This guide covers most of the advanced installation procedures that you may need to implement.
Modifying the default domain
The default configuration sets "kiuwan.onpremise.local" as the default domain to access Kiuwan On-Premises.
We encourage you to change the default domain, but take into account that this means updating the provided certificates to keep your installation's connections secure.
Step 1: edit the global configuration file
Using your preferred editor, open the default configuration file located in your config-shared volume:
sudo vim [VOLUMES_DIR]/config-shared/globalConfig/globalConfig.properties
Edit these properties (kiuwan.port is only needed if you want to use https under a different port than the default 443):
- kiuwan.domain
- kiuwan.port
Step 2: update load balancer configuration
Once you have selected your new domain and if you are using the provided Apache load balancer, you should edit the main Apache configuration file:
sudo vim [VOLUMES_DIR]/config-shared/ApacheLoadBalancer/conf/httpd.conf
Edit this line and change the default domain (kiuwan.onpremise.local) to your new domain:
Define kiuwanDomain kiuwan.onpremise.local
If you have externalized the provided Apache load balancer, you should edit the equivalent configuration file to set the new domain.
Step 3: generate new certificates
Please refer to the Managing certificates guide and follow the needed steps depending on your needs.
Once this is done, you should have these files under the [INSTALLER_DIR]/user-content/certs folder:
- cacert.pem
- domainkey.pem
- domaincert.pem
- domainkeystore.jks
- truststore.jks
Step 4: complete your installation
If you are performing a new Kiuwan On-Premises installation, please refer to the steps indicated in the following sections, depending on your installation needs:
If you have already installed Kiuwan On-Premises, you will need to stop your containers, update the deployed configuration and restart them. To do so, execute these commands:
cd [INSTALLER_DIR]
sudo ./stop-all.sh
cd [INSTALLER_DIR]/docker
sudo ./update.sh
cd [INSTALLER_DIR]
sudo ./start-all.sh
Step 5: update your DNS or hosts files
If you are modifying an existing Kiuwan On-Premises installation, you will need to update your DNS or hosts files.
Note that if you have generated new certificates signed by a different CA than the one that signed the previous ones, you should update the certificates or truststores of your Kiuwan On-Premises clients.
Please refer to Accessing your Kiuwan On-Premises installation for details on these topics.
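A check for the procedure above, as an added example that is not part of the Kiuwan installer: it confirms that globalConfig.properties, httpd.conf and the new certificate all name the same domain before the containers are restarted. The function names and the kiuwan.example.test domain are constructed for illustration, and check_cert assumes cacert.pem contains the whole issuing chain.

```shell
#!/bin/sh
# Added example: after a domain change, confirm that globalConfig.properties,
# httpd.conf and the new certificate all name the same host.

# Value of kiuwan.domain in the properties file (last assignment wins).
props_domain() {
  awk -F= '$1 ~ /^[ \t]*kiuwan\.domain[ \t]*$/ {
             v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v) }
           END { print v }' "$1"
}

# Value of the "Define kiuwanDomain ..." line in the Apache httpd.conf.
httpd_domain() {
  awk '$1 == "Define" && $2 == "kiuwanDomain" { d = $3 } END { print d }' "$1"
}

# check_domain PROPS HTTPD: succeed only if both files name the same domain.
check_domain() {
  p=$(props_domain "$1"); h=$(httpd_domain "$2")
  [ -n "$p" ] && [ "$p" = "$h" ] && return 0
  echo "MISMATCH properties='$p' httpd.conf='$h'"; return 1
}

# check_cert CERTS_DIR DOMAIN: domaincert.pem must cover DOMAIN and chain to
# cacert.pem (assumption: cacert.pem contains the whole issuing chain).
check_cert() {
  openssl x509 -in "$1/domaincert.pem" -noout -checkhost "$2" |
    grep -q 'does match' || { echo "CERT does not cover $2"; return 1; }
  openssl verify -CAfile "$1/cacert.pem" "$1/domaincert.pem" >/dev/null 2>&1 ||
    { echo "CERT does not chain to cacert.pem"; return 1; }
}

# Constructed sample: the properties file was updated, httpd.conf was not.
tmp=$(mktemp -d)
printf 'kiuwan.domain=kiuwan.example.test\n' > "$tmp/globalConfig.properties"
printf 'Define kiuwanDomain kiuwan.onpremise.local\n' > "$tmp/httpd.conf"
check_domain "$tmp/globalConfig.properties" "$tmp/httpd.conf" ||
  echo "update httpd.conf before restarting the containers"
rm -rf "$tmp"
```

On a real installation, pass the two configuration files from [VOLUMES_DIR]/config-shared to check_domain and [INSTALLER_DIR]/user-content/certs to check_cert.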
Modifying access protocols
Changing exposed ports
Externalizing services
Kiuwan On-Premises uses three main services under its infrastructure's hood:
- Apache: used as a load balancer when multiple Kiuwan frontal instances are running.
- Redis: an in-memory cache to speed up response times.
- MySQL: Kiuwan's main database.
If you want to use your own services for any of the previous ones, Kiuwan On-Premises can connect to them by bypassing their creation at installation time.
Configuring services to externalize
First of all, you will need to edit the main configuration file and mark which services you want to externalize:
- [VOLUMES_DIR]/config-shared/globalConfig/globalConfig.properties
This table shows the properties you should modify when externalizing each service:
Service | Property | Default value |
---|---|---|
Apache | kiuwan.externalize.apacheloadbalancer | false |
Redis | kiuwan.externalize.redis.[cache|storage] | false |
MySQL | kiuwan.externalize.mysql | false |
When any of the previous properties is set to "true", the corresponding service will be externalized and the installation tool will not manage any related instance. Note that all the configuration of that service will be up to you, as the Kiuwan On-Premises installer will only be able to configure how Kiuwan On-Premises connects to your own services.
Externalizing Apache
When externalizing this service you should take into account that:
- Each Kiuwan On-Premises frontal instance domain name is wildflykiuwan-f[n], [n] being the frontal instance number. Note that depending on your installation needs you may want to access each instance via IP or its own host name.
- Each Kiuwan On-Premises frontal instance only exposes one port for https/http/ajp traffic. By default, port 8[n]43 is exposed, [n] being the frontal instance number. If you need to change the exposed ports, refer to Changing exposed ports for more information.
- If you are accessing through the https scheme, you should provide your frontal service with the certificates needed to make https connections available (please refer to Managing certificates for more information):
  - domaincert.pem
  - domainkey.pem
  - cacert.pem
Externalizing Redis
For Kiuwan On-Premises to work with your Redis installation, it must comply with these characteristics:
- Redis version must be equal to or higher than 5.0.4.
- Redis must be configured as a cluster.
- Eviction policy must be set to "noeviction" (refer to Redis official documentation, maxmemory-policy configuration property).
In case you set Redis as an external service, Kiuwan On-Premises needs to know where the Redis nodes are deployed and which ports to use when connecting to them.
In case you use a special DNS that can resolve the same host to different hosts and ports (DNS Round-Robin or equivalent), you should configure just a single host in the "redis.[cache|store].nodes" properties.
All the needed configuration is located in the main configuration file:
- [VOLUMES_DIR]/config-shared/globalConfig/globalConfig.properties
The following table shows the properties to configure (note that you should set exactly the same configuration for both "cache" and "store" Redis configurations):
Property | Meaning | Example |
---|---|---|
redis.[cache|store].nodes | Comma separated list of host and port for each Redis node | rn1.mydomain.com:6379,rn2.mydomain.com:6379,rn3.mydomain.com:6379,rn4.mydomain.com:6379,rn5.mydomain.com:6379,rn6.mydomain.com:6379 |
redis.[cache|store].timeout | Connection timeout in milliseconds | 2000 |
redis.[cache|store].password | Password to use when connecting to a node (leave empty if you have set no password access) | |
redis.[cache|store].clientName | Name of the client connection (defaults to empty) | |
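The three Redis requirements listed above can be checked node by node from the output of `redis-cli INFO`. The following is an added example, not part of Kiuwan's tooling; the function name and the sample INFO text are constructed.

```shell
#!/bin/sh
# Added example: check one node's `redis-cli INFO` output against the three
# requirements above (version >= 5.0.4, cluster mode, noeviction policy).

# check_redis_info: reads INFO text on stdin, prints one FAIL line per unmet
# requirement and returns non-zero if any requirement is unmet.
check_redis_info() {
  tr -d '\r' | awk -F: '
    $1 == "redis_version"    { version = $2 }
    $1 == "cluster_enabled"  { cluster = $2 }
    $1 == "maxmemory_policy" { policy = $2 }
    END {
      # Compare the version with 5.0.4 numerically, component by component.
      split(version, v, "[.]"); split("5.0.4", need, "[.]"); cmp = 0
      for (i = 1; i <= 3 && cmp == 0; i++) {
        if (v[i] + 0 < need[i] + 0) cmp = -1
        else if (v[i] + 0 > need[i] + 0) cmp = 1
      }
      if (version == "" || cmp < 0) {
        print "FAIL redis_version=" version " (need >= 5.0.4)"; bad = 1 }
      if (cluster != "1") {
        print "FAIL cluster_enabled=" cluster " (need 1)"; bad = 1 }
      if (policy != "noeviction") {
        print "FAIL maxmemory_policy=" policy " (need noeviction)"; bad = 1 }
      exit bad + 0
    }'
}

# Constructed INFO excerpt: a standalone 4.x node with an LRU eviction policy.
SAMPLE='# Server
redis_version:4.0.14
# Memory
maxmemory_policy:allkeys-lru
# Cluster
cluster_enabled:0'
printf '%s\n' "$SAMPLE" | check_redis_info || echo "node rejected"

# Against a live node (host taken from the example table above):
#   redis-cli -h rn1.mydomain.com -p 6379 INFO | check_redis_info
```

Run it against every node listed in the nodes property, since each node reports its own version and eviction policy.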
Externalizing MySQL
When externalizing MySQL note that your MySQL installation should comply with these characteristics:
- MySQL version 5.7
- Maximum number of connections: 130 per Kiuwan On-Premises instance.
Step 1: create Kiuwan On-Premises schemas
You should create the needed schemas in your MySQL installation. To do so, please execute this script with a user that has schema creation privileges:
create database opt_activity CHARACTER SET utf8 COLLATE utf8_unicode_ci;
create database opt_cinc CHARACTER SET utf8 COLLATE utf8_unicode_ci;
create database opt_metamodel CHARACTER SET utf8 COLLATE utf8_unicode_ci;
create database opt_qmm CHARACTER SET utf8 COLLATE utf8_unicode_ci;
create database opt_transaction CHARACTER SET utf8 COLLATE utf8_unicode_ci;
create database opt_insight CHARACTER SET utf8 COLLATE utf8_unicode_ci;
Step 2: create Kiuwan On-Premises user
You should create the user that will be connecting to Kiuwan On-Premises schemas. Please run this script as an admin user to do so:
create user '[USER]'@'%' identified by '[PASSWORD]';
grant all privileges on `opt_%`.* to '[USER]'@'%' identified by '[PASSWORD]';
flush privileges;
Note that you should replace [USER] with the desired user name and [PASSWORD] with the desired password.
Step 3: configure your installation
The following table shows the properties to configure for Kiuwan On-Premises to connect to your own MySQL instance:
Property | Meaning | Example |
---|---|---|
mysql.host | Your MySQL installation host | mysqlkiuwan |
mysql.port | The connection port to access your MySQL installation | 3306 |
mysql.username | The user that will be connecting to Kiuwan On-Premises schemas (should match the one provided in the previous step) | csaas |
mysql.password | The user's password (should match the one provided in the previous step) | |
Using Amazon S3 as file repository
Kiuwan On-Premises uses these shared file repositories to store analysis related data:
- kiuwanCentralRepository: stores analysis results files.
- kiuwanSourceCodeRepository: stores source code.
These two Kiuwan On-Premises internal file repositories can be replaced with Amazon S3 buckets.
To do so, you should first configure these properties in the main configuration file ([VOLUMES_DIR]/config-shared/globalConfig/globalConfig.properties):
- centralFileRepository.type=s3
- sourceCodeFileRepository.type=s3
The following table shows the properties you should modify when making Kiuwan On-Premises connect to AWS S3 buckets:
Property | Meaning | Example |
---|---|---|
s3.privateBucket.bucketName | Your AWS S3 bucket name | s3mycompany-us |
s3.privateBucket.subDirectoryName | Your AWS S3 subdirectory name under the configured bucket | mydirectory |
s3.privateBucket.accessKeyId | AWS access key for your bucket | BS3BX35Z27UAQCEACTPQ |
s3.privateBucket.secretKeyId | AWS secret key for your bucket | Aasdfjklwe1234123lkjfasc21ssACasfEq124Da |
s3.dir.centralFileRepository | The main key prefix that will be used to keep the central file repository entries | kiuwanCentralWorkingDirectory/analysisData |
s3.dir.sourceCodeFileRepository | The main key prefix that will be used to keep the source code file repository entries | kiuwanCentralWorkingDirectory/analyzedSourceCode |
Advanced configuration reference
All the configuration properties you can edit are in this file, located inside your data-shared volume:
- [VOLUMES_DIR]/config-shared/globalConfig/globalConfig.properties
Here is a complete list of the properties you can configure and their meaning (default passwords are omitted):
Property | Default value | Meaning |
---|---|---|
Access configuration | ||
kiuwan.protocol | https | Kiuwan default access protocol |
kiuwan.domain | kiuwan.onpremise.local | Kiuwan default domain |
kiuwan.port | 443 | Kiuwan default access port |
Mailing configuration | ||
kiuwan.mail.host | | Email server host |
kiuwan.mail.port | | Email server port |
kiuwan.mail.username | | Email server username |
kiuwan.mail.password | | Email server password |
kiuwan.mail.from | | Email account you want Kiuwan to use when sending emails |
kiuwan.default.mail.account | | Email account to set to the built-in Kiuwan users |
Kiuwan instances shared configuration | ||
timezone | Europe/Madrid | Kiuwan servers timezone. Please refer to Supported timezones page for a complete list of supported time zones. |
Kiuwan front instances configuration | ||
kiuwan.nodes.front.max.memory | 1024m | Max memory to set to front instances |
session.timeout | 3600 | Time a session can be inactive before it is closed (in seconds) |
session.secure | false | Use the secure attribute of the session cookie |
session.httponly | false | Use the httponly attribute of the session cookie |
Kiuwan analyzer instances configuration | ||
kiuwan.nodes.analyzers.max.memory | 1024m | Max memory to set to analyzer instances |
queues.reportsGeneratedQueueSize | 2 | Number of slots enabled for analysis processing |
Kiuwan scheduler instances configuration | ||
kiuwan.nodes.schedulers.max.memory | 1024m | Max memory to set to front instances |
Kiuwan file repositories configuration | ||
centralFileRepository.type | filesystem | Central file repository storage type [filesystem|s3] |
sourceCodeFileRepository.type | filesystem | Source code repository storage type [filesystem|s3] |
Amazon S3 bucket configuration (only applies when using AWS S3 type repositories) | ||
s3.privateBucket.bucketName | | S3 bucket name |
s3.privateBucket.subDirectoryName | | S3 subdirectory name |
s3.privateBucket.accessKeyId | | Access key id |
s3.privateBucket.secretKeyId | | Secret key id |
s3.dir.centralFileRepository | | Central file repository directory |
s3.dir.sourceCodeFileRepository | | Source code file repository directory |
MySQL configuration | ||
mysql.host | mysqlkiuwan | MySQL server host |
mysql.port | 3306 | MySQL server port |
mysql.username | csaas | MySQL server username |
mysql.password | | MySQL server password |
mysql.config.useSSL | false | Enable or disable the use of encryption when connecting to MySQL |
mysql.config.requireSSL | false | Force the use of encryption when connecting to MySQL |
mysql.config.verifyServerCertificate | false | Force the validation of the certificate served by MySQL |
Redis Cluster cache and store configuration | ||
redis.[cache|store].nodes | redis_0000[1-6]:6379 | Redis nodes hosts (use the provided single host name when using elasticache) |
redis.[cache|store].timeout | 2000 | Redis connection timeout |
redis.[cache|store].password | | Redis password |
redis.[cache|store].clientName | | Redis client name |
SSL configuration | ||
java.keystore.password | | Java keystore password. This must be aligned with the generated keystore password (in case you change the default Kiuwan host name) |
java.truststore.password | | Java truststore password. This must be aligned with the generated truststore password (in case you change the default Kiuwan host name) |
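Several security-related properties in the table above default to false (session.secure, session.httponly and the mysql.config.* encryption options), and the same file stores passwords and AWS keys. The following shell audit is an added example, not part of the Kiuwan installer; it assumes plain key=value lines, and the function names and the choice to check MySQL encryption only when kiuwan.externalize.mysql is true are this example's own.

```shell
# Added example: flag the weaker security settings in globalConfig.properties.
# Assumes plain key=value lines; function names are this example's own.

# prop FILE KEY: print KEY's value (last assignment wins, comments skipped).
prop() {
  awk -v k="$2" '
    /^[ \t]*[#!]/ { next }
    { sub(/\r$/, ""); i = index($0, "="); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) v = val }
    END { print v }' "$1"
}

warn() { echo "WARN $*"; rc=1; }

# audit_config FILE: print one WARN line per finding, return 1 if any.
audit_config() {
  f=$1; rc=0
  [ "$(prop "$f" session.httponly)" = "true" ] ||
    warn "session.httponly is not true: page scripts can read the session cookie"
  # https is the documented default, so only an explicit http skips this check.
  if [ "$(prop "$f" kiuwan.protocol)" != "http" ] &&
     [ "$(prop "$f" session.secure)" != "true" ]; then
    warn "session.secure is not true: the session cookie is not limited to https"
  fi
  # Choice made for this example: check TLS only when MySQL is externalized.
  if [ "$(prop "$f" kiuwan.externalize.mysql)" = "true" ]; then
    for k in useSSL requireSSL verifyServerCertificate; do
      [ "$(prop "$f" "mysql.config.$k")" = "true" ] ||
        warn "mysql.config.$k is not true for an externalized MySQL"
    done
  fi
  # The file holds passwords and AWS keys, so it should not be world-readable.
  [ -z "$(find "$f" -perm -004)" ] || warn "$f is readable by every local user"
  return "$rc"
}

# Constructed sample: documented defaults plus an externalized MySQL.
sample=$(mktemp); chmod 600 "$sample"
cat > "$sample" <<'EOF'
session.secure=false
session.httponly=false
kiuwan.externalize.mysql=true
mysql.config.useSSL=true
mysql.config.requireSSL=false
mysql.config.verifyServerCertificate=false
EOF
audit_config "$sample" || echo "review the WARN lines above"; rm -f "$sample"
```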