Install Cloud Exchange
This document is for non-Amazon ECS deployment. For guidance on how to install a Cloud Exchange for Amazon ECS image purchased through the AWS Marketplace, go to Install Netskope Cloud Exchange with AWS ECS Fargate.
Only an Admin should install Cloud Exchange. The Docker images are available on Docker Hub. Make sure the volume can connect to Docker Hub before executing the ./start command. Ensure Docker connectivity prior to running the docker-compose command.
Note
Ensure that the most up-to-date version of Docker is installed on the host prior to installing or upgrading Cloud Exchange.
For guidance on how to back up your data and files for restoration after a clean install, or for disaster recovery, read this article: Backup Cloud Exchange.
To ensure your Cloud Exchange instance notifies you whenever an update is available, go to Settings > General and click Check for Updates.
For guidance on how to upgrade/migrate to the newest code, refer to one of these articles:
To install Cloud Exchange:
Please review and ensure that all host and connectivity requirements have been validated before starting the install.
Note
To install Cloud Exchange on a Red Hat Enterprise Linux host (8.x or newer), refer to this article for additional requirements related to RHEL 8.0.
Clone the netskopeoss/ta_cloud_exchange public GitHub repository to a volume with at least 20 GB of storage. Always clone to any folder other than /usr/local to avoid a conflict within Docker.
mkdir netskope
cd netskope
git clone https://github.com/netskopeoss/ta_cloud_exchange
cd ta_cloud_exchange
Note
If you are a Beta user, run the following command during Step 2 to download the beta version of a release instead of the git clone command shown above:
git clone -b beta https://github.com/netskopeoss/ta_cloud_exchange
During step 2, while executing the setup script, opt IN to beta to use the beta code rather than the default action of searching for the latest GA version.
Execute the setup script and follow the steps:
python3 ./setup
Special characters (including, but not limited to "#", "$", "/", etc.) are not supported when setting the maintenance password for CE. Some of the processes do not work and will cause system failures if you use special characters.
Only use alphanumeric values for the maintenance password used by the JWT token.
Launch Cloud Exchange 3:
./start
The Cloud Exchange UI is now accessible with the system’s IP (https://<ip>).
How to Generate and Install an SSL Certificate into Cloud Exchange
When first installed, Cloud Exchange does not require an SSL certificate and the web server can be reached over an unencrypted connection.
Note
There are two SSL-related folders created on the file system: ssl_certs and ca_certs.
If you want to add your own SSL certificate(s), you can add them to the ta_cloud_exchange/data/ssl_certs directory. The certificate and key files should be named cte_cert.crt and cte_cert_key.key. The steps below explain how to do this.
The ca_certs directory is used, for example, when you configure a plugin for an on-premises product (like MISP, QRadar, etc.) that has a self-signed SSL certificate issued by your organization. In this case, you need to put your CA certs in the ca_certs directory to add them to the trust chain.
After you have the certificate(s) you want to use for connecting to Cloud Exchange, follow these steps to install your private certificate(s) to securely access Cloud Exchange.
Log in to your Cloud Exchange host via CLI.
Browse to the ta_cloud_exchange/ directory.
Execute the command:
./stop
Remove the existing certificates by going to the /ta_cloud_exchange/data/ssl_certs directory and using these commands:
rm -rf cte_cert.crt
rm -rf cte_cert_key.key
After the existing SSL certificate is removed, you can install your private SSL certificate.
Copy the new certs to /ta_cloud_exchange/data/ssl_certs:
sudo cp -r ../<Path_of_SSL_Certificate> .
Restart Cloud Exchange using the command:
./start
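Before copying a new pair into ta_cloud_exchange/data/ssl_certs, it helps to confirm that the two files are what the steps above expect. The script below is an added example, not part of the Netskope documentation or the Cloud Exchange code; only the file names cte_cert.crt and cte_cert_key.key come from this page, while the function name check_ce_certs, its exit codes and the use of the openssl CLI are assumptions.

```shell
#!/bin/sh
# Added example, not Netskope code. Only the file names cte_cert.crt and
# cte_cert_key.key come from the page; the function name, exit codes and
# reliance on the openssl CLI are assumptions of this example.
#
# check_ce_certs DIR  ->  0 when DIR holds a usable pair, otherwise:
#   2 file missing/empty    3 wrong PEM content    4 key/cert mismatch
#   5 certificate expired   6 openssl not installed
check_ce_certs() {
    crt="$1/cte_cert.crt"
    key="$1/cte_cert_key.key"

    for f in "$crt" "$key"; do
        if [ ! -f "$f" ] || [ ! -s "$f" ]; then
            echo "FAIL: $f is missing or empty"; return 2
        fi
    done

    # Reject swapped files and combined cert+key bundles before going further.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$crt" ||
        { echo "FAIL: $crt is not a PEM certificate"; return 3; }
    if grep -q -- 'PRIVATE KEY-----' "$crt"; then
        echo "FAIL: $crt contains a private key"; return 3
    fi
    grep -q -- 'PRIVATE KEY-----' "$key" ||
        { echo "FAIL: $key is not a PEM private key"; return 3; }

    command -v openssl >/dev/null 2>&1 ||
        { echo "FAIL: openssl is needed for the remaining checks"; return 6; }

    # Compare the public key in the certificate with the one derived from
    # the private key. "-passin pass:" makes a passphrase-protected key
    # fail here instead of prompting.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: key is unreadable or does not match the certificate"; return 4
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; return 5; }

    echo "OK: $crt and $key form a matching, unexpired pair"
}

# Run against a staging directory when one is given on the command line.
if [ "$#" -gt 0 ]; then check_ce_certs "$1"; fi
```

Run it against a staging directory that already holds the renamed files, and copy them into ssl_certs only when it exits 0.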
This video shows how to use a Cloud Exchange setup script to create a self-signed certificate to enable and access the Cloud Exchange UI over HTTPS.