Scan Agents

TrustView can scan endpoints from different places. A connection from within your network may give a different result than one from the cloud.

The Local scan agent is part of the primary TrustView installation. There is also a cloud-based scanner, positioned in the cloud to scan from outside your network. Additional Scan agents can be downloaded for Windows and Linux and installed on other servers in your network. TrustView will create and maintain one SSL endpoint object for each combination of active Scan agent and hostname. If you don’t want TrustView to scan a specific combination, you can ignore the endpoint.

On the Scan agent Settings page, you can activate and deactivate Scan agents. You can also control whether endpoints created with the Scan agent start as:

  • Active - Have the scan agent run on the endpoint by default

  • Ignored - Manually activate the endpoints you want scanned by the agent

In order to avoid clutter with multiple endpoints with the same result from different agents, the connections also have a priority. If a connection gives the same result as a connection with a higher priority, it is set to Auto-filtered and not shown. You can set the priority that the agents give by default, but you can also edit the priority on the individual endpoints on their edit page.

External agents

  • In addition to the 2 agents that are always available, external agents can be set up elsewhere in your network for full coverage.

  • External agents can be installed on a 64/32-bit Windows or Linux server that has Java installed and can reach your primary TrustView URL.

Windows

Installation

Navigate to the Scan agent page that can be found under the settings page and download the zip package for Windows with the external agent. Extract the package where you wish to install it. Navigate to the folder with PowerShell and run:

Command to install the agent
    .\scanAgentSetup.exe install

This will set up the Scan agent as a Windows service. To ensure that the service will start after a possible server reboot, set the startup to Automatic under properties of the service. With the agent running, you should be able to locate it on the Scan agent page in TrustView and activate it.

How to activate the Scan agent in TrustView

Note

If the Scan agent is not available or visible in TrustView, ensure that the Windows service is running and refresh the browser.

Uninstalling

To uninstall the agent, stop the Scan agent Windows service, navigate to the installation folder, and run:

Command to uninstall the agent
    .\scanAgentSetup.exe uninstall

Afterwards, the Scan agent folder can be removed, and the agent can be deleted under the Scan agent page in TrustView.

Upgrading

When a new version of the agent is available, first stop the Scan Agent Windows service, navigate to the installation folder with PowerShell, and run:

    .\scanAgentSetup.exe uninstall

Then download the zip with the new version from TrustView and extract the contents to replace the existing files in the installation folder. To reinstall, run:

    .\scanAgentSetup.exe install

Restart the Scan agent Windows service and the new version number should now be shown for the Scan agent in TrustView.

Note

If the Scan agent is not available or visible in TrustView, ensure that the Windows service is running and refresh the browser.

Linux

Navigate to the Scan agent page in TrustView and download the zip package for Linux with the external agent.

Step 1

Install java-11-openjdk:

Command to install Java
    $ yum install java-11-openjdk

Step 2

Extract the ScanAgent package:

Command to extract the agent
    $ mkdir /opt/trustskills
    $ gunzip -c trustview-scanagent-v1.1.tar.gz | (cd /opt/trustskills; tar xf -)

Important

Make sure trustview-scanagentw.sh is executable:

Command to grant permissions
    $ chmod 755 /opt/trustskills/trustview-scanagent/trustview-scanagentw.sh

Step 3

Assuming your system is using systemd for managing services, complete the following steps:

  1. Modify examples/trustview-scanagent.service to match your requirements

  2. Copy the modified trustview-scanagent.service to /etc/systemd/system

  3. Start the service and enable automatic start on boot:

Commands to start and enable the scan agent
    $ systemctl start trustview-scanagent
    $ systemctl enable trustview-scanagent

Add certificate to truststore [Optional]

Windows

Copy the cacerts file from the Java directory to the <scan agent installation path> directory and import the CA ROOT certificate with the command:

Import the root certificate into the truststore
    "C:\Program Files\AdoptOpenJDK\jre-8\bin\keytool.exe" -import -keystore Path\cacerts -storepass changeit -file Path\trustedrootcert.cer

Important

Adjust the command parameters to fit your file location etc.

In the file scanagentsetup.xml, under Arguments, add the following lines:

    -Djavax.net.ssl.trustStore=<scan agent installation path>\cacerts
    -Djavax.net.ssl.trustStorePassword=changeit
    -Djavax.net.ssl.trustStoreType=JKS <arguments>

Note

Remember to adjust the scan agent installation directory path.

Linux

Copy the cacerts file from the Java directory to the <scan agent installation path> directory and import the CA ROOT certificate with the command:

Import the root certificate into the truststore
    # Run as root
    /path/to/jre/bin/keytool -import -keystore Path/cacerts -storepass changeit -file Path/trustedrootcert.cer

In the file trustview-scanagentw.sh, under JAVA_OPTIONS, add the following lines:

    -Djavax.net.ssl.trustStore=<scan agent installation path>/cacerts
    -Djavax.net.ssl.trustStorePassword=changeit
    -Djavax.net.ssl.trustStoreType=JKS

Note

Remember to adjust the scan agent installation directory path.
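
The store password used above is Java's well-known default, so it does not restrict who can change the trusted roots; the file permissions on the copied cacerts file do. The following check is an added example, not part of TrustView or its documentation: it reads the trustStore path from the wrapper script and fails if the truststore or the script is writable by group or others. It assumes GNU stat, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not TrustView code): audit the truststore that the agent
# wrapper script points at. Assumes Linux with GNU coreutils (stat -c).

# Print the path given to -Djavax.net.ssl.trustStore= in a wrapper script.
# The "=" right after "trustStore" excludes trustStorePassword/trustStoreType.
truststore_path() {
    grep -o -e "-Djavax\.net\.ssl\.trustStore=[^ \"']*" "$1" \
        | head -n 1 | cut -d= -f2-
}

# Succeeds (exit 0) when the file has a group- or world-write bit set.
loosely_writable() {
    mode=$(stat -L -c '%a' "$1") || return 2
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# Exit codes: 0 ok, 1 no trustStore option, 2 truststore missing,
# 3 truststore loosely writable, 4 wrapper script loosely writable.
audit_truststore() {
    wrapper=$1
    ts=$(truststore_path "$wrapper")
    [ -n "$ts" ] || { echo "no trustStore option in $wrapper" >&2; return 1; }
    [ -f "$ts" ] || { echo "truststore not found: $ts" >&2; return 2; }
    if loosely_writable "$ts"; then
        echo "truststore writable by group/others: $ts" >&2
        return 3
    fi
    if loosely_writable "$wrapper"; then
        echo "wrapper writable by group/others: $wrapper" >&2
        return 4
    fi
    echo "ok: $ts"
}

# Run the audit only when a wrapper script path is passed as an argument.
if [ "$#" -gt 0 ]; then
    audit_truststore "$1"
fi
```

Run it with the path to trustview-scanagentw.sh as the only argument after editing JAVA_OPTIONS; a non-zero exit code identifies which check failed.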