Installing the target system

On the target system, configure a cluster, create the necessary secrets, and install API Connect.

Before you begin

  • Complete Preparing the source system.
  • Ensure that any network route between the target installation and the source system is disabled. The target system must not be able to communicate with the source system.

About this task

Run the script to create the necessary secrets. If necessary, shutdown the Postgres database, and then install API Connect, either manually or by running the script.

Note: For data migration, you have the option of performing a complete migration at once, or performing migration in more than one step. To review these options, see v10 migration planning.


  1. Configure a target cluster either Kubernetes or OpenShift or Cloud Pak for Integration, where you intend to migrate the source system data.
    • Note that this configuration is for the cluster only. No API Connect software is installed yet.
    • Make sure KUBECONFIG is set to this target cluster, so you can access the cluster using oc or kubectl.
  2. Create the namespaces in the target cluster where you want the API Connect subsystems to run.
    • The namespaces can be different than the source system values.
    • If you have additional subsystems to be installed in different namespaces, create these namespaces also.
  3. Run to create the following secrets:
    • Database backup secrets for Management and Portal subsystems
    • Application credentials
    • Encryption secrets from the source system
    Usage examples:
    • If both Management and Portal are in the same namespace, or if Portal is not installed.
      python3 -n NAMESPACE
    • If both Management and Portal are in different namespaces:
      python3 -mgmt_ns <MGMT_NAMESPACE> -ptl_ns <PTL_NAMESPACE>
    • If you are creating multiple Portal subsystems in the target API Connect system, to match the configuration of the source system, you must run the script more than once for each Portal subsystem from the source system.

      The script detects that there are two Portal subsystems in the source system, and prompts you to select the subsystem name that matches the target Portal, as shown in the following commands:

      1. For Management and first Portal on the target system:
        python3 -mgmt_ns <MGMT_NAMESPACE> -ptl_ns <PTL_NAMESPACE1>
      2. For the second Portal on the target system:
        python3 -skip_mgmt -ptl_ns <PTL_NAMESPACE2>
  4. If applicable to your deployment, shutdown the Postgres database on your source system.

    You can shutdown the Postgres database now, to ensure that there are no delta changes to your source system while the remainder of the migration process takes place.

    Important: If s3 backup is being used for the Management subsystem in the source system, the postgres database MUST be shutdown before launching the target API Connect cluster. If it is not shutdown, the launch of the target apic cluster will fail.

    For steps to shutdown Postgres database on Kubernetes or OpenShift, see Shutting down the Postgres database.

  5. Launch the target API Connect system.
    1. Review prerequisites:
      • Have a new OpenShift cluster ready with enough resources (CPU, memory, and disk) as required for the installation profile you will use.
      • As needed, create an entitlement key to download the images related to API Connect.
      • The target system must match the topology (number of Gateways, Portals and Analytics) of the source system to ensure that all the data in the Management database is migrated. If all the data in the Management database is not migrated, the not migrated (stale) data must be manually deleted. Alternatively, you can attempt the remaining migration later after installing the additional Portals and Gateways. See v10 migration planning.
      Important: If s3 backup is being used for the Management subsystem in the target system, once the Management subsystem is ready, you will see that the backup job pods and stanza-create job pods are in Error state. This is expected behavior. Once management backup is restored, the error resolves and backups will work. Since the backup will not happen until the Management database is restored, it is very important to restore Management subsystem backup on the target system (see step 2 in Restoring the target system) immediately after installing the target system. Any delay can cause the disk to fill up with write-ahead log (WAL) files.

      To review how to monitor Postgres db disk usage, see:

    2. Launch the target API Connect system either manually or by using the script:

      • To manually launch from the OpenShift cluster UI:

        This method is the recommended way to launch the target API Connect system for production systems.

        This method is also used for advanced customization or when using custom certificates while launching the target API Connect system.

        • Install and launch the target API Connect cluster. See the instructions for your deployment type:
        • Before creating the top level CR, use the yaml view to add the properties which you saved from the source system configuration.

          For the Management subsystem, the saved configuration is in data/config.yaml. For the Portal subsystem, the saved configuration is in data/config_portal.yaml.

          Important: If you do not use the configuration from the source system, the migration fails.
          • Management subsystem properties:
            • encryptionSecret
            • Management subsystem name
            • site name
            • database backup credentials
            • custom application credentials
            • originalUID
          • Portal subsystem properties:
            • encryptionSecret
            • site name
            • database backup credentials
            • originalUID
          Note: If target system is Kubernetes, the properties must be in the Management and Portal subsystem CRs.
        • The top level CR must look like the following example. The values for this top CR are from the generated artifacts (data/config.yaml and data/config_portal.yaml) after running Preparing the source system. Note that the example shows a value for You can obtain this value from config.yaml.
          kind: APIConnectCluster
            name: c1
            namespace: test1
                enabled: true
                type: unique
              accept: true
              license: SOME_KEY
              use: nonproduction
              - name: atm-cred
                secretName: management-atm-cred
              - name: ccli-cred
                secretName: management-ccli-cred
              - name: cui-cred
                secretName: management-cui-cred
              - name: dsgr-cred
                secretName: management-dsgr-cred
              - name: juhu-cred
                secretName: management-juhu-cred
              - name: cli-cred
                secretName: management-cli-cred
              - name: ui-cred
                secretName: management-ui-cred
                credentials: ftp-mgmt-backup-secret
                host: SFTP_SERVER_HOST
                path: /root/backup/v10_management
                port: 22
                protocol: sftp
                  accept: false
                secretName: management-enc-key
              name: management 
              originalUID: d435b534-ce93-463a-9005-692c2af94df7
              siteName: be023200
                secretName: portal1-enc-key
              originalUID: 1adc672a-0e77-4890-b476-c41fcedb0b64
                credentials: ftp-mgmt-backup-secret
                path: /root/backup/portal1
                port: 22
                protocol: sftp
              siteName: cb06099f
            profile: n1xc7.m48
            storageClassName: rook-ceph-block
        • You can also use the script with -no_install flag to generate the top level CR yaml, and use the yaml in the OpenShift UI and customize further.
      • To launch using the script:
        The script is used to launch API Connect on OpenShift or API Connect with Cloud Pak for Integration using a top level CR that specifies one of each subsystem type:
        • Management
        • Developer Portal
        • Analytics
        • API Gateway
        • The OpenShift cluster must be ready, and accessible using oc.
        • Important: The script is used to launch ONLY the specific version of API Connect based on the downloaded version of the artifacts.


        • Run the script with --help option to show additional flags available like -production and -profile.
        • License use is set to nonproduction by default unless the flag -production is used while running this script.
        • The profile defaults to the one replica profile n1xc7.m48, to specify a different profile use the -profile flag. For details of the available profiles, see API Connect deployment profiles for OpenShift and Cloud Pak for Integration. The one replica profile deploys 1 replica of each pod and is only for light, non-critical workloads such as basic development and testing.
        • Optionally, you can use the -no_install flag if you want to generate the yaml files (top level CR and other files needed in installation) without installing. In the following example commands, add the -no_install flag to the existing command parameters. You can use this top level CR from the OpenShift UI, and create an API Connect cluster.
        • Note : If CP4I environment, check if configurator job is completed and also check the output of:
          oc get apiconnectcluster -n NAMESPACE

      Example command invocations:

      Note: Each of the example commands includes parameters for a three replica profile deployment: -production -profile n3xc16.m48. If you have a one replica profile, omit these parameters.
      • API Connect on OpenShift:
        • If the apiconnect and DataPower operators must be installed in all namespaces:
          python3 -license LICENSE_VALUE -n NAMESPACE -name topCRName -storageclass_apic STORAGE_CLASS_NAME -production -profile n3xc16.m48 
        • If the apiconnect and DataPower operators must be installed in a specific namespace:
          python3 -license LICENSE_VALUE -n NAMESPACE  -name topCRName -storageclass_apic STORAGE_CLASS_NAME  -operator_in_specific_namespace -production -profile n3xc16.m48 
      • API Connect in Cloud Pak for Integration:
        • If operators are in all namespaces:
          python3 -license LICENSE_VALUE1 -n NAMESPACE -name topCRName -storageclass_apic STORAGE_CLASS_NAME1 -cp4i -storageclass_pn STORAGE_CLASS_NAME2 -license_pn LICENSE_VALUE2 -production -profile n3xc16.m48 
        • If operators are in a specific namespace:
          python3 -license LICENSE_VALUE1 -n NAMESPACE -name topCRName -storageclass_apic STORAGE_CLASS_NAME1 -cp4i -storageclass_pn STORAGE_CLASS_NAME2 -license_pn LICENSE_VALUE2 -operator_in_specific_namespace -production -profile n3xc16.m48 
        • If operators are in all namespaces, with additional flags -production (for license to be set to production) and -profile (using n3 profile in this example):
          python3 -license LICENSE_VALUE1 -n NAMESPACE -name topCRName -storageclass_apic STORAGE_CLASS_NAME1 -cp4i -storageclass_pn STORAGE_CLASS_NAME2 -license_pn LICENSE_VALUE2 -production -profile n3xc16.m48
  6. Optional: Install any additional Gateways, Developer Portals, or Analytics subsystems that are needed.
    • Complete this step now if your target system will have additional Gateways, Developer Portals, or Analytics subsystems to match what is there in the source API Connect system, and you want to complete data migration for all subsystems in one pass through the procedures in Restoring the target system.
    • Skip this step now, and proceed to step 7 if either of the following cases are true:
      • If your target system will not need any additional Gateways, Developer Portals, or Analytics subsystems.
      • Your target system will have additional Gateways, Developer Portals, or Analytics subsystems but you want to first complete data migration based on the top CR installation (1 Management, 1 Portal, 1 Gateway, 1 Analytics), before you install any additional subsystems.
    Note: To review the data migration choices, see v10 migration planning.

    If you choose complete this step now, see:

  7. Next, restore the configuration from the source system. Continue with Restoring the target system.