3.3. Installing on RHEL or CentOS v7 (64bit)

The LinOTP components are available from rpm repositories; use this method to install the LinOTP server on Red Hat Enterprise Linux / CentOS 7 (64bit). The packaging is modular: the LinOTP server package itself contains no database drivers and no configuration files for databases or web servers; separate packages provide these additions.

The repositories are hosted on linotp.org.

Download a package to install the necessary yum repositories:

yum localinstall http://linotp.org/rpm/el7/linotp/x86_64/Packages/LinOTP_repos-1.1-1.el7.x86_64.rpm

This package contains the following repositories in /etc/yum.repos.d/linotp.repo:

[linotp]
name=KeyIdentity LinOTP Packages for Enterprise Linux 7 - $basearch
baseurl=http://linotp.org/rpm/el7/linotp/x86_64
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LINOTP-7

[linotp-dependencies]
name=KeyIdentity LinOTP Packages required for Enterprise Linux 7
baseurl=http://linotp.org/rpm/el7/dependencies/x86_64
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LINOTP-7

These repositories provide the LinOTP server software (linotp) and packages built by KeyIdentity from other open source projects that LinOTP depends on (linotp-dependencies).
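The repository package above is fetched over plain http and carries the very key that later verifies every package, so the only real trust anchor is that key's fingerprint, which should be compared with one obtained from KeyIdentity out of band before anything is installed. The script below is an added example, not part of the LinOTP packages: show_repo_key extracts the key from the downloaded rpm (assumed to ship at the path named in linotp.repo) and prints its fingerprint, and check_repo_file audits a .repo file so that no enabled section accepts unsigned packages. The fingerprint itself is not reproduced here; obtain it from the vendor.

```shell
#!/bin/sh
# Added example (not from the LinOTP project). Assumes the repo rpm ships the
# key at the path named in linotp.repo (/etc/pki/rpm-gpg/RPM-GPG-KEY-LINOTP-7).

KEY_PATH=etc/pki/rpm-gpg/RPM-GPG-KEY-LINOTP-7

# Extract the signing key from the downloaded repo package and print its
# fingerprint for out-of-band comparison. Nothing is installed or imported.
show_repo_key() {
    tmp=$(mktemp -d)
    (cd "$tmp" && rpm2cpio "$1" | cpio -idm --quiet "./$KEY_PATH")
    gpg --with-fingerprint "$tmp/$KEY_PATH"
    rm -rf "$tmp"
}

# Audit a yum .repo file: every enabled section must have gpgcheck=1 and a
# gpgkey; a plain-http baseurl is reported because integrity then rests on the
# signature alone. A missing gpgcheck line is treated as 0 (it would inherit
# whatever [main] in yum.conf says, which this check cannot see).
# Returns 0 only if no enabled section accepts unsigned packages.
check_repo_file() {
    awk '
    function flush() {
        if (sec == "" || enabled == "0") return
        if (gpgcheck != "1") { printf "%s: gpgcheck=%s, unsigned packages accepted\n", sec, gpgcheck; bad = 1 }
        if (gpgkey == "")    { printf "%s: no gpgkey\n", sec; bad = 1 }
        if (baseurl ~ /^http:\/\//) printf "%s: plain-http baseurl, signature is the only integrity check\n", sec
    }
    BEGIN { bad = 0 }
    /^\[.*\]$/ { flush(); sec = $0; enabled = "1"; gpgcheck = "0"; gpgkey = ""; baseurl = ""; next }
    /^[[:space:]]*(#|$)/ { next }
    index($0, "=") {
        key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key)
        val = substr($0, index($0, "=") + 1);    gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        if (key == "enabled")  enabled  = val
        if (key == "gpgcheck") gpgcheck = val
        if (key == "gpgkey")   gpgkey   = val
        if (key == "baseurl")  baseurl  = val
    }
    END { flush(); exit bad }
    ' "$1"
}

# Typical sequence on the target host (as root):
#   sh repo-check.sh key LinOTP_repos-1.1-1.el7.x86_64.rpm    # compare the fingerprint
#   rpm --import <extracted key> && rpm -K LinOTP_repos-1.1-1.el7.x86_64.rpm
#   yum localinstall LinOTP_repos-1.1-1.el7.x86_64.rpm
#   sh repo-check.sh audit /etc/yum.repos.d/linotp.repo
case "${1:-}" in
    key)   show_repo_key "$2" ;;
    audit) check_repo_file "$2" ;;
esac
```

Run the audit again after enabling EPEL or any vendor repository; a section with gpgcheck=0 lets yum install whatever the mirror serves.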

Furthermore, some packages are needed from EPEL (Extra Packages for Enterprise Linux), which is maintained by Fedora and has to be enabled for a successful LinOTP installation:

https://fedoraproject.org/wiki/EPEL

Activate EPEL on the system:

yum install epel-release.noarch

If you don’t want to enable EPEL, KeyIdentity provides a repository for support customers which contains all packages from EPEL for your LinOTP installation. This ensures that you get a consistent repository maintained by KeyIdentity. The packages from the enterprise repository are signed with the LinOTP GPG key. Please contact KeyIdentity to receive further information:

https://www.keyidentity.com/about/contact-us/

SELinux is supported and can stay in its default mode (enforcing). The SELinux configuration for LinOTP is provided by the package LinOTP_apache (see below). If you do not want to use that package, apply the following rules:

semanage fcontext -a -t httpd_sys_content_t "/etc/linotp2(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/etc/linotp2/data(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/log/linotp(/.*)?"
restorecon -Rv /etc/linotp2/
restorecon -Rv /var/log/linotp
setsebool -P httpd_can_network_connect_db on
setsebool -P httpd_can_connect_ldap on
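Applied as written, semanage fcontext -a fails on a second run because the specification already exists, and nothing confirms that the labels actually took effect. The script below is an added example, not part of the LinOTP_apache package: it applies the rules above idempotently and then verifies the resulting labels, the booleans and any httpd AVC denials. Whether both booleans are needed depends on the deployment: httpd_can_network_connect_db covers a database reached over TCP, httpd_can_connect_ldap only an LDAP or Active Directory UserIdResolver; each one widens what httpd_t may connect to.

```shell
#!/bin/sh
# Added example, not part of LinOTP_apache. Applies the fcontext rules and
# booleans from the text idempotently and verifies them afterwards.

# Type a path should carry, mirroring the three fcontext rules: the two
# read-write specifications are more specific and win over the general
# read-only /etc/linotp2 rule.
expected_type() {
    case "$1" in
        /etc/linotp2/data|/etc/linotp2/data/*) echo httpd_sys_rw_content_t ;;
        /var/log/linotp|/var/log/linotp/*)     echo httpd_sys_rw_content_t ;;
        /etc/linotp2|/etc/linotp2/*)           echo httpd_sys_content_t ;;
        *)                                     echo none ;;
    esac
}

# semanage fcontext -a refuses a spec that already exists; fall back to -m so
# the script can be re-run after updates.
add_fcontext() {
    semanage fcontext -a -t "$1" "$2" 2>/dev/null || semanage fcontext -m -t "$1" "$2"
}

apply_rules() {
    add_fcontext httpd_sys_content_t    "/etc/linotp2(/.*)?"
    add_fcontext httpd_sys_rw_content_t "/etc/linotp2/data(/.*)?"
    add_fcontext httpd_sys_rw_content_t "/var/log/linotp(/.*)?"
    restorecon -Rv /etc/linotp2/ /var/log/linotp
    # Each boolean widens what httpd_t may reach; leave one off if your
    # deployment does not need it (no TCP database / no LDAP resolver).
    setsebool -P httpd_can_network_connect_db on
    setsebool -P httpd_can_connect_ldap on
}

# Report files whose actual type (third field of the security context) differs
# from the expected one, show the booleans, and flag httpd denials logged today.
verify_rules() {
    rc=0
    for dir in /etc/linotp2 /var/log/linotp; do
        if find "$dir" -print 2>/dev/null | while read -r p; do
               actual=$(stat -c %C "$p" | cut -d: -f3)
               want=$(expected_type "$p")
               [ "$actual" = "$want" ] || echo "MISLABELED $p: $actual (want $want)"
           done | grep .; then
            rc=1
        fi
    done
    getsebool httpd_can_network_connect_db httpd_can_connect_ldap
    if ausearch -m AVC,USER_AVC -c httpd -ts today 2>/dev/null | grep -q .; then
        echo "AVC denials for httpd today; inspect with: ausearch -m AVC -c httpd -ts today"
        rc=1
    fi
    return $rc
}

# Usage (as root):  sh selinux-linotp.sh apply   then   sh selinux-linotp.sh verify
case "${1:-}" in
    apply)  apply_rules ;;
    verify) verify_rules ;;
esac
```

Run verify after the first Apache start and after every package update that touches /etc/linotp2; a 403 or 500 from the LinOTP web service with a matching AVC record is almost always a label that restorecon did not reach.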

Before you start the installation, make sure the network setup of the server is correct and the server's host name resolves properly.

Note

The desired database is not installed automatically with the LinOTP package.

If you want to use MariaDB as the LinOTP database, you can install the server on the same host or on a remote one. A local instance should listen on the loopback interface only and be hardened with mysql_secure_installation before LinOTP is pointed at it:

yum update
yum install mariadb-server

The LinOTP packages can be installed by:

yum install LinOTP                  # contains LinOTP core, useridresolver
                                    # and smsprovider
yum install LinOTP_mariadb          # installs the mariadb client, drivers
                                    # and a setup script

Note

The package LinOTP_mariadb provides the script linotp-create-mariadb, which creates the database and, if none is present yet, a new encryption key.

Instead of MariaDB you can also use PostgreSQL or Oracle as your token database. For PostgreSQL install the corresponding package:

yum install LinOTP_postgresql

Note

This package contains only the client and the driver for PostgreSQL, not the PostgreSQL server itself, which you can install with

yum install postgresql-server

The PostgreSQL server must allow password authentication for the LinOTP database user (an md5 rule in pg_hba.conf rather than trust). Consult the PostgreSQL documentation for details: https://www.postgresql.org/docs/

To use Oracle as your token database, contact KeyIdentity:

https://www.keyidentity.com/about/contact-us/

For support customers KeyIdentity provides installation instructions for the Oracle client and an RPM package that contains the necessary drivers.

You can also create the token database manually as described in section Setup token database.

If you want to use databases as UserIdResolvers, you also have to install the LinOTP database packages mentioned above. For details about UserIdResolvers see UserIdResolvers and Realms - The Concepts.

During installation of the LinOTP package a pinned version of python-repoze-who is installed from the LinOTP repositories. Lock this package so that later system updates do not replace it:

yum install yum-plugin-versionlock
yum versionlock python-repoze-who

For the integration with Apache there is a separate package that provides example configuration files for the SSL and the WSGI setup:

yum install LinOTP_apache

Use the template ssl_linotp.conf.template in /etc/httpd/conf.d to create or adapt your Apache configuration. Creating wsgi_linotp.conf from wsgi_linotp.conf.template is no longer necessary since LinOTP 2.8.1.3. The entries in ssl_linotp.conf.template for the SSL certificate and key files point to a default configuration and must be changed to your own certificate before the service can be considered secure.

For the first login to LinOTP use the following default credentials:

admin/Tio1LApw

Change this password immediately after installation. htdigest prompts for the new password; the realm string must match the AuthName in the Apache configuration:

htdigest /etc/linotp2/admins "LinOTP2 admin area" admin
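Whether the factory credential is still in place is worth checking mechanically, and the interactive htdigest prompt is awkward in provisioning scripts. The script below is an added example, not part of LinOTP: it recomputes the hash that htdigest stores (MD5 of user:realm:password, with the realm "LinOTP2 admin area" from the command above) to detect the default password in /etc/linotp2/admins, and writes a replacement entry with the new password read from stdin so it never appears in the process list or the shell history. The page does not state the ownership of /etc/linotp2/admins; the example rewrites the file in place so its existing owner and mode are kept, and the file must remain readable by the httpd process and nobody else.

```shell
#!/bin/sh
# Added example, not part of LinOTP. Works on the htdigest file format
# user:realm:md5(user:realm:password) that /etc/linotp2/admins uses.

REALM='LinOTP2 admin area'
DEFAULT_USER=admin
DEFAULT_PASS=Tio1LApw

# HA1 exactly as htdigest stores it.
digest_ha1() {
    printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1
}

# Return 1 if any entry in the file still carries the factory password;
# also warn when an entry's realm would not match the Apache AuthName.
find_default_admin() {
    want=$(digest_ha1 "$DEFAULT_USER" "$REALM" "$DEFAULT_PASS")
    rc=0
    while IFS=: read -r user realm ha1; do
        [ -n "$user" ] || continue
        if [ "$ha1" = "$want" ]; then
            echo "$1: entry '$user' still uses the default password" >&2
            rc=1
        fi
        if [ "$realm" != "$REALM" ]; then
            echo "$1: entry '$user' has realm '$realm', Apache AuthName must match" >&2
        fi
    done < "$1"
    return $rc
}

# Replace or add the entry for user $2 in file $1. The new password is read
# from stdin, so it shows up neither in argv nor in shell history. The file is
# rewritten in place, which preserves its existing owner and mode.
set_admin_entry() {
    IFS= read -r pass
    ha1=$(digest_ha1 "$2" "$REALM" "$pass")
    tmp=$(mktemp)
    { [ -f "$1" ] && awk -F: -v u="$2" '$1 != u' "$1"; printf '%s:%s:%s\n' "$2" "$REALM" "$ha1"; } > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Usage on the host (as root):
#   sh admins.sh check                 # audit /etc/linotp2/admins
#   sh admins.sh set admin             # type the new password, then Enter
#   sh admins.sh set admin /other/file # same, for a different digest file
case "${1:-}" in
    check) find_default_admin "${2:-/etc/linotp2/admins}" ;;
    set)   set_admin_entry "${3:-/etc/linotp2/admins}" "${2:?user name required}" ;;
esac
```

The hash is plain MD5 without a salt, as the Digest scheme requires, so the admins file deserves the same protection as a password file: anyone who can read it can attempt offline guessing, and anyone who can write it owns the LinOTP admin interface.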

The python package python-ldap, which is used when your users are located in an LDAP directory or Active Directory, is installed automatically as a dependency of the LinOTP package.