Install Security Provider
IMPORTANT:
If the user wants to install FTASecurity and DataView or DataFlowML on the same machine, it is strongly recommended, in order to protect the log files, to use different non-root user accounts for installing FTASecurity and for installing DataView or DataFlowML. This ensures security and that no sensitive information is exposed to external components beyond trust boundaries.
NOTE:
If the FTASecurity Provider is already installed with another FTA application, it is recommended to use the existing FTASecurity.
Install the Security Provider and configure it to run as a systemd/systemctl service. To do this, the user needs to set up a service account for managing the application and the service.
- Ensure that the unzip utility is installed:
  - For CentOS and RHEL:
    $ sudo yum install unzip
  - For SUSE:
    $ sudo zypper install unzip
- Execute the following command to create the fta-security group:
  $ sudo groupadd -r fta-security
- Execute the following command to create the fta-security user account:
  $ sudo useradd -r -g fta-security -d /opt/rockwell/fta-security -s /bin/bash fta-security
- Execute the following command to create a password for the ‘fta-security’ user:
  $ sudo passwd fta-security
- Provide a new password for the ‘fta-security’ user.
- Execute the following command to create a new home directory for the application:
  $ sudo mkdir -p /opt/rockwell/fta-security
- Execute the following commands to change the permissions and ownership for the fta-security folder:
  $ sudo chmod 0750 /opt/rockwell/fta-security
  $ sudo chown fta-security:fta-security /opt/rockwell/fta-security
- Change the directory path to the <Installation Directory>/FTASecurity folder:
  $ cd <Installation Directory>/FTASecurity
- Copy the package for the Security Provider to the /opt/rockwell directory, so that it is available to the fta-security user:
  $ sudo cp FTASecurity-<Version>.zip /opt/rockwell
- Change the directory path to the /opt/rockwell folder:
  $ cd /opt/rockwell
- Unzip the following files from the Analytics Security Provider ZIP file:
  - fta-security
    $ sudo unzip FTASecurity-<Version>.zip FTASecurity/systemd/fta-security
  - fta-security.conf
    $ sudo unzip FTASecurity-<Version>.zip FTASecurity/systemd/fta-security.conf
  - fta-security.service
    $ sudo unzip FTASecurity-<Version>.zip FTASecurity/systemd/fta-security.service
- Execute the following command to copy the fta-security file to the /etc/sudoers.d folder:
  $ sudo cp FTASecurity/systemd/fta-security /etc/sudoers.d
- Execute the following command to set the access permissions on the fta-security file:
  $ sudo chmod 440 /etc/sudoers.d/fta-security
- Execute the following command to create a folder called ‘fta-security’ in the /etc folder:
  $ sudo mkdir /etc/fta-security
- Execute the following command to copy the fta-security.conf file to the /etc/fta-security folder:
  $ sudo cp FTASecurity/systemd/fta-security.conf /etc/fta-security/
- Execute the following command to copy the fta-security.service file to the /etc/systemd/system folder:
  $ sudo cp FTASecurity/systemd/fta-security.service /etc/systemd/system/
- To run Analytics Security Provider as a service, execute the following command to switch to the ‘fta-security’ user:
  $ sudo su - fta-security
  NOTE: The current working directory is /opt/rockwell/fta-security. A copy of the package file should be in the parent directory.
- Execute the following command to set the umask for the account to restrict access to configuration and log files to the fta-security account. The user can do this by creating a bash profile:
  $ echo umask 0022 >./.bash_profile
  NOTE: The default umask is 0002, which means that new files are created with read access for all users on the system. The user does not want configuration or log files to be accessed by any user other than the fta-security user.
- Run the umask command now, because the bash profile will not take effect until the next login:
  $ umask 0022
- Unzip the FTASecurity-<Version>.zip file:
  $ unzip ../FTASecurity-<Version>.zip
- Execute the following command to move the contents to the current directory:
  $ mv FTASecurity/* .
  TIP: Copy the above command "$ mv FTASecurity/* ." including the trailing period.
- Execute the following command to remove the FTASecurity folder:
  $ rm -rf FTASecurity
- Execute the following command to change the access permissions to file system objects:
  $ chmod -R +x `find . -type f -printf "%p\n" | grep \.sh$`
  TIP: Copy the above command along with the space and the special characters.
- Execute the following command to start the Analytics Security Provider service:
  $ sudo /bin/systemctl start fta-security.service
- Execute the following command to enable the Analytics Security Provider service:
  $ sudo /bin/systemctl enable fta-security.service
- Execute the following command to check the status of the Analytics Security Provider service:
  $ sudo /bin/systemctl status fta-security.service
- Execute the following command to exit or log out as the fta-security user:
  -bash-4.2$ exit
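
The umask step above decides who can read newly created configuration and log files. The following script is an added example, not part of the vendor procedure: it prints the mode a new file receives under several umask values (under 0022 a new file is created with mode 644; under 0027 or 0077 other users get no access) and lists files under a directory that accounts outside the owner and group can read. It assumes GNU stat and find, and the function names and temporary files are constructed for illustration.

```shell
#!/bin/sh
# Added example: effect of the umask on new files, plus a read-access audit.
# All files are created in throwaway temp directories (constructed sample data).

# Print the octal mode of a file created under umask $1.
mode_under_umask() {
    (
        d=$(mktemp -d) || exit 1
        umask "$1"                    # applies only inside this subshell
        : > "$d/sample.log"           # new files start from 0666 minus the umask
        stat -c '%a' "$d/sample.log"
        rm -rf "$d"
    )
}

# Print files under directory $1 that have the "other" read bit set.
world_readable_files() {
    find "$1" -type f -perm -0004 -print | sort
}

# Return 0 if no file under $1 is readable by "other", 1 otherwise.
audit_dir() {
    [ -z "$(world_readable_files "$1")" ]
}

# Show the resulting file mode for the umask values discussed in the procedure
# (0002 default, 0022 as set in .bash_profile) and two stricter values.
demo() {
    for m in 0002 0022 0027 0077; do
        printf 'umask %s -> new file mode %s\n' "$m" "$(mode_under_umask "$m")"
    done
}

demo
```

After installation, `audit_dir /opt/rockwell/fta-security` run as the fta-security user reports whether any file in the application directory is readable by other accounts, and `world_readable_files` names them.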