Deployment on client OS, using RPMs
1) Introduction
This document contains the deployment instructions for installing VeridiumID server. In the following sections, we will present in detail the installation procedure and present the packages that will be required during said procedure.
Packages can be downloaded from here:
1.1) Type of nodes
In the following lines we will use three specific terms to describe the virtual machines used during the deployment procedure:
Ansible/Deployment node
This node will be used as the central node from which the installation/configuration will take place.
Webapp node
This type of node will be used in order to deploy WEB layer packages (for example: web applications and load balancers).
Persistence node
This type of node will be used in order to deploy data layer packages (for example: database solutions, configuration managers).
2) Prerequisites - RPM installation
This section lists the packages provided by VeridiumID and gives details regarding the installation procedure.
2.1) Requirements for VeridiumID
The following packages must be installed from the official repositories before VeridiumID can be used; run the following command as root:
yum -y install apr-devel openssl-devel libstdc++-devel curl unzip wget zlib zlib-devel nc openssh-clients perl rsync libtalloc perl-DBI
*On RHEL, make sure the subscription is activated:
sudo subscription-manager repos --enable=rhel-7-server-rpms --enable=rhel-7-server-extras-rpms --enable=rhel-7-server-optional-rpms
The following requirements must be available on all nodes:
VeridiumID requires OpenJDK 8 latest release and rng-tools to provide entropy to the system.
yum -y install java-1.8.0-openjdk
yum -y install rng-tools
systemctl enable rngd
systemctl start rngd
Disable IPv6 on all nodes:
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
VeridiumID nodes must have SELinux DISABLED or permissive during the deployment; after the deployment, it can be turned back on:
setenforce 0
2.2.1) Layout RPMs
Packages can be found in veridium-installer-9.1.28.zip. Unzip this file and go to the package folder. Transfer the RPMs to the machines according to the instructions below.
VeridiumID provides layout packages that create the default paths on the operating system and the users that will be needed during the configuration phase.
All users, groups and default paths are created by installing the following packages. Please DO NOT CREATE the veridiumid user, as it is created automatically.
Package name | Install on node | Description |
---|---|---|
veridiumid_veridium-layout-9.1.28-20231017.x86_64 | All nodes (Webapp, Persistence, Ansible) | Creates the veridiumid user and default paths |
veridiumid_veridium-layout-users-webapp-9.1.28-20231017.x86_64 | Webapp nodes | Creates the webapp users |
veridiumid_veridium-layout-users-persistance-9.1.28-20231017.x86_64 | Persistence nodes | Creates the persistence users |
veridiumid_python-3.6.8-20231017.x86_64 | All nodes (Webapp, Persistence, Ansible) | VeridiumID Python 3 package |
## WEBAPP
yum -y --disablerepo=* localinstall veridiumid_veridium-layout-9.1.28-20231017.x86_64.rpm veridiumid_veridium-layout-users-webapp-9.1.28-20231017.x86_64.rpm veridiumid_python-3.6.8-20231017.x86_64.rpm
## PERSISTENCE
yum -y --disablerepo=* localinstall veridiumid_veridium-layout-9.1.28-20231017.x86_64.rpm veridiumid_veridium-layout-users-persistance-9.1.28-20231017.x86_64.rpm veridiumid_python-3.6.8-20231017.x86_64.rpm
Add the veridiumid user to sudoers on the Webapp and Persistence nodes. Add the following line to /etc/sudoers by running visudo:
veridiumid ALL=(ALL) NOPASSWD: ALL
Please add the following rule for HAProxy logging (as root) on the Webapp nodes:
chcon -R -t httpd_sys_rw_content_t /vid-app/dyn/logs/haproxy
Also, run the following command (as root) in order to permit rsyslog logging:
semanage permissive -a syslogd_t
For the backup disk, make sure the directory has the correct permissions after mounting it. To set the permissions, run the commands below as root (these permissions are granted when the packages are installed).
The default backup directory is the following: /vid-app
We recommend mounting the second disk on the path above. To mount the disk, run the following commands as the root user:
mount DISK_PATH /vid-app/dyn/backup
chown -R veridiumid:veridiumid /vid-app/dyn/backup
chmod -R 770 /vid-app/dyn/backup
Where DISK_PATH is the full path of the second disk connected to the machine, for example: /dev/sdb
Ensure that the Deployment node has SSH access to all other nodes using SSH keys and the veridiumid user (the veridiumid user is created by the packages above).
The VeridiumID Python package contains the following packages (listed here in case the VeridiumID Python package cannot be installed):
Python-3.6.8, setuptools-40.0.0, dnspython-1.16.0, pem-20.1.0, python3-pythondialog-3.5.1, urllib3-1.25.9, ansible-2.9.10, ansible-vault-1.2.0, asn1crypto-1.4.0, bcrypt-3.2.0, cryptography-2.9.2, Jinja2-2.11.2, kazoo-2.1, MarkupSafe-1.1.1, paramiko-2.7.2, pexpect-4.8.0, ptyprocess-0.7.0, pycrypto-2.6.1, PyYAML-5.3.1, six-1.15.0, cffi-1.14.4, pycparser-2.20, pyparsing-2.4.7, gnureadline-8.0.0, pyOpenSSL-19.1.0, semantic_version-2.8.5, rpm-0.0.2, rpm-py-installer-1.1.0, pip-21.0.1, selinux-0.2.1, cassandra-driver-3.25.0, kafka-python-2.0.2, click-8.0.4, geomet-0.2.1.post1, importlib_metadata-4.8.3, typing_extensions-4.1.1, zipp-3.6.0, PyNaCl-1.5.0
After the layout packages have been installed, you can proceed to mount your second drive on /vid-app/dyn/backup.
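The prerequisites above are easy to miss on one node of a multi-node deployment. The following preflight script is an added example (not part of the VeridiumID installer) that verifies each of them on a node: OpenJDK 8 as the default java, rngd running, IPv6 disabled, SELinux not enforcing, the veridiumid user present with the NOPASSWD sudo rule, and /vid-app/dyn/backup owned by veridiumid with mode 770. The check_* functions take their input as arguments so they can be exercised offline; run_preflight feeds them the live values.

```shell
#!/bin/sh
# Preflight check for the node prerequisites in sections 2.1 and 2.2.1.
# Added example, not part of the VeridiumID installer.

# $1: output of `java -version 2>&1`; passes only for an OpenJDK 1.8 runtime.
check_java() {
  printf '%s\n' "$1" | grep -q '^openjdk version "1\.8\.'
}

# $1/$2: values of net.ipv6.conf.all.disable_ipv6 and ...default.disable_ipv6.
check_ipv6_disabled() {
  [ "$1" = "1" ] && [ "$2" = "1" ]
}

# $1: output of getenforce; Enforcing must be turned off during deployment.
check_selinux() {
  case "$1" in Permissive|Disabled) return 0 ;; *) return 1 ;; esac
}

# $1: contents of /etc/sudoers; looks for the exact line the guide adds via visudo.
check_sudoers() {
  printf '%s\n' "$1" |
    grep -Eq '^veridiumid[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD:[[:space:]]*ALL[[:space:]]*$'
}

# $1: "owner:group" of the backup dir, $2: its octal mode (stat -c %U:%G / %a).
check_backup_dir() {
  [ "$1" = "veridiumid:veridiumid" ] && [ "$2" = "770" ]
}

# Run every check against this host; prints one line per failure, returns 1 if any failed.
run_preflight() {
  rc=0
  fail() { echo "FAIL: $1"; rc=1; }
  check_java "$(java -version 2>&1)" || fail "OpenJDK 8 is not the default java"
  systemctl is-active --quiet rngd || fail "rngd is not running"
  check_ipv6_disabled "$(sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null)" \
    "$(sysctl -n net.ipv6.conf.default.disable_ipv6 2>/dev/null)" || fail "IPv6 is still enabled"
  check_selinux "$(getenforce 2>/dev/null)" || fail "SELinux is enforcing (or getenforce is unavailable)"
  id veridiumid >/dev/null 2>&1 || fail "veridiumid user is missing (install the layout RPMs)"
  check_sudoers "$(sudo -n cat /etc/sudoers 2>/dev/null)" || fail "veridiumid has no NOPASSWD sudo rule"
  check_backup_dir "$(stat -c %U:%G /vid-app/dyn/backup 2>/dev/null)" \
    "$(stat -c %a /vid-app/dyn/backup 2>/dev/null)" || fail "/vid-app/dyn/backup is not veridiumid:veridiumid 770"
  return $rc
}

# Run the live checks only when invoked as `sh preflight.sh --run`.
case "${1:-}" in --run) run_preflight ;; esac
```

Run it as root (or as veridiumid with the sudo rule in place) on every Webapp and Persistence node before transferring the VeridiumID RPMs.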
2.2.2) VeridiumID RPMs list
Package name | Target node | Description |
---|---|---|
veridiumid_apache-tomcat-9.0.70-20231017.x86_64 | Webapp node | Apache Tomcat server |
veridiumid_haproxy-2.6.13-20231017.x86_64 | Webapp node | HaProxy load balancer |
veridiumid_shibboleth-idp-9.1.28-20231017.x86_64 | Webapp node | Shibboleth SAML Identity provider |
veridiumid_vclibs-1.1-20231017.x86_64 | Webapp node | VeridiumID Visual Crypto library |
veridiumid_4fidlibs-5.4.8-20231017.x86_64 | Webapp node | VeridiumID 4F biometric library |
veridiumid_vfacelibs-4.1.3-20231017.x86_64 | Webapp node | VeridiumID Vface biometric library |
veridiumid_ADS-9.1.28-20231017.x86_64 | Webapp node | VeridiumID Directory service integration |
veridiumid_dmz-9.1.28-20231017.x86_64 | Webapp node | VeridiumID DMZ component |
veridiumid_websec-9.1.28-20231017.x86_64 | Webapp node | VeridiumID Websec component |
veridiumid_websecadmin-9.1.28-20231017.x86_64 | Webapp node | VeridiumID Administration Dashboard |
veridiumid_statistics-9.1.28-20231017.x86_64 | Webapp node | VeridiumID Statistics module |
veridiumid_fido-9.1.28-20231017.x86_64 | Webapp node | VeridiumID Fido component |
veridiumid_freeradius-9.1.28-20231017.x86_64 | Webapp node | FreeRadius server |
veridiumid_selfservice-9.1.28-20231017.x86_64 | Webapp node | VeridiumID Self Service Portal |
veridiumid_notifications-9.1.28-20231017.x86_64 | Webapp node | VeridiumID Notifications component |
veridiumid_opa-9.1.28-20231017.x86_64 | Webapp node | Open Policy Agent service |
veridiumid_zookeeper-3.8.1-20231017.x86_64 | Persistence node | Apache Zookeeper configuration manager server |
veridiumid_apache-cassandra-4.0.9-20231017.x86_64 | Persistence node | Apache Cassandra database |
veridiumid_kafka-2.11-20231017.x86_64 | Persistence node | Kafka server |
veridiumid_data-retention-9.1.28-20231017.x86_64 | Persistence node | VeridiumID Data Retention module |
## WEBAPP
yum -y --disablerepo=* localinstall veridiumid_apache-tomcat-9.0.70-20231017.x86_64.rpm veridiumid_haproxy-2.6.13-20231017.x86_64.rpm veridiumid_shibboleth-idp-9.1.28-20231017.x86_64.rpm veridiumid_vclibs-1.1-20231017.x86_64.rpm veridiumid_4fidlibs-5.4.8-20231017.x86_64.rpm veridiumid_vfacelibs-4.1.3-20231017.x86_64.rpm veridiumid_ADS-9.1.28-20231017.x86_64.rpm veridiumid_dmz-9.1.28-20231017.x86_64.rpm veridiumid_websec-9.1.28-20231017.x86_64.rpm veridiumid_websecadmin-9.1.28-20231017.x86_64.rpm veridiumid_statistics-9.1.28-20231017.x86_64.rpm veridiumid_fido-9.1.28-20231017.x86_64.rpm veridiumid_freeradius-9.1.28-20231017.x86_64.rpm veridiumid_selfservice-9.1.28-20231017.x86_64.rpm veridiumid_notifications-9.1.28-20231017.x86_64.rpm veridiumid_opa-9.1.28-20231017.x86_64.rpm
## PERSISTENCE
yum -y --disablerepo=* localinstall veridiumid_zookeeper-3.8.1-20231017.x86_64.rpm veridiumid_apache-cassandra-4.0.9-20231017.x86_64.rpm veridiumid_kafka-2.11-20231017.x86_64.rpm veridiumid_data-retention-9.1.28-20231017.x86_64.rpm
3) Ansible configuration
Download vid-ansible-8.2.7.zip, transfer it over scp to the Deployment node and unzip it in the deployment directory (e.g. /home/veridiumid).
After finishing the installation of the packages listed above on their designated nodes, connect to the Ansible node in order to start the configuration.
The following variable is used in the steps below:
Variable | Description |
---|---|
$ANSIBLE_PATH | The full path of the vid_ansible directory, where the Ansible scripts are located |
Where ANSIBLE_PATH=/home/veridiumid/vid_ansible
3.1) Create an SSH key for the veridiumid user
Log in as the veridiumid user on the Ansible node and run the following command to generate a new SSH key:
ssh-keygen
After the key has been generated, copy the contents of /home/veridiumid/.ssh/id_rsa.pub and add them to the /home/veridiumid/.ssh/authorized_keys file on all other nodes.
Test the SSH connectivity between the Ansible node and all other nodes.
3.2) Setup environment hosts
The environment hosts file describes the structure of the deployment. In this file, for each Ansible role, the user provides the IP address(es) of the node(s).
Moreover, in order to work properly, the inventory requires the path of a Python executable, which needs to be included in the environment hosts file.
For our deployment, the default path is: /usr/bin/python3 (provided by the VeridiumID Python package).
To configure this file, edit the following: $ANSIBLE_PATH/environments_hosts/inventory
For multi-node deployments, you will also need to alter the IP addresses in $ANSIBLE_PATH/environments_hosts/inventory using the guiding information already there.
3.3) Ansible configuration file
No changes should be made to this file.
The Ansible configuration file ($ANSIBLE_PATH/ansible.cfg) contains the following variables:
Variable | Default value | Description |
---|---|---|
remote_user | veridiumid | The user that will be used by Ansible for SSH connections to target nodes |
private_key_file | ~/.ssh/id_rsa | Path to the SSH key used to connect to target nodes |
ask_pass | false | If the user will be asked for an SSH password when connecting to target nodes |
ask_sudo_pass | false | If the user will be asked for a password when using sudo commands |
library | library | Path, relative to ANSIBLE_PATH, of the folder containing the proprietary VeridiumID Python modules |
deprecation_warnings | false | Configuration used to disable deprecation log messages |
command_warnings | false | Configuration used to disable Ansible log command messages |
system_warnings | false | Configuration used to disable Ansible log of system warnings. |
display_skipped_hosts | false | Configuration used to disable Ansible log of skipped hosts |
remote_tmp | /tmp | Path of temporary folder used by Ansible |
vault_password_file | ./pass.txt | Path of password file that will be used for Ansible Vault encryptions |
callback_plugins | ./plugins/callback | Path to Ansible callbacks |
stdout_callback | skippy | Name of callback used for disabling log of tasks that are not executed by Ansible, during an inventory play |
fact_path | ~/Veridium/veridiumid-devops/veridium-devops/vid_ansible/ | This is not used |
3.4) Create the password file
In the list above we have set the value of vault_password_file. This file is used by Ansible Vault when encrypting the CA certificates.
To create this file, use the following command:
echo "PASSWORD" > $ANSIBLE_PATH/pass.txt
Where PASSWORD is a random password string selected for this installation.
3.5) Setup VeridiumID system configuration parameters
The default variable file used by Ansible is the following: $ANSIBLE_PATH/mandatory_vars.yml
Variable | Default value | Description |
---|---|---|
HAPROXY_SNI | False | Set HAPROXY_SNI to False for Ports Deployment or to True for SNI deployment |
JAVA_HOME | /usr/java/jdk1.8.0_172-amd64 | The path of the installed JAVA version (example /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.x86_64/jre) |
DATACENTER_TAG | DC1 | The name used for the Cassandra datacenter |
HAPROXY_MODE | SECONDARY | SECONDARY should be used, PRIMARY is for internal tests |
REVERSE_PROXY | False | False should be used, true is for internal tests |
ROOT_ACCESS | False | If the root user will be used by the Ansible script |
DEFAULT_SERVICE | True | If we are using the default service: bash command example: service SERVICE_NAME stop/start |
PRIVILEGE_ESCALATION | True | If the user can gain root privileges |
ENVIRONMENT | test | The environment name (should be lower case) |
DOMAIN_NAME | | The environment’s domain name (should be lower case) |
LDAP_URL | ldap://127.0.0.1:389 | LDAP URL; leave the default value, it is only used for internal tests |
LDAP_CREDENTIALS_PASSWORD | default | The LDAP user password; leave the default value, it is only used for internal tests |
LDAP_SECURITY_PROTOCOL | plain | The LDAP security protocol; leave the default value, it is only used for internal tests |
LDAP_CREDENTIALS_USERNAME | Administrator@test.local | The LDAP user; leave the default value, it is only used for internal tests |
LDAP_BASE_DN | DC=test,DC=local | The LDAP connection’s base DN; leave the default value, it is only used for internal tests |
TOMCAT_RAM | 2g | The memory limit for Tomcat service |
ZOOKEEPER_RAM | 2g | The memory limit for Zookeeper service |
CASSANDRA_RAM | 2g | The memory limit for Cassandra service |
KAKFA_RAM | 1g | The memory limit for Kafka service |
FIDO_RAM | 1g | The memory limit for Fido service |
SELFSERVICE_RAM | 1g | The memory limit for Self Service Portal service |
WEBSECADMIN_RAM | 1g | The memory limit for Admin Dashboard service |
NOTIFICATIONS_RAM | 1g | The memory limit for Notifications service |
STATISTICS_RAM | 256m | The memory limit for each of the six Statistics services |
DATA_RETENTION_RAM | 1g | The memory limit for the Data Retention service |
CA_DAYS | 3650 | Validity of the selfsigned CA certificate |
CA_COUNTRY | RO | Country parameter of the CA certificate |
CA_CITY | Bucharest | City parameter of the CA certificate |
CA_STATE | Bucharest | State parameter of the CA certificate |
CA_EMAIL | | Email parameter of the CA certificate |
CA_ORG_UNIT | VeridiumID | Organisation Unit parameter of the CA certificate |
CA_ORGANISATION | VeridiumID | Organisation parameter of the CA certificate |
CA_CN_NAME | {{ ENVIRONMENT }}-DC1-ROOT-CA-{{ CA_ORGANISATION }} | Common Name parameter of the CA certificate |
RPM_VERSION | 6.1.10 | Required for the Zookeeper Path where the JSON files will be uploaded |
*The values above that are marked in red in the original document should be updated with the customer's preferred values.
3.6) HaProxy domain configuration
The Ansible role in charge of configuring HaProxy can add the client’s domain certificate during the configuration. To use an existing domain certificate, please create the following directory path:
mkdir -p $ANSIBLE_PATH/group_files/DOMAIN_NAME
Where DOMAIN_NAME is the name of the client’s domain (and is the value set during the last step).
In this directory, copy the private key and the public certificate extracted from the domain certificate. privateKey.pem must end with a newline; publicCert.pem must not have an empty line at the end of it.
The files must have the following names:
privateKey.pem
publicCert.pem
To extract the private key and the public certificate from a PKCS12 bundle, run the following commands:
openssl pkcs12 -in domain.p12 -nocerts -nodes -out privateKey.pem
openssl pkcs12 -in domain.p12 -nokeys -out publicCert.pem
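The line-ending requirements above are easy to get wrong by hand (an editor that adds or strips a final newline is enough to break the HaProxy role). The following script is an added example, not part of the VeridiumID installer: it wraps the two openssl commands from the guide, fixes the trailing newline of privateKey.pem, removes trailing blank lines from publicCert.pem, restricts the unencrypted key to its owner, and offers a check function for the resulting directory (the directory path is whatever you created under $ANSIBLE_PATH/group_files/DOMAIN_NAME).

```shell
#!/bin/sh
# Prepares the group_files/DOMAIN_NAME directory for the HaProxy role (section 3.6).
# Added example, not part of the VeridiumID installer.

# Append a newline if the last byte of the file is not already one.
# "$(tail -c 1 f)" is empty exactly when the last byte is a newline.
ensure_trailing_newline() {
  [ -s "$1" ] || return 1
  if [ -n "$(tail -c 1 "$1")" ]; then printf '\n' >> "$1"; fi
}

# Rewrite the file so that nothing follows the last non-blank line.
strip_trailing_blank_lines() {
  [ -s "$1" ] || return 1
  awk '{ line[NR] = $0 }
       END { n = NR; while (n > 0 && line[n] ~ /^[ \t\r]*$/) n--
             for (i = 1; i <= n; i++) print line[i] }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Extract the two files from a PKCS12 bundle with the commands from the guide.
extract_from_p12() {  # $1: path to domain.p12, $2: target directory
  openssl pkcs12 -in "$1" -nocerts -nodes -out "$2/privateKey.pem" &&
  openssl pkcs12 -in "$1" -nokeys -out "$2/publicCert.pem"
}

# Fix the line endings of both files and lock down the unencrypted key.
prepare_domain_cert_dir() {  # $1: group_files/DOMAIN_NAME directory
  dir="$1"
  for f in privateKey.pem publicCert.pem; do
    [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  ensure_trailing_newline "$dir/privateKey.pem" &&
  strip_trailing_blank_lines "$dir/publicCert.pem" &&
  chmod 600 "$dir/privateKey.pem"
}

# Returns 0 when both files are in the state the HaProxy role expects:
# the key ends with a newline and the certificate's last line is its END marker.
cert_dir_ok() {
  dir="$1"
  [ -s "$dir/privateKey.pem" ] && [ -s "$dir/publicCert.pem" ] &&
  [ -z "$(tail -c 1 "$dir/privateKey.pem")" ] &&
  tail -n 1 "$dir/publicCert.pem" | grep -q '^-----END CERTIFICATE-----$'
}
```

Typical use on the Ansible node: extract_from_p12 domain.p12 "$ANSIBLE_PATH/group_files/DOMAIN_NAME", then prepare_domain_cert_dir on the same directory and confirm with cert_dir_ok before running the installer.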
3.7) Ansible connectivity check
To check the connectivity between the Ansible node and the other nodes, run the following command from the $ANSIBLE_PATH directory:
ansible -i $ANSIBLE_PATH/environments_hosts/inventory all -m ping
4) Installation procedure
This section will provide the Ansible commands required to install VeridiumID.
4.1) Install procedure
The veridiumid user must be allowed to gain elevated privileges during the installation.
cd $ANSIBLE_PATH
./install_script.sh -e=@mandatory_vars.yml
Logs can be found here:
$ANSIBLE_PATH/vid_ansible/logs
Recovery procedure for the Ansible configuration part:
Depending on the type of error, one of the following steps can be executed.
If install_script.sh fails due to network issues, it can be executed once again and it will recover from the last failure point (the script can be executed inside screen, if screen is installed on the OS).
If there is another issue, try to fix the error and rerun the script one more time (the script will try to install from the last failed step):
./install_script.sh -e=@mandatory_vars.yml
If the error is due to a previous configuration step, try to do the recovery using steps 1, 2 and 3 below.
If you want to configure from scratch, do all the steps (1, 2 and 3).
Step 1: remove the file state.txt (the installation will then start from the beginning), the logs folder and the generated files listed below:
rm -f $ANSIBLE_PATH/state.txt
rm -rf $ANSIBLE_PATH/logs
rm -f $ANSIBLE_PATH/group_files/dc1/*
sudo systemctl stop ver_* ##(on all nodes; do not execute this command at this moment if you want to execute step 2)
Step 2: in some cases, if necessary, log in to Cassandra (persistence node) and run the commands below:
/opt/veridiumid/cassandra/bin/cqlsh --cqlshrc=/opt/veridiumid/cassandra/conf/veridiumid_cqlshrc --ssl -e 'drop keyspace veridium;'
####(even if the command receives a timeout, the keyspace should be deleted; check with the following command; the veridium keyspace should not exist)
/opt/veridiumid/cassandra/bin/cqlsh --cqlshrc=/opt/veridiumid/cassandra/conf/veridiumid_cqlshrc --ssl -e 'desc keyspaces;'
Step 3: if necessary, i.e. if you want to regenerate the CA, run the following command (on the node selected for the CA in the environment hosts file):
rm -rf /opt/veridiumid/CA