# How to Configure Fenixpyre On-Prem Secure Sharing Solution

This document outlines how to deploy the **FenixPyre On-Prem Secure Sharing Service**, a solution engineered for high-security environments requiring FIPS 140-3 validated cryptography.

***

## Overview

The **Fenixpyre On-Prem Secure Sharing Solution** is designed for organizations handling sensitive data, including Controlled Unclassified Information (CUI). This solution follows a distributed architecture, deploying its two main components on separate Virtual Machines (VMs) to enhance security and scalability:

1. **VM 1: Secure Storage Service** - A dedicated object storage layer, powered by a FIPS-enabled MinIO Server, for secure, compliant data persistence.
2. **VM 2: On-Prem Sharing Service** - The core application service for managing and controlling access to sensitive data.

Each service is deployed through a dedicated, automated process that handles all configuration, FIPS-validated certificate management, and deployment, ensuring a secure and compliant baseline.

***

## Deployment Steps

{% stepper %}
{% step %}

### **Pre-Deployment** Checklist

*Before beginning the deployment, ensure that your environment meets the following requirements.*

### **1. Provision Two VMs**

{% tabs %}
{% tab title="VM1 : Secure Storage Service" %}
*This VM will host the secure storage layer.*

**1. System and Hardware Requirements:**

* **Operating System**:
  * **Option 1:** Ubuntu 22.04 LTS FIPS (Recommended for FIPS support)
  * **Option 2:** RHEL 8 or 9 (FIPS mode enabled)
* **CPU**: Minimum 4 cores.
* **Memory (RAM)**: Minimum 16 GB.
* **Storage**: Sufficient disk space for your data needs (e.g., 128 GB or more).
* **Disk Encryption**: Enable Disk Encryption - **Mandatory for CMMC compliance**
* **Privileges**: Sudo access is required.

**2. Network and DNS Requirements:**

* **Static IP Address**: A static IP address is highly recommended.
* **DNS Record**: An `A` record for your storage service domain (e.g., `storage.your-company.com`) pointing to this VM's static IP.
* **Firewall Ports**: The following inbound ports must be open:
  * **Port 443 (TCP)**: For secure public HTTPS access to the storage service.
  * **Port 80 (TCP)**: Required by Let's Encrypt for the HTTP-01 challenge to issue and renew TLS certificates automatically.
{% endtab %}

{% tab title="VM2: On-Prem Sharing Service" %}
*This VM will host the core application service.*

**1. System and Hardware Requirements:**

* **Operating System**:
  * **Option 1:** Ubuntu 22.04 LTS FIPS (FIPS mode enabled)
  * **Option 2:** RHEL 8 or 9 (FIPS mode enabled)
* **CPU**: Minimum 4 cores.
* **Memory (RAM)**: Minimum 16 GB.
* **Storage**: Minimum 128 GB.
* **Disk Encryption**: Enable Disk Encryption - **Mandatory for CMMC compliance**
* **Privileges**: Sudo access is required.

**2. Network and DNS Requirements:**

* **Static IP Address**: A static IP address is highly recommended.
* **DNS Record**: An `A` record for your On-Prem Sharing Service domain (e.g., `onprem.your-company.com`) pointing to this VM's static IP.
* **Firewall Ports**: The following inbound ports must be open:
  * **Port 443 (TCP)**: For secure public HTTPS/TLS access to the On-Prem Sharing Service.
  * **Port 8080 (TCP)**: For the private, mTLS-secured API. This port must only be accessible from trusted sources like the FenixPyre cloud platform.
  * **Port 80 (TCP)**: Required by Let's Encrypt for automatic TLS certificate issuance and renewal.
{% endtab %}
{% endtabs %}

> **Note:** For RHEL, enable FIPS mode during installation or by running `fips-mode-setup --enable` followed by a reboot. Ensure `openssl list -providers` shows the FIPS provider module loaded.

### Setting Up a FIPS-Compliant Host Environment

#### Option 1: Use a Pre-Hardened Marketplace Image (Recommended)

The simplest and recommended method is to launch a pre-configured **Ubuntu Pro 22.04 LTS FIPS** or **RHEL 8/9 FIPS** instance from your cloud provider’s marketplace.

{% tabs %}
{% tab title="Azure" %}

* For **Ubuntu Pro FIPS 22.04**, follow the [Azure Portal Quickstart](https://docs.microsoft.com/azure/virtual-machines/linux/quick-create-portal).
* For **RHEL** VMs on Azure, follow [Red Hat-based virtual machine](https://learn.microsoft.com/en-us/azure/virtual-machines/linux/redhat-create-upload-vhd?utm_source=chatgpt.com).
* Ensure the Network Security Group (NSG) allows traffic on the required ports (443, 80 and 8080).
{% endtab %}

{% tab title="AWS" %}

* Use the [EC2 Launch Wizard](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html) to create instances of **Ubuntu Pro FIPS 22.04 LTS** or **RHEL 8/9 FIPS**
* Configure security groups to allow inbound traffic on ports 443, 80 and 8080.
{% endtab %}

{% tab title="Google" %}

* Use [Google Compute Engine](https://console.cloud.google.com/compute/instancesAdd?imageId=4467206581577450407\&imageProjectId=ubuntu-os-pro-cloud) to create instances of **Ubuntu 22.04 LTS Pro FIPS Updates Server** or **RHEL 8/9 FIPS**
* Configure firewall rules to permit traffic on ports 443, 80 and 8080.
{% endtab %}
{% endtabs %}

#### Option 2: Manually Enable FIPS on an Existing System

{% tabs %}
{% tab title="Ubuntu" %}
**Steps to Enable FIPS on Ubuntu**

Follow these steps to manually enable FIPS on a standard Ubuntu 22.04 LTS installation. This requires a free or paid **Ubuntu Pro** subscription.

* **Obtain an Ubuntu Pro Token**:
  * To enable FIPS, your system must be attached to an Ubuntu Pro subscription. You can use a paid corporate subscription or get a free subscription for personal use (up to 5 machines) from [ubuntu.com/pro](https://ubuntu.com/pro).
  * Retrieve your subscription token from your Ubuntu Pro dashboard.
* **Attach Your VM to Ubuntu Pro**:
  * The `pro` client comes pre-installed on Ubuntu 22.04 LTS. Use it to attach your VM:

    ```bash
    sudo pro attach <YOUR_PRO_TOKEN>
    ```

    *(Replace `<YOUR_PRO_TOKEN>` with the token from your dashboard.)*
* **Enable FIPS with Security Updates**:
  * Canonical recommends enabling the `fips-updates` channel, which provides FIPS-certified modules along with the latest security patches.

    ```bash
    sudo pro enable fips-updates
    ```
* **Reboot the System**:
  * A reboot is required to load the FIPS-certified kernel and enable FIPS mode across the system.

    ```bash
    sudo reboot
    ```
* **Verify FIPS Enablement**:
  * After the reboot, confirm that FIPS mode is active. The following command should output `1`:

    ```bash
    cat /proc/sys/crypto/fips_enabled
    ```

{% endtab %}

{% tab title="RHEL" %}
**Steps to Enable FIPS on RHEL 8 / 9**

1. **Install the required FIPS package (if not already present):**

   ```bash
   sudo dnf install dracut-fips -y
   sudo dracut -f
   ```
2. **Enable FIPS mode:**

   ```bash
   sudo fips-mode-setup --enable
   ```
3. **Reboot the system:**

   ```bash
   sudo reboot
   ```
4. **Verify that FIPS mode is enabled:**

   ```bash
   sudo fips-mode-setup --check
   ```

   You should see output similar to:\
   `FIPS mode is enabled.`

> **Note:** Once FIPS is enabled, the kernel and OpenSSL use FIPS-validated cryptographic modules automatically.

{% endtab %}
{% endtabs %}

### **2. Update DNS**

Create an A Record on your DNS provider so each domain points to its VM’s public IP:

> * `fp-storage-service.your-domain.com → <VM A Public IP>`
> * `fp-sharing-service.your-domain.com → <VM B Public IP>`
>
> **Why**: Let’s Encrypt checks DNS to validate domain ownership. Even with manual certificates, consistent DNS ensures stable host references.
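A pre-flight script that checks the items above on a prepared VM before the dashboard command is run: the kernel FIPS flag, the OpenSSL FIPS provider, the DNS `A` record, and whether ports 80/443/8080 are already bound locally. It is an added example, not part of the FenixPyre deployment tooling; it assumes the standard `getent`, `ss` and `openssl` utilities, and each check also accepts its input as an argument so it can be exercised on captured data.

```shell
# Pre-flight checks for a FenixPyre VM (added example, not the vendor script).
# Usage after sourcing: preflight DOMAIN EXPECTED_PUBLIC_IP [PORT...]
# Each check reads the live system unless its optional input is supplied.

# fips_state [FILE]: print enabled/disabled/unknown from the kernel flag.
fips_state() {
  local f="${1:-/proc/sys/crypto/fips_enabled}"
  [ -r "$f" ] || { echo unknown; return 1; }
  case "$(tr -d '[:space:]' < "$f")" in
    1) echo enabled; return 0 ;;
    0) echo disabled; return 1 ;;
    *) echo unknown; return 1 ;;
  esac
}

# fips_provider_loaded [OUTPUT]: succeed when `openssl list -providers`
# reports the FIPS provider (Ubuntu Pro FIPS and RHEL FIPS mode load it).
fips_provider_loaded() {
  local out="${1:-$(openssl list -providers 2>/dev/null)}"
  printf '%s\n' "$out" | grep -qi 'fips'
}

# dns_points_to DOMAIN EXPECTED_IP [RESOLVED_IP...]: succeed when one of the
# A records (resolved with getent unless supplied) equals EXPECTED_IP.
dns_points_to() {
  local domain="$1" expected="$2"; shift 2
  local resolved="$*" ip
  [ -n "$resolved" ] || resolved="$(getent ahostsv4 "$domain" 2>/dev/null | awk '{print $1}')"
  for ip in $resolved; do [ "$ip" = "$expected" ] && return 0; done
  return 1
}

# port_free PORT [SS_OUTPUT]: succeed when nothing listens on PORT yet (parses
# `ss -ltn`). Cloud firewall rules (NSG / security group) are not visible here.
port_free() {
  local port="$1" out="${2:-$(ss -ltn 2>/dev/null)}"
  ! printf '%s\n' "$out" | awk '{print $4}' | grep -qE "[:.]$port\$"
}

# preflight DOMAIN EXPECTED_IP [PORT...]: run every check; return 1 on any failure.
preflight() {
  local domain="$1" ip="$2" rc=0 p; shift 2
  [ "$(fips_state)" = enabled ] || { echo "FAIL: FIPS mode is not enabled"; rc=1; }
  fips_provider_loaded || { echo "FAIL: OpenSSL FIPS provider not loaded"; rc=1; }
  dns_points_to "$domain" "$ip" || { echo "FAIL: $domain does not resolve to $ip"; rc=1; }
  for p in "$@"; do port_free "$p" || { echo "FAIL: port $p already in use"; rc=1; }; done
  [ "$rc" -eq 0 ] && echo "preflight OK"
  return "$rc"
}
```

Run it as `preflight fp-storage-service.your-domain.com <VM A Public IP> 80 443` on VM 1 and add `8080` on VM 2; a non-zero exit means at least one prerequisite is still missing.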

***

{% endstep %}

{% step %}

### **Deployment Steps**

> **During or after Pre-Deployment, coordinate with FenixPyre: raise a ticket with** [**support@fenixpyre.com**](mailto:support@fenixpyre.com)**.**

The deployment is a two-stage process performed on your two prepared VMs. The necessary commands are provided within the FenixPyre admin dashboard.

#### Accessing the Deployment Commands

First, retrieve the unique deployment commands for your environment:

1. Log into your **FenixPyre Admin Dashboard**.
2. Navigate to the **Integrations** section from the side menu.
3. Select **On-Prem Secure Sharing** to open the setup page.

You will see two distinct commands on this page, one for each VM. Follow the steps below in order.

{% tabs %}
{% tab title="Deploy Storage Service (on VM 1)" %}

1. On the setup page in your admin dashboard, find the **"Setup Secure Storage Service"** section.
2. Click **"Copy Command"** to copy the provided command.
3. **Connect to VM 1** via SSH or console.
4. Paste and run the command in the terminal.

The automated process will then prompt you for configuration details, including:

* The domain name for the storage service (e.g., `fp-storage-service.your-company.com`).
* Your preference for TLS certificate handling (Let's Encrypt or manual).
* A root username, password and bucket name for the storage service.

Once complete, the service will start, and the deployment process will perform final health checks to verify that the service is operational.
{% endtab %}

{% tab title="Deploy Sharing Service (on VM 2)" %}
This command installs the secure sharing server and connects it to the FenixPyre platform and your newly configured storage service. This command includes a short-lived JWT token for secure, automated registration.

1. On the setup page in your admin dashboard, find the **"Setup Secure Sharing Service"** section.
2. Click **"Copy Command"** to copy the provided `curl` command.
3. **Connect to VM 2** via SSH or console.
4. Paste and run the command in the terminal.

The automated process will prompt you for the remaining configuration details:

* The domain name for the On-Prem Secure Sharing Service (e.g., `fp-sharing-service.your-domain.com`).
* Connection details for your deployed storage instance (endpoint, access key, and secret key).

The setup process will automatically generate credentials for the internal PostgreSQL database and complete the full service configuration, registration, and health checks without further interaction.
{% endtab %}
{% endtabs %}
{% endstep %}
{% endstepper %}

***

## Upgrading an Existing Deployment

To upgrade your On-Prem Secure Sharing Service to a newer version:

1. **Copy the setup command** from your FenixPyre Admin Dashboard (**Integrations** → **On-Prem Secure Sharing** → **Copy Command** from the **"Setup Secure Sharing Service"** section)
2. **Connect to VM 2** (Sharing Service) and paste the command
3. **When the script detects an existing deployment**, select **U** (Upgrade) from the menu:

```
[U] Upgrade to a newer release
[R] Reinstall the current version
[F] Force a fresh install
[A] Abort and exit
```

4. **When asked to reuse existing configuration**, press **Enter** or type **Y** to confirm:

```
Do you want to reuse this configuration? (Y/n):
```

That's it! The script will:

* Automatically back up your current deployment
* Upgrade to the new version
* Restart services
* Verify everything is working

> **Note**: Backups are stored at `/home/<user>/fenixpyre-onprem-secure-sharing-backups/` for safe rollback if needed.

***

### Known Issues

* **Favourites**: Marking files as favourites is not fully implemented; please refrain from using it until a future update.

***

## Frequently Asked Questions

#### Integration and Usage

<details>

<summary><strong>How can I verify the health of the deployment without a full setup?</strong></summary>

Both scripts include health check functionality. You can also manually verify:

* **Storage Service**: Visit `https://<MINIO_DOMAIN>/minio/health/ready`
* **Sharing Service:**

  You can run the script with the `-v` (or `--verify`) flag to perform health checks on an existing deployment without making any changes. This mode does not require a JWT token.

  Example command: `sudo ./setup_onprem.sh -v`

  The script will then check the public and private APIs and report their status.

</details>

<details>

<summary><strong>How can I re-run just the integration registration step?</strong></summary>

The initial setup command handles the integration automatically. However, if you need to re-register the integration with the FenixPyre platform for any reason, you can do so by running the setup script again with the `-i` (or `--integrate`) flag. You will need a new JWT token from the FenixPyre admin dashboard.

Example command: `sudo ./setup_onprem.sh -i YOUR_JWT_TOKEN`

</details>

#### Certificate Management

<details>

<summary><strong>How can I forcefully renew the certificates?</strong></summary>

You can force certificate renewal using the following commands:

For MinIO:

```bash
sudo certbot renew --cert-name your-minio-domain.com --deploy-hook /path/to/minio/scripts/cert-deploy-hook.sh --force-renewal --verbose
```

For OnPrem Service:

```bash
sudo certbot renew --cert-name your-onprem-domain.com --deploy-hook /path/to/fenixpyre-onprem-secure-sharing/scripts/cert-deploy-hook.sh --force-renewal --verbose
```

{% hint style="info" %}
The `--force-renewal` flag forces renewal regardless of expiration date, and `--verbose` provides detailed output for troubleshooting.
{% endhint %}

</details>

<details>

<summary><strong>How do I check when my certificates will expire?</strong></summary>

You can check certificate expiration dates with:

```bash
sudo certbot certificates
```

This will list all certificates managed by certbot, including their expiration dates.

</details>

<details>

<summary><strong>Can I use my own certificates instead of Let's Encrypt?</strong></summary>

Yes, both scripts support manual certificate placement. When prompted for TLS options, select the manual option and place your certificates in the appropriate directories:

* For MinIO: `./minio/certs/minio/private.key` and `./minio/certs/minio/public.crt`
* For OnPrem Service: `./fenixpyre-onprem-secure-sharing/certs/ssl/server.key` and `./fenixpyre-onprem-secure-sharing/certs/ssl/server.crt`
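Before copying your own files into those directories, confirm that the key actually matches the certificate, that the certificate covers the service hostname, and that it is not close to expiry (`certbot certificates` only lists certificates certbot manages, so it will not report manually placed ones). The following functions do that with standard `openssl` commands; they are an added example, not part of the FenixPyre scripts, and the hostnames in the comments are placeholders.

```shell
# Checks for a manually supplied certificate/key pair before it is copied into
# the certs directory (added example, not part of the FenixPyre scripts).
# Needs openssl; hostname matching is exact (no wildcard handling).

# cert_matches_key CERT KEY: succeed when the public key inside CERT equals
# the public key derived from KEY, i.e. the two files belong together.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || return 2
  key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS: succeed when CERT is still valid DAYS from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_covers_name CERT NAME: succeed when NAME is a DNS SAN entry or, failing
# that, the subject CN (e.g. fp-sharing-service.your-domain.com).
cert_covers_name() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qE "DNS:$2(,|\$)" && return 0
  openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -q "CN *= *$2\$"
}

# check_manual_pair CERT KEY NAME [MIN_DAYS]: run all three checks, report
# each failure, and return 1 if any of them fails (MIN_DAYS defaults to 30).
check_manual_pair() {
  local cert="$1" key="$2" name="$3" days="${4:-30}" rc=0
  cert_matches_key "$cert" "$key" || { echo "FAIL: $key does not match $cert"; rc=1; }
  cert_valid_for_days "$cert" "$days" || { echo "FAIL: $cert expires within $days days"; rc=1; }
  cert_covers_name "$cert" "$name" || { echo "FAIL: $cert does not cover $name"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $cert and $key are usable for $name"
  return "$rc"
}
```

Example: `check_manual_pair server.crt server.key fp-sharing-service.your-domain.com 30` before placing the pair under `certs/ssl/`.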

</details>

#### Service Management

<details>

<summary><strong>How do I restart the services after making configuration changes?</strong></summary>

Navigate to the service directory and use Docker Compose:

```bash
# For MinIO
cd ./minio
sudo docker compose restart

# For OnPrem Service
cd ./fenixpyre-onprem-secure-sharing
sudo docker compose restart
```

</details>

<details>

<summary><strong>How can I view the logs for the services?</strong></summary>

Application logs are stored in the following locations:

* **Sharing Service**: `./fenixpyre-onprem-secure-sharing/logs/` directory
* **Storage Service**: Logs are available through Docker Compose logs command
* **PostgreSQL**: Logs are available through Docker Compose logs command

You can also access these logs directly from the container:

```bash
# For Sharing Service logs
sudo docker exec onprem cat /app/logs/app.log

# For Storage logs
sudo docker exec minio cat /var/log/minio/minio.log
```

</details>

#### Security and Credentials

<details>

<summary><strong>Where are the HMAC secret and sharing service token stored?</strong></summary>

These are stored in:

* The `config.yaml` file in the `fenixpyre-onprem-secure-sharing` service directory
* A separate `onprem_details.txt` file for easy reference

</details>

<details>

<summary><strong>How can I change the Secure Storage credentials after initial setup?</strong></summary>

You can update the credentials in the `docker-compose.yaml` file and restart the service:

```bash
cd ./minio
# Edit docker-compose.yaml to update MINIO_ROOT_USER and MINIO_ROOT_PASSWORD
sudo docker compose down
sudo docker compose up -d
```

</details>

<details>

<summary><strong>How do I back up my configuration and data?</strong></summary>

For Storage Service, back up the `./minio/data` directory. For Sharing Service, back up:

* `./fenixpyre-onprem-secure-sharing/config.yaml`
* `./fenixpyre-onprem-secure-sharing/certs` directory
* PostgreSQL data volume (requires Docker volume backup)

</details>

***

For help or questions:

* **Support**: <support@fenixpyre.com>
* **Documentation**: [docs.anchormydata.com](https://docs.anchormydata.com/)
