Secure probe and ObjectServer communication requirements
There are several mechanisms to secure Netcool/OMNIbus. Authentication can be used to restrict user access while Secure Sockets Layer (SSL) protocol can be used for different levels of encryption.
The probe connection mode is dependent on the server component configuration. Check with your Netcool/OMNIbus Administrator whether the server is configured with either secured mode enabled without SSL, SSL enabled with secured mode disabled, or secured mode enabled with SSL protected communications
For more details on running the ObjectServer in secured mode, refer to Running the ObjectServer in secure mode in IBM Documentation. For more details on SSL protected communications, refer to Using SSL for client and server communications in IBM Documentation.
The chart must be configured according to the server components setup in order to establish a
secured connection with or without SSL. This can be configured by setting the
netcool.connectionMode
chart parameter with one of the following options:
Default
- This is the default mode. Use this mode to connect with the ObjectServer with neither secure mode nor SSL.AuthOnly
- Use this mode when the ObjectServer is configured to run in secured mode without SSL.SSLOnly
- Use this mode when the ObjectServer is configured with SSL without secure mode.SSLAndAuth
- Use this mode the ObjectServer is configured with SSL and secure mode.
If you are using the Default
mode, you can skip these steps and proceed
configuring the chart with your ObjectServer connection details.
Determine files required for the secret
For AuthOnly
, SSLOnly
and SSLAndAuth
options,
a secret is required to support the secured connection prior installing the chart. The secret name
should be set in the netcool.secretName
parameter when configuring the chart or
left unset if you want to use the default connection mode.
Several fields are required in the Secret depending on the connection mode that will be configured in the chart.
For secured mode (AuthOnly
), the following fields are required:
encryption.keyfile
- An encryption key file to decrypt your password.AuthUserName
- Specify the username to authenticate with the ObjectServer.AuthPassword
- Specify the password for the specified user. It is recommended to encrypt this string using the encryption key file above.
For SSL enabled mode (SSLOnly
), the following fields are required:
omni.kdb
- A Key Database file. This Key Database file should contain the root Certificate Authority certificate used by the server components.omni.sth
- The Key Database Stash file. This file is required for automatic authentication.
For secured and SSL enabled mode (SSLAndAuth
), the following fields are
required:
encryption.keyfile
- An encryption key file to decrypt your password.AuthUserName
- Specify the username to authenticate with the ObjectServer.AuthPassword
- Specify the password of the specified user. It is recommended to encrypt this string using the encryption key file above.omni.kdb
- A Key Database file. This Key Database file should contain the root Certificate Authority certificate used by the server components.omni.sth
- The Key Database Stash file. This file is required for automatic authentication.
You only need to create a single secret with the required fields which can be used by both the Logstash and Prometheus probes.
Preparing credential files for authentication
For the probe to connect with a secured ObjectServer, the probe must be configured with a valid credential otherwise the ObjectServer will reject the connection. The credentials will be set in a secret for the pods to retrieve the secret and configure the probe. Follow the steps below to prepare the required files prior creating the secret.
If you are connecting to an ObjectServer on IBM Cloud Private, you need to extract the CA certificate from the proxy deployed with the ibm-netcool-prod deployment and use the proxy to secure the connection using TLS. For more information on how to get the connection details and the proxy certificate, see Connecting event sources.
This section is only applicable if you are using either the AuthOnly
or
SSLAndAuth
connection mode.
Some of steps below use utility commands in the probe image. Update the image repository in the each command to pull the image from IBM Cloud Private's private registry or pull the image to your local file system first. For more details about how to pull the image to your local file system, see Pushing and pulling images.
- Contact your Netcool/OMNIbus Administrator to obtain the credentials that should be used by probe clients to authenticate with the ObjectServer. Optionally, you can also request an encrypted password with its encryption key file from the administrator to be used in the secret.
- Create a temporary workspace directory if necessary. The following steps uses
/tmp/probe
as the workspace directory.# Create a temporary directory to mount to the container $ mkdir /tmp/probe
- Create a new file called username.txt and insert the username string into
the file. For example:
echo -n "probe_user" > /tmp/probe/username.txt
- If an encryption key file is not provided by the ObjectServer administrator, you (administrator)
need to create a new encryption key file to encrypt the password. Otherwise, you can skip this step.
To create an encryption file using the
nco_keygen
command from the probe Docker image, use the following commands:# Start the probe container and create an encryption key file in the mounted directory. # Use valid 256 for the key length. $ docker run -e LICENSE=accept \ --entrypoint /bin/bash -it \ -v /tmp/probe:/home/netcool netcool-probe-messagebus:12.0.0-amd64 \ -c "/opt/IBM/tivoli/netcool/omnibus/bin/nco_keygen \ -o /home/netcool/encryption.keyfile \ -l 256"
- Encrypt the password string with the encryption key file using the
nco_aes_crypt
tool withAES_FIPS
cipher and output the encrypted password into a file called password.txt in the mounted directory. Example command to encrypt a password (AVeryStrongPassw0rd
) is shown below. Replace the password string in the command with your own.# Encrypt the password $ docker run -e LICENSE=accept \ --entrypoint /bin/bash -it \ -v /tmp/probe:/home/netcool \ netcool-probe-messagebus:12.0.0-amd64 \ -c "/opt/IBM/tivoli/netcool/omnibus/bin/nco_aes_crypt \ -c AES_FIPS \ -k /home/netcool/encryption.keyfile AVeryStrongPassw0rd \ -o /home/netcool/password.txt"
- Verify that the following files are created in the temporary workspace directory:
- encryption.keyfile
- password.txt
- username.txt
$ ls -1 /tmp/probe/ encryption.keyfile password.txt username.txt
Preparing the key database file for SSL communication
For the probe to connect using SSL, the probe needs the server certificate in its key database in order to authenticate with the server when establishing a connection. The key database files are then put in a secret. Follow the steps below to set up the key database files and add the server certificate.
This is section is only applicable if you are using either the SSLOnly
or
SSLAndAuth
connection.
Some of steps below use utility commands in the probe image. Update the image repository in the each command to pull the image from IBM Cloud Private's private registry or pull the image to your local file system first. For more details about how to pull the image to your local file system, see Pushing and pulling images.
- Contact your Netcool/OMNIbus Administrator to extract the SSL certificate from the server key
database which will then be added into the key database of the probe client, see Extracting certificates from a key database. Use the
nc_gskcmd
to extract the certificate from the server's key database on the server host, for example:$NCHOME/bin/nc_gskcmd -cert -extract \ -db "$NCHOME/etc/security/keys/omni.kdb" \ -pw password \ -label "keylabel" \ -target "$NCHOME/etc/security/keys/certname.arm"
Where
password
is the password for the key database,keylabel
is the description of the certificate in the key database (specify this value as a quoted string), andcertname
is the name of the certificate that you want to extract. Specify the path to the certificate as a quoted string. A sample command to extract the a root CA certificate with the label"NCOMS_CA"
label into the filencoms-ca-cert.arm
:$NCHOME/bin/nc_gskcmd -cert -extract \ -db "$NCHOME/etc/security/keys/omni.kdb" \ -pw password \ -label "NCOMS_CA" \ -target "$NCHOME/etc/security/keys/ncoms-ca-cert.arm"
- Create a temporary workspace directory if necessary. The following steps use
/tmp/probe
as the workspace directory.$ mkdir /tmp/probe
- Copy the server certificate into the workspace directory.
$ cp ncoms-ca-cert.arm /tmp/probe
- Create a key database file with a strong password which meets the password requirements, see
Creating a key database using nc_gskcmd.
For example, to create a key database file that is valid for 366 days:
# Create a Key Database file $ docker run -e LICENSE=accept \ --entrypoint /bin/bash -it \ -v /tmp/probe:/home/netcool \ netcool-probe-messagebus:12.0.0-amd64 \ -c "/opt/IBM/tivoli/netcool/bin/nc_gskcmd -keydb -create \ -db \"/home/netcool/omni.kdb\" \ -pw AVeryStrongKeyDBPasSw0rd \ -stash \ -expire 366"
- Add the server certificate into the key database file. The following example command adds the
server certificate into the ncoms-ca-cert.arm file into the key database with
the label
NCOMS_CA
:# Add server root CA into Key DB $ docker run -e LICENSE=accept \ --entrypoint /bin/bash -it \ -v /tmp/probe:/home/netcool \ netcool-probe-messagebus:12.0.0-amd64 \ -c "/opt/IBM/tivoli/netcool/bin/nc_gskcmd -cert -add \ -db \"/home/netcool/omni.kdb\" \ -pw AVeryStrongKeyDBPasSw0rd \ -label \"NCOMS_CA\" \ -file \"/home/netcool/ncoms-ca-cert.arm\""
- Optionally, you can verify that the server certificate has been added into the key database
using the following command:
# Add server root CA into Key DB $ docker run -e LICENSE=accept \ --entrypoint /bin/bash -it \ -v /tmp/probe:/home/netcool \ netcool-probe-messagebus:12.0.0-amd64 \ -c "/opt/IBM/tivoli/netcool/bin/nc_gskcmd -cert -list \ -db \"/home/netcool/omni.kdb\" \ -pw AVeryStrongKeyDBPasSw0rd" Certificates found default, - personal, ! trusted, # secret key - NCOMS_CA
Create the probe-server communication secret
After the preparing the required files, use the kubectl create secret generic
command with the --from-file
option to create a Kubernetes secret.
Depending on the connection mode that is required by the ObjectServer, create a Secret with the required fields. The secret name should contain the helm release name as a prefix for easy reference.
Example commands are shown below for each connection mode using my-probe
as the
release name to create a secret called my-probe-comms
in the
icp-noi
namespace.
-
To create a secret for secured communication (
AuthOnly
connection mode), use:kubectl create secret generic my-probe-comms \ --namespace icp-noi \ --from-file=encryption.keyfile=/tmp/probe/encryption.keyfile \ --from-file=AuthUserName=/tmp/probe/username.txt \ --from-file=AuthPassword=/tmp/probe/password.txt
-
To create a secret for SSL enabled communication (
SSLOnly
connection mode), use:kubectl create secret generic my-probe-comms \ --namespace icp-noi \ --from-file=omni.kdb=/tmp/probe/omni.kdb \ --from-file=omni.sth=/tmp/probe/omni.sth
-
To create a secret for SSL enabled and secured communication (
SSLAndAuth
connection mode), use:kubectl create secret generic my-probe-comms \ --namespace icp-noi \ --from-file=encryption.keyfile=/tmp/probe/encryption.keyfile \ --from-file=AuthUserName=/tmp/probe/username.txt \ --from-file=AuthPassword=/tmp/probe/password.txt \ --from-file=omni.kdb=/tmp/probe/omni.kdb \ --from-file=omni.sth=/tmp/probe/omni.sth
AuthUserName
,
AuthPassword
, encryption.keyfile
, omni.kdb
and
omni.sth
and is case sensitive. If any of the field key is misspelled, the Pod
might fail to mount to the secret to obtain the secret.encryption.keyfile
when creating the secret as shown below. The sample command
below renames ProbeEncryption.keyfile
to the expected field name.kubectl create secret generic my-probe-comms \
--namespace icp-noi \
--from-file=encryption.keyfile=/tmp/probe/ProbeEncryption.keyfile \
--from-file=AuthUserName=/tmp/probe/username.txt \
--from-file=AuthPassword=/tmp/probe/password.txt \
--from-file=omni.kdb=/tmp/probe/omni.kdb \
--from-file=omni.sth=/tmp/probe/omni.sth
Remember to clean up this directory after you have successfully created the Kubernetes secret.