Version: 3.21

Orbit Command Line Interface

Introduction

To facilitate administration of the operating system that hosts senhasegura, integration with basic network services, and even updates of the binaries that make up the entire system architecture, from version 3.2 of senhasegura the administrator can use the orbit command-line tool, which centralizes the main maintenance and configuration operations of the platform.

These operations need privilege elevation. Therefore, only the users root and mt4adm are allowed to use the binary.

Symbols used in this cookbook

This book uses the following symbols to highlight information that should be taken into account for the best use of senhasegura:

info

Info - useful information that can make the use of the solution more dynamic

caution

Caution - actions and items that cannot be ignored

  • commands : data that must be entered in the same way as described in this book

  • URLs : paths to access web pages.
  • <KEYS> : keyboard paths that will be used to perform actions.

Available commands

If executed without any instructions, the orbit command displays its default syntax. Several modules are available, and each of them acts on different services or internal components of senhasegura.

caution

If you are in a cluster architecture, it is important to know that the actions performed in one instance are not reflected in all other instances. For the commands that can affect the operation of the cluster, it is necessary that you manually execute the commands in each of the instances.

caution

The commands below can restart services essential to the operation of the application, generating a momentary unavailability. Invalid settings can cause irreversible unavailability.

You will always be alerted of the possibility of unavailability and asked if you wish to proceed with the execution of commands.

If you try to run orbit without privilege elevation, you will receive a warning message.

mt4adm@vmdf-giskard:~$ orbit
This program must be run with root permissions!

With privilege elevation you will see the available modules. The same result can be obtained with 'orbit --help'.

mt4adm@vmdf-giskard:~$ sudo orbit
Usage: orbit <command>

Orbit is the MT4:senhasegura cli created to provide tools for system
configuration and administrative routines.

Flags:
--help Show context-sensitive help.

Commands:
application Application settings tools.
network Network settings tools
hostname Change the server hostname. Changing the hostname you
will need reboot of the server.
dns The Domain Name System (DNS) management tools
ntp The Network Time Protocol (NTP) management tools
tuning Application tuning configuration
upgrade Upgrade the system by installing/upgrading packages
backup Application backup settings
cluster High Availability and Disaster Recovery settings tools
webssl Webserver SSL certificates management tools
locale Language and locale settings
partition File system partitions management tools
disk Disks management tools
zabbix Zabbix client configuration
proxy Application access proxy settings
fajita Fajita access proxy management tools
snmp Simple Network Management Protocol (SNMP) management
tools
firewall System Firewall management tools
shutdown Power-off or reboot the machine safely.
service Send commands to the systemd manager
security System security management tools
version Print version information and quit

Run "orbit <command> --help" for more information on a command.

You can display the help of each module using the syntax orbit <command> --help, where <command> should be replaced by the desired module. Example: orbit dns --help.

We will now present module by module with its features and examples.

Getting the platform version

You can get the version of the senhasegura platform using the command orbit version. It is important that all members of a cluster are on the same version, and the version information should be included in any support request.

mt4adm@vmdf-giskard:~$ sudo orbit version
senhasegura Orbit Console
Version 1.1.0-28

Application
Orbini 5.10.9.3
senhasegura 3.2.0.1

Managing the Application

caution

It is possible to view application logs saved in files to be recorded and indexed in Elasticsearch. There is a second instance in the cluster that makes viewing the log files possible, and those logs hold up to 10,000 records.

If you try to run without privilege elevation, you will receive a warning message. You can manage the senhasegura application status of this instance with the command orbit application.

mt4adm@vmdf-giskard:~$ sudo orbit application --help
Usage: orbit application [<command>]

Application settings tools.

Arguments:
[<command>] Control the application services status:
[start|stop|restart|status|master|version]

Flags:
--help Show context-sensitive help.

--version Show the application components versions
--force Force the command execution, never prompt
--show

  • start: Activates the instance for users' use.

  • stop: Inactivates the instance for users' use.

  • restart: Restart the services used to distribute the Web application, with the exception of the database, proxy systems and services started by Cron.

  • status: Displays the status of this instance.

  • master: Sets this instance to Master in a cluster scenario.

  • version: Displays the installed version of the Orbini platform and senhasegura.

Application status

The orbit application status command displays the status of each primary function of the instance:

  • Application: Status of the instance as to its activation. "Active" to be available for users use and "Inactive" to be unavailable for users use;

  • Replication: Replication/cluster status of this instance. "Active" to indicate you are a cluster member and "Inactive" to indicate you are not part of a cluster;

  • Instance: Role of the instance in the cluster. "Primary" for main instance (Master), "Secondary" for support instance (Slave);

mt4adm@vmdf-giskard:~$ sudo orbit application status

Application: Active
Replication: Inactive
Instance: Primary

Inactivating use of the instance

The orbit application stop command inactivates the application for user use. This action does not affect the activation of the license or the execution of the robots in the instance.

This action is equivalent to inactivating the instance in the menu Orbit ➔ Settings ➔ Application.

mt4adm@vmdf-giskard:~$ sudo orbit application stop
The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y

Application: Inactive
Replication: Inactive
Instance: Primary

Activating the use of the instance

The orbit application start command activates the application for user use. This action does not affect the activation of the license or the execution of the robots on the instance.

This action is equivalent to activating the instance in the menu Orbit ➔ Settings ➔ Application.

mt4adm@vmdf-giskard:~$ sudo orbit application start
The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y

Application: Active
Replication: Inactive
Instance: Primary

Defining the instance as master

The orbit application master command configures the instance as Master instance. If the instance is inactive, it will be automatically activated and raised to Master.

caution

The Master instance is responsible for the execution of unique services that are not executed in the other instances of the Cluster.

mt4adm@vmdf-giskard:~$ sudo orbit application master
The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y

Application: Active
Replication: Inactive
Instance: Primary

Restarting application services

The orbit application restart command restarts the services used to distribute the Web application, with the exception of the database, proxy systems and services started by Cron.

In short, it restarts only the services used by the Webserver.

mt4adm@vmdf-giskard:/home/mt4adm# sudo orbit application restart
The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y

Application: Active
Replication: Inactive
Instance: Primary

Getting the installed version

The orbit application version command presents the Orbini platform and framework version. Its operation is similar to the orbit version command, described above.

mt4adm@vmdf-giskard:~$ sudo orbit application version
Applications
Orbini 5.10.13.27
senhasegura 3.2.0.1

Configuring network interfaces

Configure the primary senhasegura network interface that is used to reach the Web interface, Proxies and Webservices.

caution

This functionality replaces the need for localhost login with the user 'orbit'.

When configuring the network interface you will need to restart the server for the settings to be applied.

mt4adm@vmdf-giskard:~$ sudo orbit network --help
Usage: orbit network

Network settings tools

Flags:
--help Show context-sensitive help.

-i, --interface=STRING
-a, --address=STRING
-m, --netmask=STRING
-g, --gateway=STRING
--reboot Reboot the machine
--force Force the command execution, never prompt
--show

Listing current configuration

The orbit network --show command displays the network settings that are currently applied.

mt4adm@vmdf-giskard:~$ sudo orbit network --show
Networking interface status
============================================================================
Interface eth0
MAC Address = 00:15:5d:3e:73:1c
MTU = 1500
Type = ether

IPv4
Address = 172.17.182.204
Broadcast = 172.17.182.207
Gateway =
============================================================================
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Ifac
0.0.0.0 172.17.182.193 0.0.0.0 UG 0 0 0 eth0
172.17.182.192 0.0.0.0 255.255.255.240 U 0 0 0 eth0
============================================================================

Without arguments, the user is presented with a sequence of prompts to configure the desired network interface.

In this example we show how the primary interface is configured with DHCP.

mt4adm@vmdf-giskard:~$ sudo orbit network
Use the arrow keys to navigate: ↓ ↑ → ←
? Choose an interface to configure:
▸ eth0

? Network settings:
static
▸ dhcp

? Are you sure you want to proceed? [y/N] y
Done!
No errors reported

In this second example we show how the interface with fixed IP is configured.

mt4adm@vmdf-giskard:~$ sudo orbit network
Use the arrow keys to navigate: ↓ ↑ → ←
? Choose an interface to configure:
▸ eth0

? Network settings:
▸ static
dhcp

✔ IP Address: 172.17.182.204
Netmask: 255.255.255.240
Gateway: 172.17.182.193

? Are you sure you want to proceed? [y/N]

Done!
No errors reported

You can also provide the configuration details as command line arguments. This way the interaction is reduced.

mt4adm@vmdf-giskard:~$ sudo orbit network \
--interface=eth0 \
--address=172.17.182.204 \
--netmask=255.255.255.240 \
--gateway=172.17.182.193

Use the arrow keys to navigate: ↓ ↑ → ←
? Choose an interface to configure:
▸ eth0

? Network settings:
▸ static
dhcp

? Are you sure you want to proceed? [y/N]

Done!
No errors reported

Restarting the server to apply settings

Use the command orbit network --reboot so that the server is immediately restarted after the network configuration is entered. Use with caution.

mt4adm@vmdf-giskard:~$ sudo orbit network --reboot

Use the arrow keys to navigate: ↓ ↑ → ←
? Choose an interface to configure:
▸ eth0

? Network settings:
static
▸ dhcp

? Are you sure you want to proceed? [y/N] y
Done!
No errors reported
Stopping database service...

Hostname definitions

The orbit hostname command lets you manage the hostname of the operating system of this senhasegura instance.

mt4adm@vmdf-giskard:~$ sudo orbit hostname --help
Usage: orbit hostname [<hostname>]

Change the server hostname. Changing the hostname you will need reboot
of the server.

Arguments:
[<hostname>] Setting the server hostname

Flags:
--help Show context-sensitive help.

--reboot Reboot the machine
--force Force the command execution, never prompt
--show

You can determine a new hostname by providing the new hostname as the last argument, as described in the command help.

mt4adm@vmdf-giskard:~$ sudo orbit hostname vmdf-giskard
Are you sure you want to proceed: y
Done!
No errors reported

DNS Settings

Configure the DNS servers that this instance will query using the command orbit dns.

mt4adm@vmdf-giskard:~$ sudo orbit dns --help
Usage: orbit dns

The Domain Name System (DNS) management tools

Flags:
--help Show context-sensitive help.

-s, --servers=SERVERS,... Domain servers list
--search=SEARCH,... The domain search list
-d, --domain=STRING Domain name
--force Force the command execution, never prompt
--show

You can list which servers are active by using the --show argument.

mt4adm@vmdf-giskard:~$ sudo orbit dns --show
DNS configuration
DNS Servers:
- 172.17.182.193
Domain: mshome.net
Search:
- mshome.net

To configure the DNS server string you can use the other arguments. The DNS servers will be applied immediately.

mt4adm@vmdf-giskard:~$ sudo orbit dns \
--servers=172.17.182.10,172.17.182.11 \
--search=mshome.net \
--domain=mshome.net
Are you sure you want to proceed: y
Done!
No errors reported

NTP servers

Configure which NTP servers the instance should consult to keep the time synchronized, through the command orbit ntp. This configuration will be applied immediately.

Changing NTP servers may affect the use of OTP tokens.

mt4adm@vmdf-giskard:~$ sudo orbit ntp --help
Usage: orbit ntp

The Network Time Protocol (NTP) management tools

Flags:
--help Show context-sensitive help.

-s, --servers=SERVERS,... NTP servers list
-l, --listen-interface=STRING NTP listen interface
--force Force the command execution, never prompt
--show

To list the active configuration, just use the --show argument.

mt4adm@vmdf-giskard:~$ sudo orbit ntp --show
NTP Status
Servers

a.ntp.br
b.ntp.br
Listen interface eth0

remote refid st t when poll reach delay offset jitter
==========================================================================
*a.ntp.br 200.160.7.186 2 u 34 128 377 5.196 -0.647 0.585
+b.ntp.br 200.160.7.186 2 u 2 128 377 47.750 -3.436 8.249
Tue 09 Jun 2020 04:49:55 PM -03
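
Because OTP validation depends on the server clock, the peers table is worth checking after any NTP change. The following shell function is an added example, not part of the senhasegura documentation or of orbit: it assumes the table follows the ntpq peers layout shown above, and the function names, the constructed second sample and the 1000 ms limit are this example's own choices.

```sh
#!/bin/sh
# Added example: judge clock health from the peers table that
# `orbit ntp --show` prints. Assumes the ntpq peers layout: tally character
# glued to the remote name, then refid, st, t, when, poll, reach (octal),
# delay, offset (ms), jitter.

# $1 = largest tolerated absolute offset in milliseconds (example parameter).
check_ntp_peers() {
    awk -v max_ms="$1" '
        /^=+$/ { in_table = 1; next }      # peer rows follow the ==== rule
        in_table && NF == 10 {
            peers++
            if ($7 + 0 > 0) reachable++    # reach 0 = no reply in the last 8 polls
            if (substr($1, 1, 1) == "*") { # "*" marks the peer the clock follows
                peer = substr($1, 2)
                offset = $9
            }
        }
        END {
            summary = sprintf("reachable=%d/%d", reachable, peers)
            if (peer == "") {
                print "FAIL no system peer selected " summary
                exit 1
            }
            size = offset + 0
            if (size < 0) size = -size
            if (size > max_ms + 0) {
                printf "FAIL peer=%s offset_ms=%s over limit %s %s\n", peer, offset, max_ms, summary
                exit 1
            }
            printf "OK peer=%s offset_ms=%s %s\n", peer, offset, summary
        }'
}

# Peers table copied from the `orbit ntp --show` output on this page.
sample_ntp_synced() {
    cat <<'EOF'
remote refid st t when poll reach delay offset jitter
==========================================================================
*a.ntp.br 200.160.7.186 2 u 34 128 377 5.196 -0.647 0.585
+b.ntp.br 200.160.7.186 2 u 2 128 377 47.750 -3.436 8.249
Tue 09 Jun 2020 04:49:55 PM -03
EOF
}

# Constructed sample: new servers configured but not answering yet.
sample_ntp_unsynced() {
    cat <<'EOF'
remote refid st t when poll reach delay offset jitter
==========================================================================
 a.ntp.br .INIT. 16 u - 64 0 0.000 0.000 0.000
 b.ntp.br .INIT. 16 u - 64 0 0.000 0.000 0.000
EOF
}

sample_ntp_synced | check_ntp_peers 1000
sample_ntp_unsynced | check_ntp_peers 1000 || true
```

On a live instance the input would be the output of sudo orbit ntp --show piped into check_ntp_peers.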

To configure new servers that will replace the current configuration, use the other arguments as in the example.

mt4adm@vmdf-giskard:~$ sudo orbit ntp \
--servers=a.ntp.br,b.ntp.br --listen-interface=eth0
Are you sure you want to proceed: y
Done!
No errors reported

Tuning

The tuning of the environment is performed by changing environment properties of the PHP webserver, database and engine. This way, the whole service architecture will work in a way better suited to the hardware resources available in this instance.

Tuning settings should always be performed at the end of a new instance deployment, or when there is a hardware resizing that could affect the server's CPU and RAM.

This same configuration can be done through the menu Orbit ➔ Server ➔ System tuning.

info

If you are not aware of the variables handled by this command, we recommend that you use tuning via the Orbit web interface. Through the web interface Orbit itself will calculate the best server usage scenario.

caution

This command will restart the PHP Webserver, Database and Engine services. Improper configuration of values may stop the operation.

mt4adm@vmdf-giskard:~$ sudo orbit tuning --help
Usage: orbit tuning

Application tuning configuration

Flags:
--help Show context-sensitive help.

--db-max-conn=INT The maximum number of simultaneous client
connections
--db-buffer-pool=INT DB buffer pool size (MB)
--db-thread=INT Number of threads used to apply write sets
when in cluster.
--ws-workers=INT The number of worker processes
--ws-workers-children=INT The maximum number of connections that each
worker process can handle simultaneously
--force Force the command execution, never prompt
--show

By default the senhasegura is installed with a tuning profile for two CPUs and 4G RAM. You can list the applied tuning values with the argument --show.

mt4adm@vmdf-giskard:~$ sudo orbit tuning --show
DB Connections: 750
DB Buffer Pool Size: 768M
Number of threads: 8
Worker processes: 2
Process connections: 75

You can define all the variables through the other arguments.

mt4adm@vmdf-giskard:~$ sudo orbit tuning \
--db-max-conn=750 \
--db-buffer-pool=768 \
--db-thread=8 \
--ws-workers=2 \
--ws-workers-children=75

The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y
Done!
No errors reported
DB Connections: 750
DB Buffer Pool Size: 768M
Number of threads: 8
Worker processes: 2
Process connections: 75

You can even change only a few parameters if necessary. But regardless of which parameter is affected, all services will be restarted.

mt4adm@vmdf-giskard:~$ sudo orbit tuning --db-thread=4
The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y
Done!
No errors reported
DB Connections: 750
DB Buffer Pool Size: 768M
Number of threads: 4
Worker processes: 2
Process connections: 75

Updating the platform

With the orbit upgrade command you can update all the senhasegura platform packages. This includes the operating system packages, proxy, web application and security settings.

info

Validate that the instance has access to the official senhasegura mirror servers.

Preparing the update

Run the command sudo apt-get update to update the list of available packages on the official mirror.

Use the --show or --check arguments to list which packages will be installed.

mt4adm@vmdf-giskard:~$ sudo orbit upgrade --check
Listing...
fajita-server-senhasegura-image/updates-buster 1.0.9-10~buster amd64
[upgradable from: 1.0.9-9~buster]
orbini/buster 5.10.13-28~buster all [upgradable from: 5.10.13-27~buster]
orbit-cli/buster 1.1.0-22~buster all [upgradable from: 1.1.0-21~buster]
senhasegura-app/buster 3.1.11-8~buster all [upgradable from: 3.1.11-7~buster]
xrdp-senhasegura-image/updates-buster 1.0.9-10~buster amd64
[upgradable from: 1.0.9-9~buster]

Updating the instance

To update the instance, just run the command orbit upgrade. Orbit first checks the version of the orbit binary itself; if that binary needs to be updated before the other updates can start, a message containing the update instructions is displayed.

mt4adm@vmdf-giskard:~$ sudo orbit upgrade
A new version of your system will be installed.
Are you sure you want to proceed: y

Checking for new versions. Please wait...

A new version of orbit-cli is available.

Run apt-get install orbit-cli before continue.

Once the orbit binary is updated, run the orbit upgrade command again to install all other updates.

info

See the Getting Started Cookbook to understand how to do offline updating.

The update process will display several messages related to the tasks being performed, and will restart the services several times during the process. If the update cannot be performed, an error message will be displayed at the end. Otherwise, a success message will be displayed.

info

Always run the orbit version command to validate the version that was installed after the upgrade process.

mt4adm@vmdf-giskard:~$ sudo orbit upgrade
A new version of your system will be installed.
Are you sure you want to proceed: y

Checking for new versions. Please wait...

...

[2020-06-17 16:17:18]: Checking firewall...
Firewall normalized
No errors reported

[2020-06-17 16:17:29]: Restarting robots...
Done!
No errors reported

Duration: 4m3.881937248s

Running and restoring backup

Through the backup module you can run new backups and restore a specific backup.

caution

The senhasegura backup files are encrypted. Restoring a backup can cause damage to a cluster structure and even prevent access to inside information. If there is a need to restore a backup, please contact our support team so that we can support this critical activity.

mt4adm@vmdf-giskard:~$ sudo orbit backup --help
Usage: orbit backup <command>

Application backup settings

Arguments:
<command> Perform or Recovery data backup: [create|recover]

Flags:
--help Show context-sensitive help.

--file=STRING Backup file for recovery
--database="senhasegura" The database name to recovery backup.
Default: senhasegura
--force Force the command execution, never prompt
--show

Creating a backup

The senhasegura will back up two databases managed by MariaDB [1].

  • mt4: Database with information from the Orbini platform

  • senhasegura: Database with information from the senhasegura platform

Execute the orbit backup create command to run a backup on both databases. Some information has been deleted from this log. But you will see where the backup runs and where it is copied to at the end of the process.

mt4adm@vmdf-giskard:~$ sudo orbit backup create
Are you sure you want to perform a data backup now: y
Orbini Backup 1.0.3.0
[2020-06-09 20:28:57]: BACKUP INFO Utilizando arquivo de configuracao ******
[2020-06-09 20:28:57]: senhasegura DB INFO Iniciando backup mysql
para arquivo
[2020-06-09 20:28:57]: senhasegura DB INFO Comando dump: *** mt4
[2020-06-09 20:28:58]: senhasegura DB INFO Iniciando backup mysql
para arquivo
[2020-06-09 20:28:58]: senhasegura DB INFO Comando dump: *** senhasegura
[2020-06-09 20:29:00]: senhasegura DB INFO Backup MySQL efetuado com sucesso
[2020-06-09 20:29:00]: senhasegura DB INFO Limpando arquivos de
backup antigos
[2020-06-09 20:29:00]: senhasegura FILE INFO Iniciando backup arquivos por
rsync do diretorio ******
[2020-06-09 20:29:00]: senhasegura FILE INFO Comando: rsync -a ****** ******
[2020-06-09 20:29:00]: senhasegura FILE INFO Backup diretorio ******
efetuado com sucesso
Duration: 2.318238474s

Restoring a backup

caution

Warning. This procedure will restore all database data and schema to the desired past time. If a system upgrade was performed between the time of the selected backup file and the current time, you should also restore all other binaries. The binary application files can be restored using the Debian APT tool.

To restore the backup you must have the original backup files available and make sure that the information to be restored is from a nearby time so as not to impact the range of the devices and ensure the integrity of the inside information.

You must first restore the mt4 database and then the senhasegura database.

mt4adm@vmdf-giskard:~$ sudo orbit backup recover \
--database=mt4 \
--file=/******/senhasegura-db-2020-06-09_203007mt4.sql.gz

Restoring this file you will replace all the database data.
Are you sure you want to restore this backup file: y

mt4adm@vmdf-giskard:~$ sudo orbit backup recover \
--database=senhasegura \
--file=/******/senhasegura-db-2020-06-09_203007senhasegura.sql.gz

Restoring this file you will replace all the database data.
Are you sure you want to restore this backup file: y

Managing the Cluster

The complete cluster configuration and status check process can be performed with the orbit cluster command. In addition, this process uses the orbit application command to start instances and define a master instance.

mt4adm@vmdf-giskard:~$ sudo orbit cluster --help
Usage: orbit cluster <command>

High Availability and Disaster Recovery settings tools

Arguments:
<command> Control the application services status:
[start|stop|restart|config|status]

Flags:
--help Show context-sensitive help.

--ip=STRING The local node IP
-n, --nodes=NODES,... Cluster nodes list
-s, --segment=0 Define which network segment this node is in
-l, --latency="low" Latency between nodes: [low|medium|high]
--force Force the command execution, never prompt
--show

Creating the cluster

To create the cluster you need at least two instances. As an example, we will call the instances "A" and "B". Follow this order to assemble the cluster.

  • Activate instance A both in activation license and application activation;

  • Start the application in instance A with the command orbit application start;

  • The --ip argument must be used with the IP of the instance on which the command is running

  • Configure the cluster in instance A by entering the parameter --ip with the IP of instance A and the parameter --nodes with the IPs of instances A and B respectively;

  • Determine instance A as master using the command orbit application master

  • Start the cluster in instance A with the command orbit cluster start and wait at least 1 minute for normalization;

  • Activate instance B with the activation license and keep the application inactive;

  • Configure the cluster in instance B by entering the parameter --ip with the IP of instance B and the parameter --nodes with the IPs of instances A and B respectively;

  • Start the cluster in instance B with the command orbit cluster start and wait at least 1 minute for normalization;

Instance A

mt4adm@vmdf-giskard:~$ sudo orbit application master
The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y

Application: Active
Replication: Inactive
Instance: Primary

mt4adm@vmdf-giskard:~$ sudo orbit cluster config \
--ip=172.18.77.184 \
--nodes=172.18.77.184,172.18.77.186 \
--segment=0 \
--latency="low"

Are you sure you want to proceed: y
Done!
No errors reported

mt4adm@vmdf-giskard:~$ sudo orbit cluster start --ip=172.18.77.184
Are you sure you want to proceed: y
Done!
No errors reported

Instance B

mt4adm@vmdf-giskard:~$ sudo orbit cluster config \
--ip=172.18.77.186 \
--nodes=172.18.77.184,172.18.77.186 \
--segment=1 \
--latency="low"

Are you sure you want to proceed: y
Done!
No errors reported

mt4adm@vmdf-giskard:~$ sudo orbit cluster start --ip=172.18.77.186
Are you sure you want to proceed: y
Done!
No errors reported

caution

For the proper functioning of the cluster, the network latency between nodes must be at most 30ms.

Cluster status

Using the orbit cluster status command you can observe several properties of the cluster. As there is a lot of information, we will not list all the details in the manual. But we will present the essential information to understand if the cluster is active and problem-free.

Pay attention to the final block of the status, called "Cluster nodes". In this block you will see who are the cluster members and the timestamp of synchronization between them. There is also the status of the current instance that should be marked as "synced".

mt4adm@vmdf-giskard:~$ sudo orbit cluster status

...

============================================================

Cluster nodes

Cluster member: ID [0] - UUID [64661644-b0df-11ea-80b2-8ee23c1303c0] -
Hostname [vmdf-giskard-3232290344] - Timestamp [1592428528]
Cluster member: ID [1] - UUID [9dff00d8-b0df-11ea-86c4-83725d654e03] -
Hostname [vmdf-giskard-3232290348] - Timestamp [1592428528]

Cluster UUID: 64679b9f-b0df-11ea-a6e5-67ba900fecc0

vmdf-giskard details: status=synced
vmdf-giskard is primary node ?: 1

============================================================
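
A scripted version of the check described above, as an added example that is not part of the senhasegura documentation or of orbit: it reads the text of orbit cluster status and verifies the member count, the spread between member timestamps and the status=synced marker. The function names, the constructed second sample and the 5-second limit used in the calls are assumptions of this example.

```sh
#!/bin/sh
# Added example: health check over the text printed by `orbit cluster status`.
# Status text on stdin; $1 = expected member count, $2 = largest tolerated gap
# in seconds between member timestamps (both are example parameters).
check_cluster_status() {
    awk -v want="$1" -v max_skew="$2" '
        /Cluster member:/ { members++ }
        match($0, /Timestamp \[[0-9]+\]/) {
            # "Timestamp [" is 11 characters; drop it and the closing bracket.
            ts = substr($0, RSTART + 11, RLENGTH - 12) + 0
            if (stamps == 0 || ts < lo) lo = ts
            if (stamps == 0 || ts > hi) hi = ts
            stamps++
        }
        match($0, /status=[A-Za-z]+/) {
            status = substr($0, RSTART + 7, RLENGTH - 7)
        }
        /is primary node/ { primary = $NF }
        END {
            skew = hi - lo
            if (members + 0 != want + 0) why = why " members=" (members + 0) "/" want
            if (skew > max_skew + 0)     why = why " skew_s=" skew
            if (status != "synced")      why = why " status=" (status == "" ? "missing" : status)
            if (why != "") { print "FAIL" why; exit 1 }
            printf "OK members=%d skew_s=%d status=%s primary=%s\n", members, skew, status, primary
        }'
}

# "Cluster nodes" block copied from the status output on this page.
sample_cluster_synced() {
    cat <<'EOF'
Cluster nodes

Cluster member: ID [0] - UUID [64661644-b0df-11ea-80b2-8ee23c1303c0] -
Hostname [vmdf-giskard-3232290344] - Timestamp [1592428528]
Cluster member: ID [1] - UUID [9dff00d8-b0df-11ea-86c4-83725d654e03] -
Hostname [vmdf-giskard-3232290348] - Timestamp [1592428528]

Cluster UUID: 64679b9f-b0df-11ea-a6e5-67ba900fecc0

vmdf-giskard details: status=synced
vmdf-giskard is primary node ?: 1
EOF
}

# Constructed sample: the second member lags and the local status value is a
# placeholder for anything other than "synced".
sample_cluster_lagging() {
    cat <<'EOF'
Cluster member: ID [0] - UUID [64661644-b0df-11ea-80b2-8ee23c1303c0] -
Hostname [vmdf-giskard-3232290344] - Timestamp [1592428528]
Cluster member: ID [1] - UUID [9dff00d8-b0df-11ea-86c4-83725d654e03] -
Hostname [vmdf-giskard-3232290348] - Timestamp [1592428400]

vmdf-giskard details: status=unsynced
vmdf-giskard is primary node ?: 0
EOF
}

sample_cluster_synced | check_cluster_status 2 5
sample_cluster_lagging | check_cluster_status 2 5 || true
```

Because cluster actions are not reflected across instances, the check has to be run against the status output of each instance separately.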

Web Application SSL Certificate

See the details of the certificate being used by the web application and install new certificates.

mt4adm@vmdf-giskard:~$ sudo orbit webssl --help
Usage: orbit webssl

Webserver SSL certificates management tools

Flags:
--help Show context-sensitive help.

-c, --cert=STRING Specifies a file with the certificate
-k, --key=STRING Specifies a file with the certificate secret key
--save Save files on ssl directory
--force Force the command execution, never prompt
--show

Use the orbit webssl --show command to list the details of the SSL certificate being used by the web application.

Installing a new certificate

To install the certificate you must transfer the certificate files to the senhasegura server and execute the orbit webssl command with the --cert argument pointing to the certificate file and the --key argument pointing to the certificate key, as in the example.

mt4adm@vmdf-giskard:~$ sudo orbit webssl \
--cert=selfsigned.crt \
--key=selfsigned.key
Are you sure you want to proceed: y
Done!
No errors reported

Setting up instance location

Using the orbit locale command you can define the settings for location, server time zone and internal browser language.

caution

The language settings of the web interface and proxy systems are changed through user preferences and through dedicated commands from the proxy systems.

caution

Restart the server after executing the command to apply the new language to the database system.

mt4adm@vmdf-giskard:~$ sudo orbit locale --help
Usage: orbit locale

Language and locale settings

Flags:
--help Show context-sensitive help.

--timezone=STRING Timezone string
--force Force the command execution, never prompt
--show

To list the active configuration, use the --show argument.

mt4adm@vmdf-giskard:~$ sudo orbit locale --show
Timezone
Timezone is 'America/Sao_Paulo'

To set the language of the internal browser, use the argument --browser-locale:

mt4adm@vmdf-giskard:~$ sudo orbit locale --browser-locale en-gb

See the following table for valid language codes for this configuration:

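| Code | Language | Code | Language | Code | Language |
|---|---|---|---|---|---|
| ach | Acoli | af | Afrikaans | all | All packages for Firefox ESR (meta) |
| an | Aragonese | ar | Arabic | ast | Asturian |
| az | Azerbaijani | be | Belarusian | bg | Bulgarian |
| bn | Bengali | br | Breton | bs | Bosnian |
| ca | Catalan | ca-valencia | Catalan (Valencia) | cak | Kaqchikel |
| cs | Czech | cy | Welsh | da | Danish |
| de | German | dsb | Lower Sorbian | en-ca | English (Canada) |
| en-gb | English (United Kingdom) | eo | Esperanto | es-ar | Spanish (Argentina) |
| es-cl | Spanish (Chile) | es-es | Spanish (Spain) | es-mx | Spanish (Mexico) |
| et | Estonian | eu | Basque | fa | Persian |
| ff | Fulah | fi | Finnish | fr | French |
| fy-nl | Western Frisian (Netherlands) | ga-ie | Irish (Ireland) | gd | Scottish Gaelic |
| gd | Estonian | gl | Galician | gn | Guarani |
| gu-in | Gujarati (India) | he | Hebrew | hi-in | Hindi (India) |
| hr | Croatian | hsb | Upper Sorbian | hu | Hungarian |
| hy-am | Armenian (Armenia) | ia | Interlingua | id | Indonesian |
| is | Icelandic | it | Italian | ja | Japanese |
| ka | Georgian | kab | Kabyle | kk | Kazakh |
| km | Central Khmer | kn | Kannada | ko | Korean |
| lij | Ligurian | lij | Ligurian | lt | Lithuanian |
| lv | Latvian | mk | Macedonian | mr | Marathi |
| ms | Malay | my | Burmese | nb-no | Norwegian Bokmål (Norway) |
| ne-np | Nepali (Nepal) | nl | Dutch | nn-no | Norwegian Nynorsk (Norway) |
| oc | Occitan | pa-in | Panjabi (India) | pl | Polish |
| pt-br | Portuguese (Brazil) | pt-pt | Portuguese (Portugal) | rm | Romansh |
| ro | Romanian | ru | Russian | si | Sinhala |
| sk | Slovak | sl | Slovenian | son | Songhai |
| sq | Albanian | sr | Serbian | sv-se | Swedish (Sweden) |
| ta | Tamil | te | Telugu | th | Thai |
| tl | Tagalog | tr | Turkish | trs | Chicahuaxtla Triqui |
| uk | Ukrainian | ur | Urdu | uz | Uzbek |
| vi | Vietnamese | xh | Xhosa | zh-cn | Chinese (China) |
| zh-tw | Chinese (Taiwan) | el | Modern Greek | sri | Brahmic |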
DevanagariDevanagari ExtendedVedic Extensions

To set up a new location you must first know the available options. The available locations are in the directory /usr/share/zoneinfo.

mt4adm@vmdf-giskard:~$ sudo orbit locale --timezone=Europe/Paris
Are you sure you want to proceed: y
Done!
No errors reported

Restarting the database service. Please wait...
Are you sure you want to proceed: y
Done!
No errors reported

Setting up remote partitions

The orbit partition command allows you to list, add, or remove remote partitions that are used to forward the backup database, session files, and encrypted information with the master key.

mt4adm@vmdf-giskard:~$ sudo orbit partition --help
Usage: orbit partition

File system partitions management tools

Flags:
--help Show context-sensitive help.

-l, --local="/srv/backup_remoto" Local path to mount point
-h, --remote-host=STRING Remote host address
-r, --remote-path=STRING Remote path to mount
--type="cifs" The filesystem type: [nfs|cifs]
-o, --options=STRING Adcional options to mount
-u, --user=STRING Samba credentials username
-p, --password=STRING Samba credentials password
-d, --domain=STRING Samba credentials domain
--remount Remount the local partition
--umount Unmount the partition configuration
--delete Unmount and delete the partition configuration
--force Force the command execution, never prompt
--show

Adding a remote CIFS partition

You should be familiar with the CIFS protocol and the mounting options available for Linux environments. senhasegura uses the Debian [2] package cifs-utils, which is maintained by the Samba [3] developers. More details on the mounting options can be found in its official manual [4].

caution

When using the CIFS protocol, the orbit command creates an authentication file at /root/.smbcred that contains the authentication data for the mount. Reference this file in the --options argument.

The --remote-path argument must start with a slash (/) and contain only the target directory.

mt4adm@vmdf-giskard:~$ sudo orbit partition \
--local="/srv/backup_remoto" \
--remote-host="192.168.214.37" \
--remote-path="/backup" \
--type="cifs" \
--user="senhasegura" \
--password="@qwemaster88" \
--domain="sandbox.local" \
--options="credentials=/root/.smbcred,uid=1001,gid=1001,file_mode=0750,dir_mode=0750,noexec"

Are you sure you want to proceed: y
Done!
No errors reported
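An added example (not part of the senhasegura documentation or of Orbit itself) that lints the CIFS entry a registered partition leaves in /etc/fstab and the /root/.smbcred file Orbit creates. The fstab lines are constructed samples; the function names, the finding labels and the nosuid/nodev checks are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint a CIFS entry from /etc/fstab and its credentials file.

# Print comma-separated findings for one fstab line (empty output = clean).
audit_cifs_fstab_line() (
    set -f                       # no globbing while splitting the line
    set -- $1                    # fields: device, mount point, type, options
    [ "$3" = "cifs" ] || exit 0
    opts=$4

    has_opt()   { case ",$opts," in *",$1,"*) return 0 ;; *) return 1 ;; esac; }
    opt_value() { printf '%s\n' "$opts" | tr ',' '\n' | sed -n "s/^$1=//p" | head -n 1; }

    {
        # /etc/fstab is normally world-readable, so secrets belong in the
        # credentials file and never in the options field.
        case ",$opts" in *,password=*|*,pass=*) echo "inline-password" ;; esac
        [ -n "$(opt_value credentials)" ] || echo "no-credentials-file"

        # noexec is used in the page's example; nosuid and nodev are extra
        # hardening added by this example.
        for o in noexec nosuid nodev; do
            has_opt "$o" || echo "missing-$o"
        done

        # A last octal digit other than 0 grants access to "other" local users.
        for key in file_mode dir_mode; do
            case "$(opt_value "$key")" in *[1-7]) echo "$key-allows-others" ;; esac
        done
    } | paste -sd, -
)

# check_cred_file FILE [UID]: print "ok" and return 0 only if FILE is a regular
# file owned by UID (default 0, root) with no group or other permission bits.
check_cred_file() (
    file=$1
    want_uid=${2:-0}
    [ -f "$file" ] || { echo "missing"; exit 1; }
    set -- $(ls -ldn "$file")            # $1 = mode string, $3 = numeric owner
    perms=$(printf '%s' "$1" | cut -c1-10)
    owner=$3
    case "$perms" in
        -r[w-]-------) ;;
        *) echo "bad-mode:$perms"; exit 1 ;;
    esac
    [ "$owner" = "$want_uid" ] || { echo "bad-owner:$owner"; exit 1; }
    echo "ok"
)

# Constructed sample entries (not copied from a real host). The first one uses
# the option string from the orbit partition example above.
PAGE_STYLE_ENTRY='//192.168.214.37/backup /srv/backup_remoto cifs credentials=/root/.smbcred,uid=1001,gid=1001,file_mode=0750,dir_mode=0750,noexec 0 0'
WEAK_ENTRY='//192.168.214.37/backup /srv/backup_remoto cifs username=senhasegura,password=EXAMPLE-ONLY,file_mode=0755,dir_mode=0750 0 0'

echo "page-style entry: $(audit_cifs_fstab_line "$PAGE_STYLE_ENTRY")"
echo "weak entry:       $(audit_cifs_fstab_line "$WEAK_ENTRY")"
```

On an instance, feed the function the matching line from /etc/fstab and run `check_cred_file /root/.smbcred` as root.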

Reattach a registered remote partition

If the target server has been inaccessible for a while, causing an error on the remote partition, reattach the partition with the command orbit partition --remount.

mt4adm@vmdf-giskard:~$ sudo orbit partition --remount
Are you sure you want to proceed: y
Partition remounted with success
- domain=sandbox.local
mount.cifs kernel mount options: ip=192.168.214.37,
unc=\\192.168.214.37\backup,file_mode=0750,dir_mode=0750,
uid=1001,gid=1001,user=senhasegura,domain=sandbox.local,pass=********

Detach a registered remote partition

To detach the remote partition, use the command orbit partition --umount. This command unmounts the partition but keeps it in the /etc/fstab file.

mt4adm@vmdf-giskard:~$ sudo orbit partition --umount
Are you sure you want to proceed: y
Done!
No errors reported

Detach and remove a registered remote partition

To detach and remove the remote partition, use the command orbit partition --delete. This command unmounts the partition and removes it from the /etc/fstab file.

mt4adm@vmdf-giskard:~$ sudo orbit partition --delete
Are you sure you want to proceed: y
Done!
No errors reported

Disk management

You can expand the disk and get information about your partitions through the orbit disk command.

mt4adm@vmdf-giskard:~$ sudo orbit disk --help
Usage: orbit disk

Disks management tools

Flags:
--help Show context-sensitive help.

--expand Process of disk expansion
--force Force the command execution, never prompt
--show

Use the --show argument to view the partitions and file system settings.

With the --expand argument you can expand the virtual disk to consume new space allocated in the hypervisor.

caution

The disk expansion procedure is very delicate. It is recommended that the instance be under maintenance and that a backup and a snapshot of the virtual machine have been taken.

mt4adm@vmdf-giskard:~$ sudo orbit disk --expand

The disk expansion process is extremely delicate, be sure to take a snapshot
of the server before performing this procedure.

All previously unallocated disk resources will be distributed across current
partitions.

Are you sure you want to expand the disk: y
Done!
No errors reported

Zabbix Monitoring

You can configure which Zabbix servers will be able to receive the monitoring data read from senhasegura with the command orbit zabbix.

mt4adm@vmdf-giskard:~$ sudo orbit zabbix --help
Usage: orbit zabbix

Zabbix client configuration

Flags:
--help Show context-sensitive help.

--server=STRING
--port=4443
--listen=STRING
--lport=10050
--tls
--force Force the command execution, never prompt
--show

To configure a new server, use the arguments as in the example. The argument must be filled with the IP of the Zabbix server. The --listen argument must be filled with the network interface on which the Zabbix Agent installed on the instance must listen.

The --tls argument generates the authentication key that will be registered on the host inside Zabbix Server.

mt4adm@vmdf-giskard:~$ sudo orbit zabbix \
--server=172.18.77.185 \
--port=4443 \
--listen=172.18.77.184 \
--lport=10050 \
--tls

Are you sure you want to proceed: y
Done!
Zabbix TLS parameters
Identity = RZniGpvKUJOGvuxWLAPi
Pre-shared key = b59b8a040a063feb8752b7e9dc543ed68a0eea1e9f840245d1e10bce88f

To list the active configuration, use the --show argument.

mt4adm@vmdf-giskard:~$ orbit zabbix --show
Zabbix informations
Server=172.18.77.185
ServerActive=172.18.77.185:4443
ListenIP=172.18.77.184
ListenPort=10050
TLSPSKIdentity=RZniGpvKUJOGvuxWLAPi
Pre-shared-key=b59b8a040a063feb8752b7e9dc543ed68a0eea1e9f840245d1e10bce88f

SNMP Monitoring

Use the orbit snmp command to configure the server that will receive the MIB reading from senhasegura.

mt4adm@vmdf-giskard:~$ sudo orbit snmp --help
Usage: orbit snmp

Simple Network Management Protocol (SNMP) management tools

Flags:
-h, --help Show context-sensitive help.

-c, --community=STRING
-u, --username=STRING SNMPv3 username
-s, --server=STRING Listen server ip address
-a, --allowed-ips=ALLOWED-IPS,...
Allowed servers to query SNMP
-v, --version=2
--force Force the command execution, never prompt
--show

caution

The following arguments are mandatory:

  • community: -c

  • server: -s

  • allowed-ips: -a

  • version: -v

caution

For SNMPv3, in addition to these arguments, the username argument (-u) is mandatory.

To configure the list of allowed servers, use the arguments as in the example. The --server argument must be filled with the IP of the senhasegura interface. The --allowed-ips argument is filled with the list of servers that can read SNMP.

Configure SNMPv2

mt4adm@vmdf-giskard:~$ sudo orbit snmp -c public -s 192.168.86.86 -a 192.168.86.73 -v 2

? Are you sure you want to proceed? [y/N] y
Done!
No errors reported

To list the current configuration, use the --show argument.

mt4adm@vmdf-giskard:~$ sudo orbit snmp --show

SNMP informations
SNMP Listen address = 192.168.86.86
Community public
Allowed IPs
192.168.86.73

SNMPv3 username = N/A
SNMPv3 authentication pass (SHA) = N/A
SNMPv3 encryption pass (AES) = N/A
SNMPv3 level = authpriv

Configure SNMPv3

mt4adm@vmdf-giskard:~$ sudo orbit snmp -c public -s 192.168.86.86 -a 192.168.86.73 -v 3 -u mymonitor

? Are you sure you want to proceed? [y/N] y
Done!
Run 'orbit snmp --show' to view authentication and encryption settings
Example: snmpwalk -v 3 -u mymonitor -a SHA -A iRYRWHXhMHlY -x AES -X jWSqOdVtXwyz -l authPriv 192.168.86.86

To list the current configuration, use the --show argument.

mt4adm@vmdf-giskard:~$ sudo orbit snmp --show
SNMP informations
SNMP Listen address = 192.168.86.86
Community
Allowed IPs
192.168.86.73

SNMPv3 username = mymonitor
SNMPv3 authentication pass (SHA) = iRYRWHXhMHlY
SNMPv3 encryption pass (AES) = jWSqOdVtXwyz
SNMPv3 level = authpriv
mt4adm@vmdf-giskard:~$
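As an added example (not Orbit's own code), the following filter reads the output of orbit snmp --show in the format shown above and reports settings worth reviewing: an SNMPv2 community in use (SNMPv2 sends the community string unencrypted), a well-known community name, and SNMPv3 settings weaker than authpriv or with passphrases under eight characters. The sample outputs are constructed, and the function name and finding labels are assumptions.

```shell
#!/bin/sh
# Added example: review the settings printed by "orbit snmp --show".

# Reads the --show output on stdin, prints comma-separated findings
# (empty output = nothing to review).
audit_snmp_show() {
    awk '
        /^SNMP Listen address/          { listen = $NF }
        /^Community/                    { community = $2 }
        /^Allowed IPs/                  { in_ips = 1; next }
        in_ips && NF == 0               { in_ips = 0 }
        in_ips && /^[0-9]/              { allowed++ }
        /^SNMPv3 username/              { user = $NF }
        /^SNMPv3 authentication pass/   { auth = $NF }
        /^SNMPv3 encryption pass/       { priv = $NF }
        /^SNMPv3 level/                 { level = tolower($NF) }
        END {
            if (community != "") {
                # SNMPv2 has no encryption: the community travels in clear text.
                print "v2c-community-in-use"
                if (community == "public" || community == "private")
                    print "default-community"
            }
            if (listen == "0.0.0.0") print "listens-on-all-interfaces"
            if (allowed == 0)        print "no-allowed-ips"
            if (user != "" && user != "N/A") {
                # SNMPv3 USM passphrases must be at least 8 characters long.
                if (length(auth) < 8)    print "short-auth-passphrase"
                if (length(priv) < 8)    print "short-priv-passphrase"
                if (level != "authpriv") print "v3-level-not-authpriv"
            }
        }
    ' | paste -sd, -
}

# Constructed samples that follow the layout of the --show output above.
V2_SHOW='SNMP informations
SNMP Listen address = 192.168.86.86
Community public
Allowed IPs
192.168.86.73

SNMPv3 username = N/A
SNMPv3 authentication pass (SHA) = N/A
SNMPv3 encryption pass (AES) = N/A
SNMPv3 level = authpriv'

V3_SHOW='SNMP informations
SNMP Listen address = 192.168.86.86
Community
Allowed IPs
192.168.86.73

SNMPv3 username = mymonitor
SNMPv3 authentication pass (SHA) = EXAMPLEauth01
SNMPv3 encryption pass (AES) = EXAMPLEpriv01
SNMPv3 level = authpriv'

echo "SNMPv2 sample: $(printf '%s\n' "$V2_SHOW" | audit_snmp_show)"
echo "SNMPv3 sample: $(printf '%s\n' "$V3_SHOW" | audit_snmp_show)"
```

On an instance, pipe the live output into the function: `sudo orbit snmp --show | audit_snmp_show`.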

Firewall Management

Using the orbit firewall command you can manage the source blocking that is performed by the HIDS, and normalize firewall rules for running services.

Up to the current version (senhasegura v3.2), a host is blocked when it exceeds the allowed number of login attempts via SSH.

mt4adm@vmdf-giskard:~$ sudo orbit firewall --help
Usage: orbit firewall [<command>]

System Firewall management tools

Arguments:
[<command>] Run security commads: [block|unblock|normalize|status]

Flags:
--help Show context-sensitive help.

-h, --host=HOST,... Host IP or Network list
--force Force the command execution, never prompt
--show

Use the --show argument or the status action to list the IPs that are blocked from this instance of senhasegura.

mt4adm@vmdf-giskard:~$ sudo orbit firewall --show
Currently blocked hosts
172.18.77.185

mt4adm@vmdf-giskard:~$ sudo orbit firewall status
Currently blocked hosts
172.18.77.185

To release access from a specific IP, use the unblock action with the --host argument.

mt4adm@vmdf-giskard:~$ sudo orbit firewall unblock \
--host=172.18.77.185
Are you sure you want to proceed: y
Done!
No errors reported

If there is a need to block a specific IP, you can use the block action.

mt4adm@vmdf-giskard:~$ sudo orbit firewall block \
--host=172.18.77.185
Are you sure you want to proceed: y
Done!
No errors reported

To normalize the firewall rules based on the installed services, Orbit itself executes the command orbit firewall normalize with each system update. This command can also be executed by the administrator.

mt4adm@vmdf-giskard:~$ sudo orbit firewall normalize
Are you sure you want to proceed: y
Firewall normalized
No errors reported

Manipulating operating system services

To start, stop or restart operating system services, use the command orbit service.

mt4adm@vmdf-giskard:~$ sudo orbit service --help
Usage: orbit service <service> <command>

Send commands to the systemd manager

Arguments:
<service> The service name
<command> Systemd command: [start|stop|restart|status]

Flags:
--help Show context-sensitive help.

--force Force the command execution, never prompt
--show

As an example, let's see the status of the SNMP service.

mt4adm@vmdf-giskard:~$ sudo orbit service snmpd status
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor
preset: enabled)
Active: active (running) since Fri 2020-06-12 21:18:21 CEST; 41min ago
Process: 11119 ExecStartPre=/bin/mkdir -p /var/run/agentx (code=exited,
status=0/SUCCESS)
Main PID: 11120 (snmpd)
Tasks: 1 (limit: 3489)
Memory: 7.7M
CGroup: /system.slice/snmpd.service
└─11120 /usr/sbin/snmpd -Lsd -Lf /dev/null -u Debian-snmp -g
Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid

To restart a service just use the command restart. The same syntax as in the example can be used for the commands start and stop, which will start and stop services respectively.

mt4adm@vmdf-giskard:~$ sudo orbit service snmpd restart
Are you sure you want to proceed: y

Changing default passwords

Using the orbit security command you can change the default password for the users mt4adm and senhasegura. However, only the password of the mt4adm user is displayed to, or chosen by, the administrator.

mt4adm@vmdf-giskard:~$ sudo orbit security --help
Usage: orbit security <command>

System security management tools

Arguments:
<command> Security action: [password]

Flags:
--help Show context-sensitive help.

--pwgen Genarate a ramdom password for the system's default user account

To change the password of mt4adm to a value you choose, use the password command.

mt4adm@vmdf-giskard:~$ sudo orbit security password
This action will change the password for the system default user account
Changing password: mt4adm
New password: *********
Retype new password: *********
Are you sure you want to proceed: y
Done!
No errors reported
Changing password: senhasegura
Done!
No errors reported

To change the password and have a random password generated and presented during the process, use the --pwgen argument.

mt4adm@vmdf-giskard:~$ sudo orbit security password --pwgen
This action will change the password for the system default user account
Changing password: mt4adm
Are you sure you want to proceed: y
Done!
No errors reported

The random generated password was: a*Y9z75#
Changing password: senhasegura
Done!
No errors reported

Shutting down or restarting the server

To shut down or restart the server, use the command orbit shutdown.

caution

The shutdown is immediate; it cannot be scheduled. The shutdown procedures performed by this command ensure that services are shut down correctly, avoiding problems in cluster environments.

mt4adm@vmdf-giskard:~$ sudo orbit shutdown --help
Usage: orbit shutdown

Power-off or reboot the machine safely.

Flags:
--help Show context-sensitive help.

-r, --reboot Reboot the machine

To shut down the server, just use the command orbit shutdown.

mt4adm@vmdf-giskard:~$ sudo orbit shutdown
The server system will shut down. Are you sure you want to proceed: y
Stopping database service...

To reboot the server, use the --reboot argument together with the orbit shutdown command.

mt4adm@vmdf-giskard:~$ sudo orbit shutdown --reboot
The server system will shut down. Are you sure you want to proceed: y
Stopping database service...

Proxy System Settings

Proxy system configurations can be performed using the orbit proxy command. Each proxy has particularities, so some arguments have effect only on some systems.

mt4adm@vmdf-giskard:~$ sudo orbit proxy --help
Usage: orbit proxy <proxy> [<action>]

Application access proxy settings

Arguments:
<proxy> The proxy name: [fajita|jumpserver|rdpgate|nss]
[<action>] Systemd command: [start|stop|restart|status]

Flags:
--help Show context-sensitive help.

--api-cons=STRING The Consumer Key
--api-token=STRING The Token
--rdp-encryption="high" The proxy name: [none|low|high|medium|fips]
--language="en_US" The proxy language
--enable-sudo Enable sudo automation
--fajita-block-interface
--fajita-unblock-interface
--force Force the command execution, never prompt
--show

Starting, restarting or stopping a proxy system

Use the start, stop and restart commands to control the status of proxy systems. Use the status command to see the current status of the service.

mt4adm@vmdf-giskard:~$ sudo orbit proxy fajita stop
The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y

mt4adm@vmdf-giskard:~$ sudo orbit proxy fajita start
The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y

mt4adm@vmdf-giskard:~$ sudo orbit proxy fajita status
● fajita.service - fajita service
Loaded: loaded (/lib/systemd/system/fajita.service; enabled;
vendor preset: enabled)
Active: active (running) since Thu 2020-06-18 17:10:39 -03; 2s ago
Main PID: 13842
Tasks: 6 (limit: 3489)
Memory: 29.6M
CGroup: /system.slice/fajita.service

Listing active settings

To list the configuration of each proxy system, use the --show argument for each system.

mt4adm@vmdf-giskard:~$ sudo orbit proxy fajita --show
The Consumer Key: 88122cce2d14d5cbd57f77c552e80843d97ff4be
The Token: b25abee1b365458a9d719608bda85f6eb4900885
Access proxy language: en_US
SUDO automation: true

mt4adm@vmdf-giskard:~$ sudo orbit proxy jumpserver --show
The Consumer Key: c97c7f976153753b1065a57214853dc5630436c0
The Token: 150cd77aba427d4e4de5ce070b4c5dfe526c941b
Access proxy language: en_US
SUDO automation: True

mt4adm@vmdf-giskard:~$ sudo orbit proxy rdpgate --show
The Consumer Key: ea3d21730571e3ba03ba9812e2579bd0b439643b
The Token: 16c017bb51d2581f7f4eea9c5d851d8fe1d6c10c
Access proxy language: en_US
RDP encryption level: high
Security Layer: rdp
SSL Ptotocols:
TLS Ciphers:

mt4adm@vmdf-giskard:~$ sudo orbit proxy nss --show
The Consumer Key: "a4d63bc9392880fc24358795c9f1615164d4dfa4"
The Token: "40f1d439fd38466fe4bd61e9c96330541d258f04"

Changing the language

To change the language of a proxy system, use the --language argument. Restart the proxy after configuration.

mt4adm@vmdf-giskard:~$ sudo orbit proxy fajita --language="en_US"
The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y
The Consumer Key: 88122cce2d14d5cbd57f77c552e80843d97ff4be
The Token: b25abee1b365458a9d719608bda85f6eb4900885
Access proxy language: en_US
SUDO automation: false

Enabling the Use of Automated SUDO

caution

This feature is only available for proxies.

Activation in one system is not reflected in the other.

Control of this functionality through the web interface governs its use during a session, according to the security criteria of access groups, devices and credentials. But if the functionality is inactive in the proxy system, the user will not be able to perform automated privilege elevation, regardless of whether they have the necessary permission.

Use the --enable-sudo argument to allow the use of automated SUDO in the senhasegura Web Proxy or senhasegura Terminal Proxy. Restart the proxy after configuration.

mt4adm@vmdf-giskard:~$ sudo orbit proxy fajita \
--enable-sudo=false
The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y
The Consumer Key: 88122cce2d14d5cbd57f77c552e80843d97ff4be
The Token: b25abee1b365458a9d719608bda85f6eb4900885
Access proxy language: en_US
SUDO automation: false

Blocking and Enabling the Embedded Browser Interface

The embedded browser that allows proxy access to web pages can have its interface blocked or enabled to users.

caution

By enabling the interface, users will be able to open new tabs and access other systems besides the one that the credential grants access to.

mt4adm@vmdf-giskard:~$ sudo orbit proxy fajita \
--fajita-unblock-interface
The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y

mt4adm@vmdf-giskard:~$ sudo orbit proxy fajita \
--fajita-block-interface
The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y

Determining the RDP encryption level

For proxy systems that handle the RDP protocol, you can set the encryption level of the connection. Restart the proxy after configuration.

mt4adm@vmdf-giskard:~$ sudo orbit proxy fajita \
--rdp-encryption=low
The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y
The Consumer Key: 88122cce2d14d5cbd57f77c552e80843d97ff4be
The Token: b25abee1b365458a9d719608bda85f6eb4900885
Access proxy language: en_US
SUDO automation: false

mt4adm@vmdf-giskard:~$ sudo orbit proxy rdpgate \
--rdp-encryption=high
The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y
The Consumer Key: ea3d21730571e3ba03ba9812e2579bd0b439643b
The Token: 16c017bb51d2581f7f4eea9c5d851d8fe1d6c10c
Access proxy language: en_US
RDP encryption level: high
Security Layer: rdp
SSL Ptotocols:
TLS Ciphers:

Setting up the WebService A2A token for a system

The WebService A2A authentication keys used by the proxy systems can be set through the --api-cons and --api-token arguments. Restart the proxy after configuration.

mt4adm@vmdf-giskard:~$ sudo orbit proxy fajita \
--api-cons=88122cce2d14d5cbd57f77c552e80843d97ff4be \
--api-token=b25abee1b365458a9d719608bda85f6eb4900885
The application services will be stopped or restarted during the process.
Are you sure you want to proceed: y

The Consumer Key: 88122cce2d14d5cbd57f77c552e80843d97ff4be
The Token: b25abee1b365458a9d719608bda85f6eb4900885
Access proxy language: en_US
SUDO automation: false

WebService A2A application management

WebService A2A applications have security features that can only be administered via Orbit Command Line.

mt4adm@vmdf-giskard:~$ sudo orbit api --help
Usage: orbit api <cmd>

A2A settings tools.

Arguments:
<cmd> Configuration option: [forward]

Flags:
-h, --help Show context-sensitive help.

-a, --allowed-origns=ALLOWED-ORIGNS,... Allowed Origns servers list
--enable
--disable
--show

Enabling proxy or loadbalancer IPs

If a proxy or load balancer is being used, senhasegura identifies the application client IP from the X-Forwarded-For header. In these cases, the allowed IP of the WebService A2A token must remain the application's IP, but you must register the proxy or load balancer IP using the forward command.

mt4adm@vmdf-giskard:~$ sudo orbit api forward -a 192.168.10.5
mt4adm@vmdf-giskard:~$ sudo orbit api forward --enable
mt4adm@vmdf-giskard:~$ sudo orbit api forward --show
Status Enable
Allowed Origns 192.168.10.5

You can add more IPs as a comma-separated list. To deactivate forwarding, use the --disable option.

mt4adm@vmdf-giskard:~$ sudo orbit api forward -a 192.168.10.5,192.168.10.6
mt4adm@vmdf-giskard:~$ sudo orbit api forward --enable
mt4adm@vmdf-giskard:~$ sudo orbit api forward --show
Status Enable
Allowed Origns 192.168.10.5,192.168.10.6

mt4adm@vmdf-giskard:~$ sudo orbit api forward --disable
mt4adm@vmdf-giskard:~$ sudo orbit api forward --show
Status Disable
Allowed Origns 192.168.10.5,192.168.10.6
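An added example (not senhasegura code) of the trusted-proxy rule this section configures: X-Forwarded-For is honoured only when the connection comes from an address registered with orbit api forward, and the token's allowed IP is then compared with the resolved client address. This page does not document how senhasegura parses the header internally; the right-to-left walk, the function names and the sample addresses 10.0.0.20 and 203.0.113.9 are assumptions.

```shell
#!/bin/sh
# Added example: trusted-proxy handling of X-Forwarded-For (general model,
# not senhasegura's implementation).

# True if $1 is an exact member of the comma-separated list $2.
in_list() {
    [ -n "$1" ] || return 1
    case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

# client_ip PEER XFF TRUSTED [STATUS]
#   PEER    address of the TCP connection as seen by the server
#   XFF     raw X-Forwarded-For header value (may be empty)
#   TRUSTED comma-separated list registered with "orbit api forward -a"
#   STATUS  Enable or Disable, as printed by "orbit api forward --show"
client_ip() (
    peer=$1; xff=$2; trusted=$3; status=${4:-Enable}

    # Any client can send this header. It only means something when the
    # connection itself comes from a registered proxy or load balancer.
    if [ "$status" != "Enable" ] || ! in_list "$peer" "$trusted"; then
        echo "$peer"; exit 0
    fi

    # Each proxy appends the address it received the request from, so walk
    # the list right to left and stop at the first hop that is not trusted.
    client=$peer
    rest=$(printf '%s' "$xff" | tr -d ' \t')
    while [ -n "$rest" ]; do
        hop=${rest##*,}
        case "$rest" in *,*) rest=${rest%,*} ;; *) rest= ;; esac
        [ -n "$hop" ] || continue
        client=$hop
        in_list "$hop" "$trusted" || break
    done
    echo "$client"
)

# token_allows TOKEN_IPS PEER XFF TRUSTED [STATUS]
# Exit status 0 if the resolved client address is in the token's allowed IPs.
token_allows() {
    in_list "$(client_ip "$2" "$3" "$4" "${5:-Enable}")" "$1"
}

# Constructed scenarios. 10.0.0.20 stands for the application server allowed
# on the A2A token, 203.0.113.9 for a host that is not allowed.
TRUSTED="192.168.10.5,192.168.10.6"
echo "via load balancer:           $(client_ip 192.168.10.5 '10.0.0.20' "$TRUSTED")"
echo "direct, header set by peer:  $(client_ip 203.0.113.9 '10.0.0.20' "$TRUSTED")"
echo "extra value sent through LB: $(client_ip 192.168.10.5 '10.0.0.20, 203.0.113.9' "$TRUSTED")"
echo "forwarding disabled:         $(client_ip 192.168.10.5 '10.0.0.20' "$TRUSTED" Disable)"
```

The second and third scenarios resolve to 203.0.113.9, so a token that allows only 10.0.0.20 rejects them even though the header names the application server.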

Running senhasegura services manually

senhasegura services are responsible for executing the asynchronous tasks of all senhasegura modules.

By default, only the primary cluster instance is able and permitted to execute all services. The other cluster members can only execute tasks related to operational modules. Tasks related to backup and the master key can only be executed by the primary member.

If you need to run a service manually to observe its behavior or to debug it, use the following command on the primary instance.

mt4adm@vmdf-giskard:~$ sudo orbit execution
Usage: orbit execution --code=STRING

Application execution process tool.

Flags:
-h, --help Show context-sensitive help.

-c, --code=STRING The Execution Process ID
-t, --task=STRING The Execution Task ID
-o, --option=STRING The Execution Process extra options
-v, --verbose Enable verbose mode
-d, --debug Enable debug mode
--force Force the command execution, never prompt

The code parameter is the numeric service ID, listed at Settings ➔ Execution process ➔ Processes.

The task parameter can be used only if the target service has a scheduled task in Settings ➔ Services ➔ Robots and tasks ➔ Tasks report.

The verbose and debug flags increase the output of the procedure, giving more details about the operation.

mt4adm@vmdf-giskard:~$ sudo orbit execution --code 56 --verbose --debug
[2021-01-10 20:55:48 9.34Mb]: Preparing execution. PID 13158
[2021-01-10 20:55:49 9.84Mb]: Starting the change schedule for expired passwords
[2021-01-10 20:55:49 10.17Mb]: Finished
[2021-01-10 20:55:49 10.16Mb]: Finishing PID 13158
mt4adm@vmdf-giskard:~$

Configuring Domum Gateway

Using the command orbit domum-gateway you can set the gateway settings for the Domum module.

mt4adm@vmdf-giskard:~$ sudo orbit domum-gateway -h
Usage: orbit domum-gateway <action>

Domum Gateway settings tools

Arguments:
<action> Domum gateway action: [challenge|setup|rotate|status]

Flags:
-h, --help Show context-sensitive help.

-a, --activation=STRING Activation string
-c, --challenge=STRING Challenge string
--force Force the command execution, never prompt
--show

To list the current state of the communication between the senhasegura instance and the Domum Gateway, use the --show argument or the status action.

mt4adm@vmdf-giskard:~$ sudo orbit domum-gateway status

Connection with Domum Gateway is UP!

PING 16.202.217.165 (16.202.217.165) 56(84) bytes of data.
64 bytes from 16.202.217.165: icmp_seq=1 ttl=64 time=48.5 ms
64 bytes from 16.202.217.165: icmp_seq=2 ttl=64 time=48.5 ms
64 bytes from 16.202.217.165: icmp_seq=3 ttl=64 time=48.7 ms
64 bytes from 16.202.217.165: icmp_seq=4 ttl=64 time=48.4 ms
64 bytes from 16.202.217.165: icmp_seq=5 ttl=64 time=53.4 ms

--- 169.254.251.125 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 9ms
rtt min/avg/max/mdev = 48.403/49.489/53.356/1.950 ms

interface: Domum
public key: 3pnqyBznY9Jxise6PneZRALBJwUfgASTpkUVtHOV6VU=
private key: (hidden)
listening port: 46008

peer: Z+yzMY4Z9kcA1FfaCEu5dXk+qR4ke73jhspDKjAuswg=
endpoint: 52.27.111.109:51820
allowed ips: 16.202.217.165/32
latest handshake: 15 seconds ago
transfer: 2.23 KiB received, 2.29 KiB sent
persistent keepalive: every 25 seconds

If no configuration has been performed, the command will print an error message:

mt4adm@vmdf-giskard:~$ sudo orbit domum-gateway status
This instance is not connect to any Domum Gateway
Setup needed

To configure the Domum Gateway, first use the challenge action. This action generates a unique certificate for the instance, which must be sent to our Support team; the team will then perform the configuration between the company VPN and the Domum Gateway.

mt4adm@vmdf-giskard:~$ sudo orbit domum-gateway challenge

Are you sure you want to proceed: y
Your Domum gateway challenge

Next, our team will send a configuration string. With this string in hand, pass it to the setup action with the --activation argument.

mt4adm@vmdf-giskard:~$ sudo orbit domum-gateway setup --activation=MIIFgQYJKoZIhvcNAQcDoIIFcjCCBW4CAQAxggJlMIICYQIBADBJMDExDj...
Are you sure you want to proceed: y
Done!
No errors reported

With these steps the configuration is done.

Once you have set up the instance with the gateway, you can request the keys to be changed.

To perform a rotation, use the argument rotate.

caution

Using this argument will restart all active connections.

mt4adm@vmdf-giskard:~$ sudo orbit domum-gateway rotate

Are you sure you want to proceed: y
Connection with Domum Gateway is UP!

PING 16.202.217.165 (16.202.217.165) 56(84) bytes of data.
64 bytes from 16.202.217.165: icmp_seq=1 ttl=64 time=48.0 ms
64 bytes from 16.202.217.165: icmp_seq=2 ttl=64 time=48.0 ms
64 bytes from 16.202.217.165: icmp_seq=3 ttl=64 time=48.1 ms
64 bytes from 16.202.217.165: icmp_seq=4 ttl=64 time=48.2 ms
64 bytes from 16.202.217.165: icmp_seq=5 ttl=64 time=47.6 ms

--- 16.202.217.165 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 8ms
rtt min/avg/max/mdev = 47.581/47.977/48.220/0.352 ms

interface: Domum
public key: KTucX7gwxCCGKzuU63DccQ/J5eQtGkSEoCnQ+K+s4C8=
private key: (hidden)
listening port: 49538

peer: 7CqAnT/YsFnqCBQRbwybeIB4C6XMh6BcIQGBjDhfxgo=
endpoint: 52.27.111.109:51820
allowed ips: 16.202.217.165/32
latest handshake: 5 seconds ago
transfer: 828 B received, 1.42 KiB sent
persistent keepalive: every 25 seconds
mt4adm@vmdf-giskard:~$