Installing Site Coordinator

About this document


This document explains the step-by-step procedure to manually set up a Site Coordinator that can connect to a SAFE Instance. 

Prerequisites


Refer to Prerequisites - Site Coordinator.

Site Coordinator Default Network
The default subnet used for Site Coordinator containers is 10.0.1.0/24. Customers should review whether this default network range conflicts with their existing infrastructure and make adjustments as required.
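
One way to run that review on the installation host, as an added example that is not part of the SAFE documentation: the script compares the default 10.0.1.0/24 range against routing-table destinations and prints any that overlap. The function names are hypothetical and the sample routing table is constructed.

```sh
#!/bin/sh
# Added example: flag host routes that overlap the Site Coordinator default
# container subnet. Function names are hypothetical.
SC_SUBNET="10.0.1.0/24"   # default subnet stated on this page

# Constructed sample of `ip -4 route` output (not from a real host).
SAMPLE_ROUTES='default via 192.168.10.1 dev eth0 proto dhcp metric 100
10.0.0.0/16 via 192.168.10.254 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.20
10.0.1.128/25 dev br-lab proto kernel scope link src 10.0.1.129'

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "first last": the integer bounds of a CIDR block (bare address = /32).
cidr_range() {
    addr=${1%/*}; bits=${1#*/}
    if [ "$bits" = "$1" ]; then bits=32; fi
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    first=$(( $(ip_to_int "$addr") & mask ))
    echo "$first $(( first | (~mask & 4294967295) ))"
}

# Succeed when the two CIDR blocks share at least one address.
cidr_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Read `ip -4 route` lines on stdin; print each destination overlapping SC_SUBNET.
find_conflicts() {
    while read -r dest rest; do
        case $dest in
            [0-9]*) if cidr_overlap "$SC_SUBNET" "$dest"; then echo "$dest"; fi ;;
        esac
    done
}

# On a real host: ip -4 route | find_conflicts
printf '%s\n' "$SAMPLE_ROUTES" | find_conflicts
```

Any destination printed is a range that a container on the default subnet could shadow or be shadowed by; an empty result means no routed network on the host overlaps 10.0.1.0/24.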

Install Site Coordinator


Once the above software pre-requisites are installed successfully, you can install Site Coordinator on the machine.

Note
If required, set up a proxy server to access the SAFE URL. The proxy should be set at the OS level before running the command generated in step 4 below. Refer to Configuring Proxy in Site Coordinator.
  1. Log in to SAFE.
  2. Navigate to Administration > Asset Management > Agent & Site Management.
  3. Click on the Install Site Coordinator button.
  4. Copy the entire command displayed on the UI and run it on the machine.
  5. The installation will validate the pre-requisites and download the necessary packages to complete the Site Coordinator Installation.

  6. Once the above command completes, it will connect to the SAFE URL to download the installation script and run it. The installation script will download a set of docker images for the site coordinator. If a proxy server is required to access the SAFE URL, the proxy should be set at the OS level before running this command.
  7. The installation script will ask for the following:
    1. The installation directory.
    2. The proxy settings. This is optional; it is required only if the --configure:proxy parameter is added to the installation command above so that the Site Coordinator communicates with SAFE on the cloud through a proxy server. Refer to Configuring Proxy in Site Coordinator.
    3. The agent communication settings. This is required if the Site Coordinator needs to support agent-based assessments. Refer to Configuring Site Coordinator for agent-based communication.

Configuring Proxy in Site Coordinator


Proxy servers are typically used by organizations to route the internet traffic from their networks to the internet. Since the Site coordinator needs to communicate with SAFE on the cloud, the following can be used to set the proxy settings. 

Note
Internal traffic between the Site Coordinator and other on-premise tools that the organization uses need not be routed through proxy servers, and routing it through a proxy is not supported in the Site Coordinator.

For example, the Site coordinator’s communication with an on-prem PIM/PAM like CyberArk or BeyondTrust, should not be routed through the proxy and their IPs should be excluded with NO_PROXY as shown below.

To configure a proxy, add the --configure:proxy flag at the end of the installation command copied from the SAFE application.

You will be prompted for the following values while configuring the proxy:

  1. Proxy IP/Hostname: The IP address/ Hostname of the proxy server to be used.
  2. Proxy Port: The port to be used to connect to the proxy server.
  3. Proxy Username: The username to be used to connect to the proxy. (Optional)
  4. Proxy Password: The password of the username provided. (Optional)
  5. Comma-separated IPs/Hostnames without spaces to be omitted by the proxy (NO_PROXY): Any IPs/Hostnames that the user does not want the Site Coordinator to access via a proxy. This applies to some of the PIM/PAM tools or third-party tools like Arcon, CyberArk, BeyondTrust, etc.

Configuring Site Coordinator for agent-based communication


The Site Coordinator can support both agentless and agent-based assessments. To enable the Site Coordinator to support agent-based assessment, the following steps need to be completed during installation or post-installation to enable the Gateway functionality.

SAFE Agents can be configured to point to the Site Coordinator using the Site Coordinator URL, as described in Installing SAFE Agent. This is required where agents do not have direct network connectivity to the SAFE cloud services.

Pre-requisites 

  1. Port 443 must be open inbound for the agent machines that will connect to the Site Coordinator Gateway.
  2. A URL for the Site Coordinator Server that is resolvable and reachable by the agents.
  3. SSL certificate (.crt file) for the Site Coordinator Server URL and its private key (.key file)
  4. CA certificate (.crt file) for the Site Coordinator to validate and trust the above certificates.
  5. All the machines where the SAFE agent is installed should trust the CA certificate. For a well-known public CA, no extra step is required. For an in-house CA, the CA certificate will need to be added to the Trusted Certificate Store of these machines using the appropriate Operating System guidance.

During Site Coordinator installation

  1. As part of the installation steps, you will be asked whether to enable the Site Coordinator Gateway for agent-based communication. If the site coordinator is not required to support agent-based assessments, this can be skipped. 
  2. At the prompt, enter the URL of the Site Coordinator server (including the https prefix). This is the URL that the agents will use to communicate with the Site Coordinator's Gateway functionality.
  3. Provide the SSL certificate (.crt), its private key (.key) and the CA certificate (.crt) when prompted.

Post Site Coordinator installation

If the Site Coordinator Gateway setup for agent-based communication is skipped during the installation, it can be configured at a later point by executing the command sh install-site-coordinator.sh --configure:agentGateway. This will require the same inputs as mentioned in steps 2 and 3 above, for the Site Coordinator URL and the certificates.

Site Coordinator status


The status of the Site Coordinator can be validated using the following command: 

sh install-site-coordinator.sh --status

If a proxy is configured, the proxy setup can be checked in the INSTALLATION_DIRECTORY/safe-security/.env file.

Info
Please refer to the Example scenario of a Site Coordinator Deployment for better understanding.

Troubleshooting


Info
On a Red Hat 8 system, running the installation command for Docker produces multiple package conflicts and package errors.
  • A few packages installed on a Red Hat 8 system might conflict with the Docker installation.
  • The end of the error message suggests some arguments.
  • Run the yum install command used to install Docker with the arguments --allowerasing --nobest. The overall command should become:
sudo yum install docker-ce docker-ce-cli containerd.io --allowerasing --nobest


Info
After installing Docker and configuring the non-root user, running docker info gives an error: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
  • Ensure that the docker service is started and enabled. You can check the docker service status by using the following command:
sudo systemctl status docker
  • The service should be in an active (running) state as shown below

  • If it says inactive (dead), try starting or restarting the service using sudo systemctl start docker or sudo systemctl restart docker.
Info
Docker is installed and the service is in the active (running) state, but running docker commands gives a permission denied error: ERROR: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info: dial unix /var/run/docker.sock: connect: permission denied.
  • This can happen when the user running the docker commands is not added to the docker group.
  • Verify that the Docker installation is correct by running sudo docker info. If you get the desired output without any permission errors, the installation is okay.
  • Verify that the user is part of the docker group by running the groups command. The output should contain the docker group in the list.
    • If the docker group is not mentioned, follow the Non-root user setup for the Docker section for the required steps.
    • If the docker group is mentioned but you are still facing permission issues, log out from the machine once and log in again.
    • If the issue still persists, reboot the machine once and check.
Info

Running docker-compose commands to verify the installation gives a No such file or directory error: -bash: /usr/local/bin/docker-compose: No such file or directory

  • Ensure that the docker-compose executable is correctly placed in the /usr/bin directory.
  • Check that there is a symlink present in the /usr/local/bin directory pointing to the executable in the /usr/bin/ directory.
  • Run ls -l /usr/local/bin/docker-compose to verify. If you don’t get an output, run the command sudo ln -s /usr/bin/docker-compose /usr/local/bin/docker-compose to create the correct symlink.