Post on 04-May-2018
White Paper
Fabasoft on Linux - Preparation Guide for Red Hat Enterprise Linux
Fabasoft Folio 2017 R1
Copyright © Fabasoft R&D GmbH, Linz, Austria, 2018.
All rights reserved. All hardware and software names used are registered
trade names and/or registered trademarks of the respective manufacturers.
No rights to our software or our professional services, or results of our
professional services, or other protected rights can be based on the handing
over and presentation of these documents.
Contents
1 Introduction
2 Software Requirements
3 Required Information
4 Installation of Red Hat Enterprise Linux
4.1 Required Packages
4.2 Step by Step Guide
5 Red Hat Linux Tests
6 Kerberos Authentication
6.1 Key Creation for Fabasoft Folio Backend Services
6.1.1 ADERPC Key Creation
6.1.2 HTTP Key Creation
6.2 Import of Keys on Linux Servers
6.3 Kerberos Tests
6.3.1 First test
6.3.2 Second test
1 Introduction
This document describes the installation and preparation of Red Hat Enterprise Linux (x64) to run
the following Fabasoft Folio Services:
Fabasoft Folio Backend Services,
Fabasoft Folio Web Services,
Fabasoft Folio Conversion Services, and
Fabasoft Folio AT Services.
Chapter 2 “Software Requirements” covers the assumed system environment, the supported
platforms and the software on which the descriptions in this document are based.
Chapter 3 “Required Information” lists information needed during the installation process.
Chapter 4 “Installation of Red Hat Enterprise Linux” describes the installation of Red Hat Enterprise
Linux on 64 bit architecture.
Chapter 5 “Red Hat Linux Tests” describes the tests that have to be performed after the installation of
Red Hat Enterprise Linux.
Chapter 6 “Kerberos Authentication” describes the necessary steps to prepare the environment to
use Kerberos authentication for Fabasoft Folio Services.
2 Software Requirements
System environments: All information contained in this document implicitly assumes a Red Hat
Linux environment.
Supported platforms: For detailed information on supported operating systems and software see
the software product information on the Fabasoft distribution media.
Make sure that the BIOS option to first try to start from CD-ROM is enabled.
This document assumes the utilization of a Microsoft Windows Active Directory domain controller
as Kerberos Key Distribution Centre (KDC).
General Linux knowledge is necessary to perform and maintain an installation as described in this
document.
Descriptions in this document are based on the following software:
Third-party products for nodes running
Fabasoft Folio Backend Services (COO, MMC and gateway services):
o Red Hat Enterprise Linux 7.4 (x64)
Fabasoft Folio Web Services
o Red Hat Enterprise Linux 7.4 (x64)
o Oracle Java SE Runtime Environment 8 Update 161 (JRE)
Current version: http://www.oracle.com/technetwork/java/javase/downloads/index.html
Archive: http://www.oracle.com/technetwork/java/archive-139210.html
Fabasoft Folio Conversion Services
o Red Hat Enterprise Linux 7.4 (x64)
o Oracle Java SE Runtime Environment 8 Update 161 (JRE)
Current version: http://www.oracle.com/technetwork/java/javase/downloads/index.html
Archive: http://www.oracle.com/technetwork/java/archive-139210.html
o LibreOffice 5.4.5 (x64)
http://www.libreoffice.org
Fabasoft Folio AT Services
o Red Hat Enterprise Linux 7.4 (x64)
o Oracle Java SE Runtime Environment 8 Update 161 (JRE)
Current version: http://www.oracle.com/technetwork/java/javase/downloads/index.html
Archive: http://www.oracle.com/technetwork/java/archive-139210.html
3 Required Information
The following information is necessary during the installation and/or preparation of Red Hat
Enterprise Linux. Prepare this information before beginning the installation.
Name or IP address of the time server
IP address of the computer Red Hat Enterprise Linux is installed on
Host name of the computer Red Hat Enterprise Linux is installed on
IP address of the gateway server
IP address(es) of the DNS server(s)
Domain name
IP address of the domain controller
4 Installation of Red Hat Enterprise Linux
4.1 Required Packages
Make sure that the following packages are installed. In case of a “Desktop” installation, the packages
written in bold have to be installed.
Package | Fabasoft Folio Backend Services | Fabasoft Folio Web Services | Fabasoft Folio Conversion Services | Fabasoft Folio AT Services | Other Fabasoft Folio Services
openldap x x x x x
openssl x x x x x
gtk2 x x x x x
dos2unix x x x x x
xorg-x11-xinit x x x x x
libjpeg x x x x x
libpng x x x x x
libtiff x x x x x
alsa-lib x x x x x
libtool-ltdl x x x x x
httpd x x
unixODBC x x x x
xorg-x11-server-Xvfb x
mod_ssl x*
pam_ldap x
firefox x
Not on the Linux distribution media
Java Runtime Environment x x x x
LibreOffice (64-bit) x
Oracle Instant Client (if Oracle is used as RDBMS) x
*(only if SSL enabled)
4.2 Step by Step Guide
To install Red Hat Enterprise Linux, perform the following steps:
1. Insert the installation CD number 1 of Red Hat Enterprise Linux into the CD-ROM drive. Restart
the computer.
2. After restarting, the installation setup of Red Hat Enterprise Linux starts.
3. Press Enter to start the setup process.
4. First, it is possible to begin testing the CD media before actually starting the installation. Select
“Skip” to skip the CD test and press Enter.
Note: It is recommended to use original installation CDs from Red Hat. As these original CDs
are already tested, the CD test need not be performed. If self-made copies are used, it is
recommended that the CD test is performed at least once. For further information about the
CD test, consult the documentation of Red Hat.
5. Now the mouse can be used to navigate. Click “Next” to continue.
6. Select the language that should be used during the installation process. To follow this
documentation, select “English (English)” and click “Next”.
7. Select the appropriate keyboard connected to the system and click “Next”.
8. Select what type of devices your installation will involve and click “Next”.
9. Specify the hostname (not fully qualified) of the computer and click “Configure Network” to
configure the network card of this computer. Afterwards click “Next”.
Note: If no network card has been installed or the network card is not recognized by the
installation program the network configuration screen is not displayed.
Select Method “Manual” and enter the IP address of the computer (Address field), the Prefix
(Netmask), Gateway and the DNS server(s) and click “Apply…”
10. Select the location to set the correct time zone. Click “Next” to continue the installation process.
11. Enter the password for the system administrator (root). Click “Next” to continue.
12. Select Create custom layout and click “Next”.
13. Disk partitioning is dependent on the hardware.
We recommend using two partitions. One for the swap partition and one for the system
partition.
The size of the swap partition should be the size of the working memory of the computer. As it
is possible that the working memory of the computer is upgraded in the future it is
recommended to set the size of the swap partition to the maximum possible size of the
working memory of the computer.
Note: All Fabasoft Folio MMC Areas should be persisted on secure and fast storage systems,
such as, for instance, a SAN.
Use at least one dedicated partition to store the Fabasoft Folio MMC Areas.
14. To create a new partition click “Create”.
15. Enter the Mount Point and the Size (MB). Do not change the other options.
16. Click “OK”.
Repeat the process for all the partitions that should be created.
In the File System Type list, click “swap” for the swap partition.
17. After all necessary partitions have been created an overview is displayed.
18. When disk partitioning is finished, click “Next” to continue the installation process.
19. Now you can set the boot loader to be installed. Click “Next”.
20. Select Desktop, and click “Next”.
21. The installation process continues. A progress bar indicates the progress of the installation
process.
22. Finally the installation process is finished. The computer has to be restarted.
Click “Reboot” to restart the system.
After the system has restarted and finished the initialization process, a welcome screen is displayed.
There are a few more steps to take before the system is ready to use.
23. Click “Forward” to continue.
24. The License Agreement is shown on the screen. Read the License Agreement carefully and click
Yes, I agree to the Licence Agreement. Click “Forward” to continue.
25. Click “Forward” to continue.
26. It is not necessary to create a system user in this case. Click “Forward” to continue.
The following message is displayed:
Click “Yes” to continue.
27. The date and time for the system have to be set. Set the date by selecting the current year,
month and day and set the time by selecting the current hour, minute and second.
28. Select Synchronize date and time over the network.
Select each of the default servers in the server list and click “Delete”. In the NTP Servers box,
click “Add” and type the name or the IP address of the time server to use.
Setting the correct time server is important for Kerberos authentication.
Note: When Kerberos is used, it is mandatory that all servers within the Fabasoft Folio Domain
have their local clocks closely synchronized. This is usually accomplished using NTP
(Network Time Protocol) and a time server. Note that an Active Directory domain controller
provides an NTP-compliant time server, against which the system clocks of all Linux machines
are synchronized.
29. Don’t enable Kdump. Click “Finish”.
30. The installation of Red Hat Enterprise Linux is now completed. The graphical login screen is
displayed.
31. Log on as user root.
32. Open “Applications” > “System Tools” > “Terminal”.
The terminal is opened.
33. Make sure that the packages as described in chapter 4.1 “Required Packages” are installed.
After the installation process has finished, perform the following steps:
1. To set the hostname, execute the following command:
# nano /etc/hosts
2. Change the line 127.0.0.1 <computer name> localhost.localdomain localhost
into 127.0.0.1 localhost.localdomain localhost
3. Add a second line: <IP address of the computer> <computer name>.<domain name> <computer name>
Note: Press “Tab” for the space between the entries in one line.
4. Press Ctrl + X and confirm with Y or Enter to save the changes made.
5. Make sure that SELinux is disabled.
5 Red Hat Linux Tests
To confirm that the installation and configuration have been completed successfully, perform the
following steps:
1. To display the hostname, execute the following command:
# hostname
This command should only display the hostname of the Linux server (e.g.: fscbackend).
2. To display the fully qualified domain name, execute the following command:
# hostname -f
This command should display the hostname and the domain (e.g.: fscbackend.sub.comp.com).
3. localhost has to be resolved. Execute the following command:
# ping localhost
Note: Press Ctrl + C to end the command ping.
4. localhost.localdomain has to be resolved. Execute the following command:
# ping localhost.localdomain
Note: Press Ctrl + C to end the command ping.
5. ping <computer name> has to work. Execute the following command:
# ping fscbackend
Note: Press Ctrl + C to end the command ping.
6. ping <computer name>.<domain name> has to work. Execute the following command:
# ping fscbackend.sub.comp.com
Note: Press Ctrl + C to end the command ping.
The hostname and domain configuration of the Red Hat Linux installation has now been tested.
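The /etc/hosts layout required in chapter 4.2 can also be checked directly, which explains a wrong result from hostname -f before any ping is tried. The following script is an added example, not part of the Fabasoft guide; the function names and the address 192.0.2.10 are assumptions made for the example, the host and domain names are the guide's own.

```shell
#!/bin/sh
# Added example: checks a hosts file against the layout from chapter 4.2.
# Usage: check_hosts_file FILE IP NAME DOMAIN
# Prints one line per problem; returns non-zero if any problem is found.
check_hosts_file() {
    awk -v ip="$2" -v name="$3" -v fqdn="$3.$4" '
        /^[ \t]*(#|$)/ { next }          # skip comment and blank lines
        { sub(/#.*/, "") }               # strip trailing comments
        $1 == "127.0.0.1" {
            loop = 1
            for (i = 2; i <= NF; i++) {
                # The computer name must no longer be on the loopback line.
                if ($i == name || $i == fqdn) {
                    print "loopback line still lists " $i; bad = 1
                }
                if ($i == "localhost") lh = 1
                if ($i == "localhost.localdomain") lhd = 1
            }
        }
        $1 == ip {
            host = 1
            # The first name on a line is the canonical one, which is what
            # "hostname -f" reports, so the FQDN has to come first.
            if ($2 != fqdn) {
                print "first name for " ip " is " $2 ", expected " fqdn; bad = 1
            }
            short = 0
            for (i = 3; i <= NF; i++) if ($i == name) short = 1
            if (!short) { print "short name " name " missing on " ip " line"; bad = 1 }
        }
        END {
            if (!loop || !lh || !lhd) {
                print "127.0.0.1 must map localhost.localdomain and localhost"; bad = 1
            }
            if (!host) { print "no line for " ip; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample files: "before" is the installer default described in
# step 2, "after" is the result of steps 2 and 3. 192.0.2.10 is a
# documentation address chosen for this example.
write_samples() {
    printf '127.0.0.1\tfscbackend localhost.localdomain localhost\n' > "$1/before"
    printf '127.0.0.1\tlocalhost.localdomain localhost\n' > "$1/after"
    printf '192.0.2.10\tfscbackend.sub.comp.com\tfscbackend\n' >> "$1/after"
}

# Check the real file when called as: sh check_hosts.sh IP NAME DOMAIN
if [ $# -eq 3 ]; then
    check_hosts_file /etc/hosts "$1" "$2" "$3"
fi
```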
6 Kerberos Authentication
On nodes intended for Fabasoft Folio Web Services, SPNEGO authentication for the Apache Web
Server as an extension module is provided. SPNEGO authentication allows single sign on via
Kerberos and Active Directory even from a Fabasoft Folio Web Client (similar and compatible to
integrated login on the Microsoft platform).
Additionally, configure /etc/krb5.conf to use the Active Directory domain as Kerberos realm and
its domain controller as Kerberos Key Distribution Centre.
To configure /etc/krb5.conf, perform the following steps:
1. Open the /etc/krb5.conf file in an editor.
2. Configure krb5.conf as follows.
Replace the values in <> with the appropriate values for the domain. In case of problems, consult
the Kerberos documentation.
[libdefaults]
    default_realm = <SUB.COMP.COM>
    dns_fallback = false
    forwardable = true
    proxiable = true
[realms]
    <SUB.COMP.COM> = {
        kdc = <IP address of the Domain Controller>[:<port>, [options]]
        admin_server = <IP address of the Domain Controller>[:<port>, [options]]
    }
[domain_realm]
    <.company.com> = <SUB.COMPANY.COM>
Note: Pay attention to the entries written in uppercase (e.g. <SUB.COMP.COM>).
Basic Kerberos authentication has now been configured on the newly installed server.
6.1 Key Creation for Fabasoft Folio Backend Services
6.1.1 ADERPC Key Creation
For each Linux server running kerberized Fabasoft Folio Services, a distinct ADERPC key has to be
exported.
To create an ADERPC key for Fabasoft Folio Backend Services, perform the following steps:
1. Log on to the primary Active Directory domain controller.
2. Open the MMC snap-in “Active Directory Users and Computers” (dsa.msc).
3. Add a user with an arbitrary logon name of your choice for each Fabasoft Folio server.
A common prefix is recommended.
Example: ADERPC-fscbackend
4. Click “Next”.
5. Select the User cannot change password and the Password never expires check boxes.
6. To create the user click “Next”.
A Kerberos user has been created.
7. Execute the following command: setspn -A ADERPC/<fqdn> <user account>
Example: setspn -A ADERPC/fscbackend.sub.comp.com ADERPC-fscbackend
8. On the “Delegation” tab of the user’s properties dialog box click Trust this user for delegation to
any service (Kerberos only).
9. On the “Account” tab of the user’s properties dialog box click Use DES encryption types for this
account (DES-CBC-MD5) or select This account supports Kerberos AES 256 bit encryption (AES256-SHA1).
Now a Kerberos key needs to be transferred to the according Linux computer. To export the key
from Active Directory, the ktpass utility is required.
Execute the following command:
ktpass -crypto <crypto-type> -princ ADERPC/<fqdn>@<REALM> -ptype KRB5_NT_PRINCIPAL -mapuser <user account> -pass <password of the user account> -out <filename>
Possible crypto types:
DES-CBC-MD5 (Active Directory 2000/2003)
AES256-SHA1 (Active Directory 2008/2008 R2)
Note:
AES support is limited by some combinations of Microsoft operating systems.
For details see the Microsoft TechNet article “Kerberos Enhancements”.
http://technet.microsoft.com/en-us/library/cc749438(WS.10).aspx
Example: ktpass -crypto DES-CBC-MD5 -princ ADERPC/fscbackend.sub.comp.com@SUB.COMP.COM -ptype KRB5_NT_PRINCIPAL -mapuser ADERPC-fscbackend -pass <your password> -out fscbackendADERPC.key
Transfer the key file via a secure channel (e.g. using ssh) to the Linux server, where it needs to be
imported into the Kerberos key tab as described in chapter 6.2 “Import of Keys on Linux Servers”.
Note:
<REALM> is always all-upper-case.
It is imperative that <fqdn> matches the Linux server’s hostname in DNS and the entries in
Active Directory exactly; <fqdn> is also case-sensitive.
DNS entries for each Linux machine must exist for forward (type A) as well as for reverse (type
PTR) lookups.
The Active Directory user entries can be validated with “ADSI Edit”. Execute adsiedit.msc and
view the properties of the corresponding user. The attributes servicePrincipalName and
userPrincipalName shall look similar to the following example:
6.1.2 HTTP Key Creation
For each machine intended for Fabasoft Folio Web Services as well as all nodes running Fabasoft
Folio Web Management, an HTTP Kerberos key is required.
Perform the steps of chapter 6.1.1 ”ADERPC Key Creation” and replace “ADERPC” with “HTTP”.
Name the output file <hostname>HTTP.key, which would result in qavmlinuxrhelHTTP.key for our
example host.
6.2 Import of Keys on Linux Servers
First create a subdirectory fabasoft in /etc. In the terminal type:
mkdir /etc/fabasoft
Run the utility /usr/kerberos/sbin/ktutil.
Execute the following commands:
Read the specified Kerberos key file (created on the Microsoft Windows Server and
subsequently transferred to the Linux machine) into the current key list:
rkt /path/to/keyfile
Write that key into the Kerberos keytab file utilized by all Fabasoft Folio Services:
wkt /etc/fabasoft/krb5.keytab
Do the same for the HTTP key:
rkt /path/to/keyfile
wkt /etc/fabasoft/krb5.keytab
Type quit and press Enter to exit ktutil.
Note: The ownership and permissions of the file /etc/fabasoft/krb5.keytab need to be
changed to 644.
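After the import, the keytab can be checked against the notes in chapter 6.1.1: both the ADERPC and the HTTP principal must be present, the realm must be all upper case and the <fqdn> must match exactly, including case. The following script is an added example, not part of the Fabasoft guide; it parses the output of klist -k -e (MIT Kerberos, assumed to be on the PATH), the function names are assumptions, and the listings are constructed samples.

```shell
#!/bin/sh
# Added example: checks a "klist -k -e" listing read from stdin.
# Usage: klist -k -e /etc/fabasoft/krb5.keytab | check_keytab_listing FQDN REALM
# Prints one line per entry or problem; returns non-zero on any problem.
check_keytab_listing() {
    awk -v fqdn="$1" -v realm="$2" '
        BEGIN {
            if (realm != toupper(realm)) {
                print "realm " realm " is not all upper case"; bad = 1
            }
            want["ADERPC"] = 0; want["HTTP"] = 0
        }
        # Entry lines look like:  3 ADERPC/host.domain@REALM (enctype)
        $1 ~ /^[0-9]+$/ && index($2, "/") > 0 {
            split($2, p, "[/@]")     # p[1]=service, p[2]=host, p[3]=realm
            if (!(p[1] in want)) next
            enc = $3; gsub(/[()]/, "", enc)
            if (p[2] == fqdn && p[3] == realm) {
                want[p[1]]++
                # The encryption type is reported so that it can be compared
                # with the crypto type passed to ktpass.
                print "ok " $2 " kvno " $1 " " enc
            } else if (tolower(p[2]) == tolower(fqdn) &&
                       toupper(p[3]) == toupper(realm)) {
                print "case mismatch: keytab has " $2 \
                      ", expected " p[1] "/" fqdn "@" realm
                bad = 1
            }
        }
        END {
            for (s in want) if (!want[s]) {
                print "missing " s "/" fqdn "@" realm; bad = 1
            }
            exit bad + 0
        }
    '
}

# Constructed sample listings. "bad" carries an HTTP key that was exported
# with a differently cased host name.
sample_listing() {
    host=fscbackend
    if [ "$1" = bad ]; then host=FSCBackend; fi
    cat <<EOF
Keytab name: FILE:/etc/fabasoft/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   3 ADERPC/fscbackend.sub.comp.com@SUB.COMP.COM (aes256-cts-hmac-sha1-96)
   3 HTTP/$host.sub.comp.com@SUB.COMP.COM (aes256-cts-hmac-sha1-96)
EOF
}

# Check the real keytab when called as: sh check_keytab.sh FQDN REALM
if [ $# -eq 2 ]; then
    klist -k -e /etc/fabasoft/krb5.keytab | check_keytab_listing "$1" "$2"
fi
```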
6.3 Kerberos Tests
If one of the tests fails it is necessary to fix the problem before Fabasoft Folio is installed.
6.3.1 First test
Execute the following command and enter the user’s password when prompted:
/usr/kerberos/bin/kinit <Microsoft Windows user>
If no error message is returned, view the ticket cache with the following command:
/usr/kerberos/bin/klist
Verify the output (the default principal must correspond to the provided user):
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <Microsoft Windows user>@<SUB.COMPANY.COM>
Valid starting Expires Service principal
11/15/04 09:16:36 11/16/04 19:16:38 krbtgt/<SUB.COMPANY.COM>@<SUB.COMPANY.COM>
6.3.2 Second test
Issue the following command to acquire a ticket using the key in the Kerberos key tab file instead of
an interactive password:
/usr/kerberos/bin/kinit -k -t /etc/fabasoft/krb5.keytab <principalname>
Example: /usr/kerberos/bin/kinit -k -t /etc/fabasoft/krb5.keytab \
ADERPC/<hostname>.<sub.company.com>@<SUB.COMPANY.COM>
Note: ‘\’ denotes line continuation.
If no error message is returned, view the ticket cache with the following command:
/usr/kerberos/bin/klist
Verify the output (the default principal must correspond to the provided user):
Along the same lines, try the HTTP key.
/usr/kerberos/bin/kinit -k -t /etc/fabasoft/krb5.keytab \
HTTP/<hostname>.<sub.company.com>@<SUB.COMPANY.COM>
Note: ‘\’ denotes line continuation.
If no error message is returned, view the ticket cache with the following command:
/usr/kerberos/bin/klist
If any errors occur, consult the extensive Kerberos documentation.
If no errors occur the installation and configuration of Kerberos has been successful.