Creating a TLS-enabled IBM Netcool Operations Insight ObjectServer integration to a Red Hat OpenShift ObjectServer

If you are connecting IBM Cloud Pak for AIOps to IBM Tivoli Netcool/OMNIbus and you have TLS enabled for your Red Hat OpenShift ObjectServer, you need to extract the TLS certificate to add to IBM Cloud Pak for AIOps.

A TLS-enabled connection between IBM Cloud Pak for AIOps and IBM Tivoli Netcool/OMNIbus provides end-to-end security to data that is transmitted through it. To create a TLS-enabled connection to a Red Hat OpenShift ObjectServer, complete the following steps:

  1. Get the host and port for the primary and backup ObjectServers from the TLS Proxy service:

    NOI_INSTANCE=<NOI_instance_name>
    NOI_NAMESPACE=<NOI_namespace>
    NOI_PROXY_SVC=${NOI_INSTANCE}-proxy
    NOI_PROXY_PRIMARY_SVC=${NOI_PROXY_SVC}.${NOI_NAMESPACE}.svc
    NOI_PROXY_PRIMARY_PORT=$(oc describe svc -n $NOI_NAMESPACE $NOI_PROXY_SVC | grep aggp-proxy-port | awk -F' ' '{ print $3 }' | awk -F'/' '{ print $1 }')
    NOI_PROXY_BACKUP_SVC=${NOI_PROXY_SVC}.${NOI_NAMESPACE}.svc
    NOI_PROXY_BACKUP_PORT=$(oc describe svc -n $NOI_NAMESPACE $NOI_PROXY_SVC | grep aggb-proxy-port | awk -F' ' '{ print $3 }' | awk -F'/' '{ print $1 }')
    

    Where <NOI_instance_name> is the Netcool instance name that is installed in the cluster and <NOI_namespace> is the namespace where Netcool is installed. For example, NOI_NAMESPACE=noi.

  2. Create a NetworkPolicy in the Netcool namespace to allow the probe to access the TLS Proxy service and port in the IBM Netcool Operations Insight namespace. To create the NetworkPolicy, complete the following steps:

    1. Set the environment variables.

      NOI_INSTANCE=<NOI_instance_name>
      NOI_NAMESPACE=<NOI_namespace>
      NOI_OBJSERV_AGG_PRIMARY_SVC=$NOI_INSTANCE-objserv-agg-primary
      NOI_OBJSERV_AGG_BACKUP_SVC=$NOI_INSTANCE-objserv-agg-backup
      NOI_OBJSERV_AGG_PRIMARY_PORT=$(kubectl get svc -n $NOI_NAMESPACE $NOI_OBJSERV_AGG_PRIMARY_SVC -o jsonpath='{.spec.ports[?(@.name=="primary-tds-port")].port}')
      NOI_OBJSERV_AGG_IDUC_PORT=$(kubectl get svc -n $NOI_NAMESPACE $NOI_OBJSERV_AGG_PRIMARY_SVC -o jsonpath='{.spec.ports[?(@.name=="primary-iduc-port")].port}')
      

      Where <NOI_instance_name> is the Netcool instance name that is installed in the cluster and <NOI_namespace> is the namespace where Netcool is installed.

    2. Run the following commands:

      cat << EOF | tee >(oc apply -f -) | cat
      kind: NetworkPolicy
      apiVersion: networking.k8s.io/v1
      metadata:
         name: noi-allow-objectserver
         namespace: ${NOI_NAMESPACE}
      spec:
         podSelector:
            matchLabels:
               app.kubernetes.io/instance: ${NOI_INSTANCE}
               appClass: objserv
         ingress:
            - ports:
               - protocol: TCP
                 port: ${NOI_OBJSERV_AGG_PRIMARY_PORT}
               - protocol: TCP
                 port: ${NOI_OBJSERV_AGG_IDUC_PORT}
         policyTypes:
            - Ingress
      EOF
      

      Note: Check whether an existing NetworkPolicy already allows the probe to access the TLS Proxy service and port in the Netcool namespace. The NetworkPolicy must show both the primary and IDUC ports.

  3. Create an ExternalName service for the primary and IDUC ports. It maps a service that is scoped to the IBM Cloud Pak for AIOps namespace to the Netcool service in the Netcool namespace. To create the ExternalName service, complete the following steps:

    1. Set the environment variables.

      AIMANAGER_NAMESPACE=<AIManager_namespace>
      oc project $AIMANAGER_NAMESPACE
      

      Where <AIManager_namespace> is the namespace where IBM Cloud Pak for AIOps is installed.

    2. Run the following commands in the same shell session as step 2, so that NOI_INSTANCE and NOI_NAMESPACE are still set.

      cat << EOF | tee >(oc apply -f -) | cat
      kind: Service
      apiVersion: v1
      metadata:
        name: ${NOI_INSTANCE}-objserv-agg-primary
        namespace: ${AIMANAGER_NAMESPACE}
      spec:
        type: ExternalName
        externalName: ${NOI_INSTANCE}-objserv-agg-primary.${NOI_NAMESPACE}.svc.cluster.local
        ports:
        - port: 4101
          name: primary-iduc-port
      ---
      kind: Service
      apiVersion: v1
      metadata:
        name: ${NOI_INSTANCE}-objserv-agg-backup
        namespace: ${AIMANAGER_NAMESPACE}
      spec:
        type: ExternalName
        externalName: ${NOI_INSTANCE}-objserv-agg-backup.${NOI_NAMESPACE}.svc.cluster.local
        ports:
        - port: 4101
          name: backup-iduc-port
      EOF
      
  4. Obtain a TLS certificate. To obtain the TLS certificate for the ObjectServer, run the following command:

    oc extract secret/$NOI_INSTANCE-proxy-tls-secret -n $NOI_NAMESPACE --to=. --keys=tls.crt
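The following check, added here and not part of the IBM documentation, covers the Note in step 2: run over the JSON from oc get networkpolicy -n $NOI_NAMESPACE -o json, it reports which of the two required ports no NetworkPolicy admits for the ObjectServer pods. The instance name noi, the primary TDS port 4100 and the sample policy are constructed values.

```python
"""Check for the Note in step 2: do the NetworkPolicies in the Netcool namespace admit
ingress to the aggregation ObjectServer pods on both the primary TDS port and the IDUC
port? Input is the JSON from `oc get networkpolicy -n $NOI_NAMESPACE -o json`."""
import json

# Labels from the podSelector in step 2; the instance name "noi" is a constructed value.
OBJSERV_LABELS = {"app.kubernetes.io/instance": "noi", "appClass": "objserv"}

def selects(selector, labels):
    """matchLabels semantics: every selector label must match; an empty selector matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def governs_ingress(policy, labels):
    """A policy restricts ingress to a pod only if it selects the pod and its policyTypes
    include Ingress (implied when policyTypes is omitted)."""
    spec = policy["spec"]
    return selects(spec.get("podSelector", {}), labels) and "Ingress" in spec.get("policyTypes", ["Ingress"])

def admitted_ports(policy):
    """TCP ports the policy admits from any peer. A rule with `from` is skipped: it admits
    only the selected peers, and the probe runs in another namespace. A rule with no
    `ports` admits every port, reported as {"*"}."""
    ports = set()
    for rule in policy["spec"].get("ingress", []):
        if rule.get("from"):
            continue
        if "ports" not in rule:
            return {"*"}
        ports.update(p["port"] for p in rule["ports"] if p.get("protocol", "TCP") == "TCP")
    return ports

def missing_ports(policy_list_json, labels, required):
    """Required ports that no policy admits; an empty set means the probe can connect."""
    policies = [p for p in json.loads(policy_list_json)["items"] if governs_ingress(p, labels)]
    if not policies:  # no policy selects the pods for ingress: Kubernetes allows all traffic
        return set()
    admitted = set().union(*(admitted_ports(p) for p in policies))
    return set() if "*" in admitted else set(required) - admitted

# Constructed sample: the policy opens the primary TDS port (4100) but not the IDUC port.
SAMPLE = json.dumps({"items": [{
    "metadata": {"name": "noi-allow-objectserver", "namespace": "noi"},
    "spec": {"podSelector": {"matchLabels": OBJSERV_LABELS},
             "ingress": [{"ports": [{"protocol": "TCP", "port": 4100}]}],
             "policyTypes": ["Ingress"]}}]})

if __name__ == "__main__":
    print("missing ports:", missing_ports(SAMPLE, OBJSERV_LABELS, [4100, 4101]))  # → missing ports: {4101}
```

Pass the real values of NOI_OBJSERV_AGG_PRIMARY_PORT and NOI_OBJSERV_AGG_IDUC_PORT from step 2 as the required ports; any port the check reports as missing must be added to the NetworkPolicy before the probe can connect.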