SendSecure On-Premises Installation Procedure

Administrator -

This article provides all information and procedure to perform an installation of SendSecure On-Premises system according to your environment and needs.

Contents

Pre-Requisites / Pre-Installation: All requirements to be met and mandatory steps to be performed – by the customer – before starting the SendSecure installation.
Installation & Configuration: All steps to follow – under supervision of XMedius Professional Service Team – to install all SendSecure components (from OS installation to final configuration).
Appendix: Additional references and optional procedure steps that may be required according to the SendSecure installation context and/or the specificities of the local network infrastructure (self-signed certificate for testing, proxy configurations, use of an alternative database).

Pre-Requisites / Pre-Installation

All the following must be observed/configured before starting the SendSecure installation:

Recommended Server Resources

Note: SendSecure can be either installed on a single host or deployed according to more complex scenarios (examples are provided here: SendSecure On-Premises Deployment: Typical Scenarios).
The Server(s) hosting the SendSecure services must have the following minimum resources:
  • At least 2 logical core processors (recommended: 4).
  • At least 8GB RAM (recommended: 16GB).
  • At least 4TB of disk space for storing SendSecure files.
    Note: This storage space can either be on the File Server's host, or on a NAS or other shared storage which will be mounted on the File Server's host.

Network Requirements

Tip: To help you better understand the following network requirements, see SendSecure On-Premises Deployment: Typical Scenarios.

  • An SMTP relay server is required for sending the SendSecure outgoing emails (notifications).
  • The server hosting the SendSecure Application must have an Internet connection.
  • Your corporate firewall must be properly configured for the following:
    • The server(s) hosting the following services must be accessible from the internet through https (port 443):
      • SendSecure (Login, Portal and SendSecure services)
      • File Server
    • Depending on your deployment scenario, you must ensure that:
      • The PostgreSQL database server will be accessible by both the SendSecure Application server and the Key Management Server through port 5432 (by default), and
      • The Key Management Server will be accessible by the SendSecure Application server through https (port 443).
    • The server running the SendSecure service needs to be able to send outgoing emails and therefore needs to be able to contact the SMTP relay server.
  • If your company does not have a local NTP server, you must ensure to allow UDP outbound calls to port 123.
  • DNS entries must be properly configured for each of the SendSecure services (see DNS Configuration)

DNS Configuration


  1. Plan the IP addresses that will be assigned to your SendSecure servers.
  2. Ensure the following hosts are resolvable in your DNS (internally and on the Internet):
    • postgresql.<your-domain.com>
    • kms.<your-domain.com>
    • portal.<your-domain.com>
    • login.<your-domain.com>
    • sendsecure.<your-domain.com>
    • fileserver.<your-domain.com>
    For example, in bind:
    1. add the following lines to the internal zone file for your domain:
      server1       IN     A      <Internal IP address>
      
      postgresql    IN     CNAME  server1
      kms           IN     CNAME  server1
      portal        IN     CNAME  server1
      login         IN     CNAME  server1
      sendsecure    IN     CNAME  server1
      fileserver    IN     CNAME  server1
    2. Do the following for the external bind zone file:
      server1       IN     A      <Public IP address>
      
      portal        IN     CNAME  server1
      login         IN     CNAME  server1
      sendsecure    IN     CNAME  server1
      fileserver    IN     CNAME  server1
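
Before moving on to the installation, it is worth confirming that the records above actually resolve from the hosts that will use them. The following script is an added example, not part of the XMedius procedure; it checks every SendSecure host name of a domain against the address you expect, using getent(1) so it runs on any Linux host. The internal view covers all six names, the external view only the four published in the external zone above (postgresql and kms are deliberately not published). The host-name lists and the example.com domain in the usage line are the only assumptions.

```shell
#!/bin/sh
# Added example (not part of the XMedius procedure): pre-installation DNS
# check for the SendSecure host names. Resolution goes through getent(1),
# so the script can be run from any host on the network.

# Host names that must resolve on the internal network.
INTERNAL_HOSTS="postgresql kms portal login sendsecure fileserver"
# Host names that must resolve from the Internet (postgresql and kms are
# intentionally absent from the external zone).
EXTERNAL_HOSTS="portal login sendsecure fileserver"

# resolve_a NAME : prints the first IPv4 address NAME resolves to, or nothing.
resolve_a() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# check_sendsecure_dns DOMAIN EXPECTED_IP [internal|external]
# Returns 0 when every host name in the selected set resolves to EXPECTED_IP,
# 1 otherwise; each mismatch is reported on stderr.
check_sendsecure_dns() {
    domain=$1; expected=$2; view=${3:-internal}
    case $view in
        internal) hosts=$INTERNAL_HOSTS ;;
        external) hosts=$EXTERNAL_HOSTS ;;
        *) echo "unknown view: $view" >&2; return 2 ;;
    esac
    status=0
    for h in $hosts; do
        fqdn="$h.$domain"
        got=$(resolve_a "$fqdn")
        if [ -z "$got" ]; then
            echo "FAIL $fqdn does not resolve" >&2; status=1
        elif [ "$got" != "$expected" ]; then
            echo "FAIL $fqdn resolves to $got, expected $expected" >&2; status=1
        else
            echo "ok   $fqdn -> $got"
        fi
    done
    return $status
}

# Usage: sh check-dns.sh example.com 192.0.2.10 internal
if [ $# -ge 2 ]; then
    check_sendsecure_dns "$@"
fi
```

Run it once from inside the network with the internal address and once from outside (or from a host that uses a public resolver) with the public address; a non-zero exit status means at least one record is missing or points elsewhere.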

Other Requirements & Planning

Enterprise Name

During SendSecure initial configuration, you will need to create one or several "Enterprises".

This requires planning the following for each Enterprise:
  • A Display Name, for example "My Enterprise"; and
  • A unique identifier, for example "myenterprise" (note that you will not be able to change it afterwards).

Credentials

During the installation of SendSecure components, you will need to define several credentials (username + password).

It is recommended to prepare and securely store them prior to starting the installation. Here are the details:

  User type                               Default username
  Database user                           xmedius
  Server local administrator              sendsecure
  SendSecure application administrator    Administrator

SendSecure License

A SendSecure license activation code is required from XMedius to be able to use the product.

You will receive this code by email with instructions to use it.

Twilio Account

A Twilio account is required to enable the sending of SMS and/or voice calls to SendSecure users.

Visit https://www.twilio.com for more information to obtain such an account.

During SendSecure installation, you will be prompted to enter:
  • Your Twilio Account SID,
  • Your Twilio Auth Token, and
  • The phone number (owned by your company) that will be displayed as "from" number for the SMS/voice calls.

Google reCAPTCHA

If you are planning to use the Secure Links functionality in SendSecure, it is required to register your SendSecure domain to use the Google reCAPTCHA API in order to prevent unwanted creation of SafeBoxes by robots. Note that you need to have a Google account to perform the registration.

To get reCAPTCHA for your SendSecure system:
  1. Go to https://www.google.com/recaptcha/intro/invisible.html.
  2. Click on Get reCAPTCHA.
  3. Login with your Google account.
  4. Register a new site with the following info:
    • Label: sendsecure.your-domain.com: Secure Links
    • Type of reCAPTCHA: reCAPTCHA V2
    • Domains: sendsecure.your-domain.com
During SendSecure installation, you will be prompted to enter:
  • Your reCAPTCHA Site Key, and
  • Your reCAPTCHA Secret Key.

SSL Certificates

SSL Certificates are required for each SendSecure domain:
  • kms.<your-domain.com>
  • login.<your-domain.com>
  • portal.<your-domain.com>
  • sendsecure.<your-domain.com>
  • fileserver.<your-domain.com>

You need to obtain a signed certificate from a trusted certificate authority in order to make SendSecure usable by users.

Follow the instructions below to create a certificate signing request (see Creating a multi-host certificate signing request).

Creating a multi-host certificate signing request

Note: If you simply want to test SendSecure, you can use a self-signed certificate: skip this step for now, you will do it during the installation of the SendSecure Application.
Attention: A self-signed certificate should be used for testing only. SendSecure will not be usable by users unless the certificates are signed by a trusted certificate authority (prior to SendSecure installation).

To create a multi name certificate signing request:

  1. Create an openssl.cnf file containing the following:
    [req]
    default_bits = 2048
    default_md = sha256
    prompt = no
    req_extensions = req_ext
    distinguished_name = dn
    
    [ dn ]
    # Country Name (2 letter code)
    C = <Country>
    # State or Province Name (full name)
    ST = <State or Province>
    # Locality Name (eg, city)
    L = <City>
    # Organization Name (eg, company)
    O = <Organization>
    # Organizational Unit Name (eg, section)
    OU = <Organizational Unit>
    # Common Name
    CN = sendsecure.<your-domain.com>
    # email address
    emailAddress = <email address>
    
    [ req_ext ]
    subjectAltName = @alt_names
    
    [ alt_names ]
    DNS.1 = kms.<your-domain.com>
    DNS.2 = login.<your-domain.com>
    DNS.3 = portal.<your-domain.com>
    DNS.4 = sendsecure.<your-domain.com>
    DNS.5 = fileserver.<your-domain.com>
    1. Enter the appropriate country, state, city, organization, organizational unit and email address.
    2. Replace <your-domain.com> with the domain used for SendSecure.
  2. Create the certificate signing request and private key:
    openssl req -new -nodes -out server.csr -keyout server.key -extensions req_ext -config openssl.cnf
You can now use this certificate signing request (server.csr) to obtain a certificate from a certificate authority.
Important: Keep the key (server.key) in a safe place with restricted access. You will need it for the SendSecure server(s).
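
The CSR step above is easy to get subtly wrong: if req_extensions is missing from the [req] section, or the alt_names section has a typo, openssl still produces a CSR, but without the SubjectAltName entries, and the CA issues a single-name certificate that the other SendSecure services cannot use. As an added example, not part of the XMedius procedure, the script below generates the same openssl.cnf from the domain name, creates the key and CSR with the private key readable by its owner only, and then reads the SANs back out of the CSR to confirm that all five host names are present before it is sent to the CA. The DN values (country, organization, e-mail) are constructed placeholders to replace.

```shell
#!/bin/sh
# Added example, not part of the XMedius procedure: generate openssl.cnf from
# a domain name, create key + CSR, and verify that every SendSecure host name
# is present as a SAN in the CSR. DN values are constructed placeholders.

SENDSECURE_HOSTS="kms login portal sendsecure fileserver"

# write_openssl_cnf DOMAIN OUTFILE : writes a request config equivalent to the
# one in the procedure, with DNS.n entries generated for every host name.
write_openssl_cnf() {
    domain=$1; out=$2
    {
        printf '[req]\ndefault_bits = 2048\ndefault_md = sha256\nprompt = no\n'
        printf 'req_extensions = req_ext\ndistinguished_name = dn\n\n'
        printf '[ dn ]\nC = CA\nST = Quebec\nL = Montreal\nO = Example Corp\n'
        printf 'OU = IT\nCN = sendsecure.%s\nemailAddress = admin@%s\n\n' "$domain" "$domain"
        printf '[ req_ext ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n'
        i=1
        for h in $SENDSECURE_HOSTS; do
            printf 'DNS.%d = %s.%s\n' "$i" "$h" "$domain"
            i=$((i + 1))
        done
    } > "$out"
}

# make_csr CNF KEYFILE CSRFILE : creates the private key and the CSR. The key
# is written under umask 077 so it is never group- or world-readable on disk.
make_csr() {
    ( umask 077 && openssl req -new -nodes -config "$1" -extensions req_ext \
        -keyout "$2" -out "$3" 2>/dev/null )
}

# csr_sans CSRFILE : prints the DNS SANs requested in the CSR, one per line.
csr_sans() {
    openssl req -noout -text -in "$1" \
        | awk '/Subject Alternative Name/ {getline; print}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# verify_csr_sans CSRFILE DOMAIN : returns 0 only if every expected host name
# is present as a SAN (a CSR built without the req_ext section fails here).
verify_csr_sans() {
    sans=$(csr_sans "$1")
    rc=0
    for h in $SENDSECURE_HOSTS; do
        if ! printf '%s\n' "$sans" | grep -qxF "$h.$2"; then
            echo "missing SAN: $h.$2" >&2; rc=1
        fi
    done
    return $rc
}

# Usage: sh make-csr.sh example.com
if [ $# -eq 1 ]; then
    write_openssl_cnf "$1" openssl.cnf \
        && make_csr openssl.cnf server.key server.csr \
        && verify_csr_sans server.csr "$1" \
        && echo "server.csr is ready to send to the CA"
fi
```

The same SAN check is worth repeating on the certificate that comes back from the CA (openssl x509 -noout -text -in server.crt), since some CAs require the alternative names to be entered in their portal in addition to the CSR.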

Installation & Configuration

Important: Before starting the installation, you must ensure that you followed all pre-installation steps described in Pre-Requisites / Pre-Installation.
Attention: It is highly recommended to perform the following installation under the supervision of XMedius Professional Service Team.

SendSecure requires the installation of all the following elements:

Installation on a single host (all-in-one):
  1. Operating System
  2. Apache HTTP Server
  3. Database
  4. SendSecure Application
  5. File Server
  6. Key Server

If you need to deploy some of the SendSecure components on separate servers, the following table provides the elements that require to be installed on each separate server (according to your own deployment scenario):

Installation on multiple hosts (distributed):
  • Database Server:
    1. Operating System
    2. Database
    OR, if you are going to use your own existing database server: Alternative Database Configuration
  • SendSecure Application Server:
    1. Operating System
    2. Apache HTTP Server
    3. SendSecure Application
  • File Server:
    1. Operating System
    2. Apache HTTP Server
    3. File Server
  • Key Server:
    1. Operating System
    2. Apache HTTP Server
    3. Key Server

Operating System Installation

The SendSecure components must be deployed on CentOS 7 Minimal (Linux) installed according to a specific procedure. All steps required to perform this OS installation are provided below.

  1. Download the CentOS 7 Minimal ISO:
    1. Go to http://isoredirect.centos.org/centos/7/isos/x86_64/
    2. Select a mirror.
    3. Select CentOS-7-x86_64-Minimal-xxxx.iso
  2. Install CentOS 7 Minimal:
    1. Choose English (United States) as the language.
    2. Configure System > Network & Hostname:
      1. Enable Ethernet (top-right button).
      2. Set the server Host name (bottom-left field) – for example sendsecure.<your-domain.com> – and click Apply.
      3. Click Configure (bottom-right button) and select IPv4 Settings.
      4. Select Method: Manual and Add an IPv4 Address for this server.
      5. Set the DNS servers and click Save.
      6. Click Done (top-left).
    3. Configure System > Installation Destination:
      1. In Device Selection, select the disk(s) where the system will be installed.
      2. In Other Storage Options > Partitioning, select I will configure partitioning.
      3. Click Done (top-left).
      4. In Manual Partitioning, create the following mount points and capacities (using "+" button):
        swap 8 192 MiB
        /boot 1 024 MiB
        /var/log 10 240 MiB (10 GiB)
      5. Plus the following:
        EITHER if the storage of the File Server is going to be external (NAS or shared storage):
        / (root) The remaining capacity
        OR if the storage of the File Server is going to be local (on this server):
        / (root) 20 480 MiB (20 GiB)
        /var/opt/xmedius/media The remaining capacity
        Note: The /var/opt/xmedius/media partition will contain all the encrypted files that are being transferred by SendSecure users (by default in .../fileserver), as well as the Audit Records (PDFs) of all SafeBoxes (by default in .../audit).
      6. Click Done (top-left).
    4. Configure Localization > Date & Time:
      1. Select your time zone (Region/City).
      2. Click Done (top-left).
    5. Click on Begin Installation (bottom-right).
    6. While the installation is in progress, create a user (which will be the server's local administrator):
      Note: It is not recommended to set a root password.
      User name: sendsecure
      Make this user administrator: check the box.
    7. Once installation is complete:
      1. Click on Reboot.
      2. Log in using SSH with the sendsecure user you created.
  3. If your network infrastructure includes a proxy to connect to the Internet, you must perform some additional configuration before continuing this procedure:

    See Configuring Proxy for Installation/Update Processes.

  4. Add the XMedius yum repository and update your system:
    sudo -E curl http://repos.xmedius.com/CentOS/sendsecure/sendsecure.repo -o /etc/yum.repos.d/sendsecure.repo && sudo yum -y update
  5. Configure the firewall to allow only the necessary traffic for SendSecure:
    1. Stop and disable "firewalld" (firewall settings will be managed through iptables):
      sudo systemctl stop firewalld && sudo systemctl disable firewalld
    2. Delete all existing rules:
      sudo iptables -F
    3. If any of the SendSecure Application, File Server or Key Server are going to be installed on this server, allow access to the HTTP and HTTPS ports:
      sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Allow incoming HTTP connections"
      sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "Allow incoming HTTPS connections"
    4. If the Database is going to be installed on this server but the SendSecure Application and the Key Server are going to be installed on separate servers, allow incoming connections from these servers (replace their respective IP addresses):
      sudo iptables -A INPUT -p tcp -s <SendSecure_App_Server_LAN_IP> --dport 5432 -j ACCEPT -m comment --comment "Allow incoming connections to Database from SendSecure"
      sudo iptables -A INPUT -p tcp -s <Key_Server_LAN_IP> --dport 5432 -j ACCEPT -m comment --comment "Allow incoming connections to Database from Key Server"
    5. Open the SSH port for remote management purposes:
      sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "Allow incoming SSH connections"
    6. Add some basic restrictions:
      sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP -m comment --comment "Block null packets"
      sudo iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP -m comment --comment "Force SYN packets check"
      sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP -m comment --comment "Reject XMAS recon packets"
      sudo iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Accept packets from localhost interface"
      sudo iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow established connections to receive replies"
      sudo iptables -P OUTPUT ACCEPT -m comment --comment "Allow all outgoing connections"
      sudo iptables -P INPUT DROP -m comment --comment "Block all incoming connections by default"
    7. Save the configuration:
      sudo yum -y install iptables-services
      sudo iptables-save | sudo tee /etc/sysconfig/iptables
      sudo systemctl restart iptables && sudo systemctl enable iptables
  6. Enable NTP service so that the server always has the accurate current date and time:
    sudo yum -y install ntp
    sudo systemctl enable ntpd && sudo systemctl start ntpd
    Note: By default, NTP synchronizes time with servers located on the Internet. If these servers are not reachable from your local server, you may need to use an NTP server within your network and perform the following additional steps:
    1. Edit the NTP service configuration to point to the NTP server within your network.
    2. Restart the NTP service:
      sudo systemctl restart ntpd
  7. (Optional) Mount a samba share for file storage:
    Note: The following example shows how to mount a Samba share on your system as file storage for the File Server. The example creates an automounting Samba share, which is preferable to a static mount using fstab. The SMB share will be mounted in /var/opt/xmedius/media.
    1. Install required packages:
      sudo yum -y install samba-client samba-common cifs-utils autofs
    2. Configure auto mount:
      1. Add a line for the share to /etc/auto.master:
        echo "/- /etc/auto.smbshare --ghost --timeout=300" | sudo tee -a /etc/auto.master
      2. Create a /etc/auto.smbshare file containing the configuration of the samba share:
        echo "/var/opt/xmedius/media -fstype=cifs,rw,noperm,user=[user],pass=[password],domain=[domain] ://[IP or hostname]/[shared directory]" | sudo tee /etc/auto.smbshare
      3. Hide credentials by making /etc/auto.smbshare readable only by root:
        sudo chmod 600 /etc/auto.smbshare
    3. Enable and start autofs service:
      sudo systemctl enable autofs && sudo systemctl start autofs
    4. Allow Apache to access CIFS volumes:
      sudo setsebool -P httpd_use_cifs on
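
The firewall step above (step 5) applies rules one command at a time and only sets the DROP policy at the end, so the host is briefly unfiltered after iptables -F, and a typo partway through leaves it in a mixed state. As an added example, not part of the XMedius procedure, the script below emits the same rule set in iptables-restore format, parameterised by the roles installed on the host and by the LAN addresses allowed to reach PostgreSQL, so it can be reviewed as a whole and then loaded atomically. Only the rule content from the procedure is reproduced; the FORWARD DROP policy is an addition (the host does not route) and the role names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the XMedius procedure): emit the SendSecure
# firewall rule set in iptables-restore format so it can be reviewed as a
# whole and loaded atomically. Rule contents follow the procedure; the
# role names and the FORWARD DROP policy are this example's own.

# sendsecure_rules ROLES [DB_CLIENT_IP ...]
#   ROLES         comma-separated subset of app,fileserver,keyserver,db
#   DB_CLIENT_IP  LAN addresses of the application and key servers that may
#                 reach PostgreSQL (only used with the db role)
sendsecure_rules() {
    roles=$1; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # block all incoming by default
    printf '%s\n' ':FORWARD DROP [0:0]'    # addition: this host does not route
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'   # allow all outgoing
    # Loopback and replies first, then the sanity drops, then the services.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT -m comment --comment "Accept packets from localhost interface"'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow established connections to receive replies"'
    printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP -m comment --comment "Block null packets"'
    printf '%s\n' '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP -m comment --comment "Force SYN packets check"'
    printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP -m comment --comment "Reject XMAS recon packets"'
    case ",$roles," in
        *,app,*|*,fileserver,*|*,keyserver,*)
            printf '%s\n' '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Allow incoming HTTP connections"'
            printf '%s\n' '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "Allow incoming HTTPS connections"'
            ;;
    esac
    case ",$roles," in
        *,db,*)
            # One rule per client address; no address means no remote DB access.
            for ip in "$@"; do
                printf '%s\n' "-A INPUT -p tcp -s $ip --dport 5432 -j ACCEPT -m comment --comment \"Allow incoming connections to Database from $ip\""
            done
            ;;
    esac
    printf '%s\n' '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "Allow incoming SSH connections"'
    printf '%s\n' 'COMMIT'
}

# accepted_tcp_ports : reads a rule set on stdin and prints the TCP ports that
# have an ACCEPT rule, one per line, for a quick review of what is exposed.
accepted_tcp_ports() {
    sed -n 's/.*--dport \([0-9]*\) -j ACCEPT.*/\1/p' | sort -un
}

# Usage: sh sendsecure-fw.sh app,db 10.0.0.5 10.0.0.6 > sendsecure.rules
if [ $# -ge 1 ]; then
    sendsecure_rules "$@"
fi
```

Load the file with sudo iptables-restore < sendsecure.rules, confirm with sudo iptables -S that the expected ports are open, then save it with sudo iptables-save | sudo tee /etc/sysconfig/iptables as in step 7. The accepted_tcp_ports helper gives a one-line summary of what the rule set exposes, which is the thing to read before loading it on a host that is reachable only over SSH.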

Apache HTTP Server Installation

  1. Install httpd:
    sudo yum -y install httpd mod_ssl ca-certificates
  2. Set up the SSL certificates directory:
    sudo mkdir -pv /etc/httpd/ssl
  3. Start and enable httpd:
    sudo systemctl start httpd && sudo systemctl enable httpd

Database Installation

Note: This section is an installation procedure for a PostgreSQL database only. If you are using another database, you can skip this installation; however you must specifically configure your database prior to SendSecure installation (see Alternative Database Configuration).
  1. Install PostgreSQL:
    sudo yum -y install postgresql-server postgresql-contrib && sudo postgresql-setup initdb
  2. Generate a self-signed certificate for PostgreSQL:
    1. Execute the following command:
      openssl req -new -newkey rsa:2048 -days 7300 -nodes -x509 -keyout psql.key -out psql.crt
    2. When prompted, answer the questions required for creating the certificate (Country, City, Organization, etc.).
    3. When asked for the "Common Name", answer with the domain name for PostgreSQL (e.g. postgresql.<your-domain.com>).
    4. Once the certificate is created, restrict access to the private key:
      chmod og-rwx psql.key
  3. Enable SSL and copy the certificate and key:
    sudo sed -i "s/#ssl = off/ssl = on/" /var/lib/pgsql/data/postgresql.conf
    sudo cp -v psql.crt /var/lib/pgsql/data/server.crt
    sudo cp -v psql.key /var/lib/pgsql/data/server.key
    sudo chown -v postgres:postgres /var/lib/pgsql/data/server.{key,crt}
    sudo chmod -v 600 /var/lib/pgsql/data/server.{key,crt}
  4. If the SendSecure Application and/or the Key Server are going to be installed on a server other than the PostgreSQL one, set the listen addresses (replace the IP address):
    sudo sed -i "/^#listen_addresses/c\listen_addresses = '<PostgreSQL_Host_LAN_IP>'" /var/lib/pgsql/data/postgresql.conf
  5. Start PostgreSQL and set it to start at boot:
    sudo systemctl start postgresql && sudo systemctl enable postgresql
  6. Install and execute the script to create databases and users:
    sudo yum -y install xmedius-postgresql-setup
    sudo /opt/xmedius/postgresql/setup-postgresql.sh
Important: You will need the database password entered during database creation for the configuration of both SendSecure and the Key Server.
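
The two sed edits in steps 3 and 4 match one exact form of the stock file (a line reading #ssl = off, a commented listen_addresses line) and change nothing, without any error, when the line looks different, for example on a file that was edited before. The functions below are an added example, not part of the XMedius procedure: they set each parameter explicitly whatever the current line looks like and then read the effective value back, so a run that did not take is reported immediately instead of being discovered when the application cannot connect. The file path is passed as an argument; /var/lib/pgsql/data/postgresql.conf is the one used in the procedure.

```shell
#!/bin/sh
# Added example, not part of the XMedius procedure: idempotent versions of the
# postgresql.conf edits from the Database Installation steps 3 and 4, with a
# read-back check. Requires GNU sed (as on CentOS 7).

# pg_set CONF PARAM VALUE : replace the existing line for PARAM, commented
# ("#param = ...") or not, with "PARAM = VALUE"; append one if none exists.
pg_set() {
    conf=$1; param=$2; value=$3
    if grep -Eq "^#?$param[[:space:]]*=" "$conf"; then
        sed -i -E "s|^#?$param[[:space:]]*=.*|$param = $value|" "$conf"
    else
        printf '%s = %s\n' "$param" "$value" >> "$conf"
    fi
}

# pg_get CONF PARAM : print the effective (uncommented) value of PARAM,
# trailing comment stripped; last definition wins as in PostgreSQL itself.
pg_get() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^#]*[^#[:space:]]).*/\1/p" "$1" | tail -n 1
}

# configure_pg_for_sendsecure CONF [LISTEN_IP] : enable TLS and, when a LAN
# address is given, listen on it. Returns 1 if either setting did not take.
configure_pg_for_sendsecure() {
    conf=$1; listen=$2
    pg_set "$conf" ssl on
    [ -n "$listen" ] && pg_set "$conf" listen_addresses "'$listen'"
    [ "$(pg_get "$conf" ssl)" = "on" ] \
        || { echo "ssl is not enabled in $conf" >&2; return 1; }
    if [ -n "$listen" ]; then
        [ "$(pg_get "$conf" listen_addresses)" = "'$listen'" ] \
            || { echo "listen_addresses is not set in $conf" >&2; return 1; }
    fi
}

# Usage (run as root, then restart PostgreSQL as in step 5):
#   sh pg-conf.sh /var/lib/pgsql/data/postgresql.conf 10.0.0.2
if [ $# -ge 1 ]; then
    configure_pg_for_sendsecure "$1" "$2"
fi
```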

SendSecure Application Installation

  1. Install RVM:
    sudo -E gpg --keyserver hkp://keys.gnupg.net --recv-keys D39DC0E3
    curl -sSL https://get.rvm.io | sudo -E bash -s stable
    sudo usermod -a -G rvm `whoami`
  2. Log out from your SSH session & re-log in.
  3. Install Ruby and dependencies:
    rvm requirements
    rvm install ruby-2.3.3
    gem install bundler
  4. Install RPMs:
    sudo yum -y install xmedius-portal xmedius-login xmedius-sendsecure
  5. Create a directory for your SSL certificate and private key:
    mkdir -pv ~/.ssl
  6. (Optional) If you are installing SendSecure for testing purposes only, you can use a self-signed certificate. Follow the instructions to create it (see Creating a self-signed certificate) before continuing.
  7. From the system where you have the signed certificate and key, copy them to the .ssl directory:
    (Replace <your-domain.com> with the domain used for SendSecure)
    scp server.crt sendsecure@sendsecure.<your-domain.com>:/home/sendsecure/.ssl
    scp server.key sendsecure@sendsecure.<your-domain.com>:/home/sendsecure/.ssl
  8. Copy SSL certificate and key and create symbolic links for Portal, Login and SendSecure services:
    sudo cp -v ~/.ssl/server.crt /etc/httpd/ssl/server.crt
    sudo cp -v ~/.ssl/server.key /etc/httpd/ssl/server.key
    sudo ln -sfv server.crt /etc/httpd/ssl/xmedius-portal.crt
    sudo ln -sfv server.key /etc/httpd/ssl/xmedius-portal.key
    sudo ln -sfv server.crt /etc/httpd/ssl/xmedius-login.crt
    sudo ln -sfv server.key /etc/httpd/ssl/xmedius-login.key
    sudo ln -sfv server.crt /etc/httpd/ssl/xmedius-sendsecure.crt
    sudo ln -sfv server.key /etc/httpd/ssl/xmedius-sendsecure.key
  9. Execute the SendSecure setup script:
    Note: If you are using a database other than PostgreSQL, see the additional required pre-configuration instructions in order to correctly install the SendSecure application: Alternative Database Configuration.
    rvmsudo_secure_path=1 rvmsudo /opt/xmedius/portal/script/setup.sh
    1. Read and accept the terms of the license agreement.
    2. You will be prompted for the following information:
      Domain Suffix: Enter the domain that will be used for your SendSecure services (<your-domain.com>).
      SMTP Relay Server: Enter the host name or IP address of the SMTP relay server that will be used by postfix to send outgoing emails. Press Enter if you want to skip this step and configure postfix manually.
      From Address: Choose the "From" address that will be used for outgoing email sent by SendSecure.
      Database Password: Enter the database role password that you previously created during database installation.
      Database System: Enter the type of database that was installed: postgresql (default), mysql, mssql or oracle.
      Database Host: Enter the host name or IP address of the server where the database was installed (default: localhost).
      Audit Records Path: Enter the path where the Audit Records (PDFs) will be stored. Default value: /var/opt/xmedius/media/audit.
      Administrator Username: Choose a user name for the first SendSecure administrator (default value: "Administrator").
      Administrator Email: Enter the email address of the first SendSecure administrator.
      Administrator Password: Create a password for the first SendSecure administrator – and confirm it.
      Twilio Account SID: Enter the "Account SID" of your Twilio account, as provided by Twilio.
      Twilio Auth Token: Enter the "Auth Token" of your Twilio account, as provided by Twilio.
      Twilio Phone Number: Enter the phone number that will be displayed as "from" number for the SMS/voice calls.
      reCAPTCHA Site Key: Enter your reCAPTCHA Site Key, as provided by Google.
      reCAPTCHA Secret Key: Enter your reCAPTCHA Secret Key, as provided by Google.
      Note: Once you have verified that the information entered is correct, you will be warned that all current SendSecure configuration data will be overwritten.

      If this is your first SendSecure installation on this server, no data will actually be lost. Simply enter "confirm" to proceed.

  10. If your network infrastructure includes a proxy to connect to the Internet, you must perform some additional configuration before continuing this procedure:

    See Configuring Proxy for the SendSecure Application.

  11. Download and install the license using the activation code you received by email:
    sudo /opt/xmedius/portal/script/getlicense.sh <your_activation_code>
  12. You can now test that SendSecure is properly working.

Testing SendSecure After Installation

  1. Log in as an administrator:
    1. Using your Web browser, go to https://login.<your-domain.com>/admin
    2. Enter the SendSecure administrator username and password that you created during installation.
  2. Create an Enterprise:
    1. Click on Add New Enterprise.
    2. Enter the minimum required settings:
      • a Display Name
      • a Home Page (the unique identifier of the enterprise, as used in URLs)
        Note: The Home Page setting cannot be changed once the enterprise is created. Use the name that you defined while planning the installation (see Other Requirements & Planning).
    3. Click on Add.
  3. Create a user:
    1. Click on More Actions for the enterprise you just created and select Users.
    2. Click on Add New User.
    3. Enter a Username, Email and Password for this user.
      Note: Choose an email address that you can monitor, to be able to test the user login.
    4. Click on Add.
  4. Test the created user:
    1. Log out from the administrator account.
    2. Click on the link sent by email to the user you just created.
    3. Complete the registration and log in to SendSecure.

File Server Installation

  1. Install custom mod_ssl, fileserver and fileserver-config packages:
    sudo yum -y install epel-release && sudo yum -y install xmedius-sendsecure-fileserver-mod_ssl xmedius-sendsecure-fileserver-mod_xmss xmedius-sendsecure-fileserver-config
  2. If not already done on this server as part of the SendSecure Application installation, retrieve and copy your SSL certificate and private key:
    1. Create a directory for certificate and key:
      mkdir -pv ~/.ssl
    2. From the system where you have the signed certificate and key, copy them to the .ssl directory:
      (Replace <your-domain.com> with the domain used for SendSecure)
      scp server.crt sendsecure@sendsecure.<your-domain.com>:/home/sendsecure/.ssl
      scp server.key sendsecure@sendsecure.<your-domain.com>:/home/sendsecure/.ssl
    3. Copy certificate and key to the Apache HTTP Server SSL folder:
      sudo cp -v ~/.ssl/server.crt /etc/httpd/ssl/server.crt
      sudo cp -v ~/.ssl/server.key /etc/httpd/ssl/server.key
  3. Create symbolic links for File Server certificate and key:
    sudo ln -sfv server.crt /etc/httpd/ssl/xmedius-fileserver.crt
    sudo ln -sfv server.key /etc/httpd/ssl/xmedius-fileserver.key
  4. If your network infrastructure includes a proxy to connect to the Internet, you must perform some additional configuration before continuing this procedure:

    See Configuring Proxy for the Anti-Virus.

  5. Execute configuration script for fileserver:
    sudo /opt/xmedius/fileserver/scripts/configure_fileserver.sh
    After accepting the terms of the license agreement, you will be prompted to enter the following information:
    Storage path: The directory to which encrypted SendSecure files will be saved. Default value: /var/opt/xmedius/media/fileserver.
    If executing the script on a server which does not have SendSecure installed, you will also be prompted to enter the following information:
    URL Secret Key: The URL secret key for SendSecure (must be identical to the 'xmss_url_secret_key' value from the SendSecure /opt/xmedius/sendsecure/config/secrets.yml file).
    JWT Secret Key: The JWT secret key for SendSecure (must be identical to the 'xmss_jwt_secret_key' value from the SendSecure /opt/xmedius/sendsecure/config/secrets.yml file).
    Private FileServer Token: The private FileServer token (must be identical to the 'api_private_fileserver_token' value from the SendSecure /opt/xmedius/sendsecure/config/secrets.yml file).
    Private SendSecure Token: The private SendSecure token (must be identical to the 'api_private_sendsecure_token' value from the SendSecure /opt/xmedius/sendsecure/config/secrets.yml file).
    SendSecure hostname: The hostname for SendSecure (e.g. sendsecure.<your-domain.com>).
    FileServer hostname: The hostname for the File Server (e.g. fileserver.<your-domain.com>).
  6. (Optional) To use Amazon S3 instead of local file system to store encrypted files:
    1. Edit the file /etc/httpd/conf.d/xmss.conf.
    2. Delete or comment out the following lines:
      XmssUseFileSystemStorage On
      XmssFileSystemStoragePath /var/opt/xmedius/media/fileserver
    3. Add the following lines:
      XmssStore s3
      XmssStoreHost s3.amazonaws.com
      XmssStoreRegion <StoreRegionName>
      XmssStoreBucket <StoreBucketName>
      XmssStoreAccessKeyId <StoreAccessKeyId>
      XmssStoreSecretAccessKey <StoreSecretAccessKey>
      Note: Replace <StoreRegionName>, <StoreBucketName>, <StoreAccessKeyId> and <StoreSecretAccessKey> with the proper values to give access to the S3 Store Bucket.
    4. If your network infrastructure includes a proxy to connect to the Internet, you must perform some additional configuration before continuing this procedure:

      See Configuring Proxy for Apache HTTP Server.

    5. Save the file and restart Apache:
      sudo systemctl restart httpd
  7. Configure the SendSecure application to use the File Server:
    1. Log in as an administrator to the SendSecure portal using a Web Browser.
    2. Go to System > File Servers.
    3. Click on Add File Server and enter the URL of the File Server (e.g. https://fileserver.your-domain.com)
    4. Wait for one minute to verify that the server status becomes Online (manual refresh needed).

Key Server Installation

  1. Install key server:
    sudo yum -y install xmedius-sendsecure-keyserver
  2. If not already done on this server as part of the SendSecure Application installation, retrieve and copy your SSL certificate and private key:
    1. Create a directory for certificate and key:
      mkdir -pv ~/.ssl
    2. From the system where you have the signed certificate and key, copy them to the .ssl directory:
      (Replace <your-domain.com> with the domain used for SendSecure)
      scp server.crt sendsecure@sendsecure.<your-domain.com>:/home/sendsecure/.ssl
      scp server.key sendsecure@sendsecure.<your-domain.com>:/home/sendsecure/.ssl
    3. Copy certificate and key to the Apache HTTP Server SSL folder:
      sudo cp -v ~/.ssl/server.crt /etc/httpd/ssl/server.crt
      sudo cp -v ~/.ssl/server.key /etc/httpd/ssl/server.key
  3. Create symbolic links for Key Server certificate and key:
    sudo ln -sfv server.crt /etc/httpd/ssl/xmedius-kms.crt
    sudo ln -sfv server.key /etc/httpd/ssl/xmedius-kms.key
  4. If you are installing the Key Server on a separate host from the SendSecure Application, execute the following additional commands:
    sudo yum -y install policycoreutils-python
    sudo semanage port -a -t http_port_t -p tcp 4848
  5. Execute setup script:
    Note: If you are using a database other than PostgreSQL, see the additional required pre-configuration instructions in order to correctly install the Key Server: Alternative Database Configuration.
    sudo /opt/xmedius/keyserver/scripts/setup.sh
    After accepting the terms of the license agreement, you will be prompted to enter the following information:
    Domain Suffix: The domain that will be used for your SendSecure services (<your-domain.com>).
    Database Password: Enter the database role password that you previously created during database installation.
    Database System: Enter the type of database that was installed: postgresql (default), mysql, mssql or oracle.
    Database Host: Enter the host name or IP address of the server where the database was installed (default: localhost).
    If executing the script on a server which does not have SendSecure installed, you will also be prompted to enter the following information:
    Key Server Authentication Token: The authentication token for SendSecure (must be identical to the 'key_server_auth_token' value from the SendSecure /opt/xmedius/sendsecure/config/secrets.yml file).
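
When the File Server or the Key Server runs on a host without SendSecure, the values requested above must be identical to those in /opt/xmedius/sendsecure/config/secrets.yml on the SendSecure host (the four File Server prompts and the Key Server Authentication Token prompt). As an added example, not part of the XMedius procedure, the script below extracts those keys from that file by name and refuses to produce a partial list, so they can be copied exactly rather than retyped from a screen. It assumes the file holds one key: value pair per line, as in the constructed sample used to test it; the key names are the ones given in the procedure.

```shell
#!/bin/sh
# Added example, not part of the XMedius procedure: read the shared secrets
# that the File Server and Key Server setup scripts ask for from the
# SendSecure host's secrets.yml. Assumes one "key: value" pair per line; the
# key names are the ones listed in the procedure.

SECRETS_FILE=${SECRETS_FILE:-/opt/xmedius/sendsecure/config/secrets.yml}
FILESERVER_KEYS="xmss_url_secret_key xmss_jwt_secret_key api_private_fileserver_token api_private_sendsecure_token"
KEYSERVER_KEYS="key_server_auth_token"

# yaml_value FILE KEY : prints the scalar value of KEY (first occurrence),
# surrounding quotes and trailing comment removed; prints nothing if KEY is
# absent or has an empty value.
yaml_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*['\"]?([^'\"#]*[^'\"#[:space:]])['\"]?[[:space:]]*(#.*)?\$/\1/p" "$1" | head -n 1
}

# export_secrets FILE KEY... : prints KEY=VALUE lines for the requested keys
# and returns 1 if any key is missing or empty, so a partial set is never used.
export_secrets() {
    file=$1; shift; rc=0
    for k in "$@"; do
        v=$(yaml_value "$file" "$k")
        if [ -z "$v" ]; then
            echo "missing or empty: $k" >&2; rc=1
        else
            printf '%s=%s\n' "$k" "$v"
        fi
    done
    return $rc
}

# Usage on the SendSecure host; move the output over a secure channel only:
#   sudo sh export-secrets.sh fileserver > fileserver-secrets.env
if [ $# -eq 1 ]; then
    case $1 in
        fileserver) export_secrets "$SECRETS_FILE" $FILESERVER_KEYS ;;
        keyserver)  export_secrets "$SECRETS_FILE" $KEYSERVER_KEYS ;;
        *) echo "usage: $0 fileserver|keyserver" >&2; exit 2 ;;
    esac
fi
```

The output file carries the same secrets as secrets.yml and should be treated accordingly: keep it readable by root only while it is needed and delete it once the configure script on the other host has been run.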

Appendix

Important: The instructions found in this appendix are provided as references for optional steps of the above procedure.

Creating a self-signed certificate

This additional section describes how to create a self-signed certificate when needed for testing purposes.

Attention: A self signed certificate should be used for testing only. SendSecure will not be usable by users unless the certificates are signed by a trusted certificate authority.
  1. Create a certificate signing request (see Creating a multi-host certificate signing request).
  2. Create a self-signed certificate authority (CA) certificate:
    (Replace <your-domain.com> with the domain used for SendSecure)
    openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout sendsecure-ca.key -out sendsecure-ca.crt -subj /CN=sendsecure.<your-domain.com>
  3. Sign the certificate signing request that you created with the self-signed CA certificate:
    openssl x509 -req -days 365 -in server.csr -CA sendsecure-ca.crt -CAkey sendsecure-ca.key -CAcreateserial -out server.crt -extensions req_ext -extfile openssl.cnf -sha256
  4. On the server(s) that will be running the SendSecure services (Login, Portal, SendSecure, File Server and Key Server), add the CA certificate to the trusted certificates:
    sudo yum -y install ca-certificates
    sudo update-ca-trust force-enable
    sudo cp sendsecure-ca.crt /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust extract
  5. You need to add the certificate to the trusted certificates for the browser used to access SendSecure.
    1. Open the Certificates Snap-in:
      • If using Google Chrome as your browser for accessing SendSecure:
        1. Open the menu and click on "Settings"
        2. Click on "Show advanced settings..."
        3. Click on "Manage certificates..."
      • If using Internet Explorer:
        1. Click on Tools (gear icon) in the upper right part of the browser and click on "Internet Options"
        2. Go to the "Content" tab and click on "Certificates"
        3. Click on "Import..."
    2. Select your self-signed CA certificate ("sendsecure-ca.crt").
    3. Select "Place all certificates in the following store" and select "Trusted Root Certification Authorities" as the certificate store.
    4. Click "Next" and "Finish".
    Otherwise, if using Firefox:
    1. Open the "Certificate Manager":
      1. Click on the "Open menu" icon and select "Options".
      2. Click on "Advanced" and select "Certificates".
      3. Click on "View Certificates", then select "Authorities".
      4. Click on "Import".
    2. Select your self-signed CA certificate ("sendsecure-ca.crt").
    3. Select all the trust options and click "OK".
    4. Click "OK" to close the "Certificate Manager" window.
  6. You can now continue the SendSecure Application installation.
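The following script walks through steps 1 to 4 above end to end (multi-host CSR, throwaway CA, signing with the SANs carried over from openssl.cnf) and then proves the result with openssl verify, including a hostname check per service name. It is an added example and not part of the XMedius procedure: the domain example.test, the service host names (login, portal, files, keyserver, sendsecure), the CA common name and the temporary working directory are all assumptions; the real installation uses ~/.ssl and your own domain.

```shell
#!/bin/sh
# Added example (not from the XMedius guide): build a throwaway CA, sign a
# multi-host CSR whose SubjectAltNames cover the SendSecure service names,
# then verify chain and hostname coverage with openssl(1).
# Assumptions (constructed for this demo): the domain, the service host
# names, the CA common name and the working directory.
set -eu

SS_DOMAIN="${SS_DOMAIN:-example.test}"        # stands in for <your-domain.com>
WORKDIR="${WORKDIR:-$(mktemp -d)}"           # keeps generated files out of ~/.ssl

# Minimal openssl.cnf: [req_ext] carries the SANs and is reused both when the
# CSR is generated and when the CA signs it (-extensions req_ext); [v3_ca]
# marks the self-signed certificate as a CA so verifiers accept it as an issuer.
write_openssl_cnf() {
  cat > "$WORKDIR/openssl.cnf" <<EOF
[req]
distinguished_name = req_dn
req_extensions = req_ext
prompt = no

[req_dn]
CN = sendsecure.$SS_DOMAIN

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = sendsecure.$SS_DOMAIN
DNS.2 = login.$SS_DOMAIN
DNS.3 = portal.$SS_DOMAIN
DNS.4 = files.$SS_DOMAIN
DNS.5 = keyserver.$SS_DOMAIN

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Server key + CSR (the guide's "multi-host certificate signing request").
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
    -config "$WORKDIR/openssl.cnf" 2>/dev/null
}

# Self-signed CA. A CN distinct from the server CN is used (assumption) so
# that issuer and subject of the leaf certificate never collide.
make_ca() {
  openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -sha256 \
    -keyout "$WORKDIR/sendsecure-ca.key" -out "$WORKDIR/sendsecure-ca.crt" \
    -config "$WORKDIR/openssl.cnf" -extensions v3_ca \
    -subj "/CN=SendSecure Test CA" 2>/dev/null
}

# Sign the CSR with the CA; -extensions/-extfile copy the SANs into the
# certificate, because x509 -req does not carry CSR extensions over by itself.
sign_csr() {
  openssl x509 -req -days 365 -sha256 \
    -in "$WORKDIR/server.csr" -CA "$WORKDIR/sendsecure-ca.crt" \
    -CAkey "$WORKDIR/sendsecure-ca.key" -CAcreateserial \
    -extensions req_ext -extfile "$WORKDIR/openssl.cnf" \
    -out "$WORKDIR/server.crt" 2>/dev/null
}

# Chain check: succeeds only if server.crt chains to sendsecure-ca.crt.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/sendsecure-ca.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Hostname check: succeeds only if $1 is covered by the certificate's SANs.
cert_covers_host() {
  openssl verify -CAfile "$WORKDIR/sendsecure-ca.crt" \
    -verify_hostname "$1" "$WORKDIR/server.crt" >/dev/null 2>&1
}

main() {
  write_openssl_cnf && make_csr && make_ca && sign_csr
  verify_chain && echo "chain OK"
  cert_covers_host "login.$SS_DOMAIN" && echo "login.$SS_DOMAIN covered"
  cert_covers_host "smtp.$SS_DOMAIN" || echo "smtp.$SS_DOMAIN NOT covered (expected)"
  echo "files in $WORKDIR"
}

main
```

Run it with SS_DOMAIN set to the domain you use for SendSecure; the verify calls are the check worth keeping after the real procedure too, since a certificate that lacks a SAN for one service name will fail exactly that hostname check rather than the chain check.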

Proxy Configurations

If your network infrastructure includes a proxy to connect to the Internet, some additional steps are required to properly install and configure the SendSecure components.

Configuring Proxy for Installation/Update Processes

  1. Edit the file /etc/yum.conf and:
    1. Add the following line:
      (Use proper values for <PROXY_ADDRESS> and <PROXY_PORT>)
      proxy=http://<PROXY_ADDRESS>:<PROXY_PORT>/
    2. (optional) If credentials are required, also add the following lines:
      (Use proper values for <USERNAME> and <PASSWORD>)
      proxy_username=<USERNAME>
      proxy_password=<PASSWORD>
  2. Execute the following command (if no credentials are required):
    (Make sure to replace <PROXY_ADDRESS> and <PROXY_PORT>)
    sudo sh -c 'echo "export {http,https}_proxy=http://<PROXY_ADDRESS>:<PROXY_PORT>/" > /etc/profile.d/http_proxy.sh'
    OR if credentials are required:
    (Make sure to replace <USERNAME>, <PASSWORD>, <PROXY_ADDRESS> and <PROXY_PORT>)
    sudo sh -c 'echo "export {http,https}_proxy=http://<USERNAME>:<PASSWORD>@<PROXY_ADDRESS>:<PROXY_PORT>/" > /etc/profile.d/http_proxy.sh'
    Note: If the password contains characters that are not allowed in URLs (as per RFC 3986 - section 2), replace them by their escaped values; here are some examples:
      Character       @    :    !    #    $    %
      Escaped value   %40  %3A  %21  %23  %24  %25
  3. Log off & log in again.

Configuring Proxy for Apache HTTP Server

  1. Execute the following command (if no credentials are required):
    (Make sure to replace <PROXY_ADDRESS> and <PROXY_PORT>)
    sudo sh -c 'echo "https_proxy=http://<PROXY_ADDRESS>:<PROXY_PORT>/" >> /etc/sysconfig/httpd'
    OR if credentials are required:
    (Make sure to replace <USERNAME>, <PASSWORD>, <PROXY_ADDRESS> and <PROXY_PORT>)
    sudo sh -c 'echo "https_proxy=http://<USERNAME>:<PASSWORD>@<PROXY_ADDRESS>:<PROXY_PORT>/" >> /etc/sysconfig/httpd'
    Note: If the password contains characters that are not allowed in URLs (as per RFC 3986 - section 2), replace them by their escaped values; here are some examples:
      Character       @    :    !    #    $    %
      Escaped value   %40  %3A  %21  %23  %24  %25
  2. Execute the following command:
    (Make sure to replace <LOCAL_DOMAIN_SUFFIX> by your local domain suffix)
    sudo sh -c 'echo "no_proxy=127.0.0.1,localhost,<LOCAL_DOMAIN_SUFFIX>" >> /etc/sysconfig/httpd'
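The escaping tables in the two preceding sections (for /etc/profile.d/http_proxy.sh and for /etc/sysconfig/httpd) list six characters; the function below applies the general RFC 3986 rule, escaping every byte outside the unreserved set, and assembles the proxy URL so nothing is missed by hand. This is an added example, not part of the XMedius procedure; the account name svc-proxy, the sample password and the proxy host proxy.corp.example are constructed.

```shell
#!/bin/sh
# Added example (not from the XMedius guide): percent-encode proxy
# credentials per RFC 3986 section 2 and build the proxy URL that the guide
# has you write to /etc/profile.d/http_proxy.sh or /etc/sysconfig/httpd.
# The user name, password and proxy host below are constructed samples.
set -eu

# Encode every byte outside the RFC 3986 unreserved set
# (ALPHA / DIGIT / "-" / "." / "_" / "~") as %XX with upper-case hex.
# Works byte-wise, so non-ASCII characters become multi-byte escapes.
urlencode() {
  printf '%s' "$1" | od -An -tx1 -v | awk '
    BEGIN { hex = "0123456789abcdef" }
    {
      for (i = 1; i <= NF; i++) {
        h = tolower($i)
        n = (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1
        if ((n >= 48 && n <= 57) || (n >= 65 && n <= 90) || (n >= 97 && n <= 122) ||
            n == 45 || n == 46 || n == 95 || n == 126)
          printf "%c", n
        else
          printf "%%%02X", n
      }
    }'
}

# proxy_url USER PASSWORD HOST PORT -> http://user:pass@host:port/
# Both user name and password are encoded; host and port are used as given.
proxy_url() {
  printf 'http://%s:%s@%s:%s/\n' "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4"
}

# The exact line the guide places in /etc/profile.d/http_proxy.sh.
# Print and review it before writing it to the file.
profile_line() {
  printf 'export {http,https}_proxy=%s\n' "$(proxy_url "$1" "$2" "$3" "$4")"
}

# Constructed sample: a password containing every character from the
# guide's escaping table.
profile_line svc-proxy 'p@ss:w0rd!#$%' proxy.corp.example 3128
```

The sample prints export {http,https}_proxy=http://svc-proxy:p%40ss%3Aw0rd%21%23%24%25@proxy.corp.example:3128/. Keep in mind that /etc/profile.d scripts are sourced by every login shell and therefore readable by every local account, so the password in that line is too; a proxy account dedicated to these hosts limits what that exposure is worth.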

Configuring Proxy for the SendSecure Application

  1. Set proxy server name and port:
    sudo sed -i 's/proxy_address.*/proxy_address: "[proxy server address]"/' /opt/xmedius/sendsecure/config/app_config/on_premises.yml
    sudo sed -i 's/proxy_port.*/proxy_port: "[proxy server port]"/' /opt/xmedius/sendsecure/config/app_config/on_premises.yml
  2. If the proxy requires authentication, execute the following commands to set proxy server username and password:
    sudo sed -i 's/proxy_user.*/proxy_user: "[proxy server user name]"/' /opt/xmedius/sendsecure/config/app_config/on_premises.yml
    sudo sed -i 's/proxy_password.*/proxy_password: "[proxy server password]"/' /opt/xmedius/sendsecure/config/app_config/on_premises.yml

Configuring Proxy for the Anti-Virus

  1. Add your proxy port to the SELinux http_port_t port type:
    sudo yum -y install policycoreutils-python
    sudo semanage port -a -t http_port_t -p tcp [proxy server port]
  2. Set proxy server name and port:
    sudo sed -i '/^#HTTPProxyServer /c\HTTPProxyServer [proxy server address]' /etc/freshclam.conf
    sudo sed -i '/^#HTTPProxyPort /c\HTTPProxyPort [proxy server port]' /etc/freshclam.conf
  3. If the proxy requires authentication, execute the following commands to set proxy server username and password:
    sudo sed -i '/^#HTTPProxyUsername /c\HTTPProxyUsername [proxy server user name]' /etc/freshclam.conf
    sudo sed -i '/^#HTTPProxyPassword /c\HTTPProxyPassword [proxy server password]' /etc/freshclam.conf

Alternative Database Configuration

This section is a complement to the main installation procedure when using another database than PostgreSQL.

Supported databases are:

MySQL: Tested on MySQL 5.5 (lower versions were not tested).
Microsoft SQL Server: Tested on SQL Server 2012 (lower versions were not tested).
Oracle: Tested on Oracle Database 12.2 (lower versions were not tested).

Several additional configurations are required prior to SendSecure Application / Key Server installation:
  1. Configuring your Database
  2. Before Installing the SendSecure Application
  3. Before Installing the Key Server

Configuring your Database

Note: Your database server must be installed and ready to be used.

You must perform specific configurations on it in order to make it usable for SendSecure:

  1. Create a new user with username xmedius.
  2. Create the four following databases:
    • xmedius_login
    • xmedius_portal
    • xmedius_sendsecure
    • xmedius_keyserver
  3. Grant all privileges to user xmedius.
    Important: This user must have database owner role for all four databases or have the same permissions as a database owner.
  4. Open your database port in the firewall to allow incoming connections from the server(s) hosting the SendSecure Application and the Key Server.

Before Installing the SendSecure Application

In the SendSecure Application installation procedure, before executing the setup script:

  1. If you are using an Oracle Database, install the Oracle Instant Client.
  2. Edit the file /opt/xmedius/portal/config/database.yml:
    1. If your database server is not configured to listen on default port, add the line:
      port: <your database configured port>
    2. If you are using Microsoft SQL Server, add the line:
      dataserver: <your database host\database server instance>
  3. Edit the following two files the same way:
    • /opt/xmedius/login/config/database.yml
    • /opt/xmedius/sendsecure/config/database.yml

Before Installing the Key Server

In the Key Server installation procedure, before executing the setup script:

Edit the file /opt/xmedius/keyserver/config/configuration.properties:
  1. Change the current port setting to the listening port that is configured on your database server:
    port = <your database configured port>
  2. If you are using Microsoft SQL Server, add the line:
    dataserverInstance = <your database server instance>