Installation instructions for the IMPEX family

Installation basics

Installation media can be downloaded from https://portal.sysctl.se as an ISO file for every installation type, or as an Azure image for the ICC server. Installation is supported only from ISO and not from any other kind of image, with the exception of the Azure image. Only the ICC server can be installed on Azure cloud infrastructure.

Getting the installation media

All IMPEX products can be installed from ISO. The example below uses the ICC ISO, but the procedure is the same for all products.

Download the ICC ISO from https://portal.sysctl.se and verify the SHA256 checksum:

sha256sum sysctl-icc-5.0.0.iso

or on a Windows system using PowerShell:

Get-FileHash sysctl-icc-5.0.0.iso

The servers are most commonly installed in a virtualization environment, but it is also possible to install the software on physical hardware. The USBProtect is always installed on physical hardware.

Use the Linux command dd to write the ISO to a USB device. This is most common for the USBProtect installation:

dd if=sysctl-usbprotect-5.0.0.iso of=/dev/sdX bs=4096

Note: replace sdX above with the actual device. It is probably sda, but please verify, since using the incorrect device here could lead to irreparable harm to your computer.

It may also be possible to write it with tools like Rufus, but ensure the tool uses dd mode.
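The two checks above (checksum and target device) can be enforced before dd runs. The following is an added example, not SYSCTL code: the function names and the SYS_BLOCK and MOUNTS overrides are assumptions made here, and it assumes the expected SHA256 value is copied from the download portal.

```sh
#!/bin/sh
# Added example, not SYSCTL code. SYS_BLOCK and MOUNTS are overridable
# (an assumption made here so the checks can be exercised on fake data).
SYS_BLOCK="${SYS_BLOCK:-/sys/block}"
MOUNTS="${MOUNTS:-/proc/self/mounts}"

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only when FILE's digest equals the expected value.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Fail closed on a truncated or mangled paste: exactly 64 hex digits.
    case $expected in *[!0-9a-f]*) return 2 ;; esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256sum -- "$1" 2>/dev/null | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# usb_target_ok DEV   (DEV is sdX or /dev/sdX)
# Returns 0 only for a whole disk that the kernel flags as removable and
# that has no mounted filesystem. Partitions (sdX1) are rejected.
usb_target_ok() {
    dev=${1#/dev/}
    [ -d "$SYS_BLOCK/$dev" ] || { echo "$dev: not a whole disk" >&2; return 1; }
    [ "$(cat "$SYS_BLOCK/$dev/removable" 2>/dev/null)" = 1 ] ||
        { echo "$dev: not flagged removable" >&2; return 1; }
    if grep -q "^/dev/$dev[p0-9]* " "$MOUNTS"; then
        echo "$dev: has mounted filesystems, unmount first" >&2
        return 1
    fi
}

# write_iso ISO EXPECTED_HEX DEV: run both checks, then the page's dd command.
write_iso() {
    verify_sha256 "$1" "$2" || { echo "checksum mismatch: not writing" >&2; return 1; }
    usb_target_ok "$3" || return 1
    dd if="$1" of="/dev/${3#/dev/}" bs=4096 conv=fsync
}

# Usage (EXPECTED is a placeholder for the checksum shown on the portal):
#   write_iso sysctl-usbprotect-5.0.0.iso "$EXPECTED" sdX
```

Some USB disks are not flagged removable by the kernel; in that case the check refuses and the device has to be confirmed by hand.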

Installation

All installations are unattended and require only the root password to be configured, with the exception of USBProtect, which does not have any static root password.

Choose the correct ISO for your installation and, if needed, create a bootable USB. Boot the system from the installation media. If this is a USBProtect, you will need to press “F12” to get a boot menu where you can choose to boot from the USB. Contact SYSCTL to get the UEFI password for your USBProtect hardware.

The installation will start automatically after 60 seconds if no option is selected.

Boot menu for an ICC installation

After one of the options has been selected, the installation will begin and the hard drive will be wiped. If the ICC or Repo has been selected, it will be possible to set the root password during the installation. If it is a USBProtect installation, the system will automatically look for a previous installation and copy the configuration from the old installation. If this is not the desired action, one can abort the installation after it has created a new filesystem and then boot again from the installation USB drive. This time the system disk will have been wiped and no previous configuration files will be found, making this a new clean installation.

Set a password for the root user if this is an ICC, REPO or Datalock installation.

Set root password

After the installation is completed, press enter to reboot.

Finish installation

Azure

Get the installation image

Download the Azure image from https://portal.sysctl.se

Azure configuration

Create a storage account

Create Storage Account

In the storage account, go to Containers

Storage Account Container

Create a new container

Storage Account Create Container

Upload the VHD-file to a Storage account under Data storage - Containers

Storage Account Upload Container

Go to Virtual machines and click on Create and select Azure virtual machine

Virtual machines Create New

The following configuration works with the image

  • Subscription: Your subscription
  • Subscription - Resource group: The resource group for the image
  • Virtual machine name: ICC or similar
  • Image: The container image that was uploaded
  • VM architecture: x64
  • Size: 2 vCPU, 16 GiB memory
  • Authentication type: SSH public key or Password
  • Public inbound ports: Depends on the installation architecture
  • OS type: Linux
  • VM generation: Gen 2
  • Storage blob: the uploaded VHD-file
  • Host caching: Read/write
  • License type: Other

Expand the disk

Go to the Virtual machine, select Settings -> Disks and then click on the Disk name

Virtual machines Select Disk

Select Settings -> Size + performance and select a larger disk and save

Virtual machines Select Large Disk

Start the Virtual machine

Virtual machines start

Initial configuration

This step is only needed for the ICC, Repo and Datalock installations. One needs to configure IP addresses to allow SSH connection for the configuration of the IMPEX solution.

Log in to the console with the root user and the root password configured during the installation.

Once logged in, one needs to configure:

  • IP address
  • Expand disks
  • Hostname

Console logins

Configure IP address

Configure the IP address in the file “/etc/NetworkManager/system-connections/enp1s0.nmconnection” with the vi text editor. The interface name “enp1s0” may be different depending on the hardware.

Edit the ipv4 and ipv6 sections:

[ipv4]
method=manual
address=1.2.3.4/24
gateway=1.2.3.1
dns=8.8.8.8

[ipv6]
method=disabled

IP configuration

After the configuration the network service needs to be restarted with the command “systemctl restart network”.

Verify that the server is reachable with SSH.

Expand the disks

The default partitioning may need to be changed depending on the installation.

To see the current partitions and their usage, use the command df -h

Depending on the usage, expand the root partition and the var partition. The following example expands each partition by 100 GB:

/usr/sbin/lvextend -r -L+100G /dev/mapper/root_vg-lv_root

/usr/sbin/lvextend -r -L+100G /dev/mapper/root_vg-lv_var

Set the hostname

The server needs to have a fully qualified domain name (FQDN) configured. The FQDN should reflect the subject alternative name (SAN) in the certificate for the ICC and Repo server installation.

To configure the hostname, use the following command:

/usr/bin/hostnamectl set-hostname servername.domain.tld
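Whether the configured FQDN is actually covered by the certificate's SAN can be checked from the shell. This is an added example, not part of the SYSCTL documentation: the function names are assumptions made here, the certificate path is passed by the caller because the page does not give one, and openssl 1.1.1 or later is assumed for the -ext option.

```sh
#!/bin/sh
# Added example, not SYSCTL code.

# san_covers FQDN SAN_TEXT
# SAN_TEXT is the output of "openssl x509 -noout -ext subjectAltName".
# Returns 0 if a DNS entry matches FQDN, either exactly or through a
# wildcard that covers exactly one left-most label.
san_covers() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -n "$fqdn" ] || return 2
    # One entry per line, keep only DNS names (IP entries are ignored).
    names=$(printf '%s\n' "$2" | tr ',' '\n' | tr 'A-Z' 'a-z' |
            sed -n 's/^[[:space:]]*dns:\([^[:space:]]*\).*$/\1/p')
    while IFS= read -r name; do
        case $name in
            "$fqdn") return 0 ;;
            '*.'*)
                rest=${fqdn#*.}
                [ "$rest" != "$fqdn" ] && [ "*.$rest" = "$name" ] && return 0 ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# check_cert_hostname CERT.pem [FQDN]
# Compares the certificate's SAN with FQDN (default: this host's FQDN).
check_cert_hostname() {
    host=${2:-$(hostname -f)}
    san=$(openssl x509 -in "$1" -noout -ext subjectAltName) || return 2
    if san_covers "$host" "$san"; then
        echo "OK: $host is covered by the certificate SAN"
    else
        echo "MISMATCH: $host is not in the certificate SAN" >&2
        return 1
    fi
}

# Usage (path is a placeholder): check_cert_hostname /path/to/server-cert.pem
```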

ICC backup and restore

Creating a backup

Select the “Backup” view on the left pane in the ICC.

Backup view

Click “Create backup” and then after a while, depending on how much data needs to be archived, the following view should appear.

Successful backup

Download the file, which will be called icc_backup.zip on disk when downloaded. This file contains ICC secrets, so make sure that no unauthorized person can access it.

Restoring a backup

Go to the “Backup” view, select the previously downloaded file in the “Restore” card and click “Restore”.

The file will then be uploaded, unpacked and verified by the ICC. If all is OK, it will then continue to restart the ICC services. Since the database was replaced, your login session will be cleared and you will need to log in again with the password the account had at the time of the backup.

Successful restore

Migrating ICC to new server

A new machine needs to be installed from the ICC ISO and then a backup from the old ICC can be restored on the new ICC installation.

The steps are:

  1. Create a backup on the old ICC server
  2. Download the backup from the old ICC server. The archive contains secrets and must be well protected.
  3. Install the new ICC server
  4. Log in to the admin GUI on the new ICC server and go to the backup view
  5. Select the previously backed up file in the Restore card and click “Restore”
  6. Shut down the old ICC
  7. Update the IP configuration and hostname on the new ICC so it is identical to the old ICC
  8. Reboot the new ICC
  9. Verify that all the stations are still connected by checking the “Last seen” field on the station card. If not, contact SYSCTL support

The backup includes the database, ICC signify keys, logs, quarantined files, SSH keys, YARA rules and TLS certificates.

If the migration is from a 4.x.x installation to a 5.x.x installation, the repository configuration must be reconfigured.

Doing a backup and downloading it

Select the “Backup” view on the left pane in the ICC.

Backup view

Click “Create backup” and then after a while, depending on how much data needs to be archived, the following view should appear.

Successful backup

Download the file, which will be called icc_backup.zip on disk when downloaded. This file contains ICC secrets, so make sure that no unauthorized person can access it.

Install a new ICC and restore the backup archive on it

Download the ICC ISO from https://portal.sysctl.se, boot from it and install a new ICC. Ensure that the disk is large enough.

After the ICC is installed, go to the “Backup” view, select the downloaded file in the “Restore” card and click “Restore”.

The file will then be uploaded, unpacked and verified by the ICC. If all is OK, it will then continue to restart the ICC services. Since the database was replaced, your login session will be cleared and you will need to log in again.

Successful restore

To verify that all went well you can, for example, check that the Station cards have appeared in the Stations view.

Do the swap

If any error messages showed up in the backup or restore logs on the Backup view, contact SYSCTL support. Do not proceed with the swap until you have cleared it with SYSCTL support.

Now that the data from the old ICC has been migrated to the new one, it is time to shut down the old ICC. After it has been shut down, change the IP address and hostname on the new ICC to finish the takeover. Reboot the new ICC and verify that the stations are able to communicate with the new ICC by checking the “Last seen” field on the station cards.

Troubleshooting

If you see the message “To access ICC you need to use a hostname, FQDN or ip configured in ALLOWED_HOSTS” in your web browser when browsing to the new ICC, you have not configured the IP and/or the hostname correctly. Double-check the hosts files, IP configuration and hostname. To set a new hostname:

# hostnamectl set-hostname somename.example.org
# systemctl restart impex-icc