
Installing OFBiz with MariaDB as the back end, behind an Apache httpd server, with SSL.

Step-by-step guide for Debian-based Distributions

Get the Right Java

Install Java 8 (somehow - it is not the current version for your distro). I used AdoptOpenJDK (https://adoptopenjdk.net/). Set it as the default:

$ wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | sudo apt-key add -
$ sudo add-apt-repository --yes https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/
$ sudo apt update
$ sudo apt install adoptopenjdk-8-openj9
$ sudo update-alternatives --config java

BTW: I selected the OpenJ9 implementation (https://www.royvanrijn.com/blog/2018/05/openj9-jvm-shootout/), because its memory use profile is superior.

If you have other software that needs some other version of Java, you will need to set up the Java environment to suit, using JAVA_HOME and such appropriately.

Then the Latest OFBiz

Download the latest stable OFBiz from Apache (https://ofbiz.apache.org/download.html). At the time of writing it was 17.12.04.

Unzip the OFBiz into somewhere like /var/www. cd into that directory.


$ cd /var/www
$ unzip ~/apache-ofbiz-17.12.04.zip
$ useradd -M -d /var/www/ofbiz ofbiz
$ ln -s apache-ofbiz-17.12.04 ofbiz
$ chown -R ofbiz:www-data apache-ofbiz-17.12.04
$ cd ofbiz

Build and Configure


Run

$ gradle/init-gradle-wrapper.sh

Setup for SQL

I chose MariaDB, mostly because it was required for other services I was already running on the server. PostgreSQL would be fine (or better), and I am sure the built-in Derby is also fine for small installations.

I installed the client driver and copied the relevant piece into the gradle build system as follows:


$ sudo apt-get install libmariadb-java
$ mkdir -p framework/entity/lib/jdbc
$ cp /usr/share/java/mariadb-java-client.jar framework/entity/lib/jdbc

Edit the config to use MariaDB: change driver references from com.mysql to org.mariadb.
Make sure the users and passwords match what you are going to put in the database below.


Change the default delegators from using localderby to localmysql. Make your passwords in the localmysql, localmysqlolap and localmysqltenant sections match those in the SQL that creates the databases below.


framework/entity/config/entityengine.xml


<delegator name="default" entity-model-reader="main" entity-group-reader="main" entity-eca-reader="main" distributed-cache-clear-enabled="false">
    <group-map group-name="org.apache.ofbiz" datasource-name="localmysql"/>
    <group-map group-name="org.apache.ofbiz.olap" datasource-name="localmysqlolap"/>
    <group-map group-name="org.apache.ofbiz.tenant" datasource-name="localmysqltenant"/>
</delegator>

...

<datasource name="localmysql"
        helper-class="org.apache.ofbiz.entity.datasource.GenericHelperDAO"
        field-type-name="mysql"
        ...
    <inline-jdbc
            jdbc-driver="org.mariadb.jdbc.Driver"
            jdbc-uri="jdbc:mysql://127.0.0.1:3306/ofbiz?autoReconnect=true&amp;characterEncoding=UTF-8"
            jdbc-username="ofbiz"
            jdbc-password="ofbiz"
            isolation-level="ReadCommitted"
            pool-minsize="2"
            ...
</datasource>
<datasource name="localmysqlolap"
        helper-class="org.apache.ofbiz.entity.datasource.GenericHelperDAO"
        field-type-name="mysql"
        ...
    <inline-jdbc
            jdbc-driver="org.mariadb.jdbc.Driver"
            jdbc-uri="jdbc:mysql://127.0.0.1:3306/ofbizolap?autoReconnect=true&amp;characterEncoding=UTF-8"
            jdbc-username="ofbizolap"
            jdbc-password="ofbizolap"
            isolation-level="ReadCommitted"
            pool-minsize="2"
            ...
</datasource>
<datasource name="localmysqltenant"
        helper-class="org.apache.ofbiz.entity.datasource.GenericHelperDAO"
        field-type-name="mysql"
        ...
    <inline-jdbc
            jdbc-driver="org.mariadb.jdbc.Driver"
            jdbc-uri="jdbc:mysql://127.0.0.1:3306/ofbiztenant?autoReconnect=true&amp;characterEncoding=UTF-8"
            jdbc-username="ofbiztenant"
            jdbc-password="ofbiztenant"
            isolation-level="ReadCommitted"
            pool-minsize="2"
            ...
</datasource>


Set up your MariaDB databases and users.

$ mysql -u root -p

mysql>create database ofbiz;
mysql>create database ofbizolap;
mysql>create database ofbiztenant;
mysql>use mysql;
mysql>select database();
mysql>create user ofbiz@localhost;
mysql>create user ofbizolap@localhost;
mysql>create user ofbiztenant@localhost;
mysql>set password for 'ofbiz'@'localhost' = PASSWORD("ofbiz");
mysql>set password for 'ofbizolap'@'localhost' = PASSWORD("ofbizolap");
mysql>set password for 'ofbiztenant'@'localhost' = PASSWORD("ofbiztenant");
mysql>grant all privileges on ofbiz.* to 'ofbiz'@'localhost' identified by 'ofbiz';
mysql>grant all privileges on ofbizolap.* to 'ofbizolap'@'localhost' identified by 'ofbizolap';
mysql>grant all privileges on ofbiztenant.* to 'ofbiztenant'@'localhost' identified by 'ofbiztenant';
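
Before seeding, it is worth confirming that the datasources OFBiz will actually use do not carry a password equal to the account name, as the sample values above do. The script below is an added example, not part of the original guide; the function names and the sample XML (including its made-up password) are constructed, and it assumes the name attribute sits on the <datasource line as in the excerpt above.

```shell
# Added example, not part of the original guide.
# weak_datasources [FILE]: print each datasource that a <group-map> refers to
# and whose jdbc-password is empty or identical to its jdbc-username.
weak_datasources() {
    awk '
    # attr(line, key): value of key="..." on this line, "" when absent.
    function attr(line, key,    s, re) {
        s = " " line
        re = "[ \t]" key "=\"[^\"]*\""
        if (!match(s, re)) return ""
        return substr(s, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    # Remember the datasource just parsed if its credentials are weak.
    function finish() {
        if (ds != "" && seen && (pass == "" || pass == user)) weak[++n] = ds
        ds = ""; user = ""; pass = ""; seen = 0
    }
    /<group-map[ \t]/  { used[attr($0, "datasource-name")] = 1 }
    /<datasource[ \t]/ { finish(); ds = attr($0, "name") }
    /jdbc-username="/  { user = attr($0, "jdbc-username") }
    /jdbc-password="/  { pass = attr($0, "jdbc-password"); seen = 1 }
    /<\/datasource>/   { finish() }
    END {
        finish()
        for (i = 1; i <= n; i++) if (weak[i] in used) print weak[i]
    }' "$@"
}

# Constructed sample: localderby is weak but unused, localmysqlolap is changed.
sample_config() {
    cat <<'EOF'
<delegator name="default" entity-model-reader="main">
    <group-map group-name="org.apache.ofbiz" datasource-name="localmysql"/>
    <group-map group-name="org.apache.ofbiz.olap" datasource-name="localmysqlolap"/>
</delegator>
<datasource name="localderby" field-type-name="derby">
    <inline-jdbc jdbc-username="ofbiz" jdbc-password="ofbiz"/>
</datasource>
<datasource name="localmysql" field-type-name="mysql">
    <inline-jdbc jdbc-username="ofbiz"
        jdbc-password="ofbiz"/>
</datasource>
<datasource name="localmysqlolap" field-type-name="mysql">
    <inline-jdbc jdbc-username="ofbizolap" jdbc-password="constructed-Xq7f2Lm9"/>
</datasource>
EOF
}

sample_config | weak_datasources
```

Against a real installation, run it as weak_datasources framework/entity/config/entityengine.xml; no output means every datasource in use has a password that differs from its user name.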

Seed the database

Then run gradle to seed the database. It is recommended to use the demo data, as there are lots of dependencies in various tables on having at least one record in some other seemingly unrelated table.

If you want the demo data, simply run


$ ./gradlew cleanAll loadAll

Here is the invocation to avoid having the demo data but still have an admin login:


$ ./gradlew "ofbiz --load-data readers=seed,seed-initial" loadAdminUserLogin -PuserLoginId=admin

Launch the server

Because I set this up on a cloud, I changed host-headers-allowed to match my domain so I could log in remotely on my VM.


framework/security/config/security.properties

# -- no spaces after commas,no wildcard, can be extended of course...
host-headers-allowed=localhost,127.0.0.1,example.ca


$ ./gradlew ofbiz

Once this works, you may want to set this up as a systemd service in /etc/systemd/system/ofbizd.service:


[Unit]
Description=OFBiz Service Daemon
After=network.target auditd.service

[Service]
User=ofbiz
WorkingDirectory=/var/www/ofbiz
ExecStart=/var/www/ofbiz/gradlew ofbiz
ExecStop=/var/www/ofbiz/gradlew 'ofbiz --shutdown'

[Install]
WantedBy=multi-user.target

Now you can start the service in the systemd way:


$ sudo systemctl start ofbizd.service


You will also want to enable the service on reboot:


$ sudo systemctl enable ofbizd.service

Connect and Test Login

You should be able to log in as admin at this point (default password is ofbiz): https://example.ca:8443/accounting.

This is using a self-signed certificate that came with OFBiz, so you will need to accept it in your browser to proceed, but not to worry, in a bit we will be setting up a proper Let's Encrypt certificate.

Secure with SSL

We need to change a few things here. The strategy is to use Apache for the SSL, and proxy using AJP on the OFBiz side.
First, disable ordinary HTTP access for our site, since we are only using a proxy to AJP.

Disable HTTP and HTTPS in OFBiz:

framework/webapp/config/url.properties

no.http=N
port.https.enabled=N
port.http=
service.http.parameters.require.encrypted=N

Enable Proxy service:


$ sudo a2enmod proxy
$ sudo a2enmod proxy_ajp

Here I create a regular (port 80) configuration, because I can then use certbot to create a modified version, and add redirection code to this, but you can skip this phase if you wish.

/etc/apache2/sites-available/example.conf

<VirtualHost *:80>
    ServerName example.ca
    DocumentRoot /var/www/ofbiz/
    ProxyRequests Off
    <Proxy *>
        AddDefaultCharset off
        Require all granted
    </Proxy>
    ProxyVia On
    ProxyPreserveHost On
    ProxyPass /.well-known !
    ProxyPass "/" "ajp://localhost:8009/"
</VirtualHost>

Then enable the site with:

$ sudo a2ensite example
$ sudo service apache2 reload

Now we need to enable SSL:

Get a certificate from Let's Encrypt.


$ sudo certbot --apache certonly -n -d example.ca

Then we can redirect non-SSL (80) to SSL (443).

Enabling SSL with LetsEncrypt certificates

Finally, proxy port 443 to the AJP (8009) port:

/etc/apache2/sites-available/example-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.ca
    DocumentRoot /var/www/ofbiz/
    ProxyRequests Off
    <Proxy *>
        AddDefaultCharset off
        Require all granted
    </Proxy>
    ProxyVia On
    ProxyPreserveHost On
    ProxyPass /.well-known !
    ProxyPass "/" "ajp://localhost:8009/"

    ServerAlias example.ca
    SSLCertificateFile /etc/letsencrypt/live/example.ca/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.ca/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>


Then enable the secure site with:

$ sudo a2ensite example-le-ssl
$ sudo service apache2 reload



Lastly, we can enable redirects from our http port 80 site to the SSL side:

/etc/apache2/sites-available/example.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} =example.ca
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

And reload once again and test.

$ sudo service apache2 reload
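
With Apache terminating TLS and forwarding to ajp://localhost:8009/, the OFBiz connectors only need to accept connections from the same machine. The check below is an added example, not part of the original guide: it reads ss -ltn output and lists listeners on the ports named in this guide (8009 and 8443) that are not bound to a loopback address. The function names and the sample output are constructed.

```shell
# Added example, not part of the original guide.
# exposed_listeners PORT...: read `ss -ltn` output on stdin and print the local
# address of every listener on one of PORT... not bound to a loopback address.
exposed_listeners() {
    awk -v ports=" $* " '
    $1 == "LISTEN" {
        sock = $4                          # Local Address:Port column
        if (!match(sock, /:[0-9]+$/)) next # trailing ":port"
        port = substr(sock, RSTART + 1)
        addr = substr(sock, 1, RSTART - 1)
        if (index(ports, " " port " ") == 0) next
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        if (addr ~ /^\[::ffff:127\./) next # IPv4-mapped loopback
        print sock
    }'
}

# Constructed sample of `ss -ltn` output for a host set up as in this guide.
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511                *:443             *:*
LISTEN 0      100        127.0.0.1:8009      0.0.0.0:*
LISTEN 0      100                *:8443            *:*
LISTEN 0      100             [::]:8009         [::]:*
EOF
}

# check_ofbiz_ports: succeed only when 8009 and 8443 are loopback-only.
# Live use: ss -ltn | check_ofbiz_ports
check_ofbiz_ports() {
    found=$(exposed_listeners 8009 8443)
    [ -z "$found" ] && return 0
    printf 'not loopback-only: %s\n' $found >&2
    return 1
}

sample_ss | exposed_listeners 8009 8443
```

A listener reported here may still be blocked by a host or cloud firewall; the check only shows what the process is bound to.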

Secure Sockets Layer Connection

Now a connection looks like:

https://example.ca/webtools

Static Content

Have Apache serve up static content directly, by not proxying it through Tomcat.

/etc/apache2/sites-available/example-le-ssl.conf


<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.ca
    DocumentRoot /var/www/ofbiz/
    ProxyRequests Off
    ProxyVia On
    ProxyPreserveHost On
    <Proxy *>
        AddDefaultCharset off
        Require all granted
    </Proxy>
    <Location />
        ProxyPass ajp://localhost:8009/
    </Location>
    <LocationMatch "^/(?!js|css|png|jpg|jpeg|gif)">
        Require all granted
    </LocationMatch>

    ServerAlias example.ca
    SSLCertificateFile /etc/letsencrypt/live/example.ca/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.ca/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Ready for Business

https://cwiki.apache.org/confluence/display/OFBENDUSER/Apache+OFBiz+Business+Setup+Guide
