Manually installing Guardium Data Security Center online

Before you begin

Before you proceed with the installation, complete these steps:
  1. Verify that your environment meets the System requirements and prerequisites and Hardware cluster requirements.
  2. Prepare for installation.
  3. Log in to the OpenShift® command-line interface.
  4. Download the Guardium Data Security Center CASE file and set up your environment for dependencies.

Procedure

  1. Log in to your Red Hat® OpenShift cluster instance.
    oc login -u <KUBE_USER> -p <KUBE_PASS> [--insecure-skip-tls-verify=true]
    For example,
    oc login api.example.ibm.com:6443 -u kubeadmin -p xxxxx-xxxxx-xxxxx-xxxxx
  2. Set these environment variables:
    export CP_REPO_USER=<entitlement_user>
    export CP_REPO_PASS=<entitlement_key>
    export NAMESPACE=<guardium_data_security_center_namespace>
    export CASE_NAME=ibm-guardium-data-security-center
    export CASE_VERSION=2.6.0   #<YOUR_CASE_VERSION>
    export LOCAL_CASE_DIR=$HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
    • <entitlement_user> and <entitlement_key> are the entitlement user and key, as described in Obtain your entitlement key.
    • <guardium_data_security_center_namespace> is the namespace that you create in step 4. This namespace must be 10 or fewer characters in length.
  3. Install the IBM® Certificate Manager and IBM Common Services by completing steps 4-13 that are outlined in Installing IBM Cloud Pak® foundational services.
  4. Create the Guardium Data Security Center namespace and then switch to it:
    oc create namespace ${NAMESPACE}
    oc project ${NAMESPACE} 
    Note: If IBM Common Services is already created and installed, you do not need to create the namespace in this step (Guardium Data Security Center uses the same namespace).
  5. Install the Guardium Data Security Center operator and related components:
    1. Run the pre-install script. This script sets up secrets and parameters for the Guardium Data Security Center instance.
      oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --namespace ${NAMESPACE} \
      --inventory install \
      --action preInstall \
      --tolerance 1 \
      --args "-n ${NAMESPACE} -h <DB_worker_host> -l <true/false>"
      The pre-install script supports these parameters:
      Table 1. Parameters for preInstall.sh

      Name: -n or --i-namespace
      Type: Mandatory
      Description: Guardium Data Security Center OpenShift namespace (this value must be 10 or fewer characters).

      Name: -h or --host-datanodes
      Type: Mandatory
      Description: Specify the comma-delimited host names of the data nodes that you designate for data computation (you can determine the host names by running oc get nodes).
        Important: When you manage Hardware cluster requirements, use the larger set of Guardium Data Security Center nodes as your data nodes. To determine which node has the most free requests, issue the oc describe nodes command and then look in the Allocation section.

      Name: -l or --label-datanodes
      Type: Mandatory
      Description: If you specify true, the data nodes are labeled as dedicated for data service usage. If you specify false, labeling is skipped. The default value is true.

      Name: -t or --taint-datanodes
      Type: Optional
      Description: If you specify true, the data nodes are tainted and dedicated for data service usage. If you specify false, tainting is skipped. Do not use false to skip tainting for production deployments.

      Name: -k or --ingress-keystore
      Type: Optional
      Description: The path of the TLS certificate that is associated with the Guardium Data Security Center application domain.
        If you supply a custom ingress, provide the path to its key file. This file can contain only newline (\n) delimiters. If you do not supply a custom ingress, a default of none is assumed.
        For more information, see Domain name and TLS certificates.

      Name: -f or --ingress-cert
      Type: Optional
      Description: The path of the TLS key that is associated with the Guardium Data Security Center application domain.
        If you supply a custom ingress, provide the path to its cert file. This file can contain only newline (\n) delimiters. If you do not include this, a default of none is assumed.
        For more information, see Domain name and TLS certificates.

      Name: -c or --ingress-ca
      Type: Optional
      Description: The path of the custom TLS certificate that is associated with the Guardium Data Security Center application domain.
        If you supply a custom ingress, provide the path to its certificate authority (CA) file. This file can contain only newline (\n) delimiters. If you do not include this, a default of none is assumed.
        For more information, see Domain name and TLS certificates.

      Name: -help or --help
      Type: Optional
      Description: Displays the preInstall.sh parameters.
    2. Install the catalogs.
      oc ibm-pak launch $CASE_NAME \
        --version $CASE_VERSION \
        --inventory install \
        --action install-catalog \
        --namespace openshift-marketplace \
        --args "--inputDir ${LOCAL_CASE_DIR}"
      To verify that the catalogs are installed, run the following command.
      oc get pod -n openshift-marketplace
      The output is similar to:
      ibm-cloud-databases-redis-operator-catalog-ms97x                  1/1     Running     0          12m
      ibm-db2uoperator-catalog-k8pwc                                    1/1     Running     0          13m
    3. Install the operators.
      oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --inventory install \
      --action install-operator \
      --namespace ${NAMESPACE} \
      --args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR}"
    4. Verify that the operators are installed by running the following command.
      oc get pods -n $NAMESPACE
      The output is similar to:
      
      NAME                                                    READY STATUS  RESTARTS AGE
      db2u-day2-ops-controller-manager-5488d5c844-vvhgt       1/1   Running 0        24h
      db2u-operator-manager-5fc886d4bc-wwcrv                  1/1   Running 0        24h
      ibm-cloud-databases-redis-operator-6d668d7b88-z7fzh     1/1   Running 0        24h
      ibm-guardium-insights-operator-75d6c489fd-qfkss         1/1   Running 0        24h
      mongodb-kubernetes-operator-856bc86746-lfk69            1/1   Running 0        24h
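
The following pre-flight checks are an added example, not part of the IBM procedure or the CASE scripts. Run before the pre-install script in step 5, they enforce the constraints stated above: the 10-character namespace limit, newline-only delimiters in the ingress key, cert and CA files, and the entitlement variables being set. The function names are hypothetical.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the inputs to preInstall (added example; the function
# names are hypothetical and are not part of the CASE bundle).

# The namespace must be 10 or fewer characters (per the page) and a valid
# Kubernetes name: lowercase alphanumerics and '-', alphanumeric at both ends.
check_namespace() {
  ns=$1
  [ -n "$ns" ] && [ "${#ns}" -le 10 ] || return 1
  case $ns in
    -*|*-|*[!abcdefghijklmnopqrstuvwxyz0123456789-]*) return 1 ;;
  esac
  return 0
}

# Ingress key, cert and CA files may contain only newline (\n) delimiters:
# return 1 if the file holds any carriage return, 2 if it cannot be read.
check_newline_only() {
  [ -r "$1" ] || return 2
  cr=$(printf '\r')
  if LC_ALL=C grep -q "$cr" "$1"; then return 1; fi
  return 0
}

# Run every check, print one line per failure to stderr, and return the
# number of failures. Arguments: the ingress files passed to -k, -f and -c.
preflight() {
  fails=0
  check_namespace "${NAMESPACE:-}" ||
    { echo "NAMESPACE is empty, invalid, or longer than 10 characters" >&2; fails=$((fails + 1)); }
  # Report only whether the entitlement variables are set, never their values.
  for v in CP_REPO_USER CP_REPO_PASS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "$v is not set" >&2; fails=$((fails + 1)); }
  done
  for f in "$@"; do
    check_newline_only "$f" ||
      { echo "$f: unreadable or contains carriage returns" >&2; fails=$((fails + 1)); }
  done
  return "$fails"
}

# Usage: preflight ./tls.key ./tls.crt ./ca.crt && echo "inputs look sane"
```

A file that fails the carriage-return check was typically saved with Windows (CRLF) line endings and needs converting before it is passed to -k, -f or -c.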
      

What to do next

Follow the steps in Creating a Guardium Data Security Center instance by using a custom resource (CR).