Oxygen Storage Connector and Oxygen Authentication Connector Deployment and Installation Manual v2.8.6


Contents

Overview
Installation Pre-requisite checklist
Installation Requirements (per VM)
Prerequisite Details
Oxygen VM Deployment
PHASE 1 Network Configuration
PHASE 2 Storage Configuration
  Configure Your Atmos Storage Connectivity
  Configuring Your Storage for CIFS
  Configuring Your Storage for NAS (NFS)
  Configuring Your Storage for AWS S3 and compatible services
  Configuring Your Nirvanix Storage and compatible services
  Registering your Private Storage
PHASE 3 Authentication (AD/LDAP)
Appendix
  Storage Connector
  Authentication (AD/LDAP) Connector
  Troubleshooting
  Example deployment diagram
  Oxygen SSL Guide
  Verify/Backup the Certificates
Self-configuration checklist

Overview

Oxygen Cloud is a SaaS-based service which allows you to leverage your existing private storage rather than the public cloud, giving you greater control and security over your valuable data while still allowing anywhere access.

The Oxygen Storage Connector is a virtual appliance that allows Customers to store and access their encrypted data in a Private Storage Cloud behind their firewall.

The Oxygen Authentication (AD/LDAP) VM allows Customers to delegate user authentication to their existing infrastructure behind their firewall (e.g. an existing Active Directory), adding another layer of security controlled by the Customer's own IT security policies.

You can reuse the single .OVA for both services by deploying it twice: deploy one VM specifically for the private storage, and then deploy a second VM specifically for the authentication gateway.

Installation Pre-requisite checklist:

- Virtualization Environment (VMware ESX or Microsoft Hyper-V)

- DNS A record, e.g. oxygen.yourcompany.com

- SSL certificate from a Trusted Root CA vendor (e.g. GoDaddy, about $13)

- Static External Public IP Address at your datacenter

- Firewall rule allowing HTTPS for the VM (inbound TCP 443 and outbound TCP 443)

- NAT network route mapping the External IP Address to the Private IP Address of the VM

- Network access from the VM to the Storage and/or Authentication server (e.g. allowing port 389 to AD)

Installation Requirements (per VM)

Hardware Requirements:

Bare minimum: 2 cores @ 2.5 GHz, 2 GB RAM, 25 GB HD

Recommended: 4 cores @ 3.0 GHz, 4 GB RAM, 25 GB HD

High Performance: 8 cores @ 3.0 GHz, 8 GB RAM, 25 GB HD

Software Requirements: an Oxygen Cloud Account, and either VMware ESX/ESXi (4.0, 4.1, 5.0) with the vSphere Client, or Microsoft Hyper-V

Prerequisite Details:

1. Oxygen Cloud Account has been created:

a. If you have not already, sign up for an Oxygen Cloud account (http://oxygencloud.com)

2. A workstation or mobile device that has network connectivity (i.e. can reach the internet) with the latest Oxygen Cloud Client installed (http://oxygencloud.com/download)

3. Static Public IP Address

4. SSL certificates have been created: MANDATORY! SSL Certificate and Key matching your DNS entry (in PEM format as used by Apache Tomcat: cert.crt, intermediate.crt, and cert.key), which will be installed onto your Oxygen Storage Connector. The intermediate.crt IS REQUIRED.

a. An SSL certificate is absolutely required to use the OxygenVM Storage and/or Authentication service(s)!

b. Important Note: this CAN NOT be a self-signed certificate; it must come from a trusted CA vendor like Verisign, GoDaddy, etc. Clients validate the certificate chain up to a trusted root, and that validation is what prevents man-in-the-middle attacks.

c. When generating the .CSR file please be sure to create a no-password key as well. See the Oxygen SSL Guide section for more information.

d. **Oxygen Cloud does not provide or generate SSL certificates; it is the responsibility of the customer to generate and purchase them as needed. (See the Oxygen SSL Guide section.)

5. DNS is set up: Create a DNS (A) entry mapping the name on your SSL certificate (e.g. oxygen.yourcompany.com) to your Static Public IP Address at your datacenter.

6. Router + NAT and firewall are set up:

a. Prepare a static internal/private IP address that will be assigned to the VM, and map port 443 (SSL) from your external/public IP address to the static private IP address of the OxygenVM (inbound NAT / port mapping)

b. Firewall requirements:

* Allow ALL inbound traffic on HTTPS port 443 only

* Allow outbound to *.oxygencloud.com HTTPS port 443 only

* Allow inbound d2o54ray40ht1h.cloudfront.net (for desktop client autoupdates)

* We cannot specify permanent/static IP addresses, as our elastic cloud based infrastructure dynamically scales up and the necessary DNS entries may route you to a different IP address at any given time; firewall rules therefore have to be written against the DNS names above, not against fixed addresses.

7. Ensure your Storage is set up and accessible:

i. For NAS: Ensure the OxygenVM has internal routing/access to the Storage Server (i.e. for CIFS tcp port 445)

ii. For EMC Atmos: Ensure the Oxygen Storage Connector has internal routing/access to the Atmos Private Cloud Storage (i.e. tcp port 80 for HTTP or tcp port 443 for HTTPS)

iii. For AD/LDAP: Ensure the VM has routing access to your AD server (i.e. port 389, or 636 for Secure LDAP)

iv. Port 443 has been opened (inbound and outbound) to the VM. REQUIRED for operation

v. Ping and SSH enabled: It is advisable to allow ping as well as open SSH (port 22, at least temporarily) from a private subnet to the Oxygen VMs in the event that more advanced troubleshooting needs to be performed during deployment and testing. After REBOOT the OxygenVM firewall is reset to a locked down state.

8. ** Contact Oxygen Sales to receive your Oxygen Storage Connector License or to convert your Account to AD/LDAP based authentication
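The DNS, NAT and port prerequisites above can be checked from a machine on the VM's private subnet before the appliance is deployed, and again from the VM itself once SSH is enabled. The script below is an added example and is not part of the Oxygen appliance or this manual; it uses a plain TCP connect rather than ping because ping is disabled on the appliance by default, and every host, address and port in the usage line is an assumption taken from the manual's examples (203.0.113.10 is a documentation address standing in for your static public IP).

```shell
#!/bin/sh
# preflight.sh: checks the network prerequisites for an Oxygen VM deployment.
# Added example, not part of the Oxygen appliance. Needs only getent and
# either bash (for /dev/tcp) or nc.

# resolve_a NAME: print the IPv4 addresses NAME resolves to, one per line
resolve_a() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# check_a_record NAME EXPECTED_IP: 0 if NAME resolves to exactly EXPECTED_IP,
# i.e. the DNS A record points at the static public IP that is NATed to the VM
check_a_record() {
  got=$(resolve_a "$1")
  if [ -z "$got" ]; then
    echo "FAIL: $1 does not resolve"; return 1
  fi
  if [ "$got" = "$2" ]; then
    echo "OK: $1 -> $2"; return 0
  fi
  echo "FAIL: $1 -> $(echo "$got" | tr '\n' ' ')(expected $2)"; return 1
}

# check_tcp HOST PORT: 0 if a TCP connection to HOST:PORT succeeds within
# 3 seconds, non-zero if it is refused or filtered, 2 if no tool is available.
# A plain TCP connect is used on purpose: ping is off by default on the VM.
check_tcp() {
  if command -v bash >/dev/null 2>&1; then
    if command -v timeout >/dev/null 2>&1; then
      timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
    else
      bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
    fi
  elif command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
  else
    return 2
  fi
}

# oxygen_preflight PUBLIC_DNS PUBLIC_IP [HOST PORT]...
# Checks the A record first, then every HOST PORT pair (storage on 445 for
# CIFS, 80 or 443 for Atmos, AD on 389 or 636, ...). Prints one line per
# check and returns the number of failed checks.
oxygen_preflight() {
  fails=0
  check_a_record "$1" "$2" || fails=$((fails + 1))
  shift 2
  while [ "$#" -ge 2 ]; do
    if check_tcp "$1" "$2"; then
      echo "OK: tcp $1:$2 reachable"
    else
      echo "FAIL: tcp $1:$2 not reachable"; fails=$((fails + 1))
    fi
    shift 2
  done
  return "$fails"
}

# Usage (assumed values from the manual's examples):
#   oxygen_preflight oxygen.mycompany.com 203.0.113.10 \
#       10.10.10.250 445 10.10.10.235 389
# and, from the VM itself, the outbound rule:
#   check_tcp wgw.oxygencloud.com 443
```

Run it from the same subnet the VM will live on; a FAIL on the storage or AD port at this stage is the firewall or routing problem the Troubleshooting section later describes as a test timeout, and it is far cheaper to fix before the appliance is configured.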

Oxygen VM Deployment

*Before starting, verify you have fulfilled all of the pre-requisites (please see the self-configuration checklist at the end of this document):

1. DNS (A) record is set up corresponding to your SSL certificate/URL

2. SSL certificate, intermediate bundle, and no-password key in PEM format are available

3. Firewall, router, and NAT are properly set up and configured

4. Existing Storage (or Authentication AD/LDAP) is set up and configured as required (i.e. the "storage" directory is created when using CIFS or NFS)

5. Oxygen .OVA or .VHD is deployed in your virtual environment

6. Port 443 has been opened (inbound and outbound) to the VM

PHASE 1 Network Configuration

Ensure you have an internal static IP available for each OxygenVM, with the proper ports open between the OxygenVM and your storage or AD/LDAP authentication server(s). The OxygenVM does not support DHCP.

1. Select Complete RESET of the VM's configuration, type 'yes' -> Press the Enter key to REBOOT. **IMPORTANT NOTE: Oxygen follows the system administration best practice of resetting the firewall to a fully locked down state after a restart. Please be sure to re-enable these settings in the Console Menu after REBOOT if deemed necessary. This includes Ping, SSH, and UploadSSL**

2. Set up the IP address of the Oxygen VM

a. Select Configure Network Settings

b. Select Change the IP address, subnet mask, and gateway

c. Enter the static internal IP address, subnet, gateway, and DNS server

d. REBOOT

3. Set the VM hostname to match the URL of your SSL certificate (i.e. oxygen.mycompany.com)

a. Select Configure Network Settings -> Modify the Hostname

b. Enter the desired hostname and REBOOT (Note: this will overwrite the /etc/hosts file)

i. OPTIONAL: If needed you can add remote hosts (hostfile entries) to the VM under Configure Network Settings -> Add an entry to the /etc/hosts file

ii. To remove a hostfile entry, follow the above but leave the entry blank

c. REBOOT

4. Use ping to test connectivity: Modify Firewall -> Ping an Address

a. Ping from the VM Console Menu to your gateway IP address

b. Ping from the VM Console Menu to the DNS Server IP address

c. Ping from the VM Console Menu to any outside domain name (google.com)

d. Ping your storage device and/or AD/LDAP server

5. Modify the Firewall to allow ping (ICMP) from external sources

a. Ping from a workstation to the internal IP of the OxygenVM (must be on the same subnet)

6. Configure the Date, Time, and NTP Server from the main console menu

a. Set the Date

b. Set the Time

c. Set the NTP server (example): "ntp.nasa.gov" (This operation may take several minutes.)

**IMPORTANT NOTE: Oxygen follows the system administration best practice of using UTC**

The following steps are MANDATORY for use of the OxygenVM!

*BEFORE CONTINUING: Ensure you have your SSL certificate, intermediate, and key ready and available at this time.

7. Upload your SSL Certificates (oxygen.mycompany.crt, intermediate.crt, oxygen.mycompany.key)

a. Select Configure SSL, Date, Time, and NTP Server -> ADD your own SSL Certificate, Intermediate cert via Web UI. *Do NOT REBOOT the VM YET!

**IMPORTANT NOTE: Oxygen follows the security best practice of not allowing self-signed certificates** This enables the upload application and creates a one-time use, CASE SENSITIVE password.

**Do NOT REBOOT the VM until all the following steps have been completed!

b. Use a web browser to navigate to:

Example: https://10.10.10.221/UploadSSL/UploadSSL (CASE SENSITIVE)*

**IMPORTANT NOTE: *You will receive a website certificate error at this time, because your certificate has not been installed yet; please ignore it, continue to the Upload SSL page, then log in using the password provided in the OxygenVM Console Menu.

c. There are 3 items that MUST be uploaded: Certificate (cert.crt), Intermediate Bundle (intermediate.crt), Private (no password) Key (cert.key)

*Use a text editor to copy/paste into the window, and ENSURE the formatting is correct as outlined below.

d. Select the Upload cert.crt radio button

1. Copy/paste the cert.crt into the provided field and select the save button

e. Select Upload intermediate.crt, copy/paste the intermediate chain and select the "save" button

f. Select Upload cert.key, copy/paste your private key and select the "save" button

i. Validate each upload in the browser display at the bottom of the page for accuracy; after changing one item, the message at the bottom indicates that the SSL Certificate, Key, and Intermediate are not in sync.

ii. As you work through the process the result at the bottom will let you know if your Certificate, Intermediate, and Key combination don't match.

After uploading the intermediate, the message at the bottom indicates the Certificate and Intermediate match, but not the key.

Finally, after all three are loaded, the Certificate, Intermediate, and Key all match.

**IMPORTANT NOTE: Please use an advanced text editor such as Notepad++, as Microsoft's Notepad does not always maintain the proper formatting of the certificates, which can cause errors** (See the examples below.) A PEM block begins with a "-----BEGIN ...-----" line and ends with a "-----END ...-----" line (five hyphens on each side), each on its own line, with the base64 body in between wrapped at 64 characters per line. The body shown below is a placeholder, not a real certificate.

**Correct Format:

-----BEGIN CERTIFICATE-----
LDKSJLKNklngd;DSlkhvOIHLKNfcklaknLKHLKhnmn,LKHLKHbjbhvuyfFGjlghn
LDKSJLKNklngd;DSlkhvOIHLKNfcklaknLKHLKhnmn,LKHLKHbjbhvuyfFGjlghn
LDKSJLKNklngd;DSlkhvOIHLKNfcklaknLKHLKhnmn,LKHLKHbjbhvuyfFGjlghn
LDKSJLKNklngd;DSlkhvOIHLKNfcklaknLKHLKhnmn/kajhLKHJLKq=
-----END CERTIFICATE-----

**Incorrect Format (header missing hyphens, lines of uneven length, and the END marker fused onto the last line of the body):

--BEGIN CERTIFICATE---
LDKSJLKNklngd;DSlkhvOIHLKNfcklaknLKHLKhnmn,LKHLKHbjbhvuyfFGjlghnkjkjlk LDKSJLKNklngd;DSlkhvOIHLKNfcklaknLKHLKhnmn,LKHLKHbjbhvuyfFGjlghn
LDKSJLKNklngd;DSlkhvOIHLKNfcklaknLKHLKhnmn,LKHLKHbjbhvuyfFGjlghn,mnddfgdf
DKSJLKNklngd;DSlkhvOIHLKNfcklaknLKHLKhnmn/kajhLKHJLKq=---END CERTIFICATE---

g. When complete, log out from the web application and REBOOT by pressing Enter in the OxygenVM Console Menu to apply the changes

8. From the Console Menu, again verify the SSL Certificate, Intermediate, and Key match

a. Configure SSL, Date, Time, and NTP Server -> Verify that the current SSL key matches the SSL certificate

Cert and Key Match: the console prints two lines, one derived from the certificate and one from the key; they must be identical.

**IMPORTANT Note: If the two lines do not exactly match, or your /var/lib/ssl.cert.crt fails, you will need to Reset the SSL certificate, intermediate cert, and key, REBOOT, and start again from Step 7, "Upload your certificates".**

9. Configure SSL, Date, Time, and NTP Server -> Verify that the current SSL certificate matches the Intermediate chain (Cert and Intermediate Bundle)

10. Verify the SSL and External Public IP Address/DNS connectivity

a. Use the Console Menu to view and verify your new certificate as noted above

b. Navigate to https://oxygen.mycompany.com

i. Your browser will be blank, as no services are running at this time

c. Examine and verify the SSL certificate and intermediate chain via the web browser

**IMPORTANT NOTE: The only way to verify SSL is with the correct DNS name; if your DNS is not yet fully propagated it may be necessary to add a hosts-file entry on your local machine.**
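The formatting rules from step 7 and the match checks the console performs in steps 8 and 9 can all be run on a workstation before anything is pasted into the Upload SSL page, which avoids the reset-and-reboot cycle described above. The script below is an added example, not part of the Oxygen appliance or its documentation; it needs only the openssl command-line tool and assumes the three files carry the manual's names (cert.crt, intermediate.crt, cert.key). It also accepts the PKCS#8 "BEGIN PRIVATE KEY" header that current OpenSSL writes, and rejects a key that still has a password.

```shell
#!/bin/sh
# pem-check.sh: pre-upload checks for the three files the Upload SSL page
# expects (cert.crt, intermediate.crt, cert.key). Requires the openssl CLI.
# Added example; not part of the Oxygen appliance.

# pem_lint FILE LABEL_REGEX
# Exit 0 if FILE is clean PEM: each block opens with "-----BEGIN <label>-----"
# (five hyphens each side), closes with the matching "-----END <label>-----"
# on its own line, contains only base64 lines of at most 64 characters, uses
# LF line endings and has no text outside the blocks. LABEL_REGEX restricts
# the block type: "CERTIFICATE", or "(RSA |EC )?PRIVATE KEY" for the key,
# which also rejects an "ENCRYPTED PRIVATE KEY" (a key that still has a
# password). Every problem is printed with its line number.
pem_lint() {
  awk -v want="$2" '
    BEGIN { bad = 0; blocks = 0; inblk = 0 }
    /\r$/ { printf "line %d: CRLF line ending\n", NR; bad = 1; sub(/\r$/, "") }
    /^-----BEGIN [A-Z0-9 ]+-----$/ {
      if (inblk) { printf "line %d: BEGIN inside an open block\n", NR; bad = 1 }
      if (want != "" && $0 !~ ("^-----BEGIN " want "-----$")) {
        printf "line %d: unexpected block type: %s\n", NR, $0; bad = 1
      }
      inblk = 1; body = 0; endline = "-----END " substr($0, 12)
      next
    }
    /^-----END [A-Z0-9 ]+-----$/ {
      if (!inblk) { printf "line %d: END without BEGIN\n", NR; bad = 1; next }
      if ($0 != endline) { printf "line %d: END does not match BEGIN\n", NR; bad = 1 }
      if (body == 0) { printf "line %d: empty block\n", NR; bad = 1 }
      inblk = 0; blocks++
      next
    }
    inblk {
      if (length($0) > 64 || $0 !~ /^[A-Za-z0-9+\/=]+$/) {
        printf "line %d: not a base64 line: %s\n", NR, $0; bad = 1
      }
      body++; next
    }
    /^[[:space:]]*$/ { next }
    { printf "line %d: text outside a PEM block: %s\n", NR, $0; bad = 1 }
    END {
      if (inblk) { print "missing END line"; bad = 1 }
      if (blocks == 0) { print "no PEM block found"; bad = 1 }
      exit bad
    }
  ' "$1"
}

# cert_key_match CERT KEY
# Exit 0 if the public key inside CERT is the public half of KEY: the same
# test as the console's "Verify that the current SSL key matches the SSL
# certificate". Works for RSA and EC keys; an encrypted key fails (exit 2)
# instead of prompting, because -passin supplies an empty password.
cert_key_match() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
  key_pub=$(openssl pkey -pubout -passin pass: -in "$2" 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_verify CERT BUNDLE
# Exit 0 if CERT was issued (directly or through the chain) by a certificate
# in BUNDLE, the console's "certificate matches the intermediate chain" check.
# Only BUNDLE is trusted (-no-CAfile -no-CApath keeps the system store out),
# and -partial_chain lets BUNDLE stop at an intermediate rather than a root.
chain_verify() {
  openssl verify -no-CAfile -no-CApath -partial_chain \
    -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_upload_set DIR
# Runs every check against DIR/cert.crt, DIR/intermediate.crt and
# DIR/cert.key, in the order the Upload SSL page reports them.
check_upload_set() {
  dir=$1; ok=1
  pem_lint "$dir/cert.crt" "CERTIFICATE" || ok=0
  pem_lint "$dir/intermediate.crt" "CERTIFICATE" || ok=0
  pem_lint "$dir/cert.key" "(RSA |EC )?PRIVATE KEY" || ok=0
  [ "$ok" -eq 1 ] || { echo "fix the formatting problems above before uploading"; return 1; }
  cert_key_match "$dir/cert.crt" "$dir/cert.key" \
    || { echo "cert.crt and cert.key do not belong together"; return 1; }
  chain_verify "$dir/cert.crt" "$dir/intermediate.crt" \
    || { echo "cert.crt was not issued by the chain in intermediate.crt"; return 1; }
  echo "cert.crt, intermediate.crt and cert.key are consistent"
}

# Usage: sh pem-check.sh /path/to/directory-with-the-three-files
if [ "$#" -eq 1 ]; then
  check_upload_set "$1"
fi
```

The lint step catches exactly the defects the "Incorrect Format" sample shows (a BEGIN line with too few hyphens, an END marker glued to the last body line, CRLF endings from Notepad), and the two openssl checks reproduce what the console menu verifies after the reboot, so a clean run here means steps 8 and 9 will pass.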

PHASE 2 Storage Configuration

1. Follow the guide below to configure the OxygenVM for your specific storage type

2. Ensure you have your License ID and Key provided by Oxygen Sales before starting

Configure Your Atmos Storage Connectivity

1. ENABLE Private Storage Cloud functionality -> REBOOT

2. STORAGE Configuration -> Select which storage type to use for your Private Cloud -> Atmos

3. In your web browser navigate to (example) https://oxygen.mycompany.com/AppProperties/AppProperties (case sensitive). *Do NOT REBOOT yet!

4. Enter the password displayed in the console menu (case sensitive)

5. Select the "configure-atmos-storage" button

6. Configure your Atmos storage connector accordingly:

a. Enter the OID and Key (provided by Oxygen Cloud)

b. Set the public DNS name you set up (e.g. oxygen.mycompany.com); no http, https, or www needed

c. Set the Atmos hostname or IP address (hostname required if using port 443)

d. Set the Subtenant/UID (example: b56d054abd2c4de0a15df1ce1c3ce66e/oxygencloudstoragegw)

*Example Atmos Configuration:

- External DNS: atmosstorage.mycompany.com

- Internal Hostname (or IP address): myatmos.storage.net (MUST enter a hostname if using Atmos with SSL/443)

- Internal Port: 443

- Subtenant/UID: b56d054abd2c4de0a15df1ce1c3ce66e/oxygencloud

- Shared Secret: example7lrK1FOTLzHt92+fRjfE=

**IMPORTANT NOTE: the Oxygen UID's shared secret cannot contain a forward slash** (Example EMC Atmos Web Admin below:)

(Example Oxygen Web UI configuration below:)

7. Select the save-atmos button -> press Enter in the Oxygen VM Console Menu to REBOOT the VM

8. If using port 443 (HTTPS) to connect to your EMC Atmos you MUST import its SSL certificate into the VM; otherwise the connection test fails with a PKIX error. If using port 80 skip to Step 9.

a. Configure SSL, Date, Time, and NTP Server -> Import remote server's SSL Certificate

b. Enter the hostname/URL of the remote server and the port number (e.g. myatmos.storage.net 443)

c. Press Enter to import the certificate

d. REBOOT the VM

9. Test your Atmos connectivity:

a. STORAGE Configuration -> Test the connection to Atmos storage (should say "success").

**IMPORTANT Note: You only need to add the remote server's SSL certificate if using port 443/HTTPS on your Atmos.

Configuring Your Storage for CIFS

**IMPORTANT Note: the pre-requisite CIFS share, with a subfolder named "storage", should already be set up; the user MUST have read/write privileges to the 'storage' directory, and port 445 must be open and accessible from the OxygenVM's internal IP address.

1. ENABLE Private Storage Cloud functionality -> REBOOT

2. Storage Configuration -> Select which storage type to use for your Private Cloud -> CIFS

3. In your web browser navigate to https://your-domain-here/AppProperties/AppProperties (case sensitive). *Do NOT REBOOT yet!

4. Enter the password displayed in the console menu

5. Select the configure-cifs-storage button

6. Configure your CIFS settings accordingly:

a. Enter the OID and Key (provided by Oxygen Cloud)

b. Set the public DNS name, example: storage.mycompany.com; no http, https, or www needed

c. Set the CIFS server IP or DNS name, example: //10.10.10.250/sharename

d. Set the CIFS username (if in a domain use DOMAIN/username)

e. Set the CIFS user password

*Example CIFS Configuration:

- CIFS Server Address: //10.10.10.250/sharename or //cifsshare.mycompanyname.com/sharename

- Username: winshareuser or (DOMAIN/username: OXYGEN/winshareuser)

- Password: ThePassword

(The subfolder will be //10.10.10.250/sharename/storage.) Do NOT add "/storage" to the path!

7. Select the save-cifs button; you should see "CIFS storage settings saved successfully." in the browser. Press Enter in the OxygenVM Console Menu to REBOOT

8. Test your setup in the OxygenVM Console Menu:

a. STORAGE Configuration -> Test the CIFS storage configuration (lists the required "storage" folder and says "Test Successful")

9. Register your Private Storage as listed in the next section "Registering your Private Storage"

Configuring Your Storage for NAS (NFS)

**IMPORTANT Note: the pre-requisite NFS share, with a subfolder named "storage", should already be set up with full read/write permissions**

1. ENABLE Private Storage -> REBOOT

2. STORAGE Configuration -> Modify the Web Upload and Download configuration

a. Enter the Public DNS name of your OxygenVM (e.g. storage.mycompany.com)

b. REBOOT

3. STORAGE Configuration -> Modify the Oxygen Private Storage Cloud License Info (provided by Oxygen Cloud)

a. Enter your Gateway ID (no copy/paste)

b. Enter your Gateway Key (no copy/paste)

c. REBOOT

4. STORAGE Configuration -> Select which storage type to use for your Private Cloud -> NFS

5. Enter the NFS target (follow the console menu example format, e.g. IPADDRESS:/foldername).

*Example NFS Configuration below:

- Storage IP address: 10.10.10.221

- (The subfolder will be 10.10.10.221:/ifs/storage.) Do NOT add "/storage" to the path!

(Example OxygenVM configuration)

6. Press Enter to REBOOT

7. Register your Private Storage as listed in the next section "Registering your Private Storage"

Configuring Your Storage for AWS S3 and compatible services

*Copy/paste DOES NOT WORK in the console menu; please type your information carefully and double-check for typos before submitting!

1. ENABLE Private Storage Cloud -> REBOOT

2. STORAGE Configuration -> Modify the Web Upload and Download configuration

a. Enter the Public DNS name of your OxygenVM (e.g. oxygen.mycompany.com); no copy/paste

b. REBOOT

3. STORAGE Configuration -> Modify the Oxygen Private Storage Cloud License Info (provided by Oxygen Cloud)

a. Enter your Gateway ID (no copy/paste)

b. Enter your Gateway Key (no copy/paste)

c. REBOOT

4. STORAGE Configuration -> Modify the S3 (or S3 compatible) storage configuration

a. Enter your credentials as prompted. If using Amazon AWS leave the Service Endpoint blank.

i. Set the S3 Access Key

ii. Set the S3 Secret Access Key

iii. Set the S3 Bucket Name (e.g. BUCKETNAME.domain.com)

iv. Set the S3 Service Endpoint (NOT REQUIRED if using Amazon S3)

v. Set the port number (only ports 80 or 18080 (http), and 443 or 8443 (https*) are allowed)

* IF USING HTTPS (SSL) then from the Main Menu you must choose Modify the SSL -> Add remote server's certificate -> REBOOT the machine

5. Return to the Main Menu and REBOOT the machine

6. Register your Private Storage as listed in the next section

Configuring Your Nirvanix Storage and compatible services

*Copy/paste DOES NOT WORK in the console menu; please type your information carefully and double-check for typos before submitting!

1. Enable Private Storage Cloud -> REBOOT

2. STORAGE Configuration -> Modify the Web Upload and Download configuration

a. Enter the Public DNS name of your OxygenVM (e.g. storage.mycompany.com)

b. REBOOT

3. STORAGE Configuration -> Modify the Oxygen Private Storage Cloud License Info (provided by Oxygen Cloud)

a. Enter your Gateway ID (no copy/paste)

b. Enter your Gateway Key (no copy/paste)

c. REBOOT

4. STORAGE Configuration -> Nirvanix (or Nirvanix compatible) storage

5. Configure as necessary:

a. Enter the OID and KEY (provided by Oxygen Cloud)

b. Enter the Public DNS Name for the OxygenVM

c. Set the Username

d. Set the Password

e. Set the App Name

f. Set the App Key

g. Set the API Host Name (only required if using IBM SmartCloud)

*Example Nirvanix Configuration:

- Username: OxygenCloud

- Password: securepasswordplease!

- App Name: Oxygen-Cloud-Secure

- App Key: xxXXxx-XXxxXX-xxXXxx-XXxxXX

6. Register your Private Storage as listed in the next section "Registering your Private Storage"

Registering your Private Storage

1. If you have not already received your Storage License please contact Oxygen Sales

a. If you have not already entered the Gateway ID and Key using the Web UI, manually enter them in the Console Menu (you cannot copy/paste): STORAGE Configuration -> Modify the Oxygen Private Storage Cloud Info

b. Verify there are no errors or typos before submitting each line

Using your Admin (web) Console to register the Private Cloud:

1. Log in to your Administrator account: https://wgw.oxygencloud.com/adminconsole/

2. Navigate to Storage > Add New Storage

3. Enter the desired storage Name, and choose the Capacity in GiB

4. Enter the External DNS entry for your OxygenVM, e.g. oxygen.mycompany.com (please note: DO NOT enter http, https, or www in front of the URL)

5. Gateway ID = Use the ID provided by Oxygen

6. Gateway Key = Use the Key provided by Oxygen

7. Signature = Use the Signature provided by Oxygen

(If you receive a "Failed to connect to Private Cloud" error during registration, please check that your VM DNS is correct, that the firewall allows tcp 443 traffic, and that your SSL Certificate matches your Intermediate Certificate Bundle.)

8. Set your Default storage to your newly created Private Cloud

9. Create a new Space against your new Private Cloud

10. Use the Oxygen Web, Desktop, and Mobile Clients to verify functionality

11. Learn more at:

https://oxygen.zendesk.com

https://oxygen.zendesk.com/entries/21208331-faqs

https://oxygen.zendesk.com/entries/21221501-storage-connector-troubleshooting

PHASE 3 Authentication (AD/LDAP)

*Please ensure you have completed PHASE 1 and contacted Oxygen before continuing on to this stage.

*Ensure you have created a binding user and that the OxygenVM and AD/LDAP server can communicate over the proper port.

**Important Note: The OxygenVM performs READ ONLY queries to the authentication server, so the binding user only needs read access to the directory; a dedicated, unprivileged service account is sufficient.

1. ENABLE Private Authentication functionality

a. Select AUTHENTICATION AD/LDAP Configuration (Do NOT REBOOT until you have entered all information into the web browser)

b. Navigate to https://your-domain-here/AppProperties/AppProperties (case sensitive)

c. Select the "Configure Authentication" button

d. Configure your Active Directory settings as displayed in each example -> Save

e. From the VM Console Menu press 'Enter' to REBOOT

i. Select Test Authentication connection (the test function does not work if using 636 LDAPS)

ii. Fix any configuration settings using the Console Menu or web UI if the test fails

*Example configuration of standard AD/LDAP:

- AD/LDAP Server Address: 10.10.10.235 or DNS: mycompany.ad

- Port: 389

- AD/LDAP Base DN: dc=company,dc=com

- AD/LDAP Binding User DN: cn=administrator,ou=service,dc=mycompany,dc=com**

- AD/LDAP Binding User Password: YourPassword!

- Search Attribute: sAMAccountName (Default)

- AD/LDAP Search Subtree: enabled

**Important Note: To obtain the Binding User DN, from the Windows AD Server command line type "dsquery user -name nameofbindinguser" (it should return "cn=nameofbindinguser,ou=users,ou=itsystems,dc=ad,dc=mycompany,dc=com"). Copy and paste this string into the web UI minus the quotation marks (right click -> Mark -> highlight the text -> Enter to copy to the clipboard).

*Example: C:\> dsquery user -name oxygenservice

("cn=oxygenservice,ou=users,dc=mycompany,dc=com")

2. ONLY if using LDAPS (port 636) you will need to import the SSL certificate into the VM, if you did not do so during setup within the Web UI. This can be skipped if using the standard port 389.

a. Select AUTHENTICATION AD/LDAP Configuration

b. Select Set AD/LDAP Server and enter your AD server hostname again

c. Enter your port number 636 (the system will now import the SSL certificate from the AD server)

d. If using the Optional Search Base be sure to exclude the Base DN from the string. Example: cn\=oxygenservice,ou\=users,ou

e. REBOOT to apply any setting changes

3. Test the Oxygen Appliance Connection

a. AUTHENTICATION AD/LDAP Configuration -> Test Authentication Configuration via the main console menu

b. Test internet connectivity via a web browser with https://<<yourdomain>>/authgateway/Login.jsp (case sensitive). (You will not be able to log in until LDAP is enabled on your account.)

c. Fix any configuration settings using the Console Menu if the test fails

d. Convert your account to use your Authentication:

i. Create a screenshot of a successful test of the Authentication VM's connectivity to your AD or LDAP server. ENSURE you see "result: 0 Success"; otherwise there may be a typo or some other misconfiguration.

ii. Create a support ticket (https://oxygen.zendesk.com/tickets/new)

iii. In the ticket you MUST include all of the following:

- The screenshot of the successful test showing "result: 0 Success"

- Your public domain name of the Oxygen VM (e.g. oxygenauth.mycompany.com)

- Your Oxygen Administrator email address (Oxygen userid)

- Your Oxygen Administrator AD Username (not the password, just the username) for a user who has Administrator privileges for your Oxygen Account

- A screenshot of the AD/LDAP configuration summary screen from the appliance (0. on the AD/LDAP menu)

- The result of the dsquery for both the binding user AND the Oxygen administrator configuring/testing the account (see the screenshot example below)

iv. We will then convert your whole Oxygen Account to use your AD/LDAP authentication (all user logins will then require an AD or LDAP authentication from your systems to succeed)

4. Using the Oxygen Account that is configured to use AD/LDAP, verify login with the Oxygen Web, Desktop, and Mobile Clients using "Corporate" mode (not required for web access)

Once your account is enabled see https://oxygen.zendesk.com/entries/21141393-ad-ldap-admin-guide-to-adding-users

Learn more: https://oxygen.zendesk.com/entries/21224966-oxygen-authentication-ad-ldap-connector

Appendix

Storage Connector

- Press Ctrl + C to cancel from any menu and return to the home screen.

- The Oxygen Appliance can be deployed in a DMZ.

- You MUST supply your own SSL certificate(s).

- Modify Firewall -> Enable SSH for advanced troubleshooting with Oxygen Cloud Support.

- If using timestamp based security for the Atmos, the clock on the Oxygen Appliance must be in sync with the Atmos; this check can be disabled from the EMC Atmos Web Admin -> Security.

- If using a Load Balancer in front of the Oxygen Appliances, a CIFS share IS REQUIRED FOR STORAGE that both nodes can access, to ensure WebDAV and Web-Link functionality. Best practice recommendations are to use "sticky sessions" and to use a URL to determine availability, i.e. https://oxygen.yourcompany.com/storagegateway/service-status, rather than ping, as ping is disabled by default for security purposes.

An optional third party tool for diagnosing/troubleshooting the installation is the AtmosFox browser plugin for Firefox, which allows you to see what is stored on your EMC Atmos: https://addons.mozilla.org/en-US/firefox/addon/atmosfox/

Authentication (AD/LDAP) Connector

- To obtain the Binding User DN from the Windows Server command line use "dsquery", e.g. "dsquery user -name oxygenbindinguser": http://www.techrepublic.com/article/solutionbase-using-the-dsquery-command-in-windows-server-2003/5427386

- Apache Directory Studio is a good alternative to Microsoft AD based tools: http://directory.apache.org/studio/

- Or LDAP Explorer 2 can be useful for getting the Base DN and testing the Oxygen service username and password: http://sourceforge.net/projects/ldaptool/files/ldaptool/ldaptool-2.0.1

Troubleshooting

https://oxygen.zendesk.com/entries/21208331-faqs

https://oxygen.zendesk.com/entries/21221501-storage-connector-troubleshooting

Timeouts during tests can occur because of an incorrect DNS name or IP address (check for typos), or because of firewall rules and networking configuration.

PKIX errors mean the Oxygen VM does not have the SSL certificate for a remote server loaded (i.e. an HTTPS connection to your Atmos device).

Forbidden errors may mean that the clock on your VM has drifted and is out of sync; many secure setups (i.e. Atmos) will not work if the clocks are more than 5 minutes out of sync.

Atmos "Signature Mismatch" errors may mean that the Shared Secret in the Atmos configuration section has a typo. (Check very carefully for the digit 1 versus the letters l or I, and similarly the letter O versus the digit 0.)

Upload/Download hangs: ensure the CIFS share has a subfolder named "storage", and check the setup and connectivity between the Oxygen Connector and the storage device.

404 Error when uploading SSL certificates: if you have REBOOTed you may need to reselect the "ADD your own SSL Certificate, Intermediate Cert, and Key" option in the menu, as a REBOOT will have locked down the server to a secure state.

Cannot Reach Storage Gateway: ensure your Intermediate certificate is correct and that the Oxygen servers can communicate with the VM.

No network access, and View current Network configuration returns blank or "no device found": if you have exported and re-imported the VM to another virtualization host, the VM may have "remembered" the old virtual MAC address of the virtual network card. To resolve this issue use Network Configuration -> Fix Error where Interface is not Available. After the subsequent REBOOT, Network Configuration -> View current Network configuration should display your previous IP address and other network settings.

Example deployment diagram

(Diagram not reproduced in this text version.)

Oxygen SSL Guide

Click here for a list of supported SSL CA Vendors

SSL Certificates use public key encryption to guarantee the authenticity of a web server and encrypt traffic between a Client and the Server. On any computer you can create a “private encryption key” (best practice is 2048 bit as required by Oxygen).

To create a CSR using a Linux/Unix command line to submit to your preferred vendor type:

openssl req -out oxygen.mycompany.com.csr -new -newkey rsa:2048 -nodes -keyout cert.key

If using a Windows machine, download the binaries (I prefer the “no install” .zip format)

http://gnuwin32.sourceforge.net/packages/openssl.htm , and use the a Command Prompt (cmd.exe)

(creates a 2048 bit nopass key + csr,

Do not lose or share your private key, it is critical to the security of your systems)

http://www.sslshopper.com/ssl-faq.html

http://www.sslshopper.com/article-most-common-openssl-commands.html Now you’ve created a Private Key and a CSR.

With that private key you can generate a “Certificate Signing Request” which is what links the private key to a specific Domain Name (common name). The Root Certificate Authorities (i.e. Verisign, GeoTrust, etc.) are installed in most client devices (browsers, Java VM, etc.)

You will need your Certificate along with the Root CA and all other Intermediate Certs and a “no password”

Private Key to be installed into the Oxygen VM in standard PEM format (apache tomcat cert.crt , intermediate.crt , cert.key).

If you have a Windows/IIS environment that already holds your certificate and key, you will need to export them as a .pfx (PKCS#12) file and then convert that to PEM format. These links can help:

To export: http://www.digicert.com/ssl-support/pfx-import-export-iis-7.htm

To convert on a Windows machine, download the OpenSSL binaries (http://gnuwin32.sourceforge.net/packages/openssl.htm, the "no install" .zip format) and, from a Command Prompt (cmd.exe), use the openssl pkcs12 command with -nodes to convert the .pfx containing your certificate, intermediates and key into a single PEM file (-nodes means "no DES", i.e. the private key is written without a passphrase, which is what a server needs). The .pfx export and the resulting PEM file both contain your private key: keep them off shared drives and delete them once the material is installed on the VM.

The single PEM file contains the elements you need to copy and paste. Copy the private key (ideally with Notepad++ or another editor that does not mangle line endings), including the BEGIN and END lines:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Newer OpenSSL versions write the key in PKCS#8 form, labelled BEGIN PRIVATE KEY / END PRIVATE KEY; copy the whole block either way. A block labelled ENCRYPTED PRIVATE KEY means the key still carries a passphrase, so re-run the conversion with -nodes before uploading.

Follow the same process with the server certificate; its CN (common name) will match your DNS name:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Finally copy and upload the intermediate certificate(s). Their subject CN names the issuing CA (for example GeoTrust or Verisign) rather than your domain:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Verify/Backup the Certificates

Using a command line tool (-servername sends the SNI name, so you see the same certificate a browser would be offered):

openssl s_client -showcerts -connect domain.com:443 -servername domain.com

The output lists every certificate the server sends, leaf first (depth 0); check that the leaf carries your common name and that the chain continues through your intermediate(s) up to the CA root.

Using a browser (the images are from Chrome), click the green lock and then Certificate information.


The Certificate Path tab shows the chain the browser built and is the quickest way to confirm that the certificate chain you uploaded is complete and in the right order. Double-click the root certificate.

Export the certificate in Base-64 encoded X.509 format.

Repeat the same process (double-click to open, then Copy to File) for the intermediate certificate(s) and the Oxygen appliance (server) certificate, so that you hold a backup of every link in the chain.
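The key and CSR creation described earlier, the PFX-to-PEM conversion, and the chain check can be scripted so that nothing is done by hand in a text editor. The following POSIX shell script is an added example written for this guide; it is not Oxygen's code. It assumes the openssl command-line tool is installed, that the bundle to split is the output of openssl pkcs12 -in site.pfx -nodes -out bundle.pem (one PEM file holding the key and all certificates in any order, with the "Bag Attributes" lines that command emits), and it uses the file names the appliance expects (cert.key, cert.crt, intermediate.crt) plus an assumed root.crt for the CA root. The host name oxygen.example.test is a placeholder.

```shell
#!/bin/sh
# Added example for this guide (not Oxygen's code): prepare and check the PEM
# material the appliance needs: an unencrypted RSA-2048 key (cert.key), the
# server certificate (cert.crt) and the intermediate chain (intermediate.crt).
# Requires the openssl command-line tool. Paths and host names are assumptions.
set -eu

# Minimal openssl req config: sets the CN and a subjectAltName, which modern
# browsers require (the CN on its own is no longer enough).
write_req_conf() {  # $1 = config file to write, $2 = FQDN
  printf '%s\n' '[req]' 'distinguished_name = dn' 'req_extensions = ext' \
    'prompt = no' '[dn]' "CN = $2" '[ext]' "subjectAltName = DNS:$2" >"$1"
}

# Step 1: private key + CSR. umask 077 keeps cert.key readable only by the
# account running this; -nodes leaves it unencrypted, as the VM requires.
make_key_and_csr() {  # $1 = output dir, $2 = FQDN
  write_req_conf "$1/req.conf" "$2"
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/req.conf" \
      -keyout "$1/cert.key" -out "$1/$2.csr" 2>/dev/null )
  # self-signature check: proves the CSR belongs to the key just written
  openssl req -in "$1/$2.csr" -noout -verify >/dev/null 2>&1
}

# Step 2: split a single PEM bundle (e.g. from openssl pkcs12 -nodes) into
# cert.key plus one file per certificate; "Bag Attributes" lines are dropped.
split_pem() {  # $1 = bundle file, $2 = output dir
  awk -v dir="$2" '
    /-----BEGIN .*PRIVATE KEY-----/ { out = dir "/cert.key"; keep = 1 }
    /-----BEGIN CERTIFICATE-----/   { n++; out = dir "/block" n ".crt"; keep = 1 }
    keep { print > out }
    /-----END / { keep = 0; close(out) }
  ' "$1"
}

# The server certificate is the one whose RSA modulus equals the private key's.
key_matches_cert() {  # $1 = key file, $2 = cert file
  [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# A root is self-signed: its subject and issuer hash to the same value.
is_self_signed() {  # $1 = cert file
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Step 3: name the split blocks the way the appliance wants them.
sort_bundle() {  # $1 = dir holding cert.key and block*.crt from split_pem
  if grep -q ENCRYPTED "$1/cert.key"; then
    echo "cert.key still has a passphrase; re-run the pkcs12 conversion with -nodes" >&2
    return 1
  fi
  : >"$1/intermediate.crt"
  for c in "$1"/block*.crt; do
    if key_matches_cert "$1/cert.key" "$c"; then cp "$c" "$1/cert.crt"
    elif is_self_signed "$c"; then cp "$c" "$1/root.crt"
    else cat "$c" >>"$1/intermediate.crt"
    fi
  done
  [ -f "$1/cert.crt" ] && [ -f "$1/root.crt" ]
}

# Step 4: the check a browser performs: leaf -> intermediate(s) -> root.
verify_chain() {  # $1 = dir prepared by sort_bundle
  if [ -s "$1/intermediate.crt" ]; then
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" "$1/cert.crt" >/dev/null
  else
    openssl verify -CAfile "$1/root.crt" "$1/cert.crt" >/dev/null
  fi
}

# Typical use after an IIS export (file names are assumptions):
#   openssl pkcs12 -in site.pfx -nodes -out bundle.pem
#   mkdir pem && split_pem bundle.pem pem && sort_bundle pem && verify_chain pem
#   -> pem/cert.key, pem/cert.crt and pem/intermediate.crt are what the VM needs.
```

sort_bundle identifies the server certificate by its key rather than by its file order, so it does not matter how the exporter arranged the bundle, and it refuses an encrypted key outright because the appliance cannot prompt for a passphrase. verify_chain fails when an intermediate is missing or the wrong root was pasted, which is exactly the situation the browser's Certificate Path tab would show as a broken chain.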

Self-configuration checklist

Purchased necessary SSL certificate(s): _____________________________________
DNS A record that you have set up: _____________________________________
Public IP address forwarded to the Oxygen VM: _____________________________________
Private IP address reserved for the Oxygen VM: _____________________________________
Subnet mask for the Oxygen VM: _____________________________________
IP address of the router/gateway for the Oxygen appliance: _____________________________________
NTP server: _____________________________________
IP address of a DNS server (optional): _____________________________________
Outbound proxy address, port, user/pass (optional): _____________________________________

Storage Configuration (Atmos)

Atmos (hostname or IP address): ____________________________________________
Atmos Subtenant ID / UID: ____________________________________________ (example: abcde123abcde1234abcde1234/oxygencloudstorage)
Atmos shared secret: ____________________________________________

Storage Configuration (CIFS)

CIFS server (hostname or IP address): ____________________________________________
CIFS username and password: ____________________________________________

Storage Configuration (NFS)

NFS server share (hostname or IP address): ____________________________________________

Corporate Authentication Details

AD or LDAP (hostname or IP address): ____________________________________________
BaseDN: ____________________________________________
Read-only service user DN: ________________________________________________________ (e.g. CN=username,OU=oufolder,DC=domain,DC=com)
Read-only service user password: __________________________________________________ (the account only needs read permission to bind and search; do not use a domain administrator)
