4.2 Installing Access Gateway Appliance

Access Gateway Appliance is a virtual appliance that is packaged in an OVF format. This makes the deployment of Access Gateway easy and fast.

The OVF is preconfigured with the following hardware:

  • 4 GB RAM

  • Dual CPU or Core

  • A static IP address for your Access Gateway server and an assigned DNS name (host name and domain name).

  • 100 GB hard disk

    8 GB is reserved for swap.

    You can modify the RAM and CPU based on your requirement.

    Linux allows four primary partitions per hard disk. Access Gateway Appliance uses the following partitions:

    Table 4-2 Access Gateway Appliance Partitions

    Partition Type    Requirements

    root              This partition is 40% of available disk space. It contains the boot files, system files, and log files. This space should be more than 40 GB.

    swap              This partition is twice the size of RAM installed on the machine.

    var               The remaining space is allocated for this partition, which should be more than 50 GB. This partition is used for log files and caching objects of Access Gateway.

    NOTE: If the production environment requires more space for logging the data, you must provide additional disk space before configuring Access Gateway Appliance. You cannot add the hard disk space after configuring Access Gateway Appliance. For information about using the additional hard disk, see Using Additional Hard Disk.
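Because disk space cannot be added once the appliance is configured, the disk size has to be decided before the OVF is deployed. The following Python script is an added example, not part of this documentation or of the product: it applies the layout rules from Table 4-2 (root 40% of the disk, swap twice the RAM, var the remainder) to a chosen disk and RAM size, reports whether the root and var minimums still hold, and derives the smallest disk that satisfies both once swap grows with RAM. The function names are this example's own.

```python
# Added example (not part of the Access Gateway Appliance documentation):
# applies the layout rules from Table 4-2 to a disk and RAM size chosen before
# deployment, since disk space cannot be added once the appliance is configured.
# The minimums are treated as "at least", because the shipped 100 GB disk
# yields exactly 40 GB for root.

ROOT_FRACTION = 0.40      # root is 40% of the available disk
ROOT_MIN_GB = 40          # root should be more than 40 GB
VAR_MIN_GB = 50           # var should be more than 50 GB
SWAP_RAM_MULTIPLIER = 2   # swap is twice the installed RAM


def plan_partitions(disk_gb, ram_gb):
    """Sizes in GB that the documented rules produce for root, swap and var."""
    root_gb = round(disk_gb * ROOT_FRACTION, 2)
    swap_gb = ram_gb * SWAP_RAM_MULTIPLIER
    var_gb = round(disk_gb - root_gb - swap_gb, 2)
    return {"root": root_gb, "swap": swap_gb, "var": var_gb}


def check_layout(disk_gb, ram_gb):
    """Problems with the resulting layout; an empty list means both minimums are met."""
    layout = plan_partitions(disk_gb, ram_gb)
    problems = []
    if layout["root"] < ROOT_MIN_GB:
        problems.append(f"root would be {layout['root']} GB, below the {ROOT_MIN_GB} GB minimum")
    if layout["var"] < VAR_MIN_GB:
        problems.append(f"var would be {layout['var']} GB, below the {VAR_MIN_GB} GB minimum")
    return problems


def minimum_disk_gb(ram_gb):
    """Smallest disk that satisfies both minimums once swap grows with RAM.

    var  = disk - 0.4*disk - 2*ram = 0.6*disk - 2*ram >= VAR_MIN  -> disk >= (VAR_MIN + 2*ram) / 0.6
    root = 0.4*disk                                   >= ROOT_MIN -> disk >= ROOT_MIN / 0.4
    """
    for_var = (VAR_MIN_GB + ram_gb * SWAP_RAM_MULTIPLIER) / (1 - ROOT_FRACTION)
    for_root = ROOT_MIN_GB / ROOT_FRACTION
    return round(max(for_var, for_root), 2)


if __name__ == "__main__":
    for disk, ram in ((100, 4), (100, 8)):
        print(disk, "GB disk,", ram, "GB RAM:", plan_partitions(disk, ram), check_layout(disk, ram) or "ok")
    print("minimum disk for 8 GB RAM:", minimum_disk_gb(8), "GB")
```

The second case is the one worth knowing before you raise the RAM from the preconfigured 4 GB: with 8 GB RAM and the shipped 100 GB disk, swap takes 16 GB and var drops to 44 GB, under the 50 GB minimum, so the disk has to be at least 110 GB.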

4.2.1 Prerequisites for Installing Access Gateway Appliance

For information about network requirements, see Section 1.3, Network Requirements.

4.2.2 Installing Access Gateway Appliance

Installation time: 15 to 30 minutes, depending upon the hardware.

What you need to know

  • Username and password of the administrator

  • IP address of Administration Console

  • Static IP address for Access Gateway

  • DNS name (host and domain name) for Access Gateway that resolves to the IP address

  • Subnet mask that corresponds to the IP address for Access Gateway

  • IP address of your network’s default gateway

  • IP addresses of the DNS servers on your network

  • IP address or DNS name of an NTP server

IMPORTANT: After Access Gateway Appliance installation, upgrade the Linux kernel to the latest security patch to avoid any security vulnerabilities.

Perform the following steps to install Access Gateway Appliance:

  1. Deploy the Access Gateway Appliance OVF template to your enterprise virtual environment.

    For more information, see Deploy an OVF Template in the vSphere Virtual Machine Administration Documentation.

  2. Select the desired language, review the license agreement, then click Accept.

  3. Specify the following details on the Appliance Passwords and Time Zone page:

    root Password: Specify the password for root.

    NTP Server: Specify the names of the primary and secondary NTP servers.

    Region and Time Zone: Select a region and time zone.

  4. Specify the hostname for the Access Gateway Appliance server and click Next.

  5. Specify the following network setting details:

    IP Address: The IP address of Access Gateway.

    Network Mask: The subnet mask of the Access Gateway Appliance network.

    Gateway: The IP address of the default gateway.

    DNS Server: The IP address of your DNS server. You must configure at least one DNS server. Optionally, specify the IP address of an additional DNS server if you have configured one.

    Domain Search: Specify the domain name.

  6. Click Next.

  7. Continue with Configuring Access Gateway Appliance.

    To add a new hard disk to the virtual machine, see Add a New Hard Disk to a Virtual Machine in the vSphere Virtual Machine Administration Documentation.
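The values gathered under "What you need to know" are typed into the network settings page once, and a mismatched mask or gateway leaves the appliance unreachable. The following Python script is an added example, not part of this documentation or of the product: it checks that the static IP address, network mask, default gateway, DNS servers, host name and domain search value are mutually consistent before they are entered, and includes a separate live check that the DNS name resolves to the static IP. All addresses and names in it (192.0.2.x, ag1.example.com) are constructed samples, and the function names are this example's own.

```python
# Added example (not part of the Access Gateway Appliance documentation):
# validates the values from "What you need to know" for consistency before
# they are typed into the installer's network settings page. The addresses
# and names below are constructed samples.
import ipaddress
import re
import socket

# Keys follow the installer's field names; values are constructed samples.
SAMPLE_SETTINGS = {
    "hostname": "ag1.example.com",
    "ip_address": "192.0.2.10",
    "network_mask": "255.255.255.0",
    "gateway": "192.0.2.1",
    "dns_servers": ["192.0.2.53", "192.0.2.54"],
    "domain_search": "example.com",
}

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """True if name is a host name plus domain name made of valid DNS labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def validate_network_settings(settings):
    """Return a list of problems with the installer inputs; an empty list means
    the address, mask, gateway, DNS servers and names are mutually consistent."""
    problems = []
    if not is_fqdn(settings["hostname"]):
        problems.append("hostname must be a host name plus domain name")
    try:
        iface = ipaddress.IPv4Interface(f"{settings['ip_address']}/{settings['network_mask']}")
    except ValueError as exc:
        # Without a usable address/mask pair the remaining checks are meaningless.
        return problems + [f"IP address or network mask is invalid: {exc}"]
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    try:
        gateway = ipaddress.IPv4Address(settings["gateway"])
    except ValueError as exc:
        problems.append(f"gateway is invalid: {exc}")
    else:
        if gateway not in net:
            problems.append(f"gateway {gateway} is not inside {net}")
        elif gateway == iface.ip:
            problems.append("gateway must not be the appliance's own address")
    if not settings["dns_servers"]:
        problems.append("at least one DNS server is required")
    for server in settings["dns_servers"]:
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"DNS server {server!r} is not a valid IPv4 address")
    domain = settings["domain_search"]
    if not is_fqdn(domain):
        problems.append("domain search must be a domain name")
    elif not settings["hostname"].endswith("." + domain):
        problems.append(f"hostname is not within the domain search name {domain}")
    return problems


def dns_name_resolves_to(hostname, ip_address):
    """Live check (needs a resolver): True if the DNS name resolves to the static IP."""
    try:
        answers = {entry[4][0] for entry in socket.getaddrinfo(hostname, None, socket.AF_INET)}
    except socket.gaierror:
        return False
    return ip_address in answers


if __name__ == "__main__":
    print(validate_network_settings(SAMPLE_SETTINGS) or "network settings are consistent")
```

Run it against your own values by replacing the entries in SAMPLE_SETTINGS; the live DNS check is kept separate from the offline validation so that the consistency checks can run on a workstation that does not yet see the new DNS record.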

4.2.3 Configuring Access Gateway Appliance

Access Gateway Appliance is bundled with a Configuration console (https://<access_gateway_appliance-IP address>:9443), the Common Appliance Framework (CAF). You can use this console to modify the Access Gateway Appliance configuration.

After installing Access Gateway Appliance, you must configure Access Gateway Appliance using the Configuration console to make it available in Administration Console.

NOTE: If you are reusing the IP address of an existing Access Gateway Appliance that has multiple NIC cards in your cluster setup, ensure that you configure the primary IP addresses for all the interfaces before configuring Access Gateway Appliance.

Also, ensure that you assign the IP addresses to the interfaces in the same order as in the existing Access Gateway Appliance.

Perform the following steps to configure Access Gateway Appliance:

  1. Access the https://<access_gateway_appliance-IP address>:9443 URL to launch the Configuration console.

  2. Log in as a root user.

  3. Click Access Gateway Configuration under Access Gateway Tools.

  4. Specify the Administration Console URL, username, and password.

  5. Click Save.

You can use the following configuration options in the console based on your requirement:

Managing Digital Certificates

You can perform the following actions using the Digital Certificates tab:

  • Add and activate certificates for Access Gateway Appliance.

  • Create your own certificate and then get it signed by a CA.

  • Use an existing certificate and key pair.

IMPORTANT: You can manage the certificates only for the Access Gateway Appliance (port 9443).

Access Gateway Appliance is shipped with a self-signed digital certificate. Instead of this self-signed certificate, it is recommended that you use a server certificate signed by a trusted CA, such as Digicert or Equifax.

To use and activate the digital certificate, perform the following tasks:

Using the Digital Certificate Tool

Creating a New Self-Signed Certificate

  1. Log in to the Configuration console (https://<access_gateway_appliance-IP address>:9443) as the root user.

  2. Click Digital Certificates.

  3. In the Key Store list, select Web Application Certificates.

  4. Click File > New Certificate (Key Pair) and specify the following information:

    1. General

      Alias: Specify a name that you want to use to identify and manage this certificate.

      Validity (days): Specify for how long you want the certificate to remain valid.

    2. Algorithm Details

      Key Algorithm: Select either RSA or DSA.

      Key Size: Select the preferred key size.

      Signature Algorithm: Select the preferred signature algorithm.

    3. Owner Information

      Common Name (CN): Specify the name that exactly matches the server name in the URL for browsers to accept the certificate for SSL communication.

      Organization (O): (Optional) Specify the organization. For example, My Company.

      Organizational Unit (OU): (Optional) Specify the organizational unit as mentioned in the directory, such as a department or division. For example, Purchasing.

      Two-letter Country Code (C): (Optional) Specify the two-letter country code. For example, US.

      State or Province (ST): (Optional) Specify the state or the province name. For example, Utah.

      City or Locality (L): (Optional) Specify the city name. For example, Provo.

  5. Click OK.

    After the certificate is created, it is self-signed.

  6. Make the certificate official. See Getting Your Certificate Officially Signed.

Getting Your Certificate Officially Signed

  1. On the Digital Certificates page, select the certificate that you just created.

  2. Click File > Certificate Requests > Generate CSR.

  3. Complete the process of emailing your digital certificate to a certificate authority (CA), such as Digicert.

    The CA takes your Certificate Signing Request (CSR) and generates an official certificate based on the information in the CSR. The CA then emails the new certificate and certificate chain to you.

  4. After you have received the official certificate and certificate chain from the CA, perform the following actions:

    1. Revisit the Digital Certificates page.

    2. Click File > Import > Trusted Certificate.

    3. Click Browse and select the trusted certificate chain that you received from the CA.

    4. Click OK.

    5. Select the self-signed certificate.

    6. Click File > Certification Request > Import CA Reply.

    7. Click Browse and select the official certificate to be used to update the certificate information.

      On the Digital Certificates page, the name in the Issuer column for your certificate changes to the name of the CA that stamped your certificate.

  5. Continue with activating the certificate, as described in Activating the Certificate.

Using an Existing Certificate and Key Pair

When you use an existing certificate and key pair, use the .P12 key pair format.

  1. Log in to the Configuration console (https://<access_gateway_appliance-IP address>:9443) as the root user.

  2. Click Digital Certificates.

  3. In the Key Store menu, select JVM Certificates.

  4. Click File > Import > Trusted Certificate.

  5. Click Browse and select your existing certificate.

  6. Click OK.

  7. Click File > Import > Trusted Certificate.

  8. Click Browse and select your existing certificate chain for the certificate that you selected in Step 4.

  9. Click OK.

  10. Click File > Import > Key Pair.

  11. Click Browse and select your .P12 key pair file and specify your password if required.

  12. Click OK.

  13. Continue with Activating the Certificate.

Activating the Certificate

  1. On the Digital Certificates page, in the Key Store list, select Web Application Certificates.

  2. Select the certificate that you want to make active and click Set as Active, then click Yes.

  3. Select the certificate and click View Info to verify that the certificate and certificate chains are created appropriately.

  4. Click Close, when you have activated the certificate successfully.

  5. Restart the Jetty service by using the systemctl restart vabase-jetty.service command.
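View Info shows what the key store holds; what matters after the Jetty restart is what port 9443 actually presents to browsers. The following Python script is an added example, not part of this documentation or of the product: probe_console opens a TLS connection to the Configuration console and reports whether the certificate chains to a trusted CA (pass cafile to use your organisation's CA bundle), and assess_certificate inspects a certificate in the dict form ssl.getpeercert() returns, flagging the shipped self-signed certificate (issuer equals subject), a Common Name or subject alternative name that does not cover the appliance's DNS name, and approaching expiry. The host name ag1.example.com, the certificate contents and the reference time are constructed samples.

```python
# Added example (not part of the Access Gateway Appliance documentation):
# after Set as Active and the Jetty restart, fetch the certificate that the
# Configuration console presents on port 9443 and check that it is the CA-signed
# certificate you expect rather than the shipped self-signed one. The host name,
# certificate contents and reference time below are constructed samples.
import socket
import ssl
import time

DAY = 86400
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")  # constructed reference time


def probe_console(host, port=9443, cafile=None):
    """Live check: return (cert_dict, None) if the console's certificate chains to a
    trusted CA and matches host, or (None, reason) if TLS verification fails.
    cafile lets you point at the CA bundle that contains your organisation's CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message


def _dns_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]


def _name_matches(pattern, host):
    """Exact match, or a single-label wildcard such as *.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def assess_certificate(cert, expected_host, now=None, warn_days=30):
    """Return a list of findings for a certificate in ssl.getpeercert() dict form;
    an empty list means CA-signed, covering expected_host, and not close to expiry."""
    now = time.time() if now is None else now
    findings = []
    if cert.get("subject") == cert.get("issuer"):
        findings.append("certificate is self-signed (issuer equals subject)")
    if not any(_name_matches(name, expected_host) for name in _dns_names(cert)):
        findings.append(f"certificate does not cover host name {expected_host}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / DAY
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {days_left:.0f} days")
    return findings


# Constructed samples in the dict layout ssl.getpeercert() returns.
SELF_SIGNED_SAMPLE = {
    "subject": ((("commonName", "ag1.example.com"),),),
    "issuer": ((("commonName", "ag1.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "ag1.example.com"),),
}
CA_SIGNED_SAMPLE = {
    "subject": ((("commonName", "ag1.example.com"),), (("organizationName", "My Company"),)),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "ag1.example.com"), ("DNS", "*.ag.example.com")),
}

if __name__ == "__main__":
    host = "ag1.example.com"  # replace with the appliance's DNS name for a live probe
    cert, reason = probe_console(host)
    if cert is None:
        print(f"{host}:9443 failed TLS verification: {reason}")
    else:
        print(assess_certificate(cert, host) or "certificate looks good")
```

probe_console deliberately keeps verification on: a verification failure is itself the finding, because it means browsers will reject the console with the same error. The offline assess_certificate is what you run on the dict a successful probe returns.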

Setting Administrative Passwords

You can modify passwords and SSH access permissions for an Access Gateway Appliance root administrator in the Administrative Passwords tab. Depending on your password policy requirements, modify passwords periodically or reassign responsibility of the Access Gateway Appliance administration to another person.

NOTE: vaadmin helps in managing virtual-machine-level settings and service configurations that affect an entire service and its interactions with other services.

On the Administrative Passwords page, the vaadmin user can change the vaadmin user password and the root user can change the root password. Perform the following steps to change the password:

Managing the administrative access as the vaadmin user:

  1. Log in to the Configuration console (https://<access_gateway_appliance-IP address>:9443) as the vaadmin user.

  2. Click Administrative Passwords.

  3. Specify a new password for the vaadmin administrator. You must also specify the current vaadmin password.

  4. Click OK.

Managing the administrative access as the root user:

  1. Log in to the Configuration console (https://<access_gateway_appliance-IP address>:9443) as the root user.

  2. Click Administrative Passwords.

  3. Specify a new password for the root administrator. You must also specify the current root password.

  4. (Optional) Select or deselect Allow root access to SSH.

  5. Click OK.
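Whether root can reach the appliance over SSH is worth verifying on the system itself rather than trusting the check box alone. The following Python script is an added example, not part of this documentation or of the product; it assumes that Allow root access to SSH is reflected in the appliance's sshd configuration as the OpenSSH PermitRootLogin keyword, which is an assumption and not something this page states. It reports the value sshd would actually apply, honouring two rules that make a visual check unreliable: sshd uses the first occurrence of a keyword and ignores later ones, and a setting inside a Match block applies only to connections that satisfy the match criteria. The configuration text is a constructed sample.

```python
# Added example (not part of the Access Gateway Appliance documentation):
# audits an sshd configuration for the setting behind "Allow root access to SSH".
# Assumption: the console check box is reflected in the appliance's sshd_config
# as PermitRootLogin; the file contents below are a constructed sample.

SSHD_DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"  # OpenSSH default when the keyword is absent

# Constructed sample: a commented-out line, a duplicated global setting, and a
# Match block, all of which are easy to misread when checking by eye.
SAMPLE_SSHD_CONFIG = """\
# PermitRootLogin yes
Port 22
PermitRootLogin no
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""


def effective_permit_root_login(config_text):
    """Return (global_value, conditional) for PermitRootLogin.

    global_value is the first uncommented occurrence before any Match block,
    because sshd applies the first occurrence of a keyword and ignores later
    ones; conditional lists (match_criteria, value) pairs from Match blocks,
    which apply only to connections matching those criteria.
    """
    global_value = None
    conditional = []
    current_match = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" or "Keyword=value"; keywords are case-insensitive.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current_match = value
        elif keyword == "permitrootlogin":
            if current_match is not None:
                conditional.append((current_match, value.lower()))
            elif global_value is None:
                global_value = value.lower()
    return global_value or SSHD_DEFAULT_PERMIT_ROOT_LOGIN, conditional


def root_ssh_login_possible(config_text):
    """True if root could log in over SSH under any effective setting.

    Only "no" closes the door: the default "prohibit-password" still allows
    key-based root logins, and a Match block can re-enable root for a subset of
    clients even when the global value is "no".
    """
    global_value, conditional = effective_permit_root_login(config_text)
    return any(value != "no" for value in [global_value] + [v for _, v in conditional])


if __name__ == "__main__":
    import sys
    # Audit a real file with: python3 this_script.py /etc/ssh/sshd_config
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSHD_CONFIG
    print(effective_permit_root_login(text), "root login possible:", root_ssh_login_possible(text))
```

On the constructed sample the global value is "no" (the later "yes" is ignored), yet root login is still possible from 10.0.0.0/8 through the Match block, which is exactly the case a quick grep for "PermitRootLogin no" would miss.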

Performing an Online Update

See Section 4.2, Installing Access Gateway Appliance.

Using Additional Hard Disk

By default, the var directory is in the boot partition. If the logs fill the space of the var directory, Access Gateway Appliance can stop working. Therefore, you can add a hard disk for the var directory.

You can use the additional hard disk that you added before configuring Access Gateway. To use the additional hard disk, perform the following steps:

  1. Log in to the Configuration console (https://<access_gateway_appliance-IP address>:9443), then click /var Mount Configuration.

  2. Select the appropriate hard disk and the file system type.

  3. Click Save.

  4. Reboot the Access Gateway Appliance.

Rebooting or Shutting Down the Appliance

You might need to shut down or restart Access Gateway Appliance for maintenance. It is recommended to use the console options instead of the Power Off/On option in the hypervisor's VM management tool.

  1. Log in to the Configuration console (https://<access_gateway_appliance-IP address>:9443) as the root user.

  2. In the upper right corner of the Appliance Configuration pane, click Reboot or click Shutdown.