Archive for the ‘Admin Tools and Tips’ Category

FileCloud Best Practices: How to Use Private Shares and External User Accounts

One of the most frequent use cases of FileCloud is “sharing files securely with an external user.” By default, FileCloud enables all types of shares (public, public with password-protection, and private shares), with a focus on security and collaboration.

In this article, we will review the recommended configuration to securely share files to external users and use External Accounts (free user accounts) to improve traceability and auditing.

Types of Shares in FileCloud

FileCloud gives you the option to use public and private shares; in essence, you can do the following:

  1. Share a public link.
  2. Share a public link with a password.
  3. Allow selected users or groups to access the link (private).

Share a Public Link

The default share option in FileCloud is to share a public link. This will allow anyone with the link to view, download, or upload (depending on your choice).

Allow Selected Users or Groups

The third option is to share a link to a selected list of users or groups. These users can be external users, and their accounts can be created while creating the share.

You can “Invite users” with this type of share and create their accounts on the fly in the background. First though, you need to configure some settings to enable the account creation option.

Configure FileCloud to Create User Accounts with Shares

To create accounts when creating a new share, the following settings need to be applied in the admin portal:

Adjust the Admin settings to allow the creation of new accounts for external users.

Log in to your admin portal and go to Settings > Admin, and set the following values:

Allow Account Signups -> True

This will allow accounts to be created automatically in the background.

Automatic Account Approval -> 3

This configures the system so that “Limited” or external accounts are the default account to be created in the background.

Note: External User Accounts don’t count towards your license; you can create as many as you need. These accounts have a few limitations: they can only be accessed via the web browser (no applications), and you can only share files with external user accounts from the User UI, not from the Admin UI (for example, Team Folders cannot be shared).

Allow accounts to be created when creating a new share.

In your admin portal, go to Settings > Policies and edit the “Global Default Policy.” Then go to “User Policy” and change the following values:

Disable Invitations to New Users -> No

This configures the system to “send” invitations to new users. (Default Value: No)

Create account on new user shares -> Yes

This configures the system to “allow” the creation of new accounts “when” creating a new share. (Default Value: No).

Changing these settings will allow accounts to be created in the background when creating the share.

Configure FileCloud to Only Create Private Shares

Now that external accounts are allowed to be created in the background, the next step is to restrict the type of shares that can be made. For that, go to Settings > Policies > Edit the Global Default Policy. Then select the “General” tab.

Share mode -> Allow Private Shares Only

This configures the system to only allow the creation of private shares.

How Sharing Works After Configuration Changes

After the configuration changes are made, when you create a new share, this is the result:

The option to “Allow selected users or groups” is selected by default, with the options to “Allow anyone with the link” and “Allow anyone with link and password” disabled.

Note: The ability to invite users and enable “Private Shares Only” is a setting based on Policy Group. This means that you can apply these restrictions to a subset of your users and still allow other groups of users to create different types of shares.

Add an External Account to the Share

To invite a new user, you need to click on the “Invite Users” button; this will open the invite window; write the email address of the external user you want to add, then click on the “Invite” button below the email address. You can add multiple new users in the same way; once completed, click on the “Add Users to this Share” button.

Once you have added all the emails necessary to your share, you can check the sharing permissions desired for the users in the original share link box.

Now, those two accounts have been created as “Limited User Accounts” in the background; you can confirm these external accounts have been created by visiting the Admin UI > Users section.

The External User Experience

After adding the account to the share, the External User will receive two emails. If you checked the “send email” box when adding them, they only receive one.

Welcome to FileCloud Email

The first email they receive is the Welcome to FileCloud! Email. This email includes the Server URL, user email, and login password.

Shared Files Notification Email

This email includes the name of the “Full User” that has shared files with the “External User.” It also includes the Folder Name (if you share a single file, they will get the single file name) and the share link URL, which they can click directly.

Once the external user logs in, they will gain access to the shared content.

Improve Traceability and Auditing with External Accounts

Following our example, the external user uploads a PDF file.

The Full User can view shared document and folder details, including “Activity,” which shows who uploaded the file, to which folder, and when. Without an External User account, this file information would show as uploaded by “ANONYMOUS.” With an external account, the file information includes the user’s information.

If you click on the “i” icon to the right of the username, you can view details like the IP address, date, and time of when the file was uploaded.

Collectively, external user accounts provide more information about your external shares and help you identify when a user uploads/downloads or takes any action on shared content.

In following blog posts, we will discuss how to maintain these External User accounts automatically and enable 2FA.

 

Article written by Daniel Alarcon and Katie Gerhardt

 

 

Continuously Improving FileCloud – 21.3.6 Release

FileCloud’s Commitment

FileCloud’s mission is “to build a hyper-secure content collaboration and processes platform that customers love to use.”

Part of making software that customers love is investing in quality assessment and continuous improvement. It’s a cohesive and collaborative process, roping in engineering, QA, sales, marketing, and leadership teams.

We also depend on our clients and users, who provide amazing feedback not only on opportunities for improvement but also desired features and functionalities.

These elements of the software journey are captured in our stated values:

  • Be Customer Centric – Without our customers, FileCloud wouldn’t exist. That’s why they’re always our top priority.
  • Get Work Done – We achieve great results through our resourcefulness, hard work, and drive for perfection.
  • Innovate with Global Mindset – We have a vibrant mix of cultures and ideas that constantly encourage growth and innovation.

Release Details

There are a few exciting developments in the pipeline for our upcoming 22.1 release, including highly requested functionalities.

In the meantime, FileCloud has been putting in a lot of work behind the scenes to harden security and functionality across the server, Sync and Drive clients, and ServerSync.

The 21.3.6 release in July included many improvements for the FileCloud server, including streamlining recycle bin deletion, optimizing processing by cutting out feedback loops, removing visibility on password entries, and ensuring the functionality of user workflows.

The Sync and Drive apps have also been improved. Issues with login and password processes in FileCloud Sync were resolved, and the centralized configuration option for selective sync was reinforced. In the Drive app, the file locking function was optimized.

You can review all the improvements we’ve made by visiting the 21.3.6 Release Notes.

 

 

Migrating VMs Between ESXI Servers Using SCP Command

FileCloud customers may choose to use a virtual machine (VM) in an ESXI server. At times, ESXI servers may be decommissioned, requiring a migration. When FileCloud is hosted on one ESXI server, it can be moved to another using this method. This is generally a bare metal migration.

Yet migrating VMware ESXI servers has always been difficult, at times even requiring the use of a third-party paid application. In this blog, we discuss a simple method to transfer VMs using the basic SCP command. We also ensure that the transferred VM disks are configured in thin provisioning.

Follow the steps below to migrate the ESXi servers:

Enable SSH Service on Source and Destination ESXI Servers

To enable the SSH service, log in to the web interfaces for your ESXI servers. Then click on Host at the top right. Click Actions -> Services -> Enable Secure Shell (SSH) (if it is not already enabled).

Enable SSH Client Service on Source ESXI Server.

Log in to the SSH of the source ESXI server using the putty tool. You may need to run the below commands:

esxcli network firewall ruleset list --ruleset-id sshClient

Check if the SSH client service is enabled. If disabled, the command will return a result of ‘False’. If a ‘False’ response is returned, run this next command. If ‘False’ is not the returned response, proceed to the next step!

esxcli network firewall ruleset set --ruleset-id sshClient --enabled=true

Copy the VM from Source to Destination

Before running the below commands, make sure the VM that will be migrated is turned off in the source ESXI server.

Connect to your source ESXI server using putty or your favorite SSH client (depending on Windows or Mac OS).

Navigate to your datastore where your guest VM resides. By default, it will show as below.

cd /vmfs/volumes/datastore1/

Next, migrate the data to the proper datastore path in the Destination VM.

Afterward, execute the below command in the source ESXI server:

scp -rv /vmfs/volumes/datastore1/VM_NAME root@xx.xx.xx.xx:/vmfs/volumes/datastore1/

Press ‘Enter.’ You should be prompted for a password – then the migration process will begin. The time to complete the transfer depends on the network speed between the ESXI servers.
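An added example, not part of the original article: a checksum manifest for confirming that the VM directory arrived intact before the disks are converted or the source copy is retired. It assumes sha256sum, find, sort and diff are available in the shell on both hosts; the function names, script name and manifest paths are illustrative.

```shell
#!/bin/sh
# Added example: verify a VM directory copied with scp by comparing SHA-256
# manifests taken on the source and destination hosts.
# Assumption: sha256sum, find, sort and diff exist on both hosts.

# Print "<sha256>  ./<relative path>" for every regular file under DIR,
# sorted by path so two manifests can be compared line by line.
vm_manifest() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    ( cd "$dir" && find . -type f -exec sha256sum {} \; | LC_ALL=C sort -k 2 )
}

# Compare a source manifest with a destination manifest.
# Returns 0 when identical, 1 on any difference,
# 2 when the source manifest is missing or empty.
compare_manifests() {
    src=$1
    dst=$2
    if [ ! -s "$src" ]; then
        echo "source manifest is missing or empty: $src" >&2
        return 2
    fi
    if diff "$src" "$dst" >/dev/null 2>&1; then
        echo "OK: $(wc -l < "$src") file(s) match"
        return 0
    fi
    echo "MISMATCH (< source only, > destination only):"
    diff "$src" "$dst" | grep '^[<>]' || true
    return 1
}

# Usage (vmcheck.sh is a hypothetical file name for this script):
#   on each host: sh vmcheck.sh manifest /vmfs/volumes/datastore1/VM_NAME > /tmp/VM_NAME.sha256
#   on one host:  sh vmcheck.sh compare /tmp/src.sha256 /tmp/dst.sha256
case "${1:-}" in
    manifest) vm_manifest "$2" ;;
    compare)  compare_manifests "$2" "$3" ;;
esac
```

Take the source manifest while the VM is still powered off, so the disk files cannot change between the copy and the comparison.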

Convert Thick Provisioning to Thin Provisioning

Log in to your SSH console of the destination server. Then, navigate to the datastore path where the new VM data will be migrated from the old server.

cd /vmfs/volumes/datastore1/VM_NAME

Run the below command to clone the VMDK to a thin-provisioned disk using vmkfstools:

vmkfstools -i VM_NAME.vmdk -d thin VM_NAME-thin.vmdk

After the cloning is complete, list the files in the directory and verify that two files were created:

VM_NAME.vmdk and VM_NAME-thin.vmdk.

Rename the old flat file to a different name (e.g., mv VM_NAME-flat.vmdk VM_NAME-flat.vmdk.old)

Rename the new thin flat file to the original flat file name (e.g., mv VM_NAME-thin-flat.vmdk VM_NAME-flat.vmdk)

Register the Migrated VM on the ESXI Host

Log in to the web interface of the destination ESXI server where the VM was migrated from the source server.

Click on Virtual Machines –> Create/Register VM

Select ‘Register an Existing Virtual Machine.’ Then select one or more virtual machines, a datastore, or a directory. Select the folder of the VM Guest you moved to the new server. Click: Select –> Next –> Finish

Once you turn on the migrated VM in the destination ESXI server for the first time, you will be prompted to answer if you moved or copied the guest machine. Leave the default “I Copied It” and click “Answer.”

If the migration was completed without any errors, the VMs should start in the new host.

 

Article written by Nandakumar Chitra Suresh and Katie Gerhardt

 

 

Installing an SSL Certificate on an ESXI Server

In the latest version of the ESXI server, the web UI is only available for managing the existing virtual machines (VMs) or creating new VMs. By default, the SSL certificate that comes with ESXI is a self-signed certificate, which is not accepted by most browsers. In this case, we are using ESXI version 6.7, with the URL dubbed esxi-srv.example.com and an expired SSL certificate. We are going to replace it with a new SSL certificate.

Login to the ESXI Web UI

To install the new SSL, we will need to log in to the ESXI web UI and enable SSH access. We can use the Mozilla web browser, which will help us log in to the UI by accepting the risk associated with an expired SSL.

Install SSL Certificate-ESXI Server

Start the SSH Service

To start the SSH service, log in to the ESXI server with root credentials, then click on Manage –> Services –> Start TSM-SSH service.

Locate Your Certificates

Navigate to the dir /etc/vmware/ssl

[root@vmxi:/etc/vmware/ssl] pwd
/etc/vmware/ssl

We will need to update the rui.crt and rui.key files by adding your new SSL and Chain certificates to file rui.crt (SSL certificate and Chain certificate in that order). Then you will add your SSL private key to the rui.key file.

Safety First

Before making any changes though, make a backup of the existing certificate and key.

cp /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt_old
cp /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key_old

Update Certificates and Restart

Then, using the vi editor, replace the contents of the certificate file and the key file.

cat /dev/null > /etc/vmware/ssl/rui.crt
vi /etc/vmware/ssl/rui.crt
cat /dev/null > /etc/vmware/ssl/rui.key
vi /etc/vmware/ssl/rui.key
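An added example, not part of the original article: a pre-flight check to run on the new certificate bundle and private key before hostd is restarted, since a mismatched key or a bundle with the chain listed first leaves the management UI without a usable certificate. It assumes the openssl command-line tool is available; the function names, script name and file paths are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight check of a candidate certificate bundle and
# private key before they are written to rui.crt and rui.key.
# Assumption: the openssl command-line tool is available where this runs.

# Public key (PEM) of the FIRST certificate in a bundle. openssl x509 only
# reads the first PEM block, so a bundle with the chain certificate placed
# before the server certificate yields the wrong key here.
first_cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Public key (PEM) derived from an unencrypted private key. The empty
# passphrase stops openssl from prompting if the key is encrypted.
private_key_pubkey() {
    openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null
}

# check_cert_pair CERT_BUNDLE PRIVATE_KEY
# Returns 0 only if the bundle starts with a readable, unexpired certificate
# whose public key matches the private key.
check_cert_pair() {
    crt=$1
    key=$2
    cert_pub=$(first_cert_pubkey "$crt") || cert_pub=""
    key_pub=$(private_key_pubkey "$key") || key_pub=""
    if [ -z "$cert_pub" ]; then
        echo "FAIL: $crt does not start with a readable PEM certificate"
        return 1
    fi
    if [ -z "$key_pub" ]; then
        echo "FAIL: $key is not a readable, unencrypted private key"
        return 1
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: first certificate in $crt does not match $key (wrong key, or chain listed before the server certificate)"
        return 1
    fi
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: first certificate in $crt has already expired"
        return 1
    fi
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$crt" || true)
    echo "OK: key matches; bundle holds $count certificate(s), server certificate first"
    return 0
}

# Usage (check_pair.sh and the /tmp paths are hypothetical names):
#   sh check_pair.sh /tmp/new_rui.crt /tmp/new_rui.key
if [ "$#" -eq 2 ]; then
    check_cert_pair "$1" "$2"
fi
```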

After making the changes, you will need to restart the hosted service using the below commands:

[root@vmxi:/etc/vmware/ssl]  /etc/init.d/hostd restart
watchdog-hostd: Terminating watchdog process with PID 5528316
hostd stopped.
hostd started.
[root@vmxi:/etc/vmware/ssl]  /etc/init.d/hostd status
hostd is running.
[root@vmxi:/etc/vmware/ssl]

Now if we look at the browser, we can see the new SSL certificate is in effect.

Conclusion

FileCloud is a powerful content collaboration platform that integrates with your favorite tools and programs. That includes cloud storage services, Microsoft and Google apps, online editing tools like OnlyOffice and Collabora, Zapier, Salesforce, and more. Set up APIs to fine-tune file and user operations and learn more about available features in FileCloud University. You can also reach out to our best-in-class support team through the customer portal for any questions regarding your FileCloud environment.

 

Article written by Nandakumar Chitra Suresh and edited by Katie Gerhardt

 

Enable FIPS Encryption in FileCloud

FileCloud officially supports FIPS mode with CentOS 7.x version. This post explains how to enable FIPS encryption in your FileCloud installation.

Important Note – 

Please make sure you have the FIPS component enabled in your FileCloud license. If you do not have the component, please contact our sales team at sales@filecloud.com for further help in adding the component to your license.

Step 1: Enable Dracut Modules

To enable FIPS encryption, you must first enable Dracut modules in CentOS; this can be installed by running the below commands:

yum install dracut-fips
yum install dracut-fips-aesni
dracut -v -f

It should yield the following results:

FIPS certification - enable dracut modules in CentOS

Step 2: Add the FIPS flag to the Grub Configuration

Once the Dracut module is configured, the next step is to add the FIPS flag to the grub configuration. To make the necessary changes, modify this file /etc/default/grub by adding fips=1 to GRUB_CMDLINE_LINUX.

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet fips=1"

If /boot is on a different partition, also add boot=UUID= with the UUID that blkid reports for the boot partition:

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet fips=1 boot=UUID=34c96d6b-a43c-fec3-a2a6-e6593c977550"

Step 3: Regenerate the Grub Configuration

After modifying the grub configuration, we will need to regenerate the grub configuration using the below command:

grub2-mkconfig -o /etc/grub2.cfg

If prelinking is installed in the server, you must first disable prelinking by modifying this file – /etc/sysconfig/prelink – and setting PRELINKING=no

Step 4: Reboot the Server

After the above changes are made, reboot the server and check this file – cat /proc/sys/crypto/fips_enabled – to ensure FIPS is enabled.

[root@cnfc ~]# cat /proc/sys/crypto/fips_enabled
1
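An added example, not part of the original article: a post-reboot check that covers the kernel flag together with the grub and prelink settings from the earlier steps. The function name and the overridable file arguments are illustrative; the defaults are the paths named in the steps above plus /proc/cmdline and /proc/mounts.

```shell
#!/bin/sh
# Added example: post-reboot verification of the FIPS steps above.
# The four paths default to the real CentOS locations; they are parameters
# only so the checks can be exercised against sample files.

# fips_check [FIPS_FILE] [CMDLINE_FILE] [PRELINK_FILE] [MOUNTS_FILE]
# Prints one PASS/FAIL line per check and returns the number of failures.
fips_check() {
    fips_file=${1:-/proc/sys/crypto/fips_enabled}
    cmdline_file=${2:-/proc/cmdline}
    prelink_file=${3:-/etc/sysconfig/prelink}
    mounts_file=${4:-/proc/mounts}
    fails=0

    # Step 4: the running kernel must report FIPS mode.
    if [ "$(cat "$fips_file" 2>/dev/null)" = "1" ]; then
        echo "PASS kernel reports fips_enabled=1"
    else
        echo "FAIL $fips_file is not 1"
        fails=$((fails + 1))
    fi

    # Steps 2-3: fips=1 must have reached the booted kernel command line.
    cmdline=$(cat "$cmdline_file" 2>/dev/null || true)
    case " $cmdline " in
        *" fips=1 "*) echo "PASS fips=1 is on the kernel command line" ;;
        *) echo "FAIL fips=1 missing from kernel command line"
           fails=$((fails + 1)) ;;
    esac

    # Step 2: a separate /boot partition also needs boot=<device>.
    if awk '$2 == "/boot" { found = 1 } END { exit !found }' "$mounts_file" 2>/dev/null; then
        case " $cmdline " in
            *" boot="*) echo "PASS /boot is separate and boot= is set" ;;
            *) echo "FAIL /boot is separate but boot= is missing"
               fails=$((fails + 1)) ;;
        esac
    fi

    # Step 3: prelinking, if installed, must be disabled.
    if [ -f "$prelink_file" ]; then
        if grep -Eq '^[[:space:]]*PRELINKING=no[[:space:]]*$' "$prelink_file"; then
            echo "PASS prelinking is disabled"
        else
            echo "FAIL PRELINKING is not set to no in $prelink_file"
            fails=$((fails + 1))
        fi
    fi
    return "$fails"
}

# Run against the live system with: sh fips_check.sh --check
# (fips_check.sh is a hypothetical file name for this script)
if [ "${1:-}" = "--check" ]; then
    fips_check
fi
```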

Step 5: Install FileCloud

The next step is to install FileCloud.

yum install wget
wget http://patch.codelathe.com/tonidocloud/live/installer/filecloud-liu.sh && bash filecloud-liu.sh

Install FileCloud with the above script and configure the components required depending on your use case. Once completed, your FileCloud server will run under the FIPS mode.

Alternative Options

You can also download and install a FIPS-enabled OpenSSL.
NOTE: This is only needed if safelogic modules are required. Once FIPS mode is enabled, CentOS installs FIPS-enabled packages by default.

yum install unzip
wget http://patch.codelathe.com/tonidocloud/live/3rdparty/fipsopenssl/fipsopenssl.zip
unzip -q fipsopenssl.zip -d /root/fipsopenssl
rpm -Uvh --nodeps /root/fipsopenssl/*.rpm

We also recommend enabling strong ciphers and TLS 1.2/TLS 1.3 in your Apache SSL configuration:

#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol -all +TLSv1.2 +TLSv1.3
#SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
#SSLCipherSuite HIGH:!aNULL:!MD5
SSLCipherSuite HIGH:!MEDIUM:!LOW:!EXP:!aNULL:!MD5:!EXPORT:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!PSK:!SRP:!KRB5:@STRENGTH

Conclusion

For greater security and governance over your data, FileCloud supports FIPS encryption. With this step-by-step process, you can now enable FIPS on your own FileCloud installation (provided it is available with your license.) For additional support or clarification, please get in touch with our support team at support@filecloud.com.

 

Article written by Nandakumar Chitra Suresh

 

 

Import Users to AD via PowerShell

Integrating FileCloud with your existing Active Directory (AD) can make setup much easier, faster, and more secure. Users don’t need to worry about creating new accounts or credentials, and IT admins can efficiently manage assets across networks and monitor security.

Maybe you’re ready to go with FileCloud, but you don’t have an Active Directory set up yet. If your user base is large enough, if you have certain security thresholds, or if your organization uses a wide variety of applications, it makes sense to establish your AD first. Then you will have a single database to manage user access across your network.

Here we describe how to import users into an AD using PowerShell:

Single User Import

SamAccountName :  jdoe2

Name:  John2 Doe

DisplayName:  John2 Doe

Surname:  john2

GivenName:  John2

Email:  fc@company.ur1

UserPrincipalName:  john2@ns.fctestin.com

Password:  test@1234562

To import a user with the above details to the AD, the below command can be used.

New-ADUser -PassThru -Path "OU=Users,OU=US,DC=ns,DC=fctestin,DC=com" -AccountPassword (ConvertTo-SecureString "test@1234562" -AsPlainText -Force) -CannotChangePassword $False -DisplayName "John2 Doe" -GivenName John2 -Name "John2 Doe" -SamAccountName jdoe2 -Surname john2 -EmailAddress "fc@company.ur1" -UserPrincipalName "john2@ns.fctestin.com"

Bulk User Import

To bulk import users, you must first add those users and some detail to a CSV file.  Then use a PowerShell script to read those values from the CSV file and import them to AD.

Add user details to a CSV file as shown in the screenshot below:


PowerShell Script

In the script below, values from the CSV file are assigned to variables. We then use these variables in the New-ADUser command to import each user.

Import-Module ActiveDirectory

# UPN suffix appended to each sAMAccountName
$Domain = "@ns.fctestin.com"

# Read the user rows from the CSV file
$NewUsersList = Import-Csv "aduser.csv"

ForEach ($User in $NewUsersList) {
    # Map the CSV columns to variables
    $fullname = $User.FullName
    $givenname = $User.givenName
    $samaccountname = $User.sAMAccountName
    $sn = $User.sn
    $userprincipalname = $User.sAMAccountName + $Domain
    $useremail = $User.email

    # Create the account in the target OU
    New-ADUser -PassThru -Path "OU=Users,OU=US,DC=ns,DC=fctestin,DC=com" -AccountPassword (ConvertTo-SecureString "test@1234562" -AsPlainText -Force) -CannotChangePassword $False -DisplayName $fullname -GivenName $givenname -Name $fullname -SamAccountName $samaccountname -Surname $sn -EmailAddress $useremail -UserPrincipalName $userprincipalname
}

NOTE: In that CSV file, you can add more columns like Company, Department, telephone number, etc. You can then assign values to those variables that can be used with the New-ADUser command.

Executing the Script

  • Save the script into a notepad and save it as “AD import.ps1”
  • Open the PowerShell and change the directory to the location of the script and execute the below command:
& '.\AD import.ps1' -delimiter ","

Here, the delimiter is given as a comma. If you open the CSV file in notepad++, you can see that fields will be separated by commas.

Other Useful Commands

  1. To get the total number of users in a group:
(Get-ADGroup "Test import" -Properties *).Member.Count

Here, Test import is the group name. If the group name has a space in between, it should be enclosed in quotes.

  2. To add all users from an OU to a group:
Get-ADUser -SearchBase 'OU=Users,OU=US,DC=ns,DC=fctestin,DC=com' -Filter * | ForEach-Object { Add-ADGroupMember -Identity 'Test import' -Members $_ }

Here, Test import is the group name. If the group name has a space in between, it should be enclosed in quotes.

Conclusion

Now that you have an AD set up, you can explore all the exciting integrations and security benefits. For more information on how you can integrate FileCloud within your existing IT infrastructure, check out FileCloud’s Extensibility. You can also reach out to the Support Team through your Admin dashboard or explore other tools and features in FileCloud University.

 

Article written by Sanu Varkey

 

Migrating Storage Between Regions

Migrating Storage: AWS S3 vs Wasabi

FileCloud supports S3 compatible storage such as Wasabi storage; however, migrating from one Wasabi bucket to another in a different region is not possible, unlike AWS S3 storage. This blog will help you migrate the managed storage in your FileCloud system from one location to another.

Usually, the best method to perform an S3-to-S3 migration is with the help of the AWS CLI tool. However, Wasabi restricts the use of the AWS CLI tool migration if both the buckets are in different regions due to architecture issues within Wasabi.

In this post, we will review how to migrate a FileCloud server running in Ubuntu 18.04 LTS, where the server and Wasabi storage are in Amsterdam, to London.

Transfer storage from different buckets across regions

Step 1: Setting up the Environment

Set up the new server and install the latest version of FileCloud on it. In our case, we are installing a new FileCloud instance on Ubuntu 20.04 LTS.

Step 2: Running the Required Services

Stop all the services in Region 1 except MongoDB.

Step 3: Exporting Data

Mount additional disk space to export the data in Region 1.

In our test case here, the servers are hosted on a Linode server. We created a temporary disk of 1 TB and mounted it on Region 1. Using the export method described in the documentation below, we can export all the data onto the temporary disk we created for Region 1.

https://www.filecloud.com/supportdocs/fcdoc/2v/server/filecloud-server-administrator-guide/manage-filecloud-data/export-files

:/WWWROOT/resources/tools/fileutils$ sudo php ./exportfs.php -d /cloudexport/ -u all -p / -r realRun

The temporary storage is mounted to /cloudexport

Step 4: Transferring the Exported Data

In Region 2, we must ensure that we have a temporary disk attached similar to the specs in Region 1 and that it is mounted to /cloudexport

To transfer data between two regions, we prefer to use rsync client over ssh. Run the below command on the Region 1 server:

rsync -avz /cloudexport/ root@192.168.1.2:/cloudexport/

Replace the IP 192.168.1.2 with the public IP of Region 2. Then wait until the rsync is completed.

Step 5: Transferring the Database from Region 1 to Region 2

To transfer the MongoDB data, we can take a mongodump from Region 1, transfer it using rsync (as in Step 4), and then perform mongorestore in Region 2.

The below commands should be executed in the same order to complete the DB migration:

mongodump --out /root/db-dumps

rsync -avz /root/db-dumps root@192.168.1.2:/root

mongorestore --noIndexRestore /root/db-dumps

Step 6: Seeding the Exported Data into a New Server

To seed the exported data, we can use the documentation here:

https://www.FileCloud.com/supportdocs/fcdoc/2v/server/FileCloud-server-administrator-guide/installing-FileCloud-server/installation/amazon-web-services-aws-installation/seeding-FileCloud-for-amazon-s3

sudo php ./seed.php -h default -p /cloudexport -i -r

After the data is completed, please restart all services and make sure the data is copied across properly before making the DNS switch to the new server.

Conclusion

The above documentation is tested on a standard FileCloud installation with the default site. For multitenant setups, the commands need to change accordingly. We recommend getting in touch with our support team at support@filecloud.com for any clarifications.

 

Article written by Nandakumar Chitra Suresh

 

 

Upgrade Your FileCloud Cluster and MongoDB with Offline Upgrade Tool

Upgrade MongoDB

This blog post explains how to upgrade the FileCloud High Availability cluster using the FileCloud Offline Upgrade tool for Linux. At the moment, the FileCloud Offline Upgrade tool only supports CentOS7 and RHEL7 machines.

Offline Upgrade Tool download links:

offline_rpm_upgrader.tgz

mongodb_upgrader_40_rpm.tgz

mongodb_upgrader_42_rpm.tgz

 

Reviewing the Architecture

In this scenario, let us consider the architecture. The FileCloud architecture below consists of:

  • 2 x web servers
  • 3 x MongoDB servers
  • 1 x Solr server

Update FileCloud Cluster - 9 Server Cluster Example

The example used throughout this how-to blog post is based on FileCloud 20.1, where MongoDB runs on 3.6. Starting from 21.1, we will have to upgrade the MongoDB clusters manually, prior to Web node upgrades.

 

Upgrading FileCloud’s MongoDB Servers

We described how to upgrade MongoDB servers for Windows and Linux in a previous blog post. Here, we describe steps to upgrade MongoDB with the FileCloud offline upgrade tool.

Step 1: Download the Upgrade Tool and Create a Path

First, download mongodb_upgrader_40_rpm.tgz and mongodb_upgrader_42_rpm.tgz into the MongoDB servers. You will need to implement these upgrades step by step.

mongodb_upgrader_40_rpm.tgz is MongoDB 4.0
mongodb_upgrader_42_rpm.tgz is MongoDB 4.2

Step 2: Create a Directory and Path

Create a directory as below in any path; $path can be any path location

mkdir -p $path/mongo40
mkdir -p $path/mongo42

tar -xzvf mongodb_upgrader_40_rpm.tgz -C $path/mongo40
tar -xzvf mongodb_upgrader_42_rpm.tgz -C $path/mongo42

Step 3: Set Feature Compatibility to 3.6

mongo --host {IP address of Primary}  --eval "db.adminCommand( { setFeatureCompatibilityVersion: '3.6' } )"

Step 4: Upgrade Secondary Nodes to 4.0

service mongod stop
cd $path/mongo40
rpm -Uvh *.rpm

Step 5: Stepdown current primary as secondary

rs.stepDown()

Step 6: Upgrade the last server to 4.0

Step 7: Set Feature Compatibility to 4.0 in the current Primary Server

mongo --host {IP address of Primary} --eval "db.adminCommand( { setFeatureCompatibilityVersion: '4.0' } )"

Step 8: Upgrade Secondary Nodes

Upgrade secondary nodes from 4.0 to 4.2, one by one, using the below commands or by running as a script

cd $path/mongo42
service mongod stop
rpm -Uvh *.rpm

Step 9: Stepdown current primary as secondary

rs.stepDown()

Step 10: Upgrade Server to 4.2

Run command in Step 6 to upgrade the last server to 4.2

Step 11: Set Feature Compatibility to 4.2

In the current Primary Server, apply the following to update the feature compatibility to 4.2:

mongo --host {IP address of Primary} --eval "db.adminCommand( { setFeatureCompatibilityVersion: '4.2' } )"
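An added example, not part of the original article or the FileCloud upgrade tool: a small planner that reads the replica set's current state and prints the next action in the order used in Steps 3 to 11 (secondaries first, then step down the primary, then raise the feature compatibility version). The function name, input format and sample hosts are assumptions; the operator collects the member lines, for example from rs.status() and db.version().

```shell
#!/bin/sh
# Added example: decide the next action in the rolling upgrade
# 3.6 -> 4.0 -> 4.2 from the replica set's current state.
# Input on stdin, one member per line: "<host> <state> <binary version>".
# Assumption: the lines are collected by the operator, for example from
# rs.status() (state) and db.version() (binary version) on each member.

# plan_next TARGET CURRENT_FCV
# Prints one of: "upgrade <host>", "stepdown <host>", "set-fcv <version>",
# "done", or "error: ..." (exit status 2).
plan_next() {
    target=$1
    fcv=$2
    # Each release requires the FCV of the release directly before it.
    case "$target" in
        4.0) required=3.6 ;;
        4.2) required=4.0 ;;
        *) echo "error: unsupported target $target"; return 2 ;;
    esac
    awk -v target="$target" -v fcv="$fcv" -v required="$required" '
        NF >= 3 {
            split($3, v, ".")
            series = v[1] "." v[2]
            total++
            if (series == target) {
                upgraded++
            } else if (series != required) {
                bad = $1 " runs " $3 ", upgrade it to " required " first"
            } else if ($2 == "SECONDARY" && sec == "") {
                sec = $1
            } else if ($2 == "PRIMARY") {
                primary = $1
            }
        }
        END {
            if (total == 0) { print "error: no members given"; exit 2 }
            if (bad != "")  { print "error: " bad; exit 2 }
            if (upgraded == total) {
                print (fcv == target ? "done" : "set-fcv " target)
                exit 0
            }
            if (fcv != required) {
                print "error: set featureCompatibilityVersion to " required " before installing " target
                exit 2
            }
            if (sec != "") {
                print "upgrade " sec
            } else if (primary != "") {
                print "stepdown " primary
            } else {
                print "error: no member is PRIMARY or SECONDARY"
                exit 2
            }
        }'
}

# Usage with constructed sample state (plan.sh is a hypothetical file name):
#   printf '%s\n' '10.0.0.1 PRIMARY 3.6.23' '10.0.0.2 SECONDARY 3.6.23' \
#       '10.0.0.3 SECONDARY 3.6.23' | sh plan.sh 4.0 3.6
if [ "$#" -eq 2 ]; then
    plan_next "$1" "$2"
fi
```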

 

Upgrading FileCloud’s web and Solr servers

Download the offline_rpm_upgrader.tgz to both the web and Solr servers.

tar -xzvf offline_rpm_upgrader.tgz

Run the upgrader_offline_rpm.sh in the web nodes (you can skip the MongoDB upgrade option in upgrader_offline_rpm.sh as we will upgrade MongoDB servers manually prior to web nodes)

For Solr nodes, select the option Solr server and skip the web server and Solr.

 

Conclusion

Please note that this blog post is written based on the sample architecture mentioned at the start of the post. If you have different architecture, please feel free to reach out for any clarifications at support@filecloud.com.

 

Article written by Nandakumar Chitra Suresh

 

Securing Your Filecloud Installation with a Wildcard Letsencrypt SSL Certificate

For this blog post, we will delve into the steps necessary to secure a FileCloud installation with a wildcard “Let’s Encrypt” SSL Certificate and Ubuntu 20.04 LTS on a multi-tenant site.

Install Certbot Package

To obtain the Let’s Encrypt SSL certificate, we will be required to install a Certbot package in the Ubuntu 20.04 LTS machine. This package can be installed from one of the default Ubuntu package repositories. The below command can help install the necessary packages.

apt install certbot python3-certbot-apache -y

Generate SSL Certificate

After the installation is complete, run the below command to generate the SSL certificate. This process is managed by the Apache plugin that comes with the certbot. In this case, we are going to install a wildcard certificate for the domain example.com. Since this is a wildcard certificate, we will need to manually generate the certificate using the certbot command. The command we are using is below:

root@fcsrv:~# certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d '*.example.com'

Confirm (or Deny) Logging of IP Address

After running this command, it will ask to confirm if the machine IP can be logged for the SSL generation purpose. In this demo, we have selected Yes.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

 

Then it will ask us to create a TXT record against the domain for which we need to have the SSL issued:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

For security reasons, we have masked the record. After the verification is completed, the SSL can be found at

/etc/letsencrypt/live/example.com/

Configure Changes and Create Virtual Host Entry

The next step is to make the required changes in /etc/apache2/sites-available/default-ssl.conf. Since this is a multi-tenant installation, we must first create a separate virtual host entry. Below is the virtual host entry we created in the file default-ssl.conf:

<VirtualHost *:443>
    # Admin email, Server Name (domain name) and any aliases
    ServerAdmin xxx@xxxxxx
    ServerName demo.example.com

    # Index file and Document Root (where the public files are located)
    DirectoryIndex index.php
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
</VirtualHost>

Run Configuration Test

After making the changes, it is advisable to run an Apache config test to make sure everything is configured correctly. The expected output should be:

root@fcsrv:/etc/apache2/sites-enabled# apachectl -t

Syntax OK
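A syntax check does not show whether each tenant's ServerName is covered by the certificate: *.example.com stands for exactly one label, so demo.example.com is covered but example.com and deeper subdomains are not. The script below is an added example, not from the original article; its function names and the sample virtual hosts are constructed for illustration, and it assumes bare host names without a scheme or port.

```shell
#!/bin/sh
# Added example: report ServerName/ServerAlias values that one certificate
# name (such as *.example.com) does not cover.

# Return 0 if certificate name $1 covers host $2. A wildcard stands for
# exactly one leftmost label; comparison is case-insensitive.
cert_name_covers() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        '*.'*)
            suffix=${pattern#\*}                 # e.g. ".example.com"
            label=${host%"$suffix"}              # part left of the suffix
            [ "$label" != "$host" ] || return 1  # suffix did not match
            [ -n "$label" ] || return 1          # nothing in place of "*"
            case "$label" in *.*|*'*'*) return 1 ;; esac  # more than one label
            return 0 ;;
        *) [ "$pattern" = "$host" ] ;;
    esac
}

# Print every ServerName/ServerAlias in config file $1 ("-" for stdin)
# that certificate name $2 does not cover.
uncovered_vhost_names() {
    awk 'tolower($1) == "servername" || tolower($1) == "serveralias" {
             for (i = 2; i <= NF; i++) print $i
         }' "$1" |
    while read -r name; do
        cert_name_covers "$2" "$name" || echo "$name"
    done
}

# Constructed sample input: two tenant virtual hosts.
sample_conf() {
    cat <<'EOF'
<VirtualHost *:443>
    ServerName demo.example.com
    ServerAlias example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName files.team.example.com
</VirtualHost>
EOF
}

# Lists the names the wildcard certificate will not match.
sample_conf | uncovered_vhost_names - '*.example.com'
```

Any name it prints needs its own -d entry when the certificate is requested, or a different host name.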

Restart the Apache service and use any SSL verification site to make sure your SSL certificate has been installed correctly. For additional support, please contact our FileCloud Support Team.

 

Article written by Nandakumar Chitra Suresh

 

Access your FileCloud Community Edition Server using NoIP

If you’re currently using Tonido and considering switching to FileCloud Community Edition, there is one key difference to note: Tonido uses a relay server to access your local server.

For example, <username>.tonido.com is your external URL; this means that you will need to use a third-party service to redirect from a custom URL to your local IP address. You can use commercial or free services to accomplish this.

Some available options include:

Redirect Your Tonido URL

This article will explain how to accomplish this using a Freemium service like NoIP.

Requirements:

  • Server Computer Running FileCloud Community Server
  • NoIP.com Account
  • Your Public IP Address
  • Port Forwarding in Your Router
  • External URL Access
  • Set Up Automatic Updates for Local IP Changes

Install FileCloud Server

FileCloud provides installation guides for Windows and Linux operating systems. Select the right one for your computer below.

Windows: https://www.filecloud.com/supportdocs/display/cloud/Installation+on+Windows

Linux: https://www.filecloud.com/supportdocs/display/cloud/Ubuntu+Package+Installation

NoIP account

If you don’t have a NoIP.com account, please create one here.

Public IP address

Several options can help you identify your public IP address. For our tutorial, we will use this website: https://www.whatismyip-address.com/?check

When you open this website from your local home network, you will see something like this:

screenshot of website WhatIsMyIPAddress

Please take note of your IPv4 address, as we will use it shortly.

Set Up Port Forwarding in Your Router

To access your FileCloud Community Edition server outside of your local network, you will need to create a rule in your router to redirect traffic from your public IP address to the local IP address of your server.

The instructions may vary depending on your router brand. You can check the guide from NoIP, which helps you set up port forwarding for a comprehensive list of router brands (D-Link, Netgear, Linksys, Asus, TP-Link, etc.).

Create and Configure External URL Access

Once you have completed the above steps, it is time to create your hostname in NoIP. Go to dynamic DNS and create a new hostname.

screenshot of website NoIP to create a hostname

You can choose your preferred hostname and point a DNS Host (A) record to your IPv4 address.

Screenshot of NoIP - Direct Your DNS

After waiting an average of 30 minutes, your DNS entry should be ready. Now you can access your FileCloud Community Edition Server from anywhere using the URL you chose, including via mobile application and web access.

Set Up Automatic Updates for the IP Address

To make updating the IP address simple, NoIP offers an application you can install on your server or any computer that runs from your local network. The application will monitor if the public IP is updated; whenever the IP address changes, the app will automatically update your DNS entry in your account. You can find and download the application from NoIP.

Once you install the application, log in to your NoIP account and select the hostname. You will see the following:

screenshot of NoIP website, configuring automatic updates for DNS changes

Now, whenever your local IP address is updated, your DNS entry will also be updated, ensuring you never lose access to your FileCloud Community Edition Server.

Article written by Daniel Alarcon