How do I deploy the Nanitor server?
This document describes the steps required to set up the Nanitor server on-premise. After the installation is complete you need to request a license key from the Nanitor sales team, quoting the Server Installation ID that the installer reports.
- A static IP address and a fully qualified domain name (FQDN) that resolves in your corporate DNS. Both are normally reserved and allocated by your network/system administrators. This guide uses nansrv-01.nanlab.nanitor.com as the example FQDN.
- An SMTP relay host through which the server can send outbound email.
- For SSL/TLS, a Certification Authority to sign the CSR the installer generates. This example uses Microsoft Certification Services; the procedure is similar with any other CA.
- A Nanitor customer portal username and password. On-premise customers are allocated one by the Nanitor sales team.
Nanitor Server is distributed as an OVA image, downloaded from the Nanitor customer portal with the on-premise username and password. Consult your system administrator on how to import the OVA into your hypervisor of choice, then boot the image.
- The OVA is configured with 2 GB of RAM, a 50 GB disk and a single CPU core. We strongly recommend increasing the RAM to 4 GB.
- The system is preconfigured to download and apply security patches automatically.
- The image is hardened to the CIS benchmark.
- The image is partitioned using LVM and does not use all of the allocated space, so volumes can be expanded when required with lvextend.
Configuring the system and network
On the console, log in as user nanadmin with password m4ssFussBall-01. This default password is the same on every copy of the image, so it is changed further down.
Edit /etc/yum.repos.d/nanitor-server-centos-stable.repo and replace user:pass with the username and password allocated by Nanitor (the same credentials used to download the OVA image above). The file then holds your repository credentials in clear text, so keep it readable by root only.
For the Nanitor Server to stay healthy and up to date we strongly recommend that it can reach the CentOS update servers and the Nanitor package repository, either directly or via a proxy. If a proxy is required, configure it according to the proxy requirements before running the update steps below.
Get root access
Run the following command to become root; all remaining commands in this guide are run as root:
Run the following command to set the hostname:
hostnamectl set-hostname nansrv-01
Change nansrv-01 to a hostname that suits your organisation, or to the hostname allocated by your system/network administrator.
Change the passwords for the root and nanadmin users, since the defaults are known to anyone who has read this document:
passwd root
passwd nanadmin
Now set the correct static IP address by editing /etc/sysconfig/network-scripts/ifcfg-eth0. For example, for IP address 192.168.1.90/24 with default gateway 192.168.1.254 the file would look like:
DEVICE="eth0"
BOOTPROTO="static"
ONBOOT="yes"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
NM_CONTROLLED="no"
PEERDNS="no"
GATEWAY=192.168.1.254
IPADDR0=192.168.1.90
PREFIX0="24"
Then change the DNS servers by editing /etc/resolv.conf. The image uses the Google DNS servers by default; point it at your corporate DNS so the FQDN from the requirements resolves.
Then restart the networking to make sure everything works as expected:
service network restart
The image ships with pre-generated SSH host keys that are identical on every copy of the image. Remove them so that new ones are generated on reboot; expect the host key fingerprint shown at your next SSH login to change.
rm -f /etc/ssh/*key*
Then reboot the system by running:
shutdown -r now
Once the system is back up it should be reachable via SSH. Log in via SSH and run the following commands to bring the operating system up to date:
yum clean metadata
yum -y update
If you are running on VMware, install the open-vm-tools package and enable its service:
yum -y install open-vm-tools
systemctl enable vmtoolsd
systemctl start vmtoolsd
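As an added example (not part of the Nanitor image or its installer), the following script checks a static ifcfg file and a resolv.conf before the network is restarted: it reads the ifcfg file as data rather than sourcing it, validates the addresses, and confirms that the gateway lies inside the configured subnet, which is the usual reason a VM comes back with no route after a typo. File paths are passed as arguments, so it can be run against copies of the files before they are put in place.

```sh
#!/bin/sh
# Added example (not part of the Nanitor image): sanity-check the static
# network configuration before "service network restart", so a typo in the
# gateway or prefix does not cut the VM off from SSH and yum.
# Usage: sh check_network.sh /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/resolv.conf
set -u

# Read KEY=value or KEY="value" from an ifcfg file without sourcing it; the
# network scripts source these files as shell, so treat the content as data.
ifcfg_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# True when $1 is a dotted quad with exactly four octets in 0..255.
valid_ipv4() {
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$rest" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Dotted quad to a 32-bit integer (call valid_ipv4 first).
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# True when address $1 and gateway $2 are in the same /$3 network.
same_subnet() {
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Checks BOOTPROTO, address, prefix and gateway of an ifcfg file.
# Accepts the IPADDR0/PREFIX0 form used in this guide as well as IPADDR/PREFIX.
check_ifcfg() {
    f=$1
    boot=$(ifcfg_get "$f" BOOTPROTO)
    ip=$(ifcfg_get "$f" IPADDR0)
    [ -n "$ip" ] || ip=$(ifcfg_get "$f" IPADDR)
    prefix=$(ifcfg_get "$f" PREFIX0)
    [ -n "$prefix" ] || prefix=$(ifcfg_get "$f" PREFIX)
    gw=$(ifcfg_get "$f" GATEWAY)
    case $boot in static|none) ;; *) echo "FAIL: BOOTPROTO is '$boot', expected static"; return 1 ;; esac
    valid_ipv4 "$ip" || { echo "FAIL: IPADDR '$ip' is not a valid IPv4 address"; return 1; }
    valid_ipv4 "$gw" || { echo "FAIL: GATEWAY '$gw' is not a valid IPv4 address"; return 1; }
    case $prefix in ''|*[!0-9]*) echo "FAIL: PREFIX '$prefix' is not numeric"; return 1 ;; esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 30 ] || { echo "FAIL: PREFIX $prefix is outside 1..30"; return 1; }
    [ "$ip" != "$gw" ] || { echo "FAIL: IPADDR and GATEWAY are the same address"; return 1; }
    same_subnet "$ip" "$gw" "$prefix" || { echo "FAIL: gateway $gw is not inside $ip/$prefix"; return 1; }
    echo "OK: $ip/$prefix via $gw"
}

# Requires at least one nameserver line. IPv4 entries are validated; IPv6
# entries (containing ':') are only counted.
check_resolv() {
    n=0
    while read -r key val rest; do
        [ "$key" = nameserver ] || continue
        case $val in
            *:*) ;;
            *) valid_ipv4 "$val" || { echo "FAIL: nameserver '$val' is not a valid address"; return 1; } ;;
        esac
        n=$((n + 1))
    done < "$1"
    [ "$n" -gt 0 ] || { echo "FAIL: no nameserver entries in $1"; return 1; }
    echo "OK: $n nameserver(s) in $1"
}

if [ $# -eq 2 ]; then
    check_ifcfg "$1" && check_resolv "$2"
fi
```

The prefix is limited to 1..30 because a /31 or /32 leaves no room for a separate gateway address, and both checks print the first failing item so the fix is obvious before networking is restarted.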
Mail server relay
The relay is required so the server can send outbound email. This example assumes the IP of the relay is 172.16.154.1. Edit /etc/postfix/main.cf and set relayhost to the smart host to relay through; the square brackets tell Postfix to connect to that host directly instead of looking up its MX records:
relayhost = [172.16.154.1]
Finally, reload Postfix:
service postfix reload
A good way to test this is to send a message with the mail command:
yum -y install mailx
echo "This is a test email" | mail firstname.lastname@example.org
Then check that the email arrived. If it did not, /var/log/maillog usually contains useful information.
Install and configure Nanitor
Let's set up the environment; the commands need to be run as root:
The Nanitor installer automates a lot of the setup, and its behaviour is configured through environment variables.
Fully Qualified Domain Name (mandatory)
Now we need to configure the fully qualified domain name for the install script. Assume our FQDN is nansrv-01.nanlab.nanitor.com.
This puts the Nanitor server on https://nansrv-01.nanlab.nanitor.com. Both the web browsers and all devices in the network talk to this address, and it is the name the certificate is issued for, so it has to stay the same.
You will be shown the variables and the server URL and prompted to type yes to continue. Verify that everything is as you expected before confirming with yes. The installer writes its output details to /root/nanitor_oem_install.out. That file contains, among other things, the initial admin password, so keep it only as long as you need it; once that password has been changed there is no reason to keep the file.
When using SSL, the installer generates a CSR at /etc/ssl/local/nanitor.csr. Submit it to your Certification Authority for signing.
Microsoft Certification Services
Here is an example of submitting the CSR to a Microsoft Certification Authority and getting back the required files. It assumes a certificate template called NanitorWebServer and the CSR saved as nanitor.csr:
Run these from a command prompt on a Windows host that can reach the CA; the second argument to certreq is the file the issued certificate is written to:
certreq -submit -attrib "CertificateTemplate:NanitorWebServer" nanitor.csr nanitor.cer
certutil -ca.cert ca-chain.cer
Now we should have two files, nanitor.cer and ca-chain.cer. Note that certutil -ca.cert exports only the issuing CA's own certificate; if that CA is subordinate to another CA, append the parent certificate(s) to ca-chain.cer so the chain is complete. Upload both files to the Nanitor server, e.g. into /home/nanadmin/, so that they are available at /home/nanadmin/nanitor.cer and /home/nanadmin/ca-chain.cer, and install them into the Nanitor server:
/usr/lib/nanitor-server/bin/nanitor-server-ctl cert_process --cert /home/nanadmin/nanitor.cer --ca_cert /home/nanadmin/ca-chain.cer
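Before running cert_process it is worth confirming that what the CA returned is actually usable: that the certificate carries the public key from the installer's CSR, that it chains to the CA certificate(s) being installed, and that it is valid for the FQDN chosen above. The following script is an added example, not part of Nanitor or its installer, and relies only on the openssl command line; it accepts DER or PEM input because a Microsoft CA commonly hands back DER-encoded .cer files. The file names in the usage line are the ones from this guide.

```sh
#!/bin/sh
# Added example (not part of the Nanitor installer): pre-flight check of the
# files returned by the CA before handing them to nanitor-server-ctl cert_process.
# Usage: sh check_cert.sh nansrv-01.nanlab.nanitor.com /etc/ssl/local/nanitor.csr \
#            /home/nanadmin/nanitor.cer /home/nanadmin/ca-chain.cer
set -eu

# Normalise a certificate file to PEM. A Microsoft CA often returns DER-encoded
# .cer files; PEM input (including a multi-certificate chain) passes through.
to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        cat "$1"
    else
        openssl x509 -inform DER -in "$1"
    fi
}

# Returns 0 when the certificate (1) carries the public key from the CSR,
# (2) chains to the CA file and (3) is valid for the FQDN; otherwise prints
# the failing check to stderr and returns 1.
check_cert() {
    fqdn=$1 csr=$2 cert=$3 ca=$4
    work=$(mktemp -d)
    status=0
    to_pem "$cert" > "$work/cert.pem"
    to_pem "$ca" > "$work/ca.pem"
    # Compare public keys rather than RSA moduli so the check also works for EC keys.
    openssl req -in "$csr" -noout -pubkey > "$work/csr.pub"
    openssl x509 -in "$work/cert.pem" -noout -pubkey > "$work/cert.pub"
    if ! cmp -s "$work/csr.pub" "$work/cert.pub"; then
        echo "FAIL: public key in $cert does not match $csr (wrong file, or the CSR was regenerated)" >&2
        status=1
    # -verify_hostname makes openssl verify check the SAN/CN against the FQDN
    # in addition to building the chain from the CA file.
    elif ! openssl verify -CAfile "$work/ca.pem" -verify_hostname "$fqdn" "$work/cert.pem" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca or is not valid for $fqdn (missing intermediate CA, wrong template or wrong name)" >&2
        status=1
    else
        echo "OK: $cert matches $csr, chains to $ca and is valid for $fqdn"
    fi
    rm -rf "$work"
    return $status
}

if [ $# -eq 4 ]; then
    check_cert "$@"
fi
```

A chain failure here means browsers will later show the site as untrusted for the same reason, so fix ca-chain.cer (typically by appending the parent of a subordinate issuing CA) before running cert_process rather than debugging it through nginx afterwards.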
Now we are ready to enable and start the web server. A restart rather than a plain start also covers the case where nginx was already running before this guide began:
systemctl enable nginx.service
systemctl restart nginx.service
After the installation has run there is a file /root/nanitor_oem_install.out, created by the installer, which includes the email and password of the administrator user created during the installation. Keep it for your records until that password has been changed. The email used in the install is email@example.com.
The full server URL is stored in /root/nanitor_oem_install.out. Visit it in your browser. If the site comes up as trusted, the certificate installation was successful. If not, check the certificate (it must be issued for the FQDN and chain to a CA the browser trusts), or import the CA certificate into your domain or machine trust store. Next, an organization has to be created to finish getting the server up and running.
After logging in with the email firstname.lastname@example.org and the password from the install file, you are asked to create an organization; fill in the relevant fields and continue. To finish this dialog you need to contact email@example.com with your Server Installation ID, which is shown in the create organization dialog and in /root/nanitor_oem_install.out. Once you have received a valid Nanitor license for your organization you can continue.
After finishing the create organization dialog you are redirected to the organization you just created.
Benchmarks, agents and other data need to be synced from the Nanitor customer portal to the server for the best results.
Follow this guide to set up automatic sync with the Nanitor customer portal.
When the server has no internet connectivity to the customer portal, benchmarks and agents can be downloaded from http://packages.nanitor.com/customer-portal/ and imported manually. Under that URL, benchmarks/ holds the benchmarks (as .zip files) and products/ holds the products. Download every file you want imported.
- Administration -> System Administration -> Benchmarks is where the downloaded benchmarks are uploaded
- Administration -> System Administration -> Products is where the downloaded products are uploaded
You are now ready to continue to the User Guide.