Configuring the application stack

Configure the application stack settings.

Before you begin

If you do not want to obtain the application stack IP dynamically, you should have the following information at hand:
  • The static IP address for the application stack
  • The netmask information for this IP address
  • The IP address of the default network gateway for the IP subnet

Remember that IP addresses must be unique within your IBM® StoredIQ® deployment.

If you want to configure email notification with an authenticated user, make sure to complete the instructions in Configuring authenticated users for SMTP notifications before configuring the SMTP settings.

If you plan to enable the synchronization with a governance catalog, a working deployment of one of these products must be available:
  • IBM Information Server. The minimum required version is Version 11.7.0.
  • IBM Cloud Private for Data. The minimum required version for full support is Version 1.2.
For details about this feature, see Integrating with a governance catalog.

Procedure

  1. In vSphere Client, power on the virtual machine.
  2. Open the console to launch the configuration wizard.
    Depending on your version of vSphere Client, you might have either a Launch Console or an Open Console link to do so.

    The wizard is text based. To work in the wizard, use the Tab key to navigate, the Space bar to select items, and the Enter key to apply your selections.

  3. Accept the CentOS and IBM license agreements when prompted.
  4. In the Password Utility window, enter the new passwords for the root user and the siqadmin user twice and press Enter.
  5. Within the Corporate Network window, select either Static IP or Obtain IP via DHCP.
    • If you select the Static IP option, complete these fields to configure the static address:
      Parameter: Value
      Hostname: The fully qualified host name
      IP Address: The IPv4 address of the application stack
      Netmask: The netmask for the assigned IP address
      Gateway: The IP address of the default gateway for the IP subnet
        Note: This is the network gateway, not the IBM StoredIQ gateway.
      Primary DNS Host: The IP address for the domain name server
    • If you select the Obtain IP via DHCP option, complete these fields:
      Parameter: Value
      Hostname: The fully qualified host name
      Primary DNS Host: The IP address for the domain name server
  6. Select the Restart services option to commit the IP and restart services.
  7. Click Next.

Within the Appstack configuration window, set these options.

  1. In the Domain name field, enter the fully qualified domain name (FQDN) or IP address of the application stack.
    This information is used in generated URLs, such as links to reports.

    If you enable the synchronization with the governance catalog, the domain name is used for building the base URLs for REST access to the application stack and for links to IBM StoredIQ artifacts that make these artifacts accessible from the governance catalog.

    Important: If you ever need to change the host name or IP address of the application stack (using the appstackcfg utility), you must restart all application stack services afterward by running the command systemctl restart appstack.target from the command line. Selecting the Restart appstack services option is not sufficient because this option triggers the restart of only the uwsgi and tomcat services.
  2. In the StoredIQ Gateway field, enter the IP address of the StoredIQ Gateway server.
  3. Set the following SMTP options to enable the application stack's capability to send and receive notification email.
    Tip: All SMTP settings are optional and can be configured during or after your deployment. If you choose to set or change the SMTP settings at a later time, see Configuring the application stack to send and receive reports and notifications.
    1. Set these options:
      Parameter: Value
      Server: The mail server's fully qualified domain name or IP address.
      Port: The SMTP port. The default port is 25.
      Username: The login user name. For the default configuration, leave this field empty. Otherwise, provide the user name of the user with which to authenticate to the Exchange server.
        • If you authorized any Authenticated User, you can use any user name and password as long as that individual is a valid member of the domain.
        • If you used a specific user, you must use the user name of the single user for which you granted permissions. This must be a fully qualified user name.
        In this case, you must have completed the instructions in Configuring authenticated users for SMTP notifications before configuring the SMTP settings.
      Password: The login password for the specified user. For the default configuration, leave this field empty.
    2. Select Enable TLS to enable TLS encryption, if it is supported by the mail server.
      For email notification with an authenticated user, enable this option.
    For additional information about SMTP notification, see Configuring authenticated users for SMTP notifications.
  4. Optional: Set these options to enable the synchronization of specific objects between IBM StoredIQ and a governance catalog.
    Tip: These settings can be configured during or after the deployment. If you choose to set or change the synchronization settings at a later time, see Configuring the application stack to synchronize data with the governance catalog.

    If the synchronization is not enabled, the values entered here are not validated. However, as soon as you enable synchronization, all entries must be valid. Otherwise, a warning is displayed and synchronization is implicitly disabled.

    1. Select Enable synchronization with the governance catalog and provide the following settings.

      If the data catalog to which you want to publish the IBM StoredIQ object resides in an IBM Cloud Private for Data environment, select the Server runs in IBM Cloud Private for Data checkbox.

      Provide or accept the values for these fields:
      Parameter: Value
      Host: The host name or IP address of the Information Server or IBM Cloud Private for Data installation.

      The specified host is part of the base URLs for REST access to the Information Governance Catalog or IBM Cloud Private for Data instance and for links to catalog artifacts that make these artifacts accessible from IBM StoredIQ. Therefore, you should provide the fully qualified domain name of the Information Server or IBM Cloud Private for Data host. If you specify a server port, this port also becomes part of such base URLs.

      In addition, the host name is also used to address the Information Server Apache Kafka server, which provides all Information Server events as Kafka messages. Specific Kafka messages are consumed by IBM StoredIQ and trigger the synchronization of objects from the governance catalog to IBM StoredIQ.

      Port: The port of the governance catalog server. This setting is optional.

      For connections to an Information Server 11.7 environment: To ensure proper communication, you should set the port to the HTTPS port that is defined in Information Server. The default port is 9443.

      For connections to an Information Server 11.7 FP1 (or later) environment without Information Server Enterprise Search installed: To ensure proper communication, you should set the port to the HTTPS port that is defined in Information Server. The default port is 9446.

      For connections to an Information Server 11.7 FP1 (or later) environment with Information Server Enterprise Search installed: Do not specify a port.

      For connections to IBM Cloud Private for Data, you can specify the IBM Cloud Private for Data port.

      Kafka port: The port of the Information Server Kafka server. The port setting can be overridden.

      For connections to an Information Server 11.7 environment: the Kafka port defined in Information Server. The default port is 59092.

      For connections to an Information Server 11.7 FP1 (or later) environment without Information Server Enterprise Search installed: the Kafka port defined in Information Server. The default port is 59092.

      For connections to an Information Server 11.7 FP1 (or later) environment with Information Server Enterprise Search installed: the Kafka port defined in Information Server. The default port is 9092.

      For connections to IBM Cloud Private for Data: the Kafka port defined in IBM Cloud Private for Data. For more information, see the topic Enabling synchronization with IBM StoredIQ in the IBM Cloud Private for Data product documentation.

      Username: The user name for authenticating to Information Server or IBM Cloud Private for Data when publishing IBM StoredIQ objects to the governance catalog.
      This user must be defined in Information Server with the following security roles:
      • Suite User
      • Common Metadata Administrator
      • Information Governance Catalog Information Asset Administrator

      In IBM Cloud Private for Data, this user must be defined with the Data Steward role.

      Password: The password of the user set with Username.
      Sync frequency (minutes): Data is periodically propagated to the governance catalog at the specified interval. The value must be a positive number of minutes. The default value is 15 minutes.
      StoredIQ instance name: The name identifying the IBM StoredIQ instance for which data is synchronized. This name can be freely chosen, but must be unique within the governance catalog instance.
  5. Optional: Select Enable FIPS mode at boot time to enable running your system in FIPS-compliant security mode. By default, FIPS mode is not enabled.
  6. Optional: Select Enable secure gateway communication to encrypt the communication between the application stack and the gateway.
    By default, the communication is in plain text and is not encrypted.

    Secure communication via stunnel can impact performance. Therefore, enable this setting only if your enterprise security policy mandates encryption of data in motion. If you do so, the IBM StoredIQ gateway and the data server must be configured accordingly. For more information, see Security. For additional guidance, contact IBM Support.

    You can change the enablement status at any time after the installation.

  7. Click Next.
    Important: For synchronization with the governance catalog to work, HTTPS must be enabled on the AppStack. Therefore, generate and install at least a self-signed certificate. HTTPS must also be enabled for IBM StoredIQ Cognitive Data Assessment to work.
  8. Optional: Within the Certificate configuration window, perform the procedure in its entirety to generate a self-signed SSL or TLS certificate.

    SSL or TLS certificates are used to establish secure communications. You can generate self-signed certificates, which should be used in test and development environments only, or certificates that are signed by an internal or a third-party certificate authority (CA). To avoid certificate trust issues, you should obtain and install a certificate signed by a third-party CA.

    To skip certificate configuration, tab to Exit and press Enter. The certificate can be configured at a later time by logging in as the siqadmin user and running this command: certcfg

    Important: Synchronization with the governance catalog requires a certificate to be installed. Therefore, do not skip certificate generation now if you enabled the synchronization.

    If you choose to generate a certificate, complete the steps of this procedure in the described sequence. In the wizard, use the Up and Down Arrow keys to navigate between options and the space bar to select an option.

    1. Generate a self-signed root certificate. Make sure that option 1 is selected and press Enter.
      The resulting certificate can be used as a certificate authority (CA).

      If you want to use a root certificate from a third party CA to sign your certificates, you can skip this step.

      The following table lists the configuration settings for a self-signed root certificate. Required settings are denoted by an asterisk. Edit the settings as required.

      Table 1. Creating self-signed root certificate
      Setting: Value
      Common Name *: The name of the certificate. You can use the prefilled value or choose a different name. However, make sure not to use the AppStack host name.
      Email Address *: The email address that is used in the certificate.
      Country (two-letter) *: An acceptable entry is an ISO-3166-1 alpha-2 code. A listing is available here.
      State/Province *
      City *
      Organization *
      Department *
      Key length: The length of the key to be created. The default value is 2048.
      Days to expiry *: The number of days before the certificate expires. The default value is 3650.
      Root key location *: The fully qualified file name of the root key file. This name can be freely chosen. If the file does not exist, it is created when the certificate is created. However, it is recommended to use the prefilled default file name.
      Root certificate location: The fully qualified file name of the root certificate file. This name can be freely chosen. If the file does not exist, it is created when the certificate is created. However, it is recommended to use the prefilled default file name.

      Click Next to proceed to creating a certificate-signing request.

    2. Create a certificate-signing request. Make sure that option 2 is selected and press Enter.
      Generate a certificate signing request (CSR) to be signed by a certificate authority. The process creates a key or uses a provided key and generates the CSR from it.

      The following table lists the settings for a certificate signing request. Required settings are denoted by an asterisk. Edit the settings as appropriate.

      Table 2. Creating certificate signing request
      Setting: Value
      Common Name *: The host name of the AppStack. It must match the domain of the URL that you use.
        Important: This value is prefilled. If you create a self-signed root certificate, make sure to change this value so that it is different from the common name of the root certificate (Table 1).
      Email Address *
      Country (two-letter) *: An acceptable entry is an ISO-3166-1 alpha-2 code. A listing is available here.
      State/Province *
      City *
      Organization *
      Department *
      Key length: The length of the key to be created. The default value is 2048.
      Key location *: The fully qualified file name of the key file. This name can be freely chosen. If the file does not exist, it is created when the certificate is created. However, it is recommended to use the prefilled default file name.
      Certificate request location *: The fully qualified file name of the CSR file. This name can be freely chosen. If the file does not exist, it is created when the request is created. However, it is recommended to use the prefilled default file name.

      Click Next to proceed to signing the certificate.

    3. Generate the signed certificate. Make sure that option 3 is selected and press Enter.
      Sign a certificate with a certificate-authority-eligible root certificate based on the certificate-signing request.

      The following table lists the settings for signing the certificate. All settings are required. Edit them as appropriate.

      Table 3. Signing request with root certificate
      Setting: Value
      Days to expire: The number of days before the certificate expires. The default value is 3650.
      Certificate request location: The fully qualified file name of the CSR to sign, as specified when creating the certificate signing request (Table 2).
      Certificate location: The fully qualified file name of the signed certificate. This name can be freely chosen. If the file does not exist, it is created when the certificate is created. However, it is recommended to use the prefilled default file name.
      Root key location: The fully qualified file name of the root key file, as specified when creating the self-signed root certificate (Table 1). Or, if you chose to use a root certificate signed by a third-party CA, the fully qualified file name of the respective root key file. However, it is recommended to create a copy of the third-party root key file with the default name assigned by IBM StoredIQ.
      Root certificate location: The fully qualified file name of the root certificate, as specified when creating the self-signed root certificate (Table 1). Or, if you chose to use a root certificate signed by a third-party CA, the fully qualified file name of the respective root certificate. However, it is recommended to create a copy of the third-party root certificate with the default name assigned by IBM StoredIQ.

      Click Next to proceed to updating the AppStack HTTPS certificate.

    4. Update the AppStack HTTPS certificate. Make sure that option 4 is selected and press Enter.
      Update the application stack to use the provided certificate and key for HTTPS access.

      The following table lists the settings for updating the certificate. These settings are required and are prefilled with the information from the previous steps. Do not change these settings.

      Table 4. Updating the AppStack HTTPS certificate
      Setting: Value
      Key location: The fully qualified file name of the key file.
      Certificate location: The fully qualified file name of the certificate.

      Click Finish to complete the certificate configuration.
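
Wizard options 1 to 3 above, reproduced with openssl as an added example (not IBM code, and not necessarily what certcfg runs internally), followed by checks worth running on the files before option 4 installs them. The host name, subject fields and file names are constructed; the key length and validity are the defaults from Tables 1 to 3.

```sh
#!/bin/sh
# Added example: openssl stand-ins for wizard options 1-3, plus pre-install checks.
# Host name, subject fields and file names are constructed for illustration.
set -eu

make_chain() {  # $1 = work dir, $2 = root Common Name, $3 = AppStack host name
  # Option 1: self-signed root (page defaults: 2048-bit key, 3650 days)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=US/O=Example/CN=$2" \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  # Option 2: server key and CSR; Common Name is the AppStack host name
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=US/O=Example/CN=$3" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  # Option 3: sign the CSR with the root key and certificate
  openssl x509 -req -in "$1/server.csr" -days 3650 \
    -CA "$1/root.crt" -CAkey "$1/root.key" -CAcreateserial \
    -out "$1/server.crt" 2>/dev/null
}

cn_of() {  # print the subject Common Name of certificate file $1
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

spki_hash() { openssl sha256 | sed 's/.*= *//'; }  # digest of a public key on stdin

check_chain() {  # $1 = work dir, $2 = AppStack host name; prints "ok" or the failed check
  # Table 1: the root Common Name must not be the AppStack host name
  [ "$(cn_of "$1/root.crt")" != "$2" ] || { echo root-cn-equals-hostname; return 1; }
  # Table 2: the server Common Name must match the host name used in URLs
  [ "$(cn_of "$1/server.crt")" = "$2" ] || { echo leaf-cn-mismatch; return 1; }
  # Option 3 result: the server certificate must chain to the root
  openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1 ||
    { echo chain-invalid; return 1; }
  # Option 4 input: the key must belong to the certificate being installed
  [ "$(openssl x509 -in "$1/server.crt" -noout -pubkey | spki_hash)" = \
    "$(openssl pkey -in "$1/server.key" -pubout | spki_hash)" ] ||
    { echo key-mismatch; return 1; }
  echo ok
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work" "Example StoredIQ Root CA" appstack.example.test
check_chain "$work" appstack.example.test
```

The root-name check runs first because a server certificate whose subject equals its issuer's subject is self-issued in RFC 5280 terms, which is the situation the Table 1 and Table 2 notes steer away from.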

Results

The application stack installation begins. When the installation is done, the virtual machine restarts to open a console login prompt. The installation and configuration of the application stack is complete.

What to do next

You can open a browser to log in to the IBM StoredIQ applications. In the address bar, enter the IP address or the host name that you configured in step 5 (the Corporate Network window). Remember to specify the address in the format https://IP_address or https://hostname if you enabled HTTPS in the Certificate configuration window. Use the credentials of the default administrative account for IBM StoredIQ Administrator if you log in for the first time: user ID superadmin, password admin.

If you want to enable IBM StoredIQ Cognitive Data Assessment, you can now run the AppStack configuration utility to do so. For more information, see Activating IBM StoredIQ Cognitive Data Assessment.