Illuminate Integration Gateway Installation Using Podman

podman network create n2n_iig

• Run Podman containers

podman run -it --name dataport -d --network n2n_iig quay.io/n2ndevops/illuminatedataport:4.13

podman run -it --name nginx -d --network n2n_iig -p 80:80 -p 443:443 quay.io/n2ndevops/illuminatedataportnginx:1.24.0

• Now copy all your SSL certificate files (such as the .crt and .key files*) to the “certs” folder inside the Nginx container

podman cp <your file name>.crt nginx:/certs/<your file name>.crt 
podman cp <your file name>.key nginx:/certs/<your file name>.key

• Update the default.conf with appropriate details

podman exec -it nginx bash

• Test nginx configuration

nginx -t

• Restart nginx

• Run the status API

• Login to Illuminate account again and then go to Connections > Add integration Gateway>Establish Connection tab to continue with this process

• Provide the URL/DNS where the Integration Gateway is connected/installed. After providing the URL, the user will then click on the Validate button, which will verify the host connection and installation of IIG via Illuminate application

• Upon successful validation of the URL, confirming both the host and Integration Gateway installation, the subsequent screen will be displayed

• Once you click on 'SUBMIT' the url will be saved. scroll down and click on 'ADD DATABASE PROVIDER' to access a list of database providers. Here, you can the add, edit, or delete providers.

• Once all the information entered in the Provider section above, click on 'SAVE' a popup will appear with the authorization token and copy this token, use it in the below curl format command

Note: This token is valid for five minutes

• Form the curl command using the below format along with the authorization token from illuminate which is copied and run this formed curl on the server to establish connection between dataport and database

curl -X POST 'http://yourdns/idp/addDBproperties' -H 'Authorization:Token from Illuminate connections page in Step 2' -H 'Content-Type: application/json' -d '{"DBHost": "0.0.0.0","port": "1234","SID": "","ServiceName": "servicename","DBUsername": "username","DBPassword": "***********"}'

APPENDIX-1: Integration Gateway setup for PROD on the same QA host/server

If the client wants to set up a PROD integration gateway on the QA host, they need to follow these steps

• Create prod integration Gateway Podman container

podman run --network=n2n_iig --name dataportProd -it -d quay.io/n2ndevops/illuminatedataport:4.12

• Test Nginx configurations

nginx -t

service nginx reload

• Test the connection using curl. It should “return a response status as not a valid request”. Note that you need to configure the command below to match organizational nomenclature

curl -X GET https://{server_name(or)host_name}/idp2

systemctl daemon-reload

systemctl enable container-dataportProd.service

systemctl start container-dataportProd.service

systemctl status container-dataportProd.service

APPENDIX-2: Optional step to autostart the containers after a server reboot

If a server is rebooted, restarted, or start/restart, the Podman must be restarted. To accomplish that automatically follow the steps below

• Create an Systemd service for both dataport and nginx

cd /etc/systemd/system
vi container-dataport.service
vi container-nginx.service

• The systemd service of dataport(container-dataport.service)

[Unit]
Description=Podman Container dataport
Wants=network-online.target
After=network-online.target

[Service]
#dataport
ExecStart=/usr/bin/podman start -a dataport
ExecStop=/usr/bin/podman stop -t 10 dataport
ExecReload=/usr/bin/podman restart dataport

Restart=on-failure
RestartSec=60s
KillMode=none
Type=simple


[Install]
WantedBy=multi-user.target

• The systemd service of nginx(container-nginx.service)

[Unit]
Description=Podman Container nginx
Wants=network-online.target
After=network-online.target

[Service]
#nginx
ExecStart=/usr/bin/podman start -a nginx
ExecStop=/usr/bin/podman stop -t 10 nginx
ExecReload=/usr/bin/podman restart nginx

Restart=on-failure
RestartSec=60s
KillMode=none
Type=simple


[Install]
WantedBy=multi-user.target

• Reload the systemd daemon

systemctl daemon-reload

• Enable the Services, this will create an symbolic link to auto start the Podman container on server boot

systemctl enable container-dataport.service

systemctl enable container-nginx.service

• Start both the services(dataport and Nginx)

systemctl start container-dataport.service

systemctl start container-nginx.service

• Check the status of the services

systemctl status container-dataport.service

systemctl status container-nginx.service

APPENDIX-3: SSL Certs In Dataport/IIG

If a client wants to update SSL certs in Nginx, they can go through these instructions for more details

What is an SSL certificate?

An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates the identity of a website and encrypts information sent to the server using SSL technology. Encryption is the process of scrambling data into an undecipherable format that can only be returned to a readable format with the proper decryption key.

What are Certificate Chains?

A certificate chain (or Chain of Trust) is made up of a list of certificates that start from a server’s certificate and terminate with the root certificate.

What is SSL Certificate Chain Order?

The SSL certificate chain order consists of root certificates, intermediate certificates, and a server’s certificate. Root CAs are a trusted source of certificates. Intermediate CAs are bridges that link the server’s certificate to the root CA.

There are three parts to the chain certificates

• Server Certificate: The server certificate is issued to the specific domain the user needs coverage for.

• Intermediate Certificate: Intermediate certificates act as middle-men between the protected root certificates and the server certificates issued out to the public. There will always be at least one intermediate certificate in a chain, but there can be more than one.

• Root Certificate: A root certificate is a digital certificate that belongs to the issuing Certificate Authority. It comes pre-downloaded in most browsers and is stored in what is called a “trust store.” The root certificates are closely guarded by CAs.

For an SSL certificate to be authenticated by the web browsers, it must be authentic and issued by a trusted certificate authority embedded in the browser’s trusted store. If your SSL certificate isn’t issued by a trusted certificate authority, i.e., if it isn’t issued by a Root CA, then the connecting device or web browser will continue to check if the issuing CA was issued by a root CA. It will keep going back down the SSL certificate chain order to find the root CA. If it finds a root CA, a secure connection will be established. If it doesn’t find a root CA, then the connection will be dropped, and your web browser will display an error message that reads “invalid certificate” or “certificate not trusted.”

How To Update SSL Certs In Dataport

• Ensure you have a private key

• Create a full certificate bundle for NGINX using one of the methods below, depending on how your SSL provider delivered the certificates to you.

How To form a bundle .crt file

# Open up a notepad or any text editor.
# Copy-paste the Public cert (public should always be on the top of the file)
# Copy-paste the Intermediate cert
# Copy-paste the Root cert
# Now save the file with the desired name(dataport-test-school-edu.crt) within an extension of     the .crt
# You will have to create a .crt(self-signed is not accepted) file and a private key.

(OR)

Example GoDaddy:

cat signed_ssl.crt gd_bundle.crt > dataport-test-school-edu.crt 

Above gd_bundle assumes both intermediate and root

Other SSL providers with a single intermediate certificate:

cat signed_ssl.crt intermediate1.crt root.crt > dataport-test-school-edu.crt

Other SSL providers with multiple intermediate certificates:

cat signed_ssl.crt intermediate1.crt intermediate2.crt root.crt > dataport-test-school-edu.crt

Additional step if the private key is password protected:

If your private key is password-protected, we will need to make a copy without that password to use on the NGINX instance. If you run these commands and are not prompted for a passphrase, your SSL key did not have a passphrase. If you are prompted for a passphrase, enter it when prompted.

• NGINX will not properly restart if the private key is password protected.

openssl rsa -in private.key -out dataport-test-school-edu.key

Step 1:

• Upload the new cert and the key files to the server
• Copy the new files to the NGINX Docker container to the certs folder.

podman ps

The container name can be seen by typing in `podman ps` as below. The column name NAMES will let you know the container name.

podman pull quay.io/n2ndevops/illuminatedataport:4.13

To run this dataport image, the network name 'n2n_iig' should be grabbed as below

podman run --network=n2n_iig --name dataport -it -d quay.io/n2ndevops/illuminatedataport:4.13

curl -X GET https://yourdns/idp/status

{"status":"FAIL","message":"Not a valid request."}