White Paper
Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System
Fabasoft Folio 2015 Update Rollup 2
Copyright Fabasoft R&D GmbH, Linz, Austria, 2015. All rights reserved. All hardware and software names used are registered trade names and/or registered trademarks of the respective manufacturers. No rights to our software or our professional services, or results of our professional services, or other protected rights can be based on the handing over and presentation of these documents.
Contents
1 Introduction 4
2 Software Requirements 4
3 Required Information 5
4 Installation of CentOS 5
4.1 Required Packages 5
4.2 Step by Step Guide 6
5 CentOS Tests 21
6 Kerberos Authentication 22
6.1 Key Creation for Fabasoft Folio Backend Services 22
6.1.1 ADERPC Key Creation 22
6.1.2 HTTP Key Creation 26
6.2 Import of Keys on Linux Servers 26
6.3 Kerberos Tests 27
6.3.1 First test 27
6.3.2 Second test 27
1 Introduction

This document describes the installation and preparation of Community ENTerprise Operating System (CentOS) to run the Fabasoft Folio Services, namely Fabasoft Folio Backend Services, Fabasoft Folio Web Services, Fabasoft Folio Conversion Services and Fabasoft Folio AT Services.

Chapter 2 Software Requirements describes the assumed system environment and the supported platform, as well as the software versions the descriptions in this document are based on.
Chapter 3 Required Information lists the information needed during the installation process.
Chapter 4 Installation of CentOS describes the installation of CentOS on the 64-bit architecture.
Chapter 5 CentOS Tests describes the tests that have to be performed after the installation of CentOS.
Chapter 6 Kerberos Authentication describes the steps necessary to prepare the environment for Kerberos authentication of the Fabasoft Folio Services.

2 Software Requirements

System environment: All information contained in this document implicitly assumes a CentOS environment.

Supported platforms: For detailed information on supported operating systems and software see the software product information on the Fabasoft distribution media.

Make sure that the BIOS option to boot from CD-ROM first is enabled.

This document assumes that a Microsoft Windows Active Directory domain controller (Microsoft Windows Server 2003 Enterprise x64 Edition SP2) is used as Kerberos Key Distribution Centre (KDC).

General Linux knowledge is necessary to perform and maintain an installation as described in this document.
The descriptions in this document are based on the following software:

Third-party products for nodes running Fabasoft Folio Backend Services (COO, MMC and gateway services):
o Community ENTerprise Operating System 6.6 (x64)

Fabasoft Folio Web Services:
o Community ENTerprise Operating System 6.6 (x64)
o Oracle Java SE Runtime Environment 8 Update 51 (JRE)
  Current version: http://www.oracle.com/technetwork/java/javase/downloads/index.html
  Archive: http://www.oracle.com/technetwork/java/archive-139210.html

Fabasoft Folio Conversion Services:
o Community ENTerprise Operating System 6.6 (x64)
o Oracle Java SE Runtime Environment 8 Update 51 (JRE)
  Current version: http://www.oracle.com/technetwork/java/javase/downloads/index.html
  Archive: http://www.oracle.com/technetwork/java/archive-139210.html
o LibreOffice 4.2.7 (x64)
  http://www.libreoffice.org

Fabasoft Folio AT Services:
o Community ENTerprise Operating System 6.6 (x64)
o Oracle Java SE Runtime Environment 8 Update 51 (JRE)
  Current version: http://www.oracle.com/technetwork/java/javase/downloads/index.html
  Archive: http://www.oracle.com/technetwork/java/archive-139210.html

3 Required Information

The following information is necessary during the installation and/or preparation of CentOS. Prepare it before beginning the installation:
o Name or IP address of the time server
o IP address of the computer CentOS is installed on
o Host name of the computer CentOS is installed on
o IP address of the gateway server
o IP address(es) of the DNS server(s)
o Domain name
o IP address of the domain controller

4 Installation of CentOS

4.1 Required Packages

Make sure that the following packages are installed. In case of a Minimal Desktop installation, the packages marked bold in the table have to be installed additionally.

Required on all nodes (Fabasoft Folio Backend Services, Fabasoft Folio Web Services, Fabasoft Folio Conversion Services, Fabasoft Folio AT Services and other Fabasoft Folio Services):
o openldap
o openssl
o gtk2
o dos2unix
o xorg-x11-xinit
o libjpeg
o libpng
o libtiff
o alsa-lib
o libtool-ltdl

Required on specific nodes only (which Fabasoft Folio Service needs which of these packages is given in the software product information on the Fabasoft distribution media):
o httpd
o unixodbc
o xorg-x11-server-xvfb
o mod_ssl (only if SSL is enabled)
o firefox

Not on the Linux distribution media:
o Java Runtime Environment (Fabasoft Folio Web Services, Conversion Services and AT Services, see chapter 2)
o LibreOffice (64-bit) (Fabasoft Folio Conversion Services, see chapter 2)
o Oracle Instant Client (if Oracle is used as RDBMS)

4.2 Step by Step Guide

To install CentOS, perform the following steps:
1. Insert the installation DVD/CD of CentOS into the optical drive and restart the computer.
2. After restarting, the installation setup of CentOS starts.
3. Press the Enter key to start the setup process.
4. First, it is possible to test the installation medium before actually starting the installation. Select Skip to skip the media test and press the Enter key.
Note: It is recommended to use an original installation medium from CentOS, as these media are already tested. If self-made copies are used, verify the downloaded ISO image against the checksums published by the CentOS project before burning it, and perform the media test at least once. For further information about the media test consult the CentOS documentation.
5. The mouse can now be used to navigate. Click Next to continue.
6. Select the language to be used during the installation process. To follow this documentation, select English (English) and click Next.
7. Select the keyboard layout matching the keyboard connected to the system and click Next.
8. Select the type of storage devices your installation involves and click Next.
9. Specify the host name (not fully qualified) of the computer and click Configure Network to configure the network card of this computer. Afterwards click Next.
Note: If no network card is installed or the network card is not recognized by the installation program, the network configuration screen is not displayed.
Select the method Manual and enter the IP address of the computer (Address field), the Prefix (netmask), the Gateway and the DNS server(s), then click Apply.
10. Select the location to set the correct time zone. Click Next to continue the installation process.
11. Enter the password for the system administrator (root). Click Next to continue.
12. Select Create custom layout and click Next.
13. Disk partitioning depends on the hardware. We recommend using two partitions: one swap partition and one system partition. The size of the swap partition should equal the working memory of the computer. As the working memory may be upgraded in the future, it is recommended to size the swap partition for the maximum amount of working memory the computer can hold.
Note: All Fabasoft Folio MMC Areas should be persisted on secure and fast storage systems such as a SAN. Use at least one dedicated partition to store the Fabasoft Folio MMC Areas.
14. To create a new partition click Create.
15. Enter the Mount Point and the Size (MB). Do not change the other options.
16. Click OK. Repeat the process for all partitions that should be created. For the swap partition, select swap in the File System Type list.
17. After all necessary partitions have been created, an overview is displayed.
18. When disk partitioning is finished, click Next to continue the installation process.
19. Now the boot loader to be installed can be set. Click Next.
20. Select Minimal Desktop and click Next.
21. The installation process continues. A progress bar indicates the progress of the installation.
22. Finally the installation process is finished and the computer has to be restarted. Click Reboot to restart the system.
After the system has restarted and finished its initialization, a welcome screen is displayed. There are a few more steps to take before the system is ready to use.
23. Click Forward to continue.
24. The License Agreement is shown on the screen. Read the License Agreement carefully and click Yes, I agree to the Licence Agreement. Click Forward to continue.
25. It is not necessary to create a system user in this case. Click Forward to continue.
Note: To continue without creating a user, click Use Network Login, cancel the pop-up that appears and click Forward.
26. Set the date and time of the system: select the current year, month and day, and the current hour, minute and second.
27. Select Synchronize date and time over the network. Select each of the default servers in the server list and click Delete. In the NTP Servers box, click Add and type the name or the IP address of the time server to use. Setting the correct time server is important for Kerberos authentication.
Note: When Kerberos is used, all servers within the Fabasoft Folio Domain must have their local clocks closely in sync: a KDC rejects requests whose timestamp lies outside its clock-skew tolerance, which is five minutes by default. This is usually accomplished using NTP (Network Time Protocol) and a time server. Note that an Active Directory domain controller provides an NTP-compliant time server, against which the system clocks of all Linux machines should be synchronized.
28. Do not enable Kdump. Click Finish.
29. The installation of CentOS is now complete. The graphical login screen is displayed.
30. Log on as user root.
31. Open Applications > System Tools > Terminal.
The terminal is opened.
32. Make sure that the packages described in chapter 4.1 Required Packages are installed.

After the installation process has finished, perform the following steps:
1. To make the host name resolvable locally, open the hosts file in an editor:
   # nano /etc/hosts
2. Change the line
   127.0.0.1   <computer name> localhost.localdomain localhost
   into
   127.0.0.1   localhost.localdomain localhost
3. Add a second line:
   <IP address of the computer>   <computer name>.<domain name>   <computer name>
   Note: Press Tab for the space between the entries of a line.
4. Press Ctrl + X and confirm with Y or Enter to save the changes.
5. Make sure that SELinux is disabled: the command getenforce has to print Disabled. Otherwise set SELINUX=disabled in /etc/selinux/config and reboot.

5 CentOS Tests

To confirm that the installation and configuration have been completed successfully, perform the following steps:
1. To display the host name execute the following command:
   # hostname
   This command should only display the short host name of the Linux server (e.g. fscbackend).
2. To display the fully qualified domain name execute the following command:
   # hostname -f
   This command should display the host name and the domain (e.g. fscbackend.sub.comp.com).
3. localhost has to be resolved. Execute the following command:
   # ping localhost
   Note: Press Ctrl + C to end the ping command.
4. localhost.localdomain has to be resolved. Execute the following command:
   # ping localhost.localdomain
   Note: Press Ctrl + C to end the ping command.
5. ping <computer name> has to work. Execute the following command:
   # ping fscbackend
   Note: Press Ctrl + C to end the ping command.
6. ping <computer name>.<domain name> has to work. Execute the following command:
   # ping fscbackend.sub.comp.com
   Note: Press Ctrl + C to end the ping command.
The CentOS installation has now been tested for host name and domain.

6 Kerberos Authentication

On nodes intended for Fabasoft Folio Web Services, SPNEGO authentication for the Apache Web Server is provided as an extension module. SPNEGO authentication allows single sign-on via Kerberos and Active Directory from the Fabasoft Folio Web Client (similar and compatible to the integrated login on the Microsoft platform).

Additionally, configure /etc/krb5.conf to use the Active Directory domain as Kerberos realm and its domain controller as Kerberos Key Distribution Centre. To configure /etc/krb5.conf, perform the following steps:
1. Open the /etc/krb5.conf file in an editor.
2. Configure krb5.conf as follows. Replace the values in <> with the appropriate values for the domain. In case of trouble consult the Kerberos documentation.

   [libdefaults]
   default_realm = <SUB.COMP.COM>
   dns_fallback = false
   forwardable = true
   proxiable = true

   [realms]
   <SUB.COMP.COM> = {
     kdc = <IP address of the Domain Controller>[:<port>]
     admin_server = <IP address of the Domain Controller>[:<port>]
   }

   [domain_realm]
   <.comp.com> = <SUB.COMP.COM>

Note: Attend to the entries written in uppercase (e.g. <SUB.COMP.COM>); the realm name is always upper case.
Note: If the service keys are exported with the DES-CBC-MD5 encryption type (see chapter 6.1.1), the MIT Kerberos libraries shipped with CentOS 6 refuse to use them unless allow_weak_crypto = true is added to the [libdefaults] section. Single DES is considered broken, so prefer AES256-SHA1 keys wherever the domain controller supports them and leave this setting out.

The Kerberos authentication has now been configured basically on the newly installed server.

6.1 Key Creation for Fabasoft Folio Backend Services

6.1.1 ADERPC Key Creation

For each Linux server running kerberized Fabasoft Folio Services, a distinct ADERPC key has to be exported.
To create an ADERPC key for Fabasoft Folio Backend Services, perform the following steps:
1. Log on to the primary Active Directory domain controller.
2. Open the MMC snap-in Active Directory Users and Computers (dsa.msc).
3. Add a user with an arbitrary logon name of your choice for each Fabasoft Folio server. A common prefix is recommended.
   Example: ADERPC-fscbackend
4. Click Next.
5. Select the User cannot change password and the Password never expires check boxes.
6. To create the user click Next. A Kerberos user has been created.
7. Register the service principal name (SPN) for the user by executing the following command:
   setspn -A ADERPC/<fqdn> <user account>
   Example: setspn -A ADERPC/fscbackend.sub.comp.com ADERPC-fscbackend
   The registration can be checked with setspn -L <user account>. An SPN must be registered for exactly one account; a duplicate SPN breaks Kerberos authentication for that service.
8. On the Delegation tab of the user's properties dialog box click Trust this user for delegation to any service (Kerberos only).
   Note: This is unconstrained delegation: the service can obtain tickets on behalf of any user who authenticates to it, for any other service. Protect the account and its exported key accordingly (see the permissions of the key tab file in chapter 6.2).
9. On the Account tab of the user's properties dialog box click Use DES encryption types for this account or select This account supports Kerberos AES 256 bit encryption.
   (Figure: Account tab with the DES-CBC-MD5 option)
   (Figure: Account tab with the AES256-SHA1 option)

Now a Kerberos key needs to be transferred to the corresponding Linux computer. To export the key from Active Directory, the ktpass utility is required.
Note: In case of a Windows Server 2003 domain controller, the Microsoft Windows 2003 Support Tools must be installed; they are located on the Microsoft Windows 2003 CD at \support\tools\suptools.msi. The support tools must match version and language of the Microsoft Windows operating system installed on the domain controller.

Execute the following command:
   ktpass -crypto <crypto type> -princ ADERPC/<fqdn>@<REALM> -ptype KRB5_NT_PRINCIPAL -mapuser <user account> -pass <password of the user account> -out <filename>

Possible crypto types:
o DES-CBC-MD5 (Active Directory 2000/2003)
o AES256-SHA1 (Active Directory 2008/2008 R2)
Note: AES support is limited by some combinations of Microsoft operating systems. For details see the Microsoft TechNet article Kerberos Enhancements: http://technet.microsoft.com/en-us/library/cc749438(ws.10).aspx
Use AES256-SHA1 whenever the domain controller supports it: single DES is deprecated (RFC 6649) and disabled by default in Windows 7 / Windows Server 2008 R2 and later as well as in the MIT Kerberos libraries on CentOS 6.

Example:
   ktpass -crypto DES-CBC-MD5 -princ ADERPC/fscbackend.sub.comp.com@SUB.COMP.COM -ptype KRB5_NT_PRINCIPAL -mapuser ADERPC-fscbackend -pass <your password> -out fscbackendaderpc.key

Note: ktpass sets the password of the mapped account to the value given with -pass. The account is used only through the exported key, so a long random password is appropriate; with -pass * ktpass prompts for the password instead of leaving it in the command history. The output file contains the long-term key of the service. Transfer it to the Linux server only via a secure channel (e.g. scp over ssh), import it into the Kerberos key tab as described in chapter 6.2 Import of Keys on Linux Servers, and delete all copies of the file afterwards.
Note: <REALM> is always all upper case. It is imperative that <fqdn> exactly matches the Linux server's host name in DNS and the entries in Active Directory; <fqdn> is also case-sensitive. DNS entries for each Linux machine must exist for forward (type A) as well as for reverse (type PTR) lookups.

The Active Directory user entries can be validated with ADSI Edit. Execute adsiedit.msc and view the properties of the corresponding user: the attribute servicePrincipalName must contain the ADERPC/<fqdn> entry registered with setspn, and userPrincipalName must be ADERPC/<fqdn>@<REALM>, as set by ktpass -mapuser.

6.1.2 HTTP Key Creation

For each machine intended for Fabasoft Folio Web Services as well as all nodes running Fabasoft Folio Web Management, an HTTP Kerberos key is required. Perform the steps of chapter 6.1.1 ADERPC Key Creation with HTTP in place of ADERPC (separate user account, SPN HTTP/<fqdn>, principal HTTP/<fqdn>@<REALM>). Name the output file <hostname>http.key, which results in fscbackendhttp.key for the example host.

6.2 Import of Keys on Linux Servers

First create the subdirectory fabasoft in /etc. In the terminal type:
   mkdir /etc/fabasoft
Run the utility ktutil (on CentOS 6 provided by the krb5-workstation package and found in the default PATH; the path /usr/kerberos/sbin/ktutil stems from earlier releases). Execute the following commands:
Read the specified Kerberos key file (created on the Microsoft Windows Server 2003 and subsequently transferred to the Linux machine) into the current key list:
   rkt /path/to/keyfile
Write that key into the Kerberos key tab file utilized by all Fabasoft Folio Services:
   wkt /etc/fabasoft/krb5.keytab
Do the same for the HTTP key:
   rkt /path/to/keyfile
   wkt /etc/fabasoft/krb5.keytab
Type quit and press Enter to exit ktutil. The content of the key tab can be checked with klist -k -e /etc/fabasoft/krb5.keytab, which lists both principals together with their encryption types. Afterwards remove the transferred key files, as they contain the same long-term keys as the key tab, and make sure with ls -l that the key tab is not readable by other users.

Note: The ownership and permissions of the file /etc/fabasoft/krb5.keytab need to be changed later on (user fscsrv, group fsc, permissions 0600). This can be done only after the basic Fabasoft Folio software packages have been installed, as these packages create all required users and groups. Do not create the user (or group) yourself! See the white paper Installation of Fabasoft Folio Services on Linux.

6.3 Kerberos Tests

If one of the tests fails, fix the problem before Fabasoft Folio is installed. The commands kinit and klist are part of the krb5-workstation package and are found in the default PATH on CentOS 6; the path /usr/kerberos/bin used by earlier releases does not exist there.

6.3.1 First test

Execute the following command and enter the user's password when prompted:
   kinit <Microsoft Windows user>
If no error message is returned, view the ticket cache with the following command:
   klist
Verify the output (the default principal must correspond to the provided user):
   Ticket cache: FILE:/tmp/krb5cc_0
   Default principal: <Microsoft Windows user>@<SUB.COMP.COM>
   Valid starting     Expires            Service principal
   11/15/04 09:16:36  11/16/04 19:16:38  krbtgt/<SUB.COMP.COM>@<SUB.COMP.COM>

6.3.2 Second test

Issue the following command to acquire a ticket using the key in the Kerberos key tab file instead of an interactive password:
   kinit -k -t /etc/fabasoft/krb5.keytab <principal name>
Example:
   kinit -k -t /etc/fabasoft/krb5.keytab \
     ADERPC/<hostname>.<sub.comp.com>@<SUB.COMP.COM>
Note: \ denotes line continuation.
If no error message is returned, view the ticket cache with the following command:
   klist
Verify the output (the default principal must be the ADERPC principal given to kinit).
Along the same lines, try the HTTP key:
   kinit -k -t /etc/fabasoft/krb5.keytab \
     HTTP/<hostname>.<sub.comp.com>@<SUB.COMP.COM>
Note: \ denotes line continuation.
If no error message is returned, view the ticket cache with the following command:
   klist
Discard the test tickets afterwards with kdestroy.
On any errors, please consult the extensive Kerberos documentation. If no errors occur, the installation and configuration of Kerberos has been successful.
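The checks of chapter 5 (host name and name resolution), the DNS forward/reverse requirement of chapter 6.1.1 and the key tab tests of chapter 6.3 can be run non-interactively before Fabasoft Folio is installed. The following script is an added example, not part of this white paper or of the Fabasoft software. It assumes the key tab path /etc/fabasoft/krb5.keytab used in this document, the krb5-workstation tools klist, kinit and kdestroy in PATH, and uses the document's example host fscbackend.sub.comp.com with realm SUB.COMP.COM; the IP address 10.0.0.5 in the usage line is made up.

```shell
#!/bin/sh
# preflight.sh - added example, not Fabasoft tooling. Runs the CentOS tests
# (chapter 5), the A/PTR check (chapter 6.1.1) and the key tab tests
# (chapter 6.3) without interaction and exits non-zero on any failure.
# Assumed: /etc/fabasoft/krb5.keytab, klist/kinit/kdestroy in PATH.
#   usage: sh preflight.sh run <short host name> <dns domain> <ip address>
#   e.g.:  sh preflight.sh run fscbackend sub.comp.com 10.0.0.5   (IP made up)

errors=0
fail() { printf 'FAIL: %s\n' "$1" >&2; errors=$((errors + 1)); }

# Chapter 5, tests 1 and 2: `hostname` is the short name, `hostname -f`
# is exactly <short>.<domain>.
check_names() {  # check_names SHORT DOMAIN FQDN
  case "$1" in
    *.*) fail "host name '$1' must not be fully qualified"; return 1 ;;
  esac
  [ "$3" = "$1.$2" ] || { fail "hostname -f gives '$3', expected '$1.$2'"; return 1; }
}

# Chapter 4.2, steps 2 and 3: the 127.0.0.1 line must not carry the computer
# name, and the computer's IP address must map to its FQDN.
check_hosts_file() {  # check_hosts_file FILE IP SHORT FQDN
  awk -v n="$3" '$1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == n) bad = 1 }
                 END { exit (bad ? 1 : 0) }' "$1" \
    || { fail "127.0.0.1 line in $1 still lists $3"; return 1; }
  awk -v ip="$2" -v fq="$4" '$1 == ip { for (i = 2; i <= NF; i++) if ($i == fq) ok = 1 }
                             END { exit (ok ? 0 : 1) }' "$1" \
    || { fail "no line in $1 maps $2 to $4"; return 1; }
}

# Does the output of `klist -k` list the given principal (second column)?
# Takes the text as an argument so it can be exercised without a key tab.
keytab_has_principal() {  # keytab_has_principal "KLIST_OUTPUT" PRINCIPAL
  printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit (found ? 0 : 1) }'
}

main() {  # main SHORT DOMAIN IP
  short=$1; domain=$2; ip=$3; fqdn="$1.$2"
  realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')  # realm is always upper case
  keytab=/etc/fabasoft/krb5.keytab

  check_names "$(hostname)" "$domain" "$(hostname -f)"
  check_hosts_file /etc/hosts "$ip" "$short" "$fqdn"

  # Chapter 5, tests 3 to 6: resolution instead of ping, so no ICMP is needed.
  for name in localhost localhost.localdomain "$short" "$fqdn"; do
    getent hosts "$name" >/dev/null || fail "$name does not resolve"
  done

  # Chapter 6.1.1 note: forward (A) and reverse (PTR) lookups must agree.
  [ "$(getent hosts "$fqdn" | awk '{ print $1; exit }')" = "$ip" ] \
    || fail "forward lookup of $fqdn does not return $ip"
  getent hosts "$ip" | awk -v fq="$fqdn" '{ for (i = 2; i <= NF; i++) if ($i == fq) ok = 1 }
                                           END { exit (ok ? 0 : 1) }' \
    || fail "reverse lookup of $ip does not name $fqdn"

  # Chapter 6.3.2: both service keys must be present in the key tab and usable.
  listing=$(klist -k "$keytab" 2>/dev/null) || fail "cannot read $keytab"
  for svc in ADERPC HTTP; do
    princ="$svc/$fqdn@$realm"
    keytab_has_principal "$listing" "$princ" || { fail "$princ missing from $keytab"; continue; }
    if kinit -k -t "$keytab" "$princ"; then kdestroy; else fail "kinit with $princ failed"; fi
  done

  if [ "$errors" -eq 0 ]; then echo "preflight OK"; else echo "$errors check(s) failed" >&2; return 1; fi
}

if [ "${1:-}" = run ]; then shift; main "$@"; fi
```

The live checks only run when the script is invoked with the argument run, so the pure functions (check_names, check_hosts_file, keytab_has_principal) can be exercised on constructed input without a KDC. Resolution is tested with getent, which goes through nsswitch exactly like the Fabasoft Folio Services do, rather than with ping; the key tab test acquires and immediately destroys a ticket for each principal, so nothing is left in the ticket cache.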