
This website provides documentation for administrators of 0th Root Secure Network — 0SNet. To know about the product, kindly visit our product website.

Getting Started

0th Root Secure Network — 0SNet works at the domain level and covers all subdomains of the chosen domain. For example, if you choose the domain example.com then 0SNet will secure all subdomains of example.com, i.e., *.example.com. Ideally, a third-level domain is chosen, such as corp.example.com, to secure *.corp.example.com.

1. Network Firewall

Whichever host you set up 0SNet on, make sure that only that host can reach the protected servers and configured applications. If an origin server accepts connections from anywhere else, 0SNet's authentication can be bypassed by connecting to the origin directly.

2. Email Address

An administrator email address needs to be specified at the time of configuration. This is the email address that will receive the password-protected certificate, and 0SNet can be accessed only with that certificate. However, 0SNet can be reconfigured if any mistakes were made.

3. Operating System

The server hosting 0SNet should be capable of running Apache HTTP server (2.4.3+). Currently, RHEL 7 and its derivatives are supported, such as CentOS 7.

If you are on AWS, GCP or Azure, you can launch a new instance from our public AMI, Custom Image or Azure Compute Gallery image, which comes with 0SNet pre-installed.

Installation

This section will help you through the process of installing 0SNet on your server. Please read Getting Started and have the domain information, administrator email, and the server details ready.

And, open ports 80 (HTTP) and 443 (HTTPS) on the server for 0SNet to work.

Manual

1. Platform setup

Run the following command to set SELinux to disabled. Note that this removes SELinux's mandatory access control from the host, so the network firewall described under Getting Started becomes the main remaining control on who can reach the 0SNet server,

sudo sed -i "s/^SELINUX=.*$/SELINUX=disabled/" /etc/selinux/config

Restart the server,

sudo systemctl reboot

Once the server is up, run the following commands to start the 0SNet server on boot. Append the line only once; if you rerun these commands, check that rc.local does not end up with duplicate 0snet --start entries,

sudo chmod +x /etc/rc.d/rc.local
sudo bash -c 'echo "0snet --start" >> /etc/rc.d/rc.local'

2. Pre-requisites

Install Apache HTTP server, the SSL module and the required tools, as follows,

sudo yum install httpd mod_ssl wget bind-utils cronie lsof rsync

Ensure that the stock Apache HTTP server service is stopped, disabled and masked, so that it cannot come up on boot and bind ports 80 and 443 with its default configuration,

sudo systemctl stop httpd.service
sudo systemctl disable httpd.service
sudo systemctl mask httpd.service

Open ports 80 and 443,

sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --reload

3. Installing 0SNet

To install the packages 0snet and 0snet-uman, use the rpm command directly instead of yum, because a EULA is shown at the time of installation. Run the following command to install 0SNet,

sudo rpm -Uvh https://www.0throot.com/download/x86_64/{0snet,0snet-uman}.el7.rpm

Public AMI (AWS)

0SNet is available as a public Amazon Machine Image (AMI) in the N. Virginia, Mumbai and Singapore regions. If you require the AMI in any other region, we can make it available. [1]

In AWS console (see image below), choose the correct region,

  • Open services and select EC2
  • On the sidebar, select AMI under Images
  • Select Public Images in the drop down to the left of search bar
  • Search for keyword, 0snet
  • Choose 0th Root Secure Network and click Launch [2]
  • Remember to open ports 80 and 443 when configuring Security Group

Once the instance is successfully created, add a wildcard DNS record for the chosen domain, such as *.corp.example.com, to its Elastic IP.

[1] You can also bear the minor costs and copy the AMI.
[2] To login to the new instance, SSH as ec2-user@Elastic-IP.

Custom Image (GCP)

0SNet is available as a publicly shared custom image. gcloud CLI can be used to create a new instance from this custom image. The uri of the image family is listed below,

https://www.googleapis.com/compute/v1/projects/id-0snet/global/images/family/stable-0snet

The following command [1] creates a new instance from the custom image, with HTTP (80) and HTTPS (443) ports open,

gcloud compute instances create INSTANCENAME --image-family https://www.googleapis.com/compute/v1/projects/id-0snet/global/images/family/stable-0snet --tags http-server,https-server

On successful run of the above command, a new instance is created. Now, add a wildcard DNS record for the chosen domain, such as *.corp.example.com, to the displayed External IP. [2]

[1] Choose the zone and machine type with the options --zone and --machine-type.
[2] Remember to make the external IP static.

Azure

There are two approaches to set up 0SNet in Azure, i.e., by creating a virtual machine directly or through Azure Compute Gallery. At the moment, it is easier to create the virtual machine directly and do the installation.

Virtual Machine [RECOMMENDED]

Go to create Virtual Machine page and follow the steps below

  • Under BASICS Tab,
    • Choose New Resource Group, e.g. snet
    • Choose Region
    • Choose Image "CentOS-based 7.9 Gen 1" (Search: centos)
    • Choose Instance Size (Minimum 1GB RAM, Recommended 4GB RAM)
    • Inbound Port Rules, Choose SSH, HTTP and HTTPS
  • Under NETWORKING Tab,
    • Choose Virtual Network: it must be the same virtual network as the applications being protected [IMPORTANT]
  • Go to REVIEW + CREATE and create the virtual machine

Once the virtual machine is created, add a wildcard DNS record for the chosen domain, such as *.corp.example.com, to the server's Public IP. After which, login over SSH and follow the manual steps.

Azure Compute Gallery

0SNet is available as an image in Azure Compute Gallery. To access the image across tenants, authorization is required. The steps below require the Azure CLI,

1. Create a new Resource Group

az group create --location <location> --name myVM_group

2. Identify your tenant ID

az account show --query "tenantId"

3. Open the following authorization URL, after substituting <tenantId>

https://login.microsoftonline.com/<tenantId>/oauth2/authorize?client_id=0f844e19-3145-4179-9c89-7b1b60901481&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F

4. Authorize access to the resource group (myVM_group), as shown in the images below,

5. To install from the image, run the commands listed below. Reach out to us at support@0throot.com to get <Your-Password> (expires in a few days)

az account clear
az login --service-principal -u "0f844e19-3145-4179-9c89-7b1b60901481" -p "<Your-Password>" --tenant 08480fa8-ba9f-4101-9723-366c81d85da4
az account get-access-token
az login --service-principal -u "0f844e19-3145-4179-9c89-7b1b60901481" -p "<Your-Password>" --tenant <tenantId> 
az account get-access-token
az vm create --resource-group myVM_group --name myVM --image "/subscriptions/64ad2f3a-04fd-497f-818b-db5793b0e828/resourceGroups/images/providers/Microsoft.Compute/galleries/0snet/images/stable/versions/latest" --admin-username azureuser --size Standard_B1s --ssh-key-name mykey --vnet-name myVM_vnet

6. Remove Authorization (IMPORTANT)

Once the az vm create command executes successfully, remove the access granted to the 0throot application on myVM_group in step 4. Then add a wildcard DNS record for the chosen domain, such as *.corp.example.com, to the VM's public IP.

(The above method is NOT RECOMMENDED because it grants the Contributor role on your resource group to the 0throot service principal for the duration of the install; the Virtual Machine method above avoids this.)

0SNet is provided as per these terms of use and privacy policy.

If you face any problems, please feel free to contact us.

Configuration

If you have chosen a domain such as .corp.example.com, configure your nameserver (DNS) to resolve the wildcard entry *.corp.example.com to the IP address of the 0SNet server.

When Google Sign-In or Microsoft Sign-In is enabled, 0SNet requires login through the corresponding user account. Hence, do not use a group email address or a mailing list as the administrator address during configuration.

If 0SNet is hosted on a server without public IP, change the Let's Encrypt mode to DNS with the command: sudo 0snet --letsencrypt mode dns

Setup (1/3)

Type the following command,

sudo 0snet --configure

This should bring up the following screen,

Fill out the form with your domain name, organization name, email ID and user ID. TLS certificate for the administrator will be sent to the specified email address. Choose your user ID carefully, because it will not be possible to modify this later.

IMPORTANT: Note down the password. In case you don't remember it, you can reconfigure 0SNet using,

sudo 0snet --configure

After the Setup Complete message, you should receive an email at the specified address; check your spam/bulk folder if necessary. The email should contain one attachment, sign.p12. It is your personal certificate, encrypted using the password, and it should be imported into your browser under personal certificates. If you are unsure how to import the certificate, kindly follow the steps in the Certificates section below.

Admin Console (2/3)

Once the certificate is imported, you will be able to access the admin console. A special subdomain, 0snet, is reserved for this purpose. For example, if you have configured your domain as .corp.example.com, open https://0snet.corp.example.com.

On successful connection, the browser will ask for a client certificate to be selected. On choosing the correct one, the 0SNet login page is shown. Enter the generated password and set a new one to complete the login.

Apps (3/3)

App Manager should be used to add subdomains, along with IP address / Hostname of origin server, as shown in the image below,

After adding the subdomain, go to Pending Apps and click on Validate Now to validate the domain. The new subdomain will be ready to use within 5 mins.

Certificates

0SNet sends users an email containing their personal certificate file. This section provides the steps to import the certificate in detail,


Android / iOS / Windows / Mac

On most devices, simply opening the sign.p12 file (double-click or tap to open) is sufficient to import the certificate.

Preferences

On Linux / Firefox / Opera browser, Search for "certificates" in the browser settings or preferences, and you will likely find "Manage Certificates" or "View Certificates". On opening it, click the Import button under "Your Certificates" or "Personal Certificates" tab and choose the certificate file, sign.p12.

On Google Chrome, you can use the direct link chrome://settings/certificates.

When prompted for a password, type the generated password that has been provided by the administrator.

The certificate should be imported successfully.

To protect the imported certificate, it is recommended that you set a Master Password for the browser. Once the import has succeeded, delete sign.p12 from the mailbox and the download folder: the file together with its password is the user's identity, and anyone holding both can use it.

Roles

By default, all users have equal access to the applications, for example: *.corp.example.com. To differentiate users and grant access only to specific application(s), for example: webapp.corp.example.com, roles should be used.

There are two distinct types of roles, i.e., System and User roles.

System Role

The default permissions to applications are maintained by the System role. It uses a combination of mode and permissions, as shown in the image below,

On save, the permissions are immediately applied.

Mode

The mode is either All Apps or Nothing. With All Apps, as the name suggests, every application is accessible unless a permission denies it. With Nothing, opening any application shows the unauthorized error page unless a permission allows it.

Permissions

To alter the default behavior of selected mode, permissions can be used. The syntax of a permission is as follows,

<deny or allow> <subdomain> [</url> or </urlprefix>]

All permissions in the example below are valid, they collectively define access for users,

 allow myapp.corp.example.com
 deny myapp.corp.example.com /this/path/*
 deny webapp.corp.example.com /this/file.php

A URL path prefix or an absolute path to a file can optionally be specified, as shown in the example above. Query strings and fragments cannot be matched; a rule applies to the path regardless of what follows it.

User Role

New roles can be created by clicking on Create a new role. Only after creation, the permissions can be added and groups can be assigned.

Groups

Roles are assigned to groups. It is straight forward to create a group and add/remove users.

Users can belong to multiple groups and hence can have various roles. Permissions from all the assigned roles, as well as the System role, will be used in authorization. In case of conflicts, longer URL paths and deny permissions take higher precedence.

List of applicable roles and groups can be viewed in Users section, under details of selected user.
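The following is an added illustration of the permission syntax and precedence described in the Permissions and Groups sections above; it is not 0SNet's own authorization code. It models the documented rules (mode as default, rules from all assigned roles combined, longer URL paths winning, deny winning on a tie, query strings and fragments ignored). How a "/prefix/*" rule treats a request for the bare "/prefix" path is an assumption made here.

```python
# Added illustration of 0SNet's documented role-permission rules.
# Not 0SNet's own code; it only models the syntax and precedence on this page:
#   <deny|allow> <subdomain> [</url> | </urlprefix>]
#   - the System role mode "All Apps" or "Nothing" sets the default,
#   - permissions from every assigned role plus the System role are combined,
#   - longer URL paths take precedence, and deny wins over allow on a tie,
#   - query strings and fragments are never matched.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Permission:
    effect: str    # "allow" or "deny"
    host: str      # subdomain the rule applies to
    path: str      # "/" when omitted; prefix rules keep their trailing "/"
    prefix: bool   # True for "/dir/*" and whole-subdomain rules, False for exact paths


def parse_permission(line: str) -> Permission:
    """Parse one line of '<deny|allow> <subdomain> [</url> | </urlprefix>]'."""
    parts = line.split()
    if len(parts) not in (2, 3) or parts[0] not in ("allow", "deny"):
        raise ValueError(f"invalid permission: {line!r}")
    effect, host = parts[0], parts[1].lower()
    if len(parts) == 2:
        return Permission(effect, host, "/", True)          # whole subdomain
    path = parts[2]
    if not path.startswith("/"):
        raise ValueError(f"path must start with '/': {line!r}")
    if path.endswith("/*"):
        return Permission(effect, host, path[:-1], True)    # "/this/path/*" -> prefix "/this/path/"
    return Permission(effect, host, path, False)            # exact file, e.g. "/this/file.php"


def _matches(perm: Permission, host: str, path: str) -> bool:
    if perm.host != host:
        return False
    if perm.prefix:
        # assumption: "/dir/*" also covers a request for "/dir" itself
        return path.startswith(perm.path) or path + "/" == perm.path
    return path == perm.path


def _rank(perm: Permission) -> Tuple[int, bool]:
    # longer paths win; on equal length deny (True) outranks allow (False)
    return (len(perm.path), perm.effect == "deny")


def decide(mode: str, rules: Iterable[str], host: str, url_path: str) -> bool:
    """Return True if a request for host + url_path is allowed under mode and rules."""
    if mode not in ("All Apps", "Nothing"):
        raise ValueError(f"unknown mode: {mode!r}")
    path = url_path.split("?", 1)[0].split("#", 1)[0]      # strip query string and fragment
    host = host.lower()
    best: Optional[Permission] = None
    for perm in map(parse_permission, rules):
        if _matches(perm, host, path) and (best is None or _rank(perm) > _rank(best)):
            best = perm
    if best is None:
        return mode == "All Apps"                           # no rule matched: fall back to the mode
    return best.effect == "allow"


# The three permissions quoted on this page, used as the System role's rule set.
SYSTEM_RULES: List[str] = [
    "allow myapp.corp.example.com",
    "deny myapp.corp.example.com /this/path/*",
    "deny webapp.corp.example.com /this/file.php",
]

if __name__ == "__main__":
    for host, path in [("myapp.corp.example.com", "/index.html"),
                       ("myapp.corp.example.com", "/this/path/a?x=1"),
                       ("webapp.corp.example.com", "/home"),
                       ("webapp.corp.example.com", "/this/file.php")]:
        for mode in ("Nothing", "All Apps"):
            verdict = "allow" if decide(mode, SYSTEM_RULES, host, path) else "deny"
            print(f"{mode:8} {host}{path}: {verdict}")
```

To evaluate a user who belongs to several groups, pass the System role's rules together with the rules of every role assigned to those groups as one list; the ranking makes the order of the list irrelevant.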

Version

Details of last change in roles can be checked with,

sudo 0snet --ac

0SNet maintains a version for every update to mode and permissions. The above command will output details of current version.

Attributes

This feature provides a way for applications to identify the logged in user and their attributes. User attributes can be anything custom, defined by the organization, associated to users. To give a few examples, attributes can be:

  • application roles (user, manager, administrator), or
  • access to features (minimal, new, audit), or
  • associated to a/b testing (alpha, beta, stable)

Configuration

In the example screenshot below, there are three different attributes with 3 values each.

An attribute can have many values and a given user can be associated to only one of those values. Each of the values can be either enabled or disabled. The default state of newly added value is enabled.

Integration

The information about the user and their associated attributes is shared with the application via an HTTP header, X-0SNet-User. The attributes are namespaced by adding the prefix snet: to their names; for example, an attribute app will appear as snet:app in the JWT payload. A sample JWT payload is as follows:

{
    "iss": "0th Root Secure Network",
    "aud": "0th Root",
    "sub": "admin",
    "iat": 1647507494,
    "nbf": 1647507494,
    "exp": 1647509294,
    "email_verified": true,
    "email": "user@example.com",
    "name": "ADMIN: Example User",
    "snet:department": "operations",
    "snet:application": "stable",
    "snet:systems": "admin"
}

The JWT payload will include default attributes such as sub, name and email to identify the user along with the custom attributes.

The value of the X-0SNet-User header is simply a base64 encoded JWT payload (only), which can be decoded and parsed as JSON text to access the attributes. Sample code can be found under the Integration section.

Because only the payload is sent, the application has no signature to verify. The header is trustworthy only as long as the application can be reached solely through the 0SNet host (see Network Firewall under Getting Started); otherwise a client could supply its own X-0SNet-User header.

For the header to be added to the requests, the option Pass User Information should be enabled for the application, under the Integration section. Once enabled, all requests to the application will include the X-0SNet-User header.

Any change in user attributes can take up to 30 seconds to reflect in the header due to an in-built cache.

Google Sign-In

Instead of 0SNet password authentication, Google OAuth can be used through the Google Sign-In (GSI) feature. When GSI is used, the user is prompted with a Sign In button, as shown below, instead of the usual username and password,

The email address of the user should match the Google account used for login.

Configuration

Create a new client ID for 0SNet in the Google API Console, and specify the JavaScript origins. When 0SNet is configured for *.example.com, the JavaScript origins would be a.example.com, b.example.com and so on. Unlike 0SNet, Google does not support wildcard origins, so every internal application and website needs to be added individually.

Enable GSI

The client ID can be set in 0SNet and GSI can be enabled using the command shown below,

sudo 0snet --gsi on [client-id]

Additional client IDs specific to domains can be added as follows,

sudo 0snet --gsi clientid [domain] [client-id]

To disable GSI at any point, the following command should be used,

sudo 0snet --gsi off

Do remember to restart 0SNet for changes to take effect,

sudo 0snet --stop && sudo 0snet --start

Process Changes

The user creation and certificate installation processes remain the same. Only at the time of login, the user is prompted with a Sign-In button instead of a user name and password. Hence, with GSI, the user does not need the 0SNet password or user name except at the time of certificate installation.

Related Notes

When GSI is enabled, the 0SNet server requires access to the public internet to function. It verifies the connection to external servers using the trusted root certificates available on the server, typically at /etc/pki/tls/certs/ca-bundle.crt. All CAs are treated equally, so it is important to keep the CA bundle up to date.

Microsoft Sign-In

Instead of password authentication method, 0SNet can be configured to use Microsoft OAuth 2.0 through the Microsoft Sign-In (MSI) feature. When MSI is enabled, users will be prompted with a Sign In button to login, as shown below,

The email address of the user should match the Microsoft account used for login.

Configuration

A client-id provided by Microsoft is needed to enable MSI in 0SNet. It can be found in Azure Active Directory.

An application needs to be registered, as shown in the images below. Choose "Accounts in any organizational directory", i.e., Multitenant, or whichever is relevant,

And, to support Sign-In across all sites configured under 0SNet, they need to be added under Redirect URIs for the application,

Enable MSI

The client-id can be set in 0SNet to enable MSI using the command shown below,

sudo 0snet --msi on [client-id]

To disable MSI at any point, the following command should be used,

sudo 0snet --msi off

Do remember to restart 0SNet for changes to take effect,

sudo 0snet --stop && sudo 0snet --start

Single Tenant

Optionally, if you choose Supported account types as Single tenant, tenant-id can be added with the command shown below,

sudo 0snet --msi tenant [tenant-id]

Do remember to restart 0SNet for changes to take effect,

sudo 0snet --stop && sudo 0snet --start

Process Changes

The user creation and certificate installation processes remain exactly the same. Only at the time of login, users will be presented with a Microsoft Sign-In button. Hence, with MSI enabled, password for the user will need to be used only for certificate installation.

Related Notes

Enabling MSI adds a dependency on the Microsoft Login and Microsoft Graph API services. If either of them is down, users will not be able to log in to 0SNet. This also means that a public internet connection is required on the 0SNet server.

The connections to Microsoft services are verified using the trusted root certificates available on the server, typically at /etc/pki/tls/certs/ca-bundle.crt. All CAs are treated equally, so it is important to keep the CA bundle up to date.

OpenID Connect Sign-In

Instead of the password authentication method, 0SNet can be configured to use any Identity Provider supporting OpenID Connect (OIDC). When OIDC is enabled, users will be prompted with an OpenID button to log in, as shown below,

The email address of the user should match the account used for login.

Fallback for Google or Microsoft Sign-In

OpenID Connect can also be used as a backup login for Google or Microsoft Sign-In. This requires setting the UX option to fallback, as follows,

sudo 0snet --oidc config ux fallback

As shown in the image below, a dropdown with option Use Open ID Connect will be displayed in fallback mode. The experience will be similar for both Google Sign-In and Microsoft Sign-In, when enabled along with OpenID connect.

All configuration options are mentioned in quick reference

Configuration

An OpenID configuration URL and a Client ID provided by Identity Provider is needed to enable OIDC in 0SNet.

Redirect URIs

When creating the client-id, it is necessary to add the callback URL under Authorized Redirect-URIs. This enables the identity provider to transmit authentication information.

https://0snet.corp.example.com/.snet-known/oidc-callback

Replace the domain in the above Redirect URI with your configured domain.

Enable OIDC

The client-id and config-url can be set in 0SNet to enable OIDC using the command shown below,

sudo 0snet --oidc on [client-id] [config-url]

To disable OIDC at any point, the following command should be used,

sudo 0snet --oidc off

Do remember to restart 0SNet for changes to take effect,

sudo 0snet --stop && sudo 0snet --start

Authentication flows

By default, the Implicit flow is used for authentication. The OAuth 2.0 Security Best Current Practice recommends against the Implicit flow, because tokens are returned in the URL fragment; where the Identity Provider supports it, switch to the Code flow with PKCE using the command shown below,

sudo 0snet --oidc config flow code+pkce

If the token endpoint requires client authentication, the authentication method along with the client secret can be set in 0SNet using the command shown below. The secret is then held on the 0SNet server, so restrict access to the host accordingly,

sudo 0snet --oidc config auth post:client-secret

Do remember to restart 0SNet for changes to take effect,

sudo 0snet --stop && sudo 0snet --start

Process Changes

The user creation and certificate installation processes remain exactly the same. Only at the time of login, users will be presented with an OpenID button. Hence, with OIDC enabled, password for the user will need to be used only for certificate installation.

Related Notes

Enabling OIDC adds a dependency on the Identity Provider. If it is down, users will not be able to log in to 0SNet.

The connections to the Identity Provider are verified using the trusted root certificates available on the server, typically at /etc/pki/tls/certs/ca-bundle.crt. All CAs are treated equally, so it is important to keep the CA bundle up to date.

Reports

This page provides an overview of reporting capabilities. 0SNet maintains a detailed log of all activities performed by administrators, as well as users. These logs serve as the basis for generating reports.

There are three types of reports that can be generated:

  #  Type          Contents
  1  events-user   Actions performed by regular users, such as signing in
  2  events-admin  Actions performed by administrators, such as creating user accounts
  3  users-active  All currently active users, along with information such as their last login and creation date

The reporting functionality outputs the reports in CSV format, making it easy to view it in your tool of choice.

Options

To generate a report, please run the following command,

sudo 0snet --report <type> [YYYY-MM-DD [YYYY-MM-DD]]

Where, type is one of the report types listed in the table above. Optionally, the start date and end date can be specified to generate report for a given date range. A few examples are as follows,

sudo 0snet --report events-user 2023-01-01 > user-actions-since-jan-1.csv
sudo 0snet --report events-admin > all-admin-actions.csv
sudo 0snet --report users-active 2022-04-01 2023-03-31 > active-users-in-fy.csv

Fields

The reports that you generate will include the following fields:

  events-user         events-admin   users-active
  Date/Time           Date/Time      User ID
  Event               Event          Creation Time
  Result              Result         Deletion Time
  User ID             Admin ID       Last Login
  Remote IP Address   User ID        Status
  Details             Details
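The following is an added example of triaging an events-user report once it has been generated; it is not a 0SNet feature. The column names follow the Fields table above. The report rows, the Event and Result values in them ("login", "success", "failure") and the thresholds are constructed for this example, since the page does not list the actual event vocabulary.

```python
# Added example: triage of a "0snet --report events-user" CSV. Not a 0SNet feature.
# Column names come from the Fields table on this page; the rows below and the
# Event/Result values in them are constructed, and the thresholds are starting points.
import csv
import io
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample report (the real one comes from: sudo 0snet --report events-user ...)
SAMPLE_REPORT = """Date/Time,Event,Result,User ID,Remote IP Address,Details
2023-03-01 09:00:12,login,success,alice,198.51.100.10,
2023-03-01 09:05:40,login,success,bob,198.51.100.11,
2023-03-01 22:10:01,login,failure,alice,203.0.113.7,bad password
2023-03-01 22:10:05,login,failure,bob,203.0.113.7,bad password
2023-03-01 22:10:09,login,failure,carol,203.0.113.7,bad password
2023-03-01 22:10:14,login,failure,dave,203.0.113.7,bad password
2023-03-02 08:30:00,login,success,alice,198.51.100.10,
2023-03-02 13:45:22,login,success,alice,192.0.2.44,
2023-03-02 13:46:01,login,success,alice,203.0.113.90,
"""

Row = Dict[str, str]


def load_report(csv_text: str) -> List[Row]:
    """Parse the CSV produced by the report command into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def counts_by_result(rows: List[Row]) -> Dict[str, int]:
    """How many events ended in each Result value (a quick health check)."""
    counts: Dict[str, int] = defaultdict(int)
    for row in rows:
        counts[row["Result"]] += 1
    return dict(counts)


def ips_touching_many_users(rows: List[Row], threshold: int = 3) -> Dict[str, Set[str]]:
    """Remote IPs with events for at least `threshold` distinct user IDs.

    One address cycling through many accounts is a password-spray or
    credential-stuffing indicator regardless of whether the attempts succeeded.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for row in rows:
        seen[row["Remote IP Address"]].add(row["User ID"])
    return {ip: users for ip, users in seen.items() if len(users) >= threshold}


def users_from_many_ips(rows: List[Row], threshold: int = 3) -> Dict[str, Set[str]]:
    """Users with successful events from at least `threshold` distinct IPs.

    "success" as the Result value is an assumption for this example. A certificate
    plus password (or a Google/Microsoft/OIDC account) used from many networks in a
    short window is worth a look, since the sign.p12 file is copyable.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for row in rows:
        if row["Result"] == "success":
            seen[row["User ID"]].add(row["Remote IP Address"])
    return {user: ips for user, ips in seen.items() if len(ips) >= threshold}


if __name__ == "__main__":
    rows = load_report(SAMPLE_REPORT)
    print("results:", counts_by_result(rows))
    print("spraying IPs:", ips_touching_many_users(rows))
    print("roaming users:", users_from_many_ips(rows))
```

Replace SAMPLE_REPORT with the contents of a file written by the report command; the Date/Time column is carried through unparsed, so a date-range filter should use the report command's own start and end date arguments.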

License

0SNet incorporates a licensing system for easier distribution and sale of the software. Every install of 0SNet comes with a license file which works for up to 3 users. You can review the license information using the following command,

$ sudo 0snet --license info
                                                                        
0throot license file                                      
                                                                        
     License Key : UzXE/CV82m6kysyrtYQfv6X13wX6tWdnR/IPeULoaroR
         Product : 0th Root Secure Network
          Domain : .corp.example.com
    Organization : Example Company Ltd.
  Date of Expiry : Dec 24, 2019 14:17 IST
           Users : 5
      Valid Upto : N/A

Contact us @ support@0throot.com for any queries.

License files are updated periodically (default: 1hr) through a cronjob. To update them manually, please run,

sudo 0snet --license sync

Command Line Interface (CLI)

0snet --cli <action> <arguments>


actions:-
useradd, userreset, userdelete, userstatus, usergroup
arguments:-
    --name "full name"
    --email "email address"
    --userid "user-id"
    --group "group name"
    --nocert
    --enable
    --disable
    --add
    --remove
    --json
        
usage:-
    useradd --name <> --email <> --userid <> [--group <>]
    userreset  (--userid <> | --email <>)
    userdelete (--userid <> | --email <>)
    userstatus (--userid <> | --email <>) (--enable | --disable)
    usergroup  (--userid <> | --email <>) --group <> (--add | --remove)
        

DESCRIPTION

The --cli option of 0snet utility provides a command line interface to manage users within 0th Root Secure Network (0SNet). The utility can output in JSON format for easier integrations, refer to OUTPUT section for more details. And, to know more on possible integrations, refer to INTEGRATION section.

useradd can be used to add new user, it requires the --name, --email, --userid to be specified. user-id should be a single word with one or more of the following characters, a-z A-Z 0-9 - . _ :. Optionally, the newly created user can be added to groups by specifying the group name, with --group argument. Multiple groups can be specified by repeating --group. And, --nocert can be used to add the user without certificate.

By default, newly added users are enabled, and they are not administrators. User manager should be used to set the added user as an administrator, if needed.

userreset will reset user certificate and credentials. The command outputs the new password, and it should be securely communicated to the user. When --email is used, all users matching the email address are reset.

userdelete can be used to delete user(s). All users matching the email address are deleted when using --email.

userstatus should be used when a user needs to be disabled, or when a disabled user needs to be re-enabled. On using the --email argument, all matching users are updated.

usergroup will add or remove user(s) from the specified list of groups. Multiple groups can be specified by repeating the --group argument. In case of a failure, the user(s) may be added or removed from some groups and not all.

The actions userstatus and usergroup are idempotent, and can be safely repeated, in case of any error.

OUTPUT

In case of errors, the exit code of the command will be non-zero. The output format for useradd will be,

<user-id> <password>

And, when --json argument is specified, the output format changes to a JSON text, as follows,

{"status":{"code":0,"message":""},"output":{"<user-id>":"<password>"}}

In case of an error, the above JSON text will have code set to non-zero value and message will contain the description of the error.

For userreset, the output may contain multiple user-ids and passwords, one per line, when --email argument is used. The output JSON text can also have multiple user-ids as keys with corresponding passwords as values.

INTEGRATION

Scripts can be developed to process user information and pass on to 0snet-cli to perform a specific action. This could be a one-time task, such as for bulk addition of users, or could be a cron job for periodically adding and removing users.

A job management system could also be used, to securely login to server and run 0snet-cli to perform a specific action.

Exposing the actions of 0snet-cli as a service is NOT RECOMMENDED.
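The following is an added example of the scripted approach described under INTEGRATION: bulk user creation from a CSV file that drives 0snet --cli useradd with --json output. It is not part of 0SNet. It assumes a CSV with the columns name, email, userid and groups (groups separated by ";"), and that it runs on the 0SNet server where sudo 0snet works. The demo at the bottom substitutes a constructed runner that answers with the JSON shown in this page's EXAMPLES, so it can be run without 0SNet installed.

```python
# Added example of the INTEGRATION approach: bulk user creation from a CSV file
# driving "sudo 0snet --cli useradd ... --json". Not part of 0SNet.
# Assumed CSV columns: name,email,userid,groups (groups separated by ";").
import csv
import io
import json
import re
import subprocess
from typing import Callable, Dict, List

# user-id: one or more of  a-z A-Z 0-9 - . _ :  (as documented for useradd)
USERID_RE = re.compile(r"[A-Za-z0-9._:-]+")


def build_useradd_argv(row: Dict[str, str]) -> List[str]:
    """Translate one CSV row into the argv for 0snet --cli useradd."""
    userid = row["userid"].strip()
    if not USERID_RE.fullmatch(userid):
        raise ValueError(f"invalid user-id {userid!r}")
    argv = ["sudo", "0snet", "--cli", "useradd",
            "--name", row["name"].strip(), "--email", row["email"].strip(),
            "--userid", userid]
    for group in (g.strip() for g in row.get("groups", "").split(";")):
        if group:
            argv += ["--group", group]              # repeat --group for each group
    argv.append("--json")
    return argv


def parse_cli_json(stdout: str) -> Dict[str, str]:
    """Return the output map ({user-id: password}) or raise on a non-zero status code."""
    doc = json.loads(stdout)
    status = doc.get("status", {})
    if status.get("code", 1) != 0:
        raise RuntimeError(status.get("message") or "0snet --cli failed")
    return dict(doc.get("output", {}))


def provision(csv_text: str,
              run: Callable[..., subprocess.CompletedProcess] = subprocess.run
              ) -> Dict[str, Dict[str, str]]:
    """Create every user in csv_text; returns {'created': {id: password}, 'failed': {id: reason}}."""
    created: Dict[str, str] = {}
    failed: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            argv = build_useradd_argv(row)
            proc = run(argv, capture_output=True, text=True)
            if proc.returncode != 0 and not proc.stdout.strip():
                raise RuntimeError(proc.stderr.strip() or f"exit status {proc.returncode}")
            created.update(parse_cli_json(proc.stdout))   # raises on a non-zero status code
        except (KeyError, ValueError, RuntimeError) as exc:
            failed[row.get("userid", "?")] = str(exc)
    # The initial passwords must reach each user over a secure channel;
    # do not write this dict to a shared log.
    return {"created": created, "failed": failed}


# Constructed input for the demo: the two users from this page's EXAMPLES plus
# one row with an invalid user-id.
SAMPLE_CSV = """name,email,userid,groups
Example User,user@example.com,example1,
Example User (Mobile),user@example.com,example2,Sales;Employee
Bad User,bad@example.com,bad user,
"""


def fake_run(argv: List[str], **_) -> subprocess.CompletedProcess:
    """Constructed stand-in for subprocess.run that replays this page's EXAMPLES output."""
    userid = argv[argv.index("--userid") + 1]
    passwords = {"example1": "kfuKN16t", "example2": "lbLgduIA"}
    if userid in passwords:
        out = json.dumps({"status": {"code": 0, "message": ""}, "output": {userid: passwords[userid]}})
        return subprocess.CompletedProcess(argv, 0, stdout=out, stderr="")
    out = json.dumps({"status": {"code": 1, "message": "user exists"}})
    return subprocess.CompletedProcess(argv, 1, stdout=out, stderr="")


def demo() -> Dict[str, Dict[str, str]]:
    return provision(SAMPLE_CSV, run=fake_run)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On the real server, call provision() with run left at its default so that sudo 0snet is executed; the non-zero exit code and the status.message in the JSON are both handled, and rows that fail validation never reach the CLI.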

EXAMPLES

In the examples below, the first line is the command and the lines that follow are its output,

$ sudo 0snet --cli useradd --name "Example User" --email "user@example.com" --userid "example1"
example1 kfuKN16t
        
$ sudo 0snet --cli userstatus --userid "example1" --disable
updated user(s) successfully
        
$ sudo 0snet --cli userreset --userid "example1" --json
{"status":{"code":0,"message":""},"output":{"example1":"Ipt38AY8"}}
        
$ sudo 0snet --cli usergroup --userid "example1" --group "Employee" --add
updated users and groups successfully
        
$ sudo 0snet --cli userstatus --userid "example1" --enable --json
{"status":{"code":0,"message":"updated user(s) successfully"}}
        
$ sudo 0snet --cli userstatus --userid "example1"
example1 enabled
        
$ sudo 0snet --cli useradd --name "Example User (Mobile)" --email "user@example.com" --userid "example2" --group "Sales" --group "Employee" --json
{"status":{"code":0,"message":""},"output":{"example2":"lbLgduIA"}}
        
$ sudo 0snet --cli userreset --email "user@example.com"
example2 RqaHy9zH
example1 Scrn3HJ3
        
$ sudo 0snet --cli userdelete --userid "example2"
deleted user(s) successfully
        
$ sudo 0snet --cli usergroup --userid "example1" --group "Employee" --remove
updated users and groups successfully
        

Quick Reference

BASIC COMMANDS

sudo 0snet --status
Check if server is running
sudo 0snet --start
Start the server
sudo 0snet --stop
Stop the server
sudo 0snet --graceful-stop
Gracefully stop the server
sudo 0snet --reload
Gracefully reload the server
sudo 0snet --stop && sudo 0snet --start
Restart the server

LICENSE MANAGEMENT

sudo 0snet --license info
Show details of current license file
sudo 0snet --license sync
Download new license file
sudo 0snet --license sync status
Display status of license file sync
sudo 0snet --license sync off
Disable automatic sync
sudo 0snet --license sync on
Enable automatic sync

GOOGLE SIGN-IN (GSI)

sudo 0snet --gsi on [client-id]
Enable Google Sign-In
sudo 0snet --gsi off
Disable Google Sign-In
sudo 0snet --gsi method status
Current login method
sudo 0snet --gsi method sign-in
Choose Sign-In method (deprecated)
sudo 0snet --gsi method identity-services
Enable Identity Services (default)
sudo 0snet --gsi clientid
List configured client IDs
sudo 0snet --gsi clientid <domain> <client-id>
Set client ID for domain
sudo 0snet --gsi clientid <domain> unset
Unset client ID for domain
sudo 0snet --gsi openid status
Check OpenID document status
sudo 0snet --gsi openid sync
Download OpenID document and keys
sudo 0snet --gsi openid verify:<mode>
Change verification mode
Available modes: iv, i, v

MICROSOFT SIGN-IN (MSI)

sudo 0snet --msi on [client-id]
Enable Microsoft Sign-In
sudo 0snet --msi off
Disable Microsoft Sign-In
sudo 0snet --msi tenant [tenant-id]
Specify Tenant ID or "common"
sudo 0snet --msi openid status
Check OpenID document status
sudo 0snet --msi openid sync
Download OpenID document and keys
sudo 0snet --msi openid verify:<mode>
Change verification mode
Available modes: aiu, ai, iu, i, a

OPENID CONNECT SIGN-IN (OIDC)

sudo 0snet --oidc on [client-id] [config-url]
Enable OpenID Connect
sudo 0snet --oidc off
Disable OpenID Connect
sudo 0snet --oidc sync
Download OpenID document and keys
sudo 0snet --oidc status
Show OpenID configuration and document status
sudo 0snet --oidc config ux <value>
Change user experience
Available values: fallback, primary
sudo 0snet --oidc config mode <mode>
Change verification mode
Available modes: i, iu
sudo 0snet --oidc config flow <flow>
Change authentication flow
Available flows: implicit, code, code+pkce
sudo 0snet --oidc config auth <auth>[:secret]
Change authentication method
Available methods: none, basic, post

SYNCHRONIZATION BETWEEN SERVERS (RSYNC)

Secondary server actions

sudo 0snet --rsync check
sudo 0snet --rsync check on
sudo 0snet --rsync check off
Check for changes from primary server
sudo 0snet --rsync clean
Clear local state

Primary server actions

sudo 0snet --rsync key
Show SSH public key to add to Secondary servers
sudo 0snet --rsync users             <host> [ssh-options]
sudo 0snet --rsync users,login       <host> [ssh-options]
sudo 0snet --rsync users,login,certs <host> [ssh-options]
Sync data once
sudo 0snet --rsync users <host> :B:<bastion> [ssh-options]
Sync data once via <bastion> server
sudo 0snet --rsync config <host> [ssh-options]
Sync configuration once

LET'S ENCRYPT MANAGEMENT

sudo 0snet --letsencrypt mode
Get current mode
sudo 0snet --letsencrypt mode <mode>
Set Let's Encrypt mode
Values: auto, dns, off
sudo 0snet --letsencrypt 0snet <0snet-?>
Change reserved subdomain
Examples: 0snet-a, 0snet-1
sudo 0snet --letsencrypt 0snet on
Reset reserved subdomain to 0snet
sudo 0snet --letsencrypt hosts
Check current reserved subdomain in the hosts list

MISCELLANEOUS

sudo 0snet --act tlsconfig <key> <cert>
Use custom TLS server certificate instead of Let's Encrypt issued certificates
sudo 0snet --opt authcert
sudo 0snet --opt authcert enforced
sudo 0snet --opt authcert configurable
Enforce TLS Client Certificate Authentication (or) Allow it to be configurable

High Availability

0SNet is a highly flexible and resilient system: it can be deployed on multiple servers across regions to form a cluster. Because the architecture is decentralized, each server runs independently and is resilient to failures on other servers.

Architecture

It uses a Primary-Secondary architecture: administration happens on the Primary server, while serving happens through one or more Secondary servers. A push mechanism transfers the data periodically to the Secondary servers.

To perform zero downtime maintenance, two or more Secondary servers can be placed under a load balancer. As long as a single Secondary server is running, there will not be any user impact.

Primary Access

0SNet uses rsync in multiple stages to transfer the data reliably to the Secondary servers. This requires the SSH key of the Primary to be authorized on the Secondary servers. To obtain the SSH public key of the Primary, run the following command.

sudo 0snet --rsync key                                    # Run on PRIMARY

The output of the above command needs to be added to /root/.ssh/authorized_keys on Secondary servers.
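One way to carry out that authorization step on a Secondary, as an added example that is not part of 0SNet and not a command the product provides: a POSIX shell function that appends the Primary's public key to authorized_keys only when it is not already there, sets the permissions OpenSSH requires on the directory and file, and (an assumption of this example, not something the page prescribes) can prefix the key with a from= option so the key is only usable from the Primary's address. The key line below is a constructed placeholder standing in for the output of 0snet --rsync key, not a real key.

```sh
#!/bin/sh
# Added example, not part of 0SNet: idempotently authorize the Primary's SSH public key
# on a Secondary server. The from="..." restriction is an assumption of this example;
# the page only says to add the key to /root/.ssh/authorized_keys.

# Constructed placeholder key line, standing in for the output of "0snet --rsync key".
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD primary@0snet"

# authorize_primary_key <authorized_keys path> <public key line> [primary-ip]
# Returns 0 when the key is present afterwards, 2 when the key line is rejected.
authorize_primary_key() {
    auth_file=$1
    pubkey=$2
    primary_ip=$3

    # Accept only recognizable OpenSSH key types; anything else is refused.
    case "$pubkey" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*\ *) ;;
        *) echo "authorize_primary_key: unrecognized key line" >&2; return 2 ;;
    esac

    # "type blob" identifies the key; the comment and any options are ignored
    # when checking for duplicates.
    key_id=$(printf '%s\n' "$pubkey" | awk 'NF >= 2 { print $1 " " $2 }')
    [ -n "$key_id" ] || { echo "authorize_primary_key: malformed key line" >&2; return 2; }

    # OpenSSH ignores authorized_keys when the directory or file is group/world writable.
    ssh_dir=$(dirname "$auth_file")
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"

    if grep -v '^#' "$auth_file" | grep -qF "$key_id"; then
        echo "key already authorized in $auth_file"
        return 0
    fi

    if [ -n "$primary_ip" ]; then
        # Restrict the key to the Primary's address (least privilege).
        printf 'from="%s" %s\n' "$primary_ip" "$pubkey" >> "$auth_file"
    else
        printf '%s\n' "$pubkey" >> "$auth_file"
    fi
    echo "key added to $auth_file"
}

# count_key <authorized_keys path> <public key line>: how many lines carry this key.
count_key() {
    key_id=$(printf '%s\n' "$2" | awk 'NF >= 2 { print $1 " " $2 }')
    grep -v '^#' "$1" | grep -cF "$key_id"
}
```

Running the function twice with the same key leaves a single line in the file, so it is safe to include in provisioning scripts that are re-run. The from= restriction is compared by sshd against the connecting address, so it must name the address the Primary actually connects from (the bastion's, when rsync goes through one).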

Initial Setup

Once 0SNet is installed on the Secondary servers, they should be configured using the command below,

sudo 0snet --rsync config <IP1>,<IP2>,...                 # Run on PRIMARY

To push the data to Secondary, the rsync command is as follows,

sudo 0snet --rsync users,login,certs,hosts <IP1>,<IP2>,... # Run on PRIMARY

Also, set up a cron job to synchronize periodically. A sample cron job is shown below,

0,30 * * * * root 0snet --rsync users,login,certs,hosts <IP1>,<IP2>,...

Secondary Configuration

On the Secondary servers, the following commands should be run,

sudo 0snet --opt authorigin any                           # Run on SECONDARY
sudo 0snet --rsync check on                               # Run on SECONDARY
sudo 0snet --letsencrypt mode off                         # Run on SECONDARY
sudo 0snet --license sync                                 # Run on SECONDARY

After running the above commands, reboot the Secondary servers,

sudo systemctl reboot                                     # Run on SECONDARY

NOTE: If you are using the legacy configuration of hosts, you may need to copy the /etc/hosts entries to the Secondary servers.

DNS Configuration

Once a load balancer is configured for the Secondary servers, the DNS entries can be made as shown below,

    *.corp.example.com    A    <Load-Balancer-IP>
0snet.corp.example.com    A    <Primary-IP>

TLS Configuration

If you are using the default Let's Encrypt integration, run the commands below to change to DNS mode.

sudo 0snet --letsencrypt mode dns                         # Run on PRIMARY
sudo 0snet --letsencrypt auto                             # Run on PRIMARY
sudo 0snet --reload                                       # Run on PRIMARY

Alternatively, you can add your own wildcard TLS certificate as follows,

sudo 0snet --letsencrypt mode off                         # Run on PRIMARY
sudo 0snet --act tlsconfig <key-path> <certificate-path>  # Run on PRIMARY
sudo 0snet --reload                                       # Run on PRIMARY
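Before handing a key and certificate to --act tlsconfig, it is worth checking that they belong together and that the certificate actually covers the wildcard. The following is an added example, not part of 0SNet: a POSIX shell function built on the openssl command-line tool that compares the public key derived from the private key with the one embedded in the certificate, checks that DNS:*.<domain> is present among the subject alternative names, and checks that the certificate has not expired. The make_sample_cert helper exists only to generate a throwaway self-signed certificate for trying the check; corp.example.com follows the page's example domain.

```sh
#!/bin/sh
# Added example, not part of 0SNet: pre-flight checks for a custom wildcard certificate
# before running "0snet --act tlsconfig <key-path> <certificate-path>".

# tls_preflight <key-path> <certificate-path> <domain>
# Returns 0 when the private key matches the certificate, the certificate lists
# DNS:*.<domain> as a subject alternative name and it has not expired; otherwise
# reports the reason on stderr and returns 1.
tls_preflight() {
    key=$1; cert=$2; dom=$3

    # The public key derived from the private key must equal the one in the certificate.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "tls_preflight: cannot read private key $key" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) \
        || { echo "tls_preflight: cannot read certificate $cert" >&2; return 1; }
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "tls_preflight: private key does not match certificate" >&2
        return 1
    fi

    # The wildcard must be a SAN entry (clients ignore the CN); split the SAN list on
    # commas and compare whole entries so a longer name cannot match by prefix.
    if ! openssl x509 -in "$cert" -noout -text | tr ',' '\n' | sed 's/^ *//' \
            | grep -qxF "DNS:*.$dom"; then
        echo "tls_preflight: certificate does not cover *.$dom" >&2
        return 1
    fi

    # -checkend 0 fails when the certificate is already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "tls_preflight: certificate has expired" >&2
        return 1
    fi
    echo "tls_preflight: OK for *.$dom"
}

# make_sample_cert <dir> <domain>: generate a throwaway self-signed wildcard
# certificate and key (test fixture only) as <dir>/cert.pem and <dir>/key.pem.
make_sample_cert() {
    dir=$1; dom=$2
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = *.$dom
[v3]
subjectAltName = DNS:*.$dom, DNS:$dom
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/san.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}
```

A typical use is tls_preflight /path/to/key.pem /path/to/cert.pem corp.example.com immediately before the --act tlsconfig line above; a non-zero exit stops the change before 0SNet is reloaded with a mismatched or non-wildcard certificate.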

Once the above steps are completed, the system is highly available and additional Secondary servers can be added to horizontally scale the system.

Let's Encrypt

0SNet provides tools for easier integration with Let's Encrypt TLS certificates. It internally uses the Certbot client to obtain and manage Let's Encrypt issued TLS certificates.

NOTE: This feature is intended for setups where the 0SNet server has a public IP and the default HTTP port 80 is available. In private setups, or where port 80 is used by a different program, the domain validation needed to obtain certificates cannot be performed.

Certbot

A package for the Certbot client is available on various distributions. On CentOS/RHEL 7.x, run the following command to install the EPEL repository,

sudo yum install epel-release

and install the certbot package,

sudo yum install certbot

In case the client cannot be installed through the native package manager, the following command can be used to download and install the Certbot client.

The install of Certbot will be local to 0SNet. However, additional dependent packages will get installed and/or upgraded during the process. In case of any errors, you can attempt an experimental install with the option --debug, but make sure you have taken the necessary backups before using it.

Hosts

0SNet is intended to secure all subdomains of the chosen domain, such as *.example.com. But since the Let's Encrypt platform currently supports only multi-domain TLS certificates (up to 100 domains) over the HTTP-01 challenge, and not wildcards, the list of subdomains used is gathered by parsing the /etc/hosts file. This list of subdomains can be verified by running the command shown below,

Ensure that all required subdomains are part of the list before fetching the TLS certificate. On adding a new subdomain, a new TLS certificate should be obtained (fetch) and enabled (on).
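A way to see what such a parse yields before fetching, as an added example that is not part of 0SNet: the product's own parser is not shown on the page, so the parsing rules here (comments stripped, every name field after the address considered, names compared case-insensitively) are this example's assumptions. It is a POSIX shell function that lists the unique names under the chosen domain in a hosts file, a check against the 100-name limit quoted above, and a companion that reports which required names are missing. The sample hosts content is constructed.

```sh
#!/bin/sh
# Added example, not part of 0SNet: gather the subdomains of a domain from a hosts file
# the way a pre-flight check might, and compare them against the names that must be
# on the certificate. The parsing rules below are assumptions of this example.

# Constructed sample hosts file content (not from a real system).
SAMPLE_HOSTS='127.0.0.1   localhost
# internal applications published through 0SNet
10.0.0.5    git.corp.example.com    git
10.0.0.6    wiki.corp.example.com   wiki.corp.example.com
10.0.0.7    CI.corp.example.com     ci
10.0.0.8    mail.example.com                 # not under corp.example.com
10.0.0.9    0snet.corp.example.com'

# Let's Encrypt issues at most 100 names per certificate (figure from the page).
MAX_SAN=100

# hosts_subdomains <hosts file> <domain>: print the unique names under <domain>, sorted.
hosts_subdomains() {
    awk -v dom="$2" '
        BEGIN { dom = tolower(dom) }
        { sub(/#.*/, "") }                      # strip comments, fields are re-split
        NF < 2 { next }                         # need an address and at least one name
        {
            for (i = 2; i <= NF; i++) {
                n = tolower($i)
                # keep names that end in "." dom and have a label before it
                if (length(n) > length(dom) + 1 &&
                    substr(n, length(n) - length(dom)) == "." dom)
                    seen[n] = 1
            }
        }
        END { for (n in seen) print n }
    ' "$1" | sort
}

# count_subdomains <hosts file> <domain>: number of unique names found.
count_subdomains() {
    hosts_subdomains "$1" "$2" | wc -l | tr -d ' '
}

# within_san_limit <hosts file> <domain>: 0 if the list fits on one certificate.
within_san_limit() {
    [ "$(count_subdomains "$1" "$2")" -le "$MAX_SAN" ]
}

# missing_subdomains <hosts file> <domain> <name>...: print required names not in the list.
missing_subdomains() {
    hf=$1; dom=$2; shift 2
    listed=$(hosts_subdomains "$hf" "$dom")
    for want in "$@"; do
        printf '%s\n' "$listed" | grep -qxF "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" \
            || echo "$want"
    done
}
```

Pointed at the real file, hosts_subdomains /etc/hosts corp.example.com lists the names a certificate request would carry, and missing_subdomains /etc/hosts corp.example.com vpn.corp.example.com prints any name that still needs an /etc/hosts entry before a fetch.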

Certificate

Let's Encrypt certificates are domain validated and are issued immediately. To obtain a new certificate, run the fetch command as follows,

During the process, the 0SNet server will be stopped and started, with the service being offline for a few minutes.

Enable/Disable

A newly issued certificate is not automatically used by 0SNet. To enable the Let's Encrypt certificate, run the following command,

sudo 0snet --letsencrypt on

And, to switch back to the previous certificate, i.e., stop using the Let's Encrypt certificate, run the command below,

sudo 0snet --letsencrypt off

Renewal

0SNet checks the certificate for renewal daily and renews it automatically. During the renewal process, which happens once every 2-3 months, the server may be offline for a few minutes.

The log messages are written to syslog, typically available at /var/log/messages; check it for any errors during renewal.

Contact Us

0SNet is a product of 0th Root Software Research. For any questions or suggestions, please write to us at support@0throot.com.

We are located at,

(Primary Address)
RMZ Latitude Commercial,
10th Floor,
Bellary Rd, Hebbal,
Bengaluru - 560 024. (INDIA)

No.24, Tatia Nagar Phase -3,
Nolambur, Maduravoyal PO,
Chennai - 600 095. (INDIA)
+91 44 2653 2984