# Kron PAM 3.8.* Mobile App Serv...

The steps for the Kron PAM Server (within the Secure Zone) and the Kron PAM Mobile App Server (on the DMZ).
1) ((PAM)) All required PAM services (including auth) should be started and the mobile-api service should be stopped on 10.10.0.1 (PAM Server):

```bash
docker compose -f /pam/docker-mgmt/docker-compose.yml down
docker compose -f /pam/docker-mgmt/docker-compose.yml up -d
docker compose -f /pam/docker-mgmt/docker-compose.yml down mobile-api
```

2) ((DMZ)) All required PAM services (including auth) should be stopped and the mobile-api service should be started on 10.10.0.2 (Mobile App Server):

```bash
docker compose -f /pam/docker-mgmt/docker-compose.yml down
docker compose -f /pam/docker-mgmt/docker-compose.yml up mobile-api -d
```

3) ((PAM)) On the System Configuration management page of the Kron PAM Web GUI (10.10.0.1), the Mobile Tomcat URL should be set to the Kron PAM Mobile App Server's address (e.g., `https://10.10.0.2:9443/mobile-api/rest`).

4) ((PAM)) The following jobs related to the push notification system should be defined on the Kron PAM Web GUI (10.10.0.1): `SCPolicyNotifierJob`, `SendPushMessageJob`.

5) ((DMZ)) The following lines should be changed in the `.env` file on 10.10.0.2:

```bash
vi /pam/docker-mgmt/.env
```

```
PAM_CERT_FILE_STORE_TYPE=RSA                                        ====> PAM_CERT_FILE_STORE_TYPE=JKS
HOST_GATEWAY=10.10.0.2                                              ====> HOST_GATEWAY=10.10.0.1
APP_INT_SPRING_BOOT_ADMIN_URL=https://kron-commons-aggregator:8443  ====> APP_INT_SPRING_BOOT_ADMIN_URL=""
```

6) ((DMZ)) The following `docker-compose.yml` configuration should be used on 10.10.0.2 under `/pam/docker-mgmt/`:

```yaml
networks:
  default:
    driver: bridge
  kron-network:
    name: kron-network # creates this named network if it doesn't already exist
    driver: bridge

services:
  # PAM services
  mobile-api:
    extends:
      service: mobile-api
      file: docker-compose-pam.yml
```

7) ((DMZ)) The following `docker-compose-base-pam.yml` configuration should be used on 10.10.0.2 under `/pam/docker-mgmt/`:

```yaml
x-pam-common-directories: &pam-common-directories
  CONFIG_REPO_DIR: ${APP_INT_CONFIG_REPO_DIR}
  LOG_CONFIG_FILE_PATH: ${APP_INT_LOG_CONFIG_FILE_PATH}
  LICENSE_PATH: ${APP_INT_LICENSE_PATH}/${LICENSE_FILE_NAME}
  SECURITY_CONFIG_PATH: ${APP_INT_SECURITY_CONFIG_PATH}

x-pam-common-variables: &pam-common-variables
  <<: *pam-common-directories
  INSTANCE_NAME: ${INSTANCE_NAME}
  TZ: ${TIME_ZONE}
  SPRING_PROFILES_ACTIVE: ${ACTIVE_SPRING_PROFILES}
  # Config server environment values
  ###
  ### Change this CONFIG_SERVER_URI
  ###
  CONFIG_SERVER_URI: https://10.10.0.1:8001
  CONFIG_USER: aioc
  CONFIG_PASSWORD: aioc
  # SSL environment values
  SSL_ENABLE: true
  SSL_KEY_STORE_TYPE: PKCS12
  KEY_ALIAS: aioc
  KEY_STORE_FILE: ${APP_INT_CERTS_PATH}/aioc.jks
  TRUST_STORE_FILE: ${APP_INT_CERTS_PATH}/aioc.p12
  # Kron common service URLs
  SPRING_BOOT_ADMIN_URL: ${APP_INT_SPRING_BOOT_ADMIN_URL}
  # PAM
  PAM_URL: ${APP_INT_PAM_APPLICATION_URL}
  # Mobile App
  MOBILE_API_SSL_ENABLE: ${PAM_MOBILE_API_SSL_ENABLE}
  MOBILE_API_SSL_KEY_STORE_FILE: ${APP_INT_PAM_CERTS_PATH}/${PAM_CERT_FILE}
  MOBILE_API_SSL_ALIAS: ${PAM_CERT_FILE_ALIAS}
  MOBILE_API_SSL_STORE_TYPE: ${PAM_CERT_FILE_STORE_TYPE}
  MOBILE_API_SSL_STORE_PASSWORD: ${PAM_CERT_FILE_STORE_PASSWORD}
  MOBILE_API_SSL_PASSWORD: ${PAM_CERT_FILE_PASSWORD}

x-pam-db-variables: &pam-common-db-variables
  <<: *pam-common-variables
  DB_URL: ${PAM_DB_URL}
  DB_USERNAME: ${PAM_DB_USERNAME}
  DB_PASSWORD: ${PAM_DB_PASSWORD}
  DB_SCHEMA: ${PAM_DB_SCHEMA}
  DB_DRIVER: org.postgresql.Driver
  BASE_URL: ${APP_INT_PAM_APPLICATION_URL}

x-healthcheck-java: &healthcheck-java
  test: java -cp /app/libs/kron-runtime-tools com.kron.tools.runtime.HealthCheck https://localhost:8443/actuator/health || exit 1
  interval: 6s
  retries: 20
  start_period: 8s
  timeout: 5s

x-deploy-resource: &deploy-resource
  resources:
    limits:
      cpus: "0.70"
      memory: ${CONTAINER_MEMORY}
    reservations:
      cpus: "0.50"
      memory: ${MIN_MEMORY}

services:
  mobile-api:
    image: dockerhub.kron.com.tr/pam/mobile-api:3.8.0
    container_name: mobile-api
    environment: *pam-common-db-variables
    deploy: *deploy-resource
    profiles:
      - pam
    ports:
      - "${PAM_MOBILE_API_PORT}:8443"
    volumes:
      - ${CONFIG_REPO_DIRECTORY}:${APP_INT_CONFIG_REPO_DIR}
      - ${LOG4J2_PATH}:${APP_INT_LOG_CONFIG_FILE_PATH}
      - ${APPLICATION_CERTS_DIRECTORY}:${APP_INT_CERTS_PATH}
      - ${PAM_CERTS_DIRECTORY}:${APP_INT_PAM_CERTS_PATH}
      - ${DATABASE_CERTS_DIRECTORY}:${APP_INT_DB_CERTS_PATH}
      - ${SECURITY_FILES_DIRECTORY}:${APP_INT_SECURITY_CONFIG_PATH}
      - ${LOG_DIRECTORY_PATH}:${APP_INT_LOG_DIRECTORY_PATH}
      - ${COLD_LOG_DIRECTORY_PATH}:${APP_INT_COLD_LOG_DIRECTORY_PATH}
      - ${LICENSE_FILE_DIRECTORY}:${APP_INT_LICENSE_PATH}
    healthcheck: *healthcheck-java
    restart: on-failure:5
    dns:
      - ${DNS_F}
    extra_hosts:
      - "host.docker.internal:${HOST_GATEWAY}"
      - "{PAM instance name of 10.10.0.1}:10.10.0.1"
    networks:
      - kron-network
    ###
    ### Change the extra_hosts entry above, e.g., "pam-01:10.10.0.1"
    ###

networks:
  kron-network:
    name: kron-network # creates this named network if it doesn't already exist
    driver: bridge
```

8) ((DMZ)) If the customer has their own valid certificate for the mobile service: when the customer uses its own certificate for accessing the mobile URL, the certificate should be uploaded to `/pam/gui/conf/cert` (e.g., `kron.com.tr.jks`). Note that the purpose of this certificate is different from that of the self-signed certificate, which is used to access a specific Docker service on the Kron PAM Server.

- Put the JKS file (e.g. `kron.com.tr.jks`) into `/pam/gui/conf/cert` on 10.10.0.2.
- Edit the following lines of `mobile-api-default.properties`, located under `/pam/docker-mgmt/config-repo/` on 10.10.0.2:

```properties
server.ssl.key-alias=${MOBILE_API_SSL_ALIAS:{customer's alias name}}
server.ssl.key-store=${MOBILE_API_SSL_KEY_STORE_FILE:/app/mobile-certs/{customer's JKS file name}}
server.ssl.key-store-type=${MOBILE_API_SSL_STORE_TYPE:JKS}
server.ssl.key-store-password=${MOBILE_API_SSL_STORE_PASSWORD:{customer's store password}}
server.ssl.key-password=${MOBILE_API_SSL_PASSWORD:{customer's SSL password}}
```

e.g.

```properties
server.ssl.key-alias=${MOBILE_API_SSL_ALIAS:kron}
server.ssl.key-store=${MOBILE_API_SSL_KEY_STORE_FILE:/app/mobile-certs/kron.com.tr.jks}
server.ssl.key-store-type=${MOBILE_API_SSL_STORE_TYPE:JKS}
server.ssl.key-store-password=${MOBILE_API_SSL_STORE_PASSWORD:kr10ipsla}
server.ssl.key-password=${MOBILE_API_SSL_PASSWORD:kr10ipsla}
```

9) ((PAM)) Using the RSA key pair created with the `aioc` alias, the environment configurations (kron-commons-config) in the Docker container on the Kron PAM Server can be accessed by the Kron PAM Mobile App Server. For this, a self-signed certificate is used instead of the customer's existing key pair. This RSA key pair is stored in different formats and keystore files (PKCS#12 and JKS) but under the same alias (`aioc`). In this scenario the JKS and P12 files located at `/pam/docker-mgmt/cert` should be recreated with the keytool commands below (if the Kron PAM Server and the Kron PAM Mobile App Server are installed on the same server, these files should stay as they are).

Listing the certificates' configurations on 10.10.0.1:

```bash
# JKS
sudo keytool -list -v -keystore /pam/docker-mgmt/cert/aioc.jks -storepass krondev10
# P12
sudo keytool -list -v -keystore /pam/docker-mgmt/cert/aioc.p12 -storepass krondev10 -storetype PKCS12
```

Deleting the certificates' configurations on 10.10.0.1:

```bash
# JKS
sudo keytool -delete -alias aioc -keystore /pam/docker-mgmt/cert/aioc.jks -storepass krondev10
# P12
sudo keytool -delete -alias aioc -keystore /pam/docker-mgmt/cert/aioc.p12 -storepass krondev10
```

Deleting the certificate files (take a backup of these files first) on 10.10.0.1:

```bash
# JKS
rm -rf /pam/docker-mgmt/cert/aioc.jks
# P12
rm -rf /pam/docker-mgmt/cert/aioc.p12
```

Creating the certificate files and configurations on 10.10.0.1:

```bash
# JKS
sudo keytool \
  -genkeypair -alias aioc -keyalg RSA -keysize 2048 \
  -dname "CN=localhost,OU=Kron,O=Kron,C=TR" \
  -ext "SAN:c=DNS:localhost,DNS:kron-commons-alfred,DNS:kron-commons-auth,DNS:kron-commons-license,DNS:kron-commons-network,DNS:kron-commons-notification,DNS:kron-commons-config,IP:127.0.0.1,IP:10.10.0.1,IP:10.10.0.2" \
  -storepass krondev10 -keypass krondev10 -keystore /pam/docker-mgmt/cert/aioc.jks -validity 3650

# P12
sudo keytool \
  -genkeypair -alias aioc -keyalg RSA -keysize 2048 \
  -storetype PKCS12 -dname "CN=localhost,OU=Kron,O=Kron,C=TR" \
  -ext "SAN:c=DNS:localhost,DNS:kron-commons-alfred,DNS:kron-commons-auth,DNS:kron-commons-license,DNS:kron-commons-network,DNS:kron-commons-notification,DNS:kron-commons-config,IP:127.0.0.1,IP:10.10.0.1,IP:10.10.0.2" \
  -storepass krondev10 -keypass krondev10 -keystore /pam/docker-mgmt/cert/aioc.p12 -validity 3650
```

10) ((PAM)) The following keytool command should be executed to import the certificate on 10.10.0.1:

```bash
yes | sudo keytool \
  -importkeystore -srckeystore /pam/docker-mgmt/cert/aioc.jks -srcstorepass krondev10 \
  -destkeystore /pam/docker-mgmt/cert/aioc.p12 -deststoretype PKCS12 -storepass krondev10
```

11) ((PAM)) The ownership and mode of these files should be changed on 10.10.0.1:

```bash
sudo chown pamuser:pam-group /pam/docker-mgmt/cert/aioc.jks /pam/docker-mgmt/cert/aioc.p12
sudo chmod 750 /pam/docker-mgmt/cert/aioc.jks /pam/docker-mgmt/cert/aioc.p12
```

12) ((PAM)) All of the Docker services on the Kron PAM Server should be restarted, and the mobile-api service should be stopped on 10.10.0.1:

```bash
docker compose -f /pam/docker-mgmt/docker-compose.yml down
docker compose -f /pam/docker-mgmt/docker-compose.yml up -d
docker compose -f /pam/docker-mgmt/docker-compose.yml down mobile-api
```

13) ((PAM)) The certificate files (JKS and P12) created in step 9 (10.10.0.1) should be transferred to the Kron PAM Mobile App Server (10.10.0.2). Note that the JKS and P12 files must be identical on both environments. To check this, the following commands should be run on both environments:

```bash
sha256sum /pam/docker-mgmt/cert/aioc.p12
sha256sum /pam/docker-mgmt/cert/aioc.jks
```

If the files are not identical because a third-party SSH/SFTP tool (e.g. MobaXterm) was used, the `sshpass` command can be used for the file transfer:

```bash
sshpass -p 'your password' rsync -avz /pam/docker-mgmt/cert/aioc.p12 pamuser@10.10.0.2:/pam/docker-mgmt/cert
sshpass -p 'your password' rsync -avz /pam/docker-mgmt/cert/aioc.jks pamuser@10.10.0.2:/pam/docker-mgmt/cert
```

14) ((DMZ)) After the file transfer from the Kron PAM Server to the Kron PAM Mobile App Server, the ownership and mode of these files should be changed on 10.10.0.2:

```bash
sudo chown pamuser:pam-group /pam/docker-mgmt/cert/aioc.jks /pam/docker-mgmt/cert/aioc.p12
sudo chmod 750 /pam/docker-mgmt/cert/aioc.jks /pam/docker-mgmt/cert/aioc.p12
```

15) ((DMZ)) Lastly, all of the Docker services on the Kron PAM Mobile App Server should be stopped and the mobile-api service should be started on 10.10.0.2:

```bash
docker compose -f /pam/docker-mgmt/docker-compose.yml down
docker compose -f /pam/docker-mgmt/docker-compose.yml up mobile-api -d
```
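The check in step 13 (identical keystores on both hosts) and the mode change in step 14 can be scripted so they are not done by eye. The following script is an added example and is not part of the Kron PAM guide; it compares two `sha256sum` manifests (one captured on each host) and verifies the 750 mode with GNU `stat`. The `demo_transfer_check` function builds a constructed scenario in a temporary directory with stand-in files, not real keystores.

```shell
#!/bin/sh
# Added example (not from the Kron PAM guide): confirm the keystore files
# copied in step 13 are byte-identical on both hosts and carry the mode set
# in step 14. A manifest is the output of `sha256sum` run on one host
# ("<hash>  <path>" per line).

# verify_manifests LOCAL_MANIFEST REMOTE_MANIFEST
# Returns 0 when every path listed in LOCAL has the same hash in REMOTE;
# reports each missing or differing path on stderr and returns 1 otherwise.
verify_manifests() {
    local_m=$1
    remote_m=$2
    rc=0
    # Redirecting the file into the loop (not piping) keeps the loop in the
    # current shell, so rc set inside it survives past `done`.
    while read -r hash path; do
        [ -n "$path" ] || continue
        remote_hash=$(awk -v p="$path" '$2 == p { print $1 }' "$remote_m")
        if [ -z "$remote_hash" ]; then
            echo "MISSING on remote: $path" >&2
            rc=1
        elif [ "$remote_hash" != "$hash" ]; then
            echo "MISMATCH (transfer altered the file): $path" >&2
            rc=1
        fi
    done < "$local_m"
    return "$rc"
}

# check_mode FILE EXPECTED_OCTAL (GNU stat): 0 when the permission bits match.
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2" ]
}

# demo_transfer_check MODE: constructed scenario in a temp dir. "ok" copies
# the files unchanged; "corrupt" appends CRLF to the remote copy of aioc.p12,
# the kind of damage a text-mode SFTP transfer causes. Returns 0 only when
# both the hash comparison and the mode check pass.
demo_transfer_check() {
    mode=$1
    work=$(mktemp -d)
    mkdir -p "$work/pam/cert" "$work/dmz/cert"
    # Constructed stand-ins for aioc.jks / aioc.p12 (not real keystores).
    printf 'constructed-jks-bytes\n' > "$work/pam/cert/aioc.jks"
    printf 'constructed-p12-bytes\n' > "$work/pam/cert/aioc.p12"
    cp "$work/pam/cert/aioc.jks" "$work/pam/cert/aioc.p12" "$work/dmz/cert/"
    if [ "$mode" = "corrupt" ]; then
        printf '\r\n' >> "$work/dmz/cert/aioc.p12"
    fi
    chmod 750 "$work/dmz/cert/aioc.jks" "$work/dmz/cert/aioc.p12"
    # Relative paths in the manifests make the two hosts' lines comparable.
    ( cd "$work/pam" && sha256sum cert/aioc.jks cert/aioc.p12 ) > "$work/local.txt"
    ( cd "$work/dmz" && sha256sum cert/aioc.jks cert/aioc.p12 ) > "$work/remote.txt"
    if verify_manifests "$work/local.txt" "$work/remote.txt"; then rc=0; else rc=1; fi
    check_mode "$work/dmz/cert/aioc.p12" 750 || rc=1
    rm -rf "$work"
    return "$rc"
}
```

In real use, run `sha256sum` with the same relative paths on 10.10.0.1 and 10.10.0.2, copy the two outputs side by side, and call `verify_manifests local.txt remote.txt`; a non-zero exit means the files must be re-sent (for instance with the `rsync` command from step 13) before step 15.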
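Step 8 leaves `mobile-api-default.properties` with `${NAME:default}` placeholders that must all be filled before the mobile-api service is started in step 15. The script below is an added example, not part of the Kron PAM guide; it assumes the Spring-style `${NAME:default}` form shown in step 8 and a certificate directory passed as an argument, and it flags leftover `{customer's ...}` templates, a store type other than JKS, a keystore file that is not present, and empty passwords. The properties files in `demo_properties_check` are constructed samples with a made-up password.

```shell
#!/bin/sh
# Added example (not from the Kron PAM guide): sanity-check the server.ssl.*
# lines of mobile-api-default.properties after step 8.

# prop_default FILE KEY: prints the fallback value of a "KEY=${NAME:default}" line.
prop_default() {
    sed -n 's/^'"$2"'=[$]{[^:}]*:\([^}]*\)}$/\1/p' "$1"
}

# check_ssl_properties PROPS CERT_DIR: 0 when the file is ready to use.
check_ssl_properties() {
    props=$1
    cert_dir=$2
    rc=0
    # 1. No "{customer's ...}" placeholder may remain from the template.
    if grep -q '{customer' "$props"; then
        echo "unfilled placeholder remains in $props" >&2
        rc=1
    fi
    # 2. The store type must be JKS (step 5 set PAM_CERT_FILE_STORE_TYPE=JKS too).
    store_type=$(prop_default "$props" 'server.ssl.key-store-type')
    if [ "$store_type" != "JKS" ]; then
        echo "key-store-type default is '$store_type', expected JKS" >&2
        rc=1
    fi
    # 3. The keystore named in key-store must exist in CERT_DIR.
    ks=$(basename "$(prop_default "$props" 'server.ssl.key-store')")
    if [ ! -f "$cert_dir/$ks" ]; then
        echo "keystore '$ks' not found in $cert_dir" >&2
        rc=1
    fi
    # 4. Both passwords must carry a value.
    for key in server.ssl.key-store-password server.ssl.key-password; do
        if [ -z "$(prop_default "$props" "$key")" ]; then
            echo "$key has no value" >&2
            rc=1
        fi
    done
    return "$rc"
}

# demo_properties_check MODE: writes a constructed properties file into a
# temp dir ("filled" = values like step 8's example, "template" = the
# placeholders still unfilled) and returns the check result.
demo_properties_check() {
    work=$(mktemp -d)
    mkdir -p "$work/cert"
    : > "$work/cert/kron.com.tr.jks"   # constructed stand-in, not a real JKS
    props="$work/mobile-api-default.properties"
    if [ "$1" = "filled" ]; then
        cat > "$props" <<'EOF'
server.ssl.key-alias=${MOBILE_API_SSL_ALIAS:kron}
server.ssl.key-store=${MOBILE_API_SSL_KEY_STORE_FILE:/app/mobile-certs/kron.com.tr.jks}
server.ssl.key-store-type=${MOBILE_API_SSL_STORE_TYPE:JKS}
server.ssl.key-store-password=${MOBILE_API_SSL_STORE_PASSWORD:constructed-pw}
server.ssl.key-password=${MOBILE_API_SSL_PASSWORD:constructed-pw}
EOF
    else
        cat > "$props" <<'EOF'
server.ssl.key-alias=${MOBILE_API_SSL_ALIAS:{customer's alias name}}
server.ssl.key-store=${MOBILE_API_SSL_KEY_STORE_FILE:/app/mobile-certs/{customer's JKS file name}}
server.ssl.key-store-type=${MOBILE_API_SSL_STORE_TYPE:JKS}
server.ssl.key-store-password=${MOBILE_API_SSL_STORE_PASSWORD:{customer's store password}}
server.ssl.key-password=${MOBILE_API_SSL_PASSWORD:{customer's SSL password}}
EOF
    fi
    if check_ssl_properties "$props" "$work/cert"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return "$rc"
}
```

On the Mobile App Server the call would be `check_ssl_properties /pam/docker-mgmt/config-repo/mobile-api-default.properties /pam/gui/conf/cert`; the basename comparison is used because the properties file refers to the keystore through the container path `/app/mobile-certs/`, while the file itself lives in the host directory.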