Solr Installations
As of version 23.1, Solr is deprecated. EPM-UL no longer supports installing Solr, but features that use an existing Solr installation will continue to work.
Solr can be used to index Endpoint Privilege Management for Unix and Linux I/O logs to provide improved search capability. Indexing can be done on the I/O log files on the Endpoint Privilege Management for Unix and Linux log server.
Installation Considerations
Solr is installed in a user-defined directory, and logs to a second user-defined directory. The defaults are /opt/pbul-Solr and /var/log/Solr.
Supported Platforms
Solr is supported on various Linux, AIX, HPUX and Solaris platfoms.
For more information on the specific platforms supported, see the Endpoint Privilege Management for Unix and Linux Supported Platforms.
Solr Java Requirements
- Solr 4.1 (included)
- Java 1.6+ JRE or JDK
System Requirements
- Disk: pmul Solr 4.1: 18MB
- Disk: Java 1.7: 58MB
- RAM: Solr - 2GB dedicated
- RAM: Java 1.7 - 64MB
Unix/Linux Utilities
The Endpoint Privilege Management for Unix and Linux installer requires the following Unix and Linux utilities and built-in commands:
| awk | cut | getopt | ps | sort | unset |
| basename | date | grep | pwd | stty | vi |
| cat | diff | id | read | tar | wc |
| cd | dirname | kill | rm | tee | xargs |
| chmod | df | ls | rmdir | touch | |
| chown | echo | mkdir | sed | tr | |
| cksum | eval | more | set | trap | |
| clear | exec | mv | shift | umask | |
| cp | export | od | sleep | uname |
System File Modifications
AIX: /etc/inittab modified, backed up prior as inittab.bak.####.
SSL Certificates and Search Interface
Solr can be installed with either BeyondInsight, or BeyondInsight for Unix and Linux. At this time, Solr cannot work with both, and cannot be changed from working with one to working with the other.
Prerequisites when Installing with BeyondInsight
Obtain the BeyondInsight Cert and CA files by copying the certificates from the BeyondInsight Windows Server machine to the Solr host machine:
- Start the BeyondInsight Configuration Tool on the BeyondInsight Windows Server machine.
- Click Generate Certificate Zip in the BeyondInsight Configuration Tool.
- Select the output folder for the ZIP file and a password to apply to the exported .pfx file. This password is not used during the Solr install.
- Select a folder where you can securely copy the file, and move it to your Unix or Linux server where you are planning to install Solr.
Command Line Options
When installing with BeyondInsight, an installation menu can be used to specify all options. When installing with BeyondInsight for Unix and Linux, or with manually generated certificates, the -M option at a minimum must be specified on the command line. Other options are available both on the command line and via menu.
Options for Use with BeyondInsight
| -a rcsuser | Specify RCS Admin user. |
| -A file | Specify file containing rcs admin password. |
| -s | Configure local pb.settings. |
| -r | Re-install with BeyondInsight, without generating new certificates. |
Options for Use with BeyondInsight for Unix and Linux
| -M | Install via BeyondInsight for Unix and Linux (skip BeyondInsight registration and certficates). |
| -K |
Filename of SSL Server certificate PEM file containing the private key. May also contain the public certificate. |
| -k | Filename of SSL Server certificate PEM file containing public certificate. |
| -C |
Filename of any CA certificate PEM file containing the CA public certificate. May be used multiple time for multiple CA files. |
| -o | Fully qualified path for openssl. |
Command Options
| -b basedir | Set Solr installation base directory. |
| -p port | Set Solr/jetty port. |
| -j javahome | Set JAVA_HOME. |
| -u user | Set Solr user. |
| -c | If specified, create Solr user. |
| -I uid | If creating Solr user, specify the UID. |
| -G gid | If creating Solr user, specify the GID. |
| -i | Configure init script/SMF/inittab. |
| -l logdir | Specify Solr log directory. |
| a rcsuer | Specificy RCS Admin user. |
| s | Configure local pb.settings. |
| A file | Specify file containing the RCS admin password. |
| -P file | Specify file containing java keystore password. |
| M | Install via PBSMC (skip BI registration and certificates). |
| K |
Specify the filename of the SSL server certificate PEM file containing the private key. This may also contain the public key. |
| k |
Specify the filename of any CA certifcate PEM file contain the CA public certificate. This filename may be used multiple times for multiple CA files. |
| o | Specify the fully qualified path for openssl. |
| t tmpdir | Specify the TMPDIR directory for Solrinstall temporary files. |
| r | Re-install. |
| -q | Quiet mode. |
| -h | Display help. |
Installation
As of version 23.1, Solr is deprecated. EPM-UL no longer supports installing Solr, but features that use an existing Solr installation will continue to work.
Solr is provided as a tarball named pmul-Solr_multiarch-{version}.tar.Z. As root:
- Make sure you have Java 1.6+ installed and know the home directory of Java.
- Create directory /opt/beyondtrust and cd to that directory.
- Extract the Solr installation files:
# gunzip -c pmul-Solr_multiarch-{version}.tar.Z | tar xvf - - Navigate to the install directory:
# cd powerbroker-Solr/v7.5/install
- Copy the file certificate.zip generated by BeyondInsight.
- Start the Solrinstall script with the following command; Solrinstall has no command line options:
# ./Solrinstall
The Solrinstall menu displays options similar to the following:
| Solr Installation Menu | ||
|---|---|---|
| Opt | Description | [Value] |
| 1 | Solr installation directory | [/opt/pbul-Solr] |
| 2 | Solr SSL port number | [8443] |
| 3 | JAVA_HOME environmental variable | [/usr/java/jre1.7.0_40] |
| 4 | Solr user | [Solr] |
| 5 | Create Solr user? | [yes] |
| 6 | Solr user UID | [] |
| 7 | Solr user GID | [] |
| 8 | Configure init? | [yes] |
| 9 | Solr log directory | [/var/log/Solr] |
| 10 | BeyondInsight certificate admin user name | [administrator]* |
| 11 | Configure local pb.settings with Solr | [no] |
| C to continue, X to exit | ||
| Please enter a menu option | ||
- During the install, you are prompted for the keystore password:
Enter a keystore password (minimum 6 characters).
This is a new password you must provide. Enter this password during the Post-Install when you import the Solr certificates using the BeyondInsight Configuration Tool.
For more information, see Prerequisites when Installing with BeyondInsight.
Menu Options
1. PowerBroker Solr installation directory
This is the directory where the Solr installation files are placed. The default value is /opt/pbul-Solr.
2. Solr port number
The port number to be used for the Solr service. The default is 8983.
3. JAVA_HOME environmental variable
The value of $JAVA_HOME. This is set if environmental variable $JAVA_HOME is set. Prior to installation, $JAVA_HOME/bin/java is tested for version compatibility.
4. Solr user
The non-root user that runs the Solr server. The default is Solr. If user Solr does not exist, the menu displays options 5, 6, and 7 specifying whether to create the Solr user, and optionally specifying the uid/gid. The Solr user requires bash shell in order to run the Solr (jetty) startup script.
8. Configure init (Linux/HP-UX; AIX uses inittab, Solaris 10+ uses SMF)
Solr startup and shutdown are accomplished via init. Selecting yes to this menu option configures init to startup and shutdown Solr.
9. Solr log directory
This is the directory where the Solr log files are placed. The default value is /var/log/Solr (Linux). Other operating systems may use /var/adm or /usr/adm rather than /var/log.
10. BeyondInsight Certificate Administrator user name
The BeyondInsight Admin user; admin user password is prompted for.
11. Configure local pb.settings with Solr
Answering yes configures the local pb.settings file with the Solr related keywords, configured for this Solr installation. The keywords are:
- Solrhost
- Solrport
- Solrcafile
- Solrclientkeyfile
- Solrclientcertfile
Post-Install when Installing with BeyondInsight
As of version 23.1, Solr is deprecated. EPM-UL no longer supports installing Solr, but features that use an existing Solr installation will continue to work.
After Solrinstall has installed and started Solr, Solr is registered with BeyondInsight.
To give the Solr server a heartbeat, a script called pbrcsSolrupdate is launched at the Solr installation, and with each restart of Solr services (jetty), where a Solr asset update event is sent to BeyondInsight daily.
Follow the instructions as listed after a successful Solr install are displayed at the end of the installation.
In order for the log server and policy server hosts to communicate with this Solr server, for indexing Endpoint Privilege Management for Unix and Linux I/O log data, you must do the following:
- On your BeyondInsight Windows server, start the BeyondInsight Configuration Tool.
- Click Import Certificates to import the certificates created during the Solr install and grant privileges to the certificates for use by the Solr search.
- Enter the password that you provided when you created the Certificates ZIP file.
- Securely copy the following files from /opt/pbul-Solr/etc to a secure directory on the Endpoint Privilege Management for Unix and Linux policy server and log server hosts:
- Solr.<host>.client.pem
- Solr.<host>.ssl.CA.pem
A tarball (Solr.${shorthostname}.pbsettings.tar) is created with the certificate files and related settings, for convenient copying to other hosts. When the tarball is extracted from the root directory, the certificate files and Solr.pb.settings are placed in /etc/. The settings contained in /etc/Solr.pb.settings must be manually merged into /etc/pb.settings.
- In pb.settings of the policy server or log server hosts, add the following parameters:
Solrhost <host> Solrport 8443 Solrcafile <secure_directory>/Solr.<host>.ssl.CA.pem Solrclientkeyfile <secure_directory>/Solr.<host>.client.pem Solrclientcertfile <secure_directory>/Solr.<host>.client.pem
A tarball (Solr.${shorthostname}.pbsettings.tar) is created with the certificate files and related settings, for convenient copying to other hosts. When the tarball is extracted from the root directory, the certificate files and Solr.pb.settings are placed in /etc/. The settings contained in /etc/Solr.pb.settings must be manually merged into /etc/pb.settings.
Re-Installation when Installing with BeyondInsight
As of version 23.1, Solr is deprecated. EPM-UL no longer supports installing Solr, but features that use an existing Solr installation will continue to work.
Starting with v9.4, when re-installing Solr, the installation script recognizes that certificates have already been generated, and the registration with BeyondInsight is skipped. This prevents regeneration of certificates by BeyondInsight. In the case where regeneration of certificates is desired, the certificates must be manually cleared from BeyondInsight, and removed from the etc directory of the Solr installation (default: /opt/pbul-Solr/etc).
Solr Uninstall
As root:
- Create directory /opt/beyondtrust and cd to that directory.
- Extract the Solr installation files:
# gunzip –c pmul-Solr_multiarch-{version}.tar.Z | tar xvf – - Navigate to the install directory:
# cd /opt/beyondtrust/powerbroker-Solr/v7.5/install
- Start the Solruninstall script with either of the following commands; Solruninstall has 1 command line option:
# ./Solruninstall
# ./Solruninstall –clean
