
Air-gapped Install

An 'air-gapped' network generally refers to a network that is physically isolated from other networks as a security measure. In the context of a cloud-hosted installation, the term also refers to a virtual network configured without direct access to the internet and logically isolated from other virtual networks.

A standard installation of the Privacera Platform requires that the Privacera Manager installation host has access to the internet, first to install Docker and Docker Compose, and then, in a second step, to download Privacera components from Privacera component servers.

Once Privacera is installed and running, it requires communication with each target data resource or repository, as well as with attached authentication and directory services. However, it does not require internet access. That is, once the Privacera Platform is fully installed using Privacera Manager, outgoing internet ports 80 and 443 may be blocked.

Thus, the easiest approach for running in an isolated or tightly controlled network is to proceed with a 'normal' installation, allowing downloads directly to the Privacera Manager host and isolating it only after the initial downloads and installation. If this option is open to you, follow all instructions for installation and run Privacera Manager (CLI or GUI) as normal. Once installed, you can block or disconnect internet ports.

Using Intermediate System

If opening your Privacera Manager host to the internet, even temporarily, is not an option, start by downloading all necessary Privacera Platform, Docker, and Docker Compose components to an intermediate system, and then convey these components to your Privacera Manager host. Docker and Docker Compose must also be installed on the Privacera Manager host. In summary, the steps are:

  1. Create or provide a Privacera Manager host machine, as described in Create Privacera Manager Host, for your cloud or on-premises environment.

  2. Using an intermediate system that does have sufficient internet access:

    1. Download Docker and Docker Compose and install these to your Privacera Host machine.

    2. Download Privacera Manager and Privacera Platform components.

  3. Convey these components to your Privacera Manager host system or to an internal repository such as a Docker Hub repository.

  4. Configure Privacera Manager to use the local Docker repository for Privacera Platform components.

These steps are expanded below.

Download Packages and Images of Privacera Manager

  1. Obtain the following values from your Privacera technical sales representative:

    • PRIVACERA_HUB_USER
    • PRIVACERA_HUB_PASSWORD
    • PRIVACERA_IMAGE_TAG
    • PRIVACERA_BASE_DOWNLOAD_URL
    • PRIVACERA_MGR_TAG
    • PRIVACERA_MGR_BASE_DOWNLOAD_URL
  2. Obtain and install Docker and Docker Compose to the Privacera Manager host by first downloading an appropriate package to your intermediate system.

  3. On your intermediate system, download the following script. The script allows you to download all the images required for installing Privacera Manager, and upload them to an internal repository.

    wget https://privacera.s3.amazonaws.com/public/pm-scripts/airgap-pkg-download.sh
    
  4. Using the script, download Privacera Platform components (packaged as 'Docker images') to your intermediate system. You may download the complete set or, in consultation with your Privacera sales advisor, download a subset based on your licensing and local requirements.

    Core Components

    | Image Name | Description | Filename |
    |---|---|---|
    | privacera-manager | Privacera Manager (Installation Update) | privacera-manager.docker.gz |
    | privacera | Privacera Portal - Centralized Dashboard | privacera.docker.gz |
    | privacera_solr | Search engine for Privacera | privacera_solr.docker.gz |
    | zookeeper | Coordination and synchronization service | zookeeper.docker.gz |
    | ranger | Authorization and Authentication | ranger.docker.gz |
    | ranger-usersync | Data access user LDAP/AD importer | ranger-usersync.docker.gz |
    | ranger-tagsync | Discovery to Access Manager tags synchronization | ranger-tagsync.docker.gz |
    | auditserver | Audit/log server abstraction layer | auditserver.docker.gz |

    Internal Database

    | Image Name | Description | Filename |
    |---|---|---|
    | mariadb | Default configuration database | mariadb.docker.gz |

    Access Manager

    | Image Name | Description | Filename |
    |---|---|---|
    | dataserver | Proxy server based access control service | privacera_dataserver.docker.gz |
    | policysync | Policy-based access control service | privacera_policysync.docker.gz |

    Discovery

    | Image Name | Description | Filename |
    |---|---|---|
    | discovery | Discovery / Spark service for scanning and tagging data | discovery.docker.gz |
    | Kafka | Kafka service for real-time scanning | privacera-kafka.docker.gz |

    Encryption & Masking

    | Image Name | Description | Filename |
    |---|---|---|
    | ranger-kms | Apache Ranger KMS | ranger-kms.docker.gz |
    | privacera-peg | Privacera Encryption Gateway (PEG) Service | privacera-peg.docker.gz |

    Metrics and Monitoring

    | Image Name | Description | Filename |
    |---|---|---|
    | grafana | Statistics and monitoring | grafana.docker.gz |
    | graphiteapp | Statistics and monitoring | graphite.docker.gz |

    Other Components

    | Image Name | Description | Filename |
    |---|---|---|
    | flowable | BPMN Engine for Access Request workflow | privacera_flowable.docker.gz |
    | fluentd | Fluentd log/audit management | privacera_fluentd.docker.gz |

    Run the script.

    sudo chmod +x airgap-pkg-download.sh
    ./airgap-pkg-download.sh
    

    First, the script asks for the Privacera Base and Privacera Manager download URLs. It then lets you select which sets of images to download and move to the Privacera Manager host machine.

    The following is the sequence in which the script is executed:

    1. Enter the Privacera Base Download URL.
    2. Enter the Privacera Manager Download URL.
    3. Choose whether you want to download the images of Core Components.
    4. Choose whether you want to download the image of Internal Database.
    5. Choose whether you want to download the images of Access Manager.
    6. Choose whether you want to download the images of Discovery.
    7. Choose whether you want to download the images of Encryption and Masking.
    8. Choose whether you want to download the images of Statistics & Monitoring.
    9. Choose whether you want to download the images of Other Components.

      In the next two steps, you can choose either of the following:

      • Download packages and images to the PM host directly.

      • Download packages and images to an internal repository.

    10. Choose whether you want to copy the downloaded images to the PM host.

      1. Choose whether the remote user has passwordless access to the PM host.
      2. Enter the host name of the PM host.
      3. Enter the name of the remote user.
    11. Choose whether you want to upload the downloaded images to an internal repository such as a Docker Hub repository.

      1. Enter the Docker login URL.
      2. Enter the username.
      3. Enter the password.
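
Because the packages and images cross from the intermediate system to the PM host, a checksum manifest lets the PM host confirm that they arrived complete and unaltered. This is an added example, not part of the original page or of Privacera's tooling; the manifest name `SHA256SUMS` and the function names are assumptions, and it relies on GNU `sha256sum`.

```shell
#!/usr/bin/env bash
# Added example, not Privacera code. SHA256SUMS is an assumed manifest name.
MANIFEST_NAME="SHA256SUMS"

# Intermediate system: record a SHA-256 digest for every *.gz artifact in <dir>.
make_manifest() {
    (
        cd "$1" || exit 1
        ls ./*.gz >/dev/null 2>&1 || { echo "no .gz artifacts in $1" >&2; exit 1; }
        sha256sum ./*.gz > "$MANIFEST_NAME"
    )
}

# PM host: fail if a listed file is missing or altered, or if a .gz file
# is present that the manifest does not list.
verify_manifest() {
    (
        cd "$1" || exit 1
        [ -s "$MANIFEST_NAME" ] || { echo "manifest missing or empty" >&2; exit 1; }
        sha256sum --check --strict --quiet "$MANIFEST_NAME" >&2 || exit 1
        for f in ./*.gz; do
            [ -e "$f" ] || continue
            awk -v f="$f" '$2 == f { ok = 1 } END { exit !ok }' "$MANIFEST_NAME" ||
                { echo "unlisted artifact: $f" >&2; exit 1; }
        done
    )
}

# Command-line use: script.sh make <dir> | script.sh verify <dir>
case "${1:-}" in
    make)   make_manifest "${2:?directory required}" ;;
    verify) verify_manifest "${2:?directory required}" ;;
esac
```

Run `make` against the download folder on the intermediate system and `verify` against `~/privacera/downloads/images` on the PM host. Carry the manifest separately from the images, or sign it, so that a change to both does not go unnoticed.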

Configure Privacera Manager

  1. Create a Privacera Manager host.

  2. Configure core services.

    1. In a terminal window, connect to the cloud Linux instance using an SSH client. Follow the steps given in the links below.

    2. If you are going to use an internal repository to install Privacera, log in to the internal Docker repository. Obtain the <PRIVACERA_HUB_REPO_NAME> value, and substitute it and <PRIVACERA_HUB_USER> in the command below.

      docker login <PRIVACERA_HUB_REPO_NAME> -u <PRIVACERA_HUB_USER>
      
    3. Replace <PRIVACERA_MGR_BASE_DOWNLOAD_URL>, <PRIVACERA_MGR_TAG> and <PRIVACERA_HUB_REPO_NAME> below:

      export PRIVACERA_MGR_BASE_DOWNLOAD_URL=<PRIVACERA_MGR_BASE_DOWNLOAD_URL>
      export PRIVACERA_MGR_TAG=<PRIVACERA_MGR_TAG>
      export PRIVACERA_HUB_REPO_NAME=<PRIVACERA_HUB_REPO_NAME>
      
    4. The default installation folders for Privacera and Privacera Manager are '~/privacera' and '~/privacera/privacera-manager'. (If you use a different folder, adjust the commands and sequences accordingly.)

      Use the following sequence to create the installation folder and then, using wget, download and extract the privacera-manager components:

      mkdir -p ~/privacera/downloads
      cd ~/privacera/downloads
      wget $PRIVACERA_MGR_BASE_DOWNLOAD_URL/privacera-manager.tar.gz -O privacera-manager.tar.gz
      cd ~/privacera
      tar -zxf ~/privacera/downloads/privacera-manager.tar.gz
      

      The folder '~/privacera/privacera-manager' will contain all the required components.

    5. Create 'pm-env.sh', a shell script for future Privacera Manager upgrades.

      cd ~/privacera/privacera-manager/config
      echo '#!/bin/bash' > pm-env.sh
      echo "export  PRIV_MGR_PACKAGE=$PRIVACERA_MGR_BASE_DOWNLOAD_URL/privacera-manager.tar.gz" >> pm-env.sh
      echo "export  PRIV_MGR_IMAGE=$PRIVACERA_HUB_REPO_NAME/privacera-manager:$PRIVACERA_MGR_TAG" >> pm-env.sh
      
  3. Configure the environment.

  4. Configure the deployment mode.

  5. Configure the cloud platform.

  6. Configure Privacera Manager to use Air-Gap installation:

    1. If you are using Docker without an internal repository, then run the following command:

      cd ~/privacera/privacera-manager
      cp config/sample-vars/vars.airgap.install.yml config/custom-vars/
      
    2. If you are using an internal repository, then run the following commands:

      cd ~/privacera/privacera-manager
      cp config/sample.vars.privacera.yml config/vars.privacera.yml
      vi config/vars.privacera.yml
      

      Add the following property and enter your internal repository URL.

      privacera_hub_url: "www.your.internal.repo.url.com"
      
  7. Run the following commands.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

Upgrade Privacera Manager

A) If you are using Docker without an internal repository, then do the following:

  1. From your PM host, remove all the files in the downloads folder (~/privacera/downloads) and images folder (~/privacera/downloads/images).

  2. On the intermediate system, download the latest PM packages and copy them to the PM host.

  3. Verify that all the PM packages and images in their respective folders are the latest. Also verify that the release tag is updated in the pm-env.sh and vars.privacera.yml files.

  4. Run the commands.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh upgrade-manager
    
  5. Run the commands.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

B) If you are using an internal repository, then do the following:

  1. On the intermediate system, download the latest PM packages and upload them to the internal repository.

  2. Update the package URL and image tag with the new build number.

    Run the following command.

    cd ~/privacera/privacera-manager
    vi config/pm-env.sh
    

    Get the URLs for <PRIVACERA_PACKAGE_URL> and <PRIVACERA_HUB_REPO_NAME> from your Privacera sales representative, and then modify the build number for the following properties.

    export PRIV_MGR_PACKAGE=<PRIVACERA_PACKAGE_URL>/rel/rel_x.x.x.x/cloud/pm/privacera-manager.tar.gz
    export PRIV_MGR_IMAGE=<PRIVACERA_HUB_REPO_NAME>/privacera-manager:rel_x.x.x.x
    
  3. Update the download URL and image tag with the new build number.

    Run the following command.

    cd ~/privacera/privacera-manager
    vi config/vars.privacera.yml
    

    Edit the following properties

    PRIVACERA_IMAGE_TAG: "<PLEASE_CHANGE>"
    PRIVACERA_BASE_DOWNLOAD_URL: "<PLEASE_CHANGE>"
    
  4. Run the commands.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh upgrade-manager
    
  5. Run the commands.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
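
Step 3 of upgrade path A asks you to verify that the release tag is updated in pm-env.sh and vars.privacera.yml, and path B edits the same two properties by hand. The script below is an added example, not part of the original page or of Privacera Manager; it reads PRIV_MGR_IMAGE and PRIVACERA_IMAGE_TAG from the two files and compares each with the tag you expect, and its function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Privacera code. Function names are assumptions.

# Tag of PRIV_MGR_IMAGE in pm-env.sh: the text after the last ':' of the image
# reference, unless that text contains '/' (a registry port, not a tag).
pm_env_tag() {
    awk -F= '/^export[ \t]+PRIV_MGR_IMAGE=/ {
        v = $2; gsub(/[" \t]/, "", v); n = split(v, p, ":")
        t = (n > 1 && p[n] !~ /\//) ? p[n] : ""
    } END { print t }' "$1"
}

# Value of PRIVACERA_IMAGE_TAG in vars.privacera.yml, without quotes or comment.
vars_tag() {
    awk '/^PRIVACERA_IMAGE_TAG:/ {
        v = $0; sub(/^PRIVACERA_IMAGE_TAG:[ \t]*/, "", v)
        sub(/[ \t]*#.*$/, "", v); gsub(/"/, "", v); sub(/[ \t]+$/, "", v); t = v
    } END { print t }' "$1"
}

# Compare one tag with its expected value; placeholders get their own message.
check_tag() {   # args: label, actual, expected
    case $2 in
        "$3") return 0 ;;
        "" | *"<"* | *x.x.x*) echo "$1: tag missing or still a placeholder ('$2')" >&2 ;;
        *) echo "$1: tag is '$2', expected '$3'" >&2 ;;
    esac
    return 1
}

# args: manager tag, image tag, path to pm-env.sh, path to vars.privacera.yml
check_release_tags() {
    rc=0
    check_tag "pm-env.sh PRIV_MGR_IMAGE" "$(pm_env_tag "$3")" "$1" || rc=1
    check_tag "vars.privacera.yml PRIVACERA_IMAGE_TAG" "$(vars_tag "$4")" "$2" || rc=1
    return $rc
}
```

From `~/privacera/privacera-manager`, call `check_release_tags <PRIVACERA_MGR_TAG> <PRIVACERA_IMAGE_TAG> config/pm-env.sh config/vars.privacera.yml` before running `upgrade-manager`.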
    

Upgrade Solr Image from 8.5.1 to 8.7.0

A) Using Docker without an internal repository

  1. In the intermediate system, get the latest Solr image by downloading the privacera_solr.gz package. To download the latest packages, click here.

  2. Sync/copy the latest privacera_solr.gz package to the ~/privacera/downloads/images folder in PM host.

  3. On the PM host, add the following variable in config/vars.privacera.yml.

    SOLR_IMAGE_TAG: "8.7.0"
    
  4. Run the following command.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

B) Using the Internal Repository

  1. In the intermediate system, get the latest Solr image by downloading the privacera_solr.gz package. To download the latest packages, click here.

  2. Upload privacera_solr.gz package to the internal repository URL.

  3. On the PM host, add the following variable in config/vars.privacera.yml.

    SOLR_IMAGE_TAG: "8.7.0"
    
  4. Run the following command.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

Last update: July 30, 2021