Skip to main content

Illumio Core 25.1 Install, Configure, Upgrade

Pairing Script and Package Installation (Linux & Windows)

The following information is provided for your reference so that you understand the process and events that occur when you install a VEN by using a pairing script in the PCE or by installing a package with the CLI.

Linux Pairing Script for VEN Library

The following example shows a typical Linux pairing script. The pairing script works with the VEN Library in the PCE web console:

rm -fr /opt/illumio_ven_data/tmp && \
umask 026 && mkdir -p /opt/illumio_ven_data/tmp && \
curl --tlsv1 "https://example.com:8443/api/v18/software/ven/image?pair_script=pair.sh&profile_id=2" -o /opt/illumio_ven_data/tmp/pair.sh && \
chmod +x /opt/illumio_ven_data/tmp/pair.sh && \
/opt/illumio_ven_data/tmp/pair.sh \
--management-server example.com:8443 \
--activation-code <code>

This pairing script performs the following actions on the workload:

  1. Deletes the /opt/illumio_ven_data/tmp directory, if it already exists.

  2. Changes umask to 026 to prevent the group-write and others-read,write permissions as it creates the /opt/illumio_ven_data/tmp directory.

  3. Uses curl to download the pairing script from the VEN repository and store it in the /opt/illumio_ven_data/tmp directory.

  4. Changes the script permissions to allow execution.

  5. Runs the opt/illumio_ven_data/tmp script with the following command line options:

    6. --management-server to communicate with the PCE

    7. --activation-code to authenticate the VEN to the PCE and authorize the VEN to pair with the PCE

The pair script installs the VEN packages on the workload and pairs the VEN with the PCE. The output of pair is captured in /var/log/illumio_install.log.

Next, the script performs the following operations:

  1. Detects OS release and CPU architecture. Ensure the combination is supported.

  2. Downloads the package to /opt/illumio_ven_data/tmp.

  3. Uses native OS package manager (detected by line 1) to install the package.

    Using native package managers is simpler for newer operating systems. For example, Illumio can use yum to manage package dependencies for the VEN and workloads. For older operating systems, customers have to manage dependencies by manually installing packages.

  4. Verifies installation by invoking installed scripts.

  5. Invokes /opt/illumio_ven/bin/init_Platform start.

  6. Generates the activation file /opt/illumio_ven_data/etc/agent_activation.cfg.

  7. Invokes /opt/illumio_ven/bin/agent_status.sh to activate the VEN.

RPM Installation

RPM installation performs the following operations:

  1. Creates the ilo-ven user and group, unless a custom username is specified at installation.

  2. Prepares and then starts the Illumio Core to perform the following actions:

    1. Loads the necessary kernel modules: ip_tables, iptable_filter, nf_conntrack, nf_conntrack_ipv4, nf_conntrack_ftp, ipt_LOG, ip_set, ip6_tables, ip6table_filter, nf_conntrack_ipv6, ip6t_LOG

    2. Sets net.netfilter.nf_conntrack_tcp_timeout_established to 8 hours (28,800 seconds).

    3. Takes control of the system firewall.

    4. Disables and stops the system firewall service iptables.

      This action is acceptable because the Illumio services act in place of the iptables service.

    5. Saves existing iptables rules if any.

    6. Loads iptables rules computed from PCE firewall policy.

    7. Starts the VEN components described in "Description of VEN Components" in the VEN Administration Guide .

      This step includes monitoring system iptables configuration (similar to the service iptables performed).

Windows Pairing Script

The following example shows a typical Windows pairing script. The pairing script works with the VEN Library in the PCE web console. (Line breaks have been added for readability only.)

PowerShell -Command "& {Set-ExecutionPolicy -Scope process remotesigned -Force; 
Start-Sleep -s 3; 
Set-Variable -Name ErrorActionPreference -Value SilentlyContinue; 
[System.Net.ServicePointManager]::SecurityProtocol=[Enum]::ToObject([System.Net.SecurityProtocolType], 3072); 
Set-Variable -Name ErrorActionPreference -Value Continue; 
(New-Object System.Net.WebClient).DownloadFile('https://example.com:8443/api/v18/software/ven/image?pair_script=pair.ps1&profile_id=1', (echo $env:windir\temp\pair.ps1)); & $env:windir\temp\pair.ps1 
		-management-server example.com:8443 -activation-code <code> }"

This pairing script performs the following actions on the workload:

  1. Changes execution policy of the host PowerShell process to RemoteSigned.

  2. Configures the .NET framework System.Net class to negotiate TLS 1.2.

    The Windows VEN uses “3072” instead of “Tls12” because the enum value is not defined in older Windows operating systems. When system.net does not support TLS 1.2, the script fallbacks to using the system default.

  3. Using the .NET framework WebClient class, downloads pair.ps1 from the VEN repository and stores it in the $env:windir\temp directory.

  4. Runs the pair.ps1 script with the following command line options:

    • -management-server: Used by the VEN to communicate with the PCE

    • -activation-code: Used by the PCE to authenticate and authorize the VEN during the pairing process

  5. The pairing script installs the VEN packages on the workload and pairs the VEN with the PCE. The output of pair.ps1 is captured in $env:windir\temp\illumio.log or $env:tmp\illumio.log.

    The script performs the following actions:

    1. Downloads the VEN installer from the VEN repository and installs it.

    2. Generates agent_activation.cfg file with PCE information

    3. Retrieves agent activation status and displays it.