
Installation on Ubuntu Server 20.04 LTS (Draft)

Jason Rivard edited this page Feb 9, 2022 · 36 revisions

These instructions will have you store the user data that PWM creates (challenge questions and answers) in MySQL securely. You can also store them in Active Directory by creating... (researching...)

First, run the updates and install them before starting so you get the latest versions of the tools below

sudo apt-get -y update && sudo apt-get -y upgrade

Install the needed packages

Install Apache2

sudo apt-get install -y apache2

Install PHP

sudo apt-get install -y php libapache2-mod-php

Install Tomcat9 & Tomcat9 Tools

sudo apt-get install -y tomcat9 tomcat9-docs tomcat9-examples tomcat9-admin

Add roles and a user to Tomcat so that you can install .war files through the browser later on: edit /etc/tomcat9/tomcat-users.xml and add the following as children of tomcat-users. I added mine at the bottom, just before the closing `</tomcat-users>` tag

sudo vi /etc/tomcat9/tomcat-users.xml

`<role rolename="manager-gui"/>`
`<role rolename="admin-gui"/>`
`<role rolename="manager-script"/>`
`<user username="YourUsernameChange" password="YourPasswordChange" roles="manager-gui,admin-gui,manager-script"/>`

Restart tomcat for changes to take effect

sudo service tomcat9 restart

Note: Restarting may take a while (a couple of minutes for me). You can install the haveged entropy-gathering daemon to greatly reduce Tomcat startup delays, but this is not required:

sudo apt-get install -y haveged

Install OpenJDK (Java runtime; the headless JRE is enough to run Tomcat)

sudo apt install -y openjdk-14-jre-headless

Install the current version of MySQL 8

sudo apt install -y mysql-server

Run the MySQL security script to harden the MySQL installation

sudo mysql_secure_installation

TIP: Don't forget to store/save your password in your favorite password manager app. Bitwarden is free and open source!

Click this link for more information on this MySQL security hardening process https://mariadb.com/kb/en/mysql_secure_installation/

Install PHPMyAdmin to manage the MySQL database

sudo apt-get install -y phpmyadmin

TIP: Don't forget to store/save your password in your favorite password manager app. Bitwarden is free and open source! Feel free to secure PHPMyAdmin now, but at this stage that may cause other issues with the configuration steps below. I usually secure everything last.

Now create your pwm database using PHPMyAdmin by going to http://<servername-or-ip>/phpmyadmin

NOTE: I had to change the privileges of the phpmyadmin database user that was created during the phpmyadmin install process

sudo mysql

GRANT ALL PRIVILEGES ON *.* TO 'phpmyadmin'@'localhost';

FLUSH PRIVILEGES;

Install and Configure AutoMySQLBackup for automatic daily, weekly and monthly MySQL backups

sudo apt-get install automysqlbackup

(Optional) To change the configuration of AutoMySQLBackup, edit the following config file:

`sudo vi /etc/default/automysqlbackup`

The backup files are created by AutoMySQLBackup in the following location:

/var/lib/automysqlbackup

Run the following to make your first database backups:

sudo automysqlbackup

AutoMySQLBackup should already run daily automatically, but in case it does not, run the following command

sudo ln -s /usr/local/bin/automysqlbackup /etc/cron.daily/

Install PWM through your browser (I suggest Firefox, as Chrome has issues uploading the war file)

Download the latest WAR version and rename the war file to pwm.war if it isn't already. Go to http://server-ip:8080/manager/html in your browser and log in when prompted with the credentials defined in /etc/tomcat9/tomcat-users.xml. I renamed pwm-2.0.0-SNAPSHOT.war to pwm.war because Tomcat 9 uses the WAR file name to name your website (the context path). Use the GUI to install pwm.war by uploading it. Once it has uploaded and deployed the war file, you have to start the pwm website.

If you have issues with this, you can instead copy pwm.war into the webapps folder located at /var/lib/tomcat9/webapps/. Then restart Tomcat 9 to deploy it

`sudo service tomcat9 restart`

If you go to your pwm website at this point you will get a 5083 ERROR_ENVIRONMENT_ERROR (application path is not specified) on the site; please follow the next step

Create a folder for pwm to store its config files in, and tell pwm its path.

Create a folder somewhere and make 'tomcat' the owner

Example commands if you want to create the folder in /home/YourHomeFolder/

mkdir /home/YourHomeFolder/pwm-data/

sudo chown tomcat:tomcat /home/YourHomeFolder/pwm-data/

If you create the folder outside of /home (for example /media/pwm), you need to make the following changes in the tomcat9 service file. (Credit Bruce Wood. https://groups.google.com/d/embed/msg/pwm-general/_G8t6p-ygis/uOE2TwfgBQAJ)

sudo vi /lib/systemd/system/tomcat9.service

Under the `# Configuration` comment in the [Service] section, add:

Environment="PWM_APPLICATIONPATH=/home/YourHomeFolder/pwm-data/"

Under the `# Security` comment in the [Service] section, add:

ReadWritePaths=/home/YourHomeFolder/pwm-data/

Then you need to reload the systemd daemon and restart Tomcat.

sudo systemctl daemon-reload

sudo systemctl enable --now tomcat9

sudo service tomcat9 restart

Tell pwm about the newly created folder

Run `sudo vi /etc/default/tomcat9`, add the line below at the top, then save it

PWM_APPLICATIONPATH=/home/YourHomeFolder/pwm-data

Note: If you rename the war, for example to password.war, pwd.war, or idm.war, change the PWM_ prefix to your war's name (in upper case), like below

PASSWORD_APPLICATIONPATH=/home/YourHomeFolder/pwm-data

Restart tomcat9 for the changes to take effect

sudo service tomcat9 restart
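The folder, systemd and environment-variable steps above (including the rename note, where the PWM_ prefix becomes the war's name in upper case), as an added shell example that is not part of this wiki page or of PWM itself. It writes the Environment= and ReadWritePaths= settings into a systemd drop-in under /etc/systemd/system/tomcat9.service.d/ instead of editing /lib/systemd/system/tomcat9.service in place, so a tomcat9 package upgrade cannot overwrite them. The context name pwm and the path /media/pwm are assumed placeholders, and the function and drop-in file names are mine, not PWM's or Debian's.

```shell
#!/bin/sh
# Added example, not from the PWM wiki: generate a systemd drop-in that hands
# Tomcat the <CONTEXT>_APPLICATIONPATH variable and opens the directory for
# writing. Context name and paths are placeholders chosen for the example.

# env_var_for_context <war-name-without-.war>
# Prints the variable PWM reads for that context: pwm -> PWM_APPLICATIONPATH,
# password -> PASSWORD_APPLICATIONPATH (the rename rule from the note above).
env_var_for_context() {
    printf '%s_APPLICATIONPATH\n' "$(printf '%s' "$1" | tr 'a-z' 'A-Z')"
}

# render_dropin <context> <absolute-app-path>
# Prints the unit fragment. Relative paths are refused: ReadWritePaths= needs
# an absolute path, and a typo here would only surface later as a 5083 error.
render_dropin() {
    ctx="$1"; app_path="$2"
    case "$app_path" in
        /*) ;;
        *) echo "render_dropin: application path must be absolute: $app_path" >&2; return 1 ;;
    esac
    var=$(env_var_for_context "$ctx")
    printf '[Service]\n'
    printf 'Environment="%s=%s"\n' "$var" "$app_path"
    printf 'ReadWritePaths=%s\n' "$app_path"
}

# install_dropin <context> <absolute-app-path> [dropin-dir]
# Writes the fragment and prints the file name. The optional third argument
# lets the function be exercised against a scratch directory instead of /etc.
# A failed render leaves no half-written file behind.
install_dropin() {
    ctx="$1"; app_path="$2"
    dropin_dir="${3:-/etc/systemd/system/tomcat9.service.d}"
    mkdir -p "$dropin_dir"
    target="$dropin_dir/$ctx-applicationpath.conf"
    render_dropin "$ctx" "$app_path" > "$target" || { rm -f "$target"; return 1; }
    printf '%s\n' "$target"
}

# prepare_data_dir <absolute-app-path>
# Creates the folder and gives it to the tomcat user, as the page does with
# chown. The chmod 750 is not on the page; it keeps the PWM configuration,
# which contains database and LDAP secrets, unreadable by other local users.
prepare_data_dir() {
    mkdir -p "$1" && chown tomcat:tomcat "$1" && chmod 750 "$1"
}

# Typical root session (assumed context "pwm", assumed path /media/pwm):
#   prepare_data_dir /media/pwm
#   install_dropin pwm /media/pwm
#   systemctl daemon-reload && systemctl restart tomcat9
#   systemctl show tomcat9 -p Environment -p ReadWritePaths   # confirm it took
```

The last `systemctl show` line is the check worth running after the restart: if the variable or the path is missing from its output, the drop-in was not picked up and PWM will keep reporting error 5083.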

If the method above does not clear the 5083 error, try the following. It is not ideal, because a PWM upgrade will overwrite the file, but it does work.

Locate your tomcat9 webapps folder; mine was at /var/lib/tomcat9/webapps/. Inside it, go into the pwm folder and then into the WEB-INF folder, where you need to edit the web.xml file.

sudo vi /var/lib/tomcat9/webapps/pwm/WEB-INF/web.xml

Find the following section and change the value to your folder

`<param-name>applicationPath</param-name>`
`<param-value>/home/YourHomeFolder/pwm-data</param-value>` 

sudo service tomcat9 restart

(Optional) If you would prefer to use ports 80 and 443 rather than telling users to go to :8080, run the following commands to redirect port 80 and 443 traffic to 8080 and 8443

`sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080`
`sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443`
`sudo service tomcat9 restart`

Now go to http://server-ip:8080/pwm/ (or http://server-ip/pwm if you did the port forwarding above)

Configure pwm....

Still working on adding these steps as some are not super apparent what needs to be done

Test away, but once you are done configuring I highly suggest securing the site with a certificate! WARNING: Until you secure your site (HTTPS), passwords are potentially being sent in the clear!

To secure it, follow the Tomcat 9 SSL instructions at https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

Still a work in progress......Never stop learning

That's it, enjoy PWM!!

~T3chGuy77