How do I deploy the Nanitor server?
This document describes the steps required to set up the Nanitor server on-premise. After the installation is complete, request a license key from the Nanitor sales team, quoting the Server Installation ID that the installer prints.
- A static IP address and a fully qualified domain name (FQDN) that resolves in your corporate DNS. Ask your network/system administrators to reserve the address and register the name. This guide uses the FQDN nansrv-01.nanlab.nanitor.com as an example.
- An SMTP relay host the server can relay outbound email through.
- For SSL/TLS, a Certification Authority to sign the server's CSR. This example uses Microsoft Certification Services; the procedure is similar with any other CA.
- A Nanitor customer portal username and password. On-premise customers are allocated one by the Nanitor sales team.
Nanitor Server is distributed as an OVA image which can be downloaded here. The download requires the on-premise customer portal username and password. Consult your system administrator on how to import the OVA into your hypervisor of choice, then boot the image.
- The OVA is configured with 2 GB of RAM, a 50 GB disk and a single CPU core. This is a reasonable starting point and can be scaled up when required.
- The system is preconfigured to automatically download and apply security patches.
- The image is also hardened to the CIS benchmark.
- The image is partitioned using LVM and does not use all of the allocated space, so volumes are easy to grow with lvextend when required.
Configuring the system and network
On the console, log in as user nanadmin with password m4ssFussBall-01. This is a published default shared by every copy of the image, so change it (and the root password) before the server is reachable on the network; the steps below cover that.
Edit /etc/yum.repos.d/nanitor-server-centos-stable.repo and replace user:pass with the username and password allocated by Nanitor (the same credentials used to download the OVA image above). The file now holds a credential in clear text, so keep it readable by root only (mode 600); yum runs as root and does not need more.
Get root access
Run the following command to become root. Every remaining command in this guide must be run as root:
Run the following command to set the hostname (the SSH host keys are regenerated further down):
hostnamectl set-hostname nansrv-01
Replace nansrv-01 with a hostname that suits your organisation, or with the hostname allocated by your system/network administrator.
Change the passwords for both the nanadmin and the root user:
passwd root
passwd nanadmin
Now set the static IP address by editing /etc/sysconfig/network-scripts/ifcfg-eth0. For example, for the address 192.168.1.90/24 with default gateway 192.168.1.254 the file would look like:
DEVICE="eth0"
BOOTPROTO="static"
ONBOOT="yes"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
NM_CONTROLLED="no"
PEERDNS="no"
GATEWAY=192.168.1.254
IPADDR0=192.168.1.90
PREFIX0="24"
Then set your corporate DNS servers in /etc/resolv.conf; the image uses the Google public resolvers by default, which will not resolve your internal FQDN. With PEERDNS="no" in the interface file, the network scripts leave /etc/resolv.conf alone.
Then restart the networking to make sure everything is working as expected:
service network restart
The image ships with pre-generated SSH host keys that are identical in every copy of the OVA, so anyone with the image could impersonate your server. Remove them now; sshd generates a fresh set on the next boot. After the reboot, read the new host key fingerprints on the console so the first SSH connection can be verified against them.
rm -f /etc/ssh/*key*
Then reboot the system by running:
shutdown -r now
Once the system is back up it should be reachable over SSH. Log in via SSH and run the following commands to bring the operating system up to date:
yum clean metadata
yum -y update
If you are running on VMware, install the open-vm-tools package and enable its service:
yum -y install open-vm-tools
systemctl enable vmtoolsd
systemctl start vmtoolsd
Mail server relay
The relay is required so the server can send outbound email. This example assumes the relay's IP address is 172.16.154.1. Edit /etc/postfix/main.cf and set relayhost to the smart host to relay through; the square brackets tell Postfix to connect to that address directly instead of looking up MX records for it:
relayhost = [172.16.154.1]
Finally reload postfix.
service postfix reload
A good way to test this is the mail command:
yum -y install mailx
echo "This is a test email" | mail email@example.com
Then check that the email arrived. If it did not, /var/log/maillog usually shows why (for example the relay refusing the connection or rejecting the sender address).
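Reading /var/log/maillog by eye is error-prone, so here is an added example (not part of the Nanitor documentation) that pulls the per-message delivery result out of the log: queue ID, recipient, the relay Postfix used and the final status. The sample log lines are constructed for the demo; on the server, point the function at /var/log/maillog.

```shell
#!/bin/sh
# Added example: summarise Postfix delivery attempts from /var/log/maillog
# so the outcome of the test mail above can be read at a glance.
# Not part of the Nanitor documentation; the sample lines below are constructed.

# Print "<queue-id> <recipient> <relay> <status>" for every delivery attempt.
# Postfix logs one "to=<...>, relay=..., status=..." line per attempt; the
# relay field is "none" when no connection to the smart host could be made.
maillog_delivery() {
    sed -n 's/^.* postfix\/[a-z]*\[[0-9]*\]: \([0-9A-Za-z]*\): to=<\([^>]*\)>, relay=\([^,]*\),.*status=\([a-z]*\).*$/\1 \2 \3 \4/p' "$1"
}

# Only the attempts that did not end in status=sent (deferred, bounced, ...).
maillog_failures() {
    maillog_delivery "$1" | awk '$4 != "sent"'
}

# Constructed sample: one message relayed successfully through 172.16.154.1
# and one that was deferred because the relay refused the connection.
SAMPLE_MAILLOG='Jan 12 10:15:01 nansrv-01 postfix/pickup[1234]: 5A1B2C3D4E: uid=0 from=<root>
Jan 12 10:15:01 nansrv-01 postfix/qmgr[1100]: 5A1B2C3D4E: from=<root@nansrv-01.nanlab.nanitor.com>, size=312, nrcpt=1 (queue active)
Jan 12 10:15:02 nansrv-01 postfix/smtp[1236]: 5A1B2C3D4E: to=<email@example.com>, relay=172.16.154.1[172.16.154.1]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8F2A1)
Jan 12 10:15:02 nansrv-01 postfix/qmgr[1100]: 5A1B2C3D4E: removed
Jan 12 10:20:05 nansrv-01 postfix/smtp[1240]: 7B2C3D4E5F: to=<email@example.com>, relay=none, delay=30, delays=0/0/30/0, dsn=4.4.1, status=deferred (connect to 172.16.154.1[172.16.154.1]:25: Connection refused)'

# Stand-alone demo on the sample. On the Nanitor server run instead:
#   maillog_failures /var/log/maillog
demo_maillog() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_MAILLOG" > "$tmp"
    echo "All delivery attempts:"
    maillog_delivery "$tmp"
    echo "Failures:"
    maillog_failures "$tmp"
    rm -f "$tmp"
}

demo_maillog
```

A status of deferred means Postfix will keep retrying from its queue (check the relay address and that port 25 is open from the server); bounced means the relay accepted the connection but rejected the message, and the text in parentheses carries the relay's reason.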
Install and configure Nanitor
Let's set up the environment; we need to be root when we run the commands:
The Nanitor installer automates most of the work, and its behaviour is configured through environment variables.
Fully Qualified Domain Name (mandatory)
First we need to configure the fully qualified domain name for the install script. Assume our FQDN is nansrv-01.nanlab.nanitor.com.
This puts the Nanitor server at https://nansrv-01.nanlab.nanitor.com. Both web browsers and every device in your network will talk to this address, so it must not change afterwards.
Use HTTP (not recommended)
Nanitor assumes HTTPS by default and this is strongly recommended: over plain HTTP the administrator login and all agent traffic cross the network unencrypted. If for some reason you still want to lower the security standard and use HTTP, it can be done with this variable:
You will be shown the variables and the server URL and prompted to type yes to continue. Verify that everything is as you expected, then confirm with yes. The installer writes its output to /root/nanitor_oem_install.out. Keep that file, readable by root only, for as long as you need it, as it contains the admin password; once you have changed that password there is no need to keep it.
When using SSL, the installer generates a CSR at /etc/ssl/local/nanitor.csr. Upload it to your Certification Authority and have it signed.
Microsoft Certification Services
Here is an example of how to submit the CSR to a Microsoft Certification Authority and get back the required files. It assumes a certificate template called NanitorWebServer and a CSR file called nanitor.csr.
Run these from a Windows command prompt:
certreq -submit -attrib "CertificateTemplate:NanitorWebServer" nanitor.csr nanitor.cer
certutil -ca.cert ca-chain.cer
Now we should have two files: nanitor.cer (the signed server certificate) and ca-chain.cer (the certificate of the issuing CA, which is what certutil -ca.cert returns). Upload them to the Nanitor server, e.g. into /home/nanadmin/, and install them into the Nanitor server with:
/usr/lib/nanitor-server/bin/nanitor-server-ctl cert_process --cert /home/nanadmin/nanitor.cer --ca_cert /home/nanadmin/ca-chain.cer
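Before handing the files to cert_process (or afterwards, if the browser still distrusts the site), it is worth checking that the CA returned what we asked for. The script below is an added example, not part of the Nanitor documentation or of nanitor-server-ctl: it checks that nanitor.cer was issued for the key behind /etc/ssl/local/nanitor.csr, that it verifies against ca-chain.cer, and that it carries the server FQDN as a DNS subjectAltName, which is what browsers require. It needs the openssl command-line tool; the CA, CSR and certificates it creates for the demo are constructed stand-ins for Microsoft Certification Services, and the file paths in the comments are those used on this page.

```shell
#!/bin/sh
# Added example, not part of the Nanitor documentation: sanity-check the
# signed certificate before handing it to nanitor-server-ctl cert_process.
# Needs the openssl command-line tool. Answers the three questions behind a
# browser "not trusted" error:
#   1. was nanitor.cer issued for the key behind /etc/ssl/local/nanitor.csr?
#   2. does it verify against the CA certificate(s) in ca-chain.cer?
#   3. does it carry the server FQDN as a DNS subjectAltName?

# Emit a certificate file as PEM whether the CA returned PEM or DER
# (a PEM chain is passed through untouched so intermediates survive).
read_cert() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then cat "$1"; else openssl x509 -inform DER -in "$1"; fi
}

# 0 if the public key in CERT ($1) equals the public key in CSR ($2).
cert_matches_csr() {
    cert_key=$(read_cert "$1" | openssl x509 -noout -pubkey)
    csr_key=$(openssl req -noout -pubkey -in "$2")
    [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}

# 0 if CERT ($1) verifies against the CA bundle in CACHAIN ($2). The bundle
# must reach a self-signed root, which is also what the browser needs.
cert_chain_ok() {
    ca_tmp=$(mktemp); cert_tmp=$(mktemp)
    read_cert "$2" > "$ca_tmp"; read_cert "$1" > "$cert_tmp"
    openssl verify -CAfile "$ca_tmp" "$cert_tmp" > /dev/null 2>&1; rc=$?
    rm -f "$ca_tmp" "$cert_tmp"
    return $rc
}

# 0 if FQDN ($2) is listed as a DNS subjectAltName in CERT ($1).
cert_has_san() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    read_cert "$1" | openssl x509 -noout -text | grep -qE "DNS:$pat(,|\$)"
}

# Run all three checks on CERT CSR CACHAIN FQDN; returns the number of failures.
check_cert() {
    fails=0
    cert_matches_csr "$1" "$2" && echo "ok   public key matches the CSR" || { echo "FAIL certificate was not issued for the CSR key"; fails=$((fails+1)); }
    cert_chain_ok "$1" "$3" && echo "ok   verifies against $3" || { echo "FAIL does not verify against $3"; fails=$((fails+1)); }
    cert_has_san "$1" "$4" && echo "ok   subjectAltName contains $4" || { echo "FAIL no DNS subjectAltName for $4"; fails=$((fails+1)); }
    return $fails
}

# Constructed test PKI (stand-in for Microsoft Certification Services) in
# directory $1: a self-signed CA, a CSR for FQDN $2, the matching certificate
# nanitor.cer, and other.cer issued for the same name but a different key.
make_test_pki() {
    dir=$1; fqdn=$2
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv_ext]
subjectAltName = DNS:$fqdn
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -config "$dir/openssl.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca-chain.cer" -subj "/CN=Nanlab Test CA" -days 2 2>/dev/null
    openssl req -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/nanitor.key" -out "$dir/nanitor.csr" -subj "/CN=$fqdn" 2>/dev/null
    openssl x509 -req -in "$dir/nanitor.csr" -CA "$dir/ca-chain.cer" -CAkey "$dir/ca.key" -set_serial 1001 \
        -days 2 -extfile "$dir/openssl.cnf" -extensions srv_ext -out "$dir/nanitor.cer" 2>/dev/null
    openssl req -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/other.key" -out "$dir/other.csr" -subj "/CN=$fqdn" 2>/dev/null
    openssl x509 -req -in "$dir/other.csr" -CA "$dir/ca-chain.cer" -CAkey "$dir/ca.key" -set_serial 1002 \
        -days 2 -extfile "$dir/openssl.cnf" -extensions srv_ext -out "$dir/other.cer" 2>/dev/null
}

# Stand-alone demo on the constructed PKI. On the Nanitor server run instead:
#   check_cert /home/nanadmin/nanitor.cer /etc/ssl/local/nanitor.csr /home/nanadmin/ca-chain.cer nansrv-01.nanlab.nanitor.com
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir" nansrv-01.nanlab.nanitor.com
echo "== nanitor.cer (issued for the CSR key)"
check_cert "$demo_dir/nanitor.cer" "$demo_dir/nanitor.csr" "$demo_dir/ca-chain.cer" nansrv-01.nanlab.nanitor.com
echo "== other.cer (same name, wrong key)"
check_cert "$demo_dir/other.cer" "$demo_dir/nanitor.csr" "$demo_dir/ca-chain.cer" nansrv-01.nanlab.nanitor.com \
    || echo "   -> do not feed this file to cert_process"
rm -rf "$demo_dir"
```

The key-match check is the one most often skipped: a certificate that chains correctly and has the right name but was issued for another CSR (for example a re-submitted request after the installer was re-run) will make nginx fail to start or serve a key/certificate mismatch. If cert_chain_ok fails while the browser does trust the issuing CA, ca-chain.cer most likely holds only a subordinate CA and needs the certificates above it up to the root added.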
Now we are ready to start the web server. The final restart also covers the case where nginx was already running before you started this guide:
systemctl enable nginx.service
service nginx start
service nginx restart
After the installation there should be a file /root/nanitor_oem_install.out, created by the installer. It contains the email address and password of the administrator user that was created during installation; keep it for your records. The email used in this install is firstname.lastname@example.org.
The full server URL is also stored in /root/nanitor_oem_install.out. Visit the URL in your browser. If the site comes up as trusted, everything has succeeded. If not, debug the SSL certificate (it must verify against a CA your browser trusts and carry the server FQDN) or add the CA certificate to your domain or machine certificate store. We now need to create an organization to finish getting the server up and running.
After logging in with the administrator email address and password from the install output, you will be asked to create an organization; fill in the relevant fields and continue. To finish this dialog you will need to contact firstname.lastname@example.org with your Server Installation ID, which is shown in the create organization dialog and also in /root/nanitor_oem_install.out. Once you have received a valid Nanitor license for your organization you can continue.
After finishing the create organization dialog you should be redirected to the organization you just created.
Benchmarks and agents must be synced from the Nanitor customer portal to the Nanitor server.
The easiest way to sync and fetch the available benchmarks and agents from the Nanitor customer portal is to run this command on the server:
This contacts https://packages.nanitor.com. If you need a proxy, set http_proxy and https_proxy in your environment before running it:
export http_proxy="http://proxy.mycompany.com:8080/"
export https_proxy="http://proxy.mycompany.com:8080/"
We recommend syncing the data this way. Where the server has no direct internet connectivity, use a proxy; the proxy can then carry an ACL restricting which sites the server may reach.
If there is no connectivity to the customer portal at all, download the benchmarks and agents manually from http://packages.nanitor.com/customer-portal/: benchmarks/ holds the benchmarks and products/ the products. Benchmarks from Nanitor come as .zip files and need to be imported into the system. Download every file you want imported, then upload them in the web interface:
- Administration -> System Administration -> Benchmarks is the place to upload the benchmarks downloaded
- Administration -> System Administration -> Products is the place to upload the products downloaded
You are now ready to continue to the User Guide.