For customers getting started with Hybrid Cloud, this document provides a high-level overview of the process you should follow and provides guidance for configuring your account and AirLink routers.
Hybrid Cloud is a feature that must be enabled at the account level and can only be used with AirLink OS devices running AirLink OS 5.0 or later. The following steps will guide you in setting up Hybrid Cloud for your organization.
Please review the following sections for more details on each step of the process.
Hybrid Cloud is a value-added feature that is licensed as an add-on to AirLink Complete and/or AirLink Premium. It is not available as an add-on to AirLink Basic. This policy requires that all devices in your account must be active on a valid AirLink Complete or AirLink Premium subscription prior to purchasing the add-on for Hybrid Cloud. On renewal, the add-on is required for all devices in the account.
ALEOS devices are not supported on Hybrid Cloud-enabled accounts at this time. We expect to add support for ALEOS routers with a reduced feature set in a future release.
IMPORTANT: Hybrid Cloud is recommended for new accounts with routers running AirLink OS only. If you have a combination of AirLink OS and ALEOS routers in a Hybrid Cloud-enabled account, you will not be able to send operations to ALEOS routers using ALMS.
It is recommended that you start with a new ALMS account when using Hybrid Cloud. As the feature is enabled account-wide, it requires the devices in the account to be in a specific state prior to communicating with ALMS. This is easier with a new account. Semtech Customer Support can assist with transferring devices from an older account to your new Hybrid Cloud account. Just make sure that they are running AirLink OS 5.0 or later.
While it is not recommended, if you need to use an existing ALMS account, we can support you with the migration. If it must be done, then we suggest the following steps:
Some of these steps are outlined further below.
Enable the Hybrid Cloud feature in AirLink OS on the devices. This can be done locally on the device using the AirLink OS UI or remotely using “Configuration” or “Apply Template” operation in ALMS.
Important: after this step, these AirLink OS devices will not be able to accept any changes from ALMS that have not been signed by an Authorizer in ALMS
Contact Semtech Customer Support to enable “Hybrid Cloud” feature on the company.
Important: after this step, operations that are trying to change ALEOS devices will no longer work
Note: Disabling Hybrid Cloud is also a complex process. If you determine that you no longer wish to use Hybrid Cloud, please contact Semtech Customer Support to assist you with this process.
Prior to registering a device in a Hybrid Cloud enabled account, ensure that the device is already running AirLink OS 5.0 or later. Earlier versions of the embedded software are not supported with Hybrid Cloud. This may require that you update the devices locally, prior to registering them into ALMS.
Hybrid Cloud-enabled ALMS accounts require routers running AirLink OS 5.0 or later. The following AirLink routers are compatible with Hybrid Cloud:
One of the security features of Hybrid Cloud is an enforced separation of duties – someone with elevated privileges in your ALMS account will need to approve every operation that is sent to your routers. These users are referred to as “Authorizers”. You will need at least one user with these access rights, and we recommend that at least two users be given these privileges. You should not enable “standard” ALMS users, the day-to-day operators to have these extended privileges. Determine the number of Authorizer users and identify them in ALMS. You will need to generate User Certificates for each of these users, as well as provide them SmartCards and install software on their computer.
For Hybrid Cloud to operate and provide the additional security that you desire, you will need to obtain two types of certificates from your certificate authority.
Root Certificate: The root certificate is required to be installed on the router and provide the root of trust for the whole system. Please contact your IT or Infosec team to determine how to generate a compatible root certificate that meets the requirements of the Hybrid Cloud environment.
User Certificates: The user certificates are generated for all Authorizers in the Hybrid Cloud account. Generate one user certificate, which is an intermediary certificate linked to the Root Certificate that is installed on the routers, for each Authorizer. The user certificate will be installed on the hardware key (SmartCard) that the Authorizer uses.
It is recommended that you use a Certificate Management System (CMS) to manage your certificates and their lifecycle.
For details on this process, please see Generating Certificates.
You need to determine how you want to get the root certificate onto the routers, and how to enable the Hybrid Cloud features in AirLink OS. There are two options available.
Automate the Process through ALMS: ALMS has the ability to automate this process on the routers’ first communication with ALMS.
Note: This will only work once, on the first communication. If the devices are already communicating with ALMS (in this account or another), you will need to manually configure and install the root certificate.
If you choose this approach, you must provide the Root Certificate to the Semtech Customer Support team. They will upload it into your ALMS account. When a new router checks in for the first time, it will download and install the root certificate onto the device and enable the Hybrid Cloud features in AirLink OS. No further configuration is required.
Manually Install and Configure the Router: If you do not want to provide Semtech with a copy of the root certificate, or if you have other manual processes (kitting etc.) that you already do, then you can manually install the root certificate and update the AirLink OS configuration. You must do this prior to the device communicating with ALMS.
You are able to use both processes and may still need to manually configure devices in some situations.
For details, see Configuring the AirLink Router for Hybrid Cloud.
For each Authorizer, you will need to purchase two SmartCards. Always load a primary and backup SmartCard with the Client certificates – if there is not backup, the user will not be able to use the system if one gets lost.
These physical security tokens host the User Certificate and provide multi-factor authentication of the authorization process. The SmartCard is a physical security token, loaded with your certificates and located physically on your premises. This ensures that you must authorize any changes to your devices – not even Semtech can approve them.
The Hybrid Cloud solution is X.509 compliant, and any X.509 compliant SmartCard should work with the system. Semtech has tested Yubikey 5 NFC with Hybrid Cloud.
Each Authorizer needs to install two pieces of software on the computer that they use to access ALMS and authorize Hybrid Cloud operations.
YubiKey Manager: YubiKey Manager is used to generate a CSR that is used to create the Client Certificate. It is also used to upload the Client Certificate onto the SmartCard and configure the device.
Fortify: Fortify is an Open Source security application that provides the link between the Authorizer’s computer, the YubiKey and ALMS. When an Authorizer needs to authorize an operation, they will insert their YubiKey into their laptop, and Fortify will be used to sign the operation in ALMS. Semtech recommends Fortify version 2.0.0 or later on Edge or Chrome browsers. See https://fortifyapp.com/#download_app .
Each Authorizer will use YubiKey Manager to generate a CSR (Certificate Signing Request), which must be sent to your certificate team to generate the Client certificate using the root certificate that is installed on your routers.
Once the user has received the Client certificate, they will install it on their primary and backup YubiKeys using YubiKey Manager.
For details, see Configuring the Hardware Key.
Once all the elements of the system are ready, reach out to Semtech Customer Support and open a support ticket to request that Hybrid Cloud be enabled on your account. The Customer Support team will walk through a check list to verify that your account and users are properly configured, and will enable Hybrid Cloud on your account.
If in step 6 you decided to enable Root Certificate Distribution from ALMS, and use ALMS to enable Hybrid Cloud on your devices, provide the Root Certificate to Semtech Customer Support when you open the support ticket in step 10.
Once your account has Hybrid Cloud enabled, a new “Authorizer” access right is added to your ALMS account. You need to create a User Profile with this feature and assign it to all the Authorizer users in your ALMS account. Please ensure that there are at least 2, and that they are different from the standard users in the ALMS account. A detailed explanation of the user rights is provided in the online documentation. See Creating Profiles for Hybrid Cloud.
At this point, your account is properly configured, your users are ready and you can start registering routers into your Hybrid Cloud-enabled ALMS account. For details, see Configuring the AirLink Router for Hybrid Cloud.
After enabling Hybrid Cloud, all router configuration operations carried out in ALMS will need to be authorized before they can be applied to the router. For details, see see Using Hybrid Cloud