Tip: The Insights installation scripts have been tested on the versions listed below. Other OS flavours may have issues with the scripts that need to be addressed individually. Run one script at a time, and move on to the next step only when the current one has completed successfully.
Please check the software, hardware and open-port information before starting the installation.

Linux server, 64-bit, 24 GB RAM and 500 GB HDD, two in number: one for the databases and one for hosting the applications and other tools.
Steps for httpd configuration in RHEL

Step 1: The httpd packages are already present on the server; install them using the following commands.

Step 2: In server-config.json (location: $INSIGHTS_HOME/.InSights) change the grafanaEndpoint value:

    "grafanaEndpoint": "http://ip:3000"
to
    "grafanaEndpoint": "http://ip/grafana"

Step 3: In uiConfig.json (location: TOMCAT_HOME/webapps/app/config) change the Grafana host:

    "grafanaHost": "http://ip:3000",
to
    "grafanaHost": "http://ip/grafana",

and, in the same file, change the service host:

    "serviceHost": "ip:8080",
to
    "serviceHost": "ip",

Step 4: Create a file named custom.ini in /opt/grafana/conf and add the following contents.

Step 5: Restart Grafana.

Step 6: Restart Tomcat.
Install Apache2 httpd

Step 1: sudo yum install httpd
Step 2: sudo systemctl enable httpd.service

Install Mod SSL

Step 3: sudo yum install mod_ssl

Create a New Certificate

Step 4: sudo mkdir /etc/ssl/private
Step 5: sudo chmod 700 /etc/ssl/private
Step 6: sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

Fill out the prompts appropriately. The most important line is the one that requests the
The full list of prompts will look something like this:

Both of the files you created will be placed in the appropriate subdirectories of the
Note that a certificate produced this way carries only a Common Name and no subjectAltName. Chrome has ignored the Common Name since version 58 and accepts a certificate only if a subjectAltName entry matches the host name users browse to, so add one for the Insights host the same way as in the Subject Alternative Name fix under Troubleshooting in the Neo4j section.

While we are using OpenSSL, we should also create a strong Diffie-Hellman group, which is used in negotiating Perfect Forward Secrecy with clients. We can do this by typing:

Step 7: sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This may take a few minutes, but when it's done you will have a strong DH group at
Since the version of Apache that ships with CentOS 7 does not include the
Step 8: cat /etc/ssl/certs/dhparam.pem | sudo tee -a /etc/ssl/certs/apache-selfsigned.crt

Step 8 appends the DH parameters to the certificate file, which is where older mod_ssl versions read them from. Repeat it after every certificate renewal, otherwise the custom DH group is silently lost.

Set Up the Certificate

Step 9: sudo vi /etc/httpd/conf.d/ssl.conf

Adjusting the VirtualHost Directives
First, uncomment the
Next, uncomment the
File contents: /etc/httpd/conf.d/ssl.conf
Next, find the
File contents: /etc/httpd/conf.d/ssl.conf
Find the
File contents: /etc/httpd/conf.d/ssl.conf
Open httpd-vhosts.conf and, in the <VirtualHost *:443> section inside <IfModule mod_proxy_ajp.c>, add the following line, replacing <hostname> with the origin of your application server (e.g. 'https://insight.devops.com'):

    Header set Access-Control-Allow-Origin '<hostname>'

The value must be the exact origin the browser loads the Insights UI from (scheme and host, no trailing path). Do not use '*' here: browsers reject a wildcard origin for requests that carry credentials such as cookies or an Authorization header.
We're now done with the changes within the actual

Setting Up Secure SSL Parameters
The choice of which config you use will depend largely on what you need to support. Both will provide good security. For our purposes, we can copy the provided settings in their entirety and make just two small changes. The other change we will make is to comment out the
Paste in the settings from the site AFTER the end of the
File contents: /etc/httpd/conf.d/ssl.conf

When you are finished making these changes, save and close the file.

First, check your configuration file for syntax errors by typing:

Step 11: sudo apachectl configtest

As long as the output ends with
Step 13: In server-config.json (location: /usr/INSIGHTS_HOME/.InSights) change the grafanaEndpoint value:

    "grafanaEndpoint": "http://ip:3000"
to
    "grafanaEndpoint": "http://ip/grafana"

Step 14: In uiConfig.json (location: TOMCAT_HOME/webapps/app/config) change the Grafana host:

    "grafanaHost": "http://ip:3000",
to
    "grafanaHost": "http://ip/grafana",

and, in the same file (location: /opt/apache-tomcat/webapps/app/config), change the service host:

    "serviceHost": "ip:8080",
to
    "serviceHost": "ip",

Step 15: Create a file named custom.ini in /opt/grafana/conf and add the following contents:

    [server]

Restart Grafana, then restart Tomcat.

Once Grafana and Tomcat are served through httpd, ports 3000 and 8080 no longer need to be reachable from clients; restrict them in the firewall so that the TLS front end cannot be bypassed.

Step 16: Follow the steps in the next section to establish secure encrypted communication between the Insights application box and the Neo4j database box.
Objective: The customer wants secured, encrypted communication between the Insights application box and the Neo4j database box. In a typical Insights customer implementation there are two boxes: Server-1 contains all Insights components except the Neo4j database, and Server-2 contains the Neo4j database. The Insights application fetches data from Neo4j and displays it in the various screens of the Insights UI, and the Insights dashboards (Grafana) also fetch data from Neo4j for their panels. Until now those database connections were neither encrypted nor over HTTPS.

This document describes how to create an HTTPS connection to the Neo4j database.
    $neo4j-home> ls certificates
    -r-------- ... neo4j-selfsigned.key
    -rw-r--r-- ... neo4j-selfsigned.crt
    drwxr-xr-x ... revoked
    drwxr-xr-x ... trusted

The private key must stay readable only by the user Neo4j runs as, as in the listing above.

5. The following properties should be uncommented and set as shown inside neo4j.conf to enable SSL access to Neo4j:

    dbms.connectors.default_listen_address=0.0.0.0
    dbms.connectors.default_advertised_address=<<hostname or IP address of the Neo4j server under which it will be accessed>>

    # Bolt connector
    dbms.connector.bolt.enabled=true
    dbms.connector.bolt.tls_level=REQUIRED
    dbms.connector.bolt.listen_address=0.0.0.0:7687

    # HTTP connector. There can be zero or one HTTP connectors.
    dbms.connector.http.enabled=false
    dbms.connector.http.listen_address=0.0.0.0:7474

    # HTTPS connector. There can be zero or one HTTPS connectors.
    dbms.connector.https.enabled=true
    dbms.connector.https.listen_address=0.0.0.0:7473

    # SSL system configuration
    bolt.ssl_policy=default
    https.ssl_policy=default

    # SSL policy configuration
    # Mandatory setting
    dbms.ssl.policy.default.base_directory=/opt/NEO4J_HOME/neo4j-Insights/certificates
    dbms.ssl.policy.default.allow_key_generation=false
    #dbms.ssl.policy.default.trust_all=false
    dbms.ssl.policy.default.private_key=/opt/NEO4J_HOME/neo4j-Insights/certificates/neo4j-selfsigned.key
    dbms.ssl.policy.default.public_certificate=/opt/NEO4J_HOME/neo4j-Insights/certificates/neo4j-selfsigned.crt
    dbms.ssl.policy.default.trusted_dir=/opt/NEO4J_HOME/neo4j-Insights/certificates/trusted
    dbms.ssl.policy.default.client_auth=NONE

dbms.connector.bolt.tls_level must be REQUIRED, not OPTIONAL: with OPTIONAL a client can still open an unencrypted Bolt session, which defeats the purpose of this setup. HTTP access is disabled by setting dbms.connector.http.enabled=false, so only the HTTPS connector on 7473 and TLS-only Bolt on 7687 remain.

Note: For Neo4j version 3.5.8, the full (absolute) path of the certificate and key files must be given inside neo4j.conf; relative paths are not resolved there. Neo4j 4.4.1 resolves relative paths.

For Neo4j version 4.4.1: the 4.0 series of Neo4j has some key differences from 3.5 in how SSL is configured. There is a directory of certificates per "connector" (bolt, https, cluster), and the configuration options have changed:

    dbms.ssl.policy.https.base_directory=https
    dbms.ssl.policy.https.client_auth=NONE

In 4.x a policy takes effect only when its enabled setting (dbms.ssl.policy.https.enabled, and likewise for bolt) is true; check neo4j.log after a restart for the connectors reporting TLS.

NOTE: If you are using certificates and SSL, you should strongly consider disabling HTTP access on port 7474 to your Neo4j instance.

Neo4j Data Source Configuration inside Grafana: We need to create a secured Neo4j data source inside Grafana to show panels and dashboards. If a Neo4j data source already exists inside Grafana, modify it by following these steps; otherwise create a new secured Neo4j data source using the same steps.
We need to provide this HTTPS URL of Neo4j inside the graph section of the server-config.json file. PlatformService, PlatformDAL and PlatformEngine will use this secured URL.

Troubleshooting

Issue 1
We saw the following error when PlatformEngine tried to insert data into Neo4j over the secured connection:

    t=2022-04-29 13:24:09 lvl=ERROR [pool-3-thread-6]:WebHookDataSubscriber.handleDelivery()100 :: message= toolName=GITLAB agentId=gitLab_jobs routingKey=IPW_gitLab_jobs Error while storing Webhook data
    javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching <HOST name of Neo4j box> found.
        at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:261) ~[PlatformEngine.jar:8.9]
        at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:296) ~[PlatformEngine.jar:8.9]
        at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$1(JerseyInvocation.java:623) ~[PlatformEngine.jar:8.9]
        at org.glassfish.jersey.client.internal.HttpUrlConnector._apply(HttpUrlConnector.java:361) ~[PlatformEngine.jar:8.9]
        at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:259) ~[PlatformEngine.jar:8.9]
        ... 20 more
    Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching <HOST name of Neo4j box> found.
        at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:230) ~[?:1.8.0_312]

Resolution: Java validates the server certificate against the host name in the URL, and this error means that no subjectAltName (SAN) entry of the Neo4j certificate matches the host name of the Neo4j box. The fix is to set the subjectAltName extension in openssl.cnf to the host name (or IP address) by which the Neo4j box is addressed in server-config.json and to regenerate the certificate. The value must match exactly: if server-config.json refers to Neo4j by host name, a DNS entry is needed; if it refers to it by IP address, an IP entry is needed, because Java never matches an IP address against a DNS entry or the Common Name. Complete the following steps to remove this error.
Add the following section to openssl.cnf to bind the certificate to the host name of the Neo4j box:

    [ subject_alt_name ]
    subjectAltName = DNS:<HOST name of Neo4j box>

If you would like to use the IP address of the Neo4j box instead, the section looks like this inside openssl.cnf:

    [ subject_alt_name ]
    subjectAltName = IP:<IP of Neo4j box>

Then regenerate the key and certificate, selecting that section with -extensions:

    sudo openssl req -x509 -nodes -days 730 -newkey rsa:2048 -config openssl.cnf -extensions subject_alt_name -keyout /etc/ssl/private/neo4j-selfsigned.key -out /etc/ssl/certs/neo4j-selfsigned.crt

Confirm that the new certificate shows the expected subjectAltName before copying the two files into the Neo4j certificates directory and restarting Neo4j. Because the certificate has changed, repeat any truststore import (Issue 2 below) with the new file, and reload the Grafana data source.
Issue 2
Error:

    2023-02-07 14:10:39 DEBUG [EngineAggregatorModule]:modules.users.EngineUsersModule.createEngineStatusNode()46 DEBUG:: Engine version
    2023-02-07 14:10:39 ERROR [EngineAggregatorModule]:core.util.SystemStatus.addSystemInformationInNeo4j()54 ERROR:: Neo4j Node not created
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Solution: The JVM running the Insights Engine does not trust the self-signed Neo4j certificate. Add the Neo4j certificate to the Java truststore on the server where the Insights Engine is installed using the following command.

Note: The default password for the keystore is 'changeit'. Verify the installed certificates with the following command:

    ./keytool -list -keystore /opt/jdklinux/jre/lib/security/cacerts

Once the imported certificate appears in the list, restart the Engine and confirm that data is being written to Neo4j. Import into the cacerts of the JDK that actually runs the Engine (which may not be the one under /opt/jdklinux); a JDK upgrade replaces that file, so the import must be repeated after upgrades and whenever the Neo4j certificate is regenerated.
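As an added example (not part of the Insights documentation or the product's own scripts), the following script turns the fixes for Issue 1 and Issue 2 into checkable functions. It generates the Neo4j self-signed certificate with a subjectAltName that carries both the DNS name and the IP address of the Neo4j box, so the same certificate validates whether server-config.json or the Grafana data source names the box by host name or by IP; it verifies the certificate against a host name with openssl, which fails in the same situation Java's HostnameChecker does; and it imports the certificate into the JVM truststore with keytool. The host name neo4j.example.internal, the IP 10.0.0.5, the output directory, the cacerts path and the alias are assumptions for illustration; 'changeit' is the JDK default password noted above. The same generator can be used for the Apache certificate in Step 6 of the httpd section, since browsers require a subjectAltName as well.

```shell
#!/usr/bin/env bash
# Added example, not part of the Insights documentation or product.
# Generates a self-signed Neo4j certificate whose subjectAltName carries both
# the DNS name and the IP address of the Neo4j box (Issue 1), checks the
# certificate against a host name the way a TLS client does, and imports it
# into the JVM truststore used by the Insights Engine (Issue 2).
# Assumed values: host neo4j.example.internal, IP 10.0.0.5, the output
# directory, the cacerts path and the alias; "changeit" is the JDK default.
set -euo pipefail

# make_neo4j_cert HOST IP OUTDIR [DAYS]
# Writes OUTDIR/neo4j-selfsigned.key (mode 600) and OUTDIR/neo4j-selfsigned.crt.
# The SAN section is selected with -extensions, as in the page's command; a
# DNS and an IP entry are both included so the certificate validates whether
# the Neo4j URL uses the host name or the IP address.
make_neo4j_cert() {
    local host="$1" ip="$2" outdir="$3" days="${4:-730}"
    mkdir -p "$outdir"
    chmod 700 "$outdir"
    cat > "$outdir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = $host

[ subject_alt_name ]
subjectAltName = DNS:$host,IP:$ip
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -config "$outdir/openssl.cnf" -extensions subject_alt_name \
        -keyout "$outdir/neo4j-selfsigned.key" \
        -out "$outdir/neo4j-selfsigned.crt" 2>/dev/null
    chmod 600 "$outdir/neo4j-selfsigned.key"
}

# cert_has_san CRT ENTRY
# Succeeds if ENTRY (e.g. "DNS:neo4j.example.internal" or
# "IP Address:10.0.0.5") appears in the certificate's subjectAltName.
cert_has_san() {
    local san
    san=$(openssl x509 -in "$1" -noout -ext subjectAltName)
    case "$san" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# verify_hostname CRT HOST
# Reproduces the Issue 1 check: a self-signed certificate is its own trust
# anchor, so -CAfile points at the certificate itself; the verify then fails
# with "hostname mismatch" unless a SAN entry matches HOST.
verify_hostname() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# import_into_jvm_truststore CRT CACERTS ALIAS [STOREPASS]
# Issue 2 fix: add the certificate to the cacerts of the JVM that runs the
# Insights Engine, then list the alias to confirm it landed. Needs keytool,
# so it is not exercised by an offline test; back up CACERTS first.
import_into_jvm_truststore() {
    local crt="$1" cacerts="$2" alias="$3" pass="${4:-changeit}"
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -file "$crt" -keystore "$cacerts" -storepass "$pass"
    keytool -list -keystore "$cacerts" -storepass "$pass" -alias "$alias"
}

# Stand-alone usage: ./neo4j-san-cert.sh neo4j.example.internal 10.0.0.5 ./certs
if [ "$#" -ge 3 ]; then
    make_neo4j_cert "$1" "$2" "$3"
    verify_hostname "$3/neo4j-selfsigned.crt" "$1" && echo "SAN check OK for $1"
fi
```

Run it as ./neo4j-san-cert.sh <host> <ip> <outdir>, copy the two files into the Neo4j certificates directory referenced by dbms.ssl.policy.default.private_key and public_certificate, restart Neo4j, and then call import_into_jvm_truststore on the Insights Engine box (for example with /opt/jdklinux/jre/lib/security/cacerts and the alias neo4j). The verify step uses the certificate as its own trust anchor, which is exactly what the truststore import achieves for the JVM; a certificate that fails verify_hostname here will fail in PlatformEngine for the same reason.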