The following software is also needed:
- Docker CE >=19.03.2
- Docker-compose >= 1.24.1
- Unzip
- GNU tar
- Java Runtime Environment >=8 (needed to generate keystores for custom hosts).
- Openssl >= 1.1.1 (needed to generate certificates for custom hosts).
Needed internet connections
Please make sure your host machines can reach these servers when installing Kiuwan on Premises:

Host | Needed when | Purpose
--- | --- | ---
https://hub.docker.com | Installing | Main Docker registry from which the needed images are pulled.
https://static.kiuwan.com | Installing | Kiuwan's static content server, used by the installer to download the needed resources.
https://api.kiuwan.com | Installing and running, if you own a Kiuwan on Premises Insights license | Kiuwan's central API endpoint, needed to update the Insights vulnerabilities database.
CPU and memory minimum requirements
The following table shows the minimum requirements for each service. Note that these are only minimum requirements. You should take care of giving each service enough resources depending on your system demands.
We also recommend using the target installation hosts exclusively for Kiuwan services. If you plan on running containers other than Kiuwan's in a single-host installation, please make sure that none of them use the following network:
Copy the connector jar file to the user content folder:
Step 5: initialize your volumes
The installation tool comes with the base volumes to boot a first installation of Kiuwan on premises. We provide three volumes:
- config-shared: contains the base configuration, shared between different services.
- data-shared: contains the base data structure, shared between different services.
- data-local: contains the base data structure, independent for each service.
Copy the provided volumes to your desired location:
```bash
sudo cp -rp [INSTALL_DIR]/volumes/config-shared [VOLUMES_DIR]/config-shared
sudo cp -rp [INSTALL_DIR]/volumes/data-shared [VOLUMES_DIR]/data-shared
sudo cp -rp [INSTALL_DIR]/volumes/data-local [VOLUMES_DIR]/data-local
```

Info: take note of the locations you choose for each volume. You will need these paths for the next installation step.
Step 6: configure the created volume paths
Edit the file [INSTALL_DIR]/config/volumes.properties and set each property to the path you chose for that volume in the previous step:

```properties
data.local=[VOLUMES_DIR]/data-local
```
Please remember that [VOLUMES_DIR] here is just a placeholder for the real path you chose.
Step 7: configure your email server
Kiuwan needs a working and accessible e-mail server to send notifications.
Edit with your preferred editor the main configuration file, found in your [VOLUMES_DIR] (see the path given under Installation: advanced configuration):
Edit the following properties under the section named "Kiuwan instances shared configuration":
- kiuwan.mail.host: the host of your email server.
- kiuwan.mail.port: the port of your email server.
- kiuwan.mail.username: the username to use when authenticating with your email server.
- kiuwan.mail.password: the password to use when authenticating with your email server.
- kiuwan.mail.from: the email account to use as the sender.
- kiuwan.default.mail.account: the email account to set to your default Kiuwan user.
Installation: single-host and minimum configuration
Follow this section if you want to proceed and install Kiuwan on premise with no further customization.
The defaults will install Kiuwan on premise with these characteristics:
- Single-host installation, including these services (see System architecture for more details):
- Apache as a load balancer.
- A Kiuwan front instance.
- A Kiuwan analyzer instance.
- A Kiuwan scheduler instance.
- MySQL database.
- Redis cluster.
- HTTPS support when accessing Kiuwan and between the load balancer and the Kiuwan instances.
- Kiuwan on Premises deployed in the default domain (https://kiuwan.onpremise.local).
If this is enough for you, just continue with the following steps.
Step 1: deploy user content
On a terminal, navigate to the [INSTALL_DIR] folder and execute this command:
```bash
sudo ./deploy-user-content.sh
```
This will copy the user-content files to the configured volumes and set the needed permissions.
Step 2: install Kiuwan on premises
On a terminal, navigate to the [INSTALL_DIR] folder and execute this command:
```bash
sudo ./install.sh
```
This will:
- Download and run the needed Docker images.
- Install the database resources for Kiuwan on premises.
- Download the latest available Local Analyzer, Engine and Kiuwan for Developers to make them available in your installation.
- Install the engine data in your Kiuwan on Premises database.
- Autogenerate the needed configuration for each Kiuwan instance.
- Run all the needed containers.
Once the installation has finished, please refer to the Accessing your Kiuwan on Premises installation section.
Installation: advanced configuration
All configuration properties you can edit are located in this file inside your data-shared volume:
- [VOLUMES_DIR]/config-shared/globalConfig/globalConfig.properties
Here is a complete list of the properties you can configure and their meaning (default passwords are omitted; rows with an empty default have no preset value):

Property | Default value | Meaning
--- | --- | ---
Access configuration | |
kiuwan.protocol | https | Kiuwan default access protocol
kiuwan.domain | kiuwan.onpremise.local | Kiuwan default domain
kiuwan.port | 443 | Kiuwan default access port
Mailing configuration | |
kiuwan.mail.host | | Email server host
kiuwan.mail.port | | Email server port
kiuwan.mail.username | | Email server username
kiuwan.mail.password | | Email server password
kiuwan.mail.from | | Email account you want Kiuwan to use when sending emails
kiuwan.default.mail.account | | Email account to set to the built-in Kiuwan users
Kiuwan instances shared configuration | |
timezone | Europe/Madrid | Kiuwan servers timezone
Kiuwan front instances configuration | |
kiuwan.nodes.front.max.memory | 1024m | Max memory to set to front instances
session.timeout | 3600 | Time a session can be inactive before it is closed (in seconds)
session.secure | false | Use the secure attribute of the session cookie
session.httponly | false | Use the httponly attribute of the session cookie
Kiuwan analyzer instances configuration | |
kiuwan.nodes.analyzers.max.memory | 1024m | Max memory to set to analyzer instances
queues.reportsGeneratedQueueSize | 2 | Number of slots enabled for analysis processing
Kiuwan scheduler instances configuration | |
kiuwan.nodes.schedulers.max.memory | 1024m | Max memory to set to scheduler instances
Kiuwan file repositories configuration | |
centralFileRepository.type | filesystem | Central file repository storage type (filesystem or s3)
sourceCodeFileRepository.type | filesystem | Source code repository storage type (filesystem or s3)
Amazon S3 bucket configuration (only applies when using AWS S3 type repositories) | |
s3.privateBucket.bucketName | | S3 bucket name
s3.privateBucket.subDirectoryName | | S3 subdirectory name
s3.privateBucket.accessKeyId | | Access key id
s3.privateBucket.secretKeyId | | Secret key id
s3.dir.centralFileRepository | | Central file repository directory
s3.dir.sourceCodeFileRepository | | Source code file repository directory
MySQL configuration | |
mysql.host | mysqlkiuwan | MySQL server host
mysql.port | 3306 | MySQL server port
mysql.username | csaas | MySQL server username
mysql.password | | MySQL server password
mysql.config.useSSL | false | Enable or disable the use of encryption when connecting to MySQL
mysql.config.requireSSL | false | Force the use of encryption when connecting to MySQL
mysql.config.verifyServerCertificate | false | Force the validation of the certificate served by MySQL
Redis Cluster cache and store configuration (each property exists as redis.cache.* and redis.store.*) | |
redis.cache.nodes, redis.store.nodes | redis_0000[1-6]:6379 | Redis nodes hosts (use the provided single host name when using ElastiCache)
redis.cache.timeout, redis.store.timeout | 2000 | Redis connection timeout
redis.cache.password, redis.store.password | | Redis password
redis.cache.clientName, redis.store.clientName | | Redis client name
SSL configuration | |
java.keystore.password | | Java keystore password. This must be aligned with the generated keystore password (in case you change the default Kiuwan host name)
java.truststore.password | | Java truststore password. This must be aligned with the generated truststore password (in case you change the default Kiuwan host name)
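Several defaults in the table above (session.secure, session.httponly, mysql.config.useSSL, mysql.config.verifyServerCertificate) are the permissive setting, so it is worth checking the edited globalConfig.properties before running the installer. The script below is an added example, not part of the Kiuwan installer or this page: it parses a Java-style properties file (the same format used for the mail settings in Step 7) and reports the settings that are weaker than an HTTPS deployment warrants. The sample content is constructed from the table's defaults.

```python
"""Audit a Kiuwan globalConfig.properties for permissive session/DB settings (added example)."""
import re

# Constructed sample mirroring the defaults listed in the configuration table.
SAMPLE_PROPERTIES = """\
# Access configuration
kiuwan.protocol=https
kiuwan.domain=kiuwan.onpremise.local
kiuwan.port=443
# Kiuwan front instances configuration
session.timeout=3600
session.secure=false
session.httponly=false
# MySQL configuration
mysql.host=mysqlkiuwan
mysql.config.useSSL=false
mysql.config.requireSSL=false
mysql.config.verifyServerCertificate=false
"""


def parse_properties(text):
    """Minimal Java .properties parser: skips blanks and comments, splits on the first '=' or ':'."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props):
    """Return (property, finding) pairs for settings weaker than the deployment warrants."""
    def is_true(key):
        return props.get(key, "false").strip().lower() == "true"
    findings = []
    if props.get("kiuwan.protocol", "https").lower() == "https" and not is_true("session.secure"):
        findings.append(("session.secure", "session cookie may be sent over plain HTTP; set to true behind HTTPS"))
    if not is_true("session.httponly"):
        findings.append(("session.httponly", "session cookie readable by page scripts; set to true"))
    if not is_true("mysql.config.useSSL"):
        findings.append(("mysql.config.useSSL", "database traffic is unencrypted; enable it when MySQL is reachable over a network"))
    elif not is_true("mysql.config.verifyServerCertificate"):
        findings.append(("mysql.config.verifyServerCertificate", "TLS without certificate validation; enable it"))
    return findings


if __name__ == "__main__":
    for key, msg in audit(parse_properties(SAMPLE_PROPERTIES)):
        print(f"{key}: {msg}")
```

Point it at your real [VOLUMES_DIR] copy of globalConfig.properties by reading the file into parse_properties instead of the constructed sample.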
Accessing your Kiuwan on Premises installation
In order to access your Kiuwan on premises installation you should follow a few more steps.
Step 1: add your domain to your local network DNS
To access your Kiuwan on Premises installation you should check whether the selected domain can be resolved by the DNS servers your local network uses.
In order to access Kiuwan you will need to do one of the following:
- Add kiuwan.onpremise.local to your DNS (recommended option).
- Add kiuwan.onpremise.local to your hosts file.
For testing purposes or if you choose the second option, edit this file in the host where you plan to access Kiuwan from:
- Windows OS: C:\Windows\System32\drivers\etc\hosts
- Linux OS: /etc/hosts
Add the following entry to the previous file:
```
[kiuwan_on_premise_host_ip] [kiuwan_on_premise_host]
```

For example, the previous entry may look like this for an installation pointing to the default host (note that the IP of the example may change in your local network):

```
--- kiuwan.onpremise.local
```
Step 2: add your certificates' CA to your clients
Depending on whether you are using a trusted CA or not to sign your certificates, you may need to add the CA to your client's certificate store to avoid warning messages.
Please refer to the Adding the provided or a custom CA to Kiuwan on premise's clients section for a complete explanation on how to handle this depending on your installation configuration.
Step 3: wait for Kiuwan services to be started
Note that although the installation process may have finished, the Kiuwan servers may need some minutes to start up. Please wait if you receive a "404 - Not Found" error message when accessing Kiuwan on Premises.
Step 4: access Kiuwan on premises
Once the previous steps have been done, you should be able to access Kiuwan on Premises entering your Kiuwan host in your browser:
Default users