SecurID® Community Blog

Changing AM Embedded IDR Management/Docker Subnet Networks

KarimYoussef

When the embedded IDR is installed and created on the AM, two new network interfaces appear on the host:

br-29aa4b (172.19.0.1/16 - management network of the IDR)
docker0 (172.17.0.1/16 - default Docker bridge)

Some customers need to change these default subnets because they conflict with subnets already in use in their internal infrastructure; an overlapping route can take the AM off the network.

The following two procedures give step-by-step instructions for changing the default subnets used by the embedded IDR.
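The conflict that motivates this post can be detected before any file is touched. The shell check below is an added example, not part of the post and not an RSA tool: it takes a candidate range and a routing table in the netstat -rn layout shown later in the post and reports every existing route the candidate would overlap. The sample table is constructed from the post's own output with a docker0 route added; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or from RSA): check a candidate subnet for
# the embedded IDR management network or the Docker bridge against the routes
# the AM host already has, so the chosen range is known to be free in advance.
# Input format assumed: the "netstat -rn" layout shown in the post.

# Constructed sample: the post's routing table plus a docker0 route on the
# default Docker bridge subnet.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.101.56.1     0.0.0.0         UG        0 0          0 eth0
10.101.56.0     0.0.0.0         255.255.254.0   U         0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0'

# Dotted quad -> 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length (1-32) -> netmask as a 32-bit integer.
prefix_to_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# subnet_conflicts CIDR ROUTE_TABLE
# Prints every existing route that overlaps CIDR.
# Exit status 0 = at least one conflict, 1 = the range is free.
subnet_conflicts() {
    local cidr="$1" routes="$2"
    local cand_net cand_mask rnet rmask m found=1
    cand_net=$(ip_to_int "${cidr%/*}")
    cand_mask=$(prefix_to_mask "${cidr#*/}")
    while read -r dest gw genmask rest; do
        # Skip header lines, blanks and the default route (it matches everything).
        case "$dest" in ''|Kernel|Destination|0.0.0.0) continue ;; esac
        rnet=$(ip_to_int "$dest")
        rmask=$(ip_to_int "$genmask")
        # Two networks overlap when they agree under the shorter of the two masks.
        m=$(( cand_mask & rmask ))
        if [ $(( cand_net & m )) -eq $(( rnet & m )) ]; then
            echo "conflict: $cidr overlaps $dest/$genmask on ${rest##* }"
            found=0
        fi
    done <<EOF
$routes
EOF
    return $found
}

# Stand-alone run: the two ranges proposed in the post, then the Docker default.
for range in 192.168.0.0/16 192.168.1.0/24 172.17.0.0/16; do
    if subnet_conflicts "$range" "$SAMPLE_ROUTES"; then
        echo "$range: do not use"
    else
        echo "$range: free"
    fi
done
```

Against the live host, run `subnet_conflicts 192.168.0.0/16 "$(netstat -rn)"` before editing IDRSoftware.groovy or docker.service, and run it again on the step 8 table after the change to confirm the new br- and docker0 routes do not overlap eth0. The default route is skipped on purpose, since it covers every address by design and would otherwise flag every candidate.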

SCRIPT 1 (CHANGING EMBEDDED IDR MANAGEMENT SUBNET):
1- Take a backup of the following files.
    cp /opt/rsa/am/config/src/scripts/IDRSoftware.groovy /opt/rsa/am/config/src/scripts/IDRSoftware.groovy.orig
    cp /etc/sysconfig/network/scripts/ifup-rules /opt/rsa/am/config/src/scripts/ifup-rules.orig

2- Delete the existing embedded IDR from SC

3- Change the permission for IDRSoftware.groovy
chmod 777 /opt/rsa/am/config/src/scripts/IDRSoftware.groovy

4- Edit the IDRSoftware.groovy script and change the subnet to 192.168.0.0/16 (or any other range of your choice)
vi /opt/rsa/am/config/src/scripts/IDRSoftware.groovy
Search for idrContainerIPAddress and idrNetworkSubnet and update their values as shown below.
From-
idrContainerIPAddress = "172.19.0.2"
idrNetworkSubnet = "172.19.0.0/16"
To-
idrContainerIPAddress = "192.168.0.2"
idrNetworkSubnet = "192.168.0.0/16"

5- SSH in as root and update the IP rules
vi /etc/sysconfig/network/scripts/ifup-rules
Search for the rule and update it as shown below
From-
ip rule add to 172.19.0.0/16 table main priority 32765
To-
ip rule add to 192.168.0.0/16 table main priority 32765

6- Reboot

7- Download, install and configure embedded IDR on SC

8- Check ifconfig to confirm the new subnet is present

9- Test that cloud authentication and RADIUS authentication are working.

SCRIPT 2 (CHANGING EMBEDDED IDR DOCKER SUBNET):
Take a snapshot and delete the IDR if it is already installed.
This procedure changes the default Docker bridge subnet (172.17.0.0/16) to 192.168.1.1/24.
1- Reboot, SSH in and become root with sudo.

2- Take a backup of /usr/lib/systemd/system/docker.service
 cp /usr/lib/systemd/system/docker.service /tmp/docker.service.orig

3- Check the current routing table
 netstat -rn
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
 0.0.0.0         10.101.56.1     0.0.0.0         UG        0 0          0 eth0
 10.101.56.0     0.0.0.0         255.255.254.0   U         0 0          0 eth0

4- Edit /usr/lib/systemd/system/docker.service before starting Docker. Add --bip "192.168.1.1/24" at the end of the ExecStart line as shown below
 ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS --bip "192.168.1.1/24"

5- systemctl daemon-reload

6- systemctl start docker

7- Install the IDR

8- Check the network again.
 rsaadmin # netstat -rn
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
 0.0.0.0         10.101.56.1     0.0.0.0         UG        0 0          0 eth0
 10.101.56.0     0.0.0.0         255.255.254.0   U         0 0          0 eth0
 172.19.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-65441c89a5f5
 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 docker0
 
9- Test cloud authentication.