Download the Docker container

To deploy a Guardium® External S-TAP monitor, you first need to download the IBM® Guardium External S-TAP container from the IBM Cloud Container Registry (icr.io). Deploy the container onto the machine (real, virtual, or cloud) that serves as the External S-TAP host.

Before you begin

  1. Make sure that a Linux® environment is available for External S-TAP host. For the External S-TAP, Docker must be installed and running under Linux.
  2. For SSL-enabled sites, make sure that you have with the appropriate security certificates as described in SSL certificates for External S-TAP. If your environment is not SSL-enabled, you can skip this step.

Procedure

  1. If your site does not provide Docker, install Docker on the External S-TAP host. For more information, see Get Docker.
  2. Use skopeo to list the available docker tags for Guardium External S-TAP in the IBM Cloud Container Registry (icr.io). For example:
    ~$ skopeo list-tags docker://icr.io/guardium-insights/guardium_external_s-tap
  3. The skopeo command returns a list of all available tags for External S-TAP. Find and copy the appropriate docker pull command. For example:
    myname:~$ skopeo list-tags docker://icr.io/guardium-insights/guardium_external_s-tap 
    { "Repository": "icr.io/guardium-insights/guardium_external_s-tap", 
    "Tags": [ 
        "cpd-3.5-deploy-11.2.1-34", 
         . . .
        "v11.2.0-deploy-3.5-16", 
        . . .
        "v11.4.0", 
        "v11.4.1", 
        . . .
        "v11.5.0", 
        "v11.5.1"
       "v11.5" 
       ] 
    } 
    myname:~$
    Note: The container for the latest version of each Guardium release is available from the vx.x tag for that release. For example, for Guardium 11.5, copy docker pull from the v11.5 tag.
  4. Use the docker pull command to download the Docker container into your environment. For example, to pull the latest External S-TAP image,
    docker pull icr.io/guardium-insights/guardium_external_s-tap:v11.5

    For more information about accessing icr.io and using the skopeo command, see https://www.ibm.com/support/pages/node/6618197.

    To deploy to an internal repository: If your Docker host machine does not have access to the internet, create an internal repository on which to store the Docker containers. One method to create an internal repository is to use multiple steps, for example:
    1. Configure a host to run a local (private) docker registry. For more information, see Deploy a registry server.
    2. Take the following steps on a host that where Docker is installed and that can contact both the local Docker registry and icr.io:
      1. Pull the External S-TAP Docker image from icr.io.
      2. Push the External S-TAP Docker image to the local Docker registry.
    3. After the image is in the local registry, you can deploy the External S-TAP containers on a host that has access to that registry.

What to do next

After you download the External S-TAP Docker container, you can either deploy the container onto the Docker host machine or, if needed, create the security certificates to help ensure that your system remains secure. For more information, see External S-TAP deployment scripts or SSL certificates for External S-TAP.