Installing QRadar Suite Software in an air-gapped environment by using a bastion host

If your cluster is not connected to the internet, you can install IBM Security QRadar® Suite Software in your cluster by using a bastion host as a mirroring device.

You store the product code and images on a bastion host and then transfer them to a local air-gapped network. A bastion host is a device that has access to both the public internet and the local intranet where a local registry and Red Hat® OpenShift® Container Platform cluster exist. You replicate your images through the bastion host directly to the local intranet registry behind the firewall.

Before you begin

To complete this task, you must be a Red Hat OpenShift cluster administrator.

You must satisfy the following prerequisites before you install IBM Security QRadar Suite Software in an air-gapped environment:

Review the Planning for installation section to ensure that you meet the hardware, system, storage, and other requirements.

Your mirroring device must have at least 1 TB of storage available.

Note:

Your mirroring device must have access to the following sites and ports while it is connected to the internet.

  • icr.io:443 for IBM Cloud Pak® for Security catalog source
  • cp.icr.io:443 for IBM® Entitled Registry
  • github.com for Container Application Software for Enterprises (CASE) and tools

Before you install QRadar Suite Software, review and take the following prerequisite steps for a successful installation.

Setting up your mirroring environment

Before you install IBM Security QRadar Suite Software in an air-gapped environment, you must set up a mirroring device that can be connected to the internet to complete configuring your mirroring environment.

About this task

The following table shows the CLI tools that are needed to install QRadar Suite Software in an air-gapped environment.

Table 1. CLI tools needed to install QRadar Suite Software in an air-gapped environment
Software | Purpose
Docker or Podman | Container management
Red Hat OpenShift CLI (oc) | Red Hat OpenShift Container Platform administration
oc-mirror Red Hat OpenShift CLI (oc) plug-in | Mirror container images
IBM Catalog Management plug-in for Red Hat OpenShift CLI | Mirroring and installing QRadar Suite Software

Install Windows Subsystem for Linux (WSL)

Windows only: If you are using a Windows computer, you must install Windows Subsystem for Linux® (WSL).

For more information about installing WSL, see Install WSL.

Install Docker CLI 18.0.0 or later

If Docker is not available for your OS, install Podman CLI 1.4 or later instead

Procedure

Install Docker.

  1. Download and set up the Docker or Podman CLI tool for your computer operating system (OS).
    1. CentOS
    2. Debian
    3. Fedora
    4. MacOS
    5. Ubuntu
  2. Ensure that the Docker or Podman CLI tool is working by typing the following command.
     docker version 

If you can't install Docker, install Podman.

  1. Download and set up the Podman CLI tool for your computer OS.
    1. Linux distributions
    2. MacOS
      Important: To install Podman on MacOS, you must first install Homebrew.
  2. Ensure that the Podman CLI tool is working by typing the following command.
     podman version 

Install Red Hat OpenShift CLI 4.14 or later

The Red Hat OpenShift CLI client helps you develop, build, deploy, and run your applications on any Red Hat OpenShift or Kubernetes cluster. It also includes the administrative commands for managing a cluster under the adm subcommand.

Procedure

  1. Download Red Hat OpenShift CLI 4.14 or later from https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-4.14/. The file to download is called openshift-client-<platform>-<version>.tar.gz.
  2. Extract the binary file that you downloaded by typing the following command, where <oc_cli_archive_file> is the name of the archive file that you downloaded.
    tar -xf <oc_cli_archive_file>
  3. Modify the permissions of the binary file by typing the following command, where <oc_cli_binary> is the name of the Red Hat OpenShift binary that you extracted from the archive.
  4. Move the binary file to the /usr/local/bin directory by typing the following command.
    mv <oc_cli_binary> /usr/local/bin/oc
    Tip: If this command returns a No such file or directory or Not a directory error message, create the /usr/local/bin directory by typing the following command.
    sudo mkdir /usr/local/bin
  5. Ensure that the Red Hat OpenShift CLI client is working by typing the following command.
    oc version
    Tip: MacOS users might see a message that this tool cannot be opened because it is from an unidentified developer. Close this message and go to System Preferences > Security & Privacy. On the General tab, click Open Anyway or Allow Anyway. Repeat the oc version command.

Install the oc-mirror Red Hat OpenShift CLI (oc) plug-in

Procedure

To install the oc-mirror binary, use the following command.
curl -LO https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/oc-mirror.tar.gz && tar -xf oc-mirror.tar.gz
mv oc-mirror /usr/local/bin/
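
The CLI archives in these procedures are downloaded with curl and unpacked into /usr/local/bin, so an integrity check before extraction is worth adding. The following added example (not part of the original procedure) checks an archive against a sha256sum-format checksum file; the function names and the presence of a sha256sum.txt file next to the archive are assumptions.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded archive against a sha256sum-format
# checksum file before unpacking it into /usr/local/bin.

# sha256_of FILE: prints the lowercase hex SHA-256 digest of FILE.
# Uses sha256sum where available (Linux) and shasum otherwise (MacOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_download ARCHIVE SUMFILE
# SUMFILE has one "<hex digest>  <file name>" entry per line.
# Returns 0 on a match, 1 on a mismatch, 2 if SUMFILE has no entry
# for the archive (treated as a failure, not as "nothing to check").
verify_download() {
  archive=$1
  sumfile=$2
  name=$(basename "$archive")
  # Look up the entry by file name; a leading "*" marks binary mode.
  expected=$(awk -v n="$name" '
    { f = $2; sub(/^\*/, "", f) }
    f == n { print tolower($1); exit }
  ' "$sumfile")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sumfile" >&2
    return 2
  fi
  actual=$(sha256_of "$archive")
  if [ "$actual" = "$expected" ]; then
    echo "OK $name"
    return 0
  fi
  echo "MISMATCH $name: expected $expected, got $actual" >&2
  return 1
}

# Usage. The checksum file URL is an assumption: a sha256sum.txt file
# published in the same directory as the archive.
#   curl -LO https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/oc-mirror.tar.gz
#   curl -LO https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/sha256sum.txt
#   verify_download oc-mirror.tar.gz sha256sum.txt && tar -xf oc-mirror.tar.gz
```

A checksum fetched from the same server as the archive detects corruption and partial downloads; it does not protect against a compromised download site.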

Install the IBM Catalog Management plug-in for Red Hat OpenShift CLI

The IBM Catalog Management plug-in simplifies the process for discovering required IBM product images and uses standard tooling for registry and cluster access.

Procedure

  1. Download the latest version of the plug-in.
    1. To download the latest release version from the public GitHub repo on MacOS, type the following command.
      curl -L https://github.com/IBM/ibm-pak-plugin/releases/latest/download/oc-ibm_pak-darwin-amd64.tar.gz -o oc-ibm_pak-plugin.tar.gz
    2. To download the latest release version from the public GitHub repo on Linux, type the following command.
      curl -L https://github.com/IBM/ibm-pak-plugin/releases/latest/download/oc-ibm_pak-linux-amd64.tar.gz -o oc-ibm_pak-plugin.tar.gz
  2. Extract the plug-in from the archive file by typing the following command.
    tar -xvf oc-ibm_pak-plugin.tar.gz
  3. Move the extracted plug-in to your /usr/local/bin directory by typing the following command.
    mv oc-ibm_pak-*-amd64 /usr/local/bin/oc-ibm_pak
  4. Verify that the plug-in is installed successfully by typing the following command.
    oc ibm-pak --version

If you are planning to install IBM Cloud Pak foundational services in a custom namespace, create the common-service-maps configmap

If you are installing a single instance of foundational services in a custom namespace, see Installing IBM Cloud Pak foundational services in a custom namespace.

If you are installing multiple IBM Cloud® Paks with dependencies on different versions of foundational services on the same cluster, see Installing IBM Cloud Pak foundational services in multiple namespaces.

You must have a Docker V2 registry with at least 1 TB storage available, and that is accessible from the Red Hat OpenShift Container Platform cluster nodes

Docker
docker info
Look for Docker Root Dir: in the output, and ensure that the location shown has at least 1 TB storage available.
Podman
podman info
Look for volumePath: in the output, and ensure that the location shown has at least 1 TB storage available.

The registry is available to aid in mirroring to final location by using portable options. For more information, see Docker Manifest V2, Schema 2.

Deploy the Red Hat OpenShift Operator catalog with redhat-operators as the name of the catalog source in the openshift-marketplace namespace

Add the serverless-operator, ocs-operator, and mcg-operator packages to the catalog.

Procedure

  1. Set the Red Hat OpenShift Container Platform cluster version by using the following command.
    export OC_VERSION=<MAJOR.MINOR>
    Important: Match the tag of the image to the major and minor versions of your Red Hat OpenShift Container Platform cluster. To verify the version of your Red Hat OpenShift Container Platform cluster, run the following command:
    oc get clusterversion
  2. Set the TARGET_REGISTRY to the URL and port of your target local registry that is connected to your Red Hat OpenShift Container Platform cluster. For example, myimageregistry.example.com:5000.
    export TARGET_REGISTRY=<target_registry>
  3. Apply the following YAML content.
    cat << EOF > qrs_imageset.yaml
    apiVersion: mirror.openshift.io/v1alpha2
    kind: ImageSetConfiguration
    storageConfig:
     registry:                 
       imageURL: ${TARGET_REGISTRY}/mirror/metadata    #<-- Do not delete or modify metadata generated by the oc-mirror plugin; use the same storage backend every time you run the oc-mirror plugin for the same mirror registry.
       skipTLS: true # Set to false to use TLS on your target registry
    mirror:
      operators:
        - catalog: registry.redhat.io/redhat/redhat-operator-index:v${OC_VERSION}    #<-- Set the Operator catalog
          packages:
            - name: ocs-operator       #<-- Operator name
              channels:
                - name: stable-${OC_VERSION}
            - name: mcg-operator
              channels:
              - name: stable-${OC_VERSION}
            - name: serverless-operator
              channels:
              - name: stable
    EOF
  4. Download the Red Hat OpenShift pull secret from the Red Hat Hybrid Cloud Console using your Red Hat credentials.
  5. Merge the downloaded auths object and the auths object for your local registry that is located in the $XDG_RUNTIME_DIR/containers/auth.json or $HOME/.docker/config.json file. Save the file in the same location.
    The auth.json file should look similar to the following example.
    {
       "auths": {
          "cloud.openshift.com": {
             "auth": "base64creds==",
             "email":"emailid@ie.com"
          },
          "quay.io": {
             "auth": "base64creds==",
             "email":"emailid@ie.com"
          },
          "registry.connect.redhat.com": {
             "auth": "base64creds==", 
             "email":"emailid@ie.com"
          },
          "registry.redhat.io": {
             "auth": "base64creds==", 
             "email":"emailid@ie.com"
          },
          "imagemirror.com:8443": {
             "auth": "base64creds=="
          }
       }
    }
     
  6. Create a pruned FBC catalog and mirror the images by using the following command.
    oc mirror --config=./qrs_imageset.yaml docker://${TARGET_REGISTRY} >> redhat_operators_mirror_logs.txt
    The following example shows the output result.
    info: Mirroring completed in 4m24.54s (82.97MB/s)
    Rendering catalog image "imagemirror.com:8443/redhat/redhat-operator-index:v4.14" with file-based catalog 
    Writing image mapping to oc-mirror-workspace/results-1711117318/mapping.txt
    Writing CatalogSource manifests to oc-mirror-workspace/results-1711117318
    Writing ICSP manifests to oc-mirror-workspace/results-1711117318
    The following files are added to the manifests directory that is created by the mirroring command. For example, oc-mirror-workspace/results-1711117318 is the manifest directory in the above output result.
    • imageContentSourcePolicy.yaml
    • catalogSource-cs-redhat-operator-index.yaml
  7. Extract the output file path from the output result by using the following command. The command reads the most recent run from the log file, because the log file is appended to, and removes the space that follows the matched text.
    path=$(grep "Writing CatalogSource manifests to" redhat_operators_mirror_logs.txt | tail -n 1 | sed -e 's/^.*Writing CatalogSource manifests to *//')
  8. Apply the imageContentSourcePolicy.yaml file by using the following command.
    oc apply -f "$path/imageContentSourcePolicy.yaml"
    

    After the imageContentSourcePolicy is created, the configuration of your nodes is updated.

  9. Apply the catalogSource-cs-redhat-operator-index.yaml file by using the following command.
    sed -e 's/cs-redhat-operator-index/redhat-operators/g' "$path/catalogSource-cs-redhat-operator-index.yaml" | oc apply -f -
  10. Check the status of the nodes using the following command, and wait until the Updating column is False for the Master and Worker nodes.
    oc get MachineConfigPool -w
  11. If you are using an insecure registry, patch the cluster configuration to include the registry in the list of insecure registries by using the following command.
    oc patch image.config.openshift.io/cluster --type=merge \
     -p '{"spec":{"registrySources":{"insecureRegistries":["'${TARGET_REGISTRY}'"]}}}'

    After the cluster configuration is patched, the configuration of your nodes is updated.

  12. Check the status of the nodes using the following command, and wait until the Updating column is False for the Master and Worker nodes.
    oc get MachineConfigPool -w
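
Steps 10 and 12 ask you to watch the table until the Updating column is False. As an added example (not from the product documentation), the following shell functions read the default oc get MachineConfigPool table and turn that check into an exit code that a script can gate on; the function names, the timeout values, and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: gate a script on MachineConfigPool rollout state.

# mcp_state: reads the default `oc get MachineConfigPool` table on stdin,
# prints each pool that is not settled, and returns:
#   0  every pool has UPDATED=True, UPDATING=False, DEGRADED=False
#   1  at least one pool is still updating
#   2  at least one pool is degraded
#   3  input not recognized (missing header columns or no pools listed)
mcp_state() {
  awk '
    NR == 1 {
      # Locate columns by header name instead of by fixed position.
      for (i = 1; i <= NF; i++) col[$i] = i
      u = col["UPDATED"]; g = col["UPDATING"]; d = col["DEGRADED"]
      if (!u || !g || !d) { unknown = 1; exit }
      next
    }
    NF == 0 { next }
    {
      pools++
      if ($d == "True") { print $1 ": degraded"; degraded = 1 }
      else if ($g != "False" || $u != "True") { print $1 ": updating"; updating = 1 }
    }
    END {
      if (unknown || pools == 0) exit 3
      if (degraded) exit 2
      if (updating) exit 1
      exit 0
    }
  '
}

# wait_for_mcp [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Polls the cluster until mcp_state returns 0. Stops at once on a degraded
# pool. An empty or failed `oc get` (for example while the API server
# restarts during a control plane update) counts as "not settled yet".
wait_for_mcp() {
  timeout=${1:-3600}
  interval=${2:-30}
  waited=0
  while :; do
    rc=0
    oc get MachineConfigPool 2>/dev/null | mcp_state || rc=$?
    case $rc in
      0) echo "all MachineConfigPools updated"; return 0 ;;
      2) echo "degraded MachineConfigPool, stopping" >&2; return 2 ;;
    esac
    if [ "$waited" -ge "$timeout" ]; then
      echo "timed out after ${waited}s" >&2
      return 1
    fi
    sleep "$interval"
    waited=$((waited + interval))
  done
}

# Constructed sample output: the worker pool is in the middle of an update.
sample_mcp_output() {
  cat <<'EOF'
NAME     CONFIG                 UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-0a1b   True      False      False      3              3                   3                     0                      45d
worker   rendered-worker-2c3d   False     True       False      3              2                   2                     0                      45d
EOF
}
```

Start the wait a short while after the oc apply or oc patch command, because a pool can still report Updated as True for a few seconds before it picks up the new configuration.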

Install the Red Hat OpenShift Serverless operator

You must have access to a Red Hat OpenShift Container Platform account with cluster administrator access.

Procedure

  1. Log in to the Red Hat OpenShift Container Platform web console.
  2. In the Red Hat OpenShift Container Platform web console, go to Operators > OperatorHub.
  3. Scroll, or type the keyword Serverless into the Filter by keyword box to find the Red Hat OpenShift Serverless operator.
  4. Review the information about the operator and click Install.
  5. On the Install Operator page, set the following parameters.
    1. Set the Installation Mode to All namespaces on the cluster (default). This mode installs the operator in the default openshift-serverless namespace to be available to all namespaces in the cluster.
    2. Set the Installed Namespace to openshift-serverless.
    3. Select the stable channel as the Update Channel. The stable channel enables installation of the latest stable release of the Red Hat OpenShift Serverless operator.
    4. Select Automatic or Manual approval strategy.
  6. Click Install to make the operator available to the selected namespaces on this Red Hat OpenShift Container Platform cluster.
  7. Go to Operators > Installed Operators to monitor the Red Hat OpenShift Serverless operator installation and upgrade progress.
    1. If you selected a Manual approval strategy, the subscription upgrade remains in the Upgrading state until you review and approve its install plan. After you approve the subscription upgrade on the Install Plan page, the subscription upgrade status moves to Up to date.
    2. If you selected an Automatic approval strategy, the upgrade status resolves to Up to date without intervention.
  8. After the subscription upgrade status is Up to date, select Operators > Installed Operators to verify that the Red Hat OpenShift Serverless operator eventually shows up, and its Status ultimately resolves to Succeeded in the relevant namespace.

Install Knative Serving on your Red Hat OpenShift console

Knative Serving defines a set of resources that are used to define and control how your serverless workload behaves on the cluster.

Procedure

  1. Click the Import YAML icon on the menu bar.
  2. On the Import YAML screen, add the following content.
    apiVersion: operator.knative.dev/v1beta1
    kind: KnativeServing
    metadata:
        name: knative-serving
        namespace: knative-serving
    spec:
        high-availability:
            replicas: 2
  3. Click Create. After you install Knative Serving, the KnativeServing object is created, and you are automatically directed to the knative-serving custom resource. Knative Serving installation is complete if all of the conditions in the Conditions section show True. If the conditions have a status of Unknown or False, wait a few moments, and then check again after you confirm that the resources are created.

Gather the information needed to install QRadar Suite Software

Make sure you know the registry key and other information to successfully install QRadar Suite Software.

Table 2. Information needed to install QRadar Suite Software
Information needed Description
The IBM Entitled Registry key

After you purchase a license for QRadar Suite Software, an entitlement for the Cloud Pak software is associated with your MyIBM account ID. You must have an entitlement key for the IBM Entitled Registry to install QRadar Suite Software by the online or air-gapped method that uses the IBM Entitled Registry. The value of the key is set in a parameter that is used during installation.

  1. Use the IBMid and the password that are associated with the entitled software to log in to the MyIBM Container Software Library.
  2. In the Container software library, from the menu bar, click Get entitlement key.
  3. In the Entitlement keys section, click Copy Key, and copy the key to a safe location.

You need the IBM Entitled Registry key during the installation process and it must continue to be valid through the entire lifecycle of the platform.

Important: If the IBM Entitled Registry key becomes invalid, you must create a new key in Passport Advantage® from a valid account and replace the key on QRadar Suite Software. If you do not replace the key on QRadar Suite Software, services fail.
The Fully Qualified Domain Name (FQDN) chosen for the QRadar Suite Software application
You must create a unique FQDN for the QRadar Suite Software platform. The FQDN must not be the same as the Red Hat OpenShift Container Platform cluster FQDN, the IBM Cloud Pak foundational services FQDN, or any other FQDN associated with the Red Hat OpenShift Container Platform cluster.
Tip: If your QRadar Suite Software platform is installed in one of the following environments, the FQDN of the Red Hat OpenShift Container Platform cluster is used with the TLS certificate for the platform FQDN.
  • IBM Cloud
  • Amazon Web Services (AWS)
  • Microsoft Azure
  • VMware
You can choose to create a unique FQDN for the QRadar Suite Software platform if you don't want to use the Red Hat OpenShift Container Platform cluster FQDN.
For more information about the FQDN requirements, see Domain name and TLS certificates.
Certificate of Authority (CA), if required for the QRadar Suite Software application domain. For more information about certificates, see Domain name and TLS certificates.
The persistent storage and storage class to be used. For more information about the persistent storage required for QRadar Suite Software, see Storage requirements.
The user that you provide in the installation for the adminUser parameter to set the initial user in QRadar Suite Software. The adminUser must exist in your identity provider. If you are using LDAP for your identity provider, the adminUser must have the mail attribute in LDAP. If you are using IBM Security Verify for your identity provider, be aware that email addresses are case-sensitive.
Warning: Do not add a user with the username admin to your identity provider, as that might cause issues with other services on your cluster.

For more information about the adminUser, see Logging in to QRadar Suite Software as initial user.

Setting environment variables and downloading CASE files

Before mirroring your images, set the environment variables on your mirroring device, and connect to the internet so that you can download the corresponding CASE files.

About this task

Tip: Save a copy of your environment variable values to a file by using a text editor. You can use that file as a reference to copy and paste from as you complete your air-gapped environment installation tasks.

Procedure

  1. Connect your mirroring device to the internet, and disconnect it from your local air-gapped network.
  2. Create the following environment variables with the installer image name and the image inventory on your mirroring device by typing the following command.
    export CASE_NAME=ibm-cp-security && export CASE_VERSION=1.0.58
  3. Download the IBM Security QRadar Suite Software installer and image inventory to your mirroring device by typing the following command.
    oc ibm-pak get $CASE_NAME --version $CASE_VERSION --disable-top-level-images-mode
    The CASE is saved to the ~/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION directory and the log file is saved to ~/.ibm-pak/logs/oc-ibm_pak.log.
    Tip: If you want to save the CASE to a directory other than your home directory, set the $IBMPAK_HOME environment variable by typing the following command.
    export IBMPAK_HOME=<working_directory>

    When you set the $IBMPAK_HOME environment variable, the CASE is saved to <working_directory>/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION and the log is saved to <working_directory>/.ibm-pak/logs/oc-ibm_pak.log.

    Important: If you change where the CASE is saved to, you must use $IBMPAK_HOME/.ibm-pak in place of ~/.ibm-pak throughout this procedure.
    Tip: If you want the installation process to be repeatable across environments, you can reuse the same saved CASE instead of downloading the CASE files again in other environments. You don't need to update versions of dependencies into the saved cache.

Mirroring images from the internet to your mirroring device

Mirroring images takes the image from the internet to your mirroring device, then effectively copies that image on to your air-gapped environment. After you mirror your images, you can configure your cluster and complete the air-gapped installation.

Procedure

  1. Set the $TARGET_REGISTRY environment variable to the IP address or FQDN and the port for your target registry by typing the following command. The target registry is the registry where your images are mirrored to and accessed by the Red Hat OpenShift Container Platform cluster.
    export TARGET_REGISTRY=<target_registry>
    For example, if your target registry is at 192.0.2.0:5000, type the following command.
    export TARGET_REGISTRY=192.0.2.0:5000
  2. Generate the mirror manifests to use when you mirror the images to the target registry by typing the following command.
    oc ibm-pak generate mirror-manifests $CASE_NAME $TARGET_REGISTRY --version $CASE_VERSION
    Tip: If you want to view the list of images to be mirrored, type the following command.
    oc ibm-pak describe $CASE_NAME --version $CASE_VERSION --list-mirror-images
  3. Store the authentication credentials for the IBM Entitled Registry, cp.icr.io.
    • If you are using Podman, store authentication credentials for cp.icr.io by typing the following commands.
      export REGISTRY_AUTH_FILE=~/.ibm-pak/auth.json
      podman login cp.icr.io -u cp
    • If you are using Docker, store authentication credentials for cp.icr.io by typing the following commands.
      export REGISTRY_AUTH_FILE=$HOME/.docker/config.json
      docker login cp.icr.io -u cp

    The password is your IBM Entitled Registry key.

    The command stores and caches the registry credentials in the location that is specified for the $REGISTRY_AUTH_FILE environment variable.

  4. Store the authentication credentials for your target registry.
    • If you are using Podman, store authentication credentials for your target registry by typing the following commands.
      export REGISTRY_AUTH_FILE=~/.ibm-pak/auth.json
      podman login $TARGET_REGISTRY
    • If you are using Docker, store authentication credentials for your target registry by typing the following commands.
      export REGISTRY_AUTH_FILE=$HOME/.docker/config.json
      docker login $TARGET_REGISTRY

    The command stores and caches the registry credentials in the location that is specified for the $REGISTRY_AUTH_FILE environment variable.

  5. Mirror images to the target registry by typing the following command.
    oc image mirror \
    -f ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/images-mapping.txt \
    --filter-by-os '.*'  \
    -a $REGISTRY_AUTH_FILE \
    --insecure  \
    --skip-multiple-scopes \
    --max-per-registry=1
  6. Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  7. Update the global image pull secret for your Red Hat OpenShift Container Platform cluster and add the credentials for your target registry.
    1. Retrieve the existing global pull secret by typing the following command, where <pull_secret_location> is the location of the file where you want to store the global pull secret configuration.
      oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' > <pull_secret_location>
    2. Add the new pull secret to the global pull secret file by typing the following command, where <username> and <password> are the username and password for your target registry.
      oc registry login --registry="$TARGET_REGISTRY" --auth-basic="<username>:<password>" --to=<pull_secret_location>
    3. Update the global pull secret in the cluster by typing the following command.
      oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=<pull_secret_location>
    4. Verify the status of the nodes by typing the following command.
      oc get MachineConfigPool -w
    After the global pull secret is updated, the configuration of your nodes is updated sequentially.
    Important: Wait until all MachineConfigPools are updated before you proceed to the next step.
  8. Create the ImageContentSourcePolicy resource by typing the following command.
    oc apply -f ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/image-content-source-policy.yaml
    1. Verify that the ImageContentSourcePolicy resource is created by typing the following command.
      oc get imageContentSourcePolicy ibm-cp-security
    2. Verify the status of the nodes by typing the following command.
      oc get MachineConfigPool -w
    After the ImageContentSourcePolicy resource is created, the configuration of your nodes is updated sequentially.
    Important: Wait until all MachineConfigPools are updated before you proceed to the next step.
  9. If you are using an insecure registry, you must add the local registry to the cluster insecureRegistries list by typing the following command.
    oc patch image.config.openshift.io/cluster --type=merge \
     -p '{"spec":{"registrySources":{"insecureRegistries":["'${TARGET_REGISTRY}'"]}}}'
    Important: Do not use insecure registries for production systems.
    1. Verify the status of the nodes by typing the following command.
      oc get MachineConfigPool -w
    After the insecureRegistries list is updated, the configuration of your nodes is updated sequentially.
    Important: Wait until all MachineConfigPools are updated before you proceed to the next step.
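
Before you run the oc image mirror command in step 5, you can check what the mapping file will copy and where it will go. The following added example (not part of the product documentation) audits images-mapping.txt, assuming each line has the SOURCE=DESTINATION form that oc image mirror -f reads; the function names, the source allowlist, and the sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: audit an image mapping file before mirroring.

# audit_mapping FILE TARGET_REGISTRY "ALLOWED SOURCE REGISTRIES"
# Reports:
#   ERROR  a line that is not SOURCE=DESTINATION
#   ERROR  a source registry that is not in the allowlist
#   ERROR  a destination registry other than TARGET_REGISTRY
#   WARN   a source referenced by tag only instead of by @sha256 digest
# Returns 1 if any ERROR was reported, otherwise 0.
audit_mapping() {
  awk -v target="$2" -v allowed="$3" '
    BEGIN {
      n = split(allowed, a, " ")
      for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }      # skip blank lines and comments
    {
      if (split($0, pair, "=") != 2 || pair[1] == "" || pair[2] == "") {
        printf "ERROR line %d: not SOURCE=DESTINATION\n", NR
        bad++
        next
      }
      src = pair[1]; dst = pair[2]
      # The registry host (and port) is everything before the first slash.
      srchost = src; sub(/\/.*/, "", srchost)
      dsthost = dst; sub(/\/.*/, "", dsthost)
      if (!(srchost in ok)) {
        printf "ERROR line %d: source registry %s not in allowlist\n", NR, srchost
        bad++
      }
      if (dsthost != target) {
        printf "ERROR line %d: destination %s is not %s\n", NR, dsthost, target
        bad++
      }
      if (src !~ /@sha256:[0-9a-f]+$/) {
        printf "WARN line %d: source is tag-only, not digest-pinned\n", NR
      }
      total++
    }
    END {
      printf "%d mappings checked, %d errors\n", total, bad
      exit (bad > 0)
    }
  ' "$1"
}

# Constructed sample mapping: line 3 has an unexpected source registry and a
# tag-only source, line 4 points at a registry other than the target.
sample_mapping() {
  cat <<'EOF'
cp.icr.io/cp/cp4s/example-service@sha256:a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4=192.0.2.0:5000/cp/cp4s/example-service:1.0.0
icr.io/cpopen/example-operator@sha256:0f1e2d3c0f1e2d3c0f1e2d3c0f1e2d3c0f1e2d3c0f1e2d3c0f1e2d3c0f1e2d3c=192.0.2.0:5000/cpopen/example-operator:1.0.0
registry.example.net/mirror/example-tool:latest=192.0.2.0:5000/mirror/example-tool:latest
cp.icr.io/cp/cp4s/example-ui@sha256:9a8b7c6d9a8b7c6d9a8b7c6d9a8b7c6d9a8b7c6d9a8b7c6d9a8b7c6d9a8b7c6d=198.51.100.7:5000/cp/cp4s/example-ui:1.0.0
EOF
}

# Usage against the generated file. The allowlist shown is an assumption
# based on the registries named in the prerequisites; extend it to match
# the registries that your mapping file legitimately uses.
#   audit_mapping ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/images-mapping.txt \
#     "$TARGET_REGISTRY" "icr.io cp.icr.io"
```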

Installing QRadar Suite Software in an air-gapped environment by using a bastion host

After your images are mirrored to your target registry, you can deploy QRadar Suite Software to Red Hat OpenShift in your air-gapped environment.

Before you begin

Include specific IP addresses and URLs in an allowlist at the network layer for sites that need to be accessed externally. For more information, see Creating an allowlist for air-gapped installation.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  2. Set the $CP4S_NAMESPACE environment variable by typing the following command, where <cp4s_namespace> is the namespace where you are installing QRadar Suite Software.
    Important: If you install QRadar Suite Software in the all namespace mode, set the <cp4s_namespace> value as openshift-operators.
    export CP4S_NAMESPACE=<cp4s_namespace>
  3. Extract the QRadar Suite Software CASE by typing the following command.
    tar -xf \
    ~/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION/ibm-cp-security-$CASE_VERSION.tgz \
    -C ~/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
  4. Update the parameters in the ~/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION/ibm-cp-security/inventory/ibmSecurityOperatorSetup/files/values.conf file. The following table lists the configurable parameters for the QRadar Suite Software installation and their descriptions.
    Important: Do not use a values.conf file from a release older than 1.8 because some of the parameters are different. Using a values.conf file from a release older than 1.8 causes the installation to fail.
    Table 3. QRadar Suite Software installation parameters
    Parameter | Description | Do you need to update this parameter?
    adminUser | The user that is given administrator privileges in the QRadar Suite Software System Administration account after installation. Specify a username or an email address that exists in your identity provider. | Yes
    airgapInstall | Set to true. | Yes
    clusterProxy | Set to false. Cluster-wide proxy is not supported in an air-gapped environment. | No
    domain | The fully qualified domain name (FQDN) created for QRadar Suite Software. If you don't specify an FQDN, it is generated as cp4s.<cluster_ingress_subdomain>. | No, unless you want to specify your own FQDN.
    domainCertificatePath | The path of the TLS certificate that is associated with the QRadar Suite Software domain. If the domain is not specified, the Red Hat OpenShift cluster certificates are used. For more information, see Domain name and TLS certificates. | No, unless you updated the domain parameter.
    domainCertificateKeyPath | The path of the TLS key that is associated with the QRadar Suite Software domain. If the domain is not specified, the Red Hat OpenShift cluster certificates are used. For more information, see Domain name and TLS certificates. | No, unless you updated the domain parameter.
    customCaFilePath | The path of the custom TLS certificate associated with the QRadar Suite Software domain. For more information, see Domain name and TLS certificates. | No, unless you are using a custom or self-signed certificate.
    storageClass | The provisioned block or file storage class for all the PVCs required by QRadar Suite Software. When it is not specified, the default storage class is used. For more information, see Storage requirements. | No, unless you are using a storage class other than the default storage class for the cluster.
    backupStorageClass | Storage class for the backup and restore PVC. If this value is not set, QRadar Suite Software takes the value from the storageClass parameter. | No, unless you are using a different storage class for the backup and restore pod than you set for the storageClass parameter.
    backupStorageSize | The storage size for the backup and restore PVC. Must be 500Gi or higher. | No, unless you need the storage size for the backup and restore PVC to be greater than 500Gi.
    imagePullPolicy | The pull policy for the images. When Red Hat OpenShift creates containers, it uses the imagePullPolicy to determine whether to pull the container image from the registry before it starts the container. Options are Always, IfNotPresent, or Never. | No
    repository | Specify the URL and port for the local Docker registry with the /cp/cp4s namespace appended. For example, example-registry:5000/cp/cp4s. | Yes
    repositoryUsername | The username to access your target registry. | Yes
    repositoryPassword | The password to access your target registry. | Yes
    roksAuthentication | Enable ROKS authentication. Only supported in IBM Cloud. For more information about configuring ROKS authentication, see Configuring Red Hat OpenShift authentication on IBM Cloud. | No, unless you're using ROKS authentication in an IBM Cloud environment.
    deployDRC | Set to true to deploy Detection and Response Center. Set to false to skip deployment of Detection and Response Center. For more information, see Exploring security rule use cases with Detection and Response Center. | No, unless you don't want to deploy Detection and Response Center.
    deployRiskManager | Set to true to deploy IBM Security Risk Manager. Set to false to skip deployment of IBM Security Risk Manager. For more information, see IBM Security Risk Manager. | No, unless you don't want to deploy IBM Security Risk Manager.
    deployThreatInvestigator | Set to true to deploy Threat Investigator. Set to false to skip deployment of Threat Investigator. For more information, see Investigating cases with IBM Security Threat Investigator. | No, unless you don't want to deploy Threat Investigator.
    CSNamespace | The namespace where foundational services will be installed. The default is ibm-common-services. Warning: Do not install foundational services in the same namespace as QRadar Suite Software. If you are installing QRadar Suite Software operators in the All Namespaces Mode, do not customize the namespace. | No, unless you want to install foundational services in a custom namespace or an existing QRadar Suite Software installation in your cluster uses foundational services in a custom namespace.
  5. Install QRadar Suite Software by typing the following command.
    Table 4. QRadar Suite Software installation command arguments
    Argument Description
    --allNamespaceMode

    In this mode, the QRadar Suite Software operators are installed in the openshift-operators project (namespace). The QRadar Suite Software operators are available to all namespaces in the cluster.

    Note: If the allNamespaceMode is not selected, the QRadar Suite Software operators are installed in ownNamespaceMode and are only available in the Operand Namespace.
    --acceptLicense Read the QRadar Suite Software license that is in the $HOME/ibm-cp-security/licenses directory. By accepting the license, you confirm that you read the license and accept the terms. For the QRadar Suite Software installation to proceed, the acceptLicense true parameter is added to the installation action.

    After QRadar Suite Software is installed, you can use the license and usage page to turn on and off applications to comply with your QRadar Suite Software license purchase. For more information, see Managing licensing and usage.

    oc ibm-pak launch -t 1 \
    $CASE_NAME \
    --version $CASE_VERSION \
    --inventory ibmSecurityOperatorSetup \
    --namespace $CP4S_NAMESPACE \
    --action install \
    --args "--acceptLicense true --inputDir ~/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION"
    Important: Installation takes approximately 1.5 hours. When installation is complete, the latest version of IBM Cloud Pak foundational services, and QRadar Suite Software 1.10.28 are installed.
  6. Verify QRadar Suite Software installation by typing the following command.
    oc ibm-pak launch -t 1 \
    $CASE_NAME \
    --version $CASE_VERSION \
    --inventory ibmSecurityOperatorSetup \
    --namespace $CP4S_NAMESPACE \
    --action validate

Results

The following message is displayed when installation is complete.

[INFO] IBM Cloud Pak for Security deployment is complete.

If the following message is displayed, follow the instructions in SOAR playbooks not available or SOAR automation limited to resolve the issue.

[WARN] IBM Cloud Pak for Security deployment is complete but SOAR Playbooks are not available.

What to do next

Postinstallation tasks