Skip to content

CAP High Availability Installation

Prerequisites

Infrastructure

  • RHEL 7 VMs for CAP processes (web and worker).
    • Optional: Certificate and private key for internal TLS.
  • Load balancer to distribute traffic across CAP web VMs.
    • URLs of the CAP web VMs.
    • Optional: CA certificate to authenticate the CAP web VMs with TLS.
  • Redis 5+
    • URL (containing credentials) to connect to the service.
  • PostgreSQL 12+
    • URL (containing credentials) to connect to the database.
    • Optional: CA certificate to authenticate the server with TLS.
  • Object Storage (S3-compatible)
    • URL to connect to the object storage service.
    • Bucket name.
    • Credentials (Access key ID and secret access key).
    • Optional: CA certificate to authenticate the server with TLS.
    • Known compatible implementations: AWS S3, MinIO, NetApp StorageGRID.

Software packages

The following files are needed (where <version> is your version of CAP, which must be the same for all packages to be installed):

  • analyzer.cs-license (if you need to install or renew the license)
  • cryptosense-analyzer-web-<version>.rpm
  • cryptosense-analyzer-worker-<version>.rpm

Installation or upgrade

  • If necessary, make a backup of the database and object storage service.
  • Disable HTTP access to the CAP web processes (e.g. maintenance mode) and wait for worker processes to be idle.
  • Install the CAP web and CAP worker packages on every VM:
    • For web VMs: yum install cryptosense-analyzer-web-<version>.rpm
    • For worker VMs: yum install cryptosense-analyzer-worker-<version>.rpm
  • If necessary, create or update the configuration files (see next section).
  • Choose any of the VMs that were just setup and connect to it.
    • If this is a new installation of CAP, run cs db init
    • Otherwise, run cs db migrate
  • Restart all the CAP workers and web clients by running cs restart on each VM.
  • Re-enable access HTTP access to the CAP web processes.

Configuration

On each CAP VM, the configuration is stored at /etc/cryptosense-analyzer/config.

Each CAP VM must have the same configuration, with the following parameters:

  • REDIS_URL: URL of the Redis service. Use rediss://<hostname> if the Redis connection is secured by TLS, or redis://<hostname> otherwise. Currently, no custom server certificate path can be specified.
  • DATABASE_URL: URL of the database, including credentials. See dedicated section for further details.
  • S3_ENDPOINT: URL of the object storage service.
  • S3_TRACE_AWS_ACCESS_KEY_ID: Access key ID used by CAP. Note: this doesn't have to refer to a key in AWS, other providers are supported.
  • S3_TRACE_AWS_SECRET_ACCESS_KEY: Secret access key used by CAP. Note: this doesn't have to refer to a key in AWS, other providers are supported.
  • S3_TRACE_BUCKET: Name of the bucket for CAP to use.
  • SECRET_KEY: Secret key used to sign and authenticate session cookies.
    • Suggestion: generate 32 bytes and use their hex-encoding as the key (with Python 3, you could use python -c 'import secrets; print(secrets.token_hex(nbytes=32)) to get a new key).
    • Key rotation: overwrite the configured key and restart web processes on all VMs (cs restart). This will invalidate all current sessions.

Configure Database Connection

The database connection is configured using a single URL containing all the different parameters required for a secure connection. The format should be the following:

postgres://<username>:<password>@<host>/<database-name>?<parameter1>=<value1>&<parameter2>=<value2>&<...>

Adding parameters is optional. The following parameters are supported:

  • sslmode : Define the level of SSL verification. The following values are supported:
    • disable : No SSL
    • prefer : Try to establish a SSL connection, but if it fails, fall back to unsecured connections (default).
    • require : Require SSL, but don’t verify certificates.
    • verify-ca : Require SSL and verify the certificate.
  • sslcert : Path to the client certificate.
  • sslkey : Path to the file containing the key used with the client certificate.
  • sslrootcert : Path to the file containing the Certificate Authority used by the server.

License activation

  • Upload the provided analyzer.cs-license file to /etc/cryptosense-analyzer/analyzer.cs-license on one of the CAP VMs.
  • Run cs license synchronize on that VM.

If no error was reported, your new license is now in effect. You can confirm that in the CAP web GUI by checking the date on the trace upload page of any project you have access to.