Post Installation Configurations
Refer to the following sections for details:
- Install Custom Certificate
- Install Rabbit MQ Certificate
- Communication between GigaVUE-FM Load Balancer and Web Server
Install Custom Certificate
To install a third-party certificate on GigaVUE‑FM, refer to the following sections:
Pre-requisites
Refer to the following pre-requisites:
- Take a backup of the default system self-signed certificate and key contents before replacing them with the third-party certificate and key. The files are available in the following locations:
  - localhost.crt: /etc/pki/tls/certs/localhost.crt
  - localhost.key: /etc/pki/tls/private/localhost.key
- When replacing the certificate and key files, adhere to the following naming convention:
  - For the certificate: localhost.crt
  - For the certificate key: localhost.key
- When you copy the contents of the certificate file, do not delete the EOL characters at the end of each line.
- In the case of a chain of certificates, bundle the server, intermediate, and root certificates into a single certificate file before replacing localhost.crt.
- For a chain of certificates, add the SSLCertificateChainFile directive to /etc/httpd/conf.d/ssl.conf (for example, open it with sudo vim /etc/httpd/conf.d/ssl.conf) by adding the following line: SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt
Steps
Generate the certificate and a private key file in PEM format. Use the following command on Linux or a Linux app (such as Cygwin) to generate the files:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.pem -out certificate.pem
Copy the contents of the certificate file.
To install the certificates:
1. Log in to the GigaVUE‑FM CLI.
2. Execute the following steps from the shell prompt as a root user (sudo):
   - Replace SSLCertificateFile: /etc/pki/tls/certs/localhost.crt
   - Replace SSLCertificateKeyFile: /etc/pki/tls/private/localhost.key
   - Provide access to the certificate: chmod 644
   - Provide access to the key: chmod 600
   - Configure the GigaVUE‑FM load balancer functionality:
     cat /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key > /etc/pki/tls/certs/localhost.pem
     systemctl reload haproxy.service
   - Restart Apache as root: systemctl restart httpd.service
   - After restarting, ensure Tomcat is up and running: sudo systemctl status tomcat@cms.service
The system will now start using the newly installed certificate.
GigaVUE‑FM uses a public key (cms.p12 file) to encrypt the Security Assertion Markup Language (SAML) messages. You can either use the default public key available in GigaVUE‑FM or generate a new public key using the following command:
sudo openssl pkcs12 -export -name CMS -out /etc/gigamon/cms.p12 -inkey /etc/pki/tls/private/localhost.key -in /etc/pki/tls/certs/localhost.crt -passout pass:cms123
You will be prompted for a pass phrase for the localhost.crt.
After the public key (cms.p12 file) is generated, place the file in the /etc/gigamon directory and change its access rights with chmod 644.
Install Rabbit MQ Certificate
To update the Rabbit MQ certificate, generate the certificate and a private key file in PEM format. Use the following command on Linux or a Linux app (such as Cygwin) to generate the files:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.pem -out certificate.pem
Copy the contents of the certificate file.
To update the RabbitMQ files:
- Log in to the GigaVUE-FM CLI.
- Execute the following steps from the shell prompt as a root user (sudo):
  - Replace the existing certificate, /var/lib/gigamon/rabbitmq/server/cert.pem. Example:
    cp certificate.pem /var/lib/gigamon/rabbitmq/server/cert.pem
  - Replace the existing private key, /var/lib/gigamon/rabbitmq/server/key.pem. Example:
    cp privatekey.pem /var/lib/gigamon/rabbitmq/server/key.pem
  - Provide access to the certificate and key: chmod 644
Note: It is not required to reload the RMQ service.
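Both replacement procedures above (the httpd pair localhost.crt/localhost.key and the RabbitMQ pair cert.pem/key.pem) copy a certificate and a private key into place by hand; a pair that does not belong together is only discovered when httpd fails to restart. The following added example, which is not part of the GigaVUE-FM documentation, checks that the certificate and key match before installing them with the file modes the procedures call for. Destination paths and the demo CN are parameters or constructed values, so the demo writes into a temporary directory rather than /etc.

```shell
#!/bin/sh
# Added example (not from the GigaVUE-FM docs): pre-flight check that a new
# certificate and private key belong together, then install them with the
# requested modes. Destination paths are parameters; the demo uses a temp dir.
set -e

# Return 0 if the public key inside CERT ($1) equals the public key derived
# from the private key KEY ($2); both are compared as SubjectPublicKeyInfo PEM.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Copy CERT and KEY to DEST_CERT / DEST_KEY with the given modes (644 and 600
# for the httpd pair, 644 and 644 for the RabbitMQ pair as the procedure
# states). Refuses to touch the destination when the pair does not match.
install_cert_pair() {
    cert="$1"; key="$2"; dest_cert="$3"; dest_key="$4"; cert_mode="$5"; key_mode="$6"
    if ! cert_matches_key "$cert" "$key"; then
        echo "refusing to install: $cert does not match $key" >&2
        return 1
    fi
    cp "$cert" "$dest_cert" && chmod "$cert_mode" "$dest_cert"
    cp "$key" "$dest_key" && chmod "$key_mode" "$dest_key"
}

# Demo: generate a throwaway pair with the same openssl command as the
# procedure (made non-interactive with -subj; the CN is a constructed value)
# and install it as the httpd pair under a temporary directory.
demo_dir=$(mktemp -d)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=gigavue-fm.example" \
    -keyout "$demo_dir/privatekey.pem" -out "$demo_dir/certificate.pem" 2>/dev/null
install_cert_pair "$demo_dir/certificate.pem" "$demo_dir/privatekey.pem" \
    "$demo_dir/localhost.crt" "$demo_dir/localhost.key" 644 600
echo "installed into $demo_dir:"
ls -l "$demo_dir"
```

Point the destination arguments at /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key (or the RabbitMQ paths) when running it as root on the appliance; the check itself needs only openssl.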
Communication between GigaVUE-FM Load Balancer and Web Server
After GigaVUE-FM is installed, communication is established between the GigaVUE-FM Load Balancer (HA-proxy service) and the Apache web server. By default, the Load Balancer uses the IPv6 loopback address to communicate with the web server on the local host. If IPv6 (global, link-local, loopback) is disabled on all network interfaces, the GigaVUE-FM GUI may not be accessible. Use the following command to make the GigaVUE-FM GUI accessible:
curl -XPOST "http://localhost:4466/fmcs/configureLoadBalancer?pretty" -H "Content-Type: application/json" -d '{"enable_ipv6" : "false"}'
Because no IPv6 address is present on the system, the web server cannot listen for or accept any communication on an IPv6 address and therefore rejects the request.
This behavior is observed only in GigaVUE-FM software version 5.13.00; it may be noticed after installation or upgrade of GigaVUE-FM, and also at any time while GigaVUE-FM is up and running.
Refer to the following notes:
To change from the IPv6 to the IPv4 loopback address, use the following command:
curl -XPOST "http://localhost:4466/fmcs/configureLoadBalancer?pretty" -H "Content-Type: application/json" -d '{"enable_ipv6" : "false"}'
To change from the IPv4 to the IPv6 loopback address, use the following command:
curl -XPOST "http://localhost:4466/fmcs/configureLoadBalancer?pretty" -H "Content-Type: application/json" -d '{"enable_ipv6" : "true"}'
For software version 5.13.01 and higher