Secure Sharing with CMMC compliance
FenixPyre On-Prem Secure Sharing Service (CMMC Connector) Setup Guide
This guide helps you set up the FenixPyre On-Prem Secure Sharing Service, functioning as a CMMC connector with mandatory TLS encryption.
Overview
The FenixPyre On-Prem Secure Sharing Service provides organizations with a robust solution for secure file sharing and storage within their internal network. Designed to meet CMMC (Cybersecurity Maturity Model Certification) standards, it ensures the protection of Controlled Unclassified Information (CUI) by encrypting all data transfers and implementing strict access controls. This guarantees that sensitive data remains securely within the organization's network at all times.
Why does the customer need to install this service?
Organizations that handle sensitive information must comply with CMMC standards to ensure the security and confidentiality of their data. This service provides a secure way to store, share, and access files within an organization while meeting compliance requirements.
Architecture Overview
Below is a simple architecture of the service:

Services to be deployed
FenixPyre On-Prem Sharing Service
The FenixPyre On-Prem Sharing Service is the core component enabling secure file sharing. Designed to operate within a virtual machine (VM) in your network, it bridges communication between the FenixPyre Windows Agents and the FenixPyre Sharing Platform hosted on our servers.
This service currently supports secure file sharing with specific users, allowing them to decrypt and download shared files while maintaining stringent security measures.
Key Features
Private APIs
These APIs carry traffic from the FenixPyre Windows Agents inside your network to the service.
Default Port: 8080 (configurable).
Secured using mutual TLS (mTLS) authentication.
Must remain accessible only within your internal network.
Public APIs
These APIs are used by external recipients of shared links.
Port: 443
Must be publicly exposed to the internet.
Secured using HMAC and additional authentication techniques.
MinIO Service
MinIO is an open-source, high-performance distributed object storage system. It is utilized for securely storing Controlled Unclassified Information (CUI) files within your network, ensuring compliance and robust data security.
PostgreSQL
PostgreSQL serves as the database backend for the FenixPyre On-Prem Sharing Service. It stores critical file metadata required for the seamless operation of the service, ensuring fast and reliable access to necessary information.
Prerequisites
Docker & Docker Compose: Docker and Docker Compose must be installed on both VM A and VM B.
Domains and Certificates
Two DNS entries: onpremsharing.example.com (Public API) and minio.onpremsharing.example.com (MinIO).
TLS certificate from a trusted CA for the public API (e.g., onpremsharing.example.com).
TLS certificate from a trusted CA for MinIO (e.g., minio.onpremsharing.example.com).
mTLS certificate for the private API (provided by FenixPyre support); required for enabling mutual TLS on the private endpoint.
Database & Storage
PostgreSQL - The default installation command installs the database on the same VM as the FenixPyre On-Prem Sharing Service. Alternatively, you can point the configuration at your own PostgreSQL server.
MinIO - The default installation places the object storage on a secondary VM. Alternatively, you can point the configuration at your own MinIO server.
System Requirements: Two VMs (virtual machines) are required to host the services.
VM A (Service Virtual Machine): Runs the On-Prem Sharing Service and PostgreSQL.
Operating System: FIPS mode-enabled Linux distribution
CPU: At least 2 cores
Memory: At least 4 GB RAM
Storage: 20 GB or more
Networking: Stable connectivity and valid DNS entries
VM B (MinIO Virtual Machine): Runs MinIO with TLS. MinIO is a high-performance, distributed object store ideal for storing files securely.
Operating System: Linux (Docker-supported distribution)
CPU: At least 2 cores
Memory: At least 2 GB RAM
Storage: Sufficient space for stored files (e.g., 50 GB or more)
On-Prem Service Docker Image
Image:
datanchorio/fenixpyre-onprem-secure-sharing-service:1.0
For any versioning or update questions, contact FenixPyre support.
CMMC and FIPS Compliance
The FenixPyre On-Prem Secure Sharing Service uses FIPS-validated OpenSSL 3.0.9 for all cryptographic operations, supporting your CMMC compliance efforts. To maintain full FIPS compliance, ensure that the host VM running the On-Prem Sharing Service is configured to operate in FIPS mode and uses FIPS-validated cryptographic libraries. The MinIO VM does not require FIPS mode.
1. Set Up MinIO (VM B)
Directories:
Structure:
Certificates: Place your CA-signed TLS certificates for MinIO in ~/minio/certs/minio/.
docker-compose.yaml (MinIO):
Start MinIO:
MinIO is at https://minio.onpremsharing.example.com.
MinIO Health Check:
A 200 OK indicates MinIO is healthy.
2. Set Up the On-Prem Sharing Service (VM A)
Directories:
Structure:
Certificates:
Place the mTLS certificates (server.crt, server.key, ca.crt) for the private API, provided by FenixPyre support, in ~/onpremsharing/certs/mtls/.
Place the public TLS certificates (server.crt, server.key) in ~/onpremsharing/certs/ssl/.
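Before starting the service it is worth confirming that the material in these two directories is what the service, the agents and external browsers will accept: that each server.key belongs to its server.crt, that the public certificate's subjectAltName covers onpremsharing.example.com, that nothing is about to expire, and that the mTLS server certificate verifies against ca.crt. The script below is an added example for this guide, not FenixPyre tooling; it uses only the openssl command-line tool, and the 30-day expiry margin is an arbitrary choice. The same checks apply to the MinIO certificate on VM B with minio.onpremsharing.example.com as the name.

```bash
#!/usr/bin/env bash
# Pre-flight checks for the certificate material under ~/onpremsharing/certs/
# (and ~/minio/certs/minio/ on VM B). Added example for this guide, not
# FenixPyre tooling; it only needs the openssl command-line tool.
set -u

# 0 if the private key belongs to the certificate (same public key).
cert_key_match() {   # cert_key_match CRT KEY
  local crt=$1 key=$2 c k
  [ -r "$crt" ] && [ -r "$key" ] || return 1
  c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256) || return 1
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256) || return 1
  [ "$c" = "$k" ]
}

# 0 if the certificate's subjectAltName carries exactly DNS:NAME.
# curl and browsers match the SAN, not the CN, so a certificate that only
# has CN=onpremsharing.example.com fails TLS verification.
cert_has_san() {     # cert_has_san CRT NAME
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# 0 if the certificate is still valid DAYS days from now (default 30).
cert_not_expiring() {  # cert_not_expiring CRT [DAYS]
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# 0 if the certificate chains to the CA in CAFILE. For the private API the
# service checks this about each agent's client certificate and the agents
# check it about server.crt, so both must verify against ca.crt.
cert_chains_to() {   # cert_chains_to CRT CAFILE
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run the checks for one certificate directory; one line per check.
# Returns non-zero if any check failed.
preflight() {        # preflight DIR DNSNAME [CAFILE]
  local dir=$1 name=$2 ca=${3:-} rc=0
  cert_key_match "$dir/server.crt" "$dir/server.key" \
    && echo "ok   $dir: server.key matches server.crt" \
    || { echo "FAIL $dir: server.key does not match server.crt"; rc=1; }
  cert_has_san "$dir/server.crt" "$name" \
    && echo "ok   $dir: SAN covers $name" \
    || { echo "FAIL $dir: no DNS:$name in subjectAltName"; rc=1; }
  cert_not_expiring "$dir/server.crt" 30 \
    && echo "ok   $dir: valid for at least 30 days" \
    || { echo "FAIL $dir: expires within 30 days (or is already expired)"; rc=1; }
  if [ -n "$ca" ]; then
    cert_chains_to "$dir/server.crt" "$ca" \
      && echo "ok   $dir: chains to $ca" \
      || { echo "FAIL $dir: does not verify against $ca"; rc=1; }
  fi
  return $rc
}

# Typical use on VM A with the paths from this guide. For the mTLS directory,
# pass the name FenixPyre support issued the private server.crt for.
#   preflight ~/onpremsharing/certs/ssl  onpremsharing.example.com
#   preflight ~/onpremsharing/certs/mtls <private-api-name> ~/onpremsharing/certs/mtls/ca.crt
```

Run it with the directory, the DNS name the endpoint is reached by and, for the mTLS directory, the ca.crt from support; a FAIL line on the SAN check is the usual cause of "certificate verify failed" from agents and browsers later on.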
Tokens and Secrets: To ensure secure communication and authentication, the FenixPyre On-Prem Sharing Service requires two tokens to be configured in the config.yaml file:
HMAC Secret
Purpose: Authenticates requests from the core sharing service (not the CMMC connector).
Recommendation: Use a randomly generated alphanumeric string of at least 10-15 characters. Generate it with a cryptographically secure random source rather than choosing it by hand, and treat it like a password: do not reuse it elsewhere or commit config.yaml to source control.
Sharing Service Token
Purpose: Authenticates requests sent by the CMMC connector to the core sharing service.
Recommendation: Same as for the HMAC Secret, and use a different value from it.
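Both values should come from a cryptographically secure random source. The script below is an added example for this guide, not FenixPyre code: it generates alphanumeric tokens from /dev/urandom, checks them against the length and character-set recommendation, and shows what an HMAC secret is actually for, namely a keyed signature over a request that the receiver recomputes and compares. The signed fields, the 300-second replay window and the printed key names are illustrative assumptions, not the FenixPyre wire format or config.yaml schema.

```bash
#!/usr/bin/env bash
# Generate the two config.yaml secrets with a CSPRNG and show how an HMAC
# secret is used: keyed signatures over requests that the receiver can
# recompute. Added example for this guide, not FenixPyre code. The signed
# fields (timestamp, method, path, body) and the 300 s replay window are
# assumptions chosen to illustrate the technique, not FenixPyre's wire format.
set -u

# Random alphanumeric token of LEN characters (default 32). /dev/urandom is the
# kernel CSPRNG; tr keeps only [A-Za-z0-9] so the value pastes cleanly into YAML.
gen_token() {        # gen_token [LEN]
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
}

# 0 if TOKEN is alphanumeric and at least MIN characters long (default 15).
token_ok() {         # token_ok TOKEN [MIN]
  local tok=$1 min=${2:-15}
  [ "${#tok}" -ge "$min" ] && printf '%s' "$tok" | LC_ALL=C grep -Eq '^[A-Za-z0-9]+$'
}

# HMAC-SHA256 of MSG under KEY as lowercase hex (last field of openssl's output).
hmac_sha256() {      # hmac_sha256 KEY MSG
  printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
}

# Canonical string to sign: one field per line, so METHOD "/a" BODY "b" cannot
# be confused with METHOD "/ab" BODY "" by a caller who controls path or body.
sign_request() {     # sign_request SECRET TS METHOD PATH BODY
  hmac_sha256 "$1" "$(printf '%s\n%s\n%s\n%s' "$2" "$3" "$4" "$5")"
}

# 0 if SIG is the correct signature and TS lies within the last 300 seconds.
# NOW defaults to the current time; it is a parameter so the check is testable.
# A real server must compare signatures with a constant-time routine; shell
# string comparison is not one, so this is for illustration only.
verify_request() {   # verify_request SECRET TS METHOD PATH BODY SIG [NOW]
  local secret=$1 ts=$2 method=$3 path=$4 body=$5 sig=$6 now=${7:-$(date +%s)}
  local age expect
  age=$(( now - ts ))
  [ "$age" -ge 0 ] && [ "$age" -le 300 ] || return 1
  expect=$(sign_request "$secret" "$ts" "$method" "$path" "$body")
  [ "$expect" = "$sig" ]
}

# "gen" prints two fresh values; the labels are the guide's names for them,
# not config.yaml keys.
case "${1:-}" in
  gen) echo "HMAC Secret: $(gen_token 32)"
       echo "Sharing Service Token: $(gen_token 32)" ;;
esac
```

Run it as `bash gen-secrets.sh gen` to print two fresh values. The timestamp in the signed string is what stops a captured request from being replayed after the window closes; a signature over the body alone would not.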
Edit config.yaml: Customize config.yaml based on your environment:
Edit docker-compose.yaml (On-Prem Service):
3. Starting the Service
Foreground Mode:
Detached Mode:
Check Containers
For VM A:
postgresonprem
For VM B:
minio
Verify all expected containers are up and running using docker ps.
4. Verification (Health Checks)
Health checks ensure the services are running and accessible:
Public API Health Check:
A response like {"status":"OK"} indicates the public API is running.
Private API Health Check (mTLS): To test the private API, you need the client certificate and key provided by FenixPyre support:
If {"status":"OK"} is returned, the private API is accessible with proper mTLS credentials.
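The three checks above can be wrapped in one script, together with a negative check that matters for the private API: it must refuse a client that presents no certificate, otherwise mTLS is not actually enforced. This is an added example for this guide, not FenixPyre tooling. The hostnames, the mTLS file names and the 10.0.0.5:8080 private address are the ones used in this guide; the /health path and the client.crt/client.key names for the support-issued client certificate are assumptions, and /minio/health/live is MinIO's own liveness endpoint. The pass/fail decision is separated from curl so it can be exercised without a network.

```bash
#!/usr/bin/env bash
# Health checks for the three endpoints in this guide, run from a host that
# can reach all of them. Added example for this guide, not FenixPyre tooling.
# Assumptions not stated in the guide: the health endpoints live at HEALTH_PATH
# (default /health) and the support-issued client certificate is stored as
# client.crt/client.key next to ca.crt.
set -u

PUBLIC_HOST=${PUBLIC_HOST:-onpremsharing.example.com}
MINIO_HOST=${MINIO_HOST:-minio.onpremsharing.example.com}
PRIVATE_ADDR=${PRIVATE_ADDR:-10.0.0.5:8080}            # private URL (IP:Port) from the guide
HEALTH_PATH=${HEALTH_PATH:-/health}                    # assumed
MTLS_DIR=${MTLS_DIR:-$HOME/onpremsharing/certs/mtls}

# Pull the "status" value out of a small JSON body such as {"status":"OK"}.
json_status() {       # json_status BODY
  printf '%s' "$1" | sed -n 's/.*"status" *: *"\([^"]*\)".*/\1/p'
}

# Decide pass/fail from an HTTP status code and body; prints one line.
# MinIO's liveness probe answers 200 with an empty body, the FenixPyre
# endpoints answer {"status":"OK"}; any other status value is a failure.
evaluate_result() {   # evaluate_result NAME CODE BODY
  local name=$1 code=$2 body=$3
  if [ "$code" != 200 ]; then
    echo "FAIL $name: HTTP $code"; return 1
  fi
  if [ -n "$body" ] && [ "$(json_status "$body")" != OK ]; then
    echo "FAIL $name: unexpected body: $body"; return 1
  fi
  echo "ok   $name"
}

# Fetch URL with any extra curl options, then judge code and body.
# -w appends the status code on its own line after the body.
check_endpoint() {    # check_endpoint NAME URL [curl options...]
  local name=$1 url=$2 out code body
  shift 2
  out=$(curl -sS --max-time 10 -w '\n%{http_code}' "$@" "$url" 2>/dev/null) \
    || { echo "FAIL $name: connection or TLS error"; return 1; }
  code=$(printf '%s\n' "$out" | tail -n 1)
  body=$(printf '%s\n' "$out" | sed '$d')
  evaluate_result "$name" "$code" "$body"
}

minio_check()   { check_endpoint minio  "https://$MINIO_HOST/minio/health/live"; }
public_check()  { check_endpoint public "https://$PUBLIC_HOST$HEALTH_PATH"; }
private_check() {
  check_endpoint private "https://$PRIVATE_ADDR$HEALTH_PATH" \
    --cert "$MTLS_DIR/client.crt" --key "$MTLS_DIR/client.key" --cacert "$MTLS_DIR/ca.crt"
}

# The private API must refuse a caller with no client certificate. -f makes
# curl exit non-zero on an HTTP error as well as on a failed TLS handshake,
# so either form of rejection counts as a pass.
private_rejects_anonymous() {
  if curl -sSf --max-time 10 --cacert "$MTLS_DIR/ca.crt" -o /dev/null \
       "https://$PRIVATE_ADDR$HEALTH_PATH" 2>/dev/null; then
    echo "FAIL private: served a request with no client certificate"; return 1
  fi
  echo "ok   private API rejects anonymous clients"
}

run_all() {
  local rc=0
  minio_check || rc=1
  public_check || rc=1
  private_check || rc=1
  private_rejects_anonymous || rc=1
  return $rc
}

case "${1:-}" in
  run) run_all ;;
esac
```

Run it as `bash healthcheck.sh run`; the exit status is non-zero if any check failed, which makes it usable from a monitoring job. If the private server.crt was issued for a hostname rather than the IP, set PRIVATE_ADDR to that hostname and add `--resolve host:8080:10.0.0.5` to the private checks, since curl verifies the certificate against whatever name is in the URL.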
Integration Details from the Client
To set up the integration on our side, we require the following details from the client:
HMAC Secret: Used to authenticate requests coming from our core sharing service (not the CMMC connector).
Sharing Service Token: Used to authenticate requests sent by the CMMC connector to the core sharing service.
Private URL (IP:Port): The internal/private endpoint of the on-prem sharing service (e.g., 10.0.0.5:8080).
Public URL (Domain): The external, domain-based endpoint of the on-prem sharing service (e.g., https://onpremsharing.example.com).
Providing these details ensures secure and proper integration between the on-prem sharing service and our core sharing service.