Version: 4.3

Local admin

Local admin configuration

The DD Engine system has two separated console interfaces called Local admin, one for the Upstream DD Engine and one for the Downstream DD Engine. They are both accessed and managed in the same manner.

Access Local admin

To access Local admin, follow the instructions below.

Connect to Local admin

Step 1Step 2Step 3

Connect a keyboard and display to the DD Engine device.
Power on the DD Engine device.
When the login prompt is displayed, log in using
Username: admin
Password: default password set during firmware installation or if it has been changed using Local admin, see Admin password.

note

When making changes in Local admin, settings are only applied to the connected DD Engine.

Once logged in, the following main menu options are displayed:

Device configuration...
Admin password...
Date and time...
Export device logs...
View third-party licenses...
Factory reset...

note

When making changes in Local admin, previously configured and operational services might temporarily pause data transfer but will be resumed as quickly as possible.

Required settings at initial setup

When setting up Dd Engine for the first time it is required to set Certificate configuration.

Before using the DD Engine in an operational environment, it is highly recommended to also set:

IP addresses
Diode transfer configuration
Admin password
Date and time

Device configuration

Device configuration includes settings for IP addresses, DNS, diode transfer configuration, certificates for DD Manager communication and hostname. Applying the configuration takes several minutes and therefore it is encouraged to first make all changes in the submenus before selecting Save.

IP configuration

In IP configuration..., interfaces and IP addresses for Admin, Data and the Data Diode can be viewed and changed. It is required to configure the interface parameters and highly recommended to set customized IP addresses. The IP address set for ADMIN will be used to access the DD Manager. The interfaces defines which information will be sent through which port, this must map to how the system was set up, see Connecting cables. The IP set for Admin will be used by a client to access the DD Manager. The IP set for Data will be used when transferring data over the diode. DNS can be configured to resolve hostnames into IP addresses.

Default IP addresses are:

Upstream Admin: 192.168.0.100
Upstream Data: 192.168.1.100
Downstream Admin: 192.168.0.101
Downstream Data: 192.168.1.101

IP configuration of IP addresses, default gateways and DNS servers

Step 1Step 2Step 3Step 4Step 5Step 6Step 7Step 8Step 9

Select Device configuration... from the DD Engine Upstream or Downstream Configuration menu.
Select IP configuration... from the DD Engine Device Configuration menu.
The current configuration for the Admin, Data and Data Diode interfaces are displayed. Click Select interface... and define interfaces to match the actual network ports and how they will be connected.
The current IP addresses of the Admin and Data interfaces are displayed. Enter IP addresses and subnet masks on the format [IP address]/[subnet mask].
If Default gateway is enabled, the configured values for the Admin and Data interfaces are displayed. Enter any gateways to be used.
If Primary DNS server is enabled, the configured values for the Admin and Data interfaces are displayed. Enter the IP addresses of any DNS servers to be used.
To enable advanced options for the Data Diode interface, follow the instructions under Configure Advanced Interface.
Select Confirm to confirm the new IP address, gateways and DNS server.
Once all settings are confirmed for Device configuration..., select Save to apply changes. This will take several minutes.

warning

It is recommended that all default IP addresses are changed before connecting the DD Engine in an operational environment.

DNS configuration

DNS servers are used to resolve hostnames into IP addresses. The data interface DNS setting is used to configure the DNS server used by services. Without a configured DNS server, services will be unable to resolve hostnames. The admin interface DNS setting is used to configure the DNS server used by the non-service functionality of the device, e.g., remote logging. Without a configured DNS server, these functions will be unable to resolve hostnames.

When attempting to resolve a hostname, the primary DNS server will be tried first. If it's unreachable, the secondary DNS server, if configured, will be tried instead.

Configure Advanced Interface

When enabling Configure Advanced Interface, it allows control of some parameters which are otherwise given default values. If a field is left empty, the default value will be applied. The parameters are the following:

Upstream

IP Address: Sets the IP address and subnet on the Upstream OUT interface. Defaults to 203.0.113.2/25.
Destination IP Address: The IP address on the Downstream IN interface. Must match the assigned value on the Downstream DD Engine. Defaults to 203.0.113.1.
Destination MAC Address: The MAC address on the Downstream IN interface. Must match the assigned value on the Downstream DD Engine. Defaults to 0e:c4:7a:00:00:01.
MTU: Sets the minimum MTU, must match the assigned value on the Downstream DD Engine and is dependent of the host machine hardware. Defaults to 9000.

Downstream

IP Address: Sets the IP address and subnet on the Downstream IN interface. Defaults to 203.0.113.1/25.
MAC Address: Sets the MAC address on the Downstream IN interface. Defaults to 0e:c4:7a:00:00:01.
MTU: Sets the minimum MTU, must match the assigned value on the Upstream DD Engine and is dependent of the host machine hardware. Defaults to 9000.

warning

If the host machine hardware does not allow changes of the MAC address, the configuration must match the hardware default values. The currently configured MAC address is visible in the interface settings.

Diode transfer configuration

In Diode transfer configuration it is possible to configure throughput, forward error correction and encryption. The default parameters are the following:

Max throughput: 950
Forward error correction: 0
Encryption: false

Diode transfer configuration

Step 1Step 2Step 3Step 4Step 5Step 6Step 7Step 8

Select Device configuration... from the DD Engine Upstream or Downstream Configuration menu.
Select Diode transfer configuration... from the DD Engine Device Configuration menu.
The Diode Transfer Configuration view is displayed, showing the active configuration.
Set Max throughput to a value between 0-10000 Mb/s. This will set the maximum speed through the Data Diode. A value of 0 results in no speed limit.
note
Not having a speed limit configured may result in packet loss.

Max throughput should be set to a value slightly lower than link speed for the setup.
Set Forward error correction to a desired percentage. A greater value results in a higher probability of successful data transfer. The configured value must match on Upstream and Downstream DD Engines.
Enable Encryption to protect the data in transfer. When prompted, enter an encryption password. The encryption password must match between Upstream and Downstream DD Engines.
note
The enabled or disabled setting for encryption must match on both Upstream and Downstream DD Engines. If enabled, the encryption password must match on both DD Engines.
Select Confirm.
Once all settings are confirmed for Device configuration..., select Save to apply changes. This will take several minutes.

Certificate configuration

In Certificate configuration..., certificates and keys needed for DD Manager access can be uploaded.

See Certificates for information about certificate generation.

note

Authentication by certificates and keys is required. Without certificates and keys, the DD Engine cannot be remotely configured.

Upload certifications and keys

Step 1Step 2Step 3Step 4Step 5Step 6Step 7Step 8Step 9

Create Certificates and make them available on a USB drive connected to the correct DD Engine side.
Select Device configuration... from the DD Engine Upstream or Downstream Configuration menu.
Select Certificate configuration... from the DD Engine Device Configuration menu.
The Certificate Configuration view is displayed, listing required certificates and keys.
Select Select file under Client CA and locate the CA certificate that will be used to verify client certificates. The selected .crt file name will be displayed after Selected:.
Select Select file under Certificate and locate the Server certificate that will be presented to clients. The selected .crt file name will be displayed after Selected:.
Select Select file under Key and locate the key that corresponds with the selected Server certificate. The selected .key file name will be displayed after Selected:.
Select Confirm to save selected certificates and files.
Once all settings are confirmed for Device configuration..., select Save to apply changes. This will take several minutes.

Hostname configuration

In Hostname configuration..., the hostname used for identification of the device can be viewed and changed.

The default hostnames are:

Upstream: ddengine-upstream
Downstream: ddengine-downstream

Change hostname

Step 1Step 2Step 3Step 4Step 5

Select Device configuration... from the DD Engine Upstream or Downstream Configuration menu.
Select Hostname configuration... from the DD Engine Device Configuration menu.
The current hostname is displayed. Enter a new hostname to be used.
Select Confirm to confirm the new hostname.
Once all settings are confirmed for Device configuration..., select Save to apply changes. This will take several minutes.

Location configuration

In Location configuration, a user-defined text identifying the physical location of the device can be viewed and changed. By default, the location text is empty. If SNMP is enabled (see Monitoring), the location is available at the sysLocation object (OID .1.3.6.1.2.1.1.6.0). If the location text is empty, the sysLocation object will contain "Unknown".

Change location

Step 1Step 2Step 3Step 4Step 5

Select Device configuration... from the DD Engine Upstream or Downstream Configuration menu.
Select Location configuration... from the DD Engine Device Configuration menu.
The current location is displayed. Enter a new location to be used.
Select Confirm to confirm the new location.
Once all settings are confirmed for Device configuration..., select Save to apply changes. This will take several minutes.

Access control configuration

LDAP Access control must be configured using Local admin.

Admin password

In Admin password... the administrator can change the password used for administrator access to the Local admin.

The default password was set during firmware installation.

Change administrator password

Step 1Step 2Step 3Step 4Step 5

Select Admin password... from the DD Engine Upstream or Downstream Configuration menu.
The Change Admin Password view is displayed. Enter the Current password.
Enter the New password.
Repeat the new password in Reenter new password.
Select Confirm to save the new password.

Date and time

Date and time... is used to change the system time used throughout the system for logs and certificate validation.

Change date and time

Step 1Step 2Step 3Step 4Step 5

Select Date and time... from the DD Engine Upstream or Downstream Configuration menu.
The Set date and time view is displayed.
The current date is displayed. Enter new date in format yyyy-mm-dd.
The current time is displayed. Enter the time in format hh-mm-ss.
Select Confirm to save the new date and time.

Export device logs

Export device logs... is used to copy generated log events, stored on the device, to a USB drive for further analysis on a separate Linux platform. Log events can be both system and service generated. The logs are exported to a .journal file.

note

When exporting device logs, a USB drive with minimum 16 GB is required.

Export logs

Step 1Step 2Step 3Step 4Step 5

Insert a USB drive in one of the USB ports on the DD Engine host machine.
Select Export device logs... from the DD Engine Upstream or Downstream Configuration menu.
Select the USB drive from the displayed list.
Select Confirm to copy log events to the USB drive. This can take several minutes.
When the log events have been copied successfully, a confirmation message is displayed, presenting the filename containing the log events on format [hostname]_[date]_[time].journal .

View third party licenses

View third party licenses... makes all included licenses available in a list.

To view third party licenses, perform the following step:

View third party licenses

Step 1Step 2Step 3

Select View third party licenses... from the DD Engine Upstream or Downstream Configuration menu.
The third party licenses text is displayed. Scroll the text using the Arrow UP and DOWN keys.
Select Close to return to the DD Engine Upstream or Downstream Configuration menu.

Factory reset

Factory reset... allows for a full reset of the DD Engine. All settings will fall back to default values but the firmware will stay on the latest installed version. The action will reset all configuration of the device, including uploaded certificates, services and passwords.

Factory reset

Step 1Step 2

Step 1
Select Factory reset... from the DD Engine Upstream or Downstream Configuration menu.
Step 2
A Factory Reset confirmation message is displayed. Select Confirm to trigger the factory reset process. The process may take several minutes.

Local admin configuration​

Access Local admin​

Required settings at initial setup​

Device configuration​

IP configuration​

DNS configuration​

Configure Advanced Interface​

Diode transfer configuration​

Certificate configuration​

Hostname configuration​

Location configuration​

Access control configuration​

Admin password​

Date and time​

Export device logs​

View third party licenses​

Factory reset​

Local admin configuration

Access Local admin

Required settings at initial setup

Device configuration

IP configuration

DNS configuration

Configure Advanced Interface

Diode transfer configuration

Certificate configuration

Hostname configuration

Location configuration

Access control configuration

Admin password

Date and time

Export device logs

View third party licenses

Factory reset