Post Installation Configurations
This section describes the processes that must be performed after GigaVUE-FM is installed. Refer to the instructions in this chapter if you wish to install a custom certificate or a Rabbit MQ certificate.
- How to install custom certificates instead of the default self-signed certificates loaded in GigaVUE-FM: Install Custom Certificate
- How to install a Rabbit MQ certificate: Install Rabbit MQ Certificate
- How to establish communication between the load balancer and the web server: Communication between GigaVUE-FM Load Balancer and Web Server
Install Custom Certificate
To install a third-party certificate on GigaVUE‑FM, refer to the following sections:
Pre-requisites
Refer to the following pre-requisites:
- Take a backup of the default system self-signed certificate and key before replacing them with the third-party certificate and key. The files are located at:
  - localhost.crt: /etc/pki/tls/certs/localhost.crt
  - localhost.key: /etc/pki/tls/private/localhost.key
- When replacing the certificate and key files, adhere to the following naming convention:
  - For the certificate: localhost.crt
  - For the certificate key: localhost.key
- When you copy the contents of the certificate file, do not delete the EOL characters at the end of each line. If there is no EOL character at the end of the certificate file, insert one.
- In the case of a chain of certificates, bundle the server, intermediate, and root certificates into a single certificate file before replacing localhost.crt.
- For a chain of certificates, add the SSLCertificateChainFile directive to /etc/httpd/conf.d/ssl.conf (for example, with sudo vim /etc/httpd/conf.d/ssl.conf) by adding the following line:
  SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt
Steps
Generate the certificate and a private key file in PEM format. Use the following command on Linux or a Linux app (such as Cygwin) to generate the files:
sudo openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -x509 -nodes -keyout privatekey.pem -days 365 -out certificate.pem
Note: Until software version 6.4.00, GigaVUE-FM supported RSA-based certificates. Starting from software version 6.5.00, GigaVUE-FM supports ECDHE-based certificates. However, you can configure the certificate as per your need.
Copy the contents of the certificate file.
To install the certificates:
1. Log in to the GigaVUE‑FM CLI.
2. Execute the following steps from the shell prompt as the root user (sudo):
   - Replace SSLCertificateFile: /etc/pki/tls/certs/localhost.crt
   - Replace SSLCertificateKeyFile: /etc/pki/tls/private/localhost.key
   - Provide access to the certificate file: chmod 644 /etc/pki/tls/certs/localhost.crt
   - Provide access to the key file: chmod 600 /etc/pki/tls/private/localhost.key
   - Configure the GigaVUE‑FM load balancer functionality:
     cat /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key > /etc/pki/tls/certs/localhost.pem
     systemctl reload haproxy.service
   - Restart Apache as root: systemctl restart httpd.service
   - After restarting, ensure Tomcat is up and running: sudo systemctl status tomcat@cms.service
The system will now start using the newly installed certificate.
GigaVUE‑FM uses a public key (cms.p12 file) to encrypt the Security Assertion Markup Language (SAML) messages. You can either use the default public key available in GigaVUE‑FM or generate a new public key using the following command:
sudo openssl pkcs12 -export -name CMS -out /etc/gigamon/cms.p12 -inkey /etc/pki/tls/private/localhost.key -in /etc/pki/tls/certs/localhost.crt -passout pass:cms123
You will be prompted for a pass phrase for the localhost.crt.
After the public key (cms.p12 file) is generated, place the file in the /etc/gigamon directory and set its access rights with chmod 644.
Install Rabbit MQ Certificate
To update the Rabbit MQ certificate, generate the certificate and a private key file in PEM format. Use the following command on Linux or a Linux app (such as Cygwin) to generate the files:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.pem -out certificate.pem
Copy the contents of the certificate file.
To update the RabbitMQ files:
1. Log in to the GigaVUE-FM CLI.
2. Execute the following steps from the shell prompt as the root user (sudo):
   - Replace the existing certificate, /var/lib/gigamon/rabbitmq/server/cert.pem. Example:
     cp certificate.pem /var/lib/gigamon/rabbitmq/server/cert.pem
   - Replace the existing private key, /var/lib/gigamon/rabbitmq/server/key.pem. Example:
     cp privatekey.pem /var/lib/gigamon/rabbitmq/server/key.pem
   - Provide access to the certificate and key:
     chmod 644 /var/lib/gigamon/rabbitmq/server/cert.pem /var/lib/gigamon/rabbitmq/server/key.pem
Note: It is not required to reload the RMQ service.
Communication between GigaVUE-FM Load Balancer and Web Server
After GigaVUE-FM is installed, communication is established between the GigaVUE-FM Load Balancer (the HAProxy service) and the Apache web server. By default, the Load Balancer uses the IPv4 loopback address to communicate with the web server on the same host.
Refer to the following notes:
To change from the IPv4 to the IPv6 loopback address, use the following command:
curl -XPOST "http://localhost:4466/fmcs/fm/network?pretty" -H "Content-Type: application/json" -d '{"haproxy":{"enable_ipv6":"true"}}'
To change from the IPv6 to the IPv4 loopback address, use the following command:
curl -XPOST "http://localhost:4466/fmcs/fm/network?pretty" -H "Content-Type: application/json" -d '{"haproxy":{"enable_ipv6":"false"}}'