You can install the IBM® Security Guardium® Key Lifecycle Manager
container on a Red Hat OpenShift cluster. You can use the provided
Helm charts for the installation.
Before you begin
- Install a Red Hat OpenShift Container Platform cluster
- Obtain Red Hat OpenShift Container Platform Version 4.2 or
later.
- Review the minimum system requirements. For more information, see the Support matrix.
- Install an OpenShift Container Platform cluster, and ensure that it is up and running.
You can access the Red Hat OpenShift documentation here: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.3/
- Obtain the Red Hat OpenShift Command line (CLI) tool
- Obtain the oc command line tool as per the version of Red Hat OpenShift container platform and your operating system. For
instructions, see https://docs.openshift.com/container-platform/4.3/cli_reference/openshift_cli/getting-started-cli.html.
- Install the database
- You can use IBM Db2U Standard Edition Version 11.5 or
PostgreSQL Version 10.
- To install IBM Db2U, see Installing Db2 on a Red Hat OpenShift cluster
Then, upload the license for
IBM Db2U. For more information, see Upgrading your Db2 Community Edition license certificate key.
- Obtain the Helm charts
-
- Install Helm Version 2.17.0 on the system from which you will access the cluster. For more
information, see https://helm.sh/docs/intro/install/.
- From the IBM Security Guardium Key Lifecycle Manager utilities
page, download the file (openshift-helm.zip) that contains the sample Helm
charts for installing the IBM Security Guardium Key Lifecycle Manager container.
- Obtain the container installation files (eImages) and license activation file
- Obtain the container installation files (eImages) and license activation file
for IBM Security Guardium Key Lifecycle Manager container from IBM Passport
Advantage. For more information, see Installation images for containerized platforms.
- Extract the container installation files to a local repository directory. You need to provide
the location of this directory in the values.yaml file in the chart.
You can
avoid downloading the container installation files if you plan to pull the container image directly
from the Docker Hub repository.
- Install IBM License Service
-
- Install the IBM License Service. For instructions, see the relevant section in License Service for
stand-alone products.
- Verify the installation by running the following
commands:
# oc get pods --namespace ibm-common-services
# oc get service --namespace ibm-common-services
# oc get secret ibm-licensing-token -o jsonpath={.data.token} -n ibm-common-services | base64 -d
Note
down the host, port, and service token values from the command output to be updated in the Helm
charts file.
- Update the following parameters in the sample Helm charts
(openshift-helm.zip):
config:
sklmapp_license:
license_service_host
license_service_port
secret:
license_service_token
Procedure
Complete the following steps on the system on which you installed the common
tools:
-
Obtain the login token.
- Log in to the OpenShift® Container
Platform.
- Click Display Token link.
- Copy the Login command that is displayed under Log in with this
token.
- Use the copied command to connect to the OCP server by using the command line tool
(oc).
-
Extract the openshift-helm.zip file.
-
In the directory where you extracted the files, navigate to the
directory.
- Create the Security Context Constraint (SCC):
Run the following command:
oc apply -f liberty_scc.yaml
The following output is
displayed:
securitycontextconstraints.security.openshift.io/ibm-websphere-scc configured
- Create the Websphere service account and bind the ibm-websphere-scc to the project.
#oc create serviceaccount websphere -n project name
#oc create serviceaccount websphere -n sklmdb2
Output is like :
serviceaccount/websphere created
#oc adm policy add-scc-to-user ibm-websphere-scc -z websphere -n <project name>
#oc adm policy add-scc-to-user ibm-websphere-scc -z websphere -n sklmdb2
The following output is
displayed:
securitycontextconstraints.security.openshift.io/ibm-websphere-scc added to: ["system:serviceaccount:aaa:websphere"]
-
Open the values.yaml file and modify the parameter values in the file as
per your requirement.
The file has information about the mandatory parameters to be
updated and description of all the parameters.
- Navigate to openshift-helm directory and run the following command:
helm install sklmapp
Note: Use the helm command based on the versions of your operating system and CLI tools.
- Verify the installation.
- Log in to the Red Hat OpenShift Container
Platform.
- In the left pane, expand
.
A
new pod for the application is created with the status as
Running.
- To access the application, create a route.
- In the left pane, expand
, and click
Create Route.
- Specify values for the properties on the page.
Ensure that you specify the
following property settings:
- Name
- sklmapp-route
- Service
- sklmapp
- Target port
- 9443 -> 9443(TCP)
- Security
- Select the Secure route check box.
- TLS Termination
- Passthrough
- Insecure Traffic
- Redirect
- Click Create.
The application URL is generated
and displayed in the Location field.
- Copy the application URL.
- Launch the IBM Security Guardium Key Lifecycle Manager graphical user
interface by using the copied application URL.
- On the Configuration page that appears, click the License
Agreements link to review the license terms, and then select the I accept the
terms in the License Agreements check box.
- Click Activate License.
- Upload the IBM Security Guardium Key Lifecycle Manager
license activation file and activate the license.
- Click Activate License.
- Upload the IBM Security Guardium Key Lifecycle Manager
license activation file and activate the license.
- Click Login.
- Log in to the IBM Security Guardium Key Lifecycle Manager
graphical user interface with the Administrator user credentials
(sklmadmin).