How-To Guide Onboarding Your Linux Computer

Use this document for instructions to onboard your Linux computer into the Viasat environment. Once onboarded, you will
be able to access Viasat corporate resources, applications, and remotely connect to the Viasat network from your Linux
computer.

NOTE: This entire process can take up to 3 days depending on how quickly service requests are processed. Please be
patient!

This document provides instructions for the following:

• Before You Continue
• Downloading and Installing Microsoft Defender ATP
• Installing Viasat Certificates
o Download and Install Certificates
o Import SSL Certificates for Browsers Manually
• Using the Cisco AnyConnect VPN Client
o Download and Install Cisco AnyConnect
o Generate a Certificate Signing Request (CSR)
o Connect to the Provisioning VPN Profile
• Enrolling and Installing Viasat Device Certificates
o Complete the CSR Enrollment Request
o Download the Certificate
o Save the Certificate Keys
• Connecting to the Viasat Corporate VPN Profiles
• Enabling Linux Device Management
o Configure Linux AWX
o Submit Linux AWX Onboarding Request in Slack
o Confirm the Playbook Successfully Completes
• Finishing the Onboarding
• Additional Services
• Resources

Before You Continue


Before you can complete the onboarding, you need the following:

• Your Viasat username
• Your Viasat password
• Your Viasat email address
• Have your Viasat account enrolled in Duo Security multi-factor authentication (MFA)

If you need assistance with your credentials or with your Duo Security MFA enrollment, contact the Viasat IT Service Desk
at [email protected].

Lastly, ensure your Linux computer is plugged into a power source during the setup process.

#help-it [email protected]
760.476.2345 (toll-free 866.894.1805) Mon—Fri 4:00am to 7:00pm PT
Downloading and Installing Microsoft Defender ATP
To get started, you must download and install Microsoft Defender Advanced Threat Protection (ATP), which is the
anti-virus solution for Viasat.

For reference information, see the Deploy Microsoft Defender on Linux Manually article on the Microsoft Support site.

IMPORTANT: Ensure your Linux computer is plugged into a power source during the setup process!

To access the Microsoft Defender ATP package:

1. On your computer, open a command window.
2. Run the command:
sudo apt-get install curl libplist-utils gpg apt-transport-https
3. Run the following command, but change ubuntu and 18.04 to the appropriate distro and version:
curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/prod.list
4. Run the command:
sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-prod.list
5. Run the command:
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
6. Run the command: sudo apt-get update
7. Run the command: sudo apt-get install mdatp
8. Download the ATP onboarding package from
https://viasatinc.sharepoint.com/sites/Connect/atp/Forms/AllItems.aspx.
9. Unzip the package.
10. Run the following Python command as root: python MicrosoftDefenderATPOnboardingLinuxServer.py

Installing Viasat Certificates


Once you have downloaded and installed the Microsoft Defender ATP package, you can install the Viasat certificates
needed to access the corporate network and resources.

Download and Install Certificates


To download and install the certificates:

1. Download the certificates from the following links:
• http://crl.viasat.com/crl/vcasha2cap06.hq.corp.viasat.com_Viasat%20SHA%202%20CA-6.crt
• http://crl.viasat.com/crl/VCAROOTCA-2_Viasat%20SHA%202%20Root%20CA.crt
2. Open a command window.
3. Convert the files from DER to PEM using the following OpenSSL commands:
• openssl x509 -in VCAROOTCA-2_Viasat\ SHA\ 2\ Root\ CA.crt -inform DER -out VCAROOTCA-2_Viasat\ SHA\ 2\ Root\ CA.cer -outform PEM
• openssl x509 -in vcasha2cap06.hq.corp.viasat.com_Viasat\ SHA\ 2\ CA-6.crt -inform DER -out vcasha2cap06.hq.corp.viasat.com_Viasat\ SHA\ 2\ CA-6.cer -outform PEM
4. Manually copy them into the local machine store for CA certificates:
• cp vcasha2cap06.hq.corp.viasat.com_Viasat\ SHA\ 2\ CA-6.cer /usr/local/share/ca-certificates/vcasha2cap06.hq.corp.viasat.com_Viasat\ SHA\ 2\ CA-6.crt
• cp VCAROOTCA-2_Viasat\ SHA\ 2\ Root\ CA.cer /usr/local/share/ca-certificates/VCAROOTCA-2_Viasat\ SHA\ 2\ Root\ CA.crt
5. Update the CA certificate system database using this command: sudo update-ca-certificates
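
The CA files in step 1 are fetched over plain HTTP, so a fingerprint comparison before step 5 is what ties them to the real Viasat CAs. The following is an added example, not part of the original guide: the function names and the self-signed test certificate are constructed for illustration, and the expected fingerprint is assumed to come from IT over a separate channel.

```shell
#!/bin/sh
# Added example: compare a CA certificate's SHA-256 fingerprint with an
# expected value before copying it into /usr/local/share/ca-certificates.

# Print the SHA-256 fingerprint as lowercase hex without colons.
# Accepts DER (as downloaded in step 1) or PEM (as produced in step 3).
cert_sha256() {
    fp=$(openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 2>/dev/null) ||
    fp=$(openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256 2>/dev/null) ||
    return 2
    printf '%s\n' "${fp#*=}" | tr -d ':' | tr 'A-F' 'a-f'
}

# Return 0 only if the fingerprint equals EXPECTED (colons and case ignored),
# 1 on mismatch, 2 if the file cannot be parsed as a certificate.
verify_ca() {   # usage: verify_ca FILE EXPECTED
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    got=$(cert_sha256 "$1") || { echo "unreadable certificate: $1" >&2; return 2; }
    [ "$got" = "$want" ] && return 0
    echo "fingerprint mismatch for $1: got $got" >&2
    return 1
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed stand-in for a downloaded CA file (self-signed, DER encoded).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/Test Root CA.crt"
    # In real use this value is the fingerprint supplied out of band.
    expected=$(cert_sha256 "$dir/ca.pem")
    verify_ca "$dir/Test Root CA.crt" "$expected" && echo "fingerprint OK"
    verify_ca "$dir/Test Root CA.crt" "00:11:22" || echo "mismatch: do not install"
    rm -rf "$dir"
}
demo
```

Run verify_ca against each downloaded .crt file and continue to update-ca-certificates only when it returns 0.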

Import SSL Certificates for Browsers Manually


Even after you install these certificates in the system store, your browsers will not recognize the SSL certificates.
You need to import them into each browser manually.

To import the SSL certificates for your browser:

Mozilla Firefox

1. Launch Firefox.
2. Type the following in the URL bar: about:preferences#privacy
3. Click View Certificates.
4. Select the Authorities tab.
5. Click Import.

Google Chrome

1. Launch Chrome.
2. Type the following in the URL bar: chrome://settings/certificates
3. Click on the Authorities tab.
4. Click Import.

Using the Cisco AnyConnect VPN Client


You need the Cisco AnyConnect VPN client to connect to the Viasat provisioning VPN profile and begin the certificate
request process. Once you have the necessary certificates, you will use the AnyConnect VPN client to connect to the
Viasat network remotely.

Download and Install Cisco AnyConnect


To install Cisco AnyConnect:

1. Navigate to https://viasatinc.sharepoint.com/sites/Connect/atp/Forms/AllItems.aspx.
2. Click on the anyconnect-linux64-4.10.05095-predeploy-k9.tar.gz file. The package begins downloading.
3. Complete the instructions in this Cisco Support article.
NOTE: Start at Step 4 in the support article (we are providing the installation file).

Generate a Certificate Signing Request (CSR)
To complete the process, you need to generate a CSR, which you will need to receive the necessary certificates.

To generate a CSR:

1. Open a shell command window and enter:
openssl req -nodes -sha256 -newkey rsa:2048 -keyout myclient.key -out myclient_csr.txt
2. Enter the following details (in bold) in the output to complete the request:
• Country Name (2 letter code) [AU]:BR
• State or Province Name (full name) [Some-State]:Sao Paulo
• Locality Name (eg, city) []:Sao Paulo
• Organization Name (eg, company) [Internet Widgits Pty Ltd]:Viasat, Inc.
• Organizational Unit Name (eg, section) []:Linux User
• Common Name (e.g. server FQDN or YOUR name) []:your_os_host_name.rig.net
• Email Address []:[email protected]
3. Leave the following attributes blank:
• A challenge password []: LEAVE ME BLANK
• An optional company name []: LEAVE ME BLANK

Now you can connect to the provisioning VPN profile.

Connect to the Provisioning VPN Profile


After generating the CSR, you need to connect to the provisioning VPN profile in the Cisco AnyConnect client.

To connect to the provisioning VPN profile:

NOTE: Connecting to a VPN profile may trigger an update to the AnyConnect client. Once updated, you may need to
re-enter your credentials to connect.

1. Launch the Cisco AnyConnect VPN client.


2. Connect to hawk.viasat.com/provisioning.
3. Enter your Viasat username and password.
4. In the Second Password/Passcode field, enter a Duo Security MFA passcode from the mobile app or enter
push to receive a push notification to authenticate.
NOTE: You must already have your Viasat corporate account enrolled in Duo Security MFA to connect to the
VPN. For instructions, see Enrolling in Duo Security Multi-Factor Authentication (MFA) on the RigNet SharePoint
site.

IMPORTANT: Once you complete authentication and connect to the provisioning VPN, your network routes will not work
for some domains and websites like google.com. This means that you will need to disconnect from the hawk.viasat.com
VPN whenever you need to access resources from the internet (such as search results for technical questions) and then
reconnect once you have the resources you need.

Once connected to the provisioning VPN, you can complete the CSR enrollment.

Enrolling and Installing Viasat Device Certificates


Now that you have access to the Viasat provisioning VPN, you can enroll and install the device certificates needed.

Complete the CSR Enrollment Request


To complete the CSR enrollment request:

1. Ensure you are connected to the hawk.viasat.com/provisioning VPN profile in the Cisco AnyConnect client.
2. In a browser, navigate to https://keyfactor.viasat.com.
3. Enter your Viasat username and password in the respective fields.
4. In the Duo Pin field, enter a passcode from the Duo Mobile app or enter push to receive a push notification to
your mobile device to complete MFA.
5. Click Logon.

6. On the home page, navigate to Certificate Enrollment > CSR Enrollment.

7. On the CSR Enrollment screen, select the TLSAppCert-2021 template from the Template drop-down menu.
NOTE: the Certificate Authority field auto-populates based on your selection.

8. On the CSR Content tab, copy and paste the contents of your previously generated CSR (see Generate a
Certificate Signing Request (CSR)).

9. Complete the following certificate metadata fields:


• Email-contact: enter your Viasat email address
• Group-EmailAddress: enter a secondary email address if applicable or re-enter your Viasat email
address
• Business-Unit: enter your team or department at Viasat
• Applications: if required, select Linux Web App
• Subject Alternate Names: leave blank
• Certificate Format: select Base64 or DER
10. Click Enroll to submit your request.
11. Disconnect from the provisioning VPN in Cisco AnyConnect.

IMPORTANT! Within 24 hours, you will receive an email notification from Keyfactor with your generated certificate. You
cannot continue until you receive this certificate email.

Download the Certificate


After you receive the email confirmation that your certificate has been generated, continue with the following procedure to
download that certificate from Keyfactor.

To download the certificate:

1. Reconnect to the provisioning VPN profile in Cisco AnyConnect.


2. In a browser, navigate to https://keyfactor.viasat.com.
NOTE: If your browser cannot connect, clear the browser cache.

3. Log in using your Viasat username and password and complete Duo Security MFA (follow Step 3 through Step 5
in Complete the CSR Enrollment Request).
4. On the home page, navigate to Certificates > My Certs.
5. Right-click on the new certificate to download it.

6. In the Download Certificate window, check Include Chain if you need the CA chaining certs for your certificate.
7. Ensure PEM is selected as the Format.
8. Click Download. The certificate downloads.

Once downloaded, you must save the certificate keys in the appropriate directories.

Save the Certificate Keys


To save the certificate keys:

1. Once the certificate is downloaded, disconnect from the provisioning VPN in Cisco AnyConnect.
2. Place the CER file in ~/.cisco/certificates/client/
3. Rename the file to myclient.pem.
4. Ensure your private key is in the following folder under your Home directory:
~/.cisco/certificates/client/private/
NOTE: Create the directory if it does not already exist.

5. Ensure your public key is in the following folder under your Home directory:
~/.cisco/certificates/client/
NOTE: Create the directory if it does not already exist.

With your certificate keys in the appropriate directories, you can now connect to the Viasat corporate network VPN
profiles.
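
Before connecting, it is worth confirming that the CSR from Generate a Certificate Signing Request (CSR) and the certificate placed in Save the Certificate Keys both carry the public key of myclient.key, and that the key file is readable only by you. The following is an added example, not part of the original guide: the function names are hypothetical, and the key, CSR and certificates are constructed in a temporary directory with a self-signed certificate standing in for the one issued by Keyfactor.

```shell
#!/bin/sh
# Added example: check that a CSR or certificate belongs to a private key,
# then restrict permissions on the key file and its directory.

# Print the PEM public key carried by a private key, CSR or certificate.
pubkey_of() {   # usage: pubkey_of key|csr|cert FILE
    case "$1" in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr)  openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# Return 0 if FILE carries the public key of KEYFILE, 1 if it does not,
# 2 if either file is missing or cannot be parsed.
same_key() {    # usage: same_key csr|cert FILE KEYFILE
    a=$(pubkey_of "$1" "$2") && [ -n "$a" ] || return 2
    b=$(pubkey_of key "$3")  && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Owner-only access to the private key and the directory that holds it.
lock_down_key() {   # usage: lock_down_key KEYFILE
    chmod 700 "$(dirname "$1")" && chmod 600 "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/client/private"
    key="$d/client/private/myclient.key"; csr="$d/myclient_csr.txt"
    # Constructed material: the guide's openssl req command plus -subj.
    openssl req -nodes -sha256 -newkey rsa:2048 -keyout "$key" -out "$csr" \
        -subj "/O=Example/OU=Linux User/CN=host.example.test" 2>/dev/null
    # Self-signed stand-in for the certificate issued from the CSR.
    openssl x509 -req -in "$csr" -signkey "$key" -days 1 \
        -out "$d/client/myclient.pem" 2>/dev/null
    # Certificate for an unrelated key: the mix-up this check catches.
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=other" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    same_key csr  "$csr" "$key"                   && echo "CSR matches key"
    same_key cert "$d/client/myclient.pem" "$key" && echo "certificate matches key"
    same_key cert "$d/other.pem" "$key"           || echo "other.pem does not match key"
    lock_down_key "$key" && ls -l "$key"
    rm -rf "$d"
}
demo
```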

Connecting to the Viasat Corporate VPN Profiles


Once you have all certificates, you can access the necessary VPN profiles to connect to the Viasat corporate network.

To connect to the Viasat corporate VPN profiles:

1. Relaunch the Cisco AnyConnect VPN client.


2. Enter harrier.viasat.com in the drop-down list. The corporate VPN profiles begin installing.
3. Once installed, select the Viasat Corporate VPN profile from the drop-down list.
4. Click Connect.
5. In the Groups field, Viasat Employees may already be selected by default; if it is not, select the available option.
6. Enter your Viasat username and password.
7. In the Second Password/Passcode field, enter a Duo Security MFA passcode from the mobile app or enter
push to receive a push notification to authenticate.

Once authenticated, you are connected to the Viasat corporate network.

Enabling Linux Device Management


Device management is required to provide the most robust access to resources on the Viasat network. This means your
computer needs to be enrolled in the Viasat AWX management platform.

IMPORTANT: To complete this task successfully, you must be on a stable VPN connection to the Viasat corporate
network. If you lose connectivity during this process, it may have unpredictable results.

Configure Linux AWX


To configure Linux AWX:

1. On your computer, open a command window.


2. Enter the following command to add the user account and then press the Enter key:
sudo adduser awx
3. When prompted, enter the password Viasat123! and press the Enter key.
4. Continue pressing the Enter key through the rest of the prompts.
5. Enter the following command to add the user account to the sudo group: sudo usermod -aG sudo awx
6. Enter the following command to install the SSH server: sudo apt install -y ssh

This completes the running of the playbook. The next step is to provide information to the AWX-Bot in Slack.

Submit Linux AWX Onboarding Request in Slack


You must submit a request through the Slack channel of the Viasat Desktop Architecture team.

Logging In to Slack

As a reminder, Slack is the unified collaboration solution for Viasat, and it is used across the enterprise. Think of Slack as
a collaboration hub where you and your team can work together to get things done.

Viasat has two workspaces in Slack:

• Viasat Global - this is where all business-related collaboration and communications take place. Company-wide
announcements are communicated here, and it provides segment, domain, and product teams with a place to
collaborate.

• Viasat Social - this is where all social chatter takes place. It provides you with a place to connect, build rapport
around common interests, and promotes camaraderie.

If you do not already have the Slack desktop app installed on your Linux computer, install it from here:
https://slack.com/downloads/linux.

To log in to Slack, review the following guides on the RigNet SharePoint site:

• How-To Guide Signing In to Slack (Browser)


• How-To Guide Signing In to Slack Desktop App

Once you are logged in to Slack, you can submit a Linux AWX onboarding request.

Submitting a Linux AWX Onboarding Request

To submit a Linux AWX onboarding request:

1. In Slack, join the #it-desktop-architecture channel in the Viasat Global workspace.


2. In the message field, type /awx-new and press the Enter key.
3. In the form that displays, enter the following information:
a. Your Viasat username (or the Viasat username of the primary user of the Linux computer if not you)

b. The IP address of the Linux host on the Viasat network, which is the IP address you receive while
connected to the Viasat corporate VPN at the time you ran the playbook (see Configure Linux AWX)

c. Enter the short hostname that was used during the VPN certification request (see Generate a Certificate
Signing Request (CSR)).
d. Select End User Machine as the Deployment Type
4. Click Submit.

The following message displays. The onboarding and provisioning can take up to 1 hour depending on your VPN
connection.

Confirm the Playbook Successfully Completes


1. After the provisioning completes (10 to 15 minutes), open a terminal window.
2. Enter id <network_name> where the network name is your Viasat username.
3. Verify that the output returns with your network account groups, which confirms the playbook has completed
successfully.

Finishing the Onboarding


Once you have successfully run the playbook, complete the onboarding by restarting your Linux computer and logging in
to your accounts.

To finish onboarding:

1. Reboot your Linux computer.


2. Log in with your local account credentials (the same credentials you used before running the playbook).
3. Launch the Cisco AnyConnect client and connect to the Viasat Corporate VPN (follow Step 3 through Step 5 in
Complete the CSR Enrollment Request).
4. Once connected, lock your screen.
5. Log into your computer with your Viasat username and password. Your credentials are then cached, which can
take 5 to 10 minutes to complete.
6. After you successfully log in, reboot your computer.
7. Log in with your Viasat username and password. This creates a new Home folder for your Viasat account.
8. Once logged in, copy the VPN.cisco folder in the Home folder of your old account to the Home folder of your
Viasat account.
9. After you copy the folder, connect to the Viasat corporate VPN.

This completes your Linux computer onboarding!

Additional Services
Once your computer has access to the Viasat corporate network, you can access these common resources:

• Corporate Viasat Wiki: https://wiki.viasat.com
• Jira: https://jira.viasat.com

Resources
Check the Viasat Wiki (https://wiki.viasat.com) for more help articles and get help from the Viasat IT Service Desk:

• Email: [email protected]
• Phone: 760-476-2345 (toll-free 866-894-1805)
• Slack: #help-it
• Hours: Monday - Friday 4:00am to 7:00pm PT
• Web: https://ithelp.viasat.com
