Hitachi

JP1 Version 11 JP1/Performance Management - Remote Monitor for Virtual Machine Description, User's Guide and Reference


2.5.5 For Docker environment

If the virtual environment to be monitored is a Docker environment, communication between PFM - RM for Virtual Machine and the virtual environment can be encrypted using SSL/TLS. To use SSL/TLS for communication with the Docker environment, the following certificates and passwords are required:

For the physical server running Docker environment to be monitored:
  • Root certificate of the certificate authority

    The root certificate of the certificate authority is needed. This must be the same certificate authority that issues the certificate of the physical server.

  • Certificate of the physical server running Docker environment

    A certificate issued to the physical server is needed. The certificate is issued to the host name of the physical server. One such certificate is required for each physical server running Docker environment.

  • Private key for the certificate of the physical server

    The private key that was used when the certificate of the physical server was issued is needed.

For the Windows server running PFM - RM for Virtual Machine:
  • Root certificate of the certificate authority

    The root certificate of the certificate authority is needed. This must be the same certificate authority that issues the certificate of the physical server.

  • Client certificate used for connecting with Docker environment (Personal Information Exchange format)

    The client certificate must be issued by the certificate authority that issued the certificate of the physical server. If the issuer of the client certificate differs from the issuer of the certificate of the physical server, monitoring cannot be performed. When the certificates of all physical servers are issued by the same certificate authority, monitoring can be performed with a single client certificate. When the certificates of the physical servers are issued by different certificate authorities, a client certificate must be issued by each of those certificate authorities.

  • Password for Personal Information Exchange

    For client certificates with Personal Information Exchange format, a password is set to protect the private key. This password is required when you register a certificate with the Windows certificate store.

The following figure shows how to place each certificate.

Figure 2‒9: Placement of certificates

[Figure]

On the Docker side, the root certificate file, the server certificate file, and the server private key file are specified as arguments when the Docker Engine is started.

PFM - RM for Virtual Machine uses the certificates and private keys that have been registered with the Windows certificate store.


(1) Settings of target for monitoring

On the physical server, configure the Docker daemon to use the certificates and to accept TCP connections, and then change the firewall settings of the physical server.

(a) Placing certificates

Place the root certificate, server certificates, and private keys in a location where the certificates and keys can be accessed by the Docker Engine.

An example of placement under /etc/docker/certs.d:

Root certificate : /etc/docker/certs.d/ca.pem

Server certificate : /etc/docker/certs.d/server-cert.pem

Server private key : /etc/docker/certs.d/server-key.pem
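The requirements listed above (server certificate and client certificate issued by the same certificate authority, server private key belonging to the server certificate, PFX protected by a password) can be verified before the files are placed under /etc/docker/certs.d. The following POSIX sh script is an added example and is not part of the Hitachi manual; it assumes that the openssl command-line tool is installed, and the CA name, the host name docker-host.example.test, the directory and the password are all constructed for the example.

```sh
#!/bin/sh
# Added example (not part of the Hitachi manual). Builds a throwaway CA,
# server certificate and client PFX with the openssl command-line tool, then
# runs the checks implied by the manual's requirements: the server certificate
# and the client certificate must chain to the same root certificate, the
# server private key must belong to the server certificate, and the PFX must
# open with its password. All names and the passphrase are constructed.

# make_test_pki DIR HOSTNAME PFX_PASSWORD
# Creates ca.pem, server-cert.pem, server-key.pem and client.pfx under DIR.
make_test_pki() {
    dir=$1; host=$2; pfxpass=$3
    mkdir -p "$dir"
    # Self-signed root certificate of the (constructed) certificate authority.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Monitoring CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
    # Server certificate: the subject is the host name of the physical server.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/server-cert.pem" 2>/dev/null
    # Client certificate from the same CA, exported as a password-protected
    # PFX (Personal Information Exchange) for the PFM - RM host.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pfm-rm-client" \
        -keyout "$dir/client-key.pem" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/client-cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/client-cert.pem" \
        -inkey "$dir/client-key.pem" -certfile "$dir/ca.pem" \
        -passout "pass:$pfxpass" -out "$dir/client.pfx"
    # Private keys must not be readable by other accounts on the server.
    chmod 600 "$dir/ca-key.pem" "$dir/server-key.pem" "$dir/client-key.pem"
}

# Check 1: the server certificate chains to ca.pem (same CA requirement).
server_cert_ok() {
    openssl verify -CAfile "$1/ca.pem" "$1/server-cert.pem" >/dev/null 2>&1
}

# Check 2: the server private key belongs to the server certificate
# (compare the public key embedded in each).
server_key_matches() {
    cert_pub=$(openssl x509 -in "$1/server-cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/server-key.pem" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}

# Check 3: the client PFX opens with the given password, its certificate
# chains to ca.pem, and its issuer DN equals the server certificate's issuer.
# (The DN comparison mirrors the manual's wording; the chain verification is
# the check that actually proves the same CA key signed both.)
client_pfx_ok() {
    dir=$1; pfxpass=$2
    client_cert=$(openssl pkcs12 -in "$dir/client.pfx" -clcerts -nokeys \
        -passin "pass:$pfxpass" 2>/dev/null) || return 1
    printf '%s\n' "$client_cert" \
        | openssl verify -CAfile "$dir/ca.pem" >/dev/null 2>&1 || return 1
    server_issuer=$(openssl x509 -in "$dir/server-cert.pem" -noout -issuer)
    client_issuer=$(printf '%s\n' "$client_cert" | openssl x509 -noout -issuer)
    [ "$server_issuer" = "$client_issuer" ]
}

# Usage: sh check-certs.sh DIR PFX_PASSWORD   (runs all three checks on DIR)
if [ "$#" -eq 2 ]; then
    server_cert_ok "$1" && server_key_matches "$1" && client_pfx_ok "$1" "$2" \
        && echo "all certificate checks passed"
fi
```

Run the three check functions against the real /etc/docker/certs.d directory (and the PFX intended for the PFM - RM host) before restarting the Docker Engine; a failure in check 3 is the condition under which the manual states that monitoring cannot be performed.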

(b) Enabling TCP connection and SSL/TLS

Set a TCP port number and certificates necessary for encrypted communication so that you can connect with the Docker environment remotely.

Add -H, --tlsverify, --tlscacert, --tlscert, and --tlskey options as arguments of OPTIONS for the /etc/sysconfig/docker file.

An example in which the certificate files are placed under /etc/docker/certs.d and connections are accepted on port number XXXX is shown below.
OPTIONS='--selinux-enabled --log-driver=journald
  --tlsverify --tlscacert=/etc/docker/certs.d/ca.pem
  --tlscert=/etc/docker/certs.d/server-cert.pem
  --tlskey=/etc/docker/certs.d/server-key.pem
  -H unix:///var/run/docker.sock -H tcp://0.0.0.0:XXXX'

To enable the changes, restart the Docker Engine.

An example of a command to restart the Docker daemon is shown below.
systemctl restart docker
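The OPTIONS line above is the safe shape: a -H tcp:// listener is only ever enabled together with --tlsverify and the three certificate options. The following POSIX sh check is an added example and is not part of the Hitachi manual; it reads a sysconfig file in the single-quoted OPTIONS='...' form shown above and refuses a TCP listener that lacks --tlsverify or whose certificate files are missing, so that it can be run before the Docker Engine is restarted.

```sh
#!/bin/sh
# Added example (not part of the Hitachi manual): lint the OPTIONS line of
# /etc/sysconfig/docker before restarting the Docker Engine. A daemon that
# listens on -H tcp://... without --tlsverify accepts unauthenticated remote
# API calls, so the check rejects that combination and also confirms that
# every certificate file named in the options exists and is readable.

# docker_options FILE
# Print the value of OPTIONS='...' from FILE, folded onto one line
# (the manual's example spans several lines inside the single quotes).
docker_options() {
    tr '\n' ' ' < "$1" | sed -n "s/.*OPTIONS='\([^']*\)'.*/\1/p"
}

# check_docker_options FILE
# Return 0 when the options are acceptable for remote monitoring, 1 otherwise.
check_docker_options() {
    opts=$(docker_options "$1")
    # No TCP listener means the API is reachable only via the local socket.
    case " $opts " in
        *" -H tcp://"*|*" -H=tcp://"*|*" --host tcp://"*|*" --host=tcp://"*) ;;
        *) echo "no TCP listener configured; nothing to check"; return 0 ;;
    esac
    # A TCP listener must require client certificates.
    case " $opts " in
        *" --tlsverify "*|*" --tlsverify=true "*) ;;
        *) echo "ERROR: TCP listener without --tlsverify (unauthenticated API)"
           return 1 ;;
    esac
    # Each certificate option must be present and point at a readable file.
    for opt in --tlscacert --tlscert --tlskey; do
        file=$(printf '%s\n' "$opts" | sed -n "s/.*$opt=\([^ ]*\).*/\1/p")
        if [ -z "$file" ]; then
            echo "ERROR: $opt is missing"; return 1
        fi
        if [ ! -r "$file" ]; then
            echo "ERROR: $opt points to unreadable file $file"; return 1
        fi
    done
    echo "OK: TCP listener requires TLS client certificates"
    return 0
}

# Usage: sh check-docker-options.sh /etc/sysconfig/docker
if [ "$#" -gt 0 ]; then
    check_docker_options "$1"
fi
```

The check is deliberately strict about --tlsverify rather than --tls alone: --tls only encrypts the connection, whereas --tlsverify is what makes the daemon refuse clients that cannot present a certificate issued by the configured certificate authority, which is the property the monitoring setup in this subsection relies on.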

(c) Changing the firewall settings

If the firewall is enabled, change the settings to allow the remote connection.

An example for port number XXXX is shown below.
firewall-cmd --permanent --zone=public --add-port=XXXX/tcp
firewall-cmd --reload

(2) Setting PFM - RM for Virtual Machine

When you set the monitoring target for PFM - RM for Virtual Machine, set the following parameters:

To enable encrypted communication with the Docker environment, register certificates.

(a) Registering a root certificate

  1. In Windows, choose Start and then Run.

    The Run dialog box opens.

    [Figure]

  2. In the Run dialog box, enter mmc and click OK.

    Management Console starts.

    [Figure]

  3. In Console1, choose File and then Add/Remove Snap-in.

    The Add/Remove Snap-in dialog box opens.

    [Figure]

  4. Choose Certificates and then click Add.

    The Certificates snap-in dialog box opens.

    [Figure]

  5. Choose Computer account and then click Next.

    The Select Computer dialog box opens.

    [Figure]

  6. Choose Local computer and click Finish.

    [Figure]

  7. Check that Certificates (Local Computer) is added to Selected snap-ins and click OK.

  8. Expand Certificates (Local Computer) and right-click Certificates under Trusted Root Certification Authorities. Then click All Tasks and Import from the displayed menu items.

    [Figure]

    The Certificate Import Wizard dialog box opens.

    [Figure]

  9. Click Next.

    [Figure]

  10. In the File name text box, enter the name of the certificate file to import, and then click Next.

    Here, C:\Certs\ca.pem is entered as an example.

    Check that the certificate store is set as Trusted Root Certification Authorities.

    [Figure]

  11. Choose Place all certificates in the following store, and then click Next.

    [Figure]

  12. Click Finish.

    [Figure]

  13. Click OK and check that the certificate has been successfully imported.

(b) Registering a client certificate

Log on to the PFM - RM host as the user specified as HostUserID in the instance environment settings.

  1. In Windows, choose Start and then Run.

    The Run dialog box opens.

    [Figure]

  2. In the Run dialog box, enter mmc and click OK.

    Management Console starts.

    [Figure]

  3. In Console1, choose File and then Add/Remove Snap-in.

    The Add/Remove Snap-in dialog box opens.

    [Figure]

  4. Choose Certificates and then click Add.

    The Certificates snap-in dialog box opens.

    [Figure]

  5. Select My user account and click Finish.

    [Figure]

  6. Check that Certificates - Current User is added to Selected snap-ins and click OK.

  7. Expand Certificates - Current User and right-click Certificates under Personal. Then click All Tasks and Import from the displayed menu items.

    [Figure]

    The Certificate Import Wizard dialog box opens.

    [Figure]

  8. Click Next.

    [Figure]

  9. In the File name text box, enter the name of the certificate file to import, and then click Next.

    Here, C:\Certs\client.pfx is entered as an example.

    [Figure]

  10. Specify the password of the Personal Information Exchange file, and then click Next.

    Check that the certificate store is set as Personal.

    [Figure]

  11. Choose Place all certificates in the following store, and then click Next.

    [Figure]

  12. Click Finish.

    [Figure]

  13. Click OK and check that the certificate has been successfully imported.