NFS Storage

Axidian Privilege supports file storage based on the NFS Network Access Protocol (Network File System).

Preparing storage on Linux OS

RPM

1. Install the required packages:

   sudo dnf install nfs-utils

2. Start NFS server services:

   sudo systemctl start nfs-server.service
   sudo systemctl enable nfs-server.service
   sudo systemctl status nfs-server.service

3. Create file systems for export or sharing on NFS server and set the owner and group:

   sudo mkdir -p /mnt/data_storage/
   sudo chown -R 23041:23041 /mnt/data_storage/

4. Export filesystems to the NFS server configuration file, /etc/exports, to define local physical filesystems accessible to NFS clients:

   Path template

   /mnt/data_storage/ <Client IP/Network/Mask/*>(rw,sync,all_squash,anonuid=23041,anongid=23041)
   Path example

   /mnt/data_storage/ 192.168.131.0/24(rw,sync,all_squash,anonuid=23041,anongid=23041)

5. Once you have made your changes, run the command to make them take effect:

   sudo exportfs -arv

6. Bypassing built-in security utilities:

   In RPM-based distros (e.g. CentOS, RHEL, Fedora), the SELinux security utility may block NFS access if it is not configured properly.

   • To disable SELinux temporarily for testing:

     sudo setenforce 0

   • To configure SELinux to work with NFS:

     sudo setsebool -P nfs_export_all_rw 1
     sudo setsebool -P nfs_export_all_ro 1

   Also make sure that your firewall is not blocking ports required for NFS to work. Open required ports:

   sudo firewall-cmd --permanent --add-service=nfs
   sudo firewall-cmd --permanent --add-service=rpc-bind
   sudo firewall-cmd --permanent --add-service=mountd
   sudo firewall-cmd --reload

DEB

1. Install the required packages:

   sudo apt update
   sudo apt install nfs-kernel-server

2. Start NFS server services:

   sudo systemctl start nfs-kernel-server.service
   sudo systemctl enable nfs-kernel-server.service
   sudo systemctl status nfs-kernel-server.service

3. Create file systems for export or sharing on NFS server and set the owner and group:

   sudo mkdir -p /mnt/data_storage/
   sudo chown -R 23041:23041 /mnt/data_storage/

4. Export filesystems to the NFS server configuration file, /etc/exports, to define local physical filesystems accessible to NFS clients:

   Path template

   /mnt/data_storage/ <Client IP/Network/Mask/*>(rw,sync,all_squash,anonuid=23041,anongid=23041)
   Path example

   /mnt/data_storage/ 192.168.131.0/24(rw,sync,all_squash,anonuid=23041,anongid=23041)

5. Once you have made your changes, run the command to make them take effect:

   sudo exportfs -arv

6. Bypassing built-in security utilities:

   On DEB based distros (e.g. Ubuntu, Debian) you may also need to configure your firewall to allow NFS access.

   • To check the firewall status and, if necessary, open ports for NFS:

     sudo ufw status
     sudo ufw allow from <Client IP> to any port nfs
     sudo ufw allow 2049/tcp
     sudo ufw allow 111/tcp
     sudo ufw allow 111/udp

   • If you are using AppArmor, make sure that the profiles for NFS are configured properly. In some cases, you may need to adjust or temporarily disable them.

     sudo aa-status

     If AppArmor interferes with NFS, you can temporarily disable it for testing:

     sudo systemctl stop apparmor
     sudo systemctl disable apparmor

Configuring PAM to work with NFS

The storage is configured after installing Axidian Privilege.

Linux

1. Create a folder for mounting media storage on the server. You can also use a ready-made folder, for example, /etc/axidian/axidian-pam/media-temp.

   sudo mkdir -p /mnt/pamstorage/

2. Install NFS mount client:

   • RPM:

     sudo yum install nfs-utils

   • DEB:

     sudo apt install nfs-common

3. Mount the storage:

   Command template

   sudo mount -t nfs <fqdn_or_ip_nfs_server>:/path/to/media_storage /path/to/mount/folder
   Command example

   sudo mount -t nfs 192.168.131.200:/mnt/data_storage/ /mnt/pamstorage/

4. Add storage mount to autostart:

   To automatically mount NFS on system startup, add an entry to the /etc/fstab file:

   Command template

   <fqdn_or_ip_nfs_server>:/path/to/media_storage /path/to/mount/folder nfs defaults 0 0

   File example:

   Command example

   192.168.131.200:/mnt/data_storage/ /mnt/pamstorage/ nfs defaults 0 0

   To verify the mount, run the command:

   sudo mount

5. Edit the volumes section in the docker-compose files for Core and Gateway-Service:

   • Core: Path to the file on the management server: /etc/axidian/axidian-pam/docker-compose.management-server.yml
   • Gateway-Service: Path to the file on the access server: /etc/axidian/axidian-pam/docker-compose.access-server.yml

   You need to add the path to the mounted storage to the volumes section:

   - /path/to/mount/folder:/mnt/storage:rw,z

   Example for Core:

   core:
     image: nexus.axidian-id.hq:5050/pam/axidian-pam-core:${TAG}
     container_name: pam-core
     extends:
       file: docker-compose.common-services.yml
       service: base
     pids_limit: 5000
     depends_on:
       - ca-certificates
       - pgsql
     environment:
       - COMPlus_EnableDiagnostics=0
     user: root
     read_only: false
     security_opt:
       - apparmor=pam-management
     volumes:
       - ./core/events:/var/lib/axidian/axidian-pam/events:rw,Z
       - ./core/appsettings.json:/app/appsettings.json:ro,z
       - ./keys/shared/protector:/etc/axidian/axidian-pam/keys/shared/protector:ro,z
       - ./keys/core:/etc/axidian/axidian-pam/keys/core:ro,Z
       - ./logs/core:/app/logs:rw,Z
       - /mnt/pamstorage:/mnt/storage:rw,z  # NFS mount example
       - pam-core-temp-data:/var/lib/axidian/axidian-pam:rw
       - pam-ca-cert-store:${CERT_STORE}:ro
     tmpfs:
       - /tmp
     networks:
       - pam-core-network
       - pam-ls-network

6. Edit the Storage section of the Core and Gateway-Service configuration files:

   • Core: Path to the configuration file on the management server: /etc/axidian/axidian-pam/core/appsettings.json
   • Gateway-Service: Path to the configuration file on the access server: /etc/axidian/axidian-pam/gateway-service/appsettings.json

   In both files you need to specify the path to the mounted storage:

   "Storage": {
     "Type": "FileSystem",
     "Settings": {
       "Root": "/mnt/storage"
     }
   }

7. Restart containers using the following command:

   sudo bash /etc/axidian/axidian-pam/scripts/run-pam.sh

Windows

1. Install NFS mount client:

   1. Click Start → Server Manager in the lower left corner.
   2. Click Add Roles and Features.
   3. On the Features page, enable the Client for NFS checkbox and click Next.
   4. Confirm the settings by clicking Install.

2. Mount the storage and add it to autostart:

   Use PowerShell without elevated privileges.

   Command template

   New-PSDrive -PSProvider FileSystem -Name <drive_letter> -Root \\<fqdn_or_ip_nfs_server>\path\to\media_storage -Persist
   Command example

   New-PSDrive -PSProvider FileSystem -Name Z -Root \\192.168.131.200\mnt\data_storage\ -Persist

3. Edit the Storage section of the Core and Gateway-Service configuration files:

   • Core: Path to the configuration file on the management server: C:\inetpub\wwwroot\core\appsettings.json
   • Gateway-Service: Path to the configuration file on the access server: C:\Program Files\Axidian\Axidian Privilege\Gateway\Pam.Gateway.Service\appsettings.json

   Change the Storage section to:

   Section template

   "Storage": {
     "Type": "FileSystem",
     "Settings": {
       "Root": "\\\\<fqdn_or_ip_nfs_server>\\path\\to\\media_storage"
     }
   },
   Section example

   "Storage": {
     "Type": "FileSystem",
     "Settings": {
       "Root": "\\\\192.168.131.200\\mnt\\data_storage\\"
     }
   },

4. Restart IIS and Gateway-Service:

   • Restart IIS on the management server:

     Open IIS Manager and run the Restart command on the server.

   • Restart Gateway-Service:

     Open Task Manager, find the PAM.Gateway.Service and restart it.