# Secure Sharing with CMMC compliance

### FenixPyre On-Prem Secure Sharing Service (CMMC Connector) Setup Guide <a href="#fenixpyre-onprem-secure-sharing-service-cmmc-connector-setup-guide" id="fenixpyre-onprem-secure-sharing-service-cmmc-connector-setup-guide"></a>

This guide helps you set up the **FenixPyre On-Prem Secure Sharing Service**, functioning as a CMMC connector with mandatory TLS encryption.

#### Overview

The FenixPyre On-Prem Secure Sharing Service provides organizations with a robust solution for secure file sharing and storage within their internal network. Designed to meet CMMC (Cybersecurity Maturity Model Certification) standards, it ensures the protection of Controlled Unclassified Information (CUI) by encrypting all data transfers and implementing strict access controls. This guarantees that sensitive data remains securely within the organization's network at all times.

#### Why does the customer need to install this service?

Organizations that handle sensitive information must comply with CMMC standards to ensure the security and confidentiality of their data. This service provides a secure way to store, share, and access files within an organization while meeting compliance requirements.

#### Architecture Overview

Below is a simplified architecture diagram of the service:

<figure><img src="https://cdn.document360.io/020d5947-532e-4bc4-b091-0dbe6e5b5465/Images/Documentation/CMMC%20Architecture%20Diagram.jpg?sv=2022-11-02&#x26;spr=https&#x26;st=2025-01-29T06%3A47%3A31Z&#x26;se=2025-01-29T06%3A57%3A31Z&#x26;sr=c&#x26;sp=r&#x26;sig=1gU65IKdiAM0INgo%2F%2Bvacr3P9ivnEG1KiU9tcN9F4OY%3D" alt=""><figcaption></figcaption></figure>

***

#### Services to be deployed

**FenixPyre On-Prem Sharing Service**

The **FenixPyre On-Prem Sharing Service** is the core component enabling secure file sharing. Designed to operate within a virtual machine (VM) in your network, it bridges communication between the **FenixPyre Windows Agents** and the **FenixPyre Sharing Platform** hosted on our servers.

This service currently supports secure file sharing with specific users, allowing them to decrypt and download shared files while maintaining stringent security measures.

**Key Features**

1. **Private APIs**
   * These APIs are called by the FenixPyre Windows Agents within your network.
   * Default Port: **8080** (configurable).
   * Secured using **mutual TLS (mTLS)** authentication.
   * Must remain accessible only within your internal network.
   * [Learn more about mTLS authentication](https://en.wikipedia.org/wiki/Mutual_authentication).
2. **Public APIs**
   * These APIs are used by external recipients of shared links.
   * Port: **443**
   * Must be publicly exposed to the internet.
   * Secured using **HMAC** and additional authentication techniques.
   * [Learn more about HMAC](https://en.wikipedia.org/wiki/HMAC).

***

**MinIO Service**

MinIO is an open-source, high-performance distributed object storage system. It is utilized for securely storing **Controlled Unclassified Information (CUI)** files within your network, ensuring compliance and robust data security.

***

**PostgreSQL**

PostgreSQL serves as the database backend for the FenixPyre On-Prem Sharing Service. It stores critical file metadata required for the seamless operation of the service, ensuring fast and reliable access to necessary information.

***

#### Prerequisites

1. **Docker & Docker Compose**\
   Docker and Docker Compose must be installed on both VM A and VM B:
   * [Install Docker](https://docs.docker.com/get-docker/)
   * [Install Docker Compose](https://docs.docker.com/compose/install/)
2. **Domains and Certificates**
   * Two DNS entries for `onpremsharing.example.com` (Public API) and `minio.onpremsharing.example.com` (MinIO).
   * TLS certificate from a trusted CA for the public API (e.g., `onpremsharing.example.com`).
   * TLS certificate from a trusted CA for MinIO (e.g., `minio.onpremsharing.example.com`).
   * mTLS certificate for the private API (**provided by FenixPyre support**). *Required for enabling mutual TLS on the private endpoint.*
3. **Database & Storage**
   * PostgreSQL - The default installation command runs the database on the same VM as the FenixPyre On-Prem Sharing Service. You can instead point the configuration at your own PostgreSQL server.
   * MinIO - The default installation runs the object storage on a secondary VM. You can instead point the configuration at your own MinIO server.
4. **System Requirements**\
   We require two VMs (Virtual Machines) to host the services.
   * **VM A (Service Virtual Machine)**: Runs the On-Prem Sharing Service and PostgreSQL.
     * **Operating System**: FIPS mode-enabled Linux distribution
     * **CPU**: At least 2 cores
     * **Memory**: At least 4 GB RAM
     * **Storage**: 20 GB or more
     * **Networking**: Stable connectivity and valid DNS entries
   * **VM B (MinIO Virtual Machine)**: Runs MinIO with TLS. MinIO is a high-performance, distributed object store ideal for storing files securely.
     * **Operating System**: Linux (Docker-supported distribution)
     * **CPU**: At least 2 cores
     * **Memory**: At least 2 GB RAM
     * **Storage**: Sufficient space for stored files (e.g., 50 GB or more)

***

### On-Prem Service Docker Image <a href="#onprem-service-docker-image" id="onprem-service-docker-image"></a>

* **Image:** `datanchorio/fenixpyre-onprem-secure-sharing-service:1.0`

For any versioning or update questions, contact [FenixPyre support](mailto:support@anchormydata.com).

***

### CMMC and FIPS Compliance <a href="#cmmc-and-fips-compliance" id="cmmc-and-fips-compliance"></a>

The FenixPyre On-Prem Secure Sharing Service uses **FIPS validated OpenSSL 3.0.9** for all cryptographic operations, supporting your CMMC compliance efforts. To maintain full FIPS compliance, ensure that the host VM running the On-Prem Sharing Service is configured to operate in FIPS mode and uses FIPS-certified cryptographic libraries. The MinIO VM does not require FIPS mode.

***

### 1. Set Up MinIO (VM B) <a href="#id-1-set-up-minio-vm-b" id="id-1-set-up-minio-vm-b"></a>

1. **Directories**:

   ```bash
   mkdir -p ~/minio/certs/minio
   cd ~/minio
   ```


   Structure:

   ```none
   ~/minio/
   ├── docker-compose.yaml
   └── certs/minio/
       ├── private.key   # MinIO private key
       └── public.crt    # MinIO TLS certificate
   ```

2. **Certificates**:\
   Place your CA-signed TLS certificates for MinIO in `~/minio/certs/minio/`.
3. **docker-compose.yaml (MinIO)**:

   ```yaml
   services:
     minio:
       image: minio/minio
       environment:
         MINIO_ROOT_USER: <your-minio-root-user> # e.g., "minioadmin"
         MINIO_ROOT_PASSWORD: <your-minio-root-password> # e.g., "minioadmin123"
       command: server /data
       ports:
         - "443:9000"   # MinIO serves TLS on 9000 once it finds certs under /root/.minio/certs
       volumes:
         - ./data:/data                      # object data lives in ~/minio/data on the host
         - ./certs/minio:/root/.minio/certs  # private.key and public.crt from step 2
   ```

4. **Start MinIO**:

   ```bash
   docker-compose up -d
   ```


   MinIO is at `https://minio.onpremsharing.example.com`.
5. **MinIO Health Check**:

   ```bash
   curl -k https://minio.onpremsharing.example.com/minio/health/ready
   ```


   An HTTP 200 response indicates MinIO is ready. The `-k` flag skips certificate verification; once the CA-signed certificate is in place, repeat the check without `-k` to confirm TLS is served correctly.

***

### 2. Set Up the On-Prem Sharing Service (VM A) <a href="#id-2-set-up-the-onprem-sharing-service-vm-a" id="id-2-set-up-the-onprem-sharing-service-vm-a"></a>

1. **Directories**:

   ```bash
   mkdir -p ~/onpremsharing/certs/mtls
   mkdir -p ~/onpremsharing/certs/ssl
   cd ~/onpremsharing
   ```


   Structure:

   ```none
   ~/onpremsharing/
   ├── docker-compose.yaml
   ├── config.yaml
   └── certs/
       ├── mtls/
       │   ├── server.crt    # Private API certificate
       │   ├── server.key    # Private API private key
       │   └── ca.crt        # Private API CA certificate
       └── ssl/
           ├── server.crt    # Public API certificate
           └── server.key    # Public API private key
   ```

2. **Certificates**:
   * Place the mTLS certificates (server.crt, server.key, ca.crt) for the private API in `~/onpremsharing/certs/mtls/` (provided by FenixPyre support).
   * Place the public TLS certificates (server.crt, server.key) in `~/onpremsharing/certs/ssl/`.
3. **Tokens and Secrets**\
   To ensure secure communication and authentication, the **FenixPyre On-Prem Sharing Service** requires two tokens to be configured in the `config.yaml` file:
   * **HMAC Secret**
     * Purpose: Authenticates requests from the core sharing service (not the CMMC connector).
     * Recommendation: Use a **10-15 character alphanumeric string** for optimal security.
   * **Sharing Service Token**
     * Purpose: Authenticates requests sent by the CMMC connector to the core sharing service.
     * Recommendation: Use a **10-15 character alphanumeric string** for optimal security.

4. **Edit config.yaml**:\
   Customize `config.yaml` based on your environment:

   ```yaml
   public_port: "443"
   private_port: "8080"
   host_url: "https://onpremsharing.example.com"

   db:
     host: postgres # service name from docker-compose.yaml, e.g., "postgres"
     port: "5432"
     user: <your-postgres-username> # e.g., "postgres-user"
     password: <your-postgres-password> # e.g., "postgres-pass123"
     name: <your-postgres-database> # e.g., "postgres"

   minio:
     endpoint: "minio.onpremsharing.example.com" # e.g., "minio.example.com"
     access_key_id: <your-minio-access-key-id> # e.g., "minioadmin"
     secret_access_key: <your-minio-secret-access-key> # e.g., "minioadmin123"
     bucket_name: <your-bucket-name> # e.g., "secure-files"

   # Certificate paths are resolved inside the container, where docker-compose.yaml
   # mounts ./certs/mtls as /app/mtls/certs and ./certs/ssl as /app/ssl/certs
   certificate:
     cert_file: "mtls/certs/server.crt"
     key_file: "mtls/certs/server.key"
     ca_file: "mtls/certs/ca.crt"

   public_certificate:
     cert_file: "ssl/certs/server.crt"
     key_file: "ssl/certs/server.key"

   connector_domain: <your-connector-domain> # e.g., "orgId"
   sharing_service_token: <your-sharing-service-token> # e.g., "BFA71D52F6586562"
   hmac_secret: <your-hmac-secret> # e.g., "cM-sdfsdfsdmYBYrFw@!G"
   ```

5. **Edit docker-compose.yaml (On-Prem Service)**:

   ```yaml
   services:
     postgres:
       image: postgres:14
       restart: always
       environment:
         POSTGRES_USER: postgres-user
         POSTGRES_PASSWORD: postgres-pass
         POSTGRES_DB: postgres
       ports:
         - "5432:5432"
       volumes:
         - pgdata:/var/lib/postgresql/data

     onprem:
       image: datanchorio/fenixpyre-onprem-secure-sharing-service:1.0
       restart: on-failure
       ports:
         - "8080:8080" # Private API (mTLS)
         - "443:443"   # Public API (TLS)
       volumes:
         - ./config.yaml:/app/config.yaml
         - ./logs/:/app/logs/
         - ./certs/mtls:/app/mtls/certs
         - ./certs/ssl:/app/ssl/certs
       depends_on:
         - postgres

   volumes:
     pgdata:
   ```

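A preflight check for `config.yaml`, added here as an example and not part of FenixPyre's tooling: it assumes the key names and the certificate mount layout shown in this guide's `config.yaml` and `docker-compose.yaml`, and flags the mistakes that most often stop the service from starting with working TLS: unfilled `<...>` placeholders, a non-HTTPS `host_url`, certificate paths written as host paths instead of the container-side `mtls/certs/` and `ssl/certs/` mount targets, and secrets shorter than the recommended length.

```python
import re

PLACEHOLDER = re.compile(r"^<.*>$")  # unfilled "<your-...>" values from the template
# Container-side directories that docker-compose.yaml mounts ./certs/mtls and ./certs/ssl onto
CERT_PREFIX = {"certificate": "mtls/certs/", "public_certificate": "ssl/certs/"}

def _port_ok(value):
    return str(value).isdigit() and 0 < int(value) < 65536

def validate_config(cfg):
    """Return the problems found in a parsed config.yaml; an empty list means it passes."""
    problems = []
    def walk(node, path=""):  # flag any "<your-...>" placeholder left anywhere in the tree
        if isinstance(node, dict):
            for key, val in node.items():
                walk(val, f"{path}{key}.")
        elif isinstance(node, str) and PLACEHOLDER.match(node):
            problems.append(f"{path[:-1]}: placeholder value not replaced")

    walk(cfg)
    for key in ("public_port", "private_port"):
        if not _port_ok(cfg.get(key)):
            problems.append(f"{key}: must be a port number 1-65535")
    if not str(cfg.get("host_url", "")).startswith("https://"):
        problems.append("host_url: must use https:// (TLS is mandatory)")
    # Cert paths are resolved inside the container, so they must sit under the mount targets
    for section, prefix in CERT_PREFIX.items():
        for field, path in cfg.get(section, {}).items():
            if not str(path).startswith(prefix):
                problems.append(f"{section}.{field}: expected a path under {prefix}")
    for key in ("sharing_service_token", "hmac_secret"):
        if len(str(cfg.get(key, ""))) < 10:  # the guide recommends 10-15 characters
            problems.append(f"{key}: use at least 10 characters")
    return problems

# Constructed sample modelled on the guide's config.yaml, seeded with four mistakes
SAMPLE = {
    "public_port": "443", "private_port": "8080", "connector_domain": "orgId",
    "host_url": "http://onpremsharing.example.com",  # mistake: plain http
    "db": {"host": "postgres", "port": "5432", "user": "u", "password": "p", "name": "postgres"},
    "minio": {"endpoint": "minio.onpremsharing.example.com", "bucket_name": "secure-files",
              "access_key_id": "<your-minio-access-key-id>", "secret_access_key": "s"},  # mistake
    "certificate": {"cert_file": "certs/mtls/server.crt",  # mistake: host path, not container path
                    "key_file": "mtls/certs/server.key", "ca_file": "mtls/certs/ca.crt"},
    "public_certificate": {"cert_file": "ssl/certs/server.crt", "key_file": "ssl/certs/server.key"},
    "sharing_service_token": "BFA71D52F6586562", "hmac_secret": "short",  # mistake: too short
}

if __name__ == "__main__":
    print("\n".join(validate_config(SAMPLE)) or "no problems found")
```

With PyYAML installed, run it against a real file with `validate_config(yaml.safe_load(open("config.yaml")))` before starting the containers.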

***

### 3. Starting the Service <a href="#id-3-starting-the-service" id="id-3-starting-the-service"></a>

**Foreground Mode**:

```bash
cd ~/onpremsharing
docker compose up
```


**Detached Mode**:

```bash
cd ~/onpremsharing
docker compose up -d
```


#### Check Containers

For VM A:

* `postgres`
* `onprem`

For VM B:

* `minio`

Verify all expected containers are up and running using `docker ps`.

***

### 4. Verification (Health Checks) <a href="#id-4-verification-health-checks" id="id-4-verification-health-checks"></a>

Health checks ensure the services are running and accessible:

**Public API Health Check**:

```bash
curl -k https://onpremsharing.example.com/health
```


A response like `{"status":"OK"}` indicates the public API is running.

**Private API Health Check (mTLS)**:\
To test the private API, you need the client certificate and key provided by FenixPyre support:

```bash
curl -k --cert client.crt --key client.key --location https://[PRIVATE_IP]:8080/health \
  --header 'd-org-id: test' \
  --header 'd-user-id: test' \
  --header 'd-agent-id: test'
```


If `{"status":"OK"}` is returned, the private API is accessible with proper mTLS credentials.

***

### Integration Details from the Client <a href="#integration-details-from-the-client" id="integration-details-from-the-client"></a>

To set up the integration on our side, we require the following details from the client:

1. **HMAC Secret**:\
   Used to authenticate requests coming from our core sharing service (not the CMMC connector).
2. **Sharing Service Token**:\
   Used to authenticate requests sent by the CMMC connector to the core sharing service.
3. **Private URL (IP:Port)**:\
   The internal/private endpoint of the on-prem sharing service (e.g., `10.0.0.5:8080`).
4. **Public URL (Domain)**:\
   The external, domain-based endpoint of the on-prem sharing service (e.g., `https://onpremsharing.example.com`).

Providing these details ensures secure and proper integration between the on-prem sharing service and our core sharing service.

