System requirements

Software, hardware, and system configuration settings that are required for setting up a Hyper Protect Virtual Server offering.

Hardware requirements for the Linux management server

The x86 or Linux on IBM Z/LinuxONE (i.e., s390x architecture) management server is used to download the Hyper Protect Virtual Server installation binary and to install the IBM Hyper Protect Virtual Servers CLI tool.

Table 1. 64-bit x86 or Linux on IBM Z/LinuxONE (i.e., s390x architecture) management server requirements

Minimal requirement
2 or more x86 Linux cores with at least 2.4 GHz, or 1 Integrated Facility for Linux (IFL) on IBM Z or LinuxONE
8 GB RAM
150 GB disk space
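As an added example (not part of the IBM documentation or the Hyper Protect Virtual Servers tooling), the following Python script checks a Linux management server against the Table 1 minimums. It reads /proc/cpuinfo and /proc/meminfo and the free space on the install path; the install path defaulting to / and the use of decimal GB are assumptions, and the parse and check functions are separated from the host reads so they can be exercised on constructed input.

```python
"""Pre-flight check of a management server against the Table 1 minimums.

Added example, not part of the IBM Hyper Protect Virtual Servers tooling.
The parse_* and check_* functions work on text and values so they can be
exercised offline; gather_and_check() reads the live Linux host.
"""
import platform
import re
import shutil

# Minimums from Table 1 on this page.
MIN_X86_CORES = 2
MIN_X86_MHZ = 2400.0
MIN_S390X_IFLS = 1
MIN_RAM_GB = 8.0
MIN_DISK_GB = 150.0


def parse_cpuinfo(text):
    """Return (cpu count, highest 'cpu MHz' seen or None) from /proc/cpuinfo text.

    Handles both the x86 layout ('processor\t: 0') and the s390x layout
    ('# processors : 2' plus 'processor 0: version = ...' lines).
    """
    m = re.search(r"^# processors\s*:\s*(\d+)", text, re.MULTILINE)
    if m:
        count = int(m.group(1))
    else:
        count = len(re.findall(r"^processor\s*\d*\s*:", text, re.MULTILINE))
    mhz = [float(v) for v in re.findall(r"^cpu MHz\s*:\s*([\d.]+)", text, re.MULTILINE)]
    return count, (max(mhz) if mhz else None)


def parse_meminfo(text):
    """Return MemTotal from /proc/meminfo text in decimal GB (kB * 1024 / 1e9)."""
    m = re.search(r"^MemTotal:\s*(\d+)\s*kB", text, re.MULTILINE)
    if not m:
        raise ValueError("MemTotal not found in meminfo text")
    return int(m.group(1)) * 1024 / 1e9


def check_requirements(arch, cpus, mhz, ram_gb, disk_gb):
    """Compare measured values with Table 1; return a list of shortfalls (empty = OK)."""
    problems = []
    if arch == "s390x":
        if cpus < MIN_S390X_IFLS:
            problems.append(f"need at least {MIN_S390X_IFLS} IFL, found {cpus}")
    else:
        if cpus < MIN_X86_CORES:
            problems.append(f"need at least {MIN_X86_CORES} x86 cores, found {cpus}")
        # 'cpu MHz' reports the current (possibly scaled) frequency, so treat it as advisory.
        if mhz is not None and mhz < MIN_X86_MHZ:
            problems.append(f"cores should be at least {MIN_X86_MHZ:.0f} MHz, highest seen {mhz:.0f} MHz")
    if ram_gb < MIN_RAM_GB:
        problems.append(f"need at least {MIN_RAM_GB:.0f} GB RAM, found {ram_gb:.1f} GB")
    if disk_gb < MIN_DISK_GB:
        problems.append(f"need at least {MIN_DISK_GB:.0f} GB free disk, found {disk_gb:.1f} GB")
    return problems


def gather_and_check(install_path="/"):
    """Read the live host (Linux only) and return the list of shortfalls."""
    with open("/proc/cpuinfo") as f:
        cpus, mhz = parse_cpuinfo(f.read())
    with open("/proc/meminfo") as f:
        ram_gb = parse_meminfo(f.read())
    # Free space on the path where the installation binary and CLI will live (assumed "/").
    disk_gb = shutil.disk_usage(install_path).free / 1e9
    return check_requirements(platform.machine(), cpus, mhz, ram_gb, disk_gb)


if __name__ == "__main__":
    issues = gather_and_check()
    print("OK: management server meets the Table 1 minimums" if not issues else "\n".join(issues))
```

On an IBM Z or LinuxONE host, platform.machine() returns s390x and the core count is compared with the IFL minimum instead of the x86 core and frequency minimums.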

Hardware requirements for Secure Service Container partition

You can configure Secure Service Container partitions on the following IBM Z and LinuxONE systems.

  • IBM z16 (z16) (machine type 3931)
  • IBM z15 (z15) (machine type 8561 or 8562)
  • IBM z14 (z14) (machine type 3906 or 3907)
  • IBM LinuxONE III (LinuxONE III)
  • IBM LinuxONE Emperor II (Emperor II), or IBM LinuxONE Rockhopper II (Rockhopper II)

The suggested practice is to use the latest available firmware for Secure Service Container, which is identified by the engineering changes (ECs) in the following table. To find the latest available EC microcode control levels (MCLs) for Secure Service Container, use the instructions for hardware updates in "Prerequisites for using Secure Service Container" after you download the Secure Service Container User's Guide from the About topic.

Table 2. Engineering changes by machine type

Machine type 3931
  Version / Driver: Version 2.16.0, Driver 51
  Bundle: S08a or later
  Engineering changes:
  • SE-BCBASE P30743
  • SE-BCBOOT P30744
  • SE-BCINST P30754

Machine type 8561 or 8562
  Version / Driver: Version 2.15.0, Driver 41
  Bundle: S49a or later
  Engineering changes:
  • SE-BCBASE P46639
  • SE-BCBOOT P46640
  • SE-BCINST P46655

Machine type 3906
  Version / Driver: Version 2.14.1, Driver 36
  Bundle: S64b or later
  Engineering changes:
  • SE-BCBASE P41454
  • SE-BCBOOT P41454
  • SE-BCINST P41467

Machine type 3907
  Version / Driver: Version 2.14.1, Driver 36
  Bundle: S53 or later
  Engineering changes:
  • SE-BCBASE P41453
  • SE-BCBOOT P41454
  • SE-BCINST P41467

The following table shows the minimal requirement for one Secure Service Container partition.

Table 3. Secure Service Container partition requirements

Minimal (one Hyper Protect Virtual Server container + one Secure Build container)
2 IFLs
12 GB RAM
190 GB storage (50 GB for the hosting appliance, 100 GB in the storage pool for one Hyper Protect Virtual Server container, and 40 GB for one Secure Build container)

Note:

  • The actual resources required on the Secure Service Container partition depend on the resource consumption of the workload you deploy into the Hyper Protect Virtual Server container.
  • If you plan to have multiple Hyper Protect Virtual Server containers or Secure Build containers communicating with each other on the Secure Service Container partition, and to assign IP addresses to each of them, you need at least one Open Systems Adapter (OSA) card to create multiple virtual devices for data traffic. If you plan to establish internal network communication between Hyper Protect Virtual Servers on two Secure Service Container partitions, you can configure HiperSockets in Layer 2 mode (layer2=1).
  • If you want to use Enterprise PKCS #11 over gRPC (GREP11) containers in IBM Hyper Protect Virtual Servers, you must prepare a Trusted Key Entry (TKE) workstation and Crypto Express cards, such as IBM Crypto Express6S (CEX6S), IBM Crypto Express7S (CEX7S), and IBM Crypto Express8S (CEX8S). The Crypto Express card generation differs by machine generation (CEX6S for the z14 generation, CEX7S for the z15 generation, and CEX8S for the z17 generation).

Software requirements

  • IBM PCIe Cryptographic Coprocessor Version 3 (PCIeCC3) software, which includes IBM Common Cryptographic Architecture (CCA) and Enterprise PKCS #11 (EP11), and can be ordered from the Cryptocards software-package selection page.

Supported operating systems and platforms

The operating system for running the containers on the Secure Service Container partitions is Ubuntu 20.04, which is provided by the hosting appliance.

However, you must configure the x86 or Linux on IBM Z/LinuxONE (i.e., s390x architecture) management server with the supported operating system in the following table.

Table 4. Supported operating system and platform

Platform: Linux 64-bit
Operating system: Ubuntu 20.04 LTS
Supported version: 1.2.7.2 or earlier

Note:

  • Red Hat Linux distributions are compatible operating systems for the management server; however, they have not been tested with IBM Hyper Protect Virtual Servers.
  • Linux Unified Key Setup (LUKS) disk encryption on the x86 or Linux on IBM Z/LinuxONE (i.e., s390x architecture) management server protects the data on its disks from unauthorized access. When installing Ubuntu onto the x86 or Linux on Z server, select the Encrypt the new Ubuntu installation for Security option to encrypt the hard disk.

Networking

IBM Hyper Protect Virtual Servers requires two levels of network to work properly.

  • Network among Hyper Protect Virtual Server containers by using the internal IP addresses
  • Network for external requests to the services inside the workload deployed in the Hyper Protect Virtual Server container

Table 5. Supported network interfaces on the Secure Service Container partitions

Interface   Layer 2 network   Layer 3 network
Ethernet    Yes               Yes
VLAN        Yes               Yes

The x86 or Linux on IBM Z/LinuxONE (i.e., s390x architecture) management server must have a network connection to the Secure Service Container partition by its IP address or host name.

Note:

  • The default network driver is bridge, which is sufficient for communication among Hyper Protect Virtual Server containers.
  • If you plan to access Hyper Protect Virtual Server containers from your underlying network, or to have them accessed by an external workload, either use the macvlan network driver and assign IP addresses to those containers, or configure port mapping for the container on the Secure Service Container partition. When you use port mapping, you must use the Secure Service Container management IP address and the mapped host port to access the virtual server application.
  • If you plan to access Hyper Protect Virtual Server containers on another Secure Service Container partition, use the macvlan network driver and assign IP addresses to the containers on both partitions.
  • If you plan to have multiple Hyper Protect Virtual Server containers or Secure Build containers communicating with each other on the Secure Service Container partition, and to assign IP addresses to each of them, you need at least one Open Systems Adapter (OSA) card to create multiple virtual devices for data traffic. If you plan to establish internal network communication between Hyper Protect Virtual Servers on two Secure Service Container partitions, you can configure HiperSockets in Layer 2 mode (layer2=1).
  • For more information about networking requirements in IBM Hyper Protect Virtual Servers, see Network requirements for Hyper Protect Virtual Server.
  • For more information, see Networking overview for Docker containers.

Supported Docker versions

You must install the supported Docker version on the x86 or Linux on IBM Z/LinuxONE (i.e., s390x architecture) management server.

Note: You can use IBM Hyper Protect Virtual Servers only with Docker Hub or IBM Cloud Container Registry. IBM Cloud Container Registry (ICR) supports only Red Hat signing of the images.

Required ports

If you use port mapping for the Secure Build container, the monitoring infrastructure, and the GREP11 container, ensure that the following ports, or the mapped ports you configure, are available on the Secure Service Container partition. Otherwise, you need to request an IP address for each container on the Secure Service Container partition.

Table 6. Required ports on the Secure Service Container partition

Port No.                 Required by module
443                      Hosting Appliance REST API
443                      Secure Build Server or bring your own image, with macvlan
Any non-reserved port    Secure Build Server
8443                     Monitoring infrastructure
9876                     GREP11 container

Note: You can map multiple ports on the Secure Service Container partition to ports on your Hyper Protect Virtual Server container for your workload. For example, the configuration {"80":"8080","22":"220"} for a Hyper Protect container means that port 80 on the container is mapped to port 8080 on the partition, and port 22 on the container to port 220 on the partition. For more information, see the Virtual server configuration file.
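As an added example (not IBM's code and not part of the CLI), the following Python snippet parses port-mapping configurations in the {"container":"partition"} form shown above and reports partition ports that would collide with the Table 6 ports or with another container's mapping, which is the check the "Required ports" section asks you to make before relying on port mapping. The function names and the per-container dictionary of mapping strings are assumptions; the Table 6 ports are the ones on this page.

```python
"""Check Hyper Protect Virtual Server port mappings against the Table 6 ports.

Added example, not part of IBM Hyper Protect Virtual Servers. A mapping is the
JSON object shown on this page, e.g. {"80":"8080","22":"220"}, with the
container port as key and the partition (host) port as value.
"""
import json

# Partition ports listed in Table 6 as used by other components.
TABLE6_PORTS = {
    443: "Hosting Appliance REST API / Secure Build Server (macvlan)",
    8443: "Monitoring infrastructure",
    9876: "GREP11 container",
}


def _parse_port(value, role):
    """Turn a JSON key or value into a port number in the TCP/UDP range."""
    try:
        port = int(value)
    except (TypeError, ValueError):
        raise ValueError(f"{role} port {value!r} is not an integer")
    if not 1 <= port <= 65535:
        raise ValueError(f"{role} port {port} is outside 1-65535")
    return port


def parse_port_mapping(text):
    """Parse the mapping string into {container_port: partition_port}."""
    raw = json.loads(text)
    if not isinstance(raw, dict):
        raise ValueError("port mapping must be a JSON object")
    return {_parse_port(k, "container"): _parse_port(v, "partition") for k, v in raw.items()}


def mapping_error(text):
    """Return None if the mapping string is well formed, else the error message."""
    try:
        parse_port_mapping(text)
    except ValueError as exc:
        return str(exc)
    return None


def check_partition_ports(configs, in_use=TABLE6_PORTS):
    """Find partition-port conflicts across several containers' mappings.

    configs: {container_name: mapping JSON text} (names are assumed labels).
    Returns a list of conflict descriptions; empty means every partition port
    is free of the Table 6 ports and used by at most one container port.
    """
    owner = {port: f"{name} (Table 6)" for port, name in in_use.items()}
    problems = []
    for name, text in configs.items():
        for cport, pport in sorted(parse_port_mapping(text).items()):
            if pport in owner:
                problems.append(
                    f"{name}: partition port {pport} (container port {cport}) is already used by {owner[pport]}"
                )
            else:
                owner[pport] = f"{name} container port {cport}"
    return problems


if __name__ == "__main__":
    # Constructed sample: one mapping from the page plus two that collide.
    sample = {
        "web": '{"80":"8080","22":"220"}',
        "api": '{"443":"443"}',
        "app": '{"8080":"8080"}',
    }
    for line in check_partition_ports(sample) or ["no conflicts"]:
        print(line)
```

Running the sample flags the api container for taking partition port 443 (the Hosting Appliance REST API) and the app container for reusing 8080, which the web container already claimed.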