NSS - yusukew62/docs GitHub Wiki
ZIA の NSS 仮想アプライアンス（ZscalerOS-R24）を VMware 上にデプロイし、初期設定から疎通確認・サービス起動までを行った検証結果をまとめる。
ZIA から OVF をダウンロードし、VMware へデプロイする。デプロイ後は zsroot でログインし、`sudo su` で root に昇格してから `nss` コマンドで設定を行った（以下はその作業ログ）。

検証ログから読み取れる注意点:
- `nss configure` では管理インターフェース（em0）とサービスインターフェース（em1）の両方に同じアドレス 192.168.1.111/24 と同じデフォルトゲートウェイ 192.168.1.1 を与えている。`ifconfig` を見ると em1 には UP フラグもアドレスも付かず、サービス側は smsm（PID 3130）が開いている tap1 経由で動いているように見える。今回の検証用としては動作したが、本番では管理用と SIEM 向けサービス用のセグメント・アドレスを分ける前提で、この同一 IP 構成が意図どおりか確認すること。
- 証明書バンドル `/usr/home/zsroot/NssCertificate.zip` は `-rw-r--r--`（全ユーザが読み取り可）のままホームディレクトリに残っている。インストール後の `sc.conf` は `/sc/conf/zscaler_nss_key.key` を参照しており、バンドルには秘密鍵が含まれていると考えられるため、`nss install-cert` が成功したら ZIP は削除するか、少なくとも権限を `600` に絞ること。
- `nss update-now` / `nss checkversion` は更新サーバ 104.129.193.117 へ直接接続する。アウトバウンド通信を制限している環境では、このサーバへの到達を許可しておくこと（アドレスは変わりうるので、固定値で運用せず Zscaler 側の公開情報で都度確認するのが望ましい）。
- `nss dump-config` の `Routes for Siem N/w:` は空のままである。SIEM が管理/サービスセグメントと別ネットワークにある場合は、ここに経路を追加する必要があると思われる。
- `/sc/conf/sc.conf` では `tls1_disable=1`（TLS 1.0 無効）と `internal_server_cert_verify=1`（サーバ証明書の検証あり）が既定で入っている。トラブルシュートの際にこれらを緩めないこと。また `sm_port=9430` / `ssl_port=9431` / `ca_port=9422` が設定されているので、これらのポートをどのインターフェースで使うかを確認し、管理インターフェース側に不要な到達経路を残さないようにすること。
##############################################################
### ###
### Only authorized users are allowed to login into ###
### this machine! ###
### ###
##############################################################
Last login: Mon Dec 6 07:10:41 2021 from 192.168.1.4
##############################################################
### ###
### ZscalerOS-R24 ZSCALER(tm) PRODUCTION ###
### ###
### Only authorized users are allowed to login into ###
### this proprietary Zscaler machine! ###
### ###
##############################################################
[zsroot@ ~]$
[zsroot@ ~]$ sudo su
Password:
[root@ /usr/home/zsroot]# cd
[root@ ~]# nss configure
nameserver:192.168.1.1 (Options <c:change, d:delete, n:no change>) [n]
Do you wish to add a new nameserver? <n:no y:yes> [n]:
ifconfig_em0 (Management interface IP address with netmask) [192.168.1.111/24]:
defaultrouter (Mangement interface default gateway IP address) [192.168.1.1]:
smnet_dev=em1 (Service interface IP address with netmask) [192.168.1.111/24]:
smnet_dflt_gw (Service interface default gateway IP address) [192.168.1.1]:
[root@ ~]# ls -l /usr/home/zsroot/NssCertificate.zip
-rw-r--r-- 1 zsroot zsroot 3382 Nov 30 01:19 /usr/home/zsroot/NssCertificate.zip
[root@ ~]# nss install-cert
Please enter complete path to the certificate bundle(.zip): /usr/home/zsroot/NssCertificate.zip
Certificates successfully installed
[root@ ~]# nss dump-config
Configured Values:
CloudName:zscalerthree.net
nameserver:192.168.1.1
Mgmt IP:192.168.1.111/24
Default gateway for Mgmt IP:192.168.1.1
Internal Mgmt IP:
route_net:
Service IP Address:em1=zs0:192.168.1.111/24
Default gateway for Service IP:192.168.1.1
Routes for Siem N/w:
[root@ ~]# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 192.168.1.1 UGS em0
127.0.0.1 lo0 UHS lo0
192.168.1.0/24 link#1 U em0
192.168.1.111 link#1 UHS lo0
Internet6:
Destination Gateway Flags Netif Expire
::/96 ::1 UGRS lo0
::1 lo0 UHS lo0
::ffff:0.0.0.0/96 ::1 UGRS lo0
fe80::/10 ::1 UGRS lo0
fe80::%lo0/64 link#3 U lo0
fe80::1%lo0 link#3 UHS lo0
ff02::/16 ::1 UGRS lo0
[root@ ~]# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.572 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.577 ms
^C
--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.572/0.575/0.577/0.002 ms
[root@ ~]# nss update-now
Connecting to server...
Connecting to update server 104.129.193.117.
Installed build version: 302945
Latest available build version: 302945
Build file is up-to-date
Checking if installation required...
Service is up-to-date.
[root@ ~]# nss checkversion
Connecting to server...
Connecting to update server 104.129.193.117.
Installed build version: 302945
Latest available build version: 302945
[root@ ~]# nss enable-autostart
Auto-start of NSS enabled
[root@ ~]# nss status
NSS service not running
[root@ ~]# nss start
NSS service running with pid 3130
[root@ ~]# nss status
NSS service running with pid 3130
[root@ ~]# ps auxww | grep -v grep | grep 3130
root 3130 0.0 14.9 1758600 622524 - Ss 07:24 0:00.31 /sc/bin/smsm @/sc/conf/sc.conf,SMSM --daemon --pid_file /sc/log/smsm.pid
[root@ ~]# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:b7:5b:b8
hwaddr 00:0c:29:b7:5b:b8
inet 192.168.1.111 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:b7:5b:c2
hwaddr 00:0c:29:b7:5b:c2
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
enc0: flags=0<> metric 0 mtu 1536
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
groups: enc
tap1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
ether 00:bd:1a:0b:02:01
hwaddr 00:bd:1a:0b:02:01
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: active
groups: tap
Opened by PID 3130
[root@ ~]# less /sc/conf/sc.conf
[SMSM]
sm_port=9430
ssl_port=9431
dnsr_enable=1
nss_node=1
ca_port=9422
ssl_enable_ca=1
log_dir=/sc/log/weblog/
smcaclientcert=/sc/conf/zscaler_nss_certificate.crt
smcaclientkey=/sc/conf/zscaler_nss_key.key
smnet_dev=em1=zs0:192.168.1.111/24
smnet_dflt_gw=192.168.1.1
smnet_pktdev=/dev/tap1
tls1_disable=1
[-end-of-SMSM-]
[SMCDSC]
serv_port=443
internal_server_cert_verify=1
smcaclientcert=/sc/conf/zscaler_nss_certificate.crt
smcaclientkey=/sc/conf/zscaler_nss_key.key
dnsr_enable=1
is_nss_node=1
pid_file=/sc/log/smcdsc.pid
tls1_disable=1
[-end-of-SMCDSC-]