Installing with Ubuntu and mySQL

This example is based on an instance of Ubuntu “Karmic Koala” 9.10. The desktop version of Ubuntu has been deliberately chosen over the server instance because of the graphical software and database management tools. Linux purists should be able to repeat this installation in a text-based environment if they so desire.

This example assumes that Ubuntu desktop has been successfully installed and the user “tomorrow” has been created with an appropriate password. It is also assumed that Ubuntu has been fully updated.

Installing Java and mySQL

Your system is required to have a database and Java installed. The following steps install JDK 6 and the mySQL database, along with the required JDBC driver and a management console for mySQL.

Log in as “tomorrow” and select System->Administration->Synaptic Package Manager.

When prompted for your password enter it then:

Search for “sun-java6-jdk” and mark it for installation if it is not already installed.

Note: As of version 10 of Ubuntu Linux, Sun Java has been moved to the partner repository.

So, to obtain Sun java on these versions, enter the following commands:

sudo add-apt-repository "deb http://archive.canonical.com/ lucid partner"
sudo apt-get update
sudo apt-get install sun-java6-jdk

Search for “mysql-server” and mark it for installation if it is not already installed.

Search for “gmysqlcc” and mark it for installation if it is not already installed (this is a graphical user interface to mySQL).

Search for “libmysql-java” and mark it for installation if it is not already installed (this is the mySQL JDBC driver).

Once they are all selected, click on apply. Follow the prompts to enable the package manager to download and install the products.

During installation of mySQL, you will be asked for a root password; this is separate from the password of the operating system's “root” user. Select a suitably strong password. You will need it later during the mySQL configuration.

Allowing “root” access for the installation

The next step in the install is to go against all of the advice of Linux sages and allow “root” login to the desktop. Ubuntu does not allow root access by default, but you need this capability to set the appliance to auto-start the servers and give them access to the protected TCP/IP ports below 1024 (specifically 80 and 443).

To do this, open a terminal window (Applications->Accessories->Terminal) and type:

sudo passwd root

This will prompt you first for your own password, then twice for a root (UNIX) password. Enter a password that is easy to remember, as you will remove it later in this section.

Note: Earlier versions of Ubuntu prevent the root user from logging in to the graphical environment. If you are using one of these versions, you will need to allow root access by selecting:

System->Administration->Login Window

You will be prompted for your password, then (after a sometimes LONG wait) the Login Window Preferences window will be presented. On the Security tab, check the box labeled Allow local system administrator login and click on Close.

“root” login is now possible. Log out the “tomorrow” user.

Getting the software ready

Log in as root (ignore any warning about being a privileged user) and prepare to install the software under the folder /opt/local.

Download and unzip (right click and select “Extract Here”) the distribution file (Tomorrow Software Server x.x.x.zip) in the /opt/local folder (create the local folder if necessary).

Next open a terminal window and create a symbolic link to the distribution as follows:

cd /opt/local
ln -s Tomorrow-Software-Server-x.x.x Tomorrow

The above is an example. You should replace x.x.x with your version number; the link name Tomorrow gives the /opt/local/Tomorrow path used in the remaining steps.

Setting the software to auto-start

Right click the file tomorrow.sh in /opt/local/Tomorrow/server/bin, select Properties, then the Permissions tab and make sure Execute is selected.

Copy the file tomorrowstart from /opt/local/Tomorrow/server/bin to /etc/init.d.

Right click the file, select Properties, then the Permissions tab and once again make sure Execute is selected.

Then enter the following commands in a terminal window (logged in as root).

cd /etc/init.d
update-rc.d tomorrowstart defaults

Note: On non-Debian based systems (such as RHEL) the commands to set up auto-start are instead:

cd /etc/init.d
chkconfig --add tomorrowstart

Configuring mySQL

For this part, you will need the root password for mySQL that was set during the mySQL installation. The first step is to open a terminal window and connect to your MySQL server:

mysql -u root -p

Enter the root password when prompted to get to the mySQL command prompt.

The first step is to set permissions for the local machine to access all databases. Start by connecting to the administrative database as follows:

use mysql;

Note that at the mySQL prompt, you can type parts of a command over multiple lines by pressing enter. It will not be executed until you include a semicolon to indicate that the command is complete.

To give localhost permission to access all local databases, enter the following command:

insert into host(host, db, select_priv, insert_priv, update_priv, delete_priv, create_priv, drop_priv) values('localhost','%','Y','Y','Y','Y','Y','Y');

The “%” sign used in this statement is a wildcard for all databases.

If you are setting up a central database for multiple hosts to share, you may wish to insert an entry for each additional host with access.

You can optionally choose to set up strong user security as well, but for most cases the one root user with a strong password will suffice.

Exit the mySQL command line by typing:

quit

You can now create any required databases from the terminal window using the following command: mysqladmin -u root -p create [database name]. For example, to create the commonly used HISTORY database, type:

mysqladmin -u root -p create HISTORY

After the prompt for the mySQL root password the database will be created.

Installing the JDBC driver

Next you must install the JDBC driver into the server installation. Do this by copying the file /usr/share/java/mysql-connector-java-x.x.x.jar (where x.x.x is the installed driver version) to the jdbc/mysql folder of the Composable Agentic Platform Server. The jdbc folder is found at:

/opt/local/Tomorrow/server/lib/ext/jdbc/

You will have to create the mysql subfolder before copying, then reboot the server to pick up all of the changes.

Verifying the installation

After the reboot, log back into the server as root. Type the following command:

netstat -tl

You will see a list of ports that are currently listening.

ubuntu@ip-172-31-23-9:~$ sudo netstat -tl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp        0      0 *:ssh         *:*             LISTEN
tcp6       0      0 [::]:9090     [::]:*          LISTEN
tcp6       0      0 [::]:9990     [::]:*          LISTEN
tcp6       0      0 [::]:9930     [::]:*          LISTEN
tcp6       0      0 [::]:9932     [::]:*          LISTEN
tcp6       0      0 [::]:9933     [::]:*          LISTEN
tcp6       0      0 [::]:9935     [::]:*          LISTEN
tcp6       0      0 [::]:http-alt [::]:*          LISTEN
tcp6       0      0 [::]:http     [::]:*          LISTEN
tcp6       0      0 [::]:ssh      [::]:*          LISTEN
tcp6       0      0 [::]:9944     [::]:*          LISTEN
tcp6       0      0 [::]:https    [::]:*          LISTEN

Provided all of the correct ports are listening as shown, start the Firefox browser.
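As an added check (example code, not part of the original guide), the following Python parses a `netstat -tl` listing and reports expected listeners that are missing as well as listeners the guide does not mention. The expected port set and the sample output are assumptions constructed from the listing above.

```python
"""Check a `netstat -tl` listing against the listeners the appliance should open."""

# netstat without -n prints names from /etc/services; normalise them to numbers.
SERVICE_PORTS = {"ssh": "22", "http": "80", "https": "443",
                 "http-alt": "8080", "mysql": "3306"}

# Listeners the appliance is expected to open (assumed from the guide's listing).
EXPECTED = {"22", "80", "443", "8080", "9090", "9990",
            "9930", "9932", "9933", "9935", "9944"}

# Constructed sample shaped like the guide's output, with several expected
# listeners absent and one listener (mysql, 3306) the guide does not mention.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp        0      0 *:ssh         *:*             LISTEN
tcp        0      0 localhost:mysql *:*           LISTEN
tcp6       0      0 [::]:9090     [::]:*          LISTEN
tcp6       0      0 [::]:http-alt [::]:*          LISTEN
tcp6       0      0 [::]:http     [::]:*          LISTEN
tcp6       0      0 [::]:https    [::]:*          LISTEN
"""


def listening_ports(netstat_text):
    """Return {port_number: local_address} for every TCP socket in LISTEN state."""
    ports = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the two header lines and anything that is not a listening TCP socket.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        ports[SERVICE_PORTS.get(port, port)] = addr
    return ports


def check_listeners(netstat_text, expected=EXPECTED):
    """Return (missing, unexpected): expected ports not open, and open ports not expected."""
    seen = listening_ports(netstat_text)
    missing = sorted(expected - seen.keys())
    unexpected = sorted(seen.keys() - expected)
    return missing, unexpected


if __name__ == "__main__":
    missing, unexpected = check_listeners(SAMPLE)
    print("missing:", missing)          # the 99xx ports the sample leaves out
    print("unexpected:", unexpected)    # ['3306']
```

Run it against the live output with `netstat -tl | python3 check_listeners.py` after swapping SAMPLE for `sys.stdin.read()`; an unexpected entry is worth explaining before the appliance goes into service.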

Accessing the console

To access the console, point the browser to http://localhost/console

You will be presented with the normal Composable Agentic Platform console screen. Log in as admin with the password admin.

Configuring the mySQL driver in the console

Once you are connected to the console, updating the mySQL database connector password is required. The settings should be as follows:

  • Driver Class: com.mysql.jdbc.Driver

  • Description: mySQL Driver

  • URL prefix: jdbc:mysql://127.0.0.1/

  • User ID: root

  • Password: [Your mySQL root password]

In the list of Composable Agentic Platform servers, click on Servers. It should show green status and be started.

To test the appliance, update the host setting/file on a separate system to point the protected server URL to the IP address of the appliance. Then access the protected server in a browser using that same URL. The site should function as normal.

Giving the “tomorrow” user permission to modify and manage files

You have now completed the setup and installation, and there is no longer any need to have root access on the system. You can log out and log in as “tomorrow” to complete this section.

From time to time you may wish to look at files or change configurations. However, the files used by the appliance are owned by root, so you will need to use this little trick:

Press Alt-F2 and at the command line type:

gksudo nautilus

After entering your password, a file browser will open that essentially has root privileges. You can now use this to browse for the files you wish to view or maintain without the need to log in specifically as root.

Installing a valid SSL certificate

Since the built-in forwarding proxy is generally placed as a frontline component, it must serve up the proper SSL certificate for the site. Depending on the Certificate Authority you are using to obtain your certificate, instructions may vary slightly. The underlying application server used by the built-in forwarding proxy is “Jetty”, and its website has excellent, though very generic, instructions on how to install a certificate.

As an example, here are the instructions based on a certificate obtained from RapidSSL, using the popular openssl program to manage our certificates and then the keytool from the Sun JRE to import the certificate into a keystore for Jetty to use.

Note: These instructions are generic and apply to all operating systems. OpenSSL is available as a free download for many platforms including Linux and Windows.

To make these instructions work on non-linux platforms, you may have to add path variables or make other changes to ensure that you can execute the relevant programs.

Converting from .key and .crt files to a PKCS12 certificate

Convert the key and crt file returned by RapidSSL into a .pkcs12 file using the following command (replacing my_ssl_com.* with appropriate file names):

openssl pkcs12 -inkey my_ssl_com.key -in my_ssl_com.crt -export -out my_ssl_com.pkcs12

Supply an easy to remember password.

Importing a PKCS12 certificate into a Jetty keystore

Change directory to /opt/local/Tomorrow/server/lib and execute the following command (supply the proper path to the my_ssl_com.pkcs12 file or copy it temporarily into the same folder):

keytool -importkeystore -srckeystore my_ssl_com.pkcs12 -srcstoretype pkcs12 -srcstorepass [your password] -destkeystore keystore -deststoretype jks -deststorepass [your password]

When supplying passwords, make them the same as the password used in the previous step.

Installing the keystore

You will have a new file named keystore, copy this to /opt/local/Tomorrow/server/etc replacing the existing file.

Obfuscating the passwords

If your server is in an unsecured location or many people have access to it physically, you may wish to obfuscate the password so that it is not readily readable from the configuration files. You can do this by using the following command:

java -classpath jetty-util-7.6.3.v20120416.jar:jetty-http-7.6.3.v20120416.jar org.eclipse.jetty.http.security.Password [your password]

You will be provided with an obfuscated password.
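The OBF: form that the Password class prints is a reversible encoding, not encryption: anyone who can read jetty-ssl-context.xml can recover the clear text, so file permissions on the etc folder still matter. The following Python re-implementation of the scheme (added here as an example; it is not Jetty's own code) shows both directions for ASCII passwords; Jetty's separate "U"-prefixed encoding for non-ASCII bytes is not reproduced.

```python
"""Jetty "OBF:" password obfuscation, re-implemented for illustration (ASCII only)."""

BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n):
    """Render a non-negative integer in lowercase base 36, as Integer.toString(n, 36) does."""
    digits = ""
    while True:
        n, r = divmod(n, 36)
        digits = BASE36[r] + digits
        if n == 0:
            return digits


def obfuscate(password):
    """Encode each byte together with its mirror byte into a 4-char base-36 group."""
    raw = password.encode("ascii")  # non-ASCII uses a different form, rejected here
    groups = []
    n = len(raw)
    for i in range(n):
        b1, b2 = raw[i], raw[n - 1 - i]
        i1 = 127 + b1 + b2           # sum channel
        i2 = 127 + b1 - b2           # difference channel (always 0..254)
        groups.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "OBF:" + "".join(groups)


def deobfuscate(obf):
    """Invert obfuscate(): (i1 + i2 - 254) / 2 gives back the original byte."""
    if obf.startswith("OBF:"):
        obf = obf[4:]
    if "U" in obf or len(obf) % 4:
        raise ValueError("non-ASCII or malformed OBF string")
    raw = bytearray()
    for k in range(0, len(obf), 4):
        i1, i2 = divmod(int(obf[k:k + 4], 36), 256)
        raw.append((i1 + i2 - 254) // 2)
    return raw.decode("ascii")


if __name__ == "__main__":
    # Constructed sample value; the Jetty tool prints the same string for "password".
    token = obfuscate("password")
    print(token)                       # OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
    print(deobfuscate(token))          # password
```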

Changing the configuration to accept the certificate

Edit the file /opt/local/Tomorrow/server/etc/jetty-ssl-context.xml and set the sslContextFactory values for KeyStorePassword, KeyManagerPassword and TrustStorePassword to the password you entered when creating the PKCS12 file (or to the obfuscated form obtained in the optional obfuscation step).

Note: To set an obfuscated password in this step, it must begin with “OBF:”. To set a clear text password, simply enter it.

Managing Cipher Suite selection via Excludes / Includes list

If a vulnerability is discovered in the cipher suites used by Jetty, or if specific cipher suites are considered too weak, you have the ability to exclude them during Jetty startup. Similarly, you can also include cipher suites that you do require that are not enabled by default. Jetty provides a mechanism that lets you enable and disable the cipher suites for a specific SSL connector during Jetty startup.

The Jetty SslContextFactory is responsible for:

  • Managing Keystore Access

  • Truststore Access

  • Managing Protocol selection via Excludes / Includes list

  • Managing Cipher Suite selection via Excludes / Includes list

  • Managing order of Ciphers offered (important for TLS/1.2 and HTTP/2 support)

  • and other properties…

The Jetty SslContextFactory configuration can be changed by editing the jetty-ssl-context.xml file found in subfolder server/etc.

More information about Jetty SslContextFactory can be found here:

https://www.eclipse.org/jetty/documentation/jetty-9/index.html#configuring-sslcontextfactory

Verifying the SSL security level

If you are concerned about the level of SSL protection afforded by your site, you can perform an online scan of your site. The following websites provide an online report of the analysis and configuration of any SSL web server on the public Internet.

  • https://observatory.mozilla.org/

  • https://www.ssllabs.com/ssltest/

Please note: Receiving a low score is not necessarily a bad thing. It depends on what your site is being used for and who is using it. Often a vulnerability will be flagged due to the possibility that the end user may be using a really old browser that is unable to select a high-end cipher. If you know what infrastructure your users are using and what browsers they have deployed, that may negate some of the cipher selection process.

Disabling “root” access

You can disable the “root” login using the following command:

sudo passwd -l root

You can subsequently undo this action by typing:

sudo passwd -u root
