Secure probe and ObjectServer communication requirements

There are several mechanisms to secure Netcool/OMNIbus. Authentication can be used to restrict user access while Secure Sockets Layer (SSL) protocol can be used for different levels of encryption.

The probe connection mode is dependent on the server component configuration. Check with your Netcool/OMNIbus Administrator whether the server is configured with either secured mode enabled without SSL, SSL enabled with secured mode disabled, or secured mode enabled with SSL protected communications

For more details on running the ObjectServer in secured mode, refer to Running the ObjectServer in secure mode in IBM Documentation. For more details on SSL protected communications, refer to Using SSL for client and server communications in IBM Documentation.

The chart must be configured according to the server components setup in order to establish a secured connection with or without SSL. This can be configured by setting the netcool.connectionMode chart parameter with one of the following options:

  • Default - This is the default mode. Use this mode to connect with the ObjectServer with neither secure mode nor SSL.
  • AuthOnly - Use this mode when the ObjectServer is configured to run in secured mode without SSL.
  • SSLOnly - Use this mode when the ObjectServer is configured with SSL without secure mode.
  • SSLAndAuth - Use this mode the ObjectServer is configured with SSL and secure mode.
To secure the communications between probe clients and the ObjectServer, you must perform the following tasks that must be completed before installing the chart:
  1. Determine files required for the secret
  2. Preparing credential files for authentication
  3. Preparing the key database file for SSL communication
  4. Create the probe-server communication secret

If you are using the Default mode, you can skip these steps and proceed configuring the chart with your ObjectServer connection details.

Note: There are several known limitations listed in the Limitations section when securing probe communications.

Determine files required for the secret

For AuthOnly, SSLOnly and SSLAndAuth options, a secret is required to support the secured connection prior installing the chart. The secret name should be set in the netcool.secretName parameter when configuring the chart or left unset if you want to use the default connection mode.

Several fields are required in the Secret depending on the connection mode that will be configured in the chart.

For secured mode (AuthOnly), the following fields are required:

  • encryption.keyfile - An encryption key file to decrypt your password.
  • AuthUserName - Specify the username to authenticate with the ObjectServer.
  • AuthPassword - Specify the password for the specified user. It is recommended to encrypt this string using the encryption key file above.

For SSL enabled mode (SSLOnly), the following fields are required:

  • omni.kdb - A Key Database file. This Key Database file should contain the root Certificate Authority certificate used by the server components.
  • omni.sth - The Key Database Stash file. This file is required for automatic authentication.

For secured and SSL enabled mode (SSLAndAuth), the following fields are required:

  • encryption.keyfile - An encryption key file to decrypt your password.
  • AuthUserName - Specify the username to authenticate with the ObjectServer.
  • AuthPassword - Specify the password of the specified user. It is recommended to encrypt this string using the encryption key file above.
  • omni.kdb - A Key Database file. This Key Database file should contain the root Certificate Authority certificate used by the server components.
  • omni.sth - The Key Database Stash file. This file is required for automatic authentication.

You only need to create a single secret with the required fields which can be used by both the Logstash and Prometheus probes.

Preparing credential files for authentication

For the probe to connect with a secured ObjectServer, the probe must be configured with a valid credential otherwise the ObjectServer will reject the connection. The credentials will be set in a secret for the pods to retrieve the secret and configure the probe. Follow the steps below to prepare the required files prior creating the secret.

If you are connecting to an ObjectServer on IBM Cloud Private, you need to extract the CA certificate from the proxy deployed with the ibm-netcool-prod deployment and use the proxy to secure the connection using TLS. For more information on how to get the connection details and the proxy certificate, see Connecting event sources.

Note:

This section is only applicable if you are using either the AuthOnly or SSLAndAuth connection mode.

Some of steps below use utility commands in the probe image. Update the image repository in the each command to pull the image from IBM Cloud Private's private registry or pull the image to your local file system first. For more details about how to pull the image to your local file system, see Pushing and pulling images.

  1. Contact your Netcool/OMNIbus Administrator to obtain the credentials that should be used by probe clients to authenticate with the ObjectServer. Optionally, you can also request an encrypted password with its encryption key file from the administrator to be used in the secret.
  2. Create a temporary workspace directory if necessary. The following steps uses /tmp/probe as the workspace directory. 
    # Create a temporary directory to mount to the container 
$ mkdir /tmp/probe
  3. Create a new file called username.txt and insert the username string into the file. For example:

    echo -n "probe_user" > /tmp/probe/username.txt

  4. If an encryption key file is not provided by the ObjectServer administrator, you (administrator) need to create a new encryption key file to encrypt the password. Otherwise, you can skip this step. To create an encryption file using the nco_keygen command from the probe Docker image, use the following commands:
    # Start the probe container and create an encryption key file in the mounted directory.
# Use valid 256 for the key length.
$ docker run -e LICENSE=accept \
--entrypoint /bin/bash -it \
-v /tmp/probe:/home/netcool netcool-probe-messagebus:12.0.0-amd64 \
-c "/opt/IBM/tivoli/netcool/omnibus/bin/nco_keygen \
-o /home/netcool/encryption.keyfile \
-l 256"
  5. Encrypt the password string with the encryption key file using the nco_aes_crypt tool with AES_FIPS cipher and output the encrypted password into a file called password.txt in the mounted directory. Example command to encrypt a password (AVeryStrongPassw0rd) is shown below. Replace the password string in the command with your own.
    # Encrypt the password
$ docker run -e LICENSE=accept \
--entrypoint /bin/bash -it \
-v /tmp/probe:/home/netcool \
netcool-probe-messagebus:12.0.0-amd64 \
-c "/opt/IBM/tivoli/netcool/omnibus/bin/nco_aes_crypt \
-c AES_FIPS \
-k /home/netcool/encryption.keyfile AVeryStrongPassw0rd \
-o /home/netcool/password.txt"
  6. Verify that the following files are created in the temporary workspace directory:
    • encryption.keyfile
    • password.txt
    • username.txt
    $ ls -1 /tmp/probe/
encryption.keyfile
password.txt
username.txt

Preparing the key database file for SSL communication

For the probe to connect using SSL, the probe needs the server certificate in its key database in order to authenticate with the server when establishing a connection. The key database files are then put in a secret. Follow the steps below to set up the key database files and add the server certificate.

Note:

This is section is only applicable if you are using either the SSLOnly or SSLAndAuth connection.

Some of steps below use utility commands in the probe image. Update the image repository in the each command to pull the image from IBM Cloud Private's private registry or pull the image to your local file system first. For more details about how to pull the image to your local file system, see Pushing and pulling images.

  1. Contact your Netcool/OMNIbus Administrator to extract the SSL certificate from the server key database which will then be added into the key database of the probe client, see Extracting certificates from a key database. Use the nc_gskcmd to extract the certificate from the server's key database on the server host, for example: 
    $NCHOME/bin/nc_gskcmd -cert -extract \ 
-db "$NCHOME/etc/security/keys/omni.kdb" \ 
-pw password \ 
-label "keylabel" \ 
-target "$NCHOME/etc/security/keys/certname.arm"

    Where password is the password for the key database, keylabel is the description of the certificate in the key database (specify this value as a quoted string), and certname is the name of the certificate that you want to extract. Specify the path to the certificate as a quoted string. A sample command to extract the a root CA certificate with the label "NCOMS_CA" label into the file ncoms-ca-cert.arm: 

    $NCHOME/bin/nc_gskcmd -cert -extract \ 
-db "$NCHOME/etc/security/keys/omni.kdb" \ 
-pw password \ 
-label "NCOMS_CA" \ 
-target "$NCHOME/etc/security/keys/ncoms-ca-cert.arm"
  2. Create a temporary workspace directory if necessary. The following steps use /tmp/probe as the workspace directory. 
    $ mkdir /tmp/probe
  3. Copy the server certificate into the workspace directory. 
    $ cp ncoms-ca-cert.arm /tmp/probe
  4. Create a key database file with a strong password which meets the password requirements, see Creating a key database using nc_gskcmd.

    For example, to create a key database file that is valid for 366 days: 

    # Create a Key Database file 
$ docker run -e LICENSE=accept \ 
--entrypoint /bin/bash -it \ 
-v /tmp/probe:/home/netcool \ 
netcool-probe-messagebus:12.0.0-amd64 \ 
-c "/opt/IBM/tivoli/netcool/bin/nc_gskcmd -keydb -create \ 
-db \"/home/netcool/omni.kdb\" \ 
-pw AVeryStrongKeyDBPasSw0rd \ 
-stash \ 
-expire 366"
  5. Add the server certificate into the key database file. The following example command adds the server certificate into the ncoms-ca-cert.arm file into the key database with the label NCOMS_CA:
    # Add server root CA into Key DB 
$ docker run -e LICENSE=accept \ 
--entrypoint /bin/bash -it \ 
-v /tmp/probe:/home/netcool \ 
netcool-probe-messagebus:12.0.0-amd64 \ 
-c "/opt/IBM/tivoli/netcool/bin/nc_gskcmd -cert -add \ 
-db \"/home/netcool/omni.kdb\" \ 
-pw AVeryStrongKeyDBPasSw0rd \ 
-label \"NCOMS_CA\" \ 
-file \"/home/netcool/ncoms-ca-cert.arm\""
  6. Optionally, you can verify that the server certificate has been added into the key database using the following command: 
    # Add server root CA into Key DB
$ docker run -e LICENSE=accept \ 
--entrypoint /bin/bash -it \ 
-v /tmp/probe:/home/netcool \ 
netcool-probe-messagebus:12.0.0-amd64 \ 
-c "/opt/IBM/tivoli/netcool/bin/nc_gskcmd -cert -list \ 
-db \"/home/netcool/omni.kdb\" \ 
-pw AVeryStrongKeyDBPasSw0rd"
Certificates found
default, - personal, ! trusted, # secret key
- NCOMS_CA

Create the probe-server communication secret

After the preparing the required files, use the kubectl create secret generic command with the --from-file option to create a Kubernetes secret.

Depending on the connection mode that is required by the ObjectServer, create a Secret with the required fields. The secret name should contain the helm release name as a prefix for easy reference.

Example commands are shown below for each connection mode using my-probe as the release name to create a secret called my-probe-comms in the icp-noi namespace.

  • To create a secret for secured communication (AuthOnly connection mode), use:

    kubectl create secret generic my-probe-comms \
--namespace icp-noi \
--from-file=encryption.keyfile=/tmp/probe/encryption.keyfile \
--from-file=AuthUserName=/tmp/probe/username.txt \
--from-file=AuthPassword=/tmp/probe/password.txt

  • To create a secret for SSL enabled communication (SSLOnly connection mode), use:

    kubectl create secret generic my-probe-comms \
--namespace icp-noi \
--from-file=omni.kdb=/tmp/probe/omni.kdb \
--from-file=omni.sth=/tmp/probe/omni.sth

  • To create a secret for SSL enabled and secured communication (SSLAndAuth connection mode), use:

    kubectl create secret generic my-probe-comms \
--namespace icp-noi \
--from-file=encryption.keyfile=/tmp/probe/encryption.keyfile \
--from-file=AuthUserName=/tmp/probe/username.txt \
--from-file=AuthPassword=/tmp/probe/password.txt \
--from-file=omni.kdb=/tmp/probe/omni.kdb \
--from-file=omni.sth=/tmp/probe/omni.sth
Note: Each field key must follow the expected names AuthUserName, AuthPassword, encryption.keyfile, omni.kdb and omni.sth and is case sensitive. If any of the field key is misspelled, the Pod might fail to mount to the secret to obtain the secret.
Tip: If you have a different encryption key file name, you can map the name of the file to encryption.keyfile when creating the secret as shown below. The sample command below renames ProbeEncryption.keyfile to the expected field name.
kubectl create secret generic my-probe-comms \
--namespace icp-noi \
--from-file=encryption.keyfile=/tmp/probe/ProbeEncryption.keyfile  \
--from-file=AuthUserName=/tmp/probe/username.txt \
--from-file=AuthPassword=/tmp/probe/password.txt \
--from-file=omni.kdb=/tmp/probe/omni.kdb \
--from-file=omni.sth=/tmp/probe/omni.sth

Remember to clean up this directory after you have successfully created the Kubernetes secret.