OIDC Configuration steps for Infrastructure Management appliance only
Complete the following steps to configure Infrastructure Management virtual machine appliance with OIDC (OpenID Connect).
- Prerequisites
- Step 1. Register Infrastructure Management instance with IAM as an OIDC client
- Step 2. Import the Root CA certificate to Infrastructure Management
- Step 3. Configure the Administrative UI
- Step 4. Integrating Infrastructure Management with IBM Cloud Pak for AIOps
Prerequisites
- Before you configure OIDC, make sure that the Infrastructure Management virtual machine appliance is installed. For more information, see Installation and Upgrade.
- Single sign-on with Infrastructure Management and IBM Cloud Pak for AIOps requires an LDAP server connection. For more information about adding an LDAP connection, see Configuring LDAP connection.
Step 1. Register Infrastructure Management instance with IAM as an OIDC client
In order to enable single sign-on (SSO) for Infrastructure Management with OIDC, the Infrastructure Management instance needs to register as an OIDC client with Identity and Access Management (IAM). Complete these steps on the IBM Cloud Pak for AIOps cluster.
You can register Infrastructure Management as an OIDC client with IAM by using the cloudctl command.
The registration requires the following payload in a file named registration.json:
{
"token_endpoint_auth_method":"client_secret_basic",
"client_id": "<YOUR_CLIENT_ID>",
"client_secret": "<YOUR_CLIENT_SECRET>",
"scope":"openid profile email",
"grant_types":[
"authorization_code",
"client_credentials",
"password",
"implicit",
"refresh_token",
"urn:ietf:params:oauth:grant-type:jwt-bearer"
],
"response_types":[
"code",
"token",
"id_token token"
],
"application_type":"web",
"subject_type":"public",
"post_logout_redirect_uris":[
"https://<YOUR_CLOUD_PAK_ROUTE>" ],
"preauthorized_scope":"openid profile email general",
"introspect_tokens":true,
"trusted_uri_prefixes":[
"https://<YOUR_CLOUD_PAK_ROUTE>/" ],
"redirect_uris":["https://<YOUR_CLOUD_PAK_ROUTE>/auth/liberty/callback","https://<INFRA_MGMT_URL>/oidc_login/redirect_uri"]
}
Example registration payload (for reference only):
{
"token_endpoint_auth_method":"client_secret_basic",
"client_id": "AaNzNVFsSjlLVkl6Zk5hZ01MRzJVaVdnbFcxNGl5cnQK",
"client_secret": "AaNVNzF4ZUxNSVBQUHZHdG1xQmNsTTFOWmNUUGlnYUkK",
"scope":"openid profile email",
"grant_types":[
"authorization_code",
"client_credentials",
"password",
"implicit",
"refresh_token",
"urn:ietf:params:oauth:grant-type:jwt-bearer"
],
"response_types":[
"code",
"token",
"id_token token"
],
"application_type":"web",
"subject_type":"public",
"post_logout_redirect_uris":["https://cp-console-cp4aiops.apps.mycluster.mydomain.com"],
"preauthorized_scope":"openid profile email general",
"introspect_tokens":true,
"trusted_uri_prefixes":["https://cp-console-cp4aiops.apps.mycluster.mydomain.com/"],
"redirect_uris":["https://cp-console-cp4aiops.apps.mycluster.mydomain.com/auth/liberty/callback","https://im-mycluster.mydomain.com/oidc_login/redirect_uri"]
}
- Create a file named registration.json from the example template. Replace the placeholders in the template payload with the actual values for your installation.
YOUR_CLIENT_ID
Your base64-encoded character string.
YOUR_CLIENT_SECRET
Your base64-encoded character string.
Note: The <YOUR_CLIENT_ID> and <YOUR_CLIENT_SECRET> values must be generated. They can be any string, but normally a base64-encoded 32-character string is used. The client secret is the credential with which the appliance authenticates to IAM at the token and introspection endpoints, so derive it from a random source rather than from a memorable phrase, use a different value from the client ID, and protect the registration.json file as you would a password. You can use base64 to encode your character string. For more information, see: BASE64. Make a note of the values that you generate for <YOUR_CLIENT_ID> and <YOUR_CLIENT_SECRET>. You will use the values in the next section to update the Apache configuration file.
Example commands that use base64 to encode a character string:
# Generate two base64-encoded strings from inputs that are longer than 32 characters.
# base64 is an encoding, not encryption: the secret is only as strong as its input.
# printf is used instead of echo so that a trailing newline is not encoded into the value.
printf '%s' 'There is a huge white elephant in LA zoo' | base64
printf '%s' '12345678901234567890123456789012345' | base64
YOUR_CLOUD_PAK_ROUTE
The URL of the IBM Cloud Pak for AIOps console.
INFRA_MGMT_URL
The URL of the Infrastructure Management virtual machine appliance.
post_logout_redirect_uris
The URL of the IBM Cloud Pak for AIOps console.
trusted_uri_prefixes
The URL of the IBM Cloud Pak for AIOps console followed by a forward slash (/).
redirect_uris
The URL of the IBM Cloud Pak for AIOps console with the callback path, and the URL of the Infrastructure Management host with the redirect_uri path. IAM only redirects to URIs that are registered here, so the Infrastructure Management entry must be identical to the OIDCRedirectURI value that you set in the Apache configuration file in Step 2 (same scheme, host, port and path, with no extra whitespace).
Note: You can run the following command on the IBM Cloud Pak for AIOps cluster to determine the host name of the IBM Cloud Pak for AIOps console:
oc get routes cp-console -o=jsonpath='{.spec.host}' -n <IA_installation_namespace>
Where <IA_installation_namespace> is the namespace that Infrastructure Automation is installed in.
- After the registration.json file is complete, log in and run the command to register Infrastructure Management as an OIDC client. Note: Include -n kube-system to specify this project, or the cloudctl iam command can fail.
cloudctl login -a https://<YOUR_CLOUD_PAK_ROUTE> -n kube-system
Example cloudctl iam command:
cloudctl iam oauth-client-register -f registration.json
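The credential generation and registration steps above, as one added shell example (not IBM tooling and not part of this page's original procedure): it draws both credential values from the kernel random source instead of encoding a phrase, renders registration.json from a console host and an appliance host, and pre-flights the file for the mistakes that make the registration or the later Apache login fail (unreplaced placeholders, whitespace inside a URL, a plaintext http:// URI, a missing appliance redirect_uri). The host names are constructed; the cloudctl commands appear only as comments because they need a live cluster.

```shell
#!/bin/sh
# Added example, not IBM tooling: generate the OIDC client credential pair,
# render registration.json, and pre-flight it before cloudctl registration.
# Host names below are constructed placeholders for this illustration.

# 32 random bytes, base64-encoded (44 characters, no trailing newline).
# The client secret authenticates the appliance to IAM at the token and
# introspection endpoints, so it must be unguessable: take it from
# /dev/urandom rather than base64-encoding a phrase (base64 is an encoding,
# not encryption). The client ID is generated the same way for convenience.
gen_credential() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Render the Step 1 payload.  $1 = console host, $2 = appliance host
# (both without scheme), $3 = client ID, $4 = client secret.
render_registration() {
    cat <<EOF
{
  "token_endpoint_auth_method": "client_secret_basic",
  "client_id": "$3",
  "client_secret": "$4",
  "scope": "openid profile email",
  "grant_types": ["authorization_code", "client_credentials", "password",
                  "implicit", "refresh_token",
                  "urn:ietf:params:oauth:grant-type:jwt-bearer"],
  "response_types": ["code", "token", "id_token token"],
  "application_type": "web",
  "subject_type": "public",
  "post_logout_redirect_uris": ["https://$1"],
  "preauthorized_scope": "openid profile email general",
  "introspect_tokens": true,
  "trusted_uri_prefixes": ["https://$1/"],
  "redirect_uris": ["https://$1/auth/liberty/callback",
                    "https://$2/oidc_login/redirect_uri"]
}
EOF
}

# Pre-flight checks on a registration.json. Returns 1 on the first problem.
# The appliance redirect_uri must equal the OIDCRedirectURI in the Apache
# configuration byte for byte; IAM rejects anything else at login time.
check_registration() {
    f="$1"
    if grep -q '<[A-Z_]*>' "$f"; then
        echo "$f: unreplaced <PLACEHOLDER>" >&2; return 1
    fi
    if grep -q 'https://[^"]* ' "$f"; then
        echo "$f: whitespace inside a URL (e.g. 'mydomain.com /auth')" >&2; return 1
    fi
    if grep -q '"http://' "$f"; then
        echo "$f: plaintext http:// URI" >&2; return 1
    fi
    if ! grep -q '"https://[^" ]*/oidc_login/redirect_uri"' "$f"; then
        echo "$f: appliance redirect_uri .../oidc_login/redirect_uri missing" >&2; return 1
    fi
    return 0
}

# --- demo with constructed hosts ---------------------------------------------
CP_ROUTE="cp-console-cp4aiops.apps.mycluster.mydomain.com"  # value of: oc get routes cp-console -o=jsonpath='{.spec.host}'
IM_HOST="im-mycluster.mydomain.com"
CLIENT_ID=$(gen_credential)
CLIENT_SECRET=$(gen_credential)
OUT=$(mktemp -d)/registration.json
render_registration "$CP_ROUTE" "$IM_HOST" "$CLIENT_ID" "$CLIENT_SECRET" > "$OUT"
check_registration "$OUT" && echo "ready: $OUT (keep CLIENT_ID/CLIENT_SECRET for the Apache config)"
# Then, on the cluster:
#   cloudctl login -a "https://$CP_ROUTE" -n kube-system
#   cloudctl iam oauth-client-register -f "$OUT"
```

Keep the two generated values: the same pair goes into OIDCClientID/OIDCClientSecret (and the OIDCOAuth* counterparts) in the Apache file in Step 2, and the file check_registration accepts is the one to pass to cloudctl.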
Step 2. Import the Root CA certificate to the Infrastructure Management appliance
- Retrieve the cluster CA certificate by running this command on the cluster:
oc get secret -n <IA_installation_namespace> ibmcloud-cluster-ca-cert -o jsonpath='{.data.ca\.crt}' | base64 --decode
Where <IA_installation_namespace> is the namespace that Infrastructure Automation is installed in.
Note: When you copy this command, additional characters can be added that cause incorrect command syntax. You can copy the first portion, oc get secret -n <IA_installation_namespace> ibmcloud-cluster-ca-cert -o jsonpath=, and manually add the remaining syntax '{.data.ca\.crt}' | base64 --decode.
- Copy and paste the output to a file, for example ibm_cp_im.crt.
- Edit the ibm_cp_im.crt file and change:
BEGIN CERTIFICATE to BEGIN TRUSTED CERTIFICATE
END CERTIFICATE to END TRUSTED CERTIFICATE
Note: The following steps must be completed by logging in to the Infrastructure Management appliance system as the root user:
- Copy the updated ibm_cp_im.crt file to the Infrastructure Management appliance and save it in the /etc/pki/ca-trust/source/anchors directory.
- Run the command:
update-ca-trust
- Restart the evm server by running the command:
systemctl restart evmserverd
- Copy the Apache OIDC template configuration files with these steps:
export TEMPLATE_DIR="/opt/IBM/infrastructure-management-appliance/TEMPLATE"
cp ${TEMPLATE_DIR}/etc/httpd/conf.d/manageiq-remote-user-openidc.conf /etc/httpd/conf.d/
cp ${TEMPLATE_DIR}/etc/httpd/conf.d/manageiq-external-auth-openidc.conf.erb /etc/httpd/conf.d/manageiq-external-auth-openidc.conf
- The Apache /etc/httpd/conf.d/manageiq-external-auth-openidc.conf configuration file must be updated with installation-specific values. Replace the contents of the file with the actual values based on the installation. The file contains the client secret, so keep it readable by root only.
Sample configuration file:
LoadModule auth_openidc_module modules/mod_auth_openidc.so
ServerName https://<YOUR_IM_APPLIANCE_HOSTNAME>
LogLevel warn

OIDCClientID <YOUR_CLIENT_ID>
OIDCClientSecret <YOUR_CLIENT_SECRET>
OIDCRedirectURI https://<YOUR_IM_APPLIANCE_HOSTNAME>/oidc_login/redirect_uri
OIDCCryptoPassphrase <PASSPHRASE>
OIDCOAuthRemoteUserClaim sub
OIDCRemoteUserClaim name

OIDCOAuthClientID <YOUR_CLIENT_ID>
OIDCOAuthClientSecret <YOUR_CLIENT_SECRET>
OIDCOAuthIntrospectionEndpoint https://<YOUR_CLOUD_PAK_ROUTE>/idprovider/v1/auth/introspect
OIDCOAuthIntrospectionEndpointAuth client_secret_basic

OIDCProviderIssuer https://127.0.0.1:443/idauth/oidc/endpoint/OP
OIDCProviderAuthorizationEndpoint https://<YOUR_CLOUD_PAK_ROUTE>/idprovider/v1/auth/authorize
OIDCProviderTokenEndpoint https://<YOUR_CLOUD_PAK_ROUTE>/idprovider/v1/auth/token
OIDCProviderJwksUri https://<YOUR_CLOUD_PAK_ROUTE>/idprovider/v1/auth/jwk
OIDCProviderEndSessionEndpoint https://<YOUR_CLOUD_PAK_ROUTE>/idprovider/v1/auth/logout

OIDCScope "openid email profile"
OIDCResponseMode "query"
OIDCProviderTokenEndpointAuth client_secret_post
OIDCPassUserInfoAs json
OIDCSSLValidateServer off
OIDCOAuthSSLValidateServer off
OIDCHTTPTimeoutShort 10
OIDCCacheEncrypt On

<Location /oidc_login>
  AuthType openid-connect
  Require valid-user
</Location>

<Location /ui/service/oidc_login>
  AuthType openid-connect
  Require valid-user
  Header set Set-Cookie "miq_oidc_access_token=%{OIDC_access_token}e; Max-Age=10; Path=/ui/service"
</Location>

<LocationMatch ^/api(?!\/(v[\d\.]+\/)?product_info$)>
  SetEnvIf X-Auth-Token '^.+$' let_api_token_in
  SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
  SetEnvIf X-CSRF-Token '^.+$' let_csrf_token_in

  AuthType oauth20
  AuthName "External Authentication (oidc) for API"
  Require valid-user
  Order Allow,Deny
  Allow from env=let_api_token_in
  Allow from env=let_sys_token_in
  Allow from env=let_csrf_token_in
  Satisfy Any
</LocationMatch>

RequestHeader unset X-REMOTE-USER
RequestHeader unset X-REMOTE_USER
RequestHeader unset X_REMOTE-USER
RequestHeader unset X_REMOTE_USER

RequestHeader set X_REMOTE_USER %{OIDC_CLAIM_PREFERRED_USERNAME}e env=OIDC_CLAIM_PREFERRED_USERNAME
RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
RequestHeader set X_REMOTE_USER_EMAIL %{OIDC_CLAIM_EMAIL}e env=OIDC_CLAIM_EMAIL
RequestHeader set X_REMOTE_USER_FIRSTNAME %{OIDC_CLAIM_GIVEN_NAME}e env=OIDC_CLAIM_GIVEN_NAME
RequestHeader set X_REMOTE_USER_LASTNAME %{OIDC_CLAIM_FAMILY_NAME}e env=OIDC_CLAIM_FAMILY_NAME
RequestHeader set X_REMOTE_USER_FULLNAME %{OIDC_CLAIM_NAME}e env=OIDC_CLAIM_NAME
RequestHeader set X_REMOTE_USER_GROUPS %{OIDC_CLAIM_GROUPS}e env=OIDC_CLAIM_GROUPS
RequestHeader set X_REMOTE_USER_DOMAIN %{OIDC_CLAIM_DOMAIN}e env=OIDC_CLAIM_DOMAIN
YOUR_IM_APPLIANCE_HOSTNAME
Specifies the hostname of the Infrastructure Management appliance server.
YOUR_CLIENT_ID
The client ID that is used for registering Infrastructure Management as an OIDC client with IAM.
YOUR_CLIENT_SECRET
The client secret that is used for registering Infrastructure Management as an OIDC client with IAM.
YOUR_CLOUD_PAK_ROUTE
The URL of the IBM Cloud Pak UI console.
OIDCCryptoPassphrase
Can be any arbitrary alphanumeric string. mod_auth_openidc uses it to encrypt its session cookies and cache, so use a long random value that is unique to this appliance rather than a short word, and keep it out of version control.
OIDCSSLValidateServer and OIDCOAuthSSLValidateServer
The sample sets both to off, which makes mod_auth_openidc accept any certificate when it calls the IAM token, JWKS and introspection endpoints. After the cluster CA from the beginning of this step is in the appliance trust store and the console certificate chains to it, set both to On so that those calls cannot be intercepted.
Note: The YOUR_CLIENT_ID and YOUR_CLIENT_SECRET values are the values that you generated when you registered Infrastructure Management as an OIDC client. The RequestHeader unset lines at the end of the file strip any X_REMOTE_USER-style headers that a client sends before Apache sets its own from the validated claims; Infrastructure Management trusts these headers as the identity of the user, so do not remove them.
Example configuration file (for reference only):
LoadModule auth_openidc_module modules/mod_auth_openidc.so
ServerName https://im-mycluster.mydomain.com
LogLevel warn

OIDCClientID AaNzNVFsSjlLVkl6Zk5hZ01MRzJVaVdnbFcxNGl5cnQK
OIDCClientSecret AaNVNzF4ZUxNSVBQUHZHdG1xQmNsTTFOWmNUUGlnYUkK
OIDCRedirectURI https://im-mycluster.mydomain.com/oidc_login/redirect_uri
OIDCCryptoPassphrase alphabeta
OIDCOAuthRemoteUserClaim sub
OIDCRemoteUserClaim name

OIDCOAuthClientID AaNzNVFsSjlLVkl6Zk5hZ01MRzJVaVdnbFcxNGl5cnQK
OIDCOAuthClientSecret AaNVNzF4ZUxNSVBQUHZHdG1xQmNsTTFOWmNUUGlnYUkK
OIDCOAuthIntrospectionEndpoint https://cp-console-cp4aiops.apps.mycluster.mydomain.com/idprovider/v1/auth/introspect
OIDCOAuthIntrospectionEndpointAuth client_secret_basic

OIDCProviderIssuer https://127.0.0.1:443/idauth/oidc/endpoint/OP
OIDCProviderAuthorizationEndpoint https://cp-console-cp4aiops.apps.mycluster.mydomain.com/idprovider/v1/auth/authorize
OIDCProviderTokenEndpoint https://cp-console-cp4aiops.apps.mycluster.mydomain.com/idprovider/v1/auth/token
OIDCProviderJwksUri https://cp-console-cp4aiops.apps.mycluster.mydomain.com/idprovider/v1/auth/jwk
OIDCProviderEndSessionEndpoint https://cp-console-cp4aiops.apps.mycluster.mydomain.com/idprovider/v1/auth/logout

OIDCScope "openid email profile"
OIDCResponseMode "query"
OIDCProviderTokenEndpointAuth client_secret_post
OIDCPassUserInfoAs json
OIDCSSLValidateServer off
OIDCOAuthSSLValidateServer off
OIDCHTTPTimeoutShort 10
OIDCCacheEncrypt On

<Location /oidc_login>
  AuthType openid-connect
  Require valid-user
</Location>

<Location /ui/service/oidc_login>
  AuthType openid-connect
  Require valid-user
  Header set Set-Cookie "miq_oidc_access_token=%{OIDC_access_token}e; Max-Age=10; Path=/ui/service"
</Location>

<LocationMatch ^/api(?!\/(v[\d\.]+\/)?product_info$)>
  SetEnvIf X-Auth-Token '^.+$' let_api_token_in
  SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
  SetEnvIf X-CSRF-Token '^.+$' let_csrf_token_in

  AuthType oauth20
  AuthName "External Authentication (oidc) for API"
  Require valid-user
  Order Allow,Deny
  Allow from env=let_api_token_in
  Allow from env=let_sys_token_in
  Allow from env=let_csrf_token_in
  Satisfy Any
</LocationMatch>

RequestHeader unset X-REMOTE-USER
RequestHeader unset X-REMOTE_USER
RequestHeader unset X_REMOTE-USER
RequestHeader unset X_REMOTE_USER

RequestHeader set X_REMOTE_USER %{OIDC_CLAIM_PREFERRED_USERNAME}e env=OIDC_CLAIM_PREFERRED_USERNAME
RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
RequestHeader set X_REMOTE_USER_EMAIL %{OIDC_CLAIM_EMAIL}e env=OIDC_CLAIM_EMAIL
RequestHeader set X_REMOTE_USER_FIRSTNAME %{OIDC_CLAIM_GIVEN_NAME}e env=OIDC_CLAIM_GIVEN_NAME
RequestHeader set X_REMOTE_USER_LASTNAME %{OIDC_CLAIM_FAMILY_NAME}e env=OIDC_CLAIM_FAMILY_NAME
RequestHeader set X_REMOTE_USER_FULLNAME %{OIDC_CLAIM_NAME}e env=OIDC_CLAIM_NAME
RequestHeader set X_REMOTE_USER_GROUPS %{OIDC_CLAIM_GROUPS}e env=OIDC_CLAIM_GROUPS
RequestHeader set X_REMOTE_USER_DOMAIN %{OIDC_CLAIM_DOMAIN}e env=OIDC_CLAIM_DOMAIN
- Restart Apache on the appliance:
systemctl restart httpd
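Before restarting httpd, an added check script (not part of the appliance or of ManageIQ) that audits the rendered manageiq-external-auth-openidc.conf against registration.json for the problems a practitioner would want caught before the first login attempt: leftover placeholders, whitespace inside a URL, a short OIDCCryptoPassphrase, OIDCSSLValidateServer or OIDCOAuthSSLValidateServer left off, and an OIDCRedirectURI that is not one of the registered redirect_uris. The weak and hardened sample files it writes are constructed for the demonstration; the paths and credential values in them are illustrative.

```shell
#!/bin/sh
# Added check script, not part of the appliance or of ManageIQ: audit the
# rendered manageiq-external-auth-openidc.conf against registration.json
# before `systemctl restart httpd`. Paths and sample contents are constructed.

# Print the value of an Apache directive (first match; directive names are
# case-insensitive, so the page's "OIDCCLientID" spelling is found as well).
conf_value() {  # conf_value FILE DIRECTIVE
    awk -v d="$2" 'tolower($1) == tolower(d) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Return value = number of findings (0 means the file passed).
audit_openidc_conf() {  # audit_openidc_conf CONF REGISTRATION_JSON
    conf="$1"; reg="$2"; findings=0
    note() { echo "FINDING: $*" >&2; findings=$((findings + 1)); }

    grep -q '<[A-Z_]*>' "$conf" && note "unreplaced <PLACEHOLDER> in $conf"
    grep -q 'https://[^ ]* /' "$conf" && note "whitespace inside a URL (e.g. 'mydomain.com /idprovider')"

    for d in OIDCClientID OIDCClientSecret OIDCRedirectURI OIDCCryptoPassphrase; do
        [ -n "$(conf_value "$conf" "$d")" ] || note "$d is not set"
    done

    # OIDCCryptoPassphrase encrypts mod_auth_openidc's session cookie and
    # cache; a short word such as "alphabeta" is guessable.
    pass=$(conf_value "$conf" OIDCCryptoPassphrase)
    [ "${#pass}" -ge 32 ] || note "OIDCCryptoPassphrase is only ${#pass} characters; use a long random value"

    # "off" disables certificate checking on the token, JWKS and introspection
    # calls to IAM. With the cluster CA installed in Step 2 these can be On.
    for d in OIDCSSLValidateServer OIDCOAuthSSLValidateServer; do
        v=$(conf_value "$conf" "$d" | tr 'A-Z' 'a-z')
        [ "$v" = "off" ] && note "$d is off: IAM's TLS certificate is not verified"
    done

    # The callback must be one of the registered redirect_uris, byte for byte.
    redirect=$(conf_value "$conf" OIDCRedirectURI)
    grep -Fq "\"$redirect\"" "$reg" || note "OIDCRedirectURI $redirect is not in redirect_uris of $reg"

    return "$findings"
}

# --- demo on constructed files ------------------------------------------------
T=$(mktemp -d)
printf '%s\n' '{"redirect_uris":["https://cp.example.com/auth/liberty/callback","https://im.example.com/oidc_login/redirect_uri"]}' > "$T/registration.json"
cat > "$T/weak.conf" <<'EOF'
OIDCCLientID exampleclientid
OIDCClientSecret exampleclientsecret
OIDCRedirectURI https://im.example.com/oidc_login/redirect_uri
OIDCCryptoPassphrase alphabeta
OIDCProviderTokenEndpoint https://cp.example.com /idprovider/v1/auth/token
OIDCSSLValidateServer off
OIDCOAuthSSLValidateServer off
EOF
cat > "$T/hardened.conf" <<'EOF'
OIDCClientID exampleclientid
OIDCClientSecret exampleclientsecret
OIDCRedirectURI https://im.example.com/oidc_login/redirect_uri
OIDCCryptoPassphrase 7f3c9b2e1d8a4c6f0b5e9a1d3c7f2b8e4a6d0c9f1e3b5a7d
OIDCProviderTokenEndpoint https://cp.example.com/idprovider/v1/auth/token
OIDCSSLValidateServer On
OIDCOAuthSSLValidateServer On
EOF
audit_openidc_conf "$T/weak.conf" "$T/registration.json" || echo "weak.conf: $? finding(s); fix them before restarting httpd"
audit_openidc_conf "$T/hardened.conf" "$T/registration.json" && echo "hardened.conf: OK"
```

On a real appliance, call audit_openidc_conf with /etc/httpd/conf.d/manageiq-external-auth-openidc.conf and a copy of the registration.json used in Step 1; a non-zero return means at least one finding was printed. The weak sample reproduces the page's reference configuration (a dictionary-word passphrase, server validation off and a space that crept into a URL) and produces four findings, the hardened one none.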
Step 3. Configure the Administrative UI
Update the Appliance Administrative UI to be OIDC aware and function. Complete these steps on each UI-enabled Infrastructure Management appliance.
- Log in as admin.
- Select Settings > Application Settings, select "Server: EVM [1] (current)" under Zones, then select the Authentication tab.
- In the Authentication section, set the Mode to External (httpd).
- In the External Authentication (HTTPd) Settings section, set Provider Type to Enable OpenID-Connect.
Note: This setting enables the OIDC login button on the login screen, which redirects to the OIDC-protected page for authentication, and supports the OIDC logout process.
- Optional: In the External Authentication (HTTPd) Settings section, select Enable Single Sign-On.
Note: If you select this option, the initial access to the Appliance Administrative UI redirects to the OIDC Identity Provider authentication screen.
- In the Role Settings section, select the Get User Groups from External Authentication (HTTPd) setting.
- Click Save.
- Select Access Control, click Groups, and make sure that the user's groups are created on the appliance and that appropriate roles are assigned to those groups. The groups that you add in Infrastructure Management must have the same names as the groups defined in the LDAP server that is configured in the IBM Cloud Pak console.
- Under Access Control, click Groups.
- Click Configuration, then Add a new Group.
- Enter your existing LDAP group name in the Description field. For example, im_ldap_group.
- Select the Role for this LDAP group. For example, select EvmRole-super_administrator to map to this group. The Infrastructure Management administrator can map the roles that make sense for the user group.
- Select My Company for Project/Tenant.
- Click Add.
Note: Access control in Infrastructure Management is based on group membership, as roles are assigned to groups. When Infrastructure Management is integrated with IBM Cloud Pak for AIOps by using single sign-on (SSO), it reads the user's group membership from the identity token and checks whether that group exists in Infrastructure Management. If the group does not exist, access is denied. You must create at least one group with the role EvmRole-super_administrator and assign one user to this group. This user is the Admin user for Infrastructure Management and is referred to as IM_ADMIN_LDAP_USER. The IM_ADMIN_LDAP_USER must be a member of the LDAP group that has the role EvmRole-super_administrator in Infrastructure Management. Because every member of that LDAP group receives full administrative rights on the appliance, keep its membership to the people who need them.
Important: You must create the groups in Infrastructure Management that match your existing LDAP groups by name, and assign account roles to the groups. At least one group to which the user belongs in the LDAP server that IBM Cloud Pak for AIOps is configured to use must also be created in Infrastructure Management, and you must assign a proper role to this group.
Example: In LDAP, a group that is named imgroup100 exists and a user with the username imuser100 is a member of the group. The user imuser100 and the group imgroup100 must be created in Infrastructure Management.
Step 4. Integrating Infrastructure Management with IBM Cloud Pak for AIOps
Enable navigation to Infrastructure Management within the IBM Cloud Pak console.
Complete the following steps on a Linux system. You can use the boot node from the HUB cluster where IBM Cloud Pak for AIOps is installed. These steps enable navigation to Infrastructure Management from the IBM Cloud Pak console:
- Clone the IBM Cloud Pak for AIOps samples GitHub repository to obtain the menu customization script. You must run the script on a Linux operating system. Download the supporting subdirectories so that the script runs successfully. The files and subdirectories that are required to run the script are:
im-appliance-link-install.sh
nav/automate.yml
nav_template/automate.sh
- Install and authenticate kubectl. For more information, see Installing the Kubernetes CLI (kubectl).
- Navigate to the cp4waiops-samples/infrastructure-automation/infrastructure-management/appliance directory. Set the file permissions on the script and run im-appliance-link-install.sh to enable navigation to your Infrastructure Management instance:
chmod 755 ./im-appliance-link-install.sh
./im-appliance-link-install.sh -i <Infrastructure management URL>
-i
A required parameter that refers to the URL of the Infrastructure Management console. For example:
./im-appliance-link-install.sh -i https://vm17-im-mycluster.mydomain.com/
- Verify that the Infrastructure Management instance is in the IBM Cloud Pak console navigation menu. From the IBM Cloud Pak navigation menu, click Automate infrastructure > Infrastructure management.
Infrastructure Management is integrated with the IBM Cloud Pak console.