As we mentioned above, you are free to name your Symphony service the way you want. In this guide, we will use the following representation to indicate your pod’s name:

<OrgName>. Symphony.com

Some screenshots may also use:

qa.Symphony.com

In either case, you should substitute the name you have selected for your Symphony service.

Finally some examples in the LDAP Sync section use “fakecorp” to represent your company name and this should be changed to the name used in your corporate directory service.

During the creation of your pod (your company’s dedicated Symphony cloud service) we provisioned the following items:

1. The FQDN (domain name) for your pod

2. The associated IP address range

3. The credentials for your Super Admin account

4. Credentials for the Super Compliance Officer account

You should have received all of the relevant details in an email from Symphony Global Services.

Please locate this email and follow the instructions it contains.

You should have the latest version of the Google Chrome browser running on Windows, Mac or Chromebook computers or Internet Explorer (IE) 11.

Please configure your firewall to allow the URLs and port numbers listed below. These values are provided as guidelines only. The actual names will be aligned with the service name you selected for your pod:

https://<OrgName>.symphony.com port 443

http://<OrgName>.symphony.com port 80

https://s3.amazonaws.com/user-pics-demo port 443

https://resources.symphony.com port 443

To confirm that the firewall is open, testing each link will either result in a Symphony Login page or a 500 error confirming that the server was reached and responded. You should now be able to start managing your pod.

We use Amazon Simple Email Service (Amazon SES) to send application transaction emails.

To avoid any spam filtering of Symphony application emails:

• Whitelist the FROM address: no-reply-<OrgName>@symphony.com in your corporate email system.

• Make sure that emails from the following IPs are not blocked by your spam filters:

  • 199.255.192.0/22

    199.127.232.0/22

    54.240.0.0/18

For more information about AWS SES and DKIM features, visit:

• http://sesblog.amazon.com/blog/tag/SPF

• http://sesblog.amazon.com/post/TxEH4YOF3YJG0L/Amazon-SES-IP-addresses

• http://docs.aws.amazon.com/ses/latest/DeveloperGuide/easy-dkim.html

We use the CAPTCHA mechanism to ensure a live person is using <set password>. Please allow access to: www.google.com/recaptcha

You can read more about configuring firewalls to support CAPTCHA at: https://code.google.com/p/recaptcha/wiki/FirewallsAndRecaptcha

Don’t forget to make sure you have set user as active. Otherwise the account will be created in your Symphony pod but the user will not be able to log in. There may be occasions when you will want to do that in the future – but for now, we need an active admin account.

Depending on what you selected, you’ll see one of the following:

1. Email Link:

2. Password set manually:

3. If you entered an invalid password:

The username is the name you assigned when you created the account. Please make sure to communicate to the user what their username is.

Admins cannot use SSO to log in to the Admin Portal. They must always use a password.

As shown in the diagram below, the key manager and Software SM are hosted in a customer- controlled Virtual Private Cloud (VPC). This has the advantage of being the easiest deployment option as Symphony will carry out the installation and configuration on behalf of the customer. However, Option 1 should be considered a temporary less secure solution on the way to a full HSM deployment.

Option 2 is similar to Option 1, but this time the Software SM and Key Managers are installed on the customer premises. Notice that both applications are downloaded together from the Symphony Admin Portal and installed on the same server. Customers will typically deploy multiple key manager / Software SMs for resiliency.

In Option 3, the customer deploys SafeNet Luna SA 7000 HSMs – at least two, as well as matching Key Managers. It is also advisable for customers to deploy a backup device for storing keys, as well as a PIN Entry Device (PED) or Remote PED. These are all available from SafeNet and we provide ordering information later in the document. This architecture provides the highest level of reliability, security but it is also the most complex to install – we recommend that customers include a SafeNet installation with their purchase.

Later in this document we describe how to order, install and configure the HSM as part of an Option 3 installation. First however we will focus on the Symphony Key Manager.

Load balancers can be used to front-end multiple key managers and HSMs (hard or soft) in order to protect against a failure of any single system. Later in these instructions we will describe how the address or hostname of the Key Manager must be configured into the Symphony desktop clients using the admin portal. Note: if a load balancer is used, then the address configured in the Symphony Admin Portal should be that of the load balancer rather than the Key Manager servers themselves.

The Key manager server should have the following characteristics:

• 6 GB of memory should be made available to Key Manager and Software SM.  It is more likely to be CPU-bound than memory-bound. (see note below)

• CPU cores: 4

• Disk 250 GB

• Operating System: Linux RHEL 6.5 or higher or CentOS 7.1 (used in our example below)

• Privileges: root access is required to install the Symphony RPM

• JVM: Java 7 Standard Edition, Enterprise Edition - a Java development kit (JDK) is recommended – you should create an environment variable pointing to your JDK. Example: JAVA_HOME="/usr/java/jdk1.7.0_55/"

• Install JCE extensions for JDK or JRE

• JVM 64-bit is recommended

• Virtual Servers: both on-premises and cloud-hosted are supported

• Install Java Cryptography Extension (JCE)

  • Go to http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html,

  • accept the license agreement and download "Java Cryptography Extension (JCE) Unlimited

  • Copy this package to the server where you will run KeyManager and unzip it. UnlimitedJCEPolicyJDK7.zip contains 3 files

    1. local_policy.jar

    2. README.txt

    3. US_export_policy.jar

  • Copy local_policy.jar and US_export_policy.jar to one of the following:

    • JDK installation: $JAVA_HOME/jre/lib/security

    • JRE installation: $JAVA_HOME/lib/security

• If you plan to use the Safenet luna SA HSM, you need to install the HSM client on the key KeyManager. We describe how to do this in the HSM installation section.

  centos@Dev8 - HSMControl2:~ $ vtl verify
  The following Luna SA Slots/Partitions were found:
  Slot          Serial #    Label
  ====          ========    =====
   1            472949007   hapg-8f56e43a_472949

• You will need to define your Key Manager domain name and communicate this to Symphony – please contact your account engineer or Symphony support.

  keymanager domain name/potential keymanager domain name.

  Sample: mykeymanager.com

  -Dsession.cookie.domain=.pubmy.mykeymanager.com \
  -Daccess.control.allow.origin=symphony.com,mykeymanager.com \
  -Dhost.name=pubmy.mykeymanager.com \

• java tomcat.keystore file with passwords for the keystore. It should contain an RSA private key under the “tomcat” alias. Sample: keystorePassword=changeit, truststorePassword=changeit

  -Djavax.net.ssl.keyStore=$DATA_BASE/certs/tomcat.keystore \
  -Djavax.net.ssl.keyStorePassword=password \

  By default java uses .$JAVA_HOME/jre/lib/security/cacert truststore. But we can use a custom one.

  -Djavax.net.ssl.trustStore=$DATA_BASE/certs/tomcat.keystore \
  -Djavax.net.ssl.trustStorePassword=password \

Software SM file(hsm.jck) and password for it. Or Luna SA HSM with bootstrapped keys in it(use wenger tools to bootstrap hsm and follow the admin guide).

Sample Luna HSM mode settings:

"mode": "HSM",
"partitionName": "ha-mk2015-1",
"ha-mk2015-1": "Xmp9mcupFNw6QGcKdbn2WEudAq4CwD", 
"ha-mk2015-2": "Xmp9mcupFNw6QGcKdbn2WEudAq4CwD",

Software SM mode settings

"mode": "Software SM",
"keystorePassword": "Xmp9mcupFNw6QGcKdbn2WEudAq4CwD",
"keystoreName": "hsm.jck",

General KM configuration. Get the following from ES/Security team(it will be on admin page later):

symphony pod base URL. Sample: qa3.symphony.com

"applicationurl": "https://qa3.symphony.com/client/index.html", 
"baseurl": "https://qa3.symphony.com",
"loginbaseurl": "https://qa3.symphony.com",

KeyManager shared secret key(you can get it from admin page):

Sample: 

"secret": "RAr67in5QhTWAS7q98PfdeVE/xLGboCo3g/+iLQ5gvY="

Keymanager entity key.

Sample: 

"enablekeymanagersession" : "true",
"sessionencryptionkey": "kxHpEh3ddcjNrxOXpuSbR5fvNUh8yl21/mmS5W

CentOS Installation: the Community Enterprise Operating System or CentOS is a Linux distribution that attempts to provide a free, enterprise class community-supported computing platform. We will install the Full ISO image of CentOS version of Linux (v7.1). Note that the full ISO image comes equipped with Java SDK version 1.7 and GNOME. To check the version of Java installed, use the following command.

$:> java –version

Using the browser on your new Key Manager server:

• Log in to the Admin Portal and select Create a User from the left Nav. in the user detail, select Service Account (see the section on managing Service Accounts). We named our account “keymanager”.

• Copy and store the system-generated security key (you will need this for configuring your Key Manager)

We package keymanager rpm's in *.zip, which includes:

• on-prem-keymanager-0.11.2.zip

  • wenger.tar.gz

  • symphony-external-relay-centos65-0.11.2-22.x86_64.rpm

  • symphony-external-relay-centos70-0.11.2-22.x86_64.rpm

  • tomcat-8.0.24-13.x86_64.rpm

• 2 versions of keymanager's rpms(one for rhel 6.0 - 6.9 and one for rhel 7.0 +)

• The latest version of tomcat we support and an internal services tool called "wenger" needed to bootstrap keys in the HSM.

Select DOWNLOAD option located in the left navigation pane of the Symphony Admin Portal and download the Key Manager file. The download is comprised of 4 individual components – Tomcat, Key Manager, Software SM and the Wenger tool used to bootstrap encryption keys. Installation instructions for these files are provided later in the document.

Once the Key Manager has been downloaded, we can begin the installation.

Now run the following command

Go to http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html, accept the license agreement and download "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7” (UnlimitedJCEPolicyJDK7.zip)

Copy this package to the server where you will run KeyManager and unzip it.

UnlimitedJCEPolicyJDK7.zip contains 3 files

1. local_policy.jar

2. README.txt

3. US_export_policy.jar

Copy local_policy.jar and US_export_policy.jar to one of the following:

• JDK installation: $JAVA_HOME/jre/lib/security

• JRE installation: $JAVA_HOME/lib/security

java.security.InvalidKeyException: Illegal key size

If you have already installed your Key Manager and are adding the JCE in a different order, then you need to restart Tomcat.

Install the tomcat and keymanager RPMs that were downloaded. You can use either the sudo or rpm commands as follows

$:> sudo rpm -i tomcat-7.0.61-9.x86_64.rpm
$:> sudo rpm -i keymanager-centos65-0.7.0-49.x86_64.rpm

Create a new directory for the wenger installation and unzip the wenger installation. The wenger installation is named wenger.tar.gz.

$:> mkdir wenger
$:> tar –xvf wenger.tar.gz

For each Symphony on-prem Java-based application (Key Manager, Content Export Bridge, Directory Bridge), we use a tomcat.keystore file as a javax.net.ssl.keyStore value. This file has to contain the full chain of trust so that we can rely on built-in CA bundles, which contain a list of major CA companies, to verify our wildcard certificate.

To import the full chain of trust into the tomcat.keystore perform the following steps

1. Concatenate the RSA private and public keys in PEM format within a single file (symphony-pair.PEM):

   $:> cat symphony-private.pem symphony-public.pem > symphony-pair.pem

2. Concatenate the of CA chain in PEM format within a separate file

   $:> cat symphony-chain.pem gdroot-g2.crt > symphony-ca-chain.pem symphony-chain.pem - GoDaddy G2 intermediate certificate gdroot-g2.crt - GoDaddy G2 root certificate

3. Export results of 1 and 2 into PKCS#12 format (providing alias!). The System will ask you to provide a password, you should use the one used by the tomcat.keystore4. Import results of 3 into the tomcat.keystore

   $:> openssl pkcs12 -export -in symphony-pair.pem -certfile symphony-ca-chain.pem -out symphony-full-chain.p12 –name tomcat

4. Import results of 3 into the tomcat.keystore

   $:> keytool -v -importkeystore -srckeystore symphony-full-chain.p12 -srcstoretype PKCS12 -destkeystore tomcat.keystore -deststoretype JKS

To verify that the new keystore works as expected we created a simple servlet. We configured Tomcat to serve HTTPS using a keystore file constructed in the way described above. We launched this Tomcat on a development server with a public CNAME in the *.symphony.com domain.

We created the following validation curl script:

[centos@centos-vm ~]$ curl -v https://dev8-ausw2-all.symphony.com:8443/hello/helloworld
* About to connect() to dev8-ausw2-all.symphony.com port 8443 (#0)
* Trying 52.11.157.17...
* Connected to dev8-ausw2-all.symphony.com (52.11.157.17) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* subject: CN=*.symphony.com,OU=Domain Control Validated
* start date: Sep 24 21:52:38 2015 GMT
* expire date: Oct 10 20:22:07 2017 GMT
* common name: *.symphony.com
* issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> GET /hello/helloworld HTTP/1.1
> User-Agent: curl/7.29.0
> Host: dev8-ausw2-all.symphony.com:8443
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Content-Length: 13
< Date: Tue, 06 Oct 2015 03:20:37 GMT
<
Hello world!
* Connection #0 to host dev8-ausw2-all.symphony.com left intact
[centos@centos-vm ~]$

Using the code snippet above, we were able to establish an HTTPS connection and receive the response shown below:

Depending on whether you’re configuring a Software SM or a full HSM, you will use different steps to bootstrap the encryption keys. Please ensure you are using the instructions that relate to your installation.

Please skip this step if Symphony is already managing your Software SM in the Symphony cloud service. Please contact Symphony global services to arrange the transfer of your Software SM and related configuration files.

Navigate to the $Wenger/conf directory. Here you should create a new JSON file and name it keymanager_conf.json (this file was previously called relay_conf.json). You can do this using the following command –

$:> vim keymanager_conf.json

To bootstrap a Software SM you should have following set of values. Insert the following piece of code into the newly created JSON file.

{
	"relay": {
		"mode": "Software SM",
		"keystorePassword": "soft_hsm_password", "keystoreName": "<env>-hsm.jck",
		"account": "keymanager",
		"secret": "keymanager_shared_secret_key", "storagePassword": "session_storage_password", "secureDir": "/data/tomcat/secure/", "entityKey": "entity_key"
	},
	"companyurls": {
		"applicationurl": "https://<env>.symphony.com/client/index.html", "baseurl": "https://<env>.symphony.com",
		"loginbaseurl": "https://<env>.symphony.com",
		"keymanagerurl": "https://<env>.symphony.com/relay"
	},
	"ssoconfig": {
		"idp.entityid": "http://sso- <env>.symphony.com/adfs/services/trust",
		"sp.entityid": "https://<env>.symphony.com", "idp.ssoendpoint": "https://sso-<env>.symphony.com/adfs/ls", "sp.acsurl": "https://<env>.symphony.com/relay/sso/acs", "idp.signingcertificate": "sso-<env>.symphony.com.cer", "ssoenabled": "false"
	},
	"sessionmanagement": {
		"disableSkeyauthentication": "false", "sessionencryptionkey": "session_encryption_key"
	} 
}

Ensure that the Luna HSM has been configured before beginning the bootstrapping process for Luna HSM. Also ensure that the HSM client (installed on the Key Manager) has been configured, using the “vtl verify” command. The configuration procedure and the usage of the “vtl verify” commands are provided later in the document. Finally ensure that the wenger tool is installed on the Key Manager server.

Navigate to the $Wenger/conf directory. Here you should create a new JSON file and name it keymanager_conf.json. You can do this using the following command –

$:> vim keymanager_conf.json

Insert the following piece of code into the newly created JSON file.

{
	"relay": {
		"mode": "HSM",
		"partitionName": "partition_name_for_luna_hsm_only", "ha-mk2015-1": "partition_password_for_luna_hsm_only",
		Administration Guide – Enterprise / Business Version 33 23-May-2016
         
		"account": "keymanager",
		"secret": "keymanager_shared_secret_key", "storagePassword": "session_storage_password", "secureDir": "/data/tomcat/secure/", "entityKey": "entity_key"
	},
	"companyurls": {
		"applicationurl": "https://<env>.symphony.com/client/index.html", "baseurl": "https://<env>.symphony.com",
		"loginbaseurl": "https://<env>.symphony.com",
		"keymanagerurl": "https://<env>.symphony.com/relay"
	},
	"ssoconfig": {
		"idp.entityid": "http://sso- <env>.symphony.com/adfs/services/trust",
		"sp.entityid": "https://<env>.symphony.com",
		"idp.ssoendpoint": "https://sso-<env>.symphony.com/adfs/ls", "sp.acsurl": "https://localhost.symphony.com:8443/relay/sso/acs", "idp.signingcertificate": "sso-<env>.symphony.com.cer", "ssoenabled": "false"
	},
	"sessionmanagement": {
		" disableSkeyauthentication": "false", "sessionencryptionkey": "session_encryption_key"
	} 
}

Assuming you have configured the keymanager_conf.json file correctly for you installation, you can now edit the $WENGER/conf/ServiceConfigurationClient.properties file.

To configure Wenger to work with a local file, input the following code snippet:

#Backend configuration data storage, e.g. ZooKeeper, Memory, File 
#ConfigSource=ZooKeeper
ConfigSource=File 
FileConfigSourceLocation=$WENGER/conf/keymanager_config.json

The code snapshot looks as follows:

Now run the following command to bootstrap the encryption keys.

$:>/sbin/wenger.sh hsm-bootstrap -resultDir /home/Sidv100

where resultDir is an output directory for *.jck file in case of Software SM.

Once the command has been successfully executed, you will see the following screenshot.

You should also be able to navigate to the resultDir folder and see that the *.jck file has been created.

Some organizations may prefer to use an internally approved version of Tomcat. This option will be supported in a future release and customers should work closely with Symphony Global Services to ensure that the internally approved version is compatible with the Key Manager.

#!/usr/bin/env bash
DATA_BASE="/data/tomcat/"
CATALINA_BASE="/opt/tomcat/"
JAVA_HOME="/usr/java/jdk1.7.0_55/"
CATALINA_OPTS="-server -Xms5048m -Xmx5048m -XX:MaxPermSize=256m \
-Djava.util.logging.config.file=$DATA_BASE/config/logging.properties \
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
-Djava.endorsed.dirs=$CATALINA_BASE/endorsed \
-classpath $CATALINA_BASE/bin/bootstrap.jar:$CATALINA_BASE/bin/tomcat-juli.jar \
-Dcatalina.base=$CATALINA_BASE \
-Dcatalina.home=$CATALINA_BASE \
-Djava.io.tmpdir=$CATALINA_BASE/temp \
-Dsession.cookie.domain=.pubmy.mykeymanager.com \
-Daccess.control.allow.origin=symphony.com,mykeymanager.com \
-Djava.library.path=$CATALINA_BASE/native/ \
-Djavax.net.ssl.keyStore=$DATA_BASE/certs/tomcat.keystore \
-Djavax.net.ssl.keyStorePassword=password \
-Djavax.net.ssl.trustStore=$DATA_BASE/certs/tomcat.keystore \
-Djavax.net.ssl.trustStorePassword=password \
-Dserver.port=8443 \
-Dajp.port=8009 \
-Dserver.command.port=8005 \
-Ddisable.ib=true \
-Dhost.name=host.domain.com \
-Dmax.threads=3000"
PATH=$JAVA_HOME/bin:$JAVA_HOME/jre:$PATH

Dproxy.uri=http:proxy.<Domain>.com:8080

{
	"relay": {
		"mode": "Software SM",
		"keystorePassword": "soft_hsm_password", "keystoreName": "<env>-hsm.jck",
		"account": "keymanager",
		"secret": "keymanager_shared_secret_key", "storagePassword": "session_storage_password", "secureDir": "/data/tomcat/secure/", "entityKey": "entity_key"
	},
	"companyurls": {
		"applicationurl": "https://<env>.symphony.com/client/index.html", "baseurl": "https://<env>.symphony.com",
		"loginbaseurl": "https://<env>.symphony.com",
		"keymanagerurl": "https://<env>.symphony.com/relay"
	},
	"ssoconfig": {
		"idp.entityid": "http://sso- <env>.symphony.com/adfs/services/trust",
		"sp.entityid": "https://<env>.symphony.com", "idp.ssoendpoint": "https://sso-<env>.symphony.com/adfs/ls", "sp.acsurl": "https://<env>.symphony.com/relay/sso/acs", "idp.signingcertificate": "sso-<env>.symphony.com.cer", "ssoenabled": "false"
	},
	"sessionmanagement": {
		"enablekeymanagersession": "false", "sessionencryptionkey": "session_encryption_key"
	}
}

{
	"relay": {
		"mode": "HSM",
		"partitionName": "partition_name_for_luna_hsm_only", "ha-mk2015-1": "partition_password_for_luna_hsm_only", "account": "keymanager",
		"secret": "keymanager_shared_secret_key", "storagePassword": "session_storage_password", "secureDir": "/data/tomcat/secure/",
		"entityKey": "entity_key"
	},
	"companyurls": {
		"applicationurl": "https://<env>.symphony.com/client/index.html", "baseurl": "https://<env>.symphony.com",
		"loginbaseurl": "https://<env>.symphony.com",
		"keymanagerurl": "https://<env>.symphony.com/relay"
	},
	"ssoconfig": {
		"idp.entityid": "http://sso- <env>.symphony.com/adfs/services/trust",
		"sp.entityid": "https://<env>.symphony.com",
		"idp.ssoendpoint": "https://sso-<env>.symphony.com/adfs/ls", "sp.acsurl": "https://localhost.symphony.com:8443/relay/sso/acs", "idp.signingcertificate": "sso-<env>.symphony.com.cer", "ssoenabled": "false"
	},
	"sessionmanagement": {
		"disableSkeyauthentication": "false", "sessionencryptionkey": "session_encryption_key"
	} 
}

First ensure that the linux user running the Tomcat service has full read/write access to /data/tomcat and /data/opt folders or the folders where tomcat and keymanager were installed. (Sample tomcat.keystore, hsm.jck should be under "tomcat" user).

First copy the tomcat certificates from your domain into /data/tomcat/cert folder and configure in the environment.sh file.

To start the tomcat service use the following command

$:> sudo service tomcat start

To stop the tomcat service use the following command

$:> sudo service tomcat stop

If you have a High Availability cluster, repeat the set up process on server cluster. Use the same *.jck file across all components to ensure keymanager compatibility.

$:>tail -f /data/tomcat/logs/livecurrent.log
$:>tail -f /data/tomcat/logs/catalina.YYYY-MM-DD.log
$:>tail -f /data/tomcat/logs/error-livecurrent.log

$:>curl https://KeymanagerURL/relay/HealthCheck

System is healthy: Keymanager URL cname

$:>sudo service tomcat status

The SafeNet Luna SA 7000 is a high performance HSM capable of best in class performance across a breadth of algorithms including ECC, RSA, and symmetric transactions. It also features a dual, hot-swappable power supply that ensures consistent performance and no down time.

We have provided vendor price list information for the SafeNet Luna SA 7000 along with the order numbers to help you estimate the cost of the HSM equipment you plan to deploy.

We repeat our previous guidance concerning Key Managers. We recommend that the people responsible for installing and maintaining the software should have easy access to the equipment during the early phases, especially if the vendor will be providing assistance with the installation.

The ideal permanent location will be to co-locate the Key Manager and HSMs and to place them in similar network locations as email servers/ERP systems or directory services. These locations will have high capacity connectivity and security.

Key Manager servers can be connected to a single HSM or to a High Availability group made up of multiple HSMs. Please review the diagram below:

We show the on-premises key infrastructure in relationship to the other on-premises components and clients below:

Configuration of the Luna SA and application workstation is completed using the Luna SA front panel command console (CLI) RS232 connection and Putty (SSH) connection.

Configuration of the Luna SA consists of the following steps:

1. Configure Luna SA for your network

2. Initialize the HSM and adjust polices

3. Create a partition and adjust policies

4. Set up a network trust link to a client

5. Assign a registered client to the partition

6. Use the partition from the client

Before you begin, gather the following information and write it down:

• Appliance Admin password

• Network Parameters

  • Network Address (IP)

  • Hostname

  • Domain Name*

  • Default Gateway

  • DNS Name Server*

  • Search Domain*

  • Subnet Mask

• HSM Label

• Domain PW

• Security Officer PIN (optional)/PW

• Partition Name

• Partition User PIN (optional)

• Partition Password

* Only required if using DNS. Have your network administrator add an entry to your company’s DNS for the Luna SA.

• Rack Mount

• connect power chord

• Connect Ethernet cable to port eth1 (top port – equates to eth0)

The HSM Luna SA 7000 must be primed with IP address and basic information before it can use network-based management.

Log in as admin and enter the Safenet factory password:

• Local_host login: admin

• Password: PASSWORD

For security, you are immediately prompted to change the factory-default password for the ‘admin’ account. Change the admin password.

To protect Luna SA from vulnerabilities due to weak passwords, new passwords must be at least eight characters in length, must not be based on a dictionary word, and must include characters from at least three of the following four groups:

• lowercase alphabetic (abcd...xyz)

• uppercase alphabetic (ABCD...XYZ)

• numeric (0123456789)

• special (non-alphanumeric,-_!@#$%&*...)

First log into the Admin Portal and download the latest version of the Key Manager RPM distribution by visiting the DOWNLOADS option located in the left Nav.

Copy this file to your Key Manager server:

$> scp symphony-external-relay-centos*.rpm
root@qa8-km:.

stop tomcat and verify that it has bee successfully stopped:

$> service tomcat stop
$> service tomcat status

update the key manager rpm:

$> rpm -U symphony-external-relay-centos65-0.11.0-6.x86_64.rpm

verify your update:

$> rpm -qa | grep sym
symphony-external-relay-centos70-0.11.0-6.x86_64

now restart tomcat:

$> service tomcat start
service tomcat status

The Public pod is a multi-tenant system where businesses are hosted within the same environment. Each business hosted on the shared pod has its own domain managed and controlled by the business’s admin account. We anticipate that the shared pod will mainly host individual accounts, small and medium sized businesses and workgroups of larger organizations.

For company-wide deployments enterprise customers will prefer to use a dedicated pod designed specifically for the needs of global enterprises. The pod you are administering is a private pod, dedicated to your organization.

Compliance officer roles can only be assigned by compliance officers. For this reason the Super Compliance Officer Role is provided separately from the Super Admin Role when the customer pod is first created.

Please refer to the Compliance section for more information on Information barriers.

Super Admins:

• can reset a password (set a string) on any role

• can trigger password reset email on any role

Compliance Officer/Super Compliance Officer/Admin:

• can no longer reset or trigger password reset email on an account. This is to prevent an admin from taking over the account of a user who is theoretically more powerful (CO/SCO), say. Ability to set a password allows them to theoretically take over an account. Hence this is blocked. And some of the customers told us that CO/SCO/A will not be in the business of even triggering a password rest. Hence this is blocked too.

• L1 and L2 should continue to be able to trigger password reset for all roles AND set a password for roles of equal or lesser privilege. i.e. for all roles, the L1 and L2 roles should see the "Email password reset link" button and for some roles see the "Assign new password" link. For example, if you are an L1 support person then you can email a password reset link to anyone but can reset the password for other L1 support people and individual users only, not to L2, Admin, Super Admin, Compliance or Super Compliance users.

Super Compliance Officers will be able to manage and grant additional entitlements to standard Compliance Officers (COs):

• Can monitor wall posts

• Can monitor chats

Select BROWSE ACCOUNTS in the left Nav. Then filter the list by role and select compliance officers. Find the compliance officer who will be granted the additional entitlements and display their user details by clicking on their record in the list. Then use the Role section to grant the additional entitlements (see screenshot below):

To edit a user:

• Select MANAGE USERS from the Admin menu and then highlight the user we want to manage:

You can change the Username in edit mode—you will see a warning before you change it. Remember that if you change the username, the user will not be able to login to Symphony using their old username and password. You must communicate the change to the user.

To deactivate a user account:

• Click the Deactivate button at the top right-hand side of the window to toggle the account —you will be asked for a confirmation:

• Once you confirm the account deactivation, the system will confirm as follows:

  You can re-activate the account using the same process.

To promote a user to admin:

1. Click on the Account Settings tab.

2. Select the Administrator box.

To change a user’s password:

• Select Account Security to modify a user’s password.

• Select to send a password reset link to the user (as shown below) or assign a new password manually.

• If you choose Assign new password then you will be given the option to have Symphony suggest a password for you. Alternatively you can simply type in your own password.

• Remember to copy the password to the clipboard before completing the process. This is important because you need to let your user know what her new password will be.

• Once you’ve done this you can then submit the password change to the system.

For LDAP Sync: When configuring the service account to support LDAP Sync you must configure it as an Admin role.

If you weren’t able to copy the key quickly enough, or need to change the key for any reason, use the Reset Security Key option located top right of the user information form:

You will be asked to confirm the reset:

At which point a new key will be displayed. Again you will have 15 to 30 seconds to copy this new key. Remember, this is the key that will be used by your service application so it needs to be configured in that application.

Disabling file transfer does NOT inhibit the pasting of tables directly into IMs and users will still be able to receive and display files posted by others.

Only disable features at the system-wide level if you intend to disable the feature for ALL users and preferably have informed existing users of the planned change.

Both participants must have External communications activated by their respective admins for this feature to work.

An empty “Allowed file types” field is equivalent to disabling the “Can send files” feature.

There is currently no way to set entitlement features at the point of creating the account (either directly using the CREATE A USER option or indirectly using the BULK MANAGE USERS option). Admin’s must first create the account and then use the MANAGE USERS option in the left nav to edit the user’s account settings.

The desktop client for windows requires .net version 3.5 or 4.0. On Windows 7 system, .net 3.5 is pre-installed with the system and on Windows 8.x .net 4.0 is pre-installed, so nothing should need to be installed. If for some reason neither .net 3.5 nor .net 4.0 is detected, the installer will stop and display a messaging requesting the installation of .net 3.5 or 4.0.

In previous versions of the Desktop client for Windows, two mechanisms were provided for connecting the client to the URL of a private pod. The process (which will be updated) is more complex in this new version of the client and is described below:

1. Login into the Admin Portal of your private pod

2. Select the DOWNLOAD option in the left nav.

3. Select the Desktop client for Windows (this is an MSI file - first download it)

4. Then verify the digital signature of the downloaded MSI file in the Windows file properties menu. If the file is signed by Symphony, then it is a valid file.

5. If the installation is successful, a shortcut is added to the Windows desktop

6. Right click on the shortcut and display Properties

7. Locate the installation path

8. Copy Symphony.pgx located under your <install path>/minuet/symphony/bin/apps to a temp location such as c:\temp

9. Navigate to your temp folder and rename Symphony.pgx to Symphony.zip (Windows may ask you to confirm the renaming of the file extension)

10. Unzip the Symphony.zip file and you will see a new Symphony folder

11. Navigate to the Symphony folder and open config.json using notepad or any text editor and modify the URL to <yourPodURL>.com, and save the file

12. Inside the Symphony folder, select all files and right click, select Send to -> Compressed (zipped) folder, and name the file Symphony.zip

13. Rename Symphony.zip to Symphony.pgx (Again, Windows may ask for confirmation)

14. Copy Symphony.pgx back to <your installed path>/minuet/symphony/bin/apps

Once you have completed these steps you can run Symphony following the instructions below.

It can take up to two minutes for SSO to be activated after you have enabled it.

Admins must have a password to log in to the Admin portal even when SSO has been enabled for the pod.

In this section we list the various tools used for installing, configuring and operating the Directory Bridge:

Admin Portal: used to configure the Service User Account on your Symphony Pod

Setup: Installs UnBoundID and prompts you to set your Directory Bridge password

create-pipes.sh: Uses the config properties file containing your principal configuration information (including authentication with both Symphony Pod and LDAP service) to configure and initiate your pipes

create-attribute-maps.sh: This script initiates your attribute mappings, it also uses the config properties file.

LDAP-Search: Gathers the items that will need to be synchronized

Resync: Runs synchronization

dsconfig: Configuration and operational interface for the Directory Bridge. It can be run in both command line mode as well as menu mode.

Directory Bridge Configuration files:

• directorybridge.properties: used to configure user activation and high level properties

• groupMappings.json: used to configure feature entitlements, Information Barriers and Roles

• userAttributeMappings.json: used to configure user properties like department

Before beginning your installation, you will need to obtain the Directory Bridge server image and install a server (or virtual server) to run the Directory Bridge.

The Directory Bridge interacts with your private pod using a Symphony Service user account. Before proceeding, please make sure you’re familiar with our instructions for creating and configuring service accounts using the Admin Portal. An earlier section describes this in more detail. Service accounts can be created using the CREATE USER option in the left nav.

Once the account has been configured a Security Key will be generated (see below):

You should copy this information immediately for inclusion in your Directory Bridge configuration. The Security code will only be displayed for a brief 15-30 seconds. If you miss it, you can regenerate another security code.

Once installed (see below), the directory bridge is configured by modifying three files:

• directorybridge.properties: used to configure user activation and high level properties

• groupMappings.json: used to configure feature entitlements, Information Barriers and Roles

• userAttributeMappings.json: used to configure user properties like department

Each time these files are modified, the Directory Bridge must be stopped and restarted using the commands below:

$> $syncroot/bin/stop-sync-server
$> $syncroot/bin/start-sync-server

If errors are encountered with your configuration files (typically when you try to restart your bridge) then the Directory Bridge will fail to start and you should consult the error log file:

$syncroot/logs/errors

The Directory Bridge server image can be obtained by using the <DOWNLOAD> option located in the left Nav. of the admin Portal. You should then select the DirectoryBridge-<version>-<date>.RPM file.

1. Run the rpm file as follows. A new directory will be created /opt/directorybridge and for the remainder of this section, we will refer to the directory as $syncroot.

   $gt; sudo rpm --install <file>

   This will create user symphonyldapsync, install the software at /opt/DirectoryBridge, which we will hereafter refer to as $syncroot.

   This application logs to a directory named “logs” in the installation directory (hereafter referred to as $syncroot). It is sometimes desirable to link the “logs” directory to a separate mount.

   For an update of an existing installation: sudo rpm --upgrade <file>

2. After running the RPM script, the following files and directories are available in $syncroot:

   License.txt	Licensing agreement for the Identity Data Store
   README	README file that describes the steps to set up and start the Identity Data Store
   bak	Stores the physical backup files used with the backup command-line tool
   bat	Stores Windows-based command-line tools for the Identity Data Store
   bin	Stores UNIX/Linux-based command-line tools for the Identity Data Store
   classes	Stores any external classes for server extensions
   config	Stores the configuration files for the backends (admin, config) as well as the directories for messages, schema, tools, and updates
   db	Stores the Oracle Berkeley Java Edition database files for the Identity Data Store
   docs	Provides the release notes, Configuration Reference file and a basic Getting Started Guide (HTML)
   import-tmp	Stores temporary imported items
   ldif	Stores any LDIF files that you may have created or imported
   legal-notices	Stores any legal notices for dependent software used with the Identity Data Store
   lib	Stores any scripts, jar, and library files needed for the server and its extensions
   locks	Stores any lock files in the backends
   logs	Stores log files for the Identity Data Store
   resource	Stores the MIB files for SNMP
   revert-update	The revert-update tool for UNIX/Linux systems
   revert-update.bat	The revert-update tool for Windows systems
   setup	The setup tool for UNIX/Linux systems
   setup.bat	The setup tool for Windows systems
   uninstall	The uninstall tool for UNIX/Linux systems
   uninstall.bat	The uninstall tool for Windows systems
   update	The update tool for UNIX/Linux systems
   update.bat	The update tool for Windows systems

3. From this point onwards we will run scripts from the $syncroot directory. Specify the file descriptor limit by executing this command from $syncroot:

   $> echo -n "NUM_FILE_DESCRIPTORS=" > config/num-file-descriptors && ulimit -n >> config/num-file-descriptors

   this will prevent the following warning message from being displayed during your installation:

   WARNING: Unable to set the file descriptor limit to 65535.
   This may interfere with the operation of this process.
   See the Administration Guide for information about
   configuring system file descriptor limits, and for
   configuring the number of file descriptors the server
   should attempt to use.

   Then Specify the maximum number of processes available by executing the command below from $syncroot:

   $> echo -n "NUM_USER_PROCESSES=" > config/num-user-processes && ulimit -u >> config/num-user-processes

4. From $syncroot, run $> ./setup

   This will launch a series of prompts. Some of them will be prepopulated with a default answer (shown within square brackets). To accept a default, simply press “enter” or “return” (depending on your keyboard). For a simple installation, we recommend that you accept the default value for each prompt as shown in the dialogue below (these settings can be changed later).

   Do you accept the terms of this license? Enter 'yes' to accept, 'no' to reject, or press ENTER to display the next page of the license [yes]
   Would you like to add this server to an existing Identity Data Sync Server topology? (yes / no) [no]
   Enter the fully qualified host name or IP address of the local host [xx.xx.xx.xx]
   Create the initial root user DN for the Identity Data Sync Server [cn=Directory Manager]
   Create a password for the initial root user: [Enter your password]
   Re-enter the password for confirmation: [Enter your password]
   On which port should the Identity Data Sync Server accept connections from LDAP clients? [XXXX<port number will change each time, accept default>]
   Do you want to enable LDAPS? (yes / no) [no]
   Do you want to enable StartTLS? (yes / no) [no]
   By default the server listens on all available network interfaces for client connections. Would you like to specify particular addresses on which this server will listen for client connections? (yes / no) [no]
   An adequate amount of memory must be assigned to the server for optimal performance. Choose the option that best characterizes how this installation should be allocated memory:
   For the Memory allocation choice:
   	1. Aggressive – Used for production deployments
   	2. Semi-Aggressive
   	3. Minimal – Used for QA and evaluation deployments
   	4. Manual
   Enter option: [3] for evaluation purposes or [1] for production
   
   Do you want to start the server when the configuration is completed? (yes / no) [yes]
   
   Setup Summary
   =============
   Host Name:                10.86.0.94
   Roos User DN:             cn=Directory Manager
   LDAP Listener Port:       4389
   
   The Identity Data Sync Server will be started after configuration
   What would you like to do?
   
   	1) Set up the server with the parameters above
   	2) Provide the setup parameters again
   	3) Cancel the setup
   Enter option [1]
   
   Configuring Identity Data Sync Server ..... Done
   Starting Identity Data Sync Server ..... Done
   
   This server is now ready for configuration. What would you like to do?
   	1) Start 'create-sync-pipe-config' to configure synchronization between two sets of servers
   	2) Start 'dsconfig' to edit the configuration
   	3) Quit

   At this point, choose quit: 3

5. Next, we will issue an LDAP search request to the source endpoint (LDAP system) to verify LDAP Sync's read access. Go to $syncroot/bin and execute:

   $> /ldapsearch --help

   A few pages of documentation will be displayed, at the end of which are example uses of the ldapsearch utility. Execute the following command, substituting the values for your LDAP system and the password you created during execution of the setup script. Note the use of -ZX, which indicates the use of LDAPS (secure protocol) and blind trust of the LDAP system’s certificate.

   $> $syncroot/bin/ldapsearch --hostname localhost --port 23317 -ZX --bindDN "cn=Sync User,cn=Users,dc=fakecorp,dc=local" --bindPassword NotReallyThePassword --baseDN "dc=fakecorp,dc=local" --searchScope base '(objectclass=domainDNS)'

   If the result of this command is:

   Connect Error
   Result Code: 91 (Connect Error)

   ...then we do not have connectivity to the source LDAP system. Ensure connectivity and try again. If the result is:

   Cannot read the bind response from the server: The connection to the Identity Data Sync Server was closed before the bind response could be read (id=10748693 LDAPAuthenticationHandler.java:385 Build revision=18964)
   Result Code: 82 (Local Error)

   ...then ensure that your LDAP system is configured to accept connections over LDAPS. If all goes well, then the result will look something like this:

   dn: cn=Users,dc=fakecorp,dc=local
   objectClass: top
   objectClass: container
   cn: Users
   description: Default container for upgraded user accounts
   distinguishedName: CN=Users,DC=fakecorp,DC=local
   instanceType: 4
   whenCreated: 20150203201527.0Z
   whenChanged: 20150203201527.0Z
   uSNCreated: 5696
   uSNChanged: 5696
   showInAdvancedViewOnly: FALSE
   name: Users
   objectGUID:: VcT3+EE6zEa36KXS9SCNbw==
   systemFlags: -1946157056
   objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=fakecorp,DC=local
   isCriticalSystemObject: TRUE
   dSCorePropagationData: 16010101000000.0Z

6. Confirm that $syncroot/config/ldapsync.properties contains values appropriate for your system. In the following steps we will run commands that depend on these properties. An example file is provided as a reference: ldapsync-example.properties (see below):

   # The login info for the UnboundID-Synch server
   	 LDAP_SYNC_BIND_DN="cn=Directory Manager"
   	 LDAP_SYNC_PASS="symphony"
   # The login info for the AD server when creating the pipe
   	 SOURCE_SERVER_NAME="symphony-ad-test"
   	 SOURCE_SERVER_HOST="localhost"
   	 SOURCE_SERVER_HOST_PORT="23317"
   # NOTE: to see the full list of servers supported, use the dsconfig utility in the bin directory
   	 SOURCE_SERVER_TYPE=active-directory
   	 SOURCE_SERVER_BASE_DN="dc=fakecorp,dc=local"
   	 SOURCE_SERVER_USERS_DN="cn=Users,dc=fakecorp,dc=local"
   	 SOURCE_SERVER_HOST_BIND_DN="cn=Sync User,cn=Users,dc=fakecorp,dc=local"
   # to get a new hashed password, use the dsconfig utility in the bin directory to set the password -- the hashed password will be displayed
   	 SOURCE_SERVER_HOST_PASS="AACWeEOv7z2jqceYfwsqjC9rWjCBJebE9GE="
   	 SYNC_SRC="Microsoft Active Directory Source"
   	 USERS_SYNC_DEST="Users Destination"
   	 USERS_SYNC_CLASS="Users to Symphony Sync Class"
   	 USERS_SYNC_PIPE="Users to Symphony Sync Pipe"
   	 USERS_ATTRIBUTE_MAP="Users to Symphony Attribute Map"
   	 GROUPS_SYNC_DEST="Groups Destination"
   	 GROUPS_SYNC_PIPE="Groups to Symphony Sync Pipe"
   	 GROUPS_SYNC_CLASS="Groups to Symphony Sync Class"
   	 GROUPS_ATTRIBUTE_MAP="Groups to Symphony Attribute Map"
   	 DISTROLISTS_SYNC_DEST="Distribution Lists Destination"
   	 DISTROLISTS_SYNC_CLASS="Distribution Lists to Symphony Sync Class"
   	 DISTROLISTS_SYNC_PIPE="Distribution Lists to Symphony Sync Pipe"
   	 DISTROLISTS_ATTRIBUTE_MAP="Distribution Lists to Symphony Attribute Map"

7. Create the primary elements of configuration by running the following script using your own version of the example we displayed in section 6 above:

   $> syncroot/bin/create-pipes.sh ../config/ldapsync.properties

   Be sure to look at the output to ensure that all operations were successful. If any operation failed, then undo the script by running:

   $> syncroot/bin/delete-pipes.sh ../config/ldapsync.properties

   If all goes well then the following output will be displayed.

   Creating external servers
   The Active Directory External Server was created successfully
   Creating sync source plugin
   The Third Party LDAP Sync Source Plugin was created successfully
   Creating sync source
   The Active Directory Sync Source was created successfully
   Creating sync destination for users
   The Third Party Sync Destination was created successfully
   Creating sync destination for groups
   The Third Party Sync Destination was created successfully
   Creating sync pipe for users
   The Sync Pipe was created successfully
   Creating sync pipe for groups
   The Sync Pipe was created successfully
   Creating sync class for users
   The Sync Class was created successfully
   Creating sync class for groups
   The Sync Class was created successfully
   Finished.

8. Until LDAP Sync is confirmed to be running smoothly, it is recommended that debug logging be enabled. Do this via the following command:

   $>./dsconfig -n --bindDN "cn=Directory Manager" --bindPassword NotReallyThePassword set-log-publisher-prop --publisher-name "Server SDK Extension Debug Logger" --set enabled:true

9. We will now configure the primary Sync Class for users. This defines how a subset of users will be selected for inclusion in the Directory Sync.

   • Define a specific LDAP attribute in your LDAP server that will “contain” your Symphony users. Example: userparam=symphonyusers

   • Still on your LDAP Server, add this attribute to the users who will have access to Symphony

   • Using the dsconfig command othe LDAP server above – these are the ones who will be synchronized with your Symphony accounts

   $gt; /dsconfig set-sync-class-prop --pipe-name "Users to Symphony Sync Pipe" --class-name "Users to Symphony Sync Class" --hostname "localhost" --bindDN "cn=Directory Manager" --bindPassword --port 1389 -n --set include-base-dn:cn=Users,dc=fakecorp,dc=local --add "include-filter:(useraram=symphonyusers)"

10. Now we are ready to start synchronizing data. Please note that by default LDAP Sync will start at the beginning of the source LDAP system's changelog. For many enterprise LDAP systems, the changelog is extremely long. In such cases, LDAP Sync may take a long time time to work its way through all of the changes. This is especially true if many of the entries in the changelog are not of interest to LDAP Sync. Therefore, it is recommended that we first use LDAP Sync's resync utility to take care of historical data, and then configure LDAP Sync to start at the end of the changelog (before enabling real-time synchronization).

    To do this, start by setting the starting point of each sync pipe as follows (as always, run from $syncroot) and use the password you entered for LDAP_SYNC_PASS above.

    $> ./realtime-sync set-startpoint --end-of-changelog --pipe-name "Users to Symphony Sync Pipe" --bindDN "cn=Directory Manager" --bindPassword NotReallyThePassword --port XXXX ß - default port number from setup
    $> ./realtime-sync set-startpoint --end-of-changelog --pipe-name "Groups to Symphony Sync Pipe" --bindDN "cn=Directory Manager" --bindPassword NotReallyThePassword --port XXXXß- default port number from setup

    The above commands require that the sync pipes are stopped (i.e. disabled). This can be done with the same command; run ./realtime-sync --help for more information. These commands (./realtime-sync set-startpoint...) may take several minutes (especially if the source LDAP system is Microsoft Active Directory) but can be run in parallel. If all goes well, the following output will be displayed.

    Set StartPoint task 2015040819121904 scheduled to start immediately
    NOTE: This tool is running as a task. Killing or interrupting this tool will not have an impact on the task

11. Now that the pipes are all set to start at the end of the changelog, let's synchronize everything up to this point so that we can enable real-time synchronization.

    The following examples should be repeated for each of the sync pipes (i.e. users, and groups). To do this, execute an LDAP search to get all entries that that should be synchronized. Please use a filter that is appropriate for the source LDAP system being used. Here's an example:

    $> ./ldapsearch --hostname localhost --port 23317 -ZX --bindDN "cn=Sync User,cn=Users,dc=fakecorp,dc=local" --bindPassword NotReallyThePassword --baseDN "cn=Users,dc=fakecorp,dc=local" --searchScope sub '(userparam=SymphonyUsers)' dn > entriesToSync.ldif

    Note the use of --simplePageSize 1000. If the source LDAP system has a lower limit on the number of entries returned by an LDAP search, then a lower page size should be used. If all goes well, a file named entriesToSync.ldif will be created with contents similar to this:

    dn: CN=Ruth Reynolds,CN=Users,DC=fakecorp,DC=local
    dn: CN=Super Man,CN=Users,DC=fakecorp,DC=local
    dn: CN=Kelly Flores,CN=Users,DC=fakecorp,DC=local
    dn: CN=Administrator,CN=Users,DC=fakecorp,DC=local
    dn: CN=Jean Warren,CN=Users,DC=fakecorp,DC=local
    dn: CN=Guest,CN=Users,DC=fakecorp,DC=local
    dn: CN=Gary Rodriguez,CN=Users,DC=fakecorp,DC=local

12. Configure LDAP Sync properties by first copying the example file:

    $>cp directorybridge-example.properties directorybridge.properties

    edit this file and enter the name of your Symphony service (replacing fakecorp in the example file)

    # SOURCE SERVER CONFIGURATION
    ldap-user-search-basedn="cn=Users,dc=fakecorp,dc=local"
    #
    # SYMPHONY CONFIGURATION
    # Please replace 'localhost.symphony.com:17443' with the URL and port number identifying your private pod
    symphony-url="https://localhost.symphony.com:17443"
    
    # Enter the service account name
    symphony-user="LDAPSystem"
    # and the shared secret associated with this account
    symphony-auth="123Ro+A2CXsx3GDiKZm2YDawTmfZo4j4gOrheAOMfEE="
    
    # SYNC CONFIGURATION – replace “fakecorp”
    # To configure the “All Symphony Users Group” please edit the following line:
    symphony-users-ldap-group="cn=Symphony Users,cn=Users,dc=fakecorp,dc=local"
    
    # ATTRIBUTE MAPPING
    # The username attribute is used to associate LDAP entries with Symphony users
    ldap-username-attr=sAMAccountName
    
    # Most LDAP systems use "member" as the attribute to store group membership and "memberOf" to store the groups a user is a member of
    ldap-group-member-attr=member
    ldap-memberof-attr=memberOf

13. Configure LDAP Sync group mappings by first copying the example file:

    $>cp groupMappings-example.json
    groupMappings.json

    The groupMappings.json file is used to map groups for roles as well as for managing membership of Information Barrier (IB) groups using the Information Barrier ID for a particular group within the Admin Portal.

    Disabling and Creating IB groups directly using LDAP sync is not currently supported.

    Edit the file groupMappings.json and enter the name of your Symphony service (replacing fakecorp in the example file).

    [
    	{
    		"dn": "CN=ComplianceOfficers,CN=Users,DC=fakecorp,DC=local",
    		"roles": ["COMPLIANCE_OFFICER"]
    	},
    	{
    		"dn": "CN=SuperComplianceOfficers,CN=Users,DC=fakecorp,DC=local",
    		"roles": ["SUPER_COMPLIANCE_OFFICER"]
    	},
    	{
    		"dn": "CN=Entitlements,CN=Users,DC=fakecorp,DC=local",
    		"entitlements": ["sendFilesEnabled"]
    	},
    	{
    		"dn": "CN=Admins,CN=Users,DC=fakecorp,DC=local",
    		"roles": ["ADMINISTRATOR"]
    	},
    	{
    		"dn": "CN=IBGroupA,CN=Users,DC=fakecorp,DC=local",
    		"infoBarrierGroups": ["56e700f6e4b088a70f00a1e5"]
    	},
    	{
    		"dn": "CN=IBGroupB,CN=Users,DC=fakecorp,DC=local",
    		"infoBarrierGroups": ["56e700ffe4b0665dac11e117"]
    	}
    ]

14. Configure LDAP Sync user attribute mappings by first copying the example file:

    $>cp userAttributeMappings-example.json userAttributeMappings.json

    [
    	{
    		"symphony": "deptName",
    		"ldap": "department"
    	},
    	{
    		"symphony": "divName",
    		"ldap": "division"
    	},
    	{
    		"symphony": "location",
    		"ldap": "l"
    	},
    	{
    		"symphony": "givenName",
    		"ldap": "givenName"
    	}
    ]

    The full list of “to-attribute” values is provided in the table below:

    Each time the files mentioned in steps 13, 14 and 15 (above) are modified, the Directory Bridge must be stopped and restarted using the commands below:

    $> $syncroot/bin/stop-sync-server
    $> $syncroot/bin/start-sync-server

15. Before proceeding, it is highly recommended that all pipes are properly configured. If there is any doubt, please review the “Configuring LDAP Directory Sync” section below. For synchronization of user entitlements in Symphony in particular, before executing the next step we should ensure that LDAP groups are mapped to Symphony entitlements as desired.

16. Use the file generated in the previous step as an argument to the resync utility, as follows.

    $> ./resync --sourceInputFile entriesToSync.ldif --pipe-name "Users to Symphony Sync Pipe"

    This will produce information concluding with a status summary similar to the one shown below:

    Status after completing all passes
    [09/Apr/2015:12:38:10 -0400]
    --------------------------------
    Source entries retrieved 18
    Entries in-sync 11
    Entries dropped due to error 7
    Duration (seconds) 25
    Resync completed in 25 s.
    11 entries were in-sync, 0 entries were modified, 0 entries were created, 0 entries are still out-of-sync, 0 entries are still missing, and 7 entries could not be processed due to an error

    As documented in ./resync --help, ./resync log files can be found in $syncroot/logs/tools.

17. Assuming all has gone well up to this point, then we're ready to enable real-time synchronization. Let's do that by turning each of the sync pipes on. The following is an example command that accomplishes this. This command should be run from within $syncroot.

    $> ./dsconfig set-sync-pipe-prop --pipe-name "Users to Symphony Sync Pipe" --set started:true
    $> ./dsconfig set-sync-pipe-prop --pipe-name "Groups to Symphony Sync Pipe" --set started:true

18. From this point forward use the command line interface (i.e. $syncroot/dsconfig) to complete your configuration. You can also view the log files to ensure that LDAP Sync is running smoothly. The log files are located in $syncroot/logs.

    The Directory Bridge is now running and you can verify that the configuration is working as intended by adding users to your SymphonyGroup on your LDAP server and verifying that the user is listed in your Symphony Pod. Before doing this, please read the next section.

Symphony’s LDAP Sync implementation has been designed to be “forward looking.” It cannot for example be used to delete accounts that have already been created. Such accounts should be deactivated rather than deleted and we provide an example below on how to configure ldap-user-deactivation.

A lot of flexibility is provided with the Directory Bridge and supporting utilities. However, care has been taken to ensure that the configuration settings described in this chapter prevent the bulk loading of your entire LDAP directory. If this did occur, as we state in the previous paragraph none of those accounts (even dormant ones) could be deleted from Symphony. If this is unclear, please review the installation instructions above (particularly step 10).

When User Accounts are created using LDAP sync, they receive default Pod-wide entitlements set by the Symphony Admin using the Admin Portal (See Feature Entitlement section in this guide). In this section we explain how these default values can be overridden for specific groups of users.

These examples can be used as references for common LDAP Sync tasks. Please note that corresponding configuration is required on the LDAP Server.

Configuration for LDAP Sync is managed primarily via the following elements: Sync Destinations, Attribute Maps, and Sync Classes. Other elements of configuration should rarely require modification after initial setup: Sync Sources, Sync Pipes.

A Sync Destination defines the destination of a Sync Pipe, where changes to be synchronized are applied. LDAP Sync currently features two Sync Destinations; users and user entitlements:

Each Sync Destination takes a number of arguments. The expectation is that most of these would be pre-populated during installation of LDAP Directory Sync.

A full list of the arguments supported by each Sync Destination follows.

Attribute maps are used to convert entries in the source LDAP system to entries that can be fed as input to Symphony REST API calls.

A Sync Class defines how a type of LDAP entry is synchronized. The following image illustrates a Sync Class for users.

Of particular interest here are "include-base-dn", "include-filter", and "attribute-map". The others are covered in detail in the admin guide. "include-base-dn" specifies the base DNs for the branches of the Sync Source that can be in this Sync Class. In the example above, "cn=Users,dc=fakecorp,dc=local" specifies a branch of the directory that will be included for user synchronization. "include-filter" contains a set of filters that define the source entries that should be included in this Sync Class. In the above example, only directory entries that have "person" as a value for the attribute "objectClass" shall be synchronized. For more information about "attribute-map" please refer to the corresponding section of this article.

The following image illustrates a Sync Class for groups.

A Sync Pipe defines how data is synchronized from a sync source to a sync destination. Sync can be turned on/off by toggling the "started" property of sync pipes (see below).

A Sync Source defines the source of a Sync Pipe, where changes to be synchronized are detected.

Only one Content Export Bridge can be connected to your Pod. The Content Export Bridge should have the following characteristics:

• 8 GB of memory (see note below)

• 4 CPU Cores

• 250 GB disk

• Operating System: Linux RHEL Fedora 2015.03 (This AWS supported OS has been validated by Symphony) or CentOS 7.1 (used in our example below)

• JVM: Java 7 Standard Edition, Enterprise Edition - a Java development kit (JDK) is recommended

• JVM 64-bit is recommended

• CD Drive

• Virtual Servers: both on-premises and cloud-hosted are supported

If you plan to run the Content Export Bridge on the same server as the Key Manager, then 16GB RAM will be required.

CentOS Installation: The “Community Enterprise Operating System” or CentOS is a Linux distribution that attempts to provide a free, enterprise class community-supported computing platform. We will install the Full ISO image of CentOS version of Linux (v7.1). Note that the full ISO image comes equipped with Java SDK version 1.7 and GNOME. To check the version of Java installed, use the following command.

$:> java –version

You can start the Content Export Bridge using the following command:

$> sudo service tomcat start

At this point the CE Bridge should be running, you can check whether this is the case by running:

$> sudo service tomcat status

You can stop tomcat with the following command:

$> sudo service tomcat stop

To upgrade the Content Export Bridge:

Log into the Admin Portal and download the latest CEB distribution using the DOWNLOADS option in the left Nav.

First stop the CEB:

$> sudo service tomcat stop

Then upgrade using the RPM file downloaded from the Admin Portal:

$> sudo rpm -Uvh --prefix=/opt/tomcat --replacefiles single-cecservice-0.0.1-0.x86_64.rpm

and then start the Content Export Bridge again:

$> sudo service tomcat start

To uninstall the Content Export Bridge:

$> sudo rpm -e cecservice 

The export process is activated by selecting CONTENT EXPORT in the Admin portal. You will be guided through the creation of a dedicated SFTP user account for accessing your SFTP server.

To enable content export from the admin portal:

• In the left navigation panel, select CONTENT EXPORT.

  The Configure Content Export window appears.

• Click Enable Content Export.

Legacy installations may still be using the SFTP export process. Select SFTP and he content export feature will be enabled and the preset password for the SFTP account will be displayed.

• To change the password, in the Configure Content Export window, click Reset Password.

• The Reset your content export password popup appears.

• Enter the new password or click Generate.

• Remember to copy the generated password (press ctrl+c).

• Click Submit to confirm the password change.

You can program content export to run at a regular frequency. The default value is 24 hours starting at 23:59:59 UTC. You can also select which format you want to use: Symphony (which contains Read-by information) or Actiance format – see the screenshot below:

You can change the export setting to run more frequently than every 24 hours using the drop-down box. It is important to understand that these settings are relative in that you will get different results depending on when you decide to change the frequency and also, when an export was last run. Here are some examples:

1. It is 03:00 hrs. UTC and you change export frequency from 24 hours to 2 hours. In this case a first export will immediately run and will contain 2 hours worth of information (up to 02:00 hrs. UTC). Your next file will be created at 04:00 hrs UTC.

2. It is 07:15 hrs. UTC and you change export frequency from 24 hours to 2 hours. In this case three exports will be triggered, one for:

   1. 02:00 hrs. UTC

   2. 04:00 hrs. UTC

   3. 06:00 hrs. UTC

   the next job to run would be at 08:00 hrs. UTC

3. Now lets make things a bit more complex. Imagine I work in New York and I actually want my exports to run with a frequency of 24 hours at midnight New York time, which corresponds to 05:00 hrs. UTC. To accomplish this, I make two changes:

   1. At 23:05 hrs. UTC (18:05 hrs. ET) I set the frequency to 6 hours – this will cause an export to run at 05:00 hrs. UTC (midnight in New York) and it will contain 6 hours of data.

   2. At 07:05 hrs. UTC (02:05 hrs. ET) I set the frequency to 24 hours. This second step will cause a 24-hour content export to run every night at midnight in New York. The previous 6-hour frequency is cancelled and replaced with this new schedule.

   In this third example, I waited the extra two hours in order to let the 6-hour job to complete because the Symphony scheduler requires the previous job to have successfully completed in order to book a new start time that uses the previous job’s end time (in our case midnight in New York).

   In this third example we have illustrated:

   1. How smaller frequencies can be used to move the start time to a later time

   2. How partial exports can be interrupted mid-way to reset the start time to the last completed export time

You can run a manual (AD-HOC) export based on a date range (see screenshot below) and as for frequent export, you select either: Symphony (which contains Read-by information) or EML and Actianceformat.

Next, select the start-date and end-date for your export – dates will be shown in mm/dd/yyyy format. The times used will be 23:59:59 UTC to 23:59:59 UTC of the next day. It is important to recognize that the use of UTC may cause unanticipated difference in the way data is retrieved.

Rule 1: Dates are always based on 24hrs starting and finishing at 23:59:59 UTC

Rule 2: No partial days are retrieved – information from the current day will be retrieved only after 23:59:59 UTC of the current day, this corresponds to 6:59:59pm ET.

This means that when testing the feature, admins in New York should enter test data leading up to 7pm ET and then run manual exports at 7pm ET onwards in order to see their test records in the manual export.

When ready, press Start Manual Export. The export will be loaded into your SFTP content export site. Access the information using the machine with the IP address you registered with Symphony Global Services.

Content Export includes an option entitled EXPORTED FILE LOG that will list each content export and flag any error that might have occurred with each export. The checks currently performed include:

• the zip file is not corrupted,

• all content is included in the export,

• content is decrypted.

The screen shot below shows the EXPORTED FILE LOG option:

For legacy installations, the downloaded file is stored on an SFTP server using a similar name structure to other servers described in this document: e.g. <organization-name>-tools.symphony.com. It can be accessed with the SFTP user name (podname-ContentExporter) along with the password that was created during the activation process. The password for the SFTP account is preset but can be changed in the admin portal. This user account is not a Symphony user account and cannot be used to log into the admin portal or Symphony client—it is only used for downloading the exported content. You cannot delete your content from the SFTP server.

The timestamp used for content export is in the form HH:MM:SS:mm where mm represents milliseconds.

The following information is exported:

The Symphony client encodes rich text such as bold, Italics and bullets using a standard markdown syntax. For example, if the user inserts rich text as follows:

testing bold, italics and bullets

then in the xml content export, this is translated to:

<content>
<![CDATA[ - testing **bold**, _italics_ and bullets ]]>
</content>

If on the other hand, the user types a message containing the ‘*’, ‘-’ or ‘_’ characters, then these will be encoded with an escape backslash in the content export file. Original text entered by the user:

testing asterisk *, dash - and underscore _

converted as follows in the XML version:

<content>
<![CDATA[ test of star \*, dash \- and underscore \_ ]]>
</content>

There is currently an issue with the way usage is reported across multiple export periods. If user A sends a message to user B on day 1, then the report will show that user A sent this message on day 1’s export. On day 2, user B reads the message and this event will be reported in the user summary. However, user A will be shown as having sent the message again, even though user A did not send this message on Day 2. This issue will be addressed in a later release.

On the day that CONTENT EXPORT is activated all the content for the 24-hour period (23:59:59 UTC – 23:59:59 UTC) will be included in the first run of the procedure initiated at 9am UTC. This does not include any historical data generated prior to the day of activation.

It may be possible for Symphony Global Services to generate historical data on behalf of early stage customers if required. Contact Symphony Global Services if you need to generate historical data.

Companies will enforce expression filtering to reduce the risk of their employees generating inappropriate content and thus potentially impacting the reputation or compliance of the company. One example is profanity filtering.

First select Expression Filters from the left Nav. and you will be presented with the Dictionary Management interface.

This interface uses simple expressions as well as more complex regular expression rules. You can edit an expression by checking the relevant box to the left of the expression and then pressing the “edit” pen located to the right of the expression:

You can then enter a regular expression. Please note that expression filters are powerful and you run the risk of introducing unexpected filtering if you’re not careful. We strongly recommend that you test your regex to ensure your expression works as you intend.

Words loaded without regex syntax will be interpreted as follows: /\sdang\s/ in other words we assume leading and trailing spaces. Admins seeking to be absolutely sure of the behavior of their expression filters should use regex syntax and test carefully.

Symphony supports JavaScript Regex syntax. Please refer to the following resource for more information:

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions

Control internal information flow between groups of users in order to avoid inappropriate communication and collaboration that could result in compliance violations.

Use the Admin Portal to create internal boundaries between groups. Usage:

First create an IB Group and add users to this groupAssign users to IB Groups

Activate Block Policy between groups

Select an IB Group from the list:

Block members of the IB group from communicating with another group:

When the owner of a room is removed because of a new Information Barrier policy or because of a change to their external communications entitlement. The room will continue after the lone owner is removed by promoting the oldest member who is free of an IB or Entitlement constraint to owner.

Admins and later compliance officers can configure warning messages to be displayed following specific user actions – at this time, this is when users communicate with external users. To configure disclaimers, select Disclaimers from the left Nav.

Disclaimers can also be set for individual users. This is accomplished by first creating a named disclaimer and then assigning the named disclaimer at the user level. In the example below a disclaimer called “External Communications” is being created.

This disclaimer can be set to display based on a specific number of days: every two day etc…Setting this value to ‘0’ will cause the disclaimer to be displayed every time the user posts a message externally.

Admins and Compliance officers can use the All Rooms option in the left Nav. to display a list of rooms created their users. The table includes a Scope tab showing either Internal or External, Member count, whether the room is enabled, the company that created the room and the room creator as well as basic information about activity and status (see the screenshot below for the complete list). More complete searching and sorting options will be delivered in a later release.

The SCO and CO’s with appropriate entitlement will be able to display a room or wall post (per user) and monitor it in real time. First select ALL ROOMS from the left Nav (see above). Then display the room details by clicking on the room from the list and selecting the Monitor Room button located top right of the room details (shown in the screenshot below).

Here is an example of a room monitor in progress:

SCO and CO’s will be prompted to provide an explanation for their session and the description and relevant statistics related to the session will be logged and searchable in the audit trail.

Select SCO/CO SESSION LOG and a list of logins will be displayed as shown below:

Select the username and then Audit Trail from the user detail screen. Each login will be accompanied by an explanation based on what was entered when the compliance officer logged in.

Symphony provides APIs for Extending and Enriching the symphony experience with new functionality and 3^rd–party content. Three partners (Dow Jones, S&P Capital IQ and Selerity) are currently providing free versions of their applications to Symphony users and these as well as any in-house applications developed using the Symphony API’s can be activated using the APP MANAGEMENT option located in the left Nav of the Admin Portal.

Once an application partner has registered a premium app, it can be allocated and installed for users by the Pod Administrator. Users will either see the new App in the App Store from where they can install it, or the admin may prefer to have it installed automatically for their users. This can be configured using the APP MANAGEMENToption in the left Nav. of the admin portal.

In the screenshot below, we show a list of APPLICATIONS being assigned to a specific user. Standard applications are free, whereas Premium applications require a subscription.

When using the APP MANAGEMENT option, the admin can also display their current balance:

• Licenses used

• Licenses remaining (balance)

• Total Licenses (used and remaining)

Audit trails are available to track when applications are assigned to users. The following events are tracked:

• App enabled/disabled

• Licenses granted/removed for a product

• App installation changed - automatic/manual

• App visibility changed - visible/hidden

The audit trail displays, for each event:

• Date of event

• Initiator (internal user, or publisher)

• Product impacted

• User impacted (for installs and subscriptions)

In this section we’ll focus specifically on the password field. So while it is acceptable to create and update other optional fields at the same time, our examples will be limited to password actions.

Creating Users: When we create a user with the CSV import process, we have two options:

• Password: We can either type in a valid password manually (15 characters minimum, uses upper and lower case, includes a number and includes a special character).

• SEND_EMAIL: Enter “SEND_EMAIL” in which case Symphony will generate an email prompting that user to Set password. This second option avoids the burden of coming up with valid passwords on behalf of your users and communicating these passwords to them – and equally importantly, the need to secure or preferably delete the CSV file after use.

companyUserId,surname,firstName,prettyName,emailAddress,password
LBonacci,Bonacci,Leonardo,Leo Bonacci,[email protected],First7Fibonacci#s

companyUserId,surname,firstName,prettyName,emailAddress,password
LBonacci,Bonacci,Leonardo,Leo Bonacci,[email protected],SEND_EMAIL

Updating existing users’ passwords: If we want to make changes to user accounts it is strongly recommended that the admin first generate an up-to-date view of user definitions by downloading the CSV from the admin portal.

The process for doing this is similar to the one we followed when we downloaded the CSV template earlier. This time, select Include all existing users in spreadsheet and then press Download sample CSV:

When you do this, you will notice that any users who have set their passwords will have “starred-out” password information (an asterisk) in their password field. Users who have not set their passwords will have blank null password fields.

companyUserId,surname,firstName,prettyName,emailAddress,password
LBonacci,Bonacci,Leonardo,Leo Bonacci,[email protected],LFib,Fibonacci,Leonardo,Leo Fibonacci,[email protected],*

If SSO has been set, then you should expect to see mostly blank password fields. On the other hand if SSO is not enabled and you used the “SEND_EMAIL” method, then blank values will indicate users who have not yet set their passwords and therefore not yet started using Symphony.

You may decide to trigger an additional email to those users to encourage them to activate their accounts:

companyUserId,surname,firstName,prettyName,emailAddress,password
LBonacci,Bonacci,Leonardo,Leo Bonacci,[email protected],SEND_EMAIL

Using the password field, we have three options with the CSV files:

1. No change to the password: Leave the password field with one or more asterisks, or <null> (if no password had been set).

2. Manually set a new password: Type in a valid password string in the password field.

3. Generate a set password email: enter “SEND_EMAIL” in the password field.

In SSO mode: The third option can still be used if the pod has been configured for SSO. While it may seem redundant to allow a password to be set on an account that will not normally use one, there may be exceptions such as certain mobile scenarios where having a password is needed.

Symphony does not recommend reusing a CSV file and encourages you to delete CSV files after use in order to avoid security issues.

Most such situations have been anticipated but they will still generate error messages when you try to process previously imported rows.

Usage Statistics generated during the first week after your Pod is activated will gradually populate this data. Full 7-day statistics will commence after the first week.

To make it easier to find relevant information and events when displaying the audit trail you can use the three Filter options above the audit trail columns as shown in the screenshot below:

Select a date range using the date picker. Once you’re satisfied with the date range, and have selected Apply, you can hide the picker again by clicking the up arrow located next to the date range at the top of the picker.

You can then add additional filters based on the Action performed on this user’s account and the Admin that performed the action. We show a date filter combined with an Action filter in the screenshot below:

The values for the Audit Trail fields are shown in the table below: