Illumio Core 22.2 Install, Configure, Upgrade

Install the PCE and UI

Configure PCE as an SNC (Single Node Cluster)

The following section describes how to install and configure the PCE in the evaluated configuration as a Single Node Cluster (SNC).

When installing the PCE and UI packages together, you perform the following high-level steps:

  1. Prepare for installation by planning your deployment and reviewing the prerequisites, such as capacity planning and OS setup. See PCE Installation Planning for information.

  2. Download the software.

  3. Install the PCE and UI software.

  4. Configure the PCE.

  5. (Optional) Validate TLS certificate and private key.

  6. Install the TLS certificate and private key.

  7. Verify the runtime environment was configured correctly.

  8. Start the PCE.

  9. Initialize the PCE.

  10. Install Virtual Enforcement Nodes (VENs) to enable the PCE to manage your workloads, as described in the VEN Installation and Upgrade Guide.

    At this point, the PCE is up and running, receiving communication about workloads from the VENs.

    After installing the PCE software, perform these additional procedures to complete your PCE deployment.

  11. Configure backups.

  12. (Optional) Configure the internal syslog. See (Optional) Configure PCE Internal syslog for information.

Note

The following tasks describe installing the PCE as an MNC. When you install the PCE as an SNC, you do not repeat the steps on the additional nodes. You can disregard those instructions in the following tasks.

Download the Software

For a multi-node cluster:

  1. Download the software from the Illumio Support portal (login required).

  2. On the core nodes only, copy the Illumio PCE UI RPM file to the /tmp folder. The following steps refer to this file as illumio_ui_rpm.

  3. On each node in the cluster, copy the Illumio PCE software RPM file to the /tmp folder. The following steps refer to this file as illumio_pce_rpm.

For a single-node cluster:

  1. Download the software from the Illumio Support portal (login required).

  2. Copy the Illumio PCE UI RPM file to the /tmp folder. The following steps refer to this file as illumio_ui_rpm.

  3. Copy the Illumio PCE software RPM file to the /tmp folder. The following steps refer to this file as illumio_pce_rpm.

Install the PCE as an SNC

As root, run the following command to install the PCE software (substitute the filename of the RPM you downloaded):

$ rpm -ivh illumio-pce-22.2.30x.x86_64.rpm

Set the login shell of the ilo-pce service account to nologin so that the account cannot be used for interactive logins:

$ usermod -s /sbin/nologin ilo-pce

Reboot the OS:

$ reboot

Install the PCE and UI Packages

The packages to install depend on the type of PCE node:

  • Core nodes: Two packages, the PCE RPM and UI RPM.

  • Data nodes: One package, the PCE RPM.

  1. On each core node in the cluster, log in as root and install the PCE RPM:

    $ rpm -Uvh illumio_pce_rpm

    For illumio_pce_rpm, substitute the path and filename of the software you downloaded from the Illumio Support portal.

  2. On each core node in the cluster, log in as root and install the UI RPM:

    $ rpm -Uvh illumio_ui_rpm

    For illumio_ui_rpm, substitute the path and filename of the software you downloaded from the Illumio Support portal.

  3. On each data node in the cluster, log in as root and install the PCE RPM:

    $ rpm -Uvh illumio_pce_rpm

    For illumio_pce_rpm, substitute the path and filename of the software you downloaded from the Illumio Support portal.

  4. After installing the RPMs, configure the software using the PCE setup wizard. See Configure the PCE for information.

Values for Your PCE SNC

The PCE setup wizard prompts for the following runtime parameters. Enter the values shown.

Runtime Parameter                                               Value to Use
--------------------------------------------------------------  ----------------------------------------------------------------
service_discovery_fqdn                                          x.x.x.x (the IP address of the PCE, that is, this node)
cluster_public_ips / cluster_fqdn                               Auto-generated; accept the generated value
node_type                                                       snc0
datacenter [dc1]                                                Leave as the default (dc1)
front_end_https_port                                            8443 (the default port)
web_service_private_key                                         Private key for the SNC domain, for example /etc/pki/tls/private/your_snc_domain.key
web_service_certificate                                         Certificate bundle, for example /etc/pki/tls/certs/good_cert_bundle.crt
trusted_ca_bundle                                               Trusted CA certificate bundle, for example /etc/pki/tls/certs/good_cert_bundle.crt
email_address                                                   noreply@your-snc-domain
email_display_name                                              noreply (the default)
service_discovery_encryption_key                                Leave blank (press Enter)
smtp_relay_address                                              127.0.0.1:587 (the default)
reporting_datastore: data_dir                                   Leave as the default (press Enter)
syslog_event_export_format                                      json (the default)
insecure_tls_weak_ciphers_enabled [true]                        false (the default of true permits weak cipher suites; enter false)
standby_management_database: data_dir                           Leave as the default (press Enter)
Save to configuration /etc/illumio-pce/runtime_env.yml [Y/n]?   Y
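Step 5 of the procedure (validate the TLS certificate and private key) is optional, but the wizard prompts above accept the key, certificate bundle and trusted CA bundle paths without checking that they belong together. The following shell function is an added example, not Illumio tooling and not part of the original page: it confirms that the private key matches the leaf certificate, that the leaf is not expired or about to expire, and that the leaf chains to the trusted CA bundle alone. It assumes the openssl command-line tool is installed; because the paths in the wizard table are placeholders, the demo at the end generates a throwaway self-signed certificate and a second, unrelated key as constructed input.

```sh
#!/bin/sh
# Added example, not Illumio tooling: check the key, certificate bundle and
# trusted CA bundle before entering their paths in the PCE setup wizard
# (web_service_private_key, web_service_certificate, trusted_ca_bundle).
# Assumption: the openssl CLI is installed.
#
#   validate_tls_material KEY CERT_BUNDLE CA_BUNDLE
# Prints "OK" or a "FAIL: reason" line; returns 0 on success, 1 otherwise.
validate_tls_material() {
    key=$1; cert=$2; ca=$3
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "FAIL: private key unreadable or encrypted: $key"; return 1; }
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "FAIL: certificate unreadable: $cert"; return 1; }
    # The public key derived from the private key must equal the public key in
    # the leaf certificate (the first certificate in the bundle).
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    cpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    [ "$kpub" = "$cpub" ] \
        || { echo "FAIL: private key does not match certificate"; return 1; }
    # The leaf must be valid now and must not expire within 30 days (2592000 s).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL: certificate expired or expires within 30 days"; return 1; }
    # Chain building: intermediates in the bundle are untrusted input; only the
    # CA bundle is trusted, and the system default trust store is disabled.
    openssl verify -no-CAfile -no-CApath -CAfile "$ca" -untrusted "$cert" "$cert" \
        >/dev/null 2>&1 \
        || { echo "FAIL: certificate does not chain to the trusted CA bundle"; return 1; }
    echo "OK"
}

# Constructed demo material: a throwaway self-signed certificate (not a real
# PCE certificate) plus a second key that does not belong to it.
DEMO_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=pce.example.test" \
    -keyout "$DEMO_DIR/snc.key" -out "$DEMO_DIR/snc.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$DEMO_DIR/other.key" >/dev/null 2>&1

# The self-signed cert doubles as its own trusted CA bundle for the demo.
for k in snc other; do
    printf '%s.key: ' "$k"
    validate_tls_material "$DEMO_DIR/$k.key" "$DEMO_DIR/snc.crt" "$DEMO_DIR/snc.crt" || true
done
```

On a real node, run it against the three paths you intend to give the wizard, for example `validate_tls_material /etc/pki/tls/private/your_snc_domain.key /etc/pki/tls/certs/good_cert_bundle.crt /etc/pki/tls/certs/good_cert_bundle.crt`, and only proceed when it prints OK. The chain check deliberately disables the system trust store so that the result reflects the bundle the PCE will actually trust.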

After you complete the setup wizard prompts listed above, edit /etc/illumio-pce/runtime_env.yml and set the following additional runtime environment parameters to the values specified:

Runtime Parameter                  Value to Use   Description
---------------------------------  -------------  -------------------------------------------------------------------------------
common_criteria_events_enabled     true           Enables the TLS event messages.
min_tls_version                    tls1_2         Sets the minimum TLS version the PCE accepts.
max_failed_login_attempts          5              The number of failed authentication attempts allowed before the user is locked out.
account_lockout_duration_minutes   15             How long (in minutes) further authentication attempts are denied after the maximum number of attempts has been reached.

Setting min_tls_version to tls1_2 means that all communications to and from the PCE are protected by TLS 1.2 or later. This includes communications between the PCE and the VENs, between the PCE and the web console, and between the PCE and remote syslog servers. When security policies are created or updated on the PCE, they are transmitted to the VENs over this TLS-protected channel.

Runtime Parameter                              Value to Use
---------------------------------------------  ------------------------------------------------------------
server_load_balancer                           Enable HSTS
strict_transport_security_max_age_in_seconds   31536000 (the HSTS max-age in seconds; 31536000 is one year)

If the IP address of the PCE is a public IP address, also configure internal_service_ip in the same file. (This is not required if a private IP address is assigned to the NIC of the PCE node.)

Runtime Parameter      Value to Use
---------------------  ----------------------------------
internal_service_ip    Enter the node public IP address.

To add a customized login warning banner, configure the runtime parameter login_banner.

Runtime Parameter      Value to Use
---------------------  ----------------------------------------------------------------------------------------------
login_banner           Sets up a warning banner that appears when logging in to the PCE. Enter any desired string. For example:

login_banner: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

Save the changes and exit /etc/illumio-pce/runtime_env.yml.
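The parameters above (together with insecure_tls_weak_ciphers_enabled from the wizard table, whose default of true has to be overridden) are the hardening settings of the evaluated configuration, and nothing in the procedure re-checks them before the PCE is started. The following POSIX shell script is an added example, not part of the Illumio documentation or product: it audits a runtime_env.yml against those values and reports every missing or wrong parameter. It assumes each audited key is a top-level "key: value" scalar (nested blocks such as reporting_datastore are not checked), and it runs against two constructed sample files, a weak one and a hardened one, rather than a real PCE configuration.

```sh
#!/bin/sh
# Added example, not part of Illumio's documentation or tooling: audit
# /etc/illumio-pce/runtime_env.yml against the evaluated-configuration values
# above so drift (e.g. insecure_tls_weak_ciphers_enabled left at its default
# of true) is caught before the PCE is started.
# Assumption: each audited key is a top-level "key: value" scalar; nested
# blocks such as reporting_datastore are not checked.

# Expected key=value pairs, one per line, taken from the tables above.
EXPECTED='common_criteria_events_enabled=true
min_tls_version=tls1_2
max_failed_login_attempts=5
account_lockout_duration_minutes=15
insecure_tls_weak_ciphers_enabled=false
strict_transport_security_max_age_in_seconds=31536000'

# get_param FILE KEY: print the value of the first top-level "KEY: value" line,
# with surrounding whitespace and a trailing "# comment" stripped.
get_param() {
    awk -v k="$2" '
        index($0, k ":") == 1 {
            v = substr($0, length(k) + 2)
            sub(/[ \t]+#.*$/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# check_runtime_env FILE: print one line per missing or wrong parameter and
# return the number of findings (0 when the file matches the configuration).
check_runtime_env() {
    file=$1; bad=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(get_param "$file" "$key")
        if [ -z "$got" ]; then
            echo "MISSING  $key: want '$want'"; bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            echo "WRONG    $key: got '$got', want '$want'"; bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed sample files (not real PCE configurations) to exercise the check.
SAMPLE_DIR=$(mktemp -d)
# Weak: wizard default for weak ciphers kept, TLS floor too low, lockout unset.
cat > "$SAMPLE_DIR/weak.yml" <<'EOF'
node_type: snc0
front_end_https_port: 8443
insecure_tls_weak_ciphers_enabled: true
min_tls_version: tls1_1
common_criteria_events_enabled: true
max_failed_login_attempts: 5
strict_transport_security_max_age_in_seconds: 31536000
EOF
# Hardened: the values this section tells you to set.
cat > "$SAMPLE_DIR/hardened.yml" <<'EOF'
node_type: snc0
front_end_https_port: 8443
common_criteria_events_enabled: true
min_tls_version: tls1_2
max_failed_login_attempts: 5
account_lockout_duration_minutes: 15
insecure_tls_weak_ciphers_enabled: false   # wizard default is true
strict_transport_security_max_age_in_seconds: 31536000
login_banner: Authorized use only.
EOF

for f in weak hardened; do
    echo "== $f.yml"
    if check_runtime_env "$SAMPLE_DIR/$f.yml"; then
        echo "matches the evaluated configuration"
    fi
done
```

On a PCE node, run `check_runtime_env /etc/illumio-pce/runtime_env.yml` after saving the file and before starting the PCE; a non-zero return value means at least one hardening parameter is absent or set to a value other than the one required. The sample weak.yml produces three findings (the weak-cipher flag, the TLS floor and the missing lockout duration); hardened.yml produces none.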