Prerequisites
This document will guide you through the prerequisite steps needed to get ready for deploying the CSE service in your environment.
Specific steps for this section include:
- Sync your Google Workspace tenant with Virtru
- Follow steps to install and provision the Virtru CKS server (Optional)
- Gather the required information from your IDP
- Generate SSL Certificates
- Provision CSE Server
- Configure firewall rules
- Configure DNS
- Next steps
Sync your Google Workspace tenant with Virtru
If you have not already done so, follow this guide to sync your Google Workspace domain with Virtru. This is a prerequisite for provisioning your Virtru CKS and CSE servers:
Note:
The CKS is an optional integration to the CSE and is not a requirement for deployment.
Follow steps to install and provision the Virtru CKS server (Optional):
https://support.virtru.com/hc/en-us/sections/115003720408-Virtru-Customer-Key-Server-CKS-
Gather the required information from your IDP
https://support.google.com/a/answer/10743588?hl=en&ref_topic=10742486
Gmail Only:
If you are planning to use CSE for Gmail, follow the link below to Google's documentation to get started. You will need to request S/MIME certificates for each of your users looking to leverage this capability.
https://support.google.com/a/answer/13069736
For the full instruction set on enabling Gmail for CSE with Virtru, please head over to our support article found here:
https://support.virtru.com/hc/en-us/articles/22400974649367-Reference-Virtru-Private-Keystore-for-Google-Workspace-CSE-Configuring-CSE-for-Gmail
Generate SSL Certificates
As part of the Virtru Private Keystore (for Google Workspace CSE) configuration, you will need to supply an SSL certificate and private key for the domain that will be used for CSE. Complete this step before you start the CSE deployment.
The certificate and key must be obtained from a certificate partner (a public CA). The CSE hostname has to be publicly accessible with a CA-signed certificate, so a self-signed certificate does not meet this requirement.
Decide on the FQDN for the CSE domain before you request the certificate. Virtru recommends csesrv.yourdomain.com (served at https://csesrv.yourdomain.com); this FQDN is the name the certificate is issued for, so it must appear in the certificate's subject alternative names.
Your SSL certificate is a single server.cert file containing your server certificate, any intermediate certificate(s), and the root certificate from your CA, in that order (leaf first, root last).
If your CA provides these as separate files, combine them into the expected server.cert format with:
cat [path-to-certificate] [path-to-intermediate-cert-1] ... [path-to-root-cert] > server.cert
Your SSL private key is the same key that you used to request the certificate, in a server.key file:
cat [path-to-private-key] > server.key
Keep server.key readable only by the account that performs the deployment (for example chmod 600 server.key); it is the private key for your CSE endpoint.
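As an added example (not part of Virtru's documentation or tooling), the following POSIX shell script assembles server.cert and server.key in the order described above and runs the checks a deployer should make before handing the files to the CSE installer: that the certificates are ordered leaf, intermediate, root; that server.key is the key the leaf was issued for; that the leaf carries the CSE FQDN as a subject alternative name; and that the whole chain validates. It needs the openssl command-line tool. Because a real CA-issued chain cannot be embedded here, the script generates a throwaway root, intermediate and leaf of its own as a constructed stand-in, and csesrv.example.com is a placeholder for your FQDN; point the check_* functions at the files your CA issued to check the real ones.

```shell
#!/bin/sh
# Added example, not Virtru's code: assemble server.cert / server.key as described
# above and sanity-check them before the CSE deployment. Needs the openssl CLI.
# The root, intermediate and leaf are generated locally as a constructed stand-in
# for what a public CA would issue; csesrv.example.com is a placeholder FQDN.
set -eu

# Concatenate leaf, intermediate(s) and root into server.cert, in that order.
build_server_cert() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do cat "$f" >> "$out"; done
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Print the n-th certificate (1-based) of a PEM bundle.
nth_cert() { awk -v n="$2" '/BEGIN CERTIFICATE/{i++} i==n' "$1"; }

# Each certificate must be issued by the one after it (leaf -> intermediate -> root);
# the most common mistake is pasting the root or intermediate first.
check_chain_order() {
  n=$(count_certs "$1"); i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer | sed 's/^issuer=//')
    subject=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || return 1
    i=$((i + 1))
  done
}

# server.key must be the key the leaf (first) certificate was issued for.
check_key_matches() {
  [ "$(nth_cert "$1" 1 | openssl x509 -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The leaf must list the CSE FQDN as a subject alternative name.
check_fqdn() {
  nth_cert "$1" 1 | openssl x509 -noout -text | grep -qE "DNS:$2(,|$)"
}

# Full path validation: first cert is the leaf, last is the trusted root,
# anything in between is passed as untrusted intermediates.
check_chain_valid() {
  n=$(count_certs "$1"); t=$(mktemp -d)
  nth_cert "$1" 1 > "$t/leaf.pem"
  nth_cert "$1" "$n" > "$t/root.pem"
  i=2; while [ "$i" -lt "$n" ]; do nth_cert "$1" "$i" >> "$t/mid.pem"; i=$((i + 1)); done
  if [ -s "$t/mid.pem" ]; then
    openssl verify -CAfile "$t/root.pem" -untrusted "$t/mid.pem" "$t/leaf.pem" > /dev/null
  else
    openssl verify -CAfile "$t/root.pem" "$t/leaf.pem" > /dev/null
  fi
  rc=$?; rm -rf "$t"; return "$rc"
}

# Constructed test PKI (root -> intermediate -> leaf for $2) written to directory $1.
make_test_chain() {
  d=$1; fqdn=$2; mkdir -p "$d"
  ec='-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes'
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" > "$d/leaf.ext"
  openssl req -new $ec -subj '/CN=Example Root CA' -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -new $ec -subj '/CN=Example Intermediate CA' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -new $ec -subj "/CN=$fqdn" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Demo: build the bundle from the constructed CA output and run every check.
WORK=$(mktemp -d)
FQDN=csesrv.example.com   # placeholder: use the FQDN you chose for CSE
make_test_chain "$WORK" "$FQDN"
build_server_cert "$WORK/server.cert" "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem"
cp "$WORK/leaf.key" "$WORK/server.key"; chmod 600 "$WORK/server.key"
check_chain_order "$WORK/server.cert" || { echo "server.cert: certificates are in the wrong order" >&2; exit 1; }
check_key_matches "$WORK/server.cert" "$WORK/server.key" || { echo "server.key does not match the leaf certificate" >&2; exit 1; }
check_fqdn "$WORK/server.cert" "$FQDN" || { echo "leaf certificate has no SAN for $FQDN" >&2; exit 1; }
check_chain_valid "$WORK/server.cert" || { echo "server.cert chain does not validate" >&2; exit 1; }
echo "server.cert ($(count_certs "$WORK/server.cert") certificates) and server.key look good in $WORK"
```

Run the script as-is to see the checks pass on the generated chain; to check real material, call the check_* functions against your own server.cert and server.key instead of the generated files. The negative case worth trying is swapping the root and leaf in the cat command: check_chain_order rejects that bundle, and check_key_matches rejects it too, because the first certificate is then the root rather than the one your key belongs to.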
Virtru Private Keystore (for Google Workspace CSE) service install options
Provision CSE Server
In order to use Virtru as a backend key provider for CSE there are two server-side applications that must be installed and configured. They must run on separate servers from the CKS server environment. Both applications are containerized with Docker and are pulled from a private Virtru repository.
- CKS and CSE must be on separate hosts (CKS optional)
- A Docker-supported version of Linux
  - Cloud-based or on-premises (for example AWS, GCP)
- Minimum specs: 2 CPU, 4 GB RAM, 40 GB disk
- Install Docker for your Linux distribution
  - Quick install: sudo curl -sSL https://get.docker.com/ | sh
  - Piping a downloaded script straight into a shell runs code you have not reviewed. If your change-control process requires it, download the script first (curl -fsSL https://get.docker.com -o get-docker.sh), review it, and then run sudo sh get-docker.sh.
- Kubernetes (Helm install): follow our Kubernetes Cluster guide
Configure firewall rules
Both servers need the firewall rules below in place before installation, so that the install and any later troubleshooting are not blocked.
- CSE:
  - Inbound:
    - Port 443, needed for traffic from end users in Drive (requests come from the end users' desktops directly; nothing comes from Google)
    - Port 22 for SSH (optional)
    Note: As a Google requirement, the CSE server must be reachable inbound on port 443 by end-user clients, for the reasons stated above.
  - Outbound:
    - Port 443, needed for:
      - Download of the container image containers.virtru.com/cse:<tag> (see the release notes for the latest version)
      - Access to the Virtru ACM endpoints: api.virtru.com/acm and api.virtru.com/accounts
      - Access to Google APIs: googleapis.com
      - Your IDP (accounts.google.com if you are using the Google IDP)
      - Access to the customer-hosted CKS server (CKS optional), for example cks.customer.com
Configure DNS
For all the services to communicate with one another and for CSE to function properly, a few DNS entries are required. CKS and CSE each need an A record for the server they are installed on, and CSE needs an additional CNAME for the .well-known file (referenced in the Google documentation).
- CSE:
  - Create an A record that points to the server hosting the application. It must be a fully qualified domain name, publicly accessible, and must have a CA-signed SSL certificate issued for that same FQDN.
    - Example: csesrv.customer.com
  - Optional: only needed if you use your own (non-Google) identity provider.
    - Create a CNAME record for the host that serves the .well-known/cse-configuration file. This record must be named cse.<customer_domain>, because that is where Google has configured Docs to look for the file.
Next steps:
Installation steps server
Installation steps Kubernetes
CSE Firewall Access Diagram (with CKS)
CSE Firewall Access Diagram (without CKS)