Configuring the AirLink Router for Hybrid Cloud
After you have created the root certificate and added client certificates to security hardware keys that your Hybrid Cloud approver(s) will use, you can take the final steps to getting your Hybrid Cloud company up and running.
These steps include adding the root certificate to your routers and enabling Hybrid Cloud on the router. You can do this one of two ways:
- Send your root certificate to Semtech, who will add the certificate to your company. This makes the certificate available to be pushed to your new routers when they are registered and begin communicating with ALMS.
- Alternatively, you can add the root certificate as part of your deployment and upload the root certificate to each of your routers using a direct connection to the routers.
Semtech recommends that you select just one of these methods and use it exclusively when setting up your Hybrid Cloud company.
If a correct root certificate is not installed on the router, all operations sent to the router from ALMS will fail. Before enabling the Hybrid Cloud features on your routers, ensure that the root certificate and Client certificates are correctly generated.
Before you begin the steps below, ensure that your routers are running AirLink OS 5.0 or later.
Your routers must have AirLink OS 4.0 or 4.1 installed before they can be upgraded to AirLink OS 5.0. Do not try and upgrade directly from AirLink OS 2.x or 3.x to 5.0.
Initializing Table Of Contents...Deploying the root certificate through router registration
After Semtech adds the root certificate to your company through the backoffice, the router registration process will automatically install the root certificate and enable Hybrid Cloud on the router. After that is done, operations performed on the router will require approval as part of the Hybrid Cloud process.
The registration process is fully described here, but a summary for Hybrid Cloud is below.
To register the router in your Hybrid Cloud company:
- Enter the serial number and registration code, as printed on the router label.
- Provide a unique Name for the router (optional).
- Select the Offer.
- Click Register.
The router will not have communicated with Airvantage yet. Under System Communications (viewed by going to Monitor > Systems and selecting the desired router), “Last seen” will be empty. When the router is powered on and communicates with AirVantage, AirVantage pushes the root cert to the router and enables Hybrid Cloud.
You can confirm this by checking the router configuration. Under System > ALMS > Hybrid Cloud, ENFORCE REQUEST VERIFICATION will be enabled and the certificate appears in the AVAILABLE CA CERTIFICATES table. The certificate is also listed under System > Security > Certificates in the IMPORTED CERTIFICATES table.
If routers in your company are already registered before the certificate is uploaded through the backoffice, you must manually upload the certificate to each router through the AirLink OS UI and then enable Hybrid Cloud. The root certificate will need to be available to you from your laptop. You cannot add the root certificate through ALMS.
Manual Configuration
If you need to bypass the registration process described above, you can connect to the router through a LAN connection (via USB or Ethernet) and manually add the root certificate and enable Hybrid Cloud. Ensure that all your routers are using AirLink OS 5.0 or later.
Uploading the Root CA Certificate
- Connect a laptop to the AirLink router and log in to AirLink OS.
- Go to System > Security > Certificates.
Click the three vertical dots and edit the “Hybrid Cloud CA” entry.
In the Edit PEM certificates window, name the root certificate.
Click ROOT CERTIFICATE to upload your root certificate (.pem file).
Click UPDATE to save the file.
Enable Hybrid Cloud
To enable the Hybrid Cloud feature on the router:
- In the AirLink OS UI, go to System > ALMS > Hybrid Cloud (Beta).
- Under ENFORCE REQUEST VERIFICATION, click the slider to Enabled and save the settings.
Using Reset Settings to Preserve Hybrid Cloud Configuration
Semtech recommends using a reset template and the use of “Reset to Custom Settings” under System > Admin > Reset Settings. If you must reset the router at any point, it is essential that the router retains its Hybrid Cloud configuration and installed certificates.
For an overview of the Reset Settings feature, see the AirLink OS documentation.
Create a template from a configured router that includes the desired settings to preserve the router’s configuration. At a minimum, include the Hybrid Cloud (Beta) settings and the imported certificates, as shown below. You should also include any firewall rules and custom APN values in the template if your configuration requires them to be reapplied after a router reset.
Export/download the template to your computer. You can also export the template to ALMS, where it can be downloaded later under Configure > Templates.
In AirLink OS, go to System > Admin > Reset Settings.
Set RESET CONFIGURATION TYPE to Use Custom Template.
Click SET TEMPLATE.
Upload the template file.
Click SAVE.
Other Considerations
To fully secure your environment, ALMS should be the only means of making router configuration changes. You can increase security by implementing the following procedures.
Semtech advises against implementing all of the following procedures. You will want to retain at least one way to access the router in case offline configuration changes are required, or to reset the router to factory default settings.
Blocking Local Access to the Router
You may want to block users from accessing AirLink OS locally, using a laptop connected by USB or Ethernet. This will prevent anyone with direct, local access from being able to tamper with the router and its configuration. Configuration changes that are made through a local connection are not part of Hybrid Cloud. Such changes are not sent for authorization—they are applied whenever a locally connected user clicks SAVE.
Changing the Default Password
This should be done as a matter of routine when deploying new routers. Changing the default password will block unauthorized users from accessing the router’s configuration using a local LAN connection (using USB or Ethernet, for example). Please see this page for information on how to change the default password.
Deleting the Admin Account
Semtech recommends applying this step only after you have confirmed that Hybrid Cloud is fully operational—that operations in your account are being sent for approval, and are being applied to your routers after being authorized.
IMPORTANT: Once you make this change you will no longer be able to locally access the router’s configuration. All changes afterward must be made through ALMS.
You can create a template that will delete the local user “admin” account.
- Enter Template mode, and select Create template from scratch.
- Go to System > User Accounts > Local.
- Click EMPTY TABLE ON APPLY TEMPLATE.
- Click EXPORT.
Applying this template to your routers will delete the admin account and prevent anyone logging in to the UI locally.
Blocking HTTPS Access
You can create a firewall rule to block access to HTTPS/port 443. An example is shown here, but the essential settings are:
- INPUT ZONES: specify the LAN segment or select Any LAN segments
- DESTINATION ZONES: leave blank, to specify traffic to the router itself
- DESTINATION SERVICES: Specify HTTPS. If you leave this blank, it will affect all services including DHCP and DNS which are required for normal operation.
- ACTION: Drop or Block
Configuring the Router Reset Button
You can also disable the device reset button on the router. See this page for more information.
If you choose this option, local users cannot reset the router. However, disabling the reset button will prevent the router from being reset to factory default settings in the event that you need to re-provision and deploy the router.
If you are confident that the router is deployed in a physically secure location, you can leave the router’s reset button enabled.