Skip to content

Installing Fedora, Syn, and Blazegraph

In this section, we will install:

  • Fedora 6, the back-end repository that Islandora will use
  • Syn, the authentication broker that will manage communication with Fedora
  • Blazegraph, the resource index layer on top of Fedora for managing discoverability via RDF

Fedora 6

Stop the Tomcat Service

We're going to stop the Tomcat service while working on setting up Fedora to prevent any autodeploy misconfigurations.

sudo systemctl stop tomcat

Creating a Working Space for Fedora

Fedora’s configuration and data won’t live with Tomcat itself; rather, we’re going to prepare a space for them to make them easier to manage.

sudo mkdir -p /opt/fcrepo/data/objects
sudo mkdir /opt/fcrepo/config
sudo chown -R tomcat:tomcat /opt/fcrepo

Creating a Database for Fedora

The method for creating the database here will closely mimic the method we used to create our database for Drupal.

sudo -u postgres psql
create database FEDORA_DB encoding 'UTF8' LC_COLLATE = 'en_US.UTF-8' LC_CTYPE = 'en_US.UTF-8' TEMPLATE template0;
create user FEDORA_DB_USER with encrypted password 'FEDORA_DB_PASSWORD';
grant all privileges on database FEDORA_DB to FEDORA_DB_USER;
  • FEDORA_DB: fcrepo
    • This will be used as the database Fedora will store the repository in.
  • FEDORA_DB_USER: fedora
    • Again, this should be a secure password of some kind; leaving it as fedora is not recommended.

Adding a Fedora Configuration

The Fedora configuration is going to come in a few different chunks that need to be in place before Fedora will be functional. We’re going to place several files outright, with mildly modified parameters according to our configuration.

The basics of these configuration files have been pulled largely from the templates in Islandora-Devops/islandora-playbook internal Fedora role; you may consider referencing the playbook’s templates directory for more details.

Namespace prefixes

i8_namespaces.yml is a list of namespaces used by Islandora that may not necessarily be present in Fedora; we add them here to ensure we can use them in queries.

/opt/fcrepo/config/i8_namespaces.yml | tomcat:tomcat/644

# Islandora 8/Fedora namespaces
# This file contains ALL the prefix mappings, if a URI
# does not appear in this file it will be displayed as 
# the full URI in Fedora. 
fedoramodel: info:fedora/fedora-system:def/model#
test: info:fedora/test/

Allowed External Content Hosts

We have Fedora provide metadata for some resources that are contained in Drupal. Fedora needs to know to allow access to these External Content hosts.

We create a file /opt/fcrepo/config/allowed_external_hosts.txt | tomcat:tomcat/644


Note: the trailing backslash is important here. For more information on Fedora's External Content and configuring it, see the Fedora Wiki pages

Fedora configuration properties file

Fedora 6 now allows you to put all your configuration properties into a single file. We use 0640 permissions as you will want to put your database credentials in here.

/opt/fcrepo/config/ | tomcat:tomcat/640

# External content using path defined above.
# Namespace registry using path defined above.
# The principal header is the syn-setting.xml "config" element's "header" attribute
# false to use manual versioning, true to create a version on each change
# Can be sha512 or sha256
# Jms moved from 61616 to allow external ActiveMQ to use that port
# Same as above

  • FCREPO_HOME - The home directory for all Fedora generated output and state. Unless otherwise specified, all logs, metadata, binaries, and internally generated indexes, etc. It would default to the Tomcat starting directory. A good default would be /opt/fcrepo
  • FCREPO_DB_URL - This parameter allows you to set the database connection url. In general the format is as follows:


    Fedora currently supports H2, PostgresQL 12.3, MariaDB 10.5.3, and MySQL 8.0

    So using the default ports for the supported databases here are the values we typically use:

    • PostgresQL: jdbc:postgresql://localhost:5432/fcrepo
    • MariaDB: jdbc:mariadb://localhost:3306/fcrepo
    • MySQL: jdbc:mysql://localhost:3306/fcrepo
  • FCREPO_DB_USERNAME - The database username

  • FCREPO_DB_PASSWORD - The database password
  • FCREPO_OCFL_ROOT - Sets the root directory of the OCFL. Defaults to FCREPO_HOME/data/ocfl-root if not set.
  • FCREPO_TEMP_ROOT - Sets the temp directory used by OCFL. Defaults to FCREPO_HOME/data/temp if not set.
  • FCREPO_STAGING_ROOT - Sets the staging directory used by OCFL. Defaults to FCREPO_HOME/data/staging if not set.
  • FCREPO_VELOCITY_LOG - The Fedora HTML template code uses Apache Velocity, which generates a runtime log called velocity.log. Defaults to FCREPO_HOME/logs/velocity. A good choice might be /opt/tomcat/logs/velocity.log
  • FCREPO_JMS_BASE - This specifies the baseUrl to use when generating JMS messages. You can specify the hostname with or without port and with or without path. If your system is behind a NAT firewall you may need this to avoid your message consumers trying to access the system on an invalid port. If this system property is not set, the host, port and context from the user's request will be used in the emitted JMS messages. If your Alpaca is on the same machine as your Fedora and you use the islandora-indexing-fcrepo, you could use http://localhost:8080/fcrepo/rest.

Check the Lyrasis Wiki to find all of Fedora's properties

Adding the Fedora Variables to JAVA_OPTS

We need our Tomcat JAVA_OPTS to include references to our repository configuration.



3 | export JAVA_OPTS="-Djava.awt.headless=true -server -Xmx1500m -Xms1000m"


3 | export JAVA_OPTS="-Djava.awt.headless=true -Dfcrepo.config.file=/opt/fcrepo/config/ -DconnectionTimeout=-1 -server -Xmx1500m -Xms1000m"

Ensuring Tomcat Users Are In Place

While not strictly necessary, we can use the tomcat-users.xml file to give us direct access to the Fedora endpoint. Fedora defines, out of the box, a fedoraAdmin and fedoraUser role that can be reflected in the users list for access. The following file will also include the base tomcat user. As always, these default passwords should likely not stay as the defaults.

/opt/tomcat/conf/tomcat-users.xml | tomcat:tomcat/600

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns=""
              xsi:schemaLocation=" tomcat-users.xsd"
  <role rolename="tomcat"/>
  <role rolename="fedoraAdmin"/>
  <role rolename="fedoraUser"/>
  <user username="tomcat" password="TOMCAT_PASSWORD" roles="tomcat"/>
  <user username="fedoraAdmin" password="FEDORA_ADMIN_PASSWORD" roles="fedoraAdmin"/>
  <user username="fedoraUser" password="FEDORA_USER_PASSWORD" roles="fedoraUser"/>


Downloading and Placing the Latest Release

Fedora .war files are packaged up as releases on the official GitHub repository. You should download the most recent stable release.

sudo wget -O fcrepo.war FCREPO_WAR_URL
sudo mv fcrepo.war /opt/tomcat/webapps
sudo chown tomcat:tomcat /opt/tomcat/webapps/fcrepo.war
  • FCREPO_WAR_URL: This can be found at the fcrepo downloads page; the file you're looking for is:
    • Tagged in green as the 'Latest release'
    • Named "fcrepo-webapp-VERSION.war"

Start the Tomcat Service

As before, start the Tomcat service to get Fedora up and running.

sudo systemctl start tomcat

Note: sometimes it takes a while for Fedora and Tomcat to start up, usually it shouldn't take longer than 5 minutes.

Once it starts up, Fedora REST API should be available at http://localhost:8080/fcrepo/rest. The username is fedoraAdmin and we defined the password before as FEDORA_ADMIN_PASSWORD (default: "islandora").


Downloading the Syn JAR File

A compiled JAR of Syn can be found on the Syn releases page. We’re going to add this to the list libraries accessible to Tomcat.

sudo wget -P /opt/tomcat/lib SYN_JAR_URL
# Ensure the library has the correct permissions.
sudo chown -R tomcat:tomcat /opt/tomcat/lib
sudo chmod -R 640 /opt/tomcat/lib
  • SYN_JAR_URL: The latest stable release of the Syn JAR from the releases page. Specifically, the JAR compiled as -all.jar is required.

Generating an SSL Key for Syn

For Islandora and Fedora to talk to each other, an SSL key needs to be generated for use with Syn. We’re going to make a spot where such keys can live, and generate one.

sudo mkdir /opt/keys
sudo openssl genrsa -out "/opt/keys/syn_private.key" 2048
sudo openssl rsa -pubout -in "/opt/keys/syn_private.key" -out "/opt/keys/syn_public.key"
sudo chown www-data:www-data /opt/keys/syn*

Placing the Syn Settings

Syn sites and tokens belong in a settings file that we’re going to reference in Tomcat.

/opt/fcrepo/config/syn-settings.xml | tomcat:tomcat/600

<config version='1' header='X-Islandora'>
  <site algorithm='RS256' encoding='PEM' anonymous='true' default='true' path='/opt/keys/syn_public.key'/>
  <token user='islandora' roles='fedoraAdmin'>ISLANDORA_SYN_TOKEN</token>

  • ISLANDORA_SYN_TOKEN: islandora
    • This should be a secure generated token rather than this default; it will be configured on the Drupal side later.

Adding the Syn Valve to Tomcat

Referencing the valve we’ve created in our syn-settings.xml involves creating a <Valve> entry in Tomcat’s context.xml:

There are two options here:

1. Enable the Syn Valve for all of Tomcat.



29 | -->

30 | </Context>


29 | -->

30 | <Valve className="ca.islandora.syn.valve.SynValve" pathname="/opt/fcrepo/config/syn-settings.xml"/>

31 | </Context>

2. Enable the Syn Valve for only Fedora.

Create a new file at


    <Valve className="ca.islandora.syn.valve.SynValve" pathname="/opt/fcrepo/config/syn-settings.xml"/>

Your Fedora web application needs to be deployed in Tomcat with the name fcrepo.war. Otherwise, change the name of the above XML file to match the deployed web application's name.

Restarting Tomcat

Finally, restart tomcat to apply the new configurations.

sudo systemctl restart tomcat

Note: sometimes it takes a while for Fedora and Tomcat to start up, usually it shouldn't take longer than 5 minutes.

Note: after installing the Syn valve, you'll no longer be able to manually create/edit or delete objects via Fedora Web UI. All communication with Fedora will now be handled from the Islandora module in Drupal.

Redhat logging

Redhat systems have stopped generating an all inclusive catalina.out, the catalina.<date>.log does not include web application's log statements. To get Fedora log statements flowing, you can create your own LogBack configuration file and point to it.

/opt/fcrepo/config/fcrepo-logback.xml | tomcat:tomcat/644

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
      <pattern>%p %d{HH:mm:ss.SSS} [%thread] \(%c{0}\) %m%n</pattern>

  <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
      <pattern>%p %d{HH:mm:ss.SSS} [%thread] \(%c{0}\) %m%n</pattern>

  <logger name="org.fcrepo.auth" additivity="false" level="${fcrepo.log.auth:-null}">
    <appender-ref ref="STDOUT"/>
    <appender-ref ref="FILE"/>
  <logger name="org.fcrepo.config" additivity="false" level="${fcrepo.log.config:-null}">
    <appender-ref ref="STDOUT"/>
    <appender-ref ref="FILE"/>
  <logger name="org.fcrepo.event" additivity="false" level="${fcrepo.log.event:-null}">
    <appender-ref ref="STDOUT"/>
    <appender-ref ref="FILE"/>
  <logger name="org.fcrepo.http.api" additivity="false" level="${fcrepo.log.http.api:-null}">
    <appender-ref ref="STDOUT"/>
    <appender-ref ref="FILE"/>
  <logger name="org.fcrepo.http.commons" additivity="false" level="${fcrepo.log.http.commons:-null}">
    <appender-ref ref="STDOUT"/>
    <appender-ref ref="FILE"/>
  <logger name="org.fcrepo.jms" additivity="false" level="${fcrepo.log.jms:-null}">
    <appender-ref ref="STDOUT"/>
    <appender-ref ref="FILE"/>
  <logger name="org.fcrepo.kernel" additivity="false" level="${fcrepo.log.kernel:-null}">
    <appender-ref ref="STDOUT"/>
    <appender-ref ref="FILE"/>
  <logger name="org.fcrepo.persistence" additivity="false" level="${fcrepo.log.persistence:-null}">
    <appender-ref ref="STDOUT"/>
    <appender-ref ref="FILE"/>
  <logger name="" additivity="false" level="${}">
    <appender-ref ref="STDOUT"/>
    <appender-ref ref="FILE"/>
  <logger name="" additivity="false" level="${}">
    <appender-ref ref="STDOUT"/>
    <appender-ref ref="FILE"/>
  <logger name="org.fcrepo" additivity="false" level="${fcrepo.log:-INFO}">
    <appender-ref ref="STDOUT"/>
    <appender-ref ref="FILE"/>

  <root level="${fcrepo.log.root:-WARN}">
    <appender-ref ref="STDOUT"/>
    <appender-ref ref="FILE"/>

Then alter your $JAVA_OPTS like above to include


This will generate a log file at ${catalina.base}/logs/fcrepo.log and will rotate each day or if the logs reaches 10MB. It will maintain 30 days of old logs, or 2GB whichever comes first.

Blazegraph 2

Creating a Working Space for Blazegraph

Blazegraph needs a space for configurations and data; we’re going to create this space in /opt.

sudo mkdir -p /opt/blazegraph/data
sudo mkdir /opt/blazegraph/conf
sudo chown -R tomcat:tomcat /opt/blazegraph

Downloading and Placing the Blazegraph WAR

The Blazegraph .war file can be found in a few different places, but to ensure we’re able to easily wget it, we’re going to use the repository link to grab it.

cd /opt
sudo wget -O blazegraph.war BLAZEGRAPH_WARFILE_LINK
sudo mv blazegraph.war /opt/tomcat/webapps
sudo chown tomcat:tomcat /opt/tomcat/webapps/blazegraph.war
  • BLAZEGRAPH_WAR_URL: You can find a link to this at the Maven repository for Blazegraph; you’ll want to click the link for the latest version of Blazegraph 2.1.x, then get the link to the .war file within that version folder.

Once this is downloaded, give it a moment to expand before moving on to the next step.

Configuring Logging

We would like to have an appropriate logging configuration for Blazegraph, which can be useful for looking at incoming traffic and determining if anything has gone wrong with Blazegraph. Our logger isn’t going to be much different than the default logger; it can be made more or less verbose by changing the default WARN levels. There are several other loggers that can be enabled, like a SPARQL query trace or summary query evaluation log; if these are desired they should be added in. Consult the Blazegraph documentation for more details.

/opt/blazegraph/conf/ | tomcat:tomcat/644

log4j.rootCategory=WARN, dest1

# Loggers.

# Normal data loader (single threaded).

# dest1
log4j.appender.dest1.layout.ConversionPattern=%-5p: %F:%L: %m%n
#log4j.appender.dest1.layout.ConversionPattern=%-5p: %r %l: %m%n
#log4j.appender.dest1.layout.ConversionPattern=%-5p: %m%n
#log4j.appender.dest1.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n
#log4j.appender.dest1.layout.ConversionPattern=%-4r(%d) [%t] %-5p %c(%l:%M) %x - %m%n

# Rule execution log. This is a formatted log file (comma delimited).,ruleLog

Adding a Blazegraph Configuration

Our configuration will be built from a few different files that we will eventually reference in JAVA_OPTS and directly apply to Blazegraph; these include most of the functional pieces Blazegraph requires, as well as a generalized configuration for the islandora namespace it will use. As with most large configurations like this, these should likely be tuned to your preferences, and the following files only represent sensible defaults.

/opt/blazegraph/conf/ | tomcat:tomcat/644


/opt/blazegraph/conf/ | tomcat:tomcat/644

/opt/blazegraph/conf/inference.nt | tomcat:tomcat/644

<> <> <> .
<> <> <> .

Specifying the in JAVA_OPTS

In order to enable our configuration when Tomcat starts, we need to reference the location of in the JAVA_OPTS environment variable that Tomcat uses.



3 | export JAVA_OPTS="-Djava.awt.headless=true -Dfcrepo.config.file=/opt/fcrepo/config/ -DconnectionTimeout=-1 -server -Xmx1500m -Xms1000m"


3 | export JAVA_OPTS="-Djava.awt.headless=true -Dfcrepo.config.file=/opt/fcrepo/config/ -DconnectionTimeout=-1 -Dcom.bigdata.rdf.sail.webapp.ConfigParams.propertyFile=/opt/blazegraph/conf/ -Dlog4j.configuration=file:/opt/blazegraph/conf/ -server -Xmx1500m -Xms1000m"

Restarting Tomcat

Finally, restart Tomcat to pick up the changes we’ve made.

sudo systemctl restart tomcat

Installing Blazegraph Namespaces and Inference

The two other files we created, and inference.nt, contain information that Blazegraph requires in order to establish and correctly use the datasets Islandora will send to it. First, we need to create a dataset - contained in - and then we need to inform that dataset of the inference set we have contained in inference.nt.

curl -X POST -H "Content-Type: text/plain" --data-binary @/opt/blazegraph/conf/ http://localhost:8080/blazegraph/namespace
If this worked correctly, Blazegraph should respond with "CREATED: islandora" to let us know it created the islandora namespace.
curl -X POST -H "Content-Type: text/plain" --data-binary @/opt/blazegraph/conf/inference.nt http://localhost:8080/blazegraph/namespace/islandora/sparql
If this worked correctly, Blazegraph should respond with some XML letting us know it added the 2 entries from inference.nt to the namespace.

Last update: June 19, 2024