server installation

Nelson Loyola edited this page Dec 19, 2017 · 20 revisions

Biobank server installation

The server can be deployed on computers running Linux or MS Windows. However, up to now the server has only been tested and installed on computers running Linux (Ubuntu Server 16.04.3 LTS is recommended). The Biobank server is distributed as an Ubuntu package or as a tar archive. It should be installed under a special user account for better security.

The Biobank server runs as an application under JBoss (version 4.0.5 GA). Some precautions, listed below, should be taken when running the server.

Download

The most recent version can be downloaded from here:

Requirements

A minimum of 2 GB of RAM is required to run the server. Up to now the server has been installed on standalone servers and also on virtual machines.

Prior to deploying a server, the following software packages have to be installed:

  1. Oracle Java SE Development Kit 6. Please see the instructions given below on how to configure Java on Ubuntu. For other distributions, please refer to the distribution's documentation. Please do not use OpenJDK as the application will not work correctly.

  2. MySQL Server version 5.1 or later. Install it with the following command:

    sudo apt-get install mysql-server
    
  3. Perl. Install it with the following command:

    sudo apt-get install perl
    
  4. Zip and Unzip. Install them with the following command:

    sudo apt-get install zip unzip
    
  5. Apache - Apache is required to isolate the JBoss server from attacks.

    Use the following command to install the required packages:

    sudo apt-get install apache2 libapache2-mod-jk libapache2-mod-security2
    

Installation

  1. Install Java by following the instructions on this page: Installing Java.

  2. Install the required packages:

    sudo apt-get install perl libterm-readkey-perl zip unzip openssl

  3. For security reasons, it is better to run JBoss as a non-root user. To do this, create a jboss user account:

    sudo mkdir /opt/jboss
    sudo useradd --system -d /opt/jboss -s /bin/bash jboss

    Please use /opt/jboss as the home directory since the prebuilt package installs the files to this directory.

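    You may wish to add the jboss user to the sudo group. This is optional: membership in the sudo group lets the account run commands as root, which reduces the benefit of running JBoss under a non-root account.

    sudo usermod -aG sudo jboss

  4. Download and install the Biobank server package:

    It can be downloaded from here: https://biobank.cbsr.ualberta.ca/server/BioBank-v3.10.5/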

    sudo dpkg -i biobank-server-<version>.deb

    where <version> matches the version of the file you downloaded.

    After the command completes your /opt/jboss directory will be populated with new files. Some of these files are scripts that need to be run to configure the server for your installation. More details are given below.

  5. Move the JBoss startup script so that the server can be started as a service.

    sudo mv jboss-standalone.service /etc/systemd/system/
    sudo chown root:root /etc/systemd/system/jboss-standalone.service
    sudo systemctl daemon-reload

  6. Enable the service to start on system startup:

    sudo systemctl enable jboss-standalone.service

  7. Configure the MySQL server by following the instructions on this page: MySQL configuration.

  8. Create a database on the MySQL server to be used by the Biobank server and create a user to access the database. Grant all privileges on the biobank database to this user.

    For example, these commands create the database named biobank. Start the MySQL command line tool with this command:

    mysql -h <hostname> -uroot -p<password> mysql

    and create the database and add a user that can access the database.

    CREATE DATABASE biobank;
    CREATE USER 'biobank_user'@'localhost' IDENTIFIED BY 'biobank_password';
    GRANT ALL PRIVILEGES ON biobank.* TO 'biobank_user'@'localhost' WITH GRANT OPTION;

    biobank_user and biobank_password should be replaced with the username and password you would like to use in your configuration.

  9. Configure time zone information on the MySQL server:

    mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -uroot -p mysql
    sudo service mysql restart

  10. To create an SSL certificate see these instructions: SSL Certificate. To create a temporary certificate for testing see here: Temporary SSL Certificate.

  11. Run the /opt/jboss/configure script. You will be prompted for the values used to configure your server. You will be asked for the following:

    1. The host name for the MySQL server.

    2. The name of the database to be used by the Biobank server on the MySQL server. In the example given above the name of the database was biobank.

    3. The user name the Biobank server should use to communicate with the MySQL server.

    4. The password for the user name.

    5. The password for the JBoss Web Console and JMX Console. They will both use the same password.

    6. If the database has not been initialized you will be prompted to do so.

  12. Run the /opt/jboss/chkconfig script to test your configuration. The script runs a series of tests and outputs the results. Ensure all the tests pass. Once all the tests pass you can start the server.

  13. Install and configure the Apache Web Server to front JBoss using these instructions.

  14. Use iptables to limit the ports open to the world.

    First install the iptables-persistent Ubuntu package:

    sudo apt-get install iptables-persistent

    Then open port 443:

    sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
    sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
    sudo service iptables-persistent start
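
The rule in step 14 only adds an ACCEPT for port 443; inbound ports are limited only if the INPUT chain also has a DROP policy or a final DROP/REJECT rule. The following added example (not part of the original page or the Biobank project) audits `iptables-save` output for that. The function name `audit_input`, the two constructed sample dumps and SSH on port 22 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the filter table of an `iptables-save` dump and report
# whether the INPUT chain limits inbound ports.
# Output: "<open|restricted> policy=<POLICY> tcp_ports=<comma-separated list>"
audit_input() {
    awk '
        /^\*/ { table = substr($1, 2) }           # "*filter" starts a table section
        table != "filter" { next }
        $1 == ":INPUT" { policy = $2 }            # chain header, ":INPUT ACCEPT [0:0]"
        $1 == "-A" && $2 == "INPUT" && !closed {  # rules after a catch-all never match
            if ($3 == "-j") {                     # rule with no match criteria
                if ($4 == "ACCEPT") wide_open = 1
                else if ($4 == "DROP" || $4 == "REJECT") closed = 1
                next
            }
            tcp = 0; port = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
                if ($i == "--dport" || $i == "--dports") port = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (tcp && port != "" && target == "ACCEPT")
                ports = (ports == "" ? port : ports "," port)
        }
        END {
            verdict = (!wide_open && (policy == "DROP" || closed)) ? "restricted" : "open"
            printf "%s policy=%s tcp_ports=%s\n", verdict, policy, ports
        }
    '
}

# Constructed sample (abridged): default policies plus only the port 443 rule from step 14.
sample_page_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT' 'COMMIT'
}

# Constructed sample (abridged): default-deny INPUT; SSH on port 22 is an assumption.
sample_default_deny() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT' 'COMMIT'
}

sample_page_rules | audit_input
sample_default_deny | audit_input
```

On a live host, pipe the real ruleset through the same function with `sudo iptables-save | audit_input`.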

Start the biobank server with the command:

sudo systemctl start jboss-standalone.service

You can test that the server is running by opening the following URL in your browser:

https://_IP_or_DN_/biobank

Where _IP_or_DN_ is the IP address or domain name for your server. You should see a web page similar to the one shown below:

[Image: Biobank Server Web Page]

You can log into the JMX Console and JBoss Web Console by opening this URL in your browser:

https://_IP_or_DN_/

and selecting the appropriate link. The user name is bbadmin and the password is changeme.

Optional

The installation of the following packages is optional, but makes the server more secure if it's open to the world.

Chkrootkit

chkrootkit is a tool to locally check for signs of a rootkit. Type the following command to install chkrootkit:

$ sudo apt-get install chkrootkit

To look for rootkits, enter:

$ sudo chkrootkit

rkhunter

rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications. Type the following command to install rkhunter:

$ sudo apt-get install rkhunter

Apply any updates:

$ sudo rkhunter --update

The following command option tells rkhunter to perform various checks on the local system:

$ sudo rkhunter --check

Lynis

Lynis is a security auditing tool for UNIX derivatives like Linux, macOS, BSD, and others. It performs an in-depth security scan and runs on the system itself.

See the installation instructions here: https://github.com/CISOfy/lynis

fail2ban

fail2ban is a great package that actively blocks suspicious activity as it occurs. From their wiki: Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc... It does this by adding rules to iptables.

sudo apt-get install fail2ban

Logwatch

Log management is an area consisting mostly of search, log rotation / retention and reporting. Logwatch is an application that helps with simple log management by analyzing the logs daily and reporting a short digest of the activity taking place on your machine.

sudo apt-get install -y logwatch

Follow the instructions here to install.

The following entry can be used as a cron job:

00 02 * * * /usr/sbin/logwatch --output mail --mailto [email protected] --detail high