Alma/Rocky/CentOS
Installing Passwork on the following operating systems:
- CentOS 8 Stream, Alma Linux 8, Rocky Linux 8.
- CentOS 9 Stream, Alma Linux 9, Rocky Linux 9.
On this page you can switch between blocks of code to view the commands applicable to your version of the OS.
1. Minimum system requirements
Passwork is not resource-heavy. How much disk space, RAM and CPU power you will need depends on the number of active users, the amount of stored data, and your requirements for fault-tolerance.
See the Technical requirements
If your server has 2-4 GB of RAM, we recommend enabling the SWAP file for libraries to compile properly.
2. Steps before installation
First, gain root access and update the local packages:
- shell
sudo -i
yum makecache
Then, install the Git version control package, Apache2 web-server and curl data transfer tool:
- bash
yum install git httpd curl -y
Run httpd.service:
- shell
systemctl start httpd.service
And enable autostart:
- shell
systemctl enable httpd.service
2.1 Installing and setting up Firewalld
Install the dynamically managed firewall Firewalld:
- shell
yum install firewalld -y
Run firewalld.service:
- shell
systemctl start firewalld.service
Enable autostart:
- shell
systemctl enable firewalld.service
Allow HTTP services in firewalld:
- shell
firewall-cmd --permanent --add-service=http
Allow HTTPS services in firewalld:
- shell
firewall-cmd --permanent --add-service=https
And apply the changes to firewalld:
- shell
firewall-cmd --reload
2.2 Disabling SELinux and restarting OS
Edit the /etc/selinux/config configuration file:
- shell
nano /etc/selinux/config
Change the SELINUX parameter from enforcing to disabled:
- shell
SELINUX=disabled
Save the changes (Ctrl+O) and exit the editor (Ctrl+X). Then, restart your system to apply the changes to SELinux:
- shell
reboot
3. Installing PHP
Install the EPEL release package and the YUM utilities:
yum -y install epel-release yum-utils
Download and install the latest EPEL repository:
- OS 8
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
- OS 9
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
Download and install the repository for access to PHP versions:
- OS 8
dnf install -y https://rpms.remirepo.net/enterprise/remi-release-8.rpm
- OS 9
dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm
Enable the PHP 8.2 module from the REMI repository:
dnf module enable php:remi-8.2
Install PHP and its extensions:
dnf install -y php php-json php-ldap php-xml php-bcmath php-mbstring php-curl gcc php-pear curl-devel openssl-devel pcre-devel php-devel php-mysql libtool pcre-devel php-pecl-psr
3.1 Installing a PHP MongoDB driver
Install a PHP MongoDB driver:
pecl install mongodb-1.21.0
Create configuration files for PHP MongoDB startup and activation:
echo "extension=mongodb.so" | tee /etc/php.d/20-mongodb.ini
3.2 Installing the PHP Phalcon extension
Install the PHP Phalcon extension:
dnf install php-phalcon -y
4. Installing MongoDB database
Create a repository file to add MongoDB to the YUM package manager:
nano /etc/yum.repos.d/mongodb-org-6.0.repo
Add the following lines into the file:
- OS 8
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://pgp.mongodb.com/server-6.0.asc
- OS 9
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/9/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://pgp.mongodb.com/server-6.0.asc
Install MongoDB:
yum install mongodb-org -y
Run mongod.service:
- shell
systemctl start mongod.service
And enable autostart:
- shell
systemctl enable mongod.service
5. Managing and downloading the latest Passwork via Git
Go to /var/www/:
- shell
cd /var/www/
Add /var/www to the global Git configuration as a safe directory:
- shell
git config --global --add safe.directory /var/www
Initialize a Git repository at /var/www/:
- shell
git init
Add the remote Passwork repository:
- shell
git remote add origin https://passwork.download/passwork/passwork.git
Fetch the remote repository to your local server:
- shell
git fetch
The system will ask for your credentials, which are listed on your Customer Portal page. If you can't access the customer portal, let us know.
Switch to the v6 branch with the latest Passwork version:
- shell
git checkout v6
Set the file and directory permissions and make the apache user the owner:
- shell
find /var/www/ -type d -exec chmod 755 {} \;
find /var/www/ -type f -exec chmod 644 {} \;
chown -R apache:apache /var/www/
6. Setting up Apache2 for HTTP access to Passwork
Open the virtual host configuration file for HTTP:
- shell
nano /etc/httpd/conf.d/non-ssl.conf
Edit the file so it looks as follows:
- shell
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/public
<Directory /var/www/public>
Options +FollowSymLinks -Indexes -MultiViews
AllowOverride All
Require all granted
</Directory>
ErrorLog logs/error_log
TransferLog logs/access_log
LogLevel warn
</VirtualHost>
Restart the web server (httpd.service):
- shell
systemctl restart httpd.service
You can open http://passwork.local or http://127.0.0.1 to test your Passwork connection.
7. Passwork parameter checklist
When you connect to Passwork for the first time, you will need to go over the checklist that includes:
- Automatic parameter checking
- Checking connection to MongoDB database
- Generating an encryption key for MongoDB
- License verification
After finishing the checklist, you will be offered to create the first Passwork user and set their login, password and email address for notifications.
This user is always local and is the owner of Passwork by default. If you assign an LDAP/SSO user as the owner, that user will automatically become local and you will not be able to authorise in Passwork.
8. Setting up HTTPS connection
8.1 Generating a self-signed SSL certificate
Install an SSL module for Apache2:
- shell
yum install mod_ssl -y
Create a new directory to store the private key and the certificate in:
- shell
mkdir /etc/ssl/private
Use OpenSSL to generate a self-signed X.509 certificate for Apache2:
- shell
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj '/CN=your.domain.name' -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
- Common Name (CN): Specify the IP of your server or host. This field is important, as the certificate should match the domain or IP of your website
- subjectAltName (SAN): Alternative domain name or IP
Generate Diffie-Hellman parameters with the key length of 2048:
- shell
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Add Diffie-Hellman parameters to the self-signed certificate:
- shell
cat /etc/ssl/certs/dhparam.pem | tee -a /etc/ssl/certs/apache-selfsigned.crt
Restrict access to the directory to the root user to secure the private key and the certificate:
- shell
chmod 700 /etc/ssl/private
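The openssl req command in this section sets only the Common Name, while current browsers match the host against subjectAltName. The following added example (not part of the Passwork documentation) generates the same kind of certificate with a SAN and checks that it covers the host and matches its key; passwork.local, 127.0.0.1 and the temporary directory are illustrative assumptions, and -addext requires OpenSSL 1.1.1 or newer.

```shell
# Added example, not from the Passwork documentation. The host name, IP and
# output directory are illustrative assumptions. Needs OpenSSL 1.1.1 or newer.

# make_cert <dir> <dns-name> <ip>: self-signed cert whose SAN lists both names
make_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2,IP:$3" \
        -keyout "$1/apache-selfsigned.key" \
        -out "$1/apache-selfsigned.crt" 2>/dev/null &&
    chmod 600 "$1/apache-selfsigned.key"
}

# cert_san <crt>: prints the SAN entries one per line, e.g. DNS:passwork.local
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        sed -n '2,$p' | tr ',' '\n' |
        sed 's/^ *//; s/ *$//; s/^IP Address:/IP:/'
}

# cert_covers <crt> <name>: succeeds if <name> is a DNS or IP entry in the SAN
cert_covers() {
    cert_san "$1" | grep -qxF -e "DNS:$2" -e "IP:$2"
}

# key_matches <crt> <key>: succeeds if the private key belongs to the cert
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# Demo in a throwaway directory (on the server, the paths from this page apply)
dir=$(mktemp -d)
make_cert "$dir" passwork.local 127.0.0.1
cert_san "$dir/apache-selfsigned.crt"
cert_covers "$dir/apache-selfsigned.crt" passwork.local && echo "SAN covers host"
key_matches "$dir/apache-selfsigned.crt" "$dir/apache-selfsigned.key" && echo "key matches"
rm -rf "$dir"
```

The same cert_covers check can be run against /etc/ssl/certs/apache-selfsigned.crt with the name used in ServerName.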
8.2 Configuring a virtual host to access Passwork via HTTPS
Open the virtual host configuration file for HTTPS connection:
- shell
nano /etc/httpd/conf.d/ssl.conf
Find the section that starts with <VirtualHost _default_:443> and edit it as follows:
- Uncomment the DocumentRoot line and change the path to Passwork's root folder /var/www/public
- Uncomment the ServerName line and change www.example.com to the IP or the domain of the server (it should match the Common Name of the certificate):
DocumentRoot /var/www/public
ServerName passwork.local:443
- Add the <Directory> directive after ServerName:
<Directory /var/www/public>
Options +FollowSymLinks -Indexes -MultiViews
AllowOverride All
Require all granted
</Directory>
- Comment out the SSLProtocol and SSLCipherSuite lines:
# SSLProtocol all -SSLv2
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
- Update the paths to certificate files, which were generated earlier:
- shell
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
- After editing the file, check if the virtual host configuration file matches the example:
- shell
Listen 443
<VirtualHost _default_:443>
DocumentRoot /var/www/public
ServerName passwork.local:443
<Directory /var/www/public>
Options +FollowSymLinks -Indexes -MultiViews
AllowOverride All
Require all granted
</Directory>
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
Restart the web server (httpd.service):
- bash
systemctl restart httpd.service
Check the HTTPS connection to Passwork using https://passwork.local
8.3 Setting up Passwork for work over HTTPS
When using a secure SSL connection (HTTPS), client browsers require certain flags to process Passwork data. These flags are called session.cookie_secure and disableSameSiteCookie.
If these flags are not set, browsers will not be able to establish connections and the connection will be rejected, which can lead to authorisation errors — "The session of this browser tab is out of date".
Enable the ;session.cookie_secure parameter in /etc/php.ini:
- bash
sed -i '/session.cookie_secure =/c session.cookie_secure = On' /etc/php.ini
Set the disableSameSiteCookie parameter in /var/www/app/config/config.ini to Off:
- bash
sed -i '/disableSameSiteCookie =/c disableSameSiteCookie = Off' /var/www/app/config/config.ini
If you change your mind about using SSL and work over the HTTP protocol, do not set these parameters, or reset them to their original values.
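To confirm that both settings are actually in effect, the following added example (not part of the Passwork documentation) runs the two sed edits from this section on constructed copies of the files and reads back the active, uncommented values. The helper names and the sample file contents are assumptions made for the demonstration.

```shell
# Added example, not from the Passwork documentation: runs the two sed edits
# from this section on constructed copies of the files and checks the result.

# ini_value <file> <key>: prints the last uncommented value of <key>
ini_value() {
    awk -F= -v k="$2" '
        /^[ \t]*[;#]/ { next }          # commented-out settings are inactive
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val) }
        END { print val }' "$1"
}

# apply_https_cookie_settings <php.ini> <config.ini>: the sed commands above
apply_https_cookie_settings() {
    sed -i '/session.cookie_secure =/c session.cookie_secure = On' "$1"
    sed -i '/disableSameSiteCookie =/c disableSameSiteCookie = Off' "$2"
}

# https_cookie_check <php.ini> <config.ini>: succeeds only if both are set for HTTPS
https_cookie_check() {
    rc=0
    case "$(ini_value "$1" session.cookie_secure)" in
        On|on|1) ;;
        *) echo "session.cookie_secure is not On in $1"; rc=1 ;;
    esac
    case "$(ini_value "$2" disableSameSiteCookie)" in
        Off|off|0) ;;
        *) echo "disableSameSiteCookie is not Off in $2"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample files for the demonstration
tmp=$(mktemp -d)
printf '[Session]\n;session.cookie_secure =\n' > "$tmp/php.ini"
printf '[application]\ndisableSameSiteCookie = On\n' > "$tmp/config.ini"
https_cookie_check "$tmp/php.ini" "$tmp/config.ini" || echo "before: not ready for HTTPS"
apply_https_cookie_settings "$tmp/php.ini" "$tmp/config.ini"
https_cookie_check "$tmp/php.ini" "$tmp/config.ini" && echo "after: ready for HTTPS"
rm -rf "$tmp"
```

On the server, call https_cookie_check /etc/php.ini /var/www/app/config/config.ini after running the sed commands.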
9. Configure background tasks
Background tasks are tasks that are executed by the scheduler in the background. For example, LDAP synchronisation, loading favicons, and other tasks that are time-consuming, persistent, or resource-allocating.
See a guide on Background tasks.
10. Set up security
Before modifying security settings, we strongly recommend making sure that Passwork is stable and works correctly, and backing up the files you are making changes to.
Server security is an important part of ensuring the protection of valuable company data and resources. It is a process that requires planning and execution to ensure maximum protection against various threats.
Look through the overview of Security settings.