Installing IBM Suite Licensing Service

Install the Suite Licensing Service (SLS) to store and manage the TRIRIGA Application Suite licenses.

Before you begin

Ensure that you have completed the following tasks:

About this task

Certificate manager is required if you do not have IBM Cloud Pak For Data installed. If you have IBM Cloud Pak For Data installed, this section can be skipped, as IBM Cloud Pak For Data provides the certificate manager.

MongoDB is required for SLS to work correctly. MongoDB is a core component of IBM TRIRIGA and is used by TRIRIGA Application Suite and its applications to store configuration data. The MongoDB data storage is configured during the initial setup.

The first section of this task installs and configures certificate manager. Then, the second section installs and configures MongoDB. Finally, the third section installs and configures SLS.
Note: For more information about the supported applications and dependencies for each release, see SSL compatibility matrix table.

Procedure

The following steps install and configure certificate manager:

Note: You can skip installing and configuring certificate manager if you have IBM Cloud Pak For Data installed. In this scenario, IBM Cloud Pak For Data provides the certificate manager.

  1. Create the new common services project by running the following command:
    
    oc new-project ibm-common-services
    
  2. Enable the IBM operator catalog by running the following command:
    
    cat <<EOF |oc apply -f -
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-operator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: ibm-operator-catalog
      publisher: IBM Content
      sourceType: grpc
      image: icr.io/cpopen/ibm-operator-catalog
      updateStrategy:
        registryPoll:
          interval: 45m
    EOF
    
  3. Install Cloud Pak Foundational Services Operator.
    1. Create the operator group by running the following command:
      
      cat <<EOF |oc apply -f -
      apiVersion: operators.coreos.com/v1alpha2
      kind: OperatorGroup
      metadata:
        name: operatorgroup
        namespace: ibm-common-services
      spec:
        targetNamespaces:
        - ibm-common-services
      EOF
      
    2. Install Cloud Pak Foundational Services Operator by running the following command:
      
      cat <<EOF |oc apply -f -
      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: ibm-common-service-operator
        namespace: ibm-common-services
      spec:
        channel: v3
        installPlanApproval: Automatic
        name: ibm-common-service-operator
        source: ibm-operator-catalog
        sourceNamespace: openshift-marketplace
      EOF
      
  4. Install IBM Cert Manager.
    
    cat <<EOF |oc apply -f -
    apiVersion: operator.ibm.com/v1alpha1
    kind: OperandRequest
    metadata:
      name: common-service
      namespace: ibm-common-services
    spec:
      requests:
        - operands:
            - name: ibm-cert-manager-operator
          registry: common-service
    EOF
    
    Note:
    If you receive the following error:
    
    unable to recognize "STDIN": no matches for kind "OperandRequest" in version "operator.ibm.com/v1alpha1"
    

    Wait 5 minutes for the previous commands to complete and then try again.

The following steps install and configure MongoDB:

  1. Create a new MongoDB project by running the following command:
    
    oc new-project mongodb
    
  2. Download and install MongoDB Community version by running the following commands:
    
    git clone https://github.com/mongodb/mongodb-kubernetes-operator.git
    oc apply -f mongodb-kubernetes-operator/config/crd/bases/mongodbcommunity.mongodb.com_mongodbcommunity.yaml
    oc apply -k mongodb-kubernetes-operator/config/rbac/
    
    
  3. Run the custom MongoDB Operator.

    Edit the mongodb-kubernetes-operator/config/manager/manager.yaml file and make the following changes:

    • Add MANAGED_SECURITY_CONTEXT and its value as true under env:
      
      ...
      ...
      - name: MONGODB_IMAGE
            value: mongo
          - name: MONGODB_REPO_URL
            value: docker.io
          - name: MANAGED_SECURITY_CONTEXT
            value: 'true'
      ...
      ...
      
    • Remove the following lines:

      
              securityContext:
            readOnlyRootFilesystem: true
            runAsUser: 2000
        securityContext:
          seccompProfile:
            type: RuntimeDefault
      

    Create the MongoDB Kubernetes Operator by running the edited manager.yaml:

    
    oc create -f mongodb-kubernetes-operator/config/manager/manager.yaml
    
  4. Generate certificates to secure MongoDB.
    1. Generate the CA key by running the following command:
      
      openssl genrsa -out ca.key 4096
      
    2. Generate the CA certificate by running the following command:
      
      openssl req -new -x509 -days 3650 -key ca.key  -reqexts v3_req -extensions v3_ca -out ca.crt   -subj "/C=US/ST=NY/L=New York/O=AIAPPS/OU=TAS/CN=TAS"
      
      If you encounter errors loading extension section v3_ca or extension section v3_req, edit /etc/ssl/openssl.cnf with the following updates:
      
      [ v3_ca ]
      basicConstraints = critical,CA:TRUE
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid:always,issuer:always
      
      [ v3_req ]
      basicConstraints = critical,CA:TRUE
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid:always,issuer:always
      
    3. Generate the TLS secret by running the following command:
      
      oc create secret tls ca-key-pair --cert=ca.crt --key=ca.key -n mongodb
      
    4. Create the issuer resource by running the following command:
      
      cat <<EOF |oc apply -f -
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: local-ca-issuer
        namespace: mongodb
      spec:
        ca:
          secretName: ca-key-pair     # tls secret containing the public and private key pair
      EOF
      
    5. Create the certificate using the preceding issuer by running the following command:
      
      cat <<EOF |oc apply -f -
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: my-mongodb-cert
        namespace: mongodb
      spec:
        secretName: my-mongodb-cert
        duration: 87600h
        issuerRef:
          name: local-ca-issuer
          kind: Issuer
        organization:
        - AIAPPS
        dnsNames:
        - my-mongodb-0.my-mongodb-svc.mongodb.svc.cluster.local
        - my-mongodb-1.my-mongodb-svc.mongodb.svc.cluster.local
        - my-mongodb-2.my-mongodb-svc.mongodb.svc.cluster.local
        privateKey:
          rotationPolicy: Always 
      EOF
      
    6. Create the config map of the custom ca.crt by running the following command:
      
      oc create configmap custom-ca --from-file=ca.crt -n mongodb
      
  5. Create password for MongoDB.

    Replace mongopwd with intended password for MongoDB:

    
    cat <<EOF |oc apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: my-user-password
      namespace: mongodb
    type: Opaque
    stringData:
      password: mongopwd
    EOF
    
  6. Create the secured MongoDB ReplicaSet.

    Replace mongouser with intended username for MongoDB.

    Replace ibmc-file-gold-gid with the available storage class in the cluster.

    
    cat <<EOF |oc apply -f -
    apiVersion: mongodbcommunity.mongodb.com/v1
    kind: MongoDBCommunity
    metadata:
      name: my-mongodb
      namespace: mongodb
    spec:
      members: 3
      type: ReplicaSet
      version: "4.4.7"
      security:
        tls:
          enabled: true
          certificateKeySecretRef:
            name: my-mongodb-cert
          caConfigMapRef:
            name: custom-ca
        authentication:
          modes: ["SCRAM"]
      users:
        - name: mongouser
          db: admin
          passwordSecretRef:
            name: my-user-password
          roles:
            - db: admin
              name: clusterAdmin
            - db: admin
              name: readWriteAnyDatabase
            - db: admin
              name: dbAdminAnyDatabase
            - db: admin
              name: userAdminAnyDatabase
          scramCredentialsSecretName: my-scram
      statefulSet:
        spec:
          serviceName: my-mongodb-svc
          selector: {}
          volumeClaimTemplates:
            - metadata:
                name: data-volume
              spec:
                accessModes: [ "ReadWriteOnce" ]
                storageClassName: "ibmc-file-gold-gid"
                resources:
                  requests:
                    storage: 10Gi
            - metadata:
                name: logs-volume
              spec:
                accessModes: [ "ReadWriteOnce" ]
                storageClassName: "ibmc-file-gold-gid"
                resources:
                  requests:
                    storage: 2Gi
    EOF
    
  7. Optional: Check the installation to see if the MongoDB pods are running by running the following command:
    
    oc get pods -n mongodb | grep my-mongodb
    
  8. Optional: Check the MongoDB connectivity by running the following command in any terminal of the mongoDB pods: my-mongodb-0, my-mongodb-1, or my-mongodb-2:
    
    mongo "mongodb://<mongoDB_User>:<mongoDB_Password>@my-mongodb-0.my-mongodb-svc.mongodb.svc.cluster.local:27017,my-mongodb-1.my-mongodb-svc.mongodb.svc.cluster.local:27017,my-mongodb-2.my-mongodb-svc.mongodb.svc.cluster.local:27017/?replicaSet=my-mongodb"  --authenticationDatabase admin  --ssl --tlsAllowInvalidCertificates
    

    For reference, the following are useful mongodb commands to view App Points data:

    
    my-mongodb:PRIMARY> show dbs
    my-mongodb:PRIMARY> use ibm-sls_sls_licensing
    my-mongodb:PRIMARY> show tables
    my-mongodb:PRIMARY> db.auditevents.find()
    my-mongodb:PRIMARY> db.licenses.find()
    my-mongodb:PRIMARY> db.products.find()
    my-mongodb:PRIMARY> db.reports.find()
    my-mongodb:PRIMARY> db.samples.find()
    my-mongodb:PRIMARY> db.tokenpools.find()
    

The following steps install and configure the Suite Licensing Service (SLS):

  1. Create the new SLS project by running the following command:
    
    oc new-project ibm-sls
    
  2. Enable the IBM operator catalog by running the following command:
    
    cat <<EOF |oc apply -f -
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-operator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: ibm-operator-catalog
      publisher: IBM Content
      sourceType: grpc
      image: icr.io/cpopen/ibm-operator-catalog
      updateStrategy:
        registryPoll:
          interval: 45m
    EOF
    
  3. Install SLS Operator.
    1. Create the operator group by running the following command:
      
      cat <<EOF |oc apply -f -
      apiVersion: operators.coreos.com/v1
      kind: OperatorGroup
      metadata:
        name: ibm-sls-operator-group
        namespace: ibm-sls
      spec:
        targetNamespaces:
          - ibm-sls
      EOF
      
    2. Install SLS Operator by running the following command:
      
      cat <<EOF |oc apply -f -
      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: ibm-sls
        namespace: ibm-sls
      spec:
        channel: 3.x
        installPlanApproval: Automatic
        name: ibm-sls
        source: ibm-operator-catalog
        sourceNamespace: openshift-marketplace
      EOF
      
  4. Create the IBM entitlement secret.
    1. Obtain your IBM entitlement registry from the Container software library. Click Copy key and substitute the value as <ENTITLEMENT_KEY> in the next step of this task.
    2. Create the secret by running the following command:
      
      oc create secret docker-registry ibm-entitlement --docker-server=cp.icr.io --docker-username=cp --docker-password="$ENTITLEMENT_KEY" -n ibm-sls
      
  5. Create database secrets.

    Create cecret with MongoDB credentials.

    Replace mongouser and mongopwd with intended username/password and run:

    
    cat <<EOF |oc apply -f -
    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: sls-mongo-credentials
      namespace: ibm-sls
    stringData:
      username: mongouser
      password: mongopwd
    EOF
    
  6. Create the SLS custom resource.

    Replace the certificate in the below YAML file with the content of ca.crt created during MongoDB installation.

    Replace ibmc-file-gold-gid with the available storage class in the cluster.

    
    cat <<EOF |oc apply -f -
    apiVersion: sls.ibm.com/v1
    kind: LicenseService
    metadata:
      name: sls
      namespace: ibm-sls
    spec:
      license:
        accept: true
      mongo:
        configDb: admin
        nodes:
          - host: >-
              my-mongodb-0.my-mongodb-svc.mongodb.svc.cluster.local
            port: 27017
          - host: >-
              my-mongodb-1.my-mongodb-svc.mongodb.svc.cluster.local
            port: 27017
          - host: >-
              my-mongodb-2.my-mongodb-svc.mongodb.svc.cluster.local
            port: 27017
        retryWrites: true
        secretName: sls-mongo-credentials
        certificates:
        - alias: mongoca
          crt: |-
            -----BEGIN CERTIFICATE-----
            ...
            CA Certificate created for MongoDB installation
            ...
            -----END CERTIFICATE-----
      rlks:
        storage:
          class: ibmc-file-gold-gid
          size: 5G
      settings:
        auth:
          enforce: true
        compliance:
          enforce: false
        reconciliation:
          enabled: true
          reconciliationPeriod: 1800
        registration:
          open: true
        reporting:
          maxDailyReports: 90
          maxHourlyReports: 24
          maxMonthlyReports: 12
          reportGenerationPeriod: 3600
          samplingPeriod: 900
    EOF
    
  7. Check the completion status by running the following command:
    
    oc get licenseservice sls -n ibm-sls
    

    Wait for the status to be READY.

    The License ID is used to retrieve the TAS License Key (App Points) from IBM License Key Center.

  8. Optional: Check TAS Application Points via API.
    1. Save the SLS client key, cert, and CA (SLS requires mutual TLS) by running the following commands:
      
      mkdir sls-cert
      oc get secret -n ibm-sls sls-cert-client -o jsonpath='{.data.tls\.key}' | base64 -d > sls-cert/tls.key
      oc get secret -n ibm-sls sls-cert-client -o jsonpath='{.data.tls\.crt}' | base64 -d > sls-cert/tls.crt
      oc get secret -n ibm-sls sls-cert-client -o jsonpath='{.data.ca\.crt}' | base64 -d > sls-cert/ca.crt
      
    2. Set up port forwarding to expose the internal API outside of the cluster by running the following command:
      
      oc port-forward service/sls 7000:443 -n ibm-sls
      
    3. Open a new terminal and go to the directory where the preceding certificates are stored:
      
      cd sls-cert
      
    4. Verify that the API is running by running the following command:
      
      curl -ik --cert tls.crt --key tls.key --cacert ca.crt https://localhost:7000/api/entitlement/config
      
    5. Upload the entitlement file, for example, license_900.dat, by running the following command:
      
      curl -ik --cert tls.crt --key tls.key --cacert ca.crt -X PUT -F 'file=@license.dat' https://localhost:7000/api/entitlement/file
      
    6. Check the token pool by running the following command:
      
      curl -ik --cert tls.crt --key tls.key --cacert ca.crt https://localhost:7000/api/tokens