Platform System Manager Operating System setup
Before you install the product, configure the disk partitions and optionally set up an encrypted partition or logical volume to encrypt all sensitive data on the Red Hat Enterprise Linux operating system.
Before you begin
Important:
- Complete these steps for the Platform System Manager Operating System.
- When you create the directories in the subsequent steps on the Platform System Manager Operating System, all directories must have 755 permission (read and execute for everyone).
Procedure
- Use the following procedure to complete the recommended disk partition encryption configuration steps:
- Create a physical volume on the two installation disk partitions, one for runtime and one for data:
pvcreate /dev/<disk1_name>
pvcreate /dev/<disk2_name>
- Create a volume group on each physical volume:
vgcreate <volume_group_name> /dev/<disk1_name>
vgcreate <volume_group_name_2> /dev/<disk2_name>
- Create a logical volume in each volume group:
lvcreate --size <size> --name <logical_volume_name> <volume_group_name>
lvcreate --size <size> --name <logical_volume_2> <volume_group_name_2>
- Install the LUKS package if it is not already installed.
yum install -y cryptsetup-luks
- Activate the LUKS module:
modprobe dm_crypt
- Verify the module is running:
lsmod | grep dm_crypt
If the module is not running, check the installation of the LUKS package.
- Change the logical volume to the LUKS format. This command will prompt you to enter a passphrase. Create a new passphrase and make a note of it. You will need to re-enter the passphrase later in the process.
cryptsetup luksFormat /dev/<volume_group_name>/<logical_volume_name>
- Name the LUKS logical volume, for example:
cryptsetup luksOpen /dev/<volume_group_name>/<logical_volume_name> luks-runtime
- Create an ext4 file system on the LUKS logical volume:
mkfs.ext4 /dev/mapper/luks-runtime
- Create the /etc/crypttab file and add the following line:
luks-runtime /dev/<volume_group_name>/<logical_volume_name> /root/<luks_key_name>.key
- Create the /root/<luks_key_name>.key file to store the passphrase you specified when you ran the cryptsetup luksFormat command. This is a text file with a single line containing only the passphrase.
- Add the password to the LUKS logical volume:
cryptsetup luksAddKey /dev/<volume_group_name>/<logical_volume_name> /root/<luks_key_name>.key
- Add the following line to the /etc/fstab file:
/dev/mapper/luks-runtime /cps-sw-runtime ext4 defaults 1 2
- Create the mount point and mount the LUKS logical volume:
mkdir /cps-sw-runtime
mount /cps-sw-runtime
- Verify the encryption is set up correctly:
cryptsetup status /dev/mapper/luks-runtime
- Repeat steps 1g. - 1i. for the second logical volume. Instead of creating a new crypttab file, add the following line for the second volume to the existing file:
luks-data /dev/<volume_group_name_2>/<logical_volume_2> /root/<luks_key_name_2>.key
- Repeat steps 1k. - 1o. to complete the setup of the second encrypted volume.
- You must use the following steps to perform bind-mounts from the runtime disk partition and the data disk partition. You must use these steps regardless of whether or not you performed the recommended steps to set up disk partition encryption.
Important: The examples used in the following steps are based on the recommended encryption approach. Your disk partitions and their bind-mount points can be different. You must use the bind-mount points as described in these steps.
- Run the following commands to create directories in the runtime directory that is mounted on the encrypted volume. Cloud Pak System Software for Power organizes the production code and data into a specific directory structure. You do not need to set up separate encryption, because the directories are bound to the encrypted partitions. Make sure the runtime encrypted partition is bound first.
mkdir -p /opt/ibm
mkdir -p /data
mkdir -p /home/iwd
mkdir -p /var/log/purescale
mkdir -p /cps-sw-runtime/opt/ibm
mkdir -p /cps-sw-runtime/data
mkdir -p /cps-sw-runtime/home/iwd
mkdir -p /cps-sw-runtime/var/log/purescale
- Run the following commands to bind-mount all of the directories to the corresponding mapping in /cps-sw-runtime:
mount --bind /cps-sw-runtime/opt/ibm /opt/ibm
mount --bind /cps-sw-runtime/data /data
mount --bind /cps-sw-runtime/home/iwd /home/iwd
mount --bind /cps-sw-runtime/var/log/purescale /var/log/purescale
- Run the following commands to add the bind-mount entries to the /etc/fstab file:
echo "/cps-sw-runtime/opt/ibm /opt/ibm none bind 0 0" >> /etc/fstab
echo "/cps-sw-runtime/data /data none bind 0 0" >> /etc/fstab
echo "/cps-sw-runtime/home/iwd /home/iwd none bind 0 0" >> /etc/fstab
echo "/cps-sw-runtime/var/log/purescale /var/log/purescale none bind 0 0" >> /etc/fstab
- Run the following commands to create directories in the data partition:
mkdir -p /data/system
mkdir -p /data/workload
mkdir -p /drouter
mkdir -p /cps-sw-data/data/system
mkdir -p /cps-sw-data/data/workload
mkdir -p /cps-sw-data/drouter
- Use the following commands to bind-mount all of the directories to the corresponding mapping in /cps-sw-data:
mount --bind /cps-sw-data/data/system /data/system
mount --bind /cps-sw-data/data/workload /data/workload
mount --bind /cps-sw-data/drouter /drouter
- Run the following commands to add the /cps-sw-data bind-mount entries below the /cps-sw-runtime bind-mount entries in the /etc/fstab file:
echo "/cps-sw-data/data/system /data/system none bind 0 0" >> /etc/fstab
echo "/cps-sw-data/data/workload /data/workload none bind 0 0" >> /etc/fstab
echo "/cps-sw-data/drouter /drouter none bind 0 0" >> /etc/fstab
- It is recommended that you restart your Red Hat Enterprise Linux operating system to verify the disk partition configuration. The following is an example of the contents of the /etc/fstab file after completing this procedure:
/dev/mapper/luks-runtime /cps-sw-runtime ext4 auto 1 2
/dev/mapper/luks-data /cps-sw-data ext4 auto 1 2
/cps-sw-runtime/opt/ibm /opt/ibm none bind 0 0
/cps-sw-runtime/data /data none bind 0 0
/cps-sw-runtime/home/iwd /home/iwd none bind 0 0
/cps-sw-runtime/var/log/purescale /var/log/purescale none bind 0 0
/cps-sw-data/data/system /data/system none bind 0 0
/cps-sw-data/data/workload /data/workload none bind 0 0
/cps-sw-data/drouter /drouter none bind 0 0
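Before the recommended restart, a consistency check of the files the encryption and bind-mount steps produced catches the usual mistakes: a crypttab volume with no fstab mount, a key file that is readable by other users (it holds the passphrase in clear text), or a /cps-sw-data bind entry placed above the LUKS mounts so that an empty directory is bound at boot. This is an added example, not part of the IBM documentation; it assumes the names used in the procedure (luks-*, /cps-sw-runtime, /cps-sw-data, /root/<name>.key), and the sample files it builds are constructed.

```shell
#!/bin/bash
# Added example (not from the IBM documentation): sanity-check the crypttab,
# fstab and LUKS key files the procedure above produces, before rebooting.
# ROOT is a path prefix so the check can run on a copy of the files ("" = live).
# check_layout ROOT: 0 when every crypttab volume is mounted by fstab, every key
# file exists with mode 0400/0600 (it holds the passphrase in clear text), and
# every bind entry's source lies under a LUKS mount listed earlier in fstab.
check_layout() {
    root=$1 rc=0
    while read -r name dev key rest; do
        case $name in ''|'#'*) continue ;; esac
        grep -q "^/dev/mapper/$name[[:space:]]" "$root/etc/fstab" ||
            { echo "crypttab: $name ($dev) is not mounted by fstab"; rc=1; }
        if [ ! -f "$root$key" ]; then
            echo "crypttab: key file $key for $name is missing"; rc=1
        elif ! stat -c %a "$root$key" | grep -qx '[46]00'; then
            echo "crypttab: key file $key must be mode 0400 or 0600"; rc=1
        fi
    done < "$root/etc/crypttab"
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 ~ /^\/dev\/mapper\/luks-/ { mounts[$2] = 1; next }
        $3 == "none" && $4 == "bind" {
            ok = 0
            for (m in mounts) if (index($1, m "/") == 1) ok = 1
            if (!ok) { printf "fstab line %d: bind source %s precedes its LUKS mount\n", NR, $1; bad = 1 }
        }
        END { exit bad }' "$root/etc/fstab" || rc=1
    return $rc
}
# make_sample DIR MODE: constructed copies of the files for a demonstration run.
# "good" follows the procedure; "bad" omits the luks-data mount, leaves a key
# file world-readable and lists a /cps-sw-data bind entry before the LUKS mounts.
make_sample() {
    mkdir -p "$1/etc" "$1/root"
    printf 'luks-runtime /dev/vg1/lv1 /root/runtime.key\nluks-data /dev/vg2/lv2 /root/data.key\n' > "$1/etc/crypttab"
    printf 'passphrase-placeholder\n' | tee "$1/root/runtime.key" > "$1/root/data.key"
    chmod 400 "$1/root/runtime.key" "$1/root/data.key"
    if [ "$2" = good ]; then
        printf '%s\n' '/dev/mapper/luks-runtime /cps-sw-runtime ext4 auto 1 2' \
            '/dev/mapper/luks-data /cps-sw-data ext4 auto 1 2' \
            '/cps-sw-runtime/opt/ibm /opt/ibm none bind 0 0' \
            '/cps-sw-data/data/system /data/system none bind 0 0' > "$1/etc/fstab"
    else
        chmod 644 "$1/root/data.key"
        printf '%s\n' '/cps-sw-data/data/system /data/system none bind 0 0' \
            '/dev/mapper/luks-runtime /cps-sw-runtime ext4 auto 1 2' > "$1/etc/fstab"
    fi
}
```

On the live system run `check_layout ""` as root; each reported line names the file and entry to correct.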
- Enable ipv6 if it is not already enabled. To enable ipv6, do these steps:
- Open the /etc/sysctl.conf configuration file.
- Comment out the following lines by putting a # at the beginning:
#net.ipv6.conf.all.disable_ipv6 = 1
#net.ipv6.conf.default.disable_ipv6 = 1
#net.ipv6.conf.lo.disable_ipv6 = 1
- Add the following three lines after the commented lines:
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
- Open the /etc/sysconfig/network file and do the following:
- Add NETWORKING_IPV6=yes to the end of the /etc/sysconfig/network file.
- Restart the network service to pick up the changes by running the systemctl restart network command.
- Enable iptables if firewalld is enabled. To enable iptables, run these commands:
systemctl disable firewalld
systemctl stop firewalld
yum install iptables-services
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables
What to do next
Install Cloud Pak System Software for Power.