The following BlueCat devices are supported:
- BlueCat Integrity: BlueCat Address Manager (BAM) and BlueCat DNS/DHCP Server (BDDS). See BlueCat Integrity for details.
- BlueCat Edge: Edge service points. See BlueCat Edge for details.

- SSH
- SNMP
- (Required only when connecting to BAM) API
Note: API access to BAM is required as LiveAssurance creates a session and interacts with BlueCat Address Manager via RESTful v2 API.
For SSH access to on-premise BAM and BDDS deployments, you must connect to the device as the root user. Before adding a BlueCat device, make sure the SSH credential for the root user is provided in the Credential Sets tab.
sshd_config:
PermitRootLogin prohibit-password
Match Address <ip_addr>
    PermitRootLogin prohibit-password
Simplified cloud deployment
In LiveAssurance v9.0.0 and later, BlueCat recommends using the predefined bluecat user account (that you configure in the Credential Sets tab) for BAM and BDDS. The SSH key for the bluecat user account is created when the BAM/BDDS instance is created. This account has the required privileges to run the necessary commands.
The following image displays the credentials configured for a BAM deployed in AWS, where the username is bluecat (instead of root).
BlueCat Integrity
SNMP
- Before configuring the SNMP credential set, enable the SNMP service on BlueCat Address Manager. See Configuring SNMP on Address Manager in the BlueCat Address Manager Administration Guide for details.
- Enable the SNMP service on BlueCat DNS/DHCP Server. See Enabling SNMP service on DNS/DHCP Servers in the BlueCat Address Manager Administration Guide for details.
Then, add the community string from the LiveAssurance Server Credential Sets page.
LiveAssurance Server Configuration:
- Select the Devices tab in the sidebar, then select Credential Sets.
- In the Credential Sets tab, create a new credential set or modify an existing one.
- From the Username + Password drop-down menu, select the SNMP version. The version must match your BDDS SNMP configuration.
- Enter a description and select the security level that matches the BDDS SNMP configuration.
- Select Save.
Creating an API user in Address Manager
LiveAssurance creates a session and interacts with BlueCat Address Manager via RESTful v2 API. LiveAssurance authenticates with Address Manager through bearer tokens.
We recommend that you create a unique username in Address Manager for auditing and security purposes. To add a user, go to the Address Manager Administration tab, select Users and Groups.
Step 1: Add the API user’s name (Indeni, in this example) in the USERNAME field.
Step 2: Under Authentication, enter the API user’s password in the Password and Confirm Password fields.
Step 3: Under User Access, select the Administrator check box.
Step 4: Select API from the Access Type drop-down menu.
Step 5: Click Add at the bottom of the page.
LiveAssurance Server Configuration
Step 5: Click the Devices icon in the side panel on the left-hand side of the screen
Step 6: Select Credential Sets, and create a new credential set
Step 7: Select Username + Password
Step 8: Enter the username (Indeni in this example) and credentials you created in Address Manager
Step 9: Select the HTTPS check box.
Step 10: Click Add
The DHCP Statistics service uses a monitoring module that runs on the DNS/DHCP Server to collect statistics by sniffing DHCP packets. When enabled, DHCP statistics information is collected by the DNS/DHCP server based on the configured parameters and sent to a configured destination. You can choose to send the information to a LiveAssurance server.
- Click on the BDDS Server name and select Service Configuration in the drop-down menu
- In the Service Type drop-down menu, select DHCP Statistics
Example configuration:
Output URI
The output URI is the LiveAssurance HTTP endpoint that will be consuming the DHCP statistics information. Two modes are supported.
1 – Without authorization (default)
- Output URI format: http://<liveassurance-vm-ip-address>:8088/server/api/v1/metrics
- Bearer token not required
- TLS not required
2 – With authorization (AuthZ)
- Output URI format: https://<liveassurance-vm-ip-address>:8443/server/api/v1/metrics
- Enter the bearer token used to authenticate with the HTTP endpoint
- TLS required
Authorization is a one-time configuration needed to protect the API. Follow these three steps using the curl command to enable authorization:
- Reset the admin role password (only needed once, effectively bootstrapping AuthZ)
- Create the bdds-integrator role (only needed once)
- Obtain tokens with the bdds-integrator role’s authorization (repeat to get a new token if desired)
Step 1 – Reset the admin role password
We share a one-time password (OTP) with the customer to bootstrap the admin role (this is the same as bootstrapping AuthZ). After resetting the admin role’s password, authorization is mandatory to access the API, and access over HTTP on port 8088 is disabled.
curl -k -H "Authorization: Basic YWRtaW46bXlwYXNzd29yZAo=" https://<ip-address>:8443/auth/reset/admin
In this example, the OTP would be YWRtaW46bXlwYXNzd29yZAo= (note that this isn’t the actual OTP).
The response has the following form, returning the new admin role’s password and authorization header. At this point, AuthZ is bootstrapped.
Step 2 – Create the bdds-integrator role
The admin role is for administering roles and tokens generated with the admin role. The user needs to create a designated role, the bdds-integrator role, to get the correct token for DHCP.
curl -k -d '{"role":"bdds-integrator"}' -H "Authorization: Basic YWRtaW46bjZjSEs3ZVpDeE9QbnNCU1RrOWc=" https://<ip-address>:8443/auth/role
Using the Authorization provided in the admin role reset step, create the bdds-integrator role as in the example above.
The response has the following form, returning the bdds-integrator role’s password and authorization header.
Step 3 – Obtaining tokens with the bdds-integrator role’s authorization
Using the bdds-integrator role’s authorization, we can request Bearer tokens for pushing DHCP metrics to LiveAssurance. Note that these tokens have an expiry date. You can request any expiry for your tokens by adding a ttl query parameter to the request. For example, adding ttl=26280h will produce tokens that expire 3 years from the issuedAt date.
curl -k -H "Authorization: Basic YmRkcy1pbnRlZ3JhdG9yOm15U2VjdXJlUGFzc3dvcmQ=" "https://<ip-address>:8443/auth/token?ttl=26280h"
Response:
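
The three curl calls above with certificate verification left on and the Basic credential kept off curl's command line, as an added example that is not BlueCat's code. LA_HOST, LA_CA and the function names are assumptions; the endpoints and sample values are the ones shown on this page.

```bash
#!/usr/bin/env bash
# Added example, not BlueCat's code. LA_HOST and LA_CA are assumed names for
# the LiveAssurance address and a CA file that validates its certificate.

# Build the Basic header for role:password. printf (unlike echo) adds no
# trailing newline, so the encoded password is exactly what was supplied.
basic_header() {
  printf 'Authorization: Basic %s' \
    "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Succeed only if a Basic value is base64 of "role:password" with no trailing
# newline. Command substitution strips that newline, so re-encoding differs.
credential_ok() {
  local decoded
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  case "$decoded" in *:*) ;; *) return 1 ;; esac
  [ "$(printf '%s' "$decoded" | base64 | tr -d '\n')" = "$1" ]
}

# Store the header in a private temp file so the credential never appears in
# curl's arguments (and so not in the process list); prints the file path.
write_header_file() {
  local f
  f=$(mktemp) && chmod 600 "$f" && basic_header "$1" "$2" > "$f" && printf '%s' "$f"
}

# Call an /auth endpoint with certificate verification on (no -k) and the
# header read from a file (curl 7.55.0 or later).
la_auth() {
  local hdr path
  hdr=$1; path=$2; shift 2
  curl --fail --silent --show-error --cacert "$LA_CA" -H @"$hdr" "$@" \
    "https://${LA_HOST}:8443${path}"
}

# The three steps, using the page's endpoints:
#   la_auth "$otp_hdr"   /auth/reset/admin
#   la_auth "$admin_hdr" /auth/role -d '{"role":"bdds-integrator"}'
#   la_auth "$role_hdr"  '/auth/token?ttl=26280h'

# Constructed check: the page's sample OTP value decodes with a trailing newline.
credential_ok 'YWRtaW46bXlwYXNzd29yZAo=' || echo 'sample value carries a stray newline'
```

Delete the header files once the tokens have been issued.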
BlueCat Edge
LiveAssurance connects to the supported Edge Service Point devices via SSH. For SSH access, you must use an existing operations user account and the SSH key for that account. By using the predefined operations user account, there is no additional configuration required on the Edge Service Point devices.
The following image displays the credentials configured for an Edge Service Point using the operations user account.
To view the list of metrics retrieved from the Edge Service Points, select Code from the sidebar, and then navigate to the sp folder (bluecat > edge > sp).
To view the alerts associated with Edge Service Points, select Issues from the sidebar, and then click the Knowledge Explorer tab. You can filter to view only the alerts related to Edge Service Points.