Gateway Hub ["Geneos"]
["Geneos > Gateway Hub"]["User Guide"]

Connectivity requirements

Overview

This page outlines the connectivity requirements of a Gateway Hub node.

Existing Geneos components

You can find the latest versions of all Geneos components at ITRS Downloads.

For more information about the compatibility between Gateway Hub components and other Geneos components, see the Gateway Hub Compatibility Matrix.

Licence

A valid licence is required to run Gateway Hub. Contact your sales representative for a licence.

Server connections

Hostnames

Each server in the cluster must have a unique hostname, resolvable forward and backward with every other node with both normal and reverse DNS name lookup.

Logon method

You must decide to use either passwordless SSH, or an interactive logon, as the method to log in to any server that will form part of the Gateway Hub cluster.

Server to server access

Each Gateway Hub server must have access to the listed ports of all other Gateway Hub nodes in the cluster. You should configure your firewall to allow these connections.

Ports

All ports used are TCP ports unless otherwise specified. The table below shows the configuration for he default ports on each Gateway Hub node.

Ports marked as external must be accessible to systems connecting to Gateway Hub. Ports marked as internal must be available to other Gateway Hub nodes only.

Service Port (TCP) Source IP Destination IP Purpose
DNS 53 (UDP)

Any Gateway Hub node

DNS server Domain Name Service
Gateway Hub message bus (Kafka listener) 9092 Any external Gateway

Any Gateway Hub node

Receives Gateway data
Gateway Hub REST API 8081 Any external client

Any Gateway Hub node

Gateway Hub REST API
Gateway Hub Web Console 8443

Any external client

Any Gateway Hub node

Gateway Hub Web Console
NTP (optional) 123 (UDP)

Any Gateway Hub node

NTP server Network Time Protocol
SSH 22 Any external client

Any Gateway Hub node

Secure Shell, for Ansible install and troubleshooting
SSO Agent 8080 Any external client Any Gateway Hub node Gateway Hub SSO Agent
Zookeeper 5181

Any Gateway Hub node

Any Gateway Hub node

Zookeeper API calls
Zookeeper follow-the-leader 5188

Any Gateway Hub node

Any Gateway Hub node

Zookeeper server-to-server communication
Zookeeper leader election 5189

Any Gateway Hub node

Any Gateway Hub node

Zookeeper server-to-server communication
etcd cluster 2380 Any Gateway Hub node Any Gateway Hub node etcd member communication
Capacity Planner 9090 Any Gateway Hub node Capacity Planner Publishing to Capacity Planner
JMX 10974 Any Gateway Hub node Any Gateway Hub node JMX

TLS certificates

Gateway Hub uses TLS (Transport Layer Security) to secure:

  • Connections made from clients to Gateway Hub nodes.

  • Connections between Gateway Hub nodes.

By default the Gateway Hub installer automatically generates the certificates and private keys used to secure TLS connections. To do this, it creates a CA (Certificate Authority) certificate and uses that to sign a suitable server certificate. The generated CA certificate will not be trusted by default on desktop operating systems. As a result, when you browse to the Web Console you will receive a certificate trust warning.

To access the Web Console without a warning you must ensure the CA certificate used by Gateway Hub is trusted by your operating system. You can use the automatically generated certificates or you can specify your own certificates to be applied when either installing or reconfiguring the Gateway Hub.

To use your own certificates, perform the following steps:

  1. Ensure a suitable PEM file is present on the installation machine.

  2. Add your PEM file path in your installation descriptor's installation.tls.pem_file field.

  3. Install or reconfigure Gateway Hub. For more information about the installation descriptor and installation process, see Install.

  4. Configure your desktop operating systems to trust the root CA certificate (this may not be necessary if you are using an existing trusted CA).

PEM file requirements

In Gateway Hub versions 2.2.x, 2.4.x, and newer your PEM file must contain a full trust chain with content in the following order:

  • Private key for server certificate. This key must be in PKCS#1 (not PKCS#8) format.

  • Server certificate.

  • Any intermediate CA certificates (zero or more).

  • Root CA certificate.

Additionally, The server certificate must be suitable for all Gateway Hub nodes in your cluster. The commonName or subjectAltName fields need to contain either a suitable wildcard or a list of fully qualified DNS names.

A suitable PEM file should look similar to the following:

-----BEGIN RSA PRIVATE KEY-----
... private key for server certificate ...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
... server certificate ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... intermediate ca certificates (zero or more) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... root ca certificate ...
-----END CERTIFICATE-----

Partial trust chains and Gateway Hub version 2.3.x

Gateway Hub 2.3.x contains a bug which requires that the PEM file contains only a partial trust chain in the following order:

  • Private key for server certificate. This key must be in PKCS#1 (not PKCS#8) format.

  • Server certificate.

  • The CA certificate used to sign the server certificate (either an intermediate or root CA).

If there are no intermediate CA certificates there is no difference between the PEM file required for Gateway Hub 2.3.x and other versions. However, if there is an intermediate certificate the PEM file for Gateway Hub 2.3.x will start the same, but have at least one certificate removed from the end.