CA API Gateway Virtual Appliance Getting Started, Rev. 2.3
CA API Gateway – Virtual Appliance
Getting Started
Contents
Introduction
Requirements
Starting the Virtual Appliance
Configuring the Virtual Appliance
Installing the Gateway License
Next Steps
Getting Assistance
Troubleshooting Password Issues
Introduction
The CA API Gateway – Virtual Appliance provides the power of the CA API Gateway
conventional hardware appliance with the flexibility of a software application.
This document helps you get the Virtual Appliance up and running on your personal
workstation as quickly as possible.
For complete information on using the Virtual Appliance and its accompanying Policy
Manager, refer to the Gateway online documentation located at wiki.ca.com/Gateway
and download the CA API Gateway Administrators Manual from the CA API
Management Customer Support site.
If you require further assistance, send an email to api-support@ca.com.
Copyright © 2015 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective
companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document “As
Is” without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or
non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document including, without
limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages. Document last updated:
June 2015
Requirements
The CA API Gateway Virtual Appliance will run under any recent version of VMware®
Workstation or vSphere.
For a complete list of requirements, refer to “Requirements and Compatibility” in the
CA API Gateway online documentation located at: wiki.ca.com/Gateway.
Starting the Virtual Appliance
1. Follow the applicable instructions to start the Virtual Appliance:
• To start the ESXi image: Select File > Deploy OVF Template and then
navigate to the Virtual Appliance image file (*.ova).
• To start the Workstation image: Select File > Open and then navigate to the
Virtual Appliance image file (*.ova).
2. Verify the following settings:
a. Select Edit virtual machine settings and then make sure the Hardware tab is
visible.
b. Select Memory from the list and make sure the slider is showing at least 768
MB.
c. Select Network Adapter from the list and choose the appropriate option:
• If the Gateway will be connected to a physical network or accessed from
external systems, choose Bridged.
• If external access is not required or the host system is not connected to
a network, select NAT or Host Only. Select NAT if you are running the
Virtual Appliance for evaluative or training purposes.
d. Click [OK].
3. If using the ESXi Server, you must map the virtual network interface to the
appropriate virtual network switch for your configuration.
4. Click Power on this virtual machine to start the Virtual Appliance. Allow a few
moments for the boot process to complete.
Once the Virtual Appliance has started, proceed to Configuring the Virtual Appliance
below.
Technical Tip: If a “[FAILED]” message appears during the VMware Tools
initialization process, check the irqbalance daemon.
Configuring the Virtual Appliance
Tip: The example settings shown are designed to get your Virtual Appliance
up and running as quickly as possible for evaluation purposes. For use in
other environments, see the CA API Gateway online documentation located
at wiki.ca.com/Gateway for a detailed description of each setting.
Once the image boot process has completed, you can configure the Virtual Appliance.
1. When prompted to log in, type ssgconfig for the user name and 7layer for the
password (both are case sensitive).
2. After your first login, you will be prompted to change the password for ssgconfig.
Follow the prompts to create a new password. Tip: For evaluation purposes, you
can use L7Secure$0@ (“0” = zero).
The Gateway main menu appears once you are successfully logged in.
Welcome to the SecureSpan Gateway
This user account allows you to configure the appliance
What would you like to do?
1) Configure system settings
2) Display Layer 7 Gateway configuration menu
3) Use a privileged shell (root)
4) Change the Master Passphrase
5) Display Remote Management configuration menu
6) Manage HSM
7) Display Enterprise Service Manager configuration menu
8) Display Patch Management Menu
R) Reboot the SSG appliance (apply the new configuration)
X) Exit (no reboot)
Please make a selection: 1
Figure 1: Gateway main menu
3. Select 3 (Use a privileged shell). This opens a command prompt for root access.
4. Type 7layer as the current password. Upon first access to this shell, you will be
prompted to change the password for the root user. Create a new password that
adheres to “Password Rules” under “Troubleshooting Password Issues” in the
Gateway online documentation. Tip: You can use the same L7Secure$0@
password as shown above.
5. If evaluating the Virtual Appliance, you may want to reset the passwords back to
7layer to make them easier to remember. Tip: For non-evaluation uses of the
Gateway, it is not advisable to weaken the password strength in this manner.
To reset the root password:
a. Type passwd.
b. Type 7layer and ignore the “Bad Password” warning.
c. Type 7layer again to confirm. The password is changed.
To reset the ssgconfig password:
a. Type passwd ssgconfig.
b. Type 7layer and ignore the “Bad Password” warning.
c. Type 7layer again to confirm. The password is changed.
6. If evaluating the Virtual Appliance, type ifconfig and then make a note of the
Gateway’s dynamically assigned IP address on the NAT network and the subnet
mask. See Figure 2.
Figure 2: ifconfig output
Note: By default, the eth0 interface on the Gateway is configured for
DHCP. For evaluation purposes, you will change eth0 to use a static IP
address.
7. If evaluating the Virtual Appliance, you must edit the hosts file to add the fully
qualified host name of the Gateway because the name will likely not be
registered with any configured DNS server.
Tip: You must also modify the hosts file if you want the Gateway to connect to
any other system by host name rather than IP address.
a. Type vi /etc/hosts (space after “vi”) to load the hosts file into the editor.
Table 1 lists some basic editing commands for the vi editor.
Table 1: Basic vi commands
To… | Do this…
Enter insert mode | Press i.
Create a new line | Use the arrows to position the cursor at the end of the last line, and then press [Enter].
Type content into the line | Be sure to separate the IP address from the host name and short name using one or more spaces (the actual number of spaces does not matter).
Exit insert mode | Press [Esc].
Save and exit vi | Type :wq and then press [Enter].
Exit without saving | Type :q! and then press [Enter].
b. Add the IP address and hostname that you plan to assign to this gateway
during network configuration (described later).
For example, this inet address was noted in our example in step 6 above:
192.168.146.128 (dynamically assigned address)
This means our static IP address must begin with “192.168.146”—in this
example, we will use 192.168.146.200. Figure 3 shows a sample hosts file
in the vi editor, using the fictitious hostname “learn.l7tech.com” followed by
the short name “learn”.
Figure 3: Editing /etc/hosts
c. Save the changes and exit vi, and then type exit to return to the main menu.
8. Select option 1 (Configure system settings) from the main menu.
9. Select option 1 (Configure networking and system time settings) to begin
network configuration.
a. Enter 1 to configure the eth0 interface and then enter y to enable the
interface.
b. Enter y to configure IPv4 networking.
c. Under boot protocol, select static and then:
• For the IPv4 address, type the IP address that was added to the
/etc/hosts file in step 7b above. For example: 192.168.146.200.
• For the default IPv4 gateway, type the VMware NAT network’s default
IPv4 gateway. Normally this is the x.x.x.2 address on the NAT network.
Although presented as optional, it is recommended that you enter one in
this environment as the default IPv4 address will also be used as the
DNS server address later. For example: 192.168.146.2.
Tip: Another way to locate the default gateway is to run the “route -n”
command. Look for the destination “0.0.0.0”; the corresponding
entry in the Gateway column is what you need.
• For the netmask, type the VMware NAT network’s subnet mask that was
noted in step 6 above. For example: 255.255.255.0.
d. Enter n to skip configuring IPv6 networking.
e. Enter n to skip configuring another interface.
f. Enter n to skip configuring a default IPv4 gateway and interface.
g. If prompted to configure a default IPv6 gateway and interface, type n.
Tip: To learn more about default gateways, see “Determining Whether a
Default Gateway is Necessary” in the Layer 7 Installation and Maintenance
Manual.
h. Type the fully qualified hostname that was added to the Gateway’s
/etc/hosts file. For example: learn.l7tech.com.
i. When prompted for the DNS server IP address, you may leave this blank if
you wish to receive the name servers and search domains via DHCP.
j. Enter y to configure the time zone, and then select your time zone from the
lists presented.
k. Enter n to skip synchronizing the Virtual Appliance with an NTP server.
Tip: Time synchronization is an essential system setup step for clustering
and replay attack prevention, but it can be omitted for the purposes of
evaluating the Virtual Appliance. If you have an NTP server available, you can
type y and specify the NTP server IP addresses. The image comes
preconfigured with the rhel.pool.ntp.org servers.
l. Carefully review the configuration settings you are about to apply. If
everything is correct, enter y to continue.
If you are not ready to apply the settings, press < to return to a previous step
or type quit to exit the configurator.
m. Review the results. You should see a message stating that the configuration
was successfully applied. Press [Enter] to exit the configurator.
10. When the network menu reappears, select option X to return to the main menu,
select option R to reboot the Virtual Appliance, and type y to confirm. Rebooting
may take a few minutes to complete.
11. Log in as the ssgconfig user (see step 1), and then select option 2 (Display Layer
7 Gateway configuration menu) from the main menu. The configuration menu in
Figure 4 is displayed.
This menu allows you to configure the Layer 7 Gateway application
What would you like to do?
1) Upgrade the Layer 7 Gateway database
2) Create a new Layer 7 Gateway database
3) Configure the Layer 7 Gateway
4) Change the Layer 7 Gateway cluster password
5) Delete the Layer 7 Gateway
6) Display the current Layer 7 Gateway configuration
7) Manage Layer 7 Gateway status
8) Reset Admin password
X) Exit
Please make a selection: 1
Figure 4: Gateway configuration menu
12. Select option 2 (Create a new Layer 7 Gateway database) and then follow Table
2 to complete each step.
Note: Once the new Gateway database is created, you can no longer
use option 2. To modify the configuration afterwards, select option 3
(Configure the Layer 7 Gateway). To delete the Gateway configuration
and start over, select option 5 (Delete the Layer 7 Gateway).
Table 2: Creating a new Gateway database
Step: Set Up the Gateway Database
Description:
1. Press [Enter] to set up the database connection.
2. Press [Enter] to accept localhost as the hostname.
3. Press [Enter] to accept the default port 3306.
4. Press [Enter] to accept the default database name ssg.
5. Press [Enter] to accept the default database username gateway.
6. Type the password for the database user and then retype to confirm.
7. Press [Enter] to accept the default administrative database username root.
8. Type the administrative database password.
Step: Set Up the Gateway Failover Database
Description:
• Press [Enter] to skip setting up a Gateway Failover Database.
Note: Database failover connections are used in multi-Gateway clusters. For
evaluation purposes, a single Gateway is deployed and failover does not apply.
Step: Set Up the Policy Manager Administration
Description:
This step sets up the account for the Policy Manager administrator (i.e., the “super
user”).
1. Type the user name for the administrator. For example: admin.
2. Type the password for the administrator and then retype to confirm. For example:
7layer.
Step: Set Up the Gateway Cluster
Description:
This step sets up the Gateway cluster. Note: This single Virtual Appliance is
considered to be a “cluster” of one.
1. Press [Enter] to accept the cluster hostname offered as the default. Note that the
cluster host cannot be changed once entered.
2. Type the passphrase to protect the cluster and then retype to confirm. For
example: 7layer.
Step: Set Up the Gateway Node
Description:
• Press [Enter] to enable the node. This activates the Virtual Appliance when
configuration is complete. Tip: It may take a few minutes for the node to be fully
up and running.
Step: Configuration Summary
Description:
Carefully review the configuration settings you are about to apply. If everything is
correct, press [Enter] to apply the settings.
If you are not ready to apply the settings, press < to return to a previous step or type
quit to exit the wizard.
Step: Configuration Results
Description:
The configuration results show either:
• Success: Press [Enter] to return to the Configure Layer 7 Gateway menu. Enter X
to exit to the main menu.
• Errors encountered: Copy and paste the log messages from the command window
into a text file. Analyze the errors and run the wizard again. If you require
assistance, email api-support@ca.com.
13. Enter x to return to the Gateway main menu, then select option R to reboot the
Virtual Appliance and then type y to confirm.
You will now install the Gateway license using the Policy Manager.
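Steps 6 through 9 only work if the static address, netmask, default gateway and /etc/hosts entry agree with one another. The following added example is not part of the original guide; its function names and the sample route -n output are constructed for illustration. It checks those values using the guide's example addresses and prints the resulting /etc/hosts line.

```shell
#!/bin/sh
# Added example (not from the guide): validate the static addressing plan
# of steps 6-9 before entering it in the configurator. Names are illustrative.

# Dotted-quad IPv4 -> integer; fails on malformed octets (e.g. 256, 08).
ip_to_int() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when two addresses share a network under the given mask.
same_subnet() {
    a=$(ip_to_int "$1") && b=$(ip_to_int "$2") && m=$(ip_to_int "$3") || return 2
    [ $(( a & m )) -eq $(( b & m )) ]
}

# Read `route -n` output on stdin; print the gateway of the 0.0.0.0 route.
default_gw() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# Args: dhcp_ip netmask static_ip gateway fqdn.
# On success prints the /etc/hosts line for step 7b; otherwise explains why.
check_plan() {
    same_subnet "$1" "$3" "$2" || { echo "static IP malformed or off the DHCP network" >&2; return 1; }
    same_subnet "$3" "$4" "$2" || { echo "gateway malformed or off that network" >&2; return 1; }
    s=$(ip_to_int "$3"); m=$(ip_to_int "$2")
    host=$(( s & ~m & 4294967295 )); bcast=$(( ~m & 4294967295 ))
    if [ "$host" -eq 0 ] || [ "$host" -eq "$bcast" ] || [ "$3" = "$4" ]; then
        echo "static IP is the network, broadcast or gateway address" >&2; return 1
    fi
    case "$5" in
        *.*) printf '%s %s %s\n' "$3" "$5" "${5%%.*}" ;;
        *)   echo "host name is not fully qualified" >&2; return 1 ;;
    esac
}

# Constructed sample of `route -n` output on the VMware NAT network.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.146.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.146.2   0.0.0.0         UG    0      0        0 eth0'

gw=$(printf '%s\n' "$SAMPLE_ROUTE" | default_gw)
check_plan 192.168.146.128 255.255.255.0 192.168.146.200 "$gw" learn.l7tech.com
```

On the appliance, replace the sample with the live table by piping route -n into default_gw.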
Installing the Gateway License
Once the Virtual Appliance is configured, the next step is to install the license file.
This is done using the CA API Gateway – Policy Manager, which provides a graphical
interface for managing the Virtual Appliance.
The Policy Manager is available in two form factors:
• As a browser-based application that can run on any supported Web browser. No
installation or additional download is required if using this form factor.
• As a desktop client for optimal performance. This form factor is a separate
download. For installation instructions, see “Install and Upgrade the Policy
Manager” in the CA API Gateway Administrators Guide.
Note: The browser and desktop versions of the Policy Manager have nearly
identical functionality. The differences between the two are summarized
under “Policy Manager Browser Client” in the Gateway online documentation
located at wiki.ca.com/Gateway.
To install the Gateway license:
1. Start the Policy Manager:
• Browser client: Load the URL:
https://<gatewayHostName>:8443/ssg/webadmin
where “<gatewayHostName>” is the hostname entered in the “Set Up the
Gateway Cluster” step of Table 2.
Tip: You may see some security prompts when you start the Policy
Manager for the first time in a browser. Both Internet Explorer and
Firefox will present a series of warnings and authentication
challenges. See “Start the Policy Manager” in the Gateway online
documentation for detailed instructions on how to respond to these
prompts.
• Desktop client:
1) Run the Policy Manager. The Login dialog appears.
2) For the User Name and Password, use the values in the “Set Up the
Policy Manager Administration” step of Table 2.
3) For the Gateway, use the hostname entered in the “Set Up the Gateway
Cluster” step of Table 2.
2. Click [Yes] when prompted to view the license manager.
3. Click [Install License] and then locate the license file provided by Layer 7.
4. Click [I Agree] at the License Agreement; it may take a moment for the license to
fully register. The license is installed when you see “Valid” next to License Status.
5. Click [Close] to return to the Policy Manager interface.
Next Steps
Now that the Gateway is installed and the Policy Manager is up and running, you can
begin to publish services and create policies. For more information, see “Virtual
Appliance Tutorials” in the CA API Gateway online documentation located at:
wiki.ca.com/Gateway.
Getting Assistance
Complete documentation for the CA API Gateway and the Policy Manager is available
from any Web-enabled device by visiting wiki.ca.com/Gateway. For your convenience,
any portion of the online documentation can be saved as ePUB or PDF files.
If you require further assistance, email CA Support at api-support@ca.com.
Troubleshooting Password Issues
Most common password difficulties can be resolved by following the steps under
“Troubleshoot Password Issues” in the CA API Gateway online documentation located
at wiki.ca.com/Gateway. If these steps do not resolve your issue, email CA Support.