Pairing Profiles and Scripts
Pairing profiles allow you to specify the properties you want workloads to have when you pair them with the PCE. This includes properties such as specific labels, enforcement state, visibility mode, command line overrides, uses per key, maximum key age, and more.
The pairing profile includes the characteristics to create a pairing script to run on workloads. The pairing script installs the VEN software, activates it, and gets the workloads ready to accept security policy from the PCE. “Pairing” is also known as “installation and activation.” The pairing script contains a unique pairing key (activation code) that identifies the VEN securely so it can authenticate with the PCE. You can configure the pairing key to be used one time or multiple times, and you can configure its time and use limit.
Workflow for Using Pairing Profiles
Creating and using pairing profiles follows this general workflow:
Create a pairing profile.
Generate a pairing script.
Copy the script to the workload and run it.
The following conditions apply when installing VENs by using pairing profiles:
An activation code/pairing key is required. In the PCE web console, you can specify either a single, one-time activation code or an unlimited, multi-use activation code.
The pairing script is not absolutely required. It is an alternative to installing VEN software installation and activation with the VEN CTL (
illumio-ven-ctl).
Which VEN Version is Installed
When installing and activating a VEN using a pairing script generated by a pairing profile:
If you set a specific VEN version in the PCE web console for the pairing profile used to generate the pairing script, that specific VEN version is installed on the workload.
Otherwise, if you have set a default VEN version for all workloads, that VEN version is installed on the workload. The PCE web console shows the current default VEN version in the "Initial VEN Version" dropdown. If no default VEN version is specified, the PCE uses the latest VEN version available in the VEN library.
The Default Pairing Profile
Item | Description |
|---|---|
Name | Default |
Labels | Role=<Blank> Application=<Blank> Environment=Production Location=<Blank> |
Workload State | Visibility Only |
Uses per Key | Unlimited |
Maximum Key Age | Unlimited |
Command Line Overrides | Unlocked (CLI can override anything) |
Last Pairing Key Generated and Last VEN Paired
The following information appears on the pairing profile details page:
The last time a pairing key was generated using this pairing profile.
The last time a VEN was paired using this pairing profile.
Filter the Pairing Profiles List
You can filter the pairing profiles list using the properties filter at the top of the list. You can filter the list by entering a label type to show only those pairing profiles that use the selected labels. You can further filter the list by selecting specific properties of the pairing profiles. For example, you can filter the list by a pairing profile's name.
Click Export and select JSON or CSV format to generate the pairing profiles report. Once generated, you can either click the download icon next to Export to download the generated report or select Export > View All Exports to view the report details.
Configure a Pairing Profile
You can configure a pairing profile to set the initial workload policy state at the time of pairing. For example, you might want to pair workloads in the Visibility state so you can view network traffic to build policies before enforcing them.
On the other hand, if you are configuring an auto-scale policy and want to pair workloads automatically based on application demands, you can choose to have workloads paired in Full enforcement state.
Go to Servers & Endpoints > Pairing Profiles.
Click Add.
Enter a name and (optionally) a description for the pairing profile.
Configure the following options:
Enforcement Node Type
Each Pairing Profile includes information about the Enforcement Node. This section controls the type of device you can run the pairing script on, namely servers versus endpoints.
Or, you can choose not to set the type in the Pairing Profile. With this option, the VEN controls the Enforcement Node type used at activation. The node type value is found in the request from the VEN to the PCE. This node type is available as a legacy option for pairing VENs.
Label Assignment
You can specify in the pairing profile which labels you want to assign to workloads when they are paired. Labels group workloads into logical categories for use in rulesets.
The PCE provides four types of labels:
Role: The role or function of a workload. In a simple two-tier application consisting of a web server and a database server, there are two roles: Web and Database.
Application: The type of application the workload is supporting (for example, HRM, SAP, Finance, Storefront).
Environment: The stage in the development of the application (for example, production, QA, development, staging).
Location: The physical, geographic location of the workload (for example, Germany, US, Europe, Asia).
For information on creating labels, see Labels and Label Groups in the Security Policy Guide.
Configure Pairing Key Usage and Lifespan
You can control the usage and lifespan of the pairing key in the pairing profile.
Uses Per Key: Choose if you want the key generated from this pairing profile to be used an unlimited number of times or only once.
Key lifespan: Specify how long you want the pairing key to be valid, either unlimited (forever) or for a specified time frame.
You can choose from these options to define how you want the pairing profile to be used:
Unlimited: This option provides a pairing script that can be used to pair as many workloads in the organization as you want. Each user in an organization is given the pairing script from this profile regardless of the workload, the application the workload is a part of, the location of the workload (data center or country), or the environment (development, testing, QA, production). Unlimited use pairing profiles can present a security risk because they never change; however, if a pairing script is stolen, a workload could be paired into your environment by an untrusted user.
Important
Illumio recommends against configuring unlimited usage of pairing profiles from a security perspective. Instead, determine the appropriate lifespan for the pairing profile to minimize any security risk.
Custom Time Range: If you do not want an unlimited use pairing profile, you can specify that the pairing profile can only be used to pair a workload one time, after which the pairing key cannot be used to pair more workloads.
Key Usage & Lifespan Requirements
The certification Key Usage requirements have changed to
CERT_DIGITAL_SIGNATURE_KEY_USAGE,CERT_KEY_ENCIPHERMENT_KEY_USAGE, andCERT_DATA_ENCIPHERMENT_KEY_USAGE, so that the endpoint certificates can be set in the x.509 Windows environment.Choose Command Line Overrides
For each of these Workload states, you can choose to either allow or block modifications to these settings when the pairing script is executed from the command line:
Command Line Overrides
Locked: The policy state of the workloads being paired cannot be changed when the pairing script is run.
Unlocked: The policy state of the workloads being paired can be changed when the pairing script is run.
Label Assignment
Lock Label assigment: This option prevents a user running the pairing script from assigning labels to workloads during pairing except for what is configured with the pairing profile.
Allow custom Labels: This option permits the user running the pairing script to assign labels to the workloads during pairing using this pairing profile. Selecting this option selects all the Label checkboxes. You can deselect any before saving.
Click Save.
The PCE saves the pairing profile and the page refreshes with the values you specified.
Working with a Pairing Profile
Open a pairing profile to display options to perform the following tasks.
Start/Stop Pairing
To enable or disable the pairing profile, click the pairing profile. The pairing profile details page opens and you can click Stop Pairing or Start Pairing .
Generate Key
Click Generate Key at the top of the page to create a unique pairing key that can be used with the pairing script. The key will not be accessible once you close the Pairing Profile details panel.
Every key that is generated under a pairing profile inherits the properties set in the pairing profile. The script can be used to pair Workloads, according to the parameters and time limits set in the pairing profile.
Delete a Pairing Profile
If you want to completely disable the pairing keys generated with a pairing profile, delete the pairing profile.
From the PCE web console menu, choose Servers & Endpoints > Pairing Profiles.
Select the checkbox of the pairing profiles you want to delete.
Click Remove.
All pairing keys that were associated with this pairing profile are no longer valid for pairing workloads.
The same process applies if you are instantiating new VMs in vSphere or Microsoft Azure. You can use the modified Illumio PCE pairing script for preparing your new VMs for auto scaling.
Pairing Script
When you choose to install VENs on workloads by using the VEN Library, you create the pairing profile in the PCE web console and run the pairing script on workloads. (The CLI VEN installation method bypasses the pairing script altogether. In that method, you use the native tools of the operating system to install the package, followed by the VEN CLI to activate the VEN. See VEN Installation & Upgrade with VEN CTL.)
Add Options to the Pairing Script
You can add additional pairing options to the pairing profile, such as assign labels to the workload, set the workload policy state (Command Line Overrides), and set logging levels for VEN traffic.
For the complete list of options to use with the pairing script, see VEN Pairing and Activation Command Reference.
Example: Linux Pairing Script for VEN Library Installation
For example, if you want to add an Environment label to the workload, such as --env Production, include the option at the end of the pairing script as shown below.
rm -fr /opt/illumio_ven_data/tmp && umask 026 && mkdir - p /opt/illumio_ven_data/tmp && curl "https://example.com:8443/api/v18/software/ven/image?pair_script=pair.sh&profile_id=<pairing_profile_id>" - o /opt/illumio_ven_data/tmp/pair.sh && chmod +x /opt/illumio_ven_data/tmp/pair.sh && /opt/illumio_ven_data/tmp/pair.sh --management-server example.com:8443 --activation-code <code> --env Production
Example: Windows VEN Installation without the VEN Library
Set-ExecutionPolicy -Scope process remotesigned -Force; Start-Sleep -s 3;
(New-Object System.Net.WebClient).DownloadFile("https://repo.illum.io/Z3JldGVsbHVuZHl0aGF0Y2hlcjg1dGgK/pair.ps1",
"$pwd\Pair.ps1"); .\Pair.ps1 -repo-host repo.illum.io -repo-dir Z3JldGVsbHVuZHl0aGF0Y2hlcjg1dGgK/
-repo-https-port 443 ` -management-server pce.example.com:8443 -activation-code <code> –env Production;
Set-ExecutionPolicy -Scope process undefined -Force;Running RHEL 5 Pairing Script with cURL
When using a cURL command to run a pairing script for a RHEL 5 VEN, first perform the following additional configuration.
Downgrade the Transport Layer Security (TLS) version that the PCE uses for VEN-to-PCE communications. In RHEL 5, the normal default minimum version, TLS 1.2, can not be used. Set the default minimum version to TLS 1.0 by setting the parameter min_tls_version to tls1_0 in the PCE configuration file runtime_env.yml. For details, see TLS Versions for Communications.
Update the CA certificate file on the RHEL 5 machine. Download the latest cacert.pem and append it to the ca-bundle.crt file. Use the following steps:
Download the latest
cacert.pemto your RHEL 5 machine from https://curl.se/docs/caextract.html. If the download fails because the certificate is expired, perform the download again on a different machine with a valid certificate and then copy the certificate to the initial machine.Append the certificate using the following command:
sudo cat /tmp/cacert.pem >> /etc/pki/tls/certs/ca-bundle.cr
After changing the TLS version and the CA certificate, pair the VEN using a cURL command as described earlier in this section.