Private Cloud Installation: Requirements

The LockSelf solution uses two main components:

  • A MariaDB database (version 10.X)
  • A PHP REST API

The database and web server are installed on two separate Linux servers within a company-specific VPC.

This installation is carried out on the sovereign French cloud of our partner 3DS Outscale. Depending on the contract, the installation is placed either in the eu-west-2 region or in the cloudgouv-eu-west-1 region, the latter holding the SecNumCloud qualification from ANSSI.

Infrastructure Description

[Infrastructure diagram: image not reproduced here]

Network Flow Matrix

The inbound flows configured on the two servers are:

  Server        Inbound
  Application   TCP 443 (HTTPS) from 0.0.0.0/0
  Database      TCP 3306 (MariaDB) from the application server subnet only

The database is therefore never reachable from the Internet. On request, inbound access to the application server can be restricted to specific IP addresses or ranges.

There are two installation methods: a turnkey installation, or a customized installation adapted to your needs.

Option 1 (recommended): Turnkey installation

To shorten the installation, you can use (1) a LockSelf subdomain as the application URL and (2) the LockSelf SMTP server.

1. The Subdomain

This LockSelf subdomain will point to the specific installation for your company, allowing your employees to connect to the application.

The domain name takes the form <label>.lockself-cloud.com (for example company.lockself-cloud.com).

The advantage is that you do not have to manage the TLS certificate for this name (LockSelf manages it, including renewal), and the DNS record pointing the name at your installation's IP address is maintained on our side.

Note that this subdomain is also exposed to your external contacts if you use LockTransfer.

2. The SMTP Server

By using our SMTP server instead of yours, you do not have to maintain any SMTP configuration in the application; everything is handled on our side.

SMTP settings are needed because the application sends system emails (password change notifications, account creation, and so on).

Option 2: Customized Installation

If you wish to use a custom domain name, or a subdomain of your company, and use your own SMTP server, we will need the following elements:

1. The domain name you wish to use (e.g., lockself.company.com)

This custom domain name will point to the specific installation for your company, where your employees connect to the application. Once the installation is complete, we provide you with an IP address, and you must create the DNS record pointing the chosen domain name at it.

Note that this domain name is also exposed to your external contacts if you use LockTransfer.

2. The SSL certificate associated with this domain name (at least 1 year validity)

Since you have chosen your own domain name, you must supply us with the matching SSL/TLS certificate. Renewing it and delivering the renewed certificate to the LockSelf teams before the current one expires is your responsibility.

Three elements need to be provided:

  1. The certificate (formats: crt, cer, pem, or text)
  2. The associated private key, unencrypted (formats: key or text)
  3. The certificate chain, OR the intermediate certificate + CA certificate (formats: crt or text)

Because the private key is handed over without a passphrase, transfer these files only over an encrypted channel (never as a plain email attachment), and make sure the certificate's Subject Alternative Name covers the chosen domain name exactly.

The certificate must be valid for at least one year.

This certificate lets us terminate TLS for the chosen domain, so that the application is served over HTTPS. HSTS is also enabled on the subdomain; because browsers then remember that the name must be reached over HTTPS, an expired certificate locks users out instead of showing a bypassable warning, which is one more reason not to let the renewal lapse.

We recommend using an external SSL certificate provider, such as Gandi, to simplify its management (renewal, verification, etc.).

If you wish, we can provide you with the CSR (Certificate Signing Request) that the certificate provider will ask for. A CSR is generated together with its private key, so in that case the key never has to be transferred. We will need the following information:

  • Country
  • Region
  • Locality name
  • Organization name
  • Organization unit name
  • Common name (the chosen subdomain)
  • Email address (contact address associated with the certificate)
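As an added illustration of the two preceding points (this is not LockSelf's own tooling), the Go program below does two things. MakeCSR builds a CSR from the seven subject fields listed above, and CheckBundle runs the checks a practitioner should apply to the certificate, unencrypted key and chain before handing them over: the key is not passphrase-protected, it matches the certificate, at least one year of validity remains, the chosen name is covered, and the chain file actually links the certificate to a CA. DemoBundle fabricates a root, intermediate and leaf for lockself.company.com purely as test data; the host name, the subject values, the P-256 key type and the one-year threshold are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// must: a failure in key generation or DER encoding is a programming error here, so it panics.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func pemOf(typ string, der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}) }

// CSRSubject carries the seven fields the page asks for when LockSelf produces the CSR.
type CSRSubject struct{ Country, Region, Locality, Organization, OrgUnit, CommonName, Email string }

// MakeCSR generates a fresh P-256 key and a CSR; the subdomain also goes into the SAN, which is what clients check.
func MakeCSR(subj CSRSubject) (keyPEM, csrPEM []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{Country: []string{subj.Country}, Province: []string{subj.Region},
			Locality: []string{subj.Locality}, Organization: []string{subj.Organization},
			OrganizationalUnit: []string{subj.OrgUnit}, CommonName: subj.CommonName},
		DNSNames: []string{subj.CommonName}, EmailAddresses: []string{subj.Email},
	}
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
	return pemOf("PRIVATE KEY", must(x509.MarshalPKCS8PrivateKey(key))), pemOf("CERTIFICATE REQUEST", csrDER)
}

// CheckBundle applies the page's requirements to the three files before they are handed over: the key is
// unencrypted and matches the certificate, the certificate covers hostname and is still valid minValidity
// after now, and chainPEM (intermediate + CA) links the certificate to a CA contained in that same file.
func CheckBundle(certPEM, keyPEM, chainPEM []byte, hostname string, minValidity time.Duration, now time.Time) error {
	kb, _ := pem.Decode(keyPEM)
	if kb == nil || kb.Type == "ENCRYPTED PRIVATE KEY" || kb.Headers["Proc-Type"] == "4,ENCRYPTED" {
		return fmt.Errorf("key: missing, not PEM, or passphrase-protected; an unencrypted PEM key is required")
	}
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // fails when the key does not match the certificate
	if err != nil {
		return fmt.Errorf("certificate/key: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return fmt.Errorf("certificate: %w", err)
	}
	if leaf.NotAfter.Before(now.Add(minValidity)) {
		return fmt.Errorf("certificate expires %s, less than %v from now", leaf.NotAfter.Format("2006-01-02"), minValidity)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool() // self-signed entries become the trust anchors
	for b, rest := pem.Decode(chainPEM); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return fmt.Errorf("chain: %w", err)
		}
		if c.CheckSignatureFrom(c) == nil {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	// A non-nil but empty Roots pool is not replaced by the system store, so a missing CA fails here.
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inters, CurrentTime: now}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	return nil
}

// DemoBundle builds a constructed root -> intermediate -> leaf chain for lockself.company.com with the given
// leaf lifetime and returns the three files in the layout the page asks for. Test data only.
func DemoBundle(now time.Time, leafLifetime time.Duration) (certPEM, keyPEM, chainPEM []byte) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	caTmpl := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour), IsCA: true,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	rootT := caTmpl("Demo Root CA", 1)
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootT, rootT, &rootKey.PublicKey, rootKey))))
	inter := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl("Demo Intermediate CA", 2), root, &interKey.PublicKey, rootKey))))
	leafT := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "lockself.company.com"},
		DNSNames: []string{"lockself.company.com"}, NotBefore: now, NotAfter: now.Add(leafLifetime),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafT, inter, &leafKey.PublicKey, interKey))
	chainPEM = append(pemOf("CERTIFICATE", inter.Raw), pemOf("CERTIFICATE", root.Raw)...)
	return pemOf("CERTIFICATE", leafDER), pemOf("PRIVATE KEY", must(x509.MarshalPKCS8PrivateKey(leafKey))), chainPEM
}

func main() {
	cert, key, chain := DemoBundle(time.Now(), 90*24*time.Hour) // 90 days: too short for the one-year requirement
	fmt.Println(CheckBundle(cert, key, chain, "lockself.company.com", 365*24*time.Hour, time.Now()))
}
```

Pointing CheckBundle at the real files (certificate, key, chain) reproduces the failures that most often stall the hand-over: a key still protected by a passphrase, a key from a different CSR than the one the certificate was issued for, a chain file missing the intermediate, or a certificate bought for only 90 days.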

3. Your SMTP Server Information

For all three modules (LockPass, LockFiles, LockTransfer), SMTP information will allow the LockSelf installation for your company to connect to your SMTP server to send system emails (password change notifications, account creation, etc.).

In case of using the LockTransfer product, emails will also be sent to the recipients of your transfers via this same SMTP server.

Since your own SMTP server is used, keeping these settings up to date when they change (a password rotation, a new host or port) is your responsibility.

The information to be provided is as follows:

  • Host / SMTP server URL
  • Port
  • Is authentication required? (true/false)
  • User name / the noreply sender address
  • Password
  • Encryption method (implicit SSL/TLS or STARTTLS)

In the case of IP-based authentication (the relay accepts mail by source address, so there is no password), the information to be provided is:

  • Host / SMTP server URL
  • Port
  • User name / the noreply sender address
  • Encryption method

With IP-based authentication, your SMTP server must be configured to accept relaying from the application server's outbound IP address.

If your SMTP server is not reachable from outside your network, a Microsoft 365 (Office) account can be used instead. We recommend creating a dedicated account for this purpose, with no rights beyond sending mail, and then providing us with:

  • The Office account user name
  • The Office account password
