On This page On Related Pages

Set Up AWS EC2 Instance

1. Log into console.aws.amazon.com, using the Platform account's credentials.
2. Ensure that the "crowd" security group exists. Under "Security Groups" click the "crowd" group's check box.  Under "Inbound" you should see:
   1. Port Range=8443 and source=140.107.0.0/16 to allow HTTPS to Crowd from FHCRC
   2. Port Range=8443 and source=sg-xxxxxxxx the Elastic Beanstalk security group
   3. “SSH” with Fred Hutch CIDR 140.107.0.0/16 to allow remote log-in from FHCRC
   4. “Custom TCP rule” with Port Range=0-65535 and net mask=127.0.0.1/32 to allow localhost to connect to itself on any port, such as when Tomcat shutdown sends a message to a particular port
3. Now launch an EC2 instance:
   • Basic 32-bit Amazon Linux AMI 2011.02.1 Beta
   • Availability Zone: No preference
   • Instance Type: m1.small
   • Accepted default choices except where specified.
   • Description: Production Crowd Server
   • “PlatformKeyPairEast”
   • Choose "crowd" security group.
   • Result: new Server is created, with an external DNS name, something like:
      ec2-50-16-164-35.compute-1.amazonaws.com
4. Create the new Elastic IP address (something like“50.17.212.74”) and associate with the new EC2 instance.
   • EC2 Dashboard > Elastic IPs > Allocate new address (if the address to be used does not already exist.  Note it's most expensive to have UNallocated addresses, so don't make extra ones.)
   • Under EC2 Dashboard > Elastic IPs, click Associate address
   • Note: It seems that you have to do the Elastic IP association BEFORE you first SSH-in, otherwise you can never access the server!
5. Now point an owned host name to this elastic IP address.  Log in to GoDaddy.com.
   • Under My Account > Domain Manager, chose “sagebase.org”.  Then under “DNS Manager” click “launch”. 
   • Under “A(Host)” clicked “Quick Add”, to map the hostname “crowd” to the Elastic IP address above, e.g. 50.17.212.74.

Set Up Database Schema

The reference for this section is:

http://confluence.atlassian.com/display/CROWD/MySQL

Using the MySQL workbench, create a new user: ‘crowd’ having ‘DBManager’ privileges.  The password for the account is on our Unix system in

     /work/platform/PasswordsAndCredentials/passwords.txt.

Create a new schema ‘crowd’ having “Collation” “utf8-default collation”

Go to “schema privileges” view and give the “crowd” user all privileges under the “crowd” schema.

Skip Steps 1.4-5.

Add the EC2 security group to the DB Security group for the AWS MySQL instance.

Make a note of the database host name.  This should be a CNAME in GoDaddy, not direct connection to RDS e.g. syndb-prod.sagebase.org

Download mysql-connector-java-5.1.16.tar.gz and copy it to /usr/local

The installation of the driver comes after the installation of Crowd, below.

Download and Install Crowd

Download the file atlassian-crowd-2.2.7.tar.gz from Atlassian’s web site.

Upload to the EC-2               instance.

Note: I use Win SCP to transfer from my desktop to the EC-2               instance, with the following settings:

host name: 50.17.212.74 (i.e. the elastic IP address)

Port: 22

User name: ec2-user

Private key file: (file: ) PlatformKeyPairEast.ppk

File Protocol: SCP

See also

http://sagebionetworks.jira.com/wiki/display/PLFM/AWS+Info#AWSInfo-HowtoSSHtoanEC2Host

From /usr, “sudo chmod 777 local”

Copy the zip file to /usr/local on the EC-2           instance

The reference for the subsequent steps is here:

http://confluence.atlassian.com/display/CROWD/Installing+Crowd+and+CrowdID

gunzip atlassian-crowd-2.2.7.tar.gz
sudo tar -xvf atlassian-crowd-2.2.7.tar
sudo chmod -R 777 atlassian-crowd-2.2.7

edit /usr/local/atlassian-crowd-2.2.7/crowd-webapp/WEB-INF/classes/crowd-init.properties

Just uncomment the default:

crowd.home=/var/crowd-home

sudo mkdir /var/crowd-home

sudo chmod -R 777 /var/crowd-home

Now complete the installation of the MySQL Connector: 

In /usr/local:

gunzip mysql-connector-java-5.1.16.tar.gz

tar -xvf mysql-connector-java-5.1.16.tar

Copy

/usr/local/mysql-connector-java-5.1.16/mysql-connector-java-5.1.16-bin.jar

to

/usr/local/atlassian-crowd-2.2.7/apache-tomcat/lib/

Configure Crowd to work with SSL

The reference for these steps is here:http://confluence.atlassian.com/display/CROWD/Configuring+Crowd+to+Work+with+SSL

Edit the Connector element in the apache-tomcat/conf/server.xml file, adding this Connector tag (inside the “Service” tag):

            <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"

                        minSpareThreads="25" maxSpareThreads="75" enableLookups="false"

                        disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"

                        clientAuth="false" sslProtocol="TLS"

                        SSLEnabled="true"

                        keystoreFile="/usr/local/tomcat.keystore" keystorePass="changeit"
                        connectionTimeout="20000" useBodyEncodingForURI="true"/>  

Obtain Certificate

Either copy the file found at

/work/platform/PasswordsAndCredentials/crowdServerCertificate/tomcat.keystore

to

/usr/local/

or follow the instructions here for creating a new private key and set of certificates.

Edit apache-tomcat/bin/setenv.sh to:

JAVA_OPTS="-Xms128m -Xmx512m -XX:MaxPermSize=256m -Dfile.encoding=UTF-8 $JAVA_OPTS -Djavax.net.ssl.keyStore=/usr/local/tomcat.keystore -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=/usr/local/tomcat.keystore -Djavax.net.ssl.trustStorePassword=changeit"

export JAVA_OPTS

Complete Set-Up

In /usr/local/atlassian-crowd-2.2.7/

Run ./start_crowd.sh

In a web browser, go to

https://crowd.sagebase.org:8443/crowd/console

If all the steps were done correctly, the Crowd screen should appear, prompting for a license key.  You should NOT be warned that it is an untrusted site.  If so, there was a mistake in the certificate generation, signing, or installation on the Crowd server.

Follow the instructions to get an evaluation license.

“Select the type of database you would like to use with Crowd.:”  JDBC Connection

Database: MySQL

JDBC URL:  jdbc:mysql://syndb-prod.sagebase.org/crowd?autoReconnect=true&characterEncoding=utf8&useUnicode=true

Username:  crowd

Password:   The password for the database account is on our Unix system in   /work/platform/PasswordsAndCredentials/passwords.txt.

Otherwise accept the defaults.

Session timeout: 1440 (i.e. one day)

Notification email address: platform@sagebase.org

From email address: crowd-sage-production@sagebase.org

Mail server type: SMTP Server

SMTP Host: smtp.gmail.com

SMTP Port: 465

Username / Password:  Use 'synapse@sagebase.org'. The password for the (google) email account is on our Unix system in   /work/platform/PasswordsAndCredentials/passwords.txt.

Use SSL: *Check*

Internal Directory: Synapse

Accepted all other defaults.

Add 'platform@sagebase.org' as a ‘default administrator’.  Password should be the one under 'Crowd admin console' in the file /work/platform/PasswordsAndCredentials/passwords.txt.

Complete the installation wizard.  Crowd is now set up and you can log into the console.

Further Configuration

Log into the Crowd console.

Click on ‘Groups’ and create a group called ‘Administrators’.  This is the administrative group for Synapse.

Select Applications > Add application

Application type: Generic application

Name: platform

Description: Synapse authentication service

Password:  This password, kept on file, must match the one used by the Synapse authentication services.

Allow all users to authenticate: True

URL: https://prod-auth.elasticbeanstalk.com (To be updated with the production URL)

After completing the set-up wizard for the application, go to the “Remote Addresses” tab and add these subnets:
0.0.0.0/1
128.0.0.0/1
i.e. we 'disable' subnet restrictions.

For the non-prod instance of crowd, create all the integration test users:

• all use email address integration.test@sagebase.org
• all use the password "password"
• none should have administrator privileges
• the usernames are as follows:
  • devUser1
  • devUser2
  • bambooUser1
  • bambooUser2

Verify Set-Up

Open Crowd console.  Should see log in screen w/o getting any ‘untrusted site’ errors.

Select reset password option.  Should receive an email with reset password link.  Link should have server crowd.sagebase.org. Clicking on link should return to Crowd console, where password can be changed.

Log into Crowd using REST API:

Temporarily add your IP address or subnet to the ‘allowed’ list for the ‘platform’ application.  Execute the following request, replacing [password] with the application password for the platform app and [username] with your user name.

curl -u platform:[password] -H "Accept: application/xml" -H "Content-Type: application/xml" -v -k -d "<?xml version='1.0' encoding='UTF-8'?> <authentication-context> <username>[username]</username></authentication-context>" -X POST https://crowd.sagebase.org:8443/crowd/rest/usermanagement/latest/session?validate-password=false

Response should include a HTTP status of 201 and a session token

Restarting Crowd

If the server goes down:

To check if Crowd is up, in web browser go to the appropriate URL as defined above. 
You should see Crowd log-in page.  If not then ssh in to xxx-crowd.sagebase.org as ec2-user, using the standard key for 'platform' owned ec2 instances, PlatformKeyPairEast

At the unix prompt:

      ps -efwww | grep java

Should show one java process, if not
      cd /usr/local/atlassian-crowd-2.2.7/

     ./start_crowd.sh

Now verify that the log-in page appears in your web browser.

If crowd is running and you feel the need to 'bounce' the server, make sure to stop crowd before running "start_crowd.sh".  To do this, run

    ./stop_crowd.sh

from /usr/local/atlasssian-crowd-2.2.7/.  Use the aforementioned "ps -ef..." command to make sure no Crowd java process is running.  If necessary, 'kill' lingering instances before running "start_crowd.sh".  It's important not to have multiple instances of the java process runnning.