Installing Suite License Service

Install IBM Suite Licensing Service (SLS) to store and manage the IBM® TRIRIGA® Application Suite licenses.

Before you begin

Install and prepare the database, either as Installing and preparing Db2 on the Db2 Operator, IBM Db2 Warehouse on IBM Cloud Pak® For Data, or as an external database.

Note: For more information about the supported applications and dependencies for Suite License Service, see Suite License Service compatibility matrix.

About this task

Installing a certificate manager to manage the certificates.cert-manager.io/v1 and issuers.cert-manager.io/v1 CRDs is needed only if a certificate manager is not already installed. A IBM Cloud Pak For Data installation provides a certificate manager.

MongoDB is required for Suite License Service, which uses MongoDB as a core component to store configuration data. The MongoDB data storage is configured during the initial setup.

Procedure

Install and configure a certificate manager:

Note: IBM Cloud Pak For Data provides a certificate manager. You can skip this task if IBM Cloud Pak For Data is installed.

  1. Create the new common services project by running the following command:
    
    oc new-project ibm-common-services
    
  2. Enable the IBM Operator Catalog by running the following command:
    
    cat <<EOF |oc apply -f -
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-operator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: ibm-operator-catalog
      publisher: IBM Content
      sourceType: grpc
      image: icr.io/cpopen/ibm-operator-catalog
      updateStrategy:
        registryPoll:
          interval: 45m
    EOF
    
  3. Install the Cloud Pak foundational services operator.
    1. Create the operator group by running the following command:
      
      cat <<EOF |oc apply -f -
      apiVersion: operators.coreos.com/v1alpha2
      kind: OperatorGroup
      metadata:
        name: operatorgroup
        namespace: ibm-common-services
      spec:
        targetNamespaces:
        - ibm-common-services
      EOF
      
    2. Install the Cloud Pak foundational services operator by running the following command:
      
      cat <<EOF |oc apply -f -
      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: ibm-common-service-operator
        namespace: ibm-common-services
      spec:
        channel: v3
        installPlanApproval: Automatic
        name: ibm-common-service-operator
        source: ibm-operator-catalog
        sourceNamespace: openshift-marketplace
      EOF
      
  4. Install the cert-manager Operator for Red Hat OpenShift.
    To install cert-manager, complete the steps for your Red Hat OpenShift version, see Installing the cert-manager Operator for Red Hat OpenShift.

Install and configure MongoDB:

  1. Create a MongoDB project by running the following command:
    
    oc new-project mongodb
    
  2. Download and install MongoDB Community version by running the following commands:
    
    git clone https://github.com/mongodb/mongodb-kubernetes-operator.git
    oc apply -f mongodb-kubernetes-operator/config/crd/bases/mongodbcommunity.mongodb.com_mongodbcommunity.yaml
    oc apply -k mongodb-kubernetes-operator/config/rbac/
    
    
  3. Run the custom MongoDB Operator.

    Edit the mongodb-kubernetes-operator/config/manager/manager.yaml file and make the following changes:

    • Add MANAGED_SECURITY_CONTEXT and its value as true under env:
      
      ...
      ...
      - name: MONGODB_IMAGE
            value: mongo
          - name: MONGODB_REPO_URL
            value: docker.io
          - name: MANAGED_SECURITY_CONTEXT
            value: 'true'
      ...
      ...
      
    • Remove the following lines:

      
              securityContext:
            readOnlyRootFilesystem: true
            runAsUser: 2000
        securityContext:
          seccompProfile:
            type: RuntimeDefault
      

    Create the MongoDB Kubernetes Operator by running the edited manager.yaml:

    
    oc create -f mongodb-kubernetes-operator/config/manager/manager.yaml
    
  4. Generate certificates to secure MongoDB.
    1. Generate the CA key by running the following command:
      
      openssl genrsa -out ca.key 4096
      
    2. Generate the CA certificate by running the following command:
      
      openssl req -new -x509 -days 3650 -key ca.key  -reqexts v3_req -extensions v3_ca -out ca.crt   -subj "/C=US/ST=NY/L=New York/O=AIAPPS/OU=TAS/CN=TAS"
      
      If you encounter errors with loading extension section v3_ca or extension section v3_req, edit /etc/ssl/openssl.cnf with the following updates:
      
      [ v3_ca ]
      basicConstraints = critical,CA:TRUE
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid:always,issuer:always
      
      [ v3_req ]
      basicConstraints = critical,CA:TRUE
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid:always,issuer:always
      
    3. Generate the TLS secret by running the following command:
      
      oc create secret tls ca-key-pair --cert=ca.crt --key=ca.key -n mongodb
      
    4. Create the issuer resource by running the following command:
      
      cat <<EOF |oc apply -f -
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: local-ca-issuer
        namespace: mongodb
      spec:
        ca:
          secretName: ca-key-pair     # tls secret containing the public and private key pair
      EOF
      
    5. Create the certificate using the preceding issuer by running the following command:
      
      cat <<EOF |oc apply -f -
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: my-mongodb-cert
        namespace: mongodb
      spec:
        secretName: my-mongodb-cert
        duration: 87600h
        issuerRef:
          name: local-ca-issuer
          kind: Issuer
        organization:
        - AIAPPS
        dnsNames:
        - my-mongodb-0.my-mongodb-svc.mongodb.svc.cluster.local
        - my-mongodb-1.my-mongodb-svc.mongodb.svc.cluster.local
        - my-mongodb-2.my-mongodb-svc.mongodb.svc.cluster.local
        privateKey:
          rotationPolicy: Always 
      EOF
      
    6. Create the configmap of the custom ca.crt by running the following command:
      
      oc create configmap custom-ca --from-file=ca.crt -n mongodb
      
  5. Create a password for MongoDB.

    Replace mongopwd with your password for MongoDB:

    
    cat <<EOF |oc apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: my-user-password
      namespace: mongodb
    type: Opaque
    stringData:
      password: mongopwd
    EOF
    
  6. Create the secured MongoDB ReplicaSet.

    Replace mongouser with intended username for MongoDB.

    Replace ibmc-file-gold-gid with the available storage class in the cluster.

    
    cat <<EOF |oc apply -f -
    apiVersion: mongodbcommunity.mongodb.com/v1
    kind: MongoDBCommunity
    metadata:
      name: my-mongodb
      namespace: mongodb
    spec:
      members: 3
      type: ReplicaSet
      version: "6.0.12"
      security:
        tls:
          enabled: true
          certificateKeySecretRef:
            name: my-mongodb-cert
          caConfigMapRef:
            name: custom-ca
        authentication:
          modes: ["SCRAM"]
      users:
        - name: mongouser
          db: admin
          passwordSecretRef:
            name: my-user-password
          roles:
            - db: admin
              name: clusterAdmin
            - db: admin
              name: readWriteAnyDatabase
            - db: admin
              name: dbAdminAnyDatabase
            - db: admin
              name: userAdminAnyDatabase
          scramCredentialsSecretName: my-scram
      statefulSet:
        spec:
          serviceName: my-mongodb-svc
          selector: {}
          volumeClaimTemplates:
            - metadata:
                name: data-volume
              spec:
                accessModes: [ "ReadWriteOnce" ]
                storageClassName: "ibmc-file-gold-gid"
                resources:
                  requests:
                    storage: 10Gi
            - metadata:
                name: logs-volume
              spec:
                accessModes: [ "ReadWriteOnce" ]
                storageClassName: "ibmc-file-gold-gid"
                resources:
                  requests:
                    storage: 2Gi
    EOF
    
  7. Optional: Check the installation to see whether the MongoDB pods are running by running the following command:
    
    oc get pods -n mongodb | grep my-mongodb
    
  8. Optional: Check the MongoDB connectivity by running the following command in any terminal of the MongoDB pods: my-mongodb-0, my-mongodb-1, or my-mongodb-2:
    
    mongo "mongodb://<mongoDB_User>:<mongoDB_Password>@my-mongodb-0.my-mongodb-svc.mongodb.svc.cluster.local:27017,my-mongodb-1.my-mongodb-svc.mongodb.svc.cluster.local:27017,my-mongodb-2.my-mongodb-svc.mongodb.svc.cluster.local:27017/?replicaSet=my-mongodb"  --authenticationDatabase admin  --ssl --tlsAllowInvalidCertificates
    

    For reference, the following are useful MongoDB commands to view AppPoints data:

    
    my-mongodb:PRIMARY> show dbs
    my-mongodb:PRIMARY> use ibm-sls_sls_licensing
    my-mongodb:PRIMARY> show tables
    my-mongodb:PRIMARY> db.auditevents.find()
    my-mongodb:PRIMARY> db.licenses.find()
    my-mongodb:PRIMARY> db.products.find()
    my-mongodb:PRIMARY> db.reports.find()
    my-mongodb:PRIMARY> db.samples.find()
    my-mongodb:PRIMARY> db.tokenpools.find()
    

The following steps install and configure the Suite Licensing Service (SLS):

  1. Create an SLS project by running the following command:
    
    oc new-project ibm-sls
    
  2. Enable the IBM operator catalog by running the following command:
    
    cat <<EOF |oc apply -f -
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-operator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: ibm-operator-catalog
      publisher: IBM Content
      sourceType: grpc
      image: icr.io/cpopen/ibm-operator-catalog
      updateStrategy:
        registryPoll:
          interval: 45m
    EOF
    
  3. Install SLS Operator.
    1. Create the operator group by running the following command:
      
      cat <<EOF |oc apply -f -
      apiVersion: operators.coreos.com/v1
      kind: OperatorGroup
      metadata:
        name: ibm-sls-operator-group
        namespace: ibm-sls
      spec:
        targetNamespaces:
          - ibm-sls
      EOF
      
    2. Install SLS Operator by running the following command:
      
      cat <<EOF |oc apply -f -
      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: ibm-sls
        namespace: ibm-sls
      spec:
        channel: 3.x
        installPlanApproval: Automatic
        name: ibm-sls
        source: ibm-operator-catalog
        sourceNamespace: openshift-marketplace
      EOF
      
  4. Create the IBM entitlement secret.
    1. Obtain your IBM entitlement registry from the Container software library. Click Copy key and substitute the value as <ENTITLEMENT_KEY> in the next step of this task.
    2. Create the secret by running the following command:
      
      oc create secret docker-registry ibm-entitlement --docker-server=cp.icr.io --docker-username=cp --docker-password="$ENTITLEMENT_KEY" -n ibm-sls
      
  5. Create database secrets.

    Create secret with MongoDB credentials.

    Replace mongouser and mongopwd with intended username/password and run:

    
    cat <<EOF |oc apply -f -
    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: sls-mongo-credentials
      namespace: ibm-sls
    stringData:
      username: mongouser
      password: mongopwd
    EOF
    
  6. Create the SLS custom resource.

    Replace the certificate in the below YAML file with the content of ca.crt created during MongoDB installation.

    Replace ibmc-file-gold-gid with the available storage class in the cluster.

    
    cat <<EOF |oc apply -f -
    apiVersion: sls.ibm.com/v1
    kind: LicenseService
    metadata:
      name: sls
      namespace: ibm-sls
    spec:
      license:
        accept: true
      mongo:
        configDb: admin
        nodes:
          - host: >-
              my-mongodb-0.my-mongodb-svc.mongodb.svc.cluster.local
            port: 27017
          - host: >-
              my-mongodb-1.my-mongodb-svc.mongodb.svc.cluster.local
            port: 27017
          - host: >-
              my-mongodb-2.my-mongodb-svc.mongodb.svc.cluster.local
            port: 27017
        retryWrites: true
        secretName: sls-mongo-credentials
        certificates:
        - alias: mongoca
          crt: |-
            -----BEGIN CERTIFICATE-----
            ...
            CA Certificate created for MongoDB installation
            ...
            -----END CERTIFICATE-----
      rlks:
        storage:
          class: ibmc-file-gold-gid
          size: 5G
      settings:
        auth:
          enforce: true
        compliance:
          enforce: false
        reconciliation:
          enabled: true
          reconciliationPeriod: 1800
        registration:
          open: true
        reporting:
          maxDailyReports: 90
          maxHourlyReports: 24
          maxMonthlyReports: 12
          reportGenerationPeriod: 3600
          samplingPeriod: 900
    EOF
    
  7. Check the completion status by running the following command:
    
    oc get licenseservice sls -n ibm-sls
    

    Wait for the status to be READY.

    The License ID is used to retrieve the IBM TRIRIGA Application Suite License Key (AppPoints) from IBM License Key Center.

  8. Optional: Check TRIRIGA Application Suite AppPoints by API.
    1. Save the SLS client key, cert, and CA (SLS requires mutual TLS) by running the following commands:
      
      mkdir sls-cert
      oc get secret -n ibm-sls sls-cert-client -o jsonpath='{.data.tls\.key}' | base64 -d > sls-cert/tls.key
      oc get secret -n ibm-sls sls-cert-client -o jsonpath='{.data.tls\.crt}' | base64 -d > sls-cert/tls.crt
      oc get secret -n ibm-sls sls-cert-client -o jsonpath='{.data.ca\.crt}' | base64 -d > sls-cert/ca.crt
      
    2. Set up port forwarding to expose the internal API outside the cluster by running the following command:
      
      oc port-forward service/sls 7000:443 -n ibm-sls
      
    3. Open a new terminal and go to the directory where the preceding certificates are stored:
      
      cd sls-cert
      
    4. Verify that the API is running by running the following command:
      
      curl -ik --cert tls.crt --key tls.key --cacert ca.crt https://localhost:7000/api/entitlement/config
      
    5. Upload the entitlement file, for example, license_900.dat, by running the following command:
      
      curl -ik --cert tls.crt --key tls.key --cacert ca.crt -X PUT -F 'file=@license.dat' https://localhost:7000/api/entitlement/file
      
    6. Check the token pool by running the following command:
      
      curl -ik --cert tls.crt --key tls.key --cacert ca.crt https://localhost:7000/api/tokens