Installing Onepoint on CentOS 7 with Hashicorp Vault

1. Introduction

This page describes the installation of Onepoint on CentOS 7 using Hashicorp Vault as the vault backend. For other procedures, see the page Onepoint Procedures.

2. Other Required Repositories

The following repository (Remi, which provides the PHP 7.2 packages used in section 6) is required for installing Onepoint; the MariaDB repository is added in section 4. After installing it, make sure it is enabled (property enabled=1 in the respective /etc/yum.repos.d/REPONAME.repo file).

 ]# yum install https://rpms.remirepo.net/enterprise/remi-release-7.rpm
Remi123.png

3. Hashicorp Vault

Vault is a secret store; Onepoint uses it as a Vault Backend for storing credentials.

To install Vault, download the package for your system from HashiCorp. Vault is distributed as a zip archive containing a single binary. HashiCorp also publishes a SHA256SUMS file and its signature for each release, so the download can be verified before it is installed.

3.1 Installing Vault

1. Download the Vault package on Linux with wget.

1.png

2. After downloading the archive, check its checksum against the published SHA256SUMS, unzip it and install the vault binary by placing it on the PATH (for example in /usr/local/bin).

2.png

3. Verify the installation by opening a new terminal session and checking that the vault binary is on the PATH. Running vault with no arguments should print help output similar to the following:

3.png

3.2 Configuring Vault

Vault is configured using HCL files. The configuration file for Vault is relatively simple:

5.png

ui – enables the web user interface.

storage – the physical backend that Vault uses for storage. Whatever backend is chosen, it only ever holds encrypted data; the keys that decrypt it are the subject of sections 3.4 and 3.5.

listener – one or more listeners determine how Vault listens for API requests. A listener with tls_disable = 1 serves the API over plain HTTP. That is acceptable only for a local test, because Onepoint will send the role_id, the secret_id and every stored credential over this connection; for anything else, set tls_cert_file and tls_key_file on the listener.

3.3 Starting the Server

With the configuration in place, start the server as shown below. The server stays in the foreground, so run the remaining vault commands in a second terminal with VAULT_ADDR pointing at the listener (for example export VAULT_ADDR='http://127.0.0.1:8200' for a listener with TLS disabled; the CLI defaults to https://127.0.0.1:8200).

 ]# vault server -config=config.hcl
6.png

3.4 Initializing the Vault

Initialization is the process of configuring the Vault. It happens only once, when the server is started against a new storage backend that has never been used with Vault before. When running in HA mode, this happens once per cluster, not per server.

During initialization the encryption keys are generated, the unseal keys are created and the initial root token is set up. To initialize Vault, use vault operator init. This is an unauthenticated request, but it only works on a brand new Vault with no data.

 ]# vault operator init
7.png

Initialization outputs two important pieces of information: the unseal keys and the initial root token. This is the only time that Vault itself knows all of this data, and also the only time the unseal keys should ever be together in one place. For the purpose of this getting started guide, save all of these keys somewhere and continue. In a real deployment, hand each unseal key to a different key holder (vault operator init -pgp-keys encrypts each share to a different public key) and never leave the keys on the Vault host.

3.5 Seal/Unseal Vault

Every initialized Vault server starts in the sealed state. From the configuration, Vault can access the physical storage, but it can't read any of it because it doesn't know how to decrypt it. The process of teaching Vault how to decrypt the data is known as unsealing the Vault. Unsealing has to happen every time Vault starts. With the defaults of vault operator init (5 key shares, threshold 3), removing the seal requires 3 of the 5 keys that were generated.

Begin unsealing the Vault

 ]# vault operator unseal
8.png

Repeat vault operator unseal until the Vault is unsealed. You must use three different unseal keys; the same key repeated does not advance the unseal progress.

When the value for Sealed changes to false, the Vault is unsealed.

3.6 Vault Login

Authenticate with the initial root token (it was included in the output of vault operator init, together with the unseal keys):

 ]# vault login <root-token>
9.png

The root token is only needed for the bootstrap steps in 3.7 to 3.9. Once Onepoint's AppRole login works, revoke it with vault token revoke <root-token>; should a root token ever be needed again, one can be generated from the unseal keys with vault operator generate-root.

3.7 Enabling kv secret/ for storing credentials

For Onepoint to store credentials on Hashicorp Vault, a version 1 or version 2 kv secrets engine must be enabled, mounted at the secret/ path.

Choose one of the options below, depending on whether you want (or already have) a version 1 or a version 2 kv secrets engine.

  • For enabling a version 2 kv secrets engine on Hashicorp Vault, execute this command:
 ]# vault secrets enable -version=2 -path=secret kv
10.png
  • For enabling a version 1 kv secrets engine on Hashicorp Vault, execute this command:
 ]# vault secrets enable -path=secret kv

Later, when configuring Onepoint (section 13), you specify the KV version in the Onepoint backend configuration.

3.8 Create secret-full policy for full access to secrets

 Note: In this guide, secret-full is used as the name of the policy, but you can use a name of your choice. In that case, replace all references to secret-full in this guide with the new name.

In Hashicorp Vault, create a policy named secret-full with the following content. The secret/* glob also matches the secret/data/* and secret/metadata/* paths that a version 2 kv engine exposes through the API, so the same policy works for either KV version. It grants full access to everything under secret/; if that mount also holds secrets that are not Onepoint's, narrow the path (for example secret/onepoint/* for version 1, or secret/data/onepoint/* and secret/metadata/onepoint/* for version 2).

 ]# vi policy.hcl
 path "secret/*" {
   capabilities = ["create", "delete", "read", "update", "list"]
 }
 ]# vault policy write secret-full policy.hcl
Policy2.png

3.9 Enabling auth AppRole

For Onepoint to log in to Hashicorp Vault, the AppRole auth method must be enabled on Hashicorp Vault. For more information about the AppRole auth method, see AppRole Auth Method.

Logged in with the root token or a token carrying the root policy, perform the following steps:

1. Enable AppRole (if it isn’t already enabled)

 ]# vault auth enable approle
11.2.png

2. Create a role on Vault without setting secret_id_ttl, secret_id_num_uses or token_num_uses, so that the secret ID issued in step 4 does not expire and Onepoint can reuse it indefinitely. That makes the secret_id a long-lived credential: treat it like a password (Onepoint stores it encrypted, see section 13) and consider restricting where it can be used from with secret_id_bound_cidrs and token_bound_cidrs.

 Note: In this guide, secret-role is used as the name of the role, but you can use a name of your choice. In that case, replace all references to secret-role in this guide with the new name.
 ]# vault write auth/approle/role/secret-role \
   token_ttl=20m \
   token_max_ttl=30m \
   policies="default,secret-full"
12.png

3. Get the role ID for configuring Onepoint

 ]# vault read auth/approle/role/secret-role/role-id
13.png

4. Generate a secret ID for configuring Onepoint

 ]# vault write -f auth/approle/role/secret-role/secret-id
14.png

5. Save the role_id and secret_id obtained in the previous two steps for configuring Onepoint later.
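The steps in 3.4 and 3.5 (initialize, unseal) and in 3.7 to 3.9 (AppRole login, reading and writing the kv engine) are all calls to Vault's HTTP API, and the AppRole login plus kv access is what the Onepoint Vault Backend performs on Onepoint's behalf. The following Python 3 script is an added example, not Onepoint or HashiCorp code. It assumes Vault is reachable at VAULT_ADDR (default http://127.0.0.1:8200, i.e. a listener with TLS disabled), an AppRole mounted at auth/approle as enabled above, a kv engine mounted at secret/, and ROLE_ID, SECRET_ID and KV_VERSION environment variables for the usage at the bottom; it uses the Python 3 standard library rather than the Python 2.7 that Onepoint itself requires. All network calls go through one injectable `http` callable so the flow can be exercised without a live Vault.

```python
"""Added example (not Onepoint or HashiCorp code): the Vault HTTP API calls
behind sections 3.4-3.5 (init/unseal) and 3.7-3.9 (AppRole login, KV v1/v2).

Assumptions: VAULT_ADDR (default http://127.0.0.1:8200), an AppRole mount at
auth/approle, a kv engine at secret/. `http` is injectable for offline use.
"""
import json
import os
import urllib.error
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")  # assumption


def vault_http(method, path, body=None, token=None):
    """One call to the Vault HTTP API; `path` omits the /v1/ prefix.
    Returns the decoded JSON body ({} for an empty 204 response)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(VAULT_ADDR + "/v1/" + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)  # how Vault authenticates the caller
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        raise RuntimeError("%s %s -> HTTP %d: %s"
                           % (method, path, err.code, err.read().decode())) from None
    return json.loads(raw) if raw else {}


# --- 3.4 / 3.5: initialize and unseal ---------------------------------------

def init_vault(http, shares=5, threshold=3):
    """sys/init: creates the key shares and the initial root token.
    Unauthenticated, and only accepted by a brand new Vault (the CLI defaults
    are the same 5 shares / threshold 3 used in the text)."""
    return http("PUT", "sys/init",
                {"secret_shares": shares, "secret_threshold": threshold})


def select_unseal_keys(init_result, threshold):
    """Pick `threshold` DISTINCT shares from an init result: a repeated share
    does not advance the unseal progress, so duplicates are dropped first."""
    keys = list(dict.fromkeys(init_result["keys_base64"]))  # dedupe, keep order
    if len(keys) < threshold:
        raise ValueError("need %d distinct shares, have %d" % (threshold, len(keys)))
    return keys[:threshold]


def unseal(http, keys):
    """Submit shares one by one to sys/unseal until the status reports
    sealed == false. Returns the final seal status (t = threshold, n = shares)."""
    status = http("GET", "sys/seal-status")
    if not status.get("sealed"):
        return status  # already unsealed, nothing to do
    for key in keys:
        status = http("PUT", "sys/unseal", {"key": key})
        if not status["sealed"]:
            return status
    raise RuntimeError("still sealed after %d shares, progress %s/%s"
                       % (len(keys), status.get("progress"), status.get("t")))


# --- 3.7 / 3.9: AppRole login and KV v1 vs v2 ------------------------------

def approle_login(http, role_id, secret_id, mount="approle"):
    """auth/<mount>/login: trade role_id + secret_id for a client token, which
    is what a backend configured with mode=approle does on Onepoint's behalf."""
    out = http("POST", "auth/%s/login" % mount,
               {"role_id": role_id, "secret_id": secret_id})
    return out["auth"]["client_token"]


def kv_path(mount, key, version, op="data"):
    """API path for a key. v1 addresses the key directly; v2 inserts data/
    for read/write and metadata/ for list or deleting every version."""
    if version == 1:
        return "%s/%s" % (mount, key)
    if version == 2:
        return "%s/%s/%s" % (mount, op, key)
    raise ValueError("unsupported KV version %r" % (version,))


def kv_write(http, token, mount, key, values, version):
    """v1 takes the key/value pairs as the body; v2 wraps them in {"data": ...}."""
    body = {"data": values} if version == 2 else values
    return http("POST", kv_path(mount, key, version), body, token)


def kv_read(http, token, mount, key, version):
    """v1 returns the pairs under "data"; v2 under "data"."data" (plus metadata)."""
    out = http("GET", kv_path(mount, key, version), None, token)
    return out["data"]["data"] if version == 2 else out["data"]


if __name__ == "__main__":
    # Assumed environment variables; the IDs are never hard-coded in the script.
    token = approle_login(vault_http, os.environ["ROLE_ID"], os.environ["SECRET_ID"])
    version = int(os.environ.get("KV_VERSION", "2"))
    kv_write(vault_http, token, "secret", "onepoint/demo",
             {"username": "svc-demo", "password": "constructed-value"}, version)
    print(kv_read(vault_http, token, "secret", "onepoint/demo", version))
```

kv_path shows why the policy in 3.8 uses the secret/* glob: a version 2 engine answers under secret/data/... and secret/metadata/..., a version 1 engine directly under secret/..., and the request and response bodies differ as well (version 2 wraps the key/value pairs in a data object). select_unseal_keys enforces the rule from 3.5 that the threshold must be met with distinct shares; keeping unseal keys within a script's reach is a lab convenience only, see the caveat in 3.4.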

4. MariaDB

First, make sure MariaDB is installed on the system (the MariaDB-server and MariaDB-client packages from the MariaDB repository set up below, or mariadb and mariadb-server from the CentOS base repository). If you want to use an external MariaDB database, this step is not required, but you still need an empty database for Onepoint (for example, a database named onepoint).

 Tip: Make sure TCP/IP access (bind-address) is enabled for MariaDB / MySQL. Bind only to the address Onepoint connects from (127.0.0.1 when both run on the same host) rather than to all interfaces.


1 – Access the MariaDB download site:

 https://downloads.mariadb.org/mariadb/repositories/#distro=CentOS&distro_release=centos7-amd64--centos7&mirror=osuosl

2 – Create a MariaDB repository file:

 ]# vi /etc/yum.repos.d/mariadb.repo
Mariadbrepo.png

3 – Copy the repository definition from the website into the file created in the previous step and save it. Keep gpgcheck=1 and the gpgkey line from the site's definition so that yum verifies the packages.

Mariadbrepo2.png


4 – Installing MariaDB

 ]# yum install MariaDB-server MariaDB-client
Dbinstall2.png


5 – Starting the MariaDB service. Before creating databases, run mysql_secure_installation to set the root password and remove the anonymous accounts and the test database.

 ]# systemctl start mariadb
 ]# systemctl enable mariadb
 ]# mysql

6 – You also need a database on MariaDB to host Onepoint. If you don't have one, create it. The default name is onepoint, but you can change it as you need, in which case reflect the change in the database configuration (section 11). Create a dedicated database user for Onepoint with privileges limited to that database rather than letting Onepoint connect as root.

For creating the database, assuming the database name onepoint:

 mysql> create database onepoint;
Startdb2.png

5. Apache Web Server

You will need the Apache Web Server installed on the system for installing Onepoint. You can install it by running the following commands:

 ]# yum install httpd
Httpd.png
 ]# systemctl enable httpd
Enablehtppd.png

6. PHP

You will need PHP 7.2 or higher to install Onepoint. Install the following packages from the Remi repository (section 2):

  • php72-php
  • php72-php-common
  • php72-php-bz2
  • php72-php-curl
  • php72-php-ldap
  • php72-php-gd
  • php72-php-gmp
  • php72-php-imap
  • php72-php-mbstring
  • php72-php-mcrypt
  • php72-php-soap
  • php72-php-mysqlnd
  • php72-php-xml
  • php72-php-zip
  • php72-php-json

You can install them running the following command (once Remi is installed):

 ]# yum install php72-php php72-php-common php72-php-bz2 php72-php-curl php72-php-ldap php72-php-gd php72-php-gmp php72-php-imap php72-php-mbstring php72-php-mcrypt php72-php-soap php72-php-mysqlnd php72-php-xml php72-php-zip php72-php-json
Php72.png

7. Python

You will need Python 2.7 (the python package, which is installed by default on CentOS 7, so the command below lists only the others). Install the following packages:

  • python
  • python-pip
  • python-requests
  • python-ldap
  • python-paramiko

You can install them running the following command:

 ]# yum install python-pip python-requests python-ldap python-paramiko
Installpython.png

8. Other Libraries

You will need to install the following libraries:

  • curlpp (installed from the EPEL 6 RPM referenced below)
  • libssh
  • json-c
  • jsoncpp

1. Install curlpp with the following command. Note that yum does not GPG-check a package given by URL unless localpkg_gpgcheck=1 is set in /etc/yum.conf, so import the EPEL 6 signing key and verify the downloaded file with rpm -K before installing it, or at least fetch it over https.

 ]# yum install curl http://download-ib01.fedoraproject.org/pub/epel/6/x86_64/Packages/c/curlpp-0.7.3-5.el6.x86_64.rpm
Curlpp.png

2. Install the remaining libraries with the following command:

 ]# yum install libssh json-c jsoncpp
Libssh.png

9. Other tools

  • psutils
  • psmisc
  • telnet (client)
  • SSH server (openssh-server)
  • SSH client (openssh-clients)
  • Samba

You can install them by running the following command (the CentOS 7 package names for the SSH server and client are openssh-server and openssh-clients):

 ]# yum install psutils psmisc telnet openssh-server openssh-clients samba
Psutils1.png

10. Install Onepoint

Install the Onepoint repository package for your operating system version, then install the onepoint package with yum. The repository package is fetched over plain http; after installing it, check that the repository file it creates under /etc/yum.repos.d/ has gpgcheck=1 and points to the vendor's signing key before installing onepoint.

 ]# yum install http://repo.onepoint.net.br/yum/centos/repo/onepoint-repo-0.1-1centos.noarch.rpm
Reponpt.png
 ]# yum install onepoint
Installonpt.png

11. Configure Database Parameters

Database parameters are in /usr/share/onepoint/onepoint/application/config/database.php. Use your favorite text editor to set them to match the database and database user created in section 4.

Databaseopt.png

If the database parameters are not configured correctly, Onepoint will not function.

12. Initialize Onepoint Database

Run the setup script by accessing:

 http://<HOSTNAME>/onepoint/ui/setup

Here <HOSTNAME> is the address of the server on which you just installed Onepoint (the host running Apache), not the package repository.

Exescript.png

Click Execute install scripts.

12.1 Onepoint

After the previous steps, the screen below appears. Log in with the default account:

Welcomeone.png
 USER: admin
 PASSWORD: password

Change this password immediately after the first login; until then, anyone who can reach the web server can log in as admin.

13. Create a Vault Backend of class Hashicorp Vault and set it as default Vault Backend

 Note: In this guide, hashicorp-vault is used as the name of the vault backend, but you can use a name of your choice. In that case, replace all references to hashicorp-vault in this guide with the new name.

In Onepoint, you need to create a Vault Backend pointing to your Hashicorp Vault instance.

  • In Onepoint, go to Settings > Encrypt String, encrypt the role_id of the role created previously and save the resulting value (copy and paste)
  • Go to Settings > Encrypt String again, encrypt the secret_id of that role and save the resulting value (copy and paste)
Encrypt String.png
Encrypt String 2.png
  • In Onepoint, go to Settings > Backends
  • Click New for creating a backend
  • Select type Vault Backend and class Hashicorp Vault
  • In the Parameters tab, set address to the Hashicorp Vault endpoint address (the listener from section 3.2; use an https address unless this is a local test), version to the KV secrets engine version (1 or 2, depending on which you set up in section 3.7), mode to approle, encryption to full, and fill role_id and secret_id with the encrypted values generated in the first steps of this section.
Encrypt String 3.png
  • Set the hashicorp-vault Vault Backend as the default Vault Backend in Onepoint. To do this, go to Settings > System Properties, search for the property called system.default.backend.vault, edit it and set it to hashicorp-vault.

14. Give root permissions to the admin group for Delegate, Managed, Credentials Lists and My Credentials

14.1 Root Permissions on Delegate Credentials

1. Go to Vault > Delegate Credentials

2. Select hashicorp-vault on the top-right corner of Delegate Credentials box

Hashicorpvaultrootpermissions0.jpg

3. On the top-right corner of the Delegate Credentials box, click the gear icon and then Root Permissions. The permissions dialog will open.

Hashicorpvaultrootpermissions1.jpg

4. Add a permission for the admin group (Onepoint Directory backend) with all permissions

Hashicorpvaultrootpermissions2.jpg
Hashicorpvaultrootpermissions3.jpg

14.2 Root Permissions on Managed Credentials

1. Go to Vault > Managed Credentials

2. Select hashicorp-vault on the top-right corner of Managed Credentials box

3. On the top-right corner of the Managed Credentials box, click the gear icon and then Root Permissions. The permissions dialog will open.

Hashicorpvaultrootpermissions5.jpg

4. Add a permission for the admin group (Onepoint Directory backend) with all permissions

Hashicorpvaultrootpermissions6.jpg
Hashicorpvaultrootpermissions7.jpg

14.3 Root Permissions on Credentials Lists

1. Go to Vault > Credentials Lists

2. Select hashicorp-vault on the top-right corner of Lists Credentials box

Hashicorpvaultrootpermissions8.jpg

3. On the top-right corner of the Lists Credentials box, click the gear icon and then Root Permissions. The permissions dialog will open.

Hashicorpvaultrootpermissions9.jpg

4. Add a permission for the admin group (Onepoint Directory backend) with all permissions

Hashicorpvaultrootpermissions10.jpg
Hashicorpvaultrootpermissions11.jpg

14.4 Root Permissions on My Credentials

1. Go to Vault > My Credentials

2. Select hashicorp-vault on the top-right corner of My Credentials box

Hashicorpvaultrootpermissions12.jpg

3. On the top-right corner of the My Credentials box, click the gear icon and then Root Permissions. The permissions dialog will open.

4. Add a permission for the admin group (Onepoint Directory backend) with all permissions

Hashicorpvaultrootpermissions14.jpg
Hashicorpvaultrootpermissions15.jpg

15. Creating an SSH key for the onepoint user

Set a temporary password for the onepoint user (it is only needed so that ssh-copy-id can log in and is removed again in the last step), log in as that user, generate the key pair and install the public key. The -m PEM option writes the private key in the classic PEM format; the OpenSSH 7.4 shipped with CentOS 7 already uses that format by default, so the option only matters on newer OpenSSH versions.

 ]# passwd onepoint
Sshone.png
 ]# ssh onepoint@localhost
Sshone2.png
 ]$ ssh-keygen -t rsa -m PEM
Sshone3.png
 ]$ ssh-copy-id onepoint@localhost
Sshone4.png
 ]# passwd -d onepoint
Sshone5.png

The last command removes the password again, so from now on the account can be reached over SSH only with the key. Check that PermitEmptyPasswords has not been set to yes in /etc/ssh/sshd_config (the default is no).

16. Configuring Onepoint Worker Daemon

Onepoint Worker lives in /usr/share/onepoint/onepoint-worker. To configure it, set the credentials in /usr/share/onepoint/onepoint-worker/cfg/config.json (restrict the file's permissions, for example with chmod 600, since it holds credentials) and put the startup script in root's crontab, like this:

 ]# crontab -e
Crontab1.png
 @reboot /usr/share/onepoint/onepoint-worker/start-onepoint-worker-su-30
Crontab2.png

You can start the service manually using

 ]# /usr/share/onepoint/onepoint-worker/start-onepoint-worker-su
Crontab3.png


And you can stop the service manually using

 ]# /usr/share/onepoint/onepoint-worker/stop-onepoint-worker
Crontab4.png

17. Finished

Now Onepoint is ready. You can access it at http://<HOSTNAME>/onepoint. Since users enter credentials through this interface, put it behind HTTPS (the mod_ssl package for Apache) before exposing it beyond a test network.
