Administration and Registration Tools (ART) Installation Checklist
2024-03-26 14:03:06 -0400

Overview

Item | Description
Purpose | Provide user interface for managing assessments and students
Communicates With | OpenAM, ProgMan, Permissions, TestSpecBank, Proctor
Repository Location | https://github.com/SmarterApp/SS_AdministrationAndRegistrationTools
Additional Documentation | ART User Guide, Task Order 10 Requirements, Task Order 15 Requirements, Task Order 15 Test Cases, Task Order 15 Test Plan, ART Design Pictures

Instructions

Create AWS MongoDB Instance

# mongodb.conf

# Where to store the data.
dbpath=/var/lib/mongodb

#where to log
logpath=/var/log/mongodb/mongodb.log

logappend=true

#bind_ip = 127.0.0.1
bind_ip = 0.0.0.0
port = 27017

# Enable journaling, http://www.mongodb.org/display/DOCS/Journaling
journal=true

# Enables periodic logging of CPU utilization and I/O wait
#cpu = true

# Turn on/off security.  Off is currently the default
noauth = true
#auth = true

# Verbose logging output.
#verbose = true

# Inspect all client data for validity on receipt (useful for
# developing drivers)
#objcheck = true

# Enable db quota management
#quota = true

# Set oplogging level where n is
#   0=off (default)
#   1=W
#   2=R
#   3=both
#   7=W+some reads
#oplog = 0

# Diagnostic/debugging option
#nocursors = true

# Ignore query hints
#nohints = true

# Disable the HTTP interface (Defaults to localhost:27018).
#nohttpinterface = true

# Turns off server-side scripting.  This will result in greatly limited
# functionality
#noscripting = true

# Turns off table scans.  Any query that would do a table scan fails.
#notablescan = true

# Disable data file preallocation.
#noprealloc = true

# Specify .ns file size for new databases.
# nssize = <size>

# Account token for Mongo monitoring server.
#mms-token = <token>

# Server name for Mongo monitoring server.
#mms-name = <server-name>

# Ping interval for Mongo monitoring server.
#mms-interval = <seconds>

# Replication Options

# in replicated mongo databases, specify here whether this is a slave or master
#slave = true
#source = master.example.com
# Slave only: specify a single database to replicate
#only = master.example.com
# or
#master = true
#source = slave.example.com

# Address of a server to pair with.
#pairwith = <server:port>
# Address of arbiter server.
#arbiter = <server:port>
# Automatically resync if slave data is stale
#autoresync
# Custom size for replication operation log.
#oplogSize = <MB>
# Size limit for in-memory storage of op ids.
#opIdMem = <bytes>

$ mongo admin
db.addUser({
    user:"mongo_admin",
    pwd:"[choose a suitable password]",
    roles:["dbAdminAnyDatabase","userAdminAnyDatabase","clusterAdmin","readWrite"]
});

# Turn on/off security.  Off is currently the default
#noauth = true
auth = true

use [name of database];
db.addUser({
    user:"[name of user]",
    pwd:"[password for user]",
    roles:["readWrite"]
});

use progman;
db.addUser({
    user:"progman",
    pwd:"[redacted]",
    roles:["readWrite"]
});

Verify User Can Authenticate to MongoDB

MongoDB shell version: 2.4.9
connecting to: admin
>
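As an added check (not part of the original checklist or the ART project), the following sh script reads a mongodb.conf in the key = value format used above and fails when bind_ip has been opened to all interfaces while authentication is still disabled; the two sample files are constructed inline to mirror the before and after states of the edits on this page.

```shell
#!/bin/sh
# Added example, not part of the ART checklist: lint a 2.4-era mongodb.conf
# (key = value lines like the file above) for the state this page passes
# through: bind_ip widened to 0.0.0.0 while "noauth = true" is still set.
# Returns 0 if the listener is loopback-only or auth is on, else 1.

# Print the effective (uncommented) value of KEY in FILE; last setting wins.
conf_value() {
    sed -e 's/#.*$//' "$1" | awk -F= -v k="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == k { v = $2 }
        END { print v }'
}

mongo_conf_check() {
    conf="$1"
    bind=$(conf_value "$conf" bind_ip)
    noauth=$(conf_value "$conf" noauth)
    auth=$(conf_value "$conf" auth)
    # A loopback-only listener is not reachable from other hosts.
    case "$bind" in
        127.0.0.1|localhost) return 0 ;;
    esac
    # mongod 2.4 runs without authentication unless auth = true is set;
    # an explicit noauth = true disables it as well.
    if [ "$noauth" = "true" ] || [ "$auth" != "true" ]; then
        echo "WARN: $conf listens on '${bind:-all interfaces}' without authentication" >&2
        return 1
    fi
    return 0
}

# Constructed samples: the checklist's initial conf and the same file after
# the "auth = true" edit it prescribes.
BEFORE_CONF=$(mktemp)
cat > "$BEFORE_CONF" <<'EOF'
dbpath=/var/lib/mongodb
#bind_ip = 127.0.0.1
bind_ip = 0.0.0.0
port = 27017
# Turn on/off security.  Off is currently the default
noauth = true
#auth = true
EOF
AFTER_CONF=$(mktemp)
sed -e 's/^noauth = true/#noauth = true/' -e 's/^#auth = true/auth = true/' \
    "$BEFORE_CONF" > "$AFTER_CONF"
mongo_conf_check "$BEFORE_CONF" || echo "before edit: rejected (expected)"
mongo_conf_check "$AFTER_CONF" && echo "after edit: accepted"
```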

Create AWS Web Application Instance

ART Setup

Set Up Tomcat Server

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443"
           maxHttpHeaderSize="65536" />

Set Up a Keystore

-----BEGIN CERTIFICATE-----
// This is where the certificate content is
-----END CERTIFICATE-----

sudo keytool -genkey -alias progman-saml-sp -keyalg RSA -keystore ./resources/security/samlKeystore.jks  -keysize 2048
Enter keystore password:
What is your first and last name?
  [Unknown]:  ProgMan Component
What is the name of your organizational unit?
  [Unknown]:  sbac
What is the name of your organization?
  [Unknown]:  SBAC
What is the name of your City or Locality?
  [Unknown]:  San Diego
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=ProgMan Component, OU=sbac, O=SBAC, L=San Diego, ST=California, C=US correct?
  [no]:  yes

Verify Keystore Contents

Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

sbtdsorg, Apr 6, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): D6:06:FA:33:AB:E4:27:26:D5:E1:B2:AB:1E:1D:FF:1E:7E:C0:21:4F
progman-saml-sp, Apr 6, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 8D:3A:66:1D:0C:7B:0A:40:96:B7:A6:8F:13:27:AB:E8:05:7D:8D:3A

Additional Notes

Set up RabbitMQ

Get and Install Package

Configure RabbitMQ Installation

Set up Data Warehouse Integration Passphrase

gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n> = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) [choose when the key should expire]
Key expires at Fri 21 Apr 2017 01:24:53 AM UTC
Is this correct? (y/N) [y if you are satisfied with your input; otherwise n]

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: [Provide a name]
Email address: [Provide an email address]
Comment: [Provide a description/comment]
You selected this USER-ID:
    "[Real name value] ([Comment value]) <[email address value]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

gpg: gpg-agent is not available in this session
You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++
.....+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
......+++++
...+++++
gpg: /home/ubuntu/.gnupg/trustdb.gpg: trustdb created
gpg: key B777B118 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2017-04-21
pub   2048R/B777B118 [expiration date based on input above] [expires: [expiration date based on input above]]
      Key fingerprint = 5B1A 565C 7E19 CDF0 E8A0  31C7 699B 1179 B777 B118
uid                  [Real name value] ([Comment value]) <[email address value]>
sub   2048R/C4C16F48 [expiration date based on input above] [expires: [expiration date based on input above]]

gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Fri 21 Apr 2017 01:24:53 AM UTC
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: SBAC Administrator
Email address: deploy-admin@example.com
Comment: ART Data Warehouse integration
You selected this USER-ID:
    "SBAC Administrator (ART Data Warehouse integration) <deploy-admin@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

gpg: gpg-agent is not available in this session
You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++
.....+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
......+++++
...+++++
gpg: /home/ubuntu/.gnupg/trustdb.gpg: trustdb created
gpg: key B777B118 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2017-04-21
pub   2048R/B777B118 2016-04-21 [expires: 2017-04-21]
      Key fingerprint = 5B1A 565C 7E19 CDF0 E8A0  31C7 699B 1179 B777 B118
uid                  SBAC Administrator (ART Data Warehouse integration) <deploy-admin@example.com>
sub   2048R/C4C16F48 2016-04-21 [expires: 2017-04-21]

Generate SFTP Server Passphrase File

Configure ART in ProgMan

testreg.tds.proctorUrl=http://54.213.81.243:8080/
user.timezone=PST
tsb.tsbUrl=http://54.149.254.189:8080/rest/
testreg.user.export.frequency.milliseconds=10000
testreg.sftp.port=22
testreg.sftp.dir=sso
testreg.sftp.pass=[redacted]
testreg.sftp.user=art
testreg.sftp.host=54.149.142.124
testreg.sso.filename.suffix=art
gpgKeyring.public.location=
gpgKeyring.secret.location=
testreg.secret.key.userid=
landingzone.public.key.userid=
dw.export.callback.url=
dw.host=
dw.private.key.loc=
dw.port=
dw.user=
dw.remote.dir=
dw.gpgfile.prefix=
testreg.mna.description=ART
mna.mnaUrl=
mna.oauth.batch.account=
mna.oauth.batch.password=
rabbitmq.vhost=/
rabbitmq.password=[redacted]
rabbitmq.username=art_user
rabbitmq.host=127.0.0.1
testreg.security.idp=https://sso-deployment.sbtds.org/auth/saml2/jsp/exportmetadata.jsp?realm=/sbac
testreg.security.profile=Development
component.name=Assessment and Registration Tools
permission.uri=http://54.213.111.234:8080/rest
testreg.mongo.hostname=54.186.65.111
testreg.mongo.port=27017
testreg.mongo.username=art
testreg.mongo.password=[redacted]
testreg.mongo.dbname=art
client=
language.codes=en
testreg.minJs=false
testreg.rest.context.root=/rest/
testreg.userguid.location=http://test.com
testreg.security.dir=/var/lib/tomcat7/resources/security
testreg.webapp.saml.metadata.filename=art_local_sp.xml
testreg.security.saml.keystore.cert=art-saml-sp
testreg.security.saml.keystore.pass=[redacted]
dw.sbac.port=22
dw.local.port=22
student.identity.share=false
testreg.rest.saml.metadata.filename=art_rest_local_sp.xml
clientId=98765
clientName=CA98765
systemId=33ce4370-b9c0-44a8-9adb-abf1d02a8ceb
testreg.oauth.resource.client.id=pm
testreg.oauth.resource.client.secret=[redacted]
dw.local.import.types=
oauth.access.url=https://sso-deployment.sbtds.org/auth/oauth2/access_token?realm=/sbac
testreg.oauth.checktoken.endpoint=https://sso-deployment.sbtds.org/auth/oauth2/tokeninfo?realm=/sbac
oauth.tsb.client=pm
oauth.tsb.client.secret=[redacted]

Deploy ART Components

Configure Tomcat

JAVA_OPTS="-Djava.awt.headless=true\
 -XX:+UseConcMarkSweepGC\
 -Xms[initial amount of memory that can be allocated to the JVM heap]\
 -Xmx[maximum amount of memory that can be allocated to the JVM heap]\
 -XX:PermSize=[initial amount of memory that can be used for PermGen]\
 -XX:MaxPermSize=[maximum amount of memory that can be used for PermGen]\
 -DSB11_CONFIG_DIR=$CATALINA_BASE/resources\
 -Dspring.profiles.active=progman.client.impl.integration,mna.client.null,server.singleinstance\
 -Dprogman.baseUri=http://[URL to the ProgMan REST component]/rest/\
 -Dprogman.locator=[name of component in ProgMan],[name of Component's environment in ProgMan]"

JAVA_OPTS="-Djava.awt.headless=true\
 -XX:+UseConcMarkSweepGC\
 -Xms512m\
 -Xmx1024m\
 -XX:PermSize=512m\
 -XX:MaxPermSize=1512m\
 -DSB11_CONFIG_DIR=$CATALINA_BASE/resources\
 -Dprogman.baseUri=http://54.213.81.243:8080/rest/\
 -Dtestreg.secret.passphrase.file=$CATALINA_BASE/resources/security/testreg.secret.passphrase\
 -Dspring.profiles.active=mna.client.null,progman.client.impl.integration,rabbit,test-write-dw-gen-data,server.singleinstance\
 -Dprogman.locator=testreg,Development"

Create ART Log File Directories

Download War Files

oauth.access.url=https://[FQDN or IP address of OpenAM server]/auth/oauth2/access_token?realm=/sbac
pm.oauth.client.id=[OAuth client id from OpenAM]
pm.oauth.client.secret=[OAuth client secret from OpenAM]
pm.oauth.batch.account=[User account in OpenDJ]
pm.oauth.batch.password=[Password for OpenDJ user account]

oauth.access.url=https://sso-dev.sbtds.org/auth/oauth2/access_token?realm=/sbac
pm.oauth.client.id=pm
pm.oauth.client.secret=[redacted]
pm.oauth.batch.account=prime.user@example.com
pm.oauth.batch.password=[redacted]

IMPORTANT: Conduct the SAML Setup and Configuration for the REST component and Web Application Component. After completing the SAML Setup and Configuration steps, there should be two metadata files:

SAML (Security Assertion Markup Language) Setup and Configuration

Configure Automatic Metadata Generation

Create SAML Metadata File For the Component

Update the securityContext.xml File for Automatic Metadata Generation

<security:http entry-point-ref="delegatingAuthenticationEntryPoint" use-expressions="true">
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter" />
    <security:custom-filter ref="oauth2ProviderFilter" before="PRE_AUTH_FILTER" />
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
</security:http>

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg ref="metadataGenerator"/>
</bean>

<bean id="metadataGenerator" class="org.springframework.security.saml.metadata.MetadataGenerator">
    <property name="bindingsSSO">
        <list>
            <value>redirect</value>
            <value>artifact</value>
        </list>
    </property>
    <property name="entityId" value="[name of component]"/>
</bean>

NOTE: The component name should not have spaces.

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg ref="metadataGenerator"/>
</bean>

<bean id="metadataGenerator" class="org.springframework.security.saml.metadata.MetadataGenerator">
    <property name="bindingsSSO">
        <list>
            <value>redirect</value>
            <value>artifact</value>
        </list>
    </property>
    <property name="entityId" value="progman_rest"/>
</bean>

Verify SAML Metadata Setup

SAML Pre-Configured Metadata Configuration

Verify SAML Metadata Setup

Additional Notes

SAML Service Provider Registration

Verify the Service Provider is Configured


As of Fall 2018 the Smarter Balanced Test Delivery System (TDS) is no longer supported.

The code base and documentation for the TDS is available within the Smarter Balanced GitHub repository.

Unless stated otherwise, all content on SmarterApp.org is licensed under a Creative Commons Attribution 4.0 International License.