Adding HAProxy Device

Prerequisites

  1. Ensure that the following packages are installed on the HAProxy machine:
    • socat
    • systemctl
    • ps
    • sftp
    • setfacl (optional)
  2. As SFTP is used for file transfers (certificate push), it is crucial to ensure that SFTP is properly configured for the logged-in user.
    1. From the cloud connector, use the sftp command to test the connection to an SFTP server. Open your terminal and type:
      sftp username@hostname
    2. Use the put command to upload the file to the remote server: put localfile /path/to/remote/directory
  3. Do not limit SFTP sessions to a single connection. Allowing only one SFTP session at a time can lead to failures during push operations. To prevent this, it is advisable to modify the settings in /etc/security/limits.conf to permit up to 5 simultaneous connections.

    Add a line such as sftptest hard nproc 5 (where sftptest is the SFTP user name) to limits.conf. Log out and log back in so that the new limit applies, then validate the SFTP connections. If this does not work, restart the SSH service and retry the use case.

    If that still does not work, add or set MaxSessions 5 in sshd_config or in any file included from sshd_config.

  4. Ensure that the target IP/FQDN is accessible from the cloud connector (SaaS) or from vendor pods (on-prem) and the port is open.
  5. Certificates located in paths without the necessary user permissions cannot be detected. Therefore, either update the configuration files to reference certificates in accessible paths or modify the file permissions to ensure the certificates are accessible.
  6. The user must have appropriate access to the configuration file and certificates. If direct access is not permitted, elevated privileges must be granted for the commands listed in the Commands requiring Access Elevation section.
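The prerequisites above hinge on a few host settings that are easy to get wrong: the tools the connector shells out to, the per-user nproc limit in limits.conf, and MaxSessions in sshd_config (sshd keeps the first value it reads for a keyword, so a later line does not override an earlier one). The following Python script is an added example, not AppViewX code, that checks those settings from configuration text; the constructed excerpts, the user name sftptest and the target of 5 sessions come from the steps above, and the parsing is deliberately simplified (Match blocks, Include directives and @group entries are ignored).

```python
import re
import shutil

# Commands the steps above require on the HAProxy host (setfacl is optional).
REQUIRED_COMMANDS = ["socat", "systemctl", "ps", "sftp"]
OPTIONAL_COMMANDS = ["setfacl"]

# Constructed excerpts (not taken from a real host).
SAMPLE_LIMITS = """\
# /etc/security/limits.conf excerpt (constructed)
*        hard nproc 1
sftptest hard nproc 5
"""
SAMPLE_SSHD = """\
# sshd_config excerpt (constructed): sshd uses the FIRST MaxSessions it reads,
# so this host still allows only 1 session despite the second line.
MaxSessions 1
MaxSessions 5
"""


def missing_commands(names, which=shutil.which):
    """Return the subset of names not found on PATH (which is injectable for tests)."""
    return [n for n in names if which(n) is None]


def sshd_max_sessions(sshd_config_text, default=10):
    """Effective MaxSessions: first matching keyword wins, as sshd_config(5) states.
    The OpenSSH default of 10 applies when the keyword is absent."""
    for line in sshd_config_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(?i)MaxSessions\s+(\d+)$", line)  # keywords are case-insensitive
        if m:
            return int(m.group(1))
    return default


def limits_nproc(limits_text, user):
    """Hard nproc limit that applies to `user` (None if no line matches).
    A user-specific line overrides a '*' wildcard line; group entries are ignored."""
    result = None
    for line in limits_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) != 4 or parts[2] != "nproc" or parts[1] not in ("hard", "-"):
            continue
        domain, _, _, value = parts
        value = int(value) if value.isdigit() else value  # "unlimited" stays a string
        if domain == user:
            result = value
        elif domain == "*" and result is None:
            result = value
    return result


def check_prerequisites(limits_text, sshd_text, user, wanted=5, which=shutil.which):
    """List everything that would block `wanted` concurrent SFTP sessions for `user`."""
    problems = [f"missing command: {c}" for c in missing_commands(REQUIRED_COMMANDS, which)]
    nproc = limits_nproc(limits_text, user)
    if isinstance(nproc, int) and nproc < wanted:
        problems.append(f"limits.conf: {user} hard nproc is {nproc}, need at least {wanted}")
    sessions = sshd_max_sessions(sshd_text)
    if sessions < wanted:
        problems.append(f"sshd_config: MaxSessions is {sessions}, need at least {wanted}")
    return problems


if __name__ == "__main__":
    for p in check_prerequisites(SAMPLE_LIMITS, SAMPLE_SSHD, "sftptest"):
        print(p)
```

On a real host, read /etc/security/limits.conf and the sshd configuration into the two text arguments; the sample texts are only there so the script runs offline.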

Adding HAProxy Device

To add an HAProxy device:

  1. Go to (Menu) > CERT+ > Device Management.
    By default, the ADC tab is displayed.
  2. Click the (Add) icon.
  3. In the Device details page, select HAProxy from the left sidebar.
  4. Enter the field information in the General information section.
    Table 1. General information Section - Field and Description Table
    Name Type Description Validation
    *Modules Checkbox Select a module. NA
    *Device name Text Unique name of the device to be added. Device names can only contain alphanumeric characters, '-' , '_' , '.' , '*' , '|' , '!' and spaces.
    Communication Radio button The communication mode used to add ADC devices to AppViewX. NA
    *SSH Port Text Communication port of the device. Numbers only.
    *IP Address Text The IPv4/IPv6 address of the device. IP address must be a valid IPv4/IPv6 address.
    *FQDN Text FQDN/hostname of the device. FQDN value must be a valid FQDN/hostname.
    Data center Dropdown Datacenter name where the device is configured. The default value is absecon. Data center name can only contain alphanumeric characters, '-' , '_' , '.' , '*' , ':' , '|' and spaces.
    Onboarding Group Dropdown Select the onboarding group to assign the device.
    Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
    NA
    *Cert Sync Radio button
    • Managed: The certificates of the device can be managed.
    • Monitored: The certificates of the device can be monitored.
    • Ignored: The certificate sync can be ignored.
    NA
    LB Sync Toggle button The LB Sync toggle button is enabled and modifiable only with an ADC+ license. In environments with a CERT+ only license, the toggle is disabled. NA
    *: Mandatory fields
  5. Enter the field information in the Credentials section.
    Table 2. Credentials Section - Field and Description Table
    Name Type Description Validation
    *Credential Type Dropdown
    • Manual entry: The user should enter the username and password.
    • Credential List - AppViewX: The user can select the credential details which are already stored in the credential inventory page.
    Note:
    • All other vault settings (BeyondTrust, Cyberark, Hashicorp Vault, Thycotic, and so on.) configured in the Credentials will be displayed in the dropdown.
    • If Credential list - AppViewX is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    • If Credential list - HashiCorp is selected, the *Credentials list dropdown field is displayed with the credential type by default.
    NA
    *User Name Text The user name of the device. NA
    *Password Text The password of the device. NA
    *: Mandatory fields
  6. Enter the fields in Vendor Specific Details.
    Table 3. Vendor Specific Details Section - Field and Description Table
    Name Type Description Validation
    *Access Elevation Dropdown
    • None: By default, None is selected.
    • sudo: sudo enablement is supported for CLM actions. LB operations do not currently support this functionality.
    NA
    *File Upload Temp Path Text This field is displayed when Access Elevation = sudo. The path specified here will be used for push, bind, and CSR generation. It must either be left empty or set to a valid Linux folder with an absolute path. The path should begin with a forward slash (/), and all folder separators must also use forward slashes.
    *: Mandatory fields
  7. Click Save.

CSR Generation

When pushing a certificate where the private key is generated on the end device, ensure that the Private key at end device checkbox is selected, and specify the same location for the private key in the push screen.
Note: The key generated at the endpoint during CSR generation will permit read-only access for the owner of the file; no other user in the same user group or anyone else will have any permission.

Backing Up Certificates

  • Copy the content of the configuration file and parse it to find the certificate locations.
  • Download the certificates from the locations bound to SSL configurations under the frontend.
  • Parse the certificates and store them under the backup properties.

Pushing Certificates

  • The push writes a single file to the endpoint containing the certificate chain (root, intermediate and server certificates) followed by the private key.
  • By default, the file content is ordered as follows:
    • Server certificate
    • Intermediate certificate(s)
    • Root certificate
    • Private key
    The order can be changed. When the PEM file content requires the private key to appear at the beginning, the following database script must be run to enable that:
    db.cert_metadata.update({_id:"CERT_VENDOR_BASED_CONDITIONS"},
        {"$set": {"map.adc_haproxy_push_private_private_key_at_first": "true"}})
  • A file is created on the HAProxy endpoint at the user-configured location and the content is written to that PEM file.
  • When you choose the private key on the device, provide the absolute path of the server-generated private key on the UI screen.
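The push and CSR sections above describe two things worth getting exactly right: the order of blocks in the single PEM file (server, intermediates, root, key by default, or key first when the database setting is enabled) and the permissions of the file that ends up on the endpoint (a key generated on the device is owner read-only; a file that already exists keeps its permissions). The following Python script is an added example, not AppViewX code, that assembles the bundle in either order, writes it so that a new file is owner-only, and leaves the mode of a pre-existing file alone. The PEM blocks are constructed placeholders, not real certificates, and the 0600 mode for new files is an assumption.

```python
import os
import re
import tempfile


def _block(kind, label):
    """Constructed placeholder PEM block; the label stands in for the base64 body."""
    return f"-----BEGIN {kind}-----\n{label}\n-----END {kind}-----\n"


# Constructed inputs (placeholders, not real key material).
SERVER_CERT = _block("CERTIFICATE", "SERVER")
INTERMEDIATES = [_block("CERTIFICATE", "INTERMEDIATE-1"), _block("CERTIFICATE", "INTERMEDIATE-2")]
ROOT_CERT = _block("CERTIFICATE", "ROOT")
PRIVATE_KEY = _block("PRIVATE KEY", "KEY")

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)


def build_pem_bundle(server_cert, intermediates, root_cert, private_key, key_first=False):
    """Assemble the single PEM file read from a 'crt' path.
    Default order is server, intermediates, root, key; key_first mirrors the
    'private key at first' database setting described above."""
    chain = [server_cert, *intermediates, root_cert]
    parts = [private_key, *chain] if key_first else [*chain, private_key]
    # Every block must end with a newline, otherwise two blocks fuse into one line.
    return "".join(p if p.endswith("\n") else p + "\n" for p in parts)


def pem_order(bundle):
    """(type, first body line) of each block, in file order, for verification."""
    return [(kind, body.strip().splitlines()[0]) for kind, body in BLOCK_RE.findall(bundle)]


def write_bundle(path, bundle, new_file_mode=0o600):
    """Write the bundle. A pre-existing file keeps its permissions (as the Binding
    note above says); a new file is created owner-only from the first byte, rather
    than written world-readable and chmod-ed afterwards. Returns the final mode bits."""
    pre_existing = os.path.exists(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, new_file_mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(bundle)
    if not pre_existing:
        os.chmod(path, new_file_mode)  # defend against an unusual umask at creation
    return os.stat(path).st_mode & 0o777


def demo():
    """Build both orderings and write them into a temporary directory."""
    default = build_pem_bundle(SERVER_CERT, INTERMEDIATES, ROOT_CERT, PRIVATE_KEY)
    key_first = build_pem_bundle(SERVER_CERT, INTERMEDIATES, ROOT_CERT, PRIVATE_KEY, key_first=True)
    with tempfile.TemporaryDirectory() as d:
        new_mode = write_bundle(os.path.join(d, "site.pem"), default)
        # Pre-existing world-readable file: its mode must survive the overwrite.
        old_path = os.path.join(d, "existing.pem")
        with open(old_path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(old_path, 0o644)
        kept_mode = write_bundle(old_path, key_first)
        with open(old_path) as fh:
            rewritten = fh.read()
    return {
        "default_order": pem_order(default),
        "key_first_order": pem_order(key_first),
        "new_mode": new_mode,
        "kept_mode": kept_mode,
        "rewritten_ok": rewritten == key_first,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, oct(v) if isinstance(v, int) else v)
```

pem_order is the check to run against a bundle before it is bound: it shows at a glance whether the key landed first or last and whether any block was lost or fused.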

Binding Certificates

Copy the configuration file content (haproxy.cfg) and, using a regex, update the certificate location for the profile associated with an SSL bind directive under the frontend. Upload the updated configuration file to its original location.
Note: If the certificate and configuration file already exist, their file permissions are retained.
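Both the backup step (parse haproxy.cfg to find the certificate locations bound under frontends) and the bind step (rewrite the crt path on the SSL bind line) come down to the same configuration parsing. The following Python script is an added example, not AppViewX code, that does both over a constructed haproxy.cfg: it reports every crt argument on an ssl bind line in a frontend or listen section, and rewrites one crt path only on those lines, leaving a backend server line that references the same file untouched. Section names, paths and the file layout are assumptions.

```python
import re

# Constructed haproxy.cfg (not from a real host). The backend server line reuses
# site.pem deliberately: it is not a frontend bind, so it must not be reported or rewritten.
SAMPLE_CFG = """\
global
    log /dev/log local0

defaults
    mode http
    timeout client 30s

frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    bind 10.0.0.5:8443 ssl crt /etc/haproxy/certs/api.pem crt /etc/haproxy/certs/extra.pem
    default_backend app

frontend http_in
    bind *:80
    default_backend app

backend app
    server app1 127.0.0.1:8443 ssl verify none crt /etc/haproxy/certs/site.pem
"""

# Section keywords sit at column 0; directives are indented.
SECTION_RE = re.compile(r"^(global|defaults|frontend|listen|backend|peers|resolvers)\b\s*(\S*)")
BIND_RE = re.compile(r"^\s*bind\s+")
CRT_RE = re.compile(r"\bcrt\s+(\S+)")  # 'crt' may repeat on one bind line; 'crt-list' is not matched


def _is_ssl_bind(line):
    """True for a 'bind ... ssl ...' directive (not for 'server ... ssl' in a backend)."""
    return bool(BIND_RE.match(line)) and re.search(r"\bssl\b", line) is not None


def find_ssl_crt_paths(cfg_text):
    """Backup step: (section name, crt path) for every crt on an ssl bind line
    inside a frontend or listen section."""
    found = []
    section_type = section_name = None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0]  # drop comments
        m = SECTION_RE.match(line)
        if m:
            section_type, section_name = m.group(1), m.group(2) or m.group(1)
            continue
        if section_type in ("frontend", "listen") and _is_ssl_bind(line):
            found.extend((section_name, crt) for crt in CRT_RE.findall(line))
    return found


def rebind_crt(cfg_text, old_path, new_path):
    """Bind step: replace crt <old_path> with <new_path> on frontend/listen ssl bind
    lines only. Returns (new config text, number of replacements)."""
    pattern = re.compile(r"(\bcrt\s+)" + re.escape(old_path) + r"(?=\s|$)")
    out, count, section_type = [], 0, None
    for line in cfg_text.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m:
            section_type = m.group(1)
        elif section_type in ("frontend", "listen") and _is_ssl_bind(line):
            line, n = pattern.subn(lambda mm: mm.group(1) + new_path, line)
            count += n
        out.append(line)
    return "".join(out), count


if __name__ == "__main__":
    for section, crt in find_ssl_crt_paths(SAMPLE_CFG):
        print(f"{section}: {crt}")
    new_cfg, n = rebind_crt(SAMPLE_CFG, "/etc/haproxy/certs/site.pem", "/etc/haproxy/certs/site-new.pem")
    print(f"{n} bind line(s) rewritten")
```

Run find_ssl_crt_paths on the rewritten text before uploading it: the returned list is the record of what the frontend will load after the reload, and a count of zero from rebind_crt means the old path was not bound where expected and the upload should not proceed.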

Restarting/Reloading Service

Once the new certificate is successfully bound in the configuration file, it will be used after the configuration is restarted or reloaded.
  • Restart: kills the existing process, closing all connections immediately, and starts a new process.
  • Reload: stops accepting new connections (stops listening on the respective ports) and gracefully reloads the haproxy service.

Rolling Back Certificates

The rollback process follows the same push and bind flow, with certificate details retrieved from the backup properties created during the backup.

Commands requiring Access Elevation

find
mkdir
touch
stat
openssl
cat
rm
chmod
chown
ps
systemctl
cp
setfacl (Optional)