
NPKD Installation with Wildfly 10

This guide covers how to install NPKD on Wildfly 10:

Set up Wildfly

  1. Edit /opt/primekey/wildfly/bin/standalone.conf to increase the JVM heap and to force 2048-bit DH keys

    1. Increase the memory by setting the JAVA_OPTS variable to

      CODE
      JAVA_OPTS="-Xms2048m -Xmx2048m -Djava.net.preferIPv4Stack=true"
    2. Force the use of 2048-bit ephemeral DH keys, which mitigates the weak-DH (Logjam) attack described at https://weakdh.org/, by adding the following line:

      CODE
      JAVA_OPTS="$JAVA_OPTS -Djdk.tls.ephemeralDHKeySize=2048"
  2. If an HSM is to be used, add the following path entries to the Wildfly module file /opt/primekey/wildfly/modules/system/layers/base/sun/jdk/main/module.xml, after the existing paths. They expose the JDK's PKCS#11 packages to the deployment so the HSM can be reached through the SunPKCS11 provider.

    CODE
        <path name="sun/security/pkcs11"/>
        <path name="sun/security/pkcs11/wrapper"/>
  3. Add the MariaDB Java Client jar (mariadb-java-client-1.5.2.jar) to the Wildfly deployments directory. Wildfly registers a deployed JDBC driver under the jar's file name, which is the driver name used in the data source below.

    Run as primekey

    BASH
    cp mariadb-java-client-1.5.2.jar /opt/primekey/wildfly/standalone/deployments/
    
  4. Copy the keystore file to /opt/primekey/wildfly/standalone/configuration/keystore/keystore.jks and the trust store to /opt/primekey/wildfly/standalone/configuration/keystore/truststore.jks. The keystore holds the server's TLS private key, so make both files owned by, and readable only by, the user account Wildfly runs under.

    CODE
    mkdir /opt/primekey/wildfly/standalone/configuration/keystore
    cp truststore.jks keystore.jks /opt/primekey/wildfly/standalone/configuration/keystore/

Configure Wildfly

  1. Start Wildfly

    BASH
    sudo systemctl restart wildfly
  2. Start the JBoss CLI in a different terminal to configure the data source:

    BASH
    /opt/primekey/wildfly/bin/jboss-cli.sh --connect
  3. Add a data source as follows. Use the right database name, username and password (the npkd/npkd values below are placeholders) and the JNDI name configured in /opt/primekey/npkd/conf/npkd_deploy.properties. The --driver-name must be the file name of the driver jar deployed above, because that is the name Wildfly gives a deployed JDBC driver. Note that everything typed at the interactive CLI prompt, including these passwords, is saved in the user's ~/.jboss-cli-history file:

    Run in JBoss CLI

    CODE
    data-source add --name=npkdds --driver-name="mariadb-java-client-1.5.2.jar" --connection-url="jdbc:mysql://127.0.0.1:3306/npkddb" --jndi-name="java:/NpkdDS" --use-ccm=true --driver-class="org.mariadb.jdbc.Driver" --user-name="npkd" --password="npkd" --validate-on-match=true --background-validation=false --prepared-statements-cache-size=50 --share-prepared-statements=true --min-pool-size=5 --max-pool-size=150 --pool-prefill=true --transaction-isolation=TRANSACTION_READ_COMMITTED --check-valid-connection-sql="select 1;"
    :reload

    If the data source was configured successfully, the output will be similar to:

    CODE
    "outcome" => "success"
  4. Configure Wildfly remoting

    CODE
    /subsystem=remoting/http-connector=http-remoting-connector:remove
    /subsystem=remoting/http-connector=http-remoting-connector:add(connector-ref="remoting",security-realm="ApplicationRealm")
    /socket-binding-group=standard-sockets/socket-binding=remoting:add(port="4447")
    /subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting)
    :reload
  5. Configure logging

    CODE
    /subsystem=logging/logger=se.primekey.npkd:add
    /subsystem=logging/logger=se.primekey.npkd:write-attribute(name=level, value=INFO)
    /subsystem=logging/logger=org.cesecore:add
    /subsystem=logging/logger=org.cesecore:write-attribute(name=level, value=INFO)
  6. Remove the existing HTTP and TLS listeners and their socket bindings (they are recreated below with the required settings)

    CODE
    /subsystem=undertow/server=default-server/http-listener=default:remove
    /subsystem=undertow/server=default-server/https-listener=https:remove
    /socket-binding-group=standard-sockets/socket-binding=http:remove
    /socket-binding-group=standard-sockets/socket-binding=https:remove
    :reload
  7. Configure the network interfaces and the plain HTTP listener, which redirects to the private TLS listener. The interfaces below bind to all addresses (0.0.0.0); if the client-certificate (httpspriv) listener on port 8443 should only be reachable from an administrative network, set the httpspriv interface to that address instead.

    CODE
    /interface=http:add(inet-address="0.0.0.0")
    /interface=httpspub:add(inet-address="0.0.0.0")
    /interface=httpspriv:add(inet-address="0.0.0.0")
    /socket-binding-group=standard-sockets/socket-binding=http:add(port="8080",interface="http")
    /subsystem=undertow/server=default-server/http-listener=http:add(socket-binding=http)
    /subsystem=undertow/server=default-server/http-listener=http:write-attribute(name=redirect-socket, value="httpspriv")
    :reload
  8. Configure the TLS identities and socket bindings. Replace the keystore passwords (serverpwd and changeit below) with the real ones and make sure the alias matches the server certificate in keystore.jks. Since the httpspriv listener requires client certificates, truststore.jks must contain the CA that issued the client (SuperAdmin) certificates:

    CODE
    /core-service=management/security-realm=SSLRealm:add()
    /core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path="${jboss.server.config.dir}/keystore/keystore.jks", keystore-password="serverpwd", alias="localhost")
    /core-service=management/security-realm=SSLRealm/authentication=truststore:add(keystore-path="${jboss.server.config.dir}/keystore/truststore.jks", keystore-password="changeit")
    /socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface="httpspriv")
    /socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442", interface="httpspub")
  9. Exit the JBoss CLI:

    CODE
    exit
  10. Restart Wildfly

    CODE
    sudo systemctl restart wildfly
  11. Connect to the JBoss CLI again to continue configuration

    CODE
    /opt/primekey/wildfly/bin/jboss-cli.sh --connect
  12. Continue configuring TLS

    CODE
    /subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding=httpspriv, security-realm="SSLRealm", verify-client=REQUIRED)
    /subsystem=undertow/server=default-server/https-listener=httpspriv:write-attribute(name=max-parameters, value="2048")
    /subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding=httpspub, security-realm="SSLRealm")
    /subsystem=undertow/server=default-server/https-listener=httpspub:write-attribute(name=max-parameters, value="2048")
    :reload
  13. Optionally increase the maximum request body size the private listener accepts (max-post-size; the default is 10485760 bytes, i.e. 10 MB; the value below is 200 MB)

    CODE
    /subsystem=undertow/server=default-server/https-listener=httpspriv:write-attribute(name=max-post-size,value=209715200)
  14. Finalize Wildfly configuration with some important items:

    CODE
    /system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)
    /system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)
    /system-property=org.apache.catalina.connector.URI_ENCODING:add(value="UTF-8")
    /system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)
    /subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)
    /subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)
    :reload
  15. Some transactions (such as a full listing download or rerunning revocation checks) can take a long time, so the transaction default-timeout should be raised from its default of 300 seconds. Half an hour (1800 seconds) is recommended.

    CODE
    /subsystem=transactions:write-attribute(name="default-timeout", value="1800")
  16. Exit the CLI

    CODE
    exit
  17. Restart Wildfly

    CODE
    sudo systemctl restart wildfly
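The data-source and SSLRealm commands above carry the database and keystore passwords, and everything typed at the interactive CLI prompt ends up in ~/.jboss-cli-history. The script below is an added example, not part of the NPKD or Wildfly documentation: it builds those password-bearing commands from arguments, writes them to a file only the invoking user can read, feeds that file to jboss-cli.sh --file and deletes it afterwards. It can be run in place of the password-bearing commands of steps 3 and 8 (the remaining commands stay as listed above). The WILDFLY_HOME default, the driver jar name and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the NPKD or Wildfly documentation): feed the
# password-bearing CLI commands to jboss-cli.sh from a 0600 temporary file
# instead of typing them at the prompt, so they are not recorded in
# ~/.jboss-cli-history. Paths and names below are assumptions.
set -eu

WILDFLY_HOME="${WILDFLY_HOME:-/opt/primekey/wildfly}"

# Print the CLI commands for the data source (step 3) and the SSLRealm
# identities (step 8). Arguments:
#   1 driver jar name (the deployed jar's file name, e.g. mariadb-java-client-1.5.2.jar)
#   2 JDBC URL   3 database user   4 database password
#   5 keystore password   6 truststore password   7 key alias in keystore.jks
build_cli_script() {
  driver_jar=$1; db_url=$2; db_user=$3; db_password=$4
  keystore_password=$5; truststore_password=$6; key_alias=$7
  # ${jboss.server.config.dir} is a Wildfly expression, so it is escaped
  # from shell expansion here and reaches the CLI verbatim.
cat <<EOF
data-source add --name=npkdds --driver-name="$driver_jar" --connection-url="$db_url" --jndi-name="java:/NpkdDS" --use-ccm=true --driver-class="org.mariadb.jdbc.Driver" --user-name="$db_user" --password="$db_password" --validate-on-match=true --background-validation=false --prepared-statements-cache-size=50 --share-prepared-statements=true --min-pool-size=5 --max-pool-size=150 --pool-prefill=true --transaction-isolation=TRANSACTION_READ_COMMITTED --check-valid-connection-sql="select 1;"
/core-service=management/security-realm=SSLRealm:add()
/core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path="\${jboss.server.config.dir}/keystore/keystore.jks", keystore-password="$keystore_password", alias="$key_alias")
/core-service=management/security-realm=SSLRealm/authentication=truststore:add(keystore-path="\${jboss.server.config.dir}/keystore/truststore.jks", keystore-password="$truststore_password")
:reload
EOF
}

# Write the commands to a temporary file readable only by the current user
# (mktemp creates it with mode 0600; the umask guards the redirection too)
# and print its path. The caller is responsible for removing it.
write_cli_script() {
  script=$(umask 077 && mktemp "${TMPDIR:-/tmp}/npkd-cli.XXXXXX")
  build_cli_script "$@" > "$script"
  printf '%s\n' "$script"
}

# Run the generated commands through the non-interactive CLI and remove the
# file afterwards, also on error, so the passwords do not linger on disk.
run_cli_script() {
  script=$(write_cli_script "$@")
  trap 'rm -f "$script"' EXIT
  "$WILDFLY_HOME/bin/jboss-cli.sh" --connect --file="$script"
  rm -f "$script"
  trap - EXIT
}
```

Usage: `run_cli_script mariadb-java-client-1.5.2.jar jdbc:mysql://127.0.0.1:3306/npkddb npkd "$DB_PASSWORD" "$KEYSTORE_PASSWORD" "$TRUSTSTORE_PASSWORD" localhost`, with the passwords taken from variables rather than typed literally so the shell history does not capture them either. If the passwords were already entered at the interactive prompt, delete ~/.jboss-cli-history for the user that ran the CLI.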

Deploy NPKD

  1. Edit /opt/primekey/npkd/conf/npkd_deploy.properties and set the following properties (adjust the database properties if not using MariaDB):

    CODE
    datasource.jndi-name=NpkdDS
    datasource.jndi-name-prefix=java:/
    database.name=mysql
    database.driver=org.mariadb.jdbc.Driver
  2. Deploy NPKD:

    BASH
    cd /opt/primekey/npkd
    ant deploy-ear

    Make sure that Wildfly deployed the EAR without errors.

  3. Restart Wildfly:

    BASH
    sudo systemctl restart wildfly
  4. Verify that NPKD has deployed correctly. The log should report Deployed "npkd.ear" and no deployment failure for npkd.ear:

    BASH
    tail -n20 /opt/primekey/wildfly/standalone/log/server.log | grep "npkd.ear"
  5. Install your SuperAdmin client certificate in the web browser. The listener on port 8443 requires a client certificate (verify-client=REQUIRED), so the certificate must chain to a CA present in truststore.jks.
  6. Connect to NPKD in the web browser using the URL: https://localhost:8443/npkd

  7. The first time you log in to the system, the following message is shown: "Access Control Module is NOT initialized. Error accessing NPKD <SUBJECT DN> is not authorized to access the NPKD GUI". Click Register.
  8. Confirm by clicking Yes in the pop-up window.
  9. Re-load/refresh the browser.
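Grepping the last 20 log lines (step 4 above) misses a failure that was logged earlier, and a successful-looking line can be followed by a rollback. As an added check that is not part of the NPKD documentation, the script below reads both places Wildfly records a deployment result: the deployment scanner's marker files written next to npkd.ear in the deployments directory (npkd.ear.deployed, npkd.ear.failed, and the in-progress markers) and the whole of server.log. The directory and log paths in the usage are the ones used in this guide; the function names are assumptions and the log lines used for testing are constructed samples in the Wildfly log format.

```shell
#!/bin/sh
# Added example (not from the NPKD documentation): check the result of
# "ant deploy-ear" from the deployment scanner's marker files and from
# server.log, instead of grepping only the last 20 log lines.
# Function names and the sample inputs are assumptions.
set -eu

# Marker files the Wildfly deployment scanner writes beside the EAR.
# Prints one of: failed, deployed, in-progress, missing.
deploy_marker_status() {
  dir=$1; ear=$2
  if [ -f "$dir/$ear.failed" ]; then
    echo failed
  elif [ -f "$dir/$ear.deployed" ]; then
    echo deployed
  elif [ -f "$dir/$ear.isdeploying" ] || [ -f "$dir/$ear.pending" ] || [ -f "$dir/$ear.dodeploy" ]; then
    echo in-progress
  else
    echo missing
  fi
}

# Look at the last log line that mentions the EAR by name, anywhere in the
# log. Prints "deployed" for the Deployed message, "failed" when that line
# reports a failure or rollback, "unknown" when the EAR is not mentioned
# or the last mention is something else (e.g. still starting).
deploy_log_status() {
  log=$1; ear=$2
  last=$(grep -F "\"$ear\"" "$log" | tail -n 1 || true)
  case $last in
    *"Deployed \"$ear\""*) echo deployed ;;
    *failed*|*"rolled back"*) echo failed ;;
    *) echo unknown ;;
  esac
}

# Combine both sources; print the head of the .failed marker (it contains
# the failure description) when present. Returns 0 only when both agree
# the EAR is deployed.
check_npkd_deploy() {
  dir=$1; log=$2; ear=${3:-npkd.ear}
  m=$(deploy_marker_status "$dir" "$ear")
  l=$(deploy_log_status "$log" "$ear")
  echo "marker=$m log=$l"
  if [ "$m" = failed ]; then
    echo "--- $ear.failed ---"
    head -n 5 "$dir/$ear.failed"
  fi
  [ "$m" = deployed ] && [ "$l" = deployed ]
}
```

Usage on the paths from this guide: `check_npkd_deploy /opt/primekey/wildfly/standalone/deployments /opt/primekey/wildfly/standalone/log/server.log`; a non-zero exit means the deployment is not in a good state, and the .failed marker contents point at the cause.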

