Installing the Wired portal on the same cluster as the Cloud Pak

Install the IBM® Cloud Pak for Network Automation Wired portal on the same cluster where you installed IBM Cloud Pak for Network Automation.

Before you begin

For any steps that use the Red Hat® OpenShift® Container Platform CLI, run the oc login command to log in to your Red Hat OpenShift cluster.

On the cluster where you intend to install the Wired portal, complete the following steps:
  1. Complete the steps in Preparing to install.
  2. Generate SSL certificates and private keys for SAML authentication and HTTPS communication.
    • SAML is used for user authentication to the Wired portal. To configure this authentication, you must first generate certificates and keys.
    • For HTTPS communication, a default certificate is used when you install the portal. You can optionally generate your own certificate and use it instead.
    • You can use separate certificates for SAML signature, SAML encryption, and HTTPS communication, or use the same certificate for all three.
    • Generate the certificates and keys by using an online tool, such as OpenSSL.
    • In a file system location of your choosing, save each certificate in a file that has a .crt extension, and save each private key in a file that has a .key extension.
  3. In the namespace where the Cloud Pak is installed, create a secret to store the access credentials that the Wired portal uses for the Cloud Pak by running this command:
    oc create secret generic cp4na-o-wired-credentials --from-literal=keystorePassword='<keystore_pw>'
     --from-literal=mcnp.gateway.zen.userName='<cp_username>' --from-literal=mcnp.gateway.zen.apiKey='<cp_api-key>'

    <keystore_pw> is a password of your choosing. When you create this secret, a keystore is created to store the portal's certificate and private key. This value is the keystore password.

    <cp_username> is your Cloud Pak username.

    <cp_api-key> is your Cloud Pak API key. To retrieve or generate an API key, see Authenticating REST API requests.

  4. Determine the URL of the Wired portal.
    1. Retrieve the URL of the Ishtar microservice by running this command:
      oc get routes -n <cp4na_namespace> | grep 'cp4na-o-ishtar'
      <cp4na_namespace> is the namespace where IBM Cloud Pak for Network Automation is installed.

      The Ishtar URL is shown in the format cp4na-o-ishtar-<namespace>.apps.<cluster_name>.<domain_name>.

    2. Copy the Ishtar URL to a temporary location, such as the clipboard.
    3. To determine the portal's URL, replace ishtar with mcnp.

      For example, if the Ishtar URL is cp4na-o-ishtar-lifecycle-manager.apps.cp4nawiredenv.cp.fyre.ibm.com, the Wired URL is cp4na-o-mcnp-lifecycle-manager.apps.cp4nawiredenv.cp.fyre.ibm.com.

  5. In your identity provider, register the Wired portal as a service provider and generate a metadata file.
    • You need the URL that you retrieved in the previous step to complete this registration.
    • After the registration is complete, generate a metadata file for your identity provider and save it in a file system location of your choosing.
    • For registration and metadata generation steps, refer to your identity provider's documentation.
  6. Configure SAML authentication between the Wired portal and your identity provider. As part of this step, you can optionally configure SAML signature and encryption. You need these items to complete this step:
    • The certificates and keys that you generated in step 2.
    • The identity provider metadata file that you generated in step 5.
    See Configuring SAML authentication.
  7. Gather the security certificates for the external services that the portal communicates with, such as AWS and Azure, and add these certificates to the portal's truststore.
    1. Gather the certificates and store them in a file system directory. See Gathering security certificates for external services.
    2. In the file system directory, add the certificates to the portal's truststore by running this command:
      oc create secret generic cp4na-o-wired-trustedcerts --from-file=.

Install the portal

Install the portal by using the OpenShift Container Platform console
Complete the following steps to install the portal:
  1. Log in to your OpenShift Container Platform cluster console.
  2. Optional: If you want to use your own certificate and private key files for HTTPS communication, store them in a secret.
    1. In the console navigation menu, click Workloads > Secrets.
    2. In the Secrets screen, in the Project drop-down, select the namespace where you intend to install the Wired portal.
    3. Click Create and select Key/value secret from the drop-down.
    4. In the Secret name field, enter cp4na-o-mcnp-cert.
    5. In the Key field, enter the name of the SSL certificate file that you generated.
    6. In the Value field, paste the contents of the certificate.
    7. Click Add key/value and enter the name and contents of the private key file.
    8. If your identity provider has extra certificates, add these certificates and their private keys.
    9. Click Create.
  3. From the navigation menu, click Operators > Installed Operators.
  4. From the list of installed operators, click IBM Cloud Pak for Network Automation Orchestration Manager.
  5. Under Provided APIs, locate the Orchestration CP4NAWired tile and click Create Instance.

    The default Form View is shown.

  6. View the CR attributes by clicking the YAML View radio button.
  7. Configure the CR attributes.
    1. In the licence section, ensure that the value of the accept attribute is set to true.
    2. Set the values of the SAML attributes that are shown in this table:
      CR attribute Description Example
      mcnpSamlIdentityProviderEntityId The entity ID of your SAML identity provider. https://w3id-prep.ice.ibmcloud.com/saml/sps/saml20ip/saml20
      mcnpSamlSingleSignonUrl The login URL of your SAML identity provider. https://preprod.login.w3.ibm.com/saml/sps/saml20ip/saml20/login
    3. Enable or disable multitenancy for Wired by setting the mcnpEnableMultiTenancy attribute.
      • If you set this attribute to true, you must configure tenants and security groups to ensure that each Wired user sees only the data that is created by users in their group. For more information, see Managing Wired tenants.
      • If you set this attribute to false, you ensure that all Wired users can see each other’s data.
    4. Optional: To use your own SSL certificate for HTTPS communication, set the value of the mcnpGeneratedSslCert attribute to false.
      Note:
      • Verify that you stored the certificate and key in a secret in step 2.
      • If the value of mcnpGeneratedSslCert is true, an SSL certificate is generated automatically when you create the CR instance.
    5. Optional: Enable application logging for Wired.
      • Install Red Hat OpenShift Logging on your cluster. For more information, see Application logging with EFK.
      • In the Wired CR, configure the following attributes.

      Wired logging attributes
      CR attribute Description Example
      mcnpEnableAuditLog A Boolean value that determines whether application logs are written to the Wired pods. true
      mcnpLogLevel The level of detail in the log information. The following levels are supported:
      • INFO
      • DEBUG
      For more information, see Viewing change logs.
      INFO

    6. Optional: For production environments, you might want to make the following adjustments:
      • Increase the settings for CPU, memory, and replicas for the Wired microservice, that is, the mcnp microservice.

        For example, increase the number of mcnp pod replicas to three.

      • Update related settings in the IBM Cloud Pak for Network Automation CR to enable the creation of virtual networks in AWS and Azure that contain more than 20 subnets.

        For more information, see Configuring the Wired portal.

  8. Click Create.

    The instance might take some time to create. You can monitor the progress on the Orchestration tab.

  9. To verify that the instance is successfully created, view the status of the instance on the All Instances tab. Your instance is ready when you see the Succeeded status.
Install the portal by using the Red Hat OpenShift CLI
Complete the following steps to install the portal:
  1. Optional: If you want to use your own certificate and private key files for HTTPS communication, store them in a secret.
    In the namespace where you want to install the portal, create the secret by running this command:
    oc create secret generic cp4na-o-mcnp-cert --from-file=<certificate_file> --from-file=<private_key>

    <certificate_file> is the certificate file that you generated to be used for HTTPS communication.

    <private_key> is the file that contains the private key.

  2. Create a YAML file and add the custom resource (CR).

    The following example CR is used to create a default instance of IBM Cloud Pak for Network Automation Wired. Some SAML settings must be specified. All of the other keys that are not specified in the CR, such as CPU, memory, and replicas, use the default settings.

    Important:

    The default CR settings for CPU, memory, and replicas are for a starter instance.

    apiVersion: tnc.ibm.com/v1beta1
    kind: CP4NAWired
    metadata:
      name: cp4nawired-default
      labels:
        app.kubernetes.io/instance: cp4nawired
        app.kubernetes.io/managed-by: olm
        app.kubernetes.io/name: cp4nawired
    spec:
      shutdown: "None"
      license:
        accept: true
    
      version: 2.7.6
    
      advanced:
        imagePullPolicy: "IfNotPresent"
        mcnpUiThemeConfig: "ibm"
        mcnpZenAccessTokenUri: ""
        mcnpIshtarEndpoint: ""
        mcnpSiteplannerEndpoint: ""
        mcnpAwsDriverEndpoint: ""
        mcnpAzureDriverEndpoint: ""
        mcnpSamlEntityId: ""
        mcnpSamlIdentityProviderEntityId: ""
        mcnpSamlSingleSignonUrl: ""
        mcnpGeneratedSslCert: true
        mcnpIdentityProviderVerify: true
        mcnpCorePoolSize: 20
        mcnpMaxPoolSize: 50
        mcnpQueueCapacity: 200
        mcnpLogLevel: "INFO"
        mcnpEnableAuditLog: false
        mcnpEnableMultiTenancy: true
        podSettings:
          mcnp:
            replicas: 1
            terminationGracePeriodSeconds: 60
            resources:
              requests:
                memory: "584Mi"
                cpu: "0.1"
                ephemeral-storage: "100Mi"
              limits:
                memory: "884Mi"
                cpu: "1"
                ephemeral-storage: "1Gi"
            livenessProbe:
              initialDelaySeconds: 90
              periodSeconds: 30
              failureThreshold: 6
              timeoutSeconds: 1
            readinessProbe:
              initialDelaySeconds: 30
              periodSeconds: 10
              successThreshold: 1
              failureThreshold: 12
              timeoutSeconds: 1
            affinity:
              podAntiAffinity:
                ## Default anti-affinity rule is to try and schedule multiple pods of this app on different nodes
                preferredDuringSchedulingIgnoredDuringExecution:
                - weight: 100
                  podAffinityTerm:
                    topologyKey: "kubernetes.io/hostname"
                    labelSelector:
                      matchExpressions:
                      - key: app
                        operator: In
                        values:
                        - mcnp
              nodeAffinity:
                requiredDuringSchedulingIgnoredDuringExecution:
                  nodeSelectorTerms:
                  - matchExpressions:
                    - key: "kubernetes.io/arch"
                      operator: In
                      values:
                      - amd64
            tolerations: []              
        routeSettings:
          mcnp:
            rateLimitConnections: true
            concurrentTcpConnections: 20
            tcpConnectionRate: 100
        jvmSettings:
          mcnp: "-Xmx384m"
  3. Configure the CR attributes.
    1. In the licence section, ensure that the value of the accept attribute is set to true.
    2. Set the values of the SAML attributes that are shown in this table:
      CR attribute Description Example
      mcnpSamlIdentityProviderEntityId The entity ID of your SAML identity provider. https://w3id-prep.ice.ibmcloud.com/saml/sps/saml20ip/saml20
      mcnpSamlSingleSignonUrl The login URL of your SAML identity provider. https://preprod.login.w3.ibm.com/saml/sps/saml20ip/saml20/login
    3. Enable or disable multitenancy for Wired by setting the mcnpEnableMultiTenancy attribute.
      • If you set this attribute to true, you must configure tenants and security groups to ensure that each Wired user sees only the data that is created by users in their group. For more information, see Managing Wired tenants.
      • If you set this attribute to false, you ensure that all Wired users can see each other’s data.
    4. Optional: To use your own SSL certificate for HTTPS communication, set the value of the mcnpGeneratedSslCert attribute to false.
      Note:
      • Verify that you stored the certificate and key in a secret in step 1.
      • If the value of mcnpGeneratedSslCert is true, an SSL certificate is generated automatically when you create the CR instance.
    5. Optional: Enable application logging for Wired.
      • Install Red Hat OpenShift Logging on your cluster. For more information, see Application logging with EFK.
      • In the Wired CR, configure the following attributes.

      Wired logging attributes
      CR attribute Description Example
      mcnpEnableAuditLog A Boolean value that determines whether application logs are written to the Wired pods. true
      mcnpLogLevel The level of detail in the log information. The following levels are supported:
      • INFO
      • DEBUG
      For more information, see Viewing change logs.
      INFO

    6. Optional: For production environments, you might want to make the following adjustments:
      • Increase the settings for CPU, memory, and replicas for the Wired microservice, that is, the mcnp microservice.

        For example, increase the number of mcnp pod replicas to three.

      • Update related settings in the IBM Cloud Pak for Network Automation CR to enable the creation of virtual networks in AWS and Azure that contain more than 20 subnets.

        For more information, see Configuring the Wired portal.

  4. Create the CR instance by running this command:
    oc apply -f <cr_file_name> -n <namespace>

    <cr_file_name> is the name of the YAML file that contains the CR.

    <namespace> is the namespace where you want to create the instance.

  5. Run the following command to verify that your instance of the Wired portal is successfully created:
    oc get CP4NAWired

    The instance might take some time to create. When the Status value is Ready, your instance is created.

  6. Verify that the Wired pods start successfully.
    1. Get the names of the Wired pods, that is, the mcnp pods, by running this command:
      oc get pods -n <namespace> | grep -i mcnp

      <namespace> is the namespace where you created the instance.

    2. Verify that each pod starts successfully by running this command:
      oc get pods -n <namespace> <mcnp_pod_name>

      <mcnp_pod_name> is the name of the mcnp pod.

What to do next

Use the portal to automate the deployment of SD-WANs so that your branch offices can connect to your cloud environment. For more information, see Automating deployment of SD-WANs.