High Availability Conductor Installation

This process assumes you have already created a bootable device using a USB. Instructions for downloading and creating a bootable device are available in Downloading an SSR ISO and Creating a Bootable USB.

The steps in this section describe the interactive conductor installation from the package-based ISO. The section Initialize the Conductor describes using the Initializer to configure the system as a Conductor after installing from the Interactive ISO.

note

The Conductor installation must be completed before installing a Session Smart Router or routers using the ISO. The same ISO is used for both installations.

To install a router after installing and configuring the Conductor, use the SSR Installation. The Router Installation Using OTP procedure can be used for whitebox and air-gap, conductor-managed network installations.

Prerequisites

  • Ensure that the platform you are installing on meets the SSR hardware requirements.
  • Verify that the boot priority of the USB drive is properly listed in the system BIOS.
  • Local console connectivity to the device/VM.

Conductor Conversion

An SSR device (SSR1xx or SSR1xxx) shipped with SSR 5.4.x Routing software may be reinitialized as a conductor for use in an existing network. The conductor can be used with or without Cloud Telemetry for devices running software versions 5.5 or greater.

To convert an SSR device to a conductor, follow the Conductor Installation procedure. The NMTUI and Initialization process will configure your device properly for managing routers.

Choose the Installation Type

note

Conductor installations are not supported by the OTP Install process. Please use the Interactive Install on either the VGA or the Serial console.

After imaging the ISO onto removable media, insert it into the target device and power it on.

Upon boot, the following screen is displayed. The default selection is booting to the serial console (115200 baud). You must manually choose the installation process suited for your environment.

To install using the Interactive Installation, use the arrow keys to select either Install 128T Routing Software Serial Console or Install 128T Routing Software VGA Console. As noted earlier, this guide describes the installation process using the Interactive Installation, specifically using the VGA console.

VGA Boot with Interactive Install

note

Because not all hardware has video support, booting to the serial console 115200 baud is the default, and is automatically selected after 30 seconds. When using the serial console, the terminal size is 80x25 - anything smaller may result in abnormal navigation behavior.

Selecting the wrong type of console (Serial or VGA) may result in garbled characters being displayed. If allowed to continue it will result in an incorrect installation. If the wrong console is selected, reboot the target system and select the correct line for the target hardware.

Install via Serial Console

Use this option when running on hardware with no video chipset. It uses /dev/ttyS0 115200 baud as the serial console for interacting with the installer.

Serial Install Selection

For serial console issues please refer to Serial Console Troubleshooting.

Install via VGA Console

Use this option when running on hardware that has onboard graphics chipsets. This installs SSR software using the GUI installer.

The procedure that follows here is the Interactive Install on the VGA Console.

Conductor Installation

After the Linux installation completes, the SSR software installation begins. Note that this may take several minutes to complete (approximately 20 minutes). After the installation has completed, the following screen is displayed:

Installation Complete

Select <Yes> to shut down the system. Remove the bootable media, then power the system up to complete the installation process.

Initial Boot and NMTUI

When the system boots from the Install 128T Routing Software... Interactive Installation work flow, the system asks whether to configure initial Linux Networking before the SSR Initializer is started.

128T NetManager TUI Start

Selecting Yes launches the NMTUI application to perform an initial network interface setup.

128T NetManager TUI Option

Configure the Network Interface

Configure the IP address that will be used to manage the network routers.

  1. Select the device ethernet interface that corresponds to the management port for your Conductor and select <Edit>.
Configure the Ethernet port
  2. In the Edit Connection screen, configure the following:
  • The IP address for the port
  • The Gateway IP address
  • DNS server addresses
Edit Connection
  3. Scroll to the bottom of the screen and select Automatically Connect and Available to All Users, then select OK.
Edit Connection
  4. From the NMTUI screen, select Set system hostname, and <OK>.
Select Hostname
  5. Enter the hostname and select <OK>. Note that the hostname will be used as the Asset ID.
Add Hostname
  6. From the NMTUI screen, select Activate a connection, and <OK>.

  7. Select the port, and <Activate>.

Activate port

When the port has been activated, an asterisk will appear next to the port name.

Ethernet (enp2s0f0)
* enp2s0f0
  8. Select <Back> and then <Quit> NMTUI.

The Initializer process starts automatically.

Initialize the Conductor Node

The SSR Initializer tunes your operating system, prepares the platform to run the SSR software, and creates the bootstrapping files necessary to load the software. The Initializer is launched on first boot.

There are three different types of conductor installations;

Install the First Conductor HA Node

Use the following diagram as a reference during the HA installation.

SSR1300 HA Config

  1. On the SSR Initializer wizard screen, use the space bar to select the Conductor role for the SSR node, and press the Enter key to select OK.

SSR Role

  2. When asked What kind of Router/Conductor node is this?, select 1st HA Node:

Identify the Node

  • 1st HA Node: This conductor is the first node of a high availability pair. You will be prompted to provide the local IP address for this node. The 2nd HA node will contact this node at the address provided to synchronize state. Note: The 1st Node IP address must be reachable by the 2nd HA Node.

  • 2nd HA Node: This conductor is the second node of a high availability pair, where the first node has been initialized. You will be prompted to provide the 1st Node IP address for this 2nd node that will be used to synchronize state. Note: The 2nd Node IP address must be reachable by the 1st HA Node.

  3. The following steps configure a high availability conductor node.

a. Enter the IP address of the local HA sync interface.

High Availability IP Address

b. Enter the following system properties on the Node Info screen:

Node Information

  • Node Name: The name of the system within your SSR Router or Conductor, for example, conductor. By default this field uses the Linux system's hostname.
note

Both routers and conductors can consist of one node (for standalone systems) or two nodes (for highly available systems).

  • Conductor Name: The name of the Conductor system as a whole. When referring to a running SSR software instance, it is identifiable by the full name; e.g., conductor-node1.conductor. The full system name is reflected in the PCLI prompt.
  4. On the Password Setup screen, create a password for the SSR Admin user. The administrator password must be at least 8 characters long, contain at least 1 uppercase letter, at least 1 lowercase letter, at least 1 number, cannot contain the username in any form, and cannot repeat characters more than 3 times. This operation is only performed on the standalone or first node in the HA peer, and the password must be entered twice.
note

Resetting a password requires entering the old password. If a password is lost or forgotten and the account is inaccessible, the account cannot be recovered. Please keep password records accessible and secure.

Password Setup

  5. Press the Enter key to select OK. The Initializer performs a hardware compatibility check. The compatibility check may fail due to warnings or failure notices, which are displayed in the output script. If no failures are present, you can choose to continue with the installation even if multiple warnings exist. For information on why a specific test may have failed or generated a warning, contact Juniper Technical Support.

  6. When prompted, select <Yes> to start the conductor.

Initializer Complete

note

If installing the SSR software for the first time, a system reboot is required.

Verify the Installation

After installing the SSR Software it is important to verify that the installation was completed successfully.

To Verify the SSR Installation:

After starting the Conductor, the login screen appears.

  1. Log in using the admin credentials.
test-conductor login: admin
Password:

Conductor Admin Login

  2. Enter the Linux shell:

a. Type exit to exit the PCLI.

b. Type shell and press Enter to enter the Linux shell.

  3. Log into the command window as root.
  4. Execute the command: sudo systemctl status 128T

Linux Shell

  5. When the service is listed as Active, log into the system using the system default password. By logging into the system, you have verified the installation.

Configure the Token

Once the system has been set up for the first time, the next step is to provision credentials for SSR software access on the conductor. Provisioning the software credentials on the conductor propagates those settings down to all of the managed routers.

Use the PCLI command set software access-token. For information on this command, see set software access-token.

From the root user in the workflow above, run the pcli command to access the PCLI and configure the token.

[root@test-conductor ~]# pcli
Starting the PCLI...
root@node1.test-conductor# set software access-token <username> <password>
Saving...
Waiting for process to complete
...(messages removed for brevity)...
Making the DNF cache
No further operation requested. Exiting
Installer complete
Successfully saved credentials.
root@node1.test-conductor#

Add the Conductor to the Authority

Take this opportunity to log into the Conductor GUI to complete the following operations. This will provide validation that the installation was successful, and familiarize you with GUI operations.

Connecting the Conductor to the Network

To make sure the conductor is on a network and accessible via GUI, the IP address on the interface must be in the same subnet as the VLAN on the switch port. Use https://<interface IP address> for GUI login.

  1. Select the Conductor from the Authority menu on the left side of the GUI.

Configuration menu

  2. Select the Configure icon.

Conductor Configuration Icon

  3. Select the node for the conductor - in this example it is node1.

Conductor Node

  4. Under Associated Asset ID select the hostname for the conductor.

Asset ID

  5. Validate and Commit the changes to the configuration.

Set the Authority Name

The authority represents the complete set of all SSRs managed under a single organizational entity.

  1. Return to the Authority level.
  2. Select the Authority Settings.

Authority Settings

  3. Under Basic Information, enter the new Authority name. For example, a good name for the Authority would be the name of the business, e.g., Acme Corp.

Basic Information

Set the Conductor IP Address for each Node

  1. Under Conductor Addresses, select ADD.
  2. In the New Conductor Address window, enter the conductor public IP address.

Conductor Address

  3. Click Validate and Commit. Warnings will appear, advising you of the change.

The steps during initialization set up the management IP. The conductor IP address is the public IP address to which the managed routers connect. It is not necessary to manually associate this IP address with a network interface; the interactions between the SSR software and Linux will identify and assign the IP address to the network interface.

Install the Second Conductor HA Node

For the second node for Conductor HA, install the system using the same process beginning with Installing the ISO and ending at Initialize SSR step 2. From step 2, perform the following:

  1. When prompted for What kind of Conductor node is this?, select the 2nd HA Node.

2nd HA Node Setup

  2. Enter the HA Address and Peer HA Address for the second node. The HA Address is the local 2nd HA Node IP address, and the Peer HA Address is the 1st HA Node IP address.

2nd HA Peer IP

  3. Enter the HA Peer Credentials. This is a one-time operation for the initialization of the second HA Node with the first HA Peer. The t128 user is a good choice for this operation, using the default username and password. Be sure to change this password after the installation of the second HA node.
note

This operation has no impact on future changes to users and passwords. Once HA is established between conductor nodes, security keys are exchanged for secure communication.

HA Peer Credentials

  4. Press the Enter key to select OK. The Initializer performs a hardware compatibility check. The compatibility check may fail due to warnings or failure notices, which are displayed in the output script. If no failures are present, you can choose to continue with the installation even if multiple warnings exist. For information about why a specific test may have failed or generated a warning, contact Juniper Technical Support.

  5. After the initialization process completes the setup, the following screen displays. Use the Enter key to select Got it!

Peer Restart

  6. When prompted, select <Yes> to start the conductor.

Initializer Complete

Verify the Installation

After installing the SSR Software it is important to verify that the installation was completed successfully.

To Verify the SSR Installation:

After starting the Conductor, the login screen appears.

  1. Log in using the admin credentials.
test-conductor login: admin
Password:

Conductor Admin Login

  2. Enter the Linux shell:

a. Type exit to exit the PCLI.

b. Type shell and press Enter to enter the Linux shell.

  3. Log into the command window as root.
  4. Execute the command: sudo systemctl status 128T

Linux Shell

  5. When the service is listed as Active, log into the system using the system default password. By logging into the system, you have verified the installation.

Change the Default Passwords

The following user accounts and passwords are created during the ISO installation process:

Username    Password
root        128tRoutes
t128        128tRoutes

It is strongly recommended that you change these passwords immediately. Use the passwd command from the UNIX window.

[t128@test-conductor ~]$ passwd
Changing password for user t128
Changing password for t128
(current)UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[t128@test-conductor ~]$ su -
Password:
[root@test-conductor ~]# passwd
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@test-conductor ~]#

Configure the Token

Once the system has been set up for the first time, the next step is to provision credentials for SSR software access on the conductor. Provisioning the software credentials on the conductor propagates those settings down to all of the managed routers.

Use the PCLI command set software access-token. For information on this command, see set software access-token.

From the root user in the workflow above, run the pcli command to access the PCLI and configure the token.

[root@test-conductor ~]# pcli
Starting the PCLI...
root@node1.test-conductor# set software access-token <username> <password>
Saving...
Waiting for process to complete
...(messages removed for brevity)...
Making the DNF cache
No further operation requested. Exiting
Installer complete
Successfully saved credentials.
root@node1.test-conductor#

Add the Conductor to the Authority

Take this opportunity to log into the Conductor GUI to complete the following operations. This will provide validation that the installation was successful, and familiarize you with GUI operations.

Connecting the Conductor to the Network

To make sure the conductor is on a network and accessible via GUI, the IP address on the interface must be in the same subnet as the VLAN on the switch port. Use https://<interface IP address> for GUI login.

  1. Select the Conductor from the Authority menu on the left side of the GUI.

Configuration menu

  2. Select the Configure icon.

Conductor Configuration Icon

  3. Select the node for the conductor - in this example it is node1.

Conductor Node

  4. Under Associated Asset ID select the hostname for the conductor.

Asset ID

  5. Validate and Commit the changes to the configuration.

Set the Conductor IP Address for each Node

  1. Under Conductor Addresses, select ADD.
  2. In the New Conductor Address window, enter the conductor public IP address.

Conductor Address

  3. Click Validate and Commit. Warnings will appear, advising you of the change.

The steps during initialization set up the management IP. The conductor IP address is the public IP address to which the managed routers connect. It is not necessary to manually associate this IP address with a network interface; the interactions between the SSR software and Linux will identify and assign the IP address to the network interface.

Next Steps - Router Configuration

Congratulations, you have successfully installed and configured a conductor! The next step is to optimize the router onboarding process. Creating router configurations on the conductor allows individual routers to download the necessary configuration to get up and running smoothly.

A sample branch router configuration is available as a template on the conductor. This is a great place to start the configuration process. Additionally, you can create configuration templates that allow administrators to automate the configuration of top level resources. For more information, see Configuration Templates.

FIPS Enforcement Mode

FIPS Enforcement is available for version 6.0 and later. FIPS mode can be enabled manually during the installation. In cases where the flag was not or cannot be set during installation, a FIPS RPM is available for download from the SSR repos, and can be installed.

important

If you require strict FIPS compliance, the fips=1 kernel option must be added to the kernel command line during system installation to ensure that key generation is done with FIPS approved algorithms and continuous monitoring tests in place.

If FIPS enablement is done retrospectively via RPM installation, the already created accounts could be using non-FIPS compliant ciphers.

Use the following procedure to enable FIPS enforcement.

  1. Use up/down keys to highlight the desired install mode.

Bios Install

  2. Press TAB to edit the configuration.

  3. Add fips=1 to the end of the vmlinuz parameters.

FIPS Parameter

  4. Press Enter to start the install.
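
A post-install check for the FIPS procedure above, as an added example that is not part of the original page or Juniper's tooling: it compares the fips= parameter on the running kernel's command line with the kernel's own FIPS flag. The function names are hypothetical; /proc/cmdline and /proc/sys/crypto/fips_enabled are the standard Linux locations for these two values.

```shell
#!/bin/sh
# Added example (not Juniper tooling): report whether FIPS mode is active.
# Function names are hypothetical. The logic takes strings so it can be
# checked offline against constructed kernel command lines.

# cmdline_fips CMDLINE -> value of the last fips= token, or "unset".
# The body runs in a subshell so "set -f" and variables do not leak.
cmdline_fips() (
    set -f                      # no glob expansion while word-splitting
    value=unset
    for token in $1; do
        case "$token" in
            fips=*) value=${token#fips=} ;;   # whole-token match: "nofips=1" is ignored
        esac
    done
    printf '%s\n' "$value"
)

# fips_state CMDLINE FIPS_ENABLED -> enforced | not-enabled | inconsistent
fips_state() {
    param=$(cmdline_fips "$1")
    if [ "$param" = 1 ] && [ "$2" = 1 ]; then
        echo enforced           # fips=1 was passed and the kernel reports FIPS mode
    elif [ "$param" != 1 ] && [ "$2" != 1 ]; then
        echo not-enabled        # neither source shows FIPS mode
    else
        echo inconsistent       # the two sources disagree; investigate before relying on it
    fi
}

# check_node: evaluate the system this script runs on.
check_node() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    kernel=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
    fips_state "$cmdline" "$kernel"
}

check_node
```

A result of enforced describes only the current kernel state; it does not show whether accounts and keys were created before FIPS mode was enabled.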