Illuminate Integration Gateway Installation Using Podman

Modified on Mon, 2 Sep at 9:50 AM


TABLE OF CONTENTS

What is the Illuminate Integration Gateway?

The Illuminate Integration Gateway, also called the Dataport, is a tool used to provide the Illuminate platform with access to data that is located in physically and logically secure configurations, such as behind a firewall in the organization’s data center. The Integration Gateway provides a secure, encrypted channel to transport this data to the Illuminate cloud environment, where Illuminate creates a secure Application Program Interface (API) access platform. 

How it works

N2N provides a Docker container that runs Illuminate's Integration Gateway (IIG). This is installed on a Virtual Machine (VM) that is provided by the University and typically hosted on the University's network. The IIG is used to facilitate secure communication between the University database and the Illuminate Platform without having to allow direct external communication to the actual database. VM setup is operating system specific, please refer to your onsite System Administrator for VM setup. 

What is the current version of the Integration Gateway?

Illuminate Integration Gateway is at Version 4.13

*Note: Prior versions of the Illuminate Integration Gateway were branded "Illuminate Dataport"

What do we provide?

N2N provides a Podman image with the following software packages included:

  • Tomcat 9.0.20
  • JVM 11.0
  • Illuminate Integration Gateway Project 4.13 (the N2N application code)

General System Requirements

General system requirements for installing the Integration Gateway:

Software

  • Podman

Hardware (VM)

  • 4 to 8 CPU Cores (processors)

  • 8GB to 16GB RAM

  • Enough disk space to run the OS and other supporting software (recommended disk space 40+ GB)



  • Typically an 8 GB Ram server with 4 Core Processor can serve about 700-800 transactions per second.

  • For more information about Docker, prerequisites visit this Docker page


Prerequisites

  • An SSL certificate ready (self-signed is not supported) which includes .crt file (the .crt file must have the public, root, and

           intermediate certs, with public cert on top of the file) and a private key.

  • Ports 443, 80, need to be open on the VM instance where Docker and Integration Gateway are installed

  • Firewall rules need to set up by this time. Whitelist N2N NAT IPs below


.

QA: 23.20.165.255

PROD54.204.165.208



What is Podman?

  • Podman is an open source Open Container Initiative-compliant container management tool from Red Hat used for handling containers, images, volumes, and pods on the Linux operating system, with support for Mac OS and Microsoft Windows via a virtual machine

Installation


Note:  This installation applies only to RHEL 7. x + versions only


  • Login to the VM instance as root

  • Update the default packages on the server
sudo yum update -y
  • Install Podman on the server
sudo yum install podman  /* then verify the displayed output and enter "yes" */


  • Verify the Podman installation
podman version



Integration Gateway Installation using podman


Installing The Integration Gateway

Note: If you do not have an Illuminate account please contact appsupport@n2nservices.com 


  • Goto “Connections” tab and Add integration Gateway



  • Click on the IIG Container Key(on Top right corner) tab and use those credentials to download IIG Podman images



podman login -u='n2n_iig' -p='xxxxxxxxxxxxxxxxxxxxxxxxxx' quay.io
  • Once you get the success note then lets pull the required images from quay.io

podman pull quay.io/n2ndevops/illuminatedataport:4.13
podman pull quay.io/n2ndevops/illuminatedataportnginx:1.24.0
  • Next, create Podman network in order to establish the communication between Nginx and dataport(IIG) containers

podman network create n2n_iig

  • Run Podman containers

podman run -it --name dataport -d --network n2n_iig quay.io/n2ndevops/illuminatedataport:4.13

podman run -it --name nginx -d --network n2n_iig -p 80:80 -p 443:443 quay.io/n2ndevops/illuminatedataportnginx:1.24.0

  • Now copy all your SSL certificate files (such as the .crt and .key files*) to the “certs” folder inside the Nginx container

podman cp <your file name>.crt nginx:/certs/<your file name>.crt 
podman cp <your file name>.key nginx:/certs/<your file name>.key
  • Update the default.conf with appropriate details

podman exec -it nginx bash


  • vim /etc/nginx/conf.d/default.conf



Note:
  • Add SSL keyword in line 3

  • Update the server_name at line 4 and 46 and 

  • Add ssl_certificate (.crt and .key) with valid name details at line 5 and 6.


  • Test nginx configuration

nginx -t


  • Restart nginx



  • Run the status API



  • Login to Illuminate account again and then go to Connections > Add integration Gateway>Establish Connection tab to continue with this process



  • Provide the URL/DNS where the Integration Gateway is connected/installed. After providing the URL, the user will then click on the Validate button, which will verify the host connection and installation of IIG via Illuminate application



  • Upon successful validation of the URL, confirming both the host and Integration Gateway installation, the subsequent screen will be displayed



  • Once you click on 'SUBMIT' the url will be saved. scroll down and click on 'ADD DATABASE PROVIDER' to access a list of database providers. Here, you can the add, edit, or delete providers.



  • Once all the information entered in the Provider section above, click on 'SAVE' a popup will appear with the authorization token and copy this token, use it in the below curl format command
Note: This token is valid for five minutes
  • Form the curl command using the below format along with the authorization token from illuminate which is copied and run this formed curl on the server to establish connection between dataport and database
curl -X POST 'http://yourdns/idp/addDBproperties' -H 'Authorization:Token from Illuminate connections page in Step 2' -H 'Content-Type: application/json' -d '{"DBHost": "0.0.0.0","port": "1234","SID": "","ServiceName": "servicename","DBUsername": "username","DBPassword": "***********"}'

APPENDIX-1: Integration Gateway setup for PROD on the same QA host/server


If the client wants to set up a PROD integration gateway on the QA host, they need to follow these steps

Generic
Generic
  • Create prod integration Gateway Podman container

podman run --network=n2n_iig --name dataportProd -it -d quay.io/n2ndevops/illuminatedataport:4.12
Generic
  • Uncomment lines from 16-23 in default.conf file of the Nginx Podman container



  • Test Nginx configurations

nginx -t
Generic
  • Reload Nginx configurations
service nginx reload
Generic
  • Test the connection using curl. It should “return a response status as not a valid request”. Note that you need to configure the command below to match organizational nomenclature

curl -X GET https://{server_name(or)host_name}/idp2
Generic
  • Now jump to "Establishing a connection between Illuminate, Integration Gateway, and the SIS Database"
Note: use the below container-dataport.service format to create an service to auto start the dataportProd container, replace the 'dataport' container name with name of the prod container name 'dataportProd' in the service and run the below commands
systemctl daemon-reload

systemctl enable container-dataportProd.service

systemctl start container-dataportProd.service

systemctl status container-dataportProd.service



APPENDIX-2: Optional step to autostart the containers after a server reboot


If a server is rebooted, restarted, or start/restart, the Podman must be restarted. To accomplish that automatically follow the steps below

  • Create an Systemd service for both dataport and nginx
cd /etc/systemd/system
vi container-dataport.service
vi container-nginx.service


  • The systemd service of dataport(container-dataport.service)
[Unit]
Description=Podman Container dataport
Wants=network-online.target
After=network-online.target

[Service]
#dataport
ExecStart=/usr/bin/podman start -a dataport
ExecStop=/usr/bin/podman stop -t 10 dataport
ExecReload=/usr/bin/podman restart dataport

Restart=on-failure
RestartSec=60s
KillMode=none
Type=simple


[Install]
WantedBy=multi-user.target
  • The systemd service of nginx(container-nginx.service)
[Unit]
Description=Podman Container nginx
Wants=network-online.target
After=network-online.target

[Service]
#nginx
ExecStart=/usr/bin/podman start -a nginx
ExecStop=/usr/bin/podman stop -t 10 nginx
ExecReload=/usr/bin/podman restart nginx

Restart=on-failure
RestartSec=60s
KillMode=none
Type=simple


[Install]
WantedBy=multi-user.target
  • Reload the systemd daemon
systemctl daemon-reload
  • Enable the Services, this will create an symbolic link to auto start the Podman container on server boot
systemctl enable container-dataport.service

systemctl enable container-nginx.service
  • Start both the services(dataport and Nginx)
systemctl start container-dataport.service

systemctl start container-nginx.service
  • Check the status of the services
systemctl status container-dataport.service

systemctl status container-nginx.service

Generic
Gen

APPENDIX-3: SSL Certs In Dataport/IIG


If a client wants to update SSL certs in Nginx, they can go through these instructions for more details

What is an SSL certificate?


An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates the identity of a website and encrypts information sent to the server using SSL technology. Encryption is the process of scrambling data into an undecipherable format that can only be returned to a readable format with the proper decryption key.

What are Certificate Chains?


A certificate chain (or Chain of Trust) is made up of a list of certificates that start from a server’s certificate and terminate with the root certificate.

What is SSL Certificate Chain Order?


The SSL certificate chain order consists of root certificates, intermediate certificates, and a server’s certificate. Root CAs are a trusted source of certificates. Intermediate CAs are bridges that link the server’s certificate to the root CA.

There are three parts to the chain certificates

  • Server Certificate: The server certificate is issued to the specific domain the user needs coverage for.

  • Intermediate Certificate: Intermediate certificates act as middle-men between the protected root certificates and the server certificates issued out to the public. There will always be at least one intermediate certificate in a chain, but there can be more than one.

  • Root Certificate: A root certificate is a digital certificate that belongs to the issuing Certificate Authority. It comes pre-downloaded in most browsers and is stored in what is called a “trust store.” The root certificates are closely guarded by CAs.

For an SSL certificate to be authenticated by the web browsers, it must be authentic and issued by a trusted certificate authority embedded in the browser’s trusted store. If your SSL certificate isn’t issued by a trusted certificate authority, i.e., if it isn’t issued by a Root CA, then the connecting device or web browser will continue to check if the issuing CA was issued by a root CA. It will keep going back down the SSL certificate chain order to find the root CA. If it finds a root CA, a secure connection will be established. If it doesn’t find a root CA, then the connection will be dropped, and your web browser will display an error message that reads “invalid certificate” or “certificate not trusted.”

How To Update SSL Certs In Dataport

  • Ensure you have a private key

  • Create a full certificate bundle for NGINX using one of the methods below, depending on how your SSL provider delivered the certificates to you.

How To form a bundle .crt file


# Open up a notepad or any text editor.
# Copy-paste the Public cert (public should always be on the top of the file)
# Copy-paste the Intermediate cert
# Copy-paste the Root cert
# Now save the file with the desired name(dataport-test-school-edu.crt) within an extension of the .crt
# You will have to create a .crt(self-signed is not accepted) file and a private key.


(OR)

Example GoDaddy:

cat signed_ssl.crt gd_bundle.crt > dataport-test-school-edu.crt 
Generic
Above gd_bundle assumes both intermediate and root

Other SSL providers with a single intermediate certificate:

cat signed_ssl.crt intermediate1.crt root.crt > dataport-test-school-edu.crt
Generic

Other SSL providers with multiple intermediate certificates:

cat signed_ssl.crt intermediate1.crt intermediate2.crt root.crt > dataport-test-school-edu.crt
Generic

Additional step if the private key is password protected:

If your private key is password-protected, we will need to make a copy without that password to use on the NGINX instance. If you run these commands and are not prompted for a passphrase, your SSL key did not have a passphrase. If you are prompted for a passphrase, enter it when prompted.
  • NGINX will not properly restart if the private key is password protected.
  • Hence, run the below command to turn the password-protected to a file.

openssl rsa -in private.key -out dataport-test-school-edu.key
Generic

Now you have the bundled cert and private key ready, do the below steps to update these files in the Nginx container:

Step 1:

  • Upload the new cert and the key files to the server
  • Copy the new files to the NGINX Docker container to the certs folder.
sudo podman cp dataport-test.school.edu.key nginx:/certs/dataport-test-school-edu.key
Generic

sudo podman cp dataport-test.school.edu.crt nginx:/certs/dataport-test-school-edu.crt
Generic
Step 2:

  • Navigate to the below location
podman exec -it nginx bash
Generic
vi etc/nginx/conf.d/default.conf
Generic
  • You will need to update the following items in the file and save them.
    • Modify the ssl_certificate on line 5 (if you are changing the name of the cert than previous)
    • Modify the ssl_certificate_key on line 6 (if you are changing the name of the cert than previous) Generic

  • Save the changes in the default.conf file
wq!
Generic

Step 3

  • Test NGINX
nginx -t
Generic
  • If NGINX does not come back as successful, then do not proceed to the restart of NGINX. A successful output looks like this.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Step 4:

  • Restart NGINX
service nginx reload
Generic
A successful restart of NGINX looks like below
[user@dataport-test ~]$ Reloading nginx: nginx.
  • Exit from the container
exit
Gneric
Step 5:
  • Verify that the NGINX container is running
podman ps
Generic
  • The output should show two containers


Generic

APPENDIX-4: Integration Gateway upgrade using manual steps

  • Login to the VM instance as root

  • To pull N2N’s Integration Gateway image from the N2N private repository (quay.io), please enter Podman login credentials that are obtained from Illuminate. 

STEP 1) Authorization to Access Integration Gateway Docker Images

     Note: If you do not have an Illuminate account please contact appsupport@n2nservices.com 

  • Get the credentials by following the below steps
    • From the left-side menu, select the connection button.
    • Next, click the button IIG CONTAINER KEY to the right top corner.
    • Copy the username and password within the popup box.


  • Run the below command on the dataport server using the credentials above
podman login quay.io
Generic
enter the username (grab the username from Illuminate as in the screenshot)
Generic
enter the password (grab the password from Illuminate as in the screenshot)
Generic

STEP 2) Find and stop the dataport container

  • Use the following command to show the containers running on the podman
podman ps
Generic
The container name can be seen by typing in `podman ps` as below. The column name NAMES will let you know the container name.


STEP 3) Save the previous version of dataport

  • This command should be used to take the backup. If your dataport container has an alternate name, put that in place of ‘dataport’.
podman rename dataport dataport.bk
Generic

STEP 4) Pull and Run N2N's Integration Gateway image.

* Your network name in the below command could be different.
* You can get your network name by inspect command as below(the entry will be in the 'Networks' array - see the image below)

$ podman inspect nginx (nginx is the container name)

Example:Image below



podman pull quay.io/n2ndevops/illuminatedataport:4.13
Generic
To run this dataport image, the network name 'n2n_iig' should be grabbed as below

podman run --network=n2n_iig --name dataport -it -d quay.io/n2ndevops/illuminatedataport:4.13
Generic

STEP 5: Auto Restart the containers

  • Run the below commands once dataport has been upgraded
systemctl stop container-dataport.service

systemctl start container-dataport.service

systemctl status container-dataport.service

G
  • Test the connection using curl. It should “return a response status as not a valid request.” Note that you need to configure the command below to match organizational nomenclature

curl -X GET https://yourdns/idp/status
{"status":"FAIL","message":"Not a valid request."}

STEP 6) Add Database Credentials.

  • To grab the authorization token from the Illuminate app
    • Login into QA Illuminate app: https://qa.illuminateapp.com/api-universe/login
    • Login into PROD Illuminate app: https://illuminateapp.com/api-universe/login
    • From the left-side menu, select Connections.
    • From Applied Database Providers select the eye icon(as shown in the figure as option 2).
    • Click on GENERATE TOKEN button to the right side of the screen.
    • A popup will appear with authorization details that should be copied and used to run the database curl command

Note: The generated token will expire in 5 mins.



Step 6(i)- Create & run the CURL command

Generic

  • You can use DNS (which is assigned to the Integration Gateway) to add DB properties file 

$ curl -X POST 'https://your_dns_name/idp/addDBproperties' -H 'Authorization:Token from Illuminate connections page in Step 2' -H 'Content-Type: application/json' -d 'Grab the database type from below table'
Generic

Database TypeConnection Info
Banner/Oracle{"DBHost": "0.0.0.0","port": "1234","SID": "","ServiceName": "servicename","DBUsername": "username","DBPassword": "***********"}
SQL Server{ "DBHost": "0.0.0.0", "port": "1234", "databaseName": "", "DBUsername": "username", "DBPassword": "***********" }
SQL Server with no port{ "DBHost": "0.0.0.0","instance":"POWERCAMPUSDB", "port": "", "databaseName": "", "DBUsername": "username", "DBPassword": "***********" }
Informix{ "DBHost": "0.0.0.0", "port": "1234", "databaseName": "", "DBUsername": "username", "DBPassword": "***********","informixServer": "" }
Sybase{ "DBHost": "0.0.0.0", "port": "1234", "databaseName": "", "DBUsername": "username", "DBPassword": "***********"}

Step 6(ii) - Create & run the CURL command

  • Upon successful connection, you will see the following message
{"status":"success","message":"Properties Added"}

Step 6(iiI) - Restart dataport container

  • Upon successful connection, you will need to restart the container
podman restart dataport
Generic

APPENDIX-5: Maintenance steps

Podman Containers -Current Status Check

  • Look for the “healthy” status on the three containers
    • dataportProd
    • Dataport
    • nginx
podman ps
Generic

Checking Logs

podman exec -it dataport bash (replace “dataport” with the name of the container)
Generic
cd logs
Generic
tail -f dataport.log (The log file is named “dataport” for both the prod and test containers)
Generic

Manual Stop/Start/Restart of a Container

Note: You could use below commands if you know the containerId or you could also replace containerId with the container name like: dataport or DataportProd or nginx
podman start containerId
Generic
podman stop containerId
Generic
podman restart containerId
Generic
Generic


Generic


Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article