Bare-metal

Linux Ubuntu or Debian

Overview

The Trust1Validation can be deployed on a Tomcat 9 server. Below you will find instructions on how you can deploy the Trust1Validation on a bare metal installation.

The utilities service is a Play application that can be deployed on the same server.

The OS used to validate this deployment method is Ubuntu 22.04 LTS.

Trust1Validation Service

Installing Java

Tomcat 9 requires Java SE 8 or later. We’ll set up OpenJDK 11.

Run the following commands with sudo privileges. We will update the package index first and then install OpenJDK 11:

sudo apt update
sudo apt install openjdk-11-jdk

As soon as the installation is done, confirm it by checking with the following command:

java -version

The output should be similar to this:

openjdk version "11.0.7" 2020-04-14
OpenJDK Runtime Environment (build 11.0.7+10-post-Ubuntu-3ubuntu1)
OpenJDK 64-Bit Server VM (build 11.0.7+10-post-Ubuntu-3ubuntu1, mixed mode, sharing)

System user

Running Tomcat as the root user is considered unsafe practice. We’ll create a new system user and group with home directory /opt/tomcat that will run the Tomcat service. To create this user, run the following command:

sudo useradd -m -U -d /opt/tomcat -s /bin/false tomcat

Downloading and installing Tomcat

You can retrieve the Tomcat binaries from their downloads page.

We need the core package.

We will use wget to download the binaries. We set the version as a variable since we will need it later on:

VERSION=9.0.88
wget https://dlcdn.apache.org/tomcat/tomcat-9/v${VERSION}/bin/apache-tomcat-${VERSION}.tar.gz -P /tmp
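
Before unpacking, the archive can be checked against the SHA-512 that Apache publishes beside each release file, and its member paths can be checked to sit under the expected top-level directory, since the extraction step below runs as root. This is an added example, not part of the original instructions; the function names are hypothetical.

```shell
# Added example: check a downloaded release archive before `sudo tar -xf`.

# verify_sha512 ARCHIVE SUMFILE
# True only if ARCHIVE hashes to the first field of SUMFILE
# (handles both "HASH *name" and "HASH  name" layouts).
verify_sha512() {
    vs_expected=$(awk 'NR == 1 { print tolower($1) }' "$2") || return 2
    vs_actual=$(sha512sum "$1" | awk '{ print $1 }')
    case "$vs_expected" in
        ""|*[!0-9a-f]*) return 2 ;;            # not a hex digest at all
    esac
    [ "${#vs_expected}" -eq 128 ] || return 2  # SHA-512 is 128 hex characters
    [ "$vs_expected" = "$vs_actual" ]
}

# archive_is_contained ARCHIVE TOPDIR
# True only if every member lives under TOPDIR/ and no path has a ".."
# component, so extraction with -C cannot write outside the target.
archive_is_contained() {
    tar -tf "$1" 2>/dev/null | awk -v top="$2" '
        { n++ }
        $0 != top && index($0, top "/") != 1 { bad = 1 }
        ("/" $0 "/") ~ /\/\.\.\// { bad = 1 }
        END { if (bad || n == 0) exit 1 }'
}

# Usage with the variables from this page (the checksum sits next to the
# release file on downloads.apache.org as "<file>.sha512"):
#   wget https://downloads.apache.org/tomcat/tomcat-9/v${VERSION}/bin/apache-tomcat-${VERSION}.tar.gz.sha512 -P /tmp
#   verify_sha512 /tmp/apache-tomcat-${VERSION}.tar.gz /tmp/apache-tomcat-${VERSION}.tar.gz.sha512 &&
#   archive_is_contained /tmp/apache-tomcat-${VERSION}.tar.gz apache-tomcat-${VERSION} &&
#   echo "archive OK"
```

Only continue with the extraction when both checks succeed.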

Once the download is complete, extract the tar file to the /opt/tomcat directory:

sudo tar -xf /tmp/apache-tomcat-${VERSION}.tar.gz -C /opt/tomcat/

For ease of use, you can make a symbolic link:

sudo ln -s /opt/tomcat/apache-tomcat-${VERSION} /opt/tomcat/latest

Later, when upgrading Tomcat, unpack the new version and point the symlink at that version.

Now we need to change the directory ownership to the user we created before:

sudo chown -R tomcat: /opt/tomcat

The shell scripts inside the Tomcat’s bin directory must be made executable:

sudo sh -c 'chmod +x /opt/tomcat/latest/bin/*.sh'

These scripts are used to start, stop and manage the Tomcat instance.

Running as a service

Now we will set up a service so that Tomcat is automatically started on system boot.

Open your text editor and create a tomcat.service unit file in the /etc/systemd/system/ directory:

sudo nano /etc/systemd/system/tomcat.service

Paste the following configuration:

[Unit]
Description=Tomcat 9 servlet container
After=network.target

[Service]
Type=forking
User=tomcat
Group=tomcat
Environment="JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true"
Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

Modify the JAVA_HOME variable if the path to your Java installation is different.

Save and close the file and notify systemd that a new service file has been created:

sudo systemctl daemon-reload

Enable and start the Tomcat service:

sudo systemctl enable --now tomcat

Check the service status:

sudo systemctl status tomcat

The output should show that the Tomcat server is enabled and running:

● tomcat.service - Tomcat 9 servlet container
     Loaded: loaded (/etc/systemd/system/tomcat.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2020-05-25 17:58:37 UTC; 4s ago
    Process: 5342 ExecStart=/opt/tomcat/latest/bin/startup.sh (code=exited, status=0/SUCCESS)
   Main PID: 5362 (java)
...

You can start, stop and restart Tomcat the same way as any other systemd service:

sudo systemctl start tomcat
sudo systemctl stop tomcat
sudo systemctl restart tomcat

Trust1Validation deployment

Now that we have a running Tomcat server, we want to deploy our service.

First, we remove the original ROOT application:

sudo rm -rf /opt/tomcat/latest/webapps/ROOT

Next, we deploy our war file.

You can find the war file in the FileMage instance.

mv /location-of-war/t1c-dss-api.war /opt/tomcat/latest/webapps/ROOT.war

Now restart the service to make sure it is deployed and running:

sudo systemctl restart tomcat

You can also verify everything with the Tomcat web application manager.

To use the manager, make sure you have enabled a user in /opt/tomcat/latest/conf/tomcat-users.xml; this user is needed to log in to the manager.

Now the service should be available on localhost:8080 and is ready to be exposed.

Open-file limit

The open-file limit can be troublesome on web servers, causing 503 errors. To prevent this, we increase the open-file limit to a more reasonable amount.

To view the current user limits, run the ulimit command with the -a option:

ulimit -a

You can change the limit of opened files by adding the following to /etc/security/limits.conf:

* soft nofile 2048 # Set the limit according to your needs
* hard nofile 2048

Then you can reload the configuration using sysctl -p on the shell. Check this article.

For completeness, you can check the current limit for open files with: ulimit -n

Extras

In case your server is protected by a firewall, you’ll want to open port 8080.

Trust1Validation Utilities

Overview

The digital trust service utilities are an extension of the digital trust service. They provide functionality such as PDF/A validation.

Installing Java

We’ll set up OpenJDK 11.

If Java is already installed, you can skip this step.

Run the following commands with sudo privileges. We will update the package index first and then install OpenJDK 11:

sudo apt update
sudo apt install openjdk-11-jdk

As soon as the installation is done, confirm it by checking with the following command:

java -version

The output should look something like this:

openjdk version "11.0.7" 2020-04-14
OpenJDK Runtime Environment (build 11.0.7+10-post-Ubuntu-3ubuntu1)
OpenJDK 64-Bit Server VM (build 11.0.7+10-post-Ubuntu-3ubuntu1, mixed mode, sharing)

System user

Running Play as the root user is considered unsafe practice. We’ll create a new system user and group with home directory /opt/play that will run the Play service. To create this user, run the following command:

sudo useradd -m -U -d /opt/play -s /bin/false play

Downloading and installing DSS utils

You can retrieve the DSS utils binaries from our download page.

We will use wget to download the binaries.

wget ${URL} -P /tmp

Once the download is complete, extract the zip file to the /opt directory:

sudo unzip /tmp/t1t-dss-utils-api-1.0.0-SNAPSHOT.zip -d /opt

Running as a service

Now we will set up a service so that DSS utils is automatically started on system boot.

Open your text editor and create a dssutils.service unit file in the /etc/systemd/system/ directory:

sudo nano /etc/systemd/system/dssutils.service

Paste the following configuration:

[Unit]
Description=Trust1Team Digital Trust Service Utilities
After=syslog.target network.target
Before=httpd.service

[Service] 
WorkingDirectory=/opt/t1t-dss-utils-api-1.0.0-SNAPSHOT/
ExecStart=/opt/t1t-dss-utils-api-1.0.0-SNAPSHOT/bin/t1t-dss-utils-api
Restart=on-failure

[Install]
WantedBy=multi-user.target

Save and close the file and notify systemd that a new service file has been created:

sudo systemctl daemon-reload

Enable and start the DSS utils service:

sudo systemctl enable --now dssutils

Check the service status:

sudo systemctl status dssutils

The output should show that the DSS utils service is enabled and running:

● dssutils.service - Trust1Team Digital Trust Service Utilities
     Loaded: loaded (/etc/systemd/system/dssutils.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-04-23 09:18:11 CEST; 1s ago
   Main PID: 16016 (java)
      Tasks: 19 (limit: 2184)
     Memory: 149.4M
        CPU: 1.878s
     CGroup: /system.slice/dssutils.service
             └─16016 java -Duser.dir=/opt/t1t-dss-utils-api-1.0.0-SNAPSHOT -Dpidfile.path=/dev/null -cp /opt/t1t-dss-utils-api-1.0.0-SNAPSHOT/lib/../conf/:/opt/t1t-dss-utils-api-1.0.0-SNAPSHOT/lib/com.trust1team.t1t-dss-utils-api-1.0.>

Apr 23 09:18:11 ubuntu-linux-22-04-02-desktop t1t-dss-utils-api[16016]: 07:18:11,379 |-INFO in ch.qos.logback.classic.model.processor.LoggerModelHandler - Setting level of logger [eu.europa.esig.dss] to INFO
Apr 23 09:18:11 ubuntu-linux-22-04-02-desktop t1t-dss-utils-api[16016]: 07:18:11,379 |-INFO in ch.qos.logback.classic.model.processor.LoggerModelHandler - Setting level of logger [org.apache.pdfbox] to WARN
Apr 23 09:18:11 ubuntu-linux-22-04-02-desktop t1t-dss-utils-api[16016]: 07:18:11,379 |-INFO in ch.qos.logback.classic.model.processor.RootLoggerModelHandler - Setting level of ROOT logger to INFO
Apr 23 09:18:11 ubuntu-linux-22-04-02-desktop t1t-dss-utils-api[16016]: 07:18:11,380 |-INFO in ch.qos.logback.core.model.processor.AppenderRefModelHandler - Attaching appender named [ASYNCSTDOUT] to Logger[ROOT]
...

You can start, stop and restart DSS utils the same way as any other systemd service:

sudo systemctl start dssutils
sudo systemctl stop dssutils
sudo systemctl restart dssutils
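
Both the system-user sections and the open-file limit section above come down to what the unit file's [Service] section says: a system unit with no User= runs as root, and a systemd service takes its file limit from LimitNOFILE= in the unit rather than from /etc/security/limits.conf. The check below is an added example, not part of the Trust1Validation documentation; the sample unit is constructed and the helper names (unit_get, audit_unit, dropin_for) are hypothetical.

```shell
# Added example (not the project's tooling): audit a unit's [Service] section
# for the account it runs as and for an explicit open-file limit.

# unit_get FILE KEY -> last value assigned to KEY inside [Service]
unit_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_svc = ($0 ~ /^[ \t]*\[Service\]/); next }
        in_svc && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }' "$1"
}

# audit_unit FILE -> one finding per line; prints nothing when both are set
audit_unit() {
    au_user=$(unit_get "$1" User)
    au_nofile=$(unit_get "$1" LimitNOFILE)
    case "$au_user" in
        ""|root|0) echo "runs-as-root" ;;   # no User= means root
    esac
    # pam_limits (limits.conf) is not applied to systemd services
    [ -n "$au_nofile" ] || echo "nofile-default"
}

# dropin_for USER LIMIT -> text for /etc/systemd/system/<unit>.service.d/override.conf
# Assumes USER can read the install directory; apply with daemon-reload + restart.
dropin_for() {
    printf '[Service]\nUser=%s\nGroup=%s\nLimitNOFILE=%s\n' "$1" "$1" "$2"
}

# Constructed sample with the same shape as dssutils.service above.
demo() {
    demo_dir=$(mktemp -d)
    cat > "$demo_dir/sample.service" <<'EOF'
[Unit]
Description=constructed sample

[Service]
WorkingDirectory=/opt/example
ExecStart=/opt/example/bin/example
Restart=on-failure
EOF
    echo "before:"; audit_unit "$demo_dir/sample.service"
    # systemd overlays drop-ins on the unit; concatenation emulates that here.
    dropin_for play 2048 | cat "$demo_dir/sample.service" - > "$demo_dir/merged"
    echo "after:"; audit_unit "$demo_dir/merged"
    rm -rf "$demo_dir"
}
demo
```

After installing a drop-in, `systemctl show -p User -p LimitNOFILE dssutils` reports the values systemd actually applies.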
