DarkSite Installation

Overview

The Anyware Trust Center can be installed in darksites, without a connection to the public internet.

Requirements

Existing Requirements for Preparing Trust Center

The requirements to install a Trust Center listed here, are identical to the requirements for running the command to prepare a Trust Center Darksite bundle, with a few additional pre-requisites:

• DNF software package manager is installed
• Docker CE 25.0.1 or greater is required (v25.0.0 had a bug with the "docker save" command)
• Internet connection is required

Info

For darksite installation, the host preparing the bundler must have the following software:

• Docker v25.0.1+
  The Trust Center installer automatically installs Docker if it is not available on the machine.

• cURL

• DNF

High-level Overview of Darksite Installation

Darksite installation involves these general steps:

1. Create a new VM to host the Anyware Trust Center.
2. Choose a domain name for connections to the Anyware Trust Center.
3. Configure DNS for the new machine.
4. Allowlist IP addresses that Cloudsmith uses for their content delivery network.
5. Create dummy gateway, if the machine does not already have a default gateway.
6. Create a temporary VM that will download the required files.
7. Get the installation script from our website.
8. Prepare Trust Center
9. Transfer the files to the production VM.
10. Run the installation script on the Anyware Trust Center machine.

Info

• Ensure that there is no default route before running the commands.
• The FQDN entered as part of running the prepare command must be accessible within a local network.

1. Create the Darksite Machine

Deploy a dedicated server to host the Anyware Trust Center. You must be able to transfer files to this machine, using USB drives, SSH, or another acceptable method.

The Anyware Trust Center requires a dedicated server with the following specifications (note that the network and software requirements are different from standard installations):

Requirement
Operating System	• RHEL 8, 9 • Rocky Linux 9 • CentOS Stream 9
CPUs	4 vCPUs
Memory	16GB RAM
Disk	120GB+, including 80GB+ disk space on /var for persistent volumes. On ESXi or similar hypervisors, the Trust Center does not support installation on Sparse (thin) provisioned disks. Please use raw or thick provisioned disks.
Network	A default gateway is required, even without an internet connection. If the machine does not have one, a dummy route is required for installation. See Checking for a Default Gateway for instructions.
Software	DNF

Test Environment Specifications

The above minimum requirements were tested with the following specifications and hardware.

Requirement
vCPUs	4
Memory	16GB RAM
Memory per vCPU	4GB
Physical Processor	AMD EPYC 7571
Clock Speed	2.5GHz
CPU Architecture	x86_64

Older or slower servers may experience issues during installation, upgrades, or general use of the Trust Center. For optimal performance, we recommend using a modern CPU or allocating additional vCPU cores.

2. Choose a Domain Name

The Anyware Trust Center requires 5 domain names added to your DNS records. In this step, you're creating the base domain for the Anyware Trust Center, which will be used to construct the other 4 subdomains. You'll use this value in multiple locations during setup, so record the value and be ready to copy it.

In this procedure, we will use trust-center.example.com to demonstrate the domain name, and how it is leveraged to create the other required values.

3. Create DNS Records

Once your new dedicated server has been created, you must set up the following DNS A records that point to it. For each of the following items, replace <domain-name> with the domain name you recorded in the previous step.

• <domain-name>

  This is the root domain for your Trust Center. This is what is entered on Trusted Zero Clients if anywaretrustcenter is not configured on your LAN.

• api.<domain-name>

  The api subdomain is used by Endpoint Management Systems to control the Trust Center. Sometimes, the EMS requires the api subdomain to be specified, but often only the { domain-name } is required.

• endpoint-connector.<domain-name>

  The endpoint-connector subdomain is used by Trusted Zero Clients to register and communicate with the Trust Center.

• ota.<domain-name>

  The ota subdomain is used by Clients to retrieve Over-the-Air updates from the Trust Center.

• register.<domain-name>

  The register subdomain is used by Trusted Zero Clients to onboard with the Trust Center.

Info

If you manually enter the Trust Center address, you can either:

• Provide the root domain name like this: register.<domain-name>.
• Provide the root domain name without "register". In this scenario, "register" is added to the address as a prefix.

Important: Supporting automatic Anyware Trust Center discovery

If you plan to support automatic Anyware Trust Center discovery by endpoints, you must also create a CNAME record that redirects anywaretrustcenter to register.<domain-name>.

Example Illustrating Use of trust-center.example.com

Using trust-center.example.com as the base domain, you would create DNS records for the following:

• trust-center.example.com
• api.trust-center.example.com
• endpoint-connector.trust-center.example.com
• ota.trust-center.example.com
• register.trust-center.example.com

This example shows a different DNS configuration using Windows DNS Manager:

4. Allowlist Cloudsmith IP Addresses

If you use an IP-based allowlist, we recommend your IT team add the following IP addresses to your allowlist:

• 34.252.163.216
• 52.208.86.0
• 108.129.59.129
• 18.224.75.239
• 18.216.17.80
• 3.135.162.154
• 35.163.82.210
• 52.24.213.62
• 54.203.138.156
• 3.104.99.235
• 52.62.115.207
• 13.55.231.43

These IP addresses are required by Cloudsmith for its content delivery network, and if they are not allowed, the Trust Center installation script cannot be downloaded from our website.

5. Verify or create a default gateway on the darksite machine

The Anyware Trust Center requires a default gateway even when an internet connection is not present. If you are not sure whether your machine already has one, see Checking For a Default Gateway. below, for steps to check and to create one if necessary.

If the machine already has a default gateway, this step is not required.

6. Create a temporary internet-connected machine

This machine will be used to download files and create an installer. The bundler machine must meet minimum requirements.

7. Download the installation package and scripts

This procedure is completed from the temporary internet-connected machine:

1. Go to the download website.
2. If you are not already logged in, click Log in to download and authenticate your session.
3. Click Downloads and scripts.

4. Read and accept the End-User License Agreement. Once the agreement has been accepted, the download form is shown:

   

5. Provide your chosen FQDN—recorded earlier—in the Trust Center Hostname (FQDN) field, and click Get installation script.

   Note: FQDN field is optional

   The FQDN value is required to run the installer, but you do not have to supply it here. If you leave this field blank, you must manually add the actual FQDN to the script command before executing it.

6. Under Dark site installation, copy the entire command displayed. There are two parts, and both are required: a curl command that downloads the installation script, and second command that executes the script.

   

   The following command prepares a Trust Center darksite bundle for installation:

   sudo ./trust-center-ctl prepare install --fqdn {trust-center-FQDN} --token {jwt token}

8. Running the Trust Center Prepare Command

1. Obtain a JWT token from https://docs.teradici.com/find/product/anyware-trusted-endpoints/2023.12/anyware-trust-center.
2. Provision a VM for running the TC prepare command.
3. Use SCP to copy trust-center-ctl binary into VM, and then SSH into VM.

4. Run the following command:

   sudo ./trust-center-ctl prepare install --fqdn <an fqdn> --token <JWT token from Step 1> --save-path <path to save the darksite bundle>

   The --save-path flag is optional.

5. Once the operation completes, you should see 2 files in the current directory (or in the path specified by --save-path):

   • anyware-trust-center-bundle.tar
   • anyware-trust-center-bundle.sha

   Important: This script is time-limited

   The generated command is valid for 1 hour. If the token expires before you run it, return to the download page and generate a new command. The time limit applies to running the prepare command, not installing the package. Once you have successfully generated the installation bundle, you can install the package at any time.

Sample output of TC Prepare Command:

sudo ./trust-center-ctl prepare

Additional Notes for TC Prepare Command

• Depending on the original setup of the VM, container-selinux package may or may not be installed.
  • k3s-selinux package has container-selinux as a dependency. however, we are locking the version of k3s-selinux, but not the version of container-selinux. This is only an issue if the latest version of container-selinux pulled is not compatiable with v1.4.1 (the current version of k3s-selinux)
  • if the correct repo with k3s-selinux, is already added (this is not implemented within the prepare command), then the prepare command will automatically pull the latest stable version of k3s-selinux
  • Failed to download k3s-selinux from repository, trying alternate provider - This is the step that checks whether k3s-selinux is available from one of the repositories added. If not, downloads directly from a remote repo.
• Run sestatus to verify that SELinux is enabled on the VM and running. This is a requirement to enable k3s-selinux for K3s server.
• There are a few long running operations without a progress indicator, we can decide whether it is necessary.
• We use the sha256sum linux tool to generate the checksum of the tarball. We can add this as a requirement if it is not installed by default.
• The JWT token obtained from the Onboarding JWT Issuer is immediately used by the prepare command to retrieve the TC Reg Cert. That means that there is no expiry for the Trust Center Darksite bundle that is generated i.e. it can be run anytime.

9. Copy downloaded files to the darksite machine

The following files are created by the preparation script. Transfer all three files to the isolated machine that will host the Anyware Trust Center using any acceptable method, such as USB drive or SSH:

• trust-center-ctl
• anyware-trust-center-bundle.tar
• anyware-trust-center-bundle.sha

Place these files in a clearly identified location on the new machine; this will become your installation directory, and subsequent commands will be run there.

Once these files are transferred, the temporary machine is no longer needed.

10. Install Trust Center on the Darksite Machine

Open a terminal window and navigate to your installation directory (the location you used when you copied the installation files). Run the following command:

sudo ./trust-center-ctl install darksite

The command installs a new darksite Trust Center.

To validate the installation after it completes, run the following command:

sudo ./trust-center-ctl diagnose

All services should report healthy.

If the diagnostic process finds that the installation completed successfully, you will see log output as shown below, where all service information is indicated as "Health=Healthy". You will not see any "error" in the log.

If the diagnostic process finds that the installation did not complete successfully, you will see log output as shown below, where one or more services indicate an error with "ERROR ...... Health=Unhealthy".

The Trust Center may be unhealthy for the following reasons:

• Some databases used in the Trust Center are not compatible with Sparse (thin) Virtual Disks. This incompatibility can lead to installation failures without clear error messages. If you encounter an installation failure and are using Sparse Disk Images, switch to Thick Disk Provisioning.

• The firewall may be blocking k3s functionality. If this is the case, disable any firewall rules that could be obstructing k3s local network communications.

Sample output of Trust Center Darksite install:

sudo ./trust-center-ctl install darksite

After Installing

After installation completes, you can set up your management tool to interact and manage Trusted Zero Clients via the Anyware Trust Center.

Refer to the API documentation installed with the Anyware Trust Center for complete details.

Note: The administrator password is automatically generated

The administrator password is automatically generated by the Anyware Trust Center installer, and has the ability to create service account keys. The generated password is placed in the config.yaml file in your installation directory.

<installation_folder>/config.yaml:

global:
images:
    registry: "docker.cloudsmith.io/teradici/trust-center"
    username: "teradici/trust-center"
    password: <repository password>
tc:
    domain: <your domain>
    password: <this is the auto-generated password>
    endpointUpdate: 
      accessKey: <repository password>
      repository: "teradici/trusted-zero-client"

After installation, run the following command to prepare a Trust Center darksite bundle for upgrade:

trust-center-ctl prepare upgrade

To upgrade an existing darksite Trust Center, run the following command:

trust-center-ctl upgrade darksite

Checking for a Default Gateway

The Anyware Trust Center requires a default gateway to be set on the darksite machine, even without an internet connection.

To check whether a default gateway exists:

1. Open a console window, and run:

   ip route | grep default
   

   If the response looks similar to this example, then a default route already exists, and you can continue with installation:

   default via 10.X.X.X dev ens5 proto dhcp src 10.X.X.X metric 100
   

2. If the response indicates that no default gateway is present, run the following commands to create a dummy route:

   ip link add dummy0 type dummy
   ip link set dummy0 up
   ip addr add 203.0.113.254/31 dev dummy0
   ip route add default via 203.0.113.255 dev dummy0 metric 1000