Build a Windows Server for Fip

Linux


1. Load modules
  • Ubuntu

This is valid for all 16.xx, 18.xx and 20.xx versions

You MUST update and upgrade before installing anything else

As root or sudo :

apt -y update                
apt -y upgrade               

Then install these as root or sudo : (apt will check first if already installed)

apt -y install tcsh           
apt -y install zip            
apt -y install unzip          
apt -y install perl           
apt -y install net-tools      
apt -y install openssh-server 
apt -y install openssl        
apt -y install imagemagick    
apt -y install ghostscript    
apt -y install ntpdate        
apt -y install apache2        
apt -y install tcpdump        
apt -y install traceroute     
apt -y install systemd        
apt -y install icinga2        
apt -y install file           
  • Centos/RedHat 8

Centos 8 uses dnf NOT yum

  • ImageMagick is renamed GraphicsMagick
  • ntpdate is replaced by chrony
  • sshpass will (probably) need to be downloaded, built and loaded manually

We suggest you use Centos 8 if you are NOT going to subscribe to RedHat maintenance as much of the doc and extras are behind the paywall

You MUST upgrade before installing anything else

As root or sudo :

dnf -y upgrade

Then run these as root or sudo : (dnf will check first if already installed)

dnf -y install tcsh
dnf -y install zip
dnf -y install unzip
dnf -y install perl
dnf -y install openssl
dnf -y install httpd
dnf -y install mod_ssl
dnf -y install file
dnf -y install chrony
dnf -y install sshpass
dnf -y install systemd
dnf -y install psmisc
dnf -y install network-scripts
dnf -y install curl
dnf -y install traceroute
dnf -y install tcpdump
dnf -y install ftp
dnf -y install GraphicsMagick
dnf -y install ghostscript
  • Centos/RedHat 6+7

You MUST upgrade before installing anything else

As root or sudo :

yum -y upgrade

Then run these as root or sudo : (yum will check first if already installed)

yum -y install tcsh
yum -y install zip
yum -y install unzip
yum -y install perl
yum -y install openssl
yum -y install httpd
yum -y install mod_ssl
yum -y install file
yum -y install ntpdate
yum -y install sshpass
yum -y install systemd
yum -y install psmisc
yum -y install network-scripts
yum -y install curl
yum -y install traceroute
yum -y install tcpdump
yum -y install ftp
yum -y install ImageMagick
yum -y install ghostscript

2. Security and Environment

All this section will be using root or sudo

  • add root passwd

If the instance is a virtual instance, use the AWS/GCP/DigitalOcean/whatever CONSOLE until you add a root password and also allow SSH access inbound.

  • locale

if needed

List all

locale -a

List current

localectl status

make sure UTF8 version of your country/language locale exists and is current (normally en_US.utf8 or en_GB.utf8 or en_CA.utf8)

to set, for example:

localectl set-locale LANG=en_US.utf8

to check:

localectl status

On Ubuntu, install/manage all locales via the UI or, if using the command line:

apt-get install language-pack-eu
dpkg-reconfigure locales
  • FireWall (iptables, netplan, firewall-cmd etc)

FIP requires the following incoming ports to be open

TCP 22 for ssh
TCP 20/21 and high ports for ftp
TCP 80  for http/apache
TCP 443 for https/apache
UDP 9001-9009 for fipnet (note UDP)
TCP 9140-9149 for fipbalance
  • /etc/hosts

check/add any/all IP addresses and hostnames of FIP servers

  • /etc/resolv.conf

check/add nameserver addresses

  • nsswitch.conf

check it exists and that hosts is set correctly for your environment

hosts   files dns
  • crontab -e

If you do NOT wish to upgrade automatically every night, leave the apt/yum/dnf lines commented out

# UBUNTU and CENTOS 6/7 ................
# time 
2 0 * * * /usr/sbin/ntpdate 0.centos.pool.ntp.org
# UBUNTU  ..............................
#5 7 * * * /usr/bin/apt -y update && /usr/bin/apt -y upgrade
# CENTOS 6/7 ...........................
# upgrade
#5 7 * * * /usr/bin/yum -y update
# CENTOS 8 .............................
# upgrade
#5 7 * * * /usr/bin/dnf -y update
  • perl

Fip requires perl to be /perl/bin/perl

mkdir -p /perl/bin
which perl
ln -s `which perl` /perl/bin
ls -l /perl/bin

/perl/bin/perl -v
  • add fip user
which tcsh
mkdir /fip
useradd -d /home/fip -m -s /usr/bin/tcsh fip
or
usermod -s /usr/bin/tcsh fip
passwd fip
  • lock down ssh

Make a copy of /etc/ssh/sshd_config and edit accordingly. Other users/logins should be added if required; fip is the only necessary one. Make sure to comment out lines with the same keywords further down the file.

Be very careful editing this file as you can lock yourself out completely very easily .. and you have to trash the instance and restart !

PermitRootLogin no
AllowUsers fip fipdata
X11Forwarding no
PermitTunnel no

restart

systemctl status sshd.service
systemctl restart sshd.service
systemctl status sshd.service
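
One way to confirm the edit before restarting sshd, as an added example that is not part of the original FIP documentation. The function names `list_settings` and `check_fip_sshd` and the sample file are made up for illustration; the expected values are the four lines shown above.

```shell
#!/bin/sh
# Added example, not part of the FIP documentation.
# A keyword repeated further down sshd_config is either ignored (sshd keeps the
# first value) or, for AllowUsers, appended to the list, so each keyword set in
# this step should appear exactly once.

# list_settings FILE KEYWORD -> one "LINE:VALUE" per uncommented line setting KEYWORD
list_settings() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        {
            n = match(line, /[ \t=]/)          # keyword ends at blank or "="
            if (n == 0) next
            key = substr(line, 1, n - 1)
            val = substr(line, n + 1)
            gsub(/^[ \t=]+|[ \t]+$/, "", val)  # trim separator and trailing blanks
            gsub(/[ \t]+/, " ", val)
            if (tolower(key) == tolower(k)) print NR ":" val
        }' "$1"
}

# check_fip_sshd FILE -> 0 if every keyword is set once, to the value from this page
check_fip_sshd() {
    rc=0
    while IFS='|' read -r key want; do
        found=$(list_settings "$1" "$key")
        count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
        first=$(printf '%s\n' "$found" | head -n 1)
        if [ "$count" -eq 0 ]; then
            echo "MISSING   $key (want: $want)"; rc=1
        elif [ "${first#*:}" != "$want" ]; then
            echo "WRONG     $key = ${first#*:} on line ${first%%:*} (want: $want)"; rc=1
        fi
        if [ "$count" -gt 1 ]; then
            echo "REPEATED  $key on lines $(printf '%s\n' "$found" | cut -d: -f1 | tr '\n' ' ')"; rc=1
        fi
    done <<EOF
PermitRootLogin|no
AllowUsers|fip fipdata
X11Forwarding|no
PermitTunnel|no
EOF
    return "$rc"
}

# Constructed sample: edited lines at the top, a stale distribution default below.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin no' 'AllowUsers fip fipdata' 'X11Forwarding no' \
    'PermitTunnel no' '#PermitRootLogin prohibit-password' 'X11Forwarding yes' > "$sample"
check_fip_sshd "$sample" || echo "fix the lines above before restarting sshd"
rm -f "$sample"

# On the server: check_fip_sshd /etc/ssh/sshd_config && sshd -t && systemctl restart sshd.service
```
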
  • fstab - check for noAtime

Fip requires the access time, Atime, to be tracked on all files/folders. If not Fip will run the system at 100% !

more /etc/fstab and if the option 'noatime' is on ANY disk you want Fip to poll,

- copy /etc/fstab
- edit /etc/fstab
- remove the 'noatime' option from that disk
- reboot to check
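
The fstab check above as a script, added here as an example and not part of the original FIP documentation. The function names `noatime_mounts` and `without_noatime` and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the FIP documentation.

# noatime_mounts FSTAB -> mount points whose option list (field 4) contains noatime
noatime_mounts() {
    awk '$1 !~ /^#/ && NF >= 4 {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "noatime") { print $2; break }
        }' "$1"
}

# without_noatime FSTAB -> fstab text with noatime removed from field 4;
# an option list that becomes empty is replaced by "defaults"
without_noatime() {
    awk '$1 ~ /^#/ || NF < 4 { print; next }
         {
            n = split($4, opt, ","); out = ""
            for (i = 1; i <= n; i++)
                if (opt[i] != "noatime") out = (out == "" ? opt[i] : out "," opt[i])
            if (out == $4) { print; next }      # untouched lines keep their spacing
            $4 = (out == "" ? "defaults" : out); print
         }' "$1"
}

# Constructed sample fstab: one clean disk, two disks mounted with noatime.
fstab=$(mktemp)
printf '%s\n' '# constructed sample' \
    'UUID=aaaa / ext4 defaults 0 1' \
    'UUID=bbbb /fip ext4 defaults,noatime 0 2' \
    '/dev/sdc1   /data   xfs   noatime   0 0' > "$fstab"
echo "noatime is set on:"; noatime_mounts "$fstab"
echo "proposed fstab:";    without_noatime "$fstab"
rm -f "$fstab"

# On the server: cp /etc/fstab /etc/fstab.bak, write without_noatime /etc/fstab
# to a new file, compare it with diff, then install it and reboot to check.
```
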

  • selinux off

turn it off if client will accept

check status

which sestatus
/sbin/sestatus

change status

vi /etc/selinux/config
SELINUX=disabled
##SELINUX=enforcing

...and ++++ REBOOT ++++

  • selinux on

if selinux must remain on

semanage fcontext -a -t system_u "/fip"
semanage fcontext -a -t object_r "/fip"
semanage fcontext -a -t httpd_sys_content_t "/fip(/.*)?"
semanage fcontext -a -t httpd_sys_script_exec_t "/fip/bin(/.*)?"
semanage fcontext -a -t httpd_sys_script_exec_t "/fip/local(/.*)?"
semanage fcontext -a -t httpd_sys_script_exec_t "/fip/web(/.*)?"
restorecon -R -v /fip
semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/html/nono(/.*)?"
restorecon -R -v /var/www/html/nono
semanage fcontext -a -t httpd_sys_script_exec_t "/perl/bin(/.*)?"
restorecon -R -v /perl/bin

is cgi enabled for http access?

getsebool -a | grep http

should yield

httpd_enable_cgi -> on

if not, run

setsebool -P  httpd_enable_cgi 1

Then

chcon -R -t httpd_sys_rw_content_t /fip
chcon -R -t httpd_sys_script_exec_t /fip/bin
chcon -R -t httpd_sys_script_exec_t /fip/local
chcon -R -t httpd_sys_script_exec_t /fip/web/fip-cgi
chcon -R -t httpd_sys_content_t /fip/help
chcon -R -t httpd_sys_content_t /fip/info
chcon -R -t httpd_sys_content_t /fip/sfftables
chcon -R -t httpd_sys_content_t /fip/tables
chcon -R -t httpd_sys_content_t /fip/zsav
chcon -R -t httpd_sys_script_exec_t /perl/bin

Windows

1. Security and Environment
  • Administrative account

For Windows 10 you MUST run Explorer and CMD in Administrator mode by right-clicking and selecting : Run as Administrator

  • Explorer settings

Windows Explorer hides certain files and extensions by default. During the Fingerpost Installation process, you must be able to verify that certain files have the correct extensions. Use Folder Options/View tab in Windows Explorer and ensure that you:

  • Show hidden files, folders and drives
  • Click off Hide file extensions for known file types

During the installation process, you must edit certain Fingerpost parameter files using Notepad. When you save a file with Notepad, ensure that you put quotes on either side of the file name e.g. “NTM.FIP” when saving the file to ensure that Notepad does not add the .txt extension to the file.

  • Environment Variables

Specify a path to the D:\Fip\bin folder by adding it to the environment variable PATH

  1. On the Windows 10 Desktop, navigate to Control Panel > System and Security > System
  2. Select Advanced system settings
  3. Select Environment Variables and under System variables find the Path variable, click on Edit and add 2 new paths: D:\fip\bin and D:\fip\local. Click on OK three times to close the System Properties dialog.
  • Stop Index Server tracking on the Fip drive

Make sure Index server tracking is off by opening an Explorer and :

  • Right-click on FIP on drive D
  • Select Properties
  • Click on Advanced under General
  • Make sure the check box is clear for "Allow files in this folder to have contents indexed in addition to the file properties" and click OK
  • If you changed it, click on APPLY on the main menu and, if asked to confirm Attribute Change, Apply the changes to this folder, subfolders and files
2. Perl
  • Install Strawberry Perl

ActivePerl now requires a license

Using Explorer, double click on the downloaded Strawberry Perl MSI

  • NOTE - You MUST manually change path in text box to root of fipdrive (for example, D:)

change:

    C:\Strawberry

to

    (fipdrive):\

click "Next", click "Install", Deselect "Read me", click "Finish"

This will create \perl\bin containing perl.exe needed for all FIP cgis - ON THE SAME DRIVE AS /fip

It will also automatically write paths to Environment variables

Check/update System Environment variables

Click : Windows Button -> Run -> system
    select Environment Variables

CHECK Strawberry Perl path exists and is on the FipDrive

OPTIONALLY if Fip w4 admin uses Apache

Check that fip.conf file for Apache contains SetEnv PERL5LIB (fipdrive):/fip/web/fip-cgi

if not, add and re-start Apache

  • CHECKS - Test perl

Open a NEW CMD window (NOT an existing one started before changing/checking the Environment variables) and navigate to the FipDrive eg D:

Type 'set' and check that the PATH env includes the correct path for Strawberry Perl

Type perl -v

This should respond with a banner of a few lines such as :

    This is perl 5, version 26, subversion 1 (v5.26.1) built for x86_64-linux-gnu-thread-multi
    (with 67 registered patches, see perl -V for more detail)

Type \perl\bin\perl -v

This should respond with the same banner

  • Cleanup

Create /fip/zsav/Strawberry on the FipDrive

Move these files + folders in the Top Level '\' to /fip/zsav/Strawberry

    \DISTRIBUTIONS.txt
    \README.txt
    \relocation.txt
    \c
    \cpan
    \licenses
    \win32

REBOOT

3. Apache (optional)

The apache install program may be found either in the Release Media under the folder fip/3rdParty or can be downloaded from www.apache.org

  • Run the Apache.xxx.msi

As each Apache install is different, please refer to their documentation.

Depending on the version of Apache, either copy fip.conf to the \ApacheXX\conf\extra folder or edit the httpd.conf file in \ApacheXX\conf, adding

Alias /fip-pages/ "/fip/web/pages/"
ScriptAlias /fip-cgi/ "/fip/web/fip-cgi/"

In some versions of Apache, you may have to also add

<Directory "/fip/web/fip-cgi"> 
  AllowOverride None
  Options ExecCGI
  Order allow,deny
  Allow from all
</Directory>
  • Install OpenSSL - OPTIONAL - pls check beforehand if this is required

If you are installing on a NEW SERVER ONLY, you will need to add the OpenSSL layer. This comprises two 'exe' files which need to be installed

THIS NEEDS TO BE DONE ONCE ONLY – there is no need to re-install on every Fip build.

Microsoft Visual C++ 2008 Redistributable Package

  • vcredit_x86.exe

Win32 OpenSSL v0.9.8l Light

  • Win32OpenSSL_Light-0_9_8l.exe

Open an Explorer window, navigate to your installation folder and double click on vcredit_x86.exe to run/install

Then double click on Win32OpenSSL_Light-0_9_8l.exe to run/install

In both cases, please accept all default settings for any prompts.


Install and Configure FIP - linux

1. Requirements
  • latest FIP binaries
  • FingerPost license
  • tar or zip of FIP parameter files (if moving from an already existing FIP server)
2. Install
  • sym link

    The FIP system must be under /fip

    So if the fip binaries and tables are physically anywhere else on the disk, create a symbolic link from /fip. For example:

    ln -s /home/fip /fip
    chown -R fip:fip /fip
  • unzip FIP binaries and parameter files

at this point there should be:

/fip/bin
/fip/fix
/fip/tables
/fip/sfftables
/fip/local
/fip/web

... but no temporary directories (such as /fip/spool/* or /fip/x, etc) yet

  • licence

Copy the FIP license to /fip/fix. The license file should be named "fiplick" with a hostname extension, for example

fiplick.fip01

If you don't yet have a license you can generate a temporary one HERE

  • ipmgr

Run

/fip/bin/ipmgr -install
  • creates temp and working directories
  • checks license

If there are any errors, double-check: hostname, ip address, name of fiplick file in /fip/fix

3. Tuning
  • Parameter files with hostnames

in /fip/tables/sys replace old hostname(s) with new hostname(s) in:

  REDUN
  BALANCE
  DEST_REDUN
  TABLES_HOSTS

in tables/route grep all files with lines beginning:

  %SZ:
or
  SZ:

...and replace hostname(s)

4. Apache on Ubuntu
  • Requirements
    • 50-fipsite.conf
    • index.html (fip version for fip w4)

  • general conf files

in /etc/apache2/envvars make 'fip' user and group

export APACHE_RUN_USER=fip
export APACHE_RUN_GROUP=fip

in /etc/apache2/ports.conf check that it has both ports 443 and 80

Listen 80
<IfModule ssl_module>
    Listen 443
</IfModule>
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

  • add mods

Run:

a2enmod cgi
a2enmod mime
a2enmod ssl
a2enmod rewrite

  • fip conf file

in /etc/apache2/sites-available add 50-fipsite.conf file

vi /etc/apache2/sites-available/50-fipsite.conf and change ServerName under port 80 and port 443

    ServerName yourserver

  • SSL certificates

copy (or create) SSL certificate and key files and place in /fip/tables/cert (see openssl doc for self-signed certs if you have none)


  • DocumentRoot

create DocumentRoot directory and copy over index.html

mkdir /var/www/html/nono 
cp /fip/web/setup/index.html /var/www/html/nono

  • Test

Run and check for errors:

apachectl -S

if OK re-start and test from browser

apachectl stop ; apachectl start

  • Startup

set to start automatically

systemctl enable apache2
      Synchronizing state of apache2.service with SysV service script with /lib/systemd/systemd-sysv-install.
      Executing: /lib/systemd/systemd-sysv-install enable apache2
systemctl daemon-reload
systemctl restart apache2
systemctl status apache2
4. Apache on Centos
  • Requirements
    • 50-centos7.generic.conf
    • index.html (fip version for fip w4)

  • general conf file

apache is under /etc/httpd

cd /etc/httpd

httpd.conf - copy original and modify

cp conf/httpd.conf conf/httpd.(date)
vi conf/httpd.conf

in conf/httpd.conf change user and group to fip

    #User apache
    #Group apache
    User fip
    Group fip

...and add .pl to "AddHandler cgi-script" line

    AddHandler cgi-script .api .pl

...and check that this line is NOT commented out:

    IncludeOptional conf.d/*.conf

...and add ports 80 and - if using https - port 443

    Listen 80
    Listen 443
  • fip conf file

copy generic file from /fip/local, rename and edit

    cp /fip/local/50-centos7.generic.conf /etc/httpd/conf.d/50-centos7.NAME.conf
    vi conf.d/50-centos7.NAME.conf

change instances of ServerName to hostname

    ServerName yourserver

  • SSL certificates

copy (or create) SSL certificate and key files and place in /fip/tables/cert (see openssl doc for self-signed certs if you have none)


  • DocumentRoot

create DocumentRoot directory and copy over index.html

mkdir /var/www/html/nono
cp /fip/web/setup/index.html /var/www/html/nono

  • Test

Run and check for errors:

apachectl -S

if OK re-start and test from browser

systemctl enable httpd.service
systemctl stop httpd.service
systemctl start httpd.service
systemctl status httpd.service

5. FIP startup

Required files in /fip/local:

  • fipSYSD.service
  • fipSYSDstart
  • fipSYSDstop
  • rc.fip

Run and note if graphical or multi-user

systemctl get-default

...then vi fipSYSD.service and make sure last parameter matches 'systemctl get-default'

Put fipSYSD.service in place and install

cp /fip/local/fipSYSD.service /etc/systemd/system
chmod 664 /etc/systemd/system/fipSYSD.service

systemctl enable fipSYSD
systemctl daemon-reload
systemctl status fipSYSD

test by reboot


FIP for Windows

1. Requirements
  • latest FIP binaries
  • FingerPost license
  • zip of FIP parameter files (if moving from an already existing FIP server)
2. Install
  • Create the top fip folder, using a CMD window on the drive chosen

If the software is to be on the 'D' drive, switch to the 'D' drive and create the 'fip' folder

C:>D:
D:>mkdir \fip
  • Unzip binaries and parameter files in a temporary folder

Move the binaries from bWin2k.bins.(date).zip so they are in the folder

d:\fip\bin

There should be no subfolders under \fip\bin.

Move the parameter files from Fip.(yourcode).(date).zip to

d:\fip

These subfolders are named

d:\fip\fix
d:\fip\help
d:\fip\info
d:\fip\install
d:\fip\local
d:\fip\tables
d:\fip\web

Move the parameter files from Fip.3rdparty.(date).zip to

d:\fip\3rdParty
3. Build

Navigate to D:\fip\bin

D:
cd \fip\bin

Then run

ipmgr -install

...and check that the Fip Licence is correct

4. Install the service

In a CMD window, navigate to \fip\bin on the correct drive and run

ipntsvce -install

Navigate to Start Menu->Windows Administrative Tools->Services

Locate the Fip Comms Manager Service, right click on it and select Properties

If needed: in the Properties window, under the Log On tab, change Log on as: from "Local System account" to whichever account will have admin access to read/write files on remote drives

In the Properties window in the General tab change Startup type: to Automatic

Also in the Properties window under Service status: select Start

A message should confirm that the service installed correctly. Any errors should be noted and reported.

In a CMD window run ip (FIP command line interface)

d:\fip\bin\ip

...and check to see if processes have started

s all

...and check for errors

f
5. Nightly Maintenance

In Scheduled tasks, the D:\Fip\local\zapfiplog.cmd script should be set to run every night.

Navigate to Start Menu->Windows Administrative Tools->Task Scheduler

Under Actions select Create Basic Task, and in Basic Task Wizard enter:

  • Name: fip maintenance
  • Description: (optional)
    • Next
  • When do you want the task to start?
  • Daily
    • Next
  • Choose a start time, for example
  • 23:55
    • Next
  • Action:
  • Start a program
    • Next
  • Program/script:
  • D:\fip\local\zapfiplog.cmd
    • Next
  • Check the Open Properties dialog for this task when I Finish
  • Check values and select
  • Finish

In the fip maintenance Properties window select Change User or Group and set it to whichever logon is set for the FIP Comms Manager service

Also select Run whether user is logged on or not

Click OK