This section describes the Quick Start steps for configuring the gateway to get it up and running, once you have created an admin user. (See Creating an admin user in initial setup mode.)

For an overview of the CLI hierarchy as used in the Quick Start configuration steps, see About the CLI navigation.

All CLI command examples in this section assume that you are logged into the gateway in configuration mode, designated by a percent sign ("%") in the command prompt. To enter configuration mode from operational mode (designated by a ">" in the command prompt), enter configure.

Step 1: Configure the management/private port

Configure the management/private port (ethernet0) to obtain network access to the gateway. This port is used for both hosting management traffic (such as SSH from a terminal host to the gateway CLI) and forwarding mobile app data to the private network.

When the gateway receives tunneled (encrypted) mobile app data on its public interface, it decrypts the data and forwards the cleartext to the private interface, which routes it to the intended host and port on the private network. The private port therefore carries decrypted app traffic as well as management traffic, so it should sit on a network segment you control.

Syntax

% set ports ethernet0 address IP_address element attribute


Configure your elements or attributes to match your network topology. The examples only show the minimum elements and attributes to configure for the gateway.

Note: This page assumes you named the private and public virtual adapters when you installed the gateway. See Installing the Blue Cedar Connect Gateway with vSphere or Installing the Blue Cedar Connect Gateway with OVF Tool.

Example

% set ports ethernet0 address 192.168.30.202 gateway 192.168.30.1 netmask 255.255.255.0
% commit
Commit succeeded.


Note: Use command completion to find out the names of ports on your physical machine: 

% set ports ?

Step 2: (Optional) Disable SSH access to the management port

The gateway allows SSH access to the management port by default. If you plan to administer the gateway only through the serial console and not over SSH, you can disable SSH access; otherwise, skip this step. Before disabling SSH, confirm that you can log in on the serial console: once SSH is off, the console is the only way to reach the CLI, and an unreachable console leaves you with no way to re-enable SSH.

Syntax

% set system ssh enable true/false

Example

% set system ssh enable false
% commit

Step 3: Configure the CLI's administrator

Configure an administrative account, if you have not already done this with the Initial Setup.

Note: This administrative account is required when configuring the ports for the gateway's public and private interfaces.

To set up an administrative user, perform these steps:

Define the administrator group

Syntax

% set aaa auth-provider local group admin_group administrator true

Define a user as a member of the administrator group

Syntax

% set aaa auth-provider local user username password pwd_string group admin_group

Note: The group name you give in the user command must match the group you defined with administrator true (admin_group in the syntax above, admin in the example below); otherwise the user is not a member of the administrator group.

Example

% set aaa auth-provider local user joesmith password lucky13 group admin
% commit
Commit succeeded.
      
Data configured:
auth-provider {
  local {
    user joesmith {
      password $6$Kg4e1og5$xNR2OvXhp15uqg3DJF2eEzrWRQjXkFY66TWw2zc/cE4WEFmqeIcw1ONcRioI3Q1vQIe2gXDsVuauO0XJHr2cN1;
      group admin; 
    }
  }
} 

Note: The gateway stores the password as a salted hash rather than in cleartext, which is why the original password "lucky13" is not visible in the output; the $6$ prefix is the SHA-512 crypt format. The hash is still sensitive: anyone who obtains it (for example from a saved or exported configuration) can attack it offline, so choose a long password rather than one like the illustrative "lucky13", and treat configuration dumps as confidential.

Step 4: Configure the system protocols (NTP, SSH, Syslog, and DNS)

For more information about configuring NTP, SSH, and Syslog, see Configuring system protocols and services. Configure NTP before loading certificates in Step 5: certificate validity periods and CRL update times are checked against the gateway's clock, and a wrong clock causes valid certificates to be rejected or expired ones to be accepted.

For more information about configuring DNS, see Setting up authentication providers .

Step 5: Configure the AAA subsystem 

Setting up the AAA (Authentication, Authorization, and Accounting) subsystem involves configuring the identity certificate, trusted certificates, and the certificate revocation policy.

Configure identity certificate

The identity certificate is the certificate the gateway presents to identify itself to the client. It is supplied as a PKCS#12 container that holds the certificate and its private key, protected by a passphrase. On most Unix or Linux systems you can produce the base64-encoded data to paste into the CLI by running "cat cert.p12 | base64", where cert.p12 is an exported PKCS#12 container with the certificate and private key. Keep the .p12 file and its passphrase as tightly controlled as the private key itself: anyone holding both can impersonate the gateway to its clients.

Note: The correct value for the “identity-certificate” parameter is https. If you set this certificate to an arbitrary string, the CLI command fails, and the identity certificate for the gateway is not configured.

For details about these parameter values, see Configuring AAA Public Key Infrastructure > "Configuring identity certificates".

You must execute these commands to configure the identity certificate (and then commit the settings):

  • Set the PKCS12 encoded certificate:

    Syntax

    % set aaa pki identity-certificate https p12-pem-data BASE64_encoded_P12_certificate/key_container

    Supply the BASE64-encoded P12 certificate as the value of p12-pem-data. When you end the command line with this element, you are prompted to enter the data for the certificate:

    Enter/paste Base64 PEM data. Enter Ctl-D to complete

  • Set the passphrase:

    Syntax

    % set aaa pki identity-certificate https passphrase passphrase_for_encrypted_p12_file

  • Commit the certificate settings:

    % commit
    Commit succeeded

Configure trusted certificates

The trusted certificate list holds the issuer certificates the gateway trusts, typically the root certificate authority (and any intermediate CAs) that issued the client certificates. The gateway uses this list to authenticate clients: a client certificate is accepted only if it chains to one of these issuers. Add only the CAs that issue your client certificates, because every CA on this list can mint certificates that the gateway will accept.

Syntax

% set aaa pki trusted-certificate-authority name_of_CA certificate-pem-data

Supply the BASE64-encoded DER certificate (the PEM form) as the value of certificate-pem-data. When you end the command line with this element, you are prompted to enter the data for the certificate. Paste the complete certificate, including the BEGIN and END lines with exactly five dashes each:

Enter/paste Base64 PEM data. Enter Ctl-D to complete

-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIIDz3ujuueapEwDQYJKoZIhvcNAQEFBQAwNzEPMA0GA1UEAwwGQm9sdEN
BMRMwEQYDVQQLDApDZWRhciBIaWxsMQ8wDQYDVQQKDAZNb2NhbmEwHhcNMTMwNDIzMTUxNTE4Wh
cNMjMwNDIxMTUxNTE4WjA3MQ8wDQYDVQQDDAZCb2x0Q0ExEzARBgNVBAsMCkNlZGFyIEhpbGwxD
zANBgNVBAoMBk1vY2FuYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKiYrcp0i0zf
5bUDfn4DGzLZNGCew0Pm94pX+QsqRdQgoNl/YddqWB2gygGhUMS67GFs+WZ0I3d8exaupFVtWJ3
lU/jI3jk7lqE4g/+EgShR82D9d08nx2glqq6v46/pLcyVmRwZ4gpt7X+741/S6VSF4ldROnNIGw
zkZUHDDKRKYyXjS4IFA7bDvxc9qK9yYCg0l6deUw+DA/jIHEBRq3kz0AGFs1ObK/RyfoIvIwTZp
9/OZNl1E4gDR692ebUGG7VX1vke1T79ThjF2W8vjVc0tZITXrCyd3B1MMpsjVTfsaTm9wu6Q9O+
oaq9X7ibqdpRzBxGfAE9e
-----END CERTIFICATE-----

Configure certificate revocation policy (optional)

If you have a CRL infrastructure: The gateway can be configured to check external Certificate Revocation Lists (CRLs) that are published using LDAP or HTTP for client certificates that have been revoked.

Syntax

% set aaa pki certificate-revocation crl policy required cache-size size override-url crl_URL


Element: policy setting
Description: Whether client certificates are checked against a CRL. Values:

  • off: Certificate revocation lists are not used.
  • required: Every client certificate must be checked against the CRL before it is accepted. If the CRL server cannot be contacted, secured apps may fail to connect (the check fails closed rather than open).

Element: cache-size size
Description: Size in megabytes of the cache for downloaded Certificate Revocation Lists. Changing the value of the cache-size element clears the cache. Range: 0–5 MB.

Element: override-url crl_URL
Description: URL of a CRL server that overrides the CRL Distribution Point URL carried in the client certificate. If the override URL is empty, the CRL Distribution Point URL is extracted from the client certificate. Only http:// and ldap:// URLs are supported, for both override-url and automatically extracted CRL locations. Plain HTTP is normal for CRL retrieval: the CRL is signed by the CA, so its integrity does not depend on the transport.

Examples

The identity-certificate name in these examples is https, as the note above requires.

% set aaa pki certificate-revocation crl policy required cache-size 5 override-url http://192.168.25.56/CRL_Location
% set aaa pki identity-certificate https p12-pem-data
MIITwAIBAzCCE4cGCSqGSIb3DQEHAaCCE3gEghN0MIITcDCCCJ8GCSqGSIb3DQEHBqCCCJAwggi
MAgEAMIIIhQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIeqfRSvKdHFcCAggAgIIIWFmnmQ
eAFnUKnTGntDlCQgCI1mf3rYYfxUF3JpV2eGYtC52/CYNllhGP4x2VAsyno5kiuMDt81L2jfA8Z
Jp8AedhOCTMuGZfZJ8IIf7Cdv/RuuYzHKflj88/44ejCQ09gIwQ7WmeoTKgRCLr2Z5

% set aaa pki identity-certificate https passphrase mySecretPassphrase
Enter import passphrase:
Verify:
% commit
Commit succeeded.

Because the passphrase is typed as part of the command line, it can remain in your terminal scrollback and session logs; clear or protect those after configuration.
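The checks below are an added example for this quick start, not code from the Blue Cedar documentation or product. They use only the Python standard library and show how to validate the PKI material before pasting it into the CLI: that a PEM certificate block has correctly formed delimiters and a body whose DER length matches what was actually pasted (so a truncated paste is caught), how to produce the same base64 text as "cat cert.p12 | base64", and that the CRL settings respect the constraints in the table above (policy off or required, cache-size 0–5 MB, override-url http:// or ldap:// only). The sample PEM blocks are constructed five-byte DER stubs standing in for a certificate, and the hostname crl.example.internal is made up; nothing here inspects the contents of the PKCS#12 itself.

```python
"""Pre-flight checks for the PKI material pasted into the gateway CLI.

Added example for this quick start; not part of the Blue Cedar documentation
or product. Standard library only. The sample 'certificates' are constructed
DER stubs, not real X.509 certificates."""
import base64
import binascii
import re
from urllib.parse import urlparse

# A PEM certificate block: exactly five dashes on each delimiter line.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_sequence_length(der: bytes) -> int:
    """Total length (tag + length bytes + body) of the outer DER SEQUENCE.

    Every X.509 certificate is one SEQUENCE, so a complete blob must be
    exactly this long; a pasted certificate that lost its tail is shorter."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (a certificate starts with 0x30)")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_certificate(text: str) -> bytes:
    """Validate a pasted PEM certificate and return its DER bytes.

    Rejects wrong delimiters (such as '----BEGIN CERTIFICATE---'), bodies
    that are not base64, and truncated data whose declared DER length
    exceeds what was pasted. Stray spaces and line breaks are tolerated."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("BEGIN/END CERTIFICATE lines missing or malformed")
    body = re.sub(r"\s+", "", m.group(1))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    expected = der_sequence_length(der)
    if expected != len(der):
        raise ValueError(
            f"truncated certificate: DER declares {expected} bytes, got {len(der)}")
    return der


def rejection_reason(text: str):
    """Return the error message for a bad paste, or None if it is valid."""
    try:
        check_pem_certificate(text)
    except ValueError as exc:
        return str(exc)
    return None


def p12_to_pem_data(p12_bytes: bytes) -> str:
    """Produce what `cat cert.p12 | base64` prints on Linux (base64 wrapped
    at 76 columns), i.e. the text pasted at the p12-pem-data prompt."""
    return base64.encodebytes(p12_bytes).decode("ascii")


def check_crl_settings(policy: str, cache_size: int, override_url: str = "") -> list:
    """Check 'set aaa pki certificate-revocation crl ...' values against the
    documented constraints: policy off|required, cache-size 0-5 MB,
    override-url empty or an http:// or ldap:// URL."""
    problems = []
    if policy not in ("off", "required"):
        problems.append(f"policy must be off or required, got {policy!r}")
    if not 0 <= cache_size <= 5:
        problems.append(f"cache-size {cache_size} is outside 0-5 MB")
    if override_url:
        scheme = urlparse(override_url).scheme.lower()
        if scheme not in ("http", "ldap"):
            problems.append(
                f"override-url scheme {scheme!r} not supported (http or ldap only)")
    return problems


# Constructed samples: a 5-byte DER SEQUENCE {INTEGER 5} stands in for a
# certificate; the same blob minus its last byte models a truncated paste.
GOOD_PEM = "-----BEGIN CERTIFICATE-----\nMAMC AQU=\n-----END CERTIFICATE-----\n"
TRUNCATED_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----\n"
BAD_DELIMITERS = "----BEGIN CERTIFICATE---\nMAMCAQU=\n----END CERTIFICATE---\n"

if __name__ == "__main__":
    print(check_pem_certificate(GOOD_PEM).hex())           # 3003020105
    for sample in (TRUNCATED_PEM, BAD_DELIMITERS):
        print("rejected:", rejection_reason(sample))
    print(p12_to_pem_data(b"\x30\x03\x02\x01\x05"), end="")  # MAMCAQU=
    print(check_crl_settings("required", 5, "http://192.168.25.56/CRL_Location"))
    print(check_crl_settings("required", 6, "https://crl.example.internal/ca.crl"))
```

Run the validation on the exact text you are about to paste; the DER length check is what distinguishes a certificate that merely looks complete from one that lost its final lines in a copy-and-paste.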


Step 6: (Optional) Enable lockout recovery 

To enable lockout recovery, perform these steps:

  • Enable lockout recovery on the gateway:

    Example

    % set aaa auth-group default lockout-recovery-enable true
    % commit

  • Configure the passphrase for keystore access:

    % set aaa lockout-recovery-passphrase string
    % commit

Note: Enabling lockout recovery is only required for the Local App Authentication policy of the Blue Cedar Enforce Accelerator, but you should enable it during initial configuration. For more information, see Managing lockout recovery .

Step 7: Connect the gateway to a tunneled client by configuring the IP address pool  

Connect the gateway to a tunneled mobile client by configuring the type of IP address pool for the gateway to assign to its mobile clients. You have these choices for configuring the IP address pool. See below for details.

  • Using static pool: Configure a pool of IP addresses for assignment to a tunneled app.
  • Using DHCP: Specify a DHCP (Dynamic Host Configuration Protocol) server for assigning "inner" IP addresses to a tunneled app.
  • Using NAT: Choose NAT (Network Address Translation) to route all tunnel traffic through an internal NAT so that connections appear on the private network as a single address.

Choose one of the following methods:

Using static pool

Set the type of IP-address pool to static and the nameserver to the DNS server that is used to resolve internal hostnames:

Syntax

% set addressing pool-type static nameserver ip-address


Set the range of IP addresses in the static pool:

Syntax

% set addressing address-pool name_of_address-pool start ip-address end ip-address

Example

% set addressing address-pool hammerclients start 123.25.6.0 end 123.25.6.9
% commit
Commit succeeded.

Using DHCP

Set nameserver to the DHCP server that issues the inner IP addresses for mobile devices when they establish IPsec tunnels, and domain to the domain name to use for the tunneled clients.

Syntax

% set addressing pool-type dhcp nameserver ip-address domain domain_name

Example

% set addressing pool-type dhcp nameserver 192.0.2.90 domain acmehardware.com
% commit
Commit succeeded.

Data configured

addressing {
   address-pool StaticPool {
    start 172.16.32.50;
    end 172.16.63.254;
    enabled true;
    gateway 0.0.0.0;
    priority 100;
    nameserver 0.0.0.0;
   }
  pool-type dhcp;
  nameserver 192.0.2.90;
  domain acmehardware.com;
}

The address-pool StaticPool in this output was defined earlier and stays in the configuration; the command above sets only pool-type, nameserver, and domain.

Using NAT

Set nameserver to the DNS server that is used to resolve internal hostnames. Use 0.0.0.0 to use the system's nameserver.

Syntax

% set addressing pool-type nat nameserver ip-address 

Example

% set addressing pool-type nat nameserver  0.0.0.0
% commit 
Commit succeeded.

Data configured

addressing {
  pool-type    nat;
  nameserver   0.0.0.0;
  address-pool 1 {
    enabled    true;
    start      192.168.50.2;
    end        192.168.50.255;
    gateway    192.168.50.1;
    netmask    255.255.255.0;
    priority   100;
    nameserver 0.0.0.0;
  }
}
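An added example (not from the Blue Cedar documentation or product) that checks "set addressing" values before you commit them, using only the Python standard library. It parses addresses strictly (an octet above 255 such as 123.25.678.90 is rejected), confirms that start is not after end and that the pool and its gateway fall inside the given netmask, and flags a pool that overlaps the subnet of the private interface from Step 1 (192.168.30.0/24 is assumed from that example), since inner addresses that collide with the LAN the gateway forwards to cannot be routed unambiguously. It also requires that pool-type dhcp gets a real DHCP server address rather than 0.0.0.0, which this page reserves for "use the system's nameserver". The addresses in the demo are taken from the examples on this page.

```python
"""Sanity checks for 'set addressing ...' values before committing.

Added example for this quick start; not part of the Blue Cedar documentation
or product. Standard library only. The private-interface address is assumed
from the Step 1 example on this page."""
import ipaddress

# Private/management interface configured in Step 1 (ethernet0), assumed here.
PRIVATE_IFACE = ipaddress.ip_interface("192.168.30.202/24")
SYSTEM_NAMESERVER = ipaddress.IPv4Address("0.0.0.0")   # "use the system's nameserver"


def parse_ipv4(text: str) -> ipaddress.IPv4Address:
    """Strict IPv4 parse; rejects octets above 255 such as 123.25.678.90."""
    try:
        return ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"{text!r} is not a valid IPv4 address: {exc}") from exc


def is_valid_ipv4(text: str) -> bool:
    try:
        parse_ipv4(text)
    except ValueError:
        return False
    return True


def check_address_pool(start: str, end: str, netmask: str = None, gateway: str = None,
                       private_iface=PRIVATE_IFACE) -> list:
    """Problems with an address-pool definition (an empty list means none).

    Checks: valid addresses, start <= end, pool end and gateway inside the
    subnet given by netmask, and no overlap with the private interface's
    own subnet."""
    problems = []
    s, e = parse_ipv4(start), parse_ipv4(end)
    if s > e:
        problems.append(f"start {s} is after end {e}")
        return problems                      # the remaining checks need s <= e
    if netmask:
        net = ipaddress.ip_network(f"{s}/{netmask}", strict=False)
        if e not in net:
            problems.append(f"end {e} lies outside {net}")
        if gateway and parse_ipv4(gateway) not in net:
            problems.append(f"gateway {gateway} lies outside {net}")
    # Break the start-end range into CIDR blocks and test each for overlap.
    for block in ipaddress.summarize_address_range(s, e):
        if block.overlaps(private_iface.network):
            problems.append(
                f"pool {s}-{e} overlaps private interface subnet {private_iface.network}")
            break
    return problems


def check_nameserver(nameserver: str, pool_type: str) -> list:
    """Validate the nameserver element for a given pool-type.

    For pool-type dhcp this page uses the element for the DHCP server, so
    0.0.0.0 (meaning 'system nameserver') is not a usable value there."""
    ns = parse_ipv4(nameserver)
    if pool_type == "dhcp" and ns == SYSTEM_NAMESERVER:
        return ["pool-type dhcp needs the DHCP server address, not 0.0.0.0"]
    return []


if __name__ == "__main__":
    # Values from the examples on this page.
    print(check_address_pool("123.25.6.0", "123.25.6.9"))                 # static pool
    print(check_address_pool("192.168.50.2", "192.168.50.255",
                             "255.255.255.0", "192.168.50.1"))            # NAT pool
    print(check_address_pool("192.168.30.50", "192.168.30.60"))           # collides with LAN
    print(check_nameserver("0.0.0.0", "nat"))
    print(check_nameserver("0.0.0.0", "dhcp"))
    print(is_valid_ipv4("123.25.678.90"))                                  # False
```

The overlap check matters most for a static pool, whose inner addresses are routed directly on the private network; for NAT mode the pool is hidden behind the gateway's private address, but a collision still confuses any host-based rules that key on the client's inner address.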

Step 8: Configure the gateway for IKE settings

The gateway uses IKE to negotiate the tunnel with the client. IKE phase 1 parameters govern the initial exchange that authenticates the two peers and establishes a protected control channel between gateway and client (the IKE SA in IKEv2 terms); IKE phase 2 parameters govern the IPsec security association (the child SA) that carries the authenticated and encrypted app traffic from the client to the gateway. For the full list of phase 1 and phase 2 parameters, see Configuring IPsec using IKEv2 protocol.

Syntax

% set security ike ike_parameter_name ike_parameter_value 

Example

% set security ike cipher aes_192 admin-state up 
% commit
Commit succeeded.

Step 9: (Optional) Configure the public interface 

If you are using static addressing for your public interface (ethernet1), configure the public interface to allow a secured app to connect to the gateway (create an IPSec tunnel). For example:

Example

% set ports ethernet1 address 192.168.3.79 netmask 255.255.255.0 gateway 192.168.3.1
% commit
Commit succeeded.

If you are using DHCP, you do not need to configure this interface.
