Configuring an external PostgreSQL database for IM

Complete the following prerequisites to configure IM with the PostgreSQL database.

1. Make sure that you configure IM with the embedded or external EDB PostgreSQL database before you install or upgrade foundational services. You cannot migrate data from embedded PostgreSQL to external EDB PostgreSQL after you install or upgrade foundational services. For more information, see Configuring IM with the PostgreSQL database before installing or upgrading.
   • Although external PostgreSQL is compatible with foundational services, IBM does not provide support for external PostgreSQL, which is open source and has its own website and community.
2. Use your own external PostgreSQL 16 database for foundational services and the Zen database. For more information, see PostgreSQL.
   • IBM also provides a separate EDB Postgres Enterprise and Standard with IBM license for PostgreSQL. For more information, see EDB Postgres Enterprise and Standard with IBM and contact your IBM account team.

3. Set up the database server if you use new external database server. For more information, see Setting up an external PostgreSQL database server.

   You can skip this step if you already completed the setup for the external database server with all the certificates.

4. Configure Secure Sockets Layer (SSL) modes for IM. For more information, see Configuring SSL modes for IM.

5. You need to generate the following key files in the database server to configure IM to use PostgreSQL as a database:

   • client.crt
   • client.key
   • client_key.pem
   • client.pem
   • root.pem

   To generate the key files, see Generating key files for IM.

IM supports embedded and external PostgreSQL database. IM is configured with the embedded PostgreSQL database as default.

You can configure IM with PostgreSQL version 16 as the external database and use the SSL client-certificate authentication method.

You can configure IM with the require, verify-ca, and verify-full SSL modes. By default, IM is configured with the require SSL mode.

You can change the default SSL mode for IM with one of the following methods:

• To change the SSL mode with the OpenShift Container Platform console, complete the following steps:

  1. Log in to the OpenShift Container Platform console.

  2. From the navigation menu, click Workloads > Config Maps.

  3. Search for platform-auth-idp.

  4. Click ... > Edit Config Map.

  5. Update the DB_SSL_MODE parameter with verify-full or verify-ca SSL mode.

     apiVersion: v1
     kind: ConfigMap
     metadata:
       name: platform-auth-idp
       namespace: <your-foundational-service-namespace>
     data:
       DB_SSL_MODE: <ssl mode>
       DB_CONNECT_TIMEOUT: "60000"
       DB_IDLE_TIMEOUT: "10"
       DB_POOL_MAX_SIZE: "15"
       DB_POOL_MIN_SIZE: "5"
       DB_CONNECT_MAX_RETRIES: "5"
       SEQL_LOGGING: false
      

     Replace <ssl mode> with verify-full or verify-ca SSL mode parameters.

  6. Click Save.

  7. From the navigation menu, click Workloads > Deployments.

  8. Locate platform-auth-service.

  9. Click ... > Edit Deployment. A window for editing displays.

  10. Click Save without changes in the configmap to reload the platform-auth-service pods with the updated configmap values.

  11. Click platform-auth-service.

  12. Wait for some time. Then, check the status of the platform-auth-service pods in the Pods pane. The status of all the pods must show as 4/4 in the Ready field name.

  13. Repeat steps 8 through 13 for the platform-identity-provider and platform-identity-management pods.

• To change the SSL mode with the CLI, complete the following steps:

  Replace <your-foundational-services-namespace> in the commands with the namespace where you deployed the foundational services.

  1. Log in to your cluster with the oc login command.

  2. Edit the platform-auth-idp configmap.

     oc -n <your-foundational-services-namespace> edit configmap platform-auth-idp
      

  3. Change the following attribute values as required:

  4. Restart the platform-auth-service, platform-identity-management, and platform-identity-provider pods.

     1. Get the platform-auth-service, platform-identity-management, and platform-identity-provider pod names.

        oc -n <your-foundational-services-namespace> get pods | grep platform-auth-service
         

        oc -n <your-foundational-services-namespace> get pods | grep platform-identity-management
         

        oc -n <your-foundational-services-namespace> get pods | grep platform-identity-provider
         

     2. Delete the platform-auth-service, platform-identity-management, and platform-identity-provider pods.

        oc delete pod <platform-identity-management-pod-name> -n <your-foundational-services-namespace>
         

        oc delete pod <platform-auth-service-pod-name> -n <your-foundational-services-namespace>
         

        oc delete pod <platform-identity-provider-pod-name> -n <your-foundational-services-namespace>
         

  5. Wait for some time and then check the status of the platform-auth-service, platform-identity-management, and platform-identity-provider pods. The status of all platform-auth-service, platform-identity-management, and platform-identity-provider pods must show as Running.

     oc -n <your-foundational-services-namespace> get pods | grep platform-auth-service
      

     oc -n <your-foundational-services-namespace> get pods | grep platform-identity-management
      

     oc -n <your-foundational-services-namespace> get pods | grep platform-identity-provider
      

To configure IM with an external PostgreSQL database, generate the key files in the database server with the following steps:

• Login to an external database server and copy the key files to your target cluster.

  scp client.crt client.key client_key.pem client.pem root.pem root@<your_ocp_IPaddress>:/root
   

  Replace <your_ocp_IPaddress> with the Red Hat OpenShift Container Platform IP address.

• Export the following environment variables.

  export PGREQUIRESSL=require 
  export PGSSLCERT=client.crt 
  export PGSSLKEY=client.key 
   

• Download and enable PostgreSQL 16 on your target cluster.

  sudo dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm 
  sudo dnf -qy module disable postgresql 
  sudo dnf install -y postgresql16-server
   

• Test the PostgreSQL server connection.

  psql --host=<yourFyreClusterName>1.fyre.example.com --port=5432 --dbname=im --username=im_user -c "SELECT VERSION()" -c "SHOW ssl" -c "SHOW max_connections" -c "\list" -c "\dn" -c "\du"
   

  Replace <yourFyreClusterName> with your Fyre cluster name to specify the host name of the PostgreSQL server.

• Create the im-datastore-edb-secret secret.

  oc create secret generic im-datastore-edb-secret \
      --type=kubernetes.io/tls \
      --from-file=ca.crt=root.pem \
      --from-file=tls.crt=client.pem \
      --from-file=tls.key=client_key.pem \
      -n <your-foundational-service-operand-namespace>
   

  Replace <your foundational service operand namespace> with the namespace where you deployed the foundational services.

  You can update ca.crt, tls.crt, and tls.key parameters with the appropriate values.

• Verify that the certificates are stored in the secret.

  oc extract secret/im-datastore-edb-secret -n <your-foundational-service-operand-namespace> --to=- --keys=ca.crt | openssl x509 -noout -subject -issuer -startdate -enddate
  
  oc extract secret/im-datastore-edb-secret -n <your-foundational-service-operand-namespace> --to=- --keys=tls.crt | openssl x509 -noout -subject -issuer -startdate -enddate
   

  Replace <your foundational service operand namespace> with the namespace where you deployed the foundational services.

• Create the im-datastore-edb-cm configmap.

  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: im-datastore-edb-cm
    namespace: <your-foundational-service-operand-namespace>
  data:
    DATABASE_CA_CERT: ca.crt
    DATABASE_CLIENT_CERT: tls.crt
    DATABASE_CLIENT_KEY: tls.key
    DATABASE_NAME: im
    DATABASE_PORT: "5432"
    DATABASE_R_ENDPOINT: sertexternaledb16x1.fyre.example.com
    DATABASE_RW_ENDPOINT: sertexternaledb16x1.fyre.example.com
    DATABASE_SCHEMA: public
    DATABASE_USER: im_user
    IS_EMBEDDED: 'false'  
   

  Replace <your foundational service operand namespace> with the namespace where you deployed the foundational services.

  You can update the DATABASE_R_ENDPOINT, DATABASE_RW_ENDPOINT, DATABASE_USER, and DATABASE_NAME parameters with the appropriate values.

• Apply the im-datastore-edb-cm configmap.

  oc apply -f im-datastore-edb-cm.yaml
   

• Create a operand-request.yaml file with the following definitions:

  apiVersion: operator.ibm.com/v1alpha1
  kind: OperandRequest
  metadata:
    name: common-service
    namespace: $<your-foundational-services-namespace>
  spec:
    requests:
      - operands:
          - name: ibm-im-operator
          - name: ibm-events-operator
          - name: ibm-platformui-operator
          - name: cloud-native-postgresql
        registry: common-service
        registryNamespace: $<your-foundational-services-namespace>
   

  Replace <your foundational service namespace> with the namespace where you deployed the foundational services.

• Verify that the platform-auth-service, platform-identity-management, and platform-identity-provider pods are running. Ensure that the common-service-db cluster is not created and its pods are not running.