AppSuite:OX Guard
IN PRODUCTION - OX Guard
OX Guard is a security solution that provides protection for email communications and files alike. Fully integrated with OX as a Service, it allows users to send and read encrypted messages and store and share encrypted files – and requires no additional setup or knowledge. It works seamlessly for OX as a Service users, and also supports non-OX as a Service usage scenarios. OX Guard offers a simple way to increase security by limiting the opportunity for unauthorized access while data is en route or in storage, creating extra peace of mind.
This article will guide you through the installation of Guard, it describes the basic configuration and software requirements. As it is intended as a quick walk-through it assumes an existing installation of the operating system including a single server App Suite setup as well as average system administration skills. More, this guide will show you how to setup a basic installation with none of the typically used distributed environment settings. The objective of this guide is:
- To setup a single server installation
- To setup a single Guard instance on an existing Open-Xchange installation, no cluster
- To use the database service on the existing Open-Xchange installation for Guard, no replication
- To provide a basic configuration setup, no mailserver configuration
Key features
- Simple security at the touch of a button
- Provides user based security - Separate from provider
- Supplementary security to Provider based security - Layered
- Powerful features yet simple to use and understand
- Holistic security - Inside and outside of the OX environment
- Email and Drive integration
- Uses proven PGP security
Availability
A variety of options:
- Fully hosted with OX as a Service
- All on site (large scale customers solution)
IMPORTANT: If an OX App Suite customer would like to evaluate OX Guard integration, the first step is to contact OX Sales. OX Sales will work on the request to send prices and license/API (for the hosted infrastructure) key to customer.
Additionally, OX Guard will be provided via the OX as a Service which provides a best in class Email & Collaboration services to customers without becoming a cloud service provider supplying the hardware and software necessary for the services. Please contact Open-Xchange Sales for further information and pricing details.
Requirements
Please review following URL for remaining requirements OX Guard Requirements
Since Guard is a Microservice it can either be added to an existing Open-Xchange installation or it can be deployed on a dedicated environment without having any of the other Open-Xchange App Suite core services installed. Still, an OX App Suite v7.6.0 or later is required to operate this extension both in a single or multi server environment.
Prerequisites:
- Open-Xchange REST API
- Grizzly HTTP connector (open-xchange-grizzly)
- A supported Java Virtual Machine (Java 7)
- An Open-Xchange App Suite installation v7.6.0 or later
- Please Note: To get in favor of the latest minor features and bugfixes, you need to have a valid license. The article Updating OX-Packages explains how that can be done.
Download and Installation
Redhat Enterprise Linux 6 or CentOS 6
If not already done, add the following repositories to your Open-Xchange yum configuration:
[open-xchange-guard-stable-7.6.0] name=Open-Xchange-guard-stable-7.6.0 baseurl=https://LDBUSER:LDBPASSWORD@software.open-xchange.com/components/guard/stable/7.6.0/RHEL6/ gpgkey=https://software.open-xchange.com/oxbuildkey.pub enabled=1 gpgcheck=1 metadata_expire=0m
and run
$ yum update $ yum install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static
Debian GNU/Linux 6.0
If not already done, add the following repositories to your Open-Xchange apt configuration:
deb https://LDBUSER:LDBPASSWORD@software.open-xchange.com/components/guard/stable/7.6.0/DebianSqueeze /
and run
$ apt-get update $ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static
Debian GNU/Linux 7.0
If not already done, add the following repositories to your Open-Xchange apt configuration:
deb https://LDBUSER:LDBPASSWORD@software.open-xchange.com/components/guard/stable/7.6.0/DebianWheezy /
and run
$ apt-get update $ apt-get install open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static
SUSE Linux Enterprise Server 11
Add the package repository using zypper if not already present:
$ zypper ar https://LDBUSER:LDBPASSWORD@software.open-xchange.com/components/guard/stable/7.6.0/SLES11 guard-stable-7.6.0
and run
$ zypper ref $ zypper in open-xchange-rest open-xchange-guard open-xchange-guard-ui open-xchange-guard-ui-static
Configuration
The following gives an overview about the most important settings to enable Guard for users on the Open-Xchange installation. Some of those settings have to be modified in order to establish the database and REST API access from the Guard service. All settings regarding the Guard backend component are located in the configuration file guard.properties located in /opt/open-xchange/guard/etc. The default configuration should be sufficient for a basic "up-and-running" setup (with the exception of defining the database username and password). Please refer to the inline documentation of the configuration file for more advanced options.
$ vim /opt/open-xchange/guard/etc/guard.properties
Open-Xchange config_db host - Guard will establish a connection to the config_db
com.openexchange.guard.configdbHostname=localhost
Guard database for storing user keys
com.openexchange.guard.oxguardDatabaseHostname=localhost
Username and Password for the two databases above
com.openexchange.guard.databaseUsername=openexchange com.openexchange.guard.databasePassword=db_password
Open-Xchange REST API host
com.openexchange.guard.restApiHostname=localhost
External URL for this Open-Xchange installation. This setting will be used to generate the link to the secure content for external recipients
com.openexchange.guard.externalEmailURL=somewhere.com
Configure services
Apache
Configure the mod_proxy_http module by adding the Guard API.
Redhat Enterprise Linux 6 or CentOS 6
$ vim /etc/httpd/conf.d/proxy_http.conf
Debian GNU/Linux 7.0 and SUSE Linux Enterprise Server 11
$ vim /etc/apache2/conf.d/proxy_http.conf
<Proxy balancer://oxguard>
Order deny,allow
Allow from all, add
BalancerMember http://localhost:8080/oxguard timeout=1800 smax=0 ttl=60 retry=60 loadfactor=100 route=OX1
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=ON
SetEnv proxy-initial-not-pooled
SetEnv proxy-sendchunked
</Proxy>
<Proxy /appsuite/api/oxguard>
ProxyPass balancer://oxguard
</Proxy>
- Please Note:** The Guard API settings should be inserted before the existing “<Proxy /appsuite/api>” parameter.
After the configuration is done, restart the Apache webserver
$ apachectl restart
Open-Xchange
Please add the following settings to the permission settings configuration file of the Open-Xchange backend servers:
$ vim /opt/open-xchange/etc/permissions.properties
# OX GUard general permission com.openexchange.capability.guard=true
Initiating the Guard database and key store
Once the Guard configuration (database and backend configuration) as well as the service configuration has been applied the Guard administration script needs to be executed in order to create the Guard databases. The administration script takes also care about the creation of the master keys and the master password file in /opt/open-xchange/guard. The initiation only needs to be done once for a multi server setup, for details please see “Optional / Clustering”.
/opt/open-xchange/guard/sbin/guard init
- Please Note:** The It is important to understand that the master password file located at /opt/open-xchange/guard/oxguardpass is required to reset user passwords, without them the administrator will not be able to reset user passwords anymore in the future. The file contains the passwords used to encrypt the master database key, as well as passwords used to encrypt protected data in the users table.
Start Guard
The services have been configured and the database has been initiated, it's time to start Guard
$ /etc/init.d/open-xchange-guard start
Enabling Guard for Users
Guard provides two capabilities for users in the environment:
* **Guard Mail:** com.openexchange.capability.guard:mail * **Guard Drive:** com.openexchange.capability.guard:drive
Each of those two Guard components is enabled for all users that have the according capability configured. Please note that users need to have the Drive permission set to use Guard Drive. So the users that have Guard Drive enabled must be a subset of those users with infostore permission. Since 7.6.0 we enforce this via the default configuration. Those capabilities can be activated for specific user by using the Open-Xchange provisioning scripts:
- Guard Mail:**
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:mail=true
- Guard Drive:**
$ /opt/open-xchange/sbin/changeuser -c 1 -A oxadmin -P admin_password -u testuser --config/com.openexchange.capability.guard:drive=true
- Please Note:** Guard Drive requires Guard Mail to be configured for the user as well.
Optional
SSL Configuration
Per default the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though that Guard will never transmit unencrypted emails to or from the REST API you can optionally encrypt the whole communication between those two components by using SSL. To enforce Guard to use SSL in the communication between those two components enable the follwing configurations in Guard configuration file. Please note that you have to provide access to the certificates.
$ vim /opt/open-xchange/guard/etc/guard.properties
com.openexchange.guard.useSSL: true
com.openexchange.guard.SSLPort: 8443
com.openexchange.guard.SSLKeyStore: //keystore location//
com.openexchange.guard.SSLKeyName: //alias name here//
com.openexchange.guard.SSLKeyPass: //ssl password//
- Please note:** Enabling SSL might decrease performance and/or create more system load due to additional encoding of the HTTP streams.