Illumio Core 21.5 Install, Configure, Upgrade

Install and Activate the NEN

This section describes how to:

  • Install and activate a new standalone deployment

  • Upgrade a standalone NEN 21.2.0 installation to a standalone NEN 2.3.10 installation.

  • Upgrade a PCE-based NEN 2.1.0 to a Standalone NEN 2.3.10

  • (Optional) Configure (or revert) HA Support for the NEN

Illumio recommends that you have the following knowledge before installing and administering the NEN:

  • Your organization's security goals.

  • Thorough understanding of Illumio Core.

  • When integrating the NEN with your organization's load balancers, how to configure and manage these network devices.

NEN Software

For the complete list of OS support for the NEN, see NEN OS Support and Package Dependencies on the Illumio Support portal.

To download the NEN software:

  1. Log into the Illumio Support portal and go to Software > NEN.

  2. From the Download NEN Software page, select the 2.3.10 version.

  3. Click the filename in the table to download the software locally.

Install a New Standalone NEN for 2.3.10

Note

This procedure describes how to perform a new NEN 2.3.0 standalone installation where you have not previously installed the NEN as a service on a PCE data node or you have not installed the NEN 2.1.0 standalone service on your own host.

To install a NEN as a standalone NEN:

Note

For standalone NEN hardware requirements, see CPU, Memory, and Storage Requirements.

  1. Download the NEN software from the Illumio Support portal.

  2. Run the following command to install the NEN RPM on the host:

    sudo yum install -y <path_to_Illumio_NEN_rpm>/illumio-nen-<release_number>-<build_number>.x86_64.rpm

  3. Configure the NEN runtime environment settings in one of the following ways:

    • By copying a template of the NEN runtime environment file, modifying that file, and copying it to the correct directory for the NEN

    • By running the NEN setup command to launch an interactive installation and answering the prompts to configure the NEN runtime environment. (This method creates the NEN runtime environment file and saves it in the correct NEN directory.)

    To perform an interactive installation:

    1. Enter the following command to start the installation and run the environment setup:

      cd 
      sudo /opt/illumio-nen/illumio-nen-env setup
    2. Complete the installation by providing the values at the prompts.

    To modify the template runtime environment file:

    1. Copy the NEN runtime environment file from:

      /opt/illumio-nen/illumio/config/templates
    2. Paste it to:

      /etc/illumio-nen/runtime_env.yml
    3. Update the file with the host FQDNs and service discovery certificate information.

      Important

      A standalone NEN cannot communicate with the PCE by using a self-signed service discovery certificate. The NEN requires an X.509 public certificate in PEM format for TLS communication with the PCE.

      # Configuration generated <timestamp>
      install_root: "/opt/illumio-nen"
      runtime_data_root: "/var/lib/illumio-nen/runtime"
      persistent_data_root: "/var/lib/illumio-nen/data"
      ephemeral_data_root: "/var/lib/illumio-nen/tmp"
      log_dir: "/var/log/illumio-nen"
      private_key_cache_dir: "/var/lib/illumio-nen/keys"
      nen_fqdn: <example.com>
      service_discovery_fqdn: <example.com>
      cluster_type: snc0
      service_discovery_private_key: "/var/lib/illumio-nen/cert/server.key"
      service_discovery_certificate: "/var/lib/illumio-nen/cert/server.crt"
      service_discovery_encryption_key: <key>
      

      Where:

      • nen_fqdn is the hostname of the node where the NEN is installed.

      • service_discovery_fqdn is the hostname of the NEN FQDN.

      • service_discovery_private_key is the directory path of the RSA private key file.

      • service_discovery_certificate is the directory path of the certificate file.

      • service_discovery_encryption_key is a 16-byte hexadecimal base-64 encoded value.

        When adding the encryption key to the template runtime environment file, you create your own value. However, if you are using the interactive NEN installation, the NEN CTL setup command automatically creates this value in the file.

  4. Start the NEN and set the runlevel to 5. The option -svw shows the status of the start operation.

    sudo -u ilo-nen /opt/illumio-nen/illumio-nen-ctl start --runlevel 5 -svw
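
A check you can run on the runtime environment file before starting the NEN, as an added example that is not part of the Illumio documentation or tooling: it reads the key and certificate paths from runtime_env.yml and reports a certificate that is not PEM, is self-signed, or does not match the private key. The function names are hypothetical; the file is assumed to use flat `key: value` lines as in the template, and the `openssl` CLI and GNU `stat` are assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example (not Illumio tooling): check the TLS settings in runtime_env.yml
# before starting the NEN. Function names are hypothetical. Assumes flat
# "key: value" lines as in the template, the openssl CLI and GNU stat.

# Print the value of a top-level key with surrounding double quotes removed.
yaml_get() {  # usage: yaml_get <file> <key>
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n1 | tr -d '"\r'
}

# Print one line per problem; return 0 only if no problem was found.
check_nen_tls() {  # usage: check_nen_tls <runtime_env.yml>
  local env="$1" rc=0 cert key k
  for k in nen_fqdn service_discovery_fqdn service_discovery_encryption_key; do
    [ -n "$(yaml_get "$env" "$k")" ] || { echo "$k is not set"; rc=1; }
  done
  cert=$(yaml_get "$env" service_discovery_certificate)
  key=$(yaml_get "$env" service_discovery_private_key)
  [ -r "$cert" ] || { echo "certificate not readable: $cert"; return 1; }
  [ -r "$key" ] || { echo "private key not readable: $key"; return 1; }

  # The NEN needs a PEM-encoded X.509 certificate.
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
     ! openssl x509 -in "$cert" -noout 2>/dev/null; then
    echo "not a PEM X.509 certificate: $cert"; return 1
  fi
  # Subject equal to issuer is treated here as self-signed, which a
  # standalone NEN cannot use to talk to the PCE.
  if [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
       "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
    echo "certificate is self-signed: $cert"; rc=1
  fi
  # The certificate's public key must be the one derived from the private key.
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != \
       "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
    echo "private key does not match certificate"; rc=1
  fi
  # The private key should carry no group or world permission bits.
  case "$(stat -c %a "$key")" in
    *00) ;;
    *) echo "private key is group/world accessible: $key"; rc=1 ;;
  esac
  return "$rc"
}

# Run against a file when invoked with an argument, e.g.
#   bash check_nen_tls.sh /etc/illumio-nen/runtime_env.yml
if [ -n "${1:-}" ]; then check_nen_tls "$1"; fi
```

The permission check on the private key goes beyond what the page requires; drop it if your key file is deliberately shared with a group.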

NEXT STEPS

  1. Activate the NEN with a pairing key from the PCE. See Obtain Pairing Key and Activate the NEN.

  2. To enable the NEN to integrate with a load balancer, see Enable Load Balancer Support.

  3. (Optional) To configure the NEN as an HA pair, perform the steps in Configure HA Support for the NEN.

Obtain Pairing Key and Activate the NEN

When the NEN is installed as part of a NEN HA pair, you only pair the NEN primary node with the PCE.

  1. Log into the PCE web console.

  2. From the left navigation menu, choose Workloads and VENS > Workloads.

  3. Click Add > Pair Workload with Pairing Profile.

  4. Select any existing pairing profile from the “Pick a Pairing Profile” drop-down menu.

  5. Copy the pairing Key value (alphanumeric).

  6. Log in to the NEN host and run the illumio-nen-ctl activate command:

    sudo -u ilo-nen /opt/illumio-nen/illumio-nen-ctl activate <pairing_key_value> --host <pce-address>:<pce-port>

Enable Load Balancer Support

After installing the NEN RPM and activating it with the PCE, enable load balancer support by running the following command on the NEN node:

Note

If the NEN is configured as an HA pair, run this command on the primary node.

sudo -u ilo-nen /opt/illumio-nen/illumio-nen-ctl slb-enable