Connecting a data collector through an HTTPS Squid proxy

To enable the connection for an IBM® Storage Insights data collector through an HTTPS Squid proxy, you must configure the HTTPS port for IBM Storage Insights to accept internal HTTP communication.

Before you begin

Identify the outbound HTTPS port that is used by data collectors to communicate with IBM Storage Insights. This port is defined in the httpsProxyPort parameter in the setup.properties file for each data collector. The default HTTPS port for IBM Storage Insights is 443. 

If your organization uses a port number other than 443, remember that number when you complete the following procedure.

About this task

Update the squid.conf file located in the /etc/squid/ directory on the server where the Squid proxy is installed. To support HTTPS tunneling and a connection to data collectors, you must add a line that configures the Squid proxy with the port for IBM Storage Insights to accept HTTP communication.

Procedure

  1. On the Squid proxy server, use a text editor to open /etc/squid/squid.conf.
  2. Locate the https_port section in squid.conf. For example:
    ## Accept certificates that fail verification (should only be needed if using 'sslproxy_cert_error allow all')
    sslproxy_flags DONT_VERIFY_PEER
    https_port 443 intercept ssl-bump cert=/etc/squid/certs/squid-ca-cert-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
  3. Add the following line above or below the https_port line: 
    http_port 443 ssl-bump cert=/etc/squid/certs/squid-ca-cert-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB

    where 443 is the same port number that is specified in the https_port line of the squid.conf file and is used by IBM Storage Insights.

    Here's an example of how the updated section in squid.conf might look:

    ## Accept certificates that fail verification (should only be needed if using 'sslproxy_cert_error allow all')
    sslproxy_flags DONT_VERIFY_PEER
    http_port 443 ssl-bump cert=/etc/squid/certs/squid-ca-cert-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
    https_port 443 intercept ssl-bump cert=/etc/squid/certs/squid-ca-cert-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
  4. Save the file.
  5. Restart the Squid proxy server.

    To restart the Squid proxy server on a Linux® device, use the following command:

    service squid restart

    Or, you can stop the service using systemctl stop squid.service and then start it with systemctl start squid.service.
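
A check to run between steps 4 and 5, as an added example rather than IBM's own tooling: it reads httpsProxyPort from a data collector's setup.properties (defaulting to 443) and confirms that squid.conf has uncommented http_port and https_port lines with ssl-bump on that port. The function names are hypothetical. It also reports when sslproxy_flags DONT_VERIFY_PEER is present, because that setting makes the proxy accept upstream certificates that fail verification.

```shell
#!/bin/sh
# Added example (not IBM's code). Function names are hypothetical.

# Print httpsProxyPort from setup.properties; default to 443 when the key is absent.
collector_port() {
    port=$(sed -n 's/^[[:space:]]*httpsProxyPort[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${port:-443}"
}

# Succeed if squid.conf ($1) has an uncommented "<directive> [addr:]<port> ... ssl-bump" line.
has_bump_listener() {   # args: squid.conf directive port
    grep -Eq "^[[:space:]]*$2[[:space:]]+([^[:space:]]*:)?$3[[:space:]]+(.*[[:space:]])?ssl-bump([[:space:]]|\$)" "$1"
}

# Return 0 only when both listeners exist on the collector's port.
check_squid_conf() {    # args: squid.conf setup.properties
    conf=$1
    port=$(collector_port "$2")
    rc=0
    for directive in http_port https_port; do
        if ! has_bump_listener "$conf" "$directive" "$port"; then
            echo "MISSING: $directive $port with ssl-bump" >&2
            rc=1
        fi
    done
    # The sample configuration on this page disables upstream certificate checks; surface that.
    if grep -Eq '^[[:space:]]*sslproxy_flags[[:space:]].*DONT_VERIFY_PEER' "$conf"; then
        echo "NOTE: sslproxy_flags DONT_VERIFY_PEER is set; upstream certificates are not verified" >&2
    fi
    return $rc
}

# Stand-alone use: sh check.sh /etc/squid/squid.conf /path/to/setup.properties
if [ "$#" -eq 2 ]; then
    check_squid_conf "$1" "$2"
fi
```

Running squid -k parse before the restart additionally catches syntax errors in the edited file.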

Results

After you enable the connection for data collectors through an HTTPS Squid proxy, metadata about your devices can be collected. If metadata collection continues to fail, open a support ticket as described in Getting support.