1.0 Introduction
This article describes the minimum configuration requirements for successfully scanning keys, certificates, resources, and cryptographic assets in on-premises infrastructure types on the Linux platform.
It also describes:
Installing the Fortanix On-premises Scanner.
Configuring the scanner through the configuration file parameters.
Executing the Fortanix On-premises Scanner.
For detailed information about each on-premises infrastructure type, refer to Infrastructure Types.
2.0 Scanning Permissions
For detailed information on on-premises connection scanning permissions, refer to On-premises Connection Permissions.
3.0 Prerequisites
The following are the prerequisites to configure an on-premises connection on the Linux platform:
Server Specifications
The server hosting the scanner must have at least 2 virtual Central Processing Units (vCPUs) allocated.
The server must have a minimum of 8 GB of Random Access Memory (RAM) to support the scanner.
The server should have at least 20 GB of storage capacity for temporarily storing scanned data.
Operating System and Libraries
Supported operating systems include Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, and RHEL 9 (or Rocky Linux 9). The necessary packages are available in .deb or .rpm formats.
Network Requirements
Outbound (Fortanix On-premises Scanner → External Services)
The Fortanix On-premises Scanner must be allowed to make outgoing connections to:
armor.fortanix.com on port 443
Databases on their configured ports
The following Internet Protocol (IP) range to communicate back to Fortanix Key Insight:
216.180.120.0/24
IP whitelisting is not mandatory. It is required only if your on-premises environment enforces outbound firewall restrictions.
Inbound (File System Scanner Agent → Fortanix On-premises Scanner)
The Fortanix On-premises Scanner must be reachable from the File System Scanner Agent:
Must accept inbound connections from the File System Scanner Agent's IP on the configured port (for example, 8080 or 1443). Firewall or security group rules must allow this traffic.
The service must bind to 0.0.0.0 or its external or private IP, not just 127.0.0.1.
NOTE
Although inbound connectivity is required, the Fortanix On-premises Scanner itself does not expose any ports externally.
Configuration File
The Fortanix On-premises Scanner requires a configuration file that includes a list of databases, source code, and file systems with their corresponding credentials, as well as the Fortanix DSM on-premises credentials. This configuration file is in plain text, and it is your responsibility to secure the file and its credentials.
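As an added pre-flight script (written for this page, not part of the Fortanix package), the requirements above turned into checks you can run on the candidate host: the vCPU, RAM and disk minimums, that config.yaml exists under /opt/fortanix/scanner/conf with owner-only permissions, that armor.fortanix.com:443 is reachable, and that the agent-facing port is bound to something other than loopback only. The agent port (8080 by default here) and the assumption that scanned data is stored under /opt/fortanix/scanner are mine; the sample ss output is constructed.

```shell
#!/bin/bash
# Added pre-flight check for a Fortanix On-premises Scanner host (not part of the
# Fortanix package). Thresholds come from the Prerequisites section and the paths
# from the installation notes. AGENT_PORT and the data location under SCANNER_DIR
# are assumptions: set AGENT_PORT to the port you configured for the agent.
SCANNER_DIR=/opt/fortanix/scanner
CONF_FILE="$SCANNER_DIR/conf/config.yaml"
AGENT_PORT="${AGENT_PORT:-8080}"

# Side-effect-free helpers so each rule can be exercised on its own.
meets_min() { [ "$1" -ge "$2" ]; }                                   # actual >= required
conf_mode_ok() { case "$1" in *00) return 0 ;; *) return 1 ;; esac; } # no group/other bits, e.g. 600
listen_ok() {                                                        # <ss -ltn output> <port>
  # True if a listener on <port> is bound to an address other than 127.0.0.1.
  printf '%s\n' "$1" | awk -v p=":$2\$" '$4 ~ p && $4 !~ /^127\.0\.0\.1:/ {f=1} END {exit !f}'
}

# Constructed sample of `ss -ltn` output: port 8080 is reachable, 1443 is loopback-only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:8080        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:1443      0.0.0.0:*'

check() { local label=$1; shift; if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi; }

main() {
  local cpus mem_kb ram_gb free_kb disk_gb
  cpus=$(nproc 2>/dev/null || echo 0)
  mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null || echo 0)
  ram_gb=$(( (mem_kb + 524288) / 1048576 ))   # nearest GiB: MemTotal sits a little under the nominal size
  free_kb=$(df -Pk "$SCANNER_DIR" 2>/dev/null | awk 'NR==2 {print $4}')
  disk_gb=$(( ${free_kb:-0} / 1048576 ))
  check "vCPUs >= 2 (found $cpus)"                       meets_min "$cpus" 2
  check "RAM >= 8 GB (found ${ram_gb} GiB)"              meets_min "$ram_gb" 8
  check "free space >= 20 GB under $SCANNER_DIR (found ${disk_gb} GiB)" meets_min "$disk_gb" 20
  check "config file present: $CONF_FILE"                test -f "$CONF_FILE"
  check "config file not group/world accessible"         conf_mode_ok "$(stat -c %a "$CONF_FILE" 2>/dev/null || echo 777)"
  check "outbound TCP to armor.fortanix.com:443"         timeout 5 bash -c 'exec 3<>/dev/tcp/armor.fortanix.com/443'
  check "port $AGENT_PORT bound beyond loopback"         listen_ok "$(ss -ltn 2>/dev/null)" "$AGENT_PORT"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `bash preflight.sh --run` on the scanner host after creating config.yaml; the helpers can also be sourced and pointed at saved `ss -ltn` output from another machine.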
4.0 On-premises Scanner Installation
You must install the Fortanix On-premises Scanner package to manage your databases, source code, file system, and Fortanix DSM on-premises keys and resources on a Linux host.
Download the scanner package to your local machine. The deb or rpm package is provided with the downloaded package for the supported operating systems.
Run the following command to install the scanner package:
Ubuntu 20.04
sudo apt install ./fortanix-scanner_<version>-focal_amd64.deb
Ubuntu 22.04
sudo apt install ./fortanix-scanner_<version>-jammy_amd64.deb
NOTE
You can ignore the message N: Download is performed unsandboxed as root as file '..../fortanix-scanner_<version>-jammy_amd64.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied) during the installation of the scanner package.
Ubuntu 24.04
sudo apt install ./fortanix-scanner_<version>-noble_amd64.deb
RHEL 9
sudo dnf install ./fortanix-scanner-<version>-1.x86_64.rpm
Generate the scanner configuration file as detailed in Section 5.0: On-premises Scanner Configuration.
NOTE
You must create the configuration file in the /opt/fortanix/scanner/conf directory. A sample configuration file is present at /opt/fortanix/scanner/conf/fortanix-scanner.yaml.example.
Initiate the scanning process as detailed in Section 6.0: On-premises Scanner Execution.
NOTE
After you start the scanner, any changes made to the scanner configuration file require a restart of the scanner to apply the latest updates.
Installing a new version of the Fortanix On-premises Scanner package for Linux will overwrite the following default files in the /opt/fortanix/scanner/conf/ directory:
fortanix-scanner.yaml.example
fortanix-scanner.service.example
However, any custom files (for example, user-created configurations) in the same directory will not be removed during the upgrade.
To avoid potential loss of important settings, it is recommended to back up your configuration files before proceeding with the installation.
5.0 On-premises Scanner Configuration
For detailed information on how to configure the Fortanix On-premises Scanner for both Linux and Windows platforms, including authentication methods, database, source code, and file system infrastructures, and secure credential management using environment variables or configuration files, refer to On-premises Scanner Configuration File.
6.0 On-premises Scanner Execution
After the Fortanix On-premises Scanner is configured, refer to the following sections to initiate the scanner for on-premises infrastructures on a Linux host.
NOTE
The scanner commands require the configuration file to be named config.yaml. If you are using the provided example file (fortanix-scanner.yaml.example), ensure that you copy or rename it to config.yaml before running any of the scanner commands in the following sections.
6.1 Prerequisites for Oracle Scan
To enable the scanner to connect to an Oracle database, install the Oracle Instant Client package by performing the following steps:
Open the Oracle Instant Client version 23.5.0.
Download the instantclient-basic-linux.x64-23.5.0.24.07.zip file.
Run the following command to create the folder for installing Oracle Instant Client:
mkdir -p /opt/oracle
Run the following commands to extract the files. This creates the directory instantclient_23_5 in /opt/oracle:
sudo cp instantclient-basic-linux.x64-23.5.0.24.07.zip /opt/oracle
cd /opt/oracle
sudo unzip instantclient-basic-linux.x64-23.5.0.24.07.zip
Run the following command to create or modify the /etc/ld.so.conf.d/oracle.conf file so that it lists the instantclient_23_5 directory:
echo /opt/oracle/instantclient_23_5 | sudo tee /etc/ld.so.conf.d/oracle.conf
Run the following command to update the dynamic linker cache. This makes the Oracle Cloud Infrastructure (OCI) libraries accessible to other applications on the host, ensuring that they can find and use these shared libraries when needed:
sudo ldconfig
6.2 Run the On-premises Scanner
You must run the Fortanix On-premises Scanner to start scanning Oracle, MSSQL, Fortanix DSM (on-premises), source code, and file system environment resources.
NOTE
If you are scanning an Oracle database, ensure the Oracle client libraries are installed as described in Section 6.1: Prerequisites for Oracle Scan.
If the scan is interrupted or closed before completion, then the next scan will start from the beginning.
6.2.1 Run the Scanner Manually
Run the following command to start the Fortanix On-premises Scanner:
sudo -u fortanix -E -H /opt/fortanix/scanner/bin/fortanix-mssql-scanner start -c /opt/fortanix/scanner/conf/config.yaml
6.2.2 Run the Scanner as a Systemd Service
To ensure the Fortanix On-premises Scanner runs automatically at startup and restarts if it stops unexpectedly, configure it as a systemd service. A sample unit file is provided at /opt/fortanix/scanner/conf/fortanix-scanner.service.example.
Perform the following steps to configure the systemd service:
Run the following command to copy the example unit file into the systemd directory:
sudo cp /opt/fortanix/scanner/conf/fortanix-scanner.service.example /usr/lib/systemd/system/fortanix-scanner.service
NOTE
If you make any changes to the fortanix-scanner.service file in the systemd directory, you must run the following command to reload the systemd daemon before restarting the service:
sudo systemctl daemon-reload
Run the following command to enable the service to start automatically on boot:
sudo systemctl enable fortanix-scanner
Run the following command to start the service:
sudo systemctl start fortanix-scanner
Run the following command to confirm the status of the service:
sudo systemctl status fortanix-scanner
7.0 Additional References
After configuring the Fortanix On-premises Scanner, refer to the following:
Getting Started With On-Premises Connection for guidance on onboarding an on-premises connection in Fortanix Key Insight.
On-Premises Connection Troubleshooting for guidance on troubleshooting steps for common issues encountered while configuring and running Fortanix Key Insight in on-premises environments.