Post Installation Configurations
This section describes the tasks that must be performed after GigaVUE-FM is installed. Refer to the instructions in this chapter if you wish to install a custom certificate or a Rabbit MQ certificate.
- How to install custom certificates instead of the default self-signed certificates loaded in GigaVUE-FM: Install Custom Certificate
- How to install the Rabbit MQ certificate: Install Rabbit MQ Certificate
- How to establish communication between the load balancer and the web server: Post Installation Configurations
Install Custom Certificate
To install a third-party certificate on GigaVUE‑FM, refer to the following sections:
Pre-requisites
Refer to the following pre-requisites:
- Take a backup of the default system self-signed certificate and key before replacing them with the third-party certificate and key. The files are available in the following locations:
  - localhost.crt: /etc/pki/tls/certs/localhost.crt
  - localhost.key: /etc/pki/tls/private/localhost.key
- When replacing the certificate and key files, adhere to the following naming convention:
  - For Certificate: localhost.crt
  - For Certificate Key: localhost.key
- If the private key is encrypted, you must decrypt it before replacing the localhost.key file. You can use the following openssl command to decrypt the private key:
  openssl rsa -in [original.key] -out [new.key]
- When you copy the contents of the certificate file, do not delete the EOL characters at the end of each line. If there is no EOL character at the end of the certificate file, insert one.
- In case of a chain of certificates, bundle the server, intermediate, and root certificates into a single certificate file before replacing localhost.crt. You must bundle the certificates in the following order, without any space between them:
  - Server certificate (at the top)
  - Intermediate certificates
  - Root certificate (at the bottom)
- For a chain of certificates, add the SSLCertificateChainFile directive to /etc/httpd/conf.d/ssl.conf (sudo vim /etc/httpd/conf.d/ssl.conf). Add the following line:
  SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt
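The pre-requisites above are easy to get wrong by hand (an encrypted key, a missing final EOL, a blank line between certificates, a chain in the wrong order). The following added example, which is not Gigamon's code, checks a candidate localhost.crt bundle and localhost.key against those rules using only the Python standard library; fake_cert_pem builds constructed, unsigned stand-ins for certificates so the check can be exercised without real certificates.

```python
import base64, re
# Added example (not Gigamon's code): checks localhost.crt/localhost.key against the pre-requisites above.

def _tlv(buf, pos):  # read one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n, length = length & 0x7F, 0
        for b in buf[pos:pos + n]:
            length = (length << 8) | b
        pos += n
    return tag, buf[pos:pos + length], pos + length

def subject_issuer(der):  # (subject, issuer) Name DER of an X.509 certificate, byte for byte
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)    # Certificate -> tbsCertificate
    tag, _, pos = _tlv(tbs, 0)              # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)          # serialNumber
    _, _, pos = _tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)         # issuer Name
    _, _, pos = _tlv(tbs, pos)              # validity
    return _tlv(tbs, pos)[1], issuer        # subject Name, issuer Name

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\n(.+?)\n-----END CERTIFICATE-----\n?", re.S)

def check_bundle(crt_text, key_text):  # returns the list of violations; empty list means pass
    problems = []
    if not crt_text.endswith("\n"):
        problems.append("certificate file lacks a trailing EOL")
    if "ENCRYPTED" in key_text:             # PKCS#8 header or legacy 'Proc-Type: 4,ENCRYPTED'
        problems.append("private key is encrypted; decrypt it with 'openssl rsa' first")
    if PEM_CERT.sub("", crt_text):          # anything left over is a blank line or stray text
        problems.append("blank lines or text between certificates")
    names = [subject_issuer(base64.b64decode(b)) for b in PEM_CERT.findall(crt_text)]
    for i in range(len(names) - 1):         # each certificate must be issued by the one below it
        if names[i][1] != names[i + 1][0]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    if not names or names[-1][0] != names[-1][1]:
        problems.append("no certificate, or last certificate is not a self-signed root")
    return problems

def fake_cert_pem(subject, issuer):  # constructed stand-in: minimal unsigned DER, not a real Name
    tlv = lambda tag, c: bytes([tag, len(c)]) + c    # short-form length only (contents < 128 bytes)
    name = lambda s: tlv(0x30, tlv(0x0C, s.encode()))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer) + tlv(0x30, b"") + name(subject) + tlv(0x30, b""))
    b64 = base64.b64encode(tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Run check_bundle on the real files (for example, open('/etc/pki/tls/certs/localhost.crt').read() and the key) before copying them into place; the same ordering check applies to the single self-signed certificate generated in the Steps below, which passes because its subject equals its issuer.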
Steps
Generate the certificate and a private key file in PEM format. Use the following command on Linux or a Linux-like environment (such as Cygwin) to generate the files:
sudo openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -x509 -nodes -keyout privatekey.pem -days 365 -out certificate.pem
Note: Until software version 6.4.00, GigaVUE-FM supported RSA based certificates. Starting from software version 6.5.00, GigaVUE-FM supports ECDHE based certificates. However, you can configure the certificate as per your need.
Copy the contents of the certificate file.
To install the certificates:
1. Log in to the GigaVUE-FM CLI.
2. Execute the following steps from the shell prompt as a root user (sudo):
   - Replace SSLCertificateFile: /etc/pki/tls/certs/localhost.crt
   - Replace SSLCertificateKeyFile: /etc/pki/tls/private/localhost.key
   - Provide access to the certificate file: chmod 644 /etc/pki/tls/certs/localhost.crt
   - Provide access to the key file: chmod 600 /etc/pki/tls/private/localhost.key
   - Configure GigaVUE-FM load balancer functionality:
     cat /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key > /etc/pki/tls/certs/localhost.pem
     systemctl reload haproxy.service
   - When using GigaVUE Cloud Suite, run the following command to ensure that GigaVUE-FM continues to communicate securely with all the fabric components after certificate replacement.
     Note: Ensure that you run this command before restarting the Apache server.
     curl --location 'https://<FM-IP>/api/v1.3/cloud/nodes/certificate/clientCa' \
       --header 'Authorization: Bearer <YOUR_TOKEN>' \
       --form 'caCertificate=@</path/to/localhost.crt>'
   - Restart Apache as root: systemctl restart httpd.service
   - After restarting, ensure that Tomcat is up and running: sudo systemctl status tomcat@cms.service
The system will now start using the newly installed certificate.
GigaVUE-FM uses a public key (the cms.p12 file) to encrypt Security Assertion Markup Language (SAML) messages. You can either use the default public key available in GigaVUE-FM or generate a new one with the following command:
sudo openssl pkcs12 -export -name CMS -out /etc/gigamon/cms.p12 -inkey /etc/pki/tls/private/localhost.key -in /etc/pki/tls/certs/localhost.crt -passout pass:cms123
You will be prompted for a pass phrase for the localhost.crt.
After the public key (cms.p12 file) is generated, place the file in the /etc/gigamon directory and change its access rights with chmod 644.
Install Rabbit MQ Certificate
To update the Rabbit MQ certificate, generate the certificate and a private key file in PEM format. Use the following command on Linux or a Linux-like environment (such as Cygwin) to generate the files:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.pem -out certificate.pem
Copy the contents of the certificate file.
To update the RabbitMQ files:
1. Log in to the GigaVUE-FM CLI.
2. Execute the following steps from the shell prompt as a root user (sudo):
   - Replace the existing certificate, /var/lib/gigamon/rabbitmq/server/cert.pem. Example:
     cp certificate.pem /var/lib/gigamon/rabbitmq/server/cert.pem
   - Replace the existing private key, /var/lib/gigamon/rabbitmq/server/key.pem. Example:
     cp privatekey.pem /var/lib/gigamon/rabbitmq/server/key.pem
   - Provide access to the certificate and key:
     chmod 644 /var/lib/gigamon/rabbitmq/server/cert.pem /var/lib/gigamon/rabbitmq/server/key.pem
Note: It is not required to reload the RMQ service.
Communication between GigaVUE-FM Load Balancer and Web Server
After GigaVUE-FM is installed, communication is established between the GigaVUE-FM Load Balancer (HAProxy service) and the Apache web server. By default, the Load Balancer uses the IPv4 loopback address to communicate with the web server on the same host.
Refer to the following notes:
To change from the IPv4 to the IPv6 loopback address, use the following command:
curl -XPOST "http://localhost:4466/fmcs/fm/network?pretty" -H "Content-Type: application/json" -d '{"haproxy":{"enable_ipv6":"true"}}'
To change from the IPv6 to the IPv4 loopback address, use the following command:
curl -XPOST "http://localhost:4466/fmcs/fm/network?pretty" -H "Content-Type: application/json" -d '{"haproxy":{"enable_ipv6":"false"}}'
Disable DNSSEC Updates
You may observe that GigaVUE-FM connects to the root DNS servers to update the DNSSEC signatures. This process is managed by unbound-anchor.service, which, together with unbound-anchor.timer, automates the updates of unbound's root trust anchor for DNSSEC.
You can disable these services if you prefer that GigaVUE-FM should not connect to the root DNS servers. This prevents automatic root anchor updates, but it may weaken DNSSEC validation. In such cases, you must manually update the root anchor.
Note: These changes will not persist after a GigaVUE-FM upgrade. This procedure serves as a temporary workaround if the actions of unbound-anchor.service are not desirable.
To disable the DNSSEC updates:
1. Log in to the GigaVUE-FM CLI.
2. Run the following commands:
sudo systemctl disable --now unbound-anchor.service
sudo systemctl stop unbound-anchor.timer
sudo systemctl disable unbound-anchor.timer
After completing these steps, GigaVUE-FM will no longer attempt to connect to the root DNS servers for DNSSEC updates. Ensure that you manually update the root anchor as needed to maintain DNSSEC validation.