Server Configuration¶
This section covers the information needed to log in to the running NIM VM server and configure the network and server connections.
Login Credentials¶
After starting the NIM VM you will be presented with the NIM prompt.
Enter the username: nim
The default password is: password
You may change the default user password using the following command:
passwd
The default root password is: password
You may change the default root password using the following command:
sudo passwd
Networking¶
NIM needs a static IP address to be accessible on your network. You must change the default settings to reflect your network settings. Please check with your network administrator to obtain a static IP range, default subnet, gateway, and DNS server information.
Setup Network Script¶
For easy network configuration, use the nim-setup-network script to configure the VM network settings.
At the NIM server prompt enter:
sudo /home/nim/nim-setup-network
IMPORTANT - Be sure that the IP Address you select is unique on your network and is outside any available DHCP range.
In a typical configuration the Subnet Mask, Gateway, and DNS Servers will match those of the host computer.
Leaving a field blank and pressing enter will reset the entry to its default value.
You will be prompted to enter the following information:
IP Address - the IP address you wish to assign to the NIM VM (Default: 192.168.1.200)
Netmask (Subnet Mask) - the subnet mask of the network the NIM VM will reside on (Default: 255.255.255.0)
Gateway (Router) - the gateway address for the network the NIM VM will reside on (Default: 192.168.1.1)
DNS Nameservers - the DNS servers available on the Network (Default: 8.8.8.8,8.8.4.4)
After entering all data you will be shown the proposed updates and asked whether you would like to make these changes.
Press y to confirm your changes or n to cancel.
Available Flags:
-h : Help Mode - This flag displays a description of the script as well as the current network settings
-d : DHCP - This flag sets the network interface to use DHCP
Mounting Servers¶
If you plan on using NIM to manage your project structures and use the 3rd party connectors to organize your files, you will want to mount your file servers on the NIM server. A single file server is all that is needed; however, you can mount multiple servers as needed per your facility's needs. Typically, facilities with multiple locations will want to mount each of their file servers and assign it a location in the Administrative panel.
Create Mount Points¶
You can manually mount any share type that Ubuntu natively supports. The NIM VM is delivered with NFS and CIFS support.
IMPORTANT: By default, NIM runs as the www-data user. The www-data user will need read/write permissions for any project location. You can change the user that NIM runs as by following the instructions in the NIM Knowledge Base article: How to run apache as an alternate user
NFS Mounts¶
Here is an example command to mount an NFS share:
mount -t nfs 192.168.1.24:/ifs/raid /n/isilon
The above example assumes your server's IP address is 192.168.1.24 and is sharing a folder at /ifs/raid. On the NIM server this share will be accessible at the /n/isilon folder. Replace the IP address and directories with the information that matches your network configuration.
To make this share permanent you will need to edit the /etc/fstab file (with root privileges). You can edit the file using the vi editor by typing the command:
sudo vi /etc/fstab
For a basic nfs mount using the above example, add the line below to the bottom of the file and save:
192.168.1.24:/ifs/raid /n/isilon nfs defaults 0 0
To test the mount, issue this command:
sudo mount -a
If there are no errors, try rebooting the VM. The new share should mount automatically.
As with the command line example, replace the sample information with the information that matches your network configuration.
CIFS Mounts¶
Here is an example /etc/fstab entry to mount a CIFS (Windows) share:
//wserver/share /ubuntushare cifs uid=www-data,username=server-username,password=server-password,iocharset=utf8,sec=ntlm 0 0
wserver - the server you wish to share, i.e. your Windows share
ubuntushare - this is the mount point (folder) for the share on the NIM VM, e.g. /media/myWindowsShare
www-data - this is the actual username that NIM uses to access data and needs read/write permission to the share (should NOT be changed)
server-username - this is the username for the Windows share allowing the NIM VM to access the share
server-password - this is the password for the Windows share allowing the NIM VM to access the share
For example:
Suppose you have a Windows server with the IP of 192.168.1.110 and a shared folder called PRJ, you want that folder to be accessible on the NIM VM at /media/windowsPRJ, and the username and password that have access to the Windows share are Jim and jimsPassword.
To make this share permanent, edit your /etc/fstab file (with root privileges) and add this line:
//192.168.1.110/PRJ /media/windowsPRJ cifs uid=www-data,username=Jim,password=jimsPassword,iocharset=utf8,sec=ntlm 0 0
To test the mount, issue this command:
sudo mount -a
If there are no errors, try rebooting the VM. The new share should mount automatically.
Please refer to the official Ubuntu documentation for specific details on adding different types of shares to the server. http://www.ubuntu.com
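The CIFS fstab entries above place the share password in /etc/fstab, which is readable by every local user by default. The following added example (not part of the NIM documentation or tooling) flags such entries and rewrites one to use the mount.cifs credentials= option with an owner-only file; the credentials file path is a hypothetical choice.

```shell
#!/bin/sh
# Added example: move CIFS credentials out of world-readable /etc/fstab.
# The credentials file path is a hypothetical choice, not a NIM default.

# Print the mount point of every cifs entry with an inline password= option.
cifs_inline_secrets() {  # $1 = fstab file to audit
    awk '$1 !~ /^#/ && $3 == "cifs" && $4 ~ /(^|,)password=/ { print $2 }' "$1"
}

# Write username=/password= from one fstab line to a 0600 credentials file
# and print the line with credentials=<file> in their place.
cifs_harden_line() {  # $1 = fstab line, $2 = credentials file to create
    line=$1 cred=$2
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }' | tr ',' '\n')
    old_umask=$(umask); umask 077            # create the file owner-only
    printf '%s\n' "$opts" | grep -E '^(username|password)=' > "$cred"
    umask "$old_umask"; chmod 600 "$cred"    # also tighten a pre-existing file
    kept=$(printf '%s\n' "$opts" | grep -Ev '^(username|password)=' | paste -s -d, -)
    printf '%s\n' "$line" |
        awk -v o="credentials=$cred${kept:+,$kept}" '{ $4 = o; print }'
}

# Demo on the fstab entry from the CIFS example above.
SAMPLE='//192.168.1.110/PRJ /media/windowsPRJ cifs uid=www-data,username=Jim,password=jimsPassword,iocharset=utf8,sec=ntlm 0 0'
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE" > "$demo_dir/fstab"
cifs_inline_secrets "$demo_dir/fstab"             # entries still exposing a password
cifs_harden_line "$SAMPLE" "$demo_dir/prj.cred"   # replacement fstab line
```

The printed line replaces the original entry in /etc/fstab, with the credentials file kept in a root-owned location, and sudo mount -a tests it as described above.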
VM Security Lockdown¶
The NIM VM is provided with security that fits most in-house installations on a trusted network behind a firewall. If you plan to expose the NIM VM to the outside world via HTTPS we have some recommendations to follow to secure the VM and your data.
phpMyAdmin Access¶
NIM ships with phpMyAdmin available to directly administer the database if desired. You will want to limit access to this page to either a predefined IP address or address range, or deny all access.
- On the NIM VM edit the following file:
/etc/phpmyadmin/apache.conf
- Navigate to the section starting with:
<Directory /usr/share/phpmyadmin>
- To allow access from an IP or IP range, add the following line to the section replacing 192.168.X.X with the IP address/subnet mask you wish to allow access from:
Require ip 192.168.X.X/32
OR
- To restrict all access, add the following line to the section:
Deny from all
- Restart Apache to apply the changes:
sudo service apache2 restart
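To confirm the edit had the intended effect, the added example below (not part of the NIM tooling) reads the access directives inside the phpMyAdmin Directory section and classifies the result. It treats a leftover "Require all granted" as open, because Apache 2.4 ORs bare Require lines; the sample config is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the phpMyAdmin <Directory> block after editing it.
# Simplification: nested containers such as <RequireAll> are not interpreted.

# Print (lower-cased) the access directives inside
# <Directory /usr/share/phpmyadmin> of the given Apache config file.
pma_access_rules() {  # $1 = config file, e.g. /etc/phpmyadmin/apache.conf
    awk '
        { l = tolower($0); sub(/^[ \t]+/, "", l); gsub(/[ \t]+/, " ", l) }
        l ~ /^<directory "?\/usr\/share\/phpmyadmin\/?"?>/ { inside = 1; next }
        l ~ /^<\/directory>/ { inside = 0 }
        inside && l ~ /^(require|deny|allow) / { print l }
    ' "$1"
}

# Classify the block: open, restricted, or unset (no rule in this section,
# so access is inherited from enclosing sections).
# Bare Require lines are OR-ed by Apache 2.4, so one leftover
# "Require all granted" keeps the page open despite an added "Require ip".
pma_access_state() {  # $1 = config file
    rules=$(pma_access_rules "$1")
    if printf '%s\n' "$rules" | grep -Eq '^(require all granted|allow from all)'; then
        echo open
    elif printf '%s\n' "$rules" |
         grep -Eq '^(require (ip |host |local|all denied)|deny from all)'; then
        echo restricted
    else
        echo unset
    fi
}

# Demo on a constructed config (not the file shipped on the NIM VM).
pma_demo=$(mktemp)
cat > "$pma_demo" <<'EOF'
<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    Require all granted
    Require ip 192.168.1.0/24
</Directory>
EOF
pma_access_state "$pma_demo"
```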
HTTPS Access¶
Turn off HTTP access on the NIM VM, restricting all traffic to HTTPS. We provide a script on the VM, “nim-ssl”, that will allow you to do this easily. For more information on modifying the accessible web ports, please refer to the nim-ssl section of the documentation.
Firewall Configuration¶
If you are planning to allow NIM to be accessible from outside of your network, you will need to open ports 443 (HTTPS) and 8081 (Messaging Service) from your firewall to the NIM VM.
SSL Certificates¶
The NIM VM comes pre-installed with a self-signed SSL certificate. To install your own certificate, copy your .crt and .key files to the following locations, renaming them to match:
/etc/ssl/certs/nimlabs_server.crt
/etc/ssl/private/nimlabs_server.key
Important
The .crt and .key files must use this exact naming convention as the files are referenced directly by other areas of NIM.
Optionally, you can include a server certificate chain file. NIM does not come with this file pre-installed, so in addition to placing the file on the VM, you will need to modify the Apache configuration file.
Copy your server certificate chain file to the following location:
/etc/apache2/ssl.crt/server-ca.crt
Once the files have been placed on the VM, you will need to edit the Apache configuration file:
/etc/apache2/sites-available/default-ssl.conf
First, add a line within the <VirtualHost _default_:443> section directly below the ServerAdmin entry similar to the following, replacing my.domain.com with your domain name:
ServerName my.domain.com
Next, find the section that begins with Server Certificate Chain and uncomment the line that reads:
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
To uncomment this setting, remove the # at the start of the line so that it matches the following:
SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
Your certificate chain file may be named differently and use a different extension, “.ca-bundle” for example. The certificate chain file can be named anything you like, but we recommend keeping the default naming convention.
Once the default-ssl.conf file has been updated, the syntax can be validated prior to restarting Apache using the following command:
apachectl -t
If everything is correct, the following message will be displayed:
Syntax OK
For the settings to take effect you will need to restart the Apache server. This can be done by issuing the following command:
sudo service apache2 restart
API Keys¶
By enabling NIM API Keys, anyone accessing the NIM API is required to have a generated API key that is created per user. These keys can optionally have expiration dates. Anyone without an API key cannot access the NIM API or use the NIM Connectors. Additionally, when API Keys are enabled, user access will be restricted by any established permission and security groups. When API Keys are disabled, API requests are fully accessible and not filtered by applied user permissions. For more information on activating API Keys, please refer to the API Keys section of the documentation.
Security Update¶
Run the latest security updates for Ubuntu. Security updates are not part of NIM’s updates and can be run at any time by the user using the command “sudo unattended-upgrade”. For more information on running VM security updates, please refer to the VM Security Updates section of the documentation.
Password Strength¶
Set a minimum length and required characters to enforce stronger user passwords. For more information on setting password requirements, please refer to the Password Strength section of the documentation.
CLI Password¶
Change the VM command line password for the “nim” and root users.
To do this, first log in to the NIM VM command line as the “nim” user.
Use the following command to change the nim CLI password:
passwd
Use the following command to change the root CLI password:
sudo -i passwd