This article walks you through installing and setting up WebPasswordSafe v1.3 (WPS) on CentOS 7/RHEL 7. WPS is a password vault/manager with many enterprise features, including but not limited to authentication via RSA token and very good auditing facilities, which include the reports below along with many access control features.
- Users/Groups Reports
- Password Access/Expiration/Permissions Reports
- Current Passwords Export
The prerequisites are as follows.
- Java JDK8 or later with JCE (** Version 9 is NOT compatible with WPS 1.3 **)
- Tomcat 7.0.92 or later
- MariaDB-server 10.1.37 or later
- mysql-connector-java 5.1.25 or later
1) Java Install
Let's start by installing Java; skip this step if you already have it installed. Download the Java package into the “/opt” directory
# cd /opt
# wget --no-cookies --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "https://download.oracle.com/otn-pub/java/jdk/8u192-b12/750e1c8617c5452694857ad95c3ee230/jdk-8u192-linux-x64.tar.gz"
# tar zxvf jdk-8u192-linux-x64.tar.gz
Now configure Java using alternatives
# alternatives --install /usr/bin/java java /opt/jdk1.8.0_192/bin/java 2
Select the newly installed Java version.
# alternatives --config java
There is 1 program that provides 'java'.
Selection Command
-----------------------------------------------
*+ 1 /opt/jdk1.8.0_192/bin/java
Enter to keep the current selection[+], or type selection number: 1
Now go ahead and configure javac and jar command paths
# alternatives --install /usr/bin/jar jar /opt/jdk1.8.0_192/bin/jar 2
# alternatives --install /usr/bin/javac javac /opt/jdk1.8.0_192/bin/javac 2
# alternatives --set jar /opt/jdk1.8.0_192/bin/jar
# alternatives --set javac /opt/jdk1.8.0_192/bin/javac
Running java -version should now report the installed version
# java -version
java version "1.8.0_192"
Java(TM) SE Runtime Environment (build 1.8.0_192-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.192-b12, mixed mode)
2) Tomcat Install
# useradd -u 5007 -s /sbin/nologin -c "Tomcat" _tomcat
# wget http://www-us.apache.org/dist/tomcat/tomcat-7/v7.0.92/bin/apache-tomcat-7.0.92.tar.gz
# tar zxvf apache-tomcat-7.0.92.tar.gz -C /opt/
Create a softlink to a generic tomcat folder
# ln -s /opt/apache-tomcat-7.0.92 /opt/tomcat
Create the CATALINA_BASE directory and its subdirectories
# mkdir -p /opt/webpasswordsafe/catalina_base
# cd /opt/webpasswordsafe/catalina_base
# mkdir bin conf logs webapps work temp
# chown _tomcat logs webapps work temp
Now create the setenv.sh file in which JAVA_HOME is set
# vi /opt/webpasswordsafe/catalina_base/bin/setenv.sh
JAVA_HOME=/opt/jdk1.8.0_192
Copy the server.xml and web.xml files to the catalina_base directory and then set the right ownership for the files
# cp /opt/apache-tomcat-7.0.92/conf/server.xml /opt/webpasswordsafe/catalina_base/conf/
# cp /opt/apache-tomcat-7.0.92/conf/web.xml /opt/webpasswordsafe/catalina_base/conf/
# chmod -R 644 /opt/webpasswordsafe/catalina_base/conf/*
# chown -R _tomcat:_tomcat /opt/webpasswordsafe/catalina_base/
Let's create the init file for Tomcat to work with WPS
# vi /etc/init.d/wps
#!/bin/bash
#
# Init file for buildserver tomcat
#
# chkconfig: 35 99 10
# description: BuildServer Tomcat
#
# source function library
. /etc/rc.d/init.d/functions

RETVAL=0
prog="tomcat manager for password"
SVC_SCRIPT=/opt/tomcat/bin/catalina.sh
SVC_START_ARGS="start"
SVC_STOP_ARGS="stop"
SVC_USER="_tomcat"
ECHO=/bin/echo
SUDO=/usr/bin/sudo
RUNUSER=/sbin/runuser

# All Configs and Apps are deployed in this directory
export CATALINA_BASE=/opt/webpasswordsafe/catalina_base
# Tomcat Install directory
export CATALINA_HOME=/opt/tomcat

start()
{
    $ECHO -n $"Starting $prog: "
    # Use runuser instead of daemon()
    $RUNUSER -s /bin/bash -m -c "$SVC_SCRIPT $SVC_START_ARGS" "$SVC_USER" && success || failure
    RETVAL=$?
}

stop()
{
    $ECHO -n $"Stopping $prog: "
    # Stop as the service user as well: catalina.sh sources bin/setenv.sh,
    # which _tomcat owns, so it must not be run as root
    $RUNUSER -s /bin/bash -m -c "$SVC_SCRIPT $SVC_STOP_ARGS" "$SVC_USER" && success || failure
    RETVAL=$?
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart}"
        RETVAL=1
        ;;
esac
exit $RETVAL
Make it executable and enable the service at boot.
# chmod +x /etc/init.d/wps
# systemctl enable wps
Now start wps service
# systemctl start wps
Verify the status
# systemctl status wps
Output:
# systemctl status wps
● wps.service - SYSV: BuildServer Tomcat
Loaded: loaded (/etc/rc.d/init.d/wps; bad; vendor preset: disabled)
Active: active (running) since Fri 2018-12-21 10:09:38 GMT; 3 days ago
Docs: man:systemd-sysv-generator(8)
Process: 7600 ExecStart=/etc/rc.d/init.d/wps start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/wps.service
└─7651 /opt/jdk1.8.0_192/bin/java -Dnop -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Dignore.endorsed.dirs= -classpath /opt/tomcat/b...
Dec 21 10:09:37 wps01.off.local systemd[1]: Starting SYSV: BuildServer Tomcat...
Dec 21 10:09:37 wps01.off.local runuser[7620]: pam_unix(runuser:session): session opened for user _tomcat by (uid=0)
If you run into any issues, check the log file at
/opt/webpasswordsafe/catalina_base/logs/catalina.out
The setup also requires you to install and configure MariaDB and its connector for Java.
3) MariaDB Install
Follow this guide for MariaDB server Install and Setup
3(a) Java connector config for mysql
After MariaDB setup is completed, please proceed with mysql-connector setup and config
# yum -y install mysql-connector-java
Copy the MySQL connector JAR to the Tomcat lib directory
# cp /usr/share/java/mysql-connector-java.jar /opt/apache-tomcat-7.0.92/lib/
3(b) MariaDB config for WPS
Now create the database needed with the required permissions.
Generate a random password for the db creation
# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n24 | head -n1
Output:
# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n24 | head -n1
o9ApgSiBjUV8ZvSDm6sFCv3Y -- Use the generated 'PASSWORD' for db connection
Log in to MariaDB and run the following commands
# mysql -u root -p
mysql> create database webpasswordsafe;
mysql> create user wps@localhost identified by 'PASSWORD';
mysql> grant all privileges on webpasswordsafe.* to wps@localhost;
mysql> grant usage on webpasswordsafe.* to wps@localhost;
mysql> flush privileges;
mysql> exit
4) WPS config
Now for the last part of the WPS setup. Stop the Tomcat WPS daemon if it's running, then download the WAR file for WPS and rename it
# systemctl stop wps
# cd /opt/webpasswordsafe/catalina_base/webapps/
# wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/webpasswordsafe/webpasswordsafe-sample-1.3.war
# mv webpasswordsafe-sample-1.3.war wps.war
Start the Tomcat WPS service again and check its status for any errors
# systemctl start wps && systemctl status wps
Let's configure WPS so that it can connect to the db. Add/amend the lines below in “/WEB-INF/encryption.properties”
# vi /opt/webpasswordsafe/catalina_base/webapps/wps/WEB-INF/encryption.properties
# set db user key
jdbc.username=wps
jdbc.password=PASSWORD
# MySQL/MariaDB settings
hibernate.dialect=org.hibernate.dialect.MySQL5InnoDBDialect
jdbc.driverClassName=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://localhost:3306/webpasswordsafe
jdbc.validationQuery=select 1
Restart the Tomcat WPS daemon and you should be done now.
# systemctl restart wps && systemctl status wps
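An added check, not part of the original guide or of the WPS project: the script below audits the CATALINA_BASE layout built above. It flags an encryption.properties that other users can access or that still carries the PASSWORD placeholder, and a setenv.sh or conf/*.xml that is group- or world-writable. The function names are made up for this example, and it assumes GNU stat as shipped with CentOS 7.

```bash
#!/bin/bash
# Added example (not from the original guide): permission audit for the
# CATALINA_BASE layout used above. Assumes GNU stat (CentOS 7 coreutils).

# True when FILE ($1) has any permission bit of the octal MASK ($2) set.
has_bits() {
    [ $(( 0$(stat -c '%a' "$1") & 0$2 )) -ne 0 ]
}

# Print one finding per line; return 1 if there were any, 0 otherwise.
audit_wps_base() {
    local base="$1" rc=0 f
    local props="$base/webapps/wps/WEB-INF/encryption.properties"

    if [ -f "$props" ]; then
        # jdbc.password sits here in clear text: no access for "other".
        if has_bits "$props" 007; then
            echo "WORLD-ACCESSIBLE secret file: $props"; rc=1
        fi
        # The guide's literal placeholder must have been replaced.
        if grep -Eq '^jdbc\.password=(PASSWORD)?[[:space:]]*$' "$props"; then
            echo "PLACEHOLDER or empty jdbc.password: $props"; rc=1
        fi
    else
        echo "MISSING: $props"; rc=1
    fi

    # catalina.sh sources setenv.sh, and server.xml/web.xml define the
    # connectors and servlets: only the owner may write to them.
    for f in "$base"/bin/setenv.sh "$base"/conf/*.xml; do
        [ -f "$f" ] || continue
        if has_bits "$f" 022; then
            echo "GROUP/WORLD-WRITABLE: $f"; rc=1
        fi
    done
    return $rc
}

# Audit the directory given on the command line, if any.
[ $# -eq 0 ] || audit_wps_base "$@"
```

Run it as root with /opt/webpasswordsafe/catalina_base as the argument; it exits non-zero whenever it prints a finding.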
That’s it! You should now have a fully working WPS setup at the URL below and can start pushing your SUPER Secret stuff into it !!
(http://your-hostname-or-ip:8080/wps/)
Default Credentials:
Username: admin
Password: admin
If you are using this in production, it's best to secure it. Follow this guide to enable HTTPS on WPS.
Please do let us know if you come across any issues and we will try to help resolve as soon as we can.