1. Navigate to the parent directory where the Red Hat JBoss Portal (JBoss Portal) Zip archive will be extracted.
   Before continuing, verify the chosen directory, and it's access permissions, meet organizational security and deployment requirements.
2. Unzip jboss-portal-[version].zip to extract the Zip archive contents to the directory.
   A command-line or GUI archive manager is suitable for this task, depending on the server environment.
   The jboss-portal-[version] directory is created with an installation of JBoss Portal in its default configuration.

1. Look for error messages in the log file

   After you start the server, view the log file in JPP_HOME/standalone/log/.
   Result:

   If the server started properly, there will be no errors, and you will see output similar to the following:
   ⁠

   Example 5.4. Example of a successful start-up

   14:36:32,632 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015874: JBoss Portal Platform 6.0.0.ER04.2 (AS 7.1.3.Final-redhat-4) started in 23519ms - Started 919 of 1041 services (116 services are passive or on-demand)
   

2. Browse to the Management Console.

   If the installation worked properly and your server is running, you should be able to access the Management Console by pointing your web browser at an address similar to http://YOUR_SERVER:9990/, replacing YOUR_SERVER with a valid value.
   Result:

   The front page of the Management Console appears.

Procedure 6.1. Manage Network Firewalls and JBoss EAP 6 to work together

1. Log into the Management Console.

   Log into the Management Console. By default, it runs on http://localhost:9990/console/.

2. Determine the socket bindings used by the socket binding group.

   1. Click the Configuration label at the top of the Management Console.
   2. Expand the General Configuration menu. Select the Socket Binding.
   3. The Socket Binding Declarations screen appears. Initially, the standard-sockets group is shown. Choose a different group by selecting it from the combo box on the right-hand side.

   Note

   If you use a standalone server, it has only one socket binding group.
   The list of socket names and ports is shown, eight values per page. You can go through the pages by using the arrow navigation below the table.

3. Determine the ports you need to open.

   Depending on the function of the particular port and the requirements of your environment, some ports may need to be opened on your firewall.

4. Configure your firewall to forward traffic to JBoss EAP 6.

   Perform these steps to configure your network firewall to allow traffic on the desired port.
   1. Log into your firewall machine and access a command prompt, as the root user.
   2. Issue the command system-config-firewall to launch the firewall configuration utility. A GUI or command-line utility launches, depending on the way you are logged into the firewall system. This task makes the assumption that you are logged in via SSH and using the command-line interface.
   3. Use the TAB key on your keyboard to navigate to the Customize button, and press the ENTER key. The Trusted Services screen appears.
   4. Do not change any values, but use the TAB key to navigate to the Forward button, and press ENTER to advanced to the next screen. The Other Ports screen appears.
   5. Use the TAB key to navigate to the <Add> button, and press ENTER. The Port and Protocol screen appears.
   6. Enter 5445 in the Port / Port Range field, then use the TAB key to move to the Protocol field, and enter tcp. Use the TAB key to navigate to the OK button, and press ENTER.
   7. Use the TAB key to navigate to the Forward button until you reach the Port Forwarding screen.
   8. Use the TAB key to navigate to the <Add> button, and press the ENTER key.
   9. Fill in the following values to set up port forwarding for port 5445.
      • Source interface: eth1
      • Protocol: tcp
      • Port / Port Range: 5445
      • Destination IP address: 10.1.1.2
      • Port / Port Range: 5445
      Use the TAB key to navigate to the OK button, and press ENTER.
   10. Use the TAB key to navigate to the Close button, and press ENTER.
   11. Use the TAB key to navigate to the OK button, and press ENTER. To apply the changes, read the warning and click Yes.

5. Configure a firewall on your JBoss EAP 6 host.

   Some organizations choose to configure a firewall on the JBoss EAP 6 server itself, and close all ports that are not necessary for its operation. See Section 6.1, “Network Ports Used By JBoss EAP 6” and determine which ports to open, then close the rest. The default configuration of Red Hat Enterprise Linux 6 closes all ports except 22 (used for Secure Shell (SSH) and 5353 (used for multicast DNS). While you are configuring ports, ensure you have physical access to your server so that you do not inadvertently lock yourself out.

Procedure 6.2. Configuring Firewall on Microsoft Windows using PowerShell

1. Switch off firewall for debug purpose to determine whether the current network behavior is related to the firewall configuration.

   Start-Process "$psHome\powershell.exe" -Verb Runas -ArgumentList '-command "NetSh Advfirewall set allprofiles state off"'

2. Allow UDP connections on port 23364. For example:

   Start-Process "$psHome\powershell.exe" -Verb Runas -ArgumentList '-command "NetSh Advfirewall firewall add rule name="UDP Port 23364" dir=in  action=allow protocol=UDP localport=23364"'
   Start-Process "$psHome\powershell.exe" -Verb Runas -ArgumentList '-command "NetSh Advfirewall firewall add rule name="UDP Port 23364" dir=out action=allow protocol=UDP localport=23364"'

Procedure 6.3. Configure the Firewall on Red Hat Enterprise Linux 7 to Allow mod_cluster Advertising

• To allow mod_cluster advertising on Red Hat Enterprise Linux 7, you must enable the UDP port in the firewall as follows:

  firewall-cmd --permanent --zone=public --add-port=23364/udp

  Note

  224.0.1.105:23364 is the default address and port for mod_cluster balancer advertising UDP multicast.

Procedure 6.4. Create the Initial Administrative User for the Remote Management Interfaces

1. Run the add-user.sh or add-user.bat script.

   Change to the EAP_HOME/bin/ directory. Invoke the appropriate script for your operating system.

   Red Hat Enterprise Linux

   [user@host bin]$ ./add-user.sh

   Microsoft Windows Server

   C:\bin>  add-user.bat

2. Choose to add a Management user.

   Press ENTER to select the default option a to add a Management user.
   This user is added to the ManagementRealm and is authorized to perform management operations using the web-based Management Console or command-line based Management CLI. The other choice, b, adds a user to the ApplicationRealm, and provides no particular permissions. That realm is provided for use with applications.

3. Enter the desired username and password.

   When prompted, enter the username and password. You will be prompted to confirm the password.

4. Enter group information.

   Add the group or groups to which the user belongs. If the user belongs to multiple groups, enter a comma-separated list. Leave it blank if you do not want the user to belong to any groups.

5. Review the information and confirm.

   You are prompted to confirm the information. If you are satisfied, type yes.

6. Choose whether the user represents a remote JBoss EAP 6 server instance.

   Besides administrators, the other type of user which occasionally needs to be added to JBoss EAP 6 in the ManagementRealm is a user representing another instance of JBoss EAP 6, which must be able to authenticate to join a cluster as a member. The next prompt allows you to designate your added user for this purpose. If you select yes, you will be given a hashed secret value, representing the user's password, which would need to be added to a different configuration file. For the purposes of this task, answer no to this question.

7. Enter additional users.

   You can enter additional users if desired, by repeating the procedure. You can also add them at any time on a running system. Instead of choosing the default security realm, you can add users to other realms to fine-tune their authorizations.

8. Create users non-interactively.

   You can create users non-interactively, by passing in each parameter at the command line. This approach is not recommended on shared systems, because the passwords will be visible in log and history files. The syntax for the command, using the management realm, is:

   [user@host bin]$ ./add-user.sh username password

   To use the application realm, use the -a parameter.

   [user@host bin]$ ./add-user.sh -a username password

9. You can suppress the normal output of the add-user script by passing the --silent parameter. This applies only if the minimum parameters username and password have been specified. Error messages will still be shown.

Procedure 7.1. Setting the Root Password Through the Command-line

1. Open a terminal and execute the portal-setup.sh script.
   • For Linux, $JPP_HOME/bin/portal-setup.sh
   • For Microsoft Windows, %JPP_HOME%\bin\portal-setup.bat
2. Type a value for the root password when prompted and press Enter. Re-type the password and press Enter.
   The password is encrypted and stored in the $JPP_HOME/standalone/configuration/gatein/configuration.properties file.
3. Start JBoss Portal.
4. Open the Users Management interface and create the required accounts, including an Administrator account.

Procedure 7.2. Setting the Root Password Through the Web Interface

1. Once all configuration in this user guide has been completed, start JBoss Portal.
2. Open JBoss Portal in a browser.
3. In the Set Root Password page, type a Root password in the Password field, and repeat the same password in the Repeat password field.
4. Click Setup to set the Root password.
   To modify the Root password on subsequent occasions, use the portal administration interface for Users Management.

Procedure 7.3. Configuring the Java Content Repository (JCR)

1. Open JPP_DIST/standalone/configuration/standalone.xml in edit mode.
2. Bind the JCR datasource to JNDI under java:/jdbcjcr_portal.

   ​<datasource jndi-name="java:/jdbcjcr_portal" pool-name="JCRPortalDS" enabled="true" use-java-context="true">
   ​
   ​    <connection-url>jdbc:h2:file:${jboss.server.data.dir}/gatein/portal/jdbcjcr_portal;DB_CLOSE_DELAY=-1</connection-url>
   ​    <driver>h2</driver>
   ​
   ​    <security>
   ​        <user-name>sa</user-name>
   ​        <password>sa</password>
   ​    </security>
   ​
   ​</datasource>

3. If additional portals are deployed, additional datasources must be configured and bound in JNDI using a separate java:/jdbcjcr_PORTAL-NAME directive.
   Ensure the user has rights to create tables on jdbcjcr_portal, and to update them as they will automatically be created during the first startup.

Procedure 7.4. Configuring Identity Management (IDM)

1. Open JPP_DIST/standalone/configuration/standalone.xml in edit mode.
2. Bind the IDM datasource to JNDI under java:/jdbcidm_portal.

   ​<datasource jndi-name="java:/jdbcidm_portal" pool-name="JCRPortalDS" enabled="true" use-java-context="true">
   ​
   ​    <connection-url>jdbc:h2:file:${jboss.server.data.dir}/gatein/portal/jdbcjcr_portal;DB_CLOSE_DELAY=-1</connection-url>
   ​    <driver>h2</driver>
   ​
   ​    <security>
   ​        <user-name>sa</user-name>
   ​        <password>sa</password>
   ​    </security>
   ​
   ​</datasource>

3. If additional portals are deployed, additional datasources must be configured and bound in JNDI using a separate java:/jdbcjcr_PORTAL-NAME directive.
   Ensure the user has rights to create tables on jdbcjcr_portal, and to update them as they will automatically be created during the first startup.

Procedure 7.9. Configuring the SMTP Email Service

1. Open JPP_HOME/standalone/configuration/gatein/configuration.properties in edit mode.
2. Specify the Google Account information as indicated in the file.

   # EMail
   gatein.email.smtp.username=[user@gmail.com]
   gatein.email.smtp.password=[password|app-specific password]
   gatein.email.smtp.host=smtp.gmail.com
   gatein.email.smtp.port=465
   gatein.email.smtp.starttls.enable=true
   gatein.email.smtp.auth=true
   gatein.email.smtp.socketFactory.port=465
   gatein.email.smtp.socketFactory.class=javax.net.ssl.SSLSocketFactory

3. When provisioning the Email Service for a production environment, it is recommended to specify a corporate SMTP gateway and port for the smtp.host and smtp.port variables.
   If using a SMTP gateway over SSL, a certificate trust store containing the SMTP server public certificate is required. Depending on the key sizes, Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files are required for the Java Runtime Environment (JRE).

Procedure 7.10. Enabling Notifications about New User Registration

1. Configure an SMTP account.
2. Configure the following mandatory configuration items located in the PostRegistrationService part of the JPP_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/admin/admin-configuration.xml configuration file.

   sendMailAfterRegistration

   Boolean value that specifies whether an email notification is sent for new user registrations.

   The default value is false. If set to true, email notifications are sent when users join.

   mailTo

   Specifies the email address to which notifications are sent.

3. Configure optional parameters to customize the content of the notification emails:

   mailFrom

   Specifies the email address from which the notification email is sent.

   mailSubject

   Specifies the subject of the notification email.

   mailMessage

   Specifies the body of the notification email.

   The ${user.name}, ${user.firstName}, ${user.lastName} and ${user.email} macros can be used in the text to dynamically include the respective values in each notification email.

4. Test the configuration by restarting the server and registering a new user in the JBoss Portal user interface. An email is sent to the specified email address, notifying the recipient that a user has been registered to the portal.

Procedure 7.11. Enabling Notifications about Invalid Login Attempts

1. Configure an SMTP account.
2. Configure the following mandatory configuration items located in the InvalidLoginAttemptsService part of the JPP_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/admin/admin-configuration.xml configuration file.

   sendingMailsEnabled

   boolean value determining if e-mail notifications about invalid login attempts are enabled. It is false by default and needs to be changed to true for the e-mail notifications to be sent.

   mailTo

   Specifies the email address to which notifications are sent.

3. Configure optional parameters to customize the content and policies associated with notification emails:

   mailFrom

   Specifies the email address from which the notification email is sent.

   mailSubject

   Specifies the subject of the notification email.

   mailMessage

   Specifies the body of the notification email.

   The ${user.name}, ${user.firstName}, ${user.lastName} and ${user.email} macros can be used in the text to dynamically include the respective values in each notification email.

   numberOfFailedAttempts

   Specifies the number of invalid login attempts after which an email notification is sent. The default value is 3.

   invalidLoginPolicy

   Specifies the policy used to determine that invalid login attempts are coming from same source. The available values are

   SESSION - the default, indicating that invalid login attempts must originate from the same HTTP session.

   SESSION_AND_USER - indicates that invalid login attempts must originate from the same HTTP session, and contain the same user name.

   SERVER - indicates that invalid login attempts must come from the same remote server.

4. Test the configuration by restarting the server and attempting to login to JBoss Portal with invalid account credentials.
   Repeat the attempt for the number of times specified in the numberOfFailedAttempts parameter (the default is three attempts).
5. An email is sent to the specified email address, notifying the recipient that an invalid login attempt has been detected.

Procedure 7.12. To setup the loadbalancer server which uses Apache HTTPD+Mod_jk:

1. Install apache server and mod_jk module

   The package that contains Apache HTTP Server is known as httpd. To build and install mod_jk from source code use the package httpd-devel.

2. Setup apache to use mod_jk

   Copy the file mod-jk.conf to /etc/httpd/conf.d and append the following line to /etc/httpd/conf/httpd.conf to load the module.

   LoadModule jk_module modules/mod_jk.so
   

   File mod-jk.conf is as follows:

   
   # Where to find workers.properties
   JkWorkersFile workers.properties
   
   # Where to put jk logs
   JkLogFile /var/log/apache2/mod_jk.log
    
   # Set the jk log level [debug/error/info]
   JkLogLevel debug
    
   # Select the log format
   JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
    
   # JkOptions indicates to send SSK KEY SIZE
   JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
    
   # JkRequestLogFormat
   #JkRequestLogFormat "%w %V %T"
    
   JkMountFile uriworkermap.properties
    
   # Add shared memory.
   # This directive is present with 1.2.10 and
   # later versions of mod_jk, and is needed for load balancing to work properly
   JkShmFile /var/log/apache2/jk.shm
    
   # Add jkstatus for managing runtime data
   <Location> /jkstatus/>
   JkMount status
   </Location>
   

3. Setup Workers:

   Create workers.properties file in /etc/httpd/.

   Note

   The Balanced workers must have the same name as the name of jboss.node.name as shown in Section 7.7, “Clustering Configuration”. The example uses the names node1 and node2. The values for balanced workers in workers.properties file must also have the same name as node1 and node2.
   The file workers.properties is as follows:

   # Define list of workers that will be used for mapping requests
   worker.list=loadbalancer,status
    
   # modify the host as your host IP or DNS name
   worker.node1.port=8009
   worker.node1.host=192.168.210.101
   worker.node1.type=ajp13
   worker.node1.lbfactor=1
    
   ## modify the host as your host IP or DNS name
   worker.node2.port=8009
   worker.node2.host=192.168.210.102
   worker.node2.type=ajp13
   worker.node2.lbfactor=1
    
   # Load-balancing behaviour
   worker.loadbalancer.type=lb
   worker.loadbalancer.method=Session
   worker.loadbalancer.balance_workers=node1,node2
   worker.loadbalancer.sticky_session=1
    
   #worker.list=loadbalancer
   worker.status.type=status
   

   The file uriworkermap.properties is as follows:

   /portal=loadbalancer
   /portal/*=loadbalancer
   /eXo*=loadbalancer
   /eXoResources*/*=loadbalancer
   /exo*=loadbalancer
   /exo*/*=loadbalancer
   /web=loadbalancer
   /web/*=loadbalancer
   /integration=loadbalancer
   /integration/*=loadbalancer
   /dashboard=loadbalancer
   /dashboard/*=loadbalancer
   /rest=loadbalancer
   /rest/*=loadbalancer
   /jpp_branding_skin|/*=loadbalancer
   /jpp-branding-skin|/*=loadbalancer
   /jpp-branding-extension|/*=loadbalancer
   /status=status
   /status/*=status