...
...
...
...
...
...
...
These software is also needed:
- Docker CE >=19.03.2
- Docker-compose >= 1.24.1
- Java Runtime Environment >=8
- Openssl >= 1.0.2
- Unzip
- GNU tar
...
We also recommend using the target installation hosts exclusively for Kiuwan services. If you plan running other containers than Kiuwan's in a single-host installation, please make sure that non of them is using the following network:
172.172.0.0/16
Needed internet connections
Please make sure your host machines have connection to this servers when installing Kiuwan on premises:
Host | Needed when | Purpose |
---|---|---|
https://hub.docker.com | Installing | This is the main Docker server where the needed images will be pulled from. |
https://static.kiuwan.com | Installing | This is Kiuwan's static content server, needed by the installer to download needed resources. |
https://api.kiuwan.com | You own a Kiuwan on premises Insights license, both for installing and running | This is Kiuwan's central API endpoint, needed to update Insights vulnerabilities database. |
CPU and memory minimum requirements
The following table shows the minimum requirements for each service. Note that these are only minimum requirements. You should take care of giving each service enough resources depending on your system demands.
Service | Memory | CPU cores |
---|---|---|
wildfly-f[n] | 2GB | 2 cores |
wildfly-a[n] | 2GB | 2 cores |
wildfly-s[n] | 2GB | 2 cores |
mysql | 5GB | 4 cores |
loadbalancer | 1GB | 1 core |
redis_0000[n] | 2GB | 2 cores |
Note: CPU clock speed and disk speed will affect overal response time.
With the configuration above a system with the following load should give continuous service without problems:
- Parallel processing of 2 analyses (any additional parallel analysis request will be enqueued, and it will be executed as soon as any of the running analyses finishes)
- 50 concurrent web users or REST API calls.
Given the table above, for a single-host installation where no service is externalized the minimum system requirements are:
- 14GB of RAM and a processor with 8 cores for Kiuwan on premises.
It is recommended that you overscale these characteristics for the OS to have resources available for itself.
The Kiuwan on premise installation tool (kiuwan-cluster)
Kiuwan on premise installation process is carried out by our "kiuwan-cluster" tool.
The tool is provided as a tar.gz file. The following table summarizes the resources you will find once the tool distribution is extracted:
Resource | Purpose |
---|---|
/config/volumes.properties | Configuration file to set where your persistent volumes will reside. |
/docker/*.sh | Advanced shell scripts to interact with your Kiuwan on premise installation. |
/logs | The folder where the tool will write installation logs. |
/ssl | Tools that ease the certificate creation to keep Kiuwan on premise under a secure environment. |
/user-content | The folder where you will have to put some resources the installation process will need. |
/volumes | The base persistent volumes (that may be copied to different locations depending on your installation needs). |
*.sh | Main shell scripts to interact with your Kiuwan on premise installation. |
The following sections will guide you through the installation process.
Installation: common steps
This guide will reference two important folders:
- [INSTALL_DIR]: where the installation tool (kiuwan-cluster) will be located.
- [VOLUMES_DIR]: where the persistent volumen will be located.
Sometimes this folders will be referenced inside command line examples. Please make sure you replace any of them with the needed real path.
Note that it is up to you where this folders will be located.
Step 1: download kiuwan-cluster
The first step is to download kiuwan-cluster, the Kiuwan on premises installation tool. It can be downloaded directly from a terminal like this:
Code Block | ||
---|---|---|
| ||
wget https://static.kiuwan.com/download/onpremise/kiuwan-cluster.tar.gz |
This will download to the current directory the latest available installation tool.
Step 2: untar kiuwan-cluster
Once downloaded you should untar the provided gz file:
Code Block | ||
---|---|---|
| ||
tar xvzpf kiuwan-cluster_master.tar.gz |
This will untar the installation tool to a folder with extended version information of the tool. For example:
/home/user/kiuwan-cluster_master.XXXX-2.8.YYMM.V
This folder will be referred to as [INSTALL_DIR] through this guide.
Step 3: copy license files
In order to be able to start a Kiuwan on premises installation, you will need two license files:
- configq1.zip
- license.zip
Copy these files to the user-content folder of your installation tool directory (please replace [INSTALL_DIR] with the real location of your installation directory):
Code Block | ||
---|---|---|
| ||
cp configq1.zip [INSTALL_DIR]/user-content
cp configq1.zip [INSTALL_DIR]/user-content |
Step 4: download and copy the needed driver version for MySQL
Kiuwan on premise needs this exact MySQL driver:
mysql-connector-java-5.1.39-bin.jar
You can download it by executing this command:
Code Block | ||
---|---|---|
| ||
wget http://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-5.1.39.tar.gz |
Copy the downloaded jar file to the user content folder:
Code Block | ||
---|---|---|
| ||
cp mysql-connector-java-5.1.39.tar.gz [INSTALL_DIR]/user-content |
Step 5: initialize your volumes
The installation tool comes with the base volumes to boot a first installation of Kiuwan on premises. We provide three volumes:
- config-shared: contains the base configuration, shared between different services.
- data-shared: contains the base data structure, shared between different services.
- data-local: contains the base data structure, independent for each service.
Copy the provided volumes to a location of your desire:
Code Block | ||
---|---|---|
| ||
sudo cp -rp [INSTALL_DIR]/volumes/config-shared [VOLUMES_DIR]/config-shared
sudo cp -rp [INSTALL_DIR]/volumes/data-shared [VOLUMES_DIR]/data-shared
sudo cp -rp [INSTALL_DIR]/volumes/data-local [VOLUMES_DIR]/data-local |
Take note of the locations you choose for each volume. You will need these paths for the next installation step.
Step 6: configure the created volume paths
Edit the file located in [INSTALL_DIR]/config/volumes.properties and set the previous paths to each property:
Code Block | ||
---|---|---|
| ||
config.shared=[VOLUMES_DIR]/config-shared
data.shared=[VOLUMES_DIR]/data-shared
data.local=[VOLUMES_DIR]/data-local |
Please remember that [VOLUMES_DIR] here is just a placeholder for the real path you chose.
Step 7: configure your email server
Kiuwan needs an working and accessible e-mail server to send notifications.
Edit with your favourite editor the main configuration file, found in your [VOLUMES_DIR]:
Code Block |
---|
sudo vim [VOLUMES_DIR]/config-shared/globalConfig.properties |
Note that this is the file located in your [VOLUMES_DIR], not in the [INSTALLER_DIR], which only contains the base volumes.
Edit the following properties under the section named "Kiuwan instances shared configuration":
kiuwan.mail.host: the host of your email server.
kiuwan.mail.port: the port of your email server.
kiuwan.mail.username: the username to use when authenticating with your email server.
kiuwan.mail.password: the password to use when authenticating with your email server.
kiuwan.mail.from: the email account to use as the sender.
- kiuwan.default.mail.account: the email account to set to your default Kiuwan user.
Installation: single-host and minimum configuration
Follow this section if you want to proceed and install Kiuwan on premise with no further customization.
The defaults will install Kiuwan on premise with these characteristics:
- Single-host installation, including this services (see System architecture for more details):
- loadbalancer
- 1 kiuwan front instance
- 1 kiuwan analyzer instance
- 1 kiuwan scheduler instance
- mysql
- redis
- HTTPS support when accessing Kiuwan and between the loadbalancer and kiuwan instances.
- Kiuwan on premises deployed in the default domain (https://kiuwan.onpremise.local).
If this is enough for you, just continue with the following steps.
Step 1: deploy user content
On a terminal, navigate to the [INSTALL_DIR] folder and execute this command:
Code Block | ||
---|---|---|
| ||
sudo ./deploy-user-content.sh |
This will copy the user-content files to the configured volumes and set the needed permissions.
Step 2: install Kiuwan on premises
On a terminal, navigate to the [INSTALL_DIR] folder and execute this command:
Code Block | ||
---|---|---|
| ||
sudo ./install.sh |
This will:
- Download and run the needed Docker images.
- Install the database resources for Kiuwan on premises.
- Download the latest available Local Analyzer, Engine and Kiuwan for Developers to make them available in your installation.
- Install the engine data in your Kiuwan on premises database.
- Autogenerate the needed configuration for each kiuwan instance.
- Run all the needed containers.
Once the installation is finisished please refere to the Installation guide section.
Installation: advanced configuration
Installation: externalizing services
Installation: clustered environments
Accessing your Kiuwan on premises installation
To access your Kiuwan on premises installation you should take into account whether the selected domain is available in the DNSs your local network may use.
In order to access Kiuwan you will need to do one of the following options:
- Add kiuwan.onpremise.local to your DNS (recommended option).
- Add kiuwan.onpremise.local to your hosts file.
For testing purposes or if you choose the second option, edit this file in the host where you plan to access Kiuwan from:
- Windows OS: C:\Windows\System32\drivers\etc\hosts
- Linux OS: /etc/hosts
Add the following entry to the previous file:
Code Block |
---|
[kiuwan_on_premise_host_ip] [kiuwan_on_premise_host] |
For example, the previous entry may look like this for an installation pointing to the default host (note that the IP of the example may change in your local network):
Code Block |
---|
192.168.0.56 kiuwan.onpremise.local |
Once the previous steps have been done, you should be able to access Kiuwan on premises entering your Kiuwan host in your browser:
Handling trusted certificates warning messages in your browser and clients
Kiuwan on premises installer tool provides default certificates for the default host name, signed by a supplied CA (Certificate Authority).
The CA public certificate is provided in this file:
- [INSTALL_DIR]/ssl/ca/cacert.pem
In order to make your browser trust the supplied certificates, you will need to add this CA to your browser, and Java clients that access your Kiuwan on premises installation:
- Fixefox, Chrome, Edge: import cacert.pem by using the tools provided by the browsers.
- Java clients (Kiuwan for developers Eclipse, Kiuwan for developers JetBrains, Jenkins, KLA, etc): add the provided cacert.pem to the JRE keystore used by the client. Please refer to the official documentation of your JRE distribution about the Java keytool program.
- Windows clients (Kiuwan for developers VisualStudio): import cacert.pem by using the tools provided by Windows (certmgr.msc).
- Multiplatform clients (Kiuwan for developers VisualStudioCode): import cacert.pem by using the tools provided by your OS.
For more details on this topic, please refer to XXXXXXXXXX.
Default users
...