Prerequisites and requirements for Multi-Node and High-Availability AgileSec Linux installations, including system requirements, firewall rules, etc.
Requirements
Ensure you meet the following requirements prior to AgileSec installation.
Operating System Requirements
The following Linux operating systems are supported:
-
Officially supported: Red Hat Enterprise Linux (RHEL) 9+
-
Compatible (expected to work): CentOS 9+, Alma Linux 9+
System Requirements
This section provides the minimum requirements for each available Node types. Not every AgileSec cluster configuration will use every Node type. For more information see On-Prem Deployment Topologies .
Resource planning for High Availability scenarios:
Backend Nodes: There must always be an even number of Backend Nodes due to clustering considerations.
Frontend Nodes: Additional Frontend Nodes will not have MongoDB Arbiter, OpenSearch Cluster Manager, or Kafka, therefore they need less CPU cores.
|
Requirements |
Backend (Minimum for Test Cases, Proof of Concepts, etc.) |
Backend (Production) |
Scan Node |
Frontend 1 |
Additional Frontends |
Coordinator (Stretch Clusters only) |
|---|---|---|---|---|---|---|
|
CPU cores |
4 |
8 |
2 |
4 |
2 |
2 |
|
Memory |
32GB |
64GB - small scan volume 128GB - large scan volume |
8GB |
16GB |
16GB |
16GB |
|
Disk space |
50GB |
100GB - small scan volume 200GB+ - large scan volume |
50GB |
50GB |
50GB |
50GB |
Install User Requirements
The installing user must have sudo rights on the nodes in order to use required scripts such as tune.sh.
Networking Requirements
The following ports and firewalls should be configured prior to AgileSec install.
Ports
The following defaults ports are used by various internal components. All ports are configurable.
|
Service |
Default Port |
Traffic Type* |
Node Type |
|---|---|---|---|
|
HA Proxy |
8443 |
External |
Frontend |
|
Web UI |
3000 |
Internal |
Frontend |
|
Web API |
7443 |
Internal |
Frontend |
|
OpenSearch Dashboards |
5443 |
Internal |
Frontend |
|
OpenSearch |
9200/9300 |
Internal |
Frontend and Backend |
|
Ingestion Service |
4443 |
Internal |
Backend |
|
Indexing Service |
12443 |
Internal |
Backend |
|
Analytics Manager Service |
3443 |
Internal |
Backend |
|
Secrets Management Service |
2443 |
Internal |
Backend |
|
Kafka |
9092/9093/9094 |
Internal |
Frontend and Backend |
|
MongoDB |
27017 |
Internal |
Frontend and Backend |
*Traffic Types Notes:
-
External: traffic entering the platform through the load balancer or directly.
-
Internal: service-to-service traffic within the platform nodes.
Firewall Rules
Note: This assumes any intra-node (within VM) traffic is allowed. This does not include platform-egress firewall rules, e.g. outgoing traffic going to github, gitlab resources, etc., as those are dependent on end user scanning preferences.
All traffic is on TCP.
The following firewall rules are needed for multi-node clusters, including those with scan nodes or load balancers when using default ports for services.
Note: If ports have been updated from default, ensure you update firewall rules accordingly.
|
Description |
Source |
Destination |
Ports (Default) |
|
|---|---|---|---|---|
|
1 |
Frontend 1 to each Backend Node |
|
|
|
|
2 |
Backend Node to other Backend Node(s) |
|
|
|
|
3 |
Backend Nodes to Frontend Node 1 |
|
|
|
|
4 |
Additional Frontend Nodes to each Backend Node |
|
|
|
|
5 |
Frontend Node(s) to each other Frontend |
frontend-# |
frontend-# |
|
|
6 |
Scan Node(s) to each Backend Node |
|
|
|
|
7 |
Scan Node(s) to Frontend 1 |
|
|
9092 (Kafka clients) |
|
8 |
Load Balancer to each Frontend Node |
|
|
8443 (HAProxy) |
Coordinator Firewall Considerations:
Coordinator firewall rules are equivalent to Primary Frontend Nodefrontend-1.
Post-Installation Network Considerations for Sensor and Connector Scans:
Platform and API Scans: Node will require egress network access to the environments users want to scan.
Remote Scans: Sensors or Connectors will need ingress network access to the node’s ingestion endpoint for data communication. Running scans remotely does not require egress network connectivity from the node.
See Modules for specific Sensor and Connector information.
Ingestion Endpoint information is provided by the platform at the end of installation. The format is https://<analytics_hostname>.<analytics_domain>:<ingestion service port>. With default values, this is https://agilesec.kf-agilesec.com:8443.
Prepare for Installation
Prepare the following prior to install.
Set up SSH key-based password-less access (backend-1 to all nodes)
Certificates and other configuration files will be generated on backend-1. For easier file transfers between nodes, we recommend setting up SSH key-based password-less access from backend-1 to all other nodes.
Tip: Use consistent file names and directory structures on each node when copying files between machines.
Tip: Use Red Hat’s documentation for SSH key-based password-less access, or generate an SSH key on backend-1 and append the public key to ~/.ssh/authorized_keys or your OS’s equivalent on backend-2 and frontend-1 to build password-less SSH trust.
Prepare Installation Files (all nodes)
Ensure your nodes meet the minimum memory, CPU, and disk requirements then prepare AgileSec installer files on each node.
-
Download the installation zip archive from the Keyfactor download portal and place on all nodes.
-
Extract the zip archive
<installer_package>.zipto your preferred locationinstaller_diron each node:unzip <installer_package>.zip export installer_dir = <installer-directory-location> cd $installer_dir
Note: To install unzip on RHEL, run sudo dnf install unzip.
Use unzip -d $installer_dir <installer_package>.zip to choose an alternate location for AgileSec installer files.
-
Ensure the installation script is executable:
cd $installer_dir chmod +x install_analytics.sh
Create .pass File (all nodes)
Creating a .pass file is required to enable non-interactive installation. When running in non-interactive mode, the install_analytics.sh script reads the AgileSec platform admin password from the .pass file.
By default, password requirements include minimum 14 characters, at least 1 uppercase letter, at least 1 number, and at least 1 special character from `@ ! # $ & ?`.
To create the .pass, follow these instructions on each node:
-
Copy the example file:
cp .pass.example .pass.-
To see all files, including files starting with a
., usels -a
-
-
Edit
.passand setadmin_password. Save the file and exit the editor. -
Set secure permissions:
chmod 600 .pass
Note: .pass should be located in $installer_dir, just like .pass.example.
Configuration Decisions
Ensure stakeholders confirm the following configuration items prior to installation. Ensure your configuration file multi_node_config.conf aligns with these decisions during installation.
External Domain Name
Choose your desired external FQDN. A single external FQDN for AgileSec platform access is required. When assigning configuration variables during installation (instructions in provided guides), the external FQDN will be <analytics_hostname>.<analytics_domain>.
The following format is recommended: agilesec.<external domain>
For example: agilesec.dilithiumbank.com.
Do not update your node server’s /etc/hosts file at this time. The tune.sh script will automatically add the needed lines.
BYOC Only: Certificate Management Prerequisites
If you intend to bring your own certificates (BYOC) from a public CA or enterprise PKI rather than using self-signed installer-generated certificates, review BYOC: Prerequisites. Ensure prerequisites are met and determine all required configuration details for proper certificate management.