Upgrading IBM Cloud Pak for Security

If you have IBM Cloud Pak® for Security 1.6.0.X, 1.7.0.0 or 1.7.1.0 installed, you can upgrade to 1.7.2.0.

Before you begin

Complete a backup procedure before beginning the upgrade. For more information about how to back up CouchDB and IBM® Security Case Management, see Backup.

Check that you have all the details that are required for installation. For more information, see Preparing to install IBM Cloud Pak for Security.

About this task

You can upgrade to a later version of the software or apply updates to configuration values by running the upgrade-all action. When you run the upgrade command, the following operations are completed:

When you upgrade to IBM Cloud Pak for Security 1.7.2, the existing asset data that is managed by Connected Assets and Risk service connectors does not migrate. The asset data is repopulated when the data synchronization next occurs for each connector, typically within 24 hours.

Online upgrade

  1. Download and extract the content of the Cloud Pak for Security archive file in preparation for installation by running the following command.

     Note: If you already have cp4s_cli_install in your home directory, you must rename or delete the directory before running the command.

    cloudctl case save -t 1 --case https://github.com/IBM/cloud-pak/raw/master/repo/case/ibm-cp-security-1.0.19.tgz --outputdir $HOME/cp4s_cli_install/ && tar -xf $HOME/cp4s_cli_install/ibm-cp-security-1.0.19.tgz
    
  2. Ensure that you are logged in to the cluster by using either of the following oc login commands:

    • Using username and password:
      oc login <openshift_url> -u <username> -p <password> -n <namespace>
      
    • Using a token:
      oc login --token=<token> --server=<openshift_url>
      
  3. Update the parameters in the values.conf file that is located within the directory: $HOME/ibm-cp-security/inventory/installProduct/files/. For the full list of parameters, their description, and default values, see the table in the Configuration section.

  4. To upgrade Cloud Pak for Security, the following arguments are required:

| Argument | Description |
| --- | --- |
| --inputDir | $HOME/cp4s_cli_install is the directory in which the Cloud Pak for Security is extracted by cloudctl case save. |
| --license | For the Cloud Pak for Security upgrade to proceed, the flag --license accept must be added to the launch command. After Cloud Pak for Security is installed, you can use the license and usage page to turn on and off applications to comply with your Cloud Pak for Security license purchase. For more information, see License & usage management. |
| --namespace | The namespace where Cloud Pak for Security was installed. You can verify the namespace by running the oc projects command. |

Run the upgrade-all action:

    cloudctl case launch -t 1 --case ibm-cp-security --namespace <namespace> --inventory installProduct --action upgrade-all --args "--license accept --inputDir $HOME/cp4s_cli_install/"

Air gap upgrade

1. Download and extract the archive

Download and extract the content of the Cloud Pak for Security archive file in preparation for installation.

  1. If you already have cp4s_cli_install in your home directory, you must rename or delete the directory.
  2. To download and extract the archive, run the following command.
    cloudctl case save -t 1 --case https://github.com/IBM/cloud-pak/raw/master/repo/case/ibm-cp-security-1.0.19.tgz --outputdir $HOME/cp4s_cli_install/ && tar -xf $HOME/cp4s_cli_install/ibm-cp-security-1.0.19.tgz
    

2. Log in to the cluster

Ensure that you are logged in to the cluster by using either of the following oc login commands:

3. Configure authentication and mirror images

  1. Log in to the cluster by using the oc command:

    oc login <openshift_url> -u <username> -p <password> -n <namespace>
    
  2. Update the parameters in the values.conf file that is located in the directory: $HOME/cp4s_cli_install/ibm-cp-security/inventory/installProduct/files/. For the full list of parameters, their description, and default values, see the table in the Configuration section.

  3. Depending on the access that you are entitled to, provide your authentication credentials by using method A or B.
    A. If you are installing by using the IBM Entitled Registry, use --pass <entitled_key> as your authentication credentials. Configure the authentication credentials (URL, username, and password) for both your local Docker registry and the IBM Entitled Registry by running the following commands:

    cloudctl case launch \
       --case ibm-cp-security \
       --inventory installProduct \
       --action configure-creds-airgap \
       --args "--registry cp.icr.io --user cp --pass <entitled_key> --inputDir $HOME/cp4s_cli_install/" -t 1
    
    cloudctl case launch \
       --case ibm-cp-security \
       --inventory installProduct \
       --action configure-creds-airgap \
       --args "--registry ${LOCAL_DOCKER_REGISTRY}:5000 --user <username> --pass <password> --inputDir $HOME/cp4s_cli_install/" -t 1
    

    B. If you are installing from IBM® Passport Advantage, use --pass ppa as the authentication credentials. Configure the authentication credentials (URL, username, and password) for both your local Docker registry and IBM® Passport Advantage by running the following commands:

    cloudctl case launch \
       --case ibm-cp-security \
       --inventory installProduct \
       --action configure-creds-airgap \
       --args "--registry cp.icr.io --user cp --pass ppa --inputDir $HOME/cp4s_cli_install/" -t 1
    
    cloudctl case launch \
       --case ibm-cp-security \
       --inventory installProduct \
       --action configure-creds-airgap \
       --args "--registry ${LOCAL_DOCKER_REGISTRY}:5000 --user <username> --pass <password> --inputDir $HOME/cp4s_cli_install/" -t 1
    
  4. Configure the global image pull secret and imageContentSourcePolicy resource by running the following command:

    cloudctl case launch \
       --case ibm-cp-security \
       --inventory installProduct \
       --action configure-cluster-airgap \
       --args "--registry ${LOCAL_DOCKER_REGISTRY}:5000 --inputDir $HOME/cp4s_cli_install/" -t 1
    

    Note: Running the command against the Red Hat OpenShift cluster causes a restart of all the nodes. If you list the Red Hat OpenShift nodes while the change is being applied, you might see the node status Ready,SchedulingDisabled. Wait until the configuration is propagated to all nodes.

  5. Mirror the images to the Docker registry by running the following command:

    cloudctl case launch \
       --case ibm-cp-security \
       --inventory installProduct \
       --action mirror-images \
       --args "--registry ${LOCAL_DOCKER_REGISTRY}:5000  --inputDir $HOME/cp4s_cli_install/" -t 1
    
  6. Verify that the imageContentSourcePolicy resource is created:

    oc get imageContentSourcePolicy | grep ibm-cp-security
    

4. Upgrade Cloud Pak for Security

To upgrade Cloud Pak for Security, the following arguments are required:

| Argument | Description |
| --- | --- |
| --airgap | The flag to indicate air gap installation. |
| --inputDir | $HOME/cp4s_cli_install/ is the directory in which the Cloud Pak for Security is extracted by cloudctl case save. |
| --license | For the Cloud Pak for Security installation to proceed, the flag --license accept should be added to the launch command. After Cloud Pak for Security is installed, you can use the license and usage page to turn on and off applications to comply with your Cloud Pak for Security license purchase. For more information, see License & usage management. |
| --namespace | The namespace where Cloud Pak for Security was installed. You can verify the namespace by running the oc projects command. |

Run the following command to upgrade:

    cloudctl case launch -t 1 --case ibm-cp-security --namespace <namespace> --inventory installProduct --action upgrade-all --args "--license accept --inputDir $HOME/cp4s_cli_install/ --airgap"

What to do next

The installation of Cloud Pak for Security takes ~1.5 hours. To track the progress of the installation, run the validate-cp4s action. For more information, see Verifying installation.

Configuration

The following table lists the configurable parameters for the Cloud Pak for Security installation, their description, and default values.

| Parameter | Description | Default | Required |
| --- | --- | --- | --- |
| adminUserId | The user that is to be assigned as the initial administrator in the Cloud Pak for Security installation. The administrator user must exist in an LDAP directory that you will set up according to steps in LDAP connection. | | Yes |
| cloudType | The target Red Hat OpenShift environment where IBM Cloud Pak for Security is being installed: AWS: aws; IBM Cloud: ibmcloud; Microsoft Azure: azure; VMware; Other environments: ocp. | ocp | Yes |
| storageClass | Dynamically provisioned block storage class for all the PVCs. See the Storage requirements section for more details. | | Yes |
| registryType | The type of repository from which the images are pulled. | entitled | Yes |
| entitledRegistryUrl | The repository from which the images are pulled. | cp.icr.io | Only required for online installation. |
| entitledRegistryPassword | The password to access the entitled registry URL. This is the entitlement key retrieved from IBM Container Library. | | Only required for online installation. |
| entitledRegistryUsername | The username to access the entitled registry URL. | cp | Only required for online installation. |
| localDockerRegistry | The local Docker host registry URL. | | Required for air gap installation. |
| localDockerRegistryUsername | The username to access the local Docker host registry. | | Required for air gap installation. |
| localDockerRegistryPassword | The password to access the local Docker host registry. | | Required for air gap installation. |
| cp4sapplicationDomain | The Fully Qualified Domain Name (FQDN) created for Cloud Pak for Security. | | Not required if cloudType is aws, ibmcloud, or vmware. |
| cp4sdomainCertificatePath | The path of the TLS certificate associated with the Cloud Pak for Security domain. For more information, see TLS certificate. | | Not required if cloudType is aws, ibmcloud, or vmware. |
| cp4sdomainCertificateKeyPath | The path of the TLS key associated with the Cloud Pak for Security domain. For more information, see TLS certificate. | | Not required if cloudType is aws, ibmcloud or vmware. |
| cp4scustomcaFilepath | The path of the custom TLS certificate associated with the Cloud Pak for Security domain. For more information, see TLS certificate. | | Not required if cloudType is aws, ibmcloud or vmware and certificate is signed by well-known CA. |
| cp4sImagePullPolicy | The Pull policy for the images - Always or IfNotPresent. | Always | Yes |
| cp4sOpenshiftAuthentication | Enable Red Hat OpenShift authentication. Only supported on IBM Cloud® ROKS clusters. | False | No |
| defaultAccountName | The name for the default account. Only valid for a clean install, not for an upgrade. | Cloud Pak for Security | No |
| enableCloudSecurityAdvisor | Required only if you are installing IBM Cloud Security Advisor Adapter. | false | No |
| backupStorageClass | The storage class for the backup and restore pod. If not set, it will take the default storage class in the cluster. | | No |
| backupStorageSize | The storage size for the backup and restore pod. | 100Gi | No |
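
The following script is an added example, not part of the IBM documentation or product code. It checks values.conf against the Required column of the Configuration table before you run upgrade-all, and flags a file that other users can read, because the file holds registry passwords. Assumptions: values.conf holds one KEY="value" pair per line, the domain and TLS parameters are treated as required whenever cloudType is not aws, ibmcloud, or vmware, and the function names get_param and check_values_conf are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM code): preflight check for values.conf before upgrade-all.
# Assumption: values.conf holds one KEY="value" (or KEY=value) pair per line.

# get_param FILE KEY: print the last value assigned to KEY, quotes stripped.
get_param() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# check_values_conf FILE [online|airgap]: print findings; status 1 if any.
check_values_conf() (
  f=$1; mode=${2:-online}; rc=0
  [ -r "$f" ] || { echo "FAIL: cannot read $f"; exit 1; }
  fail() { echo "FAIL: $*"; rc=1; }
  need() { for k in "$@"; do [ -n "$(get_param "$f" "$k")" ] || fail "$k is not set"; done; }
  # The file holds registry passwords, so group and others must not read it.
  [ -z "$(find "$f" -prune \( -perm -040 -o -perm -004 \))" ] ||
    fail "$f is readable by group or others"

  # Parameters marked Required: Yes in the Configuration table.
  need adminUserId cloudType storageClass registryType cp4sImagePullPolicy

  # Registry credentials depend on the upgrade path.
  if [ "$mode" = airgap ]; then
    need localDockerRegistry localDockerRegistryUsername localDockerRegistryPassword
  else
    need entitledRegistryUrl entitledRegistryUsername entitledRegistryPassword
  fi

  cloud=$(get_param "$f" cloudType)
  case $cloud in
    aws|ibmcloud|vmware|"") ;;   # domain/TLS not required; empty already reported
    azure|ocp)                   # FQDN, certificate and key are needed
      need cp4sapplicationDomain cp4sdomainCertificatePath cp4sdomainCertificateKeyPath
      for k in cp4sdomainCertificatePath cp4sdomainCertificateKeyPath; do
        p=$(get_param "$f" "$k")
        [ -z "$p" ] || [ -r "$p" ] || fail "$k: $p is not readable"
      done ;;
    *) fail "cloudType '$cloud' is not aws, ibmcloud, azure, vmware or ocp" ;;
  esac
  case $(get_param "$f" cp4sImagePullPolicy) in
    Always|IfNotPresent|"") ;;
    *) fail "cp4sImagePullPolicy must be Always or IfNotPresent" ;;
  esac
  exit "$rc"
)
# Stand-alone use: sh preflight.sh <path to values.conf> [online|airgap]
[ "$#" -eq 0 ] || check_values_conf "$@"
```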