Geneos > Gateway Hub > User Guide

Connectivity requirements

Overview

This page outlines the connectivity requirements of a Gateway Hub node.

Existing Geneos components

You can find the latest versions of all Geneos components at ITRS Downloads.

For more information about the compatibility between Gateway Hub components and other Geneos components, see the Gateway Hub Compatibility Matrix.

Licence

A valid licence is required to run Gateway Hub. Contact your sales representative for a licence.

Server connections

Hostnames

Each server in the cluster must have a unique hostname. Every node must be able to resolve the hostname of every other node to its address (forward DNS lookup) and resolve that address back to the same hostname (reverse DNS lookup).
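As an added preflight check (not part of this documentation or of the product), the following Python script verifies the hostname requirement for a list of nodes: every name is unique, resolves to an address, that address is not shared with another node, and the address reverse-resolves to the same name. The hostnames and addresses in the sample run are constructed; the resolver functions are parameters so the check can be dry-run against in-memory tables as well as against the system resolver on a real node.

```python
"""Preflight check for the hostname requirement: each Gateway Hub node name must be
unique and must resolve forward (name -> address) and back (address -> name).
Added example, not ITRS code."""
import socket


def table_resolvers(forward, reverse):
    """Build resolver callables from in-memory tables so the check can be dry-run.

    forward: {hostname: address}; reverse: {address: canonical hostname}.
    Misses raise OSError, which is what socket.gethostbyname/gethostbyaddr raise
    (socket.gaierror and socket.herror are OSError subclasses)."""
    def resolve(hostname):
        try:
            return forward[hostname]
        except KeyError:
            raise OSError(f"no A/AAAA record for {hostname}") from None

    def lookup(address):
        try:
            return reverse[address], [], [address]   # same shape as gethostbyaddr
        except KeyError:
            raise OSError(f"no PTR record for {address}") from None

    return resolve, lookup


def check_cluster(hostnames, resolve=socket.gethostbyname, lookup=socket.gethostbyaddr):
    """Return a list of human-readable problems; an empty list means the cluster passes."""
    problems = []
    seen_names = set()
    seen_addrs = {}
    for hostname in hostnames:
        key = hostname.lower()          # DNS names are case-insensitive
        if key in seen_names:
            problems.append(f"{hostname}: duplicate hostname in cluster")
            continue
        seen_names.add(key)
        try:
            addr = resolve(hostname)
        except OSError as exc:
            problems.append(f"{hostname}: forward lookup failed ({exc})")
            continue
        if addr in seen_addrs:
            problems.append(f"{hostname}: resolves to {addr}, already used by {seen_addrs[addr]}")
        seen_addrs.setdefault(addr, hostname)
        try:
            canonical, aliases, _ = lookup(addr)
        except OSError as exc:
            problems.append(f"{hostname} -> {addr}: reverse lookup failed ({exc})")
            continue
        names = {canonical.lower(), *(a.lower() for a in aliases)}
        if key not in names:
            problems.append(f"{hostname} -> {addr} -> {canonical}: reverse lookup does not return the hostname")
    return problems


if __name__ == "__main__":
    # Constructed sample cluster (hypothetical names and addresses); hub3's PTR record is stale.
    forward = {"hub1.example.internal": "10.0.0.1",
               "hub2.example.internal": "10.0.0.2",
               "hub3.example.internal": "10.0.0.3"}
    reverse = {"10.0.0.1": "hub1.example.internal",
               "10.0.0.2": "hub2.example.internal",
               "10.0.0.3": "old-hub3.example.internal"}
    for problem in check_cluster(list(forward), *table_resolvers(forward, reverse)):
        print(problem)
    # On a real node, run it against the system resolver:
    # check_cluster(["hub1.example.internal", "hub2.example.internal", ...])
```

Run it from every node, not just one: a node whose own /etc/hosts or DNS view differs from its peers is exactly the case this requirement is meant to catch.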

Logon method

You must decide whether to use passwordless SSH or an interactive logon as the method for logging in to each server that will form part of the Gateway Hub cluster.

Server to server access

Each Gateway Hub server must have access to the listed ports of all other Gateway Hub nodes in the cluster. You should configure your firewall to allow these connections.

Ports

All ports used are TCP ports unless otherwise specified. The table below shows the default ports on each Gateway Hub node.

Service                                   | Port (TCP unless noted) | Source                                        | Destination          | Purpose
DNS                                       | 53 (UDP)                | Any Gateway Hub node                          | DNS server           | Domain Name Service
Gateway Hub message bus (Kafka listener)  | 9092                    | Any external Gateway and any Gateway Hub node | Any Gateway Hub node | Receives Gateway data
Gateway Hub REST API                      | 8081                    | Any external client                           | Any Gateway Hub node | Gateway Hub REST API
Gateway Hub Web Console                   | 8443                    | Any external client                           | Any Gateway Hub node | Gateway Hub Web Console
NTP (optional)                            | 123 (UDP)               | Any Gateway Hub node                          | NTP server           | Network Time Protocol
SSH                                       | 22                      | Any external client                           | Any Gateway Hub node | Secure Shell, for Ansible install and troubleshooting
SSO Agent                                 | 8080                    | Any external client                           | Any Gateway Hub node | Gateway Hub SSO Agent
Zookeeper                                 | 5181                    | Any Gateway Hub node                          | Any Gateway Hub node | Zookeeper API calls
Zookeeper follow-the-leader               | 5188                    | Any Gateway Hub node                          | Any Gateway Hub node | Zookeeper server-to-server communication
Zookeeper leader election                 | 5189                    | Any Gateway Hub node                          | Any Gateway Hub node | Zookeeper server-to-server communication
etcd cluster                              | 2380                    | Any Gateway Hub node                          | Any Gateway Hub node | etcd member communication
Capacity Planner                          | 9090                    | Any Gateway Hub node                          | Capacity Planner     | Publishing to Capacity Planner
JMX                                       | 10974                   | Any Gateway Hub node                          | Any Gateway Hub node | JMX

Firewall access

You may need to update your firewall policies to open ports required by Gateway Hub. You should always consult with your local security policy and team before making firewall changes.

If you are installing on a CentOS 7.x or RHEL 7.x system you can use the firewall-cmd command to check and modify your firewall policy. For a full list of supported operating systems, see Operating Systems in Software requirements.

The following procedure is provided as an example; you will need to modify these steps to suit your local network configuration and security policies.

  1. Check which ports are currently open:

    firewall-cmd --list-ports
  2. Open each of the ports that are required:

    sudo firewall-cmd --permanent --add-port={22/tcp,8080-8081/tcp,8443/tcp,9092/tcp,5181/tcp,5188-5189/tcp,2380/tcp,10974/tcp}
  3. Reload the firewall so the permanent rules take effect:

    sudo firewall-cmd --reload
  4. Check that the required ports are now open:

    firewall-cmd --list-ports

Note: In the example above every listed port is opened to any source in the default zone, including the Zookeeper (5181, 5188, 5189), etcd (2380) and JMX (10974) ports whose only legitimate source in the table is another Gateway Hub node. A tighter policy allows those ports only from the addresses of the cluster nodes (for example with firewalld rich rules) and opens a port to any source only for the client-facing services (SSH, SSO Agent, REST API, Web Console and the Kafka listener).
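The following Python script is an added example (not ITRS tooling) that turns the port table above into per-node firewalld commands with the restriction just described, and then probes peer nodes to confirm the cluster ports are reachable once the rules are applied. The `--add-port` and `--add-rich-rule` forms are standard firewall-cmd syntax; the zone name, the peer addresses and the `loopback_listener` dry run are assumptions for illustration.

```python
"""Added example (not ITRS code): derive per-node firewalld rules from the port table so
that cluster-internal ports are only reachable from the other Gateway Hub nodes, then
probe the peers to confirm the cluster ports are reachable after the change."""
import ipaddress
import socket

# Inbound ports from the table. exposure "external": the table's source is an external
# client or Gateway; "cluster": the source is another Gateway Hub node. DNS, NTP and
# Capacity Planner are outbound from the node and need no inbound rule.
PORTS = [
    ("Gateway Hub message bus (Kafka listener)", 9092, "tcp", "external"),
    ("Gateway Hub REST API", 8081, "tcp", "external"),
    ("Gateway Hub Web Console", 8443, "tcp", "external"),
    ("SSH", 22, "tcp", "external"),
    ("SSO Agent", 8080, "tcp", "external"),
    ("Zookeeper", 5181, "tcp", "cluster"),
    ("Zookeeper follow-the-leader", 5188, "tcp", "cluster"),
    ("Zookeeper leader election", 5189, "tcp", "cluster"),
    ("etcd cluster", 2380, "tcp", "cluster"),
    ("JMX", 10974, "tcp", "cluster"),
]


def firewall_commands(cluster_addresses, zone="public", ports=PORTS):
    """Return the firewall-cmd lines for one node.

    External ports are opened to any source with --add-port, as in the procedure above;
    cluster ports get one rich rule per peer address instead, so they never become
    reachable from outside the cluster. The final --reload activates the permanent rules."""
    lines = []
    for service, port, proto, exposure in ports:
        if exposure == "external":
            lines.append(f"firewall-cmd --permanent --zone={zone} --add-port={port}/{proto}  # {service}")
            continue
        for addr in cluster_addresses:
            family = f"ipv{ipaddress.ip_address(addr).version}"   # also validates the address
            rule = (f'rule family="{family}" source address="{addr}" '
                    f'port port="{port}" protocol="{proto}" accept')
            lines.append(f"firewall-cmd --permanent --zone={zone} --add-rich-rule='{rule}'  # {service}")
    lines.append("firewall-cmd --reload")
    return lines


def reachable(address, port, timeout=2.0):
    """True if a TCP handshake to address:port completes within timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered (timeout) or unresolvable
        return False


def unreachable_cluster_ports(peer_addresses, ports=PORTS, timeout=2.0):
    """(peer, service, port) for every cluster port on a peer that this node cannot reach.
    Run it on each node after applying the rules; the result should be empty."""
    return [(peer, service, port)
            for peer in peer_addresses
            for service, port, proto, exposure in ports
            if exposure == "cluster" and not reachable(peer, port, timeout)]


def loopback_listener():
    """Listening socket on 127.0.0.1 with an ephemeral port, for a local dry run of the probe."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    # Constructed peer addresses (hypothetical); pass the address of every node in the cluster.
    print("\n".join(firewall_commands(["10.0.0.1", "10.0.0.2", "10.0.0.3"])))
    sock, port = loopback_listener()
    print("dry-run probe:", unreachable_cluster_ports(["127.0.0.1"], [("demo", port, "tcp", "cluster")]))
    sock.close()
```

Pipe the generated lines into a root shell on each node (or feed them to your configuration management), then run `unreachable_cluster_ports` from each node against the other nodes' addresses; an entry in the result means a filtered or misconfigured port, and a timeout rather than an immediate refusal usually points at an intermediate firewall rather than the node itself.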

TLS certificates

Gateway Hub uses TLS (Transport Layer Security) to secure:

  • Connections made from clients to Gateway Hub nodes.

  • Connections between Gateway Hub nodes.

By default the Gateway Hub installer automatically generates the certificates and private keys used to secure TLS connections. To do this, it creates a CA (Certificate Authority) certificate and uses that to sign a suitable server certificate. The generated CA certificate will not be trusted by default on desktop operating systems. As a result, when you browse to the Web Console you will receive a certificate trust warning.

To access the Web Console without a warning you must ensure the CA certificate used by Gateway Hub is trusted by your operating system. You can use the automatically generated certificates or you can specify your own certificates to be applied when either installing or reconfiguring the Gateway Hub.

To use your own certificates, perform the following steps:

  1. Ensure a suitable PEM file is present on the installation machine.

  2. Add your PEM file path in your installation descriptor's installation.tls.pem_file field.

  3. Install or reconfigure Gateway Hub. For more information about the installation descriptor and installation process, see Install.

  4. Configure your desktop operating systems to trust the root CA certificate (this may not be necessary if you are using an existing trusted CA).

PEM file requirements

In Gateway Hub versions 2.2.x, 2.4.x, and newer your PEM file must contain a full trust chain with content in the following order:

  • Private key for server certificate. This key must be in PKCS#1 (not PKCS#8) format.

  • Server certificate.

  • Any intermediate CA certificates (zero or more).

  • Root CA certificate.

Additionally, the server certificate must be valid for every Gateway Hub node in the cluster: the commonName or subjectAltName field must contain either a suitable wildcard or the fully qualified DNS name of each node. Modern browsers ignore commonName and match only subjectAltName, so put the names in subjectAltName if the Web Console is to be reached without a warning.

A suitable PEM file should look similar to the following:

-----BEGIN RSA PRIVATE KEY-----
... private key for server certificate ...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
... server certificate ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... intermediate ca certificates (zero or more) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... root ca certificate ...
-----END CERTIFICATE-----

Partial trust chains and Gateway Hub version 2.3.x

Gateway Hub 2.3.x contains a bug which requires that the PEM file contains only a partial trust chain in the following order:

  • Private key for server certificate. This key must be in PKCS#1 (not PKCS#8) format.

  • Server certificate.

  • The CA certificate used to sign the server certificate (either an intermediate or root CA).

If there are no intermediate CA certificates, the PEM file required for Gateway Hub 2.3.x is identical to the one required for other versions. If there is an intermediate certificate, the 2.3.x PEM file starts the same way (private key, server certificate, the intermediate CA that signed it) but omits every certificate after that signing CA, so the root CA certificate, and any further intermediates, are removed from the end.
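The following Python script is an added example (not ITRS code) covering both the full-chain layout above and the 2.3.x partial chain: it checks that a bundle has the right block types in the right order (PKCS#1 key first, then server certificate, then CA certificates) and derives the truncated 2.3.x bundle by keeping only the key, the server certificate and the CA that directly follows it. It inspects PEM headers only and does not verify signatures or subject names; the bundle it builds for the demonstration has constructed placeholder bodies, not real key material.

```python
"""Added example (not ITRS code): structural check of the TLS PEM bundle described above,
and derivation of the truncated bundle that Gateway Hub 2.3.x needs. It checks block
types and order only; it does not verify signatures or names."""
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)
PKCS8_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}   # headers OpenSSL writes for PKCS#8


def split_pem(text):
    """(label, block) for every PEM block, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def check_full_chain(text):
    """Problems with a bundle for 2.2.x, 2.4.x and newer: PKCS#1 key, server cert,
    zero or more intermediates, root CA. An empty list means the layout is right."""
    blocks = split_pem(text)
    if not blocks:
        return ["no PEM blocks found"]
    problems = []
    first = blocks[0][0]
    if first in PKCS8_LABELS:
        problems.append("private key is PKCS#8; convert it to PKCS#1 (BEGIN RSA PRIVATE KEY)")
    elif first != "RSA PRIVATE KEY":
        problems.append(f"first block must be the server's RSA private key, found '{first}'")
    rest = [label for label, _ in blocks[1:]]
    if any(label != "CERTIFICATE" for label in rest):
        problems.append("only CERTIFICATE blocks may follow the private key")
    if len(rest) < 2:
        problems.append("need at least the server certificate and the root CA certificate")
    return problems


def bundle_for_23x(text):
    """Key, server certificate and the CA that signed it, i.e. the first three blocks
    of a valid full-chain bundle; every CA after that (including the root, when an
    intermediate exists) is dropped. Raises ValueError if the full chain is malformed."""
    problems = check_full_chain(text)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(block for _, block in split_pem(text)[:3]) + "\n"


def constructed_bundle(*cert_names):
    """Placeholder bundle with fake (non-base64) bodies, for demonstration only."""
    key = "-----BEGIN RSA PRIVATE KEY-----\nconstructed-key-bytes\n-----END RSA PRIVATE KEY-----\n"
    certs = "".join(f"-----BEGIN CERTIFICATE-----\n{name}\n-----END CERTIFICATE-----\n"
                    for name in cert_names)
    return key + certs


if __name__ == "__main__":
    full = constructed_bundle("server", "intermediate-ca", "root-ca")
    print("full chain problems:", check_full_chain(full))
    print(bundle_for_23x(full))
```

If the check reports a PKCS#8 key, `openssl rsa -in key.pem -out key-pkcs1.pem` rewrites it in PKCS#1 form on OpenSSL 1.x; on OpenSSL 3.x add `-traditional`, because `openssl rsa` otherwise writes PKCS#8 by default. To confirm the names the certificate covers before installing it, use `openssl x509 -in server.pem -noout -subject -ext subjectAltName`.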