Monitoring Crypto Express Network API for Secure Execution Enclaves

The Prometheus Node Exporter is installed along with Crypto Express Network API for Secure Execution Enclaves. The Node Exporter exposes a wide variety of hardware- and kernel-related metrics, which Prometheus can scrape for monitoring.

Configuring the monitoring service

Preparing the parameters for authentication

Node Exporter does not perform authentication by default. To add a user, you must define a password and supply its bcrypt hash. The following is an example of how you can generate a random password and hash it:

# Generate a random clear-text password and its bcrypt hash (cost 10) for Node Exporter basic auth
password=$(openssl rand -base64 32)
# htpasswd -n prints "user:hash"; the user name is empty here, so strip the ':' and the newline
passwordHashed=$(echo "${password}" | htpasswd -inBC 10 "" | tr -d ':\n')
echo "Clear password to keep for Prometheus Server: ${password}"

Note: If you don't have the htpasswd binary, you can install it on Debian or Ubuntu by running the command apt-get install --no-install-recommends apache2-utils.

Save the "clear password" because you will need it later for verifying the metrics and configuring Prometheus.

Preparing the certificates for TLS encryption

Node Exporter doesn't encrypt communications by default; to avoid sending the metrics and the basic-auth credentials in clear text, configure TLS encryption.

You can run the metrics endpoint served with TLS. You must generate the following certificate and key by using OpenSSL, or an analogous tool:

Filename            Description
tlsCertificate.crt  an SSL certificate
tlsCertificate.key  an SSL key

The following snippet is an example of how you can create the certificates:

# Create a self-signed TLS certificate (RSA 2048, valid 10 years) whose CN and SAN are this host's name
cd /tmp
sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
  -keyout tlsCertificate.key \
  -out tlsCertificate.crt \
  -subj "/CN=$(hostname)" \
  -addext "subjectAltName = DNS:$(hostname)"

Setting secure settings for CA monitoring

You can use the /api/com.ibm.crypto/camonitor:POST API to set up secure settings for CA monitoring.

Step 2. Submit the request

curl -k -X POST -d@camon.json \
  https://${dst_server_ip}/api/com.ibm.crypto/camonitor/ \
  -H 'zACI-API: com.ibm.zaci.system/1.0' \
  -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' \
  -H 'Accept: application/vnd.ibm.zaci.payload+json' \
  -H "Authorization: Bearer ${auth_token}"

Note: All password- or certificate-related parameters must be Base64-encoded. You can use the following commands to encode them:

For password related parameters

echo -n ${passwordHashed} | base64

For certificate related parameters

base64 <certificate> -w 0

Verifying the metrics

You can verify that metrics are being exported by using the following command:

curl -k -u ${username}:${password} https://<server-ip>:9100/metrics

The following is an example of the output:

# HELP go_gc_duration_seconds A summary of the GC invocation durations.
# TYPE go_gc_duration_seconds summary
go_gc_duration_seconds{quantile="0"} 3.8996e-05
go_gc_duration_seconds{quantile="0.25"} 4.5926e-05
go_gc_duration_seconds{quantile="0.5"} 5.846e-05
...

Checking different types of metrics

1. General collectors enabled by default

The Node Exporter exposes metrics that Prometheus can scrape, including a wide variety of system metrics further down in the output (prefixed with node_). For more information, see Enabled by default.

To view those metrics (along with help and type information), run the following command:

curl -k -u ${username}:${password} https://<server-ip>:9100/metrics | grep "node_"

The following snippet is an example of the output:

# HELP node_cpu_guest_seconds_total Seconds the CPUs spent in guests (VMs) for each mode.
# TYPE node_cpu_guest_seconds_total counter
node_cpu_guest_seconds_total{cpu="0",mode="nice"} 0
node_cpu_guest_seconds_total{cpu="0",mode="user"} 0
node_cpu_guest_seconds_total{cpu="1",mode="nice"} 0
node_cpu_guest_seconds_total{cpu="1",mode="user"} 0
...
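As an added example that is not part of the product documentation, the following Python parser reads the text exposition format shown in the output above and reports which expected node_ collector families are missing from a scrape. The sample text and the check_collectors helper are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the Prometheus text exposition format, modelled on the
# /metrics output shown above (values are illustrative, not captured ones).
SAMPLE = """\
# HELP go_gc_duration_seconds A summary of the GC invocation durations.
# TYPE go_gc_duration_seconds summary
go_gc_duration_seconds{quantile="0"} 3.8996e-05
go_gc_duration_seconds{quantile="0.5"} 5.846e-05
# HELP node_cpu_guest_seconds_total Seconds the CPUs spent in guests (VMs) for each mode.
# TYPE node_cpu_guest_seconds_total counter
node_cpu_guest_seconds_total{cpu="0",mode="nice"} 0
node_cpu_guest_seconds_total{cpu="0",mode="user"} 0
node_cpu_guest_seconds_total{cpu="1",mode="user",note="a\\"b"} 12.5
# TYPE node_boot_time_seconds gauge
node_boot_time_seconds 1.7e+09
"""

class Sample(NamedTuple):
    name: str
    labels: Dict[str, str]
    value: float

_LINE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(.*)\})?\s+(\S+)')
_LABEL = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')

def parse_exposition(text: str):
    """Return (samples, types): parsed sample lines and the TYPE of each metric family."""
    samples: List[Sample] = []
    types: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        if line.startswith("# TYPE "):
            _, _, family, mtype = line.split(" ", 3)
            types[family] = mtype
            continue
        if line.startswith("#"):          # HELP lines and other comments
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed sample line: {raw!r}")
        name, label_blob, value = m.groups()
        # Label values may contain escaped quotes and backslashes; unescape them.
        labels = {k: v.encode().decode("unicode_escape") for k, v in _LABEL.findall(label_blob or "")}
        samples.append(Sample(name, labels, float(value)))
    return samples, types

def check_collectors(text: str, required=("node_cpu", "node_boot_time")):
    """Return the required node_ metric prefixes that are absent from a scrape (hypothetical helper)."""
    names = {s.name for s in parse_exposition(text)[0]}
    return [p for p in required if not any(n.startswith(p) for n in names)]
```

Feed it the body of the curl response to confirm that the collectors you rely on are actually exported before wiring the target into Prometheus.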

Configuring the Prometheus Server

After checking out the different metric types, you can configure your Prometheus server to scrape data from the Node Exporter. For more information, see Configuring your Prometheus instances.

The following is an example of configuring Prometheus to fetch data from the monitoring endpoint.

scrape_configs:
  - job_name: 'example'
    scrape_interval: 5s
    static_configs:
      - targets: ['${prom-ip}:9100']
    scheme: https
    basic_auth:
      username: "${username}"
      password: "${password}"
    tls_config:
      # insecure_skip_verify disables certificate checking; for the self-signed
      # certificate created above, pointing ca_file at tlsCertificate.crt instead
      # lets Prometheus verify the endpoint it sends the credentials to.
      insecure_skip_verify: true

Exploring metrics

After integrating with the Prometheus instance, you can explore metrics via the Prometheus expression browser by following the guidance at Exploring Node Exporter metrics through the Prometheus expression browser.