Introduction
This guide details the process for configuring the Direct Certificate Discovery Tool (DCDT, or the Tool).
Requirements
The following ports must be available for binding of services:
| Ports | Service |
|---|---|
| 25 (TCP) | Mail |
| 53 (UDP and TCP) | DNS |
| 10080 (TCP) | HTTP |
| 10389, 11389, 12389 (TCP) | LDAP |
Stop the Tomcat 7 service by running:

```sh
sudo service tomcat7 stop
```
Append the following lines to the file /etc/default/tomcat7:

```sh
JAVA_HOME="/usr/lib/jvm/java-8-oracle"
JAVA_OPTS="-Djava.awt.headless=true -Xms1024m -Xmx1536m -XX:+UseG1GC -XX:MaxGCPauseMillis=50"
ulimit -n 8192
```
If the file /usr/share/tomcat7/bin/setenv.sh does not exist, create it by running:

```sh
sudo touch /usr/share/tomcat7/bin/setenv.sh
```
Append the following lines to the file /usr/share/tomcat7/bin/setenv.sh, replacing the two placeholders with the DCDT data directory and the admin console password:

```sh
JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true"
CATALINA_OPTS="$CATALINA_OPTS -XX:MetaspaceSize=512m -XX:MaxMetaspaceSize=768m"
CATALINA_OPTS="$CATALINA_OPTS -Ddcdt.data.dir=<path to data directory> -Ddcdt.web.user.admin.secret=<admin console admin user password>"
```

Note that a value passed as a -D system property, including this admin password, appears in the JVM's command line and is therefore readable by any local user (for example in `ps` output); restrict read access to setenv.sh and treat the host accordingly.
Then, run the following command so that the Tomcat user will be able to create and write data in the specified directory:

```sh
sudo chown -R tomcat7:tomcat7 "$(dirname "<path to data directory>")"
```
Start the Tomcat 7 service by running:

```sh
sudo service tomcat7 start
```
If you are installing DCDT on Ubuntu, authbind is required to allow the Tomcat user to bind to privileged ports (port numbers 0-1023): the DCDT DNS service must bind to port 53 and the mail service to port 25. Authbind may already be installed on your version of Ubuntu; its configuration lives in /etc/authbind. If it is not already installed, run:

```sh
sudo apt-get install authbind
```
To enable authbind so that Tomcat can bind to privileged ports, change the default setting AUTHBIND=no to AUTHBIND=yes in /etc/default/tomcat7.
Since authbind requires the use of IPv4, add the following to /etc/sysctl.conf:

```ini
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
```
Reinitialize sysctl by running the following:
Restart the Tomcat service by running:

```sh
sudo service tomcat7 restart
```
Verify that Tomcat can access the privileged ports. The user ID of the Tomcat user can be found in /etc/passwd. A file named after that user ID (e.g. 106) should exist in /etc/authbind/byuid/ and contain the following entry:
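The requirements above (the ports in the table being free, AUTHBIND=yes in /etc/default/tomcat7, a /etc/authbind/byuid/<uid> file for the Tomcat user, and the three disable_ipv6 keys in /etc/sysctl.conf) can be checked before starting Tomcat. The preflight script below is an added example, not part of this guide or of DCDT; it reads the socket tables from /proc/net (state 0A is a TCP listener, 07 a bound UDP socket) and takes every file it inspects as an argument so it can also be run against copies. It does not verify the content of the byuid file, only that it exists.

```shell
#!/bin/sh
# Preflight checks for the DCDT host requirements: listed ports free, authbind
# enabled for the Tomcat user, IPv6 disabled in sysctl.conf. Added example.

# port_in_use PROTO PORT [TABLE]: parse a /proc/net/tcp or /proc/net/udp table.
# Column 2 is the local address as HEXIP:HEXPORT, column 4 the socket state:
# 0A is TCP LISTEN, 07 is a bound (unconnected) UDP socket.
port_in_use() {
  proto=$1; port=$2; table=${3:-/proc/net/$proto}
  if [ "$proto" = tcp ]; then state=0A; else state=07; fi
  hexport=$(printf '%04X' "$port")
  awk -v p="$hexport" -v s="$state" 'NR > 1 {
      split($2, a, ":")
      if (toupper(a[2]) == p && toupper($4) == s) found = 1
    }
    END { exit found ? 0 : 1 }' "$table"
}

# dcdt_ports_free [PROC_NET_DIR]: check every port from the requirements table.
dcdt_ports_free() {
  dir=${1:-/proc/net}; busy=""
  for spec in tcp:25 udp:53 tcp:53 tcp:10080 tcp:10389 tcp:11389 tcp:12389; do
    proto=${spec%%:*}; port=${spec#*:}
    if port_in_use "$proto" "$port" "$dir/$proto"; then busy="$busy $spec"; fi
  done
  [ -z "$busy" ] || { echo "already bound:$busy" >&2; return 1; }
}

# authbind_ready DEFAULTS_FILE PASSWD_FILE AUTHBIND_DIR USER: AUTHBIND=yes is set
# and AUTHBIND_DIR/byuid/<uid> exists and is non-empty for the Tomcat user.
authbind_ready() {
  grep -Eq '^AUTHBIND=yes' "$1" || { echo "AUTHBIND is not yes in $1" >&2; return 1; }
  uid=$(awk -F: -v u="$4" '$1 == u { print $3 }' "$2")
  [ -n "$uid" ] || { echo "user $4 not in $2" >&2; return 1; }
  [ -s "$3/byuid/$uid" ] || { echo "missing $3/byuid/$uid" >&2; return 1; }
}

# ipv6_disabled_in SYSCTL_CONF: all three disable_ipv6 keys are set to 1.
ipv6_disabled_in() {
  for k in all default lo; do
    grep -Eq "^net\.ipv6\.conf\.$k\.disable_ipv6[[:space:]]*=[[:space:]]*1" "$1" || return 1
  done
}

# Live-system run (uncomment on the DCDT host):
# dcdt_ports_free && authbind_ready /etc/default/tomcat7 /etc/passwd /etc/authbind tomcat7 \
#   && ipv6_disabled_in /etc/sysctl.conf && echo "DCDT preflight OK"
```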