Production Set Up Guide¶

MySQL
Web Server (Apache + mod_wsgi)
NO CAPTCHA reCAPTCHA
Email Configuration

This section covers how to set up the IdM for production, covering topics like email sending, No CAPTCHA reCAPTCHA support or how to serve static and media files. Some topics, for example HTTPS, are beyond the scope of this documentation and only some pointers to related documentation are provided as a starting point.

Make sure to also check the documentation for the respective parts of the IdM for more in-depth information of the components.

Back-end ging/keystone
Front-end ging/horizon

MySQL ¶

If you have installed the IdM using the automated tools the back-end (Keystone) will be configured to use a SQLite database. This is NOT recommended for production, we strongly advise to switch to a production-ready SQL database. This guide covers how to configure MySQL but any other database compatible with SQLAlchemy would probably work too.

Install MySQL ¶

sudo apt-get install mysql-server

Configure Keystone ¶

Edit keystone/etc/keystone/keystone.conf and change the [database] section.

[database]
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystone:KEYSTONE_DBPASS@MYSQL_ADDRESS/keystone

Use the password that you set previously to log in as root. Create a keystone database user:

# mysql -u root -p
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';

Populate Database ¶

You need to create the database tables and populate them.

$ sudo tools/with_venv.sh bin/keystone-manage -v db_sync
$ sudo tools/with_venv.sh bin/keystone-manage -v db_sync --extension=oauth2
$ sudo tools/with_venv.sh bin/keystone-manage -v db_sync --extension=roles
$ sudo tools/with_venv.sh bin/keystone-manage -v db_sync --extension=user_registration
$ sudo tools/with_venv.sh bin/keystone-manage -v db_sync --extension=two_factor_auth
$ sudo tools/with_venv.sh bin/keystone-manage -v db_sync --extension=endpoint_filter
$ sudo tools/with_venv.sh bin/keystone-manage -v db_sync --populate

You can find aditional help for setting up Keystone + MySQL here.

Web Server (Apache + mod_wsgi)¶

The web server used by the tools is a development server that should NOT be used for a production setting. There are several servers and configurations to serve a Django (Python) web application but only Apache + mod_wsgi will be covered here. Take a look at the oficial Django documentation for other options available and further information on this topic.

Install apache and mod_wsgi ¶

sudo apt-get install apache2 libapache2-mod-wsgi

Configure Apache ¶

The details on how to correctly configure Apache or set up HTTPS are beyond the scope this document, check the Django documentation and Apache HTTPS documentation for a starting point. Make sure that the following elements are present: (take special care with the venv)

WSGIPassAuthorization On
WSGIScriptAlias / [PATH_TO_HORIZON]/horizon/openstack_dashboard/wsgi/django.wsgi
WSGIPythonPath [PATH_TO_HORIZON]/horizon/openstack_dashboard:[PATH_TO_HORIZON]/horizon/.venv/lib/python2.7/site-packages

If you want to serve your static and media files from Apache itself, also make sure to create the Alias

Alias /media/ /root/horizon/media/
Alias /static/ /root/horizon/static/
Alias /assets/ /root/horizon/static/fiware/
<Directory [PATH_TO_HORIZON]/horizon/static>
  Require all granted
</Directory>
<Directory [PATH_TO_HORIZON]/horizon/media>
  Require all granted
</Directory>

As reference, here you can see a full Apache configuration file using HTTPS

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName  foo
    ServerAdmin bar

    WSGIScriptAlias / /home/someone/horizon/openstack_dashboard/wsgi/django.wsgi

    <Directory /home/someone/horizon/openstack_dashboard/wsgi>
      Order allow,deny
      Allow from all
    </Directory>

    Alias /media/ /home/someone/horizon/media/
    Alias /static/dashboard/fonts /home/someone/horizon/openstack_dashboard/static/dashboard/fonts
    Alias /static/dashboard/img /home/someone/horizon/openstack_dashboard/static/dashboard/img
    Alias /static/dashboard/css /home/someone/horizon/static/dashboard/css
    Alias /static/dashboard/js /home/someone/horizon/static/dashboard/js

    <Directory /path/to/foo/static>
     Require all granted
    </Directory>

    <Directory /path/to/foo/media>
     Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug

    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    SSLCertificateFile    /etc/ssl/private/someplace.org/somecert.crt
    SSLCertificateKeyFile /etc/ssl/private/someplace.org/*.somepem.pem
    SSLCertificateChainFile    /etc/ssl/private/someplace.org/chain.crt

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>

#rdeirection to the secure version
<VirtualHost 0.0.0.0:80>
    ServerName foo2
    Redirect permanent / foo
</VirtualHost>

Collect Static Assets ¶

Now, go to the folder you have installed Horizon and run

sudo tools/with_venv.sh python manage.py collectstatic
sudo tools/with_venv.sh python manage.py compress --force

Edit the local_settings.py file and set

DEBUG = False
ALLOWED_HOSTS = [
    'your.domain.com',
    'another.domain.es'
]
SECRET_KEY = 'arandomstringhere' # DON'T LEAVE THIS SAMPLE STRING

Warning

Please set your SECRET_KEY. A known SECRET_KEY is a huge security vulnerability.

More information here

NO CAPTCHA reCAPTCHA ¶

Warning

Don’t deploy KeyRock in a public domain with CAPTCHA disabled.

Get your keys here. More documentation in the captcha package repository.

USE_CAPTCHA = False
NORECAPTCHA_SITE_KEY   = '6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI'
NORECAPTCHA_SECRET_KEY = '6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe'

Email Configuration ¶

The IdM can’t send emails by itself, you must set up a SMTP server to send it. This section covers how to set up a mail server using POSTFIX and connect the front-end to it. Further information can be found in the Django documentation.

Install and configure POSTFIX, Ubuntu guide.

sudo apt-get install postfix

Go to the folder where you have installed the front-end and edit local_settings.py

EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'

This will get the settings from the default SMTP server in your host (it should be POSTFIX after installing it) If you are not running POSTFIX in the same host or want to use a different configuration, make use of the following settings

# Configure these for your outgoing email host
EMAIL_HOST = 'smtp.my-company.com'
EMAIL_PORT = 25
EMAIL_HOST_USER = 'djangomail'
EMAIL_HOST_PASSWORD = 'top-secret!'
EMAIL_URL = 'your-webstie-domain.com'
DEFAULT_FROM_EMAIL = 'your-no-reply-address'
EMAIL_SUBJECT_PREFIX = '[Prefix for emails subject]'