You can install the IBM Security Guardium Key Lifecycle Manager
container on a Red Hat® OpenShift® cluster. You can use the provided
Helm charts for the installation.
Before you begin
- Install a Red Hat OpenShift Container Platform cluster
  - Obtain Red Hat OpenShift Container Platform Version 4.2 or later.
  - Review the minimum system requirements. For more information, see the Support matrix.
  - Install an OpenShift Container Platform cluster, and ensure that it is up and running. You can access the Red Hat OpenShift documentation here: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.3/
  - If you plan to implement horizontal scaling, configure an internal or external load balancer to distribute the incoming traffic to the IBM Security Guardium Key Lifecycle Manager containers.
- Obtain the Red Hat OpenShift command line (CLI) tool
  - Obtain the oc command line tool for your version of Red Hat OpenShift Container Platform and your operating system. For instructions, see https://docs.openshift.com/container-platform/4.3/cli_reference/openshift_cli/getting-started-cli.html.
- Install the database
  - You can use IBM® Db2U Standard Edition Version 11.5 or PostgreSQL Version 10.
  - To install IBM Db2U, see Installing Db2 on a Red Hat OpenShift cluster. Then, upload the license for IBM Db2U. For more information, see Upgrading your Db2 Community Edition license certificate key.
- Obtain the Helm charts
  - Install Helm on the system from which you will access the cluster. For more information, see https://helm.sh/docs/intro/install/. For information about the supported Helm version, see the Support matrix.
  - From the IBM Security Guardium Key Lifecycle Manager utilities page, download the file (openshift-helm.zip) that contains the sample Helm charts for installing the IBM Security Guardium Key Lifecycle Manager container.
- Obtain the container installation files (eImages) and license activation file
  - Obtain the container installation files (eImages) for IBM Security Guardium Key Lifecycle Manager from IBM Passport Advantage. For more information, see Installation images for containerized platforms.
  - Extract the container installation files to a local repository directory. You need to provide the location of this directory in the values.yaml file in the chart. You can avoid downloading the container installation files if you plan to pull the container image directly from the Docker Hub repository.
- Install IBM License Service
  - Install the IBM License Service. For instructions, see the relevant section in License Service for stand-alone products.
  - Verify the installation by running the following commands:
    # oc get pods --namespace ibm-common-services
    # oc get service --namespace ibm-common-services
    # oc get secret ibm-licensing-token -o jsonpath={.data.token} -n ibm-common-services | base64 -d
    Note down the host, port, and service token values from the command output; you update them in the Helm charts file.
  - Update the following parameters in the sample Helm charts (openshift-helm.zip):
    config:
      sklmapp_license:
        license_service_host
        license_service_port
    secret:
      license_service_token
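The three License Service values above end up in two different places in the chart (a plain config value for host and port, a secret for the token), so it is easy to paste the token into the wrong block or leave the port quoted. The following POSIX shell snippet is an added example, not IBM's code or part of openshift-helm.zip: render_license_values prints a Helm values override with the page's parameter names, and collect_license_values reads host, port and token from a cluster the way the verification commands above do. The function names, the in-cluster host form <service>.<namespace>.svc, and the license-values.yaml file name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not IBM's code). Assumed: the chart keys config.sklmapp_license.
# license_service_host / license_service_port and secret.license_service_token, as
# listed on the page; that the host may be given as the in-cluster service DNS name.

# Pure function: print a values override for a given host, port and token.
# Refuses to emit a file with any field empty, so a missing token is caught
# before "helm install" rather than in a failing pod.
render_license_values() {
  host="$1"; port="$2"; token="$3"
  [ -n "$host" ] && [ -n "$port" ] && [ -n "$token" ] || {
    echo "render_license_values: host, port and token are all required" >&2
    return 1
  }
  case "$port" in ''|*[!0-9]*)
    echo "render_license_values: port must be numeric, got '$port'" >&2
    return 1 ;;
  esac
  printf '%s\n' \
    "config:" \
    "  sklmapp_license:" \
    "    license_service_host: \"$host\"" \
    "    license_service_port: $port" \
    "secret:" \
    "  license_service_token: \"$token\""
}

# Cluster-backed variant: needs a logged-in oc session. $2 is the License
# Service's Service name as shown by "oc get service -n ibm-common-services".
collect_license_values() {
  ns="${1:-ibm-common-services}"
  svc="$2"
  [ -n "$svc" ] || { echo "usage: collect_license_values <namespace> <service>" >&2; return 1; }
  host="$svc.$ns.svc"   # assumption: in-cluster DNS name is acceptable as the host
  port=$(oc get service "$svc" -n "$ns" -o jsonpath='{.spec.ports[0].port}')
  token=$(oc get secret ibm-licensing-token -n "$ns" -o jsonpath='{.data.token}' | base64 -d)
  render_license_values "$host" "$port" "$token"
}

# Usage (only when explicitly requested, so the file can also be sourced):
#   SKLM_RUN=1 LICENSE_SVC=<service name> sh license-values.sh > license-values.yaml
if [ "${SKLM_RUN:-0}" = 1 ]; then
  collect_license_values "${LICENSE_NS:-ibm-common-services}" "${LICENSE_SVC:-}"
fi
```

Pass the generated file to Helm with -f so the token never has to be edited into the sample values.yaml by hand, and keep the file out of version control: it contains the License Service bearer token in clear text.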
Procedure
Complete the following steps on the system on which you installed the common tools:
- Obtain the login token.
  - Log in to the OpenShift Container Platform.
  - Click the Display Token link.
  - Copy the Login command that is displayed under Log in with this token.
  - Use the copied command to connect to the OCP server by using the command line tool (oc).
- Extract the openshift-helm.zip file.
- In the directory where you extracted the files, navigate to the directory.
- Create the Security Context Constraint (SCC). Run the following command:
  oc apply -f liberty_scc.yaml
  The following output is displayed:
  securitycontextconstraints.security.openshift.io/ibm-websphere-scc configured
- Create the WebSphere service account and bind ibm-websphere-scc to the project.
  #oc create serviceaccount websphere -n <project name>
  For example:
  #oc create serviceaccount websphere -n sklmdb2
  Output is like:
  serviceaccount/websphere created
  #oc adm policy add-scc-to-user ibm-websphere-scc -z websphere -n <project name>
  For example:
  #oc adm policy add-scc-to-user ibm-websphere-scc -z websphere -n sklmdb2
  The following output is displayed:
  securitycontextconstraints.security.openshift.io/ibm-websphere-scc added to: ["system:serviceaccount:aaa:websphere"]
- Open the values.yaml file and modify the parameter values in the file as per your requirement. The file has information about the mandatory parameters to be updated and a description of all the parameters.
- Optional: Provide the number of IBM Security Guardium Key Lifecycle Manager containers that you want in your deployment by specifying the value for the replicas parameter. For example:
  replicas: 3
  Note: The maximum number of IBM Security Guardium Key Lifecycle Manager containers that you can scale to is 5. The recommended number of IBM Security Guardium Key Lifecycle Manager containers is 3.
- Navigate to the openshift-helm directory and run the following command:
  helm install sklmapp
  Note: Use the helm command syntax that matches the versions of your operating system and CLI tools.
- Verify the installation.
  - Log in to the Red Hat OpenShift Container Platform.
  - In the left pane, expand . A new pod for the application is created with the status Running.
- To access the application, create a route.
  - In the left pane, expand , and click Create Route.
  - Specify values for the properties on the page. Ensure that you specify the following property settings:
    - Name: sklmapp-route
    - Service: sklmapp
    - Target port: 9443 -> 9443 (TCP)
    - Security: Select the Secure route check box.
    - TLS Termination: Passthrough
    - Insecure Traffic: Redirect
  - Click Create. The application URL is generated and displayed in the Location field.
- Copy the application URL.
- Launch the IBM Security Guardium Key Lifecycle Manager graphical user interface by using the copied application URL.
- Log in to the IBM Security Guardium Key Lifecycle Manager graphical user interface with the Administrator user credentials (for example, sklmadmin).
- Activate the IBM Security Guardium Key Lifecycle Manager license. For instructions, see Trying IBM Security Guardium Key Lifecycle Manager trial version and activating a purchased license.
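The cluster-side steps of the procedure (apply the SCC, create and bind the service account, run helm install, create the route) are repeated for every environment, and the route is the part most often set up inconsistently because it is done in the console. The following POSIX shell script is an added example, not IBM's code or part of the sample charts: sklm_route_manifest prints a Route manifest equivalent to the console settings above (passthrough TLS, insecure traffic redirected, target port 9443), sklm_check_replicas enforces the 1 to 5 replica range stated in the procedure, and sklm_prepare_project and sklm_deploy wrap the oc and helm commands from the page. Assumptions made for the example: Helm 3 syntax (helm install <release> <chart>), that replicas is a top-level key in values.yaml, that liberty_scc.yaml sits in the chart directory, and the function and variable names themselves.

```shell
#!/bin/sh
# Added example (not IBM's code). Assumed: Helm 3, chart in ./openshift-helm with
# liberty_scc.yaml beside it, top-level "replicas" key in values.yaml.

# Pure: print a Route manifest matching the console settings on the page.
# Passthrough means the router does not terminate TLS: the certificate clients
# see is the one served by the sklmapp container itself.
sklm_route_manifest() {
  name="${1:-sklmapp-route}"; service="${2:-sklmapp}"; port="${3:-9443}"
  cat <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: $name
spec:
  to:
    kind: Service
    name: $service
  port:
    targetPort: $port
  tls:
    termination: passthrough
    insecureEdgeTerminationPolicy: Redirect
EOF
}

# Pure: accept only an integer replica count between 1 and the documented maximum of 5.
sklm_check_replicas() {
  n="$1"
  case "$n" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$n" -ge 1 ] && [ "$n" -le 5 ]; then return 0; else return 1; fi
}

# Cluster steps; need the oc session from the "Obtain the login token" step.
sklm_prepare_project() {
  project="$1"; chart_dir="$2"
  oc apply -f "$chart_dir/liberty_scc.yaml"
  oc create serviceaccount websphere -n "$project"
  oc adm policy add-scc-to-user ibm-websphere-scc -z websphere -n "$project"
}

sklm_deploy() {
  project="$1"; release="$2"; chart_dir="$3"; replicas="$4"; extra_values="$5"
  sklm_check_replicas "$replicas" || { echo "replicas must be 1..5, got '$replicas'" >&2; return 1; }
  if [ -n "$extra_values" ]; then
    helm install "$release" "$chart_dir" -n "$project" --set replicas="$replicas" -f "$extra_values"
  else
    helm install "$release" "$chart_dir" -n "$project" --set replicas="$replicas"
  fi
  # Create the route from the manifest instead of the console; idempotent via apply.
  sklm_route_manifest sklmapp-route sklmapp 9443 | oc apply -n "$project" -f -
  # Print the generated application host (the console's Location field).
  oc get route sklmapp-route -n "$project" -o jsonpath='{.spec.host}'; echo
}

# Entry point, only when explicitly requested so the functions can be sourced.
#   SKLM_RUN=1 PROJECT=sklmdb2 REPLICAS=3 sh deploy-sklm.sh
if [ "${SKLM_RUN:-0}" = 1 ]; then
  sklm_prepare_project "${PROJECT:-sklmdb2}" "${CHART_DIR:-./openshift-helm}"
  sklm_deploy "${PROJECT:-sklmdb2}" "${RELEASE:-sklmapp}" "${CHART_DIR:-./openshift-helm}" \
              "${REPLICAS:-3}" "${EXTRA_VALUES:-}"
fi
```

Because the route uses passthrough termination, the router never sees plaintext and cannot re-sign the connection; this is why the CA-signed server certificate mentioned under What to do next is what clients will actually validate, and why the insecure-traffic Redirect setting matters: without it an http:// URL would not be bounced to https.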
What to do next
- From the Welcome page, configure the drive types, keys, and certificates that your organization
requires, or get started with using the product. See Administering.
- (Optional) Enhance secure communication between the client and the IBM Security Guardium Key Lifecycle Manager server by using a CA-signed certificate. See Importing a server certificate.