Installing the Invicti Network Traffic Analyzer

This document is for:

Invicti Enterprise On-Demand

This feature is available with Invicti API Security Standalone or Bundle.

The Invicti Network Traffic Analyzer (NTA) is deployed to your Kubernetes cluster using a helm chart. Helm is an open-source packaging tool that helps you install and manage the lifecycle of Kubernetes applications.

This guide explains how to install the Invicti NTA helm chart via CLI to detect API traffic in your Kubernetes cluster and reconstruct OpenAPI3 specification files. It also explains how to configure and enable the Istio Service Mesh Envoy to discover encrypted traffic, and how to update or reinstall the Invicti NTA.

NOTE: The Network Traffic Analyzer is currently unavailable for Invicti Enterprise On-Premises.

Overview

There are two ways to capture Kubernetes traffic with the Invicti NTA:

Integrating with Istio Service Mesh (this captures both HTTP & HTTPS traffic)
Integrating with a Kubernetes namespace interface natively (this captures HTTP traffic only)

The Invicti NTA helm chart contains three images: Reconstructor, Tap Plugin (traffic sensor), and Istio Service Mesh Envoy. These are the configuration files that you need to install into your Kubernetes cluster in order for the Invicti NTA to work.

How to install the Invicti Network Traffic Analyzer in your Kubernetes cluster

To install the Invicti Network Traffic Analyzer in your Kubernetes cluster, first, ensure you have established the prerequisites listed below. Then, follow the steps in this section to:

Retrieve your registration token and password
Prepare the installation command
Log in to Invicti's public registry
Deploy the Invicti NTA helm chart into your Kubernetes cluster

PREREQUISITES:

A Kubernetes cluster
Install the Helm CLI (version 3+)
Configure your local kubectl environment to point to your cluster. You can use the Get-AksHciCredential PowerShell command to access your cluster using kubectl.
Create a namespace for the Invicti Network Traffic Analyzer in your Kubernetes cluster

MINIMUM SYSTEM REQUIREMENTS:

1 GB RAM
2-core CPU 64-bit processor
2GB available HDD

Step 1: Retrieve your registration token and password

In this step, you will retrieve two important access codes that must be used in the installation command. First, you will retrieve your registration token for the Invicti NTA. Second, you will retrieve your password for the Invicti public registry.

Log in to Invicti Enterprise.
Select APIs > Sources from the left-side menu.

Click Add new source.

Enter a name for the source configuration that will help you identify it later in your list of API sources.
Select Invicti Network Traffic Analyzer as the Source type.
Click Generate token.

Click the copy icon next to the newly generated registration token.
Select Save at the bottom of the page. Do not skip this step!

Paste the copied registration token in a place where you will be able to retrieve it easily when you prepare the installation command in step 2.
Select Agents > Manage Agents from the left-side menu.

Click + Configure New Agent.

In the Docker CLI & Openshift section, click the copy icon next to 2- When prompted, enter the password below. This is the password you will use to access Invicti's public registry.

Paste the copied password in a place where you will be able to retrieve it easily in step 2 when you prepare the installation command.

Continue with the instructions below to use the registration token and password you just copied to prepare the installation command.

Step 2: Prepare the installation command

Edit the installation command below to add the following information:

-n default: This sets the namespace where the Invicti NTA will be installed. Replace default with the namespace you created for the Invicti NTA as part of the prerequisites.
email-address: Replace email-address with the email address you use for your Invicti Enterprise account.
password: Replace password with the password you copied from Invicti Enterprise (Step 1.12 above).
registration-token: Replace registration-token with the registration token you copied from Invicti Enterprise (Step 1.7 above). Note that the registration token must be placed between the double quotation marks (between " and ").

INSTALLATION COMMAND:

helm install invicti-api-discovery oci://registry.invicti.com/invicti-api-discovery --version 24.7.0 -n default --set imageRegistryUsername=email-address --set imageRegistryPassword=password --set trafficSource.tap.enabled=true --set reconstructor.JWT_TOKEN="registration-token"

Step 3: Log in to Invicti's public registry

Open the Helm CLI that you installed as part of the prerequisites.
Execute the following command: helm registry login registry.invicti.com
When prompted for a username, enter the email address you use for your Invicti Enterprise account.
When prompted for a password, enter the password you copied from Invicti Enterprise (Step 1.12 above).

Step 4: Deploy the Invicti NTA helm chart into your Kubernetes cluster

Copy the installation command that you prepared in step 2 above.
In the Helm CLI, paste and run the installation command.

The Invicti NTA is now installed and the Tap Plugin is enabled. For more information about the Tap Plugin, refer to Network Traffic Analyzer: Tap Plugin FAQs.

How to configure and enable the Istio Service Mesh Envoy

To discover encrypted traffic, you need to enable and configure the Istio Service Mesh Envoy to specify which service mesh traffic will be watched and sniffed by the WASM filters.

Label the target namespaces that are to be watched by the Istio Service Mesh Envoy using the following command:

kubectl label namespaces your-namespace istio-injection=enabled

Set the WASM filter as enabled for your namespace using the following command:

helm upgrade --install api-disco oci://registry.invicti.com/invicti-api-discovery --version 24.7.0 --set imageRegistryUsername=email-address --set imageRegistryPassword=password --set trafficSource.envoyWasm.enabled=true --set trafficSource.envoyWasm.namespaces="your-namespace" invicti-api-discovery . -n your-namespace

email-address: Replace email-address with the email address you use for your Invicti Enterprise account.
password: Replace password with the password copied from Invicti Enterprise (Step 1.12 above).
your-namespace: Use the name of the namespace you created as part of the prerequisites. Note that the first instance of your-namespace must be placed between the double quotation marks (between " and ").

How to update or reinstall the Invicti Network Traffic Analyzer

Updating or reinstalling the Invicti NTA requires pulling the latest version of the helm chart from the Invicti registry and installing it again. If you have previously uninstalled the Invicti NTA and now wish to install it again or want to update an existing installation to the latest version, follow the instructions below:

Follow the instructions in step 1 above to retrieve your access token and password.
Prepare the update command:

email-address: Replace email-address with the email address you use for your Invicti Enterprise account.
password: Replace password with the password copied from Invicti Enterprise (Step 1.12 above).
registration-token: Replace registration-token with the registration token copied from Invicti Enterprise (Step 1.7 above). Note that the registration token must be placed between the double quotation marks (between " and ").
your-namespace: Use the name of the namespace you created as part of the prerequisites

UPDATE COMMAND:

helm upgrade --install api-disco oci://registry.invicti.com/invicti-api-discovery --version 24.7.0 --set imageRegistryUsername=email-address --set imageRegistryPassword=password --set reconstructor.JWT_TOKEN="registration-token" --set trafficSource.tap.enabled=true invicti-api-discovery . -n your-namespace

Follow step 3 above to log in to Invicti's public registry.
Using the Helm CLI, run the update command in your Kubernetes namespace to install the latest version of the helm chart.

The Invicti NTA is now installed and the Tap Plugin is enabled.