Installing the Wired portal on the same cluster as the Cloud Pak
Install the IBM® Cloud Pak for Network Automation Wired portal on the same cluster where you installed IBM Cloud Pak for Network Automation.
Before you begin
For any steps that use the Red Hat®
OpenShift® Container Platform CLI,
run the oc login
command to log in to your Red Hat OpenShift cluster.
- Complete the steps in Preparing to install.
- Generate SSL certificates and private keys for SAML authentication and HTTPS communication.
- SAML is used for user authentication to the Wired portal. To configure this authentication, you must first generate certificates and keys.
- For HTTPS communication, a default certificate is used when you install the portal. You can optionally generate your own certificate and use it instead.
- You can use separate certificates for SAML signature, SAML encryption, and HTTPS communication, or use the same certificate for all three.
- Generate the certificates and keys by using an online tool, such as OpenSSL.
- In a file system location of your choosing, save each certificate in a file that has a .crt extension, and save each private key in a file that has a .key extension.
- In the namespace where the Cloud Pak is installed, create a secret to store the access
credentials that the Wired portal uses for the Cloud Pak by running this
command:
oc create secret generic cp4na-o-wired-credentials --from-literal=keystorePassword='<keystore_pw>' --from-literal=mcnp.gateway.zen.userName='<cp_username>' --from-literal=mcnp.gateway.zen.apiKey='<cp_api-key>'
<keystore_pw> is a password of your choosing. When you create this secret, a keystore is created to store the portal's certificate and private key. This value is the keystore password.
<cp_username> is your Cloud Pak username.
<cp_api-key> is your Cloud Pak API key. To retrieve or generate an API key, see Authenticating REST API requests.
- Determine the URL of the Wired portal.
- Retrieve the URL of the Ishtar microservice by running this
command:
<cp4na_namespace> is the namespace where IBM Cloud Pak for Network Automation is installed.oc get routes -n <cp4na_namespace> | grep 'cp4na-o-ishtar'
The Ishtar URL is shown in the format
cp4na-o-ishtar-<namespace>.apps.<cluster_name>.<domain_name>
. - Copy the Ishtar URL to a temporary location, such as the clipboard.
- To determine the portal's URL, replace
ishtar
withmcnp
.For example, if the Ishtar URL is
cp4na-o-ishtar-lifecycle-manager.apps.cp4nawiredenv.cp.fyre.ibm.com
, the Wired URL iscp4na-o-mcnp-lifecycle-manager.apps.cp4nawiredenv.cp.fyre.ibm.com
.
- Retrieve the URL of the Ishtar microservice by running this
command:
- In your identity provider, register the Wired portal as a service provider and
generate a metadata file.
- You need the URL that you retrieved in the previous step to complete this registration.
- After the registration is complete, generate a metadata file for your identity provider and save it in a file system location of your choosing.
- For registration and metadata generation steps, refer to your identity provider's documentation.
- Configure SAML authentication between the Wired portal and your identity
provider. As part of this step, you can optionally configure SAML signature and encryption. You need
these items to complete this step:
- The certificates and keys that you generated in step 2.
- The identity provider metadata file that you generated in step 5.
- Gather the security certificates for the external services that the portal communicates with,
such as AWS and Azure, and add these certificates to the portal's truststore.
- Gather the certificates and store them in a file system directory. See Gathering security certificates for external services.
- In the file system directory, add the certificates to the portal's truststore by running this
command:
oc create secret generic cp4na-o-wired-trustedcerts --from-file=.
Install the portal
- Install the portal by using the OpenShift Container Platform console
-
Complete the following steps to install the portal:
- Log in to your OpenShift Container Platform cluster console.
- Optional: If you want to use your own certificate and private key files for
HTTPS communication, store them in a secret.
- In the console navigation menu, click .
- In the Secrets screen, in the Project drop-down, select the namespace where you intend to install the Wired portal.
- Click Create and select Key/value secret from the drop-down.
- In the Secret name field, enter cp4na-o-mcnp-cert.
- In the Key field, enter the name of the SSL certificate file that you generated.
- In the Value field, paste the contents of the certificate.
- Click Add key/value and enter the name and contents of the private key file.
- If your identity provider has extra certificates, add these certificates and their private keys.
- Click Create.
- From the navigation menu, click .
- From the list of installed operators, click IBM Cloud Pak for Network Automation Orchestration Manager.
- Under Provided APIs, locate the Orchestration
CP4NAWired tile and click Create Instance.
The default Form View is shown.
- View the CR attributes by clicking the YAML View radio button.
- Configure the CR attributes.
- In the
licence
section, ensure that the value of theaccept
attribute is set to true. - Set the values of the SAML attributes that are shown in this table:
CR attribute Description Example mcnpSamlIdentityProviderEntityId
The entity ID of your SAML identity provider. https://w3id-prep.ice.ibmcloud.com/saml/sps/saml20ip/saml20 mcnpSamlSingleSignonUrl
The login URL of your SAML identity provider. https://preprod.login.w3.ibm.com/saml/sps/saml20ip/saml20/login - Enable or disable multitenancy for Wired by setting the
mcnpEnableMultiTenancy
attribute.- If you set this attribute to true, you must configure tenants and security groups to ensure that each Wired user sees only the data that is created by users in their group. For more information, see Managing Wired tenants.
- If you set this attribute to false, you ensure that all Wired users can see each other’s data.
- Optional: To use your own SSL certificate for HTTPS communication, set the value of the
mcnpGeneratedSslCert
attribute to false.Note:- Verify that you stored the certificate and key in a secret in step 2.
- If the value of
mcnpGeneratedSslCert
is true, an SSL certificate is generated automatically when you create the CR instance.
- Optional: Enable application logging for Wired.
- Install Red Hat OpenShift Logging on your cluster. For more information, see Application logging with EFK.
- In the Wired CR, configure the following attributes.
Wired logging attributes
CR attribute Description Example mcnpEnableAuditLog
A Boolean value that determines whether application logs are written to the Wired pods. true mcnpLogLevel
The level of detail in the log information. The following levels are supported: INFO
DEBUG
INFO
- Optional: For production environments, you might want to make the following adjustments:
- Increase the settings for CPU, memory, and replicas for the Wired microservice, that is, the
mcnp
microservice.For example, increase the number of
mcnp
pod replicas to three. - Update related settings in the IBM Cloud Pak for Network
Automation CR to enable the creation of virtual
networks in AWS and Azure that contain more than 20 subnets.
For more information, see Configuring the Wired portal.
- Increase the settings for CPU, memory, and replicas for the Wired microservice, that is, the
- In the
- Click Create.
The instance might take some time to create. You can monitor the progress on the Orchestration tab.
- To verify that the instance is successfully created, view the status of the instance on the All Instances tab. Your instance is ready when you see the Succeeded status.
- Install the portal by using the Red Hat OpenShift CLI
-
Complete the following steps to install the portal:
- Optional: If you want to use your own certificate and private key files for HTTPS
communication, store them in a secret.In the namespace where you want to install the portal, create the secret by running this command:
oc create secret generic cp4na-o-mcnp-cert --from-file=<certificate_file> --from-file=<private_key>
<certificate_file> is the certificate file that you generated to be used for HTTPS communication.
<private_key> is the file that contains the private key.
- Create a YAML file and add the custom resource (CR).
The following example CR is used to create a default instance of IBM Cloud Pak for Network Automation Wired. Some SAML settings must be specified. All of the other keys that are not specified in the CR, such as CPU, memory, and replicas, use the default settings.
Important:The default CR settings for CPU, memory, and replicas are for a starter instance.
apiVersion: tnc.ibm.com/v1beta1 kind: CP4NAWired metadata: name: cp4nawired-default labels: app.kubernetes.io/instance: cp4nawired app.kubernetes.io/managed-by: olm app.kubernetes.io/name: cp4nawired spec: shutdown: "None" license: accept: true version: 2.7.6 advanced: imagePullPolicy: "IfNotPresent" mcnpUiThemeConfig: "ibm" mcnpZenAccessTokenUri: "" mcnpIshtarEndpoint: "" mcnpSiteplannerEndpoint: "" mcnpAwsDriverEndpoint: "" mcnpAzureDriverEndpoint: "" mcnpSamlEntityId: "" mcnpSamlIdentityProviderEntityId: "" mcnpSamlSingleSignonUrl: "" mcnpGeneratedSslCert: true mcnpIdentityProviderVerify: true mcnpCorePoolSize: 20 mcnpMaxPoolSize: 50 mcnpQueueCapacity: 200 mcnpLogLevel: "INFO" mcnpEnableAuditLog: false mcnpEnableMultiTenancy: true podSettings: mcnp: replicas: 1 terminationGracePeriodSeconds: 60 resources: requests: memory: "584Mi" cpu: "0.1" ephemeral-storage: "100Mi" limits: memory: "884Mi" cpu: "1" ephemeral-storage: "1Gi" livenessProbe: initialDelaySeconds: 90 periodSeconds: 30 failureThreshold: 6 timeoutSeconds: 1 readinessProbe: initialDelaySeconds: 30 periodSeconds: 10 successThreshold: 1 failureThreshold: 12 timeoutSeconds: 1 affinity: podAntiAffinity: ## Default anti-affinity rule is to try and schedule multiple pods of this app on different nodes preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: topologyKey: "kubernetes.io/hostname" labelSelector: matchExpressions: - key: app operator: In values: - mcnp nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: "kubernetes.io/arch" operator: In values: - amd64 tolerations: [] routeSettings: mcnp: rateLimitConnections: true concurrentTcpConnections: 20 tcpConnectionRate: 100 jvmSettings: mcnp: "-Xmx384m"
- Configure the CR attributes.
- In the
licence
section, ensure that the value of theaccept
attribute is set to true. - Set the values of the SAML attributes that are shown in this table:
CR attribute Description Example mcnpSamlIdentityProviderEntityId
The entity ID of your SAML identity provider. https://w3id-prep.ice.ibmcloud.com/saml/sps/saml20ip/saml20 mcnpSamlSingleSignonUrl
The login URL of your SAML identity provider. https://preprod.login.w3.ibm.com/saml/sps/saml20ip/saml20/login - Enable or disable multitenancy for Wired by setting the
mcnpEnableMultiTenancy
attribute.- If you set this attribute to true, you must configure tenants and security groups to ensure that each Wired user sees only the data that is created by users in their group. For more information, see Managing Wired tenants.
- If you set this attribute to false, you ensure that all Wired users can see each other’s data.
- Optional: To use your own SSL certificate for HTTPS communication, set the
value of the
mcnpGeneratedSslCert
attribute to false.Note:- Verify that you stored the certificate and key in a secret in step 1.
- If the value of
mcnpGeneratedSslCert
is true, an SSL certificate is generated automatically when you create the CR instance.
- Optional: Enable application logging for Wired.
- Install Red Hat OpenShift Logging on your cluster. For more information, see Application logging with EFK.
- In the Wired CR, configure the following attributes.
Wired logging attributes
CR attribute Description Example mcnpEnableAuditLog
A Boolean value that determines whether application logs are written to the Wired pods. true mcnpLogLevel
The level of detail in the log information. The following levels are supported: INFO
DEBUG
INFO
- Optional: For production environments, you might want to make the following adjustments:
- Increase the settings for CPU, memory, and replicas for the Wired microservice, that is, the
mcnp
microservice.For example, increase the number of
mcnp
pod replicas to three. - Update related settings in the IBM Cloud Pak for Network
Automation CR to enable the creation of virtual
networks in AWS and Azure that contain more than 20 subnets.
For more information, see Configuring the Wired portal.
- Increase the settings for CPU, memory, and replicas for the Wired microservice, that is, the
- In the
- Create the CR instance by running this
command:
oc apply -f <cr_file_name> -n <namespace>
<cr_file_name> is the name of the YAML file that contains the CR.
<namespace> is the namespace where you want to create the instance.
- Run the following command to verify that your instance of the Wired portal is successfully
created:
oc get CP4NAWired
The instance might take some time to create. When the
Status
value is Ready, your instance is created. - Verify that the Wired pods start successfully.
- Get the names of the Wired pods, that is, the
mcnp
pods, by running this command:oc get pods -n <namespace> | grep -i mcnp
<namespace> is the namespace where you created the instance.
- Verify that each pod starts successfully by running this
command:
oc get pods -n <namespace> <mcnp_pod_name>
<mcnp_pod_name> is the name of the
mcnp
pod.
- Get the names of the Wired pods, that is, the
- Optional: If you want to use your own certificate and private key files for HTTPS
communication, store them in a secret.
What to do next
Use the portal to automate the deployment of SD-WANs so that your branch offices can connect to your cloud environment. For more information, see Automating deployment of SD-WANs.