Maximo® Application Suite uses MongoDB for its data dictionary and local user
management. Your MongoDB instance can run in the Red Hat® OpenShift® cluster or external to it.
For installation and configuration information, see the MongoDB
documentation.
Before you begin
Starting in Maximo Application Suite 8.10.1, if you
enable Federal Information Processing Standard (FIPS) to configure MongoDB, you must use the Enterprise Edition of MongoDB.
Certain components in MAS leverage the IBM®
Java™ Semeru Runtime, which has limited cipher support in FIPS Mode.
If you are deploying MongoDB
Enterprise Edition to an Red Hat OpenShift Cluster and enabling FIPS,
ensure a subset of the ciphers that IBM
Java Semeru supports in FIPS mode are enabled.
If you are leveraging the MongoDB
Enterprise Operator where the containers are based on Red Hat OpenShift
Universal Base Images, no action is needed as the OpenSSL implementation provided has cipher support
for Maximo Application Suite. Universal Base Images can be used to build and deliver
certified containers and operators.
Table 1. Supported ciphers
| Ciphers |
Name (OpenSSL) |
Cipher Suite Name (IANA) |
0xC024 |
ECDHE-ECDSA-AES256-SHA384 |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
0xC028 |
ECDHE-RSA-AES256-SHA384 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
0xC023 |
ECDHE-ECDSA-AES128-SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
0xC027 |
ECDHE-RSA-AES128-SHA256 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
0xC026 |
ECDH-ECDSA-AES256-SHA384 |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 |
0xC02A |
ECDH-RSA-AES256-SHA384 |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 |
0xC025 |
ECDH-ECDSA-AES128-SHA256 |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 |
0xC029 |
ECDH-RSA-AES128-SHA256 |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 |
0xC00A |
ECDHE-ECDSA-AES256-SHA |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
0xC014 |
ECDHE-RSA-AES256-SHA |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
0xC009 |
ECDHE-ECDSA-AES128-SHA |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
0xC013 |
ECDHE-RSA-AES128-SHA |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
0xC005 |
ECDH-ECDSA-AES256-SHA |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA |
0xC00F |
ECDH-RSA-AES256-SHA |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA |
0xC004 |
ECDH-ECDSA-AES128-SHA |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA |
0xC00E |
ECDH-RSA-AES128-SHA |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA |
For Maximo Application Suite 8.9 or earlier, you can use the Community
Edition of MongoDB. To set up MongoDB Community Edition on Red Hat OpenShift cluster, use
the MongoDB quick start guide on GitHub.
To work with Maximo Application Suite, your MongoDB instance must support the transport layer security (TLS)
communication protocol. For more information, see TLS/SSL (Transport Encryption) in the MongoDB documentation.
To complete the setup of Maximo Application Suite, note the following
MongoDB requirements.
- The hostnames and ports of the MongoDB servers.
- The
Config db name the database name that is used by MongoDB to store its user IDs.
- The user credentials for an admin user who has table creation authority.
- The MongoDB certificate authority (CA) certificates. If
your MongoDB cluster uses self-signed CA certificates, you
must retrieve them automatically or add them manually when you complete the setup of the
Suite.
Procedure
To install by using the Red Hat OpenShift command-line interface
(CLI).
- Create the Mongo CE project.
- Create the MongoDB roles and service accounts YAML file
mongo-rbac.yaml.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: mongodb-kubernetes-operator
namespace: "mongoce"
rules:
- apiGroups:
- ""
resources:
- pods
- services
- configmaps
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- mongodbcommunity.mongodb.com
resources:
- mongodbcommunity
- mongodbcommunity/status
- mongodbcommunity/spec
- mongodbcommunity/finalizers
verbs:
- get
- patch
- list
- update
- watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: mongodb-kubernetes-operator
namespace: "mongoce"
subjects:
- kind: ServiceAccount
name: mongodb-kubernetes-operator
roleRef:
kind: Role
name: mongodb-kubernetes-operator
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: mongodb-kubernetes-operator
namespace: "mongoce"
- Apply the mongo-rbac.yaml file to the Red Hat OpenShift cluster.
oc apply -f mongo-rbac.yaml
- Configure the
anyuid permissions in the MongoDB namespace.
oc adm policy add-scc-to-user anyuid system:serviceaccount:mongoce:default
oc adm policy add-scc-to-user anyuid system:serviceaccount:mongoce:mongodb-kubernetes-operator
- Install the MongoDB Community edition CRD. Create the
YAML file mongo-crd.yaml.
---
# Source: https://github.com/mongodb/mongodb-kubernetes-operator/blob/v0.7.0/config/crd/bases/mongodbcommunity.mongodb.com_mongodbcommunity.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: mongodbcommunity.mongodbcommunity.mongodb.com
spec:
group: mongodbcommunity.mongodb.com
names:
kind: MongoDBCommunity
listKind: MongoDBCommunityList
plural: mongodbcommunity
shortNames:
- mdbc
singular: mongodbcommunity
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Current state of the MongoDB deployment
jsonPath: .status.phase
name: Phase
type: string
- description: Version of MongoDB server
jsonPath: .status.version
name: Version
type: string
name: v1
schema:
openAPIV3Schema:
description: MongoDBCommunity is the Schema for the mongodbs API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: MongoDBCommunitySpec defines the desired state of MongoDB
properties:
additionalMongodConfig:
description: 'AdditionalMongodConfig is additional configuration that
can be passed to each data-bearing mongod at runtime. Uses the same
structure as the mongod configuration file: https://docs.mongodb.com/manual/reference/configuration-options/'
nullable: true
type: object
x-kubernetes-preserve-unknown-fields: true
arbiters:
description: Arbiters is the number of arbiters (each counted as a
member) in the replica set
type: integer
featureCompatibilityVersion:
description: FeatureCompatibilityVersion configures the feature compatibility
version that will be set for the deployment
type: string
members:
description: Members is the number of members in the replica set
type: integer
replicaSetHorizons:
description: ReplicaSetHorizons Add this parameter and values if you
need your database to be accessed outside of Kubernetes. This setting
allows you to provide different DNS settings within the Kubernetes
cluster and to the Kubernetes cluster. The Kubernetes Operator uses
split horizon DNS for replica set members. This feature allows communication
both within the Kubernetes cluster and from outside Kubernetes.
items:
additionalProperties:
type: string
type: object
type: array
security:
description: Security configures security features, such as TLS, and
authentication settings for a deployment
properties:
authentication:
properties:
ignoreUnknownUsers:
default: true
nullable: true
type: boolean
modes:
description: Modes is an array specifying which authentication
methods should be enabled.
items:
enum:
- SCRAM
- SCRAM-SHA-256
- SCRAM-SHA-1
type: string
type: array
required:
- modes
type: object
roles:
description: User-specified custom MongoDB roles that should be
configured in the deployment.
items:
description: CustomRole defines a custom MongoDB role.
properties:
authenticationRestrictions:
description: The authentication restrictions the server
enforces on the role.
items:
description: AuthenticationRestriction specifies a list
of IP addresses and CIDR ranges users are allowed to
connect to or from.
properties:
clientSource:
items:
type: string
type: array
serverAddress:
items:
type: string
type: array
required:
- clientSource
- serverAddress
type: object
type: array
db:
description: The database of the role.
type: string
privileges:
description: The privileges to grant the role.
items:
description: Privilege defines the actions a role is allowed
to perform on a given resource.
properties:
actions:
items:
type: string
type: array
resource:
description: Resource specifies specifies the resources
upon which a privilege permits actions. See https://docs.mongodb.com/manual/reference/resource-document
for more.
properties:
anyResource:
type: boolean
cluster:
type: boolean
collection:
type: string
db:
type: string
type: object
required:
- actions
- resource
type: object
type: array
role:
description: The name of the role.
type: string
roles:
description: An array of roles from which this role inherits
privileges.
items:
description: Role is the database role this user should
have
properties:
db:
description: DB is the database the role can act on
type: string
name:
description: Name is the name of the role
type: string
required:
- db
- name
type: object
type: array
required:
- db
- privileges
- role
type: object
type: array
tls:
description: TLS configuration for both client-server and server-server
communication
properties:
caConfigMapRef:
description: CaConfigMap is a reference to a ConfigMap containing
the certificate for the CA which signed the server certificates
The certificate is expected to be available under the key
"ca.crt"
properties:
name:
type: string
required:
- name
type: object
certificateKeySecretRef:
description: CertificateKeySecret is a reference to a Secret
containing a private key and certificate to use for TLS.
The key and cert are expected to be PEM encoded and available
at "tls.key" and "tls.crt". This is the same format used
for the standard "kubernetes.io/tls" Secret type, but no
specific type is required.
properties:
name:
type: string
required:
- name
type: object
enabled:
type: boolean
optional:
description: Optional configures if TLS should be required
or optional for connections
type: boolean
required:
- enabled
type: object
type: object
statefulSet:
description: StatefulSetConfiguration holds the optional custom StatefulSet
that should be merged into the operator created one.
properties:
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- spec
type: object
type:
description: Type defines which type of MongoDB deployment the resource
should create
enum:
- ReplicaSet
type: string
users:
description: Users specifies the MongoDB users that should be configured
in your deployment
items:
properties:
db:
description: DB is the database the user is stored in. Defaults
to "admin"
type: string
name:
description: Name is the username of the user
type: string
passwordSecretRef:
description: PasswordSecretRef is a reference to the secret
containing this user's password
properties:
key:
description: Key is the key in the secret storing this password.
Defaults to "password"
type: string
name:
description: Name is the name of the secret storing this
user's password
type: string
required:
- name
type: object
roles:
description: Roles is an array of roles assigned to this user
items:
description: Role is the database role this user should have
properties:
db:
description: DB is the database the role can act on
type: string
name:
description: Name is the name of the role
type: string
required:
- db
- name
type: object
type: array
scramCredentialsSecretName:
description: ScramCredentialsSecretName appended by string "scram-credentials"
is the name of the secret object created by the mongoDB operator
for storing SCRAM credentials
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
- passwordSecretRef
- roles
- scramCredentialsSecretName
type: object
type: array
version:
description: Version defines which version of MongoDB will be used
type: string
required:
- security
- type
- users
- version
type: object
status:
description: MongoDBCommunityStatus defines the observed state of MongoDB
properties:
currentMongoDBMembers:
type: integer
currentStatefulSetReplicas:
type: integer
message:
type: string
mongoUri:
type: string
phase:
type: string
required:
- currentMongoDBMembers
- currentStatefulSetReplicas
- mongoUri
- phase
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
- Apply the mongo-crd.yaml file to the Red Hat OpenShift Container Platform cluster.
oc apply -f mongo-crd.yaml
- Install the MongoDB operator. Create the YAML file
mongo-op.yaml.
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
email: support@mongodb.com
labels:
owner: mongodb
name: mongodb-kubernetes-operator
namespace: "mongoce"
spec:
replicas: 1
selector:
matchLabels:
name: mongodb-kubernetes-operator
strategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
name: mongodb-kubernetes-operator
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: name
operator: In
values:
- mongodb-kubernetes-operator
topologyKey: kubernetes.io/hostname
containers:
- command:
- /usr/local/bin/entrypoint
env:
- name: WATCH_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: mongodb-kubernetes-operator
- name: AGENT_IMAGE
value: quay.io/mongodb/mongodb-agent@sha256:4db6e9c7df3d9421dcc09e98c5b43ba9d95952eae3c2ccbfdb83a49743b3195f # 11.0.5.6963-1
- name: VERSION_UPGRADE_HOOK_IMAGE
value: quay.io/mongodb/mongodb-kubernetes-operator-version-upgrade-post-start-hook@sha256:da347eb74525715a670280545e78ecee1195ec2630037b3821591c87f7a314ee # 1.0.2
- name: READINESS_PROBE_IMAGE
value: quay.io/mongodb/mongodb-kubernetes-readinessprobe@sha256:bf5a4ffc8d2d257d6d9eb45d3e521f30b2e049a9b60ddc8e4865448e035502ca # 1.0.4
- name: MONGODB_IMAGE
value: ibmmas/mongo
- name: MONGODB_REPO_URL
value: quay.io
image: quay.io/mongodb/mongodb-kubernetes-operator@sha256:e19ae43539521f0350fb71684757dc535fc989deb75f3789cd84b782489eda80 # 0.7.0
imagePullPolicy: IfNotPresent
name: mongodb-kubernetes-operator
resources:
limits:
cpu: 1100m
memory: 1Gi
requests:
cpu: 500m
memory: 200Mi
securityContext:
readOnlyRootFilesystem: true
runAsUser: 2000
serviceAccountName: mongodb-kubernetes-operator
- Apply the mongo-op.yaml file to the Red Hat OpenShift cluster.
oc apply -f mongo-op.yaml
- Install the MongoDB CA and server certificate issuers. Create the YAML file
mongo-cert.yaml:
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: mongo-issuer
namespace: "mongoce"
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: mongo-ca-crt
namespace: "mongoce"
spec:
isCA: true
commonName: mongo-ca-crt
secretName: mongo-ca-secret
duration: 175200h # 20 years
privateKey:
algorithm: ECDSA
size: 256
dnsNames:
- "*.mas-mongo-ce-svc.mongoce.svc.cluster.local"
- "127.0.0.1"
- "localhost"
issuerRef:
name: mongo-issuer
kind: Issuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: mongo-server-cert-issuer
namespace: "mongoce"
spec:
ca:
secretName: mongo-ca-secret
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: mongo-server
namespace: "mongoce"
spec:
duration: 8760h # 365d
renewBefore: 360h # 15d
dnsNames:
- "*.mas-mongo-ce-svc.mongoce.svc.cluster.local"
- "127.0.0.1"
- "localhost"
issuerRef:
name: mongo-server-cert-issuer
secretName: mongo-server-cert
- Apply the mongo-cert.yaml file to the Red Hat OpenShift cluster.
oc apply -f mongo-cert.yaml
- Create the MongoDB configmap containing CA. Save the CA
certificate from the mongo-server-cert secret in an environment
variable.
export MONGO_CA_CERT=$(oc get secret -n mongoce mongo-server-cert -o jsonpath='{.data.ca\.crt}' | base64 -d)
- Create the YAML file mongo-cert-cm.yaml.
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mas-mongo-ce-cert-map
namespace: "mongoce"
type: Opaque
data:
ca.crt: |
- Append the CA certificate that is stored in the MONGO_CA_CERT variable
to the YAML file mongo-cert-cm.yaml.
echo "$MONGO_CA_CERT" | sed 's/^/ /' >> mongo-cert-cm.yaml
-
Ensure that the format of the mongo-cert-cm.yaml file looks like
this after the preceding command is run.
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mas-mongo-ce-cert-map
namespace: "mongoce"
type: Opaque
data:
ca.crt: |
-----BEGIN CERTIFICATE-----
MIIBwDCCAWagAwIBAgIRAPIhJ3zLTJT3zbezFcfDY9QwCgYIKoZIzj0EAwIwFzEV
MBMGA1UEAxMMbW9uZ28tY2EtY3J0MB4XDTIyMDYwMzE3NTE1OVoXDTIyMDkwMTE3
NTE1OVowFzEVMBMGA1UEAxMMbW9uZ28tY2EtY3J0MFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAEy+y46zz3AyETWmWenf9WZks5ld1w2Dm+GK3KzkYnUYu6CzQtMJN6
iTLSh6NDdOtccXUrO52dIh8hHNyIN1O2XqOBkjCBjzAOBgNVHQ8BAf8EBAMCAqQw
DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUcXjRLPwjM3pqYTzc9g0R3ivLbicw
TQYDVR0RBEYwRIIsKi5tYXMtbW9uZ28tY2Utc3ZjLm1vbmdvY2Uuc3ZjLmNsdXN0
ZXIubG9jYWyCCTEyNy4wLjAuMYIJbG9jYWxob3N0MAoGCCqGSM49BAMCA0gAMEUC
IBdQcAvsmauofQ24KPo6ck8zfKtThWUrIFWnRaz4e6bxAiEAvhYY97lK9z/vc0g2
+tNSf6w8y8MME6DHPWqVWsbh4nA=
-----END CERTIFICATE-----
- Apply the mongo-cert-cm.yaml file to the Red Hat OpenShift cluster:
oc apply -f mongo-cert-cm.yaml
- Create the MongoDB admin password secret YAML file
mongo-admin-password.yaml:
---
apiVersion: v1
kind: Secret
metadata:
name: mas-mongo-ce-admin-password
namespace: "mongoce"
type: Opaque
stringData:
password: password
- Apply the mongo-admin-password.yaml file to the Red Hat OpenShift cluster:
oc apply -f mongo-admin-password.yaml
- Create the MongoDB cluster YAML file mongo-cluster.yaml:
---
apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
name: mas-mongo-ce
namespace: "mongoce"
spec:
members: 3
type: ReplicaSet
version: "4.2.6"
security:
tls:
enabled: true
certificateKeySecretRef:
name: mongo-server-cert
caConfigMapRef:
name: mas-mongo-ce-cert-map
authentication:
modes:
# Note: MAS 8.5 and earlier only support SCRAM-SHA-1
- SCRAM-SHA-256
- SCRAM-SHA-1
users:
- name: admin
db: admin
passwordSecretRef:
name: mas-mongo-ce-admin-password
roles:
- name: clusterAdmin
db: admin
- name: userAdminAnyDatabase
db: admin
- name: dbOwner
db: admin
- name: readWriteAnyDatabase
db: admin
scramCredentialsSecretName: mas-mongo-ce-scram
additionalMongodConfig:
storage.wiredTiger.engineConfig.journalCompressor: snappy
net.tls.allowInvalidCertificates: true
net.tls.allowInvalidHostnames: true
statefulSet:
spec:
serviceName: mas-mongo-ce-svc
selector: {}
template:
spec:
containers:
- name: mongod
image: quay.io/ibmmas/mongo@sha256:8c48baa1571469d7f5ae6d603b92b8027ada5eb39826c009cb33a13b46864908 # 4.2.6
resources:
limits:
cpu: "2"
memory: "2Gi"
volumeClaimTemplates:
- metadata:
name: data-volume
spec:
accessModes: [ "ReadWriteOnce" ]
storageClassName: "ocs-storagecluster-ceph-rbd"
resources:
requests:
storage: "20Gi"
- metadata:
name: logs-volume
spec:
accessModes: [ "ReadWriteOnce" ]
storageClassName: "ocs-storagecluster-ceph-rbd"
resources:
requests:
storage: "20Gi"
- Apply the mongo-cluster.yaml file to the Red Hat OpenShift cluster:
oc apply -f mongo-cluster.yaml
- Verify the MongoDB installation.
Wait for the
MongoDB cluster to complete provisioning. Three replicas
are ready, when the provisioning is
complete.
oc get sts mas-mongo-ce -n mongoce -o jsonpath="{.status.readyReplicas}{'\n'}"
The sample output is shown as follows.
3