This documentation assumes that you already have access to a PostgreSQL server or hosted PostgreSQL database, and that Guacamole has already been installed using Glyptodon Enterprise. If you do not already have a PostgreSQL server ready, please set up a PostgreSQL instance before proceeding. If you do not already have Guacamole installed, please see the installation instructions.
Installing PostgreSQL support for Guacamole
Glyptodon Enterprise packages Guacamole’s PostgreSQL support within the glyptodon-guacamole-auth-jdbc-postgresql package. This package must be installed before creating Guacamole’s database within PostgreSQL, as it includes the SQL scripts necessary for doing so:
Creating and initializing the Guacamole database
If you haven’t already done so, a database specific to Guacamole needs to be created within PostgreSQL. The database can be called anything you like; all that matters is that the database be dedicated to Guacamole, and not shared by different applications:
Guacamole will not automatically initialize the database with the required schema. You will need to do this yourself using the SQL scripts provided with the glyptodon-guacamole-auth-jdbc-postgresql package, which are located within the
|Creates all tables and indexes which are required for the PostgreSQL authentication extension to function.|
|Creates a default administrative user, “guacadmin”, with password “guacadmin”. These credentials will need to be changed once PostgreSQL authentication is confirmed to be working.|
The above scripts must be run in sequence, as it is the first script which actually creates the database schema. The second script, which defines a default administrative user, can only successfully run if the tables created by the first script exist. The simplest way to run both scripts in sequence is to concatenate them:
Alternatively, the scripts can be run individually, as long as the order is correct:
Connecting Guacamole to PostgreSQL
To execute queries against the database, Guacamole will need its own database user with sufficient privileges. Because Guacamole does not automatically apply or update its own schema, the required privileges are minimal, dealing only with creation and maintenance of data within already-defined tables and indexes:
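The privileges described above, as an added example rather than the commands from the original documentation. It assumes a database named guacamole_db and a role named guacamole_user (both hypothetical names) and is run as a PostgreSQL superuser while connected to that database, after the schema scripts have been applied. It goes slightly beyond the paragraph by also querying the catalog to confirm the role holds nothing more than data-level access:

```sql
-- Added example. Assumed names (not from the original page):
--   database guacamole_db, role guacamole_user.
-- Run as a superuser while connected to guacamole_db.

-- Login role with no elevated attributes. These are the CREATE ROLE
-- defaults, written out so the intent is visible in review.
CREATE ROLE guacamole_user WITH LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE
    PASSWORD 'REPLACE_WITH_GENERATED_PASSWORD';  -- placeholder value

-- Data-level access only: the role can read and write rows, but cannot
-- create, alter, drop, or truncate the tables themselves.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA public TO guacamole_user;
GRANT SELECT, USAGE
    ON ALL SEQUENCES IN SCHEMA public TO guacamole_user;

-- PostgreSQL 14 and earlier allow every role to create objects in schema
-- public by default; PostgreSQL 15 removed that default. Revoking it here
-- is a no-op where it is already absent.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Verification 1: database- and schema-level privileges held by the role.
-- Only can_connect should be needed for Guacamole to operate.
SELECT
    has_database_privilege('guacamole_user', current_database(), 'CONNECT')
        AS can_connect,
    has_database_privilege('guacamole_user', current_database(), 'CREATE')
        AS can_create_schema,
    has_schema_privilege('guacamole_user', 'public', 'CREATE')
        AS can_create_table;

-- Verification 2: list any table in schema public that the role owns or
-- can TRUNCATE. Each row returned is a table where the role holds more
-- than the data-level access granted above.
SELECT c.relname,
       has_table_privilege('guacamole_user', c.oid, 'TRUNCATE') AS can_truncate,
       pg_get_userbyid(c.relowner) = 'guacamole_user'           AS is_owner
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND (has_table_privilege('guacamole_user', c.oid, 'TRUNCATE')
       OR pg_get_userbyid(c.relowner) = 'guacamole_user');
```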
Guacamole’s main configuration file, /etc/guacamole/guacamole.properties, must now be modified to specify the credentials of the PostgreSQL user and to point to the PostgreSQL database:
The guacamole.properties file provided with Glyptodon Enterprise is organized into sections documented with blocks of comments and example properties. The first section which must be modified is marked “JDBC-1” and defines the TCP connection information for the database in use. Uncomment the postgresql-hostname and postgresql-port properties, modifying their values to point to your PostgreSQL server:
The “JDBC-2” section, which defines the database name and associated credentials, must also be modified to specify the correct database name, username, and password. These values are given with the postgresql-database, postgresql-username, and postgresql-password properties respectively:
Guacamole will generally only load new extensions and reread guacamole.properties during the startup process. To apply the configuration changes, Guacamole (and thus Tomcat) must be restarted:
If you are using SELinux (the default on both CentOS and RHEL), you must also configure SELinux to allow Tomcat to connect to the database over the network:
To make sure everything is working as expected, you should also visit your Guacamole instance with a web browser (most likely at http://HOSTNAME:8080/guacamole/, where “HOSTNAME” is the hostname or IP address of your server). If all is working correctly, you should see a login screen with a username/password prompt, and you will be able to log in using the default account created with the
If Guacamole is not accessible after the Tomcat service has been restarted, verify that you have indeed configured SELinux to allow Tomcat to connect to the database and check the SELinux audit logs (/var/log/audit/audit.log) for AVC denials.
Once you have verified that you can log in successfully, you should immediately change the password, as keeping default accounts unchanged is dangerous. While logged into Guacamole, you can access the built-in password changing interface by clicking on your username in the upper-right corner of the screen and selecting “Settings”.