How to install Landscape Server on FIPS-hardened machines

Landscape Documentation
1

At this time, any FIPS installations should use external authentication. For more information, see how to configure OIDC authentication and PAM authentication.

Contents:

  1. Install Landscape on a FIPS-hardened machine
  2. Install an SSL certificate with FIPS enabled
  3. Create a global administrator account
  4. Configure Postfix with FIPS enabled

Install Landscape on a FIPS-hardened machine

These steps are specific to Landscape 23.03.

Prerequisites

Landscape server requires:

  • add-apt-packages command line utility to add the PPA which contains the Landscape Server software
  • software-properties-common package to access add-apt-packages

They can be installed with:

sudo apt-get update && sudo apt-get install software-properties-common -y

Environment variables

The following environment variables will need to be set:

  • HOST_NAME: The host name you’re using for the Landscape installation
  • DOMAIN_NAME: The domain name you’re using for the Landscape installation
  • FQDN: A Fully Qualified Domain Name, composed of the two previous names

For example:

HOST_NAME=my-landscape-server
DOMAIN=example.com
FQDN=$HOST_NAME.$DOMAIN

Set the machine’s host name

To set the machine’s host name, run:

sudo hostnamectl set-hostname "$FQDN"

When Landscape Server is installed, it will read the machine’s host name and use it in the Apache configuration.

Install landscape-server-quickstart with FIPS enabled

To install landscape-server-quickstart with FIPS enabled:

  1. Add the repository for Landscape Server:

    sudo add-apt-repository {LANDSCAPE_PPA} -y
    • {LANDSCAPE_PPA}: The PPA for the specific Landscape installation you’re using. The PPA for Landscape Beta is: ppa:landscape/self-hosted-beta. The PPA for Landscape 23.03 is: ppa:landscape/self-hosted-23.03.

  2. Update packages and dependencies in your local system:

    sudo apt-get update

  3. Install landscape-server-quickstart with FIPS enabled:

    sudo DEBIAN_FRONTEND=noninteractive apt-get install landscape-server-quickstart -y
    • This installation takes approximately five minutes.

Install an SSL certificate with FIPS enabled

Install Certbot

To conform with FIPS, run the following code to install Certbot using the apt package manager:

sudo apt-get install certbot python3-certbot-apache -y

Certbot is a command line utility which makes acquiring and renewing SSL certificates from LetsEncrypt an easy, free and automated process. Certbot can be installed from either the apt or snap package manager. However, snap packages can include dependencies that don’t conform to FIPS because snap packages can specify their own versions of dependencies. To ensure FIPS compliance, use apt to install Certbot.

Get an SSL certificate from LetsEncrypt

If your Landscape instance has a public IP, and your FQDN resolves to that public IP, run the following code to get a valid SSL certificate from LetsEncrypt. Replace {EMAIL@ADDRESS.COM} with an email address where certificate renewal reminders can be sent.

sudo certbot --non-interactive --apache --no-redirect --agree-tos --email {EMAIL@ADDRESS.COM} --domains $FQDN

Create a global administrator account

At this point, visiting https://HOST_NAME.DOMAIN prompts you to create Landscape’s first Global Administrator account. To add administrators:

  1. Click Settings
  2. Set a valid outgoing email address in the System email address field
  3. Click Save

By default, the email address will be pre-filled with noreply@HOST_NAME.DOMAIN. You may want to change this to noreply@DOMAIN, or another valid email address.

Configure Postfix with FIPS enabled

These steps use SendGrid as an example email service provider that can be configured to work with Postfix. They may still generally apply to other email service providers, such as Mailjet, Amazon SES or Google.

Detailed information is available for Postfix in the Ubuntu Server documentation.

Set environment variables

To set the necessary environment variables, run the following code. Replace {API_KEY} with an API key from https://app.sendgrid.com/settings/api_keys.

SMTP_HOST='smtp.sendgrid.net'
SMTP_PORT='587'
SMTP_USERNAME='apikey' 
SMTP_PASSWORD='{API_KEY}'

Install Postfix

To install Postfix, run:

sudo DEBIAN_FRONTEND=noninteractive apt-get install -y postfix

Use Postconf to configure the /etc/postfix/main.cf file

  1. Configure the /etc/postfix/main.cf file with Postconf:

    sudo postconf -e myhostname="$FQDN"
sudo postconf -e mydomain="$DOMAIN"
sudo postconf -e myorigin="$DOMAIN"
sudo postconf -e masquerade_domains="$DOMAIN"
sudo postconf -e mydestination=localhost
sudo postconf -e default_transport=smtp
sudo postconf -e relay_transport=smtp
sudo postconf -e relayhost="[${SMTP_HOST}]:${SMTP_PORT}"
sudo postconf -e smtp_sasl_auth_enable=yes
sudo postconf -e smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd
sudo postconf -e smtp_sasl_security_options=noanonymous
sudo postconf -e header_size_limit=4096000`

    This code block includes the following values that must be changed:

    {SMTP_HOST}: The hostname or IP address of the SMTP server to which Postfix will relay outgoing emails
    {SMTP_PORT}: The port number on which the SMTP server is listening for incoming connections

  2. SendGrid requires TLS encryption when connecting on Port 587, so you must make the following additional configurations:

    sudo postconf -e smtp_use_tls=yes
sudo postconf -e smtp_tls_security_level=encrypt
sudo postconf -e smtp_sasl_tls_security_options=noanonymous

  3. Explicitly set the SMTP TLS fingerprint digest:

    sudo postconf -e smtp_tls_fingerprint_digest=sha256

    By default, Postfix uses MD5 hashes with the TLS for backward compatibility. In FIPS mode, the MD5 hashing function is not available. SHA-256 is a secure cryptographic hash function that can be used with FIPS.

Finish configuration

  1. Write /etc/postfix/sasl_passwd with the authentication credentials:

    sudo sh -c "echo \"[$SMTP_HOST]:$SMTP_PORT $SMTP_USERNAME:$SMTP_PASSWORD\" > /etc/postfix/sasl_passwd"

  2. Generate a hashed version of that file:

    sudo postmap /etc/postfix/sasl_passwd

  3. Remove /etc/postfix/sasl_passwd for security:

    sudo rm /etc/postfix/sasl_passwd

  4. Restart Postfix for these settings to take effect:

    sudo /etc/init.d/postfix restart

Once machines have been registered with Landscape, it is possible to use the remote script execution capability of Landscape to interact with all the machines you are managing. For example, you could run Pro Client commands to enable FIPS, FIPS updates, Livepatch and a number of other Ubuntu Pro entitlements.