Configuring to use a proxy server

The CVE/PSIRT monitor and fix manager in WebSphere Automation communicate with the ibm.com site to download the most recent common vulnerability and exposure (CVE) data and fixes. If your environment requires an HTTP proxy to contact an external site, configure the CVE/PSIRT monitor and fix manager with your proxy settings.

Before you begin

Refer to the full list of network requirements for WebSphere Automation.

About this task

You must have administrator access to the Red Hat® OpenShift® namespace where WebSphere Automation is installed.

Procedure

  1. Use the standard Java™ system properties to configure the proxy settings and pass them as an environment variable to the CVE/PSIRT monitor and fix manager. Refer to the following example.
    kind: WebSphereSecure
    spec:
      cveMonitor:
        env:
          - name: JVM_ARGS
            value: -Dhttps.proxyHost=<https://proxy-host> -Dhttps.proxyPort=<port>

    kind: WebSphereSecure
    spec:
      fixManager:
        env:
          - name: JVM_ARGS
            value: -Dhttps.proxyHost=<https://proxy-host> -Dhttps.proxyPort=<port>

    In these examples, <http://proxy-host> is a proxy URL to use for creating HTTPS connections outside the cluster, such as connections to the external sites specified in Network requirements. The URL scheme must be either http or https. Specify a URL for the proxy that supports the URL scheme. For example, most proxies report an error if they are configured to use https but only support http. This failure message might not propagate to the logs and can appear to be a network connection failure instead. If you use a proxy that listens for https connections from the cluster, you might need to configure the cluster to accept the certificate authorities and certificates that the proxy uses.

    Note: When you configure the proxy server in JVM_ARGS, the JVM_ARGS environment variable is added twice in the CVE Monitor cron job, which prevents the proxy setting from taking effect. For more information on proxy configuration in JVM_ARGS and a workaround, see Proxy configuration does not take effect.

    1. If you need to pass sensitive information (such as proxy credentials), you can create a separate secret with the proxy credentials and pass them as separate variables. To create the secret with proxy credentials:
      oc create secret generic proxy-credentials --from-literal=user=<user> --from-literal=password=<password>
    2. Pass the credentials to the CVE/PSIRT monitor. Refer to the following example.
      kind: WebSphereSecure
      spec:
        cveMonitor:
          env:
            - name: PROXY_USER
              valueFrom:
                secretKeyRef:
                  key: user
                  name: proxy-credentials
            - name: PROXY_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: proxy-credentials
            - name: JVM_ARGS
              value: -Dhttps.proxyHost=<https://proxy-host> -Dhttps.proxyPort=<port> -Dhttp.proxyUser=$(PROXY_USER) -Dhttp.proxyPassword=$(PROXY_PASSWORD)

      kind: WebSphereSecure
      spec:
        fixManager:
          env:
            - name: PROXY_USER
              valueFrom:
                secretKeyRef:
                  key: user
                  name: proxy-credentials
            - name: PROXY_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: proxy-credentials
            - name: JVM_ARGS
              value: -Dhttps.proxyHost=<https://proxy-host> -Dhttps.proxyPort=<port> -Dhttp.proxyUser=$(PROXY_USER) -Dhttp.proxyPassword=$(PROXY_PASSWORD)
  2. If your HTTP proxy rewrites certificates for HTTPS endpoints and uses custom CA certificates, you must configure the CVE/PSIRT monitor and fix manager to trust your custom CA certificates. Create the wsa-custom-ca-cert secret with the custom CA certificates. Refer to the following example.
    oc create secret generic wsa-custom-ca-cert --from-file=ca.crt=/home/mycacerts.pem
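
The following check is an added example, not IBM code. It lints a container `env` list, taken from the WebSphereSecure resource or from the rendered cron job, for the problems the JVM_ARGS examples and the Note above imply: a duplicated JVM_ARGS, `$(VAR)` references that Kubernetes cannot expand because the variable is defined later in the list, and credentials written as literals. The names `lint_env` and `secret` and the sample lists are constructed for illustration.

```python
import re

REF = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")   # Kubernetes $(VAR) reference
PROP = re.compile(r"-D([\w.]+)=(\S+)")                # -Dkey=value JVM system property

def lint_env(env):
    """Return findings for one container's env list (parsed from YAML or JSON)."""
    findings = []
    count = sum(1 for e in env if e["name"] == "JVM_ARGS")
    if count != 1:
        findings.append(f"JVM_ARGS is defined {count} times, expected 1")
    defined = {}                                       # name -> entry, in list order
    for entry in env:
        value = entry.get("value", "")
        # Kubernetes expands $(VAR) only from variables defined earlier in the
        # list; an unresolved reference reaches the JVM as literal text.
        for ref in REF.findall(value):
            if ref not in defined:
                findings.append(f"{entry['name']}: $({ref}) is not defined before use")
            elif "secretKeyRef" not in defined[ref].get("valueFrom", {}):
                findings.append(f"{entry['name']}: $({ref}) does not come from a secret")
        if entry["name"] == "JVM_ARGS":
            props = dict(PROP.findall(value))
            for key in ("https.proxyHost", "https.proxyPort"):
                if key not in props:
                    findings.append(f"JVM_ARGS: -D{key} is missing")
            for key, val in props.items():
                if key.endswith(("proxyUser", "proxyPassword")) and not REF.fullmatch(val):
                    findings.append(f"JVM_ARGS: -D{key} is a literal, not a $(VAR) reference")
        defined[entry["name"]] = entry
    return findings

def secret(name, key):
    """Hypothetical helper: env entry sourced from the proxy-credentials secret."""
    return {"name": name,
            "valueFrom": {"secretKeyRef": {"name": "proxy-credentials", "key": key}}}

# Constructed sample inputs; host and port keep the page's placeholders.
PROXY = "-Dhttps.proxyHost=<https://proxy-host> -Dhttps.proxyPort=<port>"
CREDS = " -Dhttp.proxyUser=$(PROXY_USER) -Dhttp.proxyPassword=$(PROXY_PASSWORD)"
GOOD = [secret("PROXY_USER", "user"), secret("PROXY_PASSWORD", "password"),
        {"name": "JVM_ARGS", "value": PROXY + CREDS}]
WRONG_ORDER = [GOOD[2], GOOD[0], GOOD[1]]
DUPLICATED = GOOD + [{"name": "JVM_ARGS", "value": "-Xmx512m"}]
LITERAL = [{"name": "JVM_ARGS", "value": PROXY + " -Dhttp.proxyPassword=example-password"}]

if __name__ == "__main__":
    for label, env in [("good", GOOD), ("wrong order", WRONG_ORDER),
                       ("duplicated", DUPLICATED), ("literal", LITERAL)]:
        print(label, lint_env(env))
```

Even when the check passes, the expanded JVM_ARGS value holds the proxy password in clear text inside the container's environment, so access to the pod specification and to the running pods should be restricted accordingly.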