SeaCat Gateway Installation

Preparing the SeaCat Gateway environment

Prerequisites for SeaCat Gateway installation:

  • Fully operational Linux Server
  • SSH access to this server with root privileges
  • Installed command-line OpenSSL (latest version)
  • Internet access (recommended)

For more details, see the Requirements chapter.

Installing SeaCat Gateway

It is assumed that the Linux shell is opened with root privileges.

1. Create a local seacat user with a disabled password and no interactive logon:

# adduser --disabled-password --gecos "" seacat

2. Copy the SeaCat Gateway binary distribution archive to the Linux server. In this example, 1.2.3.4 is the server's IP address and SeaCatGateway_x86-64_v15.12.tar.bz2 is the name of the distribution archive. This command is run on the operator's own machine, not on the server.

# scp /local/path/to/SeaCatGateway_x86-64_v15.12.tar.bz2 root@1.2.3.4:/home/seacat

3. Change into the /opt directory:

# cd /opt

4. Extract the binary distribution archive:

# tar xvjf /home/seacat/SeaCatGateway_x86-64_v15.12.tar.bz2

5. Create a new etc directory under /opt/user and change into it. In this example, the user is seacat:

# mkdir /opt/seacat/etc
# cd /opt/seacat/etc

6. Generate 2048-bit Diffie-Hellman parameters in the /opt/seacat/etc directory. This can take a long time to finish (e.g. 5 minutes):

# openssl dhparam -outform PEM -out /opt/seacat/etc/dh_params.pem 2048

7. The output should look like this:

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........................................................................................................................+....................+...................................................+...................................

8. Generate a 4096-bit RSA private key and a SeaCat Gateway Certificate Signing Request in the /opt/seacat/etc directory. Enough entropy must be available before the RSA private key is generated. To check the available entropy, execute:

# cat /proc/sys/kernel/random/entropy_avail

If the value is above 1024, it is safe to proceed. Otherwise, an entropy daemon such as haveged is recommended. On Linux systems with apt (Ubuntu Linux, Debian Linux) or yum (Red Hat Enterprise Linux, CentOS Linux), haveged is installed with:

# apt-get install haveged

or

# yum install haveged

Once it is safe to continue, run the generation and answer the prompts with values for this installation. The Common Name must match the regular expression ^gw-[a-zA-Z0-9-]{1,60}\.s\.seacat\.mobi$ and must be globally unique. The Common Name identifies the purpose of the SeaCat Gateway (e.g. the application name).

# openssl req -out /opt/seacat/etc/gateway_csr.pem -new -newkey rsa:4096 -nodes -keyout /opt/seacat/etc/gateway_key.pem


Country Name (2 letter code) [AU]: Country (e.g. UK)
State or Province Name (full name) [Some-State]: State (e.g. Great-Britain)
Locality Name (eg, city) []: City (e.g. London)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Company Name (e.g. My Company Ltd)
Organizational Unit Name (eg, section) []: Company Unit Name (e.g. CRM Mobile)
Common Name (e.g. server FQDN or YOUR name) []: Gateway Name (e.g. gw-crm.s.seacat.mobi or gw-mobile-security.s.seacat.mobi)
Email Address []: Contact email address (e.g. support@mycompany.com)
A challenge password []:
An optional company name []:

9. Restrict the access rights of the SeaCat Gateway RSA private key file:

# chmod o-rwx /opt/seacat/etc/gateway_key.pem
# chown root:seacat /opt/seacat/etc/gateway_key.pem
# chmod g+r-wx /opt/seacat/etc/gateway_key.pem

10. Copy the whole Certificate Signing Request text, from the BEGIN line to the END line, paste it into a new e-mail and send it to support@teskalabs.com with "CSR request: " followed by the Common Name as the e-mail subject:

# cat /opt/seacat/etc/gateway_csr.pem

An example of the copied text:

-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG
...
...
...
wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c
1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI
97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
-----END CERTIFICATE REQUEST-----

11. Create a new /opt/seacat/var/ca directory and set the appropriate access rights on it. In this example, the uid and gid are set to seacat:

# mkdir -p /opt/seacat/var/ca
# chown seacat:seacat /opt/seacat/var/ca

12. Create a new /opt/seacat/var/log directory:

# mkdir -p /opt/seacat/var/log

13. Create a new configuration file in /opt/seacat/etc:

# vi /opt/seacat/etc/seacat.conf

14. Press i to enter insert mode in the vim text editor and insert the following:

[gateway]
listen=0.0.0.0:443
uid=seacat
gid=seacat

key=/opt/seacat/etc/gateway_key.pem
cert=/opt/seacat/etc/gateway_cert.pem
ca_chain=/opt/seacat/etc/ca_chain.pem
dh_params=/opt/seacat/etc/dh_params.pem

[gateway:triggers]
on_client_csr_received=/opt/seacat/bin/seacatca -c /opt/seacat/etc/seacat.conf store_csr -
on_client_cert_query=/opt/seacat/bin/seacatca -c /opt/seacat/etc/seacat.conf get -RCo -
on_client_cert_verify=/opt/seacat/bin/seacatca -c /opt/seacat/etc/seacat.conf verify_cert -

[ca:backend_dir]
directory=/opt/seacat/var/ca

[host:example1]
uri=http://www.example.com/endpoint1

[host:example2]
uri=http://other.example.com/endpoint2

15. Press Esc, then type :wq to save the changes and quit.

This is a typical configuration file. SeaCat Gateway configuration is described in the Configuration chapter; the SeaCat Configuration Reference chapter provides further details on this topic.

16. Paste the SeaCat Gateway Certificate you received by e-mail into the console:

# cat > /opt/seacat/etc/gateway_cert.pem

An example of SeaCat Gateway Certificate to copy:

-----BEGIN CERTIFICATE-----
MIIGBzCCA++gAwIBAgIEAuQ0BDANBgkqhkiG9w0BAQwFADCBnjELMAkGA1UEBhMC
Q1oxFzAVBgNVBAgMDkN6ZWNoIFJlcHVibGljMQ8wDQYDVQQHDAZQcmFndWUxFDAS
IB7UbxOMrCG/fAedZZ93ImwxCenjDM+EMdXT8Atu+rwhdW4RdLG1b66kAqwVmnAs
...
...
...
HUI8Eps13fpbl/ehac32PlJ+LLXwbk/R3E35H19lVVetWvE/0FxI325Vab5HwJmr
To+c/nv6jKXzy6rYWvjAvx1AeepBie56TQSOHwTHbTykDDKSB7fbfJGpYBjBisYV
sO8a5EyYbTKQlMbfNcJHltJukKpMcLwolV4rbpyP7bVNsMnKDALw3P1YDkIMSNhA
dY8RsP6GWCAEGa8=
-----END CERTIFICATE-----

17. Press Enter, then Ctrl-D (Ctrl and D together), to end the input, create the file and continue.

18. Download the public certificate of the TeskaLabs root Certificate Authority and build the Certificate Authority chain:

# curl http://ca.seacat.mobi/seacat-ca.crt | cat - /opt/seacat/etc/gateway_cert.pem > /opt/seacat/etc/ca_chain.pem

19. The SeaCat Gateway Certificate Signing Request file can safely be removed at this point:

# rm /opt/seacat/etc/gateway_csr.pem

20. Update the network settings by shortening the TCP keepalive timers to better fit the behavior of mobile Client connections. More information about these settings is in the Configuration chapter:

# vi /etc/sysctl.d/10-seacat.conf

21. Press i to enter insert mode in the vim text editor and insert the following:

net.ipv4.tcp_keepalive_time = 900
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9

22. At this point SeaCat Gateway is installed and ready for configuration fine-tuning and use.
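The steps above leave a small set of files in /opt/seacat/etc whose consistency can be checked mechanically before the gateway is started. The script below is an added example, not part of the SeaCat documentation or distribution: it re-checks the private key permissions from step 9, that the key matches the e-mailed certificate, that the certificate's Common Name obeys the naming rule from step 8, that the chain from step 18 holds the root CA followed by the gateway certificate, and that the gateway certificate verifies against that root alone (worth doing, since step 18 fetches the root over plain HTTP and nothing else authenticates that download). The paths, the root:seacat ownership and the use of openssl, stat and awk are assumptions taken from the steps above; the function names are the example's own.

```shell
#!/bin/sh
# Post-installation checks for a SeaCat Gateway host. Added example, not part
# of the SeaCat distribution: it only re-examines the files the steps above
# leave in /opt/seacat/etc (default; pass another directory as first argument)
# and reports anything that does not match what those steps intend. Assumes a
# Linux host (GNU or BusyBox stat, awk) and the command-line openssl listed
# in the prerequisites.

# Naming rule the Common Name must satisfy (step 8).
CN_PATTERN='^gw-[a-zA-Z0-9-]{1,60}\.s\.seacat\.mobi$'

# 0 if CN satisfies the naming rule, 1 otherwise.
valid_gateway_cn() {
    printf '%s\n' "$1" | grep -Eq "$CN_PATTERN"
}

# 0 if FILE is mode 0640 and owned by OWNER:GROUP, which is what step 9
# leaves for gateway_key.pem (root:seacat); 1 otherwise.
key_perms_ok() {
    [ "$(stat -c '%a %U %G' "$1" 2>/dev/null)" = "640 $2 $3" ]
}

# Prints how many PEM certificates a bundle holds. The chain from step 18 is
# expected to hold two: the TeskaLabs root CA, then the gateway certificate.
pem_cert_count() {
    if [ -r "$1" ]; then
        grep -cF -e '-----BEGIN CERTIFICATE-----' "$1" || :
    else
        printf '0\n'
    fi
}

# 0 if the RSA private key and the certificate share a modulus, i.e. the
# certificate received by e-mail was really issued for the CSR of step 8.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Prints the Common Name from a certificate's subject (empty on error).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 0 if CERT verifies against the first certificate in CHAIN only (the root CA
# fetched over plain HTTP in step 18). A gateway certificate issued by the real
# CA does not verify against any other root, so this catches a wrong download.
cert_chains_to_ca() {
    ca_only=$(mktemp) || return 1
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1 { print }' "$2" > "$ca_only" 2>/dev/null
    openssl verify -CAfile "$ca_only" "$1" > /dev/null 2>&1
    rc=$?
    rm -f "$ca_only"
    return "$rc"
}

# Runs every check against ETC (default /opt/seacat/etc), expecting the key to
# be owned by OWNER:GROUP (default root:seacat). Prints one line per check and
# returns the number of failed checks, so 0 means the installation is consistent.
seacat_postinstall_check() {
    etc=${1:-/opt/seacat/etc}; owner=${2:-root}; group=${3:-seacat}
    key=$etc/gateway_key.pem; cert=$etc/gateway_cert.pem; chain=$etc/ca_chain.pem
    fails=0
    check() {   # check "description" command [args...]
        desc=$1; shift
        if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
    }
    check "private key is 0640 $owner:$group"         key_perms_ok "$key" "$owner" "$group"
    check "private key matches gateway certificate"   key_matches_cert "$key" "$cert"
    check "certificate CN follows gw-*.s.seacat.mobi" valid_gateway_cn "$(cert_cn "$cert")"
    check "CA chain holds 2 certificates"             [ "$(pem_cert_count "$chain")" -eq 2 ]
    check "gateway certificate verifies against root" cert_chains_to_ca "$cert" "$chain"
    check "dh_params.pem present (step 6)"            [ -s "$etc/dh_params.pem" ]
    check "CSR removed (step 19)"                     [ ! -e "$etc/gateway_csr.pem" ]
    return "$fails"
}

# Stand-alone use:  SEACAT_ETC=/opt/seacat/etc sh seacat-check.sh
if [ -n "${SEACAT_ETC:-}" ]; then
    seacat_postinstall_check "$SEACAT_ETC"
fi
```

Run it as root on the gateway host after step 22; every FAIL line names the step whose result it contradicts, and the exit status is the number of failed checks. The chain check deliberately trusts only the first certificate of ca_chain.pem, because verifying against a bundle that also contains the gateway certificate itself would prove nothing.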

SeaCat Gateway init scripts

To ensure that SeaCat Gateway is correctly started and stopped, e.g. during an OS reboot, it is strongly advised to prepare an init script for it. This part varies per Linux distribution, so continue with the section for your distribution:

Log Rotating

SeaCat Gateway produces a volume of logs proportional to the amount of data traffic. Using log rotation is strongly recommended to save disk space.

The SeaCat Gateway log file is the path given by the -l <file> command-line argument (more information on command-line arguments is in the SeaCat Gateway Command-line Interface chapter). In this example, the path is /var/log/seacatd.log:

# seacatd <...> -l /var/log/seacatd.log -p /var/run/seacatd.pid

To enable log rotation, execute:

# vi /etc/logrotate.d/seacat

For daily log rotation with one month of log history, press i to enter insert mode in the vim text editor and insert the following:

/var/log/seacatd.log
{
    su root root
    daily
    rotate 31
    compress
    dateext
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/seacatd.pid 2>/dev/null`
    endscript
}

Press Esc, then type :wq to save the changes and quit.

To check that log rotation is set up properly, execute:

# cat /var/lib/logrotate/status | grep seacatd

An example of the result, with the timestamp of the next planned logrotate run:

"/opt/seacat/var/log/seacatd.log" 2016-5-27-8:15:59

For immediate log rotation, execute:

# logrotate --force /etc/logrotate.d/seacat
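Two helpers for the log rotation set up above, as an added example that is not part of the SeaCat documentation or distribution. The first parses the logrotate state file shown above (one "path" timestamp entry per line) and returns the timestamp stored for a given log; the second confirms that the pid file named in the postrotate script still points at a live process, because the SIGHUP sent to that pid is what makes the daemon reopen seacatd.log after logrotate renames it. The state file path, the pid file path and the logrotate -d dry run are assumptions taken from this section and from logrotate's own options; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of SeaCat: helpers for checking the logrotate setup.
# Assumes the state file /var/lib/logrotate/status and pid file
# /var/run/seacatd.pid from the section above; both can be overridden.

# Prints the timestamp logrotate recorded for LOG (e.g. 2016-5-27-8:15:59);
# returns 1 if the state file is unreadable or holds no entry for LOG yet.
logrotate_last_run() {
    want=$1; state=${2:-/var/lib/logrotate/status}
    [ -r "$state" ] || return 1
    # Entries look like:  "/var/log/seacatd.log" 2016-5-27-8:15:59
    awk -v want="$want" '$1 == ("\"" want "\"") { print $2; found = 1 }
                         END { exit !found }' "$state"
}

# 0 if PIDFILE names a running process. The postrotate script above sends
# SIGHUP to this pid; with a stale pid file the daemon is never told to reopen
# its log and keeps writing into the renamed file.
pidfile_alive() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Runs logrotate in debug mode on the SeaCat config: it reports what would be
# rotated and any syntax error, but changes neither the logs nor the state file.
logrotate_dry_run() {
    logrotate -d "${1:-/etc/logrotate.d/seacat}"
}

# Stand-alone use:  SEACAT_LOG=/var/log/seacatd.log sh logrotate-check.sh
if [ -n "${SEACAT_LOG:-}" ]; then
    logrotate_dry_run
    pidfile_alive /var/run/seacatd.pid || echo "pid file does not name a live seacatd"
    logrotate_last_run "$SEACAT_LOG" || echo "no logrotate entry yet for $SEACAT_LOG"
fi
```

A log that never gains an entry in the state file has not been seen by the daily logrotate run at all, which usually means the file in /etc/logrotate.d/seacat is not being read; a stale pid file shows up as the rotated file continuing to grow while the new seacatd.log stays empty.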
