📙 You will learn
By default, ThreadFix installs with a database deployed inside a container with the appropriate values already set. The following instructions cover installation of ThreadFix with an external database or other advanced database configurations.
Prerequisites
Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 25 minutes
Tools required: SQL Server Management Studio or Kubernetes cluster with mssql-tools container
Requirements:
Microsoft SQL Server >= 2017
FQDN or IP for the SQL server
Account with Administrative access to SQL Server
Account with permissions to modify SQL Server configuration
Helm installations are configured with yaml files that override default properties. The following examples are applied by appending `-f` and the name of the yaml file to the helm installation command. For example, if the yaml file is named `appsec-db.yaml`, invoke with `helm install tf denimgroup/threadfix -f appsec-db.yaml`.
Info |
---|
Infrastructure Database only supports MySQL, with the MySQL requirements being the same as AppSec’s. |
Configuring External AppSec Database
The following properties must be set for the database to function correctly. Consult vendor guides for how to properly set these values.
Log into SQL Server
If SQL Server Management Studio is installed, it may be run directly.
If SQL Server Management Studio CLI is not installed, the ThreadFix Kubernetes cluster may be leveraged to run the SQL Server CLI:
```bash
kubectl run -it --restart=Never --rm=true --image=mcr.microsoft.com/mssql-tools mssql-tools -- /bin/bash
```
When a bash prompt appears, run the SQL Server CLI (replace values in angle brackets, `<>`, with their appropriate values):
```bash
sqlcmd -U <user> -S <hostname>
```
Create the ThreadFix database.
```sql
CREATE DATABASE threadfix;
GO
```
Set the following values for the ThreadFix database.
```sql
ALTER DATABASE threadfix SET READ_COMMITTED_SNAPSHOT ON
GO
ALTER DATABASE threadfix SET ALLOW_SNAPSHOT_ISOLATION ON
GO
```
Create the ThreadFix user (replace values in angle brackets, `<>`, with appropriate values).
```sql
CREATE LOGIN ThreadFix WITH PASSWORD = '<threadfix-user-password>';
GO
```
Grant access to the ThreadFix user.
```sql
USE threadfix;
GO
CREATE USER ThreadFix FOR LOGIN ThreadFix;
GO
exec sp_addrolemember 'db_owner', 'ThreadFix';
GO
```
Exit SQL Server.
Create External Database Helm Values
To review the prerequisites for hosting an SQL Server ThreadFix database externally, please refer to the Windows SQL Server Configuration guide.
Create two files, `username.txt` and `password.txt`, containing the username and password credentials respectively for the external database.
Warning: The external database must already contain the database `threadfix`, and the username and password configured above must be granted ownership permissions on that database.
Warning: Many text editing tools insert a trailing newline character, `\n`, to text files by default. If the text editor being used has this property, consult the documentation on how to disable this functionality.
Validate no newline characters have been added to the username and password files. The following should output 0 for both files.
```bash
wc -l username.txt password.txt
```
Create a Kubernetes secret for the external database:
```bash
kubectl create secret generic db-user-pass --from-file=username=./username.txt --from-file=password=./password.txt
```
Remove the previously created files.
```bash
rm username.txt
rm password.txt
```
Set the FQDN or IP of the database (replace `<hostname>` with the FQDN or IP of the database):
```bash
DB_HOSTNAME=<hostname>
```
Set the name of the ThreadFix database (default `threadfix`).
```bash
DB_NAME=<db_name>
```
Create myValues folder (if it does not exist).
```bash
mkdir -p myValues
```
Create appsec-db.yaml.
```bash
echo "appsec:
  db:
    type: sqlserver
    existingSecret: db-user-pass
    globallyQuoted: true
    hostnameOverride: $DB_HOSTNAME
    database: $DB_NAME
auth:
  db:
    type: sqlserver
    existingSecret: db-user-pass
    globallyQuoted: true
    hostnameOverride: $DB_HOSTNAME
    database: $DB_NAME
## 3.1 only
appsecdata:
  db:
    type: sqlserver
    existingSecret: db-user-pass
    globallyQuoted: true
    hostnameOverride: $DB_HOSTNAME
    database: $DB_NAME
appsecimporter:
  db:
    type: sqlserver
    existingSecret: db-user-pass
    globallyQuoted: true
    hostnameOverride: $DB_HOSTNAME
    database: $DB_NAME
appsecvip:
  db:
    type: sqlserver
    existingSecret: db-user-pass
    globallyQuoted: true
    hostnameOverride: $DB_HOSTNAME
    database: $DB_NAME
queue:
  db:
    type: sqlserver
    existingSecret: db-user-pass
    globallyQuoted: true
    hostnameOverride: $DB_HOSTNAME
    database: $DB_NAME
jobcoordinator:
  db:
    type: sqlserver
    existingSecret: db-user-pass
    globallyQuoted: true
    hostnameOverride: $DB_HOSTNAME
    database: $DB_NAME
" > myValues/appsec-db.yaml
```
Finish any other tasks from the Installation Checklist, then Install with Helm.
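A stricter form of the `wc -l` check on `username.txt` and `password.txt` from the secret-creation steps above, as an added example that is not part of the ThreadFix documentation. It goes beyond the page's check by also rejecting an empty file and a lone carriage return, which `wc -l` reports as 0; the function names are hypothetical.

```bash
# Added example, not part of the ThreadFix documentation.
# username.txt / password.txt follow the page; function names are hypothetical.

# Return 0 only if the file is non-empty and contains no LF or CR byte.
# `wc -l` counts LF only, so it passes an empty file or one ending in a lone CR.
check_secret_file() {
  [ -s "$1" ] || { echo "$1: missing or empty" >&2; return 1; }
  _n=$(( $(tr -cd '\n\r' < "$1" | wc -c) ))
  [ "$_n" -eq 0 ] || { echo "$1: $_n LF/CR byte(s) found" >&2; return 1; }
}

# Rewrite the file without trailing LF/CR bytes and restrict it to the owner.
# Interior line breaks are kept, so check_secret_file still rejects them.
strip_trailing_eol() {
  _v=$(cat "$1")                 # command substitution drops trailing LFs
  _cr=$(printf '\r')
  _nl='
'
  while :; do
    case $_v in
      *"$_cr" | *"$_nl") _v=${_v%?} ;;
      *) break ;;
    esac
  done
  printf '%s' "$_v" > "$1"
  chmod 600 "$1"
}

# Check both credential files in a directory; non-zero if either is unusable.
check_db_secret_files() {
  _rc=0
  for _f in "$1/username.txt" "$1/password.txt"; do
    check_secret_file "$_f" || _rc=1
  done
  return "$_rc"
}
```

Run `check_db_secret_files .` in the directory holding the two files before the `kubectl create secret` step, and create the secret only if it returns 0.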