How do I deploy the Nanitor server?

This document describes the steps required to set up the Nanitor server on-premise. After the installation is complete we need to get a license key from the Nanitor sales team, quoting the Server Installation ID.

Prerequisites

  1. A static IP address and a fully qualified domain name (FQDN) that resolves in DNS. The IP address is reserved and provided by your network/system administrators, together with an FQDN that resolves over your corporate DNS. This guide uses the FQDN nansrv-01.nanlab.nanitor.com as an example.
  2. An SMTP relay host we can relay through to send out emails.
  3. For SSL we need a Certificate Authority (CA) to sign our CSR. In this example we use Microsoft Certification Services; the process should be similar with any other CA.
  4. Nanitor customer portal username and password. On-premise customers are allocated one by the Nanitor sales team.

OVA Image

Nanitor Server is distributed as an OVA image which can be downloaded here. The username and password are the on-premise credentials. Please consult your system administrator on how to import the OVA into the hypervisor of your choice. Once that is done, boot into the image.

  • The OVA file expects 2 GB of RAM, a 50 GB disk and a single CPU core. We strongly recommend upgrading the RAM to 4 GB.
  • The system is preconfigured to automatically download and apply security patches.
  • The image is also hardened to the CIS standard.
  • The image is partitioned using LVM and does not use all of the allocated space, so it is easy to expand volumes when required using lvextend.

Configuring the system and network

On the console, log in as user nanadmin with password m4ssFussBall-01.

Update server

Edit /etc/yum.repos.d/nanitor-server-centos-stable.repo and replace user:pass with the username and password allocated by Nanitor (same password as used to download the OVA image above).

Proxy server

In order for the Nanitor Server to stay healthy and up to date we strongly recommend that it can reach the CentOS update servers and the Nanitor update server, either directly or via a proxy. If a proxy needs to be configured, here are the requirements for configuring it.

Get root access

Run this command to get root access. All commands need to be run as root for the installation process:

sudo bash

Hostname

Run the following command to set the hostname (the SSH host keys are re-seeded in a later step, and new ones are generated on reboot):

hostnamectl set-hostname nansrv-01

Change nansrv-01 to a hostname that suits your organisation, or to the hostname allocated by your system/network administrator.

Password

You will want to change the passwords for the nanadmin and root users. Please run:

passwd root
passwd nanadmin

Networking

Now set the correct static IP address by editing /etc/sysconfig/network-scripts/ifcfg-eth0. For example, for IP address 192.168.1.90/24 with default gateway 192.168.1.254 the file would look like:

DEVICE="eth0"
BOOTPROTO="static"
ONBOOT="yes"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
NM_CONTROLLED="no"
PEERDNS="no"
GATEWAY=192.168.1.254
IPADDR0=192.168.1.90
PREFIX0="24"

You might also want to change the DNS servers by editing /etc/resolv.conf (PEERDNS="no" above stops the network scripts from overwriting it). The image uses the Google DNS servers by default.

Then restart the networking to make sure everything is working as expected:

service network restart
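As an added example, not part of the Nanitor guide, the following POSIX shell script renders an ifcfg-eth0 file in the layout shown above from an address, prefix length and gateway, and refuses input that would leave the appliance unreachable after the network restart (a malformed octet, a prefix out of range, a gateway outside the subnet). The function names and the validation are this example's own; only the generated file format comes from the guide.

```shell
#!/bin/sh
# Added example, not from the Nanitor guide: generate ifcfg-eth0 from IP/prefix/gateway
# and validate the values first, so a typo does not cut the server off the network.

# ip4_to_int ADDRESS -> decimal value of a dotted-quad IPv4 address; exit 1 if malformed
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            '' | *[!0-9]* | 0[0-9]*) return 1 ;;   # empty, non-numeric, or leading zero (octal)
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet ADDRESS GATEWAY PREFIX -> 0 when both addresses share the /PREFIX network
same_subnet() {
    a=$(ip4_to_int "$1") || return 1
    g=$(ip4_to_int "$2") || return 1
    case $3 in '' | *[!0-9]*) return 1 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 30 ] || return 1
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( g & mask )) ]
}

# render_ifcfg ADDRESS PREFIX GATEWAY [DEVICE] -> prints the ifcfg file; exit 1 on bad input
render_ifcfg() {
    ip=$1; prefix=$2; gw=$3; dev=${4:-eth0}
    if [ "$ip" = "$gw" ]; then
        echo "address and gateway must differ" >&2; return 1
    fi
    if ! same_subnet "$ip" "$gw" "$prefix"; then
        echo "gateway $gw is not inside $ip/$prefix (or a value is malformed)" >&2; return 1
    fi
    cat <<EOF
DEVICE="$dev"
BOOTPROTO="static"
ONBOOT="yes"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
NM_CONTROLLED="no"
PEERDNS="no"
GATEWAY=$gw
IPADDR0=$ip
PREFIX0="$prefix"
EOF
}

# Usage on the appliance (as root), then restart networking as in the guide:
#   render_ifcfg 192.168.1.90 24 192.168.1.254 > /etc/sysconfig/network-scripts/ifcfg-eth0
```

Redirect the output into the ifcfg file only after the function has returned 0; a non-zero exit with a message on stderr means nothing was written.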

SSH keys

The image comes with pre-generated SSH host keys. We want to remove these and have the reboot regenerate them:

rm -f /etc/ssh/*key*

Then reboot the system by running:

shutdown -r now

Once the system is back up it should be reachable via SSH. Once logged in via SSH, run the following commands to bring the operating system up to date:

yum clean metadata
yum -y update

If you are running on top of VMware, you should install the VMware tools:

yum -y install open-vm-tools
systemctl enable vmtoolsd
systemctl start vmtoolsd

Mail server relay

The relay is required so that the server can send outbound email. This example assumes the IP of the relay is 172.16.154.1. Edit /etc/postfix/main.cf and set relayhost to the smart host to relay through:

relayhost = [172.16.154.1]

Finally, reload postfix:

service postfix reload

A good way to test this is to use the mail command:

yum -y install mailx
echo "This is a test email" | mail me@mycompany.com

Then check whether you received the email. If it is not working, /var/log/maillog may contain useful information.
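As an added example (not part of the Nanitor guide), the shell functions below make the two checks from this section repeatable: one confirms that relayhost is actually set in main.cf, the other pulls the status of the last delivery attempt for a recipient out of maillog lines, so a deferred or bounced test mail is spotted without reading the whole log. The sample main.cf and maillog lines are constructed for this example in postfix's own formats, using the relay IP and address from the guide.

```shell
#!/bin/sh
# Added example, not from the Nanitor guide: confirm relayhost is set in main.cf and read the
# outcome of the test mail from maillog-style lines instead of eyeballing the whole log.

# Constructed sample data in the formats postfix writes (hostname/IPs follow the guide).
SAMPLE_MAIN_CF='myhostname = nansrv-01.nanlab.nanitor.com
inet_interfaces = localhost
relayhost = [172.16.154.1]'

SAMPLE_MAILLOG='Mar  3 10:15:02 nansrv-01 postfix/smtp[2231]: 7F3A1C0B: to=<me@mycompany.com>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to 172.16.154.1[172.16.154.1]:25: Connection refused)
Mar  3 10:20:45 nansrv-01 postfix/smtp[2240]: 7F3A1C0B: to=<me@mycompany.com>, relay=172.16.154.1[172.16.154.1]:25, delay=343, delays=343/0.02/0.1/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9B1D2E)
Mar  3 10:21:10 nansrv-01 postfix/smtp[2240]: 8C4B2D1E: to=<nobody@mycompany.com>, relay=172.16.154.1[172.16.154.1]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=5.1.1, status=bounced (host 172.16.154.1[172.16.154.1] said: 550 5.1.1 User unknown)'

# relayhost_of MAIN_CF -> prints the effective relayhost (last definition wins); exit 1 if unset
relayhost_of() {
    val=$(sed -n 's/^[[:space:]]*relayhost[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    [ -n "$val" ] || return 1
    echo "$val"
}

# mail_status MAILLOG RECIPIENT -> prints "<status>: <reason>" for the last delivery attempt;
# exit 0 only when that attempt was "sent", 1 when deferred/bounced, 2 when nothing was logged
mail_status() {
    line=$(grep "to=<$2>" "$1" | tail -n 1)
    [ -n "$line" ] || { echo "no delivery attempt logged for $2"; return 2; }
    state=$(printf '%s\n' "$line" | sed -n 's/.*status=\([a-z]*\).*/\1/p')
    reason=$(printf '%s\n' "$line" | sed -n 's/.*status=[a-z]* (\(.*\))$/\1/p')
    echo "$state: $reason"
    [ "$state" = sent ]
}

# demo -> runs both checks against the constructed samples
demo() {
    cf=$(mktemp); log=$(mktemp)
    printf '%s\n' "$SAMPLE_MAIN_CF" > "$cf"
    printf '%s\n' "$SAMPLE_MAILLOG" > "$log"
    echo "relayhost: $(relayhost_of "$cf" || echo '<unset>')"
    mail_status "$log" me@mycompany.com || echo "  -> test mail not delivered (exit $?)"
    mail_status "$log" nobody@mycompany.com || echo "  -> test mail not delivered (exit $?)"
    rm -f "$cf" "$log"
}

demo
# On the appliance: relayhost_of /etc/postfix/main.cf
#                   mail_status /var/log/maillog me@mycompany.com
```

The recipient is matched on the `to=<...>` field, so the first attempt for me@mycompany.com (deferred while the relay was refusing connections) is superseded by the later successful one; a recipient with only a bounce reports the 550 reason and a non-zero exit.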

Install and configure Nanitor

Let's set up the environment; we need to be root when we run the commands:

sudo bash

Install variables

The Nanitor installer automates a lot of things for us, so we need to set environment variables to configure its behaviour.

Fully Qualified Domain Name (mandatory)

Now we need to configure the fully qualified domain name for the install script. Assume our FQDN will be nansrv-01.nanlab.nanitor.com.

export NANITOR_FULL_HOSTNAME="nansrv-01.nanlab.nanitor.com"

This will put the Nanitor server on https://nansrv-01.nanlab.nanitor.com. Both web browsers and all devices in our network will talk to this address, so it has to stay the same.

Install Nanitor

/usr/lib/nanitor-server/bin/nanitor-server-ctl clean_oem_install

You will be shown the variables and the server URL, and prompted to type yes to continue. Please verify that everything is as you expected and then confirm with yes. The installer writes output details to /root/nanitor_oem_install.out. Keep that file for as long as you need it, as it contains things like the admin password; once you have changed that password there is obviously no need to keep the file.

Activate SSL

When using SSL, the installer generates a CSR at /etc/ssl/local/nanitor.csr. Please upload it to your Certificate Authority and have it signed.

Microsoft Certification Services

Here is an example of how to submit the CSR and get back the required files from a Microsoft Certification Authority. It assumes a template called NanitorWebServer and a CSR called nanitor.csr.

We use the command prompt to do this:

certreq -submit -attrib "CertificateTemplate:NanitorWebServer" nanitor.csr nanitor.cer
certutil -ca.cert ca-chain.cer

You should now have two files, nanitor.cer and ca-chain.cer. Please upload them to the Nanitor server, e.g. into /home/nanadmin/.

Certificate installation

We assume the certificate and the CA certificate files are available at:

  • /home/nanadmin/nanitor.cer
  • /home/nanadmin/ca-chain.cer

We need to install them into the Nanitor server.

/usr/lib/nanitor-server/bin/nanitor-server-ctl cert_process --cert /home/nanadmin/nanitor.cer --ca_cert /home/nanadmin/ca-chain.cer
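As an added example (not Nanitor's own tooling), the shell function below is a pre-flight check worth running before the cert_process command above: it confirms that the certificate returned by the CA was issued for the key behind the installer's CSR, that it chains to the CA certificate you uploaded, and that it is valid for the FQDN set in NANITOR_FULL_HOSTNAME. The function names are this example's own; the file paths in the usage comment are the ones from the guide, and openssl is assumed to be present on the appliance.

```shell
#!/bin/sh
# Added example, not Nanitor's tooling: sanity-check the signed certificate against the CSR
# and the CA chain before handing them to nanitor-server-ctl cert_process.

# pubkey_fingerprint FILE KIND -> SHA-256 of the DER-encoded public key in a CSR (KIND=req)
# or in a certificate (KIND=x509)
pubkey_fingerprint() {
    openssl "$2" -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | sed 's/^.*= *//'
}

# check_cert_bundle CSR CERT CHAIN FQDN -> 0 only if CERT was issued for the key behind CSR,
# chains to CHAIN, and is valid for FQDN; every failing check is reported on stderr
check_cert_bundle() {
    csr=$1; cert=$2; chain=$3; fqdn=$4
    rc=0
    if [ "$(pubkey_fingerprint "$csr" req)" != "$(pubkey_fingerprint "$cert" x509)" ]; then
        echo "FAIL: public key in $cert differs from the one in $csr" >&2; rc=1
    fi
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $chain" >&2; rc=1
    fi
    if ! openssl verify -CAfile "$chain" -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not cover $fqdn" >&2; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cert matches $csr, chains to $chain and covers $fqdn"
    return "$rc"
}

# On the appliance, with the paths from the guide:
#   check_cert_bundle /etc/ssl/local/nanitor.csr /home/nanadmin/nanitor.cer \
#       /home/nanadmin/ca-chain.cer "$NANITOR_FULL_HOSTNAME"
```

The hostname check uses the certificate's subjectAltName (falling back to the CN when no SAN is present), which is also what browsers check, so a failure here predicts the "not trusted" result described later in the guide. If the signing CA is a subordinate rather than the root, ca-chain.cer has to contain the whole chain up to the root for the chain check to pass.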

Start Webserver

Now we are ready to start the webserver.

systemctl enable nginx.service
service nginx start
service nginx restart

The final restart ensures that the web server picks up the new configuration if it was already running before we started the guide.

Admin password

After the installation has run there should be a file /root/nanitor_oem_install.out, created as part of the installation. It includes the email address and password of the administrator user created during the installation process. Please keep this for your records. The email address used in the install is support@nanitor.com.

Configuration

The full server URL is stored in /root/nanitor_oem_install.out. Please visit the URL in your browser. If the site comes up as trusted in your browser, everything has been successful. If not, you may need to debug the SSL certificate or add it to your domain or machine certificate store. We now need to create an organization to finish getting the server up and running.

After logging in with the email support@nanitor.com and the password, you will be asked to create an organization; please fill in the relevant fields and continue. To finish this dialog you will need to contact help@nanitor.com with your Server Installation ID, which is shown in the create organization dialog and also in /root/nanitor_oem_install.out. Once you have received a valid Nanitor license for your organization you can continue.

After finishing the create organization dialog you should be redirected to the organization you just created.

Benchmarks/Agents/Other data

Benchmarks, agents and other data need to be synced with the Nanitor server to ensure the best results.

Automatic sync

Follow this guide to set up automatic sync with the Nanitor customer portal.

Manually

When there is no internet connectivity to the customer portal, the benchmarks and agents can be downloaded from http://packages.nanitor.com/customer-portal/. Benchmarks from Nanitor come as .zip files and need to be imported into the system. Under that URL, benchmarks/ holds the benchmarks and products/ holds the products. To import manually you need to download every file you want imported.

  • Administration -> System Administration -> Benchmarks is where the downloaded benchmarks are uploaded
  • Administration -> System Administration -> Products is where the downloaded products are uploaded

Installation complete

You are now ready to continue to the User Guide.
