Installation manual

Installation requirements

Supported operating systems

  • RHEL 7/CentOS 7

  • RHEL 8/CentOS 8 Stream/Rocky Linux 8

  • RHEL 9/CentOS 9 Stream/Rocky Linux 9

Only a fresh installation of the operating system without any additional applications is supported. For AWS Marketplace deployments the recommended system version is already pre-installed.

System requirements

Minimal

  • 1 CPU

  • 2 GiB RAM

  • 1 GiB HDD for the application + additional storage for files sent through the application.

Recommended

  • 2 CPU

  • 4 GiB RAM

  • 1 GiB HDD for the application + additional storage for files sent through the application.

Clarification

The requirements are for the SOFiE application only, for an average installation of up to 100 users. For larger installations we recommend doubling these values.

Additionally installed components may have their own requirements (for example, for ClamAV we recommend an additional 1 GiB RAM and 1 CPU).

Default communication ports

  • Inbound:

    • http (80/tcp) - for Let’s Encrypt certificate issuance and renewal (HTTP-01 challenge)

    • https (443/tcp) - for the main application web interface

  • Outbound:

    • smtp (25/tcp) - for sending out e-mails; can be limited to the SMTP relay server’s address

    • http (80/tcp), https (443/tcp) - for downloading updates and the license

    • ldap (389/tcp, 636/tcp) - for integration with Active Directory; can be limited to the AD server’s address (636/tcp is LDAPS; prefer it so that bind credentials are not sent in clear text)

    • diagnostics (2222/tcp) - for remote diagnostics; can be limited to the recon.sonpo.io address

When installing and running behind an SSL inspection proxy (optional)

Copy the inspection proxy’s CA certificate (for example CA.crt) into /etc/pki/ca-trust/source/anchors and run:

update-ca-trust extract

Installation of application

  • When deploying from AWS Marketplace, skip this chapter and continue with First start below.

  • Install required packages:

RHEL/CentOS 7 (deprecated):

yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y curl tar ansible libsemanage-python policycoreutils-python

RHEL/CentOS/Rocky 8:

dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf install -y curl tar ansible python3-libsemanage python3-policycoreutils

RHEL/CentOS/Rocky 9 (recommended):

  • Download and run installation script:

  • After running the installation script you will be asked to fill these parameters:

  • After starting the installation with option 4, the script installs the required packages and creates and starts the application services. Once the services are running, the application is available in the user and administrator sections. If you chose installation without a Let's Encrypt certificate, you must set up a different certificate for the https connection (see Basic settings); otherwise the application will not be accessible, because HSTS is enabled by default and browsers then refuse an https connection with an untrusted certificate without offering a click-through.

External PostgreSQL database (optional)

The installation script automatically installs and configures a local PostgreSQL instance that is dedicated to the SOFiE application and accessible only from localhost.

An external PostgreSQL instance can also be used, under the following conditions:

  • PostgreSQL version 11 - 16

  • the dedicated user and database for SOFiE are created manually (the installation script does not create a database or user on an external instance)

  • the pgcrypto extension is installed in the SOFiE database

  • the dedicated user is the owner of the SOFiE database

Connection properties must be manually configured in two files:

  • /etc/sofie/production.properties (for database migrations - in section “JDBC connection properties”)

  • /etc/sofie/META-INF/microprofile-config.properties (for SOFiE application - in section “JDBC configuration”)

Syntax of JDBC URL with all possible parameters is described at PostgreSQL JDBC driver page:

https://jdbc.postgresql.org/documentation/use/#connecting-to-the-database
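Before pointing SOFiE at an external instance it is worth checking the four conditions above from the dedicated user's point of view, because a missing pgcrypto extension or a database owned by another role only shows up later as failed migrations. The script below is an added example, not part of the SOFiE installation script. It assumes psql on PATH, credentials for the dedicated user supplied via PGPASSWORD or ~/.pgpass, and a root CA path (/etc/sofie/pg-root.crt) that is an assumption of this example. The JDBC URL it prints uses sslmode=verify-full, which the pgjdbc driver supports and which makes the connection fail, rather than silently fall back, if the server certificate cannot be verified. Put that URL under the keys named in the two properties files above; their key names are not reproduced here.

```shell
#!/bin/sh
# Added example, not part of the SOFiE installer: pre-flight checks for an
# external PostgreSQL instance plus a JDBC URL that enforces TLS verification.
# Assumed: psql on PATH; PGPASSWORD or ~/.pgpass for the dedicated SOFiE user;
# the root CA path below is an assumption for this example.
set -eu

# Supported major versions from the manual.
PG_MIN_MAJOR=11
PG_MAX_MAJOR=16

# server_version_num is e.g. 150004 for 15.4; the major is the leading digits.
pg_major_from_num() {
  echo $(( $1 / 10000 ))
}

pg_version_supported() {
  major=$(pg_major_from_num "$1")
  [ "$major" -ge "$PG_MIN_MAJOR" ] && [ "$major" -le "$PG_MAX_MAJOR" ]
}

# verify-full checks both the CA chain and the host name of the server.
build_jdbc_url() {
  host="$1"; port="$2"; db="$3"; rootcert="${4:-/etc/sofie/pg-root.crt}"
  echo "jdbc:postgresql://${host}:${port}/${db}?sslmode=verify-full&sslrootcert=${rootcert}"
}

# Run one query as the dedicated user; -At gives a bare, tuple-only result.
pgq() {
  psql -X -At -h "$PGHOST_" -p "$PGPORT_" -U "$PGUSER_" -d "$PGDB_" -c "$1"
}

preflight() {
  PGHOST_="$1"; PGPORT_="$2"; PGUSER_="$3"; PGDB_="$4"

  vnum=$(pgq "SHOW server_version_num;")
  pg_version_supported "$vnum" || {
    echo "unsupported PostgreSQL major $(pg_major_from_num "$vnum")" >&2; return 1; }

  ext=$(pgq "SELECT count(*) FROM pg_extension WHERE extname = 'pgcrypto';")
  [ "$ext" = "1" ] || { echo "pgcrypto extension is not installed in $PGDB_" >&2; return 1; }

  owner=$(pgq "SELECT pg_get_userbyid(datdba) FROM pg_database WHERE datname = current_database();")
  [ "$owner" = "$PGUSER_" ] || { echo "database $PGDB_ is owned by $owner, not $PGUSER_" >&2; return 1; }

  echo "OK: PostgreSQL $(pg_major_from_num "$vnum"), pgcrypto present, $PGUSER_ owns $PGDB_"
  echo "JDBC URL: $(build_jdbc_url "$PGHOST_" "$PGPORT_" "$PGDB_")"
}

# Usage: sh pg-preflight.sh <host> <port> <user> <database>
if [ "$#" -eq 4 ]; then
  preflight "$@"
fi
```

The ownership query deliberately asks about current_database() rather than a name passed on the command line, so a typo in the database argument fails the connection instead of checking the wrong database.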

First start

The application is started automatically after the installation. When deploying from AWS Marketplace the application is already pre-installed and is started right after deployment. After the application has started, the user and administrator interfaces are available in a web browser at the following addresses:

User section

https://<FQDN>

Administrator section

https://<FQDN>/admin

To be able to log in to the web interface, the administrator should, after the first start, go through the basic settings described below, including setting the administrator’s password.

Basic settings

  • The following steps need to be performed in the command line of the running application server.

  • To access the web interface there must be a working https certificate. If there is none, or when deploying from the AWS Marketplace, run the following commands:

  • (optional) You can install your own certificate by overwriting files of generated self-signed certificate. Copy certificate file to “/etc/nginx/cert/certificate.crt” and private key file to “/etc/nginx/cert/private.key”:

    Then restart nginx.

  • (up to version 2.2.7) The default administrator account is “admin” with the password “sofieadmin”. Because this default is publicly documented, change the password immediately after the first login (Settings/Administrators). The administrator has to log in to the admin section (/admin), not the user section.

  • (since version 2.2.8 + AWS) The default administrator account is “admin” with a randomly generated password. The administrator has to log in to the admin section (/admin), not the user section. Before the first login the password must be reset to a new random value, which is shown once in the console, using the following command:

  • For the application to work correctly, you must also configure the SMTP server. This is done in the administrator’s web interface in Settings/Configuration/E-mail.

  • For further settings and correct setup of the application, the administrator should read the Administrator manual: https://wikisonpo.atlassian.net/wiki/spaces/SPEN/pages/1069940737/Administrator+manual
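The own-certificate step above (copying certificate.crt and private.key into /etc/nginx/cert and restarting nginx) is worth wrapping in a small check: a certificate that does not belong to the key takes the site down at restart, and a key copied with its original permissions may be readable by every local user. The following script is an added example and not part of the SOFiE installer; it assumes the two paths from the manual and that openssl, nginx and systemctl are on PATH.

```shell
#!/bin/sh
# Added example (not part of the SOFiE installer): install a custom
# certificate/key pair for the nginx front end with sanity checks.
# Assumed: the paths /etc/nginx/cert/certificate.crt and
# /etc/nginx/cert/private.key from the manual; openssl, nginx, systemctl on PATH.
set -eu

# Refuse a certificate whose public key does not match the private key.
# "openssl x509 -pubkey" and "openssl pkey -pubout" both print the public key
# in PEM form, so equal digests mean the pair belongs together.
cert_key_match() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Copy the pair into place; install(1) sets the mode atomically, so there is
# no window in which the key is world-readable. The destination directory is
# a parameter so the step can be exercised against a scratch directory.
install_cert_files() {
  cert="$1"; key="$2"; dest="${3:-/etc/nginx/cert}"
  mkdir -p "$dest"
  install -m 0644 "$cert" "$dest/certificate.crt"
  install -m 0600 "$key" "$dest/private.key"
}

# Validate the nginx configuration before restarting, as the manual requires
# a restart after replacing the files.
reload_nginx() {
  nginx -t && systemctl restart nginx
}

main() {
  cert="$1"; key="$2"
  if ! cert_key_match "$cert" "$key"; then
    echo "certificate and private key do not match; nothing installed" >&2
    exit 1
  fi
  install_cert_files "$cert" "$key"
  reload_nginx
}

# Usage (as root): sh install-cert.sh /path/to/fullchain.pem /path/to/key.pem
if [ "$#" -eq 2 ]; then
  main "$@"
fi
```

If the certificate was issued by a private CA, the file passed as the certificate should be the full chain (leaf followed by intermediates), since nginx serves exactly what is in certificate.crt.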

Update of application

To be performed according to the instructions here: https://wikisonpo.atlassian.net/wiki/spaces/SPEN/pages/2955509761

Installation of the CDR module (optional)

Since version 2.3 the SOFiE application supports an optional internal module “Content Disarm and Reconstruction (CDR)“. The module enables conversion of supported file types (typically Office documents) into a safe format, specifically a PDF without active content. To be able to use the module, it must be installed first by performing the following steps:

After the installation the administrator can activate and configure the CDR module using the web interface, in the section Settings - Detection settings.

Installation of antivirus engines (optional)

  • You can configure paths to antivirus engines in “/etc/sofie/META-INF/microprofile-config.properties” section “# AV”

Avast

  • Import Avast GPG key:

  • Install Avast packages:

  • Download license file:

  • Copy license file to /etc/avast/license.avastlic:

  • If needed, modify the configuration in /etc/avast/*

  • Enable and start Avast service:

BitDefender

  • Download package as Linux kit (64-bit)

  • Extract and run installation:

  • Run a test scan:

  • Create a server policy in GravityZone portal with settings:

  • Assign created policy to the server in GravityZone portal.

ClamAV

  • Install ClamAV from the EPEL repository

  • Change the configuration in “/etc/clamd.d/scan.conf”:

  • Modify the systemd unit file:

  • Start the ClamAV service:

ESET

  • Download file with configuration and import:

FortiClient

  • FortiClient Endpoint Management Server (FortiClient EMS) should already be installed.

  • Download FortiClient 7.x. The headless Linux server build is used here, e.g. forticlient_server_7.0.2.0063_x86_64.rpm

  • Install FortiClient:

  • Register FortiClient to EMS:

  • Check registration and license:

  • In FortiClient EMS administration make these changes:

    • “Endpoints/Workgroups” create group for registered server.

    • “Endpoints/Group Assignment Rules” assign registered server to created group.

    • “Endpoint Profiles/Manage Profiles” create profile for registered server. Profile should contain these settings:

    • “Endpoint Policy and Components“ create policy for group containing registered server and assign created profile.

Kaspersky

  • Install Kaspersky antivirus:

  • Run configuration:

  • After installation turn off resident protection:

  • Change default scan options:

  • Import your license:

Sophos

  • Set up during installation:

  • Turn off email notifications:

Trellix

  • Download the update script

  • Create a cron job for the update script

Custom SSL CA (optional)

Add a certificate authority to the system

RHEL:

Windows:
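For the RHEL case above (and for the SSL inspection proxy section earlier, which uses the same anchors directory), here is an added example script, not part of the manual, that validates the file before installing it and then confirms that the system trust store actually contains the new anchor. It assumes a RHEL-family host with the ca-certificates package (update-ca-trust) and openssl installed, and a self-signed (root) CA certificate in PEM form. Keep in mind what this does: every TLS client on the host that uses the system trust store will accept certificates issued by this CA, so install only a CA you control, such as the inspection proxy's. The Windows procedure is not covered by this example.

```shell
#!/bin/sh
# Added example, not part of the SOFiE manual: add a CA (for example the
# SSL inspection proxy's CA) to the RHEL system trust store and verify it.
# Assumed: RHEL-family host with ca-certificates (update-ca-trust) and
# openssl; the CA is a self-signed root in PEM form.
set -eu

ANCHOR_DIR=/etc/pki/ca-trust/source/anchors
# Consolidated bundle that curl and openssl read on RHEL after extraction.
SYSTEM_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# Accept only a PEM certificate: a DER blob would be ignored by the trust
# tooling, and a private key dropped into the anchors directory would end
# up in a world-readable location.
is_pem_certificate() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
  grep -q -- '-----END CERTIFICATE-----' "$1" &&
  ! grep -q -- 'PRIVATE KEY' "$1"
}

# SHA-256 fingerprint, so the installed anchor can be matched unambiguously
# against whatever the proxy or PKI team published.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

install_ca_anchor() {
  ca="$1"
  is_pem_certificate "$ca" || { echo "$ca is not a PEM certificate" >&2; return 1; }
  install -m 0644 "$ca" "$ANCHOR_DIR/$(basename "$ca")"
  update-ca-trust extract
}

# A root CA verifies against a bundle only if that bundle contains it, so a
# successful "openssl verify" proves the extraction picked the anchor up.
verify_ca_trusted() {
  openssl verify -CAfile "$SYSTEM_BUNDLE" "$1" >/dev/null &&
  echo "trusted: $(ca_fingerprint "$1")"
}

# Usage (as root): sh add-ca.sh /path/to/CA.crt
if [ "$#" -eq 1 ]; then
  install_ca_anchor "$1"
  verify_ca_trusted "$1"
fi
```

To remove the CA again, delete the file from /etc/pki/ca-trust/source/anchors and run update-ca-trust extract once more; the verify step then fails, which is the expected result.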

Memory Shortage Diagnostics

In some situations, a memory shortage may occur, which manifests as malfunctioning package processing and the following error in the application log of the worker (/opt/sofie-worker-distribution/logs/sofie.log):

If such a situation arises, the service is automatically terminated and restarted.

The cause is usually a maximum file size limit set too high in one of the internal detection tools (DLP, Encrypted Content Detection, MIME). If reducing the maximum file size does not help and the situation recurs, memory (heap) dumping can be enabled for diagnostics. This is done by creating a file:

with the following content:

The settings above make the JVM write a memory dump (heap dump) to the specified path when it runs out of memory. The target directory needs enough free space, at least the size of the server’s memory. If there is not enough space under /var/sofie/data/, change the path in the HeapDumpPath parameter. A heap dump contains whatever the worker held in memory at that moment, including the contents of files being processed, so treat the dump files as sensitive data and delete them once diagnostics are finished.

To reflect the configuration change, the worker needs to be restarted: