Step 2: Connect IAG5 to Itential Cloud
  • 20 Dec 2024


Objective: Configure a secure WebSocket connection between your IAG5 server and Itential Cloud and verify the connection.
Time required: 7-10 minutes

Prerequisites

You will need the following to complete this step:

  • A running IAG5 server with internet access for WSS traffic over port 443.
  • An active Itential Automation Service account in Itential Cloud.
  • A Linux text editor for making configuration file changes.

1. Configure IAG5 Public/Private Certificates

To authenticate your IAG5 server to the Automation Service, you need a public certificate. For this tutorial we will generate and use a private key and self-signed certificate. On your Linux server, run the following command:

sudo openssl req -x509 -newkey rsa:4096 \
               -keyout /etc/gateway/certificates/commander-key.pem \
               -out /etc/gateway/certificates/commander.pem \
               -days 365 -nodes \
               -subj "/CN=`hostname --long`" \
               -addext "basicConstraints=CA:FALSE" \
               -addext "keyUsage=digitalSignature,keyEncipherment" \
               -addext "extendedKeyUsage=serverAuth"

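This generates a private key file and a certificate file in the locations below. Because of the -nodes option, the private key is written without a passphrase, so restrict access to commander-key.pem.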

/etc/gateway/certificates/commander-key.pem
/etc/gateway/certificates/commander.pem

Note: In step 5, you will need to upload the /etc/gateway/certificates/commander.pem file to your Itential Cloud account.


2. Get your Automation Service Host URI

We will now complete IAG5 configuration so it can connect to the Automation Service in Itential Cloud. You will need to get the Automation Service cloud host URI from the Automation Service UI by following these steps:

  1. Log in to your Automation Service account.
  2. Go to Automation → Gateways
  3. Click the 'copy' button to copy the value indicated in the red box below - we'll refer to this as the Automation Service Host URI:

Figure 3: IAG5 Automation Service Host URI


3. Update IAG5 Server Config File

We will now update the IAG5 configuration with this endpoint and some other information.

  1. Open the IAG5 configuration file found at /etc/gateway/gateway.conf with an editor.
  2. Update the configuration under [commander] to match the following:
[commander]
certificate_file = '/etc/gateway/certificates/commander.pem'
private_key_file = '/etc/gateway/certificates/commander-key.pem'
enabled = true
host = '<your automation service host uri>'


4. Get your IAG5 Cluster ID

In the same gateway.conf file, look for (and take note of) the cluster ID. Optionally, you can update this value to a string of your choosing, but it must be unique among all IAG5 servers that you want connected to your Automation Service.

[application]
cluster_id = 'cluster_1'

More information on IAG5 configuration variables can be found here.
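
A pre-flight check that can be run before the restart in step 6, added here as an example and not part of Itential's own tooling: it reads the [commander] and [application] settings from steps 3 and 4, confirms the placeholder host was replaced, that the unencrypted key from step 1 is closed to group and other users, and that the certificate matches the key. The function names are hypothetical, and the script assumes gateway.conf uses the simple key = 'value' lines shown on this page.

```shell
# Added example: pre-flight check of gateway.conf before restarting IAG5.
# Function names are hypothetical; paths and setting names are from this page.

# conf_get FILE SECTION KEY: print KEY's value from [SECTION], quotes stripped.
conf_get() {
  awk -v sec="[$2]" -v key="$3" '
    /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_sec = (s == sec); next }
    in_sec && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
      gsub(/[ \t]/, "", k)
      gsub("^[ \t\047\"]+|[ \t\047\"]+$", "", v)   # trim blanks and quotes
      if (k == key) { print v; exit }
    }' "$1"
}

# fail MSG: report one finding and mark the run as failed.
fail() { echo "FAIL: $1"; rc=1; }

# check_config FILE: settings from steps 3 and 4, plus key file permissions.
check_config() {
  rc=0
  cert=$(conf_get "$1" commander certificate_file)
  key=$(conf_get "$1" commander private_key_file)
  host=$(conf_get "$1" commander host)
  [ "$(conf_get "$1" commander enabled)" = true ] || fail "[commander] enabled is not true"
  case $host in ''|*'<'*) fail "host is empty or still the placeholder" ;; esac
  [ -n "$(conf_get "$1" application cluster_id)" ] || fail "cluster_id is not set"
  for f in "$cert" "$key"; do [ -f "$f" ] || fail "file not found: '$f'"; done
  # The key was written with -nodes (no passphrase): group/other need no access.
  if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
    fail "$key is accessible to group or other users"
  fi
  return "$rc"
}

# check_keypair CERT KEY: the certificate must carry the key's public half.
check_keypair() {
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$a" = "$b" ]
}

# Usage: sudo sh preflight.sh /etc/gateway/gateway.conf
if [ $# -gt 0 ]; then
  check_config "$1" || exit 1
  check_keypair "$cert" "$key" || { echo "FAIL: certificate does not match key"; exit 1; }
  echo "OK: configuration is ready for the restart"
fi
```

A mismatch between certificate and key usually means one of the two files was regenerated after the other; rerun the command from step 1 and upload the new commander.pem.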

5. Upload IAG5 certificate and register it in Itential Cloud

  1. Log in to your Automation Service account.
  2. Go to the Automation → Gateways page
  3. Click Upload Certificate
  4. Navigate to the commander.pem file and upload it
  5. Confirm that you want to trust this certificate
  6. Click Add Gateway
  7. Enter a meaningful name for the gateway (your choice)
  8. Enter the Cluster ID that you took note of in step 4 (default value is cluster_1 on a fresh install)
  9. Make sure Set As = "Enabled"
  10. Click Next and then click Yes
  11. From the drop down list, select the certificate you uploaded and click Save
  12. Select the admins and users groups that will manage the gateway and click Create

You will get a message telling you the IAG5 gateway has been added. You will see the new gateway listed under Gateways.

6. Restart IAG5 to Connect

Now that an IAG5 gateway is configured in the Automation Service, you can restart the IAG5 service so that the configuration values you set earlier take effect.

sudo systemctl restart iagctl.service



Check the IAG5 log to confirm that it connected successfully.

cat /var/log/gateway/gateway.log | grep "connected to commander"



You should see a log entry that resembles the following:

INF connected to commander at <your-commander-hostname>:443


You can also confirm that IAG5 has successfully connected to your Automation Service account by doing the following:

  1. Log in to your Automation Service account.
  2. Go to the Automation → Gateways page
  3. Locate your IAG5 in the gateways list and verify that it shows as being CONNECTED

Your IAG5 server is now connected to the Automation Service in Itential Cloud.

