Configuring observer job security

You can configure observer jobs using plain text passwords, although some on-prem observers require password encryption. In addition, some observer jobs require additional authentication credentials such as certificates, keystores, or both. This topic describes such configuration tasks for OCP and on-prem versions of Agile Service Manager, and also describes how to post an observer job using Swagger (or cURL).

Before you begin

Remember:
Using the Observer Configuration UI (both on-prem and OCP)
Using the Observer Configuration UI is the recommended method to configure and run observer jobs.
Defining observer jobs using the Observer Configuration UI
Using the Swagger UI (both on-prem and OCP)
Password encryption is optional.
The use of plain text passwords or encryption is described here.
Using scripts for manual job configuration (on-prem only)
The scripts and configuration files to manually set up Observer jobs are for on-prem systems only and not available for OCP. Password encryption is required when configuring observer jobs manually.
Defining observer jobs manually (on-prem only)

About this task

The following steps are described:
  • Encrypt the passwords for all on-prem observer load or listen jobs
  • Obtain an authentication certificate
  • Store that certificate as a secret
  • Post an observer job

Procedure

Encrypt the passwords for all on-prem observer load and listen jobs

  1. The jobs for all on-prem observers require the password in the configuration file to be encrypted.
    For encryption: Run the encrypt_password.sh script in the ASM_HOME/bin directory:
    ./bin/encrypt_password.sh
    Enter and then confirm the password. The encryption utility will return an encrypted version.

Acquire an SSL certificate and copy the certificate to the security folder (on-prem)

  1. Use the following Cisco ACI Observer example to acquire an SSL certificate.
    In the following example, you use OpenSSL to connect to Cisco APIC over port 443, and extract a SSL Certificate from Cisco APIC to a <certificate_file_name>.crt file.
    echo -n | openssl s_client -connect {Cisco APIC IpAddress}:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./{certificate_file_name}.crt
  2. Copy the certificate file <certificate_file_name>.crt to the $ASM_HOME/security directory to complete the SSL setup.

Manage authentication certificates and store them as secrets (OCP)

  1. Obtain the authentication certificate using OpenSSL.
    echo -n | openssl s_client -connect {ipAddress}:{port} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | base64 -w 0 > target_system.crt
    Where target_system.crt contains the encoded certificate, and {ipAddress} could be the IP address of any of the following target systems:
    • Ansible
    • Big Cloud Fabric
    • Bigfix Inventory
    • Ciena Blue Planet
    • Cisco ACI
    • Datadog
    • Dynatrace
    • GitLab
    • HPNFVD
    • Juniper CSO
    • Kubernetes master node
    • OpenStack
    • Rancher
    • SDC ONAP
    • VMware NSX
    • VMware vCenter
    • Zabbix
    Example target_system.crt:
    [root@localhost ~]# cat target_system.crt
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN3RENDQWFnQ0NRRGRuMENqU3BXZXhUQU5CZ2txaGtpRzl3MEJBUVVGQURBaU1RMHdDd1lEVlFRRERBUkIKVUVsRE1SRXdEd1lKS29aSWh2Y05BUWtCRmdKVlV6QWVGdzB4TmpBeE1qRXdOekV5TWpWYUZ3MHlOakF4TVRndwpOekV5TWpWYU1DSXhEVEFMQmdOVkJBTU1CRUZRU1VNeEVUQVBCZ2txaGtpRzl3MEJDUUVXQWxWVE1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQW1Ob0dxdFI0RlFPWkdoUWFtand1YmxRYjRobU0KTzJwOGtjbGUwL2NuUno3cSttWGYzWlRQYTZsWEk2MG9BbmVPSGowZEVaMkhwRWFFblBUbWJmWUF6Y0ZQdjNVWApMWjM3VWVoMDZXTjMxS29tSSs2czJtSk1IWWM0MW44M1RiUU5uWUNjYjZjdlZLcWV5NVhhaFBtdkZDbDBtM3Y3Cisxa1lFMFRNVlBnTk56R0ZSUXU1RVlGc3FZWHZGbFZhZ0lUalF6cks3YnE0RkJiMW1kVjFsYnVOMWhISzd2SFEKS3ZUNHBGbGx1NTRHU0JhZ2RSbUdad0dta0tNZHRGUkEvc3pBWEMrejQ0cHN3T05ydTJnbDR3bG5MZTVvM2NWZwpFQUx1THM4UDgrOUx0eFN3YWJvb0VMcHRjb3pKdEpUb2E4QS9zZXRaSi81RUJQNmhjNk1yUWxHQktRSURBUUFCCk1BMEdDU3FHU0liM0RRRUJCUVVBQTRJQkFRQkJuZzlJK2pBdjhNUjBYemM1SUUxdTBkK0JweW9OZGVRbkl4T2sKZWFsNzNUbmkzWmh4QUQzdlQzenZNSElSUEc0d3lxMWJqQ05LY3BZOGVCbVJuVzhOSnlNdG9vcU9hNlJMWGNPTAoyeVZublVna092THRPVjM5eFNFQ1BOMzV4YXJJdGYydE9NZWJRWlc1ZC9Hc1lPZUFLTlNrTlQwRmtreDE0UzJFClpBVi9IUUVHaVpUR0tQNkx1czYzLzJiTEJVNHdGUjg3bjNkdFJFVUp5eGQ4ZDJDTFA4MkE2UTNOT2lOZEdkam0KSnFQZXNEaWxXWE5Gd09xUk1XOWFGWTVUSUtOL25PQzhqczI0cVFmZTJZcllnZ242N0crLytBQy9kV21JSVQ2dgpBWTVMejhwOWQwSzZUaGxLeVpNZkdYVkNnMFlvTms1ajQ4ckJlZ2J5cFhTM1J2SnIKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    
    [root@locahost ~]#
  2. For the SDC ONAP Observer, encrypt the contents of the key store file using base64.
    For example:
    cat {onap_sdc_file_name}.jks | base64 -w 0 > org.onap.sdc.trust.txt

    Where org.onap.sdc.trust.txt contains the encoded key store file, and {onap_sdc_file_name}.jks is the key store file downloaded from the target ONAP SDC system.

  3. For the GoogleCloud Observer, encrypt the contents of the service account key file using base64.
    For example:
    cat {project_id_file_name}.json | base64 -w 0 > googlecloud.json

    Where googlecloud.json contains the encoded service account key file, and project_id_file_name}.json is the service account key file downloaded from 'Credentials' under 'API & Services' in the Google Cloud Platform dashboard.

    Next, store the encoded service account key file as a secret.
  4. Store the encoded certificate that was generated in a previous step as a secret.
    Each installed Agile Service Manager release has a single special secrets file. Data added to that is made available to the appropriate observer containers. Run the following command, assuming <release-name> is the Helm release name for Agile Service Manager when installed with NOI.
    $ oc edit secret <release-name>-topology-custom-secrets
    Paste in the encoded certificate generated in the previous step.
    1. The value of <release-name> can be obtained by using the following example:
      oc get noi
      Example with system output:
      [root@api.verbs.cp.fyre.ibm.com ~]# oc get noi
      NAME         AGE
      evtmanager   11d
      [root@api.verbs.cp.fyre.ibm.com ~]#
    2. Find the correct secrets file using the following command:
      [root@api.verbs.cp.fyre.ibm.com ~]# oc get secret evtmanager-topology-custom-secrets
      NAME                                 TYPE     DATA   AGE
      evtmanager-topology-custom-secrets   Opaque   1      48m
      [root@api.verbs.cp.fyre.ibm.com ~]#
    3. Edit the appropriate file for your release.
      $ oc edit secret <release-name>-topology-custom-secrets
    4. Add a name and value pair to the data section.
      The value is the certificate generated earlier. The name is what you enter as the certificate file name to run the observer job.
      data:
      {name}:{value}
      
      Example of expected content in the secret file after adding vcenter.crt is as follows (where the data section is between the 'apiVersion' and 'kind' sections).
      Note: This VMware vCenter Observer example registers the vcenter.crt SSL certificate in OCP Secret, and vcenter.crt is the job parameter value for the VMware vCenter Observer. Define a new {name} parameter in the same file for other observers that require SSL certificates. You provide the certificate in OCP Secret and the settings you provide for truststore/truststore password will be used to generate a new truststore automatically.
      apiVersion: v1
      data:
      vcenter.crt:LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN3RENDQWFnQ0NRRGRuMENqU3BXZXhUQU5CZ2txaGtpRzl3MEJBUVVGQURBaU1RMHdDd1lEVlFRRERBUkIKVUVsRE1SRXdEd1lKS29aSWh2Y05BUWtCRmdKVlV6QWVGdzB4TmpBeE1qRXdOekV5TWpWYUZ3MHlOakF4TVRndwpOekV5TWpWYU1DSXhEVEFMQmdOVkJBTU1CRUZRU1VNeEVUQVBCZ2txaGtpRzl3MEJDUUVXQWxWVE1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQW1Ob0dxdFI0RlFPWkdoUWFtand1YmxRYjRobU0KTzJwOGtjbGUwL2NuUno3cSttWGYzWlRQYTZsWEk2MG9BbmVPSGowZEVaMkhwRWFFblBUbWJmWUF6Y0ZQdjNVWApMWjM3VWVoMDZXTjMxS29tSSs2czJtSk1IWWM0MW44M1RiUU5uWUNjYjZjdlZLcWV5NVhhaFBtdkZDbDBtM3Y3Cisxa1lFMFRNVlBnTk56R0ZSUXU1RVlGc3FZWHZGbFZhZ0lUalF6cks3YnE0RkJiMW1kVjFsYnVOMWhISzd2SFEKS3ZUNHBGbGx1NTRHU0JhZ2RSbUdad0dta0tNZHRGUkEvc3pBWEMrejQ0cHN3T05ydTJnbDR3bG5MZTVvM2NWZwpFQUx1THM4UDgrOUx0eFN3YWJvb0VMcHRjb3pKdEpUb2E4QS9zZXRaSi81RUJQNmhjNk1yUWxHQktRSURBUUFCCk1BMEdDU3FHU0liM0RRRUJCUVVBQTRJQkFRQkJuZzlJK2pBdjhNUjBYemM1SUUxdTBkK0JweW9OZGVRbkl4T2sKZWFsNzNUbmkzWmh4QUQzdlQzenZNSElSUEc0d3lxMWJqQ05LY3BZOGVCbVJuVzhOSnlNdG9vcU9hNlJMWGNPTAoyeVZublVna092THRPVjM5eFNFQ1BOMzV4YXJJdGYydE9NZWJRWlc1ZC9Hc1lPZUFLTlNrTlQwRmtreDE0UzJFClpBVi9IUUVHaVpUR0tQNkx1czYzLzJiTEJVNHdGUjg3bjNkdFJFVUp5eGQ4ZDJDTFA4MkE2UTNOT2lOZEdkam0KSnFQZXNEaWxXWE5Gd09xUk1XOWFGWTVUSUtOL25PQzhqczI0cVFmZTJZcllnZ242N0crLytBQy9kV21JSVQ2dgpBWTVMejhwOWQwSzZUaGxLeVpNZkdYVkNnMFlvTms1ajQ4ckJlZ2J5cFhTM1J2SnIKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
      kind:Secret
      
    If the edit is successful, the following message will be displayed:
    secret "<release-name>-topology-custom-secrets" edited
  5. In the Red Hat OpenShift Container Platform console, view the configured secret.
    You can view the configured secret under the Menu > Workload > Secrets option, where the 'Name' is '<release-name>-topology-custom-secrets'.
    Within <release-name>-topology-custom-secrets, all data configured earlier is displayed.

Posting a job

  1. Post the job via the Swagger UI or cURL.
    Note: The default value for the password_ssl_truststore_file property is password and can be encrypted if required.
    For OCP
    Use the commands in the following example:
    oc exec -ti asm-topology-pods -- java -jar /opt/ibm/topology-service/topology-service.jar encrypt_password --password 'password'
    Where the value of asm-topology-pods can be obtained using the following command:
    oc get pods | grep <release name>-topology <release name>-topology-xxxxx-xxxxx
    The encryption utility will return an encrypted password.
    For on-prem
    For encryption: Run the encrypt_password.sh script in the ASM_HOME/bin directory:
    ./bin/encrypt_password.sh
    Enter and then confirm the password. The encryption utility will return an encrypted version.
    • For an encrypted password, use one of the following sample formats:
      "password_ssl_truststore_file": "IxcQ9w==",
      or
      "password_ssl_truststore_file": { "hiddenString":"IxcQ9w==", "encrypted": true},
    • For an unencrypted (that is, plain text) password, use the following sample format:
      "password_ssl_truststore_file": { "hiddenString":"password", "encrypted": false},
    Example cURL command (encrypted password):
    curl --location --insecure  --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'X-TenantID: cfd95b7e-3bc7-4006-a4a8-a73a79c71255' -d '{
      "unique_id": "my job",
      "type": "query",
      "parameters": {
        "data_center": "LondonDC1",
        "vcenter_username": "admin",
        "vcenter_password": "RW+w==",
        "vcenter_api_url": "https://localhost/rest",
        "vcenter_certificate": "vcenter.crt",
        "ssl_truststore_file": "localhost.jks",
        "password_ssl_truststore_file": "IxcQ9w==",
        "connect_read_timeout_ms": 5000
      }
    }' 'https://<master-ip address>/1.0/vmvcenter-observer/jobs/restapi'
    Note: When using cURL, you may need to add --location so that it will follow redirects, and --insecure as the proxy server is using HTTPS.

What to do next

For a repeating job, you can wrap the cURL in a script and use a normal cron job.