Provide Secure Backend for PPT (Linux)
Prerequisites
These are the prerequisites:
- The required Java JDK version is installed (please refer to the PoolParty System Requirements).
- PoolParty is installed.
- Valid certificates are in place (.crt or .pem): either one wildcard certificate for both services (*.domain.org), or one certificate for poolparty.domain.org and one for poolparty-keycloak.domain.org.
In our example we use one certificate (/opt/poolparty/certs/domain.org.crt, /opt/poolparty/certs/domain.org.key) and have PoolParty installed in the /opt/poolparty folder.
Optional: Create a Self-Signed Certificate
Create an /opt/poolparty/certs folder and run the following command in it to create a self-signed certificate:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout selfsigned.key -out selfsigned.crt
Browsers and the JVM match the server name against the certificate's Subject Alternative Name (current browsers ignore the Common Name), so the certificate must cover both hostnames or *.domain.org. The -nodes option leaves the private key unencrypted on disk, so make selfsigned.key readable only by the PoolParty service user. A self-signed certificate is suitable for test systems only; every client, including the PoolParty JVM itself (see the cacerts step below), has to be told to trust it explicitly.
Create a Java Keystore (.JKS)
Keycloak and PoolParty (Tomcat) read their TLS private key and certificate from a Java keystore.
Convert your certificate in PEM format (.crt + .key) into PKCS#12 format by executing the following command. It asks for an export password that protects the .p12 file; if your CA supplied intermediate certificates, include them (openssl pkcs12 accepts them via -certfile) so that clients receive the full chain:
openssl pkcs12 -export -in domain.org.crt -inkey domain.org.key -out domain.org.p12
Then import the PKCS#12 file into a JKS keystore. Run the following in /opt/poolparty/certs; if you use two certificates, convert both and import both into the same keystore under different aliases:
keytool -importkeystore -srckeystore domain.org.p12 -srcstoretype pkcs12 -destkeystore poolparty.jks -deststoretype JKS
keytool asks for the export password of the .p12 file and for a new keystore password. Choose a strong one and note it, because it goes into keycloak.conf and server.xml below. Recent keytool versions print a warning that JKS is a proprietary format and suggest PKCS12; the warning is harmless here.
Adjust the Keycloak Installation
To adjust the Keycloak Installation, do the following:
Make sure everything is stopped with /opt/poolparty/bin/poolparty stop.
Make sure the following properties are set in /opt/poolparty/auth_service/keycloak/conf/keycloak.conf:
https-port=8181
#http-port (comment it out)
https-key-store-file=/opt/poolparty/certs/poolparty.jks
https-key-store-password=password (the password you chose for poolparty.jks, not the literal word)
proxy=reencrypt (only if you run a reverse proxy in front of Keycloak that terminates TLS and re-encrypts towards Keycloak; omit it otherwise)
hostname=poolparty-keycloak.domain.org
#http-enabled=true (comment it out; while it is active Keycloak keeps answering on plaintext HTTP)
keycloak.conf now contains the keystore password in clear text, so restrict the file to the PoolParty service user (mode 600). Keycloak also accepts every option as an environment variable (KC_HTTPS_KEY_STORE_PASSWORD for this one), which keeps the secret out of the file if you prefer to set it in the start script's environment.
Run /opt/poolparty/auth_service/keycloak/bin/kc.sh build.
Run /opt/poolparty/auth_service/keycloak/bin/kc.sh start to check if it starts without any errors.
If it starts without errors (watch the console output for a minute or two, then stop it with Ctrl+C), make the PoolParty start script launch Keycloak the same way:
Make a backup of /opt/poolparty/bin/poolparty with cp /opt/poolparty/bin/poolparty /opt/poolparty/bin/poolparty.bak.
Replace the following line:
nohup ${POOLPARTY_HOME}/auth_service/keycloak/bin/kc.sh start-dev --http-enabled=true --https-key-store-password=secret --hostname-strict=false --http-relative-path /auth --db-pool-initial-size 99 >/dev/null 2>&1 &
with
nohup ${POOLPARTY_HOME}/auth_service/keycloak/bin/kc.sh start --http-relative-path /auth --db-pool-initial-size 99 >/dev/null 2>&1 &
The original line runs Keycloak in development mode (start-dev), keeps plaintext HTTP enabled, switches hostname checking off and passes the keystore password on the command line, where any local user can read it from the process list. The replacement runs production mode (start), which takes the TLS settings and the password from keycloak.conf and refuses to start without a hostname and TLS key material, so a misconfiguration fails loudly instead of silently falling back to HTTP.
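Before restarting, it is worth checking mechanically that both files carry the production settings from the steps above. The following POSIX shell script is an added example, not part of PoolParty or Keycloak: it reads uncommented key=value lines from keycloak.conf, flags the dev-mode leftovers (http-enabled=true, an active http-port, a missing keystore or hostname, a placeholder keystore password) and greps the start script for start-dev, plaintext HTTP and a password on the command line. The paths in the usage line are the ones used on this page; the placeholder password list is an assumption.

```shell
#!/bin/sh
# Added example (not part of PoolParty): sanity-check keycloak.conf and the
# PoolParty start script for the production settings described above.
# Exit status 0 means the file passed; findings are reported on stderr.

# Print the value of an uncommented "key = value" line (last one wins), or nothing.
kc_get() {
    # $1 = conf file, $2 = option name
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# Return 0 when the conf carries the HTTPS-only settings, 1 otherwise.
check_keycloak_conf() {
    conf="$1"; rc=0
    if [ "$(kc_get "$conf" http-enabled)" = "true" ]; then
        echo "$conf: http-enabled=true is active, plaintext HTTP stays open" >&2; rc=1
    fi
    if [ -n "$(kc_get "$conf" http-port)" ]; then
        echo "$conf: http-port is set, comment it out" >&2; rc=1
    fi
    if [ -z "$(kc_get "$conf" https-key-store-file)" ]; then
        echo "$conf: https-key-store-file is missing" >&2; rc=1
    fi
    # Placeholder passwords copied from documentation examples (assumed list).
    case "$(kc_get "$conf" https-key-store-password)" in
        ""|password|secret|changeit)
            echo "$conf: https-key-store-password is empty or a placeholder" >&2; rc=1 ;;
    esac
    if [ -z "$(kc_get "$conf" hostname)" ]; then
        echo "$conf: hostname is missing (kc.sh start needs it unless hostname-strict=false)" >&2; rc=1
    fi
    return $rc
}

# Return 0 when the start script launches Keycloak in production mode, 1 when it
# still uses start-dev, plaintext HTTP, or passes the keystore password on the command line.
check_start_script() {
    if grep -qE 'kc\.sh[[:space:]]+start-dev|--http-enabled=true|--https-key-store-password=' "$1" 2>/dev/null; then
        echo "$1: Keycloak is still started in dev mode or with secrets on the command line" >&2
        return 1
    fi
    return 0
}

# Usage: sh check-kc.sh /opt/poolparty/auth_service/keycloak/conf/keycloak.conf /opt/poolparty/bin/poolparty
if [ "$#" -eq 2 ]; then
    check_keycloak_conf "$1" && check_start_script "$2"
fi
```

The checks are deliberately textual: they catch the common copy-paste leftovers, not every possible misconfiguration, so still watch the Keycloak log on the first start.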
Adjust the PoolParty Installation
To adjust the PoolParty installation, do the following:
Make sure everything is stopped with /opt/poolparty/bin/poolparty stop.
In the /opt/poolparty/config/keycloak folder, change auth-server-url to https://poolparty-keycloak.domain.org/auth/ in each of the {admin,ppgs,ppx,ppt}-keycloak.json files. PoolParty's JVM contacts Keycloak at this URL, so the Keycloak certificate must be trusted by that JVM (see the cacerts step below).
Change the following properties in /opt/poolparty/config/poolparty.properties:
ppt-url to https://poolparty.domain.org/PoolParty
If PoolParty was not installed under this domain, also change the base URIs for the following:
Scheme
Vocabulary
User
Add the following attributes to the Tomcat Connector that you are using in /opt/poolparty/tomcat/conf/server.xml:
secure="true"
scheme="https"
SSLEnabled="true"
keystoreFile="/opt/poolparty/certs/poolparty.jks"
keystorePass="password"
keystoreType="JKS"
keystorePass is the password you chose for poolparty.jks. keystoreType must match the file format: the keystore created above is JKS (recent JDKs also open a JKS file when PKCS12 is declared, but state the real type); if you point keystoreFile at domain.org.p12 instead, use keystoreType="PKCS12". As with keycloak.conf, server.xml now contains the keystore password, so keep it readable only by the PoolParty service user.
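For orientation, a complete HTTPS connector with the attributes above in place. This is an added example, not the server.xml shipped with PoolParty: port 8443, the NIO protocol class, the thread and timeout values and the TLS protocol restriction are assumptions, so keep the port and any other settings of the connector you already use (a reverse proxy in front of Tomcat expects the existing port).

```xml
<!-- Added example connector; not from the PoolParty distribution.
     Port, protocol class, maxThreads, connectionTimeout and
     sslEnabledProtocols are assumptions; the TLS attributes are the
     ones required above. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keystoreFile="/opt/poolparty/certs/poolparty.jks"
           keystorePass="password"
           keystoreType="JKS"
           sslEnabledProtocols="TLSv1.2,TLSv1.3" />
```

sslEnabledProtocols limits the connector to TLS 1.2 and 1.3; without it Tomcat falls back to the JVM's defaults, which on older JDKs still include TLS 1.0 and 1.1. Replace the keystorePass value with the real keystore password.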
Import Certificate into JRE cacerts
PoolParty's own JVM connects to Keycloak over HTTPS at the auth-server-url set above, so that JVM must trust the certificate. For a certificate issued by a public CA this step is not needed; for a self-signed or private-CA certificate, import it into the trust store of the Java installation PoolParty runs on:
keytool -import -alias tomcat -file /opt/poolparty/certs/domain.org.crt -keystore $JAVA_HOME/lib/security/cacerts
The alias is arbitrary. keytool asks for the cacerts password, which is changeit unless it was changed, and for confirmation that the certificate is to be trusted. On Java 8, if JAVA_HOME points to a JDK, the file is $JAVA_HOME/jre/lib/security/cacerts. If you use two certificates, import both under different aliases. A Java update replaces cacerts, so repeat the import after upgrading Java.
Start PoolParty.