Stan's Corner

Using Instana to monitor IBM Db2 LUW with IBM SOS Vault configured in secrets

By Vipin M V posted Sun January 01, 2023 04:28 AM

  

Authors: @Alice QIN @Padmini Krishnamurthy

Abstract
 

As we add support for new technologies and capabilities to Instana, we also make sure they are well documented so that end users can adopt them easily.  

 

In a previous blog, we described multi-instance and multi-database monitoring. In this blog, we discuss how IBM SOS Vault can be used to hold the credentials that Instana needs for monitoring Db2. 

 

The Db2 sensor supports multiple authentication methods, including reading its credentials from a secret store built on HashiCorp Vault rather than from the agent configuration file. We will discuss one such vault, IBM SOS Vault, and the steps to configure it on Instana for Db2 monitoring. 

 

Introduction to IBM SOS Vault 

Vault is an identity-based secret and encryption management system in which secrets can be centrally stored, accessed, and distributed across applications, systems, and infrastructure. IBM SOS Vault provides HashiCorp Vault "as a service" for internal use by IBM Cloud Production Services, Non Cloud Production Services, Internal Projects and Individuals. The SOS Vault documentation [1] explains the differences between these ways of using the service and how to request an account. 

 

After the account is created on SOS Vault, you receive the vault server address, a role_id and a secret_id (the AppRole credentials), similar to the following. Treat the secret_id as a password: it is what authenticates you to the vault. 

 

 vault_addr: https://<sos-vault-server>:<port> 
 role_id:    xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 
 secret_id:  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 

 

 Next, install the Vault command-line tool (vault) on the system from which you will write the secret. 

 

Authentication 

After the command-line tool is installed, use the credentials obtained from the IBM SOS service to authenticate to the vault server. 

 

    1. Export the server address as follows: 

 

        $ export VAULT_ADDR=https://<sos-vault-server>:<port> 

 
    2. Log in with the AppRole credentials as follows. The call returns a client token for the role. Note that a secret_id passed as a command-line argument ends up in the shell history and is visible to other users of the machine through the process list; the vault CLI can read the value from stdin instead when it is given as secret_id=-. 

        $ vault write auth/approle/login \
            role_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
            secret_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 

 

A sample output of step 2 is shown as follows: 

 

Key                     Value 
---------               ---------- 
token                   s.xxxxxxxxxxxxxxxxxxxxxxxxxx 
token_accessor          xxxxxxxxxxxxxxxxxxxxxxxxxx 
token_duration          6h 
token_renewable         true 
token_policies          ["default" "project/<your-project>:r:default"] 
identity_policies       [] 
policies                ["default" "project/<your-project>:r:default"] 
token_meta_person       xxxxxxxx@ibm.com 
token_meta_role_name    project_<your-project>_default 

  

    3. Take the token from the output of step 2 and use it to log in to the vault server: 

 

        $ vault login s.xxxxxxxxxxxxxxxxxxxxxxxxxx 

 

This completes authentication to the vault server. Be aware that vault login writes the token to ~/.vault-token in clear text so that later commands can find it, and that the token in the sample output is valid for 6h (token_duration), so the steps that follow must be completed within that window or the token renewed. 

Credentials storage 

 

After authentication, the next step is to save the Db2 monitoring credentials in the vault server, as outlined in the following steps: 

 

  1. Identify the Db2 credentials to be used for monitoring (ideally a dedicated Db2 user that holds only the privileges the sensor needs, not an administrative account), and save them in the vault server with the following command: 

          $ vault kv put project/<your-project>/monitor/customer/instance1/jdbccfg \
              jdbc_instance_username=monuser \
              jdbc_instance_password=monpassword 

       Where: 

  • jdbc_instance_username and jdbc_instance_password are the keys.
  • monuser and monpassword are the Db2 username and password. As with the login, a password typed on the command line is recorded in the shell history; the CLI also accepts jdbc_instance_password=- to read the value from stdin.
  • project/<your-project>/monitor/customer/instance1/jdbccfg is a convenient location chosen for the demo; it sits under the project/<your-project> prefix that appears in the token policies from the login output. 

 

    2. The stored credentials can be verified with the following command. Note that it prints the password in clear text to the terminal; pass -field=jdbc_instance_username to print only a single field instead. 

 

        $ vault kv get project/<your-project>/monitor/customer/instance1/jdbccfg    

        A sample output of step 2 is shown as follows: 

================= Secret Path ================= 
project/<your-project>/monitor/customer/instance1/jdbccfg    

 

====== Metadata ====== 
Key              Value 
---              ----- 
created_time     2022-11-08T07:11:55.955184045Z 
deletion_time    n/a 
destroyed        false 
version          1 
============= Data ============= 
Key                       Value 
---                       ----- 
jdbc_instance_password    monpassword 
jdbc_instance_username    monuser 

 

 

    3. After the credentials are stored, retrieve the vault server's TLS certificate so that the Instana agent can verify the server when it connects. The -connect option takes host:port, not a URL, and the second openssl command keeps only the first (leaf) certificate of the chain. Because the certificate is fetched from the very server you are about to trust, this is trust-on-first-use: compare the SHA-256 fingerprint of vault.pem with the value published by the SOS team before going further. If the agent is configured to trust only this file, steps 3 and 4 have to be repeated when the server certificate is rotated. 

        $ openssl s_client -connect <sos-vault-server>:<port> -showcerts </dev/null | openssl x509 -outform pem > vault.pem 

  

    4. Store the vault.pem certificate retrieved in the previous step as a Kubernetes or OpenShift Secret in the agent namespace (the oc command below has an identical kubectl equivalent). 

 

        $ oc create secret generic vault-cert-pem --from-file=./vault.pem -n instana-agent 

 

    5. Update the Instana agent DaemonSet so that the vault-cert-pem Secret is mounted into the agent container as a file: a Secret volume in the pod template plus a read-only volumeMount on the agent container. 



    6. Update the Instana agent configuration YAML for the Db2 sensor with the vault details (the vault server address, the secret path and key names written above, and the path of the mounted certificate file). The exact configuration keys are described in the Instana Db2 monitoring documentation [2]. 



After you complete the configuration, you can start monitoring your Db2 environment; the Db2 credentials now live in the vault rather than in the agent configuration file. 
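The whole procedure above (authentication, credential storage, certificate retrieval, and the Secret and DaemonSet mount for the agent) collected into one script. This is an added example, not code from the original post or from Instana. It assumes environment variables SOS_ROLE_ID, SOS_SECRET_ID, DB2_MON_USER, DB2_MON_PASSWORD and VAULT_CERT_SHA256 (the server certificate fingerprint obtained from the SOS team out of band), a DaemonSet and container both named instana-agent, and a mount path of /opt/instana/agent/etc/vault; none of these names come from the page. It differs from the commands above in the three places a practitioner would care about: the secret_id and the Db2 password are passed on stdin (key=-) rather than as arguments, the login token is kept in VAULT_TOKEN for the duration of the shell instead of being written to ~/.vault-token by vault login, and the fetched certificate is checked against the expected fingerprint before it is turned into a Secret.

```shell
#!/bin/sh
# Added example for the SOS Vault / Instana Db2 procedure (not from the original post).
# Assumed names: SOS_ROLE_ID, SOS_SECRET_ID, DB2_MON_USER, DB2_MON_PASSWORD,
# VAULT_CERT_SHA256, DaemonSet/container "instana-agent", mount path /opt/instana/agent/etc/vault.
set -eu

SECRET_PATH="${SECRET_PATH:-project/<your-project>/monitor/customer/instance1/jdbccfg}"

# True when $1 has the UUID shape that SOS hands out for role_id and secret_id.
is_uuid() {
  printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Reduce "sha256 Fingerprint=AB:CD:..." (OpenSSL 1.x prints "SHA256") or a bare
# hex string to uppercase hex without separators so the two forms compare equal.
normalize_fingerprint() {
  printf '%s' "$1" | sed 's/^[^=]*=//' | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# Succeeds only if a non-empty expected fingerprint ($1) equals the observed one ($2).
fingerprint_matches() {
  [ -n "$1" ] && [ "$(normalize_fingerprint "$1")" = "$(normalize_fingerprint "$2")" ]
}

# Strategic-merge patch that mounts Secret $1 read-only at $2 in the agent container.
# The container name is an assumption; check it with
#   oc get ds instana-agent -n instana-agent -o jsonpath='{.spec.template.spec.containers[*].name}'
render_daemonset_patch() {
  cat <<EOF
spec:
  template:
    spec:
      containers:
      - name: instana-agent
        volumeMounts:
        - name: vault-cert
          mountPath: $2
          readOnly: true
      volumes:
      - name: vault-cert
        secret:
          secretName: $1
EOF
}

sos_vault_setup() {
  : "${VAULT_ADDR:?export VAULT_ADDR=https://<sos-vault-server>:<port> first}"
  is_uuid "$SOS_ROLE_ID"   || { echo "SOS_ROLE_ID is not a UUID" >&2; return 1; }
  is_uuid "$SOS_SECRET_ID" || { echo "SOS_SECRET_ID is not a UUID" >&2; return 1; }

  # Authentication, steps 2 and 3: AppRole login. secret_id=- makes the CLI read the
  # value from stdin so it never appears in argv or shell history; -field=token keeps
  # only the token, which stays in this shell instead of going to ~/.vault-token.
  VAULT_TOKEN=$(printf '%s' "$SOS_SECRET_ID" |
    vault write -field=token auth/approle/login role_id="$SOS_ROLE_ID" secret_id=-)
  export VAULT_TOKEN

  # Credentials storage, steps 1 and 2: password from stdin; read back a single
  # field so the password is not echoed to the terminal.
  printf '%s' "$DB2_MON_PASSWORD" |
    vault kv put "$SECRET_PATH" jdbc_instance_username="$DB2_MON_USER" jdbc_instance_password=-
  [ "$(vault kv get -field=jdbc_instance_username "$SECRET_PATH")" = "$DB2_MON_USER" ] ||
    { echo "readback of $SECRET_PATH failed" >&2; return 1; }

  # Step 3: fetch the leaf certificate (-connect wants host:port, not a URL) and
  # refuse to continue unless it matches the fingerprint published out of band.
  host_port=${VAULT_ADDR#https://}
  openssl s_client -connect "${host_port%/}" -showcerts </dev/null 2>/dev/null |
    openssl x509 -outform pem > vault.pem
  observed=$(openssl x509 -in vault.pem -noout -fingerprint -sha256)
  fingerprint_matches "$VAULT_CERT_SHA256" "$observed" ||
    { echo "fingerprint mismatch for $host_port; not trusting it" >&2; rm -f vault.pem; return 1; }

  # Steps 4 and 5: publish the certificate as a Secret and mount it into the agent pods.
  oc create secret generic vault-cert-pem --from-file=./vault.pem -n instana-agent
  oc patch daemonset instana-agent -n instana-agent --type strategic \
    -p "$(render_daemonset_patch vault-cert-pem /opt/instana/agent/etc/vault)"
}

# Run only when asked, so the file can also be sourced for its helper functions.
if [ "${RUN_SOS_VAULT_SETUP:-0}" = "1" ]; then
  sos_vault_setup
fi
```

Run it with RUN_SOS_VAULT_SETUP=1 after exporting the variables; without that flag the file only defines functions. Step 6, the Db2 sensor configuration itself, is deliberately left out because its keys are specified in the Instana Db2 documentation rather than on this page.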

 

Conclusion 

IBM SOS Vault is offered as a service, and this blog focused on consuming it from an Instana agent running on Kubernetes or OpenShift. The same steps apply to any HashiCorp Vault-based store, so you can use them to configure a vault you run in an on-premises environment as well. 



References

 1. https://pages.github.ibm.com/vault-as-a-service/vault/
 2. https://www.ibm.com/docs/en/instana-observability/current?topic=technologies-monitoring-db2
