How to Configure On-Prem Secure Sharing Solution

This document outlines how to deploy MinIO (for secure storage) and the On-Prem Secure Sharing Service with TLS/mTLS using Docker and Docker Compose. The process is organized into Pre-Deployment, Registration, Deployment, and Verification phases, with a final step to provide the generated credential file to FenixPyre Support.

Pre-Deployment

Complete these steps before obtaining mTLS certificates from FenixPyre or installing the On-Prem Sharing Service.

1. Provision Two VMs

Purpose: Runs MinIO with TLS.
Minimum Requirements: Atleast 4 CPU cores, 16 GB RAM, disk space for storage, open inbound port 443 and port 80.
- Operating System: Linux (Docker-supported distribution)
- CPU: At least 4 cores
- Memory: At least 16 GB RAM
- Storage: Sufficient space for stored files (e.g., 50 GB or more)

Depending on your environment, use the appropriate approach to provision your VMs:

Follow the to create Linux VMs.
Ensure the Network Security Group (NSG) allows traffic on the required ports. Ports 443, 80 and 8080

2. Update DNS

Create an A Record on your DNS provider so each domain points to its VM’s public IP:

fp-sharing-storage.your-domain.com → <VM A Public IP>
fp-sharing.your-domain.com → <VM B Public IP>
Why: Let’s Encrypt checks DNS to validate domain ownership. Even with manual certificates, consistent DNS ensures stable host references.

3. Install Docker & Docker Compose (Both VMs)

Docker:
Docker Compose:

4. Download & Run `setup_minio.sh` on VM A

curl -fsSL https://raw.githubusercontent.com/dataanchor/onprem-secure-sharing-scripts/main/setup_minio.sh \
     -o setup_minio.sh
chmod +x setup_minio.sh
sudo ./setup_minio.sh

The script does the following

1. Domain Prompt: fp-sharing-storage.example.com
2. MinIO Credentials: Root user/password.
3. TLS: Let’s Encrypt (auto) or manual.
4. Docker Compose: Creates docker-compose.yaml in ~/minio/, starts MinIO on port 443.
5. Health Check: Script verifies readiness at https://fp-sharing-storage.example.com/minio/health/ready.

Automatic Certificate Renewal: Let’s Encrypt certificates created by the script are automatically renewed via a scheduled script that runs periodically.

The script creates a daily cron job that:

Runs certbot renew --quiet
Copies renewed certs into the MinIO cert folder
Restarts the MinIO container
Logs the event to ~/minio/certificate-renewal.log

5. Download `setup_onprem.sh` on VM B

curl -fsSL https://raw.githubusercontent.com/dataanchor/onprem-secure-sharing-scripts/main/setup_onprem.sh \
     -o setup_onprem.sh
chmod +x setup_onprem.sh

Do not run yet until you have mTLS certs from FenixPyre.

Registration with FenixPyre

During or after Pre-Deployment, coordinate with FenixPyre: raise a ticket with .

mTLS Certificates
- FenixPyre provides server.crt, server.key, ca.crt for your private API.
Credentials & Tokens
- Sharing Service Token, HMAC Secret, or advanced licensing keys if required.

Deployment Steps

With your VMs ready and mTLS certificates from FenixPyre, you can finalize deployment on VM B (On-Prem Sharing Service).

1. Run the On-Prem Service Script from the VM B terminal:

sudo ./onprem_service.sh

You’ll see a menu like: ============================================================

On-Prem Sharing Service - Choose an Option
1) Full Setup
2) Verify Deployment
3) Extract Credentials
4) Create Credentials File
5) Setup Certificate Renewal
=============================================================
Enter your choice (1, 2, 3, 4 or 5):

2. Choose “Full Setup” (Option 1)

mTLS Certificate Placement (Manual Step):During the Full Setup process, the script will prompt you to place the FenixPyre-provided mTLS certificates (server.crt, server.key, ca.crt) into the ~/onpremsharing/certs/mtls/ directory.

This is the only manual file placement you must do for certificates.

During Full Setup the script will:

Prompt you to place mTLS certs into ~/onpremsharing/certs/mtls/
Optionally obtain a public TLS cert (Let’s Encrypt) or accept a manual one
Collect PostgreSQL & MinIO credentials
Generate secure random values for HMAC secret and Sharing Service token
Write config.yaml and docker-compose.yaml in ~/onpremsharing/
Start containers (PostgreSQL + Sharing Service)
Verify:
- Public API → https://fp-sharing.example.com/health
- Private API (mTLS) → https://<VM B IP>:8080/health

Automatic certificate renewal

If Let’s Encrypt is enabled, a cron job runs nightly at 03:00:

Renews certificates if required
Deploys new certs, restarts the container
Logs to ~/onpremsharing/certificate-renewal.log

Verify Deployment: Checks health of existing On-Prem Service; no new setup.
Extract Credentials: Displays the credentials (including URL, tokens) from the generated onprem_details.txt file.
Create Credentials File: Rebuilds or updates the credential file from your config.yaml settings if needed.
Setup Certificate Renewal: Let’s Encrypt certificates created by the script are automatically renewed via a scheduled script that runs periodically.

Note: For a fresh installation, always start with “1) Full Setup.” The other options are useful if you’ve already installed the service or want to re-check or re-generate credentials.

Final Credential File

Upon successful completion of Full Setup, the script automatically generates a credential file (e.g., onprem_details.txt) in ~/onpremsharing/. Send this file to FenixPyre Support if requested, especially for advanced integration or troubleshooting.

Verification

By default, Full Setup already confirms the service health. However, these additional methods help if you want to re-check later or investigate any potential issues

Public API is checked at:
```
https://<YOUR_DOMAIN>/health
```
Private API (mTLS) is checked at:
```
https://<YOUR_VM_PUBLIC_IP>:8080/health
```
using the FenixPyre-provided certificates.

If these checks pass (the script typically shows “OK” or a JSON response with “status”: “OK”), your On-Prem Sharing Service is online and configured properly.

Although Full Setup includes a verification step, you can also:

Choose “2) Verify Deployment” from the script’s menu.
- This option re-runs the public and private API health checks without reinstalling anything.

Manually Run curl or Inspect Logs

Public API:
```
curl -k https://<YOUR_DOMAIN>/health
```

Private API (mTLS):

curl -k --cert ./onpremsharing/certs/mtls/server.crt \
     --key ./onpremsharing/certs/mtls/server.key \
     https://<YOUR_VM_PUBLIC_IP>:8080/health

Docker Logs:

cd ~/onpremsharing
docker compose logs onprem

Known Issues

Single-File Download: Only single-file downloading is currently supported.
Opening Files: Opening files is not yet fully supported and may exhibit unexpected behavior.
Favourites: Marking files as favourites is not fully implemented; please refrain from using it until a future update.

Frequently Asked Questions

Certificate Management

How can I forcefully renew the certificates?

You can force certificate renewal using the following commands:

For MinIO:

sudo certbot renew --cert-name your-minio-domain.com --deploy-hook /path/to/minio/scripts/cert-deploy-hook.sh --force-renewal --verbose

For OnPrem Service:

sudo certbot renew --cert-name your-onprem-domain.com --deploy-hook /path/to/onpremsharing/scripts/cert-deploy-hook.sh --force-renewal --verbose

The --force-renewal flag forces renewal regardless of expiration date, and --verbose provides detailed output for troubleshooting.

How do I check when my certificates will expire?

You can check certificate expiration dates with:

sudo certbot certificates

This will list all certificates managed by certbot, including their expiration dates.

Can I use my own certificates instead of Let's Encrypt?

Yes, both scripts support manual certificate placement. When prompted for TLS options, select the manual option and place your certificates in the appropriate directories:

For MinIO: ./minio/certs/minio/private.key and ./minio/certs/minio/public.crt
For OnPrem Service: ./onpremsharing/certs/ssl/server.key and ./onpremsharing/certs/ssl/server.crt

Service Management

How do I restart the services after making configuration changes?

Navigate to the service directory and use Docker Compose:

# For MinIO
cd ./minio
sudo docker compose restart

# For OnPrem Service

cd ./onpremsharing
sudo docker compose restart

How can I view the logs for the services?

Application logs are stored in the following locations:

OnPrem Service: ./onpremsharing/logs/ directory
MinIO: Logs are available through Docker Compose logs command
PostgreSQL: Logs are available through Docker Compose logs command

You can also access these logs directly from the container:

# For OnPrem Service logs
sudo docker exec onprem cat /app/logs/app.log

# For MinIO logs
sudo docker exec minio cat /var/log/minio/minio.log

Security and Credentials

How can I change the MinIO credentials after initial setup?

You can update the credentials in the docker-compose.yaml file and restart the service:

cd ./minio
# Edit docker-compose.yaml to update MINIO_ROOT_USER and MINIO_ROOT_PASSWORD
sudo docker compose down
sudo docker compose up -d

How do I backup my configuration and data?

For MinIO, backup the ./minio/data directory. For OnPrem Service, backup:

./onpremsharing/config.yaml
./onpremsharing/certs directory
PostgreSQL data volume (requires Docker volume backup)

Integration and Usage

How do I verify that my setup is working correctly?

Both scripts include health check functionality. You can also manually verify:

MinIO: Visit https://<MINIO_DOMAIN>/minio/health/ready
OnPrem Public API: Visit https://<ONPREM_DOMAIN>/health
OnPrem Private API: Use curl with mTLS certificates to access https://<VM_PUBLIC_IP>:8080/health

For help or questions:

Last updated 1 month ago

Was this helpful?

How to Configure On-Prem Secure Sharing Solution

Pre-Deployment

1. Provision Two VMs

2. Update DNS

3. Install Docker & Docker Compose (Both VMs)

4. Download & Run `setup_minio.sh` on VM A

5. Download `setup_onprem.sh` on VM B

Registration with FenixPyre

Deployment Steps

1. Run the On-Prem Service Script from the VM B terminal:

2. Choose “Full Setup” (Option 1)

Other Menu Options

Final Credential File

Verification

Known Issues

Frequently Asked Questions

Certificate Management

Service Management

Security and Credentials

Integration and Usage

Pre-Deployment

1. Provision Two VMs

2. Update DNS

3. Install Docker & Docker Compose (Both VMs)

4. Download & Run `setup_minio.sh` on VM A

5. Download `setup_onprem.sh` on VM B

Registration with FenixPyre

Deployment Steps

1. Run the On-Prem Service Script from the VM B terminal:

2. Choose “Full Setup” (Option 1)

Other Menu Options

Final Credential File

Verification

Known Issues

Frequently Asked Questions

Certificate Management

Service Management

Security and Credentials

Integration and Usage

Pre-Deployment

1. Provision Two VMs

2. Update DNS

3. Install Docker & Docker Compose (Both VMs)

4. Download & Run setup_minio.sh on VM A

5. Download setup_onprem.sh on VM B

Registration with FenixPyre

Deployment Steps

1. Run the On-Prem Service Script from the VM B terminal:

2. Choose “Full Setup” (Option 1)

Other Menu Options

Final Credential File

Verification

Known Issues

Frequently Asked Questions

Certificate Management

Service Management

Security and Credentials

Integration and Usage

Pre-Deployment

1. Provision Two VMs

2. Update DNS

3. Install Docker & Docker Compose (Both VMs)

4. Download & Run setup_minio.sh on VM A

5. Download setup_onprem.sh on VM B

Registration with FenixPyre

Deployment Steps

1. Run the On-Prem Service Script from the VM B terminal:

2. Choose “Full Setup” (Option 1)

Other Menu Options

Final Credential File

Verification

Known Issues

Frequently Asked Questions

Certificate Management

Service Management

Security and Credentials

Integration and Usage

4. Download & Run `setup_minio.sh` on VM A

5. Download `setup_onprem.sh` on VM B

4. Download & Run `setup_minio.sh` on VM A

5. Download `setup_onprem.sh` on VM B