2.1.1 BlueCat
In order for Indeni to run its full set of discovery and interrogation scripts for BlueCat Address Manager and BlueCat DNS/DHCP Server, both SSH & SNMP access are required. For SSH access, a root user needs to be used to connect your system. Before adding a BlueCat device, make sure the SSH credential for the root user is provided in Credentials Set.
Note: For BDDS deployed in the cloud, make sure you enable SSH with the root user.
Add to your sshd_config:
PermitRootLogin prohibit-password
We also recommend that you limit to where you would allow root logins with a key. For example:
Match Address <ip_addr>
PermitRootLogin prohibit-password
SNMP
Before configuring the SNMP credential set, enable SNMP service on BlueCat Address Manager:
https://docs.bluecatnetworks.com/r/Address-Manager-Administration-Guide/Configuring-NTP-on-Address-Manager/9.5.0
Enable SNMP service on BlueCat DNS/DHCP Server:
https://docs.bluecatnetworks.com/r/Address-Manager-Administration-Guide/Enabling-SNMP-service-on-DNS/DHCP-Servers/9.5.0?tocId=m1bRY6lv5ui84YyRUXQXZw
Then, add the community string from the Indeni Server Credential Set page.
Indeni Server Configuration:
- Click on Devices icon on the side-panel to the left-hand side of the screen
- Select Credential Sets, and create a new/modify an existing credential set
- From the Username + Password drop down, select the SNMP version. The version must match your BDDS SNMP configuration
- Enter a description and select the security level that matches the BDDS SNMP configuration
- Hit Add
Creating an API user in Address Manager
We always recommend you defer to the vendor’s documentation for configuration. Please follow BlueCat Address Manager’s instructions for adding a new user, and then use the Indeni WebUI to store the credential in the relevant Credential Profile.
In 8.2.2, Indeni creates a session and interacts with BlueCat Address Manager via RESTful v2 API. Indeni authenticates with Address Manager through bearer tokens.
We recommend that you create a unique Indeni user in Address Manager for auditing and security purposes. To add a user, go to the Address Manager Administration tab, click Users and Groups.
Step 1: Add the API user’s name (Indeni) in the USERNAME field.
Step 2: Under Authentication, enter the API user’s password in the Password and Confirm Password fields.
Step 3: Under User Access, select the Administrator check box.
Step 4: Select API from the Access Type drop-down menu.
Step 5: Click Add at the bottom of the page.
Indeni Server Configuration
Step 5: Click on Devices icon on the side-panel to the left-hand side of the screen
Step 6: Select Credential Sets, and create a new credential set
Step 7: Select Username + Password
Step 8: Enter the username (Indeni) and credentials you created in Address Manager
Step 9: Select the HTTPS check box.
Step 10: Click Add
Note: In 8.2.2, you have an option to push DHCP statistics information to the Indeni Server.
DHCP Statistics (Optional)
The DHCP Statistics service uses a monitoring module that runs on the DNS/DHCP Server to collect statistics by sniffing DHCP packets. When enabled, DHCP statistics information is collected by the DNS/DHCP server based on the configured parameters and sent to a configured destination. You can choose to send the information to an Indeni server.
We always recommend you defer to the vendor’s documentation for configuration. Please follow the instructions for configuring DHCP Statistics in BluCat Address Manager (BAM) here.
Configuring the DHCP Statistics Service in BAM
- BAM → Servers → [Select a BDDS server]
- Click on the BDDS Server name and select Service Configuration in the drop-down menu
- In the Service Type drop-down menu select DHCP Statistics
Example configuration:
Output URI
The output URI is the Indeni HTTP endpoint that will be consuming the DHCP statistics information. Two modes are supported.
1 – Without authorization (default)
- Output URI format: http://<indeni-vm-ip-address>:8088/server/api/v1/metrics
- Bearer token not required
- TLS not required
2 – With authorization (AuthZ)
- Output URI format: https://<indeni-vm-ip-address>:8443/server/api/v1/metrics
- Enter the bearer token used to authenticate with the HTTP endpoint
- TLS required
Indeni Server Configuration
Note: For DHCP statistics collection, the device pushes telemetry information to the Indeni HTTP endpoint, instead of Indeni polling data from the device. You must ensure the device can connect to the Indeni server using port 8088 (non-AuthZ mode) or 8443 (AuthZ mode).
Enabling AuthZ and obtaining a token
Authorization is a one-time configuration needed to protect the API. Follow these three steps using the curl command to enable authorization:
- Reset the admin role password (only needed once effectively bootstrapping AuthZ)
- Create the bdds-integrator role (only needed once)
- Obtain tokens with the bdds-integrator role’s authorization (repeat to get a new token if desired)
Step 1 – Reset the admin role’s password
We share a one-time password (OTP) with the customer to bootstrap the admin role (this is the same as bootstrapping AuthZ. After resetting the admin’s role password, authorization is mandatory to access the API and access over http at port 8088 is disabled.
curl -k -H "Authorization: Basic YWRtaW46bXlwYXNzd29yZAo=" https://<ip-address>:8443/auth/reset/admin
In this example, the OTP would be YWRtaW46bXlwYXNzd29yZAo= (note that this isn’t the actual OTP)
The response has the following form returning the new admin role’s password and authorization header. At this point, AuthZ is bootstrapped.
Step 2 – Create the bdds-integrator role
The admin role is for administrating roles and tokens generated with the admin role. The User needs to create a designated role to get the correct token for DHCP, the bdds-integrator role.
curl -k -d '{"role":"bdds-integrator"}' -H "Authorization: Basic YWRtaW46bjZjSEs3ZVpDeE9QbnNCU1RrOWc=" https://<ip-address>:8443/auth/role
Using the Authorization provided in the admin role reset step, create the bdds-integrator role as in the example above.
The response has the following form returning the bdds-integrator role’s password and authorization header.
Step 3 – Obtaining tokens with the bdds-integrator roles’ authorization
Using the bdds-integrator role’s authorization we can request Bearer tokens for pushing DHCP metrics to Indeni. Note that these tokens have an expiry date. You can request any expiry for your tokens by adding a ttl query parameter to the request. For example, adding ttl=26280h will produce tokens that will expire in 3 years from the issuedAt date.
curl -k -H "Authorization: Basic YmRkcy1pbnRlZ3JhdG9yOm15U2VjdXJlUGFzc3dvcmQ=" https://<ip-address>:8443/auth/token?ttl=26280h
Response: