
    Getting Started with Hybrid Cloud

    This document gives customers getting started with Hybrid Cloud a high-level overview of the process to follow, and guidance for configuring your ALMS account and AirLink routers.

    Hybrid Cloud is a feature that must be enabled at the account level and can only be used with AirLink OS devices running AirLink OS 5.0 or later. The following steps will guide you in setting up Hybrid Cloud for your organization.

    Summary of steps

    1. Purchase Licenses for Hybrid Cloud for all Routers in Your Account
    2. Create a New ALMS Account
    3. Ensure all AirLink routers are Running AirLink OS 5.0 or Later
    4. Determine Authorizer User(s) for your Account
    5. Obtain Root Certificate (for routers) and User Certificates (for Authorizers) from your Certificate Authority
    6. Decide on your approach for Root Certificate Installation on Routers and Activation of Hybrid Cloud Features on the Router
    7. Purchase Supported SmartCards (YubiKey)
    8. Install YubiKey Manager and Fortify on Authorizer’s Computer
    9. Configure YubiKey to Install User Certificate via YubiKey Manager
    10. Contact Semtech Customer Support to enable Hybrid Cloud
    11. If Enabling Root Certificate Distribution from ALMS, provide the Root Certificate to Semtech Customer Support
    12. Create an Authorizer Profile in ALMS and Assign to Authorizer Users
    13. Register routers in your ALMS Account

    Please review the following sections for more details on each step of the process.


    1. Purchasing Licenses

    Hybrid Cloud is a value-added feature that is licensed as an add-on to AirLink Complete and/or AirLink Premium. It is not available as an add-on to AirLink Basic. All devices in your account must be on an active AirLink Complete or AirLink Premium subscription before the Hybrid Cloud add-on can be purchased, and on renewal the add-on is required for every device in the account.

    ALEOS devices are not supported on Hybrid Cloud-enabled accounts at this time. We expect to add support for ALEOS routers with a reduced feature set in a future release.

    IMPORTANT: Hybrid Cloud is recommended for new accounts with routers running AirLink OS only. If you have a combination of AirLink OS and ALEOS routers in a Hybrid Cloud-enabled account, you will not be able to send operations to ALEOS routers using ALMS.

    2. Creating a New ALMS Account

    It is recommended that you start with a new ALMS account when using Hybrid Cloud. As the feature is enabled account-wide, it requires the devices in the account to be in a specific state prior to communicating with ALMS. This is easier with a new account. Semtech Customer Support can assist with transferring devices from an older account to your new Hybrid Cloud account. Just make sure that they are running AirLink OS 5.0 or later.

    Enabling Hybrid Cloud on an Existing Account

    Using an existing ALMS account is not recommended, but if you must, Semtech can support you with the migration. We suggest the following steps; some of them are described in more detail further below.

    1. Upgrade the firmware of the AirLink OS devices in the company to AirLink OS 5.0 or later. Older versions of firmware are not supported.
    2. Manually load the Hybrid Cloud Root Certificate to the devices.
    3. Enable the Hybrid Cloud feature in AirLink OS on the devices. This can be done locally on the device using the AirLink OS UI or remotely using “Configuration” or “Apply Template” operation in ALMS.

      Important: after this step, these AirLink OS devices will no longer accept any change from ALMS that has not been signed by an Authorizer in ALMS.

    4. Contact Semtech Customer Support to enable “Hybrid Cloud” feature on the company.

      Important: after this step, operations that attempt to change ALEOS devices will no longer work.

      Note: Disabling Hybrid Cloud is also a complex process. If you determine that you no longer wish to use Hybrid Cloud, please contact Semtech Customer Support to assist you with this process.

    3. Ensuring Routers are Running AirLink OS 5.0 or Later

    Before registering a device in a Hybrid Cloud-enabled account, ensure that it is already running AirLink OS 5.0 or later. Earlier versions of the embedded software are not supported with Hybrid Cloud, so you may need to update devices locally before registering them in ALMS. The following AirLink routers are compatible with Hybrid Cloud:

    • AirLink RX55
    • AirLink XR60
    • AirLink XR80
    • AirLink XR90

    4. Determining Authorizer User(s) for your Account

    One of the security features of Hybrid Cloud is an enforced separation of duties: a user with elevated privileges in your ALMS account must approve every operation that is sent to your routers. These users are referred to as “Authorizers”. You need at least one user with these access rights, and we recommend giving them to at least two users. Do not give “standard” ALMS users (the day-to-day operators) these extended privileges. Decide how many Authorizers you need and identify them in ALMS. You will need to generate a User Certificate for each of them, provide each of them with SmartCards, and install software on their computers.

    5. Obtaining Root Certificate and User Certificates

    For Hybrid Cloud to operate and provide the additional security you want, you need two types of certificate from your certificate authority.

    • Root Certificate: The root certificate is installed on every router and is the root of trust for the whole system; routers accept only operations signed with a certificate that chains to it. Contact your IT or Infosec team to determine how to generate a compatible root certificate that meets the requirements of the Hybrid Cloud environment.

    • User Certificates: One user certificate is issued for each Authorizer in the Hybrid Cloud account. Each is a certificate signed by (chaining to) the Root Certificate that is installed on the routers, and is installed on the hardware key (SmartCard) that the Authorizer uses. This page also refers to user certificates as Client certificates.

    It is recommended that you use a Certificate Management System (CMS) to manage your certificates and their lifecycle.

    For details on this process, please see Generating Certificates.

    6. Deciding How to Install Root Certificates and Activate Hybrid Cloud Features

    You need to determine how you want to get the root certificate onto the routers, and how to enable the Hybrid Cloud features in AirLink OS. There are two options available.

    1. Automate the Process through ALMS: ALMS has the ability to automate this process on the routers’ first communication with ALMS.

      Note: This will only work once, on the first communication. If the devices are already communicating with ALMS (in this account or another), you will need to manually configure and install the root certificate.

      If you choose this approach, you must provide the Root Certificate to the Semtech Customer Support team, who will upload it into your ALMS account. When a new router checks in for the first time, it downloads and installs the root certificate and enables the Hybrid Cloud features in AirLink OS. No further configuration is required.

    2. Manually Install and Configure the Router: If you do not want to provide Semtech with a copy of the root certificate, or if you have other manual processes (kitting etc.) that you already do, then you can manually install the root certificate and update the AirLink OS configuration. You must do this prior to the device communicating with ALMS.

    You can use both approaches in the same account, and some devices may still need manual configuration (for example, devices that have already communicated with ALMS).

    For details, see Configuring the AirLink Router for Hybrid Cloud.

    7. Purchasing Supported SmartCards (YubiKey)

    For each Authorizer, purchase two SmartCards and load both, a primary and a backup, with the Authorizer's Client certificate. Without a backup, the Authorizer cannot use the system if the primary SmartCard is lost.

    These physical security tokens hold the User Certificate and its signing key, and add a second factor to the authorization process. Because the SmartCards are loaded with your certificates and remain physically on your premises, only you can authorize changes to your devices; not even Semtech can approve them.

    The Hybrid Cloud solution is X.509 compliant, and any X.509 compliant SmartCard should work with the system. Semtech has tested the YubiKey 5 NFC with Hybrid Cloud.

    8. Installing YubiKey Manager and Fortify

    Each Authorizer needs to install two pieces of software on the computer that they use to access ALMS and authorize Hybrid Cloud operations.

    • YubiKey Manager: YubiKey Manager is used to generate the CSR from which the Client Certificate is created. It is also used to load the Client Certificate onto the SmartCard and to configure the YubiKey.

    • Fortify: Fortify is an Open Source security application that provides the link between the Authorizer’s computer, the YubiKey and ALMS. When an Authorizer needs to authorize an operation, they will insert their YubiKey into their laptop, and Fortify will be used to sign the operation in ALMS. Semtech recommends Fortify version 2.0.3 or later on Edge or Chrome browsers. See https://fortifyapp.com/#download_app .

    9. Configuring the YubiKey

    Each Authorizer uses YubiKey Manager to generate a CSR (Certificate Signing Request), which is sent to your certificate team. They issue the Client certificate, signed by the root certificate that is installed on your routers.

    Once the Authorizer has received the Client certificate, they install it on both their primary and backup YubiKeys using YubiKey Manager.

    For details, see Configuring the Hardware Key.
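    The following script is an added example and is not part of the Semtech documentation. It walks through the certificate work described in step 5 and step 9 end to end: it creates a self-signed root CA (the Root Certificate that goes onto the routers), produces a CSR for an Authorizer and issues the Client certificate under that root, and then checks the chain the way a relying party would, including the negative case of a certificate issued under an unrelated root. openssl stands in for your certificate authority and, for the Authorizer key, for the YubiKey, so the script runs offline; in production the Authorizer key pair is generated on the YubiKey and the CSR is exported from it, as shown by the ykman commands in the trailing comments. The organisation name, the curve, the lifetimes and the PIV slot are assumptions.

```shell
#!/bin/sh
# Added example; not part of the Semtech documentation. Builds the two
# certificate types Hybrid Cloud needs: the Root Certificate installed on the
# routers, and an Authorizer's User (Client) Certificate that chains to it.
# openssl stands in for your CA and, for the Authorizer key, for the YubiKey,
# so the script runs offline; in production the Authorizer key is generated on
# the YubiKey and never leaves it (see the ykman commands at the end).
# Organisation name, curve, lifetimes and PIV slot are assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Minimal openssl config for a request, so the script does not depend on the
# system openssl.cnf. The CA extensions apply only when -x509 is used.
req_cnf() {                       # req_cnf <OU> <CN>  -> config on stdout
  cat <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
O = Example Corp
OU = $1
CN = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed root CA. <prefix>.pem is what gets installed on the routers;
# <prefix>.key stays in your CA / certificate management system.
make_ca() {                       # make_ca <prefix> <CN>
  req_cnf "PKI" "$2" > "$WORK/$1.cnf"
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -config "$WORK/$1.cnf" -days 3650 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Authorizer certificate: a CSR from the Authorizer's own key, signed by the
# named CA as an end-entity (CA:FALSE), signing-only certificate.
issue_user() {                    # issue_user <user> <ca-prefix>
  req_cnf "Authorizers" "$1" > "$WORK/$1.cnf"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints = critical,CA:FALSE' \
                'keyUsage = critical,digitalSignature' > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# The trust decision the routers make: accept only certificates that chain to
# the installed root. Returns 0 if <user>.pem verifies against root.pem.
verify_user() {                   # verify_user <user>
  openssl verify -CAfile "$WORK/root.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

describe() {                      # describe <prefix>: print subject and issuer
  openssl x509 -in "$WORK/$1.pem" -noout -subject -issuer
}

demo() {
  make_ca root "Example Hybrid Cloud Root CA"   # onto the routers
  issue_user alice root                          # onto alice's primary and backup YubiKey
  make_ca other "Unrelated Root CA"              # a root the routers do not trust
  issue_user outsider other
  describe alice; describe outsider
  if verify_user alice;    then echo "alice: accepted, chains to the router root"; fi
  if verify_user outsider; then echo "outsider: ACCEPTED, this must not happen"
  else echo "outsider: rejected, issued under a foreign root"; fi
}
demo

# On the Authorizer's computer with the YubiKey inserted (not run here). ykman
# is Yubico's command-line counterpart to YubiKey Manager. Slot 9c is the PIV
# digital-signature slot and is an assumption; confirm the slot against
# Configuring the Hardware Key. Repeat for the backup YubiKey.
#   ykman piv keys generate --algorithm ECCP256 9c alice.pub
#   ykman piv certificates request --subject "CN=alice" 9c alice.pub alice.csr
#   # hand alice.csr to the CA; it returns alice.pem issued under root.pem
#   ykman piv certificates import 9c alice.pem
#   ykman piv certificates export 9c alice-on-key.pem
#   openssl verify -CAfile root.pem alice-on-key.pem
```

    The negative case is the point of the design: a certificate issued under any other root, however well-formed, is rejected by a router that trusts only your Root Certificate, which is why nobody outside your organisation can approve changes. The same `openssl verify` check is a quick sanity test to run on a certificate exported from each YubiKey before handing it to an Authorizer.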

    10. Contacting Semtech Customer Support

    Once all the elements of the system are ready, contact Semtech Customer Support and open a support ticket to request that Hybrid Cloud be enabled on your account. The Customer Support team will work through a checklist to verify that your account and users are properly configured, and will then enable Hybrid Cloud on your account.

    11. Providing the Root Certificate to Semtech Customer Support

    If in step 6 you decided to enable Root Certificate Distribution from ALMS, and use ALMS to enable Hybrid Cloud on your devices, provide the Root Certificate to Semtech Customer Support when you open the support ticket in step 10.

    12. Creating an Authorizer Profile and Assigning to Authorizer Users

    Once your account has Hybrid Cloud enabled, a new “Authorizer” access right is added to your ALMS account. Create a User Profile with this right and assign it to all the Authorizer users in your ALMS account. Ensure that there are at least two Authorizers and that they are different from the standard users in the account. A detailed explanation of the user rights is provided in the online documentation. See Creating Profiles for Hybrid Cloud.

    13. Registering Routers in your ALMS Account

    At this point, your account is properly configured, your users are ready and you can start registering routers into your Hybrid Cloud-enabled ALMS account. For details, see Configuring the AirLink Router for Hybrid Cloud.

    After enabling Hybrid Cloud, all router configuration operations carried out in ALMS must be authorized before they are applied to the router. For details, see Using Hybrid Cloud.
