
Configuring and Securing the Stack

This page explains how to install the Espresso Appliance into a production environment. It presumes moderate system administrator experience and some familiarity with the Unix shell.

 


Elements of the stack

Item                              Vendor          Version
Operating System                  CentOS x64      6.5
Web Server                        Apache          2.2.15.30
Java Servlet Container            Apache Tomcat   7.0.53
Java Virtual Machine              Oracle          1.7.0_75
Database                          mysql           5.6.23
Simple Net Management Protocol    net-snmp        5.5.49
screen                            CentOS          4.0.3.16
wget                              CentOS          1.12.1.11
tcpdump                           CentOS          4.0.0-3.20090921

Logins

 
Credential               User             Password
Login                    root             espresso123
Login                    tomcat           espresso123
mysql                    root             espresso123
mysql                    espresso_admin   espresso123
http://xxx.xxx.xxx.xxx   sa               Password1
http://xxx.xxx.xxx.xxx   admin            Password1


Networking Details


Hostname
  /etc/sysconfig/network: replace "espresso" on line 2 with the new host name
    HOSTNAME=espresso
  /usr/share/espresso/tomcat/bin/setenv.sh: replace "espresso" on line 3 with the new host name
    CATALINA_OPTS="${CATALINA_OPTS} -Djava.rmi.server.hostname=espresso"

DNS
  /etc/resolv.conf: replace 192.168.167.2 with your preferred name server(s)
  (a list of free public DNS servers: http://pcsupport.about.com/od/tipstricks/a/free-public-dns-servers.htm)
  Edit this ONLY IF you are using a static IP address in /etc/sysconfig/network-scripts/ifcfg-eth0; otherwise the contents of /etc/resolv.conf are updated automatically by dhcp.

NTP
  /etc/ntp.conf: replace "server 0.amazon.pool.ntp.org iburst" with your preferred time synchronization server(s)

Default Gateway
  /etc/sysconfig/network: remove the leading "#"
    GATEWAY=xxx.xxx.xxx.xxx

DHCP
  /etc/sysconfig/network-scripts/ifcfg-eth0: change
    BOOTPROTO=static
  then remove the "#" and replace with your preferred values:
    # for static IP
    #IPADDR=192.168.1.240
    #PREFIX=24
    #GATEWAY=192.168.1.1
    #DNS1=192.168.1.10
    #DOMAIN=localdomain
    #DEFROUTE=yes

iptables
  /etc/sysconfig/iptables

Keep port 443 open for https traffic, and optionally close all other ports:

sudo iptables --flush -t nat
sudo service iptables save
sudo iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
sudo service iptables save
sudo chkconfig iptables on



To examine the CentOS firewall rules:

sudo iptables -L INPUT --line-numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql
2    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
3    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https

Rules are renumbered after every deletion, so delete the higher-numbered rule first; deleting rule 1 and then rule 2 would remove the https rule instead of the http rule:

sudo iptables -D INPUT 2    # disable http port 80 incoming requests
sudo iptables -D INPUT 1    # disable mysql port 3306 incoming requests
sudo service iptables save

(This executes the iptables init script, which runs the /sbin/iptables-save program and writes the current iptables configuration to /etc/sysconfig/iptables. The existing /etc/sysconfig/iptables file is saved as /etc/sysconfig/iptables.save.)


Optional outbound firewall rule for an external database host:

The Destination Host should be the name or IP address of your database server.
The Destination Port should be the port number for your database.

Database                   Default port number
MS SQL Server              1433
mysql                      3306
Oracle SQL*Net Listener    1521



To change from a dhcp address to a static ip address:

  • Configure network interface connection eth0

sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0               # Device name
ONBOOT=yes                # Service starts at boot time.
NM_CONTROLLED=no          # Settings are not controlled by the Network Manager service.
BOOTPROTO=none            # This device does not receive network settings from any dhcp service on the network.
TYPE=Ethernet
IPADDR=192.168.1.44       # IP address for this device (replace with yours)
NETMASK=255.255.255.0     # Subnet mask (replace with yours)
GATEWAY=192.168.1.1       # IP address used to reach the Internet (usually a router) (replace with yours)
DNS1=192.168.1.10         # IP address of the machine hosting the DNS on the LAN (replace with yours)
DNS2=192.168.1.11         # Replace with yours if you have a backup DNS server
DEFROUTE=yes              # Set a default route persistently
IPV6INIT=no               # IPv6 is not enabled on this server machine.
USERCTL=no                # Except for the root user, users can't alter network settings for this device.

  • Configure Default Gateway

sudo vi /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=espresso.domain.com  # replace with yours

  • Restart Network Interface

sudo service network restart

  • Configure DNS Server

sudo vi /etc/resolv.conf

search domain.com        # replace with yours
nameserver 8.8.8.8       # Google, or replace with your nameserver ip
nameserver 8.8.4.4       # Google, or replace with your nameserver ip

  • To test network changes:

sudo rm -f /etc/udev/rules.d/70-persistent-net.rules
sudo /etc/init.d/network restart
sudo ifconfig eth0
sudo route -n
ping www.google.com
sudo reboot



Apache web server

httpd is only used for port forwarding to the Apache Tomcat servlet container and for the SSL security certificates.

Web Server Name
  /etc/httpd/conf/httpd.conf: change the host name on line 277
    ServerName espresso

SSLCertificateKeyFile
  /etc/httpd/conf.d/ssl.conf: replace with your company's SSL certificate key file: /etc/pki/tls/certs/espresso.key
    sudo chcon unconfined_u:object_r:httpd_config_t:s0 /etc/pki/tls/certs/espresso.key
    sudo chmod 600 /etc/pki/tls/certs/espresso.key
    sudo openssl rsa -in /etc/pki/tls/certs/espresso.key -check

SSLCertificateFile
  /etc/httpd/conf.d/ssl.conf: replace with your company's SSL certificate file: /etc/pki/tls/certs/espresso.crt
    sudo chcon unconfined_u:object_r:httpd_config_t:s0 /etc/pki/tls/certs/espresso.crt
    sudo chmod 600 /etc/pki/tls/certs/espresso.crt
    sudo openssl x509 -in /etc/pki/tls/certs/espresso.crt -text -noout

SSLCertificateChainFile
  /etc/httpd/conf.d/ssl.conf: replace with your company's SSL Certificate Authority intermediate bundle certificate file: /etc/pki/tls/certs/server-chain.crt
    sudo chcon unconfined_u:object_r:httpd_config_t:s0 /etc/pki/tls/certs/server-chain.crt
    sudo chmod 600 /etc/pki/tls/certs/server-chain.crt
    sudo openssl x509 -in /etc/pki/tls/certs/server-chain.crt -text -noout

To test your Appliance's website security:

  • From within the appliance:
    • sudo /usr/bin/openssl s_client -connect localhost:443
  • From your PC via a browser outside the appliance:
    • http://www.sslshopper.com/ssl-checker.html#hostname=<dns name of your espresso logic appliance>
    • https://www.ssllabs.com/ssltest/analyze.html?d=<dns name of your espresso logic appliance>
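The openssl commands above only inspect each file on its own. The script below is an added example, not part of the appliance, that checks the three files against each other before ssl.conf is pointed at them: the key must match the certificate, the certificate must verify against the intermediate bundle (plus the system trust store), and it must have more than 30 days of validity left. Paths are arguments; on the appliance they would be /etc/pki/tls/certs/espresso.key, espresso.crt and server-chain.crt.

```shell
#!/bin/sh
# Added example (not from the appliance): pre-flight check of TLS material
# before it is referenced from /etc/httpd/conf.d/ssl.conf. Needs the openssl CLI.

# Prints "match" when the public half of the private key equals the public key
# embedded in the certificate, otherwise "mismatch". Works for RSA and EC keys.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Prints "valid" when the certificate verifies against the chain bundle and has
# more than 30 days (2592000 s) left; otherwise prints which check failed.
cert_is_valid() {
    crt="$1"; chain="$2"
    if ! openssl verify -CAfile "$chain" "$crt" >/dev/null 2>&1; then
        echo chain-broken
    elif ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo expiring
    else
        echo valid
    fi
}

# Run both checks and only then restrict the files to owner-only access, as the
# page does with chmod 600. Usage: check_tls_files KEY CRT CHAIN
check_tls_files() {
    [ "$(key_matches_cert "$1" "$2")" = match ] || { echo "key does not match certificate" >&2; return 1; }
    r=$(cert_is_valid "$2" "$3")
    [ "$r" = valid ] || { echo "certificate check failed: $r" >&2; return 1; }
    chmod 600 "$1" "$2" "$3"
    echo "TLS files verified and permissions set to 600"
}
```

Run the SELinux chcon from the page afterwards; it is left out here because the label depends on the appliance's policy.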

Apache http web server operational information

Log files: /etc/httpd/logs
  access.log
  error.log
  espresso.error.log
  espresso.log
  ssl_access.log
  ssl_error.log
  ssl_request.log
Service start/stop/status/restart: /etc/init.d/httpd
  sudo service httpd start
  sudo service httpd stop
  sudo service httpd status
  sudo service httpd restart
Start service on boot: /etc/init.d/httpd
  sudo chkconfig httpd on


Tomcat Servlet Container

All files under /opt/tomcat are owned by user “tomcat”, so operate on them as user “tomcat” and not as user “root”.

Server Root: /usr/share/espresso/tomcat
Service start/stop/status/restart: /etc/init.d/espresso
  sudo service espresso start
  sudo service espresso stop
  sudo service espresso status
  sudo service espresso restart
Start service on boot: /etc/init.d/espresso
  sudo chkconfig espresso on
Log files: /usr/share/espresso/tomcat/logs
  catalina.2014-04-26.log
  catalina.2014-04-28.log
  catalina.out
  espresso.2014-04-26.log
  espresso.2014-04-28.log
  host-manager.2014-04-26.log
  host-manager.2014-04-28.log
  localhost.2014-04-26.log
  localhost.2014-04-28.log
  localhost_access_log.2014-04-26.txt
  localhost_access_log.2014-04-28.txt
  manager.2014-04-26.log
  manager.2014-04-28.log
  tomcat-initd.log
AJP Connector from Apache http web server: /usr/share/espresso/tomcat/conf/server.xml
  AJP 1.3 Connector on port 8009
Apache JMX jconsole debugging / health monitoring: /usr/share/espresso/tomcat/conf/server.xml
  Ports: rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"
JMX debugging and health monitoring access: /usr/share/espresso/tomcat/conf/jmxremote.access
  monitorRole readonly
  controlRole readwrite
  (sudo chmod 400 jmxremote.access)
JMX debugging and health monitoring access: /usr/share/espresso/conf/jmxremote.password
  monitorRole espresso123
  controlRole espresso123
  (sudo chmod 400 jmxremote.password)
JMX debugging and health monitoring access: /usr/share/espresso/tomcat/bin/setenv.sh
  replace "espresso" on line 3 with the new host name
  CATALINA_OPTS="${CATALINA_OPTS} -Djava.rmi.server.hostname=espresso"
Webserver favicon: /usr/share/espresso/tomcat/webapps/ROOT/favicon.ico
  Replace if desired with your corporate icon
Log level content control: /usr/share/espresso/tomcat/webapps/ROOT/WEB-INF/classes/logging.properties
  Currently set to WARNING. A handler's log level threshold can be set using SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL. You can also target specific packages to collect logging from and specify a level for each.

  


MySQL Database

Mysql home
Allow large packets: /etc/my.cnf
  max_allowed_packet=20485760
Default listening port: /etc/my.cnf
  Port=3306
Error log: /var/log/mysqld.log
mysql command line: /usr/bin/mysql
  sudo mysql -h localhost --user espresso_admin -pespresso123
Espresso database: espresso_admin
Mysql database files: /var/lib/mysql
  auto.cnf
  espresso_admin
  espresso.pid
  ibdata1
  ib_logfile0
  ib_logfile1
  mysql
  mysql.sock
  performance_schema
  RPM_UPGRADE_HISTORY
  RPM_UPGRADE_MARKER-LAST
  test


Remote Access

/home/tomcat/.bash_profile: calls /home/tomcat/prompt.settings
/home/tomcat/prompt.settings: sets the prompt to the IP address
/etc/rc.local: calls /usr/share/espresso/bin/espresso-login.sh during boot
/usr/share/espresso/bin/espresso-login.sh: sets the login banner with a greeting and getting-started instructions

We enabled an RSA ssh key for user tomcat:

su - tomcat
cd /home/tomcat/.ssh
chmod -R 700 /home/tomcat/.ssh
restorecon -R /home/tomcat/.ssh
touch /home/tomcat/.ssh/authorized_keys
chmod 600 /home/tomcat/.ssh/authorized_keys

You can replace the existing contents of /home/tomcat/.ssh/authorized_keys with your own keys, or remove /home/tomcat/.ssh completely. If ssh remote access is not needed or desired (for security reasons), then you can stop and disable the service, and optionally remove the package that provides sshd (openssh-server on CentOS):

sudo service sshd stop
sudo chkconfig sshd off
sudo rpm -e openssh-server


Optional Health Monitoring

Service                          Protocol   Port    Source
Tomcat JMX Monitoring            TCP        10001   ###.###.###.##/32
Tomcat JMX Monitoring            TCP        10002   ###.###.###.##/32
NTP (drift monitoring)           UDP        123     ###.###.###.##/32
SNMP OS Health Monitoring        UDP        161     ###.###.###.##/32
ICMP (simple health monitoring)  ICMP       all     ###.###.###.##/32
MySQL                            TCP        3306    ###.###.###.##/32

sudo iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 10001 -j ACCEPT
sudo iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 10002 -j ACCEPT
sudo iptables -A INPUT -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
sudo iptables -A INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT
sudo iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
sudo service iptables save
sudo chkconfig iptables on
sudo service iptables restart
sudo service network restart

(Make sure all of the rules are in place as expected; for example, ensure that port 443 is still open so that Espresso Logic operates properly.)
sudo iptables -L INPUT --line-numbers
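The Source column of the table limits each monitoring port to one host, but the iptables commands as written accept those ports from any address. The script below is an added example, not part of the appliance: gen_rules writes a complete iptables-restore ruleset that follows the table (443 open to everyone, monitoring and database ports restricted to a single /32, INPUT policy DROP), and check_rules audits a ruleset, as printed by gen_rules or by "iptables -S INPUT", for any of those ports left open without a source restriction. The monitoring host 203.0.113.10/32 is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the appliance): emit a /etc/sysconfig/iptables ruleset
# in iptables-restore format. Apply with: gen_rules 203.0.113.10/32 | sudo iptables-restore
gen_rules() {
    mon="$1"     # monitoring host, e.g. 203.0.113.10/32 (constructed placeholder)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s $mon -p tcp -m state --state NEW -m tcp --dport 10001 -j ACCEPT
-A INPUT -s $mon -p tcp -m state --state NEW -m tcp --dport 10002 -j ACCEPT
-A INPUT -s $mon -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s $mon -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -s $mon -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -s $mon -p icmp -j ACCEPT
COMMIT
EOF
}

# Audit a ruleset given as text: 443 must be accepted, and none of the
# monitoring/database ports (plus plain http) may be accepted without a
# "-s" source restriction. Prints "ok" or a space-separated list of findings.
check_rules() {
    rules="$1"; bad=""
    printf '%s\n' "$rules" | grep -q -- '--dport 443 -j ACCEPT' || bad="443-missing"
    for p in 80 3306 10001 10002 123 161; do
        # a line for this port that has no " -s " clause is unrestricted
        if printf '%s\n' "$rules" | grep -- "--dport $p -j ACCEPT" | grep -qv -- ' -s '; then
            bad="${bad:+$bad }$p-unrestricted"
        fi
    done
    [ -n "$bad" ] && echo "$bad" || echo ok
}
```

Because INPUT defaults to DROP here, the separate "-D INPUT n" cleanup of the mysql and http rules is no longer needed; run "sudo service iptables save" after applying so the ruleset survives a reboot.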


VMware Tools Installation Process

  • Start the Espresso Logic Virtual Machine Appliance in the VMware hypervisor
     (VMware Player, VMware Workstation, VMware Fusion ...)
  • Click VM in the virtual machine menu
  • Click Guest > Install/Upgrade VMware Tools 
  • Click OK.
  • Log into the appliance via the VMware console or start a PuTTY session and connect
  • Enter the following command:

/usr/share/espresso/bin/installVMwareTools.sh 

Optionally install a user-friendly SSH and telnet client

     PuTTY is an SSH and telnet client which you can download for free from here: http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.63-installer.exe


    Appliance upgrade

    Use the following procedure to upgrade your Espresso appliance.  There are two ways to upgrade, as described below.  Also, see these notes.


    yum update

    The simplest approach uses yum update:
    1. Start the Virtual Machine
    2. Login (tomcat, espresso123)
    3. sudo yum update

    Update the war

    Recall that Espresso is packaged as a war file; the procedure below replaces the war file on the CentOS machine.
      1. Start the Virtual Machine
      2. Login (tomcat, espresso123)
      3. cd /usr/share/espresso/tomcat/webapps/
      4. wget <<url>>
        1. URL will be supplied by Espresso, something like https://s3-us-west-1.amazonaws.com/espressologic-public/Espresso-2.3.1743.war
      5. rm ROOT.war
      6. mv Espresso-2.2.1743.war ROOT.war



    Backups


    The following configuration initiates a backup at 6:00am GMT daily:

    sudo crontab -e

    #* * * * * command to be executed
    #- - - - -
    #| | | | |
    #| | | | +----- day of week (0 - 6) (Sunday=0)
    #| | | +------- month (1 - 12)
    #| | +--------- day of month (1 - 31)
    #| +----------- hour (0 - 23)
    #+------------- min (0 - 59)
    # remember this machine is in UTC timezone
    0 6 * * * /usr/share/espresso/upgrade/bin/backup.sh > /dev/null 2>&1

    This command will create a timestamped backup file under: /var/backup

    sudo ./backupDB.sh 

    ----- Getting admin database info
    AdminDatabaseHost is: localhost
    AdminDatabaseSchema is: espresso_admin
    AdminDatabaseUser is: espresso_admin
    Warning: Using a password on the command line interface can be insecure.
    schema version is 20141225
    ----- backup current espresso_admin database to: /var/backup/espresso_admin_2014-12-24-21-06_1238_20141225.sql
    Warning: Using a password on the command line interface can be insecure.

    Note: The EspressoLogic Appliance's disk drive will fill up if all of the backups are kept here. You should move the backup files off the appliance, or make /var/backup an NFS mount point to a storage area within your network, for proper disaster recovery.
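    The note above leaves the housekeeping to the administrator. The script below is an added example, not part of the appliance: verify_dump refuses to trust a dump that is empty or lacks the "-- Dump completed" trailer mysqldump writes, prune_backups deletes espresso_admin_*.sql files older than a given number of days, and nightly_backup chains them after the page's backup.sh for use from the cron entry. The 14-day retention and the backup.sh path are assumptions.

```shell
#!/bin/sh
# Added example (not from the appliance): keep /var/backup from filling the disk
# and make sure a dump is complete before it is trusted as the only copy.

# Prints "ok" if FILE is a non-empty dump ending with the "-- Dump completed"
# trailer that mysqldump writes; "empty" or "truncated" otherwise.
verify_dump() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo empty
    elif tail -n 3 "$f" | grep -q '^-- Dump completed'; then
        echo ok
    else
        echo truncated
    fi
}

# Deletes espresso_admin_*.sql files in DIR older than DAYS days and prints
# how many were removed. Long-term copies belong on the NFS share or another
# host, as the note above says, so keep DAYS short on the appliance.
prune_backups() {
    dir="$1"; days="$2"
    old=$(find "$dir" -maxdepth 1 -name 'espresso_admin_*.sql' -mtime +"$days")
    n=0
    for f in $old; do
        rm -f "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Cron wrapper: run the appliance's backup script, check the newest dump, then
# prune. Fails loudly instead of sending everything to /dev/null so cron mails
# the error. Assumes backup.sh and /var/backup from the page.
nightly_backup() {
    dir="${1:-/var/backup}"
    /usr/share/espresso/upgrade/bin/backup.sh || return 1
    latest=$(ls -t "$dir"/espresso_admin_*.sql 2>/dev/null | head -n 1)
    r=$(verify_dump "$latest")
    [ "$r" = ok ] || { echo "backup $latest is $r" >&2; return 1; }
    echo "pruned $(prune_backups "$dir" 14) dumps older than 14 days"
}
```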