How to install Landscape Server on FIPS-compliant machines
At this time, any FIPS installations should use external authentication. For more information, see how to configure OIDC authentication and PAM authentication.
Contents:
- Install Landscape on a FIPS-compliant machine
- Install an SSL certificate with FIPS enabled
- Create a global administrator account
- Configure Postfix with FIPS enabled
Install Landscape on a FIPS-compliant machine
These steps are specific to Landscape 24.04.
Prerequisites
Landscape server requires:
- The add-apt-packages command line utility, to add the PPA which contains the Landscape Server software
- The software-properties-common package, to access add-apt-packages
They can be installed with:
sudo apt-get update && sudo apt-get install software-properties-common -y
Environment variables
The following environment variables will need to be set:
- HOST_NAME: The host name you’re using for the Landscape installation
- DOMAIN: The domain name you’re using for the Landscape installation
- FQDN: A Fully Qualified Domain Name, composed of the two previous names
For example:
HOST_NAME=my-landscape-server
DOMAIN=example.com
FQDN=$HOST_NAME.$DOMAIN
Set the machine’s host name
To set the machine’s host name, run:
sudo hostnamectl set-hostname "$FQDN"
When Landscape Server is installed, it will read the machine’s host name and use it in the Apache configuration.
Install landscape-server-quickstart with FIPS enabled
To install landscape-server-quickstart with FIPS enabled:
- Add the repository for Landscape Server:
  sudo add-apt-repository {LANDSCAPE_PPA} -y
  {LANDSCAPE_PPA}: The PPA for the specific Landscape installation you’re using. The PPA for the most recent Landscape LTS is: ppa:landscape/self-hosted-24.04. The PPA for Landscape’s stable rolling release is: ppa:landscape/latest-stable. We recommend using an LTS for production deployments.
- Update packages and dependencies in your local system:
  sudo apt-get update
- Install landscape-server-quickstart with FIPS enabled:
  sudo DEBIAN_FRONTEND=noninteractive apt-get install landscape-server-quickstart -y
  This installation takes approximately five minutes.
Install an SSL certificate with FIPS enabled
Install Certbot
To conform with FIPS, run the following code to install Certbot using the apt package manager:
sudo apt-get install certbot python3-certbot-apache -y
Certbot is a command line utility which makes acquiring and renewing SSL certificates from LetsEncrypt an easy, free and automated process. Certbot can be installed from either the apt or snap package manager. However, snap packages can include dependencies that don’t conform to FIPS because snap packages can specify their own versions of dependencies. To ensure FIPS compliance, use apt to install Certbot.
Get an SSL certificate from LetsEncrypt
If your Landscape instance has a public IP, and your FQDN resolves to that public IP, run the following code to get a valid SSL certificate from LetsEncrypt. Replace {EMAIL_ADDRESS} with an email address where certificate renewal reminders can be sent.
sudo certbot --non-interactive --apache --no-redirect --agree-tos --email {EMAIL_ADDRESS} --domains "$FQDN"
Create a global administrator account
At this point, visiting https://HOST_NAME.DOMAIN prompts you to create Landscape’s first Global Administrator account. To add administrators:
- Click Settings
- Set a valid outgoing email address in the System email address field
- Click Save
By default, the email address will be pre-filled with noreply@HOST_NAME.DOMAIN. You may want to change this to noreply@DOMAIN, or another valid email address.
Configure Postfix with FIPS enabled
These steps use SendGrid as an example email service provider that can be configured to work with Postfix. They may still generally apply to other email service providers, such as Mailjet, Amazon SES or Google.
Detailed information is available for Postfix in the Ubuntu Server documentation.
Set environment variables
To set the necessary environment variables, run the following code. Replace {API_KEY} with an API key from https://app.sendgrid.com/settings/api_keys.
SMTP_HOST='smtp.sendgrid.net'
SMTP_PORT='587'
SMTP_USERNAME='apikey'
SMTP_PASSWORD='{API_KEY}'
Install Postfix
To install Postfix, run:
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y postfix
Use Postconf to configure the /etc/postfix/main.cf file
- Configure the /etc/postfix/main.cf file with Postconf:
  sudo postconf -e myhostname="$FQDN"
  sudo postconf -e mydomain="$DOMAIN"
  sudo postconf -e myorigin="$DOMAIN"
  sudo postconf -e masquerade_domains="$DOMAIN"
  sudo postconf -e mydestination=localhost
  sudo postconf -e default_transport=smtp
  sudo postconf -e relay_transport=smtp
  sudo postconf -e relayhost="[${SMTP_HOST}]:${SMTP_PORT}"
  sudo postconf -e smtp_sasl_auth_enable=yes
  sudo postconf -e smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd
  sudo postconf -e smtp_sasl_security_options=noanonymous
  sudo postconf -e header_size_limit=4096000
  This code block includes the following values that must be changed:
  {SMTP_HOST}: The hostname or IP address of the SMTP server to which Postfix will relay outgoing emails
  {SMTP_PORT}: The port number on which the SMTP server is listening for incoming connections
- SendGrid requires TLS encryption when connecting on Port 587, so you must make the following additional configurations:
  sudo postconf -e smtp_use_tls=yes
  sudo postconf -e smtp_tls_security_level=encrypt
  sudo postconf -e smtp_sasl_tls_security_options=noanonymous
- Explicitly set the SMTP TLS fingerprint digest:
  sudo postconf -e smtp_tls_fingerprint_digest=sha256
  By default, Postfix uses MD5 hashes with TLS for backward compatibility. In FIPS mode, the MD5 hashing function is not available. SHA-256 is a secure cryptographic hash function that can be used with FIPS.
Finish configuration
- Write /etc/postfix/sasl_passwd with the authentication credentials:
  sudo sh -c "echo \"[$SMTP_HOST]:$SMTP_PORT $SMTP_USERNAME:$SMTP_PASSWORD\" > /etc/postfix/sasl_passwd"
- Generate a hashed version of that file:
  sudo postmap /etc/postfix/sasl_passwd
- Remove /etc/postfix/sasl_passwd for security:
  sudo rm /etc/postfix/sasl_passwd
- Restart Postfix for these settings to take effect:
  sudo /etc/init.d/postfix restart
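To check the result of the Postfix steps above, the following added example (not part of the Landscape documentation; the function names are hypothetical) audits saved `postconf -n` output for the TLS, SASL and SHA-256 fingerprint settings and then checks the credential files. It assumes a stricter expectation than the guide states: that sasl_passwd.db is accessible to its owner only, because postmap gives a new .db file the same group and other read permissions as its source file.

```shell
#!/bin/sh
# Added example, not from the Landscape docs; function names are hypothetical.

# Print the value of parameter $2 from "name = value" lines in file $1 (last one wins).
get_param() {
    awk -v key="$2" '
        { eq = index($0, "="); if (eq == 0) next
          name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
          if (name == key) { val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val) } }
        END { print val }' "$1"
}

# Compare the guide's TLS/SASL settings in file $1; return the number of mismatches.
audit_postfix_conf() {
    failures=0
    while read -r key want; do
        got=$(get_param "$1" "$key")
        [ "$got" = "$want" ] && continue
        echo "FAIL $key: want '$want', found '${got:-unset}'"
        failures=$((failures + 1))
    done <<'EOF'
smtp_tls_fingerprint_digest sha256
smtp_tls_security_level encrypt
smtp_sasl_auth_enable yes
smtp_sasl_security_options noanonymous
smtp_sasl_tls_security_options noanonymous
EOF
    return "$failures"
}

# Check the credential files in directory $1; return the number of problems.
audit_sasl_files() {
    problems=0
    if [ -e "$1/sasl_passwd" ]; then
        echo "FAIL plaintext $1/sasl_passwd still present"; problems=$((problems + 1))
    fi
    if [ ! -f "$1/sasl_passwd.db" ]; then
        echo "FAIL $1/sasl_passwd.db missing (postmap not run)"; problems=$((problems + 1))
    elif ! ls -l "$1/sasl_passwd.db" | grep -q '^....------'; then
        echo "FAIL $1/sasl_passwd.db accessible to group or others"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: the fingerprint digest was never set, so the MD5 default applies.
sample=$(mktemp)
printf '%s\n' 'smtp_tls_security_level = encrypt' 'smtp_sasl_auth_enable = yes' > "$sample"
audit_postfix_conf "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

On the server, save the output of sudo postconf -n to a file and pass that file to audit_postfix_conf, then run audit_sasl_files /etc/postfix as root.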
Once machines have been registered with Landscape, it is possible to use the remote script execution capability of Landscape to interact with all the machines you are managing. For example, you could run Pro Client commands to enable FIPS, FIPS updates, Livepatch and a number of other Ubuntu Pro entitlements.