Skip to main content
SaltStack Support

Enterprise Installation: Manual Install on RedHat

These instructions walk you through installing Enterprise API without using the installation states. These instructions are intended for advanced users who need granular control over the installation process, and who are familiar with PostgreSQL and Redis database configuration.

The steps below are confirmed for a standalone deployment of SaltStack Enterprise (where all related services reside on a single host). As an advanced user, you will likely adapt these instructions to your deployment. If you are not an advanced user, consider using the deployment states provided by installer. See Use the installer.

SaltStack Enterprise requires a PostgreSQL 9.5 or 9.6 database. PostgreSQL 9.6 is recommended. PostgreSQL 10 is not supported.

Red Hat Enterprise Linux 7/CentOS 7

Step 1: PostgreSQL database installation and configuration

  1. Install PostgreSQL.
# run one of these commands based on your OS
Red Hat
sudo wget

sudo wget

# run all of these commands
sudo yum install pgdg-*.noarch.rpm
sudo yum update
sudo yum install postgresql96-server
sudo yum install postgresql96-contrib
sudo /usr/pgsql-9.6/bin/postgresql96-setup initdb
  1. Update the pg_hba.conf file as needed to enable connections from your SaltStack Enterprise server. Optionally, enable ssl.

  2. Start PostgreSQL and create a database account for Enterprise API, for example:
sudo systemctl enable postgresql-9.6
sudo systemctl start postgresql-9.6
sudo su - postgres -c 'createuser -s -P salt_eapi'
# This account has Superuser privileges so that
# various extensions my be installed.
# After initial deployment the Superuser privilege
# may be removed.

Step 2: Redis installation and configuration

  1. Download the Redis and jemalloc installation packages for RH/CentOS that are provided in the download section.
sudo yum install redis40u-4.0.11-1.ius.el7.x86_64.rpm jemalloc-3.6.0-1.el7.x86_64.rpm
  1. Optional: Update configuration

If you are setting up Redis on a host that is separate from the SaltStack Enterprise Server, you will need to configure Redis to accept remote connections and to limit access using a password. To do this, update the /etc/redis.conf file, specifying the bind parameter and setting the password that your SaltStack Enterprise servers should use to authenticate.

  1. Start the Redis service
sudo systemctl enable redis
sudo systemctl start redis

Step 3: SaltStack Enterprise installation and configuration

  1. Download the Python3.5 and libpython3.5 installation packages for RH/CentOS that are provided in the download section.
sudo yum install python35u-libs-3.5.4-1.*.rpm python35u-3.5.4-1.*.rpm
  1. Download and install the Red Hat/CentOS SaltStack Enterprise RPM.
sudo yum install raas-6.0.1+3.el7.x86_64.rpm
  1. Update RaaS Configuration File.


Update the sql configuration to provide the host, port, and the username and password created in the previous section. If you plan to use SSL, set ssl to True.

  dialect: postgresql
  username: salt_eapi
  password: abc123
  host: localhost
  port: 5432
  driver: psycopg2
  ssl: false

Optional: To avoid saving passwords in files:

Define options for background workers.

  combined_process: True
  max_tasks: 100000
  max_memory: 1048576
SaltStack Enterprise includes a range of different background worker settings to improve performance for various deployment scenarios. For more on customizing background worker settings, see Background Worker Options.

Configure the location of your Redis server.

  url: redis://<Redis_IP>:6379

Optional: To avoid saving passwords in files:

  •  Use this alternate URL configuration.
      url: ENV 
  • Then in your environment, set the corresponding variable REDIS_URL.

    For example:


    Redis database numbers are automatically appended to the end of the URL since different databases are used for different purposes (caching, queueing, result storage).

  1. Start the Enterprise API service.
    • Create and set permissions for the certificate folder for raas.
      sudo mkdir /etc/raas/pki
      sudo chown raas:raas /etc/raas/pki
      sudo chmod 750 /etc/raas/pki
    • Generate keys for raas using salt, or provide your own.
      sudo salt-call --local tls.create_self_signed_cert tls_dir=raas
      sudo chown raas:raas /etc/pki/raas/certs/localhost.crt
      sudo chown raas:raas /etc/pki/raas/certs/localhost.key
      sudo chmod 400 /etc/pki/raas/certs/localhost.crt
      sudo chmod 400 /etc/pki/raas/certs/localhost.key
    • Enable the raas service at system startup and launch the service.
      sudo systemctl enable raas
      sudo systemctl start raas
  1. Confirm that you can connect to the web console in a web browser.

Enable SSL on Red Hat Enterprise Linux 7/CentOS 7 (optional)

  1. Install pyOpenSSL.
    For instructions on how to update SSL certificates for SaltStack Enterprise, see this article.
Red Hat/CentOS
sudo yum install pyOpenSSL
  1. Enable SSL.

To enable SSL connections to Enterprise Console, generate a PEM-encoded SSL certificate or ensure that you have access to an existing PEM-encoded certificate. Save the .crt and .key files to /etc/pki/raas/certs.

  1. Update RaaS Configuration

Open /etc/raas/raas in a text editor and configure the following values (replace <filename> with your certificate filename).

tls_crt: /etc/pki/raas/certs/<filename>.crt
tls_key: /etc/pki/raas/certs/<filename>.key
port: 443

  ssl: True
  1. Restart the Enterprise API service.
sudo systemctl restart raas
  1. Verify the Enterprise API is running.
sudo systemctl status raas
  1. Confirm that you can connect to the web console in a web browser.

Install Salt Master plugin

  1. Log in to your Salt Master.

  2. Download the Salt Master plugin Egg file.

  3. Install the plugin (requires Python setuptools).
sudo easy_install-2.7 SSEAPE-6.0.1+3-py2.7.egg
  1. Verify the /etc/salt/master.d directory exists. If it doesn’t, create it.
  2. Generate the master configuration settings.
sudo sseapi-config --all > /etc/salt/master.d/raas.conf
  1. Edit the generated raas.conf file to update the following values:
  • sseapi_ssl_validate_cert - Validates the certificate that Enterprise API uses. The default is True. If you are using your own CA-issued certificates, set this value to True and configure the sseapi_ssl_casseapi_ssl_cert, and sseapi_ssl_cert: settings. Otherwise set this to False to not validate the certificate.
sseapi_ssl_validate_cert: False
  • sseapi_ssl_ca - The path to a CA file.
  • sseapi_ssl_cert - The path to the certificate. The default value is/etc/pki/raas/certs/localhost.crt.
  • sseapi_ssl_key - The path to the certificate’s private key. The default value is /etc/pki/raas/certs/localhost.key.
  • id - Comment this line out by adding a # at the beginning. It is not required.
  • sseapi_server - HTTP IP address of of your SaltStack Enterprise server, for example,, or if SSL is enabled.
  1. Restart the Salt Master.
sudo systemctl restart salt-master

After a minute or two the Salt Master and its Minions appear in Enterprise Console.

Deploy your license key

When deploying a SaltStack Enterprise server, you will need to add your license key to the /etc/raas folder. Upon doing so, you will need to set the ownership of this file to raas user, as follows:

sudo chown raas:raas /etc/raas/raas.license
sudo chmod 400 /etc/raas/raas.license
  • Was this article helpful?