Directions for installing and setting up the components of the
NET-POLICY management application.

Some of this needs to be done on the management server, and some on
the Linux nodes to be managed.  The steps are marked "[server]" and
"[client]" respectively.

----------------------------------------------------------------------
INSTALLING THE PRE-REQUISITE SOFTWARE
----------------------------------------------------------------------

0) Check the ERRATA document on our web site, to see if there have
   been any problems found since the last release.

      http://net-policy.sourceforge.net/ERRATA

1) Make sure the following software packages are installed on your
   system:

   a) [server] Apache with:
      - mod_ssl (the information being sent over the web interface
        is highly sensitive).
      - a username/password login protecting the net-policy project
        pages.

   b) [server] MySQL
      - Start the mysql server if it is not running.
      - Set up a user and password that has permission to do just
        about everything.  We'll refer to this user/password later
        as SQLUSER/SQLPASS.  Section 6 of the mysql manual discusses
        setting up privileges for users.  Here is a simple example:

         # mysql --user=root mysql
         mysql> GRANT ALL PRIVILEGES ON *.* TO SQLUSER@localhost
                IDENTIFIED BY 'SQLPASS' WITH GRANT OPTION;

   c) [server] MySQL++
      - FYI, this requirement is likely to go away in the future, as
        we've found MySQL++ to be extremely flaky with respect to
        error handling.

   d) [server] Perl with the following modules (FYI, *s are available
      as redhat rpms):

         * mod_perl
         * DBI
         - Apache::DBI (optional, but increases speed)
         * DBD::mysql (mysql server must be running to install tests)
         - DBD::File (XXX: may not be needed anymore... ???)
         - CGI (comes with most recent versions of perl)

      For a few ways to figure out what perl modules you already have
      installed, visit this URL:

         http://www.cpan.org/misc/cpan-faq.html#How_installed_modules

      To install via perl instead of RPMs (as root):

         # perl -MCPAN -e shell
         cpan> o conf prerequisites_policy ask
         cpan> install

   e) [server] libsmi ( ftp://ftp.ibr.cs.tu-bs.de/pub/local/libsmi/ )

   f) [server] OpenSNMP
      - get version 0.3.5 or better from:
        http://opensnmp.sourceforge.net/
        (and follow its INSTALL file for other prerequisites)

2) [client and server] net-snmp and the perl modules it provides.
   - get the Net-SNMP 5.0.7 source code
     (http://www.net-snmp.org/download/ ) or the main line source
     tree from cvs (http://www.net-snmp.org/cvs)

   Compile and install net-snmp:

      cd net-snmp
      ./configure --with-perl-modules --enable-shared
      make
      make install  (as root)

3) [client] get the iptables source code (if you already have an
   existing iptables binary, get the source to match;
   'iptables --version' should tell you what version your binary is).
   The source code is available from www.iptables.com.

----------------------------------------------------------------------
INSTALLING THE SOFTWARE
----------------------------------------------------------------------

1) [server] Install the net-policy manager (this directory):

   1a) [server] Install the software:

      ./configure
      make
      make install  (as root)

   1b) [server] Configure apache by editing its httpd.conf file to
       include the following lines (replacing SQLUSER and SQLPASS
       with the values from step 1):

      #
      # keep database connections alive
      #
      PerlModule Apache::DBI

      #
      # the NET-POLICY configuration manager
      #
      SetHandler perl-script
      PerlHandler NetPolicy::htmlmanager
      PerlSetVar sql_user SQLUSER
      PerlSetVar sql_pass SQLPASS

      NOTE: it is highly recommended that you install mod_ssl and add
      appropriate access control and encryption to your apache web
      server for this interface.
      XXX: describe how to do this

2) [client] Install the np- versions of the Cerberus and PlutoPlus
   software.  Get these from:

      http://sourceforge.net/project/showfiles.php?group_id=66232

   2a) [client] building cerberus:

      REDHAT NOTE: you need to first link
      /usr/src/linux/configs/kernel-VERSION-i686.config to
      /usr/src/linux/.config for this to work:

         # ln -s /usr/src/linux/configs/kernel-VERSION-i686.config \
                 /usr/src/linux/.config

      NOTE: when running configure use full paths for --with-iptables
      and --with-linux-src.  Don't use ../something_or_other.

      cd np-cerberus/net/ipsec
      ./configure --with-linux-src=/usr/src/linux \
                  --with-iptables=/path/to/iptables-src
      make
      make install  (as root)

      load the modules on each client [upcoming releases will have
      installed rc.d scripts to do this automatically for you]:

      ./load

   2b) [client] building np-plutoplus:

      cd np-plutoplus
      ./configure --with-cerberus=/usr/local/src/np-cerberus \
                  --with-iptables=/path/to/iptables-src
      make
      make install

      run it on each client:

      [make sure snmpd is running first and the appropriate SNMPv3
      users have been created.  See the Net-SNMP documentation for
      details on commands like:

         net-snmp-config --create-snmpv3-user np-plutoplus
      ]

----------------------------------------------------------------------
SETTING UP THE DATABASE
----------------------------------------------------------------------

[if you ever want to wipe out the Net-Policy data and start from
scratch without reinstalling everything, just run these steps again,
but add the -x flag to the np-setup script arguments in step 1 (this
will make it remove the contents of the existing database first).]

1) [server] Run "np-setup -u SQLUSER -p SQLPASS -M"

   This command will create a 'netpolicy' database in the mysql
   server and a bunch of tables used by it.

   You should probably add some of the following arguments as well:

      -U USER   Set the default SNMPv3 user to use when talking with
                clients.
      -A PASS   Set the default SNMPv3 Authentication password to use.
      -X PASS   Set the default SNMPv3 Privacy password to use.
      -P PASS   Set the default SNMPv3 Authentication & Privacy
                password to use (same as -A PASS -X PASS).

   These arguments allow you to set the default authentication
   mechanisms used by the SNMPv3 manager, such as the default
   username and passphrase(s).

   FYI, the -M flag above runs this:

      np-setupMIBtables -u SQLUSER -p SQLPASS

----------------------------------------------------------------------
RUNNING THE DAEMONS
----------------------------------------------------------------------

1) [server] Copy Net-Policy image files to your html directory:

      $ cp html/net-policy.sm.jpg /images/

2) [server] start the np-datad and np-distd daemons:

      np-datad -u SQLUSER -p SQLPASS &
      np-distd -u SQLUSER -p SQLPASS &

   [these should probably be given appropriate startup scripts]

3) go to your web page and do stuff!  (see the tutorial for examples.
   Check http://net-policy.sourceforge.net/ for the most recent
   documentation)

----------------------------------------------------------------------
FINAL NOTES
----------------------------------------------------------------------

1) If you are having shared library problems that look something like
   this:

      libnetsnmpagent.so.5: cannot open shared object file: No such
      file or directory

   make sure that the loader can find them.  You can do this by
   adding the directory for the library to /etc/ld.so.conf, and then
   running ldconfig.  The default directory for net-snmp is
   /usr/local/lib.

      # echo "/usr/local/lib" >> /etc/ld.so.conf
      # ldconfig

   Each of the pre-requisite packages you have just installed might
   have its own library directory.  BerkeleyDB and openssl are two
   packages, for example, that don't install libraries into standard
   paths.
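
Added example (not part of the NET-POLICY distribution): a shell check
for the httpd.conf edit in step 1b of INSTALLING THE SOFTWARE. It
reports when the file holding sql_pass is world-readable and when the
NetPolicy::htmlmanager stanza lacks mod_ssl enforcement or a login.
The function name np_audit_httpd_conf is hypothetical, and the check
assumes the stanza is wrapped in a <Location> block.

```shell
#!/bin/sh
# Added example, not NET-POLICY code.  Audits an Apache config that
# carries the NetPolicy::htmlmanager stanza.  Prints one finding per
# line and prints nothing when every check passes.
# Assumption: the stanza sits inside a <Location> block.
np_audit_httpd_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    # PerlSetVar sql_pass stores SQLPASS in clear text, so the file
    # should not be readable by "other".
    if grep -qi '^[[:space:]]*PerlSetVar[[:space:]][[:space:]]*sql_pass' "$conf" &&
       [ -n "$(find "$conf" -perm -004)" ]; then
        echo "sql_pass is stored in a world-readable file"
    fi

    # Apache directive names are case-insensitive: compare in lowercase.
    awk '
        function report() {
            if (!np) return
            if (!ssl)  print "NetPolicy <Location> lacks SSLRequireSSL"
            if (!auth) print "NetPolicy <Location> lacks AuthType"
            if (!req)  print "NetPolicy <Location> lacks Require"
        }
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        line ~ /^<location[ \t]/ { inloc = 1; np = ssl = auth = req = 0; next }
        line ~ /^<\/location>/   { report(); inloc = 0; np = 0; next }
        line ~ /^perlhandler[ \t]+netpolicy::htmlmanager/ {
            if (inloc) np = 1
            else print "NetPolicy handler is set outside any <Location> block"
            next
        }
        inloc && line ~ /^sslrequiressl/ { ssl = 1 }
        inloc && line ~ /^authtype[ \t]/ { auth = 1 }
        inloc && line ~ /^require[ \t]/  { req = 1 }
    ' "$conf"
}

# Audit the file named on the command line, if one was given.
if [ "$#" -gt 0 ]; then np_audit_httpd_conf "$1"; fi
```

Run it as root against the httpd.conf you edited; an empty result
means all four checks passed.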