Create and Configure a Gateway Instance
The first time you create a Gateway, you must download the Enterprise Service Gateway image file and register it with Identity as a Service. If you whitelist outbound connections, you need to whitelist the following URLs for the Gateway to function:
- Your Identity as a Service account name (for example, mycorp.us.trustedauth.com)
- entrust.us.trustedauth.com (for Enterprise Service Gateway upgrades)
- entrust.net (Entrust Certificate Authority)
Note: When you add an Enterprise Service Gateway, Entrust recommends that you use the defaults set by the appliance when you load it into VMware. For the Enterprise Service Gateway to function, the minimum requirements are 2 x CPU, 4 GB RAM, and 50 GB of disk space. Adding more resources can help in larger deployments.
Create a Gateway
- Click > Resources > Gateways. The Gateways page appears.
- Click Identity as a Service Gateway. The Identity as a Service Gateway Download URL dialog box appears.
- Click one of the following options:
  - VMware vSphere to download a vSphere (.ova) image file.
  - Microsoft Hyper-V to download a Hyper-V (.vhd) image file.
  The file is downloaded to your device.
- Click Close on the pop-up window.
- Click Add.
- Enter a Gateway Name and click Add. The Registration Code appears.
  Note: The Gateway name must be unique. The name can only include alphanumeric characters and spaces.
- Click Copy to Clipboard to copy the Registration Code.
- Import your Gateway image file. Consult the VMware vSphere or Microsoft Hyper-V documentation for instructions on how to import your image file. If you are deploying to Microsoft Hyper-V, enter the following in the New Virtual Machine Wizard:
  - Generation 1
  - Startup Memory: 4096 MB
  - Deselect Dynamic Memory
  - Connection: Select a connection that can reach the public Internet directly or through a proxy.
- Follow the instructions to Configure the Gateway.
Configure the Gateway
- Power on the virtual machine.
- If the VM is in a network with DHCP disabled, you must log in to the VM and set up a static IP before using the cockpit to register the Gateway, as follows:
  - At the login prompt, enter "entrust".
  - At the password prompt, enter "entrust". You are prompted to create a new password.
  - At the (current) UNIX password prompt, enter "entrust" to confirm your existing password.
  - Enter a new password. The password must meet the following rules:
    - Must not be based on any word found in the English dictionary.
    - Cannot contain spaces.
    - Must contain at least 8 alphanumeric (a-z, A-Z, 0-9) characters.
    - Must contain at least one special character (for example, !, %, or *).
  - At the Retype new password prompt, re-enter the password. The Entrust Identity as a Service Gateway Configuration Tool appears.
  - Set up a static IP for the VM:
    - Option one: Run sudo /home/entrust/tools/setup_static_ip.sh and respond to the prompts. The network service restarts.
    - Option two: Set up the static IP manually according to your needs.
- In your Web browser, enter the IP address of your Virtual Machine using port 9090, for example, https://192.168.1.20:9090, and accept the browser self-signed certificate warning. The Identity as a Service Gateway Web Interface opens.
  A self-signed certificate, unique to each Enterprise Gateway, is created when the VM boots. If you want to change the certificate for the cockpit (IDaaS Gateway Web interface), replace the file /etc/cockpit/ws-certs.d/0-self-signed.cert with a file that contains both the certificate and the private key. If multiple certificates exist under the /etc/cockpit/ws-certs.d/ folder, the cockpit uses the last file with a .cert or .crt extension in alphabetical order. Use the following command to see which certificate is in use:
  sudo remotectl certificate
  Note: Internet Explorer is not supported.
- At the User Name prompt, enter "entrust".
- At the password prompt, enter "entrust". You are prompted to create a new password.
- Follow the prompts to reset the password.
  Note: After you have changed your password, when you log in to the Web Interface, you must select Reuse my password for privileged tasks.
- At the (current) UNIX password prompt, enter "entrust" to confirm your existing password and click Log In.
- Enter a new password. The password must meet the following rules:
  - Must not be based on any word found in the English dictionary.
  - Cannot contain spaces.
  - Must contain at least 8 alphanumeric (a-z, A-Z, 0-9) characters.
  - Must contain at least one special character (for example, !, %, or *).
- At the Retype new password prompt, re-enter the password. The Identity as a Service Enterprise Gateway Configuration Tool appears.
- Click Get Started. The Network Settings page appears.
- By default, the hostname is "entrust-Identity as a Service-agent". To change the hostname:
  - Click the Hostname link. The Hostname dialog box appears.
  - Enter a new hostname and click Save.
- To change the IP Configuration, click the IP Address link.
  - Select Static or DHCP.
  - Make the required Network Settings changes. A confirmation dialog box appears.
  - Click Save.
- Click Next. The NTP Settings appear.
- Optional: If you want to change any of the NTP Settings, do the following:
  - On the NTP Settings page, click Edit.
  - Make the required NTP Settings changes and click Save.
- Click Next.
- If required, click Configure. The Configure Proxy page appears.
  - Enter the Proxy server host IP or Proxy host name.
  - Enter the Proxy port number.
  - Enter the Proxy username.
  - Enter the Proxy password.
  - Click Save.
- Click Next. The Registration Parameters appear.
- Paste the Registration Code you copied when you created the Gateway.
- Click Register.
- Recommended: For high availability, add more than one Gateway Instance.
Note: When you change the proxy configuration on the Identity as a Service Gateway, the appliance must be restarted for the changes to take effect.
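The cockpit certificate step above states a selection rule (the last .cert or .crt file in /etc/cockpit/ws-certs.d/ in alphabetical order wins) and a content requirement (the file must hold both the certificate and the private key). The following POSIX shell script is an added example, not Entrust's code or part of this page: it applies that rule to a directory, checks that the winning file carries both a certificate and a private key, and prints the certificate's SHA-256 fingerprint so you can compare it with the one the browser shows before accepting the self-signed certificate warning. It assumes `ls`, `grep` and `openssl` are available on the appliance; the `CERT_DIR` override and the `run` argument are conveniences of this example, not appliance features.

```shell
#!/bin/sh
# Added example (not Entrust's code): find the certificate the cockpit
# (Gateway Web interface) will serve and sanity-check it.
# Selection rule from the page: last .cert/.crt file in alphabetical order.

CERT_DIR="${CERT_DIR:-/etc/cockpit/ws-certs.d}"   # default path from the page

# Print the file name the cockpit will use from DIR (empty if none found).
cockpit_active_cert() {
    dir="$1"
    ls -1 "$dir" 2>/dev/null | grep -E '\.(cert|crt)$' | sort | tail -n 1
}

# Return 0 only if FILE contains both a certificate block and a private
# key block; the page requires both in the same file.
cert_has_key_and_cert() {
    f="$1"
    grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null || return 1
    grep -Eq 'BEGIN (RSA |EC )?PRIVATE KEY' "$f" 2>/dev/null || return 1
    return 0
}

# SHA-256 fingerprint of the certificate in FILE, for comparison with the
# fingerprint the browser displays in its certificate warning.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

main() {
    active=$(cockpit_active_cert "$CERT_DIR")
    if [ -z "$active" ]; then
        echo "no .cert/.crt file found in $CERT_DIR" >&2
        return 1
    fi
    echo "cockpit will use: $CERT_DIR/$active"
    if cert_has_key_and_cert "$CERT_DIR/$active"; then
        echo "certificate and private key present"
    else
        echo "WARNING: $active lacks the certificate or the private key" >&2
    fi
    echo "SHA-256 fingerprint: $(cert_fingerprint "$CERT_DIR/$active")"
    # Cross-check against what the appliance itself reports (command from the page).
    echo "reported by the appliance: $(sudo remotectl certificate 2>/dev/null)"
}

# Only run the check when invoked as: sh cockpit_cert_check.sh run
if [ "${1-}" = "run" ]; then
    main
fi
```

Run it on the appliance as `sudo sh cockpit_cert_check.sh run`; to exercise the selection logic elsewhere, point `CERT_DIR` at a directory of your own. Note that a file named, say, 1-corp.crt sorts after 0-self-signed.cert and so replaces it, which is why the script shows the winning file rather than assuming the default.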