Deployment

Carinet Responsibilities

Provision hardware and VMs

All machines

  • OS: CentOS 5, 64-bit

Software requirements

Install Apache web server on the web server VM.
All other software will be installed by city employees.

Security

Physical server security: assumes the data center is secured.
OS kernel security: assumes the VMware installation has the latest kernel updates/patches.
Do not enable SELinux.

SSH Access

All access will be through SSH.
The city will provide public keys for those who will have root access.

All services shall be disabled unless otherwise requested.

This shall include the following:

  • NFS
  • FTP
  • incoming mail

The following services shall be enabled.

  • outgoing mail
  • SSH
  • firewall

Firewall Configuration

Web Server VM
Allow inbound access:

  • SSH
  • port 80

Geo Server VM
Allow inbound access:

  • SSH
  • port 8080 from web server

DB Server VM
Allow inbound access:

  • SSH
  • port 5432 from web server
  • port 5432 from geo server

TCP Wrapper

Can we restrict port-level access?

  • web
  1. Allow requests from all hosts on port 80
  2. Allow SSH requests from all hosts
  3. Deny requests on all other ports
  • geo
  1. Allow requests from the web server on port 8080
  2. Allow SSH requests from all hosts
  3. Deny requests from all other hosts on port 8080
  • db
  1. Allow requests from the web and geo servers on port 5432
  2. Allow SSH requests from all hosts
  3. Deny requests from all other hosts on port 5432
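The per-VM firewall policy and the TCP wrapper question above, as an added example that is not part of the original page: a small POSIX shell script that generates the iptables rules for each role (CentOS 5 era iptables syntax). The web and geo server addresses are constructed placeholders, not values from the page.

```shell
# Added example, not from the original page: emit the iptables commands that
# implement the per-VM policy above (CentOS 5 era iptables syntax).
# The addresses are constructed placeholders; override them via the environment.
WEB_IP="${WEB_IP:-10.0.0.10}"   # placeholder: web server VM
GEO_IP="${GEO_IP:-10.0.0.20}"   # placeholder: geo server VM

# fw_rules ROLE  -> prints the rules for ROLE (web | geo | db) on stdout.
# Nothing is applied here; review the output, then pipe it to sh as root.
fw_rules() {
    role="$1"
    case "$role" in web|geo|db) ;; *) echo "unknown role: $role" >&2; return 1 ;; esac
    cat <<'EOF'
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
EOF
    case "$role" in
        web) echo "iptables -A INPUT -p tcp --dport 80 -j ACCEPT" ;;
        geo) echo "iptables -A INPUT -p tcp -s $WEB_IP --dport 8080 -j ACCEPT" ;;
        db)  echo "iptables -A INPUT -p tcp -s $WEB_IP --dport 5432 -j ACCEPT"
             echo "iptables -A INPUT -p tcp -s $GEO_IP --dport 5432 -j ACCEPT" ;;
    esac
    # Log whatever falls through, then refuse it: the chain policy is the deny rule,
    # so every port not listed above is closed without a rule per port.
    echo 'iptables -A INPUT -j LOG --log-prefix "fw-drop: "'
    echo "iptables -P INPUT DROP"
}

# allowed_ports ROLE -> the TCP destination ports ROLE accepts (from anywhere or
# from a named peer), derived from the generated rules so the policy can be checked.
allowed_ports() {
    fw_rules "$1" | sed -n 's/.*--dport \([0-9]*\) .*/\1/p' | sort -nu | xargs echo
}

if [ $# -gt 0 ]; then fw_rules "$1"; fi
```

TCP wrappers (/etc/hosts.allow, /etc/hosts.deny) only cover daemons linked against libwrap, such as sshd; Tomcat on 8080 and PostgreSQL on 5432 are not, so the per-port source restrictions have to come from iptables, with pg_hba.conf as a second layer for PostgreSQL.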

Packages/Modules: bare-bones install from VMware on all servers, with the firewall enabled and a package manager (yum or apt-get) installed

SFGov Responsibilities

Install application software including the following:

  • Java virtual machine
  • Tomcat
  • PostgreSQL

Set up appropriate new users, restricting root access

File system security: Umask settings, setting up appropriate file permissions
Password & Access security: Use of public/private keys, SSH tunnels.

Tests
  1. Connect to the geo server from the city using an SSH tunnel.