Guardium Insights v3.4.x system requirements and prerequisites

Before you can install IBM® Guardium® Insights, ensure that you have the required hardware, software, and storage. System requirements for IBM Guardium Insights are described in this topic.

Version 3.4.x and later This content only applies to Guardium Insights Version 3.4.x and later.

Guardium Insights is installed on a Red Hat® OpenShift® Container Platform cluster. The requirements for your cluster depends on several factors:

The shared cluster components that you need to install
The number of Guardium Insights instances you plan to install on your cluster
The services that you plan to install on top of Guardium Insights
The types of workloads that you plan to run

Important: Work with your IBM Sales representative to size your cluster.

Some steps in this topic require you to access Red Hat OpenShift Cluster Manager at https://cloud.redhat.com/openshift/install by using your Red Hat account, which can be created freely, without a paid Red Hat subscription entitlement to any IBM offering.

If you do not yet have a Red Hat account, create one for free at https://www.redhat.com/wapps/ugc/register.html before following the remaining instructions.
If you have a Red Hat account, navigate to https://cloud.redhat.com/openshift/install and log in with your account credentials.

Note: When accessing Red Hat OpenShift Cluster Manager, you can safely ignore messages similar to these:

This node's CPU resources are overcommitted. The total CPU resource limit of all pods exceeds the node's total capacity. Pod performance will be throttled under high load.

and

This node's memory resources are overcommitted. The total memory resource limit of all pods exceeds the node's total capacity. The total memory requested is also approaching the node's capacity. Pods will be terminated under high load, and new pods may not be schedulable on this node.

Review the following information to accurately size and configure your cluster:

Hardware cluster requirements
Software prerequisites
- IBM Guardium Insights for IBM Cloud Pak® for Security software requirements
Container Application Software for Enterprises (CASE) version support
Security context constraints (SCC) requirements
Command line tools
Ticketing support
Browser support
Display resolution
External storage allocation for backups

Software prerequisites

To plan your installation of OpenShift Container Platform, see https://access.redhat.com/documentation/en-us/openshift_container_platform/4.16 and https://docs.openshift.com/container-platform/4.16/welcome/index.html.
Red Hat OpenShift Container Platform Version 4.14.x can be downloaded and installed by accessing https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/. Verify that you download Red Hat OpenShift Container Platform Version 4.14.x.
Note: If you have purchased IBM Guardium Insights for IBM Cloud Pak for Security, you are automatically entitled to install its OpenShift Container Platform. See IBM Guardium Insights for IBM Cloud Pak for Security software requirements for more information.
Data mart support: If you connect to IBM Guardium Data Protection (GDP) environments, Guardium data mart version 5 is required.
Data mart ingestion is supported for the following versions of GDP:
- Push mode:
  - Version 11.4: patch 11.0p490 and up.
  - Version 11.5: patch 11.0p540 and up.
  - Version 12.0: patch 12.0p10 and up.
- Pull mode:
  - Version 11.4: patch 11.0p490 and up.
  - Version 11.5: patch 11.0p540 and up.
  - Version 12.0: patch 12.0p10 and up.
When you upgrade your GDP systems to the supported patch levels, re-register your central managers and collectors to Guardium Insights so the v5 data marts are activated.
Prerequisites for connecting Guardium Data Protection for z/OS® to Guardium Insights are:
- Guardium STAP for z/OS Version 10.1.3 and above
If you connect to Amazon Web Services (AWS) Aurora PostgreSQL, Amazon Kinesis is required.
If you connect to Azure, Azure Event Hubs is required.
Optional:

IBM Guardium Insights for IBM Cloud Pak for Security software requirements

IBM Guardium Insights for IBM Cloud Pak for Security supports IBM Cloud Pak for Security Version 1.10, which includes the version of OpenShift Container Platform that is required by Guardium Insights.

Important: When you install IBM Cloud Pak for Security, the repository defaults to its most recent product version. Since Guardium Insights supports only IBM Cloud Pak for Security Version 1.10, you need to manually set the download tags and release to Version 1.10. Alternatively, you can download the Version 1.10 by running the following command.

cloudctl case save --case https://github.com/IBM/cloud-pak/raw/master/repo/case/ibm-cp-security-1.0.7.tgz --outputdir <working_directory> --tolerance=1

The requirements for IBM Guardium Insights and IBM Guardium Insights for IBM Cloud Pak for Security are the same - however, if you purchase IBM Guardium Insights for IBM Cloud Pak for Security, you are automatically entitled to install its OpenShift Container Platform.

Container Application Software for Enterprises (CASE) version support

When installing Guardium Insights, find the CASE version that corresponds to the version of Guardium Insights that you are installing. These versions are outlined in https://github.com/IBM/cloud-pak/blob/master/repo/case/ibm-guardium-insights/index.yaml. For example, if you are installing Guardium Insights version 3.4.0, the appVersion is 3.4.0, which means that the CASE version is 2.4.0.

Security context constraints (SCC) requirements

OpenShift provides security construct constraints that control the actions that a pod can perform and what it has the ability to access. Guardium Insights has been validated with the restricted-v2 SCC, which is installed by default with OpenShift.

If you have applied a custom SCC, it must not have fewer privileges than the OpenShift restricted-v2 SCC.

Command line tools

Tools for command line administration of the cluster and Guardium Insights can be accessed from the Red Hat OpenShift Container Platform and IBM Cloud Pak foundational services web consoles. This table details the tools and versions that are required for Guardium Insights:

Table 1. Tools and versions that are required for Guardium Insights v3.4.x or later
Tool	Download	Version
`oc` `oc login <OCP endpoint>` (Workstation must be logged in to the OpenShift cluster)	4.14.33: https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/4.14.33/openshift-client-linux.tar.gz All v4: https://mirror.openshift.com/pub/openshift-v4/clients/ocp/	4.10.35 or later
`kubectl`	https://mirror.openshift.com/pub/openshift-v4/clients/ocp/	1.16 or later
`cloudctl`	https://github.com/IBM/cloud-pak-cli/releases	3.17.0 or later
`openssl`	https://www.openssl.org/source/	3.3.1
`ibm-pak`	https://github.com/IBM/ibm-pak/releases/latest/download/oc-ibm_pak-linux-amd64.tar.gz To install: `wget https://github.com/IBM/ibm-pak/releases/latest/download/oc-ibm_pak-linux-amd64.tar.gz tar -xf oc-ibm_pak-linux-amd64.tar.gz mv oc-ibm_pak-linux-amd64 /usr/local/bin/oc-ibm_pak oc ibm-pak --help`	1.10.0
`python` with `PyYAML` installed (must have a symbolic link to `python`)	https://www.python.org/downloads	3.x or later
yq	https://github.com/mikefarah/yq/#install
`docker` (or `podman`)	https://hub.docker.com/?overlay=onboarding https://podman.io/docs/installation	`docker`: 17.03 or later `podman`: 4.9.4 or later
`skopeo` (Offline installations only)	https://github.com/containers/skopeo/blob/master/install.md	1.0.0
`ssh-keygen` CLI tool `base64` `cat` `echo` `grep` `awk` `rm` `tr` `cut` `tar`
`htpasswd` (Offline installations only)
Cluster administrator privileges to run the setup scripts
Your login credentials to cp.icr.io CP_REPO_USER="cp" CP_REP_PASS=entitlement key available at https://myibm.ibm.com/products-services/containerlibrary

Note: Some operating systems have SSL by default that is not OpenSSL. Ensure that the correct version of OpenSSL is set to default on your machine.

Ticketing support

Guardium Insights allows you to connect to these ticketing services:

IBM Cloud Pak for Security Cases
IBM Security QRadar SOAR®
ServiceNow

Browser support

Guardium Insights is supported on Google Chrome, Mozilla Firefox, and Microsoft Edge.

Display resolution

Guardium Insights is best viewed on screen display resolutions of 1024x768 pixels or higher.

External storage allocation for backups

Prior to deploying Guardium Insights and its CR (custom resource), you must manually create a PersistentVolumeClaim (PVC) for backup support (only NFS is supported). It is recommended that the size of the PersistentVolumeClaim be 1 terabyte (TB) - and the space on the NFS server should be set to accommodate roughly 20% of the expected amount of data that is expected to be ingested each month. See Configuring backup after Guardium Insights installation, which provides examples for NFS storage class installation and provisioning a PVC.

Create the PVC file according to this template (but use values that are needed for your deployment):

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: <GITarget-namespace-name>-backupsupport-pvc  
#name of the PVC
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 500Gi    # Update storage size, minimum size is 500Gi
  storageClassName: managed-nfs-storage    # Update you StorageClass name and it must be RWX with 777 writable Permissions
guardiumInsightsGlobal:
    backupsupport:
      enabled: "true"
      name: <GI_Backup_PVC>
      storageClassName: <Storage class>
      size: 500Gi

When creating the above backupsupport PVC, name it <GITargetNamespace-Name>-backupsupport-pvc, where <GITargetNamespace-Name> is the namespace to which you are installing Guardium Insights. By default, the Guardium Insights operator will look for a PVC by this name.

After creating the PVC, check the PersistentVolumeClaim list (for example, run oc get pvc | grep staging-backupsupport-pvc) and confirm that the status of your PVC is Bound:

oc get pvc  | grep staging-backupsupport-pvc         
NAME                        STATUS    VOLUME   
CAPACITY   ACCESS MODES   STORAGECLASS         AGE
staging-backupsupport-pvc   Bound                    
managed-nfs-storage       6s

If your PVC is properly Bound and then you deploy Guardium Insights, the status of the deployment will not contain errors:

oc get guardiuminsights -w                           
NAME      TYPE      STATUS   REASON        MESSAGE   
DESIRED_VERSION   INSTALLED_VERSION
staging   Running   True     Reconciling   Starting 
to Reconcile   3.4.0
staging   Running   True     
GuardiumInsightsInstallRunning   Secret creation 
completed   3.4.0
staging   Running   True     
GuardiumInsightsInstallRunning   Instantiated DB2 CR 
3.4.0
staging   Running   True     
GuardiumInsightsInstallRunning   Instantiated 
Postgres Resources   3.4.0
staging   Running   True     
GuardiumInsightsInstallRunning   Instantiated Redis 
Sentinel CR    3.4.0
staging   Running   True     
GuardiumInsightsInstallRunning   Instantiated MongoDB
CR           3.4.0

If your PVC is not properly Bound, you will receive error messages, depending on the nature of the problem:

If you attempt to deploy Guardium Insights when the PVC does not exist, the operator will fail with this message:

oc get guardiuminsights -w 
NAME      TYPE      STATUS   REASON        MESSAGE   
DESIRED_VERSION   INSTALLED_VERSION
staging   Running   True     Reconciling   Starting 
to Reconcile   3.4.0
staging   Failure   True     Failed        Expecting 
Manual creation of PVC Name staging-backupsupport-
pvc, Go to 'https://www.ibm.com/docs/en/guardium-
insights/3.2.x?topic=planning-system-requirements-
prerequisites'   3.4.0
staging   Running   True     Running       Running 
reconciliation

If the name of your PVC file is not <GITargetNamespace-Name>-backupsupport-pvc, you will receive the above error since the Guardium Insights operator will be unable to find the PVC file. The same error occurs if the name of the manually-created PVC and the Guardium Insights CR BackupSupport name do not match.
If backup support is not required, you will receive an error message. In this case, update the CR to indicate that backup support is not required. For example, include this setting:
```
guardiumInsightsGlobal:
    backupsupport:
      enabled: "false"
```

If you attempt to deploy Guardium Insights when the PVC is not in the Bound state, the operator will fail with this message:

oc get guardiuminsights -w 
NAME      TYPE      STATUS   REASON        MESSAGE   
DESIRED_VERSION   INSTALLED_VERSION
staging   Running   True     Reconciling   Starting 
to Reconcile   3.4.0
staging   Failure   True     Failed        Required 
Backup PVC exists but not ‘Bound’ state.   3.4.0
staging   Running   True     Running       Running 
reconciliation

In addition, the Network File System (NFS) needs to be able to communicate with the cluster running GI. The requirements for this are:

If you are placing backups in a remote destination, a Network File System (NFS) is required.
The NFS storage class must be installed before installing Guardium Insights.
A PersistentVolume (PV) and a PersistentVolumeClaim (PVC) need to be created with the NFS storage class before Guardium Insights is installed.

When you are ready to deploy, set the flag for backup support in the installation YAML file for Guardium Insights. The backup data is stored on the PV designated by the storageClassName:

Example:

guardiumInsightsGlobal:
    backupsupport:
    enabled: "true"
    name: backup-pvc-support # name of the PVC previously created and bound to the external NFS

Warning: You cannot add external storage after deploying Guardium Insights.

If the flag for backup support is not set before deployment of Guardium Insights, the backup data is stored internally on the backup POD, and you might run out of internal storage space.