Stan's Corner


Installing IBM API Connect in OpenShift Container Platform

By Swathi Kannan posted Wed January 17, 2024 04:06 AM


Authors: Swathi Kannan, Vaishak A, Joice Joy

This blog covers how to install IBM API Connect (APIC) on OpenShift (OCP). 


IBM API Connect is software that helps organizations create and manage secure, organized web interfaces and APIs. It provides tools for developing APIs, securing them, and monitoring their performance. 

Red Hat OpenShift Container Platform (OCP) is a hybrid cloud foundation for building and scaling containerized applications. 



  • An OCP cluster with version 4.12.7 (preferably, 3 master nodes with 8 vCPU and 16 GB RAM and 3 worker nodes with 16 vCPU and 32 GB RAM) 

  • Permissions to install and configure software in the OCP cluster 

  • IBMid for obtaining entitlement key. 

Installation of a storage orchestrator

A storage orchestrator allocates storage classes for operators according to their requirements. A block storage class is required to install IBM API Connect. This blog covers installing IBM API Connect by using rook-ceph, an open-source, cloud-native storage orchestrator for Kubernetes. 

  • To install rook-ceph in the OCP cluster, run the following commands. 

yum install git -y 
git clone 
cd rook/deploy/examples 
oc create -f crds.yaml 
oc create -f common.yaml 
oc create -f operator-openshift.yaml 
# Verify that the pods are in Running state, not ContainerCreating: oc get all -n rook-ceph
oc create -f cluster.yaml 
# Verify that all pods are in Running state, especially the rook-ceph-mon* and rook-ceph-osd* pods: oc get pod -n rook-ceph
oc create -f ./csi/rbd/storageclass.yaml 
# Verify that the rook-ceph-block storage class was created: oc get sc
oc create -f ./csi/rbd/pvc.yaml 
oc create -f filesystem.yaml 
oc create -f ./csi/cephfs/storageclass.yaml 
oc create -f ./csi/cephfs/pvc.yaml 
oc create -f toolbox.yaml 
# Verify the status of all pods at the end; the 3 rook-ceph-osd-prepare-node* pods should be in Completed state

  • Make rook-ceph the default storage class by running the following command: 

oc patch storageclass <storage class name> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'

Here <storage class name> is the name of the storage class; in our case, rook-ceph-block.
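
The verification comments in the rook-ceph steps and the default storage class step can be scripted as gate checks that stop the installation when the storage layer is not ready. The following is an added example, not part of the original post; the function names and the sample output are constructed for illustration, and the parsers assume the default column layout of `oc get pod` and `oc get sc` with `--no-headers`.

```shell
# Gate checks for the rook-ceph steps above. The parsers read
# `oc get ... --no-headers` text on stdin so they can be tried offline.

# Print pods that are neither Completed nor Running with all containers ready.
pods_not_ready() {
  awk '{ split($2, r, "/")
         if ($3 == "Completed") next
         if ($3 == "Running" && r[1] == r[2]) next
         print $1 }'
}

# Count rook-ceph-osd-prepare-* pods in Completed state (the page expects 3).
osd_prepare_completed() {
  awk '$1 ~ /^rook-ceph-osd-prepare-/ && $3 == "Completed" { n++ } END { print n + 0 }'
}

# Print the storage classes that `oc get sc` marks as "(default)".
default_storage_classes() {
  awk '$2 == "(default)" { print $1 }'
}

# Constructed sample output (not captured from a real cluster).
SAMPLE_PODS='rook-ceph-mon-a-6c9f7d8b5-abcde      2/2   Running             0   10m
rook-ceph-osd-0-5d8c7f6b4-fghij      2/2   Running             0   8m
rook-ceph-osd-1-7b6d5c4a3-klmno      1/2   Running             0   8m
rook-ceph-osd-prepare-node1-pqrst    0/1   Completed           0   9m
rook-ceph-osd-prepare-node2-uvwxy    0/1   Completed           0   9m
csi-rbdplugin-zzzzz                  0/2   ContainerCreating   0   1m'
SAMPLE_SC='rook-ceph-block (default)   rook-ceph.rbd.csi.ceph.com      Delete   Immediate   true   5m
rook-cephfs                 rook-ceph.cephfs.csi.ceph.com   Delete   Immediate   true   4m'

# Live check against the cluster; returns non-zero if any gate fails.
# More than one default storage class also fails the last test.
verify_rook_ceph() {
  _pods=$(oc get pod -n rook-ceph --no-headers) || return 1
  _bad=$(printf '%s\n' "$_pods" | pods_not_ready)
  _defaults=$(oc get sc --no-headers | default_storage_classes)
  [ -z "$_bad" ] || { echo "pods not ready: $_bad" >&2; return 1; }
  [ "$(printf '%s\n' "$_pods" | osd_prepare_completed)" -eq 3 ] ||
    { echo "osd-prepare pods are not all Completed" >&2; return 1; }
  [ "$_defaults" = "rook-ceph-block" ] ||
    { echo "default storage class is: ${_defaults:-none}" >&2; return 1; }
}
```

Source the file and run `verify_rook_ceph` before you start the operator installation; on the constructed sample, `pods_not_ready` reports the half-ready OSD pod and the pod that is still in ContainerCreating.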

Installation of APIC Operator in OCP cluster

  • To install the API Connect Operator in an OCP cluster, complete the following steps: 

    1. Obtain an entitlement key for the Entitled Registry. 

    1. Log on to IBM Container Library.  

    1. Go to Container software library and then select Get entitlement key.  

    1. After the Access your container software heading, click Copy key.  

    1. Create a namespace:  

      oc create ns <APIC-namespace>
    2. If you are installing the operator into a single namespace, create an OperatorGroup object with that namespace specified.

Skip this step if you are installing the operator in every namespace as the openshift-operators namespace already has the necessary Operator group installed. 

    1. Set up an OperatorGroup object in the apiconnect-operator-group.yaml file: 

      • Specify the namespace to access the CSV and generate Role-Based Access Control for the IBM API Connect Operator. Role-Based Access Control is a technique for controlling access and permissions in a system. 

        apiVersion: operators.coreos.com/v1
        kind: OperatorGroup
        metadata:
          name: <operator-group-name>
          namespace: <APIC-namespace>
        spec:
          targetNamespaces:
          - <APIC-namespace>
    2. Apply the OperatorGroup object: 
      oc apply -f apiconnect-operator-group.yaml 
    3. Create an image pull secret to securely pull container images from a container registry in the namespace in which you want to install API Connect:  
    4. Open the web console for OpenShift.

    5. Go to Workloads and then click Secrets.

    6. Make sure that the Project is set to the namespace where you intend to install API Connect. 

    7. Click Create and select Image pull secret

    8. Set the parameters for the secret as follows:

      1. Secret name: ibm-entitlement-key.

      2. Authentication type: Image registry credentials 

      3. Registry server address: 

      4. Username: cp

      5. Password: Entitlement key generated 

    9. Click Create.

    10. Add the IBM Common Services Catalog source:

      1. Open the OpenShift web console and click + (in the page banner) to open the Import YAML dialog.

      2. Paste the following resource definition into the dialog and click Create

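        apiVersion: operators.coreos.com/v1alpha1
        kind: CatalogSource
        metadata:
          name: opencloud-operators
          namespace: openshift-marketplace
        spec:
          displayName: IBMCS Operators
          publisher: IBM
          sourceType: grpc
          image: <catalog-image>
          updateStrategy:
            registryPoll:
              interval: 45m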
    11. Add the IBM Operator Catalog source:
      1. Open the OpenShift web console and click + and import the YAML.
      2. Paste the following resource definition into the dialog and click Create
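        apiVersion: operators.coreos.com/v1alpha1
        kind: CatalogSource
        metadata:
          name: ibm-operator-catalog
          namespace: openshift-marketplace
        spec:
          displayName: "IBM Operator Catalog"
          publisher: IBM
          sourceType: grpc
          image: <catalog-image>
          updateStrategy:
            registryPoll:
              interval: 45m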
    12. Create the apiconnect subscription with the appropriate channel: 
      1. Create a file with the name apic-sub.yaml
      2. Paste the following contents and update the namespace: 

        apiVersion: operators.coreos.com/v1alpha1
        kind: Subscription
        metadata:
          name: ibm-apiconnect
          namespace: <namespace>
        spec:
          channel: v3.3
          name: ibm-apiconnect
          source: ibm-operator-catalog
          sourceNamespace: openshift-marketplace
      3.  Apply the subscription 
        oc apply -f apic-sub.yaml 
    13. Select Operators > Installed Operators and ensure that Project: All Projects is selected. 
    14. If an operator such as ibm-apiconnect or ibm-cert-manager-operator shows "Upgrade available", approve the upgrade: 
      1. Click Upgrade available
      2. Click Preview InstallPlan
      3. Click Approve.  
    1. Wait for the IBM API Connect and IBM DataPower Gateway operators to install.  

    2. IBM DataPower Gateway operator is required for API Connect. Ensure that IBM DataPower Gateway operator is retained.  

    3. Check whether the ibm-common-services-operator subscription is available. 

    4. If ibm-common-services-operator subscription is not available, create the subscription:

        1. Create a file named common-services-sub.yaml. 

        2. Paste the following contents:  
          apiVersion: operators.coreos.com/v1alpha1
          kind: Subscription
          metadata:
            name: ibm-common-service-operator
            namespace: <namespace>
          spec:
            channel: <channel>
            name: ibm-common-service-operator
            source: ibm-operator-catalog
            sourceNamespace: openshift-marketplace
    5.  Use one of the values for <namespace>:

      1. To install the operator in all namespaces, use openshift-operators as the namespace. 

      2.  To install the operator in a single namespace, use the namespace created in step 5.

      3.  Use one of the following values for <channel>

        1. If you are using IBM Cloud Pak foundational services for CD (continuous delivery), use v3.23.  
        2. If you are using IBM Cloud Pak foundational services for LTSR (long term service release, v3.
      4. Apply the subscription: 
        oc apply -f common-services-sub.yaml
      5. Wait until the installation is completed for IBM Cloud Pak foundational services, IBM NamespaceScope, and Operand Deployment Lifecycle Manager operators.

      6. Install cert manager: 

        1. Create a file named cert-manager-operand-request.yaml.

        2. Paste the following content in the file: 

          apiVersion: operator.ibm.com/v1alpha1
          kind: OperandRequest
          metadata:
            name: ibm-apiconnect-cert-manager
            namespace: <namespace>
          spec:
            requests:
            - operands:
              - name: ibm-cert-manager-operator
              registry: common-service
              registryNamespace: ibm-common-services
      7. Create the operandRequest for cert-manager: 

        oc apply -f cert-manager-operand-request.yaml 
      8. Wait until the IBM Cert Manager operator installation is completed.  

    Installing API Connect 

    1. Install the subsystems by using the OpenShift web console. 

    1. Select Operators->Installed Operators.

    2. Click the IBM API Connect operator.

    3. Click Create Instance on the API Connect cluster tile to install the top-level Custom Resource. The API Connect subsystems are Management, Developer Portal, Gateway, and Analytics.

    4. Set the values for the following parameters: 






      • The name to use for deploying the API Connect cluster Custom Resource 

      • License acceptance: Click to accept the license. You must accept the license to install API Connect. 

      • License use: Select production or non-production to match the type of license that you purchased. 

      • License metric 

      • License ID: The license ID for the API Connect program that you purchased. To view all license IDs, see API Connect licenses.

      • Deployment profile: The available profiles are listed in API Connect deployment profiles for OpenShift and Cloud Pak for Integration.

      • Product version: The latest product version is set by default. 

      • Default storage class name: The name of the Storage class to use. 


    1. To verify that your API Connect cluster is successfully installed, run:
      oc get apic -n <APIC-namespace>
    2. Verify that you can log in to the API Connect Cloud Manager UI.

    3. To determine the location for logging in, view all the endpoints:

      oc get routes -n <APIC-namespace>
    4. Locate the mgmt-admin-apic endpoint and access the Cloud Manager UI. 

    5. Log in as the admin user. When you install with the top-level CR, the password is automatically generated. 

    6. To get the password:

      oc get secret -n <APIC-namespace> | grep mgmt-admin-pass 
      oc get secret -n <APIC-namespace> <secret_name_from_previous command> -o jsonpath="{.data.password}" | base64 -d && echo ""

    After you are able to log in to the API Connect Cloud Manager, you can create API Managers, create products, and publish them. 


    By following these steps, you can install IBM API Connect on the Red Hat OpenShift platform.