
Backend Fundamentals

The required preparation steps fall into several categories:

  • Server preparation
  • DNS mappings
  • TLS certificates
  • Firewall setup

After an introduction to the key tiCrypt components, we describe the recommended preparation steps for each category.

tiCrypt components

tiCrypt services are grouped into three categories. Each category has different considerations in terms of deployment.

tiCrypt Backend

The main tiCrypt infrastructure is provided by the tiCrypt backend. It consists of 11 services that cooperate to implement the functionality; depending on the functionality required, some of them might not be installed in a particular installation. The role of each service, briefly:

  • tiCrypt-auth: is responsible for authentication, some auxiliary responsibilities, and keeping all other services together.
  • tiCrypt-rest: is the HTTPS entry point.
  • tiCrypt-vm: offers virtual machine functionality.
  • tiCrypt-file-manager: is responsible for files and directories in the vault.
  • tiCrypt-storage: is responsible for file content storage.
  • tiCrypt-logger: is responsible for logging.
  • tiCrypt-maintenance: is responsible for regular maintenance tasks.
  • tiCrypt-notifications: is responsible for the notification facility (informing users of various actions affecting them).
  • tiCrypt-proxy: is responsible for bridging connections between user desktops and their VMs.
  • tiCrypt-stats: is responsible for statistic gathering.
  • tiCrypt-backup: coordinates backup activities.

Most tiCrypt installations should run all 11 services on a single server. Splitting the services across multiple servers is recommended only for very large installations.

tiCrypt Audit (tiAudit)

The tiCrypt Audit component processes the logs, extracts alerts, can create reports, and allows execution of forensic queries. It consists of 3 sub-components:

  • log-streamer: loads the log live from a tiCrypt backend (the tiCrypt-logger service).
  • log-uploader: loads historical logs from raw tiCrypt logs.
  • audit: provides a web-based interface to view alerts, and run reports and queries.

The tiAudit components can run on the same server as the tiCrypt backend or on a different server. Multiple independent tiAudit installations can be supported.

tiCrypt data acquisition services

To mediate data acquisition, three independent services can be used:

  • tiCrypt-mailbox: Allows file transfers from external users into the Vault using a web interface.
  • tiCrypt-sftp: Allows file transfers from external users using SFTP protocol.
  • tiCrypt-forms: Allows form submission (either via designed surveys or raw form data).

These services are typically deployed on public-facing servers to allow users not part of the organization to interact with tiCrypt users. All 3 services can be hosted on a single (virtual) server.

Server preparation

For deploying either the tiCrypt backend, audit, or data acquisition services, we recommend that the (virtual) servers be prepared in the following manner:

  1. Red Hat Enterprise Linux 7 or 8 or equivalent (CentOS, Springdale) is installed.
  2. Only root accounts are created. No regular users should be allowed on these servers.
  3. Adequate storage is provisioned depending on the intended use.
  4. CPU and RAM minimum requirements are met:
    • backend: 8 cores, 32 GB RAM.
    • audit: 4 cores, 16 GB RAM.
    • data: 1 core, 4 GB RAM.
  5. IP addresses and service names (internal and external) are assigned.

DNS mappings and TLS certificates

The main mechanism of communication in tiCrypt is HTTPS-based. To consolidate functionality, make extensive use of virtual hosting: multiple DNS names should map to the same physical server.

The specific mappings needed and their visibility are:

  • tiCrypt-rest: A name for the backend entry point, e.g. backend.ticrypt.myunv.edu, visible to the intended tiCrypt users and pointing to the server running the tiCrypt backend.
  • tiCrypt-audit: A name for the tiAudit instance, e.g. audit.ticrypt.myunv.edu, pointing to the server running the audit components (might be the same as the tiCrypt backend).
  • data services: three names for the three data services, e.g. mailbox.ticrypt.myunv.edu, sftp.ticrypt.myunv.edu and forms.ticrypt.myunv.edu, pointing to the server hosting the data services.

All of the above-mentioned DNS names must have matching TLS certificates. We strongly suggest the use of a multi-domain certificate for the data services (i.e. a single certificate covering all three names).
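One way to verify the DNS mappings and the exact-match certificate requirement before installing, as an added example that is not part of tiCrypt: each planned name is resolved and the certificate served on port 443 is checked for a subjectAltName entry covering that name (which also shows whether a multi-domain certificate covers all three data-service names). It assumes dig and OpenSSL 1.1.1 or newer (for "x509 -ext"); the hostnames are the page's own examples.

```shell
#!/bin/sh
# Added example, not part of tiCrypt: check that each planned DNS name resolves
# and that the certificate served on 443 lists that exact name in its
# subjectAltName (the "perfect match" required by the installation steps).
# Assumes dig and OpenSSL >= 1.1.1 (for "x509 -ext"); names are the page's examples.
set -u

# san_covers NAME SAN_LIST -> 0 if NAME is covered by a "DNS:a, DNS:b" list
# (exact match, or a single-label wildcard such as *.ticrypt.myunv.edu).
san_covers() {
    name=$1
    set -f                                   # no globbing of "*." entries
    for entry in $(printf '%s' "$2" | tr ',' ' '); do
        case "$entry" in DNS:*) host=${entry#DNS:} ;; *) continue ;; esac
        [ "$host" = "$name" ] && { set +f; return 0; }
        case "$host" in
        \*.*) # a wildcard matches exactly one leading label
            [ "${name#*.}" = "${host#\*.}" ] && [ "${name%%.*}" != "$name" ] \
                && { set +f; return 0; } ;;
        esac
    done
    set +f
    return 1
}

# check_name NAME -> resolves NAME, fetches the served certificate and reports
# whether its SAN covers NAME (needs network access to the server).
check_name() {
    name=$1
    ip=$(dig +short A "$name" | head -n 1)
    [ -n "$ip" ] || { echo "FAIL $name: no A record"; return 1; }
    sans=$(printf '' | openssl s_client -connect "$name:443" -servername "$name" 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null | tail -n +2)
    if san_covers "$name" "$sans"; then
        echo "OK   $name -> $ip (SAN: $sans)"
    else
        echo "FAIL $name -> $ip: certificate SAN [$sans] does not cover the name"; return 1
    fi
}

# Usage: sh check-names.sh backend.ticrypt.myunv.edu audit.ticrypt.myunv.edu ...
rc=0
for n in "$@"; do check_name "$n" || rc=1; done
[ "$rc" -eq 0 ] || echo "one or more names failed the check" >&2
```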

Firewall Setup

For the various services to be able to talk to each other and for users to be able to use the functionality, the following ports need to be opened (with the specified visibility):

  • tiCrypt-backend:
    • 443 (https): visible to all tiCrypt users (can be protected by the institution firewall), VM hosts, and data servers (mailbox, sftp and forms).
    • 6000-6100 (proxy): visible to all tiCrypt users. This port range is used by tiCrypt-proxy to give users access to their virtual machines.
  • VM hosts: visible exclusively to the tiCrypt backend.
    • 6000-6255: used to proxy connections to user VMs.
    • 22 (ssh): used for libvirt management and maintenance.
  • tiAudit:
    • 443 (https): visible to all users that have access to the audit facility (not necessarily tiCrypt users).
    • 25000: visible to the tiCrypt backend server (used to publish new logs).
  • data services:
    • 443 (https): visible to the entire world (placing this behind an institutional firewall diminishes its usefulness).
    • 22 (ssh): visible to the entire world. Used by the tiCrypt-sftp service; does not provide access to the underlying OS.
    • 2022 (ssh): for management purposes, the real SSH server should be bound to this port. Visibility should be restricted to admins.

Note on VM Hosts

The user VMs run on VM Hosts and pose the largest security risk. The VM Hosts need to be protected by a separate firewall making them visible only to the tiCrypt backend server and never to any direct user communication. Only administrator and service accounts should be created on these servers (no regular user accounts).
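The port and visibility list above, together with the VM host rule in this note, expressed as firewalld commands for one server role. This is an added example, not tiCrypt's own tooling; it assumes firewalld on RHEL 7/8, that BACKEND_SRC is the tiCrypt backend server's address and ADMIN_SRC the administrators' network, and it restricts OS-level SSH to ADMIN_SRC on the backend and tiAudit servers, which the page states explicitly only for the data servers (port 2022).

```shell
#!/bin/sh
# Added example, not part of tiCrypt: print (or, with --apply, run) the
# firewalld commands that implement the port/visibility list above for one
# server role. Assumed inputs: BACKEND_SRC = address/CIDR of the tiCrypt
# backend server, ADMIN_SRC = administrators' network. Needs firewalld (RHEL 7/8).
set -eu

# Accept PORT/tcp from everywhere ("visible to the entire world" / all users).
open_world() { echo "firewall-cmd --permanent --add-port=$1/tcp"; }

# Accept PORT/tcp only from SRC, via a firewalld rich rule in the default zone.
allow_from() {
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept'\n" "$1" "$2"
}

# rules_for_role ROLE BACKEND_SRC ADMIN_SRC -> one firewall-cmd line per rule.
# The default public zone opens ssh to everyone; it is removed so OS-level SSH
# is reachable only from the sources listed (assumption for backend/tiaudit).
rules_for_role() {
    backend=$2 admin=$3
    echo "firewall-cmd --permanent --remove-service=ssh"
    case "$1" in
    backend)   # users, VM hosts and data servers reach 443; users reach the proxy range
        open_world 443; open_world 6000-6100
        allow_from "$admin" 22 ;;
    vmhost)    # visible exclusively to the tiCrypt backend server
        allow_from "$backend" 6000-6255
        allow_from "$backend" 22 ;;
    tiaudit)   # 443 for audit users; 25000 only for the backend publishing logs
        open_world 443
        allow_from "$backend" 25000
        allow_from "$admin" 22 ;;
    data)      # 22 is tiCrypt-sftp (world); the real sshd on 2022 is admin-only
        open_world 443; open_world 22
        allow_from "$admin" 2022 ;;
    *) echo "unknown role: $1 (backend|vmhost|tiaudit|data)" >&2; return 1 ;;
    esac
    echo "firewall-cmd --reload"
}

# Usage: sh ticrypt-fw.sh ROLE BACKEND_SRC ADMIN_SRC [--apply]
if [ $# -ge 3 ]; then
    if [ "${4:-}" = "--apply" ]; then
        rules_for_role "$1" "$2" "$3" | sh -x
    else
        rules_for_role "$1" "$2" "$3"
    fi
fi
```

Run it once per server with the role that server plays; without --apply it only prints the commands so they can be reviewed against the list above first.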


tiCrypt Backend Installation Steps

No.  Action               Notes
1.   Download             Documentation
2.   Assign               Public IP for backend server (visible by intended users)
3.   Assign               Public fully qualified name with DNS binding to IP
4.   Generate             TLS certificate for name (needs perfect match)
5.   Create               Logos for deployment and host somewhere
6.   Request              Deployment file bound to name from Tera Insights
7.   Download
8.   Install              RPMs in tgz archive (Section 2.2)
9.   Set up               Firewall (Section 2.3)
10.  Install              Nginx
11.  Configure            Nginx (Section 2.4) using name + TLS certificate
12.  Install              MongoDB (version 4.2 or higher)
13.  Configure            tiCrypt-auth service (Chapter 4)
14.  Configure            tiCrypt-rest service (Section 3.2)
15.  Configure            tiCrypt-file-manager service (Section 3.3)
16.  Configure            tiCrypt-storage service (Section 3.4)
17.  Configure            tiCrypt-proxy service (Section 3.5)
18.  Configure            tiCrypt-logger service (Section 3.6)
19.  Configure            tiCrypt-stats service (Section 3.7)
20.  Configure            tiCrypt-notifications service (Section 3.8)
21.  Configure            tiCrypt-maintenance service (Section 3.9)
22.  Configure            tiCrypt-vm service (Chapter 5)
23.  Create               VM images (see )
24.  Download
25.  Install & Configure  VM Controller (Chapter 6)
26.  Register             The first account using the tiCrypt frontend; it becomes SuperAdmin

tiCrypt Frontend Installation Steps

No.  Action               Notes
1.   Distribute
2.   Distribute           Deployment file (generated by Tera Insights)
3.   Register             New accounts
4.   Manage               tiCrypt through the web interface

tiCrypt Audit Installation Steps

No.  Action               Notes
1.   Download             Documentation
2.   Assign               Public IP for audit server (visible by intended users)
3.   Assign               Public fully qualified name with DNS binding to IP
4.   Generate             TLS certificate for name (needs perfect match)
5.   Install              Nginx (if needed, Section 2.1)
6.   Configure            Nginx domain (Section 3.7)
7.   Install              ClickHouse (Section 2.1.3)
8.   Install              MaxMind GeoIP2 database (if geo-location is desired, Section 2.1.4)
9.   Download
10.  Install              tiCrypt Audit (Section 2.2)
11.  Configure            tiCrypt Audit (Chapter 3)
12.  Load                 Existing logs (Section 3.8)
13.  Create               First user (will be admin, Section 3.9)

tiCrypt Mailbox Installation Steps

No.  Action               Notes
1.   Download             Documentation
2.   Assign               Public IP for mailbox server (visible to the entire Internet, unrestricted)
3.   Assign               Public fully qualified name with DNS binding to IP
4.   Generate             TLS certificate for name (needs perfect match)
5.   Install              Nginx (if needed, Section 2.1.1)
6.   Configure            Firewall (Section 2.2.2)
7.   Download
8.   Install              tiCrypt mailbox (Section 2.1.3)
9.   Configure            tiCrypt mailbox (Section 2.2)
10.  Configure            Nginx domain (Section 2.2.3)