
Illumio Install, Configure, and Upgrade Guide 24.2.20

Install a New Standalone NEN

Note

This procedure describes how to perform a new NEN standalone installation where you have not previously installed the NEN as a service on a PCE data node or you have not installed the NEN 2.1.0 standalone service on your own host.

To install a NEN as a standalone NEN:

Note

For standalone NEN hardware requirements, see CPU, Memory, and Storage Requirements.

  1. Download the NEN software from the Illumio Support portal.

  2. Run the following command to install the NEN RPM on the host:

    sudo yum install -y <path_to_Illumio_NEN_rpm>/illumio-nen-<release_number>-<build_number>.x86_64.rpm

  3. Configure the NEN runtime environment settings in one of the following ways:

    • By running the NEN setup command to launch an interactive installation and answering the prompts to configure the NEN runtime environment. (This method creates the NEN runtime environment file and saves it in the correct NEN directory.)

    • By copying a template of the NEN runtime environment file to the required location and then modifying that file.

    To perform an interactive installation:
    1. Enter the following command to start the installation and run the environment setup:

      sudo /opt/illumio-nen/illumio-nen-env setup

    2. Complete the installation by providing the values at the prompts.

    To modify the template runtime environment file:
    1. Copy the NEN runtime environment file from:

      /opt/illumio-nen/illumio/config/templates

    2. Paste it to:

      /etc/illumio-nen/runtime_env.yml

    3. Update the file with the host FQDNs and service discovery certificate information.

    Important

    A standalone NEN cannot communicate with the PCE by using a self-signed service discovery certificate. The NEN requires an X.509 public certificate in PEM format for TLS communication with the PCE.

    # Configuration generated <timestamp>
    install_root: "/opt/illumio-nen"
    runtime_data_root: "/var/lib/illumio-nen/runtime"
    persistent_data_root: "/var/lib/illumio-nen/data"
    ephemeral_data_root: "/var/lib/illumio-nen/tmp"
    log_dir: "/var/log/illumio-nen"
    private_key_cache_dir: "/var/lib/illumio-nen/keys"
    nen_fqdn: <example.com>
    service_discovery_fqdn: <example.com>
    cluster_type: snc0
    service_discovery_private_key: "/var/lib/illumio-nen/cert/server.key"
    service_discovery_certificate: "/var/lib/illumio-nen/cert/server.crt"
    service_discovery_encryption_key: <key>

    Where:

    • nen_fqdn is the hostname of the node where the NEN is installed.

    • service_discovery_fqdn is the hostname of the NEN FQDN.

    • service_discovery_private_key is the directory path of the RSA private key file.

    • service_discovery_certificate is the directory path of the certificate file.

    • service_discovery_encryption_key is a 16-byte hexadecimal base-64 encoded value.

    When adding the encryption key to the template runtime environment file, you create your own value. However, if you are using the interactive NEN installation, the NEN CTL setup command automatically creates this value in the file.

    Note

    Beginning in NEN release 2.4.10, you can add a field to the runtime environment file to configure how frequently the NEN polls Server Load Balancers (SLBs) to discover new virtual servers (VS). For details, see Load Balancers and Virtual Servers for the NEN.

  4. Start the NEN and set the runlevel to 5. The option -svw shows the status of the start operation.

    sudo -u ilo-nen /opt/illumio-nen/illumio-nen-ctl start --runlevel 5 -svw
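The certificate requirements from step 3 can be checked before the NEN is started in step 4. The script below is an added example, not part of the Illumio documentation or tooling: it reads the three service_discovery_* keys shown in the template and checks them with the openssl command line. The function names env_value and check_nen_env are hypothetical, and treating a certificate whose subject equals its issuer as self-signed is an assumption of this example.

```shell
#!/bin/sh
# Added example: pre-flight check of a standalone NEN runtime_env.yml.
# Assumes the flat "key: value" layout of the template and an openssl binary.

# Print the value of a "key: value" line with straight quotes removed.
env_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
        tr -d '"' | sed 's/[[:space:]]*$//'
}

# Return 0 only if the certificate settings pass every check; print failures.
check_nen_env() {  # $1 = path to runtime_env.yml
    rc=0
    fqdn=$(env_value "$1" service_discovery_fqdn)
    key=$(env_value "$1" service_discovery_private_key)
    crt=$(env_value "$1" service_discovery_certificate)

    # The certificate must parse as PEM-encoded X.509.
    if ! openssl x509 -in "$crt" -inform PEM -noout 2>/dev/null; then
        echo "FAIL: '$crt' is not a PEM X.509 certificate"; return 1
    fi
    # Assumption: subject equal to issuer means the certificate is self-signed.
    if [ "$(openssl x509 -in "$crt" -noout -subject_hash)" = \
         "$(openssl x509 -in "$crt" -noout -issuer_hash)" ]; then
        echo "FAIL: certificate is self-signed (subject equals issuer)"; rc=1
    fi
    # The key must be RSA and must match the certificate's public key.
    key_pub=$(openssl rsa -in "$key" -passin pass: -pubout 2>/dev/null) || true
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: '$key' is not the RSA private key for '$crt'"; rc=1
    fi
    # The certificate must be valid for the configured FQDN.
    if ! openssl x509 -in "$crt" -noout -checkhost "$fqdn" |
            grep -q "does match"; then
        echo "FAIL: certificate is not valid for '$fqdn'"; rc=1
    fi
    return $rc
}

# When run as a script, check the file given as the first argument.
[ $# -eq 0 ] || check_nen_env "$1"
```

Run it with the path to the runtime environment file, for example /etc/illumio-nen/runtime_env.yml, as a user that can read the key file.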

NEXT STEPS

  1. Activate the NEN with a pairing key from the PCE. See Obtain Pairing Key and Activate the NEN.

  2. To enable the NEN to integrate with a load balancer, see Enable Load Balancer Support.

  3. (Optional) To configure the NEN as an HA pair, perform the steps in Configure HA Support for the NEN.

Obtain Pairing Key and Activate the NEN

When the NEN is installed as part of a NEN HA pair, you only pair the NEN primary node with the PCE.

  1. Log into the PCE web console.

  2. From the left navigation menu, choose Workloads and VENs > Workloads.

  3. Click Add > Pair Workload with Pairing Profile.

  4. Select any existing pairing profile from the “Pick a Pairing Profile” drop-down menu.

  5. Copy the pairing key value (alphanumeric).

  6. Log in to the NEN host and run the illumio-nen-ctl activate command:

    sudo -u ilo-nen /opt/illumio-nen/illumio-nen-ctl activate <pairing_key_value> --host <pce-address>:<pce-port>

Enable Load Balancer Support

After installing the NEN RPM and activating it with the PCE, enable load balancer support by running the following command on the NEN node:

Note

If the NEN is configured as an HA pair, run this command on the primary node.

sudo -u ilo-nen /opt/illumio-nen/illumio-nen-ctl slb-enable

Move a NEN from one PCE to another PCE