CentOS 6
Before You Begin
Ensure that System Requirements have been met prior to proceeding with the CentOS Configuration Guide.
Install Requirements
1) Upgrade your current packages
Upgrade your current packages.
2) Install Required Packages
PHP
All installations of ProVision require at least PHP 5.5 (and related extensions). CentOS 6 comes with PHP 5.3 by default. You can either add a repository which provides PHP 5.5 or install PHP manually.
The Webtatic and Remi repos both have versions of PHP which are newer than those in the official repos. For this example, we'll be using Webtatic
Add the repository:
| Code Block |
|---|
|
rpm -Uvh https://mirror.webtatic.com/yum/el6/latest.rpm |
Install:
| Expand |
|---|
PHP5 / Apache2 / extensions - httpd
- php55w
- php55w-opcache
- php55w-mysqlnd
- php55w-pdo
- php55w-ldap
- php55w-pecl-memcache
- php55w-bcmath
- php55w-devel
- php55w-pear
- php55w-cli
Development tools for pecl / additional system packages: - curl
- openssl
- memcached
- mod_ssl
|
| Code Block |
|---|
|
yum install httpd php55w php55w-opcache php55w-mysqlnd php55w-pdo php55w-ldap php55w-pecl-memcache php55w-bcmath php55w-devel php55w-pear php55w-cli curl openssl memcached mod_ssl |
MySQL
Install MySQL to use a local database.
MySQL is included with most CentOS installs, check for it with:
| Code Block |
|---|
|
yum list installed | grep mysql |
If it is not installed:
| Code Block |
|---|
|
yum install mysql-server service mysqld start chkconfig mysqld on |
Set the MySQL root password:
| Code Block |
|---|
|
/usr/bin/mysqladmin -u root password 'new-password' |
DNS and Additional Utilities
5. Install the DNS and other remaining utilities:
| Expand |
|---|
- curl
- openssl
- nmap
- bind-utils
- bind
- expect
|
| Code Block |
|---|
yum install curl openssl nmap bind-utils bind expect |
Install and Compile DNSSEC-Tools
| Code Block |
|---|
|
yum groupinstall 'Development Tools'
yum install openssl-devel perl-devel perl-CPAN
cd /usr/src
wget https://www.dnssec-tools.org/download/dnssec-tools-2.1.tar.gz
tar -xzf dnssec-tools-2.1.tar.gz
./configure
make
make install |
3) Configuring the requirements:
SSL
Self signed certificates in CentOS 6 by default have been already installed.
If you want to change it, follow the steps below:
| Info |
|---|
| Note: For production install, it is HIGHLY RECOMMENDED to use organization signed certs |
Generate private key, CSR, and temporary key if one hasn't been provided.
| Code Block |
|---|
|
openssl genrsa -out ca.key 1024 openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt |
Copy the files to the correct locations
| Code Block |
|---|
|
cp ca.crt /etc/pki/tls/certs cp ca.key /etc/pki/tls/private/ca.key cp ca.csr /etc/pki/tls/private/ca.csr |
| Note |
|---|
| Make sure that you copy the files and do not move them if SELinux is enabled (which it is by default) |
Edit the apache ssl config and put in the appropriate options:
(shown using the vi editor, though you may use the editor of your choice)
| Code Block |
|---|
|
vi /etc/httpd/conf.d/ssl.conf |
Find the lines that start with SSHCertificateFile and change them to be like:
| Code Block |
|---|
|
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key |
Then restart
| Code Block |
|---|
|
/etc/init.d/httpd restart |
Add 443 virtual hosts as needed in httpd.conf. Apache
Allow overwrites in the apache vhosts
| Code Block |
|---|
|
sed -i 's/AllowOverride None/AllowOverride All/g' /etc/httpd/conf/httpd.conf |
Start Apache and make it to start on boot
| Code Block |
|---|
|
chkconfig httpd on service httpd start |
| Note |
|---|
| title | mod rewrite REQUIRED |
|---|
|
Please note that mod_rewrite is required! If it is not enabled in Apache, key elements will not work as expected. |
MySQL
Set the MySQL Configuration:
| Code Block |
|---|
|
mysql -p -e "SET GLOBAL sql_mode='NO_ENGINE_SUBSTITUTION';SET SESSION sql_mode='NO_ENGINE_SUBSTITUTION';" |
then enter the MySQL root password when prompted.
4) Optional configurations:
| Note |
|---|
|
Please remember - if you change the IP address of the your server, then you will need to update SELinux functions accordingly |
Most CentOS install have SELinux enabled by default. One of its protections is to not allow httpd daemon to make network connections, we need to disable this for license checks.
To view the SELinux configuration for http:
| Code Block |
|---|
|
/usr/sbin/getsebool -a | grep httpd |
To turn protection off for the httpd daemon for creating network connections:
| Code Block |
|---|
|
/usr/sbin/setsebool -P httpd_can_network_connect 1 |
IPTables is enabled by default on CentOS. Add a new rule to allow 443 from anywhere. Make sure that this rule is in the chain BEFORE any blanket reject rule:
| Expand |
|---|
| title | If you are going to run iptables, click here |
|---|
|
To list all current IPTable rules: | Code Block |
|---|
| /etc/rc.d/init.d/iptables status |
To add a rule for 443: | Code Block |
|---|
| /sbin/iptables RH-Firewall-1-INPUT -I 5 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT |
| Note |
|---|
| | The -I 5 is what adds the rule to the 5th chain position. You might need to change this depending on existing rules. Look at what rules are there before running. |
To save the new config: | Code Block |
|---|
| /etc/rc.d/init.d/iptables save |
OR (some versions of centOS have different iptables names, so the above won't work) | Code Block |
|---|
| vi /etc/sysconfig/iptables |
With the file open for editing, add: | Code Block |
|---|
| -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT |
Once complete - restart the iptables service: | Code Block |
|---|
| /etc/init.d/iptables restart |
| Info |
|---|
| Customers can alter this post install to allow only their IP space, plus the 6connect management space. |
|
Radius (Optional)
This section only needs to be followed if the customer will be using Radius for authentication.
| Expand |
|---|
| title | If you are going to use radius authentication, click here. |
|---|
|
Install radius module: | Code Block |
|---|
pecl install radius echo extension=radius.so > /etc/php.d/radius.ini |
|
SSH
Install ssh module:
| Code Block |
|---|
|
yum install libssh2-devel pecl install -f ssh2 echo extension=ssh2.so > /etc/php.d/ssh2.ini |
Source Guardian
Install the Source Guardian php extension.
Download the loader and put it in the appropriate place.
Place the file in your php extension directory as specified in your php.ini
Note: The PHP cli binary path must be set in the ProVision software Admin section if is different from default. By default it is /usr/bin/php.
Add extension=ixed.x.x.y.y to your php.ini
| Code Block |
|---|
|
wget https://www.sourceguardian.com/loaders/download/loaders.linux-x86_64.tar.bz2
tar -xjf loaders.linux-x86_64.tar.bz2
cp -rpPf ixed.5.5.lin /usr/lib64/php/modules/
echo extension=ixed.5.5.lin > /etc/php.d/ixed.5.5.ini |
Reload the web server
| Code Block |
|---|
|
service httpd reload |
| Info |
|---|
| title | PRO TIP - Loader Assistant for Source Guardian |
|---|
|
If you have any issues with getting Source Guardian installed, and the instructions are not working in your case, please check out http://www.sourceguardian.com/loaders/download.php - this page allows you paste in the output of your phpinfo page and then it will tell you the steps that need to be taken for your particular use case. If you are still having issues, please contact 6connect at support@6connect.com so one of our engineers can assist you. |
4) Install 6connect ProVision Software:
1. Remove the current contents in the ProVision web folder (currently the www root) and after extract the archive contents:
| Code Block |
|---|
|
tar -xf productionBuild-5.1.2-php5.5.tar -C /var/www/html |
2. Change the permissions to be the web user permissions
chown -R apache.apache /var/www/html
3. Go to http://﹤web root﹥/configTest.php. If there are any configuration errors listed in red, other than in the Database and Configuration Files section, they must be corrected.
4. Run configDir.sh ﹤web user﹥ from the command line as root in the web root. This will setup the directories apache user needs read/write access to.
| Code Block |
|---|
|
cd /var/www/html /var/www/html/configDir.sh apache |
5. Create the default database and initial user in MySQL
6. Go to http://﹤web root﹥/configBootstrap.php. Fill in the requested information, noting any login credentials.
7. Create a secure directory and run configSecureKeys.sh ﹤web user﹥ ﹤path to secure directory﹥ from the command line as root. This sets up the secure directory where your key file for password management will be stored. The secure directory should be a location outside of the web root that is only accessible by appropriate users.
| Code Block |
|---|
|
mkdir /secure ./configSecureKeys.sh apache /secure |
8. Log in using the credentials that were generated in Step 6 and change your password!
