Installation manual
- Petr Novák
- Pavel Novák
- Pavel Arnošt
Content
- 1 Content
- 2 Installation requirements
- 3 Installation of application
- 4 First start
- 5 Basic settings
- 6 Update of application
- 7 Installation of the CDR module (optional)
- 8 Installation of antivirus engines (optional)
- 8.1 Avast
- 8.2 BitDefender
- 8.3 ClamAV
- 8.4 ESET
- 8.5 FortiClient
- 8.6 Kaspersky
- 8.7 Sophos
- 8.8 Trellix
- 9 Custom SSL CA (optional)
- 10 Memory Shortage Diagnostics
Installation requirements
Supported operating systems
RHEL 7/CentOS 7
RHEL 8/CentOS 8 Stream/Rocky Linux 8
RHEL 9/CentOS 9 Stream/Rocky Linux 9
Only new installation of operating system without any additional applications is supported. For AWS Marketplace deployments the recommended system version is already pre-installed.
System requirements
Minimal
1 CPU
2 GiB RAM
1 GiB HDD for application + additional storage for files sent by the application.
Recommended
2 CPU
4 GiB RAM
1 GiB HDD for application + additional storage for files sent by the application.
Clarification
The requirements are for the SOFiE application only, for an average installation of up to a 100 users. For larger installations we recommend to double these values.
Additional installed components might have additional requirements (for example for ClamAV we recommend another + 1 GiB RAM and 1 CPU).
Default communication ports
Inbound:
http (80/tcp) - for Let’s Encrypt certificates
https (443/tcp) - for main application web interface
Outbound:
smtp (25/tcp) - for sending out e-mails, can be limited to smtp relay server’s address
http (80/tcp), https (443/tcp) - for downloading updates and license
ldap (389/tcp, 636/tcp) - for integration with Active Directory, can be limited to AD’s address
diagnostics (2222/tcp) - for allowing remote diagnostics, can be limited to recon.sonpo.io address
When installing and running behind an SSL inspection proxy (optional)
Copy the inspection’s certificate authority, for example CA.crt, into /etc/pki/ca-trust/source/anchors and run:
update-ca-trust extractInstallation of application
When deploying from AWS Marketplace, skip this chapter and continue with First start below.
Install required packages:
RHEL/CentOS 7 (deprecated):
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y curl tar ansible libsemanage-python policycoreutils-pythonRHEL/CentOS/Rocky 8:
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf install -y curl tar ansible python3-libsemanage python3-policycoreutilsRHEL/CentOS/Rocky 9 (recommended):
Download and run installation script:
After running the installation script you will be asked to fill these parameters:
After starting the installation with option 4, the script will install required packages and it will create and run application services. When the services are running, application will be available in user and administrator sections. If you chose installation without Let's Encrypt certificate, you will have to set up usage of different certificate for https connection(see Basic settings), or else the application will not be accessible, because it has HSTS enabled by default, only allowing access by https with a valid certificate.
External PostgreSQL database (optional)
Installation script automatically installs and configures local PostgreSQL instance that is dedicated to SOFiE application and is accessible only from local host.
External PostgreSQL instance can also be used, under following conditions:
PostgreSQL version 11 - 16
dedicated user and database for SOFiE are created manually (creation of external database and user is not supported by installation script)
pgcrypto extension is installed in SOFiE database
dedicated user is owner of SOFiE database
Connection properties must be manually configured in two files:
/etc/sofie/production.properties(for database migrations - in section “JDBC connection properties”)/etc/sofie/META-INF/microprofile-config.properties(for SOFiE application - in section “JDBC configuration”)
Syntax of JDBC URL with all possible parameters is described at PostgreSQL JDBC driver page:
Initializing the Driver | pgJDBC
First start
The application is started automatically after the installation. When deploying from AWS Marketplace the application is already pre-installed and is started right after deployment. After the application is started the user’s and administrator’s interface is available using web browser at the following addresses:
User section | https://<FQDN> |
Administrator section | https://<FQDN>/admin |
For the administrator to be able to log in to the web interface, he should proceed after the start with basic settings as described bellow, including setting administrator’s password.
Basic settings
The following steps need to be performed in the command line of the running application server.
To access the web interface there must be a working https certificate set up. If it is not working or we are deploying from the AWS Marketplace, run the following commands:
(optional) You can install your own certificate by overwriting files of generated self-signed certificate. Copy certificate file to “/etc/nginx/cert/certificate.crt” and private key file to “/etc/nginx/cert/private.key”:
Then restart nginx.
(up to version 2.2.7) Default administrator account is “admin” with password “sofieadmin”. We recommend changing this password after first login (Settings/Administrators). The administrator has to login to the admin section (/admin), not the user section.
(since version 2.2.8 + AWS) Default administrator account is “admin” with a random generated password. The administrator has to login to the admin section (/admin), not the user section. The password must be reset before a first login to a new random one, that will be shown once in the console, using the following command:
For the application to work correctly, you must also configure the SMTP server. This is done in the administrator’s web interface in Settings/Configuration/E-mail.
For further settings and correct setup of the application the administrator should read and make himself familiar with the Administrator manual.
Update of application
To be performed according to the instructions here: Upgrade notes (Instructions for upgrading to a new version)
Installation of the CDR module (optional)
Since version 2.3 the SOFiE application supports an optional internal module “Content Disarm and Reconstruction (CDR)“. The module enables conversion of supported file types (typically Office documents) into a safe format, specifically a PDF without active content. To be able to use the module, it must be installed first by performing the following steps:
After the installation the administrator can activate and configure the CDR module using the web interface, in the section Settings - Detection settings.
Installation of antivirus engines (optional)
You can configure paths to antivirus engines in “/etc/sofie/META-INF/microprofile-config.properties” section “# AV”
Avast
Supported version: Avast Business Antivirus for Linux
(https://www.avast.com/business/products/linux-antivirus#pc)
Manuál: https://repo.avcdn.net/linux-av/doc/avast-techdoc.pdfAdd Avast repository:
Import Avast GPG key:
Install Avast packages:
Download license file:
Copy license file to /etc/avast/license.avastlic:
If needed modify configuration in /etc/avast/*
Enable and start Avast service:
BitDefender
Supported version: Bitdefender Endpoint Security Tools 7.x (https://www.bitdefender.com/business/support/en/77209-157515-bitdefender-endpoint-security-tools-for-linux-quick-start-guide.html)
Create a new package in GravityZone portal/Network/Installation packages with settings:
Download package as “Kit (Intel, AMD x86 64-bit)”
Extract and run installation:
Run a test scan:
Create a server policy in GravityZone portal/Policies with settings:
Assign created policy to the server in GravityZone portal/Network.
ClamAV
Install ClamAV from epel repository
Change configuration in “/etc/clamd.d/scan.conf” :
Modify systemd file:
Run the ClamAV service :
ESET
Supported version: ESET File Security pro Linux 10
Download: https://www.eset.com/int/business/file-security-linux/download/ (Download CentOS/RedHat version.) Manual: https://help.eset.com/essl/10.2/en-US/, TL;DR:
Download file with configuration and import:
FortiClient
FortiClient Endpoint Management Server (FortiClient EMS) should already be installed.
Download FortiClient 7.x version. We download a headless linux version: forticlient_server_7.0.2.0063_x86_64.rpm
Install FortiClient:
Register FortiClient to EMS:
Check registration and licence:
In FortiClient EMS administration make these changes:
“Endpoints/Workgroups” create group for registered server.
“Endpoints/Group Assignment Rules” assign registered server to created group.
“Endpoint Profiles/Manage Profiles” create profile for registered server. Profile should contain these settings:
“Endpoint Policy and Components“ create policy for group containing registered server and assign created profile.
Kaspersky
Supported version: Kaspersky Endpoint Security 12 for Linux
Download: https://support.kaspersky.com/kes-for-linux/12.0 . Download RPM (x64). For example:
Install kaspersky antivirus:
Run configuration:
After installation turn off resident protection:
Change default scan options:
Import your license:
Sophos
! WARNING ! - Sophos cannot be installed on the same server as BitDefender.
Download: https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx .
Install sophos antivirus:
Set up during installation:
Turn off email notifications:
Trellix
Supported version: Trellix Command Line Scanner for Linux
(https://kcm.trellix.com/corporate/index?page=content&id=KB94726)
License is part of product “Trellix Protect Standard”Download product after filling license grant number and email address at https://www.trellix.com/en-us/downloads/my-products.html . Download “Command Line Scanner”/”Command Line Scanner for Linux 64-bit Version 7.0.3”
Downloaded file “cls-l64-703-l.tar.gz” copy to the server.
Extract the file and run the installer:
Download DAT files from https://update.nai.com/products/commonupdater/current/vscandat1000/dat/0000/ and extract them (number after “avvdat-” must be replaced by current one)
Download update script
Create cron job for update script
Custom SSL CA (optional)
Add a certificate authority to the system
RHEL:
Windows:
Memory Shortage Diagnostics
In some situations, a memory shortage may occur, which manifests as malfunctioning package processing and the following error in the application log of the worker (/opt/sofie-worker-distribution/logs/sofie.log):
If such a situation arises, the service is automatically terminated and restarted.
The cause is usually a too high limit on the maximum file size in one of the internal detection tools (DLP, Encrypted Content Detection, MIME). If reducing the maximum file size does not help and the situation occurs repeatedly, it is possible to activate memory content (heap) dumping for diagnostics. This can be achieved by creating a file:
with the following content:
The settings mentioned above activate saving a memory dump (heap dump) to disk at the specified path when memory is low. The target directory needs to have enough space, at least the size of the server's memory. If there is not enough space in the path /var/sofie/data/, it is possible to change the path to another in the HeapDumpPath parameter.
To reflect the configuration change, the worker needs to be restarted: