Configure Cortex Xpanse engines to change the number of workers, access communication tasks, notify users if engine disconnects, and remove server from group.
You can Edit the Engine Configuration File either by modifying the d1.conf file on the engine or in Cortex Xpanse when managing engines. You can only configure an engine in Cortex Xpanse if you installed the engine using the shell installer.
You can configure the server and engine to do the following:
Edit the Engine Configuration File
Edit engine configurations by modifying d1.conf or specific properties in the JSON formatted configuration section.
You can edit the engine configuration by either modifying the d1.conf
file on the engine, or in Cortex Xpanse by modifying specific properties in the JSON formatted configuration dialog box (Shell installations only).
1. Modify the d1.conf file. On the machine on which you installed the engine, navigate to the d1.conf file:

Installation Type | Location
---|---
RPM, DEB, Shell | /usr/local/demisto. If using multiple engines, the location is /usr/local/demisto/<name of the engine>. For example, /usr/local/demisto/d1_e1
ZIP | Same folder as the binary.
Modify the file as required. See Common Properties When Editing an Engine Configuration.
You can also Configure the Engine to Use a Web Proxy.
2. Modify the configuration in Cortex Xpanse. Ensure that the data is in JSON format. The properties that you specify override the values defined in the d1.conf file. A use case for modifying the engine configuration this way is generating engine logs at a specific log level.
   a. From the engines table, select the engine for which you want to modify the configuration.
   b. Click Edit Configuration.
   c. In the JSON formatted configuration dialog box, modify the properties as required. For more information, see Common Properties When Editing an Engine Configuration.
Common Properties When Editing an Engine Configuration
Edit the engine configuration by changing the common properties in the JSON formatted section of the d1.conf file.
The following table describes the common properties when editing an engine configuration using the d1.conf file (located by default at /usr/local/demisto/) or in the JSON formatted configuration dialog box in Cortex Xpanse.

Property | Type | Values | Edit
---|---|---|---
http_proxy | String | The IP address of the HTTP proxy through which the engine communicates. | The engine
https_proxy | String | The IP address of the HTTPS proxy through which the engine communicates. | The engine
 | String | | The engine
 | String | The port on which the engine listens for agent connection requests and communication task responses. | The engine
EngineURLs | String array | An array of tenant addresses to which the engine tries to connect. If you change the tenant URL, you need to update this parameter. | The engine
 | String | Path to the | The engine
 | String | Disables the option to send communication task forms through the engine. | The engine
Configure the Engine to Use a Web Proxy
Configure an engine to use a web proxy by editing the d1.conf file.
The engine uses a web proxy if the following environment variables are set:
- http_proxy
- https_proxy
If the environment variables are not set, or you want to use settings different from those specified in the environment variables, set the configuration with your specific proxy details in the d1.conf file. For example:
```json
{"http_proxy": "http://proxy.host.local:8080", "https_proxy": "https://proxy.host.local:8443"}
```
Configure the Engine to Call the Server Without Using a Proxy
Configure an engine to call the server without using a proxy.
In some cases, due to specific environment architecture, you may need to configure the engine to use a proxy when working with integrations, but not use a proxy when calling the Cortex Xpanse tenant.
1. On the computer where you have installed the engine, go to the directory of the d1.conf file. For RPM, DEB, and Shell installations, go to /usr/local/demisto.
2. Add the following configuration:

Key | Value
---|---
engine.to.server.proxy | false (default is true)
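The two proxy sections above and the note that dialog-box properties override d1.conf describe a resolution order rather than showing it. The following Python is an added example, not part of this page or of the engine's own code: it merges a dialog override over a constructed d1.conf, then works out which proxy (if any) a given URL would go through. The order (engine.to.server.proxy bypass for the EngineURLs hosts, then d1.conf proxy keys, then the environment variables) is my reading of the page; the host names are placeholders.

```python
import os
from urllib.parse import urlsplit

# Constructed d1.conf content. The keys follow this page (http_proxy,
# https_proxy, EngineURLs, engine.to.server.proxy); the host names are placeholders.
BASE_CONF = {
    "EngineURLs": ["https://tenant.example.com:443"],
    "http_proxy": "http://proxy.host.local:8080",
    "https_proxy": "https://proxy.host.local:8443",
    "engine.to.server.proxy": True,
}


def effective_conf(file_conf, dialog_override=None):
    """Merge the JSON from the Edit Configuration dialog over d1.conf.

    Per the page, properties set in the dialog override the values in the file.
    """
    merged = dict(file_conf)
    merged.update(dialog_override or {})
    return merged


def _is_false(value):
    # The table on this page writes the value as "false"; accept a bool or a string.
    return value is False or str(value).strip().lower() == "false"


def proxy_for(url, conf, env=None):
    """Return the proxy URL the engine would use to reach `url`, or None.

    Resolution order as read from this page (an assumption, not the engine's code):
      1. with engine.to.server.proxy=false, calls to the EngineURLs hosts bypass the proxy;
      2. http_proxy / https_proxy in d1.conf take precedence over the environment;
      3. otherwise the http_proxy / https_proxy environment variables apply.
    """
    env = os.environ if env is None else env
    target = urlsplit(url)
    tenant_hosts = {urlsplit(u).hostname for u in conf.get("EngineURLs", [])}
    if target.hostname in tenant_hosts and _is_false(conf.get("engine.to.server.proxy", True)):
        return None
    key = "https_proxy" if target.scheme == "https" else "http_proxy"
    return conf.get(key) or env.get(key) or env.get(key.upper()) or None


if __name__ == "__main__":
    conf = effective_conf(BASE_CONF, {"engine.to.server.proxy": "false"})
    for u in ("https://tenant.example.com/d1ws", "https://api.vendor.example/v1"):
        print(u, "->", proxy_for(u, conf, env={}))
```

Passing `env={}` makes the result depend only on the configuration, which is useful when you want to check what a d1.conf will do before deploying it on a host whose environment variables you do not control.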
Use NGINX as a Reverse Proxy to the Engine
Use NGINX as a reverse proxy to the Cortex Xpanse engines.
NGINX can act as a reverse proxy that sits between internal applications and external clients, forwarding client requests to the appropriate application. Using NGINX as a reverse proxy in front of the engine enables you to provide network segmentation where the proxy can be put on a public subnet (DMZ) while the engine can be on a private subnet, only accepting traffic from the proxy. Additionally, NGINX provides a number of advanced load balancing and acceleration features that you can utilize.
The following topics describe how to install NGINX, how to use a Self-Signed Certificate for non-production environments, and how to configure NGINX.
Use Engines Through the NGINX Reverse Proxy
If you want to use an engine (d1) through the reverse proxy, you need to modify EngineURLs in the d1.conf file to point to the host and port the NGINX server is listening on.
Install NGINX on the Engine
Install NGINX on Cortex Xpanse Red Hat/Amazon and Ubuntu Linux distributions.
You can install NGINX on the Red Hat/Amazon (yum) and Ubuntu Linux distributions. For full instructions and available distributions, see NGINX documentation.
1. On the engine machine, run one of the following commands according to your Linux system:
   RedHat/Amazon:
   ```
   sudo yum install nginx
   ```
   Ubuntu:
   ```
   sudo apt-get install nginx
   ```
2. (Optional) Verify the NGINX installation by running the following command:
   ```
   sudo nginx -v
   ```
Generate a Certificate for NGINX
Generate a certificate for NGINX for non-production set ups.
You should not use self-signed certificates for production systems. It is recommended to use a properly signed certificate for production systems. These instructions are intended only for non-production setups.
To use OpenSSL to generate a self-signed certificate, on the engine machine run the following command:
```
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt
```
When prompted, complete the on-screen instructions to complete the required fields.
Configure NGINX on an Engine
Configure NGINX on a Cortex Xpanse engine.
Follow these instructions to configure NGINX on an engine.
1. Open the following NGINX configuration file with your preferred editor:
   ```
   /etc/nginx/conf.d/demisto.conf
   ```
2. Use the following configuration template. Replace DEMISTO_ENGINE with the appropriate hostname.
```nginx
# Replace DEMISTO_ENGINE with the appropriate hostname.
# If needed, change port 443 to the port on which the engine is listening.
upstream demisto {
    server DEMISTO_ENGINE:443;
}

# Uncomment to redirect http to https (optional)
# server {
#     listen 80;
#     return 301 https://$host$request_uri;
# }

server {
    # Change the port if you want NGINX to listen on a different port.
    # "listen ... ssl" replaces the "ssl on;" directive, which was deprecated in
    # NGINX 1.15.0 and removed in 1.25.1 (current releases reject it).
    listen 443 ssl;
    ssl_certificate /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated; remove them (and add TLSv1.3) unless a
    # legacy client still requires them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/demisto.access.log;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://demisto;
        proxy_read_timeout 90;
    }

    # WebSocket endpoints need HTTP/1.1 and the Upgrade/Connection headers passed through.
    location ~ ^/(websocket|d1ws|d2ws) {
        proxy_pass https://demisto;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header Origin "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
   Note: For multi-tenant deployments, replace
   ```
   location ~ ^/(websocket|d1ws|d2ws) {
   ```
   with
   ```
   location ~ ^/(acc_\S+/)?(websocket|d1ws|d2ws) {
   ```
3. Restart the NGINX server by typing the following command:
   ```
   sudo service nginx restart
   ```
Verify you can access the engine by browsing to the NGINX server host.
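Hand-editing the template leaves room for the two mistakes that matter most here: forgetting to replace DEMISTO_ENGINE, and keeping TLS settings that current NGINX rejects or that should not face a DMZ. The following Python is an added example, not part of this page or of NGINX: it renders a condensed form of the template above (comments removed, `listen 443 ssl` instead of `ssl on;`, and TLSv1.2/TLSv1.3 by default rather than the page's TLSv1 through TLSv1.2 list) and lints a configuration for those problems before you restart NGINX. The host name and the lint rules are my own.

```python
import re

# Condensed version of the template on this page; the placeholder, ports,
# protocol list and the multi-tenant location prefix are filled in by render_nginx_conf().
TEMPLATE = """upstream demisto {{ server {engine}:{engine_port}; }}
server {{
    listen {listen_port} ssl;
    ssl_certificate /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols {protocols};
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/demisto.access.log;
    location / {{
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://demisto;
        proxy_read_timeout 90;
    }}
    location ~ ^/{tenant_prefix}(websocket|d1ws|d2ws) {{
        proxy_pass https://demisto;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header Origin "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }}
}}
"""

# Protocol versions that should not be offered by a proxy on a public subnet.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def is_valid_engine_host(name):
    """Accept a plain hostname or IPv4 literal; reject the unreplaced placeholder."""
    return name != "DEMISTO_ENGINE" and re.fullmatch(r"[A-Za-z0-9.-]+", name) is not None


def render_nginx_conf(engine_host, engine_port=443, listen_port=443,
                      multi_tenant=False, protocols="TLSv1.2 TLSv1.3"):
    """Fill the template; multi_tenant=True applies the acc_ prefix from the note above."""
    if not is_valid_engine_host(engine_host):
        raise ValueError("engine_host must be a real hostname, not the DEMISTO_ENGINE placeholder")
    return TEMPLATE.format(engine=engine_host, engine_port=engine_port,
                           listen_port=listen_port, protocols=protocols,
                           tenant_prefix=r"(acc_\S+/)?" if multi_tenant else "")


def lint_nginx_conf(text):
    """Return a list of findings for an NGINX server configuration; empty means clean."""
    findings = []
    if "DEMISTO_ENGINE" in text:
        findings.append("placeholder DEMISTO_ENGINE was not replaced")
    if re.search(r"^\s*ssl\s+on\s*;", text, re.M):
        findings.append("'ssl on;' was removed in NGINX 1.25.1; use 'listen <port> ssl;' instead")
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", text, re.M)
    if m:
        weak = sorted(WEAK_PROTOCOLS & set(m.group(1).split()))
        if weak:
            findings.append("deprecated protocols enabled: " + ", ".join(weak))
    if "d1ws" in text and not re.search(r"proxy_set_header\s+Upgrade\s+\$http_upgrade", text):
        findings.append("WebSocket location does not pass the Upgrade header")
    return findings


if __name__ == "__main__":
    # Placeholder host name for demonstration.
    conf = render_nginx_conf("engine.internal.example", multi_tenant=True)
    print(conf)
    print("findings:", lint_nginx_conf(conf))
```

Run the lint over the real /etc/nginx/conf.d/demisto.conf before `service nginx restart`; it complements, rather than replaces, `nginx -t`, which checks syntax but not whether the settings are appropriate.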
Configure an Engine to Use Custom Certificates
Replace the self-signed certificate for an engine with a valid CA certificate for communication tasks.
For communication tasks that go through an engine, you can replace the default self-signed certificate for the engine with your own certificate.
1. Find the two files created by the engine. The default location is /usr/local/demisto:
   - d1.key.pem
   - d1.cert.pem
2. Replace the contents of these files with your own certificates.
3. Change the file owner to demisto:
   ```
   chown -R demisto:demisto d1.key.pem
   chown -R demisto:demisto d1.cert.pem
   ```
4. Set the file permissions:
   ```
   chmod 600 d1.key.pem
   chmod 644 d1.cert.pem
   ```
(Optional) If you are using a key passphrase for your custom certificate, add the passphrase to your engine configuration:
Go to
→ → . Create New Engine and provide an engine name, or select an existing engine and click Edit Configuration.
Select Use a passphrase for the engine certificate private key.
Click Save.
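The ownership and permission steps above are easy to get subtly wrong (a key left group-readable, or owned by the account that copied it rather than demisto), and nothing in the procedure checks the result. The following Python is an added example, not part of this page or of the engine: it audits d1.key.pem and d1.cert.pem in the engine directory against the expected owner, modes and PEM framing, and includes a helper that builds a throwaway directory with constructed placeholder files so the audit can be tried without touching a real engine.

```python
import os
import pwd
import stat
import tempfile

# Expected state after the steps above: private key 0600, certificate 0644,
# both owned by the demisto user.
EXPECTED_MODES = {"d1.key.pem": 0o600, "d1.cert.pem": 0o644}


def _owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_engine_cert_files(conf_dir="/usr/local/demisto", owner="demisto"):
    """Return a list of findings; an empty list means both files match the steps above."""
    findings = []
    for name, want_mode in EXPECTED_MODES.items():
        path = os.path.join(conf_dir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{name}: missing")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode != want_mode:
            findings.append(f"{name}: mode {mode:04o}, expected {want_mode:04o}")
        if name.endswith("key.pem") and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: private key readable by group or others")
        actual_owner = _owner_name(st.st_uid)
        if actual_owner != owner:
            findings.append(f"{name}: owner {actual_owner}, expected {owner}")
        with open(path, "rb") as fh:
            if not fh.read(11).startswith(b"-----BEGIN "):
                findings.append(f"{name}: does not look like a PEM file")
    return findings


def current_user():
    """Name of the account running this script (used as the expected owner in a dry run)."""
    return _owner_name(os.getuid())


def make_sample_cert_dir(key_mode=0o600, cert_mode=0o644):
    """Create a temporary directory with constructed placeholder PEM files (demonstration only)."""
    d = tempfile.mkdtemp(prefix="d1-certs-")
    key = os.path.join(d, "d1.key.pem")
    cert = os.path.join(d, "d1.cert.pem")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
    with open(cert, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    os.chmod(key, key_mode)
    os.chmod(cert, cert_mode)
    return d


if __name__ == "__main__":
    # Dry run against constructed files; on an engine call audit_engine_cert_files() with defaults.
    for findings in (audit_engine_cert_files(make_sample_cert_dir(), owner=current_user()),
                     audit_engine_cert_files(make_sample_cert_dir(key_mode=0o644), owner=current_user())):
        print(findings or "OK")
```

On an engine, run it as root with the defaults so that the owner comparison is against demisto and the private key can be opened for the PEM check.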