Just purchased an on-site license with us? Here's a helpful guide to get you started with your deployment!
We refer to your setup of Corellium as your domain. Your domain contains users (including the administrator user), projects and virtual devices. Your domain must be assigned a human-readable name (e.g. the name of your company) and a machine-readable name (e.g. your-company.corellium.net).
Users access Corellium through a web interface. This web interface is served on the traditional HTTP and HTTPS ports of 80 and 443 on the controller node (see Server Roles in Corellium).
Although users can access the web interface directly by the IP address of the controller node, it is preferred for you to configure their DNS settings so that they may access it through the domain name (e.g. your-company.corellium.net).
Note that although we give “corellium.net” as the example suffix for your domain name, we do not and cannot actually publish the local, private IP address of your Corellium controller node to public DNS, so you must add that as an entry in your private DNS.
Corellium requires HTTPS. A self-signed certificate is automatically generated and must be accepted by your users. Alternately, you may provide a certificate and key for Corellium to use.
Virtual devices are the core of Corellium (pun intended).
Virtual devices each have a virtual interface that they can use to access the outside world. Corellium has its own internal DHCP server that exclusively gives IPs to virtual devices. In addition to the IP assigned to the virtual device’s Wi-Fi interface, Corellium also allocates a per-device IP that users can use to interact with the device. Many services are hosted on this per-device IP, such as the ability to connect USB devices to the virtual device using USBIP.
The simplest way to configure Corellium is to have Corellium use a DHCP server you already have set up on your network to determine the IP addresses to use for the Wi-Fi and service IPs. This has the drawback that each device gets semi-randomly assigned IP addresses that are not memorable.
Corellium can also be used in virtual device static IP mode. In this mode, each project in Corellium has its own /23 IP space, and virtual devices within the project are assigned addresses within that /23 IP space. For example, if the project has the IP space 10.11.2.0/23, the first virtual device would have a Wi-Fi IP of 10.11.2.1 and a services IP of 10.11.3.1.
In other words, each project is given a consecutive range of 512 IP addresses, starting from an IP address whose 3rd part must be an even number. For example, 10.11.4.0 would be a valid starting address for the project’s range, but not 10.11.5.0.
This system makes it easy for users to quickly remember the IP addresses of their devices and be able to easily access them with their tools, streamlining their process.
Virtual devices are organized into projects. Projects are the basic resource allocation and access control unit in Corellium. Users are created by the administrator and given permission to access projects. Projects are assigned certain amounts of resources by the administrator and users with permission to access projects can freely use them to create virtual devices.
The more projects you wish to add to Corellium, the greater amount of IP space Corellium will need in virtual device static IP mode. Before installing Corellium, you must estimate how many projects you will need to create and figure out how much IP space (and where) to assign to Corellium’s projects. For more discussion on this, see Virtual Device Network in the Networking in Corellium section.
Corellium allocates the IP ranges for each project starting from a value you, the administrator, configure. For example, if you configure 10.15.14.0, the first project created will have a range of 10.15.14.0 -> 10.15.15.255, the second will have a range of 10.15.16.0 -> 10.15.17.255, etc. Note that because of this, Corellium needs one contiguous IP space for its projects and virtual devices.
There are two possible roles in Corellium: the compute role and the controller role. Each server (or node) can take on one or more of these two roles. Note that in some cases, one physical chassis can contain two logical servers (e.g. when we ship what are called “dual-node” servers). In this case, each logical server (or node) must be treated as an entirely separate server.
Nodes that serve the compute role are the ones that actually run the virtual devices. These nodes necessarily have to be ARM servers running our proprietary hypervisor.
Nodes that serve the controller role are the ones that run the front-facing Corellium software. Compute nodes report to the controller nodes, which coordinate the cluster. The controller nodes take care of the allocation and scheduling of virtual devices onto the compute nodes. They also store the virtual device firmware and serve it to compute nodes that request it, and they store custom kernels and other images uploaded by users.
In the Multi-Node setup, Corellium configures one of the servers to be a controller node as well as a compute node. It comes equipped with extra disks in order to store the large virtual device firmware files.
The Controller Node will be your single point of contact with the Corellium software. It runs the Corellium user interface. Additionally, the Controller Node can be used to upgrade, reconfigure or reset Corellium if necessary since it contains credentials necessary to alter the other servers.
In the Single-Node setup, Corellium configures the same server to be both a controller node and a compute node. When we refer to the Controller Node in the document, we are referring to that server, even though it serves both as a controller and a compute node.
Corellium servers are all connected together on a single Layer 2 network. The 1Gb port on the Corellium server should be connected to a switch.
On Layer 3, Corellium uses two networks: the virtual device network and the control network. It is possible for Corellium to be configured in such a way that the two are in fact the same Layer 3 network. Configuring both networks to be the same network as the main network users are on allows users to easily access both the Corellium user interface and their virtual devices. However, Corellium requires large blocks of IP addresses so this setup is not always practical.
Corellium uses static IP addresses and large blocks of IP space for virtual devices, so a network administrator is required to set up Corellium.
The control network is how nodes communicate with each other and to the outside world. The controller node runs a web server listening on the traditional ports of 80 and 443. This web server is the one users use to access the Corellium UI. The IP address assigned to each node must be static and fixed at the time Corellium is configured since Corellium discovers and identifies itself through these IP addresses.
Each Corellium server needs a static IP address, netmask, and optionally a gateway. The netmask determines what Layer 3 network the server will be on. The gateway allows Corellium servers to reach external addresses. This is required if Corellium is on a different network than users or if virtual devices are required to be able to reach the Internet. Optionally, DNS servers may be specified to allow Corellium servers to access the Internet in order to download updates for virtual device firmware and Corellium software. All Corellium servers share the same netmask, gateway and DNS Servers.
Since each node identifies and authenticates itself to each other using its IP address, changing the IP addresses of Corellium servers will require a reset of the entire Corellium setup.
It is up to you to decide which IP addresses, netmask and gateway to assign the servers on the network. We recommend placing Corellium on your main internal network for ease of configuration and access and configuring your DHCP server to honor a static reservation for the Corellium servers. To make things a bit easier, we’ve included the MAC Address in your Initial Networking Configuration and Passwords document.
Once you have determined which IP addresses to give the Corellium servers, you must make provisions for your users to be able to access the Corellium Controller Node.
First, users must be able to access the Corellium control network. This can be done by merely placing Corellium on the same network users use (e.g. your main internal network). If you wish to put Corellium on another network, you must configure the router on your main internal network to route packets between the Corellium control network and your main internal network.
For example, you could plug the router physically into both the Corellium control network and your main internal network. You would assign an IP address on the router on your main internal network and an IP address on the router on the Corellium control network.
Then you could enable IP forwarding on the router to transfer packets between the networks. This setup would work as long as machines on the main internal network use the router’s main internal network IP address as their gateway, and you configured Gateway under Networking Information in Corellium to be the router’s Corellium control network IP address.
Second, users must be able to discover and access the Corellium Controller Node. If your organization has its own internal DNS server, you could configure the DNS server to return the IP address of the Corellium Controller node when users request a certain domain name. You could also ask users to put the domain name into their /etc/hosts file, or access the Corellium Controller Node by its IP address directly.
The virtual device network is the network all the virtual devices are on. For our on-premise setups, all the virtual devices are on a single network. The simplest way to configure Corellium is to have Corellium use a DHCP server you already have set up on your network to determine the IP addresses for virtual devices to use on the network. This has the drawback of having virtual devices get semi-random IP addresses that are not organized or memorable.
A more organized way to do it is to assign a specific range of static IP addresses to Corellium. As described above in Projects and Devices, virtual devices are assigned IPs from their project’s range of IPs. The projects themselves are assigned ranges based on the “Virtual Devices IP Address” setting in the configuration.
In addition to configuring the network range via the Virtual Devices IP address and Virtual Devices Netmask, a gateway can be configured to allow virtual devices to reach external addresses. If you are not putting the virtual devices on the same network as the users, the gateway will be required for users to access the virtual devices. If the virtual devices are on the same network as the users and Internet access for virtual devices is not required, then the gateway is not required.
Note that the gateway is not a “virtual gateway”. It is a gateway for virtual devices. The gateway is not a facility Corellium provides or configures. It is something a network administrator must provide and configure as its configuration must be specific to the network of each organization.
For similar reasons, Corellium also cannot provide DNS servers for virtual devices to use. If you are configuring the network for virtual devices to access the public Internet, you may simply use public DNS servers such as 220.127.116.11 or 18.104.22.168 for this purpose.
It is not required that control network and virtual devices network be the same or be reachable from each other.
In static IP range mode, Corellium reserves the last IP address in the virtual device network, so it cannot be used as the IP address of the gateway for virtual devices.
It is up to you to decide which range of IP addresses you give to the projects. You can pick any range that does not conflict with your existing networks. However, you must make sure the range is large enough to accommodate all the projects you wish to create now and in the future. You must also make provisions for your users to access this network.
It is possible to place the Corellium virtual device network on the same network users use (e.g. your main internal network). This way, the users could access the virtual device network but you might be constrained on how large of a range you can assign Corellium.
If you wish to put the Corellium virtual devices on another network, you must configure the router on your main internal network to route packets between the Corellium virtual device network and your main internal network. For example, you could plug the router physically into both the Corellium virtual device network and your main internal network. You would assign an IP address on the router on your main internal network and an IP address on the router on the Corellium virtual device network.
Then you could enable IP forwarding on the router to transfer packets between the networks. This setup would work as long as machines on the main internal network use the router’s main internal network IP address as their gateway, and you configured Virtual Devices Gateway under Virtual Device Static Networking Information in Corellium to be the router’s Corellium virtual device network IP address. Again, Corellium does not provide the router/gateway required to connect the virtual device network to your main network in static IP mode, nor can Corellium configure it for you.
We recommend setting aside a /16 space for all of Corellium’s virtual devices and configuring your router to be able to route packets between that network and your main network. For example, you could set up Corellium’s Virtual Devices IP address to be 10.11.2.0 and the netmask to be 255.255.0.0. The first project will take up the range 10.11.2.0 -> 10.11.3.255. You could then put your router at 10.11.0.1 and the Corellium control network in the 10.11.0.2 -> 10.11.1.255 range.
If you will have multiple installations of Corellium, they may not share the same virtual device IP range. In this case, each installation of Corellium must have its own range (though they may be on the same network).
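The static IP rules above (one /23 per project, an even third octet, contiguous allocation from the configured start, a reserved last address, separate ranges per installation) can be checked before installation with a short planning script. This is an added example, not Corellium code; the function names are hypothetical, the "last IP address" is read as the highest address in the network, and the check that the gateway sits outside project ranges is an added sanity check rather than a documented rule.

```python
import ipaddress

PROJECT_SIZE = 512  # one /23 per project, as the guide describes


def plan_projects(start, netmask, count, gateway=None):
    """Return the /23 of each project, allocated contiguously from start."""
    first = ipaddress.IPv4Address(start)
    vnet = ipaddress.IPv4Network(f"{start}/{netmask}", strict=False)
    if int(first) % PROJECT_SIZE:
        raise ValueError(f"{start}: third octet must be even, last octet 0")
    ranges = []
    for i in range(count):
        net = ipaddress.IPv4Network((int(first) + i * PROJECT_SIZE, 23))
        if not net.subnet_of(vnet):
            raise ValueError(f"project {i + 1} ({net}) does not fit in {vnet}")
        ranges.append(net)
    if gateway is not None:
        gw = ipaddress.IPv4Address(gateway)
        if gw not in vnet:
            raise ValueError(f"gateway {gw} is outside {vnet}")
        # Assumption: the reserved "last IP" is the highest address in vnet.
        if gw == vnet[-1]:
            raise ValueError(f"gateway {gw} is the reserved last address")
        # Added sanity check: project ranges are handed out to devices.
        if any(gw in net for net in ranges):
            raise ValueError(f"gateway {gw} falls inside a project range")
    return ranges


def capacity(start, netmask):
    """Number of whole /23 projects between start and the end of the network."""
    vnet = ipaddress.IPv4Network(f"{start}/{netmask}", strict=False)
    return (int(vnet[-1]) - int(ipaddress.IPv4Address(start)) + 1) // PROJECT_SIZE


def first_device_ips(project):
    """Wi-Fi and services IP of the first device: .1 in each half of the /23."""
    return str(project[1]), str(project[257])


def installations_overlap(a, b):
    """True if two installations' project ranges share any address."""
    return any(x.overlaps(y) for x in a for y in b)


if __name__ == "__main__":
    # The guide's own example values: start 10.11.2.0, netmask 255.255.0.0.
    plan = plan_projects("10.11.2.0", "255.255.0.0", 3, gateway="10.11.0.1")
    for n, net in enumerate(plan, 1):
        print(n, f"{net[0]} -> {net[-1]}", first_device_ips(net))
    print("projects that fit:", capacity("10.11.2.0", "255.255.0.0"))
```
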
Corellium is shipped configured to use a specific static IP address and netmask. In case the configured static IP address conflicts with your institution’s network, we advise you to complete the setup with Corellium machines not initially connected to your institution’s network. Corellium servers require the use of static IP addresses. Corellium servers cannot operate with DHCP. The Controller Node will output a setup URL on serial console as it boots up, so it is advisable to have serial console connected when booting the Controller Node for the first time.
Going to the URL provided will allow you to provide the configuration settings Corellium needs to set itself up. Even after Corellium is set up, on future reboots of the Controller node, the setup URL will be printed on the serial console, and may still be used to change configuration settings and rerun setup. It is also possible to entirely reset Corellium using this interface if something goes wrong. After initial setup, however, the setup interface will require the administrator’s username and password (which is configured during initial setup).
During reconfiguration, because the authentication server itself needs to be brought down and set up again, the progress indicator may not be accurate. Setup will be complete when the controller node reboots.
We will provide you shell login and passwords to the root accounts of all the machines we send you, though we recommend not modifying the software configuration manually. SSH access via password authentication is enabled on all the machines.
If you have a Multi-Node setup, the Corellium controller node uses SSH password authentication to connect to the other nodes in order to update and set up the configuration on each of them. The correct password to the root accounts of each node other than the controller node must be provided during updates and (re)configurations.
First up, here's what's included with your Ampere Altra Single-Node Server:
Note: servers can take 3-5 minutes to boot.
Obtain your Laptop IP Address, Netmask and Controller IP Address from the Initial Networking Configuration and Passwords document. Configure the laptop with the following networking information:
In a command line on the laptop, enter:
ping [Controller IP Address]
Wait until the server starts responding, then use the web browser on the laptop to go to: https://[Controller IP Address]:8088/. Then, do the following:
You may have to refresh the page from time to time to get updated progress information. Because you may have changed the servers’ networking information, the server may become unreachable during the process unless you also change your laptop’s networking information. In any case, the installation will proceed without the web browser being connected.
Wait for the process to finish and the servers to all reboot.
If you move the service IP, you have to delete the project and recreate it. IP ranges are assigned to projects when they’re created.
Corellium will provide updates to you via the Control Panel. The URL and login details can be found in your Initial Networking Configuration and Passwords document.
To install an update, download the update package file from the Control Panel.
We have some fantastic related guides available on getting the most out of your Corellium deployment, such as how to upload custom IPSWs. We also have a Support Center covering topics such as how to manage your devices, projects and teams. If you're stuck on something, check out our Troubleshooting and FAQs.