Difference between revisions of "Installing Onepoint on CentOS 7 with Hashicorp Vault"

From Onepoint Systems Integration

Revision as of 22:05, 26 April 2020

Other Required Repositories

The following repositories are required for installing Onepoint. Once installed, make sure they are enabled (property enabled=1 in the respective /etc/yum.repos.d/REPONAME.repo repository file).

Hashicorp Vault

Vault is a secret store that also works as a Vault Backend for Onepoint.

To install Vault, find the appropriate package for your system and download it. Vault is packaged as a zip archive.

Installing Vault

1. To download the Vault package on Linux, use the wget command.

2. After downloading the Vault zip archive, unzip it and install the binary.

3. After installing Vault, verify the installation worked by opening a new terminal session and checking that the vault binary is available. Executing vault with no arguments should print its help output.

Configuring Vault

Vault is configured using HCL files. The configuration file for Vault is relatively simple; its main stanzas are:

ui - enables the web user interface.

storage - This is the physical backend that Vault uses for storage.

listener - One or more listeners determine how Vault listens for API requests.

Starting the Server

With the configuration in place, starting the server is simple, as shown below.

 $ vault server -config=config.hcl

Initializing the Vault

Initialization is the process of configuring Vault. This only happens once, when the server is started against a new backend that has never been used with Vault before. When running in HA mode, this happens once per cluster, not per server.

During initialization, the encryption keys are generated, the unseal keys are created, and the initial root token is set up. To initialize Vault, use vault operator init. This is an unauthenticated request, but it only works on brand new Vaults with no data.

 $ vault operator init

Initialization outputs two important pieces of information: the unseal keys and the initial root token. This is the only time ever that all of this data is known by Vault, and also the only time that the unseal keys should ever be so close together. For the purpose of this getting started guide, save all of these keys somewhere, and continue.

Seal/Unseal Vault

Every initialized Vault server starts in the sealed state. From the configuration, Vault can access the physical storage, but it can't read any of it because it doesn't know how to decrypt it. The process of teaching Vault how to decrypt the data is known as unsealing the Vault. Unsealing has to happen every time Vault starts. To remove the seal from the Vault, you need 3 of the 5 keys that were generated.

Begin unsealing the Vault

 $ vault operator unseal

Continue with vault operator unseal until the Vault is unsealed. To unseal the Vault you must use three different unseal keys; the same key repeated will not work.

When the value for Sealed changes to false, the Vault is unsealed.

Vault Login

Authenticate with the initial root token (it was included in the output together with the unseal keys):

 $ vault login <ROOT_TOKEN>

Enabling kv secret/ for storing credentials

For Onepoint to store credentials in Hashicorp Vault, you must enable a version 1 or version 2 kv secrets engine in Hashicorp Vault. It must be mounted under the secret/ path.

Choose one of the options below, depending on whether you want or already have a version 1 or version 2 kv secrets engine.

  • For enabling a version 2 kv secrets engine on Hashicorp Vault, execute this command:
 $ vault secrets enable -version=2 -path=secret kv

  • For enabling a version 1 kv secrets engine on Hashicorp Vault, execute this command:
 $ vault secrets enable -path=secret kv


Later, when configuring Onepoint, you can specify KV version in the Onepoint backend configuration.

Create secret-full policy for full access to secrets

 Note: In this guide, we are using secret-full as the name of the policy, but you can use a name of your choice. If you do, all references to secret-full in this guide must be replaced with the new name.

In Hashicorp Vault, create a policy named secret-full, with the following code:

 path "secret/*" {
   capabilities = ["create", "delete", "read", "update", "list"]
 }

Enabling auth AppRole

For Onepoint to log in to Hashicorp Vault, the AppRole auth method must be enabled in Hashicorp Vault. For more information about the AppRole auth method, see AppRole Auth Method.

Logged in with the root token or a token carrying the root policy, perform the following steps:

1. Enable AppRole (if it isn't already enabled)

 $ vault auth enable approle

2. Create a role in Vault with no secret_id_ttl, secret_id_num_uses or token_num_uses

 Note: In this guide, we are using secret-role as the name of the role, but you can use a name of your choice. If you do, all references to secret-role in this guide must be replaced with the new name.

 $ vault write auth/approle/role/secret-role \
   token_ttl=20m \
   token_max_ttl=30m \
   policies="default,secret-full"

3. Get the role ID for configuring Onepoint

 $ vault read auth/approle/role/secret-role/role-id

4. Generate a secret ID for configuring Onepoint

 $ vault write -f auth/approle/role/secret-role/secret-id

5. Save the role_id and secret_id obtained in the previous two steps for configuring Onepoint later.
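
The whole Vault procedure above (config file, init, unseal with three distinct keys, login, kv mount, secret-full policy and the secret-role AppRole), as an added shell example that is not part of the Onepoint wiki. It assumes a vault server started from the config file it writes is already running; the file paths, the listener address, the storage path and the sample init output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Onepoint wiki): scripted Vault bootstrap.
# Paths, listener address and storage path are assumptions; INIT_SAMPLE is a
# constructed copy of the `vault operator init` text format used for testing.
set -eu

CONFIG_FILE="${CONFIG_FILE:-/etc/vault.d/config.hcl}"
POLICY_FILE="${POLICY_FILE:-/etc/vault.d/secret-full.hcl}"
INIT_FILE="${INIT_FILE:-/root/vault-init.txt}"   # unseal keys + root token
THRESHOLD=3                                        # 3 of the 5 generated keys

# Constructed sample of `vault operator init` output (not from a real Vault).
INIT_SAMPLE='Unseal Key 1: key-one-constructed
Unseal Key 2: key-two-constructed
Unseal Key 3: key-three-constructed
Unseal Key 4: key-four-constructed
Unseal Key 5: key-five-constructed

Initial Root Token: s.constructedRootToken

Vault initialized with 5 key shares and a key threshold of 3.'

# HCL config with the three stanzas the guide names: ui, storage, listener.
write_vault_config() {
    cat > "$1" <<'EOF'
ui = true

storage "file" {
  path = "/opt/vault/data"
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1   # plaintext listener: only acceptable on localhost in a lab
}
EOF
}

# Print the unseal keys, one per line, from the init output given as $1.
extract_unseal_keys() {
    printf '%s\n' "$1" | awk -F': ' '/^Unseal Key [0-9]+:/ { print $2 }'
}

# Print the initial root token from the init output given as $1.
extract_root_token() {
    printf '%s\n' "$1" | awk -F': ' '/^Initial Root Token:/ { print $2 }'
}

# Count distinct non-empty lines on stdin (a repeated key does not count).
count_distinct() {
    sort -u | awk 'NF { n++ } END { print n + 0 }'
}

# Print the first $2 keys of init output $1; fail unless they are distinct.
pick_threshold_keys() {
    keys=$(extract_unseal_keys "$1" | head -n "$2")
    [ "$(printf '%s\n' "$keys" | count_distinct)" -eq "$2" ] || return 1
    printf '%s\n' "$keys"
}

# Feed THRESHOLD distinct keys to vault operator unseal, then confirm Sealed=false.
unseal_vault() {
    pick_threshold_keys "$1" "$THRESHOLD" | while IFS= read -r key; do
        vault operator unseal "$key" >/dev/null
    done
    vault status | grep -q '^Sealed *false'
}

# The secret-full policy from the guide.
write_secret_full_policy() {
    cat > "$1" <<'EOF'
path "secret/*" {
  capabilities = ["create", "delete", "read", "update", "list"]
}
EOF
}

# Run the whole procedure against an already running `vault server
# -config=$CONFIG_FILE`; prints the role_id and secret_id Onepoint needs.
bootstrap_vault() {
    init_out=$(vault operator init)
    umask 077                                   # the file holds the root token
    printf '%s\n' "$init_out" > "$INIT_FILE"
    unseal_vault "$init_out"
    vault login "$(extract_root_token "$init_out")" >/dev/null
    vault secrets enable -version=2 -path=secret kv   # drop -version for kv v1
    write_secret_full_policy "$POLICY_FILE"
    vault policy write secret-full "$POLICY_FILE"
    vault auth enable approle
    vault write auth/approle/role/secret-role \
        token_ttl=20m token_max_ttl=30m policies="default,secret-full"
    printf 'role_id=%s\n'   "$(vault read -field=role_id auth/approle/role/secret-role/role-id)"
    printf 'secret_id=%s\n' "$(vault write -f -field=secret_id auth/approle/role/secret-role/secret-id)"
}

# Sourcing the file only defines the functions; set RUN_VAULT_BOOTSTRAP=1 to run it.
if [ "${RUN_VAULT_BOOTSTRAP:-0}" = "1" ]; then
    write_vault_config "$CONFIG_FILE"
    bootstrap_vault
fi
```

The key-parsing helpers are separate from the vault calls so the distinct-key check (the "same key repeated will not work" rule above) can be exercised on the constructed sample without a running Vault; the init output is written with umask 077 because it contains the root token.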

MariaDB

First, make sure MariaDB (packages mariadb and mariadb-server) is installed on the system. If you want to use an external MariaDB database for the installation, this step is not required. You will need to create an empty database for installing Onepoint (for example, database onepoint).

 Tip: Make sure TCP/IP access (bind-address) is enabled for MariaDB / MySQL.

1. Installing MariaDB

 $ yum install mariadb-server mariadb

2. Starting MariaDB service

 $ systemctl start mariadb
 $ mysql

3. You also need a database on MariaDB to host Onepoint. If you don't have one, create one. The default name is onepoint, but you can change it as you need and then reflect the change in the database configuration step.

For creating the database, assuming the database name onepoint:

 mysql> create database onepoint;

Apache Web Server

You will need the Apache Web Server installed on the system for installing Onepoint. You can install it running the following command:

 ]# yum install httpd

PHP

You will need PHP 7.2 or higher to install Onepoint. You'll need to install the following packages:

  • php72-php
  • php72-php-common
  • php72-php-bz2
  • php72-php-curl
  • php72-php-ldap
  • php72-php-gd
  • php72-php-gmp
  • php72-php-imap
  • php72-php-mbstring
  • php72-php-mcrypt
  • php72-php-soap
  • php72-php-mysqlnd
  • php72-php-xml
  • php72-php-zip
  • php72-php-json

You can install them running the following command (once the Remi repository is installed):

 ]# yum install php72-php php72-php-common php72-php-bz2 php72-php-curl php72-php-ldap php72-php-gd php72-php-gmp php72-php-imap php72-php-mbstring php72-php-mcrypt php72-php-soap php72-php-mysqlnd php72-php-xml php72-php-zip php72-php-json

Python

You will need Python 2.7. You'll need to install the following packages:

  • python
  • python-pip
  • python-requests
  • python-ldap
  • python-paramiko

You can install them running the following command:

 ]# yum install python python-pip python-requests python-ldap python-paramiko

Other Libraries

You will need to install the following libraries:

  • curlpp
  • libssh
  • json-c
  • json-cpp

1. Install curlpp (from the EPEL 6 package referenced below) running the following command:

 ]# yum install curl http://download-ib01.fedoraproject.org/pub/epel/6/x86_64/Packages/c/curlpp-0.7.3-5.el6.x86_64.rpm

2. Install the remaining libraries running the following command:

 ]# yum install libssh json-c jsoncpp


Other tools

  • psutils
  • psmisc
  • telnet (Client)
  • SSH Server
  • SSH Client

You can install them running the following command:

 ]# yum install psutils psmisc telnet openssh-server openssh-clients
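
The prerequisite sections above ask you to confirm that the repositories are enabled (enabled=1 in the .repo file) and that PHP 7.2 or higher and Python 2.7 with the listed modules are present. The following pre-flight check is an added shell example, not part of the Onepoint wiki; the .repo text is a constructed sample, and the php72 wrapper name and the Python module names (requests, ldap, paramiko) are assumptions about what the listed packages provide.

```shell
#!/bin/sh
# Added example (not from the Onepoint wiki): pre-flight checks for the
# prerequisites. REPO_SAMPLE is a constructed .repo file for testing; the php72
# binary name and the Python module names are assumptions.
set -eu

# Constructed sample in the /etc/yum.repos.d/REPONAME.repo format.
REPO_SAMPLE='[remi-php72]
name=Remi PHP 7.2 (constructed)
baseurl=http://example.invalid/remi/php72
enabled=0
gpgcheck=1

[epel]
name=EPEL (constructed)
baseurl=http://example.invalid/epel
enabled=1
gpgcheck=1
'

# Print the value of key $2 inside section [$1] of the .repo text on stdin.
repo_key() {
    awk -v want="[$1]" -v key="$2" '
        /^\[/                            { insec = ($0 == want); next }
        insec && index($0, key "=") == 1 { sub(/^[^=]*=/, ""); print; exit }'
}

# True when section [$1] of the .repo text on stdin has enabled=1.
repo_enabled() {
    [ "$(repo_key "$1" enabled)" = "1" ]
}

# True when dotted version $1 >= $2, compared numerically per component
# (so 7.10 is newer than 7.9 and 7.2.24 satisfies 7.2).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# List every repo section under /etc/yum.repos.d that is present but disabled.
report_disabled_repos() {
    for f in /etc/yum.repos.d/*.repo; do
        [ -e "$f" ] || continue
        sed -n 's/^\[\(.*\)\]$/\1/p' "$f" | while IFS= read -r sec; do
            repo_enabled "$sec" < "$f" || printf 'disabled: %s in %s\n' "$sec" "$f"
        done
    done
}

# PHP 7.2 or higher. Remi's SCL build ships a php72 wrapper (assumption);
# fall back to plain php.
php_ok() {
    bin=php
    command -v php72 >/dev/null 2>&1 && bin=php72
    v=$("$bin" -r 'echo PHP_VERSION;' 2>/dev/null) || return 1
    version_ge "$v" 7.2
}

# Python 2.7 with the modules the listed packages provide (module names assumed).
python_ok() {
    v=$(python -c 'import sys; print("%d.%d" % sys.version_info[:2])' 2>/dev/null) || return 1
    [ "$v" = "2.7" ] && python -c 'import requests, ldap, paramiko' 2>/dev/null
}

# Set RUN_PREFLIGHT=1 to check the live system; sourcing only defines functions.
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then
    report_disabled_repos
    if php_ok;    then echo "php: ok";    else echo "php: missing or older than 7.2"; fi
    if python_ok; then echo "python: ok"; else echo "python: 2.7 or its modules missing"; fi
fi
```

The parsing of the .repo file and the version comparison are plain awk so they work on a minimal CentOS 7 install before any of the packages above are present; a disabled repository is the usual reason the yum commands in the following sections report "No package available".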

Install Onepoint

Install the repository for your operating system version below. After this, install the onepoint package, through yum:

 ]# yum install http://repo.onepoint.net.br/yum/centos/repo/onepoint-repo-0.1-1centos.noarch.rpm

 ]# yum install onepoint

Configure Database Parameters

Database parameters are on /usr/share/onepoint/onepoint/application/config/database.php. Use your favorite text editor to specify them.

If the database parameters are not configured correctly, Onepoint will not function properly.

Initialize Onepoint Database

Run the setup script by opening:

 http://<HOSTNAME>/onepoint/ui/setup

<HOSTNAME> is the address of the host on which you installed Onepoint in the previous step.

Click execute install scripts.

Onepoint

After completing the procedures above, the Onepoint login screen appears. The default credentials are:

 USER: admin
 PASSWORD: password

Create a Vault Backend of class Hashicorp Vault and set it as default Vault Backend

 Note: In this guide, we are using hashicorp-vault as the name of the vault backend, but you can use a name of your choice. If you do, all references to hashicorp-vault in this guide must be replaced with the new name.

In Onepoint, you need to create a Vault Backend pointing to your Hashicorp Vault instance.

  • In Onepoint, go to Settings > Encrypt String, encrypt the role_id of the role created previously, and save the resulting value (copy and paste).
  • Go to Settings > Encrypt String again, encrypt the secret_id generated previously, and save the resulting value (copy and paste).

  • In Onepoint, go to Settings > Backends
  • Click New for creating a backend
  • Select type Vault Backend and class Hashicorp Vault
  • In Parameters tab, set address to the Hashicorp Vault endpoint address, version to KV secrets engine version (1 or 2, depending on which version you installed / setup), mode to approle, encryption to full, and fill role_id and secret_id with the encrypted values generated in first step of this section.

  • Set hashicorp-vault Vault Backend as default Vault Backend in Onepoint. For this, access Settings > System Properties, and search for the property called system.default.backend.vault. Edit it and set it to hashicorp-vault.

Configuring Onepoint Worker Daemon

Onepoint Worker is on /usr/share/onepoint/onepoint-worker. To configure it, set the credentials in /usr/share/onepoint/onepoint-worker/cfg/config.json, and put the startup script in the root's crontab. Like this:

 crontab -e

 @reboot /usr/share/onepoint/onepoint-worker/start-onepoint-worker-su-30

You can start the service manually using

 ]# /usr/share/onepoint/onepoint-worker/start-onepoint-worker-su

And you can stop the service manually using

 ]# /usr/share/onepoint/onepoint-worker/stop-onepoint-worker

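The worker setup above (credentials in cfg/config.json, the @reboot line in root's crontab, manual start) as an added shell example that is not part of the Onepoint wiki. The worker directory, the start script and the crontab line are the ones the guide gives; requiring config.json to be mode 0600 and owned by root is an assumption made here because the file holds the credentials.

```shell
#!/bin/sh
# Added example (not from the Onepoint wiki): idempotent crontab entry for the
# worker start script, plus a permission check on the credentials file.
# WORKER_DIR and the @reboot line come from the guide; the 0600/root policy
# for config.json is an assumption.
set -eu

WORKER_DIR="${WORKER_DIR:-/usr/share/onepoint/onepoint-worker}"
REBOOT_LINE="@reboot $WORKER_DIR/start-onepoint-worker-su-30"
CONFIG_JSON="$WORKER_DIR/cfg/config.json"

# Read a crontab on stdin and write it back with REBOOT_LINE present exactly
# once, so running the setup twice does not start the worker twice at boot.
ensure_reboot_entry() {
    awk -v line="$REBOOT_LINE" '
        { print }
        $0 == line { seen = 1 }
        END { if (!seen) print line }'
}

# Install the entry into root's crontab; crontab -l fails when none exists yet.
install_reboot_entry() {
    { crontab -l 2>/dev/null || true; } | ensure_reboot_entry | crontab -
}

# config.json holds the Vault/Onepoint credentials: require mode 0600, owner root.
config_perms_ok() {
    [ "$(stat -c '%a %U' "$1" 2>/dev/null)" = "600 root" ]
}

# Tighten the permissions (safe to repeat).
fix_config_perms() {
    chown root:root "$1" && chmod 0600 "$1"
}

# Set RUN_WORKER_SETUP=1 to apply on the live system; sourcing only defines functions.
if [ "${RUN_WORKER_SETUP:-0}" = "1" ]; then
    install_reboot_entry
    config_perms_ok "$CONFIG_JSON" || fix_config_perms "$CONFIG_JSON"
    "$WORKER_DIR/start-onepoint-worker-su"
fi
```

Editing the crontab through a filter rather than crontab -e keeps the change scriptable and repeatable; the permission check is worth running again after any re-deployment of the worker directory, since the config.json holding the credentials is what an unprivileged local account would otherwise be able to read.
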
Finished

Now, Onepoint is ready. You can access it on http://<HOSTNAME>/onepoint

Links