CMDBuild is an awesome tool to keep track of your assets. Tecnoteca also has a preconfigured version called READY2USE, which adheres to the ITIL specification, but this manual only covers CMDBuild, where you can set up your own assets and relations.
This manual is for Debian 9, but CMDBuild works on other distributions as well.
Preparing
- Install Debian 9
- Install required packages
sudo apt install sudo vim unzip screen tomcat8 tomcat8-admin postgresql postgresql-9.6-postgis-scripts openjdk-8-jre
PostgreSQL setup
Set a password for user postgres.
sudo su postgres
psql
alter user postgres with password 'yourpassword';
Test logon.
psql -U postgres -W -h 127.0.0.1
Tomcat setup with certificates
Increase memory for Tomcat by editing /usr/share/tomcat8/bin/setenv.sh
export CATALINA_OPTS="$CATALINA_OPTS -Xms128m"
export CATALINA_OPTS="$CATALINA_OPTS -Xmx768m"
# Append here as well; a plain assignment would discard the heap settings above
export CATALINA_OPTS="$CATALINA_OPTS -server"
Enable access to Manager GUI and Admin GUI in Tomcat by editing /etc/tomcat8/tomcat-users.xml. Set your own password, obviously.
<role rolename="manager-gui"/>
<user username="admin" password="yourpassword" roles="manager-gui,admin-gui"/>
Restart Tomcat with sudo systemctl restart tomcat8.service. Manager GUI should be available at http://hostname:8080/manager/html. Replace with your hostname, obviously.
Download the CMDBuild WAR file and copy it as cmdbuild.war to /var/lib/tomcat8/webapps. Tomcat should extract CMDBuild in this folder if it is running.
OPTIONAL: Generate a certificate for the server/website and copy it to /etc/ssl/private/. Generating a certificate is not covered here. We use Active Directory, so I also had to install the CA certificate from Active Directory:
sudo mkdir /usr/local/share/ca-certificates/extra
sudo cp /tmp/Domain-RootCA.crt /usr/local/share/ca-certificates/extra
sudo update-ca-certificates
OPTIONAL: Change the connector in /var/lib/tomcat8/conf/server.xml to use port 80 and 443.
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           enableLookups="false"
           redirectPort="443" />
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/etc/ssl/private/yourcertificate.pfx"
           keystorePass="yourpassword"
           clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2">
</Connector>
Then you can set up a redirect to HTTPS in /var/lib/tomcat8/conf/web.xml.
(...)
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Redirect to HTTPS</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>
You have to enable Tomcat to use port numbers below 1024. First set AUTHBIND=yes in /etc/default/tomcat8. Then run these commands.
sudo touch /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
sudo chown tomcat8 /etc/authbind/byport/80
sudo chown tomcat8 /etc/authbind/byport/443
sudo chmod 500 /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/443
Reboot the server. CMDBuild and Manager GUI should now be available at https://hostname/cmdbuild and https://hostname/manager/html.
Alfresco setup
This is optional. If you don’t need attachments in CMDBuild, you can skip this part.
Create a database for Alfresco.
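-- The alfresco role must exist before the grant; use the same password in the installer below
create user alfresco with password 'yourpassword';
create database alfresco;
grant all privileges on database alfresco to alfresco;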
Create a Linux user for alfresco.
adduser alfresco
Download Alfresco Community Edition and run the installer.
$ ./alfresco-community-installer-201707-linux-x64.bin --mode text
Language Selection
Please select the installation language
[1] English - English
[2] French - Français
[3] Spanish - Español
[4] Italian - Italiano
[5] German - Deutsch
[6] Japanese - 日本語
[7] Dutch - Nederlands
[8] Russian - Русский
[9] Simplified Chinese - 简体中文
[10] Norwegian - Norsk bokmål
[11] Brazilian Portuguese - Português Brasileiro
Please choose an option [1] :
----------
Welcome to the Alfresco Community Setup Wizard.
----------
Installation Type
[1] Easy - Install using the default configuration.
[2] Advanced - Configure server ports and service properties.: Choose optional components to install.
Please choose an option [1] : 2
----------
Select the components you want to install; clear the components you do not want to install. Click Next when you are ready to continue.
Java [Y/n] :
PostgreSQL [Y/n] :n
LibreOffice [Y/n] :
Alfresco Community : Y (Cannot be edited)
Solr1 [y/N] :
Solr4 [Y/n] :
Alfresco Office Services [Y/n] :n
Web Quick Start [y/N] :
Google Docs Integration [Y/n] :n
Is the selection above correct? [Y/n]: Y
----------
Installation Folder
Choose a folder to install Alfresco Community.
Select a folder: [/home/alfresco/alfresco-community]:
----------
Database Configuration
JDBC URL: [jdbc:postgresql://localhost/alfresco]: jdbc:postgresql://localhost:5432/alfresco
JDBC Driver: [org.postgresql.Driver]:
Database name: [alfresco]:
Username: []: alfresco
Password: : yourpassword
Verify: : yourpassword
----------
Tomcat Port Configuration
Enter your Tomcat configuration parameters.
Web Server Domain: [127.0.0.1]:
Tomcat Server Port: [8080]: 8081
Tomcat Shutdown Port: [8005]: 8006
Tomcat SSL Port: [8443]: 8444
Tomcat AJP Port: [8009]: 8010
----------
LibreOffice Server Port
Enter the port that the LibreOffice Server will listen to.
LibreOffice Server Port: [8100]:
----------
FTP Port
Choose a port number for the integrated FTP server.
Port: [2121]:
----------
Admin Password
Specify a password for the Alfresco Content Services administrator account.
Admin Password: :
Repeat Password: :
----------
Setup is now ready to begin installing Alfresco Community on your computer.
Do you want to continue? [Y/n]: Y
----------
Please wait while Setup installs Alfresco Community on your computer.
Installing
0% __ 50% __ 100%
#########################################
Warning: Problem creating uninstaller. Installation may have not completed correctly.
Press [Enter] to continue:
----------
Setup has finished installing Alfresco Community on your computer.
View Readme File [Y/n]: n
Launch Alfresco Community [Y/n]:
Using CATALINA_BASE: /home/alfresco/alfresco-community/tomcat
Using CATALINA_HOME: /home/alfresco/alfresco-community/tomcat
Using CATALINA_TMPDIR: /home/alfresco/alfresco-community/tomcat/temp
Using JRE_HOME: /home/alfresco/alfresco-community/java
Using CLASSPATH: /home/alfresco/alfresco-community/tomcat/bin/bootstrap.jar:/home/alfresco/alfresco-community/tomcat/bin/tomcat-juli.jar
Using CATALINA_PID: /home/alfresco/alfresco-community/tomcat/temp/catalina.pid
Tomcat started.
/home/alfresco/alfresco-community/tomcat/scripts/ctl.sh : tomcat started
You need to set up a certificate for Alfresco as well. Make sure the alfresco user has read permission on the certificate. The easiest way is probably to add alfresco to the group ssl-cert and make sure that group has read permission.
$ ls -l /etc/ssl/private/
total 12
-rwxr-x--- 1 root ssl-cert 5953 Sep 13 11:47 yourcertificate.pfx
-rw-r----- 1 root ssl-cert 1704 Jun 7 13:34 ssl-cert-snakeoil.key
$
Now change connector settings to use this certificate.
<Connector port="8444" URIEncoding="UTF-8"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" maxThreads="150" scheme="https"
           keystoreFile="/etc/ssl/private/yourcertificate.pfx"
           keystorePass="yourpassword"
           secure="true" connectionTimeout="240000" clientAuth="false"
           sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"
           maxHttpHeaderSize="32768" maxSavePostSize="-1" />
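Tomcat does not reject a connector attribute it does not recognise; it logs a warning and carries on, so a misspelled sslEnabledProtocols leaves the protocol list at Tomcat's default. The check below is an added example, not part of the original guide: it reads a server.xml on stdin and reports, for each SSL-enabled connector, attribute names outside a known list and enabled protocols other than TLSv1.2/TLSv1.3. The KNOWN list, the function names and the sample input are assumptions constructed for this example.

```shell
# Added example, not from the original guide. KNOWN holds only the attribute
# names this guide's two connectors use, spelled correctly (an assumption of
# this check; extend it for other attributes you rely on).
KNOWN=" port protocol connectionTimeout URIEncoding enableLookups redirectPort \
maxThreads SSLEnabled scheme secure keystoreFile keystorePass clientAuth \
sslProtocol sslEnabledProtocols maxHttpHeaderSize maxSavePostSize "

# attr NAME ELEMENT: print the value of the exactly spelled attribute NAME.
attr() {
    printf '%s\n' "$2" | sed -n 's/.*[[:space:]]'"$1"'="\([^"]*\)".*/\1/p'
}

# audit_connectors: reads server.xml on stdin and prints one finding per line
# for each connector with SSLEnabled="true".
audit_connectors() (
    # Join lines first so a connector spread over several lines is one match.
    tr '\n' ' ' | grep -o '<Connector[^>]*>' | while read -r conn; do
        case $conn in *'SSLEnabled="true"'*) ;; *) continue ;; esac
        port=$(attr port "$conn")
        # Names are case-sensitive; report every name that is not in KNOWN.
        for name in $(printf '%s\n' "$conn" |
            grep -oE '[[:space:]][[:alnum:]]+="' | sed 's/[[:space:]="]//g'); do
            case $KNOWN in *" $name "*) ;; *) echo "port $port: unknown attribute $name" ;; esac
        done
        protos=$(attr sslEnabledProtocols "$conn")
        if [ -z "$protos" ]; then
            echo "port $port: sslEnabledProtocols not set"
            continue
        fi
        for p in $(printf '%s\n' "$protos" | tr ',' ' '); do
            case $p in TLSv1.2|TLSv1.3) ;; *) echo "port $port: legacy protocol $p enabled" ;; esac
        done
    done
)

# Constructed sample input, not a real server's configuration.
sample_server_xml() {
    cat <<'EOF'
<Connector port="80" protocol="HTTP/1.1" redirectPort="443" />
<Connector port="443" SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" />
<Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLSv1.2" sslEnableProtocols="TLSv1.2" />
<Connector port="9443" SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.2" />
EOF
}

sample_server_xml | audit_connectors
```

To check a real file, run `audit_connectors < /var/lib/tomcat8/conf/server.xml`; a connector whose attribute values contain `>` is outside what this simple matcher handles.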
NOTE: I get some SOLR certificate errors in catalina.out, but I haven’t found out how to fix it yet. I will update this post when I have a complete solution for Alfresco setup. You also have to create a share in Alfresco and configure that in CMDBuild. None of that is covered here yet.
LDAP/Active Directory setup
NOTE: It might be better to use this approach: https://forum.cmdbuild.org/t/ldap-cmdbuild-3-1/3415
Use restws to set up logins from Active Directory (this is stored in the _SystemConfig table).
cd /var/lib/tomcat8/webapps/cmdbuild/
./cmdbuild.sh restws setconfig org.cmdbuild.auth.ldap.basedn "dc=example,dc=com" -username admin -password <password>
./cmdbuild.sh restws setconfig org.cmdbuild.auth.ldap.use.ssl false -username admin -password <password>
./cmdbuild.sh restws setconfig org.cmdbuild.auth.ldap.server.port 389 -username admin -password <password>
./cmdbuild.sh restws setconfig org.cmdbuild.auth.ldap.search.filter "(&(ObjectClass=person)(memberOf:1.2.840.113556.1.4.1941:=cn=CMDBuild-Users,ou=Groups,ou=HR,ou=Customers,dc=example,dc=com))" -username admin -password <password>
./cmdbuild.sh restws setconfig org.cmdbuild.auth.ldap.bind.attribute sAMAccountName -username admin -password <password>
./cmdbuild.sh restws setconfig org.cmdbuild.auth.ldap.server.address dc.example.com -username admin -password <password>
./cmdbuild.sh restws setconfig org.cmdbuild.auth.ldap.search.auth.method simple -username admin -password <password>
./cmdbuild.sh restws setconfig org.cmdbuild.auth.ldap.search.auth.password <adpassword> -username admin -password <password>
./cmdbuild.sh restws setconfig org.cmdbuild.auth.ldap.search.auth.principal "cn=service-cmdbuild,ou=Service Users,dc=example,dc=com" -username admin -password <password>
./cmdbuild.sh restws setconfig org.cmdbuild.auth.methods "LdapAuthenticator,DBAuthenticator" -username admin -password <password>
Replace the passwords and the Active Directory paths with your own values. As configured here (use.ssl false, port 389, simple bind), the bind credentials cross the network to the domain controller unencrypted.
Restart Tomcat
sudo systemctl restart tomcat8.service
You should now be able to set up AD-users in CMDBuild. NOTE: You have to create the users in CMDBuild first with the same username as in Active Directory and set a fallback password.
Other settings
You might want to turn on Tecnoteca River (workflow engine) in CMDBuild Administrator.