Installing IBM Suite License Service on premises

The Suite License Service (SLS) stores and manages the Maximo® Application Suite license.

Each Maximo Application Suite instance can be connected to a unique SLS instance. Two or more Maximo Application Suite instances can also share an SLS and the corresponding license file. However, if you do share SLS between Maximo Application Suite instances, ensure that you keep track of your AppPoint usage, as the AppPoint pool is shared between both instances in this scenario.

Tip: This task maps to the following Ansible role: sls. For more information, see IBM Maximo Application Suite installation with Ansible collection.

Installing by using the Red Hat OpenShift Container Platform web console

Before you begin

Ensure that the following default ciphers for Java™ are supported when you enable Federal Information Processing Standard (FIPS).

sh-4.4$ java -Dsemeru.fips=true Ciphers
Default Cipher
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

About this task

Procedure

From Home > Projects, click the Create Project button, enter the name ibm-sls and click Create to provision the new namespace for SLS.

In the banner, click Import YAML (

). Enter the following YAML.


---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: sls-mongo-credentials
  namespace: ibm-sls
stringData:
  username: $MONGODB_USERNAME
  password: $MONGODB_PASSWORD

Replace the variables:

$MONGODB_USERNAME: The MongoDB administrator user name.
$MONGODB_PASSWORD: The MongoDB administrator password.

To get the MongoDB username and password, run the following commands:


oc get secret -n $MONGODB_NAMESPACE mas-mongo-ce-admin-admin -o jsonpath="{.data.username}" | base64 -d ; echo


oc get secret -n $MONGODB_NAMESPACE mas-mongo-ce-admin-admin -o jsonpath="{.data.password}" | base64 -d ; echo

Replace $MONGODB_NAMESPACE with the namespace where your MongoDB was installed to.

Click the Create button to create the secret containing the MongoDB connection credentials.
Create a docker secret that is named ibm-entitlement containing your entitlement key for the IBM Entitled Registry:
```
oc -n ibm-sls create secret docker-registry ibm-entitlement --docker-server=cp.icr.io --docker-username=cp --docker-password=$ER_KEY
```
Replace $ER_KEY with your entitlement key that you obtain from the IBM Container Library.
From Operators > OperatorHub, type Suite License Service as a keyword into the filter text box.
Click the IBM Suite License Service tile.
From the IBM Suite License Service tile page, click Install.
Accept the default values for Update Channel and Installation Mode. Enable the Select a Namespace radio button and enter ibm-sls as the target namespace to install SLS.

Note: For system stability, consider setting the Installation Mode to manual so that SLS updates are not automatically applied as they become available. In addition, you can also set the starting CSV to a specific value to ensure that the version you install is the intended version.
Click Install.
Verify that the SLS operator pod ibm-sls-controller-manager in the ibm-sls namespace is in Ready state.
From Operators > Installed Operators, switch to the ibm-sls namespace and select the IBM Suite License Service operator.
From the Operator Details page, click Create instance.

Select configure by using the YAML view and enter the following YAML:


---
apiVersion: sls.ibm.com/v1
kind: LicenseService
metadata:
  name: sls
  namespace: ibm-sls
spec:
  domain: $DOMAIN
  settings:
    auth:
      enforce: true
    compliance:
      enforce: true
    registry: cp.icr.io/cp
    registration:
      open: true
  license:
    accept: true
  mongo:
    configDb: admin
    nodes:
      - host: "mas-mongo-ce-0.mas-mongo-ce-svc.$MONGO_NAMESPACE.svc.cluster.local"
        port: 27017
      - host: "mas-mongo-ce-1.mas-mongo-ce-svc.$MONGO_NAMESPACE.svc.cluster.local"
        port: 27017
      - host: "mas-mongo-ce-2.mas-mongo-ce-svc.$MONGO_NAMESPACE.svc.cluster.local"
        port: 27017
    retryWrites: true
    secretName: sls-mongo-credentials

Replace the variables:

$DOMAIN: This domain can be obtained by performing the following steps:
Go to Search > Resources and look for Ingress. Select the config.openshift.io/v1 Ingress returned. Click cluster. Go to the YAML tab and get the value of spec.domain. For example:
Sample output
jcdoccluster02-6f1620198115433da1cac8216c06779b-0000.us-south.containers.appdomain.cloud
$MONGO_NAMESPACE: The namespace where your MongoDB was installed to.
As a best practice, you can also put the Mongo CA certificate in the YAML so that SLS knows the trusted endpoints.

On the Home > Search page, select the ibm-sls project and search for the resource type LicenseService. Click the sls instance to see its details.

Suite License Service API is ready. GET https://sls.ibm-sls.svc/api/entitlement/config rc=200. After you upload your license, SLS will be initialized.

Installing by using the OpenShift command-line interface (CLI)

Procedure

Create the new project ibm-sls for SLS use:
```
oc new-project ibm-sls
```
Query the MongoDB admin password information in the cluster:
```
oc get secret -n $MONGODB_NAMESPACE mas-mongo-ce-admin-admin -o jsonpath="{.data.username}" | base64 -d ; echo
```
```
oc get secret -n $MONGODB_NAMESPACE mas-mongo-ce-admin-admin -o jsonpath="{.data.password}" | base64 -d ; echo
```
Replace $MONGODB_NAMESPACE with the namespace where your MongoDB was installed to.

Take note of the values of the username and password returned by the commands. They should be used as the values for $MONGODB_USERNAME and $MONGODB_PASSWORD respectively in the next commands.
Create the YAML file sls-mongo-credentials.yaml which will contain the MongoDB administrator user name and password information for the SLS service to access MongoDB:
```
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: sls-mongo-credentials
  namespace: ibm-sls
stringData:
  username: $MONGODB_USERNAME
  password: $MONGODB_PASSWORD
```
Replace the variables:
- $MONGODB_USERNAME: The MongoDB administrator user name.
- $MONGODB_PASSWORD: The MongoDB administrator password.
Run this command to create the secret.
```
oc apply -f sls-mongo-credentials.yaml
```
Create a docker secret that is named ibm-entitlement containing your entitlement key for the IBM Entitled Registry:
```
oc -n ibm-sls create secret docker-registry ibm-entitlement --docker-server=cp.icr.io --docker-username=cp --docker-password=$ER_KEY
```
Replace $ER_KEY with your entitlement key that you obtain from the IBM Container Library.
Confirm if you have an OperatorGroup already configured for the ibm-sls namespace.
Replace $MAS_INSTANCE_ID by the same value you used in the previous steps.
1. Go to Home/Search > Resources, select the ibm-sls namespace in the Project field and look for OperatorGroup and Click it.
2. If you see an operator group listed, you can skip this step and go to the next step.
3. If you do not see an operator group listed, create a slsopgroup.yaml file with the following content:
```
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: ibm-sls-operator
  namespace: ibm-sls
spec:
  targetNamespaces:
    - ibm-sls
```
4. Apply the slsopgroup.yaml file to the OpenShift cluster:
```
oc apply -f slsopgroup.yaml
```
Create the SLS subscription YAML file sls-sub.yaml to install the SLS operator:
```
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ibm-sls
  namespace: "ibm-sls"
spec:
  channel: "3.x"
  installPlanApproval: Automatic
  name: ibm-sls
  source: ibm-operator-catalog
  sourceNamespace: openshift-marketplace
```
Note: If you want to install a specific version of this Maximo Application Suite dependency operator, you must add the spec.startingCSV element to the YAML file and set the installPlanApproval value to Manual.
The value of startingCSV varies depending on your environment. Each dependency might set this value differently. Ensure that you review the dependencies so that you can specify the exact names and version numbers that you want to use.
For example, to set the previously-released version 1.0.1 of Service Binding Operator, instead of the latest version, you set:
- installPlanApproval: Manual
- startingCSV: service-binding-operator.v1.0.1
For more information, see Example: Install a specific version of an Operator.
Apply the sls-sub.yaml file to the OCP cluster:
```
oc apply -f sls-sub.yaml
```

Verify that the SLS operator and its dependent trust manager operator are installed successfully:


oc get pods -n ibm-sls

Sample output

NAME                                                    READY   STATUS      RESTARTS   AGE
ibm-sls-controller-manager-b98d5fd66-f2l6m              1/1     Running     0          9h
ibm-truststore-mgr-controller-manager-7fd7447d7-n5hv9   1/1     Running     0          9h

Obtain the domain value to be used in the SLS license service instance creation by running the following command:
```
oc get Ingress.config cluster -o jsonpath='{.spec.domain}'; echo
```
Note: The result should be used to replace the value of the variable $DOMAIN in the commands of the next steps.

Create the SLS license service instance YAML file sls-cr.yaml:


---
apiVersion: sls.ibm.com/v1
kind: LicenseService
metadata:
  name: sls
  namespace: ibm-sls
spec:
  domain: $DOMAIN
  settings:
    auth:
      enforce: true
    compliance:
      enforce: true
    registry: cp.icr.io/cp
    registration:
      open: true
  license:
    accept: true
  mongo:
    configDb: admin
    nodes:
      - host: "mas-mongo-ce-0.mas-mongo-ce-svc.$MONGO_NAMESPACE.svc.cluster.local"
        port: 27017
      - host: "mas-mongo-ce-1.mas-mongo-ce-svc.$MONGO_NAMESPACE.svc.cluster.local"
        port: 27017
      - host: "mas-mongo-ce-2.mas-mongo-ce-svc.$MONGO_NAMESPACE.svc.cluster.local"
        port: 27017
    retryWrites: true
    secretName: sls-mongo-credentials

Replace the variables:

$DOMAIN: The domain value that was obtained in a previous step.
$MONGO_NAMESPACE: The namespace where your MongoDB was installed to.
As a best practice, you can also put the Mongo CA certificate in the YAML so that SLS knows the trusted endpoints.

Apply the sls-cr.yaml file to the Red Hat® OpenShift® cluster:
```
oc apply -f sls-cr.yaml
```

Verify the SLS instance status:


oc get licenseservice sls -n ibm-sls -o jsonpath='{.status.conditions[0].message} {"\n"}'

Sample output

Suite License Service API is ready. GET https://sls.ibm-sls.svc/api/entitlement/config rc=200