Configuring Secure64 x86 Support



A note on Ports

ProVision connects to Secure64 infrastructure over SSH (TCP port 22) to push configuration and zone files and to run the post-push reload. Make sure any ACLs/firewalls between the ProVision server and the Secure64 servers allow this traffic from the ProVision server's address.

If the DNS Module is enabled and in use, ProVision also performs zone checks over DNS (port 53) against the Secure64 servers. Make sure your Secure64 infrastructure is configured to accept DNS lookups from the ProVision server.


The installed Secure64 x86 Authority Server version may be 3.x (Secure OS) or 6.x EL (Enterprise Linux, available for Red Hat or Oracle Enterprise Linux deployments). Separate installation callouts are provided wherever the 3.x Secure OS and 6.x EL versions differ; the main difference for ProVision is the export directory (/srv/knot on 3.x, /var/lib/knot on 6.x EL).

Configuring Secure64 x86 Authority Server

  1. Using a terminal, SSH to the target Secure64 x86 server. ProVision pushes all configuration and zone files into a single export directory: /srv/knot/6c/ on 3.x Secure OS, or /var/lib/knot/6c/ on 6.x EL (see step 3).
  2. Create new user "provision"

    sudo useradd provision
    sudo passwd provision
  3. Create a directory called "6c" that will be used for the ProVision exports and set the permissions, so that we can push the configurations:

    The setgid bit (the "s" in g+wrs) makes files created in the directory inherit the knot group, so knot can read what provision pushes.

    For 3.x Secure OS
    sudo mkdir --mode=u+rwx,g+wrs,o-rwx /srv/knot/6c
    sudo chown provision:knot /srv/knot/6c
    For 6.x EL (Enterprise Linux)
    sudo mkdir --mode=u+rwx,g+wrs,o-rwx /var/lib/knot/6c
    sudo chown provision:knot /var/lib/knot/6c
  4. For ProVision to reload the server after a push without being asked for a password, the user "provision" must be allowed to run "sudo knotc reload" with NOPASSWD. Edit the sudoers file with visudo (it syntax-checks the file before saving; a broken /etc/sudoers locks every administrator out of sudo) and add the following line at the end. sudo matches the command on its full path, so confirm that knotc really lives at /sbin/knotc on your server and adjust the path if it does not:

    provision ALL=(ALL) NOPASSWD: /sbin/knotc reload
  5. Add the knot user to the "provision" group by editing /etc/group as follows (the numeric GIDs shown here, 120 and 119, are examples; keep the GIDs already present on your system and append the user name to the existing member list rather than replacing the line):

    For All Versions
    provision:x:120:knot
  6. Add provision to the knot group (so that if knot itself rewrites a zone file, ProVision can still replace it on the next push). Edit /etc/group again, as follows:

    For All Versions
    knot:x:119:provision
  7. Tell the Secure64 server to load the ProVision-generated configuration by adding an include directive to /etc/knot/knot.conf:

    For 3.x Secure OS
    include: /srv/knot/6c/6c_knot.conf

    6.x EL Versions

    For the 6.x versions of Secure64 Authority, which deploy on Red Hat or Oracle Enterprise Linux, Secure64 recommends storing zone files and 6connect data under /var/lib/knot instead of /srv/knot. This is more consistent with the Enterprise Linux layout for application data.

    For 6.x EL Versions
    include: /var/lib/knot/6c/6c_knot.conf


  8. Open the ProVision UI and navigate to the DNS section to add the S64 x86 server. In the server settings, verify that Post Command is set to “sudo knotc reload” (it must be exactly the command permitted by the sudoers entry from step 4, otherwise sudo will prompt for a password and the reload will fail) and that the configuration path is set to:
    1. Configuration path for 3.x:  “/srv/knot/6c/6c_knot.conf”
    2. Configuration path for 6.x EL: "/var/lib/knot/6c/6c_knot.conf"
  9. Example server settings for the S64 x86 server (the original page shows these as screenshots):

For 3.x:

Remote Directory should be set to "/srv/knot/6c/" and

Knot Conf Path set to "/srv/knot/6c/6c_knot.conf"

For 6.x EL:

Remote Directory should be set to "/var/lib/knot/6c/" and

Knot Conf Path set to "/var/lib/knot/6c/6c_knot.conf"
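The server-side part of the procedure above (steps 2 through 7) as one script. This is an added example, not code from the ProVision or Secure64 documentation. It keeps the page's user name "provision", the "6c" export directory and the include line, but makes a few choices of its own, all of which are assumptions about your host: group membership is set with usermod -aG instead of hand-editing /etc/group (GIDs differ per host), the sudo rule goes into a drop-in under /etc/sudoers.d (requires the usual includedir in /etc/sudoers) and is checked with visudo -cf before it is installed, the runas user is narrowed from (ALL) to (root), and the knotc path is resolved from PATH rather than hard-coded. Run it with "plan" to see what would change; "apply" needs root.

```shell
#!/usr/bin/env bash
# Added example: prepare a Secure64 x86 Authority server for ProVision pushes.
#   ./s64-provision-setup.sh plan  3.x    # show the changes for a 3.x Secure OS host
#   sudo ./s64-provision-setup.sh apply 6.x  # make the changes on a 6.x EL host
# Assumptions: a Knot-based install with a "knot" user and group,
# /etc/knot/knot.conf, and /etc/sudoers including /etc/sudoers.d.
set -eu

PV_USER=provision
KNOT_USER=knot
KNOT_GROUP=knot
KNOT_CONF=/etc/knot/knot.conf

# Export directory per Secure64 version family: /srv/knot for 3.x Secure OS,
# /var/lib/knot for 6.x EL (both taken from the documentation above).
export_dir() {
    case "$1" in
        3*) printf '%s\n' /srv/knot/6c ;;
        6*) printf '%s\n' /var/lib/knot/6c ;;
        *)  echo "unknown Secure64 version family: $1" >&2; return 1 ;;
    esac
}

# The include directive knot.conf needs so that ProVision's 6c_knot.conf is loaded.
include_line() {
    printf 'include: %s/6c_knot.conf\n' "$(export_dir "$1")"
}

# One sudo rule for one command. sudo compares the resolved path of the command
# with the rule, so $1 must be where knotc really is. NOPASSWD is required
# because ProVision runs the Post Command non-interactively; (root) is enough
# for a reload and is narrower than the page's (ALL).
sudoers_line() {
    printf '%s ALL=(root) NOPASSWD: %s reload\n' "$PV_USER" "$1"
}

plan() {
    dir=$(export_dir "$1")
    knotc=$(command -v knotc 2>/dev/null || echo /sbin/knotc)
    cat <<EOF
useradd $PV_USER (set a password or install ProVision's SSH key)
mkdir --mode=u+rwx,g+rwxs,o-rwx $dir; chown $PV_USER:$KNOT_GROUP $dir
usermod -aG $PV_USER $KNOT_USER; usermod -aG $KNOT_GROUP $PV_USER
/etc/sudoers.d/$PV_USER: $(sudoers_line "$knotc")
$KNOT_CONF: $(include_line "$1")
EOF
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
    dir=$(export_dir "$1")
    knotc=$(command -v knotc) || { echo "knotc not found in PATH" >&2; exit 1; }
    id "$PV_USER" >/dev/null 2>&1 || useradd -m "$PV_USER"
    # Setgid directory owned by provision, group knot: knot can read every
    # pushed file, provision can overwrite files knot has rewritten.
    mkdir -p "$dir"
    chmod u+rwx,g+rwxs,o-rwx "$dir"
    chown "$PV_USER:$KNOT_GROUP" "$dir"
    usermod -aG "$PV_USER" "$KNOT_USER"     # step 5: knot into group provision
    usermod -aG "$KNOT_GROUP" "$PV_USER"    # step 6: provision into group knot
    # Drop-in sudo rule, syntax-checked before it is installed.
    tmp=$(mktemp)
    sudoers_line "$knotc" > "$tmp"
    visudo -cf "$tmp"
    install -m 0440 "$tmp" "/etc/sudoers.d/$PV_USER"
    rm -f "$tmp"
    # Add the include once; re-running the script must not duplicate it.
    grep -qxF "$(include_line "$1")" "$KNOT_CONF" || include_line "$1" >> "$KNOT_CONF"
    # Verify: the only sudo rule provision should have is the reload.
    sudo -l -U "$PV_USER"
}

case "${1:-plan}" in
    plan)  plan "${2:-3.x}" ;;
    apply) apply "${2:-3.x}" ;;
esac
```

After applying, log in as provision over SSH from the ProVision server and run the Post Command by hand once; if sudo asks for a password, the path in the rule does not match the knotc binary sudo resolved.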
OTHER Record Types

When working with DNS Zones and Records, additional record types may be manually added by selecting "Other" when adding a new record.

S64 DNS users can use record type "Other" to add Secure64-specific "SYNTH" or "TYPE65464" records (65464 lies in the private-use RR type range, so these are meaningful only to the Secure64 server, not to generic resolvers or to ProVision's record parser), in a format similar to the examples below:


$ORIGIN 30 IN TYPE65464 ${p4} PTR ${a4}.pool.example.com.
$ORIGIN 600 IN TYPE65464 ${a4} A ${a4}
$ORIGIN TYPE65464 ${p6} PTR user${a6}.my.example.com.
$ORIGIN 5 IN SYNTH user${a6} AAAA ${a6}
$ORIGIN IN SYNTH nptr-${u} NAPTR 10 20 "A" "" "" srv-${u}
$ORIGIN IN SYNTH srv-${u} SRV 10 20 1234 srv-addr-${u}


However, ProVision cannot validate arbitrary / other record types: a record entered via "Other" is pushed verbatim, and a malformed one is only caught when the server reloads the zone, which can leave the zone unloaded. Use with care, check the outcome of the post-push reload, and query the server for the synthesized records before relying on them.
