
Dam KVM Installation Guide 12-27-2024

INSTALLATION AND GUIDE FOR KVM

DAM KVM Installation Guide



Contents

About This Document
SecureSphere Specifications - Linux KVM
Deployment Modes
    Management Server
Obtaining the Software
Deploying the Software
SecureSphere First-Time Login
    Performing First-Time Login for the Management Server (MX)
    First-Time Login for the Gateway
Confirming the Configuration
Proprietary Rights Notice
End User License and Services Agreement


About This Document


Kernel-based Virtual Machine (KVM) is a virtualization infrastructure for the Linux kernel that turns it into a hypervisor.
KVM builds on the power of hardware-based virtualization to deliver outstanding performance.

This Configuration Guide is intended as a guide for administrators tasked with configuring SecureSphere on Linux KVM.

Note: Imperva DAM assumes that you configure and manage the environment. Therefore, Imperva
provides generic guidelines that should be configured differently in each environment rather than
specific step-by-step instructions for each environment. Imperva DAM KVM was verified on VMware ESXi
running Ubuntu with libvirt and QEMU installed. Imperva assumes that the KVM image can be loaded
properly and that you have performed the prerequisite steps in your environment.


SecureSphere Specifications - Linux KVM


A fully-functional version of a SecureSphere appliance is available for virtual environments.

Note: Only distributed deployments (management servers and gateways on separate virtual machines)
are supported by Imperva SecureSphere Virtual Appliance.

The baseline specifications for a SecureSphere v6500 Gateway on a Linux KVM are 8 cores and 32GB of memory.

Table 2: SecureSphere Virtual Appliances

Specification                  Gateways                          Management Server
                               V2500      V4500      V6500       VM150

Performance
Supported SecureSphere         Database Activity Monitoring      MX Management Server
Products

Minimum Requirements for Physical Host
KVM                            KVM installed on CentOS 7 (virtualization extensions (Intel VT-x or AMD-V) are required for full virtualization)
Processor                      Minimum 12 virtual CPUs
Memory                         24GB Memory and 400GB disk space. See requirements for guest appliances below.
Network Interface              Bridge

Guest SecureSphere Virtual Appliance Specifications
CPU                            4          8          8           4
Memory                         8 GB       16 GB      32 GB       8 GB
Minimum Disk Space1            160 GB     160 GB     250 GB      160 GB


Deployment Modes
Imperva SecureSphere Virtual Appliance supports the same deployment modes as the physical SecureSphere appliances:

• As a Gateway
• As a management server (MX)
• As a SOM

High availability deployments are available exactly as with physical appliances. See the DAM Administration Guide for
details.

Some possible deployments are depicted in the following sections.

• Management Server

Management Server

The SecureSphere gateways managed by the virtual MX can be on other physical machines (as in the figure above) or on
the same host machine with SecureSphere MX (as in the figure below).

The SecureSphere MXs managed by the virtual SOM can be on other physical machines (as in the figure above) or on the
same host machine with SecureSphere SOM (as in the figure below).


Obtaining the Software


The Imperva DAM Virtual Appliance software package is provided on a disk. The most recent version is available from
the Imperva Customer Portal.

Note: Your "Welcome Imperva Customer" email includes a username and password that enable you to access the
Imperva Customer Portal.

To download the software, from the Imperva Customer Portal, click Downloads, then navigate to
/Downloads/Imperva_DAM/Setup/v14/v14.14/patch<latest patch number>/KVM.

There is only one qcow2 in this directory, and it is for all products and models.


Deploying the Software


The Imperva SecureSphere Virtual Appliance for KVM is deployed in a Linux environment.

To deploy SecureSphere Virtual Appliance for KVM on a Linux environment:

1. Connect to your KVM server and log in using your root credentials.
2. Upload the relevant qcow2 file to /var/lib/libvirt/boot.
3. Verify you have an X server application installed on your PC and if not, install one.
4. Run the command:
   export DISPLAY=<your PC IP Address>:0
5. Run the command:
   virt-manager
   The Virtual Machine Manager window appears.
6. Click File > New Virtual Machine. The Create new virtual machine wizard appears.
7. Select Import existing disk image and click Forward.
8. Click Browse and navigate to the qcow2 file located in /var/lib/libvirt/boot.
9. For OS type, select Linux and for Version, select CentOS 7.
10. Click Forward.
11. Select the relevant RAM and CPU settings and click Forward.
12. Enter a name for the machine.
13. Expand Network selection and change the network to your desired network.
14. Click Finish. The KVM server is created.
15. Connect via SSH to the server and perform the FTL procedure described in SecureSphere First-Time Login.
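
A scripted equivalent of steps 6-14 for hosts without an X server, as an added example that is not part of the Imperva guide: it checks the host against the minimums in the specifications table and builds a virt-install import sized for one model. The VM names, the bridge name br0, the /var/lib/libvirt/images target directory and the per-VM copy of the image are assumptions of this example.

```sh
#!/bin/sh
# Added example, not Imperva's tooling. VM names, bridge name and the
# /var/lib/libvirt/images directory are assumptions.

# Guest sizing from the specifications table: "<vCPUs> <memory GB> <disk GB>".
guest_sizing() {
    case "$1" in
        V2500) echo "4 8 160" ;;
        V4500) echo "8 16 160" ;;
        V6500) echo "8 32 250" ;;
        VM150) echo "4 8 160" ;;
        *) return 1 ;;
    esac
}

# Compare host resources with the guide's physical-host minimums:
# 12 virtual CPUs, 24 GB memory, 400 GB disk, VT-x/AMD-V present.
# Args: cpus mem_gb disk_gb virt_flag_lines. Prints shortfalls; status 0 if none.
host_shortfalls() {
    out=
    [ "$1" -ge 12 ] || out="$out cpus"
    [ "$2" -ge 24 ] || out="$out memory"
    [ "$3" -ge 400 ] || out="$out disk"
    [ "$4" -gt 0 ] || out="$out virt-extensions"
    echo "${out# }"
    [ -z "$out" ]
}

# Collect those four values on the KVM host. Memory is rounded up because
# MemTotal excludes memory the kernel reserves at boot; disk is taken as the
# free space on the filesystem holding /var/lib/libvirt (an assumption).
host_facts() {
    cpus=$(nproc)
    mem_gb=$(awk '/^MemTotal:/ {g = $2 / 1048576; printf "%d", (g > int(g)) ? int(g) + 1 : g}' /proc/meminfo)
    disk_gb=$(df -Pk /var/lib/libvirt | awk 'NR == 2 {printf "%d", $4 / 1048576}')
    virt=$(grep -c -E 'vmx|svm' /proc/cpuinfo || true)
    echo "$cpus $mem_gb $disk_gb $virt"
}

# virt-install equivalent of wizard steps 6-14 for one VM.
# Args: vm_name model disk_path bridge (no spaces in any of them).
import_cmd() {
    sizing=$(guest_sizing "$2") || return 1
    vcpus=${sizing%% *}
    mem_gb=${sizing#* }; mem_gb=${mem_gb%% *}
    echo "virt-install --import --name $1 --vcpus $vcpus" \
        "--memory $((mem_gb * 1024)) --disk path=$3,format=qcow2" \
        "--os-variant centos7.0 --network bridge=$4 --noautoconsole"
}

# Check the host, give the VM its own copy of the single qcow2 (it is shared
# by all products and models), then import it.
# Usage: deploy <vm_name> <model> <qcow2 under /var/lib/libvirt/boot> <bridge>
deploy() {
    short=$(host_shortfalls $(host_facts)) || {
        echo "host below guide minimums: $short" >&2; return 1; }
    disk=/var/lib/libvirt/images/$1.qcow2
    cmd=$(import_cmd "$1" "$2" "$disk" "$4") || {
        echo "unknown model: $2" >&2; return 1; }
    cp --sparse=always "$3" "$disk" && sh -c "$cmd"
}

# Dry run with constructed names: prints the command, changes nothing.
import_cmd dam-gw1 V6500 /var/lib/libvirt/images/dam-gw1.qcow2 br0
```

Because only distributed deployments are supported, run deploy once for the MX (VM150) and once per gateway, each with its own VM name.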


SecureSphere First-Time Login


To perform the SecureSphere First Time Login:

1. If you are configuring a Gateway, make sure the Gateway’s Management Server (MX) is up and running.
2. Power on the virtual machine (the instance of SecureSphere) you have just installed. For instructions on
installing (deploying) the software, see Deploying the Software.
3. Open SecureSphere in a console window. You are prompted to login.
4. Complete first time login as required for the component you're installing as follows:
◦ First-Time Login for the Management Server (MX)
◦ First-Time Login for the Gateway
5. Once you've completed first time login and configuration, open an internet browser and navigate to the IP
address of the MX Server you configured via HTTPS. For example: https://<IP address of MX>:8083. The End User
License Agreement (EULA) is displayed.
6. Read the EULA, then click Accept. You are asked to configure an Admin password for the GUI. See the Note
below.
7. Follow the instructions to set the GUI's Admin password. The Upload License window appears.
8. In the Upload License window, click the hyperlinked word here, as shown in the following:

The Imperva Activation Portal appears.


The Challenge is automatically filled-in.

9. Type your Enterprise License Code. You receive this code in the "Welcome Imperva SecureSphere Customer"
email you received after purchasing the product.
10. Type your email address. The license file will be sent to this email address as an attachment. The End User
License Agreement (EULA) is displayed.
11. Read the EULA, then enable the Accept checkbox.
12. Type the Verification strings as required.
13. Click Activate.
14. Check your email for the email with the license file, and when it arrives, save the license file.
15. Return to the Upload License window and click Browse to browse to the license file you just saved.
16. Click Upload.
17. Continue as prompted.

Note:

Make sure your password has the following characteristics:

◦ It must have no fewer than 10 characters and no more than 14 characters.
◦ It must have at least one number, one capital letter, and one special character from:
  * + = # % ^ : / ~ . , [ ] _
◦ It cannot have more than two characters repeated in succession.

Note: Your "Welcome Imperva SecureSphere Customer" email includes the following information:

• username and password to access the Imperva FTP site


• License Code

Performing First-Time Login for the Management Server (MX)


To activate the appliance, you need to define the system configuration by performing the procedures below.

Notes:

• If you configure a DNS client during the first-time login, make sure you specify the IP address
of a real DNS server that is available during the setup.
• Some procedure steps include yes/no options. The selections that appear are examples only.
For any no selection, you may select yes and specify the related values. Note that the system
operates more efficiently when you select yes in procedures that are marked recommended.
• Some options are displayed only when specific selections are made in previous steps.
• For full descriptions of the configuration options, see Imperva On-Premises Administration
Guide.
• You can automate the first-time login process to configure the gateway in sniffing mode. For
more information, see Automating First Time Login in the Imperva On-Premises
Administration Guide.
• If installing as a SOM, use the First Time Login for Management Server (MX) procedure.

To log into the appliance for the first time:

1. Open up the DAM virtual appliance instance in a console window.
2. Log in with the username admin and the password admin.
3. Change the admin password.

Note: Make sure your new password has the following characteristics:

◦ It must have no fewer than 10 characters and no more than 14 characters.
◦ It must have at least one number, one capital letter, and one special character from:
  * + = # % ^ : / ~ . , [ ] _
◦ It cannot have more than two characters repeated in succession.

4. Run the command ftl. The Imperva configuration tool is displayed and you can begin the initial setup. One or more
Component types are displayed.

To set the SecureSphere component:

A numbered list of options to configure the appliance is displayed as shown below. Type 1 to configure a Management
Server (MX) or 2 to configure a SOM, then press Enter.

To set the management interface:

1. The configuration tool displays the default "management" interface for the appliance. On the Do you want to
change it? line, enter n.
2. On the IP Address [IP Address/CIDR] line, enter the IP address/number of bits. For example: 192.168.1.1/24
3. On the Do you want to set IPv6 Address as well? line, enter n.

To set the LAN interface:

1. On the Do you want to set a LAN interface? line, enter y.


2. The configuration tool displays the default LAN interface for the appliance. On the Do you want to change it?
line, enter n.
3. On the IP Address [IP Address/CIDR] line, enter the IP address/number of bits. For example: 192.168.5.5/24
4. On the Do you want to set IPv6 Address as well? line, enter n.

(Recommended) To set the default gateway:

1. On the Do you want to set an IPv4 default gateway? line, enter y.


2. On the Gateway [IPv4 Address reachable from onboard interface] line, enter the IPv4 address. For example:
192.168.1.254
3. On the Do you want to specify a device? line, enter n.

To set the DNS client option:

• On the Do you want to configure a DNS client? line, enter n.

To set the password for the Linux root user:

1. On the Enter password line, enter a new password for the Linux root user. This password will also be used as
the grub bootloader password.
   ◦ Minimum password length: 10 characters
   ◦ Maximum password length: 14 characters
   ◦ The password may include letters, digits, and the following special characters: * ( ) - + = | # % ^ : / ~ . , [ _ ]
2. On the Re-enter password line, enter the same password again.

To set the password for the SecureSphere administrative user:

The SecureSphere administrative user is used to log into the management server using impcfg, and its password must be
identical on all appliances managed by the same MX.

1. On the Enter password line, enter a new password for the SecureSphere administrative user.
   ◦ Minimum password length: 10 characters
   ◦ Maximum password length: 14 characters
   ◦ The password may include letters, digits, and the following special characters: * ( ) - + = | # % ^ : / ~ . , [ _ ]
2. On the Re-enter password line, enter the same password again.

To set the password for the system user (database administrator):

The System user is occasionally used for logging into the database to make changes and for troubleshooting during
support cases.

1. On the Enter password line, enter a new password.
   ◦ Minimum password length: 10 characters
   ◦ Maximum password length: 14 characters
   ◦ The password may include letters, digits, and the following special characters: * ( ) - + = | # % ^ : / ~ . , [ _ ]
2. On the Re-enter password line, enter the same password again.

To assign a name to the host:

• On the Host name line, enter a name for the host.

The host name may be short or in FQDN format.

• If you use FQDN format:


• Use a period (.) to separate the parts.
• Each part must start with a letter.
• Each part must include at least two of the following: letter, digit, underscore, dash

To enable Large Scale MX:

A Large Scale MX works only with Large Scale Gateways, but can handle up to fifty such Gateways. If your setup does not
have the limitations summarized in Understanding Large Scale Gateways and Large Scale MX, you should enable Large
Scale MX.

• On the Do you want this MX to work in large scale mode? [y/n] line, enter y.

To set the time zone:

1. Please select a continent or ocean is displayed, followed by a numbered list of areas. Enter the number for
your location, or enter 11 to specify a time zone using the Posix TZ format.
2. Please select a country is displayed, followed by a numbered list of countries. Enter the number for your
country.
3. Your selection and the local time are displayed. Next, Is the above information OK? is displayed followed by a
numbered yes/no list. Enter a number to indicate whether the information is correct.

(Recommended) To set the network time protocol:

1. On the Do you want to configure an NTP client? line, enter y.


2. On the NTP servers line, enter one or more IPv4 addresses. For example: 192.168.2.250

Use a space between multiple addresses.


To apply the system configuration:

Notes related to applying the system configuration are displayed.

Note: The process of applying the system configuration may take about 10 minutes. Do not reboot the
appliance during system configuration processing.

• On the Press <ENTER> to continue line, press Enter to apply the system configuration.

First-Time Login for the Gateway


To activate the appliance, you need to define the system configuration by performing the procedures below.

Notes:

• If you configure a DNS client during the first-time login, make sure you specify the IP address
of a real DNS server that is available during the setup.
• Some procedure steps include yes/no options. The selections that appear are examples only.
For any no selection, you may select yes and specify the related values. Note that the system
operates more efficiently when you select yes in procedures that are marked recommended.
• Some options are displayed only when specific selections are made in previous steps.
• For full descriptions of the configuration options, see Imperva On-Premises Administration
Guide.
• You can automate the first-time login process to configure the gateway in sniffing mode. For
more information, see Automating First Time Login in the Imperva On-Premises
Administration Guide.
• If installing as a SOM, use the First Time Login for Management Server (MX) procedure as
described in First-Time Login for the Management Server.

To log into the appliance for the first time:

1. Open up the DAM virtual appliance instance in a console window.
2. Log in with the username admin and the password admin.
3. Change the admin password.

Note: Make sure your new password has the following characteristics:

◦ It must have no fewer than 10 characters and no more than 14 characters.
◦ It must have at least one number, one capital letter, and one special character from:
  * + = # % ^ : / ~ . , [ ] _
◦ It cannot have more than two characters repeated in succession.

4. Run the command ftl. The Imperva configuration tool is displayed and you can begin the initial setup. One or more
Component types are displayed.

To set the SecureSphere component:

• A numbered list of options to configure the appliance is displayed as shown below. Type 3 to configure a
gateway, then press Enter.

1) Management Server only.

2) SOM Server only.

3) Gateway only.

4) Discovery and Assessment Server (DAS).

To set the management port:

1. The configuration tool displays the default "management" interface for the appliance. On the Do you want to
change it? line, enter n.
2. On the IP Address [IP Address/CIDR] line, enter the IP address/number of bits. For example: 192.168.1.1/24
3. On the Do you want to set IPv6 Address as well? line, enter n.

To set the LAN interface:

1. On the Do you want to set a LAN interface? line, enter y.


2. The configuration tool displays the default LAN interface for the appliance. On the Do you want to change it?
line, enter n.
3. On the IP Address [IP Address/CIDR] line, enter the IP address/number of bits. For example: 192.168.5.5/24
4. On the Do you want to set IPv6 Address as well? line, enter n.

(Recommended) To set the default gateway:

1. On the Do you want to set an IPv4 default gateway? line, enter y.


2. On the Gateway [IPv4 Address reachable from onboard interface] line, enter the IPv4 address. For example:
192.168.1.254
3. On the Do you want to specify a device? line, enter n.

To set the DNS client option:

• On the Do you want to configure a DNS client? line, enter n.

To set the passwords for the Linux root and grub users:

1. On the Enter password line, enter a new password for the Linux root user. This password will also be used as
the grub bootloader password.
   ◦ Minimum password length: 10 characters
   ◦ Maximum password length: 14 characters
   ◦ The password may include letters, digits, and the following special characters: * ( ) - + = | # % ^ : / ~ . , [ _ ]
2. On the Re-enter password line, enter the same password again.

To set the password for the SecureSphere administrative user:

The SecureSphere administrative user is used to log into the management server using impcfg.

1. On the Enter password line, enter a new password for the administrative user.
   ◦ Minimum password length: 10 characters
   ◦ Maximum password length: 14 characters
   ◦ The password may include letters, digits, and the following special characters: * ( ) - + = | # % ^ : / ~ . , [ _ ]
2. On the Re-enter password line, enter the same password again.

To set the password for the imperva user:

The imperva user is responsible for communication with remote agents.

1. On the Enter password line, enter a new password.
   ◦ Minimum password length: 10 characters
   ◦ Maximum password length: 14 characters
   ◦ The password may include letters, digits, and the following special characters: * ( ) - + = | # % ^ : / ~ . , [ _ ]
2. On the Re-enter password line, enter the same password again.
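
A pre-check for the two password policies this guide states (the Note for the admin and GUI Admin passwords, and the character list given at the ftl password prompts), as an added example that is not Imperva's code. Reading "more than two characters repeated in succession" as three identical characters in a row is an assumption, and the sample passwords are constructed.

```sh
#!/bin/sh
# Added example, not Imperva's code: pre-check candidate passwords against the
# two policies stated in this guide before typing them at the prompts.
LC_ALL=C; export LC_ALL    # byte-wise matching, ASCII ranges

# Classify one character against the guide's character lists.
char_class() {
    case "$1" in
        [0-9]) echo digit ;;
        [A-Z]) echo upper ;;
        [a-z]) echo lower ;;
        '*'|'+'|'='|'#'|'%'|'^'|':'|'/'|'~'|'.'|','|'['|']'|'_') echo special ;;
        '('|')'|'-'|'|') echo ftl_only ;;   # listed at the ftl prompts only
        *) echo other ;;
    esac
}

# Walk the password once and record what the two policies need to know.
scan_password() {
    rest=$1; prev=; run=0
    pw_len=${#1}; max_run=0; has_digit=0; has_upper=0; has_special=0; has_other=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}          # first character of what is left
        rest=${rest#?}
        if [ "x$c" = "x$prev" ]; then run=$((run + 1)); else run=1; fi
        if [ "$run" -gt "$max_run" ]; then max_run=$run; fi
        prev=$c
        case $(char_class "$c") in
            digit) has_digit=1 ;;
            upper) has_upper=1 ;;
            special) has_special=1 ;;
            other) has_other=1 ;;
        esac
    done
}

length_ok() { [ "$pw_len" -ge 10 ] && [ "$pw_len" -le 14 ]; }

# Policy in the Note: admin and GUI Admin passwords.
# Assumption: "repeated in succession" means no character three times in a row.
check_admin_password() {
    scan_password "$1"; errs=
    length_ok || errs="$errs length"
    [ "$has_digit" -eq 1 ] || errs="$errs digit"
    [ "$has_upper" -eq 1 ] || errs="$errs upper"
    [ "$has_special" -eq 1 ] || errs="$errs special"
    [ "$max_run" -le 2 ] || errs="$errs repeat"
    echo "${errs# }"
    [ -z "$errs" ]
}

# Policy at the ftl prompts (root/grub, administrative, system, imperva users):
# length 10-14, only letters, digits and the listed special characters.
check_ftl_password() {
    scan_password "$1"; errs=
    length_ok || errs="$errs length"
    [ "$has_other" -eq 0 ] || errs="$errs charset"
    echo "${errs# }"
    [ -z "$errs" ]
}

# Constructed sample values, for demonstration only.
for pw in 'Db#Monitor2024' 'Passsword#2024' 'nouppercase1#'; do
    result=$(check_admin_password "$pw") && result=ok
    printf '%-16s %s\n' "$pw" "$result"
done
```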

To assign a name to the host:

• On the Host name line, enter a name for the host.


• The host name may be short or in FQDN format.
• If you use FQDN format:
• Use a period (.) to separate the parts.
• Each part must start with a letter.
• Each part must include at least two of the following: letter, digit, underscore, dash

To set the gateway's management server IP:

• On the Enter the Management Server's IP Address line, enter IPv4 Address. For example: 10.1.1.205

To set the gateway operation mode:

• A numbered list of gateway operation modes is displayed. Enter the number for your operation mode
preference.

To set the time zone:

1. Please select a continent or ocean is displayed, followed by a numbered list of areas. Enter the number for
your location, or enter 11 to specify a time zone using the Posix TZ format.
2. Please select a country is displayed, followed by a numbered list of countries. Enter the number for your
country.
3. Your selection and the local time are displayed. Next, Is the above information OK? is displayed followed by a
numbered yes/no list. Enter a number to indicate whether the information is correct.

(Recommended) To set the network time protocol:


1. On the Do you want to configure an NTP client? line, enter y.


2. On the NTP servers line, enter one or more IPv4 addresses. For example: 192.168.2.250

Use a space between multiple addresses.

You can (optionally) set this Gateway to work in Large Scale Gateway mode, also known as Sonar Only mode. Large Scale
Gateways can monitor more traffic.

With Large Scale Gateways, DB audit data is sent only to Sonar, and a Gateway can handle up to three times the traffic of a
standard Gateway. If your setup does not have the limitations summarized in Understanding Large Scale Gateways and
Large Scale MX, you should enable Large Scale Gateways.

• On the Do you want this Gateway to work in Sonar Only mode line, enter y.

To apply the system configuration:

Notes related to applying the system configuration are displayed.

Note: The process of applying the system configuration may take about 5 minutes. Do not reboot
the appliance during system configuration processing.

• On the Press <ENTER> to continue line, press Enter to apply the system configuration.


Confirming the Configuration


Once you have completed the First Time Login, you can use standard networking tools to confirm that you have correctly
configured the Imperva SecureSphere Virtual Appliance.

To confirm that you have correctly configured the Imperva SecureSphere Virtual Appliance:

• Other Configurations: Use the standard networking tools to confirm that the Imperva SecureSphere Virtual
Appliance is properly monitoring and/or intercepting traffic.


Proprietary Rights Notice

© 2002 - 2023 Imperva, Inc. All Rights Reserved.

Follow this link to see the copyright notices and certain open source license terms:

https://docs.imperva.com/bundle/z-kb-articles-km/page/656407b1.html

This document is for informational purposes only. Imperva, Inc. makes no warranties, expressed or implied.

No part of this document may be used, disclosed, reproduced, transmitted, transcribed, stored in a retrieval system, or
translated into any language in any form or by any means without the written permission of Imperva, Inc. To obtain this
permission, write to the attention of the Imperva Legal Department at: 3400 Bridge Parkway, Suite 200, Redwood Shores,
CA 94065.

Information in this document is subject to change without notice and does not represent a commitment on the part of
Imperva, Inc. The software described in this document is furnished under a license agreement. The software may be used
only in accordance with the terms of this agreement.

This document contains proprietary and confidential information of Imperva, Inc. This document is solely for the use of
authorized Imperva customers. The information furnished in this document is believed to be accurate and reliable.
However, no responsibility is assumed by Imperva, Inc. for the use of this material.

TRADEMARK ATTRIBUTIONS

Imperva and SecureSphere are trademarks of Imperva, Inc.

All other brand and product names are trademarks or registered trademarks of their respective owners.

PATENT INFORMATION

The software described by this document is covered by one or more of the following patents:

US Patent Nos. 7,640,235, 7,743,420, 7,752,662, 8,024,804, 8,051,484, 8,056,141, 8,135,948, 8,181,246, 8,392,963,
8,448,233, 8,453,255, 8,713,682, 8,752,208, 8,869,279 and 8,904,558, 8,973,142, 8,984,630, 8,997,232, 9,009,832, 9,027,136,
9,027,137, 9,128,941, 9,148,440, 9,148,446, 9,401,927, and 11,579,859.

Imperva Inc.

3400 Bridge Parkway

Redwood Shores, CA 94065

United States

Tel: +1 (650) 345-9000


Fax: +1 (650) 345-9004

• Website: http://www.imperva.com
• General Information: info@imperva.com
• Sales: sales@imperva.com


• Professional Services: consulting@imperva.com


• Technical Support: https://support.imperva.com/s/

Imperva-SecureSphere-v14.16-DAM-Virtual-Appliance-Installation-Guide


End User License and Services Agreement

To view the End User License and Service Agreement for this product, please visit
http://www.imperva.com/Other/LicenseAgreement
