# BastionXP Enterprise On-Prem

In this guide, we'll discuss how to download and set up the BastionXP Enterprise On-Prem version using a 14-day free-trial enterprise license or a paid enterprise license.

# Prerequisites:

  • A Linux VM or server
  • Open up TCP port 443 (BastionXP web app will be available at this port)

# BastionXP Download and Install

Download and install the BastionXP server software from the download page.

The free version and the enterprise version use one and the same binary. There is no separate binary provided for the enterprise version.

Note:

When the BastionXP server runs without a license file, it is considered a free version and supports only basic features with limited scalability. The free version is intended for individuals, learners, students or any non-commercial users.

To turn on the enterprise features and get access to priority enterprise support, you need an enterprise license file. A 14-day free-trial enterprise license is available for download from our BastionXP Cloud Web Portal.

# License File Download

Visit the BastionXP Cloud Web Portal and register using your company email ID. You could also register using your personal email ID.

After a successful login, go to the "Enterprise Version" tab, and click the "Start Free Trial" button.

Provide all the required information, such as your company name, company website URL and use cases. Click the "Create Free Trial License" button.

It will take just a few seconds, after which you'll notice that the "Download License File" button is enabled now. Click the button to download the license file (in PEM encoded format) to a local directory.

Copy the license file to the /var/lib/bastionxp folder on the server where the BastionXP server has been downloaded and installed.

# BastionXP Enterprise Configuration

Create a directory named bastionxp under /etc in your system as shown below:

sudo mkdir -p /etc/bastionxp

Create a configuration file named config.json in the /etc/bastionxp directory with the following contents.

{
    "mode": "auth",
    "email": "[email protected]",
    "gateway_domain": "ca.example.com",
    "ssh_ca_enable": true,
    "license_file": "license.pem",
    "oidc_provisioner": {
        "name": "microsoft",
        "client_id": "38asdf232erwefasdf",
        "secret": "abcdefghicjadfasdfasdf2342334234dsadf234"
    }
}

By default, bastionxp will look for a license file named license.pem in the default data directory: /var/lib/bastionxp. If one is available, it will use the license file to verify the license with the BastionXP Cloud License Server.

Tip:

BastionXP CA server will not start if an expired license file is found at /var/lib/bastionxp/license.pem. Check the log file at /var/lib/bastionxp/bastionxp.log to see any license expiry related logs.

To continue running the server in the free version mode, without any enterprise features, delete the license file and restart the server.

For additional configuration settings, please refer to our Configuration guide.
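Because config.json stores the OIDC client secret in plain text, it is worth checking the file before restarting the server. The script below is an added example, not part of BastionXP or its tooling: it flags a config file readable by group or others, OIDC values still set to the sample strings shown above, and a missing or loosely permissioned license file. The function name lint_config is hypothetical, and the script assumes that the config file is owned by the account running bastionxp and that a relative license_file is resolved against /var/lib/bastionxp.

```python
import json
import os
import stat

# Sample credentials printed in the guide's config.json; they must not be deployed.
SAMPLE_VALUES = {
    "client_id": "38asdf232erwefasdf",
    "secret": "abcdefghicjadfasdfasdf2342334234dsadf234",
}
DATA_DIR = "/var/lib/bastionxp"  # default data directory named in the guide


def lint_config(config_path, data_dir=DATA_DIR):
    """Return a list of findings for a BastionXP config.json (empty means clean)."""
    findings = []
    mode = stat.S_IMODE(os.stat(config_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{config_path} is mode {mode:04o} but holds the OIDC secret; use 0600")
    try:
        with open(config_path, encoding="utf-8") as fh:
            cfg = json.load(fh)
    except json.JSONDecodeError as exc:
        return findings + [f"{config_path} is not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return findings + [f"{config_path} must contain a JSON object"]
    oidc = cfg.get("oidc_provisioner")
    if isinstance(oidc, dict):
        for key, sample in SAMPLE_VALUES.items():
            if not oidc.get(key):
                findings.append(f"oidc_provisioner.{key} is empty or missing")
            elif oidc[key] == sample:
                findings.append(f"oidc_provisioner.{key} is still the guide's sample value")
    license_name = cfg.get("license_file")
    if license_name:
        # Assumption: a relative license_file is resolved against the data directory.
        license_path = os.path.join(data_dir, license_name)
        if not os.path.isfile(license_path):
            findings.append(f"license file {license_path} not found")
        elif stat.S_IMODE(os.stat(license_path).st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{license_path} is writable by group or others")
    return findings


if __name__ == "__main__":
    problems = lint_config("/etc/bastionxp/config.json")
    print("\n".join(problems) or "no findings")
    raise SystemExit(1 if problems else 0)
```

Run it with sufficient privileges to read /etc/bastionxp/config.json; a non-zero exit status means at least one finding was printed.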

# Restart the Server

Now restart the BastionXP service already running in the background to pick up the above configuration changes.

sudo systemctl restart bastionxp

Your BastionXP CA's web portal can be accessed at: https://ca.example.com. Please ensure that no other web server or application is running on port 443 on your server. If one is, stop the other web app and restart the BastionXP CA instance.

You can check the bastionxp logs as shown below:

tail -f /var/lib/bastionxp/bastionxp.log

You'll see the following logs in the log file:

Using config file: /etc/bastionxp/config.json
Creating TLS Root CA certificate at:  /var/lib/bastionxp/tls_root_ca.crt
Root CA Fingerprint:  35a85a609a703ab0984ba652ce0d3e0da1397aadc992b0139205f5c45dfd73a5
Creating TLS Intermediate CA certificate at:  /var/lib/bastionxp/tls_intermediate_ca.crt
Creating Auth Server Host Certificate at:  /var/lib/bastionxp/server.crt
...
...

Note the Root CA fingerprint 35a85a609a703ab0984ba652ce0d3e0da1397aadc992b0139205f5c45dfd73a5 in the above log. You'll use this fingerprint later to establish trust with this CA.

# Download Certificates from the CA

Now that the BastionXP Certificate Manager is up and running, you can request server and client SSL or SSH certificates.

Certificates for SSL/TLS X.509 server and client applications:

Certificates for SSH hosts/VMs and SSH clients:

Please replace the BastionXP domain name used in the examples in this documentation with the subdomain uniquely created for you. For example: https://your-company-name.bastionxp.com. You should download the bsh client from your BastionXP instance's download link.