Install Sec@GW

Install Operating system

• Supported OS versions: EL9
• Select minimal software packages.
• Create /server partition that has appropriate amount of diskspace, most of data is saved on this partition.

Install the Sec@GW software

Create a pre-configuration

You must have certain configuration values at hand to create the pre-configuration. Copy and paste the below tables into, for example, a Notepad file and fill in the value data.

Table 1 Required values

Table 2 Optional values

1. To get values from environment, run the following commands.

   <node_nmask> and <nodeip> and <node_interface>

   ifconfig

   <node_gw>

   route -n

   <dns_server_ip> and <dns_server_ip2>

   cat /etc/resolv.conf

   NOTE. If there is only one name server available, enter the same IP address for both ip1 and ip2.

Install the software

NOTE 1. The installation script changes the hostname. If you want to keep the same name, write it down so that you can change it back after installation.

NOTE 2. The installation script changes what processes start on server restart. If you need other services to start on restart, after installation.

1. Update all packages:

   yum update -y

2. Check that correct packages are installed

   yum install -y --skip-broken cronie-anacron apr apr-util attr audit aide audit-libs basesystem bash bc binutils bzip2 bzip2-devel bzip2-libs chkconfig coreutils cpio cpp cracklib cracklib-dicts crontabs dbus dbus-devel dbus-glib dbus-libs python3-dbus device-mapper device-mapper-multipath diffstat diffutils dmidecode dos2unix dosfstools e2fsprogs e2fsprogs-devel e2fsprogs-libs ed elfutils elfutils-libelf elfutils-libelf-devel elfutils-libs ethtool expat expat-devel file filesystem findutils fontconfig-devel gawk gcc gdbm gdbm-devel glib2 glib2-devel glibc glibc-common glibc-devel glibc-headers gmp gmp-devel gnupg2 grep gzip hdparm info initscripts iproute iptables iptstate iputils irqbalance kbd kernel kernel-headers keyutils-libs keyutils-libs-devel kpartx krb5-devel krb5-libs krb5-workstation less libpng-devel logrotate lsof lvm2 mailcap make man-db man-pages mcstrans mdadm microcode_ctl kmod nano ncurses ncurses-devel net-tools nspr nspr-devel nss nss-devel openssh openssh-clients openssh-server openssl openssl-devel pam pam-devel passwd patch pcre perl-DBD-MySQL perl-devel perl-ExtUtils-MakeMaker perl-ExtUtils-ParseXS perl-Test-Harness policycoreutils popt postfix procps-ng psmisc python3 python3-iniparse python3-dateutil readline readline-devel redhat-logos redhat-rpm-config rootfiles rpm rpm-build rpm-devel rpm-libs python3-rpm rsync sed setup shadow-utils sqlite sqlite-devel sudo symlinks sysstat tar tcpdump telnet time tmpwatch traceroute tree tzdata systemd unzip usermode util-linux vim-common vim-minimal wget which yum zip zlib zlib-devel expect httpd mod_ssl mariadb perl postfix wget bind-utils gd gcc-c++ perl-libwww-perl libstdc++ fontconfig-devel libpng-devel liberation-serif-fonts selinux-policy selinux-policy-targeted setroubleshoot-server perl-XML-LibXML rng-tools lzop rsyslog-gnutls perl-JSON setools-console checkpolicy libgpg-error-devel perl-Module-Build python3-lxml gd-devel perl-Locale-Codes perl-Sys-Syslog mariadb-server mariadb-devel mariadb-connector-c-devel mod_security libgcrypt libgcrypt-devel libsysfs libdb-devel libfontenc ttmkfdir xorg-x11-font-utils xorg-x11-fonts-Type1 xorg-x11-fonts-75dpi ghostscript rsync-daemon qpdf-libs qpdf mariadb-server-utils lzo glibc-langpack-en glibc-langpack-fi glibc-langpack-sv glibc-langpack-nb glibc-langpack-da glibc-langpack-ru glibc-langpack-et glibc-langpack-lv glibc-langpack-lt glibc-langpack-de ipcalc libnsl2

3. Download Sec@GW installation packages to the server:

   wget https://193.184.14.151/el9/SecAtGW-cdrom-3.16.0-1.el9.noarch.rpm --no-check-certificate
   wget https://193.184.14.151/el9/SecAtGW-perl_modules-3.16.0-1.el9.noarch.rpm --no-check-certificate

4. Install the SecAtGW-perl_modules and SecAtGW-cdrom RPM packages:

   rpm -ivh SecAtGW-perl_modules* SecAtGW-cdrom*

5. Run the software installer script:

   cd /root/cdrom/; chmod 750 -R *; perl install.pl

   General Settings
   =========================
   Enter total number of nodes: 1
   Enter node (1 or 2): 1
   Enter company name: <company>
   Enter FQDN: <fqdn>
   Enter maildomains: <maildomains>
   Enter Gateway IP: <node_gw>
   Enter cluster ip: <node_ip>
   Enter this server's node ip: <node_ip>
   Enter this server's local ip: 127.0.0.1
   Enter node netmask: <node_nmask>
   Enter local netmask: 255.255.255.0
   Enter primary DNS server IP: <dns_server_ip>
   Enter secondary DNS server IP: <dns_server_ip2>
   Enter SMTP gateway: <smtp_gw_ip>
   Enter Master interface (ex. ens3:0 or eth0:0): <node_interface>
   Enter node interface (ex. ens9 or eth1): lo
   Enter master instance (ex. deltagon): <instance>
   STIV instance(0 or 1): <0 if not installing TL IV environment>
   
   Add xxx.xxx.xxx.xxx nftables for SSH? (Type yes to add xxx.xxx.xxx.xxx OR give IP-address OR press ENTER for nothing):
   
   S/MIME & SSL Settings
   =========================
   Enter country code XX (ex. FI):
   Enter state or providence (ex. Uusimaa):
   Enter city:
   Enter unit (ex IT):
   Enter email: leave blank by pressing enter
   
   Run system hardening y/n: y
   Install CRM y/n: n
   Enable IPv6 support y/n: n
   

6. Before the first reboot, complete the following steps.

• Check /etc/NetworkManager/system-connections/ that your configurations for network interface are correct.

• If the server is running AWS Firewall, AWS tools need to be enabled, go through the following steps.

  Add following 2 lines to /etc/sysconfig/nftables.conf

  #AWS cloud processes
  add rule filter OUTPUT ip daddr 169.254.169.254 tcp dport 80 meta skuid root ct state new accept

  Enable needed services for AWS

  systemctl enable cloud-config
  systemctl enable cloud-final
  systemctl enable cloud-init-local
  systemctl enable cloud-init

• If the server is running Azure Firewall, Azure tools need to be enabled, go through the following changes.

  Add following 2 lines to /etc/sysconfig/nftables.conf

  #Azure cloud processes
  add rule filter OUTPUT ip daddr 168.63.129.16 tcp dport {80,443,32526} ct state new accept

  Enable needed services for Azure

  systemctl enable waagent
  systemctl enable waagent-network-setup

1. Reboot the server:

   reboot

2. Create a new instance:

   /root/cdrom/install_instance.pl

Step result:

Do you want to reboot now (1 or 0): 1

1. Run the following script after server has restarted to finish the installation.

   /root/cdrom/after_install.pl

Step result:

Do you want to reboot now (1 or 0): 1

1. After the installation was successfully completed, remove the installation media by running the following command.

   rm -f SecAtGW-cdrom-*.rpm SecAtGW-perl_modules-*.rpm

   Note. If amavisd_init.out.sh does not start after the installation process, configure myhostname to match your <fqdn> value on /etc/amavisd.out.conf.

   $myhostname = '<fqdn>';

   Tip. If you want that D-Center runs on a different IP address than the other Sec@GW components, run the following commands.

   nmcli con mod <interface_adapter> +ipv4.addresses <new_dcenter_IP_address>/<dcenter_netmask>
   nmcli connection reload
   nmcli device reapply <interface_adapter>
   perl /opt/Sec@GW/admin_tools/lib/dcenteraddresschange.pl <instance> <new_dcenter_IP_address> <dcenter_port>

   The port number is usually 443. If you changed the D-Center IP address by doing the previous changes, you must make the corresponding changes to nftables.

   nano /etc/opt/Sec@GW/nftables/instance-rules/global_https_rules
   
   add rule filter INPUT ip saddr 0/0 ip daddr <new_dcenter_IP_address> tcp dport <dcenter_port> ct state new,established accept

   Check from /etc/httpd/conf.d/<instance>_admin.conf that there is “Allow from” only from necessary networks.

   Afterwards restart both nftables and httpd.

What's next?

After you installed Sec@GW, you can move on to install Secure Mail 2024.