Getting started with IBM Vault Self-Managed for Z and LinuxONE
This topic helps you navigate through the documentation and follow the correct order of topics for a successful installation, configuration, and deployment.
Before you begin
IBM Vault Self-Managed for Z and LinuxONE extends HashiCorp Vault Enterprise to IBM mainframe environments, providing centralized secrets management with the security and reliability of IBM Z and LinuxONE platforms. Before starting your deployment, familiarize yourself with the product capabilities, deployment options, and team roles required for successful implementation.
Understanding the product
IBM Vault Self-Managed for Z and LinuxONE version 1.19.12 provides enterprise-grade secrets management with IBM Z-specific integrations:
- RACF LDAP integration: Generates dynamic IBM z/OS Security Server RACF credentials with automated rotation.
- SSH secrets engine: Provides certificate-based SSH authentication for z/OS Unix System Services using modern ED25519 keys.
- Vault Secrets Operator: Synchronizes secrets from Vault to Kubernetes secrets in OpenShift environments.
- IBM CEX HSM integration: Integrates with IBM Crypto Express hardware security modules for enhanced key protection.
For detailed information about product capabilities, see IBM Vault Self-Managed for Z and LinuxONE overview.
Choosing your deployment platform
IBM Vault Self-Managed for Z and LinuxONE supports multiple deployment platforms. Select the option that best fits your infrastructure and operational requirements:
- z/OS Container Extensions (zCX)
Deploy Vault directly on z/OS using Docker containers. This option provides native integration with z/OS environments and is ideal for organizations with z/OS infrastructure that want to run Vault close to their mainframe workloads.
Key characteristics:
- Docker-based container deployment on z/OS.
- Direct access to z/OS resources and security features.
- High availability through HAProxy load balancing.
- Simplified deployment for z/OS-centric environments.
- Red Hat OpenShift Container Platform
Deploy Vault on OpenShift for Kubernetes-native orchestration. This option provides enterprise Kubernetes management capabilities and is ideal for organizations using OpenShift for container orchestration.
Key characteristics:
- Helm chart-based installation.
- Built-in high availability with Raft consensus.
- OpenShift-native monitoring and logging.
- Integration with Vault Secrets Operator for application secret management.
For detailed comparison and selection guidance, see Deployment options.
Identifying required roles
Successful deployment requires collaboration across multiple roles with specific responsibilities. The personas involved depend on your chosen deployment platform, but the core responsibilities remain the same. For detailed role descriptions and responsibilities, see Who can deploy?
Planning your deployment
Before beginning deployment, ensure you have the following prerequisites:
- Infrastructure requirements:
- For zCX: z/OS Container Extensions environment with Docker support.
- For OpenShift: Red Hat OpenShift Container Platform cluster on IBM Z or LinuxONE.
- Network connectivity between Vault nodes and client systems.
- Sufficient storage for Vault data and configuration.
- Security requirements:
- CA-signed TLS certificates for secure communication.
- Certificate authority (CA) certificate chain.
- Private keys for Vault server certificates.
- Secure storage for root tokens and unseal keys.
- Access requirements:
- Administrative access to the deployment platform (zCX or OpenShift).
- Permissions to create and manage containers or pods.
- Network access to configure load balancers and routing.
- Vault CLI installed for cluster management.
Deployment workflow
The deployment process follows these high-level steps:
- Prepare infrastructure: Set up the deployment platform (zCX or OpenShift) with required resources.
- Configure networking: Establish network connectivity, DNS resolution, and load balancing.
- Deploy Vault cluster: Install and configure Vault nodes with high availability.
- Initialize and unseal: Initialize the Vault cluster and securely distribute unseal keys.
- Configure integrations: Enable secrets engines and authentication methods for your use cases.
- Verify deployment: Test cluster health, replication, and secret access.
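The "Initialize and unseal" and "Verify deployment" steps above, together with the earlier requirement for secure storage of root tokens and unseal keys, are where a deployment script most often goes wrong. The following Python helper is an added example written for this page; it is not IBM's or HashiCorp's code. It works on the JSON that `vault operator init -format=json` and `vault status -format=json` emit (the field names are the real ones; every key, token and status value below is constructed), checks that the Shamir share/threshold layout cannot be satisfied by a single key holder, assigns each unseal key to exactly one custodian (the custodian names are hypothetical), computes how many `vault operator unseal` operations a sealed node still needs, and produces a redacted copy of the init output that is safe to keep in a deployment log.

```python
"""Plan and verify the initialize-and-unseal step of a Vault deployment.

Hypothetical helper written for this page; not part of the IBM product or
of HashiCorp's tooling. Input shapes follow `vault operator init -format=json`
and `vault status -format=json`; all sample values are constructed.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of `vault operator init -format=json`.
SAMPLE_INIT_JSON = json.dumps({
    "unseal_keys_b64": [f"EXAMPLEKEY{i}+" + "A" * 32 + "=" for i in range(1, 6)],
    "unseal_keys_hex": ["00" * 33] * 5,
    "unseal_shares": 5,
    "unseal_threshold": 3,
    "recovery_keys_b64": [],
    "recovery_keys_hex": [],
    "recovery_keys_shares": 0,
    "recovery_keys_threshold": 0,
    "root_token": "hvs.EXAMPLEROOTTOKEN",
})

# Constructed samples in the shape of `vault status -format=json` (subset of fields).
SAMPLE_STATUS_SEALED = json.dumps({
    "type": "shamir", "initialized": True, "sealed": True,
    "t": 3, "n": 5, "progress": 1, "storage_type": "raft", "ha_enabled": True,
})
SAMPLE_STATUS_UNSEALED = json.dumps({
    "type": "shamir", "initialized": True, "sealed": False,
    "t": 3, "n": 5, "progress": 0, "storage_type": "raft", "ha_enabled": True,
})


def validate_shamir_config(init_json: str) -> Tuple[int, int]:
    """Check the share/threshold layout before any key leaves the operator's hands.

    Returns (shares, threshold). Raises ValueError for a layout that would let
    one custodian unseal alone or that could never reach the threshold.
    """
    init = json.loads(init_json)
    shares, threshold = init["unseal_shares"], init["unseal_threshold"]
    keys = init["unseal_keys_b64"]
    if len(keys) != shares:
        raise ValueError(f"expected {shares} unseal keys, got {len(keys)}")
    if threshold < 2:
        raise ValueError("a threshold of 1 lets a single custodian unseal Vault")
    if threshold > shares:
        raise ValueError("threshold exceeds the number of shares; the cluster could never unseal")
    return shares, threshold


def assign_custodians(init_json: str, custodians: List[str]) -> Dict[str, str]:
    """Map each unseal key to exactly one distinct custodian.

    One key per person keeps every custodian below the threshold, which is
    the reason the shares are distributed in the first place.
    """
    shares, _threshold = validate_shamir_config(init_json)
    if len(set(custodians)) != len(custodians):
        raise ValueError("custodian names must be unique")
    if len(custodians) != shares:
        raise ValueError(f"need exactly {shares} custodians, got {len(custodians)}")
    keys = json.loads(init_json)["unseal_keys_b64"]
    return dict(zip(custodians, keys))


def remaining_unseal_operations(status_json: str) -> int:
    """Number of further `vault operator unseal` calls this node needs (0 if unsealed)."""
    status = json.loads(status_json)
    if not status["initialized"]:
        raise ValueError("node is not initialized; run `vault operator init` first")
    if not status["sealed"]:
        return 0
    # `t` is the threshold, `progress` the count of valid keys entered so far.
    return status["t"] - status["progress"]


def redact_init_output(init_json: str) -> str:
    """Copy of the init output with key material and root token removed.

    The share/threshold layout is kept so the deployment log still records
    how the cluster was initialized.
    """
    init = json.loads(init_json)
    for field in ("unseal_keys_b64", "unseal_keys_hex",
                  "recovery_keys_b64", "recovery_keys_hex"):
        init[field] = ["<redacted>"] * len(init[field])
    init["root_token"] = "<redacted>"
    return json.dumps(init)


if __name__ == "__main__":
    plan = assign_custodians(SAMPLE_INIT_JSON, ["alice", "bob", "carol", "dave", "erin"])
    needed = remaining_unseal_operations(SAMPLE_STATUS_SEALED)
    print(f"{len(plan)} keys assigned to custodians; {needed} unseal operation(s) still needed")
    print(redact_init_output(SAMPLE_INIT_JSON))
```

In a real deployment the init output is piped into this helper once and never written to disk unredacted; each custodian then runs `vault operator unseal` with their own key on every node until `remaining_unseal_operations` reports 0, which is also the check to run during the verify step after a node restart.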
Next steps
After understanding the product capabilities, deployment options, and required roles, proceed with deployment:
- For zCX deployment, see Deploying HashiCorp Vault on IBM z/OS Container Extensions.
- For OpenShift deployment, see Deploying Vault on OpenShift Container Platform.
After deployment, configure integrations based on your requirements:
- For OpenShift secret synchronization, see Deploying Vault Secrets Operator on OpenShift.
- For RACF credential management, see Managing IBM RACF LDAP credentials with Vault.
- For SSH certificate authentication, see Understanding Vault SSH certificate authentication.
- For hardware security module integration, see Integrating Vault with IBM CEX HSM.
Additional resources
- HashiCorp Vault documentation: Official Vault documentation and tutorials.
- IBM z/OS documentation: z/OS platform documentation and resources.
- Red Hat OpenShift documentation: OpenShift platform documentation.