Setting up an mSign server: Difference between revisions

From Scriptel Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
 
(8 intermediate revisions by 2 users not shown)
Line 1: Line 1:
This guide is for administrators in organizations who have purchased an mSign server license. Scriptel provides a public server for public use free of charge at msign.scriptel.com. However, this requires internet connectivity and is shared. Organizations may wish to use their own server behind their firewall. A 90-day trial license is available upon request.  
This guide is for administrators in organizations who have purchased an mSign server license. Scriptel provides a public server for public use free of charge at msign.scriptel.com. However, this requires internet connectivity and is shared. Organizations may wish to use their own server behind their firewall. A 90-day trial license is available upon request.  


mSign Sever is designed to run on an Ubuntu 16.04 server. It is written node.js, so technically it is possible to make it run on any platform that supports node. However, all of the scripts for installing are written for Ubuntu and that is all we are currently supporting.
mSign Sever is designed to run on an Ubuntu 20.04 server and up. It is written node.js, so technically it is possible to make it run on any platform that supports node. However, all of the scripts for installing are written for Ubuntu and that is all we are currently supporting.
 
mSign Server requires connection to a PostgreSQL database. This can live on the local machine or elsewhere. These instructions will assume it lives on the local system.


===Set up the service:===
===Set up the service:===


1. Obtain the scriptel-msign-x.x.xx-all.deb package and license file from Scriptel
1. Obtain the scriptel-msign-x.x.xx-all.deb package.


2. Obtain a server with Ubuntu 16.04 on it.
2. Obtain a server with Ubuntu 20.04 (or higher) on it.


3. Change the host name
3. Change the host name
Line 16: Line 14:
4. Point your DNS to the new server.
4. Point your DNS to the new server.


5. Install PostgreSQL
5. Start the install of mSign server
    sudo apt-get update
     sudo dpkg -i scriptel-msign-X.X.X-all.deb
    sudo apt-get install postgresql postgresql-contrib
 
6. Start command line PostgreSQL
    sudo -u postgres psql
 
7. type, changing the password 'secret' to a reasonable password.
    CREATE USER "scriptel-msign" WITH PASSWORD 'secret';
    CREATE DATABASE "scriptel-msign" WITH OWNER "scriptel-msign";
    \q
 
8. Start the install of mSign server
     sudo apt-get install -f ./scriptel-msign-*-all.deb
 
9. Take the default answers, except password. Make the password the same as in step 5.
 
10. Create the user
    cd /usr/lib/scriptel-msign
    sudo -u scriptel-msign node msign-util.js --create-user=guy@email.com:guysPassword
 
11. Create an organization
    sudo -u scriptel-msign node msign-util.js -o organization
 
12. Assign the user to the organization
    sudo -u scriptel-msign node msign-util.js -a guy@email.com:organization
 
13. If the directory /usr/lib/scriptel-msign/licenses does not exist, create it.
    sudo -u scriptel-msign mkdir licenses


14. License the server. This assumes that Scriptel has granted you a license. If not, this step will fail. This is the portal username and password, which may be different than one created earlier.
6. Edit the /usr/lib/scriptel-msign/config.js file.
    sudo -u scriptel-msign node msign-util.js --download-licenses guy@email.com:guysPassword
# hostName must be set to the fully qualified domain name for SSL to work.
# webappLocation must be set to the URL of the front-end server.
# publicHttpsPort is the port that the front end should connect to. Change this to 443.
# Everything else should work by default.


15. Start the service
7. Restart the service to pick up the changes by stopping and starting it. restart does not work.
    sudo service scriptel-msign start
  sudo service scriptel-msign stop
  sudo service scriptel-msign start


16. Make the service automatically start when the system is rebooted
8. check to see if the service is started the service
     sudo systemctl enable scriptel-msign.service
     sudo service scriptel-msign status


At this point, your mSign Desktop and mSign Mobile applications should be able to connect to the server on port 8443. For example, if your IP address were 54.291.191.59 you would put this into the applications as https://54.291.191.59:8443. You can try this using a browser for mSign Mobile as long as it will allow you to get to it as an unsafe site. Chrome will allow this, for example, but you will not be able to use the mSign mobile app for Android until there is a certificate.
At this point, your mSign Desktop and mSign Mobile applications should be able to connect to the server on port 8443. For example, if your IP address were 54.291.191.59 you would put this into the applications as https://54.291.191.59:8443. You can try this using a browser for mSign Mobile as long as it will allow you to get to it as an unsafe site. Chrome will allow this, for example, but you will not be able to use the mSign mobile app for Android until there is an SSL certificate.


===Reassign the ports===
===Reassign the ports===
Line 61: Line 36:
This section is optional. mSign Server runs natively on ports 8080 and 8443. You might want to use the standard http and https ports 80 and 443. You have to do this if you use Letsencrypt for a certificate in the next section.
This section is optional. mSign Server runs natively on ports 8080 and 8443. You might want to use the standard http and https ports 80 and 443. You have to do this if you use Letsencrypt for a certificate in the next section.


   sudo apt-get install iptables-persistent
Note that eth0 may or may not be the name of your ethernet adaptor. For example, on AWS T4g instances it is ens5.
 
   sudo apt install iptables-persistent
   sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
   sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
   sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443
   sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443
   sudo /etc/init.d/netfilter-persistent save
   sudo /etc/init.d/netfilter-persistent save


===Install a certificate===
===Certificate types===
 
There are two certificates. One is for SSL between the server and the browser and the server and the desktop. The other is for the mobile application (front end).
 
===SSL Key===


To avoid security warnings you need to install a certificate. You can buy one and install it. Or you can self-certify, but if you do, you will have to set yourself up as a root authority on each mobile device you use. Or you can use [https://letsencrypt.org/ Let's Encrypt], which is free, but requires that the server be public on the internet so that it can validate ownership of the domain.
To avoid security warnings you need to install a certificate. You can buy one and install it. Or you can self-certify, but if you do, you will have to set yourself up as a root authority on each mobile device you use. Or you can use [https://letsencrypt.org/ Let's Encrypt], which is free, but requires that the server be public on the internet so that it can validate ownership of the domain.
Line 76: Line 57:
2. Give your server a DNS name with your DNS provider and wait for it to propogate. This can be a subdomain of one you already own.
2. Give your server a DNS name with your DNS provider and wait for it to propogate. This can be a subdomain of one you already own.


3. Type the following, substituting your domain for domain.example.com:
3. Create the directory /usr/lib/scriptel-msign/www and change the owner to scriptel-msign
     sudo apt-get install software-properties-common
  sudo mkdir /usr/lib/scriptel-msign/www
    sudo add-apt-repository ppa:certbot/certbot
  sudo chown scriptel-msign /usr/lib/scriptel-msign/www
    sudo apt-get install certbot
 
4. Type the following, substituting your domain for domain.example.com:
     sudo apt install certbot
     sudo certbot certonly --webroot -w /usr/lib/scriptel-msign/www -d domain.example.com
     sudo certbot certonly --webroot -w /usr/lib/scriptel-msign/www -d domain.example.com


4. Create a file with the following text, but replace domain.example.com with your domain. Call it something like renewcert.sh
===Mobile certificate===
    #!/bin/bash
    #===============================================================================
    # This script is responsible for automatically renewing a Let's Encrypt
    # certificate for Scriptel mSign on a regular interval.
    #
    # Copyright 2017 - Scriptel Corporation
    #===============================================================================
    #Change these variables to match your environment if required.
    CP=/bin/cp
    CHOWN=/bin/chown
    CHMOD=/bin/chmod
    SERVICE=/usr/sbin/service
    LETS_ENCRYPT=/usr/bin/certbot
    CERT_DIR=/etc/letsencrypt/live/domain.example.com
    MSIGN_DIR=/usr/lib/scriptel-msign/ssl
    SERVICE_NAME=scriptel-msign
    USER_NAME=scriptel-msign
    #You shouldn't need to change anything below this line.
    #-------------------------------------------------------------------------------
    $LETS_ENCRYPT renew
    if [ $? -eq 0 ]; then
        $CP "$CERT_DIR/cert.pem" "$MSIGN_DIR/public.pem"
        $CP "$CERT_DIR/privkey.pem" "$MSIGN_DIR/private.pem"
        $CP "$CERT_DIR/chain.pem" "$MSIGN_DIR/intermediate.pem"
        $CHOWN $USER_NAME "$MSIGN_DIR/public.pem" "$MSIGN_DIR/private.pem" "$MSIGN_DIR/intermediate.pem"
        $CHMOD 600 "$MSIGN_DIR/public.pem" "$MSIGN_DIR/private.pem" "$MSIGN_DIR/intermediate.pem"
        $SERVICE $SERVICE_NAME restart
        echo "Successfully renewed certificate and restarted $SERVICE_NAME."
        echo `date`
    else
        echo "Failed to renew certificate."
        echo `date`
    fi
 
5. Execute the file.
    chmod 755 renewcert.sh
    sudo ./renewcert.sh


6. The certificat from Let's encrypt is good for 90 days. Running the script will renew it if it is within 30 days of expireation. You can create a cron job to renew the certficate. The following will run the job at 3:43AM (computer time) on Mondays. This should be done during low usage as it will cause msign-server to restart. Change the paths and file names according to what you chose in step 4.
This is the certficate pointed to in config.js. When the installer is run, a self-signed certificate is generated but it does not chain up to a root authority. In order to avoid security warnings on the mobile device, a certficate for the front end server's domain must be obtained. This can be done through Amazon's certificate manager, for example.
    sudo crontab -e
    43 3 * * 1 /home/ubuntu/renewcert.sh >>/home/ubuntu/renewcert.log

Latest revision as of 13:58, 29 June 2023

This guide is for administrators in organizations who have purchased an mSign server license. Scriptel provides a public server for public use free of charge at msign.scriptel.com. However, this requires internet connectivity and is shared. Organizations may wish to use their own server behind their firewall. A 90-day trial license is available upon request.

mSign Sever is designed to run on an Ubuntu 20.04 server and up. It is written node.js, so technically it is possible to make it run on any platform that supports node. However, all of the scripts for installing are written for Ubuntu and that is all we are currently supporting.

Set up the service:

1. Obtain the scriptel-msign-x.x.xx-all.deb package.

2. Obtain a server with Ubuntu 20.04 (or higher) on it.

3. Change the host name

   sudo hostnamectl set-hostname new-hostname

4. Point your DNS to the new server.

5. Start the install of mSign server

   sudo dpkg -i scriptel-msign-X.X.X-all.deb

6. Edit the /usr/lib/scriptel-msign/config.js file.

  1. hostName must be set to the fully qualified domain name for SSL to work.
  2. webappLocation must be set to the URL of the front-end server.
  3. publicHttpsPort is the port that the front end should connect to. Change this to 443.
  4. Everything else should work by default.

7. Restart the service to pick up the changes by stopping and starting it. restart does not work.

  sudo service scriptel-msign stop
  sudo service scriptel-msign start

8. check to see if the service is started the service

   sudo service scriptel-msign status

At this point, your mSign Desktop and mSign Mobile applications should be able to connect to the server on port 8443. For example, if your IP address were 54.291.191.59 you would put this into the applications as https://54.291.191.59:8443. You can try this using a browser for mSign Mobile as long as it will allow you to get to it as an unsafe site. Chrome will allow this, for example, but you will not be able to use the mSign mobile app for Android until there is an SSL certificate.

Reassign the ports

This section is optional. mSign Server runs natively on ports 8080 and 8443. You might want to use the standard http and https ports 80 and 443. You have to do this if you use Letsencrypt for a certificate in the next section.

Note that eth0 may or may not be the name of your ethernet adaptor. For example, on AWS T4g instances it is ens5.

 sudo apt install iptables-persistent
 sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
 sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443
 sudo /etc/init.d/netfilter-persistent save

Certificate types

There are two certificates. One is for SSL between the server and the browser and the server and the desktop. The other is for the mobile application (front end).

SSL Key

To avoid security warnings you need to install a certificate. You can buy one and install it. Or you can self-certify, but if you do, you will have to set yourself up as a root authority on each mobile device you use. Or you can use Let's Encrypt, which is free, but requires that the server be public on the internet so that it can validate ownership of the domain.

These instructions are for Let's Encrypt:

1. Let's Encrypt requires that standard ports be used. So if you haven't already done so, reassign the ports as described in the previous section.

2. Give your server a DNS name with your DNS provider and wait for it to propogate. This can be a subdomain of one you already own.

3. Create the directory /usr/lib/scriptel-msign/www and change the owner to scriptel-msign

  sudo mkdir /usr/lib/scriptel-msign/www
  sudo chown scriptel-msign /usr/lib/scriptel-msign/www

4. Type the following, substituting your domain for domain.example.com:

   sudo apt install certbot
   sudo certbot certonly --webroot -w /usr/lib/scriptel-msign/www -d domain.example.com

Mobile certificate

This is the certficate pointed to in config.js. When the installer is run, a self-signed certificate is generated but it does not chain up to a root authority. In order to avoid security warnings on the mobile device, a certficate for the front end server's domain must be obtained. This can be done through Amazon's certificate manager, for example.