Adjusting Guardium central manager and OpenShift Container Platform settings for data mart streaming

This topic describes settings that you can configure to avoid problems or delays when streaming to Guardium® Insights.

Adjust OpenShift® load balancer settings

If your OpenShift Container Platform employs a load balancer, you will need to adjust its settings to properly route traffic to Guardium Insights. For example, if you use a High Availability Proxy (HAProxy) load balancer, you will need to define a frontend and backend to enable data mart streaming by adding settings similar to these:

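frontend sshd
 bind *:<port_number>
 # Pass the SSH stream through as raw TCP; set explicitly so that "mode http" in a defaults section does not apply here
 mode tcp
 default_backend ssh
 timeout client 1h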

backend ssh
 mode tcp
 server worker0 10.16.38.62:<port_number>
 server worker1 10.16.46.74:<port_number>
 server worker2 10.16.50.102:<port_number>
 server worker3 10.16.50.179:<port_number>
 server worker4 10.16.51.116:<port_number>
 server worker5 10.16.51.117:<port_number>
 server worker6 10.16.51.146:<port_number>
 server worker7 10.16.53.241:<port_number>
 server worker8 10.16.53.249:<port_number>

Where <port_number> is the port that the frontend listens on. This port number is dynamically allocated for communication between Guardium Data Protection and Guardium Insights, and it is described in Port requirements (that topic includes instructions for determining the port).

For example, the following complete HAProxy configuration includes the sshd frontend and ssh backend, with 31511 in place of <port_number>:

#---------------------------------------------------------------------
global
 log 127.0.0.1 local2
 chroot /var/lib/haproxy
 pidfile /var/run/haproxy.pid
 maxconn 4000
 user haproxy
 group haproxy
 daemon
 stats socket /var/lib/haproxy/stats

defaults
 mode http
 log global
 option httplog
 option dontlognull
 option http-server-close
 option forwardfor except 127.0.0.0/8
 option redispatch
 retries 3
 timeout http-request 10s
 timeout queue 1m
 timeout connect 10s
 timeout client 1m
 timeout server 1m
 timeout http-keep-alive 10s
 timeout check 10s
 maxconn 3000

#---------------------------------------------------------------------

listen stats
 bind :9000
 mode http
 stats enable
 stats uri /
 monitor-uri /healthz


frontend openshift-api-server
 bind *:6443
 default_backend openshift-api-server
 mode tcp
 option tcplog

backend openshift-api-server
 balance source
 mode tcp
 server master0 10.16.36.231:6443 check
 server master1 10.16.37.205:6443 check
 server master2 10.16.37.206:6443 check


frontend machine-config-server
 bind *:22623
 default_backend machine-config-server
 mode tcp
 option tcplog

backend machine-config-server
 balance source
 mode tcp
 server master0 10.16.36.231:22623 check
 server master1 10.16.37.205:22623 check
 server master2 10.16.37.206:22623 check


frontend ingress-http
 bind *:80
 default_backend ingress-http
 mode tcp
 option tcplog

backend ingress-http
 balance source
 mode tcp
 server worker0 10.16.38.62:80 check
 server worker1 10.16.46.74:80 check
 server worker2 10.16.50.102:80 check
 server worker3 10.16.50.179:80 check
 server worker4 10.16.51.116:80 check
 server worker5 10.16.51.117:80 check
 server worker6 10.16.51.146:80 check
 server worker7 10.16.53.241:80 check
 server worker8 10.16.53.249:80 check


frontend ingress-https
 bind *:443
 default_backend ingress-https
 mode tcp
 option tcplog

backend ingress-https
 balance source
 mode tcp
 server worker0 10.16.38.62:443 check
 server worker1 10.16.46.74:443 check
 server worker2 10.16.50.102:443 check
 server worker3 10.16.50.179:443 check
 server worker4 10.16.51.116:443 check
 server worker5 10.16.51.117:443 check
 server worker6 10.16.51.146:443 check
 server worker7 10.16.53.241:443 check
 server worker8 10.16.53.249:443 check

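frontend sshd
 bind *:31511
 # Pass the SSH stream through as raw TCP; without this line the frontend inherits "mode http" from the defaults section
 mode tcp
 default_backend ssh
 timeout client 1h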

backend ssh
 mode tcp
 server worker0 10.16.38.62:31511
 server worker1 10.16.46.74:31511
 server worker2 10.16.50.102:31511
 server worker3 10.16.50.179:31511
 server worker4 10.16.51.116:31511
 server worker5 10.16.51.117:31511
 server worker6 10.16.51.146:31511
 server worker7 10.16.53.241:31511
 server worker8 10.16.53.249:31511

#---------------------------------------------------------------------
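
The following check is an added example, not part of the original topic or of IBM's or HAProxy's tooling. It parses a configuration and reports two things that matter for the sshd frontend above: a frontend whose effective mode (its own, or inherited from defaults) differs from that of its default_backend, and a timeout client that differs from the backend's effective timeout server, which HAProxy's documentation recommends keeping equal in TCP mode. SAMPLE_CFG is constructed, and parse, get and lint are names chosen here.

```python
# Constructed sample: an sshd frontend that sets no mode under "defaults / mode http".
SAMPLE_CFG = """\
defaults
    mode http
    timeout client 1m
    timeout server 1m
frontend sshd
    bind *:31511
    default_backend ssh
    timeout client 1h
backend ssh
    mode tcp
    server worker0 10.16.38.62:31511
"""

def parse(cfg):
    """Return (defaults directives, {(kind, name): directives}); defaults sections are merged."""
    defaults, proxies, current = [], {}, None
    for raw in cfg.splitlines():
        tok = raw.split("#", 1)[0].split()
        if tok and tok[0] in ("global", "defaults"):
            current = defaults if tok[0] == "defaults" else []
        elif len(tok) > 1 and tok[0] in ("frontend", "backend", "listen"):
            current = proxies.setdefault((tok[0], tok[1]), [])
        elif tok and current is not None:
            current.append(tok)
    return defaults, proxies

def get(section, defaults, *key):
    """Last value of a directive in the section, falling back to defaults."""
    for src in (section, defaults):
        hits = [t[len(key)] for t in src if tuple(t[:len(key)]) == key and len(t) > len(key)]
        if hits:
            return hits[-1]
    return None

def lint(cfg):
    """Findings per frontend/default_backend pair; an unset mode means tcp, HAProxy's default."""
    defaults, proxies = parse(cfg)
    findings = []
    for (kind, name), fe in proxies.items():
        be = proxies.get(("backend", get(fe, [], "default_backend")))
        if kind != "frontend" or be is None:
            continue
        fe_mode, be_mode = (get(s, defaults, "mode") or "tcp" for s in (fe, be))
        if fe_mode != be_mode:
            findings.append(f"{name}: frontend mode {fe_mode}, backend mode {be_mode}")
        if get(fe, defaults, "timeout", "client") != get(be, defaults, "timeout", "server"):
            findings.append(f"{name}: timeout client and timeout server differ")
    return findings
```

HAProxy's own `haproxy -c -f <file>` check remains authoritative for validity; the lint covers only these two settings.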

Managing the Guardium central manager user synchronization setting to avoid delays

After configuring data mart from Guardium Insights, it will take 1 to 2 hours for data-related information to start showing up in Guardium Insights.