Installation on IBM Cloud

Detailed procedure to install the IBM Verify Identity Governance - Container on the IBM Cloud platform.

Overview

The IBM Verify Identity Governance - Container supports deployment on the Red Hat OpenShift platform on IBM Cloud, with any of the supported databases and directory servers.

Red Hat OpenShift on IBM Cloud offers a managed solution for creating clusters of compute hosts. This allows you to deploy and manage containerized applications on the IBM Cloud platform.

Optionally, you can use the IBM DB2 service on the IBM Cloud platform as an external database for the IBM Verify Identity Governance - Container. For more details, see the Setting up IBM Db2 service on IBM Cloud section.

Before you begin

Ensure that you complete the following prerequisites:
  1. Refer to the documentation for instructions on setting up and configuring an account on IBM Cloud to create clusters.
  2. Verify the software requirements.
  3. Optionally, install the IBM CLI. For instructions, see the cli-getting-started documentation.

[Optional] Setting up IBM DB2 service on IBM Cloud

Overview
You have the option to use the IBM DB2 service as an external database for IBM Verify Identity Governance - Container within your IBM Cloud cluster. This is a fully managed cloud SQL database powered by an accelerated Db2 engine. For comprehensive details, refer to the IBM DB2 documentation.
Note that this section is optional. If you do not want to use the IBM DB2 service on IBM Cloud, go directly to the Deployment procedure.
Steps
If you want to set up IBM DB2 service on IBM Cloud, perform the following steps:
  1. From the IBM Catalog, search for IBM db2, and create an instance.
  2. Access your IBM Cloud DB2 console. Go to the Administration tab, and then select Connection to view the connection properties.
  3. On the Administration tab, go to User Management and create an admin user (for example: db2admin).
  4. Create a regular user (for example: db2user).
    Note: To be granted CREATE_EXTERNAL_ROUTINE and to deploy the regex-dependent jar in IBM Cloud DB2, open a support ticket with the IBM Cloud team and include the following details:
    • [Mandatory] Request that CREATE_EXTERNAL_ROUTINE be granted.
    • [Optional] If you want to perform regex-related operations, use starter/config/db/jars/isim_regexp-1.0.jar and request that isim_regexp-1.0.jar be uploaded to /mnt/blumeta0/home/db2inst1/sqllib/function, which is equivalent to $HOME/sqllib/function.
  5. Use the connection properties and the user that you created to connect to the DB2 Cloud instance.
  6. For SSL connections, retrieve the SSL Certificate by clicking Download SSL Certificate.
  7. Convert the downloaded certificate into PEM format and store it in the starter/config/cert directory using the following bash command:
    openssl x509 -inform der -in certificate.cer -out certificate.pem
  8. During installation, when you run the configure.sh script, specify the name of this certificate for the truststore.
  9. Provide the relevant details when you run the starter/bin/configure.sh script.

    Here is a sample of the DB2 section in the config.yaml file:

    db:
       user: db2user
       password: {user_password}
       dbtype: db2
       ip: {database_link}
       port: {database_port}
       name: {database_name}
       admin: db2admin
       adminPwd: {admin_password}
       security.protocol: ssl
       tablespace.location.data:
       tablespace.location.indexes:

  10. When connecting through a database client, ensure that the DB2 JDBC type 4 driver is available, and use a connection string similar to the following:
    jdbc:db2://{database_link}:{database_port}/{database_name}:sslConnection=true;
  11. Provide the user credentials for authentication.
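As an added example (not part of the IBM documentation or of the starter kit scripts), the following Python snippet reads a filled-in copy of the db section shown above, flags values that are still placeholders, derives the step 10 JDBC connection string from it, and checks that the certificate from step 7 is in PEM form. The host name, port, database name and passwords in the sample are constructed values.

```python
"""Sanity-check the db: section of config.yaml and derive the DB2 JDBC URL (added example)."""
import re

# Constructed sample of the db: section shown above, with the {placeholders} filled in.
SAMPLE_DB_SECTION = """\
db:
   user: db2user
   password: example-user-pw
   dbtype: db2
   ip: db2-example.databases.appdomain.cloud
   port: 31234
   name: bludb
   admin: db2admin
   adminPwd: example-admin-pw
   security.protocol: ssl
   tablespace.location.data:
   tablespace.location.indexes:
"""
# Keys that must hold a real value before configure.sh is run (tablespace keys may stay empty).
REQUIRED = ("user", "password", "dbtype", "ip", "port", "name", "admin", "adminPwd")

def parse_db_section(text):
    """Parse the flat 'key: value' lines under db: into a dict; empty values stay empty."""
    cfg = {}
    for line in text.splitlines():
        if not line.startswith(" ") or ":" not in line:
            continue  # skips the 'db:' header and anything that is not a key/value line
        key, _, value = line.strip().partition(":")
        cfg[key.strip()] = value.strip()
    return cfg

def unresolved_settings(cfg):
    """Required keys that are empty or still carry a {placeholder} from the sample."""
    return sorted(k for k in REQUIRED
                  if not cfg.get(k) or re.fullmatch(r"\{[^}]*\}", cfg[k]))

def jdbc_url(cfg):
    """Build the step 10 connection string; sslConnection=true only when security.protocol is ssl."""
    missing = unresolved_settings(cfg)
    if missing:
        raise ValueError(f"unresolved db settings: {missing}")
    ssl = cfg.get("security.protocol", "").lower() == "ssl"
    return f"jdbc:db2://{cfg['ip']}:{cfg['port']}/{cfg['name']}" + (":sslConnection=true;" if ssl else "")

def cert_format(data):
    """Classify the downloaded certificate: step 7 expects 'pem' in starter/config/cert."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem"
    return "der" if data[:1] == b"\x30" else "unknown"  # DER begins with an ASN.1 SEQUENCE tag
```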

Deployment procedure

Perform the following steps to deploy IBM Verify Identity Governance - Container on IBM Cloud.
Cluster setup
  1. Begin the OpenShift cluster creation process on IBM Cloud by visiting Getting started with Red Hat OpenShift on IBM Cloud.
    Note: For the purpose of this documentation, IBM Verify Identity Governance - Container uses the Standard VPC Cluster option.
  2. Perform the steps outlined in Creating VPC clusters to establish your own cluster.
Endpoint Gateway
When the Master Service Endpoint is configured as public, you must create a public gateway and attach it to the VPC that is associated with the cluster. For instructions to create a gateway, see the Create gateway documentation.

After the Public Gateway is active and the provisioning of the OpenShift Container Platform (OCP) cluster is complete, the OCP status should show as healthy.

Cluster login
  1. Go to your Cluster Page on IBM Cloud.
  2. Open the OpenShift Web Console by clicking the designated button.
  3. Select "User", and copy the login command that is provided.
  4. Run this login command in the oc command-line tool or in the IBM Cloud Shell for subsequent operations.
Starter kit
  1. After you are logged in, run the following bash command: kubectl get storageclass
  2. From the list that is returned, choose a storage class that meets your needs, or create a custom one if necessary. For assistance, see the containers-vpc-block documentation. For example, select the ibmc-vpc-block-10iops-tier option.
  3. Click the upload button in Cloud Shell to upload the starter kit.
  4. Run the starter/bin/configure.sh script. The script prompts for all the parameters that the installation requires.
    • Provide the InstallType as cloud.
    • When prompted for the storageclass, enter the name of the storage class that you selected.
  5. Go to the starter/bin directory and run the install.sh script. For detailed information, see the Installation topic.

Post-installation steps

Attention: After the installation, you must retain the Starter kit. The Starter kit contains configuration files that are required for executing various scripts. The starter kit is also required when deploying the Fix Packs and Interim Fixes.
Perform the following steps.
  1. After successful installation of the Starter kit, go to the OpenShift Web Console and initiate the creation of a secure route.
  2. Choose the isvgim service and expose port 9443.
  3. After creating the route, access it through the provided URL.
  4. To make the internal ISVD service accessible externally, modify the starter/yaml/115-service-ldapExt.yaml file.

    In the section where metadata.name is set as isvd-external, change its type from NodePort to LoadBalancer.

    Apply the changes using the command: kubectl apply -f 115-service-ldapExt.yaml

  5. Similarly, to expose the internal PostgreSQL service externally, edit the starter/yaml/116-service-dbExt.yaml file.

    In the section where metadata.name is specified as postgres-external, change its type from NodePort to LoadBalancer.

    Apply the changes using the command: kubectl apply -f 116-service-dbExt.yaml
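Steps 4 and 5 both change the type of one named Service inside a starter kit YAML file. The following Python snippet is an added example, not code from the starter kit, that makes this change on a constructed stand-in for starter/yaml/115-service-ldapExt.yaml so that any other documents in the same file are left untouched; the same call with postgres-external covers 116-service-dbExt.yaml. The document layout of the stand-in is assumed; the real files may contain more documents and fields.

```python
"""Switch one Service in a multi-document manifest from NodePort to LoadBalancer (added example)."""
import re

# Constructed stand-in for starter/yaml/115-service-ldapExt.yaml; the real file may carry
# more documents, which is why only the Service with the requested metadata.name is touched.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Service
metadata:
  name: isvd-external
spec:
  type: NodePort
---
apiVersion: v1
kind: Service
metadata:
  name: isvd-internal
spec:
  type: NodePort
"""

DOC_SEP = re.compile(r"^---[ \t]*$", re.MULTILINE)  # YAML document separator lines

def _is_service_named(doc, name):
    """True when the document is a Service whose (indented) metadata name matches."""
    return (re.search(r"^kind:[ \t]*Service[ \t]*$", doc, re.MULTILINE)
            and re.search(rf"^[ \t]+name:[ \t]*{re.escape(name)}[ \t]*$", doc, re.MULTILINE))

def service_type(manifest, name):
    """Return spec.type of the Service called `name`, or None if there is no such Service."""
    for doc in DOC_SEP.split(manifest):
        if _is_service_named(doc, name):
            m = re.search(r"^[ \t]+type:[ \t]*(\S+)[ \t]*$", doc, re.MULTILINE)
            return m.group(1) if m else None
    return None

def set_service_type(manifest, name, new_type="LoadBalancer"):
    """Rewrite spec.type of exactly one Service; every other document is returned unchanged."""
    docs = DOC_SEP.split(manifest)
    hits = [i for i, doc in enumerate(docs) if _is_service_named(doc, name)]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one Service named {name}, found {len(hits)}")
    docs[hits[0]], n = re.subn(r"^([ \t]+)type:[ \t]*NodePort[ \t]*$", rf"\g<1>type: {new_type}",
                               docs[hits[0]], count=1, flags=re.MULTILINE)
    if n != 1:
        raise ValueError(f"Service {name} has no 'type: NodePort' line to change")
    return "---".join(docs)
```

The returned text is what you would write back to the file before running kubectl apply -f on it.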

Next steps

If you are deploying a fresh installation of IBM Verify Identity Governance - Container, then proceed to configuration activities.