Securing WS-M Agents

IBM DataPower Operations Dashboard v1.0.22.x


DPOD WS-M (WS-Management) agents receive data from multiple sources:

  • API-Connect Analytics - payload capture using Analytics Offload of API-Connect APIs

  • DataPower gateway Analytics Endpoint - payload capture of API-Connect APIs when Analytics Offload is not available

  • DataPower gateway WS-M Agent - payload capture of DataPower services (WSP, MPGW) as well as API-Connect v5/v5c APIs

  • DataPower gateway SOAP log targets - policy variables capture of API-Connect v5/v5c APIs

TLS is supported only for traffic coming from API-Connect Analytics Offload. The other three sources send to the WS-M agents without TLS, and secure tunneling for them is currently not supported.

Securing a WS-M Agent for API-Connect Analytics Offload

  1. Before securing the WS-M agent, first test payload capture from API-Connect Analytics Offload over plain http (non-secured) and confirm that captured payloads are displayed in DPOD. This separates connectivity or configuration problems from TLS problems later on.

  2. Make sure you have the following files in .pem format - use exactly the file names listed below:

    1. CA certificate - dpod-agents-ca-cert.pem - if there are several CA certificates (root CA and intermediate CAs) - the pem file should contain all certificates concatenated (one after the other).

    2. WS-M agent certificate - dpod-agents-server-cert.pem

    3. WS-M agent certificate key - dpod-agents-server-key.pem

  3. Choose a single WS-M agent that will receive all traffic from API-Connect Analytics Offload. In a cell environment - this should be a single WS-M agent from one of the cell members. In case you have already tested this using http - use the WS-M agent you have chosen for testing. Make sure you are not using this WS-M agent for other sources listed above (it should be dedicated to API-Connect Analytics Offload).

  4. Configure the chosen WS-M agent:

    1. Log in to DPOD's server using SSH (in a cell environment - log in to the relevant cell member).

    2. Create a new custom keys directory:

      mkdir -p /app/keys/agents/custom
    3. Copy the pem files to this directory, so that listing it shows exactly the three files, e.g.:

      ls /app/keys/agents/custom
      dpod-agents-ca-cert.pem  dpod-agents-server-cert.pem  dpod-agents-server-key.pem
    4. Create a p12 key store with the certificates and key (replace <PASSWORD> with a password of your choice to protect the key store). The chain file must start with the agent certificate, followed by the CA certificate(s). Note that pass:<PASSWORD> exposes the password in shell history and in the process list while openssl runs; openssl also accepts -passout file:<path> to read the password from a file readable only by its owner:

      cat /app/keys/agents/custom/dpod-agents-server-cert.pem >/app/keys/agents/custom/dpod-agents-server-chain.pem
      cat /app/keys/agents/custom/dpod-agents-ca-cert.pem >>/app/keys/agents/custom/dpod-agents-server-chain.pem
      openssl pkcs12 -export -in /app/keys/agents/custom/dpod-agents-server-chain.pem -inkey /app/keys/agents/custom/dpod-agents-server-key.pem -passout pass:<PASSWORD> >/app/keys/agents/custom/dpod-agents-server-keystore.p12
    5. Deploy the key store to the relevant WS-M agent (replace MonTier-WsmAgent-X with the name of the chosen WS-M agent):

    6. Change the following configuration in /app/flume/wsm_agents/conf/MonTier-WsmAgent-X/flume_wsm.properties (replace <PASSWORD> with the key store password):

    7. Stop and start WS-M agents using app-util.sh.

  5. Configure API-Connect Analytics Offload:

    1. Use API-Connect Analytics documentation to configure the API-Connect Analytics Offload to use https.
      The following steps are provided as an example.

    2. Make sure you have the file dpod-agents-ca-cert.pem available in the current directory and create a secret (for example dpod-offload-certificates) with the CA certificate. Only the CA certificate is given to API-Connect; the agent certificate and its private key stay on the DPOD server:

    3. Edit the AnalyticsCluster CR and change the following configuration (merge it with the existing one):
      - Add secretName
      - Change url to start with https
      - Add cacert
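The key-store preparation in step 4 above, as an added example. This script is not part of the DPOD documentation and not DPOD's own tooling; it is one way a practitioner would validate the three PEM files before deploying them: it checks that the agent certificate chains to the CA bundle (the same bundle API-Connect will be given as cacert) and that the private key belongs to the certificate, builds the chain and the PKCS#12 key store with the password read from a file instead of the command line, and then verifies that the key store opens and carries the whole chain. The file names follow the page; the throwaway test CA, the --demo flag, the scratch directory and the password "changeit" are assumptions so the script can be dry-run offline.

```shell
#!/bin/sh
# Added example, not from the DPOD documentation: validate the PEM files named on the
# page, build dpod-agents-server-keystore.p12 without exposing the password on the
# command line, and confirm the result before it is deployed to the WS-M agent.
# Every function takes the key directory (e.g. /app/keys/agents/custom) as $1.
set -eu

# Constructed test PKI (throwaway CA + agent cert) so the script runs offline.
# In production the three files come from your own CA; never use this output for real.
make_test_pki() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Test CA" \
    -keyout "$dir/ca-key.pem" -out "$dir/dpod-agents-ca-cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=dpod-wsm-agent.example" \
    -keyout "$dir/dpod-agents-server-key.pem" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/dpod-agents-ca-cert.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -days 1 -sha256 \
    -out "$dir/dpod-agents-server-cert.pem" 2>/dev/null
}

# Check 1: the agent certificate must chain to the CA bundle. API-Connect validates
# the agent against exactly this bundle, so a gap here means a failed TLS handshake.
check_chain() {
  openssl verify -CAfile "$1/dpod-agents-ca-cert.pem" \
    "$1/dpod-agents-server-cert.pem" >/dev/null 2>&1
}

# Check 2: the private key must belong to the certificate. Compare the public key
# (SPKI) extracted from each; a mismatch would otherwise only surface at handshake time.
check_key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1/dpod-agents-server-cert.pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$1/dpod-agents-server-key.pem" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Build the chain (agent certificate first, then the CA bundle) and the PKCS#12 store.
# The password comes from a file via -passout file: rather than pass:<PASSWORD>,
# so it does not land in shell history or in `ps` output while openssl runs.
build_keystore() {
  dir="$1"; passfile="$2"
  cat "$dir/dpod-agents-server-cert.pem" "$dir/dpod-agents-ca-cert.pem" \
    > "$dir/dpod-agents-server-chain.pem"
  openssl pkcs12 -export -in "$dir/dpod-agents-server-chain.pem" \
    -inkey "$dir/dpod-agents-server-key.pem" \
    -passout "file:$passfile" -out "$dir/dpod-agents-server-keystore.p12"
  chmod 600 "$dir/dpod-agents-server-keystore.p12"
}

# Check 3: the key store opens with the password and carries the full chain.
# Prints the number of certificates found (2 for the agent cert plus one CA cert).
keystore_cert_count() {
  openssl pkcs12 -in "$1/dpod-agents-server-keystore.p12" -passin "file:$2" \
    -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Check 4: a wrong password must be rejected. Returns 0 when openssl refuses to open it.
keystore_rejects_password() {
  ! openssl pkcs12 -in "$1/dpod-agents-server-keystore.p12" -passin "pass:$2" \
    -nokeys >/dev/null 2>&1
}

# Dry run in a scratch directory:  sh secure-wsm-keystore.sh --demo
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  make_test_pki "$work"
  umask 077; printf 'changeit\n' > "$work/keystore.pass"   # constructed demo password
  check_chain "$work" && check_key_matches_cert "$work"
  build_keystore "$work" "$work/keystore.pass"
  echo "certificates in key store: $(keystore_cert_count "$work" "$work/keystore.pass")"
  echo "key store written to $work/dpod-agents-server-keystore.p12"
fi
```

For the real files, skip make_test_pki and call check_chain, check_key_matches_cert and build_keystore with /app/keys/agents/custom and your own owner-only password file; if the CA bundle holds a root and intermediates, keystore_cert_count is expected to report one more than the number of CA certificates. Only dpod-agents-ca-cert.pem then goes to the API-Connect side in step 5.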





Copyright © 2015 MonTier Software (2015) Ltd.