Author : Leela P Chitta
IBM Documentation Reference - https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/25.0.0?topic=deployments-installing-cp4ba-filenet-content-manager-production-deployment
What is Separation of duties deployment: The Cloud Pak for Business Automation operators are in one namespace and the deployments (operands) are in a different namespace.
Prerequisites for the Deployment.
· Preparing for a deployment is completed (https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/25.0.0?topic=deployment-preparing-production)
· Optional: Preparing Customized versions of JDBC & ICCSAP libraries is completed (https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/25.0.0?topic=icfcmpd-optional-preparing-customized-versions-jdbc-drivers-iccsap-libraries)
Separation of duties deployment must be performed using deployment scripts. (https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/25.0.0?topic=suc-recommended-option-1-setting-up-cluster-by-running-script)
Installing a fresh production deployment by running scripts for Separation of duties
You can install the Cloud Pak capabilities that you want by running the cluster admin script and the deployment script. The cluster admin script can be run on the command-line interface (CLI) or in silent mode.
· Setting up the cluster with the admin script
o To install the Cloud Pak capabilities with the Cloud Pak operators, a cluster administrator must run the script to set up the cluster. The administrator must also provide information that they get from the script to a non-administrator user so they can run the deployment script to install capability (operands).
o The script will prompt the user to choose this deployment is for Separation of duties.
Procedure
1. Log in to the target cluster as the <cluster-admin> user.
If you are not already logged in on OpenShift (OCP), then log in using the oc CLI:
oc login https://<cluster-ip>:<port> -u <cluster-admin> -p <password>
2. Download the cert-kubernetes from github. For this blog we are doing 25.0.0 Fresh production Deployment with separation of duties, so let’s switch to 25.0.0 branch.
Migrate to any folder in your infrastructure node of Openshift cluster and download the github repository.
git clone https://github.com/icp4a/cert-kubernetes.git -b 25.0.0 --single-branch
3. Change the directory to the extracted cert-kubernetes/scripts folder.
cd ${PATH_TO_EXTRACTED_FILES}/cert-kubernetes/scripts
4. Run the cluster setup script and follow the prompts in the command window.
./cp4a-clusteradmin-setup.sh
a. Select the CP4BA deployment environment: Online (1) / Offline or Airgap (2). Select Online.
b. Select the platform type: OCP (2).
c. Select the deployment type production (2).
d. If you plan to enable FIPS for your Cloud Pak for Business Automation deployment, select Yes to check that the worker nodes on the cluster are FIPS enabled.
e. Accept the default Yes to install CP4BA as a private catalog
f. Select Yes for the question where it asks -> if you want to install the CP4BA operators and the CP4BA deployments in separate namespaces. Select Yes
g. Enter the name for a new project or an existing project (namespace).Example – cp2500opr
When asked you must provide a namespace for operands (runtime pods)
a. Where (namespace) do you want to deploy CP4BA operands (i.e., runtime pods)? Example -- cp25oprands
i. Enter Yes to confirm that you have an IBM Entitlement Registry key.
j. Enter your IBM Entitled Registry key
Cluster admin script deployment starts...
The following message is displayed:
[INFO] Checking the IBM Cert-manager Operator ready or not
....
…
[INFO] Applying the latest IBM CP4BA Operator catalog source...
[✔] IBM CP4BA Operator catalog source Updated!
To verify, in Openshift console check under project which you have specified for operators (Example: cp2500opr) and Installed Operators to see if all operators are succeeded.
You must see “NamespaceScope Operator” as this deployment is for Separation of duties.
IBM CP4BA Operators version can be verified as 25.0.0 version.
Preparing databases and secrets for your chosen capabilities by running a script
(Reference - https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/25.0.0?topic=pycc-recommended-preparing-databases-secrets-your-chosen-capabilities-by-running-script)
The cp4a-prerequisites.sh script is provided in the cert-kubernetes repository to help you prepare for an installation of Cloud Pak for Business Automation. The script generates property files for the selected capabilities in your deployment and must be run before your deployment is installed.
Procedure:
1. Make sure you are on the current project
oc project ${NAMESPACE}
2. Run ./cp4a-prerequisites.sh -m generate -n cp2500opr
3. The script will check the configmap called “ibm-cp4ba-common-config” and determines the deployment is for Separation of duties. When the script asks to provide operand namespace provide the namespace for your operands was given during cluster-admin-setup script. (For example: cp25oprands)
4. Select 1 as we are deploying FileNet Content Manager
5. Select optional components for “FileNet Content Manager”. For this blog, I am selecting 1 & 5.
6. Press Enter to proceed
7. Select LDAP type
Enter your dynamic storage classes for slow, medium, fast file storage (RWX). For this blog, I am using “nfs-client” as a storage class for all storage class requirements.
8. Select a deployment profile size from small, medium, or large [1 to 3]. The default is small (1).
9. Choose the database type that you want to use for the CP4BA deployment.
Note - By default, the databases are SSL enabled. You can disable SSL for a database when you edit the database property file
10 . Enter alias name for database
11. Select No to restrict network (Default is Yes)
12. Select No for external certificate
13. Enter the number of object stores of a FileNet P8 domain to configure for the CP4BA deployment.
15. Make sure that you are in the propertyfile folder under cp4ba-prerequisites/project/$NAMESPACE and edit the property files as indicated by the NEXT ACTIONS messages from the script. Update the (cp4ba_db_name_user.property, cp4ba_db_server.property, cp4ba_LDAP.property, cp4ba_user_profile.property
Make sure all the <Required> values in all of the property files are replaced correctly.