Compatibility

• The virtual appliance supports VMware vSphere 6.5+, and as Oracle VM Virtualbox 6.0+.

• The virtual appliance runs Alpine Linux.

Deploying the Virtual Appliance

Note: The virtual appliance is preconfigured with minimum CPU, RAM, and storage values. Unless instructed otherwise by Veza support, do not adjust the default values.

VMware

From the VMware Host Client Inventory screen, follow these steps to import the virtual appliance:

1. Right-click Host in the VMware Host client inventory and select Create/Register VM

2. In the New Virtual Machine window that appears, on the Select creation type page, select Deploy a virtual machine from an OVF or OVA and click Next

3. On the Select OVF and VMDK files page, provide a unique name for the virtual machine (ex: veza_insight_point)

4. Click the blue pane to begin browsing to the location of the veza_insight_point_v2.ova file on your local system storage

5. Browse to and select the veza_insight_point_v2.ova file, then click Open

6. The file appears in the blue pane in the New Virtual Machine wizard; click Next

7. On the Select storage page, select the storage type (Standard) and choose a datastore for the virtual machine, then click Next

8. On the Deployment options page, select network mappings, disk provisioning, and power-on settings, then click Next

9. On the Ready to complete page, review the virtual machine details and click Finish

Oracle VM Virtualbox

In the Oracle VM VirtualBox Manager, follow these steps to import the virtual appliance:

1. In the File menu, click Import Appliance

2. In the Appliance Import Wizard window that appears, click Choose to select the location of the veza_insight_point_v2.ova file

3. Browse to the location of the veza_insight_point_v2.ova file and click Open

4. Review the Appliance Import Settings displayed in the window and click Import

Generate an Insight Point Registration Key

The Insight Point requires a registration key to authenticate with the Veza platform. To generate an Insight Point registration key, follow these steps:

1. Browse to your Veza Instance and log in as an administrative user.

2. In the left navigation pane, locate Configuration, then click Insight Point in the subpane.

3. Click Generate New Key in the upper-right corner of the main pane.

4. Provide a name for the new Insight Point and set an expiration date and time.

5. Click Generate Key

6. Make note of the key value that is returned; this will be required for configuring the Insight Point below

Configuring the Virtual Appliance

Once the virtual appliance is deployed and powered on, complete the initial configuration from the hypervisor console or using SSH.

Default Credentials

Log in to the virtual appliance with the root account. This account has no password when initially deployed.

Configuration

From the shell prompt, run setup-veza to configure the system. The Message of the Day banner refers to this command when logging in.

After invoking the setup-veza command, follow the prompts:

1. Set the timezone for the virtual machine

   Note: Communication between the Insight Point and the Veza SaaS platform is sensitive to time drift. Ensure that the virtual machine's clock matches the local time.

2. Set an appropriate hostname for the virtual appliance

3. Configure the eth0 interface to use DHCP or static values

4. If using static interface values, configure DNS settings

5. Set a password for the root account

6. Enter the Insight Point Registration Key

   Note: This value is a long base64-encoded string; copy it from the Veza platform and paste the value here

7. The docker daemon will pull the most recent Insight Point image; this might take several seconds to initialize without screen output

8. The command will return to the shell prompt after the Insight Point deploys.

Operation and Troubleshooting

After the Insight Point deploys, verify that it has successfully connected to the Veza platform. Log in to the Veza platform and follow these steps:

1. On the left navigation pane, under Configuration, click Insight Point

2. Verify that a new Insight Point has registered with the platform.

Note: One Insight Point will be named "Veza Insight Point" by default. Ensure at least two are present.

Verifying Container Status

If the newly deployed Insight Point does not appear on the Veza platform, verify the status of the container on the virtual machine:

1. Log into the virtual machine console or use SSH

2. List running Docker processes with the command: docker ps -a --filter="name=veza-insight-point"

3. Examine the output

The Insight Point's container ID should include a Status column showing Running.

Accessing Insight Point Logs

If the Insight Point does not appear to be running, or if requested by Veza support, follow these steps to access the Insight Point logs:

1. Log into the virtual machine console or use SSH

2. Run the following command to output the Insight Point logs: docker logs veza-insight-point

3. The logs are in JSON format and can be output to a file or copied from the terminal for debugging

What is a Veza Insight Point?

An Insight Point is a lightweight connector running in your environment to enable the secure gathering of authorization metadata for resources that Veza cannot access directly. An Insight Point is typically deployed as a Docker container or VM OVA.

Typically, you will want an Insight Point to enable secure discovery of services (such as Active Directory, Oracle Database, or SQL Server) that require connectivity from within your corporate network. The Insight Point will run within your network to query the internal-only data sources for authorization metadata and push that information to Veza securely.

When do I need an Insight Point?

Deploying an Insight Point for Veza is usually not required, but might be necessary:

• When the resources to discover are not exposed publicly.

• To discover databases and other services that do not have cloud-native APIs.

• If your organization prohibits 3rd-party programmatic access to cloud service providers.

Deploying an Insight Point

Generating an Insight Point key

Log in to Veza with an administrator account, and create a registration key by browsing to Integrations > Insight Points:

1. Click Create

2. Enter a Name

3. Click Generate Key

4. Copy the key for use when running the docker image

Save the Insight Point key in a secure location. If lost, there is no way to recover it.

Troubleshooting

Refer to specific deployment guides for troubleshooting steps.

Checking connectivity

The Insight Point automatically checks for connectivity on container start. This includes steps to resolve the DNS and verify TCP and HTTP communication. If there are connection problems, the container logs will indicate if a connection was refused, a host could not be found, or there is another issue.

Monitoring Insight Point availability

Note: If the Insight Point task manager service is restarted, the event can be emitted sooner than the 24-hour window.

To enable email alerts when an Insight Point is unavailable:

1. Use the Veza navigation menu to open Administration > Event Subscriptions

2. Click Create Subscription

3. On the Details tab, enter a descriptive name to communicate the alert purpose.

4. On the Conditions tab:

   • Set Event Type to "Insight Point Unavailable"

   • Set Severity to "Error"

   • Set Category to "Integrations"

5. On the Action → Send Alert tab, select or create an email Veza Action

6. Click Create to save the subscription

Changing an Insight Point

When modifying the Insight Point associated with an integration — for example, if the registration key is lost — you will need to re-enter the credentials and secrets for that integration configuration.

• Follow the instructions to start another Insight Point with a new deployment key

• On the Integrations page, edit the integration configuration to re-enter the credentials for each affected integration.

Ports and connectivity

The Insight Point will communicate out from the container VM to the Veza Tenant and targeted systems. Your implementation must enable traffic to and from the host on the required ports.

Also, the host must be able to communicate out to the ECR repository hosting the insight point image.

• The Insight Point must be able to communicate with https://<your-org>.vezacloud.com on outbound port 443. Ensure that firewalls allow outbound traffic to the Veza tenant domain.

• For Active Directory and SQL Server: The Insight Point must be allowed to communicate with Active Directory Domain Controllers on port 636, and SQL Servers on port 1433.

• For AWS RDS and Trino: To discover AWS RDS or Trino instances, you will need to add the Insight Point egress IP to the Security Groups Inbound rules. Do this for each of the instances to discover.

To add an entry for AWS RDS:

1. Log in to the AWS account containing the resources to discover, and go to RDS > Databases

2. Click the DB identifier and go to Connectivity & security > Security > VPC security groups

3. Click Inbound rules > Edit inbound rules to set the IP address entry

4. Click Add rule > Type (MySQL, Aurora or PostgreSQL) > Source (Custom)

5. Enter the Insight Point egress IP

6. Optionally enter a description and click Save rules

To add an entry for Trino:

1. Log in to the AWS account containing the resources to discover, and go to EC2 > Security Groups

2. Click the Security Group associated with your Trino instances and go to 'Inbound rules' > 'Edit inbound rules' to set the IP address entry

3. Click 'Add rule' > Type (Custom TCP) > Port Range (8080 or your custom port) > Source (Custom) > enter the Insight Point egress IP

4. Optionally enter a description, and save the rules

To ensure a smooth onboarding process, configure your environment to allow communication with essential Veza IP addresses and email domains.

Domain Filtering

The following domains should be allowed through email filters, proxies, and firewalls:

• Email notifications: When a Veza local account is created, an email is sent to the user to create their password. This email comes from noreply@vezacloud.com.

• Veza tenant domain: The domain for your Veza instance will be *.vezacloud.com, where * represents your Veza tenant name.

Firewall Rules and Filters

Veza integrations connect to data sources across your on-premise environment, cloud providers, and SaaS applications. Most integrations use API tokens or other credentials to query for authorization metadata.

By default, integrations run on the Veza SaaS platform. If your organization filters inbound connections to applications you want to integrate with Veza, allow traffic from the following Veza NAT Gateway IP addresses in your firewall rules or filters, depending on the region where Veza is deployed:

• North America regions:

  • 18.221.224.60

  • 3.18.38.252

  • 52.14.66.128

• Europe, Middle East, and Africa regions:

  • 18.133.37.58

  • 18.171.45.61

  • 13.42.176.0

Insight Point Connectivity

When configuring an integration, you can choose to use an Insight Point managed by your organization. An Insight Point allows querying authorization metadata within your environment, with no inbound calls from your Veza tenant to integrated data sources.

Veza maintains a script you can use to quickly install and run an Insight Point with Docker. Follow these steps to set up your environment, run the latest install script, and manage the deployment.

Prerequisites

• Systemd

• Docker (or Podman with Docker compatibility)

Install Docker

sudo dnf install -y docker
sudo systemctl enable docker
sudo systemctl start docker

sudo apt-get update
sudo apt-get install -y docker.io

sudo dnf install -y podman-docker

Install

Generate an Insight Point key from the Veza Integrations > Insight Point page. Store it as an environment variable before downloading and executing the script:

INSIGHT_POINT_KEY="<key>" bash -c "$(curl -fsSL https://veza-releases.s3.us-east-1.amazonaws.com/insightpoint/install.sh)"

or

export INSIGHT_POINT_KEY="<key>"
bash -c "$(curl -fsSL https://veza-releases.s3.us-east-1.amazonaws.com/insightpoint/install.sh)"

Remove

Uninstall

Uninstall will remove all components of the Insight Point but will not remove the configuration in /etc/veza-insight-point.

bash -c "$(curl -fsSL https://veza-releases.s3.us-east-1.amazonaws.com/insightpoint/install.sh)" -- uninstall

Remove

Remove will remove all components of the Insight Point and the configuration in /etc/veza-insight-point. The Insight Point Key will be lost (if not backed up).

bash -c "$(curl -fsSL https://veza-releases.s3.us-east-1.amazonaws.com/insightpoint/install.sh)" -- remove

Tips & Tricks

Pull from a different registry

The Insight Point image must be pulled from a pull-through cache or private registry (where the image is mirrored). You can override the image repository with the IMAGE_REPOSITORY config setting.

Create or edit the configuration in /etc/veza-insight-point/service.env to set the IMAGE_REPOSITORY configuration:

IMAGE_REPOSITORY="registry.example.com/veza/insight-point"

If pulling some other image version than the default image tag (latest), you need to configure the override using the IMAGE_TAG option:

IMAGE_TAG="myversion1"

After the changes have been made and saved, restart the Insight Point service:

sudo systemctl restart veza-insight-point

Check that the service has started successfully by running the following command:

systemctl status veza-insight-point

Using a proxy server

If you need to use a proxy server, add the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY lines to the Insight Point service configuration.

Create or edit the configuration file /etc/veza-insight-point/config.env to include the proxy server details:

HTTP_PROXY=http://proxy.local:8080
HTTPS_PROXY=http://proxy.local:8080
NO_PROXY=*.domain.local,*.domain2.local

After the changes have been made and saved, restart the Insight Point service:

sudo systemctl restart veza-insight-point

Check that the service has started successfully by running the following command:

systemctl status veza-insight-point

Configuring Insight Point to forward connections to Veza (early access)

An Insight Point can proxy connections to Veza, allowing you to send Open Authorization API (OAA) payloads to a locally accessible server within a VPC instead of directly over the internet.

When a proxy port is enabled in the configuration, applications can push to the Insight Point's internal network address (e.g., http://localhost:8080/api/v1/providers/custom/...), instead of making API calls directly to Veza's cloud service (https://$VEZA_URL/api/v1/providers/custom/...).

Create or edit the configuration file /etc/veza-insight-point/service.env to set the proxy port:

PROXY_PORT=8080

Save the changes. Then, restart the Insight Point service:

sudo systemctl restart veza-insight-point

Proxy server is supported since Veza release 2025.5.x. For older Insight Points, you will need to reinstall before you can enable a proxy port:

bash -c "$(curl -fsSL https://veza-releases.s3.us-east-1.amazonaws.com/insightpoint/install.sh)" -- reinstall

Using custom certificates

Create or edit the configuration file /etc/veza-insight-point/service.env to mount the custom certificates to the Insight Point container:

CONTAINER_FLAGS="-v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt"

After the changes have been made and saved, restart the Insight Point service:

sudo systemctl restart veza-insight-point

Check that the service has started successfully by running the following command:

systemctl status veza-insight-point

Troubleshooting

Status

Retrieve the status of the Insight Point systemd service:

systemctl status veza-insight-point.service

Logs

Retrieve last 500 log lines for the Insight Point service:

journalctl -n 500 -u veza-insight-point.service

Follow logs for the Insight Point service:

journalctl -u veza-insight-point.service -f

Reinstall

Reinstall will remove the currently installed Insight Point service and install it again. All configuration in /etc/veza-insight-point will be preserved.

bash -c "$(curl -fsSL https://veza-releases.s3.us-east-1.amazonaws.com/insightpoint/install.sh)" -- reinstall

Installation

Follow the instructions to launch a new AWS EC2 instance, install prerequisites, and download and run the Insight Point. You can opt to use an existing EC2 instance, provided that the docker version is 19.09 or later.

• • Ensure that the region where you want to initialize the instance is selected

  • Click Launch Instance

  • Add a name for the instance ("Veza Insight Point")

  • Choose Amazon Linux 2023 OS image

  • Dedicate at least 2 CPU, 4GB RAM for the instance

  • Choose an existing key pair or create a new one

Operation and Troubleshooting

After the Insight Point deploys, verify that it has successfully connected to the Veza platform. Log in to the Veza platform and follow these steps:

1. On the left navigation pane, under Configuration, click Insight Point

2. Verify that a new Insight Point has registered with the platform.

Note: One Insight Point will exist by default, named "Veza Insight Point".

Verifying Container Status

If the newly deployed Insight Point does not appear on the Veza platform, verify the status of the container on the virtual machine:

1. Log into the virtual machine console or use SSH

2. List running Docker processes with the command: docker ps -a

3. Examine the output

The Insight Point's container ID should include a Status column showing Running.

Accessing Insight Point Logs

If the Insight Point does not appear to be in a running state, or if requested by Veza support, follow these steps to access the Insight Point logs:

1. Log into the virtual machine console or use SSH

2. Run the following command: docker ps -a

3. Note the value in the Container ID field

4. Run the following command to output the Insight Point logs: docker logs <container_id>, substituting the actual container ID

5. The logs are in JSON format and can be output to a file or copied from the terminal for debugging

Step 1: Create a Container Instance resource

Step 2: Get the latest Insight Point image

In the creation wizard, use a custom image source. Select Other registry and add the path to Insight Point image: public.ecr.aws/veza/insight_point:latest

Step 3: Assign an appropriate virtual network

Add the Insight Point to the virtual network. Choose Private and enter the virtual network assigned to other resources the Insight Point will connect to:

Step 4: Configure the Registration Key

In the advanced settings, configure the Insight Point registration key:

1. Navigate to the Advanced tab.

2. In the Environment Variables section, add the Insight Point provisioning key to the DP_REGISTER_KEY variable.

3. To generate a new registration key, visit the Integrations -> Insight Point page in the Veza console.

Confirm your settings by clicking Review + create, then deploy the container by selecting Create.

Step 5: Update the Azure integration to use the Insight Point

Finally, update the integration configuration in Veza so that the connection is made using the new Insight Point, instead of the Veza SaaS platform:

1. Log in to Veza, go to the Integrations page, and find the Azure integration on the list of providers.

2. Click Edit to open the configuration.

3. Change the Insight Point from (default) to the one you created.

4. Save the integration.

Configuration Options

The Insight Point Helm chart accepts the following configuration parameters via --set flags. Typically only key is required.

• key is your unique Insight Point registration key, generated in the Veza UI.

  • Create a key in Veza: Integrations > Insight Points > Create

  • Store this value securely as it cannot be recovered if lost

• skipVerify (TLS_INSECURE_SKIP_VERIFY) should only be set to true to disable certificate validation for testing/troubleshooting.

Configuring Proxy CA Certificates

When using an HTTPS inspection proxy:

• Set to addrto your proxy's address if different from the Veza endpoint. This value overrides the default request authority.

• Ensure your proxy can connect to your Veza deployment.

• authority specifies the domain name to use for TLS certificate validation and is only required when addr points to a proxy instead of directly to Veza. Must be a specific domain (wildcards not supported).

To trust an HTTPS proxy, you will need to modify the Helm chart to add a volume for the proxy's CA certificate, mount it into the container, and configure the certificate path:

Requirements

A Kubernetes Helm chart is a package format used to define, install, and upgrade applications in Kubernetes. Helm is often referred to as a package manager for Kubernetes. To install the chart, you will need:

• Insight Point Key: You will need to generate a secret key for the Insight Point. To create one, go to Veza Integrations > Insight Point > Create.

• Access to the Kubernetes Cluster: Ensure you have the necessary permissions and access credentials to interact with the target Kubernetes cluster.

• Your organization security policies must allow chart installation from the VEZA ECR public.ecr.aws/veza

Install Insight Point (Helm Chart)

1. Customize Values and Install the Insight Point:

   Use the helm install command to install the Insight Point into the Kubernetes cluster. Replace <NAME>, <VERSION>, <KEY>, and key with your specific values:

   • --namespace <NAMESPACE>: required if installing the Insight Point into a different namespace than the default.

   • --create-namespace: required if the namespace does not exist yet.

   • --set enableSecrets=true: optional field, required to enable Kubernetes Secrets extraction. Secrets will not be extracted by default.

   An Veza Insight Point Key must be provided. To do this, you can specify the value with the --set key=<registration-key> option when installing the chart.

   Example:
2. Verify Installation:

   Verify the status of the installation by running:

   This command will return a list of Helm releases, including the Insight Point you just installed. Ensure the STATUS is "DEPLOYED."

3. Get Insight Point Logs:

   If the Insight Point fails to initialize or can't connect to Veza, you can get more details by reviewing the container logs. You can retrieve this using the terminal:
4. Upgrade and Maintain:

   Over time, you may need to upgrade the Insight Point to newer versions or adjust its configuration. Use the helm upgrade command to make these changes.

   Example:
5. Uninstall the Insight Point:

   If you need to uninstall the Insight Point, you can do so using the helm uninstall command:

Generating Key Pairs for Workday Integration

To ensure secure communication between Veza and Workday, we adopt an authentication mechanism using public-private key pairs. This approach uses SSL (Secure Socket Layer) technology, which establishes encrypted links between servers and clients, ensuring that all data transmitted remains private and secure. x509 certificates are a standard format for public key certificates, verifying the ownership of a cryptographic public key for secure communication.

Why is this necessary?

1. Security: Public-private key pairs are the foundation of many cryptographic protocols, ensuring the confidentiality, authenticity, and integrity of data.

2. Authentication: Workday can verify that data received is genuinely from Veza, ensuring trusted communication.

3. Non-repudiation: Transactions signed with the private key can be proven to come from Veza.

Installation

Linux

1. Most Linux distributions include OpenSSL by default. If not:

   • Debian or Ubuntu: sudo apt update && sudo apt install openssl

   • Red Hat: sudo yum install openssl

   • Fedora: sudo dnf install openssl

Mac

1. OpenSSL is included with macOS by default. If you need a specific version or updates:

Windows

• OpenSSL Binary:

  • Add OpenSSL's bin directory to your system's PATH.

• Windows Subsystem for Linux (WSL):

  • Run the Linux distribution and install OpenSSL using its package manager (e.g., sudo apt install openssl for Ubuntu).

• Git Bash for Windows:

  • Use OpenSSL directly from the Git Bash terminal.

• Package Manager for PowerShell:

Alternately, you can use the Microsoft Management Console (MMC):

• Use the built-in MMC snap-in to manage certificates:

  1. Press Win + R, type mmc, and press Enter.

  2. File > Add/Remove Snap-in > Certificates > Add.

  3. Follow the wizard to manage personal certificates and trusted root certificates.

Generate Key Pairs with OpenSSL

1. Generate a Private Key:

• The private key is the foundation of your security protocol. Ensure it is secure and never exposed.

  Generate it with OpenSSL in PEM format:

  Copy

  openssl genpkey -algorithm RSA -out private_key.pem

  If you need additional security, encrypt the key file with a passphrase. Save the passphrase in a secure location:

  Copy

  openssl rsa -aes256 -in private_key.pem -out encrypted_private_key.pem

  During Veza integration configuration, you will upload this private key file and, if encrypted, enter its passphrase.

2. Generate a Certificate Signing Request (CSR):

• A CSR is a request for a certificate authority (CA) to validate and certify your public key. The CSR includes information such as your organization and domain.

  Generate the CSR:

  Copy

  openssl req -new -key private_key.pem -out signing_request.csr

  During the process, you'll be prompted to enter details like your organization and common name (CN). These are optional depending on your integration requirements.

  Post generation, you can either:

  • Submit the CSR to a trusted Certificate Authority for a signed certificate.

  • Create a self-signed certificate, which might not be trusted universally but is sufficient for testing or internal use.

3. Generate a Self-Signed Certificate:

• Using the CSR and private key, generate the certificate:

  Copy

  openssl x509 -req -days 365 -in signing_request.csr -signkey private_key.pem -out your_cert.crt

  In this example, days sets the length of time the certificate is valid for.

Paste the contents of this certificate, which includes the public key, when configuring the API client registration in Workday.