EJBCA Installation Tutorial: PostgreSQL + WildFly 10

Source: Internet
Author: User
Tags postgresql jboss wildfly wsdl
1. Installation Environment Instructions

The author installed everything in a virtual machine on this computer; the database was already installed.

Ubuntu 16.04 x64

PostgreSQL 9

WildFly 10

2. Preparation before installation

Download the necessary packages (directly from their websites):

    • wildfly-10.0.0.Final.zip
    • ejbca_ce_6_5.0.5.zip
    • apache-ant-1.10.1-bin.tar.gz http://mirrors.tuna.tsinghua.edu.cn/apache//ant/binaries/apache-ant-1.10.1-bin.tar.gz
    • jdk1.8
    • postgresql-9.4.1207.jar (database driver package)

In this walkthrough, all of the above software is installed under /opt.

The operating system login is a user named royoan, and all of the following steps are performed as that user.

JDK installation is not covered here; remember to set the JAVA_HOME environment variable.

2.1 Setting up a database

The author creates a user and a schema for that user on the existing test database, which is equivalent to a new database.

-- Log in to the test database and add a user and a schema
CREATE USER ejbca PASSWORD 'ejbca';
CREATE SCHEMA ejbca AUTHORIZATION ejbca;

2.2 Ant Installation

Unpack apache-ant-1.10.1-bin.tar.gz into /opt, which gives /opt/apache-ant-1.10.1.

Configure the environment variables: edit /home/royoan/.profile and append the following lines at the end of the file:

export JAVA_HOME=/opt/jdk1.8.0_131
PATH="$JAVA_HOME/bin:$PATH"
export ANT_HOME=/opt/apache-ant-1.10.1
PATH="$ANT_HOME/bin:$PATH"

After saving, execute

$:/opt$ source ~/.profile
$:/opt$ cd /opt
$:/opt$ ant
Buildfile: build.xml does not exist!
Build failed

This "Build failed" message is expected: it shows that Ant is installed and runs (there is simply no build.xml in /opt).

2.3 Wildfly Installation

Unzip the package into /opt as well, which gives the directory

/opt/wildfly-10.0.0.Final

Execute the following command to start the Wildfly server:

cd /opt/wildfly-10.0.0.Final
bin/standalone.sh

2.3.1 Installing the PostgreSQL driver and configuring the data source in WildFly

Put postgresql-9.4.1207.jar in /home/royoan/, wait for WildFly to finish starting, then run the following command:

jboss-cli.sh -c

This opens the command-line tool (CLI). Run the following CLI command to install the module:

module add --name=org.postgresql --resources=/home/royoan/postgresql-9.4.1207.jar --dependencies=javax.api,javax.transaction.api

The command creates the following directory under $JBOSS_HOME/modules:

|-org/postgresql/main
|-module.xml
∟-postgresql-9.4.1207.jar

CLI commands to add the driver and the data source:

/subsystem=datasources/jdbc-driver=postgresql:add(driver-name="postgresql",driver-module-name="org.postgresql",driver-xa-datasource-class-name=org.postgresql.Driver)

data-source add --name=ejbcads --driver-name="postgresql" --connection-url="jdbc:postgresql://localhost:5432/test" --jndi-name="java:/EjbcaDS" --use-ccm=true --driver-class="org.postgresql.Driver" --user-name="ejbca" --password="ejbca" --validate-on-match=true --background-validation=false --prepared-statements-cache-size=50 --share-prepared-statements=true --min-pool-size=5 --max-pool-size=150 --pool-prefill=true --transaction-isolation=TRANSACTION_READ_COMMITTED --check-valid-connection-sql="select 1;"

The commands above modify the standalone.xml configuration file. Replace the URL, user name and password shown above with the values for your own database.

2.3.2 Wildfly Remote Configuration

These commands are also run in the CLI:

/subsystem=remoting/http-connector=http-remoting-connector:remove
/subsystem=remoting/http-connector=http-remoting-connector:add(connector-ref="remoting",security-realm="ApplicationRealm")
/socket-binding-group=standard-sockets/socket-binding=remoting:add(port="4447")
/subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting)
:reload

Configure logging:

/subsystem=logging/logger=org.ejbca:add
/subsystem=logging/logger=org.ejbca:write-attribute(name=level, value=DEBUG)
/subsystem=logging/logger=org.cesecore:add
/subsystem=logging/logger=org.cesecore:write-attribute(name=level, value=DEBUG)

3. EJBCA Installation and Configuration

Unzip ejbca_ce_6_5.0.5.zip into /opt and change into the extracted folder.

3.1 Configuration

The conf directory holds the EJBCA configuration files; settings in these files are read at build time and when the CA is generated. The shipped configuration files all end in .sample. To change a default, rename the file you need to modify, removing the .sample suffix.
We need to change a few files; first create the 4 important ones:

cd /opt/ejbca_ce_6_5.0.5/conf
mv ejbca.properties.sample ejbca.properties
mv web.properties.sample  web.properties
mv database.properties.sample database.properties
mv install.properties.sample install.properties

Modify the ejbca.properties file

Set the value of appserver.home (the installation location of the application server, which is /opt/wildfly-10.0.0.Final for us).

Modify the web.properties file

Set the certificate password for the CA's super administrator, the password for the server-side certificate generated for the application server, the password for the CA's truststore, and so on. These passwords can be set as needed, or left at their defaults. Pay attention to httpsserver.hostname, which corresponds to the alias used later: my IP address is 147.128.105.149, so here we set it to 147.128.105.149.

Modify the database.properties file

In practice we simply use the WildFly data source. Uncomment datasource.jndi-name=ejbcads, and also uncomment the database type, database.name=postgres. Otherwise the installer creates the tables for the H2 database and fails with an error. The author did not enable this option at first, which caused the first installation to fail.

Modify the install.properties file

Set the name of the CA, the encryption settings, and so on. It is recommended to leave the defaults.
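
A preflight check for the conf/ settings described in this section, to run before the build. This is an added example, not part of the original tutorial or of EJBCA; the names load_properties, preflight and tls_alias are hypothetical, and the demo files are constructed to repeat the commented-out database.name mistake mentioned above.

```python
import re
import tempfile
from pathlib import Path

# Password values printed on this page (sections 2.1 and 4.2).
PAGE_PASSWORDS = {"ejbca", "serverpwd", "changeit"}

def load_properties(path):
    """Parse key=value lines; return (active, commented_out) dicts."""
    active, commented = {}, {}
    for raw in Path(path).read_text(encoding="utf-8").splitlines():
        line, target = raw.strip(), active
        if line.startswith("#"):
            line, target = line.lstrip("# \t"), commented
        m = re.match(r"([\w.-]+)\s*=\s*(.*)$", line)
        if m:
            target[m.group(1)] = m.group(2).strip()
    return active, commented

def preflight(conf_dir, tls_alias):
    """Return findings for the section 3.1 settings; an empty list means OK."""
    conf, findings = Path(conf_dir), []
    db, db_off = load_properties(conf / "database.properties")
    for key in ("database.name", "datasource.jndi-name"):
        if key not in db:
            state = "commented out" if key in db_off else "missing"
            findings.append(f"database.properties: {key} is {state}")
    if db.get("database.name", "postgres") != "postgres":
        findings.append("database.properties: database.name is not postgres")
    web, _ = load_properties(conf / "web.properties")
    # The alias given to the SSLRealm keystore later must match this value.
    if web.get("httpsserver.hostname") != tls_alias:
        findings.append("web.properties: httpsserver.hostname differs from alias")
    for key, value in sorted(web.items()):
        if "password" in key.lower() and value in PAGE_PASSWORDS:
            findings.append(f"web.properties: {key} is a password printed on this page")
    return findings

def demo():
    """Run the check on constructed files with both database keys commented out."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "database.properties").write_text(
            "#datasource.jndi-name=ejbcads\n#database.name=postgres\n")
        Path(d, "web.properties").write_text(
            "httpsserver.hostname=147.128.105.149\nhttpsserver.password=serverpwd\n")
        return preflight(d, tls_alias="147.128.105.149")

if __name__ == "__main__":
    print("\n".join(demo()) or "conf/ looks ready for: ant clean deployear")
```
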

3.2 Installation

Go to the command line and execute the following command:

cd /opt/ejbca_ce_6_5.0.5/
ant clean deployear
ant runinstall
ant deploy-keystore

The deployear step takes a little longer.

ant runinstall: you do not need to perform this step when removing an existing installation (with an available TLS keystore). To be honest, the author did not understand this point.

After ant deploy-keystore runs, keystore.jks and truststore.jks have been generated in the EJBCA directory, and the script automatically copies them to $JBOSS_HOME/standalone/configuration/keystore, so we do not need to do anything about them.

4. Final WildFly configuration

4.1 Removing the existing TLS and HTTP configuration in WildFly

Again run jboss-cli.sh -c in the /opt/wild directory to enter the CLI, then execute the following CLI commands:

/subsystem=undertow/server=default-server/http-listener=default:remove
/subsystem=undertow/server=default-server/https-listener=https:remove
/socket-binding-group=standard-sockets/socket-binding=http:remove
/socket-binding-group=standard-sockets/socket-binding=https:remove

4.2 Configuring the new TLS

/interface=http:add(inet-address="0.0.0.0")
/interface=httpspub:add(inet-address="0.0.0.0")
/interface=httpspriv:add(inet-address="0.0.0.0")
/socket-binding-group=standard-sockets/socket-binding=http:add(port="8080",interface="http")
/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding=http)
/subsystem=undertow/server=default-server/http-listener=http:write-attribute(name=redirect-socket, value="httpspriv")
:reload

The "0.0.0.0" above means the interfaces accept connections from other machines as well; the original default, 127.0.0.1, allows access only from the local machine.

Then configure the realm and the socket bindings. Note the two passwords; the alias here is the IP address configured earlier.

/core-service=management/security-realm=SSLRealm:add()
/core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path="${jboss.server.config.dir}/keystore/keystore.jks", keystore-password="serverpwd", alias="147.128.105.149")
/core-service=management/security-realm=SSLRealm/authentication=truststore:add(keystore-path="${jboss.server.config.dir}/keystore/truststore.jks", keystore-password="changeit")
/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface="httpspriv")
/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442", interface="httpspub")

When you're done, exit jboss-cli.sh.

Stop WildFly and restart it. (Be sure not to forget this.)

4.3 Configuring the Undertow Service

Start jboss-cli.sh -c again.

Run:

/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding=httpspriv, security-realm="SSLRealm", verify-client=REQUIRED)
/subsystem=undertow/server=default-server/https-listener=httpspriv:write-attribute(name=max-parameters, value="2048")
/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding=httpspub, security-realm="SSLRealm")
/subsystem=undertow/server=default-server/https-listener=httpspub:write-attribute(name=max-parameters, value="2048")
:reload

Then there are some further important settings:

/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)
/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)
/system-property=org.apache.catalina.connector.URI_ENCODING:add(value="UTF-8")
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)
/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)
/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)
:reload

If you have an Apache server in front of WildFly, run the following command; otherwise skip it:

/subsystem=undertow/server=default-server/ajp-listener=ajp-listener:add(socket-binding=ajp, scheme=https, enabled=true)
:reload
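
An audit of the resulting standalone.xml for the points sections 4.1 to 4.3 depend on: client-certificate enforcement on httpspriv, removal of the old https listener, interfaces bound to 0.0.0.0, and keystore passwords left at the values printed on this page. This is an added example, not part of the original tutorial; audit_standalone is a hypothetical name and the XML fragment is constructed, with its element layout an assumption about what these CLI commands write.

```python
import xml.etree.ElementTree as ET

PAGE_PASSWORDS = {"serverpwd", "changeit"}  # values printed in section 4.2

def local(tag):
    """Strip the XML namespace so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]

def audit_standalone(xml_text):
    """Return findings about the listeners and realm set up in sections 4.1-4.3."""
    findings, https, wildcard = [], {}, []
    for el in ET.fromstring(xml_text).iter():
        tag = local(el.tag)
        if tag == "https-listener":
            https[el.get("name")] = el.get("verify-client", "NOT_REQUESTED")
        elif tag == "interface":
            if any(c.get("value") == "0.0.0.0" for c in el if local(c.tag) == "inet-address"):
                wildcard.append(el.get("name"))
        if el.get("keystore-password") in PAGE_PASSWORDS:
            findings.append(f"{tag}: keystore-password is a value printed on this page")
    if https.get("httpspriv") != "REQUIRED":
        findings.append("httpspriv: client certificate is not REQUIRED")
    if "https" in https:
        findings.append("https: default listener from before section 4.1 still present")
    if wildcard:
        findings.append("bound to 0.0.0.0: " + ", ".join(sorted(wildcard)))
    return findings

# Constructed fragment shaped like the standalone.xml these commands produce;
# the element layout is an assumption, trimmed to what the audit reads.
# verify-client is deliberately missing on httpspriv to show the finding.
SAMPLE = """<server xmlns="urn:jboss:domain:4.0">
 <management><security-realms><security-realm name="SSLRealm">
  <server-identities><ssl><keystore path="keystore/keystore.jks"
    keystore-password="serverpwd" alias="147.128.105.149"/></ssl></server-identities>
 </security-realm></security-realms></management>
 <profile><subsystem xmlns="urn:jboss:domain:undertow:3.0"><server name="default-server">
  <https-listener name="httpspriv" socket-binding="httpspriv" security-realm="SSLRealm"/>
  <https-listener name="httpspub" socket-binding="httpspub" security-realm="SSLRealm"/>
 </server></subsystem></profile>
 <interfaces>
  <interface name="httpspriv"><inet-address value="0.0.0.0"/></interface>
  <interface name="management"><inet-address value="127.0.0.1"/></interface>
 </interfaces>
</server>"""

if __name__ == "__main__":
    print("\n".join(audit_standalone(SAMPLE)))
```

The 0.0.0.0 line is informational: the tutorial binds those interfaces on purpose, and the list shows which ones a host firewall has to cover.
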

Download the certificate /opt/ejbca_ce_6_5.0.5/p12/superadmin.p12 to your local machine and import it into the browser; you can then access the administration console (the import is needed because two-way authentication is required).
EJBCA administration console:
https://147.128.105.149:8443/ejbca/adminweb

Done!!!

Copyright of this article belongs to the author, Royoan (blog post: http://www.cnblogs.com/royoan/p/7763633.html). Reprinting and commercial use are welcome; please give the original link in a prominent position on the article page and retain this statement, otherwise the author reserves the right to pursue legal responsibility. For other matters, leave a message.
