✨Secure Sharing with CMMC compliance

This guide helps you set up the FenixPyre On-Prem Secure Sharing Service, functioning as a CMMC connector with mandatory TLS encryption.

Overview

The FenixPyre On-Prem Secure Sharing Service provides organizations with a robust solution for secure file sharing and storage within their internal network. Designed to meet CMMC (Cybersecurity Maturity Model Certification) standards, it ensures the protection of Controlled Unclassified Information (CUI) by encrypting all data transfers and implementing strict access controls. This guarantees that sensitive data remains securely within the organization's network at all times.

Why does the customer need to install this service?

Organizations that handle sensitive information must comply with CMMC standards to ensure the security and confidentiality of their data. This service provides a secure way to store, share, and access files within an organization while meeting compliance requirements.

Architecture Overview

Below is a simple architecture of the service:

Services to be deployed

FenixPyre On-Prem Sharing Service

The FenixPyre On-Prem Sharing Service is the core component enabling secure file sharing. Designed to operate within a virtual machine (VM) in your network, it bridges communication between the FenixPyre Windows Agents and the FenixPyre Sharing Platform hosted on our servers.

This service currently supports secure file sharing with specific users, allowing them to decrypt and download shared files while maintaining stringent security measures.

Key Features

Private APIs
- These APIs facilitate communication between the FenixPyre Windows Agents within your network.
- Default Port: 8080 (configurable).
- Secured using mutual TLS (mTLS) authentication.
- Must remain accessible only within your internal network.
- Learn more about mTLS authentication.
Public APIs
- These APIs are used by external recipients of shared links.
- Port: 443
- Must be publicly exposed to the internet.
- Secured using HMAC and additional authentication techniques.
- Learn more about HMAC.

MinIO Service

MinIO is an open-source, high-performance distributed object storage system. It is utilized for securely storing Controlled Unclassified Information (CUI) files within your network, ensuring compliance and robust data security.

PostgreSQL

PostgreSQL serves as the database backend for the FenixPyre On-Prem Sharing Service. It stores critical file metadata required for the seamless operation of the service, ensuring fast and reliable access to necessary information.

Prerequisites

Docker & Docker Compose Docker and Docker Compose must be installed on both VM A and VM B:
- Install Docker
- Install Docker Compose
Domains and Certificates
- Two DNS entries for onpremsharing.example.com (Public API) and minio.onpremsharing.example.com (MinIO).
- TLS certificate from a trusted CA for the public API (e.g., onpremsharing.example.com).
- TLS certificate from a trusted CA for MinIO (e.g., minio.onpremsharing.example.com).
- mTLS certificate for the private API (provided by FenixPyre support). Required for enabling mutual TLS on the private endpoint.
Database & Storage
- PostgreSQL - The default installation command installs the database in the same VM as FenixPyre On Prem Sharing Service. You can also provide your PostgreSQL server details to the configuration too.
- MinIO - The default installation installs the storage in a secondary VM. You can also provide details to your MinIO server in the configuration too.
System Requirements We require two VMs (Virtual Machines) to host the services.

VM A (Service Virtual Machine): Runs the On-Prem Sharing Service and PostgreSQL.
- Operating System: FIPS mode-enabled Linux distribution
- CPU: At least 2 cores
- Memory: At least 4 GB RAM
- Storage: 20 GB or more
- Networking: Stable connectivity and valid DNS entries
VM B (MinIO Virtual Machine): Runs MinIO with TLS. MinIO is a high-performance, distributed object store ideal for storing files securely.
- Operating System: Linux (Docker-supported distribution)
- CPU: At least 2 cores
- Memory: At least 2 GB RAM
- Storage: Sufficient space for stored files (e.g., 50 GB or more)

On-Prem Service Docker Image

Image: datanchorio/fenixpyre-onprem-secure-sharing-service:1.0

For any versioning or update questions, contact FenixPyre support.

CMMC and FIPS Compliance

The FenixPyre On-Prem Secure Sharing Service uses FIPS validated OpenSSL 3.0.9 for all cryptographic operations, supporting your CMMC compliance efforts. To maintain full FIPS compliance, ensure that the host VM running the On-Prem Sharing Service is configured to operate in FIPS mode and uses FIPS-certified cryptographic libraries. The MinIO VM does not require FIPS mode.

1. Set Up MinIO (VM B)

Directories:

mkdir -p ~/minio/certs/minio
cd ~/minio

BashCopy

Structure:

~/minio/
├── docker-compose.yaml
├── certs/minio/
    ├── private.key   # MinIO private key
    ├── public.crt    # MinIO TLS certificate

Plain textCopy

Certificates: Place your CA-signed TLS certificates for MinIO in ~/minio/certs/minio/.

docker-compose.yaml (MinIO):

services:
  minio:
    image: minio/minio
    environment:
         MINIO_ROOT_USER: <your-minio-root-user> # e.g., "minioadmin"
         MINIO_ROOT_PASSWORD: <your-minio-root-password> # e.g., "minioadmin123"
    command: server /data
    ports:
      - "443:9000"
    volumes:
      - ./data:/data
      - ./certs/minio:/root/.minio/certs

volumes:
  minio-data:

YAMLCopy

Start MinIO:
```
docker-compose up -d
```
BashCopy
MinIO is at https://minio.onpremsharing.example.com.
MinIO Health Check:
```
curl -k https://minio.onpremsharing.example.com/minio/health/ready
```
BashCopy
A 200 OK indicates MinIO is healthy.

Directories:

mkdir -p ~/onpremsharing/certs/mtls
mkdir -p ~/onpremsharing/certs/ssl
cd ~/onpremsharing

BashCopy

Structure:

~/onpremsharing/
├── docker-compose.yaml
├── config.yaml
└── certs/
    ├── mtls/
    │   ├── server.crt    # Private API certificate
    │   ├── server.key    # Private API private key
    │   ├── ca.crt        # Private API CA certificate
    ├── ssl/
    │   ├── server.crt    # Public API certificate
    │   ├── server.key    # Public API private key

Plain textCopy

Certificates:
- Place the mTLS certificates (server.crt, server.key, ca.crt) for the private API in ~/onpremsharing/certs/mtls/ (provided by FenixPyre support).
- Place the public TLS certificates (server.crt, server.key) in ~/onpremsharing/certs/ssl/.
Tokens and Secrets To ensure secure communication and authentication, the FenixPyre On-Prem Sharing Service requires two tokens to be configured in the config.yaml file:

HMAC Secret
- Purpose: Authenticates requests from the core sharing service (not the CMMC connector).
- Recommendation: Use a 10-15 character alphanumeric string for optimal security.
Sharing Service Token
- Purpose: Authenticates requests sent by the CMMC connector to the core sharing service.
- Recommendation: Use a 10-15 character alphanumeric string for optimal security.

Edit config.yaml: Customize config.yaml based on your environment:

public_port: "443"
private_port: "8080"
host_url: "https://onpremsharing.example.com"

db:
 host: postgres # e.g.,"postgres"
 port: "5432"
 user: <your-postgres-username> # e.g., "postgres-user"
 password: <your-postgres-password> # e.g., "postgres-pass123"
 name: <your-postgres-database> # e.g., "postgres"

minio:
 endpoint: "minio.onpremsharing.example.com" # e.g.,     "minio.example.com"
 access_key_id: <your-minio-access-key-id> # e.g., "minioadmin"
 secret_access_key: <your-minio-secret-access-key> # e.g., "minioadmin123"
 bucket_name: <your-bucket-name> # e.g., "secure-files"


certificate:
  cert_file: "mtls/certs/server.crt"
  key_file: "mtls/certs/server.key"
  ca_file: "mtls/certs/ca.crt"

public_certificate:
  cert_file: "ssl/certs/server.crt"
  key_file: "ssl/certs/server.key"
connector_domain: <your-connector-domain> # e.g., "orgId"
sharing_service_token: <your-sharing-service-token> # e.g., "BFA71D52F6586562"
hmac_secret: <your-hmac-secret> # e.g., "cM-sdfsdfsdmYBYrFw@!G"

YAMLCopy

Edit docker-compose.yaml (On-Prem Service):

services:
  postgres:
    image: postgres:14
    restart: always
    environment:
      POSTGRES_USER: postgres-user
      POSTGRES_PASSWORD: postgres-pass
      POSTGRES_DB: postgres
    ports:
      - "5432:5432"
    volumes:
      - pgdata:/var/lib/postgresql/data

  onprem:
    image: datanchorio/fenixpyre-onprem-secure-sharing-service:1.0
    restart: on-failure
    ports:
      - "8080:8080" # Private API (mTLS)
      - "443:443"   # Public API (TLS)
    volumes:
      - ./config.yaml:/app/config.yaml
      - ./logs/:/app/logs/
      - ./certs/mtls:/app/mtls/certs
      - ./certs/ssl:/app/ssl/certs
    depends_on:
      - postgres

volumes:
  pgdata:

YAMLCopy

3. Starting the Service

Foreground Mode:

cd ~/onpremsharing
docker compose up

BashCopy

Detached Mode:

cd ~/onpremsharing
docker compose up -d

BashCopy

Check Containers

For VM A:

postgres
onprem

For VM B:

minio

Verify all expected containers are up and running using docker ps.

4. Verification (Health Checks)

Health checks ensure the services are running and accessible:

Public API Health Check:

curl -k https://onpremsharing.example.com/health

BashCopy

A response like {"status":"OK"} indicates the public API is running.

Private API Health Check (mTLS): To test the private API, you need the client certificate and key provided by FenixPyre support:

curl -k --cert client.crt --key client.key  --location https://[PRIVATE_IP]:8080/health --header 'd-org-id: test' \
--header 'd-user-id: test' \
--header 'd-agent-id: test'

BashCopy

If {"status":"OK"} is returned, the private API is accessible with proper mTLS credentials.

Integration Details from the Client

To set up the integration on our side, we require the following details from the client:

HMAC Secret: Used to authenticate requests coming from our core sharing service (not the CMMC connector).
Sharing Service Token: Used to authenticate requests sent by the CMMC connector to the core sharing service.
Private URL (IP:Port): The internal/private endpoint of the on-prem sharing service (e.g., 10.0.0.5:8080).
Public URL (Domain): The external, domain-based endpoint of the on-prem sharing service (e.g., https://onpremsharing.example.com).

Providing these details ensures secure and proper integration between the on-prem sharing service and our core sharing service.

Last updated 1 year ago

Was this helpful?

hashtagFenixPyre On-Prem Secure Sharing Service (CMMC Connector) Setup Guide

hashtagOverview

hashtagWhy does the customer need to install this service?

hashtagArchitecture Overview

hashtagServices to be deployed

hashtagPrerequisites

hashtagOn-Prem Service Docker Image

hashtagCMMC and FIPS Compliance

hashtag1. Set Up MinIO (VM B)

hashtag2. Set Up the On-Prem Sharing Service (VM A)

hashtag3. Starting the Service

hashtagCheck Containers

hashtag4. Verification (Health Checks)

hashtagIntegration Details from the Client

FenixPyre On-Prem Secure Sharing Service (CMMC Connector) Setup Guide

Overview

Why does the customer need to install this service?

Architecture Overview

Services to be deployed

Prerequisites

On-Prem Service Docker Image

CMMC and FIPS Compliance

1. Set Up MinIO (VM B)

2. Set Up the On-Prem Sharing Service (VM A)

3. Starting the Service

Check Containers

4. Verification (Health Checks)

Integration Details from the Client