Subsonic 4.6 WAR, Tomcat 6, Ubuntu 12.04, HTTPS, LDAPS
Posted: Sun Apr 29, 2012 3:25 am
These instructions should walk you through getting Subsonic 4.6 in Tomcat on a headless Ubuntu 12.04 server using HTTPS and LDAPS. HTTPS will be run on port 8081 for this tutorial, but you can run it on the default 443. I've chosen to go with a Tomcat installation for scalability. Security is always a concern and I do what I can to mitigate risk.
Assumptions:
This is based off a brand new install with nothing more than an SSH server installed.
An SSL cert has already been generated for the web server or we're using the snakeoil certificates provided by the ssl-cert package
An SSL cert is available for the issuing CA for the LDAPS server
LDAPS is already working on the LDAP server
LDAP server is 192.168.1.2
1) Install Tomcat6 w/APR and transcoders
sudo apt-get install ssl-cert tomcat6 tomcat6-admin libtcnative-1 lame ffmpeg ttf-dejavu-core
2) Prep directories. A previous version of Subsonic didn't create /var/subsonic. I don't know if this has been fixed, but I do it anyway.
sudo mkdir -p /var/subsonic
sudo chown -R tomcat6:tomcat6 /var/subsonic
3) Edit Tomcat users; change the password to something useful. BE SURE TO UNCOMMENT THE STANZA (I wasted 10 minutes trying to figure out why my changes weren't taking effect. Duh.)
sudo vim /etc/tomcat6/tomcat-users.xml
<tomcat-users>
<role rolename="admin"/>
<role rolename="manager"/>
<user username="admin" password="password" roles="admin,manager"/>
</tomcat-users>
4) Copy the certificate and private key to /etc/tomcat6, or use a real certificate that you've generated. The chown below uses the full path so it works from any directory.
sudo cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/tomcat6/
sudo cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/tomcat6/
sudo chown root:tomcat6 /etc/tomcat6/ssl-cert-snakeoil.*
5) Enable SSL on server
sudo vim /etc/tomcat6/server.xml
uncomment the following line
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
add the following stanza where connectors are defined
<!-- SSL Connector in APR format -->
<Connector port="8081" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/etc/tomcat6/ssl-cert-snakeoil.pem"
SSLCertificateKeyFile="/etc/tomcat6/ssl-cert-snakeoil.key"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
SSLProtocol="TLSv1"/>
6) Modify the following files for basic ACL to management pages; change the IP to whatever is relevant to you.
sudo vim /etc/tomcat6/Catalina/localhost/manager.xml
<Context path="/manager"
docBase="/usr/share/tomcat6-admin/manager"
antiResourceLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="192.168.1.*"/>
</Context>
sudo vim /etc/tomcat6/Catalina/localhost/host-manager.xml
<Context path="/host-manager"
docBase="/usr/share/tomcat6-admin/host-manager"
antiResourceLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="192.168.1.*"/>
</Context>
sudo vim /etc/tomcat6/Catalina/localhost/ROOT.xml
<Context path="/"
antiResourceLocking="false" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="192.168.1.*"/>
</Context>
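The two things steps 4 and 6 are protecting (the TLS private key and the management contexts) are easy to get wrong silently, so here is a small audit script. It is an added example, not part of the original post: it builds a throwaway copy of the layout in a temp directory (the dummy key contents and the Context snippets are constructed for the example), checks that no .key file is readable by "other" and that every Context file under Catalina/localhost carries the RemoteAddrValve, and then removes the temp directory. To audit a real host, call audit /etc/tomcat6 instead of the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit the key permissions and
# context ACLs set up in steps 4 and 6. The demo layout below is constructed.

# key_is_private FILE: succeeds only when FILE grants nothing to "other".
# Tomcat reads the key via the tomcat6 group, so 640 root:tomcat6 is enough;
# a 644 key would let any local account read the TLS private key.
key_is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# context_has_acl FILE: succeeds when the Context file carries the
# RemoteAddrValve with an allow= pattern (the valve added in step 6).
context_has_acl() {
    grep -q 'org.apache.catalina.valves.RemoteAddrValve' "$1" && grep -q 'allow=' "$1"
}

# audit CONF: prints one line per finding; the return value is the number of problems.
audit() {
    conf=$1
    problems=0
    for key in "$conf"/*.key; do
        [ -e "$key" ] || continue
        if key_is_private "$key"; then
            echo "ok    key not world-readable: $key"
        else
            echo "FAIL  key readable by others: $key"
            problems=$((problems + 1))
        fi
    done
    for ctx in "$conf"/Catalina/localhost/*.xml; do
        [ -e "$ctx" ] || continue
        if context_has_acl "$ctx"; then
            echo "ok    RemoteAddrValve present: $ctx"
        else
            echo "FAIL  no RemoteAddrValve in: $ctx"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# make_demo_conf DIR: constructed layout; one key is locked down, one is left
# world-readable, and one of the two Context files is missing the valve.
make_demo_conf() {
    d=$1
    mkdir -p "$d/Catalina/localhost"
    printf 'constructed dummy key material\n' > "$d/ssl-cert-snakeoil.key"
    chmod 640 "$d/ssl-cert-snakeoil.key"
    printf 'constructed dummy key material\n' > "$d/leftover.key"
    chmod 644 "$d/leftover.key"
    cat > "$d/Catalina/localhost/manager.xml" <<'EOF'
<Context path="/manager" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.*"/>
</Context>
EOF
    cat > "$d/Catalina/localhost/host-manager.xml" <<'EOF'
<Context path="/host-manager" privileged="true">
</Context>
EOF
}

# Stand-alone run against the constructed layout: expect two FAIL lines.
demo=$(mktemp -d)
make_demo_conf "$demo"
audit "$demo" || echo "problems found: $?"
rm -rf "$demo"
```

On a real host run it as root (the key files are not readable otherwise) and treat any FAIL line as something to fix before opening port 8081 beyond the LAN.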
7) Restart Tomcat
sudo service tomcat6 restart
8) Import the CA certificate into the Java keystore for LDAPS. The default keystore password is 'changeit'. Replace YOURCA with your actual CA name and certificate file.
sudo keytool -import -trustcacerts -alias YOURCA -file YOURCA.cer -keystore /etc/ssl/certs/java/cacerts
9) Change the Java keystore password
sudo keytool -storepasswd -keystore /etc/ssl/certs/java/cacerts
10) Log into the Tomcat Manager webapp and deploy subsonic.war
Open a browser to https://yourserver:8081
Download the Subsonic WAR and deploy it using the Tomcat manager webapp
11) Link transcoders
sudo ln -s /usr/bin/lame /var/subsonic/transcode/lame && sudo ln -s /usr/bin/ffmpeg /var/subsonic/transcode/ffmpeg
12) Log into Subsonic (https://yourserver:8081/subsonic) and configure LDAPS under Settings\Advanced. You can do it by users in a given OU or in a group. In the example below, users are part of a group called Subsonic. The LDAP Manager account should not be a privileged account anywhere.
By OU
LDAP URL: ldaps://192.168.1.2:636/ou=users,dc=domain,dc=local
LDAP Search Filter: (sAMAccountName={0})
LDAP Manager DN: DOMAIN\username
Check Box: Automatically create users in Subsonic
Or by Group
LDAP URL: ldaps://192.168.1.2:636/dc=domain,dc=local
LDAP Search Filter: (&(sAMAccountName={0})(&(objectCategory=user)(memberof=cn=subsonic,ou=groups,dc=domain,dc=local)))
LDAP Manager DN: DOMAIN\username
Check Box: Automatically create users in Subsonic
13) Some tweaks
Add cache memory and change usercache. I've set my usercache to be 1 hour. That means if I remove access for a user it will take up to an hour for Subsonic to reflect the change. The defaults are ridiculously high and users never lose access until a restart of the service.
sudo vim /var/lib/tomcat6/webapps/subsonic/WEB-INF/classes/ehcache.xml
<defaultCache maxElementsInMemory="10000"
eternal="false"
timeToIdleSeconds="120"
timeToLiveSeconds="120"
overflowToDisk="true"
maxElementsOnDisk="10000000"
diskPersistent="false"
diskExpiryThreadIntervalSeconds="120"
memoryStoreEvictionPolicy="LRU"/>
<cache name="musicFileCache"
maxElementsInMemory="1000"
eternal="true"
timeToIdleSeconds="0"
timeToLiveSeconds="0"
overflowToDisk="false"/>
<cache name="childDirCache"
maxElementsInMemory="100"
eternal="true"
timeToIdleSeconds="0"
timeToLiveSeconds="0"
overflowToDisk="false"/>
<cache name="coverArtCache"
maxElementsInMemory="200"
eternal="false"
timeToIdleSeconds="300"
timeToLiveSeconds="300"
overflowToDisk="false"/>
<cache name="userCache"
maxElementsInMemory="1000"
eternal="false"
timeToIdleSeconds="3600"
timeToLiveSeconds="3600"
overflowToDisk="false"/>
<cache name="musicFolderCache"
maxElementsInMemory="250"
eternal="true"
diskPersistent="true"
overflowToDisk="true"/>
<cache name="chatCache"
maxElementsInMemory="10"
eternal="true"
diskPersistent="true"
overflowToDisk="true"/>
</ehcache>
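The point of the userCache tweak above is the revocation window: a user removed from the directory keeps access until the cached entry expires. The script below is an added example, not part of the original post or of Subsonic; it pulls the userCache attributes out of an ehcache.xml with awk and reports the worst-case lag in seconds, or "unbounded" when the cache is eternal or has no TTL. The two sample files it writes are constructed for the example (the "eternal" one is not a claim about Subsonic's shipped defaults); on a host, point it at /var/lib/tomcat6/webapps/subsonic/WEB-INF/classes/ehcache.xml.

```shell
#!/bin/sh
# Added example (not from the original post): report how long a removed LDAP
# user can stay cached, based on the userCache element in ehcache.xml.

# cache_attr FILE NAME ATTR: prints ATTR's value from the <cache name="NAME"> element.
cache_attr() {
    awk -v name="$2" -v attr="$3" '
        $0 ~ "<cache name=\"" name "\"" { inblock = 1 }
        inblock && match($0, attr "=\"[^\"]*\"") {
            # strip the leading attr=" and the trailing quote
            print substr($0, RSTART + length(attr) + 2, RLENGTH - length(attr) - 3)
            exit
        }
        inblock && /\/>/ { exit }
    ' "$1"
}

# revocation_lag FILE: worst-case seconds a removed user keeps access, or
# "unbounded" when the cache is eternal or timeToLiveSeconds is 0/missing
# (in ehcache a TTL of 0 means no limit).
revocation_lag() {
    eternal=$(cache_attr "$1" userCache eternal)
    ttl=$(cache_attr "$1" userCache timeToLiveSeconds)
    if [ "$eternal" = "true" ] || [ -z "$ttl" ] || [ "$ttl" -eq 0 ]; then
        echo unbounded
    else
        echo "$ttl"
    fi
}

# usercache_ok FILE MAX: succeeds when the lag is bounded and at most MAX seconds.
usercache_ok() {
    lag=$(revocation_lag "$1")
    [ "$lag" != "unbounded" ] && [ "$lag" -le "$2" ]
}

# write_samples DIR: two constructed ehcache fragments, one with the post's
# one-hour userCache and one where the cache never expires.
write_samples() {
    cat > "$1/tweaked.xml" <<'EOF'
<ehcache>
<cache name="coverArtCache" maxElementsInMemory="200" eternal="false"
       timeToIdleSeconds="300" timeToLiveSeconds="300" overflowToDisk="false"/>
<cache name="userCache"
       maxElementsInMemory="1000"
       eternal="false"
       timeToIdleSeconds="3600"
       timeToLiveSeconds="3600"
       overflowToDisk="false"/>
</ehcache>
EOF
    cat > "$1/eternal.xml" <<'EOF'
<ehcache>
<cache name="userCache" maxElementsInMemory="1000" eternal="true"
       timeToIdleSeconds="0" timeToLiveSeconds="0" overflowToDisk="false"/>
</ehcache>
EOF
}

# Stand-alone run over the constructed samples.
demo=$(mktemp -d)
write_samples "$demo"
for f in "$demo"/*.xml; do
    echo "$(basename "$f"): userCache revocation lag = $(revocation_lag "$f")s"
done
rm -rf "$demo"
```

The check is deliberately strict about eternal="true" and a zero TTL, since either one means a disabled account is still served from cache until Tomcat restarts, which is exactly the behaviour the tweak is meant to remove.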
14) Increase the heap memory available to Tomcat. This is what I have configured. My library is only 13,000 songs with 5 users. My install is on a VM with 2 vCPUs and 2GB RAM. Adjust your values to fit your needs.
vim /etc/default/tomcat6
JAVA_OPTS="-Djava.awt.headless=true -Xmx512m -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode"