You can configure observer jobs using plain text passwords, although some
on-prem observers require password encryption. In addition, some observer jobs require
additional authentication credentials such as certificates, keystores, or both. This topic describes
such configuration tasks for OCP and on-prem versions of Agile Service Manager, and also describes
how to post an observer job using Swagger (or cURL).
Before you begin
Remember:
- Using the Observer Configuration UI (both on-prem and OCP): Using the Observer Configuration UI is the recommended method to configure and run observer jobs. See: Defining observer jobs using the Observer Configuration UI.
- Using the Swagger UI (both on-prem and OCP): Password encryption is optional. The use of plain text passwords or encryption is described here.
- Using scripts for manual job configuration (on-prem only): The scripts and configuration files to manually set up observer jobs are for on-prem systems only and are not available for OCP. Password encryption is required when configuring observer jobs manually. See: Defining observer jobs manually (on-prem only).
About this task
The following steps are described:
- Encrypt the passwords for all on-prem observer load or listen jobs
- Obtain an authentication certificate
- Store that certificate as a secret
- Post an observer job
Procedure
Encrypt the passwords for all on-prem observer load and listen jobs
- The jobs for all on-prem observers require the password in the configuration file to be encrypted.
For encryption, run the encrypt_password.sh script in the ASM_HOME/bin directory:
./bin/encrypt_password.sh
Enter and then confirm the password. The encryption utility returns an encrypted version.
Acquire an SSL certificate and copy the certificate to the security folder (on-prem)
- Use the following Cisco ACI Observer example to acquire an SSL certificate.
In the following example, you use OpenSSL to connect to Cisco APIC over port 443 and extract an SSL certificate from Cisco APIC to a <certificate_file_name>.crt file.
echo -n | openssl s_client -connect {Cisco APIC IpAddress}:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./{certificate_file_name}.crt
- Copy the certificate file <certificate_file_name>.crt to the $ASM_HOME/security directory to complete the SSL setup.
Manage authentication certificates and store them as secrets (OCP)
- Obtain the authentication certificate using OpenSSL.
echo -n | openssl s_client -connect {ipAddress}:{port} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | base64 -w 0 > target_system.crt
Where target_system.crt contains the encoded certificate, and {ipAddress} could be the IP address of any of the following target systems:
- Ansible
- Big Cloud Fabric
- Bigfix Inventory
- Ciena Blue Planet
- Cisco ACI
- Datadog
- Dynatrace
- GitLab
- HPNFVD
- Juniper CSO
- Kubernetes master node
- OpenStack
- Rancher
- SDC ONAP
- VMware NSX
- VMware vCenter
- Zabbix
Example target_system.crt:
[root@localhost ~]# cat target_system.crt
<base64-encoded certificate, one line>
[root@localhost ~]#
- For the SDC ONAP Observer, encode the contents of the key store file using base64. For example:
cat {onap_sdc_file_name}.jks | base64 -w 0 > org.onap.sdc.trust.txt
Where org.onap.sdc.trust.txt contains the encoded key store file, and {onap_sdc_file_name}.jks is the key store file downloaded from the target ONAP SDC system.
- For the GoogleCloud Observer, encode the contents of the service account key file using base64. For example:
cat {project_id_file_name}.json | base64 -w 0 > googlecloud.json
Where googlecloud.json contains the encoded service account key file, and {project_id_file_name}.json is the service account key file downloaded from 'Credentials' under 'API & Services' in the Google Cloud Platform dashboard.
Next, store the encoded service account key file as a secret.
- Store the encoded certificate that was generated in a previous step as a secret.
Each installed Agile Service Manager release has a single special secrets file. Data added to that file is made available to the appropriate observer containers. Run the following command, assuming <release-name> is the Helm release name for Agile Service Manager when installed with NOI:
$ oc edit secret <release-name>-topology-custom-secrets
Paste in the encoded certificate generated in the previous step.
- The value of <release-name> can be obtained by using the following command:
oc get noi
Example with system output:
[root@api.verbs.cp.fyre.ibm.com ~]# oc get noi
NAME         AGE
evtmanager   11d
[root@api.verbs.cp.fyre.ibm.com ~]#
- Find the correct secrets file using the following command:
[root@api.verbs.cp.fyre.ibm.com ~]# oc get secret evtmanager-topology-custom-secrets
NAME                                 TYPE     DATA   AGE
evtmanager-topology-custom-secrets   Opaque   1      48m
[root@api.verbs.cp.fyre.ibm.com ~]#
- Edit the appropriate file for your release.
$ oc edit secret <release-name>-topology-custom-secrets
- Add a name and value pair to the data section.
The value is the certificate generated earlier. The name is what you enter as the certificate file name to run the observer job.
data:
  {name}: {value}
Example of expected content in the secret file after adding vcenter.crt is as follows (where the data section is between the 'apiVersion' and 'kind' sections).
Note: This VMware vCenter Observer example registers the vcenter.crt SSL certificate in the OCP Secret, and vcenter.crt is the job parameter value for the VMware vCenter Observer. Define a new {name} parameter in the same file for other observers that require SSL certificates. You provide the certificate in the OCP Secret, and the settings you provide for the truststore and truststore password are used to generate a new truststore automatically.
apiVersion: v1
data:
  vcenter.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN3RENDQWFnQ0NRRGRuMENqU3BXZXhUQU5CZ2txaGtpRzl3MEJBUVVGQURBaU1RMHdDd1lEVlFRRERBUkIKVUVsRE1SRXdEd1lKS29aSWh2Y05BUWtCRmdKVlV6QWVGdzB4TmpBeE1qRXdOekV5TWpWYUZ3MHlOakF4TVRndwpOekV5TWpWYU1DSXhEVEFMQmdOVkJBTU1CRUZRU1VNeEVUQVBCZ2txaGtpRzl3MEJDUUVXQWxWVE1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQW1Ob0dxdFI0RlFPWkdoUWFtand1YmxRYjRobU0KTzJwOGtjbGUwL2NuUno3cSttWGYzWlRQYTZsWEk2MG9BbmVPSGowZEVaMkhwRWFFblBUbWJmWUF6Y0ZQdjNVWApMWjM3VWVoMDZXTjMxS29tSSs2czJtSk1IWWM0MW44M1RiUU5uWUNjYjZjdlZLcWV5NVhhaFBtdkZDbDBtM3Y3Cisxa1lFMFRNVlBnTk56R0ZSUXU1RVlGc3FZWHZGbFZhZ0lUalF6cks3YnE0RkJiMW1kVjFsYnVOMWhISzd2SFEKS3ZUNHBGbGx1NTRHU0JhZ2RSbUdad0dta0tNZHRGUkEvc3pBWEMrejQ0cHN3T05ydTJnbDR3bG5MZTVvM2NWZwpFQUx1THM4UDgrOUx0eFN3YWJvb0VMcHRjb3pKdEpUb2E4QS9zZXRaSi81RUJQNmhjNk1yUWxHQktRSURBUUFCCk1BMEdDU3FHU0liM0RRRUJCUVVBQTRJQkFRQkJuZzlJK2pBdjhNUjBYemM1SUUxdTBkK0JweW9OZGVRbkl4T2sKZWFsNzNUbmkzWmh4QUQzdlQzenZNSElSUEc0d3lxMWJqQ05LY3BZOGVCbVJuVzhOSnlNdG9vcU9hNlJMWGNPTAoyeVZublVna092THRPVjM5eFNFQ1BOMzV4YXJJdGYydE9NZWJRWlc1ZC9Hc1lPZUFLTlNrTlQwRmtreDE0UzJFClpBVi9IUUVHaVpUR0tQNkx1czYzLzJiTEJVNHdGUjg3bjNkdFJFVUp5eGQ4ZDJDTFA4MkE2UTNOT2lOZEdkam0KSnFQZXNEaWxXWE5Gd09xUk1XOWFGWTVUSUtOL25PQzhqczI0cVFmZTJZcllnZ242N0crLytBQy9kV21JSVQ2dgpBWTVMejhwOWQwSzZUaGxLeVpNZkdYVkNnMFlvTms1ajQ4ckJlZ2J5cFhTM1J2SnIKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
kind: Secret
If the edit is successful, the following message will be displayed:
secret "<release-name>-topology-custom-secrets" edited
- In the Red Hat OpenShift Container Platform console, view the configured secret named '<release-name>-topology-custom-secrets'. Within <release-name>-topology-custom-secrets, all data configured earlier is displayed.
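The following added example (not from the Agile Service Manager documentation) reworks the certificate extraction and encoding steps above as a script. The openssl | sed | base64 -w 0 pipeline writes an empty target_system.crt and still exits 0 when the TLS connection fails, so this version raises an error when no certificate block is present, checks that the body decodes to DER, and emits the single-line {name}: {value} entry for the custom secrets file. The s_client output sample is constructed, and extract_pem, secret_value, secret_entry and fetch_pem are names chosen here.

```python
import base64
import re
import subprocess

# First PEM block in the s_client output; group 1 is the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(.*?)-----END CERTIFICATE-----", re.S)

def extract_pem(s_client_output):
    """Return the first PEM certificate in raw `openssl s_client` output.
    Raises ValueError instead of silently producing an empty file."""
    match = PEM_BLOCK.search(s_client_output)
    if not match:
        raise ValueError("no certificate block in s_client output (connection failed?)")
    body = "".join(match.group(1).split())
    der = base64.b64decode(body, validate=True)  # binascii.Error (a ValueError) if not base64
    if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("certificate body does not decode to DER")
    return match.group(0) + "\n"

def secret_value(pem):
    """Encode the PEM as one base64 line, the equivalent of `base64 -w 0`."""
    return base64.b64encode(pem.encode()).decode()

def secret_entry(name, pem):
    """One `{name}: {value}` line for the data section of the custom secrets file."""
    return f"{name}: {secret_value(pem)}"

def fetch_pem(host, port=443):
    """Run openssl s_client as the page does (needs network; not used below)."""
    proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}"],
                          input=b"", capture_output=True, timeout=30)
    return extract_pem(proc.stdout.decode(errors="replace"))

# Constructed sample of s_client output; the certificate body is a placeholder
# that decodes to a DER SEQUENCE header, not a real certificate.
SAMPLE_OUTPUT = """CONNECTED(00000003)
depth=0 CN = apic.example.internal
---
-----BEGIN CERTIFICATE-----
MIIBAAAAMIIBAAAA
-----END CERTIFICATE-----
---
DONE
"""

if __name__ == "__main__":
    print(secret_entry("vcenter.crt", extract_pem(SAMPLE_OUTPUT)))
```

The printed line starts with the same LS0tLS1CRUdJTi... prefix as the vcenter.crt value in the secret example above, because both encode a PEM file that begins with the BEGIN CERTIFICATE marker.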
Posting a job
- Post the job via the Swagger UI or cURL.
Note: The default value for the password_ssl_truststore_file property is password and can be encrypted if required.
- For OCP, use the commands in the following example:
oc exec -ti asm-topology-pods -- java -jar /opt/ibm/topology-service/topology-service.jar encrypt_password --password 'password'
Where the value of asm-topology-pods can be obtained using the following command:
oc get pods | grep <release name>-topology
<release name>-topology-xxxxx-xxxxx
The encryption utility will return an encrypted password.
- For on-prem, run the encrypt_password.sh script in the ASM_HOME/bin directory:
./bin/encrypt_password.sh
Enter and then confirm the password. The encryption utility will return an encrypted version.
- For an encrypted password, use one of the following sample formats:
"password_ssl_truststore_file": "IxcQ9w==",
or
"password_ssl_truststore_file": { "hiddenString": "IxcQ9w==", "encrypted": true },
- For an unencrypted (that is, plain text) password, use the following sample format:
"password_ssl_truststore_file": { "hiddenString": "password", "encrypted": false },
Example cURL command (encrypted password):
curl --location --insecure --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'X-TenantID: cfd95b7e-3bc7-4006-a4a8-a73a79c71255' -d '{
"unique_id": "my job",
"type": "query",
"parameters": {
"data_center": "LondonDC1",
"vcenter_username": "admin",
"vcenter_password": "RW+w==",
"vcenter_api_url": "https://localhost/rest",
"vcenter_certificate": "vcenter.crt",
"ssl_truststore_file": "localhost.jks",
"password_ssl_truststore_file": "IxcQ9w==",
"connect_read_timeout_ms": 5000
}
}' 'https://<master-ip address>/1.0/vmvcenter-observer/jobs/restapi'
Note: When using cURL, you may need to add --location so that it follows redirects, and --insecure as the proxy server is using HTTPS.
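As an added example (not from the Agile Service Manager documentation), the following script builds the job body from the cURL example above, accepts the password formats described, and refuses to post a body that still carries a plain-text password. The tenant ID, endpoint path and parameter names are taken from the cURL example; password, find_plaintext_passwords, build_job and post_job are names chosen here, and post_job takes the proxy's CA bundle instead of disabling certificate verification.

```python
import json
import ssl
import urllib.request

# Tenant ID from the page's cURL example.
TENANT_ID = "cfd95b7e-3bc7-4006-a4a8-a73a79c71255"

def password(value, encrypted=True):
    """Long form of a password parameter; encrypted=True for output of encrypt_password."""
    return {"hiddenString": value, "encrypted": encrypted}

def find_plaintext_passwords(parameters):
    """Names of password parameters not marked encrypted. A bare string is the
    short encrypted form from the page, so only the object form can be plain."""
    return [name for name, value in parameters.items()
            if "password" in name.lower()
            and isinstance(value, dict) and not value.get("encrypted", False)]

def build_job(unique_id, parameters, job_type="query", require_encrypted=True):
    """Assemble the job body; reject plain-text passwords unless allowed."""
    if require_encrypted:
        plain = find_plaintext_passwords(parameters)
        if plain:
            raise ValueError("plain-text password parameters: " + ", ".join(plain))
    return {"unique_id": unique_id, "type": job_type, "parameters": parameters}

def post_job(base_url, observer, job, tenant_id=TENANT_ID, cafile=None):
    """POST to <base_url>/1.0/<observer>/jobs/restapi. cafile is the proxy's CA
    bundle, used instead of disabling verification as cURL --insecure does."""
    req = urllib.request.Request(
        f"{base_url}/1.0/{observer}/jobs/restapi", method="POST",
        data=json.dumps(job).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "X-TenantID": tenant_id})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
        return resp.status, resp.read().decode()

# Parameters of the VMware vCenter job from the page's cURL example; the two
# password values are the page's sample ciphertexts, not real secrets.
SAMPLE_PARAMETERS = {
    "data_center": "LondonDC1", "vcenter_username": "admin",
    "vcenter_password": password("RW+w=="),
    "vcenter_api_url": "https://localhost/rest", "vcenter_certificate": "vcenter.crt",
    "ssl_truststore_file": "localhost.jks", "password_ssl_truststore_file": "IxcQ9w==",
    "connect_read_timeout_ms": 5000,
}

if __name__ == "__main__":
    print(json.dumps(build_job("my job", SAMPLE_PARAMETERS), indent=2))
```

To submit, call post_job("https://<master-ip address>", "vmvcenter-observer", build_job("my job", SAMPLE_PARAMETERS), cafile="<proxy CA bundle>").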
What to do next
For a repeating job, you can wrap the cURL in a script and use a normal cron job.