Difference between revisions of "Installing Onepoint on CentOS 7 with Hashicorp Vault"

From Onepoint Systems Integration
(Python)
 
(24 intermediate revisions by 2 users not shown)
Line 52: Line 52:
 
With the configuration in place, starting the server is simple, as shown below.
 
With the configuration in place, starting the server is simple, as shown below.
  
   $ vault server -config=config.hcl
+
   ]# vault server -config=config.hcl
  
 
[[file:6.png]]
 
[[file:6.png]]
Line 61: Line 61:
 
During initialization, the encryption keys are generated, unseal keys are created, and the initial root token is setup. To initialize Vault use vault operator init. This is an unauthenticated request, but it only works on brand new Vaults with no data.
 
During initialization, the encryption keys are generated, unseal keys are created, and the initial root token is setup. To initialize Vault use vault operator init. This is an unauthenticated request, but it only works on brand new Vaults with no data.
  
   $ vault operator init
+
   ]# vault operator init
 
[[file:7.png]]
 
[[file:7.png]]
  
Line 75: Line 75:
 
Begin unsealing the Vault
 
Begin unsealing the Vault
  
   $ vault operator unseal
+
   ]# vault operator unseal
 
[[file:8.png]]
 
[[file:8.png]]
  
Line 85: Line 85:
 
Authenticate as the initial root token (it was included in the output with the unseal keys)
 
Authenticate as the initial root token (it was included in the output with the unseal keys)
  
   $ vault login "root token"
+
   ]# vault login "root token"
  
 
[[file:9.png]]
 
[[file:9.png]]
 
  
 
== Enabling kv secret/ for storing credentials ==
 
== Enabling kv secret/ for storing credentials ==
Line 97: Line 96:
 
*For enabling a version 2 kv secrets engine on Hashicorp Vault, execute this command:
 
*For enabling a version 2 kv secrets engine on Hashicorp Vault, execute this command:
  
   $ vault secrets enable -version=2 -path=secret kv
+
   ]# vault secrets enable -version=2 -path=secret kv
 
[[file:10.png]]
 
[[file:10.png]]
  
 
*For enabling a version 1 kv secrets engine on Hashicorp Vault, execute this command:
 
*For enabling a version 1 kv secrets engine on Hashicorp Vault, execute this command:
  
   $ vault secrets enable -path=secret kv
+
   ]# vault secrets enable -path=secret kv
 
[[file:kv1.png]]
 
[[file:kv1.png]]
  
Line 113: Line 112:
 
In Hashicorp Vault, create a policy named secret-full, with the following code:
 
In Hashicorp Vault, create a policy named secret-full, with the following code:
  
   $ vi policy.hcl
+
   ]# vi policy.hcl
  
 
   path "secret/*" {
 
   path "secret/*" {
Line 119: Line 118:
 
   }
 
   }
  
   $ vault policy write secret-full policy.hcl
+
   ]# vault policy write secret-full policy.hcl
 
[[file:policy2.png]]
 
[[file:policy2.png]]
  
Line 129: Line 128:
  
 
1. Enable AppRole (if it isn't already enabled)
 
1. Enable AppRole (if it isn't already enabled)
   $ vault auth enable approle
+
   ]# vault auth enable approle
 
[[file:11.2.png]]
 
[[file:11.2.png]]
  
Line 136: Line 135:
 
   '''Note: In this guide, we are using secret-role as name of the role, but you can use a name of your choice. For this, all references to secret-role in this guide must be replaced for the new name.'''
 
   '''Note: In this guide, we are using secret-role as name of the role, but you can use a name of your choice. For this, all references to secret-role in this guide must be replaced for the new name.'''
  
   $ vault write auth/approle/role/secret-role \
+
   ]# vault write auth/approle/role/secret-role \
 
     token_ttl=20m \
 
     token_ttl=20m \
 
     token_max_ttl=30m \
 
     token_max_ttl=30m \
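Review bot: the role definition in this hunk sets token_ttl=20m and token_max_ttl=30m but, as step 2 states, no secret_id_ttl or secret_id_num_uses, so the secret ID generated for Onepoint in step 4 neither expires nor is consumed on use. The guide should say how that secret ID is rotated (re-run `vault write -f auth/approle/role/secret-role/secret-id` and update the encrypted value stored in the Onepoint backend), because until it is replaced anyone holding the role_id and secret_id pair can obtain a token carrying the secret-full policy.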
Line 143: Line 142:
  
 
3. Get the role ID for configuring Onepoint
 
3. Get the role ID for configuring Onepoint
   $ vault read auth/approle/role/secret-role/role-id
+
   ]# vault read auth/approle/role/secret-role/role-id
  
 
[[file:13.png]]
 
[[file:13.png]]
  
 
4. Generate a secret ID for configuring Onepoint
 
4. Generate a secret ID for configuring Onepoint
   $ vault write -f auth/approle/role/secret-role/secret-id
+
   ]# vault write -f auth/approle/role/secret-role/secret-id
  
 
[[file:14.png]]
 
[[file:14.png]]
Line 161: Line 160:
  
  
1. Installing MariaDB
+
1- First step access the mariadb download site.
 +
 
 +
  https://downloads.mariadb.org/mariadb/repositories/#distro=CentOS&distro_release=centos7-amd64--centos7&mirror=osuosl
 +
 
 +
2- Create a mariadb repository.
 +
 
 +
  ]# vi /etc/yum.repos.d/mariadb.repo
 +
 
 +
[[File:Mariadbrepo.png]]
 +
 
 +
 
 +
3- Copy and paste the data directly from the website into the repository created in the previous step.
 +
 
 +
[[File:Mariadbrepo2.png]]
 +
 
 +
 
 +
*Save repository.
 +
 
 +
 
 +
4- Installing MariaDB
  
   $ yum install mariadb-server mariadb
+
   ]# yum install MariaDB-server MariaDB-client
[[file:Dbinstall.png]]
+
[[File:Dbinstall2.png]]
  
  
2. Starting MariaDB service
+
5- Starting MariaDB service
  
   $ systemclt start mariadb
+
   ]# systemclt start mariadb
   $ systemctl enable mariadb
+
   ]# systemctl enable mariadb
   $ mysql
+
   ]# mysql
  
3. You also need to have a database created on MariaDB to host Onepoint. If you don't have one, you will need to create one. The default name is onepoint, but you can change it as you need, and then reflect the change in the database configuration part.
+
6- You also need to have a database created on MariaDB to host Onepoint. If you don't have one, you will need to create one. The default name is onepoint, but you can change it as you need, and then reflect the change in the database configuration part.
  
 
For creating the database, assuming the database name onepoint:
 
For creating the database, assuming the database name onepoint:
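Review bot: the `systemclt` typo in the service start line survives this revision on both sides (old `$ systemclt start mariadb`, new `]# systemclt start mariadb`); it should read `]# systemctl start mariadb`, matching the `systemctl enable mariadb` line beneath it. The change of package names to `MariaDB-server MariaDB-client` is consistent with the mariadb.repo added in step 2, since those capitalised names come from the MariaDB repository rather than the CentOS base repo.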
Line 179: Line 197:
 
   mysql> create database onepoint;
 
   mysql> create database onepoint;
 
[[file:startdb2.png]]
 
[[file:startdb2.png]]
 +
 +
7- You must give permission for user (root or other user you want to use for onepoint) log in with password into MariaDB.
 +
 +
If you want to use root user for connecting to the database, you only need to execute a GRANT command to set the password for it (by default, root user in MariaDB 10.4 or superior comes with invalid password for root user). In this case, execute this command:
 +
 +
  mysql> GRANT ALL ON *.* TO 'root'@'localhost' IDENTIFIED BY '<YOUR DESIRED PASSWORD>';
 +
[[File:Dbinstall3.png]]
 +
 +
If you want to use another user for connecting to the database, at first, you need to create it, with permissions for logging in with password. For example, if you want to use user *onepoint*, you can execute this command:
 +
 +
  mysql> GRANT ALL ON *.* TO 'onepoint'@'localhost' IDENTIFIED BY '<YOUR DESIRED PASSWORD>';
 +
[[File:Dbinstall4.png]]
 +
 +
Doing this, you need to use this user for connecting to Onepoint database, in all references for connecting to the database in this guide.
  
 
= Apache Web Server =
 
= Apache Web Server =
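Review bot: both new GRANT statements use `ON *.*`, which gives the application's database login every privilege on every schema on the server. For the dedicated onepoint user the grant should be limited to the Onepoint database, e.g. `GRANT ALL ON onepoint.* TO 'onepoint'@'localhost' IDENTIFIED BY '<YOUR DESIRED PASSWORD>';`, so a compromised web application cannot read or alter other databases. The closing sentence "Doing this, you need to use this user..." should also say that the database.php parameters in the Configure Database Parameters section are where that user and password go.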
Line 220: Line 252:
 
*python-ldap
 
*python-ldap
 
*python-paramiko
 
*python-paramiko
 +
*python2-PyMySQL
 +
*python2-pymssql
  
 
You can install them running the following command:
 
You can install them running the following command:
  
   ]# yum install python-pip python-requests python-ldap python-paramiko
+
   ]# yum install python-pip python-requests python-ldap python-paramiko python2-pymssql python2-PyMySQL
[[file:installpython.png]]
+
[[file:installpython2.png]]
  
 
= Other Libraries =
 
= Other Libraries =
Line 250: Line 284:
 
*SSH Server
 
*SSH Server
 
*SSH Client
 
*SSH Client
 +
*SAMBA
  
 
You can install them running the following command:
 
You can install them running the following command:
  
   ]# yum install psutils psmisc telnet ssh
+
   ]# yum install psutils psmisc telnet ssh samba
[[file:Psutils.png]]
+
[[file:Psutils1.png]]
  
 
= Install Onepoint =
 
= Install Onepoint =
Line 322: Line 357:
 
[[File:Onepointsystempropertydefaultvaultbackend.jpg|frameless|1200px|Performing credential discovery]]
 
[[File:Onepointsystempropertydefaultvaultbackend.jpg|frameless|1200px|Performing credential discovery]]
  
= Give root permissions to group admin for Delegate, Managed, List and My credentials =
+
= Set root permissions for group admin on Delegate, Managed, List and My credentials =
  
 
== Root Permissions on Delegate Credentials ==
 
== Root Permissions on Delegate Credentials ==
Line 395: Line 430:
  
 
[[File:Hashicorpvaultrootpermissions15.jpg]]
 
[[File:Hashicorpvaultrootpermissions15.jpg]]
 +
 +
=Creating SSH key for onepoint user=
 +
 +
 +
  ]# passwd onepoint
 +
 +
[[file:Sshone.png]]
 +
 +
 +
  ]# ssh onepoint@localhost
 +
 +
[[file:Sshone2.png]]
 +
 +
 +
  ]$ ssh-keygen -t rsa -m PEM
 +
 +
[[File:Sshone3.png]]
 +
 +
 +
  ]$ ssh-copy-id onepoint@localhost
 +
 +
[[File:Sshone4.png]]
 +
 +
 +
  ]# passwd -d onepoint
 +
   
 +
[[File:Sshone5.png]]
  
 
= Configuring Onepoint Worker Daemon =
 
= Configuring Onepoint Worker Daemon =
  
 
Onepoint Worker is on /usr/share/onepoint/onepoint-worker. To configure it, set the credentials in /usr/share/onepoint/onepoint-worker/cfg/config.json, and put the startup script in the root's crontab. Like this:
 
Onepoint Worker is on /usr/share/onepoint/onepoint-worker. To configure it, set the credentials in /usr/share/onepoint/onepoint-worker/cfg/config.json, and put the startup script in the root's crontab. Like this:
   crontab -e
+
   ]# crontab -e
 
[[file:crontab1.png]]
 
[[file:crontab1.png]]
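Review bot: the new "Creating SSH key for onepoint user" section in this hunk lists five commands without saying what they achieve. One sentence would make the step reviewable: a temporary password is set so that `ssh-copy-id` can authenticate, `ssh-keygen -t rsa -m PEM` is run as the onepoint user (hence the `]$` prompt) to create the key pair, `ssh-copy-id onepoint@localhost` installs the public key in that user's authorized_keys, and `passwd -d onepoint` then deletes the password so the account is reachable only with the key (sshd's PermitEmptyPasswords defaults to no). It should also name which Onepoint component reads the PEM-format private key, since that is presumably why `-m PEM` is required.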
 
   
 
   

Latest revision as of 13:50, 15 June 2020

Introduction

This page describes the installation procedure for Onepoint with Hashicorp Vault. For other procedures, please check the page Onepoint Procedures.

Other Required Repositories

The following repositories are required for installing Onepoint. Please make sure they are enabled once installed (property enabled=1 in the respective /etc/yum.repos.d/REPONAME.repo repository file):

 ]# yum install https://rpms.remirepo.net/enterprise/remi-release-7.rpm

Remi123.png

Hashicorp Vault

Vault is a secret store that also works as a Vault Backend for Onepoint.

To install Vault, find the appropriate package for your system and download it. Vault is packaged as a zip archive.

Installing Vault

1. To download the Vault package on Linux, use the wget command.

1.png


2. After downloading the Vault archive, unzip it and install the binary.

2.png


3. After installing Vault, verify that the installation worked by opening a new terminal session and checking that the vault binary is available. Executing vault should print help output similar to the following:

3.png


Configuring Vault

Vault is configured using HCL files. The configuration file for Vault is relatively simple:


5.png

ui - User Interface.

storage - This is the physical backend that Vault uses for storage.

listener - One or more listeners determine how Vault listens for API requests.

Starting the Server

With the configuration in place, starting the server is simple, as shown below.

 ]# vault server -config=config.hcl

6.png

Initializing the Vault

Initialization is the process of configuring the Vault. This only happens once, when the server is started against a new backend that has never been used with Vault before. When running in HA mode, this happens once per cluster, not per server.

During initialization, the encryption keys are generated, the unseal keys are created, and the initial root token is set up. To initialize Vault, use vault operator init. This is an unauthenticated request, but it only works on brand new Vaults with no data.

 ]# vault operator init

7.png


Initialization outputs two important pieces of information: the unseal keys and the initial root token. This is the only time ever that all of this data is known by Vault, and also the only time that the unseal keys should ever be so close together. For the purpose of this getting started guide, save all of these keys somewhere and continue.

Seal/Unseal Vault

Every initialized Vault server starts in the sealed state. From the configuration, Vault can access the physical storage, but it can't read any of it because it doesn't know how to decrypt it. The process of teaching Vault how to decrypt the data is known as unsealing the Vault. Unsealing has to happen every time Vault starts. To remove the seal from the Vault, you need 3 of the 5 keys that have been generated.

Begin unsealing the Vault

 ]# vault operator unseal

8.png

Continue with vault operator unseal to complete unsealing the Vault. To unseal the Vault you must use three different unseal keys; the same key repeated will not work.

When the value for Sealed changes to false, the Vault is unsealed.
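The 3-of-5 rule above is Shamir secret sharing over GF(2^8). The following Python 3 is an added illustration written for this page, not Vault's own shamir code: it splits a constructed 32-byte secret (standing in for the master key) into five shares and shows that any three distinct shares recover it, while two shares, or three with a repeat, do not. The share layout (x coordinate first) and the function names are this example's own choices.

```python
# Added illustration: Shamir secret sharing over GF(2^8), the scheme behind
# Vault's unseal keys. Teaching code for this page, not Vault's implementation.
import os

IRREDUCIBLE = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a, b):
    """Multiply two field elements in GF(2^8)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= IRREDUCIBLE
        b >>= 1
    return result


def gf_inv(a):
    """Multiplicative inverse: a^254 == a^-1 because a^255 == 1 for a != 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split_secret(secret, shares=5, threshold=3, rng=os.urandom):
    """Split `secret` into `shares` shares; any `threshold` distinct ones rebuild it.

    Share layout (this example's own choice): one byte holding the share's
    x coordinate, followed by one y value per secret byte.
    """
    if not 1 < threshold <= shares <= 255:
        raise ValueError("need 1 < threshold <= shares <= 255")
    xs = list(range(1, shares + 1))  # distinct, non-zero x coordinates
    out = [bytearray([x]) for x in xs]
    for byte in secret:
        # Random polynomial of degree threshold-1 whose constant term is the secret byte.
        coeffs = [byte] + list(rng(threshold - 1))
        for share, x in zip(out, xs):
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            share.append(y)
    return [bytes(s) for s in out]


def combine_shares(shares):
    """Lagrange-interpolate the polynomial at x=0 for every byte position.

    A repeated share is rejected outright (Vault likewise refuses the same unseal
    key twice); fewer than `threshold` shares interpolate the wrong polynomial.
    """
    xs = [s[0] for s in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("the same share was supplied twice")
    secret = bytearray()
    for pos in range(1, len(shares[0])):
        acc = 0
        for j, sj in enumerate(shares):
            num, den = 1, 1
            for m, sm in enumerate(shares):
                if m != j:
                    num = gf_mul(num, sm[0])          # product of x_m
                    den = gf_mul(den, sm[0] ^ sj[0])  # product of (x_m - x_j); minus is XOR here
            acc ^= gf_mul(sj[pos], gf_mul(num, gf_inv(den)))
        secret.append(acc)
    return bytes(secret)


def demo():
    """3-of-5 round trip mirroring the page's unseal threshold; True on success."""
    secret = os.urandom(32)  # constructed stand-in for Vault's master key
    shares = split_secret(secret, shares=5, threshold=3)
    assert combine_shares(shares[:3]) == secret
    assert combine_shares([shares[4], shares[1], shares[2]]) == secret  # any 3 distinct
    assert combine_shares(shares[:2]) != secret                          # too few
    try:
        combine_shares([shares[0], shares[0], shares[1]])                # repeated key
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("3-of-5 unseal demo ok:", demo())
```

Run it directly to see the round trip; the shares must be kept apart exactly as the text says for the unseal keys, because any three of them reconstruct the whole secret.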

Vault Login

Authenticate with the initial root token (it was included in the output with the unseal keys):

 ]# vault login "root token"

9.png

Enabling kv secret/ for storing credentials

For Onepoint to store credentials on Hashicorp Vault, you must enable a version 1 or version 2 kv secrets engine on Hashicorp Vault. It must be mounted under the secret/ path.

Choose one of the options below, depending on whether you want or already have a version 1 or version 2 kv secrets engine.

  • For enabling a version 2 kv secrets engine on Hashicorp Vault, execute this command:
 ]# vault secrets enable -version=2 -path=secret kv

10.png

  • For enabling a version 1 kv secrets engine on Hashicorp Vault, execute this command:
 ]# vault secrets enable -path=secret kv

Kv1.png

Later, when configuring Onepoint, you can specify KV version in the Onepoint backend configuration.

Create secret-full policy for full access to secrets

 Note: In this guide, we are using secret-full as the name of the policy, but you can use a name of your choice. If you do, all references to secret-full in this guide must be replaced with the new name.

In Hashicorp Vault, create a policy named secret-full, with the following code:

 ]# vi policy.hcl
 path "secret/*" {
   capabilities = ["create", "delete", "read", "update", "list"]
 }
 ]# vault policy write secret-full policy.hcl

Policy2.png

Enabling auth AppRole

For Onepoint to log on to Hashicorp Vault, the AppRole authentication backend must be enabled on Hashicorp Vault. For more information about the AppRole auth backend, see AppRole Auth Method.

Logged on as the root token or a token with the root policy, perform the following steps:

1. Enable AppRole (if it isn't already enabled)

 ]# vault auth enable approle

11.2.png

2. Create a role on Vault with no secret_id_ttl, secret_id_num_uses or token_num_uses

 Note: In this guide, we are using secret-role as the name of the role, but you can use a name of your choice. If you do, all references to secret-role in this guide must be replaced with the new name.
 ]# vault write auth/approle/role/secret-role \
   token_ttl=20m \
   token_max_ttl=30m \
   policies="default,secret-full"

12.png

3. Get the role ID for configuring Onepoint

 ]# vault read auth/approle/role/secret-role/role-id

13.png

4. Generate a secret ID for configuring Onepoint

 ]# vault write -f auth/approle/role/secret-role/secret-id

14.png

5. Save the role_id and secret_id captured in the previous two steps for configuring Onepoint later.
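As an added example, not Onepoint's code and not part of the original page, the following Python 3 shows the exchange that the role_id and secret_id above are used for, together with the KV v1/v2 path difference mentioned in the secrets-engine section: an AppRole login against /v1/auth/approle/login, a check that the returned token carries the secret-full policy, and a read of a secret under secret/ whose path depends on the KV version. The HTTP layer is a pluggable send function, so the block runs offline against constructed responses shaped like Vault's; the token, role_id, secret_id and secret contents are placeholders.

```python
# Added example (not Onepoint's code): AppRole login plus a KV v1/v2 read against
# Vault's HTTP API, with the transport pluggable so it can run offline.
import json
from urllib.request import Request, urlopen


def approle_login_request(vault_addr, role_id, secret_id):
    """POST /v1/auth/approle/login with the role_id and secret_id from steps 3 and 4."""
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return Request(vault_addr.rstrip("/") + "/v1/auth/approle/login", data=body,
                   headers={"Content-Type": "application/json"}, method="POST")


def parse_login_response(raw, required_policy="secret-full"):
    """Return (client_token, lease_duration); refuse a token without the page's policy,
    since such a token would be denied later on every secret/ path."""
    auth = json.loads(raw)["auth"]
    if required_policy not in auth.get("policies", []):
        raise PermissionError("token lacks policy %r: %s" % (required_policy, auth.get("policies")))
    return auth["client_token"], auth["lease_duration"]


def kv_read_path(mount, key, version):
    """KV v1 serves secrets at <mount>/<key>; KV v2 inserts 'data' for the current version."""
    if version == 1:
        return "%s/%s" % (mount, key)
    if version == 2:
        return "%s/data/%s" % (mount, key)
    raise ValueError("kv version must be 1 or 2, got %r" % (version,))


def kv_read_request(vault_addr, token, mount, key, version):
    """GET the secret, presenting the token in the X-Vault-Token header."""
    url = "%s/v1/%s" % (vault_addr.rstrip("/"), kv_read_path(mount, key, version))
    return Request(url, headers={"X-Vault-Token": token}, method="GET")


def kv_extract(raw, version):
    """v1 returns the secret under 'data'; v2 nests it under 'data' -> 'data'."""
    data = json.loads(raw)["data"]
    return data["data"] if version == 2 else data


def login_and_read(vault_addr, role_id, secret_id, mount, key, version, send=None):
    """Full exchange: AppRole login, then one KV read. `send` takes a Request and
    returns the response body; by default it performs the real HTTP call."""
    send = send or (lambda req: urlopen(req).read())
    token, _ttl = parse_login_response(send(approle_login_request(vault_addr, role_id, secret_id)))
    return kv_extract(send(kv_read_request(vault_addr, token, mount, key, version)), version)


# --- Constructed sample responses, shaped like Vault's, so the block runs offline ---
SAMPLE_LOGIN = json.dumps({"auth": {
    "client_token": "CONSTRUCTED-TOKEN", "accessor": "CONSTRUCTED",
    "policies": ["default", "secret-full"], "token_policies": ["default", "secret-full"],
    "lease_duration": 1200, "renewable": True}})  # 1200 s matches token_ttl=20m on the role
SAMPLE_KV2 = json.dumps({"data": {"data": {"username": "onepoint", "password": "CONSTRUCTED"},
                                  "metadata": {"version": 1}}})
SAMPLE_KV1 = json.dumps({"data": {"username": "onepoint", "password": "CONSTRUCTED"}})


def fake_send(req):
    """Stand-in for the network: route by URL path and check the token header."""
    path = req.full_url.split("/v1/", 1)[1]
    if path == "auth/approle/login":
        return SAMPLE_LOGIN
    headers = {k.lower(): v for k, v in req.header_items()}  # urllib recases header names
    if headers.get("x-vault-token") != "CONSTRUCTED-TOKEN":
        raise PermissionError("missing or wrong X-Vault-Token")
    return SAMPLE_KV2 if path.startswith("secret/data/") else SAMPLE_KV1


if __name__ == "__main__":
    for v in (1, 2):
        print("kv v%d ->" % v, login_and_read("http://127.0.0.1:8200", "ROLE-ID-PLACEHOLDER",
                                              "SECRET-ID-PLACEHOLDER", "secret", "onepoint/db",
                                              v, send=fake_send))
```

Against a real server, drop the send argument and pass the values from steps 3 and 4; the version argument is the same 1 or 2 you later enter in the Onepoint backend configuration, and getting it wrong shows up as a 404 on the read rather than on the login.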

MariaDB

First, make sure MariaDB (packages mariadb and mariadb-server) is installed on the system. If you want to use an external MariaDB database for the installation, this step is not required. You will need to create an empty database for installing Onepoint (for example, database onepoint).

 Tip: Make sure TCP/IP (bind-address) access is enabled for MariaDB / MySQL.


1- First, access the MariaDB download site.

 https://downloads.mariadb.org/mariadb/repositories/#distro=CentOS&distro_release=centos7-amd64--centos7&mirror=osuosl

2- Create a MariaDB repository file.

 ]# vi /etc/yum.repos.d/mariadb.repo

Mariadbrepo.png


3- Copy and paste the repository data from the website into the repository file created in the previous step.

Mariadbrepo2.png


  • Save the repository file.


4- Install MariaDB

 ]# yum install MariaDB-server MariaDB-client

Dbinstall2.png


5- Start the MariaDB service

 ]# systemctl start mariadb
 ]# systemctl enable mariadb
 ]# mysql

6- You also need a database created on MariaDB to host Onepoint. If you don't have one, you will need to create one. The default name is onepoint, but you can change it as needed and then reflect the change in the database configuration section.

For creating the database, assuming the database name onepoint:

 mysql> create database onepoint;

Startdb2.png

7- You must grant the user (root, or another user you want to use for Onepoint) permission to log in to MariaDB with a password.

If you want to use the root user for connecting to the database, you only need to execute a GRANT command to set its password (by default, the root user in MariaDB 10.4 or later comes with an invalid password). In this case, execute this command:

 mysql> GRANT ALL ON *.* TO 'root'@'localhost' IDENTIFIED BY '<YOUR DESIRED PASSWORD>';

Dbinstall3.png

If you want to use another user for connecting to the database, you first need to create it, with permission to log in with a password. For example, to use the user onepoint, execute this command:

 mysql> GRANT ALL ON *.* TO 'onepoint'@'localhost' IDENTIFIED BY '<YOUR DESIRED PASSWORD>';

Dbinstall4.png

If you do this, use this user in every database-connection reference in this guide.
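The GRANT ALL ON *.* statements above make the application's database login a server-wide superuser. As an added example, not from the original page, the Python 3 below builds the same IDENTIFIED BY grant scoped to the Onepoint database only, and audits SHOW GRANTS output so that a global grant can be detected after the fact. The SHOW GRANTS rows are constructed; audit_user assumes any DB-API cursor, such as one from the PyMySQL package listed in the Python section.

```python
# Added example (not from the Onepoint page): a database-scoped alternative to
# GRANT ALL ON *.* for the Onepoint login, plus an audit of SHOW GRANTS output.
import re


def quote_identifier(name):
    """Backtick-quote a schema or table name, doubling any embedded backtick."""
    return "`" + name.replace("`", "``") + "`"


def quote_literal(value):
    """Single-quote a string literal for MariaDB's default (backslash-escaping) sql_mode."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def scoped_grant(user, host, database, password):
    """GRANT ALL on one database only, in the same IDENTIFIED BY form the page uses.

    `ON *.*` makes the web application's login a server-wide superuser;
    `ON <database>.*` confines a compromised application to its own schema.
    """
    return "GRANT ALL PRIVILEGES ON %s.* TO %s@%s IDENTIFIED BY %s" % (
        quote_identifier(database), quote_literal(user), quote_literal(host),
        quote_literal(password))


_GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<target>\S+) TO ", re.IGNORECASE)


def global_privileges(show_grants_rows):
    """From SHOW GRANTS rows, return the privilege lists granted ON *.* other than
    the bare USAGE that every account carries."""
    found = []
    for row in show_grants_rows:
        m = _GRANT_RE.match(row)
        if m and m.group("target") == "*.*" and m.group("privs").upper() != "USAGE":
            found.append(m.group("privs"))
    return found


def audit_user(cursor, user, host):
    """Run SHOW GRANTS through a DB-API cursor (e.g. PyMySQL) and return any global grants."""
    cursor.execute("SHOW GRANTS FOR %s@%s" % (quote_literal(user), quote_literal(host)))
    return global_privileges(row[0] for row in cursor.fetchall())


# Constructed SHOW GRANTS output for the two ways of creating the account.
SHOW_GRANTS_AFTER_PAGE_COMMAND = [
    "GRANT ALL PRIVILEGES ON *.* TO `onepoint`@`localhost` IDENTIFIED BY PASSWORD '*CONSTRUCTED'",
]
SHOW_GRANTS_AFTER_SCOPED_GRANT = [
    "GRANT USAGE ON *.* TO `onepoint`@`localhost` IDENTIFIED BY PASSWORD '*CONSTRUCTED'",
    "GRANT ALL PRIVILEGES ON `onepoint`.* TO `onepoint`@`localhost`",
]

if __name__ == "__main__":
    print(scoped_grant("onepoint", "localhost", "onepoint", "<YOUR DESIRED PASSWORD>"))
    print("global privileges after page command:", global_privileges(SHOW_GRANTS_AFTER_PAGE_COMMAND))
    print("global privileges after scoped grant: ", global_privileges(SHOW_GRANTS_AFTER_SCOPED_GRANT))
```

The scoped statement still creates the account and sets its password, exactly as the page's command does, so nothing else in the guide changes; the audit returns an empty list once only the USAGE row applies to *.*.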

Apache Web Server

You will need the Apache Web Server installed on the system for installing Onepoint. You can install it by running the following command:

 ]# yum install httpd

Httpd.png


 ]# systemctl enable httpd

Enablehtppd.png

PHP

You will need PHP 7.2 or higher to install Onepoint. You'll need to install the following packages:

  • php72-php
  • php72-php-common
  • php72-php-bz2
  • php72-php-curl
  • php72-php-ldap
  • php72-php-gd
  • php72-php-gmp
  • php72-php-imap
  • php72-php-mbstring
  • php72-php-mcrypt
  • php72-php-soap
  • php72-php-mysqlnd
  • php72-php-xml
  • php72-php-zip
  • php72-php-json

You can install them running the following command (once Remi is installed):

 ]# yum install php72-php php72-php-common php72-php-bz2 php72-php-curl php72-php-ldap php72-php-gd php72-php-gmp php72-php-imap php72-php-mbstring php72-php-mcrypt php72-php-soap php72-php-mysqlnd php72-php-xml php72-php-zip php72-php-json

Php72.png

Python

You will need Python 2.7. You'll need to install the following packages:

  • python
  • python-pip
  • python-requests
  • python-ldap
  • python-paramiko
  • python2-PyMySQL
  • python2-pymssql

You can install them running the following command:

 ]# yum install python-pip python-requests python-ldap python-paramiko python2-pymssql python2-PyMySQL

Installpython2.png

Other Libraries

You will need to install the following libraries:

1. You can install them running the following command:

 ]# yum install curl http://download-ib01.fedoraproject.org/pub/epel/6/x86_64/Packages/c/curlpp-0.7.3-5.el6.x86_64.rpm

Curlpp.png

    • libssh
    • json-c
    • json-cpp

2. You can install them running the following command:

 ]# yum install libssh json-c jsoncpp

Libssh.png

Other tools

  • psutils
  • psmisc
  • telnet (Client)
  • SSH Server
  • SSH Client
  • SAMBA

You can install them running the following command:

 ]# yum install psutils psmisc telnet ssh samba

Psutils1.png

Install Onepoint

Install the repository for your operating system version as shown below. After this, install the onepoint package through yum:

 ]# yum install http://repo.onepoint.net.br/yum/centos/repo/onepoint-repo-0.1-1centos.noarch.rpm

Reponpt.png


 ]# yum install onepoint

Installonpt.png

Configure Database Parameters

Database parameters are on /usr/share/onepoint/onepoint/application/config/database.php. Use your favorite text editor to specify them.

Databaseopt.png

If the database parameters are not configured correctly, Onepoint will not function properly.

Initialize Onepoint Database

Run the setup script by accessing:

 http://<HOSTNAME>/onepoint/ui/setup

The hostname is the address of your repository configured in the previous step.


Exescript.png

Click Execute install scripts.

Onepoint

After completing the procedures above, the screen below will appear:


Welcomeone.png


 USER: admin
 PASSWORD: password

Create a Vault Backend of class Hashicorp Vault and set it as default Vault Backend

 Note: In this guide, we are using hashicorp-vault as the name of the vault backend, but you can use a name of your choice. If you do, all references to hashicorp-vault in this guide must be replaced with the new name.

In Onepoint, you need to create a Vault Backend pointing to your Hashicorp Vault instance.

  • In Onepoint, go to Settings > Encrypt String to encrypt the role_id (of the role created previously) and save the resulting value (copy and paste)
  • Go to Settings > Encrypt String to encrypt the secret_id (of the role created previously) and save the resulting value (copy and paste)

Encrypt String.png

Encrypt String 2.png


  • In Onepoint, go to Settings > Backends
  • Click New for creating a backend
  • Select type Vault Backend and class Hashicorp Vault
  • In the Parameters tab, set address to the Hashicorp Vault endpoint address, version to the KV secrets engine version (1 or 2, depending on which version you set up), mode to approle, encryption to full, and fill role_id and secret_id with the encrypted values generated in the first step of this section.

Encrypt String 3.png Performing credential discovery

  • Set hashicorp-vault Vault Backend as default Vault Backend in Onepoint. For this, access Settings > System Properties, and search for the property called system.default.backend.vault. Edit it and set it to hashicorp-vault.

Performing credential discovery

Set root permissions for group admin on Delegate, Managed, List and My credentials

Root Permissions on Delegate Credentials

1. Go to Vault > Delegate Credentials

2. Select hashicorp-vault on the top-right corner of Delegate Credentials box

Hashicorpvaultrootpermissions0.jpg

3. On the top-right corner of the Delegate Credentials box, click the gear icon and then click Root Permissions. The permissions dialog will open.

Hashicorpvaultrootpermissions1.jpg

4. Add a permission for admin group (Onepoint Directory backend) with all permissions

Hashicorpvaultrootpermissions2.jpg

Hashicorpvaultrootpermissions3.jpg

Root Permissions on Managed Credentials

1. Go to Vault > Managed Credentials

2. Select hashicorp-vault on the top-right corner of Managed Credentials box

Hashicorpvaultrootpermissions4.jpg

3. On the top-right corner of the Managed Credentials box, click the gear icon and then click Root Permissions. The permissions dialog will open.

Hashicorpvaultrootpermissions5.jpg

4. Add a permission for admin group (Onepoint Directory backend) with all permissions

Hashicorpvaultrootpermissions6.jpg

Hashicorpvaultrootpermissions7.jpg

Root Permissions on Credentials Lists

1. Go to Vault > Credentials Lists

2. Select hashicorp-vault on the top-right corner of Lists Credentials box

Hashicorpvaultrootpermissions8.jpg

3. On the top-right corner of the Lists Credentials box, click the gear icon and then click Root Permissions. The permissions dialog will open.

Hashicorpvaultrootpermissions9.jpg

4. Add a permission for admin group (Onepoint Directory backend) with all permissions

Hashicorpvaultrootpermissions10.jpg

Hashicorpvaultrootpermissions11.jpg

Root Permissions on My Credentials

1. Go to Vault > My Credentials

2. Select hashicorp-vault on the top-right corner of My Credentials box

Hashicorpvaultrootpermissions12.jpg

3. On the top-right corner of the My Credentials box, click the gear icon and then click Root Permissions. The permissions dialog will open.

Hashicorpvaultrootpermissions13.jpg

4. Add a permission for admin group (Onepoint Directory backend) with all permissions

Hashicorpvaultrootpermissions14.jpg

Hashicorpvaultrootpermissions15.jpg

Creating SSH key for onepoint user

 ]# passwd onepoint

Sshone.png


 ]# ssh onepoint@localhost

Sshone2.png


 ]$ ssh-keygen -t rsa -m PEM

Sshone3.png


 ]$ ssh-copy-id onepoint@localhost

Sshone4.png


 ]# passwd -d onepoint
   

Sshone5.png

Configuring Onepoint Worker Daemon

Onepoint Worker is in /usr/share/onepoint/onepoint-worker. To configure it, set the credentials in /usr/share/onepoint/onepoint-worker/cfg/config.json and put the startup script in root's crontab, like this:

 ]# crontab -e

Crontab1.png

 @reboot /usr/share/onepoint/onepoint-worker/start-onepoint-worker-su-30

Crontab2.png

You can start the service manually using

 ]# /usr/share/onepoint/onepoint-worker/start-onepoint-worker-su

Crontab3.png


And you can stop the service manually using

 ]# /usr/share/onepoint/onepoint-worker/stop-onepoint-worker

Crontab4.png

Finished

Now, Onepoint is ready. You can access it on http://<HOSTNAME>/onepoint

Links