RatticDB is an open source, Django-based password management service. It provides an API so that outside programs can access it, and audit logs to ensure full accountability. There is also a "Change Queue" to track which passwords need to be changed and when.
1. Install Pre-requisite
Update your system and install all the pre-requisites, including MySQL and Apache.
root@demohost:~# apt-get update
root@demohost:~# apt-get install apache2 php git gcc mysql-server python-setuptools gcc openssl libxml2 python-dev libxml2-dev libxslt1-dev zlib1g-dev libldap2-dev python-ldap python-mysqldb gettext apache2-dev libmysqlclient-dev libsasl2-dev python-dev libldap2-dev libssl-dev pyflakes
root@demohost:~# easy_install pip
Configure the FQDN for your host by adding the proper host and domain name entries in /etc/hosts and /etc/hostname (optional).
root@demohost:~# cat /etc/hosts
127.0.0.1 localhost
172.31.24.18 demohost.com demohost
root@demohost:~# cat /etc/hostname
demohost
Restart networking
root@demohost:~# service networking restart
Now check the FQDN of your host.
root@demohost:~# hostname
demohost
root@demohost:~# hostname -f
demohost.com
2. Download RatticWeb
Download RatticWeb and install the required Python modules using pip.
root@demohost:~# cd /opt
root@demohost:/opt# mkdir apps
root@demohost:/opt# cd apps
root@demohost:/opt/apps# git clone https://github.com/tildaslash/RatticWeb.git
Cloning into 'RatticWeb'...
remote: Counting objects: 6192, done.
remote: Total 6192 (delta 0), reused 0 (delta 0), pack-reused 6192
Receiving objects: 100% (6192/6192), 1.63 MiB | 707.00 KiB/s, done.
Resolving deltas: 100% (3553/3553), done.
Checking connectivity... done.
root@demohost:/opt/apps# cd RatticWeb/
root@demohost:/opt/apps/RatticWeb# /usr/local/bin/pip install -r requirements-mysql.txt -r requirements-dev.txt
3. Create MySQL database/user
Create the MySQL database and user, and grant privileges.
root@demohost:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1807
Server version: 5.7.17-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database rattic CHARACTER SET utf8;
Query OK, 1 row affected (0.00 sec)

mysql> SET GLOBAL innodb_file_per_table = ON, innodb_file_format = Barracuda, innodb_large_prefix = ON;
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON rattic.* TO 'rattic'@'localhost' identified by 'somepassword';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
4. Configure RatticWeb
By default RatticWeb runs in debug mode using an SQLite database. To change this and configure the MySQL connection, create a /opt/apps/RatticWeb/conf/local.cfg file with the following contents.
root@demohost:~# cd /opt/apps/RatticWeb
root@demohost:/opt/apps/RatticWeb# vi conf/local.cfg
[ratticweb]
debug = False
secretkey = linoxide
hostname = demohost.com

[filepaths]
static = /opt/apps/RatticWeb/static

[database]
engine = django.db.backends.mysql
name = rattic
user = rattic
password = somepassword
host = localhost
port = 3306
Specify your timezone, password expiry days and hostname in conf/defaults.cfg.
root@demohost:/opt/apps/RatticWeb# vim conf/defaults.cfg
timezone = Asia/Kolkata
passwordexpirydays = 90
hostname = demohost.com
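The local.cfg above carries three values that decide how safe the finished installation is: debug (must stay False, or Django shows tracebacks and settings to any client), secretkey (signs sessions, CSRF tokens and password-reset links, so a short or copied value such as the example's "linoxide" makes them forgeable on every host that reused it), and hostname (feeds Django's ALLOWED_HOSTS; if it is missing, every request is answered with a 400). The following checker, an added example that is not part of RatticWeb or of this article, reads the same [ratticweb] and [database] sections with the standard library's configparser and flags placeholder values; the placeholder list and the 50-character minimum key length are assumptions chosen for the example (50 is what Django's own startproject generates). The sample config is a constructed copy of the tutorial's values.

```python
"""Flag weak settings in a RatticWeb conf/local.cfg before going live.

Added example, not code from the RatticWeb project or this article.
"""
import configparser
import io
import secrets

# Values copied verbatim from a published tutorial end up on many hosts;
# anything in this set is treated as "must be replaced". (Assumed list.)
PLACEHOLDER_VALUES = {"linoxide", "somepassword", "changeme", "password", "secret"}
MIN_SECRET_LEN = 50  # assumption: Django's startproject generates 50-char keys


def _parse(text):
    # interpolation=None so '%' inside generated secrets is never interpreted
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def check_local_cfg(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = _parse(text)
    findings = []

    # debug=True makes Django serve full tracebacks and settings to any client.
    if cfg.get("ratticweb", "debug", fallback="True").strip().lower() != "false":
        findings.append("debug is not False")

    # secretkey signs sessions, CSRF tokens and password-reset links.
    key = cfg.get("ratticweb", "secretkey", fallback="").strip()
    if not key:
        findings.append("secretkey is missing")
    elif key.lower() in PLACEHOLDER_VALUES or len(key) < MIN_SECRET_LEN:
        findings.append("secretkey is a placeholder or shorter than %d characters" % MIN_SECRET_LEN)

    # hostname feeds ALLOWED_HOSTS; without it Django answers 400 to everything.
    if not cfg.get("ratticweb", "hostname", fallback="").strip():
        findings.append("hostname is missing")

    # RatticWeb defaults to SQLite (no password); any other engine needs one.
    engine = cfg.get("database", "engine", fallback="django.db.backends.sqlite3")
    if engine != "django.db.backends.sqlite3":
        pw = cfg.get("database", "password", fallback="").strip()
        if not pw or pw.lower() in PLACEHOLDER_VALUES:
            findings.append("database password is empty or a placeholder")
    return findings


def new_secret_key(nbytes=48):
    """Random URL-safe key from the OS CSPRNG; 48 bytes encode to 64 characters."""
    return secrets.token_urlsafe(nbytes)


def harden_local_cfg(text, db_password):
    """Return the config text with debug off and fresh secrets substituted."""
    cfg = _parse(text)
    cfg["ratticweb"]["debug"] = "False"
    cfg["ratticweb"]["secretkey"] = new_secret_key()
    cfg["database"]["password"] = db_password
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


# Constructed sample: the exact values the tutorial's local.cfg uses.
TUTORIAL_CFG = """\
[ratticweb]
debug = False
secretkey = linoxide
hostname = demohost.com
[filepaths]
static = /opt/apps/RatticWeb/static
[database]
engine = django.db.backends.mysql
name = rattic
user = rattic
password = somepassword
host = localhost
port = 3306
"""

if __name__ == "__main__":
    for finding in check_local_cfg(TUTORIAL_CFG):
        print("FINDING:", finding)
    # The MySQL GRANT in step 3 must use the same password you put here.
    print(harden_local_cfg(TUTORIAL_CFG, db_password=new_secret_key(24)))
```

Run it against the tutorial's values and it reports the placeholder secretkey and database password; the hardened output can be written back to conf/local.cfg, with the new database password also applied to the GRANT from step 3.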
5. Migrate RatticWeb
You may get the following error during migrations.
..................
..................
django.core.exceptions.ImproperlyConfigured: For South support, customize the SOUTH_MIGRATION_MODULES setting to point to the correct migrations module:
    SOUTH_MIGRATION_MODULES = {
        'kombu_transport_django': 'kombu.transport.django.south_migrations',
    }
To correct this, put the South migration modules in place of the default ones.
root@demohost:# cd /usr/local/lib/python2.7/dist-packages
root@demohost:/usr/local/lib/python2.7/dist-packages# rm -rf kombu/transport/django/migrations djcelery/migrations
root@demohost:/usr/local/lib/python2.7/dist-packages# mv kombu/transport/django/south_migrations kombu/transport/django/migrations
root@demohost:/usr/local/lib/python2.7/dist-packages# mv djcelery/south_migrations djcelery/migrations
Now perform the migration.
root@demohost:# cd /opt/apps/RatticWeb/
root@demohost:/opt/apps/RatticWeb# ./manage.py syncdb --noinput
root@demohost:/opt/apps/RatticWeb# ./manage.py migrate                   [ create and set up the database ]
root@demohost:/opt/apps/RatticWeb# mkdir static
root@demohost:/opt/apps/RatticWeb# ./manage.py collectstatic -c --noinput  [ populate the static files directory ]
root@demohost:/opt/apps/RatticWeb# ./manage.py demosetup                 [ create an initial user account ]
6. Compile/install mod_wsgi
Download and compile mod_wsgi. You need python-dev and apache2-dev to build mod_wsgi; both were installed in step 1. The interpreter you pass to --with-python must be the same one whose pip installed the RatticWeb requirements in step 2, otherwise Apache will load wsgi.py with a Python that has no django module (see the comments below for this exact failure).
root@demohost:~# wget https://github.com/GrahamDumpleton/mod_wsgi/archive/develop.zip
root@demohost:~# unzip develop.zip
root@demohost:~# cd mod_wsgi-develop
root@demohost:~/mod_wsgi-develop# ./configure --with-python=/usr/bin/python3.5
root@demohost:~/mod_wsgi-develop# make
root@demohost:~/mod_wsgi-develop# make install
root@demohost:~/mod_wsgi-develop# cd /etc/apache2/mods-available
root@demohost:/etc/apache2/mods-available# vi wsgi.load
LoadModule wsgi_module /usr/lib/apache2/modules/mod_wsgi.so
root@demohost:/etc/apache2/mods-available# cd /etc/apache2/mods-enabled
root@demohost:/etc/apache2/mods-enabled# ln -s ../mods-available/wsgi.load .
root@demohost:/etc/apache2/mods-enabled# service apache2 start
For more details on compiling mod_wsgi, check here.
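The "ImportError: No module named 'django'" that several readers report in the comments is the result of building mod_wsgi against one interpreter (the --with-python value) while pip installed the requirements under another. The script below, an added example that belongs neither to RatticWeb nor to this article, compares the libpython that mod_wsgi.so is linked against (visible in ldd output when Python was built as a shared library, as the Debian/Ubuntu packages are) with the Python that owns the installed django package. The ldd text and the paths in the sample are constructed to reproduce the tutorial's situation: mod_wsgi built for python3.5, packages installed under python2.7.

```python
"""Detect the Python mismatch behind "ImportError: No module named 'django'".

Added example; not part of the RatticWeb project or of this article.
"""
import re
import subprocess

# "libpython3.5m.so.1.0 => ..." in ldd output -> "3.5"
LIBPYTHON_RE = re.compile(r"libpython(\d+\.\d+)")
# "/usr/local/lib/python2.7/dist-packages/django/..." -> "2.7"
SITE_DIR_RE = re.compile(r"/python(\d+\.\d+)/(?:site|dist)-packages/")


def version_from_ldd(ldd_output):
    """Python X.Y that mod_wsgi.so is linked against, or None if not found."""
    m = LIBPYTHON_RE.search(ldd_output)
    return m.group(1) if m else None


def version_from_package_path(path):
    """Python X.Y owning a site-/dist-packages path, or None."""
    m = SITE_DIR_RE.search(path)
    return m.group(1) if m else None


def diagnose(ldd_output, django_path):
    """Return (ok, message) after comparing the two interpreters."""
    wsgi_py = version_from_ldd(ldd_output)
    django_py = version_from_package_path(django_path)
    if wsgi_py is None:
        return False, "no libpython in ldd output; mod_wsgi may be linked statically"
    if django_py is None:
        return False, "django path does not look like a site-/dist-packages location"
    if wsgi_py != django_py:
        return False, (
            "mod_wsgi is linked against Python %s but django is installed for "
            "Python %s; rebuild mod_wsgi with --with-python pointing at Python %s "
            "or install the requirements with that interpreter's pip"
            % (wsgi_py, django_py, wsgi_py)
        )
    return True, "mod_wsgi and django both use Python %s" % wsgi_py


def live_diagnose(mod_wsgi_so="/usr/lib/apache2/modules/mod_wsgi.so",
                  interpreter="python"):
    """Run the same check on this host (needs ldd and the interpreter on PATH).

    The module path default is the one the tutorial's wsgi.load uses.
    """
    ldd = subprocess.run(["ldd", mod_wsgi_so], capture_output=True, text=True).stdout
    probe = subprocess.run(
        [interpreter, "-c", "import django; print(django.__file__)"],
        capture_output=True, text=True,
    )
    if probe.returncode != 0:
        return False, "django not importable by %s: %s" % (interpreter, probe.stderr.strip())
    return diagnose(ldd, probe.stdout.strip())


# Constructed sample reproducing the article: --with-python=/usr/bin/python3.5
# for mod_wsgi, requirements installed under /usr/local/lib/python2.7.
SAMPLE_LDD = """\
    linux-vdso.so.1 =>  (0x00007ffd1b3f2000)
    libpython3.5m.so.1.0 => /usr/lib/x86_64-linux-gnu/libpython3.5m.so.1.0 (0x00007f0a5c1d0000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f0a5bfb3000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a5bbe9000)
"""
SAMPLE_DJANGO_PATH = "/usr/local/lib/python2.7/dist-packages/django/__init__.pyc"

if __name__ == "__main__":
    ok, message = diagnose(SAMPLE_LDD, SAMPLE_DJANGO_PATH)
    print("OK" if ok else "MISMATCH", "-", message)
```

On a real host call live_diagnose() instead of diagnose(): it runs ldd on the module path from wsgi.load and asks the interpreter where django lives, which is the same comparison the author recommends in the comments (python --version against the --with-python value).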
7. Configure Apache
Create an SSL certificate and key using OpenSSL.
root@demohost:~# sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/demohost.com.key -out /etc/ssl/certs/demohost.com.crt
Edit Apache's default configuration file and change ServerName and ServerAlias. Make sure to redirect everything from http to https. Also edit default-ssl.conf to add the SSL key/cert paths, the Aliases and the Directory configuration for RatticWeb.
root@demohost# vi /etc/apache2/sites-available/000-default.conf
ServerAdmin webmaster@demohost.com
DocumentRoot /var/www/html
ServerName demohost.com
ServerAlias demohost.com
Redirect permanent / https://demohost.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Now edit default-ssl.conf.
root@demohost# vi /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@demohost.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/demohost.com.crt
    SSLCertificateKeyFile /etc/ssl/private/demohost.com.key

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    Alias /robots.txt /opt/apps/RatticWeb/static/robots.txt
    Alias /favicon.ico /opt/apps/RatticWeb/static/favicon.ico
    AliasMatch ^/([^/]*\.css) /opt/apps/RatticWeb/static/styles/$1
    Alias /media/ /opt/apps/RatticWeb/media/
    Alias /static/ /opt/apps/RatticWeb/static/

    <Directory /opt/apps/RatticWeb/static>
        Require all granted
    </Directory>
    <Directory /opt/apps/RatticWeb/media>
        Require all granted
    </Directory>

    WSGIScriptAlias / /opt/apps/RatticWeb/ratticweb/wsgi.py
    WSGIPassAuthorization On
    WSGIDaemonProcess rattic processes=2 threads=25 home=/opt/apps/RatticWeb/ python-path=/opt/apps/RatticWeb display-name=%{GROUP}
    WSGIProcessGroup rattic

    <Directory /opt/apps/RatticWeb/ratticweb>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>
</VirtualHost>
</IfModule>
Enable the Apache modules and the SSL site.
root@demohost:~# sudo a2enmod wsgi
root@demohost:~# a2enmod rewrite
root@demohost:~# a2ensite default-ssl
root@demohost:~# a2enmod ssl
root@demohost:~# service apache2 restart
8. Configure Firewall
Adjust the firewall rules to allow traffic to ports 80 and 443.
For IPTABLES users
[root@demohost ~]# vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
[root@demohost ~]# iptables-save > /etc/iptables/rules.v4
[root@demohost ~]# service iptables-persistent restart
For UFW users
[root@demohost ~]# ufw allow 80/tcp
[root@demohost ~]# ufw allow 443/tcp
[root@demohost ~]# ufw reload
9. Access RatticDB
To access RatticDB, open https://FQDN_Or_IP_Address_Of_Your_Server in a browser.
Log in with the default username admin and password rattic; you will be redirected to the password dashboard. Change the default password for user admin straight away.
Click "Profile" in the left sidebar to view the admin profile page, then click "Change password".
Type in the new password and click "Change Password".
Click "Staff management" and then "Add group".
Give the group a name and submit.
Select "Staff management" and then hit "Add user". Fill in the user details and click "Submit".
To list users, select "Staff management"; all users and groups will be listed.
That's all for RatticDB. You can now manage users, groups and passwords more securely and access them through secure APIs.
Conclusions:
We have installed and configured a very nice password management system, RatticDB. It has several advantages: it is simple to use, has simple access control, keeps audit logs for accountability, offers an API, encrypts data on the file system, can be set up with any database, and manages changes with a change queue. Other open source password managers such as TeamPass, KeePass and Padlock are also available and worth considering for your requirements.
Hi, I'm having a problem when running 'make' in the wsgi install, it fails.
And also on syncdb, it gets an error of integrity key.
And I have a question: why can't I just install libapache2-mod-wsgi?
Hi
John
You can do it using libapache2-mod-wsgi/libapache2-mod-wsgi-py3 OR by compiling from source, depending on which python module is in your system. First find out which python module your system is using with python --version. If you compile from source, make sure to uninstall libapache2-mod-wsgi/libapache2-mod-wsgi-py3 and then pass the right python path in the ./configure option, like ./configure --with-python=/usr/bin/python3.5
Also, what error do you get on syncdb? Specify your OS type/version and error details.
Hi,
First off I would like to say thank you for making this guide. I am almost there, however I am running into a problem when I try to connect to my server. It returns the following error in the log:
Traceback (most recent call last):
File "opt/apps/RatticWeb/ratticweb/wsgi.py", line 23, in
from django.core.wsgi import get_wsgi_application
ImportError: No module named 'django'
mod_wsgi (pid=1048): Target WSGI script 'opt/apps/RatticWeb/ratticweb/wsgi.py' cannot be loaded as a Python module.
mod_wsgi (pid=1048): Exception occurred processing WSGI script '/opt/apps/RatticWeb/ratticweb/wsgi.py'
Hi
Nick
I have also faced the same issue while configuring/validating the commands in this article. I did post a question on GitHub but ultimately I corrected the error. This is due to a mismatch in the python modules being loaded by apache.
You can find the solution in this link https://github.com/tildaslash/RatticWeb/issues/460
Everything looked like it worked, but when I go to the web page, I get a 500 Internal Server Error.
Here's the apache log:
[Thu Mar 02 10:31:17.208070 2017] [wsgi:error] [pid 1582:tid 140318972843776] [remote 192.168.212.50:51149] mod_wsgi (pid=1582): Exception occurred processing WSGI script '/opt/apps/RatticWeb/ratticweb/wsgi.py'.
[Thu Mar 02 10:31:17.208225 2017] [wsgi:error] [pid 1582:tid 140318972843776] [remote 192.168.212.50:51149] Traceback (most recent call last):
[Thu Mar 02 10:31:17.208267 2017] [wsgi:error] [pid 1582:tid 140318972843776] [remote 192.168.212.50:51149] File "/opt/apps/RatticWeb/ratticweb/wsgi.py", line 23, in
[Thu Mar 02 10:31:17.208276 2017] [wsgi:error] [pid 1582:tid 140318972843776] [remote 192.168.212.50:51149] from django.core.wsgi import get_wsgi_application
[Thu Mar 02 10:31:17.208305 2017] [wsgi:error] [pid 1582:tid 140318972843776] [remote 192.168.212.50:51149] ImportError: No module named 'django'
Not sure what to do.
Check the Python path in your system. Since you are getting this error at run time, it is possible that you have multiple pythons interfering with the package.
Tell your system which python to use by => alias python=python3.4
Also check the python path in default-ssl.conf.
Hello!
I've followed all the instructions that you have given, and the installation was successful, but when I try to open the page, apache gives me a 400 error.
error.log is empty.
How can I find and fix this?
Thank you for any help.
Oh, lol. It was a very stupid mistake :D
I had ignored the hostname in local.cfg. I added the hostname, and it all worked.
Glad to hear that it worked :-)
Hm. Now I have a new error.
I cannot create a new password in ratticdb.
error.log:
2017-04-18 14:41:12,143 [ERROR] Internal Server Error: /account/
[Tue Apr 18 14:41:12.144307 2017] [wsgi:error] [pid 1544:tid 140474040301312] [remote 192.168.1.104:41416] Traceback (most recent call last):
[Tue Apr 18 14:41:12.144314 2017] [wsgi:error] [pid 1544:tid 140474040301312] [remote 192.168.1.104:41416] File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py", line 112, in get_response
[Tue Apr 18 14:41:12.144319 2017] [wsgi:error] [pid 1544:tid 140474040301312] [remote 192.168.1.104:41416] response = wrapped_callback(request, *callback_args, **callback_kwargs)
Hi
Olga
Can you describe the account_apikey table from the database ?
Hi!
Thank you for the answer :)
I'm not very experienced in mysql, sorry.
What do you mean?
This one?
SELECT * FROM account_apikey;
Empty set (0.00 sec)
Ok.
I found the answer to this problem too. We cannot save passwords without a group.
I hope my comments will help someone :)
Now last one :)
In the infrastructure User [ Proxy Passbolt ], the user cannot log in - mistake "Forbidden (403) CSRF verification failed. Request aborted."
Admin or test user, it does not matter, the error is the same.
The proxy is nginx as frontend.
Without the proxy all is OK (inside the local network).
Hello,
when I try to go to /account (profile page), I get: 500 - Something went Splork!
In the error log:
[raise errorclass, errorvalue
OperationalError: (1054, "Unknown column 'account_apikey.expires' in 'field list'")]
Migrate ran without any mistake.
I got the same 500 error for /accounts page. Did anyone resolve it?