Version: 7.0

Alma/Rocky/CentOS

info

Passwork installation instructions for OS:

  • CentOS 8 Stream, Alma Linux 8, Rocky Linux 8.
  • CentOS 9 Stream, Alma Linux 9, Rocky Linux 9.

danger

The instructions use switchable code blocks to separate commands according to the operating system versions.

1. Minimum system requirements

Passwork is not demanding on system resources, and the required number of servers depends on the number of active users, the volume of stored data, and system fault tolerance requirements.

Please review the full system requirements.

info

If the server has 2-4 GB of RAM, we recommend enabling a SWAP file.

2. Basic actions before installation

Obtain root privileges and update the local package database:

sudo -i 
dnf makecache

Install the Apache web server (httpd), the curl data transfer utility, and the unzip, zip and jq utilities:

dnf install -y httpd unzip curl zip jq

Replace the DocumentRoot location in the Apache configuration:

sed -i 's|^DocumentRoot "/var/www/html"|DocumentRoot "/var/www"|' /etc/httpd/conf/httpd.conf

Start the httpd.service service:

systemctl start httpd.service

Enable the service to start automatically:

systemctl enable httpd.service

2.1 Installation and basic configuration of Firewalld

Install the dynamic firewall management service Firewalld:

dnf install firewalld -y

Start the firewalld.service service:

systemctl start firewalld.service

Enable the service to start automatically:

systemctl enable firewalld.service

Add the HTTPS protocol to the list of allowed services in the Firewalld configuration:

firewall-cmd --permanent --add-service=https

Apply changes to the Firewalld configuration:

firewall-cmd --reload

2.2 Disabling SELinux and rebooting the OS

Edit the configuration file /etc/selinux/config:

nano /etc/selinux/config

Change the SELINUX parameter value from enforcing to disabled:

SELINUX=disabled

Save changes (Ctrl+O) and exit (Ctrl+X). Reboot the system to apply SELinux changes:

reboot

3. PHP installation

Install the EPEL release package (epel-release) and the yum package management utilities (yum-utils):

dnf -y install epel-release yum-utils

Download and install the latest EPEL repository:

dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

Download and install the repository providing access to PHP versions:

dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm

Enable the PHP 8.3 module from the REMI repository:

dnf module enable php:remi-8.3

Install PHP and additional extensions:

dnf install -y php-cli php-fpm php-curl php-devel php-pear php-gd php-intl php-ldap php-bcmath php-mbstring php-mysqlnd php-opcache php-pgsql php-soap php-zip php-sqlite3 php-xml

Ensure the php-fpm service is running:

systemctl status php-fpm

Start and enable the service if it is stopped:

systemctl start php-fpm
systemctl enable php-fpm

3.1 Installing PHP MongoDB driver

Install the PHP MongoDB driver:

pecl install mongodb

Create a configuration file to load and enable the PHP MongoDB extension:

echo "extension=mongodb.so" | tee /etc/php.d/20-mongodb.ini

4. MongoDB database installation

Create a file to add the MongoDB repository to the yum package manager:

nano /etc/yum.repos.d/mongodb-org-7.0.repo

Place the following content into the file:

[mongodb-org-7.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/9/mongodb-org/7.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://pgp.mongodb.com/server-7.0.asc

Install MongoDB:

dnf install mongodb-org -y

Start the mongod.service service:

systemctl start mongod.service

Enable the service to start automatically:

systemctl enable mongod.service

5. Obtaining and configuring Passwork

Online

Obtain the script:

wget https://repos.passwork.pro/repository/linux/scripts/passwork.sh

danger

The Passwork installation script must not be located in the directory with the application server files.

Assign execution permissions to the script:

chmod +x passwork.sh

By default, the passwork.sh script will:

  • Create a hidden .script_env file in the current directory;
  • Create a passwork_archive directory for Passwork backups;
  • Obtain the latest available Passwork version, signature, and public key;
  • Install the previously obtained archive to /var/www/.

info

To use a non-standard installation path, disable certificate verification, or change behavior, you can use script launch parameters.

Run the script:

sudo ./passwork.sh

On the first run, the script will request an API key and perform basic environment checks:

[Screenshot: example of script launch]

Example of successful script execution:

[Screenshot: successful script execution]

Offline

Obtain the script on another machine with Internet access:

wget https://repos.passwork.pro/repository/linux/scripts/passwork.sh

info

Or obtain the passwork.sh script manually using the link.

danger

The Passwork installation script must not be located in the directory with the application server files.

Assign execution permissions to the script:

chmod +x passwork.sh

Before running passwork.sh, you need to:

  • Obtain Passwork version 7 from our Customer Portal (mandatory);
  • Place it in the launch directory or use the --input argument to specify the location (mandatory);
  • Obtain the archive signature and public key of Passwork (optional if using the --skip argument).

By default, the passwork.sh script will:

  • Create a passwork_archive directory for Passwork backups;
  • Extract the Passwork archive;
  • Install the previously obtained archive to /var/www/.

info

To use a non-standard installation path, disable certificate verification, or change behavior, you can use script launch parameters.

After preparation, run the passwork.sh script:

sudo ./passwork.sh -offline

Example of successful offline script execution:

[Screenshot: successful offline script execution]

6. Web server configuration for HTTPS protocol

info

To ensure correct operation, it is necessary to use the HTTPS protocol. Using HTTP will lead to errors.

6.1 Generating self-signed SSL certificate

Install the SSL module for Apache2:

dnf install mod_ssl -y

Create a new directory to store the private key and certificate:

mkdir /etc/ssl/private

Generate a self-signed X.509 certificate for Apache2 using OpenSSL:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj '/CN=your.domain.name' -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

danger

In the Common Name (CN) field, it is important to specify your server's IP address or hostname, as your certificate must match the domain (or IP address) of the website.

Generate Diffie-Hellman parameters with a key length of 2048 bits:

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Add Diffie-Hellman parameters to the self-signed certificate:

cat /etc/ssl/certs/dhparam.pem | tee -a /etc/ssl/certs/apache-selfsigned.crt

Restrict access to the private key directory to the root user:

chmod 700 /etc/ssl/private
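
A pre-flight check for the certificate and key generated above, to run before ssl.conf is pointed at them. This is an added example, not part of the Passwork documentation: the function names make_selfsigned and check_cert are hypothetical, all paths are supplied by the caller, and the demo certificate also carries a subjectAltName entry (which the page's command does not add) because current browsers match host names against subjectAltName rather than the Common Name.

```bash
#!/usr/bin/env bash
# Added example; nothing under /etc is touched unless you pass those paths.

# make_selfsigned DIR HOST: the page's "openssl req" command, written to DIR,
# plus a subjectAltName entry for HOST (assumes OpenSSL 1.1.1 or newer).
make_selfsigned() {
    local dir=$1 host=$2
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/apache-selfsigned.key" \
        -out "$dir/apache-selfsigned.crt" 2>/dev/null
    chmod 600 "$dir/apache-selfsigned.key"
}

# check_cert CERT KEY HOST: returns 0 only if every check passes.
check_cert() {
    local cert=$1 key=$2 host=$3 rc=0 cert_pub key_pub mode

    # 1. The name clients connect to must be covered by the certificate.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>&1 |
            grep -q 'does match'; then
        echo "FAIL: certificate does not cover $host"; rc=1
    fi

    # 2. SSLCertificateKeyFile must hold the key for this certificate:
    #    compare the public key embedded in each file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not belong to the certificate"; rc=1
    fi

    # 3. Flag a certificate that expires within 30 days (2592000 seconds).
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: certificate expires within 30 days"; rc=1
    fi

    # 4. The key file itself must not be accessible to group or others.
    mode=$(stat -c %a "$key" 2>/dev/null) || mode=
    case "$mode" in
        [0-7]00) ;;
        *) echo "FAIL: key file mode is ${mode:-unknown}, expected 600 or 400"; rc=1 ;;
    esac
    return "$rc"
}

if [ "$#" -eq 3 ]; then check_cert "$@"; fi
```

For a certificate issued to an IP address, use an IP: entry in subjectAltName and -checkip in place of -checkhost.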

6.2 Virtual host configuration for HTTPS access

danger

Before configuring the web server with SSL termination enabled, it is recommended to review the configuration features.

Open the configuration file to set up the HTTPS protocol:

nano /etc/httpd/conf.d/ssl.conf

Find the section starting with <VirtualHost _default_:443> and make the following changes:

  • Uncomment the DocumentRoot line and change the path to the Passwork root directory /var/www/public;
  • Uncomment the ServerName line and change www.example.com to the server's IP address or domain (depending on the value specified in the certificate's Common Name):

DocumentRoot /var/www/public
ServerName passwork:443

  • Add a <Directory> directive after ServerName:

<Directory /var/www/public>
    Options +FollowSymLinks -Indexes -MultiViews
    AllowOverride FileInfo
    Require all granted
</Directory>

  • Update the paths to the certificate files generated earlier:

SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

  • Change the .php file handler to proxy requests to the php-fpm socket:

<FilesMatch \.php$>
    SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost/"
</FilesMatch>

  • Verify that the SSL Virtual Host Context block matches the example:

<VirtualHost _default_:443>

DocumentRoot "/var/www/public"
ServerName passwork:443

<Directory /var/www/public>
    Options +FollowSymLinks -Indexes -MultiViews
    AllowOverride FileInfo
    Require all granted
</Directory>

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM

SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

<FilesMatch \.php$>
    SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost/"
</FilesMatch>

BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

danger

Important: copying and pasting the example above into the configuration file will cause errors because the example shows only a fragment of the block, not the full configuration file.

Restart services:

systemctl restart php-fpm
systemctl restart httpd

7. Completing the checklist

When first connecting to Passwork, you need to complete a parameter checklist, during which the following will be performed:

  • Checking necessary parameters
  • Connecting to the MongoDB database

danger

Change the MongoDB connection address to mongodb://localhost:27017

  • Generating a random key for encrypting data in MongoDB
  • License key verification

After completing the checklist, you will be prompted to create the first user in Passwork, where you need to specify a login, password, and email address for sending notifications.

info

Additional component parameters, security settings, and Passwork system configurations are available in the advanced settings section.