- Can be installed on a bare metal or virtual server
- 8GB drive
- 2GB RAM
- Option 1: Clean installation of CentOS Linux x86_64 7.6, select "minimal install" option during installation
- Option 2: Clean installation of CentOS Linux x86_64 8.2, select "minimal install" option during installation
- Option 3: Clean installation of Ubuntu Server LTS 18.04
- Option 4: Clean installation of Ubuntu Server LTS 20.04
- You need to know how to create and edit text files in Linux. For example, you can use vim editor. Here you can find a quick start guide on [how to use the Vim editor] (https://www.control-escape.com/linux/editing-vim.html).
CentOS 7
$ sudo yum update -y
CentOS 8
$ sudo dnf update -y
Ubuntu
$ sudo apt update
$ sudo apt upgrade -y
Reboot system
$ sudo reboot
$ sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
$ sudo reboot
To verify that SELinux is disabled, you can type:
$ sudo sestatus
SELinux status: disabled
Note: on production servers, usually after installation and verification, you need to re-enable SELinux and configure it accordingly.
To access the server from the network, ports 80 and 443 and port 22 (default port for connection via ssh) should be opened:
CentOS:
$ sudo firewall-cmd --zone=public --permanent --add-port=22/tcp
$ sudo firewall-cmd --zone=public --permanent --add-port=80/tcp
$ sudo firewall-cmd --zone=public --permanent --add-port=443/tcp
$ sudo firewall-cmd --reload
Ubuntu:
$ sudo ufw allow 22
$ sudo ufw allow 80
$ sudo ufw allow 443
$ sudo ufw enable
CentOS:
$ sudo yum install git -y
Ubuntu (usually already installed):
$ sudo apt install git -y
CentOS 7:
$ sudo rpm -Uvh https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm
$ sudo yum install dotnet-sdk-5.0 -y
CentOS 8:
$ sudo dnf install dotnet-sdk-5.0 -y
Ubuntu 18.04:
$ wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb
$ sudo dpkg -i packages-microsoft-prod.deb
$ sudo apt update
$ sudo apt install dotnet-sdk-5.0 -y
Ubuntu 20.04:
$ wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
$ sudo dpkg -i packages-microsoft-prod.deb
$ sudo apt-get update
$ sudo apt install dotnet-sdk-5.0 -y
If the installation was successful, the output of the dotnet command will look something like this:
$ dotnet --version
5.0.201
CentOS 7:
$ sudo rpm -Uvh https://dev.mysql.com/get/mysql80-community-release-el7-3.noarch.rpm
$ sudo yum install mysql-server -y
CentOS 8:
$ sudo dnf install mysql-server -y
Ubuntu 18.04:
$ wget -c https://dev.mysql.com/get/mysql-apt-config_0.8.16-1_all.deb
$ sudo dpkg -i mysql-apt-config_0.8.16-1_all.deb
note: click "ok" to confirm the server installation
$ sudo apt update
$ sudo apt install mysql-server -y
during the installation you will be prompted to enter the mysql user password. Remember this password for future use.
Ubuntu 20.04:
$ sudo apt install mysql-server -y
CentOS 7:
$ sudo yum install epel-release -y
$ sudo yum install nginx -y
$ sudo systemctl enable nginx
CentOS 8:
$ sudo dnf install nginx -y
$ sudo systemctl enable nginx
Ubuntu:
$ sudo apt install nginx -y
CentOS:
$ sudo systemctl restart mysqld.service
$ sudo systemctl enable mysqld.service
Run the following command to check that the server is running and has the correct version:
$ mysql -V
mysql Ver 8.0.22 for Linux on x86_64 (MySQL Community Server - GPL)
MySQL expects that your new password should consist of at least 8 characters, contain uppercase and lowercase letters, numbers and special characters (do not forget the password you set, it will come in handy later). After a successful password change, the following questions are recommended to answer "Y":
[Note]:
-
In CentOS 7, the default root password can be found using
sudo grep "A temporary password" /var/log/mysqld.log
-
In CentOS 8, the root password is empty by default
-
In Ubuntu 18.04 the password was entered during installation of MySQL
-
In ubuntu 20.04 the password is empty after installation
$ sudo mysql_secure_installation
Depending on the version of linux, the output of commands may differ slightly. The following is an example for CentOs 7:
Enter password for user root:
The existing password for the user account root has expired. Please set a new password.
New password:
Re-enter new password:
Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
To verify that everything is correct, you can run
$ sudo mysql -h localhost -u root -p
After entering password, you will see MySQL console with a prompt:
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 8.0.22 MySQL Community Server - GPL
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
The following lines create a database db
, the user user
with the password <user_password>
. Сhange <user_password>
to a strong password, otherwise you may get a password validator error.
### CREATE DATABASE
mysql> CREATE DATABASE db;
### CREATE USER ACCOUNT
mysql> CREATE USER 'user'@'127.0.0.1' IDENTIFIED BY '<user_password>';
### GRANT PERMISSIONS ON DATABASE
mysql> GRANT ALL ON db.* TO 'user'@'127.0.0.1';
### RELOAD PRIVILEGES
mysql> FLUSH PRIVILEGES;
You should remember the user password, it will come in handy later.
To exit from the MySql console, press Ctrl+D.
$ sudo git clone https://github.com/HideezGroup/HES /opt/src/HES
$ cd /opt/src/HES/HES.Web/
$ sudo dotnet publish -c release -v d -o "/opt/HES" --runtime linux-x64 HES.Web.csproj
Note: Internet connection required to download NuGet packages
After a while (depending on the computer performance), the compilation process will be completed:
...
...
...
0 Warning(s)
0 Error(s)
Time Elapsed 00:00:37.35
Note: Several warnings may be issued during compilation, this is ok.
Then you need to copy Crypto_linux.dll as follows:
$ sudo cp /opt/src/HES/HES.Web/Crypto_linux.dll /opt/HES/Crypto.dll
Copy appsettings.json to appsettings.Production.json
$ sudo cp /opt/HES/appsettings.json /opt/HES/appsettings.Production.json
Edit the file /opt/HES/appsettings.Production.json
{
"ConnectionStrings": {
"DefaultConnection": "server=127.0.0.1;port=3306;database=db;uid=user;pwd=<user_password>"
},
"EmailSender": {
"Host": "<smtp_host>",
"Port": "<smtp_port>",
"EnableSSL": true,
"UserName": "<email_address>",
"Password": "<email_password>"
},
"Fido2": {
"ServerDomain":"<your_domain_name>",
"ServerName": "HES",
"Origin": "https://<your_domain_name>",
"TimestampDriftTolerance": 300000,
"MDSAccessKey": null
},
"ServerSettings": {
"Name": "HES",
"Url": "https://<your_domain_name>"
},
...
Replace the following settings in this file with your own:
-
<user_password>
- Password for the user on MySQL server -
<smtp_host>
- Host name of your SMTP server (example:smtp.example.com
) -
<smtp_port>
- Port number of your SMTP server (example:123
) -
<email_address>
- Your email adress (example:user@example.com
) -
<email_password>
- Password to access the SMTP server (example:password
) -
<you_domain_name>
- you fully qualified domain name (FQDN) of your HES site (example:hideez.example.com
)
Important note: by default, .Net Core uses ports 5000 and 5001. Therefore, if only one domain is running on the server, port numbers can be skipped. But if it is supposed to run a few sites on one computer, then it is necessary to specify different ports for each site in json file. For example, for a site to listen to ports 6000 and 6001, after "AllowedHosts": "*" add the following (via comma) :
,
"Kestrel": {
"Endpoints": {
"Http": {
"Url": "http://localhost:6000"
},
"Https": {
"Url": "https://localhost:6001"
}
}
}
We prepared file for to start and manage the HES server
Copy file HES.service
to the /lib/systemd/system/
:
$ sudo cp /opt/src/HES/HES.Deploy/HES.service /lib/systemd/system/HES.service
Enabling autostart:
$ sudo systemctl enable HES.service
$ sudo systemctl restart HES.service
You can verify that HES server is running with the command:
$ sudo systemctl status HES
The output of the command should be something like this:
● HES.service - Hideez Enterprise Service
Loaded: loaded (/usr/lib/systemd/system/HES.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2020-03-25 09:05:04 UTC; 34s ago
Main PID: 2964 (HES.Web)
CGroup: /system.slice/HES.service
└─2964 /opt/HES/HES.Web
Mar 25 09:05:04 hesservertest systemd[1]: Started Hideez Enterprise Service.
To access your server from the local network as well as from the Internet, you have to configure a reverse proxy. We will use the Nginx server for this.
Note 1:
In production, you should take care of acquiring a certificate from a certificate authority. For a self-signed certificate, the browser will alert you that site has security issues.
Note 2:
When generating a certificate, answer a few simple questions, of which Common Name (CN) will be important - here be the name of your site, in our example it is hideez.example.com
$ sudo mkdir /etc/nginx/certs
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/certs/hes.key -out /etc/nginx/certs/hes.crt
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:hideez.example.com
Email Address []:.
$ sudo systemctl restart nginx
$ sudo systemctl status nginx
The output would be something like this:
* nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2020-01-25 08:22:56 UTC; 8min ago
Process: 1702 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 1700 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
Process: 1699 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
Main PID: 1704 (nginx)
CGroup: /system.slice/nginx.service
+-1704 nginx: master process /usr/sbin/nginx
+-1705 nginx: worker process
Setup is complete. The server should be accessible in a browser at the address
(http://<you_domain_name>
).
You must use your domain name to access the HES server (e.g. 'http://hideez.example.com').
Warning! The CN (common name) of your certificate must match your domain.
Remember that if you use a self-signed certificate, you must enter the server name instead of the domain name. Otherwise, the SSL connection will not work
We prepared some Nginx configurations for different versions of Linux and placed them in the HES GitHub repository. You may just copy the corresponding file or you can review and edit it for your needs.
CentOS 7:
$ sudo cp /opt/src/HES/HES.Deploy/CentOS7/nginx.conf /etc/nginx/nginx.conf
CentOS 8:
$ sudo cp /opt/src/HES/HES.Deploy/CentOS8/nginx.conf /etc/nginx/nginx.conf
Ubuntu 18:
$ sudo cp /opt/src/HES/HES.Deploy/Ubuntu18/nginx.conf /etc/nginx/nginx.conf
Ubuntu 20:
$ sudo cp /opt/src/HES/HES.Deploy/Ubuntu20/nginx.conf /etc/nginx/nginx.conf
After saving the file, it is recommended to verify nginx settings:
$ sudo nginx -t
The output should be something like this:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Otherwise, you should carefully review the settings and correct the errors.
$ sudo systemctl restart nginx
$ sudo systemctl status nginx
* nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2020-01-25 11:23:46 UTC; 8s ago
Process: 13093 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 13091 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
Process: 13089 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
Main PID: 13095 (nginx)
CGroup: /system.slice/nginx.service
+-13095 nginx: master process /usr/sbin/nginx
+-13096 nginx: worker process
If you plan to integrate your HES with AD you need to add AD Server's name and IP address to the /etc/hosts
file, for example:
192.168.10.75 ad.example.com
Note: the same name should be used on the HES properties page.
If you use self-signed certificates you need to disable certificate verification. For this edit the file
Ubuntu:
/etc/ldap/ldap.conf
CentOS:
/etc/openldap/ldap.conf
and add the following line:
TLS_REQCERT never
you will also need an openldaps library
CentOS 8:
sudo dnf -y install openldap-clients
After these steps, your server should be up and running. Go to the https://<you_domain_name>
in the browser and verify if the site is available.
Note: for a self-signed certificate, it should be a warning that your connection isn't private. Press Advanced/Proceed to ignore the warning.
$ sudo systemctl stop HES
$ cd /opt/src/HES
$ sudo git pull
The following command will create a copy of the database in file db.sql in your home directory:
$ sudo mysqldump -uroot -p<MySQL_root_password> db > ~/db.sql
change <MySQL_root_password>
with your real password
$ sudo mv /opt/HES /opt/HES.old
$ cd /opt/src/HES/HES.Web/
$ sudo dotnet publish -c release -v d -o "/opt/HES" --runtime linux-x64 HES.Web.csproj
$ sudo cp /opt/src/HES/HES.Web/Crypto_linux.dll /opt/HES/Crypto.dll
$ sudo cp /opt/HES.old/appsettings.Production.json /opt/HES/appsettings.Production.json
$ sudo systemctl restart HES
$ sudo systemctl status HES
● HES-hideez.example.com.service - Hideez Enterprise Service
Loaded: loaded (/usr/lib/systemd/system/HES-hideez.example.com.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2020-03-25 10:48:12 UTC; 16s ago
Main PID: 4657 (HES.Web)
CGroup: /system.slice/HES.service
└─4657 /opt/HES/HES.Web
Mar 25 10:48:12 hesservertest systemd[1]: Started Hideez Enterprise Service.
$ sudo systemctl stop HES
$ sudo mv /opt/HES.old /opt/HES
$ sudo mysql -uroot -p<MySQL_root_password> db < ~/db.sql
$ sudo systemctl start HES
change <MySQL_root_password>
with your real password
After checking that the update was successful and everything works fine, you can delete copies of the database and server:
$ sudo rm -rf /opt/HES.old
$ sudo rm ~/db.sql