Remote Admin GUI deployment

Version History

| Version | Date | Modified By | Description of Modification |
|---------|------|-------------|-----------------------------|
| 0.1 | 12/14/2018 | Paul Tambellini | Initial version |


Overview

The Admin GUI can be deployed on a remote server, separate from the server where the CONNECT ear is deployed. Most services within the Admin GUI have been converted to use web services to interact with the CONNECT ear, which allows the Admin GUI to communicate with it over the internet instead of having to run on the same server as the CONNECT ear. Most of this conversion was done in CONNECT 5.2.

  • On two different machines, start the application server. Both servers must have the mysql-connector-java jar deployed, because the Admin GUI writes login information to where the Admin GUI war is deployed, and all other services write to the database that is deployed on the server containing the CONNECT ear.
  • On one machine, deploy the 5.2 or above CONNECT ear, because most of the web services were decoupled from the CONNECT ear in 5.2.
  • On another machine, deploy the 5.2 or above Admin GUI war, because most of the web services were decoupled from the CONNECT ear in 5.2.
  • Update exchangeInfo.xml in the properties directory of the server that hosts the CONNECT ear. Change every URL from localhost to the IP address of the machine that localhost represents. For Exchange Manager to be viewable from the Admin GUI, exchangeInfo.xml has to point to the IP address of the CONNECT ear server. This is necessary because, when the Admin GUI reads the configuration from the CONNECT ear server, exchangeInfo service URLs that point to localhost are interpreted by the Admin GUI as its own localhost and not as the IP address where the information is actually stored.
  • Update exchangeInfo.xml and internalExchangeInfo.xml in the properties directory of the server that hosts the CONNECT Admin GUI. Change localhost to the IP address of the server where the CONNECT ear is located. exchangeInfo.xml points to the IP address of the CONNECT ear server in order to ping the services. internalExchangeInfo.xml has to point to where the CONNECT ear is located so that the web services can interact. This is necessary because, when the Admin GUI reads the configuration from the CONNECT ear server, internalExchangeInfo and exchangeInfo service URLs that point to localhost are interpreted by the Admin GUI as its own localhost and not as the IP address where the information is actually stored.
  • User Management, which includes login information and account creation, will not be converted to a web service at the moment, but it should be determined whether any vulnerabilities exist.
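The localhost-to-IP edits to exchangeInfo.xml and internalExchangeInfo.xml described above can be applied and then checked for leftovers with a small script. This is an added example, not part of the CONNECT project; the sample XML, its element names and the 192.0.2.x addresses are constructed placeholders, not the real file schema.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: element names and URLs are placeholders, not the
# real exchangeInfo.xml schema. 192.0.2.x is a documentation address range.
SAMPLE = """<exchangeInfo>
  <endpoint><url>https://localhost:8181/Gateway/ServiceA</url></endpoint>
  <endpoint><url>https://127.0.0.1:8181/Gateway/ServiceB</url></endpoint>
  <endpoint><url>https://192.0.2.10:8181/Gateway/ServiceC</url></endpoint>
</exchangeInfo>"""


def is_loopback(host):
    """True for localhost and any loopback IP literal (127.0.0.0/8, ::1)."""
    if not host:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal, so treat it as a DNS name
        return False


def loopback_urls(xml_text):
    """Every http(s) URL in element text or attributes that targets loopback."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        for value in [el.text or "", *el.attrib.values()]:
            value = value.strip()
            if value.lower().startswith(("http://", "https://")) \
                    and is_loopback(urlsplit(value).hostname):
                found.append(value)
    return found


def repoint(xml_text, connect_host):
    """Point loopback URLs at connect_host, keeping scheme, port and path.

    Edits the raw text so comments and namespaces survive untouched.
    """
    changed = []
    for url in loopback_urls(xml_text):
        parts = urlsplit(url)
        port = f":{parts.port}" if parts.port else ""
        fixed = urlunsplit(parts._replace(netloc=connect_host + port))
        xml_text = xml_text.replace(url, fixed)
        changed.append((url, fixed))
    return xml_text, changed
```

Run loopback_urls on the rewritten text afterwards; an empty list means no service URL still resolves to the reader's own machine.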

Enable HTTPS on Admin GUI

To use HTTPS for the CONNECT Admin GUI with self-signed certificates, two self-signed certificates have to be created: one for the server, in this case called server_public.cer, and one for the client, which the browser presents so that the server can verify it. The following keytool commands were used to create the keystores and truststores:

Generate test certificates
[server]
keytool -v -genkey -keyalg RSA -keysize 2048 -keystore gateway.jks -keypass changeit -storepass changeit -validity 356 -alias gateway -dname "cn=localhost" -startdate -2d
keytool -v -export -rfc -alias gateway -file localhost.cer -keystore gateway.jks -keypass changeit -storepass changeit
keytool -v -import -keypass changeit -noprompt -trustcacerts -alias localhost -file localhost.cer -keystore cacerts.jks -storepass changeit

[client]
keytool -v -genkey -keyalg RSA -keysize 2048 -keystore client.jks -keypass changeit -storepass changeit -validity 356 -alias client -dname "cn=client" -startdate -2d
keytool -v -export -rfc -alias client -file client.cer -keystore client.jks -keypass changeit -storepass changeit


  1. Import the client cert into the server
    1. Navigate to the WildFly server and import it into its cacerts.jks
      1. keytool -v -import -keypass changeit -noprompt -trustcacerts -alias client_public -file client.cer -keystore cacerts.jks -storepass changeit
  2. Convert the client JKS into PKCS12 so that it can be imported into the browser.
    1. keytool -v -importkeystore -srckeystore client.jks -srcalias client -destkeystore client.p12 -deststoretype PKCS12
  3. Import the server public cert into the browser trust store, and import client.p12. Follow the steps below for each browser.

Chrome

Click on Settings, then Advanced, then Manage Certificates, then click on the Personal tab and then Import.

Run through the certificate wizard: use client.p12 for File to Import, changeit for the password in Private Key Protection, and Personal for Certificate store.

Firefox

Select Options, Privacy & Security, View Certificates, Your Certificates, Import.

Select client.p12, then enter changeit for the password.

