Creating a TLS-enabled IBM Netcool Operations Insight ObjectServer integration to a Red Hat OpenShift ObjectServer
If you are connecting IBM Cloud Pak for AIOps to IBM Tivoli Netcool/OMNIbus and you have TLS enabled for your Red Hat OpenShift ObjectServer, you need to extract the TLS certificate to add to IBM Cloud Pak for AIOps.
A TLS-enabled connection between IBM Cloud Pak for AIOps and IBM Tivoli Netcool/OMNIbus encrypts the data that is transmitted over it end to end. To create a TLS-enabled connection to a Red Hat OpenShift ObjectServer, complete the following steps:
-
Get the host and port for the primary and backup ObjectServers from the TLS Proxy service:
  NOI_INSTANCE=<NOI_instance_name>
  NOI_NAMESPACE=<NOI_namespace>
  NOI_PROXY_SVC=${NOI_INSTANCE}-proxy
  NOI_PROXY_PRIMARY_SVC=${NOI_PROXY_SVC}.${NOI_NAMESPACE}.svc
  NOI_PROXY_PRIMARY_PORT=$(oc describe svc -n $NOI_NAMESPACE $NOI_PROXY_SVC | grep aggp-proxy-port | awk -F' ' '{ print $3 }' | awk -F'/' '{ print $1 }')
  NOI_PROXY_BACKUP_SVC=${NOI_PROXY_SVC}.${NOI_NAMESPACE}.svc
  NOI_PROXY_BACKUP_PORT=$(oc describe svc -n $NOI_NAMESPACE $NOI_PROXY_SVC | grep aggb-proxy-port | awk -F' ' '{ print $3 }' | awk -F'/' '{ print $1 }')
Where <NOI_instance_name> is the Netcool instance name that is installed in the cluster and <NOI_namespace> is the namespace where Netcool is installed. For example, NOI_NAMESPACE=noi. Both host variables resolve to the same TLS Proxy service; the primary and backup ObjectServers are distinguished by port.
-
Create a NetworkPolicy in the Netcool namespace to allow the probe to access the TLS Proxy service and port in the IBM Netcool Operations Insight namespace. To create the NetworkPolicy, complete the following steps:
-
Set the environment variables.
  NOI_INSTANCE=<NOI_instance_name>
  NOI_NAMESPACE=<NOI_namespace>
  NOI_OBJSERV_AGG_PRIMARY_SVC=$NOI_INSTANCE-objserv-agg-primary
  NOI_OBJSERV_AGG_BACKUP_SVC=$NOI_INSTANCE-objserv-agg-backup
  NOI_OBJSERV_AGG_PRIMARY_PORT=$(kubectl get svc -n $NOI_NAMESPACE $NOI_OBJSERV_AGG_PRIMARY_SVC -o jsonpath='{.spec.ports[?(@.name=="primary-tds-port")].port}')
  NOI_OBJSERV_AGG_IDUC_PORT=$(kubectl get svc -n $NOI_NAMESPACE $NOI_OBJSERV_AGG_PRIMARY_SVC -o jsonpath='{.spec.ports[?(@.name=="primary-iduc-port")].port}')
Where <NOI_instance_name> is the Netcool instance name that is installed in the cluster and <NOI_namespace> is the namespace where Netcool is installed.
-
Run the following commands:
  cat << EOF | tee >(oc apply -f -) | cat
  kind: NetworkPolicy
  apiVersion: networking.k8s.io/v1
  metadata:
    name: noi-allow-objectserver
    namespace: ${NOI_NAMESPACE}
  spec:
    podSelector:
      matchLabels:
        app.kubernetes.io/instance: ${NOI_INSTANCE}
        appClass: objserv
    ingress:
    - ports:
      - protocol: TCP
        port: ${NOI_OBJSERV_AGG_PRIMARY_PORT}
      - protocol: TCP
        port: ${NOI_OBJSERV_AGG_IDUC_PORT}
    policyTypes:
    - Ingress
  EOF
Note: If a NetworkPolicy that selects the ObjectServer pods already exists, check that it allows the probe to reach the TLS Proxy service and port in the Netcool namespace: it must list both the primary and IDUC ports. The ingress rule above has no from selector, so it admits traffic to those two ports from any source that can reach the pods; add a namespaceSelector for the IBM Cloud Pak for AIOps namespace if your cluster policy requires tighter scoping.
-
-
Create an ExternalName service for each of the primary and backup aggregation ObjectServers, exposing the IDUC port. Each ExternalName service gives the IBM Cloud Pak for AIOps namespace a local service name that resolves to the ObjectServer service in the Netcool namespace. To create the ExternalName services, complete the following steps:
-
Set the environment variables.
  AIMANAGER_NAMESPACE=<AIManager_namespace>
  oc project $AIMANAGER_NAMESPACE
Where <AIManager_namespace> is the namespace where IBM Cloud Pak for AIOps is installed.
-
Run the following commands. A Service is a core v1 object, so the manifest carries apiVersion: v1 only.
  cat << EOF | tee >(oc apply -f -) | cat
  kind: Service
  apiVersion: v1
  metadata:
    name: ${NOI_INSTANCE}-objserv-agg-primary
    namespace: ${AIMANAGER_NAMESPACE}
  spec:
    type: ExternalName
    externalName: ${NOI_INSTANCE}-objserv-agg-primary.${NOI_NAMESPACE}.svc.cluster.local
    ports:
    - port: 4101
      name: primary-iduc-port
  ---
  kind: Service
  apiVersion: v1
  metadata:
    name: ${NOI_INSTANCE}-objserv-agg-backup
    namespace: ${AIMANAGER_NAMESPACE}
  spec:
    type: ExternalName
    externalName: ${NOI_INSTANCE}-objserv-agg-backup.${NOI_NAMESPACE}.svc.cluster.local
    ports:
    - port: 4101
      name: backup-iduc-port
  EOF
-
-
Obtain the TLS certificate. To extract the certificate that the TLS Proxy presents, run the following command. It writes the certificate to a file named tls.crt in the current directory, which you then add to IBM Cloud Pak for AIOps:
  oc extract secret/$NOI_INSTANCE-proxy-tls-secret -n $NOI_NAMESPACE --to=. --keys=tls.crt
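The following script is an added example and is not code from the IBM page or from the Netcool or Cloud Pak for AIOps projects. It turns the four steps above into shell functions that render the manifests so they can be reviewed (or fed to oc diff -f -) before they are applied, tightens the NetworkPolicy with a from clause, and checks the extracted tls.crt against the proxy host name before it is loaded into IBM Cloud Pak for AIOps. Everything named here is an assumption of the example: the function names, the default namespace names noi and cp4aiops, that the cluster labels namespaces with kubernetes.io/metadata.name (Kubernetes 1.22 and later do this automatically), that oc and openssl are on the PATH, and that the proxy certificate's subject alternative name covers <instance>-proxy.<namespace>.svc.

```shell
#!/bin/sh
# Added example (not from the IBM page). Renders the step-2 and step-3
# manifests as functions and checks the step-4 certificate. All names and
# defaults here are assumptions of the example.
set -eu

# Pull a port number out of `oc describe svc` output the way step 1 does with
# grep/awk, but anchored on the "Port:" row so a NodePort or TargetPort row
# with the same name cannot match. Port name in $1, describe output on stdin.
port_from_describe() {
  awk -v name="$1" '
    $1 == "Port:" && $2 == name { split($3, p, "/"); print p[1]; found = 1 }
    END { exit found ? 0 : 1 }'
}

# Step-2 NetworkPolicy with a `from` clause: pods in the Netcool namespace
# itself plus pods in the IBM Cloud Pak for AIOps namespace (the page's rule
# has no `from`, so it admits those two ports from every namespace).
# $1 instance, $2 Netcool namespace, $3 primary port, $4 IDUC port, $5 AIOps namespace
render_network_policy() {
  cat <<EOF
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: noi-allow-objectserver
  namespace: $2
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: $1
      appClass: objserv
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: $5
    ports:
    - protocol: TCP
      port: $3
    - protocol: TCP
      port: $4
EOF
}

# Step-3 ExternalName services (core v1 Service), one per aggregation
# ObjectServer, using the IDUC port discovered in step 2 instead of 4101.
# $1 instance, $2 Netcool namespace, $3 AIOps namespace, $4 IDUC port
render_externalname_services() {
  for role in primary backup; do
    cat <<EOF
---
kind: Service
apiVersion: v1
metadata:
  name: $1-objserv-agg-$role
  namespace: $3
spec:
  type: ExternalName
  externalName: $1-objserv-agg-$role.$2.svc.cluster.local
  ports:
  - port: $4
    name: $role-iduc-port
EOF
  done
}

# Check the tls.crt from step 4: still valid, and it matches the proxy host
# the integration will be configured with (otherwise TLS verification on the
# AIOps side fails). $1 cert file, $2 expected host. Assumes openssl 1.1+.
check_cert() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# Drive the procedure against a live cluster; runs only when NOI_INSTANCE is
# exported, so the functions above can be sourced and tested without `oc`.
main() {
  NOI_NAMESPACE=${NOI_NAMESPACE:-noi}            # assumed default
  AIMANAGER_NAMESPACE=${AIMANAGER_NAMESPACE:-cp4aiops}   # assumed default
  primary_svc=$NOI_INSTANCE-objserv-agg-primary
  primary_port=$(oc get svc -n "$NOI_NAMESPACE" "$primary_svc" \
    -o jsonpath='{.spec.ports[?(@.name=="primary-tds-port")].port}')
  iduc_port=$(oc get svc -n "$NOI_NAMESPACE" "$primary_svc" \
    -o jsonpath='{.spec.ports[?(@.name=="primary-iduc-port")].port}')
  proxy_port=$(oc describe svc -n "$NOI_NAMESPACE" "$NOI_INSTANCE-proxy" \
    | port_from_describe aggp-proxy-port)
  render_network_policy "$NOI_INSTANCE" "$NOI_NAMESPACE" "$primary_port" \
    "$iduc_port" "$AIMANAGER_NAMESPACE" | oc apply -f -
  render_externalname_services "$NOI_INSTANCE" "$NOI_NAMESPACE" \
    "$AIMANAGER_NAMESPACE" "$iduc_port" | oc apply -f -
  oc extract "secret/$NOI_INSTANCE-proxy-tls-secret" -n "$NOI_NAMESPACE" \
    --to=. --keys=tls.crt --confirm
  check_cert tls.crt "$NOI_INSTANCE-proxy.$NOI_NAMESPACE.svc"
  echo "primary proxy port $proxy_port; tls.crt is valid for the proxy host"
}
if [ -n "${NOI_INSTANCE:-}" ]; then main; fi
```

Run it as NOI_INSTANCE=<NOI_instance_name> sh create-tls-integration.sh after oc login, or source it and call render_network_policy and render_externalname_services on their own to review the YAML first. The from clause keeps the Netcool namespace's own components able to reach the ObjectServer while limiting cross-namespace access to the AIOps namespace; if the check_cert step fails, the certificate in the secret is either expired or issued for a different name than the proxy host you are about to configure, and that is worth resolving before the integration is created rather than by disabling verification.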