
Install the Guacamole Client

The Guacamole client is a Java-based web application which contains all
the Java and JavaScript code required for running the user interface of
Guacamole. It ultimately creates a web application which connects to the
guacd daemon running in the background using the Guacamole protocol. In
the foreground, it renders the remote desktop interface in the web browser
using HTML5 for authorized users.
Unlike the Guacamole server, the Guacamole client does not need to be
compiled and installed from source. A cross-platform Guacamole client
binary is available to download and install. The Guacamole binary requires
a Java web server to run. In this tutorial, we will install Apache Tomcat 8
to run the Guacamole binary file.
Install Java 8 runtime on your server. Installing JDK is not required since
we do not need to compile any Java code.
yum -y install java-1.8.0-openjdk.x86_64

Create a new group and user for Tomcat installation. Running the
Tomcat server with an unprivileged user is recommended for security
reasons.
groupadd tomcat
useradd -M -s /bin/nologin -g tomcat -d /opt/tomcat tomcat

Download the latest Tomcat server of version 8.5 from Apache mirror.
wget http://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.28/bin/apache-tomcat-8.5.28.tar.gz

Extract the archive into /opt/tomcat directory.


mkdir /opt/tomcat
tar xvf apache-tomcat-8*.tar.gz -C /opt/tomcat --strip-components=1

Provide appropriate permissions and ownership to Tomcat server files.


cd /opt/tomcat
chgrp -R tomcat /opt/tomcat
chmod -R g+r conf
chmod g+x conf
chown -R tomcat webapps/ work/ temp/ logs/

Create a new systemd service file for managing the Tomcat server.
nano /etc/systemd/system/tomcat.service

Populate the file with the following configuration.


[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target
[Service]
Type=forking
Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/bin/kill -15 $MAINPID
User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always
[Install]
WantedBy=multi-user.target

Start the Tomcat server and enable it to automatically start at boot time.
systemctl start tomcat
systemctl enable tomcat

You can check if Tomcat is running by going to http://your-server-ip:8080
using your favorite web browser. You should see the default
Tomcat page. If you are getting an error, then make sure that port
"8080" is allowed in Security group rules.
Since we have installed the Tomcat server, download the Guacamole
client binary file using the following command.
wget "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/0.9.14/binary/guacamole-0.9.14.war" -O guacamole-0.9.14.war

Move the Guacamole client file to the Tomcat's webapps directory.


mv guacamole-0.9.14.war /opt/tomcat/webapps/guacamole.war

Restart the Tomcat server.


systemctl restart tomcat

The Guacamole client is now installed on your server. You can check if
the Guacamole client is working by going to
http://your-server-ip:8080/guacamole using your favorite browser. You
should see the Guacamole login interface. You will not be able to log in
yet, as we have not configured authentication yet.

Setting Up Authentication
The Guacamole client supports multiple authentication mechanisms
such as file-based auth, database auth, OAuth, and LDAP. In this section
of the tutorial, we will configure the database authentication using
MySQL database server.
A MySQL database will be used to store the authentication and other data.
Since we do not require the high performance and scalability
that ApsaraDB provides, we will install the MySQL server on the same
ECS instance.
Install the MariaDB server, which is an open source fork of MySQL.
yum -y install mariadb mariadb-server

Start the MariaDB server and enable it to automatically start at boot
time.
systemctl start mariadb
systemctl enable mariadb

Set a password for the MySQL root user and secure the server instance
by removing the test database and user.
mysql_secure_installation

Now log in to your MySQL shell using the root user and the password you
just created.
mysql -u root -p

Run the following queries to create a new database named guacdb along
with guacdb-user having full access to the database. Please change
StrongPassword to a very strong password.
CREATE DATABASE guacdb CHARACTER SET utf8 COLLATE utf8_general_ci;
CREATE USER 'guacdb-user'@'localhost' IDENTIFIED BY 'StrongPassword';
GRANT ALL PRIVILEGES ON guacdb.* TO 'guacdb-user'@'localhost';
FLUSH PRIVILEGES;
EXIT;

Now that our database server is running, we need to install the MySQL
connector and Guacamole JDBC auth plugin. Create new directories to
store the plugins.
mkdir -p /etc/guacamole/{extensions,lib}

Download the MySQL connector extension from the MySQL site.


cd /tmp
wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-5.1.45.tar.gz

Extract and move the MySQL connector into /etc/guacamole/lib.


tar xf mysql-connector-java-5.1.45.tar.gz
mv mysql-connector-java-5.*/mysql-connector-java-5.*.jar /etc/guacamole/lib/

Download the Guacamole JDBC authentication extension from the
Apache Guacamole site.
cd /tmp
wget "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/0.9.14/binary/guacamole-auth-jdbc-0.9.14.tar.gz" -O guacamole-auth-jdbc-0.9.14.tar.gz

Extract the archive and move the extension to the
/etc/guacamole/extensions directory.
tar xf guacamole-auth-jdbc-0.9.14.tar.gz
mv guacamole-auth-jdbc-0.9*/mysql/guacamole-auth-jdbc-mysql-0.9*.jar /etc/guacamole/extensions/

Since we have already created the database and database user, we can
proceed to create the database schema and import the initial data. The
schema is shipped along with the JDBC extension.
Import the SQL schema and initial data into the guacdb database using
the following command. Provide the password of the MySQL root user
when prompted.
cd guacamole-auth-jdbc-0.9*/mysql/schema
cat *.sql | mysql -u root -p guacdb

Create a new configuration file for Apache Guacamole so it can override
the default configuration.
nano /etc/guacamole/guacamole.properties

Populate the file with the following configuration. Make sure to replace
StrongPassword with the actual password of guacdb-user.
# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacdb
mysql-username: guacdb-user
mysql-password: StrongPassword
mysql-default-max-connections-per-user: 0
mysql-default-max-group-connections-per-user: 0
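
The file above stores the database password in clear text, and a file created from a root shell with the usual umask ends up readable by every local user. The following audit function is an added example, not part of the original tutorial; the function name audit_guac_properties, the root:tomcat ownership with mode 640 it suggests, and the sample file it runs on are assumptions constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: audit guacamole.properties after following the steps above.
# Flags (1) permission bits that let "other" users read the clear-text
# mysql-password and (2) a password left empty or at the tutorial placeholder.
# Prints one finding per line; returns 0 when clean, 1 otherwise.

audit_guac_properties() {
    local file="$1" placeholder="${2:-StrongPassword}" status=0 mode password

    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 1
    fi

    # Octal mode such as 644 (GNU stat, as on CentOS). The last digit is the
    # "other" class; anything but 0 there exposes the password to local users.
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        *0) ;;
        *)  echo "PERMS $file is mode $mode; use root:tomcat with mode 640"
            status=1 ;;
    esac

    # Java properties syntax allows "key: value" and "key=value"; last one wins.
    password=$(sed -n 's/^[[:space:]]*mysql-password[[:space:]]*[=:][[:space:]]*//p' "$file" | tail -n 1)
    if [ -z "$password" ]; then
        echo "PASSWORD mysql-password is missing or empty"
        status=1
    elif [ "$password" = "$placeholder" ]; then
        echo "PASSWORD mysql-password is still the placeholder '$placeholder'"
        status=1
    fi
    return "$status"
}

# Demo on a constructed copy of the file from this tutorial (not a real system).
sample=$(mktemp)
printf '%s\n' 'mysql-hostname: localhost' 'mysql-username: guacdb-user' \
    'mysql-password: StrongPassword' > "$sample"
chmod 644 "$sample"    # what a root shell with umask 022 produces
audit_guac_properties "$sample" || true
rm -f "$sample"
```

On a real server, call audit_guac_properties /etc/guacamole/guacamole.properties after editing the file; the tomcat group needs read access because the service runs as user and group tomcat.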

Set the GUACAMOLE_HOME environment variable so that the Guacamole
server can read the configuration file and the extensions.
echo "export GUACAMOLE_HOME=/etc/guacamole" >> ~/.bash_profile
source ~/.bash_profile

Disable SELinux as it causes errors when running Guacamole.


sed -i 's/enforcing/disabled/g' /etc/selinux/config
setenforce 0

Restart the Guacamole proxy daemon and Tomcat server so that the new
configuration can take effect.
systemctl restart guacd
systemctl restart tomcat

The Guacamole client authentication is now configured on your server.
You can check if you can log in by going to
http://your-server-ip:8080/guacamole using your favorite browser. Log in
using the default administrator user guacadmin and password guacadmin.
