Installing the Tanium Module Server

This topic describes how to install a Tanium Module Server on a dedicated Windows Server host. For details about the Module Server and its deployment options, see Tanium™ Module Server.

The Module Server installer performs the following actions:

  • Opens TCP port 17477 in Windows Firewall on the local host computer.
  • Installs the Module Server on the host computer and starts the service.

If possible, run the installer and specify connection settings to automatically register with the Tanium Server. Otherwise, complete the manual registration workflow.

Install and automatically register the Module Server

The Module Server installer supports automatic registration with the Tanium Server. Automatic registration performs the following tasks:

  • Generates required certificates: trusted.crt on the Module Server host and trusted-module-servers.crt on the Tanium Server host. The servers use these certificates to validate the certificates used for mutual authentication: SOAPServer.crt on the Tanium Server and ssl.crt on the Module Server. For details, see Tanium Core Platform Deployment Reference Guide: SSL/TLS certificates.
  • Creates required Windows Registry entries on both the Module Server and Tanium Server host computers.

Before you begin

Ensure the following prerequisites are met and take the following actions:

  • Installer version: Ensure that you have the right version of the installer (SetupModuleServer.exe). The installation package for all Tanium Core Platform servers must have the same build number (for example, all must have build number 7.5.6.1095). Contact Tanium Support for details.
  • Host requirements: The host system must meet the hardware, software, and network connectivity requirements suitable for your deployment: see Requirements and Reference: Host system resource guidelines.
  • Firewall rules: Your network security administrator must configure network firewall rules to allow communication between the Tanium Server and Module Server on TCP port 17477: see Internet access, network connectivity, and firewalls.
  • Security exclusions: Your security team must configure exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance: see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
  • Certificates and keys: If you want to use a certificate issued by a certificate authority (CA) to secure connections to the Module Server, ensure that the CA-issued certificate and associated private key are present on the Module Server. The certificate file name must be ssl.crt and the key file name must be ssl.key. During installation, you can select a CA-issued certificate or configure the Module Server to generate a self-signed certificate.

    As a best practice to facilitate troubleshooting, use the self-signed certificate during initial installation and replace it with a CA-issued certificate later. This practice enables you to separate potential installation issues from TLS connection issues.

    For details and procedures, see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.

  • Secondary Logon service: The Windows Secondary Logon service (seclogon) on the host computer for the Tanium Module Server must have its Startup type set to Automatic or Manual (not Disabled) during installation of the Tanium Module Server. If the Secondary Logon service is disabled, the installation cannot connect to the database server (even if it is being installed locally), and the installation of the Tanium database fails. The Secondary Logon service is required only during installation and upgrades.
  • Local Module Server: If a local Module Server is installed on the Tanium Server host computer, perform the following steps on the Tanium Server host computer:
    1. Stop the Tanium Server service: open the Windows Services application, right-click Tanium Server, and select Stop.
    2. Stop and disable the Tanium Module Server service in the Windows Services application:
      1. Right-click Tanium Module Server and select Stop.
      2. Right-click Tanium Module Server, select Properties, set the Startup type to Disabled, and click OK.
    3. Go to the Windows Registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server and clear the setting (value 127.0.0.1) for the Module Server.
    4. Restart the Tanium Server service: in the Windows Services application, right-click Tanium Server, and select Restart.

Run the installer

  1. Sign in to the Module Server host system as an administrator user.
  2. Copy the installer (SetupModuleServer.exe) to a temporary location on the Module Server host.
  3. Right-click SetupModuleServer.exe and select Run as administrator.
  4. Complete the installation wizard. The following table provides guidelines for key settings.
Settings Guidelines
Choose Install Location: The default is C:\Program Files\Tanium\Tanium Module Server.
Postgres Not Found

(Fresh installation only) If the installer does not detect an existing installation of PostgreSQL, you can either install a local instance or configure a connection to an external instance.

Even if you connect the Module Server to a remote PostgreSQL instance, you must keep a local instance installed on the Module Server. The Tanium™ Relational Database (RDB) service always requires certain binaries to exist in the local instance, although you can stop the instance from running.

  • Install and configure local Postgres Server: Install the default local instance of PostgreSQL. You can select this option to install a local instance that provides the binaries that the Tanium RDB service requires and still configure a connection to a remote PostgreSQL server. You configure the remote connection in a separate step in the installation wizard.

  • Use remote Postgres Server: Select this option if you want to connect to an external instance of PostgreSQL, and you do not want the installer to install a local instance of PostgreSQL. You configure the remote connection in a separate step in the installation wizard. You must install a local instance of PostgreSQL separately, and you must follow the steps in (Optional) Configure a connection between the Module Server and a remote PostgreSQL database to configure external_db.json.

To troubleshoot issues related to the default PostgreSQL installation, see Tanium Core Platform Deployment Reference Guide: PostgreSQL installation logs.

Choose Service Account for Tanium Module Server: The security best practice is to specify a service account other than the Local System account to install the Module Server and run the Module Server service on the local host computer.
  • Specify Account (best practice)
    • User Name: Enter only the account name portion of the credentials, such as taniumsvc.
    • Domain: Enter the domain name, such as example.com.
    • Password: Enter the account password.
  • Local System Account
Module Server Port: Specify the Module Server inbound port for traffic from the Tanium Server. The default is 17477.
SSL/TLS Certificate: The Module Server uses the SSL/TLS certificate (ssl.crt) and private key (ssl.key) to secure connections from the Tanium Server.
  • Generate Self-Signed Certificate and Key

    If you do not have a CA-issued certificate, select this option to make the installer generate a self-signed certificate and private key. For the Server Hostname, specify the FQDN of the Module Server, such as tms1.example.com.

  • Use Existing Certificate and Key

    To use a CA-issued certificate, select the certificate file and associated private key file. For details, see Tanium Core Platform Deployment Guide: Securing Tanium Console, API, and Module Server access.

Module Postgres Configuration: Configure the connection to the PostgreSQL database server:
  • Server: Specify localhost (default) for a local server, or the FQDN or IP address of the remote server. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
  • Options: Specify additional parameters to pass in the connection. Typically, this is dbname and port. For example, dbname=postgres port=5432 user=postgres. You can use any parameter key words that PostgreSQL supports for database connection strings. For more information, see the PostgreSQL documentation.

Click Test to test the connection.

Any settings you configure in external_db.json override the settings you configure here when you install the Tanium RDB service. For more information, see (Optional) Configure a connection between the Module Server and a remote PostgreSQL database.

Register with Tanium Server: Select Register with the Tanium Server and specify connection information for registration with the Tanium Server:
  • Tanium Server Hostname: Specify the IP address or FQDN of the Tanium Server. In a high availability (HA) deployment, specify only the primary Tanium Server.
  • Admin username: Enter the user name of the Tanium Console administrator that you specified when installing the Tanium Server.
  • Admin password: Enter the password of the Tanium Console administrator that you specified when installing the Tanium Server.

For upgrades, you have the option to select Manually specify Tanium Server certificate and use the default Certificate for securing communication between the Tanium Server and Module Server.

Choose Start Menu Folder: (Fresh installation only) Select a folder for the Module Server in the Windows Start menu. The default is Tanium Module Server.
Trust Tanium Server certificate: When the installer displays a dialog that identifies the certificate that the Tanium Server uses to authenticate to the Module Server, verify that the certificate details are correct.

On a new installation, the certificate is the SOAPServer.crt file. If you are re-running the installer, the certificate is trusted.crt. The Fingerprint is the hash of the certificate public key. If the certificate is valid, click Yes to register the Module Server with the Tanium Server.


Install and manually register the Module Server

The Module Server installer supports manual registration in case the Tanium Server is unavailable when you run the installer.

Before you begin

Ensure the following prerequisites are met and take the following actions:

  • Installer version: Ensure that you have the right version of the installer (SetupModuleServer.exe). The installation package for all Tanium Core Platform servers must have the same build number (for example, all must have build number 7.5.6.1095). Contact Tanium Support for details.
  • Host requirements: The host system must meet the hardware, software, and network connectivity requirements suitable for your deployment: see Requirements and Reference: Host system resource guidelines.
  • Firewall rules: Your network security administrator must configure network firewall rules to allow communication between the Tanium Server and Module Server on TCP port 17477: see Internet access, network connectivity, and firewalls.
  • Security exclusions: Your security team must configure exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance: see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
  • Certificates and keys: Copy the SOAPServer.crt file from the Tanium Server host (installation directory) to the Module Server host so that you can select it when you run the installer.

    If you want to use a certificate issued by a certificate authority (CA) to secure connections to the Module Server, ensure that the CA-issued certificate and associated private key are present on the Module Server. The certificate file name must be ssl.crt and the key file name must be ssl.key. During installation, you can select a CA-issued certificate or configure the Module Server to generate a self-signed certificate.

    To facilitate troubleshooting, use the self-signed certificate during initial installation and replace it with a CA-issued certificate later. This practice enables you to separate potential installation issues from TLS connection issues.

    For details, see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.

  • Secondary Logon service: The Windows Secondary Logon service (seclogon) on the host computer for the Tanium Module Server must have its Startup type set to Automatic or Manual (not Disabled) during installation of the Tanium Module Server. If the Secondary Logon service is disabled, the installation cannot connect to the database server (even if it is being installed locally), and the installation of the Tanium database fails. The Secondary Logon service is required only during installation and upgrades.
  • Local Module Server: If a local Module Server is installed on the Tanium Server host computer, perform the following steps on the Tanium Server host computer:
    1. Stop the Tanium Server service: open the Windows Services application, right-click Tanium Server, and select Stop.
    2. Stop and disable the Tanium Module Server service in the Windows Services application:
      1. Right-click Tanium Module Server and select Stop.
      2. Right-click Tanium Module Server, select Properties, set the Startup type to Disabled, and click OK.
    3. Go to the Windows Registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server and clear the setting (value 127.0.0.1) for the Module Server.
    4. Restart the Tanium Server service: in the Windows Services application, right-click Tanium Server, and select Restart.
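
The host-side prerequisites in the two "Before you begin" lists (automatic and manual registration) can be confirmed with a read-only check before you start the installer. The following PowerShell is an added example, not Tanium code; the function name, the -Role and -CertDir parameters, and the use of the display name Tanium Module Server in a WMI filter are assumptions.

```powershell
# Added example (not Tanium code). Read-only; run in an elevated PowerShell session.
# -Role and -CertDir are hypothetical parameters of this helper.
function Get-TaniumPreflight {
    param(
        [ValidateSet('ModuleServer', 'TaniumServer')][string]$Role = 'ModuleServer',
        [string]$CertDir    # folder that holds a CA-issued ssl.crt and ssl.key, if used
    )
    $findings = @()

    if ($Role -eq 'ModuleServer') {
        # Secondary Logon must be Automatic or Manual while the installer runs.
        $sec = Get-CimInstance Win32_Service -Filter "Name='seclogon'"
        $findings += [pscustomobject]@{
            Check = 'Secondary Logon startup type is not Disabled'
            Value = "$($sec.StartMode)"
            Pass  = [bool]($sec -and $sec.StartMode -ne 'Disabled')
        }

        if ($CertDir) {
            # The page requires these exact file names for a CA-issued certificate.
            foreach ($name in 'ssl.crt', 'ssl.key') {
                $findings += [pscustomobject]@{
                    Check = "$name present"
                    Value = (Join-Path $CertDir $name)
                    Pass  = (Test-Path (Join-Path $CertDir $name) -PathType Leaf)
                }
            }
            $crt = Join-Path $CertDir 'ssl.crt'
            if (Test-Path $crt -PathType Leaf) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                    (Resolve-Path $crt).Path)
                $now = Get-Date
                $findings += [pscustomobject]@{
                    Check = 'ssl.crt is inside its validity window'
                    Value = "$($cert.Subject), expires $($cert.NotAfter.ToString('u'))"
                    Pass  = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
                }
            }
        }
    }
    else {
        # On the Tanium Server host: a local Module Server must be stopped and disabled.
        $svc = Get-CimInstance Win32_Service -Filter "DisplayName='Tanium Module Server'"
        $findings += [pscustomobject]@{
            Check = 'Local Tanium Module Server service is stopped and disabled'
            Value = if ($svc) { "$($svc.State) / $($svc.StartMode)" } else { 'not installed' }
            Pass  = (-not $svc -or ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled'))
        }

        # The ModuleServer setting must no longer point at the local instance.
        $key = 'HKLM:\SOFTWARE\Wow6432Node\Tanium\Tanium Server'
        $ms  = (Get-ItemProperty -Path $key -Name ModuleServer -ErrorAction SilentlyContinue).ModuleServer
        $findings += [pscustomobject]@{
            Check = 'ModuleServer registry setting is not 127.0.0.1'
            Value = "$ms"
            Pass  = ($ms -ne '127.0.0.1')
        }
    }
    $findings
}

# Module Server host, before running SetupModuleServer.exe:
Get-TaniumPreflight -Role ModuleServer | Format-Table -AutoSize
```

Run it with -Role TaniumServer on the Tanium Server host after completing the Local Module Server steps; any row with Pass set to False points at a prerequisite that is not yet met.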

Run the installer

  1. Sign in to the Module Server host system as an administrator user.
  2. Copy the installation package file (SetupModuleServer.exe) to a temporary location on the Module Server host.
  3. Right-click SetupModuleServer.exe and select Run as administrator.
  4. Complete the installation wizard. The following table provides guidelines for key settings.

  5. Settings Guidelines
    Choose Install Location: The default is C:\Program Files\Tanium\Tanium Module Server.
    Postgres Not Found

    (Fresh installation only) If the installer does not detect an existing installation of PostgreSQL, you can either install a local instance or configure a connection to an external instance.

    Even if you connect the Module Server to a remote PostgreSQL instance, you must keep a local instance installed on the Module Server. The Tanium™ Relational Database (RDB) service always requires certain binaries to exist in the local instance, although you can stop the instance from running.

    • Install and configure local Postgres Server: Install the default local instance of PostgreSQL. You can select this option to install a local instance that provides the binaries that the Tanium RDB service requires and still configure a connection to a remote PostgreSQL server. You configure the remote connection in a separate step in the installation wizard.

    • Use remote Postgres Server: Select this option if you want to connect to an external instance of PostgreSQL, and you do not want the installer to install a local instance of PostgreSQL. You configure the remote connection in a separate step in the installation wizard. You must install a local instance of PostgreSQL separately, and you must follow the steps in (Optional) Configure a connection between the Module Server and a remote PostgreSQL database to configure external_db.json.

    To troubleshoot issues related to the default PostgreSQL installation, see Tanium Core Platform Deployment Reference Guide: PostgreSQL installation logs.

    Choose Service Account for Tanium Module Server: The security best practice is to specify a service account other than the Local System account to install the Module Server and run the Module Server service on the local host computer.
    • Specify Account (best practice)
      • User Name: Enter only the account name portion of the credentials, such as taniumsvc.
      • Domain: Enter the domain name, such as example.com.
      • Password: Enter the account password.
    • Local System Account: Select this option to install software and run the Module Server service in the context of the Local System account.
    Module Server Port: Specify the Module Server inbound port for traffic from the Tanium Server. The default is 17477.
    SSL/TLS Certificate: The Module Server uses the SSL/TLS certificate (ssl.crt) and private key (ssl.key) to secure connections from the Tanium Server.
    • Generate Self-Signed Certificate and Key

      If you do not have a CA-issued certificate, select this option to make the installer generate a self-signed certificate and private key. For the Server Hostname, specify the FQDN of the Module Server, such as tms1.example.com.

    • Use Existing Certificate and Key

      To use a CA-issued certificate, select the certificate file and associated private key file. For details, see Tanium Core Platform Deployment Guide: Securing Tanium Console, API, and Module Server access.

    Module Postgres Configuration: Configure the connection to the PostgreSQL database server:
    • Server: Specify localhost (default) for a local server, or the FQDN or IP address of the remote server. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
    • Options: Specify additional parameters to pass in the connection. Typically, this is dbname and port. For example, dbname=postgres port=5432 user=postgres. You can use any parameter key words that PostgreSQL supports for database connection strings. For more information, see the PostgreSQL documentation.

    Click Test to test the connection.

    Any settings you configure in external_db.json override the settings you configure here when you install the Tanium RDB service. For more information, see (Optional) Configure a connection between the Module Server and a remote PostgreSQL database.

    Manually specify Tanium Server certificate: Select Manually specify Tanium Server certificate and select the Certificate that secures communication between the Tanium Server and Module Server. On a new installation, the file is the SOAPServer.crt file that was copied from the Tanium Server. If you are re-running the installer and want to use the Tanium Server certificate created by the previous run of the installer, browse and select the trusted.crt file in the installation directory.
    Choose Start Menu Folder: (Fresh installation only) Select a folder for the Module Server in the Windows Start menu. The default is Tanium Module Server.
  6. Manually register the Module Server with the Tanium Server: see Tanium Core Platform Deployment Reference Guide: Command-line interface.

    The registration process generates an SSL/TLS certificate file named ssl.crt in the Module Server installation directory.

  7. Copy ssl.crt to the Tanium Server installation directory and rename it trusted-module-servers.crt.
  8. Configure the Tanium Server to use the remote Module Server:
    1. Sign in to the Tanium Server host.
    2. Open the Windows Services application and stop the Tanium Server service.
    3. Go to the following location in the Windows registry:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server

    4. Find the ModuleServer key and change it to the FQDN of the remote Module Server.
    5. Restart the Tanium Server service in the Windows Services application.

      Note: If you previously installed a local Module Server, leave the Tanium Module Server service stopped and disabled on the Tanium Server. The Tanium Server must use only the remote Module Server.

    6. Sign in to the Module Server host.
    7. Open the Windows Services application and restart the services for the Tanium Module Server and all Tanium modules and shared services.

(Optional) Configure a connection between the Module Server and a remote PostgreSQL database

By default, the Module Server installer creates a local PostgreSQL database instance as the storage system for Tanium solutions. If your organization prefers to use its own database infrastructure, you can connect the Module Server to a remote PostgreSQL instance. The remote instance must use the same major PostgreSQL version as the default local instance. For example, if the local instance uses version 11.6.3, the remote instance can use any 11.x.x version.

You can also specify basic configuration for this connection in the installation wizard when you install the Module Server. If you do not create an external_db.json file, then when you install the Tanium™ Relational Database (RDB) service, it uses the connection settings that you specified in the Module Server installation wizard. If you create an external_db.json file before installing Tanium RDB, the settings that you specify in that file override any settings that you specified during the Module Server installation.

Even if you connect the Module Server to a remote PostgreSQL instance, you must keep a local instance installed on the Module Server. The Tanium™ Relational Database (RDB) service always requires certain binaries to exist in the local instance, although you can stop the instance from running. If you use a local instance separate from the default, you must follow these steps, and you must specify the pg_install_dir property in external_db.json. The location that you specify must contain a bin subdirectory that contains PostgreSQL binaries.

  1. Determine how Tanium solutions must authenticate to the remote PostgreSQL instance:
    • PostgreSQL administrator credentials: Record the user name and password that are used for administrator access to the PostgreSQL instance.

    • SSL/TLS certificates: If the PostgreSQL instance is configured to use TLS for communication with Tanium solutions, acquire the certificate authority (CA) root certificate of the instance. On the database server, the PGSSLROOTCERT environment variable indicates the location of the CA certificate. If the instance is configured for mutual TLS (mTLS) authentication instead of credentials authentication, you must also acquire the TLS certificate and associated private key of the instance. On the database server, the PGSSLCERT and PGSSLKEY environment variables indicate the locations of the certificate and key.
  2. Sign in to the Module Server.

  3. Create a JSON file named external_db.json with the following contents. The file must reside in the <Module Server installation directory>\services\rdb-files directory. Enter only the values that apply. For example, enter either the administrator user name and password or the contents of the certificates and private key based on whether the PostgreSQL instance is configured for credential or certificate authentication. The default PostgreSQL port is 5432.

    {
       "server": {
          "host": "<IP address or hostname of the PostgreSQL instance>",
          "port": 5432,
          "pg_admin_username": "<PostgreSQL administrator user name>",
          "pg_admin_password": "<PostgreSQL administrator password>",
          "pg_ssl_root_pem": "<contents of the TLS CA certificate>",
          "pg_ssl_key_pem": "<contents of the TLS private key>",
          "pg_ssl_cert_pem": "<contents of the TLS certificate>",
          "pg_install_dir": "<absolute path to the local PostgreSQL installation directory>"
       }
    }
  4. Open the Windows Services application, right-click Tanium RDB Service, and select Restart.
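
A malformed or half-filled external_db.json is easier to catch before you restart the Tanium RDB Service. The following PowerShell is an added example, not Tanium code: Test-ExternalDbConfig and its -SkipPathCheck switch are hypothetical names, the sample JSON is constructed, and the rules it applies are only the ones stated in the steps above.

```powershell
# Added example, not Tanium code. Test-ExternalDbConfig is a hypothetical helper.
# It returns one string per problem found; no output means the file passed.
function Test-ExternalDbConfig {
    param(
        [Parameter(Mandatory)][string]$Json,
        [switch]$SkipPathCheck   # set when linting on a host without PostgreSQL
    )
    try   { $s = ($Json | ConvertFrom-Json -ErrorAction Stop).server }
    catch { return "Not valid JSON: $($_.Exception.Message)" }
    if (-not $s) { return 'Missing top-level "server" object.' }

    $problems = @()
    if (-not $s.host) { $problems += 'server.host is empty.' }
    if ($null -ne $s.port) {
        $port = $s.port -as [int]
        if ($null -eq $port -or $port -lt 1 -or $port -gt 65535) {
            $problems += 'server.port must be an integer from 1 to 65535.'
        }
    }

    # Template text such as "<PostgreSQL administrator password>" left in place.
    foreach ($p in $s.PSObject.Properties) {
        if ("$($p.Value)" -match '^<.*>$') {
            $problems += "$($p.Name) still holds the template placeholder; remove it or fill it in."
        }
    }

    $hasUser = [bool]$s.pg_admin_username
    $hasPass = [bool]$s.pg_admin_password
    $hasRoot = [bool]$s.pg_ssl_root_pem
    $hasCert = [bool]$s.pg_ssl_cert_pem
    $hasKey  = [bool]$s.pg_ssl_key_pem

    if ($hasUser -ne $hasPass) {
        $problems += 'pg_admin_username and pg_admin_password must be set together.'
    }
    if ($hasCert -ne $hasKey) {
        $problems += 'pg_ssl_cert_pem and pg_ssl_key_pem must be set together.'
    }
    if (($hasCert -or $hasKey) -and -not $hasRoot) {
        $problems += 'Certificate authentication also needs pg_ssl_root_pem (the CA root certificate).'
    }
    if (-not ($hasUser -and $hasPass) -and -not ($hasCert -and $hasKey)) {
        $problems += 'No complete authentication method: set credentials or certificate and key.'
    }
    if ($hasUser -and $hasCert) {
        $problems += 'Both credentials and a client certificate are set; enter only the method the instance uses.'
    }

    foreach ($name in 'pg_ssl_root_pem', 'pg_ssl_cert_pem', 'pg_ssl_key_pem') {
        $v = $s.$name
        if ($v -and $v -notmatch '^\s*-----BEGIN [A-Z0-9 ]+-----') {
            $problems += "$name does not look like PEM text."
        }
    }

    # A non-default local instance must expose its binaries under <pg_install_dir>\bin.
    if ($s.pg_install_dir -and -not $SkipPathCheck) {
        if (-not (Test-Path (Join-Path $s.pg_install_dir 'bin') -PathType Container)) {
            $problems += 'pg_install_dir must contain a bin subdirectory with the PostgreSQL binaries.'
        }
    }
    $problems
}

# Constructed sample: user name without a password, client key without certificate or CA root.
$sample = @'
{ "server": {
    "host": "pgdb1.example.com",
    "port": 5432,
    "pg_admin_username": "postgres",
    "pg_ssl_key_pem": "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----",
    "pg_install_dir": "C:\\PostgreSQL\\11"
} }
'@
Test-ExternalDbConfig -Json $sample -SkipPathCheck
```

On the Module Server, pass the real file with -Json (Get-Content -Raw <path to external_db.json>) and omit -SkipPathCheck. Because the file holds the administrator password or private key in clear text, review its NTFS permissions with Get-Acl as well.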

Update the Module Server certificate

Registration ensures secure communication between the Module Server and the Tanium Server. If you update the Module Server certificate ssl.crt, you must repeat the registration, either by re-running the installer or using the CLI. After registration, you must restart the services for the Tanium Module Server and all Tanium modules and shared services through the Windows Services application. See Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.

Next steps

If your deployment will include a Tanium Zone Server, install it: see Installing the Tanium Zone Server. Otherwise, verify the deployment: see Verifying the deployment.