Connect to vCloud Director (Carrenza only)

vCloud Director is the interface we use to manage our infrastructure in Carrenza. This includes virtual machines, gateways, firewalls and VPNs between providers.

To access vCloud Director, you will need to connect to a Carrenza-provided VPN. You can use either Cisco AnyConnect or OpenConnect as a VPN client for this.

Setting up the Cisco AnyConnect VPN profile on a Mac

  1. Make sure you have the latest version of govuk-secrets.

  2. Install oathtool (this will be used to generate one-time passwords).

    $ brew install oath-toolkit

  3. Get the VPN client certificate and private key from the 2nd line password store and save the decrypted contents to a file on your machine (for example ~/carrenza-vpn-cert-and-key.pem).

    $ PASSWORD_STORE_DIR=~/govuk/govuk-secrets/pass/2ndline pass carrenza/vpn-certificate > ~/carrenza-vpn-cert-and-key.pem

  4. Get the VPN credentials, also from the 2nd line password store.

    $ PASSWORD_STORE_DIR=~/govuk/govuk-secrets/pass/2ndline pass carrenza/vpn-credentials
    Certificate passphrase: ...
    MFA key: ................
    Password: ...
    VPN gateway: ...

  5. Convert the VPN client certificate from PEM format to PFX format. You will be asked for two passwords (one for decrypting the PEM and one for encrypting the PFX). The first password is the Certificate passphrase field from carrenza/vpn-credentials. The second password can be of your own choice. You will need it for the next few steps but you won’t need to remember it after that.

    $ openssl pkcs12 -export -in ~/carrenza-vpn-cert-and-key.pem -out ~/carrenza-vpn-cert-and-key.pfx
    Enter pass phrase for /Users/.../carrenza-vpn-cert-and-key.pem: <Certificate passphrase from vpn-credentials>
    Enter Export Password: <Password from vpn-credentials>
    Verifying - Enter Export Password:

  6. Import the PFX format certificate into your macOS login keychain. You’ll be asked for a password. Enter the passphrase which you used to encrypt the PFX file (Certificate passphrase field from carrenza/vpn-credentials).

    $ security import ~/carrenza-vpn-cert-and-key.pfx

  7. Create a new file on your machine at /opt/cisco/anyconnect/profile/carrenza-secure.xml and copy the following XML into that file:

    $ cat << EOF > ~/carrenza-secure.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
      <ServerList>
        <HostEntry>
          <HostName>Carrenza - Secure</HostName>
          <HostAddress>https://secure.carrenza.com</HostAddress>
          <PrimaryProtocol>SSL</PrimaryProtocol>
        </HostEntry>
      </ServerList>
    </AnyConnectProfile>
    EOF
    $ sudo cp ~/carrenza-secure.xml /opt/cisco/anyconnect/profile/

  8. Restart Cisco AnyConnect if it’s already running.

  9. Delete the key files created earlier as these are no longer needed. (The PEM file is needed if you plan to use OpenConnect, however.)

    $ rm ~/carrenza-vpn-cert-and-key.{pem,pfx}


Connecting with Cisco AnyConnect

  1. Choose “Carrenza - Secure” from the drop-down list and click “Connect”.

Note: The very first time you connect, you may be asked (multiple times) for your macOS username and password (that is, your LDAP username and password). Press Always Allow when the option appears. If this happens every time you connect, try this fix.

  2. The first password is a second-factor (MFA) code. The second password is the VPN password. (Yes, they’re the opposite way around compared to the GDS VPN.)

Note: To generate a two-factor code, you can use oathtool: oathtool -b <MFA key> --totp

Connecting with OpenConnect

  1. Run openconnect. Make sure you provide the correct path to where you’ve saved the VPN client certificate.

    $ sudo openconnect https://secure.carrenza.com -c ~/carrenza-vpn-cert-and-key.pem

  2. The first password is your machine password (requested by sudo).
  3. The second password (the PEM passphrase) is the certificate passphrase from the password store.
  4. The third password is the 2FA code.

Note: To generate a two-factor code, you can use oathtool: oathtool -b <MFA key> --totp

  5. The fourth password is the password from the password store.
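The two notes above point at oathtool for the second factor. The following is an added example, not code from the original page or from GOV.UK, showing what `oathtool -b <MFA key> --totp` actually computes (RFC 6238 TOTP with oathtool's defaults: HMAC-SHA1, 30-second step, 6 digits) so the code you are asked for can be understood and checked; the key used is the public RFC 6238 test vector, not a real MFA key, and the function names are my own.

```python
"""TOTP as produced by `oathtool -b <MFA key> --totp` (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_base32_key(key: str) -> bytes:
    """Decode a base32 MFA key the way oathtool -b accepts it: case-insensitive,
    whitespace ignored, and missing '=' padding tolerated."""
    cleaned = "".join(key.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(key: str, for_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP with oathtool's defaults (SHA1, 30 s step, 6 digits, T0 = 0)."""
    t = int(time.time()) if for_time is None else for_time
    return hotp(decode_base32_key(key), t // step, digits)


def totp_matches(key: str, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Check a submitted code against the current step and +/- `window` neighbouring
    steps, the clock-drift tolerance a verifier typically allows; comparisons are
    constant-time so the check does not leak matching digits."""
    return any(
        hmac.compare_digest(totp(key, at + k * step, step), code)
        for k in range(-window, window + 1)
    )


# Constructed input: RFC 6238 test-vector key, i.e. ASCII "12345678901234567890" in base32.
RFC_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_KEY, 59))                                         # 287082
    print(totp("gezd gnbv gy3t qojq gezd gnbv gy3t qojq", 59))       # same key, loosely formatted
    print(totp(RFC_KEY))                                             # code for right now
```

Running `oathtool -b GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ --totp --now "1970-01-01 00:00:59 UTC"` gives the same 287082, which is a quick way to confirm the tool is installed correctly before relying on it for the VPN.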

Accessing vCloud Director

  1. Fetch the vCloud Director credentials for the environment which you want to connect to.

    $ PASSWORD_STORE_DIR=~/govuk/govuk-secrets/pass/2ndline pass carrenza/vcloud-integration
    ......... <a long string which is the vCloud Director password>
    User: <username for logging into vCloud Director>
    Org: <this string goes in the URL path for accessing vCloud Director>

  2. Ensure that you are connected to the Carrenza VPN (see above).

  3. Visit https://vcloud.carrenza.com/cloud/org/{organisation}/ (replacing {organisation} with the value of the Org field from the password store entry).

  4. Log in with the username and password from the password store entry.

This page was last reviewed on 26 November 2019. It needs to be reviewed again on 26 May 2020 by the page owner #govuk-2ndline .