Installation on Ubuntu Server 22.04 LTS (Draft)
I created these instructions by starting with this great base document:
https://github.com/pwm-project/pwm/wiki/Installation-on-Ubuntu-Server-20.04-LTS-(Draft)
I have modified them for an install on Ubuntu 22.04 LTS. I have also removed apache2 and phpMyAdmin, as I prefer to create and configure from the command line. Without phpMyAdmin, apache2 wasn't needed either.
These instructions store the user data that PWM creates, including challenge questions and answers, in MySQL.
First, run updates and install them before starting so you get the latest versions of the tools below:
sudo apt-get -y update && sudo apt-get -y upgrade
PWM is a Java web application and does not use PHP. The next line is carried over from the base document, and because libapache2-mod-php depends on apache2 it pulls the web server back in, so skip it unless you want PHP for something else:
sudo apt-get install -y php libapache2-mod-php
sudo apt-get install -y tomcat9 tomcat9-docs tomcat9-examples tomcat9-admin
Add roles and a user to Tomcat so you can install .war files through the browser later on. Edit /etc/tomcat9/tomcat-users.xml
and add the following as children of tomcat-users. I added mine at the bottom, just before the closing </tomcat-users> tag. Note that the manager-gui and manager-script roles let their holder deploy arbitrary WAR files, which means running code as the tomcat user, so give this account a long, unique password. Since this guide deploys pwm.war by copying it into the webapps directory, the account is optional.
sudo vi /etc/tomcat9/tomcat-users.xml
`<role rolename="manager-gui"/>`
`<role rolename="admin-gui"/>`
`<role rolename="manager-script"/>`
`<user username="YourUsernameChange" password="YourPasswordChange" roles="manager-gui,admin-gui,manager-script"/>`
Restart tomcat for changes to take effect
sudo service tomcat9 restart
If you wish to monitor the log file for errors (the tomcat9 service also sends its console output to the journal, so journalctl -u tomcat9 -f shows the startup messages as well):
tail -f /var/log/tomcat9/catalina.yyyy-mm-dd.log
Note: restarting didn't take very long at all for me, so this was not a required step; leaving it for posterity. The haveged entropy-gathering daemon used to reduce Tomcat startup delays caused by the JVM blocking on /dev/random, but on Ubuntu 22.04 (kernel 5.15) /dev/random no longer blocks once the pool is seeded, so it is rarely needed:
sudo apt-get install -y haveged
Note: OpenJDK 14 would not install on 22.04, so I used 17:
sudo apt install openjdk-17-jre-headless
sudo apt install -y mysql-server
Run the MySQL hardening script:
sudo mysql_secure_installation
TIP: Don't forget to store/save your password in your favorite password manager app. Bitwarden is free and OpenSource!
Click this link for more information on this MySQL hardening process: https://mariadb.com/kb/en/mysql_secure_installation/
I needed to secure my root account locally with a password.
Note: on Ubuntu's MySQL 8.0 packages, root authenticates through the auth_socket plugin, so the password step of mysql_secure_installation does not apply to it and only a local `sudo mysql` session can log in as root. Switching root to a password is what makes the -p login below work. If you do switch, caching_sha2_password (MySQL 8's default plugin, used for the pwm user below) is the stronger choice; mysql_native_password is deprecated from MySQL 8.0.34 and is only worth keeping for clients that cannot do caching_sha2_password.
sudo mysql -u root
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '<passwordhere>';
Now when you log in, you will need to use the command:
sudo mysql -u root -p
and then enter your root password.
Now create your pwm database and a dedicated account for it. The account is limited to connections from localhost and to the pwm schema, which is all PWM needs:
CREATE DATABASE pwm;
CREATE USER 'pwm'@'localhost' IDENTIFIED WITH caching_sha2_password BY '<passwordhere>';
USE pwm;
GRANT ALL ON pwm.* TO 'pwm'@'localhost';
FLUSH PRIVILEGES;
quit
(USE pwm and FLUSH PRIVILEGES are harmless but not required here: GRANT names the schema explicitly and takes effect immediately.)
TIP: save this password in your password manager as well; you will need it when you point PWM at the database.
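The two MySQL steps above (hardening the server, then creating a least-privilege pwm account) can be scripted and checked. The following is an added example, not part of this guide's original steps or of the PWM project: it generates a random password, renders the same CREATE USER / GRANT statements with caching_sha2_password, and audits a dump of mysql.user for the things mysql_secure_installation is supposed to remove (anonymous accounts, root reachable from anywhere but localhost). It assumes Ubuntu 22.04's MySQL 8.0 packages and a root account that has been given a password as above; the PWM_APPLY switch and the variable names are choices made here. The sample account table in the test is constructed.

```sh
#!/bin/sh
# Added example, not from the PWM project: create the pwm database account with a
# generated password and audit mysql.user for leftovers that
# mysql_secure_installation is meant to remove. Assumes Ubuntu 22.04's MySQL 8.0
# packages and a root account that logs in with `sudo mysql -u root -p`.
set -eu

# 32 characters from /dev/urandom, letters and digits only, so the value needs no
# escaping in SQL or in PwmConfiguration.xml (about 190 bits of entropy).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# SQL for a least-privilege account: localhost only, one schema only, and
# caching_sha2_password (MySQL 8's default plugin, stronger than mysql_native_password).
pwm_db_sql() {
    db="$1"; user="$2"; pass="$3"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS $db;
CREATE USER IF NOT EXISTS '$user'@'localhost' IDENTIFIED WITH caching_sha2_password BY '$pass';
GRANT ALL PRIVILEGES ON $db.* TO '$user'@'localhost';
EOF
}

# Audit the output of: mysql -N -B -e "SELECT user,host,plugin FROM mysql.user"
# (tab-separated, one account per line). Prints findings; exits 1 if there are any.
audit_accounts() {
    awk -F'\t' '
        NF < 3 { next }
        $1 == "" { print "FINDING: anonymous account allowed from " $2; bad++ }
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            print "FINDING: root login allowed from " $2; bad++ }
        $3 == "mysql_native_password" {
            print "note: " $1 "@" $2 " uses mysql_native_password (deprecated since MySQL 8.0.34)" }
        END { exit (bad > 0) }'
}

DB="${PWM_DB:-pwm}"; DB_USER="${PWM_DB_USER:-pwm}"   # assumed names, match the guide
PASS="$(gen_password)"
if [ "${PWM_APPLY:-0}" = 1 ]; then
    # Apply: create the account, then audit the live account table.
    pwm_db_sql "$DB" "$DB_USER" "$PASS" | sudo mysql -u root -p
    echo "created $DB_USER@localhost; password (store it in your password manager): $PASS"
    sudo mysql -u root -p -N -B -e "SELECT user,host,plugin FROM mysql.user" | audit_accounts \
        || echo "review the findings above (rerun mysql_secure_installation if needed)"
else
    # Dry run: print the SQL that would be executed.
    pwm_db_sql "$DB" "$DB_USER" "$PASS"
fi
```

Run it without arguments to see the SQL, or with PWM_APPLY=1 to execute it against the server (you will be prompted for the MySQL root password twice, once for the creation and once for the audit). The audit treats root on any host other than localhost, 127.0.0.1 or ::1 as a finding, and only notes, rather than flags, accounts still on mysql_native_password, since the guide deliberately puts root on that plugin.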
I did not set up backups, but you can by referencing the original build document.
Install PWM via the command line. I'm much more comfortable with the command line and it was easier this way for me.
For example, upload the file to /root
cd /root
Download the file
wget https://github.com/pwm-project/pwm/releases/download/v2_0_6/pwm-2.0.6.war
Copy the file into Tomcat's webapps directory, renaming it in the process (the file name becomes the context path, so pwm.war is served at /pwm/):
sudo cp -v ./pwm-2.0.6.war /var/lib/tomcat9/webapps/pwm.war
Restart tomcat
sudo service tomcat9 restart
Monitor the log file for errors / information
tail -f /var/log/tomcat9/catalina.yyyy-mm-dd.log
If you go to your pwm website at this point you will get a 5083 ERROR_ENVIRONMENT_ERROR (application path is not specified) on the site; follow the next step to fix it.
http://server-ip:8080/pwm/
Create a folder for pwm to store its config files in, and tell pwm its path.
Create a folder somewhere and make 'tomcat' the owner. This folder will hold PwmConfiguration.xml and PWM's local database, which contain secrets, so do not leave it world-readable (owner tomcat with mode 750 is a sensible choice).
sudo mkdir /var/lib/tomcat9/pwm-data/
sudo chown tomcat:tomcat /var/lib/tomcat9/pwm-data/
The tomcat9 unit runs with ProtectSystem=strict, so the process can only write to the directories listed in its ReadWritePaths (by default only a few, such as /var/lib/tomcat9/webapps/ and /var/log/tomcat9/). A data folder anywhere else, such as /var/lib/tomcat9/pwm-data, therefore has to be added to the unit as follows. (Credit Bruce Wood. https://groups.google.com/d/embed/msg/pwm-general/_G8t6p-ygis/uOE2TwfgBQAJ)
Rather than editing /lib/systemd/system/tomcat9.service directly, which the next tomcat9 package upgrade will overwrite, put the two lines below in a drop-in created with sudo systemctl edit tomcat9 (it lands in /etc/systemd/system/tomcat9.service.d/override.conf); the same two lines work there. If you do edit the package's unit file:
sudo vi /lib/systemd/system/tomcat9.service
under
[Service]
# Configuration
add:
Environment="PWM_APPLICATIONPATH=/var/lib/tomcat9/pwm-data/"
under
[Service]
# Security
add:
ReadWritePaths=/var/lib/tomcat9/pwm-data/
Then reload systemd so it picks up the change.
sudo systemctl daemon-reload
Make sure tomcat is enabled
sudo systemctl enable --now tomcat9
Restart the service
sudo service tomcat9 restart
Monitor the log file (specifically for pwm.war)
tail -f /var/log/tomcat9/catalina.yyyy-mm-dd.log | grep pwm.war
Tell pwm about the newly created folder. The tomcat9 unit reads /etc/default/tomcat9 through its EnvironmentFile= setting, so this is an alternative place for the same variable; the ReadWritePaths line above still has to live in the unit.
`sudo vi /etc/default/tomcat9`
and add the line below at the top, then save it
`PWM_APPLICATIONPATH=/var/lib/tomcat9/pwm-data/`
Note: PWM builds the variable name from the WAR file's name (the context path) in upper case, so if you called the war file something other than pwm.war, you need to change the line above to reflect that.
If you rename the war, for example to password.war, then your line would be:
PASSWORD_APPLICATIONPATH=/var/lib/tomcat9/pwm-data/
Restart tomcat9 for the changes to take effect
`sudo service tomcat9 restart`
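The data-directory steps above (create the folder, add Environment= and ReadWritePaths= to the tomcat9 unit, reload, restart, check) as one script. This is an added example, not part of the guide's original steps, Ubuntu's tomcat9 package or the PWM project: it writes the two settings to a systemd drop-in instead of the package's unit file, derives the variable name from the WAR name the way the note above describes, and checks the result by parsing `systemctl show` output. It assumes Ubuntu's tomcat9 unit (User=tomcat, ProtectSystem=strict); the drop-in file name pwm.conf, the PWM_WAR / PWM_DATA_DIR / PWM_APPLY variables and the sample `systemctl show` output in the test are choices and constructions made here.

```sh
#!/bin/sh
# Added example, not from the PWM project or Ubuntu's tomcat9 package: set the PWM
# data directory for Tomcat through a systemd drop-in rather than by editing
# /lib/systemd/system/tomcat9.service, which the next package upgrade overwrites.
# Assumes Ubuntu's tomcat9 unit (User=tomcat, ProtectSystem=strict). The drop-in
# name pwm.conf is a choice made here, not a convention of either project.
set -eu

WAR="${PWM_WAR:-pwm.war}"                              # name the WAR was deployed as
DATA_DIR="${PWM_DATA_DIR:-/var/lib/tomcat9/pwm-data}"  # assumed default, as in the guide
DATA_DIR="${DATA_DIR%/}"                               # drop a trailing slash
DROPIN=/etc/systemd/system/tomcat9.service.d/pwm.conf

# PWM looks for <CONTEXT>_APPLICATIONPATH, the WAR name upper-cased:
# pwm.war -> PWM_APPLICATIONPATH, password.war -> PASSWORD_APPLICATIONPATH.
apppath_var() {
    printf '%s_APPLICATIONPATH\n' "$(printf '%s' "${1%.war}" | tr 'a-z' 'A-Z')"
}

# Environment= hands the path to the JVM; ReadWritePaths= opens the directory
# through ProtectSystem=strict, which otherwise leaves it read-only to tomcat.
render_dropin() {
    var="$1"; dir="$2"
    printf '[Service]\nEnvironment="%s=%s"\nReadWritePaths=%s\n' "$var" "$dir" "$dir"
}

# Check `systemctl show tomcat9 -p Environment -p ReadWritePaths` output for both
# settings. Both values are space-separated lists; trailing slashes are ignored.
verify_show_output() {
    var="$1"; dir="${2%/}"; shown="$3"
    env_line="$(printf '%s\n' "$shown" | sed -n 's/^Environment=//p')"
    rw_line="$(printf ' %s ' "$(printf '%s\n' "$shown" | sed -n 's/^ReadWritePaths=//p')" | sed 's:/ : :g')"
    case " $env_line " in
        *" $var=$dir "*|*" $var=$dir/ "*) ;;
        *) echo "MISSING: $var is not in the unit environment"; return 1 ;;
    esac
    case "$rw_line" in
        *" $dir "*) ;;
        *) echo "MISSING: $dir is not in ReadWritePaths (tomcat cannot write there)"; return 1 ;;
    esac
    echo "ok: $var=$dir and $dir is writable under ProtectSystem=strict"
}

VAR="$(apppath_var "$WAR")"
if [ "${PWM_APPLY:-0}" = 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo) to apply"; exit 1; }
    # The directory will hold PwmConfiguration.xml and the LocalDB, which contain
    # secrets: owner tomcat, no access for others.
    install -d -o tomcat -g tomcat -m 750 "$DATA_DIR"
    install -d -m 755 "$(dirname "$DROPIN")"
    render_dropin "$VAR" "$DATA_DIR" > "$DROPIN"
    systemctl daemon-reload
    systemctl restart tomcat9
    verify_show_output "$VAR" "$DATA_DIR" "$(systemctl show tomcat9 -p Environment -p ReadWritePaths)"
else
    # Dry run: show the drop-in that would be written.
    echo "# would write to $DROPIN:"
    render_dropin "$VAR" "$DATA_DIR"
fi
```

Without arguments the script only prints the drop-in; `sudo PWM_APPLY=1 sh thisscript.sh` creates the directory, writes the drop-in, reloads and restarts tomcat9, and then confirms from `systemctl show` that both the variable and the writable path actually reached the running unit. If the check reports MISSING, the drop-in was not picked up (typically a missing daemon-reload) and PWM will keep returning error 5083.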
Now go to http://server-ip:8080/pwm/
Configure pwm....
These steps are still a work in progress, as I did not get any pictures of the "wizard" the first time I ran this.
There are some good configurable parameters, which I will add later on.
The main configuration file is on the server located here:
/var/lib/tomcat9/pwm-data/PwmConfiguration.xml
PWM handles user credentials, so do not leave it reachable over plain HTTP on port 8080 beyond initial testing. To secure it, enable TLS on the Tomcat connector by following the Tomcat 9 SSL how-to below (or terminate TLS on a reverse proxy in front of Tomcat and bind port 8080 to localhost only):
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
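The Tomcat SSL how-to covers the connector syntax; the script below is an added example, not from that how-to, this guide or the PWM project, showing the two server.xml changes a practitioner would actually make on this install: insert a TLS-only connector on 8443 (TLS 1.2 and 1.3 only, PEM certificate files, server cipher order) and pin the stock plain-HTTP 8080 connector to 127.0.0.1 so the password forms are never offered unencrypted on the network. The certificate directory /etc/tomcat9/tls and the file names server.crt, server.key and chain.pem are assumptions, as are the PWM_APPLY and TOMCAT_SERVER_XML variables; the server.xml fragment in the test is constructed to match the shape of Ubuntu's default file.

```sh
#!/bin/sh
# Added example, not from the Tomcat SSL how-to or the PWM project: add a TLS-only
# connector to /etc/tomcat9/server.xml and pin the plain-HTTP 8080 connector to
# loopback. Certificate directory and file names are assumptions for illustration.
set -eu

SERVER_XML="${TOMCAT_SERVER_XML:-/etc/tomcat9/server.xml}"
CERT_DIR="${PWM_CERT_DIR:-/etc/tomcat9/tls}"   # assumed location, not a Tomcat default

# Tomcat 9 NIO connector reading PEM files; TLS 1.2+ only, server picks the cipher.
# 8443 keeps tomcat off a privileged port; use 443 only via a proxy or port redirect.
tls_connector() {
    cat <<EOF
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" maxThreads="150">
        <SSLHostConfig protocols="TLSv1.2+TLSv1.3" honorCipherOrder="true">
            <Certificate certificateFile="$CERT_DIR/server.crt"
                         certificateKeyFile="$CERT_DIR/server.key"
                         certificateChainFile="$CERT_DIR/chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
EOF
}

# Insert the TLS connector once, just before </Service>. The file is overwritten in
# place (cat, not mv) so its owner and mode are preserved.
insert_tls_connector() {
    f="$1"
    if grep -q 'SSLEnabled="true"' "$f"; then
        echo "TLS connector already present in $f"; return 0
    fi
    snippet="$(mktemp)"
    tls_connector > "$snippet"
    awk -v snip="$snippet" '
        /<\/Service>/ { while ((getline line < snip) > 0) print line }
        { print }' "$f" > "$f.new"
    cat "$f.new" > "$f"
    rm -f "$f.new" "$snippet"
}

# Bind the stock 8080 connector to 127.0.0.1 (once) so it is reachable only from the
# host itself, e.g. for a local reverse proxy; the network only ever sees 8443.
bind_http_to_loopback() {
    f="$1"
    if grep -q 'port="8080" address="127.0.0.1"' "$f"; then
        return 0
    fi
    sed 's/<Connector port="8080"/<Connector port="8080" address="127.0.0.1"/' "$f" > "$f.new"
    cat "$f.new" > "$f"
    rm -f "$f.new"
}

if [ "${PWM_APPLY:-0}" = 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo) to apply"; exit 1; }
    for f in server.crt server.key chain.pem; do
        [ -f "$CERT_DIR/$f" ] || { echo "missing $CERT_DIR/$f"; exit 1; }
    done
    # Private key readable by root and the tomcat group only; /etc stays readable
    # under ProtectSystem=strict, so no ReadWritePaths change is needed for it.
    chown root:tomcat "$CERT_DIR/server.key"; chmod 640 "$CERT_DIR/server.key"
    cp -p "$SERVER_XML" "$SERVER_XML.bak"
    insert_tls_connector "$SERVER_XML"
    bind_http_to_loopback "$SERVER_XML"
    systemctl restart tomcat9
else
    # Dry run: show the connector that would be inserted before </Service>.
    echo "# connector that would be inserted into $SERVER_XML:"
    tls_connector
fi
```

After `sudo PWM_APPLY=1 sh thisscript.sh`, PWM is at https://server-ip:8443/pwm/ and http://server-ip:8080/pwm/ answers only from the server itself; both edits are idempotent, so rerunning the script does not duplicate the connector or the address attribute, and server.xml.bak holds the previous file. With a certificate from your own CA, also import that CA into PWM's trust settings when you later point it at LDAPS.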
I have further notes which I will add in a more logical way, but this document is a good start for Ubuntu 22.04 LTS.
It works great hooked into our AD.
The only wrinkle is occasionally a lack of information when there is an error. For example, I tried to change a password and it errored by telling me that the password didn't meet the complexity requirements. It did meet the requirements, and the PWM page listed out the requirements, but what I learned later was that the Group Policy also has a minimum-age requirement for the password, and that wasn't listed. So the error was accurate, but it took a while to track down.
Scott Milewski