
Funambol on Debian

This document describes how I set up Funambol on a Debian server. Of course, there are more ways of doing this. I've tried to document the reasons why I've chosen this path. The Configuration and Funambol administration client sections are required for proper operation; at least some of the other steps can probably be omitted, but I haven't tested all possible configuration combinations. I've marked things that may need further improvement, but the text should be usable as-is.

If you want to send me improvements to this text, please do so! hakkie42 at gmail free mail

2010-2011 jimbeam. Feel free to (re)use this text, but no warranties, express or implied, are given.

Version history:
17 April 2010, jimbeam: Initial version started for Ubuntu
12 March 2011, jimbeam: Split into Debian version

Table of Contents
Funambol on Debian
Versions and architecture
Preparation
Installation
  Network
  Java
  Apache
  Funambol
Configuration
  Startup on boot
    Ports
  Testing
Funambol administration client
Server customisation and hardening
  Strip out Windows specific files
  Remove email signature
  Replace bundled in Java with native Java
  Remove bundled admin tool
  Change log paths
  Replace Hypersonic with PostgreSQL
    Prepare your PostgreSQL server
    Set up Funambol configuration
    PostgreSQL backups
  Remove unused certificates
  Reverse proxy for easier encrypted connections
    Remove redundant Tomcat connectors
    Configure Apache web server
    Internet synchronisation
    Client authentication using certificates
    Final steps
  Remove guest user
  Move Funambol to system Tomcat
Users and clients
  Server configuration
    Automatic provisioning
Test and operations
Troubleshooting
References

Versions and architecture


Versions/components used:
- Virtual machine with 512MB memory, 8GB Disk in DMZ running Debian 6.0/Squeeze (stable) x64
- Separate PostgreSQL database server
- Funambol Community Edition Version 9 all in one install pack; contains Tomcat 6 application server and Java runtime

Purpose: to synchronize contact and address book information for a Small Office/Home Office environment.

I will let Funambol store its data in the PostgreSQL database instead of its embedded Hypersonic database because we can more easily back up the data and interface with other systems. I will use the Apache web server to reverse proxy encrypted SSL/TLS connections for synchronizing over the internet, as I've had a rough time wrestling with Tomcat's SSL certificate system. Email is out of scope for now (you can use IMAP servers for shared access to email data).

In future, I intend to hook up an IMAP mail server (at least for dummy/local mail) and Sogo groupware to this combination in order to be able to handle scheduling. Sogo will communicate with PostgreSQL and Funambol on the Debian server. In future, an OpenLDAP server will serve as the repository for user information and will be used as much as possible for integrating the components. Using Kerberos with these components could be possible but must be investigated.

Preparation
Unless otherwise indicated, all commands below are run with root privileges. Use e.g. su -c to become root. In shell commands or nano editing sessions, I often prefix comments for the reader with #. Likewise -- for database SQL commands. You can omit these comments if you want to; sometimes it makes sense to comment your files so you know what you've done. I always comment mine with a rare combination like rao redactedaccordingtolocalorganization ;) so a simple grep -r rao /* will dig out my configuration modifications.

To make upgrades easier and installs repeatable, I've included an installation-dependent list of variables in the configuration section, with some suggestions of possible values. You can fill that out when you install Funambol and use it when upgrading, changing config or installing other servers.

Installation
I'm assuming Debian and PostgreSQL are installed.

Network
My network setup is as follows:
- Funambol host in DMZ so we can use internet sync.
- Port 5432 tcp/udp for PostgreSQL opened from DMZ to PostgreSQL database server in internal network.

Java
If Java is not yet installed, do this:
Enable non-free repository:
nano /etc/apt/sources.list

Add these lines:
#rao: added non-free for Sun java:
deb http://ftp.debian.nl/debian/ squeeze non-free
deb-src http://ftp.debian.nl/debian/ squeeze non-free

Then:
aptitude update
aptitude install sun-java6-jdk #might have used jre but not sure if this is enough
update-java-alternatives --set java-6-sun #is this really required?

Apache
If Apache is not yet installed, do this:
aptitude install apache2
update-rc.d apache2 defaults #let apache start on boot

Funambol
Download the Funambol 9 Linux x64 all in one installer/bundle to a temporary directory with enough space (about 180 MB):
cd /tmp
wget http://download.forge.objectweb.org/sync4j/funambol-9.0.0-x64.bin
chmod u+x funambol-9.0.0-x64.bin

Run the binary installer:
./funambol-9.0.0-x64.bin

Do you agree to the above license terms? [yes or no]
yes

Directory to extract Funambol [/opt] <return to accept>?
<enter>

Extracting... to /opt/Funambol
Do you want to start the server? [yes or no]
no

rm /tmp/funambol-9.0.0-x64.bin

Configuration
Below is a table where you can record your specific configuration information. The rest of the guide should explain the meaning of the terms or indicate where you can find more information.

Item: Install location
Suggested value/value: /opt/Funambol
Description: I suggest keeping the default value of /opt/Funambol. We assume you used this setting in the text below. Change to match your own setting if that differs.

Item: Host
Suggested value/value: funambolserver
Description: Host name that will become part of the sync URL. If you don't have proper DNS set up, use the IP address of the server.

Item: Tomcat HTTP sync port
Suggested value/value: <nothing, as we use the Apache web server reverse proxy>
Description: Port Funambol/Tomcat listens on for sync requests. Configured in /opt/Funambol/tools/tomcat/conf/server.xml. Default 8080

Item: Tomcat HTTPS sync port
Suggested value/value: <nothing, as we use the Apache web server reverse proxy>
Description: Port Funambol/Tomcat listens on for sync requests over SSL/TLS. Configured in /opt/Funambol/tools/tomcat/conf/server.xml. Default 8443

Item: Tomcat AJP port
Suggested value/value: 8009
Description: Port Funambol/Tomcat listens on for AJP proxy requests. We use this for our Apache web server reverse proxy. Configured in /opt/Funambol/tools/tomcat/conf/server.xml. Default 8009

Item: Funambol admin username
Suggested value/value: admin
Description: Administrative user used by Funambol Administration tool to manage Funambol (users, devices etc)

Item: Funambol admin password
Suggested value/value: sa
Description: Password for that user. Good idea to change this!

Item: Sync URL
Suggested value/value: https://<serverip>:8080/funambol/ds or https://serverip/sync
Description: URL that you use on your client devices to synchronize. Consists of hostname Funambol/Tomcat listens on, Tomcat http sync port and /funambol/ds, unless you changed that in the config ;) You can use the shorter form if you use my Apache reverse proxy configuration.

Item: External sync URL
Suggested value/value: https://<publicserverip>:34528/funambol/ds or https://<publicserverip>:34528/sync
Description: Same as Sync URL but for users outside your LAN. Giving a suggested value is impossible as it depends on your external ip address/name. You can also use the shorter form if you use my Apache reverse proxy configuration.

Item: JAVA_HOME
Suggested value/value: /usr/lib/jvm/java-6-sun/
Description: Environment variable/location of the Java JDK/JRE/whatever it's called this week. If you strip Java from the Funambol bundle (as I do), Funambol needs to point to the proper JAVA_HOME directory

Item: jdbc.classpath
Suggested value/value: /usr/share/java/postgresql.jar
Description: Sync server Java database driver setting in /opt/Funambol/ds-server/install.properties. It points to the jar file containing the PostgreSQL driver.

Item: jdbc.driver
Suggested value/value: org.postgresql.Driver
Description: Sync server Java database driver setting in /opt/Funambol/ds-server/install.properties. Java driver class. Modification should be unnecessary, unless you use a non-PostgreSQL database.

Item: jdbc.url
Suggested value/value: jdbc:postgresql://localhost/funambol
Description: Sync server Java database driver setting in /opt/Funambol/ds-server/install.properties. URL to the Postgresql server and database.

Item: jdbc.user, same as funambol user
Suggested value/value: funambol
Description: Sync server Java database driver setting in /opt/Funambol/ds-server/install.properties. User name for the funambol database on PostgreSQL

Item: jdbc.password
Suggested value/value: 4890hjEla#aas&d2sk2
Description: Sync server Java database driver setting in /opt/Funambol/ds-server/install.properties. Password for the user connecting to the funambol database on PostgreSQL

For reference, the Funambol readme for 8.0.2 shows this directory structure:
BUNDLED_HOME (/opt/Funambol if you followed this guide)
+ admin -> The graphical admin interface for Funambol Data Synchronization Server
+ bin -> Starting/Stopping script files
+ config -> Configuration files
+ ctp-server -> The CTP Server
+ ds-server -> The SyncML server
+ inbox-listener -> The InboxListener
+ logs -> A logs directory
+ pim-listener -> The PIMListener
+ plug-ins
  + java-demo -> A sample SyncML PIM graphical tool
+ tools -> A tools directory, including Hypersonic, JRE and Tomcat

Startup on boot
Start Funambol manually:
/opt/Funambol/bin/funambol start

Stop Funambol manually:


/opt/Funambol/bin/funambol stop

Do this to run on boot:
First edit /opt/Funambol/bin/funambol to enable calls from symlinks:
nano /opt/Funambol/bin/funambol

change:
cd `dirname $0`

to
#rao: hardcoded directory name, so we can call this from a symlink
#in startup script directory /etc/init.d
#cd `dirname $0`
cd /opt/Funambol/bin

Let Funambol start on boot:
ln -s /opt/Funambol/bin/funambol /etc/init.d/funambol #Link startup script to funambol-supplied script
update-rc.d funambol defaults #Let funambol be run on startup (perform actual link)

Ports
For reference, note the ports the bundled Tomcat server listens on:
grep port /opt/Funambol/tools/tomcat/conf/server.xml

should return something like this:
Define a non-SSL HTTP/1.1 Connector on port 8080
<Connector port="8080" protocol="HTTP/1.1"
port="8080" protocol="HTTP/1.1"
<!-- Define a SSL HTTP/1.1 Connector on port 8443
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

The HTTP/1.1 port is what you would normally use to sync your devices. Note it in our config overview above as Tomcat HTTP sync port. This connector can be disabled if you're going to use the Apache proxy later on (see instructions). Same goes for the SSL HTTP connector; note it as Tomcat HTTPS sync port. The Tomcat server listens to the AJP port for proxy requests. Our Apache web server knows how to reverse proxy connections from clients and pass them on to this port, if you configure Apache correctly. Note it as Tomcat AJP port. This connector should remain enabled; only change the port number if it conflicts with other servers on your system.
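
An added example (not part of the original guide): grep prints every line that mentions a port, including lines inside XML comments, so this sketch parses server.xml and reports only the connectors Tomcat will actually open, then compares them with the ports recorded in the configuration overview. The sample files are constructed, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the grep output above; not the bundled file.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
    -->
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: only the AJP connector left, bound to the loopback address.
PROXY_ONLY_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def active_connectors(server_xml_text):
    """Return the connectors that are really enabled.

    ElementTree discards XML comments, so a commented-out <Connector>
    (like the 8443 one in the sample) does not show up here.
    """
    root = ET.fromstring(server_xml_text)
    found = []
    for conn in root.iter("Connector"):
        address = conn.get("address")  # no address attribute: all interfaces
        found.append({
            "port": int(conn.get("port")),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "ssl": conn.get("SSLEnabled", "false").lower() == "true",
            "address": address or "*",
            "loopback_only": address in LOOPBACK,
        })
    return found


def review(connectors, wanted_ports):
    """Compare enabled connectors with the ports noted in the overview."""
    findings = []
    active_ports = set()
    for conn in connectors:
        active_ports.add(conn["port"])
        if conn["port"] not in wanted_ports:
            findings.append((conn["port"], "enabled but not in the overview"))
        elif not conn["loopback_only"]:
            findings.append((conn["port"], "listens on all interfaces"))
    for port in sorted(set(wanted_ports) - active_ports):
        findings.append((port, "expected but no active connector"))
    return findings


if __name__ == "__main__":
    # The overview in this guide records only the AJP port (8009).
    for port, finding in review(active_connectors(SAMPLE_SERVER_XML), {8009}):
        print(port, finding)
```

To run it against your own install, read /opt/Funambol/tools/tomcat/conf/server.xml into a string and pass it to active_connectors().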

Testing
Start the Funambol server, check it's running using
ps ax | grep funambol

and connect with your web browser to
http://<host or ip address>:8080/webdemo

Login as guest, password guest and try adding/removing data. We'll be able to really test the server only after adding clients and synchronizing them.

Funambol administration client


I installed the Funambol administration tool (version 9) on my Windows machine. Connecting to my server I get:
Cannot write to system temp directory (C:\Users\<username>\AppData\Local\Temp\)

This post (http://forums.netbeans.org/topic7027.html) showed me my problem: that directory had the read only attribute set. Go to DOS (cmd):
c:
cd \users\<username>\appdata\local
attrib -r temp
exit

Then I logged in on the funambol host, default port (8080) with the default Funambol admin username (admin) and password (sa). I'd suggest changing the password in the Users tab (and note it in the configuration overview above). Then log out and log in again. Also create a username with password for any users (you?) that want to use your server. I'd suggest simple lowercase usernames, including their email addresses in the users sheet, and adding them as users, not administrators. Leave this tool open as it will come in handy later on for e.g. logging configuration. If you want to, you can now add some clients, work out the Sync URL and try and connect using the usernames and passwords created in the Administration Tool.

Server customisation and hardening


These steps can also be performed after installation and before configuration if you are feeling daring. I did. Then again, I tried this install numerous times ;) They're not all mandatory but helped me a lot.

Strip out Windows specific files


There are some Microsoft Windows-only files we might as well clean up:
rm /opt/Funambol/bin/admin-passwd.cmd
rm /opt/Funambol/bin/ctp-server.cmd
rm /opt/Funambol/bin/encrypt-passwords.cmd
rm /opt/Funambol/bin/funambol-server.cmd
rm /opt/Funambol/bin/funambol.cmd
rm /opt/Funambol/bin/hypersonic.cmd
rm /opt/Funambol/bin/inbox-listener.cmd
rm /opt/Funambol/bin/install-modules.cmd
rm /opt/Funambol/bin/install.cmd
rm /opt/Funambol/bin/pim-listener.cmd
rm /opt/Funambol/bin/restartall.cmd
rm /opt/Funambol/bin/startall.cmd
rm /opt/Funambol/bin/stopall.cmd
rm /opt/Funambol/bin/wbxml-to-xml.cmd
rm /opt/Funambol/bin/xml-to-wbxml.cmd
rm /opt/Funambol/ds-server/ant/bin/ant.cmd
rm /opt/Funambol/ds-server/ant/bin/antenv.cmd
rm /opt/Funambol/ds-server/ant/bin/envset.cmd
rm /opt/Funambol/ds-server/ant/bin/runrc.cmd
rm /opt/Funambol/plug-ins/cl/bin/run.cmd
rm /opt/Funambol/plug-ins/javademo/bin/demo.cmd

Remove email signature


In Funambol Administration Tool, path <server>,Modules,email,FunambolEmailConnector,Email SyncSource,mail, delete the Funambol Signature that says Funambol :: mobile open source :: http://www.funambol.com, or replace with your own slogan ;)

Replace bundled in Java with native Java


In order to free resources on your server, and make update/patch management easier, you can delete the bundled Java runtime (JRE 1.6.0 for Funambol 9). This lets the Funambol Tomcat server fall back on the system version of Java.
rm -rf /opt/Funambol/tools/jre-1.6.0/

Find out where our java_home is (note: there might be an easier way to do this):
set | grep JAVA_HOME

Mine gives /usr/lib/jvm/java-6-sun; record this as java_home.
If you don't have a JAVA_HOME set, make sure you have installed Java, with something like:
aptitude install sun-java6-jdk
ls -al `which java`
#mine shows /usr/bin/java is symlinked to /etc/alternatives/java
#find out which one that links to:
ls -al /etc/alternatives/java #replace with what you found above
#mine shows a link to /usr/lib/jvm/java-6-sun/jre/bin/java
#so this is apparently under the java_home of /usr/lib/jvm/java-6-sun.

Edit /opt/Funambol/bin/funambol to point to the proper java_home:
nano /opt/Funambol/bin/funambol

Change:
export JAVA_HOME=$FUNAMBOL_HOME/tools/jre-1.5.0/jre

to your own java_home (note: can change depending on your system; see section below on Java):
#rao: we stripped out included java, so use fixed java directory
#may need to change if you change system Java
#export JAVA_HOME=$FUNAMBOL_HOME/tools/jre-1.5.0/jre
export JAVA_HOME=/usr/lib/jvm/java-6-sun

***Todo: Is there a better way of doing this? Possibly edit /etc/profile, add JAVA_HOME=/usr/lib/jvm/java-6-sun but that apparently is only run for login users, not for init scripts. So, add it to /etc/environment:
bash -c "echo JAVA_HOME=/usr/lib/jvm/java-6-sun/ >> /etc/environment"
(but that still didn't work for me)
If Funambol errors when starting, complaining about JAVA_HOME: edit funambol start script to include proper java path; see section on /etc/init.d

***todo: check memory size for java? Seems you may very well run into memory problems. You can configure the amount of memory Funambol will use using e.g. MEM_OPTS="-Xmx32M" in ctp-server, inbox-listener and pim-listener, but set it to 192M in funambol-server. Probably depends on your load and whether you're using the built-in Hypersonic database or an external database such as PostgreSQL.

Remove bundled admin tool


In order to free resources on your server, you can move or delete the bundled administration tool:
rm -rf /opt/Funambol/admin

Change log paths


By default, the logs are dumped somewhere within /opt/Funambol, but I want them to appear in the regular Debian log directory, /var/log. Also, some of these logs can grow to horrendous sizes and I want to control that.
mkdir /var/log/funambol #create funambol log output directory

The Funambol wiki (https://core.forge.funambol.org/wiki/ChangeLogsPath) indicates that a lot of log configs need to be changed. First the Tomcat application server that Funambol runs on.
#Create tomcat directory under funambol for clarity:
mkdir /var/log/funambol/tomcat
nano /opt/Funambol/tools/tomcat/conf/logging.properties

#look for lines like catalina.org.apache.juli.FileHandler.directory and replace lines like ${catalina.base}/../../logs/http with: /var/log/funambol/tomcat
You get something like this:
1catalina.org.apache.juli.FileHandler.level = FINE
#rao: changed from ${catalina.base}/../../logs/http
#to Debian logging directory
1catalina.org.apache.juli.FileHandler.directory = /var/log/funambol/tomcat
1catalina.org.apache.juli.FileHandler.prefix = catalina.

2localhost.org.apache.juli.FileHandler.level = FINE
#rao: changed from ${catalina.base}/../../logs/http
#to Debian logging directory
2localhost.org.apache.juli.FileHandler.directory = /var/log/funambol/tomcat
2localhost.org.apache.juli.FileHandler.prefix = localhost.

3manager.org.apache.juli.FileHandler.level = FINE
#rao: changed from ${catalina.base}/../../logs/http
#to Debian logging directory
3manager.org.apache.juli.FileHandler.directory = /var/log/funambol/tomcat
3manager.org.apache.juli.FileHandler.prefix = manager.

4admin.org.apache.juli.FileHandler.level = FINE
#rao: changed from ${catalina.base}/../../logs/http
#to Debian logging directory
4admin.org.apache.juli.FileHandler.directory = /var/log/funambol/tomcat
4admin.org.apache.juli.FileHandler.prefix = admin.

5host-manager.org.apache.juli.FileHandler.level = FINE
#rao: changed from ${catalina.base}/../../logs/http
#to Debian logging directory
5host-manager.org.apache.juli.FileHandler.directory = /var/log/funambol/tomcat
5host-manager.org.apache.juli.FileHandler.prefix = host-manager.

Secondly, there is a Tomcat start script that we need to modify; in /opt/Funambol/tools/tomcat/bin/catalina.sh we'll replace all references to "$CATALINA_BASE"/logs/ with /var/log/funambol/tomcat/ using the sed command (note: those are two commands, spread over a couple of lines):
cp /opt/Funambol/tools/tomcat/bin/catalina.sh /opt/Funambol/tools/tomcat/bin/catalina.sh.original #backup original script
sed 's* "$CATALINA_BASE"/logs/* /var/log/funambol/tomcat/*g' /opt/Funambol/tools/tomcat/bin/catalina.sh.original > /opt/Funambol/tools/tomcat/bin/catalina.sh

Note: Tomcat documentation suggests fiddling with a swallowOutput property somewhere. I'm too lazy to do that.

Delete any old logs and subdirectories:
rm -rf /opt/Funambol/tools/tomcat/logs/

Now set up logrotate to keep these Tomcat log sizes in check:
touch /etc/logrotate.d/funamboltomcat
cat > /etc/logrotate.d/funamboltomcat <<EOF_STUFF_TO_ADD
/var/log/funambol/tomcat/*.log {
weekly
missingok
rotate 52
compress
delaycompress
notifempty
create 640 root adm
}
EOF_STUFF_TO_ADD

Now for some Funambol specific logs. Note: easier method than this is mentioned below. Skip if you're lazy like me ;)
nano /opt/Funambol/config/log4j-pimlistener.xml

#change:
<param name="File" value="../logs/pim-listener/pim-listener.log"/>

#to
<!-- rao: moved logging to /var/log/funambol
<param name="File" value="../logs/pim-listener/pim-listener.log"/>
rao: end of comments -->
<param name="File" value="/var/log/funambol/pim-listener.log"/>

#and
<param name="File" value="../logs/pim-listener/pim-listener.log"/>

#with
<!-- rao: moved logging to /var/log/funambol
<param name="File" value="../logs/pim-listener/pim-listener.log"/>
rao: end of comments -->
<param name="File" value="/var/log/funambol/pim-listener.log"/>

Easier method, as that is really tiresome: I'd suggest using the Funambol Administration Tool (path <host>, Server Settings, Logging, Appenders) and change all File name properties, e.g. from /opt/Funambol/logs/content-provider/content-provider.log to /var/log/funambol/content-provider.log
While I was at it, I changed the 100MB file size limit to 20MB, and the rotation file count from 5 to 2.

Finally, restart Funambol to see if everything worked:
/opt/Funambol/bin/funambol stop
/opt/Funambol/bin/funambol start

Check your new log locations for indications of what's going on.

Replace Hypersonic with PostgreSQL


Hypersonic is a local file based database which works fine on smaller installs. It is simple, works out of the box and you can even read out the actual database data easily as it appears as actual SQL INSERT statements. I wanted to get my data into a client/server database in order to be able to separate Funambol and database server roles if necessary, and because I just love snooping around data with OpenOffice etc. connected to the database ;) I could have chosen MySQL, but prefer PostgreSQL because of its more mature stored procedure and referential integrity support. More importantly, I intend to hook up the Sogo web-based groupware system, which is heavily biased towards PostgreSQL. Note: as Funambol usernames and other details are stored in the database, moving from Hypersonic to another database means you have to migrate your data or re-enter it.

Prepare your PostgreSQL server


Connect to your Postgresql server and create a Funambol user and database:
su postgres -c psql #note: if the O/S username of the PostgreSQL db is not postgres, replace postgres with the correct username.

-- We're going to create a Postgresql database user called funambol with a difficult password. Note username and password in configuration overview as we'll need them later on. Of course, substitute the password with one of your own.
CREATE USER funambol WITH PASSWORD '4890hjEla#aas&d2sk2';
-- something like 'CREATE ROLE' should appear indicating success.

-- make sure password never expires. If your security policy is tighter, change accordingly; also change passwords in the Funambol configs.
ALTER USER funambol VALID UNTIL 'infinity'; --password never expires
-- something like 'ALTER ROLE' should appear indicating success.

-- Don't allow user to create a database or create other users:
ALTER USER funambol NOCREATEDB NOCREATEUSER; --restrict object creation
-- something like 'ALTER ROLE' should appear indicating success.

-- Create our database:
CREATE DATABASE funambol;
-- something like CREATE DATABASE should appear indicating success.

-- Assign all privileges on database funambol to user funambol:
GRANT ALL PRIVILEGES ON DATABASE funambol TO funambol; -- allow user full permissions to database
-- something like GRANT should appear indicating success.

--Exit out of psql:
\q

Now, we might need to make sure we can log in with passwords from the localhost. If your Funambol server is different from your PostgreSQL server, you will need to change this to allow the relevant networks to connect as well as let PostgreSQL listen on the proper interface. This is out of scope for this guide.
Change 8.4 below to whatever version you're running:
nano /etc/postgresql/8.4/main/pg_hba.conf

#verify if there is a line like
#Allow all TCP/IP connections from local host to any database using md5 password hashes
host all all 127.0.0.1/32 md5
#or more restrictive
#Allow TCP/IP connections from funambol user on localhost to funambol database using md5 password hashes
host funambol funambol 127.0.0.1/32 md5

See PostgreSQL documentation for more details.
Reload PostgreSQL settings:
pg_ctl reload

Test logging in to PostgreSQL. Note: by default PostgreSQL tries an ident/unix domain socket login which doesn't allow passwords. So we specify a host to force TCP/IP login:
psql -h 127.0.0.1 -d funambol -U funambol -W #Log in via tcp/ip. enter your db password
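
An added example (not part of the original guide): PostgreSQL uses the first pg_hba.conf record that matches a connection and never consults later ones, so having the restrictive funambol line in the file is not enough if a broader line comes before it. This sketch resolves which record a TCP login as funambol would hit. The two sample files are constructed, only the CIDR address form is handled, and the function names are my own.

```python
import ipaddress

# Constructed sample: a broad rule sits above the guide's restrictive rule.
SHADOWED = """\
local   all       postgres                 ident
local   all       all                      ident
host    all       all       127.0.0.1/32   ident   # broad rule listed first
host    funambol  funambol  127.0.0.1/32   md5     # the guide's restrictive rule
"""

# Constructed sample: same records, restrictive rule moved up.
REORDERED = """\
local   all       postgres                 ident
local   all       all                      ident
host    funambol  funambol  127.0.0.1/32   md5
host    all       all       127.0.0.1/32   ident
"""


def parse_hba(text):
    """Parse 'local' and 'host*' records; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        kind = fields[0]
        if kind == "local" and len(fields) >= 4:
            net, method = None, fields[3]          # unix socket, no address
        elif kind in ("host", "hostssl", "hostnossl") and len(fields) >= 5:
            net = ipaddress.ip_network(fields[3], strict=False)
            method = fields[4]
        else:
            raise ValueError("line %d: unsupported record" % lineno)
        rules.append({"line": lineno, "type": kind,
                      "db": fields[1].split(","), "user": fields[2].split(","),
                      "net": net, "method": method})
    return rules


def db_matches(names, database, user):
    if "all" in names or database in names:
        return True
    return "sameuser" in names and database == user


def user_matches(names, user):
    return "all" in names or user in names


def first_match(rules, database, user, client_ip):
    """Return the record that decides a TCP connection, or None if rejected."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        net = rule["net"]
        if net is None or net.version != ip.version or ip not in net:
            continue
        if db_matches(rule["db"], database, user) and user_matches(rule["user"], user):
            return rule
    return None


if __name__ == "__main__":
    for name, text in (("shadowed", SHADOWED), ("reordered", REORDERED)):
        hit = first_match(parse_hba(text), "funambol", "funambol", "127.0.0.1")
        print(name, "-> line", hit["line"], "method", hit["method"])
```

If the deciding record does not use md5, the psql test above fails even though the funambol line is present; move the funambol line above the broader one.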

Make sure you have a PostgreSQL jdbc driver:


locate postgresql | grep jar

# should return a path with a .jar file. Note this as we'll need it later on. If this doesn't return any results, install a jdbc driver, e.g. using
aptitude install libpgjava

Some sites suggest making sure the database is VACUUMed regularly (see Funambol Installation and Administration Guide, 9.10 Database maintenance). You could do this in a cron job, I suppose. Or possibly PostgreSQL has gotten so smart that it auto-VACUUMs (see autovacuum parameters in postgresql.conf). I've left the system as is for now.

Set up Funambol configuration


The Funambol Installation and Administration Guide, p. 8, says PostgreSQL 8.3 errors on fast syncs and suggests adding code to /opt/Funambol/ds-server/default/sql/postgresql/create_engine.ddl
However, we're restricting the funambol PostgreSQL user from doing too much, including defining system-level functions, so we'll have to run the commands as the PostgreSQL root user. Note: the instructions in the manual were incorrect because of an extra line break; they generated an error.
su postgres -c psql #note: if the O/S username of the PostgreSQL db is not postgres, replace postgres with the correct username.

-- Updated based on Funambol Installation and Administration Guide page 8 for Funambol 8.0.2
CREATE FUNCTION pg_catalog.text(bigint) RETURNS text STRICT IMMUTABLE LANGUAGE SQL AS 'SELECT textin(int8out($1));';
-- should return 'CREATE FUNCTION'

CREATE CAST (bigint AS text) WITH FUNCTION pg_catalog.text(bigint) AS IMPLICIT;
-- should return 'CREATE CAST'

-- exit out of psql:
\q

Shut down Funambol if it is running. If Funambol complains it can't find Hypersonic: edit the Funambol start script to not start Hypersonic; this apparently is set by COMED=true around line 44. Source: https://core.forge.funambol.org/wiki/HOWTO64bitMySQLLightHttpd
I did this in any case:
nano /opt/Funambol/bin/funambol
#rao: apparently this controls Hypersonic startup
#COMED=true
#we use postgresql instead of Hypersonic, so:
COMED=false

Configure database usage for sync server: change these settings:
nano /opt/Funambol/ds-server/install.properties
#rao: changed database from hypersonic to postgresql
#dbms=hypersonic
dbms=postgresql

Uncomment the following entries for Postgresql and edit (use/update the values mentioned in the configuration section of this guide). Change values per your PostgreSQL installation. If you used the guide example settings, you don't have to change anything. I suggest you do change at least the password.
#rao: use postgresql with our setup
# jdbc.classpath=<somepath>/postgresql.jar
# jdbc.driver=org.postgresql.Driver
# jdbc.url=jdbc:postgresql://<hostname>/funambol
# jdbc.user=funambol
# jdbc.password=funambol
#note: keep explanations on their own lines; in a .properties file anything after the value on the same line becomes part of the value
#explanation: path where your postgres jdbc driver lives
jdbc.classpath=/usr/share/java/postgresql.jar
#explanation: Java driver class for postgres driver
jdbc.driver=org.postgresql.Driver
#explanation: location of funambol database and postgresql server.
jdbc.url=jdbc:postgresql://localhost/funambol
#explanation: Funambol user in PostgresSQL
jdbc.user=funambol
#explanation: password for the Funambol user on PostgreSQL specified above
jdbc.password=4890hjEla#aas&d2sk2

Comment out the jdbc configuration for Hypersonic further down:
#rao: we don't use Hypersonic anymore
#jdbc.classpath=../tools/hypersonic/lib/hsqldb.jar
#jdbc.driver=org.hsqldb.jdbcDriver
#jdbc.url=jdbc:hsqldb:hsql://localhost/funambol
#jdbc.user=sa
#jdbc.password=

Configure the generic database configuration (don't enter the lines marked #; these are my explanations/comments):
nano /opt/Funambol/config/com/funambol/server/db/db.xml

#Change for the database url below this part:
<string>url</string>
<!-- rao: changed hypersonic to postgresql
<string>jdbc:hsqldb:hsql://localhost/funambol</string>
rao: end of comments -->
<string>jdbc:postgresql://localhost/funambol</string>

#likewise for
<string>driverClassName</string>
<!-- rao: changed hypersonic to postgresql
<string>org.hsqldb.jdbcDriver</string>
rao: end of comments -->
<string>org.postgresql.Driver</string>

#likewise for
<string>username</string>
#use your own PostgreSQL username (noted in configuration overview as PostgreSQL username)
<!-- rao: changed hypersonic to postgresql with a specific user
<string>sa</string>
rao: end of comments -->
<string>funambol</string>

#Likewise for
<string>password</string>
#use your own password (noted in configuration overview as PostgreSQL password); this file is XML, so an & in the password must be written as &amp;
<!-- rao: changed hypersonic to postgresql with a specific user
<string></string>
rao: end of comments -->
<string>4890hjEla#aas&amp;d2sk2</string>

#end of edit

For pim-listener, you need additional config; workaround I'm trying:
ln -s /usr/share/java/postgresql.jar /opt/Funambol/pim-listener/lib/
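The same JDBC settings now live in two files, install.properties and db.xml, and a mismatch or a raw & in the XML password only shows up later as a failed connection. The following check is an added example, not part of the original guide or of Funambol: the file contents are constructed samples with a placeholder password, and the `<config>`/`<entry>` wrapper is a simplified stand-in for the real db.xml, assuming only that each setting is a `<string>name</string>` followed by a `<string>value</string>` as shown above.

```python
import xml.etree.ElementTree as ET

# db.xml name -> install.properties key, as edited in the guide
KEYS = {"url": "jdbc.url", "driverClassName": "jdbc.driver",
        "username": "jdbc.user", "password": "jdbc.password"}

def parse_properties(text):
    """Parse key=value lines; '#' only starts a comment at line start."""
    props = {}
    for line in text.splitlines():
        line = line.lstrip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.lstrip()  # trailing text stays in the value
    return props

def parse_db_xml(text):
    """Return the value that follows each known <string>name</string>."""
    try:
        root = ET.fromstring(text)  # XML comments are dropped by the parser
    except ET.ParseError as exc:    # e.g. a raw '&' in the password
        raise ValueError(f"db.xml is not well-formed: {exc}") from exc
    strings = [s.text or "" for s in root.iter("string")]
    found = {}
    for name, value in zip(strings, strings[1:]):
        if name in KEYS and name not in found:
            found[name] = value
    return found

def compare(properties_text, db_xml_text):
    """List settings that are missing or differ; never echoes the values."""
    props = parse_properties(properties_text)
    xml_vals = parse_db_xml(db_xml_text)
    problems = []
    for xml_key, prop_key in KEYS.items():
        a, b = props.get(prop_key), xml_vals.get(xml_key)
        if a is None or b is None:
            problems.append(f"{xml_key}: not set in both files")
        elif a != b:
            problems.append(f"{xml_key}: files disagree")
    return problems

# Constructed sample inputs (placeholder password, not the guide's).
SAMPLE_PROPS = """\
dbms=postgresql
#jdbc.url=jdbc:hsqldb:hsql://localhost/funambol
jdbc.driver=org.postgresql.Driver
jdbc.url=jdbc:postgresql://localhost/funambol
jdbc.user=funambol
jdbc.password=ex&mple#pw
"""
SAMPLE_DB_XML = """\
<config>
 <entry><string>url</string>
  <!-- <string>jdbc:hsqldb:hsql://localhost/funambol</string> -->
  <string>jdbc:postgresql://localhost/funambol</string></entry>
 <entry><string>driverClassName</string><string>org.postgresql.Driver</string></entry>
 <entry><string>username</string><string>funambol</string></entry>
 <entry><string>password</string><string>ex&amp;mple#pw</string></entry>
</config>
"""

if __name__ == "__main__":
    print(compare(SAMPLE_PROPS, SAMPLE_DB_XML) or "configs agree")
```

Typing an explanation on the same line as a value in install.properties makes it part of the value, which this check reports as a disagreement.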

Useful when reviewing other tutorials/guides: for older versions of Funambol you had to edit:
/opt/Funambol/inboxlistener/config/com/funambol/email/inboxlistener/InboxListenerConfiguration.xml
/opt/Funambol/pimlistener/config/com/funambol/pimlistener/PIMListenerConfiguration.xml

Have Funambol set up the structure of the funambol database (note: due to problems with my JAVA_HOME, I first exported it; I don't know if this is the correct workaround):
export JAVA_HOME=/usr/lib/jvm/java-6-sun/
cd /opt/Funambol
bin/install

You get the following output:
[echo] Funambol Data Synchronization Server will be installed on the Tomcat 6.0.x application server
[input] The Funambol Data Synchronization Server installation program can now create the database.
[input] You can skip this step if you have already a valid database created.
[input] If you choose 'y' your existing data will be deleted.
[input] Do you want to recreate the database? (y,n)
[input]
#choose: y
y

A lot more stuff rolls by and you repeatedly get the question whether you want to recreate the database. A lot of SQL errors are generated but in the end you should get something like:
[war] Warning: selected war files include a WEB-INF/web.xml which will be ignored (please use webxml attribute to war task)
[echo] Remove output dir
BUILD SUCCESSFUL
Total time: 1 minute 54 seconds

Try running funambol to see whether it works.

PostgreSQL backups
Let's try running a backup manually:
su postgres -c psql
#note: if the O/S username of the PostgreSQL db is not postgres, replace postgres with the correct username.

-- List all databases on the PostgreSQL server; should include the funambol database:
SELECT datname FROM pg_database;

-- exit out of psql:


\q

Do the actual backup into a file in the /tmp directory:


su postgres -c "pg_dump funambol" | gzip > /tmp/funambol_postgresqldb.backup.gz

To do for the system administrator: integrate PostgreSQL backups into your backup strategy including restore tests (something like psql -d funambol -f funambol_postgresqldb.backup).

Remove unused certificates


We can remove unused root certificates from your bundled Java/Tomcat install. It makes SSL/TLS connection attempts faster as apparently, all root certificates get passed around over the wire by the funambol server. This only makes sense if you have the original bundled Java and use the HTTPS connector. I suggest you don't, and use the Apache web server as a reverse proxy instead. Originally done on Funambol 6.5 with bundled JRE, untested on newer versions.

List the certificates (default password for keystore is changeit; please DON'T change this unless you really know what you're doing):


cd /opt/Funambol/tools/jre-1.5.0/jre/bin
./keytool -list -keystore /opt/Funambol/tools/jre-1.5.0/jre/lib/security/cacerts

Delete the ones you don't want (use the -alias option to specify it); example for soneraclass1ca:
./keytool -delete -keystore /opt/Funambol/tools/jre-1.5.0/jre/lib/security/cacerts -storepass changeit -alias soneraclass1ca

Reverse proxy for easier encrypted connections


We're going to set up the Apache web server to pass on Funambol sync traffic to the Funambol Tomcat server using the AJP proxy protocol. The advantage is that we can use regular Apache SSL/TLS functionality to encrypt traffic (e.g. on port 443), thereby securing internet synchronisation.

Remove redundant Tomcat connectors


First we're going to disable the HTTPS connector on Tomcat as we'll be using Apache for all traffic (this reduces the number of ports used and adds another layer between the evil outside world and your sensitive data; think mod_secure on Apache ;)). We'll leave HTTP (standard 8080) open for administration using the Funambol Administration Tool:
cp /opt/Funambol/tools/tomcat/conf/server.xml /opt/Funambol/tools/tomcat/conf/server.xml.original
nano /opt/Funambol/tools/tomcat/conf/server.xml

Edit this entire piece....:


<!-- Funambol comment: don't modify or remove this Funambol comment! ##### $
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<!-- Funambol comment: don't modify or remove this Funambol comment! ######$
<!-- A "Connector" using the shared thread pool-->
<!-- rao: disabled this port
<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

so you get something like this:


<!-- rao: beginning of comments
We've disabled the HTTP and HTTPS connectors as we'll be serving all sync traffic from our web server using the AJP proxy port.
Please see .original file for original config.
rao: end of comments -->


<!-- Funambol comment: don't modify or remove this Funambol comment! ##### $
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
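After an edit like this it is worth confirming which connectors Tomcat will actually start, since a misplaced comment marker can leave the HTTPS connector active. The script below is an added example, not part of the original guide: the server.xml samples are constructed and simplified, and the loopback test on the AJP connector's address attribute goes beyond what the guide configures (it reflects that Apache only connects to 127.0.0.1:8009).

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def active_connectors(server_xml):
    """Return the <Connector> elements Tomcat will start (comments are skipped)."""
    root = ET.fromstring(server_xml)
    return [{"port": c.get("port"),
             "protocol": c.get("protocol", "HTTP/1.1"),
             "address": c.get("address"),            # None = all interfaces
             "ssl": c.get("SSLEnabled", "false").lower() == "true"}
            for c in root.iter("Connector")]

def audit(server_xml):
    """Compare the active connectors with the layout the guide aims for."""
    conns = active_connectors(server_xml)
    findings = []
    for c in conns:
        is_ajp = c["protocol"].upper().startswith("AJP")
        if c["ssl"]:
            findings.append(f"port {c['port']}: HTTPS connector still enabled")
        if is_ajp and c["address"] not in LOOPBACK:
            findings.append(f"port {c['port']}: AJP not bound to loopback")
    if not any(c["protocol"].upper().startswith("AJP") for c in conns):
        findings.append("no AJP connector for Apache to proxy to")
    return findings

# Constructed, simplified server.xml samples.
ORIGINAL = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

AFTER_GUIDE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" /> -->
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

LOOPBACK_AJP = AFTER_GUIDE.replace('port="8009"', 'port="8009" address="127.0.0.1"')

if __name__ == "__main__":
    for name, xml in [("original", ORIGINAL), ("after guide", AFTER_GUIDE),
                      ("AJP on loopback", LOOPBACK_AJP)]:
        print(name, audit(xml) or "ok")
```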

Configure Apache web server


Make sure mod_ssl is enabled:
a2enmod ssl

You should get a confirmation message or something like Module ssl already enabled. See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates. I suggest you make sure your cert will work on both your internal network (hostname) and externally reachable hostname, e.g. by having one of the hostnames as your Common Name/CN and adding that and the other hostnames in your certificate SubjectAltName (example: subjectAltName=IP:192.168.7.1,URI:http://localserver,URI:http://*.localserver,URI:http://externalserver,URI:http://*.externalserver). Alternatively, for LAN syncs you could just connect out through your firewall/router and back in by specifying the external URL as the sync URL.

Make sure you have a virtualhost for port 443 if it isn't set up already (connect to https://serverip and see what happens to check); check what sites you've enabled:
ls /etc/apache2/sites-enabled

If necessary, enable the ssl site:


cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/ssl_and_funambol
a2ensite ssl_and_funambol

Make sure the mod_proxy_ajp and mod_proxy modules are enabled; these will connect to Tomcat to proxy your sync traffic. Also use mod_rewrite to allow user-friendly sync URLs.
a2enmod proxy proxy_ajp rewrite

Edit your Apache config for your site (replace 8009 with your Tomcat AJP port if you've changed that); add the lines below somewhere in the VirtualHost section:
nano /etc/apache2/sites-available/<yournormalserversuchas_default.conf>
# rao: funambol sync URL should be proxied to Tomcat Funambol server
<Location /sync>
Allow from all
ProxyPass ajp://127.0.0.1:8009/funambol/ds
</Location>
#required for funambol pass-through:
RewriteEngine on
RewriteRule ^/sync(.*)$ /sync/$1 [PT]

And do the same for your SSL site (replace 8009 with your AJP port if you've changed that)
nano /etc/apache2/sites-available/<yoursslserversuchas_ssl_and_funambolconf>

You might want to fiddle with the SSLCipherSuite HIGH:MEDIUM option to make sure you don't allow weak encryption, and generate your own certificates. Please see other documentation for that.

Restart Apache:
/etc/init.d/apache2 restart

Now we've set up both the regular web server and the https web server to respond to: http[s]://<server_ip>/sync as the internal Funambol sync URL. Please update your notes.

Internet synchronisation
You would probably need to open up a firewall or router to enable access from the internet for sync. See below. If so, I suggest letting Apache listen on another port dedicated to Funambol, so an attacker can't access any internal sites (hints: add port to /etc/apache2/ports.conf, add a different virtual site, have it rewrite to the proxy; ***todo: document/check how to restrict all other access***). Of course, if you enforce HTTPS and mandatory client side certificate authentication, you might think the risk is acceptable. Note the resulting URL in the config table as your external sync URL.

Client authentication using certificates


Edit the SSL virtual server config in the Client Authentication (Type) section: uncomment SSLVerifyClient require, e.g.:
SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLOptions +FakeBasicAuth
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Your organisation name" \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "DevClient"}

Look at e.g. http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#allclients for more details. Issue client certificates and install them on the clients (see client section for hints). On Debian, you can use the gnomint program or xca to easily manage certificates, or you can use one of the numerous tutorials on Apache SSL/TLS configuration.

Final steps
Restart Apache and Funambol:
/etc/init.d/apache2 restart
/etc/init.d/funambol stop
/etc/init.d/funambol start

Remove guest user


You can use the Funambol Administration tool to remove the guest user if you want. It does give you a nice way of testing synchronization scenarios though.

Move Funambol to system Tomcat


I haven't performed this, but it might be a good idea to install a Tomcat 6 server using aptitude/apt-get and move the Funambol components over from the custom Tomcat in /opt/Funambol/tools to the new one. This eases updates of the Tomcat application server, which keeps the system more secure. Additionally, you can deploy multiple applications on the Tomcat instance. See this blog http://diaspora.gen.nz/~rodgerd/archives/1332-Funambol-+-C903.html for details. If you want things to use a different Java JDK and Tomcat instance, you can simply set environmental values for the installer, then run the installer thus:
export JAVA_HOME=/your/jre/home
export J2EE_HOME=/usr/share/tomcat6
$FUNAMBOL_DIR/bin/install

Users and clients


If you want to synchronize, you need a Funambol user and client software. See the section on the Funambol Administration Tool on creating users. For clients/devices in general: install the Funambol software for your clients if it isn't already (a lot of smartphones/high end phones have sync software built in). If you use your client over the internet, I suggest setting up our Apache reverse proxy, generating your own self-signed SSL root CA and server certificates, and preferably client certificates, too. Install the CA certificate and client certificate on your client; instruct the client to authenticate with the client certificate. Specify the proper External sync URL, username and passwords. Check the Funambol logs on the server and client if something goes wrong. For further details on specific clients, see other documentation, e.g. my Funambol on Ubuntu guide.

Server configuration
No special configuration for clients is necessary as long as you have users defined in Funambol and the clients can communicate with the server.

Automatic provisioning
You can configure Funambol to automatically allow new devices/software to attach and synchronize. If the given user name doesn't exist, Funambol creates one for you. I've not enabled this as I'm dealing with a small environment and don't want anyone who connects to just be able to set up accounts. If you want to, look for the keyword UserProvisioningOfficer in the documentation.

Test and operations


Day to day operations are described in Funambol documentation.


Troubleshooting
The following hints may aid you in troubleshooting:

What: admin/sa
Description: Default admin username and password for Funambol.

What: /var/log/funambol
Description: Funambol logs (if you've moved them using this guide)

What: /opt/Funambol/*
Description: Original location of Funambol logs

What: /var/log/postgresql/postgresql-8.4-main.log
Description: Postgresql log (for PostgreSQL 8.4)

What: /opt/Funambol/ds-server/install/install.xml:452: org.postgresql.util.PSQLException: Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
Description: I had PostgreSQL 8.4 installed next to 8.3. It listened on port 5433, while 8.3 listened on 5432. After removing 8.3, Funambol install couldn't connect to the right port!

What: Tomcat's catalina.*.log log files show something like: INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /opt/Funambol/ds-server/lib/linux
Description: You can improve performance by installing the native APR library: aptitude install libapr1 libaprutil1 libaprutil1-dbd-pgsql libtcnative-1. However, the bundled install won't use the system apr library. dpkg -L libapr shows the package provides a symlink you can use: /usr/lib/libapr-1.so.0. Use similar procedure for aprutil and postgresql driver:
mkdir /opt/Funambol/ds-server/lib/linux
ln -s /usr/lib/libapr-1.so.0 /opt/Funambol/ds-server/lib/linux/libapr-1.so.0
ln -s /usr/lib/aprutil-1 /opt/Funambol/ds-server/lib/linux
ln -s /usr/lib/libtcnative-1.so /opt/Funambol/ds-server/lib/libctnative-1.so
Server keeps complaining. ***Who knows a solution?

What: Please set JAVA_HOME to the path of a valid jre when starting funambol
Description: Can happen if you run an init.d startup script linked to an unmodified funambol start script (/opt/Funambol/bin/funambol). See relevant section in this guide.

What: Apache error log shows entries like File does not exist: /var/www/sync;jsessionid=6EE5796564281503F37119353CBD99D6
Description: Proxy_ajp/mod_rewrite not configured correctly.

References
For more information see:


https://wiki.Debian.com/marckaplan/funambol
Marckaplan's Funambol on Debian guide. Covers older versions.

funambol-installation-and-administrationguide.pdf
Funambol Installation and Administration Guide PDF which you can and should download from the Funambol site.

funambol-community-edition-v8sp2-releasenotes.pdf
Release notes; review the ones for your version

https://core.forge.funambol.org/wiki/BundleMyPSSQL
HOWTO Configure The Bundled Version To Use MySQL Or Postgresql. Concerns Funambol 6.4, but the same principles apply for later versions. Used this guide for PostgreSQL (obviously ;)

http://diaspora.gen.nz/~rodgerd/archives/1332-Funambol-+-C903.html
Interesting article on splitting up the Funambol one-click install similar to what this guide does. Also covers running it on an already installed Tomcat server (e.g. do export J2EE_HOME=/usr/share/tomcat6 before running bin/install)

https://core.forge.funambol.org/wiki/ChangeLogsPath
Log configuration info

http://Debianguide.org/wiki/Debian:Gutsy#Using_PostgreSQL_JDBC_driver
Some info on Postgresql on Debian

http://www.cyberciti.biz/faq/howto-addpostgresql-user-account/
Adding databases/users to Postgresql. Too lazy to read the manual, I just Googled for it;)

http://www.postgresql.org/docs/7.4/interactive/auth-methods.html#AUTH-PASSWORD
Tsssk, still had to get the manual for info on password authentication. Is for an older version but couldn't be bothered to get the proper version.

https://help.Debian.com/9.10/serverguide/C/httpd.html
Apache information for Debian, including certificate information

http://mail.opengroupware.org/pipermail/sogo/2009-November/004193.html
Rewrite rules for Apache and AJP connector.

https://core.forge.funambol.org/wiki/HOWTO64bitMySQLLightHttpd
Information on JAVA_HOME, external database use.

Thanks to the Funambol and Debian developers and communities for making this work!

