Remote Integration Client
The SD Elements integration process normally requires direct network access to the server it integrates with. In this case, the server is considered to be accessible to SD Elements. However, if a server is hosted in a different network, or restrictions prevent direct communication, the expected configuration is not possible: the server is inaccessible to SD Elements. By using the Remote Integration Client, SD Elements can integrate with systems hosted on a different network.
The Remote Integration Client is an application supported by Security Compass and is available from SD Elements Support or your Sales Engineer. The following image illustrates the typical configuration using the Remote Integration Client:
- SD Elements instance accessible from the Internet.
- Remote Integration Client running on a private network. The Remote Integration Client must have access to SD Elements and the ALM services to integrate with (Jira, Team Foundation Server, Fortify SSC, Active Directory, and so on).
Allow integration between SD Elements (SaaS) and another system:
- The server connector should be marked "inaccessible" in System → Integration.
- Install the Remote Integration Client on a computer having network access to the SD Elements server and the server running the integrated service.
- Teams set up project integrations using the web UI as usual, including frequency.
- The Remote Integration Client must be scheduled to run on an interval that matches the settings chosen by the SD Elements project teams.

- The application authenticates to the SD Elements server over HTTPS using an API token.
- The application retrieves the list of integration jobs that the user has permission to view and run.
- Details of each integration job are retrieved from the SD Elements server, including ALM, scanner, and LDAP hostname and credentials.
- Each job is executed and its result (success or failure) is returned to the SD Elements server.
Requirements
The Remote Integration Client has the following requirements.
- ALM sync:
  - Permission Global Roles → Edit ALM connections.
- Scanner import:
  - Permission Global Roles → Edit verification connections.
  - Permissions Project Roles → Sync with ALM tools, and Project Roles → Verify tasks for each project.
- LDAP Sync:
  - Access the SD Elements server as a user with superuser privileges.
- TCP/IP access via port 443 (HTTPS) to the SD Elements server.
- CentOS7/RHEL7 Linux, or Windows (Desktop/Server).
- If using CentOS6/RHEL6, you may have to configure EPEL and IUS as additional repositories.
- Network connectivity via port 443 (HTTPS) to the integration server.
Installation
Remote Integration Client supports Windows or Linux systems.
- Download and run the installer.
The integration process runs periodically using the Windows Task Scheduler.
Contact SD Elements support with your version of SD Elements to add the Remote Integration Client to your customer download account.
The Linux Remote Integration Client is distributed as a set of wheel packages that are preferably installed in a Python Virtual Environment. This enables the Remote Integration Client to be installed without modifying the system’s Python installation.
- The python-virtualenv package must be installed in order to create Python virtual environments.
- Access to updates.sdelements.com using provided customer account credentials is required in order to download the Remote Integration Client.
- Create a virtual environment for running the Remote Integration Client:
    virtualenv ric-env
- Activate the virtual environment:
    source ric-env/bin/activate
- Extract the Remote Integration Client package and ensure it is accessible to the user running the Remote Integration Client. Next, enter the extracted directory:
    tar -xzvf remote-integration.tar.gz && cd sdetools
- Get the directory listing:
    pwd
    > /home/ricuser/sdetools
    ls
    > dist sdetools-YOUR.VERSION.HERE-py2-none-any.whl
  Note the filename, "sdetools-YOUR.VERSION.HERE-py2-none-any.whl".
- Install the wheel package using pip:
    pip install --no-index --find-links=dist/ sdetools-YOUR.VERSION.HERE-py2-none-any.whl
- While the virtual environment is activated, you can call the sderic.py command:
    sderic.py help
Troubleshooting
Assuming a user has the proper project permissions, any errors that occur while running integration steps are displayed in the web interface. Further information about integrating with third-party systems can be found by adding the -d (debug) command-line argument.
Windows
Import a trusted CA certificate to the Windows Certificate Store by double-clicking it and following the Certificate Import Wizard.
Linux
To obtain a remote self-signed server certificate, use openssl:
openssl s_client -connect [SD Elements or ALM URL]:443 <<<'' | openssl x509 -out /tmp/cacert.pem
To manually add an SSL certificate into the system CA bundle, first determine your Linux distribution:
As a user with sudo permissions on CentOS/RHEL, where your certificate exists as /tmp/cacert.pem:
    sudo cp /tmp/cacert.pem /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust enable && sudo update-ca-trust extract
As a user with sudo permissions on Ubuntu, where your certificate exists as /tmp/cacert.pem:
    sudo apt-get install ca-certificates
    # update-ca-certificates only picks up files ending in .crt
    sudo cp /tmp/cacert.pem /usr/local/share/ca-certificates/cacert.crt
    sudo update-ca-certificates --fresh
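A check to run between fetching /tmp/cacert.pem and copying it into the trust store, as an added example that is not part of the SD Elements documentation: it accepts the certificate only if its SHA-256 fingerprint equals one obtained out of band from the server's administrator. The function names, the script name in the usage comment and the one-day expiry margin are assumptions of this example.

```shell
#!/bin/sh
# Added example: gate /tmp/cacert.pem on an out-of-band fingerprint before
# it is copied into the system trust store. Function names are illustrative.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeed if the certificate stays valid for the next $2 seconds (default: one day).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-86400}" >/dev/null 2>&1
}

# verify_cert PEM_FILE EXPECTED_SHA256
# Returns 0 on a match, 1 on mismatch, 2 if unreadable, 3 if expired or expiring.
verify_cert() {
    vc_pem=$1
    # Accept the expected value with or without colons, in either case.
    vc_expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    vc_actual=$(cert_fingerprint "$vc_pem")
    if [ -z "$vc_actual" ]; then
        echo "not a readable PEM certificate: $vc_pem" >&2
        return 2
    fi
    if ! cert_not_expiring "$vc_pem"; then
        echo "certificate is expired or expires within a day: $vc_pem" >&2
        return 3
    fi
    if [ "$vc_actual" != "$vc_expected" ]; then
        echo "fingerprint mismatch, server presented: $vc_actual" >&2
        return 1
    fi
    # Show what is about to be trusted.
    openssl x509 -in "$vc_pem" -noout -subject -issuer -enddate
}

# Usage (hypothetical script name):
#   ./verify-cert.sh /tmp/cacert.pem <fingerprint from the server's administrator>
if [ "$#" -eq 2 ]; then
    verify_cert "$1" "$2"
    exit $?
fi
```

Copy the file into the CA anchors directory only when the script exits with status 0.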
python sderic.py command_driver --sde_api_token=APIv2_CONNECTION_STRING --command_params='{"alm_validate_cert":"False"}'
python sderic.py command_driver --filter_connections=alm-## --sde_api_token=APIv2_CONNECTION_STRING
Where ## is a database ID. This value is not shown in the web UI, but you can find it in the project connection links:
On an SDE Project > Integration page, there is a list of connections, each with a "Sync" button. Click the button to start syncing the tasks over to an ALM (such as Jira or Rally). Examine the links of each connection. These links have a form similar to:
https://your.server.com/bunits/general/demo-application/demo-project/integration/alm/335
When you find the integration you want to run, examine its URL. It should look similar to the one above. In this example you would use 335 for ##.
Connect through a proxy
The Remote Integration Console can normally detect when it should connect through a proxy server. In cases where it cannot, you can follow the steps below:
On Windows, open "integrate.bat" in the application directory. By default it is located at:
C:\Users\YOUR-NAME\AppData\Local\Programs\SD Elements Remote Integration\integrate.bat
Add the proxy’s server and port to the top of the file:
SET https_proxy=http://someproxy.com:3128
On Linux, before calling the "python sderic.py" process, set the "https_proxy" environment variable to the proxy’s server and port:
export https_proxy=http://someproxy.com:3128
Note: Try HTTPS_PROXY if https_proxy does not give the desired behavior. If connecting over http to the server, replace https_proxy with http_proxy.
Bypass the proxy for certain hosts
When a proxy is configured, all connections flow through it. There are situations when the Remote Integration Client needs to connect through a proxy to access SD Elements, but connect normally to an internal ALM server (internal.alm.server): in this case, set the no_proxy environment variable.
On Windows, open "integrate.bat" in the application directory. By default, it is located at:
C:\Users\YOUR-NAME\AppData\Local\Programs\SD Elements Remote Integration\integrate.bat
Add the following line, including your internal server name (FQDN or IP):
SET no_proxy=internal.alm.server
On Linux, before calling the "python sde.py" process, set the "no_proxy" environment variable, including your internal server name (FQDN or IP):
export no_proxy=internal.alm.server
Note: Try NO_PROXY if no_proxy does not give the desired behavior.
Note: Add additional servers to the no_proxy setting by separating each FQDN or IP with a comma.
Scheduling ongoing integration
The Remote Integration Client relies on the Windows Task Scheduler for scheduled integration runs. During installation, the installer will prompt a user to automatically create Windows Task Scheduler entries for hourly, daily, weekly or monthly frequencies.
By using the filtering options outlined above, it is possible to schedule ongoing integration to match the SD Elements user interface.
On Unix-like environments, the following crontab can be used to run jobs consistent with the UI. In the terminal type:
crontab -e
Then paste the following crontab:
# Hourly (On the hour)
0 * * * * [virtualenv path]/bin/python [virtualenv path]/bin/sderic.py command_driver --sde_api_token=APIv2_CONNECTION_STRING --filter_frequency=hourly > /path/to/output.log 2> /path/to/debug.log
# Daily (0030)
30 0 * * * [virtualenv path]/bin/python [virtualenv path]/bin/sderic.py command_driver --sde_api_token=APIv2_CONNECTION_STRING --filter_frequency=daily > /path/to/output.log 2> /path/to/debug.log
# Weekly (Mondays at 0130)
30 1 * * 1 [virtualenv path]/bin/python [virtualenv path]/bin/sderic.py command_driver --sde_api_token=APIv2_CONNECTION_STRING --filter_frequency=weekly > /path/to/output.log 2> /path/to/debug.log
# Monthly (First of the month at 0230)
30 2 1 * * [virtualenv path]/bin/python [virtualenv path]/bin/sderic.py command_driver --sde_api_token=APIv2_CONNECTION_STRING --filter_frequency=monthly > /path/to/output.log 2> /path/to/debug.log
Update the paths to reflect the relevant locations.
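A wrapper that the crontab entries above can call instead of the full command line, as an added example that is not part of the SD Elements documentation: it reads the API token from a file only its owner can read, so the token does not sit in the crontab, and appends to one log pair per frequency. The /opt/ric and /var/log/ric paths and the RIC_* variable names are assumptions of this example; the token is still passed to sderic.py with --sde_api_token, the only mechanism this page shows.

```shell
#!/bin/sh
# Added example (hypothetical wrapper, e.g. /opt/ric/run-ric.sh).
# A crontab entry then becomes:  0 * * * * /opt/ric/run-ric.sh hourly
RIC_ENV=${RIC_ENV:-/opt/ric/ric-env}                      # assumed virtualenv path
RIC_TOKEN_FILE=${RIC_TOKEN_FILE:-/opt/ric/sde_api_token}  # assumed path, chmod 600
RIC_LOG_DIR=${RIC_LOG_DIR:-/var/log/ric}                  # assumed log directory

# Succeed only if the file is readable and has no group or other permissions.
token_file_is_private() {
    [ -r "$1" ] || return 1
    # Characters 5-10 of the `ls -l` mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# run_ric FREQUENCY: run the jobs for one of the frequencies used on this page.
run_ric() {
    freq=$1
    case $freq in
        hourly|daily|weekly|monthly) ;;
        *) echo "unknown frequency: $freq" >&2; return 64 ;;
    esac
    if ! token_file_is_private "$RIC_TOKEN_FILE"; then
        echo "refusing to run: $RIC_TOKEN_FILE must be mode 600" >&2
        return 77
    fi
    token=$(cat "$RIC_TOKEN_FILE")
    mkdir -p "$RIC_LOG_DIR" || return 73
    # Append, one log pair per frequency, so runs do not overwrite each other.
    "$RIC_ENV/bin/python" "$RIC_ENV/bin/sderic.py" command_driver \
        --sde_api_token="$token" --filter_frequency="$freq" \
        >>"$RIC_LOG_DIR/$freq.out.log" 2>>"$RIC_LOG_DIR/$freq.debug.log"
}

if [ "$#" -eq 1 ]; then
    run_ric "$1"
    exit $?
fi
```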