Prerequisites for a cyberelements Cleanroom Standalone platform¶
Machine¶
Both physical and virtual machines can be used to install cyberelements Cleanroom.
The product does not perform any virtualization itself, so nested virtualization does not need to be enabled on virtual machines.
OS¶
cyberelements Cleanroom runs on 64-bit Debian 12 (Bookworm) machines.
It is recommended to use machines without a graphical interface and to limit the installed components to the base system plus the SSH server.
CPU¶
A CPU with 4 cores will cover most use cases for the product.
RAM¶
Attention
The RAM values given below are indicative only: actual consumption depends on many variables (product features in use, other software installed alongside the product on the machine).
Mediation Controller server
RAM consumption mainly depends on the number of simultaneous users the platform must accommodate:
- Between 1 and 5 simultaneous users: 2 GB of RAM minimum, 4 GB recommended.
- Between 5 and 20 simultaneous users: 4 GB of RAM minimum.
- 20 or more simultaneous users: 8 GB of RAM minimum.
Edge Gateway server
RAM consumption depends on the number of simultaneous sessions as well as on the types of applications being used. Typical values are as follows:
- Between 1 and 5 simultaneous users: 2 GB of RAM minimum, 4 GB recommended.
- Between 5 and 20 simultaneous users: 4 GB of RAM minimum.
- 20 or more simultaneous users: 8 GB of RAM minimum.
Note that an agentless RDP or VNC application can consume up to 400 MB per launched application. When these application types are used extensively, monitor RAM usage and resize the machine accordingly.
HTML5 Gateway server
RAM consumption depends on the number of HTML5 applications open simultaneously. The base server needs 2 GB for the system to function, plus 50 MB per concurrent HTML5 application.
If the HTML5 Gateway role is combined with an Edge Gateway server, add 50 MB per concurrent HTML5 application to the RAM recommendation of the Edge Gateway server.
Disk¶
We recommend partitioning the disk with LVM, which gives the flexibility to resize volumes if the machine's sizing has to be revised while in service.
Different server types have different disk usage patterns and volumes. The information by server type follows.
Mediation Controller server
This server will see increasing volume in the following directories:
- /var/log/: the various system logs.
- /var/lib/postgresql/15/main/: local database data.
- /var/ipdiva/: product-specific data.
Isolating these directories in separate partitions is not mandatory but recommended. You can follow these instructions:
| Mount point | Options | Minimum size (GB) |
|---|---|---|
| /boot | nosuid,nodev,noexec | 1 |
| /opt | nosuid,nodev | 1 |
| /tmp | nosuid,nodev | 4 |
| /srv | nosuid,nodev | 1 |
| /home | nosuid,nodev,noexec | 6 |
| /usr | nodev | 6 |
| /var | nosuid | 5 |
| /var/log | nosuid,nodev,noexec | 5 |
| /var/tmp | nosuid,nodev,noexec | 2 |
| swap | No option | Half the amount of RAM |
| / | No option | 2 or more, depending on the available disk space |
Example
For a server with 4 GB of RAM (which requires 2 GB of swap), the disk space required with the previous partitioning is a minimum of 35 GB.
Edge Gateway server
This server will see increasing volume in the following directories:
- /var/log/: the various system logs.
- /var/lib/ipdiva/carerecord/recording/: archives currently being recorded; this is therefore a temporary storage directory.
- /var/lib/ipdiva/carerecord/archives/: default directory for the product's graphical archives.
- /var/ipdiva/care/sshrecord/: default directory for the product's non-graphical (SSH) archives.
Isolating these directories in separate partitions is not mandatory but recommended. You can follow these instructions:
| Mount point | Options | Minimum size (GB) |
|---|---|---|
| /boot | nosuid,nodev,noexec | 1 |
| /opt | nosuid,nodev | 1 |
| /tmp | nosuid,nodev | 4 |
| /srv | nosuid,nodev | 1 |
| /home | nosuid,nodev,noexec | 6 |
| /usr | nodev | 6 |
| /var | nosuid,nodev | 5 |
| /var/log | nosuid,nodev,noexec | 5 |
| /var/tmp | nosuid,nodev,noexec | 2 |
| swap | No option | Half the amount of RAM |
| / | No option | 2 or more, depending on the available disk space |
Example
For a server with 4 GB of RAM (which requires 2 GB of swap), the disk space required with the previous partitioning is a minimum of 35 GB.
However, it is strongly recommended to allocate more disk space to the /var mount point for temporary and long-term graphical archives, unless the archives are stored elsewhere.
HTML5 Gateway server
This server will see increasing volume in the following directories:
- /var/log/: the various system logs.
- /home/systanciahtml5share/: temporary storage for files exchanged with HTML5 applications.
Isolating these directories in separate partitions is not mandatory but recommended. You can follow these instructions:
| Mount point | Options | Minimum size (GB) |
|---|---|---|
| /boot | nosuid,nodev,noexec | 1 |
| /opt | nosuid,nodev | 1 |
| /tmp | nosuid,nodev | 4 |
| /srv | nosuid,nodev | 1 |
| /home | nosuid,nodev,noexec | 6 |
| /usr | nodev | 6 |
| /var | nosuid,nodev | 5 |
| /var/log | nosuid,nodev,noexec | 5 |
| /var/tmp | nosuid,nodev,noexec | 2 |
| swap | No option | Half the amount of RAM |
| / | No option | 2 or more, depending on the available disk space |
Example
For a server with 4 GB of RAM (which requires 2 GB of swap), the disk space required with the previous partitioning is a minimum of 35 GB.
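As an added example (not part of Systancia's documentation or of the product), the following Go program checks an fstab(5) file against the partitioning tables above and reports every listed mount point that is not a separate partition or is mounted without one of the required options. The policy map uses the stricter `/var` entry (nosuid,nodev) of the Edge Gateway and HTML5 Gateway tables; for a Mediation Controller, drop `nodev` from that entry. The embedded fstab is constructed for the example (volume group `vg0`, a made-up UUID): it deliberately leaves /srv on the root filesystem and omits `noexec` on /var/log, so both are reported. Pass the path of a real fstab as the first argument to check a machine.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// MountPolicy maps each hardened mount point of the partitioning table to the
// options it must carry (swap and / have no options and are not checked).
var MountPolicy = map[string][]string{
	"/boot":    {"nosuid", "nodev", "noexec"},
	"/opt":     {"nosuid", "nodev"},
	"/tmp":     {"nosuid", "nodev"},
	"/srv":     {"nosuid", "nodev"},
	"/home":    {"nosuid", "nodev", "noexec"},
	"/usr":     {"nodev"},
	"/var":     {"nosuid", "nodev"}, // the Mediation Controller table asks only for nosuid here
	"/var/log": {"nosuid", "nodev", "noexec"},
	"/var/tmp": {"nosuid", "nodev", "noexec"},
}

// CheckFstab parses fstab(5)-formatted text and reports, in sorted order, every
// policy mount point that has no entry of its own or lacks a required option.
func CheckFstab(fstab string, policy map[string][]string) []string {
	mounted := map[string]map[string]bool{}
	for _, line := range strings.Split(fstab, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line) // fs_spec fs_file fs_vfstype fs_mntops [fs_freq fs_passno]
		if len(f) < 4 {
			continue
		}
		opts := map[string]bool{}
		for _, o := range strings.Split(f[3], ",") {
			opts[o] = true
		}
		mounted[f[1]] = opts
	}
	points := make([]string, 0, len(policy))
	for mp := range policy {
		points = append(points, mp)
	}
	sort.Strings(points)
	var problems []string
	for _, mp := range points {
		opts, ok := mounted[mp]
		if !ok { // the directory silently inherits the options of its parent filesystem
			problems = append(problems, mp+": not a separate mount point")
			continue
		}
		for _, want := range policy[mp] {
			if !opts[want] {
				problems = append(problems, mp+": missing option "+want)
			}
		}
	}
	return problems
}

// SampleFstab is a constructed LVM layout for the example: /srv was not split out
// and /var/log lacks noexec, so both must be reported.
const SampleFstab = `# <file system>         <mount point> <type> <options>                    <dump> <pass>
/dev/mapper/vg0-root    /             ext4   errors=remount-ro            0      1
UUID=0123-4567          /boot         ext4   defaults,nosuid,nodev,noexec 0      2
/dev/mapper/vg0-usr     /usr          ext4   defaults,nodev               0      2
/dev/mapper/vg0-var     /var          ext4   defaults,nosuid,nodev        0      2
/dev/mapper/vg0-varlog  /var/log      ext4   defaults,nosuid,nodev        0      2
/dev/mapper/vg0-vartmp  /var/tmp      ext4   defaults,nosuid,nodev,noexec 0      2
/dev/mapper/vg0-tmp     /tmp          ext4   defaults,nosuid,nodev        0      2
/dev/mapper/vg0-home    /home         ext4   defaults,nosuid,nodev,noexec 0      2
/dev/mapper/vg0-opt     /opt          ext4   defaults,nosuid,nodev        0      2
/dev/mapper/vg0-swap    none          swap   sw                           0      0
`

func main() {
	text := SampleFstab
	if len(os.Args) > 1 { // pass /etc/fstab to check a real machine
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Println(err)
			os.Exit(1)
		}
		text = string(b)
	}
	for _, p := range CheckFstab(text, MountPolicy) {
		fmt.Println(p)
	}
}
```

Mount options only protect directories that really are separate mount points: a directory with no fstab entry of its own inherits the options of the filesystem it lives on, which is why the check reports absent entries as well as weak ones. The check reads the declared configuration; to verify what is actually mounted, compare with the output of `findmnt` on the running system.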
Network¶
A cyberelements Cleanroom Standalone platform requires:
- 2 IP addresses for the Mediation Controller server (carried by the same network interface)
- 1 IP address per Edge Gateway or HTML5 Gateway machine
The Mediation Controller server is usually placed in a DMZ, but it can also be placed in a private DMZ or hosted in a public cloud, depending on the platform's use case (for example, remote access for service providers, or securing internal access to protected zones).
Edge Gateway servers are usually placed in the LAN, in VLANs that allow them to reach the target resources.
HTML5 Gateway servers can be placed either in the LAN or in the DMZ. This documentation installs the HTML5 Gateway component on the Edge Gateway server, i.e., in the LAN.
To identify the different machine addresses, the documentation refers to them as follows:
| IP address name | Meaning |
|---|---|
| IP_MED_WEB | Primary IP address of the Mediation Controller server, which gives access to the web consoles. |
| IP_MED_SSL | Second IP address of the Mediation Controller server, used by the SSL Router component. |
| IP_GW | IP address of the Edge Gateway server. |
| IP_HTML5_GW | IP address of the HTML5 Gateway server. |
Information
The flow tables below assume that the Mediation Controller server is located in the DMZ and that the Edge Gateway server, which also carries the HTML5 Gateway role, is located in the LAN.
The IP addresses of the Mediation Controller can be either public IP addresses assigned directly to the Mediation Controller server, or public IP addresses NATed to private IP addresses on the server (recommended).
Flows from the WAN to the Mediation Controller server
| Source | Destination | Destination port | Comments |
|---|---|---|---|
| User workstation | IP_MED_WEB | TCP 443 (if using the standard port) | Access to the web consoles and to applications running directly in the browser. |
| User workstation | IP_MED_SSL | TCP 443 (if using the standard port) | Establishes the TLS tunnel that encrypts the traffic carried by the cyberelements Cleanroom client. |
| IP_GW | IP_MED_WEB | TCP 443 (if using the standard port) | When the Edge Gateway is located on a remote network: connection to the Edge Gateway pairing system. |
| IP_GW | IP_MED_SSL | TCP 443 (if using the standard port) | When the Edge Gateway is located on a remote network: connection to the SSL Router to establish a TLSv1.3 tunnel and route product communications through it. |
Flows from the Mediation Controller server to the WAN
| Source | Destination | Destination port | Comments |
|---|---|---|---|
| IP_MED_WEB | Debian repositories | TCP 80 | Required to install the cyberelements Cleanroom dependencies and keep the system up to date. The documentation and the virtual appliances use ftp.fr.debian.org and security.debian.org. |
| IP_MED_WEB | packages.microsoft.com | TCP 443 | Microsoft repository for installing and updating the MS SQL drivers. Only required if access to an MS SQL database is desired (the virtual appliances already include the MS SQL drivers). |
| IP_MED_WEB | NTP time server | UDP 123 | Optional if the server synchronizes its clock with an NTP server in the DMZ instead. By default, the Debian pools are used: 0.debian.pool.ntp.org, 1.debian.pool.ntp.org, 2.debian.pool.ntp.org and 3.debian.pool.ntp.org. |
| IP_MED_WEB | SMTP server | TCP 25, 465, 587 | Required if an SMTP server located in the WAN is used to send emails. |
| IP_MED_WEB | DNS server | UDP 53 | Required for DNS resolution. The server can be located in the WAN or in the DMZ. |
| IP_MED_WEB | api.neomia.ai | TCP 443 | (Optional) Connection to the APIs of the Neomia Pulse behavioral biometric MFA product. |
| IP_MED_WEB | keepersecurity.eu (EU), keepersecurity.com (US), keepersecurity.com.au (AU), keepersecurity.ca (CA), keepersecurity.jp (JP) | TCP 443 | (Optional) Connection to the Keeper EPM vault, depending on its region. |
Flows from the Mediation Controller server to the DMZ
| Source | Destination | Destination port | Comments |
|---|---|---|---|
| IP_MED_WEB | NTP time server | UDP 123 | If the server synchronizes its clock with an NTP server in the DMZ. |
| IP_MED_WEB | SMTP server | TCP 25, 465, 587 | Required if an SMTP server located in the DMZ is used to send emails. |
| IP_MED_WEB | Database server | TCP 1433, 5432, or any other custom port | Required if you want to use an external database located in the DMZ. |
| IP_MED_WEB | DNS server | UDP 53 | Required for DNS resolution. The server can be located in the DMZ or in the WAN. |
Flows from the Edge Gateway server to the WAN
| Source | Destination | Destination port | Comments |
|---|---|---|---|
| IP_GW | Debian repositories | TCP 80 | Required to install the cyberelements Cleanroom dependencies and keep the system up to date. The documentation and the virtual appliances use ftp.fr.debian.org and security.debian.org. |
| IP_GW | DNS server | UDP 53 | Required for DNS resolution. Optional if a DNS server is available in the LAN or DMZ. |
| IP_GW | NTP time server | UDP 123 | Optional if the server synchronizes its clock with an NTP server in the LAN or DMZ instead. By default, the Debian pools are used: 0.debian.pool.ntp.org, 1.debian.pool.ntp.org, 2.debian.pool.ntp.org and 3.debian.pool.ntp.org. |
| IP_GW | SMS provider | TCP 443 | (Optional) Connection to the APIs of the SMS providers supported by cyberelements Cleanroom. |
Flows from the LAN to the Mediation Controller server
| Source(s) | Destination(s) | Destination port | Comments |
|---|---|---|---|
| IP_GW, IP_HTML5_GW | IP_MED_WEB | TCP 443 (if using the standard port) | Connection to the Edge Gateway pairing system. |
| IP_GW, IP_HTML5_GW | IP_MED_SSL | TCP 443 (if using the standard port) | Connection to the SSL Router to establish a TLSv1.3 tunnel and route product communications through it. |
| Client workstation | IP_MED_WEB | TCP 443 (if using the standard port) | Connection to the product's various web consoles. |
| Client workstation | IP_MED_SSL | TCP 443 (if using the standard port) | Establishes the TLS tunnel that encrypts the traffic carried by the cyberelements Cleanroom client. |
| Administrator workstation | IP_MED_WEB | TCP 22 | SSH connection to the Mediation Controller server. |
Flows within the LAN, to and from the Edge Gateway server
| Source | Destination | Destination port | Comments |
|---|---|---|---|
| IP_GW | DNS server | UDP 53 | Required for DNS resolution. Optional if a DNS server in the WAN or DMZ is used instead. |
| IP_GW | LDAP or AD servers | TCP 389 or 636 | Connection from cyberelements Cleanroom to an LDAP or AD server. |
| IP_GW | AD servers | TCP 139 and 445 | AD account password rotation; used only if rotation over LDAPS is not possible. |
| IP_GW | RDP servers | TCP/UDP 3389 (if using the standard port) | Connection from cyberelements Cleanroom to RDP servers. |
| IP_GW | SSH servers | TCP 22 (if using the standard port) | Connection from cyberelements Cleanroom to SSH servers. |
| IP_GW | VNC servers | TCP 5900 (if using the standard port) | Connection from cyberelements Cleanroom to VNC servers. |
| IP_GW | Web servers | TCP 80 or 443 (if using the standard port) | Connection from cyberelements Cleanroom to web servers. |
| IP_GW | Citrix StoreFront servers | TCP 443 (if using the standard port) | Connection from cyberelements Cleanroom to Citrix StoreFront servers. |
| IP_GW | Citrix application servers | TCP 1494 | Connection from cyberelements Cleanroom to Citrix application servers (launching an application or desktop with the ICA client). |
| IP_GW | File servers | TCP 139 and 445 | Connection from cyberelements Cleanroom to file servers. |
| IP_GW | Database server | TCP 1433, 5432, or any other custom port | Required if you want to use an external database located in the LAN (for example, to relocate the Vault database). |
| IP_GW | RDP servers | TCP 139 and 445 | Deployment of the recording agent from the administration console. |
| Client workstation | IP_GW | TCP [port defined by the administrator] | Direct SSH access connection. |
| Client workstation | IP_GW | TCP 3389 | Direct RDP access connection. |
| RDP servers | IP_GW | TCP 8443 | Connection from the recording agent to the Edge Gateway to upload the user session recording. |
| Administrator workstation | IP_GW | TCP 22 | SSH connection to the Edge Gateway server. |
Database¶
cyberelements Cleanroom uses several databases (DB) for its operation:
- System configuration database: stores all the settings of the /systemadministration interface. In a standalone installation, this database is created and managed directly by the product on a PostgreSQL server installed on the Mediation Controller server.
- Organization configuration database: each organization created on the Mediation Controller server requires its own DB holding all the organization's settings and logs. This database is usually hosted in the local PostgreSQL instance of the Mediation Controller server, but it can also be moved to the DMZ or the LAN.
- Vault database: each organization created also triggers the creation of a dedicated DB for the product vault, stored by default on the Mediation Controller server. This database can be moved to the LAN, provided that an Edge Gateway can reach it.
When external databases are used, the supported database types are:
- PostgreSQL version 15
- Microsoft SQL Server, in the versions still under Microsoft support (excluding extended support)
License¶
The Mediation Controller server requires a license to function.
The license can be obtained from Systancia using the following license request form: Request a license
Certificates¶
cyberelements Cleanroom uses TLS for its internal communications and HTTPS to secure web access, which requires several X.509 certificates. The information below summarizes the certificates required, their purpose and their minimum settings.
Certificate security constraint
Whatever the certificate, make sure it complies with OpenSSL security level 2, which can be summarized as follows:
- The certificate and the certificates of its certification authorities must use keys of at least 2048 bits for RSA, DSA and DH, and at least 224 bits for elliptic curve (ECC) keys.
- The certificate signature must not use MD5 or SHA-1 (SHA-512 is preferred).
The Mediation Controller server uses four certificates:
- A web certificate to enable HTTPS.
- A certificate for the SSL Router component responsible for setting up TLS tunnels and routing traffic between them.
- A certificate for the Watchdog component responsible for monitoring the proper functioning of the SSL Router.
- A certificate for the cyberelements Cleanroom client to enable it to connect to the SSL router and establish a TLSv1.3 tunnel.
Web certificate
Recommendation
The web certificate should preferably be issued by a public Certification Authority (CA) that is widely trusted.
Users will then receive no certificate warning without any additional action, provided that the certificate is valid and covers the name with which the user initiated the connection. A certificate issued by an internal PKI requires the CA certificate to be deployed on the user workstations.
The web certificate must comply with the following constraints on its attributes:
- The validity period must not exceed 398 days (13 months).
- The hash function used for the signature must belong to the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must use keys of at least 2048 bits for RSA, DSA and DH, and at least 224 bits for elliptic curve (ECC) keys. We recommend 4096 bits for RSA, or the 384-bit `secp384r1` curve for ECDSA.
- The `Common Name` attribute must be the DNS name (or wildcard) for which the certificate is intended.
- The `Key Usage` attribute must be marked `critical` and contain `digitalSignature` and `keyEncipherment`.
- The `Extended Key Usage` attribute must contain `id-kp-serverAuth` (OpenSSL calls it `serverAuth`).
- The `Subject Alternative Name` attribute must contain at least one entry for the primary DNS name; other entries may be added to cover additional DNS names or IP addresses.
Note that RFC 5480 forbids the `keyEncipherment` bit on elliptic curve keys, so a CA-issued ECDSA certificate normally carries `digitalSignature` only; if `keyEncipherment` is needed exactly as listed above, use an RSA key.
Accepted certificate formats: P12, or PEM as two files (one for the certificate and one for the private key).
SSL router certificate
The SSL Router certificate must comply with the following constraints on its attributes:
- The validity period must not exceed 1095 days (3 years).
- The hash function used for the signature must belong to the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must use keys of at least 2048 bits for RSA, DSA and DH, and at least 224 bits for elliptic curve (ECC) keys. We recommend 4096 bits for RSA, or the 384-bit `secp384r1` curve for ECDSA.
- The `Common Name` attribute must be the IP address, or a DNS name resolving to `IP_MED_SSL`.
- The `Key Usage` attribute must be marked `critical` and contain `digitalSignature` and `keyEncipherment`.
- The `Extended Key Usage` attribute must contain `serverAuth`.
Accepted certificate format: P12.
Watchdog certificate
The Watchdog certificate must comply with the following constraints on its attributes:
- The validity period must not exceed 1095 days (3 years).
- The hash function used for the signature must belong to the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must use keys of at least 2048 bits for RSA, DSA and DH, and at least 224 bits for elliptic curve (ECC) keys. We recommend 4096 bits for RSA, or the 384-bit `secp384r1` curve for ECDSA.
- The `Common Name` attribute must be a name identifying the Watchdog, for example “Watchdog”.
- The `Key Usage` attribute must be marked `critical` and contain `digitalSignature`.
- The `Extended Key Usage` attribute must contain `clientAuth`.
Accepted certificate format: P12.
cyberelements Cleanroom client certificate
The cyberelements Cleanroom client certificate must comply with the following constraints on its attributes:
- The validity period must not exceed 1095 days (3 years).
- The hash function used for the signature must belong to the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must use keys of at least 2048 bits for RSA, DSA and DH, and at least 224 bits for elliptic curve (ECC) keys. We recommend 4096 bits for RSA, or the 384-bit `secp384r1` curve for ECDSA.
- The `Common Name` attribute must be a name identifying the client, for example “cyberelements-cleanroom-client”.
- The `Key Usage` attribute must be marked `critical` and contain `digitalSignature`.
- The `Extended Key Usage` attribute must contain `clientAuth`.
Accepted certificate format: P12, protected by a password of at least 8 alphanumeric characters (special characters, accented letters and hyphens are not supported).
The Edge Gateway server uses two certificates:
- A certificate for authenticating the Edge Gateway component to the SSL Router.
- A certificate for the recording service, so that recording agents can connect to it.
Information
An Edge Gateway server can host multiple Edge Gateway instances, requiring as many certificates as there are instances (except in the specific case of a cluster architecture).
However, an Edge Gateway server has only one recording service, so only one recording service certificate per machine is required.
Edge Gateway Certificate
The Edge Gateway certificate must comply with the following constraints on its attributes:
- The validity period must not exceed 1095 days (3 years).
- The hash function used for the signature must belong to the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must use keys of at least 2048 bits for RSA, DSA and DH, and at least 224 bits for elliptic curve (ECC) keys. We recommend 4096 bits for RSA, or the 384-bit `secp384r1` curve for ECDSA.
- The `Common Name` attribute must identify the logical Edge Gateway. It takes the form `<GW_NAME>@<ORGANIZATION_NAME>`, where `<GW_NAME>` is the name of the Edge Gateway (as entered in the administration console) and `<ORGANIZATION_NAME>` is the name of the organization to which the Edge Gateway will connect.
- The `Key Usage` attribute must be marked `critical` and contain `digitalSignature`.
- The `Extended Key Usage` attribute must contain `clientAuth`.
Accepted certificate format: P12.
Recording service certificate
The recording service certificate must comply with the following constraints on its attributes:
- The validity period must not exceed 1095 days (3 years).
- The hash function used for the signature must belong to the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must use keys of at least 2048 bits for RSA, DSA and DH, and at least 224 bits for elliptic curve (ECC) keys. We recommend 4096 bits for RSA, or the 384-bit `secp384r1` curve for ECDSA.
- The `Common Name` attribute must be the FQDN, or at least the host name, of the Edge Gateway machine.
- The `Key Usage` attribute must be marked `critical` and contain `digitalSignature` and `keyEncipherment`.
- The `Extended Key Usage` attribute must contain `serverAuth`.
Accepted certificate format: P12.
The HTML5 Gateway server uses a single certificate: the one authenticating the HTML5 Gateway component to the SSL Router.
Information
An HTML5 Gateway server can have multiple instances of HTML5 Gateways, requiring as many certificates as there are instances of HTML5 Gateways (except in the specific case of cluster architecture).
HTML5 Gateway certificate
The HTML5 Gateway certificate must comply with the following constraints on its attributes:
- The validity period must not exceed 1095 days (3 years).
- The hash function used for the signature must belong to the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must use keys of at least 2048 bits for RSA, DSA and DH, and at least 224 bits for elliptic curve (ECC) keys. We recommend 4096 bits for RSA, or the 384-bit `secp384r1` curve for ECDSA.
- The `Common Name` attribute must identify the logical HTML5 Gateway. It takes the form `<HTML5_GW_NAME>@<ORGANIZATION_NAME>`, where `<HTML5_GW_NAME>` is the name of the HTML5 Gateway (as entered in the administration console) and `<ORGANIZATION_NAME>` is the name of the organization to which the HTML5 Gateway will connect.
- The `Key Usage` attribute must be marked `critical` and contain `digitalSignature`.
- The `Extended Key Usage` attribute must contain `clientAuth`.
Accepted certificate format: P12.
Direct recording agent certificate
For direct access, the direct recording agent uses a certificate to authenticate itself to the recording service of an Edge Gateway.
The certificate must comply with the following constraints on its attributes:
- The validity period must not exceed 1095 days (3 years).
- The hash function used for the signature must belong to the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must use keys of at least 2048 bits for RSA, DSA and DH, and at least 224 bits for elliptic curve (ECC) keys. We recommend 4096 bits for RSA, or the 384-bit `secp384r1` curve for ECDSA.
- The `Common Name` attribute must be the short name, the FQDN, or any other name that uniquely identifies the machine. This name is used to identify and trace the actions performed on the machine.
- The `Key Usage` attribute must be marked `critical` and contain `digitalSignature`.
- The `Extended Key Usage` attribute must contain `clientAuth`.
Accepted certificate format: P12.
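As an added example (not code from Systancia or from the product), the following Go program encodes the attribute constraints of the certificate sections above as profiles and checks a parsed X.509 certificate against them: validity period, SHA-2 signature, key size, critical Key Usage bits, Extended Key Usage, Subject Alternative Name and Common Name form. Two profiles are written out, the web certificate and the Edge Gateway certificate; the SSL Router, Watchdog, client, recording service, HTML5 Gateway and direct recording agent certificates differ from these only in the validity, key usage, EKU and naming parameters and fit the same struct. So that it runs offline, the program generates self-signed RSA test certificates with Go's standard library; the host name `access.example.com` and the gateway names `gw-paris` and `gw-paris@acme` are made up for the example. In production you would load the certificate issued by your CA with `x509.ParseCertificate` and run the same checks before installing it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Profile holds the attribute constraints for one certificate type.
type Profile struct {
	MaxDays     int              // maximum validity period in days
	KeyUsage    x509.KeyUsage    // bits that must all be set; the extension must be critical
	ExtKeyUsage x509.ExtKeyUsage // Extended Key Usage that must be present
	NeedSAN     bool             // at least one Subject Alternative Name entry required
	CNPattern   *regexp.Regexp   // nil means the Common Name is not constrained
}

var (
	// Web certificate: 398 days, critical digitalSignature+keyEncipherment, serverAuth, SAN.
	WebProfile = Profile{398, x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		x509.ExtKeyUsageServerAuth, true, nil}
	// Edge Gateway certificate: 1095 days, critical digitalSignature, clientAuth,
	// Common Name of the form <GW_NAME>@<ORGANIZATION_NAME>.
	EdgeGatewayProfile = Profile{1095, x509.KeyUsageDigitalSignature,
		x509.ExtKeyUsageClientAuth, false, regexp.MustCompile(`^[^@\s]+@[^@\s]+$`)}
	oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}
)

// Check returns one message per violated constraint; nil means compliant.
func (p Profile) Check(c *x509.Certificate) []string {
	var v []string
	if days := c.NotAfter.Sub(c.NotBefore).Hours() / 24; days > float64(p.MaxDays) {
		v = append(v, fmt.Sprintf("validity of %.0f days exceeds %d days", days, p.MaxDays))
	}
	switch c.SignatureAlgorithm { // SHA-2 family only: no MD5, no SHA-1
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
	default:
		v = append(v, "signature hash is not SHA-2: "+c.SignatureAlgorithm.String())
	}
	// Security level 2 minimum for RSA; an EC key would need the analogous 224-bit check.
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		v = append(v, fmt.Sprintf("RSA key of %d bits is below 2048", k.N.BitLen()))
	}
	if c.KeyUsage&p.KeyUsage != p.KeyUsage {
		v = append(v, "Key Usage lacks a required bit")
	}
	critical, hasEKU := false, false
	for _, e := range c.Extensions {
		critical = critical || (e.Id.Equal(oidKeyUsage) && e.Critical)
	}
	for _, u := range c.ExtKeyUsage {
		hasEKU = hasEKU || u == p.ExtKeyUsage
	}
	if !critical {
		v = append(v, "Key Usage extension is absent or not critical")
	}
	if !hasEKU {
		v = append(v, "required Extended Key Usage is missing")
	}
	if p.NeedSAN && len(c.DNSNames)+len(c.IPAddresses) == 0 {
		v = append(v, "no Subject Alternative Name entry")
	}
	if p.CNPattern != nil && !p.CNPattern.MatchString(c.Subject.CommonName) {
		v = append(v, "Common Name "+c.Subject.CommonName+" does not have the expected form")
	}
	return v
}

// SelfSigned builds a self-signed RSA test certificate shaped by the profile
// (test material for this example; production certificates come from your CA).
func SelfSigned(p Profile, cn string, sans []string, days, bits int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: now, NotAfter: now.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage: p.KeyUsage, ExtKeyUsage: []x509.ExtKeyUsage{p.ExtKeyUsage},
		SignatureAlgorithm: x509.SHA512WithRSA, // Go marks the Key Usage extension critical
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() { // 2048-bit keys keep the demo fast; the prerequisites recommend 4096 in production
	web, _ := SelfSigned(WebProfile, "access.example.com", []string{"access.example.com"}, 397, 2048)
	gw, _ := SelfSigned(EdgeGatewayProfile, "gw-paris", nil, 1095, 2048) // CN lacks @<ORGANIZATION_NAME>
	fmt.Println(WebProfile.Check(web), EdgeGatewayProfile.Check(gw))
}
```

The key-size rule applies to every certificate of the chain, so run `Check` on each CA certificate as well as on the leaf. The check covers the attributes listed in the prerequisites only; it does not validate the chain or the trust anchor, which the web browser and the product do at connection time.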