Program Management (ProgMan) Installation Checklist
2024-03-26 14:03:06 -0400

Overview

Item                     | Description
Purpose                  | Provide configuration settings for TDS components
Communicates With        | OpenAM, Permissions, ART, Proctor, Teacher Hand-Scoring System, TestSpecBank
Repository Location      | https://github.com/SmarterApp/SS_ProgramManagement
Additional Documentation | Program Management User Guide, ProgMan Technical Design, API Documentation, Design Diagrams, Sequence Diagrams

Instructions

Create AWS MongoDB Instance

# mongodb.conf

# Where to store the data.
dbpath=/var/lib/mongodb

#where to log
logpath=/var/log/mongodb/mongodb.log

logappend=true

#bind_ip = 127.0.0.1
bind_ip = 0.0.0.0
port = 27017

# Enable journaling, http://www.mongodb.org/display/DOCS/Journaling
journal=true

# Enables periodic logging of CPU utilization and I/O wait
#cpu = true

# Turn on/off security.  Off is currently the default
noauth = true
#auth = true

# Verbose logging output.
#verbose = true

# Inspect all client data for validity on receipt (useful for
# developing drivers)
#objcheck = true

# Enable db quota management
#quota = true

# Set oplogging level where n is
#   0=off (default)
#   1=W
#   2=R
#   3=both
#   7=W+some reads
#oplog = 0

# Diagnostic/debugging option
#nocursors = true

# Ignore query hints
#nohints = true

# Disable the HTTP interface (Defaults to localhost:27018).
#nohttpinterface = true

# Turns off server-side scripting.  This will result in greatly limited
# functionality
#noscripting = true

# Turns off table scans.  Any query that would do a table scan fails.
#notablescan = true

# Disable data file preallocation.
#noprealloc = true

# Specify .ns file size for new databases.
# nssize = <size>

# Account token for Mongo monitoring server.
#mms-token = <token>

# Server name for Mongo monitoring server.
#mms-name = <server-name>

# Ping interval for Mongo monitoring server.
#mms-interval = <seconds>

# Replication Options

# in replicated mongo databases, specify here whether this is a slave or master
#slave = true
#source = master.example.com
# Slave only: specify a single database to replicate
#only = master.example.com
# or
#master = true
#source = slave.example.com

# Address of a server to pair with.
#pairwith = <server:port>
# Address of arbiter server.
#arbiter = <server:port>
# Automatically resync if slave data is stale
#autoresync
# Custom size for replication operation log.
#oplogSize = <MB>
# Size limit for in-memory storage of op ids.
#opIdMem = <bytes>

$ mongo admin
db.addUser({
    user:"mongo_admin",
    pwd:"[choose a suitable password]",
    roles:["dbAdminAnyDatabase","userAdminAnyDatabase","clusterAdmin","readWrite"]
});

# mongodb.conf

# Turn on/off security.  Off is currently the default
#noauth = true
auth = true

use [name of database];
db.addUser({
    user:"[name of user]",
    pwd:"[password for user]",
    roles:["readWrite"]
});

use progman;
db.addUser({
    user:"progman",
    pwd:"[redacted]",
    roles:["readWrite"]
});

Verify User Can Authenticate to MongoDB

MongoDB shell version: 2.4.9
connecting to: admin
>
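
The mongodb.conf above passes through two states: authentication off (noauth = true) while the admin user is created, then auth = true, on a server that has already been rebound to 0.0.0.0. As an added example that is not part of the SmarterApp checklist, a small Python audit of the legacy key=value config format that reports which of those settings is still open; both config strings below are constructed from the checklist's before/after states:

```python
"""Audit the checklist's legacy key=value mongodb.conf for the two settings
the steps above toggle: bind_ip and auth/noauth.  Added example, not code
from the SmarterApp project; the two config strings are constructed from the
before/after states shown in the checklist."""

# Constructed: the file as first written (no auth, bound to all interfaces)...
CONF_BEFORE = """\
dbpath=/var/lib/mongodb
#bind_ip = 127.0.0.1
bind_ip = 0.0.0.0
port = 27017
# Turn on/off security.  Off is currently the default
noauth = true
#auth = true
"""
# ...and after the checklist comments out noauth and enables auth.
CONF_AFTER = (CONF_BEFORE.replace("noauth = true", "#noauth = true")
                         .replace("#auth = true", "auth = true"))

def parse_conf(text):
    """Return {key: value} for active (uncommented) 'key = value' lines;
    a bare flag with no '=' (e.g. autoresync) is recorded as 'true'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        settings[key.strip()] = value.strip().lower() if sep else "true"
    return settings

def audit_conf(text):
    """Return a list of findings; an empty list means the file passes."""
    s = parse_conf(text)
    findings = []
    # auth must be on, and a leftover noauth line must not override it
    auth_on = s.get("auth") == "true" and s.get("noauth") != "true"
    if not auth_on:
        findings.append("authentication disabled (auth != true or noauth = true)")
    bind = s.get("bind_ip", "127.0.0.1")
    if bind in ("0.0.0.0", "::") and not auth_on:
        findings.append(f"bind_ip = {bind} exposes an unauthenticated mongod")
    if s.get("nohttpinterface") != "true":
        findings.append("HTTP status interface not disabled (nohttpinterface)")
    return findings

if __name__ == "__main__":
    for name, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(name, audit_conf(conf) or "OK")
```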

Create AWS Web Application Instance

ProgMan Setup

Set Up Tomcat Server


<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443"
           maxHttpHeaderSize="65536" />

Set Up a Keystore

-----BEGIN CERTIFICATE-----
// This is where the certificate content is
-----END CERTIFICATE-----

sudo keytool -genkey -alias progman-saml-sp -keyalg RSA -keystore ./resources/security/samlKeystore.jks -keysize 2048
Enter keystore password:
What is your first and last name?
  [Unknown]:  ProgMan Component
What is the name of your organizational unit?
  [Unknown]:  sbac
What is the name of your organization?
  [Unknown]:  SBAC
What is the name of your City or Locality?
  [Unknown]:  San Diego
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=ProgMan Component, OU=sbac, O=SBAC, L=San Diego, ST=California, C=US correct?
  [no]:  yes

Verify Keystore Contents

Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

sbtdsorg, Apr 6, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): D6:06:FA:33:AB:E4:27:26:D5:E1:B2:AB:1E:1D:FF:1E:7E:C0:21:4F
progman-saml-sp, Apr 6, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 8D:3A:66:1D:0C:7B:0A:40:96:B7:A6:8F:13:27:AB:E8:05:7D:8D:3A

Additional Notes

Deploy ProgMan Components

Configure Tomcat

JAVA_OPTS="-Djava.awt.headless=true\
 -XX:+UseConcMarkSweepGC\
 -Xms[initial amount of memory that can be allocated to the JVM heap]\
 -Xmx[maximum amount of memory that can be allocated to the JVM heap]\
 -XX:PermSize=[initial amount of memory that can be used for PermGen]\
 -XX:MaxPermSize=[maximum amount of memory that can be used for PermGen]\
 -DSB11_CONFIG_DIR=$CATALINA_BASE/resources\
 -Dspring.profiles.active=progman.client.impl.integration,mna.client.null,server.singleinstance"

JAVA_OPTS="-Djava.awt.headless=true\
 -XX:+UseConcMarkSweepGC\
 -Xms512m\
 -Xmx2048m\
 -XX:PermSize=512m\
 -XX:MaxPermSize=1512m\
 -DSB11_CONFIG_DIR=$CATALINA_BASE/resources\
 -Dspring.profiles.active=mna.client.null,server.singleinstance,progman.client.impl.null,special.role.required"

Download REST Component War File

#base URLs for REST endpoints, replace with URLs that work for the server this is being run on
pm.rest.service.endpoint=http://[FQDN or IP Address of ProgMan REST component, default port is 8080]/rest
pm.rest.context.root=/rest/
pm.minJs=false

An example of a configured rest-endpoints.properties:

#base URLs for REST endpoints, replace with URLs that work for the server this is being run on
pm.rest.service.endpoint=http://52.32.255.241:8080/rest
pm.rest.context.root=/rest/
pm.minJs=false

Download ProgMan Web Application Component

#mna.properties
progman.mna.description="The Program Management Component ([environment name])"
#mna.mnaUrl=https://your.mna.server/rest
#mna.logger.level=INFO
#mna.oauth.batch.account=mna-client-email-address
#mna.oauth.batch.password=mna-client-password
#mongo.properties
#placeholder for mongo settings - note: do not check in real credentials
pm.mongo.hostname=[FQDN or IP address of MongoDB server]
pm.mongo.port=[port that MongoDB listens on, default is 27017]
pm.mongo.user=[mongo user name, mongo_admin if following this checklist]
pm.mongo.password=[password for mongo_admin user account]
pm.mongo.dbname=[Name of database created for ProgMan in MongoDB]
#pbe.properties
pm.pbe.pass=password123
#pm.pbe.pass=secret-salt
#rest-endpoints.properties
#base URLs for REST endpoints, replace with URLs that work for the server this is being run on
pm.rest.service.endpoint=http://[FQDN or IP address of AWS instance hosting ProgMan REST component, default port is 8080]/rest
pm.minJs=false
pm.rest.context.root=/rest/
###########################
# pm-security.properties
###########################
#security props
pm.security.saml.keystore.user=[alias of private key stored in samlKeystore.jks]
pm.security.saml.keystore.pass=[password for samlKeystore.jks]
pm.security.dir=file:///[path to samlKeystore.jks, use /var/lib/tomcat7/resources/security if following this checklist]
pm.rest.saml.metadata.filename=[name of SAML metadata file for REST component]
pm.webapp.saml.metadata.filename=[name of SAML metadata file for web application component]
component.name=ProgramManagement
pm.oauth.checktoken.endpoint=https://[load balancer for OpenAM]/auth/oauth2/tokeninfo?realm=/sbac
pm.security.idp=https://[load balancer for OpenAM]/auth/saml2/jsp/exportmetadata.jsp?realm=/sbac
permission.uri=http://[FQDN or IP address of Permissions application. NOTE:  the Permissions program has not been installed yet.  This can be configured after Permissions has been deployed; ProgMan should still start up]/rest

logfile.path=/var/log/tomcat7/

An example of a configured progman-bootstrap.properties:

#mna.properties
progman.mna.description="The Program Management Component (Development)"
#mna.mnaUrl=https://your.mna.server/rest
#mna.logger.level=INFO
#mna.oauth.batch.account=mna-client-email-address
#mna.oauth.batch.password=mna-client-password
#mongo.properties
#placeholder for mongo settings - note: do not check in real credentials
pm.mongo.hostname=52.32.123.173
pm.mongo.port=27017
pm.mongo.user=mongo_admin
pm.mongo.password=[redacted]
pm.mongo.dbname=progman
#pbe.properties
pm.pbe.pass=[redacted]
#pm.pbe.pass=secret-salt
#rest-endpoints.properties
#base URLs for REST endpoints, replace with URLs that work for the server this is being run on
pm.rest.service.endpoint=http://52.34.140.123:8080/rest
pm.minJs=false
pm.rest.context.root=/rest/
###########################
# pm-security.properties
###########################
#security props
pm.security.saml.keystore.user=progman-saml-sp
pm.security.saml.keystore.pass=[redacted]
pm.security.dir=file:////var/lib/tomcat7/resources/security
pm.rest.saml.metadata.filename=rest_metadata.xml
pm.webapp.saml.metadata.filename=web_metadata.xml
component.name=ProgramManagement
pm.oauth.checktoken.endpoint=https://sso-dev.sbtds.org/auth/oauth2/tokeninfo?realm=/sbac
pm.security.idp=https://sso-dev.sbtds.org/auth/saml2/jsp/exportmetadata.jsp?realm=/sbac
permission.uri=http://52.32.19.35:8080/rest

logfile.path=/var/log/tomcat7/
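
The template and the configured example above both contain values that must not reach production as-is: bracketed checklist placeholders and the pm.pbe.pass=password123 default. As an added example that is not part of the SmarterApp project, a Python lint that parses the properties file and reports those, plus OpenAM endpoints (token info, IdP metadata) not served over HTTPS; the sample file and its host names are constructed:

```python
"""Lint progman-bootstrap.properties before deployment: unreplaced [placeholders],
the template's pm.pbe.pass=password123 default, and OpenAM endpoints not on HTTPS.
Added example, not SmarterApp code; the sample file and host names are constructed."""
import re

REQUIRED = (
    "pm.mongo.hostname", "pm.mongo.password", "pm.mongo.dbname", "pm.pbe.pass",
    "pm.security.saml.keystore.pass", "pm.oauth.checktoken.endpoint",
    "pm.security.idp",
)
# Token-info and IdP metadata URLs carry bearer tokens / trust roots: TLS only.
TLS_ONLY = ("pm.oauth.checktoken.endpoint", "pm.security.idp")

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def lint_bootstrap(text):
    """Return a list of findings; an empty list means the file is deployable."""
    props = parse_properties(text)
    findings = []
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"{key}: missing or empty")
        elif re.search(r"\[[^\]]*\]", props[key]):
            findings.append(f"{key}: checklist placeholder not replaced")
    if props.get("pm.pbe.pass") == "password123":
        findings.append("pm.pbe.pass: template default still in use")
    for key in TLS_ONLY:
        if props.get(key) and not props[key].lower().startswith("https://"):
            findings.append(f"{key}: must be an https:// URL")
    return findings

# Constructed sample: hostname placeholder left in, PBE default kept, and the
# IdP metadata URL downgraded to plain http.
SAMPLE = """\
pm.mongo.hostname=[FQDN or IP address of MongoDB server]
pm.mongo.password=constructed-mongo-password
pm.mongo.dbname=progman
pm.pbe.pass=password123
pm.security.saml.keystore.pass=constructed-keystore-password
pm.oauth.checktoken.endpoint=https://sso.example.test/auth/oauth2/tokeninfo?realm=/sbac
pm.security.idp=http://sso.example.test/auth/saml2/jsp/exportmetadata.jsp?realm=/sbac
"""
```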

IMPORTANT: Conduct the SAML Setup and Configuration for the REST component and Web Application Component. After completing the SAML Setup and Configuration steps, there should be two metadata files:

SAML (Security Assertion Markup Language) Setup and Configuration

Configure Automatic Metadata Generation

Create SAML Metadata File For the Component

Update the securityContext.xml File for Automatic Metadata Generation

<security:http entry-point-ref="delegatingAuthenticationEntryPoint" use-expressions="true">
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter" />
    <security:custom-filter ref="oauth2ProviderFilter" before="PRE_AUTH_FILTER" />
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
</security:http>
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg ref="metadataGenerator"/>
</bean>

<bean id="metadataGenerator" class="org.springframework.security.saml.metadata.MetadataGenerator">
    <property name="bindingsSSO">
        <list>
            <value>redirect</value>
            <value>artifact</value>
        </list>
    </property>
    <property name="entityId" value="[name of component]"/>
</bean>

NOTE: The component name should not have spaces.

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg ref="metadataGenerator"/>
</bean>

<bean id="metadataGenerator" class="org.springframework.security.saml.metadata.MetadataGenerator">
    <property name="bindingsSSO">
        <list>
            <value>redirect</value>
            <value>artifact</value>
        </list>
    </property>
    <property name="entityId" value="progman_rest"/>
</bean>

Verify SAML Metadata Setup

SAML Pre-Configured Metadata Configuration

Verify SAML Metadata Setup

Additional Notes

Update ProgMan Bootstrap Properties

SAML Service Provider Registration

Verify the Service Provider is Configured

Load Seed Data into ProgMan

IMPORTANT: MongoDB must be installed on whatever computer runs the script to load the ProgMan seed data.

HOST=54.201.173.209     # The FQDN or IP address of the MongoDB server hosting the ProgMan database
PORT=27017              # The port on which MongoDB is listening
USER=admin              # The user account with "readWrite" privileges in the ProgMan database
PW=[redacted]           # The password for the user account
DB=progman              # The name of the database containing ProgMan's data

Verification


As of Fall 2018 the Smarter Balanced Test Delivery System (TDS) is no longer supported.

The code base and documentation for the TDS is available within the Smarter Balanced GitHub repository.

Unless stated otherwise, all content on SmarterApp.org is licensed under a Creative Commons Attribution 4.0 International License.