Tehama Gateway User Guide

The Tehama Gateway establishes a gateway, a secure channel, between the Room and your network. All network traffic from the Room flows through the Tehama Gateway.

Your instance of the Tehama Gateway is uniquely identified by the access key provided to you during the Room creation or Room connection process (see note 1 below).

Your instance of the Tehama Gateway must be installed and run from behind your Organization's firewall. In order to administer your network properly, the Tehama Gateway will need to be placed in a network segment which has access to the resources you wish to administer remotely through Tehama.

Because Pythian loves your data, the Tehama Gateway is fully encrypted to ensure all communication with your Room is secure. Should you have any questions or concerns about the Tehama Gateway, please feel free to reach out to a Tehama Concierge.

1. The installation of a Tehama Gateway for a room is optional. You can configure your room's 'Network Access' to be either 'Internet Only' or 'Tehama Gateway'. The 'Internet Only' setting does not require the installation of a Tehama Gateway. The 'Network Status' setting is found on the Room's CONNECTION tab in the STATUS sidebar item.


Obtain an Access Key

The Room connection process presents you with an Access Key you will need to initiate the connection to your Room.

Note: If you haven't connected your Room yet, you can find the current key on the Room's CONNECTION tab in the STATUS sidebar item, when the 'Network Access' setting is 'Tehama Gateway'.

As you follow the instructions to install the Tehama Gateway, you will either be prompted to paste in the key or be required to place the Key file (secret.sck) in a specific location in order to initiate the connection.

You can transfer this key to the Tehama Gateway in two ways:

Choose one option:

  1. Click the Copy button (found beside the key on the page) to place the unique encryption key on your clipboard
    • to be pasted into the Tehama Gateway when prompted by the Automated-script

  2. Click Download (also found beside the key on the page) to save a copy of the Key file (secret.sck)
    • transfer it to your host where the Tehama Gateway will reside. (This is the recommended option when using Docker)

Generate a new Access Key

If you lose your key or have internal policies that require regularly regenerating access keys, you can generate a new one on the Room's CONNECTION tab in the STATUS sidebar item, when the 'Network Access' setting is 'Tehama Gateway'.

Click the REGENERATE KEY button. The displayed key will be the regenerated key, ready for copying or downloading.


Tehama Gateway Network Limitations

NOTE: Due to a limitation in the authentication framework used by Tehama, the Tehama Gateway cannot be installed on the 172.31.x.x network.

In addition, Tehama cannot connect to resources that are on the 172.31.x.x network directly.

If you have the following situation:

  • the Tehama Gateway is on a supported network; and
  • a resource is on the 172.31.x.x network

then a workaround would be to create a NAT on the network to NAT the address of the resource to an address that Tehama can see, like 10.x.x.x or something similar.


Install the Tehama Gateway from an automated-script

This is the recommended method for Linux-based systems. (For Windows systems, see the Docker method.)

Note: Please ensure the get-gateway.sh installation script conforms to your Organization's security policies prior to using the script. To view the script, download it from: https://app.tehama.io/get-gateway.sh

Install the Tehama Gateway from Tehama's automated get-gateway.sh installation script as follows:

Step 1 - Configure your gateway host (for automated-script installations)

  • Select a host in your network for your gateway.


    Important - Be aware of existing network limitations for the Tehama Gateway, and make changes to your network if necessary.

    Note - Tehama does not currently support running more than one gateway per host, when installed via automated-script.

Choose a gateway host that has a 64-bit Linux processor and runs one of the following Linux operating systems (the script has been tested on the Intel/AMD x64 platform):

Minimum Linux Host OS Recommended Linux Host OS
  • Ubuntu 14.04
  • CentOS 7
  • Amazon AMI 2017.3
  • Red Hat Enterprise Server 7.3
  • Fedora 25
  • CentOS 7.3
  • SUSE Linux Enterprise Server 12 SP3
  • Ubuntu 16.04
  • Ubuntu 17.1
  • Ubuntu 18.04
  • Amazon Linux 2 AMI

It should also work on other Linux versions. Contact Tehama Concierge at Tehama Support if you want to install on a different version.

Note (macOS): The Tehama Gateway will not run on Mac directly.

  • Verify that the following standard software is installed on your gateway host:
    Note: the get-gateway.sh script will check for missing required software.
    • wget
      • Run "wget". It should complain that the URL is missing. If it says not found, it is not installed.
    • curl
      • Run "curl". It should tell you to look at the manual. If it says not found, it is not installed.
    • unzip
      • Run "unzip". It should show a help file. If it says not found, it is not installed.
    • tee
      • Run "tee". It should not give an error but show an empty line. If it does, do CTRL+C to go back to the command line. If it says not found, it is not installed.
    • python 2.4 to 3.6
      • Run "python -V". It will show the version number. Verify that it falls between 2.4 and 3.6, inclusive. If it says not found, it is not installed.
    • net-tools
      • Run "netstat". If it says not found, it is not installed.
    • glibc >=2.15
      • Run "ldd --version". It will show the version number. Verify that it is version 2.15 or higher. If it says not found, it is not installed.
    • nohup
      • Run "nohup". It should show a usage statement. If it says not found, it is not installed.
    • pgrep
      • Run "pgrep". It should show a usage statement. If it says not found, it is not installed.
    • secure shell utilities:
      NOTE: The Tehama Gateway will run without the secure shell utilities, ssh, sshd and ssh-keygen, but the network performance will be degraded.
      • ssh
        • Run "ssh". It should show a usage statement. If it says not found, it is not installed.
      • sshd
        • Run "sshd". It should complain that the path is missing. If it says not found, it is not installed.
      • ssh-keygen
        • Run "ssh-keygen --help". It should show an error followed by a usage statement. If it says not found, it is not installed.
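The Step 1 checks above can be run in one pass. The following preflight is an added example, not Tehama's code and not part of get-gateway.sh. It applies the guide's version bounds and the 172.31.x.x limitation to the current host. The function names are hypothetical, and it assumes `hostname -I` is available to list the host's addresses.

```shell
#!/bin/sh
# Added example: Step 1 preflight for a Tehama Gateway host.
# Function names are illustrative; they are not part of get-gateway.sh.

# ver_key V: print major*1000+minor for V = major.minor[.patch], or 0.
ver_key() {
    case $1 in [0-9]*.[0-9]*) ;; *) echo 0; return ;; esac
    rest=${1#*.}; min=${rest%%[!0-9]*}
    echo $(( ${1%%.*} * 1000 + $min ))
}

# python_ok V: the guide requires Python 2.4 to 3.6, inclusive.
python_ok() {
    k=$(ver_key "$1")
    [ "$k" -ge "$(ver_key 2.4)" ] && [ "$k" -le "$(ver_key 3.6)" ]
}

# glibc_ok V: the guide requires glibc >= 2.15.
glibc_ok() { [ "$(ver_key "$1")" -ge "$(ver_key 2.15)" ]; }

# on_unsupported_net ADDR: true for 172.31.x.x, where the gateway cannot be
# installed and which it cannot reach directly.
on_unsupported_net() { case $1 in 172.31.*.*) return 0 ;; *) return 1 ;; esac; }

preflight() {
    rc=0
    for c in wget curl unzip tee python netstat ldd nohup pgrep; do
        command -v "$c" >/dev/null 2>&1 || { echo "MISSING required: $c"; rc=1; }
    done
    # Optional per the guide: the gateway runs without them, but slower.
    # sshd often lives in /usr/sbin, which may not be on a non-root PATH.
    for c in ssh sshd ssh-keygen; do
        command -v "$c" >/dev/null 2>&1 || echo "missing optional: $c"
    done
    if command -v python >/dev/null 2>&1; then
        v=$(python -V 2>&1 | awk '{print $2}')
        python_ok "$v" || { echo "UNSUPPORTED python $v (need 2.4 to 3.6)"; rc=1; }
    fi
    if command -v ldd >/dev/null 2>&1; then
        v=$(ldd --version 2>/dev/null | awk 'NR==1 {print $NF}')
        glibc_ok "$v" || { echo "UNSUPPORTED glibc $v (need >= 2.15)"; rc=1; }
    fi
    for a in $(hostname -I 2>/dev/null); do
        if on_unsupported_net "$a"; then
            echo "UNSUPPORTED host address $a (172.31.x.x)"; rc=1
        fi
    done
    return $rc
}

preflight || echo "Resolve the items above before running get-gateway.sh"
```

The same `on_unsupported_net` test can be applied to the addresses of the resources you plan to administer, to find the ones that need the NAT workaround.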

Step 2 - Download and launch the automated script (get-gateway.sh) to install Tehama Gateway

  1. Open a Linux terminal.
  2. Create and enter a working directory for Tehama. (e.g.: ~/tehama)
    • mkdir ~/tehama
    • cd ~/tehama
  3. Download and launch the installation script:
    1. wget https://app.tehama.io/get-gateway.sh
    2. chmod +x ./get-gateway.sh
    3. ./get-gateway.sh
      NOTE:
      The script automates the following tasks:
      1. It verifies required software is installed.
      2. It handles the automated download, verification and installation of the Tehama Gateway in the current directory.
      3. It starts the Tehama Gateway as a background task using nohup.
  4. Enter in the Access Key when prompted.
    1. First generate the key using the following steps:
      1. Log into the Tehama WebUI at: https://app.tehama.io/
      2. Navigate to your room (i.e.: Click on the ROOMS tab, then select the room for this Tehama Gateway from the rooms list)
      3. Navigate to the CONNECTION tab's STATUS sidebar item (with 'Network Access' set to 'Tehama Gateway').
      4. Click the REGENERATE KEY button (not necessary if this is the first time you have installed a Tehama Gateway for this room)
      5. Click the Copy button to copy the key to the clipboard
    2. Next enter the key:
      1. Return to the Linux terminal and paste in the Access Key when prompted
      2. Press Enter, and Confirm
    (The steps above to generate the key are summarized from Obtain an access key and Generate a new access key above.)

Once the Tehama Gateway is installed and successfully connected, you can register it for auto-start in the rc.local as follows: sudo ./get-gateway.sh -r
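The script at the download URL can change between your review and a later install or update, so the review requested in the note above only holds for the exact copy that was read. The following gate is an added example, not Tehama's code. It records the digest of the reviewed copy and refuses any copy that differs. The function names and the `.approved` file names are hypothetical, and `sha256sum` is assumed to be installed.

```shell
#!/bin/sh
# Added example: run get-gateway.sh only if it is the copy that was reviewed.
# Function and file names are illustrative, not part of the Tehama tooling.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# approve FILE: called by the reviewer after reading FILE. Keeps the digest
# and a copy so later downloads can be compared against what was approved.
approve() { sha256_of "$1" > "$1.approved.sha256" && cp "$1" "$1.approved"; }

# gate FILE: status 0 only if FILE matches the approved digest. On mismatch,
# print what changed since approval so only the delta needs re-review.
gate() {
    [ -f "$1.approved.sha256" ] || { echo "no approved digest for $1"; return 2; }
    if [ "$(sha256_of "$1")" = "$(cat "$1.approved.sha256")" ]; then return 0; fi
    echo "$1 differs from the approved copy:"
    diff -u "$1.approved" "$1"
    return 1
}

# Use on the gateway host (needs network access, so it is not run here):
#   wget -O get-gateway.sh https://app.tehama.io/get-gateway.sh
#   less get-gateway.sh && approve get-gateway.sh      # first review only
#   gate get-gateway.sh && chmod +x ./get-gateway.sh && ./get-gateway.sh

# demo: exercise the gate on a constructed stand-in for the installer.
demo() {
    d=$(mktemp -d); f=$d/get-gateway.sh
    printf '#!/bin/sh\necho install\n' > "$f"       # constructed sample
    approve "$f"
    gate "$f" && first=0 || first=$?
    printf 'echo extra step\n' >> "$f"              # copy changed after review
    gate "$f" >/dev/null && second=0 || second=$?
    rm -rf "$d"
    echo "$first $second"
}

demo
```

Store the approved digest somewhere the installing account cannot rewrite, such as your change-management record, so the gate cannot be satisfied by re-running `approve`.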


Step 3 - Configure your network firewall (for automated-script installations)

Important - if your network has a firewall, please be sure to follow the firewall configuration steps after the Tehama Gateway is installed and running.


Step 4 - Maintain and update a Tehama Gateway installed from the automated installation script

For instructions on how to monitor an automated-script installation of Tehama Gateway please see 'Monitor Tehama Gateway when installed via automated script'.

For instructions on how to update an automated-script installation of Tehama Gateway to the latest version please see the 'Update Tehama Gateway' section below and select one of the options for gateways installed via the automated-script, based on the version of your gateway.


Install the Tehama Gateway using Docker

This is the Docker method used for both Linux and Windows. (Note that the recommended method for Linux systems is the automated-script.)

Install the Tehama Gateway in a Docker container as follows:

Step 1 - Configure your gateway host (for Docker installations)


Step 2 - Install Gateway in Docker container

Follow the instructions to install the Tehama Gateway using Docker found here:

Note: Instructions to stop or update the Tehama Gateway using Docker are found on the same site.


Step 3 - Configure your network firewall (for Docker installations)

Important - if your network has a firewall, please be sure to follow the firewall configuration steps after the Tehama Gateway is installed and running (in its Docker container).


Step 4 - Maintain and update a Tehama Gateway installed in a Docker container

For instructions on how to monitor a Docker installation of Tehama Gateway please see 'Monitor Tehama Gateway when installed via Docker'.

For instructions on how to update a Docker installation of Tehama Gateway to the latest version please see 'Manual update for gateways running inside a Docker container' found under the 'Update Tehama Gateway' section towards the end of this page.