> On-Premise Platform
On-Premise Platform
The Protectimus On-Premise Two-Factor Authentication Platform can be installed on your private servers or in your private cloud.To ensure uninterrupted operation of your multi-factor authentication server, deploy it to a cluster of several servers (we recommend using at least three nodes). Use a load balancer to distribute the load among them.
- Private server installation requirements: Java (JDK version 8); PostgreSQL DBMS, version 10 or later.
- Private cloud installation requirements: CPU: 2 cores, memory: 8 GB; OS: Linux; cloud disk: 20 GB; load balancer.
To install the Protectimus On-Premise Platform, you can use the installer for Windows or create a Docker Image.
1. Protectimus Platform Installation Using a Docker Image
- To start installing the Protectimus On-Premise Platform, first of all, download and install docker and docker-compose:
- Docker: https://docs.docker.com/engine/install/
- Docker-compose: https://docs.docker.com/compose/install/
- Then clone the git repository: https://github.com/protectimus/platform-linux.git
- Go to the platform-linux/platform directory and run:
docker-compose up -d- You can monitor the process of platform deployment using the command:
docker-compose logs -f- After the deployment process is complete, the platform will be available at: https://localhost:8443
2. Protectimus Platform Installation on Windows
- Download and run the Protectimus Platform installer. Check the Platform box and click Next.
If you are going to use DSPA or RADIUS integrations, and/or OTP delivery via chat-bots in messaging apps Telegram, Facebook Messenger, or Viber, also check the appropriate boxes.
- Before deploying the Protectimus Platform, Java must be installed on your server. Click the Install button to check for Java. If it’s not installed yet, the latest JDK version will be installed automatically.
- Also, database management system PostgreSQL (version 9.2 and above) must be installed on your server. Click the Install button to check for PostgreSQL. If it’s not installed yet, the latest PostgreSQL version will be installed automatically.
ATTENTION: You will need to set a superuser name and password during installation. You’ll need this password to login to PostgreSQL later.
Please, remember your superuser name (postgres) and the password you’ll add on this step. This name and password will be required to login to PostgreSQL later.
- Login to PostgreSQL Database. Enter the superuser name and password you specified during the PostgreSQL installation and click LogIn. Then click Next to continue the installation.
- Create and Select the database you will use for Protectimus On-Premise Platform.
- Create a new database. Enter the desired database name and click Create.
- Check whether it is created or not using the button List.
- Click the Select button, choose the database you’ve just created, and click Next.
- Initiate the database. Click Init to execute SQL scripts and initiate your database. This may take some time.
- Select the folder to install the Protectimus Platform and click Install.
The server will be started on port 8080, and the platform will be available from the address http://localhost:8080. It will be opened automatically after the installation. After launching the platform, you’ll need to register in the system.
3. How to Pay and Activate the License
After testing the Protectimus Platform successfully, you’ll need to get a license. To do so, go to http://platform_path/licensing, select the option you require and get the license key.Using the key you received, you can pay for and download your license online. To do so:
- Go to https://service.protectimus.com/en/platform and click Purchase License.
- Enter your license key into the Licensing Key field and click Submit.
- On the next step, click on the Pay button.
- Choose a payment method. If you require an alternate payment method, contact Protectimus customer support.
- After successful payment click on the Issue Platform License button.
You can also do this on the page https://service.protectimus.com/en/platform by clicking the Issue License button.
- Enter the key into the Licensing Key field and click Submit. After that, the license file will be downloaded.
- After receiving the license file, download it to the server and provide the path to the license file in the licence.file.path parameter, in the file named protectimus.platform.properties.
4. How to Get Registered in Protectimus System
The installer will automatically open the registration form at http://localhost:8080.Please, create an account and log in to configure the necessary settings.
5. How to Enable Users Synchronization With Your User Directory
- Login to your Protectimus account, and click: Users – Synchronization – Add LDAP user provider
- In the Connection section, fill in the details about your user directory.
Basic settings:
| Field | Value | Note |
| Connection URLs | URL to connect to your LDAP server | Example: ldaps://dc1.domain.local:636
For DSPA, you need to use the LDAP connection, and you also need to import the SSL certificate.A standard way: |
| Base DN | Full DN of the directory in which your users are stored | Example:
|
| Password | The password of the specified user | |
| User DN | DN or userPrincipalName of the administrator or user who has access to user information | Example:
For DSPA, the user must have rights to change passwords |
| Timeout (ms) | Connection timeout |
- After filling in details about your user directory, add synchronization attributes.
Click on the Attributes button.
Then add your attributes as shown in the example.
- After successfully adding the user provider, you need to import the users into the Protectimus system and synchronize them with your user directory.
In the Synchronization mode field, you should choose how you would like to import your users.
Importing users can be set up in three ways:- Import – will never update user data.
- Import and Update – will always update user data when possible.
- Import, Update and Delete – will always update user data when possible. Protectimus users, as well as the software tokens assigned to them, will be removed upon the user’s removal from external user storage.
- Now configure the Use pagination setting.
When Use pagination is activated, it means that if the number of records exceeds 200 or 500, multiple queries will be used for retrieval. This is due to LDAP typically returning a limited number of entries by default.
- Set up a filter to be applied during synchronization.
Use this filter to select only the users you want to synchronize.
For example, to import only those users who have the telephoneNumber and mail attributes specified, set up such a filter:
(&(telephoneNumber=*)(mail=*))
To import users from a specific group, choose the required group. In our example, it is the Users group.
- Now configure the Enroll SMS token setting.
When Enroll SMS token is activated, SMS tokens will be enrolled and assigned to your users during synchronization.
- In the Resource associations section, you can choose the resource to which the users will be assigned during synchronization.
- The next step is to enable user synchronization. This can be accomplished in three ways:
- Use the Synchronize now button to synchronize all users at once.
You can also select the Synchronize modified button to synchronize only the users who have been modified since the last synchronization.
- Use the Synchronize individuals feature to synchronize only the selected users from your user directory.
- Or enable automatic user synchronization by activating the Enabled option at the top of the page.
- Use the Synchronize now button to synchronize all users at once.
6. How to Configure SSL Certificate, Mail and SMS Tokens, and Specify the Path to the License File
Once you’ve successfully installed the platform, it will generate a configuration file named protectimus.platform.properties. The protectimus.platform.properties file must be located in the same directory as the executable.This file allows you to customize the following settings:
- Add SSL certificate for the Protectimus Platform. Different SSL certificate formats are supported, including .pkcs12, .pem, .der, .pfx.
- Configure delivery of messages via email;
- Configure SMPP server connection to add your SMS provider to deliver one-time passwords via SMS.
- Specify the path to the license file. Please note that the path to the license file should be indicated with double backslashes
(eg. C:\\some\\path\\file).
Available properties that you can add to the protectimus.platform.properties file include:
6.1. SSL Certificate Configuration
| PROPERTY NAME | PROTERTY STANDS FOR |
|
Port on which your application listens for HTTPS requests. Typically, platform uses port 8443 by default. |
|
Type of keystore used to store SSL certificates and private keys. Types: JKS, PKCS12. |
|
Password required to access the keystore. |
|
Full path to the keystore file containing SSL certificates and private keys. Please note that the keystore file should be located in the ..\\Protectimus\\Platform folder, in the same place as the .war and .properties files. The path should be indicated with double backslashes, for example C:\\Program Files\\Protectimus\\Platform\\keystore.jks. |
https.port = 8443
https.keystore.type = JKS
https.keystore.password = **********
https.keystore = C:\\Program Files\\Protectimus\\Platform\\keystore.jks6.2. Email Message Delivery Configuration
| PROPERTY NAME | PROTERTY STANDS FOR |
|
SMTP server’s hostname or IP address. |
|
Port number for SMTP server. |
|
Username or email account for authentication. |
|
Password associated with the username or email account. |
|
Allows you to set the address from which emails will be sent to the user. |
smtp.host = smtp-server.com
smtp.port = 25
smtp.user = [email protected]
smtp.password = **********6.3. SMPP Server Connection Configuration
| PROPERTY NAME | PROTERTY STANDS FOR |
|
SMPP server login. |
|
SMPP server password. |
|
Host or IP address of the SMPP server. |
|
Port for the SMPP server. |
|
Encoding for SMPP messages. |
|
Source or sender address for SMPP messages. |
smpp.server.login = login
smpp.server.password = **********
smpp.server.host = smpp.example.com
smpp.server.port = 12000
smpp.message.encoding = UTF-8
smpp.from.address = Protectimus7. How to Import Trusted SSL Certificate
By default, a self-signed SSL certificate is used for the SSL connections with the Protectimus On-Premise Platform. If you would like to import your own trusted SSL certificate, follow the instructions below.To import the SSL certificate, you will need the SSL certificate itself, the keytool, and openssl utilities.
Different SSL certificate formats are supported, including .pkcs12, .pem, .der, .pfx.
- Import the certificate as trusted into the keystore:
keytool -keystore ___.jks -import -alias ___ -file ___.crt -trustcacerts
Example:
keytool -keystore publicStore.jks -import -alias protectimus -file protectimus.crt -trustcacerts- Convert the certificate to PKCS12 format:
openssl pkcs12 -inkey ___.key -in ___.crt -export -out certificate.pkcs12
Example:
openssl pkcs12 -inkey privateKey.key -in protectimus_2020-2022.crt -export -out certificate.pkcs12- Import the certificate to the keystore:
keytool -importkeystore -srckeystore certificate.pkcs12 -srcstoretype PKCS12 -destkeystore ___.jks
Example:
keytool -importkeystore -srckeystore certificate.pkcs12 -srcstoretype PKCS12 -destkeystore publicStore.jks8. How To Integrate and Configure the Protectimus On-Premise Platform
Integrate the Protectimus On-Premise Platform with the system you plan to protect with two-factor authentication and configure the necessary settings. To do this, download the instructions for the integration component you require on the Integrations page.9. How to Update the Protectimus On-Premise Platform
You can update the Protectimus On-Premise Platform using a Docker image on any operating system.However, if you initially installed the Platform on Windows, you may follow the instructions for Windows users below.
9.1. Updating Platform Using a Docker Image
You have two options for updating the Protectimus On-Premise Platform with a Docker image: We’ll walk you through both methods, allowing you to choose the one that best suits your preferences.9.1.1. Updating via Git Repository Cloning
- Use this command to copy the repository containing Docker Compose files to your local computer, where the Protectimus On-Premise Platform is installed.
git clone https://github.com/protectimus/platform
The contents of the archive will be as follows:
. └── platform ├── platform │ ├── docker-compose.yaml │ ├── .env │ ├── platform_data │ │ ├── autogenerated-keystore.jks │ │ └── protectimus.platform.properties │ └── postgres_data ├── radius │ ├── config │ │ ├── radius.all.yml │ │ └── radius.yml │ ├── docker-compose.yaml │ └── .env └── unifi-guest-portal ├── config │ ├── fragments.html │ ├── guest-portal.all.yml │ └── guest-portal.yml ├── docker-compose.yaml └── .env
- Go to the platform directory:
cd platform/platform
- Run the application using Docker Compose.
This command will start all the containers required for your application in the background (-d):
docker-compose up -d
- Stop running containers using this command:
docker-compose down
- Make a backup of your database. The data is located in the postgres_data directory.
- Get latest changes from Git repository.
This command will update your local repository to the latest version that you have uploaded to Git.
Resolve any configuration conflicts if necessary.
git pull
- Download the updated images. This command will download the updated Docker images from your Docker registry:
docker-compose pull
- Restart containers with new images.
This command will restart the containers using the updated images in the background mode (-d):
docker-compose up -d
9.1.2. Manual Update from Github
- Download the latest version of the archive with the Protectimus Platform from Github and extract it:
https://github.com/protectimus/platform/releases
The contents of the archive will be as follows:
. └── platform ├── platform │ ├── docker-compose.yaml │ ├── .env │ ├── platform_data │ │ ├── autogenerated-keystore.jks │ │ └── protectimus.platform.properties │ └── postgres_data ├── radius │ ├── config │ │ ├── radius.all.yml │ │ └── radius.yml │ ├── docker-compose.yaml │ └── .env └── unifi-guest-portal ├── config │ ├── fragments.html │ ├── guest-portal.all.yml │ └── guest-portal.yml ├── docker-compose.yaml └── .env
- Go to the platform directory:
cd platform/platform
- Run the application using Docker Compose.
This command will start all the containers required for your application in the background (-d):
docker-compose up -d
- Stop running containers using this command:
docker-compose down
- Make a backup of your database. The data is located in the postgres_data directory.
- Change the component version to the latest in the .env file.
- Download the updated images. This command will download the updated Docker images from your Docker registry:
docker-compose pull
- Restart containers with new images.
This command will restart the containers using the updated images in the background mode (-d):
docker-compose up -d
9.2. Updating Platform on Windows
9.2.1. Before updating the platform, stop the platform in services.
9.2.2. Install the new version of the Protectimus On-Premise Platform, and when selecting a database, choose the one used in the old version of the Protectimus platform.
- Choose the necessary components.
- Click Next.
- Click Next.
- Use your username and password to log in to the PostgreSQL database you created during the first platform installation and click LogIn.
- Enter the name of the database you used in the old version of the Protectimus platform and click Select.
You can click the List button to see the list of available databases if you don’t remember the exact name of the necessary database.
- Preferably, use the same destination folder as previously.
- Once the platform is installed, you will see the changelog describing recent updates; close it.
- Then click OK to finish the installation.
Last updated on 2024-04-01