Install Cortex XSOAR for a Multi-Tenant Deployment with Elasticsearch

Cortex XSOAR Multi-Tenant Guide

Product: Cortex XSOAR
Version: 6.8
Creation date: 2022-09-29
Last date published: 2023-07-02
End_of_Life: EoL
Category: Multi-Tenant Guide

Ensure you run all commands as the root user.

Caution

Multi-tenant deployments are only intended for MSSPs and certain enterprise use cases. If you are not an MSSP and want to deploy a multi-tenant environment, you must first consult with the Cortex XSOAR product management team. If you deploy a multi-tenant environment without approval from the product management team, Cortex XSOAR will not support the deployment.

Files and folders

These are the files and folders created during the multi-tenant installation.

| File/Folder | Path |
| --- | --- |
| Binaries | /usr/local/demisto |
| Data | /var/lib/demisto |
| Logs | /var/log/demisto |
| Configuration | /etc/demisto.conf (this is not created if defaults are selected during installation). |

  1. Download the server package you received from Cortex XSOAR support.

    Note

    When you receive a link to download, ensure that the downloadLink link refers to https://download.demisto.com and not https://download.demisto.works.

    For example, wget -O demisto.sh "https://download.demisto.com/download-params?token=xabcedef&email=user@paloaltonetworks.com&eula=accept"

    To download the latest vendor-affirmed FIPS version, append &downloadName=fips. For example, wget -O demisto.sh "https://download.demisto.com/download-params?token=xabcedef&email=user@paloaltonetworks.com&eula=accept&downloadName=fips"

  2. Run chmod +x demistoserver-{version}.sh to make the server package executable (if you saved the package as demisto.sh, as in the example above, run chmod +x demisto.sh).

  3. To install the app server with Elasticsearch, run one of the following commands:

    • If using username and password authentication: sudo ./demisto.sh -- -multi-tenant -elasticsearch-url=<elastic search url address> -elasticsearch-username=<the elasticsearch user name> -elasticsearch-password=<the elasticsearch password>

    • If using API key authentication: sudo ./demisto.sh -- -multi-tenant -elasticsearch-url=<elastic search url address> -elasticsearch-api-key=<the elasticsearch API key>

    | Flag | Type | Description |
    | --- | --- | --- |
    | -multi-tenant | String | Indicates that the installation is for a Multi-tenant deployment. |
    | -elasticsearch-url | String | Elasticsearch URL addresses (comma-separated). For example, http://test1:9200,http://test2:9200 |
    | -elasticsearch-api-key | String | The Elasticsearch API key, which should be used in licensed versions. Note: If you use this flag, you do not need to use the -elasticsearch-username and -elasticsearch-password flags. |
    | -elasticsearch-username | String | The Elasticsearch username. This flag is used with the -elasticsearch-password flag. Note: If you use this flag, you do not need to use the -elasticsearch-api-key flag. |
    | -elasticsearch-password | String | The Elasticsearch password. This flag is used with the -elasticsearch-username flag. Note: If you use this flag, you do not need to use the -elasticsearch-api-key flag. |
    | -elasticsearch-proxy | Boolean | Whether to use a proxy when communicating with Elasticsearch. Can be true or false. Default is false. |
    | -elasticsearch-insecure | Boolean | Whether to trust any certificate when communicating with Elasticsearch. Can be true or false. Default is true. |
    | -elasticsearch-timeout | Integer | The amount of time (in seconds) before Elasticsearch times out. Default is 20 seconds. |

    To continue with a high availability configuration, you must install an additional app server. See Install Additional App Servers.
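
The download-link note in step 1 and the -elasticsearch-url flag can both be checked before the installer is run. The following is an added example, not part of the original guide and not Palo Alto Networks code; the function names (url_host, check_download_link, insecure_es_urls) are hypothetical. It accepts only an https link whose host is exactly download.demisto.com, and lists any Elasticsearch URL that is not https, because the username, password or API key would cross the network unencrypted on such a connection.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks code. Function names are hypothetical.

# Print the lowercase host part of a URL.
url_host() {
    rest=${1#*://}            # drop the scheme
    rest=${rest%%[/?#]*}      # drop path, query and fragment
    rest=${rest##*@}          # drop any userinfo ("user:pass@")
    rest=${rest%%:*}          # drop the port
    printf '%s\n' "$rest" | tr 'A-Z' 'a-z'
}

# Succeed only for an https:// link whose host is exactly download.demisto.com.
check_download_link() {
    case $1 in
        https://*) ;;
        *) echo "reject: link is not https" >&2; return 1 ;;
    esac
    host=$(url_host "$1")
    if [ "$host" != "download.demisto.com" ]; then
        echo "reject: unexpected download host '$host'" >&2
        return 1
    fi
}

# Print every entry of a comma-separated -elasticsearch-url value that is not
# https://. Returns 1 if at least one such entry was printed.
insecure_es_urls() {
    found=0
    old_ifs=$IFS
    IFS=,
    set -f                    # no glob expansion while splitting
    for u in $1; do
        case $u in
            https://*) ;;
            *) printf '%s\n' "$u"; found=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return "$found"
}

# Usage: sh preflight.sh '<download link>' '<elasticsearch urls>'
if [ "$#" -eq 2 ]; then
    check_download_link "$1" || exit 1
    insecure_es_urls "$2" || echo "warning: entries above are not https" >&2
fi
```

Comparing the parsed host, rather than searching the link for the string download.demisto.com, also rejects links that only contain the expected name as a prefix or as userinfo.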