Skip to main content
Code42 Support

Security Reference

Applies to:
  • CrashPlan PROe

Overview

This article contains a reference guide for settings used to manage security keys, roles, LDAP, Radius, and Single Sign-On.

Keys

Security Keys Reference

Item Description
a Require SSL to access console

Enable this box to force all web requests to use SSL. If enabled, also configure Website protocol, host and port at Settings > Server to use https and port 4285.

b Keystore

Java keystore that contains your key materials.

c Import Keystore

Import your own SSL keystore into this enterprise server. The imported keystore will replace any previously installed SSL certificate. The enterprise server comes with a self-signed SSL certificate. The keystore is stored within the enterprise server's embedded database.

d Export Keystore

Export the currently installed SSL keystore to a file.

e Reset Keystore

Delete existing keystore and randomly generate a new SSL keystore.

f RSA Public Key Public RSA key used for transport security.
g RSA Private Key Private RSA key used for transport security.
h Change RSA Key Pair Change the RSA key pair used for transport security. Modification of this setting will cause all devices to disconnect permanently. All devices must be re-installed in order to reconnect. We recommend that you dump the enterprise server's database before changing the key pair.
i Reset Reset to existing values, and leave unchanged.
j Save Save changes.

Roles

The Roles screen displays all user roles and the specific permissions assigned to each role. You can add, copy, and edit user roles from this screen. To assign user roles, go to the specific user's User Details > Action Menu > Edit > Roles. You may also assign roles within your existing LDAP integration settings, using the role name script.

The SYSADMIN role has full read-write access to all orgs, users, and configuration settings. Users with the SYSADMIN role can grant any permission to themselves and to any other role or user. Other admin users with read-write access are allowed to grant only the permissions granted to themselves. When a permission is removed from an admin role, admins with the updated role can no longer grant the removed permission to any other user.

Security Roles Reference

Item Description
a Roles Lists all currently available roles.
b Copy Role Creates a new role.
c Edit Role Edit the role. Edit option is not available for default roles.
d Delete Role Delete the role. Delete option is not available for default roles.
e Permissions Field Lists the permissions assigned to a role.
f Add Role Create a new role with custom permissions.
g Users Displays the number of users currently assigned the selected role. Click to display a list of those users.

Add Or Edit Roles

Add or Edit Roles Reference.png

Item Description
a Role Name Edit the name of the role
b Permissions Editor Add or remove permissions for this role
c Exit Close without saving or Save the role

Standard Role Reference

The available standard roles, as well as the permissions, limitations, and recommended use cases for each are described in the table below.

For details about the specific permissions held by each role, review them in your administration console at Settings > Security > Roles.

Role Permission Summary Limitations Recommended Use Case
Admin Restore

Administrative

End user 

  • None
No access to the CrashPlan web app or CrashPlan app Assign in conjunction with a role that has access to the CrashPlan web app and CrashPlan app
Admin Restore Limited

Administrative

End user

  • None
  • Restore limit is configurable from Settings > Organization (250 MB by default)
  • No access to the CrashPlan web app or CrashPlan app

Assign in conjunction with a role that has access to the CrashPlan web app and CrashPlan app

All Org Admin

Administrative

End user

  • Perform personal backups from the CrashPlan app and CrashPlan web app
No "root" level access

IT staff who need to perform administrative tasks, but who should not have "root" level access

All Org Manager

Administrative

Review statistics about all of the organizations in your Code42 environment and retrieve data​

End user 

  • None
Read-only access to prevent them from mistakenly changing settings or deleting data Executive users who need statistics, but not technical details, about your Code42 environment 
Desktop User

Administrative

  • N/A

End user

  • Perform personal backups from the CrashPlan app and CrashPlan web app
Cannot interact with other users' data or change settings in your Code42 environment End users in your organization
Org Admin

Administrative

  • Read and write information for users, computers, and organizations within one organization and its children organizations

End user

  • Perform personal backups from the CrashPlan app and CrashPlan web app
  • Cannot read or write information outside their organization
  • Cannot access administration console command line 
  • Cannot access system logs
Administrators who should only manage users and devices within a specific organization
Org Help Desk

Administrative

  • Read-only access to view users and devices within their organization
  • Restore files to the source user's devices using the administration console

End user

  • Perform personal backups from the CrashPlan app and CrashPlan web app
  • Cannot change settings
  • Cannot read or write information outside their organization
Help desk staff who can assist others within their organization, but not reconfigure any settings
Org Manager

Administrative

  • Read-only access to view users and devices within their organization
  • Restore files to the source user's devices using the administration console

End user

  • Perform personal backups from the CrashPlan app and CrashPlan web app
  • Cannot change settings
  • Cannot read or write information outside their organization
Executive users who need statistics, but not technical details, about their organization (not the entire Code42 environment)
PROe User

Administrative

  • Sign in to the administration console

End user

  • None
  • Cannot access other information or functions of CrashPlan PROe
End users in your organization
Push Restore

Administrative

  • Restore files from the administration console
  • View files within backup archives

End user

  • None
  • No read or write access to any user, organization, or device
Help desk staff who will assist others with restoring data. Assign in conjunction with a role that has access to the CrashPlan web app.
Remote File Selection

Administrative

  • View files within backup archives

End user

  • None
  • No read or write access to any user, organization, or device
Help desk staff who will monitor backups. Assign in conjunction with a role that has access to the CrashPlan web app.
Server Administrator

Administrative

  • Read and write information for users, computers, and organizations for your entire Code42 environment
  • Edit all all system information and settings (except tasks reserved for system administrator)

End user

  • Perform personal backups from the CrashPlan app and CrashPlan web app

Cannot perform tasks reserved for system administrator, such as editing the local administrator account password

 

IT staff who need administrative privileges for the Code42 environment

SYSADMIN

Administrative

  • Default role for the local administrator account
  • "Root-level" access
  • Read and write all information for all users, organizations, and settings
  • Grant and revoke SYSADMIN role for other users

End user

  • None

Grant with caution! The roles Server Administrator or All Org Admin may be more appropriate.

LDAP

For LDAP information please see the dedicated LDAP page.

Radius

Radius Server Setup

Item Description
a Server Name Your RADIUS server's name as it is displayed in the administration console
b Address Hostname or IP address and port of your RADIUS server
c Shared Secret Your RADIUS server's shared secret
d Attributes RADIUS attributes used to authenticate users
e Timeout seconds Timeout period for all RADIUS requests

Single Sign-On

When Single Sign-On (SSO) is enabled in your master server, your Code42 environment delegates all authentication and authorization to the organization's Identity Provider for a single source of trust. You are able to centrally control all authentication - users never enter a password into the CrashPlan app or the administration console. Authentication and authorization is delegated (redirected) to an Identity Provider, where the login is performed.

The following are required in order to use the SSO feature:

  • External SAML 2.0 based authentication server (Identity Provider), such as Shibboleth or CAS. This is not provided by CrashPlan PROe.
  • Administrative access to the Identity Provider to configure connection to the master server.
  • Customized PROe Client installer with SSO configured in custom.properties.

Considerations

  • SSO currently does not handle logout (single sign-off). Thus, if a user logs out of the Code42 environment, the master server does not notify other service providers, and vice-versa.
  • There is no control available in the administration console or the CrashPlan app to sign out of the SSO system. To force a user to sign out of the SSO identity provider, clear the ldp.c42 cookie from the web browser used to log in.
  • LDAP supports automated user management with the "Active Script", "Org Name Script" and "Role Name Script." However, SSO does not support custom scripts.
  • Multiple identity providers in the same environment are not supported.
  • SSO authentication may fail if the master server does not have a valid SSL certificate. If a self-signed certificate does not work, a certificate from an official Certificate Authority (CA) is required.
  • Your master server validates the SSL certificate of your SSO identity provider. If your identity provider's digital certificate does not contain the signature of a trusted Certificate Authority, validation may fail. To resolve this, install a CA-signed digital certificate on the identity provider.
  • The CrashPlan mobile apps on all platforms do not support SSO at this time.
  • SSO supports the use of the “auto register” option during CrashPlan app installation, using the value '${deferred}' for the password property in the custom installer. However, unlike the case with LDAP, the Code42 environment is not able to verify the user at the time of installation. Instead, the new user is allowed to back up immediately, without authenticating. However, users are not able to sign in to the CrashPlan app or restore unless they have a valid SSO account. If the password property is not set to deferred, the user is prompted to sign in upon first usage, as with LDAP.
  • The following warning message (found in logs on your master server) is normal: “Not syncing SSO metadata at this moment due to rate limiting." Rate limiting prevents syncing with your identity provider more than once per minute.
  • The Code42 environment supports SP (service provider)-initiated SSO. The Code42 environment does not support IdP (identity provider)-initiated SSO at this time. The user agent (either the CrashPlan app or the CrashPlan web app) initiates a session by accessing the enterprise server (acting as the SP), which then issues a SAML 2.0 AuthnRequest for the user to be delivered to the IdP.
  • In the IdP metadata file, the Code42 environment supports HTTP-POST (but not HTTP-REDIRECT).  You must enable HTTP POST bindings in the IdP metadata.

If any of the caveats above are not acceptable, we recommend using LDAP or Radius for authentication and authorization instead of SSO.

Single Sign On Enabled

Item Description
a Enable Enable or disable single sign-on. Additional configuration fields are only presented when SSO is enabled.
b Identify provider name Name of your organization's SSO identity provider. This is a descriptive label and the text entered here is displayed to the user on the sign-in screen of the CrashPlan app and administration console.
c Identify provider metadata (URL) URL to the ldP's metadata file. This location is specific to your SSO environment. The master server must be able to access this URL.
d Service provider metadata Once a valid path to the identity provider metadata file has been entered, a link to the enterprise server's service provider metadata file is provided. The data contained at this URL must be used to configure your identity provider so your identity provider is able to accept auth requests from your Code42 environment. You can either configure SAML to use the presented URL or you can include the metadata file in your SAML configuration.
e SSL certificate Link to Settings > Security > Keys. You must have a valid, CA-signed SSL certificate installed both on the master server and your Identity Provider in order to successfully configure your Code42 environment to use SSO.

Storage Server Security Settings 

Reference guide to the security settings for a storage server. 

Storage Server Security Settings

Item  Description 
a Require SSL to access console

Enable this box to force all web requests to use SSL. If enabled, also configure Website protocol, host and port at Settings > Server to use https and port 4285.

b Keystore

Java keystore that contains your key materials.

c Import Keystore

Import your own SSL keystore into this enterprise server. The imported keystore will replace any previously installed SSL certificate. The enterprise server comes with a self-signed SSL certificate. The keystore is stored within the enterprise server's embedded database.

d Export Keystore 

Export the currently installed SSL keystore to a file.

e Reset Keystore

Delete existing keystore and randomly generate a new SSL keystore.