# Getting Started with IBM Cloud

##### last updated April 29, 2022

## Why IBM Cloud?

IBM cloud services are a collection of more than 170 products and cloud computing services deployed around the world. This includes compute and storage services that Access Anywhere supports.

## Overview

This Getting Started with IBM Cloud guide provides step-by-step instructions for deploying your own Access Anywhere platform on the IBM Cloud.

### Features

Access Anywhere indexes your storage and lets you interact with it as a single global file system. You can add IBM Object Storage and other object and file storage services. The content of your data is not copied.

Features of Access Anywhere include:

* Search across storage by name, metadata, and keyword (content search)
* Remote and at-home users can access from the desktop apps or the web
* Data is accessed and stored in native format - no vendor lock-in
* Add security to object storage with SSO, ACLs, and 2FA
* Comprehensive audit trail

## Architecture

#### Single VM Deployment

For evaluation and small to mid-size production environments, the Access Anywhere™ solution is typically deployed as a single virtual machine. The virtual machine includes all components needed, including the application and database containers.

#### Multiple VM Deployment

The Access Anywhere solution may also be deployed for High Availability with multiple virtual machines and a separate database. Please contact us for more information on setting up HA deployments on the IBM Cloud platform. For production deployments see also [[sizingguide]].

## Requirements

You will need the following information before you can complete the setup on IBM Cloud:

* A domain name (recommended)
* Serial number and Auth Code (required)
* Root password (from trial email)
* OpenStack machine image in qcow2 format
* Outbound mail relay information (recommended)
* Access to IBM Object Storage
* An Active Directory service account if you are connecting to AD (optional)

## Launch an Instance

To launch a virtual server you will first create a "custom image" through the [[https://cloud.ibm.com/|IBM Cloud]].

### Create Custom Image

The first step is to upload the virtual machine image to IBM Cloud Storage. To enable access to cloud object storage and create a bucket see [[https://cloud.ibm.com/docs/cloud-object-storage|Getting started with IBM Cloud Object Storage]].

Upload the qcow2 image to your bucket. For information on uploading large files see [[https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-upload|IBM Cloud Docs - Object Storage - Upload data]].

The Access Anywhere qcow2 image is provided in a format that supports creating an [[https://cloud.ibm.com/docs/vpc?topic=vpc-create-linux-custom-image|IBM Cloud Linux custom image]].

### Create Service Authorization

You need to create a service authorization to grant the VPC Infrastructure permission to import the object as a custom image. Do not follow the IBM Cloud documentation on [[https://cloud.ibm.com/docs/vpc?topic=vpc-object-storage-prereq|Granting access to IBM Cloud Object Storage to import images]] as it currently doesn't include the easier user interface option explained below.

From within the IBM Cloud console navigate via the top menu to **Manage > Access (IAM)**. From the left-hand menu select Access management > **Authorizations**. Select "**Create**" to bring up the page to "Grant a service authorization".

* Source service: Select "VPC Infrastructure Services"
* Scope: Select "Resources based on selected attributes"
* Add attributes: Select "Resource type" and "Image Service for VPC"
* Target service: Select "Cloud Object Storage"
* Service access: Select "All resources"

Select "Authorize" to create the grant record.
### Import Custom Image

You will import the virtual machine image that's in your bucket as a custom image into the region where you will be deploying the Access Anywhere appliance.

From the IBM Cloud console, navigate via the main Menu icon to **VPC Infrastructure > Compute > Custom Images**. Set the Region dropdown to your desired location to see your current images. Select **Create** to bring up the "Custom image for VPC" page.

* Location - Choose the location you'll be using for the Access Anywhere appliance
* Name - Enter a name such as filefabric-2106-05
* Source - Choose "Cloud Object Storage" and enter the location and name of your bucket
* Name - Select the virtual machine image from the bucket objects listed
* Operating system - Choose "Centos" and "centos-7-amd64"

Once the page is completed you'll be able to select "Create custom image" to continue.

For more information on this step see [[https://cloud.ibm.com/docs/vpc?topic=vpc-managing-images|IBM Cloud - Importing and managing custom images]].

### Create a Virtual Server Instance

You will create a virtual server from the custom image you just imported.

From the IBM Cloud console, navigate via the main Menu icon to **VPC Infrastructure > Compute > Virtual server instances**. Set the Region dropdown to your desired location to see your current instances. Select **Create** to bring up the "Virtual server for VPC" page.

Fill in the following fields:

* **Architecture** - Choose "Intel"
* **Hosting type** - Choose either option
* **Location** - Select the desired data center and zone
* **Name** - Enter a name such as "filefabric"
* **Image > Operating system** - From the dropdown select "custom image"
* **Select custom image** - Select the image you just imported and choose "Select" at the bottom of the dialog
* **Profile** - Select **View all profiles** and choose a profile with at least 32 GB RAM and 8 vCPUs. Select "Save" to continue. For more information on sizing see [[/sizingguide]].
* **SSH keys** - Choose at least one existing SSH key or select "Create key" to register an existing SSH key with IBM Cloud. For more information see [[https://cloud.ibm.com/docs/vpc?topic=vpc-ssh-keys|IBM Docs - SSH Keys]]
* **Networking** - Choose an existing virtual private cloud or create one with "Create VPC". Make sure you "Allow SSH".

Once you have entered the required information you'll be able to select "Create virtual server".

### Assign Floating IP

A floating IP address allows the virtual server instance to be reachable from the internet. You can reserve and bind floating IPs under **VPC Infrastructure > Network > Floating IPs**. Choose "Reserve" to create and bind an IP address to your server instance. You'll also provide a name such as "filefabric-ip".

### SSH Access

The instance can now be accessed at the floating IP address using a standalone SSH client. The username is **smeconfiguser** and you will use the SSH private key. For example:

```
ssh -i ~/.ssh/id_rsa smeconfiguser@169.47.93.111
```

Check that you can become root. The root password can be found in the trial email.

```
su -
```

This will be required to complete the configuration.

### Change Passwords

For security, change the password for root.

```
passwd
```

## Configure Public Endpoint

External applications access Access Anywhere through a public endpoint, a fully qualified domain name (FQDN) that resolves to a static public IP address, the Floating IP address you assigned. The FQDN needs to be associated with or routed to the virtual appliance, SSL certificates applied or generated, and ports opened if needed.

#### SSL Configuration (Recommended)

The appliance is configured, by default, with DHCP and a self-generated untrusted SSL certificate. In order to use the web, desktop, and mobile apps over SSL you will need a trusted SSL certificate associated with the fully qualified domain name.

#### Disabling SSL (Not Recommended)

If you do NOT wish to use SSL for the trial you can disable it.

1. Log in as the Appliance Administrator as per the instructions below.
2. Navigate to Settings > Site Functionality.
3. Set Always use HTTPS to No.
4. Set Generate secure server-side links to No.
5. Select *Update options* at the bottom of the page.

#### Create DNS entries

Access Anywhere uses name-based virtual hosts to provide multiple protocols on the same ports. For single VM installations, the first domain name is typically the name of the host.

Choose three fully qualified domain names (FQDNs). For example:

* **files**.example.com - Domain name (service endpoint and website)
* **files-webdav**.example.com - used for WebDAV service
* **files-s3**.example.com - used for S3 service

Add DNS type A records that point these domain names to the Floating IP address. For example,

^ Type ^ Name ^ Value ^
| A | files | 54.194.216.200 |
| A | files-webdav | 54.194.216.200 |
| A | files-s3 | 54.194.216.200 |

Verify that the public DNS records are set up correctly:

```
curl -Lk http://files.example.com | head
curl -Lk http://files-webdav.example.com | head
curl -Lk http://files-s3.example.com | head
```

These commands should resolve the domain name, connect to port 80, get redirected to port 443 and return (part of) the web login page:

```
Home | NAA Appliance
```

#### Start NAAConfig Server

If you are logged in as root, leave root privilege:

```
[root@files smeconfiguser]# exit
```

As the smeconfiguser, start the configuration server by typing **smeconfigserver**. You should see a confirmation that the config server is running:

```
[smeconfiguser@files ~]$ smeconfigserver
Please contact me with a browser on port 8080
Hit Ctrl+C when work is done
```

Now open your browser to: http://:8080

#### Configure Hostname Settings

Here you only need to configure the three domain names. Click "**Configuration**" and then "**NAAServer Hostname Settings**".

{{ :aws-gettingstarted:server-hostname-settings.png?nolink&600 |}}

After saving, go to the "Overview" page and scroll down to the bottom to "Apply".
No other changes are required for the appliance.

{{ :azure-gettingstarted:apply-changes.png?500 |}}

Follow the prompts on the page to reboot the appliance. If you are not doing this immediately, stop the Config Server by typing Control-C in the terminal window.

{{ :azure-gettingstarted:reboot-server.png?nolink&400 |}}

#### Create SSL Certificates

This section creates and configures SSL certificates from Let's Encrypt. If you are using your own certificates (or a different service) you can use the smeconfigserver service above to add certificates.

Log back into the rebooted appliance.

```
ssh smeconfiguser@files.example.com
```

Log in as the root user.

```
su -
```

Run the following command:

```
certbot --no-redirect --authenticator standalone --installer apache --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"
```

Note: The appliance will be inaccessible during the request, which may take up to a minute.

This command will prompt for an email address. It's important to give this information so that an admin can be notified in the future if there are issues automatically renewing the certificate. Please also agree to the Terms of Service. It is not necessary to share the provided email with the Electronic Frontier Foundation.

Certbot will automatically detect which FQDNs are set up for Access Anywhere and prompt for which should be included in the certificate.

```
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: files.example.com
2: files-s3.example.com
3: files-webdav.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
```

After successful completion, Access Anywhere will automatically start using the new certificates. These certificates will last for 90 days, so the final step is to set up automated renewal.
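The A records from the "Create DNS entries" step and the certificate just issued can be checked together from any machine that can reach the appliance. The script below is an added example and is not part of the Access Anywhere documentation; FLOATING_IP (a TEST-NET-3 address), the example.com names and the file name check_endpoint.sh are placeholders, and it assumes curl, openssl, getent and GNU date are available.

```shell
#!/bin/sh
# Added example, not from the Access Anywhere docs: verify the public endpoint
# once the A records and the Let's Encrypt certificate are in place.
# FLOATING_IP (TEST-NET-3) and the example.com names are constructed placeholders.
# Needs curl, openssl, getent and GNU date (all present on the CentOS 7 appliance).
FLOATING_IP="${FLOATING_IP:-203.0.113.10}"
NAMES="${NAMES:-files.example.com files-webdav.example.com files-s3.example.com}"
MIN_DAYS="${MIN_DAYS:-30}"   # certbot renews within 30 days of expiry; flag anything below

# is_https_url URL -> 0 if URL begins with https://
is_https_url() { case "$1" in https://*) return 0 ;; *) return 1 ;; esac; }
# resolve_a NAME -> IPv4 addresses NAME resolves to, one per line (empty if none)
resolve_a() { getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u; }
# check_dns NAME IP -> 0 only if NAME resolves to exactly the single address IP
check_dns() { [ "$(resolve_a "$1")" = "$2" ]; }

# check_redirect NAME -> 0 if http://NAME/ answers with a redirect to an https:// URL
check_redirect() {
    loc=$(curl -s -o /dev/null --max-time 10 -w '%{redirect_url}' "http://$1/")
    is_https_url "$loc"
}
# served_cert NAME -> TLS handshake output holding the certificate presented on NAME:443.
# -servername sends SNI, which matters because the appliance uses name-based virtual hosts.
served_cert() { echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null; }
# cert_covers NAME -> 0 if the served certificate lists NAME as a subject alternative name
cert_covers() { served_cert "$1" | openssl x509 -noout -text 2>/dev/null | grep -Eq "DNS:$1(,|$)"; }
# cert_days_left NAME -> prints whole days until the served certificate expires
cert_days_left() {
    end=$(served_cert "$1" | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
    [ -n "$end" ] || return 1
    end_s=$(date -d "$end" +%s) || return 1
    echo $(( (end_s - $(date +%s)) / 86400 ))
}

# check_all -> runs every check for every name; exit status is non-zero if any failed
check_all() {
    rc=0
    for n in $NAMES; do
        check_dns "$n" "$FLOATING_IP" && echo "ok   dns      $n" || { echo "FAIL dns      $n"; rc=1; }
        check_redirect "$n"           && echo "ok   redirect $n" || { echo "FAIL redirect $n"; rc=1; }
        cert_covers "$n"              && echo "ok   san      $n" || { echo "FAIL san      $n"; rc=1; }
        d=$(cert_days_left "$n") && [ "$d" -ge "$MIN_DAYS" ] && echo "ok   expiry   $n ($d days)" \
            || { echo "FAIL expiry   $n (${d:-?} days)"; rc=1; }
    done
    return $rc
}
# Only run when executed as check_endpoint.sh, so the functions can also be sourced.
case "${0##*/}" in check_endpoint.sh) check_all ;; esac
```

A FAIL in the san row means that name was not selected when certbot prompted, and an expiry count that keeps dropping below 30 days means the renewal cron job is not completing.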
#### Automatic Certificate Renewal

A Let's Encrypt certificate is valid for 90 days and can be automatically renewed within 30 days of expiration. A simple cron job will run daily and handle renewals.

Please Note: Access Anywhere will be inaccessible during the renewal. Please ensure that the renewal time is during off hours. Downtime will only occur every 60 days when a renewal is required and may last up to one minute.

While still logged in as root, run the following command to add a cron job.

```
crontab -e
```

In the example below the renewal attempt will process at 2:30 AM. Access Anywhere ships with the timezone set to UTC. You can set the cron job to run at the time of your choosing, but do not change Access Anywhere's timezone.

```
30 2 * * * /bin/certbot renew >> /var/log/letsencrypt/le-renew.log
```

This will create a crontab entry for a cron job that will handle the renewals and write its output to a log file.

You can use https://www.ssllabs.com/ to test the certificate after updating it, as well as the server's SSL configuration.

## Configure Appliance

Open a browser to the domain name you assigned:

```
https://files.example.com
```

If you haven't set a domain name, use your external IP address:

```
https://3.234.139.146
```

You'll see the following login page:

{{ :azure-gettingstarted:azure-fabric-login.png?nolink&300 |}}

Log into the appliance as appladmin with the password from your trial license:

```
User name: appladmin
Password: appladminpassword
```

### Change Admin Password (Recommended)

Select "Password/Login" from the Main Menu to change the Appliance Administrator password. After you select "Update password" you will be logged out and need to log back in.

### License Key

Configure your license key under **Settings > License Key**. A trial key can be requested from https://www.storagemadeeasy.com/appform/.

### Outbound Email (Recommended)

An SMTP server is used by the appliance to send registration and notification emails to users.
A daily report and error notices are also emailed to the "Notification Email". See [[server/smtp_configuration]].

If you do not initially configure an email server, remember not to use email notifications when adding users.

### Change Appliance Admin Email

With an SMTP server configured you can change the email of the Appliance Admin, which will require a confirmation email. Go to the main menu (Hamburger icon) to Password/Login to change the Account Email. You can also set up Two Factor Authentication (2FA) for the Appliance Admin from this screen.

### Server Notification Email

Server errors and a daily report are sent to a notification email that must be configured by the Appliance Administrator. The default is not to email reports. The "Notification Email" setting is on the "SMTP and Filebox Configuration" page, which can be found via the menu "Email and Filebox".

## Create an Organization

An //organization// is a tenant within the appliance and is created by the Appliance Administrator.

### Review User Package

The Access Anywhere platform uses templates for organizations. To create an organization we need to pick a template, so first let's review one.

Login as the Appliance Administrator. Click "User Packages" and then click the pencil to modify "Organisation Cloud 20 Users". This is a good template to start from.

Scroll down to the "Extra options" section and add "Content Search Enabled" and Dropfolders. Use "Ctrl-Click" to add to the selection.

### Create Organization

Login as the Appliance Administrator. In the hamburger menu, select "Users" and then "Add a User". On the Add a User screen create your Organization admin user. (This will also be your organization.)

1. User Login: The Organization short name and superuser's username. We recommend the domain name of your company such as "smestorage.com".
2. E-mail: Email address of the organizational admin; must be unique to the system, do not use your own.
3. Password:
4. Name (Company Name): Full organization name.
5. Package: The user package template from earlier.
6. We do not need to split the license between organizations, so leave the last field empty.

Click Save.

{{ :server:applinstallv1901:image014.png?nolink&400 |}}

## Add Storage

Log out as the appladmin user, and log back in as the user you just created. You will first see the "Add Storage Provider" screen. You have to add storage before you can continue the setup.

The first storage added is the "default storage" used for internal files such as generated image thumbnails. The default storage can be changed in the future.

Select Open S3 - S3 Compatible Cloud and follow the instructions on the next couple of screens. Find the endpoint for your region under **Cloud Object Storage > Endpoints**. If you have buckets in different regions you can create multiple storage providers. See [[cloudproviders:s3compatible]] for more information.

{{ :exoscale-gettingstarted:exoscale-opens3-addprovider.png?700 |}}

## Single Sign-On (Optional)

An authentication provider can be added to allow users to log in using their corporate credentials. See [[iam#authentication_services|Authentication Services]] for more information.

## Next Steps

Once this is complete you can:

* [[admin/usermanagement|Add users]]

For more information see [[index|]]