Upgrading IBM Cloud Pak for Security

Before you begin

Complete a backup procedure before beginning the upgrade. For more information about how to back up CouchDB and IBM® Security Case Management, see Backup .

Check that you have all the details that are required for installation. For more information, see Preparing to install IBM Cloud Pak for Security.

About this task

You can upgrade to a later version of the software or apply updates to configuration values by running the upgrade-all action. When you run the upgrade command, the following operations are completed:

• Upgrade IBM Cloud Pak® foundational services to 3.9.0.
• Upgrade Cloud Pak for Security to 1.7.2.0.

When you upgrade to IBM Cloud Pak for Security 1.7.2, the existing asset data that is managed by Connected Assets and Risk service connectors does not migrate. The asset data is repopulated when the data synchronization next occurs for each connector, typically within 24 hours.

Online upgrade

1. Download and extract the content of the Cloud Pak for Security archive file in preparation for installation by running the command: Note: If you already have cp4s_cli_install in your home directory, you must rename the directory or alternatively delete the directory before running the command.

   cloudctl case save -t 1 --case https://github.com/IBM/cloud-pak/raw/master/repo/case/ibm-cp-security-1.0.19.tgz --outputdir $HOME/cp4s_cli_install/ && tar -xf $HOME/cp4s_cli_install/ibm-cp-security-1.0.19.tgz
   

2. Ensure that you are logged in to the cluster by using either of the following oc login commands:

   • Using username and password:

     oc login <openshift_url> -u <username> -p <password> -n <namespace>
     

   • Using a token:

     oc login --token=<token> --server=<openshift_url>
     

3. Update the parameters in the values.conf file that is located within the directory: $HOME/ibm-cp-security/inventory/installProduct/files/. For the full list of parameters, their description, and default values; see the table in the Configuration section.

4. To upgrade Cloud Pak for Security, the following arguments are required:

Run the upgrade-all action:

cloudctl case launch -t 1 --case ibm-cp-security --namespace <namespace>  --inventory installProduct --action upgrade-all --args "--license accept --inputDir $HOME/cp4s_cli_install/"

Air gap upgrade

1. Download and extract the archive

Download and extract the content of the Cloud Pak for Security archive file in preparation for installation.

1. If you already have cp4s_cli_install in your home directory, you must rename or delete the directory.
2. To download and extract the archive, run the following command.

   cloudctl case save -t 1 --case https://github.com/IBM/cloud-pak/raw/master/repo/case/ibm-cp-security-1.0.19.tgz --outputdir $HOME/cp4s_cli_install/ && tar -xf $HOME/cp4s_cli_install/ibm-cp-security-1.0.19.tgz
   

2. Log in to the cluster

Ensure that you are logged in to the cluster by using either of the following oc login commands:

• Using username and password:

  oc login <openshift_url> -u <username> -p <password> -n <namespace>
  

• Using a token:

  oc login --token=<token> --server=<openshift_url>
  

3. Configure authentication and mirror images

1. Log in to the cluster by using the oc command:

   oc login <openshift_url> -u <username> -p <password> -n <namespace>
   

2. Update the parameters in the values.conf file that is located in the directory: $HOME/cp4s_cli_install/ibm-cp-security/inventory/installProduct/files/. For the full list of parameters, their description, and default values; see the table in the Configuration section.

3. Depending on the access that you are entitled to, provide your authentication credentials by using method A or B.
   A. If you are installing by using the IBM Entitled Registry, use --pass <entitled_key> as your authentication credentials. Configure the authentication credentials (URL, username, and password) for both your local Docker registry and the IBM Entitled Registry by running the following commands:

   cloudctl case launch \
      --case ibm-cp-security \
      --inventory installProduct \
      --action configure-creds-airgap \
      --args "--registry cp.icr.io --user cp --pass <entitled_key> --inputDir $HOME/cp4s_cli_install/" -t 1
   

   cloudctl case launch \
      --case ibm-cp-security \
      --inventory installProduct \
      --action configure-creds-airgap \
      --args "--registry ${LOCAL_DOCKER_REGISTRY}:5000 --user <username> --pass <password> --inputDir $HOME/cp4s_cli_install/" -t 1
   

   B. If you are installing from IBM® Passport Advantage, use --pass ppa as the authentication credentials. Configure the authentication credentials (URL, username, and password) for both your local Docker registry and the IBM® Passport Advantage by running the following commands:

   cloudctl case launch \
      --case ibm-cp-security \
      --inventory installProduct \
      --action configure-creds-airgap \
      --args "--registry cp.icr.io --user cp --pass ppa --inputDir $HOME/cp4s_cli_install/" -t 1
   

   cloudctl case launch \
      --case ibm-cp-security \
      --inventory installProduct \
      --action configure-creds-airgap \
      --args "--registry ${LOCAL_DOCKER_REGISTRY}:5000 --user <username> --pass <password> --inputDir $HOME/cp4s_cli_install/" -t 1
   

4. Configure the global image pull secret and imageContentSourcePolicy resource by running the following command:

   cloudctl case launch \
      --case ibm-cp-security \
      --inventory installProduct \
      --action configure-cluster-airgap \
      --args "--registry ${LOCAL_DOCKER_REGISTRY}:5000 --inputDir $HOME/cp4s_cli_install/" -t 1
   

   Note: Running the command against the Red Hat OpenShift cluster causes a restart of all the nodes. By listing the Red Hat OpenShift nodes, as the change is applied you might see node status Ready,SchedulingDisabled. Wait until the configuration is propagated to all nodes.

5. Mirror the images to the Docker registry by running the following command:

   cloudctl case launch \
      --case ibm-cp-security \
      --inventory installProduct \
      --action mirror-images \
      --args "--registry ${LOCAL_DOCKER_REGISTRY}:5000  --inputDir $HOME/cp4s_cli_install/" -t 1
   

6. Verify that the imageContentSourcePolicy resource is created:

   oc get imageContentSourcePolicy | grep ibm-cp-security
   

4. Upgrade Cloud Pak for Security

To upgrade Cloud Pak for Security, the following arguments are required:

Run the following command to upgrade:

cloudctl case launch -t 1 --case ibm-cp-security --namespace <namespace>  --inventory installProduct --action upgrade-all --args "--license accept --inputDir $HOME/cp4s_cli_install/ --airgap"

What to do next

The installation of Cloud Pak for Security takes ~1.5 hours. To track the progress of the installation, run the validate-cp4s action. For more information, see Verifying installation.

Configuration

The following table lists the configurable parameters for the Cloud Pak for Security installation, their description, and default values.

Parameter	Description	Default	Required
adminUserId	The user that is to be assigned as the initial administrator in the Cloud Pak for Security installation. The administrator user must exist in an LDAP directory that you will set up according to steps in LDAP connection.		Yes
cloudType	The target Red Hat OpenShift environment where IBM Cloud Pak for Security is being installed: AWS: aws, IBM Cloud: ibmcloud, Microsoft Azure: azure, VMware, Other environments: ocp.	ocp	Yes
storageClass	Dynamically provisioned block storage class for all the PVCs, see Storage requirements section for more details		Yes
registryType	The type of repository from which the images are pulled.	entitled	Yes
entitledRegistryUrl	The repository from which the images are pulled.	cp.icr.io	Only required for online installation.
entitledRegistryPassword	The password to access the entitled registry URL. This is the entitlement key retrieved from IBM Container Library .		Only required for online installation.
entitledRegistryUsername	The username to access the entitled registry URL.	cp	Only required for online installation.
localDockerRegistry	The local Docker host registry URL.		Required for air gap installation.
localDockerRegistryUsername	The username to access the local Docker host registry.		Required for air gap installation.
localDockerRegistryPassword	The password to access the local Docker host registry.		Required for air gap installation.
cp4sapplicationDomain	The Fully Qualified Domain Name (FQDN) created for Cloud Pak for Security.		Not required if cloudType is aws, ibmcloud, or vmware.
cp4sdomainCertificatePath	The path of the TLS certificate associated with the Cloud Pak for Security domain. For more information, see TLS certificate.		Not required if cloudType is aws, ibmcloud, or vmware.
cp4sdomainCertificateKeyPath	The path of the TLS key associated with the Cloud Pak for Security domain. For more information, see TLS certificate.		Not required if cloudType is aws, ibmcloud or vmware.
cp4scustomcaFilepath	The path of the custom TLS certificate associated with the Cloud Pak for Security domain. For more information, see TLS certificate.		Not required if cloudType is aws, ibmcloud or vmware and certificate is signed by well-known CA.
cp4sImagePullPolicy	The Pull policy for the images - Always or IfNotPresent.	Always	Yes
cp4sOpenshiftAuthentication	Enable Red Hat OpenShift authentication. Only supported on IBM Cloud® ROKS clusters.	False	No
defaultAccountName	The name for the default account. Only valid for a clean install, not for an upgrade.	Cloud Pak for Security	No
enableCloudSecurityAdvisor	Required only if you are installing IBM Cloud Security Advisor Adapter.	false	No
backupStorageClass	The storage class for the backup and restore pod. If not set, it will take the default storage class in the cluster.		No
backupStorageSize	The storage size for the backup and restore pod.	100Gi	No