Connect to Manager, REST API server
Connect to UI
Open a browser window, connect to the manager using HTTPS. After accepting the EULA, the user is able to access the UI.
Depending of the deployment method you chose, the manager address will be as follow |
-
Docker
-
Kubernetes without LoadBalancer or Ingress
-
LoadBalancer or Ingress configured
https://<manager_host_ip>:8443
https://<node_host_ip>:<NodePort>
https://<FQDN|IP>/
You can manage SUSE® Security from the Console or by using the REST API.
See below for cases where your corporate firewall blocks 8443. |
If your Chrome browser blocks the SUSE® Security self-signed certificate, see the next section on Chrome Certificate Upload. |
Connect to REST API Server
All operations in SUSE® Security can be invoked through the REST API instead of the console. The REST API server is part of the Controller/Allinone container. For details on the REST API, please see the section on Workflow and Automation.
Default username and password
admin:admin
After successful login, the admin user should update the account with a more secure password.
Creating Additional Users
New users can be added from the Settings → Users & Roles menu. There are predefined global roles in SUSE® Security:
-
Admin. Able to perform all actions except Federated policies.
-
Federated Admin. Able to perform all actions, including setting up Master/Remote clusters and Federated policies (rules). Only visible if Multi-cluster is enabled.
-
View Only (reader). No actions allowed, just viewing.
-
CI Integration (ciops). Able to perform CI/CD scanning integration tasks such as image scanning. This user role is recommended for use in build-phase scanning plug-ins such as Jenkins, Bamboo etc and for use in the REST API calls. It is limited to scanning functions and will not be able to do any actions in the console.
Users can be restricted to one or more namespaces using the Advanced Settings.
See the section Users & Roles for advanced user management and creation of custom roles.
Connection Timeout Setting
You can set the number of seconds which the console will timeout in the upper right of the console in My Profile → Session timeout. The default is 5 minutes and the maximum is 3600 seconds (1 hour).
Enabling HTTP for Manager
To disable HTTPS and enable HTTP access, add this to the Manager or Allinone yaml section in the environment variables section. For example, in Kubernetes:
- name: MANAGER_SSL
value: "off"
For OpenShift, also remove this setting from the Route section of the yaml:
tls:
termination: passthrough
This is useful if putting the manager behind a load balancer.
Enabling Access from Corporate Network Which Blocks 8443
If your corporate network does not allow access on port 8443 to the Manager console, you can create an ingress service to map it and allow access.
The SUSE® Security UI console is running as non-root user in the container, so it cannot listen on a port less than 1024. This is why it can’t be changed to 443. |
If you are trying to access the console from your corporate network. Here is the way to use the ClusterIP service and ingress HTTPS redirect to achieve that.
First, create a certificate for HTTPS termination. Here is an example:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=mycloud.domain.com" kubectl create secret tls neuvector-ingress-tls -n neuvector --key="tls.key" --cert="tls.crt"
Then, use the following yaml file to expose the 443 port that redirects the HTTPS connection to the manager.
apiVersion: v1
kind: Service
metadata:
name: neuvector-cluster-webui
namespace: neuvector
spec:
ports:
- port: 443
targetPort: 8443
protocol: TCP
type: ClusterIP
selector:
app: neuvector-manager-pod
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: neuvector-ingress-webui
namespace: neuvector
annotations:
ingress.mycloud.net/ssl-services: ssl-service=neuvector-cluster-webui
spec:
tls:
- hosts:
- cloud.neuvector.com
secretName: neuvector-ingress-tls
rules:
- host: cloud.neuvector.com
http:
paths:
- path:
backend:
serviceName: neuvector-cluster-webui
servicePort: 443
You will need to change the annotation for the ingress address from ingress.mycloud.net to your appropriate address.
This example uses the URL cloud.neuvector.com. After the ingress service is created, you can find it’s external IP. You then can configure the hosts file to point cloud.neuvector.com to that IP. After that, you should be able to browse to https://cloud.neuvector.com (the url you choose to use).
Using SSL Passthrough Instead of Redirect
To use TLS/SSL passthrough instead of the redirect example above (supported on some ingress controllers such as nginx), make sure the ingress controller is configured appropriated for passthrough, and the appropriate annotation is added to the ingress. For example,
annotations:
ingress.kubernetes.io/ssl-passthrough: "true"
Replacing the SUSE® Security Self-signed Certificates
Please see the next section Replacing the Self-Signed Certificates for details. The certificate must be replaced in both the Manager and Controller/Allinone yamls.
Configuring AWS ALB with Certificate ARN
Here is a sample ingress configuration using the AWS load balancer with the certificate ARN (actual ARN obfuscated).
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
# https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#healthcheck-path
alb.ingress.kubernetes.io/backend-protocol: HTTPS
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:596810101010:certificate/380b6abc-1234-408d-axyz-651710101010
alb.ingress.kubernetes.io/healthcheck-path: /
alb.ingress.kubernetes.io/healthcheck-protocol: HTTPS
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/success-codes: "301"
alb.ingress.kubernetes.io/target-type: instance
external-dns.alpha.kubernetes.io/hostname: eks.neuvector.com
kubernetes.io/ingress.class: alb
labels:
app: neuvector-webui-ingress
name: neuvector-webui-ingress
namespace: neuvector
spec:
tls:
- hosts:
- eks.neuvector.com
rules:
- http:
paths:
- backend:
serviceName: neuvector-service-webui
servicePort: 8443
path: /*