OIDC Configuration steps for Infrastructure Management appliance only

Complete the following steps to configure Infrastructure Management virtual machine appliance with OIDC (OpenID Connect).

Prerequisites

  • Before you configure OIDC, make sure that the Infrastructure Management virtual machine appliance is installed. For more information, see Installation and Upgrade.

  • Single sign-on with Infrastructure Management and IBM Cloud Pak for AIOps requires an LDAP server connection.

    For more information about adding an LDAP connection, see Configuring LDAP connection.

Step 1. Register Infrastructure Management instance with IAM as an OIDC client

In order to enable single sign-on (SSO) for Infrastructure Management with OIDC, the Infrastructure Management instance needs to register as an OIDC client with Identity and Access Management (IAM). Complete these steps on the IBM Cloud Pak for AIOps cluster.

You can register Infrastructure Management as an OIDC client with IAM using the cloudctl command.

The registration requires the following payload in a file named registration.json:

{
  "token_endpoint_auth_method":"client_secret_basic",
  "client_id": "<YOUR_CLIENT_ID>",
  "client_secret": "<YOUR_CLIENT_SECRET>",
  "scope":"openid profile email",
  "grant_types":[
     "authorization_code",
     "client_credentials",
     "password",
     "implicit",
     "refresh_token",
     "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ],
  "response_types":[
     "code",
     "token",
     "id_token token"
  ],
  "application_type":"web",
  "subject_type":"public",
  "post_logout_redirect_uris":[
     "https://<YOUR_CLOUD_PAK_ROUTE>"
  ],
  "preauthorized_scope":"openid profile email general",
  "introspect_tokens":true,
  "trusted_uri_prefixes":[
     "https://<YOUR_CLOUD_PAK_ROUTE>/"
  ],
  "redirect_uris":[
     "https://<YOUR_CLOUD_PAK_ROUTE>/auth/liberty/callback",
     "https://<INFRA_MGMT_URL>/oidc_login/redirect_uri"
  ]
}

Example registration payload (for reference only):

{
  "token_endpoint_auth_method":"client_secret_basic",
  "client_id": "AaNzNVFsSjlLVkl6Zk5hZ01MRzJVaVdnbFcxNGl5cnQK",
  "client_secret": "AaNVNzF4ZUxNSVBQUHZHdG1xQmNsTTFOWmNUUGlnYUkK",
  "scope":"openid profile email",
  "grant_types":[
     "authorization_code",
     "client_credentials",
     "password",
     "implicit",
     "refresh_token",
     "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ],
  "response_types":[
     "code",
     "token",
     "id_token token"
  ],
  "application_type":"web",
  "subject_type":"public",
  "post_logout_redirect_uris":["https://cp-console-cp4aiops.apps.mycluster.mydomain.com"],
  "preauthorized_scope":"openid profile email general",
  "introspect_tokens":true,
  "trusted_uri_prefixes":["https://cp-console-cp4aiops.apps.mycluster.mydomain.com/"],
  "redirect_uris":["https://cp-console-cp4aiops.apps.mycluster.mydomain.com/auth/liberty/callback","https://im-mycluster.mydomain.com/oidc_login/redirect_uri"]
}
  1. Create a file named registration.json from the template above. Replace the placeholder values in the payload with the actual values for your installation.

    • YOUR_CLIENT_ID Your base64 encoded character string.

    • YOUR_CLIENT_SECRET Your base64 encoded character string.

      Note: The <YOUR_CLIENT_ID> and <YOUR_CLIENT_SECRET> values need to be generated. They can be any string, but normally a 32-character string that is base64 encoded is used. You can use base64 to encode your character string. For more information, see BASE64. Make a note of the values that you generate for <YOUR_CLIENT_ID> and <YOUR_CLIENT_SECRET>; you will use them in the next section to update the Apache configuration file.

      Example command that uses base64 to encode a character string:

      #
      # Generate two base64-encoded strings from inputs longer than 32 characters.
      # base64 is an encoding, not encryption: the output does not hide the input.
      #
      echo There is a huge white elephant in LA zoo | base64
      echo 12345678901234567890123456789012345 | base64
      
    • YOUR_CLOUD_PAK_ROUTE The URL of the IBM Cloud Pak for AIOps console.

    • INFRA_MGMT_URL The URL of the Infrastructure Management virtual machine appliance.

    • post_logout_redirect_uris The URL of the IBM Cloud Pak for AIOps console.

    • trusted_uri_prefixes The URL of the IBM Cloud Pak for AIOps console with a trailing forward slash (/).

    • redirect_uris The URL of the IBM Cloud Pak for AIOps console with the path to call back and the URL of the Infrastructure Management host with the path to the redirect_uri.

    Note: You can run the following command on the IBM Cloud Pak for AIOps cluster to determine the URL of the IBM Cloud Pak for AIOps console:

    oc get routes cp-console -o=jsonpath='{.spec.host}' -n <IA_installation_namespace>
    

    Where <IA_installation_namespace> is the namespace that Infrastructure Automation is installed in.

  2. After the file registration.json is completed, log in and run the command to register Infrastructure Management as an OIDC client.

    Note: Include -n kube-system to target that project; otherwise the cloudctl iam command can fail.

    cloudctl login -a https://<YOUR_CLOUD_PAK_ROUTE> -n kube-system
    

    Example cloudctl iam command:

    cloudctl iam oauth-client-register -f registration.json
    
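The following script is an added example for Step 1; it is not part of the IBM documentation or of the cloudctl tooling. It generates the two values in the form the page describes (a random 32-character string, base64 encoded; choosing random characters rather than a fixed phrase is this example's choice), fills the registration.json template from this page, and checks the result for leftover placeholders and for whitespace inside a URL before the file is handed to cloudctl iam oauth-client-register. It assumes a POSIX sh with base64, tr, sed and grep, and takes the console route host and the appliance host as arguments.

```shell
#!/bin/sh
# Added example (not from the IBM documentation or cloudctl).
# Usage: ./make-registration.sh <YOUR_CLOUD_PAK_ROUTE> <INFRA_MGMT_URL>
#   e.g. ./make-registration.sh cp-console-cp4aiops.apps.mycluster.mydomain.com im-mycluster.mydomain.com

# One value in the form the page describes: a random 32-character string,
# base64 encoded (44 characters). Random characters are this example's
# choice; the page only requires some string, base64 encoded.
gen_client_value() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32 | base64 | tr -d '\n'
}

# Print the registration payload from the page with the four placeholders
# substituted. $1 = console route host, $2 = appliance host,
# $3 = client_id, $4 = client_secret. '|' is the sed delimiter because
# URLs and base64 values contain '/'.
render_registration() {
  sed -e "s|<YOUR_CLOUD_PAK_ROUTE>|$1|g" \
      -e "s|<INFRA_MGMT_URL>|$2|g" \
      -e "s|<YOUR_CLIENT_ID>|$3|g" \
      -e "s|<YOUR_CLIENT_SECRET>|$4|g" <<'EOF'
{
  "token_endpoint_auth_method":"client_secret_basic",
  "client_id": "<YOUR_CLIENT_ID>",
  "client_secret": "<YOUR_CLIENT_SECRET>",
  "scope":"openid profile email",
  "grant_types":["authorization_code","client_credentials","password","implicit","refresh_token","urn:ietf:params:oauth:grant-type:jwt-bearer"],
  "response_types":["code","token","id_token token"],
  "application_type":"web",
  "subject_type":"public",
  "post_logout_redirect_uris":["https://<YOUR_CLOUD_PAK_ROUTE>"],
  "preauthorized_scope":"openid profile email general",
  "introspect_tokens":true,
  "trusted_uri_prefixes":["https://<YOUR_CLOUD_PAK_ROUTE>/"],
  "redirect_uris":["https://<YOUR_CLOUD_PAK_ROUTE>/auth/liberty/callback","https://<INFRA_MGMT_URL>/oidc_login/redirect_uri"]
}
EOF
}

# Reject a payload that still contains a <PLACEHOLDER>, or that has whitespace
# inside a quoted URL (a copy-and-paste defect that makes the registered
# redirect and trusted URIs invalid). Returns 0 when the file passes.
check_registration() {
  grep -q '<[A-Z_]*>' "$1" && return 1
  grep -q '"https://[^"]*[[:space:]]' "$1" && return 1
  return 0
}

main() {
  cid=$(gen_client_value)
  csec=$(gen_client_value)
  render_registration "$1" "$2" "$cid" "$csec" > registration.json
  check_registration registration.json || {
    echo "registration.json failed validation" >&2
    return 1
  }
  # Keep these two values: they go into the Apache configuration in Step 2.
  echo "client_id=$cid"
  echo "client_secret=$csec"
}

[ $# -eq 0 ] || main "$@"
```

Run it with the two hosts as arguments; it writes registration.json in the current directory and prints the generated client_id and client_secret so that they can be recorded for the Apache configuration.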

Step 2. Import the Root CA certificate to the Infrastructure Management appliance

  1. Retrieve the cluster CA cert by running this command on the cluster:

    oc get secret -n <IA_installation_namespace> ibmcloud-cluster-ca-cert -o jsonpath='{.data.ca\.crt}' | base64 --decode
    

    Where <IA_installation_namespace> is the namespace that Infrastructure Automation is installed in.

    Note: When you copy this command, extra characters can be added that break the command syntax. You can copy the first portion, oc get secret -n <IA_installation_namespace> ibmcloud-cluster-ca-cert -o jsonpath=, and manually type the remaining syntax, '{.data.ca\.crt}' | base64 --decode.

  2. Copy and paste the output to a file, for example ibm_cp_im.crt

  3. Edit the ibm_cp_im.crt file, and change:

    • BEGIN CERTIFICATE to BEGIN TRUSTED CERTIFICATE
    • END CERTIFICATE to END TRUSTED CERTIFICATE

    Note: The following steps must be completed by logging in to the Infrastructure Management appliance system as root user:

  4. Copy the updated ibm_cp_im.crt file to the Infrastructure Management appliance and save it in the directory: /etc/pki/ca-trust/source/anchors

  5. Run the command:

    update-ca-trust
    
  6. Restart the evm server by running the command:

    systemctl restart evmserverd
    
  7. Copy the Apache OIDC template configuration file with these steps:

    export TEMPLATE_DIR="/opt/IBM/infrastructure-management-appliance/TEMPLATE"
    
    cp ${TEMPLATE_DIR}/etc/httpd/conf.d/manageiq-remote-user-openidc.conf /etc/httpd/conf.d/
    
    cp ${TEMPLATE_DIR}/etc/httpd/conf.d/manageiq-external-auth-openidc.conf.erb  /etc/httpd/conf.d/manageiq-external-auth-openidc.conf
    
  8. The Apache /etc/httpd/conf.d/manageiq-external-auth-openidc.conf configuration file must be updated with installation-specific values. Replace the placeholder values in the file with the actual values for your installation.

    Sample configuration file:

    LoadModule          auth_openidc_module modules/mod_auth_openidc.so
    ServerName          https://<YOUR_IM_APPLIANCE_HOSTNAME>
    LogLevel            warn
    
    OIDCClientID                   <YOUR_CLIENT_ID>
    OIDCClientSecret               <YOUR_CLIENT_SECRET>
    OIDCRedirectURI                https://<YOUR_IM_APPLIANCE_HOSTNAME>/oidc_login/redirect_uri
    OIDCCryptoPassphrase           <PASSPHRASE>
    OIDCOAuthRemoteUserClaim       sub
    OIDCRemoteUserClaim            name
    
    OIDCOAuthClientID                  <YOUR_CLIENT_ID>
    OIDCOAuthClientSecret              <YOUR_CLIENT_SECRET>
    OIDCOAuthIntrospectionEndpoint     https://<YOUR_CLOUD_PAK_ROUTE>/idprovider/v1/auth/introspect
    OIDCOAuthIntrospectionEndpointAuth client_secret_basic
    
    OIDCProviderIssuer                  https://127.0.0.1:443/idauth/oidc/endpoint/OP
    OIDCProviderAuthorizationEndpoint   https://<YOUR_CLOUD_PAK_ROUTE>/idprovider/v1/auth/authorize
    OIDCProviderTokenEndpoint           https://<YOUR_CLOUD_PAK_ROUTE>/idprovider/v1/auth/token
    OIDCProviderJwksUri                 https://<YOUR_CLOUD_PAK_ROUTE>/idprovider/v1/auth/jwk
    OIDCProviderEndSessionEndpoint      https://<YOUR_CLOUD_PAK_ROUTE>/idprovider/v1/auth/logout
    
    OIDCScope                        "openid email profile"
    OIDCResponseMode                 "query"
    OIDCProviderTokenEndpointAuth     client_secret_post
    
    OIDCPassUserInfoAs json
    # The sample turns off TLS certificate validation of the provider endpoints
    OIDCSSLValidateServer off
    OIDCOAuthSSLValidateServer off
    OIDCHTTPTimeoutShort 10
    
    OIDCCacheEncrypt On
    <Location /oidc_login>
      AuthType  openid-connect
      Require   valid-user
    </Location>
    
    <Location /ui/service/oidc_login>
      AuthType openid-connect
      Require valid-user
      Header set Set-Cookie "miq_oidc_access_token=%{OIDC_access_token}e; Max-Age=10; Path=/ui/service"
    </Location>
    
    <LocationMatch ^/api(?!\/(v[\d\.]+\/)?product_info$)>
      SetEnvIf X-Auth-Token  '^.+$'                 let_api_token_in
      SetEnvIf X-MIQ-Token   '^.+$'                 let_sys_token_in
      SetEnvIf X-CSRF-Token  '^.+$'                 let_csrf_token_in
    
      AuthType  oauth20
      AuthName  "External Authentication (oidc) for API"
    
      Require   valid-user
      Order     Allow,Deny
      Allow from env=let_api_token_in
      Allow from env=let_sys_token_in
      Allow from env=let_csrf_token_in
      Satisfy   Any
    </LocationMatch>
    
    # Drop any identity headers that arrive from the client, so that a request
    # cannot supply its own X_REMOTE_USER value
    RequestHeader unset X-REMOTE-USER
    RequestHeader unset X-REMOTE_USER
    RequestHeader unset X_REMOTE-USER
    RequestHeader unset X_REMOTE_USER
    # Populate the identity headers from the claims that mod_auth_openidc exports
    # as environment variables; each header is set only when its claim is present
    RequestHeader set X_REMOTE_USER %{OIDC_CLAIM_PREFERRED_USERNAME}e env=OIDC_CLAIM_PREFERRED_USERNAME
    RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
    RequestHeader set X_REMOTE_USER_EMAIL %{OIDC_CLAIM_EMAIL}e env=OIDC_CLAIM_EMAIL
    RequestHeader set X_REMOTE_USER_FIRSTNAME %{OIDC_CLAIM_GIVEN_NAME}e env=OIDC_CLAIM_GIVEN_NAME
    RequestHeader set X_REMOTE_USER_LASTNAME %{OIDC_CLAIM_FAMILY_NAME}e env=OIDC_CLAIM_FAMILY_NAME
    RequestHeader set X_REMOTE_USER_FULLNAME %{OIDC_CLAIM_NAME}e env=OIDC_CLAIM_NAME
    RequestHeader set X_REMOTE_USER_GROUPS %{OIDC_CLAIM_GROUPS}e env=OIDC_CLAIM_GROUPS
    RequestHeader set X_REMOTE_USER_DOMAIN %{OIDC_CLAIM_DOMAIN}e env=OIDC_CLAIM_DOMAIN
    
    • YOUR_IM_APPLIANCE_HOSTNAME Specifies the hostname of the Infrastructure management appliance server.
    • YOUR_CLIENT_ID The client ID used for registering Infrastructure management as an OIDC client with IAM.
    • YOUR_CLIENT_SECRET The client secret that is used for registering Infrastructure management as an OIDC client with IAM.
    • YOUR_CLOUD_PAK_ROUTE The URL of the IBM Cloud Pak UI console.
    • OIDCCryptoPassphrase Can be any arbitrary alpha-numeric string.

    Note: YOUR_CLIENT_ID and YOUR_CLIENT_SECRET values are generated when you register Infrastructure Management as an OIDC client.

    Example configuration file (for reference only):

    LoadModule          auth_openidc_module modules/mod_auth_openidc.so
    ServerName          https://im-mycluster.mydomain.com
    LogLevel            warn
    
    OIDCClientID                       AaNzNVFsSjlLVkl6Zk5hZ01MRzJVaVdnbFcxNGl5cnQK
    OIDCClientSecret                   AaNVNzF4ZUxNSVBQUHZHdG1xQmNsTTFOWmNUUGlnYUkK
    OIDCRedirectURI                    https://im-mycluster.mydomain.com/oidc_login/redirect_uri
    OIDCCryptoPassphrase               alphabeta
    OIDCOAuthRemoteUserClaim           sub
    OIDCRemoteUserClaim                name
    
    OIDCOAuthClientID                  AaNzNVFsSjlLVkl6Zk5hZ01MRzJVaVdnbFcxNGl5cnQK
    OIDCOAuthClientSecret              AaNVNzF4ZUxNSVBQUHZHdG1xQmNsTTFOWmNUUGlnYUkK
    OIDCOAuthIntrospectionEndpoint     https://cp-console-cp4aiops.apps.mycluster.mydomain.com/idprovider/v1/auth/introspect
    OIDCOAuthIntrospectionEndpointAuth client_secret_basic
    
    OIDCProviderIssuer                 https://127.0.0.1:443/idauth/oidc/endpoint/OP
    OIDCProviderAuthorizationEndpoint  https://cp-console-cp4aiops.apps.mycluster.mydomain.com/idprovider/v1/auth/authorize
    OIDCProviderTokenEndpoint          https://cp-console-cp4aiops.apps.mycluster.mydomain.com/idprovider/v1/auth/token
    OIDCProviderJwksUri                https://cp-console-cp4aiops.apps.mycluster.mydomain.com/idprovider/v1/auth/jwk
    OIDCProviderEndSessionEndpoint     https://cp-console-cp4aiops.apps.mycluster.mydomain.com/idprovider/v1/auth/logout
    
    OIDCScope                          "openid email profile"
    OIDCResponseMode                   "query"
    OIDCProviderTokenEndpointAuth      client_secret_post
    
    OIDCPassUserInfoAs json
    OIDCSSLValidateServer off
    OIDCOAuthSSLValidateServer off
    OIDCHTTPTimeoutShort 10
    
    OIDCCacheEncrypt On
    <Location /oidc_login>
      AuthType  openid-connect
      Require   valid-user
    </Location>
    
    <Location /ui/service/oidc_login>
      AuthType openid-connect
      Require valid-user
      Header set Set-Cookie "miq_oidc_access_token=%{OIDC_access_token}e; Max-Age=10; Path=/ui/service"
    </Location>
    
    <LocationMatch ^/api(?!\/(v[\d\.]+\/)?product_info$)>
      SetEnvIf X-Auth-Token  '^.+$'                 let_api_token_in
      SetEnvIf X-MIQ-Token   '^.+$'                 let_sys_token_in
      SetEnvIf X-CSRF-Token  '^.+$'                 let_csrf_token_in
    
      AuthType  oauth20
      AuthName  "External Authentication (oidc) for API"
    
      Require   valid-user
      Order     Allow,Deny
      Allow from env=let_api_token_in
      Allow from env=let_sys_token_in
      Allow from env=let_csrf_token_in
      Satisfy   Any
    </LocationMatch>
    
    RequestHeader unset X-REMOTE-USER
    RequestHeader unset X-REMOTE_USER
    RequestHeader unset X_REMOTE-USER
    RequestHeader unset X_REMOTE_USER
    RequestHeader set X_REMOTE_USER %{OIDC_CLAIM_PREFERRED_USERNAME}e env=OIDC_CLAIM_PREFERRED_USERNAME
    RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
    RequestHeader set X_REMOTE_USER_EMAIL %{OIDC_CLAIM_EMAIL}e env=OIDC_CLAIM_EMAIL
    RequestHeader set X_REMOTE_USER_FIRSTNAME %{OIDC_CLAIM_GIVEN_NAME}e env=OIDC_CLAIM_GIVEN_NAME
    RequestHeader set X_REMOTE_USER_LASTNAME %{OIDC_CLAIM_FAMILY_NAME}e env=OIDC_CLAIM_FAMILY_NAME
    RequestHeader set X_REMOTE_USER_FULLNAME %{OIDC_CLAIM_NAME}e env=OIDC_CLAIM_NAME
    RequestHeader set X_REMOTE_USER_GROUPS %{OIDC_CLAIM_GROUPS}e env=OIDC_CLAIM_GROUPS
    RequestHeader set X_REMOTE_USER_DOMAIN %{OIDC_CLAIM_DOMAIN}e env=OIDC_CLAIM_DOMAIN
    
  9. Restart Apache on the appliance.

    systemctl restart httpd
    
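The following script is an added example for items 2 and 3 of Step 2; it is not part of the IBM documentation or of the appliance. It rewrites the PEM markers of the CA certificate retrieved from the cluster to the TRUSTED CERTIFICATE form that the step requires, and then checks the result (exactly one BEGIN and one END TRUSTED marker, no remaining plain CERTIFICATE marker, and only base64 text in between) so that the stray characters the note in item 1 warns about are caught before the file is copied to /etc/pki/ca-trust/source/anchors. It assumes a POSIX sh with sed and grep; the certificate used in its test is a constructed, PEM-shaped stand-in rather than a real certificate.

```shell
#!/bin/sh
# Added example (not from the IBM documentation or the appliance).
# Usage: ./trusted-cert.sh <decoded-ca.crt> <ibm_cp_im.crt>

# Rewrite the PEM markers: BEGIN/END CERTIFICATE -> BEGIN/END TRUSTED CERTIFICATE.
# Reads the file named in $1 and prints the converted PEM on stdout.
to_trusted_pem() {
  sed -e 's/^-----BEGIN CERTIFICATE-----$/-----BEGIN TRUSTED CERTIFICATE-----/' \
      -e 's/^-----END CERTIFICATE-----$/-----END TRUSTED CERTIFICATE-----/' "$1"
}

# Sanity-check a converted file before it is installed as a trust anchor:
#  - exactly one BEGIN TRUSTED and one END TRUSTED marker line
#  - no plain CERTIFICATE marker left over
#  - every other line is base64 text, so pasted-in extra characters are rejected
# Returns 0 when the file passes.
check_trusted_pem() {
  f="$1"
  [ "$(grep -c '^-----BEGIN TRUSTED CERTIFICATE-----$' "$f")" -eq 1 ] || return 1
  [ "$(grep -c '^-----END TRUSTED CERTIFICATE-----$' "$f")" -eq 1 ] || return 1
  grep -q '^-----\(BEGIN\|END\) CERTIFICATE-----$' "$f" && return 1
  if grep -v '^-----' "$f" | grep -qv '^[A-Za-z0-9+/=]\{1,76\}$'; then
    return 1
  fi
  return 0
}

main() {
  to_trusted_pem "$1" > "$2"
  check_trusted_pem "$2" || {
    echo "$2 does not look like a clean TRUSTED CERTIFICATE PEM file" >&2
    return 1
  }
  echo "$2 is ready to be copied to /etc/pki/ca-trust/source/anchors"
}

[ $# -eq 0 ] || main "$@"
```

Feed it the file you saved from the oc get secret output; the converted file is only reported as ready when the marker and body checks all pass.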

Step 3. Configure the Administrative UI

Update the Appliance Administrative UI to be OIDC aware and function. Complete these steps on each UI-enabled Infrastructure Management appliance.

  1. Log in as admin.

  2. Select Settings > Application Settings, select Server "EVM [1]" (current) under Zones, then select the Authentication tab.

  3. In the Authentication section, set the Mode to External (httpd)

  4. In the External Authentication (HTTPd) Settings section, set Provider Type to Enable OpenID-Connect.

    • Note: This setting enables the OIDC login button on the login screen that redirects to the OIDC protected page for authentication, and supports the OIDC logout process.
  5. Optional: In the External Authentication (HTTPd) Settings section, select Enable Single Sign-On.

    • Note: If you select this option, the initial access to the Appliance Administrative UI will redirect to the OIDC Identity Provider authentication screen.
  6. In the Role Settings section, select the Get User Groups from External Authentication (HTTPd) setting.

  7. Click Save.

  8. Select Access Control, click Groups and make sure the user’s groups are created on the Appliance and appropriate roles are assigned to those groups. The user's groups to be added in Infrastructure Management should have the same names as the groups defined in the LDAP server that is configured in the IBM Cloud Pak console.

    1. Under the Access Control, click Groups.
    2. Click Configuration, then Add a new Group.
    3. Enter your existing LDAP group name in the Description field. For example, im_ldap_group.
    4. Select the Role for this LDAP group. For example, select the EvmRole-super_administrator to map to this group. The Infrastructure Management administrator can map to the roles that make sense for the user group.
    5. Select My Company for Project/Tenant.
    6. Click Add.

    Note: Access control in Infrastructure Management is based on group membership as roles are assigned to groups. When Infrastructure Management is integrated with IBM Cloud Pak for AIOps using single sign-on (SSO), it looks at the user’s group membership in the identity token and checks if that group exists in Infrastructure Management. If the group doesn't exist, then access is denied. You must create at least one group with the role EvmRole-super_administrator and assign one user to this group. This user will be the Admin user for Infrastructure Management and referred to as IM_ADMIN_LDAP_USER. The IM_ADMIN_LDAP_USER must be a member of the LDAP group with the role EvmRole-super_administrator in Infrastructure Management.

    Important: You must create the groups in Infrastructure Management that match your existing LDAP groups by name, and assign the groups account roles. At least one group to which the user belongs in LDAP that IBM Cloud Pak for AIOps is configured to use must also be created in Infrastructure Management. You must assign a proper role to this group in Infrastructure Management.

    Example: In LDAP a group that is named imgroup100 exists and a user with username imuser100 is a member of the group. The user imuser100 and the group imgroup100 must be created in Infrastructure Management.

Step 4. Integrating Infrastructure Management with IBM Cloud Pak for AIOps

Enable navigation to Infrastructure Management within the IBM Cloud Pak console.

Complete the following steps on a Linux system. You can use the boot node from the HUB cluster where IBM Cloud Pak for AIOps is installed. These steps enable navigation to Infrastructure Management from the IBM Cloud Pak console:

  1. Clone the IBM Cloud Pak for AIOps samples GitHub repository to obtain the menu customization script. You must run the script on a Linux operating system.

    Download the supporting subdirectories so that the script can run successfully. The files and subdirectories that are required to run the script are:

    im-appliance-link-install.sh
    nav/automate.yml
    nav_template/automate.sh
    
  2. Install and authenticate kubectl. For more information, see Installing the Kubernetes CLI (kubectl).

  3. Navigate to the directory cp4waiops-samples/infrastructure-automation/infrastructure-management/appliance. Set the file permissions on the script and run im-appliance-link-install.sh to enable navigation to your Infrastructure Management instance:

    chmod 755 ./im-appliance-link-install.sh
    
    ./im-appliance-link-install.sh -i <Infrastructure management URL>
    
    • -i is a required parameter that specifies the URL of the Infrastructure Management console. For example, ./im-appliance-link-install.sh -i https://vm17-im-mycluster.mydomain.com/
  4. Verify that the Infrastructure Management instance is in the IBM Cloud Pak console navigation menu. From the IBM Cloud Pak navigation menu, click Automate infrastructure > Infrastructure management.

Infrastructure Management is integrated with the IBM Cloud Pak console.