Configuring observer job security

Some observers require authentication credentials such as certificates, keystores, or both. This topic describes such configuration tasks.

Note: Information on specific observers is located in the subtopics under Defining observer jobs.

To configure the security, complete the following steps:

  • Obtain an authentication certificate.
  • Store that certificate as a secret.

Important: Only update topology-custom-secrets with the Red Hat OpenShift Container Platform command-line interface (CLI). If you update custom secrets in the console, the crypto key is corrupted and the command to encrypt passwords does not work.

Managing authentication certificates and storing them as secrets (Red Hat OpenShift Container Platform)

  1. Obtain the authentication certificate by using OpenSSL.

    echo -n | openssl s_client -connect {ipAddress}:{port} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | base64 -w 0 > target_system.crt
    

    Where target_system.crt contains the encoded certificate, and {ipAddress} and {port} are the IP address and TLS port of any of the following target systems. Note that openssl s_client does not validate the peer, so compare the fingerprint of the retrieved certificate with a value obtained from the target system's administrator before you store it.

    • Ansible
    • Big Cloud fabric
    • BigFix Inventory
    • Ciena Blue Planet
    • Cisco ACI
    • Datadog
    • Dynatrace
    • Juniper CSO
    • HPNFVD
    • GitLab
    • Kubernetes master node
    • OpenStack
    • Rancher
    • SDC ONAP
    • VMware NSX
    • VMware vCenter
    • Zabbix

    Example target_system.crt:

    [root@localhost ~]# cat target_system.crt
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN3RENDQWFnQ0NRRGRuMENqU3BXZXhUQU5CZ2txaGtpRzl3MEJBUVVGQURBaU1RMHdDd1lEVlFRRERBUkIKVUVsRE1SRXdEd1lKS29aSWh2Y05BUWtCRmdKVlV6QWVGdzB4TmpBeE1qRXdOekV5TWpWYUZ3MHlOakF4TVRndwpOekV5TWpWYU1DSXhEVEFMQmdOVkJBTU1CRUZRU1VNeEVUQVBCZ2txaGtpRzl3MEJDUUVXQWxWVE1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQW1Ob0dxdFI0RlFPWkdoUWFtand1YmxRYjRobU0KTzJwOGtjbGUwL2NuUno3cSttWGYzWlRQYTZsWEk2MG9BbmVPSGowZEVaMkhwRWFFblBUbWJmWUF6Y0ZQdjNVWApMWjM3VWVoMDZXTjMxS29tSSs2czJtSk1IWWM0MW44M1RiUU5uWUNjYjZjdlZLcWV5NVhhaFBtdkZDbDBtM3Y3Cisxa1lFMFRNVlBnTk56R0ZSUXU1RVlGc3FZWHZGbFZhZ0lUalF6cks3YnE0RkJiMW1kVjFsYnVOMWhISzd2SFEKS3ZUNHBGbGx1NTRHU0JhZ2RSbUdad0dta0tNZHRGUkEvc3pBWEMrejQ0cHN3T05ydTJnbDR3bG5MZTVvM2NWZwpFQUx1THM4UDgrOUx0eFN3YWJvb0VMcHRjb3pKdEpUb2E4QS9zZXRaSi81RUJQNmhjNk1yUWxHQktRSURBUUFCCk1BMEdDU3FHU0liM0RRRUJCUVVBQTRJQkFRQkJuZzlJK2pBdjhNUjBYemM1SUUxdTBkK0JweW9OZGVRbkl4T2sKZWFsNzNUbmkzWmh4QUQzdlQzenZNSElSUEc0d3lxMWJqQ05LY3BZOGVCbVJuVzhOSnlNdG9vcU9hNlJMWGNPTAoyeVZublVna092THRPVjM5eFNFQ1BOMzV4YXJJdGYydE9NZWJRWlc1ZC9Hc1lPZUFLTlNrTlQwRmtreDE0UzJFClpBVi9IUUVHaVpUR0tQNkx1czYzLzJiTEJVNHdGUjg3bjNkdFJFVUp5eGQ4ZDJDTFA4MkE2UTNOT2lOZEdkam0KSnFQZXNEaWxXWE5Gd09xUk1XOWFGWTVUSUtOL25PQzhqczI0cVFmZTJZcllnZ242N0crLytBQy9kV21JSVQ2dgpBWTVMejhwOWQwSzZUaGxLeVpNZkdYVkNnMFlvTms1ajQ4ckJlZ2J5cFhTM1J2SnIKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    
    [root@localhost ~]#
    
  2. For the SDC ONAP Observer, encode the contents of the key store file by using base64.

    For example:

    cat {onap_sdc_file_name}.jks | base64 -w 0 > org.onap.sdc.trust.txt
    

    Where org.onap.sdc.trust.txt contains the encoded key store file, and {onap_sdc_file_name}.jks is the key store file downloaded from the target ONAP SDC system.

    Next, store the encoded file as a secret.

  3. For the GoogleCloud Observer, encode the contents of the service account key file by using base64.

    For example:

    cat {project_id_file_name}.json | base64 -w 0 > googlecloud.json
    

    Where googlecloud.json contains the encoded service account key file, and {project_id_file_name}.json is the service account key file you downloaded from Credentials under API & Services in the Google Cloud Platform dashboard.

    Next, store the encoded service account key file as a secret.

  4. Store the encoded certificate (or key store or service account key file) that was generated in the previous steps as a secret.

    Each installed IBM Cloud Pak for Watson AIOps release has a single special secrets file. Data added to it is made available to the appropriate observer containers.

    • Find the correct secrets file by using the following command:

      oc get secret <releasename>-custom-secrets
      

      Where <releasename> is the name of the installed release. You can obtain it, and from it the name of the secret, by using the following command:

      oc get asm
      

      Sample output:

      NAME            AGE
      aiops-topology  12d
      

      Find the secret for aiops-topology:

      oc get secret aiops-topology-custom-secrets
      

      Sample output:

      NAME                            TYPE     DATA   AGE
      aiops-topology-custom-secrets   Opaque   4      12d
      
    • Edit the appropriate file for your release.

      oc edit secret <releasename>-custom-secrets
      
    • Add a name and value pair to the data section.

      The value is the certificate generated earlier. The name is the value that you entered as the certificate file name to run the observer job.

      Example: The following sample shows the expected content in the secret file after adding vcenter.crt. The data section is between the apiVersion and kind sections.

      data:
        {name}: {value}
      

      Note: This VMware vCenter Observer example registers the vcenter.crt SSL certificate in a Red Hat OpenShift Container Platform secret. vcenter.crt is the job parameter value for the VMware vCenter Observer. Define a new {name} parameter in the same file for other observers that require SSL certificates. You provide the certificate in the Red Hat OpenShift Container Platform secret, and the truststore and truststore password settings that you provide are used to generate a new truststore automatically.

      apiVersion: v1
      data:
        vcenter.crt: <base64-encoded certificate from target_system.crt>
      kind: Secret
      

      If the edit is successful, the following message is displayed:

      secret "<release-name>-custom-secrets" edited
      
  5. In the Red Hat OpenShift Container Platform web console, you can view the configured secret under Menu > Workload > Secrets, where the Name is '<releasename>-custom-secrets'. Within '<releasename>-custom-secrets', all the data that you configured earlier is displayed.
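The following script is an added example, not part of the IBM documentation or the product: it wraps steps 1 and 4 in shell functions with checks between them, so that an encoded certificate is verified (exactly one certificate, fingerprint comparable with an out-of-band value, valid secret key name) before it is added to <releasename>-custom-secrets with the CLI. The sample s_client transcript, the dummy PEM body, the hostname target.example.internal and the function names are all constructed for this example; it assumes POSIX sh, sed and base64 (newlines are stripped with tr instead of the GNU-only "base64 -w 0"), optionally openssl for the fingerprint, and the oc CLI only for the final, non-executed step.

```shell
#!/bin/sh
# Added example (not IBM's code): steps 1 and 4 of the procedure as functions
# with checks in between. Assumes POSIX sh, sed, base64, optionally openssl,
# and oc only for add_cert_to_custom_secrets, which is not run here.
set -eu

# Step 1: extract the first PEM certificate block from saved "openssl s_client"
# output and base64-encode it on a single line (the form the secret expects).
#   $1 = file holding the s_client output   $2 = output file, e.g. target_system.crt
encode_cert_from_s_client_output() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$1" | base64 | tr -d '\n' > "$2"
}

# Check: the encoded file must decode to exactly one certificate. If s_client
# was run with -showcerts, the sed range captures the whole chain instead.
check_single_cert() {
    n=$(base64 -d "$1" | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$n" -eq 1 ]
}

# Check: print the SHA-256 fingerprint of the encoded certificate so it can be
# compared with the value the target system's administrator supplies out of
# band (s_client itself does not validate the peer). Returns 1 and prints
# nothing if openssl is missing or the PEM body is not a real certificate.
cert_fingerprint() {
    command -v openssl >/dev/null 2>&1 || return 1
    base64 -d "$1" | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Check: Kubernetes secret data keys may only contain alphanumerics, '-', '_' and '.'.
validate_key_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'
}

# Step 4: build the JSON merge patch that adds one name/value pair to the data
# section of <releasename>-custom-secrets. The value is already base64, as the
# data section requires.
#   $1 = key name used in the observer job, e.g. vcenter.crt   $2 = encoded file
build_secret_patch() {
    validate_key_name "$1"
    printf '{"data":{"%s":"%s"}}' "$1" "$(cat "$2")"
}

# Step 4 applied with the CLI (the Important note rules out the console).
# Not run below because it needs a cluster login.
#   $1 = release name   $2 = key name   $3 = encoded file
add_cert_to_custom_secrets() {
    oc patch secret "$1-custom-secrets" --type merge -p "$(build_secret_patch "$2" "$3")"
}

# --- Constructed sample input: an s_client-style transcript whose PEM body is a
# dummy string, not a real certificate (so cert_fingerprint will decline it) ----
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/s_client.txt" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = target.example.internal
   i:CN = target.example.internal
---
Server certificate
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWRTYW1wbGVOb3RBUmVhbENlcnRpZmljYXRl
-----END CERTIFICATE-----
subject=CN = target.example.internal
issuer=CN = target.example.internal
---
EOF

encode_cert_from_s_client_output "$SAMPLE_DIR/s_client.txt" "$SAMPLE_DIR/target_system.crt"
check_single_cert "$SAMPLE_DIR/target_system.crt"
cert_fingerprint "$SAMPLE_DIR/target_system.crt" || echo "fingerprint skipped (dummy certificate or no openssl)"
echo "patch for oc: $(build_secret_patch vcenter.crt "$SAMPLE_DIR/target_system.crt")"
```

With a real capture (the s_client command from step 1 redirected to a file instead of piped to sed), run the functions in the same order and compare the printed fingerprint with the one supplied by the target system's owner before calling add_cert_to_custom_secrets; a mismatch means the captured certificate is not the one you intended to trust.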