Tag: ejbca

  • Manual EJBCA installation (on AlmaLinux 9.5)

    Manual EJBCA installation (on AlmaLinux 9.5)

    One advantage of a manual installation is that using an HSM is straightforward, because the HSM driver can be installed on the host; the downside is that the installation process is rather tedious.

    • Install the Java environment

      ```
      dnf update
      dnf install java-17-openjdk java-17-openjdk-devel
      ```

    • Download the EJBCA source

      Download WildFly 32.0
      https://www.wildfly.org/downloads/
      EJBCA download
      https://github.com/Keyfactor/ejbca-ce/releases

    • Install WildFly

      ```
      wget https://github.com/wildfly/wildfly/releases/download/32.0.1.Final/wildfly-32.0.1.Final.zip -O /tmp/wildfly-32.0.1.Final.zip
      unzip -q /tmp/wildfly-32.0.1.Final.zip -d /opt/
      ln -snf /opt/wildfly-32.0.1.Final /opt/wildfly
      sed -i '/.*org.jboss.resteasy.resteasy-crypto.*/d' /opt/wildfly/modules/system/layers/base/org/jboss/as/jaxrs/main/module.xml
      rm -rf /opt/wildfly/modules/system/layers/base/org/jboss/resteasy/resteasy-crypto/
      ```

      Replace the file /opt/wildfly/bin/standalone.conf with the following (the `{{ HEAP_SIZE }}` and `{{ TX_NODE_ID }}` placeholders are substituted by the sed commands below):

      ```
      if [ "x$JBOSS_MODULES_SYSTEM_PKGS" = "x" ]; then
         JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman"
      fi

      if [ "x$JAVA_OPTS" = "x" ]; then
         JAVA_OPTS="-Xms{{ HEAP_SIZE }}m -Xmx{{ HEAP_SIZE }}m"
         JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1.2,TLSv1.3"
         JAVA_OPTS="$JAVA_OPTS -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3"
         JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=true"
         JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS"
         JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true"
         JAVA_OPTS="$JAVA_OPTS -Djboss.tx.node.id={{ TX_NODE_ID }}"
         JAVA_OPTS="$JAVA_OPTS -XX:+HeapDumpOnOutOfMemoryError"
         JAVA_OPTS="$JAVA_OPTS -Djdk.tls.ephemeralDHKeySize=2048"
      else
         echo "JAVA_OPTS already set in environment; overriding default settings with values: $JAVA_OPTS"
      fi
      ```

      ```
      # Expose the PKCS#11 wrapper package (needed for HSM access) and fill in the placeholders
      echo -e "\nJAVA_OPTS=\"\$JAVA_OPTS --add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED\"" >> /opt/wildfly/bin/standalone.conf
      sed -i -e 's/{{ HEAP_SIZE }}/2048/g' /opt/wildfly/bin/standalone.conf
      sed -i -e "s/{{ TX_NODE_ID }}/$(od -A n -t d -N 1 /dev/urandom | tr -d ' ')/g" /opt/wildfly/bin/standalone.conf

      cp /opt/wildfly/docs/contrib/scripts/systemd/launch.sh /opt/wildfly/bin
      cp /opt/wildfly/docs/contrib/scripts/systemd/wildfly.service /etc/systemd/system
      mkdir /etc/wildfly
      cp /opt/wildfly/docs/contrib/scripts/systemd/wildfly.conf /etc/wildfly
      systemctl daemon-reload
      useradd -r -s /bin/false wildfly
      chown -R wildfly:wildfly /opt/wildfly-32.0.1.Final/
      systemctl start wildfly
      systemctl stop firewalld
      systemctl disable firewalld
      systemctl enable wildfly
      # Enable remoting; otherwise the EJBCA CLI cannot connect and "ant runinstall" cannot be executed
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=connector-ref,value=remoting)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=remoting:add(port=4447,interface=management)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting,enable-http2=true)'
      /opt/wildfly/bin/jboss-cli.sh --connect ':reload'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.ejbca:add(level=INFO)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.cesecore:add(level=INFO)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=com.keyfactor:add(level=INFO)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/host=default-host/setting=access-log:add(pattern="%h %t \"%r\" %s \"%{i,User-Agent}\"", relative-to=jboss.server.log.dir, directory=access-logs)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=io.undertow.accesslog:add(level=INFO)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/root-logger=ROOT:remove-handler(name=CONSOLE)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/console-handler=CONSOLE:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.cesecore.certificates.ocsp.logging.TransactionLogger:add(use-parent-handlers=false)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.cesecore.certificates.ocsp.logging.TransactionLogger:write-attribute(name=level, value=INFO)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/async-handler=ocsp-tx-async:add(queue-length="100")'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/async-handler=ocsp-tx-async:write-attribute(name=level, value=DEBUG)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/async-handler=ocsp-tx-async:write-attribute(name="overflow-action", value="BLOCK")'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.cesecore.certificates.ocsp.logging.TransactionLogger:add-handler(name=ocsp-tx-async)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/periodic-rotating-file-handler=ocsp-tx:add(autoflush=true, append=true, suffix=".yyyy-MM-dd", file={path=ocsp-tx.log,relative-to=jboss.server.log.dir})'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=logging/async-handler=ocsp-tx-async:add-handler(name=ocsp-tx)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-interval,value=0)'
      ```
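A rendered standalone.conf is easy to break when it is pasted from a web page: the `$` signs in `JAVA_OPTS="$JAVA_OPTS ..."` get lost, or the `{{ HEAP_SIZE }}` / `{{ TX_NODE_ID }}` placeholders are never substituted, and WildFly then starts with a JVM command line that silently lacks the TLS and HSM settings above. The following check is an added example, not part of the original post or of WildFly: it inspects a conf file for those three failure modes. The constructed sample at the bottom is invented here to show a rejected file; run it against the real file with `check_standalone_conf /opt/wildfly/bin/standalone.conf` before `systemctl start wildfly`.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a rendered
# /opt/wildfly/bin/standalone.conf before WildFly is started.
# Exit status 0 = clean, 1 = at least one problem (details on stdout).

check_standalone_conf() {
    conf="$1"
    rc=0

    # 1. Template placeholders the sed step never substituted.
    if grep -n -F '{{' "$conf"; then
        echo "unexpanded template placeholder(s) listed above"
        rc=1
    fi

    # 2. A JAVA_OPTS re-assignment that lost its "$": every earlier option
    #    is overwritten by the literal string "JAVA_OPTS".
    if grep -n 'JAVA_OPTS="JAVA_OPTS ' "$conf"; then
        echo "JAVA_OPTS assignment discards previous options (missing \$)"
        rc=1
    fi

    # 3. The options the CA setup above depends on must be present.
    for opt in \
        -Dhttps.protocols=TLSv1.2,TLSv1.3 \
        -Djdk.tls.ephemeralDHKeySize=2048 \
        --add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED
    do
        grep -q -F -- "$opt" "$conf" || { echo "missing option: $opt"; rc=1; }
    done

    return $rc
}

# Constructed sample (not a real file): the broken form produced when the
# "$" characters are stripped and the placeholders are left in place.
sample_broken=$(mktemp)
cat > "$sample_broken" <<'EOF'
JAVA_OPTS="-Xms{{ HEAP_SIZE }}m -Xmx{{ HEAP_SIZE }}m"
JAVA_OPTS="JAVA_OPTS -Dhttps.protocols=TLSv1.2,TLSv1.3"
EOF
check_standalone_conf "$sample_broken" || echo "sample rejected, as expected"
rm -f "$sample_broken"
```

The third check uses fixed-string matching (`-F`) so that the option text is compared literally rather than as a regular expression.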
      Configure HTTPS with the three-port layout (plain HTTP 8080, public HTTPS 8442, and admin HTTPS 8443 with mandatory client certificates); the WildFly default is two ports.
      ```
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/http-listener=default:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=http:remove()'
      # Line 4 is not needed if Galleon was used
      #/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/https-listener=https:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=https:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect ':reload'
      /opt/wildfly/bin/jboss-cli.sh --connect '/interface=http:add(inet-address="0.0.0.0")'
      /opt/wildfly/bin/jboss-cli.sh --connect '/interface=httpspub:add(inet-address="0.0.0.0")'
      /opt/wildfly/bin/jboss-cli.sh --connect '/interface=httpspriv:add(inet-address="0.0.0.0")'
      /opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=http:add(port="8080",interface="http")'
      /opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442",interface="httpspub")'
      /opt/wildfly/bin/jboss-cli.sh --connect '/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface="httpspriv")'

      # Keystore/truststore passwords live in the Elytron credential store (created in the database step below), not in standalone.xml
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/credential-store=defaultCS:add-alias(alias=httpsKeystorePassword, secret-value="hetao1987")'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/credential-store=defaultCS:add-alias(alias=httpsTruststorePassword, secret-value="hetao1987")'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/key-store=httpsKS:add(path="keystore/keystore.p12",relative-to=jboss.server.config.dir,credential-reference={store=defaultCS, alias=httpsKeystorePassword},type=PKCS12)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/key-store=httpsTS:add(path="keystore/truststore.p12",relative-to=jboss.server.config.dir,credential-reference={store=defaultCS, alias=httpsTruststorePassword},type=PKCS12)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={store=defaultCS, alias=httpsKeystorePassword})'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/trust-manager=httpsTM:add(key-store=httpsTS)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/server-ssl-context=httpspub:add(key-manager=httpsKM,protocols=["TLSv1.3","TLSv1.2"],use-cipher-suites-order=false,cipher-suite-filter="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256")'
      # The admin context differs only in trust-manager and need-client-auth=true: the admin web is reachable only with a client certificate
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/server-ssl-context=httpspriv:add(key-manager=httpsKM,protocols=["TLSv1.3","TLSv1.2"],use-cipher-suites-order=false,cipher-suite-filter="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256",trust-manager=httpsTM,need-client-auth=true)'

      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding="http", redirect-socket="httpspriv")'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding="httpspub", ssl-context="httpspub", max-parameters=2048)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding="httpspriv", ssl-context="httpspriv", max-parameters=2048)'
      /opt/wildfly/bin/jboss-cli.sh --connect ':reload'

      /opt/wildfly/bin/jboss-cli.sh --connect '/system-property=org.apache.catalina.connector.URI_ENCODING:add(value="UTF-8")'
      /opt/wildfly/bin/jboss-cli.sh --connect '/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/system-property=org.apache.tomcat.util.http.Parameters.MAX_COUNT:add(value=2048)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)'
      /opt/wildfly/bin/jboss-cli.sh --connect ':reload'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/host=default-host/location="\/":remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/configuration=handler/file=welcome-content:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect ':reload'
      #rm -rf /opt/wildfly/welcome-content/
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/configuration=filter/rewrite=redirect-to-app:add(redirect=true,target="/ejbca/adminweb/")'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/host=default-host/filter-ref=redirect-to-app:add(priority=1,predicate="method(GET) and not path-prefix(/ejbca,/crls,/certificates,/.well-known) and not equals({%{LOCAL_PORT}, 4447})")'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/configuration=filter/rewrite=crl-rewrite:add(target="/ejbca/publicweb/crls/{1}")'
      /opt/wildfly/bin/jboss-cli.sh --connect "/subsystem=undertow/server=default-server/host=default-host/filter-ref=crl-rewrite:add(predicate=\"method(GET) and regex('/crls/(.*)')\")"
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/configuration=filter/rewrite=certs-rewrite:add(target="/ejbca/publicweb/certificates/{1}")'
      /opt/wildfly/bin/jboss-cli.sh --connect "/subsystem=undertow/server=default-server/host=default-host/filter-ref=certs-rewrite:add(predicate=\"method(GET) and regex('/certificates/(.*)')\")"
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/configuration=filter/rewrite=rewrite-ocsp:add(target="/ejbca/publicweb/status/ocsp")'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/host=default-host/filter-ref=rewrite-ocsp:add(predicate="path(/ocsp) and method(GET,POST)")'
      #/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/trust-manager=httpsTM:write-attribute(name=ocsp, value={})'
      #/opt/wildfly/bin/jboss-cli.sh --connect ':reload'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=ee/service=default-bindings:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect 'data-source remove --name=ExampleDS'
      /opt/wildfly/bin/jboss-cli.sh --connect ':reload'
      # Remove subsystems and extensions EJBCA does not need (smaller attack surface, faster startup)
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=jdr:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=sar:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=jmx:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=pojo:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=microprofile-jwt-smallrye:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=ee-security:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=microprofile-opentracing-smallrye:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=distributable-web:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=datasources/jdbc-driver=h2:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=microprofile-config-smallrye:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=request-controller:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=security-manager:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/extension=org.wildfly.extension.microprofile.config-smallrye:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/extension=org.wildfly.extension.microprofile.jwt-smallrye:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/extension=org.wildfly.extension.clustering.web:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/extension=org.wildfly.extension.microprofile.opentracing-smallrye:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=health:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=metrics:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/extension=org.wildfly.extension.health:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/extension=org.wildfly.extension.metrics:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/extension=org.jboss.as.jdr:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/extension=org.jboss.as.jmx:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/extension=org.jboss.as.sar:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/extension=org.jboss.as.pojo:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/extension=org.wildfly.extension.ee-security:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/extension=org.wildfly.extension.request-controller:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect '/extension=org.wildfly.extension.security.manager:remove()'
      /opt/wildfly/bin/jboss-cli.sh --connect ':reload'
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=undertow/server=default-server/ajp-listener=ajp-listener:add(socket-binding=ajp, scheme=https, enabled=true)'
      /opt/wildfly/bin/jboss-cli.sh --connect ':reload'
      ```

    • Install the database

      ```
      dnf install mariadb mariadb-server
      # start the server before connecting (added step; the original listed only the package install)
      systemctl enable --now mariadb
      mysql -u root -p
      CREATE DATABASE ejbca CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
      GRANT ALL PRIVILEGES ON ejbca.* TO 'ejbca'@'%' IDENTIFIED BY 'ejbca';
      quit
      ```

      ```
      # The credential store itself is unlocked by a command that prints a random secret; only the wildfly user can read it
      echo '#!/bin/sh' > /usr/bin/wildfly_pass
      echo "echo '$(openssl rand -base64 24)'" >> /usr/bin/wildfly_pass
      chown wildfly:wildfly /usr/bin/wildfly_pass
      chmod 700 /usr/bin/wildfly_pass
      mkdir /opt/wildfly/standalone/configuration/keystore
      chown wildfly:wildfly /opt/wildfly/standalone/configuration/keystore
      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/credential-store=defaultCS:add(path=keystore/credentials, relative-to=jboss.server.config.dir, credential-reference={clear-text="{EXT}/usr/bin/wildfly_pass", type="COMMAND"}, create=true)'

      wget https://dlm.mariadb.com/3852266/Connectors/java/connector-java-3.4.1/mariadb-java-client-3.4.1.jar -O /opt/wildfly/standalone/deployments/mariadb-java-client.jar

      /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/credential-store=defaultCS:add-alias(alias=dbPassword, secret-value="ejbca")'
      /opt/wildfly/bin/jboss-cli.sh --connect 'data-source add --name=ejbcads --connection-url="jdbc:mysql://127.0.0.1:3306/ejbca?permitMysqlScheme" --jndi-name="java:/EjbcaDS" --use-ccm=true --driver-name="mariadb-java-client.jar" --driver-class="org.mariadb.jdbc.Driver" --user-name="ejbca" --credential-reference={store=defaultCS, alias=dbPassword} --validate-on-match=true --background-validation=false --prepared-statements-cache-size=50 --share-prepared-statements=true --min-pool-size=5 --max-pool-size=150 --pool-prefill=true --transaction-isolation=TRANSACTION_READ_COMMITTED --check-valid-connection-sql="select 1;"'
      /opt/wildfly/bin/jboss-cli.sh --connect ':reload'
      ```

    • Install EJBCA

      ```
      # The EJBCA release downloaded above is assumed to be unpacked at $ejbca_home (the post does not show the unzip step)
      export ejbca_home=/opt/ejbca
      # The ant package from dnf is tied to Java 11 and fails with "class file has wrong version 61.0, should be 55.0", so use a standalone ant
      wget https://downloads.apache.org/ant/binaries/apache-ant-1.10.15-bin.tar.gz -O apache-ant-1.10.15-bin.tar.gz
      tar -zxf apache-ant-1.10.15-bin.tar.gz
      mv apache-ant-1.10.15 /opt/
      cd /opt
      mv apache-ant-1.10.15 ant
      export PATH=$PATH:/opt/ant/bin
      # ant must run from the EJBCA directory that contains build.xml
      cd "$ejbca_home"
      ant -q clean deployear
      ant runinstall
      ant deploy-keystore
      systemctl restart wildfly
      ```


  • Upgrading EJBCA from 8.3.2 to 9.0.0 in Docker

    Upgrading EJBCA from 8.3.2 to 9.0.0 in Docker

    Version 9.0.0 no longer supports the old H2 database file format: the container fails with "Unsupported database file version or invalid file header in file", so the H2 database has to be upgraded first.

    Upgrade the H2 database to version 2.0

    • Stop and remove the existing EJBCA container

    • Install OpenJDK 21 or newer

    • Download the H2 1.4 jar
      https://h2database.com/h2-2019-10-14.zip

    • Start the H2 database service

      Run `java -jar bin\h2-1.4.200.jar` in a command prompt

    • Download the database

      Go into EJBCA's persistent directory and download the ejbcadb.*.db files to the local machine

    • Open the database

      Open localhost:8082/login.jsp in a browser
      Enter the database file path; in my case it is jdbc:h2:C:\software\h2\data\ejbcadb. The database name is entered without any suffix.
      Username: sa, password: sa

    • Back up the database to SQL

      Run `script to 'ejbcadb.sql'` in the SQL window

    • Close the database connection, stop the database service, and delete the database files

    • Download the H2 2.3 jar

      https://github.com/h2database/h2database/releases

    • Start the new database service

      Run `java -jar h2-2.3.232.jar` in a command prompt

    • Create the database

      Open localhost:8082/login.jsp in a browser
      Enter the database file path; in my case it is jdbc:h2:C:\software\h2\data\ejbcadb. The database name is entered without any suffix.
      Username: sa, password: sa
      If the database entered does not exist, it is created automatically

    • Import the data

      Run `runscript from 'ejbcadb.sql'` in the SQL window

    • Copy the newly created ejbcadb database back to its original location
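The export/import steps above are done through the H2 web console. As an added example that is not part of the original post, the same migration can be scripted with the `org.h2.tools.Script` and `org.h2.tools.RunScript` classes that ship inside both H2 jars (the console's `script to` / `runscript from` are front-ends for them), which makes the procedure repeatable and keeps the old files until the new database exists. Assumptions made here: the two jars are in the current directory, Java 21 is on PATH, the database files sit in `./data/ejbcadb` (the post uses a Windows path), and the sa/sa credentials from the post. `DRY_RUN=1` only prints the commands.

```shell
#!/bin/sh
# Added example (not from the original post): scripted H2 1.4 -> 2.x migration
# for the EJBCA database, using the tool classes in the H2 jars.
# Paths, jar names and DRY_RUN are assumptions for this example.

OLD_JAR=${OLD_JAR:-h2-1.4.200.jar}   # engine that can still read the old file
NEW_JAR=${NEW_JAR:-h2-2.3.232.jar}   # engine used by EJBCA 9.0.0
DB_DIR=${DB_DIR:-./data}
DB_NAME=${DB_NAME:-ejbcadb}          # no .mv.db suffix in the JDBC URL
DUMP=${DUMP:-ejbcadb.sql}
DB_USER=sa
DB_PASS=sa

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: dump schema and data with the OLD engine (equivalent of "script to").
h2_export() {
    run java -cp "$OLD_JAR" org.h2.tools.Script \
        -url "jdbc:h2:$DB_DIR/$DB_NAME" -user "$DB_USER" -password "$DB_PASS" \
        -script "$DUMP"
}

# Step 2: move the old database files aside instead of deleting them, so the
# import can be retried if it fails.
h2_backup_old() {
    run mkdir -p "$DB_DIR/old-1.4"
    for f in "$DB_DIR/$DB_NAME".*.db; do
        if [ -e "$f" ]; then
            run mv "$f" "$DB_DIR/old-1.4/"
        fi
    done
}

# Step 3: replay the dump with the NEW engine; the 2.x database file is created
# on first connect (equivalent of "runscript from").
h2_import() {
    run java -cp "$NEW_JAR" org.h2.tools.RunScript \
        -url "jdbc:h2:$DB_DIR/$DB_NAME" -user "$DB_USER" -password "$DB_PASS" \
        -script "$DUMP"
}

# Full migration; stops at the first failing step.
migrate() {
    h2_export && h2_backup_old && h2_import
}
```

Run `migrate` with the container stopped, then copy the new `ejbcadb.*.db` file back into the persistent directory as the post describes; the `old-1.4` directory can be removed once the 9.0.0 container starts cleanly.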

    Update the EJBCA image version

    • Pull the new EJBCA version

      docker pull keyfactor/ejbca-ce

    • Start the container

      docker compose up -d

    After the upgrade I did not notice any functional changes apart from the version number.
