Linux install, update

Introduction

This document describes the steps required to install Oplon Rel.10.x.x, or to update to it from LBL Rel.9.1.0 or later.

If you have Internet connectivity, you can install or update with automatic package downloads using the procedure "INSTALL OR UPDATE VIRTUAL APPLIANCE FROM INTERNET (ALL IN 1 STEP)"

Backup

Before anything else, make sure you have a backup so that you can restore your previous situation if needed.

INSTALL OR UPDATE VIRTUAL APPLIANCE FROM INTERNET (ALL IN 1 STEP)

If you have Internet connectivity, you can install OPLON VAPP with the following procedure, starting from a LINUX operating system installation of CentOS 7 or higher, or Ubuntu 16.04 or higher.

NB: To perform this procedure, you must have the login and password for the private download area of OPLON.net.

1) Log in as root in the LINUX operating system

2) Navigate to the root directory /

cd /

3) Execute

 mkdir /share

The share directory will also be used for subsequent updates

4) Run

 chmod 777 /share

5) Make sure the installer has the Internet connection it needs to download the required packages

6) Change to the /share directory

cd /share

7) Run the following command to download the unattended setup script:

wget --no-cache -N "https://www.oplon.net/OPLON_INSTALL_LASTUPDATE.sh"

8) To run the command you just downloaded, type as below and answer the questions:

bash OPLON_INSTALL_LASTUPDATE.sh


VIRTUAL APPLIANCE INSTALLATION (ALL IN 1 STEP)

OPLON VAPP can be installed with the following steps, starting from a LINUX operating system installation of CentOS 7 or higher, or Ubuntu 16.04 or higher.

  1. Log in as root in the LINUX operating system

  2. Navigate to the root directory /

    cd /
    
  3. Execute

    mkdir /share
    

    The share directory will also be used for subsequent updates

  4. Run

    chmod 777 /share
    
  5. Make sure the installer has the Internet connection it needs to download the required packages

  6. Place the following packages in the /share directory of the virtual appliance:

    1. 010xxxyyy_OPLON_NETWORKS_SUITE.zip
    2. 010xxxyyy_OPLON_NETWORKS_SUITE.zip.MD5
  7. From /share execute:

    unzip 010xxxyyy_OPLON_NETWORKS_SUITE.zip

  8. As root (sudo -i), from /share execute:

    bash OPLON_INSTALL_UPDATE_FROM_009001000_TO_01000X00x.sh
    
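Before unzipping, the .MD5 file shipped with the suite archive can be checked against the archive. The following Python is an added example written for this guide, not part of the Oplon package; it assumes the .MD5 file holds either the bare digest or the md5sum "digest  filename" layout.

```python
"""Verify the suite archive against its .MD5 companion before unzipping it.

Added example, not part of the Oplon installer. Assumes the .MD5 file holds either
the bare 32-hex-digit digest or the md5sum layout 'digest  filename'.
"""
import hashlib
import re
import tempfile
from pathlib import Path

HEX32 = re.compile(r"[0-9a-fA-F]{32}")

def file_md5(path):
    """Stream the archive through MD5 so large packages need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def expected_md5(md5_path):
    """Pull the digest out of the .MD5 file, whichever of the two layouts it uses."""
    m = HEX32.search(Path(md5_path).read_text(errors="replace"))
    if not m:
        raise ValueError(f"no MD5 digest found in {md5_path}")
    return m.group(0).lower()

def verify_package(zip_path, md5_path=None):
    """True only if the archive matches its .MD5 file (assumed to be <archive>.MD5)."""
    zip_path = Path(zip_path)
    md5_path = Path(md5_path) if md5_path else zip_path.with_name(zip_path.name + ".MD5")
    return file_md5(zip_path) == expected_md5(md5_path)

def demo():
    """Constructed sample: a fake archive, a matching .MD5, then a tampered archive."""
    work = Path(tempfile.mkdtemp())
    archive = work / "010xxxyyy_OPLON_NETWORKS_SUITE.zip"   # name from the install steps
    archive.write_bytes(b"constructed archive contents, not a real package\n")
    (work / (archive.name + ".MD5")).write_text(f"{file_md5(archive)}  {archive.name}\n")
    good = verify_package(archive)
    archive.write_bytes(b"constructed archive contents, TAMPERED\n")  # simulate corruption
    return good, verify_package(archive)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

A matching digest only shows the download was not corrupted or truncated; it vouches for the package only as far as the .MD5 file itself was fetched from the private download area over HTTPS.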

A) If the file jce_policy-8.zip is present, the updater asks you to confirm installation of the JCE Unlimited Strength Jurisdiction Policy Files.

B) If Internet connectivity is available, the program asks whether to update the kernel (N.B.: for a new installation, Internet connectivity is required and you must confirm the update)

C) The system detects whether ADC module templates exist. If they do not exist, it asks whether you want to install the templates; if they do exist, it asks whether you want to replace them with the new templates. If they exist and you decide to replace them, the update program saves the previous version of the templates in a tar.gz archive.

D) When the update is complete, set the management IP address, and the login and password of the root user and of the delegation user. Log out of the graphical interface and log back in to be able to start the tools from their icons again.


E) At the end Oplon GDG will start and be ready to be configured.


Attention: THIS IS THE ONLY STEP NEEDED TO CREATE A VIRTUAL APPLIANCE

UPDATE VIRTUAL APPLIANCE (ALL IN 1 STEP)

  1. Place the following packages in the /share directory of the virtual appliance:

    1. 010xxxyyy_OPLON_NETWORKS_SUITE.zip
    2. 010xxxyyy_OPLON_NETWORKS_SUITE.zip.MD5
  2. From /share execute:

    unzip 010xxxyyy_OPLON_NETWORKS_SUITE.zip

  3. As root (sudo -i), from /share execute:

    bash OPLON_INSTALL_UPDATE_FROM_009001000_TO_01000X00x.sh


    A) The update system asks you to make a backup before proceeding with the upgrade.

    B) If the file jce_policy-8.zip is present, the updater asks you to confirm installation of the JCE Unlimited Strength Jurisdiction Policy Files.

    C) If Internet connectivity is available, the program asks whether to update the kernel.

    D) The system detects whether ADC module templates exist. If they do not exist, it asks whether you want to install the templates; if they do exist, it asks whether you want to replace them with the new templates. If they exist and you decide to replace them, the update program saves the previous version of the templates in a tar.gz archive.

When the upgrade is complete, log out of the GUI and log back in to be able to start the tools from their icons again.

Attention: The Rewrite template classes are overwritten. If you have modified them without renaming them, take care to save them before the upgrade and restore them afterwards.

Attention: THIS IS THE ONLY STEP REQUIRED FOR VIRTUAL APPLIANCES. CHECK THE SSL AND INTERCEPTORS NOTES BELOW.

DATABASE UPDATES

If you are configuring with a centralized database, you must perform the following steps sequentially to update the database schema with the new schema:

a- If TML update the virtual appliance as specified in the previous paragraphs.

b- From root console, stop modules using the command

oplonstop

c- Connect to the database with any DBMS tool (for example MySQL Workbench for MySQL)

d- From the LBL_HOME/legacyBin/DatabasesScript directory, run the scripts that correspond to your database (e.g. for MySQL):

  • GUIRT_TABLES_MYSQL.sql

  • MySQL_LBLDBTables.sql

  • MySQL_LBLWAF_Objects.sql

TLS PERFECT FORWARD SECRECY

Oplon GDG implements the latest security directives, which is why deprecated SSL protocols are disabled by default in new releases.

However, it is possible to re-enable deprecated SSL protocols to allow some applications that still need to use them to work.

To change the default SSL protocols, enter the desired values in ADCs > Edit.

These settings can also be changed per group, domain, or endpoint.

Cipher suites are also part of this issue. So as not to block applications that are not yet ready for maximum security, we have chosen at this stage to keep the default cipher suites as broad as those enabled by default since Java 1.6.0_144.

If you want to apply the maximum security currently available, simply do the following:

1) Set SSL protocols Listeners to: TLSv1.2 TLSv1.3

2) Set SSL cipherSuites (CipherSuitesListeners) to:

    TLS_AES_128_GCM_SHA256
    TLS_CHACHA20_POLY1305_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
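As an added check (example code written for this guide, not part of Oplon), the following Python lints the two listener values above: it flags deprecated protocols and any TLS 1.2 suite whose key exchange is not ephemeral (EC)DHE or whose cipher is not AEAD, so a setting can be verified before it is applied. The suite-name classification is based on the standard Java/IANA naming scheme and is the example's own logic.

```python
"""Lint the SSL protocol and cipherSuites values of an Oplon listener for forward secrecy.

Added example, not Oplon code. It takes the space-separated values entered in the ADC
settings above and reports anything that loses PFS or falls back to a non-AEAD cipher.
"""
import re

# Recommended values quoted from this document
RECOMMENDED_PROTOCOLS = "TLSv1.2 TLSv1.3"
RECOMMENDED_SUITES = ("TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256 "
                      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 "
                      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 "
                      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# TLS 1.3 suite names carry no key-exchange part: the handshake is always (EC)DHE
TLS13_SUITE = re.compile(r"TLS_(AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256"
                         r"|AES_128_CCM_SHA256|AES_128_CCM_8_SHA256)")
TLS12_SUITE = re.compile(r"(?:TLS|SSL)_([A-Za-z0-9_]+?)_WITH_(.+)")

def lint_protocols(value):
    """Return the deprecated protocol names found in an 'SSL protocols' value."""
    return [p for p in value.split() if p in LEGACY_PROTOCOLS]

def suite_problems(suite):
    """Return the weaknesses of one Java/IANA cipher-suite name (empty list = acceptable)."""
    if TLS13_SUITE.fullmatch(suite):
        return []
    m = TLS12_SUITE.fullmatch(suite)
    if not m:
        return [f"unrecognised suite name {suite}"]
    kx, cipher = m.group(1), m.group(2)
    problems = []
    if "DHE" not in kx and "anon" not in kx:  # static RSA / ECDH_* key exchange gives no PFS
        problems.append("no forward secrecy (static key exchange)")
    if "anon" in kx or cipher.startswith("NULL"):
        problems.append("unauthenticated or unencrypted")
    if not any(tag in cipher for tag in ("GCM", "CHACHA20_POLY1305", "CCM")):
        problems.append("non-AEAD cipher (CBC, RC4 or 3DES)")
    return problems

def lint_cipher_suites(value):
    """Map each configured suite to its problems; an empty dict means the value is clean."""
    report = {}
    for suite in value.split():
        probs = suite_problems(suite)
        if probs:
            report[suite] = probs
    return report
```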

UPDATE NOTES - SOME TROUBLESHOOTING

1) A global module start variable has been added.

If you are upgrading from version 9.1 to 9.5, check whether the global variable LBL_GLOBAL_ALL_PROCESSES exists: Modules > Edit ... Node Variables

If the variable is not present, place it in all Node Variables with the following values:

LBL_GLOBAL_ALL_PROCESSES=-XX:+AlwaysPreTouch -XX:CompressedClassSpaceSize=128m -XX:MaxMetaspaceSize=48m

Check the start command of the existing modules to make sure the variable is referenced in it (Start Command: LBL_GLOBAL_ALL_PROCESSES).

For maximum performance, the system must have the following parameters:

LBL_GLOBAL_ALL_PROCESSES=-XX:+AlwaysPreTouch -XX:CompressedClassSpaceSize=128m -XX:MaxMetaspaceSize=48m
LBL_GLOBAL_GARBAGE_COLLECTOR_LOADBALANCER=-XX:+UseParallelGC -XX:+UseParallelOldGC
LBL_GLOBAL_GARBAGE_COLLECTOR_WEB_CACHE_DWH=-XX:+UseParallelGC -XX:+UseParallelOldGC

NOTE UPDATE - INTERCEPTORS (Rewrite classes) ENHANCEMENTS

Interceptor classes are enriched with some of the following features. If you have implemented new custom rules, you must add the following methods and make the following small changes, otherwise you do not need to read this chapter.

L4 TCP-UDP / L7 HTTP/S

You can now manage the entire life cycle of interceptor classes. Two new methods have been added, invoked immediately after the object is created and just before it is destroyed. This lets you handle asynchronous events within the interceptor class and optionally save or read contextual data in the directory of the process that runs the rewrite class.

@Override
public void interceptorInit(String processHomePath){
    // initialization instructions
}

@Override
public void interceptorEnd(String processHomePath){
    // finalization instructions
}

L4 TCP

A new method was introduced to intercept the first response from the service; if it is not present in your class, it must be implemented. In addition, these methods return true if the logical reading of the content is finished, or false if they need to keep reading until a logical unit (e.g. a HEADER) is complete before moving on to forwarding the packet:

@Override
public boolean doPrimerFromEndpoint(LBLTCPRewriteInterceptorFragment tcpFragment){
    return true;
}

All other methods can likewise return true or false, so that they can complete logical sequences by temporarily buffering values before forwarding.

@Override
public boolean doPrimerFromClient(LBLTCPRewriteInterceptorFragment tcpFragment){
    return true;
}

@Override
public boolean doPacketFromClient(LBLTCPRewriteInterceptorFragment tcpFragment){
    return true;
}

@Override
public boolean doPacketFromEndpoint(LBLTCPRewriteInterceptorFragment tcpFragment){
    return true;
}


L4 UDP

The module has been completely rewritten so that the same rewriting logic can be applied to layer 4 UDP protocols. As with layer 4 TCP, you can derive a session from the contents of the protocol's trigger packets, and you can intercept both streams: the client request and the service response.

@Override
public void interceptorInit(String processHomePath, String address, int port)

@Override
public void interceptorEnd(String processHomePath, String address, int port)

@Override
public void doAfterReceivedUDPPacketFromClient(LBLUDPRewriteInterceptorFragment udpFragment)

@Override
public void doAfterReceivedUDPPacketFromEndpoint(LBLUDPRewriteInterceptorFragment udpFragment)