Installing IBM Suite Licensing Service
Before you begin
- Installing and preparing the database, either as DB2 Warehouse on IBM Cloud Pak For Data or an external database.
About this task
Certificate manager is required if you do not have IBM Cloud Pak For Data installed. If you have IBM Cloud Pak For Data installed, this section can be skipped, as IBM Cloud Pak For Data provides the certificate manager.
MongoDB is required for SLS to work correctly. MongoDB is a core component of IBM TRIRIGA and is used by TRIRIGA Application Suite and its applications to store configuration data. The MongoDB data storage is configured during the initial setup.
The first section of this task installs and configures certificate manager. Then, the second section installs and configures MongoDB. Finally, the third section installs and configures SLS.
Procedure
The following steps install and configure certificate manager:
- Create the new common services project by running the following command:
oc new-project ibm-common-services
- Enable the IBM operator catalog by running the following command:
cat <<EOF |oc apply -f - apiVersion: operators.coreos.com/v1alpha1 kind: CatalogSource metadata: name: ibm-operator-catalog namespace: openshift-marketplace spec: displayName: ibm-operator-catalog publisher: IBM Content sourceType: grpc image: icr.io/cpopen/ibm-operator-catalog updateStrategy: registryPoll: interval: 45m EOF
- Install Cloud Pak Foundational Services Operator.
- Create the operator group by running the following command:
cat <<EOF |oc apply -f - apiVersion: operators.coreos.com/v1alpha2 kind: OperatorGroup metadata: name: operatorgroup namespace: ibm-common-services spec: targetNamespaces: - ibm-common-services EOF
- Install Cloud Pak Foundational Services Operator by running the following
command:
cat <<EOF |oc apply -f - apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: ibm-common-service-operator namespace: ibm-common-services spec: channel: v3 installPlanApproval: Automatic name: ibm-common-service-operator source: ibm-operator-catalog sourceNamespace: openshift-marketplace EOF
- Create the operator group by running the following command:
- Install IBM Cert Manager.
cat <<EOF |oc apply -f - apiVersion: operator.ibm.com/v1alpha1 kind: OperandRequest metadata: name: common-service namespace: ibm-common-services spec: requests: - operands: - name: ibm-cert-manager-operator registry: common-service EOF
Note:If you receive the following error:unable to recognize "STDIN": no matches for kind "OperandRequest" in version "operator.ibm.com/v1alpha1"
Wait 5 minutes for the previous commands to complete and then try again.
The following steps install and configure MongoDB:
- Create a new MongoDB project by running the following command:
oc new-project mongodb
- Download and install MongoDB Community version by running the following commands:
git clone https://github.com/mongodb/mongodb-kubernetes-operator.git oc apply -f mongodb-kubernetes-operator/config/crd/bases/mongodbcommunity.mongodb.com_mongodbcommunity.yaml oc apply -k mongodb-kubernetes-operator/config/rbac/
- Run the custom MongoDB Operator.
Edit the
mongodb-kubernetes-operator/config/manager/manager.yaml
file and make the following changes:- Add
MANAGED_SECURITY_CONTEXT
and its value astrue
under env:... ... - name: MONGODB_IMAGE value: mongo - name: MONGODB_REPO_URL value: docker.io - name: MANAGED_SECURITY_CONTEXT value: 'true' ... ...
-
Remove the following lines:
securityContext: readOnlyRootFilesystem: true runAsUser: 2000 securityContext: seccompProfile: type: RuntimeDefault
Create the MongoDB Kubernetes Operator by running the edited
manager.yaml
:oc create -f mongodb-kubernetes-operator/config/manager/manager.yaml
- Add
- Generate certificates to secure MongoDB.
- Generate the CA key by running the following command:
openssl genrsa -out ca.key 4096
- Generate the CA certificate by running the following command:
openssl req -new -x509 -days 3650 -key ca.key -reqexts v3_req -extensions v3_ca -out ca.crt -subj "/C=US/ST=NY/L=New York/O=AIAPPS/OU=TAS/CN=TAS"
If you encounter errors loading extension section v3_ca or extension section v3_req, edit /etc/ssl/openssl.cnf with the following updates:[ v3_ca ] basicConstraints = critical,CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always [ v3_req ] basicConstraints = critical,CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always
- Generate the TLS secret by running the following command:
oc create secret tls ca-key-pair --cert=ca.crt --key=ca.key -n mongodb
- Create the issuer resource by running the following command:
cat <<EOF |oc apply -f - apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: local-ca-issuer namespace: mongodb spec: ca: secretName: ca-key-pair # tls secret containing the public and private key pair EOF
- Create the certificate using the preceding issuer by running the following
command:
cat <<EOF |oc apply -f - apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: my-mongodb-cert namespace: mongodb spec: secretName: my-mongodb-cert duration: 87600h issuerRef: name: local-ca-issuer kind: Issuer organization: - AIAPPS dnsNames: - my-mongodb-0.my-mongodb-svc.mongodb.svc.cluster.local - my-mongodb-1.my-mongodb-svc.mongodb.svc.cluster.local - my-mongodb-2.my-mongodb-svc.mongodb.svc.cluster.local privateKey: rotationPolicy: Always EOF
- Create the config map of the custom ca.crt by running the following command:
oc create configmap custom-ca --from-file=ca.crt -n mongodb
- Generate the CA key by running the following command:
- Create password for MongoDB.
Replace
mongopwd
with intended password for MongoDB:cat <<EOF |oc apply -f - apiVersion: v1 kind: Secret metadata: name: my-user-password namespace: mongodb type: Opaque stringData: password: mongopwd EOF
- Create the secured MongoDB ReplicaSet.
Replace
mongouser
with intended username for MongoDB.Replace
ibmc-file-gold-gid
with the available storage class in the cluster.cat <<EOF |oc apply -f - apiVersion: mongodbcommunity.mongodb.com/v1 kind: MongoDBCommunity metadata: name: my-mongodb namespace: mongodb spec: members: 3 type: ReplicaSet version: "4.2.6" security: tls: enabled: true certificateKeySecretRef: name: my-mongodb-cert caConfigMapRef: name: custom-ca authentication: modes: ["SCRAM"] users: - name: mongouser db: admin passwordSecretRef: name: my-user-password roles: - db: admin name: clusterAdmin - db: admin name: readWriteAnyDatabase - db: admin name: dbAdminAnyDatabase - db: admin name: userAdminAnyDatabase scramCredentialsSecretName: my-scram statefulSet: spec: serviceName: my-mongodb-svc selector: {} volumeClaimTemplates: - metadata: name: data-volume spec: accessModes: [ "ReadWriteOnce" ] storageClassName: "ibmc-file-gold-gid" resources: requests: storage: 10Gi - metadata: name: logs-volume spec: accessModes: [ "ReadWriteOnce" ] storageClassName: "ibmc-file-gold-gid" resources: requests: storage: 2Gi EOF
- Optional: Check the installation to see if the MongoDB pods are running by
running the following command:
oc get pods -n mongodb | grep my-mongodb
- Optional: Check the MongoDB connectivity by running the following command in
any terminal of the mongoDB pods:
my-mongodb-0
,my-mongodb-1
, ormy-mongodb-2
:mongo "mongodb://<mongoDB_User>:<mongoDB_Password>@my-mongodb-0.my-mongodb-svc.mongodb.svc.cluster.local:27017,my-mongodb-1.my-mongodb-svc.mongodb.svc.cluster.local:27017,my-mongodb-2.my-mongodb-svc.mongodb.svc.cluster.local:27017/?replicaSet=my-mongodb" --authenticationDatabase admin --ssl --tlsAllowInvalidCertificates
For reference, the following are useful mongodb commands to view App Points data:
my-mongodb:PRIMARY> show dbs my-mongodb:PRIMARY> use ibm-sls_sls_licensing my-mongodb:PRIMARY> show tables my-mongodb:PRIMARY> db.auditevents.find() my-mongodb:PRIMARY> db.licenses.find() my-mongodb:PRIMARY> db.products.find() my-mongodb:PRIMARY> db.reports.find() my-mongodb:PRIMARY> db.samples.find() my-mongodb:PRIMARY> db.tokenpools.find()
The following steps install and configure the Suite Licensing Service (SLS):
- Create the new SLS project by running the following command:
oc new-project ibm-sls
- Enable the IBM operator catalog by running the following command:
cat <<EOF |oc apply -f - apiVersion: operators.coreos.com/v1alpha1 kind: CatalogSource metadata: name: ibm-operator-catalog namespace: openshift-marketplace spec: displayName: ibm-operator-catalog publisher: IBM Content sourceType: grpc image: icr.io/cpopen/ibm-operator-catalog updateStrategy: registryPoll: interval: 45m EOF
- Install SLS Operator.
- Create the operator group by running the following command:
cat <<EOF |oc apply -f - apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: ibm-sls-operator-group namespace: ibm-sls spec: targetNamespaces: - ibm-sls EOF
- Install SLS Operator by running the following command:
cat <<EOF |oc apply -f - apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: ibm-sls namespace: ibm-sls spec: channel: 3.x installPlanApproval: Automatic name: ibm-sls source: ibm-operator-catalog sourceNamespace: openshift-marketplace EOF
- Create the operator group by running the following command:
- Create the IBM entitlement secret.
- Obtain your IBM entitlement registry from the Container software library. Click Copy key and substitute the value
as
<ENTITLEMENT_KEY>
in the next step of this task. - Create the secret by running the following command:
oc create secret docker-registry ibm-entitlement --docker-server=cp.icr.io --docker-username=cp --docker-password="$ENTITLEMENT_KEY" -n ibm-sls
- Obtain your IBM entitlement registry from the Container software library. Click Copy key and substitute the value
as
- Create database secrets.
Create secret with MongoDB credentials.
Replace
mongouser
andmongopwd
with intended username/password and run:cat <<EOF |oc apply -f - apiVersion: v1 kind: Secret type: Opaque metadata: name: sls-mongo-credentials namespace: ibm-sls stringData: username: mongouser password: mongopwd EOF
- Create the SLS custom resource.
Replace the certificate in the below YAML file with the content of
ca.crt
created during MongoDB installation.Replace
ibmc-file-gold-gid
with the available storage class in the cluster.cat <<EOF |oc apply -f - apiVersion: sls.ibm.com/v1 kind: LicenseService metadata: name: sls namespace: ibm-sls spec: license: accept: true mongo: configDb: admin nodes: - host: >- my-mongodb-0.my-mongodb-svc.mongodb.svc.cluster.local port: 27017 - host: >- my-mongodb-1.my-mongodb-svc.mongodb.svc.cluster.local port: 27017 - host: >- my-mongodb-2.my-mongodb-svc.mongodb.svc.cluster.local port: 27017 retryWrites: true secretName: sls-mongo-credentials certificates: - alias: mongoca crt: |- -----BEGIN CERTIFICATE----- ... CA Certificate created for MongoDB installation ... -----END CERTIFICATE----- rlks: storage: class: ibmc-file-gold-gid size: 5G settings: auth: enforce: true compliance: enforce: false reconciliation: enabled: true reconciliationPeriod: 1800 registration: open: true reporting: maxDailyReports: 90 maxHourlyReports: 24 maxMonthlyReports: 12 reportGenerationPeriod: 3600 samplingPeriod: 900 EOF
- Check the completion status by running the following command:
oc get licenseservice sls -n ibm-sls
Wait for the status to be READY.
The License ID is used to retrieve the TAS License Key (App Points) from IBM License Key Center.
- Optional: Check TAS Application Points via API.
- Save the SLS client key, cert, and CA (SLS requires mutual TLS) by running the
following commands:
mkdir sls-cert oc get secret -n ibm-sls sls-cert-client -o jsonpath='{.data.tls\.key}' | base64 -d > sls-cert/tls.key oc get secret -n ibm-sls sls-cert-client -o jsonpath='{.data.tls\.crt}' | base64 -d > sls-cert/tls.crt oc get secret -n ibm-sls sls-cert-client -o jsonpath='{.data.ca\.crt}' | base64 -d > sls-cert/ca.crt
- Set up port forwarding to expose the internal API outside of the cluster by running
the following command:
oc port-forward service/sls 7000:443 -n ibm-sls
- Open a new terminal and go to the directory where the preceding certificates are
stored:
cd sls-cert
- Verify that the API is running by running the following command:
curl -ik --cert tls.crt --key tls.key --cacert ca.crt https://localhost:7000/api/entitlement/config
- Upload the entitlement file, for example, license_900.dat, by
running the following command:
curl -ik --cert tls.crt --key tls.key --cacert ca.crt -X PUT -F 'file=@license.dat' https://localhost:7000/api/entitlement/file
- Check the token pool by running the following command:
curl -ik --cert tls.crt --key tls.key --cacert ca.crt https://localhost:7000/api/tokens
- Save the SLS client key, cert, and CA (SLS requires mutual TLS) by running the
following commands: