Deployment
Carinet Responsibilities
Provision hardware and VMs
All machines
- OS: CentOS 5 64-bit
Software requirements
Install Apache web server on the web server VM.
All other software will be installed by city employees.
Security
Physical server security: Assumes data center is secured
OS kernel security: Assumes VMware installation has latest kernel updates/patches
Do not enable SELinux.
SSH Access
All access will be through ssh.
The city will provide public keys for those that will have root access.
All services shall be disabled unless otherwise requested.
This shall include the following:
- NFS
- FTP
- incoming mail
The following services shall be enabled.
- outgoing mail
- SSH
- firewall
Firewall Configuration
Web Server VM
Allow access from
- ssh
- port 80
Geo Server VM
Allow access from
- ssh
- port 8080 from web server
DB Server VM
Allow access from
- ssh
- port 5432 from web server
- port 5432 from geo server
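The three per-VM policies above, written as a default-deny ruleset in iptables-restore format. This is an added example, not part of the original page: the addresses 192.0.2.10 (web server) and 192.0.2.20 (geo server) are constructed placeholders, and `emit_rules` and `allow_tcp` are hypothetical helper names.

```sh
#!/bin/sh
# Added example: print an iptables-restore ruleset for one VM role.
# WEB_IP and GEO_IP are constructed placeholders (RFC 5737 range);
# replace them with the real addresses of the web and geo server VMs.
WEB_IP="${WEB_IP:-192.0.2.10}"
GEO_IP="${GEO_IP:-192.0.2.20}"

# allow_tcp PORT [SOURCE]: accept new TCP connections to PORT,
# from SOURCE only when a source address is given.
allow_tcp() {
    if [ -n "$2" ]; then
        echo "-A INPUT -p tcp -s $2 --dport $1 -m state --state NEW -j ACCEPT"
    else
        echo "-A INPUT -p tcp --dport $1 -m state --state NEW -j ACCEPT"
    fi
}

# emit_rules ROLE: ROLE is web, geo or db. Anything else is rejected
# before any output is produced, so a typo never yields a partial ruleset.
emit_rules() {
    case "$1" in
        web|geo|db) ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
    echo "*filter"
    echo ":INPUT DROP [0:0]"       # default deny for everything not listed
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"    # outgoing mail and other outbound traffic
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    allow_tcp 22                   # ssh is allowed on every VM
    case "$1" in
        web) allow_tcp 80 ;;
        geo) allow_tcp 8080 "$WEB_IP" ;;
        db)  allow_tcp 5432 "$WEB_IP"
             allow_tcp 5432 "$GEO_IP" ;;
    esac
    echo "COMMIT"
}
```

On CentOS 5 the output of `emit_rules db` (or `web`, `geo`) can be written to `/etc/sysconfig/iptables`, the file the iptables init script loads.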
TCP Wrapper
Can we restrict port level access?
- web
- Allow requests from all hosts on port 80
- Allow ssh requests from all
- Deny requests on all other ports
- geo
- Allow requests from web server on port 8080
- Allow ssh requests from all
- Deny requests from all other hosts on port 8080
- db
- Allow requests from web and geo servers on port 5432
- Allow ssh requests from all
- Deny requests from all other hosts on port 5432
Packages/Modules: Barebones from VMware on all servers, with firewall enabled and package manager (yum or apt-get) installed
SFGov Responsibilities
Install application software including the following:
- Java virtual machine
- Tomcat
- PostgreSQL
Set up appropriate new users, restricting root access
File system security: Umask settings, setting up appropriate file permissions
Password & Access security: Use of public/private keys, SSH tunnels.
Tests
- Connect to geoserver from city using ssh tunnel.