CentOS 7

Before You Begin

Ensure that System Requirements have been met prior to proceeding with the CentOS Configuration Guide.

Install Requirements

1) Upgrade your current packages


Upgrade your current packages.


yum update

2) Install Required Packages

PHP

All installations of ProVision require at least PHP 5.6 (and related extensions). CentOS 7 comes with PHP 5.4 by default. You can either add a repository which provides PHP 5.6 or install PHP manually.

The Webtatic and Remi repos both have versions of PHP which are newer than those in the official repos. For this example, we'll be using Webtatic

Add the repository:

  rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
  rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

Install PHP and extensions:

PHP5 / Apache2 / extensions

  • httpd 
  • php56w 
  • php56w-opcache 
  • php56w-mysqlnd 
  • php56w-pdo 
  • php56w-ldap 
  • php56w-pecl-memcache 
  • php56w-bcmath 
  • php56w-devel 
  • php56w-pear 
  • php56w-cli

Development tools for pecl / additional system packages:

  • curl 
  • openssl 
  • memcached 
  • mod_ssl


yum install httpd php56w php56w-opcache php56w-mysqlnd php56w-pdo php56w-ldap php56w-pecl-memcache php56w-bcmath php56w-devel php56w-pear php56w-cli curl openssl memcached mod_ssl


MySQL

Install MySQL/ MariaDB to use a local database.

MySQL is included with most CentOS installs, check for it with:

yum list installed | grep mysql

 

If it is not installed:

   rpm -Uvh http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm
   yum install mysql-server
   service mysqld start
   chkconfig mysqld on
 Set the MySQL root password:


    /usr/bin/mysqladmin -u root password 'new-password'

If you prefer to install MariaDB:

   yum install mariadb-server mariadb
   systemctl start mariadb 
   
Set the root password, as currently it is not set, just hit ENTER on the current password:


mysql_secure_installation
   Set so that it starts on boot:


systemctl enable mariadb.service


DNS and Additional Utilities

5. Install the DNS and other remaining utilities:
  • curl
  • openssl
  • nmap
  • bind-utils
  • bind
  • expect
  • wget 
  • bzip2 


    yum install curl openssl nmap bind-utils bind expect wget bzip2

DNSSEC-Tools

Install and Compile DNSSEC-Tools
  	yum groupinstall 'Development Tools'
    yum install openssl-devel perl-devel perl-CPAN
    cd /usr/src
    wget https://www.dnssec-tools.org/download/dnssec-tools-2.2.tar.gz
    tar -xzf dnssec-tools-2.2.tar.gz
    ./configure
    make
    make install
 

3) Configuring the requirements:

SSL

1. Self signed certificates in CentOS 7 by default have been already installed.

If you want to change it, follow the steps below:

Note: For production install, it is HIGHLY RECOMMENDED to use organization signed certs

 

 Generate private key, CSR, and temporary key if one hasn't been provided.


   openssl genrsa -out ca.key 1024
   openssl req -new -key ca.key -out ca.csr
   openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Copy the files to the correct locations 
   cp ca.crt /etc/pki/tls/certs
   cp ca.key /etc/pki/tls/private/ca.key
   cp ca.csr /etc/pki/tls/private/ca.csr
  
   Make sure that you copy the files and do not move them if SELinux is enabled (which it is by default)
 
Edit the apache ssl config and put in the appropriate options:
 (shown using the vi editor, though you may use the editor of your choice)


vi /etc/httpd/conf.d/ssl.conf

Find the lines that start with SSHCertificateFile and change them to be like:
SSLCertificateFile /etc/pki/tls/certs/ca.crt 
SSLCertificateKeyFile /etc/pki/tls/private/ca.key 

Then restart.


/etc/init.d/httpd restart
Add 443 virtual hosts as needed in httpd.conf. 
 

Apache

Allow overwrites in the apache vhosts  


sed -i 's/AllowOverride None/AllowOverride All/g' /etc/httpd/conf/httpd.conf
Start Apache and make it start on boot
    systemctl start httpd.service
    systemctl enable httpd.service

Please note that mod_rewrite is required! If it is not enabled in Apache, key elements will not work as expected.

 MySQL

Set the MySQL Configuration:


mysql -p -e "SET GLOBAL sql_mode='NO_ENGINE_SUBSTITUTION';SET SESSION sql_mode='NO_ENGINE_SUBSTITUTION';"

Then enter the MySQL root password when prompted.


4) Optional configurations:

Configure SELinux

SELinux is a very powerful method of securing the CentOS environment, but it is not "turn key" and requires expertise to configure it correctly. If you do not know how to configure SELinux, please do not use it. A badly configured SELinux install will not work well and result in frustration. If you have any questions or concerns about this - please contact 6connect Support at support@6connect.com.

Please remember - if you change the IP address of the your server, then you will need to update SELinux functions accordingly


Most CentOS install have SELinux enabled by default.  One of its protections is to not allow   httpd daemon to make network connections, we need to disable this for license checks.

   To view the SELinux configuration for http:


/usr/sbin/getsebool -a | grep httpd
   To turn protection off for the httpd daemon for creating network connections:


 /usr/sbin/setsebool -P httpd_can_network_connect 1

Configure IPTables

IPTables is enabled by default on CentOS.  Add a new rule to allow 443 from anywhere.  Make sure that this rule is in the chain BEFORE any blanket reject rule:

 

To list all current IPTable rules:


iptables -L


To add a rule for 443:


/sbin/iptables  RH-Firewall-1-INPUT -I 5 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT


    The -I 5 is what adds the rule to the 5th chain position.  You might need to change this depending on existing rules.  Look at what rules are there before running.


To save the new config:


/etc/rc.d/init.d/iptables save

OR (some versions of centOS have different iptables names, so the above won't work) 


vi /etc/sysconfig/iptables


With the file open for editing, add:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT


Once complete - restart the iptables service:

/etc/init.d/iptables restart
Customers can alter this post install to allow only their IP space, plus the 6connect management space.

Radius (Optional)

This section only needs to be followed if the customer will be using Radius for authentication.

Install radius module:

 
    pecl install radius
    echo extension=radius.so > /etc/php.d/radius.ini
 

SSH

Install ssh module:
 
    yum install libssh2-devel
    pecl install -f ssh2
    echo extension=ssh2.so > /etc/php.d/ssh2.ini
 

5) Install 6connect ProVision Software:

1. Remove the current contents in the ProVision web folder (currently the www root) and after extract the archive contents (where 5.x.x is the version number for the build):

 tar -xf productionBuild-5.x.x-php5.6.tar -C /var/www/html

2. Change the permissions to be the web user permissions

chown -R apache.apache /var/www/html

3. If enabled SELinux you must execute the following command:

chcon -R -t httpd_sys_rw_content_t /var/www/html

chcon -R -t httpd_sys_rw_content_t /tmp

 You must also execute the same command for the 6c secure path created from configSecureKeys.sh

4. Go to http://﹤web root﹥/install/configTest.php.  Follow the provided instructions, correcting any configuration errors if they occur. Once all steps are completed, you are ready to use your ProVision instance!