Solr Installations

Solr can be used to index Privilege Management for Unix and Linux I/O logs to provide improved search capability. Indexing can be done on the I/O log files on the Privilege Management for Unix and Linux log server.

Installation Considerations

Solr is installed in a user-defined directory, and logs to a second user-defined directory. The defaults are /opt/pbul-Solr and /var/log/Solr.

Supported Platforms

Solr is supported on various Linux, AIX, HPUX and Solaris platfoms.

For more information on the specific platforms supported, please see the Privilege Management for Unix and Linux ReadMe.

Solr Java Requirements

  • Solr 4.1 (included)
  • Java 1.6+ JRE or JDK

System Requirements

  • Disk: pmul Solr 4.1: 18MB
  • Disk: Java 1.7: 58MB
  • RAM: Solr - 2GB dedicated
  • RAM: Java 1.7 - 64MB

Unix/Linux Utilities

The Privilege Management for Unix and Linux installer requires the following Unix and Linux utilities and built-in commands:

awk cut getopt ps sort unset
basename date grep pwd stty vi
cat diff id read tar wc
cd dirname kill rm tee xargs
chmod df ls rmdir touch  
chown echo mkdir sed tr  
cksum eval more set trap  
clear exec mv shift umask  
cp export od sleep uname  

System File Modifications

AIX: /etc/inittab modified, backed up prior as inittab.bak.####.

SSL Certificates and Search Interface

Solr can be installed with either BeyondInsight, or BeyondInsight for Unix and Linux. At this time, Solr cannot work with both, and cannot be changed from working with one to working with the other.

Prerequisites when Installing with BeyondInsight

Obtain the BeyondInsight Cert and CA files by copying the certificates from the BeyondInsight Windows Server machine to the Solr host machine:

  1. Start the BeyondInsight Configuration Tool on the BeyondInsight Windows Server machine.

An image of the Generate Certificate Zip option in the BeyondInsight Configuration Tool.

  1. Click Generate Certificate Zip in the BeyondInsight Configuration Tool.

 

An image of the Zip File Info screen in the BeyondInsight Configuration Tool.

  1. Select the output folder for the ZIP file and a password to apply to the exported .pfx file. This password is not used during the Solr install.

 

  1. Select a folder where you can securely copy the file, and move it to your Unix or Linux server where you are planning to install Solr.

Command Line Options

When installing with BeyondInsight, an installation menu can be used to specify all options. When installing with BeyondInsight for Unix and Linux, or with manually generated certificates, the -M option at a minimum must be specified on the command line. Other options are available both on the command line and via menu.

Options for Use with BeyondInsight

-a rcsuser Specify RCS Admin user.
-A file Specify file containing rcs admin password.
-s Configure local pb.settings.
-r Re-install with BeyondInsight, without generating new certificates.

Options for Use with BeyondInsight for Unix and Linux

-M Install via BeyondInsight for Unix and Linux (skip BeyondInsight registration and certficates).
-K

Filename of SSL Server certificate PEM file containing the private key.

May also contain the public certificate.

-k Filename of SSL Server certificate PEM file containing public certificate.
-C

Filename of any CA certificate PEM file containing the CA public certificate.

May be used multiple time for multiple CA files.

-o Fully qualified path for openssl.

Command Options

-b basedir Set Solr installation base directory.
-p port Set Solr/jetty port.
-j javahome Set JAVA_HOME.
-u user Set Solr user.
-c If specified, create Solr user.
-I uid If creating Solr user, specify the UID.
-G gid If creating Solr user, specify the GID.
-i Configure init script/SMF/inittab.
-l logdir Specify Solr log directory.
a rcsuer Specificy RCS Admin user.
s Configure local pb.settings.
A file Specify file containing the RCS admin password.
-P file Specify file containing java keystore password.
M Install via PBSMC (skip BI registration and certificates).
K

Specify the filename of the SSL server certificate PEM file containing the private key.

This may also contain the public key.

k

Specify the filename of any CA certifcate PEM file contain the CA public certificate.

This filename may be used multiple times for multiple CA files.

o Specify the fully qualified path for openssl.
t tmpdir Specify the TMPDIR directory for Solrinstall temporary files.
r Re-install.
-q Quiet mode.
-h Display help.

Installation

Solr is provided as a tarball named pmul-Solr_multiarch-{version}.tar.Z. As root:

  1. Make sure you have Java 1.6+ installed and know the home directory of Java.
  2. Create directory /opt/beyondtrust and cd to that directory.
  3. Extract the Solr installation files:
    # gunzip -c pmul-Solr_multiarch-{version}.tar.Z | tar xvf -
  1. Navigate to the install directory:
    # cd powerbroker-Solr/v7.5/install
  2. Copy the file certificate.zip generated by BeyondInsight.
  1. Start the Solrinstall script with the following command; Solrinstall has no command line options:
    # ./Solrinstall

    The Solrinstall menu displays options similar to the following:

Solr Installation Menu
Opt Description [Value]
1 Solr installation directory [/opt/pbul-Solr]
2 Solr SSL port number [8443]
3 JAVA_HOME environmental variable [/usr/java/jre1.7.0_40]
4 Solr user [Solr]
5 Create Solr user? [yes]
6 Solr user UID []
7 Solr user GID []
8 Configure init? [yes]
9 Solr log directory [/var/log/Solr]
10 BeyondInsight certificate admin user name [administrator]*
11 Configure local pb.settings with Solr [no]
C to continue, X to exit
Please enter a menu option

 

  1. During the install, you are prompted for the keystore password:

    Enter a keystore password (minimum 6 characters).

This is a new password you must provide. Enter this password during the Post-Install when you import the Solr certificates using the BeyondInsight Configuration Tool.

For more information, please see Prerequisites when Installing with BeyondInsight.

Menu Options

1. PowerBroker Solr installation directory

This is the directory where the Solr installation files are placed. The default value is /opt/pbul-Solr.

2. Solr port number

The port number to be used for the Solr service. The default is 8983.

3. JAVA_HOME environmental variable

The value of $JAVA_HOME. This is set if environmental variable $JAVA_HOME is set. Prior to installation, $JAVA_HOME/bin/java is tested for version compatibility.

4. Solr user				

The non-root user that runs the Solr server. The default is Solr. If user Solr does not exist, the menu displays options 5, 6, and 7 specifying whether to create the Solr user, and optionally specifying the uid/gid. The Solr user requires bash shell in order to run the Solr (jetty) startup script.

8. Configure init (Linux/HP-UX; AIX uses inittab, Solaris 10+ uses SMF)

Solr startup and shutdown are accomplished via init. Selecting yes to this menu option configures init to startup and shutdown Solr.

9. Solr log directory

This is the directory where the Solr log files are placed. The default value is /var/log/Solr (Linux). Other operating systems may use /var/adm or /usr/adm rather than /var/log.

10. BeyondInsight Certificate Administrator user name

The BeyondInsight Admin user; admin user password is prompted for.

11. Configure local pb.settings with Solr

Answering yes configures the local pb.settings file with the Solr related keywords, configured for this Solr installation. The keywords are:

  • Solrhost
  • Solrport
  • Solrcafile
  • Solrclientkeyfile
  • Solrclientcertfile

Post-Install when Installing with BeyondInsight

After Solrinstall has installed and started Solr, Solr is registered with BeyondInsight.

To give the Solr server a heartbeat, a script called pbrcsSolrupdate is launched at the Solr installation, and with each restart of Solr services (jetty), where a Solr asset update event is sent to BeyondInsight daily.

Follow the instructions as listed after a successful Solr install are displayed at the end of the installation.

In order for the log server and policy server hosts to communicate with this Solr server, for indexing Privilege Management for Unix and Linux I/O log data, you must do the following:

  1. On your BeyondInsight Windows server, start the BeyondInsight Configuration Tool.

An image of the Import Certificates option in the BeyondInsight Configuration Tool.

  1. Click Import Certificates to import the certificates created during the Solr install and grant privileges to the certificates for use by the Solr search.

 

An image of the Zip File Info screen in the BeyondInsight Configuration Tool.

  1. Enter the password that you provided when you created the Certificates ZIP file.

 

  1. Securely copy the following files from /opt/pbul-Solr/etc to a secure directory on the Privilege Management for Unix and Linux policy server and log server hosts:
    • Solr.<host>.client.pem
    • Solr.<host>.ssl.CA.pem

A tarball (Solr.${shorthostname}.pbsettings.tar) is created with the certificate files and related settings, for convenient copying to other hosts. When the tarball is extracted from the root directory, the certificate files and Solr.pb.settings are placed in /etc/. The settings contained in /etc/Solr.pb.settings must be manually merged into /etc/pb.settings.

  1. In pb.settings of the policy server or log server hosts, add the following parameters:
    Solrhost <host>
    Solrport 8443
    Solrcafile <secure_directory>/Solr.<host>.ssl.CA.pem
    Solrclientkeyfile <secure_directory>/Solr.<host>.client.pem
    Solrclientcertfile <secure_directory>/Solr.<host>.client.pem

A tarball (Solr.${shorthostname}.pbsettings.tar) is created with the certificate files and related settings, for convenient copying to other hosts. When the tarball is extracted from the root directory, the certificate files and Solr.pb.settings are placed in /etc/. The settings contained in /etc/Solr.pb.settings must be manually merged into /etc/pb.settings.

Re-Installation when Installing with BeyondInsight

Starting with v9.4, when re-installing Solr, the installation script recognizes that certificates have already been generated, and the registration with BeyondInsight is skipped. This prevents regeneration of certificates by BeyondInsight. In the case where regeneration of certificates is desired, the certificates must be manually cleared from BeyondInsight, and removed from the etc directory of the Solr installation (default: /opt/pbul-Solr/etc).

Solr Uninstall

As root:

  1. Create directory /opt/beyondtrust and cd to that directory.
  2. Extract the Solr installation files:
    # gunzip –c pmul-Solr_multiarch-{version}.tar.Z | tar xvf –
  3. Navigate to the install directory:
    # cd /opt/beyondtrust/powerbroker-Solr/v7.5/install
  4. Start the Solruninstall script with either of the following commands; Solruninstall has 1 command line option:
    # ./Solruninstall
    # ./Solruninstall –clean