How to Obtain your K5 Domain ID with ‘Developer’ only rights

So the easiest way to find your Domain ID for use with the K5 REST API is via the ‘Manage | User Management | Group’ menu within the IaaS Portal, where it is listed as a column in the Group details.

Unfortunately this menu is only available to users with ‘Administrator’ permissions, not ‘Developer’ permissions.

In this situation, developers can use the following API command to obtain the Domain ID (and Project ID) for their contract/domain:

How to Establish an IPsec Network Connection between FUJITSU K5 and S5 Virtual Environments

Thanks to the built-in IPsec VPN gateway functionality of both FUJITSU’s Trusted Public S5 and K5 IaaS cloud platforms, it is relatively easy and straightforward to securely connect virtual networks deployed within each platform to one another. In this blog I will show you how.

This may be of particular benefit to existing S5 users who are thinking of moving to K5 over a period of time, or need for some reason to merge two environments.

Both S5 and K5 IPsec gateways use the standardised ISAKMP (Internet Security Association and Key Management Protocol) and IPsec tunnelling protocols. Each IPsec VPN gateway encapsulates IP packets received from its local network and sends them securely to the peer IPsec VPN gateway, where they are decapsulated. Once firewall rules/security groups have been configured appropriately, virtual hosts in each location can communicate securely with one another as if on the same network (site-to-site).

For this to work, you will need a K5 and an S5 contract, each configured with a basic Internet-connected network/system. Ensure the IP subnet ranges used on each network/site do not overlap in any way, as this will cause havoc with your routing. You will probably also want a VM on each of the K5 and S5 networks, so that you can verify the connection has been established with ping commands from both sides.

Within K5:

1. Using the portal or otherwise, deploy a network/subnet connected to a router configured with an external network gateway. In this example I will be using a K5 subnet of 192.168.1.0/24 and a gateway of 192.168.1.1. Then note down the IDs of the following four resources (the IDs of my resources are shown below), as these will be required shortly:

  • ROUTER_ID=2f1cc335-e2f7-439e-870b-1eb17b9f4399
  • NETWORK_ID=86d5aef2-45fc-46b7-920b-3d3d904ff174
  • SUBNET_ID=245dba3b-ee29-4004-adea-8d73027d5474
  • VM_PORT_ID=60708c4f-19d3-483d-9d37-4550a53483f9 (see note #1)

#1 Within the ‘Virtual Network details’ tab for your network, under ‘Ports’, click the port name for ‘network:router_interface’ to open its properties and reveal the VM Port ID.


2. Next, within the ‘Virtual Router Details’ screen, add a public IP address to the router_interface via the ‘Global IP Allocation’ option under the ‘Action’ menu. Note down the Global IP Address that is assigned, for use later:

  • K5 Public  – 62.60.46.142
  • K5 Gateway – 192.168.1.1

3. Within your API console, configure the following variables, updating the values below with your IDs and a name of your choosing:

  • VPN_SERVICE_NAME=ipvpn-service_to_S5
  • ADMIN_STATE_UP=true
  • ROUTER_ID=2f1cc335-e2f7-439e-870b-1eb17b9f4399
  • NETWORK_ID=86d5aef2-45fc-46b7-920b-3d3d904ff174
  • SUBNET_ID=245dba3b-ee29-4004-adea-8d73027d5474
  • VM_PORT_ID=60708c4f-19d3-483d-9d37-4550a53483f9
  • AZ=uk-1a

4. Enter the following command to enable IPsec on your K5 router.

This should result in output of the form shown below:

Create a new variable as below, containing the ID from the output above:

  • VPN_SERVICE_ID1=e91bded7-ce3d-4483-a823-c7021ab6ee9e

5. Next create the following new variables, updating the values as required:

  • AUTH_ALGORITHM=sha1
  • ENCRYPTION_ALGORITHM=aes-256
  • IKE_VERSION=v1
  • LIFETIME_UNITS=seconds
  • LIFETIME_VALUE=86400
  • PFS=group5
  • PHASE_NEGOTIATION_MODE=main
  • IKE_POLICY_NAME=ipvpn_ikepolicy_S5

Enter the following command to create the IKE policy to be used by the IPsec service:

This should result in output of the form shown below:

Create a new variable as below, containing the ID from the output above:

  • IKE_POLICY_ID1=def8495c-7108-4c97-a198-6a198ae046dd

6. Next add the following new variables, updating the values as appropriate:

  • ENCAPSULATION_MODE=tunnel
  • ENCRYPTION_ALGORITHM=aes-256
  • TRANSFORM_PROTOCOL=esp
  • IPSEC_POLICY_NAME=ip_vpn_ipsecpolicy_S5

Enter the following command to create the IPsec policy to be used by the IPsec service:

This should result in output of the form shown below:

Create a new variable as below, containing the ID from the output above:

  • IPSEC_POLICY_ID1=cbd8dc58-6caf-4c8d-bf8c-536eb34855e9

Within S5:

When logged into S5, IPsec VPN configuration is performed under the ‘IPsec VPN Manager’ menu within ‘My Portal’.

1. Record the IP address range for each S5 subnet you want to connect to. As an example, the subnet for the DMZ network would be 172.16.7.0/24, SECURE 1 would be 172.16.8.0/24 and SECURE 2 would be 172.16.9.0/24.

K5 Subnet(s)        S5 Subnet(s)
192.168.1.0/24      DMZ     – 172.16.60.0/24
                    SECURE1 – 172.16.61.0/24
                    SECURE2 – 172.16.62.0/24

2. Within the ‘My Portal’ area of the portal, select ‘IPsec VPN Manager’ from the left hand menu.

3. Select the ‘Create New GW’ button and, in the resulting box, enter a suitable name for the connection that relates to this particular contract (e.g. IPsecVPN-service_to_K5) and click ‘Next’.

4. Note the public IP address and local IP address from this screen for the site, as these are required later.

K5 IP Addresses             S5 Network Addresses
Public  – 62.60.46.142      Public   – 62.60.20.119
Gateway – 192.168.1.1       Internal – 172.16.2.99

5. Select ‘On’ and answer ‘Yes’ to start the IPsec VPN. Once it is showing a status of ‘Running’, select it and click the ‘VPN Settings’ button.

6. Click ‘Add Destination GW’ and, in the resulting box, enter the required information (see below for guidance):

  • ID: Choose 1 (or the next number available if you already have existing gateways)
  • Destination GW Public IP Address: The public IP address assigned to your K5 router
  • Pre-share key: Any key/password up to 128 alphanumeric characters in length, to be used on both K5 and S5. It must be identical at both sites
  • Ping Target: The IP address of your K5 subnet gateway
  • Cipher Suite: Select ‘Cipher Suite A’

7. Click ‘Submit’ and answer ‘Yes’ to register the configuration, then ‘Ok’ when complete.

8. Within VPN Settings, select the Destination GW just created and click ‘Add Destination NW’. Then enter the CIDR of your K5 subnet, e.g. 192.168.1.0/24. Repeat this if adding more than one subnet.

Back with your K5 API console:

1. Add the following variables (amending the values as required):

  • PSK=Fghj6G0hAS (the same pre-shared key value used on S5)
  • INITIATOR=bi-directional
  • ADMIN_STATE_UP=true
  • PEER_CIDRS1=172.16.0.0/16 (the IP range in use on the S5 contract; use a /16 to cover the full range)
  • PEER_CIDRS2=172.16.60.0/24
  • MTU=1500
  • DPD_ACTION=hold
  • DPD_INTERVAL=60
  • DPD_TIMEOUT=240
  • PEER_ADDRESS=62.60.20.119 (public IP address of the S5 VPN service from above)
  • PEER_ID=62.60.20.119 (public IP address of the S5 VPN service from above)
  • IPSEC_SITE_NAME=ipvpn_ipsec_S5

Enter the following command to create the IPsec site connection:

This should result in output of the form of that shown below:

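As an added example (my code, not the post's or Fujitsu's), the following Python builds the JSON bodies that the API console commands in K5 steps 3 to 6 and site-connection step 1 above would POST to $NETWORK/v2.0/vpn/vpnservices, ikepolicies, ipsecpolicies and ipsec-site-connections, after checking the no-overlap rule from the introduction. It assumes K5 exposes the standard OpenStack Neutron VPNaaS field names (the deletion commands at the end of this post use the same endpoints); the post's K5-specific variables AZ, NETWORK_ID and VM_PORT_ID have no standard Neutron field and are left out, and the PSK is a placeholder.

```python
import ipaddress

POST_CONFIG = {  # values from the post; the PSK is a placeholder, not the post's
    "VPN_SERVICE_NAME": "ipvpn-service_to_S5",
    "ROUTER_ID": "2f1cc335-e2f7-439e-870b-1eb17b9f4399",
    "SUBNET_ID": "245dba3b-ee29-4004-adea-8d73027d5474",
    "IKE_POLICY_NAME": "ipvpn_ikepolicy_S5", "AUTH_ALGORITHM": "sha1",
    "ENCRYPTION_ALGORITHM": "aes-256", "IKE_VERSION": "v1", "PFS": "group5",
    "PHASE_NEGOTIATION_MODE": "main", "LIFETIME_UNITS": "seconds", "LIFETIME_VALUE": 86400,
    "IPSEC_POLICY_NAME": "ip_vpn_ipsecpolicy_S5", "TRANSFORM_PROTOCOL": "esp",
    "ENCAPSULATION_MODE": "tunnel", "IPSEC_SITE_NAME": "ipvpn_ipsec_S5",
    "VPN_SERVICE_ID1": "e91bded7-ce3d-4483-a823-c7021ab6ee9e",
    "IKE_POLICY_ID1": "def8495c-7108-4c97-a198-6a198ae046dd",
    "IPSEC_POLICY_ID1": "cbd8dc58-6caf-4c8d-bf8c-536eb34855e9",
    "PSK": "<PRESHARED-KEY-PLACEHOLDER>", "INITIATOR": "bi-directional",
    "PEER_ADDRESS": "62.60.20.119", "PEER_ID": "62.60.20.119",
    "PEER_CIDRS": ["172.16.0.0/16", "172.16.60.0/24"], "MTU": 1500,
    "DPD_ACTION": "hold", "DPD_INTERVAL": 60, "DPD_TIMEOUT": 240,
}


def overlapping_cidrs(local_cidr, remote_cidrs):
    """Remote CIDRs that overlap the local subnet; anything returned will break routing."""
    local = ipaddress.ip_network(local_cidr)
    return [c for c in remote_cidrs if ipaddress.ip_network(c).overlaps(local)]


def redundant_peer_cidrs(cidrs):
    """Peer CIDRs already covered by a wider entry in the same list (a /24 inside a /16)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in nets if any(o != n and n.subnet_of(o) for o in nets)]


def vpnaas_bodies(cfg=POST_CONFIG):
    """JSON bodies for POST $NETWORK/v2.0/vpn/<endpoint>, keyed by endpoint name."""
    return {
        "vpnservices": {"vpnservice": {
            "name": cfg["VPN_SERVICE_NAME"], "router_id": cfg["ROUTER_ID"],
            "subnet_id": cfg["SUBNET_ID"], "admin_state_up": True}},
        "ikepolicies": {"ikepolicy": {
            "name": cfg["IKE_POLICY_NAME"], "auth_algorithm": cfg["AUTH_ALGORITHM"],
            "encryption_algorithm": cfg["ENCRYPTION_ALGORITHM"], "ike_version": cfg["IKE_VERSION"],
            "pfs": cfg["PFS"], "phase1_negotiation_mode": cfg["PHASE_NEGOTIATION_MODE"],
            "lifetime": {"units": cfg["LIFETIME_UNITS"], "value": cfg["LIFETIME_VALUE"]}}},
        "ipsecpolicies": {"ipsecpolicy": {
            "name": cfg["IPSEC_POLICY_NAME"], "encryption_algorithm": cfg["ENCRYPTION_ALGORITHM"],
            "transform_protocol": cfg["TRANSFORM_PROTOCOL"],
            "encapsulation_mode": cfg["ENCAPSULATION_MODE"]}},
        "ipsec-site-connections": {"ipsec_site_connection": {
            "name": cfg["IPSEC_SITE_NAME"], "vpnservice_id": cfg["VPN_SERVICE_ID1"],
            "ikepolicy_id": cfg["IKE_POLICY_ID1"], "ipsecpolicy_id": cfg["IPSEC_POLICY_ID1"],
            "psk": cfg["PSK"], "initiator": cfg["INITIATOR"], "admin_state_up": True,
            "peer_address": cfg["PEER_ADDRESS"], "peer_id": cfg["PEER_ID"],
            "peer_cidrs": cfg["PEER_CIDRS"], "mtu": cfg["MTU"],
            "dpd": {"action": cfg["DPD_ACTION"], "interval": cfg["DPD_INTERVAL"],
                    "timeout": cfg["DPD_TIMEOUT"]}}},
    }
```

redundant_peer_cidrs flags PEER_CIDRS2 as already covered by PEER_CIDRS1, so one of the two can be dropped before submitting. If the peer offers SHA-256 and a larger DH group, prefer those over the sha1 and group5 values the post uses.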

2. Add the following variables, using the ID from above:

  • IPSEC_SITE_CONNECTION_ID=1b4c35f8-a50f-4446-b122-821730f27102

Enter the following command to view the IPsec site connection status and other details:

This should result in output of the form of that shown below:


3. Within the S5 IPsec VPN Manager, click to select your ‘IPSec VPN’ and click the ‘Monitor Status’ button. This should show a status of ‘Connected’.

4. Firewall rules and Security Groups on both the S5 and K5 sides need to be opened to allow the required traffic to flow between the subnets. As an example, the rules below allow SSH and ping between the K5 and S5 subnets.

K5 Security Groups (no firewalls are configured on the router):

Here the CIDR of the S5 DMZ subnet is used as the source and destination address in the ingress and egress rules.

S5 Firewall Rules:

Here the CIDR of the K5 subnet is used as the source and destination address on the Intranet network within the firewall rules.

5. Finally, you can SSH onto each VM and ping across the IPsec tunnel to a VM within the other environment.

Additional Information:

Use the following commands, in the order shown, to delete your IPsec gateway and related components:

# Delete the IPsec site connection first, as it references the service and policies below
curl -s $NETWORK/v2.0/vpn/ipsec-site-connections -X GET -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" | jq .
curl -s $NETWORK/v2.0/vpn/ipsec-site-connections/<ID RETURNED FROM PREVIOUS COMMAND> -X DELETE -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json"

# Delete the VPN service
curl -s $NETWORK/v2.0/vpn/vpnservices -X GET -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" | jq .
curl -i -X DELETE $NETWORK/v2.0/vpn/vpnservices/<ID RETURNED FROM PREVIOUS COMMAND> -H "X-Auth-Token: $OS_AUTH_TOKEN"

# Delete IKE policies
curl -s $NETWORK/v2.0/vpn/ikepolicies -X GET -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" | jq .
curl -s $NETWORK/v2.0/vpn/ikepolicies/<ID RETURNED FROM PREVIOUS COMMAND> -X DELETE -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json"

# Delete IPsec policies
curl -s $NETWORK/v2.0/vpn/ipsecpolicies -X GET -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" | jq .
curl -s $NETWORK/v2.0/vpn/ipsecpolicies/<ID RETURNED FROM PREVIOUS COMMAND> -X DELETE -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json"

Introduction to using the K5 SMTP Relay Service

The K5 SMTP relay service allows the sending of emails via the REST API, for easy integration with your application, or directly via an SMTP server from a client that supports either STARTTLS or SSL/TLS. For a comparison between the STARTTLS, SSL/TLS and SMTP protocols, please see https://www.fastmail.com/help/technical/ssltlsstarttls.html. See also the FJ IaaS Features Handbook for the latest on service constraints and limitations.

The K5 SMTP relay service utilises the Nifty SMTP service in Japan and requires you to authenticate against, and obtain a security token from, the K5 Japan East (jp-east-1) region. This will require you to enable the Japan-East-1 region for your contract, if not already enabled, and also to create a project within this region to which the account you are using in the scripts has full administrator permissions.

You should ensure your scripts for obtaining a token (e.g. init.sh) refer to the following endpoints, and include the ID of the project in Japan region:

TOKEN=https://identity.jp-east-1.cloud.global.fujitsu.com

MAILSERVICE=https://mail.jp-east-1.cloud.global.fujitsu.com

NOTE: The mail service endpoints for other regions have been withdrawn and are no longer supported.

Using the API Service

Before you can use the K5 SMTP relay service, it is necessary to first identify the email address/domain you want to use and then validate/prove ownership of that email address/domain. This blog will provide a walk-through of the process for both a single email address and a full domain.

Sending an Email via the API from a Single Email Address

The following command can be used to start the ownership validation of a single email address (in the below example I am using my Fujitsu email address ian.purvis@uk.fujitsu.com).


This will result in an email being automatically sent to the email address you specified. Scroll down this email, ignoring the Japanese text (unless you can speak Japanese) and click the link under ‘Verify registered email address’:


This link will take you to the Nifty Cloud Portal in Japan. If you can see a screen as below, then you have successfully validated your email address and the web page can be closed:


In the command below, I am using the validated ian.purvis@uk.fujitsu.com email address as my source address and ianpurvis1976@gmail.com as my target address:

This results in an email being relayed to my target mailbox, as if from my validated source email address.

Sending an Email via the API from any email address associated with your domain

The following command can be used to start the ownership validation of your domain name (in the example below I am using my GoDaddy-registered public-facing domain ianpurvis.co.uk).

This results in a verification token that must be added as a TXT record to the DNS records for the domain. For the purposes of this blog, I am using the K5 DNS as configured in my previous blog, and have redirected GoDaddy to use the K5 name servers. (I did try to get this to work with the GoDaddy DNS servers, but I was unable to add a TXT record with a Domain Name\Name in the required format without it being truncated.)

I used the following command to create a TXT record within my domain name space for ianpurvis.co.uk, with a Name\Domain Name in the format “_niftycloudess.<DOMAINNAME>” and the verification token from above in place of <INSERT YOUR TOKEN HERE>:

The following command can then be used to verify that the domain validation is now successful:

The following command can now be used to send an email from any address in my validated domain (even if no actual mailbox exists):

Note that %40 must be used in place of the “@” sign. In the above example, I have successfully sent an email to ianpurvis1976@gmail.com from ian@ianpurvis.co.uk.

SMTP Relay Service

Sending an Email via the SMTP Relay Service

In addition to the API, emails can also be sent directly via the Nifty SMTP relay service using a supported client. Note that this service requires the use of either the STARTTLS or SSL/TLS protocol, to ensure all emails are encrypted, and does not support the sending of emails via standard (unencrypted) SMTP.

1. To enable this service within your K5 domain, you must first create/request an SMTP username and password using the API:

2. The username and password assigned can later be obtained again using the following command. Note there is only one account per K5 project, and neither the username nor the password can be amended:

3. The username and password can then be used in conjunction with the SMTP service details below to configure your mail client:

SMTP Server: ess-smtp.cloud.nifty.com

Port: TCP 587 (STARTTLS) or TCP 465 (SSL/TLS)

4. For the purpose of validating the connection, you can use an email client such as Mozilla Thunderbird. As Thunderbird requires a valid email account for both sending and receiving emails, you must first configure the client to use an email address such as a Google Mail (Gmail) account. You can then edit the outgoing server details to specify the K5 details above, ensuring your Security Groups/firewalls allow outgoing TCP 587 or TCP 465 (and DNS).

Within ‘Options | Account Settings’ click ‘Manage Identities | Edit’ and update your email address and other details to reference the email address previously verified.

Then select ‘Outgoing Server | Edit’ and update the SMTP server details.

And that is it! When you first send an email, you will be prompted for the SMTP user password. At this point you have the option to store the password, so that you do not have to re-enter it each time you send an email.
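As an added example, not the post's own code or Fujitsu's, the following Python submits mail through the relay details above with smtplib, using only the two encrypted modes the service supports and verifying the relay's certificate before the SMTP account credentials are sent; sender_allowed encodes the verification rule from the API section (an individually verified address, or any address in a verified domain). The addresses, username and password are placeholders you supply from the create-user command.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Relay host and ports from the post; the relay refuses plain SMTP, so port 25 is not offered
SMTP_HOST = "ess-smtp.cloud.nifty.com"
PORTS = {587: "starttls", 465: "ssl"}


def connection_mode(port):
    """Encryption mode the relay expects on this port; anything unencrypted is refused."""
    try:
        return PORTS[port]
    except KeyError:
        raise ValueError(f"port {port} is not an encrypted relay port (use 587 or 465)") from None


def sender_allowed(sender, verified_addresses=(), verified_domains=()):
    """True if the From address was verified individually or belongs to a verified domain."""
    sender = sender.strip().lower()
    if "@" not in sender:
        return False
    domain = sender.rpartition("@")[2]
    return (sender in {a.lower() for a in verified_addresses}
            or domain in {d.lower() for d in verified_domains})


def build_message(sender, recipient, subject, body):
    """Assemble the message; the relay will only accept a verified sender address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_via_relay(msg, username, password, port=587, timeout=30):
    """Submit msg with the SMTP account obtained from the create-user API call.

    The default SSL context verifies the relay's certificate and hostname, so an
    intercepted or downgraded connection fails before the credentials are sent.
    """
    mode = connection_mode(port)
    ctx = ssl.create_default_context()
    if mode == "ssl":
        server = smtplib.SMTP_SSL(SMTP_HOST, port, context=ctx, timeout=timeout)
    else:
        server = smtplib.SMTP(SMTP_HOST, port, timeout=timeout)
        server.starttls(context=ctx)
    with server:
        server.login(username, password)
        return server.send_message(msg)   # empty dict: every recipient was accepted
```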

Introduction to using the K5 IaaS DNS as a Service

In this blog, I’m going to talk you through getting started with using the K5 DNS as a Service. This service provides an environment for running zone management and record management operations via the API, without the need to build and manage your own DNS server.

To get started, you need to own and have registered your own public Domain Name. For the purpose of this blog, I have registered the domain ianpurvis.co.uk with uk.godaddy.com.

Managing DNS Zones

The first thing you need to do is create a new DNS zone within your project using the API. To start, open up your K5 API environment and obtain your authentication token. Next, run the following command to list any/all existing zones for your project:

If this is the first time you have configured DNS, you should see the following information, indicating no zones are present:


Use the following command to create a DNS Zone, substituting “ianpurvis.co.uk” for your registered DNS name:


If successful, the output of this command will include an ‘Unauthorized’ error and a confirmation code that you must use to verify/prove that you are the domain owner. There are two methods for doing this: the first if your domain is not yet managed by any DNS, and the second if it is already managed by a DNS provider. As my domain “ianpurvis.co.uk” is currently managed by GoDaddy, I will use the second method.

This second method requires that you create a DNS TXT record within your existing DNS, so in my case GoDaddy. The value of this TXT record is of the form: nifty-dns-verify=.

e.g. nifty-dns-verify=<RANDOMCHARACTERS>.cdns-verify.nifty.ad.jp

The screenshot below shows how this record is created within GoDaddy:

Once done, running the Create DNS Zone command again should result in output as shown below. For troubleshooting, you can verify what TXT records are being returned for your domain using an online tool such as https://mxtoolbox.com/TXTLookup.aspx or “NSLookup.exe -q=TXT ianpurvis.co.uk”.

Now the DNS zone is verified, you can update the name servers for your existing managed domain to point to the K5 name servers shown above. The screenshot below shows how this is done within GoDaddy, by choosing ‘custom’, entering the name servers and clicking ‘save’ (note this may take up to an hour or two to complete).

Further Information:

For information, the registered DNS zone can be deleted with the following command (substituting “ianpurvis.co.uk” with your own domain name):

Managing Records

Now that the DNS Zone is configured, DNS records can be added to it. To list any existing DNS records, enter the following command (substituting “ianpurvis.co.uk” for your domain):

The following output is displayed for an empty DNS Zone:


To help get you started, the following example shows you how to add basic A, TXT, CNAME and MX records. Remember to substitute your domain for “ianpurvis.co.uk”. I’ll cover more advanced features like Latency-based routing and failover in subsequent blogs.

  • To add an A record, use the following command:

In the above example, I am setting the A record for www.ianpurvis.co.uk to the public IP address of my web server, 62.60.53.77.

  • To add a TXT record, use the following command:

  • To add a CNAME record, use the following command:

  • To add a MX record, use the following command:
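As an added example (not the post's commands, whose bodies are not shown here), the following Python builds the record change request for the four record types above and, by switching the action, the matching delete described under Further Information. It assumes the K5 DNS record API takes a Route 53-style ChangeResourceRecordSetsRequest XML body, which the hostedzone path, XML content type and ‘Action’ wording in this post suggest but which I have not verified against the K5 documentation; the CNAME and MX targets and the TXT value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ZONE = "ianpurvis.co.uk"   # the post's domain; substitute your own


def fqdn(name, zone=ZONE):
    """Absolute DNS name with a trailing dot, as zone data expects."""
    name = name.rstrip(".")
    if name == zone or name.endswith("." + zone):
        return name + "."
    return f"{name}.{zone}."


def record_change(action, name, rtype, values, ttl=300):
    """One <Change>; action is CREATE, or DELETE to remove the same record again."""
    if action not in ("CREATE", "DELETE"):
        raise ValueError("action must be CREATE or DELETE")
    if rtype == "TXT":      # TXT data is carried quoted
        values = [v if v.startswith('"') else f'"{v}"' for v in values]
    elif rtype == "CNAME":  # targets are absolute names
        values = [fqdn(v) for v in values]
    elif rtype == "MX":     # "<priority> <mailhost>"
        values = [f"{v.split()[0]} {fqdn(v.split()[1])}" for v in values]
    change = ET.Element("Change")
    ET.SubElement(change, "Action").text = action
    rrset = ET.SubElement(change, "ResourceRecordSet")
    ET.SubElement(rrset, "Name").text = fqdn(name)
    ET.SubElement(rrset, "Type").text = rtype
    ET.SubElement(rrset, "TTL").text = str(ttl)
    records = ET.SubElement(rrset, "ResourceRecords")
    for value in values:
        ET.SubElement(ET.SubElement(records, "ResourceRecord"), "Value").text = value
    return change


def change_request(changes):
    """Wrap <Change> elements in the request document sent to the zone's record endpoint."""
    root = ET.Element("ChangeResourceRecordSetsRequest")
    changes_el = ET.SubElement(ET.SubElement(root, "ChangeBatch"), "Changes")
    changes_el.extend(changes)
    return ET.tostring(root, encoding="unicode")


def summarize(xml_text):
    """Read a request back as (action, name, type, values) tuples, to review before submitting."""
    root = ET.fromstring(xml_text)
    return [(c.findtext("Action"), c.findtext("ResourceRecordSet/Name"),
             c.findtext("ResourceRecordSet/Type"),
             [v.text for v in c.findall("ResourceRecordSet/ResourceRecords/ResourceRecord/Value")])
            for c in root.findall("ChangeBatch/Changes/Change")]


def post_records(action="CREATE"):
    """The four record types the post adds; pass "DELETE" to build the matching removal."""
    return change_request([
        record_change(action, "www", "A", ["62.60.53.77"]),
        record_change(action, "_niftycloudess", "TXT", ["<INSERT YOUR TOKEN HERE>"]),
        record_change(action, "mail", "CNAME", ["www"]),   # constructed target
        record_change(action, ZONE, "MX", ["10 mail"]),    # constructed target
    ])
```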

Further Information:

To delete a particular record, resubmit the same command only this time change the Action to Delete:
e.g.

The entire DNS zone can be deleted with the following command:

curl -X DELETE $DNS/v1.0/hostedzone/<DOMAIN NAME> -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/xml" | xmllint --format -