Enabling Elasticsearch Metrics to connect to a Component Pack server

For the Elasticsearch Metrics component to work with HCL Connections™ Component Pack, you must run a script on the Component Pack system to set the Elasticsearch server base URL in Highway. Also, WebSphere Application Server, which hosts the Metrics component, must run Java 8 and use an SSL client certificate when sending HTTPS requests to Elasticsearch on the Component Pack system.

Before you begin

Make sure that secure connections are established in your deployment, as explained in Forcing traffic to use TLS 1.2.

Important: Elasticsearch Metrics requires that the WebSphere Application Server is running Java 8. If you have a new Filenet deployment and you temporarily switched to Java 6 to update FileNet components after applying Connections 6.0 CR1, make sure that you switch back to Java 8 before you start the following procedure.

Procedure

If your single sign-on solution includes IBM Security Access Manager, SiteMinder, or SPNEGO with SiteMinder, update the URLs that require basic authentication to include /metricssc/configsetter by referring to the appropriate topic:
- For IBM Security Access Manager, see Enabling single sign-on for Security Access Manager.
- For SiteMinder, see Enabling single sign-on for SiteMinder.
- For SPNEGO with SiteMinder, see Enabling SPNEGO single sign-on for SiteMinder.
Run the config_blue_metrics.py script as follows:
On the Connections Component Pack system, from the extractedFolder/microservices_connections/hybridcloud/support directory, call the script by running the following Linux command:
```
python config_blue_metrics.py --skipSslCertCheck true --pinkhost hostname.ibm.com
```
- You must use --skipSslCertCheck (set to true) on systems that use self-signed SSL certificates.
- Set --pinkhost to the FQDN of the Kubernetes master (this would be the fronting Kubernetes master load balancer or virtual IP in a HA environment).
- Use --namespace on an Connections Component Pack deployment where connections is not the Kubernetes namespace to use.
Here is a sample of the output from the script:

[Adminuser@Server127 ~]$ python config_blue_metrics.py --skipSslCertCheck true --pinkhost Server127.yourDomain.com Updating Metrics settings on: https://Server127.yourDomain.com/metricssc/configsetter {"c2.export.elasticsearch.baseurl" : "https://Server127.swg.usma.ibm.com:30099"}
Restart MetricsEventCapture and MetricsUI through the WebSphere Integrated Solutions Console.

To ensure a secure connection, retrieve the PKCS12 and CA Signer certificates by running the following commands on the Component Pack master node:

kubectl get secret elasticsearch-secret -n connections -o=jsonpath="{.data['chain-ca\.pem']}" | base64 -d > chain-ca.pem
kubectl get secret elasticsearch-secret -n connections -o=jsonpath="{.data['elasticsearch-metrics\.p12']}" | base64 -d > elasticsearch-metrics.p12

Copy the certificate files to the Deployment Manager in a common location readable and writable by all WebSphere Application Server nodes.

For example, copy the 2 files chain-ca.pem and elasticsearch-metrics.p12 from the Component Pack master node to the following directory: /opt/IBM on the Deployment Manager.
Now configure Elasticsearch metrics within Connections by completing the following steps:
1. Open wsadmin, making sure that you use the -lang jython option.
  For example, on Linux, run the following commands to open wsadmin:
```
        cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
        sudo sh wsadmin.sh -lang jython -user wasadmin_user -password wasadmin_password
```
2. Run the following commands to merge the signer certificate into the elasticsearch-metrics.p12 keystore:
```
        execfile('esSecurityAdmin.py')    
        enableSslForMetrics('KEYSTORE_FULL_PATH', 'STORE_PASSWORD', 'SIGNER_CA_FULL_PATH', 'ELASTICSEARCH_HTTPS_PORT')
        quit
```
  For example:
```
        execfile('esSecurityAdmin.py')
        enableSslForMetrics('/opt/IBM/elasticsearch-metrics.p12', 'Elasticsearch_CA_password', '/opt/IBM/chain-ca.pem', '30099')
```
  where Elasticsearch_CA_password is the password that was set while Bootstrapping the Kubernetes cluster.
3. Copy the updated elasticsearch-metrics.p12 file from the Deployment Manager to the same location on the WebSphere Application Server nodes.
4. Synchronize the nodes and then restart the servers or clusters that are running the Search and Common applications (including the Deployment Manager and nodes).
5. If you are using type-ahead search on a separate cluster, add the SSL configuration as explained in Setting up certificates for type-ahead search.

What to do next

Deploy Elasticsearch-based metrics for Connections as explained in Deploying Elasticsearch Metrics as your first use of metrics.