Linux Prerequisites
Learn about prerequisites for installing Oracle Communications Unified Assurance on Linux environments.
Operating System Install Type
Unified Assurance requires various components that are installed as part of the base operating system, and a "minimal" installation has been shown to be missing one or more important applications. Oracle Communications recommends using either a Base or Cloud installation type, depending on the operating system.
The following command can be used to update to a Base installation, as well as verify that all needed base packages have been installed:
yum groupinstall "Base"
FIPS 140-2 Compliance in Oracle Linux 8
Unified Assurance installed on Oracle Linux 8 supports FIPS 140-2 compliance. Customers installing Unified Assurance 6.0.4 must use Oracle Linux 8 and can optionally configure FIPS mode for Linux as described in "FIPS 140-2 Compliance in Oracle Linux 8" in Oracle Linux 8 Enhancing System Security.
Customers updating or upgrading to 6.0.4 can optionally remain on Linux 7, where FIPS compliance is not supported.
SELinux
The Unified Assurance installer uses the useradd tool to create the user assure1. By default, SELinux does not allow this user to have a home directory outside of /home. The following steps show you how to configure SELinux to allow /opt to be treated as a valid parent directory for home directories.
- Install the RPM that contains the semanage tool:
  yum install policycoreutils-python
- Edit the semanage.conf file:
  nano /etc/selinux/semanage.conf
  Change the usepasswd setting from false to true:
  usepasswd=true
  Save the file.
- Set the /opt label to be the same as /home:
  semanage fcontext -a -e /home /opt
- Update the labels for /opt:
  restorecon -R /opt
- OPTIONAL: the following packages are needed on servers that will be running Docker:
  yum install container-selinux selinux-policy-targeted
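Before running the installer it is worth confirming that the three changes above actually took effect, because a missing usepasswd or equivalence rule only shows up later as a denied home-directory access. The following script is an added example, not part of the Oracle documentation: it checks the semanage.conf setting, the /opt = /home equivalence in the semanage output, and the label on the home directory. The home directory path /opt/assure1 and the user_home_dir_t type are assumptions (the page only says the assure1 home lives under /opt; user_home_dir_t is what the default targeted policy assigns to /home/<user>). Keep in mind that restorecon -R /opt relabels everything under /opt, not only the assure1 directory.

```shell
#!/bin/sh
# Verify that SELinux is configured so the assure1 home directory can live
# under /opt. Added example, not part of the Oracle documentation: each check
# reads its input from a file or stdin so it can be exercised without a live
# SELinux policy; verify_selinux_home() wires them to the real commands.

# Return 0 if the given semanage.conf enables usepasswd (commented lines ignored).
usepasswd_enabled() {
    grep -Eq '^[[:space:]]*usepasswd[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# Return 0 if the stdin text (output of "semanage fcontext -l") contains the
# "/opt = /home" equivalence rule added by "semanage fcontext -a -e /home /opt".
has_opt_home_equivalence() {
    grep -Eq '^/opt[[:space:]]*=[[:space:]]*/home[[:space:]]*$'
}

# Return 0 if the stdin text (output of "ls -dZ <dir>") carries the
# user_home_dir_t type (assumption: default targeted policy for /home/<user>).
is_home_labelled() {
    grep -q 'user_home_dir_t'
}

# Run all checks against the live system. Assumes semanage and ls -Z are
# installed; prints one line per check and returns 1 on any failure so it can
# gate a pre-install pipeline. Argument: home directory (assumed /opt/assure1).
verify_selinux_home() {
    home_dir=${1:-/opt/assure1}
    rc=0
    if usepasswd_enabled /etc/selinux/semanage.conf; then
        echo "ok   usepasswd=true in /etc/selinux/semanage.conf"
    else
        echo "FAIL usepasswd is not true in /etc/selinux/semanage.conf"; rc=1
    fi
    if semanage fcontext -l 2>/dev/null | has_opt_home_equivalence; then
        echo "ok   /opt is equivalent to /home"
    else
        echo "FAIL no '/opt = /home' equivalence (run: semanage fcontext -a -e /home /opt)"; rc=1
    fi
    if [ -d "$home_dir" ]; then
        if ls -dZ "$home_dir" 2>/dev/null | is_home_labelled; then
            echo "ok   $home_dir carries a home-directory label"
        else
            echo "FAIL $home_dir is not labelled as a home directory (run: restorecon -R /opt)"; rc=1
        fi
    else
        echo "skip $home_dir does not exist yet (the installer creates it)"
    fi
    return $rc
}

# Usage: sh verify-selinux-home.sh [/opt/assure1]
if [ "${1:-}" = "--run" ]; then
    shift
    verify_selinux_home "$@"
fi
```

Run it with `--run` on the target host after the steps above; a non-zero exit means at least one of the three settings is missing.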
NTP
The Network Time Protocol (NTP) should be installed and configured on all servers that will be part of an environment. It is essential that all servers have the time synchronized to ensure proper functionality. Consult with your operating system documentation to determine the best NTP strategy for your organization.
DNS Entries
Before installing Unified Assurance, every server must be able to reach every other server (and itself) using each server's Host FQDN entry and the Web FQDN entry (or entries).
This can be tested by doing the following:
- From the presentation servers, ping the HostFQDN entries for each server (including the local one), and make sure the WebFQDN is also resolving properly.
- From the database servers, ping the HostFQDN entries for each server (including the local one), and make sure the WebFQDN is also resolving properly.
- From the collection servers, ping the HostFQDN entries for each server (including the local one), and make sure the WebFQDN is also resolving properly.
WARNING: Environments should not be configured using /etc/hosts entries or other manually configured local services. DNS is required for all functionality to work properly across all servers in an installation.
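A ping only proves that a name resolves somehow; it does not tell you whether the answer came from DNS or from a stale /etc/hosts line, which is exactly the case the warning above rules out. The script below is an added example, not from the Oracle documentation: it uses glibc's getent with the -s option to restrict a lookup to a single NSS service, so a name that resolves through "files" but not "dns" is reported as files-only. The server names in the usage line are constructed.

```shell
#!/bin/sh
# Check that every Host FQDN and Web FQDN resolves through DNS rather than
# /etc/hosts. Added example, not from the Oracle documentation. Assumes glibc's
# getent, whose -s option limits the lookup to one NSS service (dns or files).

# Return 0 if name $2 resolves using only NSS service $1 ("dns" or "files").
resolves_via() {
    getent -s "$1" hosts "$2" >/dev/null 2>&1
}

# Print how a name resolves: dns, files-only, or unresolved.
classify_name() {
    if resolves_via dns "$1"; then
        echo dns
    elif resolves_via files "$1"; then
        echo files-only
    else
        echo unresolved
    fi
}

# Check every name given as an argument; print one verdict per name and return
# 1 if any name is not served by DNS (files-only is the /etc/hosts case the
# documentation warns about, unresolved is a missing record).
check_fqdns() {
    rc=0
    for name in "$@"; do
        verdict=$(classify_name "$name")
        printf '%-12s %s\n' "$verdict" "$name"
        [ "$verdict" = dns ] || rc=1
    done
    return $rc
}

# Usage (run on every server, with the full inventory of Host and Web FQDNs):
#   sh check-fqdns.sh pres1.example.com db1.example.com coll1.example.com web.example.com
if [ $# -gt 0 ]; then
    check_fqdns "$@"
fi
```

Run it from each presentation, database and collection server with the same list; every line should read dns, and the list must include the local host's own names.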
Ports
Unified Assurance uses several network ports for communication between components. These need to be opened bidirectionally through your local operating system firewall, network firewalls, and network access control lists (ACLs).
Open the following ports in firewalls:
- To allow HTTP communication and cross-server communication with the presentation servers:
  - Port TCP/80: Standard Web (HTTP)
  - Port TCP/443: Secure Web (HTTPS)
  - Port TCP/5671: RabbitMQ
  - Port TCP/5601: Kibana
- To allow communication with the databases:
  - Port TCP/3306: MySQL (presentation server and database server)
  - Port TCP/7473, TCP/7687: Neo4j (database server)
  - Port TCP/8086: InfluxDB (database server)
  - Port TCP/9200: Elasticsearch (database server)
- To support data collection:
  - Port UDP/161: SNMP Monitoring (all servers)
  - Port UDP/162: Trapd (collection servers)
  - Port UDP/514: Syslog (collection servers)
  - Port TCP/10080: WebHook Aggregator (collection servers)
- To support database redundancy and file synchronization:
  - Port TCP/4369, TCP/25671: RabbitMQ (presentation servers)
  - Port TCP/8055, TCP/8056: Redundancy Wizard (presentation servers and database servers)
  - Port TCP/8873: Unison file synchronization (presentation servers)
  - Port TCP/9093: Kafka (InfluxDB redundancy on database servers)
- To support Docker and microservices:
  - Port TCP/179: Kubernetes Calico BGP
  - Port TCP/2379: Kubernetes etcd client
  - Port TCP/2380: Kubernetes etcd peer
  - Port TCP/6443: Kubernetes API control plane
  - Port UDP/8472: Flannel/VXLAN overlay network
  - Port TCP/10250: Kubernetes kubelet control plane
  - Port TCP/10251: Kubernetes kube-scheduler
  - Port TCP/10252: Kubernetes kube-controller-manager
  - Port TCP/10255: Kubernetes kubelet read-only API (no authentication)
  - Port TCP/30000-30127: Kubernetes NodePort range for dynamic port assignment
- To support Apache Pulsar:
  - Port TCP/2181: Pulsar ZooKeeper
  - Port TCP/3181: Pulsar BookKeeper
  - Port TCP/6550: Pulsar Broker
  - Port TCP/6551: Pulsar Broker TLS
  - Port TCP/8080: Pulsar Web Service
  - Port TCP/8443: Pulsar Web Service SSL
The following is an example of creating a Unified Assurance firewalld service:
- Create the firewalld service file:
  cat <<'EOM' >/etc/firewalld/services/ocua.xml
  <?xml version="1.0" encoding="utf-8"?>
  <service>
    <short>OCUA</short>
    <description>Ports needed for OCUA</description>
    <port protocol="tcp" port="80"/>
    <port protocol="udp" port="161"/>
    <port protocol="udp" port="162"/>
    <port protocol="tcp" port="179"/>
    <port protocol="tcp" port="443"/>
    <port protocol="udp" port="514"/>
    <port protocol="tcp" port="2181"/>
    <port protocol="tcp" port="2379"/>
    <port protocol="tcp" port="2380"/>
    <port protocol="tcp" port="2424"/>
    <port protocol="tcp" port="2425"/>
    <port protocol="tcp" port="2426"/>
    <port protocol="tcp" port="2427"/>
    <port protocol="tcp" port="2428"/>
    <port protocol="tcp" port="2429"/>
    <port protocol="tcp" port="2430"/>
    <port protocol="tcp" port="2434"/>
    <port protocol="tcp" port="2486"/>
    <port protocol="tcp" port="2487"/>
    <port protocol="tcp" port="2488"/>
    <port protocol="tcp" port="2489"/>
    <port protocol="tcp" port="2490"/>
    <port protocol="tcp" port="3181"/>
    <port protocol="tcp" port="3306"/>
    <port protocol="tcp" port="4369"/>
    <port protocol="tcp" port="5601"/>
    <port protocol="tcp" port="5671"/>
    <port protocol="tcp" port="6443"/>
    <port protocol="tcp" port="6550"/>
    <port protocol="tcp" port="6551"/>
    <port protocol="tcp" port="7473"/>
    <port protocol="tcp" port="7687"/>
    <port protocol="tcp" port="8055"/>
    <port protocol="tcp" port="8056"/>
    <port protocol="tcp" port="8080"/>
    <port protocol="tcp" port="8086"/>
    <port protocol="tcp" port="8443"/>
    <port protocol="udp" port="8472"/>
    <port protocol="tcp" port="8873"/>
    <port protocol="tcp" port="9093"/>
    <port protocol="tcp" port="9200"/>
    <port protocol="tcp" port="10080"/>
    <port protocol="tcp" port="10250"/>
    <port protocol="tcp" port="10251"/>
    <port protocol="tcp" port="10252"/>
    <port protocol="tcp" port="10255"/>
    <port protocol="tcp" port="25671"/>
    <port protocol="tcp" port="30000-30127"/>
  </service>
  EOM
- Enable the OCUA firewalld service:
  firewall-cmd --zone=public --permanent --add-service=ocua
- Reload firewalld:
  firewall-cmd --reload
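The ocua service above opens every port on every server, including database and Kubernetes ports on hosts that only collect traps. The port list earlier in this section assigns most ports to a role (presentation, database, collection), so a tighter alternative is one firewalld service per role. The generator below is an added example, not the Oracle documentation's own script: the role mapping is transcribed from that list, the Docker/Kubernetes and Pulsar ports are opt-in sets because the page does not say which hosts run them, and ports the list does not document (the page's ocua.xml also opens TCP 2424-2490) are left for you to add to the role that needs them.

```shell
#!/bin/sh
# Generate a firewalld service definition that opens only the ports a given
# server role needs. Added example, not the Oracle documentation's own script;
# the port-to-role mapping is transcribed from the prerequisites list, and the
# docker/pulsar sets are opt-in because their placement is an install decision.

# Print "proto port" lines for one role or add-on set.
ports_for() {
    case "$1" in
        presentation)
            printf '%s\n' 'tcp 80' 'tcp 443' 'tcp 5671' 'tcp 5601' 'tcp 3306' \
                'tcp 4369' 'tcp 25671' 'tcp 8055' 'tcp 8056' 'tcp 8873' 'udp 161' ;;
        database)
            printf '%s\n' 'tcp 3306' 'tcp 7473' 'tcp 7687' 'tcp 8086' 'tcp 9200' \
                'tcp 8055' 'tcp 8056' 'tcp 9093' 'udp 161' ;;
        collection)
            printf '%s\n' 'udp 161' 'udp 162' 'udp 514' 'tcp 10080' ;;
        docker)
            printf '%s\n' 'tcp 179' 'tcp 2379' 'tcp 2380' 'tcp 6443' 'udp 8472' \
                'tcp 10250' 'tcp 10251' 'tcp 10252' 'tcp 10255' 'tcp 30000-30127' ;;
        pulsar)
            printf '%s\n' 'tcp 2181' 'tcp 3181' 'tcp 6550' 'tcp 6551' 'tcp 8080' 'tcp 8443' ;;
        *)
            printf 'unknown role: %s\n' "$1" >&2
            return 1 ;;
    esac
}

# Emit the firewalld service XML for the union of the given sets (duplicates
# such as TCP/3306 on a combined presentation+database host appear once).
# Usage: service_xml <short-name> <role> [<role>...]
service_xml() {
    name=$1; shift
    [ $# -gt 0 ] || { echo 'service_xml: at least one role is required' >&2; return 1; }
    for role in "$@"; do ports_for "$role" >/dev/null || return 1; done
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>Unified Assurance ports for: %s</description>\n' "$name" "$*"
    for role in "$@"; do ports_for "$role"; done | sort -u | while read -r proto port; do
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
    done
    printf '</service>\n'
}

# Usage: sh ua-fw-service.sh ocua-db database > /etc/firewalld/services/ocua-db.xml
#        firewall-cmd --zone=public --permanent --add-service=ocua-db
#        firewall-cmd --reload
if [ $# -gt 0 ]; then
    service_xml "$@"
fi
```

A host that combines roles simply lists them all (for example `service_xml ocua-pres-db presentation database docker`); the enable and reload commands are the same as in the page's example, with the per-role service name in place of ocua.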
Proxy
Set the following environment variables:
https_proxy=PROXYSTRING
no_proxy=NOPROXYSTRING
- PROXYSTRING - The proxy connection string detailing the proxy server, user/pass, port, etc. For example: http://myproxy.example.com:3128/
- NOPROXYSTRING - Comma separated list of domains or IPs that should NOT be proxied such as .example.com, localhost,127.0.0.1,WEBFQDN, etc. This should at least be the server's local domain (e.g. example.com) to prevent proxied API requests between Unified Assurance servers.
These can be set in any of the following ways:
- /etc/environment (used by non-interactive sessions such as daemons; requires a restart or re-login of the user), for example:
  https_proxy=PROXYSTRING
  no_proxy=NOPROXYSTRING
- /etc/profile.d/proxy.sh (used by interactive sessions; the file must be created; requires a restart or re-login of the user), for example:
  export https_proxy=PROXYSTRING
  export no_proxy=NOPROXYSTRING
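The no_proxy requirement above is easy to get subtly wrong: a value that lists the web FQDN but not the local domain still sends the presentation server's calls to the database servers through the proxy. The script below is an added example, not from the Oracle documentation: given the inventory of server FQDNs, it reports which ones the current no_proxy value does not cover. It uses the common matching convention (an entry is a domain suffix with an optional leading dot, or an exact host or IP); clients differ in corner cases, so confirm against the tools you use. The server names are constructed.

```shell
#!/bin/sh
# Check that a no_proxy value keeps traffic between Unified Assurance servers
# off the proxy. Added example, not from the Oracle documentation; matching
# treats each entry as a domain suffix (leading dot optional) or an exact
# host/IP, which is the convention most clients share.

# Return 0 if host $1 is covered by the comma-separated no_proxy list $2.
no_proxy_covers() {
    host=$1
    old_ifs=$IFS
    IFS=,
    set -- $2                           # split the list on commas only
    IFS=$old_ifs
    for entry in "$@"; do
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        bare=${entry#.}                 # "example.com" from ".example.com"
        [ "$host" = "$bare" ] && return 0   # exact host, domain or IP match
        case "$host" in
            *".$bare") return 0 ;;      # any name under the entry's domain
        esac
    done
    return 1
}

# Print every server FQDN (arguments after the list) that no_proxy does not
# cover, i.e. whose API calls would go through the proxy. Returns 1 if any.
uncovered_servers() {
    list=$1; shift
    rc=0
    for fqdn in "$@"; do
        if ! no_proxy_covers "$fqdn" "$list"; then
            printf '%s\n' "$fqdn"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check-no-proxy.sh pres1.example.com db1.example.com web.example.com
# Reads no_proxy from the environment, exactly as daemons and shells see it.
if [ $# -gt 0 ]; then
    if uncovered_servers "${no_proxy:-}" "$@"; then
        echo 'no_proxy covers every listed server'
    else
        echo 'add the names above (or their domain) to no_proxy' >&2
        exit 1
    fi
fi
```

Run it after re-logging in (or from a service's environment) so that it sees the value the processes will actually use, not the one in the file you just edited.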