Difference between revisions of "Regify provider appliance tech"

From regify WIKI
(44 intermediate revisions by the same user not shown)
Line 1: Line 1:
== PostFix ==
+
== Appliance Tips ==
 +
=== Appliance Shutdown ===
 +
If you like to '''turn off the regify Provider Appliance''', exit the appliance menu, login as <u>root</u> and enter
 +
> shutdown -h now
 +
 
 +
It may be you need to use '''sudo''', if you only logged in using 'regify' or you used the 'drop to shell' option.
 +
 
 +
=== Activating regibox ===
 +
In order to activate regibox on your regify provider, please follow those steps:
 +
# Make sure that you run the moste recent appliance version (Appliance-menu "Check for Updates").
 +
# Provide an [[Hardware#regibox_storage|adequate SMB-share]] in your network-range.
 +
# Activate regibox in your provider appliance menu and enter the SMB path (check regify provider appliance manual).
 +
# If your regify provider is not installed in 2016 or later, you may need to activate the menu-option "X" (Web-Admin -> "Manage sub-providers" -> "Manage sub-provider menu flags"). This must be done for every sub-provider (if you have some).
 +
# If you like to activate regibox by default for all new regify accounts, please edit the ''regify-provider main configuration file'' and add<br /><span style="color:blue;font-family: courier;">define('ENABLE_RGB_FOR_ALL', TRUE);</span><br />(Web-Admin -> "Manage sub-providers" -> "Edit main provider configuration file"). If you do not set this flag, new regify users will not have regibox activated by default.<br>'''Important:''' Activated regibox users cause cost, based on the regular regify price list!
 +
# You can also re-define the regibox default size for all users with no individual regibox size (default is 2GB). For this, add the following to your ''regify-provider main configuration file'':<br /><span style="color:blue; font-family: courier;">define('MAXBOXSIZE', 5);</span> <span style="color:#777777;font-family: courier;">// new default size 5 GB</span><br />This will set the default size to 5GB. If needed, you can overwrite the default value in the individual users product settings.
 +
 
 +
=== PostFix E-Mail Service ===
 
The regify Provider Appliance runs a PostFix server as MTA or SmartHost. You can use the following tricks to get a closer look:
 
The regify Provider Appliance runs a PostFix server as MTA or SmartHost. You can use the following tricks to get a closer look:
 +
 +
To '''show the mail log''' (continuously):
 +
> tail -f /var/log/maillog
 +
 +
To '''investigate the mail log''' (look and search using [https://www.linux.com/tutorials/vim-101-beginners-guide-vim/ vim]):
 +
> vim /var/log/maillog
  
 
To see the '''queue status''':
 
To see the '''queue status''':
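Review bot: In the new "Activating regibox" list, step 5 puts the '''Important:''' cost warning at the very end of the item, after the define and the menu path, where it is easy to miss; move it ahead of define('ENABLE_RGB_FOR_ALL', TRUE); so it is read before the flag is set. Step 1 has the typo "moste recent", and steps 5 and 6 mix <br /> with <br>; use one form.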
Line 8: Line 30:
 
  > postqueue -f
 
  > postqueue -f
  
To '''show mail log''' (continuously):
+
'''Delete all deferred messages''' in your mailqueue (remove all hanging and/or delayed):
  > tail -f /var/log/maillog
+
  > postsuper -d ALL deferred
 +
 
 +
'''Delete a specific message''' (get Queue ID from '''mailq''' command)
 +
> postsuper -d Queue ID
  
== Logfiles ==
+
=== Logfiles ===
 
You can find most logs in
 
You can find most logs in
 
  > /var/log/
 
  > /var/log/
 
  > /var/log/httpd/
 
  > /var/log/httpd/
  
Additionally, the regify-provider does its own daily logging about provider business:
+
=== Timeserver ===
> /opt/provider/REGIFY_LOGS/
+
Sometimes it happens that your NTP does not sync because of a difference that is to big. You can force a re-sync with the following lines (as root):
 +
 
 +
systemctl stop ntpd
 +
ntpdate 0.pool.ntp.org
 +
systemctl start ntpd
 +
 
 +
== Networking ==
 +
=== SSH login information ===
 +
In order to find out what source IP address your current SSH session is using, try this:
 +
 
 +
echo $SSH_CLIENT
 +
 
 +
This is very useful for limiting the SSH access in "Network..." -> "Advanced Settings..." -> "SSH settings".
 +
 
 +
=== Networking Diagnostics ===
 +
'''If you have any other networking issues, please always use the diagnostics first!''' Enter your regify appliance menu (from command line type "providerConfig" or "regigateConfig" if you are not yet in the menu) and go to "Network..." -> "Run Diagnostics". The result should point you to most of the possible sources.
  
 
== Certificates ==
 
== Certificates ==
The installed certificates are located at
+
=== Upgrade or renew existing SSL certificate ===
/etc/pki/tls/certs
+
'''NOTE:''' All your certificates and key must be in PEM-Format. The regify appliance can not deal with IIS-Certificates like .cer or .p7 formats. If you only have such, you may want to convert using OpenSSL (google is your friend).
/etc/pki/tls/private
 
While installing SSL certificates by using the applicance SSH menu, please ensure that you copy the complete certificate chain including the root CA and the private key. The order of the entries does not matter.
 
  
== Appliance ==
+
In order to upgrade/renew an existing SSL certificate, simply follow this guide:
If you like to '''turn off the regify Provider Appliance''', exit the appliance menu, login as <u>root</u> and enter
+
* '''Step 1:''' Get certificate signing request
> shutdown -h now
+
** Login to regify provider appliance menu (SSH or PuTTY)
 +
*** Hint: If you login with ''root'', you need to type ''providerConfig'' to run the menu.
 +
** Enter "Provider..." -> "Edit Subprovider..." and select your provider to update
 +
** Select "Show Cert Request"
 +
** Fill in or update your certificate values (or simply select "OK")
 +
** Copy the certificate request and use this to let it sign by your certificate vendor (please ensure compatibility for Apache or ModSSL)
 +
* '''Step 2:''' Prepare the signed certificate
 +
** In most cases, the certificate you bought consists of the final certificate and some more intermediate certificates.
 +
** It turned out to be helpful if you open up your favorite text editor to copy all intermediate certificates and the final signed certificate into one file.
 +
** The order is not important. Only your signed cert and all intermediate certs must be in here.
 +
** Use this compiled information for copy & paste in the next step.
 +
* '''Step 3:''' Install signed certificate
 +
** Login to regify provider appliance menu (SSH or PuTTY)
 +
*** Hint: If you login with ''root'', you need to type ''providerConfig'' to run the menu.
 +
** Enter "Provider..." -> "Edit Subprovider..." and select your provider to update
 +
** Select "Import Cert & Optionally Key"
 +
** Paste the signed certificate and all intermediate certificates (certificate chain) into the window and confirm using CTRL+D
 +
* '''Step 4:''' Test it
 +
** Please go to some SSL certificate test tool like [https://www.sslshopper.com/ssl-checker.html ssl-checker] and verify your domain for a valid certificate.
  
It may be you need to use '''sudo''', if you only logged in using 'regify' or you used the 'drop to shell' option.
+
If you have any problems on this, please contact support (at) regify.com.
  
 
== SMS gateway ==
 
== SMS gateway ==
You can find information about the SMS gateway at the [http://www.regify.com/?PageID=sms_gateway regify homepage].
+
You can find information about the SMS gateway at the [http://www.regify.com/?PageID=sms_gateway regify homepage]. Re-run your regify web administration wizard (provider maintenance dialogue) to change your SMS gateway settings.
 +
 
 +
== Changing the clearing password ==
 +
Beginning with regify provider V4.1, the hash-codes of the users passwords are encrypted using the SHA256 of the clearing password. Thus, if your clearing password has changed, it will need re-calculation of all encrypted passwords in the database. Luckily, there is a function in your provider maintenance dialogue to do this automatically. If you run a redundant system with some master-master or master-slave configuration, you need to update the clearing password on both systems. Follow this guide to do a clearing-password update:
  
== Database access ==
+
# Create a backup of your provider database (refer to [[#Backup_and_recovery]]).
In order to access the regify provider database directly, we recommend the following:
+
# Enter the provider maintenance dialogue of your regify provider web administration.
 +
# If you run a redundant system, please use a second web-browser instance now(!) and also login to the second one.
 +
# Make sure your system(s) are in maintenance mode. This prevents user from registering and log-in during your work. Normally, if clearing has changed the password, this happened automatically.
 +
# Enter the provider maintenance dialogue of your regify provider web administration.
 +
# Click "Change clearing password now" and activate the function.
 +
# Enter the old (current) clearing password and enter the new one (twice).
 +
# Click on "Change clearing password now" and start the recalculation.
 +
# If you do not run a redundant system, jump to the last step now.
 +
# Switch to the already open web administration of the second system.
 +
# Click "Change clearing password now" and activate the function.
 +
# Enter the old (current) clearing password and enter the new one (twice).
 +
# Click on "Change clearing password now" and start the recalculation.
 +
# Done. Validate all your login functions.
  
# Use [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html PuTTy] to access the system (like accessing the provider appliance menu). Please configure your PuTTY connection to create a port forwarding tunnel like in the screenshot. This is to tunnel the remote systems port 3306 to your local client machines port 3306.
+
== Install VMWare Tools ==
# Use a tool like [http://www.heidisql.com/ HeidiSQL] to access the now local available MySQL database.
 
# '''PLEASE BE CAREFUL!''' You now have full control over the database!
 
  
<gallery>
+
1) Please respect the licence and support information about third party software on the regify provider appliance. You can find this information in your regify appliance manual. In short words, you are not allowed to install anything except software that is essentially needed for running the appliance on a virtual environment. No other RPM repositories allowed!
File:PuTTY_SQL.png|Configure MySQL tunnel in PuTTY
 
File:HeidiSQL.png|Setup HeidiSQL to access local database
 
</gallery>
 
  
== Install VMWare Tools ==
+
2) Chose to install or update VMWare tools for your virtual machine. This will create a new CD rom device for the regify provider software appliance.
1) Chose to install or update VMWare tools for your virtual machine. This will create a new CD rom device for the regify provider software appliance.
 
  
2) Enter in terminal:
+
3) Enter in terminal:
 
  mkdir /mnt/cdrom
 
  mkdir /mnt/cdrom
 
  mount /dev/cdrom /mnt/cdrom
 
  mount /dev/cdrom /mnt/cdrom
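Review bot: In the new "Changing the clearing password" list, the item "Enter the provider maintenance dialogue of your regify provider web administration." appears twice (steps 2 and 5), and step 1 links to [[#Backup_and_recovery]], for which no heading is visible in this revision. Drop the repeated step and point the backup link at a section that exists. In the PostFix part, "postsuper -d Queue ID" reads as two separate arguments; mark the placeholder, for example as <Queue ID>. The Timeserver text has "to big" for "too big".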
Line 62: Line 127:
 
Sometimes, you might need to mount '''/dev/sr0''' instead of '''/dev/cdrom'''.
 
Sometimes, you might need to mount '''/dev/sr0''' instead of '''/dev/cdrom'''.
  
3) Check if the VMWare tools are running:
+
4) Check if the VMWare tools are running:
 
  /etc/init.d/vmware-tools status
 
  /etc/init.d/vmware-tools status
 +
 +
== Manually run the updates ==
 +
In order to manually run the updates for the provider and regigate without SSH GUI, simply execute
 +
 +
yum upgrade
 +
 +
== Enable NAGIOS support ==
 +
Please note that we ship the NAGIOS modules. But you need to know and understand NAGIOS and how it works. regify does not support you in setting up your monitoring environment.
 +
 +
To enable NRPE, edit '''/etc/nagios/nrpe.cfg''' to fit your needs followed by
 +
 +
chkconfig nrpe on
 +
/etc/init.d/nrpe start
 +
 +
Now the firewall must get opened. Open '''/etc/sysconfig/iptables''' and locate the following line:
 +
-A INPUT -i lo -j ACCEPT
 +
 +
Below this, please add the following new line:
 +
-A INPUT -m state --state NEW -s <your_nagios_ip> -m tcp -p tcp  --dport 5666 -j ACCEPT
 +
 +
Now save and close these changes.
 +
 +
To enable the new rule, restart iptables:
 +
 +
/etc/init.d/iptables restart
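Review bot: The "Enable NAGIOS support" text limits port 5666 to <your_nagios_ip> in iptables but leaves the daemon side at "edit /etc/nagios/nrpe.cfg to fit your needs". Name the allowed_hosts setting in that file and say it should carry the same address, so the firewall rule and NRPE agree on who may connect. In the VMWare Tools step, "Chose" should be "Choose".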

Revision as of 16:31, 7 February 2023

Appliance Tips

Appliance Shutdown

If you would like to turn off the regify Provider Appliance, exit the appliance menu, log in as root and enter:

> shutdown -h now

You may need to use sudo if you only logged in as 'regify' or used the 'drop to shell' option.

Activating regibox

In order to activate regibox on your regify provider, please follow these steps:

  1. Make sure that you run the most recent appliance version (Appliance-menu "Check for Updates").
  2. Provide an adequate SMB share in your network range.
  3. Activate regibox in your provider appliance menu and enter the SMB path (check the regify provider appliance manual).
  4. If your regify provider was not installed in 2016 or later, you may need to activate the menu option "X" (Web-Admin -> "Manage sub-providers" -> "Manage sub-provider menu flags"). This must be done for every sub-provider (if you have any).
  5. If you would like to activate regibox by default for all new regify accounts, please edit the regify-provider main configuration file and add
    define('ENABLE_RGB_FOR_ALL', TRUE);
    (Web-Admin -> "Manage sub-providers" -> "Edit main provider configuration file"). If you do not set this flag, new regify users will not have regibox activated by default.
    Important: Activated regibox users cause cost, based on the regular regify price list!
  6. You can also re-define the regibox default size for all users with no individual regibox size (default is 2GB). For this, add the following to your regify-provider main configuration file:
    define('MAXBOXSIZE', 5); // new default size 5 GB
    This will set the default size to 5GB. If needed, you can override the default value in the individual user's product settings.

PostFix E-Mail Service

The regify Provider Appliance runs a PostFix server as MTA or SmartHost. You can use the following tricks to get a closer look:

To show the mail log (continuously):

> tail -f /var/log/maillog

To investigate the mail log (look and search using vim):

> vim /var/log/maillog

To see the queue status:

> mailq

To flush the mail queue (for example, after you changed something):

> postqueue -f

Delete all deferred messages in your mail queue (removes all hanging and/or delayed messages):

> postsuper -d ALL deferred

Delete a specific message (get the queue ID from the mailq command):

> postsuper -d <Queue ID>
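
As an added example (not part of the original wiki page or of regify's tooling), the following shell function summarises deferred deliveries in the mail log per queue ID, so that single messages can be reviewed and removed with postsuper -d instead of deleting everything that is deferred. It assumes the default Postfix syslog line layout; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list deferred deliveries per queue ID from a Postfix mail log.
# Output, one line per queue ID:
#   <queue_id> <deferred attempts> <recipient> <last deferral reason>

deferred_summary() {
    # $1 = path to the mail log (defaults to the appliance's /var/log/maillog)
    awk '
    /status=deferred/ {
        # The queue ID is the field right after "postfix/<daemon>[pid]:"
        qid = ""
        for (i = 1; i < NF; i++)
            if ($i ~ /^postfix\/[a-z]+\[[0-9]+\]:$/) { qid = $(i + 1); break }
        if (qid == "") next
        sub(/:$/, "", qid)

        rcpt = "-"
        if (match($0, /to=<[^>]*>/))
            rcpt = substr($0, RSTART + 4, RLENGTH - 5)

        # Text between "status=deferred (" and the closing ")" at end of line
        reason = "-"
        if (match($0, /status=deferred \(.*\)$/))
            reason = substr($0, RSTART + 17, RLENGTH - 18)

        if (!(qid in count)) order[++n] = qid
        count[qid]++
        last_rcpt[qid] = rcpt
        last_reason[qid] = reason
    }
    END {
        for (i = 1; i <= n; i++) {
            q = order[i]
            printf "%s %d %s %s\n", q, count[q], last_rcpt[q], last_reason[q]
        }
    }' "${1:-/var/log/maillog}"
}

# Constructed sample log lines (documentation addresses, not real traffic).
sample_maillog() {
cat <<'EOF'
Feb  7 16:20:01 appliance postfix/smtp[2101]: 4F1A22C0D1: to=<alice@example.org>, relay=none, delay=120, delays=0.1/0/120/0, dsn=4.4.1, status=deferred (connect to mx.example.org[192.0.2.10]:25: Connection timed out)
Feb  7 16:20:05 appliance postfix/smtp[2102]: 7B3C91E0A2: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9D2E1)
Feb  7 16:50:01 appliance postfix/smtp[2140]: 4F1A22C0D1: to=<alice@example.org>, relay=none, delay=1920, delays=1800/0.1/120/0, dsn=4.4.1, status=deferred (connect to mx.example.org[192.0.2.10]:25: Connection timed out)
Feb  7 16:51:10 appliance postfix/smtp[2141]: A09D4410F3: to=<carol@example.com>, relay=mx.example.com[203.0.113.5]:25, delay=2.4, delays=0.1/0/1.1/1.2, dsn=4.7.1, status=deferred (host mx.example.com[203.0.113.5] said: 450 4.7.1 Greylisted (in reply to RCPT TO command))
EOF
}

# Usage on the appliance:  deferred_summary /var/log/maillog
# Try it offline:          sample_maillog > /tmp/maillog.sample; deferred_summary /tmp/maillog.sample
```

A queue ID that keeps timing out against the same host is a candidate for postsuper -d; a greylisting deferral normally clears on the next retry and is better left in the queue.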

Logfiles

You can find most logs in

> /var/log/
> /var/log/httpd/

Timeserver

Sometimes your NTP does not sync because the time difference is too big. You can force a re-sync with the following lines (as root):

systemctl stop ntpd
ntpdate 0.pool.ntp.org
systemctl start ntpd

Networking

SSH login information

In order to find out what source IP address your current SSH session is using, try this:

echo $SSH_CLIENT

This is very useful for limiting the SSH access in "Network..." -> "Advanced Settings..." -> "SSH settings".

Networking Diagnostics

If you have any other networking issues, please always use the diagnostics first! Enter your regify appliance menu (from command line type "providerConfig" or "regigateConfig" if you are not yet in the menu) and go to "Network..." -> "Run Diagnostics". The result should point you to most of the possible sources.

Certificates

Upgrade or renew existing SSL certificate

NOTE: All your certificates and the key must be in PEM format. The regify appliance cannot deal with IIS certificates like .cer or .p7 formats. If you only have such files, you may want to convert them using OpenSSL (google is your friend).

In order to upgrade/renew an existing SSL certificate, simply follow this guide:

  • Step 1: Get certificate signing request
    • Log in to the regify provider appliance menu (SSH or PuTTY)
      • Hint: If you log in as root, you need to type providerConfig to run the menu.
    • Enter "Provider..." -> "Edit Subprovider..." and select your provider to update
    • Select "Show Cert Request"
    • Fill in or update your certificate values (or simply select "OK")
    • Copy the certificate request and have it signed by your certificate vendor (please ensure compatibility with Apache or ModSSL)
  • Step 2: Prepare the signed certificate
    • In most cases, the certificate you bought consists of the final certificate and some more intermediate certificates.
    • It has turned out to be helpful to open your favorite text editor and copy all intermediate certificates and the final signed certificate into one file.
    • The order is not important. Only your signed cert and all intermediate certs must be in here.
    • Use this compiled information for copy & paste in the next step.
  • Step 3: Install signed certificate
    • Log in to the regify provider appliance menu (SSH or PuTTY)
      • Hint: If you log in as root, you need to type providerConfig to run the menu.
    • Enter "Provider..." -> "Edit Subprovider..." and select your provider to update
    • Select "Import Cert & Optionally Key"
    • Paste the signed certificate and all intermediate certificates (certificate chain) into the window and confirm using CTRL+D
  • Step 4: Test it
    • Please go to an SSL certificate test tool like ssl-checker and verify that your domain presents a valid certificate.

If you have any problems with this, please contact support (at) regify.com.
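
As an added example (not part of the original wiki page or of the appliance), the following shell function checks the file prepared in Step 2 before it is pasted in Step 3: it rejects PKCS#7 and binary input, detects a cut-off or damaged PEM block, and reports how many certificates and private keys the file holds. It checks the PEM framing only, not signatures or chain order; the function names, exit codes and the sample bundle are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for a PEM bundle before pasting it into
# "Import Cert & Optionally Key".
# Exit codes (chosen for this example): 0 ok, 1 not PEM, 2 PKCS#7,
# 3 damaged or truncated PEM, 4 unreadable file.

check_pem_bundle() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 4; }
    if grep -q -- '-----BEGIN PKCS7-----' "$1"; then
        echo "PKCS#7 container, convert first: openssl pkcs7 -print_certs -in FILE -out bundle.pem"
        return 2
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        # Typical for a binary (DER) .cer export; a binary .p7b needs
        # "openssl pkcs7 -inform der -print_certs" instead.
        echo "no PEM certificate found, convert first: openssl x509 -inform der -in FILE -out cert.pem"
        return 1
    fi
    awk '
        { sub(/\r$/, "") }                  # tolerate CRLF from Windows editors
        /^-----BEGIN CERTIFICATE-----$/ { if (inside) bad = 1; inside = 1; certs++; next }
        /^-----END CERTIFICATE-----$/   { if (!inside) bad = 1; inside = 0; next }
        # Inside a certificate block only base64 text is allowed
        inside && $0 != "" && $0 !~ /^[A-Za-z0-9+\/=]+$/ { bad = 1 }
        /^-----BEGIN .*PRIVATE KEY-----$/ { keys++ }
        END {
            if (inside || certs == 0) bad = 1   # last block never closed, or no clean header
            printf "certificates=%d private_keys=%d\n", certs, keys
            exit (bad ? 3 : 0)
        }' "$1"
}

# Constructed sample: two PEM-framed blocks with placeholder base64 bodies
# (structure only, these are not real certificates).
sample_bundle() {
cat <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLUxFQUYtQ0VSVElGSUNBVEU=
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLUlOVEVSTUVESUFURQ==
-----END CERTIFICATE-----
EOF
}

# Usage:  check_pem_bundle /path/to/bundle.pem && echo "ready to paste"
```

A count of one certificate where the vendor delivered intermediates means part of the chain is still missing from the file.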

SMS gateway

You can find information about the SMS gateway at the regify homepage. Re-run your regify web administration wizard (provider maintenance dialogue) to change your SMS gateway settings.

Changing the clearing password

Beginning with regify provider V4.1, the hash-codes of the users' passwords are encrypted using the SHA256 of the clearing password. Thus, if your clearing password has changed, all encrypted passwords in the database need to be re-calculated. Luckily, there is a function in your provider maintenance dialogue to do this automatically. If you run a redundant system with a master-master or master-slave configuration, you need to update the clearing password on both systems. Follow this guide to do a clearing-password update:

  1. Create a backup of your provider database (refer to #Backup_and_recovery).
  2. Enter the provider maintenance dialogue of your regify provider web administration.
  3. If you run a redundant system, please use a second web-browser instance now(!) and also log in to the second one.
  4. Make sure your system(s) are in maintenance mode. This prevents users from registering and logging in during your work. Normally, if clearing has changed the password, this happened automatically.
  5. Enter the provider maintenance dialogue of your regify provider web administration.
  6. Click "Change clearing password now" and activate the function.
  7. Enter the old (current) clearing password and enter the new one (twice).
  8. Click on "Change clearing password now" and start the recalculation.
  9. If you do not run a redundant system, jump to the last step now.
  10. Switch to the already open web administration of the second system.
  11. Click "Change clearing password now" and activate the function.
  12. Enter the old (current) clearing password and enter the new one (twice).
  13. Click on "Change clearing password now" and start the recalculation.
  14. Done. Validate all your login functions.

Install VMWare Tools

1) Please respect the licence and support information about third party software on the regify provider appliance. You can find this information in your regify appliance manual. In short, you are not allowed to install anything except software that is essentially needed for running the appliance in a virtual environment. No other RPM repositories are allowed!

2) Choose to install or update VMWare tools for your virtual machine. This will create a new CD-ROM device for the regify provider software appliance.

3) Enter in terminal:

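# Mount the VMWare tools CD and copy the archive off it
mkdir -p /mnt/cdrom
mount /dev/cdrom /mnt/cdrom
cp /mnt/cdrom/VMwareTools-*.tar.gz /tmp
umount /mnt/cdrom
# Unpack and run the installer with its default answers
tar -zxf /tmp/VMwareTools-*.tar.gz -C /tmp
cd /
./tmp/vmware-tools-distrib/vmware-install.pl --default
# Clean up the archive and the unpacked installer
rm -f /tmp/VMwareTools-*.tar.gz
rm -rf /tmp/vmware-tools-distrib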

Sometimes, you might need to mount /dev/sr0 instead of /dev/cdrom.

4) Check if the VMWare tools are running:

/etc/init.d/vmware-tools status

Manually run the updates

In order to manually run the updates for the provider and regigate without the SSH GUI, simply execute:

yum upgrade

Enable NAGIOS support

Please note that we ship the NAGIOS modules. But you need to know and understand NAGIOS and how it works. regify does not support you in setting up your monitoring environment.

To enable NRPE, edit /etc/nagios/nrpe.cfg to fit your needs, followed by:

chkconfig nrpe on
/etc/init.d/nrpe start

Now the firewall must be opened. Open /etc/sysconfig/iptables and locate the following line:

-A INPUT -i lo -j ACCEPT

Below this, please add the following new line:

-A INPUT -m state --state NEW -s <your_nagios_ip> -m tcp -p tcp --dport 5666 -j ACCEPT

Now save and close these changes.

To enable the new rule, restart iptables:

/etc/init.d/iptables restart