2017-04-17 17:41:11

PWM Installation on Debian 16.04 Server and tomcat8

My place of work was looking for a way to allow users to set their own passwords. Generally no easy feat when starting from scratch.

Install Ubuntu Server 16.04 LTS

Disconnect ISO and Click Continue
Let's update our package lists and download some necessary utilities first:
sudo apt-get update
sudo apt-get install unzip
Unzip was the only one not installed by default on the server edition, rock on.

Installing Tomcat8

A better tutorial of this section is available here: Installing Apache Tomcat 8 on Ubuntu 16.04.
Let's start off by installing the Java Development Kit.
sudo apt-get install default-jdk
sudo apt-get install tomcat8

Alright, we are ready to start our Tomcat service:
sudo service tomcat8 start
sudo service tomcat8 status

[Screenshot: Status]

sudo systemctl enable tomcat8

This tells the system to start Tomcat at boot.

Assuming your Ubuntu server allows port 8080 inbound, you should be able to access the Tomcat welcome page in your web browser:
http://your_server_IP_address:8080

[Screenshot: Web]
Alright! That's one step down!

Installing Apache

"You might be wondering why you need both Apache2 and Tomcat8. By default, Tomcat listens on alternate ports (8080 and 8443) and was not designed to run natively on privileged ports like 80 and 443. Instead, we will be using Apache2 to proxy a secure connection between the client and Tomcat. Additionally, we will configure Apache2 to redirect all unencrypted HTTP requests to HTTPS."
While this is technically not wrong, it's not the real reason for having both. The reason for Tomcat is: "The Apache Tomcat software is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies."
Here's a snippet of the new config file used by the guide. I'll dissect this section a bit to provide some feedback on what each line does.

[Screenshot: Config]

At first I was confused, as the file under the Apache config folder didn't exist. I talked around IRC for a bit and attempted to figure out why that was the case. After double checking the guide, you can see at the bottom that he tells Apache to use this new config file instead of the default one. To simply test how this works, I decided to tweak the virtual host for now to redirect port 80 requests back to itself using its own hostname on port 8080, just to see if the 80 -> 8080 redirect would work as I had anticipated.

<VirtualHost *:80> - listen on all IPs on this system for port 80 traffic
	#redirect to tomcat - a comment in the config file
	Redirect Permanent / http://pwm:8080 - the redirect rule that sends any plain HTTP request on to the Tomcat service
</VirtualHost> - closing line
As you can see, I commented out all the SSL redirects, as I don't have the certificates ready just yet. However, it will be easy to change once all those requirements are met.
Then

sudo a2dissite 000-default
sudo a2ensite tomcat
sudo service apache2 reload

This basically tells Apache to use our new config file.

Then
In a browser, type in the hostname for http. This time you should get the Tomcat page simply by navigating to the hostname of your server, or whatever A records you have in DNS for this server.
Success: the redirection worked as expected. Now it's time to back up this server as is! Better safe than sorry.

Installing MySQL

Well, I'm assuming we will probably need to use such a feature; even if we don't, it will be nice to know the system is prepared to handle it if we do. So here goes.

sudo apt-get install mysql-server
sudo mysql_secure_installation

During the MySQL installation it asked me to set a root password for MySQL.
[Screenshot: MySQLRootPassword]
This password can be changed once placed into production.
Once done, log in to MySQL and create the PWM database and user account.

sudo mysql --user=root --password
CREATE USER 'pwm'@'localhost' IDENTIFIED BY 'NEW_PWM_DB_PASSWORD';
CREATE DATABASE pwm;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP on pwm.* TO 'pwm'@'localhost';
FLUSH PRIVILEGES;

When creating the pwm user account, the password was set to: PWMMySQLUserPassword
If you messed something up here, no worries!

Resetting SQL User password and permissions

GRANT USAGE ON pwm.* TO 'pwm'@'localhost' IDENTIFIED BY 'NEW_PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX on pwm.* TO 'pwm'@'localhost';
FLUSH PRIVILEGES;

As noted, the guide forgot to grant the INDEX privilege; the PWM web config's database connection test will fail without it.
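As an added example (not from the original post or the guide it follows), here is the sequence I would run to create the PWM database account in one go: the password literals are quoted, the INDEX privilege the section above says is required is included from the start, and a SHOW GRANTS check at the end catches a missing privilege before PWM's own connection test does. The schema name, account name and password placeholders are assumptions.

```sql
-- Added example, not code from the original post.
-- Create the schema PWM will use.
CREATE DATABASE pwm CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

-- The password must be a quoted string literal; an unquoted
-- NEW_PWM_DB_PASSWORD is a syntax error in MySQL.
-- Limiting the account to 'localhost' means it cannot be used over the network.
CREATE USER 'pwm'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- Least privilege: only the statements PWM needs, only on the pwm schema.
-- INDEX is the privilege the guide omits; PWM's connection test fails without it.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX
    ON pwm.* TO 'pwm'@'localhost';
FLUSH PRIVILEGES;

-- Verify before touching PWM: the output should show exactly the privilege
-- list above on `pwm`.* and nothing at the global (*.*) level besides USAGE.
SHOW GRANTS FOR 'pwm'@'localhost';

-- Later password rotation (MySQL 5.7+, which is what Ubuntu 16.04 ships)
-- without re-issuing the GRANT statements:
ALTER USER 'pwm'@'localhost' IDENTIFIED BY 'REPLACE_WITH_NEW_PASSWORD';
```

If SHOW GRANTS lists INDEX, the PWM web configuration's database test has what it needs; if the account shows any privilege on `*.*`, tighten it before going further.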

Installing PWM

*NOTE* DO NOT USE ANY OF THE FEB 09-2017 BUILDS as they are broken.
[Screenshot: Config]

Here's the catch: since we installed Tomcat from the Ubuntu repo, and not from an RPM file (the more proper way to do it), the location of the Tomcat files is different from that given in the guide. Thus, if you attempt to complete the rm command, you'll find the directory is not autocompleting because, frankly, it does not exist.

So where does it exist now? Good question; let's use the find command to find out. :P Pun intended.

[Screenshot: Config]
Ahhh there's that bugger! Soo.

[Screenshot: Config]

[Screenshot: Config]

Well he says that's it for PWM let's see if that's correct!

[Screenshot: Config]
Would ya look at that! Just look at it! Of course, just note this is internal as of now.

I did a staging step here, and came across an issue with the Apache redirect sending traffic to the old server IP instead of going to Tomcat. Double check your Apache rules and make sure they are correct.
I cut out most of my staging stuff (moving to a DMZ zone) as it's beyond the scope of this tutorial.
I set up split DNS for my records, so it was easy for me to route traffic internally vs. externally. Again, this will come down to your own knowledge of your own networks.

I came across an asymmetric routing issue in my network; ensure you know your network paths to prevent this.

The final part now is going to be determining exactly what connections PWM is going to need in order to do LDAP password resets. From a quick review of the firewall (via its fully open rule), all it may need is LDAPS (port 636 TCP).

Configuring PWM

[Screenshot: PWM Guide]
I noticed these commands didn't give the results I expected; after a little research I discovered the proper command to use. I ran the command to grant permissions on the User Accounts OU to the ORBIT/PWM account.
dsacls "ou=UsersNeedingPasswordChanges,dc=domain,dc=com" /I:S /G "DOMAIN\PWM:CA;Reset Password;user"
At the next screen it requested a connection to the LDAP server; the default was port 636, the port the standard defines for LDAPS.

Configure and set up LDAPS. If you have LDAPS configured, good; if not, make sure you have an Enterprise CA, or some sort of CA certificate valid for LDAPS use. There is lots of info online about how to do this. It is beyond the scope of this guide.

Got LDAPs? Yes? Good, good, moving on.

The guide I was following mentioned importing the cert into the java store. I stuck with this option for the time being (for testing).

For now, just set up LocalDB; once we can get into the main config we will change it to use the "remote" database (*cough* localhost). This temporarily uses the DB instance PWM provides natively.
When entering the LDAP Proxy Credentials, use the account you granted password reset rights to earlier. When entering the LDAP Login Root Context, use the OU specified as the first argument of the dsacls command above.

When entering the test user account, I got a local DB issue.
Anyway, clear the field and continue the wizard. (This at least means the permissions applied to the proxy user give it enough rights to change users' passwords.)

Config Password: ConfigPassword
This is for testing only; in a production run, set and store the password securely.

Save config and let the tomcat application restart.

Not sure why the Application URL is blank ¯\_(ツ)_/¯
You'll finally be greeted with the following login page!

I got into the main config area and configured the DB settings, with the config set to LocalDB. (LocalDB is separate from the MySQL instance installed in this guide; it is a native DB provided by PWM and resides within the Tomcat libraries.)

Thanks to terrible documentation, I forgot to add the java mysql drivers.

sudo apt-get install libmysql-java
sudo cp /usr/share/java/mysql-connector-java-5.1.38.jar /var/lib/tomcat8/webapps/ROOT/WEB-INF/lib/

The cp line copies the driver into the PWM web application's library directory under Tomcat.

You may need to reboot, or restart the services, after this.
Log in with an account that is a member of the admin group specified during initial configuration.

Since we used the LocalDB that already exists within the Tomcat lib, it asks us to set the security questions for this account. After answering the questions the page kind of froze, so I re-entered the default URL and was logged in.

Now to configure: click the down arrow next to the username in the upper right of the page, select Configuration Editor, and enter the config password. Let's attempt to connect to the MySQL instance that's local to the server now that we've installed the missing Java MySQL driver.

Settings -> Database (Remote) -> Connection
Database Class:
com.mysql.jdbc.Driver

Database Connection String:
jdbc:mysql://localhost:3306/pwm

Database Username:
pwm

Database Password:
(enter PWM database password)

Database Vendor:
Other

Once that's done, don't forget to change the primary setting from LocalDB to Remote. Check the Services section of the administration page to view the status.

Final Staging

Now that we have successfully installed and tested PWM in our test environment, it's time to do everything in production and finish the final steps, including making the PWM web page accessible from the internet. The first thing we need to do is protect the page with SSL, so that the passwords and secret answers users enter cannot be intercepted by a man in the middle on the network.

SSL Certificate

This requires generating a CSR and having your public CA provider sign it, e.g. using DigiCert with a wildcard cert.

Log into the PWM server, and run the following command to generate a private key and certificate request:
sudo openssl req -new -newkey rsa:2048 -nodes -keyout serverPrivKey.pem -out server.csr
Then on the DigiCert website click on the existing order, scroll down and click the "Get a Duplicate" button.

Enter the CSR info from the request file we just created on the PWM server. Then scroll down and process the request. It will state that the cert will be available in a few minutes; be patient and refresh the page, scroll down, and the duplicate certificate should be available for download.

Once the files have been downloaded, extract them from the zip and copy them to the PWM server using an SCP program.
"A typical Apache installation will involve configuration lines
like these in your <VirtualHost> block:

SSLCertificateFile /your/path/to/star_your_domain.crt
SSLCertificateKeyFile /your/path/to/star_your_domain.key
SSLCertificateChainFile /your/path/to/DigiCertCA.crt"

Sooo

sudo cp serverPrivKey.pem /etc/apache2/ssl/
sudo cp ./certs/DigiCertCA.crt /etc/apache2/ssl/
sudo cp ./certs/your_wildcard_cert.crt /etc/apache2/ssl
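Before those files go into /etc/apache2/ssl, it is worth confirming that the downloaded certificate really belongs to the key the CSR was generated from and that it validates against the CA file you will hand to Apache; a mismatch only shows up as an Apache start-up error or a browser warning later. The following is an added example of that check, not code from the original post or from DigiCert; it assumes the openssl CLI is installed, that the key is RSA (as generated by the openssl req command above), and uses the file names from the post as placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check TLS material before
# copying it into Apache's config directory. Paths are assumptions.

# verify_tls_material KEY CERT CHAIN
# Returns 0 when the key matches the cert, the cert validates against CHAIN
# (plus the system trust store, which supplies a public CA's root), and the
# key file is not readable by other users.
verify_tls_material() {
    key="$1"; cert="$2"; chain="$3"

    # 1. The private key must never be group- or world-readable.
    perms=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$perms" in
        600|400) ;;
        *) echo "FAIL: $key has mode $perms; expected 600" >&2; return 1 ;;
    esac

    # 2. The modulus in the certificate must equal the private key's modulus.
    #    This catches installing a cert against the wrong key (e.g. a CSR that
    #    was regenerated after the order was placed).
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl md5)
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null | openssl md5)
    if [ -z "$key_mod" ] || [ "$key_mod" != "$cert_mod" ]; then
        echo "FAIL: $cert was not issued for the key in $key" >&2; return 1
    fi

    # 3. The leaf must chain to the intermediate/CA file Apache will serve.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not validate against $chain" >&2; return 1
    fi

    echo "OK: key, certificate and chain are consistent"
    return 0
}

# install_tls_material KEY CERT CHAIN DESTDIR
# Copies the three files into DESTDIR with safe modes, only after they verify.
install_tls_material() {
    verify_tls_material "$1" "$2" "$3" || return 1
    mkdir -p "$4"
    install -m 600 "$1" "$4/"
    install -m 644 "$2" "$3" "$4/"
}

# Usage on the PWM server (file names from the post, assumed):
#   chmod 600 serverPrivKey.pem
#   sudo sh -c '. ./tlscheck.sh; install_tls_material serverPrivKey.pem \
#       ./certs/your_wildcard_cert.crt ./certs/DigiCertCA.crt /etc/apache2/ssl'
```

With a public CA the intermediate alone is passed as CHAIN; openssl verify finds the root in the system store, which is the same situation Apache and browsers will be in. The mode check matters because /etc/apache2/ssl is a common place to find a private key that was copied with the default 644.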


Fun reading.

Now it's time to manage the Apache config file. Here are the Apache virtual hosts. The basic idea is: if you access the site via an internal record, it redirects to the internal record on https, which then proxies to the Tomcat page; the other virtual host records are the same but for the public domain records.

Apache Configuration File
vim /etc/apache2/sites-available/tomcat.conf

I came across another issue after making these changes:
No protocol handler was valid for the URL /. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

FIX: sudo a2enmod proxy_http
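Here is an added example of the virtual host layout just described (not the post's own tomcat.conf, nor the guide's): a port 80 host per name that redirects to https for that same name, and one port 443 host that terminates TLS with the DigiCert files from the previous section and proxies to Tomcat on 8080. The hostnames are assumptions; the certificate paths are the ones the post copies into /etc/apache2/ssl. Because the redirects name their target host explicitly rather than echoing the request's Host header, a forged Host header cannot turn them into an open redirect.

```apache
# Added example, not from the original post. /etc/apache2/sites-available/tomcat.conf
# Enable the modules first:
#   sudo a2enmod ssl proxy proxy_http headers
#   sudo a2dissite 000-default && sudo a2ensite tomcat && sudo apache2ctl configtest

# Plain HTTP for the internal record: only redirect, serve nothing.
<VirtualHost *:80>
    ServerName pwm.internal.example
    Redirect permanent / https://pwm.internal.example/
</VirtualHost>

# Plain HTTP for the public record.
<VirtualHost *:80>
    ServerName pwm.example.com
    Redirect permanent / https://pwm.example.com/
</VirtualHost>

# HTTPS for both names (the wildcard cert must cover every name listed here).
<VirtualHost *:443>
    ServerName  pwm.internal.example
    ServerAlias pwm.example.com

    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/your_wildcard_cert.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/serverPrivKey.pem
    # Intermediate CA; on Apache 2.4.8+ this can instead be appended to SSLCertificateFile.
    SSLCertificateChainFile /etc/apache2/ssl/DigiCertCA.crt

    # These pages carry passwords and secret answers: no SSLv3/TLS 1.0/TLS 1.1.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    # Tell browsers to stop trying plain HTTP at all for this host.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Hand everything to Tomcat on the loopback interface only.
    ProxyPreserveHost On
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    # Let the application know the client connection was HTTPS so absolute
    # URLs it builds (e.g. the PWM Application URL) use the right scheme.
    RequestHeader set X-Forwarded-Proto "https"

    ErrorLog  ${APACHE_LOG_DIR}/pwm-error.log
    CustomLog ${APACHE_LOG_DIR}/pwm-access.log combined
</VirtualHost>
```

The "No protocol handler was valid for the URL /" error above is exactly what this file produces when mod_proxy is loaded but mod_proxy_http is not, which is why proxy_http is in the a2enmod line. Port 8080 itself should then be reachable only from the box (firewall it from the LAN) so nobody can bypass the TLS front end.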

After all this, I completed the config setup as posted above, but for production, under the proper proxy redirect rules in the Apache config, and using our DigiCert wildcard certificate.

Next part of the staging is to create a NAT and Security rule to allow external users to access the password changing website.

This comes down to your own network knowledge again.

Once you figure out your NAT and security rules, your PWM page should be live.

To paraphrase the solution:
	1) PWM is a pain to set up.
	2) Lots of reading of poor documentation.
	3) My own documentation sucks because it was hacked together while attempting to learn and deploy this project.
	4) Google any errors along the way.
	5) PWM could still use a fair amount of work, as password policies can be bypassed via the reset account and the forgotten password functionality, as the reset account is not limited to the password policies.


Posted by Aemilianus Kehler