Operating System Installation and Configuration

Base Operating System Installation

Perform a minimal OS installation of a recent RHEL6/7 or derivative Linux distribution, using your preferred installation method (manual install, Kickstart, etc). The details of how to perform this task are out of the scope of this document.

The system should have IP connectivity, using a fixed IP address and a resolvable fully qualified domain name. For performing the installation, the system needs to be able to establish outgoing TCP connections (mainly to download additional components).

Additionally, a local or remote MTA (e.g. Postfix or Sendmail) needs to be installed and configured so the system is capable of sending email.

Boot up the system and log in as the root user.

Enable Time Synchronization With NTP

We strongly advise that the clocks of all servers in a TeamDrive installation are synchronized using the Network Time Protocol (NTP). This can be achieved by installing the ntp package and enabling the NTP daemon:

[root@regserver install]# yum install ntp
[root@regserver install]# service ntpd start
[root@regserver install]# chkconfig ntpd on

Edit and update the configuration file /etc/ntp.conf, if necessary for your local environment.

Disable SELinux

The TeamDrive Registration Server currently can not be run when SELinux is enabled. Edit the file /etc/selinux/config and set SELINUX=disabled.

Reboot the system or change the SELinux enforcing mode at run time using the following command:

(CentOS 7)
[root@regserver install]# setenforce 0

Firewall Configuration

You should configure a local firewall so the server is protected against remote attacks. The only TCP ports that must be reachable from the Internet are 80 (http) and 443 (https). Optionally, port 22 (SSH) can be opened to facilitate remote administration, but access to this port should be restricted to known and trusted IP addresses or networks only.

On a minimal installation, you can install and use the text-based firewall configuration utility to enable access to the following services:

  • SSH
  • Secure WWW (HTTPS)
  • WWW (HTTP)

To configure the firewall, you need to run the following commands:

[root@regserver install]# yum install system-config-firewall-tui \
newt-python
[root@regserver install]# system-config-firewall-tui

Follow the instructions to configure the firewall. Enable additional protections based on your local requirements or security policies.

You can check the result with iptables -L:

[root@regserver ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

In case of using an external company firewall enable the above ports for the incoming traffic. For outgoing communication please enable:

  • Secure WWW (Port 443 for HTTPS)
  • WWW (Port 80 for HTTP)
  • SMTP (Port 25 for sending mails using a public mail server; in case of using SSL-communication to the mail server, also Ports 465, 587)
  • DNS Lookup (Port 53 for DNS communication with a public DNS server)

Installing MySQL Server

The TeamDrive Registration Server requires a MySQL database to store its information. This document assumes that the MySQL instance runs on the same host as the Registration Server itself, connecting to it via the local socket file.

Alternatively, it’s possible to use an external MySQL Server. In this case, you need to make sure that this external MySQL instance is reachable via TCP from the Registration Server (usually via TCP port 3306) and that the teamdrive MySQL user is defined correctly (e.g. the MySQL username in the remote database would become teamdrive@regserver.yourdomain.com instead of teamdrive@localhost).

Most MySQL installations usually do not allow the root user to log in from a remote host. In this case the installation script is unable to create the dedicated teamdrive user automatically and you need to perform this step manually before performing the installation of the TeamDrive Registration Server databases.

Especially the correct definition of the host part is critical, as MySQL considers username@regserver and username@regserver.yourdomain.com as two different users.

Note

Since CentOS 7 MySQL is no longer in CentOS’s repositories and MariaDB has become the default database system offered. We recommend installing the mysql community server instead. If you are installing on CentOS 7 then perform the following steps by downloading the MySQL 8.0 repository, but install the latest 5.6 MySQL version by disabling the 8.0 repository (due to changes in MySQL 5.7 and later, these versions are currently not supported):

yum localinstall https://dev.mysql.com/get/mysql80-community-release-el7-1.noarch.rpm
yum-config-manager --disable mysql80-community
yum-config-manager --enable mysql56-community
yum install mysql-community-server

For reliablility and performance reasons, we recommend placing the MySQL data directory /var/lib/mysql on a dedicated file system or storage volume.

Please start the MySQL server and tell systemd to start the service automatically at boot:

[root@regserver ~ ]# systemctl start mysqld.service
[root@regserver ~ ]# systemctl enable mysqld.service

Run the secure installation script and follow the recommendations. Make sure to create a password for the MySQL root user and take note of it:

[root@regserver ~ ]# mysql_secure_installation

Securing the MySQL server deployment.

Enter password for user root:

The existing password for the user account root has expired. Please set
a new password.

...

Answer all question with Y for:

  • Remove anonymous users?
  • Disallow root login remotely?
  • Remove test database and access to it?
  • Reload privilege tables now?

MySQL is now up and running. It will be populated with the required databases and tables during the Registration Server installation process.

Apache Setup and Configuration

The TeamDrive Clients use the HTTP protocol to communicate with the Registration Server. The Registration Server’s Administraion Console is based on the PHP scripting language; both are served by the Apache HTTP server.

Install the Apache HTTP Server and the mod_ssl Apache module by running the following command:

yum install httpd mod_ssl

For security reasons, we also advise to disable the so-called “Server Signature” - a feature that adds a line containing the server version and virtual host name to server-generated pages (e.g. internal error documents, directory listings, etc). Change the configuration in /etc/httpd/conf/httpd.conf as follows:

ServerSignature Off

By default, the server version and operating system is also displayed in the Server response header field, e.g. Server: Apache/2.4.6 (CentOS). To suppress this output, we suggest to update the ServerTokens option as follows:

ServerTokens Prod

The TeamDrive Registration Server only requires a few Apache modules to be enabled. To reduce the memory footprint, please deactivate unnecessary modules in the apache configuration.

Apache 2.4 (CentOS 7)

In the directory: /etc/httpd/conf.modules.d comment out all modules in the following config files. Using the linux stream editor (sed) with the following regular expression will add a ‘#’ comment sign in each line starting with ‘LoadModule’:

sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-dav.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-lua.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-proxy.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/01-cgi.conf

Edit /etc/httpd/conf.modules.d/00-base.conf and leave only the following modules enabled by adding a ‘#’ comment in front of all other modules:

LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule headers_module modules/mod_headers.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule version_module modules/mod_version.so

Configure mod_ssl

In order to facilitate access to the Registration Server’s API and initial setup screens via SSL, the following needs to be added to the end of the default <VirtualHost> section in /etc/httpd/conf.d/ssl.conf:

Include conf.d/td-regserver.httpd.conf.ssl
</VirtualHost>

Note

The Apache HTTP Server package includes a self-signed SSL certificate for testing purposes. If you connect to the server using a web browser, it will likely raise an error about an untrusted/insecure connection. You should consider replacing this certificate with an appropriate one.

Follow the instructions provided by your certificate authority on how to obtain and install an SSL certificate for the Apache HTTP Server.

Verify your SSL configuration using the service from SSL Labs: https://www.ssllabs.com/ssltest/analyze.html and make sure that the “Handshake Simulation” is working for current platforms and browser. The following ssl parameters for the apache web server will create an A-rating and make sure that the handshake is working for current platforms and browser:

SSLProtocol all -SSLv2 -SSLv3

SSLHonorCipherOrder on

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

PHP and PEAR framework

The Registration Server’s Admin Console requires PHP and the PEAR framework to enable a few additional PHP packages which are not available in RPM format.

CentOS 7 will be shipped with a not longer supported PHP 5.4 version. PHP only supports version 7.x. To install the latest version 7 add the two additional Remi and EPEL repositories and enable PHP 7.3.

For CentOS 7:

yum -y install epel-release
yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm -y
yum update

Please activate the PHP 7.3 version in the new repository:

yum-config-manager --enable remi-php73

If yum-config-manager can’t be found, install it with:

yum install yum-utils

Use the following commands to install the required PHP components:

yum install php php-pear php-mysqlnd.x86_64 php-mbstring
      yum install php-pear-MDB2-Driver-mysqli.noarch


pear channel-update pear.php.net
pear install HTTP_Request2 MDB2 MDB2_Driver_mysqli Log HTTP2

For compatibility reason for PHP 7.2 / 7.3 a newer MDB2 package is necessary:

pear upgrade MDB2-beta
pear install MDB2_Driver_mysqli-1.5.0b4

You can use pear list to get a list of installed PHP packages.

Finally, we need to change a few PHP-related configuration options. Please edit the /etc/php.ini file and change the following values:

expose_php = Off
max_execution_time = 900
max_input_time = 900
post_max_size = 55M
upload_max_filesize = 50M
memory_limit = 512M

Also uncomment and set the time zone setting according to your chosen time zone:

[Date]
; Defines the default timezone used by the date functions
; http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone
date.timezone = Europe/Berlin

Now create the following directory for storing the PHP session data:

install -d -o apache -g apache /var/lib/php/session

Warning

Do not start the Apache HTTP Server until you have concluded the Registration Server installation and you are ready to proceed with the Registration Server Setup!