Configuring EMS and SSH File Transfer Protocol (SFTP) Network Connectivity for Collector Discovery on OCP

You set up SSH File Transfer Protocol for use by the network discovery service.

Before you begin

SFTP is available on most Linux systems out of the box and can be readily configured.

Prerequisite for collectors:
Configuring SFTP in an OCP installation
As part of the collectors feature of the network discovery service, an SSH File Transfer Protocol (SFTP) server is required in order to use the Alcatel5620Sam Collector. If you do not want to use this collector, you do not need an SFTP server.
On OCP, no SFTP server is supplied. You must install your own SFTP server, and then configure network discovery to use it. The SFTP server can be inside or outside the OCP cluster.
To configure network discovery collectors to use your SFTP server, issue the following command:
oc create secret generic ${releaseName}-sftp-secret --from-literal=host=${IP} --from-literal=port=${PORT} --from-literal=username=${USERNAME} --from-literal=password=${PASSWORD} --from-literal=directory=${DIRECTORY}
Where:
Secret Name
The name of the secret is the release name of the Agile Service Manager installation, followed by -sftp-secret (that is, ${releaseName}-sftp-secret).
IP
IP is the SFTP server IP address or host name, which must be reachable from the OCP cluster.
PORT
PORT is the SFTP server port number.
USERNAME
USERNAME is the SFTP server user name to use to connect to the SFTP server from the collector.
PASSWORD
PASSWORD is the SFTP server password to use to connect to the SFTP server from the collector.
DIRECTORY
DIRECTORY is the location where the collector looks for the files.
Note: Restart the Network Discovery Collector pods to enable the changes. If you change the SFTP details in the future, you must re-create the SFTP secret and restart the Network Discovery Collector pods each time.
Configure EMS certificates
To enable HTTPS connections between the Network Discovery Collectors and the EMS, issue the following command:
oc create configmap ${releaseName}-net-disco-ems-ca-certs --from-file /temp/collector-ems-certs/
Where:
Configmap Name
The name of the configmap is the release name of the Agile Service Manager installation, followed by -net-disco-ems-ca-certs (that is, ${releaseName}-net-disco-ems-ca-certs).
/temp/collector-ems-certs/
The folder that contains all EMS certificates (each certificate file must have the .crt filename extension).
Note: Restart the Network Discovery Collector pods to enable the changes. If you change the certificates in the future, you must reconfigure the EMS certificates and restart the Network Discovery Collector pods each time.

About this task

SFTP is required to connect to an EMS during a collector discovery.

Procedure

SFTP server setup

  1. Create a user on the desired server.
    The user name and password used in the following examples are both 'benedict'.
    [root@server ~]# useradd benedict
    [root@server ~]# passwd benedict

Client setup

  1. From the client environment, copy the client's SSH public key to the newly created user's account on the server.
    [home@client ~]$ ssh-copy-id benedict@server
  2. Verify the ssh connection by logging into the machine.
    [home@client ~]$ ssh benedict@server
    [benedict@server ~]$ exit
    logout
    Connection to server closed
  3. Verify the sftp connection.
    [home@client ~]$ sftp benedict@server
    Connected to server
    sftp> quit

SFTP server setup

  1. After verifying both the sftp and ssh connections, return to the same server and create a new group to manage the chroot users.
    [root@server ~]# groupadd sftpusers
  2. Create a common directory for the chroot users.
    [root@server ~]# mkdir /sftp
  3. Create a subdirectory for each individual user.
    [root@server ~]# mkdir /sftp/benedict
  4. Create the 'home' directory for the user.
    [root@server ~]# mkdir /sftp/benedict/home
  5. Modify the user to add them to the user group.
    [root@server ~]# usermod -aG sftpusers benedict
  6. Change the ownership of the user's chrooted 'home' directory only. The chroot directory itself (/sftp/benedict) stays owned by root, as sshd requires.
    [root@server ~]# chown benedict:sftpusers /sftp/benedict/home/
  7. Modify /etc/ssh/sshd_config to include the following lines towards the end of the file (directives that follow a Match line apply only to the matched connections, so the block must come after the global settings):
    Match Group sftpusers
      ForceCommand internal-sftp -d /home
      ChrootDirectory /sftp/%u
  8. Restart the sshd service.
    [root@server ~]# systemctl restart sshd
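
Before restarting sshd, it is worth checking the result of steps 1 to 7: sshd refuses a ChrootDirectory that is not owned by root or is writable by group or others, and a wrong Match block locks the user out of both ssh and sftp. The script below is an added pre-flight check, not part of the IBM documentation or the product; it assumes GNU coreutils stat, the /sftp/<user> layout and the sftpusers group from the steps above, and takes the user name as its first argument.

```bash
#!/usr/bin/env bash
# Added pre-flight check (not part of the IBM documentation or the product).
# Verifies the chroot layout and sshd_config Match block from the steps above
# before sshd is restarted. Assumes GNU coreutils stat, the /sftp/<user> layout
# and the 'sftpusers' group used in the procedure; run as root on the server.

# sshd refuses a ChrootDirectory unless it and every parent directory are owned
# by root and not writable by group or others. Args: owner uid and octal mode,
# as printed by `stat -c '%u %a'`. Returns 0 when the component is acceptable.
chroot_component_ok() {
  [ "$1" -eq 0 ] || return 1
  [ $(( 0$2 & 022 )) -eq 0 ]          # 022 = group-write and other-write bits
}

# Returns 0 when the "Match Group <group>" block of the given sshd_config both
# forces internal-sftp and sets a ChrootDirectory (step 7 above). Directives
# after a Match line belong to that block until the next Match line.
sftp_match_block_ok() {
  awk -v grp="$2" '
    tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == grp); next }
    inblk && tolower($1) == "forcecommand"    && $2 == "internal-sftp" { fc = 1 }
    inblk && tolower($1) == "chrootdirectory" && $2 != ""              { cd = 1 }
    END { exit !(fc && cd) }
  ' "$1"
}

# Checks one user end to end: chroot path ownership, writable home subdirectory,
# group membership, Match block, and sshd's own syntax check of the config.
check_sftp_user_layout() {
  user=$1; base=${2:-/sftp}; config=${3:-/etc/ssh/sshd_config}
  for dir in "$base" "$base/$user"; do
    owner_mode=$(stat -c '%u %a' "$dir" 2>/dev/null) ||
      { echo "FAIL: $dir does not exist"; return 1; }
    set -- $owner_mode
    chroot_component_ok "$1" "$2" ||
      { echo "FAIL: $dir must be root-owned and not group/other-writable (uid $1, mode $2)"; return 1; }
  done
  [ "$(stat -c %U "$base/$user/home" 2>/dev/null)" = "$user" ] ||
    { echo "FAIL: $base/$user/home is not owned by $user"; return 1; }
  id -nG "$user" | tr ' ' '\n' | grep -qx sftpusers ||
    { echo "FAIL: $user is not a member of sftpusers"; return 1; }
  sftp_match_block_ok "$config" sftpusers ||
    { echo "FAIL: no 'Match Group sftpusers' block with ForceCommand internal-sftp and ChrootDirectory in $config"; return 1; }
  sshd -t -f "$config" || { echo "FAIL: sshd -t rejected $config"; return 1; }
  echo "OK: $user is ready for chrooted SFTP; restart sshd to apply the change"
}

if [ $# -gt 0 ]; then check_sftp_user_layout "$@"; fi
```

Run it as `sh check-sftp-user.sh benedict` on the server; any FAIL line names the step to revisit before sshd is restarted.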

Client verification

  1. Verify that an interactive ssh login for the chrooted user no longer works.
    [home@client ~]$ ssh benedict@server
    This service allows sftp connections only.
    Connection to server closed.
  2. Verify that sftp access is still valid.
    [home@client ~]$ sftp benedict@server
    Connected to server.
    sftp> pwd
    Remote working directory: /home
    sftp> cd /root
    Couldn't stat remote file: No such file or directory
  3. Make sure that a regular user (one who is not in the sftpusers group) can still log in via ssh without issues.