Quick Start Single-Node Linux Installation

Quickly deploy a complete single-node instance with all platform services on one machine. Single-node installations are suitable for testing, proof-of-concept, and small-scale environments.

The single-node installation steps for v3.5.1 are identical to v3.5.0. If you have previously installed v3.5.0 using this guide, the same steps apply for v3.5.1 with the v3.5.1 installer package.

Overview

The single-node installation sets up all components (Frontend Node, Backend Nodes, and Scan Node) on a single machine. This configuration is recommended for:

  • Small deployments with limited data volume

  • Testing environments

  • Proof-of-concept


Prerequisites

Operating System Requirements

The following Linux operating systems are supported for the node server:

  • Officially supported: Red Hat Enterprise Linux 9+

  • Compatible (expected to work): CentOS 9+, Alma Linux 9+

System requirements

The node server needs to meet the following minimum requirements:

Requirements

Minimum

CPU cores

4

Memory

32GB

Disk space

50GB

Install User

The installing user must have sudo rights on the node in order to use required scripts such as tune.sh.

Network and Firewall

Review the following network and firewall considerations:

Internal Services: There are no network requirements for internal service traffic as all services are contained on a single node in this configuration.

Post-Installation Network Considerations for Sensor and Connector Scans:

Platform and API Scans: Node will require egress network access to the environments users want to scan.

Remote Scans: Sensors or Connectors will need ingress network access to the node’s ingestion endpoint for data communication. Running scans remotely does not require egress network connectivity from the node.

See Sensors for specific Sensor and Connector information.

Ingestion Endpoint information is provided by the platform at the end of installation. The format is https://<analytics_hostname>.<analytics_domain>:<ingestion service port>. With default values, this is https://agilesec.kf-agilesec.com:8443.

Optional: Provide Your Own Certificate Requirements

The platform uses mutual TLS (mTLS) for secure authenticated communication between all services and server components.

All required certificates can be generated and self-signed, or you can provide your own certificates.

If you intend to bring your own certificates (BYOC) from a public CA or enterprise PKI rather than using self-signed installer-generated certificates, review BYOC: Prerequisites. Ensure prerequisites are met and determine all required install configuration details for proper certificate management.

External Domain Name Requirements

A single external FQDN for AgileSec platform access is required. When assigning configuration variables during installation instructions in provided guides, the external FQDN will be <analytics_hostname>.<analytics_domain>.

The following format is recommended: agilesec.<external domain>

For example: agilesec.dilithiumbank.com.

Do not update your node server’s /etc/hosts file at this time. The tune.sh script will automatically add the needed lines.

Prepare Installation Files

Ensure your node meets the minimum memory, CPU, and disk requirements.

  1. Download the installation zip archive from the Keyfactor download portal to the node server.

  2. Extract the zip archive <installer_package>.zip to your preferred install location installer_dir:

    unzip -d $installer_dir <installer_package>.zip
    cd $installer_dir
    

    Note: To install unzip on RHEL, run sudo dnf install unzip.

  3. Ensure the installation script is executable:

    Java
    cd $installer_dir
    chmod +x install_analytics.sh
    

Create a .pass Password file

It is highly recommended users create a .pass file for non-interactive mode. When running in non-interactive mode, the install_analytics.sh script reads the admin password from a .pass file.

By default, password requirements include minimum 14 characters, at least 1 uppercase letter, at least 1 number, and at least 1 special character from `@ ! # $ & ?`.

  1. Copy the example file: cp .pass.example .pass .

    1. To see all files, including files starting with a ., use ls -a

  2. Edit .pass and set admin_password. Save the file and exit the editor.

  3. Set secure permissions: chmod 600 .pass

Note: .pass should be located in installer_directory.


Installation Overview

The installation can be performed in two modes: Interactive (default) or Non-Interactive (for automated/CI-CD deployments).

Non-Interactive Mode

All key installation scripts support an optional --non-interactive (or -n) flag to skip confirmation prompts, enabling fully automated deployments.

Script

Non-Interactive Flag

Behavior

generate_envs.sh

--non-interactive

Overwrites existing env files without prompting.

generate_certs.sh

-n / --non-interactive

Overwrites existing certificate files without prompting.

install_analytics.sh install

-n / --non-interactive

Skips all confirmation prompts; overwrites existing files in agilesec_install_dir without prompting; requires .pass file for admin password.

uninstall.sh

-n / --non-interactive

Skips uninstall confirmation prompt.


Step 1: Prepare the Environment

Ensure you have the installer package and your node meets the minimum memory and CPU requirements.

Update Single-Node Configuration

Environment configuration is required before starting the installation. A configuration file with default values for a single-node installation is available at generate_envs/single_node_config.conf. This file will be used by generate_envs.sh.

You may use the default values for all settings. However, it is recommended to review and update the following settings for single-node installations:

single_node_config.conf Setting

Purpose

Default

organization_name

Organization name used by the platform

Keyfactor

analytics_hostname

Primary external-facing hostname (FQDN host portion) for the platform.

agilesec

analytics_domain

Primary external-facing domain for the platform. analytics_domain may include a subdomain.

kf-agilesec.com

org_domain

Domain name for creating org to map to indexes in OpenSearch.

Note: The default admin username will be admin@org_domain after installation. There is no expectation for users to be able to receive communication to this email.

The default admin user is a Platform Admin, the highest permissioned role. Post-installation, Platform Admins may reset passwords, add additional users, set up SSO logins via UI, and more.

Note: OpenSearch does not support subdomains. If analytics_domain includes a subdomain, org_domain should be updated to follow the format domain.tld.

Equal to analytics_domain:

${analytics_domain}


analytics_port

External-facing port for accessing the platform.

8443

server_certificate_subject

Base Distinguished Name (DN) used to generate server certificates.

OU=Server,O=Keyfactor,ST=Ohio,C=US

client_certificate_subject

Base DN used to generate internal client certificates.

OU=Client,O=Keyfactor,ST=Ohio,C=US

v2_sensors

Enables support for v2 sensors. When enabled, Fluentd (td-agent) is installed alongside the Indexing Service for backward compatibility with v2 sensor data ingestion.

disabled

analytics_internal_domain

Internal domain used for internal node communication and certificate file folder name when generating certificates.

kf-agilesec.internal

[Optional] Using Port 443 (HTTPS Standard Port)

To run the platform on the standard HTTPS port (443) instead of the default 8443, set analytics_port=443 in generate_envs/single_node_config.conf before running generate_envs.sh. Then proceed with the normal installation steps.

When using port 443, be aware of the following post-install behavior:

  • Since port 443 is a privileged port (< 1024), HAProxy requires root privileges to bind to it.

  • ./manage.sh start as a regular user will start all services except HAProxy.

  • Post-installation, HAProxy must be started or restarted with sudo in agilesec_install_dir:

Bash
cd $agilesec_install_dir
sudo ./scripts/manage.sh start haproxy
  • However, stopping HAProxy does not require sudo:

Bash
cd $agilesec_install_dir
./scripts/manage.sh stop haproxy
  • The platform URL simplifies to https://<analytics_hostname>.<analytics_domain> (no port number needed, since 443 is the default HTTPS port).

Generate Configuration File for Single-Node Installation

Run the following command:

cd $installer_dir
./generate_envs/generate_envs.sh -t single-node

generate_envs.sh will copy $installer_dir/generate_envs/generated_envs/env.backend-1env.single_node to $installer_dir/.env.

The script has the following additional option flags available. Installation options can also be found by running ./generate_envs/generate_envs.sh --help.

generate_envs.sh short flag

Required

Description

-t <installation type>

Yes

Specify installation type: single-node or multi-node.

-n

No

Multi-node installs only: specify a specific node to generate.

-c <path>

No

Path to a previous, older config file for upgrade. Merges customer values from old config into new template.

--non-interactive

No

Non-interactive mode: no prompts, overwrite files.

Setup Certificates

Either generate and self-sign all required certificates using generate_certs.sh, or use certificates issued by your own CA. For POCs and first-time installations, it is recommended you use installer-generated certificates.

Run the following command to generate and self-sign all required certificates:

cd $installer_dir/certificates/
./generate_certs.sh
cd ..

This command will populate the required certificate files under the certificates directory.

Note: The .env config file is required to generate certificates. By default, the script looks for the .env file under <installation directory>.

For additional Certificate Management options and details, including using your own certificates, see On-Prem Certificates Management Guide.

External Browser FQDN Access Setup

Ensure external computer(s) where you will be accessing the AgileSec Platform UI from have at least one of the following for browser access:

  1. Recommended for general multi-computer access: A DNS entry for <analytics_hostname>.<analytics_domain> pointing to the node’s IP address.

  2. For quick proof of concept, test cases, or single computer access: An entry in your /etc/hosts for <analytics_hostname>.<analytics_domain> pointing to the node’s IP address.

Create a .pass Password file

It is highly recommended users create a .pass file for non-interactive mode. When running in non-interactive mode, the install_analytics.sh script reads the admin password from a .pass file. To set this up:

  1. Copy the example file: cp .pass.example .pass .

    1. To see all files, including files starting with a ., use ls -a

  2. Edit .pass and set admin_password. Save the file and exit the editor.

  3. Set secure permissions: chmod 600 .pass

The .pass file should be located in the installer_dir top level.


Step 2: Install the Platform

Check Environment Setup

Make sure settings file $installer_dir/.env is present.

Tip: Use ls -a to see files beginning with a .

Run tune.sh Script

cd $installer_dir
sudo ./scripts/tune.sh -u <username>

tune.sh updates the following:

  1. System settings for Sysctl settings. Recommended values are:

    1. vm.max_map_count = 262144

    2. fs.file-max = 65536

  2. Security settings in /etc/security/limits.conf for file descriptors and number of threads. These settings are needed by OpenSearch:

    1. <non-root-user> - nofile 65536

    2. <non-root-user> - nproc 65536

    3. <non-root-user> soft memlock unlimited

    4. <non-root-user> hard memlock unlimited

  3. Adds /etc/hosts entries on node server to support internal and/or external communication.

    1. Note: Only entries with private IP addresses for internal nodes are added to /etc/hosts by tune.sh

  4. Installs internal CA chain into the node trust stores used by AgileSec components.

  5. Install git binary

Alternately, you can perform the above steps manually.

The script has the following additional option flags available. Installation options can also be found by running sudo ./tune.sh --help.

tune.sh short flag

Required

Description

-u <username>

Yes

Username to apply system tunings for.

-r <role>

No

Multi-node installation only. Specifies the node role. scan is the only currently supported role.

-e <path>

No

Path to .env file. Defaults to $installer_dir/.env

Run Installation Script

Note about install script backwards compatibility:

For fresh installations in versions 3.5.0+, use the install sub-command for performing fresh installations with install_analytics.sh:

Bash
./install_analytics.sh install [OPTIONS]

For backwards compatibility, running ./install_analytics.sh [OPTIONS] without the install sub-command continues to work as in previous versions.

install_analytics install installs the software for the AgileSec node.

To run interactively (will prompt for admin password on console):

Bash
./install_analytics.sh install -u <user> -p $agilesec_install_dir

To run non-interactively (will use .pass file for password):

Bash
cd $installer_dir
./install_analytics.sh install -u <user> -p $agilesec_install_dir --non-interactive

Note: $agilesec_install_dir is a new, separate directory where AgileSec is installed to.

If any required parameters are omitted, the script will prompt you to enter them interactively.

The script has the following option flags available. Installation options can also be found by running ./install_analytics.sh install --help.

install_analytics.sh install short flag

Required

Description

-u <username>

Yes

Specify the username to run processes as

-p <path>

Yes

Specify the installation path agilesec_install_dir. The script will create directory if it does not already exist.

-g <groupname>

No

Specify the group name to run processes as. Defaults to username.

-r <role>

No

Multi-node installation only. Specifies the node role. scan is the only currently supported role.

-n

No

Non-interactive mode: no prompts, overwrite files.

-v

No

Verbose mode: Enables verbose debug output.

URL and Login Info

After successful installation, the installer will output an install summary with login URLs and login info. This information can also be found in $installer_dir/INSTALL_SUMMARY.txt.

Web UI information example:

  • Login URL: https://<analytics_hostname>.<analytics_domain>:<analytics_port>

  • Username: admin@<org_domain>

  • Password: <the admin password you entered at the beginning of install>

Example: End-to-End Non-Interactive Single-Node Install

Bash
cd $installer_dir

# Generate env config
./generate_envs/generate_envs.sh -t single-node --non-interactive

# Generate certificates
cd certificates/
./generate_certs.sh --non-interactive
cd ..

# Prepare .pass file
cp .pass.example .pass
# Edit .pass and set admin_password
chmod 600 .pass

# Run system tuning
sudo ./scripts/tune.sh -u <user>

# Install
./install_analytics.sh install -u <user> -p $agilesec_install_dir --non-interactive

After installation, the following scripts can be used from agilesec_install_dir/scripts:

  • manage.sh: Manage services. See Managing Services for details.

  • uninstall.sh: Uninstalls the AgileSec platform. cleans up ports, cron, /etc/hosts, installation directory, etc.

  • startup.sh: Enables auto-start after reboot.

  • health_check.sh: Checks services and attempts to start any with “Not running” status.


Post-Installation Verification

Verify Service Health

From agilesec_install_dir, run ./scripts/manage.sh status to check the status of all services. If any service shows Not running, try restarting it. See Managing Services for instructions on starting and restarting services.

The following services should have Running status:

Java
$ ./scripts/manage.sh status
SERVICE                   DESCRIPTION                              STATUS              
------------------------  ---------------------------------------- --------------------
opensearch                OpenSearch Search Engine                 Running (PID: 1450891)
opensearch-dashboards     OpenSearch Dashboards                    Running (PID: 1452817)
indexing                  Indexing Microservice                    Running (PID: 1451400)
haproxy                   HAProxy Load Balancer                    Running (PID: 1451285)
mongodb                   MongoDB Server                           Running (PID: 1451281)
kafka                     Kafka Server                             Running (PID: 1451295)
webui                     Web UI Microservice                      Running (PID: 1451316)
api                       Web API Microservice                     Running (PID: 1452924)
cbom                      CBOM Exporter Microservice               Running (PID: 1453074)
sm                        Security Manager Microservice            Running (PID: 1453083)
analytics-manager         Analytics Manager Microservice           Running (PID: 1451408)
ingestion                 Ingestion Microservice                   Running (PID: 1451419)
scheduler                 Scheduler Microservice                   Running (PID: 1451450)

*Note: If v2_sensors is enabled in the .conf prior to install, you should also see td-agent Fluentd Data Collector service running.

After installation completes, allow approximately 30 seconds for all services to fully initialize before accessing the UI. Attempting to log in immediately may result in a 503 Service Unavailable error. If this occurs, wait 30 seconds and refresh the page.

Access the Platform UI

To log into the new Web UI, use the URL displayed at the end of the install or in $installer_dir/INSTALL_SUMMARY.txt:

For example, using the default settings:

  • Login URL: https://agilesec.kf-agilesec.com:8443

  • Username: admin@kf-agilesec.com

  • Password: HelloWorld123456!

You will see a login screen like this:

login-screen.png

After logging in, the Overview Dashboard should show 0 across all charts, as shown in the screenshot below:

overview-dashboard-empty.png