14 Checklists for Integration of Services

This chapter provides checklists for integrating the services.

The checklists include the following variables:

  • <topology-project>: Refers to the Kubernetes namespace in which the ATA service is running.
  • <topology-instance>: Refers to the instance name of the ATA service running in the <topology-project> namespace.
  • <messaging-project>: Refers to the Kubernetes namespace in which the Message Bus service is running.
  • <messaging-instance>: Refers to the instance name of Message Bus running in the <messaging-project> namespace.
  • <loadbalancerport>: Refers to the port of the configured load balancer. If you use Oracle Cloud Infrastructure LBaaS or any other external load balancer, set loadbalancerport to 443 when TLS is enabled and to 80 otherwise. If no external load balancer is configured for the instance, set loadbalancerport to the default Traefik NodePort: 30443 when TLS is enabled on ATA, and 30305 when TLS is disabled.
  • <loadbalancerhost>: Refers to the host of the configured load balancer. If you use Oracle Cloud Infrastructure LBaaS or any other external load balancer, set loadbalancerhost appropriately. If no external load balancer is configured for the instance, set loadbalancerhost to the worker node IP or Kubernetes cluster IP.
  • <hostSuffix>: Refers to the host suffix configured in the applications.yaml file. The default is uim.org.
  • <oauth-token-endpoint-uri>: The OAuth token endpoint URI of your IdP. You can usually find it on the .well-known/openid-configuration endpoint of your IdP. For OAM, it is https://<instance>.<project>.ohs.<hostSuffix>:<loadbalancerport>/oauth2/rest/token
  • <oauth-scope>: Provide the scope configured for your OAuth client. If none is configured, leave it empty.
  • <oauth-audience>: Provide the audience configured for your OAuth client. If none is configured, leave it empty.
  • <oauth-client-id>: Provide the Client ID of your OAuth 2.0 client.
  • <oauth-client-secret>: Provide the Client Secret of your OAuth 2.0 client.
  • <smartsearch-instance>: Refers to the instance name of the Smart Search service in the <smartsearch-project> namespace.

Note:

All applications must be deployed with the same instance and project names. Message Bus is the exception: it can be in a different instance or project.

Use the following checklist for integrating UIM cloud native instance, Message Bus, and ATA:

Table 14-1 Checklist for UIM cloud native instance, Message Bus, ATA, Smart Search, and Authorization Service

Each entry lists Source Application, Target Application, Properties, and Configuration Reference.

Source Application: UIM CN
Target Application: ATA
Properties:
  ATA API:
    disableTopology=false
    microServiceEnabled=true
    microServiceUrl=http://<topology-project>-<topology-instance>-ata-api.<topology-project>.svc.cluster.local:8080/topology/v2/
  ATA UI:
    uim.rest.filter.CORSAllowedOrigin=https://<topology-instance>.<topology-project>.topology.<hostSuffix>:<loadbalancerport>
    topology.ui.host=https://<topology-instance>.<topology-project>.topology.<hostSuffix>
    topology.ui.port=<loadbalancerport>
    topology.ui.path=/apps/ata-ui
Configuration Reference: Rename the custom-config.properties.sample file and update the properties:
  mv $UIM_CNTK/charts/uim/custom-config.properties.sample $UIM_CNTK/charts/uim/custom-config.properties

Source Application: UIM CN
Target Application: Message Bus
Properties:
  bootstrap.server.url=<messaging-project>-<messaging-instance>-messaging-kafka-bootstrap.<messaging-project>.svc.cluster.local:9092

Source Application: UIM CN
Target Application: Smart Search
Properties:
  # Uncomment the following properties only if UIM CN and Smart Search are not in the same namespace.
  smartSearch.ui.host=http://<smartsearch-project>-<smartsearch-instance>-smart-search.<smartsearch-project>.svc.cluster.local
  smartSearch.ui.port=8080

Source Application: UIM CN
Target Application: IdP OAuth Client
Properties:
  oauth.enabled=true
  oauth.token.endpoint.uri=<oauth-token-endpoint-uri>
  oauth.client.id=<oauth-client-id>
  oauth.client.secret=<oauth-client-secret>
  oauth.scope=<oauth-scope>
  oauth.audience=<oauth-audience>

Source Application: UIM CN
Target Application: IdP SAML 2.0
Configuration Reference: See Enabling SAML Based Authentication Provider in Cloud Native Deployment Guide.

Source Application: UIM CN
Target Application: SSL
Properties: Enable the ssl flag in instance.yaml:
  ssl:
    enabled: true
Configuration Reference: See Setting Up UIM Cloud Native for Incoming Access in Cloud Native Deployment Guide.

Source Application: ATA
Target Application: UIM
Configuration Reference: See Creating Secrets for UIM Credentials.

Source Application: ATA
Target Application: Message Bus
Properties:
  messagingBusConfig:
    namespace: <messaging-bus-namespace>
    instance: <messaging-bus-instance>
Configuration Reference: $SPEC_PATH/project/instance/applications.yaml

Source Application: ATA
Target Application: Authorization Service
Properties:
  authorizationServiceConfig:
    namespace: <authorization-service-namespace>
    instance: <authorization-service-instance>
Configuration Reference: $SPEC_PATH/project/instance/applications.yaml

Source Application: ATA
Target Application: SSL
Properties: Enable the tls flag in applications.yaml:
  tls:
    enabled: true
Configuration Reference: See Setting up Secure Communication using TLS section.

Source Application: ATA, MB, Smart Search, Authorization Service
Target Application: IdP OAuth Client
Properties: Enable the authentication flag in applications.yaml:
  authentication:
    enabled: true
Configuration Reference: See Adding Common OAuth Secret and ConfigMap in ATA Deployment Guide. See Common Configuration Options For all Services in ATA Deployment Guide.

Use the following checklist for integrating traditional UIM, Message Bus, and ATA:

Checklist for entries in /etc/hosts for integration:

  • Authentication service
    • If OAM is deployed as the IdP:
      <loadbalancerIP>  <oam-instance>.<oam-project>.ohs.<oam-host-suffix>
    • If any IdP other than OAM is used, for accessing UIM:
      <instance>.<project>.<hostSuffix>
  • Message service
    <loadbalancerIP>  <messaging-instance>.<messaging-project>.messaging.bootstrap.<hostSuffix>
    <loadbalancerIP>  <messaging-instance>.<messaging-project>.messaging.broker0.<hostSuffix>
    <loadbalancerIP>  <messaging-instance>.<messaging-project>.messaging.broker1.<hostSuffix>
  • ATA service
    <loadbalancerIP>  <topology-instance>.<topology-project>.topology.<hostSuffix>

Table 14-2 Checklist for UIM, Message Bus, and ATA

Each entry lists Source Application, Target Application, Properties, and Configuration Reference.

Source Application: UIM
Target Application: ATA
Properties:
  ATA API:
    disableTopology=false
    microServiceEnabled=true
    microServiceUrl=https://<topology-instance>.<topology-project>.topology.<hostSuffix>:<loadbalancerport>/topology/v2/
  ATA UI:
    uim.rest.filter.CORSAllowedOrigin=https://<topology-instance>.<topology-project>.topology.<hostSuffix>:<loadbalancerport>
    topology.ui.host=https://<topology-instance>.<topology-project>.topology.<hostSuffix>
    topology.ui.port=<loadbalancerport>
    topology.ui.path=/apps/ata-ui
Configuration Reference: Update the system-config.properties file.

Source Application: UIM
Target Application: Message Bus
Properties:
  bootstrap.server.url=<messaging-instance>.<messaging-project>.messaging.bootstrap.<hostSuffix>:<loadbalancerport>
  kafka.client.isTLs=true

Source Application: UIM
Target Application: IdP OAuth Client
Properties:
  oauth.enabled=true
  oauth.token.endpoint.uri=<oauth-token-endpoint-uri>
  oauth.client.id=<oauth-client-id>
  oauth.client.secret=<oauth-client-secret>
  oauth.scope=<oauth-scope>
  oauth.audience=<oauth-audience>

Source Application: UIM
Target Application: IdP SAML 2.0
Configuration Reference: To enable SSO authentication on a UIM on-premise instance, see Setting Up Unified Inventory Management for Single Sign-On Authentication section in UIM Installation Guide.

Source Application: UIM
Target Application: SSL
Properties: Add the MB, ATA, and IdP SSL certificates to the trust store of the UIM Managed Servers:
  keytool -import -alias common-cert -keystore $JAVA_HOME/jre/lib/security/cacerts -file $COMMON_CNTK/certs/commoncert.pem
  keytool -import -alias idp-cert -keystore $JAVA_HOME/jre/lib/security/cacerts -file $COMMON_CNTK/certs/idpcertificate.pem
Configuration Reference: See Configuring the SSL Policy/Certificate section in System Administrator Guide. See Enabling WebLogic SSL Port section in UIM Installation Guide.

Source Application: Message Bus
Target Application: SSL
Properties: Update applications.yaml:
  tls:
    enabled: true
Configuration Reference: See Message Bus Ingress Listener in "Configuring Message Bus Listeners".

Source Application: ATA
Target Application: UIM
Properties: Provide the proxy server URI as the UIM URL in the secret. In applications.yaml, set the replica count of impact-analysis-api and alarm consumer to 0.
Configuration Reference: See Creating Secrets for UIM Credentials section. See Configuring the applications.yaml File section.

Source Application: ATA
Target Application: Message Bus
Properties: Update applications.yaml:
  messagingBusConfig:
    namespace: <messagingbus-project>
    instance: <messagingbus-instance>
Configuration Reference: See Integrate ATA Service with Message Bus Service section.

Source Application: ATA
Target Application: SSL
Properties: Make sure you add the UIM and IdP certificates to the truststore of the oauthConfig secret.
Configuration Reference: See Setting up Secure Communication using TLS section.

Source Application: ATA, Message Bus
Target Application: IdP OAuth Client
Properties: Enable the authentication flag in applications.yaml:
  authentication:
    enabled: true
Configuration Reference: See Adding Common OAuth Secret and ConfigMap in ATA Deployment Guide. See Common Configuration Options For all Services in ATA Deployment Guide.

Integrating UIM with ATA and Message Bus

This section provides instructions for integrating UIM (traditional and cloud native) with ATA and Message Bus. The samples for the IDCS IdP are packaged along with ATA.

Integrating UIM CN with Message Bus and ATA

To integrate UIM CN with Message Bus and ATA:

  1. Update $UIM_CNTK/charts/uim/custom-config.properties file with the following details:
    • UIM CN to Message Bus service settings:
      bootstrap.server.url=<messaging-project>-<messaging-instance>-messaging-kafka-bootstrap.<messaging-project>.svc.cluster.local:9092
      #Set the properties below to pass the Authentication service details
      kafka.client.isOAuth=true
      kafka.client.oauth.token.endpoint.uri=<oauth-token-endpoint-uri> (Ex. https://idcs-df3***********f64b21.identity.pint.oc9qadev.com:443/oauth2/v1/token)
      kafka.client.oauth.client.id=<oauth-client-id> (Ex. e6e0b2cxxxxxxxxxxxxxxx)
      kafka.client.oauth.client.secret=<oauth-client-secret> (Ex. xxxx-xxxx-xxxx-xxxx)
      kafka.client.oauth.client.scope=<oauth-client-scope> (Ex. https://quick.sr.topology.uim.org:30443/ataScope)
      kafka.client.oauth.client.audience=<oauth-client-audience> (Ex. https://quick.sr.topology.uim.org:30443/)
      #Internal communication between Kubernetes services is non-SSL. Set kafka.client.isTLs to false.
      kafka.client.isTLs=false
      
    • UIM CN to ATA API settings:
      disableTopology=false
      microServiceEnabled=true
      microServiceUrl=http://<topology-project>-<topology-instance>-ata-api:8080/topology/v2/
      
    • UIM CN to ATA UI settings:
      uim.rest.filter.CORSAllowedOrigin=https://<topology-instance>.<topology-project>.topology.<hostSuffix>:<loadbalancerport>
      topology.ui.host=https://<topology-instance>.<topology-project>.topology.<hostSuffix>
      topology.ui.port=<loadbalancerport>
      topology.ui.path=/apps/ata-ui
      
  2. Create or restart the UIM CN instance as usual, after the above configurations.

Integrating Traditional UIM with Message Bus and ATA

To integrate traditional UIM with Message Bus and ATA:

  1. Update the system-config.properties file with the following details:
    • UIM to Message Bus service settings:
      Provide the ingress bootstrap server details, because the traditional UIM instance is outside the Kubernetes cluster.
      bootstrap.server.url=<messaging-instance>.<messaging-project>.messaging.bootstrap.uim.org:<loadbalancerport>
      #Set the properties below to pass the Authentication service details
      kafka.client.isOAuth=true
      kafka.client.oauth.token.endpoint.uri=<oauth-token-endpoint-uri> (Ex. https://idcs-df3***********f64b21.identity.pint.oc9qadev.com:443/oauth2/v1/token)
      kafka.client.oauth.client.id=<oauth-client-id> (Ex. e6e0b2cxxxxxxxxxxxxxxx)
      kafka.client.oauth.client.secret=<oauth-client-secret> (Ex. xxxx-xxxx-xxxx-xxxx)
      kafka.client.oauth.client.scope=<oauth-client-scope> (Ex. https://quick.sr.topology.uim.org:30443/ataScope)
      kafka.client.oauth.client.audience=<oauth-client-audience> (Ex. https://quick.sr.topology.uim.org:30443/)
      # External access is TLS enabled
      kafka.client.isTLs=true
      
    • UIM to ATA API settings:
      disableTopology=false
      microServiceEnabled=true
      microServiceUrl=https://<topology-instance>.<topology-project>.topology.<hostSuffix>/topology/v2/
      
    • UIM to ATA UI settings:
      uim.rest.filter.CORSAllowedOrigin=https://<topology-instance>.<topology-project>.topology.<hostSuffix>:<loadbalancerport>
      topology.ui.host=https://<topology-instance>.<topology-project>.topology.<hostSuffix>
      topology.ui.port=<loadbalancerport>
      topology.ui.path=/apps/ata-ui
      
  2. Add the Identity Provider's certificate to the JAVA_HOME truststore as follows:
    keytool -import -alias idp-cert -keystore $JAVA_HOME/jre/lib/security/cacerts -file <idp-certificate-file>
  3. Add the ATA certificate to the JAVA_HOME truststore as follows:
    keytool -import -alias ata-cert -keystore $JAVA_HOME/jre/lib/security/cacerts -file <ata-certificate>
  4. Add the common certificate to the JAVA_HOME truststore as follows:
    keytool -import -alias common-cert -keystore $JAVA_HOME/jre/lib/security/cacerts -file $COMMON_CNTK/certs/commoncert.pem

    Note:

    Make sure that ATA and Message Bus are configured with commoncert.pem.
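The UIM CN and traditional UIM property sets in the two procedures above differ exactly where a slip weakens transport security or leaves credentials unset: http versus https in microServiceUrl, kafka.client.isTLs against an in-cluster versus an ingress bootstrap address, the CORS origin against topology.ui.host and topology.ui.port, and OAuth client values left as checklist placeholders. The following checker is an added example, not part of UIM, ATA or the CNTK: it parses a custom-config.properties or system-config.properties file and reports checklist violations. The property names are the ones in this chapter; the two sample files, the idp.example.invalid token endpoint, the finding messages and the rule that an address is "in-cluster" when it is a bare service name or ends in .svc.cluster.local are assumptions made for this example.

```python
"""Consistency checks for the UIM-side properties this chapter asks for
(custom-config.properties for UIM CN, system-config.properties for traditional
UIM). Property names are the checklist's; sample values, finding messages and
the in-cluster heuristic are assumptions of this example, not product behaviour."""
from urllib.parse import urlparse

PLACEHOLDER_MARKERS = ("<", ">", "xxxx")


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value, first '=' splits."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def is_in_cluster(host):
    """Assumed heuristic: the address never leaves the Kubernetes cluster network."""
    return host.endswith(".svc.cluster.local") or "." not in host


def looks_like_placeholder(value):
    """Catches values copied unchanged from the checklist, e.g. <oauth-client-secret>."""
    return value == "" or any(marker in value for marker in PLACEHOLDER_MARKERS)


def check_integration(props):
    """Return the findings for one parsed properties file; an empty list means it passes."""
    findings, get = [], props.get
    # ATA API: topology enabled, and a URL that leaves the cluster must be https.
    if (get("disableTopology", "").lower() != "false"
            or get("microServiceEnabled", "").lower() != "true"):
        findings.append("disableTopology=false and microServiceEnabled=true are required")
    api = urlparse(get("microServiceUrl", ""))
    if not api.hostname:
        findings.append("microServiceUrl is missing")
    elif api.scheme != "https" and not is_in_cluster(api.hostname):
        findings.append("microServiceUrl leaves the cluster but is not https")

    # Message Bus: the checklist turns TLS off only for the in-cluster bootstrap address.
    host = get("bootstrap.server.url", "").rsplit(":", 1)[0]
    tls = get("kafka.client.isTLs", "").lower()
    if not host:
        findings.append("bootstrap.server.url is missing")
    elif is_in_cluster(host) and tls != "false":
        findings.append("in-cluster Kafka bootstrap expects kafka.client.isTLs=false")
    elif not is_in_cluster(host) and tls != "true":
        findings.append("external Kafka bootstrap requires kafka.client.isTLs=true")

    # IdP: with OAuth on, the client credentials must be real and the token endpoint https.
    if get("kafka.client.isOAuth", "").lower() == "true":
        for key in ("kafka.client.oauth.token.endpoint.uri",
                    "kafka.client.oauth.client.id", "kafka.client.oauth.client.secret"):
            if looks_like_placeholder(get(key, "")):
                findings.append(f"{key} is unset or still a placeholder")
        if urlparse(get("kafka.client.oauth.token.endpoint.uri", "")).scheme not in ("https", ""):
            findings.append("kafka.client.oauth.token.endpoint.uri must use https")

    # ATA UI: the CORS origin must be exactly the https host:port the browser uses.
    ui = f'{get("topology.ui.host", "")}:{get("topology.ui.port", "")}'
    if not ui.startswith("https://"):
        findings.append("topology.ui.host must be https")
    if get("uim.rest.filter.CORSAllowedOrigin") != ui:
        findings.append("uim.rest.filter.CORSAllowedOrigin must equal topology.ui.host:topology.ui.port")
    return findings


# Constructed sample: UIM CN with everything in-cluster and the IdP reached over https.
CN_SAMPLE = """\
# UIM CN to Message Bus
bootstrap.server.url=sr-quick-messaging-kafka-bootstrap.sr.svc.cluster.local:9092
kafka.client.isOAuth=true
kafka.client.oauth.token.endpoint.uri=https://idp.example.invalid/oauth2/v1/token
kafka.client.oauth.client.id=example-client-id
kafka.client.oauth.client.secret=example-client-secret
kafka.client.isTLs=false
disableTopology=false
microServiceEnabled=true
microServiceUrl=http://sr-quick-ata-api.sr.svc.cluster.local:8080/topology/v2/
uim.rest.filter.CORSAllowedOrigin=https://quick.sr.topology.uim.org:30443
topology.ui.host=https://quick.sr.topology.uim.org
topology.ui.port=30443
topology.ui.path=/apps/ata-ui
"""

# Constructed sample: the same deployment seen from a traditional UIM outside the cluster,
# with two mistakes left in: TLS off towards the ingress bootstrap, and a placeholder secret.
TRADITIONAL_PROPS = {**parse_properties(CN_SAMPLE), **{
    "bootstrap.server.url": "quick.sr.messaging.bootstrap.uim.org:443",
    "kafka.client.isTLs": "false",
    "kafka.client.oauth.client.secret": "<oauth-client-secret>",
    "microServiceUrl": "https://quick.sr.topology.uim.org:443/topology/v2/",
    "uim.rest.filter.CORSAllowedOrigin": "https://quick.sr.topology.uim.org:443",
    "topology.ui.port": "443",
}}
```

To check a real file, call check_integration(parse_properties(open(path).read())) and treat a non-empty list as a blocker before creating or restarting the UIM instance; the CN sample passes, and the traditional sample reports the isTLs and placeholder-secret mistakes. The ATA UI rule is deliberately an exact string comparison: a CORS origin that is "close" to the UI host (different port, http scheme, trailing slash) is either rejected by the browser or, worse, wider than intended.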