Installing icom Router Management on Red Hat Enterprise Linux (RHEL)

  • Updated on Jul 3, 2025
  • Published on Mar 26, 2025
Prev Next

Preface

This installation guide is based on Red Hat Enterprise Linux 9. Commands may vary for other Linux distributions. A recent and systemd-based Linux is highly recommended.

Supported Version

This guide refers to the following versions:

Router management

2025.03.0

Autoupdate

2025.03.0

System Requirements

Application Server Red Hat Enterprise Linux 9

Requirements

1 - 1.500 Routers

1.500 - 3.000 Routers

CPU

8 vCPUs

16 vCPUs

RAM

16 GB

32 GB

Storage

100 GB HDD

200 GB HDD

Optional: Dedicated Database Server for Larger Environments

  • Red Hat Enterprise Linux 9 (preferred)

  • 8 vCPUs

  • 16 GB RAM

  • 100 GB HDD

Install needed packages

Install the following packages, that will be needed in later steps of this guide:

sudo yum install postgresql-server unzip nginx policycoreutils-python-utils

Setup PostgreSQL Database

Install a Postgres database server (PostgreSQL 14) onto your application server or dedicated database server.

Install the repository RPM.

sudo dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm

Disable the built-in PostgreSQL module

sudo dnf -qy module disable postgresql

Install PostgreSQL

sudo dnf install -y postgresql14-server

Optionally initialize the database and enable automatic start

sudo /usr/pgsql-14/bin/postgresql-14-setup initdb
sudo systemctl enable postgresql-14
sudo systemctl start postgresql-14

Login to your postgres user, run psql CLI tool and execute the SQL commands.

sudo -u postgres psql

When logged in, run the following queries to create the database and user.

create database insysicomroutermgmt;
create user u4insysicomroutermgmt with encrypted password 'pw4insysicomroutermgmt';
alter database insysicomroutermgmt owner to u4insysicomroutermgmt;
grant all privileges on database insysicomroutermgmt to u4insysicomroutermgmt;
\q

Additional steps for a dedicated PostgreSQL server

You have to allow remote access to access a dedicated PostgreSQL database server from outside. The path depends on your PostgreSQL version; we are currently using Version 14.

sudo vi /etc/postgresql/14/main/postgresql.conf

Look for this line in the file:

#listen_addresses = 'localhost'

Uncomment, and change the value to *; this will allow Postgres' connections from anyone.

listen_addresses = '*'

Save and exit the file. Next, modify pg_hba.conf to also allow connections from everyone.

sudo vi /etc/postgresql/{db-psql-version}/main/pg_hba.conf

Modify this section:

# IPv4 local connections:
host    all             all             127.0.0.1/32            md5

To this:

# IPv4 local connections:
host    all             all             0.0.0.0/0            md5

Please note!

In case of an active firewall, ensure port 5432 is opened.

Restart the database service.

sudo systemctl restart postgresql

Setup application server

Create a directory in your home and copy the installation zip file irm_linux_2024_10_0.zip into this directory. Extract the content and remember the path. You need the router management executable for the next steps.

mkdir dist
cd dist

Copy the installation zip file irm_linux_2024_10_0.zip into this directory. Extract the content and remember the path. You need the router management executable for the next steps.

mv /path/to/irm_linux_2024_10_0.zip .
unzip -j irm_linux_2024_10_0.zip
ls -aFl

The list command should show the following files:

  • insysicom-routermgmt

  • insysicom-autoupdate

  • irm_linux_2024_10_0.zip

cd

Create a service user and all required directories. Populate the directories with the configurations and application binaries.


sudo adduser --home /var/opt/insysicom-routermgmt --no-create-home --gecos --disabled-password insysicom-routermgmt
sudo mkdir -p /opt/insysicom-routermgmt/etc
sudo mkdir -p /opt/insysicom-routermgmt/bin
sudo cp ./dist/insysicom-routermgmt /opt/insysicom-routermgmt/bin
sudo cp ./dist/insysicom-autoupdate /opt/insysicom-routermgmt/bin
sudo chown -R insysicom-routermgmt:insysicom-routermgmt /opt/insysicom-routermgmt
sudo mkdir /var/opt/insysicom-routermgmt
sudo chown insysicom-routermgmt:insysicom-routermgmt /var/opt/insysicom-routermgmt

Setup routermanagement-installation

We’re about to initialize the application for the first time. You have to change your current user to the previously added user insysicom-routermgmt and then change to the /opt/insysicom-routermgmt/etc directory. In this directory, we are placing our generated configuration file. The environment variables are necessary for the database connection. The initialization process prepares the database and afterwards dumps the configuration file into the current directory. The configuration file includes several application settings.

Please note!

If you run a dedicated database server, change BARRACUDA_DATABASE_ARGS to match your database server hostname or IP address, e.g.: BARRACUDA_DATABASE_AGRS="…​ host=mydbserver port=5432 …​"

sudo -i -u insysicom-routermgmt
cd /opt/insysicom-routermgmt/etc/
export BARRACUDA_DATABASE_DIALECT="postgres"
export BARRACUDA_DATABASE_ARGS="user=u4insysicomroutermgmt password=pw4insysicomroutermgmt dbname=insysicomroutermgmt host=localhost port=5432 sslmode=disable"
/opt/insysicom-routermgmt/bin/insysicom-routermgmt system upgrade --init --dump-config=insysicom-routermgmt.conf

Change the specified settings in the insysicom-routermgmt.conf file in order to allow communication between this service and the autoupdate service:

Open the configuration file.

vi /opt/insysicom-routermgmt/etc/insysicom-routermgmt.conf

/opt/insysicom-routermgmt/etc/insysicom-routermgmt.conf

barracuda_admin_api_port: 9201
barracuda_admin_api_host: "127.0.0.1"
bonaventure_grpc_server_port: 50052
bonaventure_grpc_server_host: "127.0.0.1"
barracuda_service_port: 9202
barracuda_service_host: "127.0.0.1"
barracuda_api_port: 9203
barracuda_api_host: "127.0.0.1"
barracuda_swagger_host: localhost
barracuda_swagger_port: 9203
barracuda_data_path: /var/opt/insysicom-routermgmt
...

Now, the configuration is adapted to fit the environment.

These settings ensure that the router management daemon is only accessible on your localhost and doesn’t conflict with common IP ports, because the application is protected with a front-facing NGINX web server. The barracuda_data_path setting has to be adjusted, because the init process adds the hidden directory .barracuda. This is not necessary in case of an application server.

Setup autoupdate-installation

To configure the autoupdate service, you need to create an environment file in the same directory as the router management configuration file.

vi /opt/insysicom-routermgmt/etc/insysicom-autoupdate.env

Add the following content:

AUTOUPDATE_HTTP_PORT=8082
AUTOUPDATE_GRPC_PORT=50052
AUTOUPDATE_HTTP_READ_TIMEOUT=60s
AUTOUPDATE_SHUTDOWN_TIMEOUT=10s
FILE_STORAGE_TYPE=filesystem

Settings, that already exist in the routermanagement configuration file, are added to the environment file.

echo "MASTER_KEY=$(grep -oP '(?<=barracuda_master_key: ).*' /opt/insysicom-routermgmt/etc/insysicom-routermgmt.conf)" >> /opt/insysicom-routermgmt/etc/insysicom-autoupdate.env
echo "DATABASE_ARGS=\"$(grep -oP '(?<=barracuda_database_args: ).*' /opt/insysicom-routermgmt/etc/insysicom-routermgmt.conf) $(grep -oP 'dbname=.*' /opt/insysicom-routermgmt/etc/insysicom-routermgmt.conf)\"" >> /opt/insysicom-routermgmt/etc/insysicom-autoupdate.env
echo "DATA_DIRECTORY=$(grep -oP '(?<=barracuda_data_path: ).*' /opt/insysicom-routermgmt/etc/insysicom-routermgmt.conf)" >> /opt/insysicom-routermgmt/etc/insysicom-autoupdate.env

Execute the following command to prepare the database for the autoupdate service.

set -a
source /opt/insysicom-routermgmt/etc/insysicom-autoupdate.env
set +a
/opt/insysicom-routermgmt/bin/insysicom-autoupdate -migrate

The result should be Migration completed successfully or No pending migrations, depending on the current state of the database.

Create the systemd services

Switch back to your administrative user.

exit

Create a systemd service for the routermanagement.

sudo vi /etc/systemd/system/insysicom-routermgmt.services

Please note!

If Postgres does not run on the same machine, please remove the line After=postgresql.service from the Unit section of your service

/etc/systemd/system/insysicom-routermgmt.service

[Unit]
Description=INSYS icom Router Management
After=postgresql.service
Wants=postgresql.service

[Service]
Type=simple
User=insysicom-routermgmt
Group=insysicom-routermgmt
WorkingDirectory=/var/opt/insysicom-routermgmt
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=insysicom-routermgmt
ExecStart=/opt/insysicom-routermgmt/bin/insysicom-routermgmt serve all -c /opt/insysicom-routermgmt/etc/insysicom-routermgmt.conf

[Install]
WantedBy=multi-user.target

Create a systemd service for the autoupdate.

sudo vi /etc/systemd/system/insysicom-autoupdate.service

Please note!

If Postgres does not run on the same machine, please remove the line After=postgresql.service from the Unit section of your service

/etc/systemd/system/insysicom-autoupdate.service

[Unit]
Description=INSYS icom Autoupdateserver
After=postgresql.service
Wants=postgresql.service

[Service]
Type=simple
User=insysicom-routermgmt
Group=insysicom-routermgmt
WorkingDirectory=/var/opt/insysicom-routermgmt
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=insysicom-autoupdate
EnvironmentFile=/opt/insysicom-routermgmt/etc/insysicom-autoupdate.env
ExecStart=/opt/insysicom-routermgmt/bin/insysicom-autoupdate -serve-autoupdate

[Install]
WantedBy=multi-user.target

Create a systemd timer for the icom Router Management

sudo systemctl edit --force --full insysicom-routermgmt-system@.timer

and add the following lines to the file:

[Unit]
Description=Run insysicom-routermgmt system %I Daily

[Timer]
OnCalendar=Daily
Persistent=true
AccuracySec=1us
RandomizedDelaySec=12h
Unit=insysicom-routermgmt-system@%I.service

[Install]
WantedBy=timers.target

Create a systemd service for the icom Router Management

sudo systemctl edit --force --full insysicom-routermgmt-system@.service

and add the following lines to the file:

[Unit]
Description=Run insysicom-routermgmt system %I

[Service]
Type=oneshot
User=insysicom-routermgmt
Group=insysicom-routermgmt
ExecStart=/opt/insysicom-routermgmt/bin/insysicom-routermgmt system %I -c /opt/insysicom-routermgmt/etc/insysicom-routermgmt.conf

Start the systemd services

sudo systemctl daemon-relaod
sudo systemctl enable --now insysicom-routermgmt.service insysicom-autoupdate.service insysicom-routermgmt-system@fetchDeviceInfo.timer insysicom-routermgmt-system@updateLicenseStatus.timer

Check if the systemd services are running. The status should be active (running) and the indicator should be lit green.

sudo systemctl status insysicom-routermgmt.service
sudo systemctl status insysicom-autoupdate.service

Setup NGINX web server

Please note!

We highly recommend to start with the following HTTP-only setup and check the proper operation of the routermanagement application first, before you setup TLS.

Create a new NGINX server config

sudo vi /etc/nginx/sites-available/insysicom-routermgmt

*/etc/nginx/conf.d/insysicom-routermgmt.conf

server {
    listen 80;
    listen [::]:80;
    server_name _;

    client_max_body_size 300M;
    client_header_timeout 600;
    client_body_timeout 600;
    send_timeout 600;
    proxy_read_timeout 600;

    location = / {
        return 301 /ui;
    }
    location /ui/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:9203;
    }
    location /api/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:9203;
    }
    location /auth/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:9203;
    }
    location /graphql {
        proxy_read_timeout 180s;
        proxy_connect_timeout 180s;
        proxy_send_timeout 180s;
        send_timeout 180s;
        proxy_pass http://127.0.0.1:9203/graphql;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }
}

server {
    listen 8081;
    listen [::]:8081;
    server_name _;
    location /devicecontrol {
        proxy_read_timeout 180s;
        proxy_connect_timeout 180s;
        proxy_send_timeout 180s;
        send_timeout 180s;
        proxy_pass http://127.0.0.1:9202/devicecontrol;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /autoupdate/ {
        proxy_pass http://127.0.0.1:8082;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    }
}

Warning!

Since SELinux reserves special ports, we need to use port 8081 for the inventory connection. Please ensure that this port is available.

Adjust the server settings

sudo vi /etc/nginx/default.d/nginx.conf

/etc/nginx/nginx.conf

...
worker_rlimit_nofile 40000;
events {
        worker_connections 20000;
        # multi_accept on;
}

http {
    ...
    server_names_hash_bucket_size 64;
    ...
}
...

Validate the config and restart the webserver

sudo nginx -t
sudo systemctl restart nginx

SELinux configuration

Red Hat Enterprise Linux uses Security-Enhanced Linux (SELinux) to enforce security policies. The following commands allow NGINX to connect to the router management backend processes.

sudo semanage port -a -t http_port_t -p tcp 8082
sudo semanage port -a -t http_port_t -p tcp 9202
sudo semanage port -a -t http_port_t -p tcp 9203

setsebool -P httpd_can_network_connect 1

Adjust system settings

To setup a router connection, changes to the System settings are needed. Otherwise the download of a routers startup configuration will fail.

Open your web browser and navigate to the installed application: http://myserver_or_ip_address

Login with the default credentials (you can change username and password later).

Username: default
Password: secret

Navigate to System AdministrationSystem settings and adjust the following three setting as shown:

Name

Value

DEVICECONTROL_SERVER_CERT

NONE

AUTOUPDATE_SERVER_CERT

NONE

INVENTORY_CONNECTION_PROFILE_HOSTNAME

IP-address or FQDN of your application server

INVENTORY_CONNECTION_PROFILE_PORT

8081

Fully Qualified Domain Name (FQDN)

Check if your setup is working properly

Navigate to the router list, register a new router, use dummy values and try to download the startup-configuration.

NOTE: If you’re encountering difficulties downloading the startup configuration or registering a new router, it may indicate an issue with the application setup. If you cannot access the web application, please check your network and/or firewall settings. For specific help please contact our support team.

Extract the tarball archive and open the file ConnectionProfile_xxx.txt in your preferred text editor. The content of the file should look similar to the following output.

-----LUA-----
host = "164.90.225.14"
path = "devicecontrol"
active_https = "0"
port = "8081"
device_id = "9a201fa4-c022-49ae-a5ba-86ee79acbbdd"
realm_uri = "devices.insys-tec.net"
-- configure the remote management service
cli("administration.remote_management.active=1")
cli("administration.remote_management.host=" .. host)
cli("administration.remote_management.path=" .. path)
cli("administration.remote_management.port=" .. port)
cli("administration.remote_management.device_id=" .. device_id)
cli("administration.remote_management.realm_uri=" .. realm_uri)
cli("administration.remote_management.active_https=" .. active_https)
cli("administration.remote_management.client_cert=" .. cert_name)
cli("administration.remote_management.client_key=" .. key_name)

-- activate profile
cli("administration.profiles.activate")
-----LUA-----

The parameter host should match the IP-address of your application server. In case you’re using a FQDN the host parameter should contain the corresponding FQDN.

Finally check if the websocket is accessible. Otherwise your routers cannot connect to the router management application. Change to a different machine and try the following command. Please adjust the IP address to match your application server’s IP address (or FQDN). The given port 8081 matches our current NGINX configuration.

curl http://164.90.225.14:8081/devicecontrol

If you receive the error handshake error: bad "Upgrade" header, everything is working as expected. In case of any other errors, please check your network and/or firewall settings.

Router Management in HTTP-only mode is ready for operation

The router management application is now prepared to handle router management exclusively through HTTP.

If the network infrastructure is entirely private or inaccessible from external sources, or if routers are connected through secure VPN tunnels (such as IPSec) to a corporate network, there is no need to implement additional TLS encryption and authentication. In such cases, the current setup can remain unchanged.

However, if the network configuration does not meet these criteria, it is advisable to proceed with the TLS configuration as described.

Securing with TLS

As router management is a fully web-based application, there are various methods to secure the application using TLS. This installation guide outlines the use of private certificates while separating the application and router connections (web sockets) through different IP ports, all utilizing the same application server IP address. The HTTP-only NGINX configuration mentioned earlier illustrates this setup. The application operates on port 80, while the routers connect to the backend through port 8081.

The ports will be changed to 443 and 8443, as these are commonly used for TLS authentication and encryption.

Please note!

For those interested in using public certificates or managing router connections via a dedicated IP address or setting up NGINX DNS-based virtual hosts, please reach out for further assistance.

Issuing the server certificate

Warning!

We do not support self-signed server certificates!

A server certificate matching the specific environment is needed to continue.

The common name should correspond to the FQDN of the application server. If an IP address-based connection is preferred, include an IP Subject Alternative Name (SAN) in the certificate. The example provided includes both elements.

The following certificate authority is used to sign the server certificate (the output has been trimmed to show only the relevant content):

CA

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5909721596463708658 (0x52038c7b1eac79f2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, L=Regensburg, O=INSYS MICROELECTRONICS GmbH, CN=iRM Install Guide Certificate Services
        Validity
            Not Before: May 24 12:40:00 2022 GMT
            Not After : May 24 12:40:00 2032 GMT
        Subject: C=DE, L=Regensburg, O=INSYS MICROELECTRONICS GmbH, CN=iRM Install Guide Certificate Services
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign

The resulting server certificate (with the output trimmed to display only the relevant content) is utilized in the forthcoming configuration. Additionally, the private key associated with this certificate is required.

Server Certificate

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3573560371971845316 (0x3197d6398acb6cc4)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, L=Regensburg, O=INSYS MICROELECTRONICS GmbH, CN=iRM Install Guide Certificate Services
        Validity
            Not Before: May 24 12:41:00 2022 GMT
            Not After : May 24 12:41:00 2024 GMT
        Subject: C=DE, L=Regensburg, O=INSYS MICROELECTRONICS GmbH, CN=irmop1.icomcloud.net
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:irmop1.icomcloud.net, IP Address:164.90.225.14

For the following instructions 3 PEM files are needed.

  • Certificate Authority (or chain) (in this guide called: iRM_Install_Guide_Certificate_Services.crt)

  • Server Certificate (in this guide called: irmop1.icomcloud.net.crt)

  • Server Private Key (in this guide called: irmop1.icomcloud.net.key)

Setup NGINX SSL

Please note!

For TLS version 1.3 is recommended. If especialy needed, version 1.2 can also be used.

The file ssl-params.conf can be modified to meet specific security requirements. The sample configuration below is currently in use within our own cloud environment. Given that router management is a fully web-based application, it supports all standard features associated with such.

sudo vi /etc/nginx/snippets/ssl-params.conf

/etc/nginx/snippets/ssl-params.conf

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

Create Diffie-Hellman (DH) parameters based on the configurations specified in ssl-params.conf.

openssl dhparam -out /etc/nginx/dhparam.pem 4096

The certificates must be chained in the order expected by NGINX.

sudo mkdir /etc/nginx/ssl
sudo cat irmop1.icomcloud.net.crt iRM_Install_Guide_Certificate_Services.crt > /etc/nginx/ssl/insysicom-routermgmt.crt
sudo cp irmop1.icomcloud.net.key /etc/nginx/ssl/insysicom-routermgmt.key
sudo chmod 600 /etc/nginx/ssl/insysicom-routermgmt.key

The snippet should be configured to add the certificate chain and the private key to the NGINX configuration.

sudo vi /etc/nginx/snippets/insysicom-routermgmt-ssl.conf

/etc/nginx/snippets/insysicom-routermgmt-ssl.conf

ssl_certificate /etc/nginx/ssl/insysicom-routermgmt.crt;
ssl_certificate_key /etc/nginx/ssl/insysicom-routermgmt.key;

Finally, SSL support should be added to the NGINX configuration.

sudo vi /etc/nginx/sites-available/insysicom-routermgmt

/etc/nginx/sites-available/insysicom-routermgmt

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/insysicom-routermgmt-ssl.conf;
    include snippets/ssl-params.conf;
    server_name _;

    client_max_body_size 300M;
    client_header_timeout 600;
    client_body_timeout 600;
    send_timeout 600;
    proxy_read_timeout 600;

    location = / {
        return 301 /ui;
    }
    location /ui/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:9203;
    }
    location /api/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:9203;
    }
    location /auth/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:9203;
    }
    location /graphql {
        proxy_read_timeout 180s;
        proxy_connect_timeout 180s;
        proxy_send_timeout 180s;
        send_timeout 180s;
        proxy_pass http://127.0.0.1:9203/graphql;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }
}

server {
    listen 8443 ssl;
    listen [::]:8443 ssl;
    include snippets/insysicom-routermgmt-ssl.conf;
    include snippets/ssl-params.conf;
    server_name _;

    location /devicecontrol {
        proxy_pass http://127.0.0.1:9202/devicecontrol;
        proxy_http_version 1.1;
        proxy_read_timeout 180s;
        proxy_connect_timeout 180s;
        proxy_send_timeout 180s;
        send_timeout 180s;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /autoupdate/ {
        proxy_pass http://127.0.0.1:8082;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }
}

The NGINX SSL setup should now be checked to ensure it is functioning correctly before proceeding with the TLS configuration.

sudo nginx -t
sudo systemctl restart nginx
curl --cacert iRM_Install_Guide_Certificate_Services.crt https://164.90.225.14:8443/devicecontrol

The expected response is a handshake error: bad "Upgrade" header.

Please note!

The parameter --cacert should point to the CA-chain PEM file that was used to sign the server certificate. Otherwise, the curl command will fail due to a lack of trust in the private certificates. Alternatively, the parameter -k can be used. For additional details, refer to the man pages of the curl command.

The handshake error will be encountered again. The router connection is functioning as expected and is now secured by TLS.

Open the browser and navigate to your router managements user interface.

The router managements user interface should appear. If the computer does not trust the private certificate authority, the web browser will display an error. This error can be bypassed by continuing to browse to the untrusted site or by adding the certificate authority to the list of trusted certificate authorities.

Add TLS support to router management

Router management requires access to the new server certificate as well. Since NGINX handles the TLS termination, it is only necessary to upload the public TLS certificate, such as irmop1.icomcloud.net.crt.

To import the certificate, navigate to the router management interface in the browser and go to Certificate ManagementCertificates . A certificate with name (and a password if applicable) needs to be uploaded. After uploading, it can be used as server certificate by selecting it and executing Action⇒*Use as server certificate* in the top right.

Navigate to System AdministrationSystem settings and set the appropriate TLS port:

Name

Value

INVENTORY_CONNECTION_PROFILE_PORT

8443

After these system changes, router management is prepared to handle router connections via HTTPS. Access the router list and download the startup configuration again. A router for testing purposes was added in the previous section of the installation guide. If the tarball archive is extracted now and the file ConnectionProfile_xxx.txt is opened, a different configuration should be recognizable, which includes a client certificate, a client private key, and several other commands.

Please note!

If the download of the startup configurations fails, it indicates that something was missed during the configuration process.

Add TLS client-authentication

When a new router is registered in the router management application, a client certificate for the router is automatically generated. This client certificate is included in the router’s startup configuration and will be installed on the router.

Please note!

It is highly recommended to create a separate certificate authority (CA) for signing client certificates, rather than using the pre-installed CA. During initialization, router management will automatically create a CA and set it as the default for client certificates. However, this CA includes various attributes referencing INSYS icom GmbH properties. In this installation guide, an internal PKI is used to generate a new certificate authority. Alternatively, an existing PKI can be used, and a signing CA can be uploaded. For assistance with using an existing PKI, please contact support.

Please note!

The HTTPS protocol shall never be used for the CRL distribution endpoint, as this can lead to download failures. Always use plain, unsecured HTTP. Since the CRL does not contain sensitive information and is signed by the associated CA, there are no security concerns.

Go to the router management interface in the browser and navigate to Certificate ManagementCertificate Authorities . Click on Upload, select the CA (referred to in this guide as your_client_authentication-ca.crt), and choose New certificate authority with key (Format: PKCS#12). Provide a name (and a password if applicable).

After the upload, select the CA and click on Select actionConfigure client CA in the top right. Read the information boxes and confirm that all the described requirements have been met. Since router management is using the default certificate authority, the new CA needs to be introduced.

Navigate to Routers in the router management interface and delete all registered routers. Register a router for testing purposes. The router management now creates a new client certificate that is signed by our new certificate authority.

If the router registration fails, an error in the setup may have occurred. Please contact support for further assistance.

Return to the console to set up NGINX.

Download the new certificate authority in PEM format.

In order to enable TLS client-authentication within the NGINX web server, we have to change the current configuration.

Copy the previously uploaded CA file your_client_authentication-ca.crt into the NGINX SSL folder.

sudo cp your_client_authentication-ca.crt /etc/nginx/ssl

Adjust the NGINX server configuration for the server running on port 8443.

sudo vi /etc/nginx/sites-available/insysicom-routermgmt

/etc/nginx/sites-available/insysicom-routermgmt

server {
    listen 8443 ssl;
    ...
    ssl_client_certificate /etc/nginx/ssl/your_client_authentication-ca.crt;
    ssl_verify_client on;
    ...
}

Verify and enable the new NGINX configuration.

sudo nginx -t
sudo systemctl restart nginx

Attempt to connect to the web socket endpoint without a client certificate.

curl https://164.90.225.14:8443/devicecontrol

This should result in an error.

<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx/1.18.0</center>
</body>
</html>

Attempt to connect to the web socket endpoint using a valid client certificate. For that, access the router managements user interface and download the startup configuration for the previously added router.

Extract the tarball archive and open the file ConnectionProfile_xxx.txt. This file contains two PEM blocks: a certificate and a private key. Copy these PEM blocks (excluding the square brackets) into separate files (client.crt and client.key) on the local PC. These files will be needed for the subsequent curl command.

curl --cert client.crt --key client.key --cacert iRM_Install_Guide_Certificate_Services.crt https://164.90.225.14:8443/devicecontrol

If you receive a handshake error: bad "Upgrade" header, the TLS client authentication is working.

Forward client certificate to router management for further processing

The following configuration is required for your routers to download associated update-packets.

sudo vi /etc/nginx/sites-available/insysicom-routermgmt

/etc/nginx/sites-available/insysicom-routermgmt

server {
    listen 8443 ssl;
    ...
    location /devicecontrol {
        ...
        proxy_set_header X-Forwarded-Client-Cert $ssl_client_cert;
    }
    location /autoupdate/ {
        ...
        proxy_set_header X-Forwarded-Client-Cert $ssl_client_cert;
    }
}

Check and enable the new NGINX configuration.

sudo nginx -t
sudo systemctl restart nginx

Notes for connecting an icom OS router

Since private certificates are being used in this example, the icom OS router does not trust the CA that signed the NGINX server certificate. Before applying the startup configuration on the router, the CA certificates must be installed.

Open the routers user interface and navigate to AdministrationCertificates.

Upload the CA certificate that was used to sign the server certificate. If a CA hierarchy is being used, begin with the Root CA and then add the Intermediate CAs in the correct order.

Now, the router is ready to be connected to the router management application. Ensure that the network settings allow a connection from the router to the router management server. Test the connection using a ping. Navigate to AdministrationDebugging in the routers user interface and send a ping to the IP address or FQDN of the router management application server.

Please note!

Ensure that NTP is configured on the routers. The date and time must be set correctly to allow connections via certificates.

Access the router managements user interface and register the icom OS router. Download its startup configuration and return to the routers user interface. Navigate to Administrationicom Router Management. Select and upload the startup configuration.

If everything is set up correctly, the router should connect to the router management, and the connection status will change to online.

Installation approval

NOTE: The installation is only considered complete upon approval from the support team. A checklist for prior verification can be downloaded: Post installation checklist.