As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix and our team is looking forward to continuing to support you on this journey.


📙 You will learn

By default, ThreadFix installs with a database deployed inside a container with the appropriate values already set. The following instructions cover installation of ThreadFix with an external database or other advanced database configurations.

Prerequisites

Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 25 minutes
Tools required: SQL Server Management Studio or Kubernetes cluster with mssql-tools container

Requirements:

  • Microsoft SQL Server >= 2017

  • FQDN or IP for the SQL server

  • Account with Administrative access to SQL Server

  • Account with permissions to modify SQL Server configuration

Helm installations are configured with yaml files that override default properties. To apply the following examples, append -f followed by the name of the yaml file to the helm installation command. For example, if the yaml file is named appsec-db.yaml, invoke with ‘helm install tf denimgroup/threadfix -f appsec-db.yaml’.

Infrastructure Database only supports MySQL, with the MySQL requirements being the same as AppSec’s.

Configuring External AppSec Database

The following properties must be set for the database to function correctly. Consult vendor guides for how to properly set these values.

  1. Log into SQL Server

    1. If SQL Server Management Studio is installed, it may be run directly.

    2. If SQL Server Management Studio is not installed, the ThreadFix Kubernetes cluster may be leveraged to run the SQL Server CLI:

      kubectl run -it --restart=Never --rm=true --image=mcr.microsoft.com/mssql-tools mssql-tools -- /bin/bash

      When a bash prompt appears, run the SQL Server CLI, sqlcmd (replace values in angle brackets, <>, with their appropriate values):

      sqlcmd -U <user> -S <hostname>

  2. Create the ThreadFix database.

    CREATE DATABASE threadfix;
    GO

  3. Set the following values for the ThreadFix database.

    ALTER DATABASE threadfix SET READ_COMMITTED_SNAPSHOT ON
    GO
    ALTER DATABASE threadfix SET ALLOW_SNAPSHOT_ISOLATION ON
    GO

  4. Create the ThreadFix user (replace values in angle brackets, <> with appropriate values).

    CREATE LOGIN ThreadFix WITH PASSWORD = '<threadfix-user-password>';
    GO

  5. Grant access to the ThreadFix user.

    USE threadfix;
    GO
    CREATE USER ThreadFix FOR LOGIN ThreadFix;
    GO
    exec sp_addrolemember 'db_owner', 'ThreadFix';
    GO

  6. Exit SQL Server.

Create External Database Helm Values

To review the pre-requisites for hosting an SQL Server ThreadFix database externally, please refer to the Windows SQL Server Configuration guide.

  1. Create two files, username.txt and password.txt, containing the username and password credentials respectively for the external database.

    • Warning: The external database must already contain the database threadfix, and the username and password configured above must be granted ownership permissions on that database.

    • Warning: Many text editing tools insert a trailing newline character, \n, to text files by default. If the text editor being used has this property, consult the documentation on how to disable this functionality.

  2. Validate no newline characters have been added to the username and password files. The following should output 0 for both files.

    wc -l username.txt password.txt

  3. Create a Kubernetes secret for the external database:

    kubectl create secret generic db-user-pass --from-file=username=./username.txt --from-file=password=./password.txt

  4. Remove the previously created files.

    rm username.txt
    rm password.txt

  5. Set the FQDN or IP of the database (replace <hostname> with the FQDN or IP of the database):

    DB_HOSTNAME=<hostname>

  6. Set the name of the ThreadFix database (default threadfix).

    DB_NAME=<db_name>

  7. Create myValues folder (if it does not exist).

    mkdir -p myValues

  8. Create appsec-db.yaml.

    echo "appsec:
      db:
        type: sqlserver
        existingSecret: db-user-pass
        hostnameOverride: $DB_HOSTNAME
        database: $DB_NAME
    auth:
      db:
        type: sqlserver
        existingSecret: db-user-pass
        hostnameOverride: $DB_HOSTNAME
        database: $DB_NAME
    
    ## 3.1 only
    appsecdata:
      db:
        type: sqlserver
        existingSecret: db-user-pass
        hostnameOverride: $DB_HOSTNAME
        database: $DB_NAME
    appsecimporter:
      db:
        type: sqlserver
        existingSecret: db-user-pass
        hostnameOverride: $DB_HOSTNAME
        database: $DB_NAME
    appsecvip:
      db:
        type: sqlserver
        existingSecret: db-user-pass
        hostnameOverride: $DB_HOSTNAME
        database: $DB_NAME
    queue:
      db:
        type: sqlserver
        existingSecret: db-user-pass
        hostnameOverride: $DB_HOSTNAME
        database: $DB_NAME
    jobcoordinator:
      db:
        type: sqlserver
        existingSecret: db-user-pass
        hostnameOverride: $DB_HOSTNAME
        database: $DB_NAME
    " > myValues/appsec-db.yaml

  9. Finish any other tasks from the Installation Checklist, then Install with Helm.
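The credential-file and variable handling from steps 1, 2, 5 and 6, written as shell helpers. This is an added example, not ThreadFix's own tooling; the function names write_cred, check_cred and valid_value and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample values are constructed.

# Write one line read from stdin to a file with no trailing newline,
# readable only by its owner. Reading from stdin keeps the value out
# of the command's arguments.
write_cred() {  # usage: write_cred <file>
    ( umask 077
      IFS= read -r v || [ -n "$v" ] || exit 1
      printf '%s' "$v" > "$1" )
}

# Succeed only if the file is non-empty and holds no CR or LF bytes.
# wc -l counts LF only, so this is stricter than the check in step 2.
check_cred() {  # usage: check_cred <file>
    [ -s "$1" ] || return 1
    total=$(( $(wc -c < "$1") ))
    clean=$(( $(tr -d '\r\n' < "$1" | wc -c) ))
    [ "$total" -eq "$clean" ]
}

# Accept only letters, digits, dot, underscore and hyphen (hostname, IPv4
# address or plain database name), so the value cannot add keys or lines
# to the YAML that step 8 writes with echo.
valid_value() {  # usage: valid_value <string>
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo on constructed values in a scratch directory.
demo_dir=$(mktemp -d)
printf 'ThreadFix\n' | write_cred "$demo_dir/username.txt"
printf 'example-password\n' > "$demo_dir/password.txt"  # as many editors save it
for f in username.txt password.txt; do
    if check_cred "$demo_dir/$f"; then
        echo "$f: ok"
    else
        echo "$f: empty, or contains CR/LF"
    fi
done
rm -rf "$demo_dir"
```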
