DOMOS6 WebUI
The DOMOS6 WebUI allows you to configure all necessary settings of your appliance and execute system maintenance tasks.
Login
Virtual Machine
To log in to the DOMOS6 WebUI, open https://DHCP-IP:10000 in your web browser (default). The default username is admin and the password is secudos. It is recommended to change the password after the first login.
| Type | Detail |
|---|---|
| Default URL | https://DHCP-IP:10000 |
| Default Login | admin |
| Default Password | secudos |
Configure your workstation with an IP address in the same network as the IP address given to your virtual machine to be able to connect to the DOMOS6 WebUI.
Hardware-Appliance
To log in to the DOMOS6 WebUI, open https://192.168.2.1:10000 in your web browser (default). The default username is admin and the password is secudos. It is recommended to change the password after the first login.
| Type | Detail |
|---|---|
| Default URL | https://192.168.2.1:10000 |
| Default Login | admin |
| Default Password | secudos |
Configure your workstation to IP 192.168.2.2 (for example) with netmask 255.255.255.0 to be able to connect to the DOMOS6 WebUI.
Default Password Warning
When logging into the DOMOS6 WebUI, you will be informed when default passwords are in use. We highly recommend that you change your passwords to more secure passphrases, as default passwords pose a severe security risk to your system and network.
General Information
In the upper right corner you are able to see who is currently logged in via WebUI. To log out hit Logout.
After changing any configuration, click the Save button, which is displayed everywhere you are allowed to make changes. To apply your changes, hit Activate Settings. This may take a while. Restarting services returns success or failure messages. If you have changed the IP of the appliance, you will not receive any response, because your browser will wait for the WebUI to return from the old IP. You will have to log in again on the appliance by directing your browser to the new IP.
Overview
After logging in using the WebUI you will see the overview screen. This screen provides information about hostname, uptime, average CPU load, system time, DOMOS6 version and software as you can see in the following figure.

Network
By clicking on “Network” in the menu on the left side, an overview of the network configuration appears. This overview shows a basic summary of the network settings of your appliance, namely the network ports with their configuration such as IP and netmask, DHCP and an indicator if the interface is up or down.

Interfaces
This screen shows nearly the same information as the network overview, but here you are able to edit your configuration by selecting Edit for the interface.

Modifying Network Configuration
By selecting Edit in the interfaces overview you are led to the configuration menu of a specific interface. At first, basic information about the interface is given: the name. By activating DHCP, the interface obtains its IP from a DHCP server. Otherwise, configure the IP and the netmask manually. If you want to set the Maximum Transmission Unit (MTU), just edit the field beside MTU. The default setting is 1500. You can add multiple IPv4 addresses to an interface by clicking on the Add new IPv4 address button.
If you have restored an old DOMOS configuration file (DOMOS5 and older) the Virtual Interface configuration will be converted automatically to additional IPv4 address configuration.

VLAN (IEEE 802.1Q)
DOMOS6 provides the option to add VLAN interfaces to your network. To add a new VLAN interface, click Add new VLAN. You will be presented with a dialogue in which you will be requested to specify which device the VLAN is to be attached to, what VLAN ID the interface is to be configured to, the IP Address, Netmask and MTU. To have the VLAN device brought up at boot, please check the Activate on boot checkbox. Once completed, click Save to complete the configuration of the VLAN. If you want to edit the configuration of an existing VLAN interface, click the Edit button in the “Interfaces” overview. To delete a VLAN interface, click the Del button. Once you have made changes to the interfaces, please click Activate Settings to apply the changes.
Your network may need configuration to incorporate VLAN traffic.

Bonding
DOMOS6 allows you to bond interfaces using the Link Aggregation Control Protocol (LACP). This means that you can bind two interfaces together to operate as one. To add a new bond click on Add new bonding interface. You will be prompted to enter a Name - which will later be used to refer to this interface. The Bonding Mode defines the strategy used to run the bond.
Here you can choose between one of the following:
balance-rr - Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.
active-backup - Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. This mode provides fault tolerance.
balance-xor - XOR policy: Transmit based on the selected transmit hash policy. This mode provides load balancing and fault tolerance.
broadcast - Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.
802.3ad - IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.
balance-tlb - Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.
balance-alb - Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPv4 traffic and does not require any special switch support. The receive load balancing is achieved by ARP negotiation.
Furthermore you will have to specify a value for MiiMon.
miimon - specifies the MII link monitoring frequency in milliseconds. This determines how often the link state of each slave is inspected for link failures. A value of zero disables MII link monitoring. A value of 100 is a good starting point. The default value is 0.
Finally, you will have to select the interfaces you wish to bond. Clicking on Save will conclude the configuration. Click on Activate Settings to apply the changes.

Routing
In the routing screen you can change your default gateway and static routes for IPv4 and IPv6. All routing is disabled by default.

Default Gateway
In order to configure a default gateway enter the IP of your gateway.
Enable routing
To enable or disable routing press the Toggle button next to the option Enable routing.
Autoconfiguration (IPv6)
By default Autoconfiguration is disabled. If this is enabled and your network supports it, your network will provide a configuration for the routing which will be automatically applied.
Static Routes
To add a static route, click Add new static route. If you want to edit or delete a static route, click the corresponding button next to the static route.

Hosts
Here you can define custom hostnames. This is especially useful if you want to address hosts not covered by DNS. The overview titled “Host addresses” will display all locally defined hostnames. You can Edit existing hostnames or click Del to remove them one by one. By clicking Add a new host address you can add new hostnames. You will be requested to fill in the IP address, an FQDN (Fully Qualified Domain Name) and Aliases. Clicking on Save will add the new hostname. To apply the changes, please click Activate Settings.
DNS
Here you can configure the hostname of your appliance and the DNS server(s) that will be used. You have to configure at least one working DNS server to allow the appliance to resolve domain names to IP addresses. Add a “Search Domain” to automatically append it to hostnames that are not addressed by their FQDN, which would otherwise fail to resolve.
Ping
You can use Ping to verify that a host is reachable. To do so, please enter the IPv4 address, IPv6 address or hostname of the target you want to verify the connection to. Optionally, you can enter the number of ping packets you want to send. The default for this value is 10 packets. To start the ping command, click the Ping button.
The response will take a moment. Your browser will automatically refresh to update the displayed results. In our sample output we have sent four ping packets to a host.

Traceroute
Traceroute is a networking diagnosis tool used to show the route taken by packets across an Internet Protocol (IP) network. To initiate a traceroute, open the Traceroute dialogue and enter the IPv4 address, IPv6 address or hostname of a target into the Destination field. If you want, you can adjust the Maximum TTL to a desired value. Clicking Traceroute will initiate the traceroute. The response will take a moment. Your browser will automatically refresh to update the displayed results.

Date and Time
Time
This menu section displays information about the system timezone, time and date. If you have specified NTP servers, the button Synchronize now will trigger an NTP time synchronisation.
You can only synchronize the time if NTP is enabled.
Timezone
Select your timezone here. To apply the changes in the timezone, you will have to click on Save followed by Activate Settings to apply the changes.
Changes to the timezone will also affect the current set time.
Clock
Set the time and date on your appliance. Clicking Save will instantly apply the changes. You do not need to click Activate Settings to apply this change.
NTP Client
If you want to synchronize the time and date via Network Time Protocol (NTP), you can select your NTP servers here. By default, NTP is deactivated. For simplicity, the default time server pool pool.ntp.org is included in the list of time servers. To edit your list of preferred time servers, click Edit timeserver list to add or remove an entry from the list. On the edit page you can select a time server to delete it or add a new time server by inserting its hostname into the textbox.

User
This screen shows the current user who is logged-in on the WebUI.
System User
Here you can change the passwords for the root and admin users. You will be prompted to enter the current password and the required new password.
With DOMOS6 the old WebUI user was removed and the login on the WebUI uses the password of the system admin user.
SSH Keys
You can enable SSH key authentication for the admin user. This allows a more secure authentication against the SSH daemon. By clicking on Add new SSH key, you will be prompted to provide a name for the SSH key and to specify the path to the corresponding public SSH key file by clicking on Browse. Upload the key by clicking Save. To enable SSH keys, check the “enable SSH key authentification for user admin” checkbox and Save the configuration. Clicking Activate Settings applies the configuration.
It is unwise to use SSH keys without a passphrase. If somebody manages to obtain a copy of the key file, they will have access to all accounts that grant access to that key. Please avoid exposure of the private key.
LDAP
This section lets you configure authentication against an LDAP server, so that additional users can log in to the DOMOS system without having an account on the DOMOS system itself. In addition to a normal password, a public SSH key can be retrieved from LDAP for passwordless public-key authentication. After logging in on the command line, users can use the sudo command to gain root permissions. Users identified this way can log in to the DOMOS WebUI using their own credentials.
The configuration is split into a dialog with the most useful settings and a page for advanced configuration settings.
Settings
Here the basic configuration can be done.

You can find the following configuration settings on this page.
LDAP Authentification - Switch this on to use LDAP authentication
WebUI Login - Allow LDAP users to log in to the DOMOS WebUI
SSH Login - Allow LDAP users to log in via SSH
SSH Login using key authentification - Allow SSH public-key authentication
Sudo - Allow LDAP users to gain root permissions using sudo
LDAP URI - URI of LDAP server (e.g. ldaps://FQDN:Port)
LDAP Schema - Select the LDAP schema to use. Currently the following are available: rfc2307, rfc2307bis and IPA
LDAP Check TLS Certificate - Select checking mode of TLS certificate
TLS CA Certificate - If needed, your own CA certificate can be uploaded here. A short summary of an already uploaded CA certificate will be displayed here. The Upload New Certificate button lets you upload a new certificate and the Remove button deletes the certificate.
LDAP Search Base - The default base DN to use for performing LDAP user operations
LDAP Default Bind DN - Bind DN to access LDAP server
LDAP Default Authentication Token - Password for Bind DN
LDAP User Search Base - Optional base DN and Filter for users
LDAP Group Search Base - Optional base DN and Filter for groups
LDAP Sudo Search Base - Optional base DN and Filter for sudo access
LDAP Access Order - Access control options
LDAP AccessFilter - Search filter for users (needed if Access Order is set to filter)
The Configuration button leads you to the advanced configuration page.
Advanced Configuration
While the settings page allows a quick configuration of the most important settings, this page can be used to configure the access to the LDAP server in more detail.
Please refer to the manual pages of SSSD (sssd, sssd-ldap, sssd-ssh, sssd-nss, sssd-sudo, sssd-pam) for information about the offered configuration settings.
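A check of the transport and access settings described above, added here as an example and not part of the DOMOS6 documentation or product code. It assumes the WebUI fields correspond to the sssd-ldap options of the same meaning (ldap_uri, ldap_tls_reqcert, ldap_access_order, ldap_access_filter) in an sssd.conf domain section; the sample configuration is constructed.

```python
import configparser

# Constructed sample, not taken from a DOMOS6 system. The mapping from WebUI
# fields to these sssd-ldap options is an assumption of this example.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example
services = nss, pam, ssh, sudo

[domain/example]
id_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldap.example.test:389
ldap_schema = rfc2307bis
ldap_tls_reqcert = allow
ldap_search_base = dc=example,dc=test
ldap_default_bind_dn = cn=domos,ou=svc,dc=example,dc=test
ldap_default_authtok = constructed-placeholder
ldap_access_order = filter
"""

# Values of ldap_tls_reqcert that let a session continue without a valid
# server certificate (see sssd-ldap(5)); "demand" and "hard" do not.
WEAK_REQCERT = {"never", "allow", "try"}


def audit_sssd_conf(text):
    """Return a list of (section, finding) pairs for every [domain/...] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        opts = parser[section]

        # LDAP URI: ldap:// without StartTLS leaves directory traffic unencrypted.
        starttls = opts.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        for uri in (u.strip() for u in opts.get("ldap_uri", "").split(",")):
            if uri.lower().startswith("ldap://") and not starttls:
                findings.append((section, f"cleartext LDAP URI: {uri}"))

        # LDAP Check TLS Certificate: SSSD defaults to "hard" when unset.
        reqcert = opts.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in WEAK_REQCERT:
            findings.append((section, f"ldap_tls_reqcert = {reqcert} does not "
                                      "enforce a valid server certificate"))

        # LDAP Access Order / AccessFilter: "filter" (the SSSD default order)
        # with no filter set denies every user.
        if opts.get("access_provider", "").strip().lower() == "ldap":
            order = [o.strip() for o in
                     opts.get("ldap_access_order", "filter").lower().split(",")]
            if "filter" in order and not opts.get("ldap_access_filter", "").strip():
                findings.append((section, "access order uses filter but "
                                          "ldap_access_filter is empty"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print(f"{section}: {finding}")
```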

The page is divided into several sections. Each section shows a table of configuration options. The first column shows the name of the option, the next column shows the value. The Del button removes the option from the configuration and the Edit button opens a dialog to change the value of the option.

Below each table you can find the button Add new Option. Pressing this button opens a dialog to select a new option and add a value to it.

Reset SSSD Cache
Sometimes the SSSD cache needs to be reset. In addition to using the sss_cache tool (with the -E flag for all cached entries or -u User for a single user), DOMOS will flush the cache if it finds the file /run/domos/sssd_clean_cache on Activate Settings.
ARP-GUARD
In this section you can verify if your ARP-GUARD is running.
ARP-GUARD Management
If the ARP-GUARD service is running, here you will find a link to the ARP-GUARD management WebUI.

ARP-GUARD EULA
Before you can work with the ARP-GUARD software, you must first accept the EULA (ISL End User License Agreement). Read the license text, then check the checkbox below the text and click on the Save button.

After that you have to start a reconfiguration by clicking on the Activate Settings button on the top of the page. After a short time the ARP-GUARD service is installed and started.
Please note that acceptance of the EULA cannot be reset.
ARP-GUARD Backup
In the Backup section of ARP-GUARD you can configure that DOMOS6 includes ARP-GUARD data in its configuration backup.
SNMP WebUI
The SNMP WebUI allows you to configure the SNMP settings on your appliance. Clicking on the SNMP menu shows the status of the SNMP daemon.
General
On the General page you can enable the SNMP daemon in the SNMP service section. You can decide if you want to activate the version 1/2c and/or version 3 features of SNMP.

In the Common section a location description and a contact can be configured. The last section lets you change the network protocol (tcp or udp) and bind the SNMP server to an arbitrary network interface. The default is to listen on any interface using the UDP protocol on port 161. The port number is fixed.
Communities
The “Communities” page allows the user to configure SNMP v1/v2c communities. This page has a table of defined SNMP communities, a link to add new SNMP communities and links to edit or delete SNMP communities. SNMP community name and access mode can be specified on this page.

Users
The SNMPv3 users on DOMOS6 are limited to read-only access. Access also requires authentication and encryption. Therefore the “Users” page allows you to create SNMPv3 users in one manner only. To create a new user, click on the Add new SNMPv3 user button and fill in the user data in the form. After saving the data using the Save button, the newly created user will be displayed in the SNMP v3 Users table.
Please note that SNMPv3 supports only SHA1-96.

Backup/Restore NG
Last Configuration Backup
Latest Configuration Backup displays the time when the last backup of the system configuration files was done. Below it, the timestamp of the Latest Data Backup is shown. Below that you can find a checkbox. If it is checked (default), the warning “Backup is not configured.” will be shown in the messages section of the page. The warning disappears if a backup job is configured. If you don’t want to configure a backup job, you can disable the warning by unchecking the Display backup warning checkbox.

Config Backup
You can create a backup of your system configuration here by clicking on Create new configuration backup. Your browser will show a download dialog to copy the configuration to your workstation.
Config Restore
Select a configuration backup file from your workstation and upload it to the appliance to restore it. Once Restore is clicked, you will be shown Message: Restore done in the status bar.

Data Backup
This shows an overview of the configured backup jobs. At each backup you will see the following:
Name - a descriptive name for a backup.
Type - type of backup in question.
Target - a name for the backup target.
Furthermore, three buttons are displayed for every configured backup job:
Start Backup - initiates a backup to the according target.
Del - deletes a configured target.
Edit - will let you modify the configuration of a target.

By clicking on Manage Targets, you can manage the configured backup targets. Add Backup Job will allow you to create a new backup procedure, which can be triggered manually or scheduled.
To create a new backup job, you will have to fill out the following:
Create a new backup job
Job name - a name for the backup job.
Description - a short description.
Type - select if you want to backup the configuration or data or a software partner.
Target - select the required backup target.
Scheduling
Scheduling enabled - if enabled, this task will run at the selected interval.
Hour - selects the hour of a day at which this task is running.
Minute - selects the minute of a day at which this task is running.
Day of month - selects the day of a month at which this task is running.
Month - selects which month this task is running.
Day of week - selects which week day this task is running.
By clicking Save the backup job is saved.

Data Restore
The Data Restore tab gives you an overview of all available backup targets. To see which backups are available on a target, use the Scan button to start a scan of the target.
Name - displays the target name.
Type - the type of target.
Host - IP or hostname of the target.
Scan - this button starts a scan of the target for available backups.
The result of the scan is displayed as a table below the targets table.
Target - displays the target name.
Backup - name of the backup
Restore - this button starts the restore of the backup.

Targets
Here you can configure your targets to be used in the DOMOS6 backup system. The Targets table lists all currently configured targets:
Name - a descriptive name for a Target.
Type - indicates the type of transport used for the backup. This can be:
FTPS - File Transfer Protocol using SSL
Host - hostname of the server used to backup to.
Test - this button tests if the backup server is available and the selected resource can be written to.
Edit - by clicking this button you can modify the configuration of a backup target.
Del - deletes a selected backup target.

Adding a Target - To add a Target, please click one of the following:
Add FTPs target - to add an FTPs target.
Currently only FTPs targets are possible. Other types will follow in future releases.
Add a target - Depending on which type of target you are adding, you will have to provide the following details:
Name - a name for the backup.
Description - a short description for personal reference.
Remote host - the remote host to be used for the backup.
TLS Connection - Check the box if the certificate check should be skipped.
TLS Version - If checked TLS v1.2 will be used. Default is to use latest available TLS version (currently TLS 1.3).
Port - Port number to connect to the target service.
Username - a username used to authenticate against the remote host.
Password - a password used to authenticate against the remote host.
Directory - select the directory used to store the backups. If you back up to an FTP target, please keep the following in mind: If no directory is specified, the user directory on the FTP server will be used. If a directory is specified, the relative path as configured in the FTP server will be used. This could also be influenced by any enforced chroots. The directory must exist on the target server and will not be created by the backup software.
