If you want to use a proxy connection, you have three choices:
- You can set up an HTTP proxy standalone. In this case, the HTTP proxy creates the connections both for fetching configurations and for the main data flow.
If you use only an HTTP proxy, open port 5044 for outbound HTTP connections so that the Cloud Connector can successfully connect to the CMC. For example, for the Squid proxy, one way to satisfy this requirement is to add port 5044 as a safe port and then allow CONNECT access to only safe ports:
acl SAFE_CONNECT_ports port 5044
http_access deny CONNECT !SAFE_CONNECT_ports
- You can set up a SOCKS5 proxy and an HTTP proxy. In this case, the HTTP proxy creates the connections that fetch configurations and the SOCKS proxy creates the connections for the main data flow.
- You can set up a SOCKS5 proxy standalone. In this case, the Cloud Connector fetches configurations directly (no proxy), but the main data flow goes through the SOCKS5 proxy.
To view the IP addresses and ports that allow traffic through your firewall, click Settings > Cloud Connector.
Configure the SOCKS5 proxy without authentication. An HTTP proxy supports the Basic, Digest, Kerberos, LDAP, and No Authentication types.
If the HTTP proxy uses authentication, specify the authentication type by using the --auth option of the chsvc command. Setting the authentication type is optional; if the --auth option is not specified, the type defaults to basic. The --auth syntax is as follows.
--auth ldap | digest-md5 | kerberos | basic
You run proxy commands on the HMC.
To add a proxy connection, complete the following steps:
- Run the following command:
chsvc -s cloudconn -o start -k <key> --socks/http username:password@hostname[:port]
Note: You can add a SOCKS5 proxy, an HTTP proxy, both, or neither. If the user name string starts with a colon (:) and you do not specify a password, you are prompted for the password. The port number is not required, but is recommended. The host name can also be a valid IP address.
If you stop the Secure Cloud Connector by using the command
chsvc -s cloudconn -o stop
the proxies are cleared. You must reuse the same startup command if you want to use proxies the next time you start the Secure Cloud Connector. If the Secure Cloud Connector was already started without a proxy configuration, it must be stopped by using the
chsvc -o stop
option, and then restarted with a proxy configuration. You can run the chsvc command remotely by using ssh, or locally in a terminal window.
- To view your proxy setup, run the following command:
lssvc -s cloudconn
The password is displayed in an encrypted format.
- To test the firewall configuration from the HMC, enter the following command:
ssh -vvv -p <port> <IP or FQDN>
If the output of this command displays a "connection established" message, the specified address and port are reachable. The successful command might also generate spurious error messages, which you can ignore.
LDAP configuration
LDAP configuration requires that you have a proxy server with LDAP authentication.
- To test if the proxy server is correctly configured, run the following command from the HMC or from any other system that is correctly configured for LDAP:
curl -v -x "<ldapUsername>:<password>@<proxyserver.domain.com>:3128" https://trial-powercloud.mybluemix.net/api/verifyApiKey
The output should contain "200 Connection established" without any errors.
- Start the Cloud Connector with LDAP authentication. Use the --http option to provide the LDAP user name and password with the portal key. Consider the following example. Note that the portal key has been truncated for readability.
chsvc -s cloudconn -o start -k RUtPN2t5YW4wWU0xZDFQS2xOY2RYOUdoSEVWYVlEalVlb2s4ZnY3dVlhTWpTZFNiS0VZd0hfNHVW --http ldapUsername:password@proxyserver.domain.com --auth ldap
- Verify that the Cloud Connector successfully connected to the portal:
lssvc -s cloudconn
The output from this command should be similar to the following for the HTTP proxy:
state=active,socks_proxy=,http_proxy=ldapUsername:*******@proxyserver.domain.com
Kerberos configuration
You must satisfy the following requirements when using Kerberos authentication:
- Configuring the Kerberos Key Distribution Center (KDC) server with the HMC is required if the HTTP proxy uses Kerberos authentication.
- You must specify the realm and the principal if multiple KDC servers are configured on the HMC and the HTTP proxy does not use the default KDC server. Consider the following example. Note that the portal key has been truncated for readability.
chsvc -s cloudconn -o start -k RUtPN2t5YW4wWU0xZDFQS2xOY2RYOUdoSEVWYVlEalVlb2s4ZnY3dVlhTWpTZFNiS0VZd0hfNHVW --http principal@EXAMPLE.REALM.COM:password@proxyserver.domain.com --auth kerberos
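The proxy fields of the lssvc -s cloudconn output are easy to misread by eye, so the following added example (not part of this documentation or of the HMC tooling) parses that key=value line, including the Kerberos principal@REALM user form from the command above, and reports the checks the LDAP and Kerberos steps call for: state active, password masked, port present, expected proxy host. The sample lines, and the assumption that a two-proxy or stopped setup prints the same layout, are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample output in the `lssvc -s cloudconn` key=value layout shown on this page;
# the two-proxy and stopped lines are assumed to follow the same layout.
SAMPLE_HTTP_ONLY = "state=active,socks_proxy=,http_proxy=ldapUsername:*******@proxyserver.domain.com"
SAMPLE_BOTH = ("state=active,socks_proxy=user:*******@socks.example.com:1080,"
               "http_proxy=principal@EXAMPLE.REALM.COM:*******@proxy.example.com:3128")
SAMPLE_STOPPED = "state=inactive,socks_proxy=,http_proxy="

@dataclass
class ProxyEntry:
    user: Optional[str]    # may itself contain '@' (Kerberos principal@REALM form)
    secret: Optional[str]  # should appear masked as '*******' in lssvc output
    host: str
    port: Optional[int]    # None when the optional port was omitted

def parse_proxy(value: str) -> Optional[ProxyEntry]:
    """Parse 'user:secret@host[:port]'; splitting on the LAST '@' keeps principal@REALM intact."""
    if not value:
        return None
    creds, sep, hostport = value.rpartition("@")
    user = secret = None
    if sep:
        user, _, secret = creds.partition(":")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError(f"proxy field has no host: {value!r}")
    return ProxyEntry(user, secret, host, int(port) if port else None)

def parse_lssvc(output: str) -> dict:
    fields = dict(item.partition("=")[::2] for item in output.strip().split(","))
    return {"state": fields.get("state", ""),
            "socks": parse_proxy(fields.get("socks_proxy", "")),
            "http": parse_proxy(fields.get("http_proxy", ""))}

def audit(output: str, expected_http_host: Optional[str] = None) -> List[str]:
    """Checks worth making after 'chsvc -s cloudconn -o start ...' has run."""
    r = parse_lssvc(output)
    findings = []
    if r["state"] != "active":
        findings.append(f"state is {r['state']!r}, expected 'active'")
    for name in ("socks", "http"):
        if (p := r[name]) is None:
            continue
        if p.secret and set(p.secret) != {"*"}:
            findings.append(f"{name}_proxy password is not masked in lssvc output")
        if p.port is None:
            findings.append(f"{name}_proxy has no explicit port (recommended)")
    if expected_http_host and (r["http"] is None or r["http"].host != expected_http_host):
        findings.append(f"http_proxy host is not {expected_http_host!r}")
    return findings
```

Feed it the real lssvc line after starting the connector; an empty findings list means the proxy setup matches what the chsvc command was meant to configure.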