
A while back, I posted “Request Tracker Installation (Part 1 of 2),” which provided information and additional links concerning Request Tracker (RT). As a reminder, RT is an enterprise-grade ticketing system that lets you check the status of tasks: when they were requested, who requested them and why, when they were completed, how they are prioritized, etc. I delayed the second part of the post, which was to step through installation of RT, until I could add some background information. I wanted to walk through implementing secure open source software such as Apache, PHP, MySQL, OpenSSL, and ModSecurity. No small task. It is all about integration, both in terms of security and the power that a software package like RT can provide your organization. That is why I selected the image on the left of all these various open source software symbols for this post on RT.

If you are going to be using RT, you need to get the “RT Essentials” book written by Jesse Vincent, Robert Spier, Dave Rolsky, Darren Chamberlain, and Richard Foley. It is a good reference and a quick read. For up-to-date information, see the RT Wiki and the Best Practical Solutions blog site.

Prerequisites

To start, please review the following posts:

  1. An Apache Implementation
  2. Apache and OpenSSL
  3. PHP Implementation
  4. Introduction to MySQL
  5. Setting Up and Securing MySQL: References
  6. Implementing a Web Application Firewall with ModSecurity

Install Software

With Apache, MySQL, PHP, OpenSSL, and ModSecurity installed, we are now ready to focus on software packages required by RT.

1. Installing expat.

Different operating systems will vary on whether expat, the XML parser, is installed. Expat is needed to complete the cpan install for XML::RSS. Check your particular operating system.

 root# cd /usr/local/src
 /usr/local/src root# wget http://downloads.sourceforge.net/expat/expat-2.0.1.tar.gz
 /usr/local/src root# tar xzf expat-2.0.1.tar.gz
 /usr/local/src root# cd expat-2.0.1
 /usr/local/src/expat-2.0.1 root# ./configure
 /usr/local/src/expat-2.0.1 root# make
 /usr/local/src/expat-2.0.1 root# make check
 /usr/local/src/expat-2.0.1 root# make install

2. Install FastCGI

For RT, you can install mod_perl or mod_fastcgi. In this posting, we are going to walk through the installation of FastCGI. Information concerning mod_perl will be provided below so the reader can choose what fits best in their environment. FastCGI is much simpler to install and allows the core Apache process to stay small in size. With FastCGI, RT runs as a separate process from Apache, allowing RT to be stopped and restarted without affecting the Apache server. In general, FastCGI programs are easier to manage.

The Apache module mod_fastcgi allows a web server to run CGI scripts via a separate, persistent program. PHP comes with FastCGI support compiled in by default, so nothing needs to be done to the PHP installation.

You can have the Apache program call FastCGI, and have it run as the same user as the Apache server or use suexec to have FastCGI switch to a different user. Under some operating systems, suexec may not get compiled and installed when installing Apache. Check if suexec is installed, and if not go back to the Apache source, compile it, and install it. Initially, we are not going to use the suexec program. Instead we will create the group “rt”, add user httpd to group rt, and set permissions that way. You may choose later to use suexec.

 root# ls -la /usr/local/apache/bin/suexec
ls: /usr/local/apache/bin/suexec: No such file or directory
 root# cd /usr/local/src/httpd-2.2.8
 /usr/local/src/httpd-2.2.8 root# make suexec
 /usr/local/src/httpd-2.2.8 root# cp ./support/suexec /usr/local/apache/bin/suexec

Now, we are ready to get mod_fastcgi installed.

 root# cd /usr/local/src
 /usr/local/src root# wget http://www.fastcgi.com/dist/mod_fastcgi-2.4.6.tar.gz
 /usr/local/src root# tar xzf mod_fastcgi-2.4.6.tar.gz
 /usr/local/src root# cd mod_fastcgi-2.4.6
 /usr/local/src/mod_fastcgi-2.4.6 root# cp Makefile.AP2 Makefile
 /usr/local/src/mod_fastcgi-2.4.6 root# make top_dir=/usr/local/apache
 /usr/local/src/mod_fastcgi-2.4.6 root# make top_dir=/usr/local/apache install
 /usr/local/src/mod_fastcgi-2.4.6 root# /usr/local/apache/bin/apachectl stop
 /usr/local/src/mod_fastcgi-2.4.6 root# vi /usr/local/apache/conf/httpd.conf

Add the following lines to the Apache httpd.conf file:

# Load the mod_fastcgi module.
LoadModule fastcgi_module modules/mod_fastcgi.so

Check that the installation and configuration are working.

 /usr/local/src/mod_fastcgi-2.4.6 root# /usr/local/apache/bin/apachectl configtest
Syntax OK
 /usr/local/src/mod_fastcgi-2.4.6 root# /usr/local/apache/bin/apachectl start
 /usr/local/src/mod_fastcgi-2.4.6 root# cat /var/www/logs/error_log | grep -i fastcgi
[Fri Aug 01 12:17:22 2008] [notice] FastCGI: process manager initialized (pid 15221)
[Fri Aug 01 12:17:22 2008] [notice] Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.7a mod_fastcgi/2.4.6 configured -- resuming normal operations

For in-depth coverage of mod_perl, Stas Bekman and Eric Cholet have written the book “Practical mod_perl.” They have made the complete book available online in both HTML and PDF format under the Creative Commons Attribution Share-Alike License. Stas Bekman and Jim Brandt have also written the “mod_perl2 User’s Guide Book,” where 50% of the book’s proceeds go to The Perl Foundation.

If you are installing under Mac OS X, mod_perl may complain about Perl 5.8.8 being built without threads and you will get a message about building perl with -Dusethreads. If you are determined to use mod_perl, consider dropping back to Apache 1.3.x and using mod_perl 1.x. While Apache 1.3.x is legacy code, and I tend to want to use the code that is being actively developed, there is an argument for using Apache 1.3.x. One major feature of Apache 2.x is threading. On Windows, where most basic libraries are and must be thread-safe, Apache 2 is really the only choice. Earlier Mac OS X releases did not include a completely thread-safe libc, so threading is still not fully supported in Perl. This is why the Perl version that comes with Mac OS X is not compiled to use threads. To use Apache 2.x, Perl will need to be configured to use threads. The code is available from the Perl web site.

Rather than getting bogged down in compiling Perl to use threads, we will move ahead and use FastCGI. By the time of this post, I will have worked on getting RT installed under Linux, Mac OS X, and FreeBSD. Figuring out what software works best in a multi-OS environment can be challenging.

3. Configure RT

Let us start by adding the group rt. Under many operating systems, this would be done with the simple command “groupadd rt.” Things are always more interesting under Mac OS X, where you first have to look at which group IDs (gid) are in use, choose an unused gid, and then create the rt group using that gid. Under Mac OS X Leopard, group rt would be created with the commands:

 root# dscl . list /groups PrimaryGroupID | sort -k 2,2 -n
 root# dscl . create /groups/rt gid gid-of-rt
 root# dscl . create /groups/rt passwd '*'
 root# dscl . read /groups/rt
AppleMetaNodeLocation: /Local/Default
Password: *
PrimaryGroupID: gid-of-rt
RecordName: rt
RecordType: dsRecTypeNative:groups

RT’s primary maintenance and documentation site is http://www.bestpractical.com. Documentation can be found at the Best Practical Solutions RT Wiki located at http://wiki.bestpractical.com/. The latest TAR/GZ is located at http://download.bestpractical.com/pub/rt/release/rt.tar.gz. The lack of any version numbers means the version can be updated at any time. The latest version, as of this writing, is 3.8.0.

The following are the steps for downloading and configuring RT:

 root# cd /usr/local/src
 /usr/local/src root# wget http://download.bestpractical.com/pub/rt/release/rt.tar.gz
 /usr/local/src root# tar xzf rt.tar.gz
 /usr/local/src root# cd rt-3.8.0
 /usr/local/src/rt-3.8.0 root# ./configure \
  --with-web-user="httpd" \
  --with-web-group="httpd" \
  --with-rt-user="httpd" \
  --with-rt-group="rt"

4. Install Apache::Test

The Perl module Apache::Test will not allow you to run its test suite as root. Download the module separately as a non-root user; after configuring, compiling, and testing it, install it as root.

 root# su - goofy
 ~$ cd src
 ~/src goofy$ wget http://search.cpan.org/CPAN/authors/id/P/PH/PHRED/Apache-Test-1.30.tar.gz
 ~/src goofy$ tar xzf Apache-Test-1.30.tar.gz
 ~/src goofy$ cd Apache-Test-1.30
 ~/src/Apache-Test-1.30 goofy$ perl Makefile.PL
 ~/src/Apache-Test-1.30 goofy$ make
 ~/src/Apache-Test-1.30 goofy$ make test
 ~/src/Apache-Test-1.30 goofy$ sudo su root
 root# make install

5. Run fixdeps Command and Install Perl Modules

Now you are ready to use the fixdeps utility that comes with RT to install the required Perl modules. There is also the testdeps utility, which tests whether all dependencies are installed and RT is ready to be installed. You may need to run fixdeps multiple times before testdeps reports that you have all required software packages. The first time through, it can take a while (depending on your installation). Be aware that some Perl modules may need to be installed manually. It varies depending on OS and your environment. You will be able to tell which modules need manual installation by the final message provided by the fixdeps program.

 root# cd /usr/local/src/rt-3.8.0
 /usr/local/src/rt-3.8.0 root# make fixdeps
 /usr/local/src/rt-3.8.0 root# make fixdeps
 /usr/local/src/rt-3.8.0 root# make testdeps

6. Install RT

The final installation of RT is the easy part.

 /usr/local/src/rt-3.8.0 root# make install

7. Configure RT_SiteConfig.pm

We will now configure /opt/rt3/etc/RT_SiteConfig.pm. In the next step a database user and a database will be set up. We are only adding those values to the configuration file in this step. I am going to set up a hostname (rt.securitymonks.com) for my current machine. Please do not copy blindly. Change this to your environment. We will create the hostname so it only exists locally by adding an entry to the machine’s /etc/hosts file. Right now, I am only going to access the Apache server from this machine. In other words, the client and server will be on the same box.

 /usr/local/src/rt-3.8.0 root# vi /etc/hosts

Add the following line, adapting it to your organization:

##
127.0.0.1       localhost
10.1.218.202   rt.securitymonks.com

We are now ready to modify the RT_SiteConfig.pm file.

 /usr/local/src/rt-3.8.0 root# vi /opt/rt3/etc/RT_SiteConfig.pm

At minimum, add the following lines to /opt/rt3/etc/RT_SiteConfig.pm:

Set($rtname, 'BRORT');
Set($Organization, 'securitymonks');

Set($CorrespondAddress , 'john@securitymonks.com');
Set($CommentAddress , 'john@securitymonks.com');

Set($Timezone , 'US/Eastern'); # obviously choose what suits you

# THE DATABASE:

Set($DatabaseType, 'mysql'); # e.g. Pg or mysql

# These are the settings RT will use when the database is created in the
# next step; choose your own values here, above all the password.

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'secret');
Set($DatabaseName , 'rtdb');

# THE WEBSERVER:

Set($WebPath , '');
Set($WebBaseURL , 'https://rt.securitymonks.com');

# Logging
Set($LogToSyslog, '');
Set($LogToFile, 'debug');
Set($LogDir, '/opt/rt3/var/log');
Set($LogToFileNamed, "rt.log");
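
Before moving on to the database step, the settings above can be checked mechanically. The script below is an added example, not part of the original post or of RT: the function names, the placeholder-password list, and the embedded sample file are all constructed for illustration. It flags a world-readable RT_SiteConfig.pm, a placeholder DatabasePassword such as the 'secret' shown above, and a WebBaseURL that is not https.

```sh
#!/bin/sh
# Added example: audit an RT_SiteConfig.pm before running "make initialize-database".

rt_get() {  # rt_get FILE KEY: value of the last uncommented Set($KEY, '...');
    sed -n "s/^[[:space:]]*Set([[:space:]]*\\\$${2}[[:space:]]*,[[:space:]]*[\"']\\([^\"']*\\)[\"'].*/\\1/p" "$1" | tail -n 1
}

file_mode() {  # octal mode: GNU stat (Linux) first, BSD stat (Mac OS X, FreeBSD) second
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

audit_rt_siteconfig() {  # one FINDING line per problem; exit status 1 if any
    conf=$1; findings=0
    flag() { echo "FINDING: $*"; findings=$((findings + 1)); }
    mode=$(file_mode "$conf")
    case ${mode#"${mode%?}"} in   # last octal digit = permissions for "other"
        [4-7]) flag "mode $mode lets any local user read the database password" ;;
    esac
    case $(rt_get "$conf" DatabasePassword) in
        ''|secret|password|changeme) flag "DatabasePassword is empty or a placeholder" ;;
    esac
    case $(rt_get "$conf" WebBaseURL) in
        https://*) ;;
        *) flag "WebBaseURL is not https; RT logins would travel unencrypted" ;;
    esac
    [ "$findings" -eq 0 ]
}

write_sample() {  # constructed sample mirroring the settings shown in step 7
    cat > "$1" <<'EOF'
Set($DatabaseType, 'mysql'); # e.g. Pg or mysql
# Set($DatabasePassword , 'old-commented-out-value');
Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'secret');
Set($WebBaseURL , 'https://rt.securitymonks.com');
EOF
    chmod 644 "$1"
}

sample=$(mktemp "${TMPDIR:-/tmp}/rtconf.XXXXXX")
write_sample "$sample"
audit_rt_siteconfig "$sample" || echo "resolve the findings before initializing the database"
rm -f "$sample"
```

To audit a real installation, call `audit_rt_siteconfig /opt/rt3/etc/RT_SiteConfig.pm` instead of using the constructed sample.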

8. Initialize the Database

RT needs to create the rtdb database, the rt db users, and initialize some tables. This can be done with the command initialize-database, which should be run only once.

 /usr/local/src/rt-3.8.0 root# make initialize-database
 /usr/local/bin/perl sbin/rt-setup-database --action init --dba root --prompt-for-dba-password
In order to create or update your RT database, this script needs to connect to your mysql
instance on localhost as root.  Please specify that user's database password below. If the
user has no database password, just press return.

Password:
Working with:
Type:   mysql
Host:   localhost
Name:   rtdb
User:   rtuser
DBA:    root
Now creating a mysql database rtdb for RT.
Done.
Now populating database schema.
Done.
Now inserting database ACLs
Granting access to rtuser@'localhost' on rtdb.
Done.
Now inserting RT core system objects
Done.
Now inserting data
Done inserting data
Done.

Check the MySQL database out.

 /usr/local/src/rt-3.8.0 root# mysql -u rtuser -p
mysql> use rtdb;

9. Modify Apache Configuration File

Edit the /usr/local/apache/conf/httpd.conf file.

 /usr/local/src/rt-3.8.0 root# /usr/local/apache/bin/apachectl stop
 /usr/local/src/rt-3.8.0 root# vi /usr/local/apache/conf/httpd.conf

We are going to have the RT server run under our secure web server. Find the “<virtualhost _default_:443>” line, change it to “<virtualhost 10.1.218.202:443>“. Add the following lines to that section (adjusting to your environment):

   ServerName rt.securitymonks.com
   DocumentRoot /opt/rt3/share/html
   ErrorLog /usr/local/apache/logs/rt.error
   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
   CustomLog /usr/local/apache/logs/rt.access_log combined
   AddHandler fastcgi-script fcgi
   ScriptAlias / /opt/rt3/bin/mason_handler.fcgi/

Add the user the Apache server runs as (httpd by default) to the rt group. On systems other than Mac OS X, modify group membership by editing the file /etc/group (vi /etc/group). Mac OS X users need to use the dscl command.

 root# dscl . append /groups/rt GroupMembership httpd
 root# dscl . read /groups/rt

Change the group and permission on the log area if you have told RT to log to /opt/rt3/var/log.

 root# chgrp rt /opt/rt3/var/log
 root# chmod g+w /opt/rt3/var/log

Test the configuration of the file, and if everything checks out start up Apache.

 /usr/local/src/rt-3.8.0 root# /usr/local/apache/bin/apachectl configtest
Syntax OK
 /usr/local/src/rt-3.8.0 root# /usr/local/apache/bin/apachectl start

Remember there are now three files to check for problems with RT.

  • /opt/rt3/var/log/rt.log
  • /usr/local/apache/logs/rt.error
  • /usr/local/apache/logs/rt.access_log

There are many configuration options. The options chosen in this post represent only the minimum needed to get RT running. Please see the RT Wiki’s FastCGIConfiguration page for additional information.

10. Access RT and Change the Default Password

Now it is time to log in and change the default password. Using the entry we made in our /etc/hosts file, we can now access the site by going to https://rt.securitymonks.com. This URL should be different for your site. You will see a login screen similar to the image on the left.

Log in using the username “root” and password “password“. Once logged in, you will see a screen similar to the image below:

Over on the left menu bar, select “Configuration.” That will bring you to the “RT Administration” screen:

Select, “Users.” That will bring you to the “Select a user” screen:

Select the user “root,” which will bring you to the “Modify the user root” screen. If you look at the lower left of the screen, there is an “Access Control” area. There is a place to enter “New Password.” Do so. The screen looks like:

Make sure to hit the “Save Changes” button at the bottom of the screen. With a working copy of RT, you are now ready to start adjusting configurations and working with the program. For additional information, please check out “RT Essentials,” the RT Wiki, and the Best Practical Solutions blog site. Look for future posts to build upon the RT installation and database.
