
Deploying Guardium Insights On-Prem using VMware

By Anuj Shrivastava posted Wed October 30, 2024 01:57 AM


To deploy IBM Guardium Insights (v3.4.x or later) on-premises using VMware, you'll use Red Hat OpenShift Container Platform (OCP) on VMware vSphere. Below is a streamlined guide covering the essential technical points for a successful setup.

Overview of IBM Guardium Insights

Guardium Insights is a data security hub that provides in-depth data activity monitoring, risk scoring, and compliance reporting. It improves data protection efficiency and supports flexible IT environments.

Prerequisites and Requirements

  • Supported Software and Hardware:

    • OpenShift Container Platform (OCP): Version 4.14.x.
    • VMware vSphere: Versions 7.0 Update 2 or 8.0 Update 1.
    • Cluster Sizing: Work with your IBM representative to configure cluster sizing based on workloads and instance numbers.
  • Network and Storage Configuration:

    • Persistent Storage: Provision ReadWriteMany (RWX) storage for OCP.
    • DHCP and IP Settings: Configure DHCP so that every node keeps a fixed IP address (static reservations), and ensure reverse DNS resolution works for each node.
  • Load Balancing: Set up API and application ingress load balancers with HAProxy, covering the API server, the machine config server, and ingress traffic on the HTTP/HTTPS ports.

To set up the load balancing infrastructure for IBM Guardium Insights with OpenShift on VMware, you’ll need to provision HAProxy as a load balancer for both API server and application ingress traffic. Here’s a sample configuration file to guide you, which can be saved to /etc/haproxy/haproxy.cfg.

# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
  mode                    http
  log                     global
  option                  httplog
  option                  dontlognull
  option http-server-close
  option forwardfor       except 127.0.0.0/8
  option                  redispatch
  retries                 3
  timeout http-request    10s
  timeout queue           1m
  timeout connect         10s
  timeout client          1m
  timeout server          1m
  timeout http-keep-alive 10s
  timeout check           10s
  maxconn                 3000
#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend main
  bind *:5000
  acl url_static path_beg -i /static /images /javascript /stylesheets
  acl url_static path_end -i .jpg .gif .png .css .js
  use_backend static          if url_static
  default_backend             app
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
  balance     roundrobin
  server      static1 127.0.0.1:4331 check
  server      static2 127.0.0.1:4332 check
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend app
  balance     roundrobin
  server  app1 127.0.0.1:5001 check
  server  app2 127.0.0.1:5002 check
  server  app3 127.0.0.1:5003 check
  server  app4 127.0.0.1:5004 check
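The sample above is HAProxy's generic HTTP-mode layout. What OpenShift needs on the load balancer are TCP passthrough listeners for the API server (6443), the machine config server (22623) and application ingress (80 and 443), which the following haproxy.cfg provides. It is an added example, not the post's or Red Hat's file, and the node IP addresses are constructed placeholders.

```haproxy
# Added example, not the post's file. TCP passthrough listeners for
# OpenShift on vSphere; node IPs below are constructed placeholders.
global
  log         127.0.0.1 local2
  maxconn     20000
  daemon

defaults
  mode                    tcp
  log                     global
  option                  tcplog
  option                  dontlognull
  retries                 3
  timeout connect         10s
  timeout client          1m
  timeout server          1m
  timeout check           10s

# API server: bootstrap plus control plane. Remove the bootstrap entry
# once the installer reports that bootstrapping is complete.
listen api-server-6443
  bind *:6443
  balance source
  server bootstrap 10.0.0.10:6443 check inter 1s
  server master0   10.0.0.11:6443 check inter 1s
  server master1   10.0.0.12:6443 check inter 1s
  server master2   10.0.0.13:6443 check inter 1s

# Machine config server: serves Ignition configs to joining nodes, so
# keep port 22623 reachable only from the cluster network (firewall it).
listen machine-config-server-22623
  bind *:22623
  balance source
  server bootstrap 10.0.0.10:22623 check inter 1s
  server master0   10.0.0.11:22623 check inter 1s
  server master1   10.0.0.12:22623 check inter 1s
  server master2   10.0.0.13:22623 check inter 1s

# Application ingress: the worker nodes that run the ingress router.
listen ingress-router-443
  bind *:443
  balance source
  server worker0 10.0.0.21:443 check inter 1s
  server worker1 10.0.0.22:443 check inter 1s

listen ingress-router-80
  bind *:80
  balance source
  server worker0 10.0.0.21:80 check inter 1s
  server worker1 10.0.0.22:80 check inter 1s
```

Validate the file with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading the service.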

Adding vCenter Root CA Certificates

  1. Download the vCenter Root CA Certificates: Retrieve the root CA certificates directly from the vCenter homepage.
  2. Add Certificates to System Trust:
    • Extract the downloaded certificates and copy them to the system trust directory:
      cp certs/lin/* /etc/pki/ca-trust/source/anchors
  3. Update the System Trust: Refresh the system trust settings with:
    update-ca-trust extract

Deploying the Cluster

Prerequisites

  • Download Requirements: Obtain the OpenShift installation program and your pull secret from the Red Hat OpenShift pull-secret page.
  • Cloud Account Permissions: Ensure that the cloud provider account has the necessary permissions for the deployment.

Deployment Procedure

  1. Navigate to the Installation Directory: Go to the directory where the installation program is located.
  2. Start the Cluster Deployment:
    • Run the following command to begin the OpenShift cluster deployment:
      ./openshift-install create cluster --dir <installation_directory> --log-level=info

      Ensure that an appropriate install-config.yaml file is present in <installation_directory>; it defines the cluster that the installer creates.

Deployment on VMware vSphere

  1. VMware Setup:

    • Create a vCenter Account: Ensure it has global administrative privileges.
    • Network Access for Persistent Storage: Allow access on port 443 to vCenter and the ESXi hosts, and adjust firewall settings as needed.
  2. Red Hat OpenShift Installation:

    • Preparation:

      • Download the OpenShift installer as described in the official documentation.
      • Create a YAML configuration (install-config.yaml) with specifications like the base domain, network CIDR, and machine/cluster network types.
    • Installation Command:

      ./openshift-install create cluster --dir <installation_directory> --log-level=info

      This will initialize the OpenShift cluster.

Example install-config.yaml

additionalTrustBundlePolicy: Proxyonly
apiVersion: v1
baseDomain: soclab.com
compute:
- architecture: amd64
  hyperthreading: Enabled
  name: worker
  platform: {}
  replicas: 5
controlPlane:
  architecture: amd64
  hyperthreading: Enabled
  name: master
  platform: {}
  replicas: 3
metadata:
  creationTimestamp: null
  name: oc
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineNetwork:
  - cidr: 10.0.0.0/16
  networkType: OVNKubernetes
  serviceNetwork:
  - 172.30.0.0/16
platform:
  vsphere:
    vCenter: 10.221.192.2
    username: tamilselvam@gsilab.com
    password: Tamilselvam#2023   # vCenter credentials are stored in clear text; restrict read access to this file
    cluster: NewCluster
    datacenter: Datacenter
    defaultDatastore: datastore1
    network: LAN
    folder: /Datacenter/vm/ocp-cluster
    resourcePool: /Datacenter/host/NewCluster/Resources/
    diskType: thin
fips: false
pullSecret: ''   # paste the pull secret JSON from Red Hat here
sshKey: ''       # optional: public SSH key for the core user on the nodes

Verification

Upon successful completion of the OpenShift installation:

  • Access Instructions: Instructions for accessing the cluster will be displayed on the console.
  • Credential Information: Login credentials are stored in <installation_directory>/.openshift_install.log, so protect that file as you would any other credential.

Example Output

INFO Install complete!
INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/home/myuser/install_dir/auth/kubeconfig'
INFO Access the OpenShift web-console here: https://console-openshift-console.apps.mycluster.example.com
INFO Login to the console with user: "kubeadmin", and password: "password"
INFO Time elapsed: 36m22s

For more detailed installation instructions, refer to the official Red Hat OpenShift documentation.

Installing Guardium Insights Components

  1. Download the Guardium Insights CASE File:

    • Obtain the latest CASE version (e.g., 2.4.0 for v3.4.0) from IBM's GitHub.
    • Export environment variables to simplify the installation:
      export CASE_NAME=ibm-guardium-insights 
      export CASE_VERSION=<VERSION> 
      export LOCAL_CASE_DIR=$HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
  2. Install IBM Cloud Pak Foundational Services:

    • Namespace Setup:
      oc create namespace <GI_NAMESPACE> 
    • Cert Manager and Common Services:
      oc ibm-pak launch $CASE_NAME --version $CASE_VERSION --inventory ibmCertManagerOperatorSetup --namespace ibm-cert-manager

Deploying Storage Backend Using the ODF Operator

To deploy your storage backend with the OpenShift Data Foundation (ODF) operator, follow the guidelines outlined in the official documentation. Here’s a summarized step-by-step approach to get you started, along with setting the default storage class to thin-csi.

  1. Prerequisites

    Before you begin, ensure you have the following:

    • Access to an OpenShift cluster.
    • Sufficient permissions to create namespaces and manage operators.
  2. Install the ODF Operator

    Install the ODF Operator from the OperatorHub:

    • Navigate to the OpenShift Web Console.
    • Go to Operators > OperatorHub.
    • Search for "OpenShift Data Foundation" and click on it.
    • Click Install and select the appropriate namespace (e.g., openshift-storage).
  3. Configure the Operator Settings

    • Choose the installation mode (e.g., All namespaces).
    • Set the approval strategy (Automatic or Manual) as per your needs.
  4. Set Default Storage Class to thin-csi

    1. List available storage classes:
      oc get sc

    2. Set thin-csi as the default storage class by editing the storage class:
      oc patch storageclass thin-csi -p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class":"true"}}}'
    3. Verify the change:
      oc get sc

Refer to the official OpenShift ODF operator installation documentation for a detailed step-by-step process.

Guardium Insights v3.4.x Deployment

Before installing IBM Guardium Insights, ensure that you have the required hardware, software, and storage. Detailed system requirements are available in the IBM documentation.


Download the Guardium Insights CASE File

The Guardium Insights Container Application Software for Enterprises (CASE) installer can be downloaded as an archive (tar) file from GitHub. Ensure that you only install products your site is entitled to.


Procedure

  1. Export Environment Variables and Create Local Directories:

    export CASE_NAME=ibm-guardium-insights 
    export CASE_VERSION=<CASE_VERSION> 
    export LOCAL_CASE_DIR=$HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION 
    export CASE_ARCHIVE=$CASE_NAME-$CASE_VERSION.tgz
  2. Specify the CASE_VERSION that matches the version of Guardium Insights you are deploying. For example, Guardium Insights 3.4.0 requires CASE_VERSION 2.4.0.

  3. Save the CASE Bundle Locally:

    oc ibm-pak get $CASE_NAME --version $CASE_VERSION --skip-verify


  4. Extract the CASE Bundle to Your Local Directory:

    tar -xvf $LOCAL_CASE_DIR/$CASE_ARCHIVE --directory $LOCAL_CASE_DIR

    This completes the setup of the Guardium Insights CASE file for deployment.


Installing IBM Cloud Pak Foundational Services

IBM Guardium Insights is deployed on IBM Cloud Pak foundational services with the OpenShift® Container Platform.

Note: If using the all-in-one script for installation, foundational services will be installed automatically if the SKIP_INSTALL_ICS parameter is set to false. If you already have Cloud Pak foundational services version 4.5.x installed, you can skip this task.


Procedure

  1. Log in to your OpenShift Cluster Instance:

    oc login -u <KUBE_USER> -p <KUBE_PASS> [--insecure-skip-tls-verify=true]

    Use --insecure-skip-tls-verify only when the API server certificate is not yet trusted by the client.
  2. Create a Namespace for Cloud Pak Foundational Services:

    export NAMESPACE=<GI_NAMESPACE>
    oc create namespace ${NAMESPACE}
  3. Choose the CASE Version:

    export CASE_ARCHIVE=ibm-guardium-insights-<GI_Case_version>.tgz 
  4. Install the IBM Cert Manager and IBM Common Services:

    • Create a Namespace for IBM Cert Manager:
      oc create namespace ibm-cert-manager 

    • Set the Environment Variable for the --inventory Parameter:
      export CERT_MANAGER_INVENTORY_SETUP=ibmCertManagerOperatorSetup
    • Install the IBM Cert Manager Catalog:
      oc ibm-pak launch $CASE_NAME \
       --version $CASE_VERSION \
       --action install-catalog \
       --inventory $CERT_MANAGER_INVENTORY_SETUP \
       --namespace openshift-marketplace \
       --args "--inputDir ${LOCAL_CASE_DIR}"
  5. Check the Pod and Catalog Source Status:

    oc get pods -n openshift-marketplace 
    oc get catalogsource -n openshift-marketplace
  6. Install the IBM Cert Manager Operators:

     oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --inventory $CERT_MANAGER_INVENTORY_SETUP \
      --action install-operator \
      --namespace ibm-cert-manager \
      --args "--inputDir ${LOCAL_CASE_DIR}"
  7. Install the IBM Cloud Pak Foundational Services Catalog:

    export ICS_INVENTORY_SETUP=ibmCommonServiceOperatorSetup
    oc ibm-pak launch $CASE_NAME \
     --version $CASE_VERSION \
     --action install-catalog \
     --inventory $ICS_INVENTORY_SETUP \
     --namespace $NAMESPACE \
     --args "--registry icr.io --recursive --inputDir ${LOCAL_CASE_DIR}"
  8. Check the Pod and Catalog Source Status:

    oc get pods -n openshift-marketplace 
    oc get catalogsource -n openshift-marketplace
  9. Install the Cloud Pak Foundational Services Operators:

    export ICS_SIZE=small
    oc ibm-pak launch $CASE_NAME \
     --version $CASE_VERSION \
     --inventory $ICS_INVENTORY_SETUP \
     --action install-operator \
     --namespace $NAMESPACE \
     --args "--size ${ICS_SIZE} --inputDir ${LOCAL_CASE_DIR}"
  10. Verify that the CSV is in Succeeded State:

    oc get csv -n $NAMESPACE
  11. Verify that the Operand Request is Available:

    oc get opreq -n $NAMESPACE 
  12. Verify that All Cloud Pak Foundational Services Pods are Running or Completed:

    oc get pods -n ${NAMESPACE} 
  13. Retrieve Console Credentials:

    oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_username}' -n $NAMESPACE | base64 -d | awk '{print $1}'
    oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' -n $NAMESPACE | base64 -d | awk '{print $1}'
  14. Retrieve the Cloud Pak Console Route:

    oc get route cp-console -n $NAMESPACE

This completes the installation of IBM Cloud Pak foundational services.

Online Installation of Guardium Insights Using Automated Installation Script

Procedure

  1. Log in to Your OpenShift Cluster Instance:

    oc login -u <KUBE_USER> -p <KUBE_PASS> [--insecure-skip-tls-verify=true] 
  2. Edit the values.conf File:

    • Locate the configuration file at $LOCAL_CASE_DIR/ibm-guardium-insights/inventory/automateInstall/files/values.conf and provide the mandatory parameters for the installation.
  3. Define the Location of the Custom Resource (CR) File:

    export LOCAL_INSTALL_DIR=<CR file location> 
  4. Start the Installation Process of Guardium Insights:

    oc ibm-pak launch $CASE_NAME \
     --version $CASE_VERSION \
     --namespace ${NAMESPACE} \
     --inventory automateInstall \
     --action autoInstall \
     --tolerance 1 | tee -a ${LOCAL_INSTALL_DIR}/installation.log
  5. Check the Status of the Instance Creation:

    oc get guardiuminsights

After completion, the output is similar to the following example.

Logging In

Find the correct route with oc get routes, then log in with the default cpadmin user. You can also configure LDAP as a login source for Guardium Insights.


Troubleshooting Guardium Insights Deployment

If your Guardium Insights deployment fails, follow these steps to check and create the required PersistentVolumeClaim (PVC).

  1. Check the PVC Status:

    • List PVCs in the Guardium Insights namespace:
       oc get pvc -n guardium-insights
    • Look for a PVC named backup-pvc-support. If it is not present, proceed to the next step.
  2. Create the PVC:

    • If backup-pvc-support is missing, create it with the following YAML configuration.

      • Create a File Named backup-pvc-support.yaml:
        apiVersion: v1
        kind: PersistentVolumeClaim
        metadata:
          name: backup-pvc-support
          namespace: guardium-insights
        spec:
          accessModes:
            - ReadWriteMany
          resources:
            requests:
              storage: 500Gi
          storageClassName: ocs-storagecluster-cephfs
      • Apply the YAML File to Create the PVC:
        oc apply -f backup-pvc-support.yaml 
      • Verify the PVC Has Been Created Successfully:
        oc get pvc backup-pvc-support -n guardium-insights 
  3. Check the Deployment Again:

    • After creating the PVC, recheck the status of the Guardium Insights deployment by listing the deployments in its namespace:
      oc get deployments -n guardium-insights

If the deployment is still failing, check the logs for more details:

oc logs deployment/<guardium-insights-deployment-name> -n guardium-insights

Following these technical steps will guide you through a successful Guardium Insights deployment on a VMware-based on-premises infrastructure. For further details, consult IBM’s official documentation.

Reach out to us if you need further guidance. Let’s elevate your security operations together!

Tamil Selvam R - tamilselvam.ramalingam@ibm.com
Anuj Shrivastava  - ashrivastava@in.ibm.com