Ways to Install the VEN
In general, there are two main ways to install VENs. The methods have much in common and achieve the same goal: VEN installation and upgrade.
Using the VEN Library integrated into the PCE. See VEN Installation & Upgrade Using VEN Library.
Manual VEN installation on individual workloads and endpoints using your own software deployment tools. See VEN Installation & Upgrade with VEN CTL.
About VEN Installation Using the VEN Library
Note
For Server VENs, the VEN Library installation and upgrade feature in the PCE is available for the RPM, Debian, and Windows distributions of the VEN software. Other operating systems are not supported for Server VENs.
For Endpoint VENs, the VEN Library installation and upgrade feature in the PCE is available for Windows and macOS versions of the VEN software. Other operating systems are not supported for Endpoint VENs.
Using the VEN Library in the PCE to install the VEN is more automated than installing with the VEN CTL, but it gives you less control over optional aspects of VEN installation and upgrade.

The VEN Library method of installation utilizes a VEN software bundle. The bundle is a collection of a particular VEN software version for all supported workload and endpoint operating systems.
In the PCE, you load a VEN software bundle into the VEN library. The VEN library is a collection of all VEN software versions you have loaded.
For VEN installation:
In the PCE web console, you set a default VEN version.
In the PCE web console, you generate a pairing script to install and activate the VEN on target workloads and endpoints.
You copy the pairing script to the target workload or endpoint and run it.
The pairing script:
Determines the OS and CPU architecture of the target workload or endpoint.
Securely transfers the VEN software to the target workloads or endpoints.
Installs the VEN software.
Pairs the VEN with its PCE.
For VEN upgrade, use the VEN Library in the PCE to upgrade all or some of your workloads or endpoints.
Some features are not available with the VEN Library method, such as Kerberos-based authentication and custom settings with environment variables.
Note
Setting up the VEN Library in the PCE is required only for Illumio On-premises customers. If you are an Illumio Cloud customer, Illumio Operations performs this task for you.
About VEN Installation Using the VEN CTL
For installation procedures, see VEN Installation & Upgrade with VEN CTL.
This method gives you greater control over optional aspects of VEN installation, pairing, and upgrade.

The VEN installation method using the CTL starts with downloading a VEN package. A VEN package includes the VEN software for a single supported workload or endpoint OS and CPU architecture. Installation and upgrade rely on package managers, which are standard native OS tools.
For VEN installation with this method:
Determine the OS and CPU architecture of the target workloads or endpoints.
Download the appropriate VEN packages.
For example, installing a Server VEN on CentOS 8 x86-64 requires you to download the VEN package illumio-ven-XXX.c8.x86_64.rpm.
Note
You are responsible for securely transferring the VEN software to the target workload or endpoint with your own software deployment mechanisms.
Optionally, set the following environment variables or command-line options:
Custom installation directories
Custom user and group names
Kerberos-based authentication for VEN-to-PCE communications
Run the native OS installation mechanism.
For example:
rpm -ihv illumio-ven*.rpm
Pair the VEN with its PCE.
You can pair the VEN during installation or after installation using the VEN CTL activate command (illumio-ven-ctl activate <options>).
You can use a “prepare script” to install the VEN software on machine images and activate it at the next boot.
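The VEN CTL steps above, as an added deployment wrapper that is not Illumio's own tooling: it builds the RPM name from the pattern the page shows for CentOS 8, refuses to install a package whose SHA-256 does not match the digest you recorded at download time (the page makes secure transfer your responsibility), then runs the native installer and activation. VEN_VERSION, the distro tag, EXPECTED_SHA256 and the activate options are placeholders you fill in.

```shell
#!/bin/sh
# Added example (not Illumio's own script): RPM hosts only, following the
# page's steps: detect arch, pick package, verify transfer, rpm -ihv, activate.
set -eu

# Package file name from the pattern on the page: illumio-ven-XXX.c8.x86_64.rpm
ven_rpm_name() {            # $1 version, $2 distro tag (e.g. c8), $3 CPU arch
  printf 'illumio-ven-%s.%s.%s.rpm\n' "$1" "$2" "$3"
}

# Integrity check for the package you copied onto the host with your own tooling.
# Returns 0 only when the file's SHA-256 equals the expected hex digest.
verify_sha256() {           # $1 file, $2 expected digest
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$1" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$1" | cut -d' ' -f1)   # macOS/BSD fallback
  fi
  [ "$actual" = "$2" ]
}

# Install with the native package manager and pair with the PCE.
# Remaining arguments are passed through as the documented <options> of
# "illumio-ven-ctl activate" (placeholder; consult your PCE's pairing script).
install_and_pair() {        # $1 rpm path, $2 expected digest, $3.. activate options
  pkg=$1; digest=$2; shift 2
  verify_sha256 "$pkg" "$digest" || { echo "refusing to install: checksum mismatch for $pkg" >&2; return 1; }
  rpm -ihv "$pkg"
  illumio-ven-ctl activate "$@"
}

# Guarded entry point so the functions above can be sourced without side effects.
if [ "${1:-}" = "--run" ]; then
  VEN_VERSION="XXX"                # placeholder: the VEN version you downloaded
  DIST_TAG="c8"                    # placeholder: distro tag of the package
  EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder
  ARCH=$(uname -m)                 # step 1: CPU architecture of this host
  PKG=$(ven_rpm_name "$VEN_VERSION" "$DIST_TAG" "$ARCH")
  shift
  install_and_pair "./$PKG" "$EXPECTED_SHA256" "$@"
fi
```

Run as `sh deploy-ven.sh --run <activate options>` after copying the package to the host; the script exits non-zero before touching rpm if the digest does not match.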
If you installed the VEN with the VEN CTL and packaging CLI and customized installation options (such as a custom installation directory or an alternate VEN user), you cannot later upgrade the VEN by using the VEN Library in the PCE. You must upgrade the VEN using the workload or endpoint's OS package upgrade process.
Tip
If you try to upgrade a VEN using the VEN Library in the PCE but nothing happens, verify whether the VEN was installed by using the VEN CTL.
When to Use Which Method
You can use both methods at different stages of your VEN installation.
Installation Method | Use Cases
---|---
VEN Library in the PCE |
VEN CTL | To obtain more control over VEN installation and upgrade with a proprietary software distribution method
VEN-to-PCE Authentication
Illumio Core provides the following mechanisms for authentication between the VEN and the PCE:
VEN pairing with the PCE
Kerberos authentication with the PCE
While you can use one or both mechanisms across your organization, note that they are mutually exclusive for the same workload.
Important
This guide assumes that you already have a functional Kerberos service with which to authenticate.
VEN Authentication by Pairing with PCE
This is the default mechanism. When you install a VEN on a workload, the VEN is activated with an activation code generated by the PCE. The activation code is an identifier passed to the VEN software at activation.
After the VEN is activated, it communicates with the PCE over a secure connection. This process of activating a VEN is referred to as pairing it with the PCE. The term activation also applies when installing the VEN package directly on a workload by using the VEN CTL.

About the VEN Activation Code
The activation code is an identifier passed to the VEN software at activation. It is obtained from the pairing key. An activation code can be created for one-time use for a single workload or multiple uses for many workloads.
You can get an activation code in the following ways:
In the PCE web console, create a Pairing Profile. In the profile, you can specify one-time use or unlimited use for the activation code.
With the REST API. For information, see "Create a Pairing Key" in the REST API Developer Guide.
Activation Details
An activation code is used only after initially installing the VEN. During activation, the PCE generates an agent token. The VEN stores the agent token in a local file on the workload. The PCE stores the hash of the agent token. The VEN uses the agent token to uniquely authenticate itself to the PCE. From that point forward, only the agent token is used in VEN-to-PCE communication.
The VEN communicates with the PCE using HTTPS over Transport Layer Security (TLS) for REST calls and TCP over TLS for the events channel. Additionally, a clone token is generated. If an agent token is mistakenly or maliciously reused on another workload, the clone token is used to detect the condition and disambiguate the hosts. The clone token is periodically rotated. The agent token is never rotated.
VEN Authentication via Kerberos
You can configure the PCE and VEN to rely on authentication by a pre-configured Kerberos-based system such as Microsoft Active Directory.
Note
Kerberos-based authentication is supported when you install the VEN by using the VEN CTL. It is not supported when you use the VEN Library in the PCE to install the VEN.

The Key Distribution Center (KDC) is your pre-configured Kerberos service; the VEN is a Kerberos client; and the PCE is a Kerberos resource.
The VEN requests a session key or passes its ticket granting ticket (TGT).
The KDC returns a service ticket and session key.
The VEN passes the authenticated service ticket to the Kerberos-protected PCE.
For information about setting up Kerberos for VEN authentication with the PCE, see Set up Kerberos Authentication on PCE.
For information about pairing workloads via Kerberos for each operating system, see the "Kerberos for Windows VEN-to-PCE Authentication" and "Kerberos for Linux VEN-to-PCE Authentication" topics.
Additionally, you can use the Illumio Core REST API to set up VEN authentication with the PCE via Kerberos. See the "Workload Operations" and "Bulk Traffic Loader" topics in the REST API Developer Guide for information.
VEN-unactivated Golden Masters
When you create machine images for faster deployment of the VEN, consider preparing them to pair the VEN with the PCE the first time the workload is booted. See Prepare Golden Master for Workload Installation for information.
Upgrading from pre-20.2 to Later Versions
When upgrading from a PCE version pre-20.2 to a later version, stopped VENs that have sent a goodbye message to the PCE will have their status value set to stopped. During the upgrade, this procedure can cause a burst of events to be emitted to the PCE event stream.
Reduced Banners During VEN Upgrades
The user interface experience on VENs has been enhanced. You will no longer see multiple banners during VEN upgrades. In lieu of an additional banner being displayed, a tally will indicate current upgrade status, show what process is suspended, or display what process is experiencing issues during the upgrade.