Preparing and running user identity service components on a device

You need to add the files (certificates and configuration files) for each component to the corresponding separate directory. After that, you can load component containers to Docker and run them using the Docker Compose tool. For more information about the tool, refer to the official Docker Compose documentation.

Docker containers of the user identity server components are included in the distribution kit of Kaspersky NGFW.

To start the components of the user identity service:

1. Install Docker and Docker Compose:

   apt install -y docker.io docker-compose-v2

2. Create directories to store configuration files and certificates for the components of the user awareness service:

   mkdir -p /var/lib/uaws/collector/ssl

   mkdir -p /var/lib/uaws/mapapp/ssl

   mkdir -p /var/lib/uaws/groupapp/ssl

3. Prepare the configuration files:
   • For the Collector component: move the collector_config.yml file to the /var/lib/uaws/collector directory.
   • For the MapApp component: move the mapapp_config.yml file to the /var/lib/uaws/mapapp directory.
   • For the GroupApp component: move the groupapp_config.yml file to the /var/lib/uaws/groupapp directory.
4. Place the certificates created earlier in their appropriate component directories:
   • For the Collector component: copy the root certificate ca.p12 and the user certificate uaws.p12 to the /var/lib/uaws/collector/ssl directory.
   • For the MapApp component: copy the root certificate ca.p12 and the user certificate uaws.p12 to the /var/lib/uaws/mapapp/ssl directory.
   • For the GroupApp component: copy the root certificate ca.p12 and the user certificate uaws.p12 to the /var/lib/uaws/groupapp/ssl directory.
5. Load containers of the user identity server components to Docker from the archives that are included in the Kaspersky NGFW distribution kit:
   • For the Collector component, run the following command:

     sudo docker load -i <path to archive>/collector-<version>.cis.amd64_en-US_ru-RU.tgz

   • For the MapApp component, run the following command:

     sudo docker load -i <path to archive>/mapapp-<version>.cis.amd64_en-US_ru-RU.tgz

   • For the GroupApp component, run the following command:

     sudo docker load -i <path to archive>/groupsapp-<version>.cis.amd64_en-US_ru-RU.tgz

6. In the /var/lib/uaws/ directory, create the docker-compose.yml file and copy the component configuration to this file, substituting the necessary values.

   Contents of the docker-compose.yml file

   version: "3.8"

   services:

   mapapp:

   image: "uaws-mapapp-<version>.cis.amd64_en-US_ru-RU"

   hostname: "<FQDN of the MapApp component>"

   ports:

   - "8443:8443"

   environment:

   TZ: "Europe/Moscow"

   USERMAP_CONFIG: "/uaws/mapapp-config.yml"

   USERMAP_KEY_STORE: "/uaws/ssl/uaws.p12"

   USERMAP_KEY_STORE_PASS: "<password>"

   USERMAP_TRUST_STORE: "/uaws/ssl/ca.p12"

   USERMAP_TRUST_STORE_PASS: "<password>"

   sysctls:

   - net.ipv6.conf.all.disable_ipv6=1

   volumes:

   - "/var/lib/uaws/mapapp:/uaws/"

   collector:

   image: "uaws-collector-<version>.cis.amd64_en-US_ru-RU"

   hostname: "<FQDN of the Collector component>"

   ports:

   - "8900-8901:8900-8901"

   environment:

   TZ: "Europe/Moscow"

   AGENT_CONFIG: "/uaws/collector-config.yml"

   AGENT_KEY_STORE: "/uaws/ssl/uaws.p12"

   AGENT_KEY_STORE_PASS: "<password>"

   AGENT_TRUST_STORE: "/uaws/ssl/ca.p12"

   AGENT_TRUST_STORE_PASS: "<password>"

   AGENT_JOURNALNAME: "<Name of the log, for example, Application or ForwardedEvents>"

   sysctls:

   - net.ipv6.conf.all.disable_ipv6=1

   volumes:

   - "/var/lib/uaws/collector:/uaws/"

   groupapp:

   image: "uaws-groupsapp-<version>.cis.amd64_en-US_ru-RU"

   hostname: "<FQDN of the GroupApp component>"

   ports:

   - "8444:8443"

   environment:

   TZ: "Europe/Moscow"

   GROUPAPP_CONFIG: "/uaws/groupapp-config.yml"

   GROUPAPP_KEY_STORE: "/uaws/ssl/uaws.p12"

   GROUPAPP_KEY_STORE_PASS: "<password>"

   GROUPAPP_TRUST_STORE: "/uaws/ssl/ca.p12"

   GROUPAPP_TRUST_STORE_PASS: "<password>"

   sysctls:

   - net.ipv6.conf.all.disable_ipv6=1

   volumes:

   - "/var/lib/uaws/groupapp:/uaws/"

7. Start the components of the user awareness service:

   docker-compose -f /var/lib/uaws/docker-compose up -d

This completes the deployment of the user identity service on a single device. You can use the user identity functionality in Kaspersky NGFW.