UNCLASSIFIED

Commit 987995b2 authored by thomas.burton

updated docs for SAML integration.

parent dee56743
...@@ -3,3 +3,5 @@ ...@@ -3,3 +3,5 @@
0.1.0 (06/15/2020) 0.1.0 (06/15/2020)
Manifests for deploying Twistlock 20.04.196 Manifests for deploying Twistlock 20.04.196
0.2.0 (08/24/2020)
Updated docs/readme.md to reflect keycloak SAML setup.
# Twistlock # Twistlock
## This should not go into production with license and token . ## This should not go into production with license and token
## Twistlock under DSOP ## Twistlock under DSOP
The Twistlock Platform provides vulnerability management and compliance across the application lifecycle by scanning images and serverless functions to prevent security and compliance issues from progressing through the development pipeline, and continuously monitoring all registries and environments. The Twistlock Platform provides vulnerability management and compliance across the application lifecycle by scanning images and serverless functions to prevent security and compliance issues from progressing through the development pipeline, and continuously monitoring all registries and environments.
This installation follows the Twistlock documented guidance. Twistlock documentation can be found at: This installation follows the Twistlock documented guidance. Twistlock documentation can be found at:
https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition-admin/welcome.html <https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition-admin/welcome.html>
The Twistlock Console is deployed as a part of the gitops. Once deployed the process of setting up daemonsets is currently a manual process. For this installation the following information is needed: The Twistlock Console is deployed as a part of the gitops. Once deployed the process of setting up daemonsets is currently a manual process. For this installation the following information is needed:
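Review bot: the warning heading "This should not go into production with license and token" only loses its stray period here and still does not say what the reader must not do, even though the rest of the README has the reader export the license and the bearer token as shell variables; suggest stating the constraint outright, e.g. "Do not commit the license key or the bearer token to this repository or bake them into the manifests; keep them in a Kubernetes Secret."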
...@@ -18,13 +18,17 @@ The Twistlock Console is deployed as a part of the gitops. Once deployed the pr ...@@ -18,13 +18,17 @@ The Twistlock Console is deployed as a part of the gitops. Once deployed the pr
* Elasticsearch and Kibana deployed to Kubernetes namespace * Elasticsearch and Kibana deployed to Kubernetes namespace
Install kubectl Install kubectl
``` ```
brew install kubectl brew install kubectl
``` ```
Install kustomize Install kustomize
``` ```
brew install kustomize brew install kustomize
``` ```
### Deployment ### Deployment
Clone repository Clone repository
...@@ -33,6 +37,7 @@ Clone repository ...@@ -33,6 +37,7 @@ Clone repository
git clone https://repo1.dsop.io/platform-one/apps/twistlock.git git clone https://repo1.dsop.io/platform-one/apps/twistlock.git
cd twstlock cd twstlock
``` ```
Apply kustomized manifest Apply kustomized manifest
``` ```
kubectl -k ./ kubectl -k ./
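Review bot: `kubectl -k ./` is not a valid invocation, so the "Apply kustomized manifest" step fails as written; kustomize directories are applied with `kubectl apply -k ./`. Also `cd twstlock` should be `cd twistlock` to match the directory the `git clone https://repo1.dsop.io/platform-one/apps/twistlock.git` line creates.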
...@@ -43,21 +48,23 @@ kubectl -k ./ ...@@ -43,21 +48,23 @@ kubectl -k ./
The application needs a administrator, the license file needs to be installed, then a defender.yaml needs to be generated and deployed, then logging needs to be enabled. This has been consolidated in a script called twistlock_setup.sh. The application needs a administrator, the license file needs to be installed, then a defender.yaml needs to be generated and deployed, then logging needs to be enabled. This has been consolidated in a script called twistlock_setup.sh.
The Variables required are as follows: The Variables required are as follows:
``` ```
$ //Environment //Environment
$ TWISTLOCK_CONSOLE_USER=Administrator $ TWISTLOCK_CONSOLE_USER=Administrator
$ TWISTLOCK_CONSOLE_PASSWORD=< my password> $ TWISTLOCK_CONSOLE_PASSWORD=< my password>
$ TWISTLOCK_EXTERNAL_ROUTE=twistlock.fences.dsop.io $ TWISTLOCK_EXTERNAL_ROUTE=twistlock.fences.dsop.io
$ TWISTLOCK_LICENSE= $ TWISTLOCK_LICENSE=
$ TOKEN=<Generated Bearer token Manage/Authentication/User Certificates> $ TOKEN=<Generated Bearer token Manage/Authentication/User Certificates>
``` ```
This process requires kubectl to be installed and able to communicate with the DSOP cluster. This process requires kubectl to be installed and able to communicate with the DSOP cluster.
#### Add an Administrator #### Add an Administrator
Initially there is no users associated with twistlock console. Go to the external URL and add an Administrator account and a password. Alternatively, run the following script: Initially there is no users associated with twistlock console. Go to the external URL and add an Administrator account and a password. Alternatively, run the following script:
``` ``
//Add Administrator //Add Administrator
if ! curl -k -H 'Content-Type: application/json' -X POST \ if ! curl -k -H 'Content-Type: application/json' -X POST \
-d "{\"username\": \"$TWISTLOCK_CONSOLE_USER\", \"password\": \"$TWISTLOCK_CONSOLE_PASSWORD\"}" \ -d "{\"username\": \"$TWISTLOCK_CONSOLE_USER\", \"password\": \"$TWISTLOCK_CONSOLE_PASSWORD\"}" \
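Review bot: the opening fence of the "Add Administrator" block was changed from ``` to `` (two backticks), which is not a Markdown code fence, so the script now renders as inline prose; restore ```. Separately, the `curl -k -H 'Content-Type: application/json' -X POST` call sends the new admin password with TLS verification disabled; drop `-k` and pass the cluster CA with `--cacert`, and note that a password containing `"` or `\` breaks the hand-built JSON in `-d "{\"username\": \"$TWISTLOCK_CONSOLE_USER\", \"password\": \"$TWISTLOCK_CONSOLE_PASSWORD\"}"`. The menu path in `TOKEN=<Generated Bearer token Manage/Authentication/User Certificates>` also disagrees with "Manage/Authorization/User Certificates" used later in the README; pick one.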
...@@ -66,9 +73,10 @@ if ! curl -k -H 'Content-Type: application/json' -X POST \ ...@@ -66,9 +73,10 @@ if ! curl -k -H 'Content-Type: application/json' -X POST \
echo "Error creating Twistlock Console user $TWISTLOCK_CONSOLE_USER" echo "Error creating Twistlock Console user $TWISTLOCK_CONSOLE_USER"
exit 1 exit 1
fi fi
``` ``
#### Install the license #### Install the license
The License can be added directly from the TWISTLOCK_EXTERNAL_ROUTE. When first logging in the admin user will be prompted for a license. The following script will install the license: The License can be added directly from the TWISTLOCK_EXTERNAL_ROUTE. When first logging in the admin user will be prompted for a license. The following script will install the license:
``` ```
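Review bot: the closing fence after `fi` was changed to `` (two backticks) here as well, so the "Add Administrator" block never closes and the "#### Install the license" heading that follows is swallowed into it; restore ```.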
...@@ -78,31 +86,35 @@ if ! curl -k \ ...@@ -78,31 +86,35 @@ if ! curl -k \
-H 'Content-Type: application/json' \ -H 'Content-Type: application/json' \
-X POST \ -X POST \
-d "{\"key\": \"$TWISTLOCK_LICENSE\"}" \ -d "{\"key\": \"$TWISTLOCK_LICENSE\"}" \
https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/settings/license; then https://$TWISTLOCK_EXTERNAL_ROUTE/api/v1/settings/license; then
echo "Error uploading Twistlock license to console" echo "Error uploading Twistlock license to console"
exit 1 exit 1
fi fi
``` ```
#### Install Defender with Twistcli #### Install Defender with Twistcli
This can be found in the Manage/System/Download. After download ensure the file is made executable. This can be found in the Manage/System/Download. After download ensure the file is made executable.
``` ```
$ chmod +x twistcli chmod +x twistcli
``` ```
The "Bearer" token can be found in the twistlock application Manage/Authorization/User Certificates. Alternatively, run the following commands The "Bearer" token can be found in the twistlock application Manage/Authorization/User Certificates. Alternatively, run the following commands
``` ```
//Windows twistcli: //Windows twistcli:
curl --progress-bar -L -k --header "authorization: Bearer $TOKEN" https://twistlock.fences.dsop.io/api/v1/util/windows/twistcli.exe > twistcli.exe; curl --progress-bar -L -k --header "authorization: Bearer $TOKEN" https://twistlock.fences.dsop.io/api/v1/util/windows/twistcli.exe > twistcli.exe;
``` ```
``` ```
Linux twistcli: Linux twistcli:
curl --progress-bar -L -k --header "authorization: Bearer $TOKEN" https://twistlock.fences.dsop.io/api/v1/util/twistcli > twistcli; chmod a+x twistcli; curl --progress-bar -L -k --header "authorization: Bearer $TOKEN" https://twistlock.fences.dsop.io/api/v1/util/twistcli > twistcli; chmod a+x twistcli;
``` ```
``` ```
Mac OS twistcli: Mac OS twistcli:
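Review bot: the twistcli download lines hardcode `https://twistlock.fences.dsop.io` while every other call in the README uses `$TWISTLOCK_EXTERNAL_ROUTE`; use the variable so the document works for any environment. These lines also fetch an executable with `-k` and immediately `chmod a+x` it, so with verification disabled anyone in a network position can substitute the binary; drop `-k` (use `--cacert`) and verify the download against a checksum obtained out of band before running it. Minor: the comment style differs between `//Windows twistcli:` and `Linux twistcli:`, and the sentence above says "Manage/Authorization/User Certificates" where the variable block earlier says "Manage/Authentication/User Certificates".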
...@@ -114,16 +126,21 @@ curl --progress-bar -L -k --header "authorization: Bearer TOKEN" https://twistlo ...@@ -114,16 +126,21 @@ curl --progress-bar -L -k --header "authorization: Bearer TOKEN" https://twistlo
1) Download Daemonset 1) Download Daemonset
The following command can be authenticated by TOKEN or Username/Password. The following command can be authenticated by TOKEN or Username/Password.
``` ```
./twistcli defender export kubernetes --namespace twistlock --privileged --cri --monitor-service-accounts --monitor-istio --user $TWISTLOCK_CONSOLE_USER --password $TWISTLOCK_CONSOLE_PASSWORD --address https://$TWISTLOCK_EXTERNAL_ROUTE --cluster-address twistlock-console:8084 ./twistcli defender export kubernetes --namespace twistlock --privileged --cri --monitor-service-accounts --monitor-istio --user $TWISTLOCK_CONSOLE_USER --password $TWISTLOCK_CONSOLE_PASSWORD --address https://$TWISTLOCK_EXTERNAL_ROUTE --cluster-address twistlock-console:8084
``` ```
#####Download the daemonset.yaml. The default Image is set to teh Prisma server. We need to pull images from Platform 1. The image URL needs to be changed:
##### Download the daemonset.yaml. The default Image is set to teh Prisma server. We need to pull images from Platform 1. The image URL needs to be changed
##### Image: registry.dsop.io/platform-one/apps/twistlock/defender:20.04.169 ##### Image: registry.dsop.io/platform-one/apps/twistlock/defender:20.04.169
2) Install Defender 2) Install Defender
```
``
kubectl apply -f defender.yaml kubectl apply -f defender.yaml
``` ``
Install Defender from the Console UI Install Defender from the Console UI
The Daemonset generator is located in the Twistlock Console Under Manage -> Defenders -> Deploy -> Daemonset The Daemonset generator is located in the Twistlock Console Under Manage -> Defenders -> Deploy -> Daemonset
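Review bot: the defender image pinned at `registry.dsop.io/platform-one/apps/twistlock/defender:20.04.169` does not match the console release named in the CHANGELOG hunk (20.04.196); defender and console should be on the same release, so confirm the tag. The `twistcli defender export kubernetes ... --user $TWISTLOCK_CONSOLE_USER --password $TWISTLOCK_CONSOLE_PASSWORD` line puts the console password on the command line where it shows up in `ps` and shell history; the sentence above says the command also accepts the TOKEN, so show that form instead. Minor: the fences around `kubectl apply -f defender.yaml` were changed to `` (two backticks), which does not render as a code block, and "teh" in the heading is a typo.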
...@@ -143,7 +160,9 @@ Nodes use Container Runtime Interface (CRI), not Docker - On ...@@ -143,7 +160,9 @@ Nodes use Container Runtime Interface (CRI), not Docker - On
Nodes runs inside containerized environment - Off Nodes runs inside containerized environment - Off
#### Set up Logging #### Set up Logging
Run this code while setting the correct variables: Run this code while setting the correct variables:
``` ```
if ! curl -k \ if ! curl -k \
-u $TWISTLOCK_CONSOLE_USER:$TWISTLOCK_CONSOLE_PASSWORD \ -u $TWISTLOCK_CONSOLE_USER:$TWISTLOCK_CONSOLE_PASSWORD \
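Review bot: `-u $TWISTLOCK_CONSOLE_USER:$TWISTLOCK_CONSOLE_PASSWORD` together with `-k` exposes the console password in the process list and skips TLS verification for the logging call; suggest moving the credentials into a curl config file passed with `-K` (or `--netrc-file`) and replacing `-k` with `--cacert`, and quoting the expansion so a password with shell-special characters does not split the argument.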
...@@ -164,4 +183,55 @@ if ! curl -k \ ...@@ -164,4 +183,55 @@ if ! curl -k \
fi fi
``` ```
## Integrating with SAML
Integrating Prisma Cloud with SAML consists of setting up your IdP, then configuring Prisma Cloud to integrate with it. for keycloak integration we will use use ADFS as the IdP.
Setting up Prisma Cloud in Keycloak
1. Follow the keycloak instructions under docs/keycloak named `configure-keycloak.md`
2. In Keycloak select the baby-yoda realm
3. On the left column, select "Clients", then new client.
4. Select load file and choose the "client.json" if available. If not, use the 'saml_example.json.md' for the correct settings. The client info can be manually entered if the client isn't available. Go into the configuration and select "Save".
5. In the left column Create a `Client Scope` for twistlock with a SAML Protocol. Return to yout twistlock client and Add the Client scope to the `Your twistlock client` client.
6. Back in the Client configuration, under "Scope" Add the twistlock scope just created.
7. Select the "Installation" tab, the download the connection file in `Mod Auth Mellon format`
_This is needed for the keycloak connection string._
8. Create a user in keycloak for twistlock. Add the user to the IL2 Group.
### The following is required for manual configuration
1. Navigate to the Twistlock URL and create an admin user, then add a license key.
2. Navigate to "Manage" -> "Authentication" in the left navigation bar.
3. Select "SAML" then the enable switch.
4. Open the installation file from keycloak.
a. The Identity Provider SSO is `https://keycloak.fences.dsop.io/auth/realms/your-realm/protocol/saml`
b. The Identity Provider is `https://keycloak.fences.dsop.io/auth/realms/your-realm`
c. The root URL is `https://twistlock.fences.dsop.io`
5. Paste the client certificate token in the x509 area. The certificate must be in pem format and include the header and footer. When completed select "Save".
If this fails, the certificate is not formatted correctly. Copy the cert to a file and test its validity.
Copy the certificate into a vi session and ensure there are three lines:
-----BEGIN CERTIFICATE-----
(certificate from step 7 keycloak install file)
-----END CERTIFICATE-----
*note: when SAML is added, the twistlock console will default to keycloak. If you need to bypass the saml auth process add "#!/login" the the end of the root url.*
6. Create a twistlock user using the same name as in step
7. There should be a "SAML box to select. If this selection is not visible, go to a different tab, then return to users.
"clientId": "unique_clinet_id__twistlock",
"name": "twistlock",
"rootUrl": "https://twistlock.fences.dsop.io/api/v1/authenticate",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"*"
],
"webOrigins": [],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false,
"publicClient": false,
"frontchannelLogout": true,
"protocol": "saml",
"attributes": {
"saml.assertion.signature": "true",
"saml.force.post.binding": "true",
"saml.multivalued.roles": "false",
"saml.encrypt": "false",
"saml.server.signature": "true",
"saml.server.signature.keyinfo.ext": "false",
"exclude.session.state.from.auth.response": "false",
"saml.signing.certificate": "this is populated from a previous export and will be recreated",
"saml.signature.algorithm": "RSA_SHA256",
"saml_force_name_id_format": "false",
"saml.client.signature": "false",
"tls.client.certificate.bound.access.tokens": "false",
"saml.authnstatement": "true",
"display.on.consent.screen": "false",
"saml_name_id_format": "username",
"saml.signing.private.key": "this will be populated with a key from a previous install if importing a json client description",
"saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
"saml.onetimeuse.condition": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"defaultClientScopes": [
"web-origins",
"role_list",
"roles",
"profile",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
],
"access": {
"view": true,
"configure": true,
"manage": true
}
}
\ No newline at end of file
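Review bot: the Keycloak client JSON at the end of this hunk sets `"redirectUris": ["*"]` together with `"saml.client.signature": "false"`; with unsigned AuthnRequests accepted and any assertion consumer URL allowed, anyone can craft a login request that has Keycloak post a signed assertion for the victim to a URL of the attacker's choosing, so restrict `redirectUris` to `https://twistlock.fences.dsop.io/api/v1/authenticate` (the endpoint the `rootUrl` line already names) and prefer enabling client signature. Also: the intro sentence "for keycloak integration we will use use ADFS as the IdP" contradicts the rest of the section, where Keycloak is the IdP; step 6 "using the same name as in step" is cut off and should name the step; step 7 has an unbalanced quote; the JSON fragment lacks its opening `{` and carries prose placeholders in `saml.signing.certificate` and `saml.signing.private.key` that will not import, so either strip those keys or state that they must be removed before loading; `clinet` in `clientId` is a typo; and the referenced `docs/keycloak/configure-keycloak.md`, `client.json` and `saml_example.json.md` are not part of this commit, so confirm they exist.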