Multi-Node Linux Install Prerequisites

Prerequisites and requirements for Multi-Node and High-Availability AgileSec Linux installations, including system requirements, firewall rules, etc.

Requirements

Ensure you meet the following requirements prior to AgileSec installation.

Operating System Requirements

The following Linux operating systems are supported:

  • Officially supported: Red Hat Enterprise Linux (RHEL) 9+

  • Compatible (expected to work): CentOS 9+, Alma Linux 9+

System Requirements

This section provides the minimum requirements for each available Node types. Not every AgileSec cluster configuration will use every Node type. For more information see On-Prem Deployment Topologies .

Resource planning for High Availability scenarios:

Backend Nodes: There must always be an even number of Backend Nodes due to clustering considerations.

Frontend Nodes: Additional Frontend Nodes will not have MongoDB Arbiter, OpenSearch Cluster Manager, or Kafka, therefore they need less CPU cores.

Requirements

Backend (Minimum for Test Cases, Proof of Concepts, etc.)

Backend (Production)

Scan Node

Frontend 1

Additional Frontends

Coordinator

(Stretch Clusters only)

CPU cores

4

8

2

4

2

2

Memory

32GB

64GB - small scan volume 128GB - large scan volume

8GB

16GB

16GB

16GB

Disk space

50GB

100GB - small scan volume 200GB+ - large scan volume

50GB

50GB

50GB

50GB

Install User Requirements

The installing user must have sudo rights on the nodes in order to use required scripts such as tune.sh.

Networking Requirements

The following ports and firewalls should be configured prior to AgileSec install.

Ports

The following defaults ports are used by various internal components. All ports are configurable.

Service

Default Port

Traffic Type*

Node Type

HA Proxy

8443

External

Frontend

Web UI

3000

Internal

Frontend

Web API

7443

Internal

Frontend

OpenSearch Dashboards

5443

Internal

Frontend

OpenSearch

9200/9300

Internal

Frontend and Backend

Ingestion Service

4443

Internal

Backend

Indexing Service

12443

Internal

Backend

Analytics Manager Service

3443

Internal

Backend

Secrets Management Service

2443

Internal

Backend

Kafka

9092/9093/9094

Internal

Frontend and Backend

MongoDB

27017

Internal

Frontend and Backend

*Traffic Types Notes:

  • External: traffic entering the platform through the load balancer or directly.

  • Internal: service-to-service traffic within the platform nodes.

Firewall Rules

Note: This assumes any intra-node (within VM) traffic is allowed. This does not include platform-egress firewall rules, e.g. outgoing traffic going to github, gitlab resources, etc., as those are dependent on end user scanning preferences.

All traffic is on TCP.

The following firewall rules are needed for multi-node clusters, including those with scan nodes or load balancers when using default ports for services.

Note: If ports have been updated from default, ensure you update firewall rules accordingly.

Description

Source

Destination

Ports (Default)

1

Frontend 1 to each Backend Node

frontend-1

backend-#

  • 2443 SM / Secrets Manager

  • 3443 Analytics Manager

  • 6443 (FluentD)

  • 4443 (Ingestion service)

  • 9092 (Kafka clients)

  • 9093 (Kafka inter-broker)

  • 9094 (Kafka KRaft quorum)

  • 9200 (OpenSearch client)

  • 9300 (OpenSearch inter-node)

  • 27017 (MongoDB client & replication)

2

Backend Node to other Backend Node(s)

backend-#

backend-#

  • 2443 (Secrets Manager)

  • 3443 (Analytics Manager)

  • 4443 (Ingestion)

  • 9092 (Kafka clients)

  • 9093 (Kafka inter-broker)

  • 9094 (Kafka KRaft quorum)

  • 9200 (OpenSearch client)

  • 9300 (OpenSearch inter-node)

  • 27017 (MongoDB client & replication)

3

Backend Nodes to Frontend Node 1

backend-#

frontend-1

  • 9092 (Kafka clients)

  • 9093 (Kafka inter-broker)

  • 9094 (Kafka KRaft quorum)

  • 9300 (OpenSearch inter-node)

  • 27017 (MongoDB client & replication)

4

Additional Frontend Nodes to each Backend Node

frontend-2+

backend-#

  • 2443 SM / Secrets Manager

  • 3443 Analytics Manager

  • 6443 (FluentD)

  • 4443 (Ingestion)

  • 9092 (Kafka clients)

  • 9200 (OpenSearch client)

  • 27017 (MongoDB client)

5

Frontend Node(s) to each other Frontend

frontend-#

frontend-#

  • 3000 (Web UI)

  • 7443 (Web API)

  • 5443 (OpenSearch Dashboards)

  • 9092 (Kafka clients)

6

Scan Node(s) to each Backend Node

scan node

backend-#

  • 2443 (Secrets Manager)

  • 4443 (Ingestion)

  • 9092 (Kafka clients)

  • 9200 (OpenSearch inter-node)

  • 27017 (MongoDB client)

7

Scan Node(s) to Frontend 1

scan node

frontend-1

9092 (Kafka clients)

8

Load Balancer to each Frontend Node

loadbalancer

frontend-#

8443 (HAProxy)

Coordinator Firewall Considerations:

Coordinator firewall rules are equivalent to Primary Frontend Nodefrontend-1.

Post-Installation Network Considerations for Sensor and Connector Scans:

Platform and API Scans: Node will require egress network access to the environments users want to scan.

Remote Scans: Sensors or Connectors will need ingress network access to the node’s ingestion endpoint for data communication. Running scans remotely does not require egress network connectivity from the node.

See Modules for specific Sensor and Connector information.

Ingestion Endpoint information is provided by the platform at the end of installation. The format is https://<analytics_hostname>.<analytics_domain>:<ingestion service port>. With default values, this is https://agilesec.kf-agilesec.com:8443.

Prepare for Installation

Prepare the following prior to install.

Set up SSH key-based password-less access (backend-1 to all nodes)

Certificates and other configuration files will be generated on backend-1. For easier file transfers between nodes, we recommend setting up SSH key-based password-less access from backend-1 to all other nodes.

Tip: Use consistent file names and directory structures on each node when copying files between machines.

Tip: Use Red Hat’s documentation for SSH key-based password-less access, or generate an SSH key on backend-1 and append the public key to ~/.ssh/authorized_keys or your OS’s equivalent on backend-2 and frontend-1 to build password-less SSH trust.

Prepare Installation Files (all nodes)

Ensure your nodes meet the minimum memory, CPU, and disk requirements then prepare AgileSec installer files on each node.

  1. Download the installation zip archive from the Keyfactor download portal and place on all nodes.

  2. Extract the zip archive <installer_package>.zip to your preferred location installer_dir on each node:

    unzip <installer_package>.zip
    export installer_dir = <installer-directory-location>
    cd $installer_dir
    

Note: To install unzip on RHEL, run sudo dnf install unzip.

Use unzip -d $installer_dir <installer_package>.zip to choose an alternate location for AgileSec installer files.

  1. Ensure the installation script is executable:

    cd $installer_dir
    chmod +x install_analytics.sh
    

Create .pass File (all nodes)

Creating a .pass file is required to enable non-interactive installation. When running in non-interactive mode, the install_analytics.sh script reads the AgileSec platform admin password from the .pass file.

By default, password requirements include minimum 14 characters, at least 1 uppercase letter, at least 1 number, and at least 1 special character from `@ ! # $ & ?`.

To create the .pass, follow these instructions on each node:

  1. Copy the example file: cp .pass.example .pass .

    1. To see all files, including files starting with a ., use ls -a

  2. Edit .pass and set admin_password. Save the file and exit the editor.

  3. Set secure permissions: chmod 600 .pass

Note: .pass should be located in $installer_dir, just like .pass.example.

Configuration Decisions

Ensure stakeholders confirm the following configuration items prior to installation. Ensure your configuration file multi_node_config.conf aligns with these decisions during installation.

External Domain Name

Choose your desired external FQDN. A single external FQDN for AgileSec platform access is required. When assigning configuration variables during installation (instructions in provided guides), the external FQDN will be <analytics_hostname>.<analytics_domain>.

The following format is recommended: agilesec.<external domain>

For example: agilesec.dilithiumbank.com.

Do not update your node server’s /etc/hosts file at this time. The tune.sh script will automatically add the needed lines.

BYOC Only: Certificate Management Prerequisites

If you intend to bring your own certificates (BYOC) from a public CA or enterprise PKI rather than using self-signed installer-generated certificates, review BYOC: Prerequisites. Ensure prerequisites are met and determine all required configuration details for proper certificate management.