On-Premise PoC Deployment Guide for Gatekeeper
This guide is intended only for Proof-of-Concept (PoC) deployments of Gatekeeper in an on-premises environment. It is not suitable for production use.
Important Notice
- This is a single-VM deployment (one Xshield and one Gatekeeper) with no redundancy.
- The PoC supports securing up to 15 assets only.
- Intended strictly for evaluation of the Xshield platform and Gatekeeper in on-prem environments.
Pre-requisites
Ensure that you have the following resources available to deploy the VM:
- 8 vCPU
- 32 GB RAM
- 256 GB Disk
OVA links
- Ubuntu 22.04 Xshield v25.2 Download OVA
- RedHat 9.5 Xshield v25.2 (Federal Use Case - FIPS hardened) Download OVA
Platform Deployment Options
Important: Follow the PoC deployment guide to deploy the Xshield management platform in an on-premises environment.
There are 3 options for installing Xshield management platform on-premise:
- IP-Based Deployment (HTTP) – Default
- Domain-Based Deployment with trusted root
- Custom Domain with imported certificate
Choose the appropriate option based on your requirements.
If using Domain-Based Deployment, colortokenspoc.com is the recommended domain.
For ease of use and typing, it is recommended that you do not accept the randomly generated subdomain.
Gatekeeper Deployment Steps
1. Create the VM
Deploy the OVA (link above)
2. Configure Network
The OVA will obtain an address via DHCP.
It is highly recommended that you assign a static IP address. Manually configure the static IP, DNS, and gateway:
cd $HOME/onprem-infrastructure/single-node
bash setup-static-ip.sh
As of 7/25/2025, you must enter gateway and DNS server even if none exist.
3. SSH Into the VM
Default credentials:
Username: ctuser
Password: colors321
Gatekeeper Configuration for On-Premise
On boot up, you must change the admin password. Ensure that you save this in a safe place. It must be a complex password:
- Non-dictionary word
- 8 or more characters
- Upper and lower case letters
- At least 1 number
- At least 1 special character
The menu is then displayed. If you ever need to exit the menu system, the command to get back to the menu from the command line is ctconfig. It must be entered as superuser:
sudo ctconfig
Step 1 - Assign Appliance Name and IP
Select menu item 1. Appliance Information. Configure a meaningful name for the Gatekeeper appliance; it will be used in the management interface.
Enter the static IP address you determined in POV prep. As of 7/25/2025, the Gatekeeper must have a reachable gateway address even if the Gatekeeper and Xshield are on the same subnet. A DNS entry is needed even if there is no DNS.
Validate the information displayed.
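The static IP, gateway and DNS values required in "Configure Network" and again in Appliance Information can be sanity-checked before they are typed in. The script below is an added example, not part of the Gatekeeper or Xshield tooling: the function names, the prefix-length argument and the sample addresses are assumptions, and it checks only that the gateway is an on-link address in the appliance's subnet, not that it answers.

```shell
#!/bin/sh
# Added example (hypothetical helpers): pre-check planned network values offline.

# ip_to_int A.B.C.D : print the address as a 32-bit integer, return 1 if malformed.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_plan IP PREFIX GATEWAY DNS : print "ok" or the first problem found.
check_plan() {
    ip=$(ip_to_int "$1") || { echo "bad static IP: $1"; return 1; }
    gw=$(ip_to_int "$3") || { echo "bad gateway: $3"; return 1; }
    # A DNS entry has to be supplied even if there is no DNS, so empty is an error.
    ip_to_int "$4" >/dev/null || { echo "bad DNS server: $4"; return 1; }
    case "$2" in ''|*[!0-9]*|0?*|???*) echo "bad prefix: $2"; return 1 ;; esac
    [ "$2" -ge 8 ] && [ "$2" -le 30 ] || { echo "prefix out of range: $2"; return 1; }
    mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
    net=$(( ip & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    # An on-link gateway shares the appliance's network bits.
    [ $(( gw & mask )) -eq "$net" ] || { echo "gateway $3 is outside $1/$2"; return 1; }
    [ "$gw" -ne "$ip" ] || { echo "gateway equals the appliance IP"; return 1; }
    for a in "$ip" "$gw"; do
        [ "$a" -ne "$net" ] && [ "$a" -ne "$bcast" ] ||
            { echo "network or broadcast address used as a host"; return 1; }
    done
    echo "ok"
}

# Constructed sample values, not taken from any real deployment.
check_plan 192.168.10.20 24 192.168.10.1 192.168.10.1
```

Run it on any workstation with the values you plan to enter; a non-zero exit status means the plan should be corrected before it is entered on the appliance.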
Step 2 - Register the Appliance
Select menu item 3. Register Appliance
IP Based Deployment:
Enter the IP address as the Colortokens site during registration. Use a dummy domain name.
Domain Based Deployment:
The deployment key is found in the Xshield UI.
From here, the Gatekeeper configuration can follow the standard documentation: Gatekeeper Deployment Guide.
Troubleshooting
Run the below script to check the cluster/services health if experiencing any issues:
cd $HOME/onprem-infrastructure/single-node
bash status.sh
For detailed troubleshooting information, refer to the PoC deployment guide.