When the Edge Gateway Cluster appliance is started for the first time, an initial machine configuration wizard appears. This wizard allows you to initialize the system configuration as well as the settings specific to the use of cyberelements Cleanroom.
The wizard begins by asking you to select a language:
Information
The language you choose will affect both the system display language and the keyboard layout. In English, the keyboard will have a QWERTY layout, while in French it will be AZERTY.
The wizard then asks you to add a new password for the root system account (make sure it meets the required complexity):
Next, you need to change the systancia system user account password (make sure it meets the required complexity):
Once the system settings have been applied, the wizard switches to the machine's network settings.
The first panel asks you to choose between a static configuration and a dynamic configuration via DHCP:
Recommendation
It is recommended that you use a static configuration for the machine's network settings, particularly for the direct access feature.
DHCP can also be used if the IP address is set at the DHCP server level.
If the static configuration is chosen, the wizard will ask for the following network settings:
Tip
Several DNS servers can be entered (3 maximum) by separating them with spaces. Similarly, several DNS suffixes can be added by separating them with a space.
The initial configuration menu now prompts you to continue with the Edge Gateway pairing mechanism.
This documentation does not use the pairing mechanism, so you need to stop this menu from appearing at login and disable automatic login as root.
To do this, start by exiting the initial configuration menu, either by selecting the Cancel button or by using the Ctrl+C key combination.
Then execute the following commands:
Settings specific to cyberelements Cleanroom operation
Once the network settings have been applied, you still need to connect the Edge Gateway and HTML5 Gateway instances to the Mediation Controllers.
To do this, the first Edge Gateway and HTML5 Gateway instances will connect to the MASTER Mediation Controller, while the second instances will connect to the SLAVE Mediation Controller.
Attention!
If the Edge Gateway installation is not located within the LAN, and the addresses RIP_MED_SSL_MASTER and RIP_MED_SSL_SLAVE are therefore not accessible (even with NAT), you only need to configure the first instance of Edge Gateway and HTML5 Gateway, which will be set up to connect to VIP_MED_SSL.
In this context, the Standalone virtual appliance can be used. The Cluster virtual appliance is preconfigured with two instances, whereas its Standalone counterpart is preconfigured with a single instance.
Before continuing with the following instructions, make sure you have the following items:
Certificate for the Edge Gateway and HTML5 Gateway instances to be connected
Copy the certificate file from the Edge Gateway to the /etc/ipdiva/gateway/ssl/ and /etc/ipdiva/gateway-slave/ssl/ directories. You can do this by running commands similar to the following as root (replace <CERT_NAME> with the name of the certificate for the Edge Gateway):
Configure the Edge Gateway instances to allow them to connect to the Mediation Controllers.
The configurations differ depending on the Mediation Controller to be contacted. Perform both settings:
Edit the file /etc/ipdiva/gateway/gateway.xml and fill it in using the following information (several sections have been omitted and are indicated by […]):
- _FILL_ME_WITH_SERVER_ADDRESS_:: must be replaced with the RIP_MED_SSL_MASTER address, the : character, and the SSL router's listening port, which is normally set to 443
- keyfile.pem: must be replaced with the name of the certificate file
- PASSWORD: must be replaced with the certificate password
??? example "Example"
Taking into account the following information:
Finally, start the Edge Gateway instance to load the new settings and connect it to the MASTER Mediation Controller:
``` bash
/usr/local/ipdiva/gateway/bin/start
```
Edit the /etc/ipdiva/gateway-slave/gateway.xml file and complete it using the following information (several sections have been omitted and are indicated by […]):
Move the certificate for the recording service to the /etc/ipdiva/careserver/ directory with a command similar to this (replace <CERT_NAME> with the name of the intended certificate):
``` bash
mv /tmp/<CERT_NAME> /etc/ipdiva/careserver/
```
Next, configure the service by modifying the following file: /etc/ipdiva/careserver/careserver.xml. The configuration of the file should be something like this (the following section omits many lines in the file marked with […]):
If the HTML5 Gateway instance needs to be configured, run the following command on the Edge Gateway server as root to enable automatic startup of the instance:
``` bash
chmod +x /etc/ipdiva/services/50html5gateway*
```
Copy the certificate file from the HTML5 Gateway to the /etc/ipdiva/html5gateway/ssl/ and /etc/ipdiva/html5gateway-slave/ssl/ directories. You can do this by running commands similar to the following as root (replace <CERT_NAME> with the name of the certificate for the HTML5 Gateway):
Configure the HTML5 Gateway instances to allow them to connect to the Mediation Controllers.
The configurations differ depending on the Mediation Controller to be contacted. Perform both settings:
Edit the /etc/ipdiva/html5gateway/html5gateway.xml file and complete it using the following information (several sections have been omitted and are indicated by […]):
- _FILL_ME_WITH_SERVER_ADDRESS_:: must be replaced with the RIP_MED_SSL_MASTER address, the : character, and the SSL router's listening port, which is normally set to 443
- keyfile.pem: must be replaced with the name of the certificate file
- PASSWORD: must be replaced with the certificate password
??? example "Example"
Taking into account the following information:
Finally, restart the HTML5 Gateway instance to load the new settings and connect it to the MASTER Mediation Controller:
``` bash
/usr/local/ipdiva/html5gateway/bin/start
```
Edit the /etc/ipdiva/html5gateway-slave/html5gateway.xml file and complete it using the following information (several sections have been omitted and are indicated by […]):
- `RIP_MED_SSL_SLAVE` is equal to: `10.0.10.13`
- SSL Router listening port: `443`
- Certificate file name: `html5-gateway.p12`
- Certificate password: `Str0ngP@ssw0rd`
- Available RPC port: `9089`
The `/etc/ipdiva/html5gateway-slave/html5gateway.xml` file would be configured as follows:
``` xml hl_lines="2 5 6 10"
<gateway>
<server>10.0.10.13:443:ssl</server>
[…]
<ssl>
<cert>/etc/ipdiva/html5gateway-slave/ssl/html5-gateway.p12</cert>
<password>Str0ngP@ssw0rd</password>
[…]
</ssl>
[…]
<rpc-listen>127.0.0.1:9089</rpc-listen>
[…]
</gateway>
```
??? example "Complete file"
``` xml hl_lines="2 20 21 31"
<gateway>
<server>10.0.10.13:443:ssl</server>
<pipe>
<ping-timeout>60000</ping-timeout>
<rout-max-lock>20000</rout-max-lock>
</pipe>
<timeout>
<reconnect>15000</reconnect>
</timeout>
<ticket><hmac></hmac></ticket>
<proxy>
<type>no</type>
<address></address>
<login></login>
<password></password>
<domain></domain>
</proxy>
<ssl>
<cert>/etc/ipdiva/html5gateway-slave/ssl/html5-gateway.p12</cert>
<password>Str0ngP@ssw0rd</password>
<ca-dir>/etc/ipdiva/html5gateway-slave/ssl/ca</ca-dir>
<min-version>tls1.3</min-version>
<max-version></max-version>
<cipherlist>!ADH:!AECDH:!MD5:kEECDH+AES:kEDH+AES:AES256+RSA:3DES+RSA</cipherlist>
<cipherlist-tls1.3>TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256</cipherlist-tls1.3>
<verify-cert>true</verify-cert>
<verify-certhostnamematch>true</verify-certhostnamematch>
</ssl>
<rpc-listen>127.0.0.1:9089</rpc-listen>
<network-id></network-id>
<compression>zlib</compression>
</gateway>
```
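Before restarting the instance, the edited file can be checked for leftover placeholders and weakened TLS or listener settings. The following is an added example, not part of the product documentation: it is written against the `html5gateway.xml` layout shown above, assumes Python 3 is available on the machine where the check is run, and the names `lint_gateway_xml` and `instance_dir` are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample mirroring the SLAVE example on this page.
SAMPLE = """<gateway>
  <server>10.0.10.13:443:ssl</server>
  <ssl>
    <cert>/etc/ipdiva/html5gateway-slave/ssl/html5-gateway.p12</cert>
    <password>Str0ngP@ssw0rd</password>
    <min-version>tls1.3</min-version>
    <verify-cert>true</verify-cert>
    <verify-certhostnamematch>true</verify-certhostnamematch>
  </ssl>
  <rpc-listen>127.0.0.1:9089</rpc-listen>
</gateway>"""


def lint_gateway_xml(xml_text, instance_dir):
    """Return a list of findings; an empty list means the file looks consistent."""
    root = ET.fromstring(xml_text)
    def text(path):
        return (root.findtext(path) or "").strip()
    findings = []
    # <server> must be ADDRESS:PORT:ssl with the template placeholder replaced.
    server = text("server")
    host, _, rest = server.partition(":")
    port, _, transport = rest.partition(":")
    if "FILL_ME" in server or not host or not port.isdigit() or transport != "ssl":
        findings.append(f"server '{server}' is not of the form ADDRESS:PORT:ssl")
    # The certificate must live in this instance's own ssl/ directory.
    cert = text("ssl/cert")
    if not cert.startswith(instance_dir.rstrip("/") + "/ssl/") or cert.endswith("keyfile.pem"):
        findings.append(f"cert '{cert}' is not under {instance_dir}/ssl/")
    if text("ssl/password") in ("", "PASSWORD"):
        findings.append("ssl/password is still empty or the placeholder")
    # Peer verification and protocol floor as shown in the complete file.
    for flag in ("verify-cert", "verify-certhostnamematch"):
        if text(f"ssl/{flag}") != "true":
            findings.append(f"ssl/{flag} is not 'true'")
    if text("ssl/min-version") != "tls1.3":
        findings.append("ssl/min-version differs from the tls1.3 value shown on this page")
    # The RPC listener is bound to loopback in the page's example.
    rpc_host = text("rpc-listen").rpartition(":")[0]
    try:
        if not ipaddress.ip_address(rpc_host).is_loopback:
            findings.append(f"rpc-listen host '{rpc_host}' is not a loopback address")
    except ValueError:
        findings.append("rpc-listen is missing or malformed")
    return findings
```

Passing the wrong `instance_dir` (for example the master directory for the slave file) also flags a certificate path copied from the other instance.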
Finally, restart the HTML5 Gateway instance to load the new settings and connect it to the SLAVE Mediation Controller:
``` bash
/usr/local/ipdiva/html5gateway-slave/bin/start
```
Configurations prior to connecting HTML5 Gateways
In order for HTML5 applications to work, additional settings must be configured on the Mediation Controller servers. Log in to the MASTER and SLAVE Mediation Controller servers as root.
Create or edit the /etc/ipdiva/httpd/commonParameters.extra.conf file to add a section equivalent to the following for the HTML5 Gateway:
- URL_HTML5 must be replaced with the content of the URL field for the HTML5 Gateway configured in the administration console during the HTML5 Gateway declaration (for a cluster, this is generally HTML5-1 and HTML5-2).
- GW_NAME must be replaced by the name of an Edge Gateway located on the same server as the HTML5 Gateway. The | character at the end of the line must be kept.
- ORGANIZATION_NAME must be replaced by the name of the organization to which the previous Edge Gateway connects.
??? example "Example"
For a platform with the following settings:
- Organization name: `my-organization-name`
- Declaration of the first HTML5 Gateway in the administration console:
    - Name: `html5-gateway-1`
    - URL: `HTML5-1`
    - Protocol: `WebSocket`
- Declaration of the second HTML5 Gateway in the administration console:
    - Name: `html5-gateway-2`
    - URL: `HTML5-2`
    - Protocol: `WebSocket`
- An Edge Gateway server on the first HTML5 Gateway has:
    - An Edge Gateway service named `edge-gateway-1`
    - An HTML5 Gateway service named `html5-gateway-1`
- An Edge Gateway server on the second HTML5 Gateway has:
    - An Edge Gateway service named `edge-gateway-2`
    - An HTML5 Gateway service named `html5-gateway-2`
The configuration file `/etc/ipdiva/httpd/commonParameters.extra.conf` created will be set up as follows:
``` apache hl_lines="1 5-6 12 16-17 23 27-28 34 38-39"
<Location /HTML5-1/>
Order allow,deny
Allow from all
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-IPdiva-Gateway edge-gateway-1|
RequestHeader set X-IPdiva-Orgname my-organization-name
RequestHeader set X-IPdiva-Service 127.0.0.1:8080
ProxyPass http://127.0.0.1:9016/systanciaHTML5-6.0/ flushpackets=on
</Location>
<Location /HTML5-1/websocket-tunnel>
Order allow,deny
Allow from all
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-IPdiva-Gateway edge-gateway-1|
RequestHeader set X-IPdiva-Orgname my-organization-name
RequestHeader set X-IPdiva-Service 127.0.0.1:8080
ProxyPass ws://127.0.0.1:9016/systanciaHTML5-6.0/websocket-tunnel
</Location>
<Location /HTML5-2/>
Order allow,deny
Allow from all
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-IPdiva-Gateway edge-gateway-2|
RequestHeader set X-IPdiva-Orgname my-organization-name
RequestHeader set X-IPdiva-Service 127.0.0.1:8080
ProxyPass http://127.0.0.1:9016/systanciaHTML5-6.0/ flushpackets=on
</Location>
<Location /HTML5-2/websocket-tunnel>
Order allow,deny
Allow from all
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-IPdiva-Gateway edge-gateway-2|
RequestHeader set X-IPdiva-Orgname my-organization-name
RequestHeader set X-IPdiva-Service 127.0.0.1:8080
ProxyPass ws://127.0.0.1:9016/systanciaHTML5-6.0/websocket-tunnel
</Location>
```
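A syntax test of the web server does not catch mistakes that are specific to this file, such as a dropped `|` after the gateway name or a URL that has no `websocket-tunnel` block. The following consistency check is an added example, not part of the product documentation; it assumes Python 3, the function name `lint_html5_locations` is hypothetical, and the sample input is constructed with two deliberate mistakes.

```python
import re

# Constructed sample: the HTML5-1 pair is correct, HTML5-2 has two mistakes.
SAMPLE = """
<Location /HTML5-1/>
RequestHeader set X-IPdiva-Gateway edge-gateway-1|
RequestHeader set X-IPdiva-Orgname my-organization-name
ProxyPass http://127.0.0.1:9016/systanciaHTML5-6.0/ flushpackets=on
</Location>
<Location /HTML5-1/websocket-tunnel>
RequestHeader set X-IPdiva-Gateway edge-gateway-1|
RequestHeader set X-IPdiva-Orgname my-organization-name
ProxyPass ws://127.0.0.1:9016/systanciaHTML5-6.0/websocket-tunnel
</Location>
<Location /HTML5-2/>
RequestHeader set X-IPdiva-Gateway edge-gateway-2
RequestHeader set X-IPdiva-Orgname my-organization-name
ProxyPass http://127.0.0.1:9016/systanciaHTML5-6.0/ flushpackets=on
</Location>
"""

BLOCK = re.compile(r"<Location\s+(\S+)>(.*?)</Location>", re.S)


def lint_html5_locations(conf):
    """Return findings for the Location blocks described on this page."""
    findings, seen = [], {}
    for path, body in BLOCK.findall(conf):
        is_ws = path.endswith("/websocket-tunnel")
        url = path.strip("/").split("/")[0]  # e.g. HTML5-1
        seen.setdefault(url, set()).add("ws" if is_ws else "http")
        gw = re.search(r"X-IPdiva-Gateway[ \t]+(\S+)", body)
        if not gw or not gw.group(1).endswith("|"):
            findings.append(f"{path}: X-IPdiva-Gateway must end with '|'")
        if not re.search(r"X-IPdiva-Orgname[ \t]+\S+", body):
            findings.append(f"{path}: X-IPdiva-Orgname missing")
        proxy = re.search(r"^\s*ProxyPass\s+(\w+)://", body, re.M)
        want = "ws" if is_ws else "http"
        if not proxy or proxy.group(1) != want:
            findings.append(f"{path}: ProxyPass should use {want}://")
    for url, kinds in seen.items():
        for missing in sorted({"http", "ws"} - kinds):
            findings.append(f"/{url}/: no {missing} Location block")
    return findings
```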
Before applying the new settings, you must check that the new configuration does not cause any blocking errors for the Apache2 web server.
To do this, run the following command:
``` bash
apache2ctl configtest
```
If the response is Syntax OK then the changes can be applied with the command below. Otherwise, check your configuration in the /etc/ipdiva/httpd/commonParameters.extra.conf file.