Appendices

IPsec certificate generation for base stations traffic

If you need to set your own PKI, you can generate the certificate and its key using the following procedure:

WARNING

Do not set any passphrase when generating your own certificate; ThingPark Enterprise does not handle this feature.

1. Connect to the server's console.

2. Create a configuration file for OpenSSL:

   cd /home/support
   vi openssl.cnf.CA

   Copy and paste the content of this configuration example: openssl.cnf.CA

3. Go to /home/support/ and execute the following commands:

   openssl genrsa -out CA_PKI_Root.key 2048
   openssl req -new -extensions v3_ca_root -key CA_PKI_Root.key -out CA_PKI_Root.csr -subj '/C=FR/ST=/L=Paris/O=Actility/OU=/CN=CA_RCA_Root' -config openssl.cnf.CA 
   openssl x509 -req -extensions v3_ca_root -days 9125 -in CA_PKI_Root.csr -signkey CA_PKI_Root.key -out CA_PKI_Root.crt -extfile openssl.cnf.CA

4. Retrieve the CA_PKI_Root.crt file (certificate) and the CA_PKI_Root.key file (key) with a SFTP client on port 2222 with the «support» user.

Sample: File openssl.cnf.CA

dir = /etc/pki/CA

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/cert.idx
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3650
crl = $dir/crl/crl.pem
crlnumber = $dir/crl/crl_serial
default_crl_days = 365
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
copy_extensions = copy

[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
default_keyfile = key.pem
default_md = sha256
string_mask = nombstr
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
countryName_default = FR

############ Profiles AC ############
[ v3_ca_root ]
basicConstraints = CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier= hash
authorityKeyIdentifier= keyid:always,issuer:always

Generation of a local media on USB key

The local media package is available as a 5.4GB ISO file (tpe-localmedia-<version>.iso). To create a USB key that can be used during the Local Repository Installation phase, you must directly burn the ISO file on the USB key.

Create a USB key on Windows

You can use a tool like isotousb that can directly flash the iso file on the USB key (select FAT32)

Or you can just format your USB key in FAT32, open the ISO file using Explorer and copy the content of the ISO file to the USB key.

Create a USB key on Linux

On Linux, you can directly use the dd command to burn the ISO file to the USBkey :

dd if=./tpe-localmedia-6.1-x.y.iso of=/dev/<your device>

When using that USB key on cockpit, it will be referenced as CDROM (media type iso9660) and the mount point will be /run/media/support/CDROM

Policy-based routing implementation

The following configuration files are involved in policy-based routing:

• /etc/iproute2/rt_tables: This file defines the mappings if you want to use names instead of numbers to refer to specific routing tables.
• /etc/sysconfig/network-scripts/route-<interface>: This file defines the IPv4 routes. Use table option to specify the routing table.
• /etc/sysconfig/network-scripts/rule-<interface>: This file defines the rules for which the kernel routes traffic to specific routing tables.

For example, you may want to route base station flows and administration flows differently on your self-hosted TPE instance. For this example, we assume a self-hosted TPE instance with two network interfaces, ens192 for base station flows and ens224 for administration flows. Note that ens192 interface is configured with the default gateway.

                               +---------------------------+                              
                               |                           |                              
                               |                           |                              
                               |                           |                              
                               |      Self-hosted TPE      |                              
                               |                           |                              
                               |                           |                              
                               |                           |                              
+----------+      default      +-------+            +------+                  +----------+
|   Prod   +-------------------+ ens192|            |ens224+------------------+   Admin  |
|  network |       route       +-------+            +------+                  |  network |
+----------+                   |                           |                  +----------+
                               +---------------------------+                              

1. Optionally, you can use name instead of number to refer to specific routing table, for example:

   sudoedit /etc/iproute2/rt_tables

   5000 admin_rt

2. Configure routes for ens224 interface to a separate routing table:

   sudoedit /etc/sysconfig/network-scripts/route-ens224

   0.0.0.0/0 via <admin gateway> table admin_rt

3. Configure the rules for routing administration flows to the specific routing table:

   sudoedit /etc/sysconfig/network-scripts/rule-ens224

   ipproto tcp sport 2222 lookup admin_rt
   ipproto tcp sport 9090 lookup admin_rt
   ipproto tcp sport 443 lookup admin_rt

4. Restart the network service:

   systemctl restart network