On-Prem Single-Node Installation Guide

This guide describes how to deploy a complete single-node on-premises instance with all platform services on one machine. Single-node installations are suitable for testing, proof-of-concept, and small-scale environments.

The single-node installation steps for v3.5.1 are identical to v3.5.0. If you have previously installed v3.5.0 using this guide, the same steps apply for v3.5.1 with the v3.5.1 installer package.

Overview

The single-node installation sets up all components on a single machine. This is recommended for:

Small deployments with limited data volume
Testing environments
Proof-of-concept

The following services are installed and run on single node:

Services	Description
OpenSearch	Indexes and stores findings data received from sensors.
OpenSearch Dashboards	Self-service tool to perform advanced searches, create custom visualizations, and build tailored reports for findings.
MongoDB	Stores operational and configuration data for the platform.
Kafka	Central communication backbone for the platform. Carries job requests, execution events, raw findings, processed findings, control messages, and system events for asynchronous processing across platform.
Ingestion Service	Always-on ingestion endpoint for receiving data streams from sensors. Publishes data to the Kafka pipeline for further processing.
Manager Service	Always-on service responsible for job lifecycle management and post-scan orchestration.
Scheduler Service	Always-on orchestration service responsible for initiating jobs.
Secrets Management Service	Always-on service responsible for secure key management, token generation and encryption across the platform.
Indexing Service	Always-on service that consumes raw findings events from Kafka, performs schema validation, applies transformations, and indexes them into the OpenSearch Findings Datastore
FluentD	This service is deprecated. It is only used when `v2_sensors` is set to `enabled`. It consumes data from Kafka on legacy topics for v2 sensors backwards compatibility.
Web UI	External web interface for the platform.
Web API	API services for supporting Web UI.
CBOM Exporter	Handles CBOM export jobs.
HAProxy	Internal load balancer and reverse proxy for routing traffic for all services.

Prerequisites

Operating System Requirements

The following Linux operating systems are supported:

Officially supported: Red Hat Enterprise Linux 9+
Compatible (expected to work): CentOS 9+, Alma Linux 9+

System requirements:

Requirements	Minimum
CPU cores	4
Memory	32GB
Disk space	50GB

Ports:

The following defaults ports are used internally by various components. All ports are configurable.

Service	Default Port	External Ingress
HA Proxy	8443	Yes
Web UI	3000	No
Web API	7443	No
OpenSearch Dashboards	5443	No
OpenSearch	9200/9300	No
Ingestion Service	4443	No
Indexing Service	12443	No
Analytics Manager Service	3443	No
Secrets Management Service	2443	No
FluentD (`deprecated`)	6443	No
Scheduler Service	1443	No
Kafka	9092/9093/9094	No
MongoDB	27017	No
CBOM Exporter	11443	No

Note: Firewall rules must allow ingress traffic.

Certificate Requirements

The platform uses mutual TLS (mTLS) for secure authenticated communication between all services and server components.

All required certificates can be generated and self-signed or you can provide your own certificates. See Certificates Management Guide for detailed information and instructions on various options for certificates.

generate_cert.sh generates the following certificates:

Type	Purpose	Files
CA Cert	For self signing certificates generated by `generate_cert.sh` Location: `<installer_dir>/certificates/ca`	`agilesec-rootca-cert.pem` `agilesec-rootca-key.pem` `agilesec-rootca-cert.srl`
External (user facing) certificate	TLS certificate for frontend proxy. This certificate is presented to anyone accessing the AgileSec Platform and is used for all ingress TLS traffic to the platform endpoint. Ideally, it should be issued by a publicly trusted (public) Certificate Authority to ensure browser and client trust. Location: `certificates/<analytics_domain>`	`agilesec-analytics-server-cert.pem` `agilesec-analytics-server-combo-cert-key.pem` `agilesec-analytics-key.pem`
Client Certificates	mTLS client authentication for internal service-to-service communication. Set config setting `use_single_client_cert` to `false` to generate a separate client cert for each service. Location: `<installer_dir>/certificates/<analytics_internal_domain>`	`agilesec-client-keystore.pass` `shared-client-cert.pem` `shared-client-combo-cert-key.pem` `shared-client-key.pem` `shared-client.p12`
Internal server certificates	TLS certificates for all internal services. By default, a single wild card certificate is generated and used by all internal services. Location: `certificates/<analytics_internal_domain>`	`agilesec-internal-server-cert.pem` `agilesec-internal-server-combo-cert-key.pem` `agilesec-internal-server-key.pem`
Admin client certificates	Admin user for OpenSearch and MongoDB post install setup. Only required during installation or post install setup Location: `certificates/<analytics_internal_domain>`	`admin-user-cert.pem` `admin-user-combo-cert-key.pem` `admin-user-key.pem`
SM service keystore	Required by SM service for storing encryption keys. Location: `certificates/<analytics_internal_domain>`	`sm-service.p12` (cert + key) `sm-service-keystore.pass`
IdP certificate	SAML Identity Provider (IdP) signing certificate Location: `certificates/<analytics_internal_domain>`	`idp-cert.pem` `idp-enc-key.pem` `saml.pass` (`idp-enc-key` password) `sm-service-keystore.pass`

Recommendation: run generate_cert.sh to see list of files and locations.

Domain Name Requirements

A single external FQDN for the platform is required. The following format is recommended:

agilesec.<external domain>

For example: agilesec.dilithiumbank.com

Installation Steps

The installation can be performed in two modes: Interactive (default) or Non-Interactive (for automated/CI-CD deployments).

In this version, install_analytics.sh introduces the install sub-command for performing fresh installations:

BASH

./install_analytics.sh install [OPTIONS]

For backward compatibility, running ./install_analytics.sh [OPTIONS] without the install sub-command continues to work as in previous versions. To see all available install options, run ./install_analytics.sh install --help.

Non-Interactive Mode

All key installation scripts support an optional --non-interactive (or -n) flag to skip confirmation prompts, enabling fully automated deployments.

Script	Flag	Behavior
`generate_envs.sh`	`--non-interactive`	Overwrites existing env files without prompting
`generate_certs.sh`	`-n` / `--non-interactive`	Overwrites existing certificate files without prompting
`install_analytics.sh install`	`-n` / `--non-interactive`	Skips all confirmation prompts; requires `.pass` file for admin password
`uninstall.sh`	`-n` / `--non-interactive`	Skips uninstall confirmation prompt

Pre-requisites for Non-Interactive Install

The install_analytics.sh script reads the admin password from a .pass file when running in non-interactive mode. To set this up:

Copy the example file: cp .pass.example .pass
Edit .pass and set admin_password
Set secure permissions: chmod 600 .pass

Step 1: Prepare the Environment

Ensure you have the installer package and your node meet the minimum memory and CPU requirements.

Download the installation zip archive from the Keyfactor download portal.
Extract the zip archive to your preferred install location, i.e. a agilesec-analytics folder.

JAVA

unzip -d <installer_directory> <installer_package>.zip
cd <installer_directory>

Ensure the installation script is executable:

JAVA

cd <installer_directory>
chmod +x install_analytics.sh

Environment configuration is required before starting the installation. A sample configuration file for a single-node installation is available at generate_envs/single_node_config.conf. You can use the default values for all settings. However, it is recommended to review and update the following settings for single-node installations:

Setting	Purpose	Default
`organization_name`	Organization name used by the platform	`Keyfactor`
`analytics_hostname`	Primary external-facing hostname (FQDN host portion) for the platform	`agilesec`
`analytics_domain`	Primary external-facing domain for the platform	`kf-agilesec.com`
`analytics_port`	External-facing port for accessing the platform	`8443`
`server_certificate_subject`	Base Distinguished Name (DN) used to generate server certificates	`OU=Server,O=Keyfactor,ST=Ohio,C=US`
`client_certificate_subject`	Base DN used to generate internal client certificates	`OU=Client,O=Keyfactor,ST=Ohio,C=US`
`v2_sensors`	Enables support for v2 sensors. When enabled, Fluentd (td-agent) is installed alongside the Indexing Service for backward compatibility with v2 sensor data ingestion	`false`

[Optional] Using Port 443 (HTTPS Standard Port)

To run the platform on the standard HTTPS port (443) instead of the default 8443, set analytics_port=443 in generate_envs/single_node_config.conf before running generate_envs.sh. Then proceed with the normal installation steps.

When using port 443, be aware of the following post-install behavior:

Since port 443 is a privileged port (< 1024), HAProxy requires root privileges to bind to it.
./manage.sh start as a regular user will start all services except HAProxy.
HAProxy must be started or restarted with sudo:

BASH

sudo ./manage.sh start haproxy

However, stopping HAProxy does not require sudo:

BASH

./manage.sh stop haproxy

The platform URL simplifies to https://<analytics_hostname>.<analytics_domain> (no port number needed, since 443 is the default HTTPS port).

Generate config file for single-node installation.

JAVA

./generate_envs/generate_envs.sh -t single-node

Tip: Add --non-interactive to skip overwrite prompts.

generate_envs.sh will copy env.single_node file to <installation_directory>/.env

Generate certificates

You can generate and self-sign all required certificates using <installer_directory>/certificates/generate_certs.sh. Alternately, you can use certificates issued by your own CA. For POCs and first-time installations, it is recommended you generate all certificates using generate_certs.sh.

Run the following command to generate and self-sign all required certificates. The .env file is required to generate certificates. By default, the script looks for the .env file under <installation directory>.

This command will populate the required certificate files under the certificates directory:

JAVA

cd certificates/
./generate_certs.sh

Tip: Add --non-interactive (or -n) to skip overwrite prompts. See On-Prem Single-Node Installation Guide.

[Optional] Using your own certificates

If you are using your own certificates, perform following steps:

Copy your CA cert chain to <installation_directory>/certificates/ca
Copy server and client certificates to <installation_directory>/certificates/<analytics_internal_domain> .
Certificate filenames must match those listed under On-Prem Single-Node Installation Guide.

Step 2: Install the Platform

Ensure you have either a DNS entry for <analytics_hostname>.<external domain> (recommended) pointing to your node's IP address or an entry in your /etc/hosts for <analytics_hostname>.<external domain> pointing to your node's IP address.
Make sure settings file <installer_directory>/.env is present.
Run sudo ./scripts/tune.sh -u <username> to update the following:
1. System settings for Sysctl settings. Recommended values are:
  1. vm.max_map_count = 262144
  2. fs.file-max = 65536
2. Security settings in /etc/security/limits.conf for file descriptors and number of threads. These settings are needed by OpenSearch:
  1. <non-root-user> - nofile 65536
  2. <non-root-user> - nproc 65536
  3. <non-root-user> soft memlock unlimited
  4. <non-root-user> hard memlock unlimited
3. /etc/hosts entries:
  1. <private ip> <node 1 hostname>.<analytics_internal_domain>
  2. Note: Only entries for internal nodes are added to /etc/hosts.
4. Install git binary

Alternately, you can perform the above steps manually

(Recommended) Prepare the .pass file to avoid typing the admin password on the console:

BASH

cp .pass.example .pass
# Edit .pass and set admin_password
chmod 600 .pass

Using the .pass file prevents typos that can occur when entering the password interactively (the password is not echoed back on the console).

Run the installation:

BASH

cd <installer_directory>
./install_analytics.sh install -u <user> -p <installation-dir> --non-interactive

Or to run interactively (will prompt for admin password on console):

BASH

./install_analytics.sh install -u <user> -p <installation-dir>

Note 1: The previous functionality of using ./install_analytics.sh -u <user> -p <installation-dir> without the install sub-command is still supported.

Note 2: <installation-dir> is a new, separate directory where the installed files will reside.

To see additional install options, run ./install_analytics.sh install --help.

Example: End-to-End Non-Interactive Single-Node Install

BASH

cd <installer_directory>

# Generate env config
./generate_envs/generate_envs.sh -t single-node --non-interactive

# Generate certificates
cd certificates/
./generate_certs.sh --non-interactive
cd ..

# Prepare .pass file
cp .pass.example .pass
# Edit .pass and set admin_password
chmod 600 .pass

# Run system tuning
sudo ./scripts/tune.sh -u <user>

# Install
./install_analytics.sh install -u <user> -p <installation-dir> --non-interactive -v

Post-Installation Verification

Verify Service Health

Run ./scripts/manage.sh status to check the status of all services. If any service shows Not running, try restarting it. See Managing Services for instructions on starting and restarting services.

You should see following services in Running status:

JAVA

$ ./scripts/manage.sh status
SERVICE                   DESCRIPTION                              STATUS              
------------------------  ---------------------------------------- --------------------
opensearch                OpenSearch Search Engine                 Running (PID: 1450891)
opensearch-dashboards     OpenSearch Dashboards                    Running (PID: 1452817)
indexing                  Indexing Microservice                    Running (PID: 1451400)
haproxy                   HAProxy Load Balancer                    Running (PID: 1451285)
mongodb                   MongoDB Server                           Running (PID: 1451281)
kafka                     Kafka Server                             Running (PID: 1451295)
webui                     Web UI Microservice                      Running (PID: 1451316)
api                       Web API Microservice                     Running (PID: 1452924)
cbom                      CBOM Exporter Microservice               Running (PID: 1453074)
sm                        Security Manager Microservice            Running (PID: 1453083)
analytics-manager         Analytics Manager Microservice           Running (PID: 1451408)
ingestion                 Ingestion Microservice                   Running (PID: 1451419)
scheduler                 Scheduler Microservice                   Running (PID: 1451450)

After installation completes, allow approximately 30 seconds for all services to fully initialize before accessing the UI. Attempting to log in immediately may result in a 503 Service Unavailable error. If this occurs, wait 30 seconds and refresh the page.

Access the Platform UI

To log into the new Web UI, use the URL displayed at the end of the install.

Login URL: https://<analytics_hostname>.<analytics_domain>:<analytics_port>
Username: admin@<analytics_domain>
Password:

For example, using the default settings:

Login URL: https://analytics.kf-agilesec.com:8443
Username: admin@kf-agilesec.com
Password: HelloWorld123456!

You will see a login screen like this:

After logging in, the Overview Dashboard should show 0 across all charts, as shown in the screenshot below:

Run a Smoke Test

Follow these steps to run a quick smoke test and confirm the platform is working:

Step 1: In the Web UI, go to Sensors -> Network Scan.

Step 2: On the network scan page, enter an HTTPS URL to scan (for example: https://www.google.com), then click Scan to start the scan.

Step 3: While the scan is running, you will see a progress screen similar to the following:

Step 4: Once the scan successfully completes, you will see a Network scanned successfully message and the Scan Information tab will contain information about the scan:

Step 5: At this point, the scan has completed and the pipeline is waiting for the policy execution to finish. Policy execution can take up to 45 seconds. Until policies run, all findings will show a Pending status under the Findings tab:

Step 6: Once policies have run, the Score column show a risk score instead of Pending, as shown in the screenshot below:

Step 7: Shortly after policies run successfully, a backend process performs additional analysis on the findings. Once this process completes, you will see Successful statuses as shown in the screenshot below. This confirms the platform is working as expected.

Managing Services

After installation, you can manage services using the unified service manager script at ./scripts/manage.sh.

The manage.sh script provides a centralized way to manage all platform services:

cd /scripts ./manage.sh [action] [options] [services...]

Actions

Action	Description
start	Start services
stop	Stop services
restart	Stop and then start services
reload	Reload service configuration where supported
status	Check status of services
list	List available services
help	Display help message

Options

Option	Description
-d, --debug	Enable debug mode (show service output in console)
-h, --help	Display help message and exit

Available Services

Service	Description
haproxy	HAProxy Load Balancer
opensearch	OpenSearch Search Engine
opensearch-dashboards	OpenSearch Dashboards
mongodb	MongoDB Server
kafka	Kafka Server
indexing	Indexing Microservice
webui	Web UI Microservice
api	Web API Microservice
sm	Security Manager Microservice
analytics-manager	Analytics Manager Microservice
ingestion	Ingestion Microservice
scheduler	Scheduler Microservice

If no specific services are specified, the action will be applied to all installed services.

Usage Examples

To start all services:

JAVA

./manage.sh start

To start only OpenSearch with debug output:

JAVA

./manage.sh start -d opensearch

To start multiple specific services:

JAVA

./manage.sh start opensearch opensearch-dashboards

The script automatically resolves dependencies, starting OpenSearch first (as it's a dependency for other services) before starting any dependent services.

To stop all services:

JAVA

# Stop all installed services
./manage.sh stop

To stop only specific services:

JAVA

./manage.sh stop haproxy indexing

The script stops services in reverse dependency order to ensure a clean shutdown.

To Restart all installed services:

JAVA

# Restart all installed services
./manage.sh restart

To restart only OpenSearch:

JAVA

./manage.sh restart opensearch

To reload configuration:

JAVA

./manage.sh reload haproxy

To list status of all services:

JAVA

./manage.sh status

To check status of specific services:

JAVA

./manage.sh status opensearch indexing

To list all available services:

JAVA

./manage.sh list

Note: If HAProxy is configured to use a privileged port (< 1000), you will need root privileges to start or stop it. The script will display the appropriate command to run with sudo.

Post Installation Configuration

SAML Setup

For detailed instructions on various SSO integration options see Authentication and Access Control documentation.

Only users with the Platform Admin privilege role for the organization can edit the SAML 2.0 configuration. To access the SAML setup page, do the following:

Step 1: Go to Settings -> Authentication Options.

Step 2: Turn on SAML 2.0 Single Sign-On

Step 3: Open Settings for SAML 2.0 Configuration, then configure the SAML settings for your environment. Details for each configurable option are provided in the Configuration Options table below.

Configuration Options

Service Provider Information

Field	Description	Azure AD SSO configuration equivalent field
Organization SAML ID	Organization's unique SAML internal identifier.	N/A
Callback URL	The URL where the IdP should redirect/post to after authentication.	Reply URL (Assertion Consumer Service URL)
SP Entity ID	Service Provider Entity ID	Identifier (Entity ID)

Authorization Settings

Field	Description	Azure AD SSO configuration equivalent field
Assertions Signed	Indicates if SAML assertions should be signed.	SAML Signing Certificate, Signing Option includes "Sign SAML assertion"
Authentication Response Signed	Indicates if the SAML authentication response should be signed.	SAML Signing Certificate, Signing Option includes "Sign SAML response"

Note: Only SHA256 signing algorithm is supported for now.

Identity Provider Configuration

Field	Description	Azure AD SSO configuration equivalent field
IDP Metadata	Raw XML metadata for the Identity Provider.	SAML Certificates / Federation Metadata XML
Metadata URL	URL to fetch the IdP metadata.	SAML Certificates / App Federation Metadata Url

Note: It is Required to select one of the Identity Provider Configuration options.

Custom Attribute Configuration

Field	Description	Azure AD SSO configuration equivalent field
Claim Name	Case-sensitive claim name provided by the SAML IdP used for role mapping.	Attributes & Claims. Recommended to create a Group claim for role mapping.

Role Mapping Configuration

Field	Description	Note
IDP role	Role assigned by IDP	Mapped group claim name's value
ISG role	Mapped AgileSec role to assigned role	AgileSec role you want to assign to that group

Troubleshooting

If you encounter issues during installation or operation:

Installation Issues

Check the console output for specific error messages.
Verify all prerequisites are met.
Ensure all certificate files are correctly placed and have proper permissions and filename.
Check the .env file to make sure following are correct:
- private_ip
- analytics_hostname
- analytics_domain
- analytics_port
- cluster_frontend_node_ips
- cluster_backend_node_ips
Make sure the analytics FQDN <analytics_hostname>.<analytics_domain> is reachable on <analytics_port>.

Service Issues

Check service logs in the <installation_path>/logs directory.
Verify port availability using netstat or ss commands.
Ensure proper certificate permissions and ownership.
Check disk space with df -h.
Verify memory availability with free -h.

Common Errors

Certificate Issues: Ensure all certificate DNs and CNs match specs from certificates requirements section.
Port Conflicts: Verify no other services are using the required ports.
Permission Denied: Check file and directory permissions.
Memory Errors: Verify you have sufficient memory available (minimum 8GB recommended).