Regify provider appliance tech

From regify WIKI

Appliance Tips

Appliance Shutdown

To turn off the regify Provider Appliance, exit the appliance menu, log in as root and enter

> shutdown -h now

You may need to use sudo if you only logged in as 'regify' or used the 'drop to shell' option.

Activating regibox

In order to activate regibox on your regify provider, please follow these steps:

  1. Make sure that you run the most recent appliance version (Appliance-menu "Check for Updates").
  2. Provide an adequate SMB-share in your network-range.
  3. Activate regibox in your provider appliance menu and enter the SMB path (check regify provider appliance manual).
  4. If your regify provider was not installed in 2016 or later, you may need to activate the menu-option "X" (Web-Admin -> "Manage sub-providers" -> "Manage sub-provider menu flags"). This must be done for every sub-provider (if you have some).
  5. If you want to activate regibox by default for all new regify accounts, please edit the regify-provider main configuration file and add
    define('ENABLE_RGB_FOR_ALL', TRUE);
    (Web-Admin -> "Manage sub-providers" -> "Edit main provider configuration file"). If you do not set this flag, new regify users will not have regibox activated by default.
    Important: Activated regibox users cause cost, based on the regular regify price list!
  6. You can also re-define the regibox default size for all users with no individual regibox size (default is 2GB). For this, add the following to your regify-provider main configuration file:
    define('MAXBOXSIZE', 5); // new default size 5 GB
    This will set the default size to 5GB. If needed, you can override the default value in the individual user's product settings.

PostFix E-Mail Service

The regify Provider Appliance runs a PostFix server as MTA or SmartHost. You can use the following tricks to get a closer look:

To show the mail log (continuously):

> tail -f /var/log/maillog

To investigate the mail log (look and search using vim):

> vim /var/log/maillog

To see the queue status:

> mailq

To flush the mail queue (for example, after you changed something):

> postqueue -f

Delete all deferred messages in your mail queue (removes all hanging and/or delayed messages):

> postsuper -d ALL deferred

Delete a specific message (get the Queue ID from the mailq command):

> postsuper -d <Queue_ID>

Logfiles

You can find most logs in

> /var/log/
> /var/log/httpd/

Additionally, the regify-provider does its own daily logging about provider business:

> /opt/provider/REGIFY_LOGS/

Networking

SSH login information

In order to find out what source IP address your current SSH session is using, try this:

echo $SSH_CLIENT

This is very useful for limiting the SSH access in "Network..." -> "Advanced Settings..." -> "SSH settings".

Networking Diagnostics

If you have any other networking issues, please always use the diagnostics first! Enter your regify appliance menu (from command line type "providerConfig" or "regigateConfig" if you are not yet in the menu) and go to "Network..." -> "Run Diagnostics". The result should point you to most of the possible sources.

Certificates

Upgrade or renew existing SSL certificate

In order to upgrade/renew an existing SSL certificate, simply follow this guide:

  • Step 1: Get certificate signing request
    • Login to regify provider appliance menu (SSH or PuTTY)
    • Enter "Provider..." -> "Edit Subprovider..." and select your provider to update
    • Select "Show Cert Request"
    • Fill in or update your certificate values (or simply select "OK")
    • Copy the certificate request and have it signed by your certificate vendor (please ensure compatibility for Apache or ModSSL)
  • Step 2: Prepare the signed certificate
    • In most cases, the certificate you bought consists of the final certificate and some more intermediate certificates.
    • It has proven helpful to open your favorite text editor and copy all intermediate certificates and the final signed certificate into one file.
    • The order is not important. Only your signed cert and all intermediate certs must be in here.
    • Use this compiled information for copy & paste in the next step.
  • Step 3: Install signed certificate
    • Login to regify provider appliance menu (SSH or PuTTY)
    • Enter "Provider..." -> "Edit Subprovider..." and select your provider to update
    • Select "Import Cert & Optionally Key"
    • Paste the signed certificate and all intermediate certificates (certificate chain) into the window and confirm using CTRL+D
  • Step 4: Test it
    • Use an SSL certificate test tool like ssl-checker to verify that your domain presents a valid certificate.

If you have any problems with this, please contact support (at) regify.com.
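A pre-import check for the bundle from Step 2, as an added example that is not regify code: it finds the certificate that matches the CSR, confirms the issuing intermediate is in the same file regardless of order, and checks expiry. The function names and the throwaway CA used as constructed sample data are assumptions; only standard `openssl` subcommands are used.

```sh
# Added example, not regify code: pre-import checks for the bundle built in Step 2.

# Write each certificate block of bundle $1 to its own file in directory $2.
split_bundle() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
                     keep { print > (dir "/cert-" n ".pem") }
                     /-----END CERTIFICATE-----/ { keep = 0 }' "$1"
}

# Print the split file whose public key equals the one in CSR $2; fail if none does.
find_leaf() {
    want=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    for c in "$1"/cert-*.pem; do
        [ "$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null)" = "$want" ] && { echo "$c"; return 0; }
    done
    return 1
}

# Succeed if the issuer of certificate $2 appears as the subject of another file in $1.
issuer_in_bundle() {
    iss=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer= *//')
    for c in "$1"/cert-*.pem; do
        [ "$c" = "$2" ] && continue
        [ "$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')" = "$iss" ] && return 0
    done
    return 1
}

# $1 = pasted bundle, $2 = CSR from "Show Cert Request". Prints a verdict, returns 0 or 1.
check_bundle() {
    work=$(mktemp -d); rc=1
    split_bundle "$1" "$work"
    if ! leaf=$(find_leaf "$work" "$2"); then echo "no certificate matches the CSR"
    elif ! issuer_in_bundle "$work" "$leaf"; then echo "issuing intermediate is missing"
    elif ! openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null; then echo "certificate expired"
    else echo "bundle looks complete"; rc=0
    fi
    rm -rf "$work"; return $rc
}

# Constructed sample: a throwaway CA stands in for the vendor's intermediate certificate.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=provider.example" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
    cat "$1/leaf.crt" "$1/ca.crt" > "$1/bundle.pem"   # order is not important
}

demo=$(mktemp -d) && make_sample "$demo" && check_bundle "$demo/bundle.pem" "$demo/leaf.csr"; rm -rf "$demo"
```

The check does not validate the chain against a trust store; the external test in Step 4 still covers that.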

Location

Do not use this information to manually import SSL certificates! Please see the chapter above for some hints about upgrading SSL certs. The installed certificates are located at

/etc/pki/tls/certs
/etc/pki/tls/private

While installing SSL certificates by using the appliance SSH menu, please ensure that you copy the complete certificate chain including all intermediate certificates and the private key. The order of the entries does not matter.

SMS gateway

You can find information about the SMS gateway at the regify homepage. Re-run your regify web administration wizard (provider maintenance dialogue) to change your SMS gateway settings.

Changing the clearing password

Beginning with regify provider V4.1, the hash codes of the users' passwords are encrypted using the SHA256 of the clearing password. Thus, if your clearing password has changed, all encrypted passwords in the database need to be recalculated. Luckily, there is a function in your provider maintenance dialogue to do this automatically. If you run a redundant system with a master-master or master-slave configuration, you need to update the clearing password on both systems. Follow this guide to update the clearing password:

  1. Create a backup of your provider database (refer to "Backup and recovery").
  2. Enter the provider maintenance dialogue of your regify provider web administration.
  3. If you run a redundant system, please use a second web-browser instance now(!) and also login to the second one.
  4. Make sure your system(s) are in maintenance mode. This prevents users from registering and logging in during your work. Normally, if clearing has changed the password, this happened automatically.
  5. Enter the provider maintenance dialogue of your regify provider web administration.
  6. Click "Change clearing password now" and activate the function.
  7. Enter the old (current) clearing password and enter the new one (twice).
  8. Click on "Change clearing password now" and start the recalculation.
  9. If you do not run a redundant system, jump to the last step now.
  10. Switch to the already open web administration of the second system.
  11. Click "Change clearing password now" and activate the function.
  12. Enter the old (current) clearing password and enter the new one (twice).
  13. Click on "Change clearing password now" and start the recalculation.
  14. Done. Validate all your login functions.

Database hints

Direct access using SSH

In order to access the regify provider database directly, we recommend the following:

  1. Use PuTTY to access the system (as you do for the provider appliance menu). Please configure your PuTTY connection to create a port forwarding tunnel like in the screenshot. This tunnels the remote system's port 3306 to your local client machine's port 3306.
  2. Use a tool like HeidiSQL to access the now locally available MySQL database.
  3. PLEASE BE CAREFUL! You now have full control over the database!

Backup and recovery

Sometimes we encounter problems with character encoding during export and (re)import. The following options made it possible to export on a regify-provider and import the data on another machine with no problems:

Export:

mysqldump -uroot --opt --quote-names --skip-set-charset --default-character-set=latin1 regify > backup_dump.sql

Import:

mysql -uroot -ppassword
mysql> create database regify;
mysql> quit

mysql -uroot -pregify --default_character_set utf8 regify < backup_dump.sql

Try using these options to fix your problem. The above values fixed the problem of double encoded UTF8 characters (the characters have been double encoded in the exported dump file).

Install VMWare Tools

1) Please respect the licence and support information about third party software on the regify provider appliance. You can find this information in your regify appliance manual. In short, you are not allowed to install anything except software that is essentially needed for running the appliance in a virtual environment. No other RPM repositories are allowed!

2) Choose to install or update VMWare tools for your virtual machine. This will create a new CD-ROM device for the regify provider software appliance.

3) Enter in terminal:

mkdir /mnt/cdrom
mount /dev/cdrom /mnt/cdrom
cp /mnt/cdrom/VMwareTools-*.tar.gz /tmp
umount /mnt/cdrom
tar -zxf /tmp/VMwareTools-*.tar.gz -C /tmp
cd /
./tmp/vmware-tools-distrib/vmware-install.pl --default
rm -f /tmp/VMwareTools-*.tar.gz
rm -rf /tmp/vmware-tools-distrib

Sometimes, you might need to mount /dev/sr0 instead of /dev/cdrom.

4) Check if the VMWare tools are running:

/etc/init.d/vmware-tools status

Manually run the updates

In order to manually run the updates for the provider and regigate without SSH GUI, simply execute

yum upgrade

Enable NAGIOS support

Please note that we ship the NAGIOS modules, but you need to know and understand NAGIOS and how it works. regify does not support you in setting up your monitoring environment.

To enable NRPE, edit /etc/nagios/nrpe.cfg to fit your needs, then run

chkconfig nrpe on
/etc/init.d/nrpe start

Now the firewall must be opened. Open /etc/sysconfig/iptables and locate the following line:

-A INPUT -i lo -j ACCEPT

Below this, please add the following new line:

-A INPUT -m state --state NEW -s <your_nagios_ip> -m tcp -p tcp  --dport 5666 -j ACCEPT

Now save and close these changes.

To enable the new rule, restart iptables:

/etc/init.d/iptables restart
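A consistency check for the two files edited above, as an added example that is not regify code: it confirms that every rule opening port 5666 names a source address and that each source is also listed in the `allowed_hosts` directive of nrpe.cfg. The function names and sample addresses are assumptions; the demo runs on constructed copies rather than the live files.

```sh
# Added example, not regify code. File paths are parameters so the check can run on copies.

# Print the source of every INPUT rule accepting TCP port 5666; "ANY" when a rule has no -s.
nrpe_rule_sources() {
    awk '/^-A INPUT/ && /--dport 5666( |$)/ && /-j ACCEPT/ {
             src = "ANY"
             for (i = 1; i < NF; i++) if ($i == "-s" || $i == "--source") src = $(i + 1)
             print src
         }' "$1"
}

# Print the allowed_hosts entries of nrpe.cfg $1, one per line.
nrpe_allowed_hosts() {
    sed -n 's/^[[:space:]]*allowed_hosts[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ',' '\n' | sed 's/[[:space:]]//g'
}

# $1 = iptables file, $2 = nrpe.cfg. Succeeds only if 5666 is opened for named sources
# and each source is also in allowed_hosts (exact match; CIDR ranges are not expanded).
nrpe_exposure_ok() {
    srcs=$(nrpe_rule_sources "$1")
    [ -n "$srcs" ] || { echo "no rule for port 5666"; return 1; }
    for s in $srcs; do
        [ "$s" = "ANY" ] && { echo "port 5666 is open to any source"; return 1; }
        nrpe_allowed_hosts "$2" | grep -qxF -- "${s%/32}" ||
            { echo "$s is not in allowed_hosts"; return 1; }
    done
    echo "port 5666 limited to:" $srcs
}

# Constructed sample files standing in for /etc/sysconfig/iptables and /etc/nagios/nrpe.cfg.
demo=$(mktemp -d)
printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m state --state NEW -s 192.0.2.10 -m tcp -p tcp  --dport 5666 -j ACCEPT' > "$demo/iptables"
printf '%s\n' 'allowed_hosts=127.0.0.1,192.0.2.10' > "$demo/nrpe.cfg"
nrpe_exposure_ok "$demo/iptables" "$demo/nrpe.cfg"
rm -rf "$demo"
```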

Change SMB Login Protocol to NTLMSSP

Note: With regify provider V5 (June 2018), this should be no longer needed as it supports SMBv2 by default.

Some environments require a different authentication method for the regibox SMB storage. In many cases, NTLMSSP will do here.

Follow this guide to set up your provider to mount the regibox share using the NTLMSSP protocol:

1) Login as root or elevate to root

2) Unmount the /box share

umount /box

3) Edit /etc/fstab and add ,sec=ntlmssp to the line for the /box mount. Example line:

//nas/servicestore/     /box    cifs    iocharset=utf8,user=regify,pass=xxx,noperm,sec=ntlmssp

4) Remount fstab using

mount -a

Important note: The fstab is rewritten by the appliance menu if you enter the "Provider..." -> "Configure regibox" dialogue (where you define the regibox share). If you click save in this dialogue, you have to fix the fstab again!
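Because the appliance menu can rewrite the fstab, the following added example (not regify code) checks whether the /box entry still carries sec=ntlmssp and prints a corrected file if it does not. The function names are assumptions, and the demo works on a constructed copy rather than /etc/fstab.

```sh
# Added example, not regify code. The fstab path is a parameter so it can be tried on a copy.

# Succeed if the cifs entry mounted on /box already carries sec=ntlmssp.
box_has_ntlmssp() {
    awk '$1 !~ /^#/ && $2 == "/box" && $3 == "cifs" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "sec=ntlmssp") found = 1
         }
         END { exit(found ? 0 : 1) }' "$1"
}

# Print fstab $1 with sec=ntlmssp set on the /box entry, replacing any other sec= value.
# All other lines pass through unchanged; running it twice gives the same result.
with_ntlmssp() {
    awk 'BEGIN { OFS = "\t" }
         $1 !~ /^#/ && $2 == "/box" && $3 == "cifs" {
             n = split($4, opt, ","); out = ""
             for (i = 1; i <= n; i++)
                 if (opt[i] !~ /^sec=/) out = out (out == "" ? "" : ",") opt[i]
             $4 = (out == "" ? "" : out ",") "sec=ntlmssp"
         }
         { print }' "$1"
}

# Constructed sample: the /box line as it looks without the manual fix from step 3.
demo=$(mktemp)
printf '%s\n' '/dev/sda1  /  ext4  defaults  1 1' \
    '//nas/servicestore/  /box  cifs  iocharset=utf8,user=regify,pass=xxx,noperm' > "$demo"
if box_has_ntlmssp "$demo"; then
    echo "/box entry already uses sec=ntlmssp"
else
    echo "sec=ntlmssp missing on /box, corrected fstab would be:"
    with_ntlmssp "$demo"
fi
rm -f "$demo"
```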

Please note that the regify provider appliance does not support SMBv2 or SMBv3 because of the base OS not supporting it (CentOS 6).

Change some internal values or settings

Please use the "Edit regify-provider main configuration file" function in your "Manage sub-providers" interface.

You can find the possible settings and some examples in your regify provider documentation (PDF). Please do not edit this file manually using vi or vim on the appliance!