Directions for installing and setting up the components of the
NET-POLICY management application.  Some of this needs to be done on
the management server, and some on the Linux nodes to be managed.  The
steps are marked as "[server]" and "[client]" respectively.

----------------------------------------------------------------------
INSTALLING THE PRE-REQUISITE SOFTWARE
----------------------------------------------------------------------

0) Check the ERRATA document on our web site, to see if there have
   been any problems found since the last release.

1) Make sure the following software packages are installed on your
   system:

   a) [server] Apache with:
        mod_ssl (The information being sent over the web interface is
                 highly sensitive).
        a username/password login to cover the net-policy project
        pages.

   b) [server] MySQL
        - Start the mysql server if not running.
        - Set up a user and password that has permission to do just
          about everything.  We'll refer to this user/password later
          as SQLUSER/SQLPASS.  Section 6 of the mysql manual discusses
          setting up privileges for users.  Here is a simple example:

          # mysql --user=root mysql
          mysql> GRANT ALL PRIVILEGES ON *.* TO SQLUSER@localhost
                 IDENTIFIED BY 'SQLPASS' WITH GRANT OPTION;

   c) [server] MySQL++
        - FYI, this requirement is likely to go away in the future, as
          we've found MySQL++ to be extremely flaky with respect to
          error handling.

   d) [server] Perl with the following modules (FYI, *s are available
      as redhat rpms):
        * mod_perl
        * DBI
        - Apache::DBI (optional, but increases speed)
        * DBD::mysql  (mysql server must be running to install tests)
        - DBD::File   (XXX: may not be needed anymore... ???)
        - CGI         (comes with most recent versions of perl)

      For a few ways to figure out what perl modules you already have
      installed, visit this URL:

      To install via perl instead of RPMs (as root):

        # perl -MCPAN -e shell
        cpan> o conf prerequisites_policy ask
        cpan> install

   e) [server] libsmi ( )

   f) [server] OpenSNMP
        - get version 0.3.5 or better from:
          (and follow the INSTALL file for it for other prerequisites)

2) [client and server] net-snmp and the perl modules it provides.
     - get the Net-SNMP 5.0.7 source code ( ) or the main line source
       tree from cvs ( )

     Compile and install net-snmp:

       cd net-snmp
       ./configure --with-perl-modules --enable-shared
       make
       make install    (as root)

3) [client] get the iptables source code (if you already have an
   existing iptables binary, get the source to match.  'iptables
   --version' should tell you what version your binary is).  The
   source code is available from

----------------------------------------------------------------------
INSTALLING THE SOFTWARE
----------------------------------------------------------------------

1) [server] Install the net-policy manager (this directory):

   1a) [server] Install the software:

         ./configure
         make
         make install    (as root)

   1b) [server] Configure apache by editing its httpd.conf file to
       include the following lines (replacing SQLUSER and SQLPASS
       with the values from step 1):

         #
         # keep database connections alive
         #
         PerlModule Apache::DBI

         #
         # the NET-POLICY configuration manager
         #
         SetHandler perl-script
         PerlHandler NetPolicy::htmlmanager
         PerlSetVar sql_user SQLUSER
         PerlSetVar sql_pass SQLPASS

       NOTE: it is highly recommended that you install mod_ssl and add
       appropriate access control and encryption to your apache web
       server for this interface.
       XXX: describe how to do this

2) [client] Install the np- versions of the Cerberus and PlutoPlus
   software.
   Get these from:

   2a) [client] building cerberus:

       REDHAT NOTE: you need to first link
       /usr/src/linux/configs/kernel-VERSION-i686.config to
       /usr/src/linux/.config for this to work:

         # ln -s /usr/src/linux/configs/kernel-VERSION-i686.config \
                 /usr/src/linux/.config

       NOTE: when running configure use full paths for --with-iptables
       and --with-linux-src.  Don't use ../something_or_other.

         cd np-cerberus/net/ipsec
         ./configure --with-linux-src=/usr/src/linux \
                     --with-iptables=/path/to/iptables-src
         make
         make install    (as root)

       load the modules on each client [upcoming releases will have
       installed rc.d scripts to do this automatically for you]:

         ./load

   2b) [client] building np-plutoplus:

         cd np-plutoplus
         ./configure --with-cerberus=/usr/local/src/np-cerberus \
                     --with-iptables=/path/to/iptables-src
         make
         make install

       run it on each client:

       [make sure snmpd is running first and the appropriate SNMPv3
        users have been created.  See the Net-SNMP documentation for
        details on commands like:
        net-snmp-config --create-snmpv3-user]

         np-plutoplus

----------------------------------------------------------------------
SETTING UP THE DATABASE
----------------------------------------------------------------------

[if you ever want to wipe out the Net-Policy data and start from
 scratch without reinstalling everything, just run these steps again,
 but add the -x flag to the np-setup script arguments in step 1 (this
 will make it remove the contents of the existing database first).]

1) [server] Run "np-setup -u SQLUSER -p SQLPASS -M"

   This command will create a 'netpolicy' database in the mysql server
   and a bunch of tables used by it.  You should probably add some of
   the following arguments as well:

     -U USER   Set the default SNMPv3 user to use when talking with
               clients.
     -A PASS   Set the default SNMPv3 Authentication password to use.
     -X PASS   Set the default SNMPv3 Privacy password to use.
     -P PASS   Set the default SNMPv3 Authentication & Privacy
               password to use (same as -A PASS -X PASS).
   These arguments allow you to set the default authentication
   mechanisms used by the SNMPv3 manager such as the default username
   and passphrase(s).

   FYI, the -M flag above runs this:

     np-setupMIBtables -u SQLUSER -p SQLPASS

----------------------------------------------------------------------
RUNNING THE DAEMONS
----------------------------------------------------------------------

1) [server] Copy Net-Policy image files to your html directory:

     $ cp html/ /images/

2) [server] start the np-datad and np-distd daemons:

     np-datad -u SQLUSER -p SQLPASS &
     np-distd -u SQLUSER -p SQLPASS &

   [these should probably be given appropriate startup scripts]

3) go to your web page and do stuff!  (see the tutorial for examples.
   Check for the most recent documentation)

----------------------------------------------------------------------
FINAL NOTES
----------------------------------------------------------------------

1) If you are having shared library problems that look something like
   this:

     cannot open shared object file: No such file or directory

   make sure that the loader can find them.  You can do this by adding
   the directory for the library to /etc/, and then running ldconfig.
   The default directory for net-snmp is /usr/local/lib.

     # echo "/usr/local/lib" >> /etc/
     # ldconfig

   All the pre-requisite software you have just installed might have
   their own library directories.  BerkeleyDB and openssl are two
   packages, for example, that don't install libraries into standard
   paths.
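
Added example (not part of the Net-Policy distribution) for the mod_ssl
and access-control NOTE in step 1b of INSTALLING THE SOFTWARE: one way
to serve the manager handler only over SSL and behind a
username/password login.  The /netpolicy location, the server name and
all file paths are placeholders assumed for illustration.

```apache
# Added example, not from the Net-Policy distribution.
# Assumed placeholders (replace with your own values):
#   /netpolicy                     URL path of the manager (hypothetical)
#   np.example.org                 name of the management server
#   /etc/httpd/conf/ssl/np-*.pem   server certificate and private key
#   /etc/httpd/conf/np-htpasswd    password file created with htpasswd

#
# keep database connections alive
#
PerlModule Apache::DBI

# Define the handler only inside the SSL virtual host, so there is no
# plain-HTTP route to the manager at all.
<VirtualHost _default_:443>
    ServerName np.example.org

    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl/np-cert.pem
    SSLCertificateKeyFile /etc/httpd/conf/ssl/np-key.pem

    #
    # the NET-POLICY configuration manager
    #
    <Location /netpolicy>
        SetHandler perl-script
        PerlHandler NetPolicy::htmlmanager
        PerlSetVar sql_user SQLUSER
        PerlSetVar sql_pass SQLPASS

        # Refuse any request that did not arrive over SSL, even if this
        # block is later copied into a non-SSL virtual host.
        SSLRequireSSL

        # Username/password login covering the net-policy pages.
        AuthType Basic
        AuthName "Net-Policy manager"
        AuthUserFile /etc/httpd/conf/np-htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Create the password file with "htpasswd -c /etc/httpd/conf/np-htpasswd
USERNAME" and keep it outside the document root; because httpd.conf
holds SQLPASS in clear text, make it readable by root only.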