Connecting probes and gateways to an ObjectServer running in secure mode

Learn how to connect probes and gateways to an ObjectServer running in secure mode.

About this task

By default, probes and gateways are not required to provide credentials to connect to an ObjectServer. However, if you are running an ObjectServer in secure mode, probes and gateways do require credentials. These credentials must be made available as Kubernetes secrets. As with SSL, the probe and gateway treat the presence of these credentials as the signal that secure mode is enabled: if the secret is absent, they connect without authenticating and the secure-mode ObjectServer rejects them.

Note: If you provide the credentials after the probe and gateway are started, you must restart those pods.

There is one secret for the probe and one for the gateway, which allows for different credentials for different layers of a multitier architecture. If the Netcool® Operations Insight® release name is noi, the two secrets should be called:

  • noi-topology-gateway-credentials
  • noi-topology-probe-credentials

Procedure

  1. Providing credentials in plain text

    The credentials can be provided in plain text. In this scenario, the plain text credentials are encrypted during the startup of the probe or gateway and are written to the relevant properties file. Note that the secret itself still holds the plain text (Kubernetes only base64-encodes secret data), so access to the secret must be restricted with RBAC, and the sample values below should be replaced with credentials that are unique to your deployment.

    NOI_RELEASE_NAME=noi
    NAMESPACE=netcool
    oc create secret generic ${NOI_RELEASE_NAME}-topology-gateway-credentials \
                             --from-literal=username=asmgateway \
                             --from-literal=password=asmgateway \
                             --namespace=${NAMESPACE}
    oc create secret generic ${NOI_RELEASE_NAME}-topology-probe-credentials \
                             --from-literal=username=asmprobe \
                             --from-literal=password=asmprobe \
                             --namespace=${NAMESPACE}

  2. Providing encrypted credentials

    The credentials can be encrypted before being saved into a secret. This approach requires the encryption key to be added to the secret together with the credentials, so anyone who can read the secret can still recover the plain text; the benefit is that the plain text never has to be handled on the command line or in a manifest. You also need to specify the encryption algorithm used. The default is AES_FIPS, but for some legacy systems AES may be required.

    In the following examples, change the value set for CRYPTO_ALG to AES if required.

    Note: If you use AES encryption, both the probe and gateway will generate warnings.

    You must run the following commands on a system with Netcool/OMNIbus installed:

    CRYPTO_ALG=AES_FIPS
    # create an encryption key if needed (reuse the same key for both secrets)
    $NCHOME/omnibus/bin/nco_keygen -o omnibus-encryption.key
    # encrypt the gateway username
    $NCHOME/omnibus/bin/nco_aes_crypt -k omnibus-encryption.key asmgateway -c ${CRYPTO_ALG}
    # encrypt the gateway password (the same literal as the username in this example)
    $NCHOME/omnibus/bin/nco_aes_crypt -k omnibus-encryption.key asmgateway -c ${CRYPTO_ALG}
    # repeat the two nco_aes_crypt commands for the probe username and password

    Each nco_aes_crypt command prints an encrypted string of the form @44:...@, which is the value used in the secret.

    Note: If you want to provide encrypted credentials, you must encrypt both the username and the password.

    The encrypted credentials and key must be transferred to the host configured with kubectl/oc. Create the secret using the following commands:

    CRYPTO_ALG=AES_FIPS
    NOI_RELEASE_NAME=noi
    NAMESPACE=netcool
    oc create secret generic ${NOI_RELEASE_NAME}-topology-gateway-credentials \
                            --from-literal=username=@44:kfxvIdgN5snzzwFbMl7HcEhtDVMGY7+PYtj1Fh0zZwU=@ \
                            --from-literal=password=@44:2G1n9MC2a5EiizzrGiob46wrUDsHUCayyQleYaQRH8I=@  \
                            --from-file=keyfile=omnibus-encryption.key \
                            --from-literal=cipher=${CRYPTO_ALG} \
                            --namespace=${NAMESPACE}
    
    oc create secret generic ${NOI_RELEASE_NAME}-topology-probe-credentials \
                            --from-literal=username=@44:kfxvIdgN5snzzwFbMl7HwhsjdhMGY7+PYtj1Fh0zZwU=@ \
                            --from-literal=password=@44:2G1n9MC2dwddizzrGiob46wrUDsHUCayyQleYaQRH8I=@  \
                            --from-file=keyfile=omnibus-encryption.key \
                            --from-literal=cipher=${CRYPTO_ALG} \
                            --namespace=${NAMESPACE}
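The two steps above both end in an oc create secret command with the same four keys (username, password, and, for encrypted credentials, keyfile and cipher). The following script, added here as an example and not part of the IBM documentation or product, renders the same secrets as manifests for oc apply -f and checks the rules the procedure states before doing so: username and password must both be encrypted or both plain, the cipher must be AES_FIPS or AES, and the key file must exist when encrypted values are used. It runs without oc or Netcool/OMNIbus installed. The release name, namespace, credentials and the @44:...@ strings are constructed placeholders taken from the procedure, not real ciphertext.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code): render topology credential secrets for a
# secure-mode ObjectServer and validate them first. All values are placeholders.
set -u

# nco_aes_crypt output has the form @<length>:<base64>@ ; anything else is
# treated as plain text.
is_encrypted() {
  printf '%s' "$1" | grep -Eq '^@[0-9]+:[A-Za-z0-9+/=]+@$'
}

# Print plain, encrypted or mixed for a username/password pair.
credential_mode() {
  local u=p p=p
  is_encrypted "$1" && u=e
  is_encrypted "$2" && p=e
  case "$u$p" in
    pp) echo plain ;;
    ee) echo encrypted ;;
    *)  echo mixed ;;
  esac
}

# Single-line base64, portable across GNU and BSD base64.
b64() { base64 | tr -d '\n'; }

# render_secret NAME NAMESPACE USER PASS [CIPHER KEYFILE]
# Writes a Secret manifest to stdout; returns 1 if the inputs break a rule.
render_secret() {
  local name="$1" ns="$2" user="$3" pass="$4" cipher="${5:-}" keyfile="${6:-}"
  local mode
  mode=$(credential_mode "$user" "$pass")
  if [ "$mode" = mixed ]; then
    echo "error: $name: username and password must both be encrypted" >&2
    return 1
  fi
  if [ "$mode" = encrypted ]; then
    case "$cipher" in
      AES_FIPS) ;;
      AES) echo "warning: $name: cipher AES; probe and gateway will warn at startup" >&2 ;;
      *) echo "error: $name: cipher must be AES_FIPS or AES (got '$cipher')" >&2; return 1 ;;
    esac
    [ -r "$keyfile" ] || { echo "error: $name: key file '$keyfile' not readable" >&2; return 1; }
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: Opaque
data:
  username: $(printf '%s' "$user" | b64)
  password: $(printf '%s' "$pass" | b64)
EOF
  # Only encrypted credentials carry the cipher and key material.
  if [ "$mode" = encrypted ]; then
    printf '  cipher: %s\n' "$(printf '%s' "$cipher" | b64)"
    printf '  keyfile: %s\n' "$(b64 < "$keyfile")"
  fi
}

# Demo with the placeholder values from the procedure; pipe to `oc apply -f -`.
NOI_RELEASE_NAME=noi
NAMESPACE=netcool
DEMO_KEY=$(mktemp)
printf 'constructed-key-material-not-a-real-key\n' > "$DEMO_KEY"
render_secret "${NOI_RELEASE_NAME}-topology-gateway-credentials" "$NAMESPACE" \
  '@44:kfxvIdgN5snzzwFbMl7HcEhtDVMGY7+PYtj1Fh0zZwU=@' \
  '@44:2G1n9MC2a5EiizzrGiob46wrUDsHUCayyQleYaQRH8I=@' AES_FIPS "$DEMO_KEY"
echo '---'
render_secret "${NOI_RELEASE_NAME}-topology-probe-credentials" "$NAMESPACE" \
  asmprobe asmprobe
rm -f "$DEMO_KEY"
```

After applying a manifest, `oc get secret noi-topology-probe-credentials -n netcool -o jsonpath='{.data.username}' | base64 -d` should print either the plain username or the @44:...@ string you encrypted; if the probe or gateway pods were already running when the secret was created, restart them as the note above requires.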