Version 18

OVAs Provided by the GYTPOL Team

You will receive the following 2 OVA files from the GYTPOL team to set up your environment:

  1. PostgreSQL (Database) Server OVA:

    • This virtual appliance contains the pre-configured PostgreSQL database server required for storing and managing GYTPOL data.

  2. GYTPOL Services (Application) Server OVA:

    • This virtual appliance contains the core GYTPOL services and application required to manage and monitor your environment.

Ensure both OVA files are available before beginning the installation process.

Import and Configure the GYTPOL PostgreSQL OVA

  1. Open the VMware Console:

    • Launch the VMware vSphere Client or VMware Workstation, depending on your environment.

  2. Import the GYTPOL PostgreSQL OVA:

    • Select File > Deploy OVF Template option.

    • Browse to the location of the gytpol-postgres.ova file.

    • Follow the on-screen instructions to complete the import process.

  3. Post-Import Configuration:

image-20250112-140622.png

Steps to Access and Initialize PostgreSQL in the VM

  1. Open the Console of the PostgreSQL VM:

    • Use VMware to access the console of the VM where PostgreSQL is installed.

  2. Log in to the VM:

    • Enter the following credentials to log in:

      • Username: ubuntu

      • Password: m-33W8]aiUh

  3. Initialize PostgreSQL:

    • Once logged in, execute the following command to initialize PostgreSQL: sudo gyt postgres-init

  4. Verify the Initialization:

    • Check the output to ensure PostgreSQL has been successfully initialized.

Configure the Network for PostgreSQL VM

  1. Follow Network Configuration Prompts:

    • When prompted during the setup process, configure the network settings for the VM.

    • You will be asked to choose between static and DHCP IP address allocation.

  2. Recommendation: Use a Static IP:

    • We recommend selecting ‘static’ to manually configure the IP address for better reliability and control.

    • Enter the following details:

      • IP Address: Your desired static IP

      • Subnet Mask: As per your network configuration (e.g., 255.255.255.0, which corresponds to a /24 prefix)

      • Gateway: Your network gateway address

      • DNS Servers: Enter your preferred DNS servers. If you have multiple servers, separate them with commas.

  3. Verify the Network Configuration:

    • Once the setup is complete, test the network connectivity:

      • Ping the configured IP from another device on the network to confirm accessibility.

      • If static, ensure the settings align with your network’s configuration to avoid IP conflicts.

image-20250112-140950.png

Password Configuration During Setup

As part of the setup process, you will be prompted to configure two important passwords. Follow these steps carefully:

  1. Wait for Password Prompts:

    • During the initialization process, the setup will ask you to provide passwords for critical components.

  2. Passwords to Set:

    • PostgreSQL Master Password:

      • This password secures the PostgreSQL database and will be required for administrative tasks.

      • Choose a strong and secure password. Record it safely for future reference.

    • Keycloak User Password:

      • This password is for managing the Keycloak user database.

      • Again, choose a secure password and store it in a secure location.

  3. Input the Passwords When Prompted:

    • When the setup script prompts you, type in the passwords carefully and confirm them when asked.

  4. Verify the Passwords:

    • Ensure you see a confirmation message or successful setup output for each password entry.

Recommendations:

  • Use a password manager to securely generate and store these credentials.

  • Avoid reusing passwords from other systems for added security.

image-20250112-141121.png

Do not forget these passwords. They will be required later in the installation process and for future management tasks.

Import and Configure the GYTPOL Services OVA

  1. Open the VMware Console:

    • Launch the VMware vSphere Client or VMware Workstation, depending on your environment.

  2. Import the GYTPOL Services OVA:

    • Select File > Deploy OVF Template option.

    • Browse to the location of the gytpol-services.ova file.

    • Follow the on-screen instructions to complete the import process.

  3. Post-Import Configuration:

    • Once the import is complete, locate the newly created VM in your VMware environment.

    • Edit the VM settings so that the VM meets the required specifications.

    • After the VM is imported, make the following changes:

      • Add two hard disks (100 GB and 20 GB):

        • Go to Edit Settings for the VM.

        • Add a new hard disk with a size of 100 GB.

        • Add another new hard disk with a size of 20 GB.

      • Set Memory:

        • Allocate 12 GB of RAM.

      • Set CPUs:

        • Assign 6 CPUs to the VM.

  4. Power On the VM:

    • Start the VM from the VMware console.

  5. Verify DNS Record:

    • Ensure the DNS record for the GYTPOL server is resolvable:

      • Use a command like nslookup <server-name> or ping <server-name> from another machine to confirm.

Access the Services VM Console

  1. Open Services VM Console:

    • Switch to the console of the Services VM in VMware.

  2. Log in to the Services VM:

    • Use the following credentials to access the VM:

      • Username: ubuntu

      • Password: m-33W8]aiUh

  3. Run the command sudo gyt install

Network Configuration for the GYTPOL Services VM

  1. Follow the Network Configuration Prompts:

    • During the initial setup of the GYTPOL Services VM, you will be prompted to configure the network settings.

  2. Choose an IP Address Configuration:

    • Recommended Option: Static IP:

      • This option provides a fixed IP address, ensuring consistent connectivity.

      • Enter the following details:

        • IP Address: The static IP address you want to assign.

        • Subnet Mask: As per your network configuration (e.g., 255.255.255.0, which corresponds to a /24 prefix)

        • Gateway: Your network's gateway IP.

        • DNS Servers: Your preferred DNS server addresses (e.g., Google DNS: 8.8.8.8).

    • Alternative Option: DHCP with Reservation:

      • If you prefer using DHCP, configure your DHCP server to assign a reserved IP to the VM's MAC address.

      • This ensures the VM always receives the same IP.

  3. Verify the IP Address:

    • After completing the network configuration, confirm the VM's connectivity:

      • Use ping <IP Address> or ping <Host Name> from another device to verify.

  4. Document the IP Address:

    • Record the assigned IP address for future use, as it will be required in subsequent steps.

image-20250112-142514.png

Providing Required Information During Setup

When prompted during the setup process, supply the following details carefully:

  1. GYTPOL_URL:

    • Enter the DNS name of the GYTPOL server.

    • Example: gytpol.yourdomain.com

  2. DB_PASSWORD:

    • Provide the password for the GYTPOL database.

    • Use your own secure password.

  3. POSTGRES_HOST:

    • Enter the IP address of the PostgreSQL VM.

    • Example: 192.168.1.100

  4. MASTER_PASSWORD:

  5. GYTPOL_ADMIN_USER_EMAIL:

    • Enter the email address for the first administrator user in the system.

    • Example: admin@yourdomain.com

  6. USER_MANAGEMENT_ADMIN_PASSWORD:

    • Set a password for accessing the User Management Console.

    • Choose a secure and memorable password.

  7. USER_MANAGEMENT_DB_PASSWORD:

image-20250113-125254.png

  • The setup will request you to create an Initial User Password for the first user account in the system:

    image-20250112-143500.png

  • Wait for Installation to Complete:

    image-20250112-143546.png

  • Send the following details to support@gytpol.com:

    • Access Key ID

    • Secret Access Key

    • GYTPOL_URL

    • GYTPOL Services Server FQDN

  • The GYTPOL team will respond with the sensor installation files.

Copying Sensor Installation Files to the Services OVA

To transfer sensor installation files to the services OVA, you can use a file transfer tool like WinSCP (graphical interface) or the scp command (command-line). Both options connect over port 12222.

Option 1: Using WinSCP

  1. Launch WinSCP and configure the connection:

    • Host: The IP address of the services OVA.

    • Port: 12222

    • Username: The VM user (e.g., ubuntu).

    • Password: The corresponding password.

  2. Transfer Files:

    • Navigate to the desired location on the OVA.

    • Drag and drop the files from your local machine to the target directory on the OVA

Option 2: Using scp Command (Terminal)

  1. Open your terminal and run the following command (example):

     scp -P 12222 -o StrictHostKeyChecking=no ~/Downloads/gytpol-client_2.4.9.18-18_amd64.deb ubuntu@10.60.0.103:/home/ubuntu

image-20250112-144059.png

Options Explained:

  • -P 12222: Specifies the port 12222.

  • -o StrictHostKeyChecking=no: Skips SSH host key verification so the first connection is not interrupted by the host key prompt; omit it if you want the server's host key checked against your known_hosts file.

  • ~/Downloads/gytpol-client_2.4.9.18-18_amd64.deb: Local path to the file.

  • ubuntu@10.60.0.103: Username and IP address of the services OVA.

  • /home/ubuntu: The destination directory on the OVA.

Copy and Install Sensor Files in the Services OVA

  1. Copy All Sensor Installation Files:

    • Use WinSCP or the scp command (as described earlier) to transfer all sensor installation files you receive to the services OVA.

  2. Log in to the Services OVA:

    • Open the VMware console or use SSH to access the services OVA.

    • Use the credentials you configured during the setup.

  3. Run the Command for Each Sensor Installation File: sudo gyt copy-client <OS> <VERSION> <FILENAME>, for example:

      sudo gyt copy-client linux 2.4.9.18 gytpol-client_2.4.9.18-18_amd64.deb
      sudo gyt copy-client mac 2.4.9.18 gytpol-client_2.4.9.18-18_amd64.pkg
      sudo gyt copy-client windows 2.36.3.0 gytpolClient_x64.msi

image-20250112-144444.png

Finalizing Sensor Setup

  1. Generate Sensor Links:

    • Run the following command in the services OVA to generate sensor links in the GYTPOL UI:

      sudo kubectl create job --from cj/gytpol-analyzer-periodic-client-signer-cj signer-job -n gytpol

  2. Alternatively, Wait:

    • If you do not run the command, the system will automatically generate sensor links within 30 minutes.

  3. Access GYTPOL:

    • Once the sensor links are available, you can start using GYTPOL through the configured interface.

Enabling HTTPS for GYTPOL

By default, GYTPOL runs over plain HTTP if no certificate is added.

image-20250113-114231.png

To enable HTTPS, you will need to provide SSL certificate files (.crt and .key) for the DNS domain name associated with your GYTPOL server.

  • Obtain Certificate Files:

    • Acquire an SSL certificate (.crt file) and its corresponding private key (.key file) for your DNS domain name from a trusted Certificate Authority (CA) or generate self-signed certificates for testing.

  • Copy Certificate Files to the Services VM:

    • Use WinSCP or the scp command to transfer the .crt and .key files to the services VM.

    • Example Command: scp -P 12222 -o StrictHostKeyChecking=no /path/to/your/cert.crt /path/to/your/key.key ubuntu@<services-OVA-IP>:/home/ubuntu

image-20250112-145120.png

  • Replace:

    • /path/to/your/cert.crt: Path to the .crt file on your local machine.

    • /path/to/your/key.key: Path to the .key file on your local machine.

    • <services-OVA-IP>: The IP address of the services VM.

Adding SSL Certificate to Enable HTTPS

To enable HTTPS for GYTPOL, you can add the SSL certificate directly to the services OVA by following these steps:

Steps to Add SSL Certificate

  1. SSH into the Services OVA:

    • Use an SSH client (e.g., terminal, PuTTY) to connect to the services OVA over port 12222.

      • Example: ssh -p 12222 ubuntu@<services-OVA-IP> (replace <services-OVA-IP> with the IP address of the services OVA).

  2. Run the Command to Add SSL Certificate:

    • Once logged in, use the sudo gyt add-ssl-certificate <CRT FILENAME> <KEY FILENAME> command to apply the certificate.

    • Replace:

      • <CRT FILENAME>: The full path or name of the .crt file you uploaded.

      • <KEY FILENAME>: The full path or name of the .key file you uploaded.

  3. Restart Services:

    • The command will automatically restart the necessary services to apply the certificate.

image-20250112-145415.png

  4. Access the GYTPOL UI:

    • After adding the SSL certificate, you can access the GYTPOL UI securely using HTTPS.

    image-20250113-114208.png
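As an added check (this is not part of the GYTPOL tooling or of the commands above), the following POSIX shell function validates a .crt/.key pair before it is passed to sudo gyt add-ssl-certificate: it confirms the .crt file is a PEM certificate, that the .key file is the matching private key, that the certificate covers the DNS name you entered as GYTPOL_URL, and that it is not about to expire. It assumes the openssl command-line tool is installed on the machine where you run it; the function name and the host name gytpol.example.com are illustrative.

```shell
#!/bin/sh
# Added example, not GYTPOL's own code: sanity-check a certificate/key pair
# before running "sudo gyt add-ssl-certificate <CRT FILENAME> <KEY FILENAME>".
# Requires the openssl CLI (assumption).
#
# Usage: check_cert_pair CERT_FILE KEY_FILE FQDN
# Returns 0 when every check passes; otherwise prints the first failure and returns 1.
check_cert_pair() {
    cert=$1
    key=$2
    fqdn=$3

    # 1. The .crt must be a PEM-encoded X.509 certificate (a CSR or a DER blob is a common mix-up).
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a PEM-encoded X.509 certificate"
        return 1
    fi

    # 2. The .key must belong to this certificate: compare the public key embedded
    #    in the certificate with the public key derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the public key in $cert"
        return 1
    fi

    # 3. The certificate must cover the GYTPOL DNS name (subjectAltName, or CN when
    #    no SAN is present); otherwise browsers reject the HTTPS UI.
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null | grep -q "does match"; then
        echo "FAIL: $cert does not cover host name $fqdn"
        return 1
    fi

    # 4. Refuse a certificate that is expired or expires within the next 24 hours.
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or expires within 24 hours"
        return 1
    fi

    echo "OK: $cert and $key are consistent and valid for $fqdn"
    return 0
}
```

Run it as check_cert_pair cert.crt key.key gytpol.yourdomain.com on the machine holding the files; only upload the pair once it prints OK.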

Installing the License for GYTPOL

Steps to Fetch the License ID:

  1. SSH into the Services VM: ssh -p 12222 ubuntu@<services-OVA-IP>

  2. Run the License ID Command: sudo gyt get-license-id

  3. Send the License ID:

    • Copy the displayed license ID and send it back to the GYTPOL Licensing Team at license@gytpol.com.

image-20250112-145722.png

Installing the License:

Once you receive the license file from the GYTPOL team, upload it to the services VM using WinSCP or the scp command, then install it with: sudo gyt install-license <LICENSE-FILENAME>

Replace <LICENSE-FILENAME> with the full path or name of the license file.

Getting the API Key for GYTPOL User API

To use the GYTPOL User API, you need to retrieve the API key from the services VM. Follow the steps below:

Steps to Retrieve the API Key:

  1. SSH into the Services VM: ssh -p 12222 ubuntu@<services-OVA-IP>

  2. Run the API Key Command: sudo gyt get-api-key

image-20250112-145608.png

Adding Users in GYTPOL

Follow these steps to add users to the GYTPOL system:

  1. Open a web browser and navigate to https://<gytpol-services-dns>:9093/admin
    Replace <gytpol-services-dns> with the DNS name of your GYTPOL services.

  2. Log In:

    • Use the following credentials:

      • Username: admin

      • Password: The password configured as USER_MANAGEMENT_ADMIN_PASSWORD during installation.

  3. After logging in, select Users from the left-hand navigation pane.

    image-20250113-092807.png

  4. Click the Add User button:

    image-20250113-092843.png

  5. Select “Email Verified” and ensure that both the username and email fields are filled with valid email addresses.

    image-20250113-093006.png

  6. After creating the user, navigate to “Role Mapping” and click on “Assign Role”.

    image-20250113-093058.png

  7. Assign “gytpol”:

    image-20250113-093127.png

  8. Navigate to “Credentials” and click on “Set Password”:

    image-20250113-093216.png

  9. Enter the password and choose whether the user should be required to change it upon their first login by setting it as Temporary or not.

Resetting user password

Follow these steps to reset a user's password in the GYTPOL system:

  1. Open a web browser and navigate to https://<gytpol-services-dns>:9093/admin
    Replace <gytpol-services-dns> with the DNS name of your GYTPOL services.

  2. Log In:

    • Use the following credentials:

      • Username: admin

      • Password: The password configured as USER_MANAGEMENT_ADMIN_PASSWORD during installation.

  3. After logging in, select Users from the left-hand navigation pane.

image-20250113-092807.png

  4. Select the user, navigate to Credentials, and click the “Reset Password” button.

image-20250113-093555.png

Connecting GYTPOL to Active Directory

Before connecting GYTPOL to Active Directory, ensure all your users have a valid email configured.

  1. Open the User Management Console:

  2. Log In:

    • Use the following credentials:

      • Username: admin

      • Password: The password configured as USER_MANAGEMENT_ADMIN_PASSWORD during installation.

  3. After logging in, navigate to User Federation from the left-hand navigation pane and click on Add LDAP Provider.

  4. On the next screen, enter the Connection URL (in ldap:// or ldaps:// format; ldaps:// keeps the bind credentials and directory traffic encrypted in transit) and click the Test Connection button.

image-20250114-082738.png

You should receive a success notification.

image-20250114-082812.png

  5. In Bind DN, enter the distinguished name (DN) of the account GYTPOL will use to authenticate with the Active Directory (AD) server for operations like user searches or group lookups. Enter the account's password in Bind Credentials and click the Test Authentication button.

    image-20250114-083110.png

    You should receive a success notification.

    image-20250114-082812.png

  6. In the LDAP Searching and Updating section:

    • Set the Edit Mode to READ_ONLY.

    • Enter the Users DN for the OU containing GYTPOL's allowed users.

    • For Username LDAP Attribute, enter sAMAccountName.

    image-20250114-083620.png

  7. Click “Save” once done.

Change session timeouts

  1. Open the User Management Console:

  2. Log In:

    • Use the following credentials:

      • Username: admin

      • Password: The password configured as USER_MANAGEMENT_ADMIN_PASSWORD during installation.

  3. After logging in, navigate to Realm settings from the left-hand navigation pane and click on Sessions.

    image-20250114-092730.png

  4. Change the session settings as required and click the Save button.

Connecting GYTPOL to Okta

  1. Open the User Management Console:

  2. Log In:

    • Use the following credentials:

      • Username: admin

      • Password: The password configured as USER_MANAGEMENT_ADMIN_PASSWORD during installation.

  3. After logging in, navigate to Identity providers

    image-20250116-110537.png

  4. Select SAML v2.0

    image-20250116-110737.png

  5. Enter an Alias and then copy the Redirect URI and Service provider entity ID (copy must be done after entering the alias)

    image-20250116-111011.png

  6. Keep this window open and go to Okta and create a new app integration

    image-20250116-111141.png

  7. Select SAML 2.0

    image-20250116-111204.png

  8. Enter the Single sign-on URL (the Redirect URI from step 5) and the Audience URI (service provider entity ID from step 5).

    1. In Name ID format, select EmailAddress.

    2. In Application username, select Email.

      image-20250116-111536.png

  9. Continue with the rest of the application setup.

  10. Copy the Metadata URL.

    image-20250116-111957.png

  11. Assign the application to the users you want

    image-20250116-113206.png

  12. Go back to GYTPOL and paste the URL you copied into the SAML entity descriptor field.

    image-20250116-112239.png

  13. Click the Add button; you should see a success popup.

    image-20250116-112512.png

  14. You should now be able to log in to GYTPOL using Okta.

    image-20250116-113120.png