🔐 SysManage Secure Installation
Automated production-ready setup with integrated OpenBAO vault initialization and enterprise security defaults.
🏆 Production-Ready Security from Day One
The sysmanage_secure_installation script represents a quantum leap in system management deployment. Inspired by MySQL's legendary secure installation process, this script transforms a basic SysManage installation into an enterprise-grade, production-ready security fortress.
🚀 Zero-Configuration Excellence
What used to take hours of manual configuration now happens in minutes with bulletproof automation that never makes mistakes.
⚡ What the Script Accomplishes
This revolutionary script automates the complete transformation of your SysManage installation into an enterprise-grade security platform:
🏗️ OpenBAO Vault Initialization
- Automatic OpenBAO server configuration and startup
- Production-mode vault initialization with secure defaults
- Automated vault unsealing and secrets engine setup
- Secure credential generation and storage
🗄️ Database Security Hardening
- Complete Alembic migration execution
- UUID-based primary keys for enhanced security
- Secure database schema initialization
- Database connection validation and optimization
👤 Administrative User Setup
- Secure admin user creation with Argon2 password hashing
- UUID-based user identification
- Comprehensive password policy enforcement
- Role-based access control initialization
🔒 Security Configuration
- Cryptographically secure JWT secret generation
- Production security defaults activation
- SSL/TLS configuration optimization
- Security warning system initialization
🌐 Cross-Platform Excellence
The secure installation script demonstrates SysManage's commitment to universal compatibility with intelligent platform detection and privilege management:
✅ Supported Platforms
🐧 Linux
Full support for all major distributions with automatic sudo detection
🍎 macOS
Native macOS support with Homebrew integration
😈 FreeBSD
BSD-native with doas and sudo support
🐡 OpenBSD
OpenBSD security-first approach with doas integration
🪟 Windows
PowerShell and MSYS2 support with Administrator privilege detection
🔐 Intelligent Privilege Management
- Automatic Detection: Detects current privilege level across all platforms
- Smart Elevation: Uses appropriate elevation method (sudo, doas, or Administrator)
- Virtual Environment: Maintains proper Python virtual environment context
- Safety Checks: Validates environment before making system changes
🚀 Usage Guide
📋 Prerequisites
- SysManage installation with virtual environment set up (make install-dev)
- Administrative/root privileges on the system
- PostgreSQL database running and accessible
- OpenBAO binary available (automatically installed with make install-dev)
⚡ Running the Script
Basic Usage:
# Navigate to your SysManage installation
cd /path/to/sysmanage
# Run the secure installation script
./scripts/sysmanage_secure_installation
Advanced Options:
# Skip interactive prompts (use defaults)
./scripts/sysmanage_secure_installation --non-interactive
# Specify custom configuration file
./scripts/sysmanage_secure_installation --config /custom/path/sysmanage.yaml
# Skip OpenBAO initialization (if already configured)
./scripts/sysmanage_secure_installation --skip-vault
📊 Installation Flow
1. Environment Validation: Validates virtual environment, dependencies, and system requirements
2. Database Migration: Executes Alembic migrations to set up secure database schema
3. Admin User Creation: Creates administrative user with secure password hashing
4. Security Configuration: Generates JWT secrets and applies security hardening
5. OpenBAO Initialization: Configures and initializes OpenBAO vault in production mode
6. Production Ready! Enterprise-grade SysManage installation ready for production use
🛡️ Advanced Security Features
🔐 Argon2 Password Hashing
Uses Argon2id, the winner of the Password Hashing Competition, providing military-grade protection against rainbow table and GPU-based attacks.
- Memory-hard algorithm resistant to specialized hardware attacks
- Configurable time and memory parameters for optimal security
- Salt-based protection against rainbow table attacks
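The hashing pattern the admin-user step relies on, as an added example rather than the installer's own code: each hash carries its own random salt and its cost parameters, and verification recomputes with those stored values and compares in constant time. It uses Argon2id through the argon2-cffi package when that is installed (that SysManage uses this package is an assumption) and otherwise falls back to hashlib.scrypt from the standard library, which is likewise memory-hard and salted, so the example runs without extra dependencies.

```python
"""Memory-hard, salted password hashing for an admin user record.

Added example, not the SysManage project's code. Argon2id via argon2-cffi
when available (assumed to be the library behind the script's Argon2 hashing);
otherwise scrypt from the standard library, with the same storage pattern.
"""
import base64
import hashlib
import hmac
import secrets

try:
    from argon2 import PasswordHasher  # argon2-cffi
    from argon2.exceptions import VerifyMismatchError
    # 64 MiB memory, 3 passes, 4 lanes: the cost that makes GPU/ASIC cracking expensive
    _ARGON2 = PasswordHasher(time_cost=3, memory_cost=64 * 1024, parallelism=4)
except ImportError:  # library not installed: scrypt path below is used instead
    _ARGON2 = None

# scrypt cost: N (CPU/memory work factor), r (block size), p (parallelism);
# each hash needs 128 * N * r bytes = 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return a self-describing hash string carrying a fresh random salt."""
    if _ARGON2 is not None:
        # Format: $argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>
        return _ARGON2.hash(password)
    salt = secrets.token_bytes(16)  # per-password salt defeats rainbow tables
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$scrypt$n={},r={},p={}${}${}".format(
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    if stored.startswith("$argon2"):
        if _ARGON2 is None:
            raise RuntimeError("argon2-cffi is required to verify this hash")
        try:
            return _ARGON2.verify(stored, password)
        except VerifyMismatchError:
            return False
    _, algo, params, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unknown hash format")
    kv = dict(item.split("=") for item in params.split(","))
    digest = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                            n=int(kv["n"]), r=int(kv["r"]), p=int(kv["p"]), dklen=32)
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


if __name__ == "__main__":
    h = hash_password("correct horse battery staple")
    print(h)
    print(verify_password(h, "correct horse battery staple"), verify_password(h, "wrong"))
```

Because the parameters travel with the hash, the cost can be raised later and old records re-hashed on the user's next successful login without a migration; two hashes of the same password never match, which is the salt doing its job.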
🆔 UUID-Based Security
All primary keys use cryptographically secure UUIDs, eliminating enumeration attacks and providing enhanced privacy.
- Version 4 UUIDs with cryptographic randomness
- Prevents user enumeration and predictable resource URLs
- Enhanced privacy and GDPR compliance
🎫 Cryptographic JWT Secrets
Generates cryptographically secure JWT secrets using Python's secrets module for unbreakable token security.
- 256-bit entropy from OS-level randomness
- Automatic secret rotation capabilities
- Secure token validation and expiration
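For the two previous sections (UUID primary keys and JWT secrets), an added example of how the installer's generation step and a post-install configuration check can look; this is not the project's code. The minimum of 256 bits, the placeholder list and the entropy estimator are this example's own assumptions.

```python
"""Generate and check the random values the secure installation writes:
a JWT signing secret and UUID version-4 primary keys.
Added example, not SysManage's own code; thresholds are assumptions.
"""
import math
import secrets
import uuid

MIN_JWT_SECRET_BITS = 256
# Constructed list of placeholder values that must never reach production.
WEAK_PLACEHOLDERS = {"", "changeme", "secret", "your-secret-key", "password"}

# Smallest standard alphabet that contains every character of the secret,
# used to bound the entropy per character (hex 4 bits, base64url 6 bits, ...).
_ALPHABETS = [
    ("hex", set("0123456789abcdefABCDEF")),
    ("base64url", set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")),
    ("base64", set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")),
    ("printable", {chr(c) for c in range(32, 127)}),
]


def generate_jwt_secret(nbytes: int = 32) -> str:
    """32 bytes from the OS CSPRNG = 256 bits of entropy, base64url encoded."""
    return secrets.token_urlsafe(nbytes)


def jwt_secret_entropy_bits(secret: str) -> float:
    """Upper bound on the secret's entropy if every character were drawn
    uniformly from the smallest alphabet covering it (a generous estimate)."""
    chars = set(secret)
    for _name, alphabet in _ALPHABETS:
        if chars <= alphabet:
            return len(secret) * math.log2(len(alphabet))
    return len(secret) * math.log2(max(len(chars), 2))


def check_jwt_secret(secret: str) -> list:
    """Return the list of problems with a configured secret (empty = acceptable)."""
    problems = []
    if secret.strip().lower() in WEAK_PLACEHOLDERS:
        problems.append("placeholder value")
    bits = jwt_secret_entropy_bits(secret)
    if bits < MIN_JWT_SECRET_BITS:
        problems.append("only ~%d bits of entropy, need %d" % (bits, MIN_JWT_SECRET_BITS))
    return problems


def new_primary_key() -> str:
    """Version-4 UUID: 122 random bits, so IDs cannot be guessed or enumerated."""
    return str(uuid.uuid4())


def is_random_uuid(value: str) -> bool:
    """True only for a well-formed RFC 4122 version-4 UUID (rejects ints,
    time-based v1 values and other predictable identifiers)."""
    try:
        parsed = uuid.UUID(str(value))
    except ValueError:
        return False
    return parsed.variant == uuid.RFC_4122 and parsed.version == 4


if __name__ == "__main__":
    s = generate_jwt_secret()
    print(s, jwt_secret_entropy_bits(s), check_jwt_secret(s))
    print(check_jwt_secret("changeme"))
    print(new_primary_key(), is_random_uuid(new_primary_key()), is_random_uuid("1"))
```

The estimator deliberately errs high, so any secret it flags is certainly too weak; it is a guard against leftover placeholders and short hand-typed values, not a substitute for generating the secret with `secrets` in the first place.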
🏦 OpenBAO Vault Integration
Seamless OpenBAO integration provides enterprise-grade secrets management from the moment of installation.
- Automatic vault initialization and unsealing
- Production-mode configuration with secure defaults
- Key-value secrets engine setup and configuration
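The init, unseal and secrets-engine steps named here and in the OpenBAO Vault Initialization section, as an added example that is not the installer's code. It calls OpenBAO's Vault-compatible HTTP API (sys/init, sys/unseal, sys/mounts) at the address in BAO_ADDR (default http://127.0.0.1:8200, plain HTTP assumed only for a local listener); the 5-share/3-threshold split, the layout of the credentials file and the SimulatedOpenBAO class, which stands in for a server so the example runs offline, are this example's own choices.

```python
"""Initialize, unseal and prepare an OpenBAO server, mirroring the steps the
secure installation automates. Added example, not SysManage's own code.
"""
import json
import os
import stat
import tempfile
import urllib.request

API_ADDR = os.environ.get("BAO_ADDR", "http://127.0.0.1:8200")  # assumption
SECRET_SHARES, SECRET_THRESHOLD = 5, 3  # any 3 of 5 unseal keys unseal


def http_json(method, path, body=None, token=None):
    """One JSON request against the live API; returns the decoded reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_ADDR + "/v1" + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class SimulatedOpenBAO:
    """Constructed stand-in for the API so the flow runs with no server.
    The keys and token it returns are fake values, not real ones."""
    def __init__(self):
        self.calls, self.progress, self.mounts = [], 0, []

    def __call__(self, method, path, body=None, token=None):
        self.calls.append((method, path))
        if path == "/sys/init":
            return {"keys_base64": ["FAKEKEY%d=" % i for i in range(SECRET_SHARES)],
                    "root_token": "s.FAKEROOTTOKEN"}
        if path == "/sys/unseal":
            self.progress += 1  # server stays sealed until threshold keys arrive
            return {"sealed": self.progress < SECRET_THRESHOLD,
                    "t": SECRET_THRESHOLD, "n": SECRET_SHARES, "progress": self.progress}
        if path.startswith("/sys/mounts/") and token == "s.FAKEROOTTOKEN":
            self.mounts.append(path.rsplit("/", 1)[1])
        return {}


def initialize(transport):
    """Split the root key into SECRET_SHARES unseal keys (Shamir)."""
    return transport("PUT", "/sys/init",
                     {"secret_shares": SECRET_SHARES, "secret_threshold": SECRET_THRESHOLD})


def unseal(transport, keys):
    """Feed keys one at a time; stop as soon as the server reports sealed=false."""
    for key in keys:
        if transport("PUT", "/sys/unseal", {"key": key}).get("sealed") is False:
            return True
    return False  # fewer than the threshold of valid keys were supplied


def enable_kv_v2(transport, root_token, mount="secret"):
    """Mount a versioned key-value secrets engine at /<mount>."""
    transport("POST", "/sys/mounts/%s" % mount,
              {"type": "kv", "options": {"version": "2"}}, token=root_token)


def write_credentials(path, init_result):
    """Persist unseal keys and root token; the file is 0600 from creation."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"unseal_keys": init_result["keys_base64"],
                   "root_token": init_result["root_token"]}, fh, indent=2)


def secure_install(transport, credentials_path):
    """init -> save credentials -> unseal with threshold keys -> mount kv-v2."""
    init = initialize(transport)
    write_credentials(credentials_path, init)
    unsealed = unseal(transport, init["keys_base64"][:SECRET_THRESHOLD])
    if unsealed:
        enable_kv_v2(transport, init["root_token"])
    return unsealed


def demo():
    """Run the flow against the simulated server and report what happened."""
    server = SimulatedOpenBAO()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".vault_credentials")
        unsealed = secure_install(server, path)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as fh:
            stored = json.load(fh)
    return {"unsealed": unsealed,
            "unseal_calls": sum(1 for _, p in server.calls if p == "/sys/unseal"),
            "kv_mounted": "secret" in server.mounts,
            "file_mode": oct(mode),
            "keys_saved": len(stored["unseal_keys"])}


if __name__ == "__main__":
    print(demo())  # pass http_json instead of the simulator to drive a real server
```

The credentials are written before the first unseal call so that a crash mid-unseal cannot leave an initialized vault whose keys were never recorded; they are created with mode 0600 rather than chmod'ed afterwards, which avoids a window in which the root token is world-readable.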
🔧 Troubleshooting
❌ Privilege Issues
Problem: Script fails with permission denied errors
Solution:
- Ensure you have administrative privileges on your system
- On Linux/macOS: Use sudo or ensure your user is in sudoers
- On FreeBSD/OpenBSD: Configure doas or use sudo
- On Windows: Run terminal as Administrator
🐍 Virtual Environment Issues
Problem: "Virtual environment not found" error
Solution:
# Create and set up virtual environment
make install-dev
# Verify virtual environment exists
ls -la .venv/
🗄️ Database Connection Issues
Problem: Database connection failures during migration
Solution:
- Verify PostgreSQL is running:
systemctl status postgresql
- Check database credentials in configuration file
- Ensure database user has CREATE privileges
- Test connection manually:
psql -h host -U user -d database
🏦 OpenBAO Installation Issues
Problem: OpenBAO binary not found or initialization fails
Solution:
- Install OpenBAO: make install-dev (includes OpenBAO)
- Manually install OpenBAO from official releases
- Check firewall settings for localhost connections
- Use the --skip-vault flag to skip OpenBAO setup temporarily
🎉 Post-Installation Steps
After successful completion, your SysManage installation is production-ready with enterprise-grade security. Here's what to do next:
✅ Post-Installation Checklist
- Secure Credentials: Store the generated .vault_credentials file in a secure location
- Start Services: Use make start to launch all services
- Access Web Interface: Navigate to https://your-server:8443
- Login: Use the admin credentials you created during installation
- Deploy Agents: Install and approve SysManage agents on your infrastructure
- Upload Secrets: Begin using the secrets management features