Installing the Invicti Network Traffic Analyzer

This feature is available with Invicti API Security Standalone or Bundle.

The Invicti Network Traffic Analyzer (NTA) is deployed to your Kubernetes cluster using a helm chart. Helm is an open-source packaging tool that helps you install and manage the lifecycle of Kubernetes applications.

This document explains how to install the Invicti NTA helm chart via CLI to detect API traffic in your Kubernetes cluster and reconstruct OpenAPI3 specification files. It also explains how to configure and enable the Istio Service Mesh Envoy to discover encrypted traffic, and how to update or reinstall the Invicti NTA.

PREREQUISITES:

  • A Kubernetes cluster
  • Install the Helm CLI (version 3+)
  • Configure your local kubectl environment to point to your cluster. You can use the Get-AksHciCredential PowerShell command to access your cluster using kubectl.
  • Create a namespace for the Invicti Network Traffic Analyzer in your Kubernetes cluster
  • Your Acunetix license key (visible in Acunetix under Settings > Subscription)

MINIMUM SYSTEM REQUIREMENTS:

  • 1 GB RAM
  • 2-core CPU 64-bit processor
  • 2GB available HDD

Overview

There are two ways to capture Kubernetes traffic with the Invicti NTA:

  • Integrating with Istio Service Mesh (this captures both HTTP & HTTPS traffic)
  • Integrating with a Kubernetes namespace interface natively (this captures HTTP traffic only)

The Invicti NTA helm chart contains three images: Reconstructor, Tap Plugin (traffic sensor), and Istio Service Mesh Envoy. These are the configuration files that you need to install into your Kubernetes cluster in order for the Invicti NTA to work.

How to install the Invicti Network Traffic Analyzer in your Kubernetes cluster

To install the Invicti Network Traffic Analyzer in your Kubernetes cluster, first, ensure you have established the prerequisites listed above. Then, follow the steps in this section to:

  1. Retrieve your registration token
  2. Prepare the installation command
  3. Log in to Invicti's public registry
  4. Deploy the Invicti NTA helm chart into your Kubernetes cluster

Step 1: Retrieve your registration token

  1. Log in to Acunetix.
  2. Select APIs > Sources from the left-side menu.
  3. Click Add New Source.
  4. Enter a name for the source configuration that will help you identify it later in your list of API sources.
  5. Select Invicti Network Traffic Analyzer as the Source type.
  6. Acunetix Premium On-Premises only: In the NTA server url field, enter the URL of the server where the Acunetix Premium web app is running. The default entry is the current host URL from the browser.

IMPORTANT: The Invicti NTA must be able to reach the URL you enter into this field. You cannot use 'localhost'. The NTA Server URL you provide will be embedded in the token you will generate in the next step.

  7. Click Generate token.
  8. Click the copy icon next to the newly generated registration token.
  9. Select Save at the bottom of the page. Do not skip this step!

Continue with the instructions below to use the registration token you just copied to prepare the installation command.

Step 2: Prepare the installation command

  1. Edit the installation command below to add the following information:
       • -n default: This sets the namespace where the Invicti NTA will be installed. Replace default with the namespace you created for the Invicti NTA as part of the prerequisites.
       • email-address: Replace email-address with the email address you use for your Acunetix account.
       • password: Replace password with your valid Acunetix license key.
       • registration-token: Replace registration-token with the registration token you copied from Acunetix (Step 1.7 above). Note that the registration token must be placed between the double quotation marks (between " and ").

INSTALLATION COMMAND:

helm install invicti-api-discovery oci://registry.invicti.com/invicti-api-discovery --version 24.9.0 -n default --set imageRegistryUsername=email-address --set imageRegistryPassword=password --set trafficSource.tap.enabled=true --set reconstructor.JWT_TOKEN="registration-token"

Step 3: Log in to Invicti's public registry

  1. Open the Helm CLI that you installed as part of the prerequisites. 
  2. Execute the following command: helm registry login registry.invicti.com
  3. When prompted for a username, enter the email address you use for your Acunetix account.
  4. When prompted for a password, enter your Acunetix license key.

Step 4: Deploy the Invicti NTA helm chart into your Kubernetes cluster

  1. Copy the installation command that you prepared in step 2 above.
  2. In the Helm CLI, paste and run the installation command.

The Invicti NTA is now installed and the Tap Plugin is enabled. For more information about the Tap Plugin, refer to Network Traffic Analyzer: Tap Plugin FAQs.
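
Added example (not part of Invicti's documentation): the installation command above passes the license key and registration token as --set arguments, which leaves them in shell history and in the process list. The sketch below supplies the same chart values through an owner-only values file and logs in to the registry with --password-stdin. The environment variable names (NTA_EMAIL, NTA_LICENSE_KEY, NTA_REG_TOKEN, NTA_NAMESPACE, NTA_DEPLOY) and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Assumed names (not from the page): NTA_EMAIL, NTA_LICENSE_KEY,
# NTA_REG_TOKEN, NTA_NAMESPACE, NTA_DEPLOY, and the functions below.

# Escape a value for a single-quoted YAML scalar (a literal ' is doubled).
esc() { printf '%s' "$1" | sed "s/'/''/g"; }

# Write the values from the installation command to a private temp file
# and print its path. Arguments: email, license key, registration token.
write_nta_values() {
    email=$1; license=$2; token=$3
    old_umask=$(umask)
    umask 077                      # owner-only, even if mktemp's default differs
    values=$(mktemp "${TMPDIR:-/tmp}/nta-values.XXXXXX") || return 1
    umask "$old_umask"
    cat > "$values" <<EOF
imageRegistryUsername: '$(esc "$email")'
imageRegistryPassword: '$(esc "$license")'
trafficSource:
  tap:
    enabled: true
reconstructor:
  JWT_TOKEN: '$(esc "$token")'
EOF
    printf '%s\n' "$values"
}

# Steps 3 and 4: registry login, then install, with no secret in any argv.
deploy_nta() {
    values=$(write_nta_values "$NTA_EMAIL" "$NTA_LICENSE_KEY" "$NTA_REG_TOKEN") || return 1
    trap 'rm -f "$values"' EXIT    # remove the secrets file when the script exits
    printf '%s' "$NTA_LICENSE_KEY" |
        helm registry login registry.invicti.com -u "$NTA_EMAIL" --password-stdin &&
    helm install invicti-api-discovery \
        oci://registry.invicti.com/invicti-api-discovery \
        --version 24.9.0 -n "$NTA_NAMESPACE" -f "$values"
}

# Deploy only when explicitly requested, so sourcing this file has no side effects.
if [ "${NTA_DEPLOY:-}" = 1 ]; then
    deploy_nta
fi
```

Run it with NTA_DEPLOY=1 and the other variables exported from a secrets manager or a prompt (for example read -s in bash) rather than typed inline.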

How to configure and enable the Istio Service Mesh Envoy

To discover encrypted traffic, you need to enable and configure the Istio Service Mesh Envoy to specify which service mesh traffic will be watched and sniffed by the WASM filters.

  1. Label the target namespaces that are to be watched by the Istio Service Mesh Envoy using the following command:

kubectl label namespaces your-namespace istio-injection=enabled 

  2. Set the WASM filter as enabled for your namespace using the following command:

helm upgrade --install invicti-api-discovery oci://registry.invicti.com/invicti-api-discovery --version 24.9.0 --set imageRegistryUsername=email-address --set imageRegistryPassword=password --set trafficSource.envoyWasm.enabled=true --set trafficSource.envoyWasm.namespaces="your-namespace" -n your-namespace

  • email-address: Replace email-address with the email address you use for your Acunetix account.
  • password: Replace password with your valid Acunetix license key.
  • your-namespace: Use the name of the namespace you created as part of the prerequisites. Note that the first instance of your-namespace must be placed between the double quotation marks (between " and ").

How to update or reinstall the Invicti Network Traffic Analyzer

Updating or reinstalling the Invicti NTA requires pulling the latest version of the helm chart from the Invicti registry and installing it again. If you have previously uninstalled the Invicti NTA and now wish to install it again or want to update an existing installation to the latest version, follow the instructions below:

  1. Follow the instructions in step 1 above to retrieve your registration token.
  2. Prepare the update command:
       • email-address: Replace email-address with the email address you use for your Acunetix account.
       • password: Replace password with your valid Acunetix license key.
       • registration-token: Replace registration-token with the registration token you copied from Acunetix (Step 1.7 above). Note that the registration token must be placed between the double quotation marks (between " and ").
       • your-namespace: Use the name of the namespace you created as part of the prerequisites. Note that the first instance of your-namespace must be placed between the double quotation marks (between " and ").

UPDATE COMMAND:

helm upgrade --install invicti-api-discovery oci://registry.invicti.com/invicti-api-discovery --version 24.9.0 --set imageRegistryUsername=email-address --set imageRegistryPassword=password --set reconstructor.JWT_TOKEN="registration-token" --set trafficSource.tap.enabled=true -n your-namespace

  3. Follow step 3 above to log in to Invicti's public registry.
  4. Using the Helm CLI, run the update command in your Kubernetes namespace to install the latest version of the helm chart.

The Invicti NTA is now installed and the Tap Plugin is enabled.

