Install Deep Security Manager
Topics:
- Before you begin
- Install the manager
- Test the installation (log in to the manager)
- Replace the self-signed certificate
You can find the supported deployment models for Deep Security Manager in section 3.3 of the Deep Security Best Practice Guide (PDF). Please note that auto-scaling of manager nodes is not supported.
Before you begin
Make sure you have completed these pre-installation tasks:
- Check system requirements for the manager: See System requirements.
- Prepare a database: See Database requirements, Install a database server, and Configure the database.
- Open ports: Make sure you allow inbound and outbound communication to and from the manager on the appropriate port numbers. See Deep Security port numbers.
- Allow URLs: If you are planning on restricting the URLs to or from the manager server, make sure you allow the URLs described in Deep Security URLs.
- Synchronize clocks: Synchronize the OS clock of the manager's server with the clock of the database. Both computers should use the same NTP service.
- Configure DNS: Configure DNS with the appropriate records so that the manager, agents, appliances, and relays can perform DNS lookup queries. Alternatively, use IP addresses, or add entries to the manager's hosts file. Each dot-separated component of the server's DNS name must begin with a letter; a name such as 0000-dsm.example.com, which starts with a digit, is rejected and the install log shows:
java.io.IOException: DNSName components must begin with a letter
- Download the manager software: It's available at https://help.deepsecurity.trendmicro.com/software.html.
- Check the digital signature on the manager's installer file: See Check the signature on installer files (EXE, MSI, RPM or DEB files).
- Run the readiness check: See Run a readiness check.
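As an added pre-install check (not part of the Trend Micro documentation), the POSIX shell functions below test a candidate manager name against the rule behind the DNSName error above: every dot-separated label must begin with a letter, may otherwise contain only letters, digits and hyphens, and may not end with a hyphen. The host names used are constructed, and the resolution check assumes a glibc-based Linux host where getent is available.

```shell
#!/bin/sh
# Added example, not from the Deep Security documentation.
# Validates that a DNS name will be accepted by the manager installer:
# each label must start with a letter, contain only [A-Za-z0-9-], and
# must not end with a hyphen. Returns 0 when the name is acceptable.
valid_dsm_hostname() {
    name=$1
    # reject empty names and names with a trailing dot
    case $name in
        ''|*.) return 1 ;;
    esac
    rest=$name
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        case $rest in
            *.*) rest=${rest#*.} ;;
            *)   rest= ;;
        esac
        case $label in
            # single-letter label is fine
            [A-Za-z]) ;;
            # starts with a letter, ends with a letter or digit ...
            [A-Za-z]*[A-Za-z0-9])
                # ... and nothing in between outside [A-Za-z0-9-]
                leftover=$(printf '%s' "$label" | tr -d 'A-Za-z0-9-')
                [ -z "$leftover" ] || return 1 ;;
            # empty label (a..b), leading digit, leading/trailing hyphen, etc.
            *) return 1 ;;
        esac
    done
    return 0
}

# Forward lookup from this host (assumes glibc getent on Linux).
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Combined check: name shape first, then whether this host can resolve it.
precheck_dsm_name() {
    if ! valid_dsm_hostname "$1"; then
        echo "FAIL: $1 is not a valid manager DNS name (each label must begin with a letter)" >&2
        return 1
    fi
    if ! resolves "$1"; then
        echo "WARN: $1 does not resolve from this host; fix DNS or add a hosts-file entry" >&2
        return 2
    fi
    echo "OK: $1 is valid and resolves"
}

# Usage: sh dsm-name-check.sh dsm.example.com
if [ $# -gt 0 ]; then
    precheck_dsm_name "$1"
fi
```

Run the script with the name you intend to give the manager before starting the installer; a WARN from the resolution step is the same condition that would leave agents and relays unable to reach the manager after installation.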
Install the manager
After completing the tasks in Before you begin, you are ready to install the manager. You can use either:
- Graphical, interactive installer (follow the steps below)
- Silent installer (see Install Deep Security Manager silently)
To run the graphical, interactive installer:
- If you're installing on Linux, make sure the X Window System is installed so you can see the GUI.
- Run the installer as root, superuser, or (on Windows) Administrator.
- For details about how to fill out specific sections of the installer, read the sections below.
If the installer detects an existing installation of the manager, you are prompted to select a fresh install or an upgrade.
- Fresh install (can use existing or new database): This option installs Deep Security software and initializes the database.
- Upgrade: This option installs new Deep Security software, but keeps existing computer details, policies, intrusion prevention rules, firewall rules, and so on. The database schema is updated, if required. Data is migrated to new formats, if required.
- On the Database screen, select either Microsoft SQL Server, Oracle Database, or PostgreSQL, whichever you have configured in Configure the database.
- In the Host name field, enter the database host name.
- In the Database name field, enter the name of the empty database you created for use with Deep Security.
- If you selected Microsoft SQL Server, then the manager's connection settings vary by authentication type:
- SQL Server authentication: Enter the User name and Password of the SQL user.
- Active Directory authentication: Enter the User name (no domain) and Password of an Active Directory user, and then click Advanced and enter the Domain separately. Active Directory authentication is also known as Kerberos or Windows domain authentication.
See also SQL Server domain authentication problems.
With Microsoft SQL Server, Windows workgroup authentication is not supported.
- If you selected Oracle Database or PostgreSQL, enter the user name and password of a database user who has permissions to the empty database you created for use with Deep Security.
On the Master Key screen, configure a master key. This key will be used to encrypt the passwords in the manager's database, dsm.properties file, and configuration.properties file. Choose one of the following options:
- Configure later. With this option, no master key is generated. Instead, the installer uses a hard-coded seed to encrypt the passwords mentioned above. Encrypted passwords are prefixed with $1$, for example, database.Oracle.password=$1$***. If you decide later that you'd like to use a master key instead of a hard-coded seed, you can use the dsm_c -action masterkey command to switch. See Command-line basics for details.
- Use Amazon Web Services (AWS) Key Management Service (KMS). This is the recommended method to provision a key because it does not rely on local files. With this option, the installer communicates with AWS KMS to obtain a 256-bit symmetric customer master key (CMK), which is then used to encrypt the passwords mentioned above. If you don't yet have a CMK in AWS KMS, follow these AWS instructions to create one. Specify the CMK's ARN in the Amazon Resource Name (ARN) field in the manager's installer. To find the ARN, follow these AWS instructions. Encrypted passwords are prefixed with $DMK$, for example, database.Oracle.password=$DMK$***.
- Use a local environment variable (automatically created). With this option, the installer generates a master key and uses it to encrypt the passwords mentioned above. Encrypted passwords are prefixed with $DMK$. The installer encrypts the master key with the secret that you specify in the Secret field, and then places the encrypted key in a local environment variable named LOCAL_KEY_SECRET. The secret must include:
- an uppercase letter
- a lowercase letter
- a number
- a special character
- 8 to 64 characters in total
The secret must not be deleted, as it's required when Deep Security Manager starts and when installing additional manager nodes.
The LOCAL_KEY_SECRET value is a salt (a unique piece of additional data fed into the key generation process) from which the actual master key that encrypts the database is derived. Without the key, someone who steals the database can't decrypt it, and without the salt, the key itself can't be recalculated. This client-managed part of the secret is offered so that you can customize the key generation process with additional data of your own that you manage. With or without the salt, the actual key is never stored in clear text. In addition, this string is stored in a file with root read-only permissions.
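The $1$ and $DMK$ prefixes described above make it possible to verify, after installation, whether the stored passwords still depend on the installer's hard-coded seed. As an added check that is not part of the Deep Security documentation, the POSIX shell functions below scan a properties file for password entries and classify each by prefix. The file content is a constructed sample standing in for dsm.properties (the key name example.other.password and the ciphertext values are made up); point masterkey_audit at your manager's own dsm.properties to audit it.

```shell
#!/bin/sh
# Added example, not from the Deep Security documentation.
# Classifies stored password values by their encryption prefix:
#   $1$   -> encrypted with the installer's hard-coded seed ("Configure later")
#   $DMK$ -> encrypted with a master key (AWS KMS or LOCAL_KEY_SECRET)

# Print the keys (left of '=') whose value is still $1$-encrypted.
seed_encrypted_keys() {
    grep -v '^[[:space:]]*#' "$1" | grep -i 'password' |
        awk -F= 'index($2, "$1$") == 1 { print $1 }'
}

# Print the keys whose value is $DMK$-encrypted.
masterkey_encrypted_keys() {
    grep -v '^[[:space:]]*#' "$1" | grep -i 'password' |
        awk -F= 'index($2, "$DMK$") == 1 { print $1 }'
}

# Summarize the file and return 0 only when no password relies on the hard-coded seed.
masterkey_audit() {
    seed=$(seed_encrypted_keys "$1" | wc -l | tr -d ' ')
    dmk=$(masterkey_encrypted_keys "$1" | wc -l | tr -d ' ')
    printf '%s: %s master-key ($DMK$) value(s), %s hard-coded-seed ($1$) value(s)\n' \
        "$1" "$dmk" "$seed"
    [ "$seed" -eq 0 ]
}

# Constructed sample standing in for a real dsm.properties.
# example.other.password is a made-up key; the values are not real ciphertext.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# constructed sample, not a real manager configuration
database.type=Oracle
database.Oracle.user=dsm
database.Oracle.password=$1$Y29uc3RydWN0ZWQtc2VlZC1lbmNyeXB0ZWQ=
example.other.password=$DMK$Y29uc3RydWN0ZWQtbWFzdGVyLWtleS1lbmNyeXB0ZWQ=
EOF

# Returns 1 for the sample because database.Oracle.password still uses the seed.
masterkey_audit "$sample" ||
    echo "at least one password uses the hard-coded seed; switch with: dsm_c -action masterkey"
```

A non-zero exit from masterkey_audit means the database credentials are protected only by a seed that is identical on every Deep Security Manager installation; the fix the page names is to provision a master key with dsm_c -action masterkey.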
Deep Security requires at least one relay. Relays distribute security updates to protected computers. For more information on relays, see Deploy additional relays.
When you run the Deep Security Manager installer, it searches its local directory for a full ZIP package of the agent installer. (Relays are agents whose relay feature is enabled.) If the ZIP is not found, the manager's installer tries to download it from the Trend Micro Download Center on the Internet.
- If an agent installer is found in either location, the manager's installer offers to install the newest relay.
Trend Micro recommends that you install a local relay to:
- Provide a relay that is local to the manager
- Ensure that at least one relay is always available, even when you decommission old computers with relays
When the manager's installer adds an agent to its server, it only enables the relay feature. It does not apply any default security settings. To protect the server, in Deep Security Manager, apply a security policy to its agent.
- If no agent installer is found, you can download and install an agent or relay later.
Test the installation (log in to the manager)
The "Trend Micro Deep Security Manager" service starts automatically when you finish its installer. To log into Deep Security Manager's GUI, open a web browser and go to:
https://[host_name]:[port]/
where [host_name] is the IP address or domain name of the server where you installed Deep Security Manager, and [port] is the Manager Port you specified during installation.
Example:
https://example.dsm.com:4119/
Replace the self-signed certificate
When installing Deep Security for the first time, the installer creates a self-signed server certificate that Deep Security Manager uses to identify itself during secure connections with agents, appliances, relays, and your web browser. It is valid for 824 days. However, because it is not signed by a trusted Certificate Authority (CA), your web browser will display warnings. To eliminate these warnings and improve security, consider replacing Deep Security's server certificate with one signed by a trusted CA. For details, see Replace the Deep Security Manager TLS certificate.
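As an added example (not part of the Trend Micro documentation), the POSIX shell functions below let you confirm from the command line what the browser warning is telling you: whether the certificate the manager presents on its port is self-signed (issuer identical to subject) and how many days remain before it expires. They require the openssl command-line tool. fetch_dsm_cert is meant to be run against a real manager and is not exercised here; instead the block generates a throwaway self-signed certificate for dsm.example.com, valid for 824 days as the page describes, and inspects that. The host name, port default of 4119 (the example port above) and the generated certificate are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Deep Security documentation. Requires openssl.

# Fetch the PEM certificate the manager presents on its TLS port (4119 in the
# login example above). Run against a real manager: fetch_dsm_cert dsm.example.com > dsm.pem
fetch_dsm_cert() {
    host=$1
    port=${2:-4119}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Return 0 when the certificate file is self-signed, i.e. issuer equals subject.
# Caveat: a CA root certificate also has issuer == subject; for a server
# certificate this is the signature of an installer-generated certificate.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Print the whole number of days until the certificate's notAfter date.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    # GNU date first, BSD/macOS date as fallback
    end_s=$(date -u -d "$end" +%s 2>/dev/null ||
            date -u -j -f '%b %e %T %Y %Z' "$end" +%s)
    now_s=$(date -u +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Human-readable report for one certificate file.
report_cert() {
    if cert_is_self_signed "$1"; then
        echo "$1: self-signed (issuer == subject); browsers will warn until a CA-signed certificate is installed"
    else
        echo "$1: issuer differs from subject (signed by a CA or intermediate)"
    fi
    echo "$1: $(cert_days_left "$1") days until expiry"
}

# Constructed stand-in for the installer's certificate: a fresh self-signed
# certificate for dsm.example.com with the same 824-day lifetime.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 824 \
    -subj '/CN=dsm.example.com' \
    -keyout "$demo/key.pem" -out "$demo/cert.pem" >/dev/null 2>&1

report_cert "$demo/cert.pem"
```

Against a live manager, `fetch_dsm_cert dsm.example.com > dsm.pem && report_cert dsm.pem` tells you whether the replacement described in Replace the Deep Security Manager TLS certificate has taken effect; the days-left figure is also worth putting on a calendar, since the installer's certificate expires after 824 days regardless of whether you replace it.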