secure access link 1.8 gateway implementation guide
Post on 04-Jun-2018
8/13/2019 Secure Access Link 1.8 Gateway Implementation Guide
Secure Access Link 1.8
SAL Gateway Implementation Guide
Doc ID: 143291
Sept 2011
Issue Number: 26
2010 Avaya Inc. All rights reserved.
Notice
While reasonable efforts were made to ensure that the information in this document was complete and accurate at the time of printing, Avaya Inc. can assume no liability for any errors. Changes and corrections to the information in this document may be incorporated in future releases.
Documentation disclaimer
Avaya Inc. is not responsible for any modifications, additions, or deletions to the original published version of this documentation unless such modifications, additions, or deletions were performed by Avaya. Customer and/or End User agree to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation to the extent made by the Customer or End User.
Link disclaimer
Avaya Inc. is not responsible for the contents or reliability of any linked Web sites referenced elsewhere within this documentation, and Avaya does not necessarily endorse the products, services, or information described or offered within them. We cannot guarantee that these links will work all of the time and we have no control over the availability of the linked pages.
Warranty
Avaya Inc. provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya's standard warranty language, as well as information regarding support for this product, while under warranty, is available through the following Web site: http://www.avaya.com/support
Copyright
Except where expressly stated otherwise, the Product is protected by copyright and other laws respecting proprietary rights. Unauthorized reproduction, transfer, and/or use can be a criminal, as well as a civil, offense under the applicable law.
Open Source Attribution
The Product utilizes open source and third-party software. For copyright notifications and license text of third-party open source components, please see the file named Avaya/Gateway/LegalNotices.txt in the directory in which you have installed the software.
Avaya support
Avaya provides a telephone number for you to use to report problems or to ask questions about your product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://www.avaya.com/support.
Contents
PREFACE
Purpose
Audience
Conventions used
Contacting Avaya technical support
1: INTRODUCTION TO SAL GATEWAY
Secure Access Link overview
SAL egress model
SAL features
SAL Gateway overview
Summary of SAL Gateway features
Other SAL components
Concentrator servers
Secure Access Policy Server
How the SAL components work
2: SAL GATEWAY INSTALLATION AND UNINSTALLATION
Software installation prerequisites
Hardware and software requirements
Preinstallation tasks
Registering SAL Gateway
Customer responsibilities and preconditions
Items required for SAL
Optional items for SAL
Installing the SAL Gateway using the GUI
Updating IPtables
Disabling SELinux
Additional firewall rules for remote administration of the SAL Gateway
Configuring facilities to write logs: GUI or interactive mode
Configuring facilities to write logs: Command line or unattended mode
Changing the owner of the SSL directory to installation user
Restarting SAL Gateway services
Installing SAL Gateway in the command line mode
Uninstalling SAL Gateway using the GUI
Uninstalling SAL Gateway using the command line mode
Postinstallation configuration
Testing the functions of the SAL Gateway
Testing the functions of the Gateway UI
Upgrading the SAL Gateway
Modes of SAL Gateway upgrade installations
3: SAL GATEWAY CONFIGURATIONS
Accessing the SAL Gateway interface for configuration
User authentication
SAL Gateway home page
Configuring the administration of the SAL Gateway
Configuring SAL Gateway
Configuring a managed element
Editing the managed element configuration
Deleting the record for a managed element
Exporting managed element data
Viewing SAL Gateway diagnostic information
Run diagnostics
Refresh
Show report
Configuring with an LDAP server
Configuring with a proxy server
Configuring SAL Gateway communication with a Secure Access Concentrator Core Server
Editing FQDN values for alarming
Configuring SAL Gateway communication with a Secure Access Concentrator Remote Server
Configuring with a Secure Access Policy Server
PKI
Configuring PKI
Creating mappings
Configuring local roles
Mapping local groups to roles
Adding a local role mapping
Editing a local role mapping
Configuring OCSP/CRL
Customer authentication and authorization of remote access attempts
Configuring an NMS server
Managing Service Control
Managing certificates
Certificate authority
Viewing additional certificate information
Uploading a certificate
Deleting a certificate
Resetting certificates to factory settings
Importing and exporting certificates to the SAL Gateway trust keystore
Importing certificates
Exporting certificates
Using Apply Configuration Changes
Logging out
4: SYSLOG FOR SAL GATEWAY
About Syslog
Syslogd service
Syslog for SAL Gateway logging
Configuring syslog
Editing the syslog configuration file
Viewing logs
Log Viewer
5: SAL GATEWAY INVENTORY
Inventory collection process
Using the SAL Gateway UI to view and control inventory
Viewing inventory
Exporting an inventory report
Collecting inventory on-demand for a device
Adding and updating credentials for inventory collection
Types of credentials
Using credentials delivered from Avaya
Using user defined credentials
Adding SNMP credentials
Editing credentials
Role of the SAL model in inventory collection
SAL model
CIM
Data elements in an inventory report
Inventory diagnostics
Troubleshooting for inventory
Viewing inventory log files
6: MONITORING THE HEALTH OF MANAGED DEVICES
SAL Gateway heartbeat functionality
Checking the health of monitored Communication Manager servers
Viewing heartbeat monitoring configuration for a managed device
Starting health status monitoring for a managed device
Suspending health monitoring for a managed device
Starting and stopping monitoring service
Configuration for heartbeat monitoring in models
APPENDIX-1
Backing up and restoring SAL Gateway
APPENDIX-2
Installing Red Hat Enterprise Server 5.0
Necessary Linux packages (minimum)
APPENDIX-3
Installing Java 1.5
APPENDIX-4
SNMP traps
List of traps that the SAL Watchdog can generate
APPENDIX-5
Product alarm configuration
Communications Manager
Modular Messaging Application Server
Enabling SNMP
Configuring alarming
Configuring inventory collection
Application Enablement Services
Release 4.2
Administering Product ID
Enabling SNMP
Release 5.2.1
SNMP components for AE Services
Administering Product ID
Enabling SNMP
G860 High Density Trunk Gateway
Enabling SNMP
Voice Portal
Enabling SNMP
APPENDIX-6: REDUNDANCY FOR SAL GATEWAY
Redundant gateways for remote access, alarming, and inventory
APPENDIX-7: SAL GATEWAY DIAGNOSTICS
SAL Diagnostics: General concept of operation
Complete, annotated, diagnostic output
Data Transport Component Diagnostics
HeartBeat Component Diagnostics
Configuration Change Component Diagnostics
NmsConfig Component Diagnostics
ProductConfig Component Diagnostics
Inventory Component Diagnostics
Alarm Component Diagnostics
Agent Mgmt Component Diagnostics
CLINotification Component Diagnostics
LogManagement Component Diagnostics
LogForwarding Component Diagnostics
ConnectivityTest Component Diagnostics
AxedaDiagnostics Component Diagnostics
Linux Diagnostic Component Diagnostics
Additional information that diagnostics returns
Troubleshooting for SAL Gateway diagnostics
GLOSSARY
Preface
Purpose
The SAL Gateway Implementation Guide explains how to install and configure a SAL Gateway.
Audience
This document is for the use of service personnel who:
Install the gateway
Configure the gateway for the remote service of managed devices
Conventions used
Font: Bold is used for:
o Emphasis
o User interface labels
Example: Click Next.
Font: Courier New, Bold is used for commands.
Example: Execute the command unzip SAL.zip.
Font: Courier is used for GUI output.
Example: The directory already exists!
Font: Verdana, with expanded character spacing is used for inputs.
Example: You must enter the value abc.
Contacting Avaya technical support
If you still have questions after reading this manual, or the online help for the SAL Gateway installer, you can contact Avaya Inc. for technical support.
Avaya Support
Mail: Avaya Inc. 211 Mt. Airy Road, Basking Ridge, NJ 07920, USA
Internet: http://support.avaya.com
Phone: +1 (866)-GO-AVAYA
1: Introduction to SAL Gateway
Secure Access Link overview
Secure Access Link (SAL) is an Avaya serviceability solution for support and remote management of a variety of devices and products. SAL provides remote access, alarm reception and inventory capabilities. SAL uses the existing Internet connectivity of the customer to facilitate remote support from Avaya. All communication is outbound from the customer's environment over port 443 using HTTPS.
SAL egress model
As egress filtering is considered an important best practice, SAL provides an egress model of remote access that includes customer policy management of remote access, file transfers, and egress data flow. This gives the customer complete control over whether access to their devices is permitted or not. All connectivity is fundamentally established from the network of the customer. As SAL facilitates remote access in an egress fashion by having the SAL Gateway send HTTPS requests to Avaya, customers need not expose open ports on the Gateway to the Internet. SAL supports any TCP-based application layer protocol including the following: SSH, HTTPS, telnet, sftp, ftp, and RDC.
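An added example, not part of the Avaya guide: a small Python audit that checks perimeter flow records against the egress model described above (the Gateway initiates only TCP/443 connections outward, and nothing outside the customer network connects in to it). The record format, the Gateway address, the concentrator addresses and the internal ranges are all assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# Every value below is constructed for illustration (assumptions, not from the guide).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GATEWAY = "10.20.30.40"                              # hypothetical SAL Gateway host
CONCENTRATORS = {"198.51.100.10", "198.51.100.11"}   # placeholder concentrator addresses
SAL_EGRESS_PORT = 443                                # the guide: outbound HTTPS on port 443

INBOUND = "inbound connection to the gateway from outside the customer network"
NON_HTTPS = "gateway egress that is not tcp/443"
UNKNOWN_DST = "tcp/443 egress to a host that is not a listed concentrator"

# Constructed flow records, one new connection per line: proto initiator responder dport
SAMPLE_FLOWS = """\
tcp 10.20.30.40  198.51.100.10 443    # gateway polls a concentrator
tcp 10.20.30.40  198.51.100.11 443    # gateway polls the other concentrator
udp 10.20.30.15  10.20.30.40   162    # managed device sends an alarm, internal only
tcp 203.0.113.77 10.20.30.40   22     # Internet host connects in
tcp 10.20.30.40  203.0.113.9   443    # HTTPS to an unlisted external host
tcp 10.20.30.40  198.51.100.10 8080   # egress on a port other than 443
"""


class Flow(NamedTuple):
    proto: str
    src: str      # initiator of the connection
    dst: str      # responder
    dport: int


def is_internal(addr, nets=INTERNAL_NETS):
    """True when addr falls inside one of the customer's internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def parse_flows(text):
    """Parse the whitespace-separated record format above, ignoring # comments."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        proto, src, dst, dport = line.split()
        flows.append(Flow(proto.lower(), src, dst, int(dport)))
    return flows


def audit(flows, gateway, concentrators):
    """Return (flow, reason) pairs for every record that breaks the egress model."""
    findings = []
    for f in flows:
        if f.dst == gateway and not is_internal(f.src):
            # Nothing on the Internet should be able to open a connection to the gateway.
            findings.append((f, INBOUND))
        elif f.src == gateway and not is_internal(f.dst):
            if f.proto != "tcp" or f.dport != SAL_EGRESS_PORT:
                findings.append((f, NON_HTTPS))
            elif f.dst not in concentrators:
                findings.append((f, UNKNOWN_DST))
        # Internal-to-internal traffic (managed devices, local admin) is out of scope here.
    return findings


if __name__ == "__main__":
    for flow, reason in audit(parse_flows(SAMPLE_FLOWS), GATEWAY, CONCENTRATORS):
        print(f"{flow.proto} {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

The concentrator allowlist is stricter than the text requires; drop that branch if the destinations are not pinned at the firewall.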
SAL features
SAL provides the following features:
Enhanced availability and reliability of supported products through secure remote access
Support for service provision from Avaya, partners, system integrators, or customers
Administration of alarming through configuration changes
Elimination of the requirement for modems and dedicated telephone lines at the customer sites
Security features:
Communication initiated from customer networks (egress connectivity model)
Detailed logging
Support for Public Key Infrastructure (PKI)-based user certificates for Avaya support personnel to remotely access managed devices
Authentication that customers control
Rich authorization management based on policy
Support for local access and management options
Reduced firewall and network security configuration
SAL Gateway overview
SAL Gateway is a software package that:
Facilitates remote access to support personnel and tools that need to access supported devices
Collects and sends alarm information to a Secure Access Concentrator Core Server on behalf of the managed devices
Provides a user interface to configure its interfaces to managed devices, Concentrator Remote and Core Servers, and other settings
The SAL Gateway is installed on a Red Hat Enterprise Linux host in the customer network and acts as an agent on behalf of several managed elements. It receives alarms from products and forwards them to the Secure Access Concentrator Core Server.
The SAL Gateway polls the Secure Access Concentrator Servers with Hypertext Transfer Protocol Secure (HTTPS) for connection requests and authorizes connection requests in conjunction with the Secure Access Policy Server. The use of the policy server is optional.
The SAL Gateway also sends alarms through HTTPS to the Secure Access Concentrator Core Server as they are received, and periodically polls with HTTPS to report availability status.
The SAL Gateway provides remote access to those devices that are configured for remote access within it. It controls connections to managed elements, new or updated models; and verifies certificates for authentication. The SAL Gateway also communicates with a Secure Access Concentrator Remote Server.
Note
The SAL model is a collection of the alarming configuration, inventory configuration and SAL Gateway component configurations that define how a SAL Gateway provides service to a particular set of remotely managed devices.
Summary of SAL Gateway features
The SAL Gateway user interface provides access to administer the following SAL Gateway settings:
Secure Access Concentrator Remote and Core Server host names
Proxy servers
Managed device connectivity
Policy server and LDAP authentication
Network Management Server details
The ability to view SAL Gateway logs
SAL Gateway status and diagnostic capabilities
Other SAL components
This section provides descriptions of other SAL components.
Concentrator servers
There are two Concentrator servers:
Secure Access Concentrator Core Server (SACCS) that handles alarming and inventory
Secure Access Concentrator Remote Server (SACRS) that handles remote access, and updates models and configuration
Secure Access Policy Server
Customers can deploy an optional Secure Access Policy Server (Policy server) that centrally defines and manages access and control policies. Gateways enforce the policies. The SAL Gateway polls the Policy server for updates on policies. The Policy server provides active monitoring and termination of remote access sessions. For more information on the Policy server, see Avaya Secure Access Link, Secure Access Policy Server: Installation and Maintenance Guide.
While policy decisions can be made in the SAL Gateway or the Secure Access Policy Server, it is the SAL Gateway that enforces all policies.
Policy server capacity
The policy server can support up to 500 managed devices, regardless of how many gateways are used. The combination can have many variations:
One gateway with 500 managed devices
100 gateways with the gateway and four additional managed devices each
250 gateways, each with only the gateway and one managed device
500 gateways, each with no managed device
How the SAL components work
The SAL Gateway relays alarms and heartbeats to the Secure Access Concentrator Core Server. A SAL Gateway can collect alarms through the receipt of SNMP traps or the receipt of Initialization and Administration System (INADS) alarms. It provides the collected alarm information to the upstream Secure Access Concentrator Core Enterprise Server.
Note
For a list of SNMP traps that can help you plan how your Network Management System (NMS) responds to events, see Appendix-4.
SAL provides remote access to managed devices through HTTPS requests originating inside a customer network. SAL Gateway customers have ultimate control over all SAL facilitated access to their devices. All connectivity is originally established from the network of the customer, and customer controlled SAL components enforce authorizations.
When a request for remote access reaches the Avaya Secure Access Concentrator Remote Enterprise Server, the request is sent to the gateway that authenticates the user and determines if the connection should be authorized.
2: SAL Gateway installation and uninstallation
Customers can install the SAL Gateways on computers they provide and maintain.
Avaya recommends that users back up any critical information or previous SAL Gateway versions before installing a SAL Gateway. The SAL Gateway software does not provide any backup capability. For the names of files you may want to back up, see Appendix-1: Backing up and Restoring SAL Gateway.
The SAL Gateway installer can be run interactively from a Linux desktop.
Software installation prerequisites
An installation of SAL 1.8 Gateway must satisfy a minimum set of software and hardware requirements. For a list of necessary Linux packages, see Necessary Linux packages.
Note
The computer that is used to download the software requires the following browser versions: IE 6.0 or IE 7.0, or Firefox 3.x with the FireFTP plug-in. The plug-in is required only if the software is downloaded from:
Linux
An FTP server
Within Firefox
Hardware and software requirements
Component         Minimum Recommended
Operating System  ONLY Red Hat Enterprise Linux Server Release 5.0 32-bit for standalone gateways. No other versions are currently supported.
Processor         1 GHz
Hard Drive        40 GB free space
Memory            2 GB
Network           100 Mbps Ethernet or NIC
CD-ROM Drive      It may be useful for Red Hat installations.
2. Add managed devices to your SAL Gateway using the Solution Element IDs (SEID) provided to you in Step 1 and Step 3 (if requested).
Note
The first device to be added must be the SAL Gateway itself.
3. When you have added all your managed devices, complete Step 2 of the registration sheet for each managed device you added to your gateway, and send this sheet to salreg@avaya.com.
When the SAL Gateway registration sheet with Step 2 completed reaches Avaya, the Avaya Registration team makes the appropriate changes to allow access to your managed devices through the SAL Gateway.
By means of an e-mail Avaya confirms that remote access to your product has been enabled through your SAL Gateway.
4. This step is applicable if the SAL Gateway supports alarming for the managed device. Change the alarm destination on your managed devices, if necessary, so that alarms are routed to your SAL Gateway. Consult your product documentation to accomplish this task. For steps to change alarm destinations for the most common Avaya applications, see Appendix-5.
Customer responsibilities and preconditions
The SAL Gateway runs on customer-provided hardware with a customer-installed operating system. The customer owns the control and care of the hardware and the operating system.
A customer has the following responsibilities:
Items required for SAL
Install Red Hat Enterprise Linux 5.0.
Note
For the procedure to install RHEL 5.0, see Appendix-2.
Install JRE 1.5.
Note
For the procedure to install Java 1.5, see Appendix-3.
Create user accounts and groups. For details on how to create a user and group for the SAL Gateway, see the section Identify SAL Gateway panel.
Acquire, maintain, and manage firewalls. General information on firewalls is available at en.wikipedia.org/wiki/Personal_firewall and en.wikipedia.org/wiki/Firewall_(networking).
Set up uninterruptible power supply (UPS). If you want to compare UPS Backup Power Systems from the leading Uninterruptible Power Supply manufacturers, see relevant information at www.42u.com/ups-systems.htm.
Back up and restore the SAL Gateway files and directories. For details, see Appendix-1.
Ensure that the Domain Name Server (DNS) is set up for the proper functioning of the SAL Gateway on the network.
Ensure the security of the platform for the SAL Gateway: some secure mechanism must be in place to prevent attacks on the SAL Gateway UI and unauthorized access to the SAL Gateway UI. One of the simple things you can do is to have proper user names and passwords for authorized users.
Restart the syslog service after the SAL Gateway installation.
Optional items for SAL
Set up the Pluggable Authentication Modules for Linux (PAM), if you want to use alternate authentication mechanisms such as LDAP.
Configure syslogd, if you want audit log entries to be written to an external server.
Install the Policy server on a different host, if you want to restrict remote access to a certain time window, set of people, a set of managed devices, or want to control automatic update of the product support models of the Gateway. For information on the Policy server, see Avaya Secure Access Link, Secure Access Policy Server: Installation and Maintenance Guide.
Install the required certificates if you want to use a Policy server.
Install the proxy server if the SAL Gateway needs to use a proxy to communicate with the Secure Access Concentrator Core and the Secure Access Concentrator Remote servers on the Internet.
Install the LDAP server, if you want to use LDAP-based authentication to the Gateway. You can also employ group-based policies for remote access.
Set up anti-virus software, if you want such protection for the SAL Gateway host.
Enter an appropriate system warning message. A text box on the SAL Gateway UI Log on page displays the default system usage warning:
This system is restricted solely to authorized users for legitimate business purposes only. The actual or attempted unauthorized access, use, or modification of this system is strictly prohibited. Unauthorized users are subject to company disciplinary procedures and or criminal and civil penalties under state, federal, or other applicable domestic and foreign laws. The use of this system may be monitored and recorded for administrative and security reasons. Anyone accessing this system expressly consents to such monitoring and recording, and is advised that if it reveals possible evidence of criminal activity, the evidence of such activity may be provided to law enforcement officials. All users must comply with all corporate instructions regarding the protection of information assets.
The /etc/issue file holds the text for the warning. It is the system administrator who edits this file and enters appropriate messages for system users.
Installing the SAL Gateway using the GUI
To install SAL Gateway in the GUI mode:
1. Download the SAL Gateway software. It is available at:
https://plds.avaya.com/poeticWeb/avayaLogin.jsp?ENTRY_URL=/esd/viewDownload.htm&DOWNLOAD_PUB_ID=SAL00000003
2. Log in to the system on which you want to install the SAL Gateway. Use administrator privileges from the GUI and open a new console on the GUI.
Note
Before you start, ensure that the JAVA_HOME variable is set on the machine on which you want to install the SAL Gateway. Set it at the same location as the JRE installation.
3. Create a directory in your home directory and copy the SAL.zip file there.
4. Execute the command unzip SAL.zip from the command line to unzip the SAL installable file.
5. Execute the command ./runInstaller.sh from the command line. The command invokes the installer GUI.
Using the installation panels
The system displays the Language selection panel. The default language is English.
1. Click OK.
The system displays the installation Welcome panel.
2. Click Next.
Avaya global software license terms
The system displays the Avaya global software license terms panel (Figure 2-1).
Figure 2-1: Avaya global software license terms
1. Click the I accept the terms of this license agreement option.
Note
You must accept the terms of the license agreement to continue with the installation. Until you accept the terms of the license agreement, the Next button on the panel remains unavailable.
2. Click Next.
Preinstall configuration audit
The system displays the Pre-install configuration audit panel (Figure 2-2).
Figure 2-2: Pre-install configuration audit
The system checks the configuration settings and displays the status of the following:
OS Version
RAM
Warning
Even with the Avaya recommended 2-GB RAM memory, your SAL Gateway may fail to format the alarms that reach it. If so, edit the startup timeout value in the file:
vi <Install_Dir_Path>/SpiritAgent/wrapper.config
Install_Dir_Path is the location where the SAL Gateway is installed.
The default startup timeout value in the file is 90 seconds. Edit the value so that the file displays the following value: wrapper.startup.timeout=180.
CPU Speed
Java Version
Java Vendor
Crucial checks
If the following checks fail, the installer cancels the installation.
Check for the availability of the JAVA_HOME environment variable
Check to discover whether the JAVA_HOME variable is set correctly
Check to discover whether the JAVA_HOME variable is set in the PATH variable and whether the version is 1.5, or a version higher than 1.5
The JAVA_HOME variable is set at the location where the JRE is installed.
Check to discover whether the /etc/hosts, /etc/sysconfig/network, and hostname commands have the same host name
Check to discover whether port 7443 is free
If the following check fails, the installer displays a warning and proceeds with the installation.
Check to discover whether the syslog, iptables and ntpd services are active
Note
Ensure that you have the required Java version and Java vendor, as these are mandatory requirements for the installation. Also ensure that there is adequate disk space on the system for the SAL Gateway pack.
Click Next on the Pre-install configuration audit panel.
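The crucial checks listed above can be rehearsed on the host before the installer is launched. The following shell sketch is an added example and is not part of the Avaya installer; the function names, the way each check is implemented (including reading "JAVA_HOME in PATH" as $JAVA_HOME/bin), and the sample netstat text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: rehearse the installer's crucial checks by hand.
# Function names and parsing rules are assumptions, not Avaya's code.

# java_version_ok VERSION: 0 if VERSION is 1.5 or higher, 1 if lower,
# 2 if unparseable. Accepts "1.5.0_22" as well as "11.0.2" or "17".
java_version_ok() {
    jv=${1%%[_+-]*}                      # drop update/build suffix
    jv_major=${jv%%.*}
    jv_rest=${jv#*.}
    if [ "$jv_rest" = "$jv" ]; then jv_rest=0; fi
    jv_minor=${jv_rest%%.*}
    case "$jv_major" in ''|*[!0-9]*) return 2 ;; esac
    case "$jv_minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$jv_major" -gt 1 ]; then return 0; fi
    [ "$jv_major" -eq 1 ] && [ "$jv_minor" -ge 5 ]
}

# hostname_consistent HOSTS_FILE NETWORK_FILE NAME: 0 when NAME (the output
# of `hostname`) equals HOSTNAME= in NETWORK_FILE and appears in HOSTS_FILE.
hostname_consistent() {
    hc_net=$(sed -n 's/^[[:space:]]*HOSTNAME=//p' "$2" 2>/dev/null |
             tail -n 1 | tr -d '"')
    [ "$hc_net" = "$3" ] || return 1
    awk -v want="$3" '
        { sub(/#.*/, "") }                          # strip comments
        { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# port_listening PORT: 0 when `netstat -ltn` text on stdin shows a listener
# on PORT, in either the IPv4 "0.0.0.0:7443" or IPv6 ":::7443" form.
port_listening() {
    awk -v port="$1" '
        $NF == "LISTEN" { n = split($4, part, ":"); if (part[n] == port) hit = 1 }
        END { exit(hit ? 0 : 1) }'
}

# Constructed sample: netstat output from a host where port 7443 is taken.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address   State
tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN
tcp        0      0 :::7443         :::*              LISTEN
EOF
}

# run_live_audit: apply the checks to this host. A non-zero return mirrors
# the installer cancelling; inactive services only produce a warning.
run_live_audit() {
    rc=0
    if [ -z "${JAVA_HOME:-}" ] || [ ! -x "$JAVA_HOME/bin/java" ]; then
        echo "FAIL: JAVA_HOME is unset or does not point at a JRE"; rc=1
    else
        case ":$PATH:" in
            *":$JAVA_HOME/bin:"*) ;;
            *) echo "FAIL: \$JAVA_HOME/bin is not in PATH"; rc=1 ;;
        esac
        ver=$("$JAVA_HOME/bin/java" -version 2>&1 |
              sed -n '1s/.*"\(.*\)".*/\1/p')
        java_version_ok "$ver" ||
            { echo "FAIL: Java '$ver' is older than 1.5 or unreadable"; rc=1; }
    fi
    hostname_consistent /etc/hosts /etc/sysconfig/network "$(hostname)" ||
        { echo "FAIL: host name differs between files and hostname"; rc=1; }
    if netstat -ltn 2>/dev/null | port_listening 7443; then
        echo "FAIL: port 7443 is already in use"; rc=1
    fi
    for svc in syslog iptables ntpd; do
        /sbin/service "$svc" status >/dev/null 2>&1 ||
            echo "WARN: service $svc is not active"
    done
    return $rc
}

# Only touch the real host when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then run_live_audit; fi
```
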
Selecting the installation path
The system displays the Installation path panel. The panel displays the default installation path.
1. If this is the path you want, click Next to install the files in the default directory.
If the default path directory already exists, the system displays a warning: The directory already exists! Are you sure you want to install here and possibly overwrite existing files?
2. Click Yes or No.
Option  Result
Yes     Overwrites the directory.
No      The system displays the SAL Gateway Pack selection page.
3. Click Browse to select the location details for the installation, if you need to change the default path.
Note
Avaya recommends that you select a new folder for the installer. To create a target directory on the system, specify a directory name. Click OK on the box that the system displays.
4. Click Next.
Selecting packs
The system displays the Packs selection panel (Figure 2-3).
Figure 2-3: Packs selection
1. Select the AgentGateway check box if it is not already selected.
When you select the pack, the system displays the size of the pack, the SAL Gateway description, and details of the required space and the available space.
2. Click Next.
Changing system configuration files
The system displays the Change system configuration files panel (Figure 2-4).
Figure 2-4: Change system configuration files
1. Select the Iptable check box.
Caution
Failure to update the IPTables renders the SAL Gateway user interface inaccessible and prevents SNMP traps from reaching the Gateway.
2. Select the Syslog check box.
Note
Syslog is the logging tool for SAL Gateway. The Gateway installer edits the /etc/syslog.conf file if you select the Syslog check box. If you clear the check box, you must edit the /etc/syslog.conf file. Failure to do this might result in the Gateway components not writing syslog and logging after the installation.
3. Click Next.
Updating IPtables
1. If you clear the Iptable check box on the Change system configuration files panel during a SAL Gateway installation, update the IPtables with the following commands:
/sbin/iptables -I INPUT -i lo -j ACCEPT
/sbin/iptables -I INPUT -p udp -m udp --dport 8162 -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 5108 -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 5107 -j ACCEPT
/sbin/iptables -I INPUT -p udp -m udp --dport 162 -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 7443 -j ACCEPT
/sbin/iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p udp -m udp --dport 162 -j REDIRECT --to-ports 8162
2. Execute the following command to save the iptables configuration:
service iptables save
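To confirm that the manual rules above took effect, the saved ruleset can be compared against the list. The following shell function is an added example and is not part of the SAL Gateway software; the function names and the sample iptables-save text are constructed for illustration. It also shows why the guide inserts with -I: an ACCEPT rule that sits after an unconditional REJECT or DROP in the INPUT chain never matches, so it is reported as missing.

```shell
#!/bin/sh
# Added example (not Avaya code): report which of the guide's iptables rules
# are absent from, or shadowed in, `iptables-save` output read on stdin.
missing_sal_rules() {
    awk '
    /^\*/ { table = substr($0, 2); next }           # "*filter", "*nat"
    $1 == "-A" {
        chain = $2
        proto = dport = target = iface = state = toports = ""
        for (i = 3; i < NF; i++) {
            if      ($i == "-p")         proto   = $(i + 1)
            else if ($i == "--dport")    dport   = $(i + 1)
            else if ($i == "-j")         target  = $(i + 1)
            else if ($i == "-i")         iface   = $(i + 1)
            else if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
            else if ($i == "--to-ports") toports = $(i + 1)
        }
        if (table == "filter" && chain == "INPUT") {
            # A rule whose first option is the target matches every packet,
            # so nothing placed after such a REJECT or DROP is ever reached.
            if ($3 == "-j" && (target == "REJECT" || target == "DROP"))
                shadowed = 1
            if (target == "ACCEPT" && !shadowed) {
                if (dport != "")
                    seen["INPUT " proto " " dport] = 1
                else if (iface == "lo")
                    seen["INPUT lo"] = 1
                else if (state ~ /RELATED/ && state ~ /ESTABLISHED/)
                    seen["INPUT state"] = 1
            }
        }
        if (table == "nat" && chain == "PREROUTING" && target == "REDIRECT" &&
            proto == "udp" && dport == "162" && toports == "8162")
            seen["PREROUTING udp 162 to 8162"] = 1
    }
    END {
        list = "INPUT lo|INPUT udp 8162|INPUT tcp 5108|INPUT tcp 5107"
        list = list "|INPUT udp 162|INPUT tcp 7443|INPUT state"
        list = list "|PREROUTING udp 162 to 8162"
        n = split(list, want, "|")
        for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i]
    }'
}

# Constructed sample: tcp/5107 was appended with -A after the REJECT, and
# the nat redirect of 162 to 8162 was never added.
sample_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7443 -j ACCEPT
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5108 -j ACCEPT
-A INPUT -p udp -m udp --dport 8162 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 5107 -j ACCEPT
COMMIT
EOF
}

# On a gateway, as root: /sbin/iptables-save | missing_sal_rules
sample_ruleset | missing_sal_rules
```

An empty result means every rule from the list is present and reachable. The check does not follow jumps into user-defined chains.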
Disabling SELinux
Disable SELinux on the SAL Gateway. Even with the Iptables rules provided in this section, the SAL Gateway fails to function properly if SELinux is in the enforcing mode.
1. To disable SELinux, log in to the SAL Gateway and execute the command:
system-config-securitylevel-tui
2. For SELinux, select the option Disabled, and click OK.
Additional firewall rules for remote administration of the SAL Gateway
The SAL Gateway requires additional firewall rules for its remote administration. These rules are not required for the proper functioning of the SAL Gateway, but are necessary for remote access and troubleshooting.
1. To allow remote administration of the SAL Gateway, execute the following commands:
/sbin/iptables -I INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT
2. Execute the following command to save the iptables configuration:
service iptables save
Configuring facilities to write logs: GUI or interactive mode
If you select the SYSLOG check box on the Change system configuration files panel during a SAL Gateway installation, the SAL Gateway installer automatically edits the /etc/syslog.conf file if Local0, Local4 and Local5 are not already configured. If the facilities are configured, the installer displays the following warning on the Installation Progress panel: Do you want to continue? The box also displays the explanation: SAL Gateway syslog log files are mixing with the customer syslog log files.
The panel provides two options:
No: Rolls back the installation
Yes: Continues the installation
Configuring facilities to write logs: Command line or unattended mode
In the command line mode of SAL Gateway installation, the installer logs the warning regarding the configuration of facilities and rolls back the installation.
You can choose either of two options to continue with the installation:
Option 1
1. In the AgentGateway_Response.properties file for the command line installation, change the value to SYSLOGSelect=false.
2. Edit the syslog configuration file manually.
Option 2
Install the SAL Gateway in the GUI or interactive mode.
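Because the unattended installer rolls back when Local0, Local4 or Local5 are already configured, it helps to inspect the syslog configuration before starting. The following shell function is an added example and is not part of the SAL Gateway installer; its name, its reading of "configured" (a selector that names the facility explicitly with a priority other than none), and the sample file are assumptions.

```shell
#!/bin/sh
# Added example (not Avaya code): list which of local0, local4 and local5
# already appear in a syslog.conf, so a conflict is known before an
# unattended install. Assumption: "configured" means a selector names the
# facility explicitly with a priority other than "none".
# Usage: sal_facilities_in_use /etc/syslog.conf   (or pipe the text on stdin)
sal_facilities_in_use() {
    awk '
    /^[ \t]*#/ { next }                          # comment lines
    NF == 0    { next }                          # blank lines
    {
        n = split($1, sel, ";")                  # "a.b;c.d" into selectors
        for (i = 1; i <= n; i++) {
            dot = index(sel[i], ".")
            if (dot == 0) continue
            prio = tolower(substr(sel[i], dot + 1))
            if (prio == "none") continue         # exclusion, not a use
            m = split(tolower(substr(sel[i], 1, dot - 1)), fac, ",")
            for (j = 1; j <= m; j++)
                if (fac[j] ~ /^local[045]$/) used[fac[j]] = 1
        }
    }
    END {
        if ("local0" in used) print "local0"
        if ("local4" in used) print "local4"
        if ("local5" in used) print "local5"
    }' ${1:+"$1"}
}

# Constructed sample resembling a RHEL 5 syslog.conf with one site rule.
sample_syslog_conf() {
cat <<'EOF'
# Log anything of level info or higher, except private facilities.
*.info;mail.none;authpriv.none;cron.none;local5.none   /var/log/messages
authpriv.*                                              /var/log/secure
local7.*                                                /var/log/boot.log
# site rule (constructed): application audit trail
local0,local4.notice                                    @loghost.example.com
EOF
}

# Prints local0 and local4; local5 appears only as an exclusion.
sample_syslog_conf | sal_facilities_in_use
```

Any facility printed here is one the installer would find already configured, which is the case Option 1 and Option 2 above address.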
Identifying the SAL Gateway
The system displays the Identify SAL Gateway panel (Figure 2-5).
Figure 2-5: Identify SAL Gateway
1. Enter the credentials for the SAL Gateway server identification: Solution Element ID, Alarm/Inventory ID, and IP Address.
Field Name           Description
Solution Element ID  Avaya Solution Element ID is a unique identifier in the form (xxx)xxx-xxxx where x is a digit.
Alarm/Inventory ID   Avaya Alarm ID, also called Product ID, is a unique 10-character ID assigned to a device, for example, this SAL Gateway, and is used to report alarms to Avaya.
IP Address           IP address of the server where the SAL Gateway is being installed
If you fail to enter a value for the Solution Element ID field, the system displays the Input Problem message: Please provide valid Solution Element ID.
If you fail to enter a value for the Alarm/Inventory ID field, the system displays the Input Problem message: Please provide valid Alarm ID.
2. Click Next.
Note
If you have not yet submitted your request to Avaya for your Avaya Solution Element ID and Product/Alarm/Inventory ID, see step 2 in Registering SAL Gateway, in Chapter 2. You may not proceed past this point until you have an Avaya Solution Element ID and product/Alarm/Inventory ID. Your SAL Gateway starts operations only if you perform this step and enter these values.
The SAL Gateway and the Concentrator Servers, if deployed, are assigned Solution Element IDs and Product IDs and are treated as managed devices. These values help Avaya Services to uniquely identify your managed device if it raises an alarm. These values also help the Avaya Secure Access Concentrator Enterprise Remote Server facilitate remote access to these products.
Identifying the SAL Gateway user
The system displays the Identify SAL Gateway user panel (Figure 2-6).
Figure 2-6: Identify SAL Gateway user
The User Name field displays the default SAL user name, saluser.
The User Group field displays the default SAL user group, salgroup.
Click Next.
Note
You can edit the default user and user group names. The installer uses the names entered here to create a user and user group with these names. The SAL Gateway employs these users to start its components. The saluser owns the Gateway file system.
Configuring the Concentrator Core Server
The system displays the Concentrator Core Server configuration panel.
The SAL Gateway requires the following information to establish a connection to a Secure Access Concentrator Core Server for delivery of alarms and inventory information. If you use the default values, your SAL Gateway establishes a connection to the Avaya Secure Access Concentrator Core Server. The panel displays the Primary and Secondary location details for the Secure Access Concentrator Core Server.
The Platform Qualifier field displays the default value: Enterprise-production. Unless you are explicitly instructed, you must not change the default.
The Primary destination field displays the default host name: secure.alarming.avaya.com. The fully qualified host name of the Secure Access Concentrator Core server is the host name that the SAL Gateway first contacts.
The Port field displays the default port number for the primary destination: 443.
The Secondary destination field displays the default host name.
The Port field displays the default port number for the secondary destination.
Click Next.
Note
Entries for the secondary destination server and port are mandatory.
Configuring the Concentrator Remote Server
The system displays the Primary and Secondary location details for the Concentrator Remote Server configuration (Figure 2-7).
The SAL Gateway requires the information you provide here to contact the Secure Access Concentrator Remote Server (SACRS) for remote access.
Figure 2-7: Concentrator Remote Server Configuration
The Primary destination field displays the default host name: sl1.sal.avaya.com.
Note
The hostname sl1 has a lower case letter L and the number 1 following the letter s.
The Port field displays the default port number: 443.
The Secondary destination field displays the default host name.
The Port field displays the default port number.
Note
You can edit the default values on the panel if the defaults are not required.
Click Next.
Proxy settings
The system displays the Proxy settings panel (Figure 2-8).
Figure 2-8: Proxy settings
1. Select the Proxy Required check box for Internet access outside the firewall of the customer.
The system displays the Proxy server details.
Note
The use of the customer proxy server is optional and depends on the local configuration. This proxy works the way a proxy that is required for browsing does. If you have a company proxy in your Web browser, it is likely that you will need one in this context too.
You need a proxy server if there is no direct communication between the SAL Gateway and the Concentrator Servers. The SAL Gateway then uses the proxy server for communication with the Concentrator Servers.
2. Enter your proxy server details.
a. Select the HTTP, Authenticated HTTP or the SOCKS proxy type.
b. Enter the host name or the IP address of the proxy server.
If you fail to enter a host name for the proxy, the system displays the following Input Problem message: Please provide valid Host Name for Customer proxy.
c. Enter the port number of the proxy server.
If you fail to enter a port number for the proxy, the system displays the following Input Problem message: Please provide valid Port for Customer proxy.
SAL does not support SOCKS proxies that use authentication.
3. Click Next.
Proxy authentication settings
If you select the Authenticated HTTP option on the Proxy settings panel, the system displays the Proxy authentication settings panel (Figure 2-9).
1. In the User field, enter the user name.
If you fail to enter a user name for the proxy, the system displays the following Input Problem message: Please provide valid User Name for Customer proxy.
2. In the Password field, enter the password to be associated with the user name.
If you fail to enter a password for the proxy, the system displays the following Input Problem message: Please provide valid Password for Customer proxy.
3. Click Next.
Figure 2-9: Proxy authentication settings
Configuring the Policy server
The system displays the Policy server configuration panel (Figure 2-10).
Figure 2-10: Policy server configuration
The use of the policy server is optional. A policy server can be used without an LDAP server. If you decide to use a Policy server, enter the values for the host name and the port fields.
1. In the Hostname field, enter the host name or the IP address of the Policy server.
2. In the Port field, enter the port number of the Policy server.
3. Click Next.
Configuring the LDAP server
The system displays the LDAP server configuration panel (Figure 2-11).
Figure 2-11: LDAP server configuration
An LDAP server is necessary if you want group-based policies such as whitelists and blacklists. You must enter the details for the LDAP server.
1. In the Server Address field, enter the host name or the IP address of the LDAP server.
2. In the Port field, enter the port number of the LDAP Server.
3. In the Bind DN field, enter the Bind Distinguished Name of the LDAP Server.
This is the DN to use in binding to the LDAP server. The Bind operation authenticates the SAL Gateway to the LDAP server.
4. In the Password field, enter the password to be used in conjunction with the Bind Distinguished Name.
5. In the Base DN field, enter the Base Distinguished Name of the LDAP Server.
Base = base object search.
This is the DN of the branch of the directory where all searches should start. At the very least, this must be the top of your directory tree, but could also specify a subtree in the directory.
Example of Base DN: uid=people,dc=stanford,dc=edu
Changing the owner of the SSL directory to installation user
During a SAL Gateway installation, if you use the SAL Gateway Truststore Directory panel to select a location for the SSL directory other than the default AgentGateway installation directory, the saluser or the installation user requires certain permissions to make the SAL Gateway functional.
The saluser or the installation user requires these permissions to:
Read and write the spirit-trust.jks file located in the SSL directory
Copy any new file from the Certificate Management page of the SAL Gateway UI into this directory
Depending on preferences, SAL Gateway users can adopt any of several methods to provide these permissions, one of which is outlined. This method assumes the SSL directory chosen was /usr/local/ssl and changes the owner and group.
1. To change the owner and group of the SSL directory to the installation user and group, log in as root and execute the following command:
chown -R saluser:salgroup /usr/local/ssl/
2. If you want to provide permissions only for the files within the folder, execute the following command:
chown saluser:salgroup /usr/local/ssl/
This change helps the SAL Gateway administrator upload certificates from the Certificate Management page.
Caution
Ensure you grant these permissions immediately after you install the SAL Gateway. A SAL Gateway installation with insufficient permissions for the SSL folder adversely affects SAL Gateway services. Without these permissions, the Gateway UI and the Axeda Agent fail to start, and the SAL Agent fails to function properly.
Restarting SAL Gateway services
Restart the SAL Gateway services after you grant necessary permissions for the SSL folder.
1. Execute the following command to restart the Gateway UI service:
/sbin/service gatewayUI restart
2. Execute the following command to restart the Spirit Agent service:
/sbin/service spiritAgent restart
3. Execute the following command to restart the Axeda Agent service:
/sbin/service axedaAgent restart
Administration access for Avaya
The system displays the Administration access for Avaya panel (Figure 2-13).
Figure 2-13: Administration access for Avaya
The panel displays the Role field.
1. Enter a role for the Avaya technician.
You can select from the following roles:
Administrator
This role grants the user all permissions on all the UI pages except the following ones:
LDAP (Read only)
Policy Server (Read only)
PKI Configuration (Read only)
OCSP/CRL Configuration (Read only)
Certificate Management (Read only)
The Administrator role excludes permissions to edit security settings. Only a Security Administrator can change security settings and this role is not available to Avaya support personnel.
Browse
This role grants the user the Read only access permission to all pages.
Note
If you select Deny from the options, the user is denied access to the SAL Gateway user interface.
This panel is used to assign a role that defines permissions to the Avaya support personnel who may have to access the managed device to provide service.
2. Click Next.
Pack installation progress
The system displays the Pack installation progress panel (Figure 2-14).
Figure 2-14: Pack installation progress
The bars on the panel display the progress of the installation such as the parsing and the executing of files. The installer also creates the uninstaller pack and the uninstaller wrapper.
Note
The system does not display the Next and the Previous buttons until the installation is complete.
Click Next when all the files are unzipped and installed.
Installation summary
The system displays the Installation summary panel (Figure 2-15).
Figure 2-15: Installation summary
The panel displays the following information:
The installation status to show whether the installation process is complete or has failed
The package or packages that have been installed
The name of the installed SAL Gateway
The location details of the Uninstaller program
If you click Quit during a SAL Gateway installation, the system displays a box with the warning: This will cancel the installation!
1. Click Yes only if you want to quit the installation.
2. Click Done.
The SAL Gateway installer completes the installation procedure and reverts to the command mode.
Note
An Uninstaller directory is created under the installation directory, in the default directory >/Uninstaller. You can use the Uninstaller if you want to uninstall the Gateway. For uninstallation instructions, see the section Uninstalling SAL Gateway using the GUI.
You may occasionally have to back up the configuration and the data files, or make regular backups in accordance with company policies. In such cases, use the inherent capabilities of Red Hat Enterprise Linux 5.0 to back up the SAL Gateway installation.
Installing SAL Gateway in the command line mode
Refer to the following sections in this document before you undertake a SAL Gateway installation:
Preinstallation tasks
Customer responsibilities and preconditions
You can also use the command line mode to install the SAL Gateway.
Use the command:
./runInstaller.sh [-m gui/unattended] [-i ] [-o ]
where:
m is the parameter for mode.
You can specify either the GUI or the unattended mode for the installation.
i is the parameter for the input response file.
This is the response property file with key value pairs that the installer could use in the unattended or GUI mode to override the values specified in the default configuration file.
o is the parameter for the output response file.
This is the path of the response file the installer generates and could be used for an unattended installation.
Other options
r is the parameter for rollback with the options, true and false.
You can roll back the installation in the event of an error for the unattended mode of installation.
p has the options abort and ignore.
This continues or cancels the installation in the event of a prerequisite failure in the unattended mode of installation.
Command for Help
To view Help, use the following command:
./runInstaller.sh --help
Command to continue installation in the event of a preinstall audit failure
Use the following command if you want to ignore a preinstall audit failure during an installation:
./runInstaller.sh -m unattended -i AgentGateway_Response.properties -p ignore
Command to exit an installation in the event of a preinstall audit failure
Use the following command to exit an installation in the event of a preinstall audit failure.
./runInstaller.sh -m unattended -i AgentGateway_Response.properties
AgentGateway_Response.properties file
SAL provides an AgentGateway_Response.properties file with the SAL Gateway software. If you use the command line mode for a SAL Gateway installation, you can use this file to enter values for the SAL Gateway configurations done during an installation.
Information in the file Additional information
# Language selection code
localeISO3=eng
English is the default language the installer uses.
# Please read the License Agreement under the 'license' folder at the location of 'SAL.zip' extraction
agreelicence=Agree
To continue with the installation, the value of the agreelicence attribute must be Agree.
# Installation Path Information
INSTALL_PATH=/opt/avaya/SAL/gateway
You can change the default installation path, /opt/avaya/SAL/gateway. If you specify a new directory path, the installer creates the target directory on the system.
For more details, see the Installation path panel in the section Installing SAL Gateway using the GUI.
# pack name is fixed
packs=AgentGateway
The pack name is fixed. Do not change this information.
# If following values are true then GatewayInstaller update the IPTABLE and SYSLOG
IPTABLESelect=true
SYSLOGSelect=true
Keep the values for IPTABLESelect and SYSLOGSelect as true.
If the installation fails due to some syslog errors, change the value for SYSLOGSelect to false and reinstall SAL Gateway.
If you set the value for SYSLOGSelect to false, you must edit the /etc/syslog.conf file manually after the installation. If you fail to edit the file, the SAL Gateway components may not write syslog and logging after the installation. For more information, see Editing the syslog configuration file.
For more details, see the Change System Configuration Files panel in the section Installing SAL Gateway using the GUI.
# Agent Gateway Configuration mandatory fields
GATEWAY.SOLUTION.ELEMENTID=(777)000-9999
SPIRIT.ALARMID=1234567890
AGENTGATEWAY_IPADRESS=192.168.1.10
You must replace the representative values for ELEMENTID and ALARMID with the actual Solution Element ID and the Alarm or Product ID obtained from Avaya. For the procedure to obtain these numbers for your SAL Gateway, see Registering SAL Gateway.
You must replace the representative value for AGENTGATEWAY_IPADRESS with the actual IP address of the host server where the SAL Gateway is being installed.
For more details, see the Identify SAL Gateway panel in the section Installing SAL Gateway using the GUI.
# Select the USER_ACCOUNT and USER_GROUP of Agent Gateway mandatory fields
AGENTGATEWAY_USERNAME=saluser
AGENTGATEWAY_USERGROUP=salgroup
The username provided, if existing, must have the execute permissions to the Bash shell for the Gateway services to run successfully.
For more details, see the Identify SAL Gateway User panel in the section Installing SAL Gateway using the GUI.
# Avaya Enterprise Configuration mandatory fields
PRIMARY_AVAYA_ENTERPRISE_PASSPHRASE=Enterprise-production
PRIMARY_AVAYA_ENTERPRISE_URL=secure.alarming.avaya.com
PRIMARY_AVAYA_ENTERPRISE_PORT=443
Unless you are explicitly instructed, do not change these default values.
For more details, see the Concentrator Core Server Configuration panel and the Concentrator Remote Server Configuration panel in the section Installing SAL Gateway using the GUI.
PRIMARY_AXEDA_ENTERPRISE_URL=sl1.sal.avaya.com
PRIMARY_AXEDA_ENTERPRISE_PORT=443
# Avaya Enterprise Configuration Optional fields
SECONDARY_AVAYA_ENTERPRISE_URL=secure.alarming.avaya.com
SECONDARY_AVAYA_ENTERPRISE_PORT=443
SECONDARY_AXEDA_ENTERPRISE_URL=sl1.sal.avaya.com
SECONDARY_AXEDA_ENTERPRISE_PORT=443
If you have secondary Concentrator Core and Remote Servers for your environment, replace these values with actual values for the secondary destinations.
# Customer Proxy Configuration Optional fields
ProxySelect=false
CUSTOMER_PROXY_TYPE=HTTP
CUSTOMER_PROXY_HOSTNAME=localhost
CUSTOMER_PROXY_PORT=
CUSTOMER_PROXY_USER=
CUSTOMER_PROXY_PASSWORD=
The use of the customer proxy server is optional and depends on your local configuration.
To use a proxy server, make the following changes:
Change the value for ProxySelect to true.
According to your requirement, set the CUSTOMER_PROXY_TYPE field's value as one of the following:
- HTTP: For HTTP proxy without authentication
- AuthenticatedHTTP: For HTTP proxy with authentication
- SOCKS: For SOCKS proxy without authentication
For HOSTNAME, PORT, USER, and PASSWORD, specify the values according to your proxy server settings.
# Model Package Installation fields
MODEL_RADIO_SELECTION=OFFLINE
For model package installation, set one of the following two modes as the value of the MODEL_RADIO_SELECTION field:
ONLINE: When the installation mode is ONLINE, the SAL Gateway Installer communicates with the configured Concentrator Core Server located at Avaya or BP site to download and install the latest model package available at the Concentrator Core Server.
OFFLINE: When the mode is OFFLINE, the SAL Gateway Installer gets the model package from the location specified by the value of MODELS_INSTALL_PATH.
#Any local Path to Models package
MODELS_INSTALL_PATH=/var/Models.zip
For the offline installation mode of model package, this key-value pair specifies the file system path to the model package.
For the offline installation mode of model package, you must replace the representative value with the directory path where you have downloaded the model package.
You must download the model package from the global URL for the Enterprise server, for example, https://secure.alarming.avaya.com/repository/.
# Policy Server Configuration Optional fields
POLICY_SERVER_HOSTNAME=
POLICY_SERVER_PORT=
To use a policy server, enter the host name and port number of the policy server in the appropriate fields. Otherwise, keep the values blank.
# LDAP Server Configuration Optional fields
LDAP_SERVER_HOSTNAME=
LDAP_SERVER_PORT=
LDAP_SERVER_BINDDN=
LDAP_SERVER_BINDDN_PASSWORD=
LDAP_SERVER_BASEDN=
LDAP_SERVER_GROUP_BASEDN=
To use an LDAP server, enter appropriate values in the fields according to your LDAP server settings. Otherwise, keep the values blank.
For more details, see the LDAP Server Configuration panel in the section Installing SAL Gateway using the GUI.
# SNMP SubAgent Configuration Optional fields
SNMP_SERVER_HOSTNAME=127.0.0.1
SNMP_SERVER_PORT=705
The SNMP SubAgent needs the host name or the IP address, and the port number of the SNMP Master Agent to register itself with the Master Agent.
For more details, see the SNMP SubAgent configuration panel in the section Installing SAL Gateway using the GUI.
# Location of the SAL Gateway Truststore
UserPathPanelVariable=/opt/avaya/SAL/gateway/SSL
You can change the default path to/SSL.
For more details, see the SAL Gateway truststore directory panel in the section Installing SAL Gateway using the GUI.
# Assign Role to Avaya Technician
AVAYA_TECH_ASSIGNED_ROLE=Administrator
For details, see the Administration Access for Avaya panel in the section Installing SAL Gateway using the GUI.
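The rules this table states for the response file can be checked before an unattended installation is started. The following bash script is an added example, not part of the Avaya guide or the SAL installer: the function names are hypothetical, the owner-only file-mode check is an added hardening step (the file can hold the proxy and LDAP bind passwords in clear text), and accepting Deny as a file value is an assumption taken from the GUI option.

```bash
# prop FILE KEY: print the value of KEY (last uncommented assignment wins).
prop() {
    awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { sub(/[ \t\r]+$/, "", v); print v }' "$1"
}
fail() { echo "FAIL: $*"; problems=$((problems + 1)); }
check_response_file() {
    local f="$1" problems=0 v pair mode
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    # Added hardening, not from the guide: the file can hold
    # CUSTOMER_PROXY_PASSWORD and LDAP_SERVER_BINDDN_PASSWORD in clear text.
    mode=$(stat -c '%a' "$f")
    case "$mode" in *00) ;; *) fail "mode $mode lets group/other read stored passwords" ;; esac
    [ "$(prop "$f" agreelicence)" = "Agree" ] || fail "agreelicence must be Agree"
    [ "$(prop "$f" packs)" = "AgentGateway" ] || fail "packs must stay AgentGateway"
    # Representative values from the shipped file must be replaced.
    for pair in 'GATEWAY.SOLUTION.ELEMENTID=(777)000-9999' 'SPIRIT.ALARMID=1234567890'; do
        v=$(prop "$f" "${pair%%=*}")
        if [ -z "$v" ] || [ "$v" = "${pair#*=}" ]; then
            fail "${pair%%=*} is empty or still the representative value"
        fi
    done
    [ -n "$(prop "$f" AGENTGATEWAY_IPADRESS)" ] || fail "AGENTGATEWAY_IPADRESS is empty"
    # Role granted to Avaya support. Deny is the GUI option; accepting it
    # as a file value is an assumption of this example.
    case "$(prop "$f" AVAYA_TECH_ASSIGNED_ROLE)" in
        Administrator|Browse|Deny) ;;
        *) fail "AVAYA_TECH_ASSIGNED_ROLE must be Administrator, Browse or Deny" ;;
    esac
    if [ "$(prop "$f" ProxySelect)" = "true" ]; then
        case "$(prop "$f" CUSTOMER_PROXY_TYPE)" in
            HTTP|AuthenticatedHTTP|SOCKS) ;;
            *) fail "CUSTOMER_PROXY_TYPE must be HTTP, AuthenticatedHTTP or SOCKS" ;;
        esac
        [ -n "$(prop "$f" CUSTOMER_PROXY_PORT)" ] || fail "CUSTOMER_PROXY_PORT is empty"
    fi
    case "$(prop "$f" MODEL_RADIO_SELECTION)" in
        ONLINE) ;;
        OFFLINE) [ -f "$(prop "$f" MODELS_INSTALL_PATH)" ] || fail "MODELS_INSTALL_PATH not found" ;;
        *) fail "MODEL_RADIO_SELECTION must be ONLINE or OFFLINE" ;;
    esac
    [ "$(prop "$f" SYSLOGSelect)" != "false" ] ||
        echo "WARN: SYSLOGSelect=false, edit /etc/syslog.conf manually after install"
    [ "$problems" -eq 0 ]
}

# Constructed sample: shipped values, except ONLINE so no local model package is needed.
write_sample() {
    cat > "$1" <<'EOF'
agreelicence=Agree
packs=AgentGateway
GATEWAY.SOLUTION.ELEMENTID=(777)000-9999
SPIRIT.ALARMID=1234567890
AGENTGATEWAY_IPADRESS=192.168.1.10
ProxySelect=false
MODEL_RADIO_SELECTION=ONLINE
SYSLOGSelect=true
AVAYA_TECH_ASSIGNED_ROLE=Administrator
EOF
}

sample=$(mktemp) && write_sample "$sample" && chmod 644 "$sample"
check_response_file "$sample" || echo "fix the file before ./runInstaller.sh -m unattended"
rm -f "$sample"
```

The check returns non-zero when any rule fails, so it can gate the installer call in a provisioning script.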
Uninstalling SAL Gateway using the GUI
You can also uninstall the SAL Gateway.
Warning
Do not use the Quit option on the panel during an uninstallation procedure. If you click Quit, you can render your system unstable.
If you accidentally click Quit, the system displays a dialog box that seeks confirmation to quit the uninstallation. If you click Yes, the uninstallation process is disrupted and the system may be rendered unstable. You may then have to undertake a manual clean-up of the disk, and stop services manually.
To uninstall the SAL Gateway:
1. Log in to the system on which the SAL Gateway is installed.
2. From the GUI, use administrator permissions and open a new console on the GUI.
3. Navigate to the directory where you have already installed the SAL Gateway.
4. Browse within the directory and locate the Uninstaller directory. You will find this directory under the specified SAL Gateway installer directory.
5. Locate and execute the ./runUninstaller.sh script by invoking it from the command line.
The system displays the Welcome panel.
6. Click Next.
The system displays the Language options page.
7. Click OK.
8. Click Next.
The system displays the Uninstall options panel (Figure 2-16).
Figure 2-16: Uninstall options
Note
At present, only the Uninstall option to uninstall the entire application is supported.
9. Click Next.
The system displays the Select Installed packs panel (Figure 2-17).
Figure 2-18: Removing files
12. Click Next.
The system displays the Uninstallation summary panel. This panel displays the pack, SAL Gateway, which has been uninstalled successfully.
13. Click Done.
The uninstallation is complete.
Uninstalling SAL Gateway using the command line mode
To uninstall the SAL Gateway using the command line mode:
1. Log in to the system on which the Gateway is installed using administrator permissions from the command line.
2. Navigate to the installation path and locate the Uninstaller directory.
3. Execute the command:
./runUninstaller.sh -m unattended -i ../autoInstall_AgentGateway.properties
4. Wait for the system to perform the uninstallation. It takes about one to two minutes to complete the uninstallation. The system reverts to the command prompt once the uninstallation is complete.
Testing the functions of the Gateway UI
To check whether the Gateway UI works on the system on which you installed the SAL Gateway or not:
Use a browser on another computer to reach the URL https://:7443.
Upgrading the SAL Gateway
The SAL Gateway installer supports an upgrade capability so that a predefined lower release gateway can be upgraded to a higher release one. For example, you can upgrade SAL Gateway R1.5 to SAL Gateway R1.8.
Note
When you start an upgrade installation of the SAL Gateway with a lower version of the software, the installer performs an audit to detect the availability of an older version.
If the installer detects an older supported version for an upgrade, it communicates the information to the user and proceeds with the only upgrade option to a higher version.
If the audit does not detect the availability of an earlier version of the SAL Gateway, the installer works the way it does for a new installation.
In cases where the installer detects a lower version of the software that is unsupported for upgrade, the installer displays an Error message. In such cases, you must move to a higher supported version by means of an available upgrade path.
The SAL Release policy currently supports upgrades from n-2 (n minus 2) to n version and n-1 (n minus 1) to n version. This implies that the n-3 (n minus 3) version of the SAL Gateway cannot be directly upgraded to n version.
Modes of SAL Gateway upgrade installations
You can perform a SAL Gateway upgrade installation in two modes:
Interactive or the GUI mode
Silent or unattended mode
Upgrading the SAL Gateway in the GUI mode or interactive mode
1. Unzip the SAL.zip file at the location where you want to install the SAL Gateway and execute the following command to start the installation:
./runInstaller.sh script
The system displays the Language panel.
2. Select the default language, English.
The system displays the Welcome panel.
3. On the Welcome panel, click Next.
The system displays the Avaya Global Software License Terms panel.
4. Click the I accept the terms of this license agreement option.
You must accept the terms of the license agreement to continue with the installation.
5. Click Next.
The system displays the Pre-install Configuration Audit panel.
6. When the configuration audit is complete, scroll through the audit report.
You have the options to continue with the installation or cancel it.
7. Click Next to continue the installation. If you want to cancel the installation, click Quit.
The system displays the Installation path panel.
8. Click Next.
The system displays all the components needed for an installation. Select the components you want to install. It is preferable for you to select all the components.
9. Click Next.
The installer takes a few minutes to complete the backup of the earlier version of the software and starts the upgrade. The installer copies all the files on to the target system after the backup process.
Once the installation is complete, the installer creates an uninstaller that can help you in uninstalling the SAL Gateway whenever required.
10. Click Done.
The installer completes the upgrade installation procedure and reverts to the command mode.
Upgrading the SAL Gateway in the unattended mode
The SAL Gateway installer uses the following command:
./runInstaller.sh [-m gui/unattended] [-i ] [-o ] [-p ignore]
Use the AgentGateway_Response.properties file when you upgrade SAL Gateway in the silent mode of installation.
Ensure that the value of the INSTALL_PATH key in the response file is identical to the SAL Gateway path of the previously installed version of the SAL Gateway. If the entry in the response file does not match the path of the previously installed version, the installer cancels the upgrade.
3: SAL Gateway configurations
The Secure Access Link (SAL) Gateway includes a Web-based Gateway UI that provides status information, configuration interfaces, and logging. It provides a means to configure and monitor the gateway as well as the associated devices for alarming and remote access.
The Gateway UI provides SAL users with the following configuration options:
View configurations: Users can view the server configurations done during the installation of the SAL Gateway.
Change configurations: Users can edit existing configurations and apply them.
The Gateway UI also provides feedback on the success or status of a configuration.
Prerequisites for the SAL Gateway configurations:
An installed SAL Gateway
An authorized user id for the user to log in to the SAL Gateway
A computer with a browser and network access to the SAL Gateway
Accessing the SAL Gateway interface for configuration
To access the SAL Gateway interface for configurations:
1. Browse to the host name and port that the SAL Gateway has been configured with.
You can access the SAL Gateway either on a local network or through the Secure Access Concentrator Remote Server after the gateway has established a session with the Concentrator.
2. To access the SAL Gateway on a local network:
https://[host name or IP address of the SAL Gateway]:7443
3. To access the SAL Gateway through the Secure Access Concentrator Remote Server:
https://:7443/
The system displays a login screen.
The SAL Gateway authenticates a user with local credentials.
You may want to use the Secure Access Concentrator Remote Server UI to establish a connection to the Web page as the local port changes if you already have 7443 open on your computer.
Your system administrator can provide you with the Linux login credentials to use here.
User authentication
The SAL Gateway authenticates users in two ways:
Users with local host shell accounts log in with a user name and a password.
Certificate authenticated users log in with e-tokens or certificates. Avaya support personnel usually use certificates for authentication.
Authentication with local credentials
1. Enter your user name and password.
2. Click Log on.
Note
When a user logs in to the SAL Gateway with a username and password, the login mechanism of the Gateway uses the credentials to establish an SSH connection to the Gateway. The SSH method of authentication only supports authentication based on passwords.
SAL Gateway support does