Skip to main content
Version: 4.0.0

Networking Operations

Introduction

This article provides instructions for performing networking operations such as changing the PowerScale IP address, updating appliance network settings, and managing certificates for secure communication.

Change PowerScale IP Address

important

During this procedure, there will be an Eyeglass service interruption. Any configuration items added, updated, or deleted on the source will not be synchronized to the target until the procedure is completed.

  1. Prepare Eyeglass for the IP address change by disabling configuration replication.

    Disable from Eyeglass UI

    1. Log into the Eyeglass web page.

    2. Click Jobs to open the Jobs module.

    3. Select all configuration replication jobs. You can use the checkbox at the top of the Job Name column.

    4. Scroll down the Job list and confirm that all Jobs have the state User Disabled.

      note

      If a job is already in Policy Disabled state because the related SyncIQ policy is disabled, it will remain in this state. Eyeglass also does not run configuration replication for jobs that are Policy Disabled, so this state is acceptable to proceed with the Edit IP address procedure.

    5. Click Select a bulk action.

    6. Select Disable.

    Disable from Command Line

    Alternatively, wait for all running Configuration Replication jobs to finish, then run the following command on the Eyeglass Appliance:

    igls admin schedules set --id Replication --enabled false

  2. Change the IP Address on the PowerScale Cluster itself.

  3. Update Eyeglass for the new IP Address information.

  4. Ensure networking between Eyeglass and the new IP address is set up.

    1. Login to the Eyeglass web page.
    2. Click Inventory View.
    3. Right click your desired cluster.
    4. Click Edit.
    5. Enter the new IP Address in the SmartConnect Service IP field and Submit.
    important

    Once you submit, you cannot edit the IP address again without having run the Eyeglass Replication Task at least once.

  5. Enable Eyeglass configuration replication.

    1. Enable one Configuration Replication job.
      1. Select: Select a bulk action, then select: Enable/Disable.
      2. The Job State will be updated to the last known state.
    2. Wait for the next Replication Task to begin (within 5 minutes it will start)
      1. Check the status of the Configuration Replication job from the Jobs/Running jobs window.
      2. The Job should run without any error related to unknown source or target.
      3. If no errors, enable the remaining Configuration Replication jobs.
    3. Procedure complete.

Update Appliance Network Settings

  1. SSH to the Eyeglass appliance if this access is available, or use the console to the Eyeglass Appliance Virtual Machine from vSphere.
  2. Log in as admin and switch to the root user by using the sudo su command, or log in directly as root.
  3. Enter yast. The YaST2 menu will open, with Software selected by default.
  4. Navigate to Network Devices using the down arrow key. Then:
    • Use the right arrow key to move to the menu on the right side.
    • Use the down arrow key to select Network Settings.
  5. Press the Enter key to confirm the selection of Network Settings.

Change the Eyeglass Appliance IP Address

  1. Open the Network Settings window.
  2. Use the Tab key to highlight the "Edit" option in the Network Settings window and press Enter.
  3. In the Network Card Setup window, use the Tab key to navigate to the field you want to update and make the necessary changes.
  4. Once all required changes are made, use the Tab key to navigate to the "Next" option and press Enter. This will return you to the Network Settings window.
  5. If no further updates are needed, use the Tab key to navigate to "OK" and press Enter to save your changes.
    • If additional updates are needed, follow the instructions in the relevant section.

Change the Eyeglass Appliance DNS Settings

  1. Start at the Network Settings window.
  2. Use the right arrow key to highlight the Hostname/DNS option.
  3. Use the Tab key to navigate to the field that needs to be updated and make the required change.
  4. Use the Tab key to navigate to OK and press Enter to complete.

Eyeglass Root Password

  1. Log in as admin using SSH.
  2. Execute the command sudo -s.
  3. Run the command passwd.
  4. Enter the new password and re-type it to confirm.

Certificate Management

Replace Self-signed Certificate on Appliance GUI - Quick Replace

The following procedure can be used to generate a new self-signed certificate and apply it on the Eyeglass appliance.

Prerequisites

note

This procedure only replaces the 443 main certificate. If you want to replace the certificate used for websockets and the WebUI self-signed certificate, follow the instructions for an external CA signing process.

Configuration Steps

  1. SSH to the Eyeglass appliance as admin

  2. Switch to root user.

  3. Stop the Eyeglass SCA service

    systemctl stop sca

  4. Stop the lighttpd service

    systemctl stop lighttpd

  5. Move the existing SSL files

    mv /opt/superna/sca/.secure/ssl.pem /tmp/ssl.pem.old

  6. Generate new SSL keys

    /opt/superna/bin/create_ssl_keys.sh /opt/superna/sca/.secure/ssl

  7. Change ownership of the new SSL files

    chown sca:users /opt/superna/sca/.secure/*

  8. Restart the Eyeglass SCA service

    systemctl start sca

  9. Restart the lighttpd service

    systemctl start lighttpd

  10. Done.

Create Certificate Authority Root Cert on the Eyeglass Appliance

This procedure can be used if you do not have an external CA within your organization, and need to sign a Cert to change the certificate on Eyeglass without needing use an external CA. These steps will create a CA Root key, and CA Root cert on the appliance, and create a CA signing cert to be used for signing requests for the appliance.

  1. SSH to the Eyeglass appliance as admin user.

  2. Switch to root:

    sudo -s

  3. Create a directory for the CA

    mkdir -p /opt/ca

  4. Change to the CA directory

    cd /opt/ca

  5. Create a Root CA Key for signing other certificates

    openssl genrsa -passout pass:foobar -out rootCA.key 2048
    • Replace foobar with your desired passphrase.
    important

    Store this passphrase securely as it will be required to sign certificates in the future.

  6. At this point, you will have:

    • A private root key (rootCA.key).
    • A Root CA certificate (rootCA.pem).
    • If you need all clients/PCs/browsers to accept your authorized certificate, you will need to add your Root CA in their local trusted stores (e.g., OS’s trusted certificates repositories).

  7. Self-sign the CA's signing certificate

    openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem
    • Replace 3650 with the desired validity period in days (e.g., 10 years = 3650 days).
    • During this step, you will be prompted to enter details for the Root CA certificate (e.g., country, province, organization). Provide values specific to your organization.

  8. Create the appliance Certificate Request and Sign it with the Root CA Certificate:

    1. Create the private key:

      openssl genrsa -out eyeglass.key 2048

    2. Create the Certificate Request:

      openssl req -new -key eyeglass.key -out eyeglass.csr
      note

      You will be required to enter information about your environment, such as country, city, company, and email. Optionally, set a passphrase to protect the request.

    3. Sign the request with the Root CA certificate key and signing certificate created earlier:

      openssl x509 -req -in eyeglass.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out eyeglass.cer -days 365
      • Replace 365 with the desired validity period in days to extend or reduce the certificate's validity.

    4. Check the signed certificate:

      openssl x509 -in eyeglass.cer -text -noout

  9. Follow the instructions in this guide to install the certificate into the appliance.

Create Certificate Request in the Eyeglass Appliance for an External Certificate Authority Server

Use this procedure if you have an External CA server to sign certificates for your organization.

  1. Create configuration file

    Create a configuration file inside the /tmp directory. You can name it iglscert.cnf. Below is an example:

    [ req ]
    default_bits       = 2048
    prompt             = no
    encrypt_key        = no
    default_md         = sha256
    distinguished_name = dn
    req_extensions     = v3_req

    [ dn ]
    CN                 = iglscert.superna.local
    emailAddress       = support-team@superna.net
    O                  = SUPRNA
    OU                 = Support Team
    L                  = Ottawa
    ST                 = Ontario
    C                  = CA

    [ v3_req ]
    subjectAltName     = @alt_names

    [ alt_names ]
    DNS.1              = iglscert.superna.local
    DNS.2              = *.superna.local
    • The CN property should use the FQDN of the appliance.
    • The alt_names section should match the FQDN of the appliance and use * to wildcard the hostname.
    • If you want to access by IP address, use IP.1 = x.x.x.x syntax in the CNF file.

  2. Create the Certificate Signing Request (CSR)

    Use the following command to generate a CSR and server key:

    openssl req -new -config /tmp/iglscert.cnf -keyout /tmp/iglscert.key -out /tmp/iglscert.csr

    The path to the private .key file will be needed when installing the signed certificate.

  3. Verify the Certificate Information

    Use the following command to check the certificate requests:

    openssl req -text -noout -verify -in /tmp/iglscert.csr

  4. Sign the CSR

    Take the verified CSR file to your Windows Server CA or other CA to get it signed. The signed certificate must be in Base-64-encoded X.509 format and have the .CER extension.

    Once you have the signed certificate, copy it back to the Eyeglass appliance using a tool like WinSCP.

  5. Follow the instructions in this guide to install the certificate into the appliance.

Install a Signed Certificate in an Eyeglass Appliance

  1. Get the Certificate

    Obtain your certificate in .cer format to complete this procedure.

  2. Locate the Required File

    • Identify the private key (.key file) in the /tmp directory created during the CSR process.
    • Identify the signed certificate file (.cer) from the CA used to sign the CSR request.
    • Ensure the file is in X.509 Certificate CER format.

    Ex.

    • iglscert.key (created from CSR steps above)
    • iglscert.cer (exported signed certificate file from Microsoft CA or third-party CA)

  3. Login to the Eyeglass Appliance

    • SSH into the appliance as the admin user.

    • Switch to root:

      openssl req -text -noout -verify -in /tmp/iglscert.csr

    • Copy the .cer certificate file to Eyeglass using a tool like WinSCP.

  4. Verify the Certificate Format:

    • Run the following command:

      openssl req -text -noout -verify -in /tmp/iglscert.csr

    • If you receive an error such as unable to load certificate, confirm the file is in CER format.

  5. Replace the Certificate:

    • If you did not use an external CA:

      scacli replace-certificate --privateKey=/opt/ca/eyeglass.key --certificate=/opt/ca/eyeglass.cer

    • If you used an external CA:

      • Convert the key file to PEM format:
      openssl rsa -in /tmp/iglscert.key -out /tmp/iglscert.pem
      • Replace the certificate with the new one:
      scacli replace-certificate --privateKey=/tmp/iglscert.pem --certificate=/tmp/iglscert.cer

  6. Browse the Certificate Directory:

    • Navigate to the Eyeglass certificate directory:

      cd /opt/superna/sca/.secure

  7. Backup the Old Certificate:

    • Move the existing .pem file

      cd /opt/superna/sca/.secure

  8. Concatenate the New Certificate:

    • Combine the new key and certificate:

      cd /opt/superna/sca/.secure

  9. Change File Ownership

    • Set the correct ownership for the certificate files:

      chown sca:users /opt/superna/sca/.secure/*

  10. Restart services:

    • Restart the lighttpd and sca services:

      systemctl restart lighttpd sca

  11. Verify in Browser:

    • Log in to the Eyeglass Web UI and verify the certificate using the FQDN. Use a browser to check the certificate’s expiry and validity.

  12. Done

    • The new signed certificate has been installed successfully.

How to Sign a Cert Request and Export a Certificate with Microsoft CA Server

Follow this procedure if you are using a Microsoft CA for signing certificates.

  1. Log in to the Eyeglass Appliance

    SSH to the Eyeglass appliance as the admin user.

  2. Switch to Root:

    Run the following command and enter the admin password when prompted:

    sudo -s

  3. View the CSR File:

    Use the following command to display the contents of the CSR file:

    cat /tmp/iglscert.csr

  4. Prepare the CSR File:

    Copy all the text displayed from the CSR File.

    On a PC with access to the Microsoft Certificate Authority administration GUI, create a new file named iglscert.req.

    Paste the copied contents of the CSR file into this new file and save it.

  5. Submit the CSR to the Microsoft CA:

    Open the Microsoft Certificate Authority administration GUI.

    Right-click the CA server name and select Submit New Request.

    alt text

    Browse to the file you created iglscert.req and submit the request.

  6. Click on the pending folder for the Certificate Authority.

    alt text

  7. Right click the pending request All Tasks and click the Issue option.

    alt text

  8. Click the Issued Certificates folder. Find the Issued Certificate and double click the Cert to display the cert, then select the Details tab.

    alt text

  9. Click the Copy to File option to open the export Cert Wizard. Select the Base 64 x.509 CER format option.

    alt text

  10. Save the CER file as iglscert.cer. Then follow the instructions on how to install a signed certificate above.

Change Appliance Networking Configuration

See Also