Jump to content

Step by Step Tutorial for installing Eset Remote Administrator & Mobile device connector on a VPS (OpenVZ) with Ubuntu 16.04 64bit with letsencrypt


Recommended Posts

Disclaimers:

Some information has been copied from other forums

I have not tested that renewal of letsencrypt certificate using the bash file is accepted by era and mdc

Suggested configuration for solely running ESET ERA and MDC is 4 cores and 2 GB ram, anything lower runs abysmally slow.

I am currently using this configuration on woothosting (cheapest that I could find)

All commands are assuming clean vps instance as root user with no other applications to be running or to be run in future.

Some components installed may be of no use. I don't know enought to remove them.

Please substitute domain names and passwords with your own.

Please feel to post corrections or better methods of doing what I have already done.

Text in code boxes is to be added/edited in the file opened.

Text in Red are comments to be read carefully

 

Start

sudo apt-get update && apt-get upgrade && apt-get install software-properties-common python-software-properties unixodbc xvfb cifs-utils libqtwebkit4 krb5-user winbind ldap-utils libsasl2-modules-gssapi-mit snmp samba mysql-server nano aptitude default-jdk tomcat7  tomcat7-docs tomcat7-admin
 
 
To Let Tomcat be the ONLY app on the server and use port 80 and 443
-------------------------------------------------------
 
apt-get remove apache2  ((or any other web server like nginx))
nano /etc/default/tomcat7
 
AUTHBIND=yes
 
 
sudo touch /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
sudo chown tomcat7 /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
sudo chmod 500 /etc/authbind/byport/443
sudo chown tomcat7 /etc/authbind/byport/443
 
-------------------------------------------------------
 
 
 
 
Letsencrypt
-------------------------------------------------------
 
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
sudo service apache2 stop
sudo certbot certonly --text --agree-tos --email email@gmail.com --standalone --expand --renew-by-default --manual-public-ip-logging-ok --preferred-challenges http-01 -d domain.com
sudo service apache2 start
sudo mkdir /etc/tomcatcertificate
cd /etc/tomcatcertificate
 
((Bash script for automatic renewal of https certificate from letsencrypt -- untested))
nano letsencrypt.sh
 
#!/bin/bash
cd /etc/tomcatcertificate
echo " -- Cleaning -- "
sudo rm request.csr
sudo rm *.pem
 
echo " -- Stop Services -- "
sudo iptables-save > /etc/iptables.backup
sudo iptables -F -t nat
sudo service tomcat7 stop
sudo service apache2 stop
 
echo " -- Delete Keystore -- "
sudo rm /usr/share/tomcat7/.keystore
 
echo " -- Recreate Keystore -- "
sudo keytool -genkey -noprompt -alias tomcat -dname "CN="domain.com", OU="", O="", L="", S="", C=""" -keystore /usr/share/tomcat7/.keystore -storepass "password" -KeySize 2048 -keypass "password" -keyalg RSA
 
sudo keytool -list -keystore /usr/share/tomcat7/.keystore -v -storepass "password" > key.check
 
echo " -- Build CSR -- "
sudo keytool -certreq -alias tomcat -file request.csr -keystore /usr/share/tomcat7/.keystore -storepass "password"
 
echo " -- Request Certificate -- "
sudo certbot certonly --csr ./request.csr --text --agree-tos --email name@gmail.com --standalone --expand --renew-by-default --manual-public-ip-logging-ok --preferred-challenges http-01 -d domain.com
certbot certonly --standalone -d domain.com -n
 
echo " -- import Certificate -- "
sudo keytool -import -trustcacerts -alias tomcat -file 0001_chain.pem -keystore /usr/share/tomcat7/.keystore -storepass "password"
sudo openssl pkcs12 -inkey /etc/letsencrypt/live/domain.com/privkey.pem -in /etc/letsencrypt/live/domain.com/fullchain.pem -export -out /etc/letsencrypt/live/domain.com/certificate.pfx -password pass:password
 
echo " -- Restart services -- "
sudo service tomcat7 start
sudo service apache2 start
sudo iptables-restore < /etc/iptables.backup
sudo rm /etc/iptables.backup
 
echo " -- Cleaning -- "
sudo rm request.csr
sudo rm *.pem
 
echo " -- Script Finish -- "
 
 
sudo chmod +x letsencrypt.sh
 
((as "root" run :))
crontab -e
 
0 2 */15 * * /etc/tomcatcertificate/letsencrypt.sh
 
sudo /etc/tomcatcertificate/letsencrypt.sh
 
sudo nano /etc/tomcat7/server.xml
 
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS" KeystoreFile="/usr/share/tomcat7/.keystore" KeystorePass="password" />
 
((
change port 8080 to 80 at <Connector port="80" protocol="HTTP/1.1"
change port 8443 to 443 at redirectPort="8443" />
Change port 8443 to 443 at <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
if required -- if server to be dedicated entirely to era and you don't want to deal with port nos. in URL))
-------------------------------------------------------
 
 
 
 
Add Admin user to tomcat GUI (optional)
-------------------------------------------------------
nano /etc/tomcat7/tomcat-users.xml
 
user username="admin" password="password" roles="manager-gui,admin-gui"/>
 
sudo service tomcat7 restart
-------------------------------------------------------
 
 
 
 
ODBC
-------------------------------------------------------
cd /opt
tar xvzf mysql-connector-odbc-5.3.9-linux-ubuntu16.04-x86-64bit.tar.gz
cd mysql-connector-odbc-5.3.9-linux-ubuntu16.04-x86-64bit/lib
cp * /usr/lib/x86_64-linux-gnu/odbc/
 
nano /etc/odbcinst.ini
 
[MySQL]
Description = ODBC for MySQL
Driver = /usr/lib/x86_64-linux-gnu/odbc/libmyodbc5a.so
Setup = /usr/lib/x86_64-linux-gnu/odbc/libodbcmyS.so
FileUsage = 1
 
 
sudo odbcinst -i -d -f /etc/odbcinst.ini
-------------------------------------------------------
 
 
 
Configuration of MySQL
-------------------------------------------------------
 
sudo nano /etc/mysql/my.cnf
((if the file is not present, try /etc/my.cnf))
 
((Find the following configuration in the [mysqld] section of the my.cnf file and modify the values. (If the parameters are not present in the file, add them to the [mysqld] section ) after the last existing lines in the file:))
 
[mysqld]
max_allowed_packet=33M
innodb_log_file_size=100M
innodb_log_files_in_group=2
 
 
((Save and close the file and enter the following command to restart the MySQL server and apply the configuration (in some cases, the service name is mysqld):))
 
sudo service mysql restart
 
((Run the following command to set up MySQL including privileges and password (this is optional and may not work for some Linux distributions):))
 
/usr/bin/mysql_secure_installation
 
((Enter the following command to check whether the MySQL server is running:))
 
sudo netstat -tap | grep mysql
 
((If the MySQL server is running, the following line will be displayed. Note that the process identifier - PID (7668 in the example below) will be different:
 
tcp 0 0 localhost:mysql *:* LISTEN 7668/mysqld))
-------------------------------------------------------
 
 
 
Install ESET
-------------------------------------------------------
 
cd /opt
chmod +x *.sh
 
sudo cp era.war /var/lib/tomcat7/webapps/
service tomcat7 restart
 
-----------------------------------------------------------
sudo ./server-linux-x86_64.sh \
--skip-license \
--db-driver=MySQL \
--db-hostname=127.0.0.1 \
--db-port=3306 \
--db-admin-username=root \
--db-admin-password=password \
--server-root-password=password \
--db-user-username=root \
--db-user-password=password \
--cert-hostname="domain.com"
 

((wait 2 minutes to let the server start, repeat commands if cannot connect to db or other errors after 2 mins break or reboot the vps and check whether era server is running by entering : service era* status )) 

 
 
sudo ./agent-linux-x86_64.sh \
--skip-license \
--webconsole-port=2223 \
--webconsole-user=Administrator \
--webconsole-password=password \
--hostname=domain.com \
--port=2222
 
-----------------------------------------------------------
 
 
sudo ./mdmcore-linux-x86_64.sh \
--https-cert-path="/etc/letsencrypt/live/domain.com/certificate.pfx" \
--https-cert-password="password" \
--port=2222 \
--db-type="MySQL" \
--db-driver="MySQL" \
--db-admin-username="root" \
--db-admin-password=password \
--db-user-username="root" \
--db-user-password=password \
--db-hostname="127.0.0.1" \
--webconsole-password=password \
--hostname=domain.com \
--mdm-hostname=domain.com
 
-----------------------------------------------------------
 
 
 
To Make ERA the default app in Tomcat so that directly typing the domain will launch ERA and you will not have to enter /era at the end of the domain to access era
-----------------------------------------------------------
 
 
cd /var/lib/tomcat7/webapps/
rm -r ROOT
rm -r era
mv era.war ROOT.war
service tomcat7 restart
 
-----------------------------------------------------------
 
 
 
 
 
To redirect all http traffic from tomcat to https
-----------------------------------------------------------
 
 
nano  /etc/tomcat7/web.xml
((Add below configuration but make sure to add it after all the servlet mapping tags.))
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
service tomcat7 restart
 
enter https://domain.com:9980 in your web browser to check MDM server is up
enter domain.com in your web browser and login using the webconsole password that you have set earlier.
 
Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...