8 Checklists for Integration of Services

This chapter provides checklists for integrating the services.

The checklists include the following variables:

  • <topology-project>: Refers to the Kubernetes namespace in which the UTIA service is running.
  • <topology-instance>: Refers to the instance name of the UTIA service running in the <topology-project> namespace.
  • <messaging-project>: Refers to the Kubernetes namespace in which the Message Bus service is running.
  • <messaging-instance>: Refers to the instance name of Message Bus running in the <messaging-project> namespace.
  • <loadbalancerport>: Refers to the port of the configured load balancer. If you use Oracle Cloud Infrastructure LBaaS or any other external load balancer, set loadbalancerport to 443 if TLS is enabled, otherwise to 80. If no external load balancer is configured for the instance, set loadbalancerport to the default Traefik NodePort: 30443 if TLS is enabled on Unified Topology, 30305 if TLS is disabled.
  • <loadbalancerhost>: Refers to the host of the configured load balancer. If you use Oracle Cloud Infrastructure LBaaS or any other external load balancer, set loadbalancerhost accordingly. If no external load balancer is configured for the instance, set loadbalancerhost to the worker node IP or the Kubernetes cluster IP.
  • <hostSuffix>: Refers to the host suffix configured in the applications.yaml file. The default is uim.org.
  • <oauth-token-endpoint-uri>: Get the OAuth token endpoint URI from your IdP. Usually it is published at the .well-known/openid-configuration endpoint of your IdP. For OAM, it is https://<instance>.<project>.ohs.<hostSuffix>:<loadbalancerport>/oauth2/rest/token
  • <oauth-scope>: Provide the scope configured for your OAuth client. If none is configured, leave it empty.
  • <oauth-audience>: Provide the audience configured for your OAuth client. If none is configured, leave it empty.

Use the following checklist for integrating a UIM cloud native instance, Message Bus, and UTIA:

Table 8-1 Checklist for UIM cloud native instance, Message Bus, and UTIA

Source Application: UIM CN

  SSL Enablement: See Setting Up Secure Communication with SSL in UIM Cloud Native Deployment Guide.

  Deployment Configuration: See Enabling OAM Authentication in UIM Cloud Native Deployment Guide.

  Application Properties: For communications between applications on the same Kubernetes cluster, provide internal Kubernetes service details. Configure the Message Bus and UTIA settings in $UIM_CNTK/charts/uim/custom-config.properties. See UIM System Administrator's Guide for more information.

    UIM CN to Message Bus service settings:

      bootstrap.server.url=<messaging-project>-<messaging-instance>-messaging-kafka-bootstrap.<messaging-project>.svc.cluster.local:9092
      #Set below properties to pass Authentication service details
      kafka.client.isOAuth=true
      kafka.client.oauth.token.endpoint.uri=https://<oam-instance>.<oam-project>.ohs.<oam-host-suffix>:<loadbalancerport>/oauth2/rest/token

      Note: This token endpoint is applicable only if OAM is used as the IdP. Otherwise, use the Token URL from your IdP:

      kafka.client.oauth.token.endpoint.uri=<oauth-token-endpoint-uri>
      kafka.client.oauth.scope=<oauth-scope>
      kafka.client.oauth.audience=<oauth-audience>
      kafka.client.oauth.client.id=<oauth-client-id>
      kafka.client.oauth.client.secret=<oauth-client-secret>
      #Internal communications between Kubernetes services are non-SSL. Set kafka.client.isTLs to false.
      kafka.client.isTLs=false

    UIM CN to Unified Topology API settings:

      disableTopology=false
      microServiceEnabled=true
      For the same namespace:
      microServiceUrl=http://<topology-project>-<topology-instance>-unified-topology-api:8080/topology/v2/
      For a different namespace:
      microServiceUrl=http://<topology-project>-<topology-instance>-unified-topology-api.<topology-project>.svc.cluster.local:8080/topology/v2/

    UIM CN to Unified Topology UI settings:

      uim.rest.filter.CORSAllowedOrigin=https://<topology-instance>.<topology-project>.topology.<hostSuffix>:<loadbalancerport>
      topology.ui.host=https://<topology-instance>.<topology-project>.topology.<hostSuffix>
      topology.ui.port=<loadbalancerport>
      topology.ui.path=/apps/unified-topology-ui

Source Application: Message Bus

  SSL Enablement: N/A

  Deployment Configuration: See Enable Authentication on Kafka Cluster from "Configuring Authentication".

  Application Properties: N/A

Source Application: Topology API or UI

  See the following sections:
    "Setting up Secure Communication using TLS"
    "Creating Secrets"
    "Configuring the applications.yaml File"
    "Registering UTIA in Identity Provider"
    "Integrate Unified Topology Service with Message Bus Service"

Use the following checklist for integrating traditional UIM, Message Bus, and UTIA:

Checklist for entries in /etc/hosts for integration:

  • Authentication service
    • If OAM is deployed as the IdP:
      <loadbalancerIP>  <oam-instance>.<oam-project>.ohs.<oam-host-suffix>
    • If an IdP other than OAM is used, for accessing UIM:
      <instance>.<project>.<hostSuffix>
  • Message service
    <loadbalancerIP>  <messaging-instance>.<messaging-project>.messaging.bootstrap.<hostSuffix>
    <loadbalancerIP>  <messaging-instance>.<messaging-project>.messaging.broker0.<hostSuffix>
    <loadbalancerIP>  <messaging-instance>.<messaging-project>.messaging.broker1.<hostSuffix>
  • UTIA service
    <loadbalancerIP>  <topology-instance>.<topology-project>.topology.<hostSuffix>
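The following is an added example, not part of this guide or of the UTIA package: it builds the host names the checklist above requires from the chapter's variables and audits an /etc/hosts body against them, so a stale or missing entry is found before UIM tries to reach Message Bus or UTIA. The load balancer IP 203.0.113.10, the instance name quick, the project sr, and the hosts file content are constructed sample values.

```python
"""Audit /etc/hosts on a traditional UIM host against this checklist.

Added example, not Oracle's tooling. required_hosts() builds the host-name
patterns the checklist lists from the chapter's variables; audit_hosts() compares
them with an /etc/hosts body. The sample body below is constructed."""
from ipaddress import ip_address


def required_hosts(lb_ip, topology_instance, topology_project, messaging_instance,
                   messaging_project, host_suffix, oam=None, broker_count=2):
    """Return {hostname: ip} for the Message Bus, UTIA and (if oam is given as an
    (instance, project, host_suffix) tuple) OAM entries. lb_ip is validated so a
    leftover <loadbalancerIP> placeholder fails here rather than in the resolver."""
    lb_ip = str(ip_address(lb_ip))
    msg = f"{messaging_instance}.{messaging_project}.messaging"
    names = [f"{msg}.bootstrap.{host_suffix}"]
    names += [f"{msg}.broker{i}.{host_suffix}" for i in range(broker_count)]
    names.append(f"{topology_instance}.{topology_project}.topology.{host_suffix}")
    if oam is not None:
        oam_instance, oam_project, oam_suffix = oam
        names.append(f"{oam_instance}.{oam_project}.ohs.{oam_suffix}")
    return {name: lb_ip for name in names}


def parse_hosts(text):
    """Map each hostname or alias to the first IP listed for it, ignoring
    comments and blank lines."""
    found = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            found.setdefault(name.lower(), fields[0])
    return found


def audit_hosts(text, expected):
    """Return (missing, wrong): names absent from the file, and names present
    but resolving to an IP other than the load balancer's."""
    found = parse_hosts(text)
    missing = sorted(name for name in expected if name.lower() not in found)
    wrong = {name: found[name.lower()] for name, ip in expected.items()
             if name.lower() in found and found[name.lower()] != ip}
    return missing, wrong


# Constructed sample: broker1 still points at a retired node, no UTIA entry yet.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
203.0.113.10  quick.sr.messaging.bootstrap.uim.org   # Message Bus ingress
203.0.113.10  quick.sr.messaging.broker0.uim.org
203.0.113.99  quick.sr.messaging.broker1.uim.org
"""
EXPECTED = required_hosts("203.0.113.10", "quick", "sr", "quick", "sr", "uim.org")

if __name__ == "__main__":
    missing, wrong = audit_hosts(SAMPLE_HOSTS, EXPECTED)
    for name in missing:
        print(f"missing: {EXPECTED[name]}  {name}")
    for name, ip in wrong.items():
        print(f"wrong IP for {name}: {ip} (expected {EXPECTED[name]})")
```

Run against the real file with `audit_hosts(open("/etc/hosts").read(), EXPECTED)` after replacing the constructed values with your own; pass `oam=(<oam-instance>, <oam-project>, <oam-host-suffix>)` when OAM is the IdP so the authentication entry is checked as well.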

Table 8-2 Checklist for UIM, Message Bus, and UTIA

Source Application: UIM

  SSL Enablement: N/A

  Deployment Configuration: For enabling SSO authentication on a UIM on-premise instance, see the Setting Up Unified Inventory Management for Single Sign-On Authentication section in UIM Installation Guide.

  Application Properties:

    UIM on-prem to Message Bus settings:

      Provide the ingress bootstrap server details, because the traditional UIM instance is outside the Kubernetes cluster. External access is TLS enabled.

      bootstrap.server.url=<messaging-instance>.<messaging-project>.messaging.bootstrap.uim.org:<loadbalancerport>
      #Set below properties to pass Authentication service details
      kafka.client.isOAuth=true
      kafka.client.oauth.token.endpoint.uri=<oauth-token-endpoint-uri>
      kafka.client.oauth.scope=<oauth-scope>
      kafka.client.oauth.audience=<oauth-audience>
      kafka.client.oauth.client.id=<oauth-client-id>
      kafka.client.oauth.client.secret=<oauth-client-secret>
      #External communications are SSL enabled; provide truststore details.
      kafka.client.isTLs=true

      Add the common certificate to the JAVA_HOME of the UIM managed servers:

      keytool -import -alias common-cert -keystore $JAVA_HOME/jre/lib/security/cacerts -file $COMMON_CNTK/certs/commoncert.pem

    Configure the UTIA settings. See UIM System Administrator's Guide for more information.

    UIM on-prem to UTIA API settings:

      #Provide the Unified Topology API Kubernetes service name and port along with the endpoint, as in the sample below.
      disableTopology=false
      microServiceEnabled=true
      microServiceUrl=https://<topology-instance>.<topology-project>.topology.<hostSuffix>:<loadbalancerport>/topology/v2

    UIM on-prem to UTIA UI settings:

      uim.rest.filter.CORSAllowedOrigin=https://<topology-instance>.<topology-project>.topology.<hostSuffix>:<loadbalancerport>
      topology.ui.port=<loadbalancerport>
      topology.ui.path=/apps/unified-topology-ui

Source Application: Message Bus

  SSL Enablement: See Message Bus Ingress Listener in "Configuring Message Bus Listeners".

  Deployment Configuration: See Enable Authentication on Kafka Cluster from "Configuring Authentication".

  Application Properties: N/A

Source Application: Topology API or UI

  See the following sections:
    "Setting up Secure Communication using TLS"
    "Creating Secrets"
    "Configuring the applications.yaml File"
    "Registering UTIA in Identity Provider"
    "Integrate Unified Topology Service with Message Bus Service"

Integrating UIM with UTIA and Message Bus

This section provides instructions to integrate UIM (traditional and cloud native) with UTIA and Message Bus. The samples for the IDCS IdP are packaged along with UTIA.

Integrating UIM CN with Message Bus and UTIA

To integrate UIM CN with Message Bus and UTIA:

  1. Update the $UIM_CNTK/charts/uim/custom-config.properties file with the following details:
    • UIM CN to Message Bus service settings:
      bootstrap.server.url=<messaging-project>-<messaging-instance>-messaging-kafka-bootstrap.<messaging-project>.svc.cluster.local:9092
      #Set below properties to pass Authentication service details
      kafka.client.isOAuth=true
      kafka.client.oauth.token.endpoint.uri=<oauth-token-endpoint-uri> (Ex. https://idcs-df3***********f64b21.identity.pint.oc9qadev.com:443/oauth2/v1/token)
      kafka.client.oauth.client.id=<oauth-client-id> (Ex. e6e0b2cxxxxxxxxxxxxxxx)
      kafka.client.oauth.client.secret=<oauth-client-secret> (Ex. xxxx-xxxx-xxxx-xxxx)
      kafka.client.oauth.client.scope=<oauth-client-scope> (Ex. https://quick.sr.topology.uim.org:30443/utiaScope)
      kafka.client.oauth.client.audience=<oauth-client-audience> (Ex. https://quick.sr.topology.uim.org:30443/)
      #Internal communications between Kubernetes services are non-SSL. Set kafka.client.isTLs to false.
      kafka.client.isTLs=false

    • UIM CN to UTIA API settings:
      disableTopology=false
      microServiceEnabled=true
      microServiceUrl=http://<topology-project>-<topology-instance>-unified-topology-api:8080/topology/v2/

    • UIM CN to UTIA UI settings:
      uim.rest.filter.CORSAllowedOrigin=https://<topology-instance>.<topology-project>.topology.<hostSuffix>:<loadbalancerport>
      topology.ui.host=https://<topology-instance>.<topology-project>.topology.<hostSuffix>
      topology.ui.port=<loadbalancerport>
      topology.ui.path=/apps/unified-topology-ui

  2. After the above configuration, create or restart the UIM CN instance as usual.

Integrating Traditional UIM with Message Bus and UTIA

To integrate traditional UIM with Message Bus and UTIA:

  1. Update the system-config.properties file with the following details:
    • UIM to Message Bus service settings:
      Provide the ingress bootstrap server details, because the traditional UIM instance is outside the Kubernetes cluster.
      bootstrap.server.url=<messaging-instance>.<messaging-project>.messaging.bootstrap.uim.org:<loadbalancerport>
      #Set below properties to pass Authentication service details
      kafka.client.isOAuth=true
      kafka.client.oauth.token.endpoint.uri=<oauth-token-endpoint-uri> (Ex. https://idcs-df3***********f64b21.identity.pint.oc9qadev.com:443/oauth2/v1/token)
      kafka.client.oauth.client.id=<oauth-client-id> (Ex. e6e0b2cxxxxxxxxxxxxxxx)
      kafka.client.oauth.client.secret=<oauth-client-secret> (Ex. xxxx-xxxx-xxxx-xxxx)
      kafka.client.oauth.client.scope=<oauth-client-scope> (Ex. https://quick.sr.topology.uim.org:30443/utiaScope)
      kafka.client.oauth.client.audience=<oauth-client-audience> (Ex. https://quick.sr.topology.uim.org:30443/)
      #External access is TLS enabled
      kafka.client.isTLs=true

    • UIM to UTIA API settings:
      disableTopology=false
      microServiceEnabled=true
      microServiceUrl=https://<topology-instance>.<topology-project>.topology.<hostSuffix>/topology/v2/

    • UIM to UTIA UI settings:
      uim.rest.filter.CORSAllowedOrigin=https://<topology-instance>.<topology-project>.topology.<hostSuffix>:<loadbalancerport>
      topology.ui.host=https://<topology-instance>.<topology-project>.topology.<hostSuffix>
      topology.ui.port=<loadbalancerport>
      topology.ui.path=/apps/unified-topology-ui

  2. Add the Identity Provider's certificate to JAVA_HOME as follows:
    keytool -import -alias idp-cert -keystore $JAVA_HOME/jre/lib/security/cacerts -file <idp-certificate-file>
  3. Add the UTIA certificate to JAVA_HOME as follows:
    keytool -import -alias utia-cert -keystore $JAVA_HOME/jre/lib/security/cacerts -file <utia-certificate-file>
  4. Add the common certificate to JAVA_HOME as follows:
    keytool -import -alias common-cert -keystore $JAVA_HOME/jre/lib/security/cacerts -file $COMMON_CNTK/certs/commoncert.pem

    Note: Make sure that UTIA and Message Bus are configured with commoncert.pem.
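The following is an added example, not part of this guide or of the UTIA package: a small linter for the custom-config.properties (UIM CN) and system-config.properties (traditional UIM) fragments from Tables 8-1 and 8-2 and the two procedures above. It catches what otherwise surfaces only after a restart: a <placeholder> left unresolved, a kafka.client.isTLs value that contradicts the bootstrap endpoint for the deployment type, a non-https token endpoint, and a CORSAllowedOrigin whose port does not match topology.ui.port. The property names and the port rules are the chapter's; the instance quick, project sr, IdP host idp.example.invalid and client credentials in the sample fragments are constructed.

```python
"""Lint the UIM integration properties from this chapter before restarting UIM.

Added example, not Oracle's tooling. It reads a custom-config.properties (UIM CN)
or system-config.properties (traditional UIM) fragment and reports what otherwise
fails only at runtime: unresolved <...> placeholders, a kafka.client.isTLs value
that contradicts the bootstrap endpoint, and a CORS origin whose port disagrees
with topology.ui.port. Property names are the chapter's; samples are constructed."""
import re
from urllib.parse import urlparse

PLACEHOLDER = re.compile(r"<[^<>\s]+>")
REQUIRED = ("bootstrap.server.url", "kafka.client.isOAuth",
            "kafka.client.oauth.token.endpoint.uri", "kafka.client.oauth.client.id",
            "kafka.client.oauth.client.secret", "kafka.client.isTLs", "disableTopology",
            "microServiceEnabled", "microServiceUrl", "uim.rest.filter.CORSAllowedOrigin",
            "topology.ui.port", "topology.ui.path")


def parse_properties(text):
    """Minimal .properties reader (key=value, '#' comments). Both sides are
    stripped, so 'client.id= abc' and 'client.id=abc' agree."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def expected_loadbalancer_port(external_lb, tls):
    """Port rule from the variable list: external load balancer 443 (TLS) or 80,
    otherwise the Unified Topology Traefik NodePort 30443 (TLS) or 30305."""
    if external_lb:
        return 443 if tls else 80
    return 30443 if tls else 30305


def lint(text, deployment, external_lb=True, tls=True):
    """deployment is 'cn' (UIM inside the cluster) or 'traditional' (UIM outside
    it, reaching Message Bus through the TLS ingress). Returns a list of findings;
    an empty list means the fragment is consistent with the checklist."""
    props = parse_properties(text)
    findings = []
    for key in REQUIRED:
        if key not in props:
            findings.append(f"missing property: {key}")
        elif PLACEHOLDER.search(props[key]):
            findings.append(f"unresolved placeholder in {key}: {props[key]}")
    bootstrap = props.get("bootstrap.server.url", "")
    is_tls = props.get("kafka.client.isTLs", "").lower()
    if deployment == "cn":
        # In-cluster traffic uses the Kafka bootstrap Service on 9092 without TLS.
        if not bootstrap.endswith(".svc.cluster.local:9092"):
            findings.append("cn: bootstrap.server.url must be the in-cluster bootstrap Service on 9092")
        if is_tls != "false":
            findings.append("cn: kafka.client.isTLs must be false for in-cluster traffic")
    else:
        # A traditional instance reaches Message Bus through the TLS-enabled ingress.
        if is_tls != "true":
            findings.append("traditional: kafka.client.isTLs must be true for ingress access")
        port = bootstrap.rsplit(":", 1)[-1]
        if port != str(expected_loadbalancer_port(external_lb, tls)):
            findings.append(f"traditional: bootstrap port {port} does not match the load balancer port")
    if props.get("kafka.client.isOAuth", "").lower() == "true":
        # The client secret is posted to this endpoint, so it must be an https URL.
        if urlparse(props.get("kafka.client.oauth.token.endpoint.uri", "")).scheme != "https":
            findings.append("OAuth token endpoint must be an https URL")
    cors = props.get("uim.rest.filter.CORSAllowedOrigin", "")
    if not PLACEHOLDER.search(cors):  # placeholders were already reported above
        origin, ui_port = urlparse(cors), props.get("topology.ui.port", "")
        if origin.scheme != "https" or origin.path not in ("", "/"):
            findings.append("CORSAllowedOrigin must be an https origin without a path")
        elif origin.port is not None and str(origin.port) != ui_port:
            findings.append(f"CORSAllowedOrigin port {origin.port} != topology.ui.port {ui_port}")
    return findings


# Constructed values: instance "quick" in project "sr", suffix uim.org, NodePort 30443.
CN_SAMPLE = """\
bootstrap.server.url=sr-quick-messaging-kafka-bootstrap.sr.svc.cluster.local:9092
kafka.client.isOAuth=true
kafka.client.oauth.token.endpoint.uri=https://idp.example.invalid/oauth2/v1/token
kafka.client.oauth.client.id=example-client-id
kafka.client.oauth.client.secret=example-client-secret
kafka.client.isTLs=false
disableTopology=false
microServiceEnabled=true
microServiceUrl=http://sr-quick-unified-topology-api:8080/topology/v2/
uim.rest.filter.CORSAllowedOrigin=https://quick.sr.topology.uim.org:30443
topology.ui.port=30443
topology.ui.path=/apps/unified-topology-ui
"""
# Traditional UIM fragment with a leftover placeholder, TLS left off, and a CORS port mismatch.
BROKEN_SAMPLE = CN_SAMPLE.replace(
    "sr-quick-messaging-kafka-bootstrap.sr.svc.cluster.local:9092",
    "quick.sr.messaging.bootstrap.uim.org:30443",
).replace("https://idp.example.invalid/oauth2/v1/token", "<oauth-token-endpoint-uri>"
).replace("topology.uim.org:30443\n", "topology.uim.org:443\n")
```

`lint(CN_SAMPLE, "cn")` returns an empty list; `lint(BROKEN_SAMPLE, "traditional", external_lb=False)` returns four findings (the placeholder, the isTLs value, the non-https token endpoint it implies, and the CORS port). Pass `external_lb` and `tls` as they apply to your instance so the bootstrap port is checked against the <loadbalancerport> rule from the variable list.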