How to Setup RatticDB Password Management Service on Ubuntu 16.04

RatticDB is an open source Django based password management service. The API provided by it is used for access by outside programs, and audit logs to ensure full accountability. There is also a "Change Queue" so as to track which passwords need to be changed and when.

1. Install Pre-requisite

Update your system and install all the pre-requisites including MySQL and Apache.

root@demohost:~# apt-get update
root@demohost:~# apt-get install apache2 php git gcc mysql-server python-setuptools gcc openssl libxml2 python-dev libxml2-dev libxslt1-dev zlib1g-dev libldap2-dev python-ldap python-mysqldb gettext apache2-dev libmysqlclient-dev libsasl2-dev python-dev libldap2-dev libssl-dev pyflakes
root@demohost:~# easy_install pip

Configure FQDN for your host by adding proper entry for host and domain name in /etc/hosts & /etc/hostname(Optional)

root@demohost:~# cat /etc/hosts
127.0.0.1 localhost
172.31.24.18 demohost.com demohost

root@demohost:~# cat /etc/hostname
demohost

Restart networking

root@demohost:~# service networking restart

Now check the FQDN of your host

root@demohost:~# hostname
demohost
root@demohost:~# hostname -f
demohost.com

2. Download RatticWeb

Download RatticWeb and install python required modules using pip.

root@demohost:~# cd /opt
root@demohost:/opt# mkdir apps
root@demohost:/opt# cd apps
root@demohost:/opt/apps# git clone https://github.com/tildaslash/RatticWeb.git
Cloning into 'RatticWeb'...
remote: Counting objects: 6192, done.
remote: Total 6192 (delta 0), reused 0 (delta 0), pack-reused 6192
Receiving objects: 100% (6192/6192), 1.63 MiB | 707.00 KiB/s, done.
Resolving deltas: 100% (3553/3553), done.
Checking connectivity... done.
root@demohost:/opt/apps# cd RatticWeb/
root@demohost:/opt/apps/RatticWeb# /usr/local/bin/pip install -r requirements-mysql.txt -r requirements-dev.txt

3. Create MySQL database/user

Create MySQL database/user and grant privileges.

root@demohost:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1807
Server version: 5.7.17-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database rattic CHARACTER SET utf8;
Query OK, 1 row affected (0.00 sec)

mysql> SET GLOBAL innodb_file_per_table = ON, innodb_file_format = Barracuda, innodb_large_prefix = ON;
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON rattic.* TO 'rattic'@'localhost' identified by 'somepassword';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye

4. Configure RatticWeb

By default RatticWeb runs in debug mode using an SQLite database. To change this and configure the MySQL connection, create a /opt/apps/RatticWeb/conf/local.cfg file with the following contents.

root@demohost:~# cd /opt/apps/RatticWeb
root@demohost:/opt/apps/RatticWeb# vi conf/local.cfg

[ratticweb]
debug = False
secretkey = linoxide
hostname = demohost.com
[filepaths]
static = /opt/apps/RatticWeb/static
[database]
engine = django.db.backends.mysql
name = rattic
user = rattic
password = somepassword
host = localhost
port = 3306

Specify your timezone, password expiry days and hostname.

root@demohost:/opt/apps/RatticWeb# vim conf/defaults.cfg

timezone = Asia/Kolkata
passwordexpirydays = 90
hostname = demohost.com

5. Migrate RatticWeb

You may get the following error in migrations.

..................
..................
django.core.exceptions.ImproperlyConfigured:
For South support, customize the SOUTH_MIGRATION_MODULES setting
to point to the correct migrations module:

SOUTH_MIGRATION_MODULES = {
'kombu_transport_django': 'kombu.transport.django.south_migrations',
}

To correct this, copy the correct migration module.

root@demohost:# cd /usr/local/lib/python2.7/dist-packages
root@demohost:/usr/local/lib/python2.7/dist-packages# rm -rf kombu/transport/django/migrations djcelery/migrations
root@demohost:/usr/local/lib/python2.7/dist-packages# mv kombu/transport/django/south_migrations kombu/transport/django/migrations
root@demohost:/usr/local/lib/python2.7/dist-packages# mv djcelery/south_migrations djcelery/migrations

Now perform migration

root@demohost:# cd /opt/apps/RatticWeb/
root@demohost:/opt/apps/RatticWeb# ./manage.py syncdb --noinput
root@demohost:/opt/apps/RatticWeb# ./manage.py migrate [ create and setup the database ]
root@demohost:/opt/apps/RatticWeb# mkdir static
root@demohost:/opt/apps/RatticWeb#  ./manage.py collectstatic -c --noinput [ populate the static files directory ]
root@demohost:/opt/apps/RatticWeb# ./manage.py demosetup [ to create an initial user account ]

6. Compile/install mod_wsgi

Download and compile mod_wsgi. You need python-dev and apache2-dev for installing mod_wsgi. Both of these are installed in step1.

root@demohost:~# wget https://github.com/GrahamDumpleton/mod_wsgi/archive/develop.zip
root@demohost:~# unzip develop.zip
root@demohost:~# cd mod_wsgi-develop
root@demohost:~/mod_wsgi-develop#./configure --with-python=/usr/bin/python3.5
root@demohost:~/mod_wsgi-develop# make
root@demohost:~/mod_wsgi-develop# make install

root@demohost:~/mod_wsgi-develop# cd /etc/apache2/mods-available
root@demohost:/etc/apache2/mods-available# vi wsgi.load
LoadModule wsgi_module /usr/lib/apache2/modules/mod_wsgi.so

root@demohost:/etc/apache2/mods-available# cd /etc/apache2/mods-enabled
root@demohost:/etc/apache2/mods-enabled# ln -s ../mods-available/wsgi.load .

root@demohost:/etc/apache2/mods-enabled# service apache2 start

For more details on compiling mod_wsgi, check here.

7. Configure Apache

Create SSL certificate and key using OpenSSL.

root@demohost:~# sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/demohost.com.key -out /etc/ssl/certs/demohost.com.crt

Edit apache’s default configuration file and change ServerName and ServerAlias. Make sure to redirect everything from http to https. Also edit default-ssl.conf and add SSL key/cert path, add Aliases and Directory configuration for RatticWeb.

root@demohost# vi /etc/apache2/sites-available/000-default.conf

ServerAdmin webmaster@demohost.com
DocumentRoot /var/www/html
ServerName demohost.com
ServerAlias demohost.com
Redirect permanent / https://demohost.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

Now edit default-ssl.conf

root@demohost# vi /etc/apache2/sites-available/default-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@demohost.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/demohost.com.crt
SSLCertificateKeyFile /etc/ssl/private/demohost.com.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Alias /robots.txt /opt/apps/RatticWeb/static/robots.txt
Alias /favicon.ico /opt/apps/RatticWeb/static/favicon.ico

AliasMatch ^/([^/]*\.css) /opt/apps/RatticWeb/static/styles/$1
Alias /media/ /opt/apps/RatticWeb/media/
Alias /static/ /opt/apps/RatticWeb/static/

<Directory /opt/apps/RatticWeb/static>
Require all granted
</Directory>
<Directory /opt/apps/RatticWeb/media>
Require all granted
</Directory>
WSGIScriptAlias / /opt/apps/RatticWeb/ratticweb/wsgi.py
WSGIPassAuthorization On
WSGIDaemonProcess rattic processes=2 threads=25 home=/opt/apps/RatticWeb/ python-path=/opt/apps/RatticWeb display-name=%{GROUP}
WSGIProcessGroup rattic
<Directory /opt/apps/RatticWeb/ratticweb>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
</VirtualHost>
</IfModule>

Enable apache modules

root@demohost:~# sudo a2enmod wsgi
root@demohost:~# a2enmod rewrite
root@demohost:~# a2ensite default-ssl
root@demohost:~# a2enmod ssl
root@demohost:~# service apache2 restart

8. Configure Firewall

Adjust firewall rules to allow traffic to port no 80 and 443

For IPTABLES users

[root@demohost ~]# vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

[root@demohost ~]# iptables-save > /etc/iptables/rules.v4
[root@demohost ~]# service iptables-persistent restart

For UFW users

[root@demohost ~]# ufw allow 80/tcp
[root@demohost ~]# ufw allow 443/tcp
[root@demohost ~]# ufw reload

9. Access RatticDB

To access rattic, type https://FQDN_Or_IP_Address_Of_Your_Server

Login with default user-name as admin and password as rattic, you will be redirected to password dashboard. Change the default password for user admin.

Click "Profile" from left side-bar to view the admin profile page. Click "Change password"

Type in new password and click "Change Password"

Click "Staff management" and then "Add group"

Give a group name and submit.

Select "Staff management" and then hit "Add user". Fill up the user details and click "Submit"

To list users, select "Staff management", all users and groups will be listed.

That's all to Rattic-DB, you can now mange users/groups and password more securely and access it through secure API's

Conclusions:

We have installed and configured a very nice password management system i.e RatticDB. It has several advantages like simple to use, simple access control, audit logs for accountability, availability of API, encryption on file-system, can be setup with any database, manage changes with a change queue etc. There are other open source password managers are available like teampass, keypass, padlock which you can also consider for your requirements.