Synergy Server Installation Guide

Prerequisites 

A VM or server with the following specifications:

• 8 x CPU cores (x86_64 processor with speed of 2.2 GHz or more). The CPU must support the instructions SSE4.1 SSE4.2 AVX AVX2 FMA

• 32GB RAM

• 500GB Free SSD disk. K3s will be installed in /var/lib/rancher so space should be allocated there. We also need 10-20 GB free space at / and /var.

• Ubuntu 20.04 LTS Server OS is recommended. RHEL 8.6, 8.7, 8.8, & 9.2, and Suse Linux 15.3 are also supported but may need extra configuration.

• Port 443/TCP open

• Outbound internet access to download application artefacts. 100 Mbps download speed recommended

• Domain Name Service (DNS) with public name resolution enabled

• Network Time Protocol (NTP)

• Software Update Service - access to a network-based repository for software update packages.

• Fixed private IPv4 address

• Unique static hostname

Installation

From the command line of your chosen server, apply the following commands as root.

This command instals K3s as well as checks the prerequisites:

curl -sfL https://assets.master.k3s.getvisibility.com/k3s/k3s.sh | INSTALL_K3S_VERSION="v1.26.10+k3s1" K3S_KUBECONFIG_MODE="644" sh -s - server --node-name=local-01

Once complete, copy the cURL command you received when registering the deal. It will look something like this:

read -p "Please type your email address: " user_email && kubectl apply -f https://rancher.forcepointemea.k3s.getvisibility.com/v3/import/8wc8b6dnb9xvlh7grcrjpdwh55ncst2s9fqm96kt8zhc2k2stm7vck_c-m-6skspsgh.yaml && curl -k --location "https://customer-management.master.k3s.getvisibility.com/v1/updateClusterState/40093321-a4e2-4fe2-9493-36dc4b2ba7ab?email=$user_email"

⚠️ Make sure to enter your email address to correctly install the platform and register with our customer service.

For security reasons the registration command can be used only a single time, the command becomes invalid after the first use. In case you need to run it again you must contact the support team for a new registration command.

To monitor the progress of the installation enter the following command: 

watch -c "kubectl get deployments -A" 

The K3s deployment is complete when elements of all the deployments (coredns, local-path-provisioner, metrics-server, traefik and cattle-cluster-agent) show at least "1" as "AVAILABLE"

In case of errors you can inspect the logs of a pod using  kubectl logs , e.g. 

kubectl logs cattle-cluster-agent-d96d648d8-wjvl9 -n cattle-system

When installation is complete go to the rancher site associated with your region.

Rancher

The region and cluster name can be found in the registration email that was sent to you when you registered the deal.

Go to your regional Rancher dashboard and wait for the new cluster to become Active. 

Open

Once Active elect the cluster name and go to Apps > Charts and install the GetVisibility Essentials and  GetVisibility Monitoring Helm charts:

Open

Use default values for both installation

Go to the global (burger) menu Continuous Delivery > Clusters and click on Edit config (three dots) for the cluster you are using:

Add 2 labels  product=synergy environment=prod and press Save.

The cluster is now set up and you can move onto user configuration.

Keycloak

Keycloak is an open-source product that allows Single Sign-On (SSO) and enables Identity and Access Management integration to allow for a quick, safe, and secure integration of authentication within modern applications.

When a cluster is generated via the Getvisibility reseller dashboard, it creates a Keycloak instance within the cluster for managing authentication.

When this cluster is created, a default Keycloak Realm configuration is loaded, and only a few installation steps are required.

This document describes the remaining installation steps required to complete the Keycloak installation setup.

Below are the steps involved in configuring Keycloak, and you may choose to skip the Optional steps based on your preferences:

Logging into Keycloak admin panel

The Keycloak admin URL will consist of the following components:

• The domain that has been configured for your reseller to access the application (E.g. example.com or 10.10.121.127)

• The service path (E.g. auth for Keycloak)

• The keycloak admin path /admin/master/console

An example of the above might look something like this:

https://my-dashboard.com/auth/admin/master/console

Once you have entered the correct address for your cluster Keycloak instance following the above guidelines, you should be able to log in to the Keycloak admin dashboard using the following details:

Username: admin

Password: admin

The access protocol should always be https.

The domain in the example above (e.g. example.com ) might not be applicable if a domain is not configured, in which case you would need to use the server IP address (e.g. 10.10.121.127).

Once logged into the portal, there are a few steps to complete to configure Keycloak.

Completing the Realm Configuration

In Keycloak, a Realm is a top-level authentication domain that contains an isolated authentication configuration.

A good way to imagine this is that each Keycloak Realm might represent a different environment.

We need to have a Realm for managing our cluster authentication, please follow the steps below to do this:

Make sure that the gv realm is selected in the top left, not master.

Click on the left-side menu item Realm settings.

This will load the Gv Realm Settings → General tab, enter your desired user-friendly reseller name into both the Display name and HTML Display name fields.

Click the Save button to commit these changes to the Realm Settings.

⚠️ Do not change the content of Realm ID field, it has to be gv.

Completing the Dashboard Client Configuration

Click on the Clients menu item on the left-side menu, this should load a list of authentication clients.

Click on the name link of the item labelled dashboard to navigate to its client configuration page.

Update the Valid Redirect URIs to include the URL you have configured for the Dashboard UI. This will allow Keycloak to redirect back to your Dashboard UI after authenticating.

Update the Web Origins to include the URL you have configured for the Dashboard UI. This will allow CORS endpoint calls to Keycloak from the Dashboard UI.

Open the dropdown for Login Theme and select the theme created for your reseller (E.g. my-reseller-theme).

Clear the Front-channel logout URL field’s content. This way, instead of the “you are getting logged out” screen, you’ll get straight to the login page upon logout.
Alternatively, you can you can enter the Front-channel logout URL in the following format: https://my-dashboard.com/auth/realms/gv/protocol/openid-connect/logout.

Click the Save button at the bottom of the screen.

(Required for Synergy/Enterprise) Setting up a default Agent user

This step is important and required for the agent to work correctly. This user is only used internally by agents on endpoints to authenticate with the server. This user cannot be used to log in to the dashboard. For dashboard login, you must create your user in the gv realm.

Make sure it’s still the gv realm selected in the top left, not master.

Click on the Users menu item on the left-side menu, this should load the (empty) Users list.

Click the Add user button at the top to open the Add user screen.

It’s only necessary to complete two fields on this form; The Username field should contain agent, and the Email field should contain agent@gv.com

Click the Create button at the bottom of the screen.

(Optional) Completing the Agent Client Configuration

Click on the Clients menu item on the left-side menu, this should load a list of authentication clients.

Click on the name link of the item labelle agent to navigate to its client configuration page.

Update the Valid Redirect URIs value (default is https://localhost:80) to a secure address you know is not vulnerable or exposed.
This is a required field and requires at least one value, so while we have set it to a temporary value, it’s encouraged to change this to something internal.

Click the Save button at the bottom of the screen.

Creating a user to access the Getvisibility dashboard

⚠️ By default, there are no users in the gv realm, meaning that nobody can access the dashboard to view agent activity, use analytics, run scans or create reports.

⚠️ Users must either be created manually as described below, or imported, e.g. via LDAP user federation.

ℹ️ Users created in the gv realm will have full administrative access to the GetVisibility web console.

RBAC implementation for granular management of dashboard user permissions is on our roadmap.

Make sure that it’s still the gv realm selected in the top left, not master:

Click on the Users menu item on the left-side menu, this should load the (empty) Users list.

Click the Add user button at the top to open the Add user screen.

There is only one mandatory field here; The Username field should contain your desired username, e.g. admin.

Click Create. You will automatically get redirected to the User Details page of the user you just created.

Here, click Set password.

Next, choose a strong password for the user. Leave the “Temporary” option on if you want the user to change their password on the first login.

Click Save.

Navigate to the /ui endpoint of the IP of the server or the domain if you configured any. E.g. https://my-dashboard.com/ui or https://10.10.121.127/ui

Confirm that the credentials are working as expected.