Getting started with the Anapaya Appliance¶
This section will guide you through the steps to get the Anapaya Appliance (henceforth only called appliance) up and running - from the initial power-on all the way to establishing SCION connectivity.
Note
This guide assumes you are using the Anapaya S-Type physical appliance that already comes with a pre-installed appliance base image. If you need instructions for how to install the appliance base image on your target platform, please refer to Installing the Appliance Base Image.
Note
If you require support with provisioning the appliance, do not hesitate to contact us at customer-support@anapaya.net.
Connecting to the Appliance¶
Most interactions with the appliance are done via its management API and the web interface. However, on a fresh installation, these components first need to be configured and activated from within the appliance host.
To connect to the appliance, you can use SSH. To do that, you first need to know the IP address of the appliance. The appliance attempts to lease an IP via DHCP on each of its interfaces.
ssh anapaya@<ip address>
Then, you can authenticate with the default password that has been given to you alongside the installation instructions.
If SSH is not an option, you can also use the serial console to connect to the appliance. Please check your platform documentation for instructions on how to connect to the serial console (or GUI). You can use the same default credentials as above to log in.
Configuring the Management Interface¶
If you connected to the appliance via the serial console or want to configure a
different interface for the management connection you can use the standard Linux
ip tool set. For example, to configure the IP address 192.168.1.1 on
interface eno1, you can run the following command:
sudo ip address add 192.168.1.1/24 dev eno1
sudo ip link set eno1 up
Changing User Authentication¶
If you want to change the default password of the anapaya user you can
simply run
passwd
enter the current password and then enter a new password.
Updating a SCION release¶
Your appliance comes with a release of the anapaya-scion and
anapaya-system packages installed. However, we recommend upgrading to the
latest release containing all the latest features, bug fixes, and improvements.
Ask your Anapaya Customer Success Engineer for the most suitable release for
your platform.
Note
The ${mgmt_address} in the curl commands below needs to be replaced
with the actual management address of the appliance. This can either be an
IP address or a DNS name.
Note
The -k option on the curl commands in the following steps is required
to skip verification of the TLS certificate. The appliance management API
uses a self-signed certificate. This will be configurable in the future.
Note
The -u <user>:<password> option on the curl commands in the
following steps is required to pass the user and password to the API. The
anapaya user is a default user that is configured in the base image. The
password should have been provided to you. If that is not the case, ask your
Anapaya Customer Success Engineer for it.
To update the anapaya-scion or anapaya-system release, follow the
instructions in Updating an Appliance.
Provisioning an Initial Configuration¶
Now that the initial installation is complete, you can use the appliance management API to provision an initial configuration.
The entire appliance configuration can be stored in a single JSON file - we will
refer to this file as appliance.json in the following. It contains all the
configuration - the networking interfaces on the appliance host, the SCION and
IP-in-SCION tunneling configuration, authentication, and other system
configuration. In this guide, we assume that you already have an initial
appliance configuration, e.g., from your service provider or from the Anapaya
Customer Success Engineering team, that contains the main network interface and
SCION configurations.
Tip
For more information on the contents of the appliance configuration, please refer to Appliance Configuration section and the Management API specification.
You can enact the configuration by using the /config endpoint of the
management API:
curl -X PUT -k -u <user>:<password> https://${mgmt_address}/api/v1/config -d @appliance.json
Similarly, you can always retrieve the active configuration and store it to a file:
curl -k -u <user>:<password> https://${mgmt_address}/api/v1/config > appliance.json
Configuring Authentication of the Management API¶
Now, that you have provisioned the initial configuration, we will look at how to configure authentication for the management API.
To do that, open the appliance.json file in your favorite text editor and
add the following configuration (for more information refer to Appliance
Management Configuration):
{
"management": {
"api": {
"listeners": [
{
"description": "Management API",
"address": "192.168.1.1:443"
}
],
"basic_auth": {
"enabled": true,
"users": [
{
"username": "admin",
"password_hashed": "$2y$05$9j6jB0DORgxVir0QerURDO669uiuMlbZSfz8F0t/Ty/GsjanBZlfW"
}
]
}
}
}
}
This configures the management API to be available on 192.168.1.1:443 and
enables HTTP basic auth for user admin and password password. The
password_hashed value can be derived using the interactive appliance-cli
command on an appliance or by using the Apache htpasswd command:
appliance-cli crypto kdf hash
htpasswd -nB admin
Note
Adjust the address value to the address of the appliance host in your
setup. Here we assume that the appliance host is reachable on
192.168.1.1.
If you need to add more users, you can simply extend the users list in the
basic_auth section.
Save the changes to appliance.json and apply the configuration by using the
/config endpoint of the management API:
curl -X PUT -k -u <user>:<password> https://${mgmt_address}/api/v1/config -d @appliance.json
You should now be able to access the management API from outside the appliance and only if you authenticated with the correct username and password. You can verify this by running the following command from outside the appliance host:
curl -k https://192.168.1.1/api/v1/config -u admin:<your-password>
Note
The initial anapaya user is now no longer usable because the
configuration only contains the admin user.
Tip
The appliance comes with a web-ui that can be used to view and update
the appliance configuration, inspect other system information, and use a
range of tools to do network troubleshooting. The web-ui can be accessed by
navigating your browser to https://192.168.1.1/.
Provisioning the TRC and AS Certificate¶
As the final step before being able to establish SCION connectivity, you need to provision at least the Trust Root Configuration (TRC) of your SCION ISD as well as a SCION AS certificate issued by a certificate authority (CA) of your SCION ISD.
Tip
This guide only covers the basics of provisioning the TRC and AS certificate. For more in-depth information please refer to Certificate/TRC Provisioning.
TRC Provisioning¶
Assume that you have a TRC called ISD1-B1-S1.trc which would be the TRC of
SCION ISD 1. To install this TRC, you need to run the following command:
curl -k https://192.68.1.1/api/v1/cppki/trcs -X POST --data-binary "@ISD1-B1-S1.trc" -u admin:<your-password>
The given TRC is first validated before it is added to the trust store. Only valid TRCs are added to the trust store.
To verify that the TRC has been added, you can run the following command:
curl -k https://192.68.1.1/api/v1/cppki/trcs -u admin:<your-password>
Tip
When your appliance does not have any TRCs installed, you can use the Add TRC bundle endpoint to install the full chain of TRCs at once. Download the TRC bundles from Isolation domains overview.
AS Certificate Provisioning¶
To create an initial AS certificate, you need to instruct the appliance to create a Certificate Signing Request (CSR). This CSR then needs to be signed by a local CA AS. The result is a certificate chain consisting of the issued SCION CPPKI AS certificate and the issuing SCION CPPKI CA certificate. This certificate chain then needs to be installed on the appliance.
To generate a CSR, you need to first create a file cp-as.json with the
following content:
{
"subject": {
"isd_as": "1-ff00:0:110",
"common_name": "Anapaya Switzerland AS",
"country": "CH",
"locality": "Zurich",
"organization": "Anapaya Systems AG",
"organizational_unit": "Anapaya Systems Engineering Department",
"postal_code": "8005",
"province": "Zurich",
"serial_number": "CHE 123.456.789",
"street_address": "Hardturmstrasse 253, 8005 Zurich"
}
}
Note
You should adapt the values to your needs.
Note
Generally, only the isd_as value is required and everything else is
optional. We do recommend that you at least specify a common_name. Some
CAs might have different requirements on these fields. Please refer to the CA
of your ISD for more information.
To generate a fresh CSR and store it in a file cp-as.csr you can run
curl -k https://192.68.1.1/api/v1/cppki/csrs -X POST --data '@cp-as.json' -u admin:<your-password> > cp-as.csr
The resulting CSR is a PEM-encoded file that needs to be signed by a CA. This is an out-of-band mechanism and is defined by the CA that is responsible for issuing your initial AS certificate.
After you have received back the SCION CPPKI AS certificate as part of a full SCION CPPKI certificate chain, you can install it on the appliance:
curl -k https://192.68.1.1/api/v1/cppki/certificates -X POST --data-binary "@cp-as.pem" -u admin:<your-password>
This first verifies the certificate chain against the active TRC of the local ISD before it is added. Only verifiable certificate chains are added.
To verify that the certificate has been added, you can run:
curl -k https://192.68.1.1/api/v1/cppki/certificates -u admin:<your-password>
From this point on, the AS certificate gets automatically renewed by the appliance and you do not have to manually provision it anymore.
Note
This only works assuming that the appliance has SCION connectivity to the CA. If you are not able to establish SCION connectivity within the validity period of the provisioned AS certificate, you will have to repeat the process above to request and provision a new AS certificate.
Verifying SCION Connectivity¶
You are now at the stage where you can verify that SCION connectivity is established. Showpaths is the primary tool available to do this.
Tip
The scion tool is installed on your appliance. Alternatively, you can
also access it from the web-ui that is available on your appliance by
navigating your browser to https://192.168.1.1/ or use the
management API directly (see here).
Showpaths will show all paths that are available to a given remote AS. Furthermore, it also automatically probes all paths to verify their health. Having showpaths report a set of available paths that are healthy, indicates that the SCION control plane and data plane are working properly.
The basic command to show all the available paths to a remote AS is
scion showpaths <remote_isd_as>
where <remote_isd_as> is the ISD-AS of the remote AS you want to probe. In a
first step, it makes sense to probe a direct neighbor, e.g., your upstream AS or
a peering AS. You should already know the ISD-AS identifier from the
configuration file, where the links to neighboring ASes are configured.
A further sensible choice is to probe all paths to the issuing AS for your AS
certificates. You can get its ISD-AS identifier by either inspecting the
appliance configuration (cppki.issuers section) or the AS certificate chain
that you installed on the appliance in a previous step.
Finally, if you are connected to the public SCION Internet, you can use one of
Anapaya’s SCION ASes 64-2:0:1a for probing.
scion showpaths 64-2:0:1a
Next Steps¶
You now have a fully configured appliance that is connected to a SCION network. A likely next step is to configure IP-in-SCION tunneling to enable legacy IP applications to use the SCION network for communication. You might also want to upgrade the appliance operating system to the latest version. Refer to Software Updates for documentation on how to do this.