Installation

All components of OpenCTI are shipped both as Docker images and manual installation packages.

Production deployment

For production deployment, we recommend to deploy all components in containers, including dependencies, using native cloud services or orchestration systems such as Kubernetes.

To have more details about deploying OpenCTI and its dependencies in cluster mode, please read the dedicated section.

• Use Docker

  ---

  Deploy OpenCTI using Docker and the default docker-compose.yml provided in the docker.

  Setup

• Manual installation

  ---

  Deploy dependencies and launch the platform manually using the packages released in the GitHub releases.

  Explore

Using Docker

Deploy FIPS 140-2 compliant components

We are providing FIPS 140-2 compliant images, please read the dedicated documentation to understand how to deploy OpenCTI in FIPS-compliant mode.

Introduction

OpenCTI can be deployed using the docker-compose command.

Pre-requisites

Linux

$ sudo apt install docker-compose

Windows and MacOS

Just download the appropriate Docker for Desktop version for your operating system.

Clone the repository

Docker helpers are available in the Docker GitHub repository.

$ mkdir -p /path/to/your/app && cd /path/to/your/app
$ git clone https://github.com/OpenCTI-Platform/docker.git
$ cd docker

Configure the environment

ElasticSearch / OpenSearch configuration

• We highly recommend to put the ElasticSearch / OpenSearch following parameter:

thread_pool.search.queue_size=5000

• Check the OpenCTI Integration User Permissions in OpenSearch/ElasticSearch for detailed information about the necessary user permissions for the OpenSearch/ElasticSearch integration.

Before running the docker-compose command, the docker-compose.yml file should be configured. By default, the docker-compose.yml file is using environment variables available in the file .env.sample.

You can either rename the file .env.sample in .env and put the expected values or just fill directly the docker-compose.yml with the values corresponding to your environment.

Configuration static parameters

The complete list of available static parameters is available in the configuration section.

Here is an example to quickly generate the .env file under Linux, especially all the default UUIDv4:

$ sudo apt install -y jq
$ cd ~/docker
$ (cat << EOF
OPENCTI_ADMIN_EMAIL=admin@opencti.io
OPENCTI_ADMIN_PASSWORD=ChangeMePlease
OPENCTI_ADMIN_TOKEN=$(cat /proc/sys/kernel/random/uuid)
OPENCTI_BASE_URL=http://localhost:8080
MINIO_ROOT_USER=$(cat /proc/sys/kernel/random/uuid)
MINIO_ROOT_PASSWORD=$(cat /proc/sys/kernel/random/uuid)
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=guest
ELASTIC_MEMORY_SIZE=4G
CONNECTOR_HISTORY_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_CSV_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_IMPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_TXT_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_IMPORT_DOCUMENT_ID=$(cat /proc/sys/kernel/random/uuid)
SMTP_HOSTNAME=localhost
EOF
) > .env

If your docker-compose deployment does not support .env files, just export all environment variables before launching the platform:

$ export $(cat .env | grep -v "#" | xargs)

As OpenCTI has a dependency on ElasticSearch, you have to set the vm.max_map_count before running the containers, as mentioned in the ElasticSearch documentation.

$ sudo sysctl -w vm.max_map_count=1048575

To make this parameter persistent, add the following to the end of your /etc/sysctl.conf:

$ vm.max_map_count=1048575

Persist data

The default for OpenCTI data is to be persistent.

In the docker-compose.yml, you will find at the end the list of necessary persitent volumes for the dependencies:

volumes:
  esdata:     # ElasticSearch data
  s3data:     # S3 bucket data
  redisdata:  # Redis data
  amqpdata:   # RabbitMQ data

Run OpenCTI

Using single node Docker

After changing your .env file run docker-compose in detached (-d) mode:

$ sudo systemctl start docker.service
# Run docker-compose in detached
$ docker-compose up -d

Using Docker swarm

In order to have the best experience with Docker, we recommend using the Docker stack feature. In this mode you will have the capacity to easily scale your deployment.

# If your virtual machine is not a part of a Swarm cluster, please use:
$ docker swarm init

Put your environment variables in /etc/environment:

# If you already exported your variables to .env from above:
$ sudo cat .env >> /etc/environment
$ sudo bash -c 'cat .env >> /etc/environment’
$ sudo docker stack deploy --compose-file docker-compose.yml opencti

Installation done

You can now go to http://localhost:8080 and log in with the credentials configured in your environment variables.

Manual installation

Prerequisites

Prepare the installation

Installation of dependencies

You have to install all the needed dependencies for the main application and the workers. The example below is for Debian-based systems:

$ sudo apt-get install build-essential nodejs npm python3 python3-pip python3-dev

Download the application files

First, you have to download and extract the latest release file. Then select the version to install depending of your operating system:

For Linux:

• If your OS supports libc (Ubuntu, Debian, ...) you have to install the opencti-release_{RELEASE_VERSION}.tar.gz version.
• If your OS uses musl (Alpine, ...) you have to install the opencti-release-{RELEASE_VERSION}_musl.tar.gz version.

For Windows:

We don't provide any Windows release for now. However it is still possible to check the code out, manually install the dependencies and build the software.

$ mkdir /path/to/your/app && cd /path/to/your/app
$ wget <https://github.com/OpenCTI-Platform/opencti/releases/download/{RELEASE_VERSION}/opencti-release-{RELEASE_VERSION}.tar.gz>
$ tar xvfz opencti-release-{RELEASE_VERSION}.tar.gz

Install the main platform

Configure the application

The main application has just one JSON configuration file to change and a few Python modules to install

$ cd opencti
$ cp config/default.json config/production.json

Change the config/production.json file according to your configuration of ElasticSearch, Redis, RabbitMQ and S3 bucket as well as default credentials (the ADMIN_TOKEN must be a valid UUID).

Install the Python modules

$ cd src/python
$ pip3 install -r requirements.txt
$ cd ../..

Start the application

The application is just a NodeJS process, the creation of the database schema and the migration will be done at starting.

$ yarn install
$ yarn build
$ yarn serv

The default username and password are those you have put in the config/production.json file.

Install the worker

The OpenCTI worker is used to write the data coming from the RabbitMQ messages broker.

Configure the worker

$ cd worker
$ pip3 install -r requirements.txt
$ cp config.yml.sample config.yml

Change the config.yml file according to your OpenCTI token.

Start as many workers as you need

$ python3 worker.py &
$ python3 worker.py &

Installation done

You can now go to http://localhost:4000 and log in with the credentials configured in your production.json file.

Appendix

Community contributions

Terraform

• Multi-clouds Terraform scripts

  ---

  This repository is here to provide you with a quick and easy way to deploy an OpenCTI instance in the cloud (AWS, Azure, or GCP).

  GitHub Respository

• AWS Advanced Terraform scripts

  ---

  A Terraform deployment of OpenCTI designed to make use of native AWS Resources (where feasible). This includes AWS ECS Fargate, AWS OpenSearch, etc.

  GitHub Repository

Helm Charts

• Kubernetes Helm Charts

  ---

  OpenCTI Helm Charts for Kubernetes with a global configuration file. More information how to deploy here on basic installation and examples.

  GitHub Repository

Deploy behind a reverse proxy

If you want to use OpenCTI behind a reverse proxy with a context path, like https://domain.com/opencti, please change the base_path static parameter.

• APP__BASE_PATH=/opencti

By default OpenCTI use websockets so don't forget to configure your proxy for this usage, an example with Nginx:

location / {
    proxy_cache                 off;
    proxy_buffering             off;
    proxy_http_version          1.1;
    proxy_set_header Upgrade    $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host       $host;
    chunked_transfer_encoding   off;
    proxy_pass                  http://YOUR_UPSTREAM_BACKEND;
  }

Additional memory information

Platform

OpenCTI platform is based on a NodeJS runtime, with a memory limit of 8GB by default. If you encounter OutOfMemory exceptions, this limit could be changed:

- NODE_OPTIONS=--max-old-space-size=8096

Workers and connectors

OpenCTI workers and connectors are Python processes. If you want to limit the memory of the process, we recommend to directly use Docker to do that. You can find more information in the official Docker documentation.

ElasticSearch

ElasticSearch is also a JAVA process. In order to setup the JAVA memory allocation, you can use the environment variable ES_JAVA_OPTS. You can find more information in the official ElasticSearch documentation.

Redis

Redis has a very small footprint on keys but will consume memory for the stream. By default the size of the stream is limited to 2 millions which represents a memory footprint around 8 GB. You can find more information in the Redis docker hub.

MinIO / S3 Bucket

MinIO is a small process and does not require a high amount of memory. More information are available for Linux here on the Kernel tuning guide.

RabbitMQ

The RabbitMQ memory configuration can be find in the RabbitMQ official documentation. RabbitMQ will consumed memory until a specific threshold, therefore it should be configure along with the Docker memory limitation.