-
Title
Redis Agent Pre-Configuration -
Description
What are the pre-configuration requirements for the Redis cartridge?
-
Resolution
Configuration of the Redis Enterprise environment consists of creating or identifying an existing user with the appropriate permissions for accessing the REST API
Redis Agent User Permissions
Foglight requires a user with one of the following Cluster Management Access roles:- DB Member
- Cluster Viewer
- Cluster Member
- Admin
It is recommended to use one of the relatively less powerful roles DB Member or Cluster Viewer, if possible. For a full description of each role see the Redis Enterprise documentation at https://docs.redis.com/latest/rs/references/rest-api/permissions/
No Data Access Controls (Redis ACLs) are required.
To create a user with REST API permissions, open the Redis management UI in a browser and click on the “access control” section at the top. On the “users” tab, click the plus sign below the users table. Give the new user a name, email as appropriate, and password. For role, select one of the four roles given above. Finally, save the user.
Enable Certificate Authentication
To communicate securely with the Redis Enterprise REST API endpoint, the Foglight Agent Manage requires a copy of the root certificate in its truststore. When Redis Enterprise is installed, it is configured with a self-signed certificate. This certificate can be found on any database node at the following path:
/etc/opt/redislabs/api_cert.pem
Copy this certificate, if using the default, or the production certificate if one has been installed. Then import the certificate into a truststore to be used by the FglAM. If the FglAM is already configured to use a truststore, import into that truststore. One example of generating a truststore for use with Foglight, given below, is to create a JKS truststore using keytool. Set the store and certificate filenames, alias name, and password as appropriate.
keytool -importcert \
-keystore truststore.jks\
-alias redis__api_cert \
-file api_cert.pem \
-keypass \
-storepass \
-storetype JKS \
-noprompt
Next, edit the baseline.jvmargs.config file in the /state/default/config directory by adding the following parameters. Set the file paths and passwords appropriate for your system.
vmparameter.0 = "-Djavax.net.ssl.trustStore=/path/to/truststore.jks";
vmparameter.1 = "-Djavax.net.ssl.trustStorePassword=changeit";
vmparameter.2 = "-Djavax.net.ssl.trustStoreType=JKS";
Escape any quotes with a backslash (‘\’). On an Agent Manager installed on Windows, use forward slashes in the file paths, like so:
vmparameter.0 = "-Djavax.net.ssl.trustStore=\"C:/path/to/truststore\"";
Finally, restart the Foglight Agent Manager to load the modified JVM parameters. The Foglight for Redis agent may now be run with the “Disable certificate authentication?” checkbox unchecked in the Agent Status Properties settings.