Alma/Rocky/CentOS

44min
Installing Passwork on following OS:
CentOS 8 Stream, Alma Linux 8, Rocky Linux 8.
CentOS 9 Stream, Alma Linux 9, Rocky Linux 9.
On this page you can switch between blocks of code to view the commands applicable to your version of the OS
1. Minimum system requirements
Passwork is not resource-heavy. How much disk space, RAM and CPU power you will need depends on the number of active users, the amount of stored data, and your requirements for fault-tolerance.
See the full system requirements﻿ 
If your server has 2-4 GB of RAM, we recommend enabling the SWAP file for libraries to compile properly.
﻿Enabling SWAP file on Linux﻿ 
2. Steps before installation
First, gain root access and update the local packages:
shell
sudo -i 
yum makecache
sudo -i 
yum makecache
﻿
Then, install web-server Apache2 and curl data transfer tool:
bash
yum install git httpd curl -y
yum install git httpd curl -y
﻿
Run httpd.service:
shell
systemctl start httpd.service
systemctl start httpd.service
﻿
And enable autostart:
shell
systemctl enable httpd.service
systemctl enable httpd.service
﻿
2.1 Installing and setting up Firewalld
Install the dynamically managed firewall Firewalld:
shell
yum install firewalld -y
yum install firewalld -y
﻿
Run firewalld.service:
shell
systemctl start firewalld.service
systemctl start firewalld.service
﻿
Enable autostart:
shell
systemctl enable firewalld.service
systemctl enable firewalld.service
﻿
Allow HTTP services in firewalld:
shell
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=http
﻿
Allow HTTPS services in firewalld:
shell
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=https
﻿
And apply the changes to firewalld:
shell
firewall-cmd --reload
firewall-cmd --reload
﻿
2.2 Disabling SELinux and restarting ОС
Edit the /etc/selinux/config configuration file:
shell
nano /etc/selinux/config
nano /etc/selinux/config
﻿
Change theSELINUX parameter from enforcing to disabled:
shell
SELINUX=disabled
SELINUX=disabled
﻿
Save the changes (Ctrl+O) and exit the terminal (Ctrl+X). Then, restart your system to apply the changes to SELinux:
shell
reboot
reboot
﻿
3. Installing PHP
Install the EPEL package and YUM package management tool:
Shell
yum -y install epel-release yum-utils
yum -y install epel-release yum-utils
﻿
Download and install the latest EPEL repository:
OS 8
OS 9
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
﻿
Download and install the repository for access to PHP versions:
OS 8
OS 9
dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm
dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm
﻿
Enable the PHP 8.3 modile from REMI repository:
Shell
dnf module enable php:remi-8.3
dnf module enable php:remi-8.3
﻿
Install PHP and its extensions:
Shell
dnf install -y php-cli php-fpm php-curl php-gd php-intl php-ldap php-bcmath php-mbstring php-pecl-mongodb php-mysqlnd php-opcache php-pgsql php-soap php-zip php-sqlite3 php-xml
dnf install -y php-cli php-fpm php-curl php-gd php-intl php-ldap php-bcmath php-mbstring php-pecl-mongodb php-mysqlnd php-opcache php-pgsql php-soap php-zip php-sqlite3 php-xml
﻿
3.1 Installing a PHP MongoDB driver
Install a PHP MongoDB driver:
Shell
pecl install mongodb
pecl install mongodb
﻿
Create configuration files for PHP MongoDB startup and activation:
Shell
echo "extension=mongodb.so" | tee /etc/php.d/20-mongodb.ini
echo "extension=mongodb.so" | tee /etc/php.d/20-mongodb.ini
﻿
3.2 Additional opcache configuration
Get the location of the opcache configuration file:
shell
opcache_path=$(php --ini | grep opcache | awk '{print $NF}' | sed 's/,//')
opcache_path=$(php --ini | grep opcache | awk '{print $NF}' | sed 's/,//')
﻿
Edit the configuration file:
shell
nano $opcache_path
nano $opcache_path
﻿
Add the following lines to the configuration file:
shell
opcache.memory_consumption=192
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=100000
opcache.validate_timestamps=0
opcache.revalidate_freq=0
opcache.preload=/var/www/config/preload.php
opcache.preload_user=apache
opcache.memory_consumption=192
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=100000
opcache.validate_timestamps=0
opcache.revalidate_freq=0
opcache.preload=/var/www/config/preload.php
opcache.preload_user=apache
﻿
﻿
4. Installing MongoDB database
Create a file to add MongoDB into YUM package manager
Shell
nano /etc/yum.repos.d/mongodb-org-6.0.repo
nano /etc/yum.repos.d/mongodb-org-6.0.repo
﻿
Add the following lines into the file:
OS 8
OS 9
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/9/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://pgp.mongodb.com/server-6.0.asc
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/9/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://pgp.mongodb.com/server-6.0.asc
﻿
Install MongoDB:
Shell
yum install mongodb-org -y
yum install mongodb-org -y
﻿
 Run mongod.service:
shell
systemctl start mongod.service
systemctl start mongod.service
﻿
And enable autostart:
shell
systemctl enable mongod.service
systemctl enable mongod.service
﻿
5. Obtaining a release candidate Passwork
Go to the Passwork customer portal and copy the certificate number for the Release Candidate:
﻿
Verify the available release candidate version of Passwork from the customer portal using the copied certificate number by query:
Shell
curl -X GET "https://portal.passwork.pro/api/version?rc=yes&apikey=CERTIFICATE" -w "\n"
curl -X GET "https://portal.passwork.pro/api/version?rc=yes&apikey=CERTIFICATE" -w "\n"
﻿
PowerShell
{"response":{"last-available-version":"xxxxxxxx"}}
{"response":{"last-available-version":"xxxxxxxx"}}
﻿
You need to make sure that a release candidate version of Passwork is available for downloading — 07xxxxxx
Get Passwork using a query:
Shell
curl -o "/var/www/passwork.zip" "https://portal.passwork.pro/api/download?rc=yes&apikey=CERTIFICATE"
curl -o "/var/www/passwork.zip" "https://portal.passwork.pro/api/download?rc=yes&apikey=CERTIFICATE"
﻿
Unzip the release candidate version of Passwork to a physical location:
shell
unzip /var/www/passwork.zip -d /var/www/
unzip /var/www/passwork.zip -d /var/www/
﻿
Give apache owner privileges for the files and directories:
shell
find /var/www/ -type d -exec chmod 755 {} \;
find /var/www/ -type f -exec chmod 644 {} \;
chown -R apache:apache /var/www/
find /var/www/ -type d -exec chmod 755 {} \;
find /var/www/ -type f -exec chmod 644 {} \;
chown -R apache:apache /var/www/
﻿
6. Setting up Apache2 for HTTP access to Passwork
Open the virtual host configuration file for HTTP:
shell
nano /etc/httpd/conf.d/non-ssl.conf
nano /etc/httpd/conf.d/non-ssl.conf
﻿
Edit the file so it looks as follows:
shell
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/public
    <Directory /var/www/public>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
    ErrorLog logs/error_log
    TransferLog logs/access_log
    LogLevel warn
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/public
    <Directory /var/www/public>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
    ErrorLog logs/error_log
    TransferLog logs/access_log
    LogLevel warn
</VirtualHost>
﻿
Restart the web server (httpd.service):
shell
systemctl restart httpd.service
systemctl restart httpd.service
﻿
You can open http://passwork.local or http://127.0.0.1 to test your Passwork connection
7. Passwork parameter checklist
When you connect to Passwork for the first time, you will need to go over the checklist that includes:
Automatic parameter checking
Checking connection to MongoDB database
Change the connection to MongoDB to the address — mongodb://localhost:27017
Generating an encryption key for MongoDB
License verification
After finishing the checklist, you will be offered to create the first Passwork user and set their login, password and email address for notifications.
This user is always local and the owner of Passwork by default, in case of assigning LDAP/SSO user an owner, it will automatically become local and you will not be able to authorise in Passwork
8. Setting up HTTPS connection
8.1 Generating a self-signed SSL certificate
Install a SSL module for Apache2:
shell
yum install mod_ssl -y
yum install mod_ssl -y
﻿
Create a new directory to store the private key and the certificate in:
shell
mkdir /etc/ssl/private
mkdir /etc/ssl/private
﻿
Use OpenSSL to generate a self-signed X.509 certificate for Apache2:
shell
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj '/CN=your.domain.name' -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj '/CN=your.domain.name' -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
﻿
Common Name (CN) — Specify the IP of your server or host. This field is important, as the certificate should match the domain or IP of your website;
subjectAltName (SAN) — Альтернативное имя домена или IP-адрес.
Generate Diffie-Hellman parameters with the key length of 2048:
shell
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
﻿
Add Diffie-Hellman parameters to the self-signed certificate:
shell
cat /etc/ssl/certs/dhparam.pem | tee -a /etc/ssl/certs/apache-selfsigned.crt
cat /etc/ssl/certs/dhparam.pem | tee -a /etc/ssl/certs/apache-selfsigned.crt
﻿
Give root access to the user to secure the private key and the certificate:
shell
chmod 700 /etc/ssl/private
chmod 700 /etc/ssl/private
﻿
8.2 Configuring a virtual host to access Passwork via HTTPS
Open the virtual host configuration file for HTTPS connection:
shell
nano /etc/httpd/conf.d/ssl.conf
nano /etc/httpd/conf.d/ssl.conf
﻿
Find the section that starts with <VirtualHost _default_:443> and edit it as follows:
Uncomment the DocumentRoot line and change the path to Passwork's root folder /var/www/public
Uncomment the ServerName line and change www.example.com to the IP or the domain of the server (it should match the Common Name of the certificate):
Shell
DocumentRoot /var/www/public
ServerName passwork.local:443
DocumentRoot /var/www/public
ServerName passwork.local:443
﻿
Add the <Directory> directive after ServerName:
Shell
<Directory /var/www/public>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
		Require all granted
</Directory>
<Directory /var/www/public>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
		Require all granted
</Directory>
﻿
Comment the SSLProtocol and SSLCipherSuite lines:
Shell
# SSLProtocol all -SSLv2
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
# SSLProtocol all -SSLv2
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
﻿
Update the paths to certificate files, which were generated earlier:
shell
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
﻿
After editing the file, check if the virtual host configuration file matches the example:
shell
Listen 443
<VirtualHost _default_:443>
    DocumentRoot /var/www/public
    ServerName passwork.local:443
    <Directory /var/www/public>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
		Require all granted
    </Directory>
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
Listen 443
<VirtualHost _default_:443>
    DocumentRoot /var/www/public
    ServerName passwork.local:443
    <Directory /var/www/public>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
		Require all granted
    </Directory>
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
﻿
Restart the web server (httpd.service):
bash
systemctl restart httpd.service
systemctl restart httpd.service
﻿
Check the HTTPS connection to Passwork using https://passwork.local﻿
8.3 Setting up Passwork for work over HTTPS
When using a secure SSL connection (HTTPS), client browsers require certain flags to process Passwork data.
If the session.cookie_secure flag is not set, browsers will not be able to establish a connection, which may result in authorization errors.
Enable the ;session.cookie_secure parameter in /etc/php.ini:
bash
sed -i '/session.cookie_secure =/c session.cookie_secure = On' /etc/php.ini
sed -i '/session.cookie_secure =/c session.cookie_secure = On' /etc/php.ini
﻿
Do not set this parameter or reset it to its original value if you change your mind about using SSL and work over the HTTP protocol.
9. Configure background tasks
Background tasks are tasks that are executed by the scheduler in the background. For example, LDAP synchronisation, loading favicons, and other tasks that are time-consuming, persistent, or resource-allocating.
See a guide on setting up background tasks﻿.
Updated 09 Mar 2025
Did this page help you?
Debian
Windows Server