Private Cloud Installation : requirements

Preamble

LockSelf software uses two main components:

  • Une base de données MariaDB
  • API REST PHP

The database and the web server are set up on two separate Linux servers in a VPC dedicated to the company.

This installation is made on our French partner’s sovereign cloud, 3DS Outscale. Depending on the contract, the installation will be effective either in the eu-west-2 region or in the cloudgouv-eu-west-1 region, the latter being SECNUMCLOUD certified by ANSSI.

Infrastructure' description

mceclip0.png

Network flow' matrix

The flows configured on the different servers are :

Server Incoming
Application 443 since 0.0.0.0/0
Database 3306 since application
servers ’subnet

The incoming flows on the application part can be restricted on several specific IP / range on simple request.

There are two installation methods: a turnkey installation and a more customized installation according to your needs.

Option 1 (recommended): turnkey installation

In order to save installation time, you can use 1. a LockSelf sub-domain as URL and 2. LockSelf's SMTP server.

1. The Sub-domain

It's on this LockSelf sub-domain that the installation specific to your company will point, and which will allow your collaborators to connect to the application.

The domain name must be in the following format : FQDN-cloud.lockself.com

Thanks to that, you won't have to manage the specific certificate to this domain name (it will be managed by LockSelf), and the connection to the IP will therefore be done on our side.

For information, it is also this subdomain that will be exposed to your external contacts when using LockTransfer.

2. The SMTP server

By using our SMTP server rather than yours, you won't have to manage the SMTP configuration settings on the application, because everything will be done on our side.

For information, SMTP information is necessary for sending system mails: password change notifications, account creation, etc.).

Option 2: customized installation

In case you want to use a custom domain name, or create a subdomain of your company, as well as use your own SMTP server, we will need the following:

1. The domain name you want to use (ex: lockself.company.com)

It is on this personalized domain name that the installation specific to your company will point and on which your employees will be able to connect to the application. Once the installation is done, we will provide you with an IP to which you must point the chosen domain name.

For information, it is also this subdomain that will be exposed to your external contacts when using LockTransfer.

2. The SSL certificate associated with this domain name (minimum one year)

Since you have chosen a specific domain name, you will need to provide us with the associated SSL certificate. You are responsable of certificat renewal and it provision to the LockSelf teams.

Three elements must be provided :

  1. The certificate (crt, cer, pem or text format)
  2. The associated private key (key or text format)
  3. The certificate chain (or chain of Trust, in crt or text format)

The certificate must be for a minimum period of one year.

This certificate will add SSL termination to the chosen domain, which will therefore activate the HTTPS layer. An HSTS overlay is also applied at the level of the chosen sub-domain.

We recommend that you go through an external SSL certificate provider, such as Gandi, in order to simplify its management (renewal, verification, etc).

We can, if you wish, send you the CSR (Certificate Signing Request) which will be requested by the certificate creator provider. To do this, you will need to send us the following information:

Country
Region
Locality name
Organization name
Organization unit name
Common name (chosen sub-domain)
Email address (email associated to the certificate)

3. Your SMTP server information

For the 3 modules (LockPass, LockFiles, LockTransfer), the SMTP information will allow you to connect the installation of LockSelf made for your company to your SMTP server in order to send system emails (notification of change of password, creation of account, etc).

When using the LockTransfer product, emails will also be sent to the recipients of your transfers via this same SMTP server.

Since we will be using your internal SMTP server, you are responsable of the updates if your information changes.

The information needed are:

  • Host / URL serveur SMTP
  • Port
  • Authentication requested? (true / false)
  • User / email adress @noreply wished
  • Password
  • SSL ou TLS utilisé

For the authentication by IP, the information to be provided are:

  • Host / URL server SMTP
  • Port
  • User / email adress @noreply wished
  • Encryption method

Updated