Configuring observer job security

All observer jobs require password encryption, and in addition some observers require authentication credentials such as certificates, keystores, or both. This topic describes such configuration tasks for OCP and on-prem versions of Agile Service Manager, and also describes how to post an observer job using Swagger (or cURL).

The following steps are described:
  • Encrypt the passwords for all observer load or listen jobs
  • Obtain an authentication certificate
  • Store that certificate as a secret
  • Post an observer job

Encrypt the passwords for all observer load and listen jobs

  1. The jobs for all observers require the password in the configuration file to be encrypted.
    To encrypt the password:
    For OCP
    Use the commands in the following example:
    kubectl exec -ti asm-topology-pods -- java -jar /opt/ibm/topology-service/topology-service.jar
encrypt_password --password 'password'
    Where the value of asm-topology-pods can be obtained using the following command:
    kubectl get pods | grep <release name>-topology
<release name>-topology-xxxxx-xxxxx
    The encryption utility will return an encrypted password.
    For on-prem
    Run the encrypt_password.sh script in the ASM_HOME/bin directory: 
    ./bin/encrypt_password.sh
    Enter and then confirm the password. The encryption utility will return an encrypted password.

To acquire an SSL certificate and copy the certificate to the security folder (on-prem)

  1. Use the following Cisco ACI Observer example to acquire an SSL certificate.
    In the following example, you use OpenSSL to connect to Cisco APIC over port 443, and extract a SSL Certificate from Cisco APIC to a <certificate_file_name>.crt file.
    echo -n | openssl s_client -connect {Cisco APIC IpAddress}:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./{certificate_file_name}.crt
  2. Copy the certificate file <certificate_file_name>.crt to the $ASM_HOME/security directory to complete the SSL setup.

Managing authentication certificates and storing them as secrets (OCP)

  1. Obtain the authentication certificate using OpenSSL. 
    echo -n | openssl s_client -connect {ipAddress}:{port} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | base64 -w 0 > target_system.crt
    Where target_system.crt contains the encoded certificate, and {ipAddress} could be the IP address of any of the following target systems:
    • Bigfix Inventory
    • Ciena Blue Planet
    • Cisco ACI
    • Juniper CSO
    • Kubernetes master node
    • OpenStack
    • Rancher
    • VMware NSX
    • VMware vCenter
    • Zabbix
    Example target_system.crt:
    [root@localhost ~]# cat target_system.crt
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN3RENDQWFnQ0NRRGRuMENqU3BXZXhUQU5CZ2txaGtpRzl3MEJBUVVGQURBaU1RMHdDd1lEVlFRRERBUkIKVUVsRE1SRXdEd1lKS29aSWh2Y05BUWtCRmdKVlV6QWVGdzB4TmpBeE1qRXdOekV5TWpWYUZ3MHlOakF4TVRndwpOekV5TWpWYU1DSXhEVEFMQmdOVkJBTU1CRUZRU1VNeEVUQVBCZ2txaGtpRzl3MEJDUUVXQWxWVE1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQW1Ob0dxdFI0RlFPWkdoUWFtand1YmxRYjRobU0KTzJwOGtjbGUwL2NuUno3cSttWGYzWlRQYTZsWEk2MG9BbmVPSGowZEVaMkhwRWFFblBUbWJmWUF6Y0ZQdjNVWApMWjM3VWVoMDZXTjMxS29tSSs2czJtSk1IWWM0MW44M1RiUU5uWUNjYjZjdlZLcWV5NVhhaFBtdkZDbDBtM3Y3Cisxa1lFMFRNVlBnTk56R0ZSUXU1RVlGc3FZWHZGbFZhZ0lUalF6cks3YnE0RkJiMW1kVjFsYnVOMWhISzd2SFEKS3ZUNHBGbGx1NTRHU0JhZ2RSbUdad0dta0tNZHRGUkEvc3pBWEMrejQ0cHN3T05ydTJnbDR3bG5MZTVvM2NWZwpFQUx1THM4UDgrOUx0eFN3YWJvb0VMcHRjb3pKdEpUb2E4QS9zZXRaSi81RUJQNmhjNk1yUWxHQktRSURBUUFCCk1BMEdDU3FHU0liM0RRRUJCUVVBQTRJQkFRQkJuZzlJK2pBdjhNUjBYemM1SUUxdTBkK0JweW9OZGVRbkl4T2sKZWFsNzNUbmkzWmh4QUQzdlQzenZNSElSUEc0d3lxMWJqQ05LY3BZOGVCbVJuVzhOSnlNdG9vcU9hNlJMWGNPTAoyeVZublVna092THRPVjM5eFNFQ1BOMzV4YXJJdGYydE9NZWJRWlc1ZC9Hc1lPZUFLTlNrTlQwRmtreDE0UzJFClpBVi9IUUVHaVpUR0tQNkx1czYzLzJiTEJVNHdGUjg3bjNkdFJFVUp5eGQ4ZDJDTFA4MkE2UTNOT2lOZEdkam0KSnFQZXNEaWxXWE5Gd09xUk1XOWFGWTVUSUtOL25PQzhqczI0cVFmZTJZcllnZ242N0crLytBQy9kV21JSVQ2dgpBWTVMejhwOWQwSzZUaGxLeVpNZkdYVkNnMFlvTms1ajQ4ckJlZ2J5cFhTM1J2SnIKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=

[root@locahost ~]#
    Tip: To get the ipaddress and port for each respective observer, see Swagger reference or the observer subtopics under Defining observer jobs manually
  2. For the GoogleCloud Observer, encrypt the contents of the service account key file using base64.
    For example: 
    cat {project_id_file_name}.json | base64 -w 0 > googlecloud.json

    Where googlecloud.json contains the encoded service account key file, and {project_id_file_name}.json is the service account key file downloaded from 'Credentials' under 'API & Services' in the Google Cloud Platform dashboard.

    Next, store the encoded service account key file as a secret.
  3. Store a certificate as a secret.
    Each installed Agile Service Manager release has a single special secrets file. Data added to that is made available to the appropriate observer containers. Run the following command, assuming <release-name>-topology is the Helm release name for Agile Service Manager when installed with NOI.
    $ kubectl edit secret <release-name>-topology-custom-secrets
    Paste in the encoded certificate generated in the previous step.
    1. Find the correct secrets file using the following command: 
      $ kubectl get secrets -l app=<release-name>-topology-custom-secrets
NAME TYPE DATA AGE
asm-custom-secrets Opaque 2 29d
    2. Edit the appropriate file for your release. 
      $ kubectl edit secret <release-name>-topology-custom-secrets
    3. Add a name and value pair to the data section.
      The value is the certificate generated earlier. The name is what you enter as the certificate file name to run the observer job.
      data:
{name}:{value}
      Example of expected content in the secret file after adding vcenter.crt is as follows (where the data section is between the 'apiVersion' and 'kind' sections).
      Note: This VMware vCenter Observer example registers the vcenter.crt SSL certificate in OCP Secret, and vcenter.crt is the job parameter value for the VMware vCenter Observer. Define a new {name} parameter in the same file for other observers that require SSL certificates. You provide the certificate in OCP Secret and the settings you provide for truststore/truststore password will be used to generate a new truststore automatically.
      apiVersion: v1
data:
vcenter.crt:LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN3RENDQWFnQ0NRRGRuMENqU3BXZXhUQU5CZ2txaGtpRzl3MEJBUVVGQURBaU1RMHdDd1lEVlFRRERBUkIKVUVsRE1SRXdEd1lKS29aSWh2Y05BUWtCRmdKVlV6QWVGdzB4TmpBeE1qRXdOekV5TWpWYUZ3MHlOakF4TVRndwpOekV5TWpWYU1DSXhEVEFMQmdOVkJBTU1CRUZRU1VNeEVUQVBCZ2txaGtpRzl3MEJDUUVXQWxWVE1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQW1Ob0dxdFI0RlFPWkdoUWFtand1YmxRYjRobU0KTzJwOGtjbGUwL2NuUno3cSttWGYzWlRQYTZsWEk2MG9BbmVPSGowZEVaMkhwRWFFblBUbWJmWUF6Y0ZQdjNVWApMWjM3VWVoMDZXTjMxS29tSSs2czJtSk1IWWM0MW44M1RiUU5uWUNjYjZjdlZLcWV5NVhhaFBtdkZDbDBtM3Y3Cisxa1lFMFRNVlBnTk56R0ZSUXU1RVlGc3FZWHZGbFZhZ0lUalF6cks3YnE0RkJiMW1kVjFsYnVOMWhISzd2SFEKS3ZUNHBGbGx1NTRHU0JhZ2RSbUdad0dta0tNZHRGUkEvc3pBWEMrejQ0cHN3T05ydTJnbDR3bG5MZTVvM2NWZwpFQUx1THM4UDgrOUx0eFN3YWJvb0VMcHRjb3pKdEpUb2E4QS9zZXRaSi81RUJQNmhjNk1yUWxHQktRSURBUUFCCk1BMEdDU3FHU0liM0RRRUJCUVVBQTRJQkFRQkJuZzlJK2pBdjhNUjBYemM1SUUxdTBkK0JweW9OZGVRbkl4T2sKZWFsNzNUbmkzWmh4QUQzdlQzenZNSElSUEc0d3lxMWJqQ05LY3BZOGVCbVJuVzhOSnlNdG9vcU9hNlJMWGNPTAoyeVZublVna092THRPVjM5eFNFQ1BOMzV4YXJJdGYydE9NZWJRWlc1ZC9Hc1lPZUFLTlNrTlQwRmtreDE0UzJFClpBVi9IUUVHaVpUR0tQNkx1czYzLzJiTEJVNHdGUjg3bjNkdFJFVUp5eGQ4ZDJDTFA4MkE2UTNOT2lOZEdkam0KSnFQZXNEaWxXWE5Gd09xUk1XOWFGWTVUSUtOL25PQzhqczI0cVFmZTJZcllnZ242N0crLytBQy9kV21JSVQ2dgpBWTVMejhwOWQwSzZUaGxLeVpNZkdYVkNnMFlvTms1ajQ4ckJlZ2J5cFhTM1J2SnIKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
kind:Secret
    If the edit is successful, the following message will be displayed: 
    secret "<release-name>-topology-custom-secrets" edited
  4. In the OCP GUI, you can view the configured secret under the Menu > Workload > Secrets option, where the Name is 'asm-custom-secrets'. Within asm-custom-secrets, all data configured earlier is displayed.

Posting a job

  1. Post the job via the Swagger UI or cURL.
    Note: The default value for the password_ssl_truststore_file property is password and has to be encrypted.
    Example cURL command:
    curl --location --insecure  --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'X-TenantID: cfd95b7e-3bc7-4006-a4a8-a73a79c71255' -d '{
  "unique_id": "my job",
  "type": "query",
  "parameters": {
    "data_center": "LondonDC1",
    "vcenter_username": "admin",
    "vcenter_password": "RW+w==",
    "vcenter_api_url": "https://localhost/rest",
    "vcenter_certificate": "vcenter.crt",
    "ssl_truststore_file": "localhost.jks",
    "password_ssl_truststore_file": "IxcQ9w==",
    "connect_read_timeout_ms": 5000
  }
}' 'https://<master-ip address>/1.0/vmvcenter-observer/jobs/restapi'
    Note: When using cURL, you may need to add --location so that it will follow redirects, and --insecure as the proxy server is using HTTPS.
For a repeating job, you can wrap the cURL in a script and use a normal cron job.