Info |
---|
Release Date: January 20, 2017 |
Warning |
---|
SSP 2.8 requires Java JDK 1.8 and Tomcat 8.0.X or 8.5.X. No other versions of Java or Tomcat will work. Both Java and Tomcat must be updated prior to installing SSP 2.8. |
Info |
---|
For all existing installations of 2.0.X and 2.1.X, important upgrade instructions exist in the previous 2.1, 2.2, 2.3, 2.4, 2.5.1, 2.5.2, 2.6.0 and 2.7.0 Release notes.
If you are running an SSP version prior to 1.1.1, you are strongly encouraged to upgrade or otherwise apply the reporting subsystem security patches described by SSP-701. If you are running SSP version 2.0.0 or 2.0.0-b3, you are strongly encouraged to upgrade to 2.0.1 or 2.1.0 or 2.2.0 or later or otherwise apply the Confidentiality Level-related patches for the Student Documents tool as described by SSP-1917. Also please take a few minutes to review additional security-related announcements detailed at the top of the SSP space here in Confluence. |
Table of Contents |
---|
Step by step instructions for building and deploying the SSP 2.8.0 release.
- Software Prerequisites (JDK, Tomcat, Maven, Ant, RDBMS)
- SSP Platform build and deployment
...
The following software prerequisites must be installed with the appropriate environment variables to build and run SSP:
- JDK 1.8 is required starting with SSP v2.8.0. Java SE JDK 1.7 and earlier will no longer work. (The SSP development team has also observed somewhat better GC performance with the Sun/Oracle JDK vs OpenJDK.)
  - Download Location: http://java.sun.com Increasingly 1.7 is being hidden, the last known good link is here: JAVA 1.7. If that doesn't work, use the query "java jdk 1.7 download" in a search engine.
  Environment Variable: JAVA_HOME
  Tip: Java Environment Variable
  JAVA_HOME=/path/to/your/java (ie: /usr/local/java or C:\java\jdk)
  (optional)
  PATH= append the bin subdirectory to the path statement
- Tomcat 8.X (Tomcat 6 is not supported as of the 2.8 release)
Instructions for installing and configuring Tomcat for the SSP-Platform (uPortal 4.0). Last known good link to download Tomcat is here: Tomcat 6.
Warning: Tomcat Configuration
It is important to complete sections: Shared Libraries, Shared Sessions, Context and Java Heap.
1. Minimally, the catalina.properties file must contain:
shared.loader=${catalina.base}/shared/lib/*.jar
2. And your active connector/s in <tomcat>/conf/server.xml must have the emptySessionPath flag set:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
emptySessionPath="true" />
3. (new in Tomcat 8) The context must be updated with two changes. The context.xml should be modified with an updated Context tag and new lines for Resources. The following excerpt can replace the existing section.
<Context crossContext="true" sessionCookiePath="/">
    <!-- Default set of monitored resources. If one of these changes, the -->
    <!-- web application will be reloaded. -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
    <Resources cachingAllowed="true" cacheMaxSize="100000" />
    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
    <!-- <Manager pathname="" /> -->
</Context>
4. Increase the heap in <tomcat>/bin/setenv.sh (*nix) or <tomcat>/bin/setenv.bat (Windows). Smaller sizing is probably feasible, but the examples below match what our SSP CI envs run with. For production systems, start with a max heap of roughly half available physical memory and increase from there if necessary. The uPortal instructions above recommend using JAVA_OPTS for heap sizing. This can lead to problems on memory constrained systems because JAVA_OPTS will be used when trying to stop Tomcat with its own scripts. You don't typically need a large heap at all for that operation. So CATALINA_OPTS is a better choice for sizing the heap in setenv scripts, because that var will only be used for Tomcat's http-serving runtime.
setenv.sh:
CATALINA_OPTS="-Xms2G -Xmx2G -XX:PermSize=256m -XX:MaxPermSize=256m"
setenv.bat (uPortal instructions linked to above are missing the 'set'):
set CATALINA_OPTS=-Xms2G -Xmx2G -XX:PermSize=256m -XX:MaxPermSize=256m
Additionally, a performance improvement has been experienced by enabling compression in Tomcat.
Tip: Add compression="force" to the server.xml in the connector like the following:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
emptySessionPath="true"
compression="force" />
- Maven 3.0.3 or later
  - Download Location: http://maven.apache.org
  Environment Variable: MAVEN_HOME
  Tip: Maven Environment Variables
  MAVEN_HOME= /path/to/your/maven (ie: /usr/local/maven or C:\tools\maven)
  M2_HOME= /path/to/your/maven (ie: /usr/local/maven or C:\tools\maven)
  (optional)
  PATH= append the bin subdirectory to the path statement
- Ant 1.8.2 (use this exact version)
  - Download Location: http://ant.apache.org Last known good link: Ant Binaries
  Environment Variable: ANT_HOME
  Tip: Ant Environment Variable
  ANT_HOME= /path/to/your/ant (ie: /usr/local/ant or C:\tools\ant)
  (optional)
  PATH= append the bin subdirectory to the path statement
- Sencha SDK
  - Download Location: http://www.sencha.com/products/sdk-tools/download Note: Sencha CMD may not work well, particularly on Linux. If so use this query "SenchaSDKTools-2.0.0-beta3" in a search engine and pick the appropriate version from an alternate download source.
  Tip: PATH= append the root to the path statement
  See SSP Sencha Build Tool Usage for additional installation steps on 64-bit OSs
- PostgreSQL 9.1 or later
  - Download Location: http://www.postgresql.org
    - On Unix:
      - PostgreSQL is available in the package manager of most Linux distributions.
      - Install it according to the distribution's instructions
      - Ubuntu - https://help.ubuntu.com/11.10/serverguide/C/postgresql.html
    - On Mac:
      - PostgreSQL is available via the homebrew package manager or as a download on the postgresql.org site.
    - On Windows:
      - PostgreSQL is available as a download on the postgresql.org site.
  - Configure PostgreSQL
    - Server Connection
      - Launch the PG Admin application
      - In the Object Browser, navigate to and right click on Server Groups -> Servers -> PostgreSQL 9.1 (localhost:5432)
      - Click Connect and then enter the administrator password
    - Login Roles
      - In the Object Browser, right click on Login Roles and click New Login Role
      - In the Properties tab, enter a Role name of "sspadmin" without the quotes
      - In the Definition tab, enter a Password of "sspadmin" without the quotes
      - In the Object Browser, right click on Login Roles and click New Login Role
      - In the Properties tab, enter a Role name of "ssp" without the quotes
      - In the Definition tab, enter a Password of "ssp" without the quotes
      - Confirm the new Login Roles exist in the Object Browser
    - Database
      - In the Object Browser, right click on Databases and click New Database
      - Enter "ssp" without the quotes as the database name
      - Enter "sspadmin" without the quotes as the database owner
      - Confirm the new database exists in the Object Browser
- Microsoft SQL Server 2008 R2, 2012 and 2014
  - Server Connection
    - Launch the SQL Server Management Studio application
    - Enter your database connection info including administrator account credentials, and click Connect
  - Login Roles
    - Navigate to Security->Logins, and right click on New Login
    - Login name of "sspadmin" without the quotes
    - Select SQL Server authentication and enter a Password of "sspadmin" without the quotes
    - Uncheck Enforce password policy
    - Right click on Logins again, and New Login Role
    - Login name of "ssp" without the quotes
    - Select SQL Server authentication and enter a Password of "ssp" without the quotes
    - Uncheck Enforce password policy
    - Confirm the new users exist
  - Database
    - Navigate to and right click on Databases and click New Database
    - Enter "ssp" without the quotes as the database name
    - Confirm the new database exists
    - Run the following SQL to assign user permissions and configure the required database settings
...
Zip Download |
---|
The source files can be downloaded in a zip file. Download Location: SSP-platform-2-8.0.zip ("SSP Platform" is a portal application which acts as a container for SSP itself. The two applications are versioned independently. By default, version 2.8.0 of SSP Platform will include version 2.8.0 of SSP.) Note: If you wish to make customizations to SSP, you'll want to download SSP separately; see: Developer Install Instructions |
...
- Create a directory for the local SSP configuration files
  - Unix/Linux/Mac example: /usr/local/ssp/ssp-local
  - Windows example: C:\ssp\ssp-local
  - Make the directory only readable by the user that is running Tomcat
  - Set an Environment Variable for the local configuration file location
    Tip: SSP_CONFIGDIR=/path/to/your/local-configuration (ie: /usr/local/ssp/ssp-local or C:\ssp\ssp-local)
- ssp-config.properties
  - The ssp-config.properties file must be modified for database connectivity and email settings
  - Baseline File Location: <ssp root>/src/main/config/external/ssp-config.properties Note: If you didn't download SSP separately, copy or download the file from here: ssp-config.properties
  - Action: Copy the baseline ssp-config.properties file into the local configuration directory created above and rename it to ssp-config.properties. Or start with an empty ssp-config.properties in that directory and add only the properties for which you need to override the default value.
  - Configuration Values:
Value | Description | Note |
---|---|---|
system_id | Unique identifier of the SSP instance | |
db_username | Values for connecting to the SSP database | |
db_password | Values for connecting to the SSP database | |
db_admin_username | Values for connecting to the SSP database | |
db_admin_password | Values for connecting to the SSP database | |
db_username_liquibase | Value to allow for MS SQL Server domain accounts | ${db_username_liquibase} and ${db_username} should be set to the same value unless you're on SqlServer, using the JTDS driver, and SSP connects to the database as domain users. If that applies to you, keep ${db_username} set to the unqualified account name, but change ${db_username_liquibase} to the fully-qualified domain account name as shown here. Include the brackets and double back-slashes. db_username_liquibase=[DOMAIN\\username] Default is ${db_username} |
db_schema | Db schema for the SSP database | Examples: Postgres: public; SQLServer: dbo |
db_name | Value for the SSP database | |
db_url | jdbc connection syntax | For Microsoft SQL Server, either specify a port (the default is 1433) or ensure that the SQL Server Browser service is running because the SQL Server JDBC driver defaults to port 1434 which is the SQL Server Browser service default port. Depending on the server configuration, either may work, or you may want to explicitly specify the port and instance name, if applicable. For best results with SQL Server, the JTDS driver included with the Platform installation is recommended. Examples of the url are provided in the sample ssp-config.properties file. SQL Server db_url w DOMAIN USER AUTHN may look like this; substitute machine name, instance and domain names w/o <>'s: db_url=jdbc:jtds:sqlserver://<machine_name>:1433/${db_name};instance=<instance_name>;domain=<domain_name> |
db_driver_class | jdbc database connectivity syntax | For best results with SQL Server, the JTDS driver included with the Platform installation is recommended. Examples of the class are provided in the sample ssp-config.properties file. |
db_dialect | Hibernate dialect | Use of one of the org.jasig.ssp.util.hibernate.ExtendedSQLServer*Dialects is strongly encouraged if running against SQLServer. (The default ssp-config.properties has an example.) |
db_conns_max_active | Values for the database connection pool | The default value will need to be increased for test and production |
db_conns_max_idle | Values for the database connection pool | The default value will need to be increased for test and production |
db_conns_max_wait | Values for the database connection pool | |
db_conns_validation_query | Values for the database connection pool | |
db_liquibase_enabled | Enables the liquibase script for database table management | |
db_liquibase_changelog | Location for the liquibase change log | |
db_liquibase_set_mssql_snapshot_isolation | Parameter for configuring a MSSQL database | IMPORTANT The default value is 'true'. Set this value to 'false' for MSSQL. The liquibase changeset 000014.xml will be ignored. The sql above configures the database correctly. |
db_liquibase_strip_journal_comment_markup | Parameter to enable a script to convert HTML Journal Entries to plain text | |
db_liquibase_strip_tuition_paid_is_y | True value will delete the existing values forced into the database in v1.2.0, False will leave the existing values alone | This only applies to implementers who installed v1.2.0 or earlier AND populated the external_registration_status_by_term.tuition_paid field with external data |
db_liquibase_external_fa_not_null_drop_y | True value allows the table to be re-created with the correct column definitions for null values | |
db_liquibase_external_apply_natural_keys | True value will apply the new primary keys to the external database | Version 2.0.0 added primary keys to the external database tables for performance and uniqueness enhancements. If there are non-unique values in the database, the liquibase will fail to make the table changes. |
db_liquibase_manage_external_database_by_default | True value will allow SSP to manage the tables and views | If you want to take total control of SSP's external views and tables, change that property to false in your SSP_CONFIGDIR/ssp-config.properties before first startup. And once you've started up, there's really no point in ever changing that value afterwards. (If you turn it off, then decide you want SSP to manage external views and tables after all, you'll need to update config set value = 'true' where name = 'manage_integration_database' and then restart.) |
db_liquibase_convert_external_term_timestamps | True value in external_term.start_date and external_term.end_date will be interpreted in ${db_time_zone_legacy} and re-written in ${db_time_zone_legacy}. | True usually makes sense for both upgrades and fresh installs. Would only set to false if for some reason these fields have already been converted to ${db_time_zone} via some external process. |
db_batchsize | The number of records to process for database transactions. | The default value is 300. Use of the parameter can increase performance of queries writing large sums of data into the database. This is primarily used in the Caseload Re-assignment tool. |
student_documents_base_dir | Base Directory for student documents | The default is ${catalina.base}/ssp-uploads/student-docs. It is important to not end in path separator like / or \ |
student_documents_volumes | Comma separated list of subdirectories under student documents | It is important to not end in path separator like / or \ |
student_documents_file_types | Comma separated list of allowable file types that will be used to validate student document files | The initial types are pdf,gif,jpg,jpeg,doc,docx,xls,png. It is important to not include the period/dot in the definition. Only the type abbreviation is required. |
student_documents_max_size | Maximum size of an individual file, in bytes | The default value is 5000000 |
cacheLifeSpanInMillis | This property will dictate how long lived a cache will be; only external courses uses a cache | Default is 86400000 = 1 day |
db_time_zone_legacy | Parameter to set the timezone for data migration | Used for migrating persistent timestamps. Prior to work on SSP-1002, SSP-1035, and SSP-1076, timestamps were stored in the JVM default timezone. After that the application assumes they are stored in ${db_time_zone}. In order to correctly migrate existing data, though, the app needs to know the original timezone. This is almost always going to be the current JVM default timezone, hence the default value here, which is a special value instructing the app to lookup and inject that timezone into this config property. In the rare event you need to change that value, you can do so here. This would likely only be necessary if, for whatever reason, you change the JVM default *after* the migrations run, which would result in a Liquibase checksum error. To avoid that, just set the relevant timezone here when and if you make that change. Default is CURRENT_JVM_DEFAULT |
db_time_zone | Timezone ID for the JVM | JVM-recognized TimeZone ID for the zone in which persistent date/time values should be interpreted. Should rarely if ever need to be overridden. If overridden, should always be set to a TimeZone that does not observe Daylight Savings Time unless trying to cope with legacy data that was stored in a DST-aware TimeZone. Once set, should never be changed else date/time values in the database will be interpreted incorrectly. (SSP does not store timezone data on persistent date/time values and implements no logic for detecting and/or handling changes to this configuration option.) Default is UTC |
highly_trusted_ips | The list of IP addresses that are allowed to access the APIs | This is used in conjunction with high_trusted_ips_enabled in the System Configuration |
smtp_username | Value for email relay | |
smtp_password | Value for email relay | |
smtp_host | Value for email relay | |
smtp_port | Value for email relay | |
smtp_protocol | Protocol for email | Default is smtp |
ssp_admins_email_addresses | Recipient of system generated messages | |
scheduled_coach_sync_enabled | Parameter to enable coach sync process | |
per_coach_sync_transactions | Parameter to enable the sync process to run per coach instead of one large transaction for all coaches | |
scheduled_task_cleanup_wait_millis | Max amount of time, in milliseconds, the app will wait during shutdown for any background tasks to abandon their work. | Default is 10000 |
uportal_session_keep_alive_timeout | Length of time for uPortal sessions | KeepAliveFilter |
oauth2_client_password_encoding_secret | Config for setting the key with which OAuth2 Client secrets are hashed before being placed into the database | See SSP OAuth2 API Authentication |
spring.profiles.active | Deployment options | dev-standalone: completely free of uPortal; standalone: as the only portlet in a uPortal instance; uPortal: as one of many portlets in a uPortal instance |
ssp_main_use_minifed_js | Parameter to determine the javascript file used in the deployment | When set to true, ssp-main.jsp will include a minified js called app-all.js. When set to false, ssp-main.jsp will include the non-minified app.js |
ssp_trusted_code_run_as_key | When the scheduled jobs run they have to "run as" a particular user. SSP uses SpringSecurity for this, and the application code is allowed to sudo to a different user as long as it knows the special shared secret defined in the configuration. | Default is SZP. If you plan on running deployment-specific third-party code, or really even other webapps in the same Tomcat container, you should probably select a more complex, deployment-specific value. |
ssp_platform_sso_ticket_service_shared_secret | Enables LTI and legacy inbound SSO mechanisms | If unset, LTI and legacy inbound SSO will be disabled. To enable those features, set to a non-empty value and ensure the same value is set as environment.build.sso.local.sharedSecret in $SSP_CONFIGDIR/ssp-platform-config.properties. |
background_jobs | Controls background jobs for multi-server deployments | The default is 'On' which allows background tasks to run. Off will disable background jobs from running and would generally only apply to multi-server deployments where only one instance will run the background jobs |
reroute_all_mail_to_address | Enables email override for email messages | If an address is specified here, this configuration is enabled and the body of the delivered message will specify the original intended recipient(s) including cc and bcc |
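The directory-permission step and the ssp_trusted_code_run_as_key note above can be checked mechanically before first startup. The following is an added example, not part of the SSP distribution: it assumes POSIX permission bits, and the function names and the sample file are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Constructed sample: the credentials the database walkthrough creates,
# with ssp_trusted_code_run_as_key left at its documented default.
SAMPLE = """\
# ssp-config.properties (constructed for this example)
db_username=ssp
db_password=ssp
db_admin_username=sspadmin
db_admin_password = sspadmin
ssp_trusted_code_run_as_key=SZP
smtp_password=
"""

# (password property, username property it must not simply repeat)
PAIRS = [("db_password", "db_username"),
         ("db_admin_password", "db_admin_username")]
RUN_AS_DEFAULT = "SZP"  # default stated in the configuration table


def parse_properties(text):
    """Parse key=value / key:value lines; skip # and ! comment lines."""
    props = {}
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join continuation lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(props):
    """Return findings for values this install page itself documents."""
    findings = []
    for secret, user in PAIRS:
        if props.get(secret) and props.get(secret) == props.get(user):
            findings.append(f"{secret} repeats {user}")
    # An absent key means the application falls back to the default.
    if props.get("ssp_trusted_code_run_as_key", RUN_AS_DEFAULT) == RUN_AS_DEFAULT:
        findings.append("ssp_trusted_code_run_as_key is the default")
    return findings


def private_to_owner(path):
    """True if group and others have no permission bits on path."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def demo():
    """Write SAMPLE into a scratch config dir, lock it down, audit it."""
    with tempfile.TemporaryDirectory() as confdir:
        cfg = os.path.join(confdir, "ssp-config.properties")
        with open(cfg, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(confdir, 0o755)           # world-readable: what to avoid
        too_open = not private_to_owner(confdir)
        os.chmod(confdir, 0o700)           # only the Tomcat user
        os.chmod(cfg, 0o600)
        locked = private_to_owner(confdir) and private_to_owner(cfg)
        with open(cfg) as fh:
            return too_open, locked, audit(parse_properties(fh.read()))


if __name__ == "__main__":
    too_open, locked, findings = demo()
    print("0755 flagged:", too_open, "| 0700/0600 accepted:", locked)
    for f in findings:
        print("FINDING:", f)
```

On Windows the directory restriction is enforced through ACLs rather than mode bits, so only the properties audit applies there.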
- logback.xml
  - The logback.xml controls the log location and level
  - Baseline File Location: <ssp root>/src/main/config/external/logback.xml Note: If you didn't download SSP separately, copy or download the file from here: logback.xml
  - Action: Copy the baseline logback.xml file into the local configuration directory created above
  - Configuration Values: Typically you only need to modify the path at which this file will find the ssp-config.properties file you configured above. E.g.:
...