https://oxpedia.org/wiki/api.php?action=feedcontributions&user=Bartl3by&feedformat=atomOpen-Xchange - User contributions [en]2024-03-28T13:34:45ZUser contributionsMediaWiki 1.31.0https://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18427AppSuite:OX Guard2014-09-10T18:06:54Z<p>Bartl3by: /* Apache */</p>
<hr />
<div>= OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through, it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to set up a basic installation with none of the typically used distributed environment settings. The objectives of this guide are:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi-server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming using the configuration cascade, defining a templateID for a user or context. Additional details will be provided in the customization documentation.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|appsuite/stable/guard-backend}}<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|appsuite/stable/guard-ui}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|appsuite/stable/guard-backend}}<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|appsuite/stable/guard-ui}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|appsuite/stable/guard-backend}}<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|appsuite/stable/guard-ui}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which will be installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default. Therefore we have to set Java 1.7 as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to a new configuration file on the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/guard.properties<br />
<br />
# OX Guard general permission, required to activate Guard in the AppSuite UI.<br />
com.openexchange.capability.guard=true<br />
<br />
# Default theme template id for all users that have no custom template id configured.<br />
com.openexchange.guard.templateID=0<br />
<br />
=== SELinux ===<br />
<br />
With SELinux enabled, your local Open-Xchange backend service is prohibited from connecting to localhost:8080, which is where the Guard backend service listens. In order to allow localhost connections to 8080 execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. The initiation only needs to be done once for a multi server setup; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated, so it is time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of the users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To force Guard to use SSL for the communication between those two components, enable the following setting in the Guard configuration file.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.backend_ssl=true<br />
<br />
The Guard backend is most commonly placed behind a load balancer (Apache or other) and defaults to HTTP for incoming and outgoing traffic, relying on the load balancer to handle SSL with the users. If you want Guard to use SSL for all communications, you need to set up the SSL key to use.<br />
<br />
Please note that you have to provide access to the certificates.<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
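<br />
The check below is an added example, not part of the original page or of OX Guard. It reads a guard.properties file and reports a REST API host on another machine without backend_ssl=true (as in the clustered setup described on this page), a database password that is empty or still the db_password placeholder, and a file mode that lets group or others access the file. Treating each of these as a finding is an assumption of this example; the function names and sample values are hypothetical.<br />

```shell
#!/bin/sh
# Added example: audit a Guard backend guard.properties file (hypothetical helper names).

# prop FILE KEY -> last value of KEY; accepts "key=value" and "key: value",
# since both separators appear in the properties shown on this page.
prop() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                      # properties comments
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, k) != 1) next
            rest = substr(line, length(k) + 1)
            if (rest !~ /^[ \t]*[=:]/) next         # KEY must be the whole key
            sub(/^[ \t]*[=:][ \t]*/, "", rest)
            sub(/[ \t\r]+$/, "", rest)
            val = rest
        }
        END { print val }
    ' "$1"
}

# audit_guard_props FILE -> prints findings, returns 1 if any were found.
audit_guard_props() {
    f=$1; rc=0; ns=com.openexchange.guard
    host=$(prop "$f" "$ns.restApiHostname")
    ssl=$(prop "$f" "$ns.backend_ssl")
    pw=$(prop "$f" "$ns.databasePassword")

    # Guard -> REST API traffic is unencrypted unless backend_ssl=true.
    case "$host" in
        ""|localhost|127.0.0.1|::1) ;;
        *) if [ "$ssl" != "true" ]; then
               echo "FAIL REST API host $host is remote but backend_ssl is not true"; rc=1
           fi ;;
    esac

    case "$pw" in
        ""|db_password)
            echo "FAIL databasePassword is empty or the documented placeholder"; rc=1 ;;
    esac

    # The file holds the database password: no group/other permission bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL $f is accessible to group/other ($perms)"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK   $f"; fi
    return "$rc"
}

sample_cluster() {    # constructed: clustered values with the page's placeholders
cat <<'EOF'
com.openexchange.guard.configdbHostname=db.example.com
com.openexchange.guard.databaseUsername=openexchange
com.openexchange.guard.databasePassword=db_password
com.openexchange.guard.restApiHostname=apache.example.com
com.openexchange.guard.oxBackendPort=80
EOF
}

sample_hardened() {   # constructed values
cat <<'EOF'
# constructed values
com.openexchange.guard.databasePassword=constructed-example-secret
com.openexchange.guard.restApiHostname=apache.example.com
com.openexchange.guard.backend_ssl: true
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"
    for s in sample_cluster sample_hardened; do
        "$s" > "$tmp"
        echo "== $s"
        audit_guard_props "$tmp" || true
    done
    rm -f "$tmp"
}
demo
```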
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind-address = 0.0.0.0<br />
<br />
This makes MySQL listen on all network interfaces, so that the Guard backend can connect to the MySQL host which is configured in the guard.properties file with com.openexchange.guard.configdbHostname. Once the MySQL instance is listening and the OX Guard backend is able to connect to the configured host, you have to grant access for the OX Guard service on the MySQL instance to manage the databases. Do so by connecting to the MySQL server via the mysql client. Authenticate if necessary and execute the following. Please note that you have to modify the hostname / IP address of the client that should be able to connect to this database; it should include all possible OX Guard servers:<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'oxguard.example.com' IDENTIFIED BY 'secret';<br />
<br />
=== Apache ===<br />
<br />
OX Guard uses the Open-Xchange REST API to store and fetch data from the Open-Xchange databases. The REST API is a servlet running in the Grizzly container. By default it is not exposed as a servlet through Apache and is only accessible via port 8009. In order to use Apache's load balancing via mod_proxy we need to add a servlet called "preliminary" to proxy_http.conf. The following example is based on a clustered mod_proxy configuration:<br />
<br />
<Location /preliminary><br />
Order Deny,Allow<br />
Deny from all<br />
# Only allow access from Guard servers within the network. Do not expose this<br />
# location outside of your network. In case you use a load balancing service in front<br />
# of your Apache infrastructure you should make sure that access to /preliminary will<br />
# be blocked from the internet / outside clients. Examples:<br />
# Allow from 192.168.0.1<br />
# Allow from 192.168.1.1 192.168.1.2<br />
# Allow from 192.168.0.<br />
# Inside a <Location> section the path argument of ProxyPass is omitted.<br />
ProxyPass balancer://oxcluster/preliminary<br />
</Location><br />
<br />
Make sure that the balancer is properly configured in the mod_proxy configuration. Examples on how to do so can be found in our clustering configuration for Open-Xchange AppSuite. As explained in the example above, please make sure that this location is only available in your internal network. There is no need to expose /preliminary to the public; it is only used by Guard servers to connect to the OX backend. If you have a load balancer in front of the Apache cluster, you should consider blocking access to /preliminary from the WAN to restrict access to the servlet to internal network services only.<br />
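<br />
A lint for this rule, as an added example that is not part of the original page or the Open-Xchange project: it scans a proxy_http.conf written in the Apache 2.2 Order/Deny/Allow syntax used above and fails when /preliminary is proxied outside a <Location /preliminary> block, or when that block lacks "Deny from all" or contains "Allow from all". The function name, sample configurations and addresses are constructed for illustration.<br />

```shell
#!/bin/sh
# Added example: check that /preliminary is only proxied behind a deny-by-default rule.

# audit_preliminary FILE -> prints findings, returns 1 if /preliminary is exposed.
audit_preliminary() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function close_location() {
        if (!proxied) return
        seen = 1
        if (!deny_all) { print "FAIL line " start ": <Location /preliminary> has no \"Deny from all\""; bad = 1 }
        if (allow_all) { print "FAIL line " start ": <Location /preliminary> contains \"Allow from all\""; bad = 1 }
        if (deny_all && !allow_all)
            print "OK   line " start ": /preliminary is deny-by-default with " allows " Allow rule(s)"
    }
    BEGIN { bad = 0; inloc = 0; seen = 0 }
    {
        line = trim($0)
        if (line == "" || substr(line, 1, 1) == "#") next    # blanks and comments
        low = tolower(line)                                   # directives are case-insensitive
        if (!inloc && low ~ /^<location[ \t]+\/preliminary\/?>$/) {
            inloc = 1; start = NR
            deny_all = 0; allow_all = 0; allows = 0; proxied = 0
        } else if (inloc && low ~ /^<\/location>/) {
            close_location(); inloc = 0
        } else if (inloc) {
            if (low ~ /^deny[ \t]+from[ \t]+all$/) deny_all = 1
            else if (low ~ /^allow[ \t]+from[ \t]+all$/) allow_all = 1
            else if (low ~ /^allow[ \t]+from[ \t]/) allows++
            else if (low ~ /^proxypass[ \t]/) proxied = 1
        } else if (low ~ /^proxypass(match)?[ \t]+\/preliminary([ \t]|\/|$)/) {
            # Server-level ProxyPass: nothing restricts who can reach the servlet.
            print "FAIL line " NR ": ProxyPass for /preliminary outside a <Location> access block"
            seen = 1; bad = 1
        }
    }
    END {
        if (inloc) close_location()
        if (!seen) print "INFO /preliminary is not proxied in this file"
        exit bad
    }
    ' "$1"
}

sample_open() {         # constructed: servlet proxied with no access control
cat <<'EOF'
# constructed sample
ProxyPass /preliminary balancer://oxcluster/preliminary
EOF
}

sample_restricted() {   # constructed: restricted form, addresses are examples
cat <<'EOF'
# constructed sample
<Location /preliminary>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.1 192.168.1.2
    ProxyPass balancer://oxcluster/preliminary
</Location>
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    for s in sample_open sample_restricted; do
        "$s" > "$tmp"
        echo "== $s"
        audit_preliminary "$tmp" || echo "   -> /preliminary is exposed"
    done
    rm -f "$tmp"
}
demo
```

The lint only reads the Apache configuration; a load balancer in front of Apache still needs its own rule for /preliminary.<br />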
<br />
Now add the OX Guard BalancerMembers to the oxguard balancer configuration (also in proxy_http.conf) to address all your OX Guard nodes in the cluster in this balancer configuration. The configuration has to be applied to all Apache nodes within the cluster.<br />
<br />
If the Apache server is a dedicated server / instance, you also have to install the OX Guard UI-Static package on all Apache nodes in the cluster in order to provide static files like images or CSS to the OX Guard client. Example for Debian (the OX Guard repository has to be configured in the package management beforehand):<br />
<br />
$ apt-get install open-xchange-guard-ui-static<br />
<br />
=== Open-Xchange ===<br />
<br />
Disable the Open-Xchange IPCheck for session verification. This is required because OX Guard will use the user's session cookie to connect to the Open-Xchange REST API. Since the user authenticated from a different IP address than that of the OX Guard server, the request would fail if you don't disable the IPCheck:<br />
<br />
$ vim /opt/open-xchange/etc/server.properties<br />
<br />
and set:<br />
<br />
com.openexchange.IPCheck=false<br />
<br />
The OX Guard UI package has to be installed on all Open-Xchange backend nodes as well. Example for Debian (the OX Guard repository has to be configured in the package management beforehand):<br />
<br />
$ apt-get install open-xchange-guard-ui<br />
<br />
Restart the Open-Xchange service afterwards.<br />
<br />
=== OX Guard ===<br />
<br />
After all the services like MySQL, Apache and Open-Xchange have been configured you need to update the OX Guard backend configuration to point to the correct API endpoints. Set the REST API endpoint to an Apache server by setting the following value in /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.restApiHostname=apache.example.com<br />
<br />
By default Guard will try to connect to port 8009 on this host, but as we configured the REST API to be proxied through the servlet /preliminary on every Apache, we now also need to change the target port for the REST API. You can do so by adding the following line to /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.oxBackendPort=80<br />
<br />
Please also change all settings in regards to MySQL like com.openexchange.guard.configdbHostname, com.openexchange.guard.oxguardDatabaseHostname, com.openexchange.guard.databaseUsername or com.openexchange.guard.databasePassword. Afterwards restart the OX Guard service and check the logfile if the OX Guard backend is able to connect to the configured REST API.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18393AppSuite:OX Guard2014-09-03T15:37:29Z<p>Bartl3by: </p>
<hr />
<div>= OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through, it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to set up a basic installation with none of the typically used distributed environment settings. The objectives of this guide are:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi-server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple brand support based on the Open-Xchange Config Cascade will be supported with version > 1.2, this includes eMail templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|appsuite/stable/guard-backend}}<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|appsuite/stable/guard-ui}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|appsuite/stable/guard-backend}}<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|appsuite/stable/guard-ui}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|appsuite/stable/guard-backend}}<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|appsuite/stable/guard-ui}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which will be installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default. Therefore we have to set Java 1.7 as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to a new configuration file on the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/guard.properties<br />
<br />
# OX Guard general permission, required to activate Guard in the AppSuite UI.<br />
com.openexchange.capability.guard=true<br />
<br />
# Default theme template id for all users that have no custom template id configured.<br />
com.openexchange.guard.templateID=0<br />
<br />
=== SELinux ===<br />
<br />
With SELinux enabled, your local Open-Xchange backend service is prohibited from connecting to localhost:8080, which is where the Guard backend service listens. In order to allow localhost connections to 8080 execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. The initiation only needs to be done once for a multi server setup; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated, so it is time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of the users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To force Guard to use SSL for the communication between those two components, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind = 0.0.0.0<br />
<br />
This allows the Guard backend to connect to the MySQL host which is configured in the guard.properties file with com.openexchange.guard.configdbHostname. Once the bind for the MySQL instance is configured and the OX Guard backend is able to connect to the configured host, you have to grant access for the OX Guard service on the MySQL instance to manage the databases. Do so by connecting to the MySQL server via the mysql client. Authenticate if necessary and execute the following. Please note that you have to modify the hostname / IP address of the client that should be able to connect to this database; it should include all possible OX Guard servers:<br />
<br />
 GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'oxguard.example.com' IDENTIFIED BY 'secret';<br />
<br />
=== Apache ===<br />
<br />
OX Guard uses the Open-Xchange REST API to store and fetch data from the Open-Xchange databases. The REST API is a servlet running in the Grizzly container. By default it is not exposed as a servlet through Apache and is only accessible via port 8009. In order to use Apache's load balancing via mod_proxy we need to add a servlet called "preliminary" to proxy_http.conf. Example based on a clustered mod_proxy configuration:<br />
<br />
ProxyPass /preliminary balancer://oxcluster/preliminary<br />
<br />
Make sure that the balancer is properly configured in the mod_proxy configuration. Examples on how to do so can be found in our clustering configuration for Open-Xchange AppSuite.<br />
<br />
Now add the OX Guard BalancerMembers to the oxguard balancer configuration (also in proxy_http.conf) to address all your OX Guard nodes in the cluster in this balancer configuration. The configuration has to be applied to all Apache nodes within the cluster.<br />
<br />
If the Apache server is a dedicated server / instance you also have to install the OX Guard UI-Static package on all Apache nodes in the cluster in order to provide static files like images or CSS to the OX Guard client. Example for Debian (the OX Guard repository has to be configured in the package management beforehand):<br />
<br />
$ apt-get install open-xchange-guard-ui-static<br />
<br />
=== Open-Xchange ===<br />
<br />
Disable the Open-Xchange IPCheck for session verification. This is required because OX Guard will use the user's session cookie to connect to the Open-Xchange REST API. Since the OX Guard server's IP address differs from the one used during authentication, the request would fail if you don't disable the IPCheck:<br />
<br />
$ vim /opt/open-xchange/etc/server.properties<br />
<br />
and set:<br />
<br />
com.openexchange.IPCheck=false<br />
<br />
The OX Guard UI package has to be installed on all Open-Xchange backend nodes as well. Example for Debian (the OX Guard repository has to be configured in the package management beforehand):<br />
<br />
$ apt-get install open-xchange-guard-ui<br />
<br />
Restart the Open-Xchange service afterwards.<br />
<br />
=== OX Guard ===<br />
<br />
After all the services like MySQL, Apache and Open-Xchange have been configured you need to update the OX Guard backend configuration to point to the correct API endpoints. Set the REST API endpoint to an Apache server by setting the following value in /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.restApiHostname=apache.example.com<br />
<br />
By default Guard will try to connect to port 8009 on this host, but as we configured the REST API to be proxied through the servlet /preliminary on every Apache, we now also need to change the target port for the REST API. You can do so by adding the following line to /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.oxBackendPort=80<br />
<br />
Please also change all settings in regards to MySQL like com.openexchange.guard.configdbHostname, com.openexchange.guard.oxguardDatabaseHostname, com.openexchange.guard.databaseUsername or com.openexchange.guard.databasePassword. Afterwards restart the OX Guard service and check the logfile if the OX Guard backend is able to connect to the configured REST API.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18383AppSuite:OX Guard2014-09-03T10:17:59Z<p>Bartl3by: /* Open-Xchange */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to set up a basic installation with none of the typically used distributed environment settings. The objective of this guide is:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed on a dedicated environment without having any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple brand support based on the Open-Xchange Config Cascade will be supported with version > 1.2; this includes email templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which will be installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default. Therefore we have to set Java 1.7 as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br><br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to a new configuration file on the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/guard.properties<br />
<br />
 # OX Guard general permission, required to activate Guard in the AppSuite UI.<br />
com.openexchange.capability.guard=true<br />
<br />
# Default theme template id for all users that have no custom template id configured.<br />
com.openexchange.guard.templateID=0<br />
<br />
=== SELinux ===<br />
<br />
Running SELinux prevents your local Open-Xchange backend service from connecting to localhost:8080, which is where the Guard backend service listens. In order to allow localhost connections to 8080 execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. The initiation only needs to be done once for a multi server setup; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will not be able to reset user passwords in the future. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated; it's time to start Guard.<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of those users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To force Guard to use SSL in the communication between those two components, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind = 0.0.0.0<br />
<br />
This allows the Guard backend to connect to the MySQL host which is configured in the guard.properties file with com.openexchange.guard.configdbHostname. Once the bind for the MySQL instance is configured and the OX Guard backend is able to connect to the configured host, you have to grant access for the OX Guard service on the MySQL instance to manage the databases. Do so by connecting to the MySQL server via the mysql client. Authenticate if necessary and execute the following. Please note that you have to modify the hostname / IP address of the client that should be able to connect to this database; it should include all possible OX Guard servers:<br />
<br />
 GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'oxguard.example.com' IDENTIFIED BY 'secret';<br />
<br />
=== Apache ===<br />
<br />
OX Guard uses the Open-Xchange REST API to store and fetch data from the Open-Xchange databases. The REST API is a servlet running in the Grizzly container. By default it is not exposed as a servlet through Apache and is only accessible via port 8009. In order to use Apache's load balancing via mod_proxy we need to add a servlet called "preliminary" to proxy_http.conf. Example based on a clustered mod_proxy configuration:<br />
<br />
ProxyPass /preliminary balancer://oxcluster/preliminary<br />
<br />
Make sure that the balancer is properly configured in the mod_proxy configuration. Examples on how to do so can be found in our clustering configuration for Open-Xchange AppSuite.<br />
<br />
Now add the OX Guard BalancerMembers to the oxguard balancer configuration (also in proxy_http.conf) to address all your OX Guard nodes in the cluster in this balancer configuration. The configuration has to be applied to all Apache nodes within the cluster.<br />
<br />
If the Apache server is a dedicated server / instance you also have to install the OX Guard UI-Static package on all Apache nodes in the cluster in order to provide static files like images or CSS to the OX Guard client. Example for Debian (the OX Guard repository has to be configured in the package management beforehand):<br />
<br />
$ apt-get install open-xchange-guard-ui-static<br />
<br />
=== Open-Xchange ===<br />
<br />
Disable the Open-Xchange IPCheck for session verification. This is required because OX Guard will use the user's session cookie to connect to the Open-Xchange REST API. Since the OX Guard server's IP address differs from the one used during authentication, the request would fail if you don't disable the IPCheck:<br />
<br />
$ vim /opt/open-xchange/etc/server.properties<br />
<br />
and set:<br />
<br />
com.openexchange.IPCheck=false<br />
<br />
The OX Guard UI package has to be installed on all Open-Xchange backend nodes as well. Example for Debian (the OX Guard repository has to be configured in the package management beforehand):<br />
<br />
$ apt-get install open-xchange-guard-ui<br />
<br />
Restart the Open-Xchange service afterwards.<br />
<br />
=== OX Guard ===<br />
<br />
After all the services like MySQL, Apache and Open-Xchange have been configured you need to update the OX Guard backend configuration to point to the correct API endpoints. Set the REST API endpoint to an Apache server by setting the following value in /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.restApiHostname=apache.example.com<br />
<br />
By default Guard will try to connect to port 8009 on this host, but as we configured the REST API to be proxied through the servlet /preliminary on every Apache, we now also need to change the target port for the REST API. You can do so by adding the following line to /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.oxBackendPort=80<br />
<br />
Please also change all settings in regards to MySQL like com.openexchange.guard.configdbHostname, com.openexchange.guard.oxguardDatabaseHostname, com.openexchange.guard.databaseUsername or com.openexchange.guard.databasePassword. Afterwards restart the OX Guard service and check the logfile if the OX Guard backend is able to connect to the configured REST API.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18382AppSuite:OX Guard2014-09-03T10:11:25Z<p>Bartl3by: /* Open-Xchange */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to set up a basic installation with none of the typically used distributed environment settings. The objective of this guide is:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed on a dedicated environment without having any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple brand support based on the Open-Xchange Config Cascade will be supported with version > 1.2; this includes email templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which will be installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default. Therefore we have to set Java 1.7 as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br><br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
 # OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
Also you have to set a default configuration for the Guard config cascade for templates:<br />
<br />
$ vim /opt/open-xchange/etc/guard.properties<br />
<br />
com.openexchange.guard.templateID=0<br />
<br />
=== SELinux ===<br />
<br />
Running SELinux prevents your local Open-Xchange backend service from connecting to localhost:8080, which is where the Guard backend service listens. In order to allow localhost connections to 8080 execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. The initiation only needs to be done once for a multi server setup; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated, so it's time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of those users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To force Guard to use SSL in the communication between those two components, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
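The following check covers the SSL settings above and the master password file created by "guard init". It is an added example, not part of the original guide or of the OX Guard packages: the function names prop_get and audit_guard are hypothetical, the sample files are constructed, and the rule that the master password file should not be readable by group or others is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit a guard.properties file and the master password file.
# Property keys are the ones named in this guide; everything else is hypothetical.

# prop_get FILE KEY: print the value of KEY from a Java .properties file.
# Accepts "key=value" and "key: value"; the last assignment wins.
prop_get() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                    # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next       # line must start with the key
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*[=:]/) next       # reject longer keys sharing the prefix
            sub(/^[ \t]*[=:][ \t]*/, "", rest)
            sub(/[ \t\r]+$/, "", rest)
            val = rest
        }
        END { print val }
    ' "$1"
}

# audit_guard PROPERTIES PASSFILE: print one finding per line.
# The exit status is the number of findings (0 means nothing to report).
audit_guard() {
    props=$1 passfile=$2 findings=0

    # The Guard <-> REST API connection is unencrypted unless useSSL is enabled.
    ssl=$(prop_get "$props" com.openexchange.guard.useSSL)
    if [ "$ssl" != "true" ]; then
        echo "FINDING: useSSL is not true, Guard to REST API traffic is unencrypted"
        findings=$((findings + 1))
    else
        for k in SSLKeyStore SSLKeyName SSLKeyPass; do
            v=$(prop_get "$props" "com.openexchange.guard.$k")
            if [ -z "$v" ]; then
                echo "FINDING: useSSL is true but $k is empty"
                findings=$((findings + 1))
            fi
        done
    fi

    # "db_password" is the sample value printed in this guide.
    dbpw=$(prop_get "$props" com.openexchange.guard.databasePassword)
    if [ -z "$dbpw" ] || [ "$dbpw" = "db_password" ]; then
        echo "FINDING: databasePassword is empty or still the sample value"
        findings=$((findings + 1))
    fi

    # Without the master password file user passwords cannot be reset.
    if [ ! -f "$passfile" ]; then
        echo "FINDING: master password file $passfile is missing"
        findings=$((findings + 1))
    else
        # Assumption of this example: no group/other permission bits at all.
        perms=$(ls -ld "$passfile" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "FINDING: $passfile is accessible by group or others ($perms)"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# --- constructed sample input, not taken from a real installation ---
demo=$(mktemp -d)
cat > "$demo/weak.properties" <<'EOF'
# sample values as printed in the guide, SSL left at its default
com.openexchange.guard.databasePassword=db_password
com.openexchange.guard.restApiHostname=localhost
EOF
cat > "$demo/hardened.properties" <<'EOF'
com.openexchange.guard.databasePassword=constructed-example-secret
com.openexchange.guard.useSSL: true
com.openexchange.guard.SSLPort: 8443
com.openexchange.guard.SSLKeyStore: /path/to/keystore
com.openexchange.guard.SSLKeyName: guard
com.openexchange.guard.SSLKeyPass: constructed-example-pass
EOF
: > "$demo/oxguardpass"
chmod 600 "$demo/oxguardpass"

echo "== weak.properties, no master password file =="
audit_guard "$demo/weak.properties" "$demo/missing" || echo "-> $? finding(s)"
echo "== hardened.properties, mode 600 master password file =="
audit_guard "$demo/hardened.properties" "$demo/oxguardpass" || echo "-> $? finding(s)"
```

On a real server the two arguments would be /opt/open-xchange/guard/etc/guard.properties and /opt/open-xchange/guard/oxguardpass.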
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind = 0.0.0.0<br />
<br />
This allows the Guard backend to connect to the MySQL host which is configured in the guard.properties file with com.openexchange.guard.configdbHostname. Once the bind address for the MySQL instance is configured and the OX Guard backend is able to connect to the configured host, you have to grant access for the OX Guard service on the MySQL instance to manage the databases. Do so by connecting to the MySQL server via the mysql client. Authenticate if necessary and execute the following. Please note that you have to modify the hostname / IP address of the client that should be able to connect to this database; it should include all possible OX Guard servers:<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'oxguard.example.com' IDENTIFIED BY 'secret';<br />
<br />
=== Apache ===<br />
<br />
OX Guard uses the Open-Xchange REST API to store and fetch data from the Open-Xchange databases. The REST API is a servlet running in the Grizzly container. By default it is not exposed as a servlet through Apache and is only accessible via port 8009. In order to use Apache's load balancing via mod_proxy we need to add a servlet called "preliminary" to proxy_http.conf. Example based on a clustered mod_proxy configuration:<br />
<br />
ProxyPass /preliminary balancer://oxcluster/preliminary<br />
<br />
Make sure that the balancer is properly configured in the mod_proxy configuration. Examples on how to do so can be found in our clustering configuration for Open-Xchange AppSuite.<br />
<br />
Now add the OX Guard BalancerMembers to the oxguard balancer configuration (also in proxy_http.conf) to address all your OX Guard nodes in the cluster in this balancer configuration. The configuration has to be applied to all Apache nodes within the cluster.<br />
<br />
If the Apache server is a dedicated server / instance you also have to install the OX Guard UI-Static package on all Apache nodes in the cluster in order to provide static files like images or CSS to the OX Guard client. Example for Debian (the OX Guard repository has to be configured in the package management prior):<br />
<br />
$ apt-get install open-xchange-guard-ui-static<br />
<br />
=== Open-Xchange ===<br />
<br />
Disable the Open-Xchange IPCheck for session verification. This is required because OX Guard will use the user's session cookie to connect to the Open-Xchange REST API. Because the OX Guard server's IP address differs from the one that was used during authentication, the request would fail if you don't disable the IPCheck:<br />
<br />
$ vim /opt/open-xchange/etc/server.properties<br />
<br />
and set:<br />
<br />
com.openexchange.IPCheck=false<br />
<br />
The OX Guard UI package has to be installed on all Open-Xchange backend nodes as well, example for Debian (the OX Guard repository has to be configured in the package management prior):<br />
<br />
$ apt-get install open-xchange-guard-ui<br />
<br />
Restart the Open-Xchange service afterwards.<br />
<br />
=== OX Guard ===<br />
<br />
After all the services like MySQL, Apache and Open-Xchange have been configured you need to update the OX Guard backend configuration to point to the correct API endpoints. Set the REST API endpoint to an Apache server by setting the following value in /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.restApiHostname=apache.example.com<br />
<br />
By default Guard will try to connect to port 8009 on this host, but as we configured the REST API to be proxied through the servlet /preliminary on every Apache, we now also need to change the target port for the REST API. You can do so by adding the following line to /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.oxBackendPort=80<br />
<br />
Please also change all settings in regards to MySQL like com.openexchange.guard.configdbHostname, com.openexchange.guard.oxguardDatabaseHostname, com.openexchange.guard.databaseUsername or com.openexchange.guard.databasePassword. Afterwards restart the OX Guard service and check the logfile if the OX Guard backend is able to connect to the configured REST API.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18288AppSuite:OX Guard2014-08-15T11:47:13Z<p>Bartl3by: /* Apache */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to set up a basic installation with none of the typically used distributed environment settings. The objective of this guide is:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review following URL for remaining requirements <br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed on a dedicated environment without having any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple brand support based on the Open-Xchange Config Cascade will be supported with version > 1.2; this includes email templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which will be installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default. Therefore we have to set Java 1.7 as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br><br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
# OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
With SELinux enabled, your local Open-Xchange backend service is prohibited from connecting to localhost:8080, which is where the Guard backend service listens. To allow localhost connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. In a multi server setup the initiation only needs to be done once; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated, so it's time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of those users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To force Guard to use SSL in the communication between those two components, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind = 0.0.0.0<br />
<br />
This allows the Guard backend to connect to the MySQL host which is configured in the guard.properties file with com.openexchange.guard.configdbHostname. Once the bind address for the MySQL instance is configured and the OX Guard backend is able to connect to the configured host, you have to grant access for the OX Guard service on the MySQL instance to manage the databases. Do so by connecting to the MySQL server via the mysql client. Authenticate if necessary and execute the following. Please note that you have to modify the hostname / IP address of the client that should be able to connect to this database; it should include all possible OX Guard servers:<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'oxguard.example.com' IDENTIFIED BY 'secret';<br />
<br />
=== Apache ===<br />
<br />
OX Guard uses the Open-Xchange REST API to store and fetch data from the Open-Xchange databases. The REST API is a servlet running in the Grizzly container. By default it is not exposed as a servlet through Apache and is only accessible via port 8009. In order to use Apache's load balancing via mod_proxy we need to add a servlet called "preliminary" to proxy_http.conf. Example based on a clustered mod_proxy configuration:<br />
<br />
ProxyPass /preliminary balancer://oxcluster/preliminary<br />
<br />
Make sure that the balancer is properly configured in the mod_proxy configuration. Examples on how to do so can be found in our clustering configuration for Open-Xchange AppSuite.<br />
<br />
Now add the OX Guard BalancerMembers to the oxguard balancer configuration (also in proxy_http.conf) to address all your OX Guard nodes in the cluster in this balancer configuration. The configuration has to be applied to all Apache nodes within the cluster.<br />
<br />
If the Apache server is a dedicated server / instance you also have to install the OX Guard UI-Static package on all Apache nodes in the cluster in order to provide static files like images or CSS to the OX Guard client. Example for Debian (the OX Guard repository has to be configured in the package management prior):<br />
<br />
$ apt-get install open-xchange-guard-ui-static<br />
<br />
=== Open-Xchange ===<br />
<br />
Disable the Open-Xchange IPCheck for session verification. This is required because OX Guard will use the user's session cookie to connect to the Open-Xchange REST API. Because the OX Guard server's IP address differs from the one that was used during authentication, the request would fail if you don't disable the IPCheck:<br />
<br />
$ vim /opt/open-xchange/etc/server.properties<br />
<br />
and set:<br />
<br />
com.openexchange.IPCheck=false<br />
<br />
The OX Guard UI package has to be installed on all Open-Xchange backend nodes as well, example for Debian (the OX Guard repository has to be configured in the package management prior):<br />
<br />
$ apt-get install open-xchange-guard-ui<br />
<br />
Restart the Open-Xchange service afterwards.<br />
<br />
=== OX Guard ===<br />
<br />
After all the services like MySQL, Apache and Open-Xchange have been configured you need to update the OX Guard backend configuration to point to the correct API endpoints. Set the REST API endpoint to an Apache server by setting the following value in /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.restApiHostname=apache.example.com<br />
<br />
By default Guard will try to connect to port 8009 on this host, but as we configured the REST API to be proxied through the servlet /preliminary on every Apache, we now also need to change the target port for the REST API. You can do so by adding the following line to /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.oxBackendPort=80<br />
<br />
Please also change all settings in regards to MySQL like com.openexchange.guard.configdbHostname, com.openexchange.guard.oxguardDatabaseHostname, com.openexchange.guard.databaseUsername or com.openexchange.guard.databasePassword. Afterwards restart the OX Guard service and check the logfile if the OX Guard backend is able to connect to the configured REST API.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18287AppSuite:OX Guard2014-08-14T16:04:25Z<p>Bartl3by: /* Open-Xchange */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to set up a basic installation with none of the typically used distributed environment settings. The objective of this guide is:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review following URL for remaining requirements <br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed on a dedicated environment without having any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple brand support based on the Open-Xchange Config Cascade will be supported with version > 1.2; this includes email templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which will be installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default. Therefore we have to set Java 1.7 as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
# OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
With SELinux enabled, your local Open-Xchange backend service is prohibited from connecting to localhost:8080, which is where the Guard backend service listens. To allow local connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. In a multi-server setup the initiation only needs to be done once; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords. Without it, the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated, so it's time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of those users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default, the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To force Guard to use SSL for this communication, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
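<br />
The script below checks the items this page marks as sensitive: the guard.properties file holding the database password, the oxguardpass master password file, and a remote REST API host used without SSL. It is an added example, not part of OX Guard or of the original article; the function names and finding labels are made up for illustration, and treating an unset restApiHostname as local is an assumption.<br />

```shell
#!/bin/sh
# Added example: audit the Guard files this page describes. Not part of OX Guard.

# prop_get FILE KEY: print KEY's value. Accepts "key=value" and "key: value"
# (the page uses both forms), skips comment lines; the last definition wins.
prop_get() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t]*[=:][ \t]*/)) next
            if (substr(line, 1, RSTART - 1) != key) next
            val = substr(line, RSTART + RLENGTH)
            sub(/[ \t\r]+$/, "", val)
            found = 1
        }
        END { if (found) print val }
    ' "$1"
}

# is_private FILE: succeed only if group and others have no permission bits.
is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null) || mode=$(stat -f %Lp "$1") || return 2
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# lint_guard ROOT: ROOT is the Guard directory (/opt/open-xchange/guard on
# this page). Prints one finding per line and returns the number of findings.
lint_guard() {
    root=$1
    props=$root/etc/guard.properties
    findings=0
    report() { printf '%s\n' "$*"; findings=$((findings + 1)); }

    if [ ! -f "$props" ]; then
        report "MISSING $props"
        return "$findings"
    fi
    is_private "$props" ||
        report "PERM $props is accessible to group/others (holds databasePassword)"

    if [ ! -f "$root/oxguardpass" ]; then
        report "MISSING $root/oxguardpass (needed to reset user passwords)"
    else
        is_private "$root/oxguardpass" ||
            report "PERM $root/oxguardpass is accessible to group/others"
    fi

    pw=$(prop_get "$props" com.openexchange.guard.databasePassword)
    case "$pw" in
        ''|db_password) report "WEAK databasePassword is empty or the documentation placeholder" ;;
    esac

    rest=$(prop_get "$props" com.openexchange.guard.restApiHostname)
    ssl=$(prop_get "$props" com.openexchange.guard.useSSL)
    case "$rest" in
        ''|localhost|127.0.0.1|::1) ;;   # assumption: unset means local
        *) [ "$ssl" = true ] ||
               report "PLAINTEXT REST API host $rest is remote but useSSL is not true" ;;
    esac

    if [ "$ssl" = true ]; then
        ks=$(prop_get "$props" com.openexchange.guard.SSLKeyStore)
        { [ -n "$ks" ] && [ -r "$ks" ]; } ||
            report "SSL useSSL is true but SSLKeyStore '$ks' is not readable"
    fi
    return "$findings"
}

# demo: lint a constructed Guard tree built in a temporary directory.
demo() {
    d=$(mktemp -d) && mkdir "$d/etc" || return 1
    cat > "$d/etc/guard.properties" <<'EOF'
# constructed sample; the values are the placeholders used on this page
com.openexchange.guard.databaseUsername=openexchange
com.openexchange.guard.databasePassword=db_password
com.openexchange.guard.restApiHostname=apache.example.com
com.openexchange.guard.useSSL: false
EOF
    chmod 644 "$d/etc/guard.properties"
    : > "$d/oxguardpass"
    chmod 600 "$d/oxguardpass"
    status=0
    lint_guard "$d" || status=$?
    rm -rf "$d"
    return "$status"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the three findings for the constructed tree, or call lint_guard /opt/open-xchange/guard after sourcing the file on a Guard node.<br />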
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind-address = 0.0.0.0<br />
<br />
This allows the Guard backend to connect to the MySQL host which is configured in the guard.properties file with com.openexchange.guard.configdbHostname. Once the bind address for the MySQL instance is configured and the OX Guard backend is able to reach the configured host, you have to grant the OX Guard service access on the MySQL instance to manage the databases. Do so by connecting to the MySQL server via the mysql client. Authenticate if necessary and execute the following. Please note that you have to modify the hostname / IP address of the client that should be able to connect to this database; it should include all possible OX Guard servers:<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'oxguard.example.com' IDENTIFIED BY 'secret';<br />
<br />
=== Apache ===<br />
<br />
OX Guard uses the Open-Xchange REST API to store and fetch data from the Open-Xchange databases. The REST API is a servlet running in the Grizzly container. By default it is not exposed as a servlet through Apache and is only accessible via port 8009. In order to use Apache's load balancing via mod_proxy we need to add a servlet called "preliminary" to proxy_http.conf. Example based on a clustered mod_proxy configuration:<br />
<br />
ProxyPass /preliminary balancer://oxcluster/preliminary<br />
<br />
Make sure that the balancer is properly configured in the mod_proxy configuration. Examples on how to do so can be found in our clustering configuration for Open-Xchange AppSuite.<br />
<br />
Now add the OX Guard BalancerMembers to the oxguard balancer configuration (also in proxy_http.conf) to address all your OX Guard nodes in the cluster in this balancer configuration. The configuration has to be applied to all Apache nodes within the cluster.<br />
<br />
If the Apache server is a dedicated server / instance you also have to install the OX Guard UI-Static package on all Apache nodes in the cluster in order to provide static files like images or CSS to the OX Guard client. Example for Debian (the OX Guard repository has to be configured in the package management beforehand):<br />
<br />
$ apt-get install open-xchange-guard-ui-static<br />
<br />
=== Open-Xchange ===<br />
<br />
Disable the Open-Xchange IPCheck for session verification. This is required because OX Guard will use the user's session cookie to connect to the Open-Xchange REST API. Since the OX Guard server's IP address differs from the one used during authentication, the request would fail if you don't disable the IPCheck:<br />
<br />
$ vim /opt/open-xchange/etc/server.properties<br />
<br />
and set:<br />
<br />
com.openexchange.IPCheck=false<br />
<br />
The OX Guard UI package has to be installed on all Open-Xchange backend nodes as well. Example for Debian (the OX Guard repository has to be configured in the package management beforehand):<br />
<br />
$ apt-get install open-xchange-guard-ui<br />
<br />
Restart the Open-Xchange service afterwards.<br />
<br />
=== OX Guard ===<br />
<br />
After all the services like MySQL, Apache and Open-Xchange have been configured you need to update the OX Guard backend configuration to point to the correct API endpoints. Set the REST API endpoint to an Apache server by setting the following value in /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.restApiHostname=apache.example.com<br />
<br />
By default, Guard will try to connect to port 8009 on this host, but as we configured the REST API to be proxied through the servlet /preliminary on every Apache, we now also need to change the target port for the REST API. You can do so by adding the following line to /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.oxBackendPort=80<br />
<br />
Please also change all settings in regards to MySQL like com.openexchange.guard.configdbHostname, com.openexchange.guard.oxguardDatabaseHostname, com.openexchange.guard.databaseUsername or com.openexchange.guard.databasePassword. Afterwards restart the OX Guard service and check the logfile if the OX Guard backend is able to connect to the configured REST API.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18286AppSuite:OX Guard2014-08-14T16:04:02Z<p>Bartl3by: /* Apache */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to setup a basic installation with none of the typically used distributed environment settings. The objective of this guide is:<br />
<br />
* To setup a single server installation<br />
* To setup a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single- and multi-server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple brand support based on the Open-Xchange Config Cascade will be supported with version > 1.2; this includes email templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which is installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default, so we have to set Java 1.7 as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
# OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
With SELinux enabled, your local Open-Xchange backend service is prohibited from connecting to localhost:8080, which is where the Guard backend service listens. To allow local connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. In a multi-server setup the initiation only needs to be done once; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords. Without it, the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated, so it's time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of those users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default, the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To force Guard to use SSL for this communication, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind-address = 0.0.0.0<br />
<br />
This allows the Guard backend to connect to the MySQL host which is configured in the guard.properties file with com.openexchange.guard.configdbHostname. Once the bind address for the MySQL instance is configured and the OX Guard backend is able to reach the configured host, you have to grant the OX Guard service access on the MySQL instance to manage the databases. Do so by connecting to the MySQL server via the mysql client. Authenticate if necessary and execute the following. Please note that you have to modify the hostname / IP address of the client that should be able to connect to this database; it should include all possible OX Guard servers:<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'oxguard.example.com' IDENTIFIED BY 'secret';<br />
<br />
=== Apache ===<br />
<br />
OX Guard uses the Open-Xchange REST API to store and fetch data from the Open-Xchange databases. The REST API is a servlet running in the Grizzly container. By default it is not exposed as a servlet through Apache and is only accessible via port 8009. In order to use Apache's load balancing via mod_proxy we need to add a servlet called "preliminary" to proxy_http.conf. Example based on a clustered mod_proxy configuration:<br />
<br />
ProxyPass /preliminary balancer://oxcluster/preliminary<br />
<br />
Make sure that the balancer is properly configured in the mod_proxy configuration. Examples on how to do so can be found in our clustering configuration for Open-Xchange AppSuite.<br />
<br />
Now add the OX Guard BalancerMembers to the oxguard balancer configuration (also in proxy_http.conf) to address all your OX Guard nodes in the cluster in this balancer configuration. The configuration has to be applied to all Apache nodes within the cluster.<br />
<br />
If the Apache server is a dedicated server / instance you also have to install the OX Guard UI-Static package on all Apache nodes in the cluster in order to provide static files like images or CSS to the OX Guard client. Example for Debian (the OX Guard repository has to be configured in the package management beforehand):<br />
<br />
$ apt-get install open-xchange-guard-ui-static<br />
<br />
=== Open-Xchange ===<br />
<br />
Disable the Open-Xchange IPCheck for session verification. This is required because OX Guard will use the user's session cookie to connect to the Open-Xchange REST API. Since the OX Guard server's IP address differs from the one used during authentication, the request would fail if you don't disable the IPCheck:<br />
<br />
$ vim /opt/open-xchange/etc/server.properties<br />
<br />
and set:<br />
<br />
com.openexchange.IPCheck=false<br />
<br />
The OX Guard UI package has to be installed on all Open-Xchange backend nodes as well, example for Debian:<br />
<br />
$ apt-get install open-xchange-guard-ui<br />
<br />
Restart the Open-Xchange service afterwards.<br />
<br />
=== OX Guard ===<br />
<br />
After all the services like MySQL, Apache and Open-Xchange have been configured you need to update the OX Guard backend configuration to point to the correct API endpoints. Set the REST API endpoint to an Apache server by setting the following value in /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.restApiHostname=apache.example.com<br />
<br />
By default, Guard will try to connect to port 8009 on this host, but as we configured the REST API to be proxied through the servlet /preliminary on every Apache, we now also need to change the target port for the REST API. You can do so by adding the following line to /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.oxBackendPort=80<br />
<br />
Please also change all settings in regards to MySQL like com.openexchange.guard.configdbHostname, com.openexchange.guard.oxguardDatabaseHostname, com.openexchange.guard.databaseUsername or com.openexchange.guard.databasePassword. Afterwards restart the OX Guard service and check the logfile if the OX Guard backend is able to connect to the configured REST API.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18285AppSuite:OX Guard2014-08-14T16:01:33Z<p>Bartl3by: /* Open-Xchange */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to setup a basic installation with none of the typically used distributed environment settings. The objective of this guide is:<br />
<br />
* To setup a single server installation<br />
* To setup a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single- and multi-server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multi-brand support based on the Open-Xchange Config Cascade will be available with versions > 1.2; this includes email templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which is installed through the Guard packages. However, SUSE Linux Enterprise Server 11 does not use Java 1.7 by default, so Java 1.7 has to be set as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
 Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
 </Proxy><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
# OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
Running SELinux prevents your local Open-Xchange backend service from connecting to localhost:8080, which is where the Guard backend service listens. In order to allow localhost connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of creating the master keys and the master password file in /opt/open-xchange/guard. The initialization only needs to be done once for a multi-server setup; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initialized; it's time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of the users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. These capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default, the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To force Guard to use SSL for this communication, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
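<br />
The settings described so far can be checked mechanically before a node goes live. The following is an added example, not part of the OX Guard packages: it parses guard.properties (both the key=value and key: value forms used on this page) and reports placeholder credentials, a remote REST API host without SSL, and unfilled SSL key store values. The function names, the sample file and the assumption that an unset restApiHostname means localhost are illustrative.<br />

```python
"""Audit an OX Guard guard.properties file (added example, not OX code)."""
import os
import re
import stat

PREFIX = "com.openexchange.guard."
# Stand-in values used in this guide; leaving them in place is a finding.
PLACEHOLDER_PASSWORDS = {"", "db_password", "secret"}
PLACEHOLDER_URLS = {"", "somewhere.com"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: REST API on another host, guide placeholders left in.
SAMPLE = """\
# constructed sample for illustration
com.openexchange.guard.configdbHostname=db.example.com
com.openexchange.guard.databaseUsername=openexchange
com.openexchange.guard.databasePassword=db_password
com.openexchange.guard.restApiHostname=rest.example.com
com.openexchange.guard.externalEmailURL=somewhere.com
"""


def parse_properties(text):
    """Parse Java-style properties; accepts 'key=value' and 'key: value'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def is_placeholder(value):
    """True for empty values and for the //text// markers used in this guide."""
    return not value or (value.startswith("//") and value.endswith("//"))


def audit(props):
    """Return a list of (short_key, message) findings for parsed settings."""
    def get(key):
        return props.get(PREFIX + key, "").strip()

    findings = []
    if get("databasePassword") in PLACEHOLDER_PASSWORDS:
        findings.append(("databasePassword",
                         "empty or still a placeholder value from the guide"))
    if get("externalEmailURL") in PLACEHOLDER_URLS:
        findings.append(("externalEmailURL",
                         "not set to this installation's external host name"))

    ssl_on = get("useSSL").lower() == "true"
    # Assumption: an unset restApiHostname behaves like the localhost default.
    rest_host = get("restApiHostname") or "localhost"
    if rest_host.lower() not in LOCAL_HOSTS and not ssl_on:
        findings.append(("useSSL",
                         "REST API host %s is remote but the connection "
                         "to it is unencrypted" % rest_host))
    if ssl_on:
        for key in ("SSLKeyStore", "SSLKeyName", "SSLKeyPass"):
            if is_placeholder(get(key)):
                findings.append((key, "useSSL is true but this value is "
                                      "missing or still a //placeholder//"))
    return findings


def audit_file(path):
    """Audit a properties file on disk, including its read permissions."""
    with open(path, encoding="latin-1") as handle:
        findings = audit(parse_properties(handle.read()))
    if os.stat(path).st_mode & stat.S_IROTH:
        findings.append(("file mode", "%s is world-readable and holds the "
                                      "database and key store passwords" % path))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = audit_file(sys.argv[1])
    else:
        results = audit(parse_properties(SAMPLE))
    for key, message in results:
        print("%-18s %s" % (key, message))
```

Run it with the path to guard.properties as the only argument; without an argument it audits the constructed sample.<br />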
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind-address = 0.0.0.0<br />
<br />
This makes MySQL listen on all network interfaces, so that the Guard backend can connect to the MySQL host configured in the guard.properties file with com.openexchange.guard.configdbHostname. Once the OX Guard backend is able to reach the configured host, you have to grant the OX Guard service access on the MySQL instance so that it can manage the databases. Do so by connecting to the MySQL server via the mysql client, authenticating if necessary, and executing the following. Please note that you have to modify the hostname / IP address of the client that should be able to connect to this database; it should include all possible OX Guard servers:<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'oxguard.example.com' IDENTIFIED BY 'secret';<br />
<br />
=== Apache ===<br />
<br />
OX Guard uses the Open-Xchange REST API to store and fetch data from the Open-Xchange databases. The REST API is a servlet running in the Grizzly container. By default it is not exposed as a servlet through Apache and is only accessible via port 8009. In order to use Apache's load balancing via mod_proxy, we need to add a servlet called "preliminary" to proxy_http.conf. Example based on a clustered mod_proxy configuration:<br />
<br />
ProxyPass /preliminary balancer://oxcluster/preliminary<br />
<br />
Make sure that the balancer is properly configured in the mod_proxy configuration. Examples on how to do so can be found in our clustering configuration for Open-Xchange AppSuite.<br />
<br />
Now add the OX Guard BalancerMembers to the oxguard balancer configuration (also in proxy_http.conf) to address all your OX Guard nodes in the cluster in this balancer configuration. The configuration has to be applied to all Apache nodes within the cluster.<br />
<br />
=== Open-Xchange ===<br />
<br />
Disable the Open-Xchange IPCheck for session verification. This is required because OX Guard uses the user's session cookie to connect to the Open-Xchange REST API. Since the OX Guard server's IP address differs from the one used during authentication, the request would fail unless the IPCheck is disabled:<br />
<br />
$ vim /opt/open-xchange/etc/server.properties<br />
<br />
and set:<br />
<br />
com.openexchange.IPCheck=false<br />
<br />
The OX Guard UI package has to be installed on all Open-Xchange backend nodes as well, example for Debian:<br />
<br />
$ apt-get install open-xchange-guard-ui<br />
<br />
Restart the Open-Xchange service afterwards.<br />
<br />
=== OX Guard ===<br />
<br />
After all the services like MySQL, Apache and Open-Xchange have been configured you need to update the OX Guard backend configuration to point to the correct API endpoints. Set the REST API endpoint to an Apache server by setting the following value in /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.restApiHostname=apache.example.com<br />
<br />
By default Guard will try to connect to port 8009 on this host, but as we configured the REST API to be proxied through the servlet /preliminary on every Apache, we now also need to change the target port for the REST API. You can do so by adding the following line to /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.oxBackendPort=80<br />
<br />
Please also adjust all MySQL-related settings such as com.openexchange.guard.configdbHostname, com.openexchange.guard.oxguardDatabaseHostname, com.openexchange.guard.databaseUsername and com.openexchange.guard.databasePassword. Afterwards restart the OX Guard service and check the log file to verify that the OX Guard backend is able to connect to the configured REST API.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18277AppSuite:OX Guard2014-08-12T08:25:21Z<p>Bartl3by: /* OX Guard */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to setup a basic installation with none of the typically used distributed environment settings. The objective of this guide is:<br />
<br />
* To setup a single server installation<br />
* To setup a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class email and collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single- and multi-server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multi-brand support based on the Open-Xchange Config Cascade will be available with versions > 1.2; this includes email templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which is installed through the Guard packages. However, SUSE Linux Enterprise Server 11 does not use Java 1.7 by default, so Java 1.7 has to be set as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
 Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
 </Proxy><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
# OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
Running SELinux prevents your local Open-Xchange backend service from connecting to localhost:8080, which is where the Guard backend service listens. In order to allow localhost connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of creating the master keys and the master password file in /opt/open-xchange/guard. The initialization only needs to be done once for a multi-server setup; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initialized; it's time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of the users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. These capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default, the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To force Guard to use SSL for this communication, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind-address = 0.0.0.0<br />
<br />
This makes MySQL listen on all network interfaces, so that the Guard backend can connect to the MySQL host configured in the guard.properties file with com.openexchange.guard.configdbHostname. Once the OX Guard backend is able to reach the configured host, you have to grant the OX Guard service access on the MySQL instance so that it can manage the databases. Do so by connecting to the MySQL server via the mysql client, authenticating if necessary, and executing the following. Please note that you have to modify the hostname / IP address of the client that should be able to connect to this database; it should include all possible OX Guard servers:<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'oxguard.example.com' IDENTIFIED BY 'secret';<br />
<br />
=== Apache ===<br />
<br />
OX Guard uses the Open-Xchange REST API to store and fetch data from the Open-Xchange databases. The REST API is a servlet running in the Grizzly container. By default it is not exposed as a servlet through Apache and is only accessible via port 8009. In order to use Apache's load balancing via mod_proxy, we need to add a servlet called "preliminary" to proxy_http.conf. Example based on a clustered mod_proxy configuration:<br />
<br />
ProxyPass /preliminary balancer://oxcluster/preliminary<br />
<br />
Make sure that the balancer is properly configured in the mod_proxy configuration. Examples on how to do so can be found in our clustering configuration for Open-Xchange AppSuite.<br />
<br />
Now add the OX Guard BalancerMembers to the oxguard balancer configuration (also in proxy_http.conf) to address all your OX Guard nodes in the cluster in this balancer configuration. The configuration has to be applied to all Apache nodes within the cluster.<br />
<br />
=== Open-Xchange ===<br />
<br />
Disable the Open-Xchange IPCheck for session verification. This is required because OX Guard uses the user's session cookie to connect to the Open-Xchange REST API. Since the OX Guard server's IP address differs from the one used during authentication, the request would fail unless the IPCheck is disabled:<br />
<br />
$ vim /opt/open-xchange/etc/server.properties<br />
<br />
and set:<br />
<br />
com.openexchange.IPCheck=false<br />
<br />
Restart the Open-Xchange service afterwards.<br />
<br />
=== OX Guard ===<br />
<br />
After all the services like MySQL, Apache and Open-Xchange have been configured you need to update the OX Guard backend configuration to point to the correct API endpoints. Set the REST API endpoint to an Apache server by setting the following value in /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.restApiHostname=apache.example.com<br />
<br />
By default Guard will try to connect to port 8009 on this host, but as we configured the REST API to be proxied through the servlet /preliminary on every Apache, we now also need to change the target port for the REST API. You can do so by adding the following line to /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.oxBackendPort=80<br />
<br />
Please also adjust all MySQL-related settings such as com.openexchange.guard.configdbHostname, com.openexchange.guard.oxguardDatabaseHostname, com.openexchange.guard.databaseUsername and com.openexchange.guard.databasePassword. Afterwards restart the OX Guard service and check the log file to verify that the OX Guard backend is able to connect to the configured REST API.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18276AppSuite:OX Guard2014-08-12T08:23:08Z<p>Bartl3by: /* OX Guard */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to setup a basic installation with none of the typically used distributed environment settings. The objective of this guide is:<br />
<br />
* To setup a single server installation<br />
* To setup a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides a best in class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple brand support based on the Open-Xchange Config Cascade will be supported with version > 1.2, this includes eMail templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which is installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default, so we have to set Java 1.7 as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
# OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
With SELinux enabled, your local Open-Xchange backend service is prevented from connecting to localhost:8080, which is where the Guard backend service listens. To allow localhost connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of creating the master keys and the master password file in /opt/open-xchange/guard. The initialization only needs to be done once for a multi server setup; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated, so it is time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of the users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. These capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To make Guard use SSL for this communication, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
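<br />
The following Python check is an added example, not part of the original guide or of OX Guard: it parses guard.properties, accepting both the key=value and key: value forms used above, and flags example values left in place, a remote REST API host without SSL, and incomplete SSL settings. The sample file content, the placeholder tests and the owner-only file mode check are assumptions of this example.<br />

```python
import os
import re
import stat

PREFIX = "com.openexchange.guard."
# Example values exactly as they appear in this guide's configuration snippets.
PLACEHOLDERS = {
    "databasePassword": "db_password",
    "externalEmailURL": "somewhere.com",
}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
SSL_KEYS = ("SSLKeyStore", "SSLKeyName", "SSLKeyPass")

# Constructed sample for this example, not a real deployment.
SAMPLE = """\
# constructed sample
com.openexchange.guard.configdbHostname=localhost
com.openexchange.guard.oxguardDatabaseHostname=localhost
com.openexchange.guard.databaseUsername=openexchange
com.openexchange.guard.databasePassword=db_password
com.openexchange.guard.restApiHostname=apache.example.com
com.openexchange.guard.externalEmailURL=mail.example.com
com.openexchange.guard.useSSL: true
com.openexchange.guard.SSLPort: 8443
com.openexchange.guard.SSLKeyStore: //keystore location//
com.openexchange.guard.SSLKeyName: guard
com.openexchange.guard.SSLKeyPass: //ssl password//
"""

# Simplified Java properties syntax: key, optional '=' or ':', value.
_LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Parse properties text into a dict, skipping blank lines and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit(props):
    """Return (setting, message) findings for a parsed guard.properties."""
    def get(key):
        return props.get(PREFIX + key, "")

    findings = []
    for key, placeholder in PLACEHOLDERS.items():
        if get(key) in ("", placeholder):
            findings.append((key, "unset or still the guide's example value"))
    ssl_on = get("useSSL").lower() == "true"
    # Assumption: an unset REST API host means the default, localhost.
    rest_host = get("restApiHostname") or "localhost"
    if rest_host not in LOCAL_HOSTS and not ssl_on:
        findings.append(("useSSL", "REST API host %s is remote but SSL is off" % rest_host))
    if ssl_on:
        for key in SSL_KEYS:
            value = get(key)
            if not value or (value.startswith("//") and value.endswith("//")):
                findings.append((key, "must be set when useSSL is true"))
    return findings


def check_mode(path):
    """Flag a secret-bearing file that group or others can access.

    Assumption of this example: the file is owned by the service user,
    so owner-only permissions are sufficient.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return (path, "mode %04o lets group/others access it" % mode)
    return None


if __name__ == "__main__":
    for name, message in audit(parse_properties(SAMPLE)):
        print("%s: %s" % (name, message))
    # Both files hold passwords according to this guide.
    for path in ("/opt/open-xchange/guard/etc/guard.properties",
                 "/opt/open-xchange/guard/oxguardpass"):
        if os.path.exists(path):
            hit = check_mode(path)
            if hit:
                print("%s: %s" % hit)
```

To audit a real installation, pass the content of /opt/open-xchange/guard/etc/guard.properties to parse_properties instead of SAMPLE.<br />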
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind-address = 0.0.0.0<br />
<br />
This allows the Guard backend to connect to the MySQL host that is configured in guard.properties with com.openexchange.guard.configdbHostname. Once MySQL is listening on that address and the OX Guard backend can reach the configured host, you have to grant the OX Guard service access on the MySQL instance to manage the databases. Do so by connecting to the MySQL server with the mysql client. Authenticate if necessary and execute the following. Please note that you have to change the hostname / IP address to that of the client that should be able to connect to this database; it should include all possible OX Guard servers:<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'oxguard.example.com' IDENTIFIED BY 'secret';<br />
<br />
=== Apache ===<br />
<br />
OX Guard uses the Open-Xchange REST API to store and fetch data from the Open-Xchange databases. The REST API is a servlet running in the Grizzly container. By default it is not exposed as a servlet through Apache and is only accessible via port 8009. In order to use Apache's load balancing via mod_proxy we need to add a servlet called "preliminary" to proxy_http.conf. Example based on a clustered mod_proxy configuration:<br />
<br />
ProxyPass /preliminary balancer://oxcluster/preliminary<br />
<br />
Make sure that the balancer is properly configured in the mod_proxy configuration. Examples on how to do so can be found in our clustering configuration for Open-Xchange AppSuite.<br />
<br />
Now add the OX Guard BalancerMembers to the oxguard balancer configuration (also in proxy_http.conf) to address all your OX Guard nodes in the cluster in this balancer configuration. The configuration has to be applied to all Apache nodes within the cluster.<br />
<br />
=== Open-Xchange ===<br />
<br />
Disable the Open-Xchange IPCheck for session verification. This is required because OX Guard uses the user's session cookie to connect to the Open-Xchange REST API. Because the request comes from the OX Guard server's IP address rather than the address used during authentication, it would fail unless you disable the IPCheck:<br />
<br />
$ vim /opt/open-xchange/etc/server.properties<br />
<br />
and set:<br />
<br />
com.openexchange.IPCheck=false<br />
<br />
Restart the Open-Xchange service afterwards.<br />
<br />
=== OX Guard ===<br />
<br />
After all the services like MySQL, Apache and Open-Xchange have been configured you need to update the OX Guard backend configuration to point to the correct API endpoints. Set the REST API endpoint to an Apache server by setting the following value in /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.restApiHostname=apache.example.com<br />
<br />
By default Guard will try to connect to port 8009 on this host, but as we configured the REST API to be proxied through the servlet /preliminary on every Apache, we now also need to change the target port for the REST API. You can do so by adding the following line to /opt/open-xchange/guard/etc/guard.properties:<br />
<br />
com.openexchange.guard.oxBackendPort=80</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18275AppSuite:OX Guard2014-08-12T08:13:41Z<p>Bartl3by: /* Open-Xchange */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to setup a basic installation with none of the typically used distributed environment settings. The objective of this guide is:<br />
<br />
* To setup a single server installation<br />
* To setup a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides a best in class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple brand support based on the Open-Xchange Config Cascade will be supported with version > 1.2, this includes eMail templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which is installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default, so we have to set Java 1.7 as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
# OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
With SELinux enabled, your local Open-Xchange backend service is prevented from connecting to localhost:8080, which is where the Guard backend service listens. To allow localhost connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of creating the master keys and the master password file in /opt/open-xchange/guard. The initialization only needs to be done once for a multi server setup; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated, so it is time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of the users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. These capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To make Guard use SSL for this communication, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind-address = 0.0.0.0<br />
<br />
This allows the Guard backend to connect to the MySQL host that is configured in guard.properties with com.openexchange.guard.configdbHostname. Once MySQL is listening on that address and the OX Guard backend can reach the configured host, you have to grant the OX Guard service access on the MySQL instance to manage the databases. Do so by connecting to the MySQL server with the mysql client. Authenticate if necessary and execute the following. Please note that you have to change the hostname / IP address to that of the client that should be able to connect to this database; it should include all possible OX Guard servers:<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'oxguard.example.com' IDENTIFIED BY 'secret';<br />
<br />
=== Apache ===<br />
<br />
OX Guard uses the Open-Xchange REST API to store and fetch data from the Open-Xchange databases. The REST API is a servlet running in the Grizzly container. By default it is not exposed as a servlet through Apache and is only accessible via port 8009. In order to use Apache's load balancing via mod_proxy we need to add a servlet called "preliminary" to proxy_http.conf. Example based on a clustered mod_proxy configuration:<br />
<br />
ProxyPass /preliminary balancer://oxcluster/preliminary<br />
<br />
Make sure that the balancer is properly configured in the mod_proxy configuration. Examples on how to do so can be found in our clustering configuration for Open-Xchange AppSuite.<br />
<br />
Now add the OX Guard BalancerMembers to the oxguard balancer configuration (also in proxy_http.conf) to address all your OX Guard nodes in the cluster in this balancer configuration. The configuration has to be applied to all Apache nodes within the cluster.<br />
<br />
=== Open-Xchange ===<br />
<br />
Disable the Open-Xchange IPCheck for session verification. This is required because OX Guard uses the user's session cookie to connect to the Open-Xchange REST API. Because the request comes from the OX Guard server's IP address rather than the address used during authentication, it would fail unless you disable the IPCheck:<br />
<br />
$ vim /opt/open-xchange/etc/server.properties<br />
<br />
and set:<br />
<br />
com.openexchange.IPCheck=false<br />
<br />
Restart the Open-Xchange service afterwards.<br />
<br />
=== OX Guard ===</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18274AppSuite:OX Guard2014-08-12T08:11:57Z<p>Bartl3by: /* Apache */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through, it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to set up a basic installation with none of the typically used distributed environment settings. The objectives of this guide are:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best in class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple brand support based on the Open-Xchange Config Cascade will be supported with version > 1.2, this includes eMail templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which is installed through the Guard packages. However, SUSE Linux Enterprise Server 11 does not use Java 1.7 by default, so Java 1.7 has to be set as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br />
<br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache web server:<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
# OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
With SELinux enabled, your local Open-Xchange backend service is prohibited from connecting to localhost:8080, which is where the Guard backend service listens. To allow localhost connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. In a multi server setup the initiation only needs to be done once; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as the passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated, so it is time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of the users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. The capabilities can be activated for a specific user by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To make Guard use SSL for the communication between those two components, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
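The settings and files described so far can be checked with a small audit script. This is an added example, not part of OX Guard: the function names, the finding ids and the owner-only file policy are assumptions of the example, and the sample files it writes are constructed from this guide's default values.<br />

```shell
#!/bin/sh
# Added example (not part of OX Guard): audit a Guard node's configuration files.
# Policy assumed here: both files are owner-only, and an unencrypted REST API
# connection is acceptable only when the API host is the local machine.

# prop_get FILE KEY: print the value of KEY. Accepts "key=value" and
# "key: value" (this guide uses both); the last definition wins.
prop_get() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                  # comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*[=:]/) next     # a longer key with the same prefix
            sub(/^[ \t]*[=:][ \t]*/, "", rest)
            sub(/[ \t\r]+$/, "", rest)
            val = rest; found = 1
        }
        END { if (found) print val }
    ' "$1"
}

# loose_mode FILE: true when any group or other permission bit is set.
loose_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# audit_guard PROPERTIES_FILE MASTER_PASSWORD_FILE
# Prints one "FINDING <id>: <text>" line per problem; returns 1 if any was found.
audit_guard() {
    ag_props=$1; ag_pass=$2; ag_rc=0; ag_p=com.openexchange.guard
    finding() { echo "FINDING $1: $2"; ag_rc=1; }

    if [ ! -r "$ag_props" ]; then
        finding props-missing "cannot read $ag_props"
        return 1
    fi
    if loose_mode "$ag_props"; then
        finding props-mode "$ag_props holds databasePassword but is accessible to group/other"
    fi
    case $(prop_get "$ag_props" "$ag_p.databasePassword") in
        ''|db_password) finding db-password "databasePassword is empty or still the placeholder" ;;
    esac
    case $(prop_get "$ag_props" "$ag_p.externalEmailURL") in
        ''|somewhere.com) finding external-url "externalEmailURL is unset or still the placeholder" ;;
    esac

    if [ "$(prop_get "$ag_props" "$ag_p.useSSL")" = true ]; then
        ag_ks=$(prop_get "$ag_props" "$ag_p.SSLKeyStore")
        if [ -z "$ag_ks" ] || [ ! -r "$ag_ks" ]; then
            finding ssl-keystore "useSSL is true but SSLKeyStore '$ag_ks' is not a readable file"
        fi
        if [ -z "$(prop_get "$ag_props" "$ag_p.SSLKeyName")" ]; then
            finding ssl-keyname "useSSL is true but SSLKeyName is not set"
        fi
    else
        ag_host=$(prop_get "$ag_props" "$ag_p.restApiHostname")
        case $ag_host in
            ''|localhost|127.0.0.1|::1) ;;      # unset is treated as local (assumption)
            *) finding rest-plaintext "REST API host $ag_host is remote but useSSL is not true" ;;
        esac
    fi

    if [ ! -f "$ag_pass" ]; then
        finding master-missing "$ag_pass not found; user passwords cannot be reset without it"
    elif loose_mode "$ag_pass"; then
        finding master-mode "$ag_pass is accessible to group/other"
    fi
    return "$ag_rc"
}

# make_sample DIR: write constructed sample files that use this guide's default values.
make_sample() {
    cat > "$1/guard.properties" <<'EOF'
# constructed sample
com.openexchange.guard.configdbHostname=localhost
com.openexchange.guard.databaseUsername=openexchange
com.openexchange.guard.databasePassword=db_password
com.openexchange.guard.restApiHostname=localhost
com.openexchange.guard.externalEmailURL=somewhere.com
com.openexchange.guard.useSSL: false
EOF
    echo 'constructed placeholder, not a real secret' > "$1/oxguardpass"
    chmod 644 "$1/guard.properties"
    chmod 600 "$1/oxguardpass"
}

# Demo on the constructed sample. On a real node call instead:
#   audit_guard /opt/open-xchange/guard/etc/guard.properties /opt/open-xchange/guard/oxguardpass
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_guard "$demo_dir/guard.properties" "$demo_dir/oxguardpass" || true
rm -rf "$demo_dir"
```
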
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind-address = 0.0.0.0<br />
<br />
This makes MySQL listen on all network interfaces, so that the Guard backend can connect to the MySQL host configured in the guard.properties file with com.openexchange.guard.configdbHostname. Because the server then accepts connections on every interface, restrict network access to the MySQL port to the Open-Xchange and OX Guard hosts. Once the bind address is configured and the OX Guard backend is able to reach the configured host, grant the OX Guard service access on the MySQL instance to manage the databases. To do so, connect to the MySQL server with the mysql client, authenticate if necessary and execute the following statement. Replace the hostname / IP address with that of the client that should be able to connect to this database; the grants should cover all possible OX Guard servers:<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'oxguard.example.com' IDENTIFIED BY 'secret';<br />
<br />
=== Apache ===<br />
<br />
OX Guard uses the Open-Xchange REST API to store and fetch data from the Open-Xchange databases. The REST API is a servlet running in the Grizzly container. By default it is not exposed as a servlet through Apache and is only accessible via port 8009. In order to use Apache's load balancing via mod_proxy we need to add a servlet called "preliminary" to proxy_http.conf. Example based on a clustered mod_proxy configuration:<br />
<br />
ProxyPass /preliminary balancer://oxcluster/preliminary<br />
<br />
Make sure that the balancer is properly configured in the mod_proxy configuration. Examples on how to do so can be found in our clustering configuration for Open-Xchange AppSuite.<br />
<br />
Now add the OX Guard BalancerMembers to the oxguard balancer configuration (also in proxy_http.conf) to address all your OX Guard nodes in the cluster in this balancer configuration. The configuration has to be applied to all Apache nodes within the cluster.<br />
<br />
=== Open-Xchange ===<br />
<br />
Disable the Open-Xchange IPCheck for session verification. This is required because OX Guard uses the user's session cookie to connect to the Open-Xchange REST API; since these requests come from the OX Guard server rather than from the IP address that was used during authentication, they would fail if IPCheck were enabled. Note that the setting applies to all sessions, so sessions are then no longer tied to the IP address they were created from:<br />
<br />
$ vim /opt/open-xchange/etc/server.properties<br />
<br />
and set:<br />
<br />
com.openexchange.IPCheck=false<br />
<br />
Restart the Open-Xchange service afterwards.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18273AppSuite:OX Guard2014-08-12T07:57:19Z<p>Bartl3by: /* Apache */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through, it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to set up a basic installation with none of the typically used distributed environment settings. The objectives of this guide are:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best in class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple brand support based on the Open-Xchange Config Cascade will be supported with version > 1.2, this includes eMail templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which is installed through the Guard packages. However, SUSE Linux Enterprise Server 11 does not use Java 1.7 by default, so Java 1.7 has to be set as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br />
<br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache web server:<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
# OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
With SELinux enabled, your local Open-Xchange backend service is prohibited from connecting to localhost:8080, which is where the Guard backend service listens. To allow localhost connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. In a multi server setup the initiation only needs to be done once; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as the passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated, so it is time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of the users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. The capabilities can be activated for a specific user by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To make Guard use SSL for the communication between those two components, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind-address = 0.0.0.0<br />
<br />
This makes MySQL listen on all network interfaces, so that the Guard backend can connect to the MySQL host configured in the guard.properties file with com.openexchange.guard.configdbHostname. Because the server then accepts connections on every interface, restrict network access to the MySQL port to the Open-Xchange and OX Guard hosts. Once the bind address is configured and the OX Guard backend is able to reach the configured host, grant the OX Guard service access on the MySQL instance to manage the databases. To do so, connect to the MySQL server with the mysql client, authenticate if necessary and execute the following statement. Replace the hostname / IP address with that of the client that should be able to connect to this database; the grants should cover all possible OX Guard servers:<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'oxguard.example.com' IDENTIFIED BY 'secret';<br />
<br />
=== Apache ===<br />
<br />
OX Guard uses the Open-Xchange REST API to store and fetch data from the Open-Xchange databases. The REST API is a servlet running in the Grizzly container. By default it is not exposed as a servlet through Apache and is only accessible via port 8009. In order to use Apache's load balancing via mod_proxy we need to add a servlet called<br />
<br />
=== Open-Xchange ===<br />
<br />
Disable the Open-Xchange IPCheck for session verification. This is required because OX Guard uses the user's session cookie to connect to the Open-Xchange REST API; since these requests come from the OX Guard server rather than from the IP address that was used during authentication, they would fail if IPCheck were enabled. Note that the setting applies to all sessions, so sessions are then no longer tied to the IP address they were created from:<br />
<br />
$ vim /opt/open-xchange/etc/server.properties<br />
<br />
and set:<br />
<br />
com.openexchange.IPCheck=false<br />
<br />
Restart the Open-Xchange service afterwards.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18272AppSuite:OX Guard2014-08-12T07:35:11Z<p>Bartl3by: /* MySQL */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through, it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to set up a basic installation with none of the typically used distributed environment settings. The objectives of this guide are:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class email and collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed on a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple brand support based on the Open-Xchange Config Cascade will be supported with version > 1.2; this includes email templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which will be installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default, so Java 1.7 has to be set as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br />
<br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
# OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
With SELinux enabled, your local Open-Xchange backend service is prohibited from connecting to localhost:8080, which is where the Guard backend service listens. To allow localhost connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. In a multi server setup the initiation only needs to be done once; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords. Without it, the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated. It is time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of the users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To make Guard use SSL in the communication between those two components, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
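<br />
A lint for the guard.properties settings described above (database, REST API and SSL options), as an added example that is not part of the original article or of OX Guard itself. The two sample files and the keystore path are constructed; the placeholder values it looks for are the ones shown in this article.<br />

```python
import re

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
PREFIX = "com.openexchange.guard."
# Placeholder values exactly as printed in the article; finding one in a live
# guard.properties means the file was pasted without being filled in.
PLACEHOLDERS = {"db_password", "somewhere.com"}
SSL_KEYS = ("SSLKeyStore", "SSLKeyName", "SSLKeyPass")
_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")

# Constructed sample: the single-server values from the Configuration section.
SINGLE_SERVER = """\
com.openexchange.guard.configdbHostname=localhost
com.openexchange.guard.oxguardDatabaseHostname=localhost
com.openexchange.guard.databaseUsername=openexchange
com.openexchange.guard.databasePassword=db_password
com.openexchange.guard.restApiHostname=localhost
com.openexchange.guard.externalEmailURL=somewhere.com
"""

# Constructed sample: a cluster node with remote hosts and half-finished SSL.
CLUSTER_NODE = """\
# hostnames, password and keystore path below are made up for this example
com.openexchange.guard.configdbHostname=db1.example.com
com.openexchange.guard.oxguardDatabaseHostname=db1.example.com
com.openexchange.guard.databaseUsername=openexchange
com.openexchange.guard.databasePassword=S0me-long-random-value
com.openexchange.guard.restApiHostname=ox1.example.com
com.openexchange.guard.externalEmailURL=mail.example.com
com.openexchange.guard.useSSL: true
com.openexchange.guard.SSLPort: 8443
com.openexchange.guard.SSLKeyStore: /etc/ssl/example/guard.jks
com.openexchange.guard.SSLKeyName: //alias name here//
com.openexchange.guard.SSLKeyPass: //ssl password//
"""


def parse_properties(text):
    """Parse the simple key/value subset of Java .properties used in the article.

    Accepts 'key=value' and 'key: value', skips blank lines and '#'/'!'
    comments. Line continuations and backslash escapes are not handled.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def is_placeholder(value):
    """True for empty values and for the article's //...// or literal placeholders."""
    return (not value or value in PLACEHOLDERS
            or (value.startswith("//") and value.endswith("//")))


def audit(props):
    """Return (code, message) findings for a parsed guard.properties."""
    def get(name):
        return props.get(PREFIX + name, "")

    findings = []
    if is_placeholder(get("databasePassword")):
        findings.append(("db-password-placeholder",
                         "databasePassword is empty or still the documented placeholder"))
    if get("externalEmailURL") in PLACEHOLDERS:
        findings.append(("external-url-placeholder",
                         "externalEmailURL is still the placeholder; links sent to "
                         "external recipients would point at the wrong host"))
    for name in ("configdbHostname", "oxguardDatabaseHostname"):
        host = get(name)
        if host and host.lower() not in LOCAL_HOSTS:
            findings.append(("remote-db:" + name,
                             host + " is remote: MySQL must accept network connections, "
                             "so check that its GRANT names only the Guard hosts"))
    ssl_on = get("useSSL").lower() == "true"
    rest_host = get("restApiHostname")
    if rest_host and rest_host.lower() not in LOCAL_HOSTS and not ssl_on:
        findings.append(("rest-api-plaintext",
                         "REST API host " + rest_host + " is remote and useSSL is not "
                         "true; Guard talks to it unencrypted by default"))
    if ssl_on:
        for name in SSL_KEYS:
            if is_placeholder(get(name)):
                findings.append(("ssl-incomplete:" + name,
                                 name + " is missing or still a placeholder"))
    return findings


if __name__ == "__main__":
    for label, text in (("single server", SINGLE_SERVER), ("cluster node", CLUSTER_NODE)):
        print(label)
        for code, message in audit(parse_properties(text)):
            print("  [%s] %s" % (code, message))
```

To check a real installation, pass the contents of /opt/open-xchange/guard/etc/guard.properties to parse_properties() instead of the samples.<br />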
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind-address = 0.0.0.0<br />
<br />
This allows the Guard backend to connect to the MySQL host which is configured in the guard.properties file with com.openexchange.guard.configdbHostname. Once MySQL is listening on that address and the OX Guard backend is able to reach the configured host, you have to grant the OX Guard service access on the MySQL instance so that it can manage the databases. Do so by connecting to the MySQL server via the mysql client. Authenticate if necessary and execute the following. Please note that you have to modify the hostname / IP address of the client that should be able to connect to this database; it should include all possible OX Guard servers:<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'oxguard.example.com' IDENTIFIED BY 'secret';<br />
<br />
=== Apache ===<br />
<br />
=== Open-Xchange ===<br />
<br />
Disable the Open-Xchange IPCheck for session verification. This is required because OX Guard uses the user's session cookie to connect to the Open-Xchange REST API. Since the OX Guard server's IP address differs from the one used during authentication, the request would fail unless the IPCheck is disabled:<br />
<br />
$ vim /opt/open-xchange/etc/server.properties<br />
<br />
and set:<br />
<br />
com.openexchange.IPCheck=false<br />
<br />
Restart the Open-Xchange service afterwards.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18271AppSuite:OX Guard2014-08-12T07:30:47Z<p>Bartl3by: /* MySQL */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article guides you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through, it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide also shows you how to set up a basic installation with none of the typically used distributed environment settings. The objectives of this guide are:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class email and collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed on a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple brand support based on the Open-Xchange Config Cascade will be supported with version > 1.2; this includes email templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which will be installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default, so Java 1.7 has to be set as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br />
<br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
# OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
With SELinux enabled, your local Open-Xchange backend service is prohibited from connecting to localhost:8080, which is where the Guard backend service listens. To allow localhost connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. In a multi server setup the initiation only needs to be done once; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords. Without it, the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated. It is time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of the users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To make Guard use SSL in the communication between those two components, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind-address = 0.0.0.0<br />
<br />
This allows the Guard backend to connect to the MySQL host which is configured in the guard.properties file with com.openexchange.guard.configdbHostname. Once MySQL is listening on that address and the OX Guard backend is able to reach the configured host, you have to grant the OX Guard service access on the MySQL instance so that it can manage the databases. Do so by connecting to the MySQL server via the mysql client. Authenticate if necessary and execute the following. Please note that you have to modify the hostname / IP address of the client that should be able to connect to this database; it should include all possible OX Guard servers:<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'oxguard.example.com' IDENTIFIED BY 'secret';</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18270AppSuite:OX Guard2014-08-12T07:26:31Z<p>Bartl3by: /* Clustering */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article guides you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through, it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide also shows you how to set up a basic installation with none of the typically used distributed environment settings. The objectives of this guide are:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class email and collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed on a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple brand support based on the Open-Xchange Config Cascade will be supported with version > 1.2; this includes email templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which is installed through the Guard packages. However, SUSE Linux Enterprise Server 11 does not use Java 1.7 by default, so Java 1.7 has to be set as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver:<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
# OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
SELinux prevents your local Open-Xchange backend service from connecting to localhost:8080, which is where the Guard backend service listens. To allow localhost connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. The initiation only needs to be done once for a multi-server setup; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated; it's time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of those users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To force Guard to use SSL in the communication between those two components, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
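The checks below are an added example, not part of the Open-Xchange documentation or the Guard packages: a shell function that audits the two files this guide creates, /opt/open-xchange/guard/oxguardpass and etc/guard.properties. The owner-only permission expectation, the function names and the rule that a non-local REST API host should have useSSL enabled are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the Guard files described in this guide.
# Assumption: oxguardpass and guard.properties should be readable by their owner only.

# Read one key from a Java .properties file; accepts "key=value" and "key: value".
prop_get() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t]*[=:][ \t]*/)     # first separator on the line
            if (n == 0) next
            if (substr(line, 1, n - 1) == key) {
                val = substr(line, n + RLENGTH)     # a later definition overrides
                sub(/[ \t\r]+$/, "", val)
            }
        }
        END { if (val != "") print val }
    ' "$1"
}

# Print the group+other permission bits of a file, e.g. "r--r--" or "------".
group_other_perms() {
    ls -ld "$1" | cut -c5-10
}

# Audit a Guard installation directory; returns 0 only if nothing is reported.
audit_guard() {
    guard_dir=${1:-/opt/open-xchange/guard}
    props="$guard_dir/etc/guard.properties"
    passfile="$guard_dir/oxguardpass"
    findings=0

    # The master password file and the properties file both hold secrets.
    for f in "$passfile" "$props"; do
        if [ ! -f "$f" ]; then
            echo "FINDING: $f is missing"
            findings=$((findings + 1))
        elif [ "$(group_other_perms "$f")" != "------" ]; then
            echo "FINDING: $f is accessible to group or other users"
            findings=$((findings + 1))
        fi
    done
    [ -f "$props" ] || return 1

    # "db_password" is the placeholder value used in this guide.
    db_pass=$(prop_get "$props" com.openexchange.guard.databasePassword)
    if [ -z "$db_pass" ] || [ "$db_pass" = "db_password" ]; then
        echo "FINDING: databasePassword is empty or still the placeholder from the guide"
        findings=$((findings + 1))
    fi

    rest_host=$(prop_get "$props" com.openexchange.guard.restApiHostname)
    use_ssl=$(prop_get "$props" com.openexchange.guard.useSSL)
    case "$rest_host" in
        ''|localhost|127.0.0.1|::1) remote=no ;;
        *) remote=yes ;;
    esac
    if [ "$use_ssl" = "true" ]; then
        # With SSL enabled, Guard needs access to the configured keystore.
        keystore=$(prop_get "$props" com.openexchange.guard.SSLKeyStore)
        if [ -z "$keystore" ] || [ ! -r "$keystore" ]; then
            echo "FINDING: useSSL is true but SSLKeyStore is unset or unreadable"
            findings=$((findings + 1))
        fi
    elif [ "$remote" = yes ]; then
        echo "FINDING: REST API host $rest_host is remote and useSSL is not enabled"
        findings=$((findings + 1))
    fi

    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}
```

Run <code>audit_guard</code> without arguments on the Guard host after the init step; it exits non-zero when anything is reported.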
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===<br />
<br />
The MySQL servers need to be configured in order to allow access to the configdb of Open-Xchange. To do so you need to set the following configuration in the MySQL my.cnf:<br />
<br />
bind-address = 0.0.0.0<br />
<br />
This allows the Guard backend to connect to the MySQL host which is configured in the guard.properties file with com.openexchange.guard.configdbHostname.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18269AppSuite:OX Guard2014-08-12T07:20:27Z<p>Bartl3by: /* Clustering */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through, it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to set up a basic installation with none of the typically used distributed environment settings. The objective of this guide is:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with the hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi-server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple-brand support based on the Open-Xchange Config Cascade will be available with version > 1.2; this includes email templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which is installed through the Guard packages. However, SUSE Linux Enterprise Server 11 does not use Java 1.7 by default, so Java 1.7 has to be set as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver:<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
# OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
SELinux prevents your local Open-Xchange backend service from connecting to localhost:8080, which is where the Guard backend service listens. To allow localhost connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. The initiation only needs to be done once for a multi-server setup; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated; it's time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of those users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To force Guard to use SSL in the communication between those two components, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
<br />
== Clustering ==<br />
<br />
You can run multiple OX Guard servers in your environment to ensure high availability or enhance scalability. OX Guard integrates seamlessly into the existing Open-Xchange infrastructure by using the existing interface standards and is therefore transparent to the environment. A couple of things have to be prepared in order to loosely couple OX Guard servers with Open-Xchange servers in a cluster.<br />
<br />
=== MySQL ===</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18268AppSuite:OX Guard2014-08-12T07:10:53Z<p>Bartl3by: </p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through, it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to set up a basic installation with none of the typically used distributed environment settings. The objective of this guide is:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with the hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi-server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple-brand support based on the Open-Xchange Config Cascade will be available with version > 1.2; this includes email templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which is installed through the Guard packages. However, SUSE Linux Enterprise Server 11 does not use Java 1.7 by default, so Java 1.7 has to be set as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver:<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
# OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
SELinux prevents your local Open-Xchange backend service from connecting to localhost:8080, which is where the Guard backend service listens. To allow localhost connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. The initiation only needs to be done once for a multi-server setup; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated, so it is time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of the users with the OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.<br />
<br />
== Optional ==<br />
<br />
=== SSL Configuration ===<br />
<br />
By default, the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. To force Guard to use SSL for the communication between those two components, enable the following settings in the Guard configuration file. Please note that you have to provide access to the certificates.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
com.openexchange.guard.useSSL: true<br />
com.openexchange.guard.SSLPort: 8443<br />
com.openexchange.guard.SSLKeyStore: //keystore location//<br />
com.openexchange.guard.SSLKeyName: //alias name here//<br />
com.openexchange.guard.SSLKeyPass: //ssl password//<br />
<br />
'''Please Note:''' Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.<br />
<br />
== Clustering ==</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18266AppSuite:OX Guard2014-08-12T06:58:50Z<p>Bartl3by: /* Open-Xchange */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article guides you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through, it assumes an existing installation of the operating system including a single-server App Suite setup, as well as average system administration skills. This guide also shows you how to set up a basic installation with none of the typically used distributed environment settings. The objectives of this guide are:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with the hardware and software setup for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi-server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple brand support based on the Open-Xchange Config Cascade will be supported with version > 1.2; this includes email templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 6.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianSqueeze|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which will be installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default, so Java 1.7 has to be set as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache web server:<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
# OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
With SELinux enabled, your local Open-Xchange backend service is prohibited from connecting to localhost:8080, which is where the Guard backend service listens. To allow localhost connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. In a multi-server setup the initiation only needs to be done once; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it, the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as the passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated, so it is time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of the users with the OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18265AppSuite:OX Guard2014-08-12T06:39:30Z<p>Bartl3by: /* Please Note */</p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article guides you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through, it assumes an existing installation of the operating system including a single-server App Suite setup, as well as average system administration skills. This guide also shows you how to set up a basic installation with none of the typically used distributed environment settings. The objectives of this guide are:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with the hardware and software setup for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi-server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
== Please Note ==<br />
<br />
OX Guard version 1.0 supports branding / theming for one brand only. Multiple brand support based on the Open-Xchange Config Cascade will be supported with version > 1.2; this includes email templates and the external OX Guard reader.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 6.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianSqueeze|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which will be installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default, so Java 1.7 has to be set as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache web server:<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
With SELinux enabled, your local Open-Xchange backend service is prohibited from connecting to localhost:8080, which is where the Guard backend service listens. To allow localhost connections to port 8080, execute the following:<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. In a multi-server setup the initiation only needs to be done once; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it, the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as the passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
The services have been configured and the database has been initiated, so it is time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of the users with the OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18263AppSuite:OX Guard2014-08-12T04:52:44Z<p>Bartl3by: </p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article guides you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through, it assumes an existing installation of the operating system including a single-server App Suite setup, as well as average system administration skills. This guide also shows you how to set up a basic installation with none of the typically used distributed environment settings. The objectives of this guide are:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with the hardware and software setup for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi-server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 6.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianSqueeze|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which is installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default, so Java 1.7 has to be set as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are stored in the configuration file guard.properties in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
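A pre-start check for the settings above, as an added example that is not part of OX Guard or of this guide: it reads a guard.properties file, reports keys that are missing or still carry the sample values printed here (db_password, somewhere.com), and flags a world-readable file. The function names and the file-mode check are assumptions of this example; the key names and placeholder values are the ones shown above.

```shell
#!/bin/sh
# Added example (not part of OX Guard): pre-start audit of guard.properties.
# Key names and placeholder values come from the guide; the function names
# and the world-readable check are assumptions of this example.

GUARD_KEYS="configdbHostname oxguardDatabaseHostname databaseUsername
databasePassword restApiHostname externalEmailURL"

# prop FILE KEY: print the value of the last uncommented "KEY=value" line.
prop() {
    key_re=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# finding TEXT: report one problem and count it.
finding() {
    echo "FINDING: $1"
    GUARD_FINDINGS=$((GUARD_FINDINGS + 1))
}

# audit_guard_properties FILE: returns 0 if clean, 1 if there are findings,
# 2 if the file cannot be read. The count is left in GUARD_FINDINGS.
audit_guard_properties() {
    file=$1
    GUARD_FINDINGS=0
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    for name in $GUARD_KEYS; do
        [ -n "$(prop "$file" "com.openexchange.guard.$name")" ] ||
            finding "com.openexchange.guard.$name is missing or empty"
    done
    # The values printed in the guide are documentation placeholders.
    [ "$(prop "$file" com.openexchange.guard.databasePassword)" != db_password ] ||
        finding "databasePassword is still the documentation placeholder"
    [ "$(prop "$file" com.openexchange.guard.externalEmailURL)" != somewhere.com ] ||
        finding "externalEmailURL is still the documentation placeholder"
    # The file holds the database password; character 8 of the ls mode
    # string is the read bit for "other".
    [ "$(ls -ld "$file" | cut -c8)" != r ] ||
        finding "$file is world-readable"
    [ "$GUARD_FINDINGS" -eq 0 ]
}

# Constructed sample: the settings exactly as printed in the guide.
sample_guard_properties() {
    cat <<'EOF'
com.openexchange.guard.configdbHostname=localhost
com.openexchange.guard.oxguardDatabaseHostname=localhost
com.openexchange.guard.databaseUsername=openexchange
com.openexchange.guard.databasePassword=db_password
com.openexchange.guard.restApiHostname=localhost
com.openexchange.guard.externalEmailURL=somewhere.com
EOF
}

# Audit the file given on the command line, if any.
[ "$#" -eq 0 ] || audit_guard_properties "$1"
```

Run it with /opt/open-xchange/guard/etc/guard.properties as the argument before starting Guard; a non-zero exit status means at least one finding was printed.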
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver:<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
=== SELinux ===<br />
<br />
With SELinux enabled, your local Open-Xchange backend service is prohibited from connecting to localhost:8080, which is where the Guard backend service listens. To allow localhost connections to port 8080, execute the following (note that this SELinux boolean lets httpd open outbound connections to any port, not only 8080):<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. In a multi server setup the initiation only needs to be done once; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
Now that the services have been configured and the database has been initiated, it's time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of those users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18262AppSuite:OX Guard2014-08-12T04:52:09Z<p>Bartl3by: </p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through, it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to set up a basic installation with none of the typically used distributed environment settings. The objectives of this guide are:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 6.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianSqueeze|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which is installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default, so Java 1.7 has to be set as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are stored in the configuration file guard.properties in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver:<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. In a multi server setup the initiation only needs to be done once; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
=== SELinux ===<br />
<br />
With SELinux enabled, your local Open-Xchange backend service is prohibited from connecting to localhost:8080, which is where the Guard backend service listens. To allow localhost connections to port 8080, execute the following (note that this SELinux boolean lets httpd open outbound connections to any port, not only 8080):<br />
<br />
$ setsebool -P httpd_can_network_connect 1<br />
<br />
== Start Guard ==<br />
<br />
Now that the services have been configured and the database has been initiated, it's time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of those users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:OX_Guard&diff=18261AppSuite:OX Guard2014-08-12T04:30:30Z<p>Bartl3by: </p>
<hr />
<div>= IN PRODUCTION - OX Guard =<br />
<br />
OX Guard is a security solution that provides protection for email communications and files. Fully integrated with both OX as a Service and standard OX App Suite installations, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en-route or in-storage, creating extra peace of mind.<br />
<br />
This article will guide you through the installation of Guard and describes the basic configuration and software requirements. As it is intended as a quick walk-through, it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. This guide will also show you how to set up a basic installation with none of the typically used distributed environment settings. The objectives of this guide are:<br />
<br />
* To set up a single server installation<br />
* To set up a single Guard instance on an existing Open-Xchange installation, no cluster<br />
* To use the database service on the existing Open-Xchange installation for Guard, no replication<br />
* To provide a basic configuration setup, no mailserver configuration<br />
<br />
== Key features ==<br />
<br />
* Simple security at the touch of a button<br />
* Provides user based security - Separate from provider<br />
* Supplementary security to Provider based security - Layered<br />
* Powerful features yet simple to use and understand<br />
* Security - Inside and outside of the OX environment<br />
* Email and Drive integration<br />
* Uses proven PGP security<br />
<br />
== Availability ==<br />
<br />
A variety of options:<br />
* Fully hosted with OX as a Service<br />
* All on site (large scale customers solution)<br />
<br />
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will then work on the request and send prices and license/API (for the hosted infrastructure) key details to the customer.<br />
<br />
OX Guard can also be provided via OX as a Service. OXaaS provides best-in-class Email & Collaboration services to customers without them needing to become a cloud service provider themselves and deal with hardware and software set-up for those services. Please contact Open-Xchange Sales for further information and pricing details.<br />
<br />
== Requirements ==<br />
<br />
Please review [[AppSuite:OX_System_Requirements#OX_Guard|OX Guard Requirements]] for a full list of requirements.<br />
<br />
Since OX Guard is a microservice, it can either be added to an existing Open-Xchange installation or be deployed in a dedicated environment without any of the other Open-Xchange App Suite core services installed. OX App Suite v7.6.0 or later is required to operate this extension in both single and multi server environments.<br />
<br />
Prerequisites:<br />
* Open-Xchange REST API<br />
* Grizzly HTTP connector (open-xchange-grizzly)<br />
* A supported Java Virtual Machine (Java 7)<br />
* An Open-Xchange App Suite installation v7.6.0 or later<br />
* Please Note: To get access to the latest minor features and bug fixes, you need to have a valid license. The article [[AppSuite:UpdatingOXPackages|Updating OX-Packages]] explains how that can be done.<br />
<br />
= Download and Installation =<br />
<br />
=== Redhat Enterprise Linux 6 or CentOS 6 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange yum configuration:<br />
<br />
{{for loop||call=YUMRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=rhelname|pc2v=RHEL6|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ yum update<br />
$ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 6.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianSqueeze|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== Debian GNU/Linux 7.0 ===<br />
<br />
If not already done, add the following repositories to your Open-Xchange apt configuration:<br />
<br />
{{for loop||call=APTRepo|pv=reponame|pc1n=path|pc1v=products|pc2n=debianname|pc2v=DebianWheezy|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ apt-get update<br />
$ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
=== SUSE Linux Enterprise Server 11 ===<br />
<br />
Add the package repository using zypper if not already present:<br />
<br />
{{for loop||call=SUSERepo|pv=reponame|pc1n=path|pc1v=products|pc2n=susename|pc2v=SLES11|pc3n=ldbaccount|pc3v=LDBUSER:LDBPASSWORD|appsuite/7.6.0/guard}}<br />
<br />
and run<br />
<br />
$ zypper ref<br />
$ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static<br />
<br />
Guard requires Java 1.7, which is installed through the Guard packages. However, SUSE Linux Enterprise Server 11 will not use Java 1.7 by default, so Java 1.7 has to be set as the default instead of Java 1.6:<br />
<br />
$ update-alternatives --config java<br />
<br />
Now select the Java 1.7 JRE, example:<br />
<br />
There are 2 alternatives which provide `java'.<br />
<br />
Selection Alternative<br />
-----------------------------------------------<br />
* 1 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java<br />
+ 2 /usr/lib64/jvm/jre-1.7.0-ibm/bin/java<br />
<br />
Press enter to keep the default[*], or type selection number: 2<br />
Using '/usr/lib64/jvm/jre-1.7.0-ibm/bin/java' to provide 'java'.<br />
<br />
= Configuration =<br />
<br />
The following gives an overview of the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings relating to the Guard backend component are stored in the configuration file guard.properties in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.<br />
<br />
$ vim /opt/open-xchange/guard/etc/guard.properties<br />
<br />
Open-Xchange config_db host - Guard will establish a connection to the config_db<br />
<br />
com.openexchange.guard.configdbHostname=localhost<br />
<br />
Guard database for storing user keys<br />
<br />
com.openexchange.guard.oxguardDatabaseHostname=localhost<br />
<br />
Username and Password for the two databases above<br />
<br />
com.openexchange.guard.databaseUsername=openexchange<br />
com.openexchange.guard.databasePassword=db_password<br />
<br />
Open-Xchange REST API host<br />
<br />
com.openexchange.guard.restApiHostname=localhost<br />
<br />
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients<br />
<br />
com.openexchange.guard.externalEmailURL=somewhere.com<br />
<br />
== Configure services ==<br />
<br />
=== Apache ===<br />
<br />
Configure the mod_proxy_http module by adding the Guard API.<br />
<br />
'''Redhat Enterprise Linux 6 or CentOS 6'''<br />
$ vim /etc/httpd/conf.d/proxy_http.conf<br />
<br />
'''Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11'''<br />
$ vim /etc/apache2/conf.d/proxy_http.conf<br />
<br />
<Proxy balancer://oxguard><br />
Order deny,allow<br />
Allow from all<br />
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1<br />
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON<br />
SetEnv proxy-initial-not-pooled<br />
SetEnv proxy-sendchunked<br />
</Proxy><br />
<Proxy /appsuite/api/oxguard><br />
ProxyPass balancer://oxguard<br />
</Proxy><br />
<br />
'''Please Note:''' The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.<br />
<br />
After the configuration is done, restart the Apache webserver:<br />
<br />
$ apachectl restart<br />
<br />
=== Open-Xchange ===<br />
<br />
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:<br />
<br />
$ vim /opt/open-xchange/etc/permissions.properties<br />
<br />
OX Guard general permission<br />
com.openexchange.capability.guard=true<br />
<br />
== Initiating the Guard database and key store ==<br />
<br />
Once the Guard configuration (database and backend configuration) and the service configuration have been applied, the Guard administration script needs to be executed in order to create the Guard databases. The administration script also takes care of the creation of the master keys and the master password file in /opt/open-xchange/guard. In a multi server setup the initiation only needs to be done once; for details please see “Optional / Clustering”.<br />
<br />
/opt/open-xchange/guard/sbin/guard init<br />
<br />
'''Please Note:''' It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords; without it the administrator will no longer be able to reset user passwords. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.<br />
<br />
== Start Guard ==<br />
<br />
Now that the services have been configured and the database has been initiated, it's time to start Guard:<br />
<br />
$ /etc/init.d/open-xchange-guard start<br />
<br />
== Enabling Guard for Users ==<br />
<br />
Guard provides two capabilities for users in the environment:<br />
<br />
* '''Guard Mail:''' com.openexchange.capability.guard:mail<br />
* '''Guard Drive:''' com.openexchange.capability.guard:drive<br />
<br />
Each of those two Guard components is enabled for all users that have the corresponding capability configured. Please note that users need to have the Drive permission set to use Guard Drive, so the users that have Guard Drive enabled must be a subset of those users with OX Drive permission. Since v7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific users by using the Open-Xchange provisioning scripts:<br />
<br />
'''Guard Mail:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true<br />
<br />
'''Guard Drive:'''<br />
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true<br />
<br />
'''Please Note:''' Guard Drive requires Guard Mail to be configured for the user as well.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=AppSuite:Open-Xchange_Plugin_Overview&diff=9872AppSuite:Open-Xchange Plugin Overview2012-01-16T17:40:20Z<p>Bartl3by: </p>
<hr />
<div>= Overview of available Open-Xchange Plugins =<br />
<br />
<br />
<br />
== Core Plugins ==<br />
<br />
These plugins are part of the Open-Xchange Server Core platform.<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
!style="width:230px" align="left" |Name<br />
!style="width:230px" align="left" |Description<br />
!align="left" |Documentation<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-authentication-ldap]<br />
|Authentication against LDAP server<br />
|<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-authentication-imap]<br />
|Authentication against IMAP server<br />
|[[Authentication_IMAP_Plugin_description|Authentication imap plugin description]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-contextrestore]<br />
|Plugin to restore one or more contexts from a complete database dump<br />
|http://software.open-xchange.com/OX6/doc/OX6-Installation-and-Administration.pdf<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-dataretention / open-xchange-dataretention-csv]<br />
|Module to be used for data retention (german: Vorratsdatenspeicherung)<br />
|open-xchange-dataretention-csv is an example implementation of the data retention service<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-commons-logging-log4j / open-xchange-log4j]<br />
|These packages must be installed if Open-Xchange is to use syslog<br />
|[[Syslog_Configuration|Syslog configuration]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-contacts-ldap]<br />
|Integrate LDAP address book into Open-Xchange public folder tree<br />
|http://software.open-xchange.com/OX6/doc/OX6-Installation-and-Administration.pdf<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-subscribe-crawler]<br />
|The open-xchange Social OX PlugIn bundle to subscribe/import data<br />
|[[CrawlerArchitecture|Architecture of the Social OX PlugIn bundle]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-upsell-multiple]<br />
|Implementing an up sell layer in Open-Xchange<br />
|[[Upsell|Upsell package description]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-easylogin]<br />
|Example package to implement the EasyLogin mechanism<br />
|[[Open-Xchange_servlet_for_external_login_masks|EasyLogin description]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-report-client]<br />
|Tool to display and report the amount of users and contexts in the Open-Xchange environment<br />
|[[OXReportClient|Report Client description]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/OXtender-stable/OXUpdater/ open-xchange-outlook-updater]<br />
|Updater server bundle to download OXtender directly from Open-Xchange GUI<br />
|<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-passwordchange-script]<br />
|Use an external command to change a password<br />
|[[ChangePasswordExternal|Example Script]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-publish-microformats]<br />
|Publishing of Open-Xchange internal data structures like contacts, documents.<br />
|[[Open-Xchange_Publishing|Publishing Data with Open-Xchange]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-calendar-printing]<br />
|Generating printviews of calendar items<br />
|[[Open-Xchange_Publishing|Publishing Data with Open-Xchange]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-audit]<br />
|User action tracking bundle<br />
|[[OXAudit|Audit bundle description]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-push-mailnotify]<br />
|Accepting external new mail notifications<br />
|[[MailNotify_Bundle|Mail Notification (Push) with Open-Xchange]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-push-imapidle]<br />
|Mail push using IMAP IDLE<br />
|[[MailPushIMAPIDLE_Bundle|Mail Notification (Push) with Open-Xchange]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-messaging-facebook open-xchange-subscribe-facebook]<br />
|Facebook messaging and subscription<br />
|[[FacebookMessaging_Bundle|Using Facebook with Open-Xchange]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-subscribe-msn]<br />
|MSN subscription<br />
|[[MSN_Bundles|Windows Live / MSN]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-messaging-twitter]<br />
|Twitter messaging<br />
|[[Twitter_Bundles|Twitter]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-subscribe-linkedin]<br />
|LinkedIn subscription<br />
|[[LinkedIn_Bundles|LinkedIn]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-voipnow-gui open-xchange-voipnow-json]<br />
|Integration of 4PSA VoipNow<br />
|[[Installing_VoipNow|Install the Open-Xchange VoipNow integration packages]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-admin-plugin-reseller]<br />
|Reseller provisioning plugin<br />
|[[Reseller_Bundle|Install the Open-Xchange Reseller package]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-caldav open-xchange-carddav open-xchange-webdav-acl open-xchange-webdav-directory]<br />
|Bundles implementing CalDAV and CardDAV functionalities for Open-Xchange<br />
|[[Caldav carddav Bundles|Using the CalDAV and CardDAV bundles]]<br />
|-<br />
|[http://software.open-xchange.com/OX6/stable/ open-xchange-messaging-sms open-xchange-messaging-sms-gui open-xchange-messaging-sms-gui-theme-default]<br />
|Bundles offering the SMS/MMS interfaces for Open-Xchange<br />
|[[SMS MMS Messaging Interface|Developing a SMS/MMS gateway implementation]]<br />
|}<br />
<br />
<br />
----<br />
<br />
== Additional Plugins ==<br />
<br />
The plugins listed here are not - yet - part of the Core platform and may or may not ever be part of the Open-Xchange Core platform.<br />
<br />
These plugins are not supported by Open-Xchange with the exception of concrete projects. Please [http://www.open-xchange.com/en/contactus contact us] for more details.<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
!style="width:230px" align="left" |Name<br />
!style="width:230px" align="left" |Description<br />
!align="left" |Documentation<br />
|-<br />
|}<br />
<br />
<br />
----<br />
<br />
== Custom Plugins ==<br />
<br />
<br />
The following list consists of plugins that Open-Xchange developed for specific customers. It is an overview of what is possible with the Open-Xchange integration platform.<br />
<br />
If you want Open-Xchange to develop a specific plugin for you, please [http://www.open-xchange.com/en/contactus contact us] for more details.<br />
<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
!style="width:150px" align="left" |Name<br />
!align="left" |Description<br />
|-<br />
|MAL<br />
|Plugin which replaces the standard imap/smtp plugin to access the mail store with a customer specific plugin, e.g. directly access a [http://en.wikipedia.org/wiki/Maildir maildir] mailstore.<br />
|-<br />
|Upsell<br />
|If the example upsell plugin does not fit your needs or has some missing functionality, do not hesitate to contact us.<br />
|-<br />
|Spam<br />
|It's possible to integrate the built in mark as SPAM/HAM functionality into almost any solution.<br />
|-<br />
|Authentication<br />
|Authentication can be done against every system that allows specifying a username/password combination.<br />
|-<br />
|Migration from OX5 to OX6<br />
|Migration plugin that updates the user passwords in OX6 Database after a successful login to the OX5 LDAP service. That way, passwords can be migrated automatically from any LDAP to OX6 database.<br />
|-<br />
|Corporate Integration: EasyLogin<br />
|The EasyLogin mechanism allows logging in to Open-Xchange from other applications without specifying username and password again.<br />
|-<br />
|Corporate Integration: ConfigJump<br />
|Integrate your own configuration application in the Open-Xchange settings tree.<br />
|-<br />
|UI Customization<br />
|A lot of customization can be done in the Open-Xchange UI. Starting from themes to the integration of custom modules and functions.<br />
|}<br />
<br />
[[Category: OX6]]</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=OX_monitoring_interface&diff=9390OX monitoring interface2011-11-10T15:04:27Z<p>Bartl3by: Created page with "= Monitoring Interface = == Introduction == The Open-Xchange JMX offers the ability to fetch runtime information of the Java virtual machine, and about the Open-Xchange Groupwa..."</p>
<hr />
<div>= Monitoring Interface =<br />
<br />
== Introduction ==<br />
<br />
The Open-Xchange JMX offers the ability to fetch runtime information of the Java virtual machine, and about the Open-Xchange Groupware backend. This article will give you information about the most common items from a monitoring perspective, and possible alarm trigger values.<br />
<br />
== Important monitoring interface items ==<br />
<br />
The following items seem to be the most important ones for monitoring the application. Several others are available as well and can be used if you require additional information about the runtime. Use the common interfaces (JMX, showruntimestats) to fetch this information from the application.<br />
<br />
=== Active user sessions ===<br />
<br />
* '''com.openexchange.monitoring:name=GeneralMonitor,NumberOfActiveSessions'''<br />
Total number of active Open-Xchange sessions on this virtual machine. A session is removed when it reaches the session timeout or when the client ends it (the user clicks Logout), so not all of the counted sessions are necessarily in use; some of them are just pending. Monitor breakouts to determine whether enough memory is available (at least 1 MB per OX session is required per VM).<br />
<br />
=== AJP Requests ===<br />
* '''com.openexchange.monitoring:name=AJPv13TaskMonitor,NumRequests'''<br />
Total number of processed requests. The graph should show the difference between the current value and the last value. This difference and the time in between allow monitoring the number of requests per time frame.<br />
<br />
=== AJP Request processing time ===<br />
* '''com.openexchange.monitoring:name=AJPv13TaskMonitor,AvgProcessingTime = 63.475'''<br />
Average time in milliseconds to process a single request. This average is calculated from the last 1000 requests and may be inaccurate if the value is fetched too rarely. Monitor breakouts to determine whether the processing time gets too high.<br />
<br />
=== AJP Request processors ===<br />
* '''com.openexchange.monitoring:name=AJPv13TaskMonitor,NumProcessing = 37'''<br />
Number of tasks/threads that are currently processing a request.<br />
<br />
* '''com.openexchange.monitoring:name=AJPv13TaskMonitor,NumWaiting = 9'''<br />
Number of tasks/threads that are currently waiting for the next request. Monitor breakouts to determine whether too many AJP requests are queued.<br />
<br />
* '''com.openexchange.monitoring:name=AJPv13TaskMonitor,NumActive = 46'''<br />
Sum of the above 2 values.<br />
<br />
=== FileHandles ===<br />
* '''java.lang:type=OperatingSystem,MaxFileDescriptorCount'''<br />
Maximum number of file handles that can be taken by the Java virtual machine.<br />
<br />
* '''java.lang:type=OperatingSystem,OpenFileDescriptorCount'''<br />
Number of all file handles currently taken by the Java virtual machine. This includes all created sockets and virtual machine resources, too. Example notification value: (MaxFileDescriptorCount - OpenFileDescriptorCount) < 100. Monitor to determine whether the number of files that can be opened by the VM is sufficient.<br />
<br />
* '''com.openexchange.pooling:name=Overview,NumConnections'''<br />
Total number of currently open database connections. This includes database connections to all database machines in the cluster (ConfigDB, User-DB). Example notification value: The number of database connections rises to the number of AJP sockets or even beyond that. This means that the response of the database is too slow and needs to be monitored.<br />
<br />
* '''com.openexchange.monitoring:name=GeneralMonitor,NumberOfOpenAJPSockets'''<br />
Total number of currently opened connections from the Apache. This should be equal to total number of AJP request processors.<br />
<br />
* '''com.openexchange.monitoring:name=GeneralMonitor,NumberOfIMAPConnections'''<br />
Total number of currently opened connections to the mail servers. These are connections using the IMAP protocol. Monitor breakouts to determine whether the IMAP servers are able to handle the number of requests.<br />
<br />
=== Threads ===<br />
* '''java.lang:type=Threading,ThreadCount'''<br />
Number of total threads running inside the Java virtual machine. This includes the number of threads from the thread pool mentioned next. Some components of Open-Xchange and the Java virtual machine create their threads on their own without using the thread pool.<br />
<br />
* '''com.openexchange.threadpool:name=ThreadPoolInformation,ActiveCount'''<br />
Number of threads created from the internal thread pool. The thread pool efficiently deals with creating and destroying threads and keeps the fork rate as low as possible. All essential components in Open-Xchange create their threads using this thread pool.<br />
<br />
=== Thread pool tasks ===<br />
* '''com.openexchange.threadpool:name=ThreadPoolInformation,TaskCount'''<br />
Total number of tasks submitted to the thread pool for execution. The graph should show the difference between the current value and the last value. Example notification value: The number of newly submitted tasks rises extraordinarily.<br />
<br />
* '''com.openexchange.threadpool:name=ThreadPoolInformation,CompletedTaskCount'''<br />
The total number of tasks executed by the thread pool. The graph should show the difference between the current value and the last value.<br />
<br />
=== Broken connections ===<br />
Every increase of one of these numbers is an indicator that fetching data from one of the backend systems did not work as expected.<br />
<br />
* '''com.openexchange.monitoring:name=MailInterfaceMonitor,NumTimeoutConnections = 0'''<br />
Number of IMAP connections that got into a timeout.<br />
<br />
* '''com.openexchange.monitoring:name=MailInterfaceMonitor,NumFailedLogins = 0'''<br />
Number of IMAP login attempts that failed.<br />
<br />
* '''com.openexchange.monitoring:name=MailInterfaceMonitor,NumBrokenConnections = 0'''<br />
Number of IMAP data fetches that failed somehow.<br />
<br />
* '''com.openexchange.monitoring:name=AJPv13TaskMonitor,NumBrokenConnections = 0'''<br />
Number of AJP connections that encountered a problem in the AJP request processing cycle.<br />
<br />
* '''com.openexchange.pooling:name=ConfigDB Read,NumBrokenConnections = 0'''<br />
Number of connections to the config database slave that encountered a problem.<br />
<br />
* '''com.openexchange.pooling:name=ConfigDB Write,NumBrokenConnections = 0'''<br />
Number of connections to the config database master that encountered a problem.<br />
<br />
* '''com.openexchange.pooling:name=DB Pool <masterNum>,NumBrokenConnections = 0'''<br />
Number of connections to the user database master that encountered a problem. Get the identifier of this database server from the listdatabase command.<br />
<br />
* '''com.openexchange.pooling:name=DB Pool <slaveNum>,NumBrokenConnections = 0'''<br />
Number of connections to the user database slave that encountered a problem. Get the identifier of this database server from the listdatabase command.<br />
<br />
=== Database <identifier> connections ===<br />
Get the identifier of this database server from the listdatabase command.<br />
<br />
* '''com.openexchange.pooling:name=DB Pool <identifier>,NumActive = 0'''<br />
Current number of used connections to this database. These connections sent a SQL command to the database server or data from the database is read.<br />
<br />
* '''com.openexchange.pooling:name=DB Pool <identifier>,NumIdle = 3'''<br />
Current number of established but not used connections to this database.<br />
<br />
* '''com.openexchange.pooling:name=DB Pool <identifier>,NumWaiting = 0'''<br />
Number of threads waiting for a database connection if the maximum configured number of database connections is already opened. As soon as threads need to wait for database connections, the performance will degrade extraordinarily.<br />
<br />
* '''com.openexchange.pooling:name=DB Pool <identifier>,PoolSize = 3'''<br />
Sum of active and idle connections to the database.<br />
<br />
=== Database <identifier> times ===<br />
* '''com.openexchange.pooling:name=DB Pool <identifier>,AvgUseTime = 0.416'''<br />
Average time a thread occupies a database connection to fetch some data. This average is calculated from the last 1000 use times. A rise in the average use time indicates that the database servers are becoming slower and overall performance may degrade.<br />
<br />
=== Database replication monitoring ===<br />
* '''com.openexchange.pooling:name=Overview,MasterConnectionsFetched = 287'''<br />
Number of fetches of connections to the master database. Compared to the number of fetches of connections to the slave database this indicates the ratio of writes to reads on the database.<br />
<br />
* '''com.openexchange.pooling:name=Overview,SlaveConnectionsFetched = 1268334'''<br />
Number of fetches of connections to the slave database. Every time data needs to be read a connection to the slave is fetched.<br />
<br />
* '''com.openexchange.pooling:name=Overview,MasterInsteadOfSlave = 47'''<br />
Open-Xchange monitors the replication from master to slave for every context/tenant. If data has just been written to the master and it is detected that the slave does not have this information yet, a connection to the master is used instead of a connection to the slave to read the most current data. A rise in this number is an indicator that the replication on the database servers is becoming slower. A drawback of that is that the master server faces more load.<br />
<br />
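The notification values named in the sections above (file-handle headroom, database connections versus AJP sockets, waiting pool threads, rising failure counters) can be checked by a script. The following is an added example, not part of Open-Xchange or of the original page; it assumes the items arrive one per line in the "name,Attribute = value" form used above, and the sample values and the pool identifier 4 are constructed.<br />
<br />
```python
"""Threshold checks for the monitoring items described above (added example)."""

# Constructed samples from two consecutive polls, one item per line in the
# "<object name>,<attribute> = <value>" form used on this page. The values and
# the pool identifier 4 are made up; real tool output may be laid out differently.
SAMPLE_BEFORE = """\
java.lang:type=OperatingSystem,MaxFileDescriptorCount = 8192
java.lang:type=OperatingSystem,OpenFileDescriptorCount = 950
com.openexchange.pooling:name=Overview,NumConnections = 12
com.openexchange.monitoring:name=GeneralMonitor,NumberOfOpenAJPSockets = 46
com.openexchange.monitoring:name=MailInterfaceMonitor,NumFailedLogins = 0
com.openexchange.monitoring:name=MailInterfaceMonitor,NumTimeoutConnections = 0
com.openexchange.pooling:name=DB Pool 4,NumBrokenConnections = 0
com.openexchange.pooling:name=DB Pool 4,NumWaiting = 0
"""

SAMPLE_NOW = """\
java.lang:type=OperatingSystem,MaxFileDescriptorCount = 8192
java.lang:type=OperatingSystem,OpenFileDescriptorCount = 8120
com.openexchange.pooling:name=Overview,NumConnections = 46
com.openexchange.monitoring:name=GeneralMonitor,NumberOfOpenAJPSockets = 46
com.openexchange.monitoring:name=AJPv13TaskMonitor,NumWaiting = 9
com.openexchange.monitoring:name=MailInterfaceMonitor,NumFailedLogins = 17
com.openexchange.monitoring:name=MailInterfaceMonitor,NumTimeoutConnections = 0
com.openexchange.pooling:name=DB Pool 4,NumBrokenConnections = 0
com.openexchange.pooling:name=DB Pool 4,NumWaiting = 3
java.lang:name=Eden Space,type=MemoryPool,Usage = [used=4027408]
"""

OS = "java.lang:type=OperatingSystem"
GENERAL = "com.openexchange.monitoring:name=GeneralMonitor"
OVERVIEW = "com.openexchange.pooling:name=Overview"
DB_POOL_PREFIX = "com.openexchange.pooling:name=DB Pool "
FD_HEADROOM = 100  # example notification value given on the page
# Counters from the "Broken connections" section: every increase is an indicator.
FAILURE_COUNTERS = {"NumTimeoutConnections", "NumFailedLogins", "NumBrokenConnections"}


def parse_stats(text):
    """Return {(object_name, attribute): float} for every numeric item."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if not sep:
            continue
        # Object names contain commas themselves; the attribute is the last field.
        obj, comma, attr = key.strip().rpartition(",")
        if not comma:
            continue
        try:
            stats[(obj, attr)] = float(value.strip())
        except ValueError:
            continue  # composite values such as "[used=4027408]" are skipped
    return stats


def evaluate(now, before=None):
    """Return a list of (rule, item, detail) for one poll.

    `before` is the previous poll; without it the counter rule cannot fire.
    """
    alerts = []

    max_fd = now.get((OS, "MaxFileDescriptorCount"))
    open_fd = now.get((OS, "OpenFileDescriptorCount"))
    if max_fd is not None and open_fd is not None and max_fd - open_fd < FD_HEADROOM:
        alerts.append(("fd_headroom", OS,
                       "only %d file handles left" % (max_fd - open_fd)))

    db = now.get((OVERVIEW, "NumConnections"))
    ajp = now.get((GENERAL, "NumberOfOpenAJPSockets"))
    if db is not None and ajp is not None and db >= ajp:
        alerts.append(("db_connections", OVERVIEW,
                       "%d database connections for %d AJP sockets" % (db, ajp)))

    for (obj, attr), value in sorted(now.items()):
        # AJPv13TaskMonitor also has a NumWaiting item with a different meaning,
        # so the waiting-thread rule is limited to the database pools.
        if obj.startswith(DB_POOL_PREFIX) and attr == "NumWaiting" and value > 0:
            alerts.append(("pool_waiting", obj,
                           "%d threads waiting for a connection" % value))
        if attr in FAILURE_COUNTERS and before is not None:
            old = before.get((obj, attr))
            # A lower value than before means the counter restarted; no alert.
            if old is not None and value > old:
                alerts.append(("counter_increase", obj + "," + attr,
                               "rose from %d to %d" % (old, value)))
    return alerts


if __name__ == "__main__":
    for rule, item, detail in evaluate(parse_stats(SAMPLE_NOW), parse_stats(SAMPLE_BEFORE)):
        print("%-16s %s: %s" % (rule, item, detail))
```
<br />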
=== Memory usage === <br />
* '''java.lang:name=Eden Space,type=MemoryPool,Usage = [used=4027408]'''<br />
* '''java.lang:name=Survivor Space,type=MemoryPool,Usage = [used=828448]'''<br />
* '''java.lang:name=CMS Old Gen,type=MemoryPool,Usage = [used=32447696]'''<br />
<br />
Together, these three memory spaces reflect the total non-application memory usage of the Java virtual machine. Eden is used for new objects with the youngest lifetime, Survivor for older objects, and Old Gen for the oldest objects. In total this tells you how much memory is used for all your sessions. Divided by the number of sessions, it indicates how much memory is used per session.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=OX6:Gui_Plugin_Development&diff=8998OX6:Gui Plugin Development2011-09-27T09:21:06Z<p>Bartl3by: /* Events */</p>
<hr />
<div>= Introduction =<br />
<br />
With Open-Xchange you will be able to add your own JavaScript code for existing events. The following examples show how you can add your own About page, your own Window Title, and your own message for not activated/bought components of OX (Upsell Message).<br />
<br />
= Setup and file description =<br />
<br />
Two things have to be done to register your own JavaScript code within the server:<br />
<br />
1. You have to create the property file in /opt/open-xchange/etc/groupware/settings/, for example myjscode.properties. The file should have the following value:<br />
<br />
modules/$NAME/enabled=true<br />
<br />
$NAME is equal to the file name of the property file, in our case it would be:<br />
<br />
modules/myjscode/enabled=true<br />
<br />
This will enable the JS code located in $WEBSRV/ox6/plugins/$NAME (for example /var/www/ox6/plugins/myjscode/).<br />
<br />
2. Next we have to create the folder that we configured, in our example we would have to create:<br />
<br />
mkdir /var/www/ox6/plugins/myjscode/<br />
<br />
The server will now look in this directory for the file register.js. All your JS enhancements should be written to that file.<br />
<br />
3. Afterwards you have to restart the groupware server with:<br />
<br />
/etc/init.d/open-xchange-groupware restart<br />
<br />
= Examples =<br />
<br />
== Customized About page ==<br />
<br />
/opt/open-xchange/etc/groupware/settings/productinfo.properties:<br />
<br />
# This program is free software; you can redistribute it and/or modify it<br />
# under the terms of the GNU General Public License, Version 2 as published<br />
# by the Free Software Foundation.<br />
#<br />
# Copyright (C) 2004-2007 Open-Xchange, Inc.<br />
# Mail: info@open-xchange.com <br />
# <br />
# @author: Stefan Preuss <stefan.preuss@open-xchange.com><br />
<br />
modules/productinfo/enabled=true<br />
<br />
/var/www/ox6/plugins/productinfo/register.js:<br />
<br />
/**<br />
*<br />
* This program is free software; you can redistribute it and/or modify it<br />
* under the terms of the GNU General Public License, Version 2 as published<br />
* by the Free Software Foundation.<br />
*<br />
* Copyright (C) 2004-2007 Open-Xchange, Inc.<br />
* Mail: info@open-xchange.com <br />
* <br />
* @author: Stefan Preuss <stefan.preuss@open-xchange.com><br />
*<br />
*/<br />
<br />
oxProductInfo.vendor_address = "<b>Open-Xchange GmbH</b>\nMartinstrasse 41\n57462 Olpe\nE-Mail: info@open-xchange.com\n<a href=\"http://www.open-xchange.com\" target=\"_blank\">www.open-xchange.com</a>"<br />
<br />
== Customized Window Title ==<br />
<br />
/opt/open-xchange/etc/groupware/settings/windowtitle.properties:<br />
<br />
# This program is free software; you can redistribute it and/or modify it<br />
# under the terms of the GNU General Public License, Version 2 as published<br />
# by the Free Software Foundation.<br />
#<br />
# Copyright (C) 2004-2007 Open-Xchange, Inc.<br />
# Mail: info@open-xchange.com <br />
# <br />
# @author: Stefan Preuss <stefan.preuss@open-xchange.com><br />
<br />
modules/windowtitle/enabled=true<br />
<br />
/var/www/ox6/plugins/windowtitle/register.js:<br />
<br />
/**<br />
*<br />
* This program is free software; you can redistribute it and/or modify it<br />
* under the terms of the GNU General Public License, Version 2 as published<br />
* by the Free Software Foundation.<br />
*<br />
* Copyright (C) 2004-2007 Open-Xchange, Inc.<br />
* Mail: info@open-xchange.com <br />
* <br />
* @author: Stefan Preuss <stefan.preuss@open-xchange.com><br />
*<br />
*/<br />
<br />
oxProductInfo.product_name = "This is the fabulous Open-Xchange Server"; <br />
<br />
try {<br />
window.document.title = oxProductInfo.product_name;<br />
} catch (e) { }<br />
<br />
== Customized Upsell Message ==<br />
<br />
/opt/open-xchange/etc/groupware/settings/upsell.properties:<br />
<br />
# This program is free software; you can redistribute it and/or modify it<br />
# under the terms of the GNU General Public License, Version 2 as published<br />
# by the Free Software Foundation.<br />
#<br />
# Copyright (C) 2004-2007 Open-Xchange, Inc.<br />
# Mail: info@open-xchange.com<br />
# <br />
# Author: Stefan Preuss <stefan.preuss@open-xchange.com><br />
<br />
# The following property enables the Upsell-Layer Plugin for the OX6 AJAX GUI<br />
modules/upsell/enabled=true<br />
<br />
/var/www/ox6/plugins/upsell/register.js:<br />
<br />
/**<br />
*<br />
* This program is free software; you can redistribute it and/or modify it<br />
* under the terms of the GNU General Public License, Version 2 as published<br />
* by the Free Software Foundation.<br />
*<br />
* Copyright (C) 2004-2007 Open-Xchange, Inc.<br />
* Mail: info@open-xchange.com <br />
* <br />
* @author: Stefan Preuss <stefan.preuss@open-xchange.com><br />
*<br />
*/<br />
<br />
/*<br />
* Example for an Upsell-Layer<br />
* The OX GUI triggers a special event if a user clicks on disabled features.<br />
*/<br />
<br />
/*<br />
* Register to Upsell-Event<br />
*/<br />
register("Feature_Not_Available", showUpsellLayer);<br />
<br />
/**<br />
* Function to display an Upsell-Alert dialog<br />
* @param feature String (optional) - Module description<br />
* @param win Window (optional) - Only needed/given if we trigger the event from the new object windows <br />
*/<br />
function showUpsellLayer(feature, win) {<br />
// setting corewindow to default if win is not defined<br />
win = win || corewindow; <br />
<br />
/*<br />
* Build up the dialog content<br />
* Note: You can also use myDiv.innerHTML!<br />
*/<br />
var myDiv = newnode("div",{ textAlign: "center", padding: "10px" }, 0, [ <br />
newnode("div", 0, { background: "url(http://www.example.com/img/header/logo.gif)" }, 0,<br />
win.document),<br />
newnode("span", 0, 0, [ <br />
document.createTextNode("Diese Funktion ist nur in Open-Xchange Premium verfügbar!") ],<br />
win.document),<br />
newnode("input", { marginTop: "10px"}, <br />
{ type: "button", onclick: function() { window.open("http://www.open-xchange.com") },<br />
value: "Weitere Information zu Open-Xchange Premium!" }, 0, <br />
win.document),<br />
newnode("input", { marginTop: "10px"}, <br />
{ type: "button", onclick: function() { window.open("http://www.open-xchange.com") },<br />
value: "Paket-Upgrade auf Open-Xchange Premium!" }, 0, <br />
win.document) <br />
], win.document);<br />
<br />
// calling the newAlert function to open the dialog at the given window<br />
win.newAlert("Hinweis " + feature, null, AlertPopup.close, myDiv);<br />
}<br />
<br />
/*<br />
* Uncomment the following block to change the grayed out module images in the upper left corner!<br />
*/<br />
/*<br />
if (!document.getElementById("sp_c_portal").src.match(/mod_portal_sel.gif$/)) {<br />
document.getElementById("sp_c_portal").src = getFullImgSrc("img/portal/mod_portal.gif");<br />
}<br />
document.getElementById("sp_c_calendar").src = getFullImgSrc("img/calendar/mod_calendar.gif");<br />
document.getElementById("sp_c_tasks").src = getFullImgSrc("img/tasks/mod_tasks.gif");<br />
document.getElementById("sp_c_infostore").src = getFullImgSrc("img/infostore/mod_infostore.gif");<br />
*/<br />
<br />
Currently, the parameter <code>feature</code> can have the following values:<br />
* configuration/mail/accounts/new<br />
* modules/calendar<br />
* modules/calendar/freebusy<br />
* modules/calendar/mini_calender<br />
* modules/calendar/new/add_attachment<br />
* modules/calendar/new/add_participants<br />
* modules/calendar/new/delete_attachment<br />
* modules/calendar/new/remove_participants<br />
* modules/calendar/save_to_infostore<br />
* modules/calendar/team<br />
* modules/contacts<br />
* modules/contacts/save_to_infostore<br />
* modules/contacts/new/add_attachment<br />
* modules/contacts/new/delete_attachment<br />
* modules/folders/users<br />
* modules/infostore<br />
* modules/infostore/send_as_attachment<br />
* modules/infostore/send_as_link<br />
* modules/infostore/mail/save_to_infostore<br />
* modules/mail<br />
* modules/mail/save_to_infostore<br />
* modules/mail/new/add_infostore_attachment<br />
* modules/portal<br />
* modules/tasks<br />
* modules/tasks/save_to_infostore<br />
* modules/tasks/new/add_participants<br />
* modules/tasks/new/remove_participants<br />
* modules/tasks/new/add_attachment<br />
* modules/tasks/new/delete_attachment<br />
<br />
The following events may be triggered by plugins (if enabled):<br />
* modules/usm/eas<br />
<br />
== Customized / Extended configuration tree ==<br />
<br />
In order to extend your configuration frontend you will have to make more changes than overwriting existing JS methods. You have to implement your own configuration site. Below, you will find the JS API Doc that will show you how to build external contents into the configuration frontend:<br />
<br />
[[Main_Page#Interfaces|JavaScript API for extending the configuration frontend]]<br />
and<br />
[[Main_Page#UI_Customization|Gui Plugin API Documentation]]<br />
<br />
/opt/open-xchange/etc/groupware/settings/extendconfiguration.properties:<br />
<br />
modules/extendconfiguration/enabled=true<br />
<br />
/var/www/ox6/plugins/extendconfiguration/register.js:<br />
<br />
// Extending the configuration tree.<br />
<br />
// Add a new folder-like node called "Example", and inside it another node<br />
// called "Page". The position of a node is specified by a path string.<br />
// Each tree level is separated by slashes. There should be only two levels<br />
// below the standard "configuration" root element: configuration/x for inner<br />
// nodes and configuration/x/y for leaf nodes.<br />
<br />
new ox.Configuration.InnerNode("configuration/example", "Example");<br />
var node = new ox.Configuration.LeafNode("configuration/example/page", "Page");<br />
<br />
<br />
// Connect the node to a new page. <br />
<br />
var page = new ox.Configuration.Page(node, "Example Configuration Page");<br />
<br />
<br />
// All data on the page is collected in a single data object. This object is<br />
// transmitted to and from the server in the methods load() and save() using<br />
// static methods of ox.JSON.<br />
// For save(), the parameter cont is a continuation function which must be<br />
// called after the data was saved successfully.<br />
<br />
page.save = function(data, cont) {<br />
ox.JSON.put(AjaxRoot + "/serverplugin?action=set&session=" + session,<br />
data, cont);<br />
}<br />
<br />
<br />
// The continuation function of load() expects the data object as parameter.<br />
// To extract the data object from the server reply, a new continuation function<br />
// is used.<br />
<br />
page.load = function(cont) {<br />
ox.JSON.get(AjaxRoot + "/serverplugin?action=get&session=" + session,<br />
function(reply) { cont(reply.data); });<br />
};<br />
<br />
<br />
// Content is added to the page with the method addWidget().<br />
// Here, a static text is added at the top of the page.<br />
<br />
page.addWidget(new ox.UI.Text("Long explanation text"));<br />
<br />
<br />
// Individual input widgets can be connected to fields in the data object by<br />
// specifying the field name as the second parameter to addWidget().<br />
<br />
page.addWidget(new ox.UI.CheckBox("CheckBox Label"), "fieldname");<br />
<br />
<br />
// Layout can be controlled by using container widgets.<br />
// Configuration pages currently support only the Group container, which adds<br />
// a header over its children.<br />
// Every group has its own data object, which becomes nested in the page's<br />
// data object.<br />
<br />
var group = new ox.Configuration.Group("Group title");<br />
page.addWidget(group, "subobject");<br />
<br />
<br />
// Adding widgets to a group happens exactly like for a page, since both are<br />
// descendants of ox.UI.Container.<br />
<br />
var input = new ox.UI.Input("Detail field");<br />
group.addWidget(input, "input");<br />
<br />
<br />
// All input widgets have a default value which is used when the data object<br />
// does not contain the widget's field (e. g. on first login).<br />
<br />
input.default_value = "default";<br />
<br />
<br />
// ox.UI.Selection has many descendants which implement the same thing:<br />
// A field which must contain one of several possible values.<br />
// The possible values are set with the method setEntries().<br />
<br />
var choice = new ox.UI.ComboBox("Choice");<br />
group.addWidget(choice, "choice");<br />
choice.setEntries([0, 1, Infinity], ["Zero", "One", "Infinity"]);<br />
<br />
== Customized new buttons in the panel ==<br />
<br />
This example adds a new area called "SMS" to the contacts panel. The area<br />
has two buttons, "Display" and "Send". The "Display" button is active if one or<br />
more contacts are selected and fires a JS alert for each of them when<br />
clicked. The "Send" button is only active when a single contact is selected<br />
and has a business telephone number stored in it. On click, a JS alert is<br />
shown that displays the telephone number.<br />
<br />
<br />
/**<br />
*<br />
* This program is free software; you can redistribute it and/or modify it<br />
* under the terms of the GNU General Public License, Version 2 as published<br />
* by the Free Software Foundation.<br />
*<br />
* Copyright (C) 2004-2007 Open-Xchange, Inc.<br />
* Mail: info@open-xchange.com <br />
* <br />
* @author: Viktor<br />
*<br />
*/<br />
<br />
//create a new menu Object for the panel and define the unique id (id1 here)<br />
var contextmenu = MenuNodes.createSmallButtonContext("id1", "SMS");<br />
<br />
/**<br />
* Add menu Entries to the new generated panel object and define the icons<br />
* as well as the to be called functions. The identifiers must be unique <br />
* all over the complete js code (button1 and button2) in this example<br />
*/<br />
MenuNodes.createSmallButton(contextmenu,"button1", "Display",<br />
"themes/default/img/menu/edit.gif",<br />
"themes/default/img/menu/edit_d.gif",<br />
click1);<br />
MenuNodes.createSmallButton(contextmenu,"button2", "Send",<br />
"themes/default/img/menu/edit.gif",<br />
"themes/default/img/menu/edit_d.gif",<br />
click2);<br />
/* The panel object gets the id 20 and is displayed in the fixed area.<br />
* Possible areas are FIXED and DYNAMIC; the id controls the order within the areas.<br />
*/ <br />
addMenuNode(contextmenu.node, MenuNodes.FIXED, 20);<br />
<br />
//The following makes the new panel options dynamically active/inactive<br />
changeDisplay("contacts", "id1");<br />
menuarrows["contacts"] = {};<br />
function changeplugin() {<br />
menuglobalzaehler = 0;<br />
menuarrows["contacts"]["id1"] = new Array();<br />
//menucountselected here holds the amount of select items<br />
menu_display_contents("contacts","id1", menucountselected >= 1,<br />
"button1");<br />
// The following is an example of how to get data out of the GUI internal cache. button2<br />
// is only active when a contact which has a business tel number is selected.<br />
if (activemodule == "contacts") {<br />
OXCache.newRequest(null, "contacts", {<br />
objects: menuselectedobjects,<br />
columns: ["telephone_business1"]<br />
}, null, function(data) {<br />
menu_display_contents("contacts","id1",<br />
menucountselected == 1 &&<br />
data.objects[0].telephone_business1,<br />
"button2");<br />
});<br />
}<br />
}<br />
register("OX_SELECTED_ITEMS_CHANGED", changeplugin); <br />
<br />
//now the called functions for the buttons follow<br />
function click1() {<br />
OXCache.newRequest(null, "contacts", {<br />
objects: menuselectedobjects,<br />
columns: ["id", "folder_id", "last_name"]<br />
}, null, display);<br />
}<br />
<br />
function click2() {<br />
OXCache.newRequest(null, "contacts", {<br />
objects: menuselectedobjects,<br />
columns: ["telephone_business1"]<br />
}, null, call);<br />
}<br />
<br />
function display(data) {<br />
for (var i = 0; i < menucountselected; i++)<br />
alert(data.objects[i].last_name);<br />
}<br />
<br />
function call(data) {<br />
alert("Now, a SMS to " + data.objects[0].telephone_business1 + <br />
" could have been sent");<br />
}<br />
<br />
== Embedding external webapps which require authentication (works with OX 6.16 and higher) == <br />
<br />
In other examples on this page/wiki, you learned how to extend the settings tree with your own links to external web sites or similar. <br />
But often it is required to log in to such external web applications with some credentials. In many situations, the OX credentials and the credentials for the external web app are the same. So it would be an improvement for the OX user to be automatically logged in to this web app when clicking a link within the OX settings tree. <br />
<br />
To achieve this functionality, we introduced a new servlet in OX version 6.16 and higher with a kind of "Single Sign On" functionality. It is reachable at the path "/ajax/sso" via HTTPS only (INFO: HTTP connections will NOT work). This servlet can be used to retrieve the following data about the user who is using the OX GUI:<br />
<br />
<pre><br />
"login" -> The string which was entered at OX login screen.<br />
"imap_login" -> The string which was provisioned into the OX account as "imaplogin". This is used to authenticate against the primary IMAP/Mail Account.<br />
"username" -> OX internal username which was chosen by the administrator of the OX context/setup.<br />
"password" -> The password of the user.<br />
"context_id" -> OX internal number which references the context where the user resides in. Specified by the administrator at OX context creation.<br />
"context_name" -> OX internal string which references the context. Specified by the administrator at OX context creation.<br />
</pre><br />
<br />
Basically, you have to extend the settings/configuration tree in OX with a custom link/button that the user can click on. When this link is clicked, you have to call the SSO servlet with the session id of the current user. The servlet then sends a response with a JSON object which contains the data explained above. You can use this data to "POST" to the login URL of your external web application. Once your web application has authenticated the POST request, it should redirect the request to its main application. The OX user is then logged in to your external web application with just a click instead of entering his credentials again.<br />
<br />
Here is an example of how to call the SSO servlet:<br />
<br />
<pre><br />
<br />
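// Fetch the data needed to log in to the external web application.<br />
function callExtAPP() {<br />
    // "session" is the session id of the current OX user<br />
    ox.JSON.get("/ajax/sso?action=get&session=" + encodeURIComponent(session), function(reply) {<br />
        // The request is asynchronous: use the values here, inside the callback.<br />
        // Local variables keep the password out of the global scope.<br />
        var username = reply.data.username;<br />
        var password = reply.data.password;<br />
        var login = reply.data.login;<br />
    });<br />
}<br />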
</pre><br />
<br />
You can call this function, for example, on an "onClick" event triggered by an OX user who clicks a link in the configuration/settings tree.<br />
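<br />
The flow described above, as an added example that is not part of the original page and not Open-Xchange code: it validates the servlet reply, accepts only an allow-listed HTTPS login URL, and sends the credentials in a POST body through a hidden form instead of a URL. The login URL, the allow-list, the external form field names, the sample reply and all function names are assumptions; a browser with the URL API is assumed.<br />

```javascript
// Added example. Hypothetical names: EXTERNAL_LOGIN_URL, ALLOWED_ORIGINS,
// FIELD_MAP, SAMPLE_REPLY and every function below.
var EXTERNAL_LOGIN_URL = "https://webapp.example.com/login"; // placeholder
var ALLOWED_ORIGINS = ["https://webapp.example.com"];        // placeholder
// External form field name -> key in the SSO reply (field names are assumptions).
var FIELD_MAP = { user: "login", pass: "password" };

// Constructed sample of a servlet reply, using the keys listed on this page.
var SAMPLE_REPLY = {
    data: {
        login: "alice@example.com", imap_login: "alice", username: "alice",
        password: "constructed-secret", context_id: 1, context_name: "example"
    }
};

// Build the servlet URL. The session id is URL-encoded so that it cannot
// add or alter query parameters.
function buildSsoUrl(sessionId) {
    if (typeof sessionId !== "string" || sessionId === "") {
        throw new Error("missing session id");
    }
    return "/ajax/sso?action=get&session=" + encodeURIComponent(sessionId);
}

// Accept only an HTTPS login URL on an allow-listed origin. The password must
// not leave the browser over plain HTTP or go to an unexpected host.
function checkLoginTarget(loginUrl, allowedOrigins) {
    var url = new URL(loginUrl); // throws on malformed input
    if (url.protocol !== "https:") {
        throw new Error("login URL must use https");
    }
    if (url.username || url.password) {
        throw new Error("login URL must not embed credentials");
    }
    if (allowedOrigins.indexOf(url.origin) === -1) {
        throw new Error("login origin is not allow-listed: " + url.origin);
    }
    return url.href;
}

// Turn the servlet reply into a description of the POST request.
// Assumption: an OX error reply carries an "error" member and no usable data.
function buildLoginPost(reply, loginUrl, allowedOrigins, fieldMap) {
    if (!reply || reply.error || typeof reply.data !== "object" || reply.data === null) {
        throw new Error("SSO servlet returned no data");
    }
    var fields = {};
    Object.keys(fieldMap).forEach(function (name) {
        var value = reply.data[fieldMap[name]];
        if (typeof value !== "string" || value === "") {
            throw new Error("SSO reply lacks '" + fieldMap[name] + "'");
        }
        fields[name] = value;
    });
    return {
        action: checkLoginTarget(loginUrl, allowedOrigins),
        method: "POST",
        fields: fields
    };
}

// Submit the request through a hidden form. Values are set as DOM properties,
// never through innerHTML, so they are not interpreted as markup.
function submitLoginPost(post, doc) {
    var form = doc.createElement("form");
    form.method = post.method;
    form.action = post.action;
    form.style.display = "none";
    Object.keys(post.fields).forEach(function (name) {
        var input = doc.createElement("input");
        input.type = "hidden";
        input.name = name;
        input.value = post.fields[name];
        form.appendChild(input);
    });
    doc.body.appendChild(form);
    form.submit();
    return form;
}

// Wiring for the OX GUI: call this from the click handler of the custom link.
// The credentials only exist inside the callback, not in global variables.
function callExtApp(sessionId) {
    ox.JSON.get(buildSsoUrl(sessionId), function (reply) {
        var post = buildLoginPost(reply, EXTERNAL_LOGIN_URL, ALLOWED_ORIGINS, FIELD_MAP);
        submitLoginPost(post, document);
    });
}
```
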
<br />
== Custom widget for the sidebar ( works with OX 6.18.2 and higher ) ==<br />
<br />
The sidebar can hold custom content, for example advertising, upsell or special help. The available space is equal to that of the mini calendar, which is shown by default. The custom widget can be added below or above the mini calendar, or as a replacement for it:<br />
<br />
// create the widget<br />
var swidget = new ox.gui.Custom(function() {<br />
this.dom.node.innerHTML = "Hey, I'm an custom widget!";<br />
}, "custom-widget").<br />
css({ backgroundColor: "lightyellow", border: "1px solid #fc0",<br />
padding: "5px", lineHeight: "11pt", height: "100%" }).<br />
setLayoutParam({ position: "bottom", height: "50px" });<br />
<br />
// insert widget into the sidepanel on the given position<br />
// 3 = above mini-cal, 1 or 2 = below mini-cal <br />
ox.widgets.sidepanel.insert(swidget, 3);<br />
<br />
//trigger validate to force repaint<br />
ox.widgets.sidepanel.validate();<br />
<br />
// optional: remove comment to permanently disable the mini-calendar<br />
// ox.widgets.miniCalendar.disable();<br />
// ox.widgets.miniCalendar.hide();<br />
<br />
[[File:Custom-sidebar-widget.png]]<br />
<br />
== Customizing the Help, Logout, examples UWA link, Session Expired and Direct Link locations / URLs ==<br />
<br />
If you need to change or customize the Help, Logout, Session Expired or Direct Link locations / URLs, you can use the following variables and parameters. You can set them anywhere within your plugin. If not set, the system defaults will be used. Don't use the 'var' keyword, as these variables are publicly available (global).<br />
<br />
// the base path for the help pages<br />
help_location = "[protocol]://[hostname][path]/help/[language{1}]/";<br />
<br />
// the redirect url after logout<br />
logout_location = "[protocol]://[hostname][path]";<br />
<br />
// the redirect url if the session expires<br />
sessionExpired_location = "[protocol]://[hostname][path]";<br />
<br />
// the direct link url, used in the infostore detail views and the new e-mail window<br />
// note: do not remove or modify the part "#m=[module]&f=[folder]&i=[object_id]", otherwise direct links won't work anymore<br />
directLink_location = "[protocol]://[hostname][path]#m=[module]&f=[folder]&i=[object_id]";<br />
<br />
// example for the UWA link from the UWA-Module settings page<br />
// The text between %s%s gets shown as href for the given link<br />
uwaLink.text = "Please have a look at the %sInteresting UWA modules%s page. It shows a list of widgets and their associated data."<br />
uwaLink.link = "http://www.open-xchange.com/index.php?id=361&L=[language{0}]"<br />
<br />
As you can see, you can use placeholders, similar to other programming languages. These placeholders are parsed and replaced by the OX application. Here is a short description of some of them:<br />
<br />
[protocol] = the current used protocol - e.g. http or https<br />
[hostname] = the hostname - e.g. www.myox.de<br />
[path] = the path (if any) behind the hostname - e.g. /ox6/ - or empty if not used<br />
[file] = the file parameter (if any) - e.g. ox.html<br />
[language{0|1}] = the user's language - e.g. de_DE, where {0} is the language iso code and {1} the country iso code<br />
[context_id] = the user's context id<br />
[timezone] = the user's timezone - e.g. Europe/Berlin<br />
<br />
A full set of available parameters will follow soon.<br />
Note: The parameters [module], [folder] and [object_id] are only available at the directLink and can't be used anywhere else.<br />
<br />
= Help Menu =<br />
<br />
It is possible to add entries to the pop-up menu of the help button in the top right corner. The following is a simple example which opens a language-specific help page:<br />
<br />
var label = { de_DE: "Hilfe", en_US: "Help", fr_FR: "Aide" };<br />
HelpMenu.addText(label[config.language || "en_US"], displayLink);<br />
<br />
function displayLink() {<br />
open("/help/" + config.language);<br />
}<br />
<br />
The manual handling of the label is required until proper support for the internationalization plug-in is implemented.<br />
<br />
=Events=<br />
<br />
It is possible to hook into some events of the frontend. Here is a list, autogenerated with a small for...if:<br />
<br />
{| border="1" cellpadding="3" cellspacing="0"<br />
!style="width:230px" align="left" |Event Name<br />
!style="width:230px" align="left" |Description<br />
|-<br />
| LanguageChanged<br />
|<br />
|-<br />
| LanguageChangedInternal<br />
|<br />
|-<br />
| OX_Configuration_Changed<br />
|<br />
|-<br />
| OX_Configuration_Loaded<br />
|<br />
|-<br />
| OX_Refresh<br />
|<br />
|-<br />
| OX_Configuration_Loaded_Complete<br />
|<br />
|-<br />
| OX_Login<br />
|<br />
|-<br />
| Loaded<br />
|<br />
|-<br />
| Loading<br />
|<br />
|-<br />
| OX_Show_Help_Panel<br />
|<br />
|-<br />
| OX_Show_Help<br />
|<br />
|-<br />
| OX_Show_About<br />
|<br />
|-<br />
| LoginPageLoaded<br />
|<br />
|-<br />
| OX_Folder_Cleared<br />
|<br />
|-<br />
| OX_SELECTED_ITEMS_CHANGED<br />
|<br />
|-<br />
| OX_menu_Change_Height<br />
|<br />
|-<br />
| OX_Switched<br />
|<br />
|-<br />
| OX_Mail_Move<br />
|<br />
|-<br />
| OX_Calendar_Move<br />
|<br />
|-<br />
| OX_Contact_Move<br />
|<br />
|-<br />
| OX_InfoStore_Move<br />
|<br />
|-<br />
| OX_Task_Move<br />
|<br />
|-<br />
| OX_Object_Move<br />
|<br />
|-<br />
| OX_Mail_Copy<br />
|<br />
|-<br />
| OX_Contact_Copy<br />
|<br />
|-<br />
| OX_Object_Copy<br />
|<br />
|-<br />
| OX_Configuration_Switch_Folder_View<br />
|<br />
|-<br />
| OX_Direct_Linking<br />
|<br />
|-<br />
| OX_GLOBAL_CLICK<br />
|<br />
|-<br />
| OX_menu_After_Change_Height<br />
|<br />
|-<br />
| OX_menu_RESIZE<br />
|<br />
|-<br />
| OX_New_Error<br />
|<br />
|-<br />
| OX_New_Info<br />
|<br />
|-<br />
| OX_Configuration_Set_Empty<br />
|<br />
|-<br />
| OX_Switch_Module<br />
|<br />
|-<br />
| OX_Switch_View<br />
|<br />
|-<br />
| OX_Selected_Nested<br />
|<br />
|-<br />
| OX_Selected_Draft<br />
|<br />
|-<br />
| Selected<br />
|<br />
|-<br />
| Confirmation_Changed<br />
|<br />
|-<br />
| SubSelected<br />
|<br />
|-<br />
| SubSelectedTeamMember<br />
|<br />
|-<br />
| OX_Selected_Member<br />
|<br />
|-<br />
| OX_Lockable<br />
|<br />
|-<br />
| OX_Change_InfoStore_Detail_View<br />
|<br />
|-<br />
| OX_Change_Language<br />
|<br />
|-<br />
| OX_Execute_Function<br />
|<br />
|-<br />
| OX_Calendar_Change_Confirm<br />
|<br />
|-<br />
| OX_Calendar_Team_Add_Team<br />
|<br />
|-<br />
| OX_Task_Change_Confirm<br />
|<br />
|-<br />
| OX_Task_Standard_Search<br />
|<br />
|-<br />
| Preload<br />
|<br />
|-<br />
| OX_Configuration_Load_Foldertree<br />
|<br />
|-<br />
| OX_Portal_Click_Item<br />
|<br />
|-<br />
| OX_NEW_MAIL<br />
|<br />
|-<br />
| OX_Mail_Reply<br />
|<br />
|-<br />
| OX_Mail_ReplyAll<br />
|<br />
|-<br />
| OX_Mail_Forward<br />
|<br />
|-<br />
| OX_Mail_Edit_Draft<br />
|<br />
|-<br />
| OX_Mail_Change_Structure<br />
|<br />
|-<br />
| updateAllNewMailNumbers_Created<br />
|<br />
|-<br />
| OX_Mail_Delete<br />
|<br />
|-<br />
| OX_Mail_SaveMail<br />
|<br />
|-<br />
| OX_Attachment_Open<br />
|<br />
|-<br />
| OX_Attachment_Open_Nested<br />
|<br />
|-<br />
| OX_Attachment_Save<br />
|<br />
|-<br />
| OX_New_OXObject<br />
|<br />
|-<br />
| OX_Calendar_Edit<br />
|<br />
|-<br />
| OX_Calendar_Delete<br />
|<br />
|-<br />
| _IE_resize_complete<br />
|<br />
|-<br />
| OX_Calendar_Switch_Detail<br />
|<br />
|-<br />
| OX_Contact_Edit<br />
|<br />
|-<br />
| OX_Contact_Duplicate<br />
|<br />
|-<br />
| OX_Contact_Delete<br />
|<br />
|-<br />
| OX_Contact_SendVCard<br />
|<br />
|-<br />
| OX_Contact_Switch_Detail<br />
|<br />
|-<br />
| cb_abstact_email1<br />
|<br />
|-<br />
| sendMailToContact<br />
|<br />
|-<br />
| OX_Changed_DefaultIMAP_Unread<br />
|<br />
|-<br />
| OX_Tasks_Switch_Split_Detail<br />
|<br />
|-<br />
| OX_Task_Delete<br />
|<br />
|-<br />
| OX_Task_Edit<br />
|<br />
|-<br />
| OX_Task_Duplicate<br />
|<br />
|-<br />
| OX_Object_Add_Attachment<br />
|<br />
|-<br />
| OX_Create_Object<br />
|<br />
|-<br />
| OX_Configuration_GUI_Changed<br />
|<br />
|-<br />
| OX_Save_Configuration<br />
|<br />
|-<br />
| OX_Configuration_Settings_Changed_Language<br />
|<br />
|-<br />
| OX_Configuration_Settings_Changed_Timezone<br />
|<br />
|-<br />
| OX_Configuration_Settings_Changed_GUI<br />
|<br />
|-<br />
| OX_Configuration_Settings_Changed_Mail<br />
|<br />
|-<br />
| OX_Configuration_Settings_Changed_Modules<br />
|<br />
|-<br />
| OX_Configuration_Settings_Changed_Calendar_Notification<br />
|<br />
|-<br />
| OX_Configuration_Settings_Changed_Task_Notification<br />
|<br />
|-<br />
| OX_Configuration_Settings_Changed_Region_Date<br />
|<br />
|-<br />
| OX_Configuration_Settings_Changed_Tree<br />
|<br />
|-<br />
| OX_SELECTION_CHANGED_CONFIRM<br />
|<br />
|-<br />
| OX_Show_Mail_Panel<br />
|<br />
|-<br />
| OX_Show_MiniCalendar<br />
|<br />
|-<br />
| OX_SELECTED_SUBSELECTION_CHANGED<br />
|<br />
|-<br />
| OX_Task_Search<br />
|<br />
|-<br />
| OX_Search_InfoStore<br />
|<br />
|-<br />
| OX_Configuration_Change_Right<br />
|<br />
|-<br />
| OX_Configuration_Move_Folder<br />
|<br />
|-<br />
| OX_Config_Folder_Changed<br />
|<br />
|-<br />
| OX_Show_Rights<br />
|<br />
|-<br />
| OX_Before_Create_Calendar<br />
|<br />
|-<br />
| OX_Before_Create_Contact<br />
|<br />
|-<br />
| OX_Before_Create_Distributionlist<br />
|<br />
|-<br />
| OX_Before_Create_Task<br />
|<br />
|-<br />
| OX_Before_Create_InfoStore<br />
|<br />
|-<br />
| OX_Teammember_Changed<br />
|<br />
|-<br />
| OX_Switch_InfoStore_Detail<br />
|<br />
|-<br />
| OX_SELECTION_CHANGED<br />
|<br />
|-<br />
| OX_Refresh_Mini_Calendar<br />
|<br />
|-<br />
| OX_Select_MiniMonth<br />
|<br />
|-<br />
| OX_Select_MiniYear<br />
|<br />
|-<br />
| OX_Dummy<br />
|<br />
|-<br />
| OX_Quota_Update<br />
|<br />
|-<br />
| Logout<br />
|<br />
|-<br />
| OX_Add_Flag<br />
|<br />
|-<br />
| OX_Mail_Flag<br />
|<br />
|-<br />
| OX_Mail_Spam<br />
|<br />
|-<br />
| OX_Mail_Ham<br />
|<br />
|-<br />
| OX_Mail_Show_Source<br />
|<br />
|-<br />
| OX_New_Search<br />
|<br />
|-<br />
| OX_Delete_Search<br />
|<br />
|-<br />
| OX_Print<br />
|<br />
|-<br />
| OX_Attachment_SaveInfoStore<br />
|<br />
|}<br />
<br />
Would be nice if somebody could add some description to particular Events :-)<br />
<br />
[[Category: OX6]]</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=OX6:OX_Mobile_Web_Interface&diff=8143OX6:OX Mobile Web Interface2011-07-07T09:38:20Z<p>Bartl3by: </p>
<hr />
<div>= Information and Installation of Open-Xchange Mobile Web App =<br />
<br />
== Description ==<br />
<br />
The Open-Xchange Mobile Web App provides you access to your data from the Open-Xchange Server 6 via your smartphone. It offers online and offline access to appointments, contacts and mails on the road using your smartphone's browser. Optimized for low bandwidths, the Open-Xchange Mobile Web App offers instant and fast over-the-air access to your data, which is at the same time safely stored on the Open-Xchange Server. The following modules are supported:<br />
<br />
*E-Mail<br />
*Calendar<br />
*Contacts<br />
<br />
Moreover, the app offers seamless integration with your phone's basic functions like phone calls. You can easily start calls from your Open-Xchange contacts on your smartphone or directly send e-mails.<br />
<br />
== Features and Functions ==<br />
<br />
=== Mail Module ===<br />
*Access to all Open-Xchange private mail folders<br />
*Creation of new e-mails<br />
*Answer, forward and delete e-mails<br />
*Mail attachments (Attachment handling/support is defined by mobile device)<br />
<br />
=== Contact Module ===<br />
*Access to all Open-Xchange contact folders and contacts with details<br />
*Creation of e-mails directly from contact module<br />
*Start calls directly from contact module<br />
<br />
=== Calendar Module ===<br />
* Access to all Open-Xchange calendar folders and appointments with details<br />
* Accept/Decline appointments<br />
* View participants, resources and notes of each appointment<br />
<br />
=== Persistence of the Mobile Web App ===<br />
*Offline capability<br />
*All contacts are available offline<br />
*All appointments are available offline<br />
*All mail headers are available offline<br />
*All mails which are opened once are available offline<br />
<br />
===Configuration===<br />
*Number of e-mails retrieved (25,50,75,100)<br />
*Number of days which will be checked for appointments (5,10,20,30)<br />
*Animation for iOS devices (on/off)<br />
*Subscription of contact folders<br />
*Subscription of mail folders<br />
*Autologin<br />
<br />
===Themeability, branding and i18n ===<br />
<br />
* i18n for DE, EN, ES, FR, NL and PL, other languages can be added.<br />
* Branding options: App name and app icon<br />
* Themeability by CSS<br />
<br />
== Supported devices ==<br />
<br />
The OX Mobile Web App runs on devices with a Webkit-based browser. These are mainly devices running iOS, Android and newest generation of BlackBerrys. For devices running Symbian we recommend using Opera Mobile Browser.<br />
<br />
{|border="2" rules="all" align="left"<br />
|-<br />
|'''Device Support'''<br />
|&nbsp;<br />
|&nbsp;<br />
|-<br />
|Apple iPhone<br />
|yes (iPhone running iOS 2.0, 2.1, 3.0, 4.0, 4.2.1, 4.3)<br />
|Officially supported by OX: 2G, 3G, 3GS, 4 and iPod-Touch 3.1.3<br />
|-<br />
|Android<br />
|yes<br />
|Officially supported by OX: Google Nexus One (Android 2.3.3), HTC Desire (Sense Android 2.1)<br />
|-<br />
|Nokia/Symbian S60 5th Edition<br />
|yes<br />
|Opera Mobile is recommended to guarantee a proper user experience. Symbian's default browser is simply too slow.<br />
|-<br />
|Windows Mobile 6.5 running Internet Explorer<br />
|no, not planned<br />
|<br />
|-<br />
|Windows Phone 7<br />
|not yet, scheduled for version 1.2<br />
|<br />
|-<br />
|}<br />
<br />
== Technical overview ==<br />
* Based on HTML5, CSS, Javascript (Frameworks jQuery and jQTouch)<br />
* Optimized for Webkit browsers like Mobile Safari and Chrome. Will also work with restrictions on Firefox and Opera Mobile<br />
* Complete offline capability<br />
<br />
===Offline Mode details===<br />
<br />
The OX Mobile Web App uses HTML5 to provide an offline mode for the user. To do this, there are two different kinds of storage mechanisms.<br />
<br />
* The whole application will be cached using the "HTML5 application cache". This will be done on the first visit/start of the app. After this initial download, all graphics, language files, js-files and everything else which is needed to run the app is stored locally on your phone in a storage managed by the browser.<br />
<br />
* The data from the OX server will be stored using the HTML5 storage mechanism which is supported by the user's device. This can be HTML5 local storage, session storage or an SQLite database. For the user there's no difference between these storage modes.<br />
<br />
Note: In case your device has no storage support (like the Nokia N97), a log message will inform you about this. The log can be found under the settings page, hitting the button in the upper right corner showing the exclamation mark symbol.<br />
<br />
== Requirements ==<br />
<br />
* Open-Xchange Server >= v.6.20<br />
* 1GB RAM<br />
<br />
== Download & Documentation==<br />
<br />
Follow this [http://software.open-xchange.com/OX6/OXtender-stable/MobileApp/ link] to download the installation package, Release Notes and documentation.<br />
<br />
'''Please Note:''' You cannot just upgrade to this new version because we changed the versioning to a lower version (from 6.20.0.0 to 0.9.0). In order to install this latest version, you either need to uninstall the current version or download the latest version manually and install using<br />
<br />
$ dpkg -i open-xchange-gui-mobile*.deb<br />
<br />
on Debian and on RPM based systems<br />
<br />
$ rpm --force -Uhv open-xchange-gui-mobile*.rpm<br />
<br />
{{InstallPlugin|pluginname=open-xchange-gui-mobile-v2-gui open-xchange-gui-mobile-v2-theme-default open-xchange-gui-mobile-v2|sopath=OXtender-stable/MobileApp|reponame=mobilewebapp}}<br />
<br />
== Configuration ==<br />
<br />
Installation on the Apache or another webserver:<br />
* After installation locate the installed files in your webroot directory, i.e. <code>/var/www/ox6-mobile-v2/</code> on Debian<br />
* Edit the file <code>"ox-access.conf"</code> in directory ox6-mobile-v2<br />
* Change localhost to the address at which the mobile app will be reachable, followed by "/ajax", i.e. "<code>https://m.example.com/ajax</code>". '''Note''': We strongly recommend the usage of https, otherwise data will be transmitted unencrypted between client and server.<br />
* The Mobile App acts like a second UI next to the normal web frontend.<br />
* Run the following command (adapt the webserver path on SLES/RHEL):<br />
$ /opt/open-xchange/sbin/update-cache.manifest /var/www/ox6-mobile-v2/cache.manifest.in /var/www/ox6-mobile-v2/cache.manifest /var/www/ox6-mobile-v2/ox-access.conf<br />
* You also need to add a new mimetype to your webserver configuration to make sure the caching (offline mode) works. <br />
** On Apache servers you can add the mimetype either globally or via a "<code>.htaccess</code>" file.<br />
** For global configuration edit the file <code>mime.conf</code> under <code>/etc/apache2/mods-enabled/</code><br />
** Add the line "<code>AddType text/cache-manifest .manifest</code>" to the file, save and restart Apache<br />
** For configuration via a <code>.htaccess</code> file, just add a .htaccess file to the install directory. This should include the line "<code>AddType text/cache-manifest .manifest</code>". '''Note''': Either the global configuration or the .htaccess file should be used. (.htaccess files will only work if your Apache settings contain <code>AllowOverride</code>. For further information on mime types, please refer to your webserver's user manual.)<br />
<br />
* For more details and README see the systems documentation directory (/usr/share/doc).<br />
<br />
==Running the OX Mobile Web App on your smartphone==<br />
<br />
After installation of the app on your webserver, a client can easily access the app via his phone's browser. We recommend adding a new subdomain to your web address to make access for clients easy. A short subdomain like <code>https://m.example.com</code> which points to your installation will save users from entering a long URL on their devices.<br />
<br />
As mentioned before, the OX Mobile Web App is a pure web application. Due to this fact there is no installation or download needed to use this app on a smartphone. Just add a bookmark in your browser to access the app again later. <br />
<br />
Especially on iOS devices there's a seamless integration within the native apps installed via the AppStore®. Just add a new bookmark to the OX Mobile Web App and choose "Add to homescreen". After this, the OX Mobile Web App will place a new app icon on the homescreen.<br />
<br />
===Common mistakes===<br />
Most problems can be solved by clearing the browser cache and reloading the app. Try this before you report a bug or change the server settings.<br />
<br />
Problem: After login a page is shown showing "Connection problem. Received response code 0". <br />
<br />
Resolution: Your ox-access.conf is not configured correctly. You must enter the full web app server address followed by the /ajax path. Server address means the full URL a user will type in his browser to access the app, e.g. "https://m.example.com/". If everything on the backend is configured correctly, try to reload the app.<br />
<br />
Problem: Using the browser's back button brings me back to the login page. After this the app does not work correctly.<br />
<br />
Resolution: Only use the navigation of the app. On each subpage a back button is located at the upper left corner which brings you back to the previous page.<br />
<br />
===Using the offline mode===<br />
<br />
During the first run, the app is stored locally on your smartphone. This caching mechanism makes later access to the app very fast and gives you the possibility to run the app even if there's no internet connection available. <br />
<br />
The OX Mobile Web App detects on startup whether there's an internet connection available or not. If not, the App will start in offline mode. In this case a plane icon is shown in the upper left corner of the main menu. In offline mode you can access all your subscribed contacts and all of your appointments. Also all your mail headlines are available. Furthermore each email which was opened earlier is available in offline mode. <br />
<br />
'''Note:''' The Mobile Web App will detect the state of your internet connection live. Open the log under the settings page for information.<br />
<br />
===Known Problems===<br />
<br />
* The OX Mobile Web App uses a custom, built-in navigation and history. To navigate back you will have to use the "back" buttons located on the top-left of the page. Do not use browser's back button. This causes the app to jump to the login screen and you will have to reload the app.<br />
<br />
* If you want to use the app in airplane mode or no network connection is available, the Android browser will show a message like "page could not be loaded due to missing network connection". Just ignore this alert and press "OK". The app will work in offline mode even though Android shows this message. <br />
<br />
* If you clean the browser cache on your device or reset it to defaults, all locally stored data will be flushed.<br />
<br />
== Deployment as native app ==<br />
<br />
The OX Mobile Web App can also be deployed as a native smartphone app. This option is available for Android Systems and later for iOS, too. As Android allows installation of apps from every location you can place an *.apk file on a webserver or in your own Android App-Store. The OX Mobile Web App will act like any other app on the device and offers the same functionality as the web hosted variant.<br />
<br />
Deploying a native iOS App can only be done via the Apple AppStore®. To do so you need to submit your special branded version of the app to Apple. Only Apple decides if the app will be listed in the AppStore or not.<br />
<br />
For more information on native app deployment please contact us directly.<br />
<br />
== Branding options ==<br />
=== Application name===<br />
The OX Mobile Web App comes with the standard name set "OX Mobile Web App". This title is saved in a png file under "/lib/jqtouch/themes/cupertino/external/i18n_img/brand_[locale].png". To brand the app with your custom title just replace the files for each language to your needs. The i18n tool will show the graphic for each language. To configure the page title (in html title tag) please use the i18n module:<br />
<br />
# Locate your installation directory (i.e. /var/www/ox6-mobile-v2)<br />
# Change to "lang" folder<br />
# The folder contains all available language files (*.po)<br />
# Open one of the files and locate the line containing msgid "OX Mobile" <br />
# Change the corresponding msgstr to your title of the app, i.e. "My App". <br />
# Do this for all language files<br />
* Note: Do not change the '''msgid''', this must be "OX Mobile". Only change the '''msgstr''' value.<br />
<br />
This title will also be the "App title" for the iPhone when the function "Add to homescreen" is used.<br />
<br />
== Theming ==<br />
<br />
The OX Mobile Web App is themed via CSS and HTML. To create your own theme you will have to create new graphics and edit the css files in the theme path. To do so follow the steps below:<br />
<br />
# Locate the theme path under "path to your webroot/ox6-mobile-v2/lib/jqtouch/themes"<br />
# The default theme is named "cupertino". To create your own theme make a copy of this folder and backup the original one<br />
# The folder contains two css files and two folders with images. The file jqt_theme.css contains all styles which belong to the "overall" look of the app. These are styles for lists, buttons, background, toolbars and so on. The file ox_theme.css contains more high level theming styles such as module icons, progress bars, infobox and the way the details in lists are shown (like the appointment lists or mail list). To change the whole look of the app (like colors) you will mainly edit the file jqt_theme.css<br />
# The folders "img" and "external" hold all graphics which are used in the app. To change them, just edit and save them under the same name. Don't change filenames or the theme will be broken. Also keep all file dimensions and file types (*.png, *.jpg). Changing files dimensions will corrupt the theme and layout will be broken.<br />
# Always remember: You are designing for mobile. This means: Keep fonts clear and easy to read. Keep file sizes small due to small bandwidths. Keep buttons big enough that the user can touch them easily.<br />
<br />
==Reporting Bugs==<br />
<br />
Open-Xchange is interested in learning about bugs, specifically in your runtime environment. If you experience any misbehaviors, please report bugs via our public bugzilla:<br />
[https://bugzilla.open-xchange.com/enter_bug.cgi?product=OX%20Mobile%20Web%20App Open-Xchange Bugzilla]<br><br />
Product: OX Mobile Web App<br />
<br />
The OX Mobile Web App logs all errors to a logfile which can be found under settings -> log.<br />
<br />
== Please note ==<br />
<br />
There may be some issues with checkboxes on Android devices. Sometimes checkboxes and listboxes do not respond to tap actions. If so, please rotate your phone to landscape mode and back. Then the checkboxes should respond again. <br />
<br />
Please read the SDB article to inform you about the reasons and solution.<br />
<br />
[[Category: OX6]]</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=Enable_TinyMCE_spellcheck_module&diff=7720Enable TinyMCE spellcheck module2011-05-03T09:44:43Z<p>Bartl3by: </p>
<hr />
<div>= Introduction =<br />
<br />
By default there is no spell check available in the Open-Xchange application itself because most of the modern browsers usually offer a spellcheck module. TinyMCE, the HTML editor which is used by Open-Xchange for HTML editing while writing an eMail, offers a wide set of functions and features which can be added to the HTML editor UI. This example will describe how you can enable the TinyMCE based spellcheck functionality within the Open-Xchange mail module.<br />
<br />
= Requirements =<br />
<br />
* An installed Open-Xchange Server<br />
<br />
* ASpell with the according dictionaries needs to be installed<br />
<br />
* PHP5 must be enabled in your Apache configuration<br />
<br />
= Enabling the TinyMCE Spellcheck module =<br />
<br />
Please note that enabling the spellcheck module requires modifying one JavaScript file of the Open-Xchange UI. Every update will therefore disable the spellcheck button, because the JavaScript file is overwritten during the update. Also, Open-Xchange cannot support the spellcheck module itself or the corresponding infrastructure (aspell, PHP), as those modules are not maintained or tracked by Open-Xchange.<br />
<br />
== Installation of the TinyMCE spellchecker module ==<br />
<br />
Please visit the TinyMCE website and download the latest TinyMCE spellchecker module (at the bottom of the page) at http://tinymce.moxiecode.com/download.php. This article will use the following spellchecker module: http://prdownloads.sourceforge.net/tinymce/tinymce_spellchecker_php_2_0_2.zip?download<br />
<br />
Extract the downloaded archive and move the extracted directory "spellchecker" to the TinyMCE location on the Open-Xchange installation:<br />
<br />
$ mv spellchecker /var/www/ox6/3rdparty/tinymce/jscripts/tiny_mce/plugins/.<br />
<br />
== Enable the spellchecker button in the Open-Xchange HTML editor ==<br />
<br />
This can be accomplished by adding a properties file to the directory "/opt/open-xchange/etc/groupware/settings".<br />
<br />
$ vim /opt/open-xchange/etc/groupware/settings/spellchecker.properties<br />
<br />
modules/mail/spellcheck=true<br />
<br />
== Setup the backend communication ==<br />
<br />
Finally, we need to tell the spellchecker module which binary it should execute to get spelling suggestions. By default, GoogleSpell is activated for remote suggestions, but this means that every eMail that is checked will be sent to Google, so we recommend using a local aspell instance instead. To do so, install aspell and the corresponding dictionaries as described in the requirements section, and modify /var/www/ox6/3rdparty/tinymce/jscripts/tiny_mce/plugins/spellchecker/config.php to specify the aspell binary location. Please use the following example and replace [REPLACE_WITH_PATH_TO_ASPELL_BIN] with the location of the aspell binary (for example /usr/bin/aspell):<br />
<br />
<?php<br />
// General settings<br />
//$config['general.engine'] = 'GoogleSpell';<br />
//$config['general.engine'] = 'PSpell';<br />
$config['general.engine'] = 'PSpellShell';<br />
//$config['general.remote_rpc_url'] = 'http://some.other.site/some/url/rpc.php';<br />
<br />
// PSpell settings<br />
//$config['PSpell.mode'] = PSPELL_FAST;<br />
//$config['PSpell.spelling'] = "";<br />
//$config['PSpell.jargon'] = "";<br />
//$config['PSpell.encoding'] = "";<br />
<br />
// PSpellShell settings<br />
$config['PSpellShell.mode'] = PSPELL_FAST;<br />
$config['PSpellShell.aspell'] = '[REPLACE_WITH_PATH_TO_ASPELL_BIN]';<br />
$config['PSpellShell.tmp'] = '/tmp';<br />
<br />
// Windows PSpellShell settings<br />
//$config['PSpellShell.aspell'] = '"c:\Program Files\Aspell\bin\aspell.exe"';<br />
//$config['PSpellShell.tmp'] = 'c:/temp';<br />
?><br />
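<br />
The following script is an added example, not part of the original article or of the TinyMCE or Open-Xchange code. It reads a config.php laid out like the one above, determines the active engine, and flags the settings this section warns about: GoogleSpell still active, the placeholder left in place, or an aspell path that is not an absolute, executable file. The function names, the world-writable check and the remote_rpc_url check are assumptions of this example.<br />

```sh
#!/bin/sh
# Added example: audit the TinyMCE spellchecker config.php described above.
# cfg_value, finding, audit_spellchecker_config and demo_config are
# hypothetical helper names introduced for this example.

# Print the value of the last active (not commented-out) $config[KEY] line.
cfg_value() {
    awk -v key="$1" -v q="'" '
        /^[ \t]*(\/\/|#)/ { next }                 # skip commented-out settings
        {
            prefix = "$config[" q key q "]"
            i = index($0, prefix)
            if (i == 0) next
            rest = substr($0, i + length(prefix))
            if (rest !~ /^[ \t]*=/) next
            sub(/^[ \t]*=[ \t]*/, "", rest)          # drop the assignment sign
            sub(/;.*$/, "", rest)                    # drop ";" and anything after
            sub(/[ \t\r]+$/, "", rest)
            if (rest ~ ("^" q ".*" q "$")) rest = substr(rest, 2, length(rest) - 2)
            val = rest; found = 1
        }
        END { if (found) print val }
    ' "$2"
}

findings=0
finding() { findings=$((findings + 1)); echo "FINDING: $*"; }

# Returns 0 when nothing is flagged, 1 when there are findings, 2 on read error.
audit_spellchecker_config() {
    file=$1
    findings=0
    if [ ! -r "$file" ]; then
        echo "ERROR: cannot read $file"
        return 2
    fi
    engine=$(cfg_value general.engine "$file")
    case "$engine" in
        PSpellShell)
            bin=$(cfg_value PSpellShell.aspell "$file")
            tmp=$(cfg_value PSpellShell.tmp "$file")
            case "$bin" in
                *REPLACE_WITH_PATH_TO_ASPELL_BIN*)
                    finding "PSpellShell.aspell still holds the placeholder" ;;
                /*)
                    if [ ! -f "$bin" ] || [ ! -x "$bin" ]; then
                        finding "PSpellShell.aspell=$bin is not an executable file"
                    elif [ -n "$(find -H "$bin" -prune -perm -0002)" ]; then
                        finding "PSpellShell.aspell=$bin is world-writable"
                    fi ;;
                *)
                    finding "PSpellShell.aspell='$bin' is unset or not an absolute path" ;;
            esac
            [ -d "$tmp" ] || finding "PSpellShell.tmp='$tmp' is not a directory"
            ;;
        PSpell) : ;;   # in-process engine, no binary path to check
        GoogleSpell)
            finding "general.engine=GoogleSpell sends the checked mail text to Google" ;;
        "")
            finding "no active general.engine line found" ;;
        *)
            finding "unexpected general.engine value '$engine'" ;;
    esac
    # Assumption: an active remote_rpc_url hands requests to another host.
    rpc=$(cfg_value general.remote_rpc_url "$file")
    if [ -n "$rpc" ]; then
        finding "general.remote_rpc_url is active: $rpc"
    fi
    echo "engine=${engine:-unset} findings=$findings"
    [ "$findings" -eq 0 ]
}

# Constructed sample: the config from this article with the placeholder kept.
demo_config() {
    cat <<'EOF'
<?php
//$config['general.engine'] = 'GoogleSpell';
$config['general.engine'] = 'PSpellShell';
//$config['general.remote_rpc_url'] = 'http://some.other.site/some/url/rpc.php';
$config['PSpellShell.mode'] = PSPELL_FAST;
$config['PSpellShell.aspell'] = '[REPLACE_WITH_PATH_TO_ASPELL_BIN]';
$config['PSpellShell.tmp'] = '/tmp';
?>
EOF
}

if [ "$#" -gt 0 ]; then
    audit_spellchecker_config "$1"
else
    sample=$(mktemp) && demo_config > "$sample"
    audit_spellchecker_config "$sample" || true
    rm -f "$sample"
fi
```

Run it with the path to the installed config.php as its only argument; without an argument it audits the constructed sample and reports the unreplaced placeholder.<br />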
<br />
[[Category: OX6]]</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=OX_HE_Tutorial_100K&diff=7447OX HE Tutorial 100K2011-03-04T14:15:41Z<p>Bartl3by: </p>
<hr />
<div>= Tutorial: Highly Available OX HE Setup for up to 100.000 users =<br />
<br />
'''This article describes what you need for a typical OX HE Setup for up to 100.000 Users, which is fully clustered and highly available.'''<br />
<br />
It contains everything you need to:<br />
* Understand the design of the OX HE setup including additional services<br />
* Install the whole system based on the relevant articles<br />
* Find pointers to the next steps of integration<br />
<br />
<br />
= System Design =<br />
<br />
[[Image:SaaS-100k-1.jpg]]<br />
<br />
The system is designed to provide maximum functionality and availability with a minimum of necessary hardware. If the services on one server fail, it is enough to move its IP address to the other machine, and the service will stay up and running.<br />
<br />
== Core Components for OX HE ==<br />
<br />
* Two OX HE servers (HW recommendation: 16GB RAM / 4 cores each)<br />
* MySQL installed directly on these servers<br />
* NFS Server to store documents and files<br />
<br />
== Infrastructure Components not delivered by OX ==<br />
<br />
* An email system providing IMAP and SMTP<br />
* A control panel for creation and administration of users<br />
* A Load Balancer in front of the OX servers (optional, recommended)<br />
<br />
= Overview Installation Steps =<br />
<br />
'''To deploy the described OX setup, the following steps need to be done. '''<br />
<br />
<br />
== Mandatory Steps ==<br />
# Initialize and configure MySQL database on both servers<br />
# Install and configure OX on both servers<br />
<br />
== Steps depending on your environment ==<br />
# Implement Load Balancer<br />
# Connect Control Panel<br />
# Connect Email System<br />
<br />
== Recommended Optional Next Steps ==<br />
# Automated Frontend Tests<br />
# Upsell Plugin<br />
# Mobile Autoconfiguration<br />
# Automatic FailOver<br />
# Branding<br />
<br />
<br />
= Mandatory Installation Steps - Instructions & Recommendations =<br />
<br />
<br />
'''The following steps need to be done in every case to get OX up and running:'''<br />
<br />
== Initialize and configure MySQL database on both servers ==<br />
<br />
MySQL will run on both servers. MySQL will be configured as Master-Master configuration to ensure data consistency on both servers.<br />
If one machine fails, the other machine will take over all functionality.<br />
<br />
[[OXLoadBalancingClustering_Database|Database setup for clustered environments]]<br />
<br />
== Install and configure OX on both servers ==<br />
<br />
OX will be installed on both servers. It will be configured to '''write''' to the '''first''' MySQL database and to '''read''' from the '''second''' MySQL database. This distributes the load as smoothly as possible during normal operation. During FailOver, the IP address of the failed server is taken over by the working server, so the system stays operable.<br />
<br />
[[OXLoadBalancingClustering_OXConfiguration|Open-Xchange setup and configuration for clustered environments]]<br />
<br />
The NFS server will be mounted on both machines and registered as filestore.<br />
<br />
[[OXLoadBalancingClustering_Filestore|Filestore setup for clustered environments]]<br />
<br />
When multiple Open-Xchange Servers are configured within a cluster, session handling and load balancing need to be set up.<br />
<br />
[[OXLoadBalancingClustering_SessionLoadbalancing|Session and Loadbalancing for clustered environments]]<br />
<br />
[[OXLoadBalancingClustering_NetworkConfiguration|Network configuration for clustered environments]]<br />
<br />
You should also install and configure the OXtender for Business Mobility.<br />
<br />
[[OXtender_for_Business_Mobility_Installation_Guide|Installation of the OXtender for Business Mobility]]<br />
<br />
= Installation Steps depending on your environment - Instructions & Recommendations =<br />
<br />
'''The following components need to be implemented in your environment.'''<br />
<br />
<br />
== Implement Load Balancer ==<br />
<br />
A load balancer in front of the OX servers is recommended, but optional in this deployment size. (In small environments, DNS Round Robin may be sufficient).<br />
<br />
If you already have a hardware load balancing solution in place, this can be used. OX is known to work with the standard load balancing solutions from BigIP, Barracuda, Foundry, ...<br />
<br />
If you do not have a load balancing solution already in place, we recommend using [http://www.keepalived.org/ Keepalived] as a reliable and cost-effective solution.<br />
<br />
Read more about configuring [[Keepalived | Keepalived for Open-Xchange]]<br />
<br />
<br />
{{OX_HE_Tutorial_CP}}<br />
<br />
<br />
{{OX_HE_Tutorial_HGP}}<br />
<br />
<br />
{{OX_HE_Tutorial_POA}}<br />
<br />
<br />
{{OX_HE_Tutorial_Auth}}<br />
<br />
<br />
== Connect Email System ==<br />
<br />
Every email system providing IMAP and SMTP can be used as a backend for OX. The best experience has been with the widespread Linux-based IMAP servers [http://dovecot.org/ Dovecot], [http://www.cyrusimap.org/ Cyrus] or [http://www.courier-mta.org/imap/ Courier].<br />
<br />
Other IMAP servers need to be tested thoroughly before going into production.<br />
<br />
There are several possibilities to implement the Email system:<br />
<br />
# You already have an email system available: Nothing needs to be done, it just needs to be configured<br />
# You use Parallels Automation (POA): Nothing special needs to be done, everything you need is contained in the APS package<br />
# You want to setup a new Email system: It is recommended to use Dovecot, as this is very stable, fast, feature rich and easy to scale<br />
<br />
<br />
{{OX_HE_Tutorial_Dovecot}}<br />
<br />
<br />
{{OX_HE_Tutorial_Next}}<br />
<br />
<br />
{{OX_HE_Tutorial_FailOver}}</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=Template:Main_Page_Quickinstall&diff=7446Template:Main Page Quickinstall2011-03-04T14:14:13Z<p>Bartl3by: </p>
<hr />
<div>__NOTOC__<br />
{{#switch: {{{1}}} <br />
| HESE=<br />
<br />
{{=}} Quick Installation Guide (supported packages) {{=}}<br />
<br />
To download and install the software, please use the following Installation Guides:<br />
<br />
* [[Open-Xchange_Installation_Guide_for_Debian_5.0|Download and Installation Guide for Debian GNU/Linux 5.0 (Lenny)]]<br />
* [[Open-Xchange_Installation_Guide_for_SLES10|Download and Installation Guide for SUSE Linux Enterprise Server 10]]<br />
* [[Open-Xchange_Installation_Guide_for_SLES11|Download and Installation Guide for SUSE Linux Enterprise Server 11]]<br />
* [[Open-Xchange_Installation_Guide_for_RHEL5|Download and Installation Guide for RedHat Enterprise Linux 5]]<br />
* [[OXSE4UCS_Installation_en|Download and Installation Guide for Univention Corporate Server (SE for UCS)]]<br />
* [[Installing_OX_Language_Packages|Installing Open-Xchange Language Packages]]<br />
* [http://software.open-xchange.com/OX6/stable/ Software repository]<br />
<br />
{{=}} Hosting Edition deployment tutorials {{=}}<br />
<br />
A complete guide of necessary tasks with a hardware and setup recommendation for different Open-Xchange Hosting environments:<br />
<br />
* [[OX_HE_Tutorial_10K|Hosting Edition deployment tutorial for up to 10.000 Users]]<br />
* [[OX_HE_Tutorial_100K|Hosting Edition deployment tutorial for up to 100.000 Users]]<br />
* [[OX_HE_Tutorial_1M|Hosting Edition deployment tutorial for up to 1.000.000 Users]]<br />
<br />
{{=}} Installing the latest Updates {{=}}<br />
<br />
To benefit from the latest minor features and bugfixes, you need to have a valid license. The article [[UpdatingOXPackages|Updating Open-Xchange Server packages]] explains how that can be done.<br />
<br />
{{=}}Upsell functionality{{=}}<br />
<br />
The Open-Xchange Upsell packages provide the ability to show advertisements to an Open-Xchange user who is using a free-of-charge package like "Webmail" or "PIM". This gives hosting companies the possibility to sell premium OX services (Mobility OXtender etc.) via "in app" technology.<br />
<br />
[[Upsell|Upsell Layer installation and configuration]]<br><br />
[[OX_Permission_Level | OX Permission Level Matrix]]<br />
<br />
{{=}}Reporting Tool (Mandatory for Maintenance){{=}}<br />
<br />
To receive maintenance in the future, the installation of the Open-Xchange Reporting Tool is mandatory. It documents the current state of your system installation. Furthermore, the tool runs a validity check for your current maintenance. Based on the reported detail information Open-Xchange will be able to improve its own support and maintenance offerings for you. This article explains how that can be done: <br />
<br />
* Configuring [[OXReportClient|open-xchange-report-client]]<br />
<br />
{{=}}OXtender 2 for Microsoft Outlook{{=}}<br />
<br />
The Open-Xchange OXtender 2 for Microsoft Outlook® lets users keep their familiar Outlook client when their organization moves to Open-Xchange Server. Users feel right at home working with their Outlook interface while in the background the OXtender synchronizes E-Mails, Calendar, Contacts and Tasks, along with Public, Shared and System Folders. Real-time synchronization enables fast response times, so teams can work as efficiently as possible.<br />
<br />
OXtender 2 for Microsoft Outlook is part of the offering for Open-Xchange Server Edition, Open-Xchange Hosting Edition and Open-Xchange Advanced Server Edition via Open-Xchange and its partners. The new OXtender will be available for the Open-Xchange Appliance Edition End of February 2011.<br />
<br />
* [[OXtender_2_for_Microsoft_Outlook|Installation & Configuration of the Open-Xchange OXtender 2 for Microsoft Outlook]]<br />
<br />
{{=}}OXtender for Business Mobility (ActiveSync) {{=}}<br />
<br />
OXtender for Business Mobility enables users to securely manage emails, contacts, calendar and tasks, always synchronized with Open-Xchange – based on the Microsoft Exchange Active Sync (EAS) standard.<br />
* [[OXtender_for_Business_Mobility|Installation and information of the OXtender for Business Mobility]]<br />
<br />
{{=}}Client Updater (OXtender for MS Outlook){{=}}<br />
<br />
The Open-Xchange Updater is a software tool by Open-Xchange that installs the latest version of Open-Xchange client software on computers running Windows. The Updater automatically informs users of new updates of e.g. the Open-Xchange OXtender for Microsoft Outlook. <br />
<br />
* [[Open-Xchange_Updater|Installation of the Open-Xchange Client Updater]]<br />
<br />
{{=}}Data MigrationTools {{=}}<br />
* [[Open-Xchange_Datamigration_OX5toOX6_Installation|Download and Install OX5 to OXSE]]<br />
* [[Open-Xchange_Datamigration_OX5toOXSEforUCS_Installation|Download and Install OX5 to OXSE for UCS]]<br />
<br />
Open-Xchange provides Open-Xchange Microsoft Outlook® Uploader, a migration tool to export data from Microsoft Outlook® or from a Microsoft Exchange Server® to the Open-Xchange Server<br />
<br />
* [[OX_Outlook_Uploader|Download and Install Open-Xchange Microsoft Outlook® Uploader]]<br />
* [[OX_Outlook_Uploader#Open-Xchange_Microsoft_Outlook.C2.AE_Uploader_.28Open_Source_via_SVN.29|Download and Install Open-Xchange Microsoft Outlook® Uploader - Open Source via SVN]]<br />
<br />
{{=}}OXtender for Mac OS X{{=}}<br />
<br />
The OXtender for Mac OS X synchronizes Open-Xchange Server 6 with your Mac OS X computer. The OXtender is available for all customers with an Open-Xchange Hosting Edition, Open-Xchange Server Edition or Open-Xchange Appliance Edition Maintenance.<br />
<br />
* [[Open-Xchange_Mac_OXtender_Installation_Guide|Installation of the OXtender for Mac OS X]]<br />
<br />
{{=}}OXtender for Mobile Web{{=}}<br />
<br />
The OXtender for Mobile Web displays Contacts, Appointments and Tasks in the browser of the mobile device. The OXtender is available for all customers with an Open-Xchange Hosting Edition, Open-Xchange Server Edition or Open-Xchange Appliance Edition Maintenance.<br />
<br />
* [[OXtender_for_Mobile_Web|Installation of the OXtender for Mobile Web]]<br />
<br />
{{=}} Installation Requirements {{=}}<br />
<br />
* [[SupportedIMAPServers|Supported IMAP servers]]<br />
* [[SupportedJavaRuntimes|Supported Java runtimes]]<br />
* [[SupportedWebBrowsers|Supported Web browsers]]<br />
* [[Importing_OX_Buildkey|Importing the Open-Xchange public buildkey]]<br />
<br />
<br />
| CE=<br />
<br />
Open-Xchange Community Edition differs from other Open-Xchange<br />
editions in that it is not supported by Open-Xchange. It has the very same<br />
functionality as all other editions and shares the same code base.<br />
<br />
When you choose to install packages for one of the maintained<br />
platforms as listed below, you can later buy maintenance and a support<br />
contract without migrating any data.<br />
<br />
Products like OXtender for MS Outlook and OXtender for Mac OS can only<br />
be purchased and supported in combination with a maintenance contract<br />
and thus only with products like HE, SE, SE for UCS or AE.<br />
<br />
= Maintained packages (Support contract available) =<br />
<br />
To download and install the software, please use the following Installation Guides:<br />
<br />
* [[Open-Xchange_Installation_Guide_for_Debian_5.0|Download and Installation Guide for Debian GNU/Linux 5.0 (Lenny)]]<br />
* [[Open-Xchange_Installation_Guide_for_SLES10|Download and Installation Guide for SUSE Linux Enterprise Server 10]]<br />
* [[Open-Xchange_Installation_Guide_for_SLES11|Download and Installation Guide for SUSE Linux Enterprise Server 11]]<br />
* [[Open-Xchange_Installation_Guide_for_RHEL5|Download and Installation Guide for RedHat Enterprise Linux 5]]<br />
* [[OXSE4UCS_Installation_en|Download and Installation Guide for Univention Corporate Server (SE for UCS)]]<br />
* [[Installing_OX_Language_Packages|Installing Open-Xchange Language Packages]]<br />
* [http://software.open-xchange.com/OX6/stable/ Software repository]<br />
<br />
= Unsupported packages =<br />
* [[CommunitySoftwareRepositories|About Community Packages]]<br />
<br />
* [[Open-Xchange_Installation_Guide_for_CentOS_5|Installation Guide for CentOS5]]<br />
* [[Open-Xchange_Installation_Guide_for_Ubuntu_10.04|Installation Guide for Ubuntu 10.04]]<br />
* [[Open-Xchange_Installation_Guide_for_Fedora_9|Installation Guide for Fedora 9]]<br />
* [[Open-Xchange_Installation_Guide_for_Ubuntu_8.04|Installation Guide for Ubuntu 8.04]]<br />
* [[Open-Xchange_Installation_Guide_for_Ubuntu_8.04_(French)|Installation Guide for Ubuntu 8.04 (French)]]<br />
* [[Open-Xchange_Installation_Guide_for_openSUSE_11.0|Installation Guide for openSUSE 11.0]]<br />
* [http://download.opensuse.org/repositories/server:/OX:/ox6/ Software repository].<br />
<br />
= Update from old packages =<br />
<br />
* [[UpdatingOXPackages|Updating Open-Xchange Server packages]]<br />
<br />
<br />
= Installation Requirements =<br />
* [[SupportedIMAPServers|Supported IMAP servers]]<br />
* [[SupportedJavaRuntimes|Supported Java runtimes]]<br />
* [[SupportedWebBrowsers|Supported Web browsers]]<br />
* [[Importing_OX_Buildkey|Importing the Open-Xchange public buildkey]]<br />
<br />
<br />
| AE=<br />
<br />
{{=}}Advanced Server Edition (ASE) {{=}}<br />
<br />
Open-Xchange Advanced Server Edition is a multi-tier, small-footprint solution that integrates seamlessly into customers' architectures, enabling a smooth start of operation based on flexible services with Enterprise Linux distribution, identity management and infrastructure management.<br />
<br />
* [[OXASE_Installation_en|Download and Install Open-Xchange Advanced Server Edition (English)]] <br />
<br />
{{=}}Setup for synchronisation of Active Directory objects to OXASE {{=}}<br />
* [[UCS_AD_Connector_en|Setup]]<br />
<br />
{{=}}Data MigrationTools {{=}}<br />
* [[Open-Xchange_Datamigration_OX5toOXSEforUCS_Installation|Download and Install OX5 to OXASE]]<br />
<br />
Open-Xchange provides Open-Xchange Microsoft Outlook® Uploader, a migration tool to export data from Microsoft Outlook® or from a Microsoft Exchange Server® to the Open-Xchange Server<br />
<br />
* [[OX_Outlook_Uploader|Download and Install Open-Xchange Microsoft Outlook® Uploader]]<br />
* [[OX_Outlook_Uploader#Open-Xchange_Microsoft_Outlook.C2.AE_Uploader_.28Open_Source_via_SVN.29|Download and Install Open-Xchange Microsoft Outlook® Uploader - Open Source via SVN]]<br />
<br />
= OXtender for Business Mobility (ActiveSync) =<br />
<br />
OXtender for Business Mobility enables users to securely manage emails, contacts, calendar and tasks, always synchronized with Open-Xchange – based on the Microsoft Exchange Active Sync (EAS) standard.<br />
<br />
* [[OXtender_for_Business_Mobility|Installation and information of the OXtender for Business Mobility]]<br />
<br />
= OXtender for Mac OS X =<br />
<br />
The OXtender for Mac OS X synchronizes Open-Xchange Server 6 with your Mac OS X computer. The OXtender is available for all customers with an Open-Xchange Hosting Edition, Open-Xchange Server Edition or Open-Xchange Appliance Edition Maintenance.<br />
<br />
* [[Open-Xchange_Mac_OXtender_Installation_Guide|Installation of the OXtender for Mac OS X]]<br />
<br />
= OXtender for Mobile Web=<br />
<br />
The OXtender for Mobile Web displays Contacts, Appointments and Tasks in the browser of the mobile device. The OXtender is available for all customers with an Open-Xchange Hosting Edition, Open-Xchange Server Edition or Open-Xchange Appliance Edition Maintenance.<br />
<br />
* [[OXtender_for_Mobile_Web|Installation of the OXtender for Mobile Web]]<br />
<br />
= Client Updater (OXtender for MS Outlook) =<br />
<br />
The Open-Xchange Updater is a software tool by Open-Xchange that installs the latest version of Open-Xchange client software on computers running Windows. The Updater automatically informs users of new updates of e.g. the Open-Xchange OXtender for Microsoft Outlook. <br />
<br />
* [[Open-Xchange_Updater|Installation of the Open-Xchange Client Updater]]<br />
| default= <br />
}}</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=Template:Main_Page_Quickinstall&diff=7437Template:Main Page Quickinstall2011-03-04T08:21:38Z<p>Bartl3by: </p>
<hr />
<div>__NOTOC__<br />
{{#switch: {{{1}}} <br />
| HESE=<br />
<br />
{{=}} Quick Installation Guide (supported packages) {{=}}<br />
<br />
To download and install the software, please use the following Installation Guides:<br />
<br />
* [[Open-Xchange_Installation_Guide_for_Debian_5.0|Download and Installation Guide for Debian GNU/Linux 5.0 (Lenny)]]<br />
* [[Open-Xchange_Installation_Guide_for_SLES10|Download and Installation Guide for SUSE Linux Enterprise Server 10]]<br />
* [[Open-Xchange_Installation_Guide_for_SLES11|Download and Installation Guide for SUSE Linux Enterprise Server 11]]<br />
* [[Open-Xchange_Installation_Guide_for_RHEL5|Download and Installation Guide for RedHat Enterprise Linux 5]]<br />
* [[OXSE4UCS_Installation_en|Download and Installation Guide for Univention Corporate Server (SE for UCS)]]<br />
* [[Installing_OX_Language_Packages|Installing Open-Xchange Language Packages]]<br />
* [http://software.open-xchange.com/OX6/stable/ Software repository]<br />
<br />
{{=}} Hosting Edition deployment tutorials {{=}}<br />
<br />
A complete guide of necessary tasks with a hardware and setup recommendation for different Open-Xchange Hosting environments:<br />
<br />
* [[OX_HE_Tutorial_10K|Hosting Edition deployment tutorial for up to 10.000 Users]]<br />
* [[OX_HE_Tutorial_100K|Hosting Edition deployment tutorial for up to 100.000 Users]]<br />
* [[OX_HE_Tutorial_10K|Hosting Edition deployment tutorial for up to 1.000.000 Users]]<br />
<br />
{{=}} Installing the latest Updates {{=}}<br />
<br />
To benefit from the latest minor features and bugfixes, you need to have a valid license. The article [[UpdatingOXPackages|Updating Open-Xchange Server packages]] explains how that can be done.<br />
<br />
{{=}}Upsell functionality{{=}}<br />
<br />
The Open-Xchange Upsell packages provide the ability to show advertisements to an Open-Xchange user who is using a free-of-charge package like "Webmail" or "PIM". This gives hosting companies the possibility to sell premium OX services (Mobility OXtender etc.) via "in app" technology.<br />
<br />
[[Upsell|Upsell Layer installation and configuration]]<br><br />
[[OX_Permission_Level | OX Permission Level Matrix]]<br />
<br />
{{=}}Reporting Tool (Mandatory for Maintenance){{=}}<br />
<br />
To receive maintenance in the future, the installation of the Open-Xchange Reporting Tool is mandatory. It documents the current state of your system installation. Furthermore, the tool runs a validity check for your current maintenance. Based on the reported detail information Open-Xchange will be able to improve its own support and maintenance offerings for you. This article explains how that can be done: <br />
<br />
* Configuring [[OXReportClient|open-xchange-report-client]]<br />
<br />
{{=}}OXtender 2 for Microsoft Outlook{{=}}<br />
<br />
The Open-Xchange OXtender 2 for Microsoft Outlook® lets users keep their familiar Outlook client when their organization moves to Open-Xchange Server. Users feel right at home working with their Outlook interface while in the background the OXtender synchronizes E-Mails, Calendar, Contacts and Tasks, along with Public, Shared and System Folders. Real-time synchronization enables fast response times, so teams can work as efficiently as possible.<br />
<br />
OXtender 2 for Microsoft Outlook is part of the offering for Open-Xchange Server Edition, Open-Xchange Hosting Edition and Open-Xchange Advanced Server Edition via Open-Xchange and its partners. The new OXtender will be available for the Open-Xchange Appliance Edition End of February 2011.<br />
<br />
* [[OXtender_2_for_Microsoft_Outlook|Installation & Configuration of the Open-Xchange OXtender 2 for Microsoft Outlook]]<br />
<br />
{{=}}OXtender for Business Mobility (ActiveSync) {{=}}<br />
<br />
OXtender for Business Mobility enables users to securely manage emails, contacts, calendar and tasks, always synchronized with Open-Xchange – based on the Microsoft Exchange Active Sync (EAS) standard.<br />
* [[OXtender_for_Business_Mobility|Installation and information of the OXtender for Business Mobility]]<br />
<br />
{{=}}Client Updater (OXtender for MS Outlook){{=}}<br />
<br />
The Open-Xchange Updater is a software tool by Open-Xchange that installs the latest version of Open-Xchange client software on computers running Windows. The Updater automatically informs users of new updates of e.g. the Open-Xchange OXtender for Microsoft Outlook. <br />
<br />
* [[Open-Xchange_Updater|Installation of the Open-Xchange Client Updater]]<br />
<br />
{{=}}Data MigrationTools {{=}}<br />
* [[Open-Xchange_Datamigration_OX5toOX6_Installation|Download and Install OX5 to OXSE]]<br />
* [[Open-Xchange_Datamigration_OX5toOXSEforUCS_Installation|Download and Install OX5 to OXSE for UCS]]<br />
<br />
Open-Xchange provides Open-Xchange Microsoft Outlook® Uploader, a migration tool to export data from Microsoft Outlook® or from a Microsoft Exchange Server® to the Open-Xchange Server<br />
<br />
* [[OX_Outlook_Uploader|Download and Install Open-Xchange Microsoft Outlook® Uploader]]<br />
* [[OX_Outlook_Uploader#Open-Xchange_Microsoft_Outlook.C2.AE_Uploader_.28Open_Source_via_SVN.29|Download and Install Open-Xchange Microsoft Outlook® Uploader - Open Source via SVN]]<br />
<br />
{{=}}OXtender for Mac OS X{{=}}<br />
<br />
The OXtender for Mac OS X synchronizes Open-Xchange Server 6 with your Mac OS X computer. The OXtender is available for all customers with an Open-Xchange Hosting Edition, Open-Xchange Server Edition or Open-Xchange Appliance Edition Maintenance.<br />
<br />
* [[Open-Xchange_Mac_OXtender_Installation_Guide|Installation of the OXtender for Mac OS X]]<br />
<br />
{{=}}OXtender for Mobile Web{{=}}<br />
<br />
The OXtender for Mobile Web displays Contacts, Appointments and Tasks in the browser of the mobile device. The OXtender is available for all customers with an Open-Xchange Hosting Edition, Open-Xchange Server Edition or Open-Xchange Appliance Edition Maintenance.<br />
<br />
* [[OXtender_for_Mobile_Web|Installation of the OXtender for Mobile Web]]<br />
<br />
{{=}} Installation Requirements {{=}}<br />
<br />
* [[SupportedIMAPServers|Supported IMAP servers]]<br />
* [[SupportedJavaRuntimes|Supported Java runtimes]]<br />
* [[SupportedWebBrowsers|Supported Web browsers]]<br />
* [[Importing_OX_Buildkey|Importing the Open-Xchange public buildkey]]<br />
<br />
<br />
| CE=<br />
<br />
Open-Xchange Community Edition differs from other Open-Xchange<br />
editions in that it is not supported by Open-Xchange. It has the very same<br />
functionality as all other editions and shares the same code base.<br />
<br />
When you choose to install packages for one of the maintained<br />
platforms as listed below, you can later buy maintenance and a support<br />
contract without migrating any data.<br />
<br />
Products like OXtender for MS Outlook and OXtender for Mac OS can only<br />
be purchased and supported in combination with a maintenance contract<br />
and thus only with products like HE, SE, SE for UCS or AE.<br />
<br />
= Maintained packages (Support contract available) =<br />
<br />
To download and install the software, please use the following Installation Guides:<br />
<br />
* [[Open-Xchange_Installation_Guide_for_Debian_5.0|Download and Installation Guide for Debian GNU/Linux 5.0 (Lenny)]]<br />
* [[Open-Xchange_Installation_Guide_for_SLES10|Download and Installation Guide for SUSE Linux Enterprise Server 10]]<br />
* [[Open-Xchange_Installation_Guide_for_SLES11|Download and Installation Guide for SUSE Linux Enterprise Server 11]]<br />
* [[Open-Xchange_Installation_Guide_for_RHEL5|Download and Installation Guide for RedHat Enterprise Linux 5]]<br />
* [[OXSE4UCS_Installation_en|Download and Installation Guide for Univention Corporate Server (SE for UCS)]]<br />
* [[Installing_OX_Language_Packages|Installing Open-Xchange Language Packages]]<br />
* [http://software.open-xchange.com/OX6/stable/ Software repository]<br />
<br />
= Unsupported packages =<br />
* [[CommunitySoftwareRepositories|About Community Packages]]<br />
<br />
* [[Open-Xchange_Installation_Guide_for_CentOS_5|Installation Guide for CentOS5]]<br />
* [[Open-Xchange_Installation_Guide_for_Ubuntu_10.04|Installation Guide for Ubuntu 10.04]]<br />
* [[Open-Xchange_Installation_Guide_for_Fedora_9|Installation Guide for Fedora 9]]<br />
* [[Open-Xchange_Installation_Guide_for_Ubuntu_8.04|Installation Guide for Ubuntu 8.04]]<br />
* [[Open-Xchange_Installation_Guide_for_Ubuntu_8.04_(French)|Installation Guide for Ubuntu 8.04 (French)]]<br />
* [[Open-Xchange_Installation_Guide_for_openSUSE_11.0|Installation Guide for openSUSE 11.0]]<br />
* [http://download.opensuse.org/repositories/server:/OX:/ox6/ Software repository].<br />
<br />
= Update from old packages =<br />
<br />
* [[UpdatingOXPackages|Updating Open-Xchange Server packages]]<br />
<br />
<br />
= Installation Requirements =<br />
* [[SupportedIMAPServers|Supported IMAP servers]]<br />
* [[SupportedJavaRuntimes|Supported Java runtimes]]<br />
* [[SupportedWebBrowsers|Supported Web browsers]]<br />
* [[Importing_OX_Buildkey|Importing the Open-Xchange public buildkey]]<br />
<br />
<br />
| AE=<br />
<br />
{{=}}Advanced Server Edition (ASE) {{=}}<br />
<br />
Open-Xchange Advanced Server Edition is a multi-tier, small-footprint solution that integrates seamlessly into customers' architectures, enabling a smooth start of operation based on flexible services with Enterprise Linux distribution, identity management and infrastructure management.<br />
<br />
* [[OXASE_Installation_en|Download and Install Open-Xchange Advanced Server Edition (English)]] <br />
<br />
{{=}}Setup for synchronisation of Active Directory objects to OXASE {{=}}<br />
* [[UCS_AD_Connector_en|Setup]]<br />
<br />
{{=}}Data MigrationTools {{=}}<br />
* [[Open-Xchange_Datamigration_OX5toOXSEforUCS_Installation|Download and Install OX5 to OXASE]]<br />
<br />
Open-Xchange provides Open-Xchange Microsoft Outlook® Uploader, a migration tool to export data from Microsoft Outlook® or from a Microsoft Exchange Server® to the Open-Xchange Server<br />
<br />
* [[OX_Outlook_Uploader|Download and Install Open-Xchange Microsoft Outlook® Uploader]]<br />
* [[OX_Outlook_Uploader#Open-Xchange_Microsoft_Outlook.C2.AE_Uploader_.28Open_Source_via_SVN.29|Download and Install Open-Xchange Microsoft Outlook® Uploader - Open Source via SVN]]<br />
<br />
= OXtender for Business Mobility (ActiveSync) =<br />
<br />
OXtender for Business Mobility lets you securely manage emails, contacts, calendar and tasks, always synchronized with Open-Xchange, based on the Microsoft Exchange ActiveSync (EAS) standard.<br />
<br />
* [[OXtender_for_Business_Mobility|Installation and information of the OXtender for Business Mobility]]<br />
<br />
= OXtender for Mac OS X =<br />
<br />
The OXtender for Mac OS X synchronizes Open-Xchange Server 6 with your Mac OS X computer. The OXtender is available for all customers with an Open-Xchange Hosting Edition, Open-Xchange Server Edition and Open-Xchange Appliance Edition Maintenance.<br />
<br />
* [[Open-Xchange_Mac_OXtender_Installation_Guide|Installation of the OXtender for Mac OS X]]<br />
<br />
= OXtender for Mobile Web =<br />
<br />
The OXtender for Mobile Web displays contacts, appointments and tasks in the browser of the mobile device. The OXtender is available for all customers with an Open-Xchange Hosting Edition, Open-Xchange Server Edition and Open-Xchange Appliance Edition Maintenance.<br />
<br />
* [[OXtender_for_Mobile_Web|Installation of the OXtender for Mobile Web]]<br />
<br />
= Client Updater (OXtender for MS Outlook) =<br />
<br />
The Open-Xchange Updater is a software tool by Open-Xchange that installs the latest version of Open-Xchange client software on computers running Windows. The Updater automatically informs users of new updates of e.g. the Open-Xchange OXtender for Microsoft Outlook. <br />
<br />
* [[Open-Xchange_Updater|Installation of the Open-Xchange Client Updater]]<br />
| default= <br />
}}</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=OX_HE_Tutorial_1M&diff=7412OX HE Tutorial 1M2011-03-03T11:15:55Z<p>Bartl3by: </p>
<hr />
<div>= Tutorial: Highly Available OX HE Setup for up to 1 Million users =<br />
<br />
'''This article describes what you need for a typical OX HE Setup for up to 1.000.000 Users, which is fully clustered, highly available and scales very flexibly.'''<br />
<br />
It contains everything you need to:<br />
* Understand the design of the OX HE setup including additional services<br />
* Install the whole system based on the relevant articles<br />
* Find pointers to the next steps of integration<br />
<br />
<br />
= System Design =<br />
<br />
[[Image:SaaS-1M.jpg]]<br />
<br />
The system is designed to provide maximum functionality and availability with a minimum of necessary hardware. If the services on one OX server fail, this is transparently handled by the load balancer. If one MySQL server fails, it is sufficient to take over the IP address on the other MySQL server in the cluster to stay fully in operation.<br />
<br />
== Core Components for OX HE ==<br />
<br />
* Minimum two (recommended three) OX HE servers (HW recommendation: 32GB RAM / 8 cores each)<br />
* Minimum one MySQL cluster with two servers in Master-Master configuration (HW recommendation: 32GB RAM / 8 cores each)<br />
* NFS Server to store documents and files<br />
* Recommended for more than 500.000 mailboxes: one OX HE server dedicated for user provisioning (HW recommendation: 16GB RAM / 4 cores each)<br />
<br />
== Infrastructure Components not delivered by OX ==<br />
<br />
* An email system providing IMAP and SMTP<br />
* A control panel for creation and administration of users<br />
* A Load Balancer in front of the OX servers (optional, recommended)<br />
<br />
= Overview Installation Steps =<br />
<br />
'''To deploy the described OX setup, the following steps need to be done. '''<br />
<br />
<br />
== Mandatory Steps ==<br />
# Initialize and configure MySQL database servers<br />
# Install and configure OX on all servers<br />
<br />
== Steps depending on your environment ==<br />
# Implement Load Balancer<br />
# Connect Control Panel<br />
# Connect Email System<br />
<br />
== Recommended Optional Next Steps ==<br />
# Automated Frontend Tests<br />
# Upsell Plugin<br />
# Mobile Autoconfiguration<br />
# Automatic FailOver<br />
# Branding<br />
<br />
<br />
= Mandatory Installation Steps - Instructions & Recommendations =<br />
<br />
<br />
'''The following steps need to be done in every case to get OX up and running:'''<br />
<br />
== Initialize and configure MySQL database on both servers ==<br />
<br />
MySQL will be configured in a Master-Master configuration to ensure data consistency on both servers.<br />
If one machine fails, the other machine will take over all functionality.<br />
<br />
[[OXLoadBalancingClustering_Database|Database setup for clustered environments]]<br />
<br />
== Install and configure OX on both servers ==<br />
<br />
OX will be installed on at least two servers. It will be configured to '''write''' to the '''first''' MySQL database and to '''read''' from the '''second''' MySQL database in one cluster. This will distribute the load during normal operation as smoothly as possible. During failover, the IP address of the failed MySQL server is taken over by the working server, so the system stays operable.<br />
<br />
[[OXLoadBalancingClustering_OXConfiguration|Open-Xchange setup and configuration for clustered environments]]<br />
<br />
The NFS server will be mounted on all machines and registered as filestore.<br />
<br />
[[OXLoadBalancingClustering_Filestore|Filestore setup for clustered environments]]<br />
<br />
When multiple Open-Xchange Servers are configured within a cluster, sessions and load balancing need to be set up.<br />
<br />
[[OXLoadBalancingClustering_SessionLoadbalancing|Session and Loadbalancing for clustered environments]]<br />
<br />
[[OXLoadBalancingClustering_NetworkConfiguration|Network configuration for clustered environments]]<br />
<br />
You should also install and configure the OXtender for Business Mobility:<br />
<br />
[[OXtender_for_Business_Mobility|Exchange ActiveSync configuration for Open-Xchange]]<br />
<br />
<br />
= Installation Steps depending on your environment - Instructions & Recommendations =<br />
<br />
'''The following components need to be implemented in your environment.'''<br />
<br />
<br />
== Implement Load Balancer ==<br />
<br />
A load balancer in front of the OX servers is necessary for this deployment size. It needs to handle the requests if one OX server fails.<br />
<br />
If you already have a hardware load balancing solution in place, this can be used. OX is known to work with the standard load balancing solutions from BigIP, Barracuda, Foundry, ...<br />
<br />
If you do not have a load balancing solution already in place, we recommend using [http://www.keepalived.org/ Keepalived] as a reliable and cost-effective solution.<br />
<br />
Read more about configuring [[Keepalived | Keepalived for Open-Xchange]]<br />
<br />
<br />
{{OX_HE_Tutorial_CP}}<br />
<br />
<br />
{{OX_HE_Tutorial_HGP}}<br />
<br />
<br />
{{OX_HE_Tutorial_POA}}<br />
<br />
<br />
{{OX_HE_Tutorial_Auth}}<br />
<br />
== Connect Email System ==<br />
<br />
Every email system providing IMAP and SMTP can be used as a backend to OX. The best experience has been with the widespread Linux-based IMAP servers [http://dovecot.org/ Dovecot], [http://www.cyrusimap.org/ Cyrus] or [http://www.courier-mta.org/imap/ Courier].<br />
<br />
Other IMAP servers need to be tested thoroughly before going into production.<br />
<br />
There are several ways to implement the email system:<br />
<br />
# You already have an email system available: Nothing needs to be done, it just needs to be configured<br />
# You use Parallels Automation (POA): Nothing special needs to be done, everything you need is contained in the APS package<br />
# You want to set up a new email system: It is recommended to use Dovecot, as it is very stable, fast, feature-rich and easy to scale<br />
<br />
<br />
{{OX_HE_Tutorial_Dovecot}}<br />
<br />
<br />
{{OX_HE_Tutorial_Next}}</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=OXLoadBalancingClustering_NetworkConfiguration&diff=7411OXLoadBalancingClustering NetworkConfiguration2011-03-03T11:15:12Z<p>Bartl3by: Created page with "{{OXLoadBalancingClustering_NetworkConfiguration}}"</p>
<hr />
<div>{{OXLoadBalancingClustering_NetworkConfiguration}}</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=OXLoadBalancingClustering_SessionLoadbalancing&diff=7410OXLoadBalancingClustering SessionLoadbalancing2011-03-03T11:11:46Z<p>Bartl3by: Created page with "{{OXLoadBalancingClustering_SessionLoadbalancing}}"</p>
<hr />
<div>{{OXLoadBalancingClustering_SessionLoadbalancing}}</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=OX_HE_Tutorial_1M&diff=7409OX HE Tutorial 1M2011-03-03T11:10:41Z<p>Bartl3by: </p>
<hr />
<div>= Tutorial: Highly Available OX HE Setup for up to 1 Million users =<br />
<br />
'''This article describes what you need for a typical OX HE Setup for up to 1.000.000 Users, which is fully clustered, highly available and scales very flexibly.'''<br />
<br />
It contains everything you need to:<br />
* Understand the design of the OX HE setup including additional services<br />
* Install the whole system based on the relevant articles<br />
* Find pointers to the next steps of integration<br />
<br />
<br />
= System Design =<br />
<br />
[[Image:SaaS-1M.jpg]]<br />
<br />
The system is designed to provide maximum functionality and availability with a minimum of necessary hardware. If the services on one OX server fail, this is transparently handled by the load balancer. If one MySQL server fails, it is sufficient to take over the IP address on the other MySQL server in the cluster to stay fully in operation.<br />
<br />
== Core Components for OX HE ==<br />
<br />
* Minimum two (recommended three) OX HE servers (HW recommendation: 32GB RAM / 8 cores each)<br />
* Minimum one MySQL cluster with two servers in Master-Master configuration (HW recommendation: 32GB RAM / 8 cores each)<br />
* NFS Server to store documents and files<br />
* Recommended for more than 500.000 mailboxes: one OX HE server dedicated for user provisioning (HW recommendation: 16GB RAM / 4 cores each)<br />
<br />
== Infrastructure Components not delivered by OX ==<br />
<br />
* An email system providing IMAP and SMTP<br />
* A control panel for creation and administration of users<br />
* A Load Balancer in front of the OX servers (optional, recommended)<br />
<br />
= Overview Installation Steps =<br />
<br />
'''To deploy the described OX setup, the following steps need to be done. '''<br />
<br />
<br />
== Mandatory Steps ==<br />
# Initialize and configure MySQL database servers<br />
# Install and configure OX on all servers<br />
<br />
== Steps depending on your environment ==<br />
# Implement Load Balancer<br />
# Connect Control Panel<br />
# Connect Email System<br />
<br />
== Recommended Optional Next Steps ==<br />
# Automated Frontend Tests<br />
# Upsell Plugin<br />
# Mobile Autoconfiguration<br />
# Automatic FailOver<br />
# Branding<br />
<br />
<br />
= Mandatory Installation Steps - Instructions & Recommendations =<br />
<br />
<br />
'''The following steps need to be done in every case to get OX up and running:'''<br />
<br />
== Initialize and configure MySQL database on both servers ==<br />
<br />
MySQL will be configured in a Master-Master configuration to ensure data consistency on both servers.<br />
If one machine fails, the other machine will take over all functionality.<br />
<br />
[[OXLoadBalancingClustering_Database|Database setup for clustered environments]]<br />
<br />
== Install and configure OX on both servers ==<br />
<br />
OX will be installed on at least two servers. It will be configured to '''write''' to the '''first''' MySQL database and to '''read''' from the '''second''' MySQL database in one cluster. This will distribute the load during normal operation as smoothly as possible. During failover, the IP address of the failed MySQL server is taken over by the working server, so the system stays operable.<br />
<br />
[[OXLoadBalancingClustering_OXConfiguration|Open-Xchange setup and configuration for clustered environments]]<br />
<br />
The NFS server will be mounted on all machines and registered as filestore.<br />
<br />
[[OXLoadBalancingClustering_Filestore|Filestore setup for clustered environments]]<br />
<br />
{{OXLoadBalancingClustering_SessionLoadbalancing}}<br />
<br />
{{OXLoadBalancingClustering_OXConfiguration}}<br />
<br />
{{OXLoadBalancingClustering_NetworkConfiguration}}<br />
<br />
You should also install and configure the OXtender for Business Mobility:<br />
<br />
[[OXtender_for_Business_Mobility|Exchange ActiveSync configuration for Open-Xchange]]<br />
<br />
<br />
= Installation Steps depending on your environment - Instructions & Recommendations =<br />
<br />
'''The following components need to be implemented in your environment.'''<br />
<br />
<br />
== Implement Load Balancer ==<br />
<br />
A load balancer in front of the OX servers is necessary for this deployment size. It needs to handle the requests if one OX server fails.<br />
<br />
If you already have a hardware load balancing solution in place, this can be used. OX is known to work with the standard load balancing solutions from BigIP, Barracuda, Foundry, ...<br />
<br />
If you do not have a load balancing solution already in place, we recommend using [http://www.keepalived.org/ Keepalived] as a reliable and cost-effective solution.<br />
<br />
Read more about configuring [[Keepalived | Keepalived for Open-Xchange]]<br />
<br />
<br />
{{OX_HE_Tutorial_CP}}<br />
<br />
<br />
{{OX_HE_Tutorial_HGP}}<br />
<br />
<br />
{{OX_HE_Tutorial_POA}}<br />
<br />
<br />
{{OX_HE_Tutorial_Auth}}<br />
<br />
== Connect Email System ==<br />
<br />
Every email system providing IMAP and SMTP can be used as a backend to OX. The best experience has been with the widespread Linux-based IMAP servers [http://dovecot.org/ Dovecot], [http://www.cyrusimap.org/ Cyrus] or [http://www.courier-mta.org/imap/ Courier].<br />
<br />
Other IMAP servers need to be tested thoroughly before going into production.<br />
<br />
There are several ways to implement the email system:<br />
<br />
# You already have an email system available: Nothing needs to be done, it just needs to be configured<br />
# You use Parallels Automation (POA): Nothing special needs to be done, everything you need is contained in the APS package<br />
# You want to set up a new email system: It is recommended to use Dovecot, as it is very stable, fast, feature-rich and easy to scale<br />
<br />
<br />
{{OX_HE_Tutorial_Dovecot}}<br />
<br />
<br />
{{OX_HE_Tutorial_Next}}</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=OX_HE_Tutorial_100K&diff=7098OX HE Tutorial 100K2011-02-10T15:36:39Z<p>Bartl3by: /* Install and configure OX on both servers */</p>
<hr />
<div>= Tutorial: Highly Available OX HE Setup for up to 100.000 users =<br />
<br />
'''This article describes what you need for a typical OX HE Setup for up to 100.000 Users, which is fully clustered and highly available.'''<br />
<br />
It contains everything you need to:<br />
* Understand the design of the OX HE setup including additional services<br />
* Install the whole system based on the relevant articles<br />
* Find pointers to the next steps of integration<br />
<br />
<br />
= System Design =<br />
<br />
[[Image:SaaS-100k-1.jpg]]<br />
<br />
The system is designed to provide maximum functionality and availability with a minimum of necessary hardware. If the services on one server fail, it is enough to move its IP address to the other machine, and the service will stay up and running.<br />
<br />
== Core Components for OX HE ==<br />
<br />
* Two OX HE servers (HW recommendation: 16GB RAM / 4 cores each)<br />
* MySQL installed directly on these servers<br />
* NFS Server to store documents and files<br />
<br />
== Infrastructure Components not delivered by OX ==<br />
<br />
* An email system providing IMAP and SMTP<br />
* A control panel for creation and administration of users<br />
* A Load Balancer in front of the OX servers (optional, recommended)<br />
<br />
= Overview Installation Steps =<br />
<br />
'''To deploy the described OX setup, the following steps need to be done. '''<br />
<br />
<br />
== Mandatory Steps ==<br />
# Initialize and configure MySQL database on both servers<br />
# Install and configure OX on both servers<br />
<br />
== Steps depending on your environment ==<br />
# Implement Load Balancer<br />
# Connect Control Panel<br />
# Connect Email System<br />
<br />
== Recommended Optional Next Steps ==<br />
# Automated Frontend Tests<br />
# Upsell Plugin<br />
# Mobile Autoconfiguration<br />
# Automatic FailOver<br />
# Branding<br />
<br />
<br />
= Mandatory Installation Steps - Instructions & Recommendations =<br />
<br />
<br />
'''The following steps need to be done in every case to get OX up and running:'''<br />
<br />
== Initialize and configure MySQL database on both servers ==<br />
<br />
MySQL will run on both servers. MySQL will be configured in a Master-Master configuration to ensure data consistency on both servers.<br />
If one machine fails, the other machine will take over all functionality.<br />
<br />
[[OXLoadBalancingClustering_Database|Database setup for clustered environments]]<br />
<br />
== Install and configure OX on both servers ==<br />
<br />
OX will be installed on both servers. It will be configured to '''write''' to the '''first''' MySQL database and to '''read''' from the '''second''' MySQL database. This will distribute the load during normal operation as smoothly as possible. During failover, the IP address of the failed server is taken over by the working server, so the system stays operable.<br />
<br />
[[OXLoadBalancingClustering_OXConfiguration|Open-Xchange setup and configuration for clustered environments]]<br />
<br />
The NFS server will be mounted on both machines and registered as filestore.<br />
<br />
[[OXLoadBalancingClustering_Filestore|Filestore setup for clustered environments]]<br />
<br />
You should also install and configure the OXtender for Business Mobility:<br />
<br />
[[OXtender_for_Business_Mobility_Installation_Guide|Installation of the OXtender for Business Mobility]]<br />
<br />
= Installation Steps depending on your environment - Instructions & Recommendations =<br />
<br />
'''The following components need to be implemented in your environment.'''<br />
<br />
<br />
== Implement Load Balancer ==<br />
<br />
A load balancer in front of the OX servers is recommended, but optional in this deployment size. (In small environments, DNS Round Robin may be sufficient.)<br />
<br />
If you already have a hardware load balancing solution in place, this can be used. OX is known to work with the standard load balancing solutions from BigIP, Barracuda, Foundry, ...<br />
<br />
If you do not have a load balancing solution already in place, we recommend using [http://www.keepalived.org/ Keepalived] as a reliable and cost-effective solution.<br />
<br />
Read more about configuring [[Keepalived | Keepalived for Open-Xchange]]<br />
<br />
<br />
{{OX_HE_Tutorial_CP}}<br />
<br />
<br />
{{OX_HE_Tutorial_HGP}}<br />
<br />
<br />
{{OX_HE_Tutorial_POA}}<br />
<br />
<br />
{{OX_HE_Tutorial_Auth}}<br />
<br />
<br />
== Connect Email System ==<br />
<br />
Every email system providing IMAP and SMTP can be used as a backend to OX. The best experience has been with the widespread Linux-based IMAP servers [http://dovecot.org/ Dovecot], [http://www.cyrusimap.org/ Cyrus] or [http://www.courier-mta.org/imap/ Courier].<br />
<br />
Other IMAP servers need to be tested thoroughly before going into production.<br />
<br />
There are several ways to implement the email system:<br />
<br />
# You already have an email system available: Nothing needs to be done, it just needs to be configured<br />
# You use Parallels Automation (POA): Nothing special needs to be done, everything you need is contained in the APS package<br />
# You want to set up a new email system: It is recommended to use Dovecot, as it is very stable, fast, feature-rich and easy to scale<br />
<br />
<br />
{{OX_HE_Tutorial_Dovecot}}<br />
<br />
<br />
{{OX_HE_Tutorial_Next}}<br />
<br />
<br />
{{OX_HE_Tutorial_FailOver}}</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=OXLoadBalancingClustering_OXConfiguration&diff=7097OXLoadBalancingClustering OXConfiguration2011-02-10T15:35:50Z<p>Bartl3by: Created page with "{{OXLoadBalancingClustering_OXConfiguration}}"</p>
<hr />
<div>{{OXLoadBalancingClustering_OXConfiguration}}</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=OX_HE_Tutorial_100K&diff=7096OX HE Tutorial 100K2011-02-10T15:34:57Z<p>Bartl3by: /* Install and configure OX on both servers */</p>
<hr />
<div>= Tutorial: Highly Available OX HE Setup for up to 100.000 users =<br />
<br />
'''This article describes what you need for a typical OX HE Setup for up to 100.000 Users, which is fully clustered and highly available.'''<br />
<br />
It contains everything you need to:<br />
* Understand the design of the OX HE setup including additional services<br />
* Install the whole system based on the relevant articles<br />
* Find pointers to the next steps of integration<br />
<br />
<br />
= System Design =<br />
<br />
[[Image:SaaS-100k-1.jpg]]<br />
<br />
The system is designed to provide maximum functionality and availability with a minimum of necessary hardware. If the services on one server fail, it is enough to move its IP address to the other machine, and the service will stay up and running.<br />
<br />
== Core Components for OX HE ==<br />
<br />
* Two OX HE servers (HW recommendation: 16GB RAM / 4 cores each)<br />
* MySQL installed directly on these servers<br />
* NFS Server to store documents and files<br />
<br />
== Infrastructure Components not delivered by OX ==<br />
<br />
* An email system providing IMAP and SMTP<br />
* A control panel for creation and administration of users<br />
* A Load Balancer in front of the OX servers (optional, recommended)<br />
<br />
= Overview Installation Steps =<br />
<br />
'''To deploy the described OX setup, the following steps need to be done. '''<br />
<br />
<br />
== Mandatory Steps ==<br />
# Initialize and configure MySQL database on both servers<br />
# Install and configure OX on both servers<br />
<br />
== Steps depending on your environment ==<br />
# Implement Load Balancer<br />
# Connect Control Panel<br />
# Connect Email System<br />
<br />
== Recommended Optional Next Steps ==<br />
# Automated Frontend Tests<br />
# Upsell Plugin<br />
# Mobile Autoconfiguration<br />
# Automatic FailOver<br />
# Branding<br />
<br />
<br />
= Mandatory Installation Steps - Instructions & Recommendations =<br />
<br />
<br />
'''The following steps need to be done in every case to get OX up and running:'''<br />
<br />
== Initialize and configure MySQL database on both servers ==<br />
<br />
MySQL will run on both servers. MySQL will be configured in a Master-Master configuration to ensure data consistency on both servers.<br />
If one machine fails, the other machine will take over all functionality.<br />
<br />
[[OXLoadBalancingClustering_Database|Database setup for clustered environments]]<br />
<br />
== Install and configure OX on both servers ==<br />
<br />
OX will be installed on both servers. It will be configured to '''write''' to the '''first''' MySQL database and to '''read''' from the '''second''' MySQL database. This will distribute the load during normal operation as smoothly as possible. During failover, the IP address of the failed server is taken over by the working server, so the system stays operable.<br />
<br />
The NFS server will be mounted on both machines and registered as filestore.<br />
<br />
[[OXLoadBalancingClustering_Filestore|Filestore setup for clustered environments]]<br />
<br />
You should also install and configure the OXtender for Business Mobility:<br />
<br />
[[OXtender_for_Business_Mobility_Installation_Guide|Installation of the OXtender for Business Mobility]]<br />
<br />
= Installation Steps depending on your environment - Instructions & Recommendations =<br />
<br />
'''The following components need to be implemented in your environment.'''<br />
<br />
<br />
== Implement Load Balancer ==<br />
<br />
A load balancer in front of the OX servers is recommended, but optional in this deployment size. (In small environments, DNS Round Robin may be sufficient.)<br />
<br />
If you already have a hardware load balancing solution in place, this can be used. OX is known to work with the standard load balancing solutions from BigIP, Barracuda, Foundry, ...<br />
<br />
If you do not have a load balancing solution already in place, we recommend using [http://www.keepalived.org/ Keepalived] as a reliable and cost-effective solution.<br />
<br />
Read more about configuring [[Keepalived | Keepalived for Open-Xchange]]<br />
<br />
<br />
{{OX_HE_Tutorial_CP}}<br />
<br />
<br />
{{OX_HE_Tutorial_HGP}}<br />
<br />
<br />
{{OX_HE_Tutorial_POA}}<br />
<br />
<br />
{{OX_HE_Tutorial_Auth}}<br />
<br />
<br />
== Connect Email System ==<br />
<br />
Every email system providing IMAP and SMTP can be used as a backend to OX. The best experience has been with the widespread Linux-based IMAP servers [http://dovecot.org/ Dovecot], [http://www.cyrusimap.org/ Cyrus] or [http://www.courier-mta.org/imap/ Courier].<br />
<br />
Other IMAP servers need to be tested thoroughly before going into production.<br />
<br />
There are several ways to implement the email system:<br />
<br />
# You already have an email system available: Nothing needs to be done, it just needs to be configured<br />
# You use Parallels Automation (POA): Nothing special needs to be done, everything you need is contained in the APS package<br />
# You want to set up a new email system: It is recommended to use Dovecot, as it is very stable, fast, feature-rich and easy to scale<br />
<br />
<br />
{{OX_HE_Tutorial_Dovecot}}<br />
<br />
<br />
{{OX_HE_Tutorial_Next}}<br />
<br />
<br />
{{OX_HE_Tutorial_FailOver}}</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=OX_HE_Tutorial_100K&diff=7093OX HE Tutorial 100K2011-02-10T10:42:25Z<p>Bartl3by: </p>
<hr />
<div>= Tutorial: Highly Available OX HE Setup for up to 100.000 users =<br />
<br />
'''This article describes what you need for a typical OX HE Setup for up to 100.000 Users, which is fully clustered and highly available.'''<br />
<br />
It contains everything you need to:<br />
* Understand the design of the OX HE setup including additional services<br />
* Install the whole system based on the relevant articles<br />
* Find pointers to the next steps of integration<br />
<br />
<br />
= System Design =<br />
<br />
[[Image:SaaS-100k-1.jpg]]<br />
<br />
The system is designed to provide maximum functionality and availability with a minimum of necessary hardware. If the services on one server fail, it is enough to move its IP address to the other machine, and the service will stay up and running.<br />
<br />
== Core Components for OX HE ==<br />
<br />
* Two OX HE servers (HW recommendation: 16GB RAM / 4 cores each)<br />
* MySQL installed directly on these servers<br />
* NFS Server to store documents and files<br />
<br />
== Infrastructure Components not delivered by OX ==<br />
<br />
* An email system providing IMAP and SMTP<br />
* A control panel for creation and administration of users<br />
* A Load Balancer in front of the OX servers (optional, recommended)<br />
<br />
= Overview Installation Steps =<br />
<br />
'''To deploy the described OX setup, the following steps need to be done. '''<br />
<br />
<br />
== Mandatory Steps ==<br />
# Initialize and configure MySQL database on both servers<br />
# Install and configure OX on both servers<br />
<br />
== Steps depending on your environment ==<br />
# Implement Load Balancer<br />
# Connect Control Panel<br />
# Connect Email System<br />
<br />
== Recommended Optional Next Steps ==<br />
# Automated Frontend Tests<br />
# Upsell Plugin<br />
# Mobile Autoconfiguration<br />
# Automatic FailOver<br />
# Branding<br />
<br />
<br />
= Mandatory Installation Steps - Instructions & Recommendations =<br />
<br />
<br />
'''The following steps need to be done in every case to get OX up and running:'''<br />
<br />
== Initialize and configure MySQL database on both servers ==<br />
<br />
MySQL will run on both servers. MySQL will be configured in a Master-Master configuration to ensure data consistency on both servers.<br />
If one machine fails, the other machine will take over all functionality.<br />
<br />
[[OXLoadBalancingClustering_Database|Database setup for clustered environments]]<br />
<br />
== Install and configure OX on both servers ==<br />
<br />
OX will be installed on both servers. It will be configured to '''write''' to the '''first''' MySQL database and to '''read''' from the '''second''' MySQL database. This will distribute the load during normal operation as smoothly as possible. During failover, the IP address of the failed server is taken over by the working server, so the system stays operable.<br />
<br />
The NFS server will be mounted on both machines and registered as filestore.<br />
<br />
[[OXLoadBalancingClustering_Filestore|Filestore setup for clustered environments]]<br />
<br />
You should also install and configure the OXtender for Business Mobility:<br />
<br />
LINK_TO_DOCUMENTATION<br />
<br />
<br />
= Installation Steps depending on your environment - Instructions & Recommendations =<br />
<br />
'''The following components need to be implemented in your environment.'''<br />
<br />
<br />
== Implement Load Balancer ==<br />
<br />
A load balancer in front of the OX servers is recommended, but optional in this deployment size. (In small environments, DNS Round Robin may be sufficient.)<br />
<br />
If you already have a hardware load balancing solution in place, this can be used. OX is known to work with the standard load balancing solutions from BigIP, Barracuda, Foundry, ...<br />
<br />
If you do not have a load balancing solution already in place, we recommend using [http://www.keepalived.org/ Keepalived] as a reliable and cost-effective solution.<br />
<br />
Read more about configuring [[Keepalived | Keepalived for Open-Xchange]]<br />
<br />
<br />
{{OX_HE_Tutorial_CP}}<br />
<br />
<br />
{{OX_HE_Tutorial_HGP}}<br />
<br />
<br />
{{OX_HE_Tutorial_POA}}<br />
<br />
<br />
{{OX_HE_Tutorial_Auth}}<br />
<br />
<br />
== Connect Email System ==<br />
<br />
Every email system providing IMAP and SMTP can be used as a backend to OX. The best experience has been with the widespread Linux-based IMAP servers [http://dovecot.org/ Dovecot], [http://www.cyrusimap.org/ Cyrus] or [http://www.courier-mta.org/imap/ Courier].<br />
<br />
Other IMAP servers need to be tested thoroughly before going into production.<br />
<br />
There are several ways to implement the email system:<br />
<br />
# You already have an email system available: Nothing needs to be done, it just needs to be configured<br />
# You use Parallels Automation (POA): Nothing special needs to be done, everything you need is contained in the APS package<br />
# You want to set up a new email system: It is recommended to use Dovecot, as it is very stable, fast, feature-rich and easy to scale<br />
<br />
<br />
{{OX_HE_Tutorial_Dovecot}}<br />
<br />
<br />
{{OX_HE_Tutorial_Next}}<br />
<br />
<br />
{{OX_HE_Tutorial_FailOver}}</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=OXLoadBalancingClustering_Filestore&diff=7092OXLoadBalancingClustering Filestore2011-02-10T10:40:25Z<p>Bartl3by: Created page with "{{OXLoadBalancingClustering_Filestore}}"</p>
<hr />
<div>{{OXLoadBalancingClustering_Filestore}}</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=OXLoadBalancingClustering_Database&diff=7091OXLoadBalancingClustering Database2011-02-10T10:36:29Z<p>Bartl3by: Created page with "{{OXLoadBalancingClustering_Database}}"</p>
<hr />
<div>{{OXLoadBalancingClustering_Database}}</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=Load_balancing_and_clustering&diff=7090Load balancing and clustering2011-02-10T10:35:37Z<p>Bartl3by: </p>
<hr />
<div>= Load balancing and clustering Open-Xchange =<br />
<br />
== General ==<br />
Open-Xchange Server 6 is primarily built for the Software-as-a-Service world. Hosting and telecommunication providers around the world use Open-Xchange to offer hosted services to their customers. Open-Xchange Server 6 scales vertically and horizontally, which means that resource requirements can be met either by using a more powerful server or by adding more machines. While upgrading a single server installation inevitably gets to a point where costs rise faster than performance gains, adding some simple machines to the installation provides a linear cost increase and a slightly more complex administration. Besides the fiscal impact of using medium-sized servers, another key argument for clustering is service availability: single nodes can go down for maintenance without influencing the general service availability. A typical scenario for clustering is virtualization, where multiple nodes can provide resources on demand.<br />
<br />
One of the main principles of Open-Xchange Server 6 is the ability to utilize several medium sized servers. This guide will outline the basic principles of clustering Open-Xchange Server instances and provide load balancing to utilize all nodes of a cluster.<br />
<br />
== Requirements ==<br />
Since clustering and load balancing is an advanced topic, skills in operating system and Open-Xchange Server 6 administration are required. To gain those skills, please refer to the [http://software.open-xchange.com/OX6/doc documentation repository] and general system administration literature.<br />
With this guide we're going to set up five machines in total. Therefore it's recommended to get some training in a virtualized environment first. When rolling out the setup it is recommended to use real hardware or enterprise grade virtualization solutions like VMware ESX or Citrix XEN. If VMware is used, please make sure that VMware Tools are installed on all hosts to ensure optimal network performance. The following types of servers will be set up:<br />
<br />
* 1 Webserver (Apache)<br />
* 2 Groupware nodes (Open-Xchange Server 6)<br />
* 2 Database servers (MySQL Master/Slave)<br />
<br />
To maintain consistency throughout the guide, each system gets a unique name which can be set as hostname. The IP addresses are also used throughout the whole guide, but they may differ in the actual network setup. All systems run Debian GNU/Linux 5.0 (Lenny); any other supported platform works as well. All assumptions and instructions about system configuration are based on a minimal installation of the operating system. This guide is valid for Open-Xchange 6.10.<br />
<br />
* web (10.20.30.210)<br />
* oxgw01 (10.20.30.213)<br />
* oxgw02 (10.20.30.215)<br />
* dbmaster (10.20.30.217)<br />
* dbslave (10.20.30.219)<br />
<br />
Once the guide is finished, the setup will provide several load balancing and clustering features.<br />
<br />
* Session load balancing<br />
* Open-Xchange clustering<br />
* Database master/slave replication<br />
* Database read/write separation<br />
* Distributed file storage<br />
<br />
{{OXLoadBalancingClustering_Database}}<br />
<br />
{{OXLoadBalancingClustering_Filestore}}<br />
<br />
{{OXLoadBalancingClustering_SessionLoadbalancing}}<br />
<br />
{{OXLoadBalancingClustering_OXConfiguration}}<br />
<br />
== Clustering Open-Xchange Server ==<br />
It is already possible to distribute sessions through several groupware nodes by using the proxy_ajp load balancing technology. While this might be adequate for simple failover, it lacks clustering on the application side.<br />
Just as an example, users may be distributed to different OX servers but they are still working together in one context. If User A on the first server shares a folder with User B on the second server, User B will not be able to access this folder since the folder tree is cached within Open-Xchange Server.<br />
Clustering with Open-Xchange Server primarily affects cache invalidation, which allows a groupware node to delete a reference to a piece of data throughout the whole cluster; the single nodes will then fetch an updated version of this data.<br />
There are various caches used by the Open-Xchange Server. By using clustering it is possible to move cache content from one node to another, which enables user session migration and allows restarts of single nodes without losing user sessions bound to that machine.<br />
<br />
{{OXLoadBalancingClustering_NetworkConfiguration}}<br />
<br />
[[Category: OX6]]</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=Template:OXLoadBalancingClustering_OXConfiguration&diff=7089Template:OXLoadBalancingClustering OXConfiguration2011-02-10T10:33:26Z<p>Bartl3by: </p>
<hr />
<div>== Configuring Open-Xchange Server ==<br />
Install all relevant Open-Xchange Server packages on both groupware nodes after adding the Open-Xchange software repository to your package manager's configuration. This package selection does not contain user interface packages.<br />
<br />
apt-get install{{OXPackageInstallation-Server|javavendor=sun}}<br />
<br />
Create the ''configdb'' database at the MySQL Master. This step does only need to be performed on one of the Open-Xchange Server nodes.<br />
$ /opt/open-xchange/sbin/initconfigdb --configdb-user=openexchange --configdb-pass=secret --configdb-host=10.20.30.217<br />
<br />
Set up the Open-Xchange Server configuration. This step needs to be performed on 'both' groupware nodes. Note that the ''--jkroute'' parameter must equal the ''route'' parameter in the web server's ''proxy_ajp'' load balancing configuration for the specific server.<br />
Node 1:<br />
$ /opt/open-xchange/sbin/oxinstaller --servername=oxserver --configdb-readhost=10.20.30.217 --configdb-writehost=10.20.30.217 --configdb-user=openexchange --master-pass=secret --configdb-pass=secret --jkroute=OX-1 --ajp-bind-port=*<br />
Node 2:<br />
$ /opt/open-xchange/sbin/oxinstaller --servername=oxserver --configdb-readhost=10.20.30.217 --configdb-writehost=10.20.30.217 --configdb-user=openexchange --master-pass=secret --configdb-pass=secret --jkroute=OX-2 --ajp-bind-port=*<br />
<br />
Startup the Administration Daemon on one of the nodes. Wait some seconds until the Open-Xchange Administration Daemon is started completely.<br />
$ /etc/init.d/open-xchange-admin start<br />
<br />
Now register the Open-Xchange Server at the database. Note that a ''server'' is a whole cluster in this case. This step does only need to be performed on one of the Open-Xchange Server nodes.<br />
$ /opt/open-xchange/sbin/registerserver -n oxserver -A oxadminmaster -P secret<br />
<br />
Register the filestorage. This step does only need to be performed on one of the Open-Xchange Server nodes. Note that the NFS export must be mounted to the same path on both groupware nodes.<br />
$ /opt/open-xchange/sbin/registerfilestore -A oxadminmaster -P secret -t file:///var/opt/filestore<br />
<br />
Now register the MySQL Master database in configdb. This step does only need to be performed on one of the Open-Xchange Server nodes.<br />
$ /opt/open-xchange/sbin/registerdatabase -A oxadminmaster -P secret --name oxdatabase --hostname 10.20.30.217 --dbuser openexchange --dbpasswd secret --master true<br />
database 4 registered<br />
<br />
Check the returned database ID which is 4 in this case. This value is required to register the MySQL Slave database in configdb. This step does only need to be performed on one of the Open-Xchange Server nodes.<br />
$ /opt/open-xchange/sbin/registerdatabase -A oxadminmaster -P secret --name oxdatabase_slave --hostname 10.20.30.219 --dbuser openexchange --dbpasswd secret --master false --masterid=4<br />
<br />
Now start Open-Xchange Server on both groupware nodes.<br />
$ /etc/init.d/open-xchange-groupware start<br />
<br />
Create a new context and a testuser<br />
$ /opt/open-xchange/sbin/createcontext -A oxadminmaster -P secret -c 1 -u oxadmin -d "Context Admin" -g Admin -s User -p secret -L defaultcontext -e oxadmin@example.com -q 1024 --access-combination-name=all<br />
$ /opt/open-xchange/sbin/createuser -c 1 -A oxadmin -P secret -u testuser -d "Test User" -g Test -s User -p secret -e testuser@example.com<br />
<br />
=== Test Session load balancing ===<br />
Apache is configured to use a 50:50 balancing between both Open-Xchange Servers. Now that they are up and running, it's time to check if this balancing works. This can be done by simply watching the Open-Xchange Server log files while a user logs in.<br />
Run ''tail'' on the ''open-xchange.log.0'' file on both servers. Then log in with the testuser; the log file of one of the servers should show something like<br />
$ tail -fn200 /var/log/open-xchange/open-xchange.log.0<br />
[...]<br />
INFO: Session created. ID: 31060fc80b9e44d38148ef4d5d19963d, Context: 1, User: 3<br />
<br />
Then logout and login again. This time, the session should be created on the other server. On the client side, the JSESSIONID cookie at the browser shows evidence on which server the user has logged in by the trailing ".OX-" identifier. This identifier is set by Open-Xchange Server based on its AJP_JVM_ROUTE attribute.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=Template:OXLoadBalancingClustering_Database&diff=6949Template:OXLoadBalancingClustering Database2011-01-25T13:18:34Z<p>Bartl3by: </p>
<hr />
<div>== Master/Slave database setup ==<br />
Startup both database machines and install the mysql server packages<br />
$ apt-get install mysql-server<br />
<br />
During the installation, a dialog will show up to set a password for the MySQL 'root' user. Please set a strong password here.<br />
<br />
=== Master configuration ===<br />
Open the MySQL configuration file with your favorite editor<br />
 $ vim /etc/mysql/my.cnf<br />
<br />
Modify or enable the following configuration options<br />
 bind-address = 10.20.30.217<br />
 server-id = 1<br />
 log_bin = /var/log/mysql/mysql-bin.log<br />
<br />
* ''bind-address'' specifies the network address where MySQL is listening for network connections. Since the MySQL slave and both Open-Xchange Servers are dedicated machines it is required to have the master accessible through the network.<br />
* ''server-id'' is just a number within an environment with multiple MySQL servers. It needs to be unique for each server.<br />
* ''log_bin'' enables the MySQL binary log which is required for Master/Slave replication. In general every statement triggered at the database is stored there to get distributed through the database cluster.<br />
<br />
To apply the configuration changes, restart the MySQL server.<br />
$ /etc/init.d/mysql restart<br />
<br />
Then login to MySQL with the credentials given at the MySQL installation process<br />
$ mysql -u root -p<br />
Enter password:<br />
<br />
Configure replication permissions for the MySQL slave server and the MySQL user "replication". This account is used by the MySQL slave to get database updates from the master. Please choose a strong password here.<br />
mysql> GRANT REPLICATION SLAVE ON *.* TO 'replication'@'10.20.30.219' IDENTIFIED BY 'secret';<br />
<br />
Now setup access for the Open-Xchange Server database user ''openexchange'' to configdb and the groupware database for both groupware server addresses. These databases do not exist yet, but will be created during the Open-Xchange Server installation.<br />
mysql> GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'10.20.30.213' IDENTIFIED BY 'secret';<br />
mysql> GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'10.20.30.215' IDENTIFIED BY 'secret';<br />
<br />
Verify that the MySQL master is writing a binary log and remember the values<br />
mysql> SHOW MASTER STATUS;<br />
 +------------------+----------+--------------+------------------+<br />
 | File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |<br />
 +------------------+----------+--------------+------------------+<br />
 | mysql-bin.000001 |     1082 |              |                  |<br />
 +------------------+----------+--------------+------------------+<br />
<br />
Copy the MySQL master binary log and the index file to the slave. This is required for initial synchronization.<br />
$ scp /var/log/mysql/mysql-bin.* root@10.20.30.219:/var/log/mysql<br />
<br />
=== Slave configuration ===<br />
<br />
Set the MySQL system user as owner to the binary log that has just been copied to the slave.<br />
$ chown mysql:adm /var/log/mysql/*<br />
<br />
Open the MySQL configuration file with your favorite editor<br />
 $ vim /etc/mysql/my.cnf<br />
<br />
Modify or enable the following configuration options. Just like the master, the slave requires a unique ''server-id'' and needs to listen on an external network address. Activating the binary log is not required at the slave.<br />
 bind-address = 10.20.30.219<br />
 server-id = 2<br />
<br />
To apply the configuration changes, restart the MySQL server.<br />
$ /etc/init.d/mysql restart<br />
<br />
Then login to MySQL with the credentials given at the MySQL installation process<br />
$ mysql -u root -p<br />
Enter password:<br />
<br />
Configure the replication from the master based on the 'replication' user and the master's binary log status. The values for ''MASTER_LOG_FILE'' and ''MASTER_LOG_POS'' must equal the output of the ''SHOW MASTER STATUS'' command at the MySQL master.<br />
mysql> CHANGE MASTER TO MASTER_HOST='10.20.30.217', MASTER_USER='replication', MASTER_PASSWORD='secret', MASTER_LOG_FILE='mysql-bin.000001', MASTER_LOG_POS=1082;<br />
<br />
Now setup access for the Open-Xchange Server database user 'openexchange' to configdb and the oxdb for both groupware server addresses. These databases do not exist yet, but will be created during the Open-Xchange Server installation.<br />
mysql> GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'10.20.30.213' IDENTIFIED BY 'secret';<br />
mysql> GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'10.20.30.215' IDENTIFIED BY 'secret';<br />
<br />
Start the MySQL slave replication<br />
mysql> START SLAVE;<br />
<br />
Check the slave status. Sometimes it can take a while until the replication starts. ''Slave_IO_Running'' shows that the MySQL slave is exchanging data with the MySQL master.<br />
 mysql> SHOW SLAVE STATUS\G<br />
Slave_IO_Running: Yes<br />
Slave_SQL_Running: Yes<br />
<br />
Also check the syslog to see if the replication has been successfully started<br />
$ tail -fn20 /var/log/syslog<br />
Jul 26 19:03:45 dbslave mysqld[4718]: 090726 19:03:45 [Note] Slave I/O thread: connected to master 'replication@10.20.30.217:3306', replication started in log 'mysql-bin.000001' at position 1082<br />
<br />
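The two checks above (coordinates equal to ''SHOW MASTER STATUS'', both slave threads running) as a script. This is an added example, not part of the original guide; the function names and the sample outputs are constructed for illustration, and the coordinate comparison assumes an idle master directly after ''START SLAVE''.<br />

```shell
#!/bin/sh
# Added example: verify the replication setup from captured mysql output.

# Constructed sample: SHOW MASTER STATUS on dbmaster.
MASTER_STATUS='+------------------+----------+--------------+------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+
| mysql-bin.000001 |     1082 |              |                  |
+------------------+----------+--------------+------------------+'

# Constructed sample: excerpt of SHOW SLAVE STATUS\G on dbslave.
SLAVE_STATUS='              Master_Host: 10.20.30.217
          Master_Log_File: mysql-bin.000001
      Read_Master_Log_Pos: 1082
         Slave_IO_Running: Yes
        Slave_SQL_Running: Yes'

# Print "file position" from the table printed by SHOW MASTER STATUS.
master_coordinates() {
    awk -F'|' 'NF >= 3 {
        f = $2; p = $3
        gsub(/[ \t]/, "", f); gsub(/[ \t]/, "", p)
        if (p ~ /^[0-9]+$/) print f, p      # skips the header row
    }'
}

# Print the value of one field of SHOW SLAVE STATUS\G output.
slave_field() {   # usage: slave_field <name> < status
    awk -v k="$1" '{
        line = $0
        sub(/^[ \t]+/, "", line)
        i = index(line, ": ")
        if (i && substr(line, 1, i - 1) == k) { print substr(line, i + 2); exit }
    }'
}

# Return 0 only if both threads run and the slave reads at the master position.
check_replication() {   # usage: check_replication "$master_status" "$slave_status"
    want=$(printf '%s\n' "$1" | master_coordinates)
    file=$(printf '%s\n' "$2" | slave_field Master_Log_File)
    pos=$(printf '%s\n' "$2" | slave_field Read_Master_Log_Pos)
    io=$(printf '%s\n' "$2" | slave_field Slave_IO_Running)
    sql=$(printf '%s\n' "$2" | slave_field Slave_SQL_Running)
    rc=0
    # "Connecting" here usually means the slave cannot reach or log in to the master.
    [ "$io" = "Yes" ]  || { echo "I/O thread not running (Slave_IO_Running=$io)"; rc=1; }
    [ "$sql" = "Yes" ] || { echo "SQL thread not running (Slave_SQL_Running=$sql)"; rc=1; }
    [ "$file $pos" = "$want" ] || { echo "slave at '$file $pos', master at '$want'"; rc=1; }
    return "$rc"
}

check_replication "$MASTER_STATUS" "$SLAVE_STATUS" && echo "replication OK"
```

On a live system the two inputs would come from ''mysql -e "SHOW MASTER STATUS"'' on the master and ''mysql -e "SHOW SLAVE STATUS\G"'' on the slave.<br />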
=== Testing Master/Slave ===<br />
<br />
On the master, create a new database in MySQL:<br />
mysql> CREATE DATABASE foo;<br />
<br />
Check if this database is available on the slave:<br />
mysql> SHOW DATABASES;<br />
 +--------------------+<br />
 | Database           |<br />
 +--------------------+<br />
 | information_schema |<br />
 | foo                |<br />
 | mysql              |<br />
 +--------------------+<br />
<br />
Delete the database on the master<br />
mysql> DROP DATABASE foo;<br />
<br />
Check if the database has been removed at the slave<br />
mysql> SHOW DATABASES;<br />
+--------------------+<br />
 | Database           |<br />
 +--------------------+<br />
 | information_schema |<br />
 | mysql              |<br />
+--------------------+</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=Template:OXLoadBalancingClustering_NetworkConfiguration&diff=6948Template:OXLoadBalancingClustering NetworkConfiguration2011-01-25T13:17:27Z<p>Bartl3by: Created page with "=== Network configuration === Open-Xchange Server uses multicast discovery to find other nodes. Once this discovery has been successful, the groupware nodes will establish TCP co..."</p>
<hr />
<div>=== Network configuration ===<br />
Open-Xchange Server uses multicast discovery to find other nodes. Once this discovery has been successful, the groupware nodes will establish TCP connections for cache communication.<br />
<br />
Configure a multicast address for the servers' network. This needs to be done on all groupware nodes.<br />
$ vim /etc/network/interfaces<br />
[...]<br />
iface eth0 inet static<br />
[...]<br />
post-up route add -net 224.0.0.0/8 dev eth0<br />
<br />
Check the Open-Xchange Server cache configuration files ''/opt/open-xchange/etc/groupware/cache.ccf'' and ''/opt/open-xchange/etc/admindaemon/cache.ccf'' on all groupware nodes. Only the very last section (jcs.auxiliary.*) is relevant for distributed caching.<br />
Make sure the TcpServers attribute is commented out and the UdpDiscovery settings are active. Also check the cache configuration in ''/opt/open-xchange/etc/groupware/sessioncache.ccf''.<br />
<br />
# jcs.auxiliary.LTCP.attributes.TcpServers=127.0.0.1:57461<br />
jcs.auxiliary.LTCP.attributes.TcpListenerPort=57462<br />
jcs.auxiliary.LTCP.attributes.UdpDiscoveryAddr=224.0.0.1<br />
jcs.auxiliary.LTCP.attributes.UdpDiscoveryPort=6780<br />
jcs.auxiliary.LTCP.attributes.UdpDiscoveryEnabled=true<br />
<br />
These settings configure Open-Xchange Server to discover other nodes through the multicast address 224.0.0.1 and UDP port 6780. Note that the property TcpListenerPort differs between the groupware and admindaemon configuration files. This is required to avoid socket conflicts: the property defines the TCP port that listens for incoming connections from other groupware nodes.<br />
<br />
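The three conditions named above (TcpServers commented out, UDP discovery enabled, distinct TcpListenerPort values for groupware and admindaemon) can be checked with a short script. This is an added example, not part of the original guide; the function names are hypothetical and the admindaemon sample is constructed, using port 57461 as seen in the netstat output of this guide.<br />

```shell
#!/bin/sh
# Added example: sanity check of the jcs.auxiliary.LTCP section of cache.ccf.

# Constructed sample: last section of groupware/cache.ccf as shown in the guide.
GROUPWARE_CCF='# jcs.auxiliary.LTCP.attributes.TcpServers=127.0.0.1:57461
jcs.auxiliary.LTCP.attributes.TcpListenerPort=57462
jcs.auxiliary.LTCP.attributes.UdpDiscoveryAddr=224.0.0.1
jcs.auxiliary.LTCP.attributes.UdpDiscoveryPort=6780
jcs.auxiliary.LTCP.attributes.UdpDiscoveryEnabled=true'

# Constructed sample: the same section of admindaemon/cache.ccf (port assumed).
ADMIN_CCF='# jcs.auxiliary.LTCP.attributes.TcpServers=127.0.0.1:57462
jcs.auxiliary.LTCP.attributes.TcpListenerPort=57461
jcs.auxiliary.LTCP.attributes.UdpDiscoveryAddr=224.0.0.1
jcs.auxiliary.LTCP.attributes.UdpDiscoveryPort=6780
jcs.auxiliary.LTCP.attributes.UdpDiscoveryEnabled=true'

# Print the value of an active (uncommented) LTCP attribute; nothing if absent.
ltcp_attr() {   # usage: ltcp_attr <Name> < cache.ccf
    awk -v k="jcs.auxiliary.LTCP.attributes.$1" '
        /^[ \t]*#/ { next }                 # commented-out lines do not count
        {
            i = index($0, "=")
            if (!i) next
            key = substr($0, 1, i - 1); gsub(/[ \t]/, "", key)
            if (key == k) {
                v = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                exit
            }
        }'
}

# Return 0 only if both files are set up for multicast discovery as described.
check_discovery() {   # usage: check_discovery "$groupware_ccf" "$admin_ccf"
    rc=0
    for cfg in "$1" "$2"; do
        if [ -n "$(printf '%s\n' "$cfg" | ltcp_attr TcpServers)" ]; then
            echo "TcpServers is still active, expected it to be commented out"; rc=1
        fi
        if [ "$(printf '%s\n' "$cfg" | ltcp_attr UdpDiscoveryEnabled)" != "true" ]; then
            echo "UdpDiscoveryEnabled is not true"; rc=1
        fi
    done
    gw_port=$(printf '%s\n' "$1" | ltcp_attr TcpListenerPort)
    ad_port=$(printf '%s\n' "$2" | ltcp_attr TcpListenerPort)
    if [ -z "$gw_port" ] || [ -z "$ad_port" ] || [ "$gw_port" = "$ad_port" ]; then
        echo "TcpListenerPort must be set and differ (groupware=$gw_port admindaemon=$ad_port)"
        rc=1
    fi
    return "$rc"
}

check_discovery "$GROUPWARE_CCF" "$ADMIN_CCF" && echo "cache discovery settings OK"
```

On a node, pass the contents of the two files named above, for example with ''"$(cat /opt/open-xchange/etc/groupware/cache.ccf)"''.<br />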
Restart the networking to enable the new multicast address on both groupware nodes. Also restart the Open-Xchange Server processes on all nodes.<br />
$ /etc/init.d/networking restart<br />
$ /etc/init.d/open-xchange-groupware restart<br />
$ /etc/init.d/open-xchange-admin restart<br />
<br />
=== Test the network settings ===<br />
The new routing information for the multicast network should be available when printing the routing table.<br />
$ route -n<br />
[...]<br />
224.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth0<br />
<br />
TCP connections that are created after the UDP multicast discovery are shown with netstat.<br />
 $ netstat -tlpa | grep java | grep ESTABLISHED<br />
Proto Recv-Q Send-Q Local Address Foreign Address State<br />
tcp6 0 0 oxgw01:49103 oxgw02:57461 ESTABLISHED 3706/java<br />
tcp6 0 0 oxgw01:37912 oxgw02:57462 ESTABLISHED 3706/java<br />
tcp6 0 0 oxgw01:58849 oxgw02:49302 ESTABLISHED 3706/java<br />
tcp6 0 0 oxgw01:57462 oxgw02:46054 ESTABLISHED 3706/java<br />
tcp6 0 0 oxgw01:57462 oxgw01:41904 ESTABLISHED 3706/java<br />
tcp6 0 0 oxgw01:48628 oxgw02:57461 ESTABLISHED 3582/java<br />
tcp6 0 0 oxgw01:57461 oxgw02:47115 ESTABLISHED 3582/java<br />
tcp6 0 0 oxgw01:57461 oxgw02:57348 ESTABLISHED 3582/java<br />
tcp6 0 0 oxgw01:57461 oxgw01:42589 ESTABLISHED 3582/java<br />
tcp6 0 0 oxgw01:43960 oxgw02:57462 ESTABLISHED 3582/java<br />
tcp6 0 0 oxgw01:41904 oxgw01:57462 ESTABLISHED 3582/java<br />
tcp6 0 0 oxgw01:42589 oxgw01:57461 ESTABLISHED 3706/java<br />
tcp6 0 0 oxgw01:43786 oxgw02:57461 ESTABLISHED 3706/java<br />
tcp6 0 0 oxgw01:35196 oxgw02:58849 ESTABLISHED 3706/java<br />
tcp6 0 0 oxgw01:57462 oxgw02:44548 ESTABLISHED 3706/java<br />
tcp6 0 0 oxgw01:57461 oxgw02:44893 ESTABLISHED 3582/java<br />
<br />
How can those connections be verified? The last column shows the process ID (PID) of the local process that holds the established connection. In this case, PID 3706 is the Open-Xchange Groupware Daemon and PID 3582 is the Open-Xchange Administration Daemon.<br />
These services build mesh connections between each groupware, each admindaemon and each foldercache service. Some connections are used bidirectionally so only one connection is visible, others use two connections (inbound and outbound) depending on the network responses.<br />
It is important that each service is connected to each other while the foldercache is only connected between two groupware services. It can take some time until all connections are established after Open-Xchange Server has been started.<br />
In this example, the first two lines indicate connections between the local groupware process and the remote admindaemon and groupware processes.</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=Template:OXLoadBalancingClustering_OXConfiguration&diff=6947Template:OXLoadBalancingClustering OXConfiguration2011-01-25T13:15:57Z<p>Bartl3by: Created page with "== Configuring Open-Xchange Server == Install all relevant Open-Xchange Server packages to both groupware nodes after adding the Open-Xchange software repository to your package ..."</p>
<hr />
<div>== Configuring Open-Xchange Server ==<br />
Install all relevant Open-Xchange Server packages on both groupware nodes after adding the Open-Xchange software repository to your package manager's configuration. This package selection does not contain user interface packages.<br />
<br />
apt-get install{{OXPackageInstallation-Server|javavendor=sun}}<br />
<br />
Create the ''configdb'' database at the MySQL Master. This step does only need to be performed on one of the Open-Xchange Server nodes.<br />
$ /opt/open-xchange/sbin/initconfigdb --configdb-user=openexchange --configdb-pass=secret --configdb-host=10.20.30.217<br />
<br />
Set up the Open-Xchange Server configuration. This step needs to be performed on 'both' groupware nodes. Note that the ''--jkroute'' parameter must equal the ''route'' parameter in the web server's ''proxy_ajp'' load balancing configuration for the specific server.<br />
Node 1:<br />
$ /opt/open-xchange/sbin/oxinstaller --servername=oxserver --configdb-readhost=10.20.30.217 --configdb-writehost=10.20.30.217 --configdb-user=openexchange --master-pass=secret --configdb-pass=secret --jkroute=OX-1 --ajp-bind-port=*<br />
Node 2:<br />
$ /opt/open-xchange/sbin/oxinstaller --servername=oxserver --configdb-readhost=10.20.30.217 --configdb-writehost=10.20.30.217 --configdb-user=openexchange --master-pass=secret --configdb-pass=secret --jkroute=OX-2 --ajp-bind-port=*<br />
<br />
Startup the Administration Daemon on one of the nodes. Wait some seconds until the Open-Xchange Administration Daemon is started completely.<br />
$ /etc/init.d/open-xchange-admin start<br />
<br />
Now register the Open-Xchange Server at the database. Note that a ''server'' is a whole cluster in this case. This step does only need to be performed on one of the Open-Xchange Server nodes.<br />
$ /opt/open-xchange/sbin/registerserver -n oxserver -A oxadminmaster -P secret<br />
<br />
Register the filestorage. This step does only need to be performed on one of the Open-Xchange Server nodes. Note that the NFS export must be mounted to the same path on both groupware nodes.<br />
$ /opt/open-xchange/sbin/registerfilestore -A oxadminmaster -P secret -t file:///var/opt/filestore<br />
<br />
Now register the MySQL Master database in configdb. This step does only need to be performed on one of the Open-Xchange Server nodes.<br />
$ /opt/open-xchange/sbin/registerdatabase -A oxadminmaster -P secret --name oxdatabase --hostname 10.20.30.217 --dbuser openexchange --dbpasswd secret --master true<br />
database 4 registered<br />
<br />
Check the returned database ID which is 4 in this case. This value is required to register the MySQL Slave database in configdb. This step does only need to be performed on one of the Open-Xchange Server nodes.<br />
$ /opt/open-xchange/sbin/registerdatabase -A oxadminmaster -P secret --name oxdatabase_slave --hostname 10.20.30.219 --dbuser openexchange --dbpasswd secret --master false --masterid=4<br />
<br />
Now start Open-Xchange Server on both groupware nodes.<br />
$ /etc/init.d/open-xchange-groupware start<br />
<br />
Create a new context and a testuser<br />
$ /opt/open-xchange/sbin/createcontext -A oxadminmaster -P secret -c 1 -u oxadmin -d "Context Admin" -g Admin -s User -p secret -L defaultcontext -e oxadmin@example.com -q 1024 --access-combination-name=all<br />
$ /opt/open-xchange/sbin/createuser -c 1 -A oxadmin -P secret -u testuser -d "Test User" -g Test -s User -p secret -e testuser@example.com</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=Template:OXLoadBalancingClustering_SessionLoadbalancing&diff=6946Template:OXLoadBalancingClustering SessionLoadbalancing2011-01-25T13:15:05Z<p>Bartl3by: Created page with "== Session load balancing == Since configuration of system services for the corresponding operating system is already described in the general [[Main_Page#Installation_based_on_p..."</p>
<hr />
<div>== Session load balancing ==<br />
Since configuration of system services for the corresponding operating system is already described in the general [[Main_Page#Installation_based_on_packages|installation guides]], this guide will focus on the specialties when creating a distributed setup. Please refer to the [[Main_Page#Installation_based_on_packages|installation guides]] for configuration that is not mentioned in this guide.<br />
<br />
The web server in this setup is a pure frontend server. This means it takes and responds to requests sent by a client but it does not contain any groupware logic. All requests are forwarded to the Open-Xchange Servers through the ''AJP13'' protocol. The configuration will allow round-robin session load balancing: both Open-Xchange servers are configured as backends for answering requests, with a 50:50 probability of being chosen. Once a new session is created, that session is bound to the groupware server on which it has been created.<br />
<br />
For the web server we only need a very small set of packages, basically only packages that start with ''open-xchange-gui''; most of the additional packages are language packs or plugins. Add the Open-Xchange software repository to the package manager configuration first. Then install the ''open-xchange-gui'' package on the web server.<br />
<br />
$ apt-get install{{OXPackageInstallation-GUI}}<br />
<br />
This will install the Open-Xchange user interface, Apache 2 and several services as dependencies. The Apache module ''proxy_ajp'' will handle all the communication with the Open-Xchange Servers. Its configuration also contains the setup of the session balancing. What it basically does is define two backend nodes and forward servlet paths to them based on the ''loadfactor''. This setting can be customized in case the backend servers are not equal in terms of performance. The ''route'' property is important: it specifies a unique ID of a backend server and will be used when setting up the Open-Xchange Servers later. Please see the Apache mod_proxy_ajp [http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html documentation] for more details.<br />
<br />
$ vim /etc/apache2/conf.d/proxy_ajp.conf<br />
<br />
<IfModule mod_proxy_ajp.c><br />
<br />
<Proxy *><br />
Order deny,allow<br />
Allow from all<br />
</Proxy><br />
<br />
<Proxy balancer://oxcluster><br />
BalancerMember ajp://10.20.30.213:8009 smax=0 ttl=60 retry=5 loadfactor=50 route=OX-1<br />
BalancerMember ajp://10.20.30.215:8009 smax=0 ttl=60 retry=5 loadfactor=50 route=OX-2<br />
</Proxy><br />
<br />
ProxyPass /ajax balancer://oxcluster/ajax stickysession=JSESSIONID<br />
ProxyPass /servlet balancer://oxcluster/servlet stickysession=JSESSIONID<br />
ProxyPass /axis2 balancer://oxcluster/axis2 stickysession=JSESSIONID<br />
ProxyPass /infostore balancer://oxcluster/infostore stickysession=JSESSIONID<br />
ProxyPass /publications balancer://oxcluster/publications stickysession=JSESSIONID<br />
ProxyPass /Microsoft-Server-ActiveSync balancer://oxcluster/Microsoft-Server-ActiveSync stickysession=JSESSIONID<br />
</IfModule><br />
<br />
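Because sticky sessions depend on every backend having its own ''route'' that matches the node's ''--jkroute'' value and the trailing ".OX-" identifier of the JSESSIONID cookie, the following script checks those relationships. This is an added example, not part of the original guide; the function names and the cookie values in the comments are constructed for illustration.<br />

```shell
#!/bin/sh
# Added example: consistency checks for the route IDs of the proxy_ajp balancer.

# Constructed sample: the balancer section of proxy_ajp.conf from this guide.
SAMPLE_CONF='<Proxy balancer://oxcluster>
    BalancerMember ajp://10.20.30.213:8009 smax=0 ttl=60 retry=5 loadfactor=50 route=OX-1
    BalancerMember ajp://10.20.30.215:8009 smax=0 ttl=60 retry=5 loadfactor=50 route=OX-2
</Proxy>'

# Print "host route" for every BalancerMember line on stdin ("-" if no route).
list_routes() {
    awk '$1 == "BalancerMember" {
        host = $2; route = ""
        sub(/^ajp:\/\//, "", host); sub(/:[0-9]+$/, "", host)
        for (i = 3; i <= NF; i++)
            if ($i ~ /^route=/) route = substr($i, 7)
        print host, (route == "" ? "-" : route)
    }'
}

# Fail if there is no member, a member lacks a route, or two members share
# one: stickysession could then not pin a session to a single backend.
routes_are_unique() {
    list_routes | awk '
        $2 == "-"  { bad = 1 }
        seen[$2]++ { bad = 1 }
        END { exit (bad || NR == 0) }'
}

# Print the route configured for one backend address, to compare it with the
# --jkroute value that was passed to oxinstaller on that node.
route_for_host() {   # usage: route_for_host <host> < proxy_ajp.conf
    list_routes | awk -v h="$1" '$1 == h { print $2; found = 1 } END { exit !found }'
}

# Extract the route suffix of a JSESSIONID value of the form "<id>.<route>".
route_from_cookie() {   # usage: route_from_cookie <cookie value>
    case "$1" in
        *.*) printf '%s\n' "${1##*.}" ;;
        *)   return 1 ;;
    esac
}

# True if the cookie suffix names a route that exists in the balancer config.
cookie_route_is_known() {   # usage: cookie_route_is_known <cookie> < proxy_ajp.conf
    r=$(route_from_cookie "$1") || return 1
    list_routes | awk -v r="$r" '$2 == r { ok = 1 } END { exit !ok }'
}

printf '%s\n' "$SAMPLE_CONF" | list_routes
```

A cookie whose suffix is not among the configured routes, or a backend whose route differs from its ''--jkroute'', means the balancer cannot keep that session on its node.<br />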
Restart the Apache 2 web server and check if it is possible to connect with a browser. By default, this configuration allows plain HTTP access. In order to offer privacy to the customer, the connection must be secured by an HTTPS connection based on a valid certificate. It is also recommended to set a redirect so that all plain HTTP connections use HTTPS.<br />
<br />
Add some required apache modules to the web server. See the general [[Main_Page#Installation_based_on_packages|installation guides]] for more information about configuration of ''expires'' and ''deflate''.<br />
<br />
$ a2enmod proxy && a2enmod proxy_ajp && a2enmod proxy_balancer && a2enmod expires && a2enmod deflate && a2enmod headers<br />
<br />
Restart the Apache web server after applying all configuration changes.<br />
$ /etc/init.d/apache2 restart</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=Template:OXLoadBalancingClustering_Filestore&diff=6945Template:OXLoadBalancingClustering Filestore2011-01-25T12:58:14Z<p>Bartl3by: Created page with "== Distributed file storage == The distributed file storage will be set up on the MySQL database master server. Of course it is possible to use a dedicated file server or an alre..."</p>
<hr />
<div>== Distributed file storage ==<br />
The distributed file storage will be set up on the MySQL database master server. Of course it is possible to use a dedicated file server or an already existing storage system, however this guide does not cover that. This has several reasons:<br />
* Open-Xchange Server does not require much I/O on typical operation<br />
* Data for groupware objects like the Infostore is stored at the file storage and file metadata is stored at the database. Consistency between the database and the file storage is critical.<br />
<br />
=== Installation of the NFS server ===<br />
Open-Xchange Server is able to access various storage backends, NFS (Network File System) is a mature and proven backend.<br />
Install the following packages at the MySQL master server to enable NFS storage<br />
$ apt-get install nfs-kernel-server nfs-common portmap<br />
<br />
Create a directory for the Open-Xchange Server file storage.<br />
$ mkdir /var/opt/filestore<br />
<br />
Open-Xchange Server runs as user ''open-xchange'', create a user account at the NFS server, this is required for accessing the NFS export later. NFS will map the user id (uid) and group id (gid), therefore they need to be equal at the Open-Xchange Server nodes and the NFS server.<br />
$ useradd open-xchange<br />
<br />
Check the uid and gid, typically it's 1001:1001 since it's the first user on the system.<br />
$ grep open-xchange /etc/passwd<br />
open-xchange:x:1001:1001::/home/open-xchange:/bin/sh<br />
<br />
Make the newly created user own the filestore at the NFS server<br />
$ chown open-xchange:open-xchange /var/opt/filestore<br />
<br />
Configure the NFS server to provide this directory to both Open-Xchange Server nodes in read and write mode. Enter the uid and gid of the ''open-xchange'' user to the NFS export.<br />
$ vim /etc/exports<br />
/var/opt/filestore 10.20.30.213(rw,no_subtree_check,all_squash,anonuid=1001,anongid=1001) 10.20.30.215(rw,no_subtree_check,all_squash,anonuid=1001,anongid=1001)<br />
<br />
Make the changes effective to the running NFS server<br />
$ exportfs -a<br />
<br />
=== Installation of NFS clients ===<br />
Both Open-Xchange Server machines are NFS clients since they mount the distributed file storage. It's critical that both Open-Xchange Server nodes can access the same file storage, because session load balancing means a user may log in to either Open-Xchange Server.<br />
<br />
Install required NFS client packages on both Open-Xchange Server nodes<br />
$ apt-get install nfs-common portmap<br />
<br />
Create mountpoints for the filestore at both Open-Xchange Server nodes<br />
$ mkdir /var/opt/filestore/<br />
<br />
Open-Xchange Server runs as user ''open-xchange'', to let this user access the filestore, create a user account at all Open-Xchange Server nodes. NFS will map the user id (uid) and group id (gid) to the ones at the NFS server, therefore they need to be equal at the Open-Xchange Server nodes and the NFS Server.<br />
$ useradd open-xchange<br />
$ grep open-xchange /etc/passwd<br />
open-xchange:x:1001:1001::/home/open-xchange:/bin/sh<br />
<br />
Add the NFS storage to the fstab configuration file to mount the storage automatically on boot at both Open-Xchange Server nodes<br />
$ vim /etc/fstab<br />
10.20.30.217:/var/opt/filestore /var/opt/filestore nfs defaults 0 0<br />
<br />
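The uid/gid requirement above can be checked before mounting. This is an added example, not part of the original guide: it compares the ''open-xchange'' passwd entry with the export options, using the sample lines from this page; the function name is hypothetical.<br />

```shell
#!/bin/sh
# Added example: verify that an /etc/exports line squashes every client to
# the uid/gid of the open-xchange account. Sample lines are taken from this page.

PASSWD_LINE='open-xchange:x:1001:1001::/home/open-xchange:/bin/sh'
EXPORTS_LINE='/var/opt/filestore 10.20.30.213(rw,no_subtree_check,all_squash,anonuid=1001,anongid=1001) 10.20.30.215(rw,no_subtree_check,all_squash,anonuid=1001,anongid=1001)'

# check_export_idmap PASSWD_LINE EXPORTS_LINE  (hypothetical helper name)
# Prints one line per problem; returns 0 if every client entry matches.
check_export_idmap() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    gid=$(printf '%s\n' "$1" | cut -d: -f4)
    rc=0
    n=0
    # Drop the exported path, then put each client(options) entry on its own line.
    entries=$(printf '%s\n' "$2" | sed 's/^[^[:space:]]*[[:space:]]*//' | tr -s ' \t' '\n\n')
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        n=$((n + 1))
        client=${entry%%\(*}
        opts=${entry#*\(}
        opts=${opts%\)}
        case ",$opts," in
            *,all_squash,*) ;;
            *) echo "$client: all_squash missing, client uids are passed through"; rc=1 ;;
        esac
        case ",$opts," in
            *",anonuid=$uid,"*) ;;
            *) echo "$client: anonuid does not match uid $uid"; rc=1 ;;
        esac
        case ",$opts," in
            *",anongid=$gid,"*) ;;
            *) echo "$client: anongid does not match gid $gid"; rc=1 ;;
        esac
    done <<EOF
$entries
EOF
    [ "$n" -gt 0 ] || { echo "no client entries found"; rc=1; }
    return $rc
}
```

On a live system, pass the real lines instead, for example `check_export_idmap "$(grep '^open-xchange:' /etc/passwd)" "$(grep '^/var/opt/filestore' /etc/exports)"`.<br />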
=== Testing the distributed file storage ===<br />
Mount the filestore manually on both Open-Xchange Server nodes to check if the connection works properly<br />
$ mount /var/opt/filestore<br />
<br />
To test the distributed storage, create a file on one Open-Xchange Server node as user ''open-xchange''<br />
$ su open-xchange<br />
$ touch /var/opt/filestore/foo<br />
<br />
Then check if the file is available and writeable at the other node also as user ''open-xchange''<br />
$ su open-xchange<br />
$ ls -la /var/opt/filestore<br />
$ rm /var/opt/filestore/foo</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=Template:OXLoadBalancingClustering_Database&diff=6943Template:OXLoadBalancingClustering Database2011-01-25T12:53:11Z<p>Bartl3by: Created page with "=== Master configuration === Open the MySQL configuration file with you favorite editor $ vim /etc/mysql/my.cnf Modify or enable the following configuration options bindaddres..."</p>
<hr />
<div>=== Master configuration ===<br />
Open the MySQL configuration file with your favorite editor<br />
$ vim /etc/mysql/my.cnf<br />
<br />
Modify or enable the following configuration options<br />
bind-address = 10.20.30.217<br />
server-id = 1<br />
log_bin = /var/log/mysql/mysql-bin.log<br />
<br />
* ''bind-address'' specifies the network address where MySQL is listening for network connections. Since the MySQL slave and both Open-Xchange Servers are dedicated machines, the master must be accessible through the network.<br />
* ''server-id'' is just a number within an environment with multiple MySQL servers. It needs to be unique for each server.<br />
* ''log_bin'' enables the MySQL binary log which is required for Master/Slave replication. In general every statement triggered at the database is stored there to get distributed through the database cluster.<br />
<br />
To apply the configuration changes, restart the MySQL server.<br />
$ /etc/init.d/mysql restart<br />
<br />
Then login to MySQL with the credentials given at the MySQL installation process<br />
$ mysql -u root -p<br />
Enter password:<br />
<br />
Configure replication permissions for the MySQL slave server and the MySQL user "replication". This account is used by the MySQL slave to get database updates from the master. Please choose a strong password here.<br />
mysql> GRANT REPLICATION SLAVE ON *.* TO 'replication'@'10.20.30.219' IDENTIFIED BY 'secret';<br />
<br />
Now setup access for the Open-Xchange Server database user ''openexchange'' to configdb and the groupware database for both groupware server addresses. These databases do not exist yet, but will be created during the Open-Xchange Server installation.<br />
mysql> GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'10.20.30.213' IDENTIFIED BY 'secret';<br />
mysql> GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'10.20.30.215' IDENTIFIED BY 'secret';<br />
<br />
Verify that the MySQL master is writing a binary log and remember the values<br />
mysql> SHOW MASTER STATUS;<br />
+------------------+----------+--------------+------------------+<br />
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |<br />
+------------------+----------+--------------+------------------+<br />
| mysql-bin.000001 | 1082| | |<br />
+------------------+----------+--------------+------------------+<br />
<br />
Copy the MySQL master binary log and the index file to the slave. This is required for initial synchronization.<br />
$ scp /var/log/mysql/mysql-bin.* root@10.20.30.219:/var/log/mysql<br />
<br />
=== Slave configuration ===<br />
<br />
Set the MySQL system user as owner to the binary log that has just been copied to the slave.<br />
$ chown mysql:adm /var/log/mysql/*<br />
<br />
Open the MySQL configuration file with your favorite editor<br />
$ vim /etc/mysql/my.cnf<br />
<br />
Modify or enable the following configuration options. Just like the master, the slave requires a unique ''server-id'' and needs to listen to an external network address. Activating the binary log is not required at the slave.<br />
bind-address = 10.20.30.219<br />
server-id = 2<br />
<br />
To apply the configuration changes, restart the MySQL server.<br />
$ /etc/init.d/mysql restart<br />
<br />
Then login to MySQL with the credentials given at the MySQL installation process<br />
$ mysql -u root -p<br />
Enter password:<br />
<br />
Configure the replication from the master based on the 'replication' user and the master's binary log status. The values for ''MASTER_LOG_FILE'' and ''MASTER_LOG_POS'' must equal the output of the ''SHOW MASTER STATUS'' command at the MySQL master.<br />
mysql> CHANGE MASTER TO MASTER_HOST='10.20.30.217', MASTER_USER='replication', MASTER_PASSWORD='secret', MASTER_LOG_FILE='mysql-bin.000001', MASTER_LOG_POS=1082;<br />
<br />
Now setup access for the Open-Xchange Server database user 'openexchange' to configdb and the oxdb for both groupware server addresses. These databases do not exist yet, but will be created during the Open-Xchange Server installation.<br />
mysql> GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'10.20.30.213' IDENTIFIED BY 'secret';<br />
mysql> GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'10.20.30.215' IDENTIFIED BY 'secret';<br />
<br />
Start the MySQL slave replication<br />
mysql> START SLAVE;<br />
<br />
Check the slave status. Sometimes it can take a while until the replication starts. ''Slave_IO_Running'' shows that the MySQL slave is exchanging data with the MySQL master.<br />
mysql> SHOW SLAVE STATUS \G<br />
Slave_IO_Running: Yes<br />
Slave_SQL_Running: Yes<br />
<br />
Also check the syslog to see whether the replication has been successfully started<br />
$ tail -fn20 /var/log/syslog<br />
Jul 26 19:03:45 dbslave mysqld[4718]: 090726 19:03:45 [Note] Slave I/O thread: connected to master 'replication@10.20.30.217:3306', replication started in log 'mysql-bin.000001' at position 1082<br />
<br />
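The manual status check above can be scripted for monitoring. This is an added example, not part of the original guide: it classifies the text of ''SHOW SLAVE STATUS \G''. The sample status is constructed from the addresses and log values on this page, and the function names are hypothetical.<br />

```shell
#!/bin/sh
# Added example: classify replication state from `SHOW SLAVE STATUS \G` text.
# SAMPLE_STATUS is constructed; host and log values are the ones used on this page.

SAMPLE_STATUS='
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 10.20.30.217
                  Master_User: replication
              Master_Log_File: mysql-bin.000001
          Read_Master_Log_Pos: 1082
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
                   Last_Error:
        Seconds_Behind_Master: 0
'

# status_field NAME STATUS_TEXT -> value of one "Name: value" row (may be empty)
status_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# slave_state STATUS_TEXT EXPECTED_MASTER  (hypothetical helper name)
# Echoes ok | starting | wrong-master | broken: <error>; returns 0 only for ok.
slave_state() {
    io=$(status_field Slave_IO_Running "$1")
    sql=$(status_field Slave_SQL_Running "$1")
    host=$(status_field Master_Host "$1")
    # A slave pointed at an unexpected master is a finding even if both threads run.
    if [ "$host" != "$2" ]; then
        echo wrong-master; return 1
    fi
    if [ "$io" = Yes ] && [ "$sql" = Yes ]; then
        echo ok; return 0
    fi
    # The I/O thread reports Connecting while it is still reaching the master.
    if [ "$io" = Connecting ] && [ "$sql" = Yes ]; then
        echo starting; return 2
    fi
    echo "broken: $(status_field Last_Error "$1")"; return 1
}

# Live use (assumes a working local client login):
#   slave_state "$(mysql -e 'SHOW SLAVE STATUS\G')" 10.20.30.217
```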
=== Testing Master/Slave ===<br />
<br />
On the master, create a new database in MySQL:<br />
mysql> CREATE DATABASE foo;<br />
<br />
Check if this database is available on the slave:<br />
mysql> SHOW DATABASES;<br />
+--------------------+<br />
| Database |<br />
+--------------------+<br />
| information_schema |<br />
| foo |<br />
| mysql |<br />
+--------------------+<br />
<br />
Delete the database on the master<br />
mysql> DROP DATABASE foo;<br />
<br />
Check if the database has been removed at the slave<br />
mysql> SHOW DATABASES;<br />
+--------------------+<br />
| Database |<br />
+--------------------+<br />
| information_schema |<br />
| mysql |<br />
+--------------------+</div>Bartl3byhttps://oxpedia.org/wiki/index.php?title=File:SaaS-100k-1.jpg&diff=6942File:SaaS-100k-1.jpg2011-01-25T09:52:15Z<p>Bartl3by: </p>
<hr />
<div></div>Bartl3by