Prerequisites to install the PEM server on Linux v8

You can install PEM on a single server, or you can install the web application server and the backend database on two separate servers. You must prepare your servers for PEM installation.

After completing the prerequisites, install and configure PEM. If you're using two servers, install and configure PEM on both servers.

To install a PEM server on Linux, perform this preliminary configuration:

  1. Install a supported Postgres instance for PEM to use as a backend database. You can install this instance on the same server as you will use for the PEM web application or a separate server. You can also use an existing Postgres instance providing it is configured as detailed in steps 2 and 3 below.

  2. Configure authentication on the Postgres backend database by updating the pg_hba.conf file.

    You must make the following changes manually, prior to configuration. (Additional changes are made to this file during configuration.)

    • To create the relations required for PEM, the PEM configuration script connects to the Postgres backend database as a superuser of your choice using password authentication. This requires you to permit your chosen superuser to authenticate using a password. This user must be able to connect from any location in which you run the configuration script. In practice, this means the server on which the backend database is located and the server on which the PEM web application is to be installed, if they're different.

    • To allow the chosen superuser to connect using password authentication, add a line to pg_hba.conf that allows host connections using md5 or scram-sha-256 authentication, for example, host all superusername 127.0.0.1/32 scram-sha-256.

    Note

    If you're using EDB Postgres Advanced Server, see Modifying the pg_hba.conf file.

    If you're using PostgreSQL, see Client Authentication.

  3. Verify that the sslutils extension is installed on your Postgres server. If you're using PostgreSQL or EDB Postgres Extended Server on RHEL/AlmaLinux/Rocky Linux or SLES, you also need to install the hstore contrib module.

    • If you're using EDB Postgres Advanced Server, you can install the sslutils extension as follows, where <x> is the EDB Postgres Advanced server version.

      For RHEL/AlmaLinux/Rocky Linux 8/9:

      dnf install edb-as<x>-server-sslutils

      For Debian/Ubuntu:

      apt install edb-as<x>-server-sslutils

      For SLES:

      zypper install edb-as<x>-server-sslutils
    • If you're using PostgreSQL, you can install the sslutils and, if required, hstore modules as follows, where <x> is the PostgreSQL version.

      For RHEL/AlmaLinux/Rocky Linux 8/9:

      dnf install sslutils_<x> postgresql<x>-contrib

      For Debian/Ubuntu:

      apt install postgresql-<x>-sslutils

      For SLES:

      zypper install sslutils_<x> postgresql<x>-contrib
      
    • If you're using EDB Postgres Extended Server, you can install the sslutils and, if required, hstore modules as follows, where <x> is the EDB Postgres Extended Server version.

      For RHEL/AlmaLinux/Rocky Linux 8/9:

      dnf install edb-postgresextended<x>-sslutils edb-postgresextended<x>-contrib

      For Debian/Ubuntu:

      apt install edb-postgresextended-sslutils-<x>

      For SLES:

      zypper install edb-postgresextended<x>-sslutils edb-postgresextended<x>-contrib
    For Debian and Ubuntu users

    Debian 10 and Ubuntu 20 changed the requirements for accepting certificates.

    • If you want to install the PEM agent on a machine with an old version of sslutils, then you must upgrade sslutils to 1.3. Version 1.3 has a 4096-bit RSA key and sha256 signature algorithm support added to it.
    • If you don't upgrade sslutils to 1.3, then PEM agent might fail to connect to the PEM backend database server, and it might log the error "ca md too weak."
  4. If you're using a firewall, allow access to port 8443 on the server where the PEM web application will be located:

    For RHEL/Rocky Linux/AlmaLinux/SLES:

    firewall-cmd --permanent --zone=public --add-port=8443/tcp
         
    firewall-cmd --reload

    For Debian/Ubuntu:

    iptables -t filter -A INPUT -p TCP --dport 8443 -j ACCEPT
  5. Make sure the components Postgres Enterprise Manager depends on, such as python3, libboost, openssl (1.0.2k or later), snmp++, and libcurl, are up to date on all servers:

    For RHEL/AlmaLinux/Rocky Linux 8:

    dnf upgrade

    For Debian/Ubuntu:

    apt-get update

    For SLES:

    zypper update