Refresh the solution namespace whenever cluster certificates are updated

Whenever you replace the security certificates in the OpenShift Container Platform cluster, you must refresh the IBM® Security Center for Z namespace to use the new certificates. This standard maintenance procedure ensures that IBM Security Center for Z uses the correct certificates.

Before you begin

Ensure that you are logged in to Red Hat OpenShift Container Platform (RHOCP). If you are not already logged in to the Red Hat OpenShift cluster, complete the following steps:
  1. Log in to the Red Hat OpenShift Container Platform web console for your cluster. Then, click your user name in the upper-right corner, and click Copy Login Command.
  2. In the new browser tab that opens, click Display Token. Then, copy the command that is displayed under Log in with this token.
  3. In a command line, paste the command that you copied in the preceding step to log in to Red Hat OpenShift Container Platform.

    It is assumed that the OpenShift Container Platform command-line interface (CLI) is installed in a directory that is in your PATH. The CLI is installed when you download the Red Hat OpenShift CLI binary. For more information, see Getting started with the OpenShift CLI.

    Tip: To verify that the CLI is installed, enter the following command:
    oc version

About this task

By default, Red Hat OpenShift Container Platform (RHOCP) issues certificates that are valid for the applications that run in the OpenShift Container Platform cluster. IBM Security Center for Z uses these certificates as well.

Whenever your installation updates the OpenShift Container Platform cluster certificates, you must delete and restart the IBM Security Center for Z instance (in the ibmz-scc namespace). This standard maintenance procedure ensures that the existing tls-credentials secret, which contains the outdated certificates, is recreated with the new certificates. If this action is not taken, IBM Security Center for Z cannot perform new scans until the outdated certificates are replaced.

To perform this procedure, you will delete the IBM Security Center for Z instance, then restart it. The newly created pods will use the updated secret. This action does not result in any data loss; persistent storage is not changed.

This activity requires that you log in to Red Hat OpenShift Container Platform with the cluster-admin user role. That is, you log in to the cluster through the command line under a user identity that is bound to the cluster-admin ClusterRole. If you are assigned another role, ask a user with the cluster-admin role to grant you access or to add you to a group that has cluster-admin privileges. Only a user with the cluster-admin role can grant other users cluster-admin access.

Procedure

  1. Log in through the OpenShift Container Platform command-line interface (CLI).
    This action can be done from any remote host.
    For more information, see Getting started with the OpenShift CLI.
  2. Delete the custom resource instance.
    oc delete zsccs.zscc.ibm.com ibmz-scc -n ibmz-scc
    Note: Do not delete the namespace. For example, do not use the command oc delete -f zscc-deployment.yaml because it deletes the namespace.
  3. Reapply the deployment YAML file.
    oc apply -f zscc-deployment.yaml

What to do next

Wait for all the pods to be up and running, which takes around 5 to 10 minutes.

Then, verify that the IBM Security Center for Z solution is installed by running the following command:
oc get pods -n ibmz-scc
The command output should appear as shown in the following example. For simplicity, the example omits several columns that would be included in the actual output, such as RESTARTS and AGE.

NAME                    READY   STATUS
keycloak-xxxx           1/1     Running
postgres-0              1/1     Running
scp-alembic-xxxx        0/1     Completed
scc-controller-xxxx     1/1     Running
scc-ui-xxxx             1/1     Running
Check for the following:
  • A total of 5 pods are created. In the example, xxxx stands for the random string that is appended to each pod name.
  • READY and STATUS values appear as shown.
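The check described above, automated as an added example that is not part of the IBM documentation: a POSIX-shell function that reads the oc get pods output and accepts the namespace only when all 5 pods are in the expected READY and STATUS state. The pod names, the pod count and the Completed state of the scp-alembic pod follow the page; the random name suffixes in the samples are constructed.

```shell
# Added example, not from the IBM documentation: checks "oc get pods -n ibmz-scc"
# output after the namespace has been refreshed. The pod names, the 5-pod count
# and the Completed scp-alembic pod follow the page; the suffixes are constructed.

check_scc_pods() {
    # Reads "oc get pods -n ibmz-scc" lines from stdin (header line optional).
    # Returns 0 only when exactly 5 pods are listed and each is healthy: the
    # alembic pod must be Completed, all others Running with READY of the form n/n.
    total=0
    bad=0
    while read -r name ready status _rest; do
        case "$name" in ""|NAME) continue ;; esac
        total=$((total + 1))
        case "$name" in
            scp-alembic-*)
                if [ "$status" != "Completed" ]; then
                    echo "NOT READY: $name is $status (expected Completed)"
                    bad=$((bad + 1))
                fi ;;
            *)
                if [ "$status" != "Running" ] || [ "${ready%/*}" != "${ready#*/}" ]; then
                    echo "NOT READY: $name READY=$ready STATUS=$status"
                    bad=$((bad + 1))
                fi ;;
        esac
    done
    if [ "$total" -ne 5 ]; then
        echo "expected 5 pods in ibmz-scc, found $total"
        return 1
    fi
    [ "$bad" -eq 0 ]
}

# Constructed sample of a healthy namespace (RESTARTS and AGE omitted, as on the
# page). On a live cluster, pipe the real command:  oc get pods -n ibmz-scc | check_scc_pods
HEALTHY='keycloak-7c9d8 1/1 Running
postgres-0 1/1 Running
scp-alembic-k2m4 0/1 Completed
scc-controller-5f6a 1/1 Running
scc-ui-9b1c 1/1 Running'

# Constructed sample taken while keycloak is still starting; the check must fail.
STARTING='keycloak-7c9d8 0/1 ContainerCreating
postgres-0 1/1 Running
scp-alembic-k2m4 0/1 Completed
scc-controller-5f6a 1/1 Running
scc-ui-9b1c 1/1 Running'
printf '%s\n' "$HEALTHY" | check_scc_pods && echo "healthy sample: all 5 pods ready"
printf '%s\n' "$STARTING" | check_scc_pods || echo "starting sample: keep waiting"
```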