /usr/local/atlassian-crowd-2.2.7/
Run ./start_crowd.sh
In a web browser, go to
https://crowd.sagebase.org:8443/crowd/console
If all the steps were done correctly, the Crowd screen should appear, prompting for a license key. You should NOT be warned that it is an untrusted site. If so, there was a mistake in the certificate generation, signing, or installation on the Crowd server.
Follow the instructions to get an evaluation license.
“Select the type of database you would like to use with Crowd.:” JDBC Connection
Database: MySQL
JDBC URL: jdbc:mysql://syndb-prod.sagebase.org/crowd?autoReconnect=true&characterEncoding=utf8&useUnicode=true
Username: crowd
Password: The password for the database account is on our Unix system in /work/platform/PasswordsAndCredentials/passwords.txt.
Otherwise accept the defaults.
Session timeout: 1440 (i.e. one day)
Notification email address: platform@sagebase.org
From email address: crowd-sage-production@sagebase.org
Mail server type: SMTP Server
SMTP Host: smtp.gmail.com
SMTP Port: 465
Username / Password: Use 'synapse@sagebase.org'. The password for the (google) email account is on our Unix system in /work/platform/PasswordsAndCredentials/passwords.txt.
Use SSL: *Check*
Internal Directory: Synapse
Accepted all other defaults.
Add 'platform@sagebase.org' as a ‘default administrator’. Password should be the one under 'Crowd admin console' in the file /work/platform/PasswordsAndCredentials/passwords.txt.
Complete the installation wizard. Crowd is now set up and you can log into the console.
Further Configuration
Log into the Crowd console.
Click on ‘Groups’ and create a group called ‘Administrators’. This is the administrative group for Synapse.
Select Applications > Add application
Application type: Generic application
Name: platform
Description: Synapse authentication service
Password: This password, kept on file, must match the one used by the Synapse authentication services.
Allow all users to authenticate: True
URL: https://prod-auth.elasticbeanstalk.com (To be updated with the production URL)
After completing the set-up wizard for the application, go to the “Remote Addresses” tab and add these subnets:
0.0.0.0/1
128.0.0.0/1
i.e. we 'disable' subnet restrictions.
For the non-prod instance of crowd, create all the integration test users:
- all use email address integration.test@sagebase.org
- all use the password "password"
- none should have administrator privileges
- the usernames are as follows:
- devUser1
- devUser2
- bambooUser1
- bambooUser2
Verify Set-Up
Open Crowd console. Should see log in screen w/o getting any ‘untrusted site’ errors.
Select reset password option. Should receive an email with reset password link. Link should have server crowd.sagebase.org. Clicking on link should return to Crowd console, where password can be changed.
Log into Crowd using REST API:
Temporarily add your IP address or subnet to the ‘allowed’ list for the ‘platform’ application. Execute the following request, replacing [password] with the application password for the platform app and [username] with your user name.
curl -u platform:[password] -H "Accept: application/xml" -H "Content-Type: application/xml" -v -k -d "<?xml version='1.0' encoding='UTF-8'?> <authentication-context> <username>[username]</username></authentication-context>" -X POST https://crowd.sagebase.org:8443/crowd/rest/usermanagement/latest/session?validate-password=false
Response should include a HTTP status of 201 and a session token
Restarting Crowd
If the server goes down:
To check if Crowd is up, in web browser go to the appropriate URL as defined above.
You should see Crowd log-in page. If not then ssh in to xxx-crowd.sagebase.org as ec2-user, using the standard key for 'platform' owned ec2 instances, PlatformKeyPairEast
At the unix prompt:
sudo reboot
The machine should restart keeping the existing elastic ip.