
Need help with ERA 6 on CentOS v6



Greetings,

I have the eraserver and web console working perfectly but I am very confused by the documentation on what I need to do to get the Agent installed.

 

From the documentation, I need to create a certificate then install the Agent. In the Web Console, I see there are already 3 certificates that are under the license manager... if I perform the steps in the guide to create a new one, I can no longer even get the eraserver service to start up....

 

From the docs-

# ./Agent-Linux-x86_64.sh \
--skip-license \
--cert-path=/home/Admin/Desktop/agent.pfx \
--cert-auth-path=/home/Admin/Desktop/CA.der \
--cert-password=N3lluI4#2aCC \
--hostname=hostname \
--port=2222

 

Does this imply I need to create a user (such as "Admin"?) as well as locate the pfx/der files for the certificates already in my eraserver? Also, where can I find the password for the cert? It appears these three were generated during the installation process and trying to tamper with them will only make the eraserver service fail to start..

 

Is there a more simple/straightforward guide to installing this? Also, how do I set up the connection parameters once this is done, as I have about 80-100 clients running v5 of ESET that use credentials to obtain updates... am I going to need to upgrade them all to v6 to use the new v6 RAS?

 

Thanks in advance!


I am still completely stuck on getting this to work...

 

When you install the server and web console, it produces 3 certs and 1 CA by default.  Every thread I've read says to use those since any new certs/ca's made seem to be broken at the moment...

 

So how do I figure out what the passphrase/cert-password is for the auto-generated Agent cert for installing the Agent on the server?  If this is the only one that allegedly works, then what is the passphrase it has chosen?

 

If I try to create new ones, the Agent will install but then won't work, with error messages littering all over the internet saying to use the "canned" ones... but what is the passphrase/cert pass to try this?

 

Thanks


I have made the comment regarding documentation more visible to the ESET team.

There is no guide (except for poor documentation) on how this new system actually works and no best practices to follow; you have to find it yourself, either on this forum or in the ESET knowledgebase.

Regarding the question on certificate location for the Agent: either you will have to generate the pair yourself and then put it in the correct location/path (the username is not important at all, it just shows the bad practice of using a user profile to store certificates; certificates have their place in Linux distributions), or leave it as I did, letting the ERA server installation create a self-signed one and omitting the cert location in the Agent installation.

This is how I installed ERA v6 on Ubuntu 14.04.2 LTS in a test environment using their documentation.

 

 

apt-get install mysql-server-5.6

sudo nano /etc/mysql/my.cnf
# set in my.cnf:
max_allowed_packet=100M

sudo service mysql restart

apt-get install unixodbc libmyodbc

sudo nano /etc/odbcinst.ini
# add to odbcinst.ini:
[myodbc_mysql]
Description     = ODBC for MySQL
Driver          = /usr/lib/x86_64-linux-gnu/odbc/libmyodbc.so
Setup           = /usr/lib/x86_64-linux-gnu/odbc/libodbcmyS.so
UsageCount      = 1

sudo odbcinst -i -d -f /etc/odbcinst.ini

openssl version

chmod +x Server-Linux-x86_64-6.1.450.0.sh

sudo ./Server-Linux-x86_64-6.1.450.0.sh --skip-license --db-driver=myodbc_mysql --db-hostname=127.0.0.1 --db-port=3306 --db-admin-username=root --db-admin-password=password1 --server-root-password=eraadmin --db-user-username=era --db-user-password=password2 --cert-hostname="192.168.1.1;eset-era"

chmod +x Agent-Linux-x86_64-6.1.450.0.sh

sudo ./Agent-Linux-x86_64-6.1.450.0.sh --skip-license --hostname=192.168.1.1 --port=2222 --webconsole-hostname=192.168.1.1 --webconsole-port=2223 --webconsole-user=Administrator --webconsole-password=eraadmin

sudo apt-get install openjdk-7-jdk
sudo apt-get install tomcat7

sudo cp era.war /var/lib/tomcat7/webapps/

# the -storepass value must match keystorePass in server.xml below
sudo keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/ssl/certs/java/era_web_console.keystore -storepass password3 -validity 360 -keysize 2048

sudo nano /var/lib/tomcat7/conf/server.xml
<Connector
 port="8443"
 maxThreads="150"
 scheme="https"
 secure="true"
 SSLEnabled="true"
 keystoreFile="/etc/ssl/certs/java/era_web_console.keystore"
 keystorePass="password3"
 clientAuth="false"
 keyAlias="tomcat" />

sudo service tomcat7 restart

chmod +x RDSensor-Linux-x86_64-1.0.728.0.sh
sudo ./RDSensor-Linux-x86_64-1.0.728.0.sh --skip-license

Edited by bbahes
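
A pre-flight check for the certificate pair discussed in this thread, as an added example that is not part of the original posts or of ESET's documentation: before running the Agent installer with --cert-path, --cert-auth-path and --cert-password, it confirms with the openssl command line that the passphrase opens the .pfx and that the certificate inside was issued by the CA file. The function names, the PFX_PASS variable and the demo file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: checks the files passed as --cert-path / --cert-auth-path.
# The check reads the passphrase from the PFX_PASS environment variable
# instead of a command-line argument. Function bodies use ( ) so that
# their variables stay local.
# Exit status: 0 ok, 1 passphrase does not open the .pfx, 2 CA file is not
# a readable certificate, 3 the agent certificate was not issued by that CA.
check_agent_cert() (
    pfx=$1; ca_der=$2; rc=0
    tmp=$(mktemp -d) || exit 4
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -clcerts \
        -out "$tmp/agent.pem" 2>/dev/null || rc=1
    if [ "$rc" -eq 0 ]; then
        openssl x509 -inform DER -in "$ca_der" -out "$tmp/ca.pem" \
            2>/dev/null || rc=2
    fi
    if [ "$rc" -eq 0 ]; then
        openssl verify -CAfile "$tmp/ca.pem" "$tmp/agent.pem" \
            >/dev/null 2>&1 || rc=3
    fi
    rm -rf "$tmp"
    exit "$rc"
)

# Builds a throwaway CA, agent certificate and .pfx (constructed test data,
# passphrase "demo-pass") in directory $1.
make_demo_files() (
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || exit 1
    openssl x509 -in "$d/ca.pem" -outform DER -out "$d/CA.der" || exit 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-agent" \
        -keyout "$d/agent.key" -out "$d/agent.csr" 2>/dev/null || exit 1
    openssl x509 -req -in "$d/agent.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/agent.pem" 2>/dev/null || exit 1
    openssl pkcs12 -export -inkey "$d/agent.key" -in "$d/agent.pem" \
        -passout pass:demo-pass -out "$d/agent.pfx" || exit 1
)

demo=$(mktemp -d) && make_demo_files "$demo"
export PFX_PASS=demo-pass
check_agent_cert "$demo/agent.pfx" "$demo/CA.der" \
    && echo "certificate pair OK" || echo "check failed: $?"
PFX_PASS=not-the-passphrase
check_agent_cert "$demo/agent.pfx" "$demo/CA.der" \
    && echo "certificate pair OK" || echo "check failed: $?"
rm -rf "$demo"
```
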

Thanks for the help bbahes!

 

I was still unable to get any cert + CA I would create using the web console to work under CentOS, so I finally dug deeper and found that you can specify the cert and CA passphrases, so I uninstalled and completely re-installed specifying the passphrase and the auto-made certs + CA's now work.  The Agent is now running fine on the server and setup kits made on the Web Console also now work properly too.

 

I'm also baffled that there is no Apache Proxy for Linux?   So if I want to make an update mirror, I need to drag a Windows box around... not to mention it using apache httpd?  That is just... ugh.

 

Lastly, we have several users that use OpenVPN.... they are all showing up as the openvpn server vs. their PC name.   So now 4 days of pulling my hair out and looks like this upgrade isn't ready for prime-time.


Apache is an open source web server that, if configured, can act as an HTTP proxy/cache server, and is available for any Linux distribution, so you don't have to use a Windows box. You could install Apache on the ERA server and point clients via Policy to that proxy, so in a way it looks like the update mirror that was used in ERA v5...

Unfortunately, ESET did not include Apache for Linux in their ISO and not even on their international web site, so you are left to find out how to install it on the CentOS distribution. Last time I read somewhere on this forum, they promised to fix that in the next release, and include it as an option in the ERA installation. I have Ubuntu 14.04.2 LTS in my test environment. Since they have a different package system you will have to use different commands than mine to install Apache, something like yum install httpd. But you'd better double check for the CentOS 6.5 version.

Edited by bbahes

Oh I am very well versed with apache httpd, which is why I think it's strange that the mirror is only available on Windows... when apache is almost "standard" on Linux.

 

But having Apache running on some different port for updates is simple enough, but where is the software that will automatically pull-down virus definition updates from ESET?  As well as create the delta-style files so clients know the delta for their definition version vs. current to know what files to pull down?  That is the part I need... obviously it will need to authenticate to ESET and mirror the definitions for multiple products.. (Linux, Windows, Mobile, Mac, etc.)....


This is the part that I (and my guess, lots of other people here https://forum.eset.com/topic/4301-not-happy-with-era-6/) love most...there is no way to control what you download from ESET and what gets on clients! Clients, once successfully activated via ERA, on their own connect to ESET servers either directly through your internet gateway or through a proxy and update themselves.

 

ESET tried to alleviate the situation and made two KB articles. Notice the use of the word "mirror" :)

 

"How do I set up a mirror server for ESET Remote Administrator using Apache HTTP Proxy? (6.x)"

hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3637

 

"How do I configure an ESET Endpoint Security or ESET Endpoint Antivirus client to function as a Mirror server? (6.x)"

hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3641

 

So you point your clients via Policy either directly through the gateway, through a proxy, or to a mirror created on a client, and that's all you can do regarding updates. Hopefully clients will report they have updated...if not, ERA will flush you with red warnings in the dashboard. By the time they all report that they have updated, successfully I hope, a new database is out and the process starts all over again. Then in "panic" you use the Task "feature" and push an update task to clients to make sure they did update. Hopefully they got this task before they start the already scheduled update task. If not, more red warnings in the dashboard of failed task, and failed update...This is what I got in my test environment.

Edited by bbahes