Log in to the TCA Airgap Appliance over SSH with the admin account, then switch to root with su to use the agctl command.
Prerequisites
The network that the TCA Airgap Appliance is connected to can reach the Proxy Server.
The Proxy Server allows anonymous access.
Procedure
- (Optional) Upload the untrusted Root CA certificate or self-signed certificate of the proxy server.
This step is only required if the Proxy Server in your organization uses HTTPS and is configured with an untrusted self-signed certificate or a certificate signed by a private CA.
Copy the untrusted Root CA certificate file or self-signed certificate to a directory on the TCA Airgap Appliance. For example, on the TCA Airgap Appliance console, create and edit the proxy-ca.crt file with the editor, paste the certificate content into it, then save it with :wq
vi /tmp/proxy-ca.crt
Verify proxy-ca.crt:
openssl s_client -connect <proxy address>:<proxy https port> -CAfile /tmp/proxy-ca.crt
The output of the above command is expected to contain “Verification: OK”.
- Edit /usr/local/airgap/scripts/vars/user-inputs.yml using the following command:
vi /usr/local/airgap/scripts/vars/user-inputs.yml
Update the following settings in the file:
enable_proxy: True
http_proxy: <proxy url>
https_proxy: <proxy url>
no_proxy: <comma-separated list of networks that bypass the proxy>
proxy_ca_cert_path: <optional, file path prepared in Step 1>
Examples:
The proxy opens an HTTP port on 3128
enable_proxy: True
http_proxy: http://proxy.example.com:3128
https_proxy: http://proxy.example.com:3128
no_proxy: 192.168.0.0/15,.example.com
#proxy_ca_cert_path: /tmp/proxy-ca.crt
The proxy opens an HTTPS port on 3443
enable_proxy: True
http_proxy: https://proxy.example.com:3128
https_proxy: https://proxy.example.com:3128
no_proxy: 192.168.0.0/15,.example.com
proxy_ca_cert_path: /tmp/proxy-ca.crt
- Apply the configuration using the agctl deploy command.
- Log out of the console, then log in again to ensure your shell picks up the latest proxy environment variables. Check connectivity to the remote repositories by running the agctl selfcheck remote command. All repository sites in the output are expected to be reachable. For example:
root@airgap320 [ /home/admin ]# agctl selfcheck remote
Check Remote Repositories Connectivities
Environment Proxy settings:
http_proxy : http://proxy.ipv6.eng.vmware:3128
https_proxy :http://proxy.ipv6.eng.vmware.com:3128
no_proxy :localhost,192.168.0.0/16,172.16,0.0/16, .ipv6.eng.vmware.com
Docker proxy settings:
http_proxy :http://proxy.ipv6.eng.vmware:3128
https_proxy : http://proxy.ipv6.eng.vmware.com:3128
no_proxy : localhost,192.168.0.0/16,172.16,0.0/16, .ipv6.eng.vmware.com
projects.registry.vmware.com : reachable
packages.vmware.com/photon : reachable
vmwaresaas.jfrog.io : reachable
s3.amazonaws.com : reachable
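A pre-flight check for the settings edited in the procedure above, as an added example that is not VMware's or agctl's code: it lints the proxy keys in user-inputs.yml and the file named by proxy_ca_cert_path, which becomes a trust anchor once deployed. The function names are hypothetical, and it assumes flat, unquoted key: value lines as shown on this page.

```shell
#!/bin/sh
# Added example (not VMware code): lint the proxy keys from this page before
# running "agctl deploy". Assumes flat, unquoted "key: value" lines.

# get_key FILE KEY: print the value of an uncommented KEY (empty if absent)
get_key() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#]*\).*/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

warn() { echo "WARN: $*"; findings=$((findings + 1)); }

# lint_proxy_inputs FILE: print findings; exit status is the number of findings
lint_proxy_inputs() {
    findings=0; tls_proxy=no
    [ "$(get_key "$1" enable_proxy)" = "True" ] || warn "enable_proxy is not True"
    for key in http_proxy https_proxy; do
        case $(get_key "$1" "$key") in
            https://*) tls_proxy=yes ;;
            http://*) ;;
            *) warn "$key is not an http:// or https:// URL" ;;
        esac
    done
    ca=$(get_key "$1" proxy_ca_cert_path)
    if [ -z "$ca" ]; then
        # Acceptable only when the proxy's CA is already in the system trust store
        [ "$tls_proxy" = no ] || warn "HTTPS proxy without proxy_ca_cert_path"
    elif [ -L "$ca" ] || [ ! -f "$ca" ]; then
        warn "$ca is missing, a symlink, or not a regular file"
    else
        # The file becomes a trust anchor, so only the deploying user may control it
        [ -O "$ca" ] || warn "$ca is not owned by the user running this check"
        [ "$(ls -ld "$ca" | cut -c6,9)" = "--" ] || warn "$ca is group- or world-writable"
        grep -q -e '-----BEGIN CERTIFICATE-----' "$ca" || warn "$ca has no PEM certificate"
    fi
    return "$findings"
}

# ca_fingerprint FILE: SHA-256 fingerprint and expiry, for out-of-band comparison
ca_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 -enddate; }

# Constructed sample: HTTPS proxy with the CA path left commented out
sample=$(mktemp)
printf '%s\n' 'enable_proxy: True' 'http_proxy: https://proxy.example.com:3128' \
    'https_proxy: https://proxy.example.com:3128' \
    'no_proxy: 192.168.0.0/15,.example.com' \
    '#proxy_ca_cert_path: /tmp/proxy-ca.crt' > "$sample"
lint_proxy_inputs "$sample" || echo "findings: $?"
rm -f "$sample"
```

Before deploying, compare the ca_fingerprint output with the fingerprint supplied by the proxy administrator.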