Installing Suite License Service
Install IBM Suite Licensing Service (SLS) to store and manage the IBM® TRIRIGA® Application Suite licenses.
Before you begin
Install and prepare the database, either as Installing and preparing Db2 on the Db2 Operator, IBM Db2 Warehouse on IBM Cloud Pak® For Data, or as an external database.
About this task
Installing a certificate manager to manage the
certificates.cert-manager.io/v1
and issuers.cert-manager.io/v1
CRDs is needed only if a certificate manager is not already installed. A IBM Cloud Pak For Data
installation provides a certificate manager.
MongoDB is required for Suite License Service, which uses MongoDB as a core component to store configuration data. The MongoDB data storage is configured during the initial setup.
Procedure
Install and configure a certificate manager:
- Create the new common services project by running the following command:
oc new-project ibm-common-services
- Enable the IBM Operator Catalog by running the following command:
cat <<EOF |oc apply -f - apiVersion: operators.coreos.com/v1alpha1 kind: CatalogSource metadata: name: ibm-operator-catalog namespace: openshift-marketplace spec: displayName: ibm-operator-catalog publisher: IBM Content sourceType: grpc image: icr.io/cpopen/ibm-operator-catalog updateStrategy: registryPoll: interval: 45m EOF
- Install the Cloud Pak foundational services operator.
- Create the operator group by running the following command:
cat <<EOF |oc apply -f - apiVersion: operators.coreos.com/v1alpha2 kind: OperatorGroup metadata: name: operatorgroup namespace: ibm-common-services spec: targetNamespaces: - ibm-common-services EOF
- Install the Cloud Pak foundational services operator by running the following
command:
cat <<EOF |oc apply -f - apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: ibm-common-service-operator namespace: ibm-common-services spec: channel: v3 installPlanApproval: Automatic name: ibm-common-service-operator source: ibm-operator-catalog sourceNamespace: openshift-marketplace EOF
- Create the operator group by running the following command:
- Install the cert-manager Operator for Red Hat
OpenShift. To install cert-manager, complete the steps for your Red Hat OpenShift version, see Installing the cert-manager Operator for Red Hat OpenShift.
Install and configure MongoDB:
- Create a MongoDB project by running the following command:
oc new-project mongodb
- Download and install MongoDB Community version by running the following commands:
git clone https://github.com/mongodb/mongodb-kubernetes-operator.git oc apply -f mongodb-kubernetes-operator/config/crd/bases/mongodbcommunity.mongodb.com_mongodbcommunity.yaml oc apply -k mongodb-kubernetes-operator/config/rbac/
- Run the custom MongoDB Operator.
Edit the
mongodb-kubernetes-operator/config/manager/manager.yaml
file and make the following changes:- Add
MANAGED_SECURITY_CONTEXT
and its value astrue
under env:... ... - name: MONGODB_IMAGE value: mongo - name: MONGODB_REPO_URL value: docker.io - name: MANAGED_SECURITY_CONTEXT value: 'true' ... ...
-
Remove the following lines:
securityContext: readOnlyRootFilesystem: true runAsUser: 2000 securityContext: seccompProfile: type: RuntimeDefault
Create the MongoDB Kubernetes Operator by running the edited
manager.yaml
:oc create -f mongodb-kubernetes-operator/config/manager/manager.yaml
- Add
- Generate certificates to secure MongoDB.
- Generate the CA key by running the following command:
openssl genrsa -out ca.key 4096
- Generate the CA certificate by running the following command:
openssl req -new -x509 -days 3650 -key ca.key -reqexts v3_req -extensions v3_ca -out ca.crt -subj "/C=US/ST=NY/L=New York/O=AIAPPS/OU=TAS/CN=TAS"
If you encounter errors with loading extension section v3_ca or extension section v3_req, edit /etc/ssl/openssl.cnf with the following updates:[ v3_ca ] basicConstraints = critical,CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always [ v3_req ] basicConstraints = critical,CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always
- Generate the TLS secret by running the following command:
oc create secret tls ca-key-pair --cert=ca.crt --key=ca.key -n mongodb
- Create the issuer resource by running the following command:
cat <<EOF |oc apply -f - apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: local-ca-issuer namespace: mongodb spec: ca: secretName: ca-key-pair # tls secret containing the public and private key pair EOF
- Create the certificate using the preceding issuer by running the following
command:
cat <<EOF |oc apply -f - apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: my-mongodb-cert namespace: mongodb spec: secretName: my-mongodb-cert duration: 87600h issuerRef: name: local-ca-issuer kind: Issuer organization: - AIAPPS dnsNames: - my-mongodb-0.my-mongodb-svc.mongodb.svc.cluster.local - my-mongodb-1.my-mongodb-svc.mongodb.svc.cluster.local - my-mongodb-2.my-mongodb-svc.mongodb.svc.cluster.local privateKey: rotationPolicy: Always EOF
- Create the configmap of the custom ca.crt by running the
following command:
oc create configmap custom-ca --from-file=ca.crt -n mongodb
- Generate the CA key by running the following command:
- Create a password for MongoDB.
Replace
mongopwd
with your password for MongoDB:cat <<EOF |oc apply -f - apiVersion: v1 kind: Secret metadata: name: my-user-password namespace: mongodb type: Opaque stringData: password: mongopwd EOF
- Create the secured MongoDB ReplicaSet.
Replace
mongouser
with intended username for MongoDB.Replace
ibmc-file-gold-gid
with the available storage class in the cluster.cat <<EOF |oc apply -f - apiVersion: mongodbcommunity.mongodb.com/v1 kind: MongoDBCommunity metadata: name: my-mongodb namespace: mongodb spec: members: 3 type: ReplicaSet version: "6.0.12" security: tls: enabled: true certificateKeySecretRef: name: my-mongodb-cert caConfigMapRef: name: custom-ca authentication: modes: ["SCRAM"] users: - name: mongouser db: admin passwordSecretRef: name: my-user-password roles: - db: admin name: clusterAdmin - db: admin name: readWriteAnyDatabase - db: admin name: dbAdminAnyDatabase - db: admin name: userAdminAnyDatabase scramCredentialsSecretName: my-scram statefulSet: spec: serviceName: my-mongodb-svc selector: {} volumeClaimTemplates: - metadata: name: data-volume spec: accessModes: [ "ReadWriteOnce" ] storageClassName: "ibmc-file-gold-gid" resources: requests: storage: 10Gi - metadata: name: logs-volume spec: accessModes: [ "ReadWriteOnce" ] storageClassName: "ibmc-file-gold-gid" resources: requests: storage: 2Gi EOF
- Optional: Check the installation to see whether the MongoDB pods are running
by running the following command:
oc get pods -n mongodb | grep my-mongodb
- Optional: Check the MongoDB connectivity by running the following command in
any terminal of the MongoDB pods:
my-mongodb-0
,my-mongodb-1
, ormy-mongodb-2
:mongo "mongodb://<mongoDB_User>:<mongoDB_Password>@my-mongodb-0.my-mongodb-svc.mongodb.svc.cluster.local:27017,my-mongodb-1.my-mongodb-svc.mongodb.svc.cluster.local:27017,my-mongodb-2.my-mongodb-svc.mongodb.svc.cluster.local:27017/?replicaSet=my-mongodb" --authenticationDatabase admin --ssl --tlsAllowInvalidCertificates
For reference, the following are useful MongoDB commands to view AppPoints data:
my-mongodb:PRIMARY> show dbs my-mongodb:PRIMARY> use ibm-sls_sls_licensing my-mongodb:PRIMARY> show tables my-mongodb:PRIMARY> db.auditevents.find() my-mongodb:PRIMARY> db.licenses.find() my-mongodb:PRIMARY> db.products.find() my-mongodb:PRIMARY> db.reports.find() my-mongodb:PRIMARY> db.samples.find() my-mongodb:PRIMARY> db.tokenpools.find()
The following steps install and configure the Suite Licensing Service (SLS):
- Create an SLS project by running the following command:
oc new-project ibm-sls
- Enable the IBM operator catalog by running the following command:
cat <<EOF |oc apply -f - apiVersion: operators.coreos.com/v1alpha1 kind: CatalogSource metadata: name: ibm-operator-catalog namespace: openshift-marketplace spec: displayName: ibm-operator-catalog publisher: IBM Content sourceType: grpc image: icr.io/cpopen/ibm-operator-catalog updateStrategy: registryPoll: interval: 45m EOF
- Install SLS Operator.
- Create the operator group by running the following command:
cat <<EOF |oc apply -f - apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: ibm-sls-operator-group namespace: ibm-sls spec: targetNamespaces: - ibm-sls EOF
- Install SLS Operator by running the following command:
cat <<EOF |oc apply -f - apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: ibm-sls namespace: ibm-sls spec: channel: 3.x installPlanApproval: Automatic name: ibm-sls source: ibm-operator-catalog sourceNamespace: openshift-marketplace EOF
- Create the operator group by running the following command:
- Create the IBM entitlement secret.
- Obtain your IBM entitlement registry from the Container software library. Click Copy key and substitute the value
as
<ENTITLEMENT_KEY>
in the next step of this task. - Create the secret by running the following command:
oc create secret docker-registry ibm-entitlement --docker-server=cp.icr.io --docker-username=cp --docker-password="$ENTITLEMENT_KEY" -n ibm-sls
- Obtain your IBM entitlement registry from the Container software library. Click Copy key and substitute the value
as
- Create database secrets.
Create secret with MongoDB credentials.
Replace
mongouser
andmongopwd
with intended username/password and run:cat <<EOF |oc apply -f - apiVersion: v1 kind: Secret type: Opaque metadata: name: sls-mongo-credentials namespace: ibm-sls stringData: username: mongouser password: mongopwd EOF
- Create the SLS custom resource.
Replace the certificate in the below YAML file with the content of
ca.crt
created during MongoDB installation.Replace
ibmc-file-gold-gid
with the available storage class in the cluster.cat <<EOF |oc apply -f - apiVersion: sls.ibm.com/v1 kind: LicenseService metadata: name: sls namespace: ibm-sls spec: license: accept: true mongo: configDb: admin nodes: - host: >- my-mongodb-0.my-mongodb-svc.mongodb.svc.cluster.local port: 27017 - host: >- my-mongodb-1.my-mongodb-svc.mongodb.svc.cluster.local port: 27017 - host: >- my-mongodb-2.my-mongodb-svc.mongodb.svc.cluster.local port: 27017 retryWrites: true secretName: sls-mongo-credentials certificates: - alias: mongoca crt: |- -----BEGIN CERTIFICATE----- ... CA Certificate created for MongoDB installation ... -----END CERTIFICATE----- rlks: storage: class: ibmc-file-gold-gid size: 5G settings: auth: enforce: true compliance: enforce: false reconciliation: enabled: true reconciliationPeriod: 1800 registration: open: true reporting: maxDailyReports: 90 maxHourlyReports: 24 maxMonthlyReports: 12 reportGenerationPeriod: 3600 samplingPeriod: 900 EOF
- Check the completion status by running the following command:
oc get licenseservice sls -n ibm-sls
Wait for the status to be READY.
The License ID is used to retrieve the IBM TRIRIGA Application Suite License Key (AppPoints) from IBM License Key Center.
- Optional: Check
TRIRIGA Application Suite AppPoints by API.
- Save the SLS client key, cert, and CA (SLS requires mutual TLS) by running the
following commands:
mkdir sls-cert oc get secret -n ibm-sls sls-cert-client -o jsonpath='{.data.tls\.key}' | base64 -d > sls-cert/tls.key oc get secret -n ibm-sls sls-cert-client -o jsonpath='{.data.tls\.crt}' | base64 -d > sls-cert/tls.crt oc get secret -n ibm-sls sls-cert-client -o jsonpath='{.data.ca\.crt}' | base64 -d > sls-cert/ca.crt
- Set up port forwarding to expose the internal API outside the cluster by running the
following command:
oc port-forward service/sls 7000:443 -n ibm-sls
- Open a new terminal and go to the directory where the preceding certificates are
stored:
cd sls-cert
- Verify that the API is running by running the following command:
curl -ik --cert tls.crt --key tls.key --cacert ca.crt https://localhost:7000/api/entitlement/config
- Upload the entitlement file, for example, license_900.dat, by
running the following command:
curl -ik --cert tls.crt --key tls.key --cacert ca.crt -X PUT -F 'file=@license.dat' https://localhost:7000/api/entitlement/file
- Check the token pool by running the following command:
curl -ik --cert tls.crt --key tls.key --cacert ca.crt https://localhost:7000/api/tokens
- Save the SLS client key, cert, and CA (SLS requires mutual TLS) by running the
following commands: