
Organization — Prerequisites

Packages

The packages and what each one is used for:

dnsutils: dig command (DNS verification)
uuid-runtime: generating UUIDs
docker.io: container runtime
docker-compose-v2: Compose file management
unzip: extracting the installation package
nginx: reverse proxy and TLS passthrough routing
libnginx-mod-stream: nginx stream module for SNI-based routing

Install them in one step (a comment after a trailing backslash breaks the line continuation, so the purposes are listed above rather than inline):

sudo apt update
sudo apt install -y \
  dnsutils \
  uuid-runtime \
  docker.io \
  docker-compose-v2 \
  unzip \
  nginx \
  libnginx-mod-stream

Docker

Add your user to the docker group and authenticate with the Synkzone registry. The group change only applies to new login sessions, so log out and back in (or run newgrp docker) before the docker login. Note that membership in the docker group is equivalent to root on the host; grant it only to the account that operates the installation.

sudo usermod -aG docker $USER
docker login registry.synkzone.com

Info

Registry credentials are provided by Synkzone. Contact your Synkzone sales representative to obtain access. Unless a Docker credential helper is configured, docker login stores the credentials base64-encoded (not encrypted) in ~/.docker/config.json, so protect that file accordingly.

Email (optional)

Ensure SMTP credentials are available and the SMTP server is configured to accept connections from the Organization Server. See server.config and mailservice-credentials.properties for configuration details.

Note

Email is used to send login credentials to new users. If email is disabled, the administrator who creates an account is responsible for distributing its credentials to the user by some other means.

Remote Storage (optional)

Ensure an S3-compatible bucket is created and that access credentials are available. See server.config and remote-storage-credentials.properties for configuration details.

Note

Only AWS Signature Version 2 is supported. AWS has deprecated SigV2 for S3 and newly created AWS buckets no longer accept it, so confirm that the chosen S3-compatible storage endpoint still supports SigV2 before configuring it.

Identity Provider (optional)

Ensure the OIDC client is registered at the identity provider with the required redirect URLs, and that the client ID and client secret are available. Identity providers compare redirect URLs exactly, so register the full https URL on the web FQDN (scheme, host, port and path) rather than a prefix. See server.config for configuration details.

Note

Supported identity providers are Generic OIDC and Swedish BankID. The implementation is based on OIDC 1.0 with support for OAuth 2.1.

DNS

The Organization FQDN must match a domain owned by your company or the end customer. The World Server FQDN is reserved and cannot be used as an Organization FQDN.

Record Type   Record Name                                                Record Value                                               Purpose
A             sz<main-UUID-without-hyphens>.world.synkzone.example.com   IP of Organization Server                                  Organization (szDNS)
CNAME         acme.example.com                                           sz<main-UUID-without-hyphens>.world.synkzone.example.com   Web services
CNAME         szworld.acme.example.com                                   world.synkzone.example.com                                 Organization registration in World

Note

The <main-UUID-without-hyphens> in the szDNS record corresponds to the main component UUID generated in Installation — step 3.

Warning

DNS records must be in place before installation begins.

Info

For a complete example, see Examples.
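Because the warning above makes correct DNS a hard prerequisite, the following pre-flight check is worth running before the installation starts. It is an added example, not part of the Synkzone documentation or product: a POSIX shell script that uses dig (from dnsutils) to confirm each of the three records in the table resolves to the expected value. The MAIN_UUID and ORG_IP defaults are constructed placeholders; set them to the main component UUID from Installation step 3 (hyphens removed) and the Organization Server's IP. RESOLVER lets you query a specific name server (for example the zone's authoritative server) instead of a possibly stale local cache.

```shell
#!/bin/sh
# Added pre-flight check (not part of the Synkzone documentation): confirm the
# three DNS records from the table exist before starting the installation.
# MAIN_UUID and ORG_IP default to constructed placeholders; set them to the
# main component UUID (Installation step 3, hyphens removed) and the server IP.

MAIN_UUID="${MAIN_UUID:-0123456789abcdef0123456789abcdef}"   # placeholder, 32 hex chars
ORG_IP="${ORG_IP:-203.0.113.10}"                              # placeholder (RFC 5737 test range)
RESOLVER="${RESOLVER:-}"                                      # e.g. @ns1.example.com to skip local caches

WORLD_FQDN="world.synkzone.example.com"
SZDNS_FQDN="sz${MAIN_UUID}.${WORLD_FQDN}"
WEB_FQDN="acme.example.com"
WORLD_ALIAS_FQDN="szworld.acme.example.com"

# resolve TYPE NAME: print the answers, one per line, trailing dot removed.
# Isolated in its own function so a test can replace it with canned answers.
resolve() {
  dig +short ${RESOLVER} "$1" "$2" | sed 's/\.$//'
}

# check_record TYPE NAME EXPECTED: succeed if EXPECTED is one of the answers.
check_record() {
  answers=$(resolve "$1" "$2")
  if printf '%s\n' "$answers" | grep -qxF -- "$3"; then
    printf 'ok    %-5s %s -> %s\n' "$1" "$2" "$3"
    return 0
  fi
  printf 'FAIL  %-5s %s: expected %s, got: %s\n' "$1" "$2" "$3" "$(printf '%s' "$answers" | tr '\n' ' ')"
  return 1
}

# check_all: run every check; the return value is the number of failing records,
# so 0 means the records are in place and installation can start.
check_all() {
  fails=0
  check_record A     "$SZDNS_FQDN"       "$ORG_IP"     || fails=$((fails + 1))
  check_record CNAME "$WEB_FQDN"         "$SZDNS_FQDN" || fails=$((fails + 1))
  check_record CNAME "$WORLD_ALIAS_FQDN" "$WORLD_FQDN" || fails=$((fails + 1))
  return $fails
}

# Usage: MAIN_UUID=... ORG_IP=... RESOLVER=@ns1.example.com sh check-dns.sh --check
if [ "${1:-}" = "--check" ]; then
  check_all
fi
```

The A record is checked against the server IP and each CNAME against its exact target; a CNAME that points at the right host through an extra hop, or a record that only exists in a local cache, is reported as a failure, which is the conservative outcome you want before a one-shot installation.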

Web Certificate

The web component requires a trusted TLS certificate. If you don't have one, you can issue it via Let's Encrypt:

Example

sudo apt install -y certbot
sudo certbot certonly --webroot -w /var/www/html -d acme.example.com

Note

The certificate must be issued for the same domain as SynkzoneWebAddress in main/config/server.config. Webroot validation requires the acme.example.com CNAME to resolve already and port 80 to reach the nginx default site that serves /var/www/html. certbot writes the certificate and key under /etc/letsencrypt/live/acme.example.com/ and installs a systemd timer that renews them through the same HTTP challenge, so port 80 must stay reachable after installation as well.

Firewall

The Organization requires TLS passthrough routing (port 443). For the reference installation, nginx is used in stream mode with SNI-based routing: it reads the server name from the TLS ClientHello and forwards the still-encrypted connection to the Organization or to the web/API component. Nothing is decrypted at nginx, so each backend presents its own certificate and no plaintext is available at the proxy.
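The SNI routing just described, as an added example that is not Synkzone's reference configuration: a POSIX shell script that renders an nginx stream block using ssl_preread and installs it. The backend addresses 127.0.0.1:8443 (Organization) and 127.0.0.1:9443 (web/API), the /etc/nginx/stream.d include path and the szDNS placeholder are assumptions; replace them with the ports your Organization and web components actually listen on.

```shell
#!/bin/sh
# Added example (not Synkzone's reference configuration): render and install an
# nginx stream block that forwards port 443 by SNI without terminating TLS.
# The backend addresses, the stream.d path and the szDNS placeholder below are
# assumptions; use the ports your Organization and web components listen on.

SZDNS_FQDN="${SZDNS_FQDN:-sz0123456789abcdef0123456789abcdef.world.synkzone.example.com}"  # placeholder UUID
WEB_FQDN="${WEB_FQDN:-acme.example.com}"
ORG_BACKEND="${ORG_BACKEND:-127.0.0.1:8443}"      # assumed Organization listener
WEB_BACKEND="${WEB_BACKEND:-127.0.0.1:9443}"      # assumed web/API listener
STREAM_CONF="${STREAM_CONF:-/etc/nginx/stream.d/synkzone.conf}"

# render_stream_conf SZDNS WEB ORG_BACKEND WEB_BACKEND: print the nginx stream config.
render_stream_conf() {
  cat <<EOF
# Pick the backend from the server name in the TLS ClientHello (ssl_preread).
# Nothing is decrypted here, so the web certificate lives on the web component.
map \$ssl_preread_server_name \$synkzone_backend {
    $1    $3;
    $2    $4;
    # Clients that send no SNI (IP-based scanners) also reach the web component.
    # Point default at a closed port such as 127.0.0.1:1 to refuse them instead.
    default    $4;
}

server {
    listen 443;
    ssl_preread on;
    proxy_pass \$synkzone_backend;
}
EOF
}

# install_stream_conf: wire the config into nginx.conf, validate, reload.
install_stream_conf() {
  # Debian/Ubuntu nginx.conf ships without a stream{} block; add one that
  # includes stream.d so the file rendered above is loaded at top level.
  if ! grep -q 'stream.d' /etc/nginx/nginx.conf; then
    printf '\nstream {\n    include /etc/nginx/stream.d/*.conf;\n}\n' \
      | sudo tee -a /etc/nginx/nginx.conf >/dev/null
  fi
  sudo mkdir -p "$(dirname "$STREAM_CONF")"
  render_stream_conf "$SZDNS_FQDN" "$WEB_FQDN" "$ORG_BACKEND" "$WEB_BACKEND" \
    | sudo tee "$STREAM_CONF" >/dev/null
  # Validate before reloading so a bad map never takes the proxy down.
  sudo nginx -t && sudo systemctl reload nginx
}

# Usage: sh synkzone-stream.sh             (print the config)
#        sudo sh synkzone-stream.sh --install
if [ "${1:-}" = "--install" ]; then
  install_stream_conf
else
  render_stream_conf "$SZDNS_FQDN" "$WEB_FQDN" "$ORG_BACKEND" "$WEB_BACKEND"
fi
```

Because the stream server owns port 443, no http server block may listen on 443 on the same address; the Debian default site stays on port 80 with root /var/www/html, which is exactly what the certbot webroot challenge above needs.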

Source              Destination                 Port   Purpose
0.0.0.0/0           IP of Organization Server   80     HTTP challenge for certificate issuance and renewal
client network(s)   IP of Organization Server   443    TLS routes to Organization or web/API based on SNI

Example

# Port 80 must be reachable from anywhere: Let's Encrypt validates the HTTP challenge from its own servers.
sudo iptables -A INPUT -p tcp -m tcp --dport 80 -m comment --comment LetsEncrypt -j ACCEPT
# Port 443 as written accepts from any source; add -s <client-network/CIDR> (one rule per network)
# to match the "client network(s)" restriction in the table.
sudo iptables -A INPUT -p tcp -m tcp --dport 443 -m comment --comment SynkzoneOrganization -j ACCEPT
# Rules added this way do not survive a reboot; save them with iptables-persistent (netfilter-persistent save).
# Docker also manages its own iptables chains (DOCKER, FORWARD), so keep these rules in INPUT only.

Info

For a complete example, see Examples.