Provision an App node to provide extra storage, memory, and CPU resources for your apps without impacting the processing capacity of your JSA Console. Applications such as UBA (User Behavior Analytics) require more resources than are currently available on the JSA Console.
Install an App Node by using the Node Management window on the JSA Admin tab. You can use any computer that runs RHEL 7.3 or CentOS 7.3 as an App Node. The node setup process installs and configures all the required software. Apps that are installed on the JSA Console are transferred to the App Node when you add the App Node.
JSA managed hosts cannot be used as App Nodes. You must use an external host with its own repository access for your App Node.
App Node Set-up Overview
Several steps are required to set up the App Node server and to transfer the apps from the JSA Console to the App Node.
The following steps provide an overview of setting up the App Node:
- Install the minimal version of CentOS 7.3 or RHEL 7.3
on a host that meets the App Node requirements.
Ensure that you allow 80% of disk space for the /store partition.
- Configure a packages repository for yum installation.
Consider making the local DVD drive a packages repository for yum
installations, and then create a directory for the mount point.
Verify that your repository works by typing the yum repolist command.
- Verify that the date and time are synchronized between
the App Node and the JSA Console.
You can use the timedatectl command to reset the time or configure NTP.
- Log in to the JSA Console and list your docker containers
by typing the following command:
Type the following command to list your apps on the JSA Console:
These apps are transferred to the App Node when you run the App Node setup. Run the same commands on the App Node to verify that the apps are transferred.
- Create an App Node user name and password on the App Node
and then configure password-less sudo access for this user.
Test the user name and password and then test sudo access.
- Verify that AllowTcpForwarding is configured as yes in the /etc/ssh/sshd_config file on the App Node.
- Follow the instructions for adding an App Node. The software that the App Node requires to manage the apps is installed during the setup. After you add the App Node, the App Node host name changes to control-01.
- Verify that the App Node is running the apps that were transferred from the JSA Console.
App Node Setup Requirements
To set up an App Node server that is separate from your JSA Console to offload the processing of apps in your deployment, your server must adhere to the minimum system requirements, such as required software, open ports, and operating system versions.
The App Node software is installed from the JSA Console. Any apps that are installed on the JSA Console are transferred onto your App Node when you first add a node.
You must not make configuration changes on the App Node, such as SSH or firewall configuration changes, that are not specified in this document, because they cause the App Node installation to fail.
To set up a physical server or VM as an App Node, use the following requirements:
App Node server specification
The server must have at least:
12 GB of memory
256 GB of storage
The operating system must be Red Hat Enterprise Linux (RHEL) 7.3 or CentOS 7.3. Use the minimal installation option because you connect to repositories for dependencies.
Operating System Repositories
Your App Node server must be able to access RHEL or CentOS repositories. Use yum to install OS package dependencies. Verify yum access by running the following command to connect to the repository: yum install <package>.
The protobuf RPM (RPM Package Manager) is not included in your enabled repositories for RHEL installations. You must ensure that the optional repository is enabled to install the protobuf RPM.
Type the following command to enable optional repositories:
subscription-manager repos --enable=rhel-7-server-optional-rpms
To list the repositories that you’re subscribed to, type the following command:
subscription-manager repos --list
Unlike the managed host, the App Node requires access to repositories for dependencies, which are downloaded from external sources, so it’s acceptable to install the minimal ISO for the operating system. This requirement contrasts with the managed host where all dependencies are included in the product installation media and software fixes.
A /store partition that uses approximately 80% of the available storage capacity.
App Node User Account
A dedicated App Node user account with passwordless sudo access for all commands that are run on the App Node. The App Node user account has a password but you configure sudo to work without a password.
The JSA Console uses the App Node user account and password to connect to the App Node. It's more efficient for the console to run commands on the App Node by using password-less sudo access.
You can use the root user account to access the App Node, but one advantage of using sudo over the root user account is that commands that are run are recorded in the system security audit log.
Time zone synchronization
The App Node server must be configured with the same time and time zone as your JSA Console.
Ports to open on the JSA Console and the App Node
Ports 1443 and 5443 must be open on any external firewalls from your JSA Console to the App Node.
Ports 5443 and 5444 must be open on any external firewalls from your App Node back to the JSA Console.
Umask value for the App Node user
You must not change the default umask value of 0022 for the App Node user. A different umask value might change the user read, write, execute, and search permissions for some files and directories on the app node, which might cause it to function incorrectly. Verify the umask value for the app user by using the umask command.
Federal Information Processing Standards (FIPS)
The App Node server does not work in Federal Information Processing Standard (FIPS) mode.
JSA Console and App Node performance
Place your App Node server and JSA Console in the same data center for the best performance.
Network Address Translation (NAT)
If you have an environment that uses Network Address Translation (NAT), both the JSA Console and the App Node must exist within the same NAT Group.
Verify that the AllowTcpForwarding parameter in the /etc/ssh/sshd_config file is configured as yes, which is the default setting.
Either of the following entries in the /etc/ssh/sshd_config file is acceptable:
AllowTcpForwarding yes
#AllowTcpForwarding yes
The App Node installation fails when the AllowTcpForwarding parameter is configured as no.
App Nodes and web proxy configuration
When your App Node is configured to use a web proxy, you must add a NO_PROXY configuration to the /etc/environment file to prevent the localhost and services, such as consul.service.consul and vault.service.consul, from making calls to the web proxy.
Add the following line (continuous) to the /etc/environment file:
NO_PROXY="<IP_Address_app_node_host>,localhost,127.0.0.1,zookeeper.service.consul,vault.service.consul,docker-registry.service.consul,marathon.service.consul,consul.service.consul,framework_app_proxy.service.consul,service-launcher.service.consul"
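The AllowTcpForwarding and NO_PROXY requirements above can be checked before you add the App Node. The following script is an added example, not part of the JSA product or its documentation; the function names are hypothetical, and it accepts only the value yes for AllowTcpForwarding, as this page requires.

```bash
#!/usr/bin/env bash
# Added example, not JSA code: pre-flight checks for two App Node requirements.

# Succeeds when the sshd_config copy in $1 leaves TCP forwarding as required
# above: sshd uses the first active value for a keyword, and a commented-out
# or missing line means the default (yes). Match blocks are not evaluated
# (assumption); `sshd -T` run as root reports the effective value.
tcp_forwarding_ok() {
    local value
    [ -r "$1" ] || return 2
    value=$(awk 'tolower($1) == "allowtcpforwarding" { print tolower($2); exit }' "$1")
    [ -z "$value" ] || [ "$value" = "yes" ]
}

# Prints each required NO_PROXY entry that is missing from the environment
# file $1. $2 is the App Node IP address. Entries are compared whole, so
# 10.0.0.15 in the file does not satisfy a node address of 10.0.0.1.
no_proxy_missing() {
    local list entry
    list=$(grep -E '^[[:space:]]*NO_PROXY=' "$1" | tail -n 1)
    list=",$(printf '%s' "${list#*=}" | tr -d '" \t'),"
    for entry in "$2" localhost 127.0.0.1 zookeeper.service.consul \
        vault.service.consul docker-registry.service.consul \
        marathon.service.consul consul.service.consul \
        framework_app_proxy.service.consul service-launcher.service.consul; do
        case "$list" in
            *",$entry,"*) ;;
            *) printf '%s\n' "$entry" ;;
        esac
    done
}

# With the App Node IP as the only argument, check the live files.
if [ "$#" -eq 1 ]; then
    tcp_forwarding_ok /etc/ssh/sshd_config || echo "AllowTcpForwarding is not yes"
    no_proxy_missing /etc/environment "$1" | sed 's/^/NO_PROXY is missing: /'
fi
```

Run it on the App Node with the node's IP address as the only argument; no output means both requirements are met.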
Creating the App Node User and Configuring password-less Sudo Access
Create the App Node user and password, and then configure sudo to be password-less for the App Node user for increased efficiency and security.
- Create an App Node user by typing the following commands:
- Type visudo to edit the /etc/sudoers file, and add the
following line at the end of the file:
<app_node_user> ALL=(ALL) <tab> NOPASSWD: ALL
The sudoers file contains the rules that users must follow when they use the sudo command.
- Save and close the file.
App Node Setup Help
During the setup you can use various commands to list and verify the status of Docker and your apps on JSA Console, and on the App Node when the setup is finished.
The following list shows helpful commands that you can use to help you with the App Node setup and to verify the app status:
Verify that sudo works without a password on the App Node
For example, sudo cat /etc/hosts
To test sudo access by using the root user account, type the following command:
sudo -u <appnodeuser> cat /etc/hosts
Connect to the App Node from the JSA Console
Use an SSH client such as Putty to connect to the App Node from the JSA Console.
For example, ssh <appnodeuser>@<App_Node_IP_address>
The following prompt for the App Node is shown: [appnodeuser@control-01 ~]$ or [root@control-01 ~]$ if you log in as the root user.
List your apps
Go to the /opt/qradar/support/ directory on the JSA Console and type the following command to list the installed apps:
Here's an example where the command is run from the /opt/qradar/support/ directory on the JSA Console:
[root@my_console support]# ./qapp_utils_730.py ps
Collecting app data........ Complete!
Id    Name               Container     Container Image           Container ip:port  Host ip:port          ABCDEFGHI
1053  QRadar App Editor  5dca41d9e5e1  qregi...1053:2.0-release  169.254.3.5:5000   126.96.36.199:25568   +++++++++
1054  Hello World -      3455555f3070  qregi.../qapp/1054:1.0.2  169.254.3.6:5000   188.8.131.52:7072     +++++++++
1055  QRadar Vuln app    b79118c4cb0   qregi...44/qapp/1055:1.0  169.254.3.3:5000   184.108.40.206:25600  +++++++++
When the apps are transferred to the App Node the Host ip:port reference changes from the JSA Console to the App Node.
Verify that docker containers are created on the App Node
On the App Node, type the following command:
Here's an example of the output:
3455555f30703c7641e042e1ddba9c3294174c2d4ed7a0108ef5d9282fcc1d49
364ee70aaee7237676a36ccf007d3664786b6192c545ca328c5512810606fe06
447142c433f59e2937ae4bae2395e23f90db0335deb8287fe6743ca0a864e14b
You can also run this command on your JSA Console before you set up the App Node to list your docker containers.
Verify that docker services are running
systemctl status docker
Accessing your app's command line
Access the command line of your installed apps by using the app's container ID.
Type the command /opt/qradar/support/qapp_utils_730.py ps to display a list of running app containers. The following output example shows an app that is installed and is running.
Id    Name               Container     Container Image           Container ip:port  Host ip:port          ABCDEFGHI
1053  QRadar App Editor  5dca41d9e5e1  qregi...1053:2.0-release  169.254.3.5:5000   220.127.116.11:25568  +++++++++
Type the following command to connect to an app:
/opt/qradar/support/qapp_utils_730.py connect <app_ID>
Here’s an example of the output:
Collecting app data........ Complete!
bash-4.1#
Go to the /store directory to view the app logs.
bash-4.1# ls
app  celery_worker  etc  lib64  proc  sbin  src_deps  store  usr
app_template  celeryd.conf  home  media  qpython  secret_env_unwrap.sh  srv  sys  var
bin  dev  init  mnt  root  selinux  start_container.sh  tmp
boot  dump.rdb  lib  opt  run.py  service_port_locator.py  start_flask.sh  upgradePath.sh
bash-4.1# cd store
bash-4.1# ls
log
bash-4.1# cd log
bash-4.1# ls
app.log  celery.log  startup.log  supervisord.log
bash-4.1#
Adding an App Node
To offload app processing from the JSA Console, add an App Node to your deployment. The App Node is an unmanaged host that is dedicated to running apps. You use the Node Management window in the JSA console Admin tab to add an App Node.
Before you can add an App Node:
You must install a host on your network that runs Red Hat Enterprise Linux version 7.3 or CentOS version 7.3.
You must provide the IP address of the host and a user account with sudo access.
For more information about setting up a server to act as an App Node, see App node set-up.
- On the Admin tab, click Node Management.
- To add an App Node, click Add on the Node
Management window and add the Node IP address, user and password.
The product then requires you to confirm host ssh key information for the node you are creating. The installation process takes up to 30 minutes to complete. For more information about the installation process as it is happening, click Details.
The App Node setup process moves any apps that you installed on the JSA console to the App Node.
The App Node changes the status of all apps that were running or stopped on the JSA console to a running state when they are moved.
You use the Extension Management window to install apps on the App Node that you set up. Any apps that you install in future are installed on the App Node, and not on the JSA console.
Removing an App Node
If you are doing maintenance, or are consolidating servers, you can remove an App Node from your deployment. Use the Node Management window on the Admin tab to remove App Nodes.
In the Node Management window, select the node that you want to remove in the Node Management table and click Remove.
To move apps from the App Node back to the JSA console, select the Revert to Console removal type.
The product attempts to move apps onto the JSA console if there is disk space available for them. The order in which apps are moved is determined by their size (including any associated data). The smallest apps are moved first. Because the available space for apps on the JSA console is likely to be less than on the App Node, you might not be able to transfer all your apps. Use the Extension Management window to delete any apps that you no longer require from the App Node before you select the Revert to Console removal option.
By default, up to 10% of the available memory on the JSA console, and up to 90% of the /store partition on the JSA console, is available for apps. If you revert many, or particularly resource-intensive, apps to the console, you might use up all of the available memory for apps.
To retain your apps on the App Node, select the Maintenance Mode removal type. Maintenance Mode removes the App Node entry from the Node Management table and stops the apps on the App Node. The apps are restarted when you add the App Node again.
For more information about the removal process as it is progressing, click Details.