Installation
All components of OpenCTI are shipped both as Docker images and manual installation packages.
Production deployment
For production deployment, we recommend to deploy all components in containers, including dependencies, using native cloud services or orchestration systems such as Kubernetes.
To have more details about deploying OpenCTI and its dependencies in cluster mode, please read the dedicated section.
-
Use Docker
Deploy OpenCTI using Docker and the default
docker-compose.ymlprovided in the docker. -
Manual installation
Deploy dependencies and launch the platform manually using the packages released in the GitHub releases.
Using Docker
OpenCTI can be deployed using the docker-compose command.
Deploy FIPS 140-2 compliant components
We provide FIPS 140-2 compliant images. Please read the dedicated documentation to understand how to deploy OpenCTI in FIPS-compliant mode.
Pre-requisites
Linux
Windows and MacOS
Just download the appropriate Docker for Desktop version for your operating system.
Clone the repository
Docker helpers are available in the Docker GitHub repository.
mkdir -p /path/to/your/app && cd /path/to/your/app
git clone https://github.com/OpenCTI-Platform/docker.git
cd docker
Configure the environment
ElasticSearch / OpenSearch configuration
- We strongly recommend that you add the following ElasticSearch / OpenSearch parameter:
- Check the OpenCTI Integration User Permissions in OpenSearch/ElasticSearch for detailed information about the user permissions required for the OpenSearch/ElasticSearch integration.
Before running the docker-compose command, the docker-compose.yml file should be configured. By default, the docker-compose.yml file is using environment variables available in the file .env.sample.
You can either rename the file .env.sample as .env and enter the values or just directly edit the docker-compose.yml with the values for your environment.
Configuration static parameters
The complete list of available static parameters is available in the configuration section.
Here is an example to quickly generate the .env file under Linux, especially all the default UUIDv4:
sudo apt install -y jq
cd ~/docker
(cat << EOF
OPENCTI_ADMIN_EMAIL=admin@opencti.io
OPENCTI_ADMIN_PASSWORD=ChangeMePlease
OPENCTI_ADMIN_TOKEN=$(cat /proc/sys/kernel/random/uuid)
OPENCTI_BASE_URL=http://localhost:8080
MINIO_ROOT_USER=$(cat /proc/sys/kernel/random/uuid)
MINIO_ROOT_PASSWORD=$(cat /proc/sys/kernel/random/uuid)
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=guest
ELASTIC_MEMORY_SIZE=4G
CONNECTOR_HISTORY_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_CSV_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_IMPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_TXT_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_IMPORT_DOCUMENT_ID=$(cat /proc/sys/kernel/random/uuid)
SMTP_HOSTNAME=localhost
EOF
) > .env
If your docker-compose deployment does not support .env files, just export all environment variables before launching the platform:
As OpenCTI has a dependency on ElasticSearch, you have to set vm.max_map_count before running the containers, as mentioned in the ElasticSearch documentation.
To make this parameter persistent, add the following to the end of your /etc/sysctl.conf:
Persist data
The default for OpenCTI data is to be persistent.
In docker-compose.yml, you will find the list of necessary persistent volumes for the dependencies at the end:
volumes:
esdata: # ElasticSearch data
s3data: # S3 bucket data
redisdata: # Redis data
amqpdata: # RabbitMQ data
Run OpenCTI
Using single node Docker
After changing your .env file run docker-compose in detached (-d) mode:
Using Docker swarm
In order to have the best experience with Docker, we recommend using the Docker stack feature. In this mode you will have the capacity to easily scale your deployment.
Put your environment variables in /etc/environment:
# If you already exported your variables to .env from above:
sudo cat .env >> /etc/environment
sudo bash -c 'cat .env >> /etc/environment'
sudo docker stack deploy --compose-file docker-compose.yml opencti
Installation done
You can now go to http://localhost:8080 and log in with the credentials configured in your environment variables.
Manual installation
Prerequisites
Installation of dependencies
You have to install all the needed dependencies for the main application and the workers. The example below is for Debian-based systems:
Download the application files
First, you have to download and extract the latest release file. Then select the version to install depending of your operating system:
For Linux:
- If your OS supports libc (Ubuntu, Debian, ...) you have to install the
opencti-release_{RELEASE_VERSION}.tar.gzversion. - If your OS uses musl (Alpine, ...) you have to install the
opencti-release-{RELEASE_VERSION}_musl.tar.gzversion.
For Windows:
We don't provide any Windows release for now. However it is still possible to check the code out, manually install the dependencies and build the software.
mkdir /path/to/your/app && cd /path/to/your/app
wget <https://github.com/OpenCTI-Platform/opencti/releases/download/{RELEASE_VERSION}/opencti-release-{RELEASE_VERSION}.tar.gz>
tar xvfz opencti-release-{RELEASE_VERSION}.tar.gz
Install the main platform
Configure the application
The main application has just one JSON configuration file to change and a few Python modules to install
Change the config/production.json file according to your configuration of ElasticSearch, Redis, RabbitMQ and S3 bucket as well as default credentials (the ADMIN_TOKEN must be a valid UUID).
Install the Python modules
Start the application
The application is just a NodeJS process, the creation of the database schema and the migration will be done at starting.
Please verify that yarn version is greater than 4 and node version is greater or equals to v19. Please note that some Node.js version are outdated in linux package manager, you can download a recent one in https://nodejs.org/en/download or alternatively nvm can help to chose a recent version of Node.js https://github.com/nvm-sh/nvm
Once Node.js is setup, you can build and run with (from inside opencti folder):
The default username and password are those you have put in the config/production.json file.
Install the worker
The OpenCTI worker is used to write the data coming from the RabbitMQ messages broker.
Configure the worker
Change the config.yml file according to your OpenCTI token.
Start as many workers as you need
Installation done
You can now go to http://localhost:4000 and log in with the credentials configured in your production.json file.
Community contributions
Terraform
-
Multi-clouds Terraform scripts
This repository is here to provide you with a quick and easy way to deploy an OpenCTI instance in the cloud (AWS, Azure, or GCP).
-
AWS Advanced Terraform scripts
A Terraform deployment of OpenCTI designed to make use of native AWS Resources (where feasible). This includes AWS ECS Fargate, AWS OpenSearch, etc.
Helm Charts
-
Kubernetes Helm Charts
OpenCTI Helm Charts for Kubernetes with a global configuration file. More information how to deploy here on basic installation and examples.
Deploy behind a reverse proxy
If you want to use OpenCTI behind a reverse proxy with a context path, like https://domain.com/opencti, please change the base_path static parameter.
APP__BASE_PATH=/opencti
By default OpenCTI use websockets so don't forget to configure your proxy for this usage, an example with Nginx:
location / {
proxy_cache off;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
chunked_transfer_encoding off;
proxy_pass http://YOUR_UPSTREAM_BACKEND;
}
Additional memory information
Platform
OpenCTI platform is based on a NodeJS runtime, with a memory limit of 8GB by default. If you encounter OutOfMemory exceptions, this limit could be changed:
Workers and connectors
OpenCTI workers and connectors are Python processes. If you want to limit the memory of the process, we recommend to directly use Docker to do that. You can find more information in the official Docker documentation.
ElasticSearch
ElasticSearch is also a JAVA process. In order to setup the JAVA memory allocation, you can use the environment variable ES_JAVA_OPTS. You can find more information in the official ElasticSearch documentation.
Redis
Redis has a very small footprint on keys but will consume memory for the stream. By default the size of the stream is limited to 2 millions which represents a memory footprint around 8 GB. You can find more information in the Redis docker hub.
MinIO / S3 Bucket
MinIO is a small process and does not require a high amount of memory. More information are available for Linux here on the Kernel tuning guide.
RabbitMQ
The RabbitMQ memory configuration can be find in the RabbitMQ official documentation. RabbitMQ will consumed memory until a specific threshold, therefore it should be configure along with the Docker memory limitation.