
Provide Secure Backend for PPT (Linux)


Prerequisites

These are the prerequisites:

  • Install Java 11 JDK

  • PoolParty installed

  • Have valid certificates in place (.crt or .pem).

    • Either one wildcard certificate covering both services (*.domain.org), or

    • One certificate for poolparty.domain.org and one for poolparty-keycloak.domain.org.

In our example we use one certificate (/opt/poolparty/certs/domain.org.crt, /opt/poolparty/certs/domain.org.key) and have PoolParty installed in the /opt/poolparty folder.

Optional: Create a Self-Signed Certificate

  1. Create an /opt/poolparty/certs folder.

  2. Run the following command in that folder to create a self-signed certificate (it writes selfsigned.key and selfsigned.crt):

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout selfsigned.key -out selfsigned.crt

Create a Java Keystore (.JKS)

Keycloak and PoolParty use a Java keystore to secure traffic.

  1. Convert your certificate in PEM format (.crt + .key) into PKCS#12 format by executing the following command:

    openssl pkcs12 -export -in domain.org.crt -inkey domain.org.key -out domain.org.p12

  2. Import the PKCS#12 file into a Java keystore. In our example, we import both certificates into one keystore. Enter a secure password when prompted for the keystore password:

    keytool -importkeystore -srckeystore domain.org.p12 -srcstoretype pkcs12 -destkeystore poolparty.jks -deststoretype JKS

Adjust the Keycloak Installation

To adjust the Keycloak Installation, do the following:

  1. Make sure everything is stopped with /opt/poolparty/bin/poolparty stop.

  2. Make sure the following properties are part of /opt/poolparty/auth_service/keycloak/conf/keycloak.conf.

    • https-port=8181

    • #http-port (comment it out)

    • https-key-store-file=/opt/poolparty/certs/poolparty.jks

    • https-key-store-password=password

    • proxy=reencrypt (if you run a proxy in front of Keycloak.)

    • hostname=poolparty-keycloak.domain.org

    • #http-enabled=true (comment it out)

  3. Run /opt/poolparty/auth_service/keycloak/bin/kc.sh build.

  4. Run /opt/poolparty/auth_service/keycloak/bin/kc.sh start to check if it starts without any errors.

  5. If it started without any error (no console output for 1-2 minutes), apply the new start command to the startup script:

    1. Make a backup of /opt/poolparty/bin/poolparty with cp /opt/poolparty/bin/poolparty /opt/poolparty/bin/poolparty.bak.

    2. Replace the following line:

      nohup ${POOLPARTY_HOME}/auth_service/keycloak/bin/kc.sh start-dev --http-enabled=true --https-key-store-password=secret --hostname-strict=false --http-relative-path /auth --db-pool-initial-size 99 >/dev/null 2>&1 &

      with

      nohup ${POOLPARTY_HOME}/auth_service/keycloak/bin/kc.sh start --http-relative-path /auth --db-pool-initial-size 99 >/dev/null 2>&1 &

Adjust the PoolParty Installation

To adjust the PoolParty installation, do the following:

  1. Make sure everything is stopped with /opt/poolparty/bin/poolparty stop.

  2. In the /opt/poolparty/config/keycloak folder, change the auth-server-url to https://poolparty-keycloak.domain.org/auth/ in each {admin,ppgs,ppx,ppt}-keycloak.json file.

  3. Change the following properties in /opt/poolparty/config/poolparty.properties:

    1. ppt-url to https://poolparty.domain.org/PoolParty.

    2. If not installed with this domain, also change the baseURIs for the following:

      1. Scheme

      2. Vocabulary

      3. User

  4. Add the following attributes to the Tomcat Connector that you are using in /opt/poolparty/tomcat/conf/server.xml:

    1. secure="true"

    2. scheme="https"

    3. SSLEnabled="true"

    4. keystoreFile="/opt/poolparty/certs/poolparty.jks"

    5. keystorePass="password"

    6. keystoreType="PKCS12"
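A check for the Keycloak and Tomcat settings from the two sections above, added here as an example (it is not PoolParty's or Keycloak's own tooling). It assumes the paths and hostname used on this page and takes the file contents as strings; the sample keycloak.conf is constructed.

```python
import xml.etree.ElementTree as ET

# Values the procedure above requires in keycloak.conf (hostname is site-specific).
REQUIRED_KC = {"https-port": "8181",
               "https-key-store-file": "/opt/poolparty/certs/poolparty.jks",
               "hostname": "poolparty-keycloak.domain.org"}
FORBIDDEN_KC = ("http-port", "http-enabled")  # must stay commented out
REQUIRED_CONNECTOR = {"secure": "true", "scheme": "https", "SSLEnabled": "true",
                      "keystoreFile": "/opt/poolparty/certs/poolparty.jks"}

def parse_conf(text):
    """Active key=value pairs of a keycloak.conf body; '#' lines are ignored."""
    active = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            active[key.strip()] = value.strip()
    return active

def check_keycloak_conf(text):
    """Return a list of findings; an empty list means the file matches the procedure."""
    active, findings = parse_conf(text), []
    for key, want in REQUIRED_KC.items():
        if active.get(key) != want:
            findings.append(f"{key}: expected {want!r}, found {active.get(key)!r}")
    if not active.get("https-key-store-password"):
        findings.append("https-key-store-password: not set")
    for key in FORBIDDEN_KC:
        if key in active:  # a plaintext HTTP listener would still be reachable
            findings.append(f"{key}: must be commented out")
    return findings

def check_server_xml(xml_text):
    """Findings for every <Connector> element in a server.xml body."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        for attr, want in REQUIRED_CONNECTOR.items():
            if conn.get(attr) != want:
                findings.append(f"Connector {attr}: expected {want!r}, found {conn.get(attr)!r}")
        if not conn.get("keystorePass"):
            findings.append("Connector keystorePass: not set")
    return findings

# Constructed sample: the dev-mode settings that the procedure above replaces.
DEV_CONF = "http-port=8080\nhttp-enabled=true\nhostname=poolparty-keycloak.domain.org\n"

if __name__ == "__main__":
    for finding in check_keycloak_conf(DEV_CONF):
        print(finding)
```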

Import Certificate into JRE cacerts

  1. Execute the following command:

    keytool -import -alias tomcat -file /opt/poolparty/certs/domain.org.crt -keystore $JAVA_HOME/lib/security/cacerts

  2. Start PoolParty.