Overview
This guide provides detailed instructions on how to install and configure WebADM within Docker containers.
The following components will be covered:
- Slapd
- MariaDB
- WebADM
- WAProxy
Before you start
All steps in this guide have been tested on CentOS 7/CentOS 8 with Docker version 19. However, they should work on any system running a modern version of Docker.
Before proceeding, ensure you have a working Docker installation. If you need assistance setting up Docker, refer to the Docker documentation.
The host machine should have two IP addresses configured to expose the containers to the external network.
Docker Setup
Bridge Network
We'll use a user-defined bridge network called net-webadm so that all internal containers can communicate using hostnames.
Create the network with the following command:
[root@mdcos ~]# docker network create --driver bridge net-webadm
Persistent storage
The '-v' parameter used below creates a named volume: persistent storage on the host machine that is mounted into the container. This prevents data loss when a container is recreated.
On CentOS hosts, persistent volumes are stored under /var/lib/docker/volumes. You can verify this with the following commands:
[root@mdcos ~]# docker volume inspect volume_name
[root@mdcos ~]# docker inspect container_name
External Network
Some containers may need to be accessible from outside the Docker network. To expose container ports, use the '-p' parameter. In this setup, two IP addresses (on the same interface) will be used for this purpose.
[root@mdcos ~]# ip address show ens192
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:28:38:78 brd ff:ff:ff:ff:ff:ff
inet 192.168.3.176/24 brd 192.168.3.255 scope global noprefixroute ens192
valid_lft forever preferred_lft forever
inet 192.168.3.175/24 brd 192.168.3.255 scope global secondary noprefixroute ens192
valid_lft forever preferred_lft forever
inet6 fe80::127a:626d:5b55:cc77/64 scope link noprefixroute
valid_lft forever preferred_lft forever
MariaDB
First, download the rcdevs/mariadb image from the Docker repository:
[root@mdcos ~]# docker pull rcdevs/mariadb
Then, start the container using the following command:
[root@mdcos ~]# docker run -d --name webadm-db \
-e MYSQL_ROOT_PASSWORD=password \
-e MYSQL_DATABASE=webadm \
-e MYSQL_USER=webadm \
-e MYSQL_PASSWORD=webadm \
-v webadm_db:/var/lib/mysql \
--network net-webadm \
rcdevs/mariadb
You can choose different values for the MYSQL_* variables, but remember to use the same values in the SQL server section of the WebADM servers.xml file later.
Slapd
Next, download the rcdevs/slapd image from the Docker repository:
[root@mdcos ~]# docker pull rcdevs/slapd
Then, start the slapd container using the following command:
[root@mdcos ~]# docker run -d --name slapd \
-v slapd_conf:/opt/slapd/conf \
-v slapd_data:/opt/slapd/data \
--network net-webadm \
rcdevs/slapd
WebADM
With slapd and MariaDB installed, you're ready to install and configure WebADM. Start by downloading the WebADM container image:
[root@mdcos ~]# docker pull rcdevs/webadm
To make WebADM accessible externally, you'll need to publish certain ports. The admin page will be hosted on port 443 (port 80 is optional), and port 8443 is required for WebADM services.
In the example below, the host IP address 192.168.3.175 is used for external access. Adjust this according to your environment.
[root@mdcos ~]# docker run -d --name webadm1 \
-p 192.168.3.175:80:80 \
-p 192.168.3.175:443:443 \
-p 192.168.3.175:8443:8443 \
-v webadm1_conf:/opt/webadm/conf \
-v webadm1_pki:/opt/webadm/pki \
-v webadm1_logs:/opt/webadm/logs \
-v webadm1_temp:/opt/webadm/temp \
--network net-webadm \
rcdevs/webadm
After starting the container, check the logs to retrieve the link needed to generate the license. If you already have an enterprise license, place the license.key file in the conf/ folder before starting the WebADM container.
[root@mdcos ~]# docker logs webadm1
WebADM license file is missing. Please install an Enterprise or Freeware license file.
If you just upgraded, WebADM v2.0 now requires a license file even in Freeware mode.
Please point your Web browser to the URL below to get your license file.
After generation, WebADM will auto-install your new license and start.
https://cloud.rcdevs.com/freeware-license/?id=54fd536ce7350fc7
Visit the link to generate the license. Once the license is generated, WebADM will proceed with the installation.
If you are unable to generate the license in time, you can upload it later to the /opt/webadm/conf folder and restart WebADM.
If the LDAP and SQL connection checks report an error at this point, don't worry; they are addressed in the WebADM configuration section.
[root@mdcos ~]# docker logs webadm1
https://cloud.rcdevs.com/freeware-license/?id=54fd536ce7350fc7
Waiting for license file to be generated................... Ok
Checking libudev dependency... Ok
Checking system architecture... Ok
Checking server configurations... Ok
Found Freeware license (FREE_0123456789ABCDEF)
Licensed by RCDevs Security SA to Foo Bar
Licensed product(s): OpenOTP,SpanKey
Starting WebADM PKI service... Ok
Starting WebADM Session service... Ok
Starting WebADM Watchd service... Ok
Starting WebADM HTTP service... Ok
Checking server connections...
Connected LDAP server: ERROR (no server available)
Connected SQL server: ERROR (no server available)
Connected PKI server: PKI Server (127.0.0.1)
Connected Session server: Session Server1 (172.19.0.5)
WebADM configuration
Now it's time to configure WebADM using RCDevs Directory as the LDAP source. If you want to use a different LDAP source (e.g., Active Directory) or configure more complex scenarios, refer to the WebADM guides.
From the host, edit the webadm.conf file. In this example, it is mapped to /var/lib/docker/volumes/webadm1_conf/_data/webadm.conf.
[root@mdcos ~]# vi /var/lib/docker/volumes/webadm1_conf/_data/webadm.conf
Set the default proxy_user and password as shown below:
proxy_user "cn=admin,o=root"
proxy_password "password"
Next, configure the SQL database and LDAP server IP to allow WebADM to connect to them. Edit the file located at /var/lib/docker/volumes/webadm1_conf/_data/servers.xml.
Update the host parameter in the LDAP, SQL, and Session Server sections. Since all Docker containers are on the same bridge network, use the container hostname for LDAP and SQL DB.
For the Session Server, set it to localhost.
In this example, LDAP encryption is set to TLS.
<Servers>
  <LdapServer name="LDAP Server1"
    host="slapd"
    port="389"
    encryption="TLS"
    ca_file="" />
  <SqlServer name="SQL Server1"
    type="mariadb"
    host="webadm-db"
    user="webadm"
    password="webadm"
    database="webadm"
    encryption="NONE" />
  <SessionServer name="Session Server1"
    host="localhost"
    port="4000"
    secret="" />
  <PkiServer name="PKI Server"
    host="localhost"
    port="5000"
    secret="secret"
    ca_file="" />
  <LicenseServer name="License Server"
    host="license.rcdevs.com"
    port="7001"
    ca_file="" />
</Servers>
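A mistake that is easy to make at this step is editing servers.xml with values that differ from the ones the containers were started with (a different MYSQL_PASSWORD, a different container name, or encryption left at NONE for LDAP). The script below is an added example and is not part of the RCDevs guide: it reads the attributes of servers.xml with awk, so it runs on a bare host without an XML library, and compares them with the values used in the docker run commands above. The expected values (container names webadm-db and slapd, the MYSQL_* credentials) are assumptions taken from this guide and can be overridden through the environment; the sample_servers_xml function writes a constructed copy of the configuration shown above for the self-check.

```shell
#!/bin/sh
# Added example, not part of the RCDevs guide: consistency check for the
# servers.xml edited above, compared with the values given to the containers.
# Expected values are assumptions taken from the docker run commands on this
# page; override them through the environment (DB_PASSWORD=... sh check.sh ...).
set -eu

DB_HOST="${DB_HOST:-webadm-db}"          # --name of the MariaDB container
DB_USER="${DB_USER:-webadm}"             # MYSQL_USER
DB_PASSWORD="${DB_PASSWORD:-webadm}"     # MYSQL_PASSWORD
DB_NAME="${DB_NAME:-webadm}"             # MYSQL_DATABASE
LDAP_HOST="${LDAP_HOST:-slapd}"          # --name of the slapd container

# xml_attr FILE ELEMENT ATTR: print the value of ATTR in the first
# <ELEMENT ... /> block of FILE. Attributes may be spread over several
# lines, as they are in servers.xml.
xml_attr() {
  awk -v el="$2" -v at="$3" '
    index($0, "<" el " ") > 0 { inside = 1 }
    inside && match($0, at "=\"[^\"]*\"") {
      print substr($0, RSTART + length(at) + 2, RLENGTH - length(at) - 3)
      exit
    }
    inside && /\/>/ { inside = 0 }
  ' "$1"
}

# assert_attr FILE ELEMENT ATTR WANT: print a mismatch line and set rc=1
# when the attribute does not hold the expected value.
assert_attr() {
  got=$(xml_attr "$1" "$2" "$3")
  if [ "$got" != "$4" ]; then
    echo "$2 $3=\"$got\", expected \"$4\""
    rc=1
  fi
}

# check_servers_xml FILE: return 0 when every setting matches the container
# values, 1 otherwise, with one line printed per mismatch.
check_servers_xml() {
  f=$1
  rc=0
  assert_attr "$f" SqlServer host "$DB_HOST"
  assert_attr "$f" SqlServer user "$DB_USER"
  assert_attr "$f" SqlServer password "$DB_PASSWORD"
  assert_attr "$f" SqlServer database "$DB_NAME"
  assert_attr "$f" LdapServer host "$LDAP_HOST"
  assert_attr "$f" SessionServer host localhost   # the guide uses localhost here
  # The proxy_user bind password must not cross the bridge network in cleartext.
  enc=$(xml_attr "$f" LdapServer encryption)
  case "$enc" in
    TLS|SSL) ;;
    *) echo "LdapServer encryption=\"$enc\", expected TLS or SSL"; rc=1 ;;
  esac
  return $rc
}

# sample_servers_xml FILE: write a constructed copy of the servers.xml shown
# in this guide (only the sections the check looks at).
sample_servers_xml() {
  cat > "$1" <<'EOF'
<Servers>
  <LdapServer name="LDAP Server1"
    host="slapd"
    port="389"
    encryption="TLS"
    ca_file="" />
  <SqlServer name="SQL Server1"
    type="mariadb"
    host="webadm-db"
    user="webadm"
    password="webadm"
    database="webadm"
    encryption="NONE" />
  <SessionServer name="Session Server1"
    host="localhost"
    port="4000"
    secret="" />
</Servers>
EOF
}

# Usage: sh check.sh /var/lib/docker/volumes/webadm1_conf/_data/servers.xml
if [ -n "${1:-}" ]; then
  check_servers_xml "$1"
  echo "servers.xml matches the container settings"
fi
```

Run it against the volume path before the restart; a non-zero exit with the printed mismatch lines tells you which attribute to fix, and the same script can be run again after every later edit of servers.xml.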
After the configuration, restart the WebADM container to apply the changes.
[root@mdcos ~]# docker restart webadm1
Check WebADM container logs to make sure all connections are OK.
[root@mdcos ~]# docker logs webadm1
Starting WebADM PKI service... Ok
Starting WebADM Session service... Ok
Starting WebADM Watchd service... Ok
Starting WebADM HTTP service... Ok
Checking server connections...
Connected LDAP server: LDAP Server1 (172.19.0.3)
Connected SQL server: SQL Server1 (172.19.0.2)
Connected PKI server: PKI Server (127.0.0.1)
Connected Session server: Session Server1 (127.0.0.1)
Checking LDAP proxy user access... Ok
Checking SQL database access... Ok
Checking PKI service access... Ok
Checking Cloud service access... Ok
Docker mode enable. Waiting for signal to exit...
If everything worked correctly, you are ready to log in to WebADM.
For the first login, you need to enter the full user DN and the default password:
- User: cn=admin,o=root
- Pass: password
Go to https://your_webadm_ip, then enter your credentials.
After logging in, WebADM will report that your setup "is not completely configured". To finish it, click the link to create the default LDAP containers and objects, then log out and log in again.
For subsequent logins, enter just admin as the username.
If you see a "No license slot" error, it means the same email address was already used to request another license. You can fix that by clicking the Unbind button at the end of the license details.
Offline licenses are bound to the IP addresses used by WebADM. If you are using Swarm, you may not be able to assign static IPs to your containers, so that kind of license cannot be used.
WAProxy (optional)
WAProxy allows you to expose WebADM services for general use without exposing the WebADM server itself. For more information, refer to the WebADM Publishing Proxy documentation.
To start, download the WAProxy container image:
[root@mdcos ~]# docker pull rcdevs/waproxy
For WAProxy, you'll need to expose ports 443 and 80 for external access. In this example, the host IP 192.168.3.176 is used. Adjust this to your environment.
[root@mdcos ~]# docker run -d --name waproxy \
-v waproxy_conf:/opt/waproxy/conf \
-p 192.168.3.176:80:80 \
-p 192.168.3.176:443:443 \
--network net-webadm \
rcdevs/waproxy
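The docker run commands in the Docker Setup, MariaDB, Slapd, WebADM and WAProxy sections, together with the log check from the WebADM configuration section, form one procedure. The script below is an added example, not part of the RCDevs guide or its images: it wraps that procedure in shell functions with a dry-run switch (DOCKER=echo prints each command instead of executing it), and its connections_ok function inspects the WebADM startup log for the "Connected ... server: ERROR" lines shown earlier. It only looks at the most recent "Checking server connections..." report, because docker logs also returns the output of earlier starts of the container, which would otherwise keep reporting the pre-configuration errors. Host IPs, container names and the page's default passwords are assumptions taken from this guide and are overridable through the environment.

```shell
#!/bin/sh
# Added example, not part of the RCDevs guide: the docker run sequence from
# the Docker Setup, MariaDB, Slapd, WebADM and WAProxy sections as shell
# functions, plus a check of the WebADM startup log. DOCKER=echo turns every
# function into a dry run that only prints the command it would execute.
# IPs, names and the page's default passwords are assumptions taken from the
# guide; override them through the environment before use.
set -eu

DOCKER="${DOCKER:-docker}"
NET="${NET:-net-webadm}"
WEBADM_IP="${WEBADM_IP:-192.168.3.175}"     # address WebADM is published on
WAPROXY_IP="${WAPROXY_IP:-192.168.3.176}"   # address WAProxy is published on
DB_ROOT_PASSWORD="${DB_ROOT_PASSWORD:-password}"
DB_NAME="${DB_NAME:-webadm}"
DB_USER="${DB_USER:-webadm}"
DB_PASSWORD="${DB_PASSWORD:-webadm}"        # must match SqlServer in servers.xml

create_network() {
  $DOCKER network create --driver bridge "$NET"
}

run_db() {
  $DOCKER run -d --name webadm-db \
    -e "MYSQL_ROOT_PASSWORD=$DB_ROOT_PASSWORD" \
    -e "MYSQL_DATABASE=$DB_NAME" \
    -e "MYSQL_USER=$DB_USER" \
    -e "MYSQL_PASSWORD=$DB_PASSWORD" \
    -v webadm_db:/var/lib/mysql \
    --network "$NET" \
    rcdevs/mariadb
}

run_slapd() {
  # No -p: slapd is reachable only from containers on the bridge network.
  $DOCKER run -d --name slapd \
    -v slapd_conf:/opt/slapd/conf \
    -v slapd_data:/opt/slapd/data \
    --network "$NET" \
    rcdevs/slapd
}

run_webadm() {
  # Publishing on one host IP keeps the admin interface off the other address.
  $DOCKER run -d --name webadm1 \
    -p "$WEBADM_IP:80:80" \
    -p "$WEBADM_IP:443:443" \
    -p "$WEBADM_IP:8443:8443" \
    -v webadm1_conf:/opt/webadm/conf \
    -v webadm1_pki:/opt/webadm/pki \
    -v webadm1_logs:/opt/webadm/logs \
    -v webadm1_temp:/opt/webadm/temp \
    --network "$NET" \
    rcdevs/webadm
}

run_waproxy() {
  $DOCKER run -d --name waproxy \
    -v waproxy_conf:/opt/waproxy/conf \
    -p "$WAPROXY_IP:80:80" \
    -p "$WAPROXY_IP:443:443" \
    --network "$NET" \
    rcdevs/waproxy
}

# connections_ok LOGFILE: return 0 when the most recent "Checking server
# connections..." report contains no "Connected ... server: ERROR" line,
# 1 otherwise (the failing lines are printed). Only the last report counts
# because docker logs also keeps the output of earlier starts.
connections_ok() {
  if awk '/Checking server connections/ { buf = ""; next }
          { buf = buf $0 "\n" }
          END { printf "%s", buf }' "$1" |
     grep '^Connected [A-Za-z]* server: ERROR'; then
    return 1
  fi
  return 0
}

# check_webadm: fetch the webadm1 log and verify its connection report.
check_webadm() {
  log=$(mktemp)
  $DOCKER logs webadm1 > "$log" 2>&1
  connections_ok "$log"
}

# Usage: sh deploy.sh deploy | waproxy | check
case "${1:-}" in
  deploy)  create_network; run_db; run_slapd; run_webadm ;;
  waproxy) run_waproxy ;;
  check)   check_webadm ;;
esac
```

Run `sh deploy.sh deploy`, generate the license and edit webadm.conf and servers.xml as described above, restart webadm1, then `sh deploy.sh check` exits non-zero and prints the offending line if any server connection is still in ERROR; `DOCKER=echo sh deploy.sh deploy` shows the exact commands before anything is created.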