System Administration

System Administration information

Overview

 IWA can allow for “silent authentication” using the current users credentials.

Prerequisites

LDAP users have been successfully populated from AD; if not please refer to the AD Configuration Guide.

Quick reference

  1. setspn -U -S HTTP/%noodle.domain.tld@DOMAIN.TLD %service_account
  2. Add Noodle to "Microsoft Internet Explorer > Tools > Internet Options > Security > Local intranet > Sites > Advanced"

Supported configurations

Browsers

Microsoft Internet Explorer, Mozilla Firefox, Google Chrome
Note: Microsoft Edge does not support this feature.

Protocols

Kerberos in SPNEGO in GSS-API (RFC 2478)
Note: NTLM, and NegoExts are not supported.

Endpoints

AD, Azure, and F5
Note: Others may work but have not been tested

Server configuration

Define the appropriate SPN for the account which Noodle is using to bind to LDAP.

  • Within the AD Users and Groups snap-in Navigate to Noodle’s service (admin) account and set the follow attribute:
    1. servicePrincipalName = HTTP/%noodle_url
    2. Apply the change
  • This may also be set via command line:
    1. setspn -U -S HTTP/%noodle.domain.tld@DOMAIN.TLD %service_account
  • For Windows server 2008R2 or older command line instead use
    1. setspn -A HTTP/%noodle.domain.tld %service_account

Note:

  • Logins from the AD Kerberos Server itself are not supported because Windows will attempt NTLM.
  • For local installs, non-primary domains can be used with IWA by placing “IgnoreIWADomain = true” into intranet.conf 

Browser configuration

The next step in enabling IWA requires browser configurations to attempt authentication with the Noodle intranet website.

Once the configuration is in place users will need to access Noodle via the SPNEGO.po URL (ie. https://yourNoodle.tld/SPNEGO.po).

The following section of this guide explains this process.

Microsoft Internet Explorer & Google Chrome

Both of these browsers are configured with Microsoft Internet Explorer in "Tools > Internet Options > Security > Local intranet". 

Note:  If a non-default level is in use be sure “Automatic logon only in Intranet zone” is selected in "the Custom Level".

Next we will need to add the URL of your Noodle instance in "Sites > Advanced".

Mozilla Firefox

Enter “about:config” in the address bar, press “Enter”, and click “I Accept the Risk” when prompted.

Next, search for “auth.trusted”, enter your Noodle URL in the attribute entitled “network.negotiate-auth.trusted-uris” and select OK.

At this point IWA should be fully operational for your Noodle Intranet site!

Overview

SAML authentication can allow for Single Sign-On (SSO).  This guide outlines the steps involved for implementation of Noodle as a SAML Service Provider (SP) and offers general configuration parameters required by your SAML idP.  Noodle users are often being populated via AD; for more information on this setup please refer to the document.

Noodle Prerequisites

If Active Directory (AD) is being used, LDAP users should have already been populated within Noodle.

Supported Identity Providers (idP)

Onelogin, Okta, Azure

Note: Vialect will provide best effort support to integrate with other idP solutions.

Noodle Configuration & Access

Once navigating to the SAML configuration section in Noodle (via “System Tools > Settings > Single Sign-On”), your Noodle instance will require only two pieces of information about your SAML idP:

Note:  Both of these items (post URL & SHA1 fingerprint) will be supplied by your idP vendor.

Essentially, your idP will provide an XML file which contains input for both of the required fields mentioned above.  However, the certificate sometimes is in the incorrect format and may need to be converted into a SHA-1 Fingerprint.

There are some online SAML tools that may prove helpful in order to calculate the SHA-1 fingerprint:

  1. Format a X.509 Certificate - Convert the certificate into a suitable format
  2. Calculate Fingerprint - Use the formatted certificate to calculate a fingerprint
Optional: For non-managed users there is also an option to save the account details within the browser itself, by enabling "Noodle > System Tools > Settings > User Settings > Remember my login information".  The user will be asked to login again if they ever actually click the “Logout” link within Noodle.

Once this information has been saved in Noodle you are ready to move onto configuring the idP with the necessary information about the SP, Noodle.

Defining a Service Provider with your idP

The primary information that your idP will be looking for is how to construct the SAML Response and where to send it once the idP has successfully verified the SAML Request.  

As mentioned earlier in this document the URL for sending a SAML response is http://yourNoodle.tld/SAML.po which will be defined as a Web App if asked.

There are several other parameters that may required when defining how your idP will construct the SAML response being sent to Noodle.

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted
  • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

For further information, please refer to your idP’s documentation or contact techsupport@vialect.com.

postgresql.conf ships with quite modest defaults so be sure to august it for anything more than light use. We recommend for ~4k users;

  • Available Memory = System Memory - OS (1GB for Windows) - Java (100 to 512)
  • effective_cache_size = Available Memory / 2
  • shared_buffers  = effective_cache_size / 4
  • max_locks_per_transaction = 512
  • max_connections =  60
  • checkpoint_segments 30
  • log_min_duration_statement = 10000
  • log_line_prefix =  ''%m: ''

There is a convenient config creator here.

The first encrypted request after starting Noodle can be 3 orders of magnitude slower than normal due to random entropy pool depletion. If your server suffers from this issue (most EC2 servers) you can verify by checking the pool size:

cd /proc/sys/kernel/random/ && cat poolsize entropy_avail

There are at least 3 solutions to a depleted pool:

1 Hardware

Some hardware includes random generators (like the rdrand CPU flag):

cat /proc/cpuinfo | grep -i rdrand | wc -l

You can enable its use with:

Debian/Ubuntu

apt install rng-tools
systemctl start rng-tools.service
systemctl enable rng-tools.service

Fedora/RedHat

yum install rng-tools
systemctl start rngd.service
systemctl enable rngd.service

2 urandom

If you don't have a hardware generator or you don't trust it you can edit /opt/Noodle/multiserver to use:

-Djava.security.egd=file:///dev/urandom

Or edit java.security in $JRE8/lib/security or $JRE9/conf/security to use:

securerandom.source=file:/dev/urandom

3 haveged

For higher throughput and lower CPU usage than urandom haveged can be used but it can still block:

Debian/Ubuntu

apt install haveged
systemctl start haveged.service
systemctl enable haveged.service

Fedora/RedHat

yum install haveged
systemctl start haveged.service
systemctl enable haveged.service

Export your Certificate.

#convert IIS to Tomcat
keytool -importkeystore -srckeystore file.pfx -srcstoretype pkcs12 -destkeystore file.jks -deststoretype JKS
#look up the alias
keytool -storepass 123456 -list -keystore file.jks
# rename the alias for SNI
keytool -storepass 123456 -changealias -keystore file.jks -alias automd5 -destalias domain.tld

Optional:

#import the root from https://certs.godaddy.com/repository
keytool -storepass 123456 -keystore file.jks -importcert -file gdroot-g2.crt -alias root
#import the chain
keytool -storepass 123456 -keystore file.jks -importcert -file gdig2.crt -alias chain

#Helpers
yum install -y epel-release bc ntp.x86_64 screen tree catdoc id3lib html2text unrtf p7zip-plugins.x86_64  libjpeg-turbo.x86_64 poppler-utils unzip.x86_64 netpbm-progs.x86_64 perl-Image-ExifTool.noarch postgresql-server.x86_64 postgresql-contrib.x86_64;
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm;
yum install -y ffmpeg;
newcfg (){
	F="$1"
	chown --reference="$F" "$F".new
	chmod --reference="$F" "$F".new
	mv -f "$F".new "$F"
}
 
#PostgreSQL
/usr/bin/postgresql-setup initdb
chkconfig  --level 235 postgresql on
TMP=/var/lib/pgsql/data/pg_hba.conf
cp $TMP $TMP.original
cat $TMP | grep -vP "^ *host.*127" > $TMP.new
echo -e "host\tall\tall\t127.0.0.1/32\tpassword" >> $TMP.new
newcfg $TMP
TMP=/var/lib/pgsql/data/postgresql.conf
cp $TMP $TMP.original
MT=$(cat /proc/meminfo | grep MemTotal | perl -pe 's/^[^ ]* *([0-9]+) *kB$/$1\/1000/g');
#java+linux=(512+256)
ECS=$(echo "($MT-(512+256))/2" | bc);
SB=$(echo "($MT-(512+256))/4" | bc);
cat $TMP | perl -pe 's/^#?(effective_cache_size)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = '$ECS'MB$2/g' \
| perl -pe 's/^#?(shared_buffers)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = '$SB'MB$2/g' \
| perl -pe 's/^#?(max_locks_per_transaction)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = 512$2/g' \
| perl -pe 's/^#?(max_connections)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = 60$2/g' \
| perl -pe 's/^#?(checkpoint_segments)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = 30$2/g' \
| perl -pe 's/^#?(log_min_duration_statement)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = 30000$2/g' \
| perl -pe 's/^#?(log_line_prefix)[ \t]*=[ \t]*[^#]+(#.*)?$/$1 = '\''%m: '\''\t\t$2/g' \
> $TMP.new
newcfg $TMP
service postgresql start
 
#java (get an updated url from java.sun.com)
cd /opt
wget 'http://javadl.oracle.com/webapps/download/AutoDL?BundleId=207765' -O jre.tar.gz
tar -zxf jre.tar.gz
rm -f jre.tar.gz
 
#Noodle (first take note of your available ram and java location)
wget somewhere/Noodle.tar.gz
tar -zxf ./Noodle.tar.gz
su postgres -c 'cd ~/;/usr/bin/psql -d postgres -U postgres --file /opt/Noodle/init.sql' 
cd ./Noodle
./configure
cp noodle.daemon /etc/init.d/noodle
chkconfig --add noodle
chkconfig --levels 235 noodle on
service noodle start

(see also latest version howto and version notes)

ssh root@my.server.tld
 
###########################################################
##postgres
yum install postgresql postgresql-server postgresql-server postgresql-contrib
chkconfig --level 235 postgresql on
service postgresql start
vim /var/lib/pgsql/data/pg_hba.conf
#    127.0.0.1/32 password
vim /var/lib/pgsql/data/postgresql.conf
#    maintenance_work_mem=128000
#    autovacuum = on
service postgresql restart
su postgres
pgsql -U postgres
CREATE LANGAUGE plpgsql;
CREATE DATABASE noodledb WITH ENCODING = 'UNICODE';
create user noodleuser with superuser password 'some long password';
GRANT ALL PRIVILEGES ON DATABASE noodledb to noodleuser;
\q
exit
 
###########################################################
##java (get an updated url from java.sun.com)
cd /opt
wget 'http://javadl.oracle.com/webapps/download/AutoDL?BundleId=207765' -O jre.tar.gz
tar -zxf jre.tar.gz
rm -f jre.tar.gz
 
###########################################################
##7z
#    you can use yum-priorities and rpmforge or you can do it from source
yum install p7zip p7zip-plugins
#    you might need to make a link from 7z to 7z[ar] for "which 7z" to work
 
###########################################################
##Noodle
wget somewhere/Noodle.tar.gz
tar -xvvf ./Noodle.tar.gz
cd ./noodle
#      take note of your available ram and java location
./configure

sudo -i
apt update
apt -y upgrade
apt -y dist-upgrade
apt install -y postgresql-contrib tree p7zip-full sysstat catdoc antiword html2text unrtf libid3-tools ffmpeg openjdk-8-jre poppler-utils unzip
cd /opt
tar -xf ./Noodle.tar.gz
cd ./Noodle
su postgres -c 'cd ~/;psql --file /opt/Noodle/init.sql'
./configure
mv noodle.daemon /etc/init.d/noodle
update-rc.d noodle defaults
service noodle start