Actions overview

This guide provides instructions on how to set up WebADM in High Availability mode. It is a continuation of the WebADM Standalone installation guide. If you are installing your primary WebADM server, please refer to the WebADM Standalone installation guide before following this one. For High Availability and Failover setups, an enterprise or TRIAL license is required.

The WebADM cluster installation and failover setup consists of:

  • Download the packages;
  • Install the packages;
  • Set up your chosen DBMS in a master-master configuration;
  • Adapt the WebADM configuration files on the primary node;
  • Run the WebADM setup script on the secondary node;
  • Start the WebADM services and log in to the WebADM Administrator portal.

Completing the actions listed above gives you a Cluster and Failover installation of your WebADM infrastructure.

Architecture overview

Below are the DNS names and IP addresses to be used in the standalone and HA guides:

Details                  Hostnames                  IP Addresses
WebADM Server 1          webadm1.rcdevsdocs.com     192.168.4.160/24
WebADM Server 2          webadm2.rcdevsdocs.com     192.168.4.161/24
SQL Server 1             webadm1.rcdevsdocs.com     192.168.4.160/24
SQL Server 2             webadm2.rcdevsdocs.com     192.168.4.161/24
Session Server 1         webadm1.rcdevsdocs.com     192.168.4.160/24
Session Server 2         webadm2.rcdevsdocs.com     192.168.4.161/24
PKI Server 1             webadm1.rcdevsdocs.com     192.168.4.160/24
PKI Server 2             webadm2.rcdevsdocs.com     192.168.4.161/24
Active Directory DC 1    ad1.rcdevsdocs.com         192.168.4.163/24
Active Directory DC 2    ad2.rcdevsdocs.com         192.168.4.164/24
WAProxy Server 1         waproxy1.rcdevsdocs.com    172.16.0.10/24
WAProxy Server 2         waproxy2.rcdevsdocs.com    172.16.0.11/24
Proxy Server 1           proxy1.rcdevsdocs.com      172.16.0.12/24
Proxy Server 2           proxy2.rcdevsdocs.com      172.16.0.13/24
SMTP Cluster             mail.rcdevs.com            146.59.204.189

Downloading packages

The self-installer package can be downloaded from the RCDevs website in the Download section. Download the webadm_all_in_one package.
If you are using an RPM/Debian repository, the download will be done using the apt install or dnf install command, depending on your distribution.

Packages Installation

Through Repositories

After configuring the repository, you can execute the following command to install WebADM and its dependencies.

RPM repository

[root@webadm1 ~]# dnf install webadm_all_in_one -y

Debian repository

[root@webadm1 ~]# apt install webadm-all-in-one -y

Output:

RCDevs Enterprise Linux Repository                              16 kB/s | 171 kB     00:10    
Dependencies resolved.
===========================================================================================================================================================================
 Package                                         Architecture                         Version                                   Repository                            Size
===========================================================================================================================================================================
Installing:
 webadm_all_in_one                               noarch                               1.0.1-0                                   rcdevs                               2.0 k
Installing dependencies:
 openid                                          noarch                               1.6.4-2                                   rcdevs                                11 M
 openotp                                         noarch                               2.2.17-1                                  rcdevs                                14 M
 pwreset                                         noarch                               1.3.4-2                                   rcdevs                               1.3 M
 selfdesk                                        noarch                               1.4.4-3                                   rcdevs                               2.5 M
 selfreg                                         noarch                               1.4.2-3                                   rcdevs                               4.2 M
 smshub                                          noarch                               1.3.1-1                                   rcdevs                               1.5 M
 spankey                                         noarch                               2.1.4-2                                   rcdevs                                13 M
 webadm                                          x86_64                               2.3.17-3                                  rcdevs                               156 M

Transaction Summary
===========================================================================================================================================================================
Install  9 Packages

Total download size: 203 M
Installed size: 382 M
Downloading Packages:
(1/9): pwreset-1.3.4-2.noarch.rpm                                                                                                          244 kB/s | 1.3 MB     00:05    
(2/9): openid-1.6.4-2.noarch.rpm                                                                                                           1.9 MB/s |  11 MB     00:05    
(3/9): selfdesk-1.4.4-3.noarch.rpm                                                                                                          10 MB/s | 2.5 MB     00:00    
(4/9): selfreg-1.4.2-3.noarch.rpm                                                                                                           29 MB/s | 4.2 MB     00:00    
(5/9): smshub-1.3.1-1.noarch.rpm                                                                                                           8.2 MB/s | 1.5 MB     00:00    
(6/9): openotp-2.2.17-1.noarch.rpm                                                                                                         2.2 MB/s |  14 MB     00:06    
(7/9): webadm_all_in_one-1.0.1-0.noarch.rpm                                                                                                 20 kB/s | 2.0 kB     00:00    
(8/9): spankey-2.1.4-2.noarch.rpm                                                                                                           14 MB/s |  13 MB     00:00    
(9/9): webadm-2.3.17-3.x86_64.rpm                                                                                                           28 MB/s | 156 MB     00:05    
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                       18 MB/s | 203 MB     00:11     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                   1/1 
  Running scriptlet: webadm-2.3.17-3.x86_64                                                                                                                            1/9 
  Installing       : webadm-2.3.17-3.x86_64                                                                                                                            1/9 
  Running scriptlet: webadm-2.3.17-3.x86_64                                                                                                                            1/9 
Please run /opt/webadm/bin/setup.

  Running scriptlet: openid-1.6.4-2.noarch                                                                                                                             2/9 
  Installing       : openid-1.6.4-2.noarch                                                                                                                             2/9 
  Running scriptlet: openid-1.6.4-2.noarch                                                                                                                             2/9 
  Running scriptlet: openotp-2.2.17-1.noarch                                                                                                                           3/9 
  Installing       : openotp-2.2.17-1.noarch                                                                                                                           3/9 
  Running scriptlet: openotp-2.2.17-1.noarch                                                                                                                           3/9 
  Running scriptlet: pwreset-1.3.4-2.noarch                                                                                                                            4/9 
  Installing       : pwreset-1.3.4-2.noarch                                                                                                                            4/9 
  Running scriptlet: pwreset-1.3.4-2.noarch                                                                                                                            4/9 
  Running scriptlet: selfdesk-1.4.4-3.noarch                                                                                                                           5/9 
  Installing       : selfdesk-1.4.4-3.noarch                                                                                                                           5/9 
  Running scriptlet: selfdesk-1.4.4-3.noarch                                                                                                                           5/9 
  Running scriptlet: selfreg-1.4.2-3.noarch                                                                                                                            6/9 
  Installing       : selfreg-1.4.2-3.noarch                                                                                                                            6/9 
  Running scriptlet: selfreg-1.4.2-3.noarch                                                                                                                            6/9 
  Running scriptlet: smshub-1.3.1-1.noarch                                                                                                                             7/9 
  Installing       : smshub-1.3.1-1.noarch                                                                                                                             7/9 
  Running scriptlet: smshub-1.3.1-1.noarch                                                                                                                             7/9 
  Running scriptlet: spankey-2.1.4-2.noarch                                                                                                                            8/9 
  Installing       : spankey-2.1.4-2.noarch                                                                                                                            8/9 
  Running scriptlet: spankey-2.1.4-2.noarch                                                                                                                            8/9 
  Installing       : webadm_all_in_one-1.0.1-0.noarch                                                                                                                  9/9 
  Verifying        : openid-1.6.4-2.noarch                                                                                                                             1/9 
  Verifying        : openotp-2.2.17-1.noarch                                                                                                                           2/9 
  Verifying        : pwreset-1.3.4-2.noarch                                                                                                                            3/9 
  Verifying        : selfdesk-1.4.4-3.noarch                                                                                                                           4/9 
  Verifying        : selfreg-1.4.2-3.noarch                                                                                                                            5/9 
  Verifying        : smshub-1.3.1-1.noarch                                                                                                                             6/9 
  Verifying        : spankey-2.1.4-2.noarch                                                                                                                            7/9 
  Verifying        : webadm-2.3.17-3.x86_64                                                                                                                            8/9 
  Verifying        : webadm_all_in_one-1.0.1-0.noarch                                                                                                                  9/9 

Installed:
  openid-1.6.4-2.noarch     openotp-2.2.17-1.noarch    pwreset-1.3.4-2.noarch              selfdesk-1.4.4-3.noarch    selfreg-1.4.2-3.noarch    smshub-1.3.1-1.noarch   
  spankey-2.1.4-2.noarch    webadm-2.3.17-3.x86_64     webadm_all_in_one-1.0.1-0.noarch   

Complete!

All of the packages listed above have been installed successfully. You can continue with the WebADM setup script.

Using the Self-Installer

You first need to download and install the WebADM all-in-one software package. The latest package is available on the RCDevs website. Download the WebADM all-in-one self-installer package and copy it to your server with WinSCP or SCP.

Then connect via SSH to your server, uncompress and run the self-installer package with:

[root@webadm1 tmp]# gunzip webadm_all_in_one-2.3.x-x64.sh.gz
[root@webadm1 tmp]# sh webadm_all_in_one-2.3.x-x64.sh 
WebADM v2.3.x (x64 bit) Self Installer
Copyright (c) 2010-2024 RCDevs Security SA All rights reserved.

Install WebADM in '/opt/webadm' (y/n)? y
Extracting files, please wait... Ok
Removing temporary files... Ok
Run WebADM setup script now (y/n)? n

Packages are now installed.

Set up your chosen DBMS in a master-master configuration

WebADM requires master-master replication for its SQL databases. In the WebADM Standalone Installation documentation, we used a MariaDB server. We will set up the MariaDB server on the secondary node and configure the master-master replication. SQL databases can also be installed and configured on dedicated servers if required.

The setup of the SQL DBMS consists of:

  • Installing the MariaDB server;
  • Running the mysql_secure_installation script for MySQL/MariaDB (secondary node only);
  • Adapting the MariaDB configuration files (primary and secondary nodes);
  • Creating a database for WebADM (secondary node only);
  • Creating users/hosts associations and their passwords for WebADM to connect to the SQL databases (primary and secondary nodes);
  • Granting privileges to the SQL users on the databases (primary and secondary nodes);
  • Enabling replication (primary and secondary nodes);
  • Checking replication (primary and secondary nodes).

Installation of MariaDB server

Install with Debian repository:

root@webadm:~# apt install mariadb-server

Install with yum repository:

root@webadm:~# dnf install mariadb-server

Enable and start the MariaDB service

Enable and start the mariadb service, then run the built-in script to secure the installation:

root@webadm:~# systemctl enable mariadb
root@webadm:~# systemctl start mariadb

Running the mysql_secure_installation script

root@webadm:~# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

You already have a root password set, so you can safely answer 'n'.

Change the root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] Y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] Y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Adapt MariaDB server configuration file (primary and secondary nodes)

According to your OS distribution, locate your MariaDB server configuration file to prepare it for master-master replication. For RHEL-based operating systems, the configuration file is located in:

/etc/my.cnf.d/mariadb-server.cnf

Let's adapt it on the primary node first:

[root@webadm1 ~]# vi /etc/my.cnf.d/server.cnf
#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
#
# See the examples of server my.cnf files in /usr/share/mysql/
#

# this is read by the standalone daemon and embedded servers
[server]

# this is only for the mysqld standalone daemon
[mysqld]
bind-address    = 0.0.0.0

# Note: Set "server-id" to 1 for Node 1.
server-id       = 1
replicate-same-server-id = 0

# Note: Set "auto-increment-increment" to 2 because we are setting up 2 nodes.
auto-increment-increment = 2

# Note: Set "auto-increment-offset" to 1 for node 1.
auto-increment-offset = 1
replicate-do-db = webadm
log_bin         = mariadb-bin
log-basename    = mariadb
binlog-do-db    = webadm
log-slave-updates
relay-log = /var/lib/mysql/slave-relay.log
relay-log-index = /var/lib/mysql/slave-relay-log.index
expire_logs_days = 90

# this is only for embedded server
[embedded]

# This group is only read by MariaDB-5.5 servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mysqld-5.5]

# These two groups are only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]

[mariadb-5.5]

Let's adapt it on the secondary node now:

[root@webadm2 ~]# vi /etc/my.cnf.d/server.cnf
#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
#
# See the examples of server my.cnf files in /usr/share/mysql/
#

# this is read by the standalone daemon and embedded servers
[server]

# this is only for the mysqld standalone daemon
[mysqld]
bind-address    = 0.0.0.0

# Note: Set "server-id" to 2 for node 2.
server-id       = 2
replicate-same-server-id = 0

# Note: Set "auto-increment-increment" to 2 because we are setting up 2 nodes.
auto-increment-increment = 2

# Note: Set "auto-increment-offset" to 2 for node 2.
auto-increment-offset = 2
replicate-do-db = webadm
log_bin         = mariadb-bin
log-basename    = mariadb
binlog-do-db    = webadm
log-slave-updates
relay-log = /var/lib/mysql/slave-relay.log
relay-log-index = /var/lib/mysql/slave-relay-log.index
expire_logs_days = 90

# this is only for embedded server
[embedded]

# This group is only read by MariaDB-5.5 servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mysqld-5.5]

# These two groups are only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]

[mariadb-5.5]

We now have to restart the MariaDB service on all nodes:

[root@webadm1 ~]# systemctl restart mariadb
[root@webadm1 ~]# systemctl status mariadb

Create the WebADM database, user/password/host association and grant permissions

Except for the CREATE DATABASE webadm command, all of the following commands need to be executed on both MariaDB servers. (The database creation has already been done through the WebADM Standalone installation guide.)

[root@webadm1 ~]# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.5.22-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
MariaDB [(none)]> CREATE DATABASE webadm;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> CREATE USER 'webadm'@'webadm1.rcdevsdocs.com' identified by 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> CREATE USER 'webadm'@'webadm2.rcdevsdocs.com' identified by 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON webadm.* to 'webadm'@'webadm1.rcdevsdocs.com';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON webadm.* to 'webadm'@'webadm2.rcdevsdocs.com';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT REPLICATION SLAVE ON *.* TO 'webadm'@'webadm1.rcdevsdocs.com';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT REPLICATION SLAVE ON *.* TO 'webadm'@'webadm2.rcdevsdocs.com';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> STOP SLAVE;
Query OK, 0 rows affected, 1 warning (0.00 sec)

Your users/hosts associations and privileges have been configured.

Configure replication between the 2 nodes

Execute the SHOW MASTER STATUS command on each node to retrieve the MASTER_LOG_FILE name and MASTER_LOG_POS values required for SQL replication.

MariaDB [(none)]> SHOW MASTER STATUS;
+--------------------+----------+--------------+------------------+
| File               | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+--------------------+----------+--------------+------------------+
| mariadb-bin.000001 |     2215 | webadm       |                  |
+--------------------+----------+--------------+------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> 
MariaDB [(none)]> SHOW MASTER STATUS;
+--------------------+----------+--------------+------------------+
| File               | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+--------------------+----------+--------------+------------------+
| mariadb-bin.000002 |     1251 | webadm       |                  |
+--------------------+----------+--------------+------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> 

Let’s start with the secondary node and replace the MASTER_LOG_FILE name and the MASTER_LOG_POS values with the values of SHOW MASTER STATUS from the primary node.

MariaDB [(none)]> CHANGE MASTER TO MASTER_HOST = 'webadm1.rcdevsdocs.com', MASTER_USER = 'webadm', MASTER_PASSWORD = 'password', MASTER_LOG_FILE = 'mariadb-bin.000001', MASTER_LOG_POS = 2215;
Query OK, 0 rows affected (0.01 sec)

Let’s continue with the primary node and replace the MASTER_LOG_FILE name and the MASTER_LOG_POS values with the values of SHOW MASTER STATUS from the secondary node.

MariaDB [(none)]> CHANGE MASTER TO MASTER_HOST = 'webadm2.rcdevsdocs.com', MASTER_USER = 'webadm', MASTER_PASSWORD = 'password', MASTER_LOG_FILE = 'mariadb-bin.000002', MASTER_LOG_POS = 1251;
Query OK, 0 rows affected (0.01 sec)

Now execute the following command on both nodes:

MariaDB [(none)]> START SLAVE;

SQL replication is done.

Check the MariaDB replication status

The replication status can be checked with the following command executed on each node:

MariaDB [(none)]> SHOW SLAVE STATUS \G
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: webadm2.rcdevsdocs.com
                  Master_User: webadm
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: mariadb-bin.000001
          Read_Master_Log_Pos: 2215
               Relay_Log_File: slave-relay.000002
                Relay_Log_Pos: 531
        Relay_Master_Log_File: mariadb-bin.000001
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
              Replicate_Do_DB: webadm
          Replicate_Ignore_DB: 
           Replicate_Do_Table: 
       Replicate_Ignore_Table: 
      Replicate_Wild_Do_Table: 
  Replicate_Wild_Ignore_Table: 
                   Last_Errno: 0
                   Last_Error: 
                 Skip_Counter: 0
          Exec_Master_Log_Pos: 2215
              Relay_Log_Space: 821
              Until_Condition: None
               Until_Log_File: 
                Until_Log_Pos: 0
           Master_SSL_Allowed: No
           Master_SSL_CA_File: 
           Master_SSL_CA_Path: 
              Master_SSL_Cert: 
            Master_SSL_Cipher: 
               Master_SSL_Key: 
        Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
                Last_IO_Errno: 0
                Last_IO_Error: 
               Last_SQL_Errno: 0
               Last_SQL_Error: 
  Replicate_Ignore_Server_Ids: 
             Master_Server_Id: 1
1 row in set (0.00 sec)
MariaDB [(none)]> SHOW SLAVE STATUS \G
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: webadm1.rcdevsdocs.com
                  Master_User: webadm
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: mariadb-bin.000001
          Read_Master_Log_Pos: 2215
               Relay_Log_File: slave-relay.000002
                Relay_Log_Pos: 531
        Relay_Master_Log_File: mariadb-bin.000001
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
              Replicate_Do_DB: webadm
          Replicate_Ignore_DB: 
           Replicate_Do_Table: 
       Replicate_Ignore_Table: 
      Replicate_Wild_Do_Table: 
  Replicate_Wild_Ignore_Table: 
                   Last_Errno: 0
                   Last_Error: 
                 Skip_Counter: 0
          Exec_Master_Log_Pos: 2215
              Relay_Log_Space: 821
              Until_Condition: None
               Until_Log_File: 
                Until_Log_Pos: 0
           Master_SSL_Allowed: No
           Master_SSL_CA_File: 
           Master_SSL_CA_Path: 
              Master_SSL_Cert: 
            Master_SSL_Cipher: 
               Master_SSL_Key: 
        Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
                Last_IO_Errno: 0
                Last_IO_Error: 
               Last_SQL_Errno: 0
               Last_SQL_Error: 
  Replicate_Ignore_Server_Ids: 
             Master_Server_Id: 2
1 row in set (0.01 sec)
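
An added example (not part of the RCDevs documentation): a Python check that parses the SHOW SLAVE STATUS \G output above and reports the conditions worth alerting on, including Master_SSL_Allowed: No, which means the webadm database is replicated between the two nodes without TLS. The sample text is constructed from the fields shown above; the finding codes and the 60-second lag threshold are assumptions.

```python
import re

# Constructed sample: a trimmed copy of the SHOW SLAVE STATUS \G fields shown above.
HEALTHY = """
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: webadm1.rcdevsdocs.com
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
              Replicate_Do_DB: webadm
           Master_SSL_Allowed: No
        Seconds_Behind_Master: 0
                Last_IO_Errno: 0
                Last_IO_Error:
               Last_SQL_Errno: 0
               Last_SQL_Error:
             Master_Server_Id: 1
1 row in set (0.00 sec)
"""

# Constructed failure case: the SQL thread stopped on a duplicate-key error
# (MariaDB error 1062), the kind of conflict the auto-increment offsets in the
# server configuration are meant to prevent.
BROKEN = (HEALTHY
          .replace("Slave_SQL_Running: Yes", "Slave_SQL_Running: No")
          .replace("Last_SQL_Errno: 0", "Last_SQL_Errno: 1062")
          .replace("Last_SQL_Error:",
                   "Last_SQL_Error: Duplicate entry '42' for key 'PRIMARY'")
          .replace("Seconds_Behind_Master: 0", "Seconds_Behind_Master: NULL"))

# "Field: value" lines; row separators and the "1 row in set" footer do not match.
FIELD = re.compile(r"^\s*([A-Za-z_]+):[ \t]*(.*?)\s*$")


def parse_slave_status(text):
    """Turn the vertical output of SHOW SLAVE STATUS into a field -> value dict."""
    status = {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            status[match.group(1)] = match.group(2)
    return status


def evaluate(status, expected_master=None, max_lag=60):
    """Return a list of (code, detail) findings; an empty list means healthy."""
    if not status:
        return [("NOT_CONFIGURED", "SHOW SLAVE STATUS returned no row")]
    findings = []
    for thread in ("Slave_IO_Running", "Slave_SQL_Running"):
        if status.get(thread) != "Yes":
            findings.append(("THREAD_DOWN", f"{thread}={status.get(thread)}"))
    for kind in ("IO", "SQL"):
        errno = status.get(f"Last_{kind}_Errno", "0")
        if errno != "0":
            message = status.get(f"Last_{kind}_Error", "")
            findings.append(("REPL_ERROR", f"{kind} error {errno}: {message}"))
    lag = status.get("Seconds_Behind_Master", "NULL")
    if not lag.isdigit():
        findings.append(("LAG_UNKNOWN", f"Seconds_Behind_Master={lag}"))
    elif int(lag) > max_lag:
        findings.append(("LAGGING", f"{lag}s behind (limit {max_lag}s)"))
    if expected_master and status.get("Master_Host") != expected_master:
        findings.append(("WRONG_MASTER",
                         f"replicating from {status.get('Master_Host')}"))
    if status.get("Master_SSL_Allowed") != "Yes":
        findings.append(("NO_TLS", "replication connection is not using TLS"))
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(label)
        for code, detail in evaluate(parse_slave_status(sample),
                                     expected_master="webadm1.rcdevsdocs.com"):
            print(f"  {code}: {detail}")
```

On a live node, feed it the output of the SHOW SLAVE STATUS \G command run on that node and pass the peer's hostname as expected_master.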

Adapt the WebADM configuration files (primary node only)

To configure WebADM failover to external services (LDAP, SQL, SMTP, etc.), manually edit the /opt/webadm/conf/servers.xml file and declare the necessary connectors. Failover for all services is managed by the Watchd component, which performs periodic TCP checks and optionally authenticates services to ensure they are reachable.

We are modifying the configuration files on the primary host because they will be copied over SSH during the WebADM setup on the secondary node. This file will be distributed across all nodes in your WebADM cluster. Use IP addresses or DNS names instead of localhost declarations to avoid editing this file on the secondary nodes.

servers.xml

Below is an example of a servers.xml file configured for failover:

<?xml version="1.0" encoding="UTF-8" ?>

<Servers>

<!--
******************************************
***  WebADM Remote Server Connections  ***
******************************************

You can configure multiple instances for each of the following servers.
At login, WebADM will try to connect the configured servers in the same
order they appear in this file and uses the first one it successfully
establishes the connection to. If the server connection goes down, it
will automatically fail over to the next configured server.

Any special characters must be encoded in XML compliant format.
At least one LDAP server and one SQL server is required to run WebADM.
Supported servers: OpenLDAP, Active Directory, Novell eDirectory, 389.

Allowed LDAP parameters are:
 - name: server friendly name
 - host: server hostname or IP address
 - port: LDAP port number
   default and TLS: 389
   default SSL: 636
 - encryption: connection type
   allowed type are NONE, SSL and TLS
   default: 'NONE'
 - ca_file: Trusted CA for SSL and TLS
 - cert_file: client certificate file
 - key_file: client certificate key
-->

<LdapServer name="AD 1"
        host="ad1.rcdevsdocs.com"
        port="389"
        encryption="TLS"
        ca_file="" />

<LdapServer name="AD 2"
        host="ad2.rcdevsdocs.com"
        port="389"
        encryption="TLS"
        ca_file="" />

<!--
SQL servers are used for logs; message localizations and inventories.
Supported servers: MySQL5, MySQL8, PostgreSQL, MSSQL, Sybase, Oracle, SQLite.

Allowed SQL parameters are:
 - type: MySQL5, MySQL8, MariaDB, PostgreSQL, MSSQL, SQLite.
 - name: server friendly name
 - host: server hostname or IP address
 - port: SQL port number (depends on server type)
 - user: database user
 - password: database password
 - database: database name
 - charset: character set (use latin1 if you get unicode issues)
 - encryption: connection type allowed type are NONE, SSL and TLS
 - ca_file: Trusted CA for SSL and TLS
 - cert_file: client certificate file
 - key_file: client certificate key

With SQLite, only the 'database' must be set and other parameters are
ignored. The database is the full path to an SQLite DB file where WebADM
has full write access.

With Oracle, you can optionally use TNS names. If the 'tnsname' is set
then the 'host' and 'port' parameters are ignored and a tnsnames.ora
file must exist under the conf/ directory.
-->

<SqlServer name="SQL Server 1"
        type="MariaDB"
        host="webadm1.rcdevsdocs.com"
        user="webadm"
        password="password"
        database="webadm"
        encryption="NONE" />

<SqlServer name="SQL Server 2"
        type="MariaDB"
        host="webadm2.rcdevsdocs.com"
        user="webadm"
        password="password"
        database="webadm"
        encryption="NONE" />

<!--
A session server is required for storing/sharing persistent memory data
on your WebADM server(s). You must specify two servers with clustering.
The session server is based on Redis6 which is included in WebADM.
With WebADM >= 2.1.5, TLS encryption is used by default on port 4000!
-->

<SessionServer name="Session Server 1"
        host="webadm1.rcdevsdocs.com"
        port="4000"
        secret="my_secret" />
        
<SessionServer name="Session Server 2"
        host="webadm2.rcdevsdocs.com"
        port="4000"
        secret="my_secret" />        

<!--
A PKI server (or CA) is required for signing user certificates.
The RSign PKI server is included in WebADM. So you can keep the
default settings here.
-->

<PkiServer name="PKI Server 1"
        host="webadm1.rcdevsdocs.com"
        port="5000"
        secret="my_secret" />

<PkiServer name="PKI Server 2"
        host="webadm2.rcdevsdocs.com"
        port="5000"
        secret="my_secret" />
<!--
HTTP proxy servers can be used by WebADM for connecting
remote Web services and version checking.
-->

<ProxyServer name="HTTP Proxy 1"
        host="proxy1.rcdevsdocs.com"
        port="8080"
        user=""
        password=""
        ca_file="" />

<ProxyServer name="HTTP Proxy 2"
        host="proxy2.rcdevsdocs.com"
        port="8080"
        user=""
        password=""
        ca_file="" />

<!--
SMTP mail servers can be used by WebADM for sending emails.
If no server is specified, WebADM will use the local mailer
in /usr/sbin/sendmail to send emails.
-->


<MailServer name="SMTP Server"
        host="mail.rcdevs.com"
        port="25"
        user=""
        password=""
        encryption="NONE"
        ca_file="" />

</Servers>

rsignd.conf

Rsignd is the PKI service running with WebADM. The configuration for Rsignd is located in /opt/webadm/conf/rsignd.conf on all nodes.

The rsignd.conf file must be configured on all WebADM servers in a Master/Master installation, and the secret must match what is configured in the PKI section of servers.xml.

# Log file
logfile /opt/webadm/logs/rsignd.log
pidfile /opt/webadm/temp/rsignd.pid

# Default validity period for new certificates (in days)
# The CSR signing requests may set the validity period.
user_cert_validity 365
client_cert_validity 1825
server_cert_validity 3650

# Certificate and key used for the SSL listener
rsignd_cert /opt/webadm/pki/webadm.crt
rsignd_key /opt/webadm/pki/webadm.key

# Path CA certificate files and serial
ca_cert /opt/webadm/pki/ca/ca.crt
ca_key /opt/webadm/pki/ca/ca.key
ca_serial /opt/webadm/pki/ca/serial

# Serial number format (hex or dec)
serial_format hex

# Set to yes if the CA or rsignd private keys requires a decryption password.
# PEM passwords will be prompted at WebADM startup.
ca_password no
rsignd_password no

# HSM certificate authority (CA)
# The HSM model and PIN code are configured in webadm.conf.
hsm_ca no
hsm_keyid 0

#
# Directory or file containing trusted CA certificates (in PEM format)
# After adding a new certificate, type a "make" in the "trusted_ca_path" 
# to rebuild certificate's hash.
# This is needed for rsignd to read the trusted CA certificates.
# Comment "trusted_path" to disable rsignd certificate's trust restrictions.
trusted_path /opt/webadm/pki/trusted

#
# Client sections
#
# Declare here the Rsign clients with IP addresses or hostnames.
# In cluster mode, the client WebADM server(s) must be defined here!

client {
       hostname webadm1.rcdevsdocs.com
       secret my_secret
}

client {
       hostname webadm2.rcdevsdocs.com
       secret my_secret
}

The PKI client on the primary node is declared by default during the WebADM setup script. The hostname values configured here for PKI clients must be used in the PKI section of servers.xml.
Here, I added webadm2.rcdevsdocs.com as the Rsignd client, which is the secondary WebADM node that we will configure later in this documentation. The master node is declared by default during the master setup, but probably with the localhost value. Adapt it to use DNS names or IP addresses.

Alternatively, the CA Key can be stored on an HSM and used for each certificate signing request. First, configure your HSM with WebADM in webadm.conf, then program the HSM with your CA key (located in the /opt/webadm/pki/ca/ folder) and provide the hsm_keyid value in rsignd.conf. Set the hsm_ca setting to yes. WebADM supports MirKey HSM, SmartCard HSM, and PKCS11 standard HSMs.
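
The cross-file rule stated above (rsignd.conf client hostnames and secrets must agree with the PKI section of servers.xml, and the master should not stay declared as localhost) can be checked before starting the services. The following Python script is an added example, not RCDevs code; the sample inputs are constructed, and requiring a client block for every PkiServer host is this example's reading of that rule.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample inputs modelled on the two files shown above.
SERVERS_XML = """<Servers>
<!-- constructed sample, secrets are placeholders -->
<PkiServer name="PKI Server 1" host="webadm1.rcdevsdocs.com" port="5000" secret="example-secret-A" />
<PkiServer name="PKI Server 2" host="webadm2.rcdevsdocs.com" port="5000" secret="example-secret-A" />
</Servers>"""

RSIGND_CONF = """
# constructed sample: master still declared as localhost, node 2 has a stale secret
client {
       hostname localhost
       secret example-secret-A
}

client {
       hostname webadm2.rcdevsdocs.com
       secret example-secret-B
}
"""


def parse_pki_servers(xml_text):
    """Return the attributes of every <PkiServer> element in servers.xml."""
    root = ET.fromstring(xml_text)
    return [dict(el.attrib) for el in root.iter("PkiServer")]


def parse_rsignd_clients(conf_text):
    """Return the client { ... } blocks of rsignd.conf as a list of dicts."""
    clients, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or full-line comment
            continue
        if line.startswith("client") and line.endswith("{"):
            current = {}
        elif line == "}" and current is not None:
            clients.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)           # "key value", spaces or tabs
            current[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return clients


def check_pki_consistency(xml_text, conf_text):
    """Return a list of findings; an empty list means the two files agree.

    Findings name hosts only. Secrets are compared but never included.
    """
    servers = {s.get("host", "").lower(): s for s in parse_pki_servers(xml_text)}
    clients = {c.get("hostname", "").lower(): c for c in parse_rsignd_clients(conf_text)}
    findings = []
    for host, server in servers.items():
        client = clients.get(host)
        if client is None:
            findings.append(f"{host}: PkiServer host has no client block in rsignd.conf")
        elif client.get("secret") != server.get("secret"):
            findings.append(f"{host}: secret differs between servers.xml and rsignd.conf")
    for host in clients:
        if host in LOOPBACK:
            findings.append(f"{host}: client declared with a loopback name, use a DNS name or IP address")
        elif host not in servers:
            findings.append(f"{host}: rsignd client is not a PkiServer host in servers.xml")
    return findings


if __name__ == "__main__":
    for finding in check_pki_consistency(SERVERS_XML, RSIGND_CONF):
        print(finding)
```

To run it against a real node, read /opt/webadm/conf/servers.xml and /opt/webadm/conf/rsignd.conf into the two arguments instead of the constructed strings.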

webadm.conf

The configuration file we are focusing on now is /opt/webadm/conf/webadm.conf. This file was configured during the standalone setup. After setting up the primary node, mandatory parameters have already been configured in that file. The only modification we are going to perform here is for the WAProxy server IPs, as I plan to publish web applications, web services, and HTTPS endpoints through it.

#
# WebADM Server Configuration
#
# Administrator Portal's authentication method.
# - PKI: Requires client certificate and login password.
# - UID: Requires domain name, login name and password.
# - DN: Requires login DN and password.
# - OTP: Like UID with an OTP challenge.
# - U2F: Like UID with a FIDO-U2F challenge.
# - MFA: Like UID with both OTP and FIDO-U2F challenge.
# Using certificates is the most secure login method. To use certificate login,
# you must log in WebADM and create a login certificate for your administrators.
# The UID mode requires a WebADM domain to exist and have its User Search Base
# set to the subtree where are located the administrator users. When using UID
# and if there is no domain existing in WebADM, the login mode is automatically
# forced to DN. You will also need to log in with the full user DN and set up
# a WebADM domain to be able to use the UID login mode.
admin_auth UID

# Show the registered domain list when admin_auth is set to UID, OTP or U2F.
# And set a default admin login domain when auth_mode is set to these methods.
list_domains Yes
#default_domain "Default"

# Manager API's authentication method. Only UID, PKI and DN are supported here.
# If you set the admin_auth with multi-factor (PKI, OTP or U2F), then you must
# either use manager_auth PKI or UID with a list of allowed client IPs.
#manager_auth UID
#manager_clients "192.168.0.10","192.168.0.11"

# User level changes the level of feature and configuration for all applications.
# WebADM proposes three levels: Beginner, Intermediate and Expert. The default
# level (Expert) is recommended as it provides access to all the RCDevs features.
#user_level Expert

# If your LDAP directory is setup with a base DN (ex. dc=mydomain,dc=com on AD),
# you can optionally set the base_treebase suffix and omit the suffix in other
# LDAP configurations like proxy_user, super_admins and containers.
ldap_treebase "dc=rcdevsdocs,dc=com"

# The proxy user is used by WebADM for accessing LDAP objects over which the
# admin user does not have read permissions or out of an admin session.
# The proxy user should have read permissions on the whole LDAP tree,
# and write permissions on the users/groups used by the WebApps and WebSrvs.
# The use of a proxy user is required for WebApps and WebSrvs.
# With ActiveDirectory, you can use any Domain Administrator DN as a proxy user,
# which should look like cn=Administrator,cn=Users,dc=mydomain,dc=com.
proxy_user "CN=svc_webadm,cn=Users"
proxy_password "my_password"

# Super administrators have extended WebADM privileges such as setup permissions,
# additional operations and unlimited access to any LDAP encrypted data. Access
# restriction configured in the WebADM OptionSets do not apply to super admins.
# You can set a list of individual LDAP users or LDAP groups here.
# With ActiveDirectory, your administrator account should be something like
# cn=Administrator,cn=Users,dc=mydomain,dc=com. And you can replace the sample
# super_admins group on the second line with an existing security group.
super_admins "cn=grp_webadm_admins,cn=Users"

# LDAP objectclasses
container_oclasses      "container", "organizationalUnit", "organization", "domain", "locality", "country", \
                        "openldaprootdse", "treeroot"
# user_oclasses is used to build the LDAP search filter with 'Domain' auth_mode.
# If your super admin user does not have one of the following objectclasses,
# add one of its objectclasses to the list.
user_oclasses           "user", "account", "person", "inetOrgPerson", "posixAccount"
group_oclasses          "group", "groupOfNames", "groupOfUniqueNames", "dynamicGroup", "posixGroup"

# With ActiveDirectory 2003 only, you need to add the 'user' objectclass to the
# webadm_account_oclasses and the 'group' objectclass to the webadm_group_oclasses.
webadm_account_oclasses "webadmAccount"
webadm_group_oclasses   "webadmGroup"
webadm_config_oclasses  "webadmConfig"

# LDAP attributes
certificate_attrs       "userCertificate"
password_attrs          "userPassword", "unicodePwd", "sambaNTPassword"
uid_attrs               "uid", "samAccountName", "userPrincipalName"
member_attrs            "member", "uniqueMember"
memberof_attrs          "memberOf", "groupMembership"
memberuid_attrs         "memberUid"
language_attrs          "preferredLanguage"
mobile_attrs            "mobile"
mail_attrs              "mail"
webadm_data_attrs       "webadmData"
webadm_settings_attrs   "webadmSettings"
webadm_type_attrs       "webadmType"
webadm_voice_attrs      "webadmVoice"


# Set the LDAP container required by WebADM to store its configuration objects.
config_container "ou=webadms"

# You can alternatively configure each configuration container independently.
#domains_container "cn=Domains,cn=WebADM"
#clients_container "cn=Clients,cn=WebADM"
#devices_container "cn=Devices,cn=WebADM"
#webapps_container "cn=WebApps,cn=WebADM"
#websrvs_container "cn=WebSrvs,cn=WebADM"
#adminroles_container "cn=AdminRoles,cn=WebADM"
#optionsets_container "cn=OptionSets,cn=WebADM"
#mountpoints_container "cn=MountPoints,cn=WebADM"

# You can set here the timeout (in seconds) of a WebADM session.
# Web sessions will be closed after this period of inactivity.
# The Manager Interface cookie-based sessions are disabled by default.
# admin_session and manager_session can be set in the form 'shared:900'
# in order to force sessions to be stored in the Session Servers instead of SHM.
admin_session 3600
manager_session 0
webapps_session 600

# You can set here the WebADM internal cache timeout. A normal value is one hour.
cache_timeout 3600

# Application languages
languages "EN","FR","DE","HU","ES","IT","FI","JP"

# WebADM encrypts LDAP user data, sensitive configurations and user sessions with
# AES-256. The encryption key(s) must be 256bit base64-encoded random binary data.
# Use the command 'openssl rand -base64 32' to generate a new encryption key.
# Warning: If you change the encryption key, any encrypted data will become invalid!
# You can set several encryption keys for key rollout. All the defined keys are used
# for decrypting data. And the first defined key is used to (re-)encrypt data.
# Two encryption modes are supported:
# Standard: AES-256-CBC (default)
# Advanced: AES-256-CBC with per-object encryption (stronger)

encrypt_data yes
encrypt_mode Standard
encrypt_hsm  No
encrypt_key  "cq19TEHgHLQuO09DXzjOw30rrQDLsPkT3NiL6l3BH2w="


# Hardware Cryptographic Module
#hsm_driver "/usr/local/lib/libsofthsm2.so"
#hsm_slot 274906134
#hsm_key "TestKey"
#hsm_pin 12345678

# The data store defines which back-end is used for storing user data and settings.
# By default WebADM stores any user and group metadata in the LDAP objects. By setting
# the data_store to SQL, these metadata are stored in a dedicated SQL table.
# LDAP remains the preferred option because it maximizes the system consistency.
# SQL should be used only if you need read-only LDAP access for the proxy_user.
data_store LDAP

# The record store defines which back-end is used to store SpanKey records.
# Choose SQL to store records in the database and NAS to store on a shared NAS folder.
# With NAS, the store_path must be configured and accessible from all cluster nodes.
record_store SQL
#record_path "/mnt/records"

# The group mode defines how WebADM will handle LDAP groups.
# - Direct mode: WebADM finds user groups using the memberof_attrs defined above.
#   In this case, the group membership is defined in the LDAP user objects.
# - Indirect mode: WebADM finds user groups by searching group objects which contain
#   the user DN as part of the member_attrs.
# - Auto: Both direct and indirect groups are used.
# - Disabled: All LDAP group features are disabled in WebADM.
# By default (when group_mode is not specified) WebADM handles both group modes.
group_mode Auto

# LDAP cache greatly improves performance under high server loads. The cache limits
# the number of LDAP requests by storing resolved user DN and group settings. When
# enabled, results are cached for 300 secs.
ldap_cache Yes

# LDAP routing enables LDAP request load-balancing when multiple LDAP servers are
# configured in servers.xml. You should enable this feature only if the LDAP server
# load becomes a bottleneck due to a big amount of users (ex. more than 10000 users).
#ldap_routing No

# You can optionally disable some features if you run multiple WebADM servers with
# different purposes. For example, if you don't want to provide admin portal on an
# Internet-exposed WebApps and WebSrvs server.
# By default, all the functionalities are enabled.
enable_admin Yes
enable_manager Yes
enable_webapps Yes
enable_websrvs Yes

# Enable syslog reporting (disabled by default). When enabled, system logs are sent
# to both the WebADM log files and syslog.
#log_debug No
#log_mixsql No
#log_syslog No
#syslog_facility LOG_USER
#syslog_format CEF

# Alerts are always recorded to the SQL Alert log. Additionally, when alert_email
# or alert_mobile is defined, the alerts are also sent by email/SMS.
alert_email "alert@rcdevsdocs.com"
alert_mobile "+33 12345678"

# Protect WebADM against bruteforce attacks on the WebApps by blacklisting source IPs
# for 20 seconds after 5 failed login attempts.
ip_blacklist Yes

# You can publish WebADM applications and OpenOTP mobile endpoint over Internet using
# a reverse proxy (WAF) or RCDevs WebADM Publishing Server (WAProxy).
# Set the IP address(es) of your reverse-proxy or WAProxy server(s). WebADM expects
# the HTTP_X_FORWARDED_FOR and HTTP_X_FORWARDED_HOST headers from reverse proxies!
# Use 'waproxy_proxies' ONLY if you are using RCDevs WAProxy as reverse-proxy!
#reverse_proxies "192.168.0.100", "192.168.0.101"
waproxy_proxies "172.16.0.10", "172.16.0.11"
# The 'public_hostname' is mandatory to let WebADM know your public endpoints' URLs.
# Use the public DNS name of your reverse proxy or WAProxy server without a scheme.
# The setting used to be named 'waproxy_pubaddr' in WebADM versions before v2.3.12.
public_hostname "otp.rcdevsdocs.com"

# Check for new product versions and license updates on RCDevs' website.
# These features require outbound Internet access from the server.
cloud_services yes

# WebApps theme (default or flat)
# Comment the following line to disable the default theme.
webapps_theme "default"

# End-user message templates
# The following variables are available: %USERNAME%, %USERDN%, %USERID%, %DOMAIN%, %APPNAME%
# Additional variables are available depending on the context: %APPNAME%, %APPID%, %TIMEOUT%, %EXPIRES%
app_unlock_subject "Unlocked access to %APPNAME%"
app_unlock_message "Hello %USERNAME%,\r\n\r\nYou have a one-time access to the %APPNAME%.\r\nYour access will automatically expire %EXPIRES%."
ldap_expire_subject "Login password near expiration"
ldap_expire_message "Hello %USERNAME%,\r\n\r\nYour login password will expire %EXPIRES%.\r\nPlease reset your password before expiration!\r\n\r\nRegards"
cert_expire_subject "Login certificate near expiration"
cert_expire_message "Hello %USERNAME%,\r\n\r\nYour login certificate will expire %EXPIRES%.\r\nPlease renew your certificate before expiration!\r\n\r\nRegards"
access_sign_subject "Agreement signature required for %CLIENT%"
access_sign_message "Hello %USERNAME%,\r\n\r\nPlease sign the agreement in order to access %CLIENT%.\r\nThe signature request expire %EXPIRES%."
no_badgeout_subject "Forgot badge-out %EXPIRES%"
no_badgeout_message "Hello %USERNAME%,\r\n\r\nYou did not badge-out since %EXPIRES%.\r\nPlease do not forget to badge out today!\r\n\r\nRegards"
no_badgein_subject "Badging required for %CLIENT%"
no_badgein_message "Hello %USERNAME%,\r\n\r\nYou tried to login to %CLIENT% without badging.\r\nPlease badge-in and retry!\r\n\r\nRegards"

# Personalization options
# You can customize your organization name, logo file and website URL.
# The logo file must be PNG image with size 100x50 pixels.
org_name "RCDevs Support"
org_logo "rcdevs.png"
org_site "https://www.rcdevs.com/"
org_from "noreply@rcdevsdocs.com"

# Misc options
#treeview_width 300
#treeview_items 3000
#default_portal Admin
#ldap_uidcase No
ntp_server "ntp.rcdevsdocs.com"

Once you have configured all the settings you need, it is time to start the WebADM services.
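
The encrypt_key comment in webadm.conf requires base64-encoded 256-bit random data and allows several keys for rollout. The following Python check is an added example, not RCDevs code: it verifies that each configured key decodes to exactly 32 bytes and is not the sample key printed on this page. The sample configuration is constructed, and the comma-separated quoted syntax for multiple keys is an assumption based on the other list settings in the file.

```python
import base64
import re

# Sample key printed in this documentation's webadm.conf. It is public, so a
# production node must not keep it.
DOC_SAMPLE_KEYS = {"cq19TEHgHLQuO09DXzjOw30rrQDLsPkT3NiL6l3BH2w="}

# Constructed test keys (fixed byte patterns, NOT random, for the example only).
GOOD_KEY = base64.b64encode(bytes(range(32))).decode()    # 256-bit
SHORT_KEY = base64.b64encode(bytes(range(16))).decode()   # 128-bit, too short

# Constructed sample configuration using the directive names shown above.
SAMPLE_CONF = f'''
encrypt_data yes
encrypt_mode Standard
encrypt_key  "{GOOD_KEY}", "{SHORT_KEY}", \\
             "cq19TEHgHLQuO09DXzjOw30rrQDLsPkT3NiL6l3BH2w=", "not base64!"
'''


def read_directive(conf_text, name):
    """Return the values of directive `name`, or None if absent or commented out."""
    logical, buf = [], ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        if line.endswith("\\"):                   # backslash continues the line
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    for line in logical:
        parts = line.split(None, 1)
        if parts and parts[0] == name:
            rest = parts[1] if len(parts) > 1 else ""
            quoted = re.findall(r'"([^"]*)"', rest)
            return quoted or [v.strip() for v in rest.split(",") if v.strip()]
    return None


def check_encrypt_keys(conf_text):
    """Return findings about encrypt_key; key material is never echoed."""
    keys = read_directive(conf_text, "encrypt_key")
    if not keys:
        return ["encrypt_key is not set"]
    findings, seen = [], set()
    for idx, key in enumerate(keys, start=1):
        label = f"encrypt_key #{idx}"
        try:
            raw = base64.b64decode(key, validate=True)
        except ValueError:                        # includes binascii.Error
            findings.append(f"{label}: not valid base64")
            continue
        if len(raw) != 32:
            findings.append(f"{label}: decodes to {len(raw)} bytes, expected 32 (256 bits)")
        if key in DOC_SAMPLE_KEYS:
            findings.append(f"{label}: is the sample key printed in the documentation")
        if raw in seen:
            findings.append(f"{label}: duplicates an earlier key")
        seen.add(raw)
    return findings


if __name__ == "__main__":
    for finding in check_encrypt_keys(SAMPLE_CONF):
        print(finding)
```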

WebADM setup script (secondary node only)

Once the configuration files are fully adapted on the primary node, you can run the WebADM setup script on the secondary node.
To set up the secondary node, the WebADM service on the primary node must be started.
Each secondary node must be able to reach the master on TCP port 5000 (Rsignd service) and must be declared in /opt/webadm/conf/rsignd.conf on the master. If these requirements are not met, the slave setup will fail.

[root@webadm2 tmp]# /opt/webadm/bin/setup slave
Checking system architecture...Ok
RCDEVS WEBADM LICENSE AGREEMENT 

RCDevs WebADM Server ("WebADM")
Copyright (c) 2010-2023 RCDevs Security SA, All rights reserved.

IMPORTANT: READ CAREFULLY: By using, copying or distributing the Software
Product you accept all the following terms and conditions of the present
WebADM License Agreement ("Agreement"). 
If you do not agree, do not install and use the Software Product.

WebADM includes additional software products provided by RCDevs SA under
freeware and commercial licenses. These additional software are installed
under the "/opt/webadm/webapps" and "/opt/webadm/websrvs" directories. 
This Agreement is subject to all the terms and conditions of any such 
additional software license.

1. DEFINITIONS. "Software Product" means RCDevs Server with which the 
Agreement is provided which may include third party computer information
or software, including apache2, php, libmcrypt, libcurl, libgmp, redis, 
libxml2, libpng, libqrencode, openldap, openssl, apcu, unixodbc, geoip,
expat, hiredis, nghttp2, hiredis, libmaxmind, openscn libcouchbase 
unmodified software and libraries and related explanatory written 
materials ("Documentation"). "You" means you or any recipient that 
obtained a copy of the Software Product pursuant to the terms and 
conditions of the Agreement.

2. LICENSE. Subject to your compliance with the terms and conditions of
the Agreement, including, in particular, the provisions in Sections 3, 5
and 6 below, RCDevs hereby grants You a non-exclusive and royalty-free
license to use and distribute the Software Product solely for
non-commercial purposes in worldwide. You may:

a. download and install the Software Product on any computer in your
possession;

b. use the Software Product and any copy solely for a non-commercial
purposes;

c. make any original copies of the Software Product; and 

d. distribute any copy of the Software Product only in the form
originally furnished by RCDevs with no modifications or additions
whatsoever. If You have the slightest doubt that your copy of the
Software Product is not original, You must contact RCDevs for an 
original copy. 

3. OBLIGATIONS AND RESTRICTIONS ON LICENSE. The license granted in
Section 2 is subject to the following obligations and restrictions:

a. The Software Product and copies are to be used only for non-commercial
purposes. Prohibited commercial purposes include, but are not limited to:

   (i) Selling, licensing or renting the Software Product to third
   parties for a fee (by payment of money or otherwise, whether direct or
   indirect);
   
   (ii) Using the Software Product to provide services or products to
   others for which you are compensated in any manner (by payment of
   money or otherwise, whether direct or indirect), including, without
   limitation,providing support or maintenance for the Software Product;
   
   (iii) Using the Software Product to develop a similar application on
   any platform for commercial distribution.
 
You shall use your best efforts to promptly notify RCDevs upon learning
of any violation of the above commercial restrictions.

b. RCDevs, in its sole and absolute discretion, may have included a
portion of the source code or online documentation of the Software.
Except for any such portions, YOU SHALL NOT MODIFY, REVERSE ENGINEER, 
DECOMPILE, DISASSEMBLE, OR OTHERWISE ATTEMPT TO DISCOVER THE SOURCE CODE
OF THE SOFTWARE PRODUCT, except to the extent this restriction is 
prohibited by applicable law. Further, You may not create derivate works
of or based on the Software Product.

c. Any copy of the Software Product that you make must conspicuously and
appropriately reproduce and contain RCDevs's copyright and other
proprietary notices that appear on or in the Software Product (see
Software Product for examples of such notices) and disclaimer of
warranty; keep intact the Agreement and all notices that refer to the
Agreement and any absence of warranty; and give any other recipients of
the Software Product a copy of the Agreement. 

d. As used in this Agreement, the term "distribute" includes making the
Software Product available (either intentionally or unintentionally) to
third parties for copying or using. Each time You distribute the Software
Product or any original copy of the Software Product, You are responsible
for the recipient expressly agree to comply with the terms and conditions
of the Agreement. The recipient automatically receives the license to
use, copy or distribute the Software Product subject to these terms and
conditions. You may not impose any further restrictions on the
recipients' exercise of the rights granted herein.

e. RCDevs shall have no obligation to provide any maintenance, support,
upgrades or new releases of the Software Product.

4. INTELLECTUAL PROPERTY OWNERSHIP, RESERVATION OF RIGHTS. Title,
copyright, ownership rights, and any other intellectual property rights
in and to the Software Product, including its Documentation, and each
copy thereof are and shall remain the only and absolute property of
RCDevs. Except as expressly stated herein, the Agreement does not grant
You any intellectual property rights in the Software Product and all
rights not expressly granted are reserved by RCDevs.

5. WARRANTY DISCLAIMER. 
THE SOFTWARE PRODUCT IS LICENSED FREE OF CHARGE, AND THERE IS NO WARRANTY
OF ANY KIND FOR THE SOFTWARE PRODUCT.
RCDevs PROVIDE THE SOFTWARE PRODUCT "AS IS" WITH ALL FAULTS AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE,
TITLE, CUSTOM, ACCURACY OF INFORMATIONAL CONTENT, SYSTEM INTEGRATION OR
NON-INFRINGEMENT ARE DISCLAIMED. 

THE ENTIRE RISK AS TO THE RESULTS, QUALITY AND PERFORMANCE OF THE
SOFTWARE PRODUCT IS WITH YOU. SHOULD THE SOFTWARE PROVE DEFECTIVE, YOU
(AND NOT RCDevs) ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
CORRECTION.

6. LIMITATION OF LIABILITY. 
YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT IN NO EVENT WILL RCDevs BE
LIABLE FOR ANY DAMAGES, CLAIMS OR COSTS WHATSOEVER INCLUDING ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, CONSEQUENTIAL OR EXEMPLARY
DAMAGES,INCLUDING BUT NOT LIMITED TO,DAMAGES FOR LOSS OF USE, DATA, OR
OTHER INTANGIBLE LOSSES, ARISING OUT OF, OR RELATED TO THE AGREEMENT OR
TO YOUR USE OR THE INABILITY TO USE THE SOFTWARE PRODUCT OR
DOCUMENTATION, EVEN IF RCDevs HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
LOSS, DAMAGES OR CLAIMS.

7. TERMINATION. The license granted hereunder is effective until 
terminated by RCDevs, in its sole discretion, after notification.
You may terminate the Agreement at any time by uninstalling and
destroying all copies of the Software Product in your possession 
or control. 
This license will terminate automatically if you fail to comply with the
terms and conditions of the Agreement above. Upon such termination, you
must destroy all copies of the Software Product. 

The provisions of Section 5 and 6 shall survive the termination of the
Agreement.

8. APPLICABLE LAW AND GENERAL PROVISIONS. The Agreement will be governed
by and construed in accordance with the Luxembourg law and submitted to
the Luxembourg competent courts.

The URL-link of any open-source files and libraries relating to the
Software Product is located in the file docs/licenses.txt.

If you have any questions, notices or information relating to the
Agreement, please use the address and contact information included with
the Software Product or via the web at http://www.rcdevs.com/.
I agree with RCDevs WebADM terms and conditions (Yes/No): yes
Enter the master PKI server address: webadm1.rcdevsdocs.com
Enter the master PKI server port [5000]: 5000
Enter the master PKI server secret: secret_configured_on_master
Testing PKI server connection... Ok
Retrieving PKI CA certificate...Ok
Reading organization name from CA certificate... 
Generating SSL private key... Ok
Creating SSL certificate request... Ok
Signing SSL certificate with PKI server... Ok

The certificate and key of the slave node have been generated and signed by Rsignd (WebADM CA).

Do you want to get configuration from master using SSH (y/n)?
SSH user must have access to /opt/webadm/conf folder of master server!

At this step, you can download the configuration by establishing an SSH connection to the master. The WebADM configuration files are under root account permissions, so you need to provide the root credentials of your master node to download them. If you don't have root credentials, you must manually copy the following files from the master to the slaves, at the same location:

- /opt/webadm/conf/servers.xml
- /opt/webadm/conf/webadm.conf
- /opt/webadm/conf/rsignd.conf
- /opt/webadm/conf/objects.xml
- /opt/webadm/conf/license.key
- /opt/webadm/pki/ca/ca.crt
- /opt/webadm/pki/ca/ca.key
- /opt/webadm/pki/ca/serial

If you choose yes, the SSH connection details are requested:

Please enter y or n: y
Enter the SSH username: root
Enter the SSH port: 22
Warning: Permanently added 'webadm1.rcdevsdocs.com' (ECDSA) 
to the list of known hosts.
Password: 
license.key 	100%  992      1.4MB/s   00:00    
servers.xml		100%  4739     8.7MB/s   00:00    
webadm.conf     100%  11KB    20.3MB/s   00:00    
objects.xml     100%  14KB    24.9MB/s   00:00    
rsignd.conf     100%  992      1.4MB/s   00:00    
ca.crt			100%  4739     8.7MB/s   00:00    
ca.key			100%  11KB     2.3MB/s   00:00    
serial			100%  14KB    24.9MB/s   00:00    
Setting file permissions... Ok
Adding systemd service... Ok
Adding logrotate scripts... Ok
WebADM has successfully been setup.

If you choose no, you will need to manually copy the required files listed below.

Please enter y or n: n
Setting file permissions... Ok
Adding systemd service... Ok
Adding logrotate scripts... Ok
WebADM has successfully been setup.

In order to finish the configuration of the cluster, please intall to the current server the following configuration files from master:
- /opt/webadm/conf/servers.xml
- /opt/webadm/conf/webadm.conf
- /opt/webadm/conf/rsignd.conf
- /opt/webadm/conf/objects.xml
- /opt/webadm/conf/license.key
- /opt/webadm/pki/ca/ca.crt
- /opt/webadm/pki/ca/ca.key
- /opt/webadm/pki/ca/serial

Your secondary WebADM server is now configured, and services can be started. You can start services either with systemctl or using the WebADM startup script:

systemctl start webadm
/opt/webadm/bin/webadm start

We are done with the secondary node configuration.