Installation of OneSpan Threat View


The installation of OneSpan Threat View in helm-based / large-scale deployments consists of the steps listed below.

Preparation

To prepare the Threat View installation, you must prepare the system infrastructure and set up the Kubernetes control plane for your production environment.

To set up the system infrastructure and the Kubernetes control plane for production

  1. Prepare a Kubernetes orchestrator.

    For more information, see the Kubernetes documentation[1].

  2. Prepare log observability.

    Ensure that the console output (“logs”) of the Threat View microservices deployed in Kubernetes is aggregated and then sent to an observability service (for example, logz.io[1]).

  3. Ensure that the persistence services are set up correctly.

    These include databases, message broker, session storage, etc.

  4. Ensure that the infrastructure is set up correctly.

    Implement network security best practices, such as using firewalls, adequately monitoring the system for malicious activity and policy violations, and scanning the system for vulnerabilities.

  5. Ensure that the endpoints are exposed as required:

    1. The collector-events endpoint must be public-facing, and must be exposed through an API gateway.

    2. The Administration Interface and the collector-events endpoint must only be exposed via the HTTPS protocol.

    3. The endpoints for the Administration Interface and the Identity Management, Tokens, and Visual Renderer services must not be exposed publicly but only internally on your private network.

Installation steps

For an installation and setup of Threat View, implement the following steps.

To install Threat View

  1. Set up Kubernetes as described in the Kubernetes documentation[1].

  2. Install the persistence services:

    1. Install PostgreSQL as described in the PostgreSQL documentation[1], and set up 1 instance.

    2. Install MariaDB as described in the MariaDB documentation[1]. You need to set up 3 MariaDB instances because each Threat View microservice requires its own instance.

    3. Install ActiveMQ as described in the official ActiveMQ documentation (e.g., here[1]). Set up 2 instances, one for the audit logger and one for the events database table.

    4. Install Redis as described in the Redis documentation[1]. Set up 1 instance of Redis with TLS enabled.

    Always configure services to use secure communication (e.g., TLS) where supported, especially for databases and message brokers.

  3. Set up SSL to encrypt communication.

  4. Download and prepare Threat View.

    1. Download the latest Threat View package .zip file from your usual distribution channel.

    2. Extract the contents of the .zip file.

  5. Create and configure the environment files: create a .yaml file for each of your environments.

    Use the threat-view.yaml file provided in the examples folder, and change the variables contained therein to match your installation.

    Change the following:

    1. Set the ingressHostTlsSecretName variable to threat-view-tls.

    2. Replace the placeholders used in the example file with the applicable values from your setup, including <company-name.com>, <tenant.company-name.com>, <infrastructure.com> etc.

    3. Where required, set the values of the optional variables. Follow the recommendations provided in comments in the threat-view.yaml file.

  6. Set up a Secrets vault to securely store your secrets and other sensitive values.

    Ensure this vault contains your own values for the secrets specified in the deploy.sh deployment script from the examples folder.

    Never explicitly include secrets in scripts. Instead, use environment variables or secret injection mechanisms.

  7. Create a deployment script based on deploy.sh from the example. Your script should:

    1. inject the secrets from your vault into the Threat View deployment

    2. call the Helm .tar file, threat-view-version.tgz

    3. use your customized threat-view.yaml file

  8. Upload the Docker images from the threat-view folder of the package:

    1. Push the Threat View Docker images to your Docker repository.

    2. Configure the repository value in your threat-view.yaml file to match that of your Docker repository.

  9. Run your deployment script to deploy Threat View to your Kubernetes cluster.
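
The pattern behind steps 6 and 7, as an added example rather than the deploy.sh shipped in the package: secrets arrive as environment variables set by your vault tooling and reach Helm through `--set-file`, so they never appear in the script, in argv, or in shell history. The `TV_*` variable names, the `secrets.*` value keys and the release name are assumptions; take the real secret list from the example deploy.sh.

```shell
#!/bin/sh
# Added example, not the package's deploy.sh. TV_* names, secrets.* keys and
# the release name are assumptions; use the list from examples/deploy.sh.
set -eu

SECRET_MAP="TV_DB_PASSWORD=secrets.dbPassword
TV_BROKER_PASSWORD=secrets.brokerPassword
TV_REDIS_PASSWORD=secrets.redisPassword"

# Print the name of every required variable that is unset or empty.
missing_secrets() {
    for pair in $SECRET_MAP; do
        name=${pair%%=*}
        eval "value=\${$name:-}"
        [ -n "$value" ] || printf '%s\n' "$name"
    done
}

# Write each secret to its own owner-only file and print the matching
# --set-file arguments, keeping the values out of the process list.
secret_args() {
    dir=$1
    for pair in $SECRET_MAP; do
        name=${pair%%=*}
        key=${pair#*=}
        eval "value=\${$name}"
        ( umask 077; printf '%s' "$value" > "$dir/$name" )
        printf '%s %s=%s\n' --set-file "$key" "$dir/$name"
    done
}

# deploy <chart.tgz> <values.yaml>; the TV_* variables must already be exported.
deploy() {
    missing=$(missing_secrets)
    if [ -n "$missing" ]; then
        echo "missing secrets:" $missing >&2
        return 1
    fi
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' EXIT
    # Word splitting is intended here; assumes TMPDIR contains no spaces.
    helm upgrade --install threat-view "$1" \
        --namespace threat-view -f "$2" $(secret_args "$dir")
}

if [ "${1:-}" = "deploy" ]; then
    deploy threat-view-version.tgz threat-view.yaml
fi
```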

[1] Last accessed: September 29, 2025.

Set up encrypted communication

To ensure secure communication between the browser and Threat View, a TLS (Transport Layer Security) / SSL (Secure Sockets Layer) secret must be configured in Kubernetes. This secret will be used by the Threat View Ingresses to secure the communication over SSL. When you configure SSL between the Threat View container and the database, a database client certificate, key, and root certificate volume mount may be required (e.g., for MariaDB).

To set up SSL

  1. Obtain a TLS certificate.

    Use a trusted Certificate Authority (CA) or generate a self-signed certificate for internal use.

  2. Create a TLS secret in Kubernetes:

    kubectl create secret tls threat-view-tls \
    --cert=tls.crt \
    --key=tls.key \
    --namespace=threat-view

    The name of this secret, threat-view-tls, is the value you set for ingressHostTlsSecretName in your customized threat-view.yaml file.

  3. Redirect HTTP to HTTPS.

    Use annotations or middleware to enforce HTTPS.

  4. (Optional) Automate the certificate management to automatically issue and renew certificates.
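
A pre-flight check for the secret creation in step 2, shown as an added example that is not part of the Threat View package: it rejects a certificate that does not belong to the private key or that is close to expiry before anything is written to the cluster. The function name `check_tls_pair` and the 30-day threshold are assumptions, and the key is assumed to be an unencrypted PEM file.

```shell
#!/bin/sh
# Added example: pre-flight for `kubectl create secret tls`.
# Assumes openssl is installed and the key is an unencrypted PEM file.
set -eu

# check_tls_pair <cert.pem> <key.pem> [min_days]
# Returns 0 if usable, 2 if a file cannot be parsed, 3 on a cert/key
# mismatch, 4 if the certificate expires within min_days (default 30).
check_tls_pair() {
    cert=$1 key=$2 min_days=${3:-30}
    # Both commands print the public key as PEM; identical text means the
    # certificate was issued for this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match" >&2
        return 3
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires within $min_days days" >&2
        return 4
    fi
}

if [ "${1:-}" = "create" ]; then
    check_tls_pair tls.crt tls.key 30
    kubectl create secret tls threat-view-tls \
        --cert=tls.crt --key=tls.key --namespace=threat-view
fi
```

Running the same function on a schedule against the deployed certificate gives an early warning for the rotation practice listed below.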

Apply the following SSL best practices:

  • Use TLS (Transport Layer Security) 1.2 or later

  • Enable HTTP Strict Transport Security (HSTS)

  • Regularly rotate certificates

  • Use strong ciphers and disable weak ciphers