Installation of the Mediation Controller server

Note

As a reminder, switching to root on Debian machines must be done with the following command:

su -

Downloading the mirror and necessary tools

The cyberelements Cleanroom 4.6 mirror and the Systancia repository signature key can be downloaded from this link (requires the creation of a client account): Systancia Marketplace

In addition to the mirror and key, third-party tools will be required for the upgrade process:

  • An SSH client (on Windows, you can use PuTTY)
  • An SCP client (on Windows, the WinSCP or FileZilla tools can be used)

Use the SSH client to connect remotely to your server.

Use the SCP client to transfer files to your remote machine.

Preparing for installation

Configuration of the network

It is essential to configure a static network address for the Mediation Controller. To do this, you first need to retrieve the name of your machine's network interface. Run the following command as root:

ip -br a | grep -ve "^lo"

This command displays the name of the network interface, its status, and the IP addresses assigned to the interface.

Example

After the command is executed, the following output is displayed:

```
ens192           UP             10.0.10.10/24
```

The name of the network interface is `ens192`.

Once the network interface name has been obtained, you can edit the machine's network configuration.
Edit the /etc/network/interfaces file so that it follows this template:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto INTERFACE_NAME
iface INTERFACE_NAME inet static
    address IP_MED_WEB
    netmask NETMASK
    gateway NETWORK_GATEWAY
    dns-nameservers IP_DNS_1 IP_DNS_2
    dns-search DNS_SUFFIX

# The secondary network interface
auto INTERFACE_NAME:1
iface INTERFACE_NAME:1 inet static
    address IP_MED_SSL
    netmask NETMASK

Where:

  • INTERFACE_NAME must be replaced by the name of the network interface previously retrieved.
  • IP_MED_WEB must be replaced by the server's main IP address, which will be the IP address through which the web consoles can be accessed.
  • NETMASK must be replaced by the network mask associated with the IP address.
  • NETWORK_GATEWAY must be replaced by the default network gateway.
  • IP_DNS_1 and IP_DNS_2 must be replaced by the IP addresses of the DNS servers. If several servers need to be configured (3 maximum), separate them with a space.
  • DNS_SUFFIX must be replaced by the DNS suffix to be used. If no suffix needs to be entered, delete the line.
  • IP_MED_SSL must be replaced by the secondary IP address of the server. This will be the IP address through which the SSL Router will be accessible.

Example

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 10.0.10.10
    netmask 255.255.255.0
    gateway 10.0.10.254
    dns-nameservers 10.0.10.100 10.0.10.101
    dns-search domain.local

# The secondary network interface
auto eth0:1
iface eth0:1 inet static
    address 10.0.10.11
    netmask 255.255.255.0

Before applying the configuration, there are three more steps to complete.

The first is to install the resolvconf package so that the DNS configuration specified in the previous file can be applied:

apt install -y resolvconf

The second is to check the configuration of the /etc/hosts file with regard to the machine's primary IP address (IP_MED_WEB).
To do this, edit the /etc/hosts file and check that the second line is in the following format:

IP_MED_WEB  FQDN    MACHINE_NAME

Example

If the machine is named MEDIATION-CONTROLLER without belonging to a domain and its IP address IP_MED_WEB is 10.0.10.10, then the file would be completed as follows:

```
10.0.10.10  MEDIATION-CONTROLLER
```

If the machine belongs to the `DOMAIN.LOCAL` domain, then the file would be completed as follows:

```
10.0.10.10  MEDIATION-CONTROLLER.DOMAIN.LOCAL   MEDIATION-CONTROLLER
```

Attention!

An incorrect configuration of the file may cause an error when installing the collectd package.

Finally, all that remains is to restart the networking service in order to load the new network configuration:

systemctl restart networking
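
A pre-flight check for the two files edited in this section, as an added example that is not part of the vendor's procedure: it confirms that the primary stanza is static, that the gateway and IP_MED_SSL fall in the primary address's subnet, and that line 2 of /etc/hosts has one of the two forms shown above. The function names, the script name preflight.sh and the same-subnet rule for IP_MED_SSL (inferred from the template reusing NETMASK) are assumptions.

```shell
#!/bin/sh
# Added example (not vendor tooling): checks for /etc/network/interfaces and
# /etc/hosts. Function names and the same-subnet rule are assumptions.

# net_of IP NETMASK: print the network address (contiguous netmasks only).
net_of() {
    echo "$1 $2" | awk '{ split($1, a, "."); split($2, m, ".")
        for (i = 1; i <= 4; i++) { b = 256 - m[i]; n[i] = int(a[i] / b) * b }
        print n[1] "." n[2] "." n[3] "." n[4] }'
}

# check_interfaces FILE: succeed when the primary stanza is static and both the
# gateway and the alias address (IP_MED_SSL) lie in the primary's subnet.
check_interfaces() {
    set -- $(awk '
        $1 == "iface" && $2 != "lo" { is_alias = ($2 ~ /:/); if (!is_alias) method = $4 }
        $1 == "address" { if (is_alias) ssl = $2; else web = $2 }
        $1 == "netmask" && !is_alias { mask = $2 }
        $1 == "gateway" { gw = $2 }
        END { print method, web, mask, gw, ssl }' "$1")
    [ $# -eq 5 ] || { echo "a required field is missing" >&2; return 1; }
    [ "$1" = static ] || { echo "primary interface is $1, not static" >&2; return 1; }
    [ "$2" != "$5" ] || { echo "IP_MED_WEB and IP_MED_SSL are identical" >&2; return 1; }
    net=$(net_of "$2" "$3")
    [ "$(net_of "$4" "$3")" = "$net" ] || { echo "gateway $4 is outside $net" >&2; return 1; }
    [ "$(net_of "$5" "$3")" = "$net" ] || { echo "IP_MED_SSL $5 is outside $net" >&2; return 1; }
}

# check_hosts_line FILE IP_MED_WEB MACHINE_NAME: succeed when line 2 reads
# "IP NAME" or "IP NAME.DOMAIN NAME", the two forms shown on this page.
check_hosts_line() {
    awk -v ip="$2" -v name="$3" '
        NR == 2 {
            seen = 1
            if (NF < 2 || NF > 3 || $1 != ip || $NF != name) bad = 1
            if (NF == 3 && index($2, name ".") != 1) bad = 1
        }
        END { exit (bad || !seen) }' "$1"
}

# Live run: sh preflight.sh IP_MED_WEB   (no argument: only defines the checks)
if [ $# -eq 1 ]; then
    check_interfaces /etc/network/interfaces && echo "interfaces: ok"
    check_hosts_line /etc/hosts "$1" "$(hostname -s)" && echo "hosts: ok"
fi
```

Running it before the networking service is restarted catches a wrong address while the current SSH session is still reachable.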

Configuring the APT package manager

Upload the files downloaded from the Systancia Marketplace to the /tmp/ directory on the server using an SCP client:

  • systancia.gpg
  • cleanroom-4.6.1-build33.1096.D12-full.tgz

Log in to the server as root, then run the following commands to extract the Systancia repository archive, configure its use in APT, and authenticate it.

mv /tmp/systancia.gpg /etc/apt/trusted.gpg.d/
mkdir -p /opt/systancia/repository/
tar xvzf /tmp/cleanroom-4.6*.tgz -C /opt/systancia/repository/
echo "deb file:///opt/systancia/repository/ bookworm ipdiva" > /etc/apt/sources.list.d/systancia.list
apt update

We strongly recommend disabling the installation of unnecessary packages when running apt commands. To do so, run the following command:

echo -e 'APT::Install-Recommends false;\nAPT::Install-Suggests false;' > /etc/apt/apt.conf.d/99norecommends

Checking for the presence of the en_US.utf8 locale

Installing the Mediation Controller server requires the generation of en_US.utf8 locales.
To check whether they have already been generated on the server, run the following command as root:

locale -a  | grep en_US.utf8

If the command output displays en_US.utf8, proceed to the GRUB configuration step.
Otherwise, run the following commands to add this locale to the machine:

sed -i "s/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/" /etc/locale.gen
locale-gen

Configuring the GRUB boot program

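Once these commands have been executed, apply the following setting in the GRUB boot program, then restart the machine. The sed expression targets line 9 of /etc/default/grub; if the quiet option is on a different line in your file, the command changes nothing.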

sed '9s/quiet/quiet vsyscall=emulate/' -i /etc/default/grub
update-grub
reboot

Installation of the cyberelements Cleanroom Mediation Controller server

Installation of basic components

Start installing the components using the following command as root:

apt install -y ipdiva-base

After downloading all dependencies, a window will open asking you to select the server type. Select mediation:

Then select the standalone installation mode:

Then you will need to enter the port that the SSL Router will listen on. This listening port is usually set to 443, but port 8443 can also be used if only one IP is used by the mediation server:

Then enter the web access address for the Mediation Controller server (corresponds to IP_MED_WEB in the network configuration):

Finally, enter the IP address of the SSL router (corresponds to IP_MED_SSL in the network configuration):

What should I do if there is an error?

If there is an error in the information you entered, continue installing the ipdiva-base package and then use the following command to reconfigure the server:

dpkg-reconfigure ipdiva-base

Installation of specific components

Start installing the components specific to the Mediation Controller server using the following command:

apt install -y ipdiva-safe-server

The server must be restarted to complete the installation (use the reboot command).

Installation of drivers for connecting to Microsoft SQL Server databases

If you want to connect to an external database and it is a Microsoft SQL Server, then additional ODBC drivers must be installed.

Two versions are available: version 17 and version 18.

TLS connection required for drivers in version 18

Using ODBC 18 drivers requires that the connection be encrypted using TLS. To do this, you need to configure MS SQL Server for connection encryption.

Before installing the ODBC drivers, install the prerequisite packages, then set up the Microsoft repository for the package installation:

apt install -y curl apt-transport-https gpg
curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor -o /usr/share/keyrings/microsoft-prod.gpg
curl https://packages.microsoft.com/config/debian/12/prod.list > /etc/apt/sources.list.d/mssql-release.list
apt update
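
Both repository keys on this page (systancia.gpg in the APT section and microsoft-prod.gpg here) become trust anchors for package installation, so each key's fingerprint is worth comparing with a value obtained from the vendor through a separate channel. The following is an added example, not part of the vendor's procedure; the function names and the script name verify-key.sh are assumptions, and EXPECTED_FINGERPRINT is a placeholder because this page does not publish one.

```shell
#!/bin/sh
# Added example (not vendor tooling): compare a repository key's fingerprint
# with a value obtained out-of-band. Function names are assumptions.

# fingerprints_from_colons: read `gpg --with-colons` output on stdin and print
# the fingerprint of each primary key (the fpr record following a pub record).
fingerprints_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# normalize_fpr STRING: drop spaces and upper-case the hex digits.
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# key_matches EXPECTED: read a colon listing on stdin; succeed only when it
# holds exactly one primary key whose fingerprint equals EXPECTED.
key_matches() {
    found=$(fingerprints_from_colons)
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] ||
        { echo "expected exactly one primary key" >&2; return 1; }
    [ "$found" = "$(normalize_fpr "$1")" ] ||
        { echo "fingerprint mismatch, file has $found" >&2; return 1; }
}

# verify_key_file FILE EXPECTED: FILE may be armored (.asc) or binary (.gpg).
verify_key_file() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | key_matches "$2"
}

# Live run: sh verify-key.sh /tmp/systancia.gpg "EXPECTED_FINGERPRINT"
# (EXPECTED_FINGERPRINT is a placeholder; this page does not publish one).
if [ $# -eq 2 ]; then
    verify_key_file "$1" "$2" && echo "fingerprint ok: $1"
fi
```

Subkey fingerprints are deliberately ignored, and a file that bundles more than one primary key is rejected rather than partially accepted.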

Next, install the drivers according to the selected version and configure the system to use the sqlcmd command:

Version 17:

ACCEPT_EULA=Y apt install -y msodbcsql17 mssql-tools python3-pip
pip install mssql-scripter --break-system-packages
ln -sfn /opt/mssql-tools/bin/sqlcmd /usr/bin/sqlcmd

Version 18:

ACCEPT_EULA=Y apt install -y msodbcsql18 mssql-tools18 python3-pip
pip install mssql-scripter --break-system-packages
ln -sfn /opt/mssql-tools18/bin/sqlcmd /usr/bin/sqlcmd

The ODBC drivers are now correctly installed.
If the Mediation Controller server has access to an MS SQL server, the following command should allow the connection to the remote server:

sqlcmd -S SERVER\INSTANCE_NAME,PORT -U USER

Where:

  • SERVER should be replaced with the DNS name or IP address of the MS SQL server.
  • INSTANCE_NAME should be replaced with the name of the instance to connect to; if not necessary, also remove the \ character.
  • PORT should be replaced with the connection port to the MS SQL database instance.
  • USER should be replaced with the username for establishing the connection.

Examples

If the Mediation Controller server has access to an MS SQL database server via the IP address 10.0.10.100, the instance to be accessed is listening on port 1433, and the access account is sql-user, then the connection command is as follows:

sqlcmd -S 10.0.10.100,1433 -U sql-user

If the connection instance named MSSQLINSTANCE had to be specified, the command would be modified as follows:

sqlcmd -S 10.0.10.100\MSSQLINSTANCE,1433 -U sql-user

Configuration of an NTP time server

It is recommended to set up a time server to keep the system clock up to date. The necessary steps are described on the NTP configuration page.

Initial configurations on cyberelements Cleanroom

The Mediation Controller server components are installed. Now you need to configure the Mediation Controller.

  • Change the default passwords

    Change the default passwords for the system consoles.

    Modify

  • Installation of certificates and licenses

    The Mediation Controller requires various certificates and a license to be operational.

    Install the certificates and the license

  • Configuration of certification authorities

    Add the certification authority (CA) or authorities that do not belong to Systancia and that will be used for Edge Gateway and HTML5 Gateway certificates.

    Configure trusted CAs

  • Configure the Web certificate

    Configure the web certificate used to connect to web interfaces.

    Configure

  • Declare a DNS name

    Add a DNS name authorized to connect to web interfaces.

    Add

  • Configure the SSL virtual host

    Configuration of the cyberelements Cleanroom SSL virtual host, which allows you to specify the connection address to the SSL router for clients and the Edge Gateway pairing mechanism.

    Configure

  • Configure the organization

    Configuration of the cyberelements Cleanroom organization.

    Configure

  • Declare the Edge Gateways

    Declare the Edge Gateways or HTML5 Gateways to be installed and generate a pairing token.

    Create pairing tokens

  • Create a logical site

    Create and configure a logical site that groups together Edge Gateways and HTML5 Gateways that can access local resources.

    Create a site

  • Install an Edge Gateway

    Install and configure a new Edge Gateway with the newly installed Mediation Controller server.
    An HTML5 Gateway instance will also be configured.

    Install