Install the PCE and UI
When installing the PCE and UI packages together, you perform the following high-level steps:
- Prepare for installation by planning your deployment and reviewing the prerequisites, such as capacity planning and OS setup. See PCE Installation Planning for information.
- Download the software.
- Install the PCE and UI software.
- Configure the PCE.
- (Optional) Validate TLS certificate and private key.
- Install the TLS certificate and private key.
- Verify the runtime environment was configured correctly.
- Start the PCE.
- Initialize the PCE.
- Install Virtual Enforcement Nodes (VENs) to enable the PCE to manage your workloads, as described in the VEN Installation and Upgrade Guide.
At this point, the PCE is up and running, receiving communication about workloads from the VENs.
After installing the PCE software, perform these additional procedures to complete your PCE deployment.
- Configure backups.
- (Optional) Configure the internal syslog. See (Optional) Configure PCE Internal syslog for information.
The following tasks describe installing the PCE as a multi-node cluster (MNC). When you install the PCE as a single-node cluster (SNC), you do not repeat the steps on the additional nodes; disregard those instructions in the following tasks.
Download the Software
For a multi-node cluster:
- Download the software from the Illumio Support portal (login required).
- On the core nodes only, copy the Illumio PCE UI RPM file to the `/tmp` folder. The following steps refer to this file as `illumio_ui_rpm`.
- On each node in the cluster, copy the Illumio PCE software RPM file to the `/tmp` folder. The following steps refer to this file as `illumio_pce_rpm`.
For a single-node cluster:
Install the PCE and UI Packages
The packages to install depend on the type of PCE node:
- Core nodes: Two packages, the PCE RPM and UI RPM.
- Data nodes: One package, the PCE RPM.
- On each core node in the cluster, log in as root and install the PCE RPM:

  ```
  $ rpm -Uvh illumio_pce_rpm
  ```

  For `illumio_pce_rpm`, substitute the path and filename of the software you downloaded from the Illumio Support portal.
- On each core node in the cluster, log in as root and install the UI RPM:

  ```
  $ rpm -Uvh illumio_ui_rpm
  ```

  For `illumio_ui_rpm`, substitute the path and filename of the software you downloaded from the Illumio Support portal.
- On each data node in the cluster, log in as root and install the PCE RPM:

  ```
  $ rpm -Uvh illumio_pce_rpm
  ```

  For `illumio_pce_rpm`, substitute the path and filename of the software you downloaded from the Illumio Support portal.
- After installing the RPMs, configure the software using the PCE setup wizard. See Configure the PCE for information.
Runtime Parameter | Value to Use
---|---
`service_discovery_fqdn: x.x.x.x` | IP address of the PCE (this node)
`cluster_public_ips/cluster_fqdn:` | Auto-generated
`node_type: snc0` | Use `snc0`
`datacenter [dc1]:` | Leave as default (`dc1`)
`front_end_https_port: 8443` | 8443 is the default port
`web_service_private_key:` | SNC domain key; for example, `/etc/pki/tls/private/your_snc_domain.key`
`web_service_certificate:` | Certificate bundle; for example, `/etc/pki/tls/certs/good_cert_bundle.crt`
`trusted_ca_bundle:` | Certificate bundle; for example, `/etc/pki/tls/certs/good_cert_bundle.crt`
`email_address:` | `noreply@your-snc-domain`
`email_display_name: noreply` | `noreply` should be the default
`service_discovery_encryption_key:` | Leave blank; just press Enter
`smtp_relay_address: 127.0.0.1:587` | Use the default `127.0.0.1:587`
`reporting_datastore: data_dir:` | Leave default and press Enter
`syslog_event_export_format: json` | Use the `json` default
`insecure_tls_weak_ciphers_enabled [true]:` | Enter `false`
`standby_management_database: data_dir:` | Leave default and press Enter
`Save to configuration /etc/illumio-pce/runtime_env.yml [Y/n]?` | Enter `Y`
Runtime Parameter | Value to Use
---|---
`common_criteria_events_enabled` | `true`. Enables TLS event messages.
`min_tls_version` |
`max_failed_login_attempts` |
`account_lockout_duration_minutes` |

Runtime Parameter | Value to Use
---|---
`server_load_balancer` | Enable HSTS
`strict_transport_security_max_age_in_seconds` |

Runtime Parameter | Value to Use
---|---
`internal_service_ip` | Enter the node public IP address.

Runtime Parameter | Value to Use
---|---
`login_banner` |
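Before starting the PCE, you can confirm that `runtime_env.yml` holds the hardening values from the setup tables above (`insecure_tls_weak_ciphers_enabled: false`, `common_criteria_events_enabled: true`, `syslog_event_export_format: json`, and the TLS paths set) and that the private key and certificate named by `web_service_private_key` and `web_service_certificate` belong together, which is the optional "validate TLS certificate and private key" step listed at the start of this page. The script below is an added example, not Illumio tooling or a PCE command. It assumes the parameters it reads are flat top-level `key: value` lines in the file, that the file path is passed as an argument, and that `openssl` is installed; the sample `runtime_env.yml` it can write is constructed here for trying the checks offline.

```shell
#!/bin/sh
# Added example, not part of the Illumio PCE documentation or product.
# Pre-start checks for a PCE node's /etc/illumio-pce/runtime_env.yml:
#   check_runtime_env FILE           hardening keys hold the values the setup table asks for
#   check_key_matches_cert KEY CERT  private key and certificate belong together (needs openssl)
#   pce_precheck FILE                runs both, taking the key/cert paths from FILE
# Assumption: the keys read here are flat top-level "key: value" lines.

# Print the value of a top-level "key: value" line; prints nothing if the key is absent.
yaml_get() {
    awk -v k="$2" '
        $0 ~ ("^" k ":") { sub(("^" k ":[ \t]*"), ""); print; exit }
    ' "$1"
}

# Compare the hardening-relevant parameters against the values from the setup table.
check_runtime_env() {
    file=$1; rc=0
    weak=$(yaml_get "$file" insecure_tls_weak_ciphers_enabled)
    if [ "$weak" != "false" ]; then
        echo "FAIL: insecure_tls_weak_ciphers_enabled is '${weak:-unset}', expected false"; rc=1
    fi
    cc=$(yaml_get "$file" common_criteria_events_enabled)
    if [ "$cc" != "true" ]; then
        echo "FAIL: common_criteria_events_enabled is '${cc:-unset}', expected true"; rc=1
    fi
    fmt=$(yaml_get "$file" syslog_event_export_format)
    if [ "$fmt" != "json" ]; then
        echo "FAIL: syslog_event_export_format is '${fmt:-unset}', expected json"; rc=1
    fi
    # The setup table gives the TLS material no default, only example paths, so it must be set.
    for key in web_service_private_key web_service_certificate trusted_ca_bundle; do
        if [ -z "$(yaml_get "$file" "$key")" ]; then
            echo "FAIL: $key is not set"; rc=1
        fi
    done
    if [ $rc -eq 0 ]; then echo "OK: $file passes hardening checks"; fi
    return $rc
}

# Confirm the private key and certificate carry the same public key. Comparing the
# SubjectPublicKeyInfo works for RSA and EC keys alike. With a bundle file, openssl
# reads the first certificate, so the server certificate must come first in the bundle.
check_key_matches_cert() {
    key=$1; cert=$2
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "FAIL: cannot read private key $key"; return 1; }
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "FAIL: cannot read certificate $cert"; return 1; }
    if [ "$kpub" = "$cpub" ]; then
        echo "OK: $key matches $cert"; return 0
    fi
    echo "FAIL: $key does not match $cert"; return 1
}

# Run both checks, taking the key and certificate paths from the runtime file itself.
pce_precheck() {
    f=$1; rc=0
    check_runtime_env "$f" || rc=1
    k=$(yaml_get "$f" web_service_private_key)
    c=$(yaml_get "$f" web_service_certificate)
    if [ -n "$k" ] && [ -n "$c" ]; then
        check_key_matches_cert "$k" "$c" || rc=1
    fi
    return $rc
}

# Constructed sample runtime_env.yml fragment (not a real PCE file) for trying the
# checks offline: write_sample_env PATH VALUE_FOR_insecure_tls_weak_ciphers_enabled
write_sample_env() {
    cat > "$1" <<EOF
service_discovery_fqdn: 192.0.2.10
node_type: snc0
front_end_https_port: 8443
web_service_private_key: /etc/pki/tls/private/your_snc_domain.key
web_service_certificate: /etc/pki/tls/certs/good_cert_bundle.crt
trusted_ca_bundle: /etc/pki/tls/certs/good_cert_bundle.crt
syslog_event_export_format: json
insecure_tls_weak_ciphers_enabled: $2
common_criteria_events_enabled: true
EOF
}

# Run directly with the runtime file as the argument, for example:
#   sh pce_precheck.sh /etc/illumio-pce/runtime_env.yml
# When sourced with no argument, only the functions are defined.
if [ $# -eq 1 ]; then
    pce_precheck "$1"
fi
```

`check_runtime_env` reports every failing parameter rather than stopping at the first, so one run shows everything that still needs the setup wizard rerun, and `pce_precheck` returns non-zero if either check fails, which lets it gate a deployment script before the PCE is started.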