Welcome to ASGARD's Broker Network documentation!
Starting with version 2.14.0 of the ASGARD Management Center, you can install a Broker Network in your environment (a special license is needed for this feature). It is designed as a gateway that is placed in front of your ASGARD. You can use it in multiple scenarios:
Multiple Brokers for load balancing
Multiple Brokers for load sharing
Internet facing Broker for remote clients
DMZ facing Broker
In the following chapters we will describe how to set this network up.
Before You Begin
This is an introductory chapter to the ASGARD Broker Network. Please read this chapter before you start installing or configuring your new ASGARD Broker Network.
This chapter contains Hardware Requirements, Licensing and other topics.
Agent to ASGARD Communication
There are a few things to consider before you start with the installation of your Broker Network. The communication between the ASGARD agent and the Broker Network is unidirectional. The ASGARD agent polls ASGARD, or one of the Brokers if configured, in a given time frame and looks for tasks to execute. There is no active triggering from ASGARD or the Broker(s) to the ASGARD agent. We have designed it that way because we believe that opening a port on all connected endpoints should and can be avoided.
The Broker Network acts as a gateway between ASGARD Agents and ASGARD itself. This allows for more flexibility within your ASGARD environment, such as remote agents which are not using a VPN, or a dedicated Broker in your DMZ.
If an ASGARD Agent is configured to work with your Broker Network, it can still connect directly to your ASGARD if the Broker can't be reached.
Overview of the Components
There are three components which are needed for the Broker Network:
Lobby - New ASGARD Agents will get a certificate for secure communication from the Lobby. An administrator can accept the agents or configure the auto-accept option. Certificates for agents can also be revoked here.
Gatekeeper - The Gatekeeper is used to communicate directly between all the components. Certificates and Revoke Lists are picked up from the Lobby and pushed to all Brokers.
Broker - Your Broker is the component which your ASGARD Agents directly communicate with. Once an ASGARD Agent has received a valid certificate from the Lobby, communication is possible. You can have multiple Brokers configured.

Using a Proxy between ASGARD Agent and ASGARD
ASGARD supports using a standard HTTP proxy for the entire Agent to ASGARD communication. In order to use a proxy, the ASGARD agent must be repacked after installation. For details, see Agent Installer.
Hardware Requirements
You can find the hardware requirements for all of the components below.
ASGARD Broker Hardware
The required hardware for your Broker depends on the setup you are choosing.
If you want to use only one Broker, you can use the hardware requirements from the table below. If you want to use multiple Brokers, you can split the hardware requirements evenly among your Brokers. This scenario might be useful for networks with multiple segments to keep a proper segmentation.
Connected Endpoints | Combined Hardware Requirements |
---|---|
up to 500 | CPU Cores: 1; System memory: 4 GB; Hard Disk: 80 GB |
up to 10,000 | CPU Cores: 4; System memory: 6 GB; Hard Disk: 200 GB |
up to 25,000 | CPU Cores: 10; System memory: 16 GB; Hard Disk: 500 GB |
Your Broker uses roughly 1 CPU Core for 2,500 agents. In general, we recommend using multiple smaller Brokers instead of one big Broker.
Example: For an environment of up to 10,000 agents, you can use the following hardware (per Broker; assuming all 10,000 agents communicate over the Broker Network):
Number of Brokers | CPU Cores | System Memory | Hard Disk |
---|---|---|---|
1 Broker | 4 | 6 GB | 200 GB |
2 Brokers | 2 | 3 GB | 100 GB |
4 Brokers | 1 | 3 GB | 80 GB |
Note
Try not to go lower than 80 GB of storage and 3 GB of system memory for your Broker, as this might influence system stability after a while.
ASGARD Gatekeeper Hardware
The ASGARD Gatekeeper uses roughly the same amount of resources as your ASGARD Management Center, apart from the disk space. Please use the configuration of your ASGARD as a guide. The recommendations are the following:
Connected Endpoints | Minimum Hardware Requirements |
---|---|
up to 500 | System memory: 4 GB; Hard disk: 200 GB; CPU Cores: 2 |
up to 10,000 | System memory: 8 GB; Hard disk: 250 GB; CPU Cores: 4 |
up to 25,000 | System memory: 16 GB; Hard disk: 300 GB; CPU Cores: 4 |
ASGARD Lobby Hardware
Hardware | Amount |
---|---|
CPU Cores | 2 |
System Memory | 4 GB |
Disk | 80 GB |
Network Requirements
The ASGARD components use the ports listed in the following chapters. For a detailed and up-to-date list of our update and licensing servers, please visit https://www.nextron-systems.com/resources/hosts/.
ASGARD Agent
Description | Port | Source | Destination |
---|---|---|---|
Agent to Server communication | 443/tcp | ASGARD Agent | Broker / ASGARD |
Retrieve certificate | 443/tcp | ASGARD Agent | Lobby |
Warning
Your agents will always try to contact your ASGARD directly, and if this fails, they will try the Lobby or Brokers. If you are deploying agents with a broker network configuration in your internal network, and they can contact the ASGARD directly, they will not be able to get a valid certificate from your Lobby. This is not an issue if your Lobby is exposed to the internet and your agents will be able to request a certificate once they are connecting from the open internet.
If your Lobby is not exposed to the internet, the agents must not be able to contact your ASGARD directly, but rather your Lobby. To do this, you have to ensure your agents will not be able to communicate directly with your ASGARD, but only directly with the Lobby and a Broker (e.g. your ASGARD sits behind an internal Broker and can not be reached directly).
It is important to remember that your agents need a valid certificate from your Lobby, otherwise the Broker connection cannot be established. This "onboarding phase" happens once during the initial communication, so that your agents can get their unique key material for the secure channel within the broker network. For more information on how the Lobby operates, see the chapter Using the Lobby.
Your agents try to connect to the servers in the following order of priority:
Server | Priority | Info |
---|---|---|
ASGARD | 1 | Always highest priority |
Lobby | 2 | If agent has no Broker Certificate |
Broker | 3 | If agent has Broker Certificate |
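The priority table and the warning above can be checked against a planned rollout before agents are deployed. The following Python model is an added example, not ASGARD agent code or code from this manual; the Location fields, the plan names and the assumption that the Lobby approves a request immediately (auto-accept) are illustrative.

```python
"""Added example: simplified model of the documented connection priorities.
Not ASGARD agent code; names and the auto-approval step are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    """What an agent can reach on 443/tcp from one network location."""
    name: str
    asgard: bool
    lobby: bool
    broker: bool


def next_server(loc, has_broker_cert):
    """Apply the documented order: ASGARD first, then Lobby or Broker by cert state."""
    if loc.asgard:
        return "ASGARD"                          # priority 1, always tried first
    if not has_broker_cert:
        return "Lobby" if loc.lobby else None    # priority 2, onboarding
    return "Broker" if loc.broker else None      # priority 3, needs a certificate


def walk(locations, has_broker_cert=False):
    """Move one agent through a sequence of locations and record where it connects.

    Assumption: a request that reaches the Lobby is approved at once (auto-accept),
    after which the agent holds a Broker certificate.
    """
    trace = []
    for loc in locations:
        server = next_server(loc, has_broker_cert)
        if server == "Lobby":
            trace.append((loc.name, "Lobby"))
            has_broker_cert = True
            server = next_server(loc, has_broker_cert)
        trace.append((loc.name, server or "STRANDED"))
    return trace, has_broker_cert


def stranded_plans(plans):
    """Return the names of plans in which the agent ends up with no usable server."""
    return [name for name, locs in plans.items()
            if any(step == "STRANDED" for _, step in walk(locs)[0])]


# Constructed network locations (reachability values are illustrative).
LAN_DIRECT = Location("lan", asgard=True, lobby=True, broker=True)
LAN_BEHIND_BROKER = Location("lan-segmented", asgard=False, lobby=True, broker=True)
NET_LOBBY_EXPOSED = Location("internet", asgard=False, lobby=True, broker=True)
NET_BROKER_ONLY = Location("internet", asgard=False, lobby=False, broker=True)

# Each plan: the agent is installed at the first location, then roams to the second.
PLANS = {
    "lobby exposed to internet": [LAN_DIRECT, NET_LOBBY_EXPOSED],
    "lobby internal, ASGARD reachable": [LAN_DIRECT, NET_BROKER_ONLY],
    "lobby internal, ASGARD behind Broker": [LAN_BEHIND_BROKER, NET_BROKER_ONLY],
}

if __name__ == "__main__":
    for name, locs in PLANS.items():
        trace, cert = walk(locs)
        print(f"{name}: {trace} cert={cert}")
    print("stranded:", stranded_plans(PLANS))
```

The second plan is the case the warning describes: the agent only ever talks to ASGARD internally, so it leaves the network without a certificate and cannot use the Broker.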
Gatekeeper
Description | Port | Source | Destination |
---|---|---|---|
Statistics | 12000/tcp | Gatekeeper | Lobby |
Statistics | 12000/tcp | Gatekeeper | Broker |
Create secure tunnel per client | 12001-1200x/tcp (x = CPU count of Broker) | Gatekeeper | Broker |
Note
Your Gatekeeper receives the root CA certificate, client certificates and CRL from the Lobby. The Gatekeeper then transmits them to all Brokers, to keep an up-to-date state of allowed and revoked agents.
ASGARD
Description | Port | Source | Destination |
---|---|---|---|
Backend management of Gatekeeper, Broker and Lobby; Agent communication | 12000/tcp | ASGARD | Gatekeeper |
Management Workstation
Description | Port | Source | Destination |
---|---|---|---|
CLI administration | 22/tcp | Workstation | Broker |
CLI administration | 22/tcp | Workstation | Gatekeeper |
CLI administration | 22/tcp | Workstation | Lobby |
Web administration | 9443/tcp | Workstation | Lobby |
Internet
The Broker Network components are configured to retrieve updates from the following remote systems.
Description | Port | Source | Destination |
---|---|---|---|
Product and system updates | 443/tcp | Gatekeeper, Lobby, Broker | update3.nextron-systems.com |
NTP | 123/udp | Gatekeeper, Lobby, Broker | 0.debian.pool.ntp.org [4] |
NTP | 123/udp | Gatekeeper, Lobby, Broker | 1.debian.pool.ntp.org [4] |
NTP | 123/udp | Gatekeeper, Lobby, Broker | 2.debian.pool.ntp.org [4] |
[4] The NTP server configuration can be changed.
All proxy systems should be configured to allow access to these URLs without TLS/SSL interception (ASGARD uses client-side SSL certificates for authentication). It is possible to configure a proxy server, username and password during the setup process of the ASGARD platform. Only BASIC authentication is supported (no NTLM authentication support).
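When reviewing firewall rules or flow logs for a Broker Network, the port tables of this chapter can be encoded once and observed flows compared against them. The following Python code is an added example, not Nextron code; the role labels, the sample flows and the reading of 12001-1200x as 12001 to 12000 + x are assumptions.

```python
"""Added example: audit role-labelled flows against this chapter's port tables.
Not Nextron code; role names and the sample flows are constructed."""
from dataclasses import dataclass

COMPONENTS = ("broker", "gatekeeper", "lobby")


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    ports: range
    purpose: str


def port(p):
    """A single port as a one-element range."""
    return range(p, p + 1)


def broker_network_rules(broker_cpus):
    """Build the documented flows; the tunnel range depends on the Broker's CPU count."""
    if broker_cpus < 1:
        raise ValueError("a Broker has at least one CPU core")
    # Assumption: "12001-1200x (x = CPU count of Broker)" means 12001 .. 12000 + x.
    tunnels = range(12001, 12001 + broker_cpus)
    rules = [
        Rule("agent", "asgard", "tcp", port(443), "Agent to Server communication"),
        Rule("agent", "broker", "tcp", port(443), "Agent to Server communication"),
        Rule("agent", "lobby", "tcp", port(443), "Retrieve certificate"),
        Rule("gatekeeper", "lobby", "tcp", port(12000), "Statistics"),
        Rule("gatekeeper", "broker", "tcp", port(12000), "Statistics"),
        Rule("gatekeeper", "broker", "tcp", tunnels, "Create secure tunnel per client"),
        Rule("asgard", "gatekeeper", "tcp", port(12000), "Backend management"),
        Rule("workstation", "lobby", "tcp", port(9443), "Web administration"),
    ]
    for comp in COMPONENTS:
        rules.append(Rule("workstation", comp, "tcp", port(22), "CLI administration"))
        rules.append(Rule(comp, "update", "tcp", port(443), "Product and system updates"))
        rules.append(Rule(comp, "ntp", "udp", port(123), "NTP"))
    return rules


def audit(flows, broker_cpus):
    """Return (documented, undocumented); documented entries carry the table purpose."""
    rules = broker_network_rules(broker_cpus)
    documented, undocumented = [], []
    for src, dst, proto, dport in flows:
        hit = next((r for r in rules
                    if (r.src, r.dst, r.proto) == (src, dst, proto)
                    and dport in r.ports), None)
        if hit:
            documented.append(((src, dst, proto, dport), hit.purpose))
        else:
            undocumented.append((src, dst, proto, dport))
    return documented, undocumented


# Constructed flows, already mapped from IP addresses to component roles.
FLOWS = [
    ("agent", "broker", "tcp", 443),
    ("gatekeeper", "broker", "tcp", 12004),
    ("gatekeeper", "broker", "tcp", 12005),   # outside the range for a 4-core Broker
    ("broker", "gatekeeper", "tcp", 12000),   # reverse direction, not in the tables
    ("agent", "gatekeeper", "tcp", 12000),    # agents never talk to the Gatekeeper
    ("workstation", "lobby", "tcp", 9443),
    ("workstation", "broker", "tcp", 9443),   # web administration exists on the Lobby only
    ("lobby", "ntp", "udp", 123),
]

if __name__ == "__main__":
    ok, unexpected = audit(FLOWS, broker_cpus=4)
    for flow in unexpected:
        print("not in the port tables:", flow)
```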
DNS
All the components need to have a resolvable FQDN.
Brokers facing the open internet need to be resolvable with a public FQDN and IP Address, so make sure to configure the necessary A-Records before setting up an external facing Broker and/or Lobby.
Verify the Downloaded ISO (Optional)
You can do a quick hash check to verify that the download was not corrupted. We recommend verifying the downloaded ISO's signature, as this is the cryptographically sound method.
The hash and signature file are both part of the ZIP archive you download from our portal server.
Via Hash
Extract the ZIP and check the sha256 hash:
On Linux
user@host:~$ sha256sum -c nextron-universal-installer.iso.sha256
nextron-universal-installer.iso: OK
or in Windows command prompt
C:\Users\user\Desktop\asgard2-installer>type nextron-universal-installer.iso.sha256
efccb4df0a95aa8e562d42707cb5409b866bd5ae8071c4f05eec6a10778f354b nextron-universal-installer.iso
C:\Users\user\Desktop\asgard2-installer>certutil -hashfile nextron-universal-installer.iso SHA256
SHA256 hash of nextron-universal-installer.iso:
efccb4df0a95aa8e562d42707cb5409b866bd5ae8071c4f05eec6a10778f354b
CertUtil: -hashfile command completed successfully.
or in PowerShell
PS C:\Users\user\Desktop\asgard2-installer>type .\nextron-universal-installer.iso.sha256
efccb4df0a95aa8e562d42707cb5409b866bd5ae8071c4f05eec6a10778f354b nextron-universal-installer.iso
PS C:\Users\user\Desktop\asgard2-installer>Get-FileHash .\nextron-universal-installer.iso
Algorithm Hash Path
--------- ---- ----
SHA256 EFCCB4DF0A95AA8E562D42707CB5409B866BD5AE8071C4F05EEC6A10778F354B C:\Users\user\Desktop\asgard2-installer\nextron-universal-installer.iso
Via Signature (Recommended)
Extract the ZIP, download the public key (codesign.pem) and verify the signed ISO:
On Linux
user@host:~$ wget https://www.nextron-systems.com/certs/codesign.pem
user@host:~$ openssl dgst -sha256 -verify codesign.pem -signature nextron-universal-installer.iso.sig nextron-universal-installer.iso
Verified OK
or in PowerShell
PS C:\Users\user\Desktop\asgard2-installer>Invoke-WebRequest -Uri https://www.nextron-systems.com/certs/codesign.pem -OutFile codesign.pem
PS C:\Users\user\Desktop\asgard2-installer>& "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" dgst -sha256 -verify codesign.pem -signature nextron-universal-installer.iso.sig nextron-universal-installer.iso
Verified OK
Note
If openssl is not present on your system, you can easily install it using winget (winget install openssl).
Setup Guide
This chapter contains the setup guide with an example of how to create a new ESXi virtual machine and install the ASGARD Broker Network Components.
Overview of the Components
There are three components which are needed for the Broker Network:
Lobby - New ASGARD Agents will get a certificate for secure communication from the Lobby. An administrator can accept the agents or configure the auto-accept option. Certificates for agents can also be revoked here.
Gatekeeper - The Gatekeeper is used to communicate directly between all the components. Certificates and Revoke Lists are picked up from the Lobby and pushed to all Brokers.
Broker - Your Broker(s) are the components which your ASGARD Agents communicate with. Once an ASGARD Agent has received a valid certificate from the Lobby, communication is possible. You can have multiple Brokers configured.

In this guide, we will assume a scenario with only one Broker, one Lobby and one Gatekeeper. If you wish to install multiple smaller sized Brokers, you can do so.
Create a new ESX VM and mount the ISO
Note
This step has to be done three times, as we need one dedicated server for each component. Please see Hardware Requirements for the hardware requirements.
Create a new VM with your virtualization software. In this case, we will use VMware ESX managed through VMware vCenter.
The new VM must be configured with a Linux base system and Debian GNU/Linux 10 (64 bits) as target version. It is recommended to upload the ASGARD ISO to an accessible data store and mount it to your newly created VM.




Please make sure to select a suitable v-switch or physical interface that reflects the IP address scheme you are planning to use for the new ASGARD.
Network Configuration




Warning
ASGARD needs to be able to resolve internal and external IP addresses.


Warning
Important: Make sure that the combination of hostname and domain creates an FQDN that can be resolved from the endpoints on which you intend to install the ASGARD agents. If you've configured an FQDN (hostname + domain) that cannot be resolved on the clients, no agent will be able to find and reconnect to the ASGARD server.

Choosing a Password

Choosing a password for the nextron user
Partitioning of the Hard Disk

Finally, write your configuration to the disk by selecting "Yes" and clicking "Continue".

If you are using a proxy to access the internet, enter the proxy details in the next step. Please note, Internet connectivity is required for the next step.
Proxy Configuration

The base installation is now complete. In the next step we will install the Broker Network Components. For this step Internet connectivity is required.
Use SSH to connect to the appliance using the user nextron and the password you specified during the installation. If SSH is not available, you can perform the next steps via the Console of your Virtualization Host, though SSH has more possibilities.
Changing the IP-Address
Your components' IP addresses can be changed in /etc/network/interfaces. The IP is configured with the address variable.
nextron@asgard:~$ sudo vi /etc/network/interfaces
auto ens32
iface ens32 inet static
address 192.0.2.7
netmask 255.255.255.0
gateway 192.0.2.254
Note
There might be a case where the name of the network interface (in this example: ens32) is different.
To verify this you can run ip a and see the name of the network interface.
The new IP can be applied with the command sudo systemctl restart networking.
Make sure to update the A-Records in your local DNS Server to reflect the IP changes.
Verifying DNS Settings
To verify if your components are using the correct DNS Server, you can inspect the file /etc/resolv.conf:
nextron@asgard-ac:~$ cat /etc/resolv.conf
search example.org
nameserver 172.16.200.2
If you see errors in this configuration, you can change it with the following command:
nextron@asgard-ac:~$ sudoedit /etc/resolv.conf
Installing the Broker Network Components
After the base installation of your servers is completed, we can install the specific software for the components.
You can now choose the role you want to install (Broker, Gatekeeper or Lobby):

You can install the three [1] servers in any order, as we will configure them once they are all up and running.
Warning
The Broker Network needs a minimum version of 2.14.0 of the ASGARD Management Center. Please make sure you installed your Broker Network license in your ASGARD Management Center.
If you still can't see the Broker Network tab in your Asset Management, restart the asgard2 service in Settings > System > Services.
[1] This number may vary. In this example we went with the minimum of one Broker, one Lobby and one Gatekeeper.
Gatekeeper Installation
To install the Gatekeeper, run the following command on your newly installed system:
nextron@gatekeeper:~$ sudo nextronInstaller -gatekeeper

After the installation is done, you will see the following message:

You can now check if the service was installed successfully.
nextron@gatekeeper:~$ systemctl status asgard2-gatekeeper.service
You will see that the service is in a "failed/exited" state. This will change once we have configured our ASGARD with the Gatekeeper.
To configure your Gatekeeper in the ASGARD Management Center, we will continue later in the chapter Gatekeeper Configuration.
Lobby Installation
To install the Lobby, run the following command on your newly installed system:
nextron@lobby:~$ sudo nextronInstaller -lobby

After a short while you will be prompted to enter a password for the admin user. This is the user for the web interface of the Lobby.
Note
The password has to:
Be a minimum of 12 characters long
Contain at least one upper- and lowercase letter, one digit and one special character

After the installation is finished, you will see the following message:

You can check the service to see if everything is up and running.
nextron@lobby:~$ systemctl status asgard-lobby.service

You can now navigate to the web interface of the Lobby at https://<FQDN>:9443.
Please log into the Lobby with the user admin and the password you chose during the installation:

To configure your Lobby in the ASGARD Management Center, we will continue later in the chapter Lobby Configuration.
Broker Installation
To install a Broker, run the following command on your newly installed system:
nextron@broker:~$ sudo nextronInstaller -broker

After the installation is finished, you will see the following message:

You can now check if the service was installed successfully.
nextron@broker:~$ systemctl status asgard-broker.service
You will see that the service is in a "failed/exited" state. This will change once we have configured our ASGARD with the Broker.
To configure your Broker in the ASGARD Management Center, we will continue later in the chapter Broker Configuration.
Administration
This chapter assumes you have already installed at least one Lobby, one Gatekeeper and one Broker. If you have not done this yet, please go back to the chapter Overview of the Components and follow the instructions carefully.
Configuration of the Components
Gatekeeper Configuration
Once you installed your Gatekeeper via the nextronInstaller, you can start to configure it.
To do this, we have to connect the Gatekeeper to our ASGARD Management Center.
Navigate to Asset Management > Broker Network in your ASGARD Management Center.
From here you can click the edit button on the Gatekeeper:

Once you clicked on the Edit Button, a pop-up will appear. Please set the FQDN of your gatekeeper.

After you confirmed your Gatekeeper's FQDN, you will get another pop-up with a command (sudo asgard2-gatekeeper-install '<TOKEN>'). Please copy this command and execute it on the gatekeeper via SSH:


Once you are done, you can check the status and other settings of the Gatekeeper in your ASGARD (magnifying glass icon):

To see if the Gatekeeper is running correctly, you can run the following command (status should be active (running)):
nextron@broker:~$ systemctl status asgard2-gatekeeper.service
● asgard2-gatekeeper.service - ASGARD 2 Gatekeeper
Loaded: loaded (/lib/systemd/system/asgard2-gatekeeper.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2022-11-04 08:40:15 CET; 17s ago
Main PID: 1826 (bash)
Tasks: 7 (limit: 4667)
Memory: 13.3M
CGroup: /system.slice/asgard2-gatekeeper.service
├─1826 /bin/bash /etc/asgard2-gatekeeper/run_asgard2_gatekeeper.sh
└─1827 /usr/bin/asgard2-gatekeeper
Note
You might need to restart the Gatekeeper after the initial setup. To do this, run sudo systemctl restart asgard2-gatekeeper.service on the CLI of your Gatekeeper.
Lobby Configuration
Once you installed your Lobby via the nextronInstaller, you can start to configure it.
To do this, we have to connect the Lobby to our ASGARD Management Center.
Navigate to Asset Management > Broker Network in your ASGARD Management Center.
You can now add a new Lobby on the top right corner. Please fill in the FQDN and click Submit. You can assign a Group to group the Lobby and one or multiple Brokers into one group. If you are planning to only use one Lobby you can leave the value as default.

A pop-up will appear with configuration instructions. Download the configuration file; we will use it in our Lobby next.

In your Lobby, navigate to System Settings > Lobby. Here you can upload the configuration file we downloaded in the last step:

After you uploaded the configuration to your Lobby, you should now see that the Lobby is connected with your ASGARD Management Center (Broker Network view in your ASGARD):

Note
You might need to restart the Lobby after the initial setup. To do this, run sudo systemctl restart asgard-lobby.service on the CLI of your Lobby.
Broker Configuration
Once you installed your Broker via the nextronInstaller, you can start to configure it.
To do this, we have to connect the Broker to our ASGARD Management Center.
Navigate to Asset Management > Broker Network in your ASGARD Management Center.
On the top right corner, click Add Broker. Please fill in the FQDN for Gatekeeper - this is the FQDN which your Gatekeeper will use to communicate with this Broker. Additionally, if the Broker should be reached via the open internet, you should assign FQDN for Agents as well (make sure to set the A-Record in your public domain). If you leave the FQDN for Agents empty, your agents will use the value of FQDN for Gatekeeper. You can leave the Group as default, but should change it accordingly if you set a different group earlier for your Lobby.

After you confirmed the settings for your new Broker, you will get another pop-up with a command (sudo asgard2-gatekeeper-install '<TOKEN>'). Please copy this command and execute it on the broker via SSH:


Once you are done, you can check the status and other settings of the Broker in your ASGARD Management Center (magnifying glass icon):

In this menu of your Broker, you can also configure NTP or rsyslog.
You might need to restart the Broker after the initial setup.
To see if the Broker is running correctly, you can run the following command (status should be active (running)):
nextron@broker:~$ systemctl status asgard-broker.service
● asgard-broker.service - ASGARD Broker
Loaded: loaded (/lib/systemd/system/asgard-broker.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2022-10-28 09:55:50 CEST; 6 days ago
Main PID: 10235 (bash)
Tasks: 19 (limit: 4698)
Memory: 1.4G
CGroup: /system.slice/asgard-broker.service
├─10235 /bin/bash /etc/asgard-broker/run_asgard_broker.sh
├─10236 asgard-broker
Agent Installer
After the Broker Network has been set up, you need to create a new Agent Installer.
To do this, navigate on your ASGARD to Downloads > Agent Installers. From here you can choose Add Agent Installers and set the configuration to your liking.
Most important here is the option Broker Groups. Set this to the value which you gave your Lobby and your Broker(s). After you have added the agent installer, make sure to install it on the agents.


Migrate existing Agents to Broker Network
If you need to update existing ASGARD Agents with your new configuration for the Broker Network, you can create a (Scheduled) Group Task.
To do this, navigate to Response Control > (Scheduled) Group Task and add a new task. Choose Maintenance for the Task and Configure the asset's Broker Network for the Maintenance Type.
The Broker Groups are optional, but you should choose accordingly if you created a different group in the earlier steps.

Once the Agents received the task from your ASGARD, the configuration will be updated. The Agent will register itself to your Lobby and ask for a certificate. This certificate is used to allow communication with the Broker.
Using the Lobby
The Lobby is the component in your Broker Network which needs a little more attention. The Lobby distributes or revokes certificates for ASGARD Agents, which are needed to communicate over the secure channel of the Broker Network. The first thing your Agents do, if configured to use your Broker Network, is contact your Lobby. They need a unique certificate to be able to communicate with your Brokers.
During the initial setup of your Agent, a unique public and private key will be generated. The agent sends the public key to the Lobby, which in return (if the Asset is accepted) sends the agent a signed TLS ClientAuth certificate.
The Gatekeeper pulls the current CA certificate as well as the CRL from the Lobby and sends them to all the Brokers. The Brokers need this CA certificate to verify the authenticity of the presented certificate (similar to TLS in Web traffic).
The agent will use the earlier issued certificate from the Lobby to communicate with the Broker. If the certificate is valid (i.e. it was signed by the root CA in the Lobby), it is allowed to continue further. If the certificate of the agent has been revoked (now in the CRL) or was not signed by the CA, communication is denied.
Asset Requests
In your Lobby you can see the Asset Request of your Agents in Assets > Asset Requests:

Here you have four options depending on what should happen to this agent:
Issue Certificate to allow connections from an asset
Revoke Certificate to deny connections from an asset
Delete Asset from Database; the asset may re-register
Edit Asset
You can set your Lobby to auto-accept new agents, see Lobby Settings.
Approved Assets
In your Lobby you can see all the approved assets in Assets > Approved Assets.

Here you can see more information about the issued certificates or revoke some certificates to deny connection from the assets.
Actions you can take:
Revoke Certificate to deny connections from an asset
Edit Asset
Once a certificate is revoked, the Agent communication is denied. The certificate will be placed in the CRL, which in return gets distributed by the Gatekeeper to all the Brokers.

Revoked Assets
In your Lobby you can see all the revoked assets in Assets > Revoked Assets.

Actions you can take here:
Issue Certificate to allow connections from an asset
Edit Asset
If you want to allow a revoked asset to communicate with the Brokers again, you can do this here. The certificate belonging to the asset will be removed from the CRL, which in return gets distributed by the Gatekeeper to all the Brokers.
From this point on, the Agent can communicate with the ASGARD through the Broker again. Revoking and allowing certificates is reflected on the Brokers rather quickly.
Lobby Settings
The Settings in your Lobby allow you to configure and tweak certain settings:
Users
Roles
Lobby
TLS
NTP
Syslog
System Upgrade
Lobby Settings - Users
In the Users setting of the Lobby you can create new users or assign roles to existing users.
You can also enforce the usage of 2FA for certain users.
Lobby Settings - Roles
You can define different roles for your Lobby. The default roles are:
User Admin
Asset Manager
Admin
An additional role of Read-Only can be created.

Lobby Settings - Lobby
In the Lobby Settings, you can see if Current Config is Available, which in return allows Agent Registration. This does not need to be changed, only during the initial setup you need to import the configuration.
Additionally, you can enable the Automatic Approval of ASGARD Agents.

Lobby Settings - TLS
You can upload a TLS Certificate for the Web Interface of the Lobby.

Lobby Settings - NTP
You can change the NTP Settings of the Lobby here. An indicator is shown with additional details regarding the NTP Status.

Lobby Settings - Syslog
You can configure Syslog Forwarding here, similar to the settings in your ASGARD, but only for your Lobby Logs.

Lobby Settings - Upgrade
Here you can apply system upgrades for the Lobby. Additional information regarding the system is shown as well. You can also see and download the upgrade log if necessary.

Lobby Status
The Lobby Status on the left hand side of the navigation menu gives a good indicator if there are any issues with the system.
Lobby Status - OK
The green indicator means that everything is working as expected.

Lobby Status - Warning
A yellow indicator means that one or more services are not running properly.

Inspect the Diagnostics panel by clicking on the ASGARD Lobby Status button to get a better understanding of the issue.

Here we can see that the Gatekeeper didn't contact the Lobby. You can see more details by clicking the magnifying glass to the right.

Lobby Status - Error
A red indicator means that one or more services are problematic and need to be fixed in a timely manner.

Inspect the Diagnostics panel by clicking on the ASGARD Lobby Status button to get a better understanding of the issue.

Here we can see that the Lobby can't reach the update server. You can see more details by clicking the magnifying glass to the right.

Broker Network in the ASGARD Management Center
The Broker Network view in your ASGARD gives you:
The number of Asset connections
Gatekeeper Statistics
Open, Approved and Revoked Asset Requests in your Lobby
Indicator of connection issues between your components

Additionally, you can configure some settings of your Brokers, Gatekeeper and Lobby.
Broker Maintenance
In your Broker Network view, you can configure and inspect the status of your Brokers:
Restart Broker
Check for updates
Statistics regarding Open Connections
Broker Logs
Settings
Configure syslog
Configure NTP

Gatekeeper Maintenance
In your Broker Network view, you can configure and inspect the status of your Gatekeeper:
Restart Broker
Check for updates
Statistics regarding Open Connections
Gatekeeper Log
Rejected Headers
Rejected Requests
Settings
Configure syslog
Configure NTP

Lobby Maintenance
In your Broker Network view, you can inspect the details of your Lobby:

For configuration and Maintenance, use the Web Interface of the Lobby running on port 9443, see chapter Using the Lobby.
Updates
This section focuses on updates for your products.
Warning
The section Major Updates should only be considered if you have updated your ASGARD Management Center to version 3.x. Please see the manual section Upgrade from Management Center v2 to v3 in the ASGARD Management Center Manual for the instructions to update your Management Center to the newest major version.
Minor Updates
This chapter guides you through the update process of your ASGARD Broker Network components.
ASGARD Broker
You can see new available versions for your Broker(s) if you open the details page for each Broker. To do this, navigate to Asset Management > Broker Network and click the magnifying glass icon next to your Broker:

Broker Minor Update
Click the Update from X to Y Button. A popup will appear. Please read the information carefully and proceed with the Update.

Broker Minor Update Confirmation
The update process might take a few seconds, and you will get some warnings in your Broker Network overview, mainly that the connection to the broker is disrupted. This is normal and should correct itself after the service is up and running again.
ASGARD Gatekeeper
You can see new available versions for your Gatekeeper if you open the details page. To do this, navigate to Asset Management > Broker Network and click the magnifying glass icon next to your Gatekeeper:

Gatekeeper Minor Update
Click the Update from X to Y Button. A popup will appear. Please read the information carefully and proceed with the Update.

Gatekeeper Minor Update Confirmation
The update process might take a few seconds, and you will get some warnings in your Broker Network overview, mainly that the connection to the broker is disrupted. This is normal and should correct itself after the service is up and running again.
ASGARD Lobby
To see if new updates for your Lobby are available, open the web interface via your Broker Network view. To do this, navigate to Asset Management > Broker Network and click the "open link" icon next to your Lobby:

Lobby Minor Update
A new browser tab with the URL to your Lobby will be opened. Log into the Lobby and navigate to System Settings > System Upgrade. You should see a new version available. You can also see available updates via the status indicator on the left navigation bar.

Lobby Minor Update

Lobby Minor Update
Click Upgrade System now to install the newest Lobby version. The upgrade might take a while, and you will also see "Connectivity Issues" in your Broker Network tab on the Management Center, but this will correct itself once the Lobby has been updated successfully.
Major Updates
This chapter guides you through the update process of your ASGARD Broker Network components.
It is important to follow the steps carefully. We advise you to create a snapshot of the Gatekeeper and Lobby before starting your update. The Lobby and Gatekeeper contain certificates for your agents to connect through the broker endpoints. If those certificates get lost (i.e. the update fails and you need to reinstall), you need to reconnect all your agents.
Note
You can start the update process on all your components simultaneously. The updates take a while and your components will be offline for the duration of the update.
Preparation
To prepare for your update, we compiled a list of tasks you should follow:
Task | Description |
---|---|
Snapshot of your Gatekeeper | For disaster recovery |
Snapshot of your Lobby | For disaster recovery |
Management Center running version 3.x | Prerequisite for the updates |
Connection to our new update servers | New update server infrastructure |
For details regarding some of the above tasks, see the next section in this manual.
With the new version of your Broker Network, we also made changes to our update servers. Please make sure that all your components can reach the following servers:
Server | Port | Description |
---|---|---|
update3.nextron-systems.com | tcp/443 | Old update server |
update-301.nextron-systems.com | tcp/443 | New update server |
The old update server is needed to fetch the updater and other prerequisites. The new update server is needed to update your servers to Debian 12 and also to install any new packages, which are needed for your Broker Network components.
You can find the corresponding IP addresses for the above FQDNs here: https://www.nextron-systems.com/resources/hosts/.
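A preflight for the two update servers listed above, as an added example rather than Nextron tooling. It assumes a direct connection (no HTTP proxy) and that getent, timeout and bash are available on the component; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Nextron code): preflight for the update servers
# named in the manual. Run it on each Broker, Gatekeeper and Lobby.
UPDATE_SERVERS="update3.nextron-systems.com update-301.nextron-systems.com"
UPDATE_PORT=443

# DNS step: succeeds if the name resolves on this host.
resolve_host() { getent hosts "$1" >/dev/null 2>&1; }

# TCP step: succeeds if a connection to host:port opens within 5 seconds.
# Assumption: no proxy in between; a proxied setup needs a different probe.
probe_tcp() { timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

# Print one result line per server; return non-zero if any server fails.
# DNS and TCP failures are reported separately because they point at
# different fixes (resolver configuration vs. firewall rule).
preflight_update_servers() {
    rc=0
    for host in $UPDATE_SERVERS; do
        if ! resolve_host "$host"; then
            echo "$host dns-failed"
            rc=1
        elif ! probe_tcp "$host" "$UPDATE_PORT"; then
            echo "$host tcp/$UPDATE_PORT blocked"
            rc=1
        else
            echo "$host tcp/$UPDATE_PORT ok"
        fi
    done
    return $rc
}

# Run the real checks only when asked, e.g.: sh preflight.sh run
if [ "${1:-}" = "run" ]; then preflight_update_servers; fi
```

A non-zero exit code means at least one server is unreachable, so the major update should not be started on that component yet.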
Management Center running version 3.x
To check if your Management Center is running on the correct version you can navigate to the Overview page. Here you can see the current version of your Management Center.

Management Center Version
Performing the updates
In this section we will perform the actual update of your components.
ASGARD Broker
Navigate to Asset Management > Broker Network and click the magnifying glass icon on your Broker(s). You will see that there is a major upgrade available. Click the yellow info icon next to the text and read the information.

Instructions for Broker update
To start your update, connect to your Broker(s) via SSH. We will utilize asgard-updater to perform the update. First we need to check if a newer version of the asgard-updater is available. If you get the highlighted output, you already have the newest version installed (the version might differ from the output here):
nextron@broker:~$ sudo apt update
nextron@broker:~$ sudo apt install asgard-updater
Reading package lists... Done
Building dependency tree
Reading state information... Done
asgard-updater is already the newest version (1.0.15).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
You can now run the asgard-updater with the following command:
nextron@broker:~$ start-asgard-update
The server running your Broker(s) will now restart multiple times. It is important to not interrupt the update process and let the server do all the tasks. You can, however, see if any errors occurred during the update or just observe at what stage the update is.
Run the following command to see the status of your update:
nextron@broker:~$ sudo tail -f /var/log/asgard-updater/update.log
Note
Since the update is downloading many packages of the Debian base system, the process will take a while. Your Broker(s) might be online sporadically throughout the update, but we still advise you to wait until the update is finished before changing anything on the system.
The update is finished if you are seeing the following lines:
nextron@broker:~$ sudo tail -f /var/log/asgard-updater/update.log
2024-01-16T14:20:54.253032+01:00 broker asgard-updater[667]: Upgrade finished. Deactivating service...
2024-01-16T14:20:54.259176+01:00 broker asgard-updater[667]: Removed "/etc/systemd/system/multi-user.target.wants/asgard-updater.service".
Your update is now finished.
ASGARD Gatekeeper
Navigate to Asset Management > Broker Network and click the magnifying glass icon on your Gatekeeper. You will see that there is a major upgrade available. Click the yellow info icon next to the text and read the information.

Instructions for Gatekeeper update
To start your update, connect to your Gatekeeper via SSH. We will utilize asgard-updater to perform the update. First we need to check if a newer version of the asgard-updater is available. If you get the highlighted output, you already have the newest version installed (the version might differ from the output here):
nextron@gatekeeper:~$ sudo apt update
nextron@gatekeeper:~$ sudo apt install asgard-updater
Reading package lists... Done
Building dependency tree
Reading state information... Done
asgard-updater is already the newest version (1.0.15).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
You can now run the asgard-updater with the following command:
nextron@gatekeeper:~$ start-asgard-update
The server running your Gatekeeper will now restart multiple times. It is important to not interrupt the update process and let the server do all the tasks. You can, however, see if any errors occurred during the update or just observe at what stage the update is.
Run the following command to see the status of your update:
nextron@gatekeeper:~$ sudo tail -f /var/log/asgard-updater/update.log
Note
Since the update is downloading many packages of the Debian base system, the process will take a while. Your Gatekeeper might be online sporadically throughout the update, but we still advise you to wait until the update is finished before changing anything on the system.
The update is finished if you are seeing the following lines:
nextron@gatekeeper:~$ sudo tail -f /var/log/asgard-updater/update.log
2024-01-16T14:20:54.253032+01:00 gatekeeper asgard-updater[667]: Upgrade finished. Deactivating service...
2024-01-16T14:20:54.259176+01:00 gatekeeper asgard-updater[667]: Removed "/etc/systemd/system/multi-user.target.wants/asgard-updater.service".
Your update is now finished.
ASGARD Lobby
Navigate to System Settings > System Upgrade in your Lobby's web interface. You will see a big notice with the headline Major System Update Available. If this is the case, your Lobby is ready for the major update.

Instructions for Lobby update
To start your update, connect to your Lobby via SSH. We will utilize asgard-updater to perform the update. First we need to check if a newer version of the asgard-updater is available. If you get the highlighted output, you already have the newest version installed (the version might differ from the output here):
nextron@lobby:~$ sudo apt update
nextron@lobby:~$ sudo apt install asgard-updater
Reading package lists... Done
Building dependency tree
Reading state information... Done
asgard-updater is already the newest version (1.0.15).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
You can now run the asgard-updater with the following command:
nextron@lobby:~$ start-asgard-update
The server running your Lobby will now restart multiple times. It is important to not interrupt the update process and let the server do all the tasks. You can, however, see if any errors occurred during the update or just observe at what stage the update is.
Run the following command to see the status of your update:
nextron@lobby:~$ sudo tail -f /var/log/asgard-updater/update.log
Note
Since the update is downloading many packages of the Debian base system, the process will take a while. Your Lobby might be online sporadically throughout the update, but we still advise you to wait until the update is finished before changing anything on the system.
The update is finished if you are seeing the following lines:
nextron@lobby:~$ sudo tail -f /var/log/asgard-updater/update.log
2024-01-16T14:20:54.253032+01:00 lobby asgard-updater[667]: Upgrade finished. Deactivating service...
2024-01-16T14:20:54.259176+01:00 lobby asgard-updater[667]: Removed "/etc/systemd/system/multi-user.target.wants/asgard-updater.service".
Your update is now finished.
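The log check described in the Broker, Gatekeeper and Lobby sections above, as an added example that is not part of the asgard-updater package. The completion marker is the line quoted in this manual; the error pattern, the function names and the in-progress sample lines are assumptions.

```shell
#!/bin/sh
# Added example (not Nextron code): summarise the asgard-updater log.
UPDATE_LOG="${UPDATE_LOG:-/var/log/asgard-updater/update.log}"
# Completion marker, quoted from the manual's sample output.
DONE_MARKER='Upgrade finished. Deactivating service...'
# Assumption: failures are logged with one of these words; adjust as needed.
ERROR_PATTERN='error|failed|fatal'

# Print only the message part of asgard-updater lines (syslog prefix removed).
updater_messages() {
    grep -F ' asgard-updater[' "$1" 2>/dev/null |
        sed 's/^[^ ]* [^ ]* asgard-updater\[[0-9]*]: //'
}

# Echo "<state> <error-line-count>"; state is not-started, running or finished.
updater_status() {
    log="${1:-$UPDATE_LOG}"
    if [ ! -s "$log" ]; then
        echo "not-started 0"
        return 0
    fi
    [ -r "$log" ] || { echo "unreadable 0"; return 1; }
    # grep -c exits non-zero on a count of 0, hence the "|| true".
    errors=$(updater_messages "$log" | grep -Eic "$ERROR_PATTERN" || true)
    if updater_messages "$log" | grep -Fq "$DONE_MARKER"; then
        echo "finished $errors"
    else
        echo "running $errors"
    fi
}

# Constructed sample: the first two lines are invented for illustration,
# the last two are the completion lines shown in the manual.
sample=$(mktemp)
cat > "$sample" <<'EOF'
2024-01-16T13:02:11.000000+01:00 broker asgard-updater[667]: (constructed) starting upgrade stage 1
2024-01-16T13:40:03.000000+01:00 broker asgard-updater[667]: (constructed) error: package download failed, retrying
2024-01-16T14:20:54.253032+01:00 broker asgard-updater[667]: Upgrade finished. Deactivating service...
2024-01-16T14:20:54.259176+01:00 broker asgard-updater[667]: Removed "/etc/systemd/system/multi-user.target.wants/asgard-updater.service".
EOF
updater_status "$sample"   # prints: finished 1
```

On a real component, call `updater_status` without an argument after reconnecting via SSH, with the same privileges the manual uses for `sudo tail`. A non-zero error count alongside `finished` is a reason to read the full log before putting the component back into service.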
Known Issues
You can find a list of known issues in this section. There are no known issues at this point.
Troubleshooting
Nothing to troubleshoot.