Versions Compared

Old Version 7

changes.mady.by.user Nigel Banks

Saved on

compared with

New Version Current

changes.mady.by.user Nigel Banks

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

Table of Contents

Fedora, along with Drupal, is one of the core technologies behind Islandora. This chapter will cover the basic steps for installing Fedora - for more information, please see the FedoraCommons documentation.

Fedora is available under the terms of the Apache License and has a very active open source community producing additional tools, applications and utilities. Islandora currently uses Fedora version 3.5.

Pre-installation Software Checklist

Fedora requires the following to be set-up and running prior to beginning your installation:

  • Java SE Development Kit (JDK) 6
  • A database: Installed for Drupal. Consult the Fedora installation guide for notes on running other databases.
  • An application server: Fedora includes the Tomcat Application Server. Consult the Fedora installation guide for notes on running other application servers.

Installation Steps

1. Download the latest release of Fedora from Fedora Commons (3.5 is the latest tested for use with Islandora).

2. Read through the online guide to ensure the pre-installation system pre-requisites are met.

3. Prepare your local environment variables by modifying the .bash_profile or .profile file in the home directory of the fedora user.

 Fedora will need to be given variables to find the main fedora directory, the main tomcat directory, and the location of your Java installation (JDK 6).


The following example assumes Java is installed in /opt/java and Fedora is installed in /usr/local/fedora:

Code Block
PATH=/opt/java/bin:$PATH:$HOME/bin
export FEDORA_HOME=/usr/local/fedora
export CATALINA_HOME=/usr/local/fedora/tomcat
export JAVA_OPTS="-Xms1024m -Xmx1024m -XX:MaxPermSize=128m -Djavax.net.ssl.trustStore=/usr/local/fedora/server/truststore
-Djavax.net.ssl.trustStorePassword=tomcat"
export JAVA_HOME=/opt/java

4. Before beginning your Fedora installation, create a database for Fedora to use. This is not the same database that you used for your Drupal installation.

5. To start the installer, navigate to the directory where the install file (fcrepo-installer-3.5.jar) was downloaded and run the following command:

Code Block
java -jar fcrepo-installer-3.5.jar

6. Select the CUSTOM INSTALL.

Note

It is important to select the Custom Install as it will enable the resource index by default, which is the backbone of Islandora's collection views and other functionality.

7. The Fedora installer script will ask you a series of questions:

Expand
titleCustom Install details:

(Source: Installation and Configuration Guide - Fedora 3.5 Documentation)

Servlet Container

The installer will automatically configure and deploy to Tomcat 6.0.x and 7.0.x servlet containers. However, if an existing Tomcat installation (as opposed to the Tomcat bundled with the installer) was selected, the installer will not overwrite your existing server.xml, but rather, place a modified copy at FEDORA_HOME/install so that you may review it before before installing it yourself.

Other servlet containers will require manual deployment of the war files located at FEDORA_HOME/install.

Application Server Context

The installer provides the option to enter an application server context name under which Fedora will be deployed. The context name defaults to Fedora (resulting in http[s]://host:port/fedora), however any other valid context name can be supplied. The installer will name the resulting war file according to the supplied context name (defaults to fedora.war). Please ensure that the servlet container configuration reflects the name of the Fedora context name in case it needs to be configured explicitly. For further details see Alternative Webapp Context Configuration.

SSL

Configuring SSL support for Fedora's API-M interface is an optional feature. It strongly recommended for production environments if Fedora is exposed to unsecured application and users. However, if your installation is within a managed data center with firewall services, you may choose to provide SSL using a software or hardware front-end instead. For example, a reverse proxy implemented using the Apache HTTP Server and hiding Fedora generally provides better SSL performance.

If the Tomcat servlet container is selected, the installer will configure server.xml for you. However, as noted above, if an existing Tomcat installation was selected, the installer will not overwrite your existing server.xml.

Please consult your servlet container's documentation for certificate generation and installation. (In particular, the example certificate provided by the installer for Tomcat should not be used in a production environment).

If Fedora is configured to use SSL, the JAVA_OPTS environment variable must include the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties. The value of javax.net.ssl.trustStore should be the location of the truststore file and the value of javax.net.ssl.trustStorePassword is the password for the keystore. The following values may be used with the sample keystore included with the installer:

Code Block
-Djavax.net.ssl.trustStore=$FEDORA_HOME/server/truststore -Djavax.net.ssl.trustStorePassword=tomcat

FeSL

The Fedora Security Layer is an experimental feature introduced from Fedora 3.3. FeSL consists of two separate components, which can be selected independently during the installation: FeSL Authentication and FeSL Authorisation.

FeSL Authentication is now the default authentication mechanism, however Fesl Authorization is still considered experimental. FeSL Authorization is a replacement for the legacy XACML policy enforcement, so you should not enable XACML policy enforcement if you are going to use FeSL Authorization, as this will provide an alternative XACML policy enforcement engine. See FeSL Installation for more information about FeSL requirements that must be satisfied prior to installation.

Resource Index

If the Resource Index is enabled, Fedora will use Mulgara as its underlying triplestore, with full-text indexing disabled.

Messaging
If Messaging is enabled, Fedora will create and send a message via JMS whenever an API-M method is called.

Once the script has collected your answers and configured Fedora on your system, the values are written to the install.properties file located in $FEDORA_HOME/install.

An output of a sample install.properties file is included here to guide you through the installation.  To use this file, copy the full contents of the textbox below into a text editor, and where applicable change the database name, database user, database password and database port number, and server host to match your database configuration (these items are noted in square brackets), and save the edited file as install.properties to the same directory where the fcrepo jar is stored.  Fedora can now be installed by entering 

Code Block
java -jar fcrepo-installer-3.5.jar install.properties

An example of an install.properties file (specific to an OSX environment): 
 

Code Block
Installation type - custom
home directory - /usr/local/fedora
Password - [fedora_password]
server host - localhost [could be a domain name etc depending on your environment]
app server context - default
API-A - default false
ssl avail - true
ssl required for api-a - default false
ssl required for api-m - false
servlet included - default included
tomcat home -default
tomcat http port - 8080 default
tomcat shutdown - 8005 default
tomcat ssl - 8443 default
keystore file - included
databse - mysql
mysql driver - default
database username - [fedora_database_user]
database password - [password]
jdbc url - default
jdbc class- default
Enable FESL authn - true
Enable FESL authz - false
policy enforcement - true
low level storage - default akubra-fs
resource index - true
messaging - true
messaging provider - default
deploy local services - true

8. Once the installation script has completed and Fedora is installed, you should start your Fedora instance by running:

Code Block
$FEDORA_HOME/tomcat/bin/startup.sh

9. To verify that Fedora has successfully started:

 a. $FEDORA_HOME/tomcat/logs/catalina.out should contain no errors.
 b. View your Fedora instance through a web browser: http://localhost:8080/fedora/ or http://[yourdomain]:8443/fedora

Set XACML Policies

10. Install required polices, remove some restrictive policies.

First stop your Fedora instance by running:$FEDORA_HOME/tomcat/bin/shutdown.sh

Remove they deny-purge policies.

rm /usr/local/fedora/data/fedora-xacml-policies/repository-policies/default/deny-purge-*

Create a folder for islandora specific policies.

cd /usr/local/fedora/data/fedora-xacml-policies/repository-policies/

mkdir islandora

Then copy all the policies included with islandora into the newly created "islandora" folder located here "/usr/local/fedora/data/fedora-xacml-policies/repository-policies/"

These policies will be located in the policies folder of the islandora module, hereThere should be at least these 4 policies:

permit-apim-to-authenticated-user.xml

permit-getDatastream-unrestricted.xml

permit-getDatastreamHistory-unrestricted.xml

permit-upload-to-authenticated-user.xml

 

11. Navigate to $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/deny-apim-if-not-localhost.xml
 
Go to where you see <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
 
insert additional entries below for IPs that need to access fedora admin example your own machine or other admins. Also might want to add the systems actual IP Example:
 

Code Block
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">192.168.56.1</AttributeValue>

12. Restart Fedora by using the startup command from step 8:

Code Block
$FEDORA_HOME/tomcat/bin/startup.sh

13. Access the Fedora Web Administrator: http://localhost:8080/fedora/admin and ensure you can ingest and purge objects.

14. For information on using Fedora, make use of the tutorials at the Fedora Commons site.

Note

There are two global policies that block/override purge rights. This behaviour is correct as it assumes that items will be set to a status of "deleted" rather than being purged directly. By default it assumes that if an object or Datastream is set to active or inactive, then only the "administrator" role can purge.

To resolve this, you can simply remove these policies in $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/:

  • deny-purge-datastream-if-active-or-inactive.xml 
  • deny-purge-object-if-active-or-inactive.xml