In this part of the tutorial we will show how to install and configure Mixeway.

Requirements

  1. Docker and docker-compose
  2. HashiCorp Vault (Optional)

Preparation

Clone the GitHub repository:

git clone https://github.com/mixeway/mixewayhub
cd mixewayhub

Prepare the environment with the setup script:

gs:mixewayhub gs$ ./setup.sh
Enable integration with Hashicorp Vault? (without it passwords to Vulnerability Scanners will be stored in clear text) [Y/N] N
Generating Key pair..
Generating PKCS12..
Generating environments..
Verifying created configuration ..
Verification successfull.
You can now run --- docker-compose up ---

If you would like to enable Vault integration, you need to provide information such as the Vault address and token:

gs:mixewayhub gs$ ./setup.sh
Enable integration with Hashicorp Vault? (without it passwords to Vulnerability Scanners will be stored in clear text) [Y/N] Y
Enter Vault host [127.0.0.1]:
Enter Vault port [8200]:
Enter Vault http scheme http/https [http]:
Enter Vault Application name [mixeway]:
Enter Vault token:
Generating Key pair..
Generating PKCS12..
Generating environments..
Verifying created configuration ..
Verification successfull.
You can now run --- docker-compose up ---

The result of this operation is a generated environments file:

gs:mixewayhub gs$ cat environments
VAULT_HOST=127.0.0.1
VAULT_PORT=8200
VAULT_SCHEME=http
VAULT_APP_NAME=mixeway
VAULT_TOKEN=
KEYALIAS=localhost
TRUSTPASS=changeit
P12PASS=changeit
PROFILE=prod
CERTIFICATE=/pki/cert.crt
PRIVATEKEY=/pki/private.key

The generated certificates are self-signed and are not trusted by any browser. You can skip running the setup script and set these values on your own; in that case remember that:

  1. You have to create a pki directory under mixewayhub
  2. You have to create a PKCS12 file containing the TLS certificate and private key in the pki directory. This file has to be named: certificate.p12
  3. You have to create a JKS to act as the trust store (the set of root CAs that will be treated as trusted); it can be cacerts from the JDK. Place this JKS in the pki directory with the name: trust.jks
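
Whether the values come from setup.sh or are set by hand, the environments file can be checked before the containers are started. The following Python script is an added example, not part of Mixeway or its setup script; the function names, the host vault.example.internal, the placeholder token, and the reading of an empty VAULT_TOKEN as "Vault integration off" are assumptions.

```python
import os
import stat

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and # comments are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def audit_env(env, mode=None):
    """Return (key, finding) tuples for risky settings in an environments file."""
    findings = []
    # Assumption: an empty VAULT_TOKEN means Vault integration is not configured.
    if not env.get("VAULT_TOKEN"):
        findings.append(("VAULT_TOKEN", "empty (assumed: Vault off); scanner passwords in clear text"))
    elif env.get("VAULT_SCHEME") == "http" and env.get("VAULT_HOST") not in LOOPBACK:
        findings.append(("VAULT_SCHEME", "token sent to a remote Vault over plain http"))
    for key in ("TRUSTPASS", "P12PASS"):
        if env.get(key) == "changeit":
            findings.append((key, "default keystore password 'changeit'"))
    # The file holds the Vault token and keystore passwords: owner-only access.
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("file", "environments file accessible to group/other"))
    return findings

def audit_file(path):
    """Audit a file on disk, including its permission bits."""
    with open(path) as fh:
        env = parse_env(fh.read())
    return audit_env(env, stat.S_IMODE(os.stat(path).st_mode))

# Constructed sample: host and token are placeholders, not values from the page.
SAMPLE = """\
VAULT_HOST=vault.example.internal
VAULT_SCHEME=http
VAULT_TOKEN=PLACEHOLDER_TOKEN
TRUSTPASS=changeit
P12PASS=changeit
"""

if __name__ == "__main__":
    for key, finding in audit_env(parse_env(SAMPLE)):
        print(f"{key}: {finding}")
```

Run `audit_file("environments")` from the mixewayhub directory to include the permission check on the real file.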

Running

If the environments file and certificates are set, just run:

gs:mixewayhub gs$ docker-compose up
Pulling MixerBackend (mixeway/backend:latest)...
latest: Pulling from mixeway/backend
e7c96db7181b: Already exists
f910a506b6cb: Already exists
b6abafe80f63: Already exists
8016d8b8a8cc: Pull complete
00c0d0872914: Pull complete
Digest: sha256:c1ae8b43f2bb9482dc9e73ed1e769b2888eb4850cc20d3d10658fdc5d09f7253
Status: Downloaded newer image for mixeway/backend:latest
Pulling MixerFrontend (mixeway/frontend:latest)...
latest: Pulling from mixeway/frontend
Status: Downloaded newer image for mixeway/frontend:latest
Recreating MixerDB          ... done
Creating MixewayVulnAuditor ... done
Recreating MixerBackend     ... done
Recreating MixerFrontend    ... done
Attaching to MixerDB, MixewayVulnAuditor, MixerBackend, MixerFrontend

Then open a browser and go to https://localhost. The default port Mixeway uses is 443.

Warnings

If you decide to use Mixeway without configuring HashiCorp Vault, you will see a few exceptions and the following warning:

MixerBackend | ####################################################################################################################
MixerBackend | # WARRNING! #
MixerBackend | # Vault Configuration is not set #
MixerBackend | # Scanner passwords will be stored #
MixerBackend | # in clear text. It is recommended #
MixerBackend | # To use vault. #
MixerBackend | # Read Mixeway docummentation #
MixerBackend | ####################################################################################################################

We strongly advise against this configuration in a production environment. Without Vault, which is used as a secure key-value store, the passwords needed to log in to vulnerability scanners will be stored in plain text.

Configuration

Initial configuration is performed upon first login to Mixeway.

After entering the password, you will be asked to enter it once again for the 'admin' user.

You are ready to go!
