Articles in this section

Installation

Stephen de Vries
  • Updated
Follow
Note: Using the Dockerized versions of IriusRisk is the simplest way to get started and to stay updated with the software when using the OnPrem version.
To get access to our docker images you will need a Docker ID, if you don't have one, go to https://hub.docker.com/ and register one. Then send an email to info@continuumsecurity.net with the Docker ID and our team will give you access. 
 

Overview

IriusRisk consists of three major components:

  1. A reverse proxy to terminate SSL connections and implement HTTP header security. I.E: Nginx.
  2. A Servlet 3.0 compliant Java application server to host the .war. I.E: Tomcat.
  3. A PostgreSQL database.

Iriusrisk_Architecture_hor.png

To facilitate easy deployment for the OnPrem version, the reverse proxy and the application server can optionally be provided through Docker images and downloaded from our private Dockerhub repository. However, even if Docker is used for these two components we recommend using an external SQL database instead of a Dockerized DB instance.


Hardware Requirements

  1. Single Server:
    All three components: reverse proxy, application server and database can be deployed on the same server.  The following hardware is recommended for such a deployment:
    • Quad core Intel Xeon at least 3.0Ghz
    • 16Gb RAM
    • 8 GB of disk space for the Application server
    • 230GB SSD available for the database's data volume
  • High Availability configuration:
    The web application is stateful, and either requires a load balancer with sticky sessions enabled, or a clustered Tomcat instance.  We recommend the former due to ease of management and the ability to scale horizontally simply.
    The database can also be deployed in a high availability configuration. You can find PostgreSQL documentation here.
    The general view of the HA configuration would be:
    • Load balancer/reverse proxy with sticky session enabled.
    • Multiple Tomcat instances, either using our docker images or native Tomcat instances.
    • Databases in HA configuration as per the DB vendor guidelines

      The hardware requirements for this setup are:
    • Application servers:
      • Quad core Intel Xeon at least 2.0Ghz
      • 8 GB RAM
    • Database servers:
      • Quad core Intel Xeon at least 2.0Ghz
      • 8 GB RAM
      • 230GB SSD available for the database's data volume

Database size

Regarding the size needed for the volume holding the database, a single Product in IriusRisk could consume between 50Mb to 100Mb. Although this depends on several factors like, if an Issue Tracker is integrated, if Automated Testing tools are integrated, how many artifacts (such as documents and diagrams) are attached to the product, the number of reports created for the product, etc.

 

Supported Installation Options

Iriusrisk can be installed on several ways.

Every major component (Nginx, Tomcat and PostgreSQL) can live on the same machine (single server) or may be individual components on different machines or a combination of both.

Besides PostgreSQL which is a native installation, both Nginx and Tomcat can be dockerized or not depending on your needs.

This allows us the following setup options:

Single server (everything on the same machine):

  1. Nginx (docker) + tomcat (docker) + local postgres (native).
  2. Nginx (native) + tomcat (docker) + local postgres (native).
  3. Nginx (docker) + tomcat (native) + local postgres (native).
  4. Nginx (native) + tomcat (native) + local postgres (native).

Multiple servers (services spread on several machines), from the point of view of tomcat:

  1. External load balancer + tomcat (docker or native) + local postgres (native).
  2. External load balancer + tomcat (docker or native) + external postgres.
  3. Nginx (docker or native) + tomcat (docker or native) + external postgres.
  4. External load balancer + tomcat (kubernetes) + external postgres.

For Kubernetes setup we will provide more details below on his own section.

Optional: Enable AD/LDAP authentication. We will provide more details below on his own section.

 

General PostgreSQL configuration steps

   1. Install the database server following the postgresql official instructions for your distribution: https://www.postgresql.org/download/

Ensure that the database is accessible from the application server (network firewall, security groups, iptables u other security measures)

Edit postgres.conf file inside the postgresql data folder, find the line with the listen_address directive and add the proper listening network interface:

listen_addresses = 'localhost, DB_HOSTS_IP_ADDRESS'

If you are unsure what your interface is or you want postgres to listen on all interfaces you can use:

listen_addresses = '*'

To enable password based authentication, edit the hba.conf file and add at the bottom the line:

host all      all  172.17.0.0/24    md5

Substituting "172.17.0.0/24" with the docker network interface address where the Tomcat server will reside.  If you plan to use the Tomcat in Docker option, then "172.17.0.0/24" is correct as is, since that's the address of the docker containers.

If you are unsure what your interface is or you want postgres to allow password authentication from all sources, you can use: 

host all      all  0.0.0.0/0    md5

 

   2. Run the psql command line tool as the postgres user: 

sudo su - postgres
psql 

 

    3. Create a database user with createdb privileges using the following PSQL command:

create user iriusprod with createdb password 'alongandcomplexpassword2523';

 

   4. Create a database and assign it to this user with the following PSQL command:

create database iriusprod with owner='iriusprod';

 

   5. You may exit psql now and go back to your regular user with:

\q
exit

 

   6. Ensure that the database service is started automatically when the server starts using your operating system specific directives (like systemctl enable or chkconfig on).

 

Single server option 1: Nginx (docker) + tomcat (docker) + local postgres (native).

For the Docker deployments, please provide us with your username on dockerhub so that we can grant it access to the repository.

  1. Install docker using your system repositories or the official docker installation instructions here.
  2. Install docker-compose using the official docker-compose installation instructions here.
  3. Download the docker-compose file here.
  4. Customize the docker-compose file.
    On the Nginx section: You need to edit "NG_SERVER_NAME" with the application endpoint Iriusrisk will be listening (as set in the postgres.conf file, even if the database is installed on the same host as the docker containers, this needs to be a real IP of the DB and not 'localhost').
    On the Tomcat section: You need to edit "IRIUS_DB_URL" with the JDBC string with proper IP and user password to connect to your database and "IRIUS_EXT_URL" with the application endpoint Iriusrisk will be listening (as set in the postgres.conf file, even if the database is installed on the same host as the docker containers, this needs to be a real IP of the DB and not 'localhost').
  5. Create a directory on the server and ensure you have the following files:
$ ls
cert.pem
docker-compose.yml
key.pem

The files for the TLS certificate must be named cert.pem and key.pem and must have the certificate and the key in PEM format generated by a trusted CA authority.

"cert.pem" must contain the certificate with the chain and "key.pem" should contain the private key.
If you are evaluating iriusrisk on localhost and a self signed certificate is enough for you, you can use these (WARNING DO NOT USE THIS ON PRODUCTION, JUST FOR TESTING PURPOSES): cert.pem and key.pem

6. Launch the instances using the command:  
$ docker-compose up -d

Nginx will listen on ports 80 and 443, all requests to port 80 will be redirected to 443. It will terminate the TLS connection and also inject several HTTP security headers, for more info please see the Nginx config file within the container: 

$ docker exec CONTAINER_ID cat /etc/nginx/conf.d/irius.conf 
#You can get the CONTAINER_ID by executing $ docker ps

 

Keep in mind the first time Iriusrisk runs it can take some time at creating the database tables and items it needs.

Iriusrisk_files_and_first_run.gif

Optional: We provide you with Ansible Playbook that is automating this type of IriusRisk deployment. For more info please follow this link.

Single server option 2: Nginx (native) + tomcat (docker) + local postgres (native).

  1. Follow steps 1-4 from "Single server option 1", you can skip the Nginx section configuration.
  2. Delete from the docker-compose.yml file the entire "nginx:" section so only tomcat is launched as a container.
  3. Configure your native Nginx to forward requests to the Tomcat server using the following rules:
Request to reverse proxy     Redirect to Tomcat    
/ /
/VAADIN /VAADIN
/api

/api
/help /help
     
      4. Launch the instances using the command: 
$ docker-compose up -d  

 

Single server option 3: Nginx (docker) + tomcat (native) + local postgres (native).

  1. Follow steps 1-4 from "Single server option 1", you can skip the Tomcat section configuration.
  2. Delete from the docker-compose.yml file the entire "tomcat8:" section so only nginx is launched as a container.
  3. Configure your tomcat accordingly and add the required variables at the end of the catalina.properties file (Beware on catalina.properties it is "grails.env" and not "grails_env" like the docker-compose.yml file): 
     IRIUS_DB_URL=jdbc\:postgresql\://172.17.0.1\:5432/iriusprod?user\=iriusprod&password\=alongandcomplexpassword2523
     IRIUS_EDITION=saas
     IRIUS_EXT_URL=http\://youririusriskendpoint.com
     grails.env=production
  4. Launch the instances using the command:  
    $ docker-compose up -d

 

Single server option 4: Nginx (native) + tomcat (native) + local postgres (native).

  1. Configure your nginx like the step 3 of the "Single server Option 2" option.
  2. Configure your tomcat like the step 3 of the "Single server Option 3" option.
  3. Ensure your nginx and tomcat services are up and running and are started when the machine starts.

 

Multiple servers option 1: External load balancer + tomcat (docker or native) + local postgres (native).

  1. Follow the "Single server Option 2" guide, and use the step 3 configurations as a guideline adapted to your solution.

 

Multiple servers option 2: External load balancer + tomcat (docker or native) + external postgres.

  1. Follow the "Single server Option 2" guide, and use the step 3 configurations as a guideline adapted to your solution.
  2. Ensure your tomcat container can reach your external database. If you need to troubleshoot you can enter the container by using: 
    $ docker exec -it iriusrisk-tomcat8 bash
    And then using psql, telnet or nc to test the connection.

 

Multiple servers option 3: Nginx (docker or native) + tomcat (docker or native) + external postgres.

  1. Follow the single server options for Nginx on docker ("Single server option 3") or native ("Single server option 4").
  2. Follow the single server options for Tomcat on docker ("Single server option 2") or native ("Single server option 3").
  3. Follow the step 2 on the "Multiple servers option 2" option.

 

Multiple servers option 4: External load balancer + tomcat (kubernetes) + external postgres.

 The current supported setup on Kubernetes includes the following configuration:

  • External Load balancer.
  • Deployment definition with tomcat only pod.
  • One or several deployment replicas.
  • External network reachable database.

This section is under construction.

 

AD/LDAP Authentication:

All setups are compatible with enable AD/LDAP authentication.To configure it you need to add an environment variable configuration (either on docker-compose/kubernetes or system-wide if you are using native tomcat).

In the Tomcat instance you should include this configuration in the docker compose file:

tomcat8:
	# [...]
	environment:
	# [...]
		- LDAP_CONFIG_PATH=/etc/irius/LDAP-config.groovy
	# [...]
    volumes:
        - "/etc/irius:/etc/irius"

And ensure that the host has the LDAP-config.groovy file located in the /etc/irius directory of the host machine.

 

 

Updating to the latest release

Warning!

Backup your existing database before performing a release update!!

From the directory where the docker-compose.yml file is, execute:

docker-compose stop && docker-compose pull && docker-compose up

Adding Custom Logos

IriusRisk displays a large logo on the main login form and a smaller logo once logged into the system.  Both of these logos can be customised to point to logos of your own choosing.

The recommended size for the logos are:

  • Large logo on login page -> 440px x 265px
  • Small logo -> 140px x 25px

See: Customizing your own logo on IriusRisk for details on how to do this.

 

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk