Skip to content

System Requirements

The following sections detail the capacity and configuration requirements for the deployment of Runecast Analyzer. Customers can deploy the application on supported platforms:

  • VMware vSphere as a pre-packaged OVA image available on the Runecast Portal or the VMware Marketplace
  • Amazon AWS as a pre-built AMI image available on the AWS Marketplace
  • Microsoft Azure as a pre-built image available on the Azure Marketplace
  • Kubernetes via Helm chart hosted in the Runecast Helm chart repository

To access the Runecast Analyzer Web Interface after deployment, please use one of the supported browsers.

VMware vSphere

  • VMware vSphere infrastructure should already be deployed. ESXi hosts must be v6.x and above, and these must be managed by vCenter v6.x or v7.x.
  • The Runecast Analyzer appliance is typically deployed into an existing vSphere infrastructure. Appropriate resource allocation for the appliance is selected during the deployment process. The standard sizing options are small/medium/large; with resources allocated as follows:

    Note

    If you plan to use OS analaysis, use Medium or Large sized appliance.

    • Small (use this configuration for small environments: up to 50 Hosts)

      • 2 vCPU
      • 6 GB RAM
      • 120 GB Storage
      • 100 Mbit network (1 Gbit or above recommended)
    • Medium (use this configuration for medium environments: up to 150 Hosts)

      • 4 vCPU
      • 8 GB RAM
      • 120 GB Storage
      • 100 Mbit network (1 Gbit or above recommended)
    • Large (use this configuration for large environments: up to 1200 Hosts)

      • 8 vCPU
      • 32 GB RAM
      • 120 GB Storage
      • 100 Mbit network (1 Gbit or above recommended)
  • Internet Connectivity - Runecast Analyzer is packaged as a virtual appliance in OVA format that is deployed into your virtual infrastructure. All data and logic necessary for full operation are contained in the appliance. No data is transmitted from the Runecast Analyzer outside of your datacenter. Optionally, customers can connect the Runecast Analyzer to the Internet to download zero-touch updates for knowledge definitions and application updates. An entirely off-line update mechanism is provided using files (.ISO and .bin) made available from the user portal.

AWS

  • An active AWS account is required to deploy Runecast Analyzer.
  • Deployment requires the following resources (customers can reuse existing resources):
    • VPC
    • Network subnet with Internet Gateway attached
    • Security Group allowing the following incoming communication:
      • Ports TCP 443 (HTTPS) and TCP 22 (SSH)
      • If OS Analysis is used, port TCP 8443 (HTTPS) for agents communication

Azure

  • An active Microsoft Azure cloud account is required to deploy Runecast Analyzer.
  • Deployment requires the following resources (customers can reuse existing resources):
    • Azure Active Directory
    • Active subscription
    • Virtual Network
    • Subnet
    • Public IP for accessing over internet
    • Network Security Group with the following incoming communication allowed:
      • TCP 443 (HTTPS) for accessing the web interface and TCP 22 (SSH) for the remote management
      • If OS Analysis is used, port TCP 8443 (HTTPS) for agents communication

Kubernetes

  • Any K8s cluster that supports Helm - on-premises upstream open-source Kubernetes version based cluster, or commercial solutions like HPE Ezmeral, Amazon EKS, Microsoft AKS or Google GKE.

  • Helm 3 (Helm 2.2.0+ should work but is not validated)

    Tip

    To find out how to install and use Helm, please visit the Helm website on https://helm.sh/.

  • By default, the application is deployed with the following settings:

    • Requests
      • 2.5 CPU
      • 6.9 GB RAM
    • Limits
      • 5.5 CPU
      • 12 GB RAM
    • 60 GB persistent storage


Runecast is an HPE Technology Partner, and Runecast Analyzer is validated for deployment on HPE Ezmeral Container Platform. To find more about Runecast Analyzer on HPE Ezmeral please see the HPE Ezmeral Marketplace page https://www.hpe.com/us/en/software/marketplace/runecast.html.

Analyzed System Privileges

VMware vCenter Server

A user with the following privilege at the vCenter level is required to connect to a VMware vCenter Server:

Minimum requirement

  • Read Only

Note

The minimum required permission for the Analyzer to perform scanning is Read Only. However, in this case, collection will not be fully comprehensive and it will not be possible to report issues related to some areas of the configuration, such as device-specific info from ESXi hosts (driver, firmware). This is due to the way specific data is exposed through the vSphere permissions model.

To provide a fully comprehensive analysis, the additional privileges provided below will ensure that sufficient information is collected for 100% of the checks performed by Runecast Analyzer.

vCenter privilege Description
Host > CIM > CIM interaction CIM collection
Global > Settings vSAN configuration collection
Host > Configuration > Firmware Host files collection
Host > Configuration > Change settings Kernel modules collection
Host > Configuration > Advanced settings
Host > Configuration > Change settings
Host > Configuration > Security profile and firewall
Automatic ESXi Syslog configuration
Virtual Machine > Configuration > Advanced Automatic VM Syslog configuration
Extension > Register extension
Extension > Update extension
Automatic Web Client registration
Host profile > View
Host profile > Edit
Automatic Host Profile collection
Host > Configuration > Change settings
Global > Settings
HW Compatibility

Tip

A PowerCLI script to automatically create Runecast Role with the above permissions is available at https://github.com/Runecast/public/blob/master/PowerCLI/createRunecastRole.ps1.

Warning

Hardware Compatibility checks are performed on ESXi v6.0 and above.

VMware NSX-V

NSX-V is supported by connecting to an NSX-V Manager when paired with a vCenter instance. Runecast Analyzer supports NSX-V Manager v6.2 and above.

For connection to NSX-V, a user with the following privileges in NSX Manager is needed:

Minimum requirement

  • Auditor
  • Security administrator – required to leverage the NSX-V Custom Dashboard Widget for Runecast.

Note

Due to NSX-V Manager’s constraints before v6.3.3, Runecast Analyzer cannot automatically validate that an NSX-V Manager is registered to a specific vCenter. You will be asked to confirm during the connection process.

Authentication source

Domain

Domain users are supported on NSX-V 6.4 and later.

Local

Local CLI user can be created following the below procedure:

  1. Open console session to NSX-V Manager and log in with the Administrator account
  2. Switch to Privilege mode using the enable command
  3. Switch to Configuration mode using the configure terminal command
  4. Add a CLI user account using the user <username> password (hash | plaintext) <password> command

    Example: user cliuser password plaintext abcd1234

  5. Save the configuration with write memory command

  6. Allow the created CLI user to run the REST API calls using the user <username> privilege web-interface command
  7. Issue POST request to https://<NSX-IP>/api/2.0/services/usermgmt/role/<username>?isCli=true endpoint with user having administrator privileges to assign a role to the newly created CLI user. Example of the body content assigning auditor privilege:
    <accessControlEntry>
    <role>auditor</role>
    <resource>
    <resourceId>globalroot-0</resourceId>
    </resource>
    </accessControlEntry>    
    
  8. Now you'll be able to use the new CLI user for connection to NSX-V Manager

VMware NSX-T

VMware NSX-T Data Center is supported by connecting to an NSX-T Manager or Cluster Virtual IP. Runecast Analyzer supports NSX-T Manager version 2.4 and above.

For connection to NSX-T, a user with the following privileges in NSX-T Manager is needed:

Minimum requirement

  • Auditor

VMware Horizon

VMware Horizon is supported by connecting to a Connection Server. For Connection Servers that are part of a single replication group, it is required to establish the connection to only one Connection Server which belongs to the group. Also, if there is a Load Balancer configured with session persistence, it can be used to connect to a Connection Server in a replication group. Runecast Analyzer supports Horizon v6.x and above.

For connection to a Connection Server, a user with the following privileges in Horizon is needed:

Minimum Requirement

  • Administrators (Read-only).

VMware Cloud Director

VMware Cloud Director is supported by connecting to the provider portal. Runecast Analyzer supports VMware Cloud Director version 10.0 and above.

For connection to VMware Cloud Director, a user with the following privileges on the vCD provider level is needed:

Minimum Requirement

  • A role with View-only permissions.

AWS

Amazon Web Services is supported by connecting to an AWS Account.

For connection to an AWS Account, a user with the following privileges is needed:

Minimum Requirements

  • We recommend using an account with Programmatic access only. To limit the operational overhead, we suggest using the AWS managed ReadOnlyAccess policy. This will cover future functionality and analysis capability provided by Analyzer, without the need to adjust the policy very often.

Microsoft Azure

Azure AD is supported by connecting an Azure Application. To create the Azure Application and assign the required permissions, please follow these steps:

  1. Login to the Azure Portal
  2. Navigate to Azure Active Directory
  3. From the left side menu, click on App registrations then click on New Registration

  4. Provide a name for the application and select Accounts in this organizational directory only (Demo-directory only - Single tenant). Leave Redirect URI empty

  5. Once the application is created, make a note of the Application (client) ID and Directory (tenant) ID shown in the application Overview page

  6. Click on Certificates & secrets under Manage in the left side menu of the app

  7. Under the Client secrets section, click on New client secret

  8. Provide a suitable description for the client secret and select the expiration as per your organization policy. We recommend 1 year expiry for client secrets

  9. Make a note of the newly created client secret value
  10. Click on the API permissions under Manage in the left side menu of the App
  11. Under Configured permissions section, add application permission for Directory.Read.All from Graph API and click on Grant Admin Consent for Demo-directory

    If you do not have admin privileges, please refer to the below link.
    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal

    With the help of your administrator, you can change User consent settings.

  12. Navigate to the Subscriptions page and select the subscription for which you want to scan from Runecast Analyzer

  13. From the left side menu of subscription, click on Access control (IAM) and select Role assignments then click on Add and select Add role assignment
  14. Select Reader as a role and set Assign access to to option User, group, or service principal. Under Select provide the name of your app created in step 5 and click on Save

Kubernetes

Kubernetes is supported by connecting to API server address using service account token authentication.

Info

Runecast Analyzer follows an extended version of the Kubernetes lifecycle policy, testing and validating against the current Kubernetes release, as well as the three previous releases. Managed Kubernetes environments, including Amazon EKS, Microsoft AKS, Google GKE, and HPE Ezmeral Container Platform are supported. However, as these services may limit access to the control plane, Runecast Analyzer cannot provide results for the control plane (as such, results in these environments are for the customer deployed clusters or workloads only).

Runecast Analyzer can connect to the API via a load balancer address or directly to one of the master nodes. To get the service account token, you need to create a service account first. The service account can have limited permissions and needs to be bound to a cluster role.

List of required permissions
cluster role option cluster role option values
verbs get
list
watch
resources nodes
namespaces
pods
replicationcontrollers
serviceaccounts
services
daemonsets.apps
deployments.apps
replicasets.apps
statefulsets.apps
cronjobs.batch
jobs.batch
networkpolicies.networking.k8s.io
podsecuritypolicies.policy
clusterrolebindings.rbac.authorization.k8s.io
clusterroles.rbac.authorization.k8s.io
rolebindings.rbac.authorization.k8s.io
roles.rbac.authorization.k8s.io

To obtain the API address, port, and service account token, from the management workstation where K8s access is configured, follow the next steps:

  1. Switch to the context of the cluster you are going to connect to in Runecast Analyzer:

    kubectl config use-context <context name>
    

    Tip

    In VMware Tanzu, use kubectl vsphere login --server=<KUBERNETES-CONTROL-PLANE-IP-ADDRESS> --vsphere-username <VCENTER-SSO-USER> to log in to the cluster and then the above-mentioned command to switch to the context of the required workload cluster. To find out more information about connecting to Tanzu Kubernetes Cluster, please see the official documentation.

  2. Issue the following commands to find out the API address and port:

    CURRENT_CONTEXT=$(kubectl config view -o jsonpath="{.current-context}")
    CURRENT_CLUSTER=$(kubectl config view -o jsonpath="{.contexts[?(@.name=='$CURRENT_CONTEXT')].context.cluster}")
    echo $(kubectl config view -o jsonpath="{.clusters[?(@.name=='$CURRENT_CLUSTER')].cluster.server}")
    
    $CURRENT_CONTEXT=(kubectl config view -o jsonpath="{.current-context}")
    $CURRENT_CLUSTER=(kubectl config view -o jsonpath="{.contexts[?(@.name=='$CURRENT_CONTEXT')].context.cluster}")
    Write-Host (kubectl config view -o jsonpath="{.clusters[?(@.name=='$CURRENT_CLUSTER')].cluster.server}")
    
  3. Create a service account and read its token. You can use the following commands to perform the task:

    # set the namespace where the service account will be created
    NAMESPACE="kube-system"
    
    # create the service account
    kubectl create serviceaccount runecast-analyzer-scan -n ${NAMESPACE}
    
    # create clusterrole
    kubectl create clusterrole runecast-analyzer-scan --verb=get,list,watch --resource=nodes,namespaces,pods,replicationcontrollers,serviceaccounts,services,daemonsets.apps,deployments.apps,replicasets.apps,statefulsets.apps,cronjobs.batch,jobs.batch,networkpolicies.networking.k8s.io,podsecuritypolicies.policy,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io,rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io
    
    # bind the clusterrole
    kubectl create clusterrolebinding runecast-analyzer-scan --clusterrole=runecast-analyzer-scan --serviceaccount=${NAMESPACE}:runecast-analyzer-scan
    
    # output the service account token
    kubectl get serviceaccounts runecast-analyzer-scan -n ${NAMESPACE} -o jsonpath='{.secrets[].name}' | xargs kubectl get secret -n ${NAMESPACE} -o jsonpath='{.data.token}' | base64 -d | awk '{print "copy the service account token:\n"$1"\n"}'
    
    # set the namespace where the service account will be created
    $namespace = "kube-system"
    
    # create the service account
    kubectl create serviceaccount runecast-analyzer-scan -n $namespace
    
    # create clusterrole
    kubectl create clusterrole runecast-analyzer-scan --verb=get,list,watch --resource=nodes,namespaces,pods,replicationcontrollers,serviceaccounts,services,daemonsets.apps,deployments.apps,replicasets.apps,statefulsets.apps,cronjobs.batch,jobs.batch,networkpolicies.networking.k8s.io,podsecuritypolicies.policy,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io,rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io
    
    # bind the clusterrole
    kubectl create clusterrolebinding runecast-analyzer-scan --clusterrole=runecast-analyzer-scan --serviceaccount="$($namespace):runecast-analyzer-scan"
    
    # output the service account token
    $secretname = kubectl get serviceaccounts runecast-analyzer-scan -n $namespace -o json | ConvertFrom-json | % { $_.secrets.name }
    $token = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($(kubectl get secret $secretname -n $namespace -o json | ConvertFrom-Json | % { $_.data.token})))
    $token | Set-Clipboard
    Write-Host "the service account token was copied to clipboard:`n$($token)`n"
    

Operating Systems

Operating Systems (OS) Analysis consists of two components:

  • OS analysis service running on Runecast Analyzer appliance,
  • OS agents running on operating systems, collecting data and reporting to OS Analysis service.

Before activating OS Analysis in Runecast Analyzer:

  • make sure you are running OVA with the size of medium or large to fulfill the performance needs. Please see the System Requirements chapter for more information.
  • prepare a DNS hostname or FQDN record pointing to Runecast Analyzer, that will be used by the OS agents to communicate with the OS analysis service. Alternatively, you can use the Runecast Analyzer IP address.

After the OS analysis service is enabled, you will need to download the OS agent installation packages and deploy them to target operating systems. The packages are preconfigured to connect to the OS analysis service and contain a service certificate for trust verification and enrollment secret to allow the agent to register with the service.

To deploy OS agents:

  • you will need administrative rights on the target computer to install agents,
  • the agent is running under SYSTEM account on Windows, root account on Linux.

Note

Please refer to the OS agents chapter on the Deployment page for more information about OS agent deployment.

When the OS agent is started for the very first time, it tries to connect to the OS analysis service using a user-defined hostname or FQDN (provided when enabling the service), verifies the service certificate is trusted and performs the enrollment. After the OS agent is enrolled, it will periodically send a status message to the OS analysis service and will collect data on-demand.

Network connectivity

Source Destination Protocol Port Description Comment
RCA vCenter TCP 443 Collection of data using vSphere SDK (vCenter, ESXi, VMs configuration settings) required for core product functionality
RCA ESXi TCP 443 Collection of data from ESXi servers (file-level configuration settings) required for file-level checks
RCA ESXi TCP 5988, 5989 CIM data collection from ESXi servers required for CIM data
RCA NSX Manager TCP 443 Collection of data using NSX-v REST API (NSX configuration settings) required for core product functionality (in case NSX-v functionality is required)
RCA NSX-T Manager TCP 443 Collection of data using NSX-T REST API (NSX-T configuration settings) required for core product functionality (in case NSX-T functionality is required)
RCA AWS TCP 443 Collection of data using AWS REST API (AWS configuration settings) required for core product functionality (where AWS functionality is required)
RCA Horizon TCP 443 Collection of data using Horizon API (Horizon configuration settings) required for core product functionality (in case Horizon functionality is required)
RCA Kubernetes API TCP 6443 Collection of data using Kubernetes API (Kubernetes configuration settings) required for core product functionality (in case Kubernetes functionality is required)
RCA Cloud Director TCP 443 Collection of configuration data using vCD API required for core product functionality (in case vCD functionality is required)
OS agents RCA TCP 8443 Collection of OS agents data required for Operating Systems data collection
ESXi RCA UDP 514 Syslog data collection required for log analysis
RCA updates.runecast.com TCP 443 Application and rules definition updates required for online updates only
User browser RCA TCP 80, 443 RCA web interface HTTP always redirects to HTTPS
vSphere Web Client RCA TCP 443 Web client plugin communication to RCA required for displaying results in WebClient
REST API client RCA TCP 443 Runecast API client’s communication required for REST API
Enterprise Console (EC) RCA TCP 443 Single pane of Glass to RCA communication required for displaying results from multiple Analyzers
RCA DC TCP 88 RCA communication to DC required for Kerberos authentication
RCA LDAP TCP 389 RCA communication to AD required for connection to a DC on a regular LDAP port
RCA LDAP SSL TCP 636 RCA communication to AD required for connection to a DC on a protected LDAPS port
RCA DNS TCP 53 RCA communication to DNS required for core product functionality