DPOD WS-M (WS-Management) agents receive data from multiple sources:
API-Connect Analytics - payload capture using Analytics Offload of API-Connect APIs
DataPower gateway Analytics Endpoint - payload capture of API-Connect APIs when Analytics Offload is not available
DataPower gateway WS-M Agent - payload capture of DataPower services (WSP, MPGW) as well as API-Connect v5/v5c APIs
DataPower gateway SOAP log targets - policy variables capture of API-Connect v5/v5c APIs
TLS support is only available for traffic coming from API-Connect Analytics Offload. Secure tunneling for the other sources is currently not supported.
Securing a WS-M Agent for API-Connect Analytics Offload
Before securing the WS-M agent, it is recommended to test payload capture using API-Connect Analytics Offload using
http(non-secured) and make sure payload capture is displayed in DPOD.Make sure you have the following files in
.pemformat - use exactly the file names listed below:CA certificate -
dpod-agents-ca-cert.pem- if there are several CA certificates (root CA and intermediate CAs) - thepemfile should contain all certificates concatenated (one after the other).WS-M agent certificate -
dpod-agents-server-cert.pemWS-M agent certificate key -
dpod-agents-server-key.pem
Choose a single WS-M agent that will receive all traffic from API-Connect Analytics Offload. In a cell environment - this should be a single WS-M agent from one of the cell members. In case you have already tested this using
http- use the WS-M agent you have chosen for testing. Make sure you are not using this WS-M agent for other sources listed above (it should be dedicated to API-Connect Analytics Offload).Configure the chosen WS-M agent:
Log in to DPOD's server using SSH (in a cell environment - log in to the relevant cell member).
Create a new custom keys directory:
mkdir -p /app/keys/agents/custom
Copy the
pemfiles to this directory. i.e.:ls /app/keys/agents/custom dpod-agents-ca-cert.pem dpod-agents-server-cert.pem dpod-agents-server-key.pem
Create a
p12key store with the certificates and key (replace<PASSWORD>with a password of your choice to protect the key store):cat /app/keys/agents/custom/dpod-agents-server-cert.pem >/app/keys/agents/custom/dpod-agents-server-chain.pem cat /app/keys/agents/custom/dpod-agents-ca-cert.pem >>/app/keys/agents/custom/dpod-agents-server-chain.pem openssl pkcs12 -export -in /app/keys/agents/custom/dpod-agents-server-chain.pem -inkey /app/keys/agents/custom/dpod-agents-server-key.pem -passout pass:<PASSWORD> >/app/keys/agents/custom/dpod-agents-server-keystore.p12
Deploy the key store to the relevant WS-M agent (replace
MonTier-WsmAgent-Xwith the name of the chosen WS-M agent):mkdir -p /app/flume/wsm_agents/conf/MonTier-WsmAgent-X/certs cp /app/keys/agents/custom/dpod-agents-server-keystore.p12 /app/flume/wsm_agents/conf/MonTier-WsmAgent-X/certs/
Change the following configuration in
/app/flume/wsm_agents/conf/MonTier-WsmAgent-X/flume_wsm.properties(replace<PASSWORD>with the key store password):MonTier-WsmAgent-X.sources.wsmHttpSource1.protocol = https MonTier-WsmAgent-X.sources.wsmHttpSource1.keyStorePassword = <PASSWORD> MonTier-WsmAgent-X.sources.wsmHttpSource1.keyPassword = <PASSWORD>
Stop and start WS-M agents using
app-util.sh.
Configure API-Connect Analytics Offload:
Use API-Connect Analytics documentation to configure the API-Connect Analytics Offload to use
https.
The following steps are provided as an example.Make sure you have the file
dpod-agents-ca-cert.pemavailable in the current directory and create a secret (for exampledpod-offload-certificates) with the CA certificate:kubectl create secret generic dpod-offload-certificates --from-file=cacert.pem=dpod-agents-ca-cert.pem
Edit the
AnalyticsClusterCR and change the following configuration (merge it with the existing one):
- AddsecretName
- Changeurlto start withhttps
- Addcacertkubectl edit analyticscluster spec: external: offload: ... secretName: dpod-offload-certificates output: | http { url => "https:..." cacert => "/etc/velox/external_certs/offload/cacert.pem" ... }