Setup

  1. Download the Linux (64-bit) version of the Token Server.
  2. Setup instructions:
    • Create a user account.
    • Log in and extract the downloaded file. Generate your License file by following the steps outlined in Machine Token Utility (hexaeight.mac).
    • The Linux version of the Token Server DOES NOT SUPPORT FACE AUTHENTICATION. If you plan to use Face Authentication, switch to the Windows version of the Token Server.
umask 077   # everything created from here on is readable by this user only
curl "https://github.com/HexaEightTeam/HexaEight-Token-Server/releases/download/Production-1.6.8/linux.zip" -O -J -L
unzip ./HexaEight_Token_Issuer-linux-x64.zip   # -J names the file from the server's response; unzip whatever curl saved
chmod 700 ./HexaEight_Token_Issuer             # binary executable by the service owner only
  3. Ensure the License environment variables have been set:

    • HEXAEIGHT_RESOURCENAME
    • HEXAEIGHT_MACHINETOKEN
    • HEXAEIGHT_SECRET
    • HEXAEIGHT_LICENSECODE
    • HEXAEIGHT_ALLOW_CAPTCHA_FOR=ANYONE
    • ENABLE_HEXAEIGHT_FACERECOGNITION=False

    Use the export command as described in the Machine Utility section upon obtaining your License.

Configuration

1) Generate the Captcha configuration files. This creates the two required files, captchapolicy.csv and captchamodel.conf:

$ ./HexaEight_Token_Issuer -y
Captcha Configuration CSV Files - Generated Successfully

$ ls -al cap*
-rw-rw-r-- 1 resourceuser resourceuser 512 Sep 12 23:20 captchamodel.conf
-rw-rw-r-- 1 resourceuser resourceuser 967 Sep 12 23:20 captchapolicy.csv



2) Generate the Timecode required for Token validation.


$ ./HexaEight_Token_Issuer.exe -t
Enter Synchronization Time Code : [Press Enter To Generate a New Time Code]
Generating New Time Code ...
New Time Code : 28768365
Attempting to Set This Token Server To Use This Time Code ...
Succeded.


$ ls -altr clients
total 44
-rw-rw-r--  1 releaseuser releaseuser  987 Aug 28 03:29 auth.hexaeight.dns-dynamic.net.slf
drwxrwxr-x  2 releaseuser releaseuser 4096 Sep 12 23:19 .
drwxr-x--- 22 releaseuser releaseuser 4096 Sep 12 23:19 ..

  • The .slf file in the clients directory indicates that the Time Code key was generated successfully.

3) Advanced Security (Optional): Edit captchapolicy.csv so that only the allowed email domains can request a Captcha.

# Captcha Sample Policy File

# -----------------------------------------------------
# Allow Any Email Address to request for a Captcha
# Denying a captcha for a user might result in the user
# not being able to complete the login process.
# -----------------------------------------------------
# -------------------------------------------------------------------
#   EMAILUSER | AUTHSERVER | REQUEST | PERMISSION
# -------------------------------------------------------------------
p, /*@gmail.com, auth.hexaeight.dns-dynamic.net, CAPTCHA, enable
p, /*@yahoo.com, auth.hexaeight.dns-dynamic.net, CAPTCHA, enable
p, /*@microsoft.com*, auth.hexaeight.dns-dynamic.net, CAPTCHA, enable
p, /*@photonemail.com*, auth.hexaeight.dns-dynamic.net, CAPTCHA, enable
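A small linter for captchapolicy.csv, added here as an example and not part of HexaEight's software. It parses the policy lines, reports malformed rows, and points out rules whose domain part contains a wildcard, since a pattern such as /*@microsoft.com* is not limited to microsoft.com if '*' is a glob. The page does not document the matching rules, so the following are assumptions: the leading '/' in EMAILUSER is a delimiter, '*' is a glob wildcard, matching is case-insensitive, any matching rule with PERMISSION enable allows the Captcha, and disable is the opposite value.

```python
"""Lint a HexaEight captchapolicy.csv and show which addresses a rule set covers.

Added example, not HexaEight's own code.  Assumed (undocumented on the page):
the leading '/' in EMAILUSER is a delimiter, '*' is a glob wildcard, matching
is case-insensitive, and a matching rule with PERMISSION 'enable' allows the
Captcha ('disable' is assumed to be the opposite value).
"""
import fnmatch
import sys

EXPECTED_FIELDS = 5  # p, EMAILUSER, AUTHSERVER, REQUEST, PERMISSION
VALID_PERMISSIONS = {"enable", "disable"}


def parse_policy(text):
    """Return (rules, problems): one dict per policy line, plus findings tagged by line."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != EXPECTED_FIELDS:
            problems.append(f"line {lineno}: expected {EXPECTED_FIELDS} fields, got {len(fields)}")
            continue
        ptype, user, server, request, permission = fields
        if ptype != "p":
            problems.append(f"line {lineno}: policy type must be 'p', got {ptype!r}")
        if permission not in VALID_PERMISSIONS:
            problems.append(f"line {lineno}: PERMISSION must be one of "
                            f"{sorted(VALID_PERMISSIONS)}, got {permission!r}")
        pattern = user[1:] if user.startswith("/") else user  # assumed: '/' is a delimiter
        if "@" not in pattern:
            problems.append(f"line {lineno}: EMAILUSER {user!r} has no '@', "
                            "so it is not scoped to a mail domain")
        elif "*" in pattern.rsplit("@", 1)[1]:
            # A wildcard in the domain part widens the rule beyond the intended domain:
            # under glob matching '*@example.com*' also matches 'x@example.com.other.example'.
            problems.append(f"line {lineno}: EMAILUSER {user!r} has a wildcard in its "
                            "domain part; the rule is not limited to that domain")
        rules.append({"pattern": pattern, "server": server,
                      "request": request, "permission": permission})
    return rules, problems


def captcha_allowed(rules, email, server):
    """True if any CAPTCHA rule for server matches email with PERMISSION enable."""
    return any(
        r["request"] == "CAPTCHA"
        and r["server"] == server
        and r["permission"] == "enable"
        and fnmatch.fnmatchcase(email.lower(), r["pattern"].lower())
        for r in rules
    )


# Constructed sample: the four policy lines from the file shown above.
SAMPLE_POLICY = """\
# Captcha Sample Policy File
#   EMAILUSER | AUTHSERVER | REQUEST | PERMISSION
p, /*@gmail.com, auth.hexaeight.dns-dynamic.net, CAPTCHA, enable
p, /*@yahoo.com, auth.hexaeight.dns-dynamic.net, CAPTCHA, enable
p, /*@microsoft.com*, auth.hexaeight.dns-dynamic.net, CAPTCHA, enable
p, /*@photonemail.com*, auth.hexaeight.dns-dynamic.net, CAPTCHA, enable
"""

if __name__ == "__main__":
    # Usage: python3 <this file> [captchapolicy.csv]; without an argument the sample is linted.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_POLICY
    rules, problems = parse_policy(text)
    print(f"{len(rules)} rule(s) parsed")
    for problem in problems:
        print("WARNING:", problem)
    sys.exit(1 if problems else 0)
```

Run against the sample, the two rules ending in '*' are reported, and captcha_allowed shows the difference: alice@gmail.com is covered by the first rule while alice@gmail.com.other.example is not, whereas the microsoft.com* rule also covers addresses on any domain that merely starts with microsoft.com. Trim the trailing '*' from such rules if that is not intended.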


4) Open up the Firewall Ports. These firewall-cmd rules apply to the running configuration only; repeat them with --permanent (and reload firewalld) if the ports must stay open after a restart.

firewall-cmd --zone=public --add-port=8080/tcp
firewall-cmd --zone=public --add-port=8443/tcp

5) Custom port and HTTPS (Optional): modify appsettings.json to change the default HTTP port (5000) or to add an HTTPS endpoint. The file stores the certificate password in clear text, so keep it and the .pfx file readable by the service owner only.

{
  "Kestrel": {
    "Endpoints": {
      "Http": {
        "Url": "http://0.0.0.0:8080"
      },
      "HttpsInlineCertFile": {
        "Url": "https://0.0.0.0:8443",
        "Certificate": {
          "Path": "certificate.pfx",
          "Password": "CertificatePassword"
        }
      }
    }
  }
}

6) Start the Token Server with the Quick and Enterprise mode flags. Quick mode uses a faster encryption algorithm; Enterprise mode allows multiple Token Servers to run in the same environment.

$ ./HexaEight_Token_Issuer.exe -q -e
Token Server Quick Mode Enabled.
Enterprise Mode Enabled.

Current Resource Owner:auth.hexaeight.dns-dynamic.net
----------------------
Note: Ensure to verify the permissions of the current Directory
 and remove everyone except Service owner for Security purposes.

HexaEight Tokens
----------------
Default Swagger URL : http://hostname:PORT/swagger/index.html
If you do not have a appsettings.json file the default PORT is 5000
Determining and Completing List of External Resources For Fetching ASK Keys... Done
HexaEight Token Server Started Successfully
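A pre-start check that scripts the points raised in step 3 of the setup, step 5 and the server's own note above: the license variables are exported, face recognition is off on the Linux build, and the install directory and any Kestrel certificate file are private to the service owner. This is an added example, not part of HexaEight's software. It reads the appsettings.json keys shown in step 5 (Kestrel.Endpoints.<name>.Url and .Certificate.Path/.Password); the finding texts and the demo() fixture are constructed for this example.

```python
"""Pre-start checks for a HexaEight Token Server install directory on Linux.

Added example, not HexaEight's own code.  The appsettings.json layout follows
step 5 above; the permission rule (no group/other bits) follows the server's
own advice to remove everyone except the service owner.
"""
import json
import os
import shutil
import stat
import tempfile

REQUIRED_ENV = (
    "HEXAEIGHT_RESOURCENAME",
    "HEXAEIGHT_MACHINETOKEN",
    "HEXAEIGHT_SECRET",
    "HEXAEIGHT_LICENSECODE",
    "HEXAEIGHT_ALLOW_CAPTCHA_FOR",
    "ENABLE_HEXAEIGHT_FACERECOGNITION",
)


def check_env(env):
    """Findings about the license environment (env is any mapping, e.g. os.environ)."""
    findings = [f"env: {name} is not set" for name in REQUIRED_ENV if not env.get(name)]
    if env.get("ENABLE_HEXAEIGHT_FACERECOGNITION", "False").lower() != "false":
        findings.append("env: ENABLE_HEXAEIGHT_FACERECOGNITION must be False on the Linux build")
    return findings


def others_can_access(path):
    """True if any group or other permission bit is set on path."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 != 0


def check_install_dir(directory):
    if others_can_access(directory):
        return [f"perm: {directory} is accessible to users other than the service owner"]
    return []


def check_kestrel(directory):
    """Inspect appsettings.json (if present) for an HTTPS endpoint and certificate hygiene."""
    path = os.path.join(directory, "appsettings.json")
    if not os.path.exists(path):
        return ["kestrel: no appsettings.json, server will listen on plain HTTP port 5000"]
    with open(path, encoding="utf-8") as fh:
        endpoints = json.load(fh).get("Kestrel", {}).get("Endpoints", {})
    https = [n for n, ep in endpoints.items() if ep.get("Url", "").lower().startswith("https://")]
    findings = [] if https else ["kestrel: no HTTPS endpoint configured"]
    for name in https:
        cert = endpoints[name].get("Certificate", {})
        cert_path = os.path.join(directory, cert.get("Path", ""))  # relative to the install dir
        if not cert.get("Path") or not os.path.isfile(cert_path):
            findings.append(f"kestrel: endpoint {name}: certificate file {cert.get('Path')!r} not found")
        elif others_can_access(cert_path):
            findings.append(f"kestrel: endpoint {name}: {cert['Path']} is readable by users "
                            "other than the service owner")
        if not cert.get("Password"):
            findings.append(f"kestrel: endpoint {name}: certificate has no password set")
    return findings


def preflight(env, directory):
    """All findings for one install directory; an empty list means ready to start."""
    return check_env(env) + check_install_dir(directory) + check_kestrel(directory)


def demo():
    """Constructed fixture: a weak and a hardened install directory, returned as findings."""
    good_env = {name: "placeholder" for name in REQUIRED_ENV}
    good_env["ENABLE_HEXAEIGHT_FACERECOGNITION"] = "False"
    bad_env = {k: v for k, v in good_env.items() if k != "HEXAEIGHT_SECRET"}
    bad_env["ENABLE_HEXAEIGHT_FACERECOGNITION"] = "True"
    settings = {"Kestrel": {"Endpoints": {
        "Http": {"Url": "http://0.0.0.0:8080"},
        "HttpsInlineCertFile": {"Url": "https://0.0.0.0:8443",
                                "Certificate": {"Path": "certificate.pfx",
                                                "Password": "CertificatePassword"}}}}}
    results = {}
    for label, env, dir_mode, cert_mode in (("weak", bad_env, 0o755, 0o644),
                                            ("hardened", good_env, 0o700, 0o600)):
        directory = tempfile.mkdtemp()
        with open(os.path.join(directory, "appsettings.json"), "w", encoding="utf-8") as fh:
            json.dump(settings, fh)
        cert = os.path.join(directory, "certificate.pfx")
        with open(cert, "wb") as fh:
            fh.write(b"constructed placeholder, not a real PKCS#12 file")
        os.chmod(cert, cert_mode)
        os.chmod(directory, dir_mode)
        results[label] = preflight(env, directory)
        shutil.rmtree(directory)
    return results


if __name__ == "__main__":
    for finding in preflight(os.environ, os.getcwd()) or ["ready to start"]:
        print(finding)
```

Run it from the install directory with the license variables exported; the weak fixture in demo() yields four findings (missing HEXAEIGHT_SECRET, face recognition enabled, world-accessible directory, world-readable .pfx) and the hardened one yields none.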

7) Configure systemd to launch the HexaEight Token Server at boot time (Optional)