


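# Proxy Configuration
[proxy]
# Port, default "5000"
port = "5000"
# Network interface, default "0.0.0.0". 127.0.0.1 binds the loopback interface only,
# so the proxy is reachable just from this host (e.g. through a local NGINX).
inet = "127.0.0.1"
# Enable recover on panic, default true, should be true for production environment
recover = true
# Enable Cross-Origin Resource Sharing (CORS), should be true for production environment
# NOTE(review): no allowed-origin list is shown here; confirm the policy is not a wildcard
cors = true
# Enable Request Track ID, default true
tracker = true
# Enable Request Logger, default true
logger = true
# Rate Limit IP Request over 1 second, default 0 (unlimited)
# NOTE(review): 0 disables rate limiting; prefer a non-zero value for an internet-facing deployment
limit = 0
# Enable the Prometheus Metric Endpoint '/metric', default false
metrics = false

# Service 'local' with direct authentication on the waarp gateway
[service.local]
# MFT Waarp Gateway Listen Protocol (http or https)
protocol = "http"

[[service.local.targets]]
# MFT Waarp Gateway Hostname or IP
hostname = "localhost"
# MFT Waarp Gateway Port (plain number string, no surrounding whitespace)
port = "18080"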

  • Install the binary under /usr/local/bin:


Configuration for LDAP Authentication

The UDMG Authentication Proxy can use an LDAP service to authenticate users for the UDMG Admin UI:


# vi /etc/mft/auth_proxy/config.toml


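# Proxy Configuration
[proxy]
# Port, default "5000"
port = "5000"
# Network interface, default "0.0.0.0". 127.0.0.1 binds the loopback interface only,
# so the proxy is reachable just from this host (e.g. through a local NGINX).
inet = "127.0.0.1"
# Enable recover on panic, default true, should be true for production environment
recover = true
# Enable Cross-Origin Resource Sharing (CORS), should be true for production environment
# NOTE(review): no allowed-origin list is shown here; confirm the policy is not a wildcard
cors = true
# Enable Request Track ID, default true
tracker = true
# Enable Request Logger, default true
logger = true
# Rate Limit IP Request over 1 second, default 0 (unlimited)
# NOTE(review): 0 disables rate limiting; prefer a non-zero value for an internet-facing deployment
limit = 0
# Enable the Prometheus Metric Endpoint '/metric', default false
metrics = false

# Service 'mft' with LDAP Authentication
[service.mft]
# MFT Waarp Gateway connection protocol (http or https)
protocol = "http"
# Break-glass option for admins: the users in this list are authenticated
# directly on the MFT service, not with LDAP. Keep the list minimal, since
# these accounts bypass the LDAP policy.
admins = ["admin"]

[[service.mft.targets]]
# MFT Waarp Gateway Hostname or IP
hostname = "localhost"
# MFT Waarp Gateway Port (plain number string, no surrounding whitespace)
port = "18080"

# Credentials for the synchronisation from LDAP to MFT service;
# the user must have permission to create/update waarp gateway users.
# NOTE(review): the password is stored in clear text — restrict this file to the
# service account (e.g. mode 0600) and replace the sample value.
[service.mft.credential]
username = "ldap_sync"
password = "ldap_password"

# LDAP Configuration
[service.mft.auth.ldap]
# LDAP DN with OU and DC components (presumably the search base for users — verify)
dn = "ou=users,dc=stonebranch,dc=com"
# LDAP Server FQDN or IP
hostname = "myldap.server.fqdn.com"
# LDAP Server Port (389 is plain LDAP, 636 is LDAPS; the sample uses 1389)
# NOTE(review): no TLS setting is shown; confirm bind credentials do not cross the network in clear text
port = "1389"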



[agent]
# Listen address of the MFT Agent Proxy. 0.0.0.0 binds every interface,
# so the port must be covered by the firewall rules (see "Component Ports").
hostname = "0.0.0.0"  # Hostname or IP
port = "2222"         # TCP port

# SSH key pair of the agent proxy (paths; relative names are presumably
# resolved against the working directory — verify)
ssh_key = "agent"          # path to the private key file
ssh_key_pub = "agent.pub"  # path to the public key file

# Agent Service User and password. The password value is what the client
# authenticates with; the client.toml sample carries the same pair.
username = "mft"
password = "61ee8b5601a84d5154387578466c8998848ba089"  # sample value, replace in production

The `password` key is used for client authentication.

Client Configuration

  • Create a configuration file as /etc/mft/agent_proxy/client.toml:



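[client]
# Target MFT Agent Proxy Hostname or IP, and port
hostname = "localhost"
port = "2222"

# path to the SSH private key file
ssh_key = "/etc/mft/agent_proxy/client"
# path to the SSH public key file
ssh_key_pub = "/etc/mft/agent_proxy/client.pub"

# Agent Service User and password; the password is used for the client
# authentication (the sample uses the same pair as the agent proxy server config)
username = "mft"
password = "61ee8b5601a84d5154387578466c8998848ba089"

# Default TTL to Connection Retry
ttl = "5s"

[client.api]
# Administrative API port
# NOTE(review): no bind address is configured for this API; confirm it listens on localhost only
port = "2280"

[gateway]
# MFT Waarp Gateway Hostname or IP, and port
hostname = "localhost"
port = "18080"
# MFT Waarp Gateway Username/Password
# NOTE(review): clear-text credentials — restrict this file to the service account
# (e.g. mode 0600) and replace the sample value
username = "admin"
password = "admin_password"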

The `password` key is used for client authentication.

Setup the Systemd Services

UDMG Server

Create a new service definition:


# vi /etc/systemd/system/mft_waarp_gateway.service



# systemctl start mft_waarp_gateway
# systemctl status mft_waarp_gateway
● mft_waarp_gateway.service - MFT Waarp Gateway server
Loaded: loaded ( /etc/systemd/system/mft_waarp_gateway.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-06-07 16:43:16 -03; 10s ago
Main PID: 24888 (waarp-gatewayd)
Tasks: 6 (limit: 3509)
CPU: 11ms
CGroup: /system.slice/mft_waarp_gateway.service
└─24888 /usr/local/bin/waarp-gatewayd server -c /etc/mft/waarp_gateway/server.ini

Be sure that the listen port and network interface are reachable by the UDMG Authentication Proxy and the UDMG Agent Client.

UDMG Authentication Proxy



# systemctl start mft_auth_proxy
# systemctl status mft_auth_proxy
● mft_auth_proxy.service - MFT Auth Proxy server
Loaded: loaded ( /etc/systemd/system/mft_auth_proxy.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-06-07 16:58:48 -03; 21s ago
Main PID: 25008 (mft_auth_proxy_)
Tasks: 3 (limit: 3509)
CPU: 4ms
CGroup: /system.slice/mft_auth_proxy.service
└─25008 /usr/local/bin/mft_auth_proxy_server

Be sure that the listen port and network interface are reachable by the NGINX server.

UDMG Agent Proxy

Agent Proxy Server Service



# systemctl start mft_agent_proxy_server
# systemctl status mft_agent_proxy_server
● mft_agent_proxy_server.service - MFT Agent Proxy Server
Loaded: loaded ( /etc/systemd/system/mft_agent_proxy_server.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-06-07 16:26:53 -03; 2s ago
Main PID: 25444 (mft_agent_proxy)
Tasks: 5 (limit: 3509)
CPU: 5ms
CGroup: /system.slice/mft_agent_proxy_server.service
└─25444 /usr/local/bin/mft_agent_proxy_server

Jun 07 16:26:53 localhost.localdomain systemd[1]: Started MFT Agent Proxy Server.
Jun 07 16:26:53 localhost.localdomain sh[25444]: level=info TS=2022-06-07T19:26:53.624296821Z HostKey=Ok Path=/data/agent

Be sure that the listen port and network interface are reachable by the UDMG Agent Client.

Agent Proxy Client Service



# systemctl start mft_agent_proxy_client
# systemctl status mft_agent_proxy_client
● mft_agent_proxy_client.service - MFT Agent Proxy Client
Loaded: loaded ( /etc/systemd/system/mft_agent_proxy_client.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-06-07 17:26:53 -03; 2s ago
Main PID: 25445 (mft_agent_proxy)
Tasks: 5 (limit: 3509)
CPU: 6ms
CGroup: /system.slice/mft_agent_proxy_client.service
└─25445 /usr/local/bin/mft_agent_proxy_client

Jun 07 17:26:53 localhost.localdomain systemd[1]: Started MFT Agent Proxy Server.
Jun 07 17:26:53 localhost.localdomain sh[25445]: level=info TS=2022-06-07T20:26:53.624296821Z Servers=[]

Component Ports

Make sure that all the ports needed are open under your firewall configuration.

Using UDMG with SELinux

  • Modify the file label so that NGINX (as a process labeled with the httpd_t context) can access the configuration file



# setsebool -P httpd_can_network_connect 1

References

This document references the following documents.