Difference between revisions of "Installing Onepoint on CentOS 7 with Hashicorp Vault"

From Onepoint Systems Integration
(Create a Vault Backend of class Hashicorp Vault and set it as default Vault Backend)
Revision as of 16:06, 14 April 2020

Other Required Repositories

The following repositories are required for installing Onepoint. Please make sure they are enabled once installed (property enabled=1 in the respective /etc/yum.repos.d/REPONAME.repo repository file).

Hashicorp Vault

Vault is a secret store that also works as a Vault Backend for Onepoint.

Enabling kv secret/ for storing credentials

For Onepoint to store credentials in Hashicorp Vault, you must enable a version 1 or version 2 kv secrets engine in Hashicorp Vault. It must be mounted under the secret/ path.

Choose one of the options below, depending on whether you want or already have a version 1 or version 2 kv secrets engine.

  • For enabling a version 2 kv secrets engine on Hashicorp Vault, execute this command:
 $ vault secrets enable -version=2 -path=secret kv
  • For enabling a version 1 kv secrets engine on Hashicorp Vault, execute this command:
 $ vault secrets enable -path=secret kv

Later, when configuring Onepoint, you can specify KV version in the Onepoint backend configuration.

Create secret-full policy for full access to secrets

 Note: In this guide, we are using secret-full as the name of the policy, but you can use a name of your choice. If you do, all references to secret-full in this guide must be replaced with the new name.

In Hashicorp Vault, create a policy named secret-full, with the following code:

 path "secret/*" {
   capabilities = ["create", "delete", "read", "update", "list"]
 }

Enabling auth AppRole

For Onepoint to log in to Hashicorp Vault, the AppRole authentication backend must be enabled on Hashicorp Vault. For more information about the AppRole auth backend, see AppRole Auth Method.

Logged in with the root token or a token carrying the root policy, perform the following steps:

  1. Enable AppRole (if it isn't already enabled):
 $ vault auth enable approle
  2. Create a role in Vault without setting secret_id_ttl, secret_id_num_uses or token_num_uses:
 Note: In this guide, we are using secret-role as the name of the role, but you can use a name of your choice. If you do, all references to secret-role in this guide must be replaced with the new name.
 $ vault write auth/approle/role/secret-role \
   token_ttl=20m \
   token_max_ttl=30m \
   policies="default,secret-full"
  3. Get the role ID for configuring Onepoint (the value shown is an example; yours will differ):
 $ vault read auth/approle/role/secret-role/role-id
 role_id     db02de05-fa39-4855-059b-67221c5c2f63
  4. Generate a secret ID for configuring Onepoint (again, the values shown are examples):
 $ vault write -f auth/approle/role/secret-role/secret-id
 secret_id               6a174c20-f6de-a53c-74d2-6018fcceff64
 secret_id_accessor      c454f7e5-996e-7230-6074-6ef26b7bcf86
  5. Save the role_id and secret_id obtained in the previous two steps for configuring Onepoint later.
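The login and read flow this role is prepared for, as an added example that is not part of the Onepoint guide or the project's code: it uses only Python's standard library, takes the secret mount and the AppRole endpoint from the guide, and the key name onepoint/db, the token string and fake_vault's secret values are constructed so that it runs offline. It also shows why the Onepoint backend needs the KV version: v1 and v2 engines are read at different paths and return differently shaped responses.

```python
# Added example, not the Onepoint guide's or project's code: the AppRole login
# and KV read an Onepoint backend performs, using only the standard library.
# Mount "secret" follows the guide; "onepoint/db" and fake_vault are constructed.
import io
import json
import urllib.request

def kv_read_path(key, version, mount="secret"):
    """KV v1 reads <mount>/<key>, KV v2 <mount>/data/<key>: why the Onepoint
    backend config needs a 'version' parameter."""
    if version not in (1, 2):
        raise ValueError("KV version must be 1 or 2")
    return f"{mount}/{key}" if version == 1 else f"{mount}/data/{key}"

def kv_secret_data(body, version):
    """Unwrap a read response: v1 carries the secret in .data, v2 in .data.data."""
    return body["data"]["data"] if version == 2 else body["data"]

def approle_login(addr, role_id, secret_id, opener=urllib.request.urlopen):
    """POST role_id and secret_id to auth/approle/login; return the client token."""
    req = urllib.request.Request(
        f"{addr}/v1/auth/approle/login",
        data=json.dumps({"role_id": role_id, "secret_id": secret_id}).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with opener(req) as resp:
        return json.load(resp)["auth"]["client_token"]

def read_secret(addr, token, key, version, opener=urllib.request.urlopen):
    """GET the secret at the version-appropriate path using the Vault token."""
    req = urllib.request.Request(f"{addr}/v1/{kv_read_path(key, version)}",
                                 headers={"X-Vault-Token": token})
    with opener(req) as resp:
        return kv_secret_data(json.load(resp), version)

SECRET = {"username": "onepoint", "password": "constructed-example"}  # constructed
def fake_vault(version):
    """Constructed stand-in for the two Vault endpoints, in v1 or v2 response shape."""
    def opener(req):
        path = req.full_url.split("/v1/", 1)[1]
        if path == "auth/approle/login":
            creds = json.loads(req.data)
            assert creds.get("role_id") and creds.get("secret_id"), "missing ids"
            body = {"auth": {"client_token": "s.fake-token"}}
        else:  # only the expected path, and only with the issued token
            assert path == kv_read_path("onepoint/db", version), f"denied: {path}"
            assert req.get_header("X-vault-token") == "s.fake-token", "bad token"
            body = {"data": {"data": SECRET} if version == 2 else SECRET}
        return io.BytesIO(json.dumps(body).encode())
    return opener
```

Against a real server, pass the Vault address and the role_id and secret_id from the steps above and leave `opener` at its default; a v1 path sent to a v2 engine (or vice versa) is rejected, which is the symptom of a wrong version setting in the backend.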

MariaDB

First, make sure MariaDB (packages mariadb and mariadb-server) is installed on the system. If you want to use an external MariaDB database for the installation, this step is not required. You will need to create an empty database for installing Onepoint (for example, the database onepoint).

 Tip: Make sure TCP/IP access (bind-address) is enabled for MariaDB / MySQL.

You also need a database created on MariaDB to host Onepoint. If you don't have one, you will need to create one. The default name is onepoint, but you can change it as needed and then reflect the change in the database configuration step.

For creating the database, assuming the database name onepoint:

 mysql> create database onepoint;

Apache Web Server

You will need the Apache Web Server installed on the system for installing Onepoint. You can install it by running the following command:

 ]# yum install httpd

PHP

You will need PHP 7.2 or higher to install Onepoint. You'll need to install the following packages:

  • php72-php
  • php72-php-common
  • php72-php-bz2
  • php72-php-curl
  • php72-php-ldap
  • php72-php-gd
  • php72-php-gmp
  • php72-php-imap
  • php72-php-mbstring
  • php72-php-mcrypt
  • php72-php-soap
  • php72-php-mysqlnd
  • php72-php-xml
  • php72-php-zip
  • php72-php-json

You can install them running the following command (once Remi is installed):

 ]# yum install php72-php php72-php-common php72-php-bz2 php72-php-curl php72-php-ldap php72-php-gd php72-php-gmp php72-php-imap php72-php-mbstring php72-php-mcrypt php72-php-soap php72-php-mysqlnd php72-php-xml php72-php-zip php72-php-json

Python

You will need Python 2.7. You'll need to install the following packages:

  • python
  • python-pip
  • python-requests
  • python-ldap
  • python-paramiko

You can install them running the following command:

 ]# yum install python-pip python-requests python-ldap python-paramiko

Other Libraries

You will need to install the following libraries:

  • curlpp
  • libssh
  • json-c
  • jsoncpp

curlpp is installed, together with curl, from the EPEL 6 package by running the following command:

 ]# yum install curl http://download-ib01.fedoraproject.org/pub/epel/6/x86_64/Packages/c/curlpp-0.7.3-5.el6.x86_64.rpm

You can install the remaining libraries by running the following command:

 ]# yum install libssh json-c jsoncpp

Other tools

  • psutils
  • psmisc
  • telnet (Client)
  • SSH Server (openssh-server)
  • SSH Client (openssh-clients)

You can install them by running the following command:

 ]# yum install psutils psmisc telnet openssh-server openssh-clients

Install Onepoint

Install the repository for your operating system version below. After this, install the onepoint package, through yum:

 ]# yum install http://repo.onepoint.net.br/yum/centos/repo/onepoint-repo-0.1-1centos.noarch.rpm
 ]# yum install onepoint

Configure Database Parameters

Database parameters are on /usr/share/onepoint/onepoint/application/config/database.php. Use your favorite text editor to specify them.

Initialize Onepoint Database

Run the setup script, accessing http://<HOSTNAME>/onepoint/ui/setup.

Create a Vault Backend of class Hashicorp Vault and set it as default Vault Backend

 Note: In this guide, we are using hashicorp-vault as the name of the vault backend, but you can use a name of your choice. If you do, all references to hashicorp-vault in this guide must be replaced with the new name.

In Onepoint, you need to create a Vault Backend pointing to your Hashicorp Vault instance.

  • In Onepoint, go to Settings > Encrypt String for encrypting role_id (for role created previously) and save the resulting value (copy and paste)
  • Go to Settings > Encrypt String for encrypting secret_id (for role created previously) and save the resulting value (copy and paste)
  • In Onepoint, go to Settings > Backends
  • Click New for creating a backend
  • Select type Vault Backend and class Hashicorp Vault
  • In the Parameters tab, set address to the Hashicorp Vault endpoint address, version to the KV secrets engine version (1 or 2, depending on which version you set up), mode to approle, encryption to full, and fill role_id and secret_id with the encrypted values generated in the first two steps of this section.
  • Set the hashicorp-vault Vault Backend as the default Vault Backend in Onepoint. For this, access Settings > System Properties and search for the property called system.default.backend.vault. Edit it and set it to hashicorp-vault.

Performing credential discovery

Configuring Onepoint Worker Daemon

Onepoint Worker is in /usr/share/onepoint/onepoint-worker. To configure it, set the credentials in /usr/share/onepoint/onepoint-worker/cfg/config.json, and add the startup script to root's crontab, like this:

 @reboot /usr/share/onepoint/onepoint-worker/start-onepoint-worker-su-30

You can start the service manually using

 ]# /usr/share/onepoint/onepoint-worker/start-onepoint-worker-su

And you can stop the service manually using

 ]# /usr/share/onepoint/onepoint-worker/stop-onepoint-worker

Finished

Now, Onepoint is ready. You can access it on http://<HOSTNAME>/onepoint

Links