IBM Verify

Digging into ISAM on Docker

By Nilesh Amrutkar posted Tue October 22, 2019 11:59 AM

  

This blog will help answer a few of the frequently asked questions about ISAM on Docker.

How do I get information about running reverse proxy instances, such as their health status, in a Docker environment?
The runtime container exposes only a very small subset of the REST APIs, namely the logging and CLI REST APIs. The health status of a particular reverse proxy instance is the health of its container, and the health of the container is determined by the health of the running WebSEAL instance.
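Because the answer above makes the container's health the health signal for a reverse proxy instance, the practical check is the `State.Health` block that `docker inspect` reports for each container. The following is an added example written for this post, not code from the ISAM product or from IBM: it parses the JSON shape that `docker inspect` produces and flags containers that are not running or that Docker has marked unhealthy. The container names and probe output are constructed for the example; only the reverse proxy name mirrors the one used later in this post.

```python
import json
import sys

# Constructed sample of `docker inspect` output (the `Name` and `State` fields
# only) for three hypothetical containers. Docker omits the `Health` block
# entirely for an image that defines no HEALTHCHECK, which the third entry shows.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/example.org-isamreverseproxy",
        "State": {
            "Status": "running",
            "Health": {
                "Status": "healthy",
                "FailingStreak": 0,
                "Log": [{"Start": "2019-10-22T10:00:00Z", "End": "2019-10-22T10:00:01Z",
                         "ExitCode": 0, "Output": ""}],
            },
        },
    },
    {
        "Name": "/example.org-isamreverseproxy-2",
        "State": {
            "Status": "running",
            "Health": {
                "Status": "unhealthy",
                "FailingStreak": 3,
                "Log": [{"Start": "2019-10-22T10:00:00Z", "End": "2019-10-22T10:00:05Z",
                         "ExitCode": 1, "Output": "WebSEAL not listening on 443\n"}],
            },
        },
    },
    {
        "Name": "/example.org-isamconfig",
        "State": {"Status": "running"},
    },
])


def summarize_health(inspect_json):
    """Parse `docker inspect` JSON into one dict per container: name, container
    status, health status ('none' when the image has no HEALTHCHECK), the number
    of consecutive failed probes and the output of the most recent probe."""
    summaries = []
    for entry in json.loads(inspect_json):
        state = entry.get("State", {})
        health = state.get("Health") or {}
        log = health.get("Log") or []
        last = log[-1] if log else {}
        summaries.append({
            "name": entry["Name"].lstrip("/"),
            "status": state.get("Status", "unknown"),
            "health": health.get("Status", "none"),
            "failing_streak": health.get("FailingStreak", 0),
            "last_output": (last.get("Output") or "").strip(),
        })
    return summaries


def needs_attention(summaries, min_streak=1):
    """Names an operator should look at: containers that are not running, and
    containers Docker reports unhealthy with at least `min_streak` consecutive
    failed probes. Containers without a HEALTHCHECK are not flagged, because
    Docker has no opinion about them; they show up as health 'none' above."""
    flagged = []
    for s in summaries:
        if s["status"] != "running":
            flagged.append(s["name"])
        elif s["health"] == "unhealthy" and s["failing_streak"] >= min_streak:
            flagged.append(s["name"])
    return flagged


if __name__ == "__main__":
    # With a file argument, read real `docker inspect` output; otherwise use the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    rows = summarize_health(data)
    for s in rows:
        print(f"{s['name']:40} {s['status']:8} {s['health']:9} "
              f"streak={s['failing_streak']} {s['last_output']}")
    print("needs attention:", needs_attention(rows))
```

To run it against a live host, save `docker inspect $(docker ps -q)` to a file and pass that file as the argument; the sample data is used when no argument is given.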

Can we use REST APIs to get information about memory, CPU and storage utilization?
For CPU, memory and similar metrics you should look to the host infrastructure's capabilities rather than anything we provide in the container.

Can the LMI be configured over a non-secure port?
There is no non-SSL port for the LMI or the AAC/Federation runtime in the Docker environment. If you need HTTP access, file an RFE and the development team will take it into consideration.

Is the ISAM Docker container FIPS 140-2 compliant?
The ISAM Docker environment will only support FIPS-compliant ciphers. So it is 'FIPS 140-2 compliant' but not 'FIPS certified'.

Where can I find the AAC runtime logs in ISAM on Docker?
The container log is the AAC runtime log. The corresponding path in the container is:

/var/application.logs/rtprofile

Is SNMP monitoring available in the Docker environment?
SNMP monitoring is not available in ISAM on Docker, so an external system is needed to monitor events. You can configure syslog on ISAM on Docker and leverage an ELK stack or a TICK stack. You can use Prometheus to monitor your containers, and even a number of the more traditional tools can monitor container performance. See, for example, dockprom:

https://github.com/stefanprodan/dockprom

Is there an NTP setting available in ISAM on Docker?
There is no NTP setting for Docker; the time and date should always come from the Docker host.

How do we secure secrets, and how do we ensure they are secure?
For secrets managed by ISAM, this is ultimately based on file system security. For secrets managed by Kubernetes, this is the cloud provider's responsibility and we make no statements about that.
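Since the answer above reduces ISAM-managed secrets to file system security, the check a practitioner can actually automate is an audit of the files that hold those secrets: owner-only read access, no group or world bits, and the expected owner. The following is an added example written for this post, not IBM tooling; it assumes secrets are mounted as plain files under a directory (for example a secret volume) and uses constructed file names and placeholder contents.

```python
import os
import stat
import tempfile


def mode_findings(mode):
    """Findings for one file's st_mode. A secret file is expected to be a
    regular file that only its owner can read or write."""
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("not a regular file")
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings


def audit_entries(entries, expected_uid):
    """Pure check over (path, st_mode, st_uid) tuples, so it can be exercised
    without touching a real filesystem. Returns {path: [findings]} for every
    file that fails the check; an empty dict means everything passed."""
    bad = {}
    for path, mode, uid in entries:
        findings = mode_findings(mode)
        if uid != expected_uid:
            findings.append(f"owned by uid {uid}, expected {expected_uid}")
        if findings:
            bad[path] = findings
    return bad


def audit_dir(path, expected_uid=None):
    """Walk a directory of secret files and apply audit_entries to the real
    lstat() results. expected_uid defaults to the current user. lstat is used
    so a symlink pointing elsewhere is reported rather than silently followed."""
    if expected_uid is None:
        expected_uid = os.getuid()
    entries = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)
            entries.append((full, st.st_mode, st.st_uid))
    return audit_entries(entries, expected_uid)


def demo():
    """Constructed scenario: two secret files in a temporary directory, one
    with mode 0600 and one left at 0644. Returns the audit result."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "ldap-bind-password")
        bad = os.path.join(d, "keystore-password")
        for p in (good, bad):
            with open(p, "w") as f:
                f.write("placeholder-secret\n")  # constructed value, not a real secret
        os.chmod(good, 0o600)
        os.chmod(bad, 0o644)
        return audit_dir(d)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", ", ".join(findings))
```

`audit_dir` is the function to point at a real secret directory; `audit_entries` and `mode_findings` are kept free of filesystem calls so the rules can be unit-tested with constructed stat values.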

How do I delete logs older than X days?
https://github.ibm.com/will-murphy/isam-log-tools

Set the number of days in the script, then either put the LMI URL, username and password in the script too, or provide all three on the command line by running ./deleteAllLogs.sh <lmi> <username> <password>.

Can a customer run only WebSEAL instances on Docker and connect them to existing Policy Servers on an appliance?
It is possible to run both Docker and the ISAM appliances in the same environment. However, there are a few restrictions which can make this challenging. The biggest challenge in running a hybrid environment is sharing certain services between the two environments.

https://www.ibm.com/blogs/security-identity-access/hybrid-isam-environments/

How do I turn on a pdweb.snoop trace on a running WebSEAL container?
You can turn the trace on dynamically, on the container itself, by using isam_cli to start pdadmin and running a trace set. For example:

docker exec -ti example.org-isamreverseproxy isam_cli
Welcome to the IBM Security Access Manager appliance
Enter "help" for a list of available commands
pdadmin> login -a sec_master -p passw0rd
pdadmin sec_master> s t default-webseald-isamconfig.example.org trace set pdweb 9 file path=pdweb.snoop.log

(s t is the pdadmin abbreviation for server task.) Then copy the trace file out of the container:

docker container cp example.org-isamreverseproxy:/var/application.logs/wrp/default/trace/pdweb.snoop.log /tmp/

Because pdweb.snoop records full HTTP request and response data, including any credentials they carry, set the trace level back to 0 and remove the file once the diagnosis is done.

Use pdweb-snoop-viewer.html to decode and view it:

https://github.com/IBM-Security/isam-support/blob/master/diagnostic/pdweb/pdweb-snoop-viewer.html

How do I publish a snapshot from Ansible?

The playbook, publish.yml:

cat publish.yml
---
- hosts: localhost
  connection: local
  roles:
    - { role: publish_snapshot, inventory_hostname: 192.168.42.138, username: admin, password: xxxx, lmi_port: 9443, log_level: INFO, force: false }

The role folder has one main component, the tasks folder:

cd tasks/
[root@rhelhost2 tasks]# ls
main.yml
[root@rhelhost2 tasks]# cat main.yml
- name: Snapshot of Appliance
  isam:
    appliance: "{{ inventory_hostname }}"
    username: "{{ username }}"
    password: "{{ password }}"
    lmi_port: "{{ lmi_port }}"
    log: "{{ log_level }}"
    force: "{{ force }}"
    action: ibmsecurity.isam.docker.publish.publish_changes
    isamapi:

Run the playbook:

ansible-playbook -i inventory publish.yml
[WARNING]: Found both group and host with same name: localhost

PLAY [localhost] **********************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************
ok: [localhost]

TASK [publish_snapshot : Snapshot of Appliance] ***************************************************************************************
[WARNING]: Module did not set no_log for password
changed: [localhost]

PLAY RECAP ****************************************************************************************************************************
localhost        : ok=2  changed=1  unreachable=0  failed=0  skipped=0  rescued=0  ignored=0

  

Author: Nilesh Amrutkar (IBM ISAM/ISDS Technical Specialist)
Email ID: nilesh_amrukar@in.ibm.com
