How to Configure Fenixpyre On-Prem Secure Sharing Solution
This document outlines how to deploy the FenixPyre On-Prem Secure Sharing Service, a solution engineered for high-security environments requiring FIPS 140-3 validated cryptography.
Overview
The Fenixpyre On-Prem Secure Sharing Solution is designed for organizations handling sensitive data, including Controlled Unclassified Information (CUI). This solution follows a distributed architecture, deploying its two main components on separate Virtual Machines (VMs) to enhance security and scalability:
VM 1: Secure Storage Service - A dedicated object storage layer, powered by a FIPS-enabled MinIO Server, for secure, compliant data persistence.
VM 2: On-Prem Sharing Service - The core application service for managing and controlling access to sensitive data.
Each service is deployed through a dedicated, automated process that handles configuration, TLS certificate management, and deployment on the FIPS-enabled host, ensuring a secure and compliant baseline.
Deployment Steps
Pre-Deployment Checklist
Before beginning the deployment, ensure that your environment meets the following requirements.
1. Provision Two VMs
VM 1: Secure Storage Service
This VM will host the secure storage layer.
1. System and Hardware Requirements:
Operating System:
Option 1: Ubuntu 22.04 LTS FIPS (Recommended for FIPS support)
Option 2: RHEL 8 or 9 (FIPS mode enabled)
CPU: Minimum 4 cores.
Memory (RAM): Minimum 16 GB.
Storage: Sufficient disk space for your data needs (e.g., 128 GB or more).
Disk Encryption: Enable Disk Encryption - Mandatory for CMMC compliance
Privileges: Sudo access is required.
2. Network and DNS Requirements:
Static IP Address: A static IP address is highly recommended.
DNS Record: An A record for your storage service domain (e.g., storage.your-company.com) pointing to this VM's static IP.
Firewall Ports: The following inbound ports must be open:
Port 443 (TCP): For secure public HTTPS access to the storage service.
Port 80 (TCP): Required by Let's Encrypt for the HTTP-01 challenge to issue and renew TLS certificates automatically. Not needed if you supply your own certificates during setup.
VM 2: On-Prem Sharing Service
This VM will host the core application service.
1. System and Hardware Requirements:
Operating System:
Option 1: Ubuntu 22.04 LTS FIPS (FIPS mode enabled)
Option 2: RHEL 8 or 9 (FIPS mode enabled)
CPU: Minimum 4 cores.
Memory (RAM): Minimum 16 GB.
Storage: Minimum 128 GB.
Disk Encryption: Enable Disk Encryption - Mandatory for CMMC compliance
Privileges: Sudo access is required.
2. Network and DNS Requirements:
Static IP Address: A static IP address is highly recommended.
DNS Record: An A record for your On-Prem Sharing Service domain (e.g., onprem.your-company.com) pointing to this VM's static IP.
Firewall Ports: The following inbound ports must be open:
Port 443 (TCP): For secure public HTTPS/TLS access to the On-Prem Sharing Service.
Port 8080 (TCP): For the private, mTLS-secured API. This port must only be accessible from trusted sources such as the FenixPyre cloud platform; restrict it to those source addresses in the host firewall and the cloud security group rather than exposing it publicly.
Port 80 (TCP): Required by Let's Encrypt for automatic TLS certificate issuance and renewal. Not needed if you supply your own certificates during setup.
Note: For RHEL, enable FIPS mode during installation or by running fips-mode-setup --enable followed by a reboot. On RHEL 9 (OpenSSL 3), ensure openssl list -providers shows the FIPS provider loaded; on RHEL 8 (OpenSSL 1.1.1, which has no provider concept) use fips-mode-setup --check instead.
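The port requirements above are the same for both VMs except for 8080, which only VM 2 needs and which must not be reachable from arbitrary addresses. The following script is an added example, not part of FenixPyre's installer: it prints ufw rules (Ubuntu) for either VM and refuses to emit an 8080 rule whose source range is empty or 0.0.0.0/0. Port 22 is assumed open for the SSH access this guide relies on, and the CIDRs in the usage lines are RFC 5737 documentation addresses standing in for the real FenixPyre cloud source ranges, which you should obtain from FenixPyre support.

```shell
#!/bin/sh
# Added example (not FenixPyre's code): generate host firewall rules for the two VMs.
# 443 (and 80 for Let's Encrypt) are public; the VM 2 mTLS API on 8080 accepts only the
# trusted source ranges passed as arguments. The 203.0.113.0/24 and 198.51.100.7/32
# addresses in the usage comment are placeholders, not FenixPyre's real ranges.
set -eu

# Reject source ranges that would expose the private API to everyone.
# Returns 0 for an acceptable IPv4 CIDR (shape check only), 1 otherwise.
trusted_cidr_ok() {
    case "$1" in
        ""|any|*/0) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'
}

# Print the ufw commands for one VM. $1 is "storage" (VM 1) or "sharing" (VM 2);
# the remaining arguments are the trusted CIDRs for 8080 (sharing only).
# Rules are printed rather than executed so they can be reviewed; pipe to "sudo sh" to apply.
fenix_ufw_rules() {
    role="$1"; shift
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow 22/tcp"    # assumed admin access; tighten to your bastion range
    echo "ufw allow 443/tcp"   # public HTTPS for the service
    echo "ufw allow 80/tcp"    # HTTP-01 challenge; drop this line if you bring your own certificates
    case "$role" in
        storage) ;;
        sharing)
            [ $# -gt 0 ] || { echo "sharing role needs at least one trusted CIDR for 8080" >&2; return 1; }
            for cidr in "$@"; do
                trusted_cidr_ok "$cidr" || { echo "refusing source $cidr for 8080: too broad or malformed" >&2; return 1; }
                echo "ufw allow from $cidr to any port 8080 proto tcp"   # mTLS API, trusted sources only
            done
            ;;
        *) echo "unknown role $role" >&2; return 1 ;;
    esac
    echo "ufw --force enable"
}

# Usage (placeholder addresses):
#   fenix_ufw_rules storage | sudo sh
#   fenix_ufw_rules sharing 203.0.113.0/24 198.51.100.7/32 | sudo sh
```

On RHEL the equivalent is a firewalld rich rule, for example firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=203.0.113.0/24 port port=8080 protocol=tcp accept' followed by firewall-cmd --reload, with the same placeholder caveat. Apply the matching restriction in the cloud security group as well, so the host firewall is not the only control.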
Setting Up a FIPS-Compliant Host Environment
Option 1: Use a Pre-Hardened Marketplace Image (Recommended)
The simplest and recommended method is to launch a pre-configured Ubuntu Pro 22.04 LTS FIPS or RHEL 8/9 FIPS instance from your cloud provider’s marketplace.
Azure
For Ubuntu Pro FIPS 22.04, follow the Azure Portal Quickstart.
For RHEL VMs on Azure, follow the Red Hat-based virtual machine guide.
Ensure the Network Security Group (NSG) allows inbound traffic on the required ports: 443 and 80 on both VMs, and 8080 on VM 2 only, restricted to the FenixPyre cloud platform's source addresses.
AWS
Use the EC2 Launch Wizard to create instances of Ubuntu Pro FIPS 22.04 LTS or RHEL 8/9 FIPS.
Configure security groups to allow inbound traffic on ports 443 and 80, and on 8080 for VM 2 only, restricted to the FenixPyre cloud platform's source addresses.
Google Cloud
Use Google Compute Engine to create instances of Ubuntu 22.04 LTS Pro FIPS Updates Server or RHEL 8/9 FIPS.
Configure firewall rules to permit inbound traffic on ports 443 and 80, and on 8080 for VM 2 only, restricted to the FenixPyre cloud platform's source addresses.
Option 2: Manually Enable FIPS on an Existing System
Steps to Enable FIPS on Ubuntu
These steps manually enable FIPS on a standard Ubuntu 22.04 LTS installation. This requires a free or paid Ubuntu Pro subscription.
Obtain an Ubuntu Pro Token:
To enable FIPS, your system must be attached to an Ubuntu Pro subscription. You can use a paid corporate subscription or get a free subscription for personal use (up to 5 machines) from ubuntu.com/pro.
Retrieve your subscription token from your Ubuntu Pro dashboard.
Attach Your VM to Ubuntu Pro:
The pro client comes pre-installed on Ubuntu 22.04 LTS. Use it to attach your VM (replace <YOUR_PRO_TOKEN> with the token from your dashboard).
Enable FIPS with Security Updates:
Canonical recommends enabling the fips-updates channel, which provides FIPS-certified modules along with the latest security patches.
Reboot the System:
A reboot is required to load the FIPS-certified kernel and enable FIPS mode across the system.
Verify FIPS Enablement:
After the reboot, confirm that FIPS mode is active. The following command should output 1:
Steps to Enable FIPS on RHEL 8 / 9
Install the required FIPS package (if not already present):
Enable FIPS mode:
Reboot the system:
Verify that FIPS mode is enabled:
You should see output similar to:
FIPS mode is enabled.
Note: Once FIPS mode is enabled, the system-wide crypto policy is set to FIPS and the kernel, OpenSSL and the other system crypto libraries use their FIPS-validated modules automatically. This covers only software that links the system libraries; a binary that bundles its own cryptography is not made FIPS-compliant by the host setting, which is why the storage layer relies on a FIPS-enabled MinIO build rather than the host alone.
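The Ubuntu and RHEL procedures above share the same shape: attach or install, enable, reboot, verify. The script below is an added example, not Canonical's, Red Hat's or FenixPyre's tooling, that drives both paths and performs the post-reboot verification from one place. It assumes sudo, repository access, and for Ubuntu that the Pro token is supplied in the PRO_TOKEN environment variable; the RUN_FIPS_SETUP guard and the file-path parameters on the check functions are conveniences of this example so the pure checks can be exercised without touching the host.

```shell
#!/bin/sh
# Added example (not FenixPyre's, Canonical's or Red Hat's code): enable FIPS mode on
# Ubuntu 22.04 LTS via Ubuntu Pro or on RHEL 8/9, then verify it after the reboot.
# Assumes sudo, repository access, and PRO_TOKEN set on Ubuntu.
set -eu

# Return 0 when the kernel reports FIPS mode on. $1 overrides the sysctl file so the
# check can be run against a constructed file.
fips_kernel_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]; then
        return 0
    fi
    return 1
}

# Print "ubuntu", "rhel" (RHEL and rebuilds such as Rocky/Alma) or "unknown" from os-release.
# $1 overrides the path to /etc/os-release.
detect_family() {
    f="${1:-/etc/os-release}"
    ids=$( . "$f" && printf ' %s %s ' "${ID:-}" "${ID_LIKE:-}" )
    case "$ids" in
        *" ubuntu "*) echo ubuntu ;;
        *" rhel "*|*" centos "*|*" fedora "*) echo rhel ;;
        *) echo unknown ;;
    esac
}

enable_fips_ubuntu() {
    sudo pro attach "${PRO_TOKEN:?set PRO_TOKEN to your Ubuntu Pro token}"
    sudo pro enable fips-updates   # FIPS-certified modules plus security patches (Canonical's recommendation)
}

enable_fips_rhel() {
    sudo dnf install -y crypto-policies-scripts   # ships fips-mode-setup
    sudo fips-mode-setup --enable                 # FIPS crypto policy plus kernel boot flag
}

# Post-reboot report: kernel flag, the OpenSSL FIPS provider where OpenSSL 3 is in use
# (Ubuntu 22.04, RHEL 9), and fips-mode-setup --check where it exists (RHEL).
verify_fips() {
    if ! fips_kernel_enabled; then
        echo "FIPS mode is NOT enabled (kernel flag is not 1)" >&2
        return 1
    fi
    echo "kernel: FIPS mode enabled"
    if openssl list -providers >/dev/null 2>&1; then
        openssl list -providers | grep -i fips || echo "WARNING: OpenSSL 3 present but no FIPS provider loaded" >&2
    fi
    if command -v fips-mode-setup >/dev/null 2>&1; then
        fips-mode-setup --check || return 1
    fi
    return 0
}

main() {
    if fips_kernel_enabled; then
        verify_fips
        return 0
    fi
    case "$(detect_family)" in
        ubuntu) enable_fips_ubuntu ;;
        rhel)   enable_fips_rhel ;;
        *)      echo "unsupported distribution" >&2; return 1 ;;
    esac
    echo "FIPS packages installed; reboot now, then run this script again to verify."
}

# Run explicitly: RUN_FIPS_SETUP=1 PRO_TOKEN=... sh fips_setup.sh   (run it a second time after the reboot)
if [ "${RUN_FIPS_SETUP:-0}" = "1" ]; then
    main
fi
```

Run it once to enable, reboot, and run it again: the second run takes the verification path and fails non-zero if the kernel flag is not 1 or, on RHEL, if fips-mode-setup reports an inconsistent state, so it can double as a pre-flight check before the FenixPyre setup commands.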
2. Update DNS
Create an A Record on your DNS provider so each domain points to its VM’s public IP:
fp-storage-service.your-domain.com → <VM A Public IP>
fp-sharing-service.your-domain.com → <VM B Public IP>
Why: Let's Encrypt resolves the A record and fetches the HTTP-01 challenge from that address, so the record must point at the VM before the setup script runs. Even with manual certificates, consistent DNS ensures stable host references.
Deployment Steps
During or after Pre-Deployment, coordinate with FenixPyre: raise a ticket with [email protected].
The deployment is a two-stage process performed on your two prepared VMs. The necessary commands are provided within the FenixPyre admin dashboard.
Accessing the Deployment Commands
First, retrieve the unique deployment commands for your environment:
Log into your FenixPyre Admin Dashboard.
Navigate to the Integrations section from the side menu.
Select On-Prem Secure Sharing to open the setup page.
You will see two distinct commands on this page, one for each VM. Follow the steps below in order.
Stage 1: Secure Storage Service (VM 1)
On the setup page in your admin dashboard, find the "Setup Secure Storage Service" section.
Click "Copy Command" to copy the provided command.
Connect to VM 1 via SSH or console.
Paste and run the command in the terminal.
The automated process will then prompt you for configuration details, including:
The domain name for the storage service (e.g., fp-storage-service.your-company.com).
Your preference for TLS certificate handling (Let's Encrypt or manual).
A root username, password and bucket name for the storage service.
Once complete, the service will start, and the deployment process will perform final health checks to verify that the service is operational.
Stage 2: Secure Sharing Service (VM 2)
This command installs the secure sharing server and connects it to the FenixPyre platform and your newly configured storage service. The command embeds a short-lived JWT for secure, automated registration, so treat the copied command as a secret: run it only on VM 2 and do not paste it into tickets or chat.
On the setup page in your admin dashboard, find the "Setup Secure Sharing Service" section
Click "Copy Command" to copy the provided curl command.
Connect to VM 2 via SSH or console.
Paste and run the command in the terminal.
The automated process will prompt you for the remaining configuration details:
The domain name for the On-Prem Secure Sharing Service (e.g., fp-sharing-service.your-domain.com).
Connection details for your deployed storage instance (endpoint, access key, and secret key).
The setup process will automatically generate credentials for the internal PostgreSQL database and complete the full service configuration, registration, and health checks without further interaction.
Upgrading an Existing Deployment
To upgrade your On-Prem Secure Sharing Service to a newer version:
Copy the setup command from your FenixPyre Admin Dashboard (Integrations → Onprem Secure Sharing → Copy Command from the "Setup Secure Sharing Service" section)
Connect to VM 2 (Sharing Service) and paste the command
When the script detects an existing deployment, select U (Upgrade) from the menu:
When asked to reuse existing configuration, press Enter or type Y to confirm:
That's it! The script will:
Automatically backup your current deployment
Upgrade to the new version
Restart services
Verify everything is working
Note: Backups are stored at /home/<user>/fenixpyre-onprem-secure-sharing-backups/ for safe rollback if needed.
Known Issues
Favourites: Marking files as favourites is not fully implemented; please refrain from using it until a future update.
Frequently Asked Questions
Integration and Usage
How can I verify the health of the deployment without a full setup?
Both scripts include health check functionality. You can also manually verify:
Storage Service: Visit https://<MINIO_DOMAIN>/minio/health/ready
Sharing Service: Run the setup script with the -v (or --verify) flag to perform health checks on an existing deployment without making any changes. This mode does not require a JWT token.
Example command: sudo ./setup_onprem.sh -v
The script will then check the public and private APIs and report their status.
How can I re-run just the integration registration step?
The initial setup command handles the integration automatically. However, if you need to re-register the integration with the FenixPyre platform for any reason, you can do so by running the setup script again with the -i (or --integrate) flag. You will need a new JWT token from the FenixPyre admin dashboard.
Example command: sudo ./setup_onprem.sh -i YOUR_JWT_TOKEN
Certificate Management
How can I forcefully renew the certificates?
You can force certificate renewal using the following commands:
For MinIO:
For OnPrem Service:
The --force-renewal flag forces renewal regardless of expiration date, and --verbose provides detailed output for troubleshooting.
How do I check when my certificates will expire?
You can check certificate expiration dates with:
This will list all certificates managed by certbot, including their expiration dates.
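Certbot's own listing reports what it has on disk, not what the containers are serving; a renewed certificate that was never reloaded still shows as fresh there. The following is an added example, not part of the FenixPyre scripts, that checks the expiry of the certificate each service actually presents on port 443 and exits non-zero inside a warning window, so it can run from cron as an independent check. Host names are placeholders and the script needs openssl and GNU date; the optional second argument to days_until is a convenience of this example so the arithmetic can be checked against constructed dates.

```shell
#!/bin/sh
# Added example (not FenixPyre's code): report days until the served TLS certificate expires.
# Assumes openssl and GNU date; host names below are placeholders.
set -eu

# notAfter of the leaf certificate served at $1:$2, in openssl's format ("Jan 14 12:00:00 2030 GMT").
served_not_after() {
    openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Whole days from "now" until the notAfter string in $1 (negative once expired).
# $2 overrides "now" as epoch seconds so the arithmetic can be checked offline.
days_until() {
    end=$(date -u -d "$1" +%s)
    now="${2:-$(date -u +%s)}"
    echo $(( (end - now) / 86400 ))
}

# Report one host; returns 1 when fewer than $3 days remain so a cron job can alert on it.
check_host() {
    left=$(days_until "$(served_not_after "$1" "$2")")
    if [ "$left" -lt "$3" ]; then
        echo "WARN $1: certificate expires in $left days"
        return 1
    fi
    echo "OK   $1: $left days remaining"
}

# Usage (placeholder hosts): warn inside the window certbot's renewal timer should already have handled.
#   check_host fp-storage-service.your-domain.com 443 14
#   check_host fp-sharing-service.your-domain.com 443 14
```

A WARN for a host whose certbot listing shows a fresh certificate means the container is still serving the old one and needs a restart, which is the failure mode the certbot listing alone cannot reveal.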
Can I use my own certificates instead of Let's Encrypt?
Yes, both scripts support manual certificate placement. When prompted for TLS options, select the manual option and place your certificates in the appropriate directories:
For MinIO: ./minio/certs/minio/private.key and ./minio/certs/minio/public.crt
For OnPrem Service: ./fenixpyre-onprem-secure-sharing/certs/ssl/server.key and ./fenixpyre-onprem-secure-sharing/certs/ssl/server.crt
Keep the private keys readable only by the user the services run as (mode 600).
Service Management
How do I restart the services after making configuration changes?
Navigate to the service directory and use Docker Compose:
How can I view the logs for the services?
Application logs are stored in the following locations:
Sharing Service: ./fenixpyre-onprem-secure-sharing/logs/ directory
Storage Service: Logs are available through the Docker Compose logs command
PostgreSQL: Logs are available through Docker Compose logs command
You can also access these logs directly from the container:
Security and Credentials
Where are the HMAC secret and sharing service token stored?
These are stored in:
The config.yaml file in the fenixpyre-onprem-secure-sharing service directory
A separate onprem_details.txt file for easy reference
Both files hold secrets: keep them readable only by the deploying user (mode 600) and do not copy onprem_details.txt into tickets or unencrypted backups.
How can I change the Secure Storage credentials after initial setup?
You can update the credentials in the docker-compose.yaml file and restart the service:
How do I backup my configuration and data?
For the Storage Service, back up the ./minio/data directory. For the Sharing Service, back up:
./fenixpyre-onprem-secure-sharing/config.yaml
./fenixpyre-onprem-secure-sharing/certs directory
PostgreSQL data volume (requires a Docker volume backup)
For help or questions:
Support: [email protected]
Documentation: docs.anchormydata.com
