How do I deploy the Nanitor server?

This document describes the steps required to set up the Nanitor server on-premise. After the installation is complete we need to get a license key from the Nanitor sales team and quote the Server Installation ID.


  1. A static IP address and fully qualified domain name (FQDN) which resolves in DNS. An IP address is reserved and provided to you by your Network/System Admins with FQDN and resolvable over your corporate DNS. This guide will use the FQDN (fully qualified domain name) as an example.
  2. An SMTP relay host we can relay through to send out emails.
  3. For SSL we need a Certification Authority to sign our CSR. In this example we use Microsoft Certification Services. It should be similar using any other CA.
  4. Nanitor customer portal username and password. On-premise customers get allocated one by the Nanitor sales team.

OVA Image

Nanitor Server is distributed as an OVA image which can be downloaded here. The username and password are the on-premise credentials. Please consult your system administrator as to how to import the OVA into the hypervisor of choice. Once that is done please boot into the image.

  • The OVA file expects 2 gigabytes of RAM, 50 gigabyte disk and a single CPU core. It is a good starting point and can be scaled up when required.
  • The system is preconfigured to automatically download and apply security patches.
  • The image is also hardened to CIS standard.
  • The image is partitioned using LVM and does not use all of the allocated space, so it is easy to expand volumes when required using lvextend.

Configuring the system and network

On the console, log in as user nanadmin with password m4ssFussBall-01

Update server

Edit /etc/yum.repos.d/nanitor-server-centos-stable.repo and replace user:pass with the username and password allocated by Nanitor (same password as used to download the OVA image above).

Get root access

Run this command to get root access. All commands need to be run as root for the installation process:

sudo bash


Run the following commands to set the hostname and re-seed the SSH keys. New ones will be generated on reboot:

hostnamectl set-hostname nansrv-01

Change nansrv-01 to a hostname that suits your organisation or to the hostname allocated by your system/network administrator.


You will want to change the passwords for the nanadmin and root users. Please run:

passwd root
passwd nanadmin


Now set the correct static IP address. Please edit /etc/sysconfig/network-scripts/ifcfg-eth0. For example for IP address with default gateway the file would look like:


Then you might want to change the DNS servers by editing /etc/resolv.conf. The image uses the Google DNS servers by default.

Then restart the networking to make sure everything is working as expected:

service network restart

SSH keys

The image comes with pre-generated SSH keys. We will want to remove these and have the reboot regenerate them.

rm -f /etc/ssh/*key*

Then reboot the system by running:

shutdown -r now
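The host keys shipped in the image are the same for everyone who downloads it, so it is worth confirming after the reboot that none of them is still in use. The following is an added example, not part of the original guide: the function names and the snapshot file are hypothetical, and it assumes ssh-keygen is available on the server.

```shell
#!/bin/sh
# Added example: confirm the host keys shipped in the OVA were really replaced.
# Function names and the snapshot file location are hypothetical.

# Print one fingerprint per host public key found in directory $1.
host_key_fingerprints() {
    for f_pub in "$1"/ssh_host_*_key.pub; do
        [ -f "$f_pub" ] && ssh-keygen -lf "$f_pub" | awk '{print $2}'
    done
    return 0
}

# Step 1, before "rm -f /etc/ssh/*key*": save the shipped fingerprints.
snapshot_host_keys() {   # snapshot_host_keys KEYDIR SNAPSHOT_FILE
    host_key_fingerprints "$1" > "$2"
}

# Step 2, after the reboot: fail if no key exists or any shipped key survived.
# Returns 0 when every host key is new, 1 otherwise.
verify_host_keys_rotated() {   # verify_host_keys_rotated KEYDIR SNAPSHOT_FILE
    v_now=$(host_key_fingerprints "$1")
    [ -n "$v_now" ] || { echo "FAIL: no host keys found in $1"; return 1; }
    v_rc=0
    for v_fp in $v_now; do
        if grep -qxF "$v_fp" "$2"; then
            echo "FAIL: shipped host key still in use: $v_fp"; v_rc=1
        fi
    done
    return "$v_rc"
}

# Usage (as root):
#   snapshot_host_keys /etc/ssh /root/shipped_hostkeys.txt        # before rm
#   verify_host_keys_rotated /etc/ssh /root/shipped_hostkeys.txt  # after reboot
```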

Once the system is back up and running it should be reachable via SSH. Once logged in via SSH run the following commands to bring the operating system up to date:

yum clean metadata
yum -y update

If you are running on top of VMware, you should install VMware tools:

yum -y install open-vm-tools
systemctl enable vmtoolsd
systemctl start vmtoolsd

Mail server relay

The relay is required so the server can send outbound emails. This example assumes that the IP of the relay is Edit /etc/postfix/ and set the relayhost to the smart host to relay through:

relayhost = []

Finally reload postfix.

service postfix reload

A good way to test this is to use the mail command:

yum -y install mailx
echo "This is a test email" | mail

Then check if you got the email. If it is not working, the file /var/log/maillog may contain useful information.

Install and configure Nanitor

Let's set up the environment. We need to be root when we run the commands:

sudo bash

Install variables

The Nanitor installer automates a lot of things for us. Therefore we need to set environment variables to configure the behaviour.

Fully Qualified Domain Name (mandatory)

First we need to configure the fully qualified domain name for the install script. Assume our FQDN will be


This will put the Nanitor server on Both the web browsers and all devices in our network will be talking to this address so it has to stay the same.

Use HTTP (Not recommended)

Nanitor assumes HTTPS by default and it is highly recommended. If for some reason you want to drop the security standard and use HTTP it can be done with this variable:

export NANITOR_USE_HTTP="true"

Install Nanitor

/usr/lib/nanitor-server/bin/nanitor-server-ctl clean_oem_install

You will be shown the variables and the server URL. You will be prompted to type yes to continue. Please verify that everything is as you expected and then confirm with yes. The installer will write output details to /root/nanitor_oem_install.out. Please keep that file for as long as you need it, as it contains things like the admin password. If you change the password later there is no need to keep the file.

Activate SSL

When using SSL, the installer generates a CSR at /etc/ssl/local/nanitor.csr. Please upload it and sign with your Certification Authority.

Microsoft Certification Services

Here is an example of how to take the CSR and get back the required files with Microsoft Certification Authority. This assumes a template called NanitorWebServer and a CSR called nanitor.csr:

We use the command prompt to do this:

certreq -submit -attrib "CertificateTemplate:NanitorWebServer" nanitor.csr
certutil -ca.cert ca-chain.cer

Now we should have 2 files: nanitor.cer and ca-chain.cer. Please upload them to the Nanitor server, e.g. into /home/nanadmin/.

Certificate installation

We assume the certificate and the CA certificate files are available at:

  • /home/nanadmin/nanitor.cer
  • /home/nanadmin/ca-chain.cer

We need to install them into the Nanitor server.

/usr/lib/nanitor-server/bin/nanitor-server-ctl cert_process --cert /home/nanadmin/nanitor.cer --ca_cert /home/nanadmin/ca-chain.cer
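Before running the cert_process command above, the signed certificate can be checked against the CSR and the CA certificate. The following is an added example, not part of the original guide or of the Nanitor tooling: the function names are hypothetical, the FQDN in the usage line is a placeholder, and it assumes the openssl command line tool is installed.

```shell
#!/bin/sh
# Added example: pre-flight checks on a CA-signed certificate before cert_process.
# Function names are hypothetical; the paths in the usage line come from the guide.

# Emit a certificate as PEM whether the CA exported it as Base64/PEM or binary DER.
to_pem() {
    openssl x509 -in "$1" -inform PEM 2>/dev/null ||
        openssl x509 -in "$1" -inform DER 2>/dev/null
}

# check_signed_cert CSR CERT CA_CERT FQDN
# Returns 0 if every check passes, 1 if any check fails, 2 if a file is unreadable.
check_signed_cert() {
    c_csr=$1 c_cert=$2 c_ca=$3 c_fqdn=$4 c_rc=0
    c_tmp=$(mktemp -d) || return 2
    if ! to_pem "$c_cert" > "$c_tmp/cert.pem" || ! to_pem "$c_ca" > "$c_tmp/ca.pem"; then
        echo "ERROR: cannot parse certificate or CA certificate"
        rm -rf "$c_tmp"; return 2
    fi

    # 1. The certificate must carry the public key from the CSR the installer
    #    generated; otherwise it will not match the private key on the server.
    c_want=$(openssl req -in "$c_csr" -noout -pubkey 2>/dev/null | openssl sha256)
    c_have=$(openssl x509 -in "$c_tmp/cert.pem" -noout -pubkey | openssl sha256)
    [ "$c_want" = "$c_have" ] || { echo "FAIL: public key differs from CSR"; c_rc=1; }

    # 2. The certificate must verify against the uploaded CA certificate.
    #    -partial_chain accepts an issuing (non-root) CA as the trust anchor.
    openssl verify -partial_chain -CAfile "$c_tmp/ca.pem" "$c_tmp/cert.pem" \
        >/dev/null 2>&1 || { echo "FAIL: not issued by the supplied CA"; c_rc=1; }

    # 3. The certificate must cover the FQDN that browsers and agents will use.
    #    -checkhost reports through its output, so match on the text.
    openssl x509 -in "$c_tmp/cert.pem" -noout -checkhost "$c_fqdn" |
        grep -q 'does match' || { echo "FAIL: certificate does not cover $c_fqdn"; c_rc=1; }

    # 4. The certificate must still be valid 30 days (2592000 s) from now.
    openssl x509 -in "$c_tmp/cert.pem" -noout -checkend 2592000 >/dev/null ||
        { echo "FAIL: certificate expires within 30 days"; c_rc=1; }

    rm -rf "$c_tmp"
    return "$c_rc"
}

# Usage on the Nanitor server (the FQDN shown is a placeholder):
# check_signed_cert /etc/ssl/local/nanitor.csr /home/nanadmin/nanitor.cer \
#     /home/nanadmin/ca-chain.cer nanitor.example.test
```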

Start Webserver

Now we are ready to start the webserver.

systemctl enable nginx.service
service nginx start
service nginx restart

The last command ensures that the server is restarted if it was already running before we started the guide.

Admin password

After the installation has been run there should be a file called /root/nanitor_oem_install.out, which was created as part of the installation. It includes the email and password for the administrator user that was created as part of the installation process. Please keep this for your records. The email used in the install is


The full location of the server URL is stored in /root/nanitor_oem_install.out. Please visit the URL in your browser. If it comes up as trusted in your browser it means that everything has been successful. If not you may need to debug the SSL certificate or add it into your domain or machine store to get it working. We now need to create an organization to finish getting the server up and running.

After logging in with the email and password you will get asked to create an organization, please fill in the relevant fields and continue. In order to finish this dialog you will need to contact with your Server Installation ID. It is shown in the create organization dialog and also in the /root/nanitor_oem_install.out. Once you have received a valid Nanitor license for your organization you can continue. 

After finishing the create organization dialog you should be redirected to the organization you just created.


Benchmarks and agents need to be synced with the Nanitor server.

Automatic sync

To sync and get the available benchmarks and agents from the Nanitor customer portal it is easiest to run the command on the server:

/usr/lib/nanitor-server/bin/nanitor-server-ctl customer_portal_sync

This will try to contact If you require a proxy, make sure you have set HTTP_PROXY and HTTPS_PROXY in your environment. This can be done like this:

export http_proxy=""
export https_proxy=""

We recommend that the data is synced. When there is no direct internet connectivity we recommend the use of a proxy. The proxy can then have an ACL to restrict what sites are being accessed.


When there is no internet connectivity to the customer portal we can download the benchmarks and agents from Benchmarks from Nanitor come in a .zip format and need to be imported into the system. Under the URL there is benchmarks/ for the benchmarks and products/ for the products. You need to download all the files you want imported in order to do it manually.

  • Administration -> System Administration -> Benchmarks is the place to upload the benchmarks downloaded
  • Administration -> System Administration -> Products is the place to upload the products downloaded 

Installation complete

You are now ready to continue to the User Guide.
