CAP High Availability Installation
Prerequisites
Infrastructure
- RHEL 7 VMs for CAP processes (web and worker).
  - Optional: certificate and private key for internal TLS.
- Load balancer to distribute traffic across the CAP web VMs.
  - URLs of the CAP web VMs.
  - Optional: CA certificate to authenticate the CAP web VMs with TLS.
- Redis 5+
  - URL (containing credentials) to connect to the service.
- PostgreSQL 12+
  - URL (containing credentials) to connect to the database.
  - Optional: CA certificate to authenticate the server with TLS.
- Object storage (S3-compatible)
  - URL to connect to the object storage service.
  - Bucket name.
  - Credentials (access key ID and secret access key).
  - Optional: CA certificate to authenticate the server with TLS.
  - Known compatible implementations: AWS S3, MinIO, NetApp StorageGRID.
Software packages
The following files are needed (where <version> is your version of CAP, which must be the same for all packages to be installed):
- analyzer.cs-license (if you need to install or renew the license)
- cryptosense-analyzer-web-<version>.rpm
- cryptosense-analyzer-worker-<version>.rpm
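The requirement that every package carry the same <version> is easy to get wrong when the files are copied to several VMs by hand. The following added example (not a script shipped with CAP) extracts the version from the package file names given above and refuses to proceed when the web and worker packages differ. The file names in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not a CAP script: refuse to install when the web and worker
# package files do not carry the same <version>. The file name pattern is the
# one given above; the package names used in the usage line are constructed.
set -eu

pkg_version() {
    # cryptosense-analyzer-web-<version>.rpm -> <version>
    name=$(basename "$1" .rpm)
    ver=${name#cryptosense-analyzer-web-}
    ver=${ver#cryptosense-analyzer-worker-}
    if [ "$ver" = "$name" ]; then
        echo "not a CAP package: $1" >&2
        return 1
    fi
    printf '%s\n' "$ver"
}

same_version() {
    # Succeeds only if every given package resolves to one version string.
    first=$(pkg_version "$1")
    for f in "$@"; do
        [ "$(pkg_version "$f")" = "$first" ] || return 1
    done
}

# Usage: sh check-versions.sh cryptosense-analyzer-web-<version>.rpm cryptosense-analyzer-worker-<version>.rpm
if [ "$#" -ge 2 ]; then
    if same_version "$@"; then
        echo "all packages are version $(pkg_version "$1")"
    else
        echo "package versions differ; aborting install" >&2
        exit 1
    fi
fi
```

Run it against the package files before the yum install step on each VM; a non-zero exit means the set of files is inconsistent.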
Installation or upgrade
- If necessary, make a backup of the database and of the object storage service.
- Disable HTTP access to the CAP web processes (e.g. maintenance mode) and wait for the worker processes to be idle.
- Install the CAP web and CAP worker packages on every VM:
  - For web VMs:
    yum install cryptosense-analyzer-web-<version>.rpm
  - For worker VMs:
    yum install cryptosense-analyzer-worker-<version>.rpm
- If necessary, create or update the configuration files (see next section).
- Choose any of the VMs that were just set up and connect to it.
  - If this is a new installation of CAP, run
    cs database init
  - Otherwise, run
    cs database migrate
- Restart all the CAP worker and web processes by running
  cs restart
  on each VM.
- Re-enable HTTP access to the CAP web processes.
Configuration
On each CAP VM, the configuration is stored at /etc/cryptosense-analyzer/config.
Each CAP VM must have the same configuration, with the following parameters. Since this file holds the database and object storage credentials and the session signing key, keep it readable only by the account the CAP processes run as.
REDIS_URL
: URL of the Redis service. Use rediss://<hostname> if the Redis connection is secured by TLS, or redis://<hostname> otherwise. Currently, no custom server certificate path can be specified.
DATABASE_URL
: URL of the database, including credentials. See the Configure Database Connection section below for further details.
S3_ENDPOINT
: URL of the object storage service.
S3_TRACE_AWS_ACCESS_KEY_ID
: Access key ID used by CAP. Note: this does not have to refer to a key in AWS; other providers are supported.
S3_TRACE_AWS_SECRET_ACCESS_KEY
: Secret access key used by CAP. Note: this does not have to refer to a key in AWS; other providers are supported.
S3_TRACE_BUCKET
: Name of the bucket for CAP to use.
SECRET_KEY
: Secret key used to sign and authenticate session cookies.
  - Suggestion: generate 32 random bytes and use their hex encoding as the key. With Python 3, you could run
    python -c 'import secrets; print(secrets.token_hex(nbytes=32))'
    to get a new key.
  - Key rotation: overwrite the configured key on every VM and restart the web processes on all VMs (cs restart). This will invalidate all current sessions.
Configure Database Connection
The database connection is configured using a single URL containing all the parameters required for a secure connection. The format is the following:
postgres://<username>:<password>@<host>/<database-name>?<parameter1>=<value1>&<parameter2>=<value2>&<...>
Adding parameters is optional. Any character of <username> or <password> that has a meaning in the URL (such as @, :, / or ?) must be percent-encoded, otherwise the URL is split at the wrong place. The following parameters are supported:
sslmode
: Defines the level of SSL verification. The following values are supported:
  disable
  : No SSL.
  prefer
  : Try to establish an SSL connection, but fall back to an unencrypted connection if it fails (default).
  require
  : Require SSL, but do not verify certificates.
  verify-ca
  : Require SSL and verify that the server certificate chains to the configured CA (see sslrootcert).
  Only verify-ca protects the connection against an active attacker on the network: with the default prefer, a failed SSL handshake silently downgrades to plaintext, and require accepts any certificate. For a production deployment, set sslmode=verify-ca together with sslrootcert. Note that verify-ca checks the certificate chain but not that the hostname in the URL matches the certificate, so the configured CA should be one that only issues certificates to your database servers.
sslcert
: Path to the client certificate.
sslkey
: Path to the file containing the private key used with the client certificate.
sslrootcert
: Path to the file containing the CA certificate that issued the server certificate.
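The Configuration section above and this one describe DATABASE_URL, REDIS_URL and SECRET_KEY in prose. The following added example (not code from CAP or Cryptosense) shows how to assemble a DATABASE_URL whose password contains URL delimiters, how to check a configured URL against the sslmode values listed above, and how to produce a SECRET_KEY in the suggested format. Every hostname, path and password in it is constructed, the helper names are this example's own, and the lint treats only the four sslmode values documented above as known.

```python
"""Assemble and sanity-check the CAP connection settings described above.

Added example, not part of the CAP packages: the parameter names
(DATABASE_URL, REDIS_URL, SECRET_KEY) and the sslmode values come from the
page; every hostname, path and password below is constructed, and the
helper names are this example's own.
"""
import secrets
from urllib.parse import parse_qs, quote, unquote, urlsplit

# sslmode values the page lists, weakest first.
SSLMODE_ORDER = ("disable", "prefer", "require", "verify-ca")


def build_database_url(user, password, host, database, **params):
    """Build postgres://user:password@host/database?k=v with safe credentials.

    The URL is split on ':', '@', '/' and '?', so a password containing any
    of them must be percent-encoded; safe="" makes quote() encode '/' too.
    """
    userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    url = f"postgres://{userinfo}@{host}/{database}"
    if params:
        url += "?" + "&".join(f"{k}={quote(str(v))}" for k, v in params.items())
    return url


def credentials_from_url(url):
    """Recover the decoded (user, password) pair from a DATABASE_URL."""
    parts = urlsplit(url)
    return unquote(parts.username or ""), unquote(parts.password or "")


def lint_database_url(url):
    """Return findings (empty list = acceptable) for a DATABASE_URL."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme not in ("postgres", "postgresql"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    if not parts.password:
        findings.append("no password in URL")
    query = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    sslmode = query.get("sslmode", "prefer")  # the documented default
    if sslmode not in SSLMODE_ORDER:
        findings.append(f"sslmode {sslmode!r} is not in the documented list")
    elif SSLMODE_ORDER.index(sslmode) < SSLMODE_ORDER.index("verify-ca"):
        # disable/prefer may end up in plaintext; require skips certificate checks.
        findings.append(f"sslmode={sslmode} does not verify the server certificate")
    if sslmode == "verify-ca" and "sslrootcert" not in query:
        findings.append("sslmode=verify-ca without sslrootcert relies on libpq's default root.crt")
    if ("sslcert" in query) != ("sslkey" in query):
        findings.append("sslcert and sslkey must be set together")
    return findings


def lint_redis_url(url):
    """rediss:// is TLS, redis:// is plaintext, as the page states."""
    scheme = urlsplit(url).scheme
    if scheme == "rediss":
        return []
    if scheme == "redis":
        return ["redis:// is plaintext; use rediss:// when the server offers TLS"]
    return [f"unexpected scheme {scheme!r}"]


def new_secret_key():
    """32 random bytes, hex-encoded: the SECRET_KEY format the page suggests."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Constructed values; the password deliberately contains URL delimiters.
    url = build_database_url(
        "cap", "p@ss:w/rd?", "db.example.internal", "cap",
        sslmode="verify-ca", sslrootcert="/etc/cryptosense-analyzer/pg-ca.pem",
    )
    print("DATABASE_URL =", url)
    print("decoded credentials:", credentials_from_url(url))
    print("findings:", lint_database_url(url) or "none")
    print("findings:", lint_database_url("postgres://cap:secret@db.example.internal/cap"))
    print("findings:", lint_redis_url("redis://redis.example.internal"))
    print("SECRET_KEY =", new_secret_key())
```

The lint deliberately reports the default (no sslmode in the URL) as a finding, because the page's default, prefer, is the mode that downgrades to plaintext without any error.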
License activation
- Upload the provided analyzer.cs-license file to /etc/cryptosense-analyzer/analyzer.cs-license on one of the CAP VMs.
- Run
  cs license synchronize
  on that VM.
If no error was reported, your new license is now in effect. You can confirm that in the CAP web GUI by checking the date on the trace upload page of any project you have access to.