You can set up IBM® Guardium® Cryptography Manager in a
High Availability (HA) environment for redundancy.
Before you begin
- Ensure external database support is available.
- Set up MongoDB and PostgreSQL clusters in HA mode.
About this task
Complete the following HA setup steps before you install
Guardium Cryptography Manager. Deploy each service with two
replicas for redundancy. The setup uses two servers: one hosts
Guardium Cryptography Manager and the other hosts the external
databases.
Note: Additionally, due to increased database requirements and the
need for higher throughput for the Key Management Interoperability
Protocol (KMIP) server, configure three replicas for the KMIP server.
For information on KMIP performance metrics, see KMIP Performance metrics.
Procedure
- Create a namespace
- Create SSL certificate secrets
  - Create Kubernetes secrets for the PostgreSQL and MongoDB certificates in the
    gcmapp namespace.

    PostgreSQL certificate secret:

        kubectl create secret generic postgres-external-cert \
          --from-file=tls.crt=<postgres-cert-name> \
          --namespace="gcmapp" \
          --dry-run=client -o yaml | kubectl apply -f -

    MongoDB certificate secret:

        kubectl create secret generic mongo-external-cert \
          --from-file=tls.crt=<mongodb-cert-name> \
          --namespace="gcmapp" \
          --dry-run=client -o yaml | kubectl apply -f -
    Note: If the external database runs in High Availability (HA) mode with Disaster
    Recovery (DR) instances, the certificate's Subject Alternative Name (SAN) field must
    list every host name that a client can connect to, or contain a wildcard entry that
    covers the domain name. Otherwise TLS verification fails when a client fails over to
    a host that is not named in the certificate.
- Create database credentials secrets (if applicable)
  - If you are using custom database usernames or passwords, create the respective secrets.
  - PostgreSQL credentials:

        kubectl create secret generic "gcm-postgres-secret" \
          --namespace="gcmapp" \
          --from-literal=DB_USER=<db-user> \
          --from-literal=DB_PASSWORD=<db-password> \
          --dry-run=client -o yaml | kubectl apply -f -

  - MongoDB credentials:

        kubectl create secret generic "gcm-mongodb-secret" \
          --namespace="gcmapp" \
          --from-literal=MONGO_DB_USERNAME=<db-user> \
          --from-literal=MONGO_DB_PASSWORD=<db-password> \
          --dry-run=client -o yaml | kubectl apply -f -
- Change the endpoint values
  - Configure two replicas for each service.
  - KMIP server: configure three replicas to support higher throughput and availability.
  - In global-values.yaml, update the PostgreSQL and MongoDB endpoints to the IP
    address of the database server.
- Install Guardium Cryptography Manager with the external databases. For more
  information, see Installing IBM Guardium Cryptography Manager.
- External database connection
  - Set externalPostgres and externalMongoDB to true in global-values.yaml:

        postgres:
          externalPostgres: true
          endpoint: postgres
          port: 5432
          dbName: gem_postgres
          #Enter 3 hostname and port number pairs: <postgres host name1:port number>, <postgres host name2:port number>, <postgres host name3:port number>
          hosts: postgres:5432
          targetServerType: primary
        kafka:
          endpoint: kafka
          port: 9092
        mongodb:
          externalMongoDB: true
          endpoint: mongodb
          port: 27017
          dbName: tenant_manager
          #Enter 3 hostname and port number pairs: <mongodb host name1:port number>, <mongodb host name2:port number>, <mongodb host name3:port number>
          hosts: mongodb:27017
          readPreference: primary
        redis:
          port: 6379
          endpoint: redis
- After you configure the external database secrets and certificates, deploy the Guardium Cryptography Manager application on the other
server. For more information, see Installing IBM Guardium Cryptography Manager.
- After installation, take a backup of the setup.
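The two settings that most often break an HA deployment are the hosts strings in global-values.yaml (three host:port pairs per database) and the SAN coverage of the certificates stored in the secrets (the HA/DR note above). The following is an added pre-install check, not IBM's code: it parses the hosts strings and verifies that every host name is covered by a DNS SAN entry, honouring wildcards. The SAN string is the value printed by openssl x509 -noout -ext subjectAltName; the host names, ports and SAN entries below are constructed sample values.

```python
import re

# Constructed sample values (placeholders, not from any real deployment).
POSTGRES_HOSTS = "pg1.db.example.com:5432,pg2.db.example.com:5432,pg3.db.example.com:5432"
POSTGRES_SAN = "DNS:*.db.example.com, IP Address:10.0.0.5"
MONGO_HOSTS = "mongo1.db.example.com:27017,mongo2.db.example.com:27017,mongo-dr.other.example.com:27017"
MONGO_SAN = "DNS:mongo1.db.example.com, DNS:mongo2.db.example.com"


def parse_hosts(hosts, expected=3):
    """Split a global-values.yaml `hosts` string into (host, port) pairs and
    require exactly `expected` entries (three, as the HA procedure states)."""
    pairs = []
    for item in hosts.split(","):
        host, sep, port = item.strip().rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"malformed host:port pair: {item!r}")
        pairs.append((host, int(port)))
    if len(pairs) != expected:
        raise ValueError(f"expected {expected} host:port pairs, got {len(pairs)}")
    return pairs


def parse_san_line(san_line):
    """Turn the subjectAltName value printed by openssl into bare names,
    dropping the `DNS:` / `IP Address:` type prefixes."""
    return [re.sub(r"^(DNS|IP Address|IP):\s*", "", e.strip())
            for e in san_line.split(",") if e.strip()]


def san_covers(san_entry, hostname):
    """Match one SAN entry against a host name the way TLS clients do
    (RFC 6125): a wildcard replaces only the left-most label, never a dot."""
    entry, host = san_entry.lower(), hostname.lower()
    if entry.startswith("*."):
        suffix = entry[1:]                                   # ".db.example.com"
        prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
        return prefix != "" and "." not in prefix
    return entry == host


def uncovered_hosts(hosts, sans):
    """Host names from `hosts` that no SAN entry covers. A non-empty result
    means TLS verification fails when a pod fails over to that replica."""
    return [h for h, _ in parse_hosts(hosts) if not any(san_covers(s, h) for s in sans)]


if __name__ == "__main__":
    for name, hosts, san in (("postgres", POSTGRES_HOSTS, POSTGRES_SAN),
                             ("mongodb", MONGO_HOSTS, MONGO_SAN)):
        missing = uncovered_hosts(hosts, parse_san_line(san))
        print(f"{name}: {'ok' if not missing else 'not in SAN: ' + ', '.join(missing)}")
```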