Installing the Agent
Ensure that you have followed the instructions on the linked prerequisites page before proceeding with the installation. Perform the following steps to install the agent:
- Open a terminal and run the following command to pull the SafeNet App Gateway image:
docker pull artifactory.thalesdigital.io/docker-public/application-gateway:latest
- Download the docker-compose.yml file from the link on this page.
- Update the downloaded docker-compose.yml file according to your preferred configuration. You can modify the following fields:
  - container_name
    Default value: application-gateway
  - ADMIN_CONSOLE_USER
    Default value: admin
  - ADMIN_CONSOLE_PASSWORD
    Default value: admin
    Change this value before the first start: the default credentials are published in this guide, and the admin console has full control of the gateway.
  - ENABLE_SSL
    Default value: true
  - [Optional] volumes: mounts the directory of custom plugin scripts into the container. Uncomment the volumes field in the docker-compose file and set it to:
    <source_directory_path>:/usr/local/thales/safeNetApplicationGateway/src/customPlugins
    where source_directory_path is the local directory in which the custom plugin scripts are stored.
  - Default port mappings (host port:container port):
    - 443:9443: serves requests from users and proxies the connection to internal services.
    - 8443:8443: used for administrator tasks, for example configuring SafeNet App Gateway. Port 8443 must not be publicly exposed: allow traffic from authorized networks only, or restrict the admin console to the local server by binding the published port to localhost, for example 127.0.0.1:8443:8443.
- Run the following command to create the container from the docker-compose.yml file:
docker-compose up -d
The default protocol is HTTPS. To run the agent over HTTP instead, update the following in the docker-compose.yml file:
> Set ENABLE_SSL="false"
> Replace the port mapping 443:9443 with 80:8080
Use HTTP only when TLS is terminated in front of the gateway (for example, by a load balancer); otherwise user traffic to port 80, including any credentials it carries, is sent in the clear.
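As an added example (not part of the Thales documentation or of the downloaded compose file), the following shell script checks a docker-compose.yml for the three settings above that most often ship as insecure defaults: the default admin password, ENABLE_SSL turned off, and the admin-console port published on all interfaces instead of 127.0.0.1. The layout of the two embedded sample files is assumed (the real downloaded file may differ), and the checks are line-based sed matches rather than a YAML parser.

```shell
#!/bin/sh
# Pre-deployment audit of a SafeNet App Gateway docker-compose.yml.
# This is an added example, not Thales's own tooling. It reads the keys the
# install guide says you may edit (ADMIN_CONSOLE_PASSWORD, ENABLE_SSL, the
# 8443 port mapping) with sed; it is a line-based check, not a YAML parser,
# so it assumes the "- KEY=VALUE" and "- host:container" forms used below.

# Read the value of an environment entry written as "- KEY=VALUE".
compose_env_value() {  # $1 = file, $2 = key
  sed -n "s/^[[:space:]]*-[[:space:]]*$2=//p" "$1" | tr -d '"'"'" | head -n 1
}

# Print the host side of the admin-console mapping, e.g. "8443" or
# "127.0.0.1:8443"; prints nothing if no mapping to container port 8443 exists.
compose_admin_binding() {  # $1 = file
  sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\(.*\):8443"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Audit one compose file. Prints findings to stderr and returns their count,
# so a return value of 0 means "nothing to fix".
audit_compose() {  # $1 = file
  file=$1
  findings=0

  pw=$(compose_env_value "$file" ADMIN_CONSOLE_PASSWORD)
  if [ -z "$pw" ] || [ "$pw" = admin ]; then
    echo "FINDING: ADMIN_CONSOLE_PASSWORD is unset or still the default 'admin'" >&2
    findings=$((findings + 1))
  fi

  ssl=$(compose_env_value "$file" ENABLE_SSL)
  if [ "$ssl" != true ]; then
    echo "FINDING: ENABLE_SSL=$ssl; the user-facing port will serve plain HTTP" >&2
    findings=$((findings + 1))
  fi

  bind=$(compose_admin_binding "$file")
  case $bind in
    127.0.0.1:*|localhost:*) ;;   # admin console reachable from the host only
    '') ;;                        # not published at all: also acceptable
    *)
      echo "FINDING: admin console 8443 is published on all interfaces ($bind); use 127.0.0.1:8443:8443" >&2
      findings=$((findings + 1)) ;;
  esac

  return $findings
}

# Constructed sample files (assumed layout; the downloaded file may differ).
write_default_compose() {  # $1 = destination path; the guide's defaults, unmodified
  cat > "$1" <<'EOF'
services:
  application-gateway:
    image: artifactory.thalesdigital.io/docker-public/application-gateway:latest
    container_name: application-gateway
    environment:
      - ADMIN_CONSOLE_USER=admin
      - ADMIN_CONSOLE_PASSWORD=admin
      - ENABLE_SSL=true
    ports:
      - "443:9443"
      - "8443:8443"
EOF
}

write_hardened_compose() {  # $1 = destination path; the same file after hardening
  cat > "$1" <<'EOF'
services:
  application-gateway:
    image: artifactory.thalesdigital.io/docker-public/application-gateway:latest
    container_name: application-gateway
    environment:
      - ADMIN_CONSOLE_USER=gw-admin
      - ADMIN_CONSOLE_PASSWORD=${GW_ADMIN_PASSWORD}
      - ENABLE_SSL=true
    ports:
      - "443:9443"
      - "127.0.0.1:8443:8443"
EOF
}

# Usage: sh audit-compose.sh docker-compose.yml   (exit status = number of findings)
if [ -n "${1:-}" ]; then
  audit_compose "$1"
fi
```

The hardened sample takes the password from a compose variable (`${GW_ADMIN_PASSWORD}`, supplied through the environment or a .env file) so that the secret is not committed alongside the compose file, and binds 8443 to 127.0.0.1 so that the admin console is only reachable from the host or through an SSH tunnel.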
- [Optional] You can edit the iptables rules to restrict access to the admin console by source IP address. Docker publishes port 8443 through an ACCEPT rule in the DOCKER chain of the host firewall; the commands below replace that rule (rule 1 in the examples) with one that matches only the allowed source. Run the following command on the host machine to:
  - Restrict access to a specific IP address:
sudo iptables -R DOCKER 1 -p tcp --source <source_ip> --destination <destination_ip> --dport 8443 -j ACCEPT
For example,
sudo iptables -R DOCKER 1 -p tcp --source 10.164.44.244 --destination 172.19.0.2 --dport 8443 -j ACCEPT
The above command restricts access to port 8443 to 10.164.44.244 and blocks all other IP addresses.
  - Restrict access to a range of IP addresses:
sudo iptables -R DOCKER 1 -p tcp --source 10.164.44.0/24 --destination <destination_ip> --dport 8443 -j ACCEPT
For example,
sudo iptables -R DOCKER 1 -p tcp --source 10.164.44.0/24 --destination 172.19.0.2 --dport 8443 -j ACCEPT
The above command restricts access to port 8443 to the 10.164.44.0/24 range (10.164.44.*).
By default, all IP addresses are allowed to access the admin console.
Before running these commands, check the rule number and the container's address with sudo iptables -L DOCKER -n --line-numbers: the ACCEPT rule for port 8443 is rule 1 only if it is the first rule in the chain, and <destination_ip> is the container's address on the Docker bridge network, which can change when the container is recreated. Docker also rewrites its DOCKER-chain rules when the container is stopped and started, so re-check and re-apply the restriction afterwards.
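The commands above hard-code rule number 1 and the container address 172.19.0.2. As an added example, not Thales's tooling, the following shell functions take the output of sudo iptables -L DOCKER -n --line-numbers, locate the ACCEPT rule for container port 8443, and print the matching -R command, so that the rule number and destination come from the live chain rather than from a guess. The embedded chain listing is constructed sample output; its column layout is assumed to match what iptables prints for -L -n --line-numbers, and the container address is assumed.

```shell
#!/bin/sh
# Locate the DOCKER-chain ACCEPT rule for the admin console and build the
# narrowed replacement. Added example, not Thales's own tooling. It assumes the
# column layout of "iptables -L DOCKER -n --line-numbers" shown in the sample:
# num target prot opt source destination [match], with the port match last.

# Constructed sample of `sudo iptables -L DOCKER -n --line-numbers` on a host
# running the default compose file. The container address 172.19.0.2 and the
# rule order are assumed; note that here the 8443 rule is deliberately NOT rule 1.
SAMPLE_DOCKER_CHAIN='Chain DOCKER (2 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            172.19.0.2           tcp dpt:9443
2    ACCEPT     tcp  --  0.0.0.0/0            172.19.0.2           tcp dpt:8443'

# Print "<rule number> <destination>" for the ACCEPT rule matching the given
# container port, or nothing if there is none.
docker_rule_for_port() {  # $1 = chain listing, $2 = container port
  printf '%s\n' "$1" | awk -v port="$2" \
    '$2 == "ACCEPT" && $NF == ("dpt:" port) { print $1, $6; exit }'
}

# Print the iptables -R command that replaces the 8443 ACCEPT rule with one
# limited to a single source IP or CIDR. Returns 1 if no such rule exists:
# running -R against a guessed rule number would silently replace some other
# rule instead of restricting the admin console.
restrict_admin_rule() {  # $1 = chain listing, $2 = allowed source IP or CIDR
  rule=$(docker_rule_for_port "$1" 8443)
  num=${rule%% *}
  dst=${rule##* }
  if [ -z "$num" ]; then
    echo "no ACCEPT rule for dpt:8443 in the DOCKER chain; is the container running?" >&2
    return 1
  fi
  printf 'sudo iptables -R DOCKER %s -p tcp --source %s --destination %s --dport 8443 -j ACCEPT\n' \
    "$num" "$2" "$dst"
}

# Usage: restrict_admin_rule "$(sudo iptables -L DOCKER -n --line-numbers)" 10.164.44.0/24
# Prints the command for the live chain; append "| sh" to apply it, then re-run
# the -L listing to confirm that the source column now shows the allowed range.
```

Against the sample listing the function produces `sudo iptables -R DOCKER 2 ...` rather than rule 1, which is exactly the case in which copying the guide's command verbatim would have replaced the 9443 user-facing rule instead.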
- Run the following command to follow the container's log:
docker logs -f <container-name>
By default, the agent does not write sensitive information to its logs. Because the administrator has full control of the agent, including its logging and custom plugins, it is recommended that administrators make sure no sensitive data ends up in the logs.
Installation for High Availability (HA) Setup
The latest version of SafeNet App Gateway can also be installed to meet High Availability (HA) requirements and supports the following two configuration methods:
Thales has tested SafeNet App Gateway with AWS Elastic Beanstalk, but it is expected to work with equivalent services from other cloud providers.
For more information on configuration and prerequisites, see: https://www.thalesdocs.com/sta/operator/applications/app-gateway-aws-beanstalk/index.html.