Issue¶
Purpose¶
The purpose of the issue server is to serve the issue tracking system, implemented with OTRS (https://www.otrs.com/), which is used by Triage and Support for handling requests sent to the support@cacert.org mail address. Use by other teams, e.g. Arbitration (currently used occasionally) and Organisation Assurance, is planned for the future.
Application Links¶
- OTRS URL
Administration¶
System Administration¶
Primary: Mario Lipinski
Secondary: Michael Tänzer
Application Administration¶
Application | Administrator(s)
---|---
OTRS |
Contact¶
Additional People¶
Jan Dittberner and Dirk Astrath have sudo access on that machine too.
Basics¶
Logical Location¶
- IP Internet
- IP Intranet
- IP Internal
- MAC address 00:ff:8c:94:e1:c8 (eth0)
See also: Network
Monitoring¶
- internal checks
DNS¶
Name | Type | Content
---|---|---
issue.cacert.org. | IN A | 213.154.225.244
issue.intra.cacert.org. | IN A | 172.16.2.28
issue.cacert.org. | IN SSHFP | 2 1 FD9A5C79C4A9057B87AE8E639FD223B386AF4BDB
issue.cacert.org. | IN SSHFP | 1 1 3F55E52B51D142EF9D15EEAA9CA25B3AA30C7C6E
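The SSHFP records in the table above are SHA-1 fingerprints over the host's public key blobs (RFC 4255). The following shell functions, an added example that is not part of the CAcert infradocs or of OTRS, derive the SSHFP rdata from an OpenSSH public key line and check whether it appears in a list of records fetched from DNS. Only fingerprint type 1 (SHA-1) is produced, matching the records on the page; the key blob used in the comments is a constructed sample, and `base64` and `sha1sum` from coreutils are assumed to be available.

```shell
#!/bin/sh
# Added example (not CAcert's code): derive SSHFP records from OpenSSH public
# host key lines and compare them with the records published in DNS.
# Assumes coreutils base64 and sha1sum.

# sshfp_algorithm KEYTYPE -> SSHFP algorithm number (RFC 4255 / RFC 6594)
sshfp_algorithm() {
    case "$1" in
        ssh-rsa) echo 1 ;;
        ssh-dss) echo 2 ;;
        ecdsa-sha2-nistp*) echo 3 ;;
        ssh-ed25519) echo 4 ;;
        *) return 1 ;;
    esac
}

# sshfp_record "KEYTYPE BASE64BLOB [comment]"
# Prints "<alg> 1 <SHA-1 of the base64-decoded key blob, upper-case hex>",
# i.e. the rdata that `ssh-keygen -r <host>` would emit for type-1 fingerprints.
sshfp_record() {
    set -- $1
    alg=$(sshfp_algorithm "$1") || return 1
    hex=$(printf '%s' "$2" | base64 -d | sha1sum | cut -d' ' -f1 | tr 'a-f' 'A-F')
    echo "$alg 1 $hex"
}

# sshfp_in_dns "KEYLINE" DNSFILE
# DNSFILE holds one SSHFP rdata per line, e.g. "1 1 3F55...". Returns 0 if the
# record derived from KEYLINE is listed, 1 otherwise (mismatch or unknown type).
sshfp_in_dns() {
    rec=$(sshfp_record "$1") || return 1
    grep -qxF "$rec" "$2"
}

# Usage on the server (constructed sample blob; a real key line comes from
# /etc/ssh/ssh_host_rsa_key.pub, and the DNS side from
# `dig +short SSHFP issue.cacert.org`):
#   sshfp_record "ssh-rsa AAAAB3NzaC1yc2E= sample"
#   sshfp_in_dns "$(cat /etc/ssh/ssh_host_rsa_key.pub)" dns_records.txt
```

A client can have OpenSSH perform the same comparison automatically with `ssh -o VerifyHostKeyDNS=yes issue.cacert.org`, which is the point of publishing the records; the functions above are for checking, after a host key change, that the DNS entries still match what the server presents.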
Services¶
Listening services¶
Port | Service | Origin | Purpose
---|---|---|---
22/tcp | ssh | ANY | admin console access
25/tcp | smtp | localnet | local mail pickup in order to send out notifications via Emailout, incoming mail from Email
80/tcp | http | ANY | HTTP access to issue, redirects to HTTPS
443/tcp | https | ANY | HTTPS access to issue
5666/tcp | nrpe | monitor | remote monitoring service
3306/tcp | mysql | local | MySQL database for OTRS
Running services¶
Service | Usage | Start mechanism
---|---|---
openssh server | ssh daemon for remote administration | init script
Apache httpd | Webserver for OTRS | init script
cron | job scheduler | init script
rsyslog | syslog daemon | init script
MySQL | MySQL database server for OTRS | init script
Postfix | SMTP server for local mail submission and for receiving mail directed to OTRS addresses | init script
Puppet agent | configuration management agent | init script
Nagios NRPE server | remote monitoring service queried by Monitor | init script
Databases¶
RDBMS | Name | Used for
---|---|---
MySQL | otrs | database for OTRS
Outbound network connections¶
- DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
- Emailout as SMTP relay
- Email as SMTP submission relay (587, tcp) for specific addresses (see Postfix configuration below)
- Puppet (tcp/8140) as Puppet master
- Proxyout as HTTP proxy for APT
- crl.cacert.org (rsync) for getting CRLs
Security¶
SSH host keys¶
Algorithm | Fingerprints
---|---
RSA |
DSA |
ECDSA |
ED25519 | -
Todo: setup ED25519 host key
Non-distribution packages and modifications¶
OTRS is installed from Debian packages but has been patched. The OTRS packages must not be updated from Debian packages without reapplying the patch.
/usr/share/otrs/Kernel/Output/HTML/Layout.pm
--- otrs_orig/Layout.pm 2015-01-11 03:13:29.049626928 +0000
+++ /usr/share/otrs/Kernel/Output/HTML/Layout.pm 2015-01-11 03:18:55.736035997 +0000
@@ -369,7 +369,21 @@
}
# locate template files
- $Self->{TemplateDir} = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . $Theme;
+ $Self->{TemplateDir}
+ = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . $Theme;
+ $Self->{StandardTemplateDir}
+ = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . 'Standard';
+
+ # Check if 'Standard' fallback exists
+ if ( !-e $Self->{StandardTemplateDir} ) {
+ $Self->{LogObject}->Log(
+ Priority => 'error',
+ Message =>
+ "No existing template directory found ('$Self->{TemplateDir}')! Check your Home in Kernel/Config.pm",
+ );
+ $Self->FatalDie();
+ }
+
if ( !-e $Self->{TemplateDir} ) {
$Self->{LogObject}->Log(
Priority => 'error',
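Review bot: the error message in the new `Standard` fallback check names the wrong directory. The condition tested is `!-e $Self->{StandardTemplateDir}`, but the message interpolates `$Self->{TemplateDir}`, so an operator whose Standard theme directory is missing would be pointed at the selected theme's directory instead. Suggest `"No existing standard template directory found ('$Self->{StandardTemplateDir}')! Check your Home in Kernel/Config.pm"` so the log line matches the failed check.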
@@ -378,17 +392,9 @@
Default theme used instead.",
);
- # Set TemplateDir to 'Standard' as a fallback and check if it exists.
+ # Set TemplateDir to 'Standard' as a fallback.
$Theme = 'Standard';
- $Self->{TemplateDir} = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . $Theme;
- if ( !-e $Self->{TemplateDir} ) {
- $Self->{LogObject}->Log(
- Priority => 'error',
- Message =>
- "No existing template directory found ('$Self->{TemplateDir}')! Check your Home in Kernel/Config.pm",
- );
- $Self->FatalDie();
- }
+ $Self->{TemplateDir} = $Self->{StandardTemplateDir};
}
# load sub layout files
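Review bot: the fallback assignment `$Self->{TemplateDir} = $Self->{StandardTemplateDir};` no longer verifies that the directory exists, so it is only correct while the existence check for `StandardTemplateDir` added earlier in the constructor stays ahead of this block. A short comment here ("existence of StandardTemplateDir was checked above") would keep a future re-application of the patch, or a merge with an upstream change, from silently reintroducing a fallback to a non-existent directory. The `FatalDie` behaviour itself is preserved, only moved.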
@@ -531,7 +537,7 @@
$File = "$Self->{TemplateDir}/$Param{TemplateFile}.dtl";
}
else {
- $File = "$Self->{TemplateDir}/../Standard/$Param{TemplateFile}.dtl";
+ $File = "$Self->{StandardTemplateDir}/$Param{TemplateFile}.dtl";
}
if ( open my $TEMPLATEIN, '<', $File ) {
$TemplateString = do { local $/; <$TEMPLATEIN> };
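Review bot: the `else` branch now builds the fallback path from `$Self->{StandardTemplateDir}` instead of `$Self->{TemplateDir}/../Standard`, which removes the `..` component and the dependency on the theme directory's depth. The page should state this purpose above the diff: "has been patched" alone does not tell the person re-applying the patch after a package update what behaviour to verify (a non-Standard theme falling back to Standard templates). `$Param{TemplateFile}` is interpolated into the path unchanged in both branches, exactly as before the patch.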
Risk assessments on critical packages¶
Patching OTRS carries the risk of delayed security updates. The package is set on hold via `echo otrs hold | dpkg --set-selections` and must be updated explicitly. OTRS 3.1 is no longer supported by upstream.
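Because the package is held and the patch must be re-applied by hand after every explicit update, the thing an administrator wants to verify after maintenance is that both conditions still hold. The following POSIX shell functions are an added example, not part of the CAcert infradocs or of OTRS: they check the hold state from a saved `dpkg --get-selections` listing and check that the local patch is still present in Layout.pm, by looking for the `StandardTemplateDir` attribute the patch introduces and for the absence of the exact `../Standard` line it removes. The file names in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the CAcert infradocs): post-update check that the
# otrs package is still on hold and that the local Layout.pm patch is still
# applied. Both functions work on files so they can be run against captured
# output as well as the live system.

# package_is_held SELECTIONS_FILE PACKAGE
# SELECTIONS_FILE holds the output of `dpkg --get-selections`
# (lines of the form "<package><tab><state>"). Returns 0 if PACKAGE is on hold.
package_is_held() {
    selections="$1"
    pkg="$2"
    state=$(awk -v p="$pkg" '$1 == p { print $2 }' "$selections")
    [ "$state" = "hold" ]
}

# layout_is_patched LAYOUT_PM
# The local patch introduces the StandardTemplateDir attribute and removes the
# line that built the fallback path via "../Standard"; both must hold for the
# patch to count as applied.
layout_is_patched() {
    layout="$1"
    grep -q 'StandardTemplateDir' "$layout" &&
        ! grep -qF '{TemplateDir}/../Standard/$Param{TemplateFile}.dtl' "$layout"
}

# otrs_patch_status SELECTIONS_FILE LAYOUT_PM
# Prints one verdict per check and returns 0 only if both checks pass.
otrs_patch_status() {
    rc=0
    if package_is_held "$1" otrs; then
        echo "otrs: package on hold (ok)"
    else
        echo "otrs: package NOT on hold - an apt upgrade would overwrite the patched Layout.pm"
        rc=1
    fi
    if layout_is_patched "$2"; then
        echo "Layout.pm: local patch present (ok)"
    else
        echo "Layout.pm: local patch MISSING - reapply it before using the system"
        rc=1
    fi
    return $rc
}

# Usage on the issue server (the selections file name is an assumption; the
# Layout.pm path is the one given on this page):
#   dpkg --get-selections > /tmp/selections.txt
#   otrs_patch_status /tmp/selections.txt /usr/share/otrs/Kernel/Output/HTML/Layout.pm
```

Running this as an NRPE check would turn a forgotten re-application of the patch into a monitoring alert rather than a broken ticket system.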
The Apache httpd in use has a good reputation. OTRS is integrated into Apache httpd via mod_perl2.
Critical Configuration items¶
Keys and X.509 certificates¶
The following certificate and its corresponding private key are used by Apache httpd and Postfix:
Certificate for CN issue.cacert.org, see details in the certificate list
certificate in file /etc/ssl/certs/issue.cacert.org.pem
private key in file /etc/ssl/private/issue.cacert.org.key
Apache httpd configuration¶
/etc/apache2/sites-available/default
HTTP virtualhost configuration that redirects to HTTPS
/etc/apache2/sites-available/default-ssl
HTTPS virtualhost configuration, /cgi-bin/ is aliased to /usr/lib/cgi-bin/ which contains a symbolic link to the OTRS CGIs
OTRS configuration¶
/etc/otrs/
OTRS configuration
/etc/otrs/database.pm
OTRS’s database configuration
Postfix configuration¶
/etc/postfix
Postfix configuration
/etc/postfix/sender_relay
Defines a list of sender addresses that are relayed via Email
/etc/postfix/sender_rewrite
Configures rewriting of all but a short list of addresses to returns@cacert.org
Tasks¶
Creating new OTRS user accounts¶
1. Go to Admin -> Users -> Add
2. Fill out user details
   - Use a securely generated random password (min. 12 chars, a mix of upper- and lower-case letters, numbers and special chars), send it to the user via encrypted mail (also include the URL of the issue tracking system, the username and some initial instructions or a link to documentation if available)
   - Use CAcert email addresses only
3. Set the preferences for the user. Good standards are:
   - Show tickets: 25
   - New ticket notification: Yes (or No for high volume queues having agents regularly looking at
   - Follow up notification: Yes
   - Ticket lock timeout notification: Yes
   - Move notification: Yes (or No if the queues for the user get many new tickets)
   - Spelling Dictionary: English
4. Submit
5. Do NOT set any groups for the user.
6. Go to Admin -> Users -> Roles <-> Users
7. Choose the newly created user
8. Set the roles the user has
9. Submit
10. Now you are done :)
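The password rule in step 2 (at least 12 characters with upper-case, lower-case, digits and special characters) is easy to get wrong by hand. The following POSIX shell functions are an added example, not part of the CAcert infradocs or of OTRS: a checker for that rule and a generator that draws from /dev/urandom and retries until all four classes are present. The allowed special-character set is an assumption chosen to paste cleanly into a mail and a login form.

```shell
#!/bin/sh
# Added example (not part of the page): generate and check initial OTRS agent
# passwords against the rule above. Assumes /dev/urandom, tr, head and grep.

# password_meets_policy PASSWORD [MINLEN]
# Returns 0 if PASSWORD is at least MINLEN (default 12) characters long and
# contains an upper-case letter, a lower-case letter, a digit and a
# non-alphanumeric character.
password_meets_policy() {
    pw="$1"
    min="${2:-12}"
    [ "${#pw}" -ge "$min" ] || return 1
    printf '%s\n' "$pw" | grep -q '[A-Z]' || return 1
    printf '%s\n' "$pw" | grep -q '[a-z]' || return 1
    printf '%s\n' "$pw" | grep -q '[0-9]' || return 1
    printf '%s\n' "$pw" | grep -q '[^A-Za-z0-9]' || return 1
}

# generate_password [LENGTH]
# Keeps only the allowed alphabet from /dev/urandom (rejection sampling, so
# every kept character is uniform) and retries until the policy is met.
# Lengths below 12 are raised to 12 so the loop can terminate.
generate_password() {
    len="${1:-16}"
    [ "$len" -ge 12 ] || len=12
    while :; do
        # Assumed special-character set; adjust to local needs.
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!#%&*+,-./:;=?@^_' < /dev/urandom | head -c "$len")
        if password_meets_policy "$pw" 12; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}

# Usage:
#   generate_password 16
```

The generator deliberately re-draws the whole password instead of patching in a missing class at a fixed position, which would make the password's structure predictable.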
Changes¶
Planned¶
Ideas¶
- The system should be upgraded to a newer Debian release.
- Deployment
  - implement access for other teams
- OTRS
  - change to CAcert corporate design (low priority)
  - should be updated to a newer release that is supported by upstream
- Monitoring
  - create a list of services to monitor
- Configuration management
- X.509 Authentication
- Use centralised logging
System Future¶
No plans
Additional documentation¶