User Guide 19.11 documentation
The authentication methods have been modified in SkyLIGHT PVX 4.1 and there are some simple steps that you will have to perform in order to properly migrate your distributed SkyLIGHT PVX system.
By looking at your distributed nodes configuration on a 4.0 datastore, you should see a similar output from the Pulsar shell:
datastore# capture
Name: datastore
Address: localhost
Created the: 2016-08-10 11:26
Device ID: 55EAE076-C7F8-7245-979E-6C2E1E9E394A
Device md5: 44535c8b627a532e07ed3c6d6b379c6e
Time: 2016-08-10 11:35
SPV Version: 4.0.28-r1-internal
Sniffer status: ok, pid 3434
Sniffer version: 4.0.28
License: ok
Expiration: 2016-08-24 22:00 UTC
MTU: System default
Is booting: False
Location ID: 0
Location md5: cfcd208495d565ef66e7dff9f98764da
Name: capture
Address: 192.168.10.227
Created the: 2016-08-10 11:35
Device ID: D0FD45EA-673D-FE40-AAF2-BD3E4D86FA4B
Device md5: 0a7583d16e5625f615d466ffbce9c783
Time: 2016-08-10 11:35
SPV Version: 4.0.28-r1-internal
Sniffer status: ok, pid 3216
Sniffer version: 4.0.28
License: ok
Expiration: 2016-12-31 23:00 UTC
MTU: System default
Is booting: False
Location ID: 0
Location md5: cfcd208495d565ef66e7dff9f98764da
Here, we have one datastore and one capture that are both reachable and in the same 4.0.x release.
Warning
Once the 4.1 release has been applied on all of your nodes, any communication will be unsuccessful as the authentication scheme has changed to increase security.
The distributed system has been updated to 4.1 and we now clearly see that any previously registered capture has been disabled automatically:
datastore# capture
Name: datastore (ACTIVE)
Address: localhost
Created the: 2016-08-10 11:26
Device ID: 55EAE076-C7F8-7245-979E-6C2E1E9E394A
Device md5: 44535c8b627a532e07ed3c6d6b379c6e
Time: 2016-08-10 13:45
SPV Version: 4.1.0-r1-internal
Sniffer status: ok, pid 3502
Sniffer version: nova/4.1.0
License: ok
Expiration: 2016-08-24 22:00 UTC
Is booting: False
Location ID: 0
Location md5: cfcd208495d565ef66e7dff9f98764da
Name: capture (DISABLED)
Address: 192.168.10.227
Created the: 2016-08-10 11:35
Device ID: D0FD45EA-673D-FE40-AAF2-BD3E4D86FA4B
Device md5: 0a7583d16e5625f615d466ffbce9c783
One of the few changes in the 4.1 release is the revamped registration system.
To learn how new captures can be added on your 4.1 datastore, see How to configure a capture probe.
As described in the new registration guide, we first have to create a PIN code on the freshly updated capture (capture 192.168.10.227 on the previous example):
capture# register pin create
PIN: 6297
Fingerprint: e8:70:3d:e1:a3:ee:25:c4:ca:9e:c3:35:11:c6:f0:ea
The register
command has been added in the 4.1 release and allow you to
handle any authorized connection on your nodes.
The pin
sub-command allow you to create
, discard
or show
any PIN
code you may have created. PIN codes are temporary and one-time use only.
Once the PIN code has been created on the capture, the datastore can use it to authenticate itself on the capture. From the pulsar on the datastore (localhost in previous example):
datastore# register authenticate 192.168.10.227 6297
Do you validate the remote host key fingerprint? e8:70:3d:e1:a3:ee:25:c4:ca:9e:c3:35:11:c6:f0:ea: yes
Successfully registered
The authenticate
sub-command will register a datastore on a capture (its
first argument) with a PIN code (its second argument).
To avoid any man-in-the-middle attack, you should closely verify the host key fingerprint (which will also be displayed to you when you try to connect to your node via the SSH protocol).
Now that the capture authorizes connections from the datastore, it can be marked as active. From the pulsar on the datastore (localhost in previous example):
datastore# capture activate 192.168.10.227
Capture '192.168.10.227' is now active.
In the 4.1 release your capture can be activated or deactivated at will (useful if you are moving the machines around, for example). The datastore won’t try to reach any deactivated capture and as such, won’t warn if any of them appears to be unreachable.
To verify the connection has been re-established to all of your captures, simply list them again. The datastore should be able to retrieve some information about each of them (like their new version):
datastore# capture
Name: datastore (ACTIVE)
Address: localhost
Created the: 2016-08-10 11:26
Device ID: 55EAE076-C7F8-7245-979E-6C2E1E9E394A
Device md5: 44535c8b627a532e07ed3c6d6b379c6e
Time: 2016-08-10 13:57
SPV Version: 4.1.0-r1-internal
Sniffer status: ok, pid 3502
Sniffer version: nova/4.1.0
License: ok
Expiration: 2016-08-24 22:00 UTC
Is booting: False
Location ID: 0
Location md5: cfcd208495d565ef66e7dff9f98764da
Name: capture (ACTIVE)
Address: 192.168.10.227
Created the: 2016-08-10 11:35
Device ID: D0FD45EA-673D-FE40-AAF2-BD3E4D86FA4B
Device md5: 0a7583d16e5625f615d466ffbce9c783
Time: 2016-08-10 13:58
SPV Version: 4.1.0-r1-internal
Sniffer status: ok, pid 3215
Sniffer version: nova/4.1.0
License: ok
Expiration: 2016-12-31 23:00 UTC
Is booting: False
Location ID: 0
Location md5: cfcd208495d565ef66e7dff9f98764da