Secure Communication between GigaVUE Fabric Components

The Secure Communication feature in GigaVUE-FM uses mutual TLS (mTLS) authentication to improve network security. It ensures all GigaVUE Fabric Components communicate over encrypted, verified connections using certificates issued by a Certificate Authority (CA), without relying on static credentials.

How it Works!

In this setup:

  • GigaVUE-FM establishes an mTLS connection and checks for GigaVUE V Series Proxy availability.

  • If GigaVUE V Series Proxy is unavailable, it directly connects to the GigaVUE V Series Node through mTLS.

  • If a GigaVUE V Series Proxy is available, GigaVUE-FM first connects to the GigaVUE V Series Proxy over mTLS, and the Proxy in turn establishes an mTLS connection with the GigaVUE V Series Node.

  • GigaVUE-FM also initiates an mTLS connection to the UCT-V Controller, and the Controller in turn establishes an mTLS connection with UCT-V.

This structured flow ensures secure communication using mTLS-based authentication across all the fabric components.


GigaVUE-FM acts as the PKI

GigaVUE-FM manages all certificates for fabric components. It acts as a private PKI and uses Step-CA with the ACME protocol to issue and renew certificates. This automated process reduces the need for manual certificate handling and avoids external dependencies.

Bring Your Own CA

If your organization already uses a corporate CA, you can import those certificates into GigaVUE-FM. This allows your existing PKI infrastructure to work with Gigamon’s secure communication system.

For more details on how to integrate your PKI infrastructure with GigaVUE-FM, refer to Integrate Private CA.

  • The active GigaVUE-FM instance shares intermediate CA files with all standby nodes.

  • Only the active instance handles certificate requests. In case of a failover, a standby node takes over.

  • The root and intermediate CAs are copied to all nodes to ensure continuity.

  • If an instance is removed, it generates a new self-signed CA on restart.

Supported Platforms

  • AWS
  • Azure
  • OpenStack
  • Nutanix
  • Third Party Orchestration
  • VMware ESXi
  • VMware NSX-T

Supported Components

  • GigaVUE V Series Node
  • GigaVUE V Series Proxy
  • UCT-V
  • UCT-V Controller

Rules and Notes

  • If a public IP is revoked on a public cloud platform, you can issue a new certificate so that the old IP is no longer included in the component's certificate.
  • This feature is optional.
  • Ensure NTP (Network Time Protocol) is running if GigaVUE-FM and the components are on different hosts, so that certificate validity periods are checked against synchronized clocks.
  • Applying a certificate may temporarily cause a component to show as Down, but it will auto-recover.
  • In AWS, disable the Source/Destination Check on network interfaces for GigaVUE V Series Proxy.

    Note: Enabling this check may block traffic if the IP address does not match the associated interface.
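The following Go program is an added example, not Gigamon code: it models the behaviour described on this page with a throwaway root CA standing in for the CA inside GigaVUE-FM, a node certificate bound to its IP address, and a node that requires a client certificate chaining to that CA. The names (fabric-root-ca, vseries-node, gigavue-fm) and the address 198.51.100.5 are constructed for the example; the function nodeAcceptsFM is assumed, not a GigaVUE API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue signs a certificate for cn with parent, or a self-signed CA when parent is nil; ips become IP SANs.
func issue(cn string, ips []net.IP, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IPAddresses: ips,
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil { // root CA: may sign certificates and signs itself (constructed stand-in for FM's CA)
		t.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: t, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// nodeAcceptsFM gives the node a cert (from ca) bound to nodeIP and makes it require a client cert chaining to
// ca; FM then connects over loopback expecting expectIP with clientCerts (none models an unauthenticated peer).
// The server's verdict is returned too, because a TLS 1.3 client finishes before the server has checked its cert.
func nodeAcceptsFM(ca *tls.Certificate, nodeIP, expectIP string, clientCerts ...tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	node := issue("vseries-node", []net.IP{net.ParseIP(nodeIP)}, ca)
	srv := &tls.Config{Certificates: []tls.Certificate{node}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		c, _ := ln.Accept()
		defer c.Close()
		done <- tls.Server(c, srv).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: clientCerts, RootCAs: pool, ServerName: expectIP})
	if sErr := <-done; err == nil {
		conn.Close()
		err = sErr
	}
	return err
}
```

A handshake succeeds only when both sides present certificates from the same CA and the node's certificate still carries the address FM expects; a peer with no certificate, a certificate from a foreign CA, or a stale IP binding (the reissue case in the notes above) is rejected.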