Enterprise Node Gateway Install Guide


Node Gateway Installation Guide

  1. Install all .NET Core 2.1 prerequisites for CentOS-x64. See https://dotnet.microsoft.com/download/linux-package-manager/centos/runtime-2.1.0

NOTE: CommEng requires the .NET Core 2.1 Runtime. It is declared as a dependency in the CommEng RPM and should be installed along with all of its own dependencies.

  1. Update yum tools:
    $ sudo yum update

  2. Download the Node Gateway RPM from the link below:
    $ wget https://repo.catchpoint.net/repo/custom/CommEng-0.0.0.2-x86_64.rpm

  3. Install the Node Gateway package from the RPM downloaded in the previous step:
    $ sudo yum localinstall <path-to-rpm-file>

  4. Copy the server certificate file to the CommEng execution directory. The file must be a PKCS#12 binary certificate container holding both the server certificate and its private key, and it must be named servercert.pfx. OpenSSL may be used to construct the PKCS#12 container.
    $ sudo cp path/to/your/servercert.pfx /opt/CatchPoint/Agent/Services/CommEng/servercert.pfx
    Please restart CommEng to confirm the certificate changes.
    $ sudo systemctl restart CommEng

  5. (Only if the PFX uses a passphrase) Export the PFX file passphrase as an obfuscated environment variable.
    NOTE: This is for the v0.2 pre-production release only and will not be the long-term methodology for securing secrets. This step will create the obfuscated passphrase text. Copy the output to use in the next step.
    $ echo <your PFX passphrase> | rev | base64
    Using a text editor, save this obfuscated passphrase to the KestrelWebHost_ServerPfxCertificatePassword entry in the CommEng.env file, which is located under the /opt/CatchPoint/Agent/Services/CommEng directory.

  6. Enable and Start the CommEng Gateway service. It is set up under systemd. Please restart the CommEng to
    $ sudo systemctl enable CommEng
    $ sudo systemctl start CommEng
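
Step 5's encoding is a reversible transform, not encryption, so the passphrase is only as protected as read access to CommEng.env. The following added example (not part of the Catchpoint guide; the function names are hypothetical) reproduces the encoding from stdin, reverses it as a round-trip check, and tests whether the env file is closed to group and other.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of CommEng.

# Read one line from stdin and encode it exactly as step 5's
# `echo <passphrase> | rev | base64` does. Reading stdin keeps the
# passphrase off the command line and out of shell history.
obfuscate_passphrase() {
    IFS= read -r pass || [ -n "$pass" ] || return 1
    printf '%s\n' "$pass" | rev | base64
}

# Undo the encoding, to confirm the stored value before restarting CommEng.
# No key is involved, so any reader of CommEng.env can recover the passphrase.
recover_passphrase() {
    printf '%s\n' "$1" | base64 -d | rev
}

# Succeed only when the file grants no permissions to group or other.
# Which owner and mode suit a deployment depends on how CommEng reads the
# file, which the guide does not state.
env_file_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    case $mode in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}
```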

Linux RPM Install Guide

  1. Set the hostname for the machine. This will be the machine name in Catchpoint Node settings and should be set before installing the SyntheticAgent software. Use unique keywords to name your hostname, since hostnames must be unique across the Catchpoint system.

  2. Add the Node Gateway URL to your /etc/hosts:

    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    [[Node Gateway IP Address]] your.gateway.server.box

To verify that the entry was added correctly, try pinging the gateway server box:
$ ping your.gateway.server.box

  3. Follow the instructions to install Catchpoint’s Linux Enterprise Node.

  4. We need one final step to ensure Enterprise Nodes are communicating through the Node Gateway. To do this, stop the Catchpoint services:
    $ sudo catchpoint stop

  5. If using custom certificates, add your custom root and/or intermediate CA certificates:
    $ sudo catchpoint cert -i <path to certificate>
    Note: Import the public certificate (.crt) on the node.

  6. Configure the Node Gateway:
    $ catchpoint node-gateway --add --host=https://node-gateway-address

  7. Start the Catchpoint services:
    $ sudo catchpoint start

  8. Follow the steps to activate the Linux Enterprise Node.
    Note that the node will not be able to communicate with Catchpoint servers until the CommEng software is running on the gateway box. You can confirm traffic is flowing from the node through the CommEng gateway to Catchpoint servers by tailing the `CommEng` log on the gateway box.

Note: For Node Gateway, you need Linux Enterprise Agent version 1.10.1.157 and above.

Generating Certificates using openssl

Node Gateway communicates only over secure HTTP. If you do not have access to certificates, you can generate a self-signed certificate using openssl.

Note: Replace [[placeholder]] values with your specific values.

  1. Generate an RSA private key:
    $ sudo openssl genrsa -out [[private_key]].key 2048

[[private_key]].key is the desired filename for the private key file. 2048 is the key length. The length could be either 1024, 2048, or 4096.

  2. Generate a Certificate Signing Request:
    $ sudo openssl req -new -key [[private_key]].key -out [[certificate_signing]].csr
    [[private_key]].key is the input filename of the previously generated private key (step 1). [[certificate_signing]].csr is the output filename of the certificate signing request.
    Note: Follow the on-screen prompts for the required certificate request information. Ensure that you remember these values.

  3. Generate a self-signed public certificate based on the request:
    $ sudo openssl x509 -req -days 3650 -in [[certificate_signing]].csr -signkey [[private_key]].key -out [[certificate]].crt
    [[private_key]].key is the input filename of the previously generated key (step 1). [[certificate_signing]].csr is the input filename of the certificate signing request (step 2). [[certificate]].crt is the output filename of the public certificate.
    Note: The generated certificate is already in ASCII format, i.e. valid PEM format.

  4. Generate a PKCS#12 file:
    $ sudo openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in [[certificate]].crt -inkey [[private_key]].key -out [[PKCS#12_key]].pfx -name "[[display_name]]"
    [[private_key]].key is the input filename of the previously generated key (step 1). [[certificate]].crt is the input filename of the public certificate (step 3). [[PKCS#12_key]].pfx is the output filename of the PKCS#12 format file. [[display_name]] is the desired name that will sometimes be displayed in user interfaces.