For virtual appliance setup, the customer needs to perform the following:
Set up the networking configuration required for your domain. This includes the DNS, NTP, IP addresses of the VAs, and the external traffic channels used
Choose a key passphrase to generate the public-private encryption key pair that secures communications between the VAs and your IdentityNow tenant
Configure the cloud connector gateway to enable the VA connection
. Production systems should have 1 VA in a cluster
TRUE
FALSE
. Which of these steps are involved in connectivity gateway communication between the tenant and connected source systems? (6)
VAs from the same cluster poll the cluster queue for work / messages
Tenant submits work by adding messages to VA cluster queue
VA reads messages, removes from queue
VA messages decrypted with private key
VA communicates internally with cloud connector gateway (CCG) to complete work
Communication always initiated by VA as outbound traffic
VA deployed in the DMZ zone
CCG polls the VA / Cluster for work
. SailPoint supports the virtual appliance image by: (2)
Designing the VAs to continuously make outbound-only calls to the cloud environment to check for patches and updates.
Including built-in monitoring to alert us when the VA is down.
Designing the VAs to make outbound-only calls at midnight to the cloud environment to check for patches and updates.
Polling the VA continuously to alert us when the VA is down.
. Best practice for deploying & administering VA
Static IP address for simple network & monitoring
Allow inbound communication over SSH port 22
Allow unrestricted outbound traffic on ports 53 DNS, 123 NTP and 443 HTTPS
Configure VA to communicate with connected sources over transport layer security (TLS)
Key passphrases secured in password vault (recommend 1 key for all VA)
. Tenant can be deployed in SP regional zones for residency
CA central, US central, EU West, EU Central, AP Northeast, AP SouthEast
Asia Pacific, North America, South America, Europe, Central Europe & Africa
. SailPoint recommends the following best practices related to deploying virtual appliances:
Each VA cluster should be installed in close proximity to the connected source system for on-premise
Each VA cluster should be placed in the Availability Zone as close as possible to the target sources hosting the network gateways for your organization
Each VA cluster should be deployed in separate zones for availability
Each VA cluster should be installed on the same server hosting the on-premises systems
. SailPoint recommends the following best practices related to deploying virtual appliances:
Minimum Cluster Size - To ensure connectivity during updates, we recommend you deploy at least 2 VAs per cluster because the VAs take turns updating.
VA to Virtual Machine Ratio - To avoid a single point of failure in your environment, we recommend a 1:1 ratio of VA to VM.
Separate Sandbox and Production Clusters
New VAs must be created to switch from one deployment method to another, such as from standard deployment to secure tunnel deployment.
One cluster for sandbox and production clusters
VA cluster to Virtual Machine Ratio - To avoid a single point of failure in your environment, we recommend a 1:1 ratio of VA cluster to VM.
. The following lists URLs that must be accessible to the VA, regardless of the VA zone.
The primary AWS S3 URL (*.s3.amazonaws.com) as noted in Primary URLs.
The us-east-1 URL for each of these services, even if your region is located elsewhere.
The region-specific URL for each of these services if your tenant is in a region
The eu-central-1 URL for each of these services, even if your region is located elsewhere.
The primary AWS S3 URL (*.amazon.com) as noted in Primary URLs.
. LOCAL VIRTUAL APPLIANCE DEPLOYMENT STEPS in order
Download the virtual appliance zip file from https://sppcbu-va-images.s3.amazonaws.com/va-latest.zip
Unzip and copy to your virtualization platform
Start the virtual appliance image, log in (User Name: sailpoint, Password: S@ilp0int) and change the password. [Optional best practice] Set a static IP address and DNS settings
Create / maintain virtual appliance cluster and save
Create / maintain virtual appliances
From the New Virtual Appliance page in IdentityNow, under Download Configuration File, click Download. This copies the va-config-<va_id>.yaml file to your workstation.
Change the value of keyPassphrase from _ch@ngeMe_ to a unique value for your organization
Copy local .yaml file to the virtual appliance:
scp <download path>/va-config-<va_id>.yaml sailpoint@<ip_address>:/home/sailpoint/config.yaml, then test the connection
. Deployment type for local vSphere, what are the different steps?
Name of your virtual NIC card for your VA
Edit the static.network file
Disable the ESX DHCP bump service: sudo systemctl disable esx_dhcp_bump.service
Reboot the VA: sudo reboot
. Deployment type for Hyper-V, what are the different steps?
New Virtual Machine needs to be created
Disable the ESX DHCP bump service: sudo systemctl disable esx_dhcp_bump.service
Name of your virtual NIC card for your VA
. All Hyper-V images currently ship with the waagent Azure service enabled by default. Should this be left enabled?
This can cause DNS issues and irregular network routing on virtual appliances running on Hyper-V. To prevent these issues, you'll need to disable the waagent service.
This should be enabled so that DNS issues and irregular network routing on virtual appliances running on Hyper-V are prevented
. For VA deployment on cloud AWS, at what time in the selected time zone does the maintenance window take place?
12 a.m. to 4 a.m
7 a.m. to 11 a.m
12 p.m. to 4 p.m
7 p.m. to 11 p.m
. For VA deployment on cloud AWS, the first step is:
Visit Working with Support and open a support ticket requesting an Amazon Machine Image (AMI) ID to install a VA in AWS. You will need to provide your AWS account number and regions (Ex: 123456789).
SailPoint support will provide an AMI ID.
Download and extract sailpoint-va.vhd from the following .zip file: https://sppcbu-va-images.s3.amazonaws.com/va-azure-latest.zip
. What are the 3 VA configuration options
Standard
Proxy
Secure Tunnel
Virtual Machine
. For Standard VA configuration, which ports are required?
53 - DNS - Outbound
123 - NTP - Outbound
22 - SSH - Inbound
443 - HTTPS - Outbound
53 - DNS - Inbound
125 - NTP - Outbound
38 - SSH - Inbound
447 - HTTPS - Outbound
. For VA HTTP Proxy Configuration, deep packet inspection is supported
FALSE
True
. For VA Secure Tunnel Configuration, additional setup to gain connectivity is required
True
FALSE
. SailPoint reserves the IP range 172.16.0.0/22. If any sources reside in this range, implementing this solution will not allow those sources to properly route traffic.
True
FALSE
. For VA Secure Tunnel Configuration, following ports are required
53 - DNS - Outbound
443 - HTTPS - Outbound
123 - NTP - Outbound
22 - SSH - Inbound
. For VAs deployed locally, each cluster should be installed in close proximity to the source system it is connecting to
True
FALSE
. For VAs on AWS or Azure, each cluster should be placed in the Availability Zone as close as possible to the target sources to ensure reliable connections
FALSE
True
. VA Updates - SailPoint manages VA updates:
Whenever we make improvements to the VA image, we deploy them to the clusters, which then perform rolling updates and reboots on the related VA
At least two VAs per cluster ensures connectivity with your sources during these updates
Applying updates and rebooting one at a time, the VA cluster maintains full availability during the update process.
Register downtime for all updates to process and reboot
Whenever we make improvements to the VA image, we deploy them one by one to each VA
. Best practices for monitoring Your VA Infrastructure
SailPoint has monitoring built in to alert us if a VA goes down.
Notifications - You can configure IdentityNow to send you email when a VA goes down.
Admin Dashboard - Click the Clusters tile of the system components status panel.
Virtual Appliance Clusters page - Click Admin > Connections > Virtual Appliances to see the status of your VA clusters. Click on a cluster name and select Virtual Appliances to see the status of that cluster's VAs.
System connection, click the overview monitor to view the status
Virtual appliance clusters page, click the healthcheck report
. VA deployment options
All VA's running
Switch Clusters
Standby reactive deployment
VA's associated to multiple clusters
. Advantage of the all VA's running deployment
On DR event, no action needed
Full utilization of all VAs
VAs stay up-to-date
Outage Minimization
VAs don’t add latency
. Disadvantage of the Switch Clusters deployment
No utilization of DR VA Cluster.
IDN reconfiguration needed; re-entering of source passwords.
Not great for large amounts of sources.
Turnaround time can be greater depending on deployment of VA DR.
This depends on readiness.
. Disadvantage of the standby reactive deployment
Latency
Not great for large amounts of sources
Turnaround time can be greater depending on deployment of VA DR.
This depends on readiness.
. Advantage of the Switch Cluster deployment
DR VAs stay up-to-date.
VAs don’t add latency, as they aren’t processing anything until DR event.
On DR event, no action needed
. Why Not Deploy in the DMZ?
Security
Proximity
Connectivity
Performance
. Log File Locations
/home/sailpoint/log.
/home/sailpoint/log/ccg.log
/home/sailpoint/log/va_agent.log
. Contains details about the virtual appliance master service, which runs all other services.
/home/sailpoint/log/ccg.log
/home/sailpoint/log/fluent.log
/home/sailpoint/log/charon.log
/home/sailpoint/log/canal.log
/home/sailpoint/log/relay.log
. Match log to purpose
Contains all details involving a source connector (connection, aggregation, authentication, provisioning, etc.).
Contains details about the virtual appliance agent, which handles communication between the virtual appliance and IdentityNow.
Contains details about the logging aggregator services on the virtual appliance.
Contains details about the virtual appliance master service, which runs all other services.
Contains details about the Secure Tunnel service on the virtual appliance.
Contains details about the IdentityNow proxy relay for Password Interceptor.
. To enable debug logging in IdentityNow
Go to Admin > Connections > Virtual Appliance > va_cluster_name, and check Enable Debugging.
Go to Admin > Connections > Virtual Appliance > Check Enable Debugging.
. Non-TLS
typically on port 389
typically on port 636
. TLS
typically on port 389
typically on port 636
. How many VAs should you have in your tenant
Best practice > 2
Best practice > 3
. VA cluster is assigned to service 1 or more specific sources
TRUE
FALSE
. Can you get detailed logs of a VA for debugging
TRUE, when VA Cluster configured
TRUE, when set on the VA and not the cluster
FALSE
. Virtual appliance
Deep Packet Inspection & Third-party Monitoring not supported
DNS Servers are required and a VA must connect to your internal DNS servers
NTP Servers are required and the VAs must connect to a network time protocol (NTP) server
Deep Packet Inspection & Third-party Monitoring is required
DNS Servers are optional and a VA does not need to be connected to your internal DNS servers
NTP Servers are not required and the VAs do not need to connect to a network time protocol (NTP) server
. HTTP Proxy
all HTTP/HTTPS traffic (such as virtual appliance communication and updates) is routed through the proxy
Traffic for all sources connecting to internal endpoints is not routed through the proxy.
Traffic to external sources is routed through the proxy
Traffic to external sources can bypass the proxy
Traffic for all sources connecting to internal endpoints is routed through the proxy.
HTTP/HTTPS traffic (such as virtual appliance communication and updates) connects directly to the virtual cluster
. Where is the private key stored?
Each VA contains a 2048-bit RSA asymmetric private key (generated from the chosen key passphrase), which is used to decrypt credentials when talking to various sources
Each VA cluster contains the private key
. System notifications can be set to monitor the VA health (Admin > System Settings > System notifications)
VA checks happen every 15 minutes
VA checks happen every hour
VA checks happen at midnight and midday
. VA communication flow
VAs constantly poll the cluster queue for work via the VA cluster queue (IDN tenant)
Cluster queue is a holding area of messages waiting for a VA to grab
VA receives work, decrypts it with the local private key, connects to the cloud connector gateway (CCG) to execute the work
VA / CCG contains enterprise grade connectors
CCG flows results back to the SP task processing engine
. Benefits of deploying VAs in clusters
Redundancy
Load balancing
Security
Flexibility
. To manage fault tolerance on the virtual appliance
Configuring local VAs in the same cluster to run on different servers whenever possible
VAs in the same cluster running in AWS/Azure should be spread out across different Availability Zones.
VAs in the same cluster running in AWS/Azure should be spread out across different tenants
Configure local VAs in different clusters when possible
. The following table lists URLs that must be accessible to the VA, regardless of the VA zone.
*.flatcar-linux.net
*.flatcar-linux.org
*.identitynow.com
*.s3.<region_code>.amazonaws.com
*.s3.amazonaws.com
*.s3.us-east-1.amazonaws.com
*.sailpoint.com
874540850173.dkr.ecr.us-east-1.amazonaws.com
api.ecr.us-east-1.amazonaws.com
app.datadoghq.com
. Match the description to URL
*.flatcar-linux.net
*.flatcar-linux.org; *.flatcar-linux.net
*.identitynow.com
*.sailpoint.com; app.datadoghq.com
https://aws.amazon.com/s3/
*.s3.amazonaws.com
api.ecr.us-east-1.amazonaws.com; ecr.us-east-1.amazonaws.com; 874540850173.dkr.ecr.us-east-1.amazonaws.com
. Match AWS regions to the code for the tenant host
US East (N. Virginia)
US West (Oregon)
Asia Pacific (Sydney)
Asia Pacific (Tokyo)
Canada (Central)
Europe (Frankfurt)
Europe (London)
. SailPoint’s private container registry. Allows the VA to retrieve service updates. - Elastic Container Registry
api.ecr.us-east-1.amazonaws.com
ecr.us-east-1.amazonaws.com
874540850173.dkr.ecr.us-east-1.amazonaws.com
*.s3.amazonaws.com
*.flatcar-linux.org
app.datadoghq.com
. Of the region-specific URLs that must be accessible to the VA, for region us-east-1, which one is correct
*.s3.us-east-1.amazonaws.com
sqs.us-east-1.amazonaws.com
dynamodb.us-east-1.amazonaws.com
874540850173.dkr.ecr.us-east-1.amazonaws.com
firehose.us-east-1.amazonaws.com
app.datadoghq.com
api.ecr.us-east-1.amazonaws.com
us-east-1.app.datadoghq.com
. Match region-specific URL services to URL
S3
SQS
DynamoDB
Elastic Container Registry
Firehose*
. Virtual appliance deployment setup process in steps:
Download virtual appliance zip file
Unzip and copy to your virtualization platform
Start the virtual appliance image
Login – User Name: sailpoint Password: S@ilp0int & Change the password
Optional – Set a static IP address and DNS settings
Download va-config-246-699.yaml
Set the value of keyPassphrase (default _ch@ngeMe_ ) in va-config-246-699.yaml to match the organisation passphrase
Copy settings to ~/config.yaml on the virtual appliance:
scp <download path>/va-config-246-699.yaml sailpoint@<ip_address>:/home/sailpoint/config.yaml, then test the connection by clicking Test Appliance
. Set a static IP address and DNS settings process
First you must find the name of your virtual NIC card for your VA
From the list of virtual NICs displayed, find the 2nd one (2: ens160)
Next create the static.network file:
Enter NICName and network details such as DNS
Disable the ESX DHCP bump service
Reboot the VA: sudo reboot
. Virtual appliance setup commands match
Create the file static.network command
list of virtual NICs displayed
Reboot the VA
Disable the ESX DHCP bump service
. New Virtual Appliance page in IdentityNow, under Download Configuration File
Do not leave this page until the download and configuration process is complete and you have clicked Test Appliance.
Each .yaml file is unique and cannot be reused by other virtual appliances.
Copying this file to your workstation might result in a file with a .txt extension. If this occurs, you must rename the file with only a .yaml extension and then copy it into the VA. Otherwise the VA will not work correctly.
. VA local deployment types
vSphere
Hyper-V
AWS Cloud
Azure Cloud
. VA cloud deployment types
vSphere
Hyper-V
AWS Cloud
Azure Cloud
. In Hyper-V deployment type setup, which of the following steps is unique?
New Virtual Machine needs to be created
All Hyper-V images currently ship with the waagent Azure service enabled by default. This must be disabled.
Disable the ESX DHCP bump service
Set Static IP for your VA must be defined
. Disable the waagent service by running the following commands
sudo systemctl status waagent
sudo systemctl stop waagent
sudo systemctl disable waagent
sudo reboot
. VA Deployment type AWS
Visit Working with Support and open a support ticket requesting an Amazon Machine Image (AMI) ID to install a VA in AWS. You will need to provide your AWS account number and regions
SailPoint support will provide an AMI ID
Select Launch on the instance, select an instance size of m4.large or above, and click Configure Instance Details
Review & launch
Select an existing key pair or create a new key pair dialog box, select the option appropriate to your company policy
Launch instance
Log in with the default password S@ilp0int and change it immediately
. VA Deployment type Azure Cloud
Download and extract sailpoint-va.vhd from the following .zip file: https://sppcbu-va-images.s3.amazonaws.com/va-azure-latest.zip
Log in to your Azure command line tool
Upload sailpoint-va.vhd to an Azure storage container with the following command
Create a managed disk from the blob
Create the VM from the managed disk
To test the VM, SSH in using the default username/password of sailpoint/S@ilp0int
Change the default password S@ilp0int immediately
Add the VA in IdentityNow UI in an existing VA cluster or create a new cluster
. Virtual appliance network configuration types
Standard - Uses the standard traffic generated by the VA.
HTTP Proxy - Routes all HTTP/HTTPS traffic through a proxy.
Secure Tunnel - Strictly limits the outbound connections generated by the VA.
. In standard VA network configuration, which IP range is reserved?
10.255.255.241/28
172.16.0.0/22 IP
. In HTTP Proxy Configuration VA network configuration, which IP range is reserved?
10.255.255.241/28
172.16.0.0/22 IP
. In Secure Tunnel VA network configuration, which IP range is reserved?
10.255.255.241/28
172.16.0.0/22 IP
. In HTTP Proxy configuration, which step is required?
Edit the proxy.yaml file and add the http / https proxy line, e.g. https_proxy: http://<proxyserver>:<port>/
Disable the ESX DHCP bump service
Set Static IP for your VA must be defined
. The Secure Tunnel VA network configuration includes the following:
Allows customers to limit the various outbound connections generated by the virtual appliance
Allows customers unrestricted outbound connections generated by the virtual appliance
All HTTP/HTTPS traffic (VA communication, updates, internal or external) is routed through the secure tunnel
VA must be able to make a secure handshake connection to IdentityNow over port 80
VA must be able to make a secure handshake connection to IdentityNow over port 443
. In Secure Tunnel VA network configuration, the following additional steps are performed
Install the SSL keys you need to communicate with the tunnel server.
Download the key appropriate for your location:
Copy the SSL package to your VA filesystem
From the New Virtual Appliance page in IdentityNow, under Download Configuration File, click Download. This copies the va-config-<va_id>.yaml file to your workstation
Open va-config-<va_id>.yaml and change the keyPassphrase from _ch@ngeMe_ to a unique value for your organization
Add the following line to the bottom of the file: tunnelTraffic: true
Copy local .yaml file to the virtual appliance
Test the virtual appliance connection
Verify connectivity on all sources connected to the virtual appliances
. To enable debugging in IdentityNow
go to Admin > Connections > Virtual Appliance > va_cluster_name, and check Enable Debugging
go to Virtual Appliance and enable debugging on VA
Logs are recorded for 24 hours
Logs are recorded until the debugging is disabled
. Use journalctl to view the following log files on the VA:
TRUE
FALSE
. Match the logs to purpose
/home/sailpoint/log/ccg.log
/home/sailpoint/log/va_agent.log
/home/sailpoint/log/fluent.log
/home/sailpoint/log/charon.log
/home/sailpoint/log/canal.log
/home/sailpoint/log/relay.log
. Match the service to purpose
Cloud Connector Gateway (ccg)
Secure Tunnel (canal)
PWI Proxy (relay)
VA Agent (va_agent)
Charon (charon)
Toolbox (toolbox)
Fluent (fluent/va)
. Service control commands
systemctl start service_name
systemctl stop service_name
systemctl restart service_name
systemctl status service_name
systemctl issue service_name
systemctl create service_name
. Reading service logs
Check current service log:
Tail service log:
Get boot events:
. Most logs will be under
/home/sailpoint/log
/home/sailpoint/audit
/home/sailpoint/files
. clearing ccg logs before you enable debug and reproduce an issue
sudo truncate -s 0 /home/sailpoint/log/ccg.log
In log directory sudo truncate -s 0 ccg.log
sudo clear -s 0 /home/sailpoint/log/ccg.log
In log directory sudo clear -s 0 ccg.log
sudo delete -s 0 /home/sailpoint/log/ccg.log
In log directory sudo delete -s 0 ccg.log
. Which VA deployment option has one cluster and both the VAs from the primary and DR data centers
All VA's running
Switch Clusters
Standby reactive deployment
. Which VA deployment option has two clusters, one for primary and another for DR VA data centers. The sources for the DR VA's need to be reassociated when required.
All VA's running
Switch Clusters
Standby reactive deployment
. Which VA deployment option has one cluster, VA's of the primary datacenter are running while the DR VA's are not deployed.
All VA's running
Standby reactive deployment
Switch Clusters
. Commands Systemd (systemctl) Locations Match
systemctl status <service name>
sudo systemctl enable <service name>
sudo systemctl disable <service name>
sudo systemctl start|stop|restart <service name>
sudo systemctl daemon-reload
systemctl show <service name>
. Commands Docker Match
sudo docker images
sudo docker ps -a
sudo docker tag <existing tag|id> <new tag>
sudo docker start|stop <name>
sudo docker rm <name>
sudo docker rmi <tag>
. Commands DNS Match
more /etc/resolv.conf
dig +trace <network resource>
. Commands Match
sudo timedatectl
sudoedit /etc/systemd/timesyncd.conf
netstat -rn
sudo -l
Check open port on remote host
(/usr/bin/ldapsearch)
. ldapsearch run on the VA can be a good utility to test the following outside IDN
If the bind account/password are correct
If LDAP is actively servicing requests
If the hostname and port in source config are correct
Test that TLS is working correctly
See the actual data that is being pulled directly from the LDAP source (user attributes, group membership, service account privileges)
. SailPoint Support can assist with SailPoint-created software components
VA network configurations
Static networks
Connector logging
VA client updates
Image import into supported cloud platforms (AWS and Azure)
Network and platform environment configuration in supported cloud platforms (AWS and Azure)
VM deployment and configuration
Deep packet inspection
Image import into unsupported cloud platforms
Network and platform environment configuration in unsupported cloud platforms
. SailPoint Support cannot assist with SailPoint-created software components
VA network configurations
Static networks
Connector logging
VA client updates
Image import into supported cloud platforms (AWS and Azure)
Network and platform environment configuration in supported cloud platforms (AWS and Azure)
VM deployment and configuration
Deep packet inspection
Image import into unsupported cloud platforms
Network and platform environment configuration in unsupported cloud platforms
. You can view the status of an individual VA in the following ways:
click Test Appliance on the New Virtual Appliance page
On the Virtual Appliance Clusters page, click <cluster name> > Virtual Appliances to see the status of each VA in the cluster
. Virtual Appliances list displays the following information for each VA
Configured CCG Version
Actual CCG Version
. Commands match
grep -a "Networking check" log/charon.log | tail -1
sudo systemctl disable esx_dhcp_bump
nc (Netcat)
curl -i (URL)
sudo reboot
ifconfig -a
cat /etc/systemd/network/static.network
ping
netstat -rn
. Monitoring Your VA Infrastructure
SailPoint has monitoring built in to alert us if a VA goes down.
Notifications - You can configure IdentityNow to send you email when a VA goes down.
Admin Dashboard - Click the Clusters tile of the system components status panel.
Virtual Appliance Clusters page - Click Admin > Connections > Virtual Appliances to see the status of your VA clusters. Click on a cluster
Check the widget page for virtual appliance status
Health report provides status of VA and clusters