+ New Ticket

Articles in this section

Installing Aginity Premium on Linux

Avatar
Zhanna Bagata
  • Updated

Installing Aginity Premium consists of accessing and setting up an environment based on an Ubuntu O/S or Red Hat Enterprise Linux (RHEL). You can either do this on an existing Ubuntu Server or set up a Virtual Machine that will host the shared catalog database and Team application server.

If you have not yet done so download the software from here.

Once you register and download the software you can begin the installation process. Upon registration you the software will automatically download. The software should be titled aginity-team-<version#>-amd64.deb.

Pre-Requisites and Getting to a Server

Aginity Premium is installed on an Ubuntu or RHEL Server or Virtual Machine environment. The machine Ubuntu or RHEL is installed on must meet the following requirements

  1. Minimum 200 GB of disk workspace
  2. 4 CPU x 16GB RAM
  3. Running Ubuntu 18.04.2 LTS (Bionic Beaver) or RHEL version 8
  4. Must have network access to databases being connected to
  5. HTTPS certificate (company provided or self-signed)

Desktop requirements

  1. Chrome browser
  2. HTTPS access to the Team Server
Note

If you are trying to install an evaluation of the Aginity Team or just getting started 
there are several options for accessing a server environment in which to install the
Aginity Team server.
  1. You can ask your IT representative who is responsible for server infrastructure if there is a Ubuntu Linux server or VM available to use.
  2. You can install it locally for trial purposes using personal virtualization software such as Parallels or an open source equivalent like Oracle VirtualBox.

If you would prefer, we are happy to schedule a free install for you. Please click on the link below to schedule that install.

Click here to schedule an install with an Aginity Consultant

The Installation Process

The following steps should be executed in order

Step 1: SSH into the Linux server as root or you can also sudo to root once in with another that has administrative rights.

Note
In our case for documentation we are working with a Parallels Ubuntu 18.04 VM
and have an account called Parallels.
ssh <username>@<ip_address>

Step 2: SFTP the aginity-team-<version#>-amd64.deb file to the logged in users home directory. Below is a sample command to do that.

sftp <username>@<ip_address>
put aginity-team-<version#>-amd64.deb
exit

Step 3: Running the install

Issue the following command to initiate the install.

// on Ubuntu
sudo apt-get install aginity-team-<version#>-amd64.deb
// on RHEL
sudo yum install aginity-team-<version#>-amd64.rpm

This image below is what you should see after the install is complete.

Post Install 
Note
We will generate an encryption key to ensure all information for connections and 
your catalog are encrypted. 
The installation will automatically generate and store that key
on the /etc/aginity-team/service.conf file.

Step 4: Installing SSL certificate

You have a few options to add an SSL certificate to the application which are:

  1. Configuring Aginity Premium to use a keystore containing a certificate
  2. Importing an SSL certificate to default Aginity Premium's keystore
  3. Generating a self-signed certificate by executing a script provided as part of installation package

Configuring Aginity Premium to use external keystore

Note
Aginity Team supports keystore only in format PKCS12.

To add a keystore containing a certificate to be used by the application, you should set values of SERVICE_KEYSTORE_PATH, KEYSTORE_PASSWORD and CERTIFICATE_ALIAS in /etc/aginity-team/service.conf. Read section General Configuration Parameters to find more information about the 3 parameters.

Importing SSL certificate to default Aginity Premium keystore

If you already have an SSL certificate and an RSA private key used by the certificate then you may want to import the certificate to default Aginity Team’s keystore which is /etc/aginity-team/cacerts. Imported certificate has alias aginity_cert in the Aginity keystore. Aginity Team supports importing certificates in PEM, DER and PKCS12 formats.

Warning

We strongly recommend that you change the password of the Aginity Premium’s keystore right after installation of the application. Default Aginity Premium’s keystore password is changeit.

The procedure of changing keystore password is as follows:

  1. Change the store password:
# this will change Aginity keystore password
sudo /opt/aginity-team/jre/bin/keytool -storepasswd -keystore /etc/aginity-team/cacerts
Enter keystore password:  changeit
New keystore password:  *new password*
Re-enter new keystore password:  *new password*
  1. Set the value of KEYSTORE_PASSWORD in /etc/aginity-team/service.conf to new password.

To import SSL certificate run the following command:

# this will import certificate 
sudo /opt/aginity-team/bin/import-ssl-certificate.sh

Generating self-signed certificate

The SSL certificate generation can be called using

# this will generate certificate
sudo /opt/aginity-team/bin/ssl-certificate-gen.sh

You will be asked for the following information

  1. First and last name
  2. Name of organization unit
  3. Name of organization
  4. Name of City or Locality
  5. Name of State or Province
  6. Name of Country code
  7. Finally when asked to “Enter key password for <aginity_cert> (RETURN if same as keystore password): ” press RETURN
 

Configuring Aginity Premium Server

You can adapt Aginity Premium Server to your needs by changing settings in /etc/aginity-team/service.conf and /etc/aginity-team/application.yml configuration files.

The service.conf file contains settings of a linux service running Aginity Premium. It is in a plain text file format. Here are the parameters in the /etc/aginity-team/service.conf file:

General Configuration Parameters

SERVICE_KEYSTORE_PATH

The path to a keystore file in format PKCS12. Aginity Premium generates this file when you run /opt/aginity-team/bin/ssl-certificate-gen.sh. You can use your own keystore file by setting a path to the file by replacing default one.

Default: /etc/aginity-team/cacerts

KEYSTORE_PASSWORD

A password to the keystore file.

Default: changeit

CERTIFICATE_ALIAS

A keystore alias.

Default: aginity_cert

JVM_MEMORY_LIMIT

The value of JVM maximum heap size. The number has to be an integer. You should specify its value using one of the letters “m” or “M” for MB, or “g” or “G” for GB. Examples: 1024m, 1024MB, 12g, 12GB.

Default: 1024m

AGINITY_ENCRYPTION_KEY

The value of the encryption key which is used to encrypt H2 database used by the application. This value is generated by Aginity Team.

Note
We recommend that you copy the encryption key to a safe 
place as you may need it to recover Aginity Team Server using a database backup.

AGINITY_CONFIG_PATH

The path to the application configuration yml-file. Do not change its value.

Default: /etc/aginity-team/application.yml

DB_PATH

The path to a directory to deploy Aginity Team’s H2 database in.

Default: /var/lib/aginity-team/

Default: /var/lib/aginity-team

Configuring the YML Application File

Aginity Premium server can be customized through a number of settings of the /etc/aginity-team/application.yml file. It uses YAML format. Depending on your needs Aginity Team can be configured to use either embedded H2 database or PostgreSQL database server. You may want to change TCP port the server is accepting HTTP request on or integrate Aginity Team with external identity providers.

Note
YAML does not support tab characters for indentation. 
You should use spaces for that.

For the reason of backward compatibility, some settings in application.yml use parameter expansions. The basic form of parameter expansion is ${parameter:-}. The parameter is a key from /etc/aginity-team/service.conf. You can replace any ${parameter:-} with your custom value. There are default values for some parameters in the configuration file:

${parameter:-defaultValue}

If parameter is unset in /etc/aginity-team/service.conf, the expansion of defaultValue is substituted. Otherwise, the value of the parameter is substituted.

Webserver Options

Server Options

server:
port: ${SERVICE_PORT:-8080}
publicUrl: ${PUBLIC_URL:-'http://localhost:8080'}

server.port

TCP port Aginity Team uses to accept HTTP requests. You may want to setup Aginity Team to listen on 443 to simplify URL users should use to access Aginity Team. In this case, the server section looks like as follows:

Default: 8080

server:
  port: 443
  publicUrl: https://my.example.com

server.publicUrl

publicUrl is a URL of a server running the Aginity Team. It is a public URL available outside your corporate network.

publicUrl has the following format {scheme}://{host}:{port} where {scheme} can be either http or https, {host} is hostname of the server running Aginity Team, {port} is TCP port Aginity Team is using.

Default: http://localhost:8080

Catalog Database Options

Database Options

database:
# BEGIN H2 database configuration
  h2:
    dbFilePath: ${DB_PATH:-}
# END H2 database configuration
#
# BEGIN PostgreSQL configuration
#
# This section is commented out by default since only one type of database could be enabled
# to enable PostgreSQL, comment out the H2 database configuration section and uncomment the section below
#  postgres:
#    user: {user}
#    password: {password}
#    jdbcUrl: jdbc:postgresql://{host}:{port}/{database_name}
#    properties: # any properties specific to your JDBC driver:
#      ssl: true # connect using SSL. SSL support must be enabled on the database server side.
#      sslmode: require
#
# END PostgreSQL configuration

By default, Aginity Team installs an embedded H2 database to store application data. Another option is to use a PostgreSQL database. In this case, you have to deploy PostgreSQL server and create a database by yourself. Here is an example of the database section with enabled PostgreSQL database:

database:
# BEGIN H2 database configuration
#  h2:
#    dbFilePath: ${DB_PATH:-}
# END H2 database configuration
#
# BEGIN PostgreSQL configuration
#
  postgres:
    user: db_user
    password: db_passowd
    jdbcUrl: jdbc:postgresql://my.example.com:5432/aginity_team_database
    properties:
      ssl: true
      sslmode: require
#
# END PostgreSQL configuration

Note
Only one type of database could be enabled. To enable PostgreSQL, comment out the H2 database configuration section and uncomment the PostgreSQL configuration section.

database.h2.dbFilePath

The path to a directory to deploy Aginity Team’s H2 database in.

database.postgres.user

The database user.

database.postgres.password

The database user’s password.

database.postgres.jdbcUrl

The connection URL.

jdbcUrl has the following format jdbc:postgresql://{host}:{port}/{database_name} where {host} is the IP address or the hostname of the database server, {port} is TCP port the database server is listening, {database_name} is the name of Aginity Team database created by you.

database.postgres.properies

This section may contain any number of additional connection parameters which PostgreSQL JDBC driver supports. You can read about the jdbc driver parameters at jdbc.postgresql.org

Logging Options

logging Options

logging:
    pathToLogFile: ${PATH_TO_LOG_FILE:-/var/log/aginity-team}
    maxFilesCount: ${MAX_FILES_COUNT:-100MB}
    maxFileSize: ${MAX_FILE_SIZE:-1}

logging.pathToLogFile

The path to a directory to store application log files in.

Default: /var/log/aginity-team

logging.maxFilesCount

The maximum number of the log files the Aginity Team creates.

Default: 1

logging.maxFileSize

The maximum size of a log file. The number has to be an integer. You should specify its value using one of the letters ‘KB’, ‘MB’ or ‘GB’ after the number. Examples: 200KB, 35MB, 1GB.

Default: 100MB

Platform Options

This section is used to set up OAuth for the Snowflake databases. Please refer to the specific Snowflake section in the documentation Enabling Snowflake SSO.

Security Configuration Options

userDirectory Options

This section allows you to integrate Aginity Team with your LDAP system to import users, sync user information and delegate user authentication to LDAP server.

userDirectory: 
name: "LDAP Server"
    enabled: true
    serverSettings:
        host: ldapserver.example.com
        port: 389
        bindDN: cn=admin,dc=example,dc=com
        bindPassword: admin_password
        encryption: PLAIN
        verifyCertificates: false
        tlsOptions:
            trustStorePath: /path/to/trustStore/file
            trustStorePassword: my_password
            trustStoreType: PKCS12
    connectionRule:
        connectTimeout: 0
        responseTimeout: 0
    userSchema:
        baseDN: ou=users,dc=example,dc=com
        userFilter:
        usernameAttribute: uid
        firstNameAttribute: givenName
        lastNameAttribute: sn
        emailAttribute: mail
        searchScope: SUB_TREE
sync:
        interval: 60
    groupSchema:
        baseDN: ou=groups,dc=company,dc=com
        groupFilter: (objectClass=groupOfUniqueNames)
        nameAttribute: cn
        descriptionAttribute: description
        searchScope: SUB_TREE
    membershipSchema:
        type: GROUP_LISTS_USERS
        groupMembersAttribute: uniqueMember # in case of GROUP_LISTS_USERS     
        memberOfGroupsAttribute: memberOf # in case of USER_LISTS_GROUPS

userDirectory.name

A descriptive name of the LDAP connection.

userDirectory.enabled

Flag to indicate whether LDAP authentication is on or off.

userDirectory.serverSettings.host

The IP address or hostname of the LDAP server.

userDirectory.serverSettings.port

TCP port of the LDAP server.

userDirectory.serverSettings.bindDN

The distinguished name of the user that the application will use when connecting to the directory server. Example: cn=admin,dc=example,dc=com

userDirectory.serverSettings.bindPassword

The user password.

userDirectory.serverSettings.encryption

Type of connection encyption. Can be set to PLAIN, START_TLS or SIMPLE_TLS. START_TLS is preferred option. START_TLS begins as a plaintext connection over the standard LDAP port (389), and that connection is then upgraded to SSL/TLS.

userDirectory.serverSettings.verifyCertificates

If set to true, Aginity Team verifies the certificate used for SSLTLS connection to the LDAP server. A java truststore configured in userDirectory.serverSettings.tlsOptions is used to verify the certificate. If you use a self-signed certificate, you must import the certificate to the truststore before starting Aginity Team.

userDirectory.serverSettings.tlsOptions

Use this section to configure your java truststore that is used to verify the LDAP server certificate.

userDirectory.serverSettings.tlsOptions.trustStorePath

The path to the Java trust store where certificates are stored.

userDirectory.serverSettings.tlsOptions.trustStorePassword

The password to the java trust store.

userDirectory.serverSettings.tlsOptions.trustStoreType

The type of the trust store. The most common are JKS and PKCS12.

userDirectory.connectionRule.connectTimeout

Timeout in milliseconds for connection to LDAP server. 0 means no timeout.

userDirectory.connectionRule.responseTimeout

Timeout in milliseconds for response time from LDAP server. 0 means no timeout.

userDirectory.userSchema.baseDN

The root distinguished name (DN) to use when running queries against the directory server.

userDirectory.userSchema.userFilter

An LDAP search filter to be used when searching user objects from the LDAP server within the base DN. Example: “(&(objectCategory=Person)(sAMAccountName=*))”

userDirectory.userSchema.usernameAttribute

Defines which attributes on an LDAP user entry will be used as its username.

userDirectory.userSchema.firstNameAttribute

Defines which attributes on an LDAP user entry will be used as its first name.

userDirectory.userSchema.lastNameAttribute

Defines which attributes on an LDAP user entry will be used as its last name.

userDirectory.userSchema.emailAttribute

Defines which attributes on an LDAP user entry will be used as its email address.

userDirectory.userSchema.searchScope

Specify strategy to use when doing a search. Possible options: SUB_TREE (search request should be performed against the search base and all entries below), ONE (search request should be performed against entries that are immediate subordinates of the entry specified as the search base DN), BASE (search request should only be performed against the entry specified as the search base DN).

Sync settings

interval
The setting which the application will use as sync interval to send a request to User Directory server, in minutes.
Allowed values are from 10 minutes to 43200 (30 days).
The default value is 60 minutes.
 

Group Schema settings

baseDN
The root distinguished name (DN) to use when running queries against the directory server when searching for groups.
 
groupFilter
The filter to use when searching group objects. Example: "(&(objectCategory=Group))"
 
nameAttribute
The attribute field to use when loading the group's name.
 
descriptionAttribute
The attribute field to use when loading the group's description.
 
searchScope
Specify strategy to use when doing a search. Possible options: 
SUB_TREE (search request should be performed against the search base and all entries below),
ONE (search request should be performed against entries that are immediate subordinates of the entry specified as the search base DN),
BASE (search request should only be performed against the entry specified as the search base DN).
More info at https://ldapwiki.com/wiki/LDAP%20Search%20Scopes
 

Membership Schema settings

type

Membership strategy type to be used when matching users and groups from User Directory.
Possible values are: 
GROUP_LISTS_USERS: Specifies whether the group entry in User Directory lists the users that belong to it
USER_LISTS_GROUPS: Specifies whether the user entry in User Directory lists the groups that they belong to.

groupMembersAttribute

Required if type is GROUP_LISTS_USERS.
Groups's entry attribute name which specifies the users that belong to it.
Example: uniqueMember

memberOfGroupsAttribute

Required if type is USER_LISTS_GROUPS.
User's entry attribute name which specifies the groups that a user or a group belongs to. Example: memberOf

Starting Aginity Team Server

Prior to starting the Aginity Premium server you must create the administrator username and password.

You can do this by running the team-create-superuser script in the /opt/aginity/bin/ directory on the server.

 

# this will create a user with the administrator role
sudo /opt/aginity-team/bin/team-create-super-user.sh

Step 5: You are now ready to start Aginity Premium

We use the following commands to start Aginity Premium in the background and with logging turned on.

sudo systemctl start aginity-team

You can check if Aginity Premium is running by issuing this command

sudo systemctl status aginity-team

Accessing Aginity Premium for the First Time

Step 6: Step 6: Open browser and navigate to https://<ip or team server name>:<server port>/login. You will see the following image

Opening Amp

  • Enter credentials you used to create the administrator to enter the application.

Step 7: Register and Apply License Key

When you open the application it will ask you to register the software and then you will be asked to apply the license key.

Opening Amp

If it does not ask for the license key you can click on Help -> Register again and the license key box should pop open as shown below.

Opening Amp 
Note
It is imperative that all users be created with valid business email addresses.

Send the link to the team to any new user along with their username/password combination.

Stopping Aginity Premium Services

Log in as the team user and issue the following command

sudo systemctl stop aginity-team
# check to see if it is stopped Using
sudo systemctl status aginity-team

 

 

** Aginity, Inc.’s Provision of Scripts and Similar Materials at Help Desk Center. For the convenience of Aginity Amp™ clients, we provide code snippets, scripts and similar materials at this Help Desk Center. Such materials are reference materials provided for illustration purposes only. These are intended to serve as an example for self-service clients and are generally geared to respond to common questions asked by similar clients. Such materials constitute Aginity’s intellectual property. Aginity Amp clients and their authorized users are permitted to use these materials in connection with their software license and/or subscription of Aginity Amp. Nothing herein shall limit Aginity’s right to use, develop, enhance, modify or market any of these materials as part of its business. These materials are not formally supported by Aginity or its affiliates. Usage of these materials does not guarantee any specific results, uptime, performance or error-free operation. Aginity disclaims all warranties of any kind, whether express, implied, statutory or otherwise, including any implied warranty of merchantability or fitness for a particular purpose.

Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles