Sunday, May 31, 2020

Installing The Open Source Certificate Authority EJBCA on Open SUSE Leap 15.1



EJBCA is an Open Source Certificate Authority and covers all your needs – from certificate management, registration and enrollment to certificate validation. There is an enterprise offering with more advanced features, so please review any requirements before installing the community edition that this blog focuses on.


To quote from https://www.ejbca.org/

“EJBCA Community is a free edition of PrimeKey’s PKI Software. It is an outstanding tool for those who want to test and learn the core functionalities of PKI. If you have a need for PKI and don’t require any advanced features or guaranteed certifications and regulations, this is for you. You can find more about EJBCA Community on ejbca.org.”


This blog post covers the “EJBCA Community” edition. I had some issues following the standard guides, mainly around the MariaDB install and the SQL dialect used by WildFly; the following documents my fixes for those issues.

Outline of my installation


Suse Version Information


rootca:~ # more /etc/os*rel*

NAME="openSUSE Leap"

VERSION="15.1"

….

….


Network Setup

I find the wicked network service more stable in my Hyper-V environment



Server IP address

10.10.50.100


hostnamectl

    rjrussca


hostname --fqdn

rjrussca.rjruss.org



ping rjrussca

ping rjrussca.rjruss.org


Checked HOST FILE


rjrussca:~ # tail /etc/hosts

::1             localhost ipv6-localhost ipv6-loopback


fe00::0         ipv6-localnet


ff00::0         ipv6-mcastprefix

ff02::1         ipv6-allnodes

ff02::2         ipv6-allrouters

ff02::3         ipv6-allhosts

10.10.50.100    rjrussca.rjruss.org rjrussca


rjrussca:~ #
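As an added example (not part of the original post), here is a small POSIX shell check that automates what the hostname and /etc/hosts inspection above does by hand: it confirms that the server address maps to both the FQDN and the short name, and that no other line in the file claims either name for a different address. The hosts content below is constructed from the post's own values; the function name and its arguments are this example's own.

```shell
# check_hosts_entry FILE IP FQDN SHORT
# Returns 0 when FILE maps IP to both FQDN and SHORT, 1 when that mapping is
# missing, and 2 when another address in FILE also claims one of the names.
check_hosts_entry() {
    hfile=$1; ip=$2; fqdn=$3; short=$4
    found=$(awk -v ip="$ip" -v f="$fqdn" -v s="$short" '
        { sub(/#.*/, "") }                 # drop comments
        NF < 2 { next }                    # skip blank or address-only lines
        $1 == ip { for (i = 2; i <= NF; i++) { if ($i == f) hf = 1; if ($i == s) hs = 1 } }
        END { r = (hf && hs) ? "yes" : "no"; print r }' "$hfile")
    [ "$found" = "yes" ] || return 1
    # Any other address that also carries one of the names is a conflict
    conflict=$(awk -v ip="$ip" -v f="$fqdn" -v s="$short" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        $1 != ip { for (i = 2; i <= NF; i++) if ($i == f || $i == s) print $1 ": " $i }' "$hfile")
    if [ -n "$conflict" ]; then
        echo "conflicting hosts entries:"; echo "$conflict"
        return 2
    fi
    return 0
}

# Constructed sample: the tail of /etc/hosts as shown in the post
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
# constructed sample hosts file
::1             localhost ipv6-localhost ipv6-loopback
fe00::0         ipv6-localnet
10.10.50.100    rjrussca.rjruss.org rjrussca
EOF

# Constructed bad sample: the short name is also bound to loopback
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
127.0.0.1       localhost rjrussca
10.10.50.100    rjrussca.rjruss.org rjrussca
EOF
trap 'rm -f "$SAMPLE_HOSTS" "$SAMPLE_BAD"' EXIT

check_hosts_entry "$SAMPLE_HOSTS" 10.10.50.100 rjrussca.rjruss.org rjrussca && echo "hosts entry OK"
check_hosts_entry "$SAMPLE_BAD" 10.10.50.100 rjrussca.rjruss.org rjrussca || echo "bad sample rejected (rc=$?)"
```

Against the live system run `check_hosts_entry /etc/hosts 10.10.50.100 "$(hostname --fqdn)" "$(hostname)"` before going further; the FQDN it validates is the value that later goes into web.properties as httpsserver.hostname, so a mismatch here surfaces as a certificate hostname problem much later.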




Install pre-reqs for EJBCA from SUSE repo


Using YaST, install ant and openjdk; the installer chose the required dependencies automatically, as shown below.



Install Maria DB


Following the guide on the MariaDB page

https://mariadb.com/kb/en/installing-mariadb-with-zypper/


I found the automatic setup script did not work for openSUSE Leap 15.1


rjrussca:~ # curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash

[error] Could not identify OS type or version.

[error] The MariaDB Repository supports these Linux OSs, on x86-64 only:

    * RHEL/CentOS 6, 7, & 8

    * Ubuntu 16.04 LTS (xenial), 18.04 LTS (bionic), & 20.04 LTS (focal)

    * Debian 8 (jessie), 9 (stretch), & 10 (buster)

    * SLES 12 & 15

rjrussca:~ #




Adding the repo manually - I chose this version


https://yum.mariadb.org/10.4.13/


I adapted the repo command to match the openSUSE path on the site above.


One-liner as follows:

sudo zypper addrepo --gpgcheck --refresh https://yum.mariadb.org/10.4.13/opensuse15-amd64/ mariadb


Run this and the repo is added

rjrussca:~ #  zypper addrepo --gpgcheck --refresh https://yum.mariadb.org/10.4.13/opensuse15-amd64/ mariadb

Adding repository 'mariadb' ....................................................................................................................................[done]

Repository 'mariadb' successfully added


URI         : https://yum.mariadb.org/10.4.13/opensuse15-amd64/

Enabled     : Yes

GPG Check   : Yes

Autorefresh : Yes

Priority    : 99 (default priority)


Repository priorities are without effect. All enabled repositories share the same priority.

rjrussca:~ #



Check repo list


rjrussca:~ # zypper ls

#  | Alias                     | Name                               | Enabled | GPG Check | Refresh | Type

---+---------------------------+------------------------------------+---------+-----------+---------+-------

1  | mariadb                   | mariadb                            | Yes     | ( p) Yes  | Yes     | NONE

2  | openSUSE-Leap-15.1-1      | openSUSE-Leap-15.1-1               | No      | ----      | ----    | rpm-md

3  | repo-debug                | Debug Repository                   | No      | ----      | ----    | NONE

4  | repo-debug-non-oss        | Debug Repository (Non-OSS)         | No      | ----      | ----    | NONE

5  | repo-debug-update         | Update Repository (Debug)          | No      | ----      | ----    | NONE

6  | repo-debug-update-non-oss | Update Repository (Debug, Non-OSS) | No      | ----      | ----    | NONE

7  | repo-non-oss              | Non-OSS Repository                 | Yes     | (r ) Yes  | Yes     | rpm-md

8  | repo-oss                  | Main Repository                    | Yes     | (r ) Yes  | Yes     | rpm-md

9  | repo-source               | Source Repository                  | No      | ----      | ----    | NONE

10 | repo-source-non-oss       | Source Repository (Non-OSS)        | No      | ----      | ----    | NONE

11 | repo-update               | Main Update Repository             | Yes     | (r ) Yes  | Yes     | rpm-md

12 | repo-update-non-oss       | Update Repository (Non-Oss)        | Yes     | (r ) Yes  | Yes     | rpm-md

rjrussca:~ #



ADD KEY

sudo rpm --import https://yum.mariadb.org/RPM-GPG-KEY-MariaDB


**To get past the error “Problem: nothing provides libboost_program_options”, install the boost packages:



zypper in boost-devel.x86_64

zypper in libboost_program_options1_66_0 libboost_program_options1_66_0-devel



Remove mariadb lib

rjrussca:~ # zypper remove  libmariadb3


Disable standard repos temporarily


rjrussca:~ # zypper mr -d 7 8 11 12

Repository 'repo-non-oss' has been successfully disabled.

Repository 'repo-oss' has been successfully disabled.

Repository 'repo-update' has been successfully disabled.

Repository 'repo-update-non-oss' has been successfully disabled.

rjrussca:~ # zypper ls

#  | Alias                     | Name                               | Enabled | GPG Check | Refresh | Type

---+---------------------------+------------------------------------+---------+-----------+---------+-------

1  | mariadb                   | mariadb                            | Yes     | ( p) Yes  | Yes     | NONE

2  | openSUSE-Leap-15.1-1      | openSUSE-Leap-15.1-1               | No      | ----      | ----    | rpm-md

3  | repo-debug                | Debug Repository                   | No      | ----      | ----    | NONE

4  | repo-debug-non-oss        | Debug Repository (Non-OSS)         | No      | ----      | ----    | NONE

5  | repo-debug-update         | Update Repository (Debug)          | No      | ----      | ----    | NONE

6  | repo-debug-update-non-oss | Update Repository (Debug, Non-OSS) | No      | ----      | ----    | NONE

7  | repo-non-oss              | Non-OSS Repository                 | No      | ----      | ----    | rpm-md

8  | repo-oss                  | Main Repository                    | No      | ----      | ----    | rpm-md

9  | repo-source               | Source Repository                  | No      | ----      | ----    | NONE

10 | repo-source-non-oss       | Source Repository (Non-OSS)        | No      | ----      | ----    | NONE

11 | repo-update               | Main Update Repository             | No      | ----      | ----    | rpm-md

12 | repo-update-non-oss       | Update Repository (Non-Oss)        | No      | ----      | ----    | rpm-md

rjrussca:~ #



Only the mariadb repo is active


zypper install MariaDB-server galera-4 MariaDB-client MariaDB-shared MariaDB-backup MariaDB-common



The following 6 NEW packages are going to be installed:

  MariaDB-backup MariaDB-client MariaDB-common MariaDB-server MariaDB-shared galera-4


6 new packages to install.

Overall download size: 0 B. Already cached: 41.3 MiB. After the operation, additional 280.7 MiB will be used.

Continue? [y/n/v/...? shows all options] (y): y

In cache MariaDB-common-10.4.13-1.x86_64.rpm                                                                                     (1/6),  78.2 KiB (298.0 KiB unpacked)

In cache galera-4-26.4.4-1.suse15.0.x86_64.rpm                                                                                   (2/6),  14.5 MiB ( 69.8 MiB unpacked)

In cache MariaDB-shared-10.4.13-1.x86_64.rpm                                                                                     (3/6), 105.5 KiB (328.6 KiB unpacked)

In cache MariaDB-client-10.4.13-1.x86_64.rpm                                                                                     (4/6),   6.6 MiB ( 59.2 MiB unpacked)

In cache MariaDB-backup-10.4.13-1.x86_64.rpm                                                                                     (5/6),   5.6 MiB ( 25.9 MiB unpacked)

In cache MariaDB-server-10.4.13-1.x86_64.rpm                                                                                     (6/6),  14.5 MiB (125.1 MiB unpacked)


Checking for file conflicts: ...................................................................................................................................[done]

(1/6) Installing: MariaDB-common-10.4.13-1.x86_64 ..............................................................................................................[done]

(2/6) Installing: galera-4-26.4.4-1.suse15.0.x86_64 ............................................................................................................[done]

(3/6) Installing: MariaDB-shared-10.4.13-1.x86_64 ..............................................................................................................[done]

(4/6) Installing: MariaDB-client-10.4.13-1.x86_64 ..............................................................................................................[done]

(5/6) Installing: MariaDB-backup-10.4.13-1.x86_64 ..............................................................................................................[done]

(6/6) Installing: MariaDB-server-10.4.13-1.x86_64 ..............................................................................................................[done]

Additional rpm output:



Two all-privilege accounts were created.

One is root@localhost, it has no password, but you need to

be system 'root' user to connect. Use, for example, sudo mysql

The second is mysql@localhost, it has no password either, but

you need to be the system 'mysql' user to connect.

After connecting you can set the password, if you would need to be

able to connect as any of these users with a password and without sudo


See the MariaDB Knowledgebase at http://mariadb.com/kb or the

MySQL manual for more instructions.


Please report any problems at http://mariadb.org/jira


The latest information about MariaDB is available at http://mariadb.org/.

You can find additional information about the MySQL part at:

http://dev.mysql.com

Consider joining MariaDB's strong and vibrant community:

https://mariadb.org/get-involved/


Executing %posttrans scripts ...................................................................................................................................[done]

rjrussca:~ #



ENABLE mariadb service


rjrussca:~ # systemctl enable mariadb

Created symlink /etc/systemd/system/mysql.service → /usr/lib/systemd/system/mariadb.service.

Created symlink /etc/systemd/system/mysqld.service → /usr/lib/systemd/system/mariadb.service.

Created symlink /etc/systemd/system/multi-user.target.wants/mariadb.service → /usr/lib/systemd/system/mariadb.service.

rjrussca:~ #

rjrussca:~ # systemctl start mariadb

rjrussca:~ #



Test Connection


rjrussca:~ # mysql

Welcome to the MariaDB monitor.  Commands end with ; or \g.

Your MariaDB connection id is 8

Server version: 10.4.13-MariaDB MariaDB Server


Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.


Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


MariaDB [(none)]> connect

Connection id:    9

Current database: *** NONE ***


MariaDB [(none)]>

MariaDB [(none)]> exit

Bye

rjrussca:~ #



No database is created at this point; that is done later as part of the EJBCA setup.


Reset SUSE repos


Enable the default repos; I chose to disable the mariadb repo.


rjrussca:~ # zypper mr -e 7 8 11 12

Repository 'repo-non-oss' has been successfully enabled.

Repository 'repo-oss' has been successfully enabled.

Repository 'repo-update' has been successfully enabled.

Repository 'repo-update-non-oss' has been successfully enabled.

rjrussca:~ # zypper mr -d 1

Repository 'mariadb' has been successfully disabled.

rjrussca:~ # zypper ls

#  | Alias                     | Name                               | Enabled | GPG Check | Refresh | Type

---+---------------------------+------------------------------------+---------+-----------+---------+-------

1  | mariadb                   | mariadb                            | No      | ----      | ----    | rpm-md

2  | openSUSE-Leap-15.1-1      | openSUSE-Leap-15.1-1               | No      | ----      | ----    | rpm-md

3  | repo-debug                | Debug Repository                   | No      | ----      | ----    | NONE

4  | repo-debug-non-oss        | Debug Repository (Non-OSS)         | No      | ----      | ----    | NONE

5  | repo-debug-update         | Update Repository (Debug)          | No      | ----      | ----    | NONE

6  | repo-debug-update-non-oss | Update Repository (Debug, Non-OSS) | No      | ----      | ----    | NONE

7  | repo-non-oss              | Non-OSS Repository                 | Yes     | (r ) Yes  | Yes     | rpm-md

8  | repo-oss                  | Main Repository                    | Yes     | (r ) Yes  | Yes     | rpm-md

9  | repo-source               | Source Repository                  | No      | ----      | ----    | NONE

10 | repo-source-non-oss       | Source Repository (Non-OSS)        | No      | ----      | ----    | NONE

11 | repo-update               | Main Update Repository             | Yes     | (r ) Yes  | Yes     | rpm-md

12 | repo-update-non-oss       | Update Repository (Non-Oss)        | Yes     | (r ) Yes  | Yes     | rpm-md

rjrussca:~ #



EJBCA on Wildfly 14


Downloaded the required software as follows


EJBCA - download

https://sourceforge.net/projects/ejbca/files/ejbca6/ejbca_6_15_2_6/


Wildfly Download

https://wildfly.org/downloads/

Version 14.0.1 TGZ

MariaDB Connector/J download

https://mariadb.com/kb/en/about-mariadb-connector-j/

https://mariadb.com/downloads/#connectors





Setup Wildfly user


rjrussca:~ # groupadd wildfly

rjrussca:~ # useradd -G wildfly wildfly

rjrussca:~ # mkdir /home/wildfly

rjrussca:~ # chown wildfly:wildfly /home/wildfly

rjrussca:~ #

rjrussca:~ #



Setup Installation Directory


rjrussca:/opt # cd /opt

rjrussca:/opt # mkdir installs

rjrussca:/opt # chown wildfly:wildfly installs

rjrussca:/opt #


rjrussca:/opt/installs # pwd

/opt/installs

rjrussca:/opt/installs #


If you chose a different install directory than “/opt/installs”, note it: this base directory is needed later so that the configuration files point to the correct software locations.


Transfer EJBCA, Wildfly & MariaDB connector to install dir


rjrussca:/opt/installs # ls -lrta

total 228176

drwxr-xr-x 1 root    root           16 May 30 09:21 ..

-rw-r--r-- 1 root    root       616389 May 30 09:24 mariadb-java-client-2.5.4.jar

-rw-r--r-- 1 root    root     54688540 May 30 09:24 ejbca_ce_6_15_2_61.zip

drwxr-xr-x 1 wildfly wildfly       156 May 30 09:24 .

-rw-r--r-- 1 root    root    178343287 May 30 09:24 wildfly-14.0.1.Final.tar.gz

rjrussca:/opt/installs #


Change ownership to the created wildfly user


rjrussca:/opt/installs # chown wildfly:wildfly *

rjrussca:/opt/installs # ls -lrta

total 228176

drwxr-xr-x 1 root    root           16 May 30 09:21 ..

-rw-r--r-- 1 wildfly wildfly    616389 May 30 09:24 mariadb-java-client-2.5.4.jar

-rw-r--r-- 1 wildfly wildfly  54688540 May 30 09:24 ejbca_ce_6_15_2_61.zip

drwxr-xr-x 1 wildfly wildfly       156 May 30 09:24 .

-rw-r--r-- 1 wildfly wildfly 178343287 May 30 09:24 wildfly-14.0.1.Final.tar.gz

rjrussca:/opt/installs #



Switch to Wildfly user

rjrussca:/opt/installs # su - wildfly

wildfly@rjrussca:~>


Extract Software


wildfly@rjrussca:/opt/installs> unzip ejbca_ce_6_15_2_61.zip

wildfly@rjrussca:/opt/installs> tar -zxf wildfly-14.0.1.Final.tar.gz

wildfly@rjrussca:/opt/installs>


Create symbolic links to the extracted directories


wildfly@rjrussca:/opt/installs> ln -s wildfly-14.0.1.Final wildfly

wildfly@rjrussca:/opt/installs> ln -s ejbca_ce_6_15_2_6 ejbca


wildfly@rjrussca:/opt/installs> ls -lrta

total 228184

drwxr-xr-x 1 wildfly users         274 Sep  6  2018 wildfly-14.0.1.Final

drwx------ 1 wildfly users         236 Apr  6 09:56 ejbca_ce_6_15_2_6

drwxr-xr-x 1 root    root           16 May 30 09:21 ..

-rw-r--r-- 1 wildfly wildfly    616389 May 30 09:24 mariadb-java-client-2.5.4.jar

-rw-r--r-- 1 wildfly wildfly  54688540 May 30 09:24 ejbca_ce_6_15_2_61.zip

-rw-r--r-- 1 wildfly wildfly 178343287 May 30 09:24 wildfly-14.0.1.Final.tar.gz

lrwxrwxrwx 1 wildfly users          20 May 30 09:33 wildfly -> wildfly-14.0.1.Final

lrwxrwxrwx 1 wildfly users          17 May 30 09:34 ejbca -> ejbca_ce_6_15_2_6

drwxr-xr-x 1 wildfly wildfly       254 May 30 09:34 .

wildfly@rjrussca:/opt/installs>


***At this point - Take a snapshot/checkpoint of the VM


Configuration of Wildfly is based on the following instruction page:

https://download.primekey.com/docs/EJBCA-Enterprise/latest/WildFly_14___JBoss_EAP_7.2.html


Adjust Java settings


wildfly@rjrussca:/opt/installs/wildfly/bin> pwd

/opt/installs/wildfly/bin

wildfly@rjrussca:/opt/installs/wildfly/bin> vi standalone.conf

   JAVA_OPTS="-Xms2048m -Xmx2048m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"


Start Wildfly


wildfly@rjrussca:/opt/installs/wildfly/bin> ./standalone.sh


****LEAVE SESSION OPEN AS THIS SHOWS THE CONSOLE LOG OF WILDFLY

The logging will be referred to later in this blog


Continue on another terminal session - useful to open a few connections 


Copy MariaDB client


wildfly@rjrussca:/opt/installs> pwd

/opt/installs

wildfly@rjrussca:/opt/installs> cp mariadb-java-client-2.5.4.jar /opt/installs/wildfly-14.0.1.Final/standalone/deployments/mariadb-java-client.jar

wildfly@rjrussca:/opt/installs>




Check Wildfly Log for MariaDB client deployment


Just checking that the MariaDB client was picked up:


06:21:31,463 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0027: Starting deployment of "mariadb-java-client.jar" (runtime-name: "mariadb-java-client.jar")

06:21:32,159 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0004: Deploying JDBC-compliant driver class org.mariadb.jdbc.Driver (version 2.5)

06:21:32,197 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = mariadb-java-client.jar

06:21:32,562 INFO  [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-1) ISPN000128: Infinispan version: Infinispan 'Estrella Galicia' 9.3.1.Final

06:21:32,764 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 72) WFLYCLINF0002: Started client-mappings cache from ejb container

06:21:32,909 INFO  [org.jboss.as.server] (DeploymentScanner-threads - 2) WFLYSRV0010: Deployed "mariadb-java-client.jar" (runtime-name : "mariadb-java-client.jar")



Wildfly – add management User


wildfly@rjrussca:/opt/installs/wildfly/bin> ./add-user.sh



What type of user do you wish to add?

 a) Management User (mgmt-users.properties)

 b) Application User (application-users.properties)

(a):

Enter the details of the new user to add.

Using realm 'ManagementRealm' as discovered from the existing property files.

Username : wildadmin

Password recommendations are listed below. To modify these restrictions edit the add-user.properties configuration file.

 - The password should be different from the username

 - The password should not be one of the following restricted values {root, admin, administrator}

 - The password should contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)

Password :

WFLYDM0102: ***Password should have at least 1 non-alphanumeric symbol.

Are you sure you want to use the password entered yes/no? yes

Re-enter Password :

What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]:

About to add user 'wildadmin' for realm 'ManagementRealm'

Is this correct yes/no? yes

Added user 'wildadmin' to file '/opt/installs/wildfly-14.0.1.Final/standalone/configuration/mgmt-users.properties'

Added user 'wildadmin' to file '/opt/installs/wildfly-14.0.1.Final/domain/configuration/mgmt-users.properties'

Added user 'wildadmin' with groups  to file '/opt/installs/wildfly-14.0.1.Final/standalone/configuration/mgmt-groups.properties'

Added user 'wildadmin' with groups  to file '/opt/installs/wildfly-14.0.1.Final/domain/configuration/mgmt-groups.properties'

Is this new user going to be used for one AS process to connect to another AS process?

e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.

yes/no? no

wildfly@rjrussca:/opt/installs/wildfly/bin>


***My password did not meet the requirement for a special character


Create Database on MariaDB


https://download.primekey.com/docs/EJBCA-Enterprise/latest/Creating_the_Database.html


As root


rjrussca:/opt/installs # id

uid=0(root) gid=0(root) groups=0(root)

rjrussca:/opt/installs #

rjrussca:/opt/installs # pwd

/opt/installs

rjrussca:/opt/installs #

rjrussca:/opt/installs # mysql -u root -p

Enter password:

Welcome to the MariaDB monitor.  Commands end with ; or \g.

Your MariaDB connection id is 8

Server version: 10.4.13-MariaDB MariaDB Server


Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.


Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


MariaDB [(none)]> CREATE DATABASE ejbca CHARACTER SET utf8 COLLATE utf8_general_ci;

Query OK, 1 row affected (0.000 sec)


MariaDB [(none)]> GRANT ALL PRIVILEGES ON ejbca.* TO 'ejbca'@'localhost' IDENTIFIED BY 'ejbca';

Query OK, 0 rows affected (0.109 sec)


MariaDB [(none)]>


Wildfly – add datasource



wildfly@rjrussca:/opt/installs/wildfly/bin> ./jboss-cli.sh -c

[standalone@localhost:9990 /] data-source add --name=ejbcads --driver-name="mariadb-java-client.jar" --connection-url="jdbc:mysql://127.0.0.1:3306/ejbca" --jndi-name="java:/EjbcaDS" --use-ccm=true --driver-class="org.mariadb.jdbc.Driver" --user-name="ejbca" --password="ejbca" --validate-on-match=true --background-validation=false --prepared-statements-cache-size=50 --share-prepared-statements=true --min-pool-size=5 --max-pool-size=150 --pool-prefill=true --transaction-isolation=TRANSACTION_READ_COMMITTED --check-valid-connection-sql="select 1;"

[standalone@localhost:9990 /] :reload

{

    "outcome" => "success",

    "result" => undefined

}


[standalone@localhost:9990 /]


****KEEP THIS CONNECTION OPEN it will be used later -- open another terminal session (or connect back to jboss-cli.sh each time)


Check Wildfly Logs



06:35:58,851 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = mariadb-java-client.jar

06:35:58,867 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:/EjbcaDS]



Configure WildFly Remoting


Using the jboss-cli.sh connection again, enter the following:


/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=connector-ref,value=remoting)

/socket-binding-group=standard-sockets/socket-binding=remoting:add(port=4447,interface=management)

/subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting,enable-http2=true)

/subsystem=infinispan/cache-container=ejb:remove()

/subsystem=infinispan/cache-container=server:remove()

/subsystem=infinispan/cache-container=web:remove()

/subsystem=ejb3/cache=distributable:remove()

/subsystem=ejb3/passivation-store=infinispan:remove()

:reload



{

    "outcome" => "success",

    "result" => undefined

}


Configure Logging



/subsystem=logging/logger=org.ejbca:add(level=INFO)

/subsystem=logging/logger=org.cesecore:add(level=INFO)

/subsystem=logging/logger=org.ejbca:write-attribute(name=level, value=DEBUG)

/subsystem=logging/logger=org.cesecore:write-attribute(name=level, value=DEBUG)

:reload



{

    "outcome" => "success",

    "result" => undefined

}

[standalone@localhost:9990 /]



HTTP(S) Listener Configuration with 3-port Separation


/subsystem=undertow/server=default-server/http-listener=default:remove()

/subsystem=undertow/server=default-server/https-listener=https:remove()

/socket-binding-group=standard-sockets/socket-binding=http:remove()

/socket-binding-group=standard-sockets/socket-binding=https:remove()

:reload



Confirm WildFly is running after the reloads


[standalone@localhost:9990 /]  :read-attribute(name=server-state)

{

    "outcome" => "success",

    "result" => "running"

}


[standalone@localhost:9990 /]



Add new interfaces


/interface=http:add(inet-address="0.0.0.0")

/interface=httpspub:add(inet-address="0.0.0.0")

/interface=httpspriv:add(inet-address="0.0.0.0")

/socket-binding-group=standard-sockets/socket-binding=http:add(port="8080",interface="http")

/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442",interface="httpspub")

/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface="httpspriv")



Configure TLS


/subsystem=elytron/key-store=httpsKS:add(path="keystore/keystore.jks",relative-to=jboss.server.config.dir,credential-reference={clear-text="serverpwd"},type=JKS)

/subsystem=elytron/key-store=httpsTS:add(path="keystore/truststore.jks",relative-to=jboss.server.config.dir,credential-reference={clear-text="changeit"},type=JKS)

/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={clear-text="serverpwd"})

/subsystem=elytron/trust-manager=httpsTM:add(key-store=httpsTS)

/subsystem=elytron/server-ssl-context=httpspub:add(key-manager=httpsKM,protocols=["TLSv1.2"])

/subsystem=elytron/server-ssl-context=httpspriv:add(key-manager=httpsKM,protocols=["TLSv1.2"],trust-manager=httpsTM,need-client-auth=true,authentication-optional=false,want-client-auth=true)



Add HTTP listeners



/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding="http", redirect-socket="httpspriv")

/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding="httpspub", ssl-context="httpspub", max-parameters=2048)

/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding="httpspriv", ssl-context="httpspriv", max-parameters=2048)


:reload


Check Wildfly Log


06:49:31,452 INFO  [org.jboss.as.server.deployment.scanner] (MSC service thread 1-1) WFLYDS0013: Started FileSystemDeploymentService for directory /opt/installs/wildfly-14.0.1.Final/standalone/deployments

06:49:31,461 WARN  [org.wildfly.extension.elytron] (MSC service thread 1-2) WFLYELY00023: KeyStore file '/opt/installs/wildfly-14.0.1.Final/standalone/configuration/keystore/truststore.jks' does not exist. Used blank.

06:49:31,461 WARN  [org.wildfly.extension.elytron] (MSC service thread 1-2) WFLYELY00023: KeyStore file '/opt/installs/wildfly-14.0.1.Final/standalone/configuration/keystore/keystore.jks' does not exist. Used blank.

06:49:31,462 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0012: Started server default-server.

06:49:31,484 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0018: Host default-host starting

06:49:31,484 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow HTTP listener remoting listening on 127.0.0.1:4447

06:49:31,485 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow HTTP listener http listening on 0.0.0.0:8080

06:49:31,487 INFO  [org.jboss.as.ejb3] (MSC service thread 1-2) WFLYEJB0493: EJB subsystem suspension complete

06:49:31,489 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow HTTPS listener httpspriv listening on 0.0.0.0:8443


** The missing keystore files are only a warning at this stage; they are dealt with later.
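The post asks you to keep the WildFly console open and to check it at three points: for the JDBC driver deployment, for the bound data source, and for the listeners and keystore warnings after the TLS reload. As an added example that is not part of the original post, the POSIX shell functions below do those checks against a saved copy of that log, so the WARN lines (here the WFLYELY00023 keystore warnings) are not lost in the scroll. The log lines are constructed from the excerpts shown in the post; the function names are this example's own.

```shell
# driver_deployed LOG DRIVERNAME -> 0 if the driver service started and the
# deployment of the jar completed, 1 otherwise
driver_deployed() {
    grep -q "WFLYJCA0018: Started Driver service with driver-name = $2" "$1" || return 1
    grep -q "WFLYSRV0010: Deployed \"$2\"" "$1" || return 1
    return 0
}

# datasource_bound LOG JNDINAME -> 0 if the data source was bound
datasource_bound() {
    grep -q "WFLYJCA0001: Bound data source \[$2]" "$1"
}

# listener_ports LOG -> prints "name host:port" for every Undertow listener
listener_ports() {
    sed -n 's/.*WFLYUT0006: Undertow HTTPS\{0,1\} listener \([^ ]*\) listening on \([^ ]*\).*/\1 \2/p' "$1"
}

# warn_count LOG -> prints the number of WARN or ERROR lines (0 when none)
warn_count() {
    grep -c -E '^[0-9:,]+ (WARN|ERROR) ' "$1" || true
}

# Constructed sample log, assembled from the excerpts quoted in the post
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
06:21:31,463 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0027: Starting deployment of "mariadb-java-client.jar" (runtime-name: "mariadb-java-client.jar")
06:21:32,159 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0004: Deploying JDBC-compliant driver class org.mariadb.jdbc.Driver (version 2.5)
06:21:32,197 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = mariadb-java-client.jar
06:21:32,909 INFO  [org.jboss.as.server] (DeploymentScanner-threads - 2) WFLYSRV0010: Deployed "mariadb-java-client.jar" (runtime-name : "mariadb-java-client.jar")
06:35:58,867 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:/EjbcaDS]
06:49:31,461 WARN  [org.wildfly.extension.elytron] (MSC service thread 1-2) WFLYELY00023: KeyStore file '/opt/installs/wildfly-14.0.1.Final/standalone/configuration/keystore/truststore.jks' does not exist. Used blank.
06:49:31,461 WARN  [org.wildfly.extension.elytron] (MSC service thread 1-2) WFLYELY00023: KeyStore file '/opt/installs/wildfly-14.0.1.Final/standalone/configuration/keystore/keystore.jks' does not exist. Used blank.
06:49:31,484 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow HTTP listener remoting listening on 127.0.0.1:4447
06:49:31,485 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow HTTP listener http listening on 0.0.0.0:8080
06:49:31,489 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow HTTPS listener httpspriv listening on 0.0.0.0:8443
EOF
trap 'rm -f "$SAMPLE_LOG"' EXIT

if driver_deployed "$SAMPLE_LOG" mariadb-java-client.jar && datasource_bound "$SAMPLE_LOG" java:/EjbcaDS; then
    echo "driver and data source are up"
fi
echo "listeners:"; listener_ports "$SAMPLE_LOG"
echo "warnings/errors: $(warn_count "$SAMPLE_LOG")"
grep -E '^[0-9:,]+ (WARN|ERROR) ' "$SAMPLE_LOG" || true
```

Point the functions at the file WildFly writes by default, standalone/log/server.log under the WildFly directory, or at a copy of the console output; the listener list is a quick way to confirm that the remoting port stayed on 127.0.0.1 while only the three web ports are bound to 0.0.0.0.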



HTTP Protocol Config




/system-property=org.apache.catalina.connector.URI_ENCODING:add(value="UTF-8")

/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)

/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)

/system-property=org.apache.tomcat.util.http.Parameters.MAX_COUNT:add(value=2048)

/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)

/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)

/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)


:reload


Remove RESTEasy-Crypto


Back up the file first ***only out of habit to back up before deletion


wildfly@rjrussca:/opt/installs/wildfly> id

uid=1001(wildfly) gid=100(users) groups=100(users),1000(wildfly)

wildfly@rjrussca:/opt/installs/wildfly> pwd

/opt/installs/wildfly

wildfly@rjrussca:/opt/installs/wildfly> cp modules/system/layers/base/org/jboss/as/jaxrs/main/module.xml /var/tmp/BACKUP_modfile.xml

wildfly@rjrussca:/opt/installs/wildfly>


Follow the guide to use the sed command

wildfly@rjrussca:/opt/installs/wildfly> sed -i 's|.*org.jboss.resteasy.resteasy-crypto.*||' modules/system/layers/base/org/jboss/as/jaxrs/main/module.xml


**Just checking the differences between the modified file and the backup - the crypto line has been removed

wildfly@rjrussca:/opt/installs/wildfly> diff modules/system/layers/base/org/jboss/as/jaxrs/main/module.xml /var/tmp/BACKUP_modfile.xml

58c58

<

---

>         <module name="org.jboss.resteasy.resteasy-crypto" optional="true"/>


wildfly@rjrussca:/opt/installs/wildfly>


Configure EJBCA


As the wildfly user, edit the config files

wildfly@rjrussca:/opt/installs/wildfly> id

uid=1001(wildfly) gid=100(users) groups=100(users),1000(wildfly)

wildfly@rjrussca:/opt/installs/wildfly> cd /opt/installs/ejbca/conf

wildfly@rjrussca:/opt/installs/ejbca/conf>



*****Online CheckPoint backup taken in Hyper-V


wildfly@rjrussca:/opt/installs/ejbca/conf> cp ejbca.properties.sample ejbca.properties

wildfly@rjrussca:/opt/installs/ejbca/conf> vi ejbca.properties


appserver.home=/opt/installs/wildfly




wildfly@rjrussca:/opt/installs/ejbca/conf> cp database.properties.sample database.properties

wildfly@rjrussca:/opt/installs/ejbca/conf> vi database.properties



database.name=mysql

database.url=jdbc:mysql://127.0.0.1:3306/ejbca

database.driver=org.mariadb.jdbc.Driver

database.username=ejbca

database.password=ejbca



wildfly@rjrussca:/opt/installs/ejbca/conf> cp cesecore.properties.sample cesecore.properties

wildfly@rjrussca:/opt/installs/ejbca/conf>


NO CHANGES to this file


Check full hostname

hostname -f

rjrussca.rjruss.org



wildfly@rjrussca:/opt/installs/ejbca/conf> cp web.properties.sample web.properties

wildfly@rjrussca:/opt/installs/ejbca/conf> vi web.properties



httpsserver.hostname=rjrussca.rjruss.org



Change Wildfly Dialect for MariaDB connection




wildfly@rjrussca:/opt/installs/ejbca/conf> id

uid=1001(wildfly) gid=100(users) groups=100(users),1000(wildfly)

wildfly@rjrussca:/opt/installs/ejbca/conf> cd /opt/installs


Find the files that need the dialect updated



wildfly@rjrussca:/opt/installs> find . -name "*.xml"  -exec sh -c " grep  -l org.hibernate.dialect.MySQLD {}" \;

./ejbca_ce_6_15_2_6/modules/clientToolBox/resources/properties/META-INF/persistence.xml

./ejbca_ce_6_15_2_6/modules/ejbca-entity/resources/persistence-test-template.xml

./ejbca_ce_6_15_2_6/modules/oldlogexport-cli/build.xml

./ejbca_ce_6_15_2_6/propertyDefaults.xml

wildfly@rjrussca:/opt/installs>




Backup current files as user wildfly



wildfly@rjrussca:/opt/installs> tar -cvf /var/tmp/persistanceSQL5D-change.tar `find . -name "*.xml"  -exec sh -c " grep -l org.hibernate.dialect.MySQLD {}" \;`

./ejbca_ce_6_15_2_6/modules/clientToolBox/resources/properties/META-INF/persistence.xml

./ejbca_ce_6_15_2_6/modules/ejbca-entity/resources/persistence-test-template.xml

./ejbca_ce_6_15_2_6/modules/oldlogexport-cli/build.xml

./ejbca_ce_6_15_2_6/propertyDefaults.xml

wildfly@rjrussca:/opt/installs>



Update the 4 files with the new dialect setting


Changing

org.hibernate.dialect.MySQLDialect

To

org.hibernate.dialect.MySQL5Dialect


*4 one-line sed commands


sed -i -e 's/org.hibernate.dialect.MySQLDialect/org.hibernate.dialect.MySQL5Dialect/g' ./ejbca_ce_6_15_2_6/modules/clientToolBox/resources/properties/META-INF/persistence.xml


sed -i -e 's/org.hibernate.dialect.MySQLDialect/org.hibernate.dialect.MySQL5Dialect/g' ./ejbca_ce_6_15_2_6/modules/ejbca-entity/resources/persistence-test-template.xml


sed -i -e 's/org.hibernate.dialect.MySQLDialect/org.hibernate.dialect.MySQL5Dialect/g' ./ejbca_ce_6_15_2_6/modules/oldlogexport-cli/build.xml


sed -i -e 's/org.hibernate.dialect.MySQLDialect/org.hibernate.dialect.MySQL5Dialect/g' ./ejbca_ce_6_15_2_6/propertyDefaults.xml


Check updated files


wildfly@rjrussca:/opt/installs> find . -name "*.xml"  -exec sh -c " grep -l  org.hibernate.dialect.MySQL5D {}" \;

./ejbca_ce_6_15_2_6/modules/clientToolBox/resources/properties/META-INF/persistence.xml

./ejbca_ce_6_15_2_6/modules/ejbca-entity/resources/persistence-test-template.xml

./ejbca_ce_6_15_2_6/modules/oldlogexport-cli/build.xml

./ejbca_ce_6_15_2_6/propertyDefaults.xml

wildfly@rjrussca:/opt/installs>
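The find, backup, sed and check steps above folded into one function, as an added example that is not from the post: it lists the affected files, tars them up, edits them in place and verifies that no old reference remains. It runs here on a constructed tree; pointing it at /opt/installs does the real change.

```shell
# Added example, not from the post: the dialect swap as one checked step.

OLD_DIALECT='org.hibernate.dialect.MySQLDialect'
NEW_DIALECT='org.hibernate.dialect.MySQL5Dialect'

# Print the *.xml files under $1 (relative paths) that still name the old
# dialect. -F matches literally; MySQL5Dialect never contains MySQLDialect.
list_old_dialect() {
    (cd "$1" && find . -name '*.xml' -exec grep -lF "$OLD_DIALECT" {} + | sort)
}

# usage: update_dialect <tree> <absolute backup.tar>; prints the number of
# files changed, returns non-zero if the backup, edit or verification fails.
update_dialect() {
    tree=$1; backup=$2
    files=$(list_old_dialect "$tree")
    if [ -z "$files" ]; then echo 0; return 0; fi
    # Paths here contain no blanks, so unquoted $files splits into one arg each.
    (cd "$tree" && tar -cf "$backup" $files) || return 1
    for f in $files; do
        (cd "$tree" && sed -i -e "s/$OLD_DIALECT/$NEW_DIALECT/g" "$f") || return 1
    done
    # Verify: nothing references the old dialect, every edited file has the new one.
    [ -z "$(list_old_dialect "$tree")" ] || return 1
    for f in $files; do
        (cd "$tree" && grep -qF "$NEW_DIALECT" "$f") || return 1
    done
    echo "$files" | wc -l | tr -d ' '
}

# Demo on a constructed tree mirroring the four files the post changes.
demo=$(mktemp -d)
for f in modules/clientToolBox/resources/properties/META-INF/persistence.xml \
         modules/ejbca-entity/resources/persistence-test-template.xml \
         modules/oldlogexport-cli/build.xml propertyDefaults.xml; do
    mkdir -p "$demo/$(dirname "$f")"
    printf '<property name="hibernate.dialect" value="%s"/>\n' "$OLD_DIALECT" > "$demo/$f"
done
echo "changed: $(update_dialect "$demo" "$demo/backup.tar") files"
tar -tf "$demo/backup.tar"
```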


Now to build and install EJBCA


Building EJBCA


wildfly@rjrussca:/opt/installs/ejbca> pwd

/opt/installs/ejbca

wildfly@rjrussca:/opt/installs/ejbca> id

uid=1001(wildfly) gid=100(users) groups=100(users),1000(wildfly)

wildfly@rjrussca:/opt/installs/ejbca> ant -q clean deployear

...

     [echo] Task completed 2020-05-31 07:46:00 +0000.


BUILD SUCCESSFUL

Total time: 1 minute 1 second


Installing EJBCA as a CA with a Management CA


wildfly@rjrussca:/opt/installs/ejbca> ant runinstall

Buildfile: /opt/installs/ejbca_ce_6_15_2_6/build.xml


customejbca.message:

     [echo] No custom changes to merge.


appserver.error.message:


runinstall:


check:bootstrapdone:


ejbca:prompt:

    [input] Please enter the CA name (default: ManagementCA) ? [ManagementCA]


    [input] Please enter the CA dn (default: CN=ManagementCA,O=EJBCA Sample,C=SE) ? [CN=ManagementCA,O=EJBCA Sample,C=SE]


    [input] Please enter the CA key type (default: RSA) ? [RSA]


    [input] Please enter the CA key spec (default: 2048) ? [2048]


    [input] Please enter the CA signature algorithm (default: SHA256WithRSA) ? [SHA256WithRSA]


    [input] Please enter the CA validity in days (default: 3650) ? [3650]


    [input] Please enter the CA policy id (default, no policy) ? [null]


     [echo] To set httpsserver.hostname you need to configure conf/web.properties. See sample config file conf/web.properties.sample.

    [input] skipping input as property httpsserver.hostname has already been set.

     [echo]

     [echo] Common Name (CN) of httpsserver dn is by default taken from the httpsserver.hostname.

    [input] skipping input as property httpsserver.dn has already been set.

    [input] skipping input as property superadmin.cn has already been set.

    [input] skipping input as property superadmin.dn has already been set.

    [input] skipping input as property superadmin.batch has already been set.

    [input] skipping input as property superadmin.password has already been set.

Enter password CA token password:  [null]

….

   [delete] Deleting: /tmp/rootca.der


BUILD SUCCESSFUL

Total time: 51 seconds





*** All default answers to the prompts were accepted, other than the password, which was my choice


Deploy Keystore


wildfly@rjrussca:/opt/installs/ejbca> ant deploy-keystore


jee:deploytruststore:

     [copy] Copying 1 file to /opt/installs/wildfly/standalone/configuration/keystore


BUILD SUCCESSFUL

Total time: 1 second


Get the Client Certificate to your Control PC/Laptop


You need the superadmin.p12 certificate to log on to the EJBCA management page


wildfly@rjrussca:/opt/installs/ejbca> find . -name "superadmin.p12"

./p12/superadmin.p12

wildfly@rjrussca:/opt/installs/ejbca>


Download to PC.


Double-click to install the certificate





Enter the password ejbca to import it - you may want to read up on changing this ;)







Restart WILDFLY



---Ctrl-C on the running WildFly


08:01:01,557 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0028: Stopped deployment ejbca.ear (runtime-name: ejbca.ear) in 312ms

08:01:01,560 INFO  [org.jboss.as] (MSC service thread 1-1) WFLYSRV0050: WildFly Full 14.0.1.Final (WildFly Core 6.0.2.Final) stopped in 315ms

wildfly@rjrussca:/opt/installs/wildfly/bin>


Restart


wildfly@rjrussca:/opt/installs/wildfly/bin> ./standalone.sh

From your PC with the superadmin.p12 certificate installed, confirm the hosts file entry:


10.10.50.100 rjrussca rjrussca.rjruss.org










Setup of the systemd unit file for auto start/stop




rjrussca:~ # cd /opt/installs/wildfly/docs/contrib/scripts/systemd

rjrussca:/opt/installs/wildfly/docs/contrib/scripts/systemd # more README  ** NOTE THE CHANGES BELOW TO ADAPT TO MY SETUP

= How to configure WildFly as a systemd service


== Create a wildfly user                        ***ALREADY setup


    # groupadd -r wildfly

    # useradd -r -g wildfly -d /opt/wildfly -s /sbin/nologin wildfly


== Install WildFly ***ALREADY installed


    # tar xvzf wildfly-10.0.0.Final.tar.gz -C /opt

    # ln -s /opt/wildfly-10.0.0.Final /opt/wildfly

    # chown -R wildfly:wildfly /opt/wildfly


== Configure systemd   ***FOLLOW THESE STEPS


    # mkdir /etc/wildfly

    # cp wildfly.conf /etc/wildfly/

    # cp wildfly.service /etc/systemd/system/

    # cp launch.sh /opt/installs/wildfly/bin/



    # chmod +x /opt/installs/wildfly/bin/launch.sh


rjrussca:/opt/installs/wildfly/docs/contrib/scripts/systemd # vi /etc/systemd/system/wildfly.service



[Unit]

Description=The WildFly Application Server

After=syslog.target network.target

Before=httpd.service


[Service]

Environment=LAUNCH_JBOSS_IN_BACKGROUND=1

EnvironmentFile=-/etc/wildfly/wildfly.conf

User=wildfly

LimitNOFILE=102642

PIDFile=/var/run/wildfly/wildfly.pid

ExecStart=/opt/installs/wildfly/bin/launch.sh $WILDFLY_MODE $WILDFLY_CONFIG $WILDFLY_BIND

StandardOutput=null


[Install]

WantedBy=multi-user.target



rjrussca:/opt/installs/wildfly/docs/contrib/scripts/systemd # vi /opt/installs/wildfly/bin/launch.sh



#!/bin/bash


if [ "x$WILDFLY_HOME" = "x" ]; then

    WILDFLY_HOME="/opt/installs/wildfly"

fi


if [[ "$1" == "domain" ]]; then

    $WILDFLY_HOME/bin/domain.sh -c $2 -b $3

else

    $WILDFLY_HOME/bin/standalone.sh -c $2 -b $3

fi




Stop any running WildFly session

Ctrl-C

08:18:16,792 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0028: Stopped deployment ejbca.ear (runtime-name: ejbca.ear) in 841ms

08:18:16,800 INFO  [org.jboss.as] (MSC service thread 1-1) WFLYSRV0050: WildFly Full 14.0.1.Final (WildFly Core 6.0.2.Final) stopped in 832ms

wildfly@rjrussca:/opt/installs/wildfly/bin>




== Start and enable


rjrussca:/opt/installs/wildfly/docs/contrib/scripts/systemd # systemctl start wildfly.service

rjrussca:/opt/installs/wildfly/docs/contrib/scripts/systemd # systemctl enable wildfly.service

Created symlink /etc/systemd/system/multi-user.target.wants/wildfly.service → /etc/systemd/system/wildfly.service.


Check wildfly service is running


rjrussca:/opt/installs/wildfly/docs/contrib/scripts/systemd # ps -ef |grep wild

root       1965   1918  0 06:13 pts/0    00:00:00 su - wildfly

wildfly    1966   1965  0 06:13 pts/0    00:00:00 -bash

root       2072   2026  0 06:16 pts/1    00:00:00 su - wildfly

wildfly    2073   2072  0 06:16 pts/1    00:00:00 -bash

wildfly    9546   1966  0 06:35 pts/0    00:00:05 /usr/lib64/jvm/java/bin/java -Djboss.modules.system.pkgs=com.sun.java.swing -Dcom.ibm.jsse2.overrideDefaultTLS=true -Dlogging.configuration=file:/opt/installs/wildfly/bin/jboss-cli-logging.properties -jar /opt/installs/wildfly/jboss-modules.jar -mp /opt/installs/wildfly/modules org.jboss.as.cli -c

root      10919   9442  0 06:54 pts/2    00:00:00 su - wildfly

wildfly   10920  10919  0 06:54 pts/2    00:00:00 -bash

wildfly   18090      1  0 08:18 ?        00:00:00 /bin/bash /opt/installs/wildfly/bin/launch.sh standalone standalone.xml 0.0.0.0

wildfly   18091  18090  0 08:18 ?        00:00:00 /bin/sh /opt/installs/wildfly/bin/standalone.sh -c standalone.xml -b 0.0.0.0

wildfly   18162  18091 86 08:18 ?        00:00:15 java -D[Standalone] -server -Xms2048m -Xmx2048m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED --add-modules=java.se -Dorg.jboss.boot.log.file=/opt/installs/wildfly/standalone/log/server.log -Dlogging.configuration=file:/opt/installs/wildfly/standalone/configuration/logging.properties -jar /opt/installs/wildfly/jboss-modules.jar -mp /opt/installs/wildfly/modules org.jboss.as.standalone -Djboss.home.dir=/opt/installs/wildfly -Djboss.server.base.dir=/opt/installs/wildfly/standalone -c standalone.xml -b 0.0.0.0

root      18295  10989  0 08:19 pts/3    00:00:00 grep --color=auto wild

rjrussca:/opt/installs/wildfly/docs/contrib/scripts/systemd #



Check Web Access






Reboot To Confirm Wildfly is Automatically Started




rjrussca:/opt/installs/wildfly/docs/contrib/scripts/systemd # shutdown -r now



On restart, access the web page



Further blog posts will follow on how to actually use it :)))



