Setting up a local FortiSOAR offline repository and deploying FortiSOAR using the offline repository

This chapter describes the steps that you need to follow to set up a local FortiSOAR offline YUM repository and then use those repositories to deploy FortiSOAR.

Prerequisites

• Virtual machine with CentOS 7.0.0 or RHEL 7.0.0 with minimal install option.
• Access to update.cybersponse.com.
• Minimum disk size: 500 GB.

• Ensure that the SSL certificates that you are using for the offline repository are authorized by a Certificate Authority (CA). If however, you are using custom certificates such as open-source certificates, then you must ensure that you add these SSL certificates to the truststore of FortiSOAR and offline repository using the following command:
  cp <SSL_certificate>.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust update
  

Initial Configuration of the Offline YUM Repository VM

Installing Packages

1. Login as a root user:
   [user@localhost ~]# sudo su
2. Check whether update.cybersponse.com is reachable.
   
3. Install packages httpd, wget, rsync, and screen:
   [root@localhost ~]# yum install httpd

[root@localhost ~]# yum install wget

[root@localhost ~]# yum install rsync

[root@localhost ~]# yum install screen

Configuring the 'httpd' service

1. Create a directory named 'repos' in the “/” directory using the following command:
   [root@localhost ~]# mkdir /repos
   
2. Make the following edits in the /etc/httpd/conf/httpd.conf file:
   [root@localhost ~]# vi /etc/httpd/conf/httpd.conf
   1. Add the ‘/repos’ directory as DocumentRoot.
   2. Comment the “/var/www/html” line in DocumentRoot.
      
      
   3. Add the ‘/repos’ directory and required permissions in httpd.conf and comment or delete the existing “/var/www/” directory from httpd.conf as follows:
      
3. Move “/etc/httpd/conf.d/welcome.conf” to the home directory:
   [root@localhost ~]# mv /etc/httpd/conf.d/welcome.conf /home/
4. Change the SELinux security context to point to ‘/repos’:
   [root@localhost ~]# chcon -R -t httpd_sys_content_t ‘/repos’
5. Add firewall exception:
   [root@localhost ~]# sudo firewall-cmd --zone=public --permanent --add-service=https
[root@localhost ~]# sudo firewall-cmd --reload
   
6. Restart the 'httpd' service using the following command :
   [root@localhost ~]# systemctl restart httpd
   

Enabling SSL on httpd Service in Offline Repository

To enable SSL on Apache, do the following:

1. Install the 'mod_ssl' module for the Apache HTTP Server
   [root@localhost ~]# yum install mod_ssl
   
2. To enable SSL on the 'httpd' service, add the following lines to the /etc/httpd/conf.d/ssl.conf file:
   #Enabling SSL on httpd Service for offline repo
LoadModule ssl_module modules/mod_ssl.so
   
3. Check the default server certificate and server private key in the /etc/httpd/conf.d/ssl.conf file, and if required replace them.
   # Section Server Certificate
SSLCertificateFile "/<path_to_cert>/<ssl_Certificate>.crt"
# Section Server Private Key
SSLCertificateKeyFile "/<path_to_cert>/<ssl_Certificate>.key"
   
   
4. Restart and enable the 'httpd' service:
   [root@localhost ~]# systemctl restart httpd
[root@localhost ~]# systemctl enable httpd

Setting up the Offline Repository

1. To ensure that your ssh session does not timeout, run the screen command:
   [root@localhost ~]# screen –S repo
2. Download the setup-cyops-offline-yum-repo.sh script:
   wget --no-check-certificate
https://update.cybersponse.com/downloads/scripts/setup-cyops-offline-yum-repo.sh
   
3. Run the setup-cyops-offline-yum-repo.sh script as follows, where the release_version is FortiSOAR version that you want to syncronize:
   [root@localhost ~]# sh /root/setup-cyops-offline-yum-repo.sh <release_version>
   For example, to synchronize FortiSOAR version 7.0.2 use the following command:
   [root@localhost ~]# sh /root/setup-cyops-offline-yum-repo.sh 7.0.2
   Note: The setup-cyops-offline-yum-repo.sh script creates a user whose ID and password are set to yum. This ID is used to assign ownership to the content in the '/repos' directory.
4. Once the setup-cyops-offline-yum-repo.sh script completes its execution successfully, add an entry for update.cybersponse.com in the /etc/hosts file on the 'YUM' server (Offline Repository):
   
5. Add the ‘/repos/connectors/info’ directory to /etc/httpd/conf/httpd.conf.
   
   
6. The setup-cyops-offline-yum-repo.sh script synchronizes the repo. Therefore, if you want to resynchronize the repo, you must rerun the script. If you do not want to rerun the script manually, you can set up a cron job to perform this task. Use the following script to setup a cron job that will run daily at 00:00 hrsand synchronize the repo:
   #!/bin/sh
#write out current crontab
crontab -l > mycron
#echo new cron into cron file
echo "0 0 * * * sh /root/setup-cyops-offline-yum-repo.sh 7.0.2" >> mycron
#install new cron file
crontab mycron
rm mycron

   Note: You can change the time of running the cron job as per your convenience.

Deploying FortiSOAR using the Offline Repository

1. Ensure that the offline repository host is accessible from the FortiSOAR appliance and ensure that your ssh session does not timeout, run the screen command:
   [root@localhost ~]# screen –S repo
2. From version 7.0.2 onwards, if you are using your private repository to install or upgrade FortiSOAR, then use the following command to export the "custom_yum_url" variable before running the fresh install or upgrade script:
   export custom_yum_url=<"custom_yum_url_name">
   For example, export custom_yum_url="offline-repo.fortisoar.in"
   
3. Download the installer for FortiSOAR 7.0.2 using the following command:
   [root@localhost ~]# wget https://<offline repo>/7.0.2/install-fortisoar-7.0.2.bin
   
4. To install FortiSOAR 7.0.2, run the following command as a root user:
   [root@localhost ~]# sh install-fortisoar-7.0.2.bin
5. Login as the 'csadmin' user to the FortiSOAR CLI and continue to configure FortiSOAR or Secure Message Exchange (SME) and add your FortiSOAR license. For more information, see the Deploying FortiSOAR chapter.

Upgrading FortiSOAR using the Offline Repository

1. Ensure that the offline repository host is accessible from the FortiSOAR appliance and ensure that your ssh session does not timeout, run the screen command:
   [root@localhost ~]# screen –S repo
2. From version 7.0.2 onwards, if you are using your private repository to install or upgrade FortiSOAR, then use the following command to export the "custom_yum_url" variable before running the fresh install or upgrade script:
   export custom_yum_url=<"custom_yum_url_name">
   
3. Download the upgrade installer for FortiSOAR 7.0.2 using the following command:
   [root@localhost ~]# wget https://<offline repo>/7.0.2/upgrade-fortisoar-7.0.2.bin
4. To upgrade to FortiSOAR 7.0.2, run the following command as a root user:
   [root@localhost ~]# sh upgrade-fortisoar-7.0.2.bin

Troubleshooting

The 'httpd' service does not come up post configuration and after restart

If you have configured the 'httpd' service, and it does not come up during restart, then check whether the parameters specified are correct (Check Syntax) and do the following:

Resolution:

1. Check the status of the 'httpd' service using the following command:
   [root@localhost ~]# systemctl status httpd -l
   
   
2. Check the line number specified in the error logs that get displayed once you run the status check for the 'httpd' service, and correct it any syntactical errors:

Error 'cannot access '/repos' directory: No such file or directory is displayed while trying to change the SELinux security context

If you face the following error when you are trying to change the SELinux security context to point to the 'repos' directory while Configuring the 'httpd' service.

Resolution:

1. Create the 'repos' directory:
2. Run the following command to change the SELinux security context to point to 'repos':
   [root@localhost ~]# chcon -R -t httpd_sys_content_t ‘/repos’