Boundary Enterprise (self-managed) - PoC - Boundary service status has error

Hello all,
I am building a test Boundary Enterprise (self-managed) PoC, but I have an error (code=exited, status=3). Can you help me fix it?
```
sudo systemctl status boundary
● boundary.service - "HashiCorp Boundary - Identity-based access management for dynamic infrastructure"
     Loaded: loaded (/lib/systemd/system/boundary.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Thu 2024-02-29 16:29:00 +07; 694ms ago
       Docs: Documentation | Boundary | HashiCorp Developer
    Process: 15735 ExecStart=/usr/bin/boundary server -config=/etc/boundary.d/controller.hcl (code=exited, status=3)
   Main PID: 15735 (code=exited, status=3)
```

file controller.hcl:
sudo vi /etc/boundary.d/controller.hcl

```hcl
# disable memory from being swapped to disk
disable_mlock = true

# API listener configuration block
listener "tcp" {
  # Should be the address of the NIC that the controller server will be reached on
  # Use 0.0.0.0 to listen on all interfaces
  address = "0.0.0.0:9200"
  # The purpose of this listener block
  purpose = "api"

  # TLS Configuration
  tls_disable   = false
  tls_cert_file = "/etc/boundary.d/tls/boundary-cert.pem"
  tls_key_file  = "/etc/boundary.d/tls/boundary-key.pem"

  # Uncomment to enable CORS for the Admin UI. Be sure to set the allowed origin(s)
  # to appropriate values.
  #cors_enabled = true
  #cors_allowed_origins = ["https://yourcorp.yourdomain.com", "serve://boundary"]
}

# Data-plane listener configuration block (used for worker coordination)
listener "tcp" {
  # Should be the IP of the NIC that the worker will connect on
  address = "0.0.0.0:9201"
  # The purpose of this listener
  purpose = "cluster"
}

# Ops listener for operations like health checks for load balancers
listener "tcp" {
  # Should be the address of the interface where your external systems'
  # (eg: Load-Balancer and metrics collectors) will connect on.
  address = "0.0.0.0:9203"
  # The purpose of this listener block
  purpose = "ops"

  tls_disable   = false
  tls_cert_file = "/etc/boundary.d/tls/boundary-cert.pem"
  tls_key_file  = "/etc/boundary.d/tls/boundary-key.pem"
}

# Controller configuration block
controller {
  # This name attr must be unique across all controller instances if running in HA mode
  name        = "boundary-controller-1"
  description = "Boundary controller number one"

  # This is the public hostname or IP where the workers can reach the
  # controller. This should typically be a load balancer address
  public_cluster_addr = "https://x.x.x.x:9200

  # Enterprise license file, can also be the raw value or env:// value
  license = "file:///etc/boundary.d/boundary.hclic"

  # After receiving a shutdown signal, Boundary will wait 10s before initiating the shutdown process.
  graceful_shutdown_wait_duration = "10s"

  # Database URL for postgres. This is set in boundary.env and
  # consumed via the "env://" notation.
  database {
    url = "postgresql://postgres:postgres@x.x.x.x:5432/boundary"
    max_open_connections = 5
  }
}

# Events (logging) configuration. This
# configures logging for ALL events to both
# stderr and a file at /var/log/boundary/controller.log
events {
  audit_enabled       = true
  sysevents_enabled   = true
  observations_enable = true
  sink "stderr" {
    name        = "all-events"
    description = "All events sent to stderr"
    event_types = ["*"]
    format      = "cloudevents-json"
  }
  sink {
    name        = "file-sink"
    description = "All events sent to a file"
    event_types = ["*"]
    format      = "cloudevents-json"
    file {
      path      = "/var/log/boundary"
      file_name = "controller.log"
    }
    audit_config {
      audit_filter_overrides {
        sensitive = "redact"
        secret    = "redact"
      }
    }
  }
}

# Root KMS Key (managed by AWS KMS in this example)
# Keep in mind that sensitive values are provided via ENV VARS
# in this example, such as access_key and secret_key

# Root KMS configuration block: this is the root key for Boundary
# Use a production KMS such as AWS KMS in production installs
kms "aead" {
  purpose   = "root"
  aead_type = "aes-gcm"
  key       = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
  key_id    = "global_root"
}

# Worker authorization KMS
# Use a production KMS such as AWS KMS for production installs
# This key is the same key used in the worker configuration
kms "aead" {
  purpose   = "worker-auth"
  aead_type = "aes-gcm"
  key       = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
  key_id    = "global_worker-auth"
}

# Recovery KMS block: configures the recovery key for Boundary
# Use a production KMS such as AWS KMS for production installs
kms "aead" {
  purpose   = "recovery"
  aead_type = "aes-gcm"
  key       = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
  key_id    = "global_recovery"
}
```

Please recommend an action to fix it.
P.S.: I am building the server locally, on-premises.

Thanks,
EP
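
A pre-flight lint for a config like the one posted above, as an added example (not part of the original post and not HashiCorp tooling): it flags typographic quotes, unterminated strings and unbalanced braces, plus inline AEAD keys, key material shared between `kms` blocks, and a database password embedded in the URL. The function name `lint`, the finding labels and every value in the sample are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the controller.hcl in the post; all values are dummies.
SAMPLE = """\
controller {
  public_cluster_addr = "https://192.0.2.10:9200
  database {
    url = "postgresql://boundary:dummy-pw@192.0.2.20:5432/boundary"
  }
}
kms "aead" {
  purpose = "worker-auth"
  key = "DUMMY-KEY-NOT-A-REAL-SECRET="
}
kms \u201caead\u201d {
  purpose = "recovery"
  key = "DUMMY-KEY-NOT-A-REAL-SECRET="
}
"""

def lint(text):
    """Return sorted (line_number, finding) pairs for an HCL config given as text."""
    findings, depth, keys = [], 0, defaultdict(list)
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.strip().replace('\\"', "")        # ignore escaped quotes
        if not s or s.startswith(("#", "//")):    # skip blanks and full-line comments
            continue
        if re.search("[\u201c\u201d\u2018\u2019]", s):
            findings.append((n, "typographic-quote"))
        if s.count('"') % 2:
            findings.append((n, "unterminated-string"))
        bare = re.sub(r'"[^"]*"', "", s)          # braces inside strings do not count
        depth += bare.count("{") - bare.count("}")
        m = re.match(r'(\w+)\s*=\s*"([^"]*)"', s)
        attr, val = m.groups() if m else (None, None)
        if attr == "key":                         # literal key material in the file
            findings.append((n, "inline-kms-key"))
            keys[val].append(n)
        elif attr == "url" and re.search(r"://[^/@:]+:[^@]+@", val):
            findings.append((n, "db-password-in-url"))
    for lines in keys.values():                   # same key seen in more than one block
        findings += [(n, "kms-key-reused") for n in lines[1:]]
    if depth != 0:
        findings.append((0, "unbalanced-braces"))  # line 0 = whole-file finding
    return sorted(findings)

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

The checks are line-based heuristics rather than a full HCL parse, so multi-line values and trailing comments are not handled.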