DPOD WS-M (WS-Management) agents receive HTTP requests from multiple sources:

  • API-Connect Analytics - payload capture using Analytics Offload of API-Connect APIs

  • DataPower gateway Analytics Endpoint - payload capture of API-Connect APIs when Analytics Offload is not available

  • DataPower gateway WS-M Agent - payload capture of DataPower services (WSP, MPGW) as well as API-Connect v5/v5c APIs

  • DataPower gateway SOAP log targets - policy variables capture of API-Connect v5/v5c APIs

TLS support is only available for traffic coming from API-Connect Analytics Offload. Secure tunneling for the other sources is currently not supported (the DataPower gateway does not support TLS configuration for its WS-M agent traffic), so those sources continue to arrive over plain HTTP.

Securing a WS-M Agent for API-Connect Analytics Offload

  1. Before securing the WS-M agent, test payload capture from API-Connect Analytics Offload over plain http first and confirm that the captured payloads are displayed in DPOD. That way a later failure can be attributed to the TLS setup rather than to the capture configuration.

  2. Make sure you have the following files in .pem format - use exactly the file names listed below:

    1. CA certificate - dpod-agents-ca-cert.pem - if there are several CA certificates (root CA and intermediate CAs), the pem file should contain all of them concatenated one after the other. This is the file API-Connect will be given to verify the WS-M agent, so it must contain every CA in the agent certificate's chain.

    2. WS-M agent certificate - dpod-agents-server-cert.pem

    3. WS-M agent certificate key - dpod-agents-server-key.pem - an unencrypted PEM key (an encrypted key makes the openssl pkcs12 step below prompt for its passphrase). Keep its file permissions restricted to the DPOD user.

  3. Choose a single WS-M agent that will receive all traffic from API-Connect Analytics Offload. In a cell environment this should be a single WS-M agent from one of the cell members. If you have already tested this using http, use the WS-M agent you chose for testing. Make sure this WS-M agent is not used for the other sources listed above: once it is switched to https, sources that only send plain http can no longer deliver to it, so it should be dedicated to API-Connect Analytics Offload.

  4. Configure the chosen WS-M agent:

    1. Log in to DPOD's server using SSH (in a cell environment - log in to the relevant cell member).

    2. Create a new custom keys directory:

      Code Block
      mkdir -p /app/keys/agents/custom
    3. Copy the pem files to this directory, so that it contains exactly the three files:

      Code Block
      ls /app/keys/agents/custom
      dpod-agents-ca-cert.pem dpod-agents-server-cert.pem dpod-agents-server-key.pem
    4. Create a p12 key store with the certificate chain (agent certificate first, then the CA certificates) and the key. Replace <PASSWORD> with a password of your choice to protect the key store. Note that a password passed as pass:<PASSWORD> is visible in the shell history and, while openssl runs, in the process list of the DPOD server; on a shared host prefer -passout env:VARIABLE or -passout stdin. Restrict the resulting .p12 file to the DPOD user (for example with chmod 600), since it contains the agent's private key:

      Code Block
      cat /app/keys/agents/custom/dpod-agents-server-cert.pem >/app/keys/agents/custom/dpod-agents-server-chain.pem
      cat /app/keys/agents/custom/dpod-agents-ca-cert.pem >>/app/keys/agents/custom/dpod-agents-server-chain.pem
      openssl pkcs12 -export -in /app/keys/agents/custom/dpod-agents-server-chain.pem -inkey /app/keys/agents/custom/dpod-agents-server-key.pem -passout pass:<PASSWORD> >/app/keys/agents/custom/dpod-agents-server-keystore.p12
    5. Deploy the key store to the relevant WS-M agent (replace MonTier-WsmAgent-X with the name of the chosen WS-M agent):

      Code Block
      mkdir -p /app/flume/wsm_agents/conf/MonTier-WsmAgent-X/certs
      cp /app/keys/agents/custom/dpod-agents-server-keystore.p12 /app/flume/wsm_agents/conf/MonTier-WsmAgent-X/certs/
    6. Change the following configuration in /app/flume/wsm_agents/conf/MonTier-WsmAgent-X/flume_wsm.properties (replace <PASSWORD> with the key store password; keyPassword is the password of the private key inside the store, which is the same password when the store was created with the single openssl pkcs12 command above). The properties file now holds the password in clear text, so make sure it is readable only by the user the WS-M agent runs as:

      Code Block
      MonTier-WsmAgent-X.sources.wsmHttpSource1.protocol = https
      MonTier-WsmAgent-X.sources.wsmHttpSource1.keyStorePath = /app/flume/wsm_agents/conf/MonTier-WsmAgent-X/certs/dpod-agents-server-keystore.p12
      MonTier-WsmAgent-X.sources.wsmHttpSource1.keyStoreType = PKCS12
      MonTier-WsmAgent-X.sources.wsmHttpSource1.keyStorePassword = <PASSWORD>
      MonTier-WsmAgent-X.sources.wsmHttpSource1.keyPassword = <PASSWORD>
    7. Stop and start WS-M agents using app-util.sh.

  5. Configure API-Connect Analytics Offload:

    1. Follow the API-Connect Analytics documentation to configure API-Connect Analytics Offload to use https.
      The following steps are provided as an example.

    2. Make sure the file dpod-agents-ca-cert.pem is available in the current directory and create a secret (for example dpod-offload-certificates), in the namespace of the AnalyticsCluster, containing the CA certificate:

      Code Block
      kubectl create secret generic dpod-offload-certificates --from-file=cacert.pem=dpod-agents-ca-cert.pem
    3. Edit the AnalyticsCluster CR and change the following configuration (merge it with the existing one):
      - Add secretName
      - Change url to start with https
      - Add cacert

      Code Block
      kubectl edit analyticscluster
      
      spec:
        external:
          offload:
            ...
            secretName: dpod-offload-certificates
            output: |
              http {
                url => "https://..."
                cacert => "/etc/velox/external_certs/offload/cacert.pem"
                ...
              }
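The following script is an added example, not part of the DPOD or API-Connect documentation. It rehearses the key store build from steps 4.3 and 4.4 on throwaway certificates generated in a temporary directory (stand-ins for the real dpod-agents-*.pem files, using the same file names) and then runs the checks worth doing before the .p12 is copied to the agent: that the agent certificate verifies against the CA file API-Connect will be given in step 5.2, that the key store opens with the password and contains both the key and the full chain, and that the key inside the store matches the certificate. The directory, host name, CA subject and password are assumptions; the key store password is passed through the environment (openssl's env: password source) instead of on the command line.

```shell
#!/bin/sh
# Added example, not from the DPOD documentation: rehearse the key store build of
# steps 4.3-4.4 on throwaway certificates and sanity-check the result.
# Assumptions: a temp dir stands in for /app/keys/agents/custom; the CA, server
# certificate, key, host name and password below are constructed test material.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYS="$WORK/custom"
mkdir -p "$KEYS"
# Password read by openssl via env:KEYSTORE_PASS, so it never appears in argv.
export KEYSTORE_PASS="${KEYSTORE_PASS:-example-only-password}"

# Constructed test material: a throwaway root CA and a server certificate it
# signs, written under the exact file names the procedure requires.
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Test DPOD Agents CA" \
    -keyout "$KEYS/ca-key.pem" -out "$KEYS/dpod-agents-ca-cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dpod-agent.example.test" \
    -keyout "$KEYS/dpod-agents-server-key.pem" -out "$KEYS/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:dpod-agent.example.test\nextendedKeyUsage=serverAuth\n' \
    > "$KEYS/server.ext"
  openssl x509 -req -in "$KEYS/server.csr" -days 1 \
    -CA "$KEYS/dpod-agents-ca-cert.pem" -CAkey "$KEYS/ca-key.pem" -CAcreateserial \
    -extfile "$KEYS/server.ext" -out "$KEYS/dpod-agents-server-cert.pem" 2>/dev/null
  chmod 600 "$KEYS"/*-key.pem
}

# Mirrors steps 4.3 and 4.4: leaf certificate first, then the CA chain, then
# pack chain and key into PKCS#12. Same password protects the store and the key.
build_keystore() {
  cat "$KEYS/dpod-agents-server-cert.pem" "$KEYS/dpod-agents-ca-cert.pem" \
    > "$KEYS/dpod-agents-server-chain.pem"
  openssl pkcs12 -export \
    -in "$KEYS/dpod-agents-server-chain.pem" \
    -inkey "$KEYS/dpod-agents-server-key.pem" \
    -passout env:KEYSTORE_PASS \
    -out "$KEYS/dpod-agents-server-keystore.p12"
  chmod 600 "$KEYS/dpod-agents-server-keystore.p12"
}

# Pre-deployment checks. Prints "ok" and returns 0 only if all three hold:
#  1. the agent certificate chains to the CA file API-Connect will trust;
#  2. the .p12 opens with the password and carries leaf + CA (>= 2 certificates);
#  3. the RSA key inside the .p12 matches the agent certificate.
verify_keystore() {
  openssl verify -CAfile "$KEYS/dpod-agents-ca-cert.pem" \
    "$KEYS/dpod-agents-server-cert.pem" >/dev/null 2>&1 || return 1
  certs=$(openssl pkcs12 -in "$KEYS/dpod-agents-server-keystore.p12" \
    -passin env:KEYSTORE_PASS -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE')
  [ "$certs" -ge 2 ] || return 1
  p12_mod=$(openssl pkcs12 -in "$KEYS/dpod-agents-server-keystore.p12" \
    -passin env:KEYSTORE_PASS -nocerts -nodes 2>/dev/null | openssl rsa -noout -modulus 2>/dev/null)
  cert_mod=$(openssl x509 -in "$KEYS/dpod-agents-server-cert.pem" -noout -modulus)
  [ -n "$cert_mod" ] && [ "$p12_mod" = "$cert_mod" ] || return 1
  echo ok
}

make_test_certs
build_keystore
verify_keystore
```

Run it as-is to see the build succeed on the constructed material; point KEYS at /app/keys/agents/custom and drop make_test_certs to check a real key store. After the agent has been restarted with protocol = https, `openssl s_client -connect <agent-host>:<port> -CAfile dpod-agents-ca-cert.pem -verify_return_error` from the API-Connect side should end with "Verify return code: 0 (ok)"; anything else means the CA file handed to API-Connect in step 5.2 does not match the chain the agent presents.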