Guardium Data Security Center v3.6.x system requirements and prerequisites
Before you can install IBM Guardium Data Security Center, ensure that you have the required hardware, software, and storage. System requirements for IBM Guardium Data Security Center are described in this topic.
- The shared cluster components that you need to install
- The number of Guardium Data Security Center instances you plan to install on your cluster
- The services that you plan to install on top of Guardium Data Security Center
- The types of workloads that you plan to run
- If you do not yet have a Red Hat account, create one for free at https://www.redhat.com/wapps/ugc/register.html before following the remaining instructions.
- If you have a Red Hat account, navigate to https://cloud.redhat.com/openshift/install and log in with your account credentials.
This node's CPU resources are
overcommitted. The total CPU resource limit of all pods exceeds the node's total capacity. Pod
performance will be throttled under high load.
and
This node's memory
resources are overcommitted. The total memory resource limit of all pods exceeds the node's total
capacity. The total memory requested is also approaching the node's capacity. Pods will be
terminated under high load, and new pods may not be schedulable on this
node.
Review the following information to accurately size and configure your cluster:
Software prerequisites
-
To plan your installation of OpenShift Container Platform, see https://access.redhat.com/documentation/en-us/openshift_container_platform/4.16 and https://docs.openshift.com/container-platform/4.16/welcome/index.html.
- Red Hat
OpenShift Container Platform Version
4.14.x can be
downloaded and installed by accessing https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/.
Verify that you download Red Hat
OpenShift Container Platform Version
4.14.x.Note: If you have purchased IBM Guardium Data Security Center for IBM Cloud Pak for Security, you are automatically entitled to install its OpenShift Container Platform. See IBM Guardium Data Security Center for IBM Cloud Pak for Security software requirements for more information.
- Data mart support: If you connect
to IBM
Guardium Data Protection (GDP) environments, Guardium data mart version 5 is required.
Data mart ingestion is supported for the following versions of GDP:
- Push mode:
- Version 11.4: patch 11.0p490 and up.
- Version 11.5: patch 11.0p540 and up.
- Version 12.0: patch 12.0p10 and up.
- Pull mode:
- Version 11.4: patch 11.0p490 and up.
- Version 11.5: patch 11.0p540 and up.
- Version 12.0: patch 12.0p10 and up.
- Push mode:
- Prerequisites for connecting Guardium Data Protection for
z/OS® to Guardium Data Security Center are:
- Guardium STAP for z/OS Version 10.1.3 and above
- If you connect to Amazon Web Services (AWS) Aurora PostgreSQL, Amazon Kinesis is required.
- If you connect to Azure, Azure Event Hubs is required.
- Optional:
IBM Guardium Data Security Center for IBM Cloud Pak for Security software requirements
IBM Guardium Data Security Center for IBM Cloud Pak for Security supports IBM Cloud Pak for Security Version 1.10, which includes the version of OpenShift Container Platform that is required by Guardium Data Security Center.
cloudctl case save --case https://github.com/IBM/cloud-pak/raw/master/repo/case/ibm-cp-security-1.0.7.tgz --outputdir <working_directory> --tolerance=1
The requirements for IBM Guardium Data Security Center and IBM Guardium Data Security Center for IBM Cloud Pak for Security are the same - however, if you purchase IBM Guardium Data Security Center for IBM Cloud Pak for Security, you are automatically entitled to install its OpenShift Container Platform.
Container Application Software for Enterprises (CASE) version support
When installing Guardium Data Security Center, find the CASE version that corresponds to the version of Guardium Data Security Center that you are installing. These versions are
outlined in https://github.com/IBM/cloud-pak/blob/master/repo/case/ibm-guardium-insights/index.yaml. For example, if you are installing Guardium Data Security Center version 3.4.0, the appVersion
is
3.4.0, which means that the CASE version is 2.4.0.
Security context constraints (SCC) requirements
OpenShift provides security construct
constraints that control the actions that a pod can perform and what it has the ability to access.
Guardium Data Security Center has been validated with the restricted-v2
SCC, which is installed by default
with OpenShift.
If you have applied a custom SCC, it must not have fewer privileges than the OpenShift
restricted-v2
SCC.
Command line tools
Tools for command line administration of the cluster and Guardium Data Security Center can be accessed from the Red Hat OpenShift Container Platform and IBM Cloud Pak foundational services web consoles. This table details the tools and versions that are required for Guardium Data Security Center:
Tool | Download | Version |
---|---|---|
oc
|
4.10.35 or later | |
kubectl |
https://mirror.openshift.com/pub/openshift-v4/clients/ocp/ | 1.16 or later |
cloudctl |
https://github.com/IBM/cloud-pak-cli/releases | 3.17.0 or later |
openssl |
https://www.openssl.org/source/ | 3.3.1 |
ibm-pak |
https://github.com/IBM/ibm-pak/releases/latest/download/oc-ibm_pak-linux-amd64.tar.gz To install:
|
1.10.0 |
python with PyYAML installed (must have a symbolic link to
python ) |
https://www.python.org/downloads | 3.x or later |
yq | https://github.com/mikefarah/yq/#install | |
docker (or podman ) |
|
|
skopeo (Offline installations only) |
https://github.com/containers/skopeo/blob/master/install.md | 1.0.0 |
|
||
htpasswd (Offline installations only) |
||
Cluster administrator privileges to run the setup scripts | ||
Your login credentials to cp.icr.io
|
Ticketing support
Guardium Data Security Center allows you to connect to these ticketing services:
- IBM Cloud Pak for Security Cases
- IBM Resilient®
- ServiceNow
Browser support
Guardium Data Security Center is supported on Google Chrome, Mozilla Firefox, and Microsoft Edge.
Display resolution
Guardium Data Security Center is best viewed on screen display resolutions of 1024x768 pixels or higher.
External storage allocation for backups
Prior to deploying Guardium Data Security Center and its CR (custom
resource), you must manually create a PersistentVolumeClaim
(PVC) for backup
support (only NFS is supported). It is recommended that the size of the
PersistentVolumeClaim
be 1 terabyte (TB) - and the space on the NFS server should
be set to accommodate roughly 20% of the expected amount of data that is expected to be ingested
each month. See Configuring backup after Guardium Data Security Center installation, which provides examples for NFS storage class installation and provisioning a PVC.
Create the PVC file according to this template (but use values that are needed for your deployment):
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: <GDSCTarget-namespace-name>-backupsupport-pvc
#name of the PVC
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 500Gi # Update storage size, minimum size is 500Gi
storageClassName: managed-nfs-storage # Update you StorageClass name and it must be RWX with 777 writable Permissions
guardiumDataSecurityCenterGlobal:
backupsupport:
enabled: "true"
name: <GDSC_Backup_PVC>
storageClassName: <Storage class>
size: 500Gi
When creating the above backupsupport PVC, name it
<GDSCTargetNamespace-Name>-backupsupport-pvc, where
<GDSCTargetNamespace-Name>
is the namespace to which you are installing Guardium Data Security Center. By default, the Guardium Data Security Center operator will look for a PVC by this name.
After creating the PVC, check the PersistentVolumeClaim
list (for example, run
oc get pvc | grep staging-backupsupport-pvc
) and confirm that the status of your
PVC is Bound
:
oc get pvc | grep staging-backupsupport-pvc
NAME STATUS VOLUME
CAPACITY ACCESS MODES STORAGECLASS AGE
staging-backupsupport-pvc Bound
managed-nfs-storage 6s
If your PVC is properly Bound
and then you deploy Guardium Data Security Center, the status of the deployment will not contain
errors:
oc get guardiumdatasecuritycenter -w
NAME TYPE STATUS REASON MESSAGE
DESIRED_VERSION INSTALLED_VERSION
staging Running True Reconciling Starting
to Reconcile 3.6.0
staging Running True
GuardiumDataSecurityCenterInstallRunning Secret creation
completed 3.6.0
staging Running True
GuardiumDataSecurityCenterInstallRunning Instantiated DB2 CR
3.6.0
staging Running True
GuardiumDataSecurityCenterInstallRunning Instantiated
Postgres Resources 3.6.0
staging Running True
GuardiumDataSecurityCenterInstallRunning Instantiated Redis
Sentinel CR 3.6.0
staging Running True
GuardiumDataSecurityCenterInstallRunning Instantiated MongoDB
CR 3.6.0
If your PVC is not properly Bound
, you will receive error messages, depending on
the nature of the problem:
- If you attempt to deploy Guardium Data Security Center when the PVC
does not exist, the operator will fail with this
message:
oc get guardiumdatasecuritycenter -w NAME TYPE STATUS REASON MESSAGE DESIRED_VERSION INSTALLED_VERSION staging Running True Reconciling Starting to Reconcile 3.6.0 staging Failure True Failed Expecting Manual creation of PVC Name staging-backupsupport- pvc, Go to 'https://www.ibm.com/docs/en/gdsc/3.x?topic=srp-guardium-data-security-center-v36x-system-requirements-prerequisites' 3.6.0 staging Running True Running Running reconciliation
- If the name of your PVC file is not
<GDSCTargetNamespace-Name>-backupsupport-pvc, you will receive the above
error since the Guardium Data Security Center operator will be unable
to find the PVC file. The same error occurs if the name of the manually-created PVC and the Guardium Data Security Center CR
BackupSupport
name do not match. - If backup support is not required, you will receive an error message. In this case, update the
CR to indicate that backup support is not required. For example, include this
setting:
guardiumDataSecurityCenterGlobal: backupsupport: enabled: "false"
- If you attempt to deploy Guardium Data Security Center when the PVC
is not in the
Bound
state, the operator will fail with this message:oc get guardiumdatasecuritycenter -w NAME TYPE STATUS REASON MESSAGE DESIRED_VERSION INSTALLED_VERSION staging Running True Reconciling Starting to Reconcile 3.6.0 staging Failure True Failed Required Backup PVC exists but not ‘Bound’ state. 3.6.0 staging Running True Running Running reconciliation
In addition, the Network File System (NFS) needs to be able to communicate with the cluster running Guardium Data Security Center. The requirements for this are:
- If you are placing backups in a remote destination, a Network File System (NFS) is required.
- The NFS storage class must be installed before installing Guardium Data Security Center.
- A
PersistentVolume
(PV) and aPersistentVolumeClaim
(PVC) need to be created with the NFS storage class before Guardium Data Security Center is installed.
When you are ready to deploy, set the flag for backup support in the installation YAML file for
Guardium Data Security Center. The backup data is stored on the PV
designated by the storageClassName
:
guardiumDataSecurityCenterGlobal:
backupsupport:
enabled: "true"
name: backup-pvc-support # name of the PVC previously created and bound to the external NFS
If the flag for backup support is not set before deployment of Guardium Data Security Center, the backup data is stored internally on the backup POD, and you might run out of internal storage space.