For the Elasticsearch Metrics component to work with HCL
Connections™ Component Pack, you must run a
script on the Component Pack system to set the Elasticsearch server base URL in Highway. Also,
WebSphere Application Server, which hosts the Metrics component, must run Java 8 and use an SSL
client certificate when sending HTTPS requests to Elasticsearch on the Component Pack
system.
Before you begin
Make sure that secure connections are established in your deployment, as explained in Forcing traffic to use TLS 1.2.Important: Elasticsearch Metrics
requires that the WebSphere Application Server is running Java 8. If you have a new Filenet
deployment and you temporarily switched to Java 6 to update FileNet components after applying
Connections 6.0 CR1, make sure that you switch back to Java 8 before you start the following
procedure.
Procedure
-
If your single sign-on solution includes IBM Security Access Manager, SiteMinder, or SPNEGO
with SiteMinder, update the URLs that require basic authentication to include
/metricssc/configsetter by referring to the appropriate topic:
-
Run the config_blue_metrics.py script as follows:
On the Connections Component Pack system, from the
extractedFolder/microservices_connections/hybridcloud/support
directory, call the script by running the following Linux command:
python config_blue_metrics.py --skipSslCertCheck true --pinkhost hostname.ibm.com
- You must use --skipSslCertCheck (set to true) on systems that use
self-signed SSL certificates.
- Set --pinkhost to the FQDN of the Kubernetes master (this would be the
fronting Kubernetes master load balancer or virtual IP in a HA environment).
- Use --namespace on an Connections Component Pack deployment where
connections is not the Kubernetes namespace to use.
Here is a sample of the output from the script:
[Adminuser@Server127 ~]$ python config_blue_metrics.py --skipSslCertCheck true
--pinkhost Server127.yourDomain.com Updating Metrics settings on:
https://Server127.yourDomain.com/metricssc/configsetter {"c2.export.elasticsearch.baseurl" :
"https://Server127.swg.usma.ibm.com:30099"}
-
Restart MetricsEventCapture and MetricsUI through the WebSphere Integrated Solutions
Console.
-
To ensure a secure connection, retrieve the PKCS12 and CA Signer certificates by running the
following commands on the Component Pack master node:
kubectl get secret elasticsearch-secret -n connections -o=jsonpath="{.data['chain-ca\.pem']}" | base64 -d > chain-ca.pem
kubectl get secret elasticsearch-secret -n connections -o=jsonpath="{.data['elasticsearch-metrics\.p12']}" | base64 -d > elasticsearch-metrics.p12
-
Copy the certificate files to the Deployment Manager in a common location readable and writable
by all WebSphere Application Server nodes.
For example, copy the 2 files chain-ca.pem and
elasticsearch-metrics.p12 from the Component Pack master node to the following
directory: /opt/IBM on the Deployment Manager.
-
Now configure Elasticsearch metrics within Connections by completing the following steps:
-
Open wsadmin, making sure that you use the -lang jython option.
For example, on Linux, run the following commands to open
wsadmin:
cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
sudo sh wsadmin.sh -lang jython -user wasadmin_user -password wasadmin_password
-
Run the following commands to merge the signer certificate into the
elasticsearch-metrics.p12 keystore:
execfile('esSecurityAdmin.py')
enableSslForMetrics('KEYSTORE_FULL_PATH', 'STORE_PASSWORD', 'SIGNER_CA_FULL_PATH', 'ELASTICSEARCH_HTTPS_PORT')
quit
For
example:
execfile('esSecurityAdmin.py')
enableSslForMetrics('/opt/IBM/elasticsearch-metrics.p12', 'Elasticsearch_CA_password', '/opt/IBM/chain-ca.pem', '30099')
where Elasticsearch_CA_password
is the password that was set
while Bootstrapping the Kubernetes cluster.
-
Copy the updated elasticsearch-metrics.p12 file from the Deployment
Manager to the same location on the WebSphere Application Server nodes.
-
Synchronize the nodes and then restart the servers or clusters that are running the Search and
Common applications (including the Deployment Manager and nodes).
-
If you are using type-ahead search on a separate cluster, add the SSL configuration as
explained in Setting up certificates for type-ahead search.
What to do next
Deploy Elasticsearch-based metrics for Connections as explained in Deploying Elasticsearch Metrics as your first use of metrics.