Install the HDP Security Administration server on a Linux host with at least 2 GB memory available for the Web application and at least 10 GB of disk space for HDP Security Administration logs.
| Note |
|---|
| You can install the HDP Security Administration on a shared web application host. Before installing, ensure that the prerequisites have been met; see Prerequisites. |
Perform the following steps on the HDP Security Administration host.
Log on to the host as root.
Copy the installation file and extract as follows:
Create a temporary directory, such as /tmp/xasecure:
mkdir /tmp/xasecure
Move the installation package to the temporary directory.
Move the MySQL Connector Jar file to the temporary directory. Download the JAR from here.
Extract the contents:
tar xvf $xasecureinstallation.tar
Go to the directory where you extracted the installation files:
cd /tmp/xasecure/xasecure-$name-$build-version
Open the install.properties file for editing.
Define the parameters for the MySQL database setup:
Table 2.1. MySQL Database Install Parameters

| Parameter | Value | Description |
|---|---|---|
| MYSQL_BIN | mysql | Specify the command to invoke MySQL. For example, mysql. This command is used by the script to invoke MySQL and connect to the database server. |
| MYSQL_CONNECTOR_JAR | $path-to-mysql-connector | Specify the absolute path on the local host to the JDBC driver for MySQL including filename.[a] For example, /tmp/xasecure/mysql-connector-java.jar |
| db_root_password | $root-password | The password for the root MySQL account. Used by the installation script to create the HDP SA database and database user. |
| db_host | $mysql-host | Host name of the system running MySQL server. |
| db_user | $xadbuser | Specify a name for the user account that the installer creates and is then used to write to the database. |
| db_name | $dbname | Specify a name for the database that the installer creates during installation. |
| db_password | $dbpassword | Specify a password for the $xadbuser account created by the installer during installation. |
| audit_db_name | $auditdb | Specify a name for the audit database created by the installer during installation. |
| audit_db_user | $auditdbuser | Specify a name for the audit database account created by the installer during installation. |
| audit_db_password | $auditdbupw | Specify the password for the audit database account that the installer sets during installation. |

During installation, the script logs into the database, creates the HDP Security database named in the properties file, adds the user specified, and loads the MySQL tables.
Warning: DO NOT create the HDP Security database beforehand. If the database you specify already exists, the HDP Security Administration tables are not added.
Define the HDP Security Administration Server URL, which is used by Security Agents and by users accessing the interface for Policies and Auditing:
Table 2.2. HDP Security Administration Server URL Parameters

| Parameter | Value | Description |
|---|---|---|
| policymgr_external_url | $url | Specify the full URL to access the HDP Security Administration Web UI. For example, http://pm-host:6080. |
| policymgr_http_enabled | $true-or-false | Specify true to allow access to the HDP Security Administration Interface on HTTP or specify false to only allow HTTPS access to the interface. |

In the JAVA_HOME parameter, specify the path to the directory that contains the Java bin, for example:
#------------------------- JAVA CONFIG - BEGIN ----------------------------------
#
# Java Home path
#
JAVA_HOME='/usr/lib/jvm/jre-1.7.0-openjdk.x86_64'
#------------------------- JAVA CONFIG - END ----------------------------------
Use the following parameters and values in all configurations:
Table 2.3. Required Settings (for future enhancements)

| Parameter | Value | Description |
|---|---|---|
| unix_user | xasecure | Parameter and value required in all configurations. |
| unix_group | xasecure | Parameter and value required in all configurations. |

Use one of the following sets of parameters to define the Authentication for the HDP Security Administration Web UI:
Web UI administrators that are manually defined in the HDP Security Administration Web UI:
Table 2.4. HDP Security Administration Web UI Local Authentication Parameter

| Parameter | Value | Description |
|---|---|---|
| remoteLoginEnabled | false | Specify false to manage users in the HDP Security Administration Web UI. |

Web UI administrators authenticated against an external Unix Server:
Table 2.5. External Unix System Users Authentication Parameters

| Parameter | Value | Description |
|---|---|---|
| authentication_method | UNIX | Specify UNIX to allow users to sign in to the HDP Security Administration Web UI using their credentials from an external Unix Server. |
| remoteLoginEnabled | true | Specify true to enable remote login. |
| authServiceHostName | $usersync-hostname | Specify the remote Unix host name.[a] |
| authServicePort | $port | Listening port of the Unix host where the UX-UserGroup Synchronizer will be installed; the default port is 5151. |

[a] Requires installation of the UX-UserGroup Synchronizer.
Note: Requires installation of the User and Group Synchronizer Agent on the remote Unix Server.
The following is an example allowing HDP Sandbox users to access HDP Security Administration Web UI:
# ------- UNIX User CONFIG ----------------
#
unix_user=xasecure
unix_group=xasecure
#
# ------- UNIX User CONFIG - END ----------------
#
#
# UNIX authentication service for Policy Manager
#
# PolicyManager can authenticate using UNIX username/password
# The UNIX server specified here as authServiceHostName needs to be installed with xasecure-unix-ugsync package.
# Once the service is installed on authServiceHostName, the UNIX username/password from the host <authServiceHostName> can be used to login into policy manager
#
# ** The installation of xasecure-unix-ugsync package can be installed after the policymanager installation is finished.
#
#LDAP|ACTIVE_DIRECTORY|UNIX|NONE
authentication_method=UNIX
remoteLoginEnabled=true
authServiceHostName=sandbox
authServicePort=5151
Web UI administrators authenticated against an external LDAP (either OpenLDAP or Active Directory service):
Table 2.6. External LDAP Service Authentication Parameters

| Parameter | Value | Description |
|---|---|---|
| authentication_method | LDAP | Specify LDAP to allow users to sign in to the HDP Security Administration Web UI using their credentials from an external LDAP service. |
| remoteLoginEnabled | true | Specify true to enable remote login. |
| authServiceHostName | $usersync-hostname | Specify the LDAP service host name or IP address.[a] |
| authServicePort | $port | Listening port of the LDAP service; the default port is 389. |

[a] Requires installation of the UX-UserGroup Synchronizer.
The following is an example of the configuration parameters for OpenLDAP installed on HDP Sandbox:
# ------- UNIX User CONFIG ----------------
#
unix_user=xasecure
unix_group=xasecure
#
# ------- UNIX User CONFIG - END ----------------
#
#
# UNIX authentication service for Policy Manager
#
# PolicyManager can authenticate using UNIX username/password
# The UNIX server specified here as authServiceHostName needs to be installed with xasecure-unix-ugsync package.
# Once the service is installed on authServiceHostName, the UNIX username/password from the host <authServiceHostName> can be used to login into policy manager
#
# ** The installation of xasecure-unix-ugsync package can be installed after the policymanager installation is finished.
#
#LDAP|ACTIVE_DIRECTORY|UNIX|NONE
authentication_method=LDAP
remoteLoginEnabled=true
authServiceHostName=sandbox
authServicePort=389
Save the install.properties file.
The following example shows the HDP Security Administration server install.properties for a system that does not allow remote login of Web UI administrators:
#
# This file provides list of deployment variables for the Policy Manager Web Application
#
#------------------------- MYSQL CONFIG - BEGIN ----------------------------------
#
# The executable path to be used to invoke command-line MYSQL
#
MYSQL_BIN='mysql'
#
# Location of mysql client library (please check the location of the jar file)
#
MYSQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
#
# MYSQL password for the MYSQL root user-id
# **************************************************************************
# ** If the password is left empty or not-defined here,
# ** it will be prompted to enter the password during installation process
# **************************************************************************
#
db_root_password=hadoop
db_host=localhost
#
# MySQL UserId used for the XASecure schema
#
db_name=xasecure
db_user=xaadmin
db_password=hadoop
#
# MySQL UserId for storing auditlog information
#
# * audit_db can be same as the XASecure schema db
# * audit_db must exist in the same ${db_host} as xaserver database ${db_name}
# * audit_user must be a different user than db_user (as audit user has access to only audit tables)
#
audit_db_name=xasecure
audit_db_user=xalogger
audit_db_password=hadoop
#------------------------- MYSQL CONFIG - END ----------------------------------
#
# ------- PolicyManager CONFIG ----------------
#
policymgr_external_url=http://localhost:6080
policymgr_http_enabled=true
#
# ------- PolicyManager CONFIG - END ---------------
#
#
# UNIX authentication service for Policy Manager
#
# PolicyManager can authenticate using UNIX username/password
# The UNIX server specified here as authServiceHostName needs to be installed with xasecure-unix-ugsync package.
# Once the service is installed on authServiceHostName, the UNIX username/password from the host <authServiceHostName> can be used to login into Policy Manager
#
# ** The installation of xasecure-unix-ugsync package can be installed after the policymanager installation is finished.
#
remoteLoginEnabled=false
authServiceHostName=
authServicePort=
#
# -----------------------------------------------------------
#
# ###### DO NOT MODIFY ANY VARIABLES BELOW #########################
#
# --- These deployment variables are not to be modified unless you understand the full impact of the changes
#
###################################################
app_home=$PWD/app
war_file=${PWD}/war/xa_portal.war
TMPFILE=$PWD/.fi_tmp
LOGFILE=$PWD/logfile
LOGFILES="$LOGFILE"
JAVA_BIN='java'
JAVA_VERSION_REQUIRED='1.7'
JAVA_ORACLE='Java(TM) SE Runtime Environment'
db_create_user_file=${PWD}/db/create_dev_user.sql
db_core_file=${PWD}/db/xa_core_db.sql
db_assert_file=${PWD}/db/reset_asset.sql
After configuring the install.properties file, install the HDP Security Administration server as root:
Log on to the Linux system as root and go to the directory where you extracted the HDP Security Administration installation files:
cd /tmp/xasecure/xasecure-policymgr-$build-version
Run the installation script:
# ./install.sh
Once the install.sh execution is complete, the HDP Security Administration Web UI is accessible.
Using a web browser, go to the HDP Security Administration application at http://$policymgr_host:6080.
If this is the first installation, sign in with the default account, admin\admin.
| Caution |
|---|
| Change the |
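
A pre-install check for the install.properties settings described above, as an added example (not part of the HDP documentation or installer). It flags the constraints this page states (a separate audit user, the required unix_user and unix_group values, complete remote-login settings) and, as extra hardening checks, HTTP access and password reuse across database accounts. The function names and the sample input are constructed for illustration.

```python
import re

# Sample install.properties content, constructed for this example from the
# values shown on this page (one password reused, HTTP access enabled).
SAMPLE = """\
db_root_password=hadoop
db_user=xaadmin
db_password=hadoop
audit_db_user=xalogger
audit_db_password=hadoop
policymgr_http_enabled=true
unix_user=xasecure
unix_group=xasecure
remoteLoginEnabled=false
authServiceHostName=
authServicePort=
"""

def parse_properties(text):
    """Parse shell-style KEY=value lines, skipping comments; strips quotes."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip().strip("'\"")
    return props

def lint(props):
    """Return a list of findings for the settings this page describes."""
    out = []
    get = lambda k: props.get(k, "")
    if get("db_user") and get("db_user") == get("audit_db_user"):
        out.append("audit_db_user must differ from db_user")
    pw = [get(k) for k in ("db_root_password", "db_password", "audit_db_password") if get(k)]
    if len(set(pw)) < len(pw):
        out.append("database passwords are reused across accounts")
    if get("policymgr_http_enabled").lower() == "true":
        out.append("HTTP access enabled; policymgr_http_enabled=false allows HTTPS only")
    if get("unix_user") != "xasecure" or get("unix_group") != "xasecure":
        out.append("unix_user and unix_group must both be xasecure")
    if get("remoteLoginEnabled").lower() == "true":
        if get("authentication_method") not in ("LDAP", "ACTIVE_DIRECTORY", "UNIX"):
            out.append("remote login needs authentication_method LDAP, ACTIVE_DIRECTORY or UNIX")
        if not get("authServiceHostName") or not get("authServicePort").isdigit():
            out.append("remote login needs authServiceHostName and a numeric authServicePort")
    return out

if __name__ == "__main__":
    print("\n".join(lint(parse_properties(SAMPLE))))
```

To check a real file, pass its contents to parse_properties before running install.sh; the file holds database passwords in plain text, so keep it readable by root only.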

