You can obtain the prerequisites that you need to register your servers and set up
security monitoring manually. The information that you need to enable the usage metering feature
includes the URL of the usage metering feature in WebSphere Automation,
the API Key, and the usage metering certificate.
Before you begin
To register your application servers with the usage metering service in WebSphere Automation, you must configure the usage metering feature in each application server. The usage metering feature is available in the following WebSphere® Application Server fix packs and Liberty versions. If your application servers are on older fix packs or versions, you cannot register them with WebSphere Automation.
- WebSphere Application Server (all editions) 8.5.5.15 and later
- WebSphere Application Server (all editions) 9.0.0.9 and later
- Liberty (all editions) 18.0.0.3 and later
Important: The usage metering feature is a supported, stabilized component of WebSphere Application Server and WebSphere Application Server Liberty for
use with WebSphere Automation. It was previously used with the now
removed metering service in IBM Cloud Private. Stabilization of the feature supersedes any mention
of its deprecation in the documentation for WebSphere Application Server or WebSphere Application Server Liberty.
About this task
To configure the usage metering feature in each of your application servers, you must obtain the following usage metering items. Example code snippets for these items are provided in the Register server dialog. To view, click Register server from the Server management page. Make copies of the example code and adjust as necessary for your environment. The instructions for registering WebSphere Application Server and WebSphere Application Server Liberty servers detail how to use these items.
- URL
  The URL of the usage metering service in WebSphere Automation. This service registers WebSphere Application Server servers and Liberty servers with WebSphere Automation so that you can track security vulnerabilities.
- API key
  The token used to authenticate the WebSphere Application Server servers and Liberty servers during the registration process.
- Usage metering certificate
  The certificate that contains the public key. This key allows an application server that is registering with WebSphere Automation to do an SSL handshake with the metering service.
You use the same URL, API key, and usage metering certificate for all your application servers that you register with the usage metering service in WebSphere Automation. The application servers can be WebSphere Application Server servers or Liberty servers. Therefore, if you obtained the URL, API key, and certificate previously and still have them, you don't need to obtain them again.
Use either of the following methods to obtain the URL and the API key for both WebSphere Application Server servers and for Liberty servers. Also, use either method to obtain the usage metering certificate for Liberty servers.
To obtain usage metering certificates for WebSphere Application Server servers, you use a command specific to WebSphere Application Server.
Procedure
- Obtain the usage metering URL.
You can use either the Red Hat OpenShift CLI client or the administrative console.
- Obtain the URL through the Red Hat OpenShift CLI client.
- With the oc command, obtain the URL and save it to the url.txt file.
Set the name_space variable to the namespace where WebSphere Automation is installed.
For the UNIX operating system, run the following command.
oc get route cpd -n name_space -o jsonpath=https://{.spec.host}/websphereauto/meteringapi > url.txt && cat url.txt
For the Windows operating system, run the following command.
oc get route cpd -n name_space -o jsonpath=https://{.spec.host}/websphereauto/meteringapi > url.txt && type url.txt
The url.txt file is saved to the same directory in which the command runs. However, you can choose a different file name and directory. In some situations, you manually specify the URL that you saved so that you can configure your application server with the usage metering service.
- Obtain the URL from your Red Hat OpenShift administrative console.
- On the Red Hat OpenShift administrative console, click
Installed Operators.
- In the Project menu, select the namespace in which the WebSphere Automation instance is installed.
- Select the WebSphere Automation operator.
- Select the WebSphereSecure Instances tab.
- Select the instance.
- Copy the hostname from the IBM Automation UI field and replace the hostname variable in the https://hostname/websphereauto/meteringapi URL with it.
- Save the URL to a file, such as the url.txt file.
You choose the file name and directory. In some situations, you manually specify the URL so that you can configure your application server with the usage metering service that is in WebSphere Automation.
- Obtain the API key.
You can use either the Red Hat OpenShift CLI client or the administrative console.
- Obtain the API key with the Red Hat OpenShift CLI client.
- Set the name_space variable to the namespace where WebSphere Automation is installed. The resulting instance name is used in the next command to obtain the API key.
For the UNIX operating system, run the following command.
oc get WebSphereSecure -n name_space -o jsonpath='{.items[?(@.kind=="WebSphereSecure")].metadata.name}'
For the Windows operating system, run the following command.
oc get WebSphereSecure -n name_space -o jsonpath={.items[?(@.kind=='WebSphereSecure')].metadata.name}
- With the oc command, obtain the API key and save it to the api-key.txt file.
Replace the instance_name variable with the instance name that resulted from the previous command. The variable is in two places in the following commands.
For the UNIX operating system, run the following command.
oc -n name_space get secret instance_name-metering-apis-encrypted-tokens -o jsonpath='{.data.'instance_name'-metering-apis-sa}' | base64 -d > api-key.txt && cat api-key.txt
For the Windows operating system, run the following command.
oc -n name_space get secret instance_name-metering-apis-encrypted-tokens -o jsonpath={.data.instance_name-metering-apis-sa} > temp.txt && type temp.txt
For the Windows operating system, decode the API key by using base64 decoding.
certutil -decode temp.txt api-key.txt && type api-key.txt
The api-key.txt file is saved to the same directory in which the command runs. However, you can choose a different file name and directory. In some situations, you manually specify the API key that you saved so that you can configure your application server with the usage metering service.
- Obtain the API key from your Red Hat OpenShift administrative console.
- On the Red Hat OpenShift administrative console, click .
- In the project menu, select the namespace in which the WebSphere Automation instance is installed.
- Search for the metering-apis-encrypted-tokens field, and then click the secret.
- Click Reveal values and copy the API key.
- Save the API key to a file, such as the api-key.txt file.
You choose the file name and directory. In some situations, you manually specify the API key so that you can configure your application server with the usage metering service that is in WebSphere Automation.
Note: Storing the API key in plain text format is not a security concern. The key permits access only to the usage metering APIs, and is only used to register servers. No information is returned to the caller by the usage metering APIs.
- Obtain the usage metering certificate.
You can use either the Red Hat OpenShift CLI client or the administrative console.
Note: The usage metering certificate is valid for 90 days. When it expires, it must be replaced.
- Obtain the usage metering certificate by using your Red Hat OpenShift CLI client.
- Run one of the following oc commands to obtain the usage metering certificate.
Save the usage metering certificate to a metering_certificate_file.pem file.
Set the name_space variable to the namespace where WebSphere Automation is installed.
For the UNIX operating system when a custom certificate is configured, run the following command:
oc get secret wsa-external-tls-secret -n name_space -o jsonpath='{.data.cert\.crt}' | base64 -d > metering_certificate_file.pem && cat metering_certificate_file.pem
Otherwise, for the UNIX operating system when the default certificate is used, run the following command:
oc get secret wsa-default-external-tls-secret -n name_space -o jsonpath='{.data.cert\.crt}' | base64 -d > metering_certificate_file.pem && cat metering_certificate_file.pem
For the Windows operating system when a custom certificate is configured, run the following command to save the base64-encoded certificate:
oc get secret wsa-external-tls-secret -n name_space -o jsonpath={.data.cert\.crt} > cert.txt
Otherwise, for the Windows operating system when the default certificate is used, run the following command:
oc get secret wsa-default-external-tls-secret -n name_space -o jsonpath={.data.cert\.crt} > cert.txt
For the Windows operating system, decode the certificate by using base64 decoding.
certutil -decode cert.txt usagemeteringcert.pem && type usagemeteringcert.pem
The usagemeteringcert.pem file is saved to the same directory in which the command runs. You can choose the file name and directory. In some situations, you manually specify the usage metering certificate that you saved so that you can configure your application server with the usage metering service.
- Obtain the usage metering certificate from your Red Hat OpenShift administrative console.
- On the Red Hat OpenShift console, click .
- Choose the project in which the WebSphere Automation instance was created.
- Search for the external-tls-secret secret (if a custom certificate is configured) or wsa-default-external-tls-secret (if the default certificate is configured), then click it.
- Click Reveal values, then copy the certificate.
- Save the contents of the certificate to a file, such as the metering_certificate_file.pem file. You choose the file name and directory for the file. In some situations, you manually specify the usage metering certificate that you saved so that you can configure your application server with the usage metering service.
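The following pre-flight check is an added example, not part of the product documentation. It confirms that the saved URL has the metering API form shown in the procedure and that the saved PEM file parses as an X.509 certificate that does not expire within a chosen window, which matters because the certificate is valid for only 90 days. The function names, the --check argument, and the 14-day default window are assumptions; the openssl command must be installed.

```sh
#!/bin/sh
# Added example: sanity-check the saved usage metering artifacts before
# configuring application servers. File names follow this page; function
# names, the --check argument and the 14-day window are assumptions.

# check_url FILE: succeed only if FILE holds a single https URL that ends in
# the metering API path used on this page.
check_url() {
    url=$(tr -d '\r' < "$1") || return 1
    case "$url" in
        *[[:space:]]*) return 1 ;;   # embedded blanks or more than one line
        https://?*/websphereauto/meteringapi) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_status FILE [DAYS]: print "invalid" if FILE is not a parsable PEM
# certificate (for example, it is empty or still base64-encoded), "expiring"
# if it expires within DAYS days (default 14), otherwise "ok".
cert_status() {
    pem=$1
    days=${2:-14}
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo invalid
    elif openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
    fi
}

# Check the file names used on this page when called with --check.
if [ "${1:-}" = "--check" ]; then
    check_url url.txt || echo "url.txt: not an https .../websphereauto/meteringapi URL"
    echo "metering_certificate_file.pem: $(cert_status metering_certificate_file.pem)"
fi
```

Run it with --check from the directory that holds url.txt and metering_certificate_file.pem; an "expiring" result means the certificate should be obtained again before it lapses.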