SecureAnyBox - Support

Installation on Linux

Linux Standard Base (lsb) have to be installed, otherwise the SecureAnyBox can’t be registered for automatic start. Linux Standard Base is available through various online repositories like: https://software.opensuse.org/package/lsb
The installation procedure depends on your distribution, it can be for example sudo yum install lsb. If you decide not to install lsb or it is not available for your system, you still can register the starting script manually. We always create it in /etc/…

We don’t support other JVMs than Oracle Java. Tested and approved Oracle JVM is always a part of the installation package. You can install Oracle JVM manually, locate and use existing installation or choose private Oracle JVM installation. In order to use other than default JVM, just choose the Private Java option when you start the installation script.
Default installation path is /opt/tdp/secureanybox, but you can choose whatever path/device you need.

Installation script then needs IP address and port – this can be changed later, but you have to choose address:port combination which will not cause any conflict with other services running on the box. Thus we recommend starting with the default port. Once you enter the management console, you can change it or add more interfaces on different address:port combinations. If a conflict will be detected, the system reverts to the last “good” configuration which allows you to continue.

It is highly recommended to switch to SSL (https) as soon as possible. You can either use a built-in function for generating a self-signed certificate or you can import your existing certificate with a private key (usually available in PKCS12 format). Please keep in mind, that interfaces are virtualized – it is necessary to set both IP address and URL otherwise system is not able to accept a request.

In a case of upgrading the SecureAnyBox, the same installation script is used. Please confirm the same installation path like before and choose the default option NOT to overwrite the configuration file.

Upgrade on Linux

SecureAnyBox upgrade is provided by the installation script which is a part of the new release package downloaded from the website. Download the .bin package from the Downloads section at www.secureanybox.com. Then start the installation by ./inst_secureanybox…

Upgrade on Linux - step 1

If your installation is standard with the embedded Oracle Java (recommended), answer No.

Upgrade on Linux - step 2

Then the script gets the path used for the previous installation and offers it as default. Confirm this
path because this is upgrade and the goal is to upgrade the existing installation – running instance.

Upgrade on Linux - step 3

The configuration.properties file must be preserved in order to upgrade the running system.
Confirm default answer N = not to overwrite

Upgrade on Linux - step 4

Now you are ready to start the new installed release – it will stop SecureAnyBox and run it again. Once the new release is running, it will convert the database (if alteration is a part of the upgrade) seamlessly.
Don’t miss to authenticate to the system console and enter the configuration password if applied – otherwise agent support will not work.

Upgrade on Linux - step 5

Initialization of admin

After successful installation, the SecureAnyBox starts and the initialization page displays. In order to login into a web interface, is required to set admin password first.

Init Admin

In a field Security Code is prefilled unique code for your installation.

While entering the password, you can see how long your password is, how many lowercase letters, uppercase letters, numbers or other symbols password contains and how secure your password is.

The password has to be confirmed by clicking on the OK button. After confirming the password, the login page displays.

First login

In order for a user to log into SecureAnyBox, the user needs to be created and has a password entered.
If more than one domain is specified, the user must also enter the domain name when logging in.

Login page

Only one domain is set. In order to log in SecureAnyBox, only username and password are required.

More than one domain set. In order to log in SecureAnyBox, it is necessary to enter a domain name too.

After entering the login credentials, a page for setting an access code displays. The access code is used to decrypt secured information (such as passwords, certificates) and to confirm changes.

While entering the access code, you can see how secure your access code is and also how many of required characters you are using.

New Access Code

1. Actual/required length of access code

2. Actual/required number of lowercase letters

3. Actual/required number of uppercase letters

4. Actual/required number of numbers

Requirements to characters of the access code can be changed in a configuration.

After the access code is set, the page automatically redirects to the root level of Safe Boxes.

How to set automatic login of default user by SecureAnyBox Agent

Automatic login by SecureAnyBox can be set for station default user only. Other users have to log in manually. This setting can be convenient for stations on which works more than one user, but the station primarily is used by a user with the lowest permissions. That user can be set as default and will automatically log on.

In order to set automatic login SecureAnyBox Agent on stations, please follow these steps:

Create Agent Configuration, where will be settings for all platforms of stations, on which you want install SecureAnyBox Agent.

At the Downloads page, please select appropriate Agent Configuration and download the SecureAnyBox Agent and it’s configuration.

Install SecureAnyBox Agent on a station.

If in the Agent Configuration is set to change the password of a group, is necessary to have set local users group in which will be all users, who will be able to obtain the password from SecureAnyBox. Default user has to be set as one of them.

Please set default user on your station.

After the restart of the station, the first automatic login should go through – the SecureAnyBox Agent sets the user’s password and changes it in the registers where the automatic login is stored. Password for default user can be obtained in SecureAnyBox at the Get Password page as for any other user.

Updating a password for default user in Active Directory domain

In a case, that same default user is set on more than one station, it is convenient to set changing a password for default user in Active Directory domain. When all is set correctly, after the change of password of LDAP user, SecureAnyBox LDAP Agent checks all registered stations and where the user to whom the password changed is set as default, the SecureAnyBox LDAP Agent changes a password for the station.

To update a password for default user in Active Directory domain, please follow these steps:

Set Agent configuration for stations. In Agent configuration for LDAP platform set field Change password of to value default users in domain .

Default user in domain

If you not have set App URL in general configuration of SecureAnyBox, is necessary to set it in the Agent Configuration. App URL have to be accessible from the internet (out of local network). Without setting of App URL, the SecureAnyBox Agent can have problems with connection to SecureAnyBox server.

Configure LDAP Agent. In LDAP Agent select Active Directory as Directory service and prepare Active Directory server.

Active Directory value in LDAP Agent form

Into LDAP Agent select the Agent Configuration, which you created in the first step.

Into a field Default user domain enter Active Directory domain name into which default user belongs, and if necessary, modify the User id attribute . Please configure other required values in LDAP Agent form and create LDAP Agent by clicking on the OK button. To apply the LDAP Agent is necessary restarting SecureAnyBox.

At the Downloads page, please select the Agent Configuration created in a first step and download the SecureAnyBox Agent and it’s configuration.

Please set default user on your station.

Install SecureAnyBox Agent on a station.

After successful installation of SecureAnyBox Agent, a station should be automatically registered in the SecureAnyBox. Please check at the Stations page, that registration of the station ran successfully.

Registered station

While registering, the SecureAnyBox Agent (for Windows) if the default user is enabled, sends default user information when registering (including domain if it is a domain user). If the default user is a domain user, the SecureAnyBox Agent does not set the password – because it does not have permission to change the password of a domain user. In that case, a password of a domain user is set by the LDAP Agent.

The LDAP Agent scans all registered stations and retrieves from them default users whose domain is the same as default user domain specified in the LDAP Agent configuration. LDAP Agent generates and sets new passwords for these default users. This process takes place when you start the SecureAnyBox server, then every hour and after click on the Execute button.

Automatic authentication to KeyShield SSO

Depending on your configuration, users can be authenticated via KeyShield SSO. For automatic authentication is necessary to install KeyShield SSO client on station.
Instructions for unattended installation are at KeyShield_server/static/kshield_msi.page. For manual installation/configuration please follow screenshots:

KeyShield SSO Installation 1

KeyShield SSO Installation 2

KeyShield SSO Installation 3

The OES client for Windows integration works in a similar manner like former ClientTrust for BorderManager – KeyShield server creates a token and stores it as a value of attribute of the user’s object. KeyShield client reads the value through the OES client for Windows API, uses it as a challenge, generates a response and sends it to the KeyShield server. Then the KeyShield server validates it and if OK, accepts the client authentication request and sends confirmation back to the client. Client changes color of the icon in the task bar to green in order to inform the user that authentication is done. Here is the related setting in the related eDirectory connector of the KeyShield server (keep in mind, you can use as many eDirectory trees, AD forests, etc. as you need at the time).

KeyShield SSO Installation 4

This is so called custom setup but it is not necessary. The best practice is to let the KeyShield server to configure eDirectory connector automatically by choosing.

First enter Connector ID and provide LDAP server IP and port

KeyShield SSO Installation 5

Then click “Create KeyShield SSO objects”

KeyShield SSO Installation 6

KeyShield SSO will create own mgr account (proxy account used to access eDirectory), extend schema by auxiliary class (can be removed) for tokens and assign minimum access rights the mgr account needs.

Once you are done with this setting, the automatic authentication with the OES client for Windows should work. If not, consult Diagnostic log.

Installation of SecureAnyBox Agent on MAC OS

To install SecureAnyBox Agent on MAC OS platform, please run installer (secureanybox-agent-1.x.pkg).

When installer started, please continue with installation steps. At the second step, it is necessary to select a destination (disk) where the SecureAnyBox Agent installs.

At the third step of the installer, it is possible to change an install location, by clicking the appropriate button ( 1). To proceed the installation, please click the Install button ( 2)

SAB Agent Installator

After clicking the Install button, it is necessary to enter user password to allow the installation.

Enter the password to allow the installation

Once the installation finished, information about the successful installation of the SecureAnyBox Agent is displayed.

Enter the password to allow the installation

When installer closed, please go to the Launchpad where you can find the sab-config application.

sab-config application

Start the application by double click on its icon. When the application starts, please select downloaded configuration file by clicking on the button ( 3). Once the configuration file selected, apply it by clicking appropriate button ( 4).

Select and apply the configuration

In order to apply the configuration it is necessary to enter your password.

Enter your password to apply the configuration

After the configuration was updated, information about it displays and SecureAnyBox agent is successfully installed.

Configuration updated

After the installation complete, SecureAnyBox Agent verifies that the applied Agent Configuration matches the configuration on the SecureAnyBox server. If so, the station will be registered automatically (it might take 10 minutes). If the SecureAnyBox Agent does not have access to the server, it is possible to register the station manually.

Import certificate on MS Windows

Importing the certificate is necessary for automatic registration of the station into SecureAnyBox via HTTPS protocol.

To import the certificate please follow these steps:

Click Start and into Windows search field please enter “mmc” ( 1) and click on the program in the search results ( 2).
Start Menu after searching for "mmc"

In the Console window, please click the File ( 1) -> Add/Remove Snap-in( 2).
"Microsoft Management Console window"

Select Certificates ( 1) in the left panel and click Add ( 2) to move a selection into the right panel. Then click OK button ( 3).
Add or Remove Snap-Ins window

In the Certificates snap-in window, select Computer account option ( 1) and click Next button ( 2). At the next window click Finish button ( 3).
Settings of Certificate Snap-In

In the Add or Remove Snap-ins window click OK button ( 1).
Add or Remove Snap-Ins window after certificate added

In the Console window expand Certificates and right click Trusted Root Certificates -> All tasks -> Import
Import Certificate

In Certificate Import Wizard window click Next ( 1), and at the next screen please select certificate to import ( 2). When certificate select, please click Next ( 3).
CertificateImportWizard

Please enter the certificate password ( 1) and click Next ( 2) and at the next windows click Next ( 3) and Finish ( 4).
CertificateImportWizard
CertificateImportWizard

After import completed, the station should be registered into SecureAnyBox automatically (it may takes 10 minutes). For immediate registration, you can restart SecureAnyBox agent service.

Import certificate on Mac OS

To install certificate on a Mac platform, please download the certificate on your station and follow these steps:

To open Keychain Access, start by clicking on Go in the Finder menu and the select Utilities.

When the Utilities window opens up, look for and click on the icon named Keychain Access.
Note: Alternatively, you can open the Keychain Access by typing “Keychain Access” in the Spotlight search field at the top.

In the Keychains window select System.

Within the Keychain Access menu select File > click Import Items.

Browse to the .p12 or .pfx file that you want to import and open it.

Enter your admin password to authorize the changes and click Modify Keychain.

Enter the password that you entered when you created your .p12 or .pfx file.

Your SSL certificate should now be installed and the station should be automatically registered.