Hybrid Cloud is an optional security feature that merges the benefits of cloud technology with on-premise security controls for the management of your AirLink routers. Benefit from full local control and complete network isolation, while relying on a leading cloud infrastructure that scales with your needs.
By enabling Hybrid Cloud on your ALMS account, you are changing the way ALMS operates by enabling additional security features and enforcing security best practices like separation of duties and multi-factor authentication.
This page explains the changes in the operation of ALMS and the new tasks required of Hybrid Cloud Users and Authorizers. An overview of the relationship between the roles is shown below.
When Hybrid Cloud is enabled, two roles are required in the system: “Users” and “Authorizers”. “Users” are standard users within ALMS who manage the day-to-day activities on the platform, the same as in a standard ALMS account. “Authorizers” should be a separate user or set of users with a unique set of privileges who are required to review and authorize all operations (such as a Firmware Upgrade) using a security key. Only once approved are operations sent to the device. With Hybrid Cloud enabled, you are enforcing the concept of separation of duties for your routers.
As a Hybrid Cloud “user”, you are managing the operation and configuration of your fleet, and, as a result, initiating operations from within ALMS. There are two types of operations: those that are sent to the router and those that take place only within ALMS.
Operations requiring approval include any changes that are made from ALMS that are executed on the router, including:
These operations in ALMS may be triggered using the menu bar on the System page (such as Configure communication and Reboot) or may be triggered from the AirLink OS Configuration UI within ALMS.
After each operation, Hybrid Cloud notifies the authorizer and requests approval for those operations.
Apply Workflow does not trigger a single authorization action. Instead, you will be asked to authorize each operation included in that workflow.
Tip: When making configuration updates in the AirLink OS UI, wait until you have made all your changes before clicking Save. Each “Save” action triggers an operation. Semtech recommends grouping several configuration updates into one operation for your Authorizer to approve.
Operations that happen purely in ALMS (such as creating or applying labels) do not require the authorization process. These operations will continue to happen as they did before Hybrid Cloud was enabled on the account.
Such operations include:
There is only one significant operational change for users once Hybrid Cloud is enabled on the account. Now, when you initiate an operation that needs to execute on the device, rather than immediately moving to the “In Progress” state, it is displayed in the Operations timeline in the “Waiting For Approval” state. The state will update after the Authorizer approves or rejects the operation.
After the authorizer approves the operation, it remains in the “In Progress” state while it is being executed on the router.
For more information about Operations, see this page.
In the Operations widget, green indicates a successful operation. Red indicates the operation was rejected or failed to complete. Black indicates aborted.
Click the operation in the widget to view operation details.
You can send email notifications for operations triggered and approval/rejection responses by clicking “Send email notification when operation completed”.
Before you can authorize operations in Hybrid Cloud, you need to ensure that Fortify is installed and running on the computer that you use to log in to ALMS, and that your YubiKey, loaded with your user certificate, is inserted in the authorizing computer.
Semtech recommends ejecting the YubiKey from your computer after your Hybrid Cloud authorization session is over. Windows may treat the YubiKey as an authentication device and try to log you into Windows. In some configurations, this can result in temporarily locking out the Windows PIN for authentication.
When you receive operation notifications by email, log in to your ALMS account and go to the Authorize tab. Alternatively, you can click the Authorization notification icon on the top right. The red dot indicates that you have pending notifications.
After you click Authorize, a new browser tab opens, and all the operations waiting for approval are displayed.
Note: The new Authorize features in ALMS run separately from the main ALMS user interface and require separate privileges. To return to other activities in ALMS, go to your previous browser tab, or click an icon along the left side of the Authorize screen. This, in turn, will open a new tab.
The Authorization Status widget shows you the signing status of all the operations sent to your account. This widget makes it easy to identify the operations that still need to be authorized. Note that operations that have expired with no action are not shown.
The Operations widget shows you what types of operations have been sent to your account. This provides an overview of the types of operations that your users are triggering within your account.
The Average Pending Time widget shows you how long (on average) an operation waits in the Pending state before being authorized or rejected. Keeping this value as short as possible will reduce the impact to your team.
Click the arrow to refresh the data displayed in a widget.
You can use filters to locate and identify operations for approval or rejection. Click ADD FILTER.
To authorize an operation:
In the Authorize screen, select an operation and click Authorize.
Note: You can approve only one operation at a time. The Authorize and Reject buttons are unavailable if more than one operation is selected.
Note: In the case of multiple pending operations, Semtech requires authorizing operations from oldest to newest, in case any system configurations depend on updates being performed in a specific order. Authorizing a newer operation before an older one will trigger an error message.
After clicking Authorize, an Authorize window opens, showing the operation details for you to review. You can click APPROVE or CANCEL from there. The following steps assume that you are authorizing the operation.
The Summary screen provides an overview of the changes being made by the requested operation. It will identify the System (or list of Systems), the user that triggered the operation, and details on the changes that are being made. In this example, the operation is a Setting change to one value.
The details screen provides more information on the operation. It is recommended that the Authorizer review this information closely before authorizing the operation. This secondary review ensures that all operations being sent to a device are legitimate and known to the organization before they are sent from ALMS.
If you click APPROVE, enter your YubiKey password and then click OK. If you have not inserted your YubiKey, do so at this time.
Click the certificate you want to use to authorize the operation and then click Continue. Multiple certificates are displayed if multiple Keys are attached to your laptop.
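The approval rules described on this page (router-bound operations wait in “Waiting For Approval”, only Authorizers can decide them, and approvals must go from oldest to newest) are modelled below as an added Python example; it is not ALMS code. The class, function and principal names are hypothetical, and the model assumes a single account-wide queue.

```python
from dataclasses import dataclass, field

# "Waiting For Approval" and "In Progress" are the page's states; REJECTED is a constructed label.
WAITING, IN_PROGRESS, REJECTED = "Waiting For Approval", "In Progress", "Rejected"

@dataclass
class Operation:
    op_id: int
    initiator: str
    action: str
    state: str = WAITING

@dataclass
class ApprovalGate:
    """Hypothetical model of the approval gate (not ALMS code)."""
    authorizers: set                          # principals holding the Authorizer role
    ops: list = field(default_factory=list)   # kept in submission order, oldest first

    def submit(self, initiator, action):
        # A router-bound operation is held, not sent, until an Authorizer decides.
        op = Operation(len(self.ops) + 1, initiator, action)
        self.ops.append(op)
        return op

    def decide(self, who, op_id, approve):
        if who not in self.authorizers:
            raise PermissionError(f"{who} does not hold the Authorizer role")
        pending = [op for op in self.ops if op.state == WAITING]
        target = next((op for op in pending if op.op_id == op_id), None)
        if target is None:
            raise LookupError(f"operation {op_id} is not waiting for approval")
        # Ordering rule from the page: approve oldest to newest. Assumption: it is
        # applied to approvals only, since the page does not cover rejection order.
        if approve and target is not pending[0]:
            raise RuntimeError(f"operation {pending[0].op_id} is older; decide it first")
        target.state = IN_PROGRESS if approve else REJECTED
        return target

def demo():
    gate = ApprovalGate(authorizers={"alice"})   # constructed sample principals
    fw = gate.submit("bob", "Firmware Upgrade")
    rb = gate.submit("bob", "Reboot")
    attempts = [("bob", fw), ("alice", rb), ("alice", fw), ("alice", rb)]
    outcomes = []
    for who, op in attempts:
        try:
            gate.decide(who, op.op_id, approve=True)
            outcomes.append("approved")
        except (PermissionError, RuntimeError) as exc:
            outcomes.append(type(exc).__name__)
    return outcomes, [op.state for op in gate.ops]
```

In the demo, the initiating user's own approval attempt and the out-of-order approval are both refused before the two operations are approved in submission order.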