fabasoft on linux - preparation guide for red hat ... on linux... · 4 installation of red hat...

White Paper Fabasoft on Linux - Preparation Guide for Red Hat Enterprise

Linux

Fabasoft Folio 2017 R1

Fabasoft on Linux - Preparation Guide for Red Hat Enterprise Linux 2

Copyright © Fabasoft R&D GmbH, Linz, Austria, 2018.

All rights reserved. All hardware and software names used are registered

trade names and/or registered trademarks of the respective manufacturers.

No rights to our software or our professional services, or results of our

professional services, or other protected rights can be based on the handing

over and presentation of these documents.


Contents

1 Introduction _____________________________________________________________________________________ 4

2 Software Requirements _________________________________________________________________________ 4

3 Required Information ___________________________________________________________________________ 5

4 Installation of Red Hat Enterprise Linux _______________________________________________________ 5

4.1 Required Packages ________________________________________________________________________________ 5

4.2 Step by Step Guide ________________________________________________________________________________ 6

5 Red Hat Linux Tests ___________________________________________________________________________ 22

6 Kerberos Authentication ______________________________________________________________________ 22

6.1 Key Creation for Fabasoft Folio Backend Services _____________________________________________ 23

6.1.1 ADERPC Key Creation _______________________________________________________________________ 23

6.1.2 HTTP Key Creation __________________________________________________________________________ 27

6.2 Import of Keys on Linux Servers ________________________________________________________________ 27

6.3 Kerberos Tests __________________________________________________________________________________ 27

6.3.1 First test _____________________________________________________________________________________ 27

6.3.2 Second test _________________________________________________________________________________ 27


1 Introduction

This document describes the installation and preparation of Red Hat Enterprise Linux (x64) to run

Fabasoft Folio Services as there are:

Fabasoft Folio Backend Services,

Fabasoft Folio Web Services,

Fabasoft Folio Conversion Services, and

Fabasoft Folio AT Services.

Chapter 2 “Software Requirements” deals with assumed system environment and supported

platform as well as software the descriptions in this document are based on.

Chapter 3 “Required Information” lists information needed during the installation process.

Chapter 4 “Installation of Red Hat Enterprise Linux” describes the installation of Red Hat Enterprise

Linux on 64 bit architecture.

Chapter 5 “Red Hat Linux Tests” describes the tests, which have to be done after the installation of

Red Hat Enterprise Linux.

Chapter 6 “Kerberos Authentication” describes the necessary steps to prepare the environment to

use Kerberos authentication for Fabasoft Folio Services.

2 Software Requirements

System environments: All information contained in this document implicitly assumes a Red Hat

Linux environment.

Supported platforms: For detailed information on supported operating systems and software see

the software product information on the Fabasoft distribution media.

Make sure that the BIOS option to first try to start from CD-ROM is enabled.

This document assumes the utilization of a Microsoft Windows Active Directory domain controller

as Kerberos Key Distribution Centre (KDC).

General Linux knowledge is necessary to perform and maintain an installation as described in this

document.

Descriptions in this document are based on following software:

Third-party products for nodes running

Fabasoft Folio Backend Services (COO, MMC and gateway services):

o Red Hat Enterprise Linux 7.4 (x64)

Fabasoft Folio Web Services


o Oracle Java SE Runtime Environment 8 Update 161 (JRE)

Current version: http://www.oracle.com/technetwork/java/javase/downloads/index.html

Archive: http://www.oracle.com/technetwork/java/archive-139210.html

Fabasoft Folio Conversion Services


http://www.oracle.com/technetwork/java/javase/downloads/index.html

http://www.oracle.com/technetwork/java/archive-139210.html





o LibreOffice 5.4.5 (x64)

http://www.libreoffice.org

Fabasoft Folio AT Services





3 Required Information

The following information is necessary during the installation and/or preparation of Red Hat

Enterprise Linux. Prepare this information before beginning the installation.

Name or IP address of the time server

IP address of the computer Red Hat Enterprise Linux is installed on

Host name of the computer Red Hat Enterprise Linux is installed on

IP address of the gateway server

IP address(es) of the DNS server(s)

Domain name

IP address of the domain controller

4 Installation of Red Hat Enterprise Linux

4.1 Required Packages

Make sure that the following packages are installed. In case of a “Desktop” installation, the bold

written packages have to be installed.

Package

Fabasoft

Folio

Backend

Services

Fabasoft

Folio Web

Services

Fabasoft

Folio

Conversion

Services

Fabasoft

Folio AT

Services

Other

Fabasoft

Folio

Services

openldap x x x x x

openssl x x x x x

gtk2 x x x x x

dos2unix x x x x x

xorg-x11-xinit x x x x x

libjpeg x x x x x



http://www.libreoffice.org/




libpng x x x x x

libtiff x x x x x

alsa-lib x x x x x

libtool-ltdl x x x x x

httpd x x

unixODBC x x x x

xorg-x11-server-

Xvfb

x

mod_ssl x*

pam_ldap x

firefox x

Not on the Linux distribution media

Java Runtime

Environment

x x x x

LibreOffice (64-bit) x

Oracle Instant

Client (if Oracle is

used as RDBMS)

x

*(only if SSL enabled)

4.2 Step by Step Guide

To install Red Hat Enterprise Linux, perform the following steps:

1. Insert the installation CD number 1 of Red Hat Enterprise Linux into the CD-ROM drive. Restart

the computer.

2. After restarting, the installation setup of Red Hat Enterprise Linux starts.


3. Press Enter to start the setup process.

4. First, it is possible to begin testing the CD media before actually starting the installation. Select

“Skip” to skip the CD test and press Enter.

Note: It is recommended to use original installation CDs from Red Hat. As these original CDs

are already tested the CD test need not to be performed. If own copies are used it is

recommended that the CD test is performed at least once. For further information about the

CD test consult the documentation of Red Hat.


5. Now the mouse can be used to navigate. Click “Next” to continue.

6. Select the language that should be used during the installation process. To follow this

documentation, select “English (English)” and click “Next”.


7. Select the appropriate keyboard connected to the system and click “Next”.

8. Select what type of devices your installation will involve and click “Next”.


9. Specify the hostname (non fully qualified) of the computer and click “Configure Network” to

configure the network card of this computer. Afterwards click “Next”.

Note: If no network card has been installed or the network card is not recognized by the

installation program the network configuration screen is not displayed.

Select Method “Manual” and enter the IP address of the computer (Address field), the Prefix

(Netmask), Gateway and the DNS server(s) and click “Apply…”


10. Select the location to set the correct time zone. Click “Next” to continue the installation process.

11. Enter the password for the system administrator (root). Click “Next” to continue.


12. Select Create custom layout and click “Next”.

13. Disk partitioning is dependent on the hardware.

We recommend using two partitions. One for the swap partition and one for the system

partition.

The size of the swap partition should be the size of the working memory of the computer. As it

is possible that the working memory of the computer is upgraded in the future it is

recommended to set the size of the swap partition to the maximum possible size of the

working memory of the computer.

Note: All Fabasoft Folio MMC Areas should be persisted on secure and fast storage systems,

such as, for instance, a SAN.

Use at least one dedicated partition to store the Fabasoft Folio MMC Areas.

14. To create a new partition click “Create”.


15. Enter the Mount Point and the Size (MB). Do not change the other options.

16. Click “OK”.

Repeat the process for all the partitions that should be created.

In the File System Type list, click “swap” for the swap partition.


17. After all necessary partitions have been created an overview is displayed.

18. When disk partitioning is finished, click “Next” to continue the installation process.

19. Now you can set the boot loader to be installed. Click “Next”.


20. Select Desktop, and click “Next”.

21. The installation process continues. A progress bar indicates the progress of the installation

process.

22. Finally the installation process is finished. The computer has to be restarted.

Click “Reboot” to restart the system.


After the system restarted and finished the initialization process a welcome screen is displayed.

There are a few more steps to take before the system is ready to use.

23. Click “Forward” to continue.


24. The License Agreement is shown on the screen. Read the License Agreement carefully and click

Yes, I agree to the Licence Agreement. Click “Forward” to continue.

25. Click “Forward” to continue.


26. It is not necessary to create a system user in this case. Click “Forward” to continue.

The following message is displayed:

Click “Yes” to continue.


27. The date and time for the system have to be set. Set the date by selecting the current year,

month and day and set the time by selecting the current hour, minute and second.

28. Select Synchronize date and time over the network.

Select each of the default servers in the server list and click “Delete”. In the NTP Servers box,

click “Add” and type the name or the IP address of the time server to use”.

Setting the correct time server is important for Kerberos authentication.

Note: When Kerberos is used, it is mandatory that all servers within the Fabasoft Folio Domain

have their local clocks running narrowly in sync. This is usually accomplished using NTP


(Network time Protocol) and a time server. Note that an Active Directory domain controller

provides a NTP-compliant time server, against which the system clocks of all Linux machines

are synchronized.

29. Don’t enable Kdump. Click “Finish”.

30. The installation of Red Hat Enterprise Linux is now completed. The graphical login screen is

displayed.

31. Log on as user root.


32. Open “Applications” > “System Tools” > “Terminal”.

The terminal is opened.

33. Make sure that the packages as described in chapter 4.1 “Required Packages” are installed.

After the installation process has finished, perform the following steps:

1. To set the hostname execute the following command:

# nano /etc/hosts.


2. Change the line 127.0.0.1 <computer name> localhost.localdomain localhost

into 127.0.0.1 localhost.localdomain localhost

3. Add a second line: <IP address of the computer> <computer name>.<domain name> <computer name>

Note: Press “Tab” for the space between the entries in one line.

4. Press Ctrl + X and confirm with Y or Enter to save the changes made.

5. Make sure that SELinux is disabled.

5 Red Hat Linux Tests

To confirm, that the installation and configuration has been finished successfully, perform following

steps:

1. To display the hostname execute the following command: # hostname

This command should only display the hostname of the Linux server (e.g.: fscbackend).

2. To display the fully qualified domain name, execute the following command: # hostname -f

This command should display the hostname and the domain (e.g.: fscbackend.sub.comp.com).

3. localhost has to be resolved. Execute the following command: # ping localhost

Note: Press Ctrl + C to end the command ping.

4. localhost.localdomain has to be resolved. Execute the following command: # ping localhost.localdomain


5. ping <computer name> has to work. Execute the following command: # ping fscbackend


6. ping <computer name>.<domain name> has to work. Execute the following command: # ping fscbackend.sub.comp.com


The Red Hat Linux installation has been tested on hostname and domain.

6 Kerberos Authentication

On nodes intended for Fabasoft Folio Web Services, SPNEGO authentication for the Apache Web

Server as an extension module is provided. SPNEGO authentication allows single sign on via

Kerberos and Active Directory even from a Fabasoft Folio Web Client (similar and compatible to

integrated login on the Microsoft platform).

Additionally, configure /etc/krb5.conf to use the Active Directory domain as Kerberos realm and

its domain controller as Kerberos Key Distribution Centre.

To configure /etc/krb5.conf, perform the following steps:

1. Open the /etc/krb5.conf file in an editor.

2. Configure krb5.conf as follows.

Replace the values in <> with the appropriate values for the domain. In case of troubles consult

the Kerberos documentation.


[libdefaults]

default_realm = <SUB.COMP.COM>

dns_fallback = false

forwardable = true

proxiable = true

[realms]

<SUB.COMP.COM> = {

kdc = <IP address of the Domain Controller>[:<port>, [options]]

admin_server = <IP address of the Domain Controller>[: <port>, [options]]

}

[domain_realm]

<.company.com> = <SUB.COMPANY.COM>

Note: Attend to entries written in uppercase (e.g. <SUB.COMP.COM>).

The Kerberos authentication has been configured basically on the newly installed server.

6.1 Key Creation for Fabasoft Folio Backend Services

6.1.1 ADERPC Key Creation

For each Linux server running kerberized Fabasoft Folio Services, a distinct ADERPC key has to be

exported.

To create an ADERPC key for Fabasoft Folio Backend Services, perform the following steps:

1. Log on to the primary Active Directory domain controller.

2. Open the MMC snap in „Active Directory Users and Computers” (dsa.msc).

3. Add a user with an arbitrary logon name of your choice for each Fabasoft Folio server.

A common prefix is recommended.

Example: ADERPC-fscbackend

4. Click “Next”.


5. Select the User cannot change password and the Password never expires check boxes.

6. To create the user click “Next“.

A Kerberos user has been created.

7. Execute the following command: setspn -A ADERPC/<fqdn> <user account>

Example: setspn -A ADERPC/fscbackend.sub.comp.com ADERPC-fscbackend

8. On the “Delegation” tab of the user’s properties dialog box click Trust this user for delegation to

any service (Kerberos only).


9. On the „Account“ tab of the users’s properties dialog box click Use DES encryption types for this

account or select This account supports Kerberos AES 256 bit encryption.

DES-CBC-MD5:

AES256-SHA1:

Now a Kerberos key needs to be transferred to the according Linux computer. To export the key

from Active Directory, the ktpass utility is required.


Execute the following command:

ktpass -crypto <crypto-typ> -princ ADERPC/<fqdn>@<REALM> -ptype KRB5_NT_PRINCIPAL

-mapuser <user account> -pass <password of the user account> -out <filename>

Possible crypto types:

DES-CBC-MD5 (Active Directory 2000/2003)

AES256-SHA1 (Active Directory 2008/2008 R2)

Note:

AES support is limited by some combinations of Microsoft operating systems.

For details see the Microsoft TechNet article “Kerberos Enhancements”.

http://technet.microsoft.com/en-us/library/cc749438(WS.10).aspx

Example: ktpass -crypto DES-CBC-MD5 -princ ADERPC/[email protected] -

ptype KRB5_NT_PRINCIPAL -mapuser ADERPC-fscbackend -pass <your password> -out

fscbackendADERPC.key

Via secure channel (e.g. using ssh) transfer the key file to the Linux server, where it needs to be

imported in the Kerberos key tab as described in chapter 6.2 “Import of Keys on Linux Servers”.

Note:

<REALM> is always all-upper-case.

It is imperative that <fqdn> matches the Linux server’s hostname in DNS and the entries in

Active Directory exactly, <fqdn> is also case-sensitive.

DNS entries for each Linux machine must exist for forward (type A) as well as for reverse (type

PTR) lookups.

The Active Directory user entries can be validated with “ADSI Edit”. Execute adsiedit.msc and

view the properties of the corresponding user. The attributes servicePrincipalName and

userPrincipalName shall look similar to the following example:

http://technet.microsoft.com/en-us/library/cc749438(WS.10).aspx


6.1.2 HTTP Key Creation

For each machine intended for Fabasoft Folio Web Services as well as all nodes running Fabasoft

Folio Web Management, a HTTP Kerberos key is required.

Perform the steps of chapter 6.1.1 ”ADERPC Key Creation” and replace “ADERPC” with “HTTP”.

Name the output file <hostname>HTTP.key, which would result in qavmlinuxrhelHTTP.key for our

example host.

6.2 Import of Keys on Linux Servers

First create a subdirectory fabasoft in /etc. In the terminal type:

mkdir /etc/fabasoft.

Run the utility /usr/kerberos/sbin/ktutil.

Execute the following commands:

Read the specified Kerberos key file (created on the Microsoft Windows Server and

subsequently transferred to the Linux machine) into the current key list. rkt /path/to/keyfile

Write that key into the Kerberos keytab file utilized by all Fabasoft Folio Services: wkt /etc/fabasoft/krb5.keytab

Do the same for the HTTP key. rkt /path/to/keyfile

wkt /etc/fabasoft/krb5.keytab

Type quit and press Enter to exit ktutil.

Note: The ownership and permissions of the file /etc/fabasoft/krb5.keytab need to be

changed to 644.

6.3 Kerberos Tests

If one of the tests fails it is necessary to fix the problem before Fabasoft Folio is installed.

6.3.1 First test

Execute the following command and enter the user’s password when prompted:

/usr/kerberos/bin/kinit <Microsoft Windows user>

If no error message is returned, view the ticket cache with the following command:

/usr/kerberos/bin/klist

Verify the output (the default principal must correspond to the provided user):

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: <Microsoft Windows user>@<SUB.COMPANY.COM>

Valid starting Expires Service principal

11/15/04 09:16:36 11/16/04 19:16:38 krbtgt/<SUB.COMPANY.COM>@<SUB.COMPANY.COM>

6.3.2 Second test

Issue the following command to acquire a ticket using the key in the Kerberos key tab file instead of

an interactive password:

/usr/kerberos/bin/kinit –k –t /etc/fabasoft/krb5.keytab <principalname>


Example: /usr/kerberos/bin/kinit –k –t /etc/fabasoft/krb5.keytab \

ADERPC/<hostname>.<sub.company.com>@<SUB.COMPANY.COM>

Note: ‘\’ denotes line continuation.



Verify the output (the default principal must correspond to the provided user):

Along the same lines, try the HTTP key.

/usr/kerberos/bin/kinit –k –t /etc/fabasoft/krb5.keytab \

HTTP/<hostname>.<sub.company.com>@<SUB.COMPANY.COM>

Note: ‘\’ denotes line continuation.



On any errors, please consult the extensive Kerberos documentation.

If no errors occur the installation and configuration of Kerberos has been successful.

fabasoft on linux - preparation guide for red hat ... on linux... · 4 installation of red hat...

Documents