Installing IBM Cloud Pak foundational services on Guardium Data Security Center
IBM Guardium Data Security Center is deployed on IBM Cloud Pak foundational services with OpenShift® Container Platform.
Before you begin
If the SKIP_INSTALL_ICS parameter in the configuration file is set to the default value of false, you can proceed directly to Online and offline/air gap installation of Guardium Data Security Center by using automated (all-in-one) installation script.
If you are installing Guardium Data Security Center manually or if SKIP_INSTALL_ICS is set to true, install IBM Cloud Pak foundational services beforehand by following the procedure.
About this task
If you are installing Guardium Data Security Center version 3.6.x, install Cloud Pak foundational services version 4.6.6.
If you currently have IBM® Common Services version 4.5.x, you can upgrade to IBM Common Services version 4.6.x by using the case bundle.
Procedure
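- Log in to your Red Hat® OpenShift cluster instance.
oc login -u <KUBE_USER> -p <KUBE_PASS> [--insecure-skip-tls-verify=true]
For example:
oc login api.example.ibm.com:6443 -u kubeadmin -p xxxxx-xxxxx-xxxxx-xxxxx
The optional --insecure-skip-tls-verify=true flag turns off verification of the API server certificate, so the example omits it.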
- Create a namespace for Cloud Pak foundational services. Use the same namespace where you install Guardium Data Security Center.
export NAMESPACE=<GI NAMESPACE>
oc create namespace ${NAMESPACE}
- Choose the CASE version that you want to use.
export CASE_ARCHIVE=ibm-guardium-data-security-center-<Case version>.tgz
For example, to use version 2.6.0, specify the 2.6.0 bundle file as shown in the following command.
export CASE_ARCHIVE=ibm-guardium-data-security-center-2.6.0.tgz
- Install the IBM Certificate Manager and IBM Common Services.
- Create a namespace ibm-cert-manager for the IBM Certificate Manager.
oc create namespace ibm-cert-manager
- Set the environment variable for the --inventory parameter.
export CERT_MANAGER_INVENTORY_SETUP=ibmCertManagerOperatorSetup
- Install the IBM Certificate Manager catalog.
oc ibm-pak launch $CASE_NAME \
  --version $CASE_VERSION \
  --action install-catalog \
  --inventory $CERT_MANAGER_INVENTORY_SETUP \
  --namespace openshift-marketplace \
  --args "--inputDir ${LOCAL_CASE_DIR}"
- Check the pod and catalog source status.
oc get pods -n openshift-marketplace
oc get catalogsource -n openshift-marketplace
The following example shows the output of the commands.
NAME                             READY   STATUS    RESTARTS   AGE
ibm-cert-manager-catalog-bxjjb   1/1     Running   0          49s

NAME                       DISPLAY                  TYPE   PUBLISHER   AGE
ibm-cert-manager-catalog   ibm-cert-manager-4.2.1   grpc   IBM         52s
- Install the IBM Certificate Manager operators.
oc ibm-pak launch $CASE_NAME \
  --version $CASE_VERSION \
  --inventory $CERT_MANAGER_INVENTORY_SETUP \
  --action install-operator \
  --namespace ibm-cert-manager \
  --args "--inputDir ${LOCAL_CASE_DIR}"
Verify that the IBM Certificate Manager CSV is in the Succeeded phase.
oc get csv -n ibm-cert-manager
oc get pod -n ibm-cert-manager
The following example shows the output of the commands.
NAME                                               DISPLAY                       VERSION               REPLACES   PHASE
aws-efs-csi-driver-operator.v4.14.0-202403060538   AWS EFS CSI Driver Operator   4.14.0-202403060538              Succeeded
ibm-cert-manager-operator.v4.2.1                   IBM Cert Manager              4.2.1                            Succeeded

oc get pods -n ibm-cert-manager
NAME                             READY   STATUS    RESTARTS   AGE
cert-manager-cainjector-c9dd8    1/1     Running   0          97s
cert-manager-controller-54fb     1/1     Running   0          97s
cert-manager-webhook-5dc         1/1     Running   0          96s
ibm-cert-manager-operator-75c8   1/1     Running   0          106s
- Install the IBM Cloud Pak foundational services catalog.
export ICS_INVENTORY_SETUP=ibmCommonServiceOperatorSetup
oc ibm-pak launch $CASE_NAME \
  --version $CASE_VERSION \
  --action install-catalog \
  --inventory $ICS_INVENTORY_SETUP \
  --namespace $NAMESPACE \
  --args "--registry icr.io --recursive \
  --inputDir ${LOCAL_CASE_DIR}"
- Check the pod and catalog source status of the opencloud-operators by using the following commands.
oc get pods -n openshift-marketplace; oc get catalogsource -n openshift-marketplace
The following example shows the output of the commands.
opencloud-operators-zmtmv   1/1   Running   0   25s
opencloud-operators   IBMCS Operators   grpc   IBM   46s
- Export the following environment variables.
export CP_REPO_USER=<cp user>
export CP_REPO_PASS=<cp password>
- Install the Cloud Pak foundational services operators.
export ICS_SIZE=small
oc ibm-pak launch $CASE_NAME \
  --version $CASE_VERSION \
  --action install-operator \
  --inventory $ICS_INVENTORY_SETUP \
  --namespace $NAMESPACE \
  --args "--size ${ICS_SIZE} --registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --recursive --inputDir ${LOCAL_CASE_DIR}"
- Verify that the CSV is in Succeeded state:
oc get csv -n $NAMESPACE
The following example shows the output of the command.
oc get pods -n ${NAMESPACE}
NAME                                                              READY   STATUS      RESTARTS   AGE
common-service-db-1                                               1/1     Running     0          4h2m
common-web-ui-75fb7fcbff-rpx9w                                    1/1     Running     0          4h3m
create-postgres-license-config-vvzj8                              0/1     Completed   0          4h3m
ibm-common-service-operator-7b9f6c49bc-ffl9f                      1/1     Running     0          4h7m
ibm-commonui-operator-86c45f5df9-grm27                            1/1     Running     0          4h3m
ibm-iam-operator-76969bf99b-lbd85                                 1/1     Running     0          4h4m
ibm-zen-operator-69c4bf46f8-9vt5x                                 1/1     Running     0          4h4m
oidc-client-registration-hcmxf                                    0/1     Completed   0          4h3m
operand-deployment-lifecycle-manager-5d4fff9f89-75vkf             1/1     Running     0          4h5m
platform-auth-service-6d7c654fc6-sj5gg                            1/1     Running     0          4h1m
platform-identity-management-8dccc6b84-rt47d                      1/1     Running     0          4h1m
platform-identity-provider-5d74f7d65d-h7l7l                       1/1     Running     0          4h1m
postgresql-operator-controller-manager-1-18-12-6b9b4fb545-d6stw   1/1     Running     0          4h3m
- Verify that the operandrequest is available:
oc get opreq -n $NAMESPACE
The following example shows the output of the command.
NAME                          AGE    PHASE     CREATED AT
common-service                4h3m   Running   2024-08-27T09:27:50Z
ibm-iam-request               4h2m   Running   2024-08-27T09:28:36Z
postgresql-operator-request   4h2m   Running   2024-08-27T09:29:00Z
- Verify that all the Cloud Pak foundational services pods are in the Running or Completed state by using the following command.
oc get pods -n ${NAMESPACE}
The following example shows the output of the command.
oc get pods -n ${NAMESPACE}
NAME                                                              READY   STATUS      RESTARTS   AGE
common-service-db-1                                               1/1     Running     0          4h2m
common-web-ui-75fb7fcbff-rpx9w                                    1/1     Running     0          4h3m
create-postgres-license-config-vvzj8                              0/1     Completed   0          4h3m
ibm-common-service-operator-7b9f6c49bc-ffl9f                      1/1     Running     0          4h7m
ibm-commonui-operator-86c45f5df9-grm27                            1/1     Running     0          4h3m
ibm-iam-operator-76969bf99b-lbd85                                 1/1     Running     0          4h4m
ibm-zen-operator-69c4bf46f8-9vt5x                                 1/1     Running     0          4h4m
oidc-client-registration-hcmxf                                    0/1     Completed   0          4h3m
operand-deployment-lifecycle-manager-5d4fff9f89-75vkf             1/1     Running     0          4h5m
platform-auth-service-6d7c654fc6-sj5gg                            1/1     Running     0          4h1m
platform-identity-management-8dccc6b84-rt47d                      1/1     Running     0          4h1m
platform-identity-provider-5d74f7d65d-h7l7l                       1/1     Running     0          4h1m
postgresql-operator-controller-manager-1-18-12-6b9b4fb545-d6stw   1/1     Running     0          4h3m
After you complete the verification, install the Guardium Data Security Center operators. This process takes approximately 20 minutes.
- The default username to access the console is cpadmin. To retrieve the password, use these commands:
oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_username}' -n $NAMESPACE | base64 -d | awk '{print $1}'
oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' -n $NAMESPACE | base64 -d | awk '{print $1}'
The output that you receive, for example EwK9dj_example_password_lZSzVsA, is the password that is used for accessing the console. To change the default username (cpadmin) or password, see Changing the cluster administrator access credentials.
- To retrieve the cp-console route and credentials, use the following command.
oc get route cp-console -n $NAMESPACE
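
The verification steps in this procedure (CSV in the Succeeded phase, pods in the Running or Completed state) can be turned into a scripted gate so that a pod that is Running but not ready is not missed by eye. The following is an added example, not part of the IBM procedure: the function names unhealthy_pods and pending_csvs are hypothetical, and the sample rows marked as constructed do not come from a real cluster.

```shell
#!/bin/sh
# Added example (not IBM's script): filter `oc get` table output so that
# only the rows that fail the verification steps are printed.

# Reads `oc get pods` output on stdin. Prints every pod that is neither
# Completed nor Running with all of its containers ready (READY n/n).
unhealthy_pods() {
  awk '
    $1 == "NAME" || NF < 3 { next }      # skip header and blank lines
    $3 == "Completed"      { next }      # finished jobs are expected
    {
      split($2, ready, "/")
      if ($3 == "Running" && ready[1] == ready[2]) next
      print $1, $2, $3
    }'
}

# Reads `oc get csv` output on stdin. PHASE is the last column (DISPLAY may
# contain spaces), so test $NF and print every CSV that is not Succeeded.
pending_csvs() {
  awk '$1 == "NAME" || NF < 2 { next } $NF != "Succeeded" { print $1, $NF }'
}

# Sample input. The first three pod rows and the first CSV row are taken from
# the example output in this procedure; the remaining rows are constructed.
SAMPLE_PODS='NAME READY STATUS RESTARTS AGE
common-service-db-1 1/1 Running 0 4h2m
create-postgres-license-config-vvzj8 0/1 Completed 0 4h3m
ibm-iam-operator-76969bf99b-lbd85 1/1 Running 0 4h4m
example-pod-not-ready 0/1 Running 3 2m
example-pod-crashing 0/1 CrashLoopBackOff 5 4m'

SAMPLE_CSVS='NAME DISPLAY VERSION REPLACES PHASE
ibm-cert-manager-operator.v4.2.1 IBM Cert Manager 4.2.1 Succeeded
example-operator.v0.0.0 Example Operator 0.0.0 Installing'

# Run both filters over the sample input; any line printed is a failure.
check_sample() {
  printf '%s\n' "$SAMPLE_PODS" | unhealthy_pods
  printf '%s\n' "$SAMPLE_CSVS" | pending_csvs
}
check_sample
```

Against a live cluster, pipe the real output into the same filters, for example oc get pods -n "$NAMESPACE" | unhealthy_pods; empty output means the step passed.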