| commit | author | age | ||
| 8c99a7 | 1 | ## Gitblit GO Installation & Setup |
| JM | 2 | |
| 3 | 1. Download and unzip Gitblit GO [${project.releaseVersion} (Windows)](%GCURL%gitblit-${project.releaseVersion}.zip) or [${project.releaseVersion} (Linux/OSX)](%GCURL%gitblit-${project.releaseVersion}.tar.gz). | |
| 17ae31 | 4 | *It is best to eliminate spaces in the path name.* |
| 6c4be1 | 5 | 2. The server itself is configured through a simple text file. |
| 8c99a7 | 6 | Open `data/gitblit.properties` in your favorite text editor and make sure to review and set: |
| JM | 7 | - *server.httpPort* and *server.httpsPort* |
| 69eeaa | 8 | - *server.storePassword* (do not enter *#* characters) |
| 8c99a7 | 9 | **https** is strongly recommended because passwords are insecurely transmitted form your browser/git client using Basic authentication! |
| JM | 10 | - *git.packedGitLimit* (set larger than the size of your largest repository) |
| 6c4be1 | 11 | 3. Execute `authority.cmd` or `java -cp gitblit.jar com.gitblit.authority.Launcher --baseFolder data` from a command-line |
| 17ae31 | 12 | **NOTE:** The Authority is a Swing GUI application. Use of this tool is not required as Gitblit GO will startup and create SSL certificates itself, BUT use of this tool allows you to control the identification metadata used in the generated self-signed certificates. Skipping this step will result in certificates with default metadata. |
| 8c99a7 | 13 | 1. fill out the fields in the *new certificate defaults* dialog |
| JM | 14 | 2. enter the store password used in *server.storePassword* when prompted. This generates an SSL certificate for **localhost**. |
| 6c4be1 | 15 | 3. you may want to generate an SSL certificate for the hostname or ip address hostnames you are serving from |
| JM | 16 | **NOTE:** You can only have **one** SSL certificate specified for a port. |
| 8c99a7 | 17 | 5. exit the authority app |
| JM | 18 | 4. Execute `gitblit.cmd` or `java -jar gitblit.jar --baseFolder data` from a command-line |
| 19 | 5. Open your browser to <http://localhost:8080> or <https://localhost:8443> depending on your chosen configuration. | |
| 20 | 6. Enter the default administrator credentials: **admin / admin** and click the *Login* button | |
| 21 | **NOTE:** Make sure to change the administrator username and/or password!! | |
| 22 | ||
| 23 | ### GO Data Location | |
| 24 | ||
| 25 | By default, Gitblit GO stores all data (users, settings, repositories, etc) in the `data` subfolder of your GO installation. You may specify an external location for your data on the command-line by setting the *--baseFolder* argument. If you relocate the data folder then you must supply the *--baseFolder* argument to both GO and the Certificate Authority. | |
| 26 | ||
| 27 | If you are deploying Gitblit to a *nix platform, you might consider moving the data folder out of the GO installation folder and then creating a symlink named "data" that points to your moved folder. | |
| 28 | ||
| 8a8bc3 | 29 | #### Specifying baseFolder via GITBLIT_HOME |
| JM | 30 | |
| 31 | You can specify `GITBLIT_HOME` either as an environment variable or as a `-DGITBLIT_HOME` JVM system property. | |
| 32 | ||
| 17ae31 | 33 | ### Including Other Properties |
| JM | 34 | SINCE 1.7.0 |
| 35 | ||
| 36 | Gitblit supports loading it's settings from multiple properties files. You can achieve this using the `include=filename` key. This setting supports loading multiple files using a *comma* as the delimiter. They are processed in the order defined and they may be nested (i.e. your included properties may include properties, etc, etc). | |
| 37 | ||
| 8c99a7 | 38 | ### Creating your own Self-Signed SSL Certificate |
| JM | 39 | Gitblit GO (and Gitblit Certificate Authority) automatically generates a Certificate Authority (CA) certificate and an ssl certificate signed by this CA certificate that is bound to *localhost*. |
| 40 | ||
| 41 | Remote Eclipse/EGit/JGit clients (< 3.0) will fail to communicate using this certificate because JGit always verifies the hostname of the certificate, regardless of the *http.sslVerify=false* client-side setting. | |
| 42 | ||
| 43 | The EGit failure message is something like: | |
| 44 | ||
| 45 | Cannot get remote repository refs. | |
| 46 | Reason: https:/myserver.com/git/myrepo.git: cannot open git-upload-pack | |
| 47 | ||
| 48 | If you want to serve your repositories to another machine over https then you will want to generate a new certificate for the hostname or ip address you are serving from. | |
| 49 | ||
| 69eeaa | 50 | **NOTE:** The Gitblit Authority is a GUI tool and will require X11 forwarding on headless UNIX boxes. |
| JM | 51 | |
| 8c99a7 | 52 | 1. `authority.cmd` or `java -jar authority.jar --baseFolder data` |
| JM | 53 | 2. Click the *new ssl certificate* button (red rosette in the toolbar in upper left of window) |
| 54 | 3. Enter the hostname or ip address | |
| 55 | 4. Make sure the checkbox *serve https with this certificate* is checked | |
| 56 | 5. In the keystore password prompt, enter the *server.storePassword* password | |
| 57 | ||
| 58 | If you decide to change the value of *server.storePassword* (recommended) <u>after</u> you have already started Gitblit or Gitblit Certificate Authority, then you will have to delete the following files and then restart the Gitblit Certificate Authority app: | |
| 59 | ||
| 60 | 1. data/serverKeyStore.jks | |
| 61 | 2. data/serverTrustStore.jks | |
| 62 | 3. data/certs/caKeyStore.jks | |
| 63 | 4. data/certs/ca.crt | |
| 64 | 5. data/certs/caRevocationList.crl (optional) | |
| 65 | ||
| 66 | ### Client SSL Certificates | |
| 67 | SINCE 1.2.0 | |
| 68 | ||
| 69 | Gitblit supports X509 certificate authentication. This authentication method relies on your servlet container to validate/verify/trust your client certificate and can be used by your browser and your git client. | |
| 70 | ||
| 71 | All X509 certificates have a *distinguished name (DN)* which is a signature of several fields like: | |
| 72 | ||
| 73 | C=US,O=Gitblit,OU=Gitblit,CN=james | |
| 74 | ||
| 75 | Gitblit must be able to map the DN of the certificate to an *existing* account username. The default mapping is to extract the *common name (CN)* value from the DN and use that as the account name. If the CN is a valid account, then the user is authenticated. The servlet container which runs Gitblit validates, verifies, and trusts the certificate passed to Gitblit. If you need to specify an alternative DN mapping you may do so with the *git.certificateUsernameOIDs* setting, but this mapping must be matched to the user account name. | |
| 76 | ||
| 77 | How do you make your servlet container trust a client certificate? | |
| 78 | ||
| 79 | In the WAR variant, you will have to manually setup your servlet container to: | |
| 80 | ||
| 81 | 1. want/need client certificates | |
| 82 | 2. trust a CA certificate used to sign your client certificates | |
| 83 | 3. generate client certificates signed by your CA certificate | |
| 84 | ||
| 85 | Alternatively, Gitblit GO is designed to facilitate use of client certificate authentication. Gitblit GO ships with a tool that simplifies creation and management of client certificates, Gitblit Certificate Authority. | |
| 86 | ||
| 87 | #### Creating SSL Certificates with Gitblit Certificate Authority | |
| 88 | ||
| 89 | When you generate a new client certificate, a zip file bundle is created which includes a P12 keystore for browsers and a PEM keystore for Git. Both of these are password-protected. Additionally, a personalized README file is generated with setup instructions for popular browsers and Git. The README is generated from `data\certs\instructions.tmpl` and can be modified to suit your needs. | |
| 90 | ||
| 91 | 1. `authority.cmd` or `java -jar authority.jar --baseFolder data` | |
| 92 | 2. Select the user for which to generate the certificate | |
| 93 | 3. Click the *new certificate* button and enter the expiration date of the certificate. You must also enter a password for the generated keystore. This password is *not* the same as the user's login password. This password is used to protect the privatekey and public certificate you will generate for the selected user. You must also enter a password hint for the user. | |
| 94 | 4. If your mail server settings are properly configured you will have a *send email* checkbox which you can use to immediately send the generated certificate bundle to the user. | |
| 95 | ||
| 96 | #### Certificate Inspection and Advanced Troubleshooting | |
| 97 | ||
| 98 | X509 certificates can be confusing and tricky even with the simplified Gitblit Certificate Authority tool. If you find you need more tooling to understand your keystores, certificates, and certificate revocation lists (CRLs), I highly recommend [Portecle](http://portecle.sourceforge.net) which can be conveniently launched as a [Java Web Start app](http://portecle.sourceforge.net/webstart/portecle.jnlp). | |
| 99 | ||
| 100 | ### Running as a Windows Service | |
| 101 | Gitblit uses [Apache Commons Daemon](http://commons.apache.org/daemon) to install and configure its Windows service. | |
| 102 | ||
| 103 | 1. **Review the contents** of the `installService.cmd` where you may have to change the <u>default keystore password</u>. | |
| 104 | 2. Set the *ARCH* value as appropriate for your installed Java Virtual Machine. | |
| 105 | 3. Add any necessary *--StartParams* as enumerated below in **Command-Line Parameters**. | |
| 106 | 4. Execute the script. | |
| 107 | ||
| 6c4be1 | 108 | After service installation you can use the `gitblitw.exe` utility to control and modify the runtime settings of the service. |
| 8c99a7 | 109 | Additional service definition options and runtime capabilities of `gitblitw.exe` (prunmgr.exe) are documented [here](http://commons.apache.org/daemon/procrun.html). |
| JM | 110 | |
| 6c4be1 | 111 | **NOTE:** |
| 8c99a7 | 112 | If you change the name of the service from *gitblit* you must also change the name of `gitblitw.exe` to match the new service name otherwise the connection between the service and the utility is lost, at least to double-click execution. |
| JM | 113 | |
| 114 | #### VM Considerations | |
| 6c4be1 | 115 | By default, the service installation script configures your Windows service to use your default JVM. This setup usually defaults to a client VM. |
| 8c99a7 | 116 | If you have installed a JDK, you might consider using the `gitblitw.exe` utility to manually specify the *server* VM. |
| JM | 117 | |
| 118 | 1. Execute `gitblitw.exe` | |
| 119 | 2. On the *Java* tab uncheck *Use default*. | |
| 6c4be1 | 120 | 3. Manually navigate your filesystem and specify the server VM with the `...` button |
| JM | 121 | <pre>Java Virtual Machine: |
| 8c99a7 | 122 | C:\Program Files\Java\jre6\bin\server\jvm.dll</pre> |
| JM | 123 | |
| 124 | #### Command-Line Parameters | |
| 125 | Command-Line parameters override the values in `gitblit.properties` at runtime. | |
| 126 | ||
| 127 | --baseFolder The default base folder for all relative file reference settings | |
| 128 | --repositoriesFolder Git Repositories Folder | |
| 129 | --userService Authentication and Authorization Service (filename or fully qualified classname) | |
| 130 | --httpPort HTTP port for to serve. (port <= 0 will disable this connector) | |
| 131 | --httpsPort HTTPS port to serve. (port <= 0 will disable this connector) | |
| 9ef027 | 132 | --sshPort SSH Daemon port to serve. (port <= 0 will disable this daemon) |
| JM | 133 | --gitPort Git Daemon port to serve. (port <= 0 will disable this daemon) |
| 8c99a7 | 134 | --alias Alias in keystore of SSL cert to use for https serving |
| JM | 135 | --storePassword Password for SSL (https) keystore. |
| 136 | --shutdownPort Port for Shutdown Monitor to listen on. (port <= 0 will disable this monitor) | |
| aa61fc | 137 | --dailyLogFile Redirect logging to a rolling, daily log file instead of stdout |
| 8c99a7 | 138 | --tempFolder Folder for server to extract built-in webapp |
| JM | 139 | |
| 140 | **Example** | |
| 141 | ||
| 142 | java -jar gitblit.jar --userService c:/myrealm.config --storePassword something --baseFolder c:/data | |
| 143 | ||
| 144 | #### Overriding Gitblit GO's Log4j Configuration | |
| 145 | ||
| 146 | You can override Gitblit GO's default Log4j configuration with a command-line parameter to the JVM. | |
| 147 | ||
| 148 | java -Dlog4j.configuration=file:///home/james/log4j.properties -jar gitblit.jar <optional_gitblit_args> | |
| aa61fc | 149 | |
| JM | 150 | You can not use override the default log4j configuration *AND* specify the `--dailyLogFile` parameter. For reference, here is [Gitblit's default Log4j configuration](https://github.com/gitblit/gitblit/blob/master/src/log4j.properties). It includes some file appenders that are disabled by default. |
| 8c99a7 | 151 | |
