Installing, configuring, and completing common usage scenarios for a TLS proxy
This simple TLS/TCP proxy is used between IBM Netcool Operations Insight® applications that run on-premises and on Kubernetes cloud environments.
Before you begin
About this task
- License
- Review and accept the terms in the license file before you use this software.
- Installation
-
- You must enable the TLSProxy during the installation. To get the name of the deployment, use the
following command:
oc get noi
Example:# oc get noi NAME AGE noi-467 4d8h
- Edit the chart by using the following command:
Add the following lines:oc edit noi <noi-deployment-name>
helmValuesNOI: tlsproxy: enabled: true proxy: enabled: false
- The proxy installation archive can be downloaded directly from the target cluster, as shown in
the following example:
DEPLOYMENT_NAME=<noi-deployment-name> INGRESS_DOMAIN=$(oc get ingresses.config/cluster -o jsonpath={.spec.domain}) curl -kO https://netcool-${DEPLOYMENT_NAME}.${INGRESS_DOMAIN}/deploy/netcool-tls-proxy-0.0.4-linux-amd64.tar.gz
Note: Examples useExtract the tar archive on the target system and configure according to the quick start instructions or one of the how-to scenarios.evtmanager
as theDEPLOYMENT_NAME
. You must use theDEPLOYMENT_NAME=<noi-deployment-name>
, where <noi-deployment-name> is the name of your deployment.
- You must enable the TLSProxy during the installation. To get the name of the deployment, use the
following command:
Procedure
-
Configure plain text to TLS. The following route configuration specifies two routes that both
accept a plain text connection and connect to a TLS version 1.3 server. This configuration scenario
is typical of one that Netcool®
Operations Insight ObjectServer IDUC
Gateway requires.
{ "routes": [{ "name": "primary-tds", "source": { "host": "0.0.0.0", "port": 4100, "tls": false }, "destination": { "host": "DESTINATION_ADDR", "port": 4100, "tls": true, "tlsConfig": { "tlsVersion": "TLS_13", "tlsAuth": "server", "trustCertPath": "trusted-cert.pem" } } }, { "name": "primary-iduc", "source": { "host": "0.0.0.0", "port": 4101, "tls": false }, "destination": { "host": "DESTINATION_ADDR", "port": 4101, "tls": true, "tlsConfig": { "tlsVersion": "TLS_13", "tlsAuth": "server", "trustCertPath": "trusted-cert.pem" } } } ] }
- The server trusted certificate is stored in the trusted-cert.pem
file. To create this file on a system with Kubernetes API access through oc or
kubectl, run the following command:
oc get secret ${RELEASE_NAME}-tlsproxy-cert -o go-template='{{ index .data "tls.crt" }}' -n ${NAMESPACE} | base64 --decode > ${DEPLOYMENT_NAME}-tlsproxy-cert.pem
- The DESTINATION_ADDR that is specified in the route configuration
must match a value in the Subject Alternative Name extension section of the certificate that is
presented by the server.
openssl x509 -text -noout -in trusted-cert.pem ... X509v3 Subject Alternative Name: DNS:evtmanager-tlsproxy.netcool.svc, DNS:evtmanager-tlsproxy.netcool.svc.cluster.local
- It might be necessary to create an entry in /etc/hosts to provide
name resolution.
cat /etc/hosts ... CLUSTER_IP evtmanager-tlsproxy.netcool.svc
- Start the proxy.
NETCOOL_TLS_PROXY_ROUTE=routes.json ./netcool-tls-proxy
- The server trusted certificate is stored in the trusted-cert.pem
file. To create this file on a system with Kubernetes API access through oc or
kubectl, run the following command:
- Configure the proxy with environment variables and a routes configuration file. Values
that are specified in the routes configuration file take precedence over values from the
environment. The routes configuration file defines the source and destination elements that both
comprise a route. See the following example for a simple route configuration:
{ "routes": [{ "name": "primary-tds", "source": { "host": "0.0.0.0", "port": 4100, "tls": false }, "destination": { "host": "netcool.uk.ibm.com, "port": 4100, "tls": true } } ] }
The following table describes the route configuration.Name Description routes Array of route objects. name Text description of route. source Object describing the listening side of the proxy. host Hostname or IP address to listen for connection. port Port number to listen for connection. tls Enable TLS authentication (true or false). destination Object describing the connecting side of the proxy. host Hostname or IP address to dial. port Port number to dial. - If necessary, specify TLS configuration parameters in a configuration file for each
half of a route by defining a
tlsConfig
object."tlsConfig": { "tlsVersion": "TLS_13", "tlsAuth": "server", "certPath": "cert.pem", "keyPath": "key.pem", "trustCertPath": "cert.pem" }
The following table describes the route configuration.Name Description tlsConfig TLS configuration object tlsVersion Minimum version of TLS supported (TLS_12 or TLS_13) tlsAuth TLS authentication type (SERVER|MUTUAL) certPath Path to x509 certificate keyPath Path to private key trustCertPath Path to peer trusted certificate. - In the absence of a
tlsConfig
object, configuration is read from environment variables. Running the proxy with--help
displays all environment variables that are used by the proxy and their current value.bin/netcool-tls-proxy --help netcool-tls-proxy -help Output help text -version Output version info Env: NETCOOL_TLS_PROXY_ROUTE=(unset) NETCOOL_TLS_PROXY_SOURCE_CERT=(unset) NETCOOL_TLS_PROXY_SOURCE_KEY=(unset) NETCOOL_TLS_PROXY_SOURCE_TRUST_CERT=(unset) NETCOOL_TLS_PROXY_DESTINATION_TRUST_CERT=(unset) NETCOOL_TLS_PROXY_DESTINATION_CERT=(unset) NETCOOL_TLS_PROXY_DESTINATION_KEY=(unset) NETCOOL_TLS_PROXY_TLS_AUTH_TYPE=(unset) NETCOOL_TLS_PROXY_TLS_MIN_VERSION=(unset) NETCOOL_TLS_PROXY_HEALTH_HTTP=(unset) NETCOOL_TLS_PROXY_HEALTH_PORT=(unset)
The following definitions explain the environment variable values:- NETCOOL_TLS_PROXY_ROUTE
- The path to the route configuration file.
- NETCOOL_TLS_PROXY_SOURCE_CERT
- The certificate path for the source (listening) side of the proxy.
- NETCOOL_TLS_PROXY_SOURCE_KEY
- Key path for source (listening) side of proxy.
- NETCOOL_TLS_PROXY_SOURCE_TRUST_CERT
- The trusted certificate path for the client verification on the source (listening) side of proxy (Mutual TLS).
- NETCOOL_TLS_PROXY_DESTINATION_TRUST_CERT
- The trusted certificate path for the destination (dialing) side of the proxy.
- NETCOOL_TLS_PROXY_DESTINATION_CERT
- The certificate path for the destination (dialing) side of the proxy (Mutual TLS).
- NETCOOL_TLS_PROXY_DESTINATION_KEY
- The key path for the destination (dialing) side of the proxy (Mutual TLS).
- NETCOOL_TLS_PROXY_TLS_AUTH_TYPE
- The TLS authentication type (
SERVER
orMUTUAL
).
- NETCOOL_TLS_PROXY_TLS_MIN_VERSION
- Minimum accepted TLS version (
TLS_12
orTLS_13
).Note: If you want to send data from on-premises probes, for example Simnet, to your Netcool Operations Insight on Red Hat® OpenShift® deployment, you must specifyTLS_12
as theNETCOOL_TLS_PROXY_TLS_MIN_VERSION
value. - NETCOOL_TLS_PROXY_HEALTH_HTTP
- Health API (
ON
orOFF
).
- NETCOOL_TLS_PROXY_HEALTH_PORT
- Health API listening port.
- If necessary, specify TLS configuration parameters in a configuration file for each
half of a route by defining a
Connect an on-premises IDUC client
- Follow these steps to complete common usage scenarios. Connect an on-premises IDUC client
to the IBM
Netcool Operations Insight
cloud
ObjectServer
deployment.- [Cloud] Expose
ObjectServer ClusterIP
ports by using theloadbalancer
service.Use the
loadbalancer
service in a development or test environment to exposeObjectServer ClusterIP
services externally. Set the variables according to your environment. TheWORKER_IP
variable doesn't need to match the node that hosts theObjectServer
.NAMESPACE=netcool DEPLOYMENT_NAME=evtmanager WORKER_IP=1.2.3.4 cat <<- EOF | oc create -n ${NAMESPACE} -f - apiVersion: v1 kind: Service metadata: name: ${DEPLOYMENT_NAME}-tlsproxy-loadbalancer spec: ports: - name: aggp-tds port: 4100 - name: aggp-iduc port: 4101 - name: aggb-tds port: 4102 - name: aggb-iduc port: 4103 - name: tlsproxy-http port: 8000 externalTrafficPolicy: Cluster externalIPs: - ${WORKER_IP} type: LoadBalancer selector: app.kubernetes.io/name: tlsproxy EOF
- [Cloud] Change the backup
ObjectServer
to use port 4103 for IDUC.To avoid a port number clash, when both the primary and backupObjectServer
services are deployed on the same cluster, change the IDUC port number that is used by the backupObjectServer
service.DEPLOYMENT_NAME=evtmanager oc patch sts ${DEPLOYMENT_NAME}-ncobackup \ -p '{"spec":{"template":{"spec":{"containers":[{"name": "ncobackup-agg-b", "env":[{"name": "NCO_IDUC_LISTENING_PORT","value": "4103"}]}]}}}}'
Fix the backupObjectServer
service to reflect the port number change.oc patch svc ${DEPLOYMENT_NAME}-objserv-agg-backup -p '{"spec":{"ports":[{"name": "backup-iduc-port-patch","port": 4103}]}}'
- [On-premises] Add primary and backup ObjectServer IDUC hostnames to
/etc/hosts.
DEPLOYMENT_NAME=evtmanager cat << EOF >> /etc/hosts 127.0.0.1 ${DEPLOYMENT_NAME}-objserv-agg-primary ${DEPLOYMENT_NAME}-objserv-agg-backup EOF
- [On-premises] Store the proxy certificate as a trusted certificate on the on-premises
host. In a trusted environment, the certificate can be read directly through the following
command:
CLUSTER_ADDRESS=$(oc get ingresses.config/cluster -o jsonpath={.spec.domain}) DEPLOYMENT_NAME=evtmanager echo -n | openssl s_client -connect ${CLUSTER_ADDRESS}:4100 \ -servername ${DEPLOYMENT_NAME}-tlsproxy.netcool.svc | \ openssl x509 > ${DEPLOYMENT_NAME}-tlsproxy-cert.pem
Alternatively, on a system with Kubernetes API access through oc or kubectl, run the following command:DEPLOYMENT_NAME=evtmanager NAMESPACE=netcool oc get secret ${DEPLOYMENT_NAME}-tlsproxy-cert \ -o go-template='{{ index .data "tls.crt" }}' \ -n ${NAMESPACE} | base64 --decode > ${DEPLOYMENT_NAME}-tlsproxy-cert.pem
- [On-premises] Add the Subject Alternative Name from the certificate to the
/etc/hosts folder.
CLUSTER_IP=1.2.3.4 DEPLOYMENT_NAME=evtmanager SAN=${DEPLOYMENT_NAME}-tlsproxy.netcool.svc echo << EOF >> /etc/hosts ${CLUSTER_IP} ${SAN} EOF
The Subject Alternative Name can be read from the certificate:
openssl x509 -text -noout -in ${DEPLOYMENT_NAME}-tlsproxy-cert.pem ... X509v3 Subject Alternative Name: DNS:evtmanager-tlsproxy.netcool.svc, DNS:evtmanager-tlsproxy.netcool.svc.cluster.local
To complete TLS authentication, the
DESTINATION_ADDR
that is specified in the route configuration must match a value in the Subject Alternative Name extension section of the certificate that is presented by the server. - [On-premises] Configure the proxy route.
DEPLOYMENT_NAME=evtmanager SAN=${DEPLOYMENT_NAME}-tlsproxy.netcool.svc DESTINATION_ADDR=${SAN} TRUSTED_CERT=${DEPLOYMENT_NAME}-tlsproxy-cert.pem cat << EOF > routes.json { "routes": [{ "name": "primary-tds", "source": { "host": "0.0.0.0", "port": 4100, "tls": false }, "destination": { "host": "${DESTINATION_ADDR}", "port": 4100, "tls": true, "tlsConfig": { "tlsVersion": "TLS_13", "tlsAuth": "server", "trustCertPath": "${TRUSTED_CERT}" } } }, { "name": "primary-iduc", "source": { "host": "0.0.0.0", "port": 4101, "tls": false }, "destination": { "host": "${DESTINATION_ADDR}", "port": 4101, "tls": true, "tlsConfig": { "tlsVersion": "TLS_13", "tlsAuth": "server", "trustCertPath": "${TRUSTED_CERT}" } } }, { "name": "backup-tds", "source": { "host": "0.0.0.0", "port": 4102, "tls": false }, "destination": { "host": "${DESTINATION_ADDR}", "port": 4102, "tls": true, "tlsConfig": { "tlsVersion": "TLS_13", "tlsAuth": "server", "trustCertPath": "${TRUSTED_CERT}" } } }, { "name": "backup-iduc", "source": { "host": "0.0.0.0", "port": 4103, "tls": false }, "destination": { "host": "${DESTINATION_ADDR}", "port": 4103, "tls": true, "tlsConfig": { "tlsVersion": "TLS_13", "tlsAuth": "server", "trustCertPath": "${TRUSTED_CERT}" } } } ] } EOF
- [On-premises] Start the proxy.
NETCOOL_TLS_PROXY_ROUTE=routes.json ./netcool-tls-proxy
- [On-premises] Configure the
$NCHOME/etc/OMNI.dat
file.cat << EOF >> $NCHOME/etc/omni.dat [OCP_AGG_P] { Primary: 127.0.0.1 4100 } [OCP_AGG_B] { Primary: 127.0.0.1 4102 } EOF $NCHOME/bin/nco_igen
- You can now connect an IDUC client to the cloud-based
ObjectServer
services through the secure TLS tunnel provided by the TLS proxy.
- [Cloud] Expose