4.2.3 Configuring Access Gateway Appliance

Access Gateway Appliance is bundled with the Configuration console, Common Appliance Framework (CAF), which is available at https://<access_gateway_appliance-IP address>:9443. You can use this console to modify the Access Gateway Appliance configuration.

After installing Access Gateway Appliance, you must configure Access Gateway Appliance using the Configuration console to make it available in Administration Console.

NOTE: If you are using an existing IP address of Access Gateway Appliance and the appliance uses multiple NIC cards in your cluster setup, ensure that you configure the primary IP addresses for all the interfaces before configuring Access Gateway Appliance.

Also, ensure that you assign the IP addresses to the interfaces in the same order as in the existing Access Gateway Appliance.

Perform the following steps to configure Access Gateway Appliance:

  1. Access the https://<access_gateway_appliance-IP address>:9443 URL to launch the Configuration console.

  2. Log in as a root user.

  3. Click Access Gateway Configuration under Access Gateway Tools.

  4. Specify the Administration Console URL, username, and password.

  5. Click Save.

You can use the following configuration options in the console based on your requirement:

Managing Digital Certificates

You can perform the following actions using the Digital Certificates tab:

  • Add and activate certificates for Access Gateway Appliance.

  • Create your own certificate and then get it signed by a CA.

  • Use an existing certificate and key pair.

IMPORTANT: You can manage the certificates only for the Access Gateway Appliance (port 9443).

Access Gateway Appliance is shipped with a self-signed digital certificate. Instead of this self-signed certificate, it is recommended to use a trusted server certificate signed by a trusted CA, such as Digicert or Equifax.

To use and activate the digital certificate, perform the following tasks:

Using the Digital Certificate Tool

Creating a New Self-Signed Certificate

  1. Log in to the Configuration console (https://<access_gateway_appliance-IP address>:9443) as the root user.

  2. Click Digital Certificates.

  3. In the Key Store list, select Web Application Certificates.

  4. Click File > New Certificate (Key Pair) and specify the following information:

    1. General

      Alias: Specify a name that you want to use to identify and manage this certificate.

      Validity (days): Specify for how long you want the certificate to remain valid.

    2. Algorithm Details

      Key Algorithm: Select either RSA or DSA.

      Key Size: Select the preferred key size.

      Signature Algorithm: Select the preferred signature algorithm.

    3. Owner Information

      Common Name (CN): Specify the name that exactly matches the server name in the URL for browsers to accept the certificate for SSL communication.

      Organization (O): (Optional) Specify the organization. For example, My Company.

      Organizational Unit (OU): (Optional) Specify the organizational unit as mentioned in the directory, such as a department or division. For example, Purchasing.

      Two-letter Country Code (C): (Optional) Specify the two-letter country code. For example, US.

      State or Province (ST): (Optional) Specify the state or the province name. For example, Utah.

      City or Locality (L): (Optional) Specify the city name. For example, Provo.

  5. Click OK.

    After the certificate is created, it is self-signed.

  6. Make the certificate official. See Getting Your Certificate Officially Signed.

Getting Your Certificate Officially Signed

  1. On the Digital Certificates page, select the certificate that you just created.

  2. Click File > Certificate Requests > Generate CSR.

  3. Complete the process of emailing your digital certificate to a certificate authority (CA), such as Digicert.

    The CA takes your Certificate Signing Request (CSR) and generates an official certificate based on the information in the CSR. The CA then emails the new certificate and certificate chain to you.

  4. After you have received the official certificate and certificate chain from the CA, perform the following actions:

    1. Revisit the Digital Certificates page.

    2. Click File > Import > Trusted Certificate.

    3. Click Browse and select the trusted certificate chain that you received from the CA.

    4. Click OK.

    5. Select the self-signed certificate.

    6. Click File > Certification Request > Import CA Reply.

    7. Click Browse and select the official certificate to be used to update the certificate information.

      On the Digital Certificates page, the name in the Issuer column for your certificate changes to the name of the CA that stamped your certificate.

  5. Continue with activating the certificate, as described in Activating the Certificate.

Using an Existing Certificate and Key Pair

When you use an existing certificate and key pair, use the .P12 key pair format.

  1. Log in to the Configuration console (https://<access_gateway_appliance-IP address>:9443) as the root user.

  2. Click Digital Certificates.

  3. In the Key Store menu, select JVM Certificates.

  4. Click File > Import > Trusted Certificate.

  5. Click Browse and select your existing certificate.

  6. Click OK.

  7. Click File > Import > Trusted Certificate.

  8. Click Browse and select your existing certificate chain for the certificate that you selected in Step 4.

  9. Click OK.

  10. Click File > Import > Key Pair.

  11. Click Browse and select your .P12 key pair file and specify your password if required.

  12. Click OK.

  13. Continue with Activating the Certificate.

Activating the Certificate

  1. On the Digital Certificates page, in the Key Store list, select Web Application Certificates.

  2. Select the certificate that you want to make active and click Set as Active, then click Yes.

  3. Select the certificate and click View Info to verify that the certificate and certificate chains are created appropriately.

  4. Click Close when you have activated the certificate successfully.

  5. Restart the Jetty service by using the systemctl restart vabase-jetty.service command.
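The checks behind the View Info step can also be run from a shell against an exported PEM copy of the certificate. The following is an added example, not vendor code: it tests whether the issuer still equals the subject (no CA reply imported), whether the CN matches the console host name, and how long the certificate remains valid. The host name agw.example.com, the function names, and the generated sample certificate are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not vendor code). Each check returns 0 for "yes", 1 for "no".

# Subject equals issuer: no CA reply has been imported yet.
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# Print the Common Name (CN) from the subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# CN must exactly match the host name used in the console URL.
cert_cn_matches() { [ "$(cert_cn "$1")" = "$2" ]; }

# Certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the public key size in bits.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Constructed sample: a throwaway 30-day self-signed certificate for the
# hypothetical host agw.example.com, standing in for the exported one.
SAMPLE_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=agw.example.com" \
    -keyout "$SAMPLE_DIR/key.pem" -out "$SAMPLE_DIR/cert.pem" 2>/dev/null

# Summarize the findings for certificate $1, host $2, minimum days $3.
report() {
    cert_is_self_signed "$1" && echo "WARN self-signed (issuer = subject)"
    cert_cn_matches "$1" "$2" || echo "FAIL CN '$(cert_cn "$1")' != $2"
    cert_valid_for_days "$1" "$3" || echo "WARN expires within $3 days"
    echo "INFO key size $(cert_key_bits "$1") bits"
}
report "$SAMPLE_DIR/cert.pem" agw.example.com 60
```

To check the certificate that the console actually serves after the Jetty restart, save it with `openssl s_client -connect <access_gateway_appliance-IP address>:9443 </dev/null | openssl x509 -out live.pem` and pass `live.pem` to `report`.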

Setting Administrative Passwords

You can modify passwords and SSH access permissions for an Access Gateway Appliance root administrator in the Administrative Passwords tab. Depending on your password policy requirements, modify passwords periodically or reassign responsibility of the Access Gateway Appliance administration to another person.

NOTE: vaadmin helps in managing virtual-machine-level settings and service configurations that affect an entire service and its interactions with other services.

On the Administrative Passwords page, the vaadmin user can change the vaadmin user password and the root user can change the root password. Perform the following steps to change the password:

Managing the administrative access as the vaadmin user:

  1. Log in to the Configuration console (https://<access_gateway_appliance-IP address>:9443) as the vaadmin user.

  2. Click Administrative Passwords.

  3. Specify a new password for the vaadmin administrator. You must also specify the current vaadmin password.

  4. Click OK.

Managing the administrative access as the root user:

  1. Log in to the Configuration console (https://<access_gateway_appliance-IP address>:9443) as the root user.

  2. Click Administrative Passwords.

  3. Specify a new password for the root administrator. You must also specify the current root password.

  4. (Optional) Select or deselect Allow root access to SSH.

  5. Click OK.

Performing an Online Update

Using Additional Hard Disk

By default, the var directory is in the boot partition. If the logs fill the space of the var directory, Access Gateway Appliance can stop working. Therefore, you can add a hard disk for the var directory.

You can use the additional hard disk that you added before configuring Access Gateway. To use the additional hard disk, perform the following steps:

  1. Log in to the Configuration console (https://<access_gateway_appliance-IP address>:9443), then click /var Mount Configuration.

  2. Select the appropriate hard disk and the file system type.

  3. Click Save.

  4. Reboot the Access Gateway Appliance.

Rebooting or Shutting Down the Appliance

You might need to shut down or restart Access Gateway Appliance for maintenance. It is recommended to use the console options instead of the Power Off/On option in the hypervisor's VM management tool.

  1. Log in to the Configuration console (https://<access_gateway_appliance-IP address>:9443) as the root user.

  2. In the upper right corner of the Appliance Configuration pane, click Reboot or click Shutdown.