The IBM API Connect Analytics Policy enables integration with the IBM API Connect Analytics subsystem to offload and process API activity data. By configuring this policy, users can enhance observability and analyze data in the Traceable SaaS platform, enabling better decision-making and security insights.
Before you begin
Ensure the following requirements are met before proceeding:
Access Requirements:
IBM API Connect Administrator privileges.
Networking:
IBM API Connect → TPA: Open a connection to the TPA host on port
5443.TPA → Traceable SaaS: Open a connection to
https://api.apac.traceable.aion port443.
Configuration:
Configure the IBM API Connect activity log policy to capture payloads. For more details, see the IBM documentation.
Ensure sufficient storage provisioning to handle the additional logs generated by this configuration in alignment with your internal data retention policies.
Make sure that the Traceable Platform agent (TPA) is installed. For more information, see the Installation section.
Required Information:
TPA VM IP/Hostname.
Access to the TPA certificate for Base64 conversion.
Download the policy from Traceable’s download site.
Installation
The installation process consists of two steps:
Setting up TLS communication with TPA
Deploying the offloading policy
Step 1 — Setting up TLS communication with TPA
Convert the TPA certificate to Base64 format. Use a Base64 conversion tool or command (e.g.,
base64in Linux) to encode the certificate:base64 /path/to/tpa_certificate.crt > tpa_certificate_base64.txtCreate a
secret.yamlfile with the following structure:apiVersion: v1 kind: Secret metadata: # Update the name to your preferred secret name name: offload-certificates data: cacert.crt: "<Base64 Converted Secret>"Apply the secret in the namespace where the analytics cluster is installed:
kubectl apply -f secret.yaml -n <namespace>
Step 2 — Deploy the offloading policy
Follow these steps to deploy the offloading policy. You can complete the steps using either the Red Hat GUI or CLI. The following steps use the CLI to deploy the policy.
Download the current
analyticsclusterconfiguration for the IBM API Connect Analytics subsystem. This file contains the existing settings for the analytics subsystem.oc get analyticscluster -n <namespace> -o yaml > analyticscluster.yamlModify the configuration:
Open the downloaded
analyticscluster.yamlfile in a text editor.Look for the
spec.analyticssection:If the
external.offloadsubsection does not exist, create it.
Add the following configuration to enable offloading:
spec: analytics: external: offload: enabled: true filter: >- if "apicapievent" in [tags] { ruby { code => " require 'base64'; request_method = event.get('[request_method]'); source_port = 0; path = event.get('[uri_path]'); scheme = event.get('[request_protocol]'); source_address = event.get('[client_ip]'); host = event.get('[host]'); request_headers = event.get('[request_http_headers]'); request_headers_hash = {}; request_headers.each do |header| header.transform_keys!(&:downcase); request_headers_hash.merge!(header); end; request_body = event.get('[request_body]'); encoded_request_body = Base64.strict_encode64(request_body); response_body = event.get('[response_body]'); encoded_response_body = Base64.strict_encode64(response_body); status_code = event.get('[status_code]').split(' ')[0]; response_headers = event.get('[response_http_headers]'); response_headers_hash = {}; response_headers.each do |header| header.transform_keys!(&:downcase); response_headers_hash.merge!(header); end; message = { 'request' => { 'method' => request_method, 'source_port' => source_port, 'path' => path, 'scheme' => scheme, 'source_address' => source_address, 'host' => host, 'headers' => request_headers_hash, 'body' => encoded_request_body, }, 'response' => { 'status_code' => status_code, 'body' => encoded_response_body, 'headers' => response_headers_hash } }; event.set('[@metadata][newevent]',message.to_json)" } } output: | http { url => "<REPLACE TPA IP HERE>:5443/ext_cap/v1/req_res_cap" http_method => "post" codec => "json" ssl_certificate_authorities => "/etc/velox/external_certs/offload/cacert.crt" content_type => "application/json" id => "offload_http" format => "message" message => "%{[@metadata][newevent]}" } secretName: offload-certificatesReplace placeholders such as
<REPLACE TPA IP HERE>with the actual TPA IP.Apply the updated configuration:
Upload the updated configuration to the IBM API Connect Analytics subsystem:
oc edit analyticscluster -n <namespace>Copy the modified
spec.analytics.external.offloadsection from your local file and paste it into the appropriate section in the editor.Save and exit the editor.
Deploying the changes
To enable the offloading policy:
Apply the Configuration: After saving the changes in the
analyticsclusterconfiguration, Kubernetes will automatically apply the updates.Verify the Deployment: Check the status of the analytics cluster. Ensure the cluster status is healthy, and no errors are reported.
kubectl get analyticscluster -n <namespace>Restart Pods (if Necessary): If the changes do not take effect immediately, restart the relevant pods:
kubectl rollout restart deployment <analytics-cluster-deployment-name> -n <namespace>Verify in Traceable SaaS: Log in to the Traceable SaaS platform and navigate to Analytics → Spans. Confirm that new spans are being reported.
Verification
To confirm the deployment:
Log in to the Traceable SaaS platform.
Navigate to Analytics → Spans.
Verify that new spans are being reported.
Uninstall
To remove the offloading policy:
Edit the
analyticsclusterconfiguration:kubectl edit analyticscluster -n <namespace>Remove the offloading policy sections added earlier.
Apply the changes by saving and exiting the editor.
Verify the uninstallation:
Ensure the cluster status is healthy using the following:
kubectl get analyticscluster -n <namespace>