Post-Installation Engine-to-Console Pairing

NOTE

This article is intended for users that elected to skip the Engine-to-Console (also referred to as “reverse”) pairing segment during the installation of a distributed Scan Engine.

For documentation on standard pairing and reverse pairing performed during an installation, see the Distributed Scan Engines page.

Distributed Scan Engine install wizards allow you to pair your new engine to your Security Console immediately at install time if you select the Engine-to-Console communication method. However, if you decide to skip this pairing step, you must complete the pairing with a different procedure after the installation completes.

This article details this post-installation reverse pairing procedure.

Reverse Pair (Engine-to-Console)

In order to configure an engine-to-console pairing (also known as a “reverse” pair) on a Scan Engine you have already installed, you must manually add a new Security Console entry to the Scan Engine configuration and confirm the pairing with a console-generated shared secret. Consequently, the first step of all reverse pairing procedures is to generate the shared secret in the Security Console.

Generate a Scan Engine Shared Secret

To generate a shared secret in the Security Console:

  1. On the Administration page, in the Scans > Scan Engines section, click Manage Scan Engines.
  2. In the “Generate Scan Engine Shared Secret” section, click Generate.
  3. Copy the shared secret for now. You will use this shared secret to authenticate the connection between the Scan Engine and the Security Console.

TIP

Multiple Scan Engines can use the same console-generated shared secret for each of their reverse pairing procedures. However, shared secrets are only valid for 60 minutes. If your shared secret expires, you must generate a new one to complete any further reverse pairing procedures.

Add Your Security Console to the Scan Engine

Reverse pairing procedures for both Windows and Linux Scan Engine hosts must be completed using a command line interface. You can pass commands to the Scan Engine in the following ways according to your host operating system:

Windows Command Line Access

To open the Scan Engine command line on a Windows host:

  1. Use Remote Desktop Protocol to log into your Scan Engine host, or access the host directly.
  2. Stop Scan Engine services.
  3. Open your Start menu and browse to the Scan Engine service applet.
  4. Re-start the Scan Engine service in interactive mode to open the command line interface.

Linux Command Line Access

To open the Scan Engine command line on a Linux host:

  1. Open a terminal and SSH into your Scan Engine host with the following command. Substitute <user> and <address> with the necessary values:
1
ssh <user>@<address>
  1. After you log in to the Scan Engine host, run sudo -i to start a shell with elevated privileges.
  2. Now that your shell has elevated privileges, start a screen or tmux session with the Scan Engine, depending on the type of Linux OS:
For Ubuntu: screen
  1. Confirm whether screen is installed: screen -ls
  2. Install screen, if needed:
    1. Run the installation: sudo apt-get install screen
    2. Restart the engine service: systemctl restart nexposeengine.service
  3. Initiate the screen session: screen -r nexpose
  4. To exit the screen session, press CTRL + A + D.
For Red Hat Enterprise Linux (RHEL): tmux
  1. Confirm whether tmux is installed: tmux ls
  2. Install tmux, if needed:
    1. Run the installation: sudo yum install tmux
    2. Restart the engine service: systemctl restart nexposeengine.service
  3. Initiate the tmux session: tmux a -t nexposeengine
  4. To exit the tmux session, press CTRL + B + D.

Do not use CTRL + C to exit the screen or tmux session

Pressing CTRL + C terminates the engine service, and you will need to restart it.

Scan Engine Commands

Now that you have a screen or tmux session open, you can add the Security Console to the Scan Engine. The following commands apply to Scan Engines on both Windows and Linux hosts:

  1. Add your intended Security Console with the following command. Substitute <address> with the external IP address of the Security Console server, omitting the brackets: add console <address>
  2. List all Security Console entries, including your new addition: show consoles
  3. Locate your Security Console by its external IP address, and note the console ID.
  4. Connect the Scan Engine to your Security Console. Substitute <ID> with the console ID discovered in the previous step, omitting the brackets: connect to console <ID>
  5. Verify that the connectTo value is 1 for the Security Console: show consoles
  6. Add a shared secret to the Scan Engine. Substitute <ID> with the console ID from previous steps: add shared secret <ID>
    • Enter the shared secret, when prompted. A verification message indicates that the shared secret is applied successfully.
  7. Enable the Security Console on the Scan Engine. Substitute <ID> with console ID from previous steps: enable console <ID>
  8. After the pairing completes, exit the screen or tmux session.

Your post-installation Scan Engine pair is finished!

Now that your Scan Engine is paired with the Security Console, refresh your Scan Engine status to confirm that the communication line is open and working.

Engine name and port values

Once paired, the engine name displays in the console GUI with a random set of characters. To identify your newly paired engine, look for the external IP of the engine. You can rename the engine at any time.

The engine port will show 0 on the Scan Engine Configuration page. This is expected behavior