OX Broker

OX Broker is a lightweight service deployed in your environment that enables OX Security to securely access and scan your internal resources without requiring any inbound firewall rules or network exposure.

Rather than opening ports to OX Security, OX Broker Client initiates a single outbound HTTPS connection from your environment to the OX Broker Server. OX Security then routes all requests through that established connection, ensuring that your internal resources remain fully isolated from the public internet while still being accessible to the OX platform.

Architecture

  1. The broker client initiates an outbound-only HTTPS connection to the OX Broker Server; no inbound firewall rules are required.

  2. OX Security routes requests back through the reverse tunnel to the broker client.

  3. The broker client forwards the authenticated request to the target internal connector.

Supported Connectors

  • GitLab

  • GitHub

  • Azure TFS

  • Harbor

  • GitLab Container Registry

  • JFrog Artifactory

  • Bitbucket Data Center or Server

  • Jira

Prerequisites

Before you begin, contact an OX Security Customer Success representative for feature enablement.

OX Broker can be installed using Docker Compose on a Linux host or using a Helm chart on a Kubernetes cluster.

Ensure your environment meets the following requirements for your chosen method.

Linux host or Kubernetes node:

Requirement Type | Details
Operating System | Ubuntu 22.04 or later, RHEL 9 or later
Hardware | Minimum: 4 GB RAM, 2 CPU cores, 10 GB of available disk space

Network Requirements

  • Connectivity to your internal connectors from the host/node.

  • Outgoing traffic on port 443 to the address provided by OX.

  • Outgoing traffic to Docker Hub for pulling container images.

  • Share the public IP address of the host/node with OX.

Proxy: If your traffic is routed through a proxy, ensure port 443 HTTPS is allowed for outbound communication to the OX environment. Share the proxy IP address with OX Security.
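
The hardware, software and outbound-connectivity requirements above can be spot-checked on the host before installation. The script below is an added example, not the OX readiness script or any OX Security code; its thresholds, the use of / for the disk check, and the Docker Hub registry host name registry-1.docker.io are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example: spot-check of the host requirements listed above.
# Not the OX readiness script; thresholds below are this example's assumptions.

MIN_RAM_MB=3600    # "4 GB RAM": MemTotal excludes kernel/firmware reservations
MIN_CPUS=2         # "2 CPU cores"
MIN_DISK_MB=10240  # "10 GB of available disk space", checked on / (assumption)

# Print MemTotal in MiB from /proc/meminfo-formatted text on stdin.
mem_total_mb() { awk '/^MemTotal:/ { print int($2 / 1024) }'; }

# Succeed when the measured value ($1) is at least the required value ($2).
meets_min() { [ "$1" -ge "$2" ]; }

# Succeed when a direct outbound TCP connection to host $1 port $2 opens in 5 s.
# Host and port are passed as arguments, never spliced into the command string.
tcp_reachable() {
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

has_compose_v2() { docker compose version >/dev/null 2>&1; }

# Run a check ($2...) and print PASS/FAIL with its label ($1).
report() {
  local label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; return 1; fi
}

# $1 = broker server address supplied by OX Security (hostname only).
preflight() {
  local broker=$1 failed=0 ram cpus disk
  ram=$(mem_total_mb < /proc/meminfo)
  cpus=$(nproc)
  disk=$(df -Pk / | awk 'NR == 2 { print int($4 / 1024) }')
  report "RAM: ${ram} MiB"             meets_min "$ram" "$MIN_RAM_MB"   || failed=1
  report "CPU cores: ${cpus}"          meets_min "$cpus" "$MIN_CPUS"    || failed=1
  report "Free disk on /: ${disk} MiB" meets_min "$disk" "$MIN_DISK_MB" || failed=1
  report "Docker Compose V2"           has_compose_v2                   || failed=1
  report "Outbound 443 to ${broker}"   tcp_reachable "$broker" 443      || failed=1
  report "Outbound 443 to Docker Hub"  tcp_reachable registry-1.docker.io 443 || failed=1
  return "$failed"
}

# Runs only when a broker address is given: ./preflight.sh <broker-address>
if [ $# -gt 0 ]; then preflight "$1"; fi
```

The two outbound checks test direct connections only, so on a host that reaches OX through a proxy they report FAIL even when the proxied path works.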

Docker Compose requirements

Requirement Type | Details
Software | Docker Engine and Docker Compose V2
Access | Root access or sudo available

To verify your machine is configured correctly, download and run the readiness script:

Helm requirements

Requirement Type | Details
Kubernetes | Access to a Kubernetes cluster
Software | Helm version 3 or later, kubectl configured for the target cluster

Installing OX Broker

Choose the method that matches your deployment environment and follow the relevant installation procedure:

Install OX Broker Using Docker Compose

To install OX Broker using Docker Compose:

  1. Download the installation script.

  2. Run the script as root, providing the OX Broker server address supplied by OX Security.

  3. If your environment routes traffic through a corporate proxy, add the --proxy flag. The script generates an SSH key pair and credentials, and displays them on screen.

  4. Send the public key to OX Security support and save the credentials in a safe location.

  5. Once OX Security confirms the key has been registered, press p to proceed. The script starts the OX Broker services automatically.

Install OX Broker Using Helm

This installation method deploys OX Broker into a Kubernetes cluster using a Helm chart.

To install OX Broker using Helm:

  1. Add the OX Security Helm repository and update it.

  2. Verify the chart is available.

  3. Generate authentication keys locally.

  4. Send the public key (oxbroker-key.pub) to OX Security and wait for confirmation and the assigned OX Broker server address.

  5. Create a Kubernetes namespace and secret containing the authentication keys.

  6. Install the Helm chart using the broker server address provided by OX Security.

To configure proxy settings, add the following:

Note: <PROXY_HOST> must be the FQDN only, for example, proxy.company.com. Do not include the protocol or port.

Verifying OX Broker

To confirm that OX Broker is running:

  • For Docker Compose installations:

  • For Helm installations:

Configuring OX Broker

After installation completes, follow these steps for either installation method:

  1. Log in to the OX Security portal.

  2. Go to the relevant connector.

  3. Select Broker as the connection method.

Provide the following details:

Field | Details
Internal resource URL | Provide the connector URL
Token | Add your connector token
User | The user that was generated by the OX script
Password | The password that was generated by the OX script
Bypass SSL Verification (not recommended) | Enable this option if your environment lacks a proper certificate or uses a self-signed certificate

Upgrading OX Broker Using Helm

To upgrade OX Broker using Helm:

  1. Update the OX Security Helm repository.

  2. Upgrade the deployment.

  3. (Optional) Upgrade to a specific version.

  4. Verify the pods are running.

Uninstall OX Broker

Docker Compose

Helm
