...
After the container is built, you can execute (run) the Kiuwan container in debug mode by issuing the following command:

    docker run --rm --name <my_container_name> \
      -h <my_container_host_name> \
      -v <server_host_mount_dir:container_mount_dir> \
      -p <ssh_port_ext>:22 \
      -d \
      <image_name:version>
Step 5. (Optional) Running Kiuwan On Premise on HTTPS
If you need to run Kiuwan On Premise over HTTPS, follow the steps below.
Step 5.1 Create your KOP SSL configuration file
SSL is currently configured by creating a configuration file (ssl.custom) in the ssl directory.
There is a file (ssl.tpl) you can use as a template for your own settings.
- cd ssl
- Create the ssl.custom file by copying the template file:
  - cp ssl.tpl ssl.custom
- Edit the properties in ssl.custom and change the default values:
Property Name | Default value | Meaning |
---|---|---|
Commons | | |
SSL_O | Your Organization | |
SSL_LOCALITY | Your Locality | |
SSL_STATE | Your State | |
SSL_COUNTRY | Your Country | |
SSL_OU | Your Organization Unit | |
Keystore | | |
SSL_KS_PWD | | Password for Keystore that will be created |
Aliases | | |
SSL_ALIAS | wildfly | Alias of the Certificate to be created. |
HTTPS_PORT | 443 | HTTPS port |
Step 5.2 Create the Private key and Certificate Signing Request (CSR) for your server
- Within the ssl directory, execute the script CreateKey_and_ReqCSR.sh
  - This script generates the CSR file under ssl/certs
  - The file is named <yourhost.yourdomain.com>.csr, according to the $KIUWAN_HOST configuration property
- Send the CSR file to your CA (Certificate Authority)
- The CA will send you back two files:
  - the CA's certificate file (IMPORTANT: rename it to ca.crt)
  - your host's certificate file, for example yourhost.yourdomain.com.crt
- Copy the received files to the ssl/certs directory
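Before moving on to Step 5.3, it is worth checking that the files returned by the CA actually fit together. The script below is an added example, not one of the Kiuwan scripts; the function name check_kop_certs is hypothetical, and the private key path is passed in by the caller because the page does not name the key file.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check of the files copied into ssl/certs.
# Assumption: the key file path is supplied by the caller (the page does not name it).
# Usage: check_kop_certs <ca.crt> <host.crt> <host.key> <KIUWAN_HOST>
# Prints one line per failed check; returns 0 only when every check passes.
check_kop_certs() {
    local ca="$1" crt="$2" key="$3" host="$4" rc=0 f crt_pub key_pub

    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 2; }
    done

    # 1. The host certificate must chain to the CA certificate saved as ca.crt.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "chain: $crt does not verify against $ca"; rc=1; }

    # 2. The certificate must carry the public key of the key that produced the CSR.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "key: $key is not the private key for $crt"; rc=1
    fi

    # 3. The name browsers will use (KIUWAN_HOST) must match the SAN, or the CN if no SAN.
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match certificate" ||
        { echo "name: $crt is not valid for $host"; rc=1; }

    # 4. The certificate must not already be expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "expiry: $crt has expired"; rc=1; }

    return "$rc"
}

# Run the checks when called with four arguments, e.g.:
#   ./check_kop_certs.sh certs/ca.crt certs/<host>.crt <path-to-key> <KIUWAN_HOST>
if [ "$#" -eq 4 ]; then
    check_kop_certs "$@"
fi
```

Current browsers match the host name against the subjectAltName only, so a certificate that passes check 3 through its CN alone will still be rejected by the browser.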
Step 5.3 Create the Keystore and switch from HTTP to HTTPS
- Within the ssl directory, execute the script TransferFilesToContainer.sh
  - This script transfers your server's certificate, your private key and the CA's certificate to the KOP container
  - It also transfers the script templates that will be used to create the keystore and to change the configuration from HTTP to HTTPS
- Within the ssl directory, execute the script run_create_Keystore.sh
  - This script executes (inside the container) the script create_Keystore.sh (created from the template create_Keystore.tpl)
- Within the ssl directory, execute the script run_change_ToHTTPS.sh
  - This script stops the wildfly service and executes the script change_ToHTTPS.sh (created from the template change_ToHTTPS.tpl), which saves a copy of each file it modifies with a .rollback extension
  - Then it starts the wildfly service
Step 5.4 If you are using your own CA, make it trusted by your browsers and Java
If the certificate is signed by your own Certification Authority, browsers will not recognize it as a valid CA and you will get an error message such as:
Your connection is not private
Attackers might be trying to steal your information from yourhost.yourdomain.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_AUTHORITY_INVALID
To solve this issue, import your CA certificate into your browser:
- In Chrome: Configuration >> Settings >> Advanced >> Manage certificates >> Import (ca.crt) into "Trusted root certification entity store"
To make Java trust the CA as well, log in to the KOP container and execute the following commands:
- cd /opt/jdk1.8.0_141/jre/lib/security/
- supervisorctl stop wildfly
- cp cacerts cacerts.bck.original
- keytool -import -noprompt -alias root -keystore cacerts -trustcacerts -file /<kiuwan_vol>/configurations/ssl/ca.crt -storepass changeit
  - NOTE: change <kiuwan_vol> to the value of $KIUWAN_VOL (as configured in settings.custom)
- supervisorctl start wildfly
Then log in to your docker server and make the above changes persistent (i.e. keep them after the container is restarted):
- docker commit <kop docker name> <kop docker image>
  - NOTE: run 'docker ps' to get the NAMES and IMAGE values of your KOP container
Rollback to HTTP
- Log in to your docker server and go to your installation directory ($KOP_INSTDIR)
- cd ssl
- Execute the script run_rollback_HTTPS.sh
After execution, KOP returns to the configuration it had before run_change_ToHTTPS.sh was executed.
Step 6. Accessing Kiuwan On Premise
KOP URL
Once the Kiuwan On Premise container is running, you can access it from a browser at the following URL:
http[s]://<KIUWAN_HOST>:<KIUWAN_PORT>/saas
where KIUWAN_HOST and KIUWAN_PORT match the values of those properties as configured in settings.custom
KOP built-in users
KOP comes with the following built-in users.
- kiuwanadmin (password: kiuwanadmin)
  - access to Kiuwan "functional" administration modules such as Users, Applications and Model Management (see Admin Guide)
  - log in as kiuwanadmin to create users of your KOP instance
- sysadmin (password: sysadmin)
  - log in as sysadmin to access functionalities related to monitoring and tuning KOP execution
  - sysadmin gives you access to the KOP sysconsole
Advanced Configuration
As specified above, the settings.custom file allows you to set most (but not all) configuration parameters.
...