Darksite Installation¶
The Anyware Trust Center can be installed in Darksites, without a connection to the public internet.
Requirements¶
The requirements to install a Trust Center listed here, are identical to the requirements for running the command to prepare a Trust Center Darksite bundle.
There are a few additional pre-requisites, given below:
- DNF software package manager is installed
- Docker CE 25.0.1 or greater is required (v25.0.0 had a bug with the "docker save" command)
- Internet connection is required
Info
For Darksite installation, the host preparing the bundler must have the following software:
-
Docker v25.0.1+
The Trust Center installer automatically installs Docker if it is not available on the machine. -
cURL
-
DNF
High-level Overview of Darksite Installation¶
Darksite installation involves these general steps:
- Create a temporary machine for preparing Anyware Trust Center for installation.
- Prepare Trust Center for installation
- Choose a domain name for connections to the Anyware Trust Center.
- Create a Darksite machine to host Anyware Trust Center.
- Configure DNS Records.
- Create a dummy gateway, if the machine does not already have a default gateway.
- Copy downloaded files to the Darksite machine
- Run the installation script
Info
- Ensure that there is no default route before running the commands.
- The FQDN entered as part of running the prepare command must be accessible within a local network.
Step I: Create a temporary internet-connected machine¶
This machine will be used to download files and create an installer. The bundler machine must meet minimum requirements.
Allowlist Cloudsmith IP Addresses¶
If you use an IP-based allowlist, we recommend your IT team add the following IP addresses to your allowlist:
- 34.252.163.216
- 52.208.86.0
- 108.129.59.129
- 18.224.75.239
- 18.216.17.80
- 3.135.162.154
- 35.163.82.210
- 52.24.213.62
- 54.203.138.156
- 3.104.99.235
- 52.62.115.207
- 13.55.231.43
These IP addresses are required by Cloudsmith for its content delivery network, and if they are not allowed, the Trust Center installation script cannot be downloaded from our website.
Step II: Prepare Trust Center for Installation¶
This procedure is completed from the temporary internet-connected machine:
- Go to the download website.
- If you are not already logged in, click Log in to download and authenticate your session.
- Click Downloads and scripts.
-
Read and accept the End-User License Agreement. Once the agreement has been accepted, the download form is shown:
-
Provide your chosen FQDN—recorded earlier—in the Trust Center Hostname (FQDN) field, and click Get installation script.
Note: FQDN field is optional
The FQDN value is required to run the installer, but you do not have to supply it here. If you leave this field blank, you must manually add the actual FQDN to the script command before executing it.
-
Under Darksite installation, copy the entire command displayed. There are two parts, and both are required: a curl command that downloads the installation script, and second command that executes the script.
Important: This script is time-limited
The generated command is valid for 1 hour. If the token expires before you run it, return to the download page and generate a new command. The time limit applies to running the prepare command, not installing the package. Once you have successfully generated the installation bundle, you can install the package at any time.
-
Run the following command to prepare a Trust Center Darksite bundle for installation:
Thesudo ./trust-center-ctl prepare install --fqdn <an fqdn> --token <JWT token from Step 1> --save-path <path to save the darksite bundle>
--save-path
flag is optional.
Once the operation completes, you should see 2 files in the current directory (or in the path specified by --save-path
):
- anyware-trust-center-bundle.tar
- anyware-trust-center-bundle.sha
Sample output of TC Prepare Command:¶
sudo ./trust-center-ctl prepare

Additional Notes for TC Prepare Command¶
Info
The correct version of k3s-selinux is now included in the Trust Center Darksite bundle.
-
Run
sestatus
to verify that SELinux is enabled on the VM and running. This is a requirement to enable k3s-selinux for K3s server. -
There is no expiry for the Trust Center Darksite bundle that is generated. It can be run anytime.
Step III: Choose a Fully Qualified Domain Name (FQDN)¶
The Anyware Trust Center requires 5 Fully Qualified Domain Names added to your DNS records. In this step, you're creating the base domain for the Anyware Trust Center, which will be used to construct the other 4 subdomains, which can either be an A record or a CNAME. You'll use this value in multiple locations during setup, so record the value and be ready to copy it.
Step IV: Create the Darksite Machine¶
Deploy a dedicated server to host the Anyware Trust Center. You must be able to transfer files to this machine, using USB drives, SSH, or another acceptable method.
The Anyware Trust Center requires a dedicated server with the following specifications (note that the network and software requirements are different from standard installations):
Requirement | |
---|---|
Operating System | • RHEL 8, 9 • Rocky Linux 9 • CentOS Stream 9 |
CPUs | 4 vCPUs |
Memory | 16GB RAM |
Disk | 120GB+, including 80GB+ disk space on /var for persistent volumes.On ESXi or similar hypervisors, the Trust Center does not support installation on Sparse (thin) provisioned disks. Please use raw or thick provisioned disks. |
Network | A default gateway is required, even without an internet connection. If the machine does not have one, a dummy route is required for installation. See Checking for a Default Gateway for instructions. |
Software | DNF |
Test Environment Specifications¶
The above minimum requirements were tested with the following specifications and hardware.
Requirement | |
---|---|
vCPUs | 4 |
Memory | 16GB RAM |
Memory per vCPU | 4GB |
Physical Processor | AMD EPYC 7571 |
Clock Speed | 2.5GHz |
CPU Architecture | x86_64 |
Older or slower servers may experience issues during installation, upgrades, or general use of the Trust Center. For optimal performance, we recommend using a modern CPU or allocating additional vCPU cores.
Step V. Create DNS Records¶
The Anyware Trust Center equires 5 Fully Qualified Domain Names (FQDN) added to your DNS records. In this step, you're creating the base domain under which all the other records will live.
An example of a base domain is as follows: my-trust-center.example.com A 1.2.3.4
Additionally, 4 other subdomain DNS records must be defined under this base domain name. Those can be either A records or a CNAMEs pointing to the same IP address of the Trust Center, or CNAMEs aliasing to the base Trust Center FQDN.
Example, using A records (all pointing to Trust Center IP 1.2.3.4):
api.my-trust-center.example.com A 1.2.3.4
endpoint-connector.my-trust-center.example.com A 1.2.3.4
ota.my-trust-center.example.com A 1.2.3.4
register.my-trust-center.example.com A 1.2.3.4
api.my-trust-center.example.com CNAME my-trust-center.example.com
endpoint-connector.my-trust-center.example.com CNAME my-trust-center.example.com
ota.my-trust-center.example.com CNAME my-trust-center.example.com
register.my-trust-center.example.com CNAME my-trust-center.example.com
If your organization's policy requires Trusted Zero Clients to be connected to the Trust Center at all times, these records must always be available.
For each of the following items, replace <domain-name>
with the domain name you recorded in the previous step.
-
<domain-name>
This is the root domain for your Trust Center. This is what is entered on Trusted Zero Clients if
anywaretrustcenter
is not configured on your LAN. -
api.<domain-name>
The api subdomain is used by Endpoint Management Systems to control the Trust Center. Sometimes, the EMS requires the api subdomain to be specified, but often only the { domain-name } is required.
-
endpoint-connector.<domain-name>
The endpoint-connector subdomain is used by Trusted Zero Clients to register and communicate with the Trust Center.
-
ota.<domain-name>
The ota subdomain is used by Clients to retrieve Over-the-Air updates from the Trust Center.
-
register.<domain-name>
The register subdomain is used by Trusted Zero Clients to onboard with the Trust Center.
Info
If you manually enter the Trust Center address, you can either:
- Provide the root domain name like this:
register.<domain-name>
. - Provide the root domain name without "register". In this scenario, "register" is added to the address as a prefix.
Important: Supporting Automatic Anyware Trust Center Discovery
If you plan to support automatic Anyware Trust Center discovery by endpoints, you must also create a CNAME record that redirects anywaretrustcenter
to register.<domain-name>
.
Example Illustrating the Use of trust-center.example.com¶
Using trust-center.example.com
as the base domain, you would create DNS records for the following:
trust-center.example.com
api.trust-center.example.com
endpoint-connector.trust-center.example.com
ota.trust-center.example.com
register.trust-center.example.com
This example shows a different DNS configuration using Windows DNS Manager:
Step VI: Verify or create a default gateway on the Darksite machine¶
The Anyware Trust Center requires a default gateway even when an internet connection is not present. If you are not sure whether your machine already has one, see Checking For a Default Gateway. below, for steps to check and to create one if necessary.
If the machine already has a default gateway, this step is not required.
Step VII: Copy downloaded files to the Darksite machine¶
The following files are created by the preparation script. Transfer all three files to the isolated machine that will host the Anyware Trust Center using any acceptable method, such as USB drive or SSH:
- trust-center-ctl
- anyware-trust-center-bundle.tar
- anyware-trust-center-bundle.sha
Place these files in a clearly identified location on the new machine; this will become your installation directory, and subsequent commands will be run there.
Once these files are transferred, the temporary machine is no longer needed.
Step VIII: Install Trust Center on the Darksite Machine¶
Open a terminal window and navigate to your installation directory (the location you used when you copied the installation files). Run the following command:
sudo ./trust-center-ctl install darksite
To validate the installation after it completes, run the following command:
sudo ./trust-center-ctl diagnose
All services should report healthy.
If the diagnostic process finds that the installation completed successfully, you will see log output as shown below, where all service information is indicated as "Health=Healthy". You will not see any "error" in the log.
If the diagnostic process finds that the installation did not complete successfully, you will see log output as shown below, where one or more services indicate an error with "ERROR ...... Health=Unhealthy".
The Trust Center may be unhealthy for the following reasons:
-
Some databases used in the Trust Center are not compatible with Sparse (thin) Virtual Disks. This incompatibility can lead to installation failures without clear error messages. If you encounter an installation failure and are using Sparse Disk Images, switch to Thick Disk Provisioning.
-
The firewall may be blocking k3s functionality. If this is the case, disable any firewall rules that could be obstructing k3s local network communications.
Sample output of Trust Center Darksite install:
sudo ./trust-center-ctl install darksite

After Installing¶
After installation completes, you can set up your management tool to interact and manage Trusted Zero Clients via the Anyware Trust Center.
Refer to the API documentation installed with the Anyware Trust Center for complete details.
Note: The administrator password is automatically generated
The administrator password is automatically generated by the Anyware Trust Center installer, and has the ability to create service account keys. The generated password is placed in the config.yaml
file in your installation directory.
<installation_folder>/config.yaml
:
global:
images:
registry: "docker.cloudsmith.io/teradici/trust-center"
username: "teradici/trust-center"
password: <repository password>
tc:
domain: <your domain>
password: <this is the auto-generated password>
endpointUpdate:
accessKey: <repository password>
repository: "teradici/trusted-zero-client"
After installation, run the following command to prepare a Trust Center Darksite bundle for upgrade:
trust-center-ctl prepare upgrade
To upgrade an existing Darksite Trust Center, run the following command:
trust-center-ctl upgrade darksite
Checking for a Default Gateway¶
The Anyware Trust Center requires a default gateway to be set on the Darksite machine, even without an internet connection.
To check whether a default gateway exists:
-
Open a console window, and run:
ip route | grep default
If the response looks similar to this example, then a default route already exists, and you can continue with installation:
default via 10.X.X.X dev ens5 proto dhcp src 10.X.X.X metric 100
-
If the response indicates that no default gateway is present, run the following commands to create a dummy route:
ip link add dummy0 type dummy ip link set dummy0 up ip addr add 203.0.113.254/31 dev dummy0 ip route add default via 203.0.113.255 dev dummy0 metric 1000
Info
Since a Darksite Trust Center cannot access external internet, OTA updates cannot be retrieved automatically. Therefore, the procedure for uploading OTA packages is slightly different.