Quick start configuration steps
This section describes the Quick Start steps for configuring the gateway to get it up and running, once you have created an admin user. (See Creating an admin user in initial setup mode.)
For an overview of the CLI hierarchy as used in the Quick Start configuration steps, see About the CLI navigation.
All CLI command examples in this section assume that you are logged into the gateway in configuration mode, designated by a percent sign ("%") in the command prompt. To enter configuration mode from operational mode (designated by a ">" in the command prompt), enter configure.
Step 1: Configure the management/private port
Configure the management/private port (ethernet0) to obtain network access to the gateway. This port is used for both hosting management traffic (such as SSH from a terminal host to the gateway CLI) and forwarding mobile app data to the private network.
When the gateway first receives the tunneled/encrypted mobile app data through its public interface, it decrypts the encrypted data before forwarding it to the private interface. The private interface then routes the decrypted mobile app data to the intended network port.
Syntax
% set ports ethernet0 address IP_address element attribute
Configure your elements or attributes to match your network topology. The examples only show the minimum elements and attributes to configure for the gateway.
Note: This page assumes you named the private and public virtual adapters when you installed the gateway. See Installing the Blue Cedar Connect Gateway with vSphere or Installing the Blue Cedar Connect Gateway with OVF Tool.
Example
% set ports ethernet0 address 192.168.30.202 gateway 192.168.30.1 netmask 255.255.255.0
% commit
Commit succeeded.
Note: Use command completion to find out the names of ports on your physical machine:
% set ports ?
Step 2: (Optional) Disable SSH access to the management port
The Gateway allows SSH access to the management port by default. If you plan to use only the serial port console and not SSH to administer the gateway, you can disable SSH access. Otherwise, you can skip this step.
Syntax
% set system ssh enable true/false
Example
% set system ssh enable false
% commit
Step 3: Configure the CLI's administrator
Configure an administrative account, if you have not already done this with the Initial Setup.
Note: This administrative account is required when configuring the ports for the gateway's public and private interfaces.
To set up an administrative user, perform these steps:
Define the administrator group
Syntax
% set aaa auth-provider local group admin_group administrator true
Define a user as a member of the administrator group
Syntax
% set aaa auth-provider local user username password pwd_string group admin_group
Note: Make a note of the admin_group string: it is the same value you pass as the group element when you define the local user.
Example
% set aaa auth-provider local user joesmith password lucky13 group admin
% commit
Commit succeeded.
Data configured:
auth-provider {
local {
user joesmith {
password $6$Kg4e1og5$xNR2OvXhp15uqg3DJF2eEzrWRQjXkFY66TWw2zc/cE4WEFmqeIcw1ONcRioI3Q1vQIe2gXDsVuauO0XJHr2cN1;
group admin;
}
}
}
Note: The gateway stores the password with a hash function applied to it, which is why the original password "lucky13" is not visible in the output.
Step 4: Configure the system protocols (NTP, SSH, Syslog, and DNS)
For more information about configuring NTP, SSH, and Syslog, see Configuring system protocols and services.
For more information about configuring DNS, see Setting up authentication providers.
Step 5: Configure the AAA subsystem
Setting up the AAA (Authentication, Authorization, and Accounting) subsystem involves configuring the identity certificate, trusted certificates, and the certificate revocation policy.
Configure identity certificate
The identity certificate is a PKCS12 container holding the gateway's certificate and its private key, protected by a passphrase; the gateway uses it to identify itself to the client. You can obtain the base64-encoded data on most Unix or Linux systems by running the command "cat cert.p12 | base64", where cert.p12 is an exported PKCS12 container with the certificate and private key.
Note: The correct value for the “identity-certificate” parameter is https. If you set this certificate to an arbitrary string, the CLI command fails, and the identity certificate for the gateway is not configured.
For details about these parameter values, see Configuring AAA Public Key Infrastructure > "Configuring identity certificates".
You must execute these commands to configure the identity certificate (and then commit the settings):
Set the PKCS12 encoded certificate:
Syntax
% set aaa pki identity-certificate https p12-pem-data BASE64_encoded_P12_certificate/key_container
Supply the BASE64-encoded P12 certificate as the value of p12-pem-data. When you end the command line with this element, you are prompted to enter the data for the certificate:
Enter/paste Base64 PEM data. Enter Ctl-D to complete
Set the passphrase:
Syntax
% set aaa pki identity-certificate https passphrase passphrase_for_encrypted_p12_file
Commit the certificate settings:
% commit
Commit succeeded.
Configure trusted certificates
The trusted certificate list is a list of trusted issuers, typically a certificate authority that issues root certificates. The gateway uses this list to authenticate clients.
Syntax
% set aaa pki trusted-certificate-authority name_of_CA certificate-pem-data
Supply the BASE64-encoded DER certificate as the value of certificate-pem-data. When you end the command line with this element, you are prompted to enter the data for the certificate:
Enter/paste Base64 PEM data. Enter Ctl-D to complete
-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIIDz3ujuueapEwDQYJKoZIhvcNAQEFBQAwNzEPMA0GA1UEAwwGQm9sdEN
BMRMwEQYDVQQLDApDZWRhciBIaWxsMQ8wDQYDVQQKDAZNb2NhbmEwHhcNMTMwNDIzMTUxNTE4Wh
cNMjMwNDIxMTUxNTE4WjA3MQ8wDQYDVQQDDAZCb2x0Q0ExEzARBgNVBAsMCkNlZGFyIEhpbGwxD
zANBgNVBAoMBk1vY2FuYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKiYrcp0i0zf
5bUDfn4DGzLZNGCew0Pm94pX+QsqRdQgoNl/YddqWB2gygGhUMS67GFs+WZ0I3d8exaupFVtWJ3
lU/jI3jk7lqE4g/+EgShR82D9d08nx2glqq6v46/pLcyVmRwZ4gpt7X+741/S6VSF4ldROnNIGw
zkZUHDDKRKYyXjS4IFA7bDvxc9qK9yYCg0l6deUw+DA/jIHEBRq3kz0AGFs1ObK/RyfoIvIwTZp
9/OZNl1E4gDR692ebUGG7VX1vke1T79ThjF2W8vjVc0tZITXrCyd3B1MMpsjVTfsaTm9wu6Q9O+
oaq9X7ibqdpRzBxGfAE9e
-----END CERTIFICATE-----
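Both the p12-pem-data value (Step 5, identity certificate) and the certificate-pem-data value above are pasted into the CLI by hand, and a paste that lost a few characters, picked up stray spaces, or has mangled BEGIN/END lines is only discovered when the commit fails or clients cannot authenticate. The following Python script is an added example, not part of the gateway or of this page, for checking a blob before pasting it: it verifies the PEM marker lines, decodes the base64 strictly, and compares the length declared by the outer DER SEQUENCE (a PKCS12 PFX and an X.509 certificate both start with one) against the bytes actually present, which catches truncation even when the base64 padding happens to line up. The sample input is a constructed five-byte DER object, not a real certificate.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_declared_length(der: bytes):
    """Total byte length the outer DER SEQUENCE claims (header + content), or None."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 is the SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_base64_der(b64_text: str) -> list:
    """Problems in a base64 blob that should decode to exactly one DER object.

    Applies to the p12-pem-data value (a PKCS12 PFX is an outer SEQUENCE too)
    and to the body of a PEM CERTIFICATE block.
    """
    problems = []
    compact = re.sub(r"\s+", "", b64_text)
    if compact != b64_text.replace("\r", "").replace("\n", ""):
        problems.append("whitespace inside base64 lines (copy/paste damage)")
    try:
        der = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        problems.append("not valid base64 (bad characters or padding)")
        return problems
    declared = der_declared_length(der)
    if declared is None:
        problems.append("decoded data does not start with a DER SEQUENCE")
    elif declared > len(der):
        problems.append(f"truncated: DER declares {declared} bytes, got {len(der)}")
    elif declared < len(der):
        problems.append(f"trailing data: DER declares {declared} bytes, got {len(der)}")
    return problems


def check_pem_certificate(pem_text: str) -> list:
    """Problems in a PEM CERTIFICATE block as it would be pasted at the prompt."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if not lines:
        return ["empty input"]
    problems = []
    if lines[0] != BEGIN:
        problems.append(f"bad BEGIN line {lines[0]!r}; expected {BEGIN!r}")
    if lines[-1] != END:
        problems.append(f"bad END line {lines[-1]!r}; expected {END!r}")
    # base64 lines never start with '-', so marker lines are easy to drop
    body = "\n".join(ln for ln in lines if not ln.startswith("-"))
    return problems + check_base64_der(body)


# Constructed sample, NOT a real certificate: DER SEQUENCE { INTEGER 5 }, which is
# enough for the outer-length check to have something to verify.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()       # "MAMCAQU="
GOOD_PEM = f"{BEGIN}\n{SAMPLE_B64}\n{END}\n"
# The same data after a bad copy/paste: short marker dashes, a space in the body,
# and the last characters lost.
DAMAGED_PEM = "----BEGIN CERTIFICATE---\nMAMC AQ\n----END CERTIFICATE---\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD_PEM), ("damaged", DAMAGED_PEM)):
        print(label, check_pem_certificate(text) or "OK")
```

Run it against the output of "base64 cert.p12" before pasting that output as p12-pem-data, or against the PEM file of a trusted CA before pasting it as certificate-pem-data; an empty list means the blob is at least structurally whole. The length check only inspects the outermost SEQUENCE, so it proves nothing about the certificate's contents or signature; it exists to catch paste damage, not to validate the certificate.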
Configure certificate revocation policy (optional)
If you have a CRL infrastructure: The gateway can be configured to check external Certificate Revocation Lists (CRLs) that are published using LDAP or HTTP for client certificates that have been revoked.
Syntax
% set aaa pki certificate-revocation crl policy required cache-size size override-url crl_URL
Element | Description
---|---
policy setting | Values:
cache-size size | Size in megabytes for the Certificate Revocation List. Changing the value of the cache-size element clears the cache. Range: 0–5 MB.
override-url crl_URL | URL of another Certificate Revocation List server that overrides the revocation server URL carried in the certificate. If the override URL is empty, the CRL Distribution Point URL is extracted from the client certificate. Only http:// and ldap:// URLs are supported, both for override-url and for automatically extracted CRL locations.
Examples
% set aaa pki certificate-revocation crl policy required cache-size 5 override-url http://192.168.25.56/CRL_Location
% set aaa pki identity-certificate gatewaycert p12-pem-data
MIITwAIBAzCCE4cGCSqGSIb3DQEHAaCCE3gEghN0MIITcDCCCJ8GCSqGSIb3DQEHBqCCCJAwggi
MAgEAMIIIhQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIeqfRSvKdHFcCAggAgIIIWFmnmQ
eAFnUKnTGntDlCQgCI1mf3rYYfxUF3JpV2eGYtC52/CYNllhGP4x2VAsyno5kiuMDt81L2jfA8Z
Jp8AedhOCTMuGZfZJ8IIf7Cdv/RuuYzHKflj88/44ejCQ09gIwQ7WmeoTKgRCLr2Z5
% set aaa pki identity-certificate gatewaycert passphrase mySecretPassphrase
Enter import passphrase:
Verify:
% commit
Commit succeeded.
Step 6: (Optional) Enable lockout recovery
To enable lockout recovery, perform these steps:
Enable lockout recovery on the gateway:
Example
% set aaa auth-group default lockout-recovery-enable true
% commit
Configure the passphrase for keystore access:
% set aaa lockout-recovery-passphrase string
% commit
Note: Enabling lockout recovery is only required for the Local App Authentication policy of the Blue Cedar Enforce Accelerator, but you should enable it during initial configuration. For more information, see Managing lockout recovery.
Step 7: Connect the gateway to a tunneled client by configuring the IP address pool
Connect the gateway to a tunneled mobile client by configuring the type of IP address pool for the gateway to assign to its mobile clients. You have these choices for configuring the IP address pool. See below for details.
- Using static pool: Configure a pool of IP addresses for assignment to a tunneled app.
- Using DHCP: Specify a DHCP (Dynamic Host Configuration Protocol) server for assigning "inner" IP addresses to a tunneled app.
- Using NAT: Choose NAT (Network Address Translation) to route all tunnel traffic through an internal NAT so that connections appear on the private network as a single address.
Choose one of the following methods:
Using static pool
Set the type of IP-address pool as static and the nameserver to the DNS server that is used to resolve internal hostnames:
Syntax
% set addressing pool-type static nameserver ip-address
Set the range of IP addresses in the static pool:
Syntax
% set addressing address-pool name_of_address-pool start ip-address end ip-address
Example
% set addressing address-pool hammerclients start 123.25.6.0 end 123.25.6.9
% commit
Commit succeeded.
Using DHCP
Set nameserver to the DHCP server that issues the IP addresses to be used for mobile devices when establishing IPSec tunnels.
Syntax
% set addressing pool-type dhcp nameserver ip-address domain domain_name
Example
% set addressing pool-type dhcp nameserver 123.25.678.90 domain acmehardware.com
% commit
Commit succeeded.
Data configured:
addressing {
address-pool StaticPool {
start 172.16.32.50;
end 172.16.63.254;
enabled true;
gateway 0.0.0.0;
priority 100;
nameserver 0.0.0.0;
}
pool-type dhcp;
nameserver 123.45.678.90;
domain acmehardware.com;
}
Using NAT
Set nameserver to the DNS server that is used to resolve internal hostnames. Use 0.0.0.0 to use the system's nameserver.
Syntax
% set addressing pool-type nat nameserver ip-address
Example
% set addressing pool-type nat nameserver 0.0.0.0
% commit
Commit succeeded.
Data configured:
addressing {
pool-type nat;
nameserver 0.0.0.0;
address-pool 1 {
enabled true;
start 192.168.50.2;
end 192.168.50.255;
gateway 192.168.50.1;
netmask 255.255.255.0;
priority 100;
nameserver 0.0.0.0;
}
}
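The quick start mixes several kinds of values that the CLI cannot always check for you until commit time: port addresses with their netmask and gateway (Steps 1 and 9), the CRL cache-size range and the http:// or ldap:// restriction on override-url (Step 5), and the start/end addresses and nameservers of the address pools above. The following Python script is an added example, not the gateway's own validation and not code from this page: it picks the known elements out of planned "set" lines and flags inconsistent values before you paste them, so a slip such as an octet above 255 or a gateway outside the port's subnet is caught locally. The first four planned lines are the page's own examples (the fourth contains the octet 678, which is not a valid IPv4 address); the last two are constructed to show the other checks firing. The 0–5 MB cache-size range and the accepted URL schemes are taken from the CRL element table on this page.

```python
import ipaddress
from urllib.parse import urlsplit

IP_KEYS = ("address", "gateway", "netmask", "nameserver", "start", "end")
OTHER_KEYS = ("cache-size", "override-url")
CRL_CACHE_RANGE_MB = (0, 5)                  # range given in the CRL element table
CRL_URL_SCHEMES = ("http", "ldap")           # the only schemes the CRL checker accepts


def parse_set_command(line: str) -> dict:
    """Pick the known key/value pairs out of one 'set ...' line (prompt optional)."""
    tokens = line.split()
    if tokens and tokens[0] == "%":
        tokens = tokens[1:]
    found = {}
    for i in range(len(tokens) - 1):
        if tokens[i] in IP_KEYS or tokens[i] in OTHER_KEYS:
            found[tokens[i]] = tokens[i + 1]
    return found


def _ipv4(value: str):
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        return None


def check_set_command(line: str) -> list:
    """Return the problems found in one 'set' line; an empty list means it looks consistent."""
    kv = parse_set_command(line)
    problems = []
    ips = {}
    for key in IP_KEYS:
        if key in kv:
            ip = _ipv4(kv[key])
            if ip is None:
                problems.append(f"{key} {kv[key]!r} is not a valid IPv4 address")
            else:
                ips[key] = ip
    # Port configuration: the netmask must be contiguous and the gateway inside the subnet.
    if "netmask" in ips:
        base = ips.get("address", ipaddress.IPv4Address("0.0.0.0"))
        try:
            net = ipaddress.IPv4Network(f"{base}/{kv['netmask']}", strict=False)
        except ValueError:
            problems.append(f"netmask {kv['netmask']!r} is not a contiguous mask")
        else:
            gw = ips.get("gateway")
            unset = ipaddress.IPv4Address("0.0.0.0")   # 0.0.0.0 means "no gateway" in the data
            if "address" in ips and gw is not None and gw != unset and gw not in net:
                problems.append(f"gateway {gw} is not in subnet {net}")
    # Address pool: start must not be above end.
    if "start" in ips and "end" in ips and ips["start"] > ips["end"]:
        problems.append(f"pool start {ips['start']} is above end {ips['end']}")
    # CRL policy elements.
    if "cache-size" in kv:
        lo, hi = CRL_CACHE_RANGE_MB
        size = kv["cache-size"]
        if not (size.isdigit() and lo <= int(size) <= hi):
            problems.append(f"cache-size {size!r} outside {lo}-{hi} MB")
    if "override-url" in kv:
        scheme = urlsplit(kv["override-url"]).scheme.lower()
        if scheme not in CRL_URL_SCHEMES:
            problems.append(f"override-url scheme {scheme!r} unsupported; use http:// or ldap://")
    return problems


def check_commands(lines) -> dict:
    """Map each offending 'set' line to its problems; an empty dict means all lines passed."""
    report = {}
    for line in lines:
        stripped = line.strip().lstrip("%").strip()
        if not stripped.startswith("set "):
            continue                               # commit lines, prompts, output: skipped
        problems = check_set_command(stripped)
        if problems:
            report[line] = problems
    return report


# Constructed list of planned lines: the first four are this page's own examples,
# the last two are deliberately wrong (example.invalid is a placeholder host).
PLANNED = [
    "% set ports ethernet0 address 192.168.30.202 gateway 192.168.30.1 netmask 255.255.255.0",
    "% set addressing address-pool hammerclients start 123.25.6.0 end 123.25.6.9",
    "% set aaa pki certificate-revocation crl policy required cache-size 5 override-url http://192.168.25.56/CRL_Location",
    "% set addressing pool-type dhcp nameserver 123.25.678.90 domain acmehardware.com",
    "% set ports ethernet1 address 192.168.3.79 netmask 255.255.255.0 gateway 192.168.4.1",
    "% set aaa pki certificate-revocation crl policy required cache-size 9 override-url https://crl.example.invalid/crl",
]

if __name__ == "__main__":
    for line, problems in check_commands(PLANNED).items():
        print(line)
        for p in problems:
            print("   -", p)
```

The parser knows nothing about the CLI grammar; it only recognises the element names listed in IP_KEYS and OTHER_KEYS, so a misspelled element passes through unchecked and the gateway's own commit remains the authority. Keep the planned lines in a file, run the script, and paste only once it reports nothing.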
Step 8: Configure the gateway for IKE settings
The gateway supports IKE phase 1 parameters to set up a secure tunnel between the gateway and client. IKE phase 2 parameters set up the authenticated, encrypted data transfer from the client to the gateway. For more information about all available parameters for configuring IKE phase 1 and phase 2, see Configuring IPsec using IKEv2 protocol.
Syntax
% set security ike ike_parameter_name ike_parameter_value
Example
% set security ike cipher aes_192 admin-state up
% commit
Commit succeeded.
Step 9: (Optional) Configure the public interface
If you are using static addressing for your public interface (ethernet1), configure the public interface to allow a secured app to connect to the gateway (create an IPSec tunnel). For example:
Example
% set ports ethernet1 address 192.168.3.79 netmask 255.255.255.0 gateway 192.168.3.1
% commit
Commit succeeded.
If you are using DHCP, you do not need to configure this interface.