Completing the initial setup (virtual appliances)

Obtain an open virtual appliance (OVA) image file and virtual appliance license from your Tanium Technical Account Manager (TAM).

Requirements

  • License: A special virtual appliance license type must be issued. The same license file is used to activate all of the Tanium appliances in your deployment. Your TAM must know the fully qualified domain names (FQDN) for each of them in order to generate your license file.
  • Hypervisor: VMware ESXi
  • Network: Be ready to specify the static IP address, subnet mask (dotted-decimal), default gateway IP address, hostname, domain name, primary and secondary DNS servers, NTP server(s), and time zone settings.

Deploy the OVA to the hypervisor

  1. Add the OVA to vSphere or vCenter Server:
    • In vSphere, right-click the resource pool and select Deploy OVF Template.
    • In vCenter Server, right-click Virtual Machines and select Create/Register VM.
  2. Select the Tanium OVA file and enter a unique name for the virtual machine.
  3. Optional. Some environments might require changes to network adapter settings or other changes to the OVA template settings. If necessary, make the changes before starting the virtual machine.
  4. Start the virtual machine.
  5. The boot prompt has an option to load the active or inactive partition. Load the active partition (selected by default).

Configure temporary bootstrap network settings

Optional. In some virtual infrastructure environments, only the VM administrator has access to the VM console to set up new VMs. If necessary, the VM administrator can use the tanuser account to set up bootstrap network settings.

Before you begin

  • You must be able to access the VM console.
  • Obtain an IPv4 address from your network administrator and be prepared to specify the IP address, subnet mask (dotted-decimal), and default gateway IP address.

Configure the temporary settings

  1. In the VM host console, at the TanOS login prompt, specify the user name tanuser and the default password Tanium1.
  2. When prompted, indicate that you want to configure temporary settings.
  3. Specify the IPv4 address, subnet mask, and default gateway IP address.

    The TanOS console confirms that the settings are applied and logs you out.

Remote access to TanOS

Network and host settings enable the appliance to establish connections with other computers in your local network and with other servers and hosts on the Internet. Specify appropriate settings for the network in which the appliance is deployed.

  • Your local "management computer" must be connected to a subnet that can reach the appliance IP address.
  • Your management computer must have an SSH client application or terminal emulator that can make a client connection to the appliance.
  • You must have an SSH client such as PuTTY to log into the TanOS console. The latest version of PuTTY was used in testing. Issues have been reported when using earlier versions of PuTTY.
  • You must have an SSH key generator such as PuTTYgen to generate keys for the tancopy user.
  • You must have an SFTP client such as WinSCP to copy files to and from the appliance. The latest version of WinSCP was used in testing.

Configure network and host settings

  1. Open the VM host console for the Tanium appliance or use an SSH client to connect to the TanOS console as the user tanadmin with the default password Tanium1.
  2. When prompted, indicate that you want to complete the initial configuration.
  3. Use the spacebar to page through the end-user license agreement (EULA); enter your email address to accept it.

    The email address is stored locally only. It is not used externally for any reason.

  4. Specify network and host configuration settings.
  5. When prompted, specify whether you want to enable and configure the tanfactory user. The tanfactory user is a special account that has one capability—performing a factory reset. If you do not enable the tanfactory account, and you later forget the tanadmin password, you will have to reinstall the virtual appliance.
  6. When prompted, enter the one-time password that is displayed on the screen for the tanadmin and tanuser users.
  7. Make a note of the one-time password. You must provide it the next time you log in. At that time, you will be prompted to specify a new password.

    The console displays a notice that the initial configuration workflow has been completed and that the session will be terminated.

Configure user access

TanOS has a few built-in user accounts that you use to access the appliance operating system and perform tasks.

Before you install a Tanium Appliance role, you must configure new passwords or add SSH keys to authenticate access for the following accounts:

  • tanuser: Can make an SSH connection with password authentication to the TanOS console and access temporary settings and status menus only.
  • tanadmin: Can make an SSH connection with password authentication to the TanOS console and access all menus.
  • tancopy: Can make an SFTP connection with SSH key authentication to TanOS and copy files to and from the /incoming and /outgoing directories.

Before you begin

  • Be ready to specify new passwords for the tanuser and tanadmin accounts. The password string must be at least 10 characters long and have at least 1 uppercase character, 1 lowercase character, 1 numeric character, and 1 nonalphanumeric character.
  • You must have an SSH client to log into the TanOS console and an SFTP client to copy files to and from the appliance.
  • You must have an SSH key generator to generate keys for the tancopy user.
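A pre-flight check for the TanOS password policy stated above, so that a new password is verified before it is typed into the console prompt (which terminates the session on completion). This is an added example, not Tanium's code: the policy rules and the Tanium1 factory default come from this page; the function names and the rejection of whitespace are assumptions.

```python
"""Check a candidate password against the TanOS policy described on this page.

Added example, not Tanium's own code. The policy (at least 10 characters, at
least one uppercase, one lowercase, one numeric and one nonalphanumeric
character) and the factory default 'Tanium1' are taken from the page; the
whitespace rule is an assumption, because console prompts rarely accept it.
"""

MIN_LENGTH = 10
DEFAULT_PASSWORD = "Tanium1"  # factory default for tanuser and tanadmin (from the page)


def password_problems(candidate: str) -> list[str]:
    """Return the policy rules the candidate violates; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase character")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase character")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    # "nonalphanumeric" = neither letter nor digit; whitespace is not counted here
    if not any(not c.isalnum() and not c.isspace() for c in candidate):
        problems.append("no nonalphanumeric character")
    if any(c.isspace() for c in candidate):
        problems.append("contains whitespace")
    # Never keep the shipped default, even if it somehow satisfied the rules
    if candidate == DEFAULT_PASSWORD:
        problems.append("is the factory default password")
    return problems


def meets_policy(candidate: str) -> bool:
    """True when the candidate satisfies every rule above."""
    return not password_problems(candidate)


if __name__ == "__main__":
    for pw in ("Tanium1", "Correct-Horse9x"):
        print(f"{pw!r}: {password_problems(pw) or 'OK'}")
```

Run it with a candidate of your own before changing the tanuser and tanadmin passwords; the factory default fails on length and on the missing nonalphanumeric character, which is a quick way to confirm the checker is applying the rules from this page.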

Change the default passwords

  1. Open an SSH connection to the TanOS console as tanuser and then follow the prompts to change the password.

    To complete the change, the session is terminated.

  2. Open an SSH connection to the TanOS console as tanadmin and then follow the prompts to change the password.

    To complete the change, the session is terminated.

Add SSH keys for the tancopy account

This procedure adds an authorized key for the tancopy user to the appliance configuration. The purpose of this key is to enable you to use an SFTP client on your management computer to copy files to the /incoming and from the /outgoing directories on the appliance. In the Tanium Module Server and HA active-active installations, you are instructed to add a different authorized key for the tancopy user. Be careful not to mistake one for the other. The authorized keys serve different purposes. Both are required.

  1. Use an SSH key generator such as PuTTYgen to generate a public/private key pair.
  2. In PuTTYgen, select all of the text in the Public key for pasting into OpenSSH authorized_keys file box and copy it to the clipboard.

    In an SSH key exchange, the keys must match precisely as expected, including line endings. For this reason, the PuTTY documentation recommends loading the key in PuTTYgen and copying it from the Public key for pasting... box instead of copying it from an open file.

  3. Log into the TanOS console as the user tanadmin.

    The TanOS console displays the tanadmin menu.

  4. Enter C to go to the User Administration menu.
  5. Enter 3 to go to the SSH Key Management menu.
  6. Enter the line number for the tancopy user to display the key management menu for this user.
  7. Enter 3 to go to the Authorized Keys menu.
  8. Enter 2 and then follow the prompts to paste the public key generated in Step 1.
  9. To test it, on your management computer, set up an SFTP client such as WinSCP to connect to the Tanium Server appliance:
    1. Specify tancopy for user name.
    2. Click the Advanced button.
    3. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.

    You should be able to connect to the appliance /incoming and /outgoing directories.

You might see permission denied messages because WinSCP attempts to read the listing of the /incoming directory. This is expected. The user tancopy has permission to write to /incoming but not read /incoming.
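The caveat in Step 2 (the pasted key must match exactly, line endings included) is easy to check before opening the Authorized Keys menu. The following is an added example, not Tanium's or PuTTY's code: it normalizes a pasted public key into a single OpenSSH authorized_keys line, rejects the multi-line RFC 4716 form that PuTTYgen writes when you save the public key to a file, and confirms that the key type in the text prefix matches the type encoded inside the base64 blob. The function names are assumptions, and the sample key is constructed from dummy bytes rather than a real key pair.

```python
"""Validate a public key before pasting it into the TanOS Authorized Keys menu.

Added example, not Tanium's or PuTTY's code. It catches the two usual paste
mistakes: Windows line endings (CRLF) or stray whitespace, and copying the
multi-line '---- BEGIN SSH2 PUBLIC KEY ----' export of a saved .pub file
instead of the one-line 'Public key for pasting into OpenSSH authorized_keys
file' text.
"""
import base64
import struct

# Key types commonly accepted in OpenSSH authorized_keys files
OPENSSH_KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)
RFC4716_HEADER = "---- BEGIN SSH2 PUBLIC KEY ----"


def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Read one length-prefixed 'string' (RFC 4251) from SSH wire format."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def normalize_authorized_key(pasted: str) -> str:
    """Return the key as one clean '<type> <base64> [comment]' line, or raise ValueError."""
    if pasted.lstrip().startswith(RFC4716_HEADER):
        raise ValueError("RFC 4716 format: copy the 'Public key for pasting into "
                         "OpenSSH authorized_keys file' text from PuTTYgen instead")
    # Drop CRs, split on LF, and discard blank lines: a valid key is exactly one line
    lines = [ln.strip() for ln in pasted.replace("\r", "").split("\n") if ln.strip()]
    if len(lines) != 1:
        raise ValueError(f"expected one line, got {len(lines)}")
    fields = lines[0].split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = " ".join(fields[2:])
    if key_type not in OPENSSH_KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("key data is not valid base64") from exc
    # The first wire-format string inside the blob repeats the key type
    embedded, _ = _read_string(blob, 0)
    if embedded.decode("ascii", "replace") != key_type:
        raise ValueError("key type prefix does not match the encoded key")
    return " ".join(filter(None, [key_type, b64, comment]))


def constructed_sample_key(comment: str = "tancopy@mgmt") -> str:
    """Build a syntactically valid ed25519 line from dummy bytes. NOT a real key."""
    fake_point = bytes(range(32))  # constructed placeholder, not a real public key
    blob = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
            + struct.pack(">I", len(fake_point)) + fake_point)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


if __name__ == "__main__":
    key = constructed_sample_key()
    print(normalize_authorized_key("  " + key + "\r\n"))  # cleaned single line
    try:
        normalize_authorized_key(RFC4716_HEADER + "\nComment: x\nAAAA\n---- END SSH2 PUBLIC KEY ----")
    except ValueError as err:
        print("rejected:", err)
```

Paste the clipboard contents into this function (for instance via a small wrapper that reads standard input) and paste only the returned line into the appliance; if it raises, go back to PuTTYgen and copy from the "Public key for pasting..." box as Step 2 describes.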

Upload the license file

After you complete the initial network configuration, you are prompted to upload a valid Tanium license file or request an activation key from Tanium. Until you complete the activation process, you have limited access to TanOS menus. You can manage the network and user configuration, but you do not have access to menus for Tanium roles until you have completed activation.

Upload a valid license to activate the virtual appliance and gain access to all of the TanOS menus.

Before you begin

  • Obtain a valid license from your Tanium technical account manager (TAM). The same license file is used to activate all of the Tanium appliances in your deployment. Your TAM must know the fully qualified domain names (FQDN) for each of them in order to generate your license file.
  • You can activate an appliance with a license file if:
    • The license file is named tanium.license.
    • The license is not expired.
    • The FQDN that was specified in the Tanium license generator matches the FQDN of the appliance.
  • You must have added the public key for the tancopy user to the appliance so you can use SFTP to upload the license file.

Upload the license file

  1. On your management computer, set up an SFTP client such as WinSCP to connect to the appliance.
  2. Use SFTP to copy your license file (tanium.license) to the /incoming directory on the appliance.

TanOS detects the license and copies it to the appropriate location in order to activate the appliance.

When you go to the main menu, notice that the activation notice has been cleared, and you can access all menus. On the tanadmin menu, the Activation line indicates the appliance was activated with a License File.

Add TanOS system users

Create additional TanOS system users based on tanadmin (privileged) and tanuser (restricted) profiles. It is useful to have more than one privileged user in case you forget the password for the initial tanadmin user.

  1. Log into the TanOS console as the user tanadmin.
  2. Enter C to go to the User Administration menu.
  3. Enter A to go to the System Users menu.
  4. Enter 1 and follow the prompts to add a system user.

What to do next

  • To save time, Tanium recommends you complete advanced network configuration, such as NIC teaming and static routes, before you install Tanium servers. See Reference: Appliance configuration.
  • When these steps are completed, or if none of them apply, you can continue with the installation of a Tanium role (for example, All-in-One, Tanium Server, Tanium Module Server, or Tanium Zone Server).

Last updated: 11/8/2018 3:04 PM