
Customer-Provided Operating System for Virtual Appliances

Limited Availability

Functionality available to select customers upon request. Visit SailPoint Product News for more information.

Important

Installing your own operating system on the Virtual Appliance (VA) requires that your organization sign additional legal documents, including an addendum acknowledging assumption of increased liability and responsibility. Contact your Customer Success Manager for information.

Additionally, this updated Documentation supersedes and governs any previously incorporated Documentation agreed to by you or your organization with respect to updating the VA, your operating system, and associated support, maintenance, and other responsibilities.

Your organization has the option to create VAs on the Linux distribution of your choice where you can use your preferred vulnerability management, monitoring, and log management tools. This option is currently offered for the following OS versions:

  • RedHat Enterprise Linux: 8.10, 9.x and 10.x
  • Ubuntu: 22.04 LTS and 24.04 LTS
  • Amazon Linux 2023

To implement this option, SailPoint provides a script to allow your organization to download and access the VAs on the applicable operating system elected by your organization.

Customer Responsibilities

By opting to provide your own OS, you are agreeing to expand your organization’s responsibilities regarding the OS and VA setup, maintenance, and upkeep.

You and your organization are responsible for the following:

  • Ensure the virtual appliance hardware meets or exceeds the minimum published specifications. For customers that require specific /home, /var, or /opt partitioning, meet the following minimum requirements:
    • /var/lib/docker - 40 GB
    • /opt/sailpoint - 20 GB
    • /home/sailpoint - 60 GB
  • Monitor and implement all OS-level updates and patching, and otherwise provide all relevant support and maintenance for the OS.
    • Validate with SailPoint before making OS major version upgrades. You will be responsible for all OS reboots.
    • Harden the OS using the CIS benchmarks.
  • Provision the VMs from an allowed OS (see above), as supported by your organization, which includes:
    • Consult SailPoint Support for initial VA cluster setup.
    • Configure your organization settings such that these VMs serve as dedicated VAs for SailPoint software or services.
    • For clarity, the supported OS server should be dedicated to running the VAs for SailPoint software or services and ancillary tools or software used to support the primary function of the VAs or security for the VAs.
  • Manage installations, troubleshoot, and maintain all required, non-SailPoint tools on the box.
  • Allow, and configure all applicable organization settings to accept, automatic updates by SailPoint to any SailPoint-provided software running on the VA (subject to your election of the separately-provided change control option by SailPoint).
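The partition minimums above are easy to get wrong when a VM is built from a template, so a pre-flight check is worth running before the installer. The script below is an added example, not SailPoint's installer or any script the page describes: it reads POSIX `df -k -P` output for the three documented paths and compares the filesystem size against the published minimums (treated here as GiB). The `sample_df` function and its sizes are constructed so the check can be exercised offline; `--live` runs it against the real host.

```shell
#!/bin/sh
# Added example (not part of the SailPoint installer): verify that the three VA
# paths from the documentation sit on filesystems at least as large as the
# published minimums. Minimums from the page, interpreted as GiB:
#   /var/lib/docker 40, /opt/sailpoint 20, /home/sailpoint 60
set -u

# Returns 0 when a df "1K-blocks" size covers the required GiB, 1 otherwise.
# $1 = size in 1K blocks, $2 = required GiB
meets_minimum() {
  required_kb=$(( $2 * 1024 * 1024 ))
  [ "$1" -ge "$required_kb" ]
}

# Extracts the 1K-block size (second column) from one POSIX df data line ($1):
# "filesystem 1K-blocks used available capacity mounted-on"
df_size_kb() {
  printf '%s\n' "$1" | awk 'NR==1 {print $2}'
}

# Real probe: the last line of `df -k -P <path>`; df reports the mount that
# contains the path, so a non-dedicated partition is measured as its parent.
real_df() { df -k -P "$1" | tail -n 1; }

# Constructed sample df output for an offline run; /opt/sailpoint is 10 GiB,
# deliberately below the 20 GiB minimum, so the failure path is exercised.
sample_df() {
  case "$1" in
    /var/lib/docker) echo "/dev/sdb1 52428800 1024 52427776 1% /var/lib/docker" ;;
    /opt/sailpoint)  echo "/dev/sdc1 10485760 1024 10484736 1% /opt/sailpoint" ;;
    /home/sailpoint) echo "/dev/sdd1 62914560 1024 62913536 1% /home/sailpoint" ;;
  esac
}

# Checks every documented path using the df-style probe named in $1 (default:
# real_df). Prints one OK/FAIL line per path and returns the number of failures.
check_va_partitions() {
  dfcmd="${1:-real_df}"
  failures=0
  while read -r path min; do
    size=$(df_size_kb "$("$dfcmd" "$path")")
    if meets_minimum "$size" "$min"; then
      printf 'OK   %-16s needs %3d GiB, has %d KiB\n' "$path" "$min" "$size"
    else
      printf 'FAIL %-16s needs %3d GiB, has %d KiB\n' "$path" "$min" "$size"
      failures=$((failures + 1))
    fi
  done <<EOF
/var/lib/docker 40
/opt/sailpoint 20
/home/sailpoint 60
EOF
  return "$failures"
}

# Only act when explicitly asked, so the functions can also be sourced.
case "${1:-}" in
  --sample) check_va_partitions sample_df ;;   # constructed data, one FAIL expected
  --live)   check_va_partitions ;;             # real host: exit status = failing paths
esac
```

Run it as `sh check-va-partitions.sh --live` on the candidate host before copying `sp-va-install` over; a non-zero exit status is the number of paths that fall short, which makes it easy to gate an automated build on it.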

By electing this option, you acknowledge and agree that except for the SailPoint software and services installed therein, your organization will be solely responsible for issues related to the setup, maintenance, update, and upkeep of the OS and VA. In most instances, a VA rebuild will be the default solution when troubleshooting issues related to the VA functions.

Installing the VA on Your Operating System

The Customer-Provided Operating System (CPOS) VA installer is a bash script (sp-va-install) appended with the docker images required to bootstrap the VA. By default, the installer includes the latest released versions of charon, va_agent, canal, and toolbox. Once online and bootstrapped, the VA will pull the remaining images along with any updates from Elastic Container Registry (ECR) just as it does on Flatcar OS.

OS type detection is done in the script, so the install package works for all supported OS types.

Note

A new VA can be saved to the cluster without pairing, but is not operational until you enter the time-sensitive pairing code and wait for configuration to finish.

To install the VA on your supported OS:

  1. Create a VA cluster.

  2. Select Edit on the VA cluster you want to work with.

  3. Select Virtual Appliances.

  4. Select Add New > VA with custom OS.

  5. Select Download the installer.

  6. Copy the sp-va-install script to the host.

  7. Make the script executable with the following command:

    $ chmod +x sp-va-install

  8. Run the script with any of the following options:

    • Check requirements and exit: $ sudo ./sp-va-install
    • Install rpm/deb dependencies and exit: $ sudo ./sp-va-install -d
    • Perform the full installation: $ sudo ./sp-va-install -i
    • Specify the uid and gid if your preference differs from the default. (The default is the next available numeric IDs for the SailPoint user and group):
      $ sudo ./sp-va-install -i --uid 1011 --gid 1011
  9. Sign in with User Name: sailpoint, Password: S@ilp0int, and then change the password immediately.

  10. Enter the command to set up your passphrase:

    va-bootstrap set-passphrase

    Note

    Your passphrase must be identical for every VA in the cluster. The passphrase cannot start with a special character, and cannot include !, /, , or spaces.

  11. Enter the command to get a pairing code:

    va-bootstrap pair

  12. Enter the pairing code within 4 hours and select Pair.

  13. Wait about 30 minutes for configuration to finish. When VA configuration is complete, the VA Status will change to Connected.

If the VA connection is successful, you can now connect the VA cluster to a source and enable Transport Layer Security if the source supports it.

Security Requirements

Customers opting to provide their own operating system (OS) have additional responsibilities for maintaining the security of the OS they choose to use. These include:

  • OS hardening to your company standards.
    • We recommend using the CIS benchmarks for hardening the OS.
    • FedRAMP customers should use STIG.
  • All OS-level updates and patching.
    • We recommend patches be applied at least weekly or anytime a critical patch is released by the OS vendor.
  • Vulnerability scanning and remediation.
    • We recommend running a vulnerability scanning tool continuously or at least daily to identify any new vulnerabilities.
    • Vulnerabilities should be remediated as soon as possible by either applying an available patch or removing the vulnerable OS package if it is not needed.
  • Log collection and monitoring.
    • Customers can either use their SIEM tool or Fluent, which is installed as part of the VA installation.
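The patching requirement above is only enforceable if something on the host reports what is still pending. The script below is an added example, not SailPoint's installer or any tooling the page describes: it maps `/etc/os-release` to the package manager of the three supported OS families (dnf for RHEL and Amazon Linux 2023, apt for Ubuntu) and counts pending security updates with the vendor's own commands, so a cron job or monitoring check can flag a VA that has drifted past the weekly window. The exit codes and the `--report` flag are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the SailPoint installer: report pending security
# updates on a customer-provided VA host using the OS vendor's own tooling.
set -u

# Prints "dnf" (RHEL 8.10/9.x/10.x, Amazon Linux 2023), "apt" (Ubuntu 22.04/24.04)
# or "unsupported" for the os-release file given as $1. Quotes are stripped
# first because distributions differ on whether they quote these values.
pkg_family_for() {
  id=$(sed -n 's/^ID=//p' "$1" | tr -d '"')
  version=$(sed -n 's/^VERSION_ID=//p' "$1" | tr -d '"')
  case "$id:$version" in
    rhel:8.10|rhel:9|rhel:9.*|rhel:10|rhel:10.*) echo dnf ;;
    amzn:2023)                                   echo dnf ;;
    ubuntu:22.04|ubuntu:24.04)                   echo apt ;;
    *)                                           echo unsupported ;;
  esac
}

# Counts pending security updates for a package-manager family ($1):
#   dnf: one line per applicable security advisory
#   apt: upgradable packages coming from the distribution's -security pocket
#        (the cache must have been refreshed with `apt-get update` as root;
#        this function deliberately does not modify the cache itself)
# Prints the count; returns 1 for an unsupported family.
pending_security_updates() {
  case "$1" in
    dnf) dnf -q updateinfo list --security 2>/dev/null | grep -c . ;;
    apt) apt list --upgradable 2>/dev/null | grep -c -- '-security' ;;
    *)   echo 0; return 1 ;;
  esac
}

# Policy decision kept separate from the probes so it can be tested offline:
# returns 0 when nothing is pending, 1 otherwise. $1 = count.
is_patched() { [ "$1" -eq 0 ]; }

# Live report for this host; only runs when asked so the functions can be sourced.
# Exit codes (this example's convention): 0 current, 2 updates pending, 3 OS not supported.
if [ "${1:-}" = "--report" ]; then
  family=$(pkg_family_for /etc/os-release)
  if [ "$family" = unsupported ]; then
    echo "OS in /etc/os-release is not on the supported list"
    exit 3
  fi
  count=$(pending_security_updates "$family")
  if is_patched "$count"; then
    echo "$family: no pending security updates"
  else
    echo "$family: $count pending security update(s); apply before the weekly deadline"
    exit 2
  fi
fi
```

Scheduling `sh va-patch-report.sh --report` daily and shipping its output through the same log pipeline as the VA (Fluent or your SIEM) gives the cluster owner a running record that the weekly patch cadence is actually being met, rather than a one-time hardening sign-off.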
