The following BlueCat devices are supported:
- BlueCat Integrity: BlueCat Address Manager (BAM) and BlueCat DNS/DHCP Server (BDDS)
  See BlueCat Integrity for details.
- BlueCat Edge: Edge service points
  See BlueCat Edge for details.
BlueCat Integrity
- SSH—see About SSH access.
- SNMP—see About SNMP access.
- (Required only when connecting to BAM) API—see About API access.
  Note: API access to BAM is required because LiveAssurance creates a session and interacts with BlueCat Address Manager via the RESTful v2 API.
About SSH access:
- (Applicable to Integrity releases other than v9.6.2 and greater, and v25.1.1 and greater) For SSH access to on-premises BAM and BDDS deployments—a root user must be used to connect your device.
  - Before adding a BlueCat device, make sure the SSH credentials for the root user are provided in the Credential Sets tab.
  - Add to your sshd_config:
        PermitRootLogin prohibit-password
  - We also recommend that you limit the addresses from which root logins with a key are allowed. For example:
        Match Address <ip_addr>
            PermitRootLogin prohibit-password
- (Applicable to Integrity releases other than v9.6.2 and greater, and v25.1.1 and greater) For simplified SSH access to BAM and BDDS deployments in the cloud—in LiveAssurance v9.0.0 and greater, BlueCat recommends using the predefined bluecat user account (that you configure in the Credential Sets tab) for BAM and BDDS, instead of the root user account. The SSH key for the bluecat user account is created when the BAM/BDDS instance is created. This account has the required privileges to run the necessary commands.
  The following image displays the credentials configured for a BAM deployed in AWS, where the username is bluecat (instead of root).

Attention:
Starting in Integrity v9.6.2 and v25.1.1, a predefined bcia user account with appropriate privileges is defined in Integrity for enhanced security. This user account persists through Integrity appliance upgrades and therefore preserves its user account data and LiveAssurance configurations. BlueCat strongly recommends using the bcia user account to connect cloud and on-premises BAM/BDDS v9.6.2 and v25.1.1 (and greater) with LiveAssurance v25.3 (and greater). For other versions of Integrity and LiveAssurance, the root and bluecat user accounts described above will continue to remain valid. For cloud deployments, the bcia user account will automatically use the same SSH key configured for the bluecat user account. For on-premises deployments, you can generate SSH keys locally and then copy them to Integrity devices using ssh-copy-id.

The following table provides a quick overview of the supported versions and user accounts:

| LiveAssurance Version | BAM/BDDS Version | Supported User Account |
|---|---|---|
| Earlier than 25.3.0 | Earlier than 9.6.2, 25.1.1; 9.6.2, 25.1.1, and greater | root (for on-premises BAM/BDDS deployments) and bluecat (for cloud BAM/BDDS deployments) |
| 25.3.0 and greater | Earlier than 9.6.2, 25.1.1 | root (for on-premises BAM/BDDS deployments) and bluecat (for cloud BAM/BDDS deployments) |
| 25.3.0 and greater | 9.6.2, 25.1.1, and greater | Strongly recommended: bcia (for on-premises and cloud BAM/BDDS deployments) |

For information on the bcia user account, refer to User management and Setting the BCIA password in the Address Manager Administration Guide (v9.6.0 or v25.1.0 per your requirements).
About SNMP access:
Prerequisites:
- Enable SNMP service on BlueCat Address Manager. See Configuring SNMP on Address Manager in the relevant version of the BlueCat Address Manager Administration Guide for details.
- Enable SNMP service on BlueCat DNS/DHCP Server. See Enabling SNMP service on DNS/DHCP Servers in the relevant version of the BlueCat Address Manager Administration Guide for details.
- Select the Devices tab in the sidebar, then select Credential Sets.
- In the Credentials section, select New to create a new credential set in the New Credentials window that is displayed. Alternatively, modify an existing credential set.
- From the access type drop-down list (displaying the Username + Password access type by default), select SNMPv2 or SNMPv3, as shown in the following image.
  Note: You must select the SNMP version that matches your BDDS SNMP configuration.
- Do one of the following:
  - If you selected SNMPv2—enter the community string in the Community field that is displayed.
  - If you selected SNMPv3—from the Security level dropdown list that is displayed, select the security level that matches the BDDS SNMP configuration, as shown in the following image.
    - Configure the additional parameters as required, for the security level you selected.
- In the Description field, enter a description for the credentials.
- Select Save.
About API access:
LiveAssurance creates a session and interacts with BlueCat Address Manager via RESTful v2 API. LiveAssurance authenticates with Address Manager through bearer tokens.
Address Manager configuration:
BlueCat recommends that you create a unique username in Address Manager for auditing and security purposes.
Create an API user in Address Manager by using the following procedure:
- To add a user, go to the Address Manager Administration tab, then select Users and Groups.
- Under User, add the API user’s name (Indeni, in this example) in the USERNAME field.
- Under Authentication, enter the API user’s password in the Password and Confirm Password fields.
- Under User Access:
  - Select the Administrator checkbox.
  - From the Access Type drop-down menu, select API.
- Select Add.
- Select the Devices tab in the sidebar, then select Credential Sets.
- In the Credential Sets section, select New and create a new credential set.
- In the Credentials section, select New to configure the credentials for the API user in the New Credentials window that is displayed.
- From the access type dropdown list, select Username + Password. (This option is usually selected by default.)
- In the Username and Password fields, enter the same username (Indeni in this example) and password you created in Address Manager.
- Select the HTTPS checkbox.
- Select Add.
The following image shows an example:
DHCP Statistics (Optional)
Optionally, you can push DHCP statistics information to the LiveAssurance Server.
The DHCP Statistics service uses a monitoring module that runs on the DNS/DHCP Server to collect statistics by sniffing DHCP packets. When enabled, DHCP statistics information is collected by the DNS/DHCP server based on the configured parameters and sent to a configured destination. You can choose to send the information to a LiveAssurance server.
- In the BAM UI, select .
- Click the BDDS Server name and select Service Configuration in the dropdown list.
- In the Service Type dropdown list, select DHCP Statistics.
Example configuration:
Output URI
- Without authorization (default)
  - Output URI format: http://<liveassurance-vm-ip-address>:8088/server/api/v1/metrics
  - Bearer token not required
  - TLS not required
- With authorization (AuthZ)
  - Output URI format: https://<liveassurance-vm-ip-address>:8443/server/api/v1/metrics
  - Enter the bearer token used to authenticate with the HTTP endpoint
  - TLS required
Authorization is a one-time configuration needed to protect the API. Follow these three steps using the curl command to enable authorization:
- Reset the admin role password (only needed once, effectively bootstrapping AuthZ)
- Create the bdds-integrator role (only needed once)
- Obtain tokens with the bdds-integrator role’s authorization (repeat to get a new token if desired)
Step 1 – Reset the admin role password
We share a one-time password (OTP) with the customer to bootstrap the admin role (this is the same as bootstrapping AuthZ). After resetting the admin role’s password, authorization is mandatory to access the API, and access over HTTP at port 8088 is disabled.
    curl -k -H "Authorization: Basic YWRtaW46bXlwYXNzd29yZAo=" "https://<ip-address>:8443/auth/reset/admin"
In this example, the OTP would be YWRtaW46bXlwYXNzd29yZAo= (note that this isn’t the actual OTP).
The response has the following form, returning the new admin role’s password and authorization header. At this point, AuthZ is bootstrapped.
Step 2 – Create the bdds-integrator role
The admin role is for administrating roles and tokens generated with the admin role. The user needs to create a designated role, the bdds-integrator role, to get the correct token for DHCP.
    curl -k -d '{"role":"bdds-integrator"}' -H "Authorization: Basic YWRtaW46bjZjSEs3ZVpDeE9QbnNCU1RrOWc=" "https://<ip-address>:8443/auth/role"
Using the Authorization provided in the admin role reset step, create the bdds-integrator role as in the example above.
The response has the following form, returning the bdds-integrator role’s password and authorization header.
Step 3 – Obtaining tokens with the bdds-integrator role’s authorization
Using the bdds-integrator role’s authorization, we can request Bearer tokens for pushing DHCP metrics to LiveAssurance. Note that these tokens have an expiry date. You can request any expiry for your tokens by adding a ttl query parameter to the request. For example, adding ttl=26280h will produce tokens that will expire in 3 years from the issuedAt date.
    curl -k -H "Authorization: Basic YmRkcy1pbnRlZ3JhdG9yOm15U2VjdXJlUGFzc3dvcmQ=" "https://<ip-address>:8443/auth/token?ttl=26280h"
Response:
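
Added example, not part of the original page or of BlueCat's tooling: the shell helpers below decode the value that follows "Authorization: Basic" in the three curl commands, confirm it names the role each step expects (admin for the reset and role creation, bdds-integrator for tokens), and rebuild it without a stray newline. The function names and the CA_FILE variable are assumptions; request_token uses curl's --cacert in place of -k so the server certificate is verified before the credential is sent.

```shell
#!/bin/sh
# Added example: helpers for the Basic credentials used in the AuthZ steps.
# Function names and CA_FILE are hypothetical, not part of LiveAssurance.

# Build the value that follows "Authorization: Basic ". printf adds no
# trailing newline (echo would); tr undoes base64 line wrapping.
basic_value() {  # usage: basic_value <role> <password>
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print the role name encoded in a Basic value.
basic_role() {
    decoded=$(printf '%s' "$1" | base64 -d) || return 1
    printf '%s' "${decoded%%:*}"
}

# Succeed only if the value re-encodes to itself. $(...) drops a trailing
# newline, so a value built with echo fails; the step 1 placeholder
# (admin:mypassword plus a newline) is one such value.
basic_is_clean() {
    decoded=$(printf '%s' "$1" | base64 -d) || return 1
    [ "$(basic_value "${decoded%%:*}" "${decoded#*:}")" = "$1" ]
}

# Succeed only if the value belongs to the role the step expects:
# reset and role creation use admin, token requests use bdds-integrator.
check_for_step() {  # usage: check_for_step <reset|role|token> <value>
    case "$1" in
        reset|role) want=admin ;;
        token)      want=bdds-integrator ;;
        *)          return 2 ;;
    esac
    [ "$(basic_role "$2")" = "$want" ] && basic_is_clean "$2"
}

# Step 3 with certificate verification (--cacert) instead of -k. The header
# is read from stdin (-H @-) so it stays out of the process list.
request_token() {  # usage: request_token <value> <host> <ttl>
    check_for_step token "$1" || { echo "wrong or malformed credential" >&2; return 1; }
    printf 'Authorization: Basic %s\n' "$1" |
        curl --cacert "${CA_FILE:?set CA_FILE}" -H @- "https://$2:8443/auth/token?ttl=$3"
}

# Constructed check using the sample bdds-integrator value from step 3.
check_for_step token "$(basic_value bdds-integrator mySecurePassword)" &&
    echo "token credential is well-formed"
```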
BlueCat Edge
LiveAssurance connects to the supported Edge Service Point devices via SSH. For SSH access, you must use an existing operations user account and the SSH key for that account. By using the predefined operations user account, there is no additional configuration required on the Edge Service Point devices.
The following image displays the credentials configured for an Edge Service Point using the operations user account.
To view the list of metrics retrieved from the Edge Service Points, select Code from the sidebar, and then navigate to the sp folder (bluecat > edge > sp).
To view the alerts associated with Edge Service Points, select Issues from the sidebar, and then click the Knowledge Explorer tab. You can filter to view only the alerts related to Edge Service Points.