How to create Tunnels between two hubs and Verify the communication using Queues

Document ID : KB000012105
Last Modified Date : 23/10/2018
Introduction:

Tunnels enable secure communication from one hub to another.

Tunnels are required for hubs separated by a firewall, and recommended for all secondary hubs.

Question:

How to create Tunnels between two hubs and Verify the communication using Queues

Environment:
UIM: 8.x
OS: Windows and UNIX
Answer:

Once you have decided which hub will act as the tunnel client and which as the tunnel server, follow the steps below to create the tunnel connectivity.

Server Side Configuration:

1. Open hub probe configuration and select General tab, and make sure to enable the checkbox "Enable tunneling" and click on Apply to restart the hub.


2. Once the Tunnels tab is enabled, select the "Server Configuration" tab.

3. Create a server and client certificate setup with the required information.

Note: Uncheck "Check Server Common Name" if the tunnel server is NAT'ed. You can also use a wildcard, i.e. either one asterisk '*' or four asterisks '*.*.*.*' (without quotes), to set up a single certificate that can then be used for multiple tunnel clients.


4. Click on OK and then reopen the certificate.

5. Once the "Certification Information" GUI opens, go to the "Certificate" tab, click "Copy" and then OK.


6. Click on "Apply" to restart the probe.


 

Client Side Configuration:

1. Open hub probe configuration and select General tab, and make sure to enable the checkbox "Enable tunneling" and click on Apply to restart the hub.

2. Once the Tunnels tab is enabled, select the "Client Configuration" tab.

3. Click on "New", which will open "New Tunnel Connection" GUI.


4. Provide the tunnel server IP address and password, and paste the certificate that was copied while creating the client certificate on the server side.


5. Click on "Apply" and click "Yes" to restart the probe.

 

Tunnel Verification: 

Tunnel verification can be done by creating Queues between Tunnel Server and Tunnel Client.

Queues allow messages from client hubs to reach the primary hub. We can use either a combination of attach and get queues, or post queues.

Attach queue: It is a permanent queue that collects the messages sent by the hub’s robots. A corresponding get queue is paired with each attach queue to retrieve those messages.

Post queue: A post queue sends a directed stream of messages to a specified hub.

 

Send Queue Creation at Client/Remote Hub:

1. Open hub probe configuration and select "Queues" tab

2. Click on "New" to create a Queue and give the required name.


3. Select the Type, Address, and Subject fields.


4. Click "OK" and then click on "Apply" to restart the probe.


 

Receive Queue Creation at Server/Primary Hub:

1. Open hub probe configuration and select "Queues" tab

2. Click on "New" to create a Queue and give the required name.


3. Select the Type, Address, and Subject fields. 

Select the "get" type if the send queue was created with the attach type.

In the Address field, select the remote hub from which you want to receive the messages/alarms.

                 

4. Click "OK" and then click on "Apply" to restart the probe.


5. Wait for some time and then check the Status tab under hub probe configuration.


 

 

Additional Information:

Multiple-hub infrastructure that uses tunnels that are NOT SSL tunnels:

All ports that are used in a single-hub installation

48003 for the tunnel server (can also be set to 443)

 

Multiple-hub infrastructure that uses SSL tunnels:

48000 (controller) and 48002 (hub)

48003 to allow the tunnel client to access the tunnel server

8443 and 8080 (service_host) to allow the tunnel client to access Admin Console and CA UIM web page
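
If the tunnel does not come up, it helps to confirm from the tunnel client host that the firewall passes the ports listed above to the tunnel server. The following is an added example, not part of the original article or of UIM itself; the function names, the status labels and the timeout are this example's own, and the port map must be adjusted if the tunnel port was changed (for example to 443).

```python
import socket
import sys

# Port numbers are the ones listed under "Additional Information" above.
# 48003 is the tunnel server port; the article notes it can be set to 443,
# so pass a custom map if your tunnel server uses a different value.
NON_SSL_TUNNEL_PORTS = {"tunnel server": 48003}
SSL_TUNNEL_PORTS = {
    "controller": 48000,
    "hub": 48002,
    "tunnel server": 48003,
    "service_host 8443": 8443,
    "service_host 8080": 8080,
}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused', 'filtered' or 'error: ...'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # The host answered with a reset: the path is clear, nothing is listening.
        return "refused"
    except socket.timeout:
        # No answer at all: usually a firewall silently dropping the connection.
        return "filtered"
    except OSError as exc:
        return "error: %s" % exc


def check_tunnel_path(host, ports=SSL_TUNNEL_PORTS, timeout=3.0):
    """Probe every port in the map and return {name: (port, status)}."""
    return {name: (port, probe(host, port, timeout)) for name, port in ports.items()}


def blocked(report):
    """Names of the ports that did not accept a connection."""
    return [name for name, (_, status) in report.items() if status != "open"]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python tunnel_ports.py <tunnel-server-address>")
    result = check_tunnel_path(sys.argv[1])
    for name, (port, status) in result.items():
        print("%-20s %5d  %s" % (name, port, status))
    sys.exit(1 if blocked(result) else 0)
```

A "refused" result for 48003 points at the hub side (tunneling not enabled or the hub not yet restarted), while "filtered" points at a firewall between the two hubs.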

 
