CTAS stands for Commercial Transform Application Server and is almost an exact copy of Paterva’s public CTAS, except that it can be hosted internally within your organisation. This means you can run all of Paterva’s standard OSINT transforms without your requests going over Paterva’s infrastructure.
This page will cover setting up your own internal CTAS server. Some of the sections in this guide are applicable to all Maltego servers and some sections are specific to the CTAS.
Maltego servers require some initial setup and fundamentals that are described in the following sections.
maltego / tasx
You may wish to change to the root user by typing:
$ sudo -s
By default the server is configured to use DHCP. If you want to give the server a static IP address you will need to manually set that up. Once you’ve set up an IP address you will be able to access the server via SSH.
The CTAS server needs to have Internet access. The transforms running on the server will need to make connections to various services on the Internet. These include ports 80, 443, 25, 53 and 3306. This list will grow in the future as more transforms are created, and we recommend that you do not limit the server from making outgoing connections to the Internet.
Incoming connections are needed only on TCP ports 80, 443 and 8081, and only from the IP addresses of the clients that wish to use the server. We recommend that you firewall all incoming connections to the server apart from TCP ports 80, 443 and 8081, and allow those only from the IP addresses of the machines running the Maltego clients.
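One way to express this inbound policy, as an added example (not Paterva's own configuration): the script prints an iptables-restore ruleset that accepts TCP 80, 443 and 8081 only from the listed client addresses and leaves outgoing traffic open. The function names, the optional SSH admin address and the 192.0.2.x client addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a CTAS host.
# Ports are the guide's; every address used below is constructed (RFC 5737).
CTAS_PORTS="80,443,8081"

# Succeeds if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_ipv4() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        prefix=${1#*/}
        case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# $1 = admin address allowed to SSH ("" for none, hypothetical parameter);
# remaining arguments = Maltego client addresses.
ctas_ruleset() {
    admin=${1-}; [ $# -eq 0 ] || shift
    [ $# -gt 0 ] || { echo "no client addresses given" >&2; return 1; }
    for ip in ${admin:+"$admin"} "$@"; do
        valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Port 22 is not in the guide's inbound list, but later steps use SSH.
    [ -z "$admin" ] || echo "-A INPUT -s $admin -p tcp --dport 22 -j ACCEPT"
    for ip in "$@"; do
        echo "-A INPUT -s $ip -p tcp -m multiport --dports $CTAS_PORTS -j ACCEPT"
    done
    echo "COMMIT"
}

# Review the output, then (as root) pipe it to: iptables-restore --test
ctas_ruleset "" 192.0.2.10 192.0.2.11
```

With an empty first argument no SSH rule is emitted, so the host is then reachable for administration only from its console.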
Your server is now ready to go – but it needs to be activated using the license certificate. Activating an iTDS, MDS or CTAS server follows a similar process.
Paterva uses client side certificates for authorisation and authentication on the MDS, CTAS and iTDS. Within the CTAS the certificates are used to activate the seed server (also called a runner). On the MDS and iTDS server the client side certificate is used with a browser to both activate and provide access to the administrative section of the web application.
For all Maltego servers you will initially need to have your .pfx or .key certificate file on hand. This is usually provided via email but is also available on the Server Portal. Once you know the IP address of your server, browse to the interface on the server's IP address.
The first step is to upload the certificate file to the server. Click ‘Choose File’, choose the certificate file from your local filesystem and click on Submit. Certificate details will be shown to you:
Next click on the ‘Activate’ button. This will move the file into the correct area and restart the webserver using this certificate, so you might need to reload the page after a few seconds. If the certificate was good and everything went according to plan you’ll see a screen similar to this:
In February 2017 we released a CTAS patch that adds support for Bing's new Web Search API which is now part of Microsoft's Cognitive Services. Microsoft will be dropping support for the Azure Marketplace "Bing Web Search" which is what was used previously in the CTAS server for our search engine transforms. If you are hosting your own internal CTAS server you will need to sign up for a Bing Web search API key from Microsoft's Cognitive Services to continue using CTAS's search engine transforms. Because Maltego private servers are outside of Paterva’s control we’ve implemented a solution whereby the server administrator can use their own Bing API key with their transform server.
You can sign up for a Bing API key from Microsoft's Cognitive Services website. Pricing for the Bing Web Search API can also be found on the same page. Ensure that you use the Bing Web search and not the Bing search, as the pricing and functionality are different. After registering you will be supplied with an API key. Typically, this looks as follows:
SSH into your private CTAS server. Create a file in /etc/ called BingWebSearch.keys. For this you can use your favorite Unix-based editor. Inside the file you want to create one line with tags that look like this:
When you are done you should save the file. You can now test your setup by running one of the Maltego search engine transforms on your CTAS server. You can use any Maltego transform that has the words [Using Search engine] in the description to test the setup. The transform will let you know if there are any problems.
The second commercial API that the CTAS server uses for a few of its transforms is AlchemyAPI, which is used for entity extraction from text documents as well as for sentiment analysis. If you are hosting your own internal CTAS server you will need to sign up for an Alchemy API key in order to use these transforms.
You can sign up for an Alchemy API key from the IBM Bluemix website. After registering you will be supplied with an API key that will provide you with 1000 free daily API calls, after which the key will need to be upgraded to a commercial key. An AlchemyAPI key typically looks as follows:
To add your Alchemy API key to the CTAS server, the same process can be followed as for adding your Bing Web search API key. First SSH into the private CTAS server and then create a file in /etc/ called AlchemyAPI.keys. For this you can use your favorite Unix-based editor. Inside the file you want to create the line with tags that look like this:
When you are done you should save the file and your CTAS server will be ready to run the AlchemyAPI transforms.
The Maltego clients need to be configured to use the particular server you have configured above.
The very first time the client starts up you’ll be prompted to select whether you want to use the public CTAS or an internal/private CTAS (your own server). The seed of your CTAS server will always be:
Check the Local TAS option and enter your CTAS server’s IP address as shown in the image above. If you also want to have the public transform servers installed to your Maltego client you can leave the Maltego public servers checked as well. Then click Next> and follow the wizard until the transform server is added to your Maltego client. All the transforms, entities, machines and configurations will be installed from your internal CTAS to your Maltego client and they will become available to run from the context menu when you start a new graph.
If you have already added the public CTAS server to your Maltego client and you now wish to add an internal one, this can be done from the transform hub by manually adding the seed URL as another transform hub item.
From time to time we will issue server patches for the Maltego server modules. These will be delivered as a .tgz file that can be downloaded from your Server Portal account.
To manually install new patches follow these steps:
If you received a patch file:
If you want to use the automatic update:
Updating process in progress
Once this is done your Maltego server will be patched.
© Copyright 2017, Paterva PTY Limited