Appendices
IPsec certificate generation for base stations traffic
If you need to set your own PKI, you can generate the certificate and its key using the following procedure:
Do not set any passphrase when generating your own certificate; ThingPark Enterprise does not handle this feature.
-
Connect to the server's console.
-
Create a configuration file for OpenSSL:
cd /home/support
vi openssl.cnf.CACopy and paste the content of this configuration example: openssl.cnf.CA
-
Go to /home/support/ and execute the following commands:
openssl genrsa -out CA_PKI_Root.key 2048
openssl req -new -extensions v3_ca_root -key CA_PKI_Root.key -out CA_PKI_Root.csr -subj '/C=FR/ST=/L=Paris/O=Actility/OU=/CN=CA_RCA_Root' -config openssl.cnf.CA
openssl x509 -req -extensions v3_ca_root -days 9125 -in CA_PKI_Root.csr -signkey CA_PKI_Root.key -out CA_PKI_Root.crt -extfile openssl.cnf.CA -
Retrieve the CA_PKI_Root.crt file (certificate) and the CA_PKI_Root.key file (key) with a SFTP client on port 2222 with the «support» user.
Sample: File openssl.cnf.CA
dir = /etc/pki/CA
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/cert.idx
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3650
crl = $dir/crl/crl.pem
crlnumber = $dir/crl/crl_serial
default_crl_days = 365
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
copy_extensions = copy
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = key.pem
default_md = sha256
string_mask = nombstr
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
countryName_default = FR
############ Profiles AC ############
[ v3_ca_root ]
basicConstraints = CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier= hash
authorityKeyIdentifier= keyid:always,issuer:always
Generation of a local media on USB key
The local media package is available as a 5.4GB ISO file
(tpe-localmedia-<version>.iso
). To create a USB key that can be used during the
Local Repository Installation phase, you must directly burn the ISO file
on the USB key.
Create a USB key on Windows
You can use a tool like isotousb that can directly flash the iso file on the USB key (select FAT32)
Or you can just format your USB key in FAT32, open the ISO file using Explorer and copy the content of the ISO file to the USB key.
Create a USB key on Linux
On Linux, you can directly use the dd command to burn the ISO file to the USBkey :
dd if=./tpe-localmedia-6.1-x.y.iso of=/dev/<your device>
When using that USB key on cockpit, it will be referenced as CDROM (media type iso9660) and the mount point will be /run/media/support/CDROM
Policy-based routing implementation
The following configuration files are involved in policy-based routing:
/etc/iproute2/rt_tables
: This file defines the mappings if you want to use names instead of numbers to refer to specific routing tables./etc/sysconfig/network-scripts/route-<interface>
: This file defines the IPv4 routes. Usetable
option to specify the routing table./etc/sysconfig/network-scripts/rule-<interface>
: This file defines the rules for which the kernel routes traffic to specific routing tables.
For example, you may want to route base station flows and administration flows
differently on your self-hosted TPE instance.
For this example, we assume a self-hosted TPE instance with two network interfaces,
ens192
for base station flows and ens224
for administration flows. Note that ens192
interface is configured with the default gateway.
+---------------------------+
| |
| |
| |
| Self-hosted TPE |
| |
| |
| |
+----------+ default +-------+ +------+ +----------+
| Prod +-------------------+ ens192| |ens224+------------------+ Admin |
| network | route +-------+ +------+ | network |
+----------+ | | +----------+
+---------------------------+
-
Optionally, you can use name instead of number to refer to specific routing table, for example:
sudoedit /etc/iproute2/rt_tables
5000 admin_rt
-
Configure routes for
ens224
interface to a separate routing table:sudoedit /etc/sysconfig/network-scripts/route-ens224
0.0.0.0/0 via <admin gateway> table admin_rt
-
Configure the rules for routing administration flows to the specific routing table:
sudoedit /etc/sysconfig/network-scripts/rule-ens224
ipproto tcp sport 2222 lookup admin_rt
ipproto tcp sport 9090 lookup admin_rt
ipproto tcp sport 443 lookup admin_rt -
Restart the network service:
systemctl restart network