Illuminate Integration Gateway Automatic Installation Instructions

Modified on Thu, 18 Apr 2024 at 11:43 AM

TABLE OF CONTENTS

What is the Illuminate Integration Gateway?
General System Requirements
- Software
- Hardware (VM)
What is Docker and why does N2N use this?
Docker Installation Instructions
- Supported Platforms
Detailed instructions for installing Docker & Docker Compose (on CentOS)
Integration Gateway Installation
- Installing The Integration Gateway
- Adding Additional Database Providers
  - Default Script
  - Pre-Configured Script
Load Balancing the Integration Gateway
- Sample load balancing diagram leveraging Docker
Integration Gateway setup for PROD on the same QA host/server
Optional step to autostart the containers after a server reboot
SSL Certs In Dataport/IIG
What is an SSL certificate?
What are Certificate Chains?
What is SSL Certificate Chain Order?
There are three parts to the chain certificates
How To Update SSL Certs In Dataport

What is the Illuminate Integration Gateway?

The Illuminate Integration Gateway, also called the Dataport, is a tool used to provide the Illuminate platform with access to data that is located in physically and logically secure configurations, such as behind a firewall in the organization’s data center. The Integration Gateway provides a secure, encrypted channel to transport this data to the Illuminate cloud environment, where Illuminate creates a secure Application Program Interface (API) access platform.

How it works

N2N provides a Docker container that runs Illuminate's Integration Gateway (IIG). This is installed on a Virtual Machine (VM) that is provided by the University and typically hosted on the University's network. The IIG is used to facilitate secure communication between the University database and the Illuminate Platform without having to allow direct external communication to the actual database. VM setup is operating system specific, please refer to your onsite System Administrator for VM setup.

What is the current version of the Integration Gateway?

Illuminate Integration Gateway is at Version 4.12

*Note: Prior versions of the Illuminate Integration Gateway were branded "Illuminate Dataport"

What do we provide?

N2N provides a Docker image with the following software packages included:

Tomcat 9.0.20
JVM 11.0
Illuminate Integration Gateway Project 4.12 (the N2N application code)

General System Requirements

General system requirements for installing the Integration Gateway:

Software

Docker 17.x version or higher

Hardware (VM)

4 to 8 CPU Cores (processors)
8GB to 16GB RAM
Enough disk space to run the OS and other supporting software (recommended disk space 40+ GB)

Typically an 8 GB Ram server with 4 Core Processor can serve about 700-800 transactions per second.
For more information about Docker, prerequisites visit this Docker page

What is Docker and why does N2N use this?

What is Docker?

Docker is the world's leading software containerization platform. Docker containers wrap a piece of software in a complete file system that contains everything needed to run: code, run time, system tools, system libraries – anything that can be installed on a server. This guarantees that the software will always run the same, regardless of its environment. Containers isolate applications from one another and the underlying infrastructure while providing an added layer of protection for the application.

For more details about Docker please visit this Docker page

What is Docker Compose?

Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application’s services. Then, with a single command, you create and start all the services from your configuration.

For more details about docker-compose please visit the Docker Compose page

Why does N2N use Docker for the Illuminate Integration Gateway?

The Docker platform provides N2N with a simple, effective way to deliver the right package of software to the Illuminate Integration Gateway. Docker allows N2N to combine tested versions of software with validated configuration files into one deployment package. This process greatly reduces the number of manual steps, which improves reliability and robustness, as well as making deployment faster!

Docker Installation Instructions

Docker CE (Community Edition) is available on multiple platforms. Use the following matrix to choose a supported operating system that provides the best installation path for you. Click on the platform to navigate for detailed documentation on the docker site. We provide detailed instructions for installing Docker and the Integration Gateway on CentOS along with other required configurations. Other Linux implementations will be similar.

Supported Platforms

Platform	Docker CE x86_64
CentOS	Yes (Recommended)
Ubuntu	Yes
Debian	Yes
Red Hat Enterprise Linux Version 7 or Below	Yes
Red Hat Enterprise Linux Version 8 or Above	No (Supported by Podman)
Fedora	Yes
Microsoft Windows 10	Yes
macOS	Yes
Microsoft Azure	Yes
Amazon Web Services	Yes
Oracle Linux	Yes
SUSE Linux Enterprise Server	No
Microsoft Windows Server 2016	No

For more details please visit docker supported-platform documentation

Detailed instructions for installing Docker & Docker Compose (on CentOS)

Prerequisites

An SSL certificate ready (self-signed is not supported) which includes .crt file (the .crt file must have the public, root, and intermediate certs, with public cert on top of the file) and a private key. (See SSL Certs FAQs at the end of this document)
Ports 443, 80, 2376 (2376 port is optional) need to be open on the VM instance where Docker and Integration Gateway are installed
Get the authorization credentials from N2N to pull the Docker image

Docker Installation

There are two ways to install Docker Engine

Install using the yum package manager (Recommended)
Install using the instruction from https://docs.docker.com/install/linux/docker-ce/centos/

Install with yum

Log into your VM as a user with sudo rights to install and manage services or root user. If you are logged in as root you do not need to add the "sudo" at the beginning of each command.
Make sure your existing packages are up-to-date using yum

Add the yum repository if it doesn’t exist on your server where you are installing Docker.
We will also need to enable the Redhat "extras" repository for RHEL 7 (The third command to enable the Redhat extras repository will only need to be run if you are running RHEL 7).

sudo yum install -y yum-utils 
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo 
sudo yum-config-manager --enable rhel-7-server-rhui-extras-rpms

Install the Docker package for RHEL 7.

sudo yum install -y docker-ce docker-ce-cli containerd.io

Enable the Docker service. This is needed so docker will start whenever the system is restarted

sudo systemctl enable docker.service

Start the Docker daemon

sudo systemctl start docker

Verify Docker has been installed correctly by running a test image in a container

sudo docker ps

The screenshot below will show the installation is done properly.

Now that Docker installation is complete, the next step is to install Docker compose.

Docker Compose Installation

Run this command to download the current stable release of Docker Compose

sudo curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

If you have problems installing with curl, see Alternate Installation Options

Apply executable permissions to the binary.

sudo chmod +x /usr/local/bin/docker-compose

If the command docker-compose fails after installation, check your path. You can also create a symbolic link to /usr/bin or any other directory in your path

For Example:

sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

For more details about Docker Compose, please visit here

Test the docker-compose Installation

docker-compose --version 
O/P: docker-compose version 1.24.0, build 1110ad01 it will show docker-compose version

Integration Gateway Installation

Note: Firewall rules need to set up by this time. Whitelist N2N NAT IPs below

QA: 23.20.165.255

PROD: 54.204.165.208

Installing The Integration Gateway

Logging into the Illuminate app
- Login into QA Illuminate app: https://qa.illuminateapp.com/api-universe/login
- Login into PROD Illuminate app: https://illuminateapp.com/api-universe/login

Note: If you do not have an Illuminate account please contact appsupport@n2nservices.com

Configure the Integration Gateway details within the Illuminate App's Connection Module by following the below steps
- From the left-side menu, select the connection button.
- Next select New/Upgrade Installation from the list of options
- Click on either Default Script or Pre-Configured Script
  - Opting for the default script results in the availability of a basic tar file
  - Selecting the pre-configured script provides a downloadable custom tar file containing the database details you entered into Illuminate
- Enter the details as prompted in the resulting window

Note: This is an example of the menu provided by selecting Pre-Configured Script
- At this point, you can download the installation tar file from the download button in the upper right

Note: Directions can also be referenced from the Installation Instructions button to the left of the download button
- Untar the copied file on the server with the below command

tar -xvf iig-clienthosted.tar

Run the prerequisites script to install the necessary packages to run the automated scripts, this will ask for the

linux flavor, and enter the flavor ( redhat or ubuntu, etc)

cd iig-automation-clienthosted 

bash install-prereqs.sh

A directory named "iig" will be created in the /opt directory, and it will contain all the scripts
Navigate to the "iig" directory and execute the configure.py script
The configure.py script will ask for account information, system configuration, and database details if the chosen

option in the UI is the default script

cd /opt/iig 

/opt/iig/install/configure.py

Note: If scripts are not able to run due to the insufficient permissions, give the execute permissions to the scripts
Command: chmod +x <script_name>
Example: chmod +x configure.py

Once all the information has been entered, run the following command to install and connect the IIG to the

database

/opt/iig/install.sh

Check whether the installation has been completed successfully or not with the DNS status and in the

Illuminate App

curl -X GET https://{your dns}/idp/status

Adding Additional Database Providers

Default Script

To add one more database provider for the existing setup, run configure-db.py to enter the database details then run the save-multiple-database-connections.yaml script with chosen environment

/opt/iig/install/configure-db.py

cd /opt/iig/install

ansible-playbook save-multiple-database-connections.yaml -e stage_env=qa or prod

Pre-Configured Script

The Illuminate App UI allows for the input of multiple database details by selecting the Confirm & Add More button when

creating or editting the dataport details.

Load Balancing the Integration Gateway

Note: Recommended but optional

Load balancing refers to efficiently distributing incoming network traffic across a group of servers. A Load Balancer acts as the "traffic cop" sitting in front of your servers and routing requests across all servers capable of fulfilling those requests in a manner that maximizes speed and capacity utilization and ensures that no one server is overworked, which could degrade performance.If a single server goes down, the load balancer redirects traffic to the remaining online servers. When a new server is added to the server group, the load balancer automatically starts to send requests to it.

If the Integration Gateway is on a load-balanced network, please ensure appropriate steps are followed to update the database properties in all relevant servers/containers.

For general background information, see this article about Load Balancing

Sample load balancing diagram leveraging Docker

Integration Gateway setup for PROD on the same QA host/server

If the client wants to set up a PROD integration gateway on the QA host, they need to follow these steps

Create a new docker network

docker network create n2ndataport_prod_default

Connect Nginx container to newly created dataport network

docker network connect n2ndataport_prod_default nginx

Create prod integration Gateway Docker container

docker run --network=n2ndataport_prod_default --net-alias dataportProd --name dataportProd -it -d quay.io/n2ndevops/illuminatedataport:4.12

Uncomment lines from 16-23 in default.conf file

Test Nginx configurations

nginx -t

Reload Nginx configurations

service nginx reload

Test the connection using curl. It should “return a response status as not a valid request”. Note that you need to configure the command below to match organizational nomenclature

curl -X GET https://{server_name(or)host_name}/idp2

Now jump to "Establishing a connection between Illuminate, Integration Gateway, and the SIS Database"

Optional step to autostart the containers after a server reboot

If a server is rebooted, restarted, or start/restart, the docker engine must be restarted. To accomplish that automatically follow the steps below

1. chkconfig docker on 
2(i). docker update --restart=unless-stopped $(docker ps -q) Note: This command starts all the containers within the docker engine of the server (OR) (ii) docker update --restart=unless-stopped containerID/ContainerName Note: This command will start only the specified container

SSL Certs In Dataport/IIG

If a client wants to update SSL certs in Nginx, they can go through these instructions for more details

What is an SSL certificate?

An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates the identity of a website and encrypts information sent to the server using SSL technology. Encryption is the process of scrambling data into an undecipherable format that can only be returned to a readable format with the proper decryption key.

What are Certificate Chains?

A certificate chain (or Chain of Trust) is made up of a list of certificates that start from a server’s certificate and terminate with the root certificate.

What is SSL Certificate Chain Order?

The SSL certificate chain order consists of root certificates, intermediate certificates, and a server’s certificate. Root CAs are a trusted source of certificates. Intermediate CAs are bridges that link the server’s certificate to the root CA.

There are three parts to the chain certificates

Server Certificate: The server certificate is issued to the specific domain the user needs coverage for.
Intermediate Certificate: Intermediate certificates act as middle-men between the protected root certificates and the server certificates issued out to the public. There will always be at least one intermediate certificate in a chain, but there can be more than one.
Root Certificate: A root certificate is a digital certificate that belongs to the issuing Certificate Authority. It comes pre-downloaded in most browsers and is stored in what is called a “trust store.” The root certificates are closely guarded by CAs.

For an SSL certificate to be authenticated by the web browsers, it must be authentic and issued by a trusted certificate authority embedded in the browser’s trusted store. If your SSL certificate isn’t issued by a trusted certificate authority, i.e., if it isn’t issued by a Root CA, then the connecting device or web browser will continue to check if the issuing CA was issued by a root CA. It will keep going back down the SSL certificate chain order to find the root CA. If it finds a root CA, a secure connection will be established. If it doesn’t find a root CA, then the connection will be dropped, and your web browser will display an error message that reads “invalid certificate” or “certificate not trusted.”

How To Update SSL Certs In Dataport

Ensure you have a private key
Create a full certificate bundle for NGINX using one of the methods below, depending on how your SSL provider delivered the certificates to you.

How To form a bundle .crt file

Open up a notepad or any text editor.
Copy-paste the Public cert (public should always be on the top of the file)
Copy-paste the Intermediate cert
Copy-paste the Root cert
Now save the file with the desired name(dataport-test-school-edu.crt) within an extension of the .crt
You will have to create a .crt(self-signed is not accepted) file and a private key.

(OR)

Example GoDaddy:

cat signed_ssl.crt gd_bundle.crt > dataport-test-school-edu.crt Note: Above gd_bundle assumes both intermediate and root

Other SSL providers with a single intermediate certificate:

cat signed_ssl.crt intermediate1.crt root.crt > dataport-test-school-edu.crt

Other SSL providers with multiple intermediate certificates:

cat signed_ssl.crt intermediate1.crt intermediate2.crt root.crt > dataport-test-school-edu.crt

Additional step if the private key is password protected:

If your private key is password-protected, we will need to make a copy without that password to use on the NGINX instance. If you run these commands and are not prompted for a passphrase, your SSL key did not have a passphrase. If you are prompted for a passphrase, enter it when prompted.

NGINX will not properly restart if the private key is password protected.

Hence, run the below command to turn the password-protected to a file.

openssl rsa -in private.key -out dataport-test-school-edu.key

Now you have the bundled cert and private key ready, do the below steps to update these files in the Nginx container:

Step 1:

Upload the new cert and the key files to the server

Copy the new files to the NGINX Docker container to the certs folder.

sudo docker cp dataport-test.school.edu.key nginx:/certs/dataport-test-school-edu.key 
sudo docker cp dataport-test.school.edu.crt nginx:/certs/dataport-test-school-edu.crt

Step 2:

Navigate to the below location

docker exec -it nginx bash vi etc/nginx/conf.d/default.conf

You will need to update the following items in the file and save them.
- Modify the ssl_certificate on line 4 (if you are changing the name of the cert than previous)
- Modify the ssl_certificate_key on line 5 (if you are changing the name of the cert than previous)

.

server {

  listen 443 ssl;

  server_name dataport-test.school.edu;

  ssl_certificate /certs/dataport-test-school-edu.crt;

  ssl_certificate_key /certs/dataport-test-school-edu.key;

  underscores_in_headers on;

  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  add_header X-Frame-Options DENY;

  location /idp {

    proxy_redirect off;

    proxy_set_header Host $host;

    proxy_set_header X-Real-IP $remote_addr;

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_set_header X-Forwarded-Host $server_name;

    proxy_pass http://dataport:8080/idp;

}

  # if you want to use same host for two environments(TEST. QA and PROD) uncomment this location block and give appropriate container name

  #location /idp2{

  #    proxy_redirect off;

  #    proxy_set_header Host $host;

  #    proxy_set_header X-Real-IP $remote_addr;

  #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  #    proxy_set_header X-Forwarded-Host $server_name;

  #    proxy_pass http://dataport:8080/idp;

#}

}

server {

  listen 80 default_server;

  listen [::]:80 default_server;

  server_name dataport-test.school.edu;

  return 301 https://$host$request_uri;

}

Save the changes in the default.conf file

wq! (ESC)

Step 3:

Test NGINX

nginx -t

If NGINX does not come back as successful, then do not proceed to the restart of NGINX. A successful output looks like this.

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Step 4:

Restart NGINX

service nginx reload

A successful restart of NGINX looks like this

[user@dataport-test ~]$ sudo docker exec -it nginx service nginx reload

[ ok ] Reloading nginx: nginx.

[user@dataport-test ~]$

Exit from the container

exit

Step 5: Verify that the NGINX container is running

sudo docker ps

The output should show two containers

[user@dataport-test ~]$ sudo docker ps CONTAINER ID        IMAGE                                     COMMAND                  CREATED             STATUS              PORTS               NAMES 907b970bfd51        quay.io/nginx                             "/docker-entrypoint.â€¦"   2 months ago        Up 6 days                               nginx a4adc7911498        quay.io/n2ndevops/illuminatedataport:4.4  "catalina.sh run"        4 weeks ago         Up 3 weeks (healthy)    0.0.0.0:8081->8080/tcp   dataport [user@dataport-test ~]$

Dataport Upgrade - Appendix - 5

Integration Gateway upgrade using manual steps

Login to the VM instance as root
To pull N2N’s Integration Gateway image from the N2N private repository (quay.io), please enter Docker login credentials that are obtained from Illuminate.

1) Authorization to Access Integration Gateway Docker Images

Getting the quay credentials through the Illuminate app
- Login into the QA Illuminate app: https://qa.illuminateapp.com/api-universe/login
- Login into the PROD Illuminate app: https://illuminateapp.com/api-universe/login
Note: If you do not have an Illuminate account please contact appsupport@n2nservices.com
Get the credentials by following the below steps
- From the left-side menu, select the connection button.
- Next, click the button IIG CONTAINER KEY to the right top corner.
- Copy the username and password within the popup box.

Run the below command on the dataport server using the credentials above
docker login quay.io
enter the username (grab the username from Illuminate as in the screenshot)
enter the password (grab the password from Illuminate as in the screenshot)

2) Find and stop the dataport container

Use the following command to show the containers running on the docker

docker ps

The container name can be seen by typing in `docker ps` as below. The column name NAMES will let you know the container name.

3) Save the previous version of dataport

This command should be used to take the backup. If your dataport container has an alternate name, put that in place of ‘dataport’.

docker rename dataport dataport.bk

Do this step to validate/compare any custom changes that might have been done to applicationResources.properties, once the new dataport is installed.

>docker exec -it dataport.bk bash

>vi webapps/idp/WEB-INF/classes/applicationResources.properties

>exit

4) Pull and Run N2N's Integration Gateway image.

Your network name in the below command could be different.

You can get your network name by inspect command as below (the entry will be in the 'Networks' array - see the image below)
- `docker inspect nginx` ( nginx is the container name)

Example: Image

docker pull quay.io/n2ndevops/illuminatedataport:4.12 
/* To Run this dataport image */
 /*Note: The network name n2ndataport_default should be grabbed some the above note */ 
docker run --network=n2ndataport_default --net-alias dataport --name dataport -it -d quay.io/n2ndevops/illuminatedataport:4.9.1

Auto Restart the containers

This command helps to auto-restart upon server reboot unless manually stopped.

docker update --restart=unless-stopped dataport

This command then stops the running dataport container. If your dataport container has an alternate name, put that in place of ‘dataport’.

docker stop dataport.bk (dataport is the container name)

When you inspect the docker network the new dataport image and nginx should be in the same “Containers” array as shown below image. If you don’t see them in the same network. Check the note above the run command

docker inspect n2ndataport_default

Test the connection using curl. It should “return a response status as not a valid request.” Note that you need to configure the command below to match organizational nomenclature

curl -X GET https://{server_name(or)host_name}/idp

OptionalStep: Remove the renamed running container. Dataport is the container name

docker rm dataport.bk

5) Add Database Credentials.

Now jump to "Establishing a connection between Illuminate, Integration Gateway, and the SIS Database."

.Appendix 6

***This installation applies only to RHEL 7. x + versions only***

Podman Installation:

Update the default packages on the server

sudo yum update -y

Install Podman on the server

sudo yum install podman  

/* then verify the displayed output and enter "yes"

Verify the Podman installation

podman version

IIG setup process:

Get the access to the IIG setup images(dataport and nginx) using provided quay.io credentials.

podman login -u='n2n_iig' -p='xxxxxxxxxxxxxxxxxxxxxxxxxx' quay.io

Once you get the success note then lets pull the required images from quay.io

podman pull quay.io/n2ndevops/illuminatedataport:4.11 

podman pull quay.io/n2ndevops/illuminatedataportnginx:1.24.0

Consider above mentioned image versions are an example for this document

Next, create Podman network in order to establish the communication between Nginx and dataport(IIG) containers

podman network create n2n_iig

Run Podman containers

podman run -it --name dataport -d --network n2n_iig quay.io/n2ndevops/illuminatedataport:4.11

podman run -it --name nginx -d --network n2n_iig -p 80:80 -p 443:443 quay.io/n2ndevops/illuminatedataportnginx:1.24.0

Update the default.conf with appropriate details

podman exec -it nginx bash

vim /etc/nginx/conf.d/default.conf

Add SSL keyword in line 2
Update the server_name and ssl_certificate (.crt and .key) with valid details.

Test nginx config

nginx -t

Restart nginx

Run the status API

Attachments (1)

yml

docker-compose.yml
373 Bytes