Online install of Infrastructure Automation for IBM Cloud Pak for Watson AIOps

Follow these steps to complete an online install of Infrastructure Automation for use with IBM Cloud Pak for Watson AIOps.

Infrastructure automation is included with IBM Cloud Pak® for Watson AIOps. If you have a license for IBM Cloud Pak® for Watson AIOps, you are entitled to install and use Infrastructure automation. You can do the online installation of Infrastructure Automation once you have installed AI Manager.

This section explains the different steps and procedures you need to follow for the online installation of Infrastructure Automation for IBM Cloud Pak for Watson AIOps.

Before you begin

Confirm your environment meets the requirements for Infrastructure Automation and your chosen installation method:

  • Review the Planning section.

    Important: The storageClass and storageClassLargeBlock that are used for creating the IBM Cloud Pak for Watson AIOps custom resource must have the same value as the storageClass and storageClassLargeBlock that are used for creating the Infrastructure Automation custom resource.

  • Make sure that your system meets the minimum requirements for installing IBM Cloud Pak for Watson AIOps and for installing Infrastructure Automation. For instance, your architecture must be AMD64.

Note: The display names of some OpenShift console components, such as window titles and push buttons, vary between OpenShift versions. The following instructions are based on OpenShift version 4.8 console components.

Installation steps

At a high level, an installation of Infrastructure Automation consists of the following steps:

  1. Install IBM Cloud Pak for Watson AIOps
  2. Install the Infrastructure Automation operator
  3. Create the custom resource for Infrastructure Automation
  4. Verify the install
  5. Create an EgressNetworkPolicy
  6. Log in to the IBM Cloud Pak Automation console
  7. Deploying Infrastructure management
  8. Assign user roles and permissions

1. Install IBM Cloud Pak for Watson AIOps

It is recommended that you install IBM Cloud Pak for Watson AIOps before you install Infrastructure Automation. If Infrastructure Automation is already installed in your cluster, you can install IBM Cloud Pak for Watson AIOps in the same cluster. The following steps install IBM Cloud Pak for Watson AIOps first.

Important: IBM Cloud Pak for Watson AIOps and Infrastructure Automation must be installed in the same namespace. Installing IBM Cloud Pak for Watson AIOps and Infrastructure Automation in separate namespaces is not supported.

You can install IBM Cloud Pak for Watson AIOps by using either the command-line interface (CLI) or the console. If your cluster is connected to the internet, you can install IBM Cloud Pak for Watson AIOps by using the Red Hat® OpenShift® Container Platform console or the CLI. Choose one of the following topics.

2. Install the Infrastructure Automation operator

For more information about operators, see Adding Operators to a cluster in the Red Hat OpenShift documentation.

  1. Log in to your OpenShift cluster's console.

  2. Click Operators > OperatorHub. The OperatorHub page is displayed.

  3. In the All Items field, enter IBM Infrastructure Automation. The Infrastructure Automation operator is displayed.

  4. Click the IBM Infrastructure Automation tile. The IBM Infrastructure Automation window is displayed.

  5. Click Install. The Install Operator page is displayed.

  6. Enter the following values:

    • Set the Namespace to be the project (namespace) in which to install the Operator, such as cp4waiops.
    • Set Update Channel to v4.1.
    • Set Approval Strategy to Automatic.
  7. Click Install and wait for the IBM Infrastructure Automation operator to install.

  8. Verify that the IBM Infrastructure Automation is successfully installed.

    Navigate to Operators > Installed Operators, and select your project from the Projects dropdown. IBM Infrastructure Automation and its dependent operators in the project are listed with a status of Succeeded.

Important: IBM Cloud Pak for Watson AIOps and Infrastructure Automation must be installed in the same namespace. Installing IBM Cloud Pak for Watson AIOps and Infrastructure Automation in separate namespaces is not supported.

3. Create the custom resource for Infrastructure Automation

You can create the Infrastructure Automation custom resource with the default set of values, or customize these values before you create it.

You would typically change the default values of the Infrastructure Automation custom resource if you plan to change one or more of the following Managed services settings during the installation of Managed services:

1. Create Infrastructure Automation custom resource with customization

The following command creates an instance of the Infrastructure Automation custom resource called IAConfig with customizations for Managed services. Your customization parameters must be placed under the spec.manageservice section of the ibm-management-cam-install component, as shown in the YAML that follows. The install parameters that can be customized, along with their default values, are listed on the Managed services installation parameters page.

cat << EOF | oc apply -f -
kind: IAConfig
apiVersion: aiops.ibm.com/v1alpha1
metadata:
  name: ibm-ia-installer
  namespace: cp4waiops
spec:
  imagePullSecret: ibm-entitlement-key
  infraAutoComposableComponents:
  - enabled: <Set to true to install Infrastructure Management component of Infrastructure Automation, false otherwise>
    name: ibm-management-im-install
    spec: {}
  - enabled: <Set to true to install Managed services component of Infrastructure Automation, false otherwise>
    name: ibm-management-cam-install
    spec:
      manageservice:
        <Set your custom installation parameter values>
  license:
    accept: <Set true to accept the license>
  storageClass: <Storage Class name that supports RWX>
  storageClassLargeBlock: <Select a storage class with a large block size (for example, 64k)>
EOF

2. Create Infrastructure Automation custom resource with default values

Run the following command to create an instance of the Infrastructure Automation custom resource called IAConfig. The install parameters and their default values are listed on the Managed services installation parameters page.

cat << EOF | oc apply -f -
kind: IAConfig
apiVersion: aiops.ibm.com/v1alpha1
metadata:
  name: ibm-ia-installer
  namespace: cp4waiops
spec:
  imagePullSecret: ibm-entitlement-key
  infraAutoComposableComponents:
  - enabled: <set to true to install Infrastructure Management component of Infrastructure Automation, false otherwise>
    name: ibm-management-im-install
    spec: {}
  - enabled: <set to true to install Managed services component of Infrastructure Automation, false otherwise>
    name: ibm-management-cam-install
    spec: {}
  license:
    accept: <set true to accept the license>
  storageClass: <Storage Class name that supports RWX>
  storageClassLargeBlock: <Select a storage class with a large block size (for example, 64k)>
EOF

After a few minutes, verify that the Infrastructure Automation operator is installed in the cp4waiops project (namespace) with the following command:

oc get pods -n cp4waiops | grep ibm-infrastructure-automation-operator-controller-manager

4. Verify the install

After a few minutes, run the following command to verify that your deployment is successful.

oc get iaconfigs.aiops.ibm.com -A

Example output:

NAME               PHASE        VERSION   STORAGECLASS   STORAGECLASSLARGEBLOCK   AGE
ibm-ia-installer   Running      4.1.1     rook-cephfs    rook-ceph-block          8m44s

5. Create an EgressNetworkPolicy

There is no egress firewall policy defined when you install IBM Cloud Pak for Watson AIOps, so outgoing traffic from workload pods to the internal and external network is unrestricted.

If you require a more secure environment, then use the following steps.

  1. Create an EgressNetworkPolicy on your OpenShift cluster to limit egress from the IBM Cloud Pak for Watson AIOps project (namespace).

    For information on creating an EgressNetworkPolicy, see Configuring an egress firewall for a project.

    Note: There must be only one EgressNetworkPolicy per project (namespace).

  2. Configure exceptions to the EgressNetworkPolicy.

    You must edit your EgressNetworkPolicy to add exceptions for the IBM Cloud Pak for Watson AIOps components that have egress dependencies; otherwise, those components fail when they attempt egress.

  3. Allow egress to any external services, such as the following connections:

    • Kubernetes
    • GitHub
    • MS Teams
    • ServiceNow
    • Slack
    • VMware vCenter
    • Public clouds

    Examples of public clouds are:

    • IBM Cloud
    • Amazon EC2
    • Microsoft Azure
    • Google Cloud
    • others
  4. Configure your EgressNetworkPolicy to allow traffic for your GitHub, Kubernetes, ServiceNow, and VMware vCenter connections.

    Edit your EgressNetworkPolicy to allow or deny egress, as in the following example:

    apiVersion: network.openshift.io/v1
    kind: EgressNetworkPolicy
    metadata:
      name: default
    spec:
      egress:
      - type: Allow
        to:
          cidrSelector: <1.2.3.0/24>
      - type: Allow
        to:
          dnsName: <www.github.com>
      - type: Allow
        to:
          dnsName: <www.developer.kubernetes.com>
      - type: Allow
        to:
          dnsName: <www.developer.servicenow.com>
      - type: Allow
        to:
          dnsName: <www.developer.vcenter.com>
      - type: Deny
        to:
          cidrSelector: <0.0.0.0/0>

    Where the values you enter for dnsName and cidrSelector are the DNS names and addresses of your GitHub, Kubernetes, ServiceNow or VMware vCenter sources.

Note: If you have any restrictive EgressNetworkPolicies in place, ensure that they are updated to allow for this outbound connection. You can manage your cloud connections. For more information, see Managing connections. You can also manage your Infrastructure Management Providers. For more information, see Managing Providers.
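Because egress rules are evaluated top to bottom with the first match winning, the position of the final Deny decides whether the policy above actually closes egress. The following is an added example, not code from this documentation or from IBM or Red Hat: a pre-apply check that reads the policy as a plain dict (what yaml.safe_load returns) and reports unreplaced placeholders, a missing catch-all Deny, and rules that can never match because they follow it. The two sample policies it embeds are constructed.

```python
"""Sanity checks for an OpenShift EgressNetworkPolicy before it is applied.

Added example for the egress step above; it is not IBM or Red Hat code.
Egress rules are evaluated top to bottom and the first match wins, so any
rule after a catch-all Deny is unreachable; without a final catch-all Deny,
unmatched traffic is allowed; and angle-bracket placeholders such as
<www.github.com> must be replaced. The policy is passed as a plain dict,
so PyYAML is not needed. The sample policies are constructed.
"""
import ipaddress
import re

PLACEHOLDER = re.compile(r"^<.*>$")

# Constructed: allow a vCenter subnet and GitHub, deny everything else.
GOOD_POLICY = {
    "apiVersion": "network.openshift.io/v1",
    "kind": "EgressNetworkPolicy",
    "metadata": {"name": "default", "namespace": "cp4waiops"},
    "spec": {"egress": [
        {"type": "Allow", "to": {"cidrSelector": "192.0.2.0/24"}},
        {"type": "Allow", "to": {"dnsName": "github.com"}},
        {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
    ]},
}

# Constructed: placeholder left in, apiVersion missing, and a rule that can
# never match because it follows the catch-all Deny.
BAD_POLICY = {
    "kind": "EgressNetworkPolicy",
    "metadata": {"name": "default"},
    "spec": {"egress": [
        {"type": "Allow", "to": {"dnsName": "<www.github.com>"}},
        {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
        {"type": "Allow", "to": {"dnsName": "example.service-now.com"}},
    ]},
}


def _is_catch_all(rule):
    """True when cidrSelector covers every address (0.0.0.0/0 or ::/0)."""
    cidr = rule.get("to", {}).get("cidrSelector", "")
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_egress_policy(policy):
    """Return a list of findings; an empty list means the policy looks sane."""
    findings = []
    if policy.get("kind") != "EgressNetworkPolicy":
        findings.append("kind must be EgressNetworkPolicy")
    if policy.get("apiVersion") != "network.openshift.io/v1":
        findings.append("apiVersion should be network.openshift.io/v1")
    rules = policy.get("spec", {}).get("egress", [])
    if not rules:
        findings.append("spec.egress is empty: all egress is allowed")
        return findings
    deny_all_seen = False
    for idx, rule in enumerate(rules):
        to = rule.get("to", {})
        target = to.get("dnsName") or to.get("cidrSelector") or ""
        if rule.get("type") not in ("Allow", "Deny"):
            findings.append(f"rule {idx}: type must be Allow or Deny")
        if not target:
            findings.append(f"rule {idx}: needs a dnsName or cidrSelector")
        elif PLACEHOLDER.match(target):
            findings.append(f"rule {idx}: placeholder {target} not replaced")
        if deny_all_seen:
            findings.append(f"rule {idx} ({rule.get('type')} {target}) is "
                            "unreachable: it follows the catch-all Deny")
        if rule.get("type") == "Deny" and _is_catch_all(rule):
            deny_all_seen = True
    if not deny_all_seen:
        findings.append("no final 'Deny 0.0.0.0/0' rule: unmatched egress "
                        "is allowed")
    return findings


if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_egress_policy(pol) or ["ok"])
```

Run it as a gate before oc apply: a rule placed after the catch-all Deny is silently dead, and a policy without one leaves unmatched egress open, which is exactly the state this step sets out to change.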

6. Log in to the IBM Cloud Pak Automation console

  1. Find the password for the admin username by running the following command:

    oc -n ibm-common-services get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' | base64 -d
    
  2. Find the URL to access the IBM Cloud Pak Automation console with the following command.

    oc get route -n cp4waiops cpd -o jsonpath='{.spec.host}'
    

    The following output is a sample output:

    cpd-cp4waiops.apps.mycluster.mydomain
    

    Based on the sample output, your console URL would be https://cpd-cp4waiops.apps.mycluster.mydomain

7. Deploying Infrastructure management

You can deploy Infrastructure management in two ways, as a:

  1. Containerized deployment
  2. Virtual Machine

Deploying Infrastructure management as a containerized deployment (podified).

Complete these steps to install Infrastructure management as a containerized deployment.

Prerequisites

  • Ensure the following operators for Infrastructure management have been installed.

    • ibm-management-im-install for Infrastructure management has been installed. For more information, see Infrastructure management.
  • Ensure IBM Cloud Pak® is set up for LDAP authentication. You need an existing user group from this LDAP repository to use for the Infrastructure management deployment.

Deploy the ibm-management-im-install operand

Install an instance of the Infrastructure management using the Red Hat® OpenShift® Container Platform console or the CLI (command-line tools).

  1. Create an installation instance CR file, <im-install-cr.yaml>, from the following YAML, and update applicationDomain, imagePullSecret, initialAdminGroupName, and the license acceptance.

    apiVersion: infra.management.ibm.com/v1alpha1
    kind: IMInstall
    metadata:
      labels:
        app.kubernetes.io/instance: ibm-infra-management-install-operator
        app.kubernetes.io/managed-by: ibm-infra-management-install-operator
        app.kubernetes.io/name: ibm-infra-management-install-operator
      name: im-iminstall
      namespace: cp4waiops
    spec:
      applicationDomain: <YOUR_IM_HTTPD_ROUTE>
      imagePullPolicy: Always
      imagePullSecret: ibm-entitlement-key
      initialAdminGroupName: <YOUR_LDAP_USER_GROUP>
      storageClassName: <STORAGE_CLASS_NAME>
      license:
        accept: true
    

    Where:

    YOUR_IM_HTTPD_ROUTE is a user-defined route, which must include a name for your installation plus part of your IBM Cloud Pak Automation console's route. Use the following oc command to obtain the console route and modify it to derive your Infrastructure management route.

    oc get ingress.config.openshift.io -o=jsonpath='{.items[0].spec.domain}'

    Example output:

    apps.mycluster.myibm.com
    

    Add inframgmtinstall to the output to create YOUR_IM_HTTPD_ROUTE. For example: inframgmtinstall.apps.mycluster.myibm.com.

    YOUR_LDAP_USER_GROUP is an existing user-group defined in your LDAP repository. As part of the initial setup, this LDAP group is created in Infrastructure management to match your existing LDAP group by name, and assigned an account role which facilitates SSO login.

    Important: You must specify an LDAP user-group and it must contain at least one user that is able to login to the IBM Cloud Pak Automation console. For example, you have an existing LDAP group that is named group100 and a user with the username user100 is a member of the group. You enter group100 for the value of <YOUR_LDAP_USER_GROUP>.

    STORAGE_CLASS_NAME The storage class that will be used by the Infrastructure management data stores. You can specify the same storage class name you used for Infrastructure Automation's storageClass. If you do not specify the storageClassName keyword, then the cluster's default storage class will be used.

    ACCEPT LICENSE set the accept value to true to accept the license.

  2. Deploy the installation instance CR yaml using one of the following methods:

    • Using the CLI, log in to the OpenShift cluster where Infrastructure Automation is installed and apply the file. For example:

      oc login --token=<sha256~EUe-BThLn-qRm32K16QDqLMCQZz5VKlM42JKIj2-U7M> --server=https://<api.mycluster.myibm.com>:6443
      
      oc apply -f im-install-cr.yaml
      
    • Using the OpenShift Console.

      Create an IMInstall instance to deploy Infrastructure management.

      1. Navigate to Operators > Installed Operators.
      2. Switch the project to cp4waiops.
      3. Click IBM Infrastructure Management Install.
      4. Click Create Instance in the IMInstall tile.
      5. Switch to YAML view.
      6. Copy and paste the installation instance yaml created in step 1.
      7. Click Create.
  3. Verify that the pods are running (it can take a few minutes for the pods to start) with the following command:

    oc get pods -n cp4waiops
    

    The following Infrastructure management pods should be running.

    • 1-event-handle-*
    • 1-generic-*
    • 1-priority-*
    • 1-remote-console-*
    • 1-reporting-*
    • 1-schedule-*
    • 1-ui-*
    • 1-web-service-*
    • httpd-*
    • ibm-infra-management-application-*
    • memcached-*
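Reading that pod list by eye is error-prone on a busy namespace. The following is an added example, not IBM tooling: it parses the table that oc get pods prints and reports each expected pod-name prefix that is missing or whose pods are not Running with all containers ready. The output it embeds is constructed (the name suffixes, restart counts and ages are invented), and the expected prefixes are the ones listed above.

```python
"""Check the Infrastructure management pods against the expected list.

Added example, not IBM tooling. It parses the table that
`oc get pods -n cp4waiops` prints and reports every expected pod name prefix
that is missing, or whose pods are not Running with all containers ready.
SAMPLE_OC_OUTPUT is constructed to look like that table.
"""
EXPECTED_PREFIXES = [
    "1-event-handle-", "1-generic-", "1-priority-", "1-remote-console-",
    "1-reporting-", "1-schedule-", "1-ui-", "1-web-service-",
    "httpd-", "ibm-infra-management-application-", "memcached-",
]

# Constructed sample: one pod crash-looping, memcached not yet scheduled.
SAMPLE_OC_OUTPUT = """\
NAME                                               READY   STATUS             RESTARTS   AGE
1-event-handle-5c9d7b8f6-x2k4q                     1/1     Running            0          12m
1-generic-7b6f9c4d5-r8t3w                          1/1     Running            0          12m
1-priority-6d8f7a9b1-q9m2n                         1/1     Running            0          12m
1-remote-console-5f4b3c2d1-z7y6x                   1/1     Running            0          12m
1-reporting-8a7b6c5d4-k1l2m                        1/1     Running            0          12m
1-schedule-9c8d7e6f5-p3o4i                         1/1     Running            0          12m
1-ui-4e3d2c1b0-u5v6w                               0/1     CrashLoopBackOff   6          12m
1-web-service-3f2e1d0c9-a7s8d                      1/1     Running            0          12m
httpd-2d1c0b9a8-f9g0h                              1/1     Running            0          12m
ibm-infra-management-application-1b0a9c8d7-j2k3l   1/1     Running            0          13m
ibm-infrastructure-automation-operator-controller-manager-x1y2z   1/1   Running   0   40m
im-iminstall-db-init-7h8j9                         0/1     Completed          0          13m
"""


def parse_oc_get_pods(text):
    """Turn `oc get pods` output into [{"name", "ready", "status"}, ...]."""
    pods = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "NAME":
            continue  # skip the header and blank lines
        pods.append({"name": parts[0], "ready": parts[1], "status": parts[2]})
    return pods


def _all_ready(ready):
    """'1/1' -> True, '0/1' -> False."""
    have, want = ready.split("/")
    return have == want and want != "0"


def check_im_pods(oc_output, expected=EXPECTED_PREFIXES):
    """Map each unhealthy expected prefix to 'missing' or to its status."""
    pods = parse_oc_get_pods(oc_output)
    problems = {}
    for prefix in expected:
        matching = [p for p in pods if p["name"].startswith(prefix)]
        if not matching:
            problems[prefix] = "missing"
            continue
        healthy = [p for p in matching
                   if p["status"] == "Running" and _all_ready(p["ready"])]
        if not healthy:
            worst = matching[0]
            problems[prefix] = f"{worst['status']} ({worst['ready']} ready)"
    return problems


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OC_OUTPUT
    for prefix, problem in check_im_pods(text).items():
        print(f"{prefix:40s} {problem}")
```

Pipe live output through it (oc get pods -n cp4waiops | python3 check_im_pods.py). The operator's controller-manager pod and Completed job pods are ignored because they do not match an expected prefix; only the listed Infrastructure management pods are judged.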

Deploying Infrastructure management as a virtual machine appliance

Complete these steps to install Infrastructure management as a virtual machine appliance.

Prerequisites

  • Ensure you enable the operators for Infrastructure management by opening the installation YAML file. Locate the pakModules section, and change enabled: false to enabled: true. Enable these Infrastructure management-related operators:

    • ibm-management-im-install for Infrastructure management has been installed. For more information, see Infrastructure management.
  • You must configure and connect an LDAP directory with IBM Cloud Pak®. You must have an LDAP group in your configuration for IBM Cloud Pak with users defined who will access Infrastructure management.

Step 1. Download the Infrastructure management appliance package for your environment.

Follow the steps in Install the Infrastructure management appliance for your virtual environment.

Step 2. Install and configure the Infrastructure management appliance.

Follow the steps in Install the Infrastructure management appliance for your virtual environment.

Step 3. Configure OIDC integration between IBM Cloud Pak® and the Infrastructure management appliance.

Note: Only OIDC-based authentication (OpenID Connect) is supported. Configuring OpenID Connect (OIDC) is required to integrate Infrastructure management with IBM Cloud Pak®.

Prerequisites

  • Before you configure OIDC make sure you install the Infrastructure management virtual machine appliance. For more information, see Installation and Upgrade.

  • Single sign-on with Infrastructure management and IBM Cloud Pak for Watson AIOps requires an LDAP server connection.

    For more information about adding an LDAP connection, see Configuring LDAP connection.

Step 1. Register Infrastructure management instance with IAM as an OIDC client

In order to enable single sign-on (SSO) for Infrastructure management with OIDC, the Infrastructure management instance needs to register as an OIDC client with Identity and Access Management (IAM). Complete these steps on the IBM Cloud Pak for Watson AIOps cluster.

You can register Infrastructure management as an OIDC client with IAM using the cloudctl command.

The registration method requires the following registration payload in a file "registration.json":

{
  "token_endpoint_auth_method": "client_secret_basic",
  "client_id": "<YOUR_CLIENT_ID>",
  "client_secret": "<YOUR_CLIENT_SECRET>",
  "scope": "openid profile email",
  "grant_types": [
    "authorization_code",
    "client_credentials",
    "password",
    "implicit",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ],
  "response_types": [
    "code",
    "token",
    "id_token token"
  ],
  "application_type": "web",
  "subject_type": "public",
  "post_logout_redirect_uris": [
    "https://<YOUR_CLOUD_PAK_ROUTE>"
  ],
  "preauthorized_scope": "openid profile email general",
  "introspect_tokens": true,
  "trusted_uri_prefixes": [
    "https://<YOUR_CLOUD_PAK_ROUTE>/"
  ],
  "redirect_uris": [
    "https://<YOUR_CLOUD_PAK_ROUTE>/auth/liberty/callback",
    "https://<INFRA_MGMT_URL>/oidc_login/redirect_uri"
  ]
}

Example registration payload (for reference only):

{
  "token_endpoint_auth_method":"client_secret_basic",
  "client_id": "AaNzNVFsSjlLVkl6Zk5hZ01MRzJVaVdnbFcxNGl5cnQK",
  "client_secret": "AaNVNzF4ZUxNSVBQUHZHdG1xQmNsTTFOWmNUUGlnYUkK",
  "scope":"openid profile email",
  "grant_types":[
     "authorization_code",
     "client_credentials",
     "password",
     "implicit",
     "refresh_token",
     "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ],
  "response_types":[
     "code",
     "token",
     "id_token token"
  ],
  "application_type":"web",
  "subject_type":"public",
  "post_logout_redirect_uris":["https://cp-console.apps.mycluster.mydomain.com"],
  "preauthorized_scope":"openid profile email general",
  "introspect_tokens":true,
  "trusted_uri_prefixes":["https://cp-console.apps.mycluster.mydomain.com/"],
  "redirect_uris":["https://cp-console.apps.mycluster.mydomain.com/auth/liberty/callback","https://im-mycluster.mydomain.com/oidc_login/redirect_uri"]
}

  1. Create a file named registration.json from the template. Replace the placeholder values in the registration payload with the actual values for your installation.

    • YOUR_CLIENT_ID Your base64 encoded character string.

    • YOUR_CLIENT_SECRET Your base64 encoded character string.

      Note: The <YOUR_CLIENT_ID> and <YOUR_CLIENT_SECRET> values need to be generated. They can be any string, but normally a 32-character string that is base64 encoded is used. You can use BASE64 to encode your character string. For more information, see: BASE64. Make a note of the values you generate for <YOUR_CLIENT_ID> and <YOUR_CLIENT_SECRET>. You will use them in the next section to update the Apache configuration file.

      Example command that uses base64 to encode a character string:

      #
      # Generate two base64-encoded strings from inputs longer than 32 characters
      # (base64 is an encoding, not encryption; the trailing newline from echo is encoded too)
      #
      echo There is a huge white elephant in LA zoo | base64
      echo 12345678901234567890123456789012345 | base64
      
    • YOUR_CLOUD_PAK_ROUTE The URL of the IBM Cloud Pak for Watson AIOps console.

    • INFRA_MGMT_URL The URL of the Infrastructure management virtual machine appliance.

    • post_logout_redirect_uris The URL of the IBM Cloud Pak for Watson AIOps console.

    • trusted_uri_prefixes The URL of the IBM Cloud Pak for Watson AIOps console with "forward slash" /.

    • redirect_uris The URL of the IBM Cloud Pak for Watson AIOps console with the path to call back and the URL of the Infrastructure management host with the path to the redirect_uri.

    Note: You can run the following command on the IBM Cloud Pak for Watson AIOps cluster to determine the URL of the IBM Cloud Pak for Watson AIOps console:

    oc get routes cp-console -o=jsonpath='{.spec.host}' -n ibm-common-services
    
  2. After the file registration.json is completed, log in and run the command to register Infrastructure management as an OIDC client.

    Note: Include -n kube-system to specify this project; otherwise, the cloudctl iam command can fail.

    cloudctl login -a https://<YOUR_CLOUD_PAK_ROUTE> -n kube-system
    

    Example cloudctl iam command:

    cloudctl iam oauth-client-register -f registration.json
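The step above only requires that client_id and client_secret be base64-encoded strings, and the shell example encodes a fixed sentence that anyone reading this page can reproduce. The following is an added example, not IBM's tooling: it draws the two values from the operating system's random source, base64-encodes them (32 random bytes give the 44-character value the page's examples have), fills the documented payload fields from the two routes, and writes registration.json readable only by its owner. The route names in the __main__ block are constructed sample values.

```python
"""Generate the OIDC client credentials and registration.json for step 1.

Added example; it is not IBM's tooling. client_id and client_secret are
32 random bytes from the secrets module, base64-encoded (44 characters),
rather than a base64-encoded fixed sentence. The payload mirrors the fields
of the registration template above. Route names in __main__ are constructed.
"""
import base64
import json
import os
import secrets


def new_client_credential(nbytes=32):
    """Random bytes, base64-encoded; 32 bytes give a 44-character value."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def credential_is_well_formed(value, nbytes=32):
    """True when value is strict base64 that decodes to nbytes bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) == nbytes
    except (ValueError, TypeError):
        return False


def build_registration(client_id, client_secret, cloud_pak_route, infra_mgmt_host):
    """Return the registration payload with the fields the template uses.

    cloud_pak_route is the cp-console host and infra_mgmt_host the appliance
    host; both are bare hostnames, the scheme and paths are added here."""
    for host in (cloud_pak_route, infra_mgmt_host):
        if not host or "://" in host or "/" in host:
            raise ValueError(f"expected a bare hostname, got {host!r}")
    cp = f"https://{cloud_pak_route}"
    im = f"https://{infra_mgmt_host}"
    return {
        "token_endpoint_auth_method": "client_secret_basic",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "openid profile email",
        "grant_types": [
            "authorization_code", "client_credentials", "password",
            "implicit", "refresh_token",
            "urn:ietf:params:oauth:grant-type:jwt-bearer",
        ],
        "response_types": ["code", "token", "id_token token"],
        "application_type": "web",
        "subject_type": "public",
        "post_logout_redirect_uris": [cp],
        "preauthorized_scope": "openid profile email general",
        "introspect_tokens": True,
        "trusted_uri_prefixes": [cp + "/"],
        "redirect_uris": [cp + "/auth/liberty/callback",
                          im + "/oidc_login/redirect_uri"],
    }


def write_registration(path, payload):
    """Write the payload with mode 0600: the file holds the client secret."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        json.dump(payload, fh, indent=2)
        fh.write("\n")


if __name__ == "__main__":
    cid, csec = new_client_credential(), new_client_credential()
    payload = build_registration(
        cid, csec,
        "cp-console.apps.mycluster.mydomain.com",  # constructed sample route
        "im-mycluster.mydomain.com",               # constructed sample host
    )
    write_registration("registration.json", payload)
    print("client_id:", cid)  # the secret stays in the file, not in a terminal log
```

Keep the generated file with the same care as any other credential: it is the input to cloudctl iam oauth-client-register and, in the next section, the source of the values copied into the Apache configuration.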
    

Step 2. Import the Root CA certificate to the Infrastructure management appliance

  1. Retrieve the cluster CA cert by running this command on the cluster:

    oc get secret -n ibm-common-services ibmcloud-cluster-ca-cert -o jsonpath='{.data.ca\.crt}' | base64 --decode
    

    Note: When copying this command there can be some additional characters added that can cause incorrect command syntax. You can copy the first portion oc get secret -n ibm-common-services ibmcloud-cluster-ca-cert -o jsonpath= and manually add the remaining syntax '{.data.ca\.crt}'| base64 --decode.

  2. Copy and paste the output to a file, for example ibm_cp_im.crt

  3. Edit the ibm_cp_im.crt file, and change:

    • BEGIN CERTIFICATE to BEGIN TRUSTED CERTIFICATE
    • END CERTIFICATE to END TRUSTED CERTIFICATE

    Note: The following steps must be completed by logging in to the Infrastructure management appliance system as root user:

  4. Copy the updated ibm_cp_im.crt file to the Infrastructure management appliance and save it in the directory: /etc/pki/ca-trust/source/anchors

  5. Run the command:

    update-ca-trust
    
  6. Restart the evm server by running the command:

    systemctl restart evmserverd
    
  7. Copy the Apache OIDC template configuration file with these steps:

    export TEMPLATE_DIR="/opt/IBM/infrastructure-management-appliance/TEMPLATE"
    
    cp ${TEMPLATE_DIR}/etc/httpd/conf.d/manageiq-remote-user-openidc.conf /etc/httpd/conf.d/
    
    cp ${TEMPLATE_DIR}/etc/httpd/conf.d/manageiq-external-auth-openidc.conf.erb  /etc/httpd/conf.d/manageiq-external-auth-openidc.conf
    
  8. The Apache /etc/httpd/conf.d/manageiq-external-auth-openidc.conf configuration file must be updated with installation-specific values. Replace the contents of the file with the actual values based on the installation.

    Sample configuration file:

    LoadModule          auth_openidc_module modules/mod_auth_openidc.so
    ServerName          https://<YOUR_IM_APPLIANCE_HOSTNAME>
    LogLevel            warn
    
    OIDCClientID                   <YOUR_CLIENT_ID>
    OIDCClientSecret               <YOUR_CLIENT_SECRET>
    OIDCRedirectURI                https://<YOUR_IM_APPLIANCE_HOSTNAME>/oidc_login/redirect_uri
    OIDCCryptoPassphrase           <PASSPHRASE>
    OIDCOAuthRemoteUserClaim       sub
    OIDCRemoteUserClaim            name
    
    OIDCOAuthClientID                  <YOUR_CLIENT_ID>
    OIDCOAuthClientSecret              <YOUR_CLIENT_SECRET>
    OIDCOAuthIntrospectionEndpoint     https://<YOUR_CLOUD_PAK_ROUTE>/idprovider/v1/auth/introspect
    OIDCOAuthIntrospectionEndpointAuth client_secret_basic
    
    OIDCProviderIssuer                  https://127.0.0.1:443/idauth/oidc/endpoint/OP
    OIDCProviderAuthorizationEndpoint   https://<YOUR_CLOUD_PAK_ROUTE>/idprovider/v1/auth/authorize
    OIDCProviderTokenEndpoint           https://<YOUR_CLOUD_PAK_ROUTE>/idprovider/v1/auth/token
    OIDCProviderJwksUri                 https://<YOUR_CLOUD_PAK_ROUTE>/idprovider/v1/auth/jwk
    OIDCProviderEndSessionEndpoint      https://<YOUR_CLOUD_PAK_ROUTE>/idprovider/v1/auth/logout
    
    OIDCScope                        "openid email profile"
    OIDCResponseMode                 "query"
    OIDCProviderTokenEndpointAuth     client_secret_post
    
    OIDCPassUserInfoAs json
    OIDCSSLValidateServer off
    OIDCOAuthSSLValidateServer off
    OIDCHTTPTimeoutShort 10
    
    OIDCCacheEncrypt On
    <Location /oidc_login>
      AuthType  openid-connect
      Require   valid-user
    </Location>
    
    <Location /ui/service/oidc_login>
      AuthType openid-connect
      Require valid-user
      Header set Set-Cookie "miq_oidc_access_token=%{OIDC_access_token}e; Max-Age=10; Path=/ui/service"
    </Location>
    
    <LocationMatch ^/api(?!\/(v[\d\.]+\/)?product_info$)>
      SetEnvIf X-Auth-Token  '^.+$'                 let_api_token_in
      SetEnvIf X-MIQ-Token   '^.+$'                 let_sys_token_in
      SetEnvIf X-CSRF-Token  '^.+$'                 let_csrf_token_in
    
      AuthType  oauth20
      AuthName  "External Authentication (oidc) for API"
    
      Require   valid-user
      Order     Allow,Deny
      Allow from env=let_api_token_in
      Allow from env=let_sys_token_in
      Allow from env=let_csrf_token_in
      Satisfy   Any
    </LocationMatch>
    
    RequestHeader unset X-REMOTE-USER
    RequestHeader unset X-REMOTE_USER
    RequestHeader unset X_REMOTE-USER
    RequestHeader unset X_REMOTE_USER
    RequestHeader set X_REMOTE_USER %{OIDC_CLAIM_PREFERRED_USERNAME}e env=OIDC_CLAIM_PREFERRED_USERNAME
    RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
    RequestHeader set X_REMOTE_USER_EMAIL %{OIDC_CLAIM_EMAIL}e env=OIDC_CLAIM_EMAIL
    RequestHeader set X_REMOTE_USER_FIRSTNAME %{OIDC_CLAIM_GIVEN_NAME}e env=OIDC_CLAIM_GIVEN_NAME
    RequestHeader set X_REMOTE_USER_LASTNAME %{OIDC_CLAIM_FAMILY_NAME}e env=OIDC_CLAIM_FAMILY_NAME
    RequestHeader set X_REMOTE_USER_FULLNAME %{OIDC_CLAIM_NAME}e env=OIDC_CLAIM_NAME
    RequestHeader set X_REMOTE_USER_GROUPS %{OIDC_CLAIM_GROUPS}e env=OIDC_CLAIM_GROUPS
    RequestHeader set X_REMOTE_USER_DOMAIN %{OIDC_CLAIM_DOMAIN}e env=OIDC_CLAIM_DOMAIN
    
    • YOUR_IM_APPLIANCE_HOSTNAME Specifies the hostname of the Infrastructure management appliance server.
    • YOUR_CLIENT_ID The client ID used for registering Infrastructure management as an OIDC client with IAM.
    • YOUR_CLIENT_SECRET The client secret that is used for registering Infrastructure management as an OIDC client with IAM.
    • YOUR_CLOUD_PAK_ROUTE The URL of the IBM Cloud Pak UI console.
    • OIDCCryptoPassphrase Can be any arbitrary alpha-numeric string.

    Note: YOUR_CLIENT_ID and YOUR_CLIENT_SECRET values are generated when you register Infrastructure Management as an OIDC client.

    Example configuration file (for reference only):

    LoadModule          auth_openidc_module modules/mod_auth_openidc.so
    ServerName          https://im-mycluster.mydomain.com
    LogLevel            warn
    
    OIDCClientID                       N3NzNVFsSjlLVkl6Zk5hZ01MRzJVaVdnbFcxNGl5cnQK
    OIDCClientSecret                   VWNVNzF4ZUxNSVBQUHZHdG1xQmNsTTFOWmNUUGlnYUkK
    OIDCRedirectURI                    https://im-mycluster.mydomain.com/oidc_login/redirect_uri
    OIDCCryptoPassphrase               alphabeta
    OIDCOAuthRemoteUserClaim           sub
    OIDCRemoteUserClaim                name
    
    OIDCOAuthClientID                  N3NzNVFsSjlLVkl6Zk5hZ01MRzJVaVdnbFcxNGl5cnQK
    OIDCOAuthClientSecret              VWNVNzF4ZUxNSVBQUHZHdG1xQmNsTTFOWmNUUGlnYUkK
    OIDCOAuthIntrospectionEndpoint     https://cp-console.apps.mycluster.mydomain.com/idprovider/v1/auth/introspect
    OIDCOAuthIntrospectionEndpointAuth client_secret_basic
    
    OIDCProviderIssuer                 https://127.0.0.1:443/idauth/oidc/endpoint/OP
    OIDCProviderAuthorizationEndpoint  https://cp-console.apps.mycluster.mydomain.com/idprovider/v1/auth/authorize
    OIDCProviderTokenEndpoint          https://cp-console.apps.mycluster.mydomain.com/idprovider/v1/auth/token
    OIDCProviderJwksUri                https://cp-console.apps.mycluster.mydomain.com/idprovider/v1/auth/jwk
    OIDCProviderEndSessionEndpoint     https://cp-console.apps.mycluster.mydomain.com/idprovider/v1/auth/logout
    
    OIDCScope                          "openid email profile"
    OIDCResponseMode                   "query"
    OIDCProviderTokenEndpointAuth      client_secret_post
    
    OIDCPassUserInfoAs json
    OIDCSSLValidateServer off
    OIDCOAuthSSLValidateServer off
    OIDCHTTPTimeoutShort 10
    
    OIDCCacheEncrypt On
    <Location /oidc_login>
      AuthType  openid-connect
      Require   valid-user
    </Location>
    
    <Location /ui/service/oidc_login>
      AuthType openid-connect
      Require valid-user
      Header set Set-Cookie "miq_oidc_access_token=%{OIDC_access_token}e; Max-Age=10; Path=/ui/service"
    </Location>
    
    <LocationMatch ^/api(?!\/(v[\d\.]+\/)?product_info$)>
      SetEnvIf X-Auth-Token  '^.+$'                 let_api_token_in
      SetEnvIf X-MIQ-Token   '^.+$'                 let_sys_token_in
      SetEnvIf X-CSRF-Token  '^.+$'                 let_csrf_token_in
    
      AuthType  oauth20
      AuthName  "External Authentication (oidc) for API"
    
      Require   valid-user
      Order     Allow,Deny
      Allow from env=let_api_token_in
      Allow from env=let_sys_token_in
      Allow from env=let_csrf_token_in
      Satisfy   Any
    </LocationMatch>
    
    RequestHeader unset X-REMOTE-USER
    RequestHeader unset X-REMOTE_USER
    RequestHeader unset X_REMOTE-USER
    RequestHeader unset X_REMOTE_USER
    RequestHeader set X_REMOTE_USER %{OIDC_CLAIM_PREFERRED_USERNAME}e env=OIDC_CLAIM_PREFERRED_USERNAME
    RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
    RequestHeader set X_REMOTE_USER_EMAIL %{OIDC_CLAIM_EMAIL}e env=OIDC_CLAIM_EMAIL
    RequestHeader set X_REMOTE_USER_FIRSTNAME %{OIDC_CLAIM_GIVEN_NAME}e env=OIDC_CLAIM_GIVEN_NAME
    RequestHeader set X_REMOTE_USER_LASTNAME %{OIDC_CLAIM_FAMILY_NAME}e env=OIDC_CLAIM_FAMILY_NAME
    RequestHeader set X_REMOTE_USER_FULLNAME %{OIDC_CLAIM_NAME}e env=OIDC_CLAIM_NAME
    RequestHeader set X_REMOTE_USER_GROUPS %{OIDC_CLAIM_GROUPS}e env=OIDC_CLAIM_GROUPS
    RequestHeader set X_REMOTE_USER_DOMAIN %{OIDC_CLAIM_DOMAIN}e env=OIDC_CLAIM_DOMAIN
    
  9. Restart Apache on the appliance.

    systemctl restart httpd
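Most SSO failures at this point come from values that differ between registration.json and the Apache file from step 8. The following is an added example, not IBM code: it parses the OIDC* and ServerName directives and reports unreplaced placeholders, a client ID or secret that differs between the OIDC and OAuth directives or from the registered client, an OIDCRedirectURI that is not among the registered redirect_uris, provider endpoints outside the trusted Cloud Pak route, and the two SSL-validation switches left off (the sample file disables TLS certificate verification toward the identity provider; step 2 of this section imports the cluster CA into the appliance trust store, so flagging them lets you decide deliberately). SAMPLE_CONF and SAMPLE_REGISTRATION are an excerpt built from this page's reference values, not a live system. Note that the page's own two reference examples differ (the registration example's client_id begins AaNz, the Apache example's begins N3Nz), which is exactly the copy error this check reports.

```python
"""Cross-check manageiq-external-auth-openidc.conf against registration.json.

Added example, not IBM code. It parses the OIDC* and ServerName directives
from the Apache file of step 8 and reports what would break or weaken the
SSO login. SAMPLE_CONF and SAMPLE_REGISTRATION are an excerpt built from the
documentation's reference values, not a live installation.
"""
import re

# Apache directive names are case-insensitive, so they are lower-cased.
DIRECTIVE = re.compile(r"^\s*(OIDC\w+|ServerName)\s+(\S.*?)\s*$")
PLACEHOLDER = re.compile(r"<[^>]*>")
ENDPOINTS = (
    "oidcoauthintrospectionendpoint", "oidcproviderauthorizationendpoint",
    "oidcprovidertokenendpoint", "oidcproviderjwksuri",
    "oidcproviderendsessionendpoint",
)

SAMPLE_CONF = """\
LoadModule auth_openidc_module modules/mod_auth_openidc.so
ServerName https://im-mycluster.mydomain.com
OIDCClientID N3NzNVFsSjlLVkl6Zk5hZ01MRzJVaVdnbFcxNGl5cnQK
OIDCClientSecret VWNVNzF4ZUxNSVBQUHZHdG1xQmNsTTFOWmNUUGlnYUkK
OIDCRedirectURI https://im-mycluster.mydomain.com/oidc_login/redirect_uri
OIDCOAuthClientID N3NzNVFsSjlLVkl6Zk5hZ01MRzJVaVdnbFcxNGl5cnQK
OIDCOAuthClientSecret VWNVNzF4ZUxNSVBQUHZHdG1xQmNsTTFOWmNUUGlnYUkK
OIDCOAuthIntrospectionEndpoint https://cp-console.apps.mycluster.mydomain.com/idprovider/v1/auth/introspect
OIDCProviderAuthorizationEndpoint https://cp-console.apps.mycluster.mydomain.com/idprovider/v1/auth/authorize
OIDCProviderTokenEndpoint https://cp-console.apps.mycluster.mydomain.com/idprovider/v1/auth/token
OIDCProviderJwksUri https://cp-console.apps.mycluster.mydomain.com/idprovider/v1/auth/jwk
OIDCProviderEndSessionEndpoint https://cp-console.apps.mycluster.mydomain.com/idprovider/v1/auth/logout
OIDCSSLValidateServer off
OIDCOAuthSSLValidateServer off
<Location /oidc_login>
  AuthType openid-connect
  Require valid-user
</Location>
"""

SAMPLE_REGISTRATION = {
    "client_id": "N3NzNVFsSjlLVkl6Zk5hZ01MRzJVaVdnbFcxNGl5cnQK",
    "client_secret": "VWNVNzF4ZUxNSVBQUHZHdG1xQmNsTTFOWmNUUGlnYUkK",
    "trusted_uri_prefixes": ["https://cp-console.apps.mycluster.mydomain.com/"],
    "redirect_uris": [
        "https://cp-console.apps.mycluster.mydomain.com/auth/liberty/callback",
        "https://im-mycluster.mydomain.com/oidc_login/redirect_uri",
    ],
}


def parse_directives(text):
    """Return {lower-cased directive: value} for OIDC* and ServerName lines."""
    found = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2).strip('"')
    return found


def check_openidc_conf(conf_text, registration):
    """Return a list of findings; empty means the file matches the client."""
    d = parse_directives(conf_text)
    findings = []
    for name, value in d.items():
        if PLACEHOLDER.search(value):
            findings.append(f"{name}: placeholder {value} not replaced")
    cid = registration["client_id"]
    if d.get("oidcclientid") != cid or d.get("oidcoauthclientid") != cid:
        findings.append("client ID differs from the registered client_id")
    sec = registration["client_secret"]
    if d.get("oidcclientsecret") != sec or d.get("oidcoauthclientsecret") != sec:
        findings.append("client secret differs from the registered client_secret")
    if d.get("oidcredirecturi") not in registration["redirect_uris"]:
        findings.append("OIDCRedirectURI is not one of the registered redirect_uris")
    prefixes = tuple(registration["trusted_uri_prefixes"])
    for ep in ENDPOINTS:
        if not d.get(ep, "").startswith(prefixes):
            findings.append(f"{ep} is missing or not under the Cloud Pak route")
    for flag in ("oidcsslvalidateserver", "oidcoauthsslvalidateserver"):
        if d.get(flag, "on").lower() == "off":
            findings.append(f"{flag} is off: the appliance will not verify "
                            "the identity provider's TLS certificate")
    return findings


if __name__ == "__main__":
    import json
    with open("/etc/httpd/conf.d/manageiq-external-auth-openidc.conf") as fh, \
            open("registration.json") as reg:
        for finding in check_openidc_conf(fh.read(), json.load(reg)) or ["ok"]:
            print(finding)
```

Run it on the appliance before restarting httpd, with registration.json copied alongside; against the reference excerpt it reports only the two disabled SSL-validation switches.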
    

Step 3. Configure the Administrative UI

Update the Appliance Administrative UI to be OIDC aware and function. Complete these steps on each UI-enabled Infrastructure management appliance.

  1. Log in as admin.

  2. Select the Settings > Application Settings, select "Server "EVM [1]" (current)" under Zones, then select the Authentication tab.

  3. In the Authentication section, set the Mode to External (httpd)

  4. In the External Authentication (HTTPd) Settings section, set Provider Type to Enable OpenID-Connect.

    • Note: This setting enables the OIDC login button on the login screen that redirects to the OIDC protected page for authentication, and supports the OIDC logout process.
  5. Optional: In the External Authentication (HTTPd) Settings section, select Enable Single Sign-On.

    • Note: If you select this option, the initial access to the Appliance Administrative UI will redirect to the OIDC Identity Provider authentication screen.

  6. In the Role Settings section, select the Get User Groups from External Authentication (HTTPd) setting.

  7. Click Save.

  8. Select Access Control, click Groups and make sure the user’s groups are created on the Appliance and appropriate roles are assigned to those groups. The user's groups to be added in Infrastructure management should have the same names as the groups defined in the LDAP server that is configured in the IBM Cloud Pak console.

    1. Under the Access Control, click Groups.

    2. Click Configuration, then Add a new Group.

    3. Enter your existing LDAP group name in the Description field. For example, im_ldap_group.

    4. Select the Role for this LDAP group. For example, select the EvmRole-super_administrator to map to this group. The Infrastructure management administrator can map to the roles that make sense for the user group.

    5. Select My Company for Project/Tenant.

    6. Click Add.

      Note: Access control in Infrastructure management is based on group membership as roles are assigned to groups. When Infrastructure management is integrated with IBM Cloud Pak for Watson AIOps using single sign-on (SSO), it looks at the user’s group membership in the identity token and checks if that group exists in Infrastructure management. If the group doesn't exist, then access is denied. You must create at least one group with the role EvmRole-super_administrator and assign one user to this group. This user will be the Admin user for Infrastructure management and referred to as IM_ADMIN_LDAP_USER. The IM_ADMIN_LDAP_USER must be a member of the LDAP group with the role EvmRole-super_administrator in Infrastructure management.

      Important: You must create the groups in Infrastructure management that match your existing LDAP groups by name, and assign the groups account roles. At least one group to which the user belongs in LDAP that IBM Cloud Pak for Watson AIOps is configured to use must also be created in Infrastructure management. You must assign a proper role to this group in Infrastructure management.

      Example: In LDAP a group that is named imgroup100 exists and a user with username imuser100 is a member of the group. The user imuser100 and the group imgroup100 must be created in Infrastructure management.
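
The Note and Important paragraphs above describe how access is decided: the groups in the user's identity token are matched by name against the groups created in Infrastructure management, and access is denied when none match; in addition, at least one group must carry EvmRole-super_administrator and IM_ADMIN_LDAP_USER must belong to it. The following Python model of that decision and of a check over the configured group table is an added example, not IBM's or ManageIQ's code. It assumes the groups reach the appliance in the X_REMOTE_USER_GROUPS header as a comma-separated list (mod_auth_openidc's default claim delimiter) and that group names are compared exactly; the sample group table is constructed, with imgroup100 taken from the example above and the second group and its role being sample values only.

```python
# Added example, not from the IBM documentation: a model of the group-based
# access decision described in the Note above, with a check of the group table
# against the Important requirement that follows it.
from typing import Dict, List, Optional

SUPER_ADMIN_ROLE = "EvmRole-super_administrator"


def parse_groups_header(value: str) -> List[str]:
    """Split the X_REMOTE_USER_GROUPS value into group names.

    Assumption: a multi-valued groups claim is delivered comma-separated, which
    is mod_auth_openidc's default claim delimiter.
    """
    return [g.strip() for g in value.split(",") if g.strip()]


def resolve_roles(token_groups: List[str], im_groups: Dict[str, str]) -> Dict[str, str]:
    """Map the groups in the identity token to the roles assigned to them in
    Infrastructure management.  Only groups that exist there by exact name
    count (assumption: no case folding); unknown groups are ignored."""
    return {g: im_groups[g] for g in token_groups if g in im_groups}


def authorize(groups_header: Optional[str], im_groups: Dict[str, str]) -> dict:
    """Access decision for one request: denied unless at least one of the
    user's token groups has been created (and given a role) in IM."""
    matched = resolve_roles(parse_groups_header(groups_header or ""), im_groups)
    return {"allowed": bool(matched),
            "roles": sorted(set(matched.values())),
            "matched_groups": sorted(matched)}


def check_group_table(im_groups: Dict[str, str], admin_user_groups: List[str]) -> List[str]:
    """Problems with the configured groups, per the Important note: at least one
    group must carry EvmRole-super_administrator, and IM_ADMIN_LDAP_USER (whose
    LDAP groups are admin_user_groups) must belong to one of them.  An empty
    list means the table satisfies both requirements."""
    problems = []
    admin_groups = [g for g, role in im_groups.items() if role == SUPER_ADMIN_ROLE]
    if not admin_groups:
        problems.append(f"no group is assigned {SUPER_ADMIN_ROLE}")
    elif not any(g in admin_user_groups for g in admin_groups):
        problems.append("IM_ADMIN_LDAP_USER is not a member of any "
                        f"{SUPER_ADMIN_ROLE} group")
    return problems


# Constructed sample group table: imgroup100 is from the example above; the
# second group and its role name are sample values only.
SAMPLE_IM_GROUPS = {
    "imgroup100": SUPER_ADMIN_ROLE,
    "im_ldap_group": "EvmRole-user",
}

if __name__ == "__main__":
    print(authorize("imgroup100", SAMPLE_IM_GROUPS))         # allowed, super_administrator
    print(authorize("some-other-group", SAMPLE_IM_GROUPS))   # denied: group not created in IM
    print(check_group_table(SAMPLE_IM_GROUPS, ["imgroup100"]))  # []
```

A user whose token names only a group that was never created in Infrastructure management is denied even though the group exists in LDAP, which is exactly the situation the Important note tells you to avoid by creating matching groups by name.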

Step 4. Integrating Infrastructure management with IBM Cloud Pak for Watson AIOps

Enable navigation to Infrastructure management within the IBM Cloud Pak console.

Complete the following steps on a Linux system. You can use the boot node from the HUB cluster where IBM Cloud Pak for Watson AIOps is installed. These steps enable navigation to Infrastructure management from the IBM Cloud Pak console:

  1. Clone the IBM Cloud Pak for Watson AIOps samples GitHub repository to obtain the menu customization script. You must run the script on a Linux operating system.

    Download the supporting subdirectories so that the script runs successfully. The files and subdirectories that are required to run the script are:

    im-appliance-link-install.sh
    nav/automate.yml
    nav_template/automate.sh
    
  2. Install and authenticate kubectl. For more information, see Installing the Kubernetes CLI (kubectl).

  3. Navigate to the directory cp4waiops-samples/infrastructure-automation/infrastructure-management/appliance. Set the file permissions on the script and run im-appliance-link-install.sh to enable navigation to your Infrastructure management instance:

    chmod 755 ./im-appliance-link-install.sh
    
    ./im-appliance-link-install.sh -i <Infrastructure management URL>
    
    • -i is a required parameter that specifies the URL of the Infrastructure management console. For example: ./im-appliance-link-install.sh -i https://im-mycluster.mydomain.com/

  4. Verify that the Infrastructure management instance is in the IBM Cloud Pak console navigation menu. From the IBM Cloud Pak navigation menu, click Automate infrastructure > Infrastructure management.

Infrastructure management is integrated with the IBM Cloud Pak console.

8. Assign user roles and permissions

When you install Infrastructure Automation and deploy Infrastructure management, you, or an administrator, must add the required Kubernetes permissions to user roles before your users can begin to access and use Infrastructure Automation tools, such as Managed services or the Service catalog. For instance, users that do not have an Administrator role are not able to use the Infrastructure management Managed services and Service Catalog or create user groups. For more information about how to add permissions to a role, see Managing roles for Infrastructure Automation.