NPKD Installation with Wildfly 14

This NPKD Installation guide covers how to install NPKD with Wildfly 14:

Set up Wildfly

Edit /opt/primekey/wildfly/bin/standalone.conf to increase the memory and force using 2048-bit DH keys
1. Increase the memory by setting JAVA_OPTS variable to
  CODE
```
JAVA_OPTS="-Xms2048m -Xmx2048m -XX:MetaspaceSize=192M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
```
2. Force use of 2048-bit DH keys in order to mitigate https://weakdh.org/ by adding the following line:
  CODE
```
JAVA_OPTS="$JAVA_OPTS -Djdk.tls.ephemeralDHKeySize=2048"
```
If an HSM is to be used, add the following patches Wildfly in the file /opt/primekey/wildfly/modules/system/layers/base/sun/jdk/main/module.xml after all paths.
CODE
```
    <path name="sun/security/pkcs11/wrapper"/>
```
Add the MariaDB Java Client mariadb-java-client-2.3.jar into Wildfly directory
Run as primekey

BASH
```
cp mariadb-java-client-2.3.jar /opt/primekey/wildfly/standalone/deployments/
```
Copy the keystore file as /opt/primekey/wildfly/standalone/configuration/keystore/keystore.jks and the trust store as /opt/primekey/wildfly/standalone/configuration/keystore/truststore.jks.
CODE
```
mkdir /opt/primekey/wildfly/standalone/configuration/keystore
cp truststore.jks keystore.jks /opt/primekey/wildfly/standalone/configuration/keystore/
```

Configure Wildfly

Start Wildfly
BASH
```
sudo systemctl restart wildfly
```
Start JBoss CLI on a different terminal to configure data source:
BASH
```
/opt/primekey/wildfly/bin/jboss-cli.sh --connect
```

Add a datasource as follows and make sure to use the right database name, username and password, and the correct date-source name as configured in /opt/primekey/npkd/conf/npkd_deploy.properties:

Run in JBoss CLI

XML

data-source add --name=npkdds --driver-name="mariadb-java-client.jar" --connection-url="jdbc:mysql://127.0.0.1:3306/npkddb" --jndi-name="java:/NpkdDS" --use-ccm=true --driver-class="org.mariadb.jdbc.Driver" --user-name="npkd" --password="npkd" --validate-on-match=true --background-validation=false --prepared-statements-cache-size=50 --share-prepared-statements=true --min-pool-size=5 --max-pool-size=150 --pool-prefill=true --transaction-isolation=TRANSACTION_READ_COMMITTED --check-valid-connection-sql="select 1;"
:reload

If the data source was configured successfully, the output will be similar to:

CODE

"outcome" => "success"

Configure logging

CODE

/subsystem=logging/logger=se.primekey.npkd:add(level=INFO)
/subsystem=logging/logger=org.cesecore:add(level=INFO)

The logging level can be later changed if needed:

CODE

/subsystem=logging/logger=se.primekey.npkd:write-attribute(name=level, value=DEBUG)
/subsystem=logging/logger=org.cesecore:write-attribute(name=level, value=DEBUG)

Remove existing TLS and HTTP configuration

CODE

/subsystem=undertow/server=default-server/http-listener=default:remove()
/subsystem=undertow/server=default-server/https-listener=https:remove()
/socket-binding-group=standard-sockets/socket-binding=http:remove()
/socket-binding-group=standard-sockets/socket-binding=https:remove()
:reload

Configure WildFly Remoting

CODE

/subsystem=remoting/http-connector=http-remoting-connector:remove
/subsystem=remoting/http-connector=http-remoting-connector:add(connector-ref="remoting",security-realm="ApplicationRealm")
/socket-binding-group=standard-sockets/socket-binding=remoting:add(port="4447")
/subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting)
:reload

Add interfaces and sockets

CODE

/interface=http:add(inet-address="0.0.0.0")
/interface=httpspub:add(inet-address="0.0.0.0")
/interface=httpspriv:add(inet-address="0.0.0.0")
/socket-binding-group=standard-sockets/socket-binding=http:add(port="8080",interface="http")
/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442",interface="httpspub")
/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface="httpspriv")
:reload

Configure TLS

CODE

/subsystem=elytron/key-store=httpsKS:add(path="keystore/keystore.jks",relative-to=jboss.server.config.dir,credential-reference={clear-text="serverpwd"},type=JKS)
/subsystem=elytron/key-store=httpsTS:add(path="keystore/truststore.jks",relative-to=jboss.server.config.dir,credential-reference={clear-text="changeit"},type=JKS)
/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={clear-text="serverpwd"})
/subsystem=elytron/trust-manager=httpsTM:add(key-store=httpsTS)
/subsystem=elytron/server-ssl-context=httpspub:add(key-manager=httpsKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-context=httpspriv:add(key-manager=httpsKM,protocols=["TLSv1.2"],trust-manager=httpsTM,need-client-auth=true,authentication-optional=false,want-client-auth=true)

Add HTTP(S) listeners:

CODE

/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding="http", redirect-socket="httpspriv")
/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding="httpspub", ssl-context="httpspub", max-parameters=2048)
/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding="httpspriv", ssl-context="httpspriv", max-parameters=2048)
:reload

Exit the JBoss CLI:
CODE
```
exit
```
Restart Wildfly
CODE
```
sudo systemctl restart wildfly
```
Connect to the JBoss CLI again to continue configuration
CODE
```
/opt/primekey/wildfly/bin/jboss-cli.sh --connect
```

Optionally increase the maximum Wildfly upload size (default is 10MB)

CODE

/subsystem=undertow/server=default-server/https-listener=httpspriv/:write-attribute(name=max-post-size,value=209715200)

Finalize Wildfly configuration with some important items:

CODE

/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)
/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)
/system-property=org.apache.catalina.connector.URI_ENCODING:add(value="UTF-8")
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)
/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)
/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)
:reload

Since some transactions (like full listing download or rerunning revocation checks) can take a lot of time, default-timeout should be increased from default value 300 seconds. Recommended is half an hour.
CODE
```
/subsystem=transactions:write-attribute(name="default-timeout", value="1800")
```
Exit the CLI
CODE
```
exit
```
Restart Wildfly
CODE
```
sudo systemctl restart wildfly
```

Deploy NPKD

Edit /opt/primekey/npkd/conf/npkd_deploy.properties and set the following properties (please adjust the database properties if not using MariaDB)
CODE
```
datasource.jndi-name=NpkdDS
datasource.jndi-name-prefix=java:/
database.name=mysql
database.driver=org.mariadb.jdbc.Driver
```
Also set appserver.home as your Wildfly installation directory.
Deploy NPKD:
BASH
```
cd /opt/primekey/npkd
ant deploy-ear
```
Make sure that Wildfly deployed without errors
Restart Wildfly:
BASH
```
sudo systemctl restart wildfly
```

Verify that NPKD has deployed correctly:

BASH

tail -n20 /opt/primekey/wildfly/standalone/log/server.log | grep "npkd.ear"

Install your SuperAdmin certificate in the web browser.
Connect to NPKD in the web browser using the URL: https://localhost:8443/npkd
The first time you login to the system, the following message is shown: "Access Control Module is NOT initialized. Error accessing NPKD <SUBJECT DN> is not authorized to access the NPKD GUI". Click Register.
Confirm by clicking Yes in the pop-up window.
Re-load/refresh the browser.