Installation of LDS from the Package

Introduction

Landscape Dedicated Server allows customers to run the Landscape systems management server onsite rather than as the hosted service already included in Ubuntu Advantage.

The Landscape Dedicated Server consists of five separate services:

  • Landscape app server
  • Landscape msg server
  • Landscape ping server
  • Landscape job handler
  • Landscape async frontend

Landscape app server

This is the web frontend UI that admins use. It runs on port 8080, but sits behind Apache, so is accessible at https://<server>/

Landscape msg server

This is the server that Landscape clients communicate with. It runs on port 8081, but sits behind Apache, so is accessible at https://<server>/message-server

Landscape ping server

This is a lightweight server that clients talk to. It runs on port 8082, but sits behind Apache, so is accessible at http://<server>/ping

Note: The ping server is accessed over HTTP not HTTPS.

Landscape job handler

This is part of the Ajax infrastructure, and must run on the same server as the app server.

Landscape async frontend

This is part of the Ajax infrastructure, and must run on the same server as the app server.

Landscape also depends on the following packages:

  • PostgreSQL 8.4
  • RabbitMQ 1.7.2
  • Postfix (or other SMTP mail server)
  • Apache httpd 2.x

Landscape requires access to a PostgreSQL 8.4 database server. This can be remote or local; for small installations a local database is fine, but we recommend splitting the load over more than one machine for larger (? how many) numbers of client machines.

The Landscape Server sits behind the Apache httpd server. We rely on the httpd server's SSL implementation to secure communication between the Landscape client and the server, and also between the user's browser and the Landscape frontend.

SSL for Dummies

The Secure Socket Layer (SSL) uses a trust system. There are several root Certificate Authorities (CAs) that sign certificates, and the certificates you buy from an SSL certificate provider are signed indirectly by one of these root CAs. In order to be trusted by the browser, a certificate has to be signed by a CA that the browser knows about.

For example, Thawte signs the google.com certificate, and the Thawte CA certificate is trusted by browsers, so the HTTPS certificate from google.com is trusted by browsers.

SSL and Landscape

The Landscape team does not recommend providing unsecured access to the Landscape server. It is important that the client can verify the identity of the server. To this end, the client verifies that the CA which signed any SSL certificate presented by the Landscape server it connects to is known to the landscape-client.

This means that it is not possible to use the Landscape client with a self-signed SSL certificate, but it is possible to use Landscape with an SSL certificate signed by a self-signed CA.

If you already have a root-trusted CA signed certificate for your LDS installation, you can skip the next section.

Generating an SSL CA and Certificate for Landscape

Generating the correct SSL files for use with Landscape is a three step process:

1. Create your own Certificate Authority (CA)
2. Generate an SSL certificate signed by your new CA
3. Sign your newly created SSL certificate with your newly created CA

Create your own Certificate Authority (CA)

The OpenSSL Project provides a tool for generating CAs, CA.pl(1), which is supplied as part of the Ubuntu openssl package. This script resides in /usr/lib/ssl/misc/CA.pl. Out of the box, CA.pl generates certificate files that expire in 365 days. To change this, edit /etc/ssl/openssl.cnf and change the default_days = 365 line to a multiple of 365, e.g. 1095 for a three-year lifespan.

To generate your own CA, run the command below. At the prompts, enter appropriate information for your organization.

The CA.pl script prompts you to complete various fields of your CA certificate. You do not need to fill in every field, but the Common Name field is required.

$ /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.................................++++++
.++++++
unable to write 'random state'
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Scotland
Locality Name (eg, city) []: Glasgow
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Canonical Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: Landscape Team
Email Address []: landscape-team@

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./landscapeCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            81:8e:d1:97:fb:37:a6:13
        Validity
            Not Before: Apr  6 09:59:48 2009 GMT
            Not After : Apr  4 09:59:48 2019 GMT
        Subject:
            countryName               = GB
            stateOrProvinceName       = Scotland
            organizationName          = Canonical Ltd
            commonName                = Landscape Team
            emailAddress              = landscape-team@
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                3C:46:88:54:12:86:9C:32:B8:B3:A4:D6:F5:F3:45:F8:D4:58:C7:A1
            X509v3 Authority Key Identifier: 
                keyid:3C:46:88:54:12:86:9C:32:B8:B3:A4:D6:F5:F3:45:F8:D4:58:C7:A1
                DirName:/C=GB/ST=Scotland/O=Canonical Ltd/CN=Landscape Team/emailAddress=landscape-team@canonical.com
                serial:81:8E:D1:97:FB:37:A6:13

            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Apr  4 09:59:48 2019 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'

You now have a private key and a certificate for your new Certificate Authority. If you followed the example above, they are located in:

./demoCA/private/cakey.pem (the CA private key; keep this secret)
./demoCA/cacert.pem (the CA certificate)

Now you need to generate an SSL certificate.

Generate an SSL certificate

$ /usr/lib/ssl/misc/CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
...++++++
.......++++++
unable to write 'random state'
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:<enter the hostname that this machine will be accessed as>
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

Note: The -newreq-nodes part of this command is critical: the -nodes option writes the private key without a passphrase, so Apache can start without prompting for a password.

Sign your certificate

Now you can use your newly created Certificate Authority to sign your SSL certificate.

$ /usr/lib/ssl/misc/CA.pl -signreq
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b0:d8:7c:2b:f7:bc:c8:97
        Validity
            Not Before: Apr  6 11:44:18 2009 GMT
            Not After : Apr  6 11:44:18 2010 GMT
        Subject:
            countryName               = GB
            stateOrProvinceName       = Scotland
            localityName              = Glasgow
            organizationName          = Canonical Ltd
            commonName                = <hostname>
            emailAddress              = <email adddress>
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                D6:3C:32:C0:00:3D:EA:F9:81:78:79:6B:BA:69:F1:B3:BA:3A:3F:47
            X509v3 Authority Key Identifier: 
                keyid:1F:DD:EC:F6:69:C7:02:BA:6A:A7:6E:D0:38:4A:1C:57:24:F3:8A:79

Certificate is to be certified until Apr  6 11:44:18 2010 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Signed certificate is in newcert.pem

You now have three crucial files.

  • newcert.pem: your new SSL certificate, signed by your own non-root trusted CA
  • newkey.pem: the private key for your new SSL certificate
  • demoCA/cacert.pem: the CA certificate

We recommend you rename these files and store them under /etc/ssl, with the private key in /etc/ssl/private:

 $ sudo mv newcert.pem /etc/ssl/certs/<organisation name>.pem
 $ sudo mv newkey.pem /etc/ssl/private/<organisation name>.key
 $ sudo mv demoCA/cacert.pem /etc/ssl/certs/<organisation name>_ca.pem

You must keep these files secure, in particular the CA private key (demoCA/private/cakey.pem) and the server's private key. Anybody with the CA private key can sign certificates that masquerade as your server.
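As an added example (not part of the original page or of the Landscape project), the same three steps carried out with plain openssl commands instead of CA.pl, followed by the checks a practitioner should run before handing the files to Apache. LDS_HOST, LDS_PKI and the "Example Org" subject are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the Landscape documentation: build the CA and the
# CA-signed server certificate with plain openssl commands (the same three
# steps CA.pl performs above), then check the result the way landscape-client
# and Apache will depend on it. LDS_HOST and LDS_PKI are assumed placeholders.
set -eu

LDS_HOST="${LDS_HOST:-landscape.example.internal}"   # constructed hostname
LDS_PKI="${LDS_PKI:-$(mktemp -d)}"                   # output directory

gen_lds_pki() {
    umask 077    # private keys are created owner-readable only
    # Extension profiles: the CA asserts CA:TRUE, the server cert CA:FALSE
    # and names the host that clients will connect to.
    cat > "$LDS_PKI/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$LDS_HOST
EOF
    # Step 1: the CA itself (CA.pl -newca), valid 3650 days as in the output above.
    openssl genrsa -out "$LDS_PKI/ca.key" 2048 2>/dev/null
    openssl req -new -key "$LDS_PKI/ca.key" -config "$LDS_PKI/ext.cnf" \
        -subj "/C=GB/O=Example Org/CN=Example Org Landscape CA" -out "$LDS_PKI/ca.csr"
    openssl x509 -req -in "$LDS_PKI/ca.csr" -signkey "$LDS_PKI/ca.key" -days 3650 -sha256 \
        -extfile "$LDS_PKI/ext.cnf" -extensions v3_ca -out "$LDS_PKI/ca.pem" 2>/dev/null
    # Step 2: server key without passphrase (-nodes) and a CSR whose CN is the hostname.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$LDS_PKI/server.key" \
        -config "$LDS_PKI/ext.cnf" -subj "/C=GB/O=Example Org/CN=$LDS_HOST" \
        -out "$LDS_PKI/server.csr" 2>/dev/null
    # Step 3: sign the CSR with the CA (CA.pl -signreq), valid 365 days.
    openssl x509 -req -in "$LDS_PKI/server.csr" -CA "$LDS_PKI/ca.pem" -CAkey "$LDS_PKI/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$LDS_PKI/ext.cnf" -extensions v3_server \
        -out "$LDS_PKI/server.pem" 2>/dev/null
}

# Returns 0 only if the files are usable by Apache and will be trusted by a
# client that was bootstrapped with ca.pem.
check_lds_cert() {
    ca="$LDS_PKI/ca.pem"; crt="$LDS_PKI/server.pem"; key="$LDS_PKI/server.key"
    # The chain check landscape-client performs against its configured CA.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
    # The CN must be the hostname in the client URL (and Apache's ServerName).
    openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | grep -qF "CN=$LDS_HOST" || return 1
    # The server certificate must not itself be usable as a CA.
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:FALSE' || return 1
    # The key must be unencrypted (Apache starts unattended) and owner-only readable.
    ! grep -q ENCRYPTED "$key" || return 1
    case "$(ls -l "$key")" in -??-------*) ;; *) return 1 ;; esac
    # The key and the certificate must belong together.
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = "$(openssl x509 -in "$crt" -noout -pubkey)" ]
}

if command -v openssl >/dev/null 2>&1; then
    gen_lds_pki
    check_lds_cert && echo "OK: $LDS_PKI/server.pem chains to ca.pem for $LDS_HOST"
fi
```

Run it with LDS_HOST set to the DNS name clients will use; ca.pem is the file to distribute to clients, server.pem and server.key go to Apache.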

PostgreSQL

Database Users

Landscape requires two PostgreSQL users: "landscape" and "landscape_maintenance". These users have different permissions, and the names of the users are hard-coded into the Landscape schema.

The Landscape database setup script creates these users if they don't exist (if it can), and it generates random passwords for them. The passwords for these generated users are securely stored in /etc/landscape/server.conf.

If you install PostgreSQL on a different server from the Landscape servers, the following packages must be installed on the Database server:

  • postgresql-8.4
  • python-smartpm
  • postgresql-plpython-8.4

To install these packages use:

$ sudo apt-get install postgresql-8.4 python-smartpm postgresql-plpython-8.4

Landscape can use either "ident" authentication or password authentication. We do not recommend using "ident" authentication between servers.

You can create the two landscape users yourself with the following commands:

  $ sudo su postgres -c "createuser --no-createdb --no-createrole --no-superuser --pwprompt landscape"
  $ sudo su postgres -c "createuser --no-createdb --no-createrole --no-superuser --pwprompt landscape_maintenance"

If you do not create the users, the database setup script will attempt to create them automatically, and it assigns a random password to the users.

Configure PostgreSQL

To configure PostgreSQL for password authentication, edit the client authentication file:

sudo vi /etc/postgresql/8.4/main/pg_hba.conf

And add the following lines (the first covers Unix-socket connections, the second TCP connections from the given IP_Address/Netmask):

local all landscape,landscape_maintenance md5
host  all landscape,landscape_maintenance <IP_Address/Netmask> md5

For local database setups, the IP_Address/Netmask can be 127.0.0.1/32. For split database and Landscape server setups, configure it for your local network.

If you want to split the database and LDS servers you need to configure PostgreSQL to listen on network interfaces other than localhost.

$ vi /etc/postgresql/8.4/main/postgresql.conf

Modify listen_addresses to reflect the IP address or hostname that you want PostgreSQL to listen on; see the PostgreSQL documentation for further information.

If you want the setup-landscape-database script to work, you need to do one of two things:

  • Grant password authentication to the postgres user
  • Provide a username / password combination that can create users and databases.

After modifying pg_hba.conf, reload the service to apply the changes; a change to listen_addresses in postgresql.conf only takes effect after a full restart:

$ sudo /etc/init.d/postgresql-8.4 reload

Rabbit MQ

You must install RabbitMQ as a dependency of the landscape-server package.

We use RabbitMQ for interprocess communication in Landscape, and it must be configured correctly to allow the Landscape processes to communicate. In the add_user command below, the second "landscape" is the password of the RabbitMQ user; choose a stronger value for any installation that is not a test system.

 $ sudo rabbitmqctl add_user landscape landscape
 $ sudo rabbitmqctl add_vhost landscape
 $ sudo rabbitmqctl set_permissions -p landscape landscape "" ".*" ".*"

Install the Package

< insert screenshot of each stage of debconf with an explanation of the prompted-for information >

Setting up the Landscape database schema

<Running and troubleshooting the setup-landscape-database script>

Configuring Apache httpd

Landscape uses several Apache httpd modules:

  • proxy_http
  • rewrite
  • ssl
  • headers
  • deflate

To enable httpd modules on Ubuntu servers, use "a2enmod". Unfortunately each module has to be enabled with a separate a2enmod invocation.

We recommend that you configure SSL and non-SSL virtualhosts on the machine, and have the non-SSL virtualhost only redirect users to the SSL-enabled hostname.

Sample Apache httpd configuration file

Please read the inline comments on the configuration entries in this file.

NameVirtualHost *:80
<VirtualHost *:80>

    # This Hostname is the HTTP/1.1 hostname that users and Landscape clients will access
    # It must be the same as your SSL Certificate's CommonName
    # And the DNS Hostname for this machine
    # It is not recommended that you use an IP address here...
    ServerName <hostname>
    ServerAdmin webmaster@<hostname>
    ErrorLog /var/log/apache2/landscape.error-log
    CustomLog /var/log/apache2/landscape.access-log combined
    DocumentRoot /opt/canonical/landscape/apacheroot
    # Set a Via header in outbound requests to the proxy, so proxied apps can
    # know who the actual client is
    ProxyVia on
    ProxyTimeout 10

    <Directory "/">
      Options +Indexes
      Order deny,allow
      Allow from all
      ErrorDocument 403 /static/offline/unauthorized.html
      ErrorDocument 404 /static/offline/notfound.html
    </Directory>

    Alias /packages /opt/canonical/landscape/packages
    Alias /static /opt/canonical/landscape/landscape/src/canonical/static

    <Directory "/opt/canonical/landscape/packages">
        Order allow,deny
        Allow from all
    </Directory>
    <Location "/packages">
        Order allow,deny
        Allow from all
    </Location>
    <Location "/icons">
        Order allow,deny
        Allow from all
    </Location>
    <Location "/ping">
        Order allow,deny
        Allow from all
    </Location>

    <Location "/message-system">
        Order allow,deny
        Allow from all
    </Location>

    RewriteEngine On

    # The Landscape Ping Server runs on port 8082
    RewriteRule ^/ping$ http://localhost:8082/ping [P]

    RewriteCond %{REQUEST_URI} !/server-status
    RewriteCond %{REQUEST_URI} !/icons
    RewriteCond %{REQUEST_URI} !/static
    RewriteCond %{REQUEST_URI} !/packages
    RewriteCond %{REQUEST_URI} !/handle_messages
    RewriteCond %{REQUEST_URI} !/message-system

    # Replace the <hostname> with the DNS hostname for this machine.
    # If you change the port number that Apache is providing SSL on, you must change the 
    # port number 443 here.
    RewriteRule ^/(.*) https://<hostname>:443/$1 [R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName <hostname>
    ServerAdmin webmaster@<hostname>

    ErrorLog /var/log/apache2/landscape.error-log
    CustomLog /var/log/apache2/landscape.access-log combined

    DocumentRoot /opt/canonical/landscape/apacheroot

    SSLEngine On
    SSLCertificateFile <enter the path to your SSL .crt file>
    SSLCertificateKeyFile <enter the path to your SSL .key file>
    # If your certificate came with a chain file, or was signed by your own
    # self-signed CA as described above, uncomment the line below.
    # SSLCertificateChainFile <enter the path to your SSL chain file or _ca.pem file>

    <Directory "/">
      Options -Indexes
      Order deny,allow
      Allow from all
      ErrorDocument 403 /static/offline/unauthorized.html
      ErrorDocument 404 /static/offline/notfound.html
    </Directory>

    <Location "/ajax">
      Order allow,deny
      Allow from all
    </Location>

    Alias /config /opt/canonical/landscape/apacheroot
    Alias /hash-id-databases /opt/canonical/landscape/hash-id-databases

    ProxyRequests off
    <Proxy *>
       Order deny,allow
       Allow from all
       ErrorDocument 403 /static/offline/unauthorized.html
       ErrorDocument 500 /static/offline/exception.html
       ErrorDocument 502 /static/offline/unplanned-offline.html
       ErrorDocument 503 /static/offline/unplanned-offline.html
    </Proxy>

    ProxyPass /robots.txt !
    ProxyPass /favicon.ico !
    ProxyPass /static !

    ProxyPreserveHost on

    RewriteEngine on
    RewriteRule ^/.*\+\+.* / [F]

    # We have two Landscape servers, one running on port 8080 and the other on
    # port 8081
    # Port 8080 is the Web-UI for users, port 8081 is the message server.

    # Replace the <hostname> with the DNS hostname for this machine.
    # If you change the port number that Apache is providing SSL on, you must change the 
    # port number 443 here.
    RewriteRule ^/message-system http://localhost:8081/++vh++https:<hostname>:443/++/message-system [P]

    RewriteRule ^/ajax http://localhost:9090/ [P]
    RewriteCond %{REQUEST_URI} !/robots.txt
    RewriteCond %{REQUEST_URI} !/favicon.ico
    RewriteCond %{REQUEST_URI} !/static
    RewriteCond %{REQUEST_URI} !/config
    RewriteCond %{REQUEST_URI} !/hash-id-databases

    # Replace the <hostname> with the DNS hostname for this machine.
    # If you change the port number that Apache is providing SSL on, you must change the 
    # port number 443 here.
    RewriteRule ^/(.*) http://localhost:8080/++vh++https:<hostname>:443/++/$1 [P]


    <Location /handle_messages>
      Order allow,deny
      Deny from all
    </Location>

    <Location /message-system>
      Order allow,deny
      Allow from all
    </Location>

    <Location />
        # Insert filter
        SetOutputFilter DEFLATE

        # Don't compress images or .debs
        SetEnvIfNoCase Request_URI \
        \.(?:gif|jpe?g|png|deb)$ no-gzip dont-vary

        # Make sure proxies don't deliver the wrong content
        Header append Vary User-Agent env=!dont-vary
    </Location>

</VirtualHost>

PAM Setup

If you want to use Pluggable Authentication Modules (PAM) to authenticate users in your new Landscape server you must create the file /etc/pam.d/landscape with the appropriate PAM configuration.

The simplest possible file is:

#%PAM-1.0
auth    required pam_permit.so
account required pam_permit.so

Do NOT use this PAM setup in a production environment.

It allows any user to log in without validating the password.

We have tested PAM authentication against an LDAP server running on Ubuntu, and against Windows AD authentication.

If you use PAM to authenticate, the user details stored in Landscape are associated with the PAM identity supplied.

For more information on PAM authentication, see the PAM Tutorial.

Enable Landscape Services

Now you need to modify /etc/default/landscape-server:

 $ sudo vi /etc/default/landscape-server

and change all of the start_ service entries to "yes".

You can now either start all the services manually, or restart the machine.

After you install

Now that you've completed your Landscape installation you should create the initial user. If you plan to use PAM authentication, please set this up first.

Now visit https://<servername>/new-standalone-user. If you have configured PAM, then you need to visit https://<servername>/new-pam-user.

This creates an initial user in the system. This initial user is automatically added to the LDS "standalone" account.

Automatic Client Registration

If you visit

https://<servername>/account/standalone/edit you can set a registration password, which new clients must provide to the server when they register.

If this value is set, LDS automatically accepts new computer registrations.

You can register your first client with your new Landscape server.

$ sudo landscape-config --computer-title "My First Computer" --account-name standalone --registration-password <insert password here> --url https://<servername>/message-server --ping-url http://<servername>/ping

NOTE: The ping server uses an HTTP connection, not an HTTPS connection.

Your Landscape client should now register with Landscape and begin uploading client data; this takes some time.

Use Bootstrap.conf

The above assumes that the SSL certificate used by Apache is trusted by the SSL implementation on the client. If this is not the case, you need to bootstrap the Landscape client with the CA certificate from the server.

You can wget a copy of the Bootstrap configuration file from your LDS server. Note that --no-check-certificate disables TLS verification for this download, so confirm that the CA embedded in the file matches the one on your server before importing it:

 $ wget --no-check-certificate https://<myserver>/config/bootstrap.conf

This file contains something like:

[client]
account_name = standalone
url = https://<myserver>/message-system
ping_url = http://<myserver>/ping
ssl_public_key = base64:Q2VydGlmaWNhdGU6CiAgICBEYXRhOgogI
 CAgICAgIFZlcnNpb246IDMgKDB4MikKICAgICAgICBT
 ZXJpYWwgTnVtYmVyOgogICAgICAgICAgICBmYzoxM
 zoxYTpmZDowYTo1ZDozYzo2MwogICAgICAg
 ...

You can use this file to configure your client like this:

 $ sudo landscape-config \
    --computer-title "My Web Server" \
    --import bootstrap.conf
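An added example, not from the original page or from Landscape: a script that checks the CA embedded in a downloaded bootstrap.conf against a fingerprint obtained out of band before the file is imported. The WORK directory, the lds.example.internal hostname and the sample CA are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the Landscape documentation: check a bootstrap.conf
# fetched with --no-check-certificate before importing it. The CA embedded in
# ssl_public_key is decoded and its SHA-256 fingerprint is compared with one
# obtained out of band (for example from the server's own _ca.pem).
# A throwaway CA and bootstrap.conf are constructed here so the script runs offline.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory

# Pull the base64 payload out of ssl_public_key, joining the indented
# continuation lines the file uses, decode it and keep only the PEM block.
extract_bootstrap_ca() {   # $1 = bootstrap.conf, $2 = output PEM file
    awk '/^ssl_public_key[ \t]*=/ { sub(/^[^=]*=[ \t]*base64:/, ""); printf "%s", $0; on = 1; next }
         on && /^[ \t]/            { gsub(/[ \t]/, ""); printf "%s", $0; next }
         on                        { on = 0 }' "$1" \
      | openssl base64 -d -A \
      | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' > "$2"
}

# SHA-256 fingerprint of the first certificate in a PEM file, e.g. AB:CD:...
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Returns 0 if the CA shipped in bootstrap.conf matches the expected fingerprint.
verify_bootstrap_conf() {   # $1 = bootstrap.conf, $2 = expected fingerprint
    extract_bootstrap_ca "$1" "$WORK/bootstrap-ca.pem"
    [ -s "$WORK/bootstrap-ca.pem" ] || return 1
    [ "$(fingerprint "$WORK/bootstrap-ca.pem")" = "$2" ]
}

# Constructed sample: a throwaway CA and a bootstrap.conf that embeds it in the
# same layout as the file shown above (openssl -text output, base64, folded).
make_sample() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = Sample LDS CA\n' > "$WORK/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    payload=$(openssl x509 -in "$WORK/ca.pem" -text | openssl base64 -A)
    {
        echo "[client]"
        echo "account_name = standalone"
        echo "url = https://lds.example.internal/message-system"
        echo "ping_url = http://lds.example.internal/ping"
        echo "$payload" | fold -w 60 | sed '1s/^/ssl_public_key = base64:/; 2,$s/^/ /'
    } > "$WORK/bootstrap.conf"
}

if command -v openssl >/dev/null 2>&1; then
    make_sample
    expected=$(fingerprint "$WORK/ca.pem")   # in practice: obtained from the admin
    if verify_bootstrap_conf "$WORK/bootstrap.conf" "$expected"; then
        echo "bootstrap.conf CA matches $expected; safe to --import"
    else
        echo "bootstrap.conf CA does NOT match the expected CA; do not import it" >&2
    fi
fi
```

On a real client, replace make_sample with the downloaded file and obtain the expected fingerprint from the server with openssl x509 -fingerprint -sha256 on the _ca.pem file.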

Configure Landscape to talk to UEC

See the Community Documentation

Upgrade the Package

Before upgrading, back up the PostgreSQL database; see http://www.postgresql.org/docs/8.4/static/backup.html

The Landscape database setup script which creates the schema also upgrades the schema to the newer format, including migrating any changed data.

Changes to support Landscape and UEC controllers on the same host

 To be completed 

I've got something else running on port 8080 (or 8081)

 To be completed 

My setup requires SMTP authentication

<Cover editing /opt/canonical/landscape/configs/standalone/site.zcml>

  <mail:smtpMailer
      name="landscape-smtp" hostname="localhost" port="25"
      username="<insert username>" password="<insert password>" />

LDS/InstallationElaineEdit (last edited 2018-03-01 16:27:48 by alexmoldovan)