Installing Concert, Concert Workflows, and Concert Data Apps with Secure Coder (VM)

Before you begin

Ensure that your system meets all the installation specific requirements. For more information, see System requirements.
Ensure that you have obtained a valid IBM Entitlement Key. See Obtaining an IBM® entitlement API key.

Note: For new installations on x86 VMs, K3s (a lightweight distribution of Kubernetes) is installed. Its native containerd runtime is used as the default container runtime for all product components that you choose to install.

Step 1: Configure external databases (Optional)

You can use external databases and storages instead of the default internal database and storage. To configure external databases and storages for the components you are installing, see:

Step 2: Configure Istio (Optional)

Note: This step applies only if you are installing Concert Workflows.

If you require enhanced security for inter-pod communication in Concert Workflows, then you can implement Istio. See Enhancing pod communication security by using Istio for detailed instructions, as these security enhancements must be configured prior to the initial installation.

Step 3: Download, extract, and export the latest software packages

Download the latest software packages from the public GitHub repository: https://github.com/IBM/Concert/releases
```
wget https://github.com/IBM/Concert/releases/download/v3.0.0/ibm-concert-x86.tar.gz
```
To set the default permissions for the package file, run the following command:
```
umask 0022
```
Extract the package:
```
tar xfz ibm-concert-x86.tar.gz
```
Export install directory:
```
export INSTALL_DIR=<install_directory>/ibm-concert
```
Note: Replace <install_directory> with your install directory.
Navigate to the target installation directory:
```
cd $INSTALL_DIR
```

Step 4: Create a custom values file (Optional)

Note: This step applies only if you are installing Concert Workflows.

You can customize your Concert Workflows installation by creating a custom values file. This allows you to enable advanced features and optimize resource usage. For example, you can optimize CPU and memory allocation for Concert Workflows microservices. For more information, see Customizing microservice resource usage.

Creating a custom values file:

Create a custom values file in your installation directory:
```
vi $INSTALL_DIR/custom-values.yaml
```
Add your custom configurations.
Save the file.

Step 5: Configure the params.ini file

The installation script requires a configuration file (params.ini) that defines environment-specific settings for Concert, Concert Workflows, and Concert Data Apps, located at $INSTALL_DIR/etc/params.ini.

For more information on params.ini file, list of sample params files as per the installation type, and list of required and optional parameters for installing on VM, see Configuring the params.ini file.

Copy the required parameters from the concert-securecoder-vm-quick-start-params.ini sample-params file:
```
cp $INSTALL_DIR/etc/sample-params/concert-securecoder-vm-quick-start-params.ini $INSTALL_DIR/etc/params.ini
```
For more information on list of parameters for Secure Coder installation, see Sample params.ini files.
Open and edit the $INSTALL_DIR/etc/params.ini file with required parameters:
```
vi $INSTALL_DIR/etc/params.ini
```
For more information on list of required and optional parameters for installing on VM, see Parameters for installing on VM.
Save the $INSTALL_DIR/etc/params.ini file.

Step 6: Configure the Secure Coder Mend integration (Optional)

If you set the SECURECODER_MEND_ENABLED parameter to true in the params.ini file, you must provide the sensitive credentials that will be used to configure the Secure Coder Mend integration.

If you want to use Secure Coder Mend integration, you must provide the key that is used to authenticate to the Mend user by running this command:
```
export SECURECODER_MEND_USER_KEY=<my-user-key>
```
Replace <my-user-key> with the user key.
If you want to use Secure Coder Mend integration, you must provide the API key that is used to authenticate to the Mend service by running this command:
```
export SECURECODER_MEND_API_KEY=<my-mend-api-key>
```
Replace <my-mend-api-key> with the Mend API key.
If you want to use a Secure Coder Mend integration with watsonx.ai, provide the API key that is used to authenticate to the watsonx.ai instance by running this command:
```
export WATSONX_API_KEY=<my-watsonx-api-key>
```
Replace <my-watsonx-api-key> with the API key.

Step 7: Authenticate to an LLM instance (Optional)

Note: This step applies only if you intend to enable the Concert Workflows AI assistant.

If you set the ENABLE_AI parameter to true in the params.ini file, you must provide the sensitive credentials that will be used to authenticate to the large language model (LLM) instance.

If you want to use the on-premises instance of watsonx.ai that your Concert license entitles you to, and you set the WATSONX_API_USER parameter in params.ini, provide the corresponding password by running this command:
```
export WATSONX_API_PASSWORD=<my-secret-password>
```
Replace <my-secret-password> with the password.
If you want to use a SaaS instance of watsonx.ai, provide the API key that is used to authenticate to the SaaS watsonx.ai instance by running this command:
```
export WATSONX_API_KEY=<my-watsonx-api-key>
```
Replace <my-watsonx-api-key> with the API key. If required, you can generate a key here.
If you want to use a vLLM-provided model instance which requires authentication, you must provide the API key that is used to authenticate to the vLLM instance by running this command:
```
export LLM_API_KEY=<my-vllm-api-key>
```
Replace <my-vllm-api-key> with the API key.

Step 8: Run the installation setup script

Run the installation setup script to deploy Concert, Concert Workflows, and Concert Data Apps on your VM:

$INSTALL_DIR/bin/setup --license_acceptance=y --username=<user> --password=<password> --registry_password=<registry_entitlement_key>

Remember: The username and password that you specify when running the setup script will be used as the default values for the login, providing the initial credentials for access.

Parameter	Description
`--username`	Use the `--username` option to specify the default user for the installation. This option enables you to set a custom username value, which is used as the username for your product login.
`--password`	Use the `--password` option to specify the password for the default user for the installation. If you do not specify a value for this option, the tool prompts you to enter it.
`--registry_password`	Use the `--registry_password` option to specify the password required to access the source registry. If you are using `cp.icr.io/cp` as the source registry, then the password is the entitlement key.
`--license_acceptance`	License acceptance flag must be set to `y` to proceed with installation. Note: Concert is sold under multiple licenses. All licenses are available in IBM Terms. Prior to installing or upgrading Concert, ensure that you know the license associated with your product, read the license that applies to your purchase, and ensure that you agree to the terms and conditions of the license.

Note: The installation process may take 15 to 30 minutes depending on your system resources and network speed.

Verify installation:
- Upon successful installation completion, you will see:
```
INFO DEPLOYMENT SUCCESSFUL
```
- If you encounter any errors during installation, check the installation logs:
```
$INSTALL_DIR/localstorage/logs/prod_install_logs_<timestamp>.log
```

Step 9: Access the UI

After successful installation, open your web browser and access the Concert product. To login to your required component, you can either login to the unified instance UI or use the component specific URL for login:

You can access the unified instance UI by navigating to the URL details provided in the output. Enter your login credentials (username and password provided in the setup script during installation), and click Login. After you log in to the unified UI, you can access and navigate to each component, allowing for easy navigation between them.

Access to the Concert products using the following URLs:

Table 1. Component specific access URL
Components	URL	Default port
Concert	https://<VM_FQDN>:12443	12443
Concert Workflows	https://<VM_FQDN>:443	443
Concert Data Apps	https://<VM_FQDN>:15443	15443

Replace <VM_FQDN> with your VM's fully qualified domain name (for example, vm.example.com). For local access, you can use localhost instead of the FQDN.

Log in with your credentials. Use the username and password that you specified when running the installation setup script to log in to Concert.
Click Login to access the product.
Note: You might see a security warning about the SSL certificate. This is expected for self-signed certificates. Proceed to the site (the exact steps depend on your browser). To bring your own SSL certificate for Concert and Concert Data Apps, see Bring your own SSL certificate.

Enable or disable Secure Coder Mend integration

You can enable or disable Secure Coder Mend integration after you complete the installation without resetting IBM Concert. The manage-sc-scanner-config.sh in ibm-concert-std-securecoder/bin/manage-sc-scanner-config.sh path allows Mend SAST or SCA scanner integration to be enabled or disabled without performing a full reinstallation.

To enable Secure Coder Mend integration:

Export the required variables:

# Credentials
export SECURECODER_MEND_USER_KEY="<mend-user-key>"
export SECURECODER_MEND_API_KEY="<mend-api-key>"
export WATSONX_API_KEY="<watsonx-api-key>"

# Non-sensitive configuration
export SECURECODER_MEND_ORG_NAME="<org-name>"
export SECURECODER_MEND_SERVICE_URL="https://saas.mend.io"
export SECURECODER_MEND_EMAIL_ADDRESS="<mend-account-email>"
export SECURECODER_MEND_PROJECT_NAME="<project-name>"
export WATSONX_API_PROJECT_ID="<watsonx-project-id>"
export WATSONX_API_URL="<watsonx-base-url>"

# Optional
# export SECURECODER_MEND_PRODUCT_NAME="<product-name>"
# export WATSONX_API_MODEL_ID="<model-id>"

Variable	Description
`<mend-user-key>`	Replace with your Mend user key.
`<mend-api-key>`	Replace with the Mend API key.
`<watsonx-api-key>`	Replace with the API key.
`<org-name>`	Replace with the Mend organization name. This is the organization identifier in your Mend account, for example: my-company-org.
<service-url>	Replace with the Mend service endpoint URL, for example:`https://app.mend.io`.
<mend-account-email>	Replace with the email address associated with your Mend account, for example:`security-team@company.com`.
<project-name>	Replace with the name of the Mend project associated with the deployment.
<watsonx-project-id>	Replace with the ID of the watsonx.ai project that you want to use.
<watsonx-base-url>	Replace with the URL of the watsonx.ai instance, for example:`https://us-south.ml.cloud.ibm.com`.
<product-name>	Replace with the Mend product name.
<model-id>	Replace with the watsonx.ai model that is used.

Enable Secure Coder Mend integration by running the following command:

./ibm-concert-std-securecoder/bin/manage-sc-scanner-config.sh \
  enable-mend --namespace=concert-securecoder

Disable Secure Coder Mend integration by running the following command:

./ibm-concert-std-securecoder/bin/manage-sc-scanner-config.sh \
  disable-mend --namespace=concert-securecoder

Check the current scanner status by running the following command:

./ibm-concert-std-securecoder/bin/manage-sc-scanner-config.sh \
  status --namespace=concert-securecoder

Next steps

After accessing the product, manage user permissions through the Managing users and roles guide.

If you encounter issues during installation or operation, see Troubleshooting.