Using the IBM License Metric Tool to report license usage
You can use IBM License Metric Tool to report license usage for the Crypto Express Network API for Secure Execution Enclaves. For more information about License Metric Tool, see License Metric Tool documentation or watch the License Metric Tool video. The IBM License Metric Tool disconnected scanner is built and installed into the Crypto Express Network API for Secure Execution Enclaves version 1.1.1, which is also configured to scan the system daily.
Note: IBM License Metric Tool is not supported in Crypto Express Network API for Secure Execution Enclaves version 1.1.0. If you already installed version 1.1.0, you need to reinstall with version 1.1.1. For more information, see Installing Crypto Express Network API for Secure Execution Enclaves.
Complete the following steps for IBM License Metric Tool versions earlier than 9.2.30:
1. Use the /api/com.ibm.crypto/ilmt:GET REST API to request and download IBM License Metric Tool scan reports as ilmt_scanlog.tar.gz.
   curl -k -X GET https://<crypto_appliance_host>/api/com.ibm.crypto/ilmt -H "Accept: application/octet-stream" -H "zACI-API: com.ibm.zaci.system/1.0" -H "Authorization: Bearer <token>" --output ilmt_scanlog.tar.gz
Expected logs with the operation to download scan reports:
Oct 20 21:04:24 9.20.6.65 0 2022-10-21T01:04:24.539124+00:00 hurssci cryptoapi-ilmt-log - - Analysis admin from token...
Oct 20 21:04:24 9.20.6.65 0 2022-10-21T01:04:24.539496+00:00 hurssci cryptoapi-ilmt-log - - Receive a request from user - 'root' to download ILMT scan results.
Oct 20 21:04:24 9.20.6.65 0 2022-10-21T01:04:24.550116+00:00 hurssci ilmt-scan-log - - (2022-10-21 01:04:24) execute pack output files at 202210210104
Oct 20 21:04:24 9.20.6.65 0 2022-10-21T01:04:24.554640+00:00 hurssci cryptoapi-ilmt-log - - 9.197.232.163 - - [21/Oct/2022:01:04:24] "GET /api/com.ibm.crypto/ilmt HTTP/1.1" 200 3101 "" "curl/7.79.1"
Oct 20 21:04:24 9.20.6.65 0 2022-10-21T01:04:24.554809+00:00 hurssci cryptoapi-ilmt-log - - 9.197.232.163 - - [21/Oct/2022:01:04:24 +0000] "GET /api/com.ibm.crypto/ilmt HTTP/1.1" 200 3399 "-" "curl/7.79.1"
2. Extract the scan reports from the downloaded compressed file. The compressed file packs all existing scan reports (the most recent files, 30 at maximum) on the Crypto Express Network API for Secure Execution Enclaves appliance.
3. Upload the scan reports to IBM License Metric Tool official website. You need to decide when and how frequently to upload the scan reports. To upload the scan reports, manually copy them to the IBM License Metric Tool disconnected data source from the installed IBM License Metric Tool server. For more information, see License Metric Tool Lite infrastructure.
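The log entries shown for the download operation can be used to audit who retrieves scan reports. The following is an added example, not part of the original IBM page: a shell function that reduces such syslog lines to one record per download request. It assumes the field layout of the sample above; the function names are hypothetical and the last line of the sample input is constructed.

```shell
#!/bin/sh
# Added example: summarise ILMT scan-report downloads found in appliance syslog.
# Reads syslog lines on stdin and prints, per download request:
#   <time> client=<ip> user=<name or -> status=<HTTP status>
ilmt_download_audit() {
    awk -v q="'" '
    $8 != "cryptoapi-ilmt-log" { next }
    # Message naming the authenticated user of the request that follows.
    /to download ILMT scan results/ {
        if (match($0, "user - " q "[^" q "]*" q))
            user = substr($0, RSTART + 8, RLENGTH - 9)
        next
    }
    # Access-log entry. The sample on the page shows two per request, so
    # de-duplicate on second-resolution time, client and status.
    match($0, /"GET \/api\/com\.ibm\.crypto\/ilmt HTTP\/[0-9.]+" [0-9]+/) {
        status = substr($0, RSTART + RLENGTH - 3, 3)
        when = substr($6, 1, 19)
        key = when " client=" $11 " status=" status
        if (!(key in seen)) {
            seen[key] = 1
            print when " client=" $11 " user=" (user == "" ? "-" : user) " status=" status
        }
        user = ""
    }'
}

# Sample input: the first four lines are taken from the page; the last one
# is a constructed rejected request in the same format.
sample_log() {
    cat <<'EOF'
Oct 20 21:04:24 9.20.6.65 0 2022-10-21T01:04:24.539496+00:00 hurssci cryptoapi-ilmt-log - - Receive a request from user - 'root' to download ILMT scan results.
Oct 20 21:04:24 9.20.6.65 0 2022-10-21T01:04:24.550116+00:00 hurssci ilmt-scan-log - - (2022-10-21 01:04:24) execute pack output files at 202210210104
Oct 20 21:04:24 9.20.6.65 0 2022-10-21T01:04:24.554640+00:00 hurssci cryptoapi-ilmt-log - - 9.197.232.163 - - [21/Oct/2022:01:04:24] "GET /api/com.ibm.crypto/ilmt HTTP/1.1" 200 3101 "" "curl/7.79.1"
Oct 20 21:04:24 9.20.6.65 0 2022-10-21T01:04:24.554809+00:00 hurssci cryptoapi-ilmt-log - - 9.197.232.163 - - [21/Oct/2022:01:04:24 +0000] "GET /api/com.ibm.crypto/ilmt HTTP/1.1" 200 3399 "-" "curl/7.79.1"
Oct 20 21:09:10 9.20.6.65 0 2022-10-21T01:09:10.101010+00:00 hurssci cryptoapi-ilmt-log - - 198.51.100.7 - - [21/Oct/2022:01:09:10] "GET /api/com.ibm.crypto/ilmt HTTP/1.1" 401 0 "" "curl/7.79.1"
EOF
}

sample_log | ilmt_download_audit
```

Records with a status other than 200, or with no user attached, are the ones worth reviewing first.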
Complete the following steps for IBM License Metric Tool version 9.2.30, or later:
There are two ways to upload the scan results. The recommended method is to configure the ILMT server so that results are uploaded automatically. The other method is to upload them manually by using the ILMT REST API.
Configuring the ILMT server to upload scan results automatically
Use the /api/com.ibm.crypto/ilmt:POST REST API to bind the LMT server to crypto_appliance_host so that the scan results are uploaded to the ILMT server after they're generated.
The following shell script is provided as an example.
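#!/bin/bash -xe
# -x traces each command after expansion, so the password and tokens set below appear in the trace output;
# -e stops the script at the first failing command.
# curl -k skips TLS certificate verification of the appliance.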
echo "---> config crypto-appliance certificate...."
server_ip="<server_ip>"
server_user="<server_user>"
server_pass="<server_pass>"
lmtserver="<lmtserver>"
lmttoken="<lmttoken>"
#---------------------------------------------
# get auth token
echo "---> request api: /api-tokens:"
req_json=$(cat << EOF
{
"kind": "request",
"parameters":{
"user":"${server_user}",
"password":"${server_pass}"
}
}
EOF
)
auth_token=$(curl -k -X POST https://${server_ip}/api/com.ibm.zaci.system/api-tokens -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/vnd.ibm.zaci.payload+json' -d "${req_json}" | jq -r .parameters.token)
echo "---> auth_token: [${auth_token}]"
#---------------------------------------------
# accept license manually
echo "---> request api: /software-license:"
req_json=$(cat << EOF
{
"kind": "request",
"parameters":{
"accept": true
}
}
EOF
)
response=$(curl -k -X PUT https://${server_ip}/api/com.ibm.zaci.system/software-license -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/vnd.ibm.zaci.payload+json' -H "Authorization: Bearer ${auth_token}" -d "${req_json}" | jq -r .)
echo "---> response: [${response}]"
#---------------------------------------------
# post ilmtserver
echo "---> request api: /api/com.ibm.crypto/ilmt:"
req_json=$(cat << EOF
{
"kind": "request",
"parameters":{
"server": "${lmtserver}",
"token": "${lmttoken}"
}
}
EOF
)
req_resp=$(curl -k -X POST https://${server_ip}/api/com.ibm.crypto/ilmt -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/vnd.ibm.zaci.payload+json' -H "Authorization: Bearer ${auth_token}" -d "${req_json}" | jq -r .)
echo "${req_resp}"
req_resp=$(curl -k -X GET https://${server_ip}/api/com.ibm.crypto/configs -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/vnd.ibm.zaci.payload+json;version=1.0' -H "Authorization: Bearer ${auth_token}" | jq -r .)
echo "${req_resp}"
Upload scan results manually
You must complete the following tasks before you can run the script:
- It is recommended that you execute the script as a cron job.
- You must accept the license when you invoke the Crypto Express Network API for Secure Execution Enclaves for the first time.
- You must install the jq tool.
Use the POST operation on the /api/sam/v2/scan_results_upload element to upload the results of the disconnected scans to the disconnected data source. For more information about the API, see REST API for uploading disconnected scan results.
The results are provided in the request body in the binary form.
You can use the following shell script, which is provided as an example, to download the disconnected scan results from Crypto Express Network API for Secure Execution Enclaves and then upload them to the LMT server:
#!/bin/bash
crypto_appliance_server_ip=""
# loginuser like "root"
crypto_appliance_loginuser=""
crypto_appliance_password=""
# LMT Server address, like "9.30.219.165:9081"
SERVER_ADDRESS=""
# LMT Server access token, like "3fcc77b521f1df1150224690ada1482694bf76ad".
# How to get the API token: log in to the LMT Server, open the user "profile", and copy the existing "API Token" or generate a new one.
API_TOKEN=""
# Name of the disconnected data source to which the file will be uploaded.
# If you have one disconnected data source, you do not need to provide this parameter.
# However, if you provide the parameter, its value must match the actual data source. Otherwise, the upload fails.
datasource_name=""
#---------------------------------------------
# get auth token
req_json=$(cat << EOF
{
"kind": "request",
"parameters":{
"user":"${crypto_appliance_loginuser}",
"password":"${crypto_appliance_password}"
}
}
EOF
)
auth_token=$(curl -k -X POST https://${crypto_appliance_server_ip}/api/com.ibm.zaci.system/api-tokens -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/vnd.ibm.zaci.payload+json' -d "${req_json}" | jq -r .parameters.token)
#---------------------------------------------
# accept license
# req_json=$(cat << EOF
# {
# "kind": "request",
# "parameters":{
# "accept": true
# }
# }
# EOF
# )
# curl -k -X PUT https://${crypto_appliance_server_ip}/api/com.ibm.zaci.system/software-license -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/vnd.ibm.zaci.payload+json' -H "Authorization: Bearer ${auth_token}" -d "${req_json}"
#---------------------------------------------
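# download ilmt disconnected scan results
# remove archives left over from a previous run (this deletes every *.tar.gz in the current directory)
rm -f *.tar.gz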
curl -k -X GET https://${crypto_appliance_server_ip}/api/com.ibm.crypto/ilmt -H "Accept: application/octet-stream" -H "zACI-API: com.ibm.zaci.system/1.0" -H "Authorization: Bearer ${auth_token}" --output scan_results.tar.gz
tar -zxvf scan_results.tar.gz
rm -f scan_results.tar.gz
#---------------------------------------------
# upload ilmt disconnected scan results
for file in *.tar.gz
do
  # skip the unexpanded pattern when no report was extracted
  [ -e "$file" ] || continue
  echo "uploading $file..."
  if test -z "$datasource_name" ; then
    echo "datasource_name is not defined"
    request_res=$(curl -k -X POST "https://${SERVER_ADDRESS}/api/sam/v2/scan_results_upload?filename=${file}" -H "Accept:application/json" -H "Token:${API_TOKEN}" -H "Accept-Language: en-US" -H "Content-Type:application/octet-stream" -T "./${file}" | jq -r .)
  else
    echo "datasource_name is defined"
    request_res=$(curl -k -X POST "https://${SERVER_ADDRESS}/api/sam/v2/scan_results_upload?datasource_name=${datasource_name}&filename=${file}" -H "Accept:application/json" -H "Token:${API_TOKEN}" -H "Accept-Language: en-US" -H "Content-Type:application/octet-stream" -T "./${file}" | jq -r .)
  fi
  echo "uploading $file result: ${request_res}"
done
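The script above downloads with curl -k and unpacks whatever it receives, so the bundle can be checked before the tar step. The following is an added example, not IBM's code: the function names are hypothetical, and it assumes the bundle contains only *.tar.gz report files, as the upload loop above implies.

```shell
#!/bin/sh
# Added example: check a downloaded scan bundle before unpacking it.
MAX_REPORTS=30   # the page states the bundle holds at most 30 reports

# Reads archive member names on stdin. Succeeds only if every name is a
# relative path that stays inside the target directory, every file is a
# *.tar.gz report (assumed layout), and there are 1..MAX_REPORTS of them.
check_members() {
    count=0
    while IFS= read -r name; do
        case "$name" in
            /*|..|../*|*/..|*/../*)
                echo "reject: path escapes target: $name" >&2; return 1 ;;
        esac
        case "$name" in
            */)       ;;                          # directory entry
            *.tar.gz) count=$((count + 1)) ;;
            *)  echo "reject: unexpected member: $name" >&2; return 1 ;;
        esac
    done
    [ "$count" -ge 1 ] && [ "$count" -le "$MAX_REPORTS" ]
}

# verify_scan_bundle <bundle.tar.gz>
verify_scan_bundle() {
    # A failed request saved by "curl --output" is an error body, not gzip.
    gzip -t "$1" 2>/dev/null || { echo "reject: not gzip data: $1" >&2; return 1; }
    tar -tzf "$1" | check_members
}

# safe_extract <bundle.tar.gz> <target-dir>: unpack only a verified bundle.
safe_extract() {
    verify_scan_bundle "$1" && mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# Stand-alone use: sh check_bundle.sh scan_results.tar.gz ./reports
if [ "$#" -eq 2 ]; then safe_extract "$1" "$2"; fi
```

Extracting into a dedicated directory also keeps the upload loop from picking up unrelated *.tar.gz files in the working directory.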