DPOD receives data from multiple sources:

- API-Connect Analytics - payload capture using Analytics Offload of API-Connect APIs
- DataPower gateway Analytics Endpoint - payload capture of API-Connect APIs when Analytics Offload is not available
- DataPower gateway WS-M Agent - payload capture of DataPower services (WSP, MPGW) as well as API-Connect v5/v5c APIs
- DataPower gateway SOAP log targets - policy variables capture of API-Connect v5/v5c APIs

TLS support is only available for traffic coming from API-Connect Analytics Offload. Secure tunneling for the other sources is currently not supported.

DPOD WS-M (WS-Management) agents receive HTTP requests over a plain TCP connection, since the DataPower gateway does not support TLS configuration on the WS-M agent. Secure tunneling for that traffic is currently not supported.
Securing a WS-M Agent for API-Connect Analytics Offload
Before securing the WS-M agent, it is recommended to test payload capture using API-Connect Analytics Offload over http (non-secured) and make sure payload capture is displayed in DPOD.

Make sure you have the following files in .pem format - use exactly the file names listed below:

- CA certificate - dpod-agents-ca-cert.pem - if there are several CA certificates (root CA and intermediate CAs), the pem file should contain all certificates concatenated (one after the other).
- WS-M agent certificate - dpod-agents-server-cert.pem
- WS-M agent certificate key - dpod-agents-server-key.pem

Choose a single WS-M agent that will receive all traffic from API-Connect Analytics Offload. In a cell environment, this should be a single WS-M agent from one of the cell members. In case you have already tested this using http, use the WS-M agent you have chosen for testing. Make sure you are not using this WS-M agent for the other sources listed above (it should be dedicated to API-Connect Analytics Offload).

Configure the chosen WS-M agent:
1. Log in to DPOD's server using SSH (in a cell environment, log in to the relevant cell member).
2. Create a new custom keys directory:

   ```
   mkdir -p /app/keys/agents/custom
   ```

3. Copy the pem files to this directory, e.g.:

   ```
   ls /app/keys/agents/custom
   dpod-agents-ca-cert.pem  dpod-agents-server-cert.pem  dpod-agents-server-key.pem
   ```

4. Create a p12 key store with the certificates and key (replace <PASSWORD> with a password of your choice to protect the key store):

   ```
   cat /app/keys/agents/custom/dpod-agents-server-cert.pem > /app/keys/agents/custom/dpod-agents-server-chain.pem
   cat /app/keys/agents/custom/dpod-agents-ca-cert.pem >> /app/keys/agents/custom/dpod-agents-server-chain.pem
   openssl pkcs12 -export -in /app/keys/agents/custom/dpod-agents-server-chain.pem -inkey /app/keys/agents/custom/dpod-agents-server-key.pem -passout pass:<PASSWORD> > /app/keys/agents/custom/dpod-agents-server-keystore.p12
   ```

5. Deploy the key store to the relevant WS-M agent (replace MonTier-WsmAgent-X with the name of the chosen WS-M agent):

   ```
   mkdir -p /app/flume/wsm_agents/conf/MonTier-WsmAgent-X/certs
   cp /app/keys/agents/custom/dpod-agents-server-keystore.p12 /app/flume/wsm_agents/conf/MonTier-WsmAgent-X/certs/
   ```

6. Change the following configuration in /app/flume/wsm_agents/conf/MonTier-WsmAgent-X/flume_wsm.properties (replace <PASSWORD> with the key store password):

   ```
   MonTier-WsmAgent-X.sources.wsmHttpSource1.protocol = https
   MonTier-WsmAgent-X.sources.wsmHttpSource1.keyStorePath = /app/flume/wsm_agents/conf/MonTier-WsmAgent-X/certs/dpod-agents-server-keystore.p12
   MonTier-WsmAgent-X.sources.wsmHttpSource1.keyStoreType = PKCS12
   MonTier-WsmAgent-X.sources.wsmHttpSource1.keyStorePassword = <PASSWORD>
   MonTier-WsmAgent-X.sources.wsmHttpSource1.keyPassword = <PASSWORD>
   ```

7. Stop and start the WS-M agents using app-util.sh.
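A malformed chain file is the usual reason the openssl pkcs12 export in step 4 fails or the agent refuses to start with the new key store, so it is worth preflighting the three pem files before running the two cat commands. The following checker is an added example, not DPOD product code or part of the original procedure; it uses only the Python standard library, and fake_pem builds constructed placeholder blocks (not real certificates) so it can be tried offline.

```python
import base64
import re

# Added example, not DPOD product code: preflight the three PEM files the procedure expects
# and assemble the chain file in the order the two "cat" commands produce it.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem(text):
    """Return [(label, der_bytes)] for every PEM block; reject anything that is not base64 DER."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # X.509 certificates and PKCS#8/PKCS#1 keys are DER SEQUENCEs
            raise ValueError(f"{label} block is not DER-encoded")
        blocks.append((label, der))
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks


def check_key(key_pem):
    """dpod-agents-server-key.pem must hold exactly one unencrypted private key; an
    ENCRYPTED PRIVATE KEY block would make 'openssl pkcs12 -export' stop for a passphrase."""
    blocks = parse_pem(key_pem)
    if len(blocks) != 1 or blocks[0][0] not in PRIVATE_KEY_LABELS:
        raise ValueError("key file must contain exactly one unencrypted private key")
    return blocks[0][0]


def build_chain(server_cert_pem, ca_bundle_pem):
    """Build dpod-agents-server-chain.pem: the agent certificate first, then the CA bundle
    (intermediates followed by root, in the order they appear in dpod-agents-ca-cert.pem)."""
    server = parse_pem(server_cert_pem)
    if len(server) != 1 or server[0][0] != "CERTIFICATE":
        raise ValueError("server cert file must contain exactly one CERTIFICATE")
    bad = [label for label, _ in parse_pem(ca_bundle_pem) if label != "CERTIFICATE"]
    if bad:
        raise ValueError(f"CA bundle contains non-certificate blocks: {bad}")
    blocks = [m.group(0) for m in PEM_BLOCK.finditer(server_cert_pem + "\n" + ca_bundle_pem)]
    return "\n".join(blocks) + "\n"


def fake_pem(label, payload=b"\x30\x03\x02\x01\x00"):
    """Constructed placeholder block (a 5-byte DER SEQUENCE), NOT a real certificate or key."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"
```

The checker only validates file layout; before exporting the key store, also run openssl verify -CAfile dpod-agents-ca-cert.pem dpod-agents-server-cert.pem to confirm the agent certificate actually chains to the CA bundle you are about to hand to API-Connect.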
Configure API-Connect Analytics Offload:

Use the API-Connect Analytics documentation to configure the API-Connect Analytics Offload to use https. The following steps are provided as an example.

1. Make sure you have the file dpod-agents-ca-cert.pem available in the current directory and create a secret (for example dpod-offload-certificates) with the CA certificate:

   ```
   kubectl create secret generic dpod-offload-certificates --from-file=cacert.pem=dpod-agents-ca-cert.pem
   ```

2. Edit the AnalyticsCluster CR and change the following configuration (merge it with the existing one):
   - Add secretName
   - Change url to start with https
   - Add cacert

   ```
   kubectl edit analyticscluster
   ```

   ```yaml
   spec:
     external:
       offload:
         ...
         secretName: dpod-offload-certificates
         output: |
           http {
             url => "https://..."
             cacert => "/etc/velox/external_certs/offload/cacert.pem"
             ...
           }
   ```