Step 8: Installing Jamf Pro

Jamf Pro Installation and Configuration Guide for Linux 11.23.0

  1. (Optional) Create a /tmp/jamf directory in which to temporarily store downloads, tools, and scripts for Jamf Pro by executing the following command:
    mkdir /tmp/jamf
  2. (Optional) Copy the ROOT.war file from the Jamf Pro manual download archive to the /tmp/jamf directory that you just created.
  3. Stop the Tomcat service by executing:
    sudo systemctl stop tomcat

    or

    sudo service tomcat stop
  4. Move the default Tomcat web app out of the way by executing:
    sudo mv /opt/tomcat/webapps/ROOT /opt/tomcat/webapps/TOMCAT
  5. Copy the Jamf Pro web app archive to the Tomcat webapps directory by executing a command similar to the following:
    sudo cp /tmp/jamf/ROOT.war /opt/tomcat/webapps/
  6. Assign appropriate access to the ROOT.war by executing:
    sudo chown tomcat:tomcat /opt/tomcat/webapps/ROOT.war
    sudo chmod 750 /opt/tomcat/webapps/ROOT.war
  7. Generate a keystore to enable SSL for Tomcat by executing a command similar to the following with the keypass, storepass, dname, and validity values customized for your environment:
    sudo keytool -genkey -alias tomcat -keyalg RSA \
      -keypass "changeit" -storepass "changeit" \
      -dname "CN=jamf.mycompany.com, OU=Jamf IT, O=Jamf, L=Minneapolis, ST=MN, C=US" \
      -keystore /opt/tomcat/keystore -validity <numdays>

    Make sure to enter the following attributes as appropriate to your site:

    Attribute   Value                                       Example
    CN=         Fully qualified domain name of the server   jamf.mycompany.com
    OU=         Organizational unit                         Jamf IT
    O=          Organization                                Jamf
    L=          Location (city or office)                   Minneapolis
    ST=         State, province, or county                  MN
    C=          Country or region                           US
  8. Back up the Tomcat server.xml configuration file by executing:
    sudo cp /opt/tomcat/conf/server.xml /opt/tomcat/conf/server.xml.bak
  9. Open the server.xml configuration file in a text editor with a command similar to:
    sudo vi /opt/tomcat/conf/server.xml
  10. Locate the following comment section in the file. Note that this is the "Connector on port 8443" section, not the "Connector on port 8443 with HTTP/2" section:
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
            This connector uses the NIO implementation.
            ...
    -->
  11. Replace the commented-out Connector tag (including its initial <!-- and trailing -->) that immediately follows the comment (shown in "a" below) with the Connector tag text shown in "b" below:

    a. <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
           ...
      -->
      <!--<Connector port="8443" ...
        ...
      />
      -->

    b. <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
                 This connector uses the NIO implementation that requires the
                 JSSE style configuration. When using the APR/native
                 implementation, the OpenSSL style configuration is required
                 as described in the APR/native documentation -->
      <Connector URIEncoding="UTF-8"
                 server="Apache Tomcat"
                 port="8443"
                 executor="tomcatThreadPool"
                 SSLEnabled="true"
                 maxPostSize="-1"
                 scheme="https"
                 protocol="org.apache.coyote.http11.Http11Nio2Protocol"
                 sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
                 secure="true">
        <SSLHostConfig sslProtocol="TLS"
                       protocols="TLSv1.2"
                       honorCipherOrder="true"
                       certificateVerification="none"
                       ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                                TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                                TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                                TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                                TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                                TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                                TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                                TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                                TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                                TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                                TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" >
          <Certificate type="RSA"
                       certificateKeystoreFile="/opt/tomcat/keystore"
                       certificateKeystorePassword="changeit" />
        </SSLHostConfig>
      </Connector>
  12. Before saving the file, ensure the keystore password value (certificateKeystorePassword in the Certificate element above) is set to the value you used for storepass when creating the keystore.
  13. Save the server.xml file.
  14. Open the log4j2.xml file and change all of the log file paths from the following:
    fileName="/Library/JSS/Logs/[filename].log"
    filePattern="/Library/JSS/Logs/[filename].log.%i">

    to:

    fileName="/usr/local/jss/logs/[filename].log"
    filePattern="/usr/local/jss/logs/[filename].log.%i">
  15. Start the Tomcat service by executing:
    sudo systemctl start tomcat

    or

    sudo service tomcat start

    The Tomcat service will automatically unpack the ROOT.war file into a ROOT directory in the webapps directory.
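
A review aid for the Connector edited in steps 11 and 12, added here as an example and not part of the Jamf guide: it parses a server.xml, labels each configured cipher suite that uses static ECDH key exchange (no forward secrecy) or CBC mode (not AEAD), and reports a keystore password left at the sample value "changeit". The function names and the shortened sample XML are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a shortened copy of the step 11 Connector (4 of its suites).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                            TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
      <Certificate type="RSA" certificateKeystoreFile="/opt/tomcat/keystore"
                   certificateKeystorePassword="changeit" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""


def classify_cipher(name):
    """Return review notes for one JSSE cipher suite name (hypothetical helper)."""
    notes = []
    if name.startswith("TLS_ECDH_"):   # static ECDH; ECDHE names start TLS_ECDHE_
        notes.append("no-forward-secrecy")
    if "_CBC_" in name:                # CBC with HMAC rather than an AEAD mode
        notes.append("non-aead-cbc")
    return notes


def audit_server_xml(xml_text):
    """Return (port, issue, detail) findings for each TLS-enabled Connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        for host in conn.iter("SSLHostConfig"):
            # Newlines inside the attribute are normalised to spaces by the parser.
            for suite in (c.strip() for c in host.get("ciphers", "").split(",")):
                for note in classify_cipher(suite):
                    findings.append((port, note, suite))
            for cert in host.iter("Certificate"):
                if cert.get("certificateKeystorePassword") == "changeit":
                    findings.append((port, "default-keystore-password", "changeit"))
    return findings


if __name__ == "__main__":
    for port, issue, detail in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port}: {issue}: {detail}")
```

To check a live installation, pass the contents of /opt/tomcat/conf/server.xml to audit_server_xml instead of the sample.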