
Getting started with Hyper Protect Offline Signing Orchestrator

IBM® Hyper Protect Offline Signing Orchestrator (Offline Signing Orchestrator) is a cold storage solution that is deployed in IBM Hyper Protect Virtual Servers built on IBM Z® and LinuxONE. It brokers communications between two applications that are designed not to communicate directly, so the transfer no longer depends on human intervention, which otherwise requires privileged admin access, adds operational cost and the risk of error, and does not scale. For more information about the architecture, see Architecture overview.

This topic outlines the high-level steps on how to install and configure the Offline Signing Orchestrator.

  • Before you begin
  • Step 1: Download and extract the package
  • Step 2: Set up the environment
  • Step 3: Initialize the Hyper Protect Offline Signing Orchestrator
  • Step 4: Audit documents
  • Step 5: Start a signing iteration

Before you begin

To use Hyper Protect Offline Signing Orchestrator, ensure that you meet the System requirements.

Decide on the Frontend and Backend plug-ins you want to use. For more information, see Customer-created plug-ins.

Step 1: Download and extract the package

You can download the Hyper Protect Offline Signing Orchestrator package from IBM Passport Advantage.

  1. Log in to the IBM Passport Advantage website by using your IBM account ID and password. Contact your sales representative if you do not have one.

  2. Go to My Programs, and then select the Hyper Protect Offline Signing Orchestrator.

  3. Download the image of version 1.4.0, part number M0N14EN; the name of the downloaded file is IBM_HPOSO_OnPrem_v1.4.0_EN.tgz

  4. Create a directory to store the Hyper Protect Offline Signing Orchestrator image, and extract the compressed file by using the following commands:

    mkdir /opt/<installation_directory>
    cd /opt/<installation_directory>
    tar -zxvf IBM_HPOSO_OnPrem_v1.4.0_EN.tgz
    

    The compressed IBM_HPOSO_OnPrem_v1.4.0_EN.tgz file consists of the following files:

    • oso_v1.4.0.tgz
    • oso_v1.4.0.tgz.sig

    Note: To download the public key issued by IBM, visit OSO_GPG_Key 1.4.0

  5. To verify the integrity of the Hyper Protect Offline Signing Orchestrator image tgz file, run the following commands with the detached signature file (.sig suffix), the public key file that you downloaded (the .pem file, shown here as osoGpgPublicKey), and the image tgz file. gpg returns a non-zero exit status if verification fails. Also confirm that the key fingerprint that gpg reports is the fingerprint of the key you downloaded from IBM, so that a good signature from some other key in your keyring is not accepted by mistake.

    gpg --import osoGpgPublicKey
    gpg --verify oso_v1.4.0.tgz.sig oso_v1.4.0.tgz
    
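As an added example (not IBM's code and not part of the package), the following Python script performs the same import-and-verify step non-interactively and refuses the package unless gpg reports a valid signature from the expected key. It reads gpg's machine-readable status lines instead of the human-oriented "Good signature" text. The file names follow the page; EXPECTED_FPR is a placeholder to be replaced with the fingerprint of the key downloaded from IBM.

```python
"""Added example (not IBM's code): verify the downloaded package signature
non-interactively and fail closed.

Assumptions not on the page: file names follow the page (oso_v1.4.0.tgz,
oso_v1.4.0.tgz.sig, public key saved as osoGpgPublicKey), and EXPECTED_FPR is
the fingerprint of IBM's signing key as read from the downloaded key; the value
below is a placeholder, not IBM's real fingerprint.
"""
import subprocess
import tempfile

EXPECTED_FPR = "0000000000000000000000000000000000000000"  # placeholder, replace


def validsig_fingerprint(status_output):
    """Return the fingerprint from gpg's VALIDSIG status line, or None.
    GOODSIG carries only a key ID, which can be made to collide; VALIDSIG
    carries the full fingerprint of the key that produced a good signature."""
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            return fields[2].upper()
    return None


def signature_matches(status_output, expected_fpr):
    """True only if a VALIDSIG line names the expected key."""
    fpr = validsig_fingerprint(status_output)
    return fpr is not None and fpr == expected_fpr.upper()


def verify_package(pubkey, sig, tgz, expected_fpr=EXPECTED_FPR):
    """Import the key into a throwaway keyring and verify the detached signature.
    Returns True on a good signature from the expected key, False otherwise.
    --status-fd 1 sends gpg's machine-readable status lines to stdout."""
    with tempfile.TemporaryDirectory() as home:
        base = ["gpg", "--homedir", home, "--batch", "--no-tty"]
        subprocess.run(base + ["--quiet", "--import", pubkey],
                       check=True, capture_output=True)
        proc = subprocess.run(base + ["--status-fd", "1", "--verify", sig, tgz],
                              capture_output=True, text=True)
    # gpg exits non-zero on BADSIG or a missing key; the VALIDSIG check also
    # rejects a good signature made by some key other than the expected one.
    return proc.returncode == 0 and signature_matches(proc.stdout, expected_fpr)


if __name__ == "__main__":
    ok = verify_package("osoGpgPublicKey", "oso_v1.4.0.tgz.sig", "oso_v1.4.0.tgz")
    print("signature OK" if ok else "SIGNATURE CHECK FAILED; do not extract the image")
    raise SystemExit(0 if ok else 1)
```

Run it in the directory that holds the extracted files after replacing EXPECTED_FPR; a non-zero exit status means the image must not be extracted or deployed.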

Step 2: Set up the environment

As a System Administrator, you need to configure LPAR resources, HiperSockets, initial VLAN, users, storage pool, logging, and Docker registry, perform the attestation, and create contracts. For more information, see Setting up the environment.

Step 3: Initialize the Hyper Protect Offline Signing Orchestrator

As an Operator, you can initialize the Hyper Protect Offline Signing Orchestrator:

POST {CONDUCTOR_ENDPOINT}/api/signing-conductor/admin/v1alpha1/init

The Operator can also run the initialization with the oso_cli.py script. For more information, see Deploying with oso_cli.py script.

For more information about Operator roles, see Operator.

Step 4: Audit documents

Auditors can view and approve documents that are contained in the confirmation queues:

GET {UI_ENDPOINT}/api/pre/v1alpha1/audit/documents
GET {UI_ENDPOINT}/api/pre/v1alpha1/audit/{DOC_ID}
POST {UI_ENDPOINT}/api/pre/v1alpha1/audit/{DOC_ID}/approve
POST {UI_ENDPOINT}/api/pre/v1alpha1/audit/{DOC_ID}/deny
GET {UI_ENDPOINT}/api/post/v1alpha1/audit/documents
GET {UI_ENDPOINT}/api/post/v1alpha1/audit/{DOC_ID}
POST {UI_ENDPOINT}/api/post/v1alpha1/audit/{DOC_ID}/approve
POST {UI_ENDPOINT}/api/post/v1alpha1/audit/{DOC_ID}/deny
POST {UI_ENDPOINT}/api/pre/v1alpha1/audit/documents/approve
POST {UI_ENDPOINT}/api/pre/v1alpha1/audit/documents/deny

You can also manage the documents in Offline Signing Orchestrator UI console. For more information, see Managing documents.

For more information, see Auditor.

Step 5: Start a signing iteration

After the release time of the Preconfirmation queue has elapsed, the Operator can start a signing iteration:

POST {UI_ENDPOINT}/api/admin/v1alpha1/run

You can also start a signing iteration in Offline Signing Orchestrator UI console. For more information, see Signing iteration.

For more information, see Operator.
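Steps 3 to 5 driven end to end, as an added example that is not part of the IBM documentation or of the oso_cli.py script. It assumes JSON request and response bodies, a document listing that is a JSON array of objects with an id field, and bearer-token authentication; none of this is stated on the page. The FakeOso class is a constructed in-memory stand-in so the example runs offline, its document fields are invented, and the policy callback is a placeholder for the Auditor's real review criteria.

```python
"""Added example, not IBM's code or the page's oso_cli.py: drives the Step 3 to
Step 5 sequence (init, audit, run) over the endpoints listed on the page.
Assumed, not stated on the page: JSON bodies, a document listing that is a
JSON array of objects with an "id" field, and a bearer token for auth. FakeOso
is a constructed stand-in so the example runs offline; omit `transport` to
talk to real endpoints."""
import json
import urllib.request


class OsoClient:
    """Thin client over the endpoints listed on the page."""

    def __init__(self, conductor_endpoint, ui_endpoint, token, transport=None):
        self.conductor = conductor_endpoint.rstrip("/")
        self.ui = ui_endpoint.rstrip("/")
        self.token = token
        self.send = transport or self._http
        self.calls = []  # every (method, url) issued, for the operator's own records

    def _http(self, method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def _call(self, method, url, body=None):
        self.calls.append((method, url))
        return self.send(method, url, body)

    def init(self):  # Step 3: Operator, conductor endpoint
        return self._call("POST", f"{self.conductor}/api/signing-conductor/admin/v1alpha1/init")

    def list_documents(self, queue):  # Step 4: Auditor; queue is "pre" or "post"
        return self._call("GET", f"{self.ui}/api/{queue}/v1alpha1/audit/documents")

    def get_document(self, queue, doc_id):
        return self._call("GET", f"{self.ui}/api/{queue}/v1alpha1/audit/{doc_id}")

    def decide(self, queue, doc_id, action):  # action is "approve" or "deny"
        return self._call("POST", f"{self.ui}/api/{queue}/v1alpha1/audit/{doc_id}/{action}")

    def start_iteration(self):  # Step 5: Operator, after the queue's release time has elapsed
        return self._call("POST", f"{self.ui}/api/admin/v1alpha1/run")


def audit_queue(client, queue, policy):
    """Fetch each document individually before deciding; the listing (as assumed
    here) carries only IDs, so it is not enough to approve from."""
    decisions = {}
    for entry in client.list_documents(queue):
        doc_id = entry["id"]
        action = "approve" if policy(client.get_document(queue, doc_id)) else "deny"
        client.decide(queue, doc_id, action)
        decisions[doc_id] = action
    return decisions


def run_workflow(client, policy, queue="pre"):
    """Steps 3 to 5 in order: init, audit the queue, then start the iteration."""
    client.init()
    decisions = audit_queue(client, queue, policy)
    return {"decisions": decisions, "iteration": client.start_iteration()}


class FakeOso:
    """Constructed in-memory stand-in for the service (used as `transport`) with
    two made-up pre-confirmation documents; the fields are invented for the demo."""

    def __init__(self):
        self.docs = {"pre": {"doc-1": {"id": "doc-1", "destination": "0xabc", "amount": 5},
                             "doc-2": {"id": "doc-2", "destination": "0xdef", "amount": 500}},
                     "post": {}}
        self.initialized, self.iterations, self.decisions = False, 0, {}

    def __call__(self, method, url, body):
        parts = url.split("/api/", 1)[1].split("/")
        if method == "POST" and parts == ["signing-conductor", "admin", "v1alpha1", "init"]:
            self.initialized = True
            return {"status": "initialized"}
        if method == "POST" and parts == ["admin", "v1alpha1", "run"]:
            if not self.initialized:
                raise RuntimeError("signing iteration requested before init")
            self.iterations += 1
            return {"iteration": self.iterations}
        queue, _, _, doc_id, *action = parts  # <queue>/v1alpha1/audit/<doc_id>[/<action>]
        docs = self.docs[queue]
        if method == "GET" and doc_id == "documents":
            return [{"id": d} for d in docs]
        if method == "GET" and not action:
            return docs[doc_id]
        if method == "POST" and action in (["approve"], ["deny"]):
            self.decisions[doc_id] = action[0]
            return {"id": doc_id, "decision": action[0]}
        raise ValueError(f"unsupported request: {method} {url}")


if __name__ == "__main__":
    demo = OsoClient("https://conductor.example", "https://ui.example", "token", transport=FakeOso())
    print(run_workflow(demo, policy=lambda doc: doc["amount"] <= 100))
```

In a real deployment the init and run calls are made by the Operator and the audit calls by the Auditor, so use separate OsoClient instances with each role's own credentials rather than the single token of the demo, and replace the amount threshold with the Auditor's actual review criteria.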