ACC | Installing Adobe Campaign on Debian

Adobe Campaign, Marketing Automation
15 minutes read#administration #apache #certbot #debian #ssl

Psst! Listen up, fellow campaigners! Did you know that you can actually install Adobe Campaign Classic locally and it won’t cost you a penny? Of course, you won’t be able to run actual marketing campaigns with it, but you can use it as your personal development playground. It’s like having a sandbox, but for grown-ups. Go ahead, unleash your inner marketing genius and play around with Adobe Campaign to your heart’s content!

Before we dive into the setup process for Adobe Campaign, we need to install Debian Linux on VirtualBox or any other virtual machine platform. This will serve as our personal server running on the virtual machine, which we will later connect with the rich client.

The first step is to download the latest release from Adobe’s software distribution. If you do not have an account, you will need to create one. Once you are on the platform, navigate to the server utilities section where you can choose the latest version available for the Debian version that you have installed or plan to install on the virtual machine. In our case, we will download the latest installation files for Adobe Campaign for Debian 11.

First command to run in our freshly installed Debian 11 terminal is always for installing updates.

sudo apt update
sudo apt upgrade

But before somehow I did not see setting during the installation that the newly created user will belong to the sudo group. If the same happend to you during the installation run following command for your user if you all good skip it.

sudo adduser <username> sudo

If you are using VirtualBox, it is also necessary to install Guest Additions. Without these tools, you will not be able to share files with the virtual machine, and you will need to download the Adobe Campaign installation files separately. (Alternatively, you can download the rpm files directly from the Debian preinstalled browser.)

This action will autorun the process which will self install the necessary tools.

All the necessary files are available in the virtual machine, so we can proceed directly to the main event of this installation – running the package manager to install our beloved power marketing platform.

dpkg -i nlserver6-v7-XXXX-linux-2.6-amd64.deb

This will leave you with errors regarding dependencies that need to be installed

Selecting previously unselected package nlserver6-v7.
(Reading database ... 33880 files and directories currently installed.)
Preparing to unpack nlserver6-v7-9359-amd64_deb11.deb ...
Unpacking nlserver6-v7 (9359.0.0) ...
dpkg: dependency problems prevent configuration of nlserver6-v7:
 nlserver6-v7 depends on libc-ares2; however:
  Package libc-ares2 is not installed.
 nlserver6-v7 depends on libpcre16-3; however:
  Package libpcre16-3 is not installed.
 nlserver6-v7 depends on openjdk-11-jdk-headless; however:
  Package openjdk-11-jdk-headless is not installed.

And to install these missing dependecies run following command

apt-get install -f

With Adobe Campaign server installed now we also have install database engine. I have selected PosgtreSQL as it is Open Source and supported by Adobe Campaign

sudo apt install postgresql
Configure PosgreSQL

By default, PostgreSQL is configured to use the “peer” authentication method, which means that it will only allow users to log in if their system username matches their PostgreSQL username. To change this, you can edit the pg_hba.conf file, which is located in the /etc/postgresql/<version>/main/ directory.

Open the file in a text editor:

sudo nano /etc/postgresql/<version>/main/pg_hba.conf

Replace <version> with the version number of PostgreSQL installed on your system (e.g. 13).

Find the line that reads:

local   all             all                                     peer

And change “peer” to “md5”, like this:

local   all             all                                     md5

Save and close the file.

Restart PostgreSQL

Run the following command to restart the PostgreSQL service:

sudo systemctl restart postgresql
Issues with postgres user password

In case you are unable to create a new user or access the interactive terminal ‘psql‘, it may be because during the second installation of PostgreSQL, you were not prompted to set a password.

root@debian-2gb-fsn1-1:~# sudo -u postgres createuser --interactive
could not change directory to "/root": Permission denied
Enter name of role to add: accdbuser
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
createuser: error: could not connect to database template1: FATAL:  password authentication failed for user "postgres"

To fix this, you need to change the configuration for the local PostgreSQL authentication method and set the last column to “ident”. This means that PostgreSQL will use the operating system’s user authentication to verify the user’s identity. You can use this method to run all commands below and then change back the settings to “md5”.

Then you can change password by

sudo -u postgres psql
\password postgres

To quit interactive terminal type:

Add a new user

To add a new user in PostgreSQL, run the following command:

This will launch an interactive prompt where you can enter the name of the new user and specify whether it should be a superuser or not.

sudo -u postgres createuser --interactive

Now we will set user password by following commands if not already asked for it:

sudo -u postgres psql
 ALTER USER accdbuser PASSWORD 'accdbuser'
Create database

We will create database our database with following command:

sudo -u postgres createdb <database_name>
Create adobe campaign instance

With all set we can start to create our AC instance but first we need to switch to neolane user by:

sudo su - neolane

Now we can create our first AC instance configuration files.

nlserver config -verbose -addinstance:sandbox/*/eng

We have to change internal user password by running:

nlserver config -internalpassword

It comes with empty password, this by the default serverConf.xml configuration is not allowed, so when the prompts for the current password, we do not have to type anything and just press enter to the next step and set up the new password.

NOTE: if you ever forget the internal password you can reset it by removing attribute value from serverConf.xml, reload configuration and run the previous ‘nlserver config -internalpassword‘ command.

    <!-- XTK authentication mode 
         internalPassword :  Password of internal account 
         internalSecurityZone :  Authorized zone for the internal account Default: 'lan' -->
      <xtk internalPassword="<remove_my_forgotten_password>"

Reload configuration

nlserver config -reload
Enable services in instance configuration

Find your sandbox instance configuration under /usr/local/neolane/nl6/conf/ and change it as follows.

<?xml version='1.0'?>
    <dataStore hosts="*" lang="eng" uploadWhitelist="(?i).*\.(jpg|jpeg|png|favicon|xml|gif|bmp|txt|tab|csv|css|htm|html|zip|pdf|ppt|pptx|xls|xlsx|doc|docx|odt|p12|p8)">
      <dataSource name="default">
        <dbcnx encrypted="1" login="accdbuser:accdb" password="<pwd>"
               provider="PostgreSQL" server="localhost"/>
<!-- do not need mail server to run for now -->
  <mta autoStart="false" statServerAddress="">
        <IPAffinity name="default,mid.default,dev.default,test.default">
          <!--  For dev instances, if you need a default IP (not recommended), use address="" -->
          <IP address="" heloHost="" publicId="" weight=""/>

  <stat autoStart="true"/>
  <!-- we want to run after configuration is done if set to true we will produce error log for wfserver.log -->
  <wfserver autoStart="false"/>
  <inMail autoStart="false"/>
  <sms autoStart="false"/>
  <interactiond autoStart="false"/>

    <redirection IMSOrgId="" databaseId="" trackingPassword=""/>

  <securityZone name="public">
    <securityZone name="vpn">
      <!-- Add customer specifc IPs here, HTTPS access will be mandatory to login
      <subNetwork name="Cus1" mask="x.x.x.x/y"/>

We can run Adobe Campaign instance by following command

nlserver watchdog -svc -noconsole

Command above is one of the most used commands when working with Adobe Campaign application server from shell. You can mark it down somewhere for future reference.

Another helpful command to know is how to check which Adobe Campaign processes are currently running, based on your instance configuration. This is a useful way to monitor the health and performance of your Adobe Campaign instance.

nlserver pdump
neolane@debian:~$ nlserver pdump
20:13:56 >   Application server for Adobe Campaign Classic (7.3.3 build 9359@c636bf3 of 03/06/2023)
watchdog (126636) - 6.5 MB
syslogd@default (126585) - 26.0 MB
stat@nxp_sandbox (126609) - 42.2 MB
web@default (126610) - 259.6 MB
Notes for Virtual Machine installation

I was unable to connect to the Adobe Campaign server from my host operating system while using VM network settings set to NAT. After switching to Bridged networking mode, however, my virtual machine was able to appear as a separate physical device on my network, making it much easier to connect to and access from my host machine. However, I recognize that I may need to find a more permanent solution in the future since I will need to change connection details every time I start my server. If any of you have experience making NAT mode work, I would greatly appreciate your advice

As far as I know, the issue is not related to the firewall since Debian does not come with a default firewall installed. I have attempted to make it work with port forwarding, but this has not resolved the problem. Additionally, I have tried several solutions found on Stack Overflow, but unfortunately, none of them have worked for me.

To switch networkgin mode we need to open our Debian VM settings and hange Network adapter mode to the Bridged Adapter. That’s it we are all set, almost.

Next we have check the IP address of our virtual machine by running a command:

ip addr show

That will give us plenty of information, for us is relevant enp0s3 inet ip address, which from example below, is

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
   inet scope host lo
      valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
   inet brd scope global dynamic enp0s3
      valid_lft 85605sec preferred_lft 85605sec
   inet6 fe80::a00:27ff:fe68:5410/64 scope link
      valid_lft forever preferred_lft forever

sing the rich client from our host environment. Be sure to download the correct version of the rich console client from the same software distribution page.

Integrating web server

If you are hosting your sandbox on a virtual private server (VPS), you need to integrate a web server with the Adobe Campaign application server before you can connect to and configure it. However, if you don’t need to upload files via the rich console, you can skip the web server integration step for your local sandbox on a virtual machine (VM).

  1. Install apache server
sudo apt install apache2

After apache is installed you can follow documentation found on the official Adobe Campaign pages. Can be found by searching “Integration into a Web server for Linux”

  1. Disable apache modes. It will ask you that you trying to disable essential modules and we need to force disbale them by adding -f at the end.
a2dismod auth_basic authn_file authz_default authz_user autoindex cgi dir env negotiation userdir -f
Mods explained you can skip if you are not interested
  • auth_basic: This module provides basic authentication for web pages and requires users to enter a username and password to access certain pages. Disabling this module could compromise the security of your web application by allowing unauthorized access to protected resources.
  • authn_file: This module allows you to authenticate users against a file-based authentication system. Disabling this module could prevent users from being able to authenticate, which could result in a degraded user experience or even a complete loss of functionality, depending on how your web application is designed.
  • authz_default: This module provides a default authorization scheme for your web application, allowing you to restrict access to certain resources based on various criteria. Disabling this module could result in unauthorized access to protected resources or even a complete loss of functionality, depending on how your web application is designed.
  • authz_user: This module allows you to control access to resources based on user authentication status. Disabling this module could result in unauthorized access to protected resources or even a complete loss of functionality, depending on how your web application is designed.
  • autoindex: This module provides directory indexing, which allows users to view the contents of a directory on the web server. Disabling this module could prevent users from being able to access certain resources or even a complete loss of functionality, depending on how your web application is designed.
  • cgi: This module allows you to run CGI scripts on the web server. Disabling this module could prevent users from being able to access certain resources or even a complete loss of functionality, depending on how your web application is designed.
  • dir: This module provides directory-based configuration options for Apache. Disabling this module could prevent users from being able to access certain resources or even a complete loss of functionality, depending on how your web application is designed.
  • env: This module provides environment-based configuration options for Apache. Disabling this module could prevent users from being able to access certain resources or even a complete loss of functionality, depending on how your web application is designed.
  • negotiation: This module allows Apache to perform content negotiation to determine the best representation of a resource to send to the client. Disabling this module could prevent users from being able to access certain resources or even a complete loss of functionality, depending on how your web application is designed.
  • userdir: This module allows users to have personal web directories on the server. Disabling this module could prevent users from being able to access their personal web directories or even a complete loss of functionality, depending on how your web application is designed.
  1. Create the file nlsrv.load in /etc/apache2/mods-available and insert the following content.

This step was at least from what I understood only for Debian 8 as in the official documentation. But without it I could not enable apache mod later.

LoadModule requesthandler24_module /usr/local/[INSTALL]/nl6/lib/
  1. Create symbolic link to apache neolane configuration into apache mods-available configuration folder (it is similar to shortcut in winodws, this will make sure when we update AC build the configuration stays up to date)
ln -s /usr/local/neolane/nl6/conf/apache_neolane.conf /etc/apache2/mods-available/nlsrv.conf
  1. Enable apache configuration
a2enmod nlsrv
  1. Edit apache envvars  /etc/apache2/envvars
# Added Neolane
if [ "$LD_LIBRARY_PATH" != "" ]; then export LD_LIBRARY_PATH="/usr/local/neolane/nl6/lib:$LD_LIBRARY_PATH"; else export LD_LIBRARY_PATH=/usr/local/neolane/nl6/lib; fi
export USERPATH=/usr/local/neolane
  1. Add Adobe Campaign users to the Apache user group
usermod neolane -G www-data
usermod www-data -G neolane
  1. Restart apache (good to know command)
sudo systemctl start apache2

Now the <domain>/r/test should work and give you something similar to

<redir status='OK' date='2023-05-09 18:13:37.604Z' build='9359' sha1='c636bf3' instance='sandbox' sourceIP='' host='' localHost='host'/>
Adding SSL certificates

Adobe Campaign by default wont let you connect over http. This can be changed in the instance configuration overriding the security zones settings. Take a look at the serverConfig.xml and you may find that http is only allowed when you are connecting from the localhost (same machine) all other zones allowHttp is set to false.

 <!-- Security zone 
       allowDebug :  Authorize debug mode for Web applications Default: false 
       allowEmptyPassword :  Authorize the user to use the application without a password Default: false 
       allowHTTP :  Authorize the use of HTTP for operator logon Default: false 
       allowSQLInjection :  Authorize the use of SQLDATA in expressions Default: false 
       allowUserPassword :  Authorize user/password session tokens Default: false 
       label :  Label Default: NewLabel() 
       name :  Internal name Default: NewName() 
       sessionTokenOnly :  Do not use the security token Default: false 
       showErrors :  Display error details Default: false -->
      <!-- subNetwork :  Sub-network 
         label :  Label Default: NewLabel() 
         mask :  Mask or address 
         name :  Internal name Default: NewName() 
         proxy :  Mask or address of (reverse) proxy used by this sub-network to access the instance. In this case, the 'X-Forwarded-For' header will be tested instead of this proxy. Default: -->
      <!-- securityZone :   

You can override main configuration settings by copying zones configuration to your instance configuration.

NOTE:It is not good practice to change serverConfig.xml unless the setting is used by all instances eg. enabling TLS protocol for email MTA server.

You can set the allowHTTP for public zone to true.

For SSL encryption, I recommend using Let’s Encrypt. It offers a free and reliable solution that is suitable for most websites. Let’s Encrypt certificates are recognized by major web browsers and can improve your website’s security and search engine rankings.

For Let’s Encrypt SSL certificates we need to install certbot first. Certbot is a free and open-source software tool that simplifies the process of obtaining and renewing SSL/TLS certificates from Let’s Encrypt, a certificate authority that provides free SSL/TLS certificates.

sudo apt-get install certbot python3-certbot-apache

Obtain Let’s Encrypt SSL certificates.

sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email -d -d
  • sudo certbot: This command runs certbot, the tool used to obtain and install SSL/TLS certificates.
  • --apache: This option specifies that you want to use the Apache plugin for certbot, which automatically updates your Apache virtual host configuration files to use SSL/TLS.
  • --agree-tos: This option tells certbot to agree to the Let’s Encrypt Terms of Service.
  • --redirect: This option configures Apache to automatically redirect all HTTP traffic to HTTPS, ensuring that all traffic is encrypted.
  • --hsts: This option configures Apache to use HTTP Strict Transport Security (HSTS), which instructs web browsers to always use HTTPS when connecting to your website, even if the user types in “http://” in the address bar.
  • --staple-ocsp: This option enables OCSP stapling, which improves the performance and security of SSL/TLS by caching certificate validation information.
  • --email This option specifies the email address to be used for important account notifications and for renewing the SSL/TLS certificates before they expire.
  • -d -d These options specify the domain names for which you want to obtain SSL/TLS certificates. In this example, certbot will request certificates for both and

Certbot will add following configuration under /etc/apache/sites-available.

-rw-r--r-- 1 root root 1.5K May  7 11:26 000-default-le-ssl.conf

Change the certbot configuration:

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
          		#you can set your email as contact in case users come across any apache error
                #ServerAdmin webmaster@localhost
          		#do not need
         		#DocumentRoot /var/www/html
                #include  apache_neolane.conf @todo: test without it :)
                include /usr/local/neolane/nl6/conf/apache_neolane.conf

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on
                SSLCertificateFile     /etc/letsencrypt/live/
                SSLCertificateKeyFile  /etc/letsencrypt/live/
          		Include /etc/letsencrypt/options-ssl-apache.conf

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Certbot –apache also enables the site configuration and reloads the apache configuration for you

Check if the SSL ceritificates are working

First instance configuration

If we are not accessing Adobe Campaign instance from the same network or VPN we have to at least for the configuration purpose change security zone for internal user to public so our login will not be rejected.

      <xtk internalPassword="pwd"
           internalSecurityZone="lan"/><!--  default seeting is 'lan' change it to 'public' only for configuration -->

Everytime we deploy new configuration and connect to that instance, the first login will lead us through the deployment wizard.

On the first step we select our DB engine and server host which is localhost and select to use existing database, we have created it already before.

Fill the connection strings for database set timezone settings (these cannot be changed after)

Last but not least is to select what packages we want to install. I have selected for now only Marketing campaigns (Campaign) as you can always return back to it and install more later. Also beware here you cannot remove these packages once they are installed.

Last step before installation of all packages we will have to set password for admin user. Which is second system user along with the internal.

Now you can close the window and login again as admin. Enjoy!

NOTE: admin user by default security zone is set to LAN so if we run our instance on virtual private server we should add another administrator user or change security zone of admin user.

I have not configured anything yet nor installed any additional packages. I will add to this article more information later.