Install PSM HTML5 Gateway using an RPM package

This topic describes how to install the PSM HTML5 gateway using an RPM package.

Software prerequisites

Red Hat Enterprise Linux 7.x or CentOS 7.x

Required libraries:

  • libpng

  • libjpeg

  • libcairo

  • OpenSSL v1.0.x

  • Java

  • Java Developer

The libraries must be installed with yum:

 
yum install cairo libpng libjpeg java java-devel openssl

Install the HTML5 Gateway

This section describes how to install the PSM HTML5 Gateway.

Hardening

This section describes hardening for each component and connection. Before you begin, complete Install the HTML5 Gateway.

Hardening includes:

  • Disabling unused file systems
  • Ensuring permissions on warning banners
  • Restricting core dumps
  • Configuring ASLR if it is enabled
  • Removing legacy services
  • Disabling unnecessary services from the startup
  • Setting daemon umask
  • Ensuring that the audit service is enabled on the OS
  • Configuring and restricting cron
  • Configuring PAM
  • Ensuring default umasks
  • Reviewing the system to determine that various file permissions and user and group permissions are properly configured
  • Ensuring file permissions on SSHD
 

Hardening is specified during Deploy the HTML5 service.

Post-installation configuration

After installation, configure the HTML5 Gateway. For details, see Secure Access with an HTML5 Gateway.

Load balancing

The PSM HTML5 gateway can be load balanced as you would load balance any other web server (or the PVWA).

You can deploy farms of HTML5 gateway servers behind a load balancer. Then when adding a configured PSM Gateway server, use the relevant farm's Virtual IP (VIP) in the Address parameter. For details, see Add PSM HTML5 Gateway server.

You can perform a health check on the servers. For details, see Health Check.

Upgrade the PSM HTML5 Gateway

Upgrade the Tomcat web service

Before you begin

Check your Tomcat version:

  1. On the HTML5 Gateway machine, go to CATALINA_HOME.

     
    cd /opt/tomcat
  2. Run the following command:

     
    java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo
  3. Check Server version: Apache Tomcat.

  4. If the Tomcat version is earlier than 8.5.56 (8.5 line) or earlier than 9.0.36 (9.0 line), you must update Tomcat to the latest 8.5 or 9.0 version.
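
The version check in steps 1 to 4, as an added shell example (not part of the vendor procedure): it parses the `Server version:` line and compares it numerically with the 8.5.56 and 9.0.36 minimums. The function names and the sample output are constructed for illustration; reporting versions outside the 8.5 and 9.0 lines as unsupported is an assumption based on the Tomcat versions this page says the gateway supports.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are illustrative.

# Constructed sample of ServerInfo output (not captured from a real host).
SAMPLE_SERVERINFO='Server version: Apache Tomcat/8.5.50
Server number:  8.5.50.0'

# Read ServerInfo output on stdin and print the version, e.g. 8.5.50.
parse_tomcat_version() {
    sed -n 's|^Server version:[[:space:]]*Apache Tomcat/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Return 0 when version $1 is strictly lower than $2 (numeric, field by field,
# so 9.0.9 sorts below 9.0.36, which a plain string comparison gets wrong).
version_lt() {
    va=$1; vb=$2
    for n in 1 2 3; do
        x=${va%%.*}; y=${vb%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        # Drop the leading field; use 0 once no fields remain.
        case $va in *.*) va=${va#*.} ;; *) va=0 ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
    done
    return 1
}

# Print upgrade | ok | unsupported | unknown for a Tomcat version string.
tomcat_status() {
    case $1 in
        '')    echo unknown ;;
        8.5.*) if version_lt "$1" 8.5.56; then echo upgrade; else echo ok; fi ;;
        9.0.*) if version_lt "$1" 9.0.36; then echo upgrade; else echo ok; fi ;;
        *)     echo unsupported ;;
    esac
}

# On the gateway, from CATALINA_HOME:
#   java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo | parse_tomcat_version
v=$(printf '%s\n' "$SAMPLE_SERVERINFO" | parse_tomcat_version)
echo "Tomcat $v: $(tomcat_status "$v")"
```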

Upgrade Tomcat

 

If you upgrade from version 8.x to 9.x, you must update the Java version to 8 or higher.

  1. Download a new version of Tomcat to the /opt directory.

     
    • We recommend deploying Tomcat manually.

    • The yum repository does not always contain the latest Tomcat version.

    • The PSM HTML5 Gateway supports Tomcat v.8.5 or v.9.

  2. Stop the Tomcat and PSMGW services.

     
    service tomcat stop
    /etc/init.d/guacd stop
  3. Set CATALINA_HOME to be the root folder for Tomcat.

    In the examples below, we use /opt/tomcat as the root folder.

     
    export CATALINA_HOME=/opt/tomcat

    All scripts assume that /opt/tomcat is the root folder. If you use a different root folder, you must change these scripts.

  4. Rename the old Tomcat home directory and extract the Tomcat archive.

     
    cd /opt
    mv tomcat tomcat_<old_version>
    tar -xvf apache-tomcat-<version>.tar.gz
    mv apache-tomcat-<version> tomcat
  5. Run the following commands to configure Tomcat to run as a low-privileged user and group.

    • Set permissions on the Tomcat root folder

       
      chmod 755 /opt/tomcat
    • Set up ownership

       
      chown -R tomcat:tomcat $CATALINA_HOME
    • Set permissions for the Tomcat server configuration file

       
      chmod 600 $CATALINA_HOME/conf/server.xml
  6. Secure the connection between the end user and Tomcat.

    • Find the Keystore that was generated in the installation procedure

       
      grep "keystoreFile=" /opt/tomcat_<old_version>/conf/server.xml

      If the output includes a folder under tomcat home, it is now under the backed-up folder.

      For example, if the output is keystoreFile="/opt/tomcat/keystore", the Keystore is actually under /opt/tomcat_<old_version>/keystore.

      In this case, you must copy the following items to the new location. For example:

      • mv /opt/tomcat_<old_version>/keystore /opt/tomcat/keystore

      • mv /opt/tomcat_<old_version>/cert.crt /opt/tomcat/cert.crt

      • mv /opt/tomcat_<old_version>/key.pem /opt/tomcat/key.pem

    • Configure Tomcat to work with SSL and the Keystore you found in the previous step

      • Copy the connector section from the server.xml under the old tomcat home to $CATALINA_HOME/conf/server.xml

         
        <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS" keystoreFile="<generated keystore path>" keystorePass="<generated keystore password>"
        />
      • Delete any additional connector sections in $CATALINA_HOME/conf/server.xml.

    • Move the guac.war file to the new Tomcat

       
      mv /opt/tomcat_<old_version>/webapps/guac.war /opt/tomcat/webapps/
  7. Start the Tomcat and PSMGW services.

     
    service tomcat start
    /etc/init.d/guacd start
  8. Secure the Tomcat server, as described in Hardening.

  9. Secure the connection between the end user and Tomcat, as described in Hardening.
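
A post-upgrade check for steps 5 and 6, as an added shell example (not part of the vendor procedure): it verifies the modes and ownership set in step 5 and that exactly one active, TLS-enabled connector remains in server.xml. The function names and finding labels are illustrative, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not vendor code. Relies on GNU stat (RHEL/CentOS).

# Print server.xml with <!-- ... --> comments removed, so that
# commented-out connectors are not counted as active ones.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (in_c) {
                i = index(line, "-->")
                if (i == 0) { line = "" } else { line = substr(line, i + 3); in_c = 0 }
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = "" }
                else { out = out substr(line, 1, i - 1); line = substr(line, i + 4); in_c = 1 }
            }
        }
        print out
    }' "$1"
}

# audit_tomcat <CATALINA_HOME> [owner]: print one line per deviation from
# steps 5 and 6; print nothing when everything matches.
audit_tomcat() {
    home=$1; owner=${2:-tomcat}; xml=$home/conf/server.xml
    [ "$(stat -c %a "$home")" = 755 ] || echo "MODE_HOME: $home is not 755"
    [ "$(stat -c %a "$xml")" = 600 ]  || echo "MODE_XML: $xml is not 600"
    [ "$(stat -c %U "$xml")" = "$owner" ] || echo "OWNER: $xml is not owned by $owner"
    active=$(strip_xml_comments "$xml")
    count=$(printf '%s\n' "$active" | grep -o '<Connector' | wc -l)
    [ "$count" -eq 1 ] || echo "CONNECTORS: $count active <Connector> elements, expected 1"
    printf '%s\n' "$active" | grep -q 'SSLEnabled="true"' \
        || echo "NO_TLS: no active connector has SSLEnabled=\"true\""
    return 0
}

# Run against the page's default root folder when it exists.
if [ -f "${CATALINA_HOME:-/opt/tomcat}/conf/server.xml" ]; then
    audit_tomcat "${CATALINA_HOME:-/opt/tomcat}"
fi
```

A leftover world-readable server.xml matters here because the connector stores the keystore password in clear text.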