HAProxy configuration

1. Ensure that each Web GUI is set up to use a valid TLS certificate with the correct DNS name in the subject alternative name extension and that the web browser doesn't show any certificate errors.
2. Obtain a copy of the root CA certificate used to sign each of the Web GUI certificates. You can skip this step if all the certificates were signed by a well-known public CAs.
3. Update the jazz/profile/config/cells/JazzSMNode01Cell/oauth20/base.clients.xml by creating a <client>element for each client. You need a different client ID for each Ha Proxy, and for each OpenShift cluster too if users can access Netcool Operations Insight directly on OpenShift. Follow this link to have more information. The following table shows the properties of each element according to the example.
   Table 1: Example of properties for Web GUI configuration.

   Id	Secret	Redirect
   east	secret1	https://netcool.east.example.com/
   west	secret2	https://netcool.west.example.com/
   primary	secret3	https://netcool.primary.example.com/
   secondary	secret4	https://netcool.secondary.example.com/

4. Stop and restart the server.

The HAProxy configuration file is normally called /usr/local/etc/haproxy/haproxy.cnf and is usually in a directory similar to /usr/local/etc/haproxy. The configuration file shows a single backend to explain the changes to requests and responses that the HAProxy needs to make. Click Ha Proxy Documents to the HAProxy documentation for guidance on setting up multiple backends with rules for monitoring and switching.

global
    log stdout local0
    # The following is the location for valid certificates for HA Proxy endpoint and the value is given by the PROXY_HOST.
    ca-base <full path to location of your haproxy server certs>
    # For example: ca-base /usr/local/etc/ca-certs 

    # PROXY_HOST includes port only if it is not default (443)
    presetenv PROXY_HOST <proxy hostname>
    # For example: presetenv PROXY_HOST "primary.apps.hadr.os.fyre.ibm.com:3443"

    # This is the NOI OCP route endpoint for the PRIMARY Deployment
    setenv NETCOOL_OCP_HOST_PRIMARY <PRIMARY NOI Deployment OCP route endpoint>
    # For example: setenv NETCOOL_OCP_HOST_PRIMARY "netcool.noi.apps.hadr.os.fyre.ibm.com"

    # This is the NOI OCP route endpoint for the BACKUP Deployment
    setenv NETCOOL_OCP_HOST_BACKUP <BACKUP NOI Deployment OCP route endpoint>
    # For example: setenv NETCOOL_OCP_HOST_BACKUP "netcool.noi.apps.pg2.os.fyre.ibm.com"
    
defaults
    mode http
    log global
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    option httplog

frontend http-in
# This is the server certificate for the proxy frontend hostname, PROXY_HOST. This is usually generated by the Corporation Signing Certificate authority (CA).
    bind *:443 ssl crt <location to your server certificate for the proxy>
    # For example: bind *:443 ssl crt /usr/local/etc/keys/proxy.pem
    use_backend http-out-primary  if { srv_is_up(http-out-primary/noi-primary) }
    use_backend http-out-backup  if { srv_is_up(http-out-backup/noi-backup) }

backend http-out-primary
    default-server inter 3s fall 3 rise 2
    # The ca-file refers to the signing certificate of the NETCOOL_OCP_HOST_PRIMARY route endpoint. 
    server noi-primary "${NETCOOL_OCP_HOST_PRIMARY}": 443 ssl verify required ca-file /usr/local/etc/ca-certs/rootca.pem sni str("${NETCOOL_OCP_HOST_PRIMARY}") check check-ssl check-sni "${NETCOOL_OCP_HOST_PRIMARY}"


    http-request set-header X-NOI-HAProxy-Host %[req.hdr(Host)]
    http-request set-header Host "${NETCOOL_OCP_HOST_PRIMARY}"

    # If redirecting to NOI, change base to point to the proxy
    http-response replace-value location ^([^:]*://)"${NETCOOL_OCP_HOST_PRIMARY}"(.*)$ \1"${PROXY_HOST}"\2
    # If redirect has a return URI within NOI, change that as well
    http-response replace-value location ^(.*redirect_uri=[^&]*)"${NETCOOL_OCP_HOST_PRIMARY}"(.*)$ \1"${PROXY_HOST}"\2

backend http-out-backup
    default-server inter 3s fall 3 rise 2
    server noi-backup "${NETCOOL_OCP_HOST_BACKUP}" addr "${NETCOOL_OCP_HOST_BACKUP}" port 443 ssl verify required ca-file /usr/local/etc/ca-certs/rootca.pem sni str("${NETCOOL_OCP_HOST_BACKUP}") check check-ssl check-sni "${NETCOOL_OCP_HOST_BACKUP}"

    http-request set-header X-NOI-HAProxy-Host %[req.hdr(Host)]
    http-request set-header Host "${NETCOOL_OCP_HOST_BACKUP}"

    # If redirecting to NOI, change base to point to the proxy
    http-response replace-value location ^([^:]*://)"${NETCOOL_OCP_HOST_BACKUP}"(.*)$ \1"${PROXY_HOST}"\2
    # If redirect has a return URI within NOI, change that as well
    http-response replace-value location ^(.*redirect_uri=[^&]*[^\.])"${NETCOOL_OCP_HOST_BACKUP}"(.*)$ \1"${PROXY_HOST}"\2

Where:

• server netcool-noi "${PRIMARY_OCP_HOST}" ssl verify required ca-file rootca.pem sni str("${PRIMARY_OCP_HOST}")

  must select the correct Netcool Operations Insight OpenShift ingress route. The rootca.pem file must contain the root certificate that was used to sign the Netcool Operations Insight OpenShift ingress route certificate. Refer https://www.ibm.com/docs/en/noi/1.6.3?topic=tasks-optional-using-custom-certificates-routes to use custom certificates for routes.

• http-request set-header X-NOI-HAProxy-Host

  is used by Netcool Operations Insight to identify which HAProxy the request passed through. This is used to identify the correct Web GUI.

• http-request set-header Host

  is used to update the Host header, in order for the OpenShift ingress router to direct the request to the correct pod.

• http-response replace-value location

  updates any redirect responses so that the client continues to use the HAProxy and does not get redirected to the OpenShift router.

1. Use the following command based on the example in Table 1 to create a secret containing the client id and secret values required:

   kubectl create secret generic RELEASE-was-oauth-cnea-secrets \
       --from-literal=client-id=primary \
       --from-literal=client-secret=secret3 \
       --from-literal=netcool.east.example.com.id=east \
       --from-literal=netcool.east.example.com.secret=secret1 \
       --from-literal=netcool.west.example.com.id=west \
       --from-literal=netcool.west.example.com.secret=secret2

   Where RELEASE needs to be replaced with the name of the Netcool Operations Insight hybrid deployment.
   Note: The values called client-id and client-secret must contain the values for the local instance. When you run this command for the secondary instance of your Netcool Operations Insight hybrid deployment, the values change to secondary and secret4. The other values are named after the FQDN of the HAProxies. Do not include the port numbers even if they are not default. For each proxy, there is a .id and a .secret value.
2. You can either create the RELEASE-was-oauth-cnea-secrets secret before the Netcool Operations Insight hybrid is installed or patch it after the installation. Read the kubectl documentation, Install kubectl and kubectl CLI for more information.
3. When Netcool Operations Insight hybrid is created, include the following:
   • dash.url as the URL of the default Web GUI.
   • dash.username as the username for connecting to on-premise Web GUI.
   • dash.trustedCAConfigMapName as the name of a configuration map that contains the CA certificates that were used to sign all of the Web GUI certificates. If all certificates were signed by well-known public CAs this might be omitted.
   • dash.crossRegionUrls as an array of the HAProxy and Web GUI pairs in the format below. Remember to include port numbers if they are not the default (443).

   dash:
   
     ....
   
     crossRegionUrls:
     - proxy: https://netcool.east.example.com
       dash: https://webgui.east.example.com
     - proxy: https://netcool.west.example.com
       dash: https://webgui.west.example.com